The enemy is inside: how I got caught on insider redtimming

Original author: Tinker
  • Transfer

I had all the benefits. I was already inside the network. I was beyond suspicion. But they discovered my hacking, thrown out of the network ... and tracked down physically.

Many penetration tests begin outside to test how you can overcome the perimeter. This time the customer wanted to see how far an attacker could go, who had already managed to find himself inside the organization. Could they stop me if I was already online?

So, they secretly took me to the office, disguised as a new employee. I was given a work computer, a badge, a register in the system ... damn, I even had my own booth with an assumed name on it. The only person who knew who I really was was their director of information security. Everyone else thought I was Jeremy from Marketing.

Intelligence service

For most of the morning of the first day, I was busy with the procedures for applying for a job, getting to know my colleagues, and doing the dirty work. But I had to act fast. I had only a week for everything about everything, and it was necessary to have time to hack everything without arousing suspicion. So I took up the business.

For you to understand: most penetration tests are fairly straightforward. The hardest thing is to break into the net. But once inside, you get a wide choice of goals: old computers, default passwords, everyone sits under local administrators ... I usually get a domain administrator for a day or two, and soon after that, and the administrator of the organization. The remaining time is spent on sweeping traces and gathering evidence of the possible consequences of an attack. But this time it was different. It's time to be surprised.

Sitting at the computer, I pretended to work. I was going to use my office computer to research, study the settings of other workstations, but I would not attack directly from it, so as not to leave traces pointing to me. Instead, I brought a separate hacking device: a personal laptop with Linux and a bunch of hacking tools. I connected it to the network and got an IP address. Their NAC did not cover the entire network: any connection from the working booth was trusted.

I started as usual. Intercepting and analyzing network traffic from Wireshark, changing the MAC address and the name of my laptop so that it gets lost in their infrastructure and looks like ordinary hardware. Then - use Responder in your subnet to catch hashes and crack passwords. Pretty quickly, I managed to collect a full handful of hashes. I was in a regular subnet for employees, so there were a lot of logged in accounts with open browsers spreading authentication data around.

First surprises

I ran through the hashes found on my farm of 8 video cards, but ... something went wrong. Pretty quickly, all 8-character combinations of large and small letters, numbers and special characters (NetNTLMv2) were checked. Most of the usual passwords (one word, the first capital letter ending in a number or character) I crack instantly. But not here.

I could run net accounts on my workstation to view the password policy directly in AD, but first I decided to look somewhere else. I did not want to leave extra traces. Rummaging in the network, I managed to find security requirements. It turned out that the minimum password length, which was supposed to include capital and small letters, special characters and numbers, was 12 characters. And they have already begun the transition to password phrases ... I changed my set of rules for brute force to use longer words, uppercase letters and endings of numbers and special characters. It brought me a few passwords!

Cool! Let's go! I immediately tried to log in remotely to the user's computer under his password ... and was blocked. What the ...? It always worked. Password is correct. But access is closed. I rechecked myself. Start with the basics. Do it right. Some time was spent searching for a domain controller. On VoIP-phones there were configs of web pages, where his address was registered. From the controller through LDAP, I pulled out group policy properties to view privileges. After long excavations in a bunch of settings, I realized that remote access is allowed only a small part of IT specialists, not even the entire IT department. And I did not crack any of their passwords. They implemented the model of least privilege ... Who does that?

Okay, go to hell. Do without access to computers. Climb into their correspondence! So I did. I was looking for passwords in the mail, Skype chat rooms, checked notes and drafts in Outlook. I came across a bunch of personal passwords from anything ... But not one from a business account. But I found a letter from the department of information security, which stated that they were planning to implement two-factor authentication for mail within a week. Looks like I was lucky.

The weakest point of any system

Then I went to the SSO portal . All internal applications in one place. Hacker's dream! I clicked on one of the applications. It required two-factor authentication. The following too. And the following. But what about Alcatraz? Nightmare hacker!

I saw them using Citrix. He is behind two-factor authentication, well, and do not care. I'll deal with it. Citrix will give me access to the internal server. I needed to get to the internal host in order to remove my hacker’s laptop and start moving into the network. I launched Citrix by receiving a 6-digit pin request in response. There is a button with the words “Click to get a token” and a slightly edited phone number: (xxx) xxx-5309. Looking in the mail "5309", I found the user's signature, in which this phone number was specified in full. I called him.

