Use only one WiFi, penetrate into the enterprise all intranet

Source: Internet
Author: User

In recent years, intrusions into enterprise intranets launched through the enterprise wireless network have become frequent. A search on one vulnerability platform showed that in 2015 alone, dozens of well-known enterprises had their intranets compromised because of WiFi-related security issues, with very damaging consequences for the companies involved.

By 2016, wireless networks had become an important part of the infrastructure for enterprise mobile office work, but these networks generally lack effective management, and wireless is increasingly becoming the entry point through which hackers break into the enterprise intranet.

In the first half of this year, Day Patrol Laboratory delivered wireless security services to several large and medium-sized enterprises and found that the actual situation is more serious than imagined. Here, with the authorization of one of those customers, we share a black-box penetration test that used wireless as the entry point.

Attack Process

We found two wireless networks near the target company and confirmed that one was an open WiFi network authenticated via a captive portal, while the other was an 802.1X network. We tested them separately.

Portal Security Detection

After connecting to the open hotspot, we were redirected to the portal authentication page.

We soon found a very common "vulnerability": the portal's login response reveals whether a user name exists.

The response when the user does not exist:

The response when the user exists:

From their naming rules, user names are simply the employee's full name spelled out. Using a top-1000 Chinese-name list, we used Burp to enumerate and collect a set of existing users, and then used those users for brute-force cracking.

As you can see, brute forcing was rate-limited, but a "many user names, one password" strategy does not trigger their rules. We soon obtained an account password and logged in successfully. The portal also had many ACL problems: the IP address assigned on connecting to the portal could already reach intranet resources (for a penetration tester, Internet access does not matter, only access to your intranet does), so in that situation you do not even need a portal user name and password.

Analysis showed that this network is isolated from the enterprise's office network and is generally provided for employees' day-to-day Internet use. For the purpose of this penetration test, this segment did not reach our target, so we turned to the other wireless network, which uses 802.1X authentication.

802.1X Hack

When enterprises deploy 802.1X wireless networks, for compatibility and the convenience of integrating with domain accounts, they generally use the PEAP-MSCHAPv2 architecture. PEAP authentication is divided into two phases:

Phase one: server authentication and establishment of a TLS tunnel. The server sends its certificate to the client so that the client can authenticate the server.

Phase two: client authentication. Inside the TLS tunnel established in phase one, the client authenticates to the server through one of a variety of inner methods (typically EAP-TLS or EAP-MSCHAPv2).

The main problem with PEAP today lies in the client's verification of the server certificate. PEAP provides transport-layer security for authentication through an SSL-like mechanism, which requires the enterprise either to buy a certificate from a CA or to build its own PKI, sign a certificate for the wireless service, and deploy the root certificate to every client. Most businesses choose to self-sign a certificate, but "deploying the root certificate to every client" is so cumbersome that it is simply ignored.
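As an added example that is not part of the original post: the weak setting described above is a supplicant that accepts any server certificate. The constructed wpa_supplicant snippet below shows a PEAP network block without ca_cert beside the hardened form (ca_cert plus domain_suffix_match), and a small audit that flags the weak block; the SSID, CA path and RADIUS host name are assumed.

```python
# Audit wpa_supplicant network blocks for PEAP entries that skip server-certificate
# validation, which is what a same-name rogue hotspot relies on. Added example; the
# config text is constructed and the names in it are assumptions.
import re

# Constructed sample: first block is the common weak setup, second is hardened.
SAMPLE_CONF = """
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
}
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/certs/corp-root-ca.pem"
    domain_suffix_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}
"""

def parse_networks(conf):
    """Return one dict of key/value pairs per network={...} block."""
    blocks = []
    for body in re.findall(r"network=\{(.*?)\}", conf, re.S):
        pairs = (l.strip().split("=", 1) for l in body.splitlines()
                 if "=" in l and not l.lstrip().startswith("#"))
        blocks.append({k: v.strip().strip('"') for k, v in pairs})
    return blocks

def audit_peap(conf):
    """Return (ssid, reason) for every PEAP block that does not pin the server."""
    findings = []
    for net in parse_networks(conf):
        if net.get("eap", "").upper() != "PEAP":
            continue
        ssid = net.get("ssid", "?")
        if "ca_cert" not in net:
            findings.append((ssid, "no ca_cert: any certificate is accepted"))
        elif not (net.get("domain_suffix_match") or net.get("altsubject_match")):
            findings.append((ssid, "ca_cert set but server name not pinned"))
    return findings

if __name__ == "__main__":
    for ssid, reason in audit_peap(SAMPLE_CONF):
        print(f"WEAK {ssid}: {reason}")
```

Run against a real /etc/wpa_supplicant/wpa_supplicant.conf, any PEAP block reported here would hand its MSCHAPv2 exchange to whichever access point answers first.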

The attack method is to set up a rogue hotspot that tricks users into connecting and establishing a TLS tunnel, capture the MSCHAPv2 authentication hashes transmitted in phase two, and then crack the passwords with a dictionary.

Here we used hostapd-wpe to set up an 802.1X hotspot with the same name, then quietly waited downstairs for employees who came out to smoke or take a walk to take the bait.

Before long we had 8 hash values. We first ran them against a top-100w (one million) dictionary; if that had not cracked them, we would have spent a little over 10 yuan to have someone else run them.

Fortunately, on the 4th hash we found a weak password that was in the top-100w list. Combined with the plaintext user name captured earlier, we could now access this wireless network.

Information Collection

As mentioned earlier, one reason for using the PEAP-MSCHAPv2 architecture is that it integrates with domain accounts, so this password is also the employee's domain password and can log in to the company's OA, mail and other systems. We did not find the information we wanted there, so we set that aside and looked at the other machines on the network segment, scanning the intranet for hosts with open HTTP services.

Jenkins Hack

Through the earlier information gathering we found a Jenkins instance on the intranet. Jenkins is a Java-based continuous integration tool that monitors repetitive jobs. When Jenkins is improperly configured, unauthenticated command execution is possible by default, but here the administrator had restricted it and it could not be exploited. So in order to execute commands, we needed an account that was allowed to do so.

Because of improper configuration, the user list could be obtained without logging in. After harvesting all user names, we used Burp again to brute-force weak passwords (process omitted). We successfully obtained 3 accounts, logged in to Jenkins with one of them, and accessed Xxxx.com/script, for example:

We could execute commands as a low-privileged user, and sent a reverse shell back to our own machine to escalate privileges. Because wget was not available in the environment, we used Groovy to write the reverse-shell script to the server.

Using a Linux kernel local privilege escalation vulnerability, we obtained root privileges. The next step was to collect sensitive files such as configuration files, shell history, shadow, and so on.

SSH Key

Using passwords cracked from the shadow file, we used Hydra to attempt SSH logins in bulk across the network segment. After logging in to one machine, we found a private key file.

If you use PuTTY with a private key file copied from Linux, you need to convert its format with puttygen.exe, for example into an AAAAAA.PPK file.

Zabbix

Zabbix is an enterprise-class open source solution that provides distributed system monitoring and network monitoring through a web interface. Its common vulnerabilities include weak passwords (admin / zabbix), CVE-2013-5743, and so on.

Why do I like Zabbix the most? Because Zabbix can run custom scripts and execute commands from its back end (the agent itself is capable of this). Zabbix is like an Internet cafe's network management tool: through it you can send any instruction to the clients and have it executed. From a hacker's point of view this is a super backdoor, so even when network segments are isolated, taking over Zabbix almost always means taking over a large number of machines.

On a machine we logged in to with the private key we found Zabbix, and the Zabbix server address was in its configuration file, so the task turned to finding the Zabbix account password. By collecting information from the shell history of many machines, we obtained the Zabbix account and finally got into Zabbix. (To avoid leaking sensitive information, a picture from the original network is shown here instead.)

Conclusion

1. No reasonable domain password policy was set, resulting in a large number of weak passwords.

2. The VLAN partitioning of the intranet is not strict.

3. A large number of intranet systems are not patched in time.

4. Operations and maintenance staff use the same set of passwords for every system.

Much other work was done in this penetration test, but because some of it involves sensitive customer information it is not described in detail here; only the core parts are disclosed. Some other vulnerabilities are also not fully recorded, such as Elasticsearch code execution, SQL injection in internal systems, writable shared drives, Java debug ports, and so on.

But perhaps the most noteworthy part of this article is the initial wireless network intrusion. Although attacks on 802.1X are not yet widespread in this country, it is foreseeable that the lack of security protection for wireless networks will become a serious problem.

For a more detailed introduction to 802.1X network penetration, see the previously published "Enterprise-class wireless penetration of PEAP".

* 360 Day Patrol Laboratory (enterprise account). Reproduction must credit FreeBuf Hackers and Geeks (freebuf.com).
