I was requested to perform a proof of concept hack into a large organization a few weeks ago. The aim was to get an interactive session, preferably GUI, on one of the internal machines, which was guarded by two firewalls (external and DMZ) and an intrusion detection system. I was allowed to use any means necessary to achieve this goal. This is extremely unusual for a penetration test, where the rules, guidelines and penetration methods are very strict and defined. I was supposed to impersonate a hacker that would stop at nothing to gain interactive access to the internal network.
Obviously, there was no external access to this machine from the internet, so I had to plan the attack carefully. I decided to use some social engineering skills to initiate a connection from the internal network to my attacking machine, as this was the only way to establish communications with my target.
I called up the organization, and asked to speak with the secretary working on my target computer. I told her that “I was interested in buying one of their products, and I would like to send her an email with a few questions, before I make the purchase”. She gladly complied, and disclosed her email address to me.
I crafted a special HTML email, with a reverse shell (netcat) payload, which would self-execute once the email was opened. A few minutes later, she received the email and opened it, thus shovelling a shell to my listening machine. Let the games begin.
Once I had the shell, I had to create some “Backup Shells” in case the connection got severed. There’s nothing worse than losing the only connection to a penetrated machine. I did this using the “at” command, sending myself a NetCat shell every 15 minutes. I found myself smiling every 15 minutes.
Once this was done, my first instinct was to start uploading my toolkit to this machine using tftp, however it seemed that there were very restrictive firewall policies on outgoing connections in the internal network. TFTP just didn’t go through.
By echoing ftp commands into a text file, I downloaded a small toolkit to the victim machine, which included some VNC files and a custom-made registry file, which sets VNC settings (such as a VNC password and a setting which allows connecting to VNC locally – more on that later).
From this point onwards, I followed the instructions from http://guh.nu to remotely install vnc, as can be summarized from these commands:
Now I had VNC installed on the remote machine, but there was no way to get to port 5900 (VNC) in order to connect to it (two firewalls, and fascist outbound rules).
I decided to implement a UNIX scenario by which one can tunnel ports via SSH to remote machines. The SSH client I found suitable for this job was plink.exe (the PuTTY command-line client).
I installed the SSH server found in Cygwin on my attacking machine, and proceeded to tunnel port 5900 from the victim machine to my own:
The SSH connection had been made, and from a local netstat -a on my machine, I could see that port 5900 was successfully mapped to my attacking computer.
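The `netstat -a` check above was run on the attacking side. As an added example (not code from the original write-up), the script below runs the equivalent check from the defender's side on the workstation: it parses Windows-style `netstat -an` output and reports the three indicators this tunnel leaves behind, namely a remote-control listener, an established outbound SSH connection to a non-internal address (the egress hole that let the tunnel through while TFTP was blocked), and a remote-control port being served over loopback. The sample output, the port lists and the internal address ranges are constructed assumptions.

```python
"""Spot an SSH-forwarded VNC session from the workstation's own netstat.

Added example, not from the original write-up. Parses the TCP rows of a
Windows-style `netstat -an` listing and returns (kind, detail) findings.
All sample data and thresholds below are constructed assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumptions: ports a workstation should not be serving, and the only
# outbound port that an interactive tunnel carrier would normally use.
REMOTE_CONTROL_PORTS = {5900, 3389}
TUNNEL_CARRIER_PORTS = {22}

# RFC 1918 plus loopback; anything else is treated as external.
_INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

# Constructed sample: victim workstation 10.0.5.23, attacker 203.0.113.10.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING
  TCP    10.0.5.23:1045         203.0.113.10:22        ESTABLISHED
  TCP    10.0.5.23:1046         10.0.5.1:445           ESTABLISHED
  TCP    127.0.0.1:5900         127.0.0.1:1047         ESTABLISHED
"""

_ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s*(\S+)?\s*$")


@dataclass(frozen=True)
class Conn:
    proto: str
    laddr: str
    lport: int
    raddr: str
    rport: int
    state: str


def parse_netstat(text):
    """Return one Conn per parsable row; the header and UDP rows are skipped."""
    conns = []
    for line in text.splitlines():
        m = _ROW_RE.match(line)
        if m and m.group(1) == "TCP":
            proto, laddr, lport, raddr, rport, state = m.groups()
            conns.append(Conn(proto, laddr, int(lport), raddr, int(rport), state or ""))
    return conns


def is_internal(addr):
    """True for RFC 1918 and loopback addresses (constructed policy)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in _INTERNAL_NETS)


def tunnel_indicators(conns):
    """Return (kind, detail) pairs for rows consistent with a tunnelled VNC session."""
    findings = []
    for c in conns:
        if c.state == "LISTENING" and c.lport in REMOTE_CONTROL_PORTS:
            findings.append(("remote_control_listener", f"port {c.lport} listening"))
        if c.state == "ESTABLISHED" and c.rport in TUNNEL_CARRIER_PORTS and not is_internal(c.raddr):
            findings.append(("outbound_ssh_external", f"{c.laddr}:{c.lport} -> {c.raddr}:{c.rport}"))
        if c.state == "ESTABLISHED" and c.lport in REMOTE_CONTROL_PORTS and is_internal(c.raddr) \
                and ipaddress.ip_address(c.raddr).is_loopback:
            findings.append(("remote_control_over_loopback", f"port {c.lport} served to {c.raddr}"))
    return findings


if __name__ == "__main__":
    for kind, detail in tunnel_indicators(parse_netstat(SAMPLE_NETSTAT)):
        print(f"{kind}: {detail}")
```

Any one of the three findings on its own can be benign; all three on the same workstation, with the loopback client on port 5900 appearing only while the outbound port 22 session is up, is the shape of the tunnel described in the text. The outbound SSH finding is also the one an egress policy can prevent: a workstation rarely needs to open port 22 to the internet.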
I quickly whipped out my VNC client, and attempted to connect locally to port 5900:
To my surprise, I was welcomed with a password prompt:
And immediately after, I had a remote VNC session to the attacked machine.
I had tunneled stuff via SSH many times in Linux environments; however, this was the first time I attempted to do it under Windows.
I was blown away by the speed of the VNC session (due to the compression on the SSH channel), and by the fact that it actually worked. I thought of releasing a stray KaHt2.exe into the internal network (all in GUI, of course); however, my objectives had been achieved, and it was very late at night.
Mati Aharoni, MCSES, MCT, CCNA, CCSA, CISSP
Visit the Security through Hacking Web site at http://www.secureit.co.il for additional information.