Ultimate Pen Test: Compromising a highly secure environment
Nikhil Mittal
@nikhil_mitt
What this paper is about
• Pen testing a highly secure environment.
• Methods used (the different phases of the test).
• Bad practices encountered.
• This is a real-world scenario.
The Environment
• Network IPS and firewall at the DMZ.
• Internal NIPS.
• HIPS, HIDS and AV as endpoint security.
• Complete segregation by internal firewalls.
• Servers and desktops patched and hardened.
• Limited internet access: a whitelist of nearly fifty websites (related to vendors).
• Dedicated Security Operations Team.
Recon Phase 1
• Information about products and vendors (mostly banner grabbing).
• Listing of possible targets (machines and humans).
• The starting point was browsing the target's portal and looking for help-desk and admin contacts.
Listing of possible targets
• Help please!
• A small bug in the target's application was discovered and help was asked for regarding it.
• Direct involvement of someone from Technical Support, and with authority, was asked for.
• The idea was to reach someone who has access to things, such as the internet.
A mail used in the attack
What was the result
• A nice hierarchy list (based on emails) was prepared.
• In total thirteen such mail IDs were gathered, including two group mail IDs.
Attack Phase 1
• Forged mails were sent pretending to be from employees of vendors.
• Domain names similar to those of the vendors and of the target itself were used
(e.g. ibmindia.selfip.biz, microsoft.dnss.com).
• On some of the websites a BeEF hook was used.
• The above helped in bypassing the whitelist.
• Multiple methods were used.
Whitelisted Internet
• Website history listed by BeEF.
• SET was used to send the emails.
• Simple social-engineering emails in the name of vendors gave two useful things:
1. Vendor websites are allowed.
2. Some meterpreter sessions had already popped up.
Distracting the Security Team
• Distracting the team was required so that any activity detected internally might be ignored.
• A nice tool is available in BackTrack which makes so much noise that it can deafen even the best SIEM devices.
• ADMdnsfuckr is the tool.
• Capable of generating nearly 1.5 lakh (150,000) fake DNS requests per hour from a 4 Mbps line.
• Within 15 minutes the attacking IP was blocked.
• The team's attention then had to be on the DMZ, but insider access was already there.
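The deck names the tool and the volume but not what the noise looks like from the SOC side. The following is an added example, not code from the talk or from the tool: it parses a handful of constructed BIND-style query-log lines (the log format, the IP addresses and the thresholds are assumptions) and flags any source that, within one minute, both exceeds a query rate and asks mostly for names it has never asked for before. A genuine busy resolver repeats the same names; a random-label flood does not.

```python
"""Detect an ADMdnsfuckr-style DNS query flood in a query log.

Added example (not from the original talk). The BIND-style log format below is
an assumption:  "<dd-Mon-yyyy> <hh:mm:ss.mmm> client <ip>#<port>: query: <name> IN <type> ..."
"""
import re
from collections import defaultdict

QUERY_RE = re.compile(
    r"^(?P<day>\d{2}-\w{3}-\d{4}) (?P<hm>\d{2}:\d{2}):\d{2}\.\d+ "
    r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse(line):
    """Return (minute, source_ip, qname) for a query-log line, or None for junk."""
    m = QUERY_RE.match(line)
    if not m:
        return None
    return m.group("day") + " " + m.group("hm"), m.group("src"), m.group("qname").lower()


def detect_floods(lines, max_qpm=60, min_unique_ratio=0.8):
    """Return {src: [(minute, query_count, unique_name_ratio), ...]}.

    A source is reported for a minute when it sent more than max_qpm queries
    AND at least min_unique_ratio of them were for distinct names. The second
    condition separates junk-name floods from a legitimately busy forwarder.
    """
    counts = defaultdict(int)
    names = defaultdict(set)
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        minute, src, qname = parsed
        counts[(src, minute)] += 1
        names[(src, minute)].add(qname)

    hits = defaultdict(list)
    for (src, minute), n in sorted(counts.items()):
        ratio = len(names[(src, minute)]) / n
        if n > max_qpm and ratio >= min_unique_ratio:
            hits[src].append((minute, n, round(ratio, 2)))
    return dict(hits)


def sample_log():
    """Constructed sample (not real traffic): 200 junk queries from 203.0.113.7
    in one minute, six ordinary repeated lookups from 10.1.2.3, one junk line."""
    flood = [
        f"12-Mar-2012 10:15:{i % 60:02d}.001 client 203.0.113.7#{40000 + i}: "
        f"query: x{i:05d}.random-junk.invalid IN A + (198.51.100.2)"
        for i in range(200)
    ]
    normal = [
        f"12-Mar-2012 10:15:{i * 10:02d}.500 client 10.1.2.3#5353: "
        f"query: mail.example.com IN A + (198.51.100.2)"
        for i in range(6)
    ]
    return flood + normal + ["12-Mar-2012 10:15:59.000 named[1]: not a query line"]


if __name__ == "__main__":
    for src, windows in detect_floods(sample_log()).items():
        for minute, n, ratio in windows:
            print(f"{src}: {n} queries in {minute}, {ratio:.0%} distinct names")
```

The point the slide makes is that the flood was a distraction, not an attack in its own right: an alert that fires on inbound DNS noise should raise, not lower, the priority of anything that fires on the internal network in the same window.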
Gaining more access
• Admin-level access to the compromised machines.
• Access to more systems to understand the architecture.
• Access to a whole network was required to actually understand how things worked inside.
Admin level access
• Recon turned out to be very useful here, as victims with "authority" had admin rights.
• A simple getsystem is enough once you are an admin on some machine.
• A hashdump followed to get the hashes of the local admin user.
Local admin
• Generally, the local admin password is the same on most of the machines on a LAN. This was the case here for the victim subnet.
• psexec, with a route added through the existing session, was used to get local admin (and then SYSTEM) privileges on most of the machines in the victim LAN.
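The reuse that made the psexec sweep possible is also trivially visible in the hashdumps themselves. The following is an added example, not from the talk: given meterpreter hashdump output collected from several hosts (the host names and NT hashes below are constructed), it groups the built-in Administrator account (RID 500) by NT hash and reports every hash that appears on more than one machine. The same script serves a blue team auditing for password reuse before the attacker does.

```python
"""Find local Administrator password reuse across hosts from hashdump output.

Added example (not from the original talk). Hashdump line format:
    user:RID:LM_hash:NT_hash:::
"""
import re
from collections import defaultdict

HASHDUMP_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)


def parse_hashdump(text):
    """Yield (user, rid, nt_hash) tuples; lines that are not hashdump entries are skipped."""
    for line in text.splitlines():
        m = HASHDUMP_RE.match(line.strip())
        if m:
            yield m.group("user"), int(m.group("rid")), m.group("nt").lower()


def find_shared_local_admins(dumps, rid=500):
    """dumps maps host -> hashdump text.

    Returns {nt_hash: [hosts]} for every NT hash of the RID-500 account that is
    present on more than one host. Each group is a set of machines that one
    psexec with the recovered credential (or the hash itself) opens at once.
    The RID filter matters: a renamed Administrator is still RID 500, and an
    unrelated user who happens to share the hash is not a local-admin finding.
    """
    hosts_by_hash = defaultdict(set)
    for host, text in dumps.items():
        for _user, r, nt in parse_hashdump(text):
            if r == rid:
                hosts_by_hash[nt].add(host)
    return {nt: sorted(h) for nt, h in hosts_by_hash.items() if len(h) > 1}


# Well-known constants: LM and NT hashes of an empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
# Constructed NT hashes for the sample; not taken from any real system.
NT_A = "0f1e2d3c4b5a69788796a5b4c3d2e1f0"
NT_B = "1234567890abcdef1234567890abcdef"

# Constructed sample: three workstations share one Administrator hash.
SAMPLE_DUMPS = {
    "WS-FIN-01": f"Administrator:500:{EMPTY_LM}:{NT_A}:::\nGuest:501:{EMPTY_LM}:{EMPTY_NT}:::\n",
    "WS-FIN-02": f"Administrator:500:{EMPTY_LM}:{NT_A}:::\n",
    "WS-FIN-07": f"Administrator:500:{EMPTY_LM}:{NT_A}:::\nlocaluser:1001:{EMPTY_LM}:{NT_A}:::\n",
    "SRV-BUILD": f"Administrator:500:{EMPTY_LM}:{NT_B}:::\n",
}


if __name__ == "__main__":
    for nt, hosts in find_shared_local_admins(SAMPLE_DUMPS).items():
        print(f"NT {nt} shared by {len(hosts)} hosts: {', '.join(hosts)}")
```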
Maintaining access
• To maintain access two ways were used:
• the persistence script of meterpreter, and the method posted by HDM on the Metasploit blog.
• For both of these it was sensible to kill the AV (at least temporarily).
• But there was a problem.
• A simple script was created to duplicate the session, migrate it into the AV process and kill itself, and bingo, the AV was knocked down.
• Below is how it was done.
• The persistence script was used and persistent meterpreter connections were created on the victim machines.
• A small change was required: the default connect method in persistence.rb was changed from reverse_tcp to reverse_https.
Other networks reachable from the victim
• A ping sweep was done.
What we have now
• We now control a complete LAN, mostly with administrative privileges.
• We have a list of the IPs of servers and other devices, thanks to our ping sweep.
Recon Phase 2
• Listing critical assets (humans and machines).
• Searching machines for network diagrams, IP lists, password lists etc.
• Logging keystrokes to read mails and gather passwords.
• Residing on the network to gather information.
Listing critical assets
• Servers were listed from the data collected using the ping sweep, port scans and the asset Excel sheets found while searching various machines across the compromised LAN.
• The naming convention and the role of each server revealed the critical ones.
• Some password sheets were also found on the compromised machines.
• The search_dwld script is a powerful method to get useful files.
• Excel sheets (xls, xlsx), Word documents (doc, docx) and diagrams (jpg, jpeg) were searched for.
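The same search is worth running on your own file shares before a tester does. The following is an added example, not the search_dwld script from the talk: it walks a directory tree for the document types the slide lists, ranks files whose names suggest password lists, asset inventories or diagrams ahead of the rest, and builds a small constructed sample tree (the paths and keywords are assumptions) so it runs offline.

```python
"""Locate document types that leak architecture and credentials on a file tree.

Added example (not the talk's search_dwld script). Extensions follow the slide;
the "hot" keywords and the sample tree are constructed for the demonstration.
"""
import tempfile
from pathlib import Path

DOC_EXTS = {".xls", ".xlsx", ".doc", ".docx", ".jpg", ".jpeg"}
HOT_WORDS = ("password", "passwd", "pwd", "credential", "diagram", "asset", "ip list")


def find_interesting_files(root, exts=DOC_EXTS, hot_words=HOT_WORDS):
    """Return [(relative_posix_path, hot)] for files under root with a matching
    extension, hot ones (name contains a hot word) first, then by path."""
    root = Path(root)
    found = []
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in exts:
            name = p.name.lower()
            hot = any(w in name for w in hot_words)
            found.append((p.relative_to(root).as_posix(), hot))
    return sorted(found, key=lambda item: (not item[1], item[0]))


def build_demo_tree():
    """Create a constructed sample share in a temp dir and return its path.
    File contents are placeholders; only names and extensions matter here."""
    root = Path(tempfile.mkdtemp(prefix="demo_share_"))
    for rel in [
        "finance/Server Passwords.xlsx",   # hot: password list
        "it/asset-list.xls",               # hot: asset inventory
        "it/network diagram.jpg",          # hot: diagram
        "hr/policy.docx",                  # matching extension, not hot
        "it/readme.txt",                   # ignored extension
        "it/setup.exe",                    # ignored extension
    ]:
        f = root / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_text("constructed placeholder content\n")
    return root


if __name__ == "__main__":
    for path, hot in find_interesting_files(build_demo_tree()):
        print(("HOT  " if hot else "     ") + path)
```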
Gathering more info
• Keystrokes were dumped for days.
• This gave access to official mail IDs, the employee management portal, passwords to production servers and firewalls; virtually everything in that environment.
• Screenshots from meterpreter were used.
• Source code was received "on the fly" as it was typed by developers.
• Passwords were also captured with the help of the BeEF Prompt Dialog module.
Keyscan_dump output
• Screenshot of one of the victims (it was showing too many details).
• Screenshots helped in understanding the working environment and the habits of the victim users.
Attack Phase 2
• Using the gathered info to compromise production.
• There was actually nothing left to compromise.
• Even UPS consoles were accessed.
• Queries to view sensitive data from databases were "sniffed" from the keystroke dumps.
Bad Practices Identified
• Help desk too helpful.
• Employees were more than happy to click links and open unknown PDFs.
• Higher authority means Administrator privileges.
• Local Administrator exempted from the password policy.
• Unencrypted password lists.
• Sites allowed in the form *.domain.*
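The last bad practice is what let the look-alike domains of Attack Phase 1 (ibmindia.selfip.biz, microsoft.dnss.com) through the whitelist. The following is an added example, not from the talk or the target's proxy: a glob-style allow rule of the form `*.vendor.*` beside a corrected rule that accepts only the vendor's registered domain and its subdomains, compared label by label from the right. The `www.` host prefix on the attacker's domain and the proxy's rule syntax are assumptions.

```python
"""Whitelist matching: shell-style globs (weak) versus registered-domain suffix (corrected).

Added example (not from the original talk). Patterns, domains and URLs below are
constructed to illustrate the slide's "*.domain.*" finding.
"""
import fnmatch
from urllib.parse import urlsplit


def _host(url):
    """Lower-cased host part of a URL, without a trailing dot."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def allowed_by_glob(url, patterns):
    """The weak rule: host matched against globs such as '*.microsoft.*'.
    The trailing '.*' was meant to cover .com/.co.in/etc., but it equally
    accepts any host an attacker registers with the vendor name as a label."""
    host = _host(url)
    return any(fnmatch.fnmatch(host, p.lower()) for p in patterns)


def allowed_by_suffix(url, domains):
    """The corrected rule: host must equal a listed registered domain or end
    with '.' + that domain, so only the vendor's own subdomains qualify."""
    host = _host(url)
    return any(host == d or host.endswith("." + d) for d in (x.lower() for x in domains))


# Constructed rule sets: one vendor name per vendor, written both ways.
GLOB_ALLOW = ["*.microsoft.*", "*.ibm.*"]
SUFFIX_ALLOW = ["microsoft.com", "ibm.com"]

# Constructed test URLs: two legitimate, three attacker-controlled look-alikes.
URLS = [
    "https://support.microsoft.com/kb",
    "https://www.ibm.com/support",
    "http://www.microsoft.dnss.com/update",
    "http://microsoft.com.evil.example/login",
    "http://ibmindia.selfip.biz/",
]


def compare(urls=URLS):
    """Return {url: (glob_result, suffix_result)} for a side-by-side view."""
    return {u: (allowed_by_glob(u, GLOB_ALLOW), allowed_by_suffix(u, SUFFIX_ALLOW)) for u in urls}


if __name__ == "__main__":
    for url, (g, s) in compare().items():
        print(f"glob={'allow' if g else 'deny ':5} suffix={'allow' if s else 'deny ':5} {url}")
```

Note that neither rule helps against a legitimate vendor site that itself serves attacker content (the BeEF hook case on an allowed site), and that the suffix check needs the proxy to match on the host it actually connects to, not on whatever string appears in a link.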
How it can be avoided
Educating the employees
Educating the employees
Educating the employees
Educating the employees
Educating the employees
• Thank you
• Questions please?