Thursday, July 21, 2016

Overview of Black-Box Penetration Testing



Introduction:
In a black-box penetration test the ethical hacker starts with no knowledge of the target network. The idea is to simulate the attack a real adversary would undertake: find a weakness on the perimeter, breach it, then explore the internal network and identify further vulnerabilities that lead to the critical assets of the organization.

Objective:
In this article we assume the role of an ethical hacker who has zero knowledge about the target network. The objective is to breach the target network, own the entire domain and compromise the critical assets of the target. So let's get started.

Limitations:
Before beginning the assessment it was agreed that we would have zero information about the target network and would only be given physical access to the guest area of the target's premises.

Attack Narrative:
We began by assessing the network connections available to us. There were no hard-wired ports in the guest area, so we shifted our attention to the wireless networks.
For the wireless reconnaissance we used the aircrack-ng suite of tools in the Kali Linux distribution together with an Alfa USB wireless adapter. We set up the environment and listed the wireless networks in range.
The wireless enumeration revealed a hidden SSID, "Corporate WLAN", reachable from the guest area. The SSID uses WPA2-PSK. Hiding the SSID is no protection (the name is visible in the probe and association frames of any connected client), and with a pre-shared key the four-way handshake can be captured and the passphrase recovered offline by a dictionary or brute-force attack, which would give us access to the corporate network.
We captured the handshake of the "Corporate WLAN" SSID successfully (de-authenticating a connected client forces it to re-associate and send the handshake again).
We then cracked the handshake and obtained the passphrase for the "Corporate WLAN" SSID.


Now we had access to the target's internal corporate network; we proceeded to enumerate it further and look for a foothold.
To identify the potential attack surface we examined the IP addressing, the domain and the mail servers of the target network. DHCP was running, so we already had an IP address. A simple "nslookup" query revealed the name server of the target domain, which was useful for further enumeration.
We then performed basic network-discovery scanning and enumeration on the name server's network range (i.e. *.*.40.1-254). For this we used the netscan tool. netscan is a very helpful tool for network reconnaissance: it has a simple interface, checks for common open ports, supports credentialed login and presents the results in a user-friendly format.


We could see multiple target systems within this range: web servers, databases, application servers and so on. Most of them also had the RDP port (3389) open, which would be very helpful for remoting into the systems should we manage to break any of them.
At the same time it was important to note the IP addresses of any potential high-value targets for use in the post-exploitation phase.
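The sweep described above, as an added example that is not part of the original post and not the netscan tool itself: a concurrent TCP connect scan over a host range and a short port list, with a helper that pulls out the hosts exposing a given port (3389 in the post's case). The prefix 10.0.40 is a hypothetical stand-in for the masked *.*.40 range; the demo scans a local listener so it can run offline.

```python
# Added example (not from the original post): a minimal stand-in for the
# netscan sweep. The /24 prefix is hypothetical; the demo targets 127.0.0.1.
import socket
from concurrent.futures import ThreadPoolExecutor

# Ports a first sweep of a Windows-heavy network typically checks (names for reporting only)
COMMON_PORTS = {21: "ftp", 22: "ssh", 80: "http", 135: "msrpc", 139: "netbios-ssn",
                443: "https", 445: "smb", 1433: "mssql", 3306: "mysql", 3389: "rdp", 5985: "winrm"}


def hosts_in_range(prefix: str, first: int = 1, last: int = 254):
    """Expand a /24 such as "10.0.40" (hypothetical) into individual host addresses."""
    return [f"{prefix}.{i}" for i in range(first, last + 1)]


def probe(host: str, port: int, timeout: float = 0.5) -> bool:
    """TCP connect scan of one port: open if the three-way handshake completes."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:              # refused, timed out or unreachable
            return False


def scan(hosts, ports, timeout: float = 0.5, workers: int = 64):
    """Sweep hosts x ports concurrently; returns {host: [open ports]} for hosts with anything open."""
    results = {}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        futures = {pool.submit(probe, h, p, timeout): (h, p) for h in hosts for p in ports}
        for fut, (h, p) in futures.items():
            if fut.result():
                results.setdefault(h, []).append(p)
    return {h: sorted(p) for h, p in results.items()}


def hosts_with(results, port: int):
    """Hosts exposing a given port, e.g. hosts_with(results, 3389) lists the RDP targets."""
    return sorted(h for h, ports in results.items() if port in ports)


def demo():
    """Constructed run: a local listener stands in for a live host, a closed port for a dead one."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                    # nothing listens here any more
    try:
        results = scan(["127.0.0.1"], [open_port, closed_port])
    finally:
        listener.close()
    return open_port, closed_port, results


def check_demo() -> bool:
    """True when exactly the listening port is reported open and the closed one is not."""
    open_port, closed_port, results = demo()
    return results == {"127.0.0.1": [open_port]} and closed_port not in results.get("127.0.0.1", [])


if __name__ == "__main__":
    open_port, closed_port, results = demo()
    print(f"open {open_port} reported: {results}; closed {closed_port} absent")
    print("hosts with that port:", hosts_with(results, open_port))
```

A connect scan completes the handshake on every open port, so it is noisy and shows up in host logs and on the target's IDS; on a real engagement that is acceptable only if the client has agreed to it.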

Vulnerability Assessment:
Now, with so many targets in hand, it was important to analyze carefully which were the weaker ones and attack those first.
At this stage we started a vulnerability assessment of these systems to find vulnerabilities that could be exploited, using well-known scanners such as Nessus and OpenVAS. During the assessment we also noticed that many of the systems were running outdated third-party software and operating systems, which makes them easy victims of targeted attacks. The process can be time consuming because many of the findings an automated scanner reports are false positives, so it is imperative to verify each candidate vulnerability before trying to break into a system.

The vulnerability assessment revealed a lot of potential vulnerabilities, one of them being MS09-050. We went ahead and tried to exploit it.

Exploitation:
We used the well-known Windows exploit for MS09-050 ("Vulnerabilities in SMBv2 Could Allow Remote Code Execution", CVE-2009-3103) available at https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/14674.zip. The machine was apparently running a legacy application and had therefore been left unpatched in the environment.
After multiple attempts we managed to exploit the vulnerability successfully and got a command shell with local administrator privileges. Note that this bug is in the srv2.sys kernel driver, so a failed attempt can crash the target; the risk of repeated attempts against a production system should be agreed with the client beforehand.

To ensure persistent access to the exploited system we created a backdoor user and added it to the local Administrators group. (Any such account must be recorded and removed at the end of the engagement.)
We could now log in to the exploited system with our backdoor user and enumerate it further.

Post-Exploitation:
Now that we had broken into a domain-joined system and added a backdoor user, we moved on to post-exploitation of that system. Our aim was to obtain the local administrator password of this system and then check whether it let us log in to other domain systems.
Mimikatz is a well-known tool that can dump clear-text passwords from LSASS memory (on older Windows versions WDigest keeps the logon password in memory by default). However, the target system ran an anti-virus product that blocked Mimikatz, and the anti-virus was password protected, so we could neither disable it nor whitelist Mimikatz.
So we decided to use a Meterpreter shell to dump the password hashes instead. We generated a Meterpreter payload, started a handler on our attacking system, hosted the payload on the attacking system's web server and fetched it from the browser of the exploited system.
This gave us a Meterpreter session on the exploited system, from which we dumped the local account (NT) hashes.
We then cracked the administrator's hash successfully.


Escalating our Privileges:
Now we had the local administrator credentials of a domain system. The next step was to see how many other systems we could access with them. Again we used netscan, this time with its credentialed login, to authenticate to each host with the local administrator credentials and list the logged-on users.
As we could see, numerous other systems on the domain used the same local administrator username and password. This effectively meant we had compromised multiple systems in the domain at once.
We then logged in to these systems with the local administrator credentials and dumped clear-text passwords from them with Mimikatz; the local administrator password also let us unlock the anti-virus and disable it for the time being. The screenshot below shows the output of the Mimikatz command. In this way we collected domain user credentials from every affected system.


Escalation to Domain Administrator:
Our final step was to escalate the privileges of our backdoor user to Domain Administrator and own the entire domain.
In the previous step we had dumped numerous domain user credentials from different systems, and one of them turned out to belong to a Domain Administrator. We logged in to the domain controller with that credential, added our backdoor user to the domain and then escalated its privileges by making it a member of the Domain Admins group.
We confirmed that the backdoor user was a Domain Administrator by opening Active Directory Users and Computers and viewing its group memberships.


Accessing High-Value Targets:
Now that we were Domain Administrator, we went on to access high-value targets on the network to expose the gravity of the attack. From the information-gathering phase we had identified the mail servers of the target network; they ran Microsoft Exchange 2013, which means the Exchange Admin Center was accessible at the following link:
http://webmailip/ecp
We logged in to the Exchange Admin Center with the Domain Administrator credentials. From there we could add ourselves as a delegate on any user's mailbox (Full Access permission) and gain complete access to it, which means we could read the mail of every top-level executive of the target organization.


Conclusion:
In this article we have looked at a complete penetration-test cycle: starting with zero knowledge of the organization we breached the corporate wireless network, compromised a domain system, dumped and cracked the local administrator hash, reused that password to compromise multiple systems and finally took the domain controller. To maintain access we created a backdoor user and made it a Domain Administrator, and to prove the seriousness of the attack we took complete control of user mailboxes. Every step relied on a well-known weakness: a guessable WPA2 passphrase reachable from the guest area, an unpatched 2009 SMB vulnerability, one local administrator password shared across hosts, and Domain Administrator credentials left in memory on ordinary member servers.
