Security Operations

PenTales: Exploiting an Internal Network, Loud and Proud

Last updated on Jul 31, 2025

Rapid7 was recently tasked with testing a client's internal network, an environment that included multiple subnets. Due to the size of the network, this was a paired internal – an engagement in which two consultants are assigned to the same network penetration test. 

Starting softly

We kicked off this one the way we typically do: poisoning network traffic in the background to capture authentication hashes while enumerating active services on hosts. While enumerating services, we tested hosts running SMB and found multiple that did not require SMB message signing. SMB signing protects the integrity of SMB communication on the network; without it, hashes captured through poisoning can be relayed to those hosts to provide us with a foothold on the domain.

Through the first few days, we were actively poisoning and relaying hashes that gave us access to hosts, but the client's Endpoint Detection and Response (EDR) system stopped any effective exploitation. Even hosts we had administrative access to could not be leveraged for exploitation because the EDR stopped our attempts. As such, we continued to poison and relay credentials, but began to look for other avenues of exploitation.

Some servers were found to be missing critical security patches. Exploiting them could have provided us with local administrator access to the hosts, but we knew the vulnerability had roughly a 50-50 chance of causing a denial of service (DoS) on the server. After discussing it with our client, we opted not to perform the exploit to avoid any disruptions.

Another vulnerability, this one discovered in a web application management console, allowed us to run commands locally on a host. Rapid7 exploited it to gain a remote shell, giving us our first foothold on the domain. We enumerated additional information and captured some hashes, but were unable to pivot, perform lateral movement or gain further access due to the user's limited rights. This activity was also caught by the client's monitoring, and our access was cut quickly. Through these other attack vectors we were able to discover additional risks to the client and capture more hashes, but none of the hashes were passable and offline cracking wasn't successful.

Making some noise

Rapid7 internal penetration tests are different from red team engagements. We always do our best not to disrupt any services. However, unlike red team engagements, our goal with internal penetration tests isn't to be quiet. All our tests are time-boxed, and in that limited time we work hard to discover as many exploitable vulnerabilities as possible to help our clients secure their systems.

After failing to gain a foothold that would allow us lateral movement or privilege escalation, we decided to go loud. While we were poisoning the network and relaying hashes, we established multiple proxy connections, one of which had administrative access on its host but wouldn't let us run any administrative commands there. Instead, we used that proxy connection to target all hosts on the domain running SMB and attempt to dump Local Security Authority (LSA) secrets. LSA secrets are a set of hashes, and sometimes plaintext credentials, stored in the Windows registry. Most of our attempts were properly stopped by the EDR, but on some of the hosts we were able to dump the LSA secrets. The LSA secrets provided us with NTLM hashes of domain users. NTLM hashes can be used in 'pass-the-hash' attacks to log in as the user, letting us establish a foothold in the domain.

With a machine account's captured NTLM hash, Rapid7 enumerated the certificate authorities and their templates to target the client's Active Directory Certificate Services (AD CS), the Windows Server role that issues and manages public key infrastructure (PKI) certificates used for secure communication and authentication. We identified a template vulnerable to ESC1, a certificate template misconfiguration that enables a privilege escalation attack to gain unauthorized access to higher privileges. We leveraged this vulnerability to request and eventually capture a logon certificate for a domain administrator. Authenticating with that certificate then provided us the domain administrator's NTLM hash, compromising the entire AD environment.

While we had successfully gained domain administrator access, the engagement didn't stop there. Rapid7 extracted the contents of the 'ntds.dit' database, which holds the password hashes for all domain user accounts, in order to perform password analysis and report on weak passwords, potential password reuse and common words used in passwords.

We discovered yet another AD CS template vulnerable to ESC4, a misconfiguration in which users hold write privileges over the certificate template object itself. In this case, domain users could abuse this to rewrite the template's configuration and make it vulnerable to ESC1. So even if no template had been vulnerable to ESC1 to begin with, we could have taken this extra step to gain domain administrator access.
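The two template conditions described above (ESC1 and ESC4) can be checked mechanically during a defensive AD CS review. The following is an added example, not Rapid7's tooling or anything from the engagement: it runs the standard ESC1 and ESC4 conditions over a small, constructed set of template records (the field names, group names and template names are assumptions chosen for illustration; in practice the records would be exported from the CA's template objects).

```python
"""Audit AD CS certificate templates for the ESC1 and ESC4 conditions.

Template records and group names below are constructed sample data
for illustration; they are not from any real environment.
"""

# Principals that should never hold enrollment or write rights on a
# template that can issue logon-capable certificates (assumed names).
LOW_PRIV = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}

# EKUs that make an issued certificate usable for client (logon) authentication.
CLIENT_AUTH_EKUS = {"Client Authentication", "Smart Card Logon",
                    "PKINIT Client Authentication", "Any Purpose"}


def is_esc1(t):
    """ESC1: a low-privileged principal can enroll, the enrollee may supply
    its own subject (SAN), the certificate is usable for client authentication,
    and no manager approval is required before issuance."""
    eku_allows_logon = not t["ekus"] or bool(CLIENT_AUTH_EKUS & set(t["ekus"]))
    return (t["enrollee_supplies_subject"]
            and eku_allows_logon
            and not t["manager_approval"]
            and bool(LOW_PRIV & set(t["enroll"])))


def is_esc4(t):
    """ESC4: a low-privileged principal can write the template object, so the
    template could be edited into an ESC1 condition later."""
    return bool(LOW_PRIV & set(t["write"]))


def audit(templates):
    """Return {template name: [issue codes]} for every template with a finding."""
    findings = {}
    for t in templates:
        issues = [code for code, check in (("ESC1", is_esc1), ("ESC4", is_esc4)) if check(t)]
        if issues:
            findings[t["name"]] = issues
    return findings


# Constructed sample templates: one healthy, one ESC1, one ESC4, one gated by approval.
SAMPLE_TEMPLATES = [
    {"name": "Machine", "enrollee_supplies_subject": False, "ekus": ["Client Authentication", "Server Authentication"],
     "manager_approval": False, "enroll": ["Domain Computers"], "write": ["Domain Admins"]},
    {"name": "UserVPN", "enrollee_supplies_subject": True, "ekus": ["Client Authentication"],
     "manager_approval": False, "enroll": ["Domain Users"], "write": ["Domain Admins"]},
    {"name": "LegacyWeb", "enrollee_supplies_subject": False, "ekus": ["Server Authentication"],
     "manager_approval": False, "enroll": ["Domain Users"], "write": ["Domain Users"]},
    {"name": "ApprovedUser", "enrollee_supplies_subject": True, "ekus": ["Client Authentication"],
     "manager_approval": True, "enroll": ["Domain Users"], "write": ["Domain Admins"]},
]

if __name__ == "__main__":
    for name, issues in audit(SAMPLE_TEMPLATES).items():
        print(f"{name}: {', '.join(issues)}")
```

Remediation for each finding follows from the condition that triggered it: remove the enrollee-supplies-subject flag or require manager approval for ESC1, and restrict write access on the template object to CA administrators for ESC4.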

Final thoughts

While all this technical detail makes a good story, it doesn't help every client understand the risks. Rapid7 also used the captured domain user credentials to access file shares and discovered critical company documents, including internal schematics, business projects, insecurely stored passwords, and banking information, which we packaged up to help highlight the business impact of these exploited vulnerabilities.

This security assessment demonstrates the value of a Rapid7 penetration test. We partner with the clients during our engagements to provide them the best value, while also limiting the risks to their environment. Through our penetration testing assessments, we don't just highlight the technical vulnerabilities, but also demonstrate the real risks to business data and exposure that our clients face.
