So today I'll be writing about an obscure way I managed to get Domain Admin from a pretty strange attack chain.
It was back in the winter of 2016, and here in Minnesota that was probably the coldest winter I've experienced in a while (to the tune of -40 degree F wind chill). So there I was, working with our local news crew and fellow RedTeam members on trying to pick a client's exterior doors... Hands completely numb, shivering so hard I felt like I might as well have been dancing... Eventually we were defeated, but nevertheless we persisted in our efforts to attack their networks and business at their request, and to showcase our talents to the local media.
We had been foiled in the physical attacks; however, what was left was social engineering the employees in person... Believe it or not, SE can quite literally give you access to almost anything if you present a valid enough claim that you are with XYZ internet service provider completing a work order to perform maintenance due to connectivity issues.
To that end, after gaining the trust of the employees, all it took was a few minutes in their server room and installing a Raspberry Pi with Linux and a few tools from Kali with a reverse SSH connection that would phone home. Suddenly it was no longer an issue to try to phish the employees over the phone or through email attachments... We were in...
Soon after deploying the device I got to work. I started Nmap scripts, ran Responder, and started taking a look at Nmap's output as Responder slowly gathered hashed NTLM credentials via SMB or NBNS spoofing and responding. Well, it turns out we didn't need those credentials after all!
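As an added defender-side example (not code from the original post, and not a tool used on this engagement): one way a blue team catches the NBNS poisoning described above is to broadcast a name query for a canary host that must never resolve; any positive answer can only come from a poisoner such as Responder. The canary name, the TEST-NET address in the sample reply and the broadcast target are assumptions.

```python
import random
import socket
import struct

def encode_nbns_name(name: str, suffix: int = 0x00) -> bytes:
    """RFC 1002 first-level encoding: 15-char space-padded name + suffix byte,
    each byte split into two nibbles and mapped onto 'A'..'P'."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    enc = bytearray()
    for b in raw:
        enc += bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)])
    return b"\x20" + bytes(enc) + b"\x00"          # 34 bytes total

def build_canary_query(name: str, txid: int) -> bytes:
    """NBNS NAME QUERY REQUEST (broadcast, recursion desired) for the canary."""
    header = struct.pack("!HHHHHH", txid, 0x0110, 1, 0, 0, 0)
    return header + encode_nbns_name(name) + struct.pack("!HH", 0x0020, 0x0001)

def _skip_name(packet: bytes, off: int) -> int:
    while packet[off] != 0:
        off += 1 + packet[off]
    return off + 1

def parse_poisoned_reply(packet: bytes, expected_txid: int) -> list:
    """Return the IPs claimed in a positive NB answer to our query, else []."""
    if len(packet) < 12:
        return []
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", packet[:12])
    if txid != expected_txid or not flags & 0x8000 or flags & 0x000F or an == 0:
        return []                                   # wrong id, not a response, or RCODE != 0
    off = 12
    for _ in range(qd):                             # questions are normally echoed as 0
        off = _skip_name(packet, off) + 4
    ips = []
    for _ in range(an):
        off = _skip_name(packet, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        off += 10
        rdata, off = packet[off:off + rdlen], off + rdlen
        if rtype == 0x0020:                          # NB record: 2-byte flags + 4-byte IP, repeated
            ips += [socket.inet_ntoa(rdata[i + 2:i + 6]) for i in range(0, rdlen, 6)]
    return ips

# Constructed sample (assumption): a poisoner's positive answer for the canary, claiming 192.0.2.10.
SAMPLE_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8500, 0, 1, 0, 0) + encode_nbns_name("NOSUCHHOST")
                + struct.pack("!HHIH", 0x0020, 1, 165, 6) + b"\x00\x00" + socket.inet_aton("192.0.2.10"))

def probe(canary: str = "NOSUCHHOST", bcast: str = "255.255.255.255", timeout: float = 2.0) -> list:
    """Broadcast the canary query; return [(responder_ip, claimed_ips)] for every positive answer."""
    txid = random.randrange(0x10000)
    hits = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.settimeout(timeout)
        s.sendto(build_canary_query(canary, txid), (bcast, 137))
        try:
            while True:
                data, (src, _) = s.recvfrom(1024)
                claimed = parse_poisoned_reply(data, txid)
                if claimed:
                    hits.append((src, claimed))     # a legitimate network never answers for the canary
        except socket.timeout:
            pass
    return hits
```

Run `probe()` from a host on the segment being watched; an empty list is the expected healthy result.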
Stay tuned for Part 2! The next section will go over how a single printer gave us the "Keys to the Kingdom", for lack of better terminology beyond getting Domain Admin.