Client Side and Pivot Attacks on Fully Patched Windows Systems
Daniel Compton, Information Security Consultant at 7Safe, took the audience through a demonstration of the common risks he sees while carrying out penetration tests for clients. This covered two main areas: “client side attacks” and “pivot attacks”. The demonstrations were all based on fully patched Windows operating systems with anti-virus protection, firewall protection and the latest patches for third-party products. Once the client victim computer had been exploited from the Internet, Daniel demonstrated how it was possible to pivot deep into the internal corporate network and extract passwords and credit card data.
This video shows a highly effective attack vector for SCADA/ICS systems, because it allows initial "enterprise" network access that bypasses the corporate security appliances used to protect the "inside" networks from the Internet. Once initial access has been gained, additional techniques use "inside credentials" to extend that access, making it very difficult to identify with commonly used security controls.
The steps of the attack include:
- Leverage a vulnerability in a client-side application that is often left unpatched, for example by sending a PDF document embedded with a payload that can easily be generated using the Metasploit Framework exploit "fileformat/adobe_utilprintf" with the Meterpreter payload.
- The payload creates a new outbound connection to the attacker's server over an allowed port; because the perimeter firewall is stateful, all inbound traffic on that established session is therefore allowed. Initial host is owned!
- Grab local user credentials and perform network enumeration.
- Using the local credentials, gain access to additional network node(s), such as a print server. Second host is owned!
- Grab new credentials from the current sessions on that host and perform additional network enumeration.
- Search for the Domain Controller, which is often also used as a DNS and/or WINS server, and "pass-the-hash" with the captured credentials to own the server and extract domain users' credentials, resulting in complete network compromise.
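Each stage of the chain above leaves telemetry on the inside that the perimeter appliance never sees. The following Python script is an added, defender-side illustration and is not code from the talk or from 7Safe: it correlates a handful of constructed, simplified event records (modelled loosely on Sysmon network-connection events and Windows Security 4624 logon events, with illustrative field names) to surface the three observable stages: a document viewer holding an outbound session to a non-internal address (the payload callback), NTLM network logons arriving at a domain controller (a pass-the-hash candidate), and one account authenticating to several hosts within a short window (lateral movement). The host names, the domain-controller inventory, the viewer list, the internal address ranges and the time window are all assumptions to be tuned per environment.

```python
"""Defender-side correlation over constructed Windows/Sysmon-style events.

Added example, not code from the talk. Event shapes are simplified assumptions
loosely modelled on Sysmon Event ID 3 (network connection) and Windows
Security Event ID 4624 (logon); field names are illustrative only.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
import ntpath

# Assumed (hypothetical) asset inventory: which hosts are domain controllers.
DOMAIN_CONTROLLERS = {"DC01"}

# Document viewers that should not normally hold outbound sessions to
# arbitrary Internet hosts (assumption; tune to the environment).
DOCUMENT_VIEWERS = {"acrord32.exe", "winword.exe", "excel.exe"}

# Assumed internal ranges; anything else is treated as "outside".
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample events (t = seconds since start), not real telemetry.
EVENTS = [
    {"t": 0,   "host": "WS01",    "type": "net_connect",
     "image": r"C:\Program Files\Adobe\Reader\AcroRd32.exe",
     "dst_ip": "203.0.113.10", "dst_port": 443},
    {"t": 60,  "host": "WS01",    "type": "logon", "logon_type": 2,
     "auth": "Negotiate", "user": "alice", "src_ip": "-"},
    {"t": 180, "host": "PRINT01", "type": "logon", "logon_type": 3,
     "auth": "NTLM", "user": "alice", "src_ip": "10.0.0.5"},
    {"t": 300, "host": "FILE01",  "type": "logon", "logon_type": 3,
     "auth": "NTLM", "user": "svc_backup", "src_ip": "10.0.0.20"},
    {"t": 420, "host": "DC01",    "type": "logon", "logon_type": 3,
     "auth": "NTLM", "user": "svc_backup", "src_ip": "10.0.0.20"},
    {"t": 480, "host": "WS02",    "type": "net_connect",
     "image": r"C:\Windows\System32\svchost.exe",
     "dst_ip": "10.0.0.1", "dst_port": 53},
]


def is_external(ip):
    """True when the address is outside every assumed internal range."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def viewer_callbacks(events):
    """Stage 1: a document viewer talking to a non-internal address."""
    hits = []
    for e in events:
        if e["type"] != "net_connect":
            continue
        exe = ntpath.basename(e["image"]).lower()   # handles Windows paths on any OS
        if exe in DOCUMENT_VIEWERS and is_external(e["dst_ip"]):
            hits.append((e["host"], exe, e["dst_ip"]))
    return hits


def ntlm_logons_to_dc(events):
    """Stage 3: NTLM network logons (type 3) landing on a domain controller."""
    return [(e["host"], e["user"], e["src_ip"]) for e in events
            if e["type"] == "logon" and e["host"] in DOMAIN_CONTROLLERS
            and e["logon_type"] == 3 and e["auth"] == "NTLM"]


def lateral_accounts(events, window=600):
    """Stage 2: one account reaching two or more hosts over the network
    within `window` seconds (interactive type-2 logons are ignored)."""
    by_user = defaultdict(list)
    for e in events:
        if e["type"] == "logon" and e["logon_type"] == 3:
            by_user[e["user"]].append((e["t"], e["host"]))
    findings = {}
    for user, logons in by_user.items():
        logons.sort()
        flagged = set()
        for i, (t0, _) in enumerate(logons):          # sliding window from each logon
            hosts = {h for t, h in logons[i:] if t - t0 <= window}
            if len(hosts) >= 2:
                flagged |= hosts
        if flagged:
            findings[user] = flagged
    return findings


def analyze(events):
    """Run all three checks and return the findings keyed by stage."""
    return {"viewer_callbacks": viewer_callbacks(events),
            "ntlm_to_dc": ntlm_logons_to_dc(events),
            "lateral": lateral_accounts(events)}


if __name__ == "__main__":
    for stage, result in analyze(EVENTS).items():
        print(f"{stage}: {result}")
```

Run on the constructed events, the script flags the reader process on WS01 calling out to 203.0.113.10, the account svc_backup reaching FILE01 and then DC01 within ten minutes, and the NTLM logon for that account at DC01. None of these heuristics is conclusive on its own: viewers do make legitimate outbound connections and service accounts do authenticate to many hosts, which is why the three checks are meant to be read together against an asset inventory rather than alerted on individually.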