The Problem With Networks .....

Where do I start with this open-ended statement? I guess from a pen testingperspective, quite a lot. Internal pen test results tend to open up a can of worms fora company. There you are, managing your network, covering all the bases:

  • AV updated daily - tick
  • OS updates regurly -tick
  • Password policy in place -tick
  • Software patch management - tick
  • User groups and network segregation - tick
  • (by the way the list should go on for sometime yet!)

Anyway, you get the idea. So, time for the internal pen test.

A friendly (or not-so-friendly) chap comeson site, sits down and within the first day manages to chuck all that goodpractice stuff they teach you in courses and certifications in therubbish dump...he got domain admin!

Don't get me wrong, all the good practice stuff is necessary formaintaining a secure network. An internal pen test should be the final thingperformed to confirm you have done all that good practice stuff well. Gettingpwned on day 1 of the test should ring alarm bells that your processes arn't quite up to scratch, you would hope!

Take for example a recent gig I did, through a number of attack vectors Igot access onto the domain in 10 minutes. How? Null sessions are unfortunatleystill out there. Usually classed as a low/info rating, it is often the firststeps used in the attack. Connecting to the null session normally gets you a list of domain users. Having a list of domain users, then opens the possibility of apassword attack. Ensuring not to break the password policy (also discovered viathe null session), we can then look for stupid, weak passwords on the accountsretrieved. There, 10 mins work, access onto the domain (you did check yourlegacy accounts didn't you, the ones not used, that they are disabled?)

So what to do once you are on the domain? That depends. Remember, this isonly the first day! We've not even started checking all the other services onthe network like your databases, network devices, applications, operatingsystems etc.. etc..

What I normally do is check what access the user account(s) creds you retrieved, have access to (you would hope a Domain Admin doesnt have a weak password...it has beenknown!). Another step would involve what I call "Hunting forGold"....essentially its just a way of checking the network sharesavailable and trawling through what goodness there is. This is whereall that good security practice can be thwarted.

It goes along the typical assumptions of the following:

  • anyone who has access on theinternal network and has a domain account is good
  • we pay them a salary to doa good job and they follow our policies
  • we use best practice to secure our network
  • we trust ouremployees
  • our network is secure...

As a result of some or all of the above, many companys implicitly trust their internal networks and store confidential stuff (for want of a better word ...'data' maybe?) onnetwork shares for people on the domain to access. Not only do they storestuff, they log stuff, they write about stuff, they create temp directories andstick stuff there to check out things....but it doesnt get audited or cleaned, or 'secured'. It is difficult to determine what group can access what share, and what data and keep on top of it. Who has time to manage all this 'stuff' !

In my view sticking confidential data on a network is like putting a post-it note on awall and letting anyone read it as they walk past. If folks took this analogyto secure the data on the network, my job would be a lot harder!

The simple script below hunts for this gold to some degree. It wont find the data foryou, it will just enumerate all the network shares from a list of hosts, andrecursively dump the filenames and directories into a file for each host. Whatyou do with that data is up to you. Simple greps are called for given theamount of data that can be retrieved.

My advice when running it is stick it all in a directory (change MYDIR in the script to whatever suitesyou), and do your grepping from there. Some recent examples on a gig I did:

grep -i password *

10.1.1.11.users.share.txt:Admin_passwords.doc

10.2.1.91.users.share.txt:SAGE passwords.xls

10.2.1.91.users.share.txt:passwords.doc

grep -i credit *

192.4.1.121.users.share.txt:credits.txt

10.2.1.11.users.share.txt:creditcard.xls

10.2.1.11.users.share.txt:credit card analysis

grep -i cisco *

10.4.1.1.IT.share.txt:Cisco 3750 switch -1-3.txt

10.4.1.1.IT.share.txt:Cisco Router & Switches config backups.zip

So, from the above, I got admin passwords stored in a document on a networkshare, log files and spreadsheets used by someone in finance with credit cardnumbers in, and all their Cisco infrastructure configurations stored in ashare, all on the network. So Domain Admin in less than a day.

Going back to my analogy, would you want this sort of stuff to be put on apost-it note, in your canteen notice board?

I'd advise treating networks with some respect, think about what is stored on there. Doesit really need to be there? If it's confidential in nature, encrypt it and try to limit the access to shares on the network to only those that require it. The more shares you have the harder this will become!Remember my analogy and all will be well!

Anyway, here's my simply and ugly bash script that serves a purpose:

#!/bin/sh# Script to enumerate all network shares and their contents.# Need domain credentials.#ARGS=4USER="$1"PASS="$2"DOM="$3"FILE="$4"# Edit the location where you want all files saved belowMYDIR=/home######################################if [ $# -ne "$ARGS" ]; thenprintf "Usage: `basename $0`    \n"echo "Retrieves the available network SMB shares from a list of hosts in a file."echo "It mounts the share, recursively lists the contents to a file, and then"echo "unmounts the share once its finished."exit 0fi############################################################## Check that we can login with credential first using medusa#for host in `cat $FILE`domedusa -u $USER -p $PASS -h $host -M smbnt -m GROUP_OTHER:$DOM >> $MYDIR/med1.tmpdonecat $MYDIR/med1.tmp|grep -i success|cut -d' ' -f5 >>$MYDIR/med2.tmprm $MYDIR/med1.tmp############################################################### Get a list of shares from each host#for host in `cat $MYDIR/med2.tmp`;do echo "HOST: $host" echo "=================="
rpcclient --command='netshareenumall' -d 1 -U $USER\%$PASS -W $DOM -I $host $host>$MYDIR/med3.tmp if [[ -s $MYDIR/med3.tmp ]] ; then cat /$MYDIR/med3.tmp|grep netname|cut -d' ' -f2 >/$MYDIR/med4.tmp# Mount each of the shares for share in $(cat $MYDIR/med4.tmp); do mount -t cifs -o username=$USER%$PASS,domain=$DOM \\\\$host\\$share /mnt if [ $? -eq 0 ]; then cd /mnt echo "Mounting $share to /mnt and writing to $MYDIR/$host.$share.share.txt" ls -R >$MYDIR/$host.$share.share.txt cd $MYDIR umount /mnt echo "Unmounting /mnt" else echo "Couldnt mount share $share" echo "" fi done else echo "No Open Shares" echo "" fidoneecho "Finished...go search your files!"rm $MYDIR/med2.tmprm $MYDIR/med3.tmprm $MYDIR/med4.tmp

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.