Power to the Users! Leveraging Regular User Accounts to Achieve Compromise
One of the more common ways penetration testers break in to networks is by leveraging regular user accounts which have been compromised. They can be used in various ways to compromise systems, data, applications, and more.
In addition, once valid user accounts are obtained, using them throughout the network rarely triggers any alarms, due to the fact that their use appears to be legitimate.
It's fairly common that users will be given administrative access every once in a while for a number of different reasons. Maybe a user needs administrative access to their workstation for a specific application. Perhaps a user is getting an annoying error message when logging into a system that goes away if they are an administrator.
Whatever the reason, a standard seeming user account can be the turning point in a pentest if the account can be matched up with a system it can control.
During an Internal Pentest, user accounts can be compromised in several ways, such as password attacks or NetBIOS spoofing. Once a pentester has a decent amount of compromised user accounts, they can use them to scan several subnets within an organization’s internal network with the goal of identifying administrative access to specific systems.
This is significant because this technique does not require any exploitation of additional vulnerabilities in order to compromise systems. Once administrative access to one system is obtained, experience has proven that the overall Windows Domain can be compromised by leveraging this level of access to the system.
Accessing Data and Applications
From the perspective of an External Pentest, a single compromised user account, even one with no elevated permissions at all, is a huge turning point in the pentest. One valid login to a user's email can allow an attacker to gain a huge wealth of knowledge about the organization.
In addition, access to a user's email is a great place to launch spear-phishing attacks due to the fact that the source of the emails is now 100% legitimate, and the attacker can learn about the user's relationship with other users by reading past emails. This greatly increases the likelihood of success in a spear-phishing attack.
Secondly, if an organization is using a remote access solution without implementing multi-factor authentication such as VPN, Citrix, or other third party software, these accounts may have access to these applications as well. The result of this access can allow an attacker to access internal company resources, systems and applications where sensitive data resides.
From here, the scanning technique discussed above, in addition to other exploits, can also be leveraged to identify administrative access on other systems.
Protecting Your Organization
This type of access is difficult to protect against from a resource, cost, and time perspective. A few general measures should be reviewed to see what the most cost-effective way of protecting against, or mitigating these attacks.
- Use the principal of least privilege when assigning user permissions. If the user doesn't require elevated access to do their job, don't give it to them. Permissions should be reviewed periodically to ensure that elevated permissions are removed when no longer needed.
- Implement multi-factor authentication on internet-facing resources, if possible. This can significantly raise the difficulty level for an attacker to gain access.
- Monitor and alert on access attempts, both failed and successful. It is also recommended that abuse of valid access be logged and monitored.
- Continue to educate users on social engineering and phishing attacks using the Simple Phishing Toolkit (http://www.sptoolkit.com/), Social Engineering Toolkit, or other similar tools.