Category: Uncategorized

So I took this exam last week and it’s fair to say I failed and pretty hard too. The structure of the exam is really good and I felt that the initial contact was very well written. The Rules of Engagement are super clear and you’re given an Open VPN file to connect to the network.

The network itself is really responsive and running scripts and other attacks work really really well.

The problems

Please note the problems here are all mine. Absolutely nothing wrong with TCM and their practices.

After about 9 hours of trying to get some sort of foothold on the network and getting nowhere, I became super frustrated so frustrated I emailed TCM’s support team asking them to check the environment as I was convinced something was wrong. Let’s put it this way I didn’t send my email graciously, it was a rather panicked clumsy email that no doubt sounded like I was asking for help and tips. I wasn’t but certainly didn’t help myself. They responded in about 10 minutes which I couldn’t quite believe. They were very gracious in their response and kindly informed me that the environment was working fine with no errors.

The second thing I did which was super stupid in hindsight is going to Discord Server and ask for general guidance on OSINT. I was convinced and still am that my OSINT sucked. What I was trying to ask for is how people take the information and make the decision on their attacking method. I was quickly pulled into a one-to-one meeting with the moderators and told off. Whilst this is an open-book exam and I felt I was being generic enough to ask, the topic in question is still pertinent to the exam. Just learn from my mistake don’t do it. Fortunately, the moderator was gracious enough to tell me off and put a temporary ban on my account on the Discord Server. They said that if I did anything like that again, my exam would have been terminated. It’s not worth it, it’s open book just go to Google and research.

Take-Aways

So all in all, I didn’t get very far in the exam, the thing I wanted to test my knowledge on Active Directory I never got into which is a shame. Once I submitted my report the TCM team dropped me a little hint, my jaw dropped as I looked into it and my wife started laughing her head off because it was rather stupid.

Takeaway 1: I believe the exam is designed for beginner to intermediate, if you’re spending hours and hours coming up with weird and wonderful ways to exploit something, don’t. Just stop!

Takeaway 2: In the courses, Heath talks about the importance of Enumeration. I genuinely believe he’s right here. Make sure you’re notes are right on this and make sure you include Reconniasinace and Scanning within your Enumeration.

Takeaway 3: There’s a saying “try harder” when it comes to this stuff. However, John Hammond, I think re-phrases this perfectly to “try again”. If you’re stuck. Stop, you might not be able to let go of what you’re doing in your head. I know I can’t however, take 10-20 minutes off, step away from the desk and get a cup of tea or coffee. Then when you sit back down at your desk and review all of your Enumeration, it’s likely there’s something in there that you can use which is much easier than whatever you’re looking at.

Next Steps

I’d like to give this another crack, however, all of my Cisco certifications are up for renewal at the end of the year and with work moving to Juniper, I don’t have access to any of their hardware so I need to put some time aside to get back to it. If I get time I’d like to have another go before the end of the year but we’ll see what happens with my other certifications. I’ll update here once I’ve had another go.

Attempt 2

So, it happened again. TCM has announced a complete overhaul to their exam scenario and should I want to make use of the hint I was provided with I should have another go before the end of 2022. Not ideal with my Cisco certification renewals looming but I felt I needed to use the knowledge I gained on the scenario and not waste it.

With the hint I got from the last attempt I spent 30 minutes on the re-attempt and had access to the internal network through Proxychains. I attempted to use Responder, MITM6 and NTLMRelayX but as they all use Link-Local networking I needed to run the software on the External server. Unfortunately, I couldn’t escalate my privileges on that external server and as such I could run those pieces of software as it needs root privileges.

I was able to run some brute-force attacks against the internal network and got a user account on the domain but the account didn’t have any privileges so I could use SMB or RDP to get onto the internal network any further. All in all a bit of a shame but I’m glad I didn’t give up and continued to attempt to gain further access.

TCM recently had a discount code available to get their Practical Ethical Hacking (PEH) course for $1. In the UK this worked out with taxes to be about £1.10 which in my mind is an absolute bargain. Bearing in mind that I have over 10 years of experience in IT Infrastructure and about a year fumbling through Ethical Hacking courses. I thought I’d give my thoughts on the course so far as I’ve just completed the Capstone section.

The initial sections of the course, Network Refresher, Setting Up Our Lab, Introduction to Linx and Introduction to Python are very basic, I get the feeling that this part of the course is designed for anyone who doesn’t have any experience in Networking, Linux or Python. I supposed based on the fact that most of them say “Introduction” that’s about right. They are good in their content but if you’ve already got experience in these technologies you can pretty much skip the entire section. I found a few bits useful reminders like Tuples in Python being immutable.

