A Weak Link in the Chain: Misconfigured Printers

There are many paths an attacker may take in order to compromise the infrastructure. Since printers aren't regularly used by attackers, security teams also tend to overlook these devices. However, printers have become increasingly sophisticated and multi-faceted over the years and are essentially specialized computers that are well integrated into an organizational network, interacting with or exposing different services like FTP, SMB, or SMTP. For example, a user can use a printer to scan a document and email it to themselves or save it to a file server. To accomplish this, many organizations provide such devices with corporate domain credentials; for example, a printer could be given the username "printer1" and the password "printprintprint." Unfortunately, printers are sometimes only configured during the initial setup and then left behind, frequently going without updates and patching. This makes printers an ideal place to attempt an initial breach.

In this engagement, we sought and discovered two printers that possessed domain credentials and exposed an HTTP SOAP API on certain TCP ports. Any user with administrative privileges or administrative credentials for the printer was able to interact with the server and extract the configured FTP and SMB usernames and passwords. There is both a Core Impact module and some GitHub projects that can be used to easily complete this extraction. This turned up three different sets of credentials. Two were invalid, meaning their passwords were no longer in use. The last one was a domain user account, which would have been ideal, but the account was disabled.

However, during such engagements it's important to maintain an attacker mindset. Skilled and experienced attackers will always attempt to use what's available to them, even if it requires some workarounds. An experienced attacker is likely aware of the common practice of giving employees multiple Domain User accounts, depending on their role. For example, an IT team member may get both a regular user account and a privileged account. While this is in theory a security measure, so that the employee only uses the account with the least privilege needed to accomplish a task, it can also be a security weakness. There are often trivial, easily guessed naming conventions for usernames, and it is not unusual for employees to make the mistake of using the same password for all of their different accounts. The password for John Doe's disabled domain account worked for his regular user account login, which was still enabled. We were able to use this account, conduct a password spray attack, and obtain local administrator privileges on seven different hosts.

Setbacks and Successes: Stealth and Security Controls

After the successful password spray attack, we accessed the Security Account Manager (SAM) databases and Local Security Authority (LSA) secrets of the discovered hosts. Nothing of interest came from these efforts, so we next moved to access the host's process memory to try and pull credentials that would hopefully have more extensive privileges. However, before we were able to complete this task, our account was disabled by the defense team. Despite this, we were far enough along in the process that we had other options to turn to. Having previously retrieved the contents of the hosts' SAM databases, we decided to test each RID 500 default admin account's NTLM password hash against all of the hosts in the domain. Ultimately, this gave us local administrator privileges on four new hosts. We repeated the process of retrieving SAM databases and LSA secrets. However, we were once again caught, and one host, which seemed to be a file server, was put into network isolation to restrict our access to it. Since file servers often have privileged user credentials in memory, we thought it would be worth waiting for it to come back online, which would likely be within a few hours because file servers are so essential to regular organizational activities. The isolation was indeed temporary, but the security team had changed the RID 500 user account password and also disabled it. Despite basic security controls being in place, the initial security weaknesses we exploited gave us enough information to keep moving forward.

Closing In: Using a Kerberos Service Ticket to Gain Control

We had previously retrieved all the information from the SAM database of the second set of hosts, including the file server we no longer had access to. Consequently, we were still in control of the computer accounts' NTLM password hashes.
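As an added example from the defender's side (not code from the original post or from Core Security), the Python below flags the two patterns this engagement relied on, a password spray and reuse of the RID 500 local administrator hash across hosts, over constructed Windows Security event records. The pipe-delimited record layout, the thresholds and every sample value are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
def parse(line):  # record layout: time|event_id|source_ip|host|user|sid|logon_type
    t, eid, src, host, user, sid, ltype = line.split("|")
    return {"time": datetime.fromisoformat(t), "id": int(eid), "src": src,
            "host": host, "user": user, "sid": sid, "type": int(ltype)}

def detect_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Sources whose 4625 failures hit >= min_accounts distinct users inside one window."""
    failed = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if e["id"] == 4625:
            failed[e["src"]].append(e)
    hits = {}
    for src, evs in failed.items():
        for i, first in enumerate(evs):
            users = {e["user"] for e in evs[i:] if e["time"] - first["time"] <= window}
            if len(users) >= min_accounts:
                hits[src] = len(users)
                break
    return hits

def detect_rid500_lateral(events, min_hosts=3):
    """Sources from which a RID 500 account logged on over the network (type 3) to >= min_hosts hosts."""
    hosts = defaultdict(set)
    for e in events:
        if e["id"] == 4624 and e["type"] == 3 and e["sid"].endswith("-500"):
            hosts[e["src"]].add(e["host"])
    return {src: sorted(h) for src, h in hosts.items() if len(h) >= min_hosts}

# Constructed sample records (not from the engagement): five accounts sprayed from
# 10.0.0.5 within seconds, one success, a benign console failure elsewhere, then the
# built-in Administrator reused over the network against four hosts; the final
# interactive (type 2) Administrator logon on WS05 must not be flagged.
SAMPLE = [
    "2024-01-01T09:00:01|4625|10.0.0.5|DC01|alice|-|3",
    "2024-01-01T09:00:02|4625|10.0.0.5|DC01|bob|-|3",
    "2024-01-01T09:00:03|4625|10.0.0.5|DC01|carol|-|3",
    "2024-01-01T09:00:04|4625|10.0.0.5|DC01|dave|-|3",
    "2024-01-01T09:00:05|4625|10.0.0.5|DC01|erin|-|3",
    "2024-01-01T09:00:06|4624|10.0.0.5|DC01|jdoe|S-1-5-21-1-2-3-1106|3",
    "2024-01-01T09:30:00|4625|10.0.0.9|WS09|frank|-|2",
    "2024-01-01T10:00:00|4624|10.0.0.5|WS01|Administrator|S-1-5-21-9-9-9-500|3",
    "2024-01-01T10:00:05|4624|10.0.0.5|WS02|Administrator|S-1-5-21-8-8-8-500|3",
    "2024-01-01T10:00:09|4624|10.0.0.5|WS03|Administrator|S-1-5-21-7-7-7-500|3",
    "2024-01-01T10:00:14|4624|10.0.0.5|FS01|Administrator|S-1-5-21-6-6-6-500|3",
    "2024-01-01T11:00:00|4624|10.0.0.20|WS05|Administrator|S-1-5-21-5-5-5-500|2",
]
def run(lines=SAMPLE):
    events = [parse(l) for l in lines]
    return detect_spray(events), detect_rid500_lateral(events)
```

Both detectors key on the source address, which is also what lets a security team correlate the spray with the later local-admin reuse from the same foothold.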