So, you just bought that fancy new box with the blinky lights that's supposed to somehow keep you safe from the bad guys. While it is true that some of these machines run on unicorn blood and fairy dust, they still don't keep you safe from stupidity, or even worse – laziness.
Below are true stories of how I went from basic network access to domain admin without exploits, effort, or a care in the world. Each one of these scenarios took place in fairly large organizations that felt my PenTest attempts would be futile due to their "enhanced security" (I always giggle when people say that).
PTJ pwns the Pretty Pony Palace
In this situation I had scanned a subnet to see what kind of services were listening. I found several FTP servers. One of them allowed anonymous read access, so I decided to connect to it to see if it had any files. It did, one juicy, delicious text file:
You see that? "asdf.txt"? That innocent and unassuming-looking file contained some plaintext storage of passwords. Oh, and that "d_t_a" account? That was the "Domain Test Account" used for testing various applications and environment changes – it was a domain administrator. It was pretty much game over at that point; I logged into the DC, dumped hashes, and proceeded to look for CHD.
Who on earth would think putting plaintext passwords in an anonymous FTP share would be a good idea? Scumbag Sysadmin did.
Scumbag Sysadmin: "I'm sick of remembering these retarded passwords, they're test accounts for god's sake! I'll just put them in a text file real quick on an FTP server while I work on this project. It's no biggie, I'll take it all down once I finish"
Scumbag Sysadmin: *NEVER TAKES IT DOWN*
PTJ pwns the Prissy Panda Park
In this situation, while looking through my NMAP output I noticed a host had (among other ports) VNC open. So I decided I'd connect to it and see if anything useful showed up. My internal thought process went something like this:
- Oh lookey at that, there is no password for VNC, how welcoming of them.
- A Red Hat machine? Interesting, let's take a look around, let's start with bash_history.
- Yeah, yeah, yeah, bunch of editing files, and a bunch of…wait, is that…yes it is!
- Looks like someone connected to a MySQL box and typed the password as an argument for the command!
- I wonder if those credentials work on that one MS-SQL box...
- Oh you, you are just too kind to me.
- My magic pentest 8-ball predicts "xp_cmdshell is in your future"
The magic PenTest 8-ball was correct, as it always is. Once I got access to the MSSQL box, I impersonated a domain admin's token and continued the fun. Moral of the story here? Put strong authentication on points of access, and avoid typing your password as an argument.
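As an added defender-side check (not from the original post), here is a small Python audit that scans a shell history for secrets passed as command-line arguments, the exact habit the Panda Park story turned on. The tool list and the sample history are constructed for this example; extend the patterns with whatever clients are common in your environment.

```python
import re
from typing import Dict, List

# Clients that accept a secret on the command line. Each regex captures the
# secret itself so the report can redact it. Constructed list for this example.
# Note: "mysql -p" with a space prompts interactively and is NOT a leak,
# only "-pSecret" or "--password=Secret" is, so the mysql pattern requires the
# value to follow the flag immediately.
CLI_SECRET_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "mysql":   re.compile(r"\bmysql\b.*?\s(?:-p|--password=)(?P<secret>[^\s]+)"),
    "sqlcmd":  re.compile(r"\bsqlcmd\b.*?\s-P\s*(?P<secret>[^\s]+)"),
    "sshpass": re.compile(r"\bsshpass\b.*?\s-p\s*(?P<secret>[^\s]+)"),
    "curl":    re.compile(r"\bcurl\b.*?\s(?:-u|--user)\s*[^\s:]+:(?P<secret>[^\s]+)"),
}

def find_cli_credentials(history_text: str) -> List[Dict[str, object]]:
    """Return one finding per history line that passes a secret as an argument.

    The secret is replaced by <REDACTED> in the returned command so the audit
    report does not itself become another asdf.txt.
    """
    findings: List[Dict[str, object]] = []
    for line_no, line in enumerate(history_text.splitlines(), start=1):
        for tool, pattern in CLI_SECRET_PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            start, end = match.span("secret")
            redacted = line[:start] + "<REDACTED>" + line[end:]
            findings.append({"line": line_no, "tool": tool, "command": redacted})
            break  # one finding per line is enough for the report
    return findings

def audit_history_file(path: str) -> List[Dict[str, object]]:
    """Audit a real history file, e.g. ~/.bash_history on the hosts you own."""
    with open(path, "r", errors="replace") as fh:
        return find_cli_credentials(fh.read())

# Constructed sample history: lines 3 and 6 leak, line 4 (interactive prompt) does not.
SAMPLE_HISTORY = """\
cd /var/www
vim httpd.conf
mysql -h db01.example.internal -u appuser -pS3cretPass appdb
mysql -h db01.example.internal -u appuser -p appdb
ls -la
sshpass -p hunter2 ssh admin@fileserver.example.internal
"""

if __name__ == "__main__":
    for finding in find_cli_credentials(SAMPLE_HISTORY):
        print(f"line {finding['line']:>4}  {finding['tool']:<8} {finding['command']}")
```

Keeping the command out of history (bash's HISTIGNORE, for instance) is not a fix on its own: the password still travels through the process list, so the real remedy is an interactive prompt or a credential file the client reads with restrictive permissions.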
The important thing to remember here is that these are not made-up scenarios; these ACTUALLY HAPPENED*. These organizations were not some small shops with no IT guy; these were massive, you've-definitely-heard-of-them shops. So, before you decide to scoff and say "oh, that could never happen to me, those are special cases" – they really aren't. Things like this happen way more than they should.
Here are some lessons to take away:
- Never assume you can't be hacked or that you are safe from a particular attack. Never assume anything; you must test, verify, and test again.
- If your bosses have a stigma about the idea of "hacking the company for defense", then don't call it hacking. Call it something like "Enhanced Active Defense" or something that sounds like a marketing team came up with it.
- An attack vector is an attack vector, whether or not it's a flashy new 0-day.
*Pandas were maintained at a safe location for the duration of the testing.