Own the Enterprise - Penetration Testing | Real Scenarios


Own the Enterprise

Penetration testing | Real Scenarios

Prepared by: Mohamed Magdi

Information Security Specialist

OSWP | GSEC | CEHV8 | EC-Council CAST 614 | RHCSA | ITILV3


1.    About This Document

This document describes a real penetration testing scenario performed on X-Company and shows the methodology the penetration tester followed to reach the target and escalate privileges from a normal user to domain administrator.


2.    Scope

Throughout this article the company is referred to as X-Company.


3.    Setup

  • Pool of IPs (network devices and servers)
  • Two domain accounts with very limited privileges (test1, test2)


4.    Vulnerabilities

During the engagement, after discovering the network, open ports, running services, OS versions, missing updates, etc., I found a lot of vulnerabilities; to build the scenario I will focus only on the following ones.


4.1. Microsoft Windows SMB Shares Unprivileged Access

Some of the tested servers' shares can be accessed over the network with the default credentials. Depending on the share rights, this may allow an attacker to read/write confidential data.


4.2. Microsoft Windows Remote Desktop with Default Credentials

One of the tested servers can be accessed remotely through RDP with the default credentials. Depending on the account rights, this may allow an attacker to install malicious software to compromise the server and then use it to affect other servers, which puts the enterprise at high risk.


4.3. vSphere Administrator Account with Weak Password

The vSphere client installed on one of the remote servers, which is used to access vCenter, has an Administrator account with a weak password. A remote attacker can leverage this issue to access all the virtual machines on those servers and may be able to alter the boot sequence of those machines.


5.    The Scenario


5.1. Part One

  • Using the given account, which has limited privileges, I began to enumerate the users within the enterprise using Nmap scripts against the servers where the SMB service is running:
nmap -sU -sS -n --script smb-enum-users --script-args=smbuser=test1,[email protected],smbdomain=company.com -iL Testedservers_smb -oN UsersEnumeration


  • After running the script, the result is as shown below

Figure 1


  • Based on the previous result we can create a list of users (Users.lst)


5.2. Part Two


  • I tried to figure out the lockout policy using my limited-privilege account, in order to determine whether I could start brute forcing with the extracted user list without locking any account
  • After investigation I found that no lockout policy was applied, so we can brute force the extracted accounts without locking any of them
  • I used Hydra, a well-known brute-forcing tool, set the service to smb, and used one of my dictionaries as the password list:
hydra -L Users.lst -P smbpass.lst -M SMB_IPs.txt -o SMBLogin -e nsr smb


Figure 2


  • From the previous command I got a list of users who successfully logged in. The accounts in this list have different privileges and could be used to explore the remote servers, read confidential data, upload malicious code, and so on, any of which may compromise the servers in the end; for our scenario, however, I will use this list to brute force the RDP service:
hydra -L SMBUsers.lst -p [email protected] -M RDP_IPs.txt -o RDPLogin rdp
  • And finally I got another list of users who can successfully log on through RDP to the remote servers
  • Then, after trying the final list against the servers where the RDP service is enabled, I logged on with the account (magic) on server (x.x.x.x):
rdesktop -f x.x.x.x


Figure 3
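Part Two works only because no lockout policy was applied, so the dictionary runs against SMB and then RDP leave nothing behind except a dense trail of failed logons (event 4625) followed by a success (event 4624) from the same source. The following Python is an added example, not code from the original article or the engagement: it takes a constructed, pipe-separated export of Windows Security logon events (timestamp, event ID, user, source IP, logon type), finds sources that produced a burst of failures across many accounts, and lists the accounts that then logged on successfully from that source, which are the ones to reset first. The export format and the sample records are assumptions; the logon type numbers (3 for network/SMB, 10 for RemoteInteractive/RDP) are the standard Windows values.

```python
"""Brute-force / password-spray detection over Windows Security logon events.

Added example, not part of the original article. The input is a constructed
pipe-separated export (timestamp|EventID|user|source IP|logon type), not the
native EVTX/XML layout; adapt parse_line() to what your SIEM exports.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Windows logon types matching the article's two attack paths:
# 3 = network logon (SMB), 10 = RemoteInteractive (RDP).
LOGON_TYPE_NAMES = {"3": "SMB/network", "10": "RDP"}

# Constructed sample: a dictionary run against many accounts from 10.0.0.5 over
# SMB, one resulting success, then an RDP logon with the account that worked.
# 10.0.0.9 is a user who mistyped a password once (benign noise).
SAMPLE_LOG = """\
2015-01-09T10:00:01|4625|test1|10.0.0.5|3
2015-01-09T10:00:02|4625|test2|10.0.0.5|3
2015-01-09T10:00:03|4625|alice|10.0.0.5|3
2015-01-09T10:00:04|4625|bob|10.0.0.5|3
2015-01-09T10:00:05|4625|carol|10.0.0.5|3
2015-01-09T10:00:06|4625|dave|10.0.0.5|3
2015-01-09T10:00:07|4625|erin|10.0.0.5|3
2015-01-09T10:00:08|4625|frank|10.0.0.5|3
2015-01-09T10:00:09|4625|grace|10.0.0.5|3
2015-01-09T10:00:10|4625|heidi|10.0.0.5|3
2015-01-09T10:00:11|4625|ivan|10.0.0.5|3
2015-01-09T10:00:12|4624|magic|10.0.0.5|3
2015-01-09T10:03:00|4624|magic|10.0.0.5|10
2015-01-09T11:30:00|4625|judy|10.0.0.9|10
2015-01-09T11:30:20|4624|judy|10.0.0.9|10
"""


@dataclass
class LogonEvent:
    time: datetime
    event_id: int      # 4625 = failed logon, 4624 = successful logon
    user: str
    source_ip: str
    logon_type: str


def parse_line(line: str) -> LogonEvent:
    ts, event_id, user, ip, logon_type = line.strip().split("|")
    return LogonEvent(datetime.fromisoformat(ts), int(event_id),
                      user.lower(), ip, logon_type)


def parse_log(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def max_events_in_window(times, window):
    """Largest number of (sorted) timestamps that fall inside any `window`."""
    best, start = 0, 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold failed logons inside `window`.

    For each flagged source, also report the accounts that logged on
    successfully after the burst started: without a lockout policy those
    are the credentials the attacker now holds.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.source_ip].append(e)

    findings = []
    for ip, evs in sorted(by_ip.items()):
        evs.sort(key=lambda e: e.time)
        failures = [e for e in evs if e.event_id == 4625]
        if not failures:
            continue
        burst = max_events_in_window([f.time for f in failures], window)
        if burst < threshold:
            continue
        first_failure = failures[0].time
        successes = sorted({e.user for e in evs
                            if e.event_id == 4624 and e.time >= first_failure})
        findings.append({
            "source_ip": ip,
            "failures_in_window": burst,
            "distinct_users": len({f.user for f in failures}),
            "services": sorted({LOGON_TYPE_NAMES.get(e.logon_type, e.logon_type)
                                for e in evs}),
            "compromised_accounts": successes,
        })
    return findings


if __name__ == "__main__":
    for finding in detect_bruteforce(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the sample, the only finding is 10.0.0.5: eleven failures against eleven different accounts inside a few seconds, over both SMB and RDP, with `magic` as the account that subsequently succeeded. Counting distinct users per source is what separates a dictionary or spray run from one person repeatedly mistyping their own password, and the success-after-burst list is the immediate containment action a lockout policy would otherwise have forced on the attacker.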



5.3. Part Three


  • After logging on remotely to one of the tested machines, the account I used had only limited privileges on that machine (standard user)
  • I began browsing the machine and found the vSphere client, which is used to log on to vCenter


Figure 4


  • As we can see, there is an option called "Use Windows session credentials" which logs you in to vCenter with your current Windows credentials if an account with the same name and password exists in vCenter
  • I ticked this option and successfully logged in to vCenter, but this time I found that I had administrative privileges
  • After browsing the virtual machines I found one machine with a very interesting screen:

Domain Administrator user name on the login screen and I just needed the password


5.4. Part Four


  • Here the fun began: I had reached the machine showing the domain Administrator logon screen and needed the password to act as the domain administrator, so I used the power I already had.
  • I had administrative privileges on vCenter, so I navigated to the datastore (the location where the operating system images used for booting are kept) and uploaded the Kon-Boot software from my computer as a floppy image
  • Kon-Boot is used to bypass the password; it works by hooking into the system BIOS and temporarily changing the contents of the Windows kernel in memory while booting


Figure 5

  • Then I rebooted the machine, of course only after confirming that there was no activity on it by monitoring the CPU and memory usage from the vCenter console
  • Then I changed the boot sequence of the machine so that it booted first from the floppy image containing my Kon-Boot software
  • And finally I logged on as domain administrator on that machine, with the power to do whatever I wanted on it, and used this as the next step in completing my penetration test
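Part Four leaves a clear footprint in vCenter: the same user reconfigures a VM to attach removable boot media, changes the boot order, and then power-cycles it within minutes. The following Python is an added example, not code from the original article or from VMware: it correlates those three steps per VM over a constructed export of vCenter events (timestamp, event type, VM name, user, detail). The event type names VmReconfiguredEvent, VmResettingEvent, VmPoweredOffEvent, VmPoweredOnEvent and VmGuestRebootEvent are real vSphere event types, but the pipe-separated line format and the wording of the `detail` field are assumptions about how a SIEM renders the configSpec change, and the VM names and user names are constructed.

```python
"""Correlate vCenter events to spot boot-media tampering on a VM.

Added example, not from the original article or VMware. Line format
(timestamp|event type|VM|user|detail) is a constructed export; only the
event type names are real vSphere event types.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

POWER_EVENTS = {"VmResettingEvent", "VmPoweredOffEvent",
                "VmPoweredOnEvent", "VmGuestRebootEvent"}
# Reconfiguration details that change what the guest boots from.
BOOT_MEDIA_KEYWORDS = ("floppy", "cdrom", "bootorder", "boot order")

# Constructed sample (raw string so the domain backslashes stay literal):
# WEB01 gets a memory change and a routine power cycle (benign);
# DC01 gets a floppy image attached, its boot order changed and a reset;
# FILE01 gets an ISO attached but is never power-cycled in the window.
SAMPLE_EVENTS = r"""
2015-01-09T09:00:00|VmReconfiguredEvent|WEB01|COMPANY\vmadmin|memoryMB: 4096 -> 8192
2015-01-09T09:05:00|VmPoweredOffEvent|WEB01|COMPANY\vmadmin|power off
2015-01-09T09:06:00|VmPoweredOnEvent|WEB01|COMPANY\vmadmin|power on
2015-01-09T14:00:00|VmReconfiguredEvent|DC01|COMPANY\magic|floppy0 attached: [datastore1] images/boot.flp
2015-01-09T14:00:30|VmReconfiguredEvent|DC01|COMPANY\magic|bootOrder: floppy,disk
2015-01-09T14:01:00|VmResettingEvent|DC01|COMPANY\magic|reset
2015-01-09T16:00:00|VmReconfiguredEvent|FILE01|COMPANY\vmadmin|cdrom0 attached: [datastore1] iso/tools.iso
"""


@dataclass
class VcEvent:
    time: datetime
    event_type: str
    vm: str
    user: str
    detail: str


def parse_events(text: str) -> list:
    out = []
    for line in text.strip().splitlines():
        ts, etype, vm, user, detail = line.split("|", 4)
        out.append(VcEvent(datetime.fromisoformat(ts), etype, vm, user, detail))
    return out


def is_boot_media_change(e: VcEvent) -> bool:
    d = e.detail.lower()
    return (e.event_type == "VmReconfiguredEvent"
            and any(k in d for k in BOOT_MEDIA_KEYWORDS))


def detect_boot_media_tampering(events, window=timedelta(minutes=30)):
    """Report a boot-media reconfiguration followed, within `window`, by a
    power cycle of the same VM, together with the user who triggered it."""
    by_vm = defaultdict(list)
    for e in events:
        by_vm[e.vm].append(e)

    findings = []
    for vm, evs in sorted(by_vm.items()):
        evs.sort(key=lambda e: e.time)
        pending = []  # boot-media changes not yet followed by a power event
        for e in evs:
            if is_boot_media_change(e):
                pending.append(e)
            elif e.event_type in POWER_EVENTS and pending:
                recent = [c for c in pending if e.time - c.time <= window]
                if recent:
                    findings.append({
                        "vm": vm,
                        "user": e.user,
                        "changes": [c.detail for c in recent],
                        "power_event": e.event_type,
                        "power_time": e.time.isoformat(),
                    })
                pending = []
    return findings


if __name__ == "__main__":
    for finding in detect_boot_media_tampering(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

Only DC01 is reported: two boot-media changes by the same user followed by a reset one minute later. FILE01 shows why the power event is required for a high-confidence alert, since administrators attach ISOs routinely; attaching media without a reboot can still be logged as a low-severity signal. The durable fixes are the ones the detection cannot substitute for: full-disk encryption of sensitive guests such as domain controllers, so that a password-bypass boot image finds no readable Windows kernel on disk, and vCenter roles that do not hand every mapped Windows account the privileges to upload to datastores, add devices, or change boot order.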


January 9, 2015

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013