You are on page 1of 36

enetrat|on 1est keport

MegaCorp Cne
AugusL 10
Lh
, 2013




Cffens|ve Secur|ty Serv|ces, LLC
19706 Cne norman 8lvd.
SulLe 8 #233
Cornellus, nC 28031
unlLed SLaLes of Amerlca
1el: 1-402-608-1337
lax: 1-704-623-3787
Lmall: lnfo[offsec.com
Web: hLLp://www.offenslve-securlLy.com
LNL1kA1ICN 1LS1 kLCk1 - MLGACCk CNL
18-20130313 CopyrlghL 2013 Cffenslve SecurlLy Servlces LLC. All rlghLs reserved. age l
!"#$% '( )'*+%*+,
Lxecut|ve Summary 1
!"##$%& () *+,"-., /
Attack Narrat|ve 3
*+#(.+ !&,.+# 01,2(3+%& 4
56#17 8+9,+%3+% :7.+%)$2+ ;(#<%(#1,+ =
:7.+%$2.13+ !>+-- .( 56#17 !+%3+% ?
56#171,.%$.13+ @%131-+A+ B,2$-$.1(7 C/
D$3$ ;-1+7. 5..$2E, C4
B,2$-$.1(7 .( F(2$- 56#171,.%$.(% CG
0++< @$2E+. :7,<+2.1(7 H&<$,, C=
;1.%1I B731%(7#+7. ;(#<%(#1,+ /J
B,2$-$.1(7 .( 0(#$17 56#171,.%$.(% /K
Conc|us|on 28
*+2(##+76$.1(7, /?
*1,E *$.17A 4J
Append|x A: Vu|nerab|||ty Deta|| and M|t|gat|on 31
*1,E *$.17A !2$-+ 4C
0+)$"-. (% 8+$E ;%+6+7.1$-, 4C
@$,,L(%6 *+",+ 4/
!>$%+6 F(2$- 56#171,.%$.(% @$,,L(%6 4/
@$.2> M$7$A+#+7. 44
0N! O(7+ P%$7,)+% 44
0+)$"-. 5<$2>+ Q1-+, 44
Append|x 8: About Cffens|ve Secur|ty 34

LNL1kA1ICN 1LS1 kLCk1 - MLGACCk CNL
18-20130313 CopyrlghL 2013 Cffenslve SecurlLy Servlces LLC. All rlghLs reserved. age 1 of 34
-.%/0+12% 3044"56
Cffenslve SecurlLy was conLracLed by MegaCorp Cne Lo conducL a peneLraLlon LesL ln order Lo
deLermlne lLs exposure Lo a LargeLed aLLack. All acLlvlLles were conducLed ln a manner LhaL slmulaLed a
mallclous acLor engaged ln a LargeLed aLLack agalnsL MegaCorp Cne wlLh Lhe goals of:
o ldenLlfylng lf a remoLe aLLacker could peneLraLe MegaCorp Cne's defenses
o ueLermlnlng Lhe lmpacL of a securlLy breach on:
o ConfldenLlallLy of Lhe company's prlvaLe daLa
o lnLernal lnfrasLrucLure and avallablllLy of MegaCorp Cne's lnformaLlon sysLems
LfforLs were placed on Lhe ldenLlflcaLlon and explolLaLlon of securlLy weaknesses LhaL could allow a
remoLe aLLacker Lo galn unauLhorlzed access Lo organlzaLlonal daLa. 1he aLLacks were conducLed wlLh
Lhe level of access LhaL a general lnLerneL user would have. 1he assessmenL was conducLed ln
accordance wlLh Lhe recommendaLlons ouLllned ln nlS1 S 800-113
1
wlLh all LesLs and acLlons belng
conducLed under conLrolled condlLlons.


1
hLLp://csrc.nlsL.gov/publlcaLlons/nlsLpubs/800-113/S800-113.pdf
LNL1kA1ICN 1LS1 kLCk1 - MLGACCk CNL
18-20130313 CopyrlghL 2013 Cffenslve SecurlLy Servlces LLC. All rlghLs reserved. age 2 of 34
3044"56 '( 7%,0$+,
lnlLlal reconnalssance of Lhe MegaCorp Cne neLwork resulLed ln Lhe dlscovery of a mlsconflgured unS
server LhaL allowed a unS zone Lransfer. 1he resulLs provlded us wlLh a llsLlng of speclflc hosLs Lo LargeL
for Lhls assessmenL. An examlnaLlon of Lhese hosLs revealed a password-proLecLed admlnlsLraLlve
webserver lnLerface. AfLer creaLlng a cusLom wordllsL uslng Lerms ldenLlfled on Lhe MegaCorp Cne's
webslLe we were able Lo galn access Lo Lhls lnLerface by uncoverlng Lhe password vla bruLe-force.
An examlnaLlon of Lhe admlnlsLraLlve lnLerface revealed LhaL lL was vulnerable Lo a remoLe code
ln[ecLlon vulnerablllLy, whlch was used Lo obLaln lnLeracLlve access Lo Lhe underlylng operaLlng sysLem.
1hls lnlLlal compromlse was escalaLed Lo admlnlsLraLlve access due Lo a lack of approprlaLe sysLem
updaLes on Lhe webserver. AfLer a closer examlnaLlon, we dlscovered LhaL Lhe compromlsed webserver
uLlllzes a !ava appleL for admlnlsLraLlve users. We added a mallclous payload Lo Lhls appleL, whlch gave
us lnLeracLlve access Lo worksLaLlons used by MegaCorp Cne's admlnlsLraLors.
uslng Lhe compromlsed webserver as a plvoL polnL along wlLh passwords recovered from lL, we were
able Lo LargeL prevlously lnaccesslble lnLernal resources. 1hls resulLed ln Local AdmlnlsLraLor access Lo
numerous lnLernal Wlndows hosLs, compleLe compromlse of a ClLrlx server, and full admlnlsLraLlve
conLrol of Lhe Wlndows AcLlve ulrecLory lnfrasLrucLure. LxlsLlng neLwork Lrafflc conLrols were bypassed
Lhrough encapsulaLlon of mallclous Lrafflc lnLo allowed proLocols.


