I was recently tasked with performing a pentest of a very small environment that contained 10 networked devices. Needless to say, everything seemed to be pretty new and well configured. Servers were patched, services were few and far between, firewall rules were tight and passwords were not set as defaults.
I was getting a bit desperate and thought I’d fire up Wireshark to have a look at the background traffic to see what was going on. In doing so I struck lucky!
Firstly, before I get to the point of the post I’ll take a small detour; in viewing network traffic it immediately became evident that the same physical switch was being used within several VLANs. It was possible to identify the switch from the System Name and Description subtrees within some LLDP_Multicast packets. These packets contained useful information such as switch name, model number and firmware/ROM revision information. Collecting such information not only helps identify any vulnerabilities that may exist in outdated firmware, but also helps gain a better understanding of the environment – especially when network diagrams are non-existent.
Back to the story. At the time I was on a network with addresses in the range of 10.x.x.x/24 and I noticed a lot of gratuitous ARP replies for the IP address 192.168.0.120 (many also stating duplicate address in use). I changed my IP to one in the 192.168.0.0/24 range and picked a single MAC address that was associated with the 192.168.0.120 address. After clearing my local ARP cache I set a permanent entry for the selected MAC address using the command ‘arp -s 192.168.0.120 mac:address’.
A fast nmap scan of the host revealed that ports 22, 80 and 443 were open. I navigated to 80 (which forwarded to 443 HTTPS) and lo and behold it was a Dell iDRAC controller for one of the 10.x.x.x hosts. I knew that the default credentials are root/calvin (from many a previous pentest) and, unsurprisingly, I was straight in, via SSH too!
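The ARP traffic described above is exactly the kind of thing a defender can watch for: a management-network address leaking onto the wrong VLAN, several MACs announcing the same IP, and a burst of gratuitous replies. The script below is an added example (not from the original post) that flags all three over a constructed capture; the MAC addresses and the expected subnet 10.0.0.0/24 are assumptions.

```python
import ipaddress
import struct
from collections import defaultdict

ETH = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")  # hw/proto type, lengths, opcode, sha, spa, tha, tpa
ARP_REQUEST, ARP_REPLY = 1, 2
BCAST = "ff:ff:ff:ff:ff:ff"

def build_arp(src_mac, spa, dst_mac, tpa, op):
    """Construct an Ethernet/ARP frame; used only to build the sample capture below."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: ipaddress.IPv4Address(s).packed
    return ETH.pack(mac(dst_mac), mac(src_mac), 0x0806) + ARP.pack(
        1, 0x0800, 6, 4, op, mac(src_mac), ip(spa), mac(dst_mac), ip(tpa))

def parse_arp(frame):
    """Return (opcode, sender MAC, sender IP, target IP), or None for non-ARP frames."""
    if ETH.unpack_from(frame)[2] != 0x0806:
        return None
    op, sha, spa, _, tpa = ARP.unpack_from(frame, ETH.size)[4:]
    return op, ":".join(f"{b:02x}" for b in sha), str(ipaddress.IPv4Address(spa)), str(ipaddress.IPv4Address(tpa))

def analyse(frames, expected_subnet):
    """Count gratuitous replies, find IPs claimed by more than one MAC, and list off-subnet senders."""
    net = ipaddress.ip_network(expected_subnet)
    claims = defaultdict(set)   # sender IP -> MACs seen claiming it
    gratuitous, foreign = 0, set()
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        op, sha, spa, tpa = parsed
        if spa == "0.0.0.0":    # ARP probe: sender is not claiming an address yet
            continue
        claims[spa].add(sha)
        if op == ARP_REPLY and spa == tpa:   # gratuitous reply announcing its own address
            gratuitous += 1
        if ipaddress.ip_address(spa) not in net:
            foreign.add(spa)
    conflicts = {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}
    return {"gratuitous": gratuitous, "conflicts": conflicts, "foreign": sorted(foreign)}

# Constructed capture modelled on the post: two MACs both announcing 192.168.0.120 on a
# VLAN whose expected subnet (an assumption here) is 10.0.0.0/24, plus one ordinary request.
SAMPLE_FRAMES = [
    build_arp("00:11:22:33:44:01", "192.168.0.120", BCAST, "192.168.0.120", ARP_REPLY),
    build_arp("00:11:22:33:44:02", "192.168.0.120", BCAST, "192.168.0.120", ARP_REPLY),
    build_arp("00:11:22:33:44:10", "10.0.0.5", BCAST, "10.0.0.1", ARP_REQUEST),
]
```

Running `analyse(SAMPLE_FRAMES, "10.0.0.0/24")` reports two gratuitous replies, 192.168.0.120 claimed by two MACs, and 192.168.0.120 as a foreign address on the 10.0.0.0/24 segment; in a real deployment the frames would come from a capture on the VLAN's mirror port.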
It just goes to show, if all else fails just open the shark and cross your fingers!