
Last updated on 10/31/24

Compromise the First Account

With your notes on the elements of the target information system, you can now choose your first targets in order to compromise your first account on the domain.

Take Control of a Machine

During the network discovery, you probably identified the machines on the network, the services provided by these machines, and what versions of operating systems and services they are running.

Exploit a Missed Update

Here are a few vulnerabilities that I regularly find among these services, which allow me to take control of the machine when exploited:

MS17-010 is a vulnerability in the SMB service on Windows machines. It was patched in 2017, but you’ll regularly find machines in an information system that are no longer being updated. You can use the nmap tool to identify vulnerable machines.

nmap --script smb-vuln-ms17-010.nse -p445 10.10.10.0/24

The Metasploit framework will be particularly helpful when exploiting this vulnerability.

Screenshot: Using Metasploit to Exploit MS17-010

There are other Windows vulnerabilities that enable you to control a machine remotely, such as CVE-2019-0708 (known as BlueKeep and affecting the RDP protocol) or CVE-2020-1350 (known as SIGRed and affecting the DNS service). Although these vulnerabilities are critical, they are more difficult to exploit than MS17-010.

Use the Default Login Credentials

Watch out for web login screens when discovering servers and services. These are web pages where you have to enter a username and password to access the site. You’ll often see this type of page when you want to access an application’s admin area.

For many solutions, there are default login credentials that can be used when the application is first installed. They should of course be changed, but administrators don’t always do it. This is the reason why, whenever I come across an authentication interface, I check the name and version of the web application and search for the documentation to find the default login credentials. Trust me, it works more often than you’d think!

This will allow you to log in to administration interfaces for several types of applications:

  • Application servers, allowing you to add a new application to the server and run code remotely. Tomcat, Jenkins, and JBoss are typical examples.

  • Print servers, which are sometimes connected to the Active Directory to look up the company’s users and their email addresses. Their admin interface will then reveal the directory account the printer logs in with.

  • Network equipment such as switches or routers. This will allow you to read their configuration and discover hidden VLANs.

  • Administration tools such as iLO interfaces or vCenter servers.

Exploit a Weak Password Policy

During the reconnaissance phase, you discovered the company’s password policy. This will allow you to try finding your first valid but weak login credentials.

You can use password spraying for this. This means that you will try to use simple passwords on all or some of the domain’s users.

What do you mean by simple passwords?

A simple password is one that is very easy for the user to remember or a password that uses a common or proper name and perhaps a number and a symbol. It could also be a series of numbers.

Okay, but what password am I actually testing?

You’re right, this does leave many possibilities! You’ll need to carefully choose which password(s) to test. Here are a few ideas that I use during my audits.

  • I take the company name, capitalize the first letter, and add the current year at the end. For example, Medicex2022. I also test with an exclamation mark at the end: Medicex2022!.

  • I can do the same with the name of the city where the company is located (e.g., Seattle2022 or Seattle2022!).

  • Sometimes, I also test very simple combinations of the most commonly used passwords in the United States. I avoid testing passwords that are only numbers. These rarely work, in my experience.

    • monkey

    • ashley

    • qwerty

    • password123

    • chicago

You can let your imagination run wild and adapt your testing to your own situation. If you know that the password for all new hires is Welcome123 and the policy states that they have to change it when they arrive, it’s worth giving it a try!

There are many tools available that check the validity of a password across multiple accounts, such as SprayHound.

sprayhound -U ./users.txt -p Medicex1 -d medic.ex -dc 10.10.10.2

The password Medicex1 will be tested on the user list contained in the users.txt file.

If you’ve already compromised a domain account, SprayHound can retrieve the list of all domain users for you. Simply provide it with the username (-lu) and password (-lp) that you know. In addition, because you have a valid account, the tool can read the password policy and make your testing more intelligent: it will not continue to test accounts that would become locked on the next failed attempt.

sprayhound -p Medicex2022 -d medic.ex -dc 10.10.10.2 -lu pixis -lp P4ssw0rd

Screenshot: Example use of SprayHound

Finally, a technique that sometimes works is user-as-pass. This involves looking for users with a password that matches their username. This often occurs, and you may find accounts like test with the password test or servicesql with the password servicesql.

SprayHound can perform checks for this. To achieve this, you can use the same command lines as above, except that you don’t specify a password to test. You can then provide a list of usernames (-U) or a first account (-lu and -lp).

sprayhound -U ./users.txt -d medic.ex -dc 10.10.10.2
sprayhound -d medic.ex -dc 10.10.10.2 -lu pixis -lp P4ssw0rd
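From the defender’s side, the property that makes a spray hard to block (one or two failures per account, never reaching the lockout threshold) is also what gives it away: one source failing against many distinct accounts in a short window. The following is an added example, not part of this course or of SprayHound; it runs over constructed Windows Security 4625 (failed logon) lines in a simplified pipe-separated format, and assumes the spray goes over NTLM or LDAP (Kerberos-based sprays show up as 4771 events instead).

```python
# Added example: spray detection over Windows Security 4625 events. Counting
# failures per account misses a spray; counting distinct accounts per source
# catches it. Log lines are constructed, not taken from a real domain controller.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, "timestamp|EventID|TargetUserName|IpAddress|Status".
# Status 0xC000006A = wrong password, 0xC0000064 = no such user, 0x0 = success.
SAMPLE_LOG = """\
2024-10-31T09:00:01|4625|alice|10.10.10.55|0xC000006A
2024-10-31T09:00:02|4625|bob|10.10.10.55|0xC000006A
2024-10-31T09:00:02|4625|carol|10.10.10.55|0xC000006A
2024-10-31T09:00:03|4625|dave|10.10.10.55|0xC000006A
2024-10-31T09:00:03|4624|erin|10.10.10.55|0x0
2024-10-31T09:00:04|4625|frank|10.10.10.55|0xC0000064
2024-10-31T09:05:00|4625|grace|10.10.10.77|0xC000006A
2024-10-31T09:06:00|4625|grace|10.10.10.77|0xC000006A
"""
BAD_PASSWORD = {"0xC000006A", "0xC0000064"}

def parse_events(text):
    """Yield (time, event_id, user, source_ip, status) per line."""
    for line in text.splitlines():
        ts, eid, user, ip, status = line.split("|")
        yield datetime.fromisoformat(ts), int(eid), user, ip, status

def detect_spray(text, window=timedelta(minutes=5), min_accounts=5):
    """{source_ip: sorted targeted accounts} for every source that fails logons
    against at least `min_accounts` distinct accounts inside a `window`-long span."""
    failures = defaultdict(list)
    for ts, eid, user, ip, status in parse_events(text):
        if eid == 4625 and status in BAD_PASSWORD:
            failures[ip].append((ts, user))
    hits = {}
    for ip, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):      # window starting at each failure
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_accounts:
                hits[ip] = sorted(users)
                break
    return hits

def spray_successes(text, **kw):
    """Successful logons (4624) from a sprayed source: the accounts the spray guessed."""
    sprayed = detect_spray(text, **kw)
    return [(ip, user) for _, eid, user, ip, _ in parse_events(text)
            if eid == 4624 and ip in sprayed]
```

A per-account rule would see at most one failure for alice, bob, carol, dave and frank and stay silent; the per-source rule flags 10.10.10.55 and the success for erin that followed, while grace’s repeated failures from 10.10.10.77 (a user mistyping) do not trigger it.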

Use the Network to Your Advantage

If you still haven’t recovered an account, or if you’d like to discover other accounts in order to acquire more privileges, you can exploit default Windows behavior at the network level.

LLMNR and NBT-NS

The first thing to consider is the LLMNR (Link-Local Multicast Name Resolution) and NBT-NS (NetBIOS Name Service) protocols. Both are name resolution protocols. A Windows machine uses several methods to find the IP address associated with a domain or machine name. It first checks for an entry in the hosts file, then queries DNS. If that doesn’t work, it falls back to NetBIOS and LLMNR. With these protocols, Windows sends the name resolution request to every machine on the local network segment (by multicast for LLMNR, by broadcast for NBT-NS), so any machine on the segment can answer it.

Diagram: How the NBT-NS and LLMNR Protocols Work

This video explains when and how you can intervene to recover key information.

The Responder tool lets you do this automatically, by specifying which network interface it should use to listen for LLMNR and NBT-NS requests.

./Responder.py -I eth0

Sometimes you’ll receive plaintext login credentials, but more commonly they will be NTLMv1 or NTLMv2 challenge-response hashes, depending on the NTLM version in use on the targeted machines. These hashes must then be cracked offline with a dedicated tool such as hashcat (mode 5600 in the command below is NTLMv2).

hashcat -m 5600 ./NTLMv2-hash.txt /home/pixis/wordlist.txt
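Because a poisoner answers every LLMNR query it sees, a defender can detect one with a canary: query for a name that cannot exist and treat any reply as a poisoner. The block below is an added example, not part of this course or of Responder; it builds the LLMNR query (RFC 4795, same layout as a DNS message), parses a reply down to the A-record addresses, and assumes it runs on a host attached to the segment being checked.

```python
# Added example: LLMNR canary probe. On a clean network a query for a random
# name gets no reply; any reply carries the poisoner's address in its A record.
import os, socket, struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355

def encode_name(name):
    """DNS label encoding: length-prefixed labels terminated by a zero byte."""
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split(".")) + b"\x00"

def build_llmnr_query(name, txid):
    """Header (id, flags=0, qd=1, an=ns=ar=0) plus one question of type A, class IN."""
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)

def skip_name(data, off):
    """Offset just past a name; a 2-byte compression pointer (0xC0..) ends it."""
    while data[off] != 0:
        if data[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + data[off]
    return off + 1

def parse_llmnr_answer(data, txid):
    """IPv4 addresses in the A records of a response matching our transaction id."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:        # wrong id, or not a response
        return []
    off = 12
    for _ in range(qd):                          # echoed question: name + type + class
        off = skip_name(data, off) + 4
    ips = []
    for _ in range(an):
        off = skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return ips

def probe(timeout=2.0):
    """Send one query for a random name; return (replier_ip, [answered_ips]) or None."""
    txid = int.from_bytes(os.urandom(2), "big")
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_llmnr_query("canary-" + os.urandom(4).hex(), txid), (LLMNR_GROUP, LLMNR_PORT))
    try:
        data, (src, _) = sock.recvfrom(1024)
        return src, parse_llmnr_answer(data, txid)
    except socket.timeout:
        return None
```

Run `probe()` periodically from a monitoring host; the durable fix is to turn LLMNR and NetBIOS name resolution off by policy so there is nothing to poison.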

IPv6

In an enterprise environment, Windows’ default behavior is rather surprising. While most companies are configured only for IPv4, Windows enables both IPv4 and IPv6 by default. But that’s not all: IPv6 takes precedence over IPv4. Consider a company where every machine receives only IPv4 configuration settings. As an attacker, you can provide IPv6 configuration settings to all workstations, and yours will take precedence over the existing IPv4 configuration.

An IPv6 configuration can specify the DNS server or the default route, which makes this a great method to place yourself back in the man-in-the-middle position.

The mitm6 tool exploits this behavior.

mitm6 -i eth0

It will listen on the provided network interface and respond to DHCPv6 requests. The Responder tool can be run at the same time to collect password hashes.
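The attack succeeds because clients accept a DNS server from whoever answers their DHCPv6 Solicit first. A defender watching UDP port 547 traffic can parse Advertise and Reply messages and flag any DNS server that was never authorised; on a network that does not run DHCPv6 at all, every Advertise is hostile. This is an added example, not part of this course or of mitm6; the sample Advertise is constructed and the option layout follows RFC 8415 and RFC 3646.

```python
# Added example: flag rogue DNS servers in DHCPv6 Advertise/Reply messages.
# Message layout: msg-type (1 byte), transaction-id (3 bytes), then options
# encoded as option-code (2), option-len (2), value. Sample packet is constructed.
import ipaddress
import struct

ADVERTISE, REPLY = 2, 7
OPT_SERVERID, OPT_DNS_SERVERS = 2, 23

def parse_dhcpv6(packet):
    """Return (msg_type, transaction_id, {option_code: [raw_value, ...]})."""
    msg_type, txid = packet[0], int.from_bytes(packet[1:4], "big")
    opts, off = {}, 4
    while off + 4 <= len(packet):
        code, length = struct.unpack("!HH", packet[off:off + 4])
        opts.setdefault(code, []).append(packet[off + 4:off + 4 + length])
        off += 4 + length
    return msg_type, txid, opts

def offered_dns_servers(packet):
    """IPv6 DNS servers a server offers; client messages (Solicit, Request) carry none."""
    msg_type, _, opts = parse_dhcpv6(packet)
    if msg_type not in (ADVERTISE, REPLY):
        return []
    servers = []
    for raw in opts.get(OPT_DNS_SERVERS, []):
        for i in range(0, len(raw) - len(raw) % 16, 16):   # list of 16-byte addresses
            servers.append(str(ipaddress.IPv6Address(raw[i:i + 16])))
    return servers

def rogue_dns_servers(packet, allowed=frozenset()):
    """Offered DNS servers not on the allow-list; an empty allow-list flags all of them."""
    return [s for s in offered_dns_servers(packet) if s not in allowed]

# Constructed Advertise: txid 0x0a0b0c, a DUID-LL server id (type 3, Ethernet) and a
# single DNS server on a link-local address, the shape a rogue responder produces.
SAMPLE_ADVERTISE = (
    bytes([ADVERTISE]) + b"\x0a\x0b\x0c"
    + struct.pack("!HH", OPT_SERVERID, 10) + struct.pack("!HH", 3, 1) + bytes.fromhex("0011223344ff")
    + struct.pack("!HH", OPT_DNS_SERVERS, 16) + ipaddress.IPv6Address("fe80::dead:beef").packed
)
```

On switches that support it, DHCPv6 Guard and RA Guard stop these messages before they reach clients; where IPv6 is genuinely unused, disabling it on workstations removes the attack surface entirely.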

Before exploiting another attack path, let’s ask Charlie how to compromise the first account and what to do in the first few minutes of an internal penetration test:

Let’s Recap!

Now you know several techniques that can be applied to take control of your first account. This is the order in which I personally apply them during my pentesting:

  • Exploit vulnerable systems and applications.

  • Use default passwords.

  • Use password spraying to compromise a user.

  • Compromise a user or machine through a network attack in a man-in-the-middle position.

Congratulations! You’ve managed to get a foothold in the company by compromising a first account! Rest assured, the journey doesn’t end here. You can conduct a new reconnaissance phase with these recently recovered login credentials and then proceed to a lateral movement phase to potentially compromise even more of the information system.
