PREVIEW: Active Directory Pentesting

Dear PenTest Readers,

In the current edition we provide you with mixed, interesting content, prepared by our brilliant contributors. There is no doubt, that these days we are more dependent on information systems than ever, and that’s why we bring to your attention diverse aspects of cybersecurity.

To start with, Valerio Alessandroni presents a case study of his Active Directory CTF, completed on the “Hack The Box” platform. Analysing how other pentesters solve CTFs is one of the most efficient ways to learn, so we definitely recommend checking this one out!

Marlene Ladendorff, PhD is honouring us with her contribution again! This time this unquestionable expert on Operational Technology security provides you with an insight on the role of Active Directory in OT environments. This piece will enrich your understanding of the AD with a new perspective.

We have a great pleasure to publish an article of Dr. Chuck Easttom, who brings a great article on professional standards that should be applied in engineering, based on rigorous modeling and detailed planning. Penetration testing can surely benefit from these elements. Want to improve your pentests? Give it a read!

Other articles cover useful tools and offensive security techniques, such as DDoS detection with machine learning in Splunk, presentation of the JoomScan OWASP tool, WordPress vulnerabilities, and execution flow redirection in binary exploitation.

Also, you will find an interesting article on the evolution of penetration testing by Kavya Pearlman and Alex Halfin, and the importance of translation in the cybersecurity business, by Ofer Tirosh.

As always, we would like to thank all of the contributors, reviewers, and proofreaders, who helped in the creation of this edition.

Best wishes and let’s dive in the reading!

Enjoy,

PenTest Magazine’s Editorial Team

---

Table of Contents

---

CTF Active Directory

by Valerio Alessandroni

Service Principal Names (SPNs) are used in Kerberos authentication to discover an account under the account of the machine which is hosting them (which is MACHINENAME$) and those accounts have long and random passwords, making them virtually impossible to crack. Sometimes however services run under user accounts, and those user accounts have a higher probability of having a short and predictable password, making them the ideal candidate for a brute force attempt, associated to server instances.

---

Active Directory in Operational Technology Environments

by Marlene Ladendorff, PhD

Active Directory has been installed in IT network configurations for years. OT has only recently seen the introduction of AD. OT networks have traditionally been comprised of stand-alone ICS equipment, requiring local administration of policies and access controls. As OT networks have become more interconnected, local management is increasingly time consuming and complicated. The introduction of AD into ICS environments allows centralized administration of systems that had not been possible in the past, improving ease of administration on equipment. From a cybersecurity perspective, however, a reduction in administrative complexity may introduce increased security risk for the network if AD is not appropriately installed and conFigured specifically for ICS architecture.

---

A Professional, Engineering Approach To Penetration Testing

by Dr. Chuck Easttom

Every mature profession has standards, and they are adhered to, for example, electrical engineering, medical care, the legal system, construction, etc. If penetration testing is to be executed as a profession rather than the ad hoc hacking it has been, then standards are the place to begin. Fortunately, there are a number of standards already out in the industry. It is just a question of ensuring the penetration testers are familiar with them and incorporate them into their testing methodology.

---

DDoS Detection with Machine Learning in Splunk

by Daniel Alves

Distributed Denial of Service (DDoS) attacks are one of the most effective forms of cyberattacks that are growing in number, impact and concealment. Its main aspect is the indiscriminate sending of requests to a pre-determined target, aiming to impair the quality or render services offered by the target computer unavailable. And since identifying these attacks are difficult because of the large number of machines involved as botnets – a significant part of them being compromised IoT devices, and the use of techniques for forging IP addresses and the similarity to legitimate traffic - I’ve been testing some solutions to find new ways to recognize threats with computer intelligence, and found in this case a Machine Learning practical application with Splunk, where I compared a few algorithms on DDoS detection in a HTTP/HTTPS traffic, to achieve a viable approach to detect (and why not prevent!?) any offenders.

---

Pentesting is Not Dead - It is Transformed

by Kavya Pearlman and Alex Halfin

Early pentests were little more than exhaustive enumerations of all (known) vulnerabilities, occasionally detailing out the most effective ways to exploit them. However, over time, networks grew geometrically more complex, rendering mere vulnerability enumeration all but useless. The reality of BAS tools, as well as Red Team exercises, are here to stay. Taking all these changes into account, it can be safely said pentesting isn’t dead, it's simply transformed.

---

Owning WordPress Like a Boss

by Vinícius Vieira

Keeping your WordPress site up to date is always a good security practice, but it is not always the most effective. If you have a vulnerable plugin installed in your environment, which has not yet received a security update, WordPress will not warn you of the vulnerability as your repository checks for updates. The ideal is to keep up to date with Miter publications or WPScan, which publishes daily security bulletins with published vulnerabilities and mitigation status.

---

SEH And Execution Flow Redirection

by Mostafa Mahmoud

When exception happens, the OS check from the first exception register record node of SHE Chain by accessing it by TEB wish contains the address of the first node in the linked list, so if the SHE in first node isn’t handling the exception, the OS will check the next node and accessing it by using the next SEH which is an address pointing to the next exception register record. The last exception register record is the default Handler end of chain list (MSVCRT!exhandler) and it will terminate the program, and OS will take action.

---

OWASP JoomScan Project

by Mohammad Reza Espargham, Ali Razmjoo, and Ehsan Nezami

JoomScan is not aiming just at testing different vulnerabilities and trying to simulate attacks, the process always begins with information gathering and it proceeds step by step following ethical hacking techniques. The information-gathering phase is not limited to the web application but also the webserver and domain, also misconfigurations, human-errors and different possible risks on the product.

---

Why Technical Translation Matters in the Cyber Security World

[FULL ARTICLE AVAILABLE IN THE FREE PREVIEW VERSION >>]

by Ofer Tirosh

In the case of the current situation at the time of this writing, someone may use the current coronavirus global pandemic as a means to speak to someone on a more personal level. Social engineering is, in the case of cyber security, all about getting to know someone by pretending to be interested in the same things that they are, or perhaps in the case of COVID 19 to be concerned about the same things that they are concerned about.

---

Javascript - Power and Weakness

by Franciny S.

A sample of the power of Javascript was when Google launched Gmail, showing the world the power of this language using Ajax. This completely changed the development scenario at that time. Unfortunately, along with all this growth also came security issues, especially when Javascript is no longer just a language interpreted by the browser to occupy a great development position with NodeJS.

---