Injecting Credentials
NodeZero can run pentests from the perspective of a compromised user. This perspective shows the impact an attacker could have when leveraging a specific set of credentials that are assumed to be compromised.
Users can run an authenticated pentest by injecting credentials into the pentest via the Real-Time View, as described below.
NodeZero uses injected credentials in ways that emulate how an attacker may use credentials they compromise. This feature allows users to execute "what if" scenarios to see what impacts may result from compromised credentials.
Why Inject Credentials?
What if employee X was phished?
No matter how advanced our network's technological defenses, humans have been and will continue to be a popular attack vector through which attackers can gain initial access. Whether through phishing attacks or other forms of social engineering, we should expect that user credentials may fall into an attacker's hands.
If your organization performs phishing exercises, you may identify users who are prone to being phished. By injecting their credentials into a pentest, NodeZero can generate a complete picture of the potential impacts of a successful phishing attack.
What if employee X goes rogue?
We all like to believe we can trust our employees and co-workers, but at Horizon3 we encourage our users to Trust but Verify. It is important to implement and verify access policies that use the concept of least privilege: users and service accounts should only have access to the resources to which they need access.
By injecting a credential for a user or service account into a pentest, NodeZero can generate a complete picture of what resources that account has access to.
How to Inject Credentials
Users can inject credentials through the Real-Time View immediately after launching a pentest.
Click the Inject Credentials button to open the Inject Credentials modal. In the modal, choose a credential type from the Add Credential drop-down to add a new credential. The supported credential types are shown in the table below.
Type | Description | Example |
---|---|---|
Domain User: Cleartext | Cleartext credentials for an Active Directory domain user. If there is not a domain controller in scope, NodeZero will not attempt to use this credential. An attacker may compromise this type of credential through various means including phishing, social engineering, keylogging, or password guessing. | Username: john.doe; Password: MyPassword123 |
Domain User: NTLM Hash | The NTLM hash for an Active Directory domain user. If there is not a domain controller in scope, NodeZero will not attempt to use this credential. An attacker may compromise this type of credential if they were able to dump the SAM or NTDS database on a domain controller. | Username: jdoe; Hash: 31d6cfe0d16ae931b73c59d7e0c089c0 |
Local User: Cleartext | Cleartext credentials for a local Windows or Linux user. These credentials include the IP address of the local machine and will be used to attempt login over SSH and SMB. An attacker may compromise this type of credential through various means including phishing, social engineering, keylogging, or password guessing. | Username: jdoe2; Password: MyPassword123; IP Address: 10.0.0.1 |
Local User: NTLM Hash | The NTLM hash for a local Windows user. These credentials include the IP address of the local machine and will be used to attempt logins over SMB. An attacker may compromise this type of credential if they are able to dump the SAM database on a local Windows machine. | Username: Administrator; Hash: 31d6cfe0d16ae931b73c59d7e0c089c0; IP Address: 192.168.0.1 |
AWS User: Access Keys | An AWS access key ID and secret access key. By injecting an AWS credential, all cloud resources belonging to the associated AWS account ID will be considered in scope. An attacker may compromise this type of credential by finding it on a compromised machine or file share, as such keys are commonly stored in files in the user's home directory. | Access Key ID: AKIASP2TPHJSVM75TWVN; Secret Access Key: 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 |
Tip
While you cannot inject an AWS Role in the Real-Time View, there is another way this can be accomplished. See: Injecting an AWS Role.
After entering the credential details, click the green checkmark. Add more credentials as desired, then click Submit to send the credentials to NodeZero.
You can view the status of credentials in the Real-Time View using the icons next to each credential. Credential states are shown below:
Tip
You may continue to inject credentials in the Real-Time View until the pentest completes and enters the Processing state. Injecting credentials may extend the duration of a pentest, but the best way to minimize the pentest operation runtime is to inject credentials early in the pentest.
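As an added example (this is not NodeZero's code and does not use any NodeZero API), a small pre-flight checker that applies the field requirements from the credential table above and the twenty-credential limit from the FAQ to a batch of credentials before they are typed into the Real-Time View. The credential type names, field names and the `dc_in_scope` flag are assumptions of this example.

```python
import ipaddress
import re

# Constructed checker (not NodeZero code, no NodeZero API): encodes the field
# requirements from the credential table and the 20-credential limit from the FAQ.
NTLM_HASH = re.compile(r"^[0-9a-fA-F]{32}$")
MAX_CREDENTIALS = 20  # per-pentest limit stated in the FAQ
REQUIRED = {  # required fields per credential type, from the table above
    "domain_cleartext": ("username", "password"),
    "domain_ntlm": ("username", "hash"),
    "local_cleartext": ("username", "password", "ip"),
    "local_ntlm": ("username", "hash", "ip"),
    "aws_access_keys": ("access_key_id", "secret_access_key"),
}
SECRET_FIELDS = {"password", "hash", "secret_access_key"}

def check_credential(cred, dc_in_scope):
    """Return a list of problems for one credential dict; an empty list means OK."""
    problems = []
    ctype = cred.get("type")
    if ctype not in REQUIRED:
        return [f"unsupported credential type: {ctype!r}"]
    for field in REQUIRED[ctype]:
        if not cred.get(field):
            problems.append(f"{ctype}: missing field {field!r}")
    if cred.get("hash") and not NTLM_HASH.match(cred["hash"]):
        problems.append(f"{ctype}: hash must be 32 hex characters")
    if "ip" in REQUIRED[ctype] and cred.get("ip"):
        try:
            ipaddress.ip_address(cred["ip"])
        except ValueError:
            problems.append(f"{ctype}: invalid IP address {cred['ip']!r}")
    # Domain credentials are not used when no domain controller is in scope.
    if ctype.startswith("domain_") and not dc_in_scope:
        problems.append(f"{ctype}: no domain controller in scope, credential would not be used")
    return problems

def check_batch(creds, dc_in_scope=True):
    """Check a batch; returns {index or 'batch': [problems]} for entries needing attention."""
    report = {}
    if len(creds) > MAX_CREDENTIALS:
        report["batch"] = [f"{len(creds)} credentials exceeds the limit of {MAX_CREDENTIALS}"]
    for i, cred in enumerate(creds):
        if problems := check_credential(cred, dc_in_scope):
            report[i] = problems
    return report

def describe(cred):
    """Redacted one-line description for notes: secret fields are never echoed."""
    return " ".join(f"{k}={'<redacted>' if k in SECRET_FIELDS else v}" for k, v in cred.items())
```

The `describe` helper mirrors the FAQ's point that only non-sensitive descriptions of credentials should ever be kept for a re-run; secret fields are redacted before anything is written down.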
FAQ
Is it safe to inject credentials in NodeZero?
Yes. Horizon3 takes the security of injected credentials seriously.
Once injected, credentials are securely transferred to NodeZero's ephemeral environment, which is dedicated to a single pentest and is destroyed once the pentest is completed. Sensitive parts of credentials (e.g. plaintext passwords, hashes, private keys, etc.) are never stored in persistent databases.
How many credentials can I inject?
NodeZero supports injecting up to twenty total credentials per pentest.
Are injected credentials used when re-running a pentest?
No. Since injected credentials are destroyed at the end of a pentest, NodeZero cannot use them when re-running a pentest.
However, in the Real-Time View you can see descriptions of the credentials that were used in the previous pentest. We encourage users to re-enter these credentials to get a comparable pentest experience.
Does injecting credentials increase the duration of a pentest?
There are many factors that affect pentest duration, the most significant of which are the number of live hosts, services, and web applications. When credentials are injected, NodeZero will attempt to authenticate with them and, if successful, will perform various post-exploitation tasks such as enumerating shares and dumping credentials on compromised hosts, which can lead to further discoveries that may extend the duration of the pentest.
The best way to minimize the pentest runtime is to inject credentials early in the pentest.