Failure Is Not the End - How to Provide Value to Your Customer Even When You Can't Own Their Network
So you’ve failed (to own the network). Its week 3 of 4 and you’ve exhausted everything in your toolkit and just can’t manage to go that last mile and gain those golden Domain Administrator Credentials. We know you’ve failed, you know you’ve failed, your peers know you’ve failed, but the customer doesn’t have to know. Here is how you can still wreak havoc and provide value to your customer in the event that you are a sad, miserable, failure (it’s ok, we’ve all been there).
Implement effects on the network without domain administrator credentials
Tactic – Pilfer Customer Data
Status of Forces: You’ve made moderate progress into the customer’s network and gained persistence inside the network with access to several user accounts which you’ve managed to dump and crack credentials for.
Initial Engagement: Read the scope document. You know, the thing the sales manager and team lead were supposed to get written up by the customer. In there, somewhere, is something about the customer’s critical data and infrastructure. In this example, it is going to be the Movie file storage server. It is the server the customer uses to store all of their CGI, pictures, and concept art of the film they have been developing for 7 years. You don’t need domain administrator credentials to steal that data, an ‘Effects animator’s credentials’ are good enough. Unfortunately for you, only the finance guy was dumb enough to fall for your phishing email but fortunately for you, they did not lock down the server based on departments. Pilfer away!
Adversary Counter Response: One of the best things an adversary can do is to correctly restrict access to data based on group permissions. However, this is tedious, requires constant upkeep, and pits the IT department against the users of the network. It is rarely done because of the inconvenience it presents to the users. Another way a customer can catch you pilfering their data is by monitoring their network boundary for data exfiltration. To get around this, you can limit the data you are pulling out or use encrypted tunnels to mask it. Feel free to see previous blogs on SSH tunneling and redirection. Many companies do this poorly as well, some taking weeks to realize that credit card information is being leaked, *cough* target *cough*.
Tactic – Default Passwords for Network Devices
Status of Forces: You’ve gained access to an unprivileged user account on the network and browsing around you’ve found a number of devices on the network with default credentials.
Initial Engagement: These devices didn’t seem to matter, they had default credentials but so what? They weren’t even part of the domain and that is the only thing that matters, right? Wrong, my sweet summer child. Winter is coming. Many security devices have default credentials and can be rendered useless in their settings. Bypassing a $100K security device is a surefire way to turn some heads in your final debrief. Recently, I found a retina scanner that had default credentials and in the settings, there was the ability to set the device to pass through incorrect authentication attempts. A valid setting allowed me to render a security device worthless to the customer. Always make sure to share your findings with your team in a central repository, they may look worthless to you but one of your peers could pick something like this up.
Adversary Counter Response: There is very little chance that this misconfiguration will be detected. Obviously the customer is not auditing the security settings of these devices otherwise they would have changed the passwords to them. In the case of enabling pass through of failed attempts, a normal user, who would normally be the one to identify a malfunctioning device to the helpdesk, would not notice anything is amiss with the device. This is an easy target that has a high impact to security but a lower barrier to entry. Do not underestimate finding devices like this on the network.
Tactic – ARP Denial of Service
Status of Forces: Your customer was so confident in the security of their network that they let you put a Kali VM on the internal network. This was discussed in the initial scoping the sales rep did with the company and struck the right balance of fully probing their internal and external networks at the same time. Their confidence was not misplaced and you weren’t able to do anything until…arp denial of service.
Initial Engagement: We are going to start off simple, arp spoofing our gateway and our target, but not turning on IP forwarding. This way, all traffic ends at our computer. Start off with the command ‘arpspoof -i eth0 -c both -t 192.168.1.1 -r 192.168.1.235’ where .1 is your gateway and .235 is the host you are attempting to DDOS. Once the tool starts running, go ahead and run a ‘tcpdump host 192.168.1.235’ just to make sure that you are in fact intercepting all of the target’s traffic.
Adversary Counter Response: Right about the time the buffering runs out on your targets youtube video they are going to ask a coworker if their internet is working. Maybe they walk around and see what’s happening. Eventually, they are going to work their way over to the helpdesk and put in a ticket. That ticket is going to be racked and stacked with all the other meaningless shit going on at the helpdesk and eventually it will get to a technician. Technician will take a look and probably won’t realize what’s happening. Depending on the importance of the person you are DOSing, the problem may or may not get resolved. Chances are, it will never make it to an incident response team because it is targeted at a single individual and technicians do not diagnose DOS attacks on a routine basis. Go for as long as it takes you to prove your point and document it in your findings. Note that your DOS attack was not thwarted, you only stopped out of your own good will.
In some cases, the host based anti-malware solution may alert network defenders by keeping its own arp records and detecting changes which will alert defenders to your presence. Do your research and watch out for these types of programs. However, this attack is still a golden DOS that is inherent in the protocol and still works on default windows systems and my home router. Security was not a thing people were concerned with when developing the address resolution protocol.
Tactic – Lock out Accounts
Status of Forces: You’ve exhausted all your resources and all you got was this lousy meterpreter session on a local administrator’s account.
Initial Tactical Engagement: Enumerate the domain password policy and look for the lockout tag using the command ‘net accounts /domain’. Next, find all user accounts on the domain using the following command ‘Net user /domain’. In powershell, create a variable called badcreds with the command ‘$badcreds = get-credentials’. Enter your best guess at the credentials for the account you want to lockout(your password should be wrong). Spam that however many times it takes to get a lockout with the command ‘invoke-command -credential $badcreds -computername <any computer on the network> -scriptblock . Put it on a loop if you hate your customer and wait for the ensuing chaos as the CEO fires his CIO because he can’t log in to his account.
Adversary Counter Response: In order to detect this your adversary is going to need to have a few things enabled. Account logins are going to need to be monitored and enabled across the network with a GPO. Then they are going to have to correlate that information and isolate the computer you are sending the requests from. But, instead of hunting you with that method, they will probably just disable account lockouts across the network and scramble to find a competent threat hunting team.
Just because you’ve failed to own the network doesn’t mean you can’t create havoc (training opportunities) for your customer. This is valuable training that can be used to train your customer’s incident responders to a malicious attacker that seeks to destroy out of malice instead of profit off of a company’s poor security. Always remember to document your attacks as you progress through the network because there is little chance you will be detected until the damage is done. There is very little experience in defending against these types of malicious attacks because incident responders and threat hunters usually aren’t involved until the damage is done. Providing this type of training to your customer will make you a valuable recurring expense they will love/hate to bring back year after year.