Real Life Pentest Scenarios #4 – From Rabbit to Domain Admin

Target: International Trading Company
Access Point: Internal
Test Profile: Guest

Before Test:

The customer said that they had received penetration testing services from different consulting companies a few times and had fixed all vulnerabilities. They just wanted to be sure that they had enough cybersecurity maturity. They also added that there would be no exceptions, no test accounts, and that MITM-based attack vectors were out of scope. Brute-forcing would be limited to five tries per minute.

Day 1:

I discovered that the target organization had implemented a network access control solution. I tried to clone the MAC address of a personal computer, but it didn’t work. I then tried to clone the MAC address of a printer, but that didn’t work either.

While I was playing with printers, I realized that it was possible to print the printer’s system information. On the output, I saw that the printer’s MAC address was different from the barcode on its back.

I tried to change my MAC address to the new one, and I was able to access the internal network.

I started to analyze the internal network, and everything looked good. All systems were updated and configured well.

Day 2:

I decided to check HTTP services on the internal network. I found an HTTP service on a custom port (16672); it was a RabbitMQ web panel.

RabbitMQ

RabbitMQ is open-source message-broker software that originally implemented the Advanced Message Queuing Protocol (AMQP) and has since been extended with a plug-in architecture to support the Streaming Text Oriented Messaging Protocol (STOMP), MQ Telemetry Transport (MQTT), and other protocols.

Default username: guest
Default password: guest

I was able to log in successfully using the default username and password.

While I was checking the application, I realized that an admin user had been created, but the default user had never been deleted. Using the “Export Definitions” section, I downloaded the JSON file that contained the password hash of the admin user.

Hashing

When a password has been “hashed” it means it has been turned into a scrambled representation of itself. The user’s password is combined with a salt (a random value the site stores alongside the hash) and run through a fixed hashing algorithm, and the resulting hash value is what gets stored on record.

To verify that a user’s password is correct, the submitted password is hashed again with the same salt each time they log in and the result is compared with the stored value.

You cannot directly turn a hashed value back into the password, but you can work out what the password is by continually generating hashes from candidate passwords until you find one that matches: a so-called brute-force or dictionary attack. A salt does not prevent this; it only forces the attacker to redo the work for every salt, which is why weak passwords are recovered quickly regardless.
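The two findings above (the forgotten default user in the exported definitions, and the fact that a hash can be checked against candidate passwords) can be turned into a defensive audit of a RabbitMQ definitions export. The following is an added example written for this page, not code from the original post or from the RabbitMQ project. It reimplements the documented rabbit_password_hashing_sha256 format (base64 of a 4-byte salt followed by SHA-256(salt || password)) so it can verify exported hashes offline; the sample export, the salts, the user names and the deny-list of weak passwords are all constructed for the example.

```python
import base64
import hashlib
import json
import os
from typing import List, Optional

# Constructed deny-list: passwords no privileged broker account should ever use.
WEAK_PASSWORDS = ["guest", "admin", "password", "rabbitmq", "Password1"]


def rabbit_sha256_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build a password_hash in RabbitMQ's rabbit_password_hashing_sha256 format:
    base64( salt || sha256(salt || utf8(password)) ) with a random 4-byte salt."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return base64.b64encode(salt + digest).decode("ascii")


def verify_rabbit_sha256(password: str, stored_hash: str) -> bool:
    """Recompute the hash with the salt recovered from the stored value and compare."""
    raw = base64.b64decode(stored_hash)
    salt, digest = raw[:4], raw[4:]
    return hashlib.sha256(salt + password.encode("utf-8")).digest() == digest


def audit_definitions(definitions: dict, weak_passwords=WEAK_PASSWORDS) -> List[str]:
    """Flag the leftover default user, legacy MD5 hashes, and administrators whose
    password appears in the deny-list. Returns one finding string per problem."""
    findings = []
    for user in definitions.get("users", []):
        name = user.get("name", "")
        tags = user.get("tags", "")
        # Older exports carry tags as a comma-separated string, newer ones as a list.
        tag_set = set(tags if isinstance(tags, list) else tags.split(","))
        algo = user.get("hashing_algorithm", "")

        if name == "guest":
            findings.append("default user 'guest' still exists")
        if algo == "rabbit_password_hashing_md5":
            findings.append(f"user '{name}' uses the legacy md5 hashing algorithm")
        if "administrator" in tag_set and algo == "rabbit_password_hashing_sha256":
            for candidate in weak_passwords:
                if verify_rabbit_sha256(candidate, user["password_hash"]):
                    findings.append(f"administrator '{name}' uses a weak password")
                    break
    return findings


def audit_definitions_json(text: str) -> List[str]:
    """Convenience wrapper for the raw JSON downloaded via 'Export Definitions'."""
    return audit_definitions(json.loads(text))


# Constructed sample export: fixed salts so the hashes are reproducible.
SAMPLE_DEFINITIONS = {
    "rabbit_version": "constructed-sample",
    "users": [
        {"name": "guest",
         "password_hash": rabbit_sha256_hash("guest", b"\x00\x01\x02\x03"),
         "hashing_algorithm": "rabbit_password_hashing_sha256",
         "tags": "administrator"},
        {"name": "ops-admin",
         "password_hash": rabbit_sha256_hash("Correct-Horse-Battery-Staple-77", b"\x10\x11\x12\x13"),
         "hashing_algorithm": "rabbit_password_hashing_sha256",
         "tags": ["administrator"]},
        {"name": "legacy-monitor",
         "password_hash": "AAAAAA==",  # placeholder, never verified (not sha256)
         "hashing_algorithm": "rabbit_password_hashing_md5",
         "tags": "monitoring"},
    ],
}

if __name__ == "__main__":
    for finding in audit_definitions_json(json.dumps(SAMPLE_DEFINITIONS)):
        print("FINDING:", finding)
```

Run against a real export, the audit should come back empty: the guest user removed (rabbitmqctl delete_user guest), every remaining user on the SHA-256 algorithm, and no administrator whose password sits on a deny-list. The deny-list check is intentionally tiny; its purpose is to catch defaults and the handful of passwords every wordlist starts with, not to replace a proper password policy on the broker.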

I wrote a script to test a few wordlists, and I realized that the password was “P@ssWrd1325!”.

I started to try this password on local computers, and I was able to log in with an administrator account. I also realized that one of the domain admin accounts was using this password.

Once again, a minor configuration mistake proved enough to compromise the integrity of an entire organization.