
Injecting Credentials

NodeZero can run pentests from the perspective of a compromised user. This perspective shows the impact an attacker could have by leveraging a specific set of credentials that are assumed to be compromised.

Users can run an authenticated pentest by injecting credentials into the pentest via the Real-Time View, as described below.

NodeZero uses injected credentials in ways that emulate how an attacker may use credentials they compromise. This feature allows users to execute "what if" scenarios to see what impacts may result from compromised credentials.

Why Inject Credentials?

What if employee X was phished?

No matter how advanced our network's technological defenses, humans have been and will continue to be a popular attack vector through which attackers can gain initial access. Whether through phishing attacks or other forms of social engineering, we should expect that user credentials may fall into an attacker's hands.

If your organization performs phishing exercises, you may identify a set of credentials that are prone to being phished. By injecting these credentials into a pentest, NodeZero can generate a complete picture of the potential impacts of a successful phishing attack.

What if employee X goes rogue?

We all like to believe we can trust our employees and co-workers, but at Horizon3 we encourage our users to Trust but Verify. It is important to implement and verify access policies that use the concept of least privilege: users and service accounts should only have access to the resources to which they need access.

By injecting a credential for a user or service account into a pentest, NodeZero can generate a complete picture of what resources that account has access to.

How to Inject Credentials

Users can inject credentials through the Real-Time View immediately after launching a pentest.


Click the Inject Credentials button to open the Inject Credentials modal. In the modal, choose a credential type from the Add Credential drop-down to add a new credential. The supported credential types are shown in the table below.

Type: Domain User: Cleartext
Description: Cleartext credentials for an Active Directory domain user. If there is not a domain controller in scope, NodeZero will not attempt to use this credential.

An attacker may compromise this type of credential through various means including phishing, social engineering, key logging, or password guessing.
Example:
Username: john.doe
Password: MyPassword123

Type: Domain User: NTLM Hash
Description: The NTLM Hash for an Active Directory domain user. If there is not a domain controller in scope, NodeZero will not attempt to use this credential.

An attacker may compromise this type of credential if they were able to dump the SAM or NTDS database on a domain controller.
Example:
Username: jdoe
Hash: 31d6cfe0d16ae931b73c59d7e0c089c0

Type: Local User: Cleartext
Description: Cleartext credentials for a local Windows or Linux user. These credentials include the IP address of the local machine and will be used to attempt login over SSH and SMB.

An attacker may compromise this type of credential through various means including phishing, social engineering, key logging, or password guessing.
Example:
Username: jdoe2
Password: MyPassword123
IP Address: 10.0.0.1

Type: Local User: NTLM Hash
Description: The NTLM Hash for a local Windows user. These credentials include the IP address of the local machine and will be used to attempt logins over SMB.

An attacker may compromise this type of credential if they are able to dump the SAM database on a local Windows machine.
Example:
Username: Administrator
Hash: 31d6cfe0d16ae931b73c59d7e0c089c0
IP Address: 192.168.0.1

Type: AWS User: Access Keys
Description: An AWS access key and secret access key. By injecting an AWS credential, all cloud resources belonging to the associated AWS ID will be considered in scope.

An attacker may compromise this type of credential by finding it on a compromised machine or file share, as they are commonly stored in files in the user's directory.
Example:
Access Key ID: AKIASP2TPHJSVM75TWVN
Secret Access Key: hqJqp7aq/u/Lo15X9ABLGkmzrJKnNrLNVAnqr0Sp

Type: Azure
Description: The username and password of an Azure user. NodeZero will authenticate to Azure using these credentials.

The pentest will include all cloud resources and services that this resource can access.

An attacker may compromise this type of credential through various means including phishing, social engineering, key logging, or password guessing.

Note: Microsoft has deprecated the use of non-MFA enabled accounts. When Microsoft fully prohibits their use, Azure non-MFA credentials will no longer be a valid credential type for injection. For details, see Microsoft’s Azure Mandatory Multifactor Authentication: Phase 2 blog post.
Example:
Enter Entra ID username in UPN format: john.doe@example.com
Enter Entra ID Password: MyPassword123

Type: Azure MFA
Description: NodeZero will authenticate to Azure using an Azure MFA device code with the Azure Tenant ID provided. You will receive an email alert when it is time to enter your MFA code from the Real-Time View page.

The pentest will include all cloud resources and services that this resource can access. For more detailed instructions, see Injecting an Azure MFA Credential.

Need help finding your Tenant ID? See Microsoft’s How to find your Microsoft Entra tenant ID topic for step-by-step instructions.
Example:
Tenant ID: aaaabbbb-0000-cccc-1111-dddd2222eeee

Type: Azure Service Principal Certificate
Description: NodeZero will authenticate using a service principal certificate (in .pfx format) that you provide. You also need to provide the Tenant ID and Application ID. If the .pfx cert is password-protected, you need to provide its password.

The pentest will include all cloud resources and services that this resource can access.

An attacker may compromise this type of credential by finding it on a compromised machine.

Need help finding your Service Principal’s Application ID in the Entra portal? See Microsoft’s Application and Service Principal Objects in Microsoft Entra ID topic.

Need help finding your Tenant ID? See Microsoft’s How to Find Your Microsoft Entra Tenant ID topic for step-by-step instructions.
Example:
Tenant ID: aaaabbbb-0000-cccc-1111-dddd2222eeee
Application ID: 00001111-aaaa-2222-bbbb-3333cccc4444
.pfx file: myserviceprincipalcert.pfx
Password (if the .pfx certificate is password-protected): MyPassword123

Tip

While you cannot inject an AWS Role in the Real-Time View, there is another way to accomplish this. See: Injecting an AWS Role.


After entering the credential details, click the green checkmark. Add more credentials as desired, then click Submit to send the credentials to NodeZero.
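A pre-flight check for a batch of credentials before they are typed into the modal, as an added example that is not Horizon3 code and calls no NodeZero API: it checks each entry against the formats of the credential types listed above and the 20-credential limit from the FAQ. The type and field names are hypothetical; the AWS key ID pattern and the empty-password NT hash are general facts rather than statements from this page.

```python
import ipaddress
import re

MAX_CREDENTIALS = 20  # per-pentest limit stated in the FAQ
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password
HEX32 = re.compile(r"[0-9a-fA-F]{32}").fullmatch
GUID = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}").fullmatch
UPN = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+").fullmatch
AWS_KEY_ID = re.compile(r"AKIA[A-Z0-9]{16}").fullmatch
PFX = re.compile(r".+\.pfx", re.IGNORECASE).fullmatch

def is_ip(value):
    try:
        return ipaddress.ip_address(value) is not None
    except ValueError:
        return False

# Hypothetical type and field names; one format check per required field.
RULES = {
    "domain_cleartext": {"username": bool, "password": bool},
    "domain_ntlm": {"username": bool, "hash": HEX32},
    "local_cleartext": {"username": bool, "password": bool, "ip": is_ip},
    "local_ntlm": {"username": bool, "hash": HEX32, "ip": is_ip},
    "aws_keys": {"access_key_id": AWS_KEY_ID, "secret_access_key": bool},
    "azure": {"username": UPN, "password": bool},
    "azure_mfa": {"tenant_id": GUID},
    "azure_sp_cert": {"tenant_id": GUID, "app_id": GUID, "pfx": PFX},
}

def preflight(creds, dc_in_scope):
    """Return (index, message) problems for a batch; index None is batch-wide."""
    problems = []
    if len(creds) > MAX_CREDENTIALS:
        problems.append((None, f"more than {MAX_CREDENTIALS} credentials in one pentest"))
    for i, cred in enumerate(creds):
        ctype = str(cred.get("type"))
        if ctype not in RULES:
            problems.append((i, "unknown credential type"))
        for field, check in RULES.get(ctype, {}).items():
            value = cred.get(field)
            if not (isinstance(value, str) and check(value)):
                problems.append((i, f"{field}: missing or malformed"))
        if ctype.startswith("domain_") and not dc_in_scope:
            problems.append((i, "no domain controller in scope, so it will not be used"))
        if str(cred.get("hash", "")).lower() == EMPTY_NT_HASH:
            problems.append((i, "hash is the NT hash of an empty password"))
    return problems
```

Call `preflight(batch, dc_in_scope=...)` with a list of dictionaries; an empty list back means no format problems were found. The sample hash shown for the NTLM types above is the empty-password value this check reports.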

You can view the status of credentials in the Real-Time View using the icons next to each credential. Credential states are shown below:

State: Pending
Description: The credential has been submitted but has not yet been received by NodeZero. This state may occur when a pentest first begins until the ephemeral infrastructure is fully deployed.

State: Received
Description: The credential has been received by NodeZero. If NodeZero has attempted to use the credential but authentication was unsuccessful, it will remain in the Received state.

State: Confirmed
Description: The credential has been used by NodeZero to successfully authenticate within the target environment.

Tip

You may continue to inject credentials in the Real-Time View until the pentest completes and enters the Processing state. Injecting credentials may extend the duration of a pentest, but the best way to minimize the pentest operation runtime is to inject credentials early in the pentest.

FAQ

Is it safe to inject credentials in NodeZero?

Yes. Horizon3 takes the security of injected credentials seriously.
Once injected, credentials are securely transferred to NodeZero's ephemeral environment, which is dedicated to a single pentest and is destroyed once the pentest is completed. Sensitive parts of credentials (e.g. plaintext passwords, hashes, private keys, etc.) are never stored in persistent databases.

How many credentials can I inject?

NodeZero supports injecting up to twenty total credentials per pentest.

Are injected credentials used when re-running a pentest?

No. Since injected credentials are destroyed at the end of a pentest, NodeZero cannot use them when re-running a pentest.
However, in the Real-Time View you can see descriptions of the credentials that were used in the previous pentest. We encourage users to re-enter these credentials to get a comparable pentest experience.

Does injecting credentials increase the duration of a pentest?

Many factors affect pentest duration, the most significant of which are the number of live hosts, services, and web applications. When credentials are injected, NodeZero will attempt to authenticate with them and, if successful, will perform various post-exploitation tasks such as enumerating shares and dumping credentials on compromised hosts. These tasks can lead to further discoveries that may extend the duration of the pentest.

The best way to minimize the pentest runtime is to inject credentials early in the pentest.