Customer: A leading NBFC in UAE
One of our partners recently engaged us for a large penetration testing service, an internal VAPT, in Dubai. The scope of the engagement was an internal VAPT of the business side of the IT infrastructure: more than 200 servers, 200+ network devices, 50+ applications and about 2,000 workstations.
The objective of the penetration test was to simulate an attacker who controls an endpoint in the client network through covert channels.
Security Testing Tools used in the engagement:
- Kali Linux
- Tenable Nessus
- Metasploit Pro
Engagement Approach for Penetration Testing in Dubai
One of the project requirements was to complete the engagement in less than 30 days. ValueMentor assigned four separate security teams to meet the requirement.
- The first team focused on end-user workstation penetration testing.
- The second team focused on bypassing the access controls and performing network penetration testing.
- The third team focused on server penetration testing, and
- The fourth team performed the application penetration testing.
The teams shared the results of their assessments so that the other teams could use the information for faster and more effective delivery.
Penetration Testing the Production Environment
The biggest challenge in performing a penetration test of a production environment is that the methodology must be production-safe. ValueMentor has developed a unique production-safe penetration testing methodology. The application penetration testing team and the server penetration testing team relied on this methodology to ensure that no critical systems were adversely affected by the penetration testing in Dubai.
The Act & Findings
During the initial identification phase, the ValueMentor team found a group of Windows XP machines (relatively small in number) that were unused but still connected to the network. Our analysts took control of these XP systems by exploiting well-known vulnerabilities. Analysis of the system configuration provided critical information about the servers. The team shared the collected information with the server and application penetration testing teams so that it could be used during the application security testing.
With this new knowledge, the application pen testing team was able to access some of the applications using low-privileged user accounts. Careful examination revealed SQL injection vulnerabilities in some of these applications. Exploiting the SQL injection vulnerabilities gave the analysts access to critical business information in addition to critical application information. (Fortunately, these applications are accessible only from the internal network.)
Our network penetration testing team used some of the files found by the workstation pen testing team, together with information obtained through network surveillance, which provided detailed information about the network configuration. The team was able to find weak configurations, which they exploited to bypass the network access controls.
Combining the results of the network and application penetration testing, the server team was able to reach the core of the network. The team exploited at least 2 servers to obtain Domain Administrator privileges. The key weaknesses behind this were:
- Weak asset management. A number of unused systems were still connected to the production network. Unused systems are normally out of sight as far as busy system administrators are concerned.
- Weak password policy enforcement. A strong password policy that is not enforced well is as bad as a weak password policy.
- Insecure web applications. Some web applications fetch information from other systems over FTP, where authentication credentials are sent in clear text.
- Inconsistent patch management.
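As an added, defender-side illustration of the third weakness (example code written for this page, not part of the ValueMentor engagement or its tooling): the script below audits FTP control-channel lines as a passive sensor or a `tcpdump -A` session would record them, and reports which client/server pairs still authenticate with USER/PASS in the clear, so the application owners know which integrations to migrate to SFTP or FTPS. It goes slightly beyond the case in the text by recognising sessions that upgrade with AUTH TLS and by ignoring an orphaned PASS with no preceding USER. The capture lines, host addresses and account names are constructed for the example; the `client -> server:21  COMMAND` line format is an assumption about the sensor's output.

```python
"""Audit captured FTP control-channel traffic for cleartext logins.

Added example, not from the original case study. A defender can confirm
the "credentials over FTP" exposure passively, without touching the
application, by scanning the control channel for USER/PASS commands.
Only the username and the password length are recorded; the secret
itself is never stored or printed.
"""
import re
from dataclasses import dataclass

# Constructed sample: one line per FTP control-channel command, in the
# assumed sensor format "<client> -> <server>:21  <command> [<argument>]".
SAMPLE_CAPTURE = """\
10.10.5.21 -> 10.10.9.4:21  USER appsvc
10.10.5.21 -> 10.10.9.4:21  PASS S3cretValue
10.10.5.21 -> 10.10.9.4:21  RETR reports/daily.csv
10.10.5.22 -> 10.10.9.4:21  AUTH TLS
10.10.5.30 -> 10.10.9.7:21  USER batchsvc
10.10.5.30 -> 10.10.9.7:21  PASS Winter2019
10.10.5.31 -> 10.10.9.7:21  PASS orphan
"""

LINE_RE = re.compile(
    r"^(?P<client>\S+) -> (?P<server>\S+):21\s+(?P<cmd>\S+)(?:\s+(?P<arg>.*))?$"
)


@dataclass
class ClearLogin:
    client: str
    server: str
    user: str
    password_length: int  # length only; the password is deliberately dropped


@dataclass
class Report:
    cleartext: list  # ClearLogin records, in capture order
    tls_sessions: set  # (client, server) pairs that issued AUTH TLS/SSL


def audit_ftp_capture(capture: str) -> Report:
    """Pair each USER with the following PASS on the same session.

    Any USER/PASS pair visible to the sensor is by definition cleartext, so
    it is reported even if that session issued AUTH TLS earlier (a visible
    login after AUTH TLS means the TLS upgrade did not take effect).
    """
    pending_user = {}  # session -> username seen, awaiting its PASS
    tls_sessions = set()
    cleartext = []
    for raw in capture.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a control-channel line in the expected format
        session = (m["client"], m["server"])
        cmd = m["cmd"].upper()
        arg = m["arg"] or ""
        if cmd == "AUTH" and arg.upper() in ("TLS", "SSL"):
            tls_sessions.add(session)
        elif cmd == "USER":
            pending_user[session] = arg
        elif cmd == "PASS":
            user = pending_user.pop(session, None)
            if user is None:
                continue  # PASS without USER: malformed or mid-capture; skip
            cleartext.append(ClearLogin(session[0], session[1], user, len(arg)))
    return Report(cleartext, tls_sessions)


def servers_needing_migration(report: Report) -> list:
    """FTP servers that accepted at least one cleartext login."""
    return sorted({entry.server for entry in report.cleartext})


if __name__ == "__main__":
    result = audit_ftp_capture(SAMPLE_CAPTURE)
    for entry in result.cleartext:
        print(f"cleartext login {entry.client} -> {entry.server}: "
              f"user={entry.user} (password length {entry.password_length})")
    print("sessions using explicit TLS:", sorted(result.tls_sessions))
    print("servers to migrate off plain FTP:", servers_needing_migration(result))
```

On the constructed sample this flags the two plain logins, notes the one session that negotiated TLS, and lists both servers as candidates for migration; the orphaned PASS is ignored. Run against real sensor output, the same report doubles as the remediation list for the application owners.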
A combination of the weaknesses above allowed our team to exploit many servers and control part of the IT infrastructure as part of the engagement.
We submitted our report highlighting the weakest links present in the environment and how a compromise of the relatively low-value desktop environment can lead to organization-wide compromise.