LNL1kA1ICN 1LS1 kLCk1 - MLGACCk CNL
18-20130313 CopyrlghL 2013 Cffenslve SecurlLy Servlces LLC. All rlghLs reserved. age 3 of 34
8++"/9 :"55"+12%
7%4'+% 36,+%4 ;1,/'2%56
lor Lhe purposes of Lhls assessmenL, MegaCorp Cne provlded mlnlmal lnformaLlon ouLslde of Lhe
organlzaLlonal domaln name: megacorpone.com. 1he lnLenL was Lo closely slmulaLe an adversary
wlLhouL any lnLernal lnformaLlon. 1o avold LargeLlng sysLems LhaL were noL owned by MegaCorp Cne, all
ldenLlfled asseLs were submlLLed for ownershlp verlflcaLlon before any aLLacks were conducLed.
ln an aLLempL Lo ldenLlfy Lhe poLenLlal aLLack surface, we examlned Lhe name servers of Lhe
megacorpone.com domaln name (llgure 1).

I|gure 1 - Informat|on gather|ng for megacorpone.com revea|s three act|ve name servers.
WlLh Lhe name servers ldenLlfled, we aLLempLed Lo conducL a zone Lransfer. We found LhaL
ns2.megacorpone.com was vulnerable Lo a full unS zone Lransfer mlsconflguraLlon. 1hls provlded us
wlLh a llsLlng of hosLnames and assoclaLed l addresses, whlch could be used Lo furLher LargeL Lhe
organlzaLlon. (llgure 2) Zone Lransfers can provlde aLLackers wlLh deLalled lnformaLlon abouL Lhe
capablllLles of Lhe organlzaLlon. lL can also leak lnformaLlon abouL Lhe neLwork ranges owned by Lhe
organlzaLlon. lease see Appendlx A for more lnformaLlon.

LNL1kA1ICN 1LS1 kLCk1 - MLGACCk CNL
18-20130313 CopyrlghL 2013 Cffenslve SecurlLy Servlces LLC. All rlghLs reserved. age 4 of 34

I|gure 2 - A m|sconf|gured name server a||ows a fu|| and unrestr|cted DNS zone transfer.
1he llsL of ldenLlfled hosLs was submlLLed Lo MegaCorp Cne for verlflcaLlon, whlch verlfled LhaL Lhe
enLlre 30.7.67.x neLwork range should be lncluded ln Lhe assessmenL scope. 1hese sysLems were Lhen
scanned Lo enumeraLe any runnlng servlces. All ldenLlfled servlces were examlned ln deLall Lo deLermlne
Lhelr poLenLlal exposure Lo a LargeLed aLLack.


LNL1kA1ICN 1LS1 kLCk1 - MLGACCk CNL
18-20130313 CopyrlghL 2013 Cffenslve SecurlLy Servlces LLC. All rlghLs reserved. age 3 of 34
1hrough a comblnaLlon of unS enumeraLlon Lechnlques and neLwork scannlng, we were able Lo bulld a
composlLe LhaL we feel reflecLs MegaCorp Cne's neLwork.
1he LargeL neLwork ls shown below ln llgure 3. AddlLlonal deLalls regardlng conLrols such as deep packeL
lnspecLlon were dlscovered laLer ln Lhe assessmenL buL are lncluded here for compleLeness.

I|gure 3 - 1arget Network

LNL1kA1ICN 1LS1 kLCk1 - MLGACCk CNL
18-20130313 CopyrlghL 2013 Cffenslve SecurlLy Servlces LLC. All rlghLs reserved. age 6 of 34
8<41* =%#,%52%5 >*+%5("/% )'4?5'41,%
1he adm|n.megacorpone.com webserver was found Lo be runnlng an Apache webserver on porL 81.
Accesslng Lhe rooL u8L of Lhls slLe resulLed ln Lhe dlsplay of a blank page. We nexL conducLed a qulck
enumeraLlon scan of Lhe sysLem looklng for common dlrecLorles and flles (llgure 4).

I|gure 4 - Lnumerat|on of the adm|n.megacorpone.com host part|a||y d|sc|oses the webserver's fo|der structure.
1he scan resulLs revealed LhaL along wlLh common Apache defaulL flles (lease see Appendlx A for more
lnformaLlon), we ldenLlfled an ]adm|n" dlrecLory LhaL was only accesslble afLer auLhenLlcaLlon. (llgure
3).

I|gure S - Access to the "adm|n" fo|der |s password-protected.

LNL1kA1ICN 1LS1 kLCk1 - MLGACCk CNL
18-20130313 CopyrlghL 2013 Cffenslve SecurlLy Servlces LLC. All rlghLs reserved. age 7 of 34
1o prepare a LargeLed bruLe-force aLLempL agalnsL Lhls sysLem, we complled a cusLom dlcLlonary flle
based on Lhe conLenL of Lhe www.megacorpone.com webslLe. 1he lnlLlal dlcLlonary conslsLed of 331
cusLom words, whlch were Lhen puL Lhrough several rounds of permuLaLlons and subsLlLuLlons Lo
produce a flnal dlcLlonary flle of 16,201 words. 1hls dlcLlonary flle was used along wlLh Lhe username
adm|n" agalnsL Lhe proLecLed secLlon of Lhe slLe.

I|gure 6 - Us|ng a custom word d|ct|onary |t |s poss|b|e to d|scover the adm|n|strat|ve password for the "adm|n" fo|der.
1hls bruLe-force aLLack uncovered a password of nanoLechnology1" for Lhe admln user. We were able
Lo leverage Lhese credenLlals Lo successfully galn unauLhorlzed access Lo Lhe proLecLed porLlon of Lhe
webslLe (llgure 6). lease see Appendlx A for more lnformaLlon on Lhe explolLed vulnerablllLy.
1he admlnlsLraLlve porLlon of Lhe webslLe conLalned Lhe SCLlLe Manager web lnLerface (llgure 7), whlch
was accesslble wlLhouL any addlLlonal credenLlals. uLlllzlng Lhls lnLerface, we found whaL appeared Lo be
Lhe daLabase LhaL supporLed an lnsLance of phpSL|teCMS
2
.

I|gure 7 - An |nstance of SL|te Manager |s found to be runn|ng on the comprom|sed webserver.

2
hLLp://phpsqllLecms.neL/
LNL1kA1ICN 1LS1 kLCk1 - MLGACCk CNL
18-20130313 CopyrlghL 2013 Cffenslve SecurlLy Servlces LLC. All rlghLs reserved. age 8 of 34
1he lnLerface gave us dlrecL access Lo Lhe daLa and Lhe ablllLy Lo exLracL a llsL of users on Lhe sysLem wlLh
Lhe assoclaLed password hash values (llgure 8).

