Singing the Blues: Taking Down an Insider Threat

"I had all of the advantages. I was already inside the network. No one suspected me. But they found my hack, kicked me off the network... ...and physically hunted me down."

Many pentests start from the outside, wanting to see how the perimeter might be breached. This pentest started from the inside. My client wanted to assume they had already been breached, and, if breached, how far could an attacker go. Could they stop me once I was inside?

So they snuck me in. Disguised me as a new employee. Gave me a work computer, an ID badge, an account in their system... hell, I even had a cubicle w/my assumed name on it. The only person who knew who I really was was their CISO. Everyone else thought I was Jeremy in Marketing.

During most of the first morning, I completed onboarding, made introductions, and completed menial tasks. But I had to act quick. I only had a week onsite. I had to hack their network while not raising suspicion. So I set about it.

You have to understand... most "Internal Pentests" are straightforward. The hard part is breaching the network, but once you're inside, it's a target-rich environment. End of Life computers, default passwords, everyone a Local Administrator... On most Internal Pentests, I generally get Domain Admin within a day or two. Enterprise Admin shortly thereafter. The rest of the time is spent in mop-up and proofs of impact.

Narrator: "But this time was different. This time, Tinker was in for a surprise."

I set up my work computer and made it look like I was actually working. I would use my work computer for research, for seeing how other workstations were configured, but I wouldn't use it to launch attacks from directly. I didn't want things to get back to me. Instead, I brought in a rogue device. A personal laptop, loaded with Linux and a mess of hacking tools. I plugged it into the network and got an IP address.
Their Network Access Control (NAC) wasn't fully set up across their environment. Everyone at a cube was trusted.

I started my usual approach. Captured packets and analyzed them with Wireshark, changed my rogue computer's MAC and hostname to blend into their environment and look like their standard equipment. Poisoned the local subnet with Responder to trap hashes and crack passwords.

I got lucky pretty quickly. Captured a solid handful of hashes. I was on their standard employee subnet, so many user accounts were logging in, opening up internet browsers, and throwing authentication hashes around. I started cracking these with my 8 GPU cracking rig, but... something was off.

I can go through an 8 character password, all combinations upper/lower/number/symbol, in a short amount of time (NetNTLMv2). Most normal passwords (single word, capital first letter, ending with a number or symbol), I crack instantly. But not here.

I could've run "net accounts" on my workstation to query Active Directory directly & see their password policy, but decided to look elsewhere first. I didn't want to set off any alerts or logging. I navigated through the company's intranet and found their Security Requirements. They required a minimum of 12 characters with upper, lower, number, symbol. They were moving from passwords to pass phrases...

I changed my cracking rulesets to use a dictionary with longer words, capitalized the first letter, ended with num/symbol. And got a few! Alright! Let's go!

I immediately try to log in remotely to the user's workstation with their own password... And am blocked. What the...? This always works... Password is correct. But access is denied.

I checked myself. Start from basics. Do it right. I spent some time hunting the Domain Controller. The VoIP phones served up a web page config file and gave the DC's address. I pulled Group Policy Preferences, accessed AD through LDAP, looked through their group rights/privs.
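The Responder step above works because Windows hosts fall back to LLMNR when a name does not resolve, and a poisoner answers for anything. A defender can turn that behaviour around: ask the network, via LLMNR, for a random name that cannot exist anywhere, and treat any answer as a poisoner. The following is an added example written for this page, not code from Tinker or from Responder; the wire-format helpers are pure functions so the check can be exercised offline with constructed packets, while `canary_probe` needs a live interface and is only illustrative of how they would be used.

```python
"""Canary LLMNR query: anyone who answers for a non-existent name is poisoning.

Added example, not from the write-up. LLMNR reuses the DNS message layout over
UDP 5355 to multicast 224.0.0.252; only the minimal subset needed here is
implemented.
"""
import os
import socket
import struct

LLMNR_GROUP = "224.0.0.252"
LLMNR_PORT = 5355
QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """DNS-style label encoding: length-prefixed labels, terminated by 0x00."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(packet: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels, jumped, end = [], False, offset
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 style)
            pointer = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def build_llmnr_query(name: str, txid: int) -> bytes:
    """Standard query: id, flags 0, one question, A record, class IN."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def parse_llmnr_response(packet: bytes, expected_txid: int, expected_name: str):
    """Return the IPv4 addresses a responder claimed for expected_name, else []."""
    if len(packet) < 12:
        return []
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if txid != expected_txid or not flags & 0x8000:  # QR bit must be set
        return []
    offset = 12
    for _ in range(qd):
        qname, offset = decode_name(packet, offset)
        offset += 4  # skip QTYPE and QCLASS
        if qname.lower() != expected_name.lower():
            return []
    answers = []
    for _ in range(an):
        _aname, offset = decode_name(packet, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        rdata = packet[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            answers.append(socket.inet_ntoa(rdata))
    return answers


def canary_probe(timeout: float = 2.0):
    """Query one random, non-existent name; return [(source_ip, claimed_ips)].
    Requires a live network interface; nothing on a clean LAN should answer."""
    canary = "canary-" + os.urandom(4).hex()
    txid = int.from_bytes(os.urandom(2), "big")
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.settimeout(timeout)
    sock.sendto(build_llmnr_query(canary, txid), (LLMNR_GROUP, LLMNR_PORT))
    hits = []
    try:
        while True:
            data, (src, _port) = sock.recvfrom(4096)
            claimed = parse_llmnr_response(data, txid, canary)
            if claimed:
                hits.append((src, claimed))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return hits


if __name__ == "__main__":
    for src, claimed in canary_probe():
        print(f"ALERT: {src} answered LLMNR for a name that does not exist -> {claimed}")
```

Run periodically from a few vantage subnets, this is a cheap tripwire for the exact technique used in the story; the lasting fix is disabling LLMNR and NBT-NS via Group Policy so there is nothing to poison, with the probe kept as a check that the policy actually applied.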
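The cracking detour above makes a point a password-policy owner should internalise: a 12-character, four-class policy is satisfied by "Capitalised dictionary word(s) plus a digit or symbol", and that shape is exactly what a rule-based attack enumerates. The audit below is an added example written for this page (not Tinker's tooling or the client's policy engine); `SAMPLE_WORDS` is a constructed stand-in for a real wordlist, and the 42-character suffix alphabet (10 digits plus 32 ASCII punctuation) is this example's assumption about the ruleset.

```python
"""Flag passwords that satisfy a 12-char/4-class policy but keep a predictable shape.

Added example, not from the write-up. A real audit would load a large wordlist
and run against password-change events, never against a stored plaintext list.
"""
import string

SYMBOLS = set(string.punctuation)
SUFFIX_ALPHABET = len(string.digits) + len(string.punctuation)  # 10 + 32 = 42

# Constructed sample dictionary; a real audit would load tens of thousands of words.
SAMPLE_WORDS = {"correct", "horse", "battery", "staple", "summer", "password",
                "welcome", "football", "dragon", "sunshine", "company"}


def meets_policy(pw: str, min_len: int = 12) -> bool:
    """The policy from the post: minimum 12 chars with upper, lower, number, symbol."""
    return (len(pw) >= min_len
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in SYMBOLS for c in pw))


def split_words(core: str, words, max_words: int = 3):
    """Segment core into up to max_words dictionary words; None if impossible."""
    if core == "":
        return []
    if max_words == 0:
        return None
    for i in range(1, len(core) + 1):
        head = core[:i]
        if head in words:
            rest = split_words(core[i:], words, max_words - 1)
            if rest is not None:
                return [head] + rest
    return None


def predictable_shape(pw: str, words=SAMPLE_WORDS, max_suffix: int = 4):
    """Describe pw if it is dictionary word(s), each lowercase or Capitalised,
    followed by a short digit/symbol suffix; otherwise return None."""
    core = pw.rstrip(string.digits + string.punctuation)
    suffix = pw[len(core):]
    if not core or len(suffix) > max_suffix:
        return None
    parts = split_words(core.lower(), words)
    if parts is None:
        return None
    pos = 0
    for w in parts:  # enforce the "capitalize the first letter" case pattern
        if core[pos:pos + len(w)] not in (w, w.capitalize()):
            return None
        pos += len(w)
    return f"{len(parts)} dictionary word(s) + {len(suffix)}-char suffix"


def candidate_count(dict_size: int, n_words: int, suffix_len: int) -> int:
    """Search space a word+capitalisation+suffix ruleset must cover."""
    return (dict_size ** n_words) * (2 ** n_words) * (SUFFIX_ALPHABET ** suffix_len)


def audit(pw: str, words=SAMPLE_WORDS) -> str:
    """Classify a candidate password for a policy review."""
    if not meets_policy(pw):
        return "reject: violates policy"
    shape = predictable_shape(pw, words)
    if shape:
        return "weak: compliant but predictable (" + shape + ")"
    return "ok"


if __name__ == "__main__":
    for sample in ("Correcthorse1!", "Summer2018", "Xq7#mLp2$vRw"):
        print(sample, "->", audit(sample))
```

`candidate_count(50000, 1, 1)` is 4.2 million candidates, trivial for one GPU against NetNTLMv2, while a truly random 12-character password over 95 printable characters sits in a space of 95^12, roughly 5.4 x 10^23. Length requirements only help when the composition is not a single predictable rule; a defender gets more from checking new passwords against wordlists and breach corpora than from adding a character class.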
After reading through the massive amount of settings, I realized that they had limited remote access to only a small number of IT personnel, and even that was only a few. I hadn't cracked any of those passwords. They had implemented a Least Access Model... Who does that?

Well screw you. I don't need to log into their workstation. I'll log into their email! So I do. I search for "password" in their emails, in their Skype Conversations, check their Outlook Notes section and Drafts. I find a lot of personal passwords: Bank, PTA, Amazon... But no corporate passwords.

I *did* find a recent email sent out by Corporate Information Security stating that email was going to implement MultiFactor Authentication in a week's time. Well then... got lucky, didn't I?

I next went to their Single Sign On portal. Every internal app, in one tidy space. A hacker's dream! I click on one of the applications. It requires MultiFactor Authentication. So did the next one. And the next! What sort of locked down prison is this?! A hacker's nightmare!

I see they're using Citrix. It's behind MFA, but fine. I'll deal with that. Citrix