Security Testing for entities hosted in cloud

Applications that are being migrated to the cloud, or are planned to be hosted in the cloud, need additional security considerations. Failure to ensure proper security protection when using cloud services may result in higher costs and loss to business. Organizations must consider security controls for the different services, viz. Infrastructure as a Service (IaaS), Software as a Service (SaaS) or Platform as a Service.

Which applications should be moved to cloud?
·         Low to Medium Risk

What are the key security risks while hosting in cloud?
·         Isolation Failure – Multi-tenancy is a key thing in cloud. Failure in the controls that separate storage, memory, identity and access control, and routing between tenants is a huge risk.
·         Authentication and Authorization
·...

2 Firewalls, 1 switch and a Router PWN3D in 1 hour 5 minutes – yes the 5 minutes are really important.


It was a cold Monday morning and I was tasked to do a Security Assessment on a newly built architecture that consisted of 2 Firewalls, a Switch and a router. This was in a data center and a specially built Lab for testing. It was planned that once the lab testing is over the same setup will be migrated to production.
So after doing the basic CHECK CHECK CHECK (PTES | OSSTMM), I plugged my laptop into the allocated network port and started my assessment.
Started with nmap, and SSH was open as expected on all the devices. So as a parallel time-consuming activity I fired up Hydra for a brute-force attack on the router and switch. No point in doing it against the firewalls.
Nmap was over in 15 minutes and nothing interesting came up. Since the cold was killing me, I decided to start a Nessus scan. I quickly made a new scan profile to suit the open ports and services and started the scan against 1 firewall.
I knew this was going to take time, so I left the Nessus scan against the firewall and the brute force against the router and switch ON and came out of the data center to read the project documentation again. My plan was to create a strategy for the pentest and verify the threat model built earlier.
After some time I went back to check, and both the scan and the brute force were still on. I found that SNMP v2 was used on the router – New hope. So I ran snmpwalk against it.
Realized that it was not a Public key, so I needed to crack it. Launched a brute force against the key using nmap (snmp-brute NSE). The Nessus scan was almost complete by this time, so I started looking at the findings. There was nothing in RED. Suddenly I noticed Hydra had stopped – and the wordlist had not ended – Hurray – it had cracked a password.
Quickly did an SSH to the router with the username nadmin and the cracked password. I was IN :)
I noted the time: it was close to 1 hour from the time I started, and this was a great breakthrough. New ideas started to float in my mind – but wait – suddenly a more innovative thought came to my mind.
I used the same credentials on the switch and I was IN :)
Used the same on the firewall but it did not work. So I fired up Hydra again, but this time I brute forced the username instead of the password – in less than a minute I had the username: ‘FWADMIN’.
Tried on Firewall 1 – I was IN :)
Tried on Firewall 2 – I was IN :)

So in the last 5 minutes I had PWN3D all the boxes. Fast and Furious.
I continued my assessment and cracked the SNMP key as well, with which I could then read the entire router configuration.
Finished the assessment and reported the findings. The Project and Operations team was advised not to use the same credentials on all the boxes. It makes the attacker's life easier.
After this I did at least 5 to 6 more security assessments for the same operations team but could never find flaws in the passwords.
That’s the actual WIN and a real Value for a Penetration Test.

Note2Self: Always try the acquired credentials on all the boxes in the same environment. You never know, you may get lucky.
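
The defender's view of the same sequence, as an added example that is not part of the original post: a login that succeeds after a run of failures, followed by the same account from the same source on other devices. The event format, device names, IP addresses and the failure threshold are constructed assumptions; real device syslog would first have to be normalised into this shape.

```python
from collections import defaultdict

# Constructed sample events (not taken from the post), assumed to be already
# normalised from each device's SSH/AAA syslog: time device source user result
SAMPLE = """\
09:58:01 router1 10.0.0.50 nadmin FAIL
09:58:02 router1 10.0.0.50 nadmin FAIL
09:58:03 router1 10.0.0.50 nadmin FAIL
09:58:04 router1 10.0.0.50 nadmin OK
10:00:10 switch1 10.0.0.50 nadmin OK
10:01:00 fw1 10.0.0.50 nadmin FAIL
10:01:05 fw1 10.0.0.50 admin FAIL
10:01:06 fw1 10.0.0.50 root FAIL
10:01:07 fw1 10.0.0.50 fwadmin OK
10:02:00 fw2 10.0.0.50 fwadmin OK
10:04:59 switch1 10.0.0.9 ops FAIL
10:05:00 switch1 10.0.0.9 ops OK
10:06:00 router1 10.0.0.9 ops OK
"""

def find_guessed_then_reused(text, min_failures=3):
    """Map (source, user) -> devices reached, for accounts whose first
    success from that source followed at least min_failures failed logins."""
    failures = defaultdict(int)   # (source, device) -> failures since last success
    tainted = {}                  # (source, user) -> devices, guessed one first
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:      # skip blank or malformed lines
            continue
        _ts, device, src, user, result = fields
        if result == "FAIL":
            failures[(src, device)] += 1
            continue
        key = (src, user)
        # A success right after many failures marks the account as guessed.
        if failures[(src, device)] >= min_failures:
            tainted.setdefault(key, [])
        failures[(src, device)] = 0
        # Every later success with a guessed account is credential reuse.
        if key in tainted and device not in tainted[key]:
            tainted[key].append(device)
    return tainted

if __name__ == "__main__":
    for (src, user), devices in find_guessed_then_reused(SAMPLE).items():
        print(f"{src} guessed '{user}' on {devices[0]}, reused on {devices[1:]}")
```

An administrator who mistypes a password once and then logs in to several devices (the `ops` lines) is not reported, because the failure count stays below the threshold.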
