You have credentials, now what???

Test this against your own lab!!!
After talking to a LOT of minor hackers, they know how to do a few hacking tricks. They can capture someone's credentials but almost ALL of them don't know what to do with them. They will read someone's email which would be a minor infraction as you'd have to read about 1000 emails to possibly get something desirable. Then they will post the email on some wiki leaks or something. Sure that's fun and all, but the user will change his password and this hacker will have to start from scratch. Today we are going to look at what to do when you get credentials, how to access TONS of information, how to take control of a corporate network, and avoid common security flags that would notify the real Domain Admins.
First, you'd need to get your credentials. Setup a site with a login that saves the data to an CSV file. You can download a pre-coded login form and host it on a webserver. Once you've downloaded the pre-coded login, you will need to edit the HTML so that the login site looks identical to the login for the company that you are attacking.
FAKE LOGIN PAGE (This is only an example & will not store your credentials)
Once you have a login page, you can send out an email to a bunch of people in that company. "Fill out a our survey, Let us know how much you enjoy your job"
If you send this out to at least 30 people, at least one person will fill it out, and you have your credentials.
You will need to setup a Virtual PC. I'd suggest doing this on a remote service like Amazon AWS or something similar.
You will need a VPN that matches the company that you are hacking. How do you find out what they user? Google "CompanyName VPN Download"
You will often find sites that show you what software they use & what connections / settings to put in the VPN:
Harvard's VPN Setup
Virginia Tech's VPN Setup
That's just 2 examples, but there are THOUSANDS out there.
Setup a Local Admin Account on this PC, you may need this as Group Policies often remove local admin rights. Group Policies are a thing that companies use to keep their employees from accessing things they shouldn't that are on their network. For example, you don't want Jill, the secretary, to access the Human Resources server and change her salary.
You will also need "windows remote server administration tools" (Google this). This can be downloaded from Microsoft.com and it's based on what OS you use for your VM. The tool we will use MOST is "Active Directory Users and Computers".
Once you have your VM ready, login to the VPN with the credentials that you have, and add the PC to the Domain. When adding a PC to a domain, most companies have a naming convention like "TypeOfPC-State-SerialFoundOnPC". An Example would be WS-NY-F8HT3P (WS - Work Station & NY - New York). Basically as long as you don't name your PC "VM-Hacking-Tool" it will likely be over looked in audit report.
Once you are connected to the Domain, your Remote Server Management tools will likely register the Domain and you can search for anyone or any device connected to the network.
This tool is quite powerful. You can now find out who's account has admin rights. Don't go directly for a Domain Admin or you will set off all kinds of alarms. Search for an SQL Database, A DNS Server, See who has access to these tools, what AD permissions to you need to get into these servers, who's account is disabled, who's account is part of the Service Desk so you can reset passwords & enable AD accounts.
See if this company uses Samba Sharing across it's network. This is VERY common and does not have high levels of security. You can gain access to documents about future projects that the company is working on.


Once you have gotten the data you are after, you can start an actual attack.
RDP to the SQL Database. Use this to add a few accounts as the SQL Database is often the Security measure that allows AD accounts to be created.
Start escalating your accounts so that Account 1 gets data from all the Samba network drives, Account 2 gets control over their infrasystem (CUCM, Exchange, DNS, etc...), Account 3 is a manager of a fake office with 5 employees. Account 1 & 2 will likely set off some flags, but since you have a fake office with fake employees, you always have another chance to setup your attacks.
What is most likely going to happen is that most companies won't actively stop you when you are pulling data off of their network drives or when you are making changes on the Active Directory. They won't notice until they've run an audit before making changes to block you. Plus all this activity will look legit if you do it correctly. For example, do not use Powershell to import 500 new accounts into AD with randomized names. That would look really bad on an audit. Use your AD search tool to figure out what looks normal, and make your activity look as normal as possible.
Have fun hacking!!!

Comments

Popular Posts