One of the great things about having a pentesting background is that when forensic casework is light, I can snatch up some pentests from the SpiderLabs network pentest team .
In the pentest I am currently working on, I was reminded how attackers can turn a mole hill into a mountain. After scanning the network looking for hosts listening on ports 139 and 445 - since we all know that means they are more than likely windows boxes - I generated a list of all those boxen. Next, I began arp spoofing the default gateway in search of valid usernames, and generated a second list. Then, I used a tool called Medusa with my two files and bada boom, I got a hit. A single hit, on a single box. I had more than 200 potential targets, and more than 300 valild usernames, but all it took was one. My mole hill.
Now, to turn it into a mountain, I tried to gain command shell access to that host from my jump box...bingo...first time go. Then I opened a second shell and used smbmount to gain FTP-like access and put a tool on the target to dump the NTLM hashes. After dumping and extracting those, I ran them through Cain and BAM...I went from a single ID to more than 10...to include an ID in the Domain Administrators group!
To make my mountain even bigger, I used that ID to do the same thing I JUST did on the initial target, but this time, I targeted the Domain Controller. Using the poor DomAmin guy's account, I was able to dump the NTLM hashes from the DC and increase my list of usernames and passwords from 1 to 10 to 45! I now can be whomever I want to be, and explore, the network at my leasure...they have been p0wn3ed!
So now, there are a few things we can take away here:
1. This was not a sophisticated attack...I simply exploited a weak password. Once that was done, I was quickly was able to turn that 1 compromised ID into many many more.
2. It was not a sophisticated attck becasue it didn't have to be! Harlan and I harp if Occam's Razor not because we like to say it, but becasue it's true. The easiest answer IS usually the right one.
3. All it takes to own a network is one weak password...just one...not a sophisticated 0day, not a uber hax0r with m@d skillz...just a bad password.
Mole hill into mountain in under an hour...not bad for a days work...wonder what goodies I will find today!?