The Day They Invited Hackers In: A Pen Test Success Story

We recently partnered with a transportation company that keeps hundreds of trucks on the road daily. Their digital environment supports a variety of critical applications and sensitive data, including invoicing systems, dispatch operations, and business contracts.

Despite the importance of their infrastructure, they operated with a lean IT setup—just two individuals juggling both IT and security responsibilities. While they had some basic controls in place, such as antivirus and next-generation firewall (NGFW) solutions managed internally, there was no formalized security program.

That's where RiskSentinels came in.

After an initial security assessment, our team recommended a proactive approach: a network penetration test conducted by our Sentinels Offence team. The goal? To uncover gaps and misconfigurations before a real attacker could.

We started by drafting a detailed Statement of Work (SOW) and establishing strict rules of engagement. It was agreed that the first phase of testing would simulate an external attack, followed by an internal network assessment. All internet-facing assets were included in the scope, and we opted for a black box testing approach—meaning our ethical hackers knew nothing beyond the target subnets.

Once we secured written authorization from the client’s leadership—a critical step to stay compliant and avoid legal complications—we launched the penetration test.

Note: Black box testing involves simulating an attack with no prior knowledge of the environment, closely mimicking real-world threat scenarios. Also, establishing clear rules of engagement and obtaining written consent are essential to prevent the test from being misconstrued as unauthorized hacking.

What followed was a series of valuable insights, some unexpected findings, and a stronger security posture for the organization. But that’s a story for the next post.

The Pen Test in Action: Tales from the Trenches

Recon, Recon, Recon

Our Red Team kicked things off with good ol’ open source intelligence (OSINT). We scoured tools like Shodan—basically the search engine for misconfigured dreams—and discovered an interesting host exposing the infamous RDP port. Bonus points: it was running Windows. Suspense builds.

Slow and Steady Wins... Intel

Next, we performed some polite, “low and slow” port scanning. You know, the digital equivalent of tiptoeing through a dark hallway with night vision goggles.

🔦 The lightbulb moment? That “interesting host” turned out to be a Domain Controller wide open to the internet—with RDP, LDAP, Kerberos, and SMB ports all waving hello to the outside world.

Gaining a Foothold

With targets in sight, our team decided to give RDP and SMB a whirl. We tried logging in with the classic “Administrator” account—because, hey, you miss 100% of the shots you don’t take.

Then we brought out CrackMapExec for a bit of password spraying. And boom 💥—credentials!

SMB gave up an Admin username and password, and we waltzed into RDP like we had VIP passes.

Peek Behind the Curtain (a.k.a. Active Directory Enumeration)

Once inside, we unleashed PowerShell and started digging through Active Directory. Our goal? Domain admin users. Spoiler: we found them.

The Mimikatz Magic Show

Now came the juicy part—credential access. We transferred Mimikatz over RDP (don’t worry, it was encrypted—so NGFWs were totally in the dark 😎).

With Mimikatz in play, we passed the hash like pros and scooped up NTLM hashes for Administrator and svc_backup.

We exported and cracked the hashes successfully. 🎯

But we didn’t go further—we’re the good guys, remember? Instead of spinning up a Golden Ticket attack and conquering the domain, we waved the red flag and escalated the issue to the client.

Post-Pen Test: The Journey to Resilience

Once the adrenaline faded and the findings settled in, it was time to patch the cracks and fortify the fortress. Here’s what we recommended to help the organization go from exposed to empowered:

  1. No More Open Invitations
    Never expose Domain Controllers or other critical internal systems directly to the internet. That’s like giving attackers a backstage pass to your core.
  2. Passwords with Muscle
    Enforce strong password policies and enable account lockouts after multiple failed attempts. Weak credentials are still one of the most common entry points.
  3. Double the Locks with MFA
    Enable Multi-Factor Authentication (MFA)—especially for RDP access. One password is no longer enough.
  4. Eyes on the Logs
    Monitor authentication logs for brute-force attempts, failed logins, or unusual activity. Sometimes the clues are there—you just need to look.
  5. Shield Remote Access
    Use a Remote Desktop Gateway or VPN to securely manage remote access. Direct RDP exposure is risky business.

The "After" Picture: Lessons Learned and Continued Commitment

Following the engagement, our team partnered closely with the client to reinforce their security framework. Key remediation efforts included:

  • Migrating exposed services behind a secure VPN, significantly reducing the organization's external attack surface.
  • Deploying advanced monitoring and alerting mechanisms, enabling real-time visibility into unusual activity and strengthening incident response readiness.
  • Establishing a proactive security operations approach, ensuring recurring assessments and continuous improvement.

These efforts represent more than a technical response—they reflect a strategic shift toward embedding security at the core of the organization's operations.

Conclusion: When Small Gaps Create Big Risks

This assessment was a textbook case of low-hanging fruit—where common misconfigurations and weak credential practices could have led to devastating consequences. Despite using basic tools and techniques, the impact potential was significant.

  • Key Takeaway
    Proactive security testing isn't a luxury—it's a necessity. Regular penetration testing surfaces hidden risks, reinforces accountability, and empowers organizations to build a more resilient security posture.
  • Why It Matters
    Every investment in security—whether it’s assessment, remediation, or visibility—translates directly into reduced risk, enhanced trust, and long-term operational continuity.