- November 24, 2020
Can your organization withstand a targeted attack? You can find out easily through Red Teaming – a simulation of a real-life adversary.
Red Teamers execute almost all stages of an attack (without causing any real harm to the client’s infrastructure, of course). These stages include reconnaissance, social engineering (usually phishing), weaponization (preparing malicious payload and post-exploitation tools), exploit delivery, lateral movement, and exploitation itself.
Red Teaming does not only test the client’s resilience on multiple levels, it also tries to train the client’s Blue Team. At the end of every Red Teaming operation, clues are given to the Blue Team, to make retrospective identification of the attack vector easier for them. A good Red Teaming unveils the weak spots of the organization and trains the Blue Team to spot the intrusion earlier the next time.
In the following paragraphs, we will go through a Red Teaming case study. There will be five steps, each one corresponding to an arrow (or a set of arrows) in the scheme below. The attack resulted in the compromise of Active Directory and the takeover of an entire target subnet. (The LIFARS team provided us with this case study. Please note that the data included in this report is anonymized to protect the client.)
Step 1: The whole operation started with a spear-phishing campaign. The team leveraged a tool called Gophish, an open-source phishing framework. They decided to use two Google Chrome vulnerabilities targeting different browser versions, thereby increasing the attack surface. They aimed to achieve heap corruption via a maliciously crafted HTML page.
Step 2: The phishing was successful: they obtained a Meterpreter session from one of the targets (10.10.14.3) that clicked the link. They then performed an nmap scan of the internal network and found a vulnerable Windows 7 host (10.10.14.6). More specifically, its RDP service was vulnerable to BlueKeep. After adjusting some parameters in the exploit, the team was able to execute code on the machine with the highest privileges.
Step 3: They observed that the exploited Windows 7 host had access to another internal subnet. One of the hosts in this subnet (10.10.15.15) was running a vulnerable version of Rejetto HttpFileServer. After two unsuccessful attempts with public Rejetto exploits, they switched to Metasploit, which exploited the vulnerability flawlessly. They then used named-pipe impersonation via the "find" command to escalate privileges.
Step 4: From this compromised machine (10.10.15.15), they spotted a domain controller in the same subnet. The team decided to use Impacket kerbrute to search for accounts without Kerberos pre-authentication, which normally protects against password brute-forcing. They found one user without pre-authentication and performed AS-REP Roasting on that account to obtain its credentials. AS-REP Roasting works because, for a user without pre-authentication, anyone can request authentication data and receive a ticket reply encrypted with the user's key, which can then be cracked offline. The team then established a connection to this account with the cracked credentials and escalated privileges.
Step 5: As the last step, they utilized SharpHound and BloodHound, tools that use graph theory to reveal unintended relationships within the Active Directory environment. One account held the GetChanges and GetChangesAll privileges, which are the two prerequisites for a DCSync attack. With those privileges, an attacker can request a domain replica and crack the password hashes included in it. By executing the DCSync attack, the team managed to create a golden ticket and gain control of the whole subnet.
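Detection logic for the two Active Directory indicators behind steps 4 and 5, as an added example that is not part of the LIFARS case study: it flags Kerberos TGT requests (Windows Security event 4768) without pre-authentication that use RC4, the AS-REP Roasting signature, and directory replication requests (event 4662) from accounts that are not domain controllers, the DCSync signature. Field names follow the Windows Security log; the sample events, account names, IPs and the domain controller list are constructed.

```python
from dataclasses import dataclass, field

# Well-known control-access right GUIDs that a replication client requests.
DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"

@dataclass
class Event:
    event_id: int                                  # Windows Security event ID
    fields: dict = field(default_factory=dict)     # event data, as strings

def is_asrep_roast(ev):
    """4768 (TGT requested) with PreAuthType 0 and RC4 (0x17): the AS-REP
    roasting signature, since that reply can be cracked offline."""
    f = ev.fields
    return (ev.event_id == 4768
            and f.get("PreAuthType") == "0"
            and f.get("TicketEncryptionType", "").lower() == "0x17")

def is_dcsync(ev, dc_accounts):
    """4662 requesting replication rights from an account that is not a
    domain controller computer account (DCs replicate legitimately)."""
    if ev.event_id != 4662:
        return False
    props = ev.fields.get("Properties", "").lower()
    wants_repl = DS_REPL_GET_CHANGES in props or DS_REPL_GET_CHANGES_ALL in props
    subject = ev.fields.get("SubjectUserName", "").upper()
    return wants_repl and subject not in {a.upper() for a in dc_accounts}

def triage(events, dc_accounts):
    """Return (finding, account) pairs for every matching event, in order."""
    findings = []
    for ev in events:
        if is_asrep_roast(ev):
            findings.append(("ASREP_ROAST", ev.fields["TargetUserName"]))
        elif is_dcsync(ev, dc_accounts):
            findings.append(("DCSYNC", ev.fields["SubjectUserName"]))
    return findings

# Constructed sample events (not real log data); names and IPs are placeholders.
SAMPLE = [
    Event(4768, {"TargetUserName": "svc_legacy", "PreAuthType": "0",
                 "TicketEncryptionType": "0x17", "IpAddress": "10.10.15.15"}),
    Event(4768, {"TargetUserName": "alice", "PreAuthType": "2",
                 "TicketEncryptionType": "0x12", "IpAddress": "10.10.15.20"}),
    Event(4662, {"SubjectUserName": "DC01$", "Properties": DS_REPL_GET_CHANGES_ALL}),
    Event(4662, {"SubjectUserName": "svc_legacy",
                 "Properties": f"{{{DS_REPL_GET_CHANGES}}} {{{DS_REPL_GET_CHANGES_ALL}}}"}),
]
```

Running `triage(SAMPLE, {"DC01$"})` reports the roastable account and the non-DC replication request while ignoring the normal logon and the legitimate DC replication.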
This Red Teaming was successful and LIFARS provided its client with technical recommendations to increase their overall security and fix the issues that led to exploitation. They also provided the client’s Blue Team with tips on how to identify the attack vector in logs and how to spot similar intrusions earlier.
Such training is needed to maintain the company's resilience against cyber attacks. Red Teaming is a form of ethical hacking that verifies whether your organization can withstand a targeted cyber attack. It is not only about finding gaps in your defense; a good Red Teaming will also teach your Blue Team how to react to an attack and improve the organization's overall security.