Last updated at Fri, 04 Oct 2024 19:59:38 GMT

This is a story of network segmentation and the impact that seemingly trivial misconfigurations can have for your organization.

This is one of those occasions.

This particular pen test asked for goals-based assessment focusing on post-compromise activities — an attempt by the client to discover how vulnerable internal systems were to lateral movement by an attacker who had compromised the domain. Among the goals was a request to attempt to compromise the client’s Amazon Web Services (AWS) infrastructure and a secondary request to access and exploit any systems discovered to contain sensitive or critical operational data .

The domain for the internal environment was compromised within an hour and a half using common attack vectors: Responder network poisoning to obtain low-level network credentials followed by exploitation of Active Directory Certificate Services (ADCS) web enrollment vulnerabilities to escalate to a member of the ‘Domain Administrators’ group. While performing credential-stuffing attacks against several devices within the network to determine what previously compromised user accounts could access, it was noted that the testing device could access subnets containing user devices due to a lack of segmentation and access control policies. These configurations are known to provide additional layers of security to the network which can help to mitigate damage after compromises by preventing attacker movement to sensitive resources within the network .

Upon initially attempting to access the company’s confidential Google Suite resources, it was found that all requests redirected to a required Multi-Factor Authentication (MFA) request. Additionally, Remote Desktop Protocol (RDP) services had been properly secured, preventing sessions from the network of the attacking device.

Devices within the user environment were accessed through use of a common suite of testing tools which aid penetration testers in testing Windows environments and connecting to devices with compromised credentials, Impacket.  Using the ‘wmiexec’ script provided within the suite to explore the  file system for a known Software Architect’s machine, a hidden AWS folder was discovered. This folder contained credential files holding what appeared to be a recently authenticated and currently active AWS session. Through testing the credentials from the attacking machine two discoveries were made:

  1. The account was an administrator to a testing and development AWS environment
  2. This session had already authenticated through MFA

Using a tool called ‘aws_consoler’, a session was generated to allow for administrative access to the AWS Console. As MFA sessions within AWS expire within an hour by default, the first action performed with this session was to create a user account. The new account gave persistent access to the environment without needing to rely on another session credential file being obtained. While exploring virtual machines deployed within AWS, it was noted that there appeared to be no network filtering of RDP between the internal environment and the AWS environment.

An in-browser RDP session within AWS provided a graphical user interface on the EC2 instance for a server on a separate network, which then allowed for an RDP chain to be established to user devices. Upon connection to the user device, active authenticated sessions to multiple confidential resources, including event monitoring systems and GitLab, were discovered. Further enumeration revealed something that would pique the interest of any tester: access to the company’s secrets vault. This allowed access to a device with ‘Security’ in the name. This was surely an opportunity no tester would ever willingly pass up.

After successful authentication to the machine, the motherload was discovered: unrestricted feeds of all cameras on the campus, unrestricted access to file shares, and, most importantly, access to the badge printing system. Through the camera feeds, the data center could be analyzed for any potential physical vulnerabilities which might allow for physical access to the servers. Within the file shares, multiple files were discovered detailing physical security in such granularity it could be determined which rooms were left unlocked after business hours. A file containing the door pin codes and alarm codes for every employee as well as the combination to the Network Operation Center’s (NOC) physical key safe was also discovered.

This left only one piece of information needed to access the facility unimpeded: the badge. Exploring the badge printing system, the algorithm used in badge creation was discovered to be Wiegand 26 bit. This made it a simple task to create a proper access badge as all data needed to create one within the system had been obtained: the facility code and badge id for the impersonated user. Both pieces of information existed within the system for a user with free access to the entire facility and data center. Using all of the acquired data, the hex value of the code, which would be written to the card during the badge creation process, was synthesized and the card created using the popular Proxmark badge creation tool. In the process of the enumeration the picture used on the badge was also acquired, allowing for the created badge to be a high-quality facsimile of the user’s own card.

With this we had the card, the door pins, and alarm codes. These are all of the pieces needed to infiltrate the campus undetected and without restriction — a malicious actor’s dream. Add access to the NOC key safe, which would lead to Data Center access, as the cherry on the cake. All from one door control and badge system device which had not been properly protected and a lack of proper segmentation and access controls.

Penetration testers typically approach physical assessments from the angle of internal network access as a result of a physical breach, however, these configurations show that it is possible to breach the facility with information obtained from an internal breach, flipping the situation around completely. This access could be devastating to a company reliant on 24/7 business continuity, especially for clients who use and maintain Operational Technology (OT) on their campus. A network breach could lead to an attacker selling off the ‘keys to the kingdom,’ leading to additional potential physical and network breaches further down the line. When reviewing your internal environment, make sure to properly protect and segment critical security devices, and ensure adequate protections are in place on sensitive files and documents as well.

Learn More about Rapid7's Vector Command Service ▶︎

Validate your external attack surface exposures and test your defenses with continuous red team operations.