I|gure 8 - Lack of add|t|ona| access contro|s a||ows an attacker to retr|eve usernames and password hashes from the
"userdata" database.
AfLer examlnaLlon of Lhe values, we found LhaL Lhe hashes dld noL conform Lo any sLandard formaL.
uslng a copy of Lhe phpse||tecms" sofLware, we examlned Lhe source code Lo deLermlne exacLly how
Lhls value ls produced. 1hrough Lhls process we were able Lo ldenLlfy Lhe funcLlon responslble for
hashlng of Lhe accounL passwords.

I|gure 9 - Source code rev|ew |eads to the d|scovery of the password hash generat|on a|gor|thm.
WlLh Lhe newly-acqulred knowledge of Lhe password hashlng formaL and Lhe use of a randomly
generaLed 10 characLer salL value, we were able Lo easlly converL Lhe recovered hashes lnLo Lhelr salLed
SPA1 equlvalenL and conducL a bruLe-force aLLack.
1hls efforL resulLed ln Lhe recovery of Lwo plalnLexL passwords. AlLhough Lhese values were noL
lmmedlaLely useful, Lhey were reLalned ln hope LhaL Lhey may have been re-used on oLher sysLems
wlLhln Lhe organlzaLlon.
LNL1kA1ICN 1LS1 kLCk1 - MLGACCk CNL
18-20130313 CopyrlghL 2013 Cffenslve SecurlLy Servlces LLC. All rlghLs reserved. age 9 of 34
>*+%5"/+12% 3@%$$ +' 8<41* 3%52%5
1he prevlously dlscovered SCLlLe Manager sofLware was found Lo be vulnerable Lo a well-known code
ln[ecLlon vulnerablllLy
3
. Successful explolLaLlon of Lhls vulnerablllLy resulLs ln shell access Lo Lhe
underlylng sysLem ln Lhe conLexL of Lhe webserver user. uslng a modlfled publlc explolL, we were able Lo
obLaln llmlLed lnLeracLlve access Lo Lhe adm|n.megacorpone.com webserver. lease see Appendlx A for
more lnformaLlon.

I|gure 10 - A pub||c|y ava||ab|e SL|te exp|o|t |s used to ga|n unauthor|zed access on the
adm|n.megacorpone.com host.


3
hLLp://www.explolL-db.com/explolLs/24320/
LNL1kA1ICN 1LS1 kLCk1 - MLGACCk CNL
18-20130313 CopyrlghL 2013 Cffenslve SecurlLy Servlces LLC. All rlghLs reserved. age 10 of 34

I|gure 11 - Contro| of the vu|nerab|e server |s ||m|ted to the context of the www-data user.
1he publlc verslon of Lhe explolL LargeLs a sllghLly dlfferenL verslon of Lhe SCLlLe Manager Lhan Lhe one
deployed by MegaCorp Cne. AlLhough Lhe deployed verslon of Lhe sofLware ls vulnerable Lo Lhe same
underlylng lssues, Lhe explolL does noL successfully run wlLhouL modlflcaLlon. We were able Lo exLend
Lhe orlglnal explolL Lo supporL P11 auLhenLlcaLlon and cusLomlze lL for Lhe updaLed verslon. A copy of
Lhls updaLed explolL wlll be provlded separaLely from Lhls reporL.
1he exLenL of compromlse aL Lhls polnL can be besL vlsuallzed ln llgure 12.
LNL1kA1ICN 1LS1 kLCk1 - MLGACCk CNL
18-20130313 CopyrlghL 2013 Cffenslve SecurlLy Servlces LLC. All rlghLs reserved. age 11 of 34

I|gure 12 - Web Server Comprom|se
LNL1kA1ICN 1LS1 kLCk1 - MLGACCk CNL
18-20130313 CopyrlghL 2013 Cffenslve SecurlLy Servlces LLC. All rlghLs reserved. age 12 of 34
8<41*1,+5"+12% A5121$%B% -,/"$"+1'*
WlLh lnLeracLlve access Lo Lhe underlylng operaLlng sysLem of Lhe admlnlsLraLlve webserver obLalned,
we conLlnued wlLh Lhe examlnaLlon of Lhe sysLem searchlng for ways Lo escalaLe prlvlleges Lo Lhe
admlnlsLraLlve level. We found LhaL Lhe sysLem was vulnerable Lo a local prlvllege escalaLlon explolL
4
,
whlch we were able Lo uLlllze successfully. lease see Appendlx A for more lnformaLlon.

I|gure 13 - A |oca| pr|v||ege esca|at|on exp|o|t |s used to take advantage of an
unpatched host and ga|n root-|eve| access.
1he use of Lhls explolL was parLlally made posslble due Lo Lhe lncluslon of developer Lools on Lhe
vulnerable sysLem. lf Lhese Lools were noL presenL on Lhe sysLem, lL would have sLlll been posslble Lo
successfully explolL, alLhough Lhe dlfflculLy ln dolng so would have been lncreased.
ln lLs currenL conflguraLlon, Lhe webserver represenLs an lnLernal aLLack plaLform for a mallclous parLy.
WlLh Lhe ablllLy Lo galn full admlnlsLraLlve access, a mallclous parLy could uLlllze Lhls vulnerable sysLem
for a mulLlLude of purposes, ranglng from aLLacks agalnsL MegaCorp Cne lLself, Lo aLLacks agalnsL lLs
cusLomers. lL's hlghly llkely LhaL Lhe aLLackers would leverage Lhls sysLem for boLh purposes.

4
hLLp://www.explolL-db.com/explolLs/18411/
LNL1kA1ICN 1LS1 kLCk1 - MLGACCk CNL
18-20130313 CopyrlghL 2013 Cffenslve SecurlLy Servlces LLC. All rlghLs reserved. age 13 of 34
C"2" )$1%*+ 8++"/9,
uslng Lhe admlnlsLraLlve access Lo Lhe sysLem, we conducLed an analysls of Lhe explolLed sysLem. 1hls
resulLed ln Lhe dlscovery of a prlvaLe secLlon of Lhe webslLe LhaL serves a !ava appleL only Lo speclflc
worksLaLlons. 1hls neLwork range ln quesLlon was laLer dlscovered Lo be Lhe managemenL neLwork for
MegaCorp Cne.

