Purple Team War Stories — №3

Hacking and defending a hospital, part one

Chapter8
13 min read · Aug 13, 2021


Photo by Piron Guillaume on Unsplash

Wow, dear readers. It took us a while to come up with another war story, because we were so busy! Because this Assignment was quite intensive, we have split the tale into several parts.

This Assignment was a Mission that took us to an industry that has been — and still is — under enormous pressure: healthcare. Needless to say that this Mission needed to be as non-invasive as possible. Although we are used to working in high pressure environments, there was extra pressure on the non-intrusiveness this time. No penetration testing waiver in the world covers for putting people’s health at risk.

But we are used to moving stealthy and not breaking things, so we picked up the glove. No crown jewels were explicitly mentioned for this Mission. “Just see how far you can come”, we were told.

Did that CISO just smirk?

Okay.

Disclaimer

At Chapter8, many of our Missions take place at the highest levels of the Dutch digital security industry, dealing with confidential information. That is why we are very careful about presenting client-related information. Being fictional in context, but true in tech, our war stories are a way to get the technical gist of a train-as-they-fight Purple Team mission across and contribute to your security mentality.

But, what is a Purple Team Mission again?

Security testing usually involves an outside-in penetration test after which a list of vulnerabilities is presented to the client as a ‘to-do-list’. When done like this, the security benefits for the client will only be visible after the recommendations have been adopted. In a medium-sized company, this process could take months.

You don’t have the luxury of postponing security benefits for months.

A Purple Team Mission starts from within the network (Assume Breach) and does not solely focus on red teaming. It brings together the expertise of hackers (Red team) and hunters (Blue team) in one ‘Squadron’ led by a healer (White team), cooperating with the client during the Mission. This close-knit team works in a way that results in mutual improvement.

Now, visible security benefits will take days, if not real-time.

Day 1 — Setting up shop

By now, dear reader of our war stories, you know that every Mission starts with extensive reconnaissance and personal contact with the parties involved.

Hunter got himself familiar with the hospital’s ‘blue team’, which was outsourced to a managed security service provider (MSSP). Although he came to the online call in peace, he was not greeted with much enthusiasm. As it turned out, the hospital’s CISO had not informed his security suppliers about the purple aspect of the Mission. So the MSSP expected “just another red team exercise” and was not prepared to have to work together. Later, we learned that this omission was on purpose: an ominous sign of how the relations between CISO and supplier were at the time. And to be honest, it is pretty challenging for an MSSP with many clients to focus attention on one and at the same time accept a third party taking a peek into their kitchen.

Hacker started his Mission by connecting to the public Wi-Fi from outside the building: the obvious starting point, since we were in a (semi)public place. The Wi-Fi was set up pretty well, using a captive portal to prevent unauthorized internet access, and client isolation. The client isolation prevented Hacker from using his standard attacks to gain credentials. Bonus points for the hospital there. However, keep in mind that some Wi-Fi setups do not enforce client isolation while client devices are connected but not yet authenticated with the portal! This still leaves a (small) window of opportunity for attackers to attack these devices.

Wi-Fi sniffing revealed the presence of some hidden Wi-Fi networks. But Hacker quickly found out their names. (NOTE: we’ll write the more technical parts of the war story with slightly different formatting from now on, so you can easily choose to skip these parts)

Sniffing the 2.4 GHz band with bettercap revealed the presence of hidden Wi-Fi networks. These networks do not include their network names (or ESSIDs) in their beacon frames, so they will not show up by default if you scan for Wi-Fi networks from your phone or device. A client that wishes to connect to a hidden Wi-Fi network must know the ESSID to send a successful association request frame. And this is where the attack vector lies. For one, you could just keep sniffing the wireless traffic until a client wants to connect to the hidden access point. If the ESSID in the association request frame is correct, the network will respond with an association response frame containing an acceptance and confirmation of the ESSID. Since these frames are unencrypted, analyzing a successful association request will reveal the hidden network’s name.

But why wait? If the hidden network has at least one client connected to it, we can perform a de-authentication attack: forcing the client to disconnect from the wireless network forces the (re)association process between client and Wi-Fi network. And these packets will — again — contain the ESSID.

As a bonus, we can capture the authentication packets themselves: these are called the WPA 4-way handshake and any attacker within reach of the Wi-Fi network can get their dirty hands on them.

So within minutes he had the ESSID name: {{HIDDEN WI-FI A}} and the authentication packets. Remember our previous war story about long, but dumb passwords? We developed a special hashcat rule for these and lo and behold: within an hour we also cracked the password using this rule and a smart wordlist based on, well, what the client is and does.

Hacker connected to the hidden Wi-Fi and found a network printer.

With a default password.

Photo by Caleb Woods on Unsplash

Healer’s sigh could probably be heard halfway around the world, when he found out about the printer with the default password. Many Missions share the same characteristics, because many ICT infrastructures share the same basic problems. And again, network equipment was installed out of the box, plugged in and forgotten, leading to one of the most widely used stepping stones for attackers. Essentially easy to prevent, pretty pesky to remediate after the fact and hard as hell for Hunters to detect abuse on.

So, day one already provided Healer with ammunition to talk to CISO about three points:

  1. Implementing some more serious and up-to-date Wi-Fi hardware, which could spot and prevent these kinds of attacks — by enabling the 802.11w standard for Protected Management Frames, for example.
  2. Hiding an access point’s ESSID does not equal security. Although security by obscurity has its place and time, this is not it.
  3. Passwords should be strong AND smart. More on this further on!

On with the story, then, since the printer had an LDAP connection page to look up domain users. Pretty handy. Especially if one can change the LDAP server the printer authenticates against to, let’s say, Hacker’s loadout. Since LDAP is a cleartext protocol, it takes only seconds to capture the printer’s service account credentials. Alas for Hacker, the captured account does not seem to be allowed interactive logon via Remote Desktop Protocol — kudos for the administrators! We oftentimes see service accounts during our Missions that ARE allowed to use these logon types.

Using the service account’s credentials, Hacker requests a list of all domain users, groups and computers from the domain controller and maps his access to network shares in the network. This could be done by using scripts like smbclient.py from the Impacket stack, but where’s the fun in that! Those scripts are oftentimes detected by an MSSP, because they are so widely used and therefore often already fingerprinted. It’s much more challenging for the blue team if Hacker uses some ‘living off the land’-techniques. These are much harder — although not impossible — to detect. Custom use cases you need there, young Skywalker.

Alas, the file shares do not contain anything useful.

But, wait. It seems this Wi-Fi network does not have client isolation. Because it’s hidden and trusted, right? Let’s fire up our trusted LLMNR attack, because that seems to work almost every time.

Oh boy.

It appears that many hospital staff are using this Wi-Fi with their personal devices.

Luckily the hospital’s MSSP logs a lot. Hunter especially likes to delve into failed RDP logins. Combining these with a list of Active Directory service accounts makes for a good hunting strategy, because service accounts are attractive targets for hackers, not least because service accounts seldom have their password changed.

There is a solution for this: Group Managed Service Accounts (GMSAs) provide more security because the password is managed by AD and automatically changed.
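The hunting strategy described above, as an added example (this is not Chapter8’s or the MSSP’s tooling): failed logon events are joined with a list of service accounts, filtered to RDP logon type 10, and grouped per source address. The event lines are constructed in a simplified flat format rather than real Windows event XML, and the account names and addresses are made up. One detail worth surfacing is NTSTATUS 0xC000015B (logon type not granted): that failure means the password was accepted and only the RDP logon right was missing, so the attacker already holds valid credentials, exactly the situation the printer’s service account ended up in.

```python
"""Hunt for failed RDP logons against AD service accounts.

Added example, not Chapter8's tooling. Sample events are constructed
inline (Event ID 4625 = failed logon, LogonType 10 = RemoteInteractive/RDP).
"""
import re
from collections import defaultdict

# Constructed sample records, one per line. Hosts and addresses are made up.
SAMPLE_EVENTS = """\
2021-08-13T08:01:12 EventID=4625 TargetUserName=svc_printer LogonType=10 IpAddress=10.20.30.40 Status=0xC000006D
2021-08-13T08:01:15 EventID=4625 TargetUserName=svc_printer LogonType=10 IpAddress=10.20.30.40 Status=0xC000015B
2021-08-13T08:02:03 EventID=4625 TargetUserName=j.doe LogonType=10 IpAddress=10.20.30.77 Status=0xC000006A
2021-08-13T08:03:44 EventID=4625 TargetUserName=svc_backup LogonType=3 IpAddress=10.20.30.40 Status=0xC000006D
2021-08-13T08:04:01 EventID=4624 TargetUserName=svc_printer LogonType=10 IpAddress=10.20.30.40 Status=0x0
2021-08-13T08:05:09 EventID=4625 TargetUserName=svc_sql LogonType=10 IpAddress=10.20.30.40 Status=0xC000015B
"""

# Constructed list of service accounts; in practice this is an export from AD.
SERVICE_ACCOUNTS = {"svc_printer", "svc_backup", "svc_sql"}

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Split a flat 'timestamp key=value ...' record into a dict."""
    ts, _, rest = line.partition(" ")
    fields = dict(FIELD_RE.findall(rest))
    fields["Timestamp"] = ts
    return fields


def hunt_failed_rdp_service_logons(raw_events, service_accounts):
    """Return {source_ip: [(timestamp, account, status), ...]} for failed
    RDP logons (4625 with LogonType 10) against service accounts."""
    hits = defaultdict(list)
    for line in raw_events.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.get("EventID") != "4625" or ev.get("LogonType") != "10":
            continue
        if ev.get("TargetUserName", "").lower() not in service_accounts:
            continue
        hits[ev["IpAddress"]].append(
            (ev["Timestamp"], ev["TargetUserName"], ev["Status"]))
    return dict(hits)


def suspicious_sources(hits, threshold=2):
    """Source addresses with at least `threshold` failed service-account RDP logons."""
    return {ip: len(evts) for ip, evts in hits.items() if len(evts) >= threshold}


def valid_creds_denied_by_policy(hits):
    """Accounts that failed with 0xC000015B (logon type not granted): the
    password was right, only the interactive logon right was missing."""
    return sorted({acct for evts in hits.values()
                   for _, acct, status in evts if status == "0xC000015B"})


if __name__ == "__main__":
    found = hunt_failed_rdp_service_logons(SAMPLE_EVENTS, SERVICE_ACCOUNTS)
    print("sources:", suspicious_sources(found))
    print("accounts with valid but policy-denied creds:",
          valid_creds_denied_by_policy(found))
```

On the sample, the single source 10.20.30.40 accounts for all three hits, and both svc_printer and svc_sql show the "logon type not granted" status, which is the cue to rotate those passwords rather than merely block the address.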

So, our hacker was spotted again by the Blue Team, giving away his position in the network and his level of access. This led to much rejoicing. Slowly the ice between them thawed.

Photo by Erol Ahmed on Unsplash

Hospital personnel — any personnel — have an implicit right to internet access provided by their employer these days. Healer had seen different times, when internet access from the workspace was still considered a special privilege. Those days are long gone, gramps. But there is a difference between internet access for office services and internet access for TikTok. Separating the former from the latter in a production network is sadly still not commonplace, and BYOD is a rampant risk these days.

Healer spoke to the CISO, asking his point of view on employees spreading infections they got at home to the hospital’s workplace. “Not a good idea, we have very strict procedures for sick employees not coming into work”. Upon this statement, Healer said that BYOD on a production network is generally considered a Bad Idea[tm], for the very same reason. Eureka. The case for Wi-Fi client isolation on the ‘trusted Wi-Fi’ and segmentation between employee internet and production was crystal clear and added to the list of recommendations.

While CISO was discussing these changes and planning a roadmap with his team, Hacker forced the re-authentication of some wireless devices, and because he chose a rather noisy combination of ntlmrelayx and Man-in-the-Middle, those devices reconnected to domain services like network shares and remote desktop sessions. Hacker got some extra domain account hashes. On top of that he caught clear text credentials for — at this point unknown — internal services.

Of course, some of the passwords were simple enough to crack within minutes. And because the hospital uses the Microsoft365 suite without multi-factor authentication, Hacker now had access to some employee mailboxes. Not interesting for now, but maybe a crucial pivot point for the attack or exfiltration plans later?

Both Pass-the-Hash and the credentials themselves seem to work on the domain controllers, but only show default file shares like NETLOGON and SYSVOL. Now, where are those file servers?

Meanwhile, cracking of the other (hidden) Wi-Fi WPA handshakes is taking forever…

The noisy actions of Hacker stood out as an anomaly and because they came from the same IP-address as the earlier service account RDP logon attempts, Hunter and the MSSP kicked Hacker’s device off the wireless network — and they were caught smiling while doing it. This was quickly turning into a King of the Hill!

Blocking an attacker on IP and MAC level is of course a half-hearted countermeasure, because changing both is trivial. A possibly unwanted side effect is that the attacker knows he has been seen. Fine for a Purple Team Mission, but not so much in a real-life crisis situation. Advanced attackers will dive deeper if they feel they are being watched, possibly to depths that make them almost impossible to find again. So, depending on the perceived level of sophistication of an attacker, it might all too well be the best choice to completely burn a network to the ground and build it all again from scratch, to make sure Elvis has really, really left the building.

Imagine that in a hospital environment. #nightmare

Ah yes, passwords. We have a mantra about them. “They may look strong, but they might be dumb”. During our Assignments, we encounter many passwords that look strong at first sight, but are based on predictable human behavior. The consequence is that although a password is not crackable with a brute force attack, it is guessable by applying a mix of several rules and smarty-pants tricks.

For example: what is the most often used “special character” and where do people put it?

Indeed, the exclamation mark ! — at the end of the password. The same goes for so-called leet speak. Although it is perfectly fine to use it, using it consistently in a password makes that password weaker rather than stronger.

Consider the following passwords: Wir3l3ss2020! and W!r3le$s!2020. Both are considered unbreakable by brute force and wordlists won’t help (much) because of the leet speak. They are strong passwords.

But — making the leet speak consistent (all e’s become 3's), adding the year (2020) and the infamous exclamation-mark-at-the-end makes the first password dumb and the second one smart(er). At Chapter8, we will figure out the first one, but we’ll have more problems guessing the second one.

But, don’t take our word for it. Read this excellent post by NCSC-UK — quite an organization with a deep knowledge of security, since they are directly linked to GCHQ. In a nutshell, NCSC-UK promotes choosing three random words for a password and concatenating them. As an addition, we would advise to concatenate them using a hyphen instead of “just” concatenating them. smart-phish-stew is much harder to crack than smartfishstew. But both of them are far better than Pa55word!.
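The “strong but dumb” idea above, as an added example (this is not Chapter8’s hashcat rule): a checker that flags the predictable habits the post lists, the exclamation mark at the end, an appended year, leet speak applied consistently (every e became a 3) and a guessable base word once the leet speak is undone. The base-word list is a constructed stand-in for the “what the client is and does” wordlist. It reproduces the post’s verdict on its own samples: Wir3l3ss2020! trips four checks, W!r3le$s!2020 only the year, and smart-phish-stew none.

```python
"""Flag strong-looking but predictable password patterns.

Added example, not Chapter8's tooling. BASE_WORDS is a constructed stand-in
for a client-specific wordlist.
"""
import re

# Common leet substitutions, checked for *consistent* use.
LEET = {"3": "e", "1": "i", "0": "o", "$": "s", "5": "s", "@": "a", "4": "a", "7": "t"}
YEAR_RE = re.compile(r"(19|20)\d{2}")
BASE_WORDS = {"password", "welcome", "wireless", "hospital", "summer", "winter"}


def deleet(s):
    """Undo leet substitutions character by character."""
    return "".join(LEET.get(c, c) for c in s)


def analyze_password(pw):
    """Return the list of predictable-pattern flags found in pw (empty = none)."""
    flags = []
    core = pw
    if core.endswith("!"):
        flags.append("trailing_exclamation")
        core = core.rstrip("!")
    m = YEAR_RE.search(core)
    if m:
        flags.append("year_%s" % m.group(0))
        core = core[:m.start()] + core[m.end():]   # judge the rest without the year
    # Consistent leet: the substitute occurs while the plain letter never does.
    for sub, letter in LEET.items():
        if sub in core and letter not in core.lower():
            flags.append("consistent_leet_%s_for_%s" % (sub, letter))
    # Guessable base word once leet is undone and punctuation stripped.
    word = re.sub(r"[^a-z]", "", deleet(core).lower())
    if word in BASE_WORDS:
        flags.append("base_word_%s" % word)
    return flags


def verdict(pw):
    """Plain-language summary: 'dumb' for several patterns, 'smarter' for one, 'ok' for none."""
    n = len(analyze_password(pw))
    return "ok" if n == 0 else "smarter" if n == 1 else "dumb"


if __name__ == "__main__":
    for sample in ("Wir3l3ss2020!", "W!r3le$s!2020", "smart-phish-stew", "Pa55word!"):
        print(sample, verdict(sample), analyze_password(sample))
```

The checks are heuristics for a password-policy review, not a cracker: a password that trips several of them is the kind a rule-based guess reaches long before brute force would.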

Photo by James Wheeler on Unsplash

Taking over the domain controller seems to be the only route to the other internal networks. But using an attack like ZeroLogon would cripple the network and be way too intrusive. Hacker needs to find another way through. Maybe it’s possible to plug in a physical device?

Since hospitals are semi-public places, we can easily walk around and recon the building, even on this early evening (did we mention this was turning out to be a long day?). And during our walkabout, Healer found an active network outlet near a television screen in a waiting room. Using the extra port on the outlet we discover more televisions, some printers, some network switches, some VOIP devices and…

Wait, whut?

Is that…

Wow…

You rarely see one of those in the wild anymore…

A real Windows XP machine! File sharing is open, but EternalBlue does not work out of the box. Luckily, we have seen this before and a custom send_and_execute.py script neatly delivers our reverse shell. Now we elevate privileges using ‘Named Pipe Impersonation’ via the Meterpreter command getsystem.

This Windows XP machine seems to be a ‘powerpoint machine’ with auto-login. This feature comes with the 'feature' that the computer’s registry shows the clear text username/password autologin combination. New credentials in the pocket!

Since using the network outlet next to the television gains us some hard stares from hospital staff (which is a Good Thing, and we were actually expecting to be apprehended), we switch our modus operandi to something a bit more stealthy. We modify our Meterpreter reverse shell on the XP relic to connect back to our loadout over the internet. This way, we can set up an encrypted command and control channel using regular internet access and a non-suspect domain. And because of the backconnect and some extra magic, this is a pretty inconspicuous way to regain access if the connection is dropped.

Okay, we’re set up to work remotely! Time to unplug from the wall socket and go home. Did we mention this turned out to be a long day?

Are these wall-outlet attacks easily detected or mitigated? Well, yes to both. With a little effort and lots of standard operating procedures. Network Access Control (NAC) is a very powerful tool to enhance endpoint visibility and control, and there are several versions of this tool available. The simplest is hard-coding equipment MAC addresses into white-lists on a managed switch. On larger networks, this is a pain to manage though. A more sophisticated way is the adoption of 802.1X, which comes in two flavors: credentials-based (username/password) or certificate-based. The latter is better, because it forces end users to go through an enrollment process to ensure their devices are set up correctly. But, not every network device supports this standard and it is quite an undertaking for IT to implement this standard thoroughly. Therefore, the adoption rate of 802.1X is still relatively low. There are known attacks on this standard and its extension 802.1X-2010, although these still rely on an attacker being able to place a custom made rogue device between a target supplicant and the switch.

Besides implementing NAC, unused physical ports should be disabled completely. Standard Operating Procedures, yes?

Luckily for Hunter, the hospital has two things: a naming convention for the devices they allow access to the network and an MSSP who has a use case for deviations to that convention. Hacker’s loadout was noticed in the DHCP logs and recognized as malicious. His machine was blocked (again), albeit too late (again).
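The MSSP’s use case, as an added example (this is not the MSSP’s own rule): completed DHCP leases are parsed from constructed ISC dhcpd-style syslog lines and every client hostname is matched against a naming convention. The HOSP-<ROLE>-<NNNN> convention, the addresses and the hostnames are all made up. A lease without any hostname is flagged as well, because a device that declines to identify itself is as interesting as one with the wrong name.

```python
"""Flag DHCP leases whose client hostname breaks the naming convention.

Added example, not the MSSP's use case. Log lines are constructed in
ISC dhcpd syslog style; the HOSP-<ROLE>-<NNNN> convention is made up.
"""
import re

# DHCPACK lines record a completed lease; the "(hostname)" part is optional.
DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)"
)
# Constructed convention: site prefix, device role, four-digit number.
CONVENTION_RE = re.compile(r"^HOSP-(WS|LT|PRN|TV|VOIP)-\d{4}$", re.IGNORECASE)

# Constructed sample log; addresses, MACs and hostnames are made up.
SAMPLE_LOG = """\
Aug 13 18:02:11 dhcp1 dhcpd: DHCPACK on 10.20.30.15 to 00:11:22:33:44:55 (HOSP-WS-0123) via eth1
Aug 13 18:02:40 dhcp1 dhcpd: DHCPACK on 10.20.30.16 to 00:11:22:33:44:56 (HOSP-PRN-0007) via eth1
Aug 13 18:03:05 dhcp1 dhcpd: DHCPACK on 10.20.30.40 to de:ad:be:ef:00:01 (loadout) via eth1
Aug 13 18:03:30 dhcp1 dhcpd: DHCPACK on 10.20.30.41 to de:ad:be:ef:00:02 via eth1
Aug 13 18:04:00 dhcp1 dhcpd: DHCPREQUEST for 10.20.30.15 from 00:11:22:33:44:55 (HOSP-WS-0123) via eth1
Aug 13 18:04:12 dhcp1 dhcpd: DHCPACK on 10.20.30.42 to 00:11:22:33:44:57 (hosp-tv-0042) via eth1
"""


def find_convention_deviations(log_text, convention=CONVENTION_RE):
    """Return a list of {ip, mac, host, reason} for leases that break the convention."""
    deviations = []
    for line in log_text.splitlines():
        m = DHCPACK_RE.search(line)
        if not m:
            continue  # only completed leases (DHCPACK) are of interest
        host = m.group("host")
        if host is None:
            reason = "no hostname"
        elif not convention.match(host):
            reason = "hostname off-convention"
        else:
            continue
        deviations.append({"ip": m.group("ip"), "mac": m.group("mac"),
                           "host": host, "reason": reason})
    return deviations


if __name__ == "__main__":
    for d in find_convention_deviations(SAMPLE_LOG):
        print("%(ip)s %(mac)s host=%(host)s -> %(reason)s" % d)
```

The match is case-insensitive so that a lowercase hostname from a device that follows the convention does not raise a false alarm; what remains are the two leases a hunter would want to look at, the off-convention name and the nameless one.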

Healer knew hospital staff was suspicious about the behavior they noticed around the TV set. He asked CISO where staff could report such behavior. The answer was not quite clear and one of the recommendations became to create a “tip line” for staff. Combined with a security awareness program on insider threat, an organization creates a powerful way to enhance staff involvement in security. Staff are important eyes and ears on the work floor and can be invaluable in detecting suspicious behavior and preventing insecure situations.

What a first day. Exhausted, we go to a hotel in the vicinity of the hospital to be able to start early for day two. This was a good day, making friends with the client’s security suppliers, helping CISO out and just experiencing the fun of being on the road again. Time for a good night’s rest. But first…

Photo by Thais Do Rio on Unsplash

Thank you for reading and stay tuned for part two!
