Read customer’s SMS


We discovered a critical vulnerability on the corporate web ui of the mail server hosted on premise. A firewall temporary open afforded us to bounced on a new network using password guessing. After days of information gathering on the workstation of the zone, we discovered a huge network and complex network. We decided to focus on the monitoring zone first, it appeared that one “logs” monitored were the SMS themselves encrypted. A wrong management of the cryptography enabled us to retrieve the SMS in clear text.

Day 1: The first step was to discover the entire internet facing of the entity.

Day 3: After having gathered all the subdomains, mail server, exposed services we started to analyzed them in order to find a vulnerabilities.

Day 6: The mail server publicly exposed the Web UI as well as the admin UI. We managed to Exploit the Public-Facing Application (T1190) and gain a remote code execution. A new information gathering phase began on the server itself as well as the subnet.

Day 8: After analyzed the mailed, we were aware of the deployment of a new server in the subnet we stayed. We also managed to understand the Password Policy (T1201) and login to the new server (Remote Services T1021).

Day 9: The log on the server gave us the IP of the admin, the ACL open, knowing the password policy, guessing the password of the workstation was only a matter of time (Remote Desktop Protocol T1076).

Day 10: No Active Directory for the workstation, we abused Windows auto-discovery protocol to compromise the whole subnet (LLMNR/NBT-NS Poisoning and Relay T1171). The password hashes were submitted to our cracking server. Meanwhile we analyzed the files on the workstation we had access.

Day 15: We had access to almost all the workstation, we got a lot of network diagram and a lot of passwords stored in files. No clear clue of where the SMS could be. For the sake of being silent we decided to compromise the monitoring zone.

Day 18: After a while we discovered that the SMS was sent to one of the monitoring server. On the web UI the SMS appeared encrypted. We found out that the SMS was encrypted on the server himself hence they were sent out in clear text. Listening the incoming traffic afforded us to extract the SMS (Automated Collection T1119) and achieve our goal.