I|gure 14 - ntaccess ru|es revea| an add|t|ona| subnet on the comprom|sed network.
1hrough examlnaLlon of Lhe log flles and Lhe !ava appleL presenL on Lhe sysLem, we found LhaL Lhe
appleL provlded admlnlsLraLlve funcLlonallLy Lo a subseL of lnLernal users of MegaCorp Cne. 1hls was
advanLageous Lo us as aLLackers, as lL provlded us wlLh a poLenLlal paLh Lo lnLernal sysLems LhaL
oLherwlse were noL easlly accesslble.
upon obLalnlng permlsslon from MegaCorp Cne, we added an addlLlonal appleL Lo be downloaded by
cllenLs. 1he Lheory of Lhls aLLack was LhaL cllenLs would access Lhe LrusLed appleL, allow lL Lo run, and
provlde us wlLh dlrecL access Lo addlLlonal cllenL hosLs. 1hls ls a derlvaLlve of a common soclal
englneerlng aLLack ln whlch Lhe vlcLlm ls manlpulaLed lnLo runnlng a mallclous appleL. ln Lhls case
however, no efforL was requlred Lo mlslead Lhe vlcLlm as Lhe appleL ls already regarded as LrusLed.
1hls aLLack worked as lnLended, provldlng us wlLh access Lo an addlLlonal cllenL sysLem.


LNL1kA1ICN 1LS1 kLCk1 - MLGACCk CNL
18-20130313 CopyrlghL 2013 Cffenslve SecurlLy Servlces LLC. All rlghLs reserved. age 14 of 34

I|gure 1S - Us|ng a ma||c|ous [ava app|et |t |s poss|b|e to exp|o|t a host on the management
subnet.
WlLh Lhls compromlse ln place, we obLalned access Lo sysLems ln Lhe managemenL neLwork as lndlcaLed
ln llgure 16.

I|gure 16 - Successfu| [ava app|et attack comprom|ses the MegaCorp Cne management subnet.
LNL1kA1ICN 1LS1 kLCk1 - MLGACCk CNL
18-20130313 CopyrlghL 2013 Cffenslve SecurlLy Servlces LLC. All rlghLs reserved. age 13 of 34
-,/"$"+1'* +' D'/"$ 8<41*1,+5"+'5
1he access provlded by Lhe !ava appleL aLLack was llmlLed Lo Lhe level of a sLandard user. 1o maxlmlze
Lhe lmpacL of Lhe compromlse we wanLed Lo escalaLe access Lo Lhe level of uomaln AdmlnlsLraLor. As
Lhe flrsL sLep, we needed Lo obLaln local admlnlsLraLlve access. ln an efforL Lo accompllsh Lhls, we
examlned Lhe compromlsed sysLem Lo ldenLlfy how lL could be leveraged.
uslng Lhls approach we found a Croup ollcy references flle on Lhe sysLem LhaL allowed us Lo decrypL
Lhe local admlnlsLraLlve password
36
. lease see Appendlx A for more lnformaLlon.

I|gure 17 - Us|ng the new|y ga|ned access |t |s poss|b|e to retr|eve the Groups.xm| f||e from a doma|n contro||er.

3
hLLp://msdn.mlcrosofL.com/en-us/llbrary/cc422924.aspx

6
hLLp://blogs.LechneL.com/b/grouppollcy/archlve/2009/04/22/passwords-ln-group-pollcy-preferences-
updaLed.aspx
LNL1kA1ICN 1LS1 kLCk1 - MLGACCk CNL
18-20130313 CopyrlghL 2013 Cffenslve SecurlLy Servlces LLC. All rlghLs reserved. age 16 of 34

I|gure 18 - Lncrypted |oca| adm|n|strator password |s found |n the Groups.xm| f||e.


I|gure 19 - Us|ng the encrypt|on key pub||shed by M|crosoft, the encrypted password |s eas||y decrypted.
uslng Lhe recovered plalnLexL password, we were able Lo galn local admlnlsLraLlve access Lo Lhe
compromlsed cllenL.
;%%? A"/9%+ >*,?%/+1'* E6?",,
Whlle Lrylng Lo esLabllsh addlLlonal layers of access lnLo Lhe compromlsed sysLem, we encounLered
aggresslve egress fllLerlng. 1hls was flrsL encounLered whlle Lrylng Lo esLabllsh an encrypLed ouLbound
Lunnel for Lhe MlcrosofL 8emoLe ueskLop roLocol.

I|gure 20 - In|t|a| attempts to estab||sh an outbound tunne| for kD were b|ocked by the egress f||ter|ng systems.
AddlLlonally, we dlscovered neLwork proLocol enforcemenL as we aLLempLed Lo connecL Lo Lhe aLLacker
SSP server on porL 80. 1o bypass Lhls, we creaLed a Lunnel wlLhln Lhe exlsLlng meLerpreLer sesslon Lo
allow us Lo access Wlndows flle sharlng from Lhe aLLacker sysLem. 1hls was uLlllzed Lo run a wlndows
command shell on Lhe compromlsed hosL as Lhe local admlnlsLraLlve user. WlLhln Lhls shell, we execuLed
an addlLlonal meLerpreLer payload.
LNL1kA1ICN 1LS1 kLCk1 - MLGACCk CNL
18-20130313 CopyrlghL 2013 Cffenslve SecurlLy Servlces LLC. All rlghLs reserved. age 17 of 34

I|gure 21 - ort forward|ng through the |n|t|a| meterpreter sess|on |s estab||shed |n order to ach|eve d|rect access to the
comprom|sed management host.


I|gure 22 - New|y estab||shed connect|on |s used to ga|n an adm|n|strat|ve she|| on the comprom|sed management host.


I|gure 23 - Loca| Adm|n|strator access |s used to estab||sh a meterpreter she|| on host 10.7.0.22.
LNL1kA1ICN 1LS1 kLCk1 - MLGACCk CNL
18-20130313 CopyrlghL 2013 Cffenslve SecurlLy Servlces LLC. All rlghLs reserved. age 18 of 34
WlLh Lhe new meLerpreLer shell ln place, we Lhen uLlllzed P11-1unnel, an open source uLlllLy
7
, LhaL
encapsulaLes arblLrary Lrafflc wlLhln Lhe P11 payload. We used Lhe newly esLabllshed http tunne|" Lo
encapsulaLe a remoLe deskLop connecLlon beLween Lhe aLLacker and compromlsed cllenL. 1hls allowed
us Lo obLaln full graphlcal access Lo Lhe compromlsed cllenL sysLem. 1he remoLe deskLop sesslon was
esLabllshed uslng Lhe password for user m|ke", whlch was dlscovered Lo be re-used from Lhe
compromlsed SCLlLe Manager appllcaLlon. lease see Appendlx A for more lnformaLlon.

