How Hackers Work


Hackers start by learning that an e-mail server exists, which generic scanning tools can tell them. Coupled with the public information of your Domain Name System (DNS) records, hackers can quickly know a lot about your network.

Finding company information is easy for anyone. You can do it. Simply open a command prompt and type nslookup. Set the type of the record you’re looking for to a mail exchanger (MX) record by typing set type=mx. Enter a domain name. In our example, we’ll type in Microsoft.com. Figure 24-1 gives us the results.

Figure 24-1: Using the NSLookup tool to find the public MX records for Microsoft.com.

Next, the hacker determines the platform of your SMTP server in one of two ways. In the first approach, the hacker can use Telnet to open a session to your server over port 25 and then read the banner, which by default includes the version of the Exchange server you’re running (Figure 24-2). Notice that the software version is displayed in the banner. The main version number, 6.0, means Exchange Server 2003. An Exchange 2000 Server registers with a main version number of 5.0. A SendMail server has its name and the version of SendMail software used by the company displayed in the header as well as the operating system (OS).

Figure 24-2: Opening a Telnet session to the Tucson server running Exchange Server 2003.

The second way to determine your e-mail server platform is to send a bogus e-mail to your server. This is accomplished by sending a message to an unlikely e-mail address such as lskdfjsliej34@trainsbydave.com. The non-delivery report (NDR) returned will have the e-mail server information in its header. The following sample is the header of a message we sent to our own Exchange server at Networknowledge.com. Notice that the platform and version of the Exchange server are embedded in the message header (look for the X-MimeOLE line):

Received: by snoopy.networknowledge.com
    id <01C344CB.DE8D6CE0@snoopy.networknowledge.com>; Mon, 7 Jul 2003 16:08:09 -0500
X-DSNContext: 335a7efd - 4457 - 00000001 - 80040546
content-class: urn:content-classes:dsn
Subject: Undeliverable: test
MIME-Version: 1.0
Content-Type: multipart/report;
    report-type=delivery-status;
    boundary="----_=_NextPart_001_01C344CB.DE8D6CE0"
Date: Mon, 7 Jul 2003 16:08:09 -0500
Message-ID: <byVPMZ7VY0000000a@snoopy.networknowledge.com>
X-MS-Has-Attach: yes
X-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0
X-MS-TNEF-Correlator:
Thread-Topic: test
Thread-Index: AcNEy94N8s377i5iQE+RNH2oOBoKPgAAACD7
From: "System Administrator" <postmaster@networknowledge.com>
To: "Aenglish" Administrator@networknowledge.com

This is a multi-part message in MIME format.
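Both disclosure paths described above (the port 25 greeting and the NDR header) can be checked from the defender's side with a small script. The following is an added example, not code from the book or from Microsoft: it parses a constructed greeting line (the host name is a placeholder and the banner wording is an assumption about the default Windows SMTP service greeting) together with the NDR header reproduced above, and reports which headers carry a version string, which product that version maps to according to the chapter (6.0 is Exchange Server 2003, 5.0 is Exchange 2000 Server), and which internal host names the Received line exposes.

```python
"""Audit the platform details an SMTP greeting and an NDR give away.

Added example (not code from the book or from Microsoft). It parses a
constructed greeting line and the NDR header reproduced in the chapter and
reports what a defender should know is visible to anyone who connects to
port 25 or sends mail to a non-existent address.
"""
import re
from email import message_from_string

# Major version to product mapping as stated in the chapter:
# 6.0 is Exchange Server 2003, 5.0 is Exchange 2000 Server.
EXCHANGE_MAJOR_VERSIONS = {"6.0": "Exchange Server 2003", "5.0": "Exchange 2000 Server"}

# Constructed sample greeting. The host name is a placeholder and the wording
# is an assumption about the default Windows SMTP service banner.
SAMPLE_BANNER = ("220 tucson.example.com Microsoft ESMTP MAIL Service, "
                 "Version: 6.0.3790.0 ready at Mon, 7 Jul 2003 16:08:09 -0500")

# NDR header from the chapter, abridged and reflowed one field per line.
SAMPLE_NDR = """\
Received: by snoopy.networknowledge.com
 id <01C344CB.DE8D6CE0@snoopy.networknowledge.com>; Mon, 7 Jul 2003 16:08:09 -0500
X-DSNContext: 335a7efd - 4457 - 00000001 - 80040546
content-class: urn:content-classes:dsn
Subject: Undeliverable: test
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
 boundary="----_=_NextPart_001_01C344CB.DE8D6CE0"
Date: Mon, 7 Jul 2003 16:08:09 -0500
Message-ID: <byVPMZ7VY0000000a@snoopy.networknowledge.com>
X-MS-Has-Attach: yes
X-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0
From: "System Administrator" <postmaster@networknowledge.com>
To: Administrator@networknowledge.com

This is a multi-part message in MIME format.
"""

# Matches "Version: 6.0.3790.0" in a greeting and "V6.0.6249.0" in X-MimeOLE.
VERSION_RE = re.compile(r"\bV(?:ersion:\s*)?(\d+(?:\.\d+)+)")
# Host names named in Received: lines ("by host" / "from host").
HOST_RE = re.compile(r"\b(?:by|from)\s+([A-Za-z0-9.-]+)")


def exchange_product(version):
    """Map a full version string to a product name via its major.minor part."""
    major = ".".join(version.split(".")[:2])
    return EXCHANGE_MAJOR_VERSIONS.get(major, "unknown (major version " + major + ")")


def inspect_banner(banner):
    """Report whether the greeting discloses a software version, and which."""
    match = VERSION_RE.search(banner)
    version = match.group(1) if match else None
    return {
        "discloses_version": version is not None,
        "version": version,
        "product": exchange_product(version) if version else None,
    }


def inspect_ndr(raw_message):
    """Report version-bearing headers and internal host names in an NDR."""
    msg = message_from_string(raw_message)
    leaking = {}
    for name, value in msg.items():
        match = VERSION_RE.search(value)
        if match:
            leaking[name] = match.group(1)
    hosts = []
    for received in msg.get_all("Received") or []:
        hosts.extend(HOST_RE.findall(received))
    version = leaking.get("X-MimeOLE")
    return {
        "leaking_headers": leaking,
        "product": exchange_product(version) if version else None,
        "internal_hosts": hosts,
    }


if __name__ == "__main__":
    print(inspect_banner(SAMPLE_BANNER))
    print(inspect_ndr(SAMPLE_NDR))
```

Run it against a greeting captured from your own server and an NDR your server sent you; any non-empty "leaking_headers" or "internal_hosts" entry is information an outsider gets for free, and a greeting whose "discloses_version" is true is the banner the chapter describes.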

Now that the hacker knows which e-mail server software you’re running, he or she checks known databases to find vulnerabilities to exploit. The known vulnerabilities for Exchange Server 2003 are listed in Microsoft’s Security Bulletins and can be found at www.microsoft.com/security. Some of the vulnerabilities will involve Microsoft Internet Information Services (IIS) because IIS manages the SMTP service for Exchange. Other vulnerabilities will involve Microsoft Outlook Web Access (OWA), again because of the involvement of IIS managing the HTTP connectivity to the Exchange server. At a minimum, you should be aware of any vulnerabilities that exist for Exchange Server 2003 and, when the patches are released, test and install them.

Generally speaking, the e-mail administrator can expect the following kinds of attacks:

  • Buffer overflows Buffer overflows send a larger quantity of data to the server than is anticipated. Depending on how the overflow is executed, it could cause the server to stop working or it might run malicious code from the attacker.

  • Data processing errors These are not common currently, but the concept is that a small program is sent directly to the server and the server runs it. More common today is sending these programs to a network through e-mail as attachments. Depending on their function and purpose, these programs can be viruses, Trojans, or worms (discussed at length later in this chapter).

  • HTML viruses These run scripts embedded in HTML content without requiring any user intervention.

  • Custom programs written to run against port 25 (SMTP) The more common types of programs that attack port 25 include e-mail flooding programs or programs that contain their own SMTP engine that will use the port for their own malicious purposes.
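The e-mail flooding programs mentioned in the last bullet leave a recognisable trace: many connections from one source in a short time. The following is an added example, not code from the book, showing the detection logic a mail administrator can run over connection logs. The log lines are constructed and use a simplified one-connection-per-line layout (date, time, client IP, event) that is not any vendor's exact log format; the parse_log() function is where you would map your own server's fields.

```python
"""Flag port-25 connection floods in SMTP connection logs.

Added example (not code from the book). The log lines are constructed and
use a simplified one-connection-per-line layout (date, time, client IP,
event) that is not any vendor's exact log format; map your server's own
fields onto parse_log() before running it on real logs.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: 192.0.2.10 behaves normally; 198.51.100.7 opens twelve
# connections in about twenty seconds, which is what a flooding tool looks like.
SAMPLE_LOG = """\
2003-07-07 16:08:01 192.0.2.10 CONNECT
2003-07-07 16:08:00 198.51.100.7 CONNECT
2003-07-07 16:08:02 198.51.100.7 CONNECT
2003-07-07 16:08:04 198.51.100.7 CONNECT
2003-07-07 16:08:06 198.51.100.7 CONNECT
2003-07-07 16:08:08 198.51.100.7 CONNECT
2003-07-07 16:08:10 198.51.100.7 CONNECT
2003-07-07 16:08:12 198.51.100.7 CONNECT
2003-07-07 16:08:14 198.51.100.7 CONNECT
2003-07-07 16:08:16 198.51.100.7 CONNECT
2003-07-07 16:08:18 198.51.100.7 CONNECT
2003-07-07 16:08:20 198.51.100.7 CONNECT
2003-07-07 16:08:22 198.51.100.7 CONNECT
2003-07-07 16:09:30 192.0.2.10 QUIT
2003-07-07 16:10:30 192.0.2.10 CONNECT
2003-07-07 16:15:00 192.0.2.10 CONNECT
"""


def parse_log(text):
    """Return (timestamp, client_ip) for every CONNECT event, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, client_ip, event = line.split()
        if event == "CONNECT":
            stamp = datetime.strptime(date + " " + time, "%Y-%m-%d %H:%M:%S")
            events.append((stamp, client_ip))
    events.sort()
    return events


def find_floods(events, window=timedelta(seconds=60), threshold=10):
    """Return {client_ip: peak} for sources whose connection count inside any
    sliding window of the given length exceeds threshold.

    A deque per source holds the timestamps still inside the window; its
    length after each new event is that source's current rate."""
    recent = defaultdict(deque)
    peaks = defaultdict(int)
    for stamp, client_ip in events:
        queue = recent[client_ip]
        queue.append(stamp)
        while stamp - queue[0] > window:
            queue.popleft()
        peaks[client_ip] = max(peaks[client_ip], len(queue))
    return {ip: peak for ip, peak in peaks.items() if peak > threshold}


if __name__ == "__main__":
    for ip, peak in find_floods(parse_log(SAMPLE_LOG)).items():
        print("flood suspect %s: %d connections within 60 s" % (ip, peak))
```

The threshold and window are deliberately parameters: a relay that legitimately receives bursts from a partner's mail gateway needs a higher threshold than a server that only ever sees a handful of connections per minute, so tune them against a week of your own logs before acting on the output.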

Here are some broad actions you can take to guard against the attacks just described, plus others:

  • Physical access to the server Lock the doors, and use some type of biometric authentication.

  • Viruses, Trojans, and worms Use antivirus software and regularly scan your servers and workstations.

  • Loss of data Perform regular backups.

  • Unauthorized use of user accounts Conduct user training on information security policies and require complex passwords.

  • Denial of service attack Harden the TCP/IP stack and the router.

  • Platform vulnerabilities Install all software patches and practice service minimization (disable every service the server does not need). Microsoft has released excellent free software for deploying its patches to your servers. This software is called Software Update Services (SUS).

    More Info

    A discussion of SUS is outside the scope of this chapter, but you can learn more about SUS on Microsoft’s Web site at www.microsoft.com/windows2000/windowsupdate/sus/default.asp.

The rest of this chapter is intended to help you secure Exchange Server 2003 against these types of attacks. However, before we dive in, let’s briefly discuss physical security of your Exchange server.




Microsoft Exchange Server 2003 Administrator's Companion
ISBN: 0735619794
Year: 2005
Pages: 254