The next section was the first part of the hacking lifecycle, Reconnaissance. This was quite a good section as it introduced tools available on the internet that you do not get introduced to by using services such as TryHackMe. Whilst TryHackMe does have some OSINT rooms I never really walked away from completing those rooms feeling like I learned something where I did with this as Heath takes you through what you’re looking for a why.

Scanning & Enumeration is the next section which again if you’ve not done any sort of Hacking/Pen Testing/Red Teaming is a great introduction to some of the basics. I really like the emphasis that Heath puts on this section and Reconnaissance as with him I believe it’s the most important as having as much information as possible, makes the rest so much easier. I would say that the Nessus scanning is included in this section as well but TCM/Heath has given it, its own section and rightly so. Nessus is a monster and a wonderful tool but it is part of enumeration.

The final section before the Capstone is the exploitation, again not too much here I hadn’t seen before but understanding the difference between staged and non-staged payloads was great as it also explained why sometimes when using things like Metasploit the exploits don’t work with one type of payload but work with another. You are also taken through the manual exploitation process which at first glance feels like it’s going to be coding your own exploit against a piece of software. Actually, it’s just googling until you find an exploit someone else has written understanding the exploit and how to run it against your intended victim.

Capstone

So the Capstone section, in this section you’re given five machines to attempt to hack. The idea is you have a go and in the event you get stuck they provide a video to go through and work out where you went wrong and why. The five machines in order are Blue, Academy, Dev, Butler and Blackpearl. These machines are supposed to go from basic to harder. I personally found the first two a breeze, Dev I ended up not following my methodology on and went down a rabbit hole on one of the open ports. In other words, explore all ports. Butler was annoying, there’s no other word for it. I spent hours on this machine trying to break past the authentication to no avail. I finally gave up after 10 hours and watched the video and in the end, it turned out that whatever I put at it (in this case the rock you database) wouldn’t have gotten me anywhere. All I will say is to pay attention to the software name, apparently, some administrators like to use something like this for the username and password to a piece of software. I thought this was a bit cheeky as I’ve never seen anything like that before in the industry. Blackpearl was a great learning experience and I cracked that in 90 minutes after watching all of the videos I believe I got most of the things nailed, don’t forget this isn’t a CTF, you need to capture all possible paths of exploitation and privilege escalation in your notes for your report later.

My thoughts

So my thoughts on this course, it’s a great introduction to ethical hacking and so far it’s been quite enjoyable to understand some different techniques that people are using. I personally haven’t picked up loads with having quite a lot of experience however, the things I have picked up I believe have made me understand things better and that can only be a win. I still have Exploit Development (Buffer Overflow), All of the Active Directory (AD) sections as well as Web Applications and Post Exploitation to do and I’m really looking forward to it as I’ve not done much around attacking AD. I’ll update this post once I have completed the rest and let you know my thoughts on the second half of the course.

The Background

The company I work for has been users of Sonus/Ribbon SBC’s for just shy of 10 years and in that time the devices have become an absolute pain in the backside to support. We have been seeing one minor routing change or an Access Control Entry re-number in our firewalls that completely stops communication between the Ribbon SBC and Teams.

We decided the time was up on these SBCs and the plan was to move to a hosted solution, unfortunately, we found out one of the directors had signed a multi-year agreement with Gamma on our SIP service. In the end, we purchased an AudioCodes SBC, specifically a virtual one.

I hope the below may help you in configuring your AudioCodes device with Teams and prevent you from coming into the same issues we faced.

The Problems

The first problem we came across when we installed the SBC and followed the AudioCodes guide for Teams Direct Routing was the re-writing of specific headers or lack thereof. We noticed that the SIP TO header wasn’t being modified as it was being sent out to Gamma. We submitted a support ticket and all AudioCodes were saying is we needed to remove the Message Manipulation that we were trying to implement on the outbound leg to Gamma. After back and forth with them, we ended up just pursuing the issue with Gamma as turning off Message Manipulation wasn’t the answer. What was being sent to Gamma in the SIP TO header was: +441234567890@siptrunk.example.com. siptrunk.example.com being our FQDN of our TLS connection to Teams which had nothing to do with the outbound leg to Gamma who were expecting their gateways IP Address. After a load of back and forth with Gamma’s excellent support team, we identified five manipulations that needed to take place for both connectivity and also Caller ID:

