
Friday, December 23, 2011

Why are people still using WEP?

I was driving around in my car one night with my laptop riding shotgun. I decided I might as well fire up airodump-ng and see what wireless networks were around me. First things first; put the card into Monitor Mode:

# airmon-ng start wlan0

With the card in Monitor Mode I decided to see how many people were still oblivious to the insecurities of relying on WEP to protect their wireless networks from unauthorized access. Let's see who's out there:

# airodump-ng --encrypt wep mon0

There was only 1 in range. I fired up wifite.py so I could get on IRC from my laptop.


After a couple minutes I was online. I got curious and decided to see what was on this network I was connected to. I ran ifconfig wlan0 to see what my IP address was, and then made an educated guess that my Default Gateway was 192.168.100.1, which turned out to be correct. Next I ran nmap to see what other devices were on the network:


Let's take a look at this nmap command:

  • -sV performs a service scan, which determines the service listening on each open port and its version
  • -O does active OS detection
  • -A enables OS detection, version detection, script scanning, and traceroute. Yes, it's redundant, but that's how I roll.
  • -oX writes the output in XML format (which we will use later with Metasploit) to the named file. Normal output still goes to STDOUT.

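The XML that -oX produces is also the easiest way to turn a scan into an asset inventory without going through Metasploit. Below is an added example (not code from the original post) that parses that XML with the standard library and pulls out each live host's address, hostnames, best OS match and open services, plus a helper that flags hosts whose OS match contains a given string (useful for finding end-of-life systems that still need patching or retiring). The sample XML is constructed to follow nmap's nmaprun/host/address/ports/port/service/os/osmatch layout; the hosts, ports and versions in it are made up.

```python
"""Parse `nmap -oX` output into a host inventory (added example).

The XML below is constructed sample data laid out like nmap's real
schema; it is not a scan from the original post.
"""
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -A -oX scan.xml 192.168.100.0/24">
  <host>
    <status state="up"/>
    <address addr="192.168.100.1" addrtype="ipv4"/>
    <hostnames><hostname name="gateway.lan" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="Example httpd" version="1.0"/>
      </port>
    </ports>
    <os><osmatch name="Linux 2.6.X" accuracy="95"/></os>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.168.100.30" addrtype="ipv4"/>
    <hostnames/>
    <ports>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds" product="Microsoft Windows 2000 microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="closed"/><service name="ms-wbt-server"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows 2000 SP4" accuracy="100"/></os>
  </host>
  <host>
    <status state="down"/>
    <address addr="192.168.100.31" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return a list of dicts, one per host that nmap reported as up."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # skip hosts that did not respond
        addr = None
        for a in host.findall("address"):
            if a.get("addrtype") in ("ipv4", "ipv6"):
                addr = a.get("addr")
                break
        names = [h.get("name") for h in host.findall("hostnames/hostname")]
        # Keep the osmatch with the highest accuracy as the OS guess.
        os_name, best = None, -1
        for m in host.findall("os/osmatch"):
            acc = int(m.get("accuracy", "0"))
            if acc > best:
                best, os_name = acc, m.get("name")
        services = []
        for p in host.findall("ports/port"):
            st = p.find("state")
            if st is None or st.get("state") != "open":
                continue  # only open ports are inventory-relevant
            svc = p.find("service")
            services.append({
                "port": int(p.get("portid")),
                "proto": p.get("protocol"),
                "name": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
            })
        hosts.append({"addr": addr, "hostnames": names, "os": os_name, "services": services})
    return hosts


def hosts_running(hosts, os_substring):
    """Addresses of hosts whose best OS match contains os_substring (case-insensitive)."""
    needle = os_substring.lower()
    return [h["addr"] for h in hosts if h["os"] and needle in h["os"].lower()]


if __name__ == "__main__":
    inventory = parse_nmap_xml(SAMPLE_NMAP_XML)
    for h in inventory:
        ports = ", ".join(f"{s['port']}/{s['proto']} {s['name']}" for s in h["services"])
        print(f"{h['addr']:16} {h['os'] or '?':30} {ports}")
    print("end-of-life Windows 2000 hosts:", hosts_running(inventory, "windows 2000"))
```

Feed it a real file with `parse_nmap_xml(open("scan.xml").read())`; the same structure is what Metasploit's db_import reads, so the two views will agree on which hosts and ports exist.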
Next I fired up Metasploit and loaded my XML file that nmap generated:



Now that I had all the data nmap gathered from the target network, I could work with it easily from within Metasploit. Below is a list of all the devices on the network:



That Windows 2000 box looked tempting but I decided to just start at the top and work my way down. I figured there was no way the infamous MS08-067 exploit would work, so I decided to try it just for the lulz. I mean, everyone patches their boxes right? It's only in Metasploit as a demo exploit isn't it? Well, not really. In this case anything was possible because the admin was still using WEP with the very secure key of 1234567890.


Hmm, first box, first try and I get a Meterpreter shell. Kinda pathetic, but let's move on.

First I migrated to another process in case the one my Meterpreter shell was living in crashed:


I figured the only way it could get any easier was to get an RDP session on the box. So that's what I did. I added myself a new account to the administrators group:


Now that I had an account on the box named hacked with password password, I could RDP into it:

# rdesktop -u hacked -p password -r clipboard 192.168.100.30
  • -u Specifies the username to connect with
  • -p The password for the account
  • -r clipboard Redirects the remote clipboard to the local machine. I use this so I can copy and paste between the remote host and my machine.



At that point it was game over, but I was curious so I dug around a little.

After digging around on the box with the account I created I decided to crack the Administrator account password to see if there was anything interesting on that account.

Using my Meterpreter shell I ran hashdump to dump the SAM database:

I cracked the NTLM hashes using an online hash cracker which took about 4 seconds. With the password for the Administrator account I RDP'd into the box and started looking around. The first thing that caught my eye was an icon for the management software for Carbonite Backup. I started it up and was prompted for a password, the username was already filled in. I tried the password that I cracked and bam, I was in. The drive contained thousands of files containing social security numbers, names, and addresses. Jackpot for anyone with malicious intent.

Covering my tracks was pretty easy because they didn't have the Event Log service running.

The ironic thing was that this company does computer training. What they train people to do exactly I'm not sure, but obviously they aren't teaching security or secure best practices.

Lessons learned: Don't use WEP, patch your systems, and don't reuse passwords for everything. That same password was probably used on every system on the network, but I didn't bother checking.
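The first lesson is the one a site survey of your own premises can check mechanically. Below is an added example (not code from the original post) that reads the access-point table from the CSV that airodump-ng writes when run with -w and lists every network that is still on WEP or has no encryption at all. The column layout (BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key) is assumed here to match airodump-ng's CSV output, and the rows are constructed sample data.

```python
"""Flag weak wireless encryption in an airodump-ng CSV survey (added example).

The column layout is an assumption about airodump-ng's CSV format; the
sample rows below are constructed and do not come from the original post.
"""
import csv
import io

SAMPLE_AIRODUMP_CSV = """
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2011-12-23 21:00:01, 2011-12-23 21:05:11,  6,  54, WEP , WEP, OPN, -60,  120,  3000,   0.  0.  0.  0,   8, CorpWiFi, 
00:11:22:33:44:66, 2011-12-23 21:00:03, 2011-12-23 21:05:10, 11,  54, WPA2, CCMP, PSK, -71,   98,     0,   0.  0.  0.  0,   6, HomeAP , 
00:11:22:33:44:77, 2011-12-23 21:00:05, 2011-12-23 21:05:09,  1,  54, OPN ,     ,    , -80,   40,     0,   0.  0.  0.  0,  10, FreeCoffee, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
aa:bb:cc:dd:ee:ff, 2011-12-23 21:00:06, 2011-12-23 21:05:08, -55,   12, 00:11:22:33:44:55, 
"""


def parse_access_points(csv_text):
    """Return the access-point rows (the first table) as a list of dicts."""
    lines = csv_text.splitlines()
    # The AP table starts at the "BSSID," header and ends at the first blank
    # line; the station table that follows is ignored here.
    try:
        start = next(i for i, line in enumerate(lines) if line.startswith("BSSID,"))
    except StopIteration:
        return []
    block = []
    for line in lines[start:]:
        if not line.strip():
            break
        block.append(line)
    # airodump pads fields with spaces, so skip the space after each comma.
    reader = csv.DictReader(io.StringIO("\n".join(block)), skipinitialspace=True)
    aps = []
    for row in reader:
        aps.append({
            "bssid": row["BSSID"].strip(),
            "essid": row["ESSID"].strip(),
            "channel": int(row["channel"]),
            "privacy": row["Privacy"].strip(),
            "cipher": row["Cipher"].strip(),
        })
    return aps


def weak_networks(aps):
    """Return (bssid, essid, reason) for APs that need remediation.

    WEP keys recover from captured traffic in minutes; an open network has no
    confidentiality at all. Anything WPA/WPA2 passes this check.
    """
    weak = []
    for ap in aps:
        priv = ap["privacy"].upper()
        if "WEP" in priv:
            weak.append((ap["bssid"], ap["essid"], "WEP"))
        elif priv == "OPN":
            weak.append((ap["bssid"], ap["essid"], "open"))
    return weak


if __name__ == "__main__":
    for bssid, essid, reason in weak_networks(parse_access_points(SAMPLE_AIRODUMP_CSV)):
        print(f"{bssid}  {essid:20} {reason}")
```

Run it against the `<prefix>-01.csv` file a survey produces; anything it prints is an access point that should be moved to WPA2 (or switched off) before worrying about the hosts behind it.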

The company was notified via anonymous email.

dcprom0