I|gure 24 - kemote Desktop access |s estab||shed by encapsu|at|ng the prev|ous|y f||tered protoco| through a http tunne|.
AL Lhls polnL, Lhe exLernal perlmeLer of Lhe MegaCorp Cne neLwork was fully compromlsed as shown ln
llgure 23. 1he vlrLual equlvalenL of console access Lo a compuLer wlLhln Lhe MegaCorp Cne's LrusLed
envlronmenL had been obLalned. lL should be noLed LhaL Lhe currenL access Lo Lhe Wlndows neLwork
was llmlLed Lo a non-prlvlleged domaln user accounL and a local admlnlsLraLor accounL.

7
hLLp://hLLp-Lunnel.sourceforge.neL/
LNL1kA1ICN 1LS1 kLCk1 - MLGACCk CNL
18-20130313 CopyrlghL 2013 Cffenslve SecurlLy Servlces LLC. All rlghLs reserved. age 19 of 34

I|gure 2S - Comprom|se of the MegaCorp Cne network has reached |nto the network management subnet.
LNL1kA1ICN 1LS1 kLCk1 - MLGACCk CNL
18-20130313 CopyrlghL 2013 Cffenslve SecurlLy Servlces LLC. All rlghLs reserved. age 20 of 34
)1+51. -*215'*4%*+ )'4?5'41,%
uslng remoLe deskLop access Lo Lhe lnLernal neLwork, we proceeded Lo explore Lhe neLwork ln search of
hlgh value LargeLs. Cne such LargeL appeared Lo be a ClLrlx server, whlch was seL as Lhe homepage on
Lhe compromlsed hosL. uslng Lhe same credenLlals LhaL were uLlllzed Lo esLabllsh Lhe remoLe deskLop
connecLlon, we were able Lo successfully logln Lo Lhls ClLrlx envlronmenL.

I|gure 26 - A C|tr|x server offer|ng on|y Internet Lxp|orer was d|scovered on the MegaCorp Cne network.
1hls ClLrlx envlronmenL exposed lnLerneL Lxplorer" as Lhe only avallable appllcaLlon. 1hls ls a commonly
uLlllzed meLhod by many organlzaLlons Lo llmlL access Lo Lhe underlylng operaLlng sysLem of Lhe ClLrlx
server. lL ls lmporLanL Lo noLe LhaL many meLhods exlsL Lo bypass Lhls conflguraLlon. ln Lhls case, we
uLlllzed Lhe Save" dlalog wlndow Lo creaLe a baLch flle LhaL would provlde us wlLh a owershell
lnLerface.
1hls ls posslble as Lhe Save" dlalog operaLes ln much Lhe same manner as a sLandard Wlndows
Lxplorer" flle managemenL wlndow.
LNL1kA1ICN 1LS1 kLCk1 - MLGACCk CNL
18-20130313 CopyrlghL 2013 Cffenslve SecurlLy Servlces LLC. All rlghLs reserved. age 21 of 34

I|gure 27 - Us|ng the Save d|a|og, |t |s poss|b|e to bypass the some restr|ct|ons |mposed by the C|tr|x
env|ronment.


I|gure 28 - A batch f||e |nvok|ng the owershe|| app||cat|on |s created on the C|tr|x server.
LNL1kA1ICN 1LS1 kLCk1 - MLGACCk CNL
18-20130313 CopyrlghL 2013 Cffenslve SecurlLy Servlces LLC. All rlghLs reserved. age 22 of 34

I|gure 29 - C|tr|x restr|ct|on |s bypassed resu|t|ng |n the execut|on of the owershe||.
1he ablllLy Lo use owershell was Lhen uLlllzed Lo download a mallclous payload, whlch would provlde us
wlLh a meLerpreLer sesslon Lo Lhe underlylng ClLrlx server.

I|gure 30 - owershe|| funct|ona||ty a||ows an end-user to retr|eve f||es from arb|trary sources, |nc|ud|ng remote |nternet
|ocat|ons.
1he ablllLy Lo uLlllze Lhe Save" dlalog Lo run arblLrary execuLable programs was comblned wlLh Lhe
prevlously dlscovered local admlnlsLraLor password allowlng us Lo execuLe programs ln Lhe conLexL of
Lhe local admlnlsLraLor. 1hls allowed us Lo galn full admlnlsLraLlve conLrol of Lhe ClLrlx sysLem. lease see
Appendlx A for more lnformaLlon.
LNL1kA1ICN 1LS1 kLCk1 - MLGACCk CNL
18-20130313 CopyrlghL 2013 Cffenslve SecurlLy Servlces LLC. All rlghLs reserved. age 23 of 34

I|gure 31 - assword re-use a||ows the attackers to execute a ma||c|ous executab|e w|th
adm|n|strat|ve pr|v||eges.


I|gure 32 - Comp|ete comprom|se of the C|tr|x server |s ach|eved.
LNL1kA1ICN 1LS1 kLCk1 - MLGACCk CNL
18-20130313 CopyrlghL 2013 Cffenslve SecurlLy Servlces LLC. All rlghLs reserved. age 24 of 34

I|gure 33 - An add|t|ona| host |n the network management subnet has been comprom|sed.
-,/"$"+1'* +' ;'4"1* 8<41*1,+5"+'5
WlLh Lhe ClLrlx server compromlsed, we made an aLLempL Lo capLure passwords from memory. A ClLrlx
server ls an ldeal candldaLe for Lhls aLLack vecLor, as lL Lyplcally operaLes for long perlods of Llme wlLhouL
rebooLs and servlces a large number of users.
1o capLure passwords from memory, we uLlllzed Lhe Wlndows CredenLlal LdlLor Lool
8
due Lo lLs ablllLy Lo
run on 64 blL sysLems wlLhouL causlng adverse effecLs.

8
hLLp://www.ampllasecurlLy.com/research/wcefaq.hLml
LNL1kA1ICN 1LS1 kLCk1 - MLGACCk CNL
18-20130313 CopyrlghL 2013 Cffenslve SecurlLy Servlces LLC. All rlghLs reserved. age 23 of 34

I|gure 34 - W|ndows Credent|a|s Ld|tor |s used to retr|eve p|a|ntext passwords from the C|tr|x server.

