Joe Barrett bio photo

Joe Barrett

INFOSEC Professional

Email Twitter

This post is in solidarity with the nameless NSA analyst who wrote USGOV NSFW: these blog posts. I’m going to explain why hunting sys admins is both a legitimate technique and used by pentesters the world over, not some heinous abuse of power. This post maybe ramble a little and will cover some topics that experienced security professionals already understand, but bear with me.

First, there are two main goals of hacking a network for real.

  • Intelligence Gathering: This could be anything from stealing trade secrets, grabbing e-mails to embarrass an organization, copying classified documents, etc. Basically, you don’t do anything that falls into the next category.
  • Network Attack (Deny, Degrade, Disrupt, Destroy): This is pretty self explanatory. Knock a server offline? That’s denying access to the resource. DDoS? Same. Make centrifuges fall over? Destroying something physical.

Traditional Pentesting Model

So with that in mind, let’s talk about pentesting/red teaming and the security industry. As an industry, we’re fond of Capture The Flag style games. In fact, many of our clients essentially hire us to play Capture The Flag on their enterprise network, a lot of the time with Domain Administrator as the ‘flag’ (or similar tokens like ‘create an account’ or ‘log in to the domain controller’). But that’s not necessarily what a real adversary would do, right? If you’re determined to stay undetected on a network for a long time, you’re going after those intelligence gathering goals. And those aren’t necessarily domain admin. But wait…

Let’s diverge a little bit to talk about ‘old school’ pentesting as compared to the new breed. When firms would get hired to conduct an internal pentest, they normally sit down on the company’s network and start trying to get access to domain resources, move laterally, and capture those flags. And that’s certainly a nice model if the janitor goes rogue, but what about if you’re emulating a nationstate and coming from the outside? And how would those pentesters start the engagement? They’d begin scanning the network ranges from their workstation, because generally they only have a limited time (a week or two) for the engagement and you’ve got to move quickly. That’s noisy, if the client’s Security Operations Center is looking in the right places.

Adversarial Emulation Pentesting Model

Instead, let’s imagine a more realistic scenario. You get contracted to perform a pentest on an enterprise, but it’s “low and slow” – the client really wants to know if their security staff is good at hunting down attackers on the corporate network. So you’ll begin by conducting open source intelligence (OSINT) gathering, spear-phishing personnel to gain a foothold, and then slowly moving around the network to gain access to the flags.

And what are those flags? Well, how about if we go back up to the ‘intelligence gathering’ bullet and pick some appropriate ones:

  • Access to the CEO’s e-mail and screenshot a specific e-mail he sent on a specific day
  • Grab a file off the CIO’s personal network share
  • Log in to the HR database with the CFO’s level of access

All of those are high impact flags, things a real adversary might definitely want to hunt down, but have multiple ways to achieve this goal.

Hunting Sys Admins

What’s the simple approach? Spear-phish the CEO, CIO, CFO, and their admin staff. You’ll probably get at least one win just off that, but probably not all three. But what if they’re bringing their A-game and actually have a security awareness training program that doesn’t suck? So you spear-phish a wider segment of the populace and you’ll (statistically) get at least one success, dropping you on the corporate network as DOMAIN\User.

What would I do from there? Try to get a sys admin or two. If I can grab someone with workstation admin credentials, I can psexec my way onto the CEO, CIO, and CFO’s machines. If I get someone with Exchange Admin credentials, I can log in to the CEO’s mailbox directly. If I get someone with DBA credentials to the HR database, I might not be the CFO, but I’ve probably got the same level of access – and if not, I can easily identify who does and work to get those accounts. And if I can get a server admin, I can probably get into the CIO’s network share.

But even more to the point – what if there are other critical systems on the network I’m asked to pentest? What if there are financial databases, SCADA systems, physical access control servers, etc.? Where are they on the network? I don’t know. But I do know who does: the system and network administrators who have network diagrams explaining how it all works. So I’m going to go and steal some credentials, get onto their network shares, and start downloading Visio diagrams.

How about something else to consider: what if I’m conducting a long term cat-and-mouse engagement with a customer and I want to know if they’re on to me? I’ll probably try to get their security analysts’ credentials and start searching their e-mail for keywords that matter – seeing if they think they’ve found someone hacking their network. And then seeing if that person is me or a malicious actor.

Bringing Home The Bacon

At the end of the day, our job as pentesters is to help our clients secure their networks. This also includes topics like “help their SOC better detect realistic threats.” And by attacking their network as if I were one of those nation-state actors or other sophisticated adversary, I’m helping them realize just what the threat is out there in the world. That’s especially important because system administrators frequently fall into the target list without realizing it.

By understanding that system administrators are often one of the first targets on a network for an adversary, we can help protect our networks better. This then begins a discussion on hunting for anomalies on your network, unusual login patterns, and so on which is far larger than the scope of this blog post. At the end of the day though, if I’m hired to pentest a network, I’m hunting down their sys admins to make my life that much easier. And I’m far from the only person doing that.