Penetrating secure networks
Category: Videos -> Hacking
After we have run out Passive Information Gathering techniques and tools we begin Active Information Gathering by launching a quick nmap scan of our target. As show in the video only port 3389 was closed while the rest were filtered ports.
Usually in these circumstances we’d perform further enumeration on the target however with only 3389 closed and knowing that it is Windows 2003 we can assume that attacks directly to the server are not likely to work, so we decide to attack a client within the NAT environment using the Aurora exploit available in Metaploit.
During out Passive Information Gathering we are likely to come across email addresses used by employee’s which we can use in out next PenTest efforts to help with Client Side Exploits.
We start up the Aurora exploit and send an email to the client. When the client clicks on the email link and opens the web page his browser crashes and sends us a remote Meterpreter session on his machine using his limited credentials.
First thing we decide to do is elevate our privileges to local system which will hopefully give us unrestricted access to the machine. Once we acquire system access we decide to dump the local hashes and copy the Administrator hash to our clipboard hoping that they are unfortunately using the same Administrator credentials on other parts of the network.
Considering the netmask and IP range of the network we can safely assume that the domain controller is located at 192.168.0.1 so we decide to use the client as a pivot point meaning that we can continue our attacks using the client.
We choose to load the psexec exploit module and set the remote host to 192.168.0.1 which is the default gateway for the network and the domain controller. Note that this attack will travel through our already compromised host on the network so it would appear the client is doing the attacking, not an outsider.
As we don’t know the password for the administrator account we use the already obtained hash for the admin and perform a PassTheHash technique. What this does, is rather than encrypting the password into a hash to send to the remote machine it will just pass the hash straight over.
We get another meterpreter session this time from the domain controller and again we attempt to elevate our privileges to local system. We also dump the Active Directory hashes and attempt to crack them using the Ophcrack rainbow table cracking software and successfully crack all hashes in under 10 minutes.
We then attempt to create a new user called ‘thexero’ and add him to the administrators group and the remote desktop users. Once completed we attempt to enable remote desktop assuming that it had been disabled for security reasons and we login with the new credentials that we had just created.