Thursday, July 29, 2010

Major Oil Company Data Leaked By Service Provider at Black Hat USA 2010 Conference

At the recent Black Hat USA 2010 security conference, a well-known Washington DC area security service provider accidentally leaked a sensitive penetration test report for a major US-based oil company containing enough sensitive information to gain Windows domain administrator access rights as well as the username and password for everyone in the target company's domain. According to the detailed, 39-page report, these access rights included the ability to access servers containing SCADA system information. The report was not encrypted or password-protected in any way. Anyone with access to the leaked document and a copy of Microsoft Word could read the report in full.

The file was inadvertently distributed on USB keys provided to some attendees.

I guess the lesson here is that, as a service provider, you must take absolutely every precaution to safeguard customer data.

As a purchaser of pentest services, you should make sure that you contractually require your pentest vendor to take any necessary precautions to safeguard whatever reports and data they might retain. If you need boilerplate terms and services contract language, please contact me via email or as @sharpesecurity on Twitter. If there is enough demand, I may post the sample contract language online for download.

Essentially the process used was fairly standard for an insider-threat-type pentest:
1). gain access to an internal Windows client
2). stop the client's AV
3). identify candidate local admin accounts on that client to compromise
4). use fgdump to extract the password hashes from those accounts
5). use rcrack to convert those hashes to cleartext passwords
6). identify which of those accounts get used on all windows client builds
7). NET VIEW to get a list of usernames and machines in target domain
8). NET GROUP "domain admins" /domain to get list of candidate domain admins
9). Use results of steps 7 and 8 to pivot to client machines of domain admin. Steps below show how.
10). attack a domain admin's client machines using the Metasploit Framework’s incognito token impersonation utility to obtain access to that domain admin's privilege level.
11). access the domain admin's client machine with local admin privileges over the admin$ pipe to upload the Metasploit Meterpreter. This allowed full control over the client machine, with local admin privileges as one of the shared local admin accounts taken in steps 3-5. The psexec module in Metasploit was used to conduct the attack. This allowed a binary to be uploaded inside of a process and reside in memory for the duration of the attack.
12). use the Metasploit incognito commands to list out available tokens to impersonate. Impersonate the target domain admin user and create a new account in the “domain admins” group to demonstrate the successful compromise of the target Windows domain.
13). dump every username and password hash on the domain controller using “fgdump.exe” for later offline cracking using rcrack
14). This should be enough to access any machine or data in the domain.
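From the defender's side, steps 11 and 12 above leave a recognisable trail in the Windows event logs: an ADMIN$ share access (event 5140) followed within seconds by a service install (event 7045) on the same host is the psexec pattern, and a freshly created account (event 4720) landing in Domain Admins (event 4728) is the proof-of-compromise step. The detector below is an added example, not part of the post or the leaked report; it assumes the events have been exported as one flattened key=value line per record, and the log lines and the service allowlist are constructed for the demo.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log (not from the leaked report): one flattened Windows
# event per line, "ts=... host=... EventID=... key=value ...".
SAMPLE_LOG = r"""
ts=2010-07-20T10:01:02 host=WKS-017 EventID=5140 Account=CORP\svc_helpdesk ShareName=\\*\ADMIN$ Source=10.0.5.23
ts=2010-07-20T10:01:03 host=WKS-017 EventID=7045 ServiceName=XxKqpLmz ImagePath=%SystemRoot%\XxKqpLmz.exe
ts=2010-07-20T10:04:10 host=DC01 EventID=4720 Account=CORP\jsmith TargetAccount=pentest2
ts=2010-07-20T10:04:11 host=DC01 EventID=4728 Account=CORP\jsmith Member=pentest2 Group=Domain Admins
ts=2010-07-20T11:00:00 host=DC01 EventID=4728 Account=CORP\hradmin Member=newhire Group=Staff
ts=2010-07-20T12:30:00 host=WKS-042 EventID=7045 ServiceName=BackupAgent ImagePath=C:\Program Files\Backup\agent.exe
"""

KV_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")   # value runs until the next " key="
WINDOW = timedelta(seconds=30)                  # pairing window for related events
KNOWN_SERVICES = {"BackupAgent"}                # assumed allowlist of expected installs


def parse(line):
    rec = dict(KV_RE.findall(line))
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def within(later, earlier):
    return 0 <= (later["ts"] - earlier["ts"]).total_seconds() <= WINDOW.total_seconds()


def detect(log_text):
    """Return (alert, host, subject) tuples for the psexec and Domain Admins steps."""
    events = [parse(l) for l in log_text.strip().splitlines()]
    alerts = []
    for i, e in enumerate(events):
        # Step 11: unknown service installed shortly after ADMIN$ was opened on the same host.
        if e["EventID"] == "7045" and e["ServiceName"] not in KNOWN_SERVICES:
            if any(p["EventID"] == "5140" and p["host"] == e["host"]
                   and p["ShareName"].endswith("ADMIN$") and within(e, p) for p in events[:i]):
                alerts.append(("remote-service-exec", e["host"], e["ServiceName"]))
        # Step 12: any Domain Admins membership change; escalate when the member was just created.
        if e["EventID"] == "4728" and e["Group"] == "Domain Admins":
            fresh = any(p["EventID"] == "4720" and p.get("TargetAccount") == e["Member"]
                        and within(e, p) for p in events[:i])
            kind = "new-account-to-domain-admins" if fresh else "domain-admins-change"
            alerts.append((kind, e["host"], e["Member"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Event 5140 only appears when object-access auditing for file shares is enabled, so the 7045 rule alone still fires on the unexplained service name if that audit policy is off.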

email: david @


  1. Mountain. Molehill. meh. Once you allow for access to a Windows host on the network, it's all over anyway. Setting aside the document release, the specific details shouldn't be a surprise to anyone. It's not what's in it, it's that it got out at all. Our SOP in my shop is all data goes into encrypted objects and never sits in a clear state. Clients get paper and an encrypted disk. If our stuff shows up in clear, it didn't come from us.

  2. Your process sounds exactly right and I would expect it to be in accordance with the terms and conditions set out in all standard contract language.