Assume that little Bobby asked for help to old uncle Google, found the above mentioned tutorials along with some videos and successfully broke-out of the environment while circumventing Windows GPO/SRP and other security mechanism getting a command prompt or even an unrestricted RDP session onto the box.
He now feels good, is excited, and wants the Client to know that in about half an hour he broke-out of the environment. Bobby then calls who paid two or more days of assessment to let him know that he is done already with the initial work and asks for permission to go further with the test to demonstrate how dangerous a malicious attacker could be in such a scenario. The Client agrees.. in the end he's paid for the rest of the man days and wants to make the best usage out of them by finding the flaws within his whole network.
What is next?
Little Bobby knows about the beauties of Windows' net command and put it to great use. He enumerates machines within the Windows domain, identifies the primary domain controller (PDC), list local and domain users from the PDC/BDC, etc.. all in all gather as much information as possible about the owned system and its network perimeter.
He can also upload his own tools easily by mapping his local shared hard-drive via Citrix XenApp (the new Citrix ICA client for Windows) onto the target Citrix environment, by copy 'n paste and debug.exe trick, via muudecode/uuencode, or whatever working technique, depending how hardened Citrix is.
First goal now is to escalate privileges to a highly privileged local user like Administrator or LOCAL SYSTEM assuming that the user is not within the Administrators group already. There exist several techniques to do so. Once done it is game over, you own that system completely.
What about logging onto other systems?
Surely little Bobby won't stop here. He wants to own all the servers within the network perimeter, above all the PDC and other infrastructure critical servers, like database servers.
He dumps user's password hashes (Security Accounts Manager), LSA secrets, passwords cache, protected storage, reversible encryption storage, passwords history and current logon sessions tokens. PWDumpX and Cain&Abel are handy tools along with the others linked.
Now he has collected credentials of many other users: either plain-text or NTLM credentials for all local users, users who logged onto the box since last reboot, users logged in at the very same time, and users used to start services.
Hopefully among these credentials, little Bobby has got the hash of a domain user. If he gets very lucky, it will be a domain administrator. Again, net is your friend to check so.
Now Bobby resurrect the list of enumerated hosts, tries to discover more hosts on the network perimeter via ping sweep, ARP scan and network traffic sniffing with a bunch of uploaded tools. He now has a huge list of hosts to own. On top of the list there are the domain controllers and eventually the database servers!
At this point he has a list of hosts in one text file and a single file collecting the above dumped hashes (output of PWDumpX et all).
Own the LAN: the common way
Little Bobby could crack the dumped password hashes and try to login over SMB or RDP with the cracked plain-text credentials onto the other systems, one by one. To login and execute commands over SMB onto another system he could upload to the Citrix box and run a single executable file, PsExec.
Another tool can be handy, smbshell, a pre-compiled NASL script, but it requires the nasl interpreter and a bunch of other Nessus libraries to run, not very convenient in the above scenario. Nevertheless, an advantage over PsExec is that it accepts also the NTLM hash of the password, so there is no need to crack the password to login over SMB. Like PsExec, it can be used to login onto one system at a time.
Isn't there anything quicker to check usefulness of dumped hashes?
Own the LAN: the quickest way
Our lazy little Bobby heard about a new open source multi-threaded tool called keimpx developed in Python that can be used to quickly check for the usefulness of credentials across a network over SMB. Credentials can be:
- Combination of user / plain-text password.
- Combination of user / NTLM hash.
- Combination of user / NTLM logon session token.
- Navigate through the available shares: list, upload, download files, create, remove files, etc.
- Deploy and undeploy his own service (for instance, a backdoor listening on a TCP port for incoming connections).
- List users' details and domains.
- Read/write/delete registry keys (soon).
- Spawn an interactive command prompt like PsExec can do (soon).
keimpx is a work in progress tool and feedback is more than welcome!
Remember that:
- Many users share the same password across multiple machines, this might include also Administrator, in such a case you are local administrator on most, if not all, the systems of the network perimeter.
- You might have been lucky enough to dump also a domain administrator password hash (for instance, via LSA secrets dump, Pass-the-Hash's whosthere.exe or incognito) so you totally own the domain and can login on all systems of the network with the highest global privileged user.
Own the LAN: the hardcore way
If no dumped credentials worked on any other system then Bobby needs to get his hands dirty.
If the Citrix environment has direct access to the Internet he could initiate an out-of-band connection with his own local system to pivot traffic from the local system to the Citrix machine network perimiter. This can be achieved, for instance, via Metasploit's Meterpreter. From this point on he can launch any Metasploit module against others boxes to portscan them, perform a vulnerability assessment or exploit security flaws.
Elsewhere, if the Citrix environment has not direct access to the Internet, Bobby can upload a port scanner and his suite of exploits to scan and own them all.
