Their greatest weakness
Today I will tell you a short story of how I was able to penetrate a company and gain complete access to their files, contacts, emails, backups, images, source-code, practically, every byte they had. I was a penetration tester on a project that was a bit out of the ordinary. The client didn't want to nitpick every nook and cranny of their systems. Instead of being granted a detailed scope of access, I was challenged to infiltrate their information systems from an external, remote position, emulating a genuine cyber attack - no limitations except physical ones. Methods like WiFi, RFID cards, and other such 'sweet things' could have been beneficial, these physical attack strategies were off-limits as per the client's rules of engagement.
Information Gathering
First step, I started gathering as much information I could by performing OSINT techniques and gathering information regarding the company and the company employees. Regarding their infrastructure I evaluated their domains and I gathered basic information such as domains, subdomains, mail-servers, ports any web-application hosted and more. Finally I conducted threat intelligence (along with a fellow hacker). Among various discoveries, I managed to uncover WiFi passwords, previously leaked credentials, and employee email addresses. Along with my hacker comrades, we meticulously charted their buildings, pinpointing entrances and determining the layout of their premises. We supplemented this with images gleaned from social media and their own website to construct a comprehensive picture of their physical environment - this could give us an idea of how the organization is structured, which may, or may not, help later in the social engineering phase - and in any red team activities that could follow in the future.
Launch the missile
Next, we started a full enumeration of their infrastructure and scanning for possible vulnerabilities. There was not much services except mainly their main website. I had to say that was a tough job and there was no way of getting into their internal network through their external infrastructure. As much I wanted to break-in there was no other way (given also that there were time-limitations too).
Well, to get things going, we continued with assumed breach. We gave the customer a custom device which when plugged into their network (i.e via Ethernet) it could connect back to us and give us shell via the device. It’s like being there without being there - in short, a RAT in their network. Their internal network was rough, and there was a good firewall with all proper plugins. The firewall could detect and block our plugged-in device. Explicitly unblocking our device by the IT manager we continued our journey by scanning for potential vulnerabilities yet without automated tools, to be as stealthy as possible (stealthy regarding the detection tools - IT manager was aware of course).
We exhausted all of our time window trying to breach the target from an unauthenticated standpoint. Every system was updated, each machine correctly configured, leaving no room for slip-ups. Despite our best efforts, we couldn't penetrate the target. What an embarrassing moment!
Reuse every bit
Along-side the network scan procedures, we made some research regarding their staff. Their internal infrastructure was based on Active Directory and they were using OWA as an email solution. During that time we prepared several phishing campaigns, but one was targeting all the users. We prepared a phishing scenario where the target goal was to harvest user credentials. We knew that their email account’s username and passwords were also used internally to log-in into their AD. Therefore, we concentrated our effort to gather as much credentials as possible targeting all users, except some senior ones, that could raise suspicions.
The Phishing Campaign
The plan was straightforward: we set up a simple website unrelated to their current infrastructure and the applications they were accustomed to. We introduced something completely new to them - a fresh service! The employees would receive an email, seemingly from their IT manager (but in reality, sent from our server), introducing this new service and inviting them to log in using their existing credentials. We provided a link (a phishing link) that led users to a login page on our website. The service offered was relevant to the employees' line of work. For instance, if it was a law office, the service might appear to be a new database for filing documents.
We quickly made the application and set everything up on our end, so it was ready to go. We used a domain that was a lot like theirs, just changing some letters around, so it wouldn't seem out of the ordinary.
During our reconnaissance phase we have managed to gather a list of 1100 employee emails. In our phishing campaign we have sent out approximately 900 emails and 150 users were hooked - we got some creds!. That’s almost 15% of their users providing their corporate credentials - that’s a good catch. Some users were trying too many times without success (failing to login, as we didn’t had any real application behind that fake login page). Following this, we could not log-in to their email accounts, as all users were protected by a 2FA mechanism. Eh, we were blocked again.
The bomb
So we returned back to their internal network. We have managed to use the credentials, and have some basic user access to the organization’s Active Directory.
A side note here, keep in mind that the assumed breach could have been skipped if the company had a public VPN access - then we could have used the gathered valid credentials to log-in through the VPN and have access to their internal network.
We have not found any user that had special permissions on anything that could be used to abuse any internal network misconfiguration. However, with a simple user we could have access to their Active Directory environment and so we could enumerate the AD, even though the Active Directory was tough - much like a concrete wall. Even though very well configured, had a very tiny, little weak spot, that was only accessible by any authenticated user. That was an old feature of AD left forgotten and misconfigured. It was a very well hidden weak spot but we eventually found it.
Well.., using only basic user credentials we took advantage of this mistake to gain top-level access (Domain Admin privileges). At this point we had everything at our disposal: emails, files - confidential documents, conversations, servers, web-application code-base, user accounts and more. This put the whole system at risk. Of course, we didn't do anything to hurt the company and we quickly got in touch with our point-of-contact there, as we were in a close-loop. If a real attacker had found this weak spot, the company could have been seriously harmed. Luckily, they had a security test (the one we did), which helped them find and fix problems like this one and others, like the phishing issue. After the test, we didn't just give them a detailed report. We also had a call with their team to talk about everything that happened during the test.
The moral lesson
What's the lesson here?
Even if you create strong security, it can all fall apart quickly when people make mistakes. The IT team might have set up a secure network and the developers might have made a safe web application. But, the network was still broken into when people messed up - ok the network had a well hidden issue too. We can be pretty sure about our systems, but we can't always be sure about our people. Especially those who haven't been taught about these things - but it's not their fault. This is something we can fix, just like anything else.
Think about these questions and evaluate how ready your company is to defend itself:
- What is the last time you performed a phishing campaign?
- How often do you perform a penetration test?
- What systems do you test during the penetration test? Does this make sense? Are the most valuable?
- How advanced phishing campaigns can your employees defend against?
- Have you ever called an expert to train your employees against phishing campaigns? What about targeted phishing campaigns?
- How well configured is your Active Directory environment?
You are not untouchable
Some believe they're invincible, setting up networks and systems that are as solid as a fortress. But guess what? Eventually, they face breaches! This is not a warning, but a reminder - in the world of IT, security isn't just an option, it's a necessity.
The best way to truly gauge your IT and coding skills is to get a penetration test done. Let us find the loopholes in your system before someone else does. Above all, stay informed about the latest tech threats and how to guard against them. You may start by subscribing to Cybervelia's newsletter.
Contact us now to talk about penetration testing or whatever else might bothering you.
White hat hackers are here to help you, so take advantage of us!
You can find our offered services at https://cybervelia.com/penetration-testing
Originally posted on Cybervelia's main blog found here: https://blog.cybervelia.com/p/breaking-their-defense-hacking-stories
Top comments (0)