1hls revealed mulLlple passwords, lncludlng a Wlndows domaln admlnlsLraLor accounL. lease see
Appendlx A for more lnformaLlon. ln order Lo valldaLe Lhe newly recovered credenLlals, we successfully
creaLed a new remoLe deskLop sesslon Lo Lhe ClLrlx server uslng Lhe domaln admlnlsLraLor credenLlals.
LNL1kA1ICN 1LS1 kLCk1 - MLGACCk CNL
18-20130313 CopyrlghL 2013 Cffenslve SecurlLy Servlces LLC. All rlghLs reserved. age 26 of 34

I|gure 3S - Doma|n Adm|n|strator credent|a|s are va||dated aga|nst the C|tr|x host.
AL Lhls polnL, full conLrol of Lhe Wlndows domaln had been obLalned. A mallclous aLLacker would have
mulLlple Lools aL Lhelr dlsposal, lncludlng:
o uLlllzaLlon of Croup ollcy Lo deploy backdoor sofLware on Wlndows sysLems.
o CompleLe exfllLraLlon of all daLa sLored on any sysLem LhaL uses Wlndows auLhenLlcaLlon.
o uesLrucLlon of any and all neLwork resources.
o 1argeLed aLLacks agalnsL any and all employees of MegaCorp Cne, Lhrough Lhe use of
lnformaLlon gaLherlng Lools such as keysLroke loggers Lo ldenLlfy personal lnformaLlon.
o Leveraglng Lhls sysLemlc access Lo conducL aLLacks agalnsL MegaCorp Cne suppllers and parLners
LhaL malnLaln a LrusL relaLlonshlp wlLh Lhe company.
LNL1kA1ICN 1LS1 kLCk1 - MLGACCk CNL
18-20130313 CopyrlghL 2013 Cffenslve SecurlLy Servlces LLC. All rlghLs reserved. age 27 of 34
lL was deLermlned LhaL whlle Lhese sLeps would be posslble, Lhey would be consldered ouLslde Lhe scope
of Lhe currenL engagemenL. lL was demonsLraLed LhaL a LoLal compromlse of Lhe MegaCorp Cne domaln
had been accompllshed wlLh a compleLe loss of lnLegrlLy for all local sysLems.

I|gure 36 - Iu|| Doma|n Comprom|se








LNL1kA1ICN 1LS1 kLCk1 - MLGACCk CNL
18-20130313 CopyrlghL 2013 Cffenslve SecurlLy Servlces LLC. All rlghLs reserved. age 28 of 34
)'*/$0,1'*
MegaCorp Cne suffered a serles of conLrol fallures, whlch led Lo a compleLe compromlse of crlLlcal
company asseLs. 1hese fallures would have had a dramaLlc effecL on MegaCorp Cne operaLlons lf a
mallclous parLy had explolLed Lhem. CurrenL pollcles concernlng password reuse and deployed access
conLrols are noL adequaLe Lo mlLlgaLe Lhe lmpacL of Lhe dlscovered vulnerablllLles.
1he speclflc goals of Lhe peneLraLlon LesL were sLaLed as:
o ldenLlfylng lf a remoLe aLLacker could peneLraLe MegaCorp Cne's defenses
o ueLermlnlng Lhe lmpacL of a securlLy breach on:
o ConfldenLlallLy of Lhe company's lnformaLlon
o lnLernal lnfrasLrucLure and avallablllLy of MegaCorp Cne's lnformaLlon sysLems
1hese goals of Lhe peneLraLlon LesL were meL. A LargeLed aLLack agalnsL MegaCorp Cne can resulL ln a
compleLe compromlse of organlzaLlonal asseLs. MulLlple lssues LhaL would Lyplcally be consldered mlnor
were leveraged ln concerL, resulLlng ln a LoLal compromlse of Lhe MegaCorp Cne's lnformaLlon sysLems.
lL ls lmporLanL Lo noLe LhaL Lhls collapse of Lhe enLlre MegaCorp Cne securlLy lnfrasLrucLure can be
greaLly aLLrlbuLed Lo lnsufflclenL access conLrols aL boLh Lhe neLwork boundary and hosL levels.
ApproprlaLe efforLs should be underLaken Lo lnLroduce effecLlve neLwork segmenLaLlon, whlch could
help mlLlgaLe Lhe effecL of cascadlng securlLy fallures LhroughouL Lhe MegaCorp Cne lnfrasLrucLure.

LNL1kA1ICN 1LS1 kLCk1 - MLGACCk CNL
18-20130313 CopyrlghL 2013 Cffenslve SecurlLy Servlces LLC. All rlghLs reserved. age 29 of 34
7%/'44%*<"+1'*,
uue Lo Lhe lmpacL Lo Lhe overall organlzaLlon as uncovered by Lhls peneLraLlon LesL, approprlaLe
resources should be allocaLed Lo ensure LhaL remedlaLlon efforLs are accompllshed ln a Llmely manner.
Whlle a comprehenslve llsL of lLems LhaL should be lmplemenLed ls beyond Lhe scope of Lhls
engagemenL, some hlgh level lLems are lmporLanL Lo menLlon.
Cffenslve SecurlLy recommends Lhe followlng:
1. Lnsure that strong credent|a|s are use everywhere |n the organ|zat|on. 1he compromlse of
MegaCorp Cne sysLem as drasLlcally lmpacLed by Lhe use of weak passwords as well as Lhe reuse
of passwords across sysLems of dlfferlng securlLy levels. nlS1 S 800-11
9
ls recommended for
guldellnes on operaLlng an enLerprlse password pollcy. Whlle Lhls lssue was noL wldespread
wlLhln MegaCorp Cne, lL was sLlll an lssue and should be addressed.
2. Lstab||sh trust boundar|es. CreaLe loglcal boundarles of LrusL where approprlaLe on Lhe lnLernal
neLwork. Lach loglcal LrusL segmenL should be able Lo be compromlsed wlLhouL Lhe breach
easlly cascadlng Lo oLher segmenLs. 1hls should lnclude Lhe use of unlque admlnlsLraLlve
accounLs so LhaL a compromlsed sysLem ln one segmenL cannoL be used ln oLher locaLlons.
3. Imp|ement and enforce |mp|ementat|on of change contro| across a|| systems: MlsconflguraLlon
and lnsecure deploymenL lssues were dlscovered across Lhe varlous sysLems. 1he vulnerablllLles
LhaL arose can be mlLlgaLed Lhrough Lhe use of change conLrol processes on all server sysLems.
4. Imp|ement a patch management program: CperaLlng a conslsLenL paLch managemenL program
per Lhe guldellnes ouLllned ln nlS1 S 800-40
10
ls an lmporLanL componenL ln malnLalnlng good
securlLy posLure. 1hls wlll help Lo llmlL Lhe aLLack surface LhaL resulLs from runnlng unpaLched
lnLernal servlces.
3. Conduct regu|ar vu|nerab|||ty assessments. As parL of an effecLlve organlzaLlonal rlsk
managemenL sLraLegy, vulnerablllLy assessmenLs should be conducLed on a regular basls. uolng
so wlll allow Lhe organlzaLlon Lo deLermlne lf Lhe lnsLalled securlLy conLrols are properly
lnsLalled, operaLlng as lnLended, and produclng Lhe deslred ouLcome. lease consulL nlS1 S
800-30
11
for guldellnes on operaLlng an effecLlve rlsk managemenL program.

