This pentest started from the inside. My client wanted to assume they had already been breached, and, if breached, how far could an attacker go.
Could they stop me once I was inside?
The only person who knew who I really was was their CISO. Everyone else thought I was Jeremy in Marketing.
But I had to act quickly. I only had a week onsite. I had to hack their network while not raising suspicion.
So I set about it.
Narrator: "But this time was different. This time, Tinker was in for a surprise."
I would use my work computer for research, for seeing how other workstations were configured, but I wouldn't use it to launch attacks from directly. I didn't want things to get back to me.
I plugged it into the network and got an IP address. Their Network Access Control (NAC) wasn't fully set up across their environment. Everyone at a cube was trusted.
I captured packets and analyzed them with Wireshark, then changed my rogue computer's MAC and hostname to blend into their environment and look like their standard equipment.
Poisoned the local subnet with Responder to trap hashes and crack passwords.
I started cracking these with my 8 GPU cracking rig, but...
I can go through an 8-character password, all combinations upper/lower/number/symbol, in a short amount of time (NetNTLMv2).
Most normal passwords (single word, capital first letter, ending with a number or symbol), I crack instantly.
But not here.
I navigated through the company's intranet and found their Security Requirements.
They were moving from passwords to pass phrases...
I changed my cracking rulesets to use a dictionary with longer words, capitalized the first letter, ended with num/symbol.
And got a few!
I immediately try to log in remotely to the user's workstation with their own password...
And am blocked.
What the...? This always works...
Password is correct. But access is denied.
I spent some time hunting the Domain Controller. The VoIP phones served up a web page config file and gave the DC's address.
I pulled Group Policy Preferences, accessed AD through LDAP, looked through their group rights/privs.
I hadn't cracked any of those passwords.
They had implemented a Least Access Model...
Who does that?
I'll log into their email!
So I do. I search for "password" in their emails, in their Skype Conversations, check their Outlook Notes section and Drafts.
I find a lot of personal passwords: Bank, PTA, Amazon...
I *did* find a recent email sent out by Corporate Information Security stating that email was going to implement MultiFactor Authentication in a week's time.
Well then... got lucky, didn't I?
Every internal app, in one tidy space. A hacker's dream!
I click on one of the applications. It requires MultiFactor Authentication. So did the next one. And the next!
What sort of locked down prison is this?! A hacker's nightmare!
It's behind MFA, but fine. I'll deal with that.
Citrix will get me remote access to an internal server. I need to hop onto an internal box. Get away from my rogue device and actually start pivoting.
I click on it. It asks me to enter a 6 digit pin.
I bring up the email account (that didn't require MFA) and search for "5309". I find a signature of the user with their full phone number.
I call the phone number.
"Good afternoon, Pam. I'm Josh from IT. We're about to migrate your Citrix instance to a new server. I'm going to send you a 6 digit number. I'll need you to read that off to me. As a reminder, IT will never ask for your password."
I already had her password.
I clicked on the "Click for MFA token" button and stated, "Alright, I've sent you the number. You should get a text. Please read it to me."
She said, "Umm, alright. Got it. It's 9-0-5-2-1-2."
"Thanks! Please stay off Citrix for about two hours!"
And I log in.
Fuck you, MultiFactor Authentication!
Once in, I see... nothing. NOTHING!
This user didn't need Citrix, so her Citrix linked to NOTHING.
I had hacked into a broom closet.
I can maybe crack a long password, but only if I get lucky and capture the right hash. Even with a cracked password of a tiny group of people, I have to bypass MFA. Each attempt, especially with a secured group, runs the risk of detection.
I'm getting desperate.
Fuck it. I'm going to break into the IT shack. I'm going to steal laptops.
Tell my new coworkers that I'm going to finish the Annual Security Training for my onboarding.
They nod. Everyone leaves.
The cleaning crew comes through. And leaves.
I head to the IT/Helpdesk room. Find the door.
I look around and then go for it.
I had already tried various things on my own employee laptop, but I was not local admin and the disk was fully encrypted.
My goal was to find an old unencrypted laptop that had a common local admin hash on it.
I opened my mouth slightly and tilted my head to hear if anyone was coming from around the corner.
Nothing. I was clear to proceed.
But someone had left it pried open that night.
Well, there's a bit of good luck.
I cracked the door & peered in expecting to see someone inside.
Fuck it. Seize the day. I opened the door & entered.
I saw stacks of laptops in a corner. Various ages, makes, and models.
I weighed the risks of staying and getting caught in the IT shack, or having a pile of laptops at my desk.
I chose my desk.
Once I have a solid pile, I methodically try to boot each one from USB. Hoping to find a single laptop that doesn't have Full Disk Encryption.
I stick the USB in one, boot it up, try to mount the hard drive.
And get more and more frustrated as each one has FDE enabled.
Finally, after 30 laptops, I find three that are half ripped apart with clear hard drives.
I find a nonstandard local admin account called "ladm" on those three machines. Each hash is the same.
Oh thank Eris... They aren't using LAPS. They're sharing the local admin across boxes.
Improper disposal of information assets. Gotta love it.
I used the creds to log into my own work laptop, and it worked!
It bypassed Full Disk Encryption! A master key!
Ok.. okay! I can use this!
I didn't have permissions to view the user area of the hard drive.
What? They limited access EVEN TO LOCAL ADMINS!?! Damn.
Finally I ran a check for Unquoted Service Path vulnerabilities and found some! But the output said that my local admin user did not have permissions to write to the needed folders. Come on!
This was yet another dead end. Another series of hard fought, successful hacks, only to end with no access.
I had to get home. Get some sleep. Start again the next day.
Small things here and there. Nothing worthwhile.
I call a colleague. A fellow member of the @Dallas_Hackers.
He asked, "Did you try to exploit it anyway?"
In my fatigue, I believed the output & hadn't tried.
I attempted to write to the folder. The same folder that Windows told me I didn't have privs to write to.
And I successfully wrote to the folder.
Dammit Windows... lying to me again.
But cool. Fucking awesome. A new lead.
I tested it on my box (a risk) and it seemed to work fine.
- Set up a listener on my rogue device.
- Gain physical access to a laptop in the office.
- Log in w/localadmin creds.
- Upload the two-stage malware to the "Unquoted Service Path"
- Log out.
- Wait for user to log in & trigger.
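The lesson from the "lying" tool output is that an ACL read-out is not a write test. The following is an added example, not the tooling used on this engagement: it enumerates services whose ImagePath is unquoted and contains a space, lists the file names Windows would try before the real binary, and then proves writability the only way that counts, by actually creating and deleting a probe file in each candidate directory. The helper names and output fields are my own; the `$env:SystemRoot` skip is an assumption that OS directories are not the interesting targets.

```powershell
# Added example, not the author's tooling. Finds unquoted service paths and
# tests each hijack directory by writing to it instead of trusting ACL output.

function Test-WritableDirectory {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }
    # Unique probe name so a failed cleanup cannot collide with a real file.
    $probe = Join-Path $Path ('usp-probe-{0}.tmp' -f [guid]::NewGuid())
    try {
        [IO.File]::WriteAllText($probe, 'probe')   # the real test: can we drop a file here?
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Get-ServicePathHijackCandidate {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $cmd = $svc.PathName
        if ([string]::IsNullOrWhiteSpace($cmd) -or $cmd.StartsWith('"')) { continue }

        # Keep only the executable part; anything after .exe is arguments.
        $end = $cmd.IndexOf('.exe', [StringComparison]::OrdinalIgnoreCase)
        if ($end -lt 0) { continue }
        $exe = $cmd.Substring(0, $end + 4)
        if ($exe -notmatch ' ') { continue }
        # Assumption: OS directories are not writable by design, skip them as noise.
        if ($exe -like "$env:SystemRoot\*") { continue }

        # CreateProcess tries C:\Program.exe, then C:\Program Files\Foo.exe, ...
        # before the real path, one candidate per space in the unquoted path.
        $parts = $exe -split ' '
        for ($i = 1; $i -lt $parts.Length; $i++) {
            $candidate = ($parts[0..($i - 1)] -join ' ') + '.exe'
            $dir = Split-Path -Parent $candidate
            [pscustomobject]@{
                Service   = $svc.Name
                RunsAs    = $svc.StartName      # LocalSystem means a SYSTEM shell on trigger
                StartMode = $svc.StartMode
                ImagePath = $exe
                DropFile  = $candidate
                Writable  = Test-WritableDirectory -Path $dir
            }
        }
    }
}

# Usage: show only the candidates we can actually write to.
Get-ServicePathHijackCandidate | Where-Object Writable | Format-Table -AutoSize
```

Run it from the same shell you intend to exploit from. A common reason an ACL-based check and a real write disagree is the UAC token: a local admin in a non-elevated prompt carries a filtered token, and an elevated prompt carries the full one, so a scanner evaluating one token can contradict a write attempt made with the other. `RunsAs` tells you which account the planted binary will execute as, and `StartMode` tells you whether you are waiting on a reboot, a user action, or nothing at all.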
I planned first to target IT while they were at lunch and pop one of their boxes.
Don't they realize how unhealthy that is!? How lack of work/life separation and lack of breaks adds to stress?!
WHY DON'T THEY EAT LUNCH LIKE NORMAL PEOPLE?!?!
I walked around the office and finally found a set of desks that were empty. Accounts Payable / Accounts Receivable. Finance.
Okay. We're hacking into Finance.
Angrily, my face filled with spite and malice, I turned towards one of her team's computers & hacked it.
And sat. Staring at my listener.
Lunch ended at some point. I lacked the will to converse.
> Meterpreter session 1 opened
> Meterpreter session 2 opened
> Meterpreter session 3 opened
> Meterpreter session 7 opened
I ran a quick `getuid` and saw:
- NT AUTHORITY\SYSTEM
Oh Fuck Yeah!!!
Establish quick persistence, dump memory, and start rifling through their file system.
Some AP/AR finance info. Some clear text passwords. Sensitive information, but nothing major.
S'alright. It's a start. A foothold.
I try to hop sessions, but they're all closed. I ping the system, it's not responding. I port scan 445. Nothing. The system is offline.
Fuck. That. Noise.
I get up and make a beeline towards the Finance department. What happened to my shells?!?!
I do a quick "Oh fuuu" & make to turn around when the old lady turns towards me, points a finger directly at me, and shouts "That's him! He was messing with our computers!"
My back turned from one mean-looking blue team, I ran in the opposite direction.
Only to run into two other blue team members. Looking quite pissed off and making it clear that I was in the wrong neighborhood.
The head DFIR person stood in front of me, her knuckles raw, a small crew of Intrusion Detection Analysts behind her, grinning.
The DFIR lead leaned down next to my ear and whispered, "No one in Accounts Payable ever runs PowerShell..."
But me running around the corner and into the little old lady reporting me to IT's Blue Team was real. They stopped me right there. Confiscated my machine and reported me.
CISO came in, validated my presence.
They got an alert that PowerShell was running on a system that did not belong to the small group of IT and Developers that ran PowerShell on a normal basis.
A solid, and simple, anomaly detection method.
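As an added illustration of that rule, and not the client's actual detection content, here is the logic in PowerShell: take process-creation records shaped like Security event 4688 (Sysmon Event ID 1 carries the same fields under different names), and flag any PowerShell launch on a host, or by an account, outside the small allowlist that is expected to run it. The allowlists, host names, user names and the sample events are all constructed for the example so it runs offline; in production the records would come from `Get-WinEvent` against the Security log or a SIEM export.

```powershell
# Added example, not the client's rule. Flags powershell.exe/pwsh.exe process
# creation on hosts or under accounts that are not expected to run PowerShell.

# Assumption: the small IT/developer population that legitimately runs PowerShell.
$AllowedHosts = @('IT-WS-01', 'IT-WS-02', 'DEV-WS-07')
$AllowedUsers = @('CORP\it.admin01', 'CORP\dev.build')
$PowerShellBinaries = @('powershell.exe', 'powershell_ise.exe', 'pwsh.exe')

function Test-PowerShellAnomaly {
    # Expects one 4688-style record with Computer, SubjectDomainName,
    # SubjectUserName, NewProcessName and ParentProcessName fields.
    param([Parameter(Mandatory)][object]$Event)

    $image = Split-Path -Leaf $Event.NewProcessName
    if ($PowerShellBinaries -notcontains $image) { return $null }   # -contains is case-insensitive

    $user   = '{0}\{1}' -f $Event.SubjectDomainName, $Event.SubjectUserName
    $hostOk = $AllowedHosts -contains $Event.Computer
    $userOk = $AllowedUsers -contains $user
    if ($hostOk -and $userOk) { return $null }                      # expected; no alert

    $reason = if (-not $hostOk) { 'host outside PowerShell allowlist' }
              else               { 'user outside PowerShell allowlist' }
    [pscustomobject]@{
        Time     = $Event.TimeCreated
        Computer = $Event.Computer
        User     = $user
        Image    = $image
        Parent   = Split-Path -Leaf $Event.ParentProcessName
        Reason   = $reason
    }
}

# Constructed sample records, not real telemetry.
$SampleEvents = @(
    [pscustomobject]@{ TimeCreated = '2019-03-12T12:41:03'; Computer = 'IT-WS-01'
                       SubjectDomainName = 'CORP'; SubjectUserName = 'it.admin01'
                       NewProcessName = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       ParentProcessName = 'C:\Windows\explorer.exe' }
    [pscustomobject]@{ TimeCreated = '2019-03-12T12:43:17'; Computer = 'FIN-WS-22'
                       SubjectDomainName = 'NT AUTHORITY'; SubjectUserName = 'SYSTEM'
                       NewProcessName = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       ParentProcessName = 'C:\Program Files\Vendor.exe' }   # hypothetical planted binary
    [pscustomobject]@{ TimeCreated = '2019-03-12T12:43:20'; Computer = 'FIN-WS-22'
                       SubjectDomainName = 'CORP'; SubjectUserName = 'ap.clerk01'
                       NewProcessName = 'C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE'
                       ParentProcessName = 'C:\Windows\explorer.exe' }
)

# Usage: only the second record fires; the IT launch and the Excel launch are silent.
$SampleEvents | ForEach-Object { Test-PowerShellAnomaly -Event $_ } | Format-Table -AutoSize
```

The rule has no signature in it at all. It does not care what the script does, only that an interpreter appeared where it never appears, which is why the SYSTEM-owned launch from a finance workstation stands out even though the payload was written by hand. Keeping the allowlist honest is the whole maintenance cost, and it also doubles as a least-privilege inventory: if a host or account has to be added, someone should be able to say why it needs PowerShell.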
- Least Privilege Model
- Least Access Model
- MultiFactor Authentication
- Simple Anomaly Rule Fires
- Defense in Depth
- Keep Trying
- Never Assume
- Bring In Help
- Luck Favors the Prepared
- Adapt and Overcome
Thanks for reading.