I recently attended a fantastic training titled Adaptive Red Team Tactics, put on by the Veris Group at Black Hat. "Red Team" is a term often used by white-hat hackers and the US Army for a structured team whose job is to challenge an organization's defenses and internal detection systems by attempting to infiltrate it and move around undetected. The class took us from information gathering, through spear phishing for credentials, to eventually escalating to system privileges on the DC (domain controller), and from that point the sky was the limit. By the end they showed they were able to manipulate the company's public web pages, read the CEO's emails and rummage through anything and everything. Because of the nature of the attacks used, everything they taught can be accomplished right under the nose of a security-minded company with alerting systems in place.

Tools

Here's a list of both free and commercial tools used during the whole process.

|Tool|Description|Free|
|Metasploit|Tool used for executing exploit code|x|
|Cobalt Strike|Penetration test tool used to execute targeted attacks and take over systems||
|Veil AV Evasion Tool|Generates payloads that bypass antivirus tools|x|
|Metagoofil|Information gathering from the customer's website|x|
||Information gathering of emails, usernames and host domains from public sources||
||Information gathering off LinkedIn||
|Maltego|Information gathering focused on email transforms||
|Mimikatz|Gathers user credentials from a given machine|x|
Where to start?

Intel Gathered, Now what

After enough intelligence has been gathered, the attacker will begin attacking the company. How this starts varies with what information was gained, but usually it begins with a spear-phishing attack, targeted at a particular user or set of users. The more convincing the email, the better the response. On average 20-60% of a company's recipients will click the malicious link placed in a phishing email. Recently, emails saying that IT will be installing new phone apps on company phones have produced the best click rate. In our class we quickly created convincing phishing emails with malicious links using Cobalt Strike and sent them out to a list of user emails we deduced from employee names and a few published addresses (for example, from jsmith@company.com we concluded that addresses were the first letter of the first name followed by the last name).

Basic User's Account Compromised, Let's begin

After compromising a single basic user's account we started information gathering on the machine to see what was available to us. This can be done by trying to fingerprint the network. whois gives you the range of IPs allocated to a particular network; fixedorbit.com can be used to find ASNs, and applying the ASN at www.cidr-report.org gives you the hosting provider details. Inside the system, look for shared network folders and credential files. Try running port scanners to see what other machines are on the network and what they might be running. Running a keylogger on the infected user's machine is a good way to gain information without the user's knowledge. Usually the attacker is trying to be quiet, but one thing they can do once a keylogger is running is produce a lot of noise on the victim's machine, such as kicking the victim out of their session or restarting the machine. This will cause concern for the victim, who will most likely contact IT. IT may then log in to the system to try to fix the problem, and during that login the attacker can record IT's credentials, which will most likely have admin access to the machine and privileged access on other systems. In our class we ended up finding an internal file share, and in its folders a credentials file for an account that had admin-level access on a machine.

Useful command lines for gathering information are the following:

net localgroup "Administrators"
net user /domain

More Escalation

Next we continued to escalate from admin on one system to system-level access on the DC (domain controller). DC-level access is often a good stopping point for a red team penetration test, since at that point you have such a highly privileged account that you can attack a large set of systems and eventually take complete control. To get to this point we had to do a few things. Once on our new machine we realized we were logged in as a user with local admin privileges. This allowed us to open a remote desktop session to another computer, capturing access to it. By placing our Veil payload on that machine and running it we gained complete access to it. Next we ran Mimikatz, a tool that can grab the usernames and passwords of everyone who has logged into the machine. This provided us with a system-level account. We then targeted the DC, logged in with this system-level account, and were in control of the DC on the acquired company's network.

One trick we used to escalate privileges on a system was to first see which processes were running with admin privileges:

1. Using the Meterpreter shell we ran "ps", listing all processes.
2. This gave us the PID of a process such as explorer.exe that was running under an admin account. Running "migrate <pid>" took over that process, and with it its escalated privileges; this can only be done when you already have system-level access. Metasploit also has a getsystem command that will try a few tricks to gain system-level access on a machine.

Access to Acquired Company's DC, so what?

Since access at this level is so high, we were able to find and access a user account in this network that was the direct contact with the main company we originally wanted to attack. That account had dual access between the acquisition and the main company. This gave us an entry point into the main company, and from there we combined numerous similar attacks to fully compromise their systems. One trick we used to gain access to a machine, once we already had significant access, was to use a copy command to copy a malicious file to the user's machine. Then, running at \\<ip address> <time> <command>, we scheduled a task to run this executable on the machine, which provided us with entry into it.

Finally

Eventually, having full access to our victim's network, we were able to read the CEO's emails, manipulate the public company site and steal any information in databases and email accounts; anything was possible.

Conclusion

Whether it be a disgruntled employee, an accidental click on an email or careless browsing, an attacker will find a way onto your system. It is up to your security team to have appropriate detection systems in place and proper reactive strategies for removing attackers once they are discovered on your systems. A smart attacker will not only take their time and most likely work silently, but will also have numerous ways of maintaining access in case they are discovered. Some mitigation tactics are:

- Limit the access levels of your employees, and refrain from logging into machines with system-level access.
- Do not leave credential files lying around on your machine.
- Be proactive and warn employees of any phishing emails that have gotten past your email filters.
- Use logging tools like Splunk to capture logs from machines and warn you when odd activity is happening.
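As an added example of what the logging advice above can look like in practice (my code, not material from the training or its instructors), the rules below run over constructed Windows Security and Sysmon records, shaped like the real event fields, and flag the activity this write-up describes: an admin account RDP-ing onto a workstation, a scheduled task created under a network logon (the remote at trick), a process opening LSASS (credential dumping with Mimikatz), and a thread injected into another process (what Meterpreter's migrate does). The account names, hostnames and sample events are assumptions.

```python
from typing import Dict, List

# Assumptions: the organisation's privileged accounts and its server hostnames.
ADMIN_ACCOUNTS = {"CORP\\itadmin"}
SERVERS = {"DC01", "FS01"}

def evaluate(events: List[Dict]) -> List[str]:
    """Return one alert per suspicious event, in input order."""
    logon_type: Dict[str, int] = {}  # TargetLogonId -> LogonType, learned from 4624
    alerts: List[str] = []
    for e in events:
        ch, eid = e["Channel"], e["EventID"]
        if ch == "Security" and eid == 4624:
            logon_type[e["TargetLogonId"]] = e["LogonType"]
            # RDP (type 10) by an admin account onto a workstation: the IT-login scenario
            if e["LogonType"] == 10 and e["TargetUserName"] in ADMIN_ACCOUNTS \
                    and e["Computer"] not in SERVERS:
                alerts.append(f"admin RDP to workstation: {e['TargetUserName']} -> {e['Computer']}")
        elif ch == "Security" and eid == 4698:
            # Task created under a network (type 3) logon: the remote 'at' pattern
            if logon_type.get(e["SubjectLogonId"]) == 3:
                alerts.append(f"remote scheduled task on {e['Computer']}: {e['TaskName']} by {e['SubjectUserName']}")
        elif ch == "Sysmon" and eid == 10 and e["TargetImage"].lower().endswith("\\lsass.exe"):
            # A process opening a handle to LSASS: credential dumping (Mimikatz)
            alerts.append(f"lsass access on {e['Computer']} by {e['SourceImage']}")
        elif ch == "Sysmon" and eid == 8:
            # A thread created in another process: what meterpreter 'migrate' does
            alerts.append(f"remote thread on {e['Computer']}: {e['SourceImage']} -> {e['TargetImage']}")
    return alerts

# Constructed sample events, shaped like the real Windows/Sysmon fields.
SAMPLE_EVENTS = [
    {"Channel": "Security", "EventID": 4624, "Computer": "WS-0042", "LogonType": 10,
     "TargetUserName": "CORP\\itadmin", "TargetLogonId": "0x3e7a1"},
    {"Channel": "Security", "EventID": 4624, "Computer": "WS-0043", "LogonType": 3,
     "TargetUserName": "CORP\\jsmith", "TargetLogonId": "0x5b210"},
    {"Channel": "Security", "EventID": 4698, "Computer": "WS-0043", "TaskName": "\\At1",
     "SubjectUserName": "CORP\\jsmith", "SubjectLogonId": "0x5b210"},
    {"Channel": "Sysmon", "EventID": 10, "Computer": "WS-0043",
     "SourceImage": "C:\\Users\\jsmith\\update.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe"},
    {"Channel": "Sysmon", "EventID": 8, "Computer": "WS-0043",
     "SourceImage": "C:\\Users\\jsmith\\update.exe", "TargetImage": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

In a real deployment the LSASS and remote-thread rules need an allowlist of known-good source images (antivirus, EDR, some debuggers), otherwise they page constantly.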