Red Team Go

slinuxuzerslinuxuzer Member Posts: 665 ■■■■□□□□□□
I have been watching Cbt nuggets CEH series. James Conrad is the man.

I wanted to see if anyone wanted to share some of their Red team or Pen testing experiences. I have been involved with one and I will share my experience. I will keep it to technical details only, no company names or anything that would violate NDA.

This was a two man team, my focus was to be primarily on the internal windows infrastructure. I was given a cubical and a standard user account.

Step one. map network and key systems.
As a general user account I was able to install GFI languard and a few other tools, port scanners etc. I was not local admin and this prevented me from installing any kind of perl interpreter (this is important later)

With command line access I was able to run several proprietary windows commands that allowed me to locate the domain controllers.

Also, some purusing of the harddrive revealed the local admin password in a ghost image answer file, unencrypted.

Step two. Gain or expand access

Since the local admin password was such and easy find, I decided to hack it anyway.
The directory C:\Documents and Settings\All Users\Start Menu\Programs\Startup was unsecured and accessible to all users, so I wrote a quick batch script (probably better written in .VBS since I believe it will run silently, .bat scripts were already in place so I figured this would go unnoticed) the script basically added a local user and then added that user to local admin. I then trashed several essentail programs on this "shared Pc" and the night shift operator promptly called IT who logged in as local admin to fix the issue (too bad they didn't login as Domain admin, I would have cracked the entire network right there.)

Now with my new local admin account, I proceeded to install lophtcrack and crack the local passwords for fun. Arp posining the network and sniffing turned out to be ineffective and wireless was not in widespread use at the time.

So it was time to start vulnerability scanning, I turned up one NT4 box, running IIS and logged in as Domain admin, also vulnerable to RDS exploit. I installed my perl interpreter and was promplty given a command shell. GameOver!

I opened a share with the net share command that gave me write access and then uploaded lsadump and pwdump, lsadump worked like a charm giving me the password of the logged in domain admin, I then Dumped several hundred user account password hashes and wouldn't you know it the domain admins used the same password over almost all domains.

I will spare you the rest of the details as they are fairly uninteresting, but I will tell you their IT dept looked like a bunch of kids whose swimming trip had just been cancelled.
Sign In or Register to comment.