CVE-2024-3400: PAN-OS Command Injection Vulnerability in GlobalProtect Gateway. Learn More

CVE-2024-3400: PAN-OS Command Injection Vulnerability in GlobalProtect Gateway. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

The Problem With Networks .....

Where do I start with this open-ended statement? I guess from a pen testing perspective, quite a lot. Internal pen test results tend to open up a can of worms fora company. There you are, managing your network, covering all the bases:

  • AV updated daily - tick
  • OS updates regurly -tick
  • Password policy in place -tick
  • Software patch management - tick
  • User groups and network segregation - tick
  • (by the way the list should go on for sometime yet!)

Anyway, you get the idea. So, time for the internal pen test.

A friendly (or not-so-friendly) chap comes on site, sits down and within the first day manages to chuck all that good practice stuff they teach you in courses and certifications in the rubbish dump...he got domain admin!

Don't get me wrong, all the good practice stuff is necessary for maintaining a secure network. An internal pen test should be the final thing performed to confirm you have done all that good practice stuff well. Getting pawned on day 1 of the test should ring alarm bells that your processes aren't quite up to scratch, you would hope!

Take for example a recent gig I did, through a number of attack vectors I got access onto the domain in 10 minutes. How? Null sessions are unfortunately still out there. Usually classed as a low/info rating, it is often the first steps used in the attack. Connecting to the null session normally gets you a list of domain users. Having a list of domain users, then opens the possibility of a password attack. Ensuring not to break the password policy (also discovered via the null session), we can then look for stupid, weak passwords on the accounts retrieved. There, 10 mins work, access onto the domain (you did check your legacy accounts didn't you, the ones not used, that they are disabled?)

So what to do once you are on the domain? That depends. Remember, this is only the first day! We've not even started checking all the other services on the network like your databases, network devices, applications, operating systems etc.. etc..

What I normally do is check what access the user account(s) creds you retrieved, have access to (you would hope a Domain Admin doesn't have a weak password...it has been known!). Another step would involve what I call "Hunting for Gold"....essentially its just a way of checking the network shares available and trawling through what goodness there is. This is where all that good security practice can be thwarted.

It goes along the typical assumptions of the following:

  • anyone who has access on the internal network and has a domain account is good
  • we pay them a salary to do a good job and they follow our policies
  • we use best practice to secure our network
  • we trust our employees
  • our network is secure...

As a result of some or all of the above, many company's implicitly trust their internal networks and store confidential stuff (for want of a better word ...'data' maybe?) on network shares for people on the domain to access. Not only do they store stuff, they log stuff, they write about stuff, they create temp directories and stick stuff there to check out things....but it doesn't get audited or cleaned, or 'secured'. It is difficult to determine what group can access what share, and what data and keep on top of it. Who has time to manage all this 'stuff' !

In my view sticking confidential data on a network is like putting a post-it note on a wall and letting anyone read it as they walk past. If folks took this analogy to secure the data on the network, my job would be a lot harder!

The simple script below hunts for this gold to some degree. It wont find the data for you, it will just enumerate all the network shares from a list of hosts, and recursively dump the filenames and directories into a file for each host. What you do with that data is up to you. Simple greps are called for given the amount of data that can be retrieved.

My advice when running it is stick it all in a directory (change MYDIR in the script to whatever suites you), and do your grepping from there. Some recent examples on a gig I did:

grep -i password *

10.1.1.11.users.share.txt:Admin_passwords.doc

10.2.1.91.users.share.txt:SAGE passwords.xls

10.2.1.91.users.share.txt:passwords.doc

grep -i credit *

192.4.1.121.users.share.txt:credits.txt

10.2.1.11.users.share.txt:creditcard.xls

10.2.1.11.users.share.txt:credit card analysis

grep -i cisco *

10.4.1.1.IT.share.txt:Cisco 3750 switch -1-3.txt

10.4.1.1.IT.share.txt:Cisco Router & Switches config backups.zip

So, from the above, I got admin passwords stored in a document on a network share, log files and spreadsheets used by someone in finance with credit card numbers in, and all their Cisco infrastructure configurations stored in a share, all on the network. So Domain Admin in less than a day.

Going back to my analogy, would you want this sort of stuff to be put on a post-it note, in your canteen notice board?

I'd advise treating networks with some respect, think about what is stored on there. Does it really need to be there? If it's confidential in nature, encrypt it and try to limit the access to shares on the network to only those that require it. The more shares you have the harder this will become! Remember my analogy and all will be well!

Anyway, here's my simply and ugly bash script that serves a purpose:

 

#!/bin/sh# Script to enumerate all network shares and their contents.# Need domain credentials.#ARGS=4USER="$1"PASS="$2"DOM="$3"FILE="$4"# Edit the location where you want all files saved belowMYDIR=/home######################################if [ $# -ne "$ARGS" ]; thenprintf "Usage: `basename $0`    \n"echo "Retrieves the available network SMB shares from a list of hosts in a file."echo "It mounts the share, recursively lists the contents to a file, and then"echo "unmounts the share once its finished."exit 0fi############################################################## Check that we can login with credential first using medusa#for host in `cat $FILE`domedusa -u $USER -p $PASS -h $host -M smbnt -m GROUP_OTHER:$DOM >> $MYDIR/med1.tmpdonecat $MYDIR/med1.tmp|grep -i success|cut -d' ' -f5 >>$MYDIR/med2.tmprm $MYDIR/med1.tmp############################################################### Get a list of shares from each host#for host in `cat $MYDIR/med2.tmp`;do echo "HOST: $host" echo "=================="
rpcclient --command='netshareenumall' -d 1 -U $USER\%$PASS -W $DOM -I $host $host>$MYDIR/med3.tmp if [[ -s $MYDIR/med3.tmp ]] ; then cat /$MYDIR/med3.tmp|grep netname|cut -d' ' -f2 >/$MYDIR/med4.tmp# Mount each of the shares for share in $(cat $MYDIR/med4.tmp); do mount -t cifs -o username=$USER%$PASS,domain=$DOM \\\\$host\\$share /mnt if [ $? -eq 0 ]; then cd /mnt echo "Mounting $share to /mnt and writing to $MYDIR/$host.$share.share.txt" ls -R >$MYDIR/$host.$share.share.txt cd $MYDIR umount /mnt echo "Unmounting /mnt" else echo "Couldnt mount share $share" echo "" fi done else echo "No Open Shares" echo "" fidoneecho "Finished...go search your files!"rm $MYDIR/med2.tmprm $MYDIR/med3.tmprm $MYDIR/med4.tmp

Latest SpiderLabs Blogs

The Secret Cipher: Modern Data Loss Prevention Solutions

This is Part 7 in my ongoing project to cover 30 cybersecurity topics in 30 weekly blog posts. The full series can be found here. Far too many organizations place Data Loss Prevention (DLP) and Data...

Read More

CVE-2024-3400: PAN-OS Command Injection Vulnerability in GlobalProtect Gateway

Overview A command injection vulnerability has been discovered in the GlobalProtect feature within Palo Alto Networks PAN-OS software for specific versions that have distinct feature configurations...

Read More

CNAPP, CSPM, CIEM, CWPP – Oh My!

We all know the cybersecurity industry loves its acronyms, but just because this fact is widely known doesn’t mean everyone knows the story behind the alphabet soup groups of letters, we must deal...

Read More