How our Red Team went from nothing to Domain Admin in 22:22

I am seeing more and more recently that a “real red team” engagement needs to go on for weeks upon weeks and stretch into months. It needs to infiltrate the company to the deepest levels, convincing recruitment to give a red teamer a job and infiltrating that way. To this, I call baloney! What if I told you that our Red Team went from having nothing but the company name to DOMAIN ADMIN in 22 hours and 22 minutes (which was a nice coincidence)? Well, here is how.

We were once again challenged to get access to one of our client companies’ infrastructure. On a side note, we are doing these weekly and I celebrate this, as there is less ‘head in the sand’ mentality and more willingness to understand weaknesses. This was one of my favourite personal challenges: full scope. Nothing was off-limits, absolutely nothing. We had successfully infiltrated them through physical social engineering last year, which was quite fun, but we wanted to try something new this year. Given that we had launched several phishing campaigns last year using a common online SMTP relay and been unsuccessful because Mimecast blocked us, we knew we would have to get creative.

Enter custom SMTP servers once more. Thanks to the efforts undertaken by Manish Singh earlier in the month to build a Terraform infrastructure-as-code phishing platform with a hardened Dovecot/Postfix server, we were ready to rock in less than 2 minutes. First challenge: get email addresses. Believe it or not, a script can still be used to harvest employee names from LinkedIn. Then on to hunter.io to find out the email format. Within 5 minutes we had the email addresses for 633 users across this organisation. Time to build a really crafty phishing campaign to bypass the mail gateway that got us last year.

Utilising DarkWebID we identified that some of this company’s credentials were already floating around the dark web. What better evidence do you need to craft an email informing all staff that the company had been compromised and they needed to check their password than already compromised passwords? So we built an email that does exactly this, using a screenshot of DarkWebID and telling staff to head to our custom form and enter their password: if the screen turns green their password is fine, if it goes red the password needs changing. The form captured the password and then redirected everyone to a static green page hosted in an Amazon S3 bucket, so every victim was told their password was fine!

Utilising alt codes (https://usefulshortcuts.com/alt-codes/accents-alt-codes.php) we registered a lookalike domain that replaced one character in the company’s domain with an accented equivalent, so close that even the most discerning user would be caught. Checking the company’s DNS records (SPF lives in a TXT record, not the MX record), we noted that its SPF record ended in a soft fail (~all), meaning mail that fails SPF is typically still delivered and merely marked. Strictly, the company’s SPF and DMARC only govern mail claiming to come from its own domain; our lookalike domain was a separate domain, and since we now had our own encrypted SMTP server, we published valid SPF, DKIM and DMARC records for it so the mail gateway had no reason to score it down. Armed with a crafted email, evidence of a previous compromise, 633 email addresses and custom infrastructure, we were ready to go.
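The two checks described above, as an added example in PowerShell (this is not the red team’s tooling): grading a domain’s SPF and DMARC posture from its TXT records, and showing what an accented lookalike domain actually becomes on the wire. The sample records and the domain names are constructed for the example; the commented-out Resolve-DnsName lines show how to feed in live answers.

```powershell
# Added example for this post, not the red team's own tooling. Grades SPF/DMARC
# from raw TXT records and shows the wire form of an accented lookalike domain.
# All sample records and names below are constructed, not real DNS data.

function Get-SpfVerdict {
    param([Parameter(Mandatory)][string]$SpfRecord)
    if ($SpfRecord -notmatch '^v=spf1\b') { return 'No SPF record' }
    # The qualifier on the trailing "all" decides what receivers do with mail
    # from hosts the record does not list. No qualifier means "+" (pass).
    if ($SpfRecord -match '(?<q>[-~?+]?)all\s*$') {
        switch ($Matches['q']) {
            '-'     { return 'Hard fail (-all): unlisted senders are rejected' }
            '~'     { return 'Soft fail (~all): unlisted senders are usually delivered, only marked' }
            '?'     { return 'Neutral (?all): effectively no protection' }
            default { return 'Pass (+all): anyone may send as this domain' }
        }
    }
    return 'No "all" mechanism: unlisted senders are treated as neutral'
}

function Get-DmarcVerdict {
    param([string]$DmarcRecord)
    if (-not $DmarcRecord -or $DmarcRecord -notmatch '^v=DMARC1\b') {
        return 'No DMARC record: SPF/DKIM results are advisory only'
    }
    # DMARC is "tag=value" pairs separated by semicolons; p= is the policy for failing mail
    $tags = @{}
    foreach ($pair in $DmarcRecord -split ';') {
        $kv = $pair.Trim() -split '=', 2
        if ($kv.Count -eq 2) { $tags[$kv[0].Trim()] = $kv[1].Trim() }
    }
    $pct = if ($tags.ContainsKey('pct')) { [int]$tags['pct'] } else { 100 }
    switch ($tags['p']) {
        'reject'     { return "Reject applied to $pct% of failing mail" }
        'quarantine' { return "Quarantine applied to $pct% of failing mail" }
        'none'       { return 'Monitor only (p=none): spoofed mail is still delivered' }
        default      { return 'Malformed DMARC record (no p= tag)' }
    }
}

function Test-MailAuthPosture {
    param([string]$Domain, [string[]]$TxtRecords, [string[]]$DmarcTxtRecords)
    $spf   = $TxtRecords      | Where-Object { $_ -match '^v=spf1\b' }   | Select-Object -First 1
    $dmarc = $DmarcTxtRecords | Where-Object { $_ -match '^v=DMARC1\b' } | Select-Object -First 1
    $spfVerdict = if ($spf) { Get-SpfVerdict $spf } else { 'No SPF record' }
    [pscustomobject]@{ Domain = $Domain; SPF = $spfVerdict; DMARC = (Get-DmarcVerdict $dmarc) }
}

function Get-PunycodeForm {
    param([Parameter(Mandatory)][string]$Hostname)
    # Accented lookalikes are registered as IDN names; on the wire, in mail headers and in
    # gateway logs they appear as xn-- labels, which is the string defenders should hunt for.
    [System.Globalization.IdnMapping]::new().GetAscii($Hostname)
}

# Constructed sample data; the ~all / p=none pair mirrors the weak posture the post describes
$sampleTxt   = @('MS=ms12345678', 'v=spf1 include:spf.protection.outlook.com ~all')
$sampleDmarc = @('v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com')
Test-MailAuthPosture -Domain 'example.com' -TxtRecords $sampleTxt -DmarcTxtRecords $sampleDmarc
Get-PunycodeForm -Hostname 'exámple.com'

# Live lookup (needs DNS). Strings is an array per record; join it in case a long record is split.
# $txt   = Resolve-DnsName -Name example.com        -Type TXT | ForEach-Object { -join $_.Strings }
# $dmarc = Resolve-DnsName -Name _dmarc.example.com -Type TXT | ForEach-Object { -join $_.Strings }
```

A hard fail with a DMARC reject policy closes off exact-domain spoofing; it does nothing against a lookalike domain that publishes its own valid records, which is why the gateway’s lookalike and IDN detection, and user awareness, still matter.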

At 3 pm Tuesday last week the campaign was launched, and we sat with anticipation and hopeful anxiety that it would work. With great glee, we watched as 11 minutes later the first victim entered their password. Bingo! We are in… here we go. So, first Office365. Great success, we are in. We thought it was game over until we tried to access things and hit the dreaded MFA. This was going to be harder than we thought. So we kept trying different platforms within Office365 until we got access to Yammer and the IT Service Desk, both heavily used internal tools. We watched on as Service Desk tickets were raised about our campaign and Yammer went nuts with discussions about whether it was real or not. By 4:31 pm the game was up and our phish was no more. However, by this stage we had seven sets of user credentials. We tried these credentials to log in to Citrix, but again hit MFA.

We spent a few hours going through Yammer trying to find information that might be useful. By this stage most users had changed their passwords. However, already logged-in sessions still maintained access. As five of us were working through this, we had a fair bit of persistent access to browse at will. We thought we had a bingo moment when we discovered the WiFi password, but using it would still require physical compromise, and as the office is over 20 storeys high we were trying to avoid that. The company has very good password policy hygiene and we were unable to locate the usual things like cleartext passwords in Yammer. Then we came across gold: how to set up email on your BYOD device. This is when the fun really starts!

A little-known issue exists (that I was not even aware of until last week!): if you manually configure email on a BYOD device through the Exchange app, MFA is bypassed. Yes, you read that correctly. A manually configured Exchange ActiveSync profile uses basic (legacy) authentication with just a username and password, and that path never sees the MFA prompt unless the tenant has specifically blocked legacy authentication. Absent that setting, you can just add the email address and password of a user and ActiveSync will automatically configure mail through the Exchange app on an Android device. Fortunately for us, one of the users had still not reset their password. We pulled out one of our red teaming Nokias ($80 handset from AusPost, really easily configured) and set up mail. In this user’s email, we discovered the username and password for a new user who did not start for another week. Bingo!
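For defenders, the fix is to stop basic authentication for ActiveSync, which is the leg of MFA this trick walks around. Below is an added example in Exchange Online PowerShell (not the red team’s or the client’s code); it assumes the ExchangeOnlineManagement module and an existing Connect-ExchangeOnline session, and the policy name 'Block Legacy Auth' is made up for the example. Microsoft has since turned basic authentication off in Exchange Online by default, so this mainly matters for tenants that re-enabled it; on-premises Exchange needs the equivalent on its ActiveSync virtual directory, which is not shown here.

```powershell
# Added example (not from the original post). Requires the ExchangeOnlineManagement
# module and an existing Connect-ExchangeOnline session. The policy name is an
# assumed value for this example.

function Get-LegacyAuthExposure {
    # Tenant default policy; empty means users with no explicit policy are not covered here
    $default = (Get-OrganizationConfig).DefaultAuthenticationPolicy
    [pscustomobject]@{ Setting = 'DefaultAuthenticationPolicy'; Value = $default }

    # Every authentication policy and whether it still permits basic auth for ActiveSync
    Get-AuthenticationPolicy | ForEach-Object {
        [pscustomobject]@{ Setting = "Policy '$($_.Name)' AllowBasicAuthActiveSync"; Value = $_.AllowBasicAuthActiveSync }
    }

    # Mailboxes that can sync over EAS while neither they nor the tenant have a policy assigned
    $policyByUser = @{}
    Get-User -ResultSize Unlimited | ForEach-Object { $policyByUser[$_.DistinguishedName] = $_.AuthenticationPolicy }
    Get-CASMailbox -ResultSize Unlimited |
        Where-Object { $_.ActiveSyncEnabled -and -not $default -and -not $policyByUser[$_.DistinguishedName] } |
        ForEach-Object { [pscustomobject]@{ Setting = "EAS enabled, no auth policy: $($_.Identity)"; Value = $true } }
}

function Block-LegacyActiveSync {
    param([string]$PolicyName = 'Block Legacy Auth')   # assumed name
    # A newly created authentication policy blocks every basic-auth protocol by default
    # (EAS, POP, IMAP, SMTP AUTH, ...); the explicit switch below documents the intent.
    if (-not (Get-AuthenticationPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
        New-AuthenticationPolicy -Name $PolicyName | Out-Null
    }
    Set-AuthenticationPolicy -Identity $PolicyName -AllowBasicAuthActiveSync:$false
    # Making it the tenant default covers every user who has no policy of their own
    Set-OrganizationConfig -DefaultAuthenticationPolicy $PolicyName
}

function Revoke-PhishedUserAccess {
    param([Parameter(Mandatory)][string[]]$UserPrincipalName)
    foreach ($upn in $UserPrincipalName) {
        # Devices that already hold a sync partnership: an attacker's handset shows up here
        Get-MobileDeviceStatistics -Mailbox $upn |
            Select-Object @{n='User';e={$upn}}, DeviceType, DeviceModel, LastSuccessSync, DeviceId
        # Remove-MobileDevice -Identity <device Identity> -Confirm:$false   # drop a rogue partnership
        # Policy changes can take up to 24 hours to apply; this forces re-authentication sooner
        Set-User -Identity $upn -STSRefreshTokensValidFrom (Get-Date)
    }
}

# Usage once connected:
# Get-LegacyAuthExposure | Format-Table -AutoSize
# Block-LegacyActiveSync
# Revoke-PhishedUserAccess -UserPrincipalName 'first.victim@example.com'   # assumed address
```

The audit function is the useful part for a post-phish response: a password reset ends a basic-auth sync, but it does nothing about a policy gap that lets the next stolen password be used the same way.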

Using this user’s credentials, we logged into Citrix. Better yet, the new-starter email told us this person did not start for another 6 days, so we knew we had a whole heap of time. As this was a new user, MFA had not been set up yet, so we registered our own mobile device for SMS MFA and were successfully logged into Citrix. This company presents XenApp for remote access, so we were now on the network. Without admin privileges we could not install anything, and did not really want to in case there was monitoring. We spent hours upon hours browsing network shares, batch files and random locations and files for passwords. By 2 am we had basically all the company’s data, but still not the keys to the kingdom. Time to rest on it.

The next day our sysadmin skills from way back when came into play. A little-known tool called NetScan is really useful: it is a portable application that requires no install and allows a port scan of defined ports, browsing for open network shares and other useful information. Really helpful is the DHCP discovery, which finds the DHCP servers across the network. Armed with the 3 DHCP scopes, we ran a network scan targeting open shares, port 80 and port 443, which discovered about 100 web servers. Browsing each of the web servers, we were quite pleased we had been as quiet as possible when we hit a DarkTrace web server. Stealth mode well and truly enabled!

Through a few more web servers we found some printers with default credentials, but these did not yield the LDAP bind credentials we would normally find. Overall, most web servers had strong authentication and our usual tricks did not work. On to browsing more open network shares. After countless hours, and only a short time before a meeting with the client (arranged that morning to present the findings of the phishing attack), we found a really interesting network share entitled Desktop. Using a standard, unprivileged account, we were able to open this share and view all users’ Desktops due to a misconfiguration in Citrix. Good thing our CEO is a former sysadmin and Citrix Administrator, isn’t it! Using a quick script searching for any reference to passwords, we discovered a OneNote file that was pure gold. This file contained service account passwords, local admin passwords, all IT system passwords and everything in between.
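The kind of quick search described above, as an added example in PowerShell (this is not the red team’s script): walk one or more shares for files that mention passwords. The share path at the bottom is an assumption. Windows binary formats, OneNote .one files included, generally hold their text as UTF-16LE, so a plain ASCII regex reads straight past them; the helper makes the NUL between characters optional so one pattern hits both encodings. Password-protected OneNote sections are encrypted and will not match. Defenders can run the same thing against their own shares on a schedule, which is takeaway 4 below.

```powershell
# Added example, not the red team's script. Hunts one or more shares for files
# that reference passwords. The share path in the usage line is an assumption.

function ConvertTo-Utf16TolerantPattern {
    param([Parameter(Mandatory)][string]$Word)
    # UTF-16LE puts a NUL after every ASCII character; read as UTF-8 that is
    # "p\0a\0s\0s\0w\0o\0r\0d", which 'password' never matches. Making each NUL
    # optional lets one regex hit both plain text and UTF-16 binaries.
    ($Word.ToCharArray() | ForEach-Object { [regex]::Escape([string]$_) + '\x00?' }) -join ''
}

function Find-CredentialReferences {
    param(
        [Parameter(Mandatory)][string[]]$Path,
        [string[]]$Include  = @('*.txt','*.ini','*.cfg','*.config','*.xml','*.bat','*.cmd','*.ps1','*.vbs','*.csv','*.one'),
        [string[]]$Words    = @('password', 'passwd', 'pwd=', 'connectionstring', 'svc_'),
        [long]$MaxBytes     = 5MB   # skip big files: slow to scan and rarely hand-written notes
    )
    $patterns = $Words | ForEach-Object { ConvertTo-Utf16TolerantPattern $_ }
    Get-ChildItem -Path $Path -Recurse -File -Include $Include -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -le $MaxBytes } |
        Select-String -Pattern $patterns -List |      # -List: first hit per file keeps output short
        ForEach-Object {
            # Strip NULs so UTF-16 hits read as text, and truncate so a binary "line" is not dumped whole
            $text = ($_.Line -replace "`0", '').Trim()
            if ($text.Length -gt 160) { $text = $text.Substring(0, 160) + '...' }
            [pscustomobject]@{ Path = $_.Path; Line = $_.LineNumber; Match = $text }
        }
}

# Usage (share path assumed for the example):
# Find-CredentialReferences -Path '\\fileserver\Desktop' | Format-Table -AutoSize
```

Run as the low-privilege account you are testing with: the point of the exercise, on both sides, is what an ordinary user can reach, not what an administrator can.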

Using one of the two service account passwords, we RDP’d into the Domain Controller, which we found with a quick IP check and by connecting to the network name. As usual, the service account was a Domain Admin and a member of the Remote Access Users group. We were now on a domain controller with full access, using legitimate accounts and no “traditional hacking”, so we would not be caught by DarkTrace. Mission achieved, and we went no further: we could now have added a user to Domain Admins or Enterprise Admins and had persistence. By 1:22 pm the following day, we had full outright access.

We entered the meeting a little later in the day and revealed our findings. It was at this time we discovered that not only did the client have DarkTrace, which only picked up an ICMP scan (rated low and never investigated), but that the company also has a SIEM from the top right of the Magic Quadrant, monitored and managed 24x7x365, that raised no alerts. Overall, we had a perfect storm to get from nothing to everything and did it without being detected by a network security monitoring tool or a SIEM! This goes to show that using legitimate user accounts has a big impact and that your people really are your biggest risk.

What are the key takeaways?

1: MFA everything! Do this at the front gateway and use a Single Sign-On portal. Don’t rely on Office365 MFA alone, as it can be bypassed by legacy authentication paths such as a manually configured ActiveSync profile; block legacy authentication explicitly.

2: Implement a self-service onboarding tool for new users. Don’t email passwords in clear text and don’t create user accounts 6 days in advance.

3: Review the whole cyber kill chain! A tool such as DarkTrace will catch you at stages 1-3 and a SIEM at 6-8, but User Behaviour Analytics (built into Rapid7 InsightIDR, which the TL SOC happily leverages) gives more insight into privilege escalation and lateral movement carried out with legitimate user accounts.

4: Conduct regular scans of your network for passwords in clear text. This is one of the best companies we work with for credential hygiene, but all it takes is one user not following process and it can be game over.

5: Don’t rely on your mail filter. It can be bypassed. Ensure you are conducting regular awareness training. Check out the offering from Ninjio, it really rocks.

6: Set up monitoring on your Active Directory, especially the Domain Admins and Enterprise Admins groups. Any time a change is made, you should be alerted.

7: Set up a watch list for specific accounts, especially service accounts! Their passwords rarely change and they need the highest level of monitoring.

8: Remove your service accounts from interactive logins, both local and Remote Desktop. There is zero need for this.
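Takeaways 6, 7 and 8 together, as one added example in PowerShell (not the client’s or the red team’s code): find service accounts sitting in privileged or remote-access groups, pull the group-membership change events that should page someone, and list interactive and RDP logons by service accounts. It assumes the ActiveDirectory RSAT module, rights to read the Security log on a domain controller, and that service accounts can be recognised by having an SPN; the DC name and the group list are assumptions to adjust.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory RSAT
# module; the event queries need rights to read a domain controller's Security
# log. The DC name, group list and SPN-based definition of "service account"
# are assumptions for this example.

$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Remote Desktop Users'

function Get-ServiceAccountsInPrivilegedGroups {
    $svc = @{}
    Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties PasswordLastSet, LastLogonDate |
        ForEach-Object { $svc[$_.DistinguishedName] = $_ }
    foreach ($group in $PrivilegedGroups) {
        # -Recursive expands nested groups, which is where DA service accounts tend to hide
        Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
            Where-Object { $svc.ContainsKey($_.distinguishedName) } |
            ForEach-Object {
                $acct = $svc[$_.distinguishedName]
                $age  = if ($acct.PasswordLastSet) { [int]((Get-Date) - $acct.PasswordLastSet).TotalDays } else { $null }
                [pscustomobject]@{ SamAccountName = $acct.SamAccountName; Group = $group
                                   PasswordAgeDays = $age; LastLogonDate = $acct.LastLogonDate }
            }
    }
}

function ConvertFrom-EventData {
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    # Flatten the <EventData><Data Name="...">...</Data> elements into a hashtable
    $data = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $data
}

function Get-PrivilegedGroupChanges {
    param([string]$DomainController = 'dc01.corp.example', [int]$Hours = 24)
    # 4728/4756: member added to a global/universal security group; 4732: to a local group.
    # 4729/4757/4733 are the matching removals. All are written on the DC that made the change.
    $filter = @{ LogName = 'Security'; Id = 4728, 4729, 4732, 4733, 4756, 4757
                 StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = ConvertFrom-EventData $_
            [pscustomobject]@{ Time = $_.TimeCreated; EventId = $_.Id; Group = $data['TargetUserName']
                               Member = $data['MemberName']; ChangedBy = $data['SubjectUserName'] }
        } |
        Where-Object { $PrivilegedGroups -contains $_.Group }
}

function Get-ServiceAccountInteractiveLogons {
    param([string]$DomainController = 'dc01.corp.example', [int]$Hours = 24)
    # Logon types 2 (console), 10 (RDP) and 11 (cached interactive) should never occur for a
    # service account. 4624 on a DC only covers logons to that DC; point this at your
    # event collector to cover member servers.
    $svcNames = (Get-ADUser -Filter 'ServicePrincipalName -like "*"').SamAccountName
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = ConvertFrom-EventData $_
            if ($data['LogonType'] -in '2','10','11' -and $svcNames -contains $data['TargetUserName']) {
                [pscustomobject]@{ Time = $_.TimeCreated; Account = $data['TargetUserName']
                                   LogonType = $data['LogonType']; From = $data['IpAddress'] }
            }
        }
}

# Usage:
# Get-ServiceAccountsInPrivilegedGroups | Format-Table -AutoSize
# Get-PrivilegedGroupChanges -Hours 168
# Get-ServiceAccountInteractiveLogons -Hours 168
```

The first function is the one-off clean-up list; the other two are what to schedule or wire into the SIEM. The fix for takeaway 8 itself is Group Policy rather than a cmdlet: put service accounts in a group that is assigned “Deny log on locally” and “Deny log on through Remote Desktop Services”, or move them to group Managed Service Accounts so there is no reusable password to find in a OneNote file.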

Overall, be vigilant! A phishing campaign may not be where it stops. Just because passwords have been changed, don’t assume the attackers are not still in your network. They could be lying there, waiting and watching.