The enemy is inside: how I got caught on an insider red team engagement
I had every advantage. I was already inside the network. I was beyond suspicion. But they detected my hacking, threw me off the network and tracked me down physically.
Many penetration tests start from the outside to see whether the perimeter can be crossed. This time the customer wanted to see how far an attacker who had already got inside the organization could go. Could they stop me if I was already on the network?
So they quietly brought me into the office disguised as a new employee. They gave me a work computer, a badge, an account in their systems; hell, I even had my own cubicle with an assumed name on it. The only person who knew who I really was was their director of information security. Everyone else thought I was Jeremy from Marketing.
I spent most of the first morning on onboarding paperwork, getting to know my colleagues and doing grunt work. But I had to move fast. I had only a week for the whole job, and I needed to compromise everything without arousing suspicion. So I got down to business.
To put it in perspective: most penetration tests are fairly straightforward. The hardest part is getting into the network. But once inside, you have a wide choice of targets: old computers, default passwords, everyone running as local administrator. I usually get domain admin within a day or two, and enterprise admin soon after that. The remaining time goes to cleaning up traces and gathering evidence of what an attack could have done. But this time was different. Time to be surprised.
Sitting at the computer, I pretended to work. I planned to use my office computer for research and for studying how the other workstations were configured, but I would not attack directly from it, so as not to leave traces pointing at me. Instead, I brought a separate attack machine: a personal laptop running Linux and a pile of hacking tools. I plugged it into the network and got an IP address. Their NAC did not cover the whole network: any connection from a cubicle port was trusted.
I started as usual: capturing and analyzing network traffic with Wireshark, then changing my laptop's MAC address and hostname so that it would blend into their infrastructure and look like ordinary equipment. Then I ran Responder on my subnet to catch hashes and crack passwords. Pretty quickly I had collected a good handful of hashes. I was on a regular employee subnet, so there were plenty of logged-in accounts with open browsers spraying authentication data around.
The first surprises
I ran the captured hashes through my 8-GPU cracking rig, but something was off. All 8-character combinations of upper- and lowercase letters, digits and special characters (NetNTLMv2) were exhausted pretty quickly. Most ordinary passwords (one word, first letter capitalized, ending in a digit or symbol) I crack instantly. Not here.
I could have run net accounts on my workstation to read the password policy straight from AD, but I decided to look elsewhere first; I did not want to leave extra traces. Rummaging around the network, I found their security requirements. It turned out the minimum password length was 12 characters, with upper- and lowercase letters, special characters and digits required. And they had already begun moving to passphrases. I changed my brute-force rule set to use longer words, capital letters and digit or special-character endings. That got me a few passwords!
Cool! Let's go! I immediately tried to log in remotely to a user's computer with his password and was denied. What the? That always worked. The password was correct. But access was refused. I double-checked myself. Start with the basics. Do it properly. I spent some time locating a domain controller. The VoIP phones had web-page configs with its address in them. From the controller, over LDAP, I pulled the group policy settings to see who had which privileges. After a long dig through a pile of settings, I realized that remote access was allowed only to a small subset of IT staff, not even the whole IT department. And I had not cracked any of their passwords. They had implemented least privilege. Who does that?
Okay, to hell with it. Do without access to computers. Dig into their correspondence instead! So I did. I searched for passwords in email and Skype chats and checked notes and drafts in Outlook. I came across a pile of personal passwords for all sorts of things, but not one for a business account. But I did find an email from the information security department saying they planned to roll out two-factor authentication for mail within a week. Looks like I got lucky.
The weakest point of any system
Then I went to the SSO portal. All the internal applications in one place. A hacker's dream! I clicked on one of the applications. It required two-factor authentication. So did the next one. And the next. What is this, Alcatraz? A hacker's nightmare!
I saw they were using Citrix. It was behind two-factor authentication too, but never mind, I'd deal with that. Citrix would give me access to an internal server. I needed to get onto an internal host so I could take my attack laptop off the network and start moving through it from there. I launched Citrix and got a prompt for a 6-digit PIN in response. There was a button labelled "Click to get a token" and a partially masked phone number: (xxx) xxx-5309. Searching the mail for "5309", I found a user's signature with the full phone number. I called it.
A woman answered. "Good afternoon, Pam. This is Josh from IT. We're migrating your Citrix profile to a new server. I'm about to send you a 6-digit number and I need you to read it back to me. Just a reminder: we never ask for your password." I already had her password. She hesitated: "Weeeell..." I pressed the button to send the authentication token and said: "Done. I've sent you the number; please read it to me when you get it." She replied: "Ummm, yes, got it. 9-0-5-2-1-2." "Thank you! Please don't launch Citrix for a couple of hours!" A 60-second timer ticked on the screen. I typed the digits into the two-factor prompt and clicked "OK". Logged in. To hell with you, two-factor authentication! Once inside, I saw nothing. NOTHING! This user had no need for Citrix, so there was NOTHING attached to her account. I had broken into an empty back room.
So. This was madness. I might crack a long password, but only if I was lucky enough to catch the right hash. Even with a cracked password belonging to someone from that small group, I would still have to get past two-factor authentication. Each attempt, especially against someone from that protected group, raised the risk of detection. Damn.
I tried everything. I ran increasingly aggressive scans while still trying to stay under the radar. I probed the whole network and every service I could find with every attack I knew. And although here and there I found minor things, it was not enough to gain a foothold anywhere. I began to despair. It was already the end of the second day. Usually by that point I'm already gutting databases, reading the CEO's mail and snapping people on their webcams. Hell. Time to break into the IT lair. I'm going to steal laptops.
I stayed late after work. My colleagues were told I needed to complete the new-hire security course. They left one by one. Then the cleaners came. When they finished, I was alone. I went to the IT office. Found the door. Looking around, I took hold of the handle...
Before that I had already tried various things on my work laptop, but I was not a local administrator and the disk was fully encrypted. My goal was to find an old unencrypted laptop with a local admin password hash on it.
I checked the hallway to make sure no one was around. I scanned the ceiling for security cameras. I opened my mouth and tilted my head to listen for anyone coming around the corner. Nothing. I was ready to act. I was ready to pick a mechanical lock, deal with an electronic access control system, or take the door off its hinges, but I found the door was ajar. Lucky. The door had an electronic lock and a mechanical lock. Even protected hinges. But someone had left it unlocked that night. I opened the door a crack and peeked in, expecting to run into someone inside. No one. Oh, what the hell. Pure luck. I went in.
I have no idea why the door was open, but 80% of my work is user mistakes, 56% is skill, 63% is adaptability, 90% is features, and 80% is luck. And only about 1% has anything to do with math.
Anyway. I did not know whether someone might come back any minute, so I got to work. In the corner lay piles of laptops of various ages, makers and models. After weighing the risk of getting caught in the IT office against the risk of getting caught with a pile of laptops at my desk, I chose my desk. So there I was, hauling a stack of old laptops from the IT cave to my cubicle and stacking them into a Leaning Tower of Pisa under my desk. Then I methodically tried to boot each laptop from a USB stick in search of the unencrypted Holy Grail.
I have a bootable USB stick with Kali and the samdump2 utility. I plug it into one of the laptops, boot from it and try to mount the hard disk. Every time I hit encryption I get more frustrated. Finally, after 30 laptops, I find three half-dead ones with unencrypted disks. With samdump2 I pull the local NTLM hashes from the SAM and compare them. That turns up a non-standard local administrator, "ladm", on all three machines. The hashes match. Praise Eris! They don't use LAPS. The local administrator account is the same on every computer. I cracked this hash quite easily. The password was <Company name> <Year>, and that year was a couple of years back. An asset-management slip. Love it.
I tried to log in remotely and got the same error as before. Even the local admin was denied remote logon. I tried logging in locally on my own office laptop, and it worked! This account got past the full-disk encryption! A master key! Oh yes! This I can use! But then I noticed something odd: I had no access to user data. What? They had restricted access EVEN FOR LOCAL ADMINS?! Damn. I needed to escalate privileges to SYSTEM.
I tried every trick I could think of. Finally, I looked for Unquoted Service Path vulnerabilities and found a couple! But the tool's output said my local administrator had no write permission on the folders I needed. Come on! By then I was exhausted and broken. My 17-hour shift was ending. My brain had stopped working. This was another dead end. Another round of hard struggle and successful hacking only to hit the next fail. I had to go home and get some sleep to start again the next day.
Call a friend
The next day I rechecked everything to make sure I hadn't missed anything. I checked everything I could check, scanned everything I could scan, did everything that came to mind. Small leads everywhere, but nothing worthwhile. I called a colleague from Dallas Hackers. After telling him about my ordeal, I ended with my dashed hopes for the Unquoted Service Path vulnerability, when the output showed me I lacked the necessary privileges. He asked: "Did you try exploiting it anyway?" I froze. I had not. In that state I had trusted the tool's conclusion and not checked it myself. Fine. I tried writing data to the directory, the very one Windows said I had no write access to. And it worked. Damn Windows. Fooled me again. But all right. This is awesome. A new lead.
My colleague quickly sent me a C loader that launched a PowerShell payload. I risked testing the combination on my own computer, and everything seemed to work. It was a convoluted attack. But it was all I had. I was going to:
Run a listener on my attack laptop
Get physical access to a laptop in the office
Log in with the local administrator account
Drop my malware bundle into the Unquoted Service Path
Wait for a user to log in and for the payload to launch
Lunch break was approaching. I smiled at my colleagues' invitation to go grab a bite and said I'd catch up. My first plan was to go back to the IT office and get at one of their computers while they were at lunch. But when I went to their office, they were all at their desks! Eating lunch in front of their computers! Don't they know how unhealthy that is?! How not separating work and rest and skipping breaks leads to stress?! Why can't they have lunch like normal people?!
Oh, screw it. I'm going to hack a computer. Any computer. I walked around the office and found a room with nobody in it. Finance. Fine, hack finance. I said something to a sweet little old lady who had come back for her purse, letting her know I was from IT and updating computers. She nodded, smiled sweetly and left. Irritated, with a face full of spite and glee, I turned to one of her colleagues' computers and hacked it.
It took less than 30 seconds. I put the chair and mouse back the way they were before I arrived. I glanced around once more to make sure everything looked normal. Then I went back to my desk. I sat staring at my listener. At some point lunch ended. I did not even feel like talking. Just as I was starting to lose hope, I saw:
> Meterpreter session 1 opened
> Meterpreter session 2 opened
> Meterpreter session 3 opened
> Meterpreter session 7 opened
Well, I'll be damned! I ran getuid and saw NT AUTHORITY\SYSTEM. Yee-haw!
Good! Great! So! Um... Let's go! Yes! Having gained a foothold on the system, I took a memory dump and started digging through the file system. Some financial information. Some cleartext passwords. Sensitive, but nothing serious. Oh well. This was just the beginning. A beachhead. And then...
> Meterpreter session 1 closed
I try to grab the sessions, but they are all closing. I ping the system; it does not respond. I scan port 445. Nothing. The system is gone. This. Is. Too. Much. I get up and head straight for the finance department. What happened to my shells?!
Coming around the corner, I see the nice old lady talking to the biggest, fiercest-looking IT guy. I quickly go "Oh, crap" and turn around just as the old lady looks in my direction, points her finger straight at me and shouts: "That's him! He was messing with our computers!" I let out a heart-rending cry and bolt. Turning my back on the fierce IT guy, I run the other way and run straight into two security guards. They look very unfriendly and make it clear I have wandered into the wrong area. I come to covered in blood, strapped to an ergonomic office chair with the cable ties they use in the server room. The head of DFIR stands in front of me, her knuckles bloodied. Behind her is a small team of analysts from the intrusion detection team. I squeeze out one word; I need to know: "How?" She leans to my ear and whispers: "Nobody in finance ever runs PowerShell."
Okay, I added a little drama at the end. But the part about running into the old lady who handed me over to the IT people was real. They detained me on the spot. They took my laptop and reported me to management. The director of information security came down and confirmed I was supposed to be there. And the way they caught me is real too. They got an alert that PowerShell was running on a system outside the small group of IT staff and developers who normally run PowerShell. A simple and reliable method for detecting anomalies.
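The detection rule described above, written out as an added example that is not part of the original post: PowerShell launches are picked out of Windows 4688 process-creation events and alerted on when they happen on a host and under an account outside a small approved group. The host names, account names, executable paths and event records are constructed.

```python
import ntpath
from dataclasses import dataclass

POWERSHELL_BINARIES = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}
# Baseline hosts/accounts that normally run PowerShell (IT and dev in the post); constructed names.
APPROVED_HOSTS = {"IT-WS-01", "IT-WS-02", "DEV-WS-07"}
APPROVED_USERS = {"corp\\it.admin", "corp\\dev.alice"}

@dataclass(frozen=True)
class ProcessEvent:          # the Windows 4688 (process creation) fields we need
    computer: str
    user: str                # DOMAIN\user (SubjectUserName)
    new_process: str         # full path of the created process
    parent_process: str      # full path of the creator process

def is_powershell(path: str) -> bool:
    # Match on the executable name only, regardless of path or casing.
    return ntpath.basename(path).lower() in POWERSHELL_BINARIES

def detect_unexpected_powershell(events, approved_hosts=APPROVED_HOSTS,
                                 approved_users=APPROVED_USERS):
    """Return one alert dict per PowerShell launch where neither the host
    nor the account belongs to the approved group."""
    alerts = []
    for ev in events:
        if not is_powershell(ev.new_process):
            continue
        if ev.computer.upper() in approved_hosts or ev.user.lower() in approved_users:
            continue
        reason = "PowerShell outside the approved host/user group"
        # Parent services.exe means it was started as a service (how the post's
        # payload ended up running as SYSTEM on a finance workstation).
        if ntpath.basename(ev.parent_process).lower() == "services.exe":
            reason += "; spawned by services.exe"
        alerts.append({"computer": ev.computer, "user": ev.user, "reason": reason})
    return alerts

# Constructed sample: a legitimate IT launch, Excel in finance, and PowerShell
# started by a service as SYSTEM on the same finance workstation.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
EXPLORER, SERVICES = r"C:\Windows\explorer.exe", r"C:\Windows\System32\services.exe"
SAMPLE_EVENTS = [
    ProcessEvent("IT-WS-01", "CORP\\it.admin", PS, EXPLORER),
    ProcessEvent("FIN-WS-12", "CORP\\pam.finance", EXCEL, EXPLORER),
    ProcessEvent("FIN-WS-12", "NT AUTHORITY\\SYSTEM", PS, SERVICES),
]
if __name__ == "__main__":
    for alert in detect_unexpected_powershell(SAMPLE_EVENTS):
        print(alert)
```

Only the third sample event produces an alert; the same rule applied to a real 4688 feed needs the approved sets maintained as the IT and developer group changes.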
Least privilege model
Simple rules for spotting anomalies
Don't assume
Ask for help
Adapt and overcome