Inject Credentials

NodeZero operates like an unauthenticated attacker (black box), enumerating and exploiting what it finds to build a true attacker’s perspective of your risk.

However…if you’d like to see how far an attacker can get when compromising a credential within your domain, you can inject a credential (up to 5) into a NodeZero operation to be leveraged as an attacker would and see full path and proof of what risk those particular credentials pose to your environment.

NOTE: this is NOT authenticated or elevated privileged scanning!

Whether injected, discovered, or cracked, NodeZero has two goals after obtaining a credential:

  1. Maneuver Laterally – · Enumerate Active Directory for attack paths that lead to more credentials or more privileged access on a host · Enumerate hosts for elevated permissions and then dump stored credentials in memory, the registry, and other common locations
  2. Obtain Sensitive Information – · Enumerate all endpoints in a network, looking for file shares, databases, and hosts that it can access · Laterally move and repeat

You can inject a credential into any running operation where a domain controller is within NodeZero’s scope for the op.

  • Click on the Action button, and select “Inject Credential”
  • Enter a user domain name and passwordInject2.png
  • Click “Submit”!

There are several use-cases where it is useful to understand how far an attacker may get after compromising a credential:

  • Regular User– Attackers have many common paths to compromise a regular user through phishing, breach data, or poor security hygiene. Whether compromised or deliberate (such as with an Insider Threat), ensuring further compromise is not possible is critical based on the highly demonstrated likelihood of occurrence.
  • Service Account – Service accounts are a high-value target for attackers because they are often over-privileged and multi-factor authentication is rarely enabled. This is the perfect scenario for an attacker to obtain the keys to your kingdom. Service accounts are often obtained after a vulnerability is exploited on an out-of-date application. Injecting service account credentials can help you understand the risk in one of those services being compromised.