.

Guidance on Black Box Testing

<<

det_security08

Newbie
Newbie

Posts: 8

Joined: Mon Jun 23, 2008 7:29 pm

Post Fri Oct 10, 2008 8:42 am

Guidance on Black Box Testing

In the middle of a black box test, external network, social engineering, client-side attacks, the whole nine yards.  We started off with an external recon of open ports and services and then to the social engineering.  We've already obtained several usable usernames and passwords, but the issue externally is that only a few open ports and services are available.  No golden nuggests such as RDP unfortunately.  THere is a Citrix portal which we managed to discover that one user has access to (the rest do not).  We installed the Citrix client and are able to open a Windows Explorer window on the Citrix box itself for this one user.  I've already tried all the basics to create local users and even launching AD Users and Computers for their domain and adding IDs or changing permissions on acounts but the environment is fairly locked down and the user does not have permission to install software on the box, etc.

I can attempt to map drives and try some light brute forcing, since ive been enable to enumerate who the domain admins are, etc, etc and i have a list of every internal host name.  I just don't yet have that 'in' that affords me access to a desktop or internal domain.  I simply have 'domain user' creds in a locked down environment and a citrix portal...so far.  We're still in the middle of testing but I was wondering if anyone had guidance on things we can do from this Citrix server since its officially some sort of internal session.  I can also browse network drives and I've been downloading sensitive information left and right...so we're partly successful but we would like to eventually add ourselves as a domain user or admin/domain admin (would be our end game). 
<<

geekyone

User avatar

Full Member
Full Member

Posts: 180

Joined: Fri Oct 26, 2007 12:45 pm

Location: Peoria, IL

Post Fri Oct 10, 2008 4:09 pm

Re: Guidance on Black Box Testing

If they haven't locked down Internet access when using Citrix.  You could setup a web server with a privilege escalation browser exploit and surf to that website while logged in as your user.
CISSP, CEH, GPEN, GCIH, GCFA
<<

toggmeister

Post Mon Oct 13, 2008 11:15 pm

Re: Guidance on Black Box Testing

Hi,

Have you seen the thread I started on Citrix Testing here, if not the resource specified is:

http://www.vulnerabilityassessment.co.uk/Citrix.html

Have you got command-line access or just gui tools, if not how about using ikat to pop shell or attempt, other tools also:

http://ikat.ha.cked.net/

Hope this helps
<<

det_security08

Newbie
Newbie

Posts: 8

Joined: Mon Jun 23, 2008 7:29 pm

Post Tue Oct 14, 2008 9:43 am

Re: Guidance on Black Box Testing

Geeky...yeah we definitely tried that as well...and they did lock down access to the Internet on that Citrix browser...that would have made life very easy for us!  :)
<<

LSOChris

Post Wed Oct 15, 2008 5:55 pm

Re: Guidance on Black Box Testing

well in that case can you escape out of it? some of the citrix applications can be escaped from an you can run system commands
<<

det_security08

Newbie
Newbie

Posts: 8

Joined: Mon Jun 23, 2008 7:29 pm

Post Thu Oct 16, 2008 10:20 am

Re: Guidance on Black Box Testing

ok...we have had some great progress, including several RDP and TS sessions into servers on the client network.  We've managed to extract some SAM data, but so far have not been able to capture any administrator (for the domain) credentials.  we've placed keyloggers and have other things going, but no luck so far.

I do have one question with regards to NTLM, LM password cracking.  We've managed to extract two separate administrator ID password hashes from two separate servers.  Unfortunately the password policy is at least 8 characters long.  Using LM Hashes, we've managed to get the first 7 characters of both accounts...but no more than that.  Is there anyone with hashing experience who can provide guidance on what to do after capturing the first 7 characters of a LM hash?  we've in the process of creating our own rainbow table, including alpha numberic, complex characters.  we decided to just do three more spaces, and start at index space 8...so that the hash may give us characters 8-10 and we could possible start some brute force combos from there.

If anyone has any other advice, it would be much appreciated.

Return to Network Pen Testing

Who is online

Users browsing this forum: No registered users and 1 guest

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software