Attack Configuration
When configuring a pentest with NodeZero, users are given the option to enable or disable a set of Attack Configuration Options. These options are controllable because they affect the performance of the pentest, or because they have the potential to disrupt the target environment.
This reference page lists the attack configuration flags available in NodeZero, along with descriptions of how these flags affect NodeZero's behavior.
Info
When all attack config options are disabled, the operation is still a pentest.
The following activities are performed:
- Asset Discovery
- Identifying potential vulnerabilities
- Exploiting most vulnerabilities/misconfigurations (that have been vetted to not have an operational impact on the target)
- Limited credential discovery and credential pivoting
The following activities are not performed:
- Windows Active Directory attacks
- Man-in-the-middle attacks
- Hash cracking
- Password Spray
- Azure AD pivoting
- Default Cred checking
- OS credential dumping
- Any brute force enumeration
- Any exploits specifically disabled in the advanced config (but most exploits are still executed as described above)
Brute Force
Properties related to modules that carry out brute force attacks.
Name | Description | Risk |
---|---|---|
DNS | Enables brute forcing of internal DNS records. Only applies if an operation has been scheduled with the Intelligent Scope option. This may place noticeable load on DNS servers in the network. | low |
S3 | Enables brute-force discovery of S3 buckets using wordlists and top level company domain names. This can add significant time if the pentest has been configured to run against many top-level domains. | none |
Subdomains | Enables brute-force discovery of company subdomains using a large wordlist of common subdomain names. This can aid in the discovery of more external assets but significantly extend the time it takes for discovery to complete. | none |
Credential Verification
Properties related to modules that use credentials discovered by NodeZero to access services in the environment.
Name | Description | Risk |
---|---|---|
Azure AD Credential Pivoting | Enables using domain user credentials discovered in an internal pentest against Azure Active Directory services. Requires user-entered Domains from the OSINT step. | none |
Azure AD Password Spray | Enables NodeZero to password spray Azure cloud users with common passwords. By default, a user will only be tried three times every 60 minutes. There is a small chance of locking out accounts. | moderate |
Credential Reuse | Checks for access to services and shares using local user (non-domain) authentication. | none |
Domain User | Checks for Windows domain user access by authenticating with credentials against the SMB service running on the Windows Domain Controller. | none |
Internal Password Spray | Enables NodeZero to password spray domain users with common passwords. By default, a user will only be tried twice every 60 minutes. | moderate |
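The spray options above are throttled to two or three attempts per user every 60 minutes, which stays below the per-account failure count a typical lockout policy watches. The following detection logic, added here as an illustration and not part of NodeZero, runs over constructed sample failed-logon events and shows why a defender should count distinct target accounts per source within a 60-minute window rather than failures per account; the sample IPs and usernames are invented.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=60)

# Constructed sample failed-logon events (not real logs): (timestamp, source_ip, target_user).
# 10.0.0.23 fails against five users, at most twice per user inside the hour: the shape
# of a spray throttled to two attempts per user per 60 minutes. 10.0.0.77 is one user
# mistyping their own password three times and should not be reported as a spray.
SAMPLE_FAILED_LOGONS = [
    ("2024-01-15T09:00:00", "10.0.0.23", "alice"),
    ("2024-01-15T09:00:05", "10.0.0.23", "bob"),
    ("2024-01-15T09:00:10", "10.0.0.23", "carol"),
    ("2024-01-15T09:00:15", "10.0.0.23", "dave"),
    ("2024-01-15T09:00:20", "10.0.0.23", "erin"),
    ("2024-01-15T09:30:00", "10.0.0.23", "alice"),
    ("2024-01-15T09:30:05", "10.0.0.23", "bob"),
    ("2024-01-15T09:05:00", "10.0.0.77", "frank"),
    ("2024-01-15T09:05:30", "10.0.0.77", "frank"),
    ("2024-01-15T09:06:00", "10.0.0.77", "frank"),
]


def _parse(events):
    return sorted((datetime.fromisoformat(ts), src, user) for ts, src, user in events)


def max_failures_per_account(events):
    """Per-account view, the one a lockout policy sees: peak failures per user in any window."""
    by_user = defaultdict(list)
    for t, _src, user in _parse(events):
        by_user[user].append(t)
    peak = {}
    for user, ts in by_user.items():
        peak[user] = max(sum(1 for t in ts if t0 <= t <= t0 + WINDOW) for t0 in ts)
    return peak


def spray_sources(events, min_distinct_users=4):
    """Per-source view: sources that fail against at least min_distinct_users accounts in one window."""
    by_src = defaultdict(list)
    for t, src, user in _parse(events):
        by_src[src].append((t, user))
    flagged = {}
    for src, items in by_src.items():
        for t0, _ in items:
            users = {u for t, u in items if t0 <= t <= t0 + WINDOW}
            if len(users) >= min_distinct_users:
                flagged[src] = max(flagged.get(src, 0), len(users))
    return flagged
```

On the sample data no account reaches five failures, so a five-strike lockout rule never fires, while the per-source view flags 10.0.0.23 for touching five distinct accounts in one window.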
Data
Properties related to data discovery.
Name | Description | Risk |
---|---|---|
Domain Admin Scanning of SMB Shares | Enables scanning of SMB shares using domain administrator credentials that were injected into the pentest or discovered during the course of the pentest. Enabling this flag provides a more complete picture of data risk but can add significant time to the pentest. | none |
Extended Domain User Scanning of SMB Shares | Enables scanning of all SMB shares accessible to domain users whose credentials were injected into the pentest or discovered during the course of the pentest. | none |
Verify Permissions on SMB Shares | Verify read, write, list, and delete permissions on an SMB share by writing a test file and deleting it afterwards. Cleanup of the test file may fail in exceptional circumstances. | none |
Default Credentials
Properties related to modules that check for default credentials using a dictionary attack with known default credentials.
Name | Description | Risk |
---|---|---|
FTP | Enables checking default credentials against FTP services found by NodeZero. | low |
Microsoft SQL Server | Enables checking default credentials against Microsoft SQL Server databases found by NodeZero. There is a small chance of locking out the sa account. | moderate |
MongoDB | Enables checking default credentials against MongoDB databases found by NodeZero. | low |
MySQL | Enables checking default credentials against MySQL databases found by NodeZero. | low |
PostgreSQL | Enables checking default credentials against PostgreSQL databases found by NodeZero. | low |
SNMP | Enables checking default SNMPv1 community strings against SNMP services found by NodeZero. | low |
SSH | Enables checking default credentials against SSH services found by NodeZero. Against older ESXi servers vulnerable to CVE-2019-5528, this module may trigger a partial denial of service condition in the hostd process. | moderate |
Telnet | Enables checking default credentials against telnet services found by NodeZero. | low |
Web | Enables checking default credentials against HTTP or HTTPS web servers found by NodeZero. | low |
Environment Impact
Properties related to modules that change the environment. All modules attempt to clean up after themselves but there is a small chance cleanup may fail.
Name | Description | Risk |
---|---|---|
ADCS ESC4 Attack - Misconfigured Templates Access Controls | Exploit vulnerable Active Directory Certificate Templates that allow an unprivileged user to overwrite Certificate Template security features -- enabling Subject Alternative Name (SAN). Restoration of original template configuration may fail in exceptional cases. | none |
Anonymous Docker Engine Write Check | Checks for write privileges against a Docker Engine instance that allows anonymous (unauthenticated) access. The check attempts to create a Docker container or pull a Docker image and deletes the container or image afterwards. | none |
Anonymous Printer Access | Check for anonymous access to printers over port 9100. This check may cause certain printer models to print out pages. | moderate |
Anonymous ZooKeeper Write Check | Checks for write privileges against a ZooKeeper instance that allows anonymous (unauthenticated) access. The check writes to a ZooKeeper node and deletes it afterwards. | none |
Atlassian Crowd and Crowd Data Center Remote Code Execution (CVE-2019-11580) | Checks for exploitability of CVE-2019-11580 by uploading a malicious JAR file. This upload is likely to be caught by AV software on the host. Cleanup of the JAR file may fail in exceptional cases. | none |
CVE-2022-26923 (Certifried) Privilege Escalation - Creation of Machine Account | Attempt to exploit vulnerable Active Directory Certificate Services Privilege Escalation by creating a machine account and manipulating its attributes. Deletion of the machine account may fail in exceptional circumstances. | none |
Elasticsearch Write Check | Checks for write privileges against an Elasticsearch cluster. The check attempts to create an index and deletes it afterwards. | none |
FTP Write Check | Checks for write privileges against an FTP server. The check creates a remote directory and deletes it afterwards. | none |
Insecure JMX (H3-2020-0022) | Tests exploitability of the insecure JMX weakness (H3-2020-0022). The test checks for remote code execution by installing a payload on the vulnerable JMX service, runs a small set of commands using the payload, and uninstalls the payload at the end. There is a small chance that cleanup of the payload may fail. | none |
ManageEngine ServiceDesk Plus PreAuth RCE (CVE-2021-44077) | Checks for exploitability of CVE-2021-44077 by uploading a malicious payload through one API and executing the payload through another API. This upload is likely to be caught by AV software on the host. If successful, this exploit will leave behind a file msiexec.exe in the ManageEngine\ServiceDesk\site24x7 folder. | none |
Subdomain Takeover | Proactively take over and hold onto subdomains that are vulnerable to subdomain takeover (H3-2021-0002) to prevent bad actors from compromising them first. | none |
VMWare vCenter Server Access Control Vulnerability (CVE-2020-3952) | Checks for exploitability of CVE-2020-3952 by adding an administrative user and removing it afterwards. | none |
VMWare vCenter Server Plugin Remote Code Execution Vulnerability (CVE-2021-21972) | Checks for exploitability of CVE-2021-21972 by installing a webshell, executing a command within the webshell, and removing it afterwards. For vCenter servers running on Linux, it is possible that randomly-named webshells will be left behind on the vulnerable vCenter server if the exploit fails. | none |
VMWare vRealize Operations Manager SSRF Vulnerability (CVE-2021-21975) | Checks for exploitability of CVE-2021-21975 and CVE-2021-21983 by installing a randomly named webshell, executing a command within the webshell, and removing it afterwards. Cleanup of the webshell may fail in exceptional cases. | none |
Zoho ManageEngine ADSelfService Plus API Auth Bypass (CVE-2021-40539) | Checks for exploitability of CVE-2021-40539 by uploading a malicious JAR file. This upload is likely to be caught by AV software on the host. Cleanup of the JAR file may fail in exceptional cases. | none |
Exploitation
Attempt exploitation of a vulnerability to confirm that it can be exploited by NodeZero.
Name | Description | Risk |
---|---|---|
Bluekeep (CVE-2019-0708) | Tests exploitability of the Bluekeep vulnerability (CVE-2019-0708). There is a moderate-level risk this exploit may crash the target host, and it is not recommended for use against production systems. | high |
Cisco Smart Install Vulnerability (CVE-2018-0171) | Tests exploitability of the Cisco Smart Install vulnerability (CVE-2018-0171). The test attempts to pull router config from the vulnerable router via the TFTP protocol. Against a few older models of Cisco routers, running this exploit may cause the router to reload or go down. | moderate |
EternalBlue (MS17-010) | Tests exploitability of the Windows SMB remote code execution vulnerability EternalBlue. This is a kernel buffer overflow exploit and carries a moderate risk of crashing the target. It is not recommended for use against production systems. This exploit is only attempted if NodeZero is able to reliably determine the target operating system and NodeZero is not able to first exploit EternalChampion/EternalSynergy/EternalRomance. | moderate |
EternalChampion/EternalSynergy/EternalRomance (MS17-010) | Tests exploitability of the Windows SMB remote code execution vulnerabilities EternalChampion, EternalSynergy, and EternalRomance. | low |
Exploding Can (CVE-2017-7269) | Tests exploitability of the IIS 6.0 WebDAV vulnerability CVE-2017-7269, aka Exploding Can. | low |
HP iLO Web API Remote Code Execution (CVE-2017-12542) | Tests exploitability of the HP iLO Web API Remote Code Execution vulnerability (CVE-2017-12542). The test attempts to retrieve users and their credentials by exploiting a heap-based buffer overflow. | low |
Heartbleed (CVE-2014-0160) | Tests exploitability of the Heartbleed vulnerability (CVE-2014-0160), if discovered by NodeZero. This test dumps memory from the vulnerable server. | low |
Server Service Vulnerability (MS08-067) | Tests exploitability of the Windows SMB remote code execution vulnerability CVE-2008-4250, aka MS08-067. There is a high likelihood that this exploit will crash the SMB service on the target after successful exploitation. | high |
Hash Cracking
Properties related to cracking hashes found in the environment.
Name | Description | Risk |
---|---|---|
Automatic Hash Cracking | Automatically attempt to crack hashes found in the environment. | none |
Man in the Middle Attacks
Properties related to modules that conduct man-in-the-middle (MITM) attacks.
Name | Description | Risk |
---|---|---|
Expanded LLMNR and NetBIOS poisoning | Enables sniffing of cleartext passwords and hashes sent over insecure protocols such as LLMNR, NetBIOS, SMB v1, and HTTP. This will sniff all available traffic regardless of scope. | none |
Limited LLMNR and NetBIOS poisoning | Enables sniffing of cleartext passwords and hashes sent over insecure protocols such as LLMNR, NetBIOS, SMB v1, and HTTP. This is limited to the scope provided during the configuration of the pentest. If selected, this option overrides the 'Expanded LLMNR and NetBIOS poisoning' option. | none |
Net-NTLM Authentication Coercion | Enables Net-NTLM authentication coercion techniques. This allows attackers to capture Net-NTLM (NTLMv2) hashes by coercing machines to authenticate to an attacker-controlled server. | none |
Net-NTLM Hash Relaying | Enables SMB relay attacks. This allows attackers to gain unauthorized access to machines by capturing Net-NTLM (NTLMv2) hashes over the network and relaying them to target SMB servers. | none |
Post-Exploitation
Properties related to actions taken after compromising a host.
Name | Description | Risk |
---|---|---|
SSH | Enables post-exploit actions such as system enumeration and privilege escalation on hosts for which SSH access was gained. In exceptional circumstances, files may be left on disk in the /tmp folder. | none |
Windows Credential Dumping - LSA Secrets | Enables dumping of credentials from the Local Security Authority (LSA) after gaining administrative access to a Windows machine. In exceptional circumstances, cleanup may fail, leaving files on disk. | none |
Windows Credential Dumping - LSASS | Enables dumping of credentials stored in the Local Security Authority Subsystem Service (LSASS) process, after gaining administrative access to a Windows machine. In exceptional circumstances, cleanup may fail, leaving files on disk. | low |
Windows Credential Dumping - SAM | Enables dumping of credentials from the Security Account Manager (SAM) database after gaining administrative access. In exceptional circumstances, cleanup may fail, leaving files on disk. | none |