How fun accidentally became security risk

hacking
#1

Last week, I was given access to a network which seemed secure at first glance.

As I’m always curious, I ran my Metasploit and scanned that floor’s /24 range with nmap to see how many live hosts were active. Almost all devices were showing up, and after a second run I noticed port 445 was open on almost all boxes. I tried EternalBlue against a couple of hosts but the connection kept dropping; I thought probably a firewall or installed AV was blocking it. I noticed one device named PRINT-PC with one of the first IPs in that range.

I nmap it and see that the SMB port and RDP port are open; naturally I open Hydra and try to brute-force the RDP password, using a username I guessed from the SMB response. After about 1 minute my Hydra gets stuck and repeats itself on 1234, giving an error on each repeated try. I open my RDP client and it WORKED!

I repeated the same for all available ranges, guessing the floor number based on the floor I was on, and I found a second PRINT-PC with the exact same password.

I ran PsExec against the first device and with a little snooping I found very sensitive information left on that device and a user account from old staff who had used it. About 2GB of data had to be wiped properly after I reported the issue to the security staff.

After this I ran the Inveigh NetBIOS spoofer to grab NTLMv2 hashes for a PTH attack. As usual I got almost all hashes from all connected devices in my range with SMB open. Me always having bad luck, the script broadcast my listen IP under the PBX used by the staff, directly from their device and not the external Cisco phone, and after 5 minutes I heard some yelling that their phones weren’t working. :smiley:

But still I managed to pass the hash over SMB to get a CMD shell on one device for the lolz, and had to hear yelling from the IT department and the floor manager for about an hour, but it was still worth it.

Something looking very innocent, like a Windows box used as a print server with a weak password, could easily become the worst nightmare for a company because of accidentally left data and forgotten data that should’ve been deleted. Something done out of fun actually became a very serious threat to the organization; this almost never happened to me before.

All this was done with consent from Administrators and I had full permission.
DO NOT ATTACK PEOPLE’S NETWORKS WITHOUT CONSENT PERIOD.

7 Likes
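The pattern in the post (about a minute of rapid RDP password guesses against PRINT-PC, then a successful logon from the same machine) is exactly what a defender can pick out of the Windows Security log. The following is an added example, not code from the original post: it runs a sliding-window check over a small set of constructed records shaped like fields from event 4625 (logon failed) and 4624 (logon succeeded) with logon type 10 (RemoteInteractive, i.e. RDP). The threshold, window, IPs, user names and timestamps are all illustrative assumptions.

```python
"""
Detect an RDP password-guessing burst that ends in a successful logon.

Added example (not from the original post). Records below are constructed
to resemble Windows Security events 4625/4624; LogonType 10 is RDP.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds: five or more failures within the 60 s before a success.
FAIL_THRESHOLD = 5
WINDOW = timedelta(seconds=60)


def _ev(event_id, when, user, ip, logon_type=10):
    """Build one constructed event record (fields mirror the Security log)."""
    return {"id": event_id, "time": when, "user": user, "ip": ip, "logon_type": logon_type}


# Constructed sample events, deliberately out of order to exercise sorting.
SAMPLE_EVENTS = [
    # One typo followed by success: normal user behaviour, no alert.
    _ev(4625, "2023-01-10T09:10:00", "jsmith", "10.3.0.12"),
    _ev(4624, "2023-01-10T09:10:20", "jsmith", "10.3.0.12"),
    # Seven guesses in ~50 s, then success: the post's scenario, alert.
    _ev(4625, "2023-01-10T09:00:00", "printadmin", "10.3.0.77"),
    _ev(4625, "2023-01-10T09:00:08", "printadmin", "10.3.0.77"),
    _ev(4625, "2023-01-10T09:00:16", "printadmin", "10.3.0.77"),
    _ev(4625, "2023-01-10T09:00:24", "printadmin", "10.3.0.77"),
    _ev(4625, "2023-01-10T09:00:32", "printadmin", "10.3.0.77"),
    _ev(4625, "2023-01-10T09:00:40", "printadmin", "10.3.0.77"),
    _ev(4625, "2023-01-10T09:00:48", "printadmin", "10.3.0.77"),
    _ev(4624, "2023-01-10T09:00:55", "printadmin", "10.3.0.77"),
    # Six failures long before a success: outside the window, no alert.
    _ev(4625, "2023-01-10T08:00:00", "svc_print", "10.3.0.90"),
    _ev(4625, "2023-01-10T08:00:10", "svc_print", "10.3.0.90"),
    _ev(4625, "2023-01-10T08:00:20", "svc_print", "10.3.0.90"),
    _ev(4625, "2023-01-10T08:00:30", "svc_print", "10.3.0.90"),
    _ev(4625, "2023-01-10T08:00:40", "svc_print", "10.3.0.90"),
    _ev(4625, "2023-01-10T08:00:50", "svc_print", "10.3.0.90"),
    _ev(4624, "2023-01-10T09:30:00", "svc_print", "10.3.0.90"),
    # Network (SMB) logon, type 3: ignored by this RDP-specific rule.
    _ev(4624, "2023-01-10T09:01:00", "printadmin", "10.3.0.77", logon_type=3),
]


def detect_rdp_bruteforce(events, fail_threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return one alert per RDP success preceded by >= fail_threshold
    failures from the same source IP inside the sliding window."""
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e["time"]))
    recent_failures = defaultdict(deque)  # source IP -> failure timestamps
    alerts = []
    for e in ordered:
        if e["logon_type"] != 10:
            continue
        t = datetime.fromisoformat(e["time"])
        q = recent_failures[e["ip"]]
        # Expire failures older than the window relative to this event.
        while q and t - q[0] > window:
            q.popleft()
        if e["id"] == 4625:
            q.append(t)
        elif e["id"] == 4624:
            if len(q) >= fail_threshold:
                alerts.append({"ip": e["ip"], "user": e["user"],
                               "failures": len(q), "success_time": e["time"]})
            q.clear()  # a success resets the counter for that source
    return alerts


if __name__ == "__main__":
    for a in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(f"ALERT: {a['failures']} RDP failures from {a['ip']} "
              f"then success as {a['user']} at {a['success_time']}")
```

In practice these records would come from `Get-WinEvent`, a forwarded-event collector or a SIEM rather than an inline list, and the threshold and window would be tuned to the environment; the point is that a guessing run long enough to succeed against a weak password leaves a dense trail of 4625 events that a single success does not erase.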

#2

Were you like :smirk: while IT and the floor mgr were shouting? I liked this btw; I haven’t been near Windows/company networks enough from an attacker perspective yet.

1 Like

#3

I felt an orgasm while everybody was complaining; I was thinking “aye, this is your artwork”. LOL

4 Likes

#4

Okay, now that’s epic haha. A similar thing happened to me back in high school, where I pwned the lab printers using PRET and jacked someone’s printout to have a smiley face on it.
This, of course, was NOT done with permission, but my teacher was always super nice to me, bless her.

0 Likes

#5

I don’t like to pull off pranks that much, but sometimes when I have permission to do whatever I want, my favorite shit is hacking PA systems that are linked to the network, or hijacking the signals with some shit my partner made and playing the most popular rap song to hype everybody up and get my employer angry :slight_smile:

1 Like

#6

Enjoyed this very much.

It kinda reminds me of the “Hacking John Doe” post someone did some time ago.

0 Likes

(cuckkoo) #7

Fear the power of taps and clicks :joy: On point though!!

0 Likes

#8

@cuckkoo you are very correct. Think about a gun: you’ve got 16, max 30 in the clip; if you’re a very good shooter, 30 out of 30, but then in the warzone you’re out of bullets and lose, so no real power. But on the other hand, let’s say you own a decent laptop with 8GB of memory and have the right knowledge or skill set to perform intrusions. If that person knows what they’re doing and is creative enough, they might really f**k some shit up.

1 Like

(Mantis) #9

Unfortunately, this happens more than I’d like to hear about. I’ve been on internal assessments before and this sort of thing has happened. I’ve had shells on the network which contained Excel sheets full of DA credentials, others with bank details, credit card info, etc.

How some of the companies think is beyond me.

0 Likes

#10

This might sound nonsensical, but I feel like I am better at attacking than I would be at setting up a decent hardened system. I’d be nervous if I had to come up with that sort of thing.

1 Like

(Alice) #11

This is like every single network around my area cuz there are no tech companies around… lol

0 Likes

#12

This was an IT company, that’s the funny thing.

0 Likes