Thursday, February 4, 2010

The Mole Hill

One of the great things about having a pentesting background is that when forensic casework is light, I can snatch up some pentests from the SpiderLabs network pentest team.

In the pentest I am currently working on, I was reminded how attackers can turn a mole hill into a mountain. After scanning the network looking for hosts listening on ports 139 and 445 - since we all know that means they are more than likely Windows boxes - I generated a list of all those boxen. Next, I began arp spoofing the default gateway in search of valid usernames, and generated a second list. Then, I used a tool called Medusa with my two files and bada boom, I got a hit. A single hit, on a single box. I had more than 200 potential targets, and more than 300 valid usernames, but all it took was one. My mole hill.

Now, to turn it into a mountain, I tried to gain command shell access to that host from my jump time go. Then I opened a second shell and used smbmount to gain FTP-like access and put a tool on the target to dump the NTLM hashes. After dumping and extracting those, I ran them through Cain and BAM...I went from a single ID to more, including an ID in the Domain Administrators group!

To make my mountain even bigger, I used that ID to do the same thing I JUST did on the initial target, but this time, I targeted the Domain Controller. Using the poor DomAdmin guy's account, I was able to dump the NTLM hashes from the DC and increase my list of usernames and passwords from 1 to 10 to 45! I now can be whomever I want to be, and explore the network at my leisure...they have been p0wn3ed!

So now, there are a few things we can take away here:

1. This was not a sophisticated attack...I simply exploited a weak password. Once that was done, I was quickly able to turn that 1 compromised ID into many many more.

2. It was not a sophisticated attack because it didn't have to be! Harlan and I harp on Occam's Razor not because we like to say it, but because it's true. The easiest answer IS usually the right one.

3. All it takes to own a network is one weak password...just one...not a sophisticated 0day, not an uber hax0r with m@d skillz...just a bad password.

Mole hill into mountain in under an hour...not bad for a day's work...wonder what goodies I will find today!?


  1. Excellent post! Glad to see you posting here again.

    I wish I had the power to require good passwords where I work, but alas I am powerless. Further, I know some of the user passwords and they are horribly simple, but no one seems to care.

    Also, I'm currently reading Unix and Linux Forensic Analysis and wondered if you plan on a follow up or second edition anytime.
    Take care,

  2. Ken...I am hoping to write a second book, but not a follow on to ULFE. Most likely it will cover highlights on case work that I have done spanning the past five years. What works, common pitfalls, and new tools and techniques.

  3. That sounds really interesting. I'll be looking forward to it!