After executing security assessments (e.g. Penetration Testing, Red Teaming, etc.), I make it a habit to debrief my client’s senior management on the work done and my report. This creates an opportunity to discuss stuff such as the attack Tactics, Techniques and Procedures (TTPs) used, attack vectors used, findings, recommendations, remediation efforts, etc. More often than not, I get surprising looks from the leadership teams about some of the ways I got my initial foothold on the network or some of the tactics I used. For most of them, they expect some Tom Cruise Mission Impossible-style of hacking, bypassing firewalls, etc., only to find out how effortless it was for me to compromise their networks.
So, I usually take the time with my clients to shed some light on how modern-day attacks are usually carried out and how a small loophole as simple as one weak user credential can topple the entire network defense. The truth is, cyber-attacks are more about efficiency and not necessarily elegance. Thus, adversaries don’t look for the hardest ways to break in. They mostly look for the easiest ways to get in. We popularly term this approach the path of least resistance and one of these paths is login credentials. All it takes is just one set of user credentials and your entire network could fall to an adversary.
This write-up walks us through one of my many journeys in my external attack and penetration tests and how I compromised the organization in this write-up.
Back in 2018, a large healthcare organization contracted us to conduct an external attack and penetration test against its external network infrastructure. For the scope of the engagement, the organization provided us with their domain name and IP address ranges. Of course, the goal was to identify attack vectors to compromise the organization from the internet.
I need not to mention or iterate the importance of reconnaissance in every cyber-attack or penetration test alike. This phase of the cyber kill chain is where you gather intelligence about your target, both passively and actively. I usually use this opportunity to do lots of passive intelligence gathering using Open Source INTelligence (OSINT) tools and platforms. I barely use scanning tools against a target’s network at this phase since I can get almost all the necessary information to craft my attack strategy.
So, what am I usually looking for in this phase? Well, among the plethora of information that can be discovered from OSINT, below are the key items I normally pay attention to:
- Login portals (Citrix, OWA, VPN, SharePoint, etc.)
- Types of technologies (IIS, etc.)
- Email addresses
- Usernames (lots of ‘em)
Using tools, sites and platforms such as Google (google.com), Shodan (shodan.io), Censys (censys.io), connect.data.com, Fierce, Recon-ng, SimplyEmail, TheHarvester, SpiderFoot (spiderfoot.net), Email Hunter (hunter.io), VirusTotal (virustotal.com), FOCA, Maltego and Pastebin (pastebin.com), I was able to harvest lots of information about my client such as subdomains, email addresses, usernames, hosts, network services, open ports, leaked credentials from prior breaches, login portals, etc.
For the sake of this write-up and to keep the confidentiality of my client’s name intact, I’m using cisco.com and Email Hunter to demonstrate one of the many ways I got the username format and email addresses (and later extracted the usernames) of my target client. In the image below, you can see I got more that 9,000 email addresses and the username format for the target cisco.com.
Figure 1: Harvesting email addresses
After I had spent a considerable amount of time in the reconnaissance phase and had gathered lots of information, I used this phase to go through the plethora of data gathered and strategically mapped out my attack surface and the attack technique I would be using. While going through this data, I was interested in application and network services that usually authenticate to the organization’s LDAP or AD environment. This could be SMB, OWA, Autodiscover, VPN, Citrix, Jenkins, SharePoint, custom-made applications, etc. Once I had discovered such services and which ones to attack, I then organized all the email addresses and usernames I discovered from the reconnaissance phase. I made sure I had removed duplicate email addresses, usernames and also cross-checked that the external usernames and internal domain usernames are the same format or if there are differences, I got that checked too. At the end of this phase, I had discovered the client’s external OWA and Citrix applications, among others, and also gotten close to about 1,000 unique usernames. From here, I was ready to roll into the next phase of my kill chain.
This is where the actual action happens. For most attacks, this phase is where the adversary attempts to gain initial foothold. Lots of things are iterative in this phase since the TTPs used in this phase would vary based on the information gathered from the Reconnaissance and Target Development phases.
