The top five avenues to pentest success

It may seem like a pen testers job is extremely difficult. That testers have the seemingly impossible job of having to know how to both secure and demonstrate exploitation and risk of every device, every service, and every application they run across. The truth is, however that a tester can be wildly successful and have relatively limited knowledge of specific assets if an organization has not taken basic precautions in hardening their network. So without further ado, these are my top five paths to domain admin, which in my personal experience amounted to 99% of the engagements I came across in internal testing.

Open shares

This may seem like common sense but the most common path to domain admin was usually finding credentials saved in an open file share. With shares, its possible to have security set to everyone/anonymous and not knows it. So you should routinely check, add this to your monthly to-do.

On windows see the advanced IP scanner

On Linux this one-liner nmap script will carve out open file shares and save them to a text file, just adjust the ip range accordingly.

nmap -T4 -v -oA myshares –script smb-enum-shares –script-args smbuser=pwndizzle,smbpass=mypassword -p445 && cat myshares.nmap|grep ‘|\|192’|awk ‘/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/ { line=$0 } /\|/ { $0 = line $0}1’|grep \||grep -v -E ‘(smb-enum-shares|access: <none>|ADMIN\$|C\$|IPC\$|U\$|access: READ)’|awk ‘{ sub(/Nmap scan report for /, “”); print }’ >> sharelist.txt

Layer 2 protocol exploitation

In a network containing more then a hundred devices you should configure separate broadcast domains or vlans for each major group of devices such as printers, workstations, servers etc. Segmenting is the first step in securing layer 2 of your network.

The second step is hardening switches to prevent arp cache poisioning, or broadcast based attacks such as a rouge DHCP. This can be done by turning on controls for Dynamic ARP inspection within your switches. These can be easily exploited used either Cain & Abel (windows), or Ettercap which is installed by default in Kali Linux.
The third has to do with client device configuration. In your build checklists, or baseline images for user workstations you should take the time to disable LLMNR, NetBios broadcasts, and disable proxy server auto configuration to prevent workstations from connecting to a hosts labeled WPAD if its not used. These protocols offer no authentication, and are simple to exploit using a tool Responder available at

Default passwords or no password

If I can login to your datacenters UPS with default creds does this represent a risk? What about cameras? Printers? Scanners? Is there confidential information on these devices? In my experience there is.

To avoid the problem of rolling devices out with default credentials implement deployment guidelines (or a checklist item), which includes changing the password.

Devices that have never been updated (in years)

MS08-067 is one of the most commonly exploited vulnerabilities in a pentest despite the fact that its almost nine years old now. Typically devices with this level of exploitability are discovered for one of two reasons.

The first, is no one is allowed to update the device due to some vendor requirement or fickle application. If you have devices that can never be updated they shouldn’t be attached to the network as a mater of policy.

The second, is teams simply don’t know the device is on the network . This unfortunately is a symptom of a larger problem with not knowing what you have and will take not just a piece of technology to fix but cooperation between your development, networking, and security teams. The end result should be a process and technology to track every asset and verify that it adheres to standard IT policies, which should include installing updates.

Social engineering

There is no quicker way to get access to an organization then through a phishing email campaign. If I can load up a campaign, setup a landing page to serve malware and discover a large number of your organizations email addresses I have never not been successful.

To combat this threat training should be engaging for end users. Don’t simply beat people with a stick if they fail a phishing exercise. Instead find ways to make the experience enjoyable. Consider a reward programs to staff that forward phishing emails to security, and conduct training often. A weekly or monthly phishing training email takes very little effort and can be implemented using plethora of open source tools including: