The enemy is inside: how I got caught on an insider red team engagement
Translation
Original author: Tinker
I had all the advantages. I was already on the network. I was above suspicion. But they discovered my hacking, kicked me off the network... and tracked me down physically.
Many penetration tests start from the outside, to check how the perimeter can be overcome. This time the customer wanted to see how far an attacker who had already managed to get inside the organization could go. How could they stop me if I was already on the network?
So they smuggled me into the office disguised as a new employee. I was given a work computer, a badge, an account in the system... hell, I even had my own cubicle with an assumed name on it. The only person who knew who I really was was their information security director. Everyone else thought I was Jeremy from Marketing.
Reconnaissance
Most of the first morning went on the hiring paperwork, meeting colleagues and doing menial work. But I had to act quickly. I had only a week for everything, and I needed enough time to hack it all without arousing suspicion. So I got to work.
Just so you understand: most penetration tests are pretty straightforward. The hardest part is getting into the network. But once inside, you get a wide range of targets: old computers, default passwords, everyone running as local admin... Usually I get a domain admin account in a day or two, and soon after that, admin over the whole organization. The rest of the time goes on covering tracks and collecting evidence of what an attack could have done. But this time it was different. Time for some surprises.
Sitting at the computer, I pretended to work. I was going to use the office computer for research and for studying the configuration of other workstations, but I wouldn't attack from it directly, so as not to leave traces pointing at me. Instead, I brought a separate hacking device: a personal laptop with Linux and a pile of hacking tools. I plugged it into the network and got an IP address. Their NAC didn't cover the whole network: any connection from a cubicle was trusted.
I started as usual. Capturing and analysing network traffic with Wireshark, changing my laptop's MAC address and hostname so that it blended into their infrastructure and looked like ordinary equipment. Then, running Responder on my subnet to catch hashes and crack passwords. I collected a handful of hashes pretty quickly. I was on an ordinary employee subnet, so there were plenty of logged-in accounts around with open browsers spraying authentication data.
The first surprises
I ran the captured hashes on my 8-GPU cracking rig, but... something went wrong. All 8-character combinations of upper- and lower-case letters, digits and special characters (NetNTLMv2) were exhausted pretty quickly. The most common passwords (one word, first letter capitalised, ending in a digit or symbol) I crack instantly. Not here.
I could have run net accounts on my workstation to see the password policy straight from AD, but I decided to look elsewhere first. I didn't want to leave unnecessary traces. After searching the web, I managed to find their Security Requirements. It turned out the minimum password length was 12 characters, with upper- and lower-case letters, special characters and digits required. And they had already started moving to passphrases... I changed my brute-force rule set to use longer words, a capitalised first letter, and digit and special-character endings. That got me some passwords!
Cool! Let's go! I immediately tried to log into a user's computer remotely with his password... and was blocked. What the...? That always worked. The password is correct. But access is denied. I double-checked myself. Start with the basics. Do everything right. It took some time to find a domain controller. The VoIP phones had web config pages where its address was listed. From the controller I pulled the group policy settings via LDAP to look at the privileges. After a lot of digging through a heap of settings, I realised that remote access was allowed only to a small subset of IT staff, not even the whole IT department. And I hadn't cracked any of their passwords. They had implemented least privilege... Who does that?
Fine, to hell with it. I'll manage without access to the computers. I'll get into their correspondence! And that's what I did. I searched for passwords in mail and Skype chats, checked notes and drafts in Outlook. I came across a pile of personal passwords for all sorts of things... but none for a corporate account. I did find a letter from the information security department saying they planned to roll out two-factor authentication for mail within a week. Looked like I'd got lucky.
The weakest point of any system
Then I went to the SSO portal. All the internal applications in one place. A hacker's dream! I clicked one of the apps. It required two-factor authentication. The next one too. And the next. What kind of Alcatraz is this?! A hacker's nightmare!
I saw they were using Citrix. It's behind two-factor authentication, well, whatever. I'll deal with it. Citrix would give me access to an internal server. I needed to get onto an internal host so I could ditch my hacker laptop and start moving through the network. I launched Citrix and got a prompt for a 6-digit PIN in response. There was a button labelled "Click to get a token" and a partially masked phone number: (xxx)xxx-5309. Searching the mail for "5309", I found the user's signature with the full phone number in it. I called it.
A woman answered. "Good afternoon, Pam. This is Josh from IT. We're migrating your Citrix profile to a new server. I'm going to send you a 6-digit number, and I need you to read it back to me. Just so you know, we never ask for your password." I already had her password. She hesitated: "Okay..." I pressed the button to send the authentication token and said: "Done. I've sent you a number, please read it to me when you get it." She replied: "Um... yes, I got it. 9-0-5-2-1-2." "Thank you! Please don't run Citrix for a couple of hours!" A 60-second timer was ticking on the screen. I typed the digits into the two-factor window and clicked "OK". Logged in. Take that, two-factor authentication! Once inside, I saw... nothing. NOTHING! This user didn't need Citrix, so NOTHING was attached to it. I had broken into an empty room.
So. This is crazy. I can probably crack a long password, but only if I'm lucky enough to catch the right hash. And even with a cracked password of someone from that small group, I'd still have to bypass two-factor authentication. Every attempt, especially against someone in that protected group, increases the risk of detection. Damn it...
I tried everything. I ran more and more aggressive scans, trying to stay under the radar. I probed the entire network and every service I could find with every attack I knew. And although I found some small things here and there, it wasn't enough to get a foothold anywhere. I was starting to despair. It was already the end of the second day. Usually by then I'm gutting databases, reading the CEO's mail and watching people through their webcams. Damn it. Time to break into the IT people's lair. I'm going to steal laptops.
Night raid
I stayed late after work. I told my colleagues I had to finish a workplace safety course. They nodded and left. Then the cleaners came. When they finished, I was alone. I went to the IT office. I found the door. Looking around, I took hold of the handle...
Before that, I had already tried various things on my office laptop, but I wasn't a local admin and the disk was fully encrypted. My goal was to find an old unencrypted laptop that would have the local admin's password hash on it.
I checked the lobby to make sure no one was around. I scanned the ceiling for security cameras. I opened my mouth and tilted my head to hear anyone coming around the corner. Nothing. I was ready to act. I had prepared to pick the mechanical lock, deal with the electronic access control or take the door off its hinges, but I found that the door was ajar. Lucky. The door had both an electronic lock and a mechanical one. Even protected hinges. But someone had left it open that night. I opened the door a crack and looked in, expecting to run into someone inside. No one. Oh, whatever. Just luck. I went in.
I have no idea why the door was open, but 80% of my work is user error, 56% is skill, 63% is adaptability, 90% is abusing features and a fat 80% is luck. And only about 1% has anything to do with mathematics...
Anyway. I didn't know whether someone would be back any minute, so I got to work. In the corner were stacks of laptops of different ages, manufacturers and models. Having weighed the risk of getting caught in the IT office against getting caught with a pile of laptops on my desk, I chose my desk. And there I was, dragging armfuls of old laptops from the IT den to my cubicle and stacking them into a Leaning Tower of Pisa under my desk. Then I started methodically trying to boot each laptop from a USB stick in search of the unencrypted Holy Grail.
I have a bootable USB stick with Kali and the samdump2 utility. I plug it into one of the laptops, boot it and try to mount the hard drive. Every time I run into encryption I get more and more upset. Finally, after 30 laptops, I find three half-dead ones with unencrypted disks. Using samdump2, I pull the local NTLM hashes out of the SAM and compare them. That turns up a non-default local administrator account, "ladm", on all three machines. The hashes match. Thank Eris, they don't use LAPS. The local admin account is the same on every computer. I cracked that hash pretty easily. The password turned out to be <Company name><Year>, and that year was a couple of years ago. An asset-management failure. Love it.
I tried to log in remotely with the new account and got the same error as before. Even the local admin was denied remote login... I tried logging in locally to my own office laptop, and it worked! This account got past full-disk encryption! A master key! So... soooo! This can be used! But then I noticed something odd... I didn't have access to the user data. What? Had they restricted access EVEN FOR LOCAL ADMINS?! Damn. I needed to escalate privileges to SYSTEM.
I tried every trick that came to mind. In the end, I searched for Unquoted Service Path vulnerabilities and found a couple! But the output said my local admin account had no write permission to the necessary folders. Come on! By then I was exhausted and broken. My 17-hour shift was ending. My brain had stopped working. Another dead end. Another series of hard fights and successful hacks for the sake of yet another fail. I had to go home and get some sleep so I could start over the next day.
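The check described above, comparing the local hashes pulled from several unencrypted machines, as an added example that is not code from the original post. It parses pwdump-format output of the kind samdump2 prints and reports local accounts whose NT hash recurs on more than one host, which is exactly the shared local-admin password that LAPS would have randomised per machine. The hostnames, account names and hash values are constructed for the example.

```python
"""Correlate local NT hashes dumped from several unencrypted laptops.

Added example; not code from the original post. It parses pwdump-format lines
of the kind samdump2 prints (user:rid:lmhash:nthash:::) for several hosts and
reports local accounts whose NT hash is identical on more than one machine,
i.e. a shared local-admin password that LAPS would have randomised per host.
The dumps and hashes below are constructed for the example, not real.
"""
from collections import defaultdict

# NT hash of the empty password; samdump2 prints it for blank or disabled accounts.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed samdump2 output per host (hostname -> dump text). Hash values are arbitrary.
SAMPLE_DUMPS = {
    "LAPTOP-OLD01": """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
ladm:1001:aad3b435b51404eeaad3b435b51404ee:9a3c2f7e1b4d5c6a8f0e1d2c3b4a5968:::
jdoe:1002:aad3b435b51404eeaad3b435b51404ee:1f2e3d4c5b6a79880a1b2c3d4e5f6071:::
""",
    "LAPTOP-OLD02": """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
ladm:1001:aad3b435b51404eeaad3b435b51404ee:9A3C2F7E1B4D5C6A8F0E1D2C3B4A5968:::
asmith:1003:aad3b435b51404eeaad3b435b51404ee:7c8d9e0f1a2b3c4d5e6f708192a3b4c5:::
""",
    "LAPTOP-OLD03": """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
ladm:1001:aad3b435b51404eeaad3b435b51404ee:9a3c2f7e1b4d5c6a8f0e1d2c3b4a5968:::
this is not a pwdump line
""",
}


def parse_pwdump(text):
    """Yield (user, rid, nthash) from pwdump-format lines; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit() or len(parts[3]) != 32:
            continue
        yield parts[0], int(parts[1]), parts[3].lower()


def shared_local_hashes(dumps, min_hosts=2):
    """Return {(user, nthash): [hosts...]} for accounts whose NT hash recurs on >= min_hosts.

    Blank-password hashes are ignored: they are identical everywhere by definition
    and say nothing about a shared password.
    """
    seen = defaultdict(set)
    for host, text in dumps.items():
        for user, _rid, nthash in parse_pwdump(text):
            if nthash == EMPTY_NT:
                continue
            seen[(user.lower(), nthash)].add(host)
    return {key: sorted(hosts) for key, hosts in seen.items() if len(hosts) >= min_hosts}


def hashcat_lines(shared):
    """Format the shared hashes as user:nthash lines for hashcat -m 1000 --username."""
    return [f"{user}:{nthash}" for (user, nthash) in shared]


if __name__ == "__main__":
    for (user, nthash), hosts in shared_local_hashes(SAMPLE_DUMPS).items():
        print(f"{user} has NT hash {nthash} on {len(hosts)} hosts: {', '.join(hosts)}")
```

On the constructed input only ladm is reported, on all three hosts; the per-user accounts and the blank Administrator accounts are not. Run the same comparison across a fleet and every hit is a machine whose local admin password unlocks every other machine in the list.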
Phone a friend
The next day I double-checked everything to make sure I hadn't missed anything. I checked everything I could check, scanned everything I could scan, did everything that came to mind. Small leads everywhere, but nothing worthwhile. I called a colleague from Dallas Hackers. Telling him about my ordeal, I got to my dashed hopes for the Unquoted Service Path, when the output showed I lacked the necessary privileges. He asked: "And did you still try to exploit it anyway?" I froze. I hadn't. In that state I had believed the output and not checked it myself. Fine. I tried to write to the directory. The very one that, according to Windows, I had no write access to. And it worked. Damn Windows. It fooled me again. But okay. That's awesome. A new lead.
My colleague quickly threw together a C loader that kicked off a PowerShell payload. I took the chance to test the bundle on my own computer, and everything seemed to work. It was a convoluted attack. But it was all I had. The plan was:
Start a listener on my hacker laptop
Get physical access to a laptop in the office
Log in under the local administrator account
Drop my malware bundle into the Unquoted Service Path
Log out
Wait for a user to log in and trigger the payload
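The lesson of that phone call, in code, as an added example (not the post's tooling and not the colleague's loader): enumerate the paths Windows would try for an unquoted service path, and then test writability by actually creating a file rather than trusting an ACL listing. The service ImagePath values are constructed, and the probe used in the write-test is an assumption about how you would check on the target.

```python
"""Enumerate unquoted-service-path hijack candidates and probe writability directly.

Added example; not code from the original post or the colleague's loader. The
service ImagePath values are constructed. probe_writable() does what the post's
advice amounts to: instead of trusting an ACL listing, try to create a file in
the directory and believe only the result.
"""
import ntpath
import os
import re
import tempfile

# Constructed ImagePath values, like those from `wmic service get name,pathname`.
SAMPLE_SERVICES = {
    "VendorUpdater": r"C:\Program Files\Vendor App\bin\svc.exe -k net",
    "GoodVendor": r'"C:\Program Files\Good Vendor\svc.exe" -run',
    "Dhcp": r"C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted",
    "Spooler": r"C:\Windows\System32\spoolsv.exe",
}

# Everything up to the first ".exe" is the executable; the rest is arguments.
EXE_RE = re.compile(r"^(.*?\.exe)", re.IGNORECASE)


def hijack_candidates(image_path):
    """Return the paths Windows would try before the real binary when starting the service.

    For an unquoted path with spaces, each space-delimited prefix is tried with
    .exe appended: C:\\Program Files\\Vendor App\\bin\\svc.exe yields C:\\Program.exe
    and C:\\Program Files\\Vendor.exe. Quoted paths and paths without spaces yield nothing.
    """
    path = image_path.strip()
    if path.startswith('"'):
        return []
    match = EXE_RE.match(path)
    exe = match.group(1) if match else path
    tokens = exe.split(" ")
    return [" ".join(tokens[:i]) + ".exe" for i in range(1, len(tokens))]


def probe_writable(directory):
    """Try to create and delete a file in directory; True only if the write actually succeeds."""
    try:
        fd, path = tempfile.mkstemp(prefix="acl_probe_", dir=directory)
    except OSError:
        return False
    os.close(fd)
    os.remove(path)
    return True


def writable_hijack_points(services, probe=probe_writable):
    """Map service name -> candidate paths whose parent directory the probe could write to."""
    hits = {}
    for name, image_path in services.items():
        writable = [c for c in hijack_candidates(image_path) if probe(ntpath.dirname(c))]
        if writable:
            hits[name] = writable
    return hits


if __name__ == "__main__":
    for name, image_path in SAMPLE_SERVICES.items():
        print(name, "->", hijack_candidates(image_path) or "not vulnerable")
    print("writable on this machine:", writable_hijack_points(SAMPLE_SERVICES))
```

Run on the target as the account you actually hold, writable_hijack_points() answers the only question that matters: can this account drop a file where the service loader will pick it up. The candidate list is what a tool prints; the probe is the step the post's author skipped.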
Lunch break was approaching. I smiled at my colleagues' invitations to go grab a bite and stayed a little longer. At first I planned to visit the IT guys and get to one of their computers while they were at lunch. But when I went to their office, I saw they were all there! Eating lunch in front of their computers! Don't they know how bad that is?! How not separating work and rest and skipping breaks leads to stress?! Why don't they have lunch like normal people?!
To hell with it. I'll hack a computer. Any computer. I walked around the office and found a room with no one in it. Finance. Okay, let's crack finance. I said something to the sweet little old lady who came back for her purse. I let her know I was an IT guy updating computers. She nodded and, smiling sweetly, left. Irritated, with a face full of hatred and gloating, I turned to one of her colleagues' computers and hacked it.
It took less than 30 seconds. I put the chair and the mouse back the way they had been before I arrived. I took another quick look around, making sure everything looked fine. And went back to my desk. Sat staring at my listener. At some point lunch ended. I didn't even feel like talking. Just as I was starting to lose hope, I saw:
> Meterpreter session 1 opened
And then…
> Meterpreter session 2 opened
> Meterpreter session 3 opened
...
> Meterpreter session 7 opened
Hell yeah! I ran getuid and saw NT AUTHORITY\SYSTEM. Yee-haw!
Good! Great! So! Um... let's go! Yes! Having secured my foothold, I made a memory dump and started digging through the file system. Some financial information. Some passwords in plain text. Sensitive information, but nothing serious. But come on. This is just the beginning. A beachhead. And then...
> Meterpreter session 1 closed
I try to re-attach to the sessions, but they're all closed. I ping the system, no response. I scan port 445. Nothing. The system is gone. That's. Too. Much. I get up and head straight for the finance department. What happened to my shells?!
Turning the corner, I see the sweet old lady talking to the biggest, fiercest-looking IT guy. I quickly go "Oh, f..." and turn around as the old lady looks my way, points her finger right at me and shouts: "That's him! He was messing with our computers!" I let out a heart-rending scream and run. Turning my back on the ferocious IT guy, I run the other way and straight into two security guards. They look very unfriendly and make it clear I have wandered into the wrong area. I wake up covered in blood, strapped to an ergonomic office chair with the zip ties they use on the cables in the server room. The head of DFIR is standing in front of me, her knuckles bruised. Behind her, a small team of analysts from the intrusion detection group grins. I squeeze out one word... I need to know... "How...?" She leans to my ear and whispers: "Nobody in finance ever runs PowerShell..."
Okay... I added a bit of drama at the end. But the story of running into an old lady who turned me in to IT is real. They detained me on the spot. They took my laptop and reported me to management. The Director of Information Security came and vouched for me. And the way they figured me out is real too. They got an alert that PowerShell was running on a system that didn't belong to the small group of IT staff and developers who run PowerShell normally. A simple and reliable anomaly-detection method.
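The rule that caught the author, written out as an added example that is not the client's actual detection logic. It runs over constructed JSON-lines process-creation records modelled on Windows Security 4688 / Sysmon event 1 and flags PowerShell launches that neither an IT/developer workstation nor an allowed account explains; the field names, host list and user list are assumptions, and in practice the lists would be fed from AD group membership.

```python
"""Flag PowerShell launches outside the set of hosts and accounts expected to use it.

Added example; not the client's actual rule. The records are constructed JSON
lines modelled on process-creation events (Windows Security 4688 / Sysmon
event 1); the field names, host list and user list are assumptions.
"""
import json
import ntpath

# Workstations of the IT staff and developers who run PowerShell as part of their job.
IT_HOSTS = {"IT-WS01", "IT-WS02", "IT-WS03", "DEV-WS10"}
# Accounts allowed to run PowerShell anywhere, e.g. when supporting another desk.
ALLOWED_USERS = {r"CORP\itadmin1", r"CORP\dev_anna"}
# Image basenames that count as PowerShell (compared case-insensitively).
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}

# Constructed events. The first one is what a service-path hijack produces:
# PowerShell spawned under SYSTEM from services.exe on a finance workstation.
SAMPLE_LOG = r"""
{"ts": "2019-04-02T12:41:03Z", "host": "FIN-WS07", "user": "NT AUTHORITY\\SYSTEM", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent": "C:\\Windows\\System32\\services.exe"}
{"ts": "2019-04-02T12:41:10Z", "host": "IT-WS03", "user": "CORP\\itadmin1", "image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe", "parent": "C:\\Windows\\explorer.exe"}
{"ts": "2019-04-02T12:42:55Z", "host": "FIN-WS07", "user": "CORP\\pdavis", "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "parent": "C:\\Windows\\explorer.exe"}
{"ts": "2019-04-02T12:43:12Z", "host": "FIN-WS09", "user": "CORP\\mlee", "image": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\POWERSHELL.EXE", "parent": "C:\\Windows\\System32\\cmd.exe"}
{"ts": "2019-04-02T12:44:30Z", "host": "FIN-WS09", "user": "CORP\\itadmin1", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent": "C:\\Windows\\explorer.exe"}
"""


def parse_events(text):
    """Yield one dict per non-empty JSON line; lines that do not parse are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def is_powershell(image):
    """True if the image basename is one of the PowerShell hosts, whatever the path or case."""
    return ntpath.basename(image).lower() in POWERSHELL_IMAGES


def powershell_anomalies(text, it_hosts=IT_HOSTS, allowed_users=ALLOWED_USERS):
    """Return (ts, host, user, parent) for PowerShell launches on a non-IT host by a non-allowed user."""
    hosts = {h.upper() for h in it_hosts}
    allowed = {u.lower() for u in allowed_users}
    alerts = []
    for ev in parse_events(text):
        if not is_powershell(ev.get("image", "")):
            continue
        if ev.get("host", "").upper() in hosts or ev.get("user", "").lower() in allowed:
            continue
        alerts.append((ev["ts"], ev["host"], ev["user"], ev["parent"]))
    return alerts


if __name__ == "__main__":
    for ts, host, user, parent in powershell_anomalies(SAMPLE_LOG):
        print(f"{ts} ALERT PowerShell on {host} as {user} (parent {parent})")
```

On the constructed input the rule fires twice: for the SYSTEM-context launch from services.exe on FIN-WS07 (the hijacked service starting the payload) and for mlee's PowerShell from cmd.exe on FIN-WS09. The IT admin running pwsh on an IT workstation, and the same admin running PowerShell on a finance desk while supporting it, both pass. The rule needs no signatures and no knowledge of the loader; it only needs to know who normally runs PowerShell, which is why the post calls it simple and reliable.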
Conclusions
Blue Team
The Least Privilege model
Multi-factor authentication
Simple rules for detecting anomalies
Defense in depth
Red Team
Keep trying
Don't assume
Ask for help
Luck favors the prepared
Adapt and overcome