In this presentation, we discuss the tricky scenarios we faced during internal penetration test engagements and the tool we developed to solve them. We want to fill the gap between cracking a normal user's password hash obtained through NetBIOS/LLMNR/WPAD attacks and compromising the entire Domain, and to address a few other problems we as penetration testers face. Even obtaining Domain Admin access does not mean we have access to every host, share, or database on the network. Some workstations and servers are only members of a workgroup. Some file shares are restricted to specific groups or users in Active Directory. These shares might contain cardholder data, router configuration backups, or Personally Identifiable Information (PII) that is restricted to certain users or groups and out of reach even for Domain Administrators. How do we get there? It would be easy for an attacker if every host in the network were a member of the same Domain and the Domain Admins group had access to every file share. In complex organizations, however, this is often not the case. The tricky part for an attacker is finding the right account to gain access and getting in and out of the environment fast. The tool finds credentials in SYSVOL and dumps hashes and passwords; it also enables RDP, lists which accounts have previously logged into the host, finds documents containing passwords, lists installed programs, and dumps stored credentials from wireless profiles, WinVNC, UltraVNC, PuTTY, SNMP, Windows AutoLogon, Firefox, KeePass databases (which it also locates), FileZilla sitemanager.xml, Apache httpd.conf, Unattend.xml, sysprep.xml and sysprep.inf, as well as extracting credentials, PII and credit card track data from memory. At the end of the presentation, we will release a new tool that allows attackers to carry out these attacks in an automated fashion with minimal effort and maximum compromise.
Keith Lee is a Senior Security Consultant with Trustwave SpiderLabs Asia-Pacific. Keith is based in Singapore.
Michael Gianarakis is the Director of Trustwave SpiderLabs' Asia-Pacific practice, where he oversees the delivery of technical security services in the region. Michael has presented at various industry events and meetups, including Black Hat Asia, Rootcon, and Hack in the Box. Michael is also actively involved in the local security community in Australia, where he is one of the organizers of the monthly SecTalks meetup.