
Pentesting Restrictive Environments – Part 1

October 6, 2017 By RSM Author

The Scenario

On a recent engagement, the client was focused on testing the controls in place within the environment. The client wanted a penetration test conducted from the perspective of a malicious employee using a heavily restricted, domain-joined Windows host. The other caveat was that the client would be actively looking for me and worked under a three-strike system. To be clear, the client was not physically looking for me; they were attempting to find me through alerts generated by malicious activity, for example if I triggered the antivirus. If the client found me three times, the engagement was over. Each time I was found I would be forced to move to a new location and use a clean Windows operating system (per their incident response policy).

It should also be noted that the Group Policy Object (GPO) applied to these systems is very strict. Some of the restrictions that I can recall are:

  1. Mass storage
  2. Command Prompt
  3. PowerShell (or PowerShell ISE)
  4. Access to the C: drive
  5. Registry
  6. Task scheduler
  7. Computer Management
  8. Services
  9. Network configuration settings
  10. Any other common administrative tools

The PC could not be booted from USB without enabling it in the BIOS (which was password protected), and the client specifically requested that we not take apart any hardware. Since the drive was unencrypted, an attacker could theoretically use a drive reader to extract the SAM file and try to crack the built-in Administrator account (or pass the hash if the account is shared across hosts).

The client does not allow their employees to bring in external devices, so I would not be able to plug an external device into the network. With 802.1X controls in place, any attempt to plug in an external device would be met with one strike.

Instead of thinking of this as a network penetration test, I thought of it as a controls test. A successful engagement would mean I had circumvented the controls. There wasn’t going to be any easy way to do that with all the restrictions, so I devised a plan. Here’s a picture of the solution:

Figure 1: Portable Backpack LAN aka PacLan

After some thinking, I decided it was reasonable to assume that a wireless dongle would be permitted. Ideally this meant I would go into the environment, plug the dongle into the desktop I was testing from, and connect to my portable backpack network. I will be referring to this setup as PacLan.

To turn the PacLan into a reality, I began ordering some things.


What you will need

  1. Low Profile Edimax Wi-Fi USB x 2
  2. ODROID-C2
  3. Don’t forget the ODROID-C2 case like I did
  4. ZyXEL Wireless Travel Router
  5. Crave PowerPack 50,000 mAh battery
  6. Memory Card Reader/Writer
  7. MicroSD Card


In the next blog post we will be putting all these pieces together!

Originally authored by Corey
