Pentesting Restrictive Environments – Part 2

Putting it all together

Note: This blog is part 1/2 of Pentesting Restrictive Environments. I highly recommend reading part 1 if you have not! All of the equipment (and context) mentioned below is outlined in the first blog.

After getting all of my Amazon packages, I flashed Kali Linux onto the MicroSD card and plugged it into the ODROID-C2. After getting the OS configured on the ODROID-C2, I plugged in the wireless dongle and connected it to the ZyXEL Wireless Travel Router. Now that the ODROID-C2 is connected to the ZyXel wireless router, you’re ready for the next step. First disconnect your victim workstation from the corporate network and use a wireless dongle to connect them to your network-in-a-backpack (AKA: PacLan).

You can now test any technique you want to escalate or infect the system without setting off any alarms. Without access to the corporate network, the Windows host cannot call out and alert anyone of you activities (until you reconnect it to the corporate network). Using this tactic I was able to effectively choose when to be moved to a clean operating system. Once I was moved I would know exactly how to execute an undetected payload, therefore I’d be able to start testing the network as usual from the ODROID-C2. To make this a bit more clear, here’s a diagram:

 

Figure 1: PacLan Network Topology

This setup also allows an easy way exfiltrate data. The environment blocked mass storage but that doesn’t matter if you are able exfiltrating data to an SMB server. Data being copied to a network share over SMB is a perfectly valid operation, so it is less likely to throw red flags in this environment.

I was not able to run portable putty like I originally intended and had to use an SSH client from my smartphone to control the ODROID-C2. I could get the putty binary copied to the Windows host using my SMB server running on the ODROID-C2 but I could not run it due to application whitelisting. My hope was that I would be able to run putty on the workstation and use that to SSH into my ODROID-C2 Kali and then infect myself with a metepreter/empire agent on the workstation.

Since alerts were effectively disabled, I could keep experimenting with payloads until one finally worked. At this point I’d get myself caught and moved to a clean PC where I would infect myself with the undetected payload. I was finally able to bypass the powershell.exe GPO restriction and execute arbitrary PS1 files using an application whitelisting bypass. I tested reverse and bind shells but each time a log file was generated proclaiming the user did not have permission to bind to the requested ports. Unfortunately, I was not able to copy the exact error message because the client came over and ended the engagement before I could copy my research to the SMB server, so that’s all for today!

 

FAQ

Question: How long were you able to run this setup?

Answer: The rig ran for ~35 hours (yes you read that correctly) before finally exhausting all the power in the Crave PowerPack. I was actively using the ODROID-C2 for roughly 8 hours.

Question: Did this setup get very hot in your backpack?

Answer: It got a bit warm but it never got hot enough that I was concerned.

Question: How did you disable the corporate network if you didn’t have access to the network settings?

Answer: I unplugged the Ethernet from the back of the desktop.
 

Question: Why did you use an ODROID-C2 instead of a Raspberry PI?

Answer: I chose the ODROID-C2 because the Raspberry PI (the original one) that I had laying around did not run Kali very well. It was very laggy on the command line and I couldn’t run Metasploit as the PI didn’t have sufficient memory.

Question: Why not just hardwire the ODROID-C2 into the ZyXEL Wireless Travel Router?

Answer: I tried this originally but for some reason DHCP was not assigning the ODROID-C2 an IP address. I spent about 10 minutes looking at it before grabbing an extra wireless dongle I had laying around.

Question: Why not use a BashBunny? It can replace this entire setup.

Answer: Yes it can. I purchased one of those and brought it just in case. Sadly the restrictive GPO didn’t allow me to configure network settings so I could not give it a proper IP. As application whitelisting was in place in the environment I would not be able to make any sort of SSH or Serial connections to the BashBunny.