HomeCalendarCertificationsColumnsFeaturesForumResourcesVitals
 
Image
 
linkedin_logo.png rss_logo.jpg
twitter_logo.png youtube_logo.jpg
Latest Additions
 
EH-Net Login
Welcome Guest.
Lost Password?
No account yet? Register
Who's Online
We have 29 guests online
 
Advertisement

You are here: Home arrow Ethical Hacking Discussions and Related Certificationsarrow Network Pen Testingarrow Guidance on Black Box Testing
EH-Net
May 24, 2013, 05:36:07 AM *
Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
News: Go back to The Ethical Hacker Network Online Magazine Home Page
 
   Home   Help Calendar Login Register  
Pages: [1]   Go Down
« previous next »
  Print  
Author Topic: Guidance on Black Box Testing  (Read 5370 times)
0 Members and 1 Guest are viewing this topic.
det_security08
Newbie
*
Offline Offline

Posts: 8


View Profile
« on: October 10, 2008, 08:42:49 AM »
In the middle of a black box test, external network, social engineering, client-side attacks, the whole nine yards.  We started off with an external recon of open ports and services and then to the social engineering.  We've already obtained several usable usernames and passwords, but the issue externally is that only a few open ports and services are available.  No golden nuggests such as RDP unfortunately.  THere is a Citrix portal which we managed to discover that one user has access to (the rest do not).  We installed the Citrix client and are able to open a Windows Explorer window on the Citrix box itself for this one user.  I've already tried all the basics to create local users and even launching AD Users and Computers for their domain and adding IDs or changing permissions on acounts but the environment is fairly locked down and the user does not have permission to install software on the box, etc.

I can attempt to map drives and try some light brute forcing, since ive been enable to enumerate who the domain admins are, etc, etc and i have a list of every internal host name.  I just don't yet have that 'in' that affords me access to a desktop or internal domain.  I simply have 'domain user' creds in a locked down environment and a citrix portal...so far.  We're still in the middle of testing but I was wondering if anyone had guidance on things we can do from this Citrix server since its officially some sort of internal session.  I can also browse network drives and I've been downloading sensitive information left and right...so we're partly successful but we would like to eventually add ourselves as a domain user or admin/domain admin (would be our end game). 

Logged
geekyone
Full Member
***
Offline Offline

Posts: 180



View Profile
« Reply #1 on: October 10, 2008, 04:09:22 PM »
If they haven't locked down Internet access when using Citrix.  You could setup a web server with a privilege escalation browser exploit and surf to that website while logged in as your user.
Logged
CISSP, CEH, GPEN, GCIH, GCFA
toggmeister
Guest
« Reply #2 on: October 13, 2008, 11:15:42 PM »
Hi,

Have you seen the thread I started on Citrix Testing here, if not the resource specified is:

http://www.vulnerabilityassessment.co.uk/Citrix.html

Have you got command-line access or just gui tools, if not how about using ikat to pop shell or attempt, other tools also:

http://ikat.ha.cked.net/

Hope this helps
Logged
det_security08
Newbie
*
Offline Offline

Posts: 8


View Profile
« Reply #3 on: October 14, 2008, 09:43:01 AM »
Geeky...yeah we definitely tried that as well...and they did lock down access to the Internet on that Citrix browser...that would have made life very easy for us!   Smiley
Logged
LSOChris
Guest
« Reply #4 on: October 15, 2008, 05:55:27 PM »
well in that case can you escape out of it? some of the citrix applications can be escaped from an you can run system commands
Logged
det_security08
Newbie
*
Offline Offline

Posts: 8


View Profile
« Reply #5 on: October 16, 2008, 10:20:47 AM »
ok...we have had some great progress, including several RDP and TS sessions into servers on the client network.  We've managed to extract some SAM data, but so far have not been able to capture any administrator (for the domain) credentials.  we've placed keyloggers and have other things going, but no luck so far.

I do have one question with regards to NTLM, LM password cracking.  We've managed to extract two separate administrator ID password hashes from two separate servers.  Unfortunately the password policy is at least 8 characters long.  Using LM Hashes, we've managed to get the first 7 characters of both accounts...but no more than that.  Is there anyone with hashing experience who can provide guidance on what to do after capturing the first 7 characters of a LM hash?  we've in the process of creating our own rainbow table, including alpha numberic, complex characters.  we decided to just do three more spaces, and start at index space 8...so that the hash may give us characters 8-10 and we could possible start some brute force combos from there.

If anyone has any other advice, it would be much appreciated.
Logged
Pages: [1]   Go Up
  Print  
« previous next »
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.18 | SMF © 2013, Simple Machines
Joomla Bridge by JoomlaHacks.com 		Valid XHTML 1.0! Valid CSS!
Page created in 0.064 seconds with 23 queries.
 
Exclusive Deal

sansfire13_245x90_cw90.jpg
SANSFIRE 2013
June 15 - 22

5% Off w/ Code: EHN_5

SANS Deals 4 EH-Netters
5% OFF Any SANS Course in Any Format!
Coupon Code: EHN_5 Including SANS Rocky Mountain 2013 & SANS Boston 2013
Polls
Compared to this year, 2013 will be:
 
Recent Forum Topics
EH-Net News Feeds
Latest Additions
 
         
Free Business and Tech Magazines and eBooks

© 2013 The Ethical Hacker Network
Joomla! is Free Software released under the GNU/GPL License.