2. What this paper is about
• Pen testing a highly secure environment.
• Methods used (the different phases of the test).
• Bad practices faced.
• This is a real-world scenario.
3. The Environment
• Network IPS and firewall at the DMZ.
• Internal NIPS.
• HIPS, HIDS and AV as endpoint security.
• Complete segregation by internal firewalls.
• Servers and desktops patched and hardened.
• Limited internet access to nearly fifty websites (related to vendors).
• Dedicated Security Operations Team.
4. Recon Phase 1
• Info about products and vendors (mostly banner grabbing).
• Listing of possible targets (machines and humans).
• The starting point was browsing the target's portal and looking for help and admin contacts.
5. Listing of possible targets
• Help please!
• A small bug in the target's application was discovered and help was asked for regarding it.
• Direct involvement of someone from Technical Support with authority was asked for.
• The idea was to reach someone who has access to things, like the internet.
7. What was the result
• A nice list of the hierarchy (based on email addresses) was prepared.
• In total thirteen such mail IDs were gathered, including two group mail IDs.
8. Attack Phase 1
• Forged mails were sent pretending to be employees of vendors.
• Domain names similar to those of the vendors and the target itself were used (e.g. ibmindia.selfip.biz, microsoft.dnss.com).
• On some of the websites a BeEF hook was used.
• The above helped in bypassing the whitelist (see the *.domain.* wildcard entries under Bad Practices).
• Multiple methods were used.
9. White list Internet
• Website history of the victims, as listed by BeEF.
• SET (the Social-Engineer Toolkit) was used to send the emails.
• Simple social engineering emails in the name of vendors gave two useful things:
1. Vendor websites are allowed through the whitelist.
2. Some meterpreter sessions had already popped up.
16. Distracting the Security Team
• Distracting the team was required so that any activity detected internally might be ignored.
• A tool available in BackTrack makes so much noise that it can deafen even the best SIEM devices.
• ADMdnsfuckr is the tool.
• Capable of generating nearly 1.5 lakh (150,000) fake DNS requests from a 4 Mbps line in an hour.
• Within 15 minutes the attacking IP was blocked.
• The team's concentration then had to be on the DMZ, while insider access was already there.
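The noise described on this slide is exactly what the security team had to triage, and it is detectable: the attacking IP was blocked within 15 minutes. As an added example (not from the deck or its author), the Python below runs a per-source sliding-window detector over a constructed DNS query log. It flags a source that exceeds a query rate within 60 seconds while resolving mostly distinct names, which is the trace a random-label flood leaves, and it scores every source separately, so the external flood cannot mask a quieter anomaly from inside. The log format, the thresholds and the IP addresses are assumptions made for the example.

```python
"""Per-source DNS flood detector over a constructed query log (added example)."""
import hashlib
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)
RATE_THRESHOLD = 600   # queries from one source within WINDOW; assumed tuning value
UNIQUE_RATIO = 0.9     # share of distinct names; a random-label flood is close to 1.0


def parse_line(line):
    """Constructed log format: '<ISO timestamp> <client ip> <qname> <qtype>'."""
    ts, src, qname, qtype = line.split()
    return datetime.fromisoformat(ts), src, qname.lower(), qtype


def detect_floods(lines):
    """Slide a 60 s window per source and flag sources that exceed the rate
    while querying mostly distinct names. Each source is scored on its own,
    so one noisy external IP cannot hide a second, quieter anomaly."""
    windows = defaultdict(deque)  # src -> deque of (ts, qname) inside WINDOW
    flagged = {}
    for line in lines:
        ts, src, qname, _ = parse_line(line)
        q = windows[src]
        q.append((ts, qname))
        while ts - q[0][0] > WINDOW:   # drop queries older than the window
            q.popleft()
        if len(q) >= RATE_THRESHOLD:
            ratio = len({n for _, n in q}) / len(q)
            if ratio >= UNIQUE_RATIO and len(q) > flagged.get(src, {}).get("queries", 0):
                flagged[src] = {"queries": len(q), "unique_ratio": round(ratio, 2),
                                "last_seen": ts.isoformat()}
    return flagged


def build_sample_log():
    """Constructed log: three desktops resolving a few vendor names over ten
    minutes, plus one external source sending 1500 random labels in 60 s,
    a few dozen queries a second (the slide's 150,000 per hour is about 42/s)."""
    base = datetime(2012, 3, 12, 10, 0, 0)
    lines = []
    for i, host in enumerate(["10.0.1.11", "10.0.1.12", "10.0.1.13"]):
        for k in range(20):
            ts = base + timedelta(seconds=30 * k + i)
            lines.append(f"{ts.isoformat()} {host} vendor{k % 5}.example.com A")
    for k in range(1500):
        label = hashlib.sha1(str(k).encode()).hexdigest()[:12]
        ts = base + timedelta(milliseconds=40 * k)
        lines.append(f"{ts.isoformat()} 192.0.2.10 {label}.target.example A")
    return sorted(lines)  # ISO timestamps sort chronologically as text


if __name__ == "__main__":
    for src, info in detect_floods(build_sample_log()).items():
        print(src, info)
```

The rate alone is not enough: a busy mail gateway can legitimately exceed it, so the distinct-name ratio is what separates a flood of invented labels from a real resolver. The point the slide makes still holds for the defender: blocking the flooding IP is the easy part; the alert on the flood must not become the only thing the team looks at.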
17. Gaining more access
• Admin-level access to the compromised machines.
• Access to more systems to understand the architecture.
• Access to a whole network was required to actually understand how things worked inside.
18. Admin level access
• Recon turned out to be very useful here, as victims with "authority" had admin rights.
• A simple getsystem is enough once you are an admin on a machine.
• A hashdump followed to get the hashes of the local admin user.
20. Local admin
• Generally, the local admin password is the same for most of the machines on a LAN. That was the case here for the victim subnet.
• psexec, pivoted through the compromised host with Metasploit's route command, was used to get local admin (and then SYSTEM) privileges on most of the machines in the victim LAN.
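Slides 18 and 20 describe dumping the local admin hashes on one machine and re-using the same credentials with psexec across the subnet. As an added example, not the deck's own code, the Python below parses hashdump output (pwdump format, user:rid:lm:nt:::) collected from several hosts, finds the local Administrator hashes (RID 500) that more than one host shares, and formats them the way Metasploit's psexec accepts SMBPass (LM:NT), so the hash can be replayed without cracking. The host addresses and hash values are constructed for the example. The same grouping is the audit a defender would run to find the local-administrator exception to the password policy that slide 35 lists.

```python
"""Group local Administrator hashes across hashdump output (added example)."""
from collections import defaultdict

# Well-known constants of the pwdump format that hashdump emits.
NO_LM = "aad3b435b51404eeaad3b435b51404ee"     # LM field when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password

# Constructed hashdump output (user:rid:lm:nt:::) from four hosts on the
# victim subnet. Addresses and hash values are made up for this example.
HASHDUMPS = {
    "10.0.1.11": (
        "Administrator:500:aad3b435b51404eeaad3b435b51404ee:0a1b2c3d4e5f60718293a4b5c6d7e8f9:::\n"
        "jdoe:1001:aad3b435b51404eeaad3b435b51404ee:ffeeddccbbaa99887766554433221100:::\n"
    ),
    "10.0.1.12": (  # same admin hash, emitted upper-case by a different tool
        "Administrator:500:AAD3B435B51404EEAAD3B435B51404EE:0A1B2C3D4E5F60718293A4B5C6D7E8F9:::\n"
        "asmith:1001:aad3b435b51404eeaad3b435b51404ee:11223344556677889900112233445566:::\n"
    ),
    "10.0.1.13": (  # different admin password, and a service account with LM stored
        "Administrator:500:aad3b435b51404eeaad3b435b51404ee:9f8e7d6c5b4a39281706f5e4d3c2b1a0:::\n"
        "svc_backup:1002:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::\n"
    ),
    "10.0.1.14": (
        "Administrator:500:aad3b435b51404eeaad3b435b51404ee:0a1b2c3d4e5f60718293a4b5c6d7e8f9:::\n"
    ),
}


def parse_hashdump(text):
    """Parse pwdump lines into dicts; hashes are lower-cased for comparison."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue
        user, rid, lm, nt = parts[:4]
        entries.append({"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()})
    return entries


def local_admin(entries, rid=500):
    """The built-in Administrator is RID 500 whatever it has been renamed to."""
    return next((e for e in entries if e["rid"] == rid), None)


def shared_admin_hashes(dumps):
    """Map each local Administrator NT hash to the hosts that share it.
    Only hashes seen on more than one host are returned: those are the
    hosts psexec will open with a single credential."""
    by_hash = defaultdict(list)
    for host, text in dumps.items():
        admin = local_admin(parse_hashdump(text))
        if admin:
            by_hash[admin["nt"]].append(host)
    return {nt: sorted(hosts) for nt, hosts in by_hash.items() if len(hosts) > 1}


def smbpass(entry):
    """Metasploit's psexec takes SMBPass as LM:NT, so the dump is replayed as is."""
    return f"{entry['lm']}:{entry['nt']}"


def weak_accounts(dumps):
    """Audit view: blank passwords and accounts that still store an LM hash."""
    findings = []
    for host, text in dumps.items():
        for e in parse_hashdump(text):
            if e["nt"] == EMPTY_NT:
                findings.append((host, e["user"], "empty password"))
            elif e["lm"] != NO_LM:
                findings.append((host, e["user"], "LM hash stored"))
    return sorted(findings)


if __name__ == "__main__":
    for nt, hosts in shared_admin_hashes(HASHDUMPS).items():
        admin = local_admin(parse_hashdump(HASHDUMPS[hosts[0]]))
        print(f"set SMBPass {smbpass(admin)}   # works on {', '.join(hosts)}")
    for finding in weak_accounts(HASHDUMPS):
        print("weak:", finding)
```

hashdump does not report whether an account is disabled, so an empty-password finding on a built-in account such as Guest needs to be checked against the account status before it is reported.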
22. Maintaining access
• To maintain access, two ways were used.
• The meterpreter persistence script and the method posted by HDM on the Metasploit blog.
• For both of these it was sensible to kill the AV (at least temporarily).
• But there was a problem.
24. • A simple script was created to duplicate the session, migrate into the AV process and then kill itself, taking the AV process down with it; the duplicate session kept our access, and bingo, we knocked the AV down.
• Below is how it was done.
25. • The persistence script was used and persistent meterpreter connections were created on the victim machines.
• A little change was required: the default connect method in persistence.rb was changed from reverse_tcp to reverse_https.
27. What we have now
• Now we control a complete LAN, mostly with administrative privileges.
• We have a list of IPs of servers and other devices, thanks to our ping sweep.
28. Recon Phase 2
• Listing critical assets (humans and machines).
• Searching machines for network diagrams, IP lists, password lists etc.
• Logging keystrokes to read mails and gather passwords.
• Residing on the network to gather information.
29. Listing critical assets
• Servers were listed from the data collected using ping sweeps, port scans and the asset Excel sheets found while searching various machines across the compromised LAN.
• The naming convention and role of the servers revealed the critical ones.
• Some password sheets were also found on the compromised machines.
30. • The search_dwld meterpreter script is a powerful way to get useful files.
• Excel sheets (xls, xlsx), Word documents (doc, docx) and diagrams (jpg, jpeg) were searched for.
31. Gathering more info
• Keystrokes were dumped for days.
• This gave access to official mail IDs, the employee management portal, passwords for production servers and firewalls; virtually everything in that environment.
• Meterpreter's screenshot was used as well.
• Source code was received "on the fly" as it was coded by the developers.
• Passwords were also captured with the help of the BeEF Prompt Dialog module.
32. Keyscan_dump output
• Screenshot of one of the victims (it was showing too many details).
• Screenshots helped in understanding the working environment and habits of the victim users.
34. Attack Phase 2
• Using the gathered info to compromise production.
• There was actually nothing left to compromise.
• Even UPS consoles were accessed.
• Queries to view sensitive data from databases were "sniffed" from the keystroke dumps.
35. Bad Practices Identified
• Help desk too helpful.
• Employees were more than happy to click links and open unknown PDFs.
• Higher authority meant Administrator privileges.
• Local Administrator exempted from the password policy.
• Unencrypted password lists.
• Sites whitelisted in the form *.domain.*
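Slides 8 and 35 together explain the whitelist bypass: look-alike domains such as microsoft.dnss.com and ibmindia.selfip.biz got through because sites were allowed as *.domain.* wildcards. As an added example, not code from the deck, the Python below puts a wildcard matcher of that form beside a matcher anchored on the vendor's registered domain and runs both over constructed hostnames. The allowlist entries are assumptions; the attacker hostnames are subdomains placed under the deck's example domains.

```python
"""Wildcard vs. anchored allowlists (added example, not from the deck)."""
from fnmatch import fnmatchcase

# Constructed allowlist in the *.domain.* form the deck reports (slide 35).
WILDCARD_ALLOWLIST = ["*.microsoft.*", "*.ibm.*"]

# Constructed allowlist of registered domains for the anchored matcher.
DOMAIN_ALLOWLIST = ["microsoft.com", "ibm.com"]


def normalize(host: str) -> str:
    """Lower-case and drop a trailing dot so 'WWW.IBM.COM.' equals 'www.ibm.com'."""
    return host.strip().lower().rstrip(".")


def wildcard_allowed(host: str) -> bool:
    """Weak check: '*.microsoft.*' only requires '.microsoft.' to appear
    somewhere in the name, so www.microsoft.dnss.com, whose registered
    domain is dnss.com and belongs to the attacker, passes as a vendor site."""
    name = normalize(host)
    return any(fnmatchcase(name, pattern) for pattern in WILDCARD_ALLOWLIST)


def domain_allowed(host: str) -> bool:
    """Anchored check: the name must be the allowed domain itself or end in
    '.' + domain, so only names under the vendor's registered domain match."""
    name = normalize(host)
    return any(name == d or name.endswith("." + d) for d in DOMAIN_ALLOWLIST)


def compare(hosts):
    """Return {host: (wildcard_result, anchored_result)} for each hostname."""
    return {h: (wildcard_allowed(h), domain_allowed(h)) for h in hosts}


# Constructed hostnames. Attacker names are subdomains under the deck's
# look-alike domains (microsoft.dnss.com) plus two other common tricks.
HOSTS = [
    "www.microsoft.com",           # legitimate vendor host
    "support.ibm.com",             # legitimate vendor host
    "WWW.IBM.COM.",                # legitimate, mixed case, trailing dot
    "www.microsoft.dnss.com",      # attacker: vendor name as a middle label
    "cdn.microsoft.com.evil.biz",  # attacker: real domain embedded as a prefix
    "evilmicrosoft.com",           # attacker: no label boundary before vendor
]

if __name__ == "__main__":
    for host, (wild, anchored) in compare(HOSTS).items():
        print(f"{host:28} wildcard={wild!s:5} anchored={anchored}")
```

The anchored matcher still has to be fed by someone who controls which registered domains go on the list; it closes the hole the deck exploited (a vendor name anywhere in the hostname), not the separate problem of a vendor domain that is itself compromised.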
36. How it can be avoided
Educating the employees
Educating the employees
Educating the employees
Educating the employees
Educating the employees