ippsec, Mar 9, 2021 (73 tweets)
Inspired by @TinkerSec, I'll tweet out a "hack job" I recently did. I rarely pentest companies, I've always been a blue teamer. The pentest gigs I do are generally favors to other blue team friends to teach them. My rate was $50/h which is much lower than what I typically charge.
A friend wants to test their users' phishing, I walk her through what my campaign is. First I gather all the names I can then generate emails based upon it. I use a 3rd party "People Finder" service to build a database of their personal emails.
With a large database of emails, I grep through a bunch of previously pwned databases I keep on a spare hard drive to create a juicy password list that is bound to get a hit. I fire up Metasploit's OWA brute force to confirm work emails and start brute forcing and go exercise.
Alright it's now two hours later, I've biked around 25 miles and have showered. Time to check who I've pwned. What!? No one? Am I losing my touch with this? Do I have to resort to phishing!? Well before that let's create a password list that is almost too stupid to work.
Okay, password complexity is generally between change passwords every 4 months, and must have characters of all character classes. We have to keep it under four passwords to try to not lock anyone out. Let's try November2020!, December2020!, and Winter2020!
Whoa, I'm in! Winter2020 worked! Wow, I'm so glad I did Rastalabs years ago, I guess @_RastaMouse has had a lot of success with this method too. Well, before we continue I need to talk with the CISO... I was only supposed to phish but got in without one. Hopefully we expand scope.
The CISO is all for expanding scope, but they have to get approval from more people. Man, it is taking a lot of self-restraint to not go deeper.
Awesome the scope is expanded to include digging into user data (email/cloud services), cracking the perimeter, and internal exploitation. Time to look at this person's mailbox and map out all the cloud services the company uses which should be externally accessible.
A SharePoint instance that is only accessible internally, a timecard system, and a helpdesk. Well if I don't get anywhere, at least I know what their timecard looks like and on Friday I can send more people a phishing email letting them know they need to log in and submit time.
These types of targeted phishes can fail magnificently though. As a Blue Teamer, I remember a pentester doing this tactic against my organization. I have a rule that emails me when new domains email us, and saw the typosquatted domain pretty quickly.
If you want to make a sysadmin go from 0-100 fast, do a targeted phish that requires a little insider knowledge. If it gets caught, be prepared to send the team on high alert... Sometimes it may be better to test generic phishes first and measure what level of phish is successful.
Anyways, this hour I'm not a good guy, I gotta get into this company... I log into the help desk and see if there are any services I missed, password scheme exposed, or in general what else I can get... No matter what side I'm on, I love help desks and tickets.
Great, I see a VPN! However, there is MFA applied to this. I'm worried I may get caught now, I want to tell the help desk I got a new phone and need to set up the MFA. The problem is if the user has email on their phone they may see these emails and catch wind of my exploits.
I could create an OWA Rule to automatically delete emails from the help desk and work out of the recycle bin so the user doesn't see it. But if these admins follow best practices any rules created will send an email to security.... What to do? This is tough.
It's been 30 minutes, I decide to create the rule, if I get caught it's a nice kudos to include in the report. I love writing about what teams do well, so it isn't just all bad. You'd be surprised how much more pleasant people are to work with when you don't make them look bad.
I said this in a reply, but putting here for visibility. In o365, you can create the alert policy here: protection.office.com/alertpolicies. From experience, this is a great one to have as password sprays generally lead to deleting emails from clients, and tricking them with fake invoices.
Back to the hack. It's been 15 minutes. I'm in the VPN, I have to say their helpdesk is really helpful. If only MFA was on their email I would have been stopped. I'm almost certain I'll be caught soon, I just broke their user's VPN access. Time to run bloodhound.py
I normally don't open up with Bloodhound.py but time is of the essence and I already did what I suspect will get caught quickly. I did specify to only run the DCChecks, at a bare minimum I can get computers and a list of users and their password change times.
Alright. Got Bloodhound, it shows some kerberoastable accounts. Running Impacket's GetUserSPNs shows two accounts. Great, if I get caught and they didn't see this there's a chance I will crack a hash and have another way in. I rarely will limit myself to just one back door.
Running CrackMapExec with guessed creds from earlier shows SMB Signing is enabled everywhere, which is good for them; ntlmrelayx probably won't be much use for me today. Because I'm on a VPN, Responder isn't too helpful as I'm not on the same broadcast domain.
If you want to know more about networking, @Cry0l1t3 and I put out an introduction to networks module over at academy.hackthebox.eu/module/details… - Some more fireside stories are in it. If you ever have problems with academy content you can come to me or @mrb3n813. Alright, end of promo.
Computers ticking away, no pwned... Wait there's one! They are local admin of their workstation. I run Impacket's wmiexec.py because AVs hate it less than psexec.py -- I probably should boot up Windows and use the Sysinternals PsExec tool but I'm lazy.
Looks like they use Kaspersky. That's a shame; this client shouldn't run foreign AV, but it does do a good job stopping most of the open-source toolkits. Thankfully, I have one I develop with a friend which should do the trick. I just can't touch LSASS, so no cleartext passwords.
Hmm. I can't reach my C2 because of a transparent proxy blocking uncategorized sites. Time to go to expireddomains.net and buy one on the list. Thankfully this proxy has a service where people can submit URLs and it says if it's malicious or not and says the category of URL.
Domain purchased, time to wait for DNS to update. This can take some time. Meanwhile, I'm still cracking away at those kerberoasted accounts and looking at Bloodhound for what I can do with them.
Oh, one of the kerberoast accounts cracked, but it isn't a Domain Admin. Before we do anything, this could be an old invalid hash. I'm going to run Kerbrute to test out if it's valid. I like this rule because on failure it doesn't create 4625, instead it's a 4678 and not logged by default.
Awesome. My domain registration went through. Time to recompile my implant and get a shell. I hate operating through "Reverse Shells" because they are hard to log and track what artifacts I leave behind to clean up.
I want to log onto the server with the kerberoasted credential. Before I do, let's set up persistence on a workstation. I can write to C:\windows due to local admin, so I'm just going to give a dll a magical name and persist via dll injection. No registry/sched task this way.
I do have my dll coded to delete itself after 7 days just in case I forget to clean up after myself. But now time to wmiexec to the server and load my implant.
I'm on the server! And I'm not the only one here! There is a domain admin! Quick, time to run mimikatz and dump their password!
My C2 tells me it's a horrible idea because of Kaspersky being installed... As a joke I added "Clippy" to this thing which would pop up and tell me when I'm being rash. Turns out that fun POC saved me here. I really should finish all the Clippy features I wanted, I like it a lot.
Well. No touching LSASS, but I can dump the SAM and grab local hashes. I don't see LAPS being used so there's a chance this local administrator account shares the passwords of other servers.
LocalAdmin hash gained! Time to throw this into hashcat and try to crack it while I pass the hash annnd it works on the DC! Whew. That was much faster than I thought. I search for a conference room PC and take a webcam shot then email and call the CISO who got me into this.
Uh oh. The CISO talked to the CEO and they want me to go hard on the person that used the weak password. I was asked to email them from a burner email with a picture of their office and get them to run a program on someone else's computer or I'll email the CEO.
I have no idea on the legalities of this, but that doesn't really matter; I find it highly unethical and it is a hard no from me. I tell them to give me an hour while I come up with something and then run SecretsDump to grab a list of all password hashes and go back to the kracken.
Whoa, 60% of passwords cracked in 30 minutes. There's plenty of bad ones, I even see Spring2018!, do they not have PW Expiration!? Or is it just some accounts. I should really slow down and look at things but it's such an adrenaline rush every time I jump to the next box.
I take a list of everything I cracked and go back to the mystical hard drive with database dumps on it... I run grep this time but with the passwords I cracked that look unique, checking to see if there are any personal emails I missed at the beginning.
Got a few hits! Looks like if I spent a bit more time on recon, I would have been successful without guessing. Maybe I am losing my touch a bit; I should have done a better job running recon in the background...
There's one in particular that is extremely interesting to me. It's an administrator, I look up the email on Facebook and see he is local to the company. Looks like someone should have used a password manager.
When I write this finding up, I can't use the guy's name; he should have known better. However, I place the fault at the company for not providing employees a password manager to use and keep track of everything.
That really took a toll on me and made me want to get out of Red Teaming PT. Thankfully, I found another home for the person I got fired a long time ago and we've become good friends. He even took what got him fired and prevented his new employer's employees from making the mistake.
There really is something to be said about an employee becoming more valuable after they've made a mistake... Anyways side tangent. Back to the point. I call up the CEO and let them know it wasn't just that user and pointed out a handful of the bad passwords I came across.
Crisis averted. They agree to take it easy on the person and are pleased with the work. Now time to register a new domain and run the phishing campaign they originally wanted.... Thread over, at least I think I am all out of things to say.
Oh I lied. I should be better about self-promotion. If you want to learn more by videos go to ippsec.rocks and type in stuff related to infosec. For course type stuff, check out HackTheBox's Academy. academy.hackthebox.eu. Tier 0 modules are free, tons for beginners.
Uh oh... Another Lie but unlike all my others here is some more content -- I didn't change enough of the story and the client contacted me. They aren't happy I didn't end with the get-well plan to help others... Fair.
And for the record here. When I write findings that go about licenses and such, I generally am bullshitting and hoping I'm right... In order to understand Microsoft licensing you need to work in their fraud department and even then I think they tend to make it up as they go.
Anyways this started out with guessing credentials. A simple periodic password audit can fix this issue real quick. Can't do it on AD? Just go to ippsec.rocks and look up secretsdump... Or I guess you can contact me on a work email or something. I love hashes.
Alright, don't trust me? That's fine, in o365 land most companies are on E3 because $20/u/m seems to be the magic amount of money companies will pay. However, I don't believe it gives you the "Identity Protection" which helps point out password sprayed accounts or opened emails.
Microsoft Business Premium is the same cost as E3 but capped at 300 users. Gives you the above features and more, I'm pretty sure you can tag emails as sensitive to prevent them from going outside your domain. Those accidental CCs to a wrong address? Gone!
Also the "At Risk Sign Ons" can be pretty lit. I have no idea what black magic is behind it maybe @GossiTheDog can shed some light but I presume it's based upon some pre-sentinel stuff to look at IP Address heuristics and distance traveled between sign-ins.
I know phishing hasn't come into play (yet) but I plan on recommending adding a report button to Outlook. So users can report just as fast as they could delete. Often phishes are sent to multiple people with the same domains. Act quick, save the company. docs.microsoft.com/en-us/microsof…
Okay, the next part. The HelpDesk VPN is a tough one with no real good answer. Monitoring IP Addresses is tough because people travel and some IPs are more dynamic than others. So if you only look at IP Addresses you get desensitized to the noise pretty quick.
If you have a good SIEM Dashboard, you can probably tie new IPs to different activities. One good one is a new (and/or non-residential) IP Address for 48 hours after an MFA Token has been reset. Tough to automate alerts but on a dashboard this is normally simple.
I doubt you'll catch this one because checking dashboards frequently is harder than it sounds, eventually you just have too many things to look at. But at least it does exist so there is a chance.
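The "new IP within 48 hours of an MFA reset" correlation from the dashboard idea above, as an added example that is not code from the thread's author. It assumes sign-ins and MFA resets have been normalized into one event shape (constructed sample records inline) and uses only IP novelty; the residential/non-residential distinction would need an external enrichment source.

```python
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sign-in and MFA-reset events in one normalized shape; not
# records from the engagement. ISO timestamps, UTC.
IDENTITY_EVENTS: List[Dict[str, str]] = [
    {"time": "2021-03-01T09:00:00", "type": "signin", "user": "mkt.user", "ip": "203.0.113.10"},
    {"time": "2021-03-02T08:55:00", "type": "signin", "user": "mkt.user", "ip": "203.0.113.10"},
    # Help desk resets the user's MFA device after a "new phone" request.
    {"time": "2021-03-05T13:10:00", "type": "mfa_reset", "user": "mkt.user", "ip": ""},
    # Thirty minutes later the account signs in from an address never seen before.
    {"time": "2021-03-05T13:40:00", "type": "signin", "user": "mkt.user", "ip": "198.51.100.77"},
    # The user's usual address inside the same window: known, so ignored.
    {"time": "2021-03-05T14:00:00", "type": "signin", "user": "mkt.user", "ip": "203.0.113.10"},
    # A new address four days later falls outside the 48 hour window.
    {"time": "2021-03-09T09:00:00", "type": "signin", "user": "mkt.user", "ip": "192.0.2.44"},
]


def new_ip_after_mfa_reset(events: List[Dict[str, str]], window_hours: int = 48,
                           baseline_days: int = 30) -> List[Dict[str, object]]:
    """Sign-ins from an IP the user has not used in the last baseline_days that
    occur within window_hours after that user's most recent MFA reset."""
    window = timedelta(hours=window_hours)
    baseline = timedelta(days=baseline_days)
    last_reset: Dict[str, datetime] = {}
    last_seen: Dict[str, Dict[str, datetime]] = {}  # user -> ip -> last sign-in
    hits: List[Dict[str, object]] = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t, user = datetime.fromisoformat(ev["time"]), ev["user"]
        if ev["type"] == "mfa_reset":
            last_reset[user] = t
            continue
        if ev["type"] != "signin":
            continue
        # IPs this user has signed in from inside the baseline period.
        known = {ip for ip, seen in last_seen.get(user, {}).items() if t - seen <= baseline}
        reset_at = last_reset.get(user)
        if reset_at is not None and t - reset_at <= window and ev["ip"] not in known:
            hits.append({"user": user, "ip": ev["ip"], "time": ev["time"],
                         "minutes_after_reset": int((t - reset_at).total_seconds() // 60)})
        last_seen.setdefault(user, {})[ev["ip"]] = t
    return hits


if __name__ == "__main__":
    for h in new_ip_after_mfa_reset(IDENTITY_EVENTS):
        print(f"{h['user']} signed in from new IP {h['ip']} "
              f"{h['minutes_after_reset']} min after MFA reset")
```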
Ok, after the VPN, I dropped a DLL as a user. If I chose Impacket's PSEXEC, I would have been SYSTEM. Anyways, users creating DLLs is pretty unique, only happens during software install which they shouldn't be doing in the first place. I love admins using pdq.com.
I used to recommend Ninite back in the day but have switched to PDQ after the price hike. PDQ gives admins more control and there's cool communities that build install packages for you (ex: github.com/bmrf/pdq_deplo…).
If I think a shop can handle using ansible/puppet/chef/salt/we, I'd recommend that. However if I think they could handle that software then they probably are already using it 😀
Wow, what a tangent... Anyways. Next, I made persistence sound super spooky with DLL Injection inside of the C:\Windows Directory. There are so many stupid ways to persist here that are "won't fix", we finally got diaghub privesc patched though so there's that.
As I said before, the user creating a DLL is unique. Sysmon can log file creates which should have lit up like a Christmas tree in any type of dashboard. What the hell is a marketer doing creating c:\windows\[a-z]{3}.dll?
Sysmon should definitely be installed and configured. If you can't afford any logging solution, at least do it for the future incident responders on your network. Yes, an attacker *could* clear the local logs but clearing local logs is phishy and does attract attention.
Anyways, whenever you hear a red teamer say "spooky", "sexy", "fud"... You should take 10-15 minutes and just look into it. Most of us have no idea what we are talking about when we do these "bleeding edge" attacks and have no idea what IOCs we create.
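The Sysmon file-create check described above, as an added example that is not code from the thread's author. It reads Sysmon Event ID 11 (FileCreate) records reduced to the User, Image and TargetFilename fields (constructed samples inline) and generalizes the thread's `c:\windows\[a-z]{3}.dll` case to any DLL a non-system account writes under C:\Windows, rating a write directly into the root higher.

```python
import re
from typing import Dict, List

# Sysmon Event ID 11 (FileCreate) records reduced to the fields this check
# reads. Constructed samples for illustration, not logs from the engagement.
SYSMON_FILECREATE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "11", "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetFilename": "C:\\Windows\\System32\\vendor.dll"},
    # A marketing user's WMI host dropping a three-letter DLL into C:\Windows.
    {"EventID": "11", "User": "CORP\\mkt.user",
     "Image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "TargetFilename": "C:\\Windows\\abc.dll"},
    {"EventID": "11", "User": "CORP\\mkt.user",
     "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "TargetFilename": "C:\\Users\\mkt.user\\Documents\\q1.docx"},
    # Same user writing a DLL under a C:\Windows subdirectory: still odd.
    {"EventID": "11", "User": "CORP\\mkt.user",
     "Image": "C:\\Users\\mkt.user\\Downloads\\tool.exe",
     "TargetFilename": "C:\\Windows\\Temp\\helper.dll"},
    # A non-DLL write by a user is ignored even though it lands in C:\Windows.
    {"EventID": "11", "User": "CORP\\mkt.user",
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "TargetFilename": "C:\\Windows\\Temp\\notes.txt"},
]

# Any DLL written anywhere under the Windows directory; group 1 captures the
# subdirectory part, which is empty for a write straight into the root.
DLL_UNDER_WINDOWS = re.compile(r"^[a-z]:\\windows\\(.*\\)?[^\\]+\.dll$", re.IGNORECASE)
# Accounts that legitimately write system DLLs during installs and updates.
SYSTEM_ACCOUNTS = {"NT AUTHORITY\\SYSTEM", "NT AUTHORITY\\LOCAL SERVICE",
                   "NT AUTHORITY\\NETWORK SERVICE"}


def suspicious_windows_dll_creates(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """FileCreate events where a non-system account wrote a DLL under
    C:\\Windows. A DLL placed directly in the root (the case in the thread)
    is rated high; a subdirectory write is rated medium."""
    findings = []
    for ev in events:
        if ev.get("EventID") != "11":
            continue
        path = ev.get("TargetFilename", "")
        m = DLL_UNDER_WINDOWS.match(path)
        if not m or ev.get("User", "").upper() in SYSTEM_ACCOUNTS:
            continue
        severity = "medium" if m.group(1) else "high"
        findings.append({"user": ev["User"], "path": path,
                         "image": ev.get("Image", ""), "severity": severity})
    return findings


if __name__ == "__main__":
    for f in suspicious_windows_dll_creates(SYSMON_FILECREATE_EVENTS):
        print(f"[{f['severity']}] {f['user']} wrote {f['path']} via {f['image']}")
```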
Oh crap.... I forgot a step! Remember the Kerberoast attack? Well that exports hashes in $krb5tgs$23$... 23 is an Etype. Let's run ./hashcat --example-hashes | grep krb5tgs... What are these other ETYPES?
Holy Cow! Did a bunch of Cisco People create Kerberos? The higher etype doesn't mean the stronger alg it is? 23 is just RC4? and 17/18 are AES? (I applaud anyone who got this stupid joke).

ldapwiki.com/wiki/Kerberos%…
Anyways. You can disable RC4 Kerberos but that may break things. It's better to ensure clients are set to "prefer strong encryption", then just monitor for weak Kerberos tickets. I forget the Windows event code that has this, maybe someone can help. Maybe @HackingDave?
But this is a good segue into talking about defense. I'd argue not disabling RC4 and watching for it improves your defense. Those kerberoastable accounts should have strong passwords. Hopefully, auto-rotating group-managed service accounts! docs.microsoft.com/en-us/windows-…
If your organization is smart enough to watch KRB Encryption Methods, then they probably know what accounts are kerberoastable and can just set a good password. If you disable RC4, then tools may see it and just not try and you miss out on good IOCs, amongst risk breaking stuff.
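The etype check and the "monitor for weak Kerberos tickets" idea from the last few tweets, as an added example that is not code from the thread's author. The event the thread asks about is Event ID 4769 (Kerberos service ticket requested), whose TicketEncryptionType field carries the same etype number in hex (0x17 is RC4-HMAC, 0x11/0x12 are AES128/AES256); the hash lines and 4769 records below are constructed samples.

```python
import re
from typing import Dict, List, Optional

# Kerberos encryption type numbers (RFC 3961 / RFC 4120 registry values). The
# number after "$krb5tgs$" in a hashcat line is the same etype that Windows
# records, in hex, in the TicketEncryptionType field of Event ID 4769.
ETYPE_NAMES = {
    1: "DES-CBC-CRC", 3: "DES-CBC-MD5",
    17: "AES128-CTS-HMAC-SHA1-96", 18: "AES256-CTS-HMAC-SHA1-96",
    23: "RC4-HMAC", 24: "RC4-HMAC-EXP",
}
WEAK_ETYPES = {1, 3, 23, 24}  # DES and RC4 families

KRB5TGS_PREFIX = re.compile(r"^\$krb5tgs\$(\d+)\$")


def etype_of_krb5tgs(line: str) -> Optional[int]:
    """Etype number from a krb5tgs hash line, or None if the line is not one."""
    m = KRB5TGS_PREFIX.match(line)
    return int(m.group(1)) if m else None


def etype_name(etype: int) -> str:
    return ETYPE_NAMES.get(etype, f"unknown({etype})")


# Constructed hash lines in hashcat's krb5tgs layout with the ciphertext cut
# short; not output from the engagement.
SAMPLE_HASHES = [
    "$krb5tgs$23$*svc_sql$CORP.LOCAL$MSSQLSvc/db01.corp.local:1433*$1a2b3c$4d5e6f",
    "$krb5tgs$18$svc_web$CORP.LOCAL$*HTTP/web01.corp.local*$7a8b9c$0d1e2f",
]

# Constructed Event ID 4769 (Kerberos service ticket requested) records.
SAMPLE_4769: List[Dict[str, str]] = [
    {"EventID": "4769", "TargetUserName": "mkt.user@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:10.8.0.23"},
    {"EventID": "4769", "TargetUserName": "mkt.user@CORP.LOCAL", "ServiceName": "WS0042$",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:10.8.0.23"},
    {"EventID": "4769", "TargetUserName": "mkt.user@CORP.LOCAL", "ServiceName": "svc_web",
     "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "::ffff:10.8.0.23"},
]


def weak_service_ticket_requests(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Successful 4769 events that issued a weak-etype ticket for a service run
    under a user account (not a computer account or krbtgt): the trace a
    kerberoast of an RC4-capable account leaves on the DC."""
    hits = []
    for ev in events:
        if ev.get("EventID") != "4769" or ev.get("Status") != "0x0":
            continue
        etype = int(ev["TicketEncryptionType"], 16)
        svc = ev["ServiceName"]
        if etype in WEAK_ETYPES and not svc.endswith("$") and svc.lower() != "krbtgt":
            hits.append({"requester": ev["TargetUserName"], "service": svc,
                         "etype": etype_name(etype), "ip": ev["IpAddress"]})
    return hits
```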
So the next real finding is the local administrator password being shared. This one is simple, LAPS (Local Administrator Password Solution) should be used. It's like the GMSA account I mentioned earlier. Sets the local admin to a strong auto-rotating password.
The other thing I haven't really explored is just detecting WMIEXEC/PSEXEC... Maybe it's for a stream one day but these types of methods shouldn't be used anymore. But legacy (even M$) products are famous for still using them😳
Instead of PSEXEC, admins should really learn PSRemoting which uses Kerberos for authentication. This prevents that nasty NTLM Authentication that all of us hackers love to mess with. Yes, there is "Pass the ticket" but the damage is normally more limited from a leaked ticket.
Hashes are all or nothing. Tickets can specify time frame and endpoints it has access to. As much heat as M$ gets, their new stuff is pretty secure. The vulnerabilities are generally because of how backwards compatible their stuff is. SMBv2 was created in 2006 but 1 still works
The last part of my chain is tough. It's DC Sync, AFAIK the best way is to enable Event Id 4662

Group Policy > Computer configurations > Windows Settings > Security Settings > Local Policies > Audit Policy > Audit Directory Service Access

Be sure only Success is chosen.
With this you can then look for:
9923a32a-3607-11d2-b9be-0000f87a36b2 (DS-Install-Replica),
1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 (DS-Replication-Get-Changes),
1131f6ac-9c07-11d1-f79f-00c04fc2dcd2 (DS-Replication-Manage-Topology)

docs.microsoft.com/en-us/openspec…
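The 4662 check described above, as an added example that is not code from the thread's author. It matches the three GUIDs listed in the thread plus DS-Replication-Get-Changes-All (1131f6ad-9c07-11d1-f79f-00c04fc2dcd2, the extended right a replication of secrets needs) and ignores computer accounts and an allowlist of known replication service accounts; the 4662 records are constructed samples.

```python
import re
from typing import Dict, FrozenSet, List

# Control-access right GUIDs found in the Properties field of Event ID 4662
# when a caller asks a DC to replicate. The first three are the ones listed
# in the thread; DS-Replication-Get-Changes-All is the right a replication of
# secrets needs, added here from the AD schema extended-rights list.
REPLICATION_RIGHTS = {
    "9923a32a-3607-11d2-b9be-0000f87a36b2": "DS-Install-Replica",
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ac-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Manage-Topology",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
GUID = re.compile(r"([0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12})", re.IGNORECASE)


def replication_rights_in(properties: str) -> List[str]:
    """Names of replication rights whose GUIDs appear in a 4662 Properties blob."""
    return [REPLICATION_RIGHTS[g.lower()] for g in GUID.findall(properties)
            if g.lower() in REPLICATION_RIGHTS]


def dcsync_candidates(events: List[Dict[str, str]],
                      allowlist: FrozenSet[str] = frozenset()) -> List[Dict[str, object]]:
    """4662 Control Access events requesting replication rights from a subject
    that is neither a computer account (DCs end in '$') nor an allowlisted
    replication service account such as an Azure AD Connect identity."""
    allowed = {a.lower() for a in allowlist}
    hits: List[Dict[str, object]] = []
    for ev in events:
        if ev.get("EventID") != "4662" or ev.get("AccessMask") != "0x100":
            continue  # 0x100 = Control Access, the mask used for extended rights
        rights = replication_rights_in(ev.get("Properties", ""))
        subject = ev.get("SubjectUserName", "")
        if rights and not subject.endswith("$") and subject.lower() not in allowed:
            hits.append({"subject": f"{ev.get('SubjectDomainName', '')}\\{subject}",
                         "rights": rights})
    return hits


# Constructed 4662 records; Properties is shown the way the event text renders
# it (%%7688 = Control Access, %%7684 = Read Property).
SAMPLE_4662: List[Dict[str, str]] = [
    {"EventID": "4662", "SubjectDomainName": "CORP", "SubjectUserName": "DC02$", "AccessMask": "0x100",
     "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"EventID": "4662", "SubjectDomainName": "CORP", "SubjectUserName": "svc_aadsync", "AccessMask": "0x100",
     "Properties": "%%7688\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"EventID": "4662", "SubjectDomainName": "CORP", "SubjectUserName": "Administrator", "AccessMask": "0x100",
     "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
                   "\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"EventID": "4662", "SubjectDomainName": "CORP", "SubjectUserName": "mkt.user", "AccessMask": "0x10",
     "Properties": "%%7684\n\t{bf967aba-0de6-11d0-a285-00aa003049e2}"},
]
```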
But now it's time for bed. Before I log off, I create a note to include that this client had SMB Signing enabled, LSASS as a Protected Process, Network Proxy, and MFA on their VPN in the report. I'm sure whoever set those up will read this report and be happy they slowed me.