Expose the Vulnerability Paul Hogan Ward Solutions
Session Prerequisites
Hands-on experience with Windows 2000 or Windows Server 2003
Working knowledge of networking, including basics of security
Basic knowledge of network security-assessment strategies
Level 300
Anatomy of a Hack
Information Gathering / Profiling: nslookup, whois
Probe / Enumerating: Superscan, nmap, nessus, nikto, banner grabbing, OS fingerprinting
Attack: Unicode directory traversal
Advancement
Entrenchment
Infiltration / Extraction
Simple Command Line Utilities
net view \\172.16.10.5
net use \\172.16.10.5
net use \\172.16.10.5 "" /u:""  (red button vulnerability)
net view \\172.16.10.5
nbtstat -A 172.16.10.5
nbtscan -r 172.16.10.0/24
net use \\172.16.10.5 "" /u:guest
Overview
Name: Microsoft IIS 4.0/5.0 Extended Unicode Directory Traversal Vulnerability (BugTraq ID 1806)
Operating System: Windows NT 4.0 (+ IIS 4.0) and Windows 2000 (+ IIS 5.0)
Brief Description: A particular type of malformed URL could be used to access files and directories beyond the web folders. This would potentially enable a malicious user to gain privileges commensurate with those of a locally logged-on user. Gaining these permissions would enable the malicious user to add, change or delete data, run code already on the server, or upload new code to the server and run it.
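The check the server side has to get right for this class of bug, as an added example for these slides (not Ward Solutions' code and not IIS's): percent-decode once, decode UTF-8 strictly so overlong forms are rejected, normalise, and only then verify the path is still under the web root. The web root, the log format and the log lines are constructed for the example.

```python
import posixpath
from urllib.parse import unquote_to_bytes

# Assumed web root for the example (not taken from the slides).
WEB_ROOT = "/inetpub/wwwroot"


def resolve_request_path(uri_stem: str, web_root: str = WEB_ROOT):
    """Map a request path onto the filesystem, or return None if it must be rejected.

    Decode exactly once and strictly, then run the traversal check on the
    normalised result; the vulnerable decoder accepted overlong UTF-8 after
    the traversal check had already passed.
    """
    raw = unquote_to_bytes(uri_stem)          # %XX -> bytes, a single pass
    try:
        decoded = raw.decode("utf-8")         # strict: overlong forms such as %c0%af raise
    except UnicodeDecodeError:
        return None
    if "\x00" in decoded or "%" in decoded:   # embedded NUL, or a second encoding layer left over
        return None
    decoded = decoded.replace("\\", "/")      # Windows treats either separator the same
    full = posixpath.normpath(posixpath.join(web_root, decoded.lstrip("/")))
    if full != web_root and not full.startswith(web_root + "/"):
        return None                            # normalised path escaped the web root
    return full


# Constructed W3C-style log lines: "date time c-ip cs-method cs-uri-stem sc-status"
SAMPLE_LOG = """\
2003-05-01 10:00:01 192.0.2.10 GET /default.htm 200
2003-05-01 10:00:02 192.0.2.11 GET /scripts/../../secret.txt 404
2003-05-01 10:00:03 192.0.2.12 GET /scripts/..%c0%af../secret.txt 200
2003-05-01 10:00:04 192.0.2.13 GET /images/logo%2egif 200
"""


def suspicious_requests(log_text: str, web_root: str = WEB_ROOT):
    """Return (client ip, uri stem) for every logged request that fails the strict check."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        client, uri_stem = fields[2], fields[4]
        if resolve_request_path(uri_stem, web_root) is None:
            hits.append((client, uri_stem))
    return hits
```

Running `suspicious_requests(SAMPLE_LOG)` over existing IIS logs is a cheap way to find past traversal attempts on a server that was unpatched at the time.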
Impacts
If the e-business web server is compromised, the backend database server is under threat too:
Trust relationship
Same passwords
Database connection pools
The web server and database server can be used as a relay to connect the outside machine with the internal machines. The firewall is then circumvented.
If the compromised web server is a site for software distribution, Trojans or zombie code can be added to the downloadable software, giving the attacker control of every machine that downloads software from that website.
Solutions
Install patches as soon as possible
Patch Management: SMS/SUS/MBSA
Disable NetBIOS over TCP/IP
Be sure that the IUSR_machinename account does not have write access to any files on the server
How To Get Your Network Hacked In 10 Easy Steps
1. Don’t patch anything
2. Run unhardened applications
3. Log on everywhere as a domain admin
4. Open lots of holes in the firewall
5. Allow unrestricted internal traffic
6. Allow all outbound traffic
7. Don’t harden servers
8. Use lame passwords
9. Use high-level service accounts, in multiple places
10. Assume everything is OK
The moral
Initial entry is everything
Most networks are designed like eggshells: hard and crunchy on the outside, soft and chewy on the inside
Once an attacker is inside the network you can…
Update your resume
Hope he does a good job running it
Drain the network