Last week, I was given access to a network which seemed secure at first glance.
As I’m always curious, I ran Metasploit and scanned that floor’s /24 range with nmap to see how many live hosts were active. Almost all devices showed up, and after a second run I noticed port 445 was open on almost all boxes. I tried EternalBlue against a couple of hosts but the connection kept dropping; I thought a firewall or installed AV was probably blocking it. I noticed one device named PRINT-PC with one of the first IPs in that range.
I ran nmap against it and saw that the SMB and RDP ports were open, so naturally I opened Hydra and tried to brute-force the RDP password, using a username I guessed from the SMB response. After about a minute my Hydra got stuck and kept repeating itself on 1234, giving an error on each repeated try. I opened my RDP client and it WORKED!
I repeated the same for all available ranges, guessing the floor number based on the floor I was on, and I found a second PRINT-PC with the exact same password.
I ran PsExec against the first device and, with a little snooping, I found very sensitive information left on that device and a user account from old staff who had used it. About 2GB of data had to be wiped properly after I reported the issue to the security staff.
After this I ran the Inveigh NetBIOS spoofer to grab NTLMv2 hashes for a PTH attack. As usual I got almost all hashes from all devices in my range with SMB open. Me always having bad luck, the script broadcast my listening IP under the PBX used by the staff, directly from their device and not the external Cisco phone, and after 5 minutes I heard some yelling that their phone wasn’t working.
But I still managed to pass the hash over SMB to get a CMD shell on one device for the lolz, and I had to hear yelling from the IT department and the floor manager for about an hour, but it was still worth it.
Something looking very innocent, like a Windows box used as a print server with a weak password, could easily become the worst nightmare for a company because of accidentally left-behind and forgotten data that should have been deleted. Something done for fun turned out to be a very serious threat to the organization; this has almost never happened to me before.
All this was done with consent from the administrators and I had full permission.
DO NOT ATTACK PEOPLE’S NETWORKS WITHOUT CONSENT PERIOD.