The woman answered. “Good afternoon, Pam. I'm Josh from IT. We transfer your Citrix profile to a new server. I will now send you a 6-digit number. I need you to read it to me. Just in case, I remind you, we never ask for your password. ” I already had her password. She hesitated: “Goooooo ...” I pressed the button to send an authentication token and said: “Done. I sent you a number, read it to me, please, when you receive it. ” She replied: “Ummm ... Yes, I did. 9-0-5-2-1-2. “Thank you! Please don't run Citrix for a couple of hours! ”The timer ticked on the screen for 60 seconds. I typed the numbers in the two-factor authentication window and clicked “Ok”. Zaloginen. Go to Stump, two-factor authentication! Once inside, I saw ... nothing. NOTHING! This user did not need Citrix, so there was NOT ANYTHING attached to it. I hacked the back room.

So. This is madness. I may pick up a long password, but only if I’m lucky enough to catch the desired hash. Even with the password being cracked by someone from a small group of people, I will have to bypass two-factor authentication. Each attempt, especially with someone from this protected group, increases the risk of detection. Damn it ...

I tried everything. I ran more and more aggressive scans, trying to still remain below the radar. I probed the entire network and all the services I managed to find, with all the attacks I knew. And although here and there I found some trifles, this was not enough to gain a foothold somewhere. I began to despair. Already the end of the second day. Usually at this time I already gut the database, read the mail of the CEO and shoot people on their webcams. Hell. It's time to break into the lair of IT people. I'm going to steal laptops.

Night raid

I lingered after work. Colleagues said they need to complete a job security course. They left and dumped. Then came the cleaners. When they finished, I was left alone. I went to the office of IT specialists. Found the door. Looking around, I took the handle ...

Before that, I had already tried various things with my service notebook, but I was not a local administrator, and the disk was completely encrypted. My goal was to find an old unencrypted laptop with a local admin password hash.

I checked the hall so that no one was around. I looked around the ceiling for security cameras. I opened my mouth and bent my head to hear someone coming from around the corner. Nothing. I was ready to act. I was ready to poke around in a mechanical lock, to deal with electronic access control systems, or to remove the door from the hinges, but I found that the door was ajar. Lucky. There was an electronic lock and a mechanical lock on the door. Even protected loops. But someone left it uncovered that night. I opened the door a little, I looked in, expecting to bump into someone inside. No one. Oh nafig. Just pruha. I went inside.

I have no idea why the door was open, but 80% of my work are user mistakes, 56% are skills, 63% are adaptability, 90% are features, and 80% are lucky. And only about 1% is related to mathematics ...

Be that as it may. I did not know if anyone would return here any minute, so I set to work. In the corner lay piles of laptops of different ages, manufacturers and models. After weighing the risks of getting caught in an IT office or with a bunch of laptops on my desk, I chose my desk. And now I’m dragging a pile of old laptops from an IT hole into my booth, folding the Tower of Pisa from them under my desk. Then I began methodically trying to load every laptop from a flash drive in search of the unencrypted Holy Grail.

I have a bootable flash drive with Kali and samdump2 utility. I connect it to one of the laptops, load it and try to mount a hard disk. Each time I stumble upon encryption, I’m getting more and more frustrated. Finally, after 30 tested laptops, I find three half-dead with unencrypted disks. With samdump2, I pull local NTLM hashes from SAM and compare them. Thus, it is possible to find a non-standard local administrator “ladm” on all three machines. The hashes match. Glory to Eris , they do not use LAPS . The local administrator account is the same on all computers. I cracked this hash quite easily. The password was <Company name> <Year>, and this year was a couple of years ago. Error in asset management. Love.

I tried to log in remotely and received the same error as before. Even the local admin was denied remote login ... I tried to log in locally on my own service laptop, and I did it! This account circumvented full encryption! Master key! So ... soooo! This can be used! But then I noticed one oddity ... I did not have access rights to user data. What? They have restricted access EVEN FOR LOCAL ADMINES ?! Heck. It was necessary to raise the privileges to the system.

I tried all the tricks that came to my head. In the end I looked for Unquoted Service Path vulnerabilitiesand found a couple! But the output said that my local administrator does not have the right to write to the necessary folders. Come on! By that time I was exhausted and broken. My 17-hour shift was ending. The brain was no longer working. This was another dead end. Another series of hard struggle and successful hacking for the sake of the next file. You had to go home and get some sleep to start anew the next day.

