Tom Hunter's Diary: "The Hound of the Baskervilles"

Delays in contract signing are common with any large company. An exception was the agreement between Tom Hunter and one pet store chain for a thorough pentest. The job covered the website, the internal network, and even the corporate Wi-Fi.

Unsurprisingly, Tom's hands were itching before all the formalities were settled. Well, just a quick scan of the site, just in case; a store as well known as the Hound of the Baskervilles is hardly going to make mistakes there. A couple of days later the signed original of the contract was delivered to Tom, who at that moment, over his third mug of coffee, was browsing the stock levels of the warehouses from the internal CMS with great interest...

(Image source: Ehsan Taebloo)

But Tom did not get to do much in the CMS: the site administrators banned Tom Hunter's IP. Although there would have been time to generate bonus points on a store card and feed his beloved cat on the cheap for many months... "Not this time, Darth Sidious," Tom thought with a smile. It would have been no less interesting to move from the website segment into the customer's local network, but apparently these segments were not connected at the customer. Still, that is usually the case in very large companies.

After all the formalities, Tom Hunter armed himself with the VPN account he had been given and entered the customer's local network. The account was a member of the Active Directory domain, so it was possible to dump AD without any special tricks, that is, pull down everything about users and workstations that any domain user is allowed to read.

Tom launched the adfind utility and started sending LDAP queries to the domain controller, with a filter on objectCategory set to person. The responses came back with the following structure:

dn:CN=Гость,CN=Users,DC=domain,DC=local
>objectClass: top
>objectClass: person
>objectClass: organizationalPerson
>objectClass: user
>cn: Гость
>description: Встроенная учетная запись для доступа гостей к компьютеру или домену
>distinguishedName: CN=Гость,CN=Users,DC=domain,DC=local
>instanceType: 4
>whenCreated: 20120228104456.0Z
>whenChanged: 20120228104456.0Z

There was a lot of other useful information as well, but the most interesting was in the >description: field. This is a comment on the account, basically a convenient place to keep minor notes. But the client's administrators decided that passwords could easily live there too. Who, after all, would be interested in all these insignificant office accounts? So among the comments Tom got were lines like this:

Создал Администратор, 2018.11.16 7po!*Vqn

You do not need to be a genius to understand what the combination at the end is for. All that remained was to parse the large response file from the DC by the >description field, and there they were: 20 login-password pairs. Almost half of them had RDP access rights. A good foothold; time to split the attacking forces.
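The audit implied by this passage can be automated on the defending side. The following Python script is an added example, not part of the original article or of Tom Hunter's toolkit: it parses adfind-style output (one dn: line per object, attributes prefixed with >) and flags description values containing a token that looks like a password, so an administrator can find such notes before anyone else does. The sample output, the account names and the password-like token are constructed for the demonstration.

```python
"""Audit adfind LDAP output for credential-looking text in the description attribute.

Added example (not from the original article). Parses the attribute dump that
adfind prints (one "dn:" line per object, attributes prefixed with ">") and
flags description values that contain a token resembling a password.
All sample data below is constructed for the demonstration.
"""
import re
from typing import Dict, Iterator, List, Tuple

# Constructed sample of adfind-style output. The second account's description
# carries a made-up password-like token, mirroring the pattern in the story.
SAMPLE_ADFIND_OUTPUT = """\
dn:CN=Guest,CN=Users,DC=domain,DC=local
>objectClass: top
>objectClass: person
>cn: Guest
>description: Built-in account for guest access to the computer or domain
>whenCreated: 20120228104456.0Z

dn:CN=svc-backup,CN=Users,DC=domain,DC=local
>objectClass: top
>objectClass: person
>cn: svc-backup
>description: Created by admin, 2018.11.16 Xk4#pQ9zL
>whenCreated: 20181116071203.0Z

dn:CN=jdoe,CN=Users,DC=domain,DC=local
>objectClass: person
>cn: jdoe
>description: Accounting, 3rd floor, ext. 4521
"""


def parse_adfind(text: str) -> Iterator[Tuple[str, Dict[str, List[str]]]]:
    """Yield (dn, attributes) per object; multi-valued attributes become lists."""
    dn = None
    attrs: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:  # blank line terminates an object
            if dn is not None:
                yield dn, attrs
            dn, attrs = None, {}
            continue
        if line.startswith("dn:"):
            dn = line[3:].strip()
        elif line.startswith(">") and ":" in line:
            name, _, value = line[1:].partition(":")
            attrs.setdefault(name.strip(), []).append(value.strip())
    if dn is not None:  # last object has no trailing blank line
        yield dn, attrs


# Candidate tokens: runs of 8+ non-whitespace characters.
_TOKEN = re.compile(r"\S{8,}")


def looks_like_password(token: str) -> bool:
    """Heuristic: must contain a digit plus at least two other character classes.
    Dates such as 2018.11.16 (digits + symbol only) and plain words do not qualify."""
    has_digit = any(c.isdigit() for c in token)
    other_classes = (
        any(c.islower() for c in token),
        any(c.isupper() for c in token),
        any(not c.isalnum() for c in token),
    )
    return has_digit and sum(other_classes) >= 2


def find_credentials_in_descriptions(text: str) -> List[Tuple[str, str]]:
    """Return (dn, suspicious token) for every description holding a password-like token."""
    hits: List[Tuple[str, str]] = []
    for dn, attrs in parse_adfind(text):
        for desc in attrs.get("description", []):
            for token in _TOKEN.findall(desc):
                if looks_like_password(token):
                    hits.append((dn, token))
    return hits


if __name__ == "__main__":
    for dn, token in find_credentials_in_descriptions(SAMPLE_ADFIND_OUTPUT):
        print(f"{dn}: description contains credential-like token {token!r}")
```

The heuristic is deliberately coarse, so the hits are meant to be eyeballed rather than counted. The same parser serves for any other free-text attribute worth auditing (info, comment), and the practical fix for what it finds is the usual one: rotate the exposed password and move the note somewhere that is not readable by every domain user.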

Network

The accessible shares of the Hound of the Baskervilles network resembled a big city in all its chaos and unpredictability. With a user profile and RDP, Tom Hunter was a beggar boy in this city, but even he had plenty to see through the shining windows of the security policy.

Pieces of file servers, accounting records, and even related scripts were all open to everyone. In the settings of one of those scripts, Tom found the MS SQL password hash of one user. A little brute-force magic, and the hash turned into a plaintext password. Thanks, John the Ripper and Hashcat.


This key had to fit some chest. The chest was found, and what is more, ten more "chests" were linked to it. And inside six of them lay... superuser rights, NT AUTHORITY\SYSTEM! On two of them it was possible to run the xp_cmdshell stored procedure and send cmd commands to Windows. What more could one wish for?

Domain controllers

Tom Hunter prepared his second blow for the domain controllers. There were three of them in the Hound of the Baskervilles network, one per geographically remote site. Each domain controller had a shared folder open to everyone, like a shop window in front of which the same beggar boy Tom was hanging around.

And this time the kid got lucky again: someone had forgotten to remove a script from the window display, and the password of the server's local administrator was hardcoded in it. So the path to the domain controller was open. Go on, Tom!

Here mimikatz was pulled out of the magic hat, and it harvested the credentials of several domain administrators. Tom Hunter got access to all the machines on the local network, and his devilish laughter scared the cat off the next chair. This route turned out shorter than expected.

EternalBlue

The memory of WannaCry and Petya is still alive in the minds of pentesters, but some admins seem to have filed ransomware away with the rest of yesterday's news. Tom found three hosts with a vulnerability in the SMB protocol, CVE-2017-0144, better known as EternalBlue. This is the same vulnerability that spread the WannaCry and Petya ransomware, and it allows arbitrary code execution on the host. One of the vulnerable nodes had a domain admin session on it: exploit and collect. What can you do, time has not taught everyone.


"The Hound of the Bastervilles"

The classics of information security like to repeat that the weakest point of any system is the human. Did you notice that the heading above does not match the name of the store? Perhaps not everyone is that attentive.

In the best tradition of phishing blockbusters, Tom Hunter registered a domain that differed by one letter from the Hound of the Baskervilles domain. A mailbox on this domain imitated the address of the store's information security service. Over 4 days, between 16:00 and 17:00, the following letter was sent from the fake address, spread evenly across 360 recipients:

(Image: the phishing letter sent to employees)

Perhaps only their own laziness saved them from a mass leak of employee passwords. Of the 360 letters, only 61 were opened; the security service is not very popular. But after that it got easier.

(Image: the phishing page)

46 people clicked the link, and almost half of them, 21 employees, did not look at the address bar and calmly entered their logins and passwords. Good catch, Tom.


Wi-Fi network

Now there was no point counting on the cat's help. Tom Hunter loaded some hardware into his old sedan and drove to the Hound of the Baskervilles office. His visit was not announced: Tom was going to test the customer's Wi-Fi. In the parking lot of the business center, several empty spaces fell comfortably within the coverage of the target network. Apparently nobody had thought much about limiting it; it looked as though the administrators had simply dropped in extra access points in response to every complaint about weak Wi-Fi.

How does WPA/WPA2-PSK security work? Traffic between the access point and a client is encrypted with a per-session key, the Pairwise Transient Key (PTK). The PTK is derived from the Pre-Shared Key and five other parameters: the SSID, the Authenticator Nonce (ANonce), the Supplicant Nonce (SNonce), and the MAC addresses of the AP and the client. Tom captured all five parameters; now only the Pre-Shared Key was missing.
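To make that derivation concrete, here is an added Python example (not code from the article) that walks the WPA2-PSK key chain: passphrase and SSID into the PMK with PBKDF2-HMAC-SHA1, then PMK, both nonces and both MAC addresses into the PTK with the IEEE 802.11i PRF, and the PTK split into its KCK, KEK and TK parts. The SSID, nonces and MAC addresses are constructed sample values; the only externally verified constant is the IEEE test vector (passphrase "password", SSID "IEEE") used to check the PMK step.

```python
"""WPA2-PSK key derivation, as an added example (not code from the original article).

Walks the chain the story describes: passphrase + SSID -> PMK (PBKDF2-HMAC-SHA1),
then PMK + ANonce + SNonce + both MAC addresses -> PTK (IEEE 802.11i PRF).
The first 16 bytes of the PTK (KCK) key the MIC on the 4-way handshake messages.
SSID, nonces and MAC addresses below are constructed sample values.
"""
import hashlib
import hmac
from typing import Tuple


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ...
    concatenated and truncated to nbytes."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]),
                        hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes,
               anonce: bytes, snonce: bytes) -> bytes:
    """PTK from PMK, AP MAC (aa), client MAC (spa) and the two nonces.
    MACs and nonces are ordered by value so both sides compute the same key."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 64)


def split_ptk(ptk: bytes) -> Tuple[bytes, bytes, bytes]:
    """KCK (handshake MIC key), KEK (key-wrapping key), TK (data traffic key)."""
    return ptk[:16], ptk[16:32], ptk[32:48]


# Constructed handshake parameters: exactly the values an observer of the
# four-way handshake sees in the clear.
SSID = "guest-wifi-example"
AP_MAC = bytes.fromhex("02aabbccdd01")
CLIENT_MAC = bytes.fromhex("02aabbccdd02")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))


def session_keys(passphrase: str) -> Tuple[str, str, str]:
    """Hex KCK, KEK and TK for the constructed handshake and a given passphrase."""
    pmk = derive_pmk(passphrase, SSID)
    ptk = derive_ptk(pmk, AP_MAC, CLIENT_MAC, ANONCE, SNONCE)
    kck, kek, tk = split_ptk(ptk)
    return kck.hex(), kek.hex(), tk.hex()


if __name__ == "__main__":
    kck, kek, tk = session_keys("correct horse battery staple")
    print("KCK:", kck)
    print("KEK:", kek)
    print("TK: ", tk)
```

Everything except the passphrase crosses the air unencrypted, which is why a captured four-way handshake becomes an offline guessing exercise against the key that authenticates it, and why a guest passphrase that falls in 50 minutes is a policy problem rather than a cryptographic one. A long random PSK raises the cost of each guess to a wall, and WPA2-Enterprise (802.1X) or WPA3-SAE for the corporate network removes the offline oracle altogether.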


The Hashcat utility brute-forced this missing link in 50 minutes, and our hero ended up in the guest network. From there the corporate network was already in view; oddly enough, Tom got its password in about nine minutes. And all this without leaving the parking lot, without any VPN. The corporate network opened up room for monstrous activities for our hero, but he... never did put bonus points on the store card.

Tom paused, looked at his watch, threw a couple of banknotes on the table, said goodbye and left the cafe. Maybe to pentest again, or maybe to write something up in his Telegram channel...


Source: habr.com