Attack Configurations
An Attack Configuration in NodeZero refers to a set of customizable settings that define how the system behaves during a penetration test. These settings allow you to enable or disable specific attack modules to tailor the pentest according to your target environment and objectives. Users are given the option to enable or disable a set of Attack Configuration Options because they affect the performance of the pentest or have the potential to disrupt the target environment. This flexibility allows NodeZero to adapt to different test scenarios and helps ensure that tests are focused and effective.
The image below shows a screenshot from an Internal Pentest.
Figure 1 - Screenshot of the attack configuration options for an internal pentest
Attack Configuration options may vary depending on the pentest type.
When all options are disabled, the operation is still a pentest.
The following activities are performed:
- Asset Discovery
- Identifying potential vulnerabilities
- Exploiting most vulnerabilities/misconfigurations (that have been vetted to not have an operational impact on the target)
- Limited credential discovery and credential pivoting
The following activities are not performed:
- Windows Active Directory attacks
- Man-in-the-middle attacks
- Hash cracking
- Password Spray
- Azure AD pivoting
- Default Cred checking
- OS credential dumping
- Any brute force enumeration
- Any exploits specifically disabled in the advanced config (but most exploits are still executed as described above)
Categories and Options
Below is a summary of the different attack configuration categories and their available options:
Brute Force
This category involves using brute-force techniques to discover sensitive resources such as DNS records, subdomains, and cloud storage buckets, often by applying wordlists or domain names.
Option | Description | Risk |
---|---|---|
DNS | Enables brute-forcing of internal DNS records. Only applies if an operation has been scheduled with the Intelligent Scope option. This may place noticeable load on DNS servers. | low |
Domain User | Enumerate domain users using brute force methods against a domain controller. Disabling this flag will hinder the execution of certain attack techniques. | low |
S3 | Enables brute-force discovery of S3 buckets using wordlists and top-level company domain names. This can add significant time if the pentest runs against many top-level domains. | none |
Subdomains | Enables brute-force discovery of company subdomains using a large wordlist of common subdomain names. This can aid in discovering more external assets but significantly extend the time it takes. | none |
Data
This section covers options for scanning and analyzing sensitive data on SMB and NFS shares. These configurations help assess the security of network shares and verify permissions, providing a deeper view of data risks during a pentest. Enabling these options may increase the pentest duration.
Option | Description | Risk |
---|---|---|
Domain Admin Scanning of SMB Shares | Enables scanning of SMB shares using domain administrator credentials that were injected into the pentest or discovered during the course of the pentest. This provides a more complete picture of data risk but can add significant time to the pentest. | none |
Extended Domain User Scanning of SMB Shares | Enables scanning of all SMB shares accessible to domain users whose credentials were injected into the pentest or discovered during the course of the pentest. | none |
Extract and analyze files from NFS shares | Retrieve, parse, extract, and analyze data from sensitive files on NFS shares. Files are analyzed one at a time and deleted after the analysis is complete. | none |
Verify Permissions on SMB Shares | Verify read, write, list, and delete permissions on an SMB share by writing a test file and deleting it afterward. Cleanup of the test file may fail in exceptional circumstances. | none |
Environmental Impact
This section configures tests that assess the impact of penetration testing on the environment, including vulnerabilities, misconfigurations, and access control weaknesses in critical systems.
Option | Description | Risk |
---|---|---|
Active Directory - Creation of Machine Account | Attempts to add a domain machine account during exploitation of common AD vulnerabilities and misconfigurations (e.g. CVE-2022-33679, CVE-2022-26923, RBCD attacks). Deletion of machine accounts may fail if the correct permissions are not obtained. | none |
ADCS ESC4 Attack - Misconfigured Templates Access Controls | Exploit vulnerable Active Directory Certificate Templates that allow an unprivileged user to overwrite Certificate Template security features -- enabling Subject Alternative Name (SAN). Restoration of original template configuration may fail in exceptional cases. | none |
Anonymous Docker Engine Write Check | Checks for write privileges against a Docker Engine instance that allows anonymous (unauthenticated) access. The check attempts to create a Docker container or pull a Docker image and deletes the container or image afterwards. | none |
Anonymous Printer Access | Check for anonymous access to printers over port 9100. This check may cause certain printer models to print out pages. | moderate |
Anonymous ZooKeeper Write Check | Checks for write privileges against a ZooKeeper instance that allows anonymous (unauthenticated) access. The check writes to a ZooKeeper node and deletes it afterwards. | none |
Application Administrator Account Creation | Some exploits require the creation of an administrative user for an application. In certain instances, NodeZero is unable to remove this user after exploitation. Manual cleanup will be required. | none |
Atlassian Crowd and Crowd Data Center Remote Code Execution (CVE-2019-11580) | Checks for exploitability of CVE-2019-11580 by uploading a malicious JAR file. This upload is likely to be caught by AV software on the host. Cleanup of the JAR file may fail in exceptional cases. | none |
AWS IAM Privilege Escalation | Allow NodeZero to attempt IAM privilege escalation by modifying AWS identity and trust relationship policies. There is a small chance setting policies back to their original settings may fail. | none |
Elasticsearch Write Check | Checks for write privileges against an Elasticsearch cluster. The check attempts to create an index and deletes it afterwards. | none |
Entra ID App/Directory Role Privilege Escalation | Attempt Privilege Escalation in Entra ID by adding App or Directory Roles to a user or service principal. Cleanup may fail -- leaving the affected object with elevated privileges. | none |
Entra ID Application Service Principal Abuse | Allow NodeZero to abuse vulnerable Entra Service Principals by modifying application owners, and adding credentials to Service Principals. There is a small chance cleanup of these artifacts fails. | none |
FTP Write Check | Checks for write privileges against an FTP server. The check creates a remote directory and deletes it afterwards. | none |
Insecure JMX (H3-2020-0022) | Tests exploitability of the insecure JMX weakness (H3-2020-0022). The test checks for remote code execution by installing a payload on the vulnerable JMX service, runs a small set of commands using the payload, and uninstalls the payload at the end. There is a small chance that cleanup of the payload may fail. | none |
ManageEngine ServiceDesk Plus PreAuth RCE (CVE-2021-44077) | Checks for exploitability of CVE-2021-44077 by uploading a malicious payload through one API and executing the payload through another API. This upload is likely to be caught by AV software on the host. If successful, this exploit will leave behind a file msiexec.exe in the ManageEngine\ServiceDesk\site24x7 folder. | none |
Set Expired Credentials | Allows NodeZero to set expired credentials in order to further attacks. | none |
Subdomain Takeover | Proactively take over and hold onto subdomains that are vulnerable to subdomain takeover (H3-2021-0002) to prevent bad actors from compromising them first. | none |
VMWare vCenter Server Access Control Vulnerability (CVE-2020-3952) | Checks for exploitability of CVE-2020-3952 by adding an administrative user and removing it afterwards. | none |
VMWare vCenter Server Plugin Remote Code Execution Vulnerability (CVE-2021-21972) | Checks for exploitability of CVE-2021-21972 by installing a webshell, executing a command within the webshell, and removing it afterwards. For vCenter servers running on Linux, it is possible that randomly-named webshells will be left behind on the vulnerable vCenter server if the exploit fails. | none |
VMWare vRealize Operations Manager SSRF Vulnerability (CVE-2021-21975) | Checks for exploitability of CVE-2021-21975 and CVE-2021-21983 by installing a randomly named webshell, executing a command within the webshell, and removing it afterwards. Cleanup of the webshell may fail in exceptional cases. | none |
Zoho ManageEngine ADSelfService Plus API Auth Bypass (CVE-2021-40539) | Checks for exploitability of CVE-2021-40539 by uploading a malicious JAR file. This upload is likely to be caught by AV software on the host. Cleanup of the JAR file may fail in exceptional cases. | none |
Extended Scope
This section includes advanced tests for vulnerabilities in mobile device management systems and other extended targets.
Option | Description | Risk |
---|---|---|
Intune Mobile Device Management Remote Code Execution (RCE) | Allow NodeZero to attempt RCE on devices running Intune MDM by uploading platform scripts to Microsoft Endpoint Manager. | none |
Man in the Middle Attacks
Modules in this section perform man-in-the-middle (MITM) attacks to intercept and manipulate network traffic, capturing cleartext credentials and performing attacks like NTLM hash relaying.
Option | Description | Risk |
---|---|---|
Expanded LLMNR and NetBIOS poisoning | Enables sniffing of cleartext passwords and hashes sent over insecure protocols such as LLMNR, NetBIOS, SMB v1, and HTTP. This will sniff all available traffic regardless of scope. | none |
Limited LLMNR and NetBIOS poisoning | Enables sniffing of cleartext passwords and hashes sent over insecure protocols such as LLMNR, NetBIOS, SMB v1, and HTTP. This is limited to the scope provided during the configuration of the pentest. If selected, this option overrides the 'Expanded LLMNR and NetBIOS poisoning' option. | none |
Net-NTLM Authentication Coercion | Enables Net-NTLM Authentication coercion techniques. This allows attackers to capture Net-NTLM (NTLMv2) hashes by coercing machines to authenticate to an attacker controlled server. | none |
Net-NTLM Hash Relaying | Enables SMB relay attacks. This allows attackers to gain unauthorized access to machines by capturing Net-NTLM (NTLMv2) hashes over the network and relaying them to target SMB servers. | none |
Post Exploitation
This section contains actions that are performed after compromising a host, such as deploying remote access tools, dumping credentials, and escalating privileges.
Option | Description | Risk |
---|---|---|
NodeZero Remote Access Tool | Allows NodeZero to load Remote Access Tools onto compromised hosts to further attack paths. Depending on the type of weakness exploited, files may be left behind on disk within the C:\Windows folder. | none |
SSH | Enables post-exploit actions such as system enumeration and privilege escalation on hosts for which SSH access was gained. In exceptional circumstances, files may be left on disk in the /tmp folder. | none |
Windows Credential Dumping - DPAPI Secrets | Enables dumping of credentials from secrets encrypted with DPAPI keys after gaining administrative access to a Windows machine. In exceptional circumstances, cleanup may fail, leaving files on disk. | none |
Windows Credential Dumping - LSA Secrets | Enables dumping of credentials from the Local Security Authority (LSA) after gaining administrative access to a Windows machine. In exceptional circumstances, cleanup may fail, leaving files on disk. | none |
Windows Credential Dumping - LSASS | Enables dumping of credentials stored in the Local Security Authority Subsystem Service (LSASS) process, after gaining administrative access to a Windows machine. In exceptional circumstances, cleanup may fail, leaving files on disk. | low |
Windows Credential Dumping - SAM | Enables dumping of credentials from the Security Account Manager (SAM) database after gaining administrative access. In exceptional circumstances, cleanup may fail, leaving files on disk. | none |
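Several rows in the Environmental Impact and Post Exploitation tables warn that cleanup may fail: machine accounts may not be deleted, an application administrator account may need manual removal, and files may remain under C:\Windows, /tmp or the ManageEngine\ServiceDesk\site24x7 folder. The script below is an added example, not part of the NodeZero documentation, showing one way to reconcile a pre-test inventory snapshot against a post-test one so those leftovers surface for review. It assumes you collect the snapshots with your own tooling; the hostnames, account names, paths and timestamps in it are constructed.

```python
"""Added example, not part of the NodeZero documentation: a post-pentest
reconciliation that diffs an inventory snapshot taken before the test against
one taken afterwards and lists the artifact types the tables above warn may be
left behind (machine accounts, application admin users, files in the named
folders). Snapshot collection is assumed to be done by your own tooling."""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Artifact:
    kind: str        # "machine_account", "app_admin_user" or "file"
    host: str
    name: str        # account name or full file path
    seen: datetime   # creation or modification time from the inventory


# Folders the configuration tables name as places files may remain.
WATCHED_DIRS = (r"C:\Windows", "/tmp", r"ManageEngine\ServiceDesk\site24x7")


def in_watched_dir(path: str) -> bool:
    """Case-insensitive substring match against the watched folder names."""
    p = path.lower()
    return any(d.lower() in p for d in WATCHED_DIRS)


def residual_artifacts(before, after, window_start, window_end):
    """Items present after the test, absent before it, and timestamped inside
    the test window. Files outside the watched folders are ignored so that
    unrelated change during the test does not flood the review list."""
    known = {(a.kind, a.host, a.name) for a in before}
    findings = []
    for a in after:
        if (a.kind, a.host, a.name) in known:
            continue
        if not window_start <= a.seen <= window_end:
            continue
        if a.kind == "file" and not in_watched_dir(a.name):
            continue
        findings.append(a)
    return sorted(findings, key=lambda a: (a.kind, a.host, a.name))


# Constructed snapshots; hostnames, account names, paths and times are made up.
WINDOW = (datetime(2024, 5, 1, 9, 0), datetime(2024, 5, 1, 18, 0))
BEFORE = [
    Artifact("machine_account", "dc01", "WS-0421$", datetime(2023, 1, 10, 8, 0)),
    Artifact("file", "srv01", r"C:\Windows\notepad.exe", datetime(2022, 6, 1)),
]
AFTER = BEFORE + [
    # machine account created during the test window: review for deletion
    Artifact("machine_account", "dc01", "DESKTOP-X7Q2$", datetime(2024, 5, 1, 11, 30)),
    # application admin user left behind: manual cleanup
    Artifact("app_admin_user", "sdp01", "sample_admin", datetime(2024, 5, 1, 12, 0)),
    # file in a watched folder, inside the window: flagged
    Artifact("file", "sdp01", r"C:\ManageEngine\ServiceDesk\site24x7\msiexec.exe",
             datetime(2024, 5, 1, 12, 5)),
    # file outside the watched folders: ignored
    Artifact("file", "srv01", r"C:\Users\alice\notes.txt", datetime(2024, 5, 1, 12, 10)),
    # watched folder but predates the window: ignored
    Artifact("file", "web01", "/tmp/stale-from-last-month", datetime(2024, 4, 1)),
]

if __name__ == "__main__":
    for a in residual_artifacts(BEFORE, AFTER, *WINDOW):
        print(f"{a.kind:16} {a.host:6} {a.name}  seen {a.seen:%Y-%m-%d %H:%M}")
```

Run it as-is to see the three constructed leftovers; in practice you would feed it the computer objects, application user lists and directory listings your inventory already produces, with the window set to the pentest's start and end times.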
Credential Verification
Modules in this section use discovered credentials to gain access to various services, including internal password spraying and credential pivoting.
Option | Description | Risk |
---|---|---|
Credential Reuse | Checks for access to services and shares using local user (non-domain) authentication. | none |
Domain User | Checks for Windows domain user access by authenticating with credentials against the SMB service running on the Windows Domain Controller. | none |
Internal Password Spray | Enables NodeZero to password spray domain users with common passwords. By default, a user will only be tried twice every 60 minutes. It is recommended to enable the Brute Force: Domain Users flag along with this option. | moderate |
MS Entra (AzureAD) Credential Pivoting | Enables using domain user credentials discovered in an internal pentest against MS Entra services. Utilizes user-entered Domains from the OSINT step or Entra domains discovered via other methods. | none |
Azure AD Password Spray | Enables NodeZero to password spray Azure cloud users with common passwords. By default, a user will only be tried three times every 60 minutes. There is a small chance of locking out accounts. | moderate |
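The two password spray rows give a cadence (two or three guesses per user every 60 minutes) and note a small chance of lockouts. Before enabling them, a practitioner typically checks that cadence against the domain's lockout policy, and the detection team wants a rule that tells a spray (many users, few tries each) apart from a brute force against one account. The script below is an added example, not part of the NodeZero documentation, covering both. The worst-case clustering assumption in `spray_is_safe`, the `user_typos` reserve and the simplified log line format are this example's own; the sample log is constructed.

```python
"""Added example, not part of the NodeZero documentation: a pre-flight check
that compares a password-spray cadence against an Active Directory lockout
policy, plus a detector that flags spray-shaped failures in logon records.
The cadences (2 or 3 guesses per user per 60 minutes) come from the table
above; the clustering assumption and the log format are this example's own."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int            # failed attempts before lockout; 0 = lockout disabled
    observation_minutes: int  # minutes after which the failure counter resets


def spray_is_safe(policy: LockoutPolicy, attempts_per_window: int,
                  window_minutes: int = 60, user_typos: int = 1) -> bool:
    """True if the spray cannot push a user to the lockout threshold.

    Assumption (worst case): the spray's attempts may cluster at the edges of
    its fixed windows, so one observation window can touch
    ceil(observation / window) + 1 spray windows. `user_typos` reserves
    budget for the user's own genuine mistypes in the same period.
    """
    if policy.threshold == 0:
        return True
    touched_windows = -(-policy.observation_minutes // window_minutes) + 1
    worst_case = touched_windows * attempts_per_window + user_typos
    return worst_case < policy.threshold


@dataclass(frozen=True)
class FailedLogon:
    when: datetime
    user: str
    source: str


def parse_failed_logons(lines):
    """Parse constructed 'timestamp event_id user source' lines; keep 4625 only."""
    events = []
    for line in lines:
        when, event_id, user, source = line.split()
        if event_id == "4625":  # Windows: an account failed to log on
            events.append(FailedLogon(datetime.fromisoformat(when), user, source))
    return events


def detect_spray(events, window_minutes=60, min_users=10, max_per_user=3):
    """Per source, flag any window with many distinct users but few tries each.

    Returns {source: (distinct_users, max_attempts_per_user)}. A single user
    hammered many times is brute force, not spray, and is not flagged here.
    """
    by_source = defaultdict(list)
    for event in events:
        by_source[event.source].append(event)
    flagged = {}
    for source, evs in by_source.items():
        evs.sort(key=lambda e: e.when)
        for i, first in enumerate(evs):
            end = first.when + timedelta(minutes=window_minutes)
            per_user = defaultdict(int)
            for event in evs[i:]:
                if event.when >= end:
                    break
                per_user[event.user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                flagged[source] = (len(per_user), max(per_user.values()))
                break
    return flagged


# Constructed sample log (not real telemetry): one source tries 12 users once
# each, another hammers one account, and one line is a successful logon.
SAMPLE_LOG = (
    [f"2024-05-01T10:{m:02d}:00 4625 user{m:02d} 10.0.0.5" for m in range(12)]
    + ["2024-05-01T10:05:00 4624 alice 10.0.0.7"]
    + [f"2024-05-01T11:{m:02d}:00 4625 bob 10.0.0.9" for m in range(20)]
)

if __name__ == "__main__":
    policy = LockoutPolicy(threshold=10, observation_minutes=30)
    print("cadence 2 per 60 min safe:", spray_is_safe(policy, 2))
    print("cadence 3 per 60 min safe:", spray_is_safe(policy, 3))
    print("spray-shaped sources:", detect_spray(parse_failed_logons(SAMPLE_LOG)))
```

With a threshold of 10 and a 30-minute observation window the two-per-hour cadence stays well clear of lockout, while a strict threshold of 5 does not leave room for the user's own mistakes, which is the case to resolve with the domain owners before turning the option on. The detector flags only 10.0.0.5 in the sample: 12 distinct users at one attempt each, whereas the 20 failures against a single account from 10.0.0.9 are a different pattern.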
Default Credentials
This section involves checking for the use of default credentials on a variety of services like FTP, SQL databases, and web servers.
Option | Description | Risk |
---|---|---|
FTP | Enables checking default credentials against FTP services found by NodeZero. | low |
Microsoft SQL Server | Enables checking default credentials against Microsoft SQL Server databases found by NodeZero. There is a small chance of locking out the sa account. | moderate |
MongoDB | Enables checking default credentials against MongoDB databases found by NodeZero. | low |
MySQL | Enables checking default credentials against MySQL databases found by NodeZero. | low |
PostgreSQL | Enables checking default credentials against PostgreSQL databases found by NodeZero. | low |
SNMP | Enables checking default SNMP v1 community strings against SNMP services found by NodeZero. | low |
SSH | Enables checking default credentials against SSH services found by NodeZero. Against older ESXi servers vulnerable to CVE-2019-5528, this module may trigger a partial denial of service condition in the hostd process. | moderate |
Telnet | Enables checking default credentials against telnet services found by NodeZero. | low |
Web | Enables checking default credentials against HTTP or HTTPS web servers found by NodeZero. | low |
Exploitation
Modules in this section test for the exploitability of known vulnerabilities, such as EternalBlue and BlueKeep, which could potentially crash or disrupt services.
Option | Description | Risk |
---|---|---|
BlueKeep (CVE-2019-0708) | Tests exploitability of the BlueKeep vulnerability (CVE-2019-0708). There is a moderate-level risk this exploit may crash the target host, and it is not recommended for use against production systems. | high |
Cisco Smart Install Vulnerability (CVE-2018-0171) | Tests exploitability of the Cisco Smart Install vulnerability (CVE-2018-0171). The test attempts to pull router config from the vulnerable router via the TFTP protocol. Against a few older models of Cisco routers, running this exploit may cause the router to reload or go down. | moderate |
EternalBlue (MS17-010) | Tests exploitability of the Windows SMB remote code execution vulnerability EternalBlue. This is a kernel buffer overflow exploit and carries a moderate risk of crashing the target. It is not recommended for use against production systems. This exploit is only attempted if NodeZero is able to reliably determine the target operating system and NodeZero is not able to first exploit EternalChampion/EternalSynergy/EternalRomance. | moderate |
EternalChampion/EternalSynergy/EternalRomance (MS17-010) | Tests exploitability of the Windows SMB remote code execution vulnerabilities EternalChampion, EternalSynergy, and EternalRomance. | low |
Exploding Can (CVE-2017-7269) | Tests exploitability of the IIS 6.0 WebDAV vulnerability CVE-2017-7269, aka Exploding Can. | low |
Heartbleed (CVE-2014-0160) | Tests exploitability of the Heartbleed vulnerability (CVE-2014-0160), if discovered by NodeZero. This test dumps memory from the vulnerable server. | low |
HP iLO Web API Remote Code Execution (CVE-2017-12542) | Tests exploitability of the HP iLO Web API Remote Code Execution vulnerability (CVE-2017-12542). The test attempts to retrieve users and their credentials by exploiting a heap-based buffer overflow. | low |
Server Service Vulnerability (MS08-067) | Tests exploitability of the Windows SMB remote code execution vulnerability CVE-2008-4250, aka MS08-067. There is a high likelihood that this exploit will crash the SMB service on the target after successful exploitation. | high |
Hash Cracking
This section automatically attempts to crack hashes discovered during the penetration test to gain further insights into the security of the environment.
Option | Description | Risk |
---|---|---|
Automatic Hash Cracking | Automatically attempt to crack hashes found in the environment. | none |
Others
Exploits and vulnerability checks with other side effects.
Option | Description | Risk |
---|---|---|
RegreSSHion check | Runs the regreSSHion (CVE-2024-6387) check. This check may result in a high number of false positives. | none |
Scan Options
Modules in this section help manage host discovery and asset scanning, including setting packet rate limits and repeating host discovery during a pentest.
Option | Description | Risk |
---|---|---|
Repeated Host Discovery | Repeatedly attempts to discover hosts throughout a pentest. This may extend the total time of the pentest if a significant number of new hosts are discovered. | none |
Scope discovery packets per second | Slow: 150 PPS; Normal: 1500 PPS | none |