Welcome back, cyberwarriors. It’s Collateral here again. Today we’ll look at an attack vector that goes beyond password complexity and 2FA. This method proved successful during one of our latest operations targeting a Russian company. The environment we encountered was complex, with a segmented network and no straightforward access paths. But this is where one of OTW’s lessons came into play: when stuck in a network with no obvious moves, start with traffic analysis. And that’s exactly what we did.
Entry Point
One of our Ukrainian contacts shared access to a segmented internal network used for corporate mail. No details were provided about the machine or its environment. Initial analysis showed that the host was running multiple Docker containers. On the surface, it looked like the company had done a decent job hardening the environment. As you may know, hosted applications, regardless of the operating system, typically store their configuration files in specific locations within the system. Searching for them manually is slow and unreliable, especially if the files are big. That’s where a tool like LaZagne comes in.
LaZagne
LaZagne is a Python-based credential recovery tool that parses local credential stores and dumps recovered data in a clean format. It automates the grunt work and can often uncover application passwords buried in odd locations. The interface is simple and the results can be surprisingly effective.

Not every entry you see will be a valid login, but most of the passwords are usable. In our case, we found the root credentials for MySQL, which gave us database access. If needed, it’s enough to temporarily adjust the entries to analyze mail overnight.

We redacted the usernames since this is an active campaign. The password hashes used BLF-CRYPT format, which can be easily reproduced using basic Python scripts if you decide to manipulate the entries.
Network Traffic Analysis
Password hashes don’t always help, especially when they’re slow to crack or backed by 2FA. Logging in with a cracked password might trigger a verification code sent to the user’s phone, which can raise alarms or cause the account to get locked.
That’s why we turned to traffic analysis with tcpdump. This CLI tool might be basic in appearance, but it’s quite powerful. It helped us understand the network’s behavior and discover which services were in use. For more efficient analysis, consider opening your PCAP files in Wireshark.

We started with a general traffic capture to get a sense of the environment. In secure networks where active scanning tools like nmap are blocked or logged, passive monitoring with tcpdump is a better choice. By examining traffic flows and packet patterns, we were able to map out machine roles and communication paths.
Next, we focused on HTTP traffic and found a POST request made to the mail server. The request exposed an internal proxy setup where a publicly accessible mail portal forwarded traffic to a local Linux machine.


As you can see, the request contains the original IP address.
Even though the main site used HTTPS, internal traffic was still HTTP, which is common in closed networks, but dangerous.

Looks pretty good, right? They still think so.
Identifying the Right Port
To collect only the traffic we needed, we had to locate the correct port. It wasn’t on the usual 80 or 8080. A closer look at the POST request revealed that the destination port was 20000.

With that in hand, we started capturing targeted traffic:
kali > tcpdump -i interface tcp port 20000 -w /etc/systemd/20k_01.pcap
Adjust the interface name to match your setup and always store captures in obscure locations. Note that capture processes remain visible in the process list, so keep it quiet.

The irony was obvious. Complex passwords, but no basic security on local traffic.
Bypassing 2FA With Cookies
Some accounts had 2FA, but if you have valid session cookies, you don’t need the password or the 2FA code. Just import them into your browser using an extension like Cookie-Editor and you’re in.
Streamlining With TCPDump
Once we knew what to look for, we filtered the traffic using this simple command:
kali > tcpdump -A -r 20k_05.pcap port 20000 | grep "userName"
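The same pattern the grep above keys on is what a defender should be hunting for on the internal hop. Below is an added audit example (not code from the post) that parses a raw HTTP request, as printed by tcpdump -A, and reports whether it carries credential fields in cleartext, whether a session cookie travelled unencrypted, and which original client IP the proxy forwarded, without copying the secret values into the report. The request text, host and field names are constructed for illustration.

```python
# Constructed sample request, modelled on the internal hop described in the
# post: a public mail portal forwarding a login POST over plain HTTP to a
# backend on port 20000. Every value here is made up; this is not a capture.
SAMPLE_REQUEST = (
    "POST /api/login HTTP/1.1\r\n"
    "Host: 10.0.0.5:20000\r\n"
    "X-Forwarded-For: 203.0.113.7\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Cookie: session=constructed-session-value\r\n"
    "\r\n"
    "userName=jdoe&password=not-a-real-password&remember=1"
)

# Form parameter names (compared case-insensitively) that mark a credential.
CRED_FIELDS = {"username", "user", "login", "password", "passwd", "pass"}

def parse_request(raw: str):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body

def audit_request(raw: str) -> dict:
    """Report cleartext-credential and proxy-hop findings; never return secret values."""
    method, path, headers, body = parse_request(raw)
    findings = {
        "path": path,
        # The forwarded client address is what makes the proxy hop visible.
        "proxied_from": headers.get("x-forwarded-for") or headers.get("x-real-ip"),
        "credential_fields": [],
        "cookie_in_clear": "cookie" in headers,
    }
    if method == "POST" and body:
        for pair in body.split("&"):
            name = pair.split("=", 1)[0]        # keep the field name, drop the value
            if name.lower() in CRED_FIELDS:
                findings["credential_fields"].append(name)
    findings["cleartext_credentials"] = bool(findings["credential_fields"])
    return findings

if __name__ == "__main__":
    for key, value in audit_request(SAMPLE_REQUEST).items():
        print(f"{key}: {value}")
```

Any hit on cleartext_credentials or cookie_in_clear on an internal link is a finding to fix by terminating TLS on the backend as well, not just on the public portal.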

We found folders labeled “Accesses” and “VM”. Emails confirmed that the company hosted client services on virtual machines. Every change or deployment was logged in plain text, including IP addresses, usernames, and new passwords.
Conclusion
Network traffic might be an underestimated asset during an intrusion. Companies often focus their defenses on firewalls and perimeter security, leaving internal communications wide open. But if you know how to look and listen, the answers are often already flying through the air. Traffic analysis turns noise into opportunity and with enough patience, it leads to full compromise.
The post CyberWar! Taking Over a Russian Corporate Mail first appeared on Hackers Arise.
Source: HackersArise
Source Link: https://hackers-arise.com/cyberwar-taking-over-a-russian-corporate-mail/