During a penetration test, efficiency is key and most of the time, keeping things simple is your best route. In the early days of penetration tests, finding vulnerabilities and exploiting them was usually the way to go. However, as adversaries evolved in their TTPs, we had to evolve as well. With that said, one of the basic, yet effective, attack techniques is an authentication-based attack, also known as password brute-forcing. In the typical password brute-force attack, you have one username and you try several possible passwords against that username, hoping that the user is using one of the passwords in your list. Well, administrators became wiser and started implementing account lockout policies, thus, after login attempts meet a certain threshold (say after five attempts), the account locks out. To counter this control, a new breed of authentication-based attack emerged called Password Spray (some call it horizontal, reverse brute-forcing, etc.). With this attack, an adversary gathers several usernames or email addresses (depending on the type of application or network service being attacked) and then tries one password against all the usernames or email addresses to identify which one of the users may be using such a password. This attack technique has had, and continues to have, high success rate in real world attacks and on most of my penetration testing engagements.
There are several tools to carry out this attack, however, for application-based password spray attacks, my favorite go-to tool is Burp Suite. Burp Suite gives me enough room for customizing my password spraying such as threading, throttling, grepping for strings, etc. When choosing passwords for this attack, I usually try Season + Year (e.g. Summer2018, Winter19, etc.), CompanyName + Numbers (e.g. Company123, Company2003, etc.), ideas from prior company breaches, locations, sports teams, etc. Honestly, there are no right or wrong ways in picking passwords for the password spray attack. After setting up and configuring everything within Burp Suite against the client’s Citrix web application, I kick-started the attack, slowly and steadily. My first round of spray gave me two valid user credentials with the password Winter2017. In the image below, request numbers 208 and 853 are the valid credentials, with three levels of redirects.
Figure 2: Password spray attack against Citrix login portal
Off to a good start!
Using the two user accounts discovered, I was then able to authenticate to the client’s Citrix applications as those users. However, to my dismay, none of the users had any applications in their Citrix application catalogue. What a bummer ☹. Since I already had two valid credentials, I used the MailSniper tool from Black Hills and dumped the client’s OWA Global Address List (GAL). This gave me additional usernames for my next round of password spray attack. This time, I tried the spray attack against the client’s OWA, using the password Companyname123 (I used the actual client’s name and appended numbers 123 to it). This yielded me two additional valid credentials. In the image below, request numbers 395 and 431 are the valid credentials.
Figure 3: Password spray attack against client’s OWA
This time, one of the users had an internal SAP application in their Citrix application catalogue and this SAP application opens with Internet Explorer.
At the lateral movement phase, the adversary or the penetration tester has gotten some level of access on the target, either from the application level or the network level, with either limited or full access. The goal from this point going forward is finding ways to move within the target’s network while evading internal network security controls. We (adversaries/pentesters) use the access gained to gather additional information to move within the target’s internal network. Basically, we are back to reconnaissance and this can be host-based intelligence gathering and/or network-based intelligence gathering. Again, the techniques used in this phase can vary based on many factors.
At this point, I had obtained application-level access and my next goal was to gain network-level access. Since I had experience in breaking out of Citrix environments, I saw this as my opportunity to break into the network-level. If you are interested in reading more about Citrix breakouts, the guys at NetSPI have a great blog on that (see On The Web section for the link to the blog). To execute the Citrix breakout attack, I opened the victim’s SAP account with Internet Explorer and tried to save the webpage’s source.
Figure 4: Viewing Citrix application’s webpage source
Then using the “Save As” option from the File menu, I navigated to C:\Windows\System32\ directory and called out Windows CMD utility (cmd.exe).
Figure 5: Calling CMD utility from Save As functionality
This pop opened CMD and gave me access to the backend Citrix server.
Figure 6: Broken out of Citrix
With access to the backend Citrix server, I whipped up a PowerShell Empire listener, generated a PowerShell launcher, executed it on the Citrix server and got a call back to my Empire listener from the Citrix server.
Figure 7: Running Empire PowerShell launcher on Citrix server
‘Nough has been said and written about Kerberoasting so I won’t dwell on its explanation here, but rather go straight to what happened next. Most of the time, a Citrix server is considered a high value system and as such, only a limited number of users have administrative privilege on the server. With that said, the user account with which I had gained access to the Citrix server was an unprivileged user. However, any domain user account can be used to request Service Principal Names (SPN), a Windows feature used by Kerberos Authentication to associate a service instance with a service logon account; for example, an SPN for a service account that runs IIS. Querying the AD for service accounts can be done locally with Windows’ built-in utility setspn.exe or remotely with tools such as Empire, Impackets, Metasploit, etc.
