Dailydave mailing list archives

Anatomy of a slightly better hack


From: Dave Aitel <dave () immunitysec com>
Date: Wed, 06 Jul 2005 10:48:23 -0400


This article, generically titled "Anatomy of a Hack" has been wandering
around the net lately. I thought it'd be fun, as a group exercise, to
improve on the material. Admittedly, the article is for beginners, but
maybe we can change that?

http://www.microsoft.com/technet/technetmag/issues/2005/01/AnatomyofaHack/default.aspx

One thing I notice right away is that the article uses a lot of tools you
pretty much have to guess at. What exactly does "DiscoverHosts" do? The
figures show you the output - I assume you can download these tools on
some MSDN CD or something.

I notice he's using Windows to hack with - which is funny, because very
few hackers actually use Windows as their desktop - there's no
GRSecurity for Windows. :>

In any case, it probably would be better if he had used the industry
standard nmap to do his scanning, like every other article. Nmap has
that neat "resolve all the domain names asynchronously" thing.

The bit about XSS (just below the SQL Injection bit) is oddly placed,
considering there's no guarantee this is actually cross site scripting.
It might or might not be, but we have no reason to think either way at
this point.

After that he uses xp_cmdshell('TFTP') to download netcat to his target,
although it would have been a lot cooler if he'd used debug to write a
little .com to do that for him. And netcat is so... 1980s. These days
you can get Hydrogen for free and have some real encryption, file
uploading/downloading, for roughly the same size. You could probably
upload it via a debug script without having to write a stage0
downloader. Hacking without crypto is lame. I notice he creates a
directory c:\warez, which is probably not optimal.

One thing I notice about his dumpinfo tool is that it tells you all the
wrong things. Your first job when on a new box is not to find out the
users on the box - it's to find out if you were caught and clean up any
logs. He needs to first look at the processes and see if anyone is
logged on locally - a screen shot is useful for this. (I know, and you
thought CANVAS's screenshot module was just for kicks and grins, didn't
you?)  "Are people sitting here editing word documents or what?" I'm
about to generate a lot of disk activity, and I don't want people to be
like "wtf?"

He does do a pretty good job with the shared service accounts gimmick,
but he misses that domain tokens can be in all sorts of random processes
- the web server is a good one. It's likely the domain admin has been
admining his web server lately, and you can hop into that process to
check to see if a token is sitting around for the taking.

It's interesting how lucky he gets with LSADump. I never get lucky
enough to see anything interesting. Is this true for everyone else too?

Then he...mounts a drive. This is very non-covert. Mounting drives is
very suspicious activity, even by windows admin standards. :>

He decides to get logged and go through terminal services so he can do
some "GUI hacking". I have no idea why he thinks this is a good idea,
but I guess it makes for flashier screenshots.  Having Hydrogen instead
of netcat would make using socketpipe unnecessary.

I notice he's careful to avoid saying which password cracker he uses - I
assume john the ripper or l0phtcrack.

Anyways, just some thoughts. Back to haxing.

-dave
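The debug trick mentioned in the post, as an added example that is not part of the original message or of the TechNet article it discusses: a generator that turns an arbitrary binary into a DEBUG.EXE script (n / e / rcx / w / q), plus a parser that reassembles the file such a script would write, which is the check a responder wants when one of these scripts turns up in an xp_cmdshell command line or a web log. The payload bytes, the output filename and the 64 KiB single-segment limit are constructed assumptions; the script format itself is the standard 16-bit DEBUG command syntax.

```python
"""Build and reverse DEBUG.EXE scripts that write a binary to disk.

Added example (not from the post). DEBUG enters bytes at CS:0100, takes
the byte count from CX (rcx, then the value on the next line), and writes
the file named by 'n'. A plain script can only address one 64 KiB segment,
so payloads above 0xFF00 bytes are rejected here; 16-bit debug.exe is also
absent from 64-bit Windows, which is the practical limit of the trick today.
"""

MAX_DEBUG_PAYLOAD = 0xFF00   # 0x10000 - 0x100: bytes reachable from offset 0100h
_LOAD_OFFSET = 0x100         # where DEBUG places data it 'e'nters for a .com file
_BYTES_PER_LINE = 16         # keeps each 'e' line short enough for any shell


def make_debug_script(payload: bytes, filename: str) -> str:
    """Return a CRLF-terminated DEBUG script that writes `payload` to `filename`."""
    if not payload:
        raise ValueError("empty payload")
    if len(payload) > MAX_DEBUG_PAYLOAD:
        raise ValueError(
            f"payload is {len(payload)} bytes; a single-segment script "
            f"can write at most {MAX_DEBUG_PAYLOAD}"
        )
    lines = [f"n {filename}"]
    for off in range(0, len(payload), _BYTES_PER_LINE):
        chunk = payload[off:off + _BYTES_PER_LINE]
        hexbytes = " ".join(f"{b:02X}" for b in chunk)
        lines.append(f"e {_LOAD_OFFSET + off:04X} {hexbytes}")
    lines += ["rcx", f"{len(payload):X}", "w", "q"]
    return "\r\n".join(lines) + "\r\n"


def parse_debug_script(script: str) -> tuple[str, bytes]:
    """Reconstruct (filename, bytes) a DEBUG script would write.

    Handles the commands make_debug_script emits plus hand-written variants
    (lower/upper case, no leading zeros on addresses). Gaps between 'e'
    ranges read back as zero, which is what DEBUG would write for memory it
    never touched only if that memory happened to be clear; the parser makes
    that assumption explicit rather than guessing.
    """
    name = None
    count = None
    mem: dict[int, int] = {}
    it = iter(script.splitlines())
    for raw in it:
        line = raw.strip()
        if not line:
            continue
        cmd, _, rest = line.partition(" ")
        cmd = cmd.lower()
        if cmd == "n":
            name = rest.strip()
        elif cmd == "e":
            addr_s, *hexs = rest.split()
            addr = int(addr_s, 16)
            for i, h in enumerate(hexs):
                mem[addr + i] = int(h, 16)
        elif cmd == "rcx":
            count = int(next(it).strip(), 16)   # DEBUG reads the new CX from the next line
        elif cmd in ("w", "q"):
            continue
        else:
            raise ValueError(f"unsupported DEBUG command: {line!r}")
    if name is None or count is None:
        raise ValueError("script does not name an output file or set CX")
    data = bytes(mem.get(_LOAD_OFFSET + i, 0) for i in range(count))
    return name, data


if __name__ == "__main__":
    # Constructed sample payload: not a real tool, just bytes to round-trip.
    sample = bytes(range(256)) * 2 + b"\xAB\xCD"
    script = make_debug_script(sample, "nc.com")
    print(script[:120] + "...")
    recovered_name, recovered = parse_debug_script(script)
    print(recovered_name, recovered == sample)
```

The parser is the more useful half for a defender: a DEBUG script found on a compromised SQL Server can be turned back into the dropped binary without executing anything, so it can be hashed and inspected offline.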

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
