[ISN] Anatomy of a fairly easy attack

From: mea culpa (jerichoat_private)
Date: Sun Mar 14 1999 - 13:34:29 PST

    From: Subash Raman <subashat_private>
    
    An anatomy of a fairly easy attack
    
    Once upon a time, an auditor was asked to prove that an organization's
    machines are not insecure. Their lamentable naivete notwithstanding, the
    auditor got them to sign the necessary legalese and then turned his
    attention to the task at hand. Some background for those who like their
    detail: it was an NT environment with SQL Server 6.5. So our hero starts his
    venture by first running a tool called chronicle which tells him what
    service packs are running on which servers. That eliminates a lot of
    unnecessary probing for vulnerabilities, does it not? When he realised that
    they are only running SP-3 and no other patches have been applied, and
    furthermore on realising that they are using SMS (client server network
    management s/w), he uses sechole (easily obtainable from the net) and gets
    in as a domain admin from a lowly regular account.
    
    Their PDC turned out to be fairly easy since their registries were
    unprotected. He next ran a find and lo and behold found two default
    accounts with passwords scripted in the registry. Next, using these
    accounts, he attached to their shares (hidden of course; only redbutton had
    no trouble finding them) and then proceeded to download the SAMs and,
    what's of more interest, the drwtsn32.log file.
    
    Sadly the log file didn't contain much interesting data of the variety he
    was after, but he did glean from them an internal webserver that was
    accessing them. So back to info gathering: he scanned the entire network
    and picked up the webservers. A few quick Perl scripts (and a very nifty
    tool called the grinder which can recursively go through the URLs
    automatically) and he nailed the server he was after. Using the datastream
    technique he managed to get hold of the source code for the ASP scripts,
    esp. global.asa, and lo and behold the connection object had the userid
    and password for their SQL Server right there. In a matter of minutes he
    was inside the server again with isql getting the credit card information
    he had been challenged to find.
    
    redbutton, grinder, a couple of Perl scripts to parse through the data,
    WhatsUp Gold to do network maps (and portscans) and he was inside
    literally the corporate data vault in a matter of a couple of hours.
    
    If he was a real hacker and he didn't have access to a webserver using ASP
    code, he could have still done it by <you guessed it> running a
    particularly nasty DoS attack to bring the SQL Server crashing down and
    then going through the log. Dumpster diving is not considered very
    glamorous but you will agree that most insider hacking is based on
    examining core dumps by knowledgeable debuggers. In the case of the NT
    logs you don't even need to know how to do core analysis; all you have to
    know is English and have enough patience to keep going through them till
    you find the info you are looking for.
    
    Since he was inside SQL Server with sa privileges he ran xp_cmdshell and
    added himself as a user and then proceeded to add the id to the global
    domain admins group as well, just to make a long story short.
    
    Why did I do this anatomy of a typical attack? And what are the dangers
    of teaching people such methods?
    
    Lots generally, but to tell you the truth, if somebody had spent some time
    cleaning up the registries, applying the key post SP-3/SP-4 hotfixes and
    then ensured strict compliance with policies such as no clear text
    scripting when it came to coding and removal of stored procedures such as
    xp_cmdshell with more specific stored procedures, then it would have been
    far more difficult to have done what I did. And the tools I mentioned can
    be got off the internet very, very easily. So you are definitely not
    underestimating the dangers when you warn people. I just felt that it is
    also necessary to further prove the point by writing this article on how
    somebody would actually go about doing it.
    
    Hope this enlightens more than it obfuscates. Have to admit that this note
    coming at the end of a day spent trying to establish the need for both
    policy, awareness and a protection strategy that pays equal attention to
    prevention, detection, reaction and alleviation is probably why I decided
    to break my usual silence on this matter and come out in the open about
    this. Plus I am beginning to feel that we are fighting a losing battle
    trying to raise awareness and are being drowned by the focus on the media
    driven threats as opposed to the real ones. Oh well, maybe I'll go back to
    doing budget management. At least forecasting models are a lot less dicey
    to deal with than security issues.
    
    regds,
    -sr
    
    P.S. And don't ask me for the name of the poor auditor. He's far too busy
    to have the time to answer your questions and he's far too modest to want
    to relinquish his identity and come out of the closet anyway <grin>
    
    
    -o-
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]
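The post's closing recommendation, "no clear text scripting", is the kind of policy that only holds if somebody checks for it; the credentials in global.asa and the passwords scripted in the registry were both plain text sitting in files an audit could have caught. The following is an added example, not code from the post or its author: a small scanner that walks a tree of web source and registry exports, flags lines carrying a password, and redacts the secret in its own report. The file suffixes, the key names it matches, and the two constructed sample files are assumptions for the example.

```python
"""Flag clear-text credentials in web-application source and registry exports.

Added example (not code from the original post or its author). It checks the
policy the post argues for, "no clear text scripting": walk a directory,
inspect files such as global.asa and .reg exports, and report lines that embed
a password, with the secret redacted so the report itself is safe to share.
File suffixes, key names and sample contents below are assumptions.
"""
import re
import tempfile
from pathlib import Path
from typing import List, NamedTuple

# File types worth inspecting (assumed: ASP-era web code plus registry exports).
SCAN_SUFFIXES = {".asa", ".asp", ".inc", ".reg", ".ini"}

# Password keys in ADO/ODBC-style connection strings ("...;UID=sa;PWD=secret").
CONNSTR_RE = re.compile(r'(?i)\b(pwd|password|passwd)\s*=\s*"?(?P<secret>[^;"\'\r\n]+)')
# Registry export values whose name mentions a password ("ServicePassword"="...").
REGVAL_RE = re.compile(r'(?i)^\s*"?(?P<name>[^"=]*pass[^"=]*)"?\s*=\s*"?(?P<secret>[^"\r\n]+)')


class Finding(NamedTuple):
    path: str
    line_no: int
    snippet: str  # offending line with the secret replaced by ***


def redact(line: str) -> str:
    """Return the line with any matched secret replaced, keeping the key visible."""
    line = CONNSTR_RE.sub(lambda m: f"{m.group(1)}=***", line)
    line = REGVAL_RE.sub(lambda m: f'"{m.group("name")}"=***', line)
    return line


def scan_text(path: str, text: str) -> List[Finding]:
    """Scan one file's contents; returns a Finding per line holding a credential."""
    found = []
    for n, line in enumerate(text.splitlines(), 1):
        if CONNSTR_RE.search(line) or REGVAL_RE.search(line):
            found.append(Finding(path, n, redact(line.strip())))
    return found


def scan_tree(root: Path) -> List[Finding]:
    """Recursively scan every file under root whose suffix is in SCAN_SUFFIXES."""
    findings = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in SCAN_SUFFIXES:
            rel = p.relative_to(root).as_posix()
            findings.extend(scan_text(rel, p.read_text(errors="replace")))
    return findings


# Constructed sample files standing in for a real web root and a registry export.
SAMPLE_FILES = {
    "wwwroot/global.asa": (
        '<SCRIPT LANGUAGE=VBScript RUNAT=Server>\n'
        'Sub Application_OnStart\n'
        '    Application("Title") = "Orders"\n'
        '    Application("ConnStr") = "Provider=SQLOLEDB;Data Source=dbhost;UID=sa;PWD=hunter2"\n'
        'End Sub\n'
        '</SCRIPT>\n'
    ),
    "exports/service.reg": (
        'REGEDIT4\n'
        '\n'
        '[HKEY_LOCAL_MACHINE\\SOFTWARE\\ExampleApp\\Service]\n'
        '"ServiceAccount"="EXAMPLE\\\\svc_backup"\n'
        '"ServicePassword"="Winter1999"\n'
        '"LogLevel"=dword:00000002\n'
    ),
}


def demo() -> List[Finding]:
    """Write the constructed samples to a temporary tree, scan it, return findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, content in SAMPLE_FILES.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content)
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.path}:{f.line_no}: {f.snippet}")
```

Run it as a script and it reports two hits, `exports/service.reg:5` and `wwwroot/global.asa:4`, each with the password replaced by `***`. The patterns are deliberately loose; for a review like the one described, a false positive costs a minute while a missed connection string is the whole game, and the redaction means the scanner's output does not itself become another clear-text copy of the secret.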
    
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:20:54 PDT