Using my Empire session, I dumped the SPNs and went about cracking the password hashes with Hashcat. Below is an example command used for cracking the password:
hashcat -m 13100 -a 0 spn.output password.list -r best64.rule -o kerb.cracked
While reviewing the SPN query output, I noticed some of the accounts belonged to the Administrators group and Hashcat happened to have cracked password hashes for one such account (IIS_Admin).
From my initial information gathering, I had obtained certain critical intel about the internal network such as the list of Domain Admins, Enterprise Admins, Domain Controllers, etc. So, to effectively use the newly obtained credentials to compromise the domain, I needed to identify which systems the Domain Admins and/or Enterprise Admins had logged sessions or had previously logged in. Tools such as netview.py, Invoke-EventHunter can be used to accomplish that objective. After I had identified a few systems where Domain and Enterprise Admins had sessions, I kicked off CrackMapExec against those systems, using the IIS_Admin account and the cracked password.
Figure 8: Credential abuse with CrackMapExec
I identified a few systems where the IIS_Admin account had administrative privileges and, using the Mimikatz module in CrackMapExec, extracted credentials from those boxes.
King’s Landing Falls!!!
Among the credentials extracted was one that belonged to a Domain Admin! The last thing I needed to do was to confirm the validity of the new Domain Admin credentials against a Domain Controller and also dump the NTDS database for offline password cracking and analysis.
Figure 9: Dumping NTDS database
Data Hunting and Exfiltration
One of the primary goals of an adversary is to access and/or extract sensitive/critical data, which we loosely call the “crown jewels” of the target. This could be:
- User credentials
- Secret formulae
- Customer data
- Personally Identifiable Information (PII)
- Medical Records
- Financial data
- Intellectual Property
The exfiltration phase is where data is moved from the target’s network environment to the attacker-controlled systems (e.g. C2 server). This is usually part of the data hunting activities.
Gone are the days where penetration testing used to be all about gaining a Domain Administrator (DA) level access and calling it a day. Now, penetration tests need to demonstrate the business risk and impact your client could have suffered if your tests and attacks were executed by a real-world adversary. With that said, this is one of the critical phases in our tests.
As a penetration tester, it might be necessary to confirm with your client if data exfiltration is required by the Rules of Engagement (RoE) before you move data out of their environment. If allowed, I carefully analyze what type of data to exfiltrate to demonstrate business risk and impact to the client. Depending on the environment and the systems compromised, different exfiltration techniques can be used for different situations.
As you may have noticed throughout this write-up, I did not run a single vulnerability scan on this test. Why am I bringing this up? Well, there have been several instances where I have seen some penetration testing reports or work that claimed to be a penetration test but in actuality, they were vulnerability assessments. The debate about the differences between penetration test and vulnerability assessments has been going on for quite some time so I will leave it alone.
However, I always tell people that, in our line of work, we learn every day from each other and from engagements and there are several ways to skin a cat. I just wanted to share one of the many ways I execute external attack and penetration tests. I am not an expert so please, do not hold me up to a standard if my write-up disappoints you ☺!
Until then, thanks for reading.
About the Author
Stephen Kofi Asamoah is a Snr. Cybersecurity Consultant with IBM X-Force Red. He has over a decade of experience in the IT security industry, specializing in Offensive Cybersecurity operations across the globe and various industries.
He has extensive knowledge and experience in translating technical threats into business risks and aiding organizations in the development of administrative and detective controls through security operations and incident response strategies, policies and procedures development to combat cyber threats.
On the Web
Citrix Break: https://blog.netspi.com/breaking-out-of-applications-deployed-via-terminal-services-citrix-and-kiosks/
Neal Bridges (https://www.linkedin.com/in/nealbridges/) for coining the phrase “Target Development.”
Jimmy Tharel (https://www.linkedin.com/in/jimmy-tharel-1110ab1/) for reviewing this for me.