Ultimate Pen Test
Compromising a highly secure environment




                              Nikhil Mittal
                              @nikhil_mitt

                                              1
What this paper is about
•   Pen Testing a highly secure environment.
•   Methods used (Different phases of the test).
•   Bad Practices faced.
•   This is a real world scenario.




                                                   2
The Environment
• Network IPS and Firewall at DMZ
• Internal NIPS
• HIPS, HIDS and AV as end point security.
• Complete segregation by Internal firewalls.
• Servers and Desktops patched and hardened.
• Limited internet access to nearly fifty websites
  (related to vendors).
• Dedicated Security Operations Team

                                                 3
Recon Phase 1
• Info about products and vendors (mostly
  banner grabbing).
• Listing of possible targets (machines and
  humans).
• Starting place was browsing the target portal
  and looking for help contact, admin contacts.



                                                  4
Listing of possible targets
• Help Please!
• A small bug in the target’s application was
  discovered and help was asked regarding it.
• Direct involvement of someone from Technical
  Support and with Authority was asked for.
• The idea was to get someone who has access to
  things, like the internet.


                                             5
A mail used in the attack




                            6
What was the result
• A nice list of the hierarchy (based on emails) was
  prepared.
• In total thirteen such mail IDs were gathered,
  including two group mail IDs.




                                                   7
Attack Phase 1
• Forged mails were sent pretending to be
   employees from vendors.
• Domain names similar to those of vendors and
   the target itself were used.
  (e.g. ibmindia.selfip.biz, microsoft.dnss.com)
• On some of the websites a BeEF hook was used.
• The above helped in bypassing the white list.
• Multiple methods were used.
                                                   8
White list Internet
• Websites history listed by BeEF.
• SET was used to send emails.
• Simple Social Engineering emails in the name
   of vendors gave two useful things:
   1. Vendor websites are allowed.
   2. Some meterpreter sessions already
      popped up.


                                               9
Distracting the Security Team
• Distracting the team was required so that any activity
  detected internally might be ignored.
• A tool available in BackTrack makes so much noise
  that it can deafen even the best SIEM devices.
• ADMdnsfuckr is the tool.
• Capable of generating nearly 1.5 lakh (150,000) fake DNS
  requests from a 4Mbps line in an hour.
• Within 15 minutes the attacking IP was blocked.
• The team's attention then had to be on the DMZ, but
  insider access was already there.

                                                           16
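The slide above shows the defender's problem from the other side: a flood of junk DNS queries from one source buries the few events that matter, and the IP block applied after 15 minutes did nothing about the access that already existed inside. The following Python is an added example, not code from the talk or from any tool it names. It reads a constructed resolver log (the format and all hosts other than the two lookalike names quoted on slide 8 are assumptions), measures each client's peak query rate in a sliding window, collapses any flooding client into a single aggregated alert, and keeps every query from the quiet clients visible so that they are still reviewed while the flood is handled.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed resolver log, not captured from the engagement. Format per line:
    '<ISO timestamp> <client ip> <query name>'. One client sends 1,200 queries for
    throw-away names inside a single minute; two other clients send three queries in total."""
    base = datetime(2012, 1, 1, 10, 0, 0)
    lines = []
    for i in range(1200):
        t = base + timedelta(milliseconds=50 * i)   # 1,200 queries spread over 60 s
        lines.append(f"{t.isoformat()} 10.0.0.5 q{i:05d}.example.net")
    lines.append(f"{(base + timedelta(seconds=12)).isoformat()} 10.0.0.23 www.ibm.com")
    lines.append(f"{(base + timedelta(seconds=40)).isoformat()} 10.0.0.23 ibmindia.selfip.biz")
    lines.append(f"{(base + timedelta(seconds=55)).isoformat()} 10.0.0.31 microsoft.dnss.com")
    return lines


def parse_line(line):
    """Split one log line into (timestamp, client, normalised query name)."""
    ts, client, qname = line.split(maxsplit=2)
    return datetime.fromisoformat(ts), client, qname.lower().rstrip(".")


def peak_rate(times, window):
    """Largest number of events falling inside any sliding window of length `window`
    (two-pointer sweep over the sorted timestamps)."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def triage(lines, window=timedelta(seconds=60), threshold=500):
    """Split the log into (flooders, remaining).
    flooders : {client: peak queries per window} for clients above the threshold; each is
               raised as ONE aggregated alert rather than one alert per query.
    remaining: (client, qname) pairs from every other client, kept in full so that
               low-volume events are not drowned out by the noisy source."""
    per_client = defaultdict(list)
    events = []
    for line in lines:
        t, client, qname = parse_line(line)
        per_client[client].append(t)
        events.append((client, qname))
    flooders = {}
    for client, times in per_client.items():
        rate = peak_rate(times, window)
        if rate > threshold:
            flooders[client] = rate
    remaining = [(c, q) for c, q in events if c not in flooders]
    return flooders, remaining


if __name__ == "__main__":
    flooders, remaining = triage(build_sample_log())
    print("aggregated flood alerts:", flooders)
    print("events still worth a look:", remaining)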
Gaining more access
• Admin level access to compromised machines.
• Access to more systems to understand the
  architecture.
• Access to a whole network was required to
  actually understand how things were working
  inside.



                                            17
Admin level access
• Recon turned out to be very useful here as
  victims with “authority” had admin rights.
• Simple getsystem is enough once you are an
  admin on some machine.
• A hashdump followed to get hashes for local
  admin user.



                                                18
Local admin
• Generally, the local admin password is the same
  on most of the machines on a LAN. That was the
  case here for the victim subnet.
• psexec with route was used to get Local Admin
  (and then SYSTEM) privileges on most of the
  machines in the victim LAN.



                                              20
Maintaining access
• To maintain access, two ways were used:
• the Meterpreter persistence script, and the
  method posted by HDM on the Metasploit blog.
• For both of these it was sensible to kill AV (at
  least temporarily).
• But there was a problem.



                                                     22
• A simple script was created to duplicate the session, migrate it to the
  AV process and kill itself, and bingo!! we knocked AV down.
• Below is how it was done.




                                                                     24
• The persistence script was used and persistent meterpreter connections
  were created on the victim machines.
• A little change was required: change the default connect method in
  persistence.rb from reverse_tcp to reverse_https.




                                                                  25
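The persistence described above leaves an artefact a defender can look for: the Metasploit persistence script of that era wrote a VBScript into the user's temp directory and registered it under a registry Run key so it restarted at logon. The Python below is an added example from the defender's side, not code from the talk or from Metasploit. It parses a constructed listing in the shape of `reg query ...\Run` output (all entries, including the hypothetical "UpdateSvc" value and the file name it points at, are invented for the example) and flags Run entries that start a script file from a temp directory.

```python
import re

# Constructed output in the shape of `reg query HKCU\...\Run`, not captured from the engagement.
# "UpdateSvc" is a hypothetical entry mimicking the artefact the persistence script left behind:
# a VBScript dropped in the user's temp directory and launched from a Run key.
SAMPLE_RUN_KEYS = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    UpdateSvc   REG_SZ    C:\Users\alice\AppData\Local\Temp\hUcQkd.vbs
    Sidebar     REG_SZ    C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
"""

# One data row: leading whitespace, value name, REG_* type, then the command/data.
ENTRY_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*\S)\s*$")
# Script-interpreter file types that should not normally be auto-started from a temp folder.
SCRIPT_EXT_RE = re.compile(r"\.(vbs|vbe|js|jse|wsf|hta|ps1|bat|cmd)(\b|$)", re.IGNORECASE)
# Any path component named Temp or Tmp.
TEMP_DIR_RE = re.compile(r"\\(Temp|Tmp)\\", re.IGNORECASE)


def parse_run_keys(text):
    """Return [(value name, command)] for every data row of a `reg query` style listing;
    the key header line and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(3)))
    return entries


def suspicious_autoruns(text):
    """Names of Run entries whose command runs a script file located under a temp directory."""
    return [name for name, cmd in parse_run_keys(text)
            if SCRIPT_EXT_RE.search(cmd) and TEMP_DIR_RE.search(cmd)]


if __name__ == "__main__":
    for name, cmd in parse_run_keys(SAMPLE_RUN_KEYS):
        flag = "SUSPICIOUS" if name in suspicious_autoruns(SAMPLE_RUN_KEYS) else "ok"
        print(f"{flag:10} {name:10} {cmd}")
```

The same two tests (script extension plus temp-directory path) apply to the HKLM Run key and to scheduled-task actions; the listing format is the only part that changes.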
Other networks reachable from the victim
• A ping sweep was done.




                                      26
What we have now
• Now we control a complete LAN, mostly with
  administrative privileges.
• We have a list of IPs of servers and other
  devices, thanks to our ping sweep.




                                              27
Recon Phase 2
• Listing critical assets (humans and machines)
• Searching machines for Network diagrams, IP
  lists, password lists etc.
• Logging of keystrokes to read mails, gather
  passwords.
• Residing on the network to gather
  information.


                                                  28
Listing critical assets
• Servers were listed from the data collected using
  the ping sweep, port scans and asset Excel sheets
  found while searching various machines across
  the compromised LAN.
• The naming convention and role of servers
  revealed the critical ones.
• Some password sheets were also found on the
  compromised machines.

                                              29
• The search_dwld script is a powerful way to get
  useful files.
• Excel sheets (xls, xlsx), Word documents (doc, docx)
  and diagrams (jpg, jpeg) were searched for.




                                                   30
Gathering more info
• Keystrokes were dumped for days.
• This gave access to official mail IDs, the employee
  management portal, passwords to production
  servers and to firewalls; virtually to everything in
  that environment.
• Screenshots from meterpreter were used.
• Source code was received “on the fly” as coded
  by developers.
• Passwords were also captured with the help of
  the BeEF Prompt Dialog module.

                                                       31
Keyscan_dump output
• Screenshot of one of the victims (it was showing
  too much detail).
• Screenshots helped in understanding the working
  environment and the habits of victim users.
                                        32
Attack Phase 2
• Using gathered info to compromise
  production.
• There was actually nothing left to
  compromise.
• Even UPS consoles were accessed.
• Queries to view sensitive data from databases
  were “sniffed” from keystroke dumps.


                                                34
Bad Practices Identified
• Help desk too helpful.
• Employees turned out to be more than happy
  to click links and open unknown PDFs.
• Higher authority means Administrator
  privilege.
• Local Administrator exempted from the
  password policy.
• Unencrypted password lists.
• Sites allowed in the form *.domain.*
                                              35
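Slide 8 (vendor-lookalike domains such as microsoft.dnss.com) and the last bullet above (sites allowed in the form *.domain.*) are two halves of one weakness: a wildcard on both sides of the vendor name accepts any host that merely contains ".vendor.", including one the attacker registers. The Python below is an added example, not the target's real proxy configuration or code from the talk. It puts the glob-style rule next to a strict registrable-domain suffix check and runs both over constructed hosts (the legitimate vendor hosts and the attacker-shaped names are assumptions modelled on the slide). It goes slightly beyond the slide by also showing that the glob form wrongly rejects the bare vendor domain.

```python
import fnmatch

# Constructed allow-list entries (not the target's configuration): the glob form the talk
# criticises, next to a strict list of registrable domains for the same two vendors.
GLOB_ALLOW = ["*.microsoft.*", "*.ibm.*"]
STRICT_ALLOW = ["microsoft.com", "ibm.com"]


def normalise(host):
    """Lower-case the host and drop a trailing dot so both checks compare the same string."""
    return host.strip().lower().rstrip(".")


def allowed_by_glob(host, patterns=GLOB_ALLOW):
    """Proxy-style wildcard match: '*.vendor.*' accepts any host that contains '.vendor.'
    anywhere, whoever owns the registrable domain at the end."""
    h = normalise(host)
    return any(fnmatch.fnmatchcase(h, p) for p in patterns)


def allowed_by_suffix(host, domains=STRICT_ALLOW):
    """Strict match: the host must be the allowed domain itself or end in '.<domain>'.
    The dot is part of the test, so 'evil-microsoft.com' and 'microsoft.com.example' both fail."""
    h = normalise(host)
    return any(h == d or h.endswith("." + d) for d in domains)


def compare(hosts):
    """Map each host to (glob decision, strict decision) so the two policies can be diffed."""
    return {normalise(h): (allowed_by_glob(h), allowed_by_suffix(h)) for h in hosts}


# Constructed test hosts. The first two are legitimate vendor hosts; the rest are attacker-shaped
# names with a vendor word inside a domain the vendor does not own.
SAMPLE_HOSTS = [
    "www.microsoft.com",
    "microsoft.com",
    "www.microsoft.dnss.com",
    "support.ibm.selfip.biz",
    "ibm.com.example",
]

if __name__ == "__main__":
    for host, (glob_ok, strict_ok) in compare(SAMPLE_HOSTS).items():
        print(f"{host:26} glob={str(glob_ok):5} strict={strict_ok}")
```

Only the strict check gives the intended result on every row: it admits both real vendor hosts and rejects all three lookalikes, whereas the glob admits two lookalikes and blocks the vendor's own bare domain.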
How it can be avoided

Educating the employees




                              36
• Thank You
• Questions Please ?




                       37
