“Corporate laboratories” is a training program in the field of information security, consisting of theoretical (webinar courses) and practical training (work in pentest laboratories). This article will consider the content of the practical base, which constitutes about 80% of the total training program. The article contains a brief analysis of one of the tasks of practical training.
External and internal perimeter
The attention of information security specialists is often focused on the external perimeter. However, an attacker may overcome the perimeter defences and end up inside the network. There are a great many ways to do this, including social engineering techniques that exploit human psychology, the predictability of a person's actions, or other factors.
Internal protection usually comes down to separation of privileges and anti-virus software, whether because the seriousness of the threats and risks is not understood, because technical staff are poorly qualified or poorly informed, or because the budget is insufficient.
Insider
Not least is the so-called insider problem: an attacker is already inside the network and holds certain rights and privileges, which he can try to expand by using flaws or vulnerabilities in the infrastructure.
Insiders can be divided into several categories:
- Curious. As is well known, many people are distinguished by curiosity and a desire to poke their nose where it does not belong. This type of insider is characterised by the fact that, even though the nature of his work gives him no reason to access confidential data, he still wants to read it, often out of pure curiosity. This may concern payroll lists, the distribution of bonuses, and so on.
- Researcher. A legitimate employee with access to the main server but without sufficient authority to reach confidential information. Such a person may try to raise his privileges in the server OS, which are insufficient for his non-work purposes, to the level of an administrator. This type of insider is characterised by attempts to explore the company's infrastructure outside his professional activities or responsibilities.
- Avenger. An offended or dismissed employee who can use the window of time before the administrator revokes his access rights to copy or alter confidential data, so as to "get even" for his grievances in some way.
- Motivated. A legitimate employee of the company who acts purposefully and is able to bring significant technical resources to bear to gain access to the information that interests him. He makes use of social engineering, physical access to the server, and other possibilities, 90% of which are completely legal and necessary for his regular work. This kind of insider may be motivated by profiting from the data obtained, either for himself or on behalf of a third party.
Attack scenario
An example is the Group Policy Hijacking attack. Group Policy is a set of rules or settings according to which the working environment of the receiving and transmitting systems is configured (Windows, and Unix-like and other network operating systems that support it). Group policies are created in the domain and replicated within it. Group Policy Hijacking was disclosed at the beginning of this year, but the first fully functional implementation of the attack appeared only in Intercepter-NG (some browsers may flag the site as malicious; the utility itself carries no destructive functionality).
Thanks to this vulnerability, in about an hour and a half one can gain access to any computer in the domain (except the domain controller). The reason is that every 90 minutes, plus a random offset of 0 to 30 minutes, a domain member requests its group policy from the DC. This happens over SMB, by opening the network path \\DC\SYSVOL\domain.name\Policies\{GUID}\gpt.ini, which contains the following entry:
[General]
Version=12345
This number is the version of the current group policy. If the version has not changed since the last update, processing of the group policy stops; if it differs, the policy must be updated. At this stage the client fetches from the domain the files for the active CSEs (client-side extensions), which include logon scripts, scheduler tasks, and so on. Naturally, an attacker in the middle could replace one of the tasks, since the controller delivers it as a file, and in that situation exploitation would be quite simple. But it is not so simple: these CSEs are disabled by default, and the only thing that can be done reliably is to modify the registry, because during a group policy update the client always requests another file, GptTmpl.inf (the Security Settings template), through which registry entries can be added or deleted. The Intercepter author therefore implemented a special mechanism: registering a debugger for the taskhost.exe process (the Image File Execution Options mechanism, under which Windows starts the configured "debugger" in place of the named executable), which yields a shell with NT AUTHORITY\SYSTEM rights.
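As an added example (not Intercepter-NG code and not part of the original article), the following Python models the client-side step just described: it reads the Version number from gpt.ini, decides whether a refresh is due, parses the [Registry Values] section of the GptTmpl.inf that is then fetched, and flags any Image File Execution Options Debugger entry, which is what a hijacked policy would carry. The gpt.ini and GptTmpl.inf contents and the payload path C:\Windows\Temp\payload.exe are constructed for the example; the same parser can be pointed at a domain's real SYSVOL files to audit its own policies for such entries.

```python
"""Model of the client side of a Group Policy refresh, with an audit for
injected Image File Execution Options (IFEO) debugger values.

Added example, not Intercepter-NG code. All file contents below are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed: gpt.ini as cached by the client after its last refresh
GPT_INI_CACHED = "[General]\r\nVersion=12345\r\n"
# Constructed: the same file as a man-in-the-middle would serve it (version bumped)
GPT_INI_SPOOFED = "[General]\r\nVersion=12346\r\n"

# Constructed: GptTmpl.inf (Security Settings CSE) with an injected IFEO Debugger
# value for taskhost.exe. Type codes follow the security-template format:
# 1 = REG_SZ, 4 = REG_DWORD. The payload path is hypothetical.
GPTTMPL_SPOOFED = r"""[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Registry Values]
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskhost.exe\Debugger=1,"C:\Windows\Temp\payload.exe"
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
"""


@dataclass
class RegValue:
    path: str   # e.g. MACHINE\Software\...\taskhost.exe\Debugger
    type: int   # security-template type code (1 = REG_SZ, 4 = REG_DWORD)
    data: str


@dataclass
class IfeoHit:
    image: str  # executable name the debugger is registered for
    data: str   # the "debugger" that Windows will start instead of it


# Matches ...\Image File Execution Options\<image>\Debugger (case-insensitive)
IFEO_RE = re.compile(r"\\image file execution options\\([^\\]+)\\debugger$", re.IGNORECASE)


def _iter_ini(text: str):
    """Yield (section, key, value) for each key=value line of an INF/INI file."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section is not None and "=" in line:
            key, value = line.split("=", 1)
            yield section, key.strip(), value.strip()


def parse_gpt_version(gpt_ini: str) -> int:
    """Return the Version number from the [General] section of gpt.ini."""
    for section, key, value in _iter_ini(gpt_ini):
        if section == "general" and key.lower() == "version":
            return int(value)
    raise ValueError("gpt.ini has no [General] Version entry")


def needs_refresh(cached_version: int, served_gpt_ini: str) -> bool:
    """The client's decision: refresh only if the served version differs."""
    return parse_gpt_version(served_gpt_ini) != cached_version


def parse_registry_values(gpttmpl_inf: str) -> list[RegValue]:
    """Parse [Registry Values] lines of the form path=type,data."""
    values = []
    for section, key, value in _iter_ini(gpttmpl_inf):
        if section != "registry values":
            continue
        type_str, _, data = value.partition(",")
        values.append(RegValue(key, int(type_str), data.strip().strip('"')))
    return values


def find_ifeo_debuggers(values: list[RegValue]) -> list[IfeoHit]:
    """Flag every IFEO Debugger value: a legitimate policy almost never sets one."""
    hits = []
    for v in values:
        m = IFEO_RE.search(v.path)
        if m:
            hits.append(IfeoHit(m.group(1), v.data))
    return hits


def simulate_refresh(cached_version: int, served_gpt_ini: str, served_gpttmpl: str) -> dict:
    """What a domain member does on its refresh: compare versions, then apply GptTmpl.inf."""
    if not needs_refresh(cached_version, served_gpt_ini):
        return {"refreshed": False, "values_applied": 0, "ifeo_debuggers": []}
    values = parse_registry_values(served_gpttmpl)
    return {"refreshed": True, "values_applied": len(values),
            "ifeo_debuggers": find_ifeo_debuggers(values)}


if __name__ == "__main__":
    result = simulate_refresh(12345, GPT_INI_SPOOFED, GPTTMPL_SPOOFED)
    print(f"refreshed={result['refreshed']} values_applied={result['values_applied']}")
    for hit in result["ifeo_debuggers"]:
        print(f"IFEO debugger injected for {hit.image}: {hit.data}")
```

Real GptTmpl.inf files live under Policies\{GUID}\MACHINE\Microsoft\Windows NT\SecEdit\ in SYSVOL and are UTF-16 encoded, so open them with encoding="utf-16" before handing the text to parse_registry_values; running find_ifeo_debuggers over every policy in the domain is a cheap check for this particular payload.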
Group Policy Hijacking works against Windows 7 / 8.1 clients; the domain controllers may be Server 2008 R2 / 2012 R2 with all patches available at the time of writing. It is also worth noting that the attack is fully automated and requires no additional actions or conditions beyond the man-in-the-middle position between the client and the domain controller.
Prevention
Specific countermeasures depend on the techniques used by the attackers and on the tools and experience of the IT and security departments. For the attack described above, the relevant hardening is to require mutual authentication and integrity (SMB signing, hardened UNC paths for the SYSVOL and NETLOGON shares) on the client's connection to the domain controller, so that a spoofed share is rejected rather than trusted. Knowledge of the methods and tactics used against modern systems allows possible shortcomings and vulnerabilities to be eliminated in time, preventing attempts at unauthorised access. Information security specialists need to be familiar with the arsenal of modern tools, practise with them, and be ready to use them in real situations. Attention should also be paid to little-known and undocumented features that may be useful for checking your own infrastructure. It is worth developing the right mindset: thinking outside the box and anticipating the attacker's actions, weighing risks carefully, and relying on time-tested techniques. These skills will be useful again and again, whether you are a professional information security specialist or a system or network administrator.
Practical training in pentest laboratories. Part 1
Practical training in pentest laboratories. Part 2
Practical training in pentest laboratories. Part 4
Practical training in pentest laboratories. Part 5