November 01, 2013

SNMP? How can this be?

Written by Paul Koblitz
Categories: Penetration Testing, Security Testing & Analysis
Have you ever had one of those internal penetration tests where everything you do either gets picked up by the company's alarming or you get shut down with everything you try? You're dealing with very stringent policies for password lockouts, no open ports on anything that is not necessary, fully patched servers and workstations: the list goes on and on. You know, the kind of penetration test where you typically don't run a Nessus scan, but because there is nothing else, you want to make sure you didn't miss something crazy. You're contemplating walking into the security office with a pouty face, hanging your head in shame, and telling them, "We can't find anything..."

I've been there. I had exhausted every method I knew. I pinged every member of our team for ideas and tried their every suggestion. I spent countless hours scouring Google for anything that might help, and I kept coming up empty-handed. There wasn't anything out there that was getting me any closer to getting into this company.

Fast forward to day 4 of our 5-day engagement. The gloating had started. The CSO was taunting us. He would come into our quaint corner office on the 20th floor, with this smug look on his face: "No domain admin yet? Do you want any hints or help?" What could we be missing? Where is it? "No, I do not want help." He could see the frustration on my face, though. He knew I was close to admitting failure, and I was. I had already determined that if I didn't find anything by the end of that day, I would ask for help. Any hint at all, so that we could write a report that had at least one "finding." I spent the remaining hours of that day keeping myself occupied looking through long shots. I had resigned myself to the fact that I was going to ask for help. We, as a PenTest company, were... defeated.

Then it happened. I found the needle in the hay silo! The company had just bought some new network document centers. Fancy ones. Color printing, scanning, faxing, emailing capabilities, document storage for easy printing, all of the bells and whistles that a company could ever want. The documents that were stored on the device were useless to us: network behavior policies, privacy policies, blank W-4 forms, mostly just miscellaneous HR documents that got printed often.

I had downloaded an SNMP MIB browser and I was going line-for-line through the 47,000 lines of information. It was incredibly tedious and my eyes were starting to go cross. I was about ready to go ask for that help, but wait! What's this?! The printer manufacturing company was nice enough to provide, right at line 28,734, a clear-text username. Guess what was right below it, at line 28,735? A clear-text password. I thought to myself, "There's no way that these can be valid on their network. These have to be printer credentials, right?" I did not have high hopes for this username and password at all. They seemed, well, odd I guess is the best word for them. I decided that I would try it, just to rule out another roadblock.

I loaded up good old Metasploit, put in the smb_login module, entered in my newly found credentials, and ran it against the IP range that I knew contained workstations. I locked my computer and went for a quick break. The whole time I was gone, I kept thinking about how awesome it would be if these credentials actually worked. I would have finally found something, something that could lead to a lot more. I finished my little break, came back and unlocked my computer, and what I found was glorious!

[Screenshot: smb_login output showing successful logins]

My screen was completely full of these! Hundreds of them! I tried logging into each of the servers on the list, but it was a false login. It accepted the credentials, but then it displayed a message saying that the user did not have sufficient rights to do anything on that server and logged me back off.

That's when I noticed that the workstation sitting right next to me had a pretty little label on it. That label had one of the IP addresses that was on my screen. I grabbed the keyboard and logged in. Finally, I was getting somewhere. Moments later, the CSO comes strutting in, grinning, and asks if I want that help yet. I refused and told him I had an idea that I would like to try first thing in the morning. If that didn't work, then I would take his help. He chuckled and told me to have a good night.

The next morning, I connected right up to that computer and almost immediately got a local admin account and password. A couple of escalations and add_group_user later, and we had the coveted TrustedSec Domain Admins account created. I would have expected that with their strict password lockout rules, they would have been notified immediately about an add to the Domain Admins group, but that rule had a 24-hour notification that had just run 90 minutes before that. It was fun poking around in their network after that.

The best part was when I found their PCI data and was taking a screenshot of it right as the CSO was walking in with that same look on his face. He tauntingly asked me again if I wanted that help. I told him that I thought I had found something, and as he walked around to my computer to see what I was talking about, the look on both of our faces reversed. Mine went from the somber, melancholy, straight-faced look to an evil grin. His from his smug grin to mouth wide open in disbelief. "Is tha.. It can't... How di.. How did you get there?" I told him that the idea I had last night turned out to be a pretty good one.

Pentest Team 1 - Super-secure Company 0

Needless to say, we had a very thankful client for all of the hard work we put into the engagement. This was one of the tightest networks I have seen, yet one tiny little missed piece of the puzzle blew up to be a giant gaping hole in their network. Some people say I got lucky that day; I choose to think of it as being completely thorough.

This blog post was posted by Paul Koblitz, Staff Security Consultant at TrustedSec.