Objective

In this article, we would be assuming the role of the ethical hacker who has zero knowledge about the target network. The objective would be to breach the target network, own the entire domain and compromise critical assets of the target network. So let’s get started.

Limitations

Before beginning the assessment, it was clear that we would have zero information about the target network and would only be given physical access to the guest area of the target network.

Attack Narrative

We begin the process by assessing possible network connections that were available to us. There were no hard-wired ports available for us to connect, so we shifted our attention to the wireless connections. To perform the wireless network reconnaissance, we will use the aircrack-ng suite of tools available in Kali Linux Distro and the Alfa Wireless card USB adapter. We set up the environment and view the wireless connections that are available.

The wireless enumeration reveals a hidden SSID “Corporate WLAN” which is accessible from the guest area. Moreover, this SSID is using the WPA2-PSK authentication mechanism which could be brute-forced, and this could give us access to the Corporate Network. We went ahead and captured the handshake of the “Corporate WLAN” SSID successfully.

Then we managed to crack the handshake and got the password for the “Corporate WLAN” SSID.

Now we have access to the Internal Corporate Network of the Target; we proceed further to enumerate the network and find ways to get a foothold into this network. In the attempt to identify potential attack surface, we examine the IP Address, Domain and Mail Servers of the target network. Since DHCP was running we already had an IP Address. A simple “nslookup” command revealed the name-server of the target domain which was helpful for further enumeration.

We then started to perform basic network-discovery scanning and enumeration on the identified name server’s network range. (ie ..40.1-254) .For this, we will use the netscan tool. The netscan is a very helpful tool to perform network reconnaissance. It has a very simple interface, checks for common open ports, supports credentialed login and give the results in very user-friendly format.

We were able to see multiple target systems within this network-range. These systems consist of Web Servers, Databases, and Application Servers, etc. Most of these systems also had the RDP Port 3389 open which would be very helpful to remote into the systems should we manage to break any of them. At the same time, it was also important to note IP Addresses of any potential high-value targets which could be useful in our post-exploitation phase.

Vulnerability assessment

Now with so many targets in hand, it was important that we carefully analyze the weaker targets and attack them. At this stage, we start the vulnerability assessment on these systems to evaluate potential vulnerabilities which are exploited. We perform the vulnerability assessment using well-known tools like Nessus and Open Vas. During the vulnerability assessment, we also noticed that many of these systems were running outdated third party software’s and operating systems which could become easy victims of targeted attacks. The process could be time-consuming since many of the vulnerabilities that automated scanners give out are false positives. Hence, it is imperative that we carefully evaluate the vulnerabilities to break into the system.

The Vulnerability assessment will reveal a lot of potential vulnerabilities, one of them being the MS09-050 Vulnerability. We will go ahead and try to exploit this vulnerability.

Exploitation

We will be using the well-known Windows exploit (MS09-050 Vulnerabilities in SMBv2 could allow remote code execution) available at https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/14674.zip link. This machine was apparently running a legacy application and hence was left unpatched in the environment. After multiple attempts, we managed to exploit the vulnerability successfully and luckily got a command shell with Local Administrator privileges.

To ensure that we have persistent access to the exploited system, we create a backdoor user and add him to the Local Administrator’s Group.

We can now log in to the exploited system with our backdoor user and further enumerate this system

Post-exploitation

Now that we have broken into a domain system and added a backdoor user, let’s do post-exploitation on this system. Our aim will be to get the local administrator password of this system and then check if we can login to other domain systems with these credentials. Mimikatz is a well-known tool which can dump out clear-text passwords through LSASS. However, the target system is running an Anti-virus, which blocks Mimikatz. Moreover, the Anti-virus is password protected which means we cannot disable it or whitelist mimikatz. So we decide to use the Meterpreter shell to dump out the password hashes. To get a Meterpreter shell, we will create a malicious Meterpreter payload and set up the handler on our attacking system. We now host this malicious Meterpreter payload on our attacking system’s webserver and call the file via the browser of the exploited system.

Now we have the Meterpreter shell on the exploited system. We can then proceed to dump out the hashes.

After dumping out the administrator hash, we managed to crack this hash successfully

Escalating our privileges

Now we have the Local Administrator Credentials of a Domain system. Our next step will be to see if we have access to numerous other systems with these credentials. Again we use the netscan tool to look up logged-on users with the Local Administrator Credentials.

As we can see, there are numerous other systems in the domain which are using the same username and password. This effectively means that we have succeeded in compromising multiple systems in the domain. We then login to these systems with the Local Administrator credentials and dump out the clear-text passwords from these systems using the Mimikatz tool. The Local Administrator password was useful to unlock the Antivirus and disable it for the time-being. The Screenshot below shows the output of the Mimikatz command. In this way, we managed to collect multiple domain user credentials from these affected systems.

Escalation to domain administrator

Our final step is to escalate the privileges of our backdoor user to become the Domain Administrator and own the entire the domain. In the previous step, we had managed to dump out numerous domain user credentials from different systems. One of these credentials turned out to be the Domain Administrator. We the logged-in to the domain controller system using this credential and proceeded to add our backdoor user to the Domain and then escalate his privileges making him the Domain Administrator.

We can confirm that our backdoor user is the Domain Administrator by logging to the Active Directory and viewing his access rights.

Accessing high-value targets

Now that we have become the Domain Administrator, we proceed to access high-value targets of the network to expose the gravity of the attack. From the information gathering phase, we identified the mail servers of the target network. MS-Exchange 2013 was used to manage the mail-servers. This means that the Exchange admin center was accessible from the following link: http://webmailip/ecp We log in to the Exchange Admin Center using the Domain Administrator credentials. We can now add ourselves as a delegate to any of the user mailboxes and get complete access to their mailbox. This means that we can access emails of all Top-Level Executives of the Target Network.

Conclusion

In this article we have looked at a complete penetration test cycle wherein we start with zero knowledge about the organization than we managed to breach the corporate network, proceeded to compromise the domain system; got the administrator hash and after cracking the hash we were able to get compromise multiple systems and finally the domain controller. To maintain access, we also created a backdoor user and made him the Domain Administrator. Also to prove the seriousness of the attack we took complete control of the user mailboxes. A Black box Penetration assessment reveals the actual security posture of the entire organization. It helps the organization to understand how an attack could occur and how badly affected the business would be if it were a successful attack. Hence, it is absolutely imperative that Organizations carry out such assessments at regular intervals. This kind of assessment also helps the organization to prioritize the top action items which pose an immediate threat followed by the medium and lower action items. From a pentester’s perspective, a black box penetration assessment is one of the most challenging and fulfilling exercises. It not only tests your knowledge but also your ability to think creatively in difficult situations.