
3 Easy Wins For Defenders From A Pentesters Point Of View

There’s no shortage of stories about how a bad actor was able to compromise a user’s computer, and within minutes, move laterally, achieve Domain Admin level rights and deploy ransomware to all the machines on the network.

There is also no shortage of stories about attackers compromising a network and exfiltrating troves of sensitive data from wide-open file shares.

Believe it or not, there are things you can do to combat these threats. You can win and you can bolster your defenses to make it harder for criminals to accomplish their goals.

The following are 3 easy wins that defenders can do that make attackers’ lives much harder. They will have to make more noise and find alternative ways to achieve their goals, which will take longer, which in turn increases the chance they will be caught and evicted.

3 Easy Wins Summary

  1. Audit file shares for sensitive information and credentials
  2. Ensure service accounts have strong passwords
  3. Implement honey/canary tokens

1. Audit File Shares for Sensitive Information and Credentials

After we’ve performed some initial situational awareness and reconnaissance, one of the first things we do on internal penetration tests is to search file shares for sensitive information and credentials. We do this because file shares are so often an uncontrolled dumping ground for literally everything: company tax documents, scanned-in confidential documents, and plaintext credentials in Word or Excel documents.

With a little bit of luck, one of those files will have the password for an Administrator account and before you know it, the entire domain is essentially compromised.

This technique is not reserved for just pentesters. Real threat actors use this very technique. The CONTInuing the Bazar Ransomware Story report by The DFIR Report is a great example of a threat actor utilizing PowerView’s Invoke-ShareFinder and then exfiltrating data of interest using the Rclone application via the MEGA cloud storage service.

How to Audit File Shares for Sensitive Information and Credentials

[Manual Method]

Open up Windows Explorer and navigate to your favorite file share, head over to the search bar and type in “passw”. Press Enter and see what pops up!

search for "passw" in file explorer

I would also recommend searching “file contents” like this:

search file contents in file explorer

That’s how easy it can be. Use whatever keywords you’d like. For example:

  • logins
  • accounts
  • passw
  • ssn

[Automated Methods]

The manual method works great for one-off or ad-hoc searching. However, if you have a large environment and numerous file shares, this is obviously not scalable. There are a number of free tools/scripts you can use to help you automate discovery of sensitive information and credentials on network shares.

Invoke-ShareFinder

We can use Invoke-ShareFinder to actually find network shares, just like real attackers do.

Results of Invoke-ShareFinder

That’s great and it helps us discover file shares, but let’s go a bit further and try to actually find some sensitive stuff.

Find-InterestingDomainShareFile

We can use another PowerView function called Find-InterestingDomainShareFile. Here is what the output looks like.

Results of Find-InterestingDomainShareFile

As you can see, it found some potentially very interesting files. This is a rather old tool, it’s no longer supported, and it generates quite a few false positives. Maybe not the most ideal for defenders, but it’s better than not discovering these files and waiting for an attacker to find them.

SMBeagle

Another great, newer tool is SMBeagle. It can scan local drives and network drives, enumerate ACLs, output to a CSV file, and is overall more performant than the previous two tools. It gathers much more information, and the downside is that it can take a bit longer to run.

Here’s what SMBeagle looks like when it’s running and what the output csv file looks like.

SMBeagle running
Example SMBeagle csv output

You may need to zoom in on that image, but what is super cool about SMBeagle is all the information it provides, and because it’s in CSV format, it’s easy to search and filter. This is a great tool for defenders.

There are a number of tools both free and commercial that can help you discover sensitive files and credentials on network shares. My recommendation is to start small and free. Use open source tools or write a script yourself that will continuously monitor for such files and alert you.
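As a starting point for the “write a script yourself” option, here is an added example (not code from the post, PowerView or SMBeagle): a small auditor that walks a share, flags files whose names contain the post’s keywords, greps text files for lines that look like plaintext credentials, and writes CSV. The sample share it builds in a temp directory is constructed; pass a real mounted share path as the first argument instead.

```python
"""Share auditor: keyword filenames + credential-looking lines -> CSV."""
import csv
import os
import re
import sys
import tempfile

NAME_KEYWORDS = ("logins", "accounts", "passw", "ssn")
# Matches lines such as "password = Summer2021!" or "pwd: hunter2"
CRED_RE = re.compile(r"(?i)\b(passw(or)?d|pwd|secret|api[_-]?key)\b\s*[:=]\s*\S+")
TEXT_EXT = {".txt", ".csv", ".ini", ".cfg", ".xml", ".ps1", ".bat", ".config"}
MAX_BYTES = 1_000_000  # skip huge files; they are rarely hand-typed credential notes


def audit_share(root):
    """Return a list of (path, reason) findings for everything under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if any(k in lower for k in NAME_KEYWORDS):
                findings.append((path, "filename keyword"))
            if os.path.splitext(lower)[1] in TEXT_EXT and os.path.getsize(path) <= MAX_BYTES:
                with open(path, "r", errors="ignore") as fh:
                    for lineno, line in enumerate(fh, 1):
                        if CRED_RE.search(line):
                            findings.append((path, f"credential pattern line {lineno}"))
                            break  # one hit is enough to flag the file for review
    return findings


def write_csv(findings, out):
    """Write findings in the same spirit as SMBeagle's CSV output."""
    w = csv.writer(out)
    w.writerow(["path", "reason"])
    w.writerows(findings)


def build_sample_share():
    """Constructed sample share so the script runs offline."""
    root = tempfile.mkdtemp(prefix="share_")
    os.makedirs(os.path.join(root, "IT"))
    with open(os.path.join(root, "IT", "Passwords.xlsx"), "wb") as f:
        f.write(b"PK\x03\x04")  # binary; flagged by filename only
    with open(os.path.join(root, "IT", "backup.ps1"), "w") as f:
        f.write("$server = 'db01'\n$Password = 'Summer2021!'\n")
    with open(os.path.join(root, "readme.txt"), "w") as f:
        f.write("Nothing to see here\n")
    return root


if __name__ == "__main__":
    share = sys.argv[1] if len(sys.argv) > 1 else build_sample_share()
    write_csv(audit_share(share), sys.stdout)
```

Scheduled to run regularly and diffed against the previous run, the CSV gives you the continuous monitoring the post recommends.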

2. Ensure Service Accounts Have Strong Passwords

Another common attack on Windows Active Directory networks is Kerberoasting. So common, in fact, that the Conti group used this heavily in their attacks.

The best part of waking up Kerberoast in your cup

Kerberoasting is such a prevalent attack because it can be carried out by any user on a domain. If the accounts that are Kerberoasted have weak passwords, the resulting hash may be cracked, revealing the account’s password.

How do you know which accounts have weak passwords? That’s a great question. On one hand, there’s a possibility that you don’t really need to know. If you’re not sure if a service account has a weak password, change it to something that is not weak. Of course, this could result in scripts, scheduled tasks, or applications breaking, so it’s important to know what service accounts are running and where.

username admin password admin

Once you know your service account passwords have been changed to something long and strong, modify your password policy such that weak passwords are not allowed to be used.

Another option, one that you must understand how to do securely, is to grab the hashes and attempt to crack them yourself. There’s some nuance to this and several best practices that we recommend if you plan to do this, but it is an option. There are open source tools such as DPAT that you can use yourself. Some even provide additional analytics such as password reuse statistics. The Offensive Security team here at SecurIT360 has developed our own internal process for helping clients with this. If you’re considering this option, reach out to us and we’d be happy to help guide you through this process.

You can of course also implement commercial tools such as Specops Password Policy. Many of these commercial tools make it much easier to disallow weak passwords, some even allowing you to create and maintain “banned” password lists.

Other commercial offerings such as Microsoft’s Password Hash Sync can help eliminate weak credentials by comparing them to a list of leaked credentials. Microsoft works alongside dark web researchers and law enforcement agencies to find publicly available username/password pairs. If any of these pairs match those of your users, the associated account is moved to high risk. Also helpful is Microsoft’s Azure AD Password Protection, which allows you to eliminate easily guessed passwords and customize lockout settings for your environment.

What is a strong password?

Service account passwords should be as long as possible. Ideally 25 random characters or longer, consisting of lowercase letters, uppercase letters, numbers, and symbols. That’s generally not too much of a problem because service account passwords are not something that any IT administrator needs or should have to remember, and they typically do not get rotated frequently.

Once you’ve gotten a handle on weak passwords in your environment, it’s time to start thinking about Privileged Identity Management software.
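Two of the steps above lend themselves to a script: knowing which service accounts to rotate first, and generating passwords that meet the bar the post sets (25 or more random characters from all four classes). This added example is not from the post; the account inventory is constructed, with hypothetical names, and stands in for an export of your AD users with their SPNs and pwdLastSet values.

```python
"""Find Kerberoastable accounts due for rotation and generate strong passwords."""
import secrets
import string

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)
MIN_LEN = 25  # the post's recommended floor for service accounts


def meets_policy(pw, min_len=MIN_LEN):
    """True if pw is at least min_len characters and uses every class."""
    return len(pw) >= min_len and all(any(c in cls for c in pw) for cls in CLASSES)


def generate_service_password(length=32):
    """Uniformly random password; resample until every class is present.
    Rejection sampling avoids the bias of forcing one char per class."""
    if length < MIN_LEN:
        raise ValueError(f"service account passwords should be >= {MIN_LEN} chars")
    alphabet = "".join(CLASSES)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(pw, length):
            return pw


def rotation_candidates(accounts, policy_date):
    """Names of accounts that are Kerberoastable (have an SPN) and whose
    password was last set before the strong-password policy took effect.
    Dates are ISO strings (YYYY-MM-DD), so string comparison orders them."""
    return [a["name"] for a in accounts
            if a["spns"] and a["pwd_last_set"] < policy_date]


# Constructed sample inventory (hypothetical accounts, SPNs and dates).
SAMPLE_ACCOUNTS = [
    {"name": "svc_sql", "spns": ["MSSQLSvc/db01.corp.local:1433"], "pwd_last_set": "2019-03-01"},
    {"name": "svc_backup", "spns": ["HTTP/backup.corp.local"], "pwd_last_set": "2023-06-15"},
    {"name": "jsmith", "spns": [], "pwd_last_set": "2018-01-01"},
]

if __name__ == "__main__":
    for name in rotation_candidates(SAMPLE_ACCOUNTS, "2023-01-01"):
        print(f"{name}: rotate, e.g. to {generate_service_password()}")
```

Before rotating, map each candidate to the services, scheduled tasks and scripts that use it, as the post warns, so nothing breaks when the password changes.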

3. Implement honey/canary tokens

Ever hear the phrase “canary in a coal mine?” Well, back in the day miners would carry birds (often canaries) down into the mine tunnels with them. If dangerous gases such as carbon monoxide collected in the mine, the gases would kill the canary before killing the miners, thus providing a warning to exit the tunnels immediately.

While the tactic used in the early 1900s was inhumane, the core concept has translated to a number of disciplines, including cyber security. You can implement “canaries” on your network (often referred to as “canary tokens” or “honey tokens”) to provide an early warning system for intruders. Tokens consist of a unique identifier, which can be embedded in either HTTP URLs or hostnames. Whenever that URL is requested, or the hostname is resolved, a notification email is sent to the address tied to the token.

Thinkst has a great blog post introducing various types of canary tokens and why you may want such a thing. They also have free and commercial services for creating your own canary tokens. There are also many other talks and blog posts that go into more depth. There is an entire niche of cyber security that’s commonly referred to as “Active Defense” or “Cyber Deception.” It’s worth reading up on and getting educated about.

How To Create a Canary Token

  1. First go to canarytokens.org and create a honey token. Let’s use a Microsoft Word document.
  2. Now click Create my Canarytoken, then Download your MS Word file.
  3. Now give the file a tempting name (this won’t affect the operation of the token) and put it on a network share.

When the document is opened (and each time it’s opened), you will receive an email to the address you configured in the token.

Canary token example alert

What’s awesome about this is not only do you get an alert when a document gets opened, but you can also obtain the public IP address and User Agent of the device that the document was opened on.
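To show what sits behind an alert like the one above, here is an added example of a minimal self-hosted HTTP canary endpoint (not code from the post or from canarytokens.org). Each token is a random URL path tied to a recipient and label; any request to it records the requester’s IP and User-Agent and returns a 1x1 GIF, so a document or page embedding the URL renders normally. Recipient, label and port are placeholder values.

```python
"""Minimal HTTP canary token endpoint: random path -> alert on any hit."""
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKENS = {}   # path -> {"recipient", "label"}; persist this outside memory in real use
ALERTS = []   # in-memory stand-in for sending email
PIXEL = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff!\xf9\x04\x01"
         b"\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")


def create_token(recipient, label):
    """Register a token and return the URL path to embed somewhere tempting."""
    path = "/t/" + secrets.token_urlsafe(16)   # unguessable identifier
    TOKENS[path] = {"recipient": recipient, "label": label}
    return path


def build_alert(path, client_ip, headers):
    """Return an alert dict if path is a registered token, else None.
    X-Forwarded-For is only meaningful behind your own reverse proxy."""
    token = TOKENS.get(path)
    if token is None:
        return None
    return {"to": token["recipient"], "label": token["label"],
            "src_ip": headers.get("X-Forwarded-For", client_ip).split(",")[0].strip(),
            "user_agent": headers.get("User-Agent", "")}


class CanaryHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        alert = build_alert(self.path, self.client_address[0], self.headers)
        if alert:
            ALERTS.append(alert)   # swap for smtplib or a SIEM webhook in production
            print("CANARY HIT:", alert)
        # Answer every path identically so a scan cannot tell tokens from junk.
        self.send_response(200)
        self.send_header("Content-Type", "image/gif")
        self.send_header("Content-Length", str(len(PIXEL)))
        self.end_headers()
        self.wfile.write(PIXEL)

    def log_message(self, *args):   # keep stdout to canary hits only
        pass


if __name__ == "__main__":
    print("embed this URL path:", create_token("soc@example.com", "Q4-Payroll.docx"))
    HTTPServer(("0.0.0.0", 8080), CanaryHandler).serve_forever()
```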

What else can we do with canary tokens?

This really just scratches the surface of what you can do with canary tokens. The same concept can be applied to domain accounts, AWS keys, DNS hostnames, website URLs, and so much more. In fact, you can even create “honey pots” on your network: real or simulated machines (Linux, Windows, etc.) that are very alluring to attackers, and as soon as someone starts scanning the host or gains access to it, an alert fires the same way a canary token would. Using canary/honey tokens is really awesome and something you should add to your defensive arsenal.

Use canary tokens, catch bad guys I have spoken

If this is something that looks interesting to you and you’d like more advice or support with implementing this type of thing, please reach out to us. We would be happy to assist you and support you throughout the process.

Conclusion

If you have made it this far, thank you for reading! I hope you found this informative and educational, and that you have some takeaways or ideas you can implement in your environment to make it more secure.

If there is anything we can do to help you with implementing the above, if you’re looking for general advice or assistance with best practices or if you just want to put your defenses to the test with a penetration test, please reach out.

Lastly, if you did get value from this, please consider sharing it with your network and your peers.