The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers (34 page)


Authors: Kevin D. Mitnick,William L. Simon



They then uploaded other hacking tools, including the popular networking tool netcat, a very useful utility for setting up a command shell that listens on an incoming port. They also uploaded an exploit tool called HK that exploited a vulnerability in older versions of Windows NT to obtain system administrator privileges.

They uploaded another simple script to run the HK exploit and then used netcat to open a shell connection back to themselves, enabling them to enter commands on the target machine, much like getting a "DOS prompt" in the days of the DOS operating system. "We tried to initiate an outgoing connection from the internal web server to our computer on the DMZ," Louis explained. "But that didn't work, so we had to use a technique called 'port barging.'" After executing the HK program to gain privileges, they configured netcat to listen on port 80, temporarily "barging" the IIS server out of the way and watching for the first incoming connection to port 80.

Louis explained barging by saying, "You essentially temporarily push IIS out of the way, to steal a shell, and allow IIS to sneak back in at the same time you maintain access to your shell." In the Windows environment, unlike Unix-type operating systems, it's permissible to have two programs use the same port simultaneously. An attacker can take advantage of this feature by finding a port that's not filtered by the firewall and then "barging" onto the port.

That's what Louis and Brock did. The shell access they already had on the IIS host was limited to the rights permitted to the account that the Web server was running under. So they ran HK and netcat, and were able to gain full system privileges -- running as the system user, which is the highest privilege on the operating system. Using standard methodologies, this access would allow them to get full control of the target's Windows environment.

The server was running Windows NT 4.0. The attackers wanted to get a copy of the Security Accounts Manager (SAM) file, which contained the details of user accounts, groups, policies, and access controls. Under this older version of the operating system, they ran the "rdisk /s" command to make an emergency repair disk. This program initially creates several files in a directory named "repair." Among the files was an updated version of the SAM file that contained the password hashes for all the accounts on the server. Earlier, Louis and Brock had recovered the PWL file containing sensitive passwords from a security guard's laptop; now they were extracting the encrypted passwords of users on one of the servers of the company itself. They simply copied this SAM file into the webroot of the Web server. "Then, using a web browser, we retrieved it from the server to our machine back in our office."

When they had cracked the passwords from the SAM file, they noticed that there was another administrator account on the local machine, different from the built-in administrator account.

After I believe it was a couple of hours of cracking, we were able to crack the password for this account and then attempt to authenticate it to the primary domain controller. And we discovered that the local account that had administrator rights on the web server we hacked also had the same password on the domain! The account also had domain administrator rights. So there was a local administrator account on the web server that had the same name as a domain administrator account for the entire domain, and the password for both of those accounts was also the same. It was obviously an administrator being lazy and setting up a second account with the same name as the administrator account on the local system, and giving it the same password.

Step-by-step. The local account was simply an administrator on the Web server and didn't have privileges to the entire domain. But by recovering the password on that local Web server account, thanks to a careless, lazy administrator, they were now able to compromise the domain administrator account. The responsibility of a domain administrator is to administer or manage an entire domain, as distinguished from being an administrator on your local desktop or laptop (single machine). In Louis's view, this administrator wasn't an exception.

This is a common practice we see all the time. A domain administrator will create local accounts on their machine on the network, and use the same password for their accounts with domain administrator privileges. And that means the security at each one of those local systems can be used to compromise the security of the entire domain.
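The password reuse Louis describes is something an administrator can audit for before an attacker finds it: if the hash of a local account on any member server equals the hash of a domain administrator account, a compromise of that one host becomes a compromise of the domain. The script below is an added example, not code from the book; it works on a constructed list of account records with placeholder hash strings (not real NT hashes), standing in for what an authorized audit would extract from the SAM databases and the domain controller.

```python
"""Audit for password reuse between local and domain accounts.

Added example (not from the book). Each account record carries a scope
("local:<host>" or "domain:<name>"), an account name and a password hash.
The hash values below are constructed placeholder strings, not real NT
hashes; in a real audit they would come from an authorized extraction of
the SAM databases and the domain controller's directory.
"""
from collections import defaultdict

# Constructed sample data: three local accounts and two domain accounts.
SAMPLE_ACCOUNTS = [
    {"scope": "local:WEBSRV01",  "name": "Administrator", "hash": "aaaa0001"},
    {"scope": "local:WEBSRV01",  "name": "jsmith",        "hash": "bbbb0002"},
    {"scope": "domain:CORP",     "name": "jsmith",        "hash": "bbbb0002"},
    {"scope": "domain:CORP",     "name": "Administrator", "hash": "cccc0003"},
    {"scope": "local:FILESRV02", "name": "svc_backup",    "hash": "dddd0004"},
]


def find_cross_scope_reuse(accounts):
    """Return [(hash, [(scope, name), ...]), ...] for every hash that appears
    in more than one scope. Reuse inside a single scope is also worth
    reporting, but the cross-scope case is the one that turns a single
    host compromise into a domain compromise."""
    by_hash = defaultdict(list)
    for acct in accounts:
        by_hash[acct["hash"]].append((acct["scope"], acct["name"]))
    findings = []
    for h, users in sorted(by_hash.items()):
        scopes = {scope for scope, _ in users}
        if len(scopes) > 1:
            findings.append((h, sorted(users)))
    return findings


def hosts_exposing_domain_admins(accounts, domain_admins):
    """Return {host: [domain admin names]} for every host on which some
    local account carries the same hash as a domain administrator."""
    admin_hashes = {}
    for acct in accounts:
        if acct["scope"].startswith("domain:") and acct["name"] in domain_admins:
            admin_hashes.setdefault(acct["hash"], set()).add(acct["name"])
    exposed = defaultdict(set)
    for acct in accounts:
        if acct["scope"].startswith("local:") and acct["hash"] in admin_hashes:
            host = acct["scope"].split(":", 1)[1]
            exposed[host].update(admin_hashes[acct["hash"]])
    return {host: sorted(names) for host, names in exposed.items()}


if __name__ == "__main__":
    for h, users in find_cross_scope_reuse(SAMPLE_ACCOUNTS):
        print(f"hash {h} shared by: {users}")
    # Constructed assumption: jsmith is a member of Domain Admins.
    for host, admins in hosts_exposing_domain_admins(SAMPLE_ACCOUNTS, {"jsmith"}).items():
        print(f"{host}: a local account shares a password with domain admin(s) {admins}")
```

Run as a scheduled job over every member server, the second function gives the list of hosts where the story's escalation path exists; the fix is to remove the duplicated account or give it a different password, and to keep domain administrators from logging on to member servers with their privileged credentials at all.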

Goal Achieved

Getting closer. Louis and Brock saw that they could now gain full control over the application server and the data contained on it. They obtained the IP address used to connect to the application server from the security guard's laptop. From this, they realized the application server was on the same network, which was likely part of the same domain. At last, they had full control over the entire company's operations.

Now we had reached right to the heart of the business. We could change orders on that application server, so we could get the guards to deliver money to where we said. We could essentially issue orders to the guards like, "Pick up money from this business and drop off at this address," and you're waiting there to get it when they arrive.

Or "Pick up this prisoner A, take him to this location, deliver him to the custody of this person," and you've just gotten your cousin's best friend out of jail.

Or a terrorist.

They had in their hands a tool for getting rich, or creating havoc. "It was kind of shocking because they didn't see the possibility of what could have happened had we not brought this to their attention," Louis says.

What that company considers "security," he believes, "is actually suspect security."

INSIGHT

Louis and Brock did not enrich themselves from the power they held in their hands, and they didn't issue orders to have any prisoners released or transferred. Instead, they provided the company a full report of what they had discovered.

From the sound of it, the company had been seriously remiss. They hadn't gone through a risk analysis step-by-step -- "If the first machine gets compromised, what could a hacker do from that point?" and so on. They considered themselves secure because with a few configuration changes, they could close the gap Louis had pointed out. Their assumption was that there weren't other faults except this one that Louis and Brock had managed to find and use.

Louis sees this as a common arrogance within the business sector -- an outsider can't come along and preach security to them. Company IT people don't mind being told about a few things that need to be fixed, but they won't accept anyone telling them what they need to do. They think they know it already. When a breach occurs, they figure they just dropped the ball on this one occasion.

COUNTERMEASURES

As in so many of the stories in this book, the attackers here did not find many security flaws in their target company, yet the few they found were enough to allow them to own the company's entire domain of computer systems that were essential to business operations. Following are some lessons worth noting.

Temporary Workarounds

At some time in the past, the 3COM device had been plugged directly into the serial port of the Cisco router. While the pressure of answering immediate needs may justify temporary technology shortcuts, no company can afford to let "temporary" become "forever." A schedule should be set up for checking the configuration of the gateway devices through physical and logical inspection, or by using a security tool that continually monitors whether the open ports on each host or device are in accordance with company security policy.

Using High Ports

The security company had configured a Cisco router to allow remote connections over a high port, presumably in the belief that a high port would be obscure enough never to be stumbled upon by an attacker -- another version of the "security through obscurity" approach.

We've already addressed more than once in these pages the folly of any security decision based on this attitude. The stories in this book demonstrate again and again that if you leave a single gap, some attacker will sooner or later find it. The best security practice is to ensure that the access points of all systems and devices, obscure or not, are filtered from any untrusted network.
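The two lessons above (a "temporary" console connection that was never removed, and a management service hidden on a high port) are both caught by the same control: a scheduled comparison of what is actually listening on each gateway host against the ports policy says it may expose. The script below is an added example, not code from the book or from any product it mentions; the observed ports are constructed sample data standing in for the output of a periodic scan, and the policy table and host names are assumptions made for the example.

```python
"""Compare observed listening ports against a per-host allow-list.

Added example (not from the book). POLICY maps each gateway or DMZ host
to the ports it is permitted to expose toward untrusted networks;
OBSERVED is constructed sample data standing in for a scheduled scan.
Every listener outside the policy is reported, listeners above 1024 are
flagged separately as the classic "temporary" management access that
was never removed, and expected services that have gone missing are
reported too, since a silently dead service is also a policy deviation.
"""

# Assumed policy for the example: host -> ports allowed to be exposed.
POLICY = {
    "gw-router": {22},        # management from the inside only
    "dmz-web":   {80, 443},
    "dmz-mail":  {25, 587},
}

# Constructed scan results: host -> ports found listening.
OBSERVED = {
    "gw-router": {22, 2001},  # 2001: constructed stand-in for a forgotten console line
    "dmz-web":   {80},        # 443 not answering
    "dmz-mail":  {25, 587, 3389},
    "dmz-ftp":   {21},        # host with no policy entry at all
}


def check_ports(policy, observed, high_port_floor=1024):
    """Return findings as a list of (host, port, reason) tuples."""
    findings = []
    for host in sorted(observed):
        allowed = policy.get(host)
        for port in sorted(observed[host]):
            if allowed is None:
                findings.append((host, port, "host not in policy"))
            elif port not in allowed:
                reason = "unapproved listener"
                if port >= high_port_floor:
                    reason += " on high port"
                findings.append((host, port, reason))
    # Services the policy expects but the scan did not see.
    for host in sorted(policy):
        if host in observed:
            for port in sorted(policy[host] - observed[host]):
                findings.append((host, port, "expected service missing"))
    return findings


if __name__ == "__main__":
    for host, port, reason in check_ports(POLICY, OBSERVED):
        print(f"{host}:{port} - {reason}")
```

In practice the OBSERVED table would be filled from a scanner run from the untrusted side of each gateway, so that the check reflects what an outsider can reach rather than what the device's own configuration claims; any finding should be cleared by either removing the listener or adding it to policy with a recorded justification, never by leaving it as "temporary."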

Passwords

Once again, all default passwords for any device should be changed prior to the system or device going into production. Even the technical white-belts know this common oversight and how to exploit it. (Several sites on the Web, such as www.phenoelit.de/dpl/dpl.html, provide a list of default usernames and passwords.)

Securing Personnel Laptops

The systems being used by the company's remote workers were connecting to the corporate network with little or no security, a situation that is all too common. One client even had PC Anywhere configured to allow remote connections without even requiring a password. Even though the computer was connecting to the Internet via dial-up, and only for very limited periods of time, each connection created a window of exposure. The attackers were able to remotely control the machine by connecting to the laptop running PC Anywhere. And because it had been set up without requiring a password, attackers were able to hijack the user's desktop just by knowing the IP address.

IT policy drafters should consider a requirement that client systems maintain a certain level of security before being allowed to connect to the corporate network. Products are available that install agents onto the client systems to ensure security controls are commensurate with company policy; otherwise, the client system is denied access to corporate computing resources. The bad guys are going to analyze their targets by examining the whole picture. This means trying to identify whether any users connect remotely, and if so, the origin of those connections. The attacker knows if he or she can compromise a trusted computer that is used to connect to the corporate network, it's highly likely that this trust relationship can be abused to gain access to corporate information resources.

Even when security is being well handled within a company, there is too often a tendency to overlook the laptops and home computers used by employees for accessing the corporate network, leaving an opening that attackers can take advantage of, as happened in this story. Laptops and home computers that connect to the internal network must be secure; otherwise, the employee's computer system may be the weak link that's exploited.

Authentication

The attackers in this case were able to extract the authentication information from the client's system without being detected. As has been pointed out repeatedly in earlier chapters, a stronger form of authentication will stop most attackers dead in their tracks, and companies should consider using dynamic passwords, smart cards, tokens, or digital certificates as a means of authentication for remote access into VPNs or other sensitive systems.

Filtering Unnecessary Services

IT staff should consider creating a set of filtering rules to control both incoming and outgoing connections to specific hosts and services from untrusted networks such as the Internet, as well as from semi-trusted (DMZ) networks within the company.

Hardening

The story also provides a reminder of an IT staff that did not bother to harden the computer systems connected to the internal network, or keep up-to-date with security patches, presumably because of the perception that the risk of being compromised was low. This common practice gives the bad guys an advantage. Once the attacker finds a way to access a single internal unsecured system and is able to successfully compromise it, the door is open for expanding illicit access to other systems that are trusted by the compromised computer. Again, simply relying on the perimeter firewall to keep the hackers at bay without bothering to harden the systems connected to the corporate network is like piling all your wealth in $100 bills on the dining room table and figuring you're safe because you keep the front door locked.

THE BOTTOM LINE

Since this is the last chapter on stories that illustrate technical-based attacks, it seems like a good place for a few words of recap.

If you were asked to name important steps to defend against the most common vulnerabilities that allow attackers to gain entry, based on the stories in this book, what would some of your choices be?

Please think about your answer briefly before reading on; then go to the next page.

Whatever items you came up with as some of the most common vulnerabilities described in this book, I hope you remembered to include at least some of these:

- Develop a process for patch management to ensure that all the necessary security fixes are applied in a timely manner.

- For remote access to sensitive information or computing resources, use stronger authentication methods than are provided by static passwords.

- Change all default passwords.

- Use a defense-in-depth model so that a single point of failure does not jeopardize security, and routinely test this model on a regular basis.

- Establish a corporate security policy concerning the filtering of both incoming and outgoing traffic.

- Harden all client-based systems that access sensitive information or computing resources. Let's not forget that the persistent attacker also targets client systems to either hijack a legitimate connection or to exploit a trusted relationship between the client system and the corporate network.

- Use intrusion-detection devices to identify suspicious traffic or attempts to exploit known vulnerabilities. Such systems may, as well, identify a malicious insider or an attacker who