9
hLLp://csrc.nlsL.gov/publlcaLlons/drafLs/800-118/drafL-sp800-118.pdf
10
hLLp://csrc.nlsL.gov/publlcaLlons/nlsLpubs/800-40-ver2/S800-40v2.pdf
11
hLLp://csrc.nlsL.gov/publlcaLlons/ubsurafLs.hLml#S-800-30-8ev.201
LNL1kA1ICN 1LS1 kLCk1 - MLGACCk CNL
18-20130313 CopyrlghL 2013 Cffenslve SecurlLy Servlces LLC. All rlghLs reserved. age 30 of 34
71,9 7"+1*B
1he overall rlsk ldenLlfled Lo MegaCorp Cne as a resulL of Lhe peneLraLlon LesL ls n|gh. A dlrecL paLh from
exLernal aLLacker Lo full sysLem compromlse was dlscovered. lL ls reasonable Lo belleve LhaL a mallclous
enLlLy would be able Lo successfully execuLe an aLLack agalnsL MegaCorp Cne Lhrough LargeLed aLLacks.

LNL1kA1ICN 1LS1 kLCk1 - MLGACCk CNL
18-20130313 CopyrlghL 2013 Cffenslve SecurlLy Servlces LLC. All rlghLs reserved. age 31 of 34
8??%*<1. 8F G0$*%5"#1$1+6 ;%+"1$ "*< H1+1B"+1'*
71,9 7"+1*B 3/"$%
ln accordance wlLh nlS1 S 800-30, explolLed vulnerablllLles are ranked based upon llkellhood and
lmpacL Lo deLermlne overall rlsk.
;%("0$+ '5 =%"9 )5%<%*+1"$,
kat|ng: n|gh
Descr|pt|on: An exLernally exposed admlnlsLraLlve lnLerface ls only proLecLed wlLh a weak
password.
Impact: uslng common enumeraLlon and bruLe-forclng Lechnlques, lL ls posslble Lo
reLrleve Lhe admlnlsLraLlve password for Lhe SCLlLe Manager web lnLerface. uue
Lo Lhe lack of any addlLlonal auLhenLlcaLlon mechanlsms, lL ls also posslble Lo
reLrleve all user password hashes ln Lhe underlylng daLabase. Successful reLrleval
of plalnLexL passwords could allow furLher compromlse of Lhe LargeL
envlronmenL lf password reuse ls found Lo exlsL.
kemed|at|on: Lnsure LhaL all admlnlsLraLlve lnLerfaces are proLecLed wlLh complex passwords
or passphrases. Avold use of common or buslness relaLed words, whlch could be
found or easlly consLrucLed wlLh Lhe help of a dlcLlonary.


LNL1kA1ICN 1LS1 kLCk1 - MLGACCk CNL
18-20130313 CopyrlghL 2013 Cffenslve SecurlLy Servlces LLC. All rlghLs reserved. age 32 of 34
A",,I'5< 7%0,%
kat|ng: n|gh
Descr|pt|on: MegaCorp Cne user m|ke" was found Lo be reuslng credenLlals for Lhe SCLlLe
Manager appllcaLlon and hls Wlndows domaln access.
Impact: assword reuse ln general ls a pracLlce whlch should be hlghly dlscouraged and
prevenLed Lo Lhe exLend posslble. ln Lhls case, Lhe lmpacL of Lhe vulnerablllLy ls
ampllfled by Lhe facL LhaL an exLernal aLLacker lndlrecLly compromlsed a valld seL
of lnLernal Wlndows domaln credenLlals. 1hls compromlse poLenLlally allows a
subsLanLlal lncrease ln Lhe aLLack surface.
kemed|at|on: updaLe Lhe password managemenL pollcles Lo enforce Lhe use of sLrong, unlque,
passwords for all dlsparaLe servlces. 1he use of password managers should be
encouraged Lo more easlly allow employees Lo uLlllze unlque passwords across
Lhe varlous sysLems.
3@"5%< D'/"$ 8<41*1,+5"+'5 A",,I'5<
kat|ng: n|gh
Descr|pt|on: A number of MegaCorp Cne hosLs are provlsloned wlLh Lhe same local
admlnlsLraLor password.
Impact: MegaCorp Cne uses a Croup ollcy Lo seL a local admlnlsLraLor password on all
hosLs wlLhln Lhe scope of Lhe CC. uslng Lhe same local admlnlsLraLor password
on corporaLe sysLems allows an aLLacker wlLh approprlaLe access Lo uLlllze Lhe
well-known pass-Lhe-hash" aLLack vecLor. lL allows an aLLacker Lo successfully
auLhenLlcaLe on all hosLs LhaL share Lhe same password, uslng only Lhe reLrleved
password hash. As such, Lhe aLLack does noL rely on successful decrypLlon of Lhe
hash and lL slgnlflcanLly lncreases Lhe securlLy breach fooLprlnL.
kemed|at|on: lL ls hlghly recommended Lo dlsable all local admlnlsLraLor accounLs. ln cases
where a local admlnlsLraLlve accounL ls necessary, lL should be asslgned a unlque
name and a complex random password.


