Ultimate pen test compromising a highly secure environment (nikhil)
4 likes1,149 views
This document summarizes a penetration test of a highly secure environment. The recon phase involved gathering information on targets through banner grabbing and discovering admin contacts. Social engineering emails were then used to gather a list of employee hierarchies. In the attack phase, forged emails pretending to be vendors were used to bypass the whitelist and gain initial access. The security team was distracted using a tool that generated DNS requests while more access was gained using admin privileges from compromised machines. The second recon phase involved mapping the network and gathering passwords by logging keystrokes. Servers and sensitive data were then compromised, identifying issues like helpful help desks and privileged local admin accounts.
Ultimate pen test compromising a highly secure environment (nikhil)
- 1. Ultimate Pen Test Compromising a highly secure environment Nikhil Mittal @nikhil_mitt 1
- 2. What this paper is about • Pen Testing a highly secure environment. • Methods used (Different phases of the test). • Bad Practices faced. • This is a real world scenario. 2
- 3. The Environment • Network IPS and Firewall at DMZ • Internal NIPS • HIPS, HIDS and AV as end point security. • Complete segregation by Internal firewalls. • Servers and Desktops patched and hardened. • Limited internet access to nearly fifty websites (related to vendors). • Dedicated Security Operations Team 3
- 4. Recon Phase 1 • Info about products and vendors (mostly banner grabbing). • Listing of possible targets (machines and humans). • Starting place was browsing the target portal and looking for help contact, admin contacts. 4
- 5. Listing of possible targets • Help Please! • A small bug in the target’s application was discovered and help was asked regarding it. • Direct involvement of someone from Technical Support and with Authority was asked for. • Idea was to get someone with who has access to things, like the internet. 5
- 6. A mail used in the attack 6
- 7. What was the result • A nice list of hierarchy (based on emails) was prepared. • In total thirteen such mail ID were gathered including two group mail ID. 7
- 8. Attack Phase 1 • Forged mails were sent pretending to be employees from vendors. • Domain names similar to that of vendors and the target itself were used. (e.g. ibmindia.selfip.biz, microsoft.dnss.com) • In some of the websites BeEF hook was used. • Above helped in bypassing the white list. • Multiple methods were used. 8
- 9. White list Internet • Websites history listed by BeEF. • SET was used to send emails. • Simple Social Engineering emails from name of vendors gave two useful things 1. Vendor websites are allowed. 2. Some meterpreter sessions already popped up. 9
- 10. 10
- 11. 11
- 12. 12
- 13. 13
- 14. 14
- 15. 15
- 16. Distracting the Security Team • Distracting the team was required so that any activity detected internally may be ignored. • A nice tool is available in backtrack which makes that much noise which can deafen even the best SIEM devices. • ADMdnsfuckr is the tool. • Capable of generating nearly 1.5 lakhs of fake DNS requests from a 4Mbps line in an hour. • Within 15 minutes the attacking IP was blocked. • Concentration must be on DMZ then but already insider access was there. 16
- 17. Gaining more access • Admin level access to compromised machines. • Access to more systems to understand the architecture. • Access to a whole network was required to actually understand how things were working inside. 17
- 18. Admin level access • Recon turned out to be very useful here as victims with “authority” had admin rights. • Simple getsystem is enough once you are an admin on some machine. • A hashdump followed to get hashes for local admin user. 18
- 19. 19
- 20. Local admin • Generally, for local admin password will be same for most of the machines on a LAN. Same was the case here for victim subnet. • psexec with route was used to get Local Admin (and then system) privileges on most of the machines in the victim LAN. 20
- 21. 21
- 22. Maintaining access • To maintain access two ways were used. • Persistence script of meterpreter and method posted by HDM at metasploit blog. • For both of these it was sensible to kill AV (at least temporarily). • But there was a problem. 22
- 23. 23
- 24. •A simple script was created to duplicate the session, migrate it to AV process and kill self and bingo!! we knocked AV down. • Below is how it was done. 24
- 25. • Persistence script was used and persistent meterpreter connections were created on the victim machines. •A little change was required; change the default connect method to reverse_https in place of reverse_tcp in persistence.rb. 25
- 26. Other Network reachable from victim • A ping sweep was done. 26
- 27. What we have now • Now we control a complete LAN mostly with administrative privileges. • We have a list of IP of servers and other devices, thanks to our ping sweep. 27
- 28. Recon Phase 2 • Listing critical assets (humans and machines) • Searching machines for Network diagrams, IP lists, password lists etc. • Logging of keystrokes to read mails, gather passwords. • Residing on the network to gather information. 28
- 29. Listing critical assets • Servers were listed down from the data collected using ping sweep, port scans and excel sheets found for assets while searching various machines across compromised LAN. • Naming convention and role of servers revealed the critical ones. • Some password sheets were also found on the compromised machines. 29
- 30. •Search_dwld script is a powerful method to get useful files. • Excel Sheets (xls, xlsx), Word documents (doc, docx) and diagrams (jpg, jpeg) were searched for. 30
- 31. Gathering more info • Keystrokes were dumped for days. • Gave access to official mail id, employee management portal, passwords to production servers, for firewalls; virtually to everything in that environment. • Screenshot from meterpreter was used. • Source code was received “on the fly” as coded by developers. • Password were also captured with the help of BeEF Prompt Dialog module. 31
- 32. Keyscan_dump output •Screenshot of one of the victims. (was showing too much details). •Screenshots helped in understanding the working environment and habit of victim users. 32
- 33. 33
- 34. Attack Phase 2 • Using gathered info to compromise production. • There was nothing actually left to do to compromise. • Even UPS consoles were accessed. • Query to view sensitive data from databases were “sniffed” from keystroke dumps. 34
- 35. Bad Practices Identified • Help desk too helpful. • Employees found out to be more than happy to click links and open unknown pdf. • Higher authority means Administrator privilege. • Local Administrator exception of password policy. • Unencrypted password lists. • Sites allowed in form of *.domain.* 35
- 36. How it can be avoided Educating the employees Educating the employees Educating the employees Educating the employees Educating the employees 36
- 37. • Thank You • Questions Please ? 37