How to penetrate the enterprise intranet via WiFi?

Source: Internet
Author: User
Tags: password protection, to domain, kali linux, netscan

Introduction

A black-box penetration test means that the white hat knows nothing about the target network in advance. The tester simulates an attacker breaking into the network and obtaining sensitive information, then explores the intranet further, identifies vulnerabilities in it, and uses those vulnerabilities to reach the network's important resources.

Objective

In this article, we assume that the white hat has no information about the target network. The aim is to obtain sensitive information from the target network, take over the whole domain, and compromise the important resources inside it. Let's get started.

Conditions

Before we start the audit, we know nothing about the target network and can only physically access its guest area.

Starting the attack

We check for available network connections. There is no wired network interface we can connect to, so we turn our attention to the wireless network.

For wireless network discovery, we use the Aircrack-ng toolset in Kali Linux together with an Alfa wireless USB adapter. With this setup we look for available wireless networks.

Wireless enumeration reveals a hidden SSID, "Corporate WLAN", that is reachable from the guest area. This SSID uses WPA2-PSK authentication, whose pre-shared key can be brute-forced, which would give us access to the corporate network.

We first capture the WPA2 handshake for the "Corporate WLAN" SSID.

Next, we crack the captured handshake and recover the password for the "Corporate WLAN" SSID.

Now that we are on the target company's internal network, we enumerate it further to find a foothold.

To identify the potential attack surface, we look at the IP addressing, the domain, and the mail server of the target network. Because DHCP is running, we already have an IP address, and a simple "nslookup" command reveals the target domain's name servers, which helps further enumeration.

We then start a basic network discovery scan of the network range the name servers belong to (e.g. *.*.40.1-254). For this we use the Netscan tool. Netscan is very useful for network reconnaissance: it has a simple interface, checks common ports, supports logging in with credentials, and outputs results in a user-friendly format.

We can see multiple target systems within this network segment, including web servers, databases, application servers, and so on. Most of them have RDP port 3389 open, which will help us access these systems remotely.

At the same time, it is important to note the IP addresses of high-value targets, which will be very useful in the later post-exploitation phase.

Vulnerability assessment

Now that we have many targets, we need to carefully identify the weak ones and then attack them.

At this stage, we assess the vulnerabilities that could be exploited on these systems, using well-known tools such as Nessus and OpenVAS. During the assessment we note that many of these systems run outdated third-party software and operating systems, which makes them easy targets. This process can be time-consuming because many of the findings reported by automated tools are false positives, so each one must be evaluated carefully.

The vulnerability assessment exposes a number of potential vulnerabilities, one of which is MS09-050, and we try to exploit it next.

Exploitation

We use the well-known Windows vulnerability MS09-050 (SMBv2 allows arbitrary code execution), whose details can be found here. This machine has obviously not been maintained for a long time, so the patch was never applied.

After many attempts, we finally exploit the vulnerability and obtain a shell with local administrator privileges.

To keep persistent access to this compromised system, we create a backdoor user and add it to the local Administrators group.

Now we can log in to the system with the backdoor user and enumerate it further.

Post-exploitation

We are now inside a domain-joined system and have added a backdoor user. Let's move on to post-exploitation on this system. Our goal is to obtain its local administrator password and then check whether the same credential lets us log in to other systems in the domain.

Mimikatz is a well-known tool that can obtain plaintext passwords from LSASS. However, the target system runs antivirus software that blocks Mimikatz. Moreover, the antivirus is password-protected, which means we can neither disable it nor add Mimikatz to its whitelist.

So we decide to use a Meterpreter shell to get the password hashes instead. To obtain the Meterpreter shell, we create a malicious Meterpreter payload and run a handler on our attacking machine. We then host the payload on our attacker web server and fetch the file from the compromised system with a browser.

Now we have a Meterpreter shell on the compromised system and can dump the hashes.

After obtaining the Administrator hash, we crack it successfully.

Escalating privileges

We now have a local administrator credential for a domain system. The next step is to check whether this credential can be used to access other systems. We use Netscan again to find targets where the local administrator credential lets us log in.

As we can see, many other systems in the domain use the same local administrator username and password. This means we have breached multiple systems within the domain at once.
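The two patterns described above, a backdoor user created and added to the local Administrators group, and one shared local administrator credential logging on to many hosts over the network, are what a defender would hunt for in the Windows Security log. The following is an added example, not code from the original article: it runs two such checks over a constructed set of simplified event records (the field names and the use of an account name instead of a SID in event 4732 are assumptions for readability).

```python
from collections import defaultdict

# Constructed sample events, shaped like parsed Windows Security log records
# with only the fields the two checks need. Not real data from any assessment.
EVENTS = [
    {"host": "APP01", "id": 4720, "target": "svc_bkp"},
    {"host": "APP01", "id": 4732, "target": "svc_bkp", "group": "Administrators"},
    {"host": "DB01",  "id": 4720, "target": "jsmith"},   # created, but no admin add: benign
    {"host": "DB01",  "id": 4732, "target": "jsmith", "group": "Remote Desktop Users"},
    {"host": "WEB01", "id": 4624, "user": "Administrator", "domain": "WEB01", "logon_type": 3, "src": "10.0.40.23"},
    {"host": "DB01",  "id": 4624, "user": "Administrator", "domain": "DB01",  "logon_type": 3, "src": "10.0.40.23"},
    {"host": "APP01", "id": 4624, "user": "Administrator", "domain": "APP01", "logon_type": 3, "src": "10.0.40.23"},
    {"host": "DB01",  "id": 4624, "user": "jsmith", "domain": "CORP", "logon_type": 3, "src": "10.0.40.50"},
    {"host": "WEB01", "id": 4624, "user": "jsmith", "domain": "CORP", "logon_type": 3, "src": "10.0.40.50"},
    {"host": "APP01", "id": 4624, "user": "jsmith", "domain": "CORP", "logon_type": 3, "src": "10.0.40.50"},
]

def find_backdoor_admins(events):
    """Return (host, account) pairs where an account was created (event 4720)
    and later added to the local Administrators group (event 4732) on that host."""
    created = set()
    hits = []
    for e in events:                                  # events assumed in time order
        if e["id"] == 4720:
            created.add((e["host"], e["target"]))
        elif e["id"] == 4732 and e.get("group") == "Administrators":
            key = (e["host"], e["target"])
            if key in created and key not in hits:
                hits.append(key)
    return hits

def find_local_admin_reuse(events, ad_domain, threshold=3):
    """Return {account: sorted hosts} for local (non-domain) accounts that logged
    on over the network (4624, logon type 3) to at least `threshold` distinct
    hosts from one source address: the shared-local-admin pattern above."""
    seen = defaultdict(set)                           # (user, src) -> hosts
    for e in events:
        if e["id"] != 4624 or e.get("logon_type") != 3:
            continue
        if e["domain"].upper() == ad_domain.upper():
            continue                                  # domain account: not this check
        seen[(e["user"], e["src"])].add(e["host"])
    return {u: sorted(h) for (u, _), h in seen.items() if len(h) >= threshold}

if __name__ == "__main__":
    print(find_backdoor_admins(EVENTS))               # [('APP01', 'svc_bkp')]
    print(find_local_admin_reuse(EVENTS, "CORP"))     # {'Administrator': ['APP01', 'DB01', 'WEB01']}
```

Unique local administrator passwords per host (for example via LAPS) remove the second pattern at its root, and the first check is a reason to forward 4720/4732 events centrally rather than leaving them on the host.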

Next, we log in to these systems with the local administrator credential and use Mimikatz to obtain plaintext passwords from them. With the local administrator password the antivirus can be unlocked and temporarily disabled. The following screenshot shows the output of the Mimikatz command. In this way we collect the credentials of multiple domain users from the affected systems.

Escalating to domain administrator

The final step is to elevate our backdoor user to domain administrator and take control of the entire domain.

In the previous step we collected many domain user credentials, one of which belongs to a domain administrator. We use this credential to log in to the domain controller, add our backdoor user to the domain, and then grant it domain administrator rights.

We verify the backdoor user's access rights by logging in to Active Directory; it is confirmed to be a domain administrator.

Access to high-value targets

Now that we are a domain administrator, we access high-value targets in the network to demonstrate the severity of the attack.

During the information gathering phase we discovered the target network's mail server, which runs Microsoft Exchange 2013. This means the Exchange Admin Center is reachable at HTTP://WEBMAILIP/ECP.

We log in to the Exchange Admin Center with the domain administrator credential. From there we can grant ourselves delegate access to any user's mailbox, which means we can read the mail of the top executives in the target network.

Conclusion

In this article we walked through a complete penetration test cycle. We started knowing nothing about the organization, found a way into its network, compromised a domain-joined system, obtained the administrator hash, cracked it, and used it to breach multiple systems, until finally the domain controller fell. For persistent access we created a backdoor user and made it a domain administrator. To prove the severity of the attack, we took full control of users' mailboxes.

A black-box penetration test exposes the organization's true security posture. It helps the organization understand how an attack unfolds and how badly operations would suffer if it succeeded. Periodic audits are therefore very important.

From the penetration tester's point of view, a black-box test is both a challenge and good practice: it tests not only your knowledge but also your ability to think creatively under difficult conditions.

* Original: infosecinstitute.com, compiled by Felix. Reposts must credit FreeBuf (freebuf.com).
