
Story of a failed pentest - mariedm
https://threader.app/thread/1063423110513418240
======
gtsteve
Great story, but I wouldn't call it "failed" because it showed that the
company has really good security procedures. I don't know many companies that
could have resisted this sort of internal threat.

I've had pentests that found nothing before but I had logs full of attempts to
compromise the app, including in some ways I'd never even heard of before. I
didn't consider them to be failures either.

~~~
baby
Let's be honest. No company would have resisted this sort of internal threat.
This is either fiction (which it sounds like it is) or this is just a lack of
time. The difference between pentesters and real hackers is that hackers have
as much time as they want.

~~~
corndoge
I agree this reads like fiction. Strange capitalization, and no technical
person I know or know of would write this way; it all seems very cavalier and
not the careful writing of someone who actually does this for a living. Not
that I know better.

~~~
emmelaich
I found this odd:

> spent some time hunting the Domain Controller

The DC address(es) are trivial to find.

~~~
crankylinuxuser
They _can_ be. But here's the problem:

You have a GPO that turns on command and ps logging. Ok, so if you _type_
those commands, you alert script logging engines.

And then you search how to find the DC:
https://serverfault.com/questions/78089/find-name-of-active-directory-domain-controller

It's all PS or cmd. Trapped.

You might find the DC listed in the registry if you look for key "DCname".
However again, that's another thing you'd use app whitelisting for, and catch
every invocation of regedit. A lot of unattended driveby attacks attempt to do
bad things here, so you catch/trap them.

Again, dead end.

So, I'd love to see a good walkthrough how to find the DC if these avenues
don't work.

~~~
brazzledazzle
I think this one won’t get you caught:

Explorer address bar (or start>run) > %logonserver%

~~~
crankylinuxuser
True, for smaller orgs.

When you get to larger orgs, the DC doesn't always have to be the logon server.
In fact, you're liable to see a slew of logon kerb redirectors talking to a
few ldap backends running as pri and secondary AD.

~~~
brazzledazzle
I have to admit I’m not familiar with anything in your comment. Is this
different terminology for RODCs? I was also under the impression that AD
didn’t have a primary DC; the only vestige of that is the PDC Emulator FSMO
role.

------
dstick
Meanwhile 4 out of 5 webshops we check have critical vulnerabilities and half
the owners don’t care because “it just costs money to fix it and things have
been fine so we’d rather spend more on Adwords”

Security, no scratch that - the human psyche works in mysterious ways :)

This company seems to run a tight ship though!

~~~
AnIdiotOnTheNet
Frankly, that's an entirely appropriate way to deal with security. You can
make the most secure product in the universe, but no one will use it if it
takes forever to develop or is unnecessarily difficult to work with. Of
course, how much security is enough is a multi-variable problem, but in
general I find that "security people", who for obvious reasons want to sell
you on security, way over-estimate its value.

~~~
michaelt

> no one will use it if it [...] is unnecessarily difficult to work with

In some aspects of security, you can trade off inconvenience for cost, instead
of trading off against security.

For example, imagine an office with a security gate, but it takes a few days
for new employees to be issued with a working gate pass.

One way to reduce that inconvenience would be to trade off security, by having
staff members buzz strangers in if they know the magic words "I just started,
my pass hasn't arrived yet".

An alternative way would be to trade off cost, by having while-you-wait gate
pass printing, and every gate having a guard who can check an online employee
directory before buzzing someone in without a pass.

I feel a lot of people say "Security is a trade-off with convenience" when
they actually mean "Security is a trade-off with convenience and spending, but
we've already taken spending off the table"

~~~
gpm
There is another option here. Have security passes issued promptly. It's
possible, I've worked at a bank where it took all of 5 minutes. (Not that I
disagree with the general point, just the example)

~~~
isostatic
I had a meeting at a major UK broadcaster in London the other day. Arriving at
reception I had my photo taken, a visitor pass printed, and put in a pass with
a guest RFID enabled card, and to top it all a voucher for a free cup of
coffee from the canteen.

No reason that such a system can't be done for the first week or so, even if
you don't want to have the facility to print permanent cards in every office.

------
org3432
The problem I have with pen tests is that they're not systematic and rely on
the cleverness and knowledge of the tester. Even if they identify an issue,
it's often hard or impossible to ensure it doesn't regress, and if it's
in-house or custom software they've never seen before they likely won't be of
much help without a lot of effort.

I think one step forward would be also approaching security the same way
epidemiologists track down causes of diseases. In that they take patient data
and trace back the factors that caused it, just instead of patients we're
talking about security vulnerabilities and breaches. Having a corpus of causal
diagrams, we could then develop software to analyze risk factors that we can
then systematically test for.

~~~
dstick
I agree and from a purely rational standpoint you are correct. However in my
experience the main benefit of a successful pentest is to achieve a change in
culture and the perception of security of staff across the entire workforce
where before it was deemed “taken care of” or non-important.

In short, people won’t change before shit has hit the fan, and a pentest is
the closest you can get to a controlled shit-hit-fan situation without it
being a meaningless drill :) How, and what is uncovered, is beside the point
and merely secondary when viewed from that perspective.

~~~
logifail
>> the main benefit of a successful pentest is to achieve a change in culture

Is there much (any?) _public_ evidence that this tends to happen after a
successful pentest, though?

One of my friends used to be a pentester. He said (I paraphrase) "we go in,
break stuff, write a report, go home".

What's the betting that in a company with poor security culture that the
pentester's report might just end up locked in a safe?

~~~
unreal37
I did a website for Visa a few years ago, and it required a pentest before
launch. We tried to find a loophole to justify it not needing a pentest
(because that would give us 3 more weeks to develop the site), but no luck. It
was such a simple site with no database, but they required it to go through
pentest anyways.

The pentest came back with some recommendations. Mostly to do with the use of
HTTP headers. Absolutely we fixed them, and made damn sure that the next time
we had a site to be pentested those unforced errors were not repeated.

So on a small scale, yes. Pentesting improved the way we developed websites. I
don't know about how it affected the "culture". Visa has a really strong
security culture already.

~~~
logifail
>> Pentesting improved the way we developed websites. I don't know about how
it affected the "culture". Visa has a really strong security culture already.

So if the security culture is strong, the pentesters' reports are read and
implemented; if the security culture is weak-to-completely-non-existent,
they'll likely be ignored?

~~~
crankylinuxuser
> if the security culture is weak-to-completely-non-existent, they'll likely
> be ignored?

---->

> if the security culture is weak-to-completely-non-existent, they'll likely
> not even be budgeted or done.

------
cs02rm0
_I could've run "net accounts" on my workstation to query Active Directory
directly & see their password policy, but decided to look elsewhere first. I
didn't want to set off any alerts or logging._

I know nothing about Windows, but I'd have thought checking password policies
far less likely to alert than plugging in your own device on the network.

Anyway, my favourite bit was that they didn't stop the people in Accounts
running Powershell, they just raised an alert. I much prefer that approach to
blocking people most likely just doing their job.

~~~
crankylinuxuser
If PowerShell and cmd logging is turned on (and I'm sure it is) then seeing
net * commands run from a marketing machine is hella bad. It's similar to "HEY
LOOK AT ME IM HACKED!"

These logging things do get in the way of devs. They run PowerShell after
ps... It's not uncommon for MBs a day of log per dev. So if you're wanting to
run crap and get away with it, hack a dev machine and bury your commands in
there.

~~~
no-s
So true. Just write an innocuous automation script that will fail on privs
generating massive logs and then use debugging as an excuse when you try to
systematically audit capabilities. Often helpful IT staff will open up vulns
for ya to put an end to the noise. Of course in many orgs it’s necessary to do
this in order to get legitimate work done too...

------
asaph
The author confirmed on Twitter that "aside from the beating up and tying
down" this is a true story[0].

[0][https://twitter.com/TinkerSec/status/1063781216128835584](https://twitter.com/TinkerSec/status/1063781216128835584)

------
asaph
> I woke up, bloody, in an ergonomic office chair, my hands zipped tied behind
> me with the same zip ties they used to manage the server ethernet cables.

I didn't realize this story was fiction until I got to this sentence.

Update: The author confirmed on Twitter that other than the dramatization,
this story is in fact true.

> And, aside from the beating up and tying down, it was true![0]

I can admit when I'm wrong. I stand corrected.

[0][https://twitter.com/TinkerSec/status/1063781216128835584](https://twitter.com/TinkerSec/status/1063781216128835584)

~~~
icebraining
Read a bit further; the story is not fiction, only that specific incident.

~~~
asaph
I read it all before posting here. I assume you're referring to this part:

> The DFIR lead leaned down next to my ear and whispered, "No one in Accounts
> Payable ever runs Powershell..."

> Alright... That last part had a bit of dramatization added to it.

I interpreted the "last part" to mean the part where the DFIR whispers in his
ear.

I'm still not convinced this is real. It smells like fiction.

~~~
jfolkins
Dramatization === Fiction ?

Storytelling as a knowledge share is fundamental to human culture. Drama and
story refinement are required to make the knowledge easy to remember and
spread.

As for you being convinced, my personal experience is that this story is
entirely believable. Many of us in security have stories we cannot share that
would make this one look like a Saturday morning cartoon.

~~~
asaph
> Dramatization === Fiction ?

Certainly not. But at the very least, dramatization decreases the credibility
of a story.

~~~
jfolkins
Dramatization has nothing to do with credibility. It is a memory facilitation
technique. Because you the reader can remove the drama and distill the
critical story elements for further inspection of credibility.

Credibility is found in the citations, which here is only the story teller. As
that is only one data point, I totally understand doubting its credibility
because one needs more citations and voices for proof.

Further, I never stated I found the story credible. I was operating from a
believability standpoint. Inferring from one's experience to weigh whether the story
could possibly be believed. You shared you found it hard to believe based on
its dramatization. Where I shared that I found it completely plausible based
on my experience.

And that is my main argument, that in this equation drama shouldn't be used as
a weight. Positive or negative.

Edit: For the folks down voting this. Please don't conflate dramatization with
persuasion, propaganda, or fake news. Dramatization is a tool used in those
techniques.

------
tomohawk
This doesn't seem at all realistic. Tight security and people are actually
getting work done? Inconceivable!

~~~
ju-st
And IT has time to check alarms, very unrealistic.

~~~
neolefty
Plus, budget to hire a pen tester?!?

~~~
marcofloriano
A bank!

~~~
johann8384
Nah, I've worked with some banks here and there. Amazing lack of security.
Can't talk specifics, but yeah, just wow....

------
raesene9
Nice story and a good illustration that a lot of good IT Security isn't buying
fancy "next gen" products, it's doing the basics of managing your systems
well.

It costs more to run IT well, but there are good payoffs, like this.

~~~
teilo
I would imagine that it was just one of these “next gen” products that
identified the fact that Powershell was running on a machine that normally
would not run Powershell.

~~~
raesene9
Why would you need anything "next gen" for that?

Just log use of powershell then have your good old SIEM system alert when it's
used by a group outside of the IT dept.
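
As an added example (not from the thread or from the story's author), a toy version of the rule raesene9 describes, which also covers crankylinuxuser's earlier point that IT and dev machines generate shell noise that has to be baselined out. The flattened event layout, the user-to-department directory and the sample events are all constructed.

```python
"""Toy SIEM rule: alert on PowerShell/cmd launches by users outside IT/dev.

Constructed example. Events mimic Windows Security event 4688 (process
creation with command-line auditing enabled) flattened to dicts; the
directory mapping users to departments stands in for an LDAP/HR feed.
"""
from dataclasses import dataclass

# Constructed enrichment: SubjectUserName -> department.
DEPARTMENTS = {
    "CORP\\ap.jones": "Accounts Payable",
    "CORP\\mkt.smith": "Marketing",
    "CORP\\dev.lee": "Engineering",
    "CORP\\it.admin": "IT",
}

# Departments for which shells are daily noise; suppress rather than alert.
SHELL_EXPECTED = {"IT", "Engineering"}

# Interpreter images matched case-insensitively on the path's basename.
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe", "cmd.exe"}


@dataclass(frozen=True)
class Alert:
    timestamp: str
    host: str
    user: str
    department: str
    command_line: str


def is_shell(image_path: str) -> bool:
    """True if NewProcessName points at a command interpreter."""
    basename = image_path.replace("/", "\\").rsplit("\\", 1)[-1]
    return basename.lower() in SHELL_IMAGES


def evaluate(events, departments=DEPARTMENTS, expected=SHELL_EXPECTED):
    """One Alert per shell launch by a user whose department does not normally
    run shells. Users missing from the directory are treated as unexpected."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4688 or not is_shell(ev.get("NewProcessName", "")):
            continue
        dept = departments.get(ev["SubjectUserName"], "UNKNOWN")
        if dept in expected:
            continue  # baseline noise from IT/dev, logged but not alerted
        alerts.append(Alert(ev["TimeCreated"], ev["Computer"],
                            ev["SubjectUserName"], dept, ev.get("CommandLine", "")))
    return alerts


# Constructed sample events (not real telemetry). Expected: 2 alerts.
SAMPLE_EVENTS = [
    {"EventID": 4688, "TimeCreated": "2018-11-16T22:41:03Z", "Computer": "AP-WS-07",
     "SubjectUserName": "CORP\\ap.jones", "CommandLine": "powershell.exe -NoProfile",
     "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"EventID": 4688, "TimeCreated": "2018-11-16T22:41:10Z", "Computer": "MKT-WS-12",
     "SubjectUserName": "CORP\\mkt.smith", "CommandLine": "cmd.exe /c net accounts",
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe"},
    {"EventID": 4688, "TimeCreated": "2018-11-16T09:00:00Z", "Computer": "DEV-WS-03",
     "SubjectUserName": "CORP\\dev.lee", "CommandLine": "pwsh.exe -File build.ps1",
     "NewProcessName": "C:\\Program Files\\PowerShell\\7\\pwsh.exe"},
    {"EventID": 4688, "TimeCreated": "2018-11-16T09:05:00Z", "Computer": "MKT-WS-12",
     "SubjectUserName": "CORP\\mkt.smith", "CommandLine": "EXCEL.EXE",
     "NewProcessName": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"},
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"ALERT {a.timestamp} {a.host} {a.user} ({a.department}): {a.command_line}")
```

Real deployments would key the expected set on AD group membership rather than a static dict, and would also ingest PowerShell Operational log event 4104 so that script content, not just the launch, is visible.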

------
abledon
I love reading factual hacker stories that read like fiction. Very
entertaining. A brutal 5-7 year on-ramp of learning what computers actually do
on the inside... but understanding what the story is about is worth it.

------
netsec_burn
During pentests most testers run the usual route of attacking the domain. In
my opinion it's not realistic, because most attackers don't attack domains.
They attack applications.

~~~
raesene9
That is true but if you can get Domain Admin access, generally getting
application access is pretty simple after that, and as getting DA is pretty
simple if the domain hasn't been locked down (like the one in the post had),
it's a reasonable place to go...

~~~
bitexploder
Things like 2FA greatly limit the damage of a compromised domain and give
defenders time to react.

~~~
raesene9
I'm a great fan of 2FA for all administrative access. It's not a panacea for
sure, but a definite good layer of defence

------
progval
I must be missing something; but why not plug keyloggers on IT's computers?

~~~
_underflow_
I believe the thing you're missing is known colloquially as 'antivirus'

~~~
dlgeek
I think GP was referring to a hardware keylogger - antivirus wouldn't help.

------
iscrewyou
That was a good fun read. Especially where they zip tied him. Good change of
pace.

~~~
craftyguy
Pretty sure he was joking about that.

~~~
iscrewyou
Yeah, I know. I believed it until I read it further.

------
asaph
This story is also available as a series of tweets in case anyone prefers to
consume it that way.

[https://twitter.com/TinkerSec/status/1063423110513418240](https://twitter.com/TinkerSec/status/1063423110513418240)

~~~
dexterdog
Does anybody prefer to consume it that way?

~~~
asaph
It's actually the original format in which the author published this content.
It was auto-converted to the blog style format linked here on HN by
[https://twitter.com/threader_app](https://twitter.com/threader_app).

> Want to see some magic? See a thread. Mention @threader_app with the word
> "compile". Get a reply from our bot with the link to the thread[0]

[0][https://twitter.com/threader_app/status/1041712862295666690](https://twitter.com/threader_app/status/1041712862295666690)

------
catacombs
Really? A Twitter thread? This could have been a blog post.

~~~
progval
Disable Javascript, you won't even notice it's not a blog post. (After reading
your comment I had to whitelist the website to realize it actually was a bunch
of tweets)

------
sizzle
So if he ran the powershell at midnight he could have potentially gone
unnoticed until the IT guys got back in the office?

What if this was a global Corp, would someone be monitoring this 24/7 across
timezones?

What kind of damage could he have done if he had, say, 1 hour of unfettered
access?

------
fulafel
> On most Internal Pentests, I generally get Domain Admin within a day or two.
> Enterprise Admin shortly thereafter.

Sounds realistic, from how most Windows shops are run.

Would it help to stop using AD to manage the IT infra, or have tiny domains
(say, max 10 computers) without centralised control, and no company-internal
workstation networks? Maybe throw in a rule that devices are recycled (to be
wiped) frequently, say every 6 months.

~~~
swiley
> Maybe throw in a rule that devices are recycled (to be wiped) frequently,
> say every 6 months.

That would be doable if setting up devtools at most places didn't take an
entire day.

~~~
fulafel
The first choice strategy obviously would be to automate this stuff.

Because it's hard to mandate a flag day where everything must be automated, a
transitional strategy might be: document each dev setup so well stepwise that
you can outsource it to the IT dept or other internal support org. Maybe the
dev team can provide a screencast of it, for example. The support org would
then have an incentive to automate it to replace manual work, along with a
measurable payoff for it.

~~~
swiley
NO! now the automation has to be maintained and set up. The first choice
strategy is to simplify the tools and application!

Always with software people there is this tendency to add more abstraction and
machinery when encountering complex abstractions and machinery. You only
exacerbate the problem by doing this!

------
flerchin
Smells like a CISO suck-up job. Doesn't mention that the developers are
paralyzed and unable to work.

------
crankylinuxuser
Ok, wow. That story is pure gold. And when your shop is really on its toes,
this is how you run Opsec.

------
nebulous1
> I had already tried various things to my own employee laptop, but I was not
> local admin and the disk was fully encrypted.

Hang on, if he can boot his laptop does it not follow that he has the
necessary information to decrypt the drive?

~~~
viraptor
Probably standard bitlocker. You get the decrypted drive automatically, windows
can use it, but you only get access to your files, and you can't decrypt and
not boot windows. You have to hack local admin for that.

~~~
Buge
Because of the TPM right? If you use bitlocker without a TPM you could boot to
a live Linux USB and decrypt the bitlocker drive with dislocker.

~~~
medlazik
USB boot is most probably disabled in the BIOS

~~~
Buge
Ok, then physically remove the drive and plug it into a Linux computer.

~~~
medlazik
Right, hence why nobody uses bitlocker without a TPM ;)

~~~
ams6110
I have, because the laptop I was using didn't have a TPM.

Also (possibly wrongly), I trust my ability to remember a good passphrase more
than I trust the TPM to not have bugs.

------
badrabbit
Excellent reading. In my experience, internal politics is the greatest threat
against companies.

Most of us here can walk into most companies and engineer an end to end
encrypted, least access, zero trust, mfa authenticated network using strictly
foss tools and methodologies. Question: Who will let you?

No joke, OP wasn't exaggerating about how easy most of his pentests are. Most
companies throw money at it, do risk analysis and say "hmm, this is enough, a
compromise is tolerable".

IMO, when it rains, it pours. Risk analysis only tells you what the risk is
based on known data. Unknown unknowns will be your doom. Best to build things
right even without an incentive.

------
nubb
As a security student, reading his methodology was invaluable.

------
nunb
It would be interesting to see the MacOS version of this story, say hacking an
office full of Macs, like a Digital Agency or something...

------
ascar
He should've joined as a dev instead of marketing. Access to so many more
systems to begin with.

~~~
darkhorn
His dev coworkers would ask him dev questions and look up his online identity.

------
quantum_state
Nice story while educating people on security ... Thanks!

------
chmars
How did they even notice Powershell?

~~~
diminoten
Endpoint detection picks up stuff like this all the time.

------
sharpshadow
Wonderful:))

------
itomato
Story of a failed pentester, perhaps?

Social engineered their way into an unlikely scenario bound to raise
suspicion.

Tests and methods were pretty successful, otherwise.

Still, I cannot fathom why companies insist on the rickety tinkertoy that is
Microsoft Windows.

------
floatboth
> hauling armloads of old laptops from the IT shack to my cubicle, a small
> Leaning Tower of Pisa forming under my desk

that sounds more unrealistic than properly protected Windows systems tbh. New
marketing employee hauling lots of laptops, no one noticed? Like, people that
work nearby might've noticed that?

~~~
freeflight
It was in the middle of the night after even the cleaning crew left.

Tho, I don't know how he managed to carry 30 of them in one go, or what he did
with them after he left. I guess the number is a bit dramatized.

~~~
Jolter
I didn't see mention of doing it in one go. I presumed he went at least three
times.