FORMAT Index = ManipulationName, ManSetID, MessageType, Condition, ActionSubject, ActionType, ActionValue, RowRole;
MessageManipulations 0 = "To URL Host", 0, "", "", "Header.To.URL.Host", 2, "Param.Message.Address.Dst.IP", 0;
MessageManipulations 1 = "Contact Header Name", 0, "", "", "Header.Contact.Name", 2, "'01332333000'", 0;
MessageManipulations 3 = "P-Asserted-Identity", 0, "", "", "Header.P-Asserted-Identity", 2, "'<tel:01332333000>'", 0;
MessageManipulations 4 = "From Header URL User", 0, "", "", "Header.From.URL.User", 2, "'01332333000'", 0;
MessageManipulations 6 = "Request URI to Destination", 0, "", "", "Header.Request-URI.URL.Host", 2, "Param.Message.Address.Dst.IP", 0;

So the first and last manipulation was needed so we could send the correct information to Gamma which was the Request-URI.URL.Host and TO.URL.Host had their SIP gateways IP Address in it rather than siptrunks.example.com. The other three were needed so that when we dialled out a customer would see the call coming from 01332333000.

Now that we got connectivity and are able to make and receive calls we migrated across to the new platform. That’s where the second problem occurred. What we identified was we were able to transfer blindly between a PSTN call and two users within Teams but were unable to perform a consultative transfer. We spent just over four hours checking and rechecking the REFER header configuration which is required in transferring within Teams however, we got nowhere.

In the end, we found a thread on the Microsoft forum relating to an issue with the lack of Music on Hold for consultative transfers, following this thread we re-read the AudioCodes integration document: https://www.audiocodes.com/media/13253/connecting-audiocodes-sbc-to-microsoft-teams-direct-routing-enterprise-model-configuration-note.pdf and noticed that it was an optional extra to configure this. We bit the bullet and set this up downloading a WAV sample file and using the DConvert utility available from AudioCodes to convert it to a .DAT file. We then set the IP Profile to use the internal audio file and hey presto Consultative Transfers started working.

I guess the issue here was with there being no audio being sent from Teams the AudioCodes SBC decided that the call was dead and decided to terminate the call.

What’s weird about this solution is we found that the original Teams music on hold was being played to the caller, not the one we uploaded (We purposely chose something completely different). However, it worked.

At work, we have been customers of Fortinet for just under 10 years. During this time we haven’t really had anything wrong to say about their product, the Fortigate. That was until about a year ago when we pursued our Cyber Essentials Plus certification. Before we dived into the audit we went over the scope and believed the edge firewalls to be within the scope of audit purposes. This meant that we were going to need to show one of two things for our administration access. Multi-Factor Authentication or Lockout policies. As we were big users of Azure MFA we decided to go down this route as an easy win.

Upon investigation into setting this up, Fortinet had their own product the FortiToken to be able to take advantage of MFA for administration purposes. However, they did allow AzureMFA through SSL-VPNs so we decided to see if we could adopt their configuration guide to allow us to perform MFA on the logins for administration purposes. After a load of trail and error we managed to get it working.

RADIUS Server Configuration – Fortigate

config user radius
edit "NPS"
set server "10.0.0.100"
set secret ENC SecretKey
set timeout 60
set all-usergroup enable
set password-renewal disable
next
end

User Group Configuration – Fortigate

config user group
edit "Admins"
set member "NPS"
next
end

User Configuration – Fortigate

config system admin
edit "twestby"
set remote-auth enable
set accprofile "super_admin"
set vdom "root"
set email-to "talan.westby@takeitfurther.co.uk"
set remote-group "Admins"
set password ENC SecretBackupKey
next
end

Network Policy Server

On your Network Policy Server (NPS) install the AzureMFA extension as per the Microsoft documentation: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension

Next, configure NPS to allow connection from your firewall by setting up a RADIUS Client. All this needs is the IP Address and the SecretKey configured in the Fotigate RADIUS Server Configuration above.

Next, we’ve had to set up both a Connection Request Policy and a Network Policy. In the Connection Request Policy, we’ve left everything at default apart from adding one condition which is the RADIUS Client IP so it always hits this policy and add a Vendor-Specific Attribute in the settings. This Attribute is a RADIUS Standard attribute and has a string value of 12356 and we’ve set the policy to conform.

Finally, we set the Network Policy to meet two conditions, the RADIUS Client IP and the group of users we wish to use for this administration. In our case, we used our IT Department. The constraints we use are to enable PEAP in the EAP types and MS-CHAP-v2 as an authentication method. We’ve then set the same Vendor-Specific attribute as in the Connection Request Policy.

Notes

One thing to note here is we attempted to configure this whilst keeping our old NPS setup active. Don’t do this. We weren’t getting the expected results and were seeing our RADIUS traffic hitting both our old and new NPS servers and as the old one didn’t need MFA it was responding with the Access-Accept message before the MFA was performed. This took me quite a while to figure out despite me setting our group to go via the new MFA NPS server in the Fortigate. The simple solution is to either remove the RADIUS Server from the configuration or just move the configuration across to the new NPS Server altogether.