How fun accidentally became a security risk

Last week, I was given access to a network which seemed secure at first glance.

As I’m always curious, I ran Metasploit and scanned that floor’s /24 range with nmap to see how many live hosts were active. Almost all devices showed up, and after a second run I noticed port 445 was open on almost all boxes. I tried EternalBlue against a couple of hosts but the connection kept dropping; I thought a firewall or installed AV was probably blocking it. I noticed one device named PRINT-PC with one of the first IPs in that range.

I nmapped it and saw that the SMB and RDP ports were open, so naturally I opened hydra and tried to brute-force the RDP password, using a username I guessed from the SMB response. After about 1 minute hydra got stuck and kept repeating itself on 1234, giving an error on each repeated try. I opened my RDP client and it WORKED!

I repeated the same for all available ranges by guessing the floor number based on the floor I was on, and I found a second PRINT-PC with the exact same password.

I ran PsExec against the first device, and with a little snooping I found very sensitive information left on that device and a user account from old staff who had used it. About 2GB of data had to be wiped properly after I reported the issue to the security staff.

After this I ran the Inveigh NetBIOS spoofer to grab NTLMv2 hashes for a PTH attack. As usual I got almost all hashes from all devices connected to my range with SMB open. Me always having bad luck, the script broadcast my listening IP under the PBX used by the staff, directly from their device and not the external Cisco phone, and after 5 minutes I heard some yelling that their phones weren’t working. :smiley:

But I still managed to pass the hash over SMB to get a CMD shell on one device for the lolz, and had to hear yelling from the IT department and the floor manager for about an hour, but it was still worth it.

Something that looks very innocent, like a Windows box used as a print server with a weak password, could easily become the worst nightmare for a company because of accidentally left and forgotten data that should’ve been deleted. Something done out of fun became an actual, very serious threat to the organization; this has almost never happened to me before.

All this was done with consent from Administrators and I had full permission.
DO NOT ATTACK PEOPLE’S NETWORKS WITHOUT CONSENT PERIOD.

20 Likes

Were you like :smirk: while IT and the floor manager were shouting? I liked this btw; I haven’t been near Windows/company networks enough from an attacker’s perspective yet.

2 Likes

I felt an orgasm while everybody was complaining; I was thinking “aye, this is your artwork”. LOL

7 Likes

Okay, now that’s epic haha. A similar thing happened to me back in high school, where I pwned the lab printers using PRET and jacked someone’s printout to have a smiley face on it.
This, of course, was NOT done with permission, but my teacher was always super nice to me, bless her.

1 Like

I don’t like to pull off pranks that much, but sometimes when I have permission to do whatever I want, my favorite shit is hacking PA systems that are linked to the network, or hijacking the signals with some shit my partner made, and starting to play the most popular rap song to hype everybody up and get my employer angry :slight_smile:

1 Like

Enjoyed this very much.

It kinda reminds me of the “Hacking John Doe” post someone did some time ago.

Fear the power of taps and clicks :joy: on point though!!

@cuckkoo you are very correct. Think about a gun: you’ve got 16, max 30 in the clip; if you’re a very good shooter, 30 out of 30, but then in the warzone you’re out of bullets and lose, so no real power. But on the other hand, let’s say you own a decent laptop with 8GB memory and have the right knowledge or skill set to perform intrusions. If that person knows what they’re doing and is creative enough, they might really f**k some shit.

1 Like

Unfortunately, this happens more than I’d like to hear about. I’ve been on internal assessments before and this sort of thing has happened. I’ve had shells on the network which contained excel sheets full of DA credentials, others with bank details, credit card info, etc.

How some of the companies think is beyond me.

This might sound nonsensical, but I feel like I am better at attacking than I would be at setting up a decent hardened system. I’d be nervous if I had to come up with that sort of thing.

1 Like

This is like every single network around my area cuz there are no tech companies around… lol

This was an IT company, that’s the funny thing.

That’s why there is a little something called the internet. :wink:
-Archangel

Sorry for the necro, but I totally enjoyed this read, especially the orgasm over the mysterious IT issues bit. :slight_smile: Interesting to have some insight on something as simple as that being a critical factor.

Even worse, poor Active Directory configurations. Mimikatz runs circles around domains that aren’t configured to best practice. Always check SAM/LSA, not to mention wdigest and Kerberos configs.

Long story short, even if IT people don’t think they’re leaving sensitive information on a machine (like their own service login), they probably are, no thanks to Microsoft running the worst defaults known to man.

1 Like
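A defender-side audit of the host settings this post (WDigest, SAM/LSA) and the opening post’s NetBIOS spoofing with Inveigh depend on, added here as an example and not any poster’s code: it reads WDigest credential caching, LSA protection, and whether LLMNR and NetBIOS over TCP/IP are still enabled, and changes nothing. It assumes an elevated PowerShell session on a Windows host; the registry paths and value names are the standard Microsoft ones.

```powershell
# Added example: read-only audit of credential-caching and name-resolution settings.
# Run elevated; nothing is modified.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent
}

$findings = @()

# WDigest: UseLogonCredential=1 makes LSASS keep plaintext passwords in memory,
# which is what Mimikatz reads back. On current Windows an absent value means off.
$wdigest = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' 'UseLogonCredential'
if ($wdigest -eq 1) {
    $findings += 'WDigest UseLogonCredential=1: plaintext passwords cached in LSASS'
}

# LSA protection: RunAsPPL=1 stops unsigned code (including a local admin's tools)
# from opening LSASS and dumping SAM/LSA secrets.
$ppl = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'RunAsPPL'
if ($ppl -ne 1) {
    $findings += 'LSA RunAsPPL not set: LSASS memory can be read by local admins'
}

# LLMNR: the DNSClient policy value EnableMulticast=0 disables it. While it is on,
# any host on the segment can answer failed name lookups and collect NTLMv2 hashes.
$llmnr = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast'
if ($llmnr -ne 0) {
    $findings += 'LLMNR enabled: name lookups can be answered by a spoofer on the segment'
}

# NetBIOS over TCP/IP is set per adapter; TcpipNetbiosOptions 2 means disabled.
foreach ($nic in Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE') {
    if ($nic.TcpipNetbiosOptions -ne 2) {
        $findings += "NetBIOS over TCP/IP enabled on adapter: $($nic.Description)"
    }
}

if ($findings.Count -eq 0) {
    'No findings: WDigest off, LSA protection on, LLMNR and NetBIOS disabled.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

On a domain, the same values are better enforced by Group Policy than fixed host by host; this script only tells you which hosts still need it.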

Same company: I got permission to attack all users on the network, but had to ask permission for which users I could collect data on as proof of the security issue, as almost half of the company develops software for businesses that can’t easily be hacked by an expert in 5 minutes. So the way I was going to hack mainly those three exact people and pwn the entire company was this: first I spoofed my MAC and scanned that floor’s range, then found a used IP with nmap, say a phone, and thought it was auto-logged-in on that place’s firewall for internet access, and used the spoofed MAC and set up the IP settings of that floor. Then it wasn’t someone’s login I didn’t want to mess with, so I changed the MAC under a new IP on a VM with a bridged connection. I installed my payload/beacon on it and used it to connect to a folder all employees share files with each other in, under folders named with their full name, given as a username in a format picked by the user. As my current usernames matched the network firewall login usernames, I randomly sprayed the password 123567 and another very simple password, found a login in less than a couple of seconds, and used it. Then I installed my stage-one toolkit (public but very hard to find, with very good features) and started sniffing NTLM hashes; the first thing to show up was a user with the IP and hostname of the domain controller. I hit the jackpot: I first tried the plaintext of the hash online with no results, then brute-forced it with the rockyou list. The username was the same as the damn password, and I was the domain controller. They were using outdated IIS 6 and MSSQL 2005 server, and nmap showed it was Windows 7. The rest is going to be this week’s story, as it was my last day of work in that company.

1 Like

Nice. Well, we know you made your last day memorable. :stuck_out_tongue_winking_eye:
Question: when you are pentesting companies, do you ever start to lose hope in humanity after seeing their lack of security (CTI included)?

-Archangel aka R0gu3

Just inspires some healthy paranoia for me.

1 Like

Don’t even have to be pentesting to be shocked at lax security sadly. I’ve seen people sharing accounts at a large defense contractor before, sharing pics of their nametags, plaintext logins built into git repos and all sorts of crazy shit.

1 Like

Yes, I lose hope in humanity; people are stupid.

1 Like