Dailydave mailing list archives
Anatomy of a slightly better hack
From: Dave Aitel <dave () immunitysec com>
Date: Wed, 06 Jul 2005 10:48:23 -0400
This article, generically titled "Anatomy of a Hack", has been wandering around the net lately. I thought it'd be fun, as a group exercise, to improve on the material. Admittedly, the article is for beginners, but maybe we can change that?

http://www.microsoft.com/technet/technetmag/issues/2005/01/AnatomyofaHack/default.aspx

One thing I notice right away is that the article uses a lot of tools you pretty much have to guess at. What exactly does "DiscoverHosts" do? The figures show you the output - I assume you can download these tools on some MSDN CD or something. I notice he's using Windows to hack with - which is funny, because very few hackers actually use Windows as their desktop - there's no GRSecurity for Windows. :> In any case, it probably would be better if he had used the industry standard nmap to do his scanning, like every other article. Nmap has that neat "resolve all the domain names asynchronously" thing.

The bit about XSS (just below the SQL Injection bit) is oddly placed, considering there's no guarantee this is actually cross site scripting. It might or might not be, but we have no reason to think either way at this point.

After that he uses xp_cmdshell('TFTP') to download netcat to his target, although it would have been a lot cooler if he'd used debug to write a little .com to do that for him. And netcat is so...1980's. These days you can get Hydrogen for free and have some real encryption, file uploading/downloading, for roughly the same size. You could probably upload it via a debug script without having to write a stage0 downloader. Hacking without crypto is lame. I notice he creates a directory c:\warez, which is probably not optimal.

One thing I notice about his dumpinfo tool is that it tells you all the wrong things. Your first job when on a new box is not to find out the users on the box - it's to find out if you were caught and clean up any logs.
He needs to first look at the processes and see if anyone is logged on locally - a screen shot is useful for this. (I know, and you thought CANVAS's screenshot module was just for kicks and grins, didn't you?) "Are people sitting here editing word documents or what?" I'm about to generate a lot of disk activity, and I don't want people to be like "wtf?"

He does do a pretty good job with the shared service accounts gimmick, but he misses that domain tokens can be in all sorts of random processes - the web server is a good one. It's likely the domain admin has been admining his web server lately, and you can hop into that process to check to see if a token is sitting around for the taking.

It's interesting how lucky he gets with LSADump. I never get lucky enough to see anything interesting. Is this true for everyone else too?

Then he...mounts a drive. This is very non-covert. Mounting drives is very suspicious activity, even by windows admin standards. :>

He decides to get logged and go through terminal services so he can do some "GUI hacking". I have no idea why he thinks this is a good idea, but I guess it makes for flashier screenshots. Having Hydrogen instead of netcat would make using socketpipe unnecessary.

I notice he's careful to avoid saying which password cracker he uses - I assume john the ripper or l0phtcrack.

Anyways, just some thoughts. Back to haxing.

-dave