2009-11-13

Abuse Citrix and own the domain

via Bernardo Damele A. G. on 11/12/09

Little Bobby Table is growing up quickly: he is now performing a Citrix break-out assessment. Basically, the scope of the penetration test consists of executing applications that he is not allowed to run after logging on to a Citrix MetaFrame or similar environment. Usually a screenshot of a command prompt showing the output of ipconfig /all is enough proof to the Client that you have successfully broken out of the restricted environment, and the party can roll onwards. There are many tutorials on how to achieve this goal and I will not repeat them.

Assume that little Bobby asked old uncle Google for help, found the above-mentioned tutorials along with some videos and successfully broke out of the environment, circumventing Windows GPO/SRP and other security mechanisms and getting a command prompt or even an unrestricted RDP session on the box.
He now feels good, is excited and wants the Client to know that in about half an hour he broke out of the environment. He calls whoever paid for two or more days of assessment to let them know that he is already done with the work, and asks for permission to go further with the test and demonstrate how dangerous a malicious attacker could be in such a scenario. The Client agrees: in the end he paid for the rest of the man-days, wants to get his money's worth out of them and is keen to know about flaws within his whole network.

What is next?

Little Bobby knows about the beauties of Windows' net command and uses it to enumerate machines within the Windows domain, identify the primary domain controller (PDC), list local and domain users from the PDC/BDC, etc.; all in all, he gathers as much information as possible about the owned system and its network perimeter.

He can also upload his own tools by mapping his local shared hard drive onto the target Citrix environment via Citrix XenApp (the new Citrix ICA client for Windows), by the copy 'n' paste and debug.exe trick, via uudecode/uuencode, or whatever technique works, depending on how hardened Citrix is.

The first goal now is to escalate privileges to a highly privileged local user like Administrator or LOCAL SYSTEM, assuming that the user is not already within the Administrators group. Several techniques exist to do so. Once done, it is game over: you own that system completely.

What about logging onto other systems?

Surely little Bobby won't stop here. He wants to own all the servers within the network perimeter, above all the PDC and other infrastructure critical servers, like database servers.

He dumps users' password hashes (Security Accounts Manager), LSA secrets, cached passwords, protected storage, reversible encryption storage, password history and current logon session tokens. PWDumpX and Cain & Abel are handy tools, along with the others linked.
Now he has collected credentials of many other users: either plain-text or NTLM credentials for all local users, users who have logged onto the box since the last reboot, users logged in at the very same time, and users whose accounts are used to start services.
Hopefully among these credentials little Bobby has got the hash of a domain user. If he gets very lucky, it will be a domain administrator. Again, net is your friend to check.


Now Bobby resurrects the list of enumerated hosts and tries to discover more hosts on the network perimeter via ping sweep, ARP scan and network traffic sniffing with a bunch of uploaded tools. He now has a huge list of hosts to own. At the top of the list are the domain controllers and possibly the database servers!

At this point he has a list of hosts in one text file and a single file collecting the dumped hashes (output of PWDumpX et al.).

Own the LAN: the common way

Little Bobby could crack the dumped password hashes and try to log in over SMB or RDP with the cracked plain-text credentials onto the other systems, one by one. To log in and execute commands over SMB on another system he could upload to the Citrix box and run a single executable file, PsExec.

Another tool can be handy, smbshell, a pre-compiled NASL script, but it requires the nasl interpreter and a bunch of other Nessus libraries to run, which is not very convenient in the above scenario. Nevertheless, it has an advantage over PsExec: it also accepts the NTLM hash of the password, so there is no need to crack the password to log in over SMB. Like PsExec, it can be used to log in to one system at a time.

Isn't there anything quicker to check the usefulness of dumped hashes?

Own the LAN: the quickest way

Our lazy little Bobby heard about a new open source multi-threaded tool called keimpx, developed in Python, that can be used to quickly check the usefulness of credentials across a network over SMB.
Credentials can be:
  • A combination of user / plain-text password.
  • A combination of user / NTLM hash.
  • A combination of user / NTLM logon session token.
If any valid credentials have been identified across the network after its attack phase, the user is asked to choose which host to connect to and which valid credentials to use; then Bobby is prompted with an interactive SMB shell where he can:
  • Navigate through the available shares: list, upload, download files, create, remove files, etc.
  • Deploy and undeploy his own service (for instance, a backdoor listening on a TCP port for incoming connections).
  • List users' details and domains.
  • Read/write/delete registry keys (soon).
  • Spawn an interactive command prompt like PsExec can do (soon).
This tool does the trick and is the quickest way to identify in a single shot which dumped hashes work on which machines of the network perimeter, without the need to crack the hashes. Moreover, it can also be used to log in over SMB onto the systems where valid credentials have been spotted and perform the above-mentioned operations.

keimpx is a work in progress and feedback is more than welcome!

Remember that:
  • Many users share the same password across multiple machines; this might include Administrator too, in which case you are local administrator on most, if not all, of the systems of the network perimeter.
  • You might have been lucky enough to dump a domain administrator password hash too (for instance, via LSA secrets dump, Pass-the-Hash's whosthere.exe or incognito), so you totally own the domain and can log in on all systems of the network with the highest globally privileged user.
Little Bobby Table can now call the Client and let him know that he has access to most (if not all) the network's machines.
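The defender's view of the "single shot" check described above, as an added example that is not part of the original post or of keimpx: it scans Windows Security Event ID 4624 records (constructed sample data; field names assumed to follow the Windows event schema) and flags one source authenticating with one account over NTLM network logons to many hosts in a short window, which is exactly the footprint a hash list walked across the LAN leaves on the targets.

```python
"""Flag pass-the-hash style credential checks in Windows Security logs.
Added example, not from the original post or keimpx: it scans Event ID 4624
records parsed into dicts keyed per the Windows event schema; data is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source (a Citrix host) succeeding with the same account
# over NTLM network logons on six servers in half a minute, plus benign logons.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "IpAddress": "10.0.0.50", "TargetUserName": "Administrator",
     "Computer": f"SRV{n:02d}.corp.example",
     "TimeCreated": f"2009-11-12T10:00:{n * 5:02d}"}
    for n in range(1, 7)
] + [
    {"EventID": 4624, "LogonType": 2, "AuthenticationPackageName": "Kerberos",
     "IpAddress": "-", "TargetUserName": "bobby",
     "Computer": "WS01.corp.example", "TimeCreated": "2009-11-12T10:00:10"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "IpAddress": "10.0.0.51", "TargetUserName": "svc_backup",
     "Computer": "SRV01.corp.example", "TimeCreated": "2009-11-12T10:00:12"},
]

def find_spray_sources(events, min_hosts=5, window=timedelta(minutes=10)):
    """Return {(source_ip, user): sorted_hosts} for each source/account pair that
    completed NTLM network logons (type 3) on >= min_hosts distinct computers
    inside `window`; a person at one console rarely does this, a hash checker does."""
    per_key = defaultdict(list)
    for e in events:
        if e["EventID"] != 4624 or e["LogonType"] != 3:
            continue  # interactive/RDP logons are a different story
        if e["AuthenticationPackageName"] != "NTLM":
            continue  # NTLM network logons are the footprint of hash-based SMB logons
        ts = datetime.fromisoformat(e["TimeCreated"])
        per_key[(e["IpAddress"], e["TargetUserName"].lower())].append((ts, e["Computer"]))
    hits = {}
    for key, seen in per_key.items():
        seen.sort()
        best, start = set(), 0
        for end in range(len(seen)):  # sliding time window over time-ordered logons
            while seen[end][0] - seen[start][0] > window:
                start += 1
            hosts = {host for _, host in seen[start:end + 1]}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= min_hosts:
            hits[key] = sorted(best)
    return hits
```

Tune `min_hosts` and `window` to the environment: a backup or monitoring account legitimately touching many hosts over NTLM needs an allow-list rather than a lower threshold.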

Own the LAN: the hardcore way

If no dumped credentials worked on any other system then Bobby needs to get his hands dirty.

If the Citrix environment has direct access to the Internet he could initiate an out-of-band connection to his own local system to pivot traffic from the local system into the Citrix machine's network perimeter. This can be achieved, for instance, via Metasploit's Meterpreter. From this point on he can launch any Metasploit module against other boxes to port-scan them, perform a vulnerability assessment or exploit security flaws.
Otherwise, if the Citrix environment has no direct access to the Internet, Bobby can upload a port scanner and his suite of exploits to scan and own them all.
