Ultimate pen test compromising a highly secure environment (nikhil)


Transcript of Ultimate pen test compromising a highly secure environment (nikhil)

Page 1: Ultimate pen test   compromising a highly secure environment (nikhil)

Ultimate Pen Test: Compromising a highly secure environment

Nikhil Mittal

@nikhil_mitt


Page 2: Ultimate pen test   compromising a highly secure environment (nikhil)

What this paper is about

• Pen Testing a highly secure environment.

• Methods used (Different phases of the test).

• Bad Practices faced.

• This is a real world scenario.


Page 3: Ultimate pen test   compromising a highly secure environment (nikhil)

The Environment

• Network IPS and Firewall at DMZ

• Internal NIPS

• HIPS, HIDS and AV as endpoint security.

• Complete segregation by Internal firewalls.

• Servers and Desktops patched and hardened.

• Limited internet access to nearly fifty websites (related to vendors).

• Dedicated Security Operations Team


Page 4: Ultimate pen test   compromising a highly secure environment (nikhil)

Recon Phase 1

• Info about products and vendors (mostly banner grabbing).

• Listing of possible targets (machines and humans).

• The starting place was browsing the target's portal and looking for help contacts and admin contacts.


Page 5: Ultimate pen test   compromising a highly secure environment (nikhil)

Listing of possible targets

• Help Please!

• A small bug in the target’s application was discovered and help was asked for regarding it.

• Direct involvement of someone from technical support, and with authority, was asked for.

• The idea was to reach someone who has access to things, like the internet.


Page 6: Ultimate pen test   compromising a highly secure environment (nikhil)

A mail used in the attack


Page 7: Ultimate pen test   compromising a highly secure environment (nikhil)

What was the result

• A nice list of the hierarchy (based on the emails) was prepared.

• In total thirteen such mail IDs were gathered, including two group mail IDs.


Page 8: Ultimate pen test   compromising a highly secure environment (nikhil)

Attack Phase 1

• Forged mails were sent pretending to be employees of vendors.

• Domain names similar to those of the vendors and of the target itself were used (e.g. ibmindia.selfip.biz, microsoft.dnss.com).

• On some of the websites a BeEF hook was used.

• The above helped in bypassing the white list.

• Multiple methods were used.


Page 9: Ultimate pen test   compromising a highly secure environment (nikhil)

White list Internet

• Browsing history was listed by BeEF.

• SET was used to send the emails.

• Simple social engineering emails in the name of vendors gave two useful things:

1. Vendor websites are allowed.

2. Some meterpreter sessions had already popped up.


Pages 10 to 15: Ultimate pen test compromising a highly secure environment (nikhil) (no text on these slides)

Page 16: Ultimate pen test   compromising a highly secure environment (nikhil)

Distracting the Security Team

• Distracting the team was required so that any activity detected internally might be ignored.

• A nice tool is available in BackTrack which makes so much noise that it can deafen even the best SIEM devices.

• ADMdnsfuckr is the tool.

• Capable of generating nearly 1.5 lakh (150,000) fake DNS requests from a 4 Mbps line in an hour.

• Within 15 minutes the attacking IP was blocked.

• The team's concentration then had to be on the DMZ, but insider access was already there.
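From the defender's side, the slide above shows the one thing that worked: the attacking IP was blocked within 15 minutes because a flood of DNS requests from a single source is easy to spot with a per-client rate check on resolver logs. The script below is an added example, not from the talk or its author: it keeps a sliding window of query timestamps per client and alerts the first time a client crosses a threshold. The log line shape, the 60 second window and the 200 query threshold are constructed assumptions, as is the sample log it builds.

```python
"""Sliding-window detector for DNS query floods from one source address.

Added example, not from the original talk: the slide describes a tool that
produced roughly 1.5 lakh fake DNS requests in an hour and an attacking IP
that was blocked within 15 minutes. This is the kind of per-client rate
check a resolver log monitor can run to raise that block quickly. The log
line shape, the window and the threshold are constructed assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # sliding window length (assumption)
THRESHOLD = 200                  # queries per window that raise an alert (assumption)


def parse_line(line):
    """Split one constructed log line: '<iso-time> <client-ip> query <qname> <qtype>'."""
    ts, client, _kw, qname, _qtype = line.split()
    return datetime.fromisoformat(ts), client, qname


def detect_floods(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {client_ip: (first_alert_time, queries_in_window)} for each client
    whose query count inside some sliding window reaches the threshold.

    Lines must be in time order; each client keeps a deque of timestamps and
    old entries are dropped once they fall outside the window.
    """
    recent = defaultdict(deque)
    alerts = {}
    for line in lines:
        ts, client, _qname = parse_line(line)
        q = recent[client]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and client not in alerts:
            alerts[client] = (ts, len(q))
    return alerts


def build_sample_log():
    """Construct a benign workstation (one query every 5 s) and one source
    sending 5 queries a second for a minute, which is far below the slide's
    rate but still well over the threshold."""
    start = datetime(2011, 4, 2, 10, 0, 0)
    lines = []
    for i in range(120):
        t = start + timedelta(seconds=5 * i)
        lines.append(f"{t.isoformat()} 10.1.1.20 query www.vendor-example.com A")
    for i in range(300):
        t = start + timedelta(seconds=i // 5)
        lines.append(f"{t.isoformat()} 10.1.1.99 query host{i:04d}.example.net A")
    lines.sort()  # ISO timestamps sort lexically, so this restores time order
    return lines


if __name__ == "__main__":
    for client, (when, count) in detect_floods(build_sample_log()).items():
        print(f"ALERT {client}: {count} queries within {WINDOW} by {when.isoformat()}")
```

On the constructed log the benign workstation never exceeds a dozen queries in any window, while the noisy source trips the alert 39 seconds into its burst; a real deployment would tune the threshold against the observed baseline of the resolver and feed the alert to the firewall rather than print it.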


Page 17: Ultimate pen test   compromising a highly secure environment (nikhil)

Gaining more access

• Admin level access to compromised machines.

• Access to more systems to understand the architecture.

• Access to a whole network was required to actually understand how things were working inside.


Page 18: Ultimate pen test   compromising a highly secure environment (nikhil)

Admin level access

• Recon turned out to be very useful here as victims with “authority” had admin rights.

• Simple getsystem is enough once you are an admin on some machine.

• A hashdump followed to get the hash of the local admin user.


Page 19: Ultimate pen test compromising a highly secure environment (nikhil) (no text on this slide)

Page 20: Ultimate pen test   compromising a highly secure environment (nikhil)

Local admin

• Generally, the local admin password will be the same on most machines of a LAN. That was the case for the victim subnet too.

• psexec with a route was used to get local admin (and then SYSTEM) privileges on most of the machines in the victim LAN.
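What the slide above describes looks very regular from the defender's side: psexec-style tools touch the ADMIN$ share of a target and then install a service on it, and a sweep across a subnet repeats that pair host after host from one source. The script below is an added example, not from the talk or its author: it pairs a Windows Security event 5140 (network share accessed) for ADMIN$ with a System event 7045 (service installed) on the same host within a short window, and then reports any source address whose pairs fan out across several hosts. The dict layout is a constructed simplification of those events, the 30 second window and the fan-out limit of three hosts are assumptions, and the sample events are constructed.

```python
"""Pairing admin-share access with service installation on the same host, as a
defender's detection for psexec-style lateral movement.

Added example, not from the original talk. Windows records access to the
ADMIN$ share as Security event 5140 and a newly installed service as System
event 7045; psexec-style tools produce both on every target in quick
succession, and a sweep across a LAN repeats the pair host after host. The
dict layout below is a constructed simplification of those events, and the
window and fan-out limit are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

PAIR_WINDOW = timedelta(seconds=30)  # max gap between share access and service install (assumption)
FANOUT_LIMIT = 3                     # distinct hosts from one source that count as a sweep (assumption)

# Constructed events: one routine admin copy with a much later software install,
# one ordinary service install with no share access, and one source installing
# random-named services on three workstations in quick succession.
SAMPLE_EVENTS = [
    {"time": "2011-04-03T09:15:00", "host": "WS-ACCT-04", "event_id": 5140,
     "source_ip": "10.1.1.50", "share": "\\\\*\\ADMIN$"},
    {"time": "2011-04-03T09:50:00", "host": "WS-ACCT-04", "event_id": 7045,
     "service_name": "Vendor Update Service", "image_path": "C:\\Program Files\\Vendor\\upd.exe"},
    {"time": "2011-04-03T09:20:00", "host": "SRV-PRINT-01", "event_id": 7045,
     "service_name": "Print Spooler Helper", "image_path": "C:\\Windows\\System32\\spoolhelp.exe"},
    {"time": "2011-04-03T11:02:00", "host": "WS-ACCT-01", "event_id": 5140,
     "source_ip": "10.1.1.23", "share": "\\\\*\\ADMIN$"},
    {"time": "2011-04-03T11:02:03", "host": "WS-ACCT-01", "event_id": 7045,
     "service_name": "xQtPlmzr", "image_path": "C:\\Windows\\xQtPlmzr.exe"},
    {"time": "2011-04-03T11:02:10", "host": "WS-ACCT-02", "event_id": 5140,
     "source_ip": "10.1.1.23", "share": "\\\\*\\ADMIN$"},
    {"time": "2011-04-03T11:02:12", "host": "WS-ACCT-02", "event_id": 7045,
     "service_name": "kRwEbVoa", "image_path": "C:\\Windows\\kRwEbVoa.exe"},
    {"time": "2011-04-03T11:02:20", "host": "WS-ACCT-03", "event_id": 5140,
     "source_ip": "10.1.1.23", "share": "\\\\*\\ADMIN$"},
    {"time": "2011-04-03T11:02:24", "host": "WS-ACCT-03", "event_id": 7045,
     "service_name": "ZmcAhqLt", "image_path": "C:\\Windows\\ZmcAhqLt.exe"},
]


def correlate(events, pair_window=PAIR_WINDOW):
    """Return (source_ip, host, service_name) for every 7045 that follows an
    ADMIN$ access (5140) on the same host within pair_window."""
    last_admin_access = {}  # host -> (time, source_ip) of the latest ADMIN$ access
    hits = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        t = datetime.fromisoformat(e["time"])
        if e["event_id"] == 5140 and e["share"].upper().endswith("ADMIN$"):
            last_admin_access[e["host"]] = (t, e["source_ip"])
        elif e["event_id"] == 7045 and e["host"] in last_admin_access:
            t0, src = last_admin_access[e["host"]]
            if t - t0 <= pair_window:
                hits.append((src, e["host"], e["service_name"]))
    return hits


def sweeping_sources(hits, limit=FANOUT_LIMIT):
    """Source addresses whose paired events touched at least `limit` distinct hosts."""
    per_source = defaultdict(set)
    for src, host, _svc in hits:
        per_source[src].add(host)
    return sorted(src for src, hosts in per_source.items() if len(hosts) >= limit)


if __name__ == "__main__":
    hits = correlate(SAMPLE_EVENTS)
    for src, host, svc in hits:
        print(f"pair: {src} -> {host} installed service {svc!r}")
    print("sweep from:", sweeping_sources(hits))
```

The two benign records show why the pairing matters: a share access with no service install, or a service install half an hour after the last admin copy, produces no hit, while the three workstations hit within 24 seconds from one address are exactly the pattern a shared local admin password makes possible.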


Page 21: Ultimate pen test compromising a highly secure environment (nikhil) (no text on this slide)

Page 22: Ultimate pen test   compromising a highly secure environment (nikhil)

Maintaining access

• To maintain access, two ways were used.

• The persistence script of meterpreter, and the method posted by HDM on the Metasploit blog.

• For both of these it was sensible to kill the AV (at least temporarily).

• But there was a problem.


Page 23: Ultimate pen test compromising a highly secure environment (nikhil) (no text on this slide)

Page 24: Ultimate pen test   compromising a highly secure environment (nikhil)

• A simple script was created to duplicate the session, migrate it into the AV process and kill itself, and bingo!! we knocked the AV down.

• Below is how it was done.


Page 25: Ultimate pen test   compromising a highly secure environment (nikhil)

• The persistence script was used and persistent meterpreter connections were created on the victim machines.

• A little change was required: change the default connect method to reverse_https in place of reverse_tcp in persistence.rb.


Page 26: Ultimate pen test   compromising a highly secure environment (nikhil)

Other networks reachable from the victim

• A ping sweep was done.


Page 27: Ultimate pen test   compromising a highly secure environment (nikhil)

What we have now

• Now we control a complete LAN mostly with administrative privileges.

• We have a list of the IPs of servers and other devices, thanks to our ping sweep.


Page 28: Ultimate pen test   compromising a highly secure environment (nikhil)

Recon Phase 2

• Listing critical assets (humans and machines)

• Searching machines for network diagrams, IP lists, password lists, etc.

• Logging keystrokes to read mails and gather passwords.

• Residing on the network to gather information.


Page 29: Ultimate pen test   compromising a highly secure environment (nikhil)

Listing critical assets

• Servers were listed from the data collected using the ping sweep, port scans and the Excel sheets of assets found while searching various machines across the compromised LAN.

• Naming convention and role of servers revealed the critical ones.

• Some password sheets were also found on the compromised machines.


Page 30: Ultimate pen test   compromising a highly secure environment (nikhil)

• The search_dwld script is a powerful method to get useful files.

• Excel sheets (xls, xlsx), Word documents (doc, docx) and diagrams (jpg, jpeg) were searched for.


Page 31: Ultimate pen test   compromising a highly secure environment (nikhil)

Gathering more info

• Keystrokes were dumped for days.

• This gave access to official mail IDs, the employee management portal, and passwords to production servers and firewalls; virtually to everything in that environment.

• Screenshots from meterpreter were used.

• Source code was received “on the fly” as it was coded by the developers.

• Passwords were also captured with the help of the BeEF Prompt Dialog module.


Page 32: Ultimate pen test   compromising a highly secure environment (nikhil)

Keyscan_dump output

• Screenshot of one of the victims (it showed too many details).

• Screenshots helped in understanding the working environment and the habits of the victim users.


Page 33: Ultimate pen test compromising a highly secure environment (nikhil) (no text on this slide)

Page 34: Ultimate pen test   compromising a highly secure environment (nikhil)

Attack Phase 2

• Using gathered info to compromise production.

• There was actually nothing left to compromise.

• Even UPS consoles were accessed.

• Queries to view sensitive data from databases were “sniffed” from the keystroke dumps.


Page 35: Ultimate pen test   compromising a highly secure environment (nikhil)

Bad Practices Identified

• Help desk too helpful.

• Employees turned out to be more than happy to click links and open unknown PDFs.

• Higher authority means Administrator privilege.

• Local Administrator exempt from the password policy.

• Unencrypted password lists.

• Sites allowed in the form *.domain.*
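The last bad practice is what made the white-list bypass on slides 8 and 9 possible: a rule written as *.domain.* is a glob, and a glob with a wildcard after the vendor name accepts any hostname that merely contains ".vendor." somewhere in it, which is exactly what a look-alike registration such as the ibmindia.selfip.biz or microsoft.dnss.com style domains exploits. The script below is an added example, not from the talk or its author: it runs a shell-style glob matcher the way such a rule behaves, beside a corrected check that anchors on an explicit registrable domain and its subdomains. The rule lists and the test hostnames (including look-alikes built on the slide's examples) are constructed.

```python
"""Wildcard allow-list rules of the form *.domain.* against a suffix-anchored
check (added example, not from the original talk).

Slides 8 and 9 describe look-alike domains passing the internet white list, and
slide 35 names the cause: sites allowed as *.domain.*. A shell-style glob with a
wildcard after the vendor name matches any hostname that merely contains
".vendor." somewhere. The corrected check below accepts only the listed
registrable domain and its subdomains. Rule lists and hostnames are constructed.
"""
import fnmatch

WILDCARD_RULES = ["*.microsoft.*", "*.ibm.*"]   # the weak form the slide describes (assumption)
ALLOWED_DOMAINS = ["microsoft.com", "ibm.com"]  # corrected: explicit registrable domains (assumption)


def normalize(host):
    """Lower-case and strip the trailing dot so 'WWW.IBM.COM.' and 'www.ibm.com' compare equal."""
    return host.strip().lower().rstrip(".")


def allowed_by_wildcard(host, rules=WILDCARD_RULES):
    """Weak check: shell-style glob, which is how a *.domain.* rule behaves."""
    h = normalize(host)
    return any(fnmatch.fnmatchcase(h, rule) for rule in rules)


def allowed_by_suffix(host, domains=ALLOWED_DOMAINS):
    """Corrected check: the hostname is the listed domain or ends in '.<listed domain>'.
    The leading dot matters: without it 'notibm.com' would pass for 'ibm.com'."""
    h = normalize(host)
    return any(h == d or h.endswith("." + d) for d in domains)


def compare(hosts):
    """Map each hostname to (wildcard_result, suffix_result)."""
    return {h: (allowed_by_wildcard(h), allowed_by_suffix(h)) for h in hosts}


if __name__ == "__main__":
    # Constructed hostnames, including look-alikes built on the slide's examples.
    for host, (weak, fixed) in compare([
        "www.microsoft.com", "WWW.IBM.COM.",
        "www.microsoft.dnss.com", "support.ibm.selfip.biz",
        "microsoft.com.attacker.example", "notibm.com",
    ]).items():
        print(f"{host:32} wildcard={weak!s:5} suffix={fixed}")
```

The legitimate vendor hostnames pass both checks, while the look-alike hosts pass only the glob; the suffix check also has to normalise case and the trailing dot, because a proxy that compares raw strings can be slipped past by "WWW.IBM.COM." as easily as by a wildcard.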


Page 36: Ultimate pen test   compromising a highly secure environment (nikhil)

How it can be avoided

Educating the employees


Page 37: Ultimate pen test   compromising a highly secure environment (nikhil)

• Thank You

• Questions please?
