Where do I start with this open-ended statement? I guess from a pen testing perspective, quite a lot. Internal pen test results tend to open up a can of worms fora company. There you are, managing your network, covering all the bases:
- AV updated daily - tick
- OS updates regurly -tick
- Password policy in place -tick
- Software patch management - tick
- User groups and network segregation - tick
- (by the way the list should go on for sometime yet!)
Anyway, you get the idea. So, time for the internal pen test.
A friendly (or not-so-friendly) chap comes on site, sits down and within the first day manages to chuck all that good practice stuff they teach you in courses and certifications in the rubbish dump...he got domain admin!
Don't get me wrong, all the good practice stuff is necessary for maintaining a secure network. An internal pen test should be the final thing performed to confirm you have done all that good practice stuff well. Getting pawned on day 1 of the test should ring alarm bells that your processes aren't quite up to scratch, you would hope!
Take for example a recent gig I did, through a number of attack vectors I got access onto the domain in 10 minutes. How? Null sessions are unfortunately still out there. Usually classed as a low/info rating, it is often the first steps used in the attack. Connecting to the null session normally gets you a list of domain users. Having a list of domain users, then opens the possibility of a password attack. Ensuring not to break the password policy (also discovered via the null session), we can then look for stupid, weak passwords on the accounts retrieved. There, 10 mins work, access onto the domain (you did check your legacy accounts didn't you, the ones not used, that they are disabled?)
So what to do once you are on the domain? That depends. Remember, this is only the first day! We've not even started checking all the other services on the network like your databases, network devices, applications, operating systems etc.. etc..
What I normally do is check what access the user account(s) creds you retrieved, have access to (you would hope a Domain Admin doesn't have a weak password...it has been known!). Another step would involve what I call "Hunting for Gold"....essentially its just a way of checking the network shares available and trawling through what goodness there is. This is where all that good security practice can be thwarted.
It goes along the typical assumptions of the following:
- anyone who has access on the internal network and has a domain account is good
- we pay them a salary to do a good job and they follow our policies
- we use best practice to secure our network
- we trust our employees
- our network is secure...
As a result of some or all of the above, many company's implicitly trust their internal networks and store confidential stuff (for want of a better word ...'data' maybe?) on network shares for people on the domain to access. Not only do they store stuff, they log stuff, they write about stuff, they create temp directories and stick stuff there to check out things....but it doesn't get audited or cleaned, or 'secured'. It is difficult to determine what group can access what share, and what data and keep on top of it. Who has time to manage all this 'stuff' !
In my view sticking confidential data on a network is like putting a post-it note on a wall and letting anyone read it as they walk past. If folks took this analogy to secure the data on the network, my job would be a lot harder!
The simple script below hunts for this gold to some degree. It wont find the data for you, it will just enumerate all the network shares from a list of hosts, and recursively dump the filenames and directories into a file for each host. What you do with that data is up to you. Simple greps are called for given the amount of data that can be retrieved.
My advice when running it is stick it all in a directory (change MYDIR in the script to whatever suites you), and do your grepping from there. Some recent examples on a gig I did:
grep -i password *
10.1.1.11.users.share.txt:Admin_passwords.doc
10.2.1.91.users.share.txt:SAGE passwords.xls
10.2.1.91.users.share.txt:passwords.doc
grep -i credit *
192.4.1.121.users.share.txt:credits.txt
10.2.1.11.users.share.txt:creditcard.xls
10.2.1.11.users.share.txt:credit card analysis
grep -i cisco *
10.4.1.1.IT.share.txt:Cisco 3750 switch -1-3.txt
10.4.1.1.IT.share.txt:Cisco Router & Switches config backups.zip
So, from the above, I got admin passwords stored in a document on a network share, log files and spreadsheets used by someone in finance with credit card numbers in, and all their Cisco infrastructure configurations stored in a share, all on the network. So Domain Admin in less than a day.
Going back to my analogy, would you want this sort of stuff to be put on a post-it note, in your canteen notice board?
I'd advise treating networks with some respect, think about what is stored on there. Does it really need to be there? If it's confidential in nature, encrypt it and try to limit the access to shares on the network to only those that require it. The more shares you have the harder this will become! Remember my analogy and all will be well!
Anyway, here's my simply and ugly bash script that serves a purpose:
#!/bin/sh# Script to enumerate all network shares and their contents.# Need domain credentials.#ARGS=4USER="$1"PASS="$2"DOM="$3"FILE="$4"# Edit the location where you want all files saved belowMYDIR=/home######################################if [ $# -ne "$ARGS" ]; thenprintf "Usage: `basename $0` \n"echo "Retrieves the available network SMB shares from a list of hosts in a file."echo "It mounts the share, recursively lists the contents to a file, and then"echo "unmounts the share once its finished."exit 0fi############################################################## Check that we can login with credential first using medusa#for host in `cat $FILE`domedusa -u $USER -p $PASS -h $host -M smbnt -m GROUP_OTHER:$DOM >> $MYDIR/med1.tmpdonecat $MYDIR/med1.tmp|grep -i success|cut -d' ' -f5 >>$MYDIR/med2.tmprm $MYDIR/med1.tmp############################################################### Get a list of shares from each host#for host in `cat $MYDIR/med2.tmp`;do echo "HOST: $host" echo "=================="
rpcclient --command='netshareenumall' -d 1 -U $USER\%$PASS -W $DOM -I $host $host>$MYDIR/med3.tmp if [[ -s $MYDIR/med3.tmp ]] ; then cat /$MYDIR/med3.tmp|grep netname|cut -d' ' -f2 >/$MYDIR/med4.tmp# Mount each of the shares for share in $(cat $MYDIR/med4.tmp); do mount -t cifs -o username=$USER%$PASS,domain=$DOM \\\\$host\\$share /mnt if [ $? -eq 0 ]; then cd /mnt echo "Mounting $share to /mnt and writing to $MYDIR/$host.$share.share.txt" ls -R >$MYDIR/$host.$share.share.txt cd $MYDIR umount /mnt echo "Unmounting /mnt" else echo "Couldnt mount share $share" echo "" fi done else echo "No Open Shares" echo "" fidoneecho "Finished...go search your files!"rm $MYDIR/med2.tmprm $MYDIR/med3.tmprm $MYDIR/med4.tmp