Call a friend

The next day, I rechecked everything again to make sure that I did not miss anything. I checked everything I could check, scanned everything I could scan, did everything that came to my mind. Everywhere small clues, but nothing worthwhile. I called a colleague from Dallas Hackers. After telling him about my ordeals, I ended up with shattered hopes for the vulnerability of the Unquoted Service Path, when the output showed me the lack of necessary privileges. He asked: “Did you still try to exploit it in spite of this?”. I froze. I have not tried. In that state, I believed the conclusion and did not check it myself. Good. I tried to write data to the directory. The same, for the record in which, according to Windows, I did not have access. And I managed it. Devil's Windows. Again deceived me. But alright. Well this is awesome. New clue.

A colleague quickly threw a C bootloader on me that ran the load on Powershell. I ventured to check the bundle on my own computer, and everything seemed to work fine. It was a perverted attack. But that's all I had. I was going to:

  1. Run a listener on my hacker laptop
  2. Get physical access to a laptop in the office
  3. Go under the local administrator account
  4. Download your Malvarian link at Unquoted Service Path
  5. Go out
  6. Wait for user login and load start

A lunch break was coming. I answered with a smile at the invitation of colleagues to go for a snack and lingered a bit. At first, I planned to go back to the IT specialists and get to one of their computers while they were having lunch. But when I went to their office, I saw that they were all in place! Eat your lunch in front of the computers! Are they not aware how harmful it is ?! How does the lack of separation of work and rest and the lack of breaks lead to stress ?! Why don't they eat like normal people ?!

Yes, you went. I'm going to hack the computer. Any computer. I walked around the office and found an office where no one was. Financiers. Well, hack finance. I answered something to a sweet little old woman who had returned for her wallet. Gave her to understand that I am an IT specialist updating computers. She nodded and, smiling sweetly, left. Annoyed, with a face filled with hatred and gloating, I turned to one of her colleagues' computers and hacked it.

It took less than 30 seconds. I returned the chair and mouse to the state in which they were before my arrival. I glanced around once more, making sure everything looked normal. And he returned to his workplace. Sit, staring at your listener. At some point, the dinner ended. I didn’t even want to talk. Already starting to lose hope, I saw:
> Meterpreter session 1 opened
And then ...
> Meterpreter session 2 opened
> Meterpreter session 3 opened
> Meterpreter session 7 opened

Well your left! I ran GETUID and saw NT AUTHORITY \ SYSTEM. Iii-ha!

Good! Fine! So! Um ... Let's go! Yes! Being fixed in the system, I made a memory dump and began to dig through the file system. Some financial information. Some kind of passwords in the clear. Sensitive information, but nothing serious. But oh well. This is just the beginning. Bridgehead. And then ...
> Meterpreter session 1 closed

I'm trying to cling to sessions, but they are all closed. I ping the system is not responding. I scan port 445. Nothing. The system is unavailable. It. Already. Too. I get up and head straight to the finance department. What happened to my shells ?!

Turning around the corner, I see a nice old woman talking to the most hefty and fierce IT person. I quickly do “Oh, ё ...” and turn around when the old woman looks in my direction, points her finger directly at me and shouts: “This is it! He fumbled with our computers! ”I utter a heart-rending cry and throw myself away. Having turned my back to the fierce IT specialist, I run in the opposite direction and come across two safeguards. They look very unfriendly and make it clear that I wandered into the wrong area. I woke up in the blood, fastened to an ergonomic office chair with ties, with which they tightened the cables in the server room. The head of the DFIR stands in front of me, her knuckles are knocked down. Behind her is a small team of analysts from the intrusion detection team. I squeeze one word out of me ... I need to know ... "How ...

Okay ... I added a bit of drama at the end. But the story of how I stumbled upon an old woman who turned me in to an IT person is real. They detained me right there. They took my laptop and reported to me about the leadership. The director of information security came and confirmed my presence. And the way they figured me out is also real. They received a notification that Powershell was running on a system that did not belong to a small group of IT specialists and developers who started Powershell under normal conditions. Simple and reliable method for detecting anomalies.


Blue team

  • Least Privilege Model
  • Multifactor authentication
  • Simple rules for detecting anomalies
  • Deep protection

Red team

  • Keep trying
  • Do not assume
  • Ask for help
  • Lucky prepared
  • Adaptation and overcoming

Also popular now: