Advanced Penetration Testing - When the world crashes down

Can a seasoned security professional beat the world’s best security software and mitigations? This job certainly found out. It also demonstrated well the difference between a vulnerability scan and a penetration test. The client had spent three years relying on a "market leading" vulnerability scanner to identify all their security weaknesses. What it didn’t spot was, well, all their security weaknesses.

The job was for a large multi-office operation in the UK. An advanced penetration test where I got to play the bad guy and use any tool in my arsenal. I knew a lot from the OSINT phase of the engagement and most importantly I knew they had a large reliance on Windows 2008 Server. Unfortunately for the client they could not migrate because their mission-critical software would only run on 2008. I also knew a few of their IT folk would be at a conference during the testing window and I managed to drop a few shiny new mouse and keyboard combos into their realm. For those not aware of Darren Kitchen at Hak5, he is one of the best people in HID device attacks I have had the privilege to know. I had previously modified several Logitech and Microsoft wireless USB keyboards and mice to include the USB Rubber Ducky within them. With a custom script that would only work in the AD realm of the client, we had automatic keylogging and remote access built in. All I had to do was wait and hope one of the admins would use them.

From the outside the client was solid. There were no vulnerable services, and everything was locked down well. For fun I ran all my trusted vulnerability scanners at the site:

Nessus:  0 Critical, 0 High, 4 Medium, 23 Low
NeXpose: 0 Critical, 0 High, 5 Medium, 21 Low
OpenVAS: 0 Critical, 0 High, 4 Medium, 22 Low

After removing the false positives, all the scans had the same answer, 2 Medium risk and 19 Low risk issues. No viable avenue of attack from the outside.

The OSINT scans revealed many users for the company, and I was able to pull back a lot of password combinations from the various breaches and "collections" in my collection. One user immediately became popular for attack. Their password was footballteamname0318 and then footballteamname1018 and then footballteamname0119. It didn’t take a genius to log into their Outlook Web Access with the user's email address and footballteamname0619, and yes, it worked. Great, so now I have a user account in finance and given the way everything is configured, I have their internal network account credentials too. Sadly, two-factor authentication was forced on all users, so I was unable to use their remote working VPN. Shame but that would have been too easy.
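The guess above is the output of a pattern, not a lucky shot: a fixed base word plus a month/year suffix that the user bumps when forced to rotate. The following is an added example (not code from the original post) that generalises that step: given several leaked passwords for one user, it infers the base and the suffix shape (MMYY, YYMM or MMYYYY; the shape names are my own labels) and emits candidates for every month in a chosen window, such as the engagement dates. The leaked history is constructed to mirror the post's pattern and is not real data.

```python
"""Extrapolate date-suffixed passwords from a user's breach history."""
import re

# Suffix shapes to try, in order. Each maps a label (my own) to the regex
# that must close the password and a formatter for (year, month).
SUFFIX_FORMATS = {
    "MMYY":   (r"(0[1-9]|1[0-2])(\d{2})",   lambda y, m: f"{m:02d}{y % 100:02d}"),
    "YYMM":   (r"(\d{2})(0[1-9]|1[0-2])",   lambda y, m: f"{y % 100:02d}{m:02d}"),
    "MMYYYY": (r"(0[1-9]|1[0-2])(20\d{2})", lambda y, m: f"{m:02d}{y:04d}"),
}


def infer_pattern(history):
    """Return (base, format_name) if every leaked password is one fixed
    base followed by a date suffix of a single shape, else None."""
    for name, (suffix_re, _) in SUFFIX_FORMATS.items():
        pattern = re.compile(r"^(.*?)" + suffix_re + r"$")
        bases = set()
        for password in history:
            match = pattern.match(password)
            if match is None:
                break
            bases.add(match.group(1))
        else:
            # Every password matched this shape; demand one non-empty base.
            if len(bases) == 1:
                base = bases.pop()
                if base:
                    return base, name
    return None


def months_between(start, end):
    """Yield (year, month) tuples from start to end inclusive."""
    year, month = start
    while (year, month) <= end:
        yield year, month
        month += 1
        if month == 13:
            year, month = year + 1, 1


def candidates(history, start, end):
    """Candidate passwords for each month in [start, end], skipping any
    already present in the leaks (the user has moved on from those)."""
    inferred = infer_pattern(history)
    if inferred is None:
        return []
    base, name = inferred
    fmt = SUFFIX_FORMATS[name][1]
    seen = set(history)
    return [base + fmt(y, m) for y, m in months_between(start, end)
            if base + fmt(y, m) not in seen]


# Constructed history mirroring the post's pattern (not real data).
LEAKED = ["footballteamname0318", "footballteamname1018", "footballteamname0119"]

if __name__ == "__main__":
    for guess in candidates(LEAKED, (2019, 3), (2019, 6)):
        print(guess)
```

Feed the list to a slow, lockout-aware spray rather than a burst: the point of inferring the pattern is that a handful of guesses per account is enough, which is exactly the volume a lockout policy tolerates.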

Getting access to the site was a simple matter of social engineering. I won’t go into the various ways I have used in the past, but this was quite simple. Onsite the meeting rooms were sparse. A phone and TV. I was tempted to do something with the TVs, but they had been excluded from scope. Both protected by 802.1X anyway. Simply connecting my laptop just wasn’t going to work. But being the attacker means thinking differently. Try as I might I simply could not see the wireless access point, until I popped the ceiling tile. There it was, in the ceiling void. Unprotected. One Raspberry Pi later and I am sitting in my truck in the car park linked to the client network via a simple SSH session.

With access to the network, I simply waited until after 7pm to start my work. Knowing the admins would be at home having their tea, there was an excellent chance that no one would be watching their SIEM. I know they have one, they did a press release about it. At 1905 scanning started. Within the hour I knew where their server network was. Now, the goal of this test was to retrieve a flag set in the CEO's home drive, so I figured it would be on the file servers. Annoyingly there were 7 of them. What I really needed was the CEO's password, it would be simple then. I looked closer at the Windows 2008 servers present. There were four of them. Fully patched and protected. After a few false starts I broke out the BlueKeep exploit and gained admin access to three of them. I knew full well, from the configurations I observed, that the company used whitelists on their DNS servers and somehow a direct IP address call outbound would fail. (Still not too sure how they achieved this, but it didn’t matter as they implemented it in the endpoint protection.) I really needed one of the 2008 servers to download files, so I added an entry to the hosts file. The entry was for the Microsoft update server and the IP was for one of my attack boxes. While I was surprised this worked, I equally wasn’t. I was learning a lot about the client’s IT department and there was a large reliance on the endpoint protection software. I loaded mimikatz and dumped the hashes.
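The hosts-file trick works because a name-based egress allowlist is only as strong as local name resolution, and the hosts file is consulted before DNS on both Windows and Linux. The defender's check is correspondingly cheap. The following is an added example (not code from the original post or from any product mentioned in it) that audits hosts-file text for two things: names under zones that should never be pinned locally, and any other non-loopback pinning. The watched-zone list is an assumption for illustration, and the sample hosts content is constructed.

```python
"""Flag hosts-file entries that pin trusted names to chosen IPs."""
import ipaddress

# Zones whose names should never be pinned locally (assumed list).
WATCHED_ZONES = ("microsoft.com", "windowsupdate.com", "windows.com")


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for each mapping, ignoring comments
    and lines whose first field is not a valid IP address."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield ip, name.lower().rstrip("."), line_no


def in_watched_zone(name):
    """True for the zone apex or any name beneath it (not lookalikes)."""
    return any(name == zone or name.endswith("." + zone) for zone in WATCHED_ZONES)


def audit_hosts(text):
    """Return findings as (line_no, hostname, ip, reason) tuples.

    Loopback pins (localhost) and 0.0.0.0/:: blackholes are normal and
    are left alone unless the name falls under a watched zone."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if in_watched_zone(name):
            findings.append((line_no, name, str(ip), "watched zone pinned in hosts file"))
        elif not (ip.is_loopback or ip.is_unspecified):
            findings.append((line_no, name, str(ip), "non-loopback pinning"))
    return findings


# Constructed sample, not a capture from the engagement.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
# the override described in the post, pointed at a made-up internal address
10.20.30.40     download.windowsupdate.com
10.20.30.40     fe2.update.microsoft.com
0.0.0.0         ads.example.net            # blackholed, treated as benign
192.168.1.5     fileserver01.corp.example  # non-loopback pin, worth a look
"""

if __name__ == "__main__":
    for line_no, name, ip, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip} ({reason})")
```

Run it from the endpoint agent or a scheduled task and ship the findings to the SIEM; a change to the hosts file on a server is rare enough that even the "non-loopback pinning" class is worth a ticket.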

Around the same time, Nessus was running in the background and was reporting that SMB signing was not enabled. Surely that can’t be right. I grabbed the hash from the server I just compromised and pasted it in. I was rewarded with Access Granted. While SMB signing isn’t always enabled, to leave it disabled on one of the AD servers was the IT equivalent of leaving your key hanging on your front door. I dumped the AD hashes and spent the rest of the night focusing my hash-cracking attack on the CEO's account.
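What a scanner is actually reading when it reports on SMB signing is the SecurityMode field of the server's SMB2 NEGOTIATE response (MS-SMB2 section 2.2.4): bit 0x01 means signing is enabled, bit 0x02 means it is required. Only "required" stops a captured NTLM authentication from being relayed to that host; "enabled" alone changes nothing for an attacker. The following is an added example (not code from the original post or from Nessus) that classifies a response the same way. The response bytes are constructed, with only the fields the check reads populated; `build_negotiate_response` exists solely to produce that test input.

```python
"""Classify SMB signing from an SMB2 NEGOTIATE response."""
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_HEADER_LEN = 64
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001   # set on every response
NEGOTIATE_RESPONSE_SIZE = 65              # fixed StructureSize for this body
SIGNING_ENABLED = 0x01
SIGNING_REQUIRED = 0x02


def strip_netbios(data):
    """Drop the 4-byte direct-TCP (port 445) transport header if present."""
    if len(data) >= 8 and data[0] == 0 and data[4:8] == SMB2_MAGIC:
        return data[4:]
    return data


def parse_security_mode(data):
    """Return the SecurityMode of an SMB2 NEGOTIATE response, or raise."""
    msg = strip_netbios(data)
    if len(msg) < SMB2_HEADER_LEN + 4 or msg[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    # Header: ProtocolId(4) StructureSize(2) CreditCharge(2) Status(4)
    #         Command(2) @12, CreditResponse(2), Flags(4) @16, ...
    (command,) = struct.unpack_from("<H", msg, 12)
    (flags,) = struct.unpack_from("<I", msg, 16)
    if command != SMB2_NEGOTIATE or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not a NEGOTIATE response")
    # Body starts at 64: StructureSize(2) SecurityMode(2) DialectRevision(2) ...
    structure_size, security_mode = struct.unpack_from("<HH", msg, SMB2_HEADER_LEN)
    if structure_size != NEGOTIATE_RESPONSE_SIZE:
        raise ValueError("unexpected NEGOTIATE response StructureSize")
    return security_mode


def classify_signing(data):
    """'required' blocks relay; anything else leaves the host relayable."""
    mode = parse_security_mode(data)
    if mode & SIGNING_REQUIRED:
        return "required"
    if mode & SIGNING_ENABLED:
        return "enabled, not required"
    return "disabled"


def build_negotiate_response(security_mode, with_netbios=True):
    """Constructed minimal response for testing; only parsed fields are set."""
    header = struct.pack("<4sHHIHHIIQIIQ16s",
                         SMB2_MAGIC, 64, 0, 0, SMB2_NEGOTIATE, 1,
                         SMB2_FLAGS_SERVER_TO_REDIR, 0, 0, 0, 0, 0, bytes(16))
    # 8-byte prefix + remaining 56 bytes of fixed fields (GUID, sizes,
    # times, security buffer offsets) zeroed; StructureSize 65 counts one
    # byte of the variable-length buffer that follows.
    body = struct.pack("<HHHH", NEGOTIATE_RESPONSE_SIZE, security_mode, 0x0302, 0) + bytes(56)
    msg = header + body
    if with_netbios:
        return b"\x00" + len(msg).to_bytes(3, "big") + msg
    return msg


if __name__ == "__main__":
    for mode in (0x00, 0x01, 0x03):
        print(f"SecurityMode 0x{mode:02x}: {classify_signing(build_negotiate_response(mode))}")
```

In practice the bytes come from sending an SMB2 NEGOTIATE to TCP 445 and reading the reply; domain controllers require signing by default, so a DC reporting anything other than "required" is a policy override worth chasing down.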

I was woken from my slumber at a little before 0300 with DING DING DING SUCCESS from my laptop speakers. Checking the hashcat run, I had a 15-character password for the CEO. It was still early in the morning, so I logged back in and used a PsExec session to authenticate as the CEO and yes, it worked. I went back to bed.

That morning I noticed a new screen on my attack box. It took a few moments to register but yes, there was a shell from one of the keyboards. And it was a domain admin using it. I had their username and password and a current working shell with Domain Admin rights. It is rare to have two attack avenues on a test, but you take the wins with the losses. Could I get three avenues? It took a few minutes to grab the CEO's flag back using each of the accounts, so now it was a matter of pride. A hat-trick of avenues would give the client more value and help them work on different areas. Remember that user in finance? I wonder if they would click on a link for me. A quick phish later and a few different emails were sent, some to the user in question and some to the generic user department. To be cheeky I sent one from the security team with an awareness training slide deck on passwords. You guessed it, the user opened the awareness training deck and allowed the macro to run. It was after all sent from inside, or so it appeared. I followed the same path as before and achieved the same set of results.

The engagement from my viewpoint was fun and stimulating. The scope was broad enough and permitted enough actions for all my creative attack juices to flow. From the client’s point of view, they saw three successful attack vectors and many unsuccessful ones. Each of the successful ones had a full write-up of the narrative detailing how I did what I did and, where I was able to, a screencast. I sat down with their board and walked them through the attacks, from my thoughts and feelings all the way to how I achieved it. We spent a few hours discussing why they didn’t spot me, why tool X didn’t spot me, why tool Y didn’t prevent the attack, and so on. The endpoint protection worked exactly the way it should. The SIEM did its job perfectly. When we looked through the logs they could see my actions, but it took some work to get to that point.

At the end of the day, I had to be lucky once. I was lucky three times. They had to be lucky every single time. The odds were simply stacked in my favour.