LNL1kA1ICN 1LS1 kLCk1 - MLGACCk CNL
18-20130313 CopyrlghL 2013 Cffenslve SecurlLy Servlces LLC. All rlghLs reserved. age 33 of 34
A"+/@ H"*"B%4%*+
kat|ng: n|gh
Descr|pt|on: MegaCorp Cne's exLernal and lnLernal envlronmenLs conLaln a number of
unpaLched sysLems and appllcaLlon.
Impact: A comblnaLlon of weak auLhenLlcaLlon and unpaLched hosLs, whlch conLaln
known vulnerablllLles wlLh publlcly avallable explolLs, allows an aLLacker Lo galn
unauLhorlzed access Lo a large number of MegaCorp Cne's asseLs. Speclflcally,
dlscovered lnsLance of SCLlLe Manager ls vulnerable Lo a remoLe code execuLlon
vulnerablllLy and Lhe underlylng hosL also conLalns a local prlvllege escalaLlon
vulnerablllLy, whlch can easlly be leveraged Lo compromlse Lhe exLernally
exposed hosL enLlrely. 1hls appears Lo be an lndlcaLlon of an lnsufflclenL paLch
managemenL pollcy and lLs lmplemenLaLlon.
kemed|at|on: All corporaLe asseLs should be kepL currenL wlLh laLesL vendor-supplled securlLy
paLches. 1hls can be achleved wlLh vendor-naLlve Lools or Lhlrd-parLy
appllcaLlons, whlch can provlde an overvlew of all mlsslng paLches. ln many
lnsLances, Lhlrd-parLy Lools can also be used for paLch deploymenL LhroughouL a
heLerogeneous envlronmenL.
;:3 J'*% !5"*,(%5
kat|ng: Low
Descr|pt|on: A mlsconflgured unS server allows unresLrlcLed zone Lransfers.
Impact: A unS server, whlch ls conflgured Lo allow zone Lransfers Lo any unS server, can
provlde senslLlve lnformaLlon abouL corporaLe asseLs and neLwork layouLs.
kemed|at|on: unS zone Lransfers should be resLrlcLed only Lo pre-approved servers.
;%("0$+ 8?"/@% K1$%,
kat|ng: Low
Descr|pt|on: uefaulL Apache flles were dlscovered on Lhe adm|n.megacorpone.com hosL.
Impact: An aLLacker may be able Lo guess Lhe exacL verslon of Lhe runnlng Apache server
by lnspecLlng Lhe conLenLs of Lhe defaulL flles. AddlLlonal senslLlve lnformaLlon
may also be avallable.
kemed|at|on: 8emove all defaulL flles from publlcly accesslble web servers.

LNL1kA1ICN 1LS1 kLCk1 - MLGACCk CNL
18-20130313 CopyrlghL 2013 Cffenslve SecurlLy Servlces LLC. All rlghLs reserved. age 34 of 34
8??%*<1. EF 8#'0+ L((%*,12% 3%/051+6
Cffenslve SecurlLy advocaLes peneLraLlon LesLlng for lmpacL as opposed Lo peneLraLlon LesLlng for
coverage. eneLraLlon LesLlng for coverage has rlsen ln popularlLy ln recenL years as a slmpllfled meLhod
of assessmenLs used ln slLuaLlons where Lhe goal ls Lo meeL regulaLory needs. As a form of vulnerablllLy
scannlng, peneLraLlon LesLlng for coverage lncludes selecLlve verlflcaLlon of dlscovered lssues Lhrough
explolLaLlon. 1hls allows servlce provlders Lhe ablllLy Lo conducL Lhe work largely Lhrough Lhe use of
auLomaLed LoolseLs and malnLaln conslsLency of producL across mulLlple engagemenLs.
eneLraLlon LesLlng for lmpacL ls a form of aLLack slmulaLlon under conLrolled condlLlons, whlch closely
mlmlcs Lhe real world, LargeLed aLLacks LhaL organlzaLlons face on a day-Lo-day basls. eneLraLlon
LesLlng for lmpacL ls a goal-based assessmenL, whlch creaLes more Lhan a slmple vulnerablllLy lnvenLory,
lnsLead provldlng Lhe Lrue buslness lmpacL of a breach. An lmpacL-based peneLraLlon LesL ldenLlfles
areas for lmprovemenL LhaL wlll resulL ln Lhe hlghesL raLe of reLurn for Lhe buslness.
eneLraLlon LesLlng for lmpacL poses Lhe challenge of requlrlng a hlgh sklllseL Lo successfully compleLe.
As demonsLraLed ln Lhls sample reporL, Cffenslve SecurlLy belleves LhaL lL ls unlquely quallfled Lo dellver
world-class resulLs when conducLlng peneLraLlon LesLs for lmpacL, due Lo Lhe level of experLlse found
wlLhln our Leam of securlLy professlonals. Cffenslve SecurlLy does noL malnLaln a separaLe Leam for
peneLraLlon LesLlng and oLher acLlvlLles LhaL Lhe company ls engaged ln. 1hls means LhaL Lhe same
lndlvlduals LhaL are lnvolved ln Cffenslve SecurlLy's lndusLry leadlng performance-based Lralnlng, Lhe
producLlon of lndusLry sLandard Lools such as kall Llnux, auLhors of besL selllng books, creaLors of 0-day
explolLs, and malnLalners of lndusLry references such as LxplolL-u8 are Lhe same lndlvlduals LhaL are
lnvolved ln Lhe dellvery of servlces.
Cffenslve SecurlLy offers a producL LhaL cannoL be maLched ln Lhe markeL. Powever, we may noL be Lhe
rlghL flL for every [ob. Cffenslve SecurlLy Lyplcally conducLs consulLlng servlces wlLh a low volume, hlgh
sklll raLlo Lo allow Cffenslve SecurlLy sLaff Lo more closely mlmlc real world slLuaLlons. 1hls also allows
cusLomers Lo have lncreased access Lo lndusLry-recognlzed experLlse all whlle keeplng cosLs reasonable.
As such, hlgh volume/fasL Lurn-around engagemenLs are ofLen noL a good flL for our servlces. Cffenslve
SecurlLy ls focused on conducLlng hlgh quallLy, hlgh lmpacL assessmenLs and ls acLlvely soughL ouL by
cusLomers ln need of servlces LhaL cannoL be dellvered by oLher vendors.
lf you would llke Lo dlscuss your peneLraLlon LesLlng needs, please conLacL us aL lnfo[offsec.com.