Our Story

During penetration tests on the external infrastructure of a public administration body, very serious flaws were found that led to several servers being completely compromised. In certain cases, we managed to identify several vulnerabilities, specifically - missing security patches, weak password policies and not adhering to best practices.

The company allowed its employees to connect remotely using an SSL VPN. However, the version of the remote access technology used was not the latest version and therefore did not contain updates to fix critical bugs/vulnerabilities. One of them was the possibility of unauthorized access to sensitive information - listings of usernames and passwords in a legible form. Because the technology was linked to an Active Directory / LDAP, it concerned domain users and their passwords. Under the identity of an arbitrary user, it was possible to log into the SSL VPN and subsequently connect to an employee's dedicated machine - thus, among other things, the attacker gained unauthorized access directly to the internal network, could compromise the computer of any user, move around and attack further in the internal network, etc.

Another critical vulnerability found was again related to missing updates, in this case to the e mail server. The web interface of the email server contained a deserialization vulnerability that allowed code to be run remotely at the operating system level. However, a successful attack required the login data of a legitimate domain user - as mentioned, we already had those at our disposal. Thus, a potential attacker could have completely compromised the email server because the service was running under the highest privileges.

The last critical vulnerability was an error in the validation of user inputs to the web application used as a "HelpDesk". The application had access to the Internet, however, it was secured by an authentication form and only selected users (administrators) had access to the application from the Internet. It was just a question of time to find the right user (using the vulnerability from the SSL VPN). After gaining unauthorized access, a very serious vulnerability was found quite quickly - SQL Injection, where a malicious SQL statement is inserted and executed by the database machine. The attacker would thus be able to obtain all the data in the database, as well as completely compromise the database server and gain access to the internal infrastructure.

Thanks to running tests of the external infrastructure in time, the public administration organ could fix the vulnerabilities we found and secure its perimeter from the interests of a real attacker.

Short description

Penetration testing the external infrastructure

An external penetration test simulates an attacker attacking the components of an information system from outside. The tests aim to determine how easily identifiable a target an organization's ICT infrastructure is, what technical information can be obtained on publicly available services, to detect vulnerabilities that can be exploited to gain unauthorized access to sensitive system resources and to propose recommendations for removing them.

The comprehensive security assessment of the external components tested during penetration testing includes the following steps:

identifying targets,
finding active services,
uncovering vulnerabilities,
exploiting vulnerabilities / gaining access,
escalating privileges and controlling the target.

Detailed description

When carrying out penetration tests, we rely primarily on the current OSSTMM methodology, with an emphasis on using the techniques listed below:

Identifying targets

Collecting as much information as possible (DNS names, IP addresses, publicly available information, registration databases, traces, response times, etc.).

Finding active services

Scanning open ports and running services,
detecting the type of operating system and individual software versions,
an emphasis on using system tools and automated scanners.

Uncovering vulnerabilities

Based on the results of the previous phases and further scanning, we find out where the vulnerabilities occur,
an attempt to exploit vulnerabilities and compromise services/systems,
we use powerful, commercial vulnerability scanners as well as our own proprietary tools.

Gaining access

An attempt to penetrate systems/services using the vulnerabilities found in previous phases,
the aim is primarily unauthorized acquisition of sensitive information, access to systems, etc.

Escalating privileges and controlling the target

The goal is to gain full control over the given asset,
or the possible use of the target for "pivoting" - attacking other systems through ones already compromised.

Why AEC?

We are an established Czech security company that has been successfully operating on the market for over 30 years.
We have more than 20 years of experience in the field of external infrastructure security.
We have the largest team of ethical hackers in the Czech Republic, one that is made up of more than 15 of our own employees.
We hold CEH, eMAPT, CISSP, OSCP, OSCE and many other certifications.
Our team is composed of specialists with experience from hundreds of projects.
We listen to our clients and adapt our tests to their needs and the time they have available.
We follow modern trends in security and technology.
During testing, we put an emphasis on a thorough enumeration of the specified targets. This leads to the uncovering a larger number of vulnerabilities.

References

Expobank CZ, a.s.
Poslanecká sněmovna Parlamentu České republiky
Diebold Nixdorf MAILPROFILER Development s.r.o.
ČEPS, a.s.

Contact us

First name:*
Surname:*
Company:*
Position:
E-mail:*
Phone:

I am interested in:
Agreement:*	I agree to the processing of my personal data for the purpose of sending marketing and business messages from AEC s.r.o.

Check:

REFERENCES

PRODUCT SHEET

CONTACT