Solved

vulnerability exploitation basics

Posted on 2012-03-12
12
510 Views
Last Modified: 2012-03-20
Can anyone give me a management style breakdown of how a missing patch on a webserver could lead to compromise of restricted data in a private LAN? And some realistic opinion on whether it would.

Say for example you find apache tomcat is out of date on a public facing web server. Who and how would a user compromise that? And by compromising that exploit on just that web server - so what? What access does this give them and to what, typically.

A manager will say "... well there's no sensitive data housed on this web server - so who cares about this finding". So... if they exploit that missing patch on the web server, what is the typical flow of attack for them to then gain access to the private network? Or is it basically impossible to leverage this new level of access to the internal network?

And realistically how will an out of date apache tomcat version make your internal private network and data at risk? Is this theoretical, or a high possibility? You don't have to go into how to hack detail, just put it in some form of clearer picture how someone (if possible) exploited an out of date apache - could that in turn lead to access to sensitive data housed in the internal LAN?

I'd be very interested to see perhaps the 1-10 steps required to go from anonymous internet user finds out of date software on web server ... user gets access to payroll records in internal private network. It sounds on the outside so far fetched it's untrue but perhaps you can explain it to me in layman's terms as a bit of an eye opener.
Question by:pma111

12 Comments
 
LVL 10

Accepted Solution

by: scriven_j (earned 500 total points)
Well, it very much depends on what the patches that have been missed are for, whether the machine is in a DMZ, if compromising that machine would then give access to other machines / a website and what would be the reputational impact of that.

So one example would be a buffer overflow exploit whereby a string is sent to the server in such a way that it runs a command in a bit of memory which it shouldn't, which could circumvent your security and run a command as administrator.

The command would normally be something that would allow further compromise of the server such as running some hacking tools which would allow a command shell or remote access to the server.

From there, they could do anything from defacing a website (which might give the impression to your customers that their data would not be safe in your possession) to creating new users / running a Root Kit (which basically will replace commands on the machine with their own version), sniffing network traffic, using that as a jumping off point on to other machines in the network.
0
 
LVL 10

Expert Comment

by:scriven_j
Another thing could be that they could then use your machine to do something nefarious, such as storing illegal files / child pornography / copyrighted material or to attack other machines (as part of a Denial of Service attack) for instance.  Although you could probably eventually prove that this was nothing to do with you, again, there could be a reputational risk at the very least.  I'll try to find some relevant links to add some detail to the above.

I have been on an "ethical hacking" course as part of my training and it is very interesting what you can do starting with just one little exploit.
0
 
LVL 10

Expert Comment

by:scriven_j
In answer to whether it is a real or hypothetical risk, it is very real.  The Black Hat community (as they are known) spend a lot of time looking at security flaws and as soon as they are known, tools are developed to compromise them and the process of finding vulnerable machines is automated, so machines are scanning the internet looking for unpatched machines and compromising them.
0
 
LVL 10

Expert Comment

by:scriven_j
These links should help:-

Anatomy of a Hack
http://www.ethicalhacker.net/content/view/8/2/

http://www.zdnet.co.uk/news/it-at-work/2008/01/07/anatomy-of-a-hack-attack-39291953/

Of course, there are other ways of compromising security too and Social Engineering is a big thing now.

Social Engineering

http://www.networkworld.com/news/2009/020409-social-engineering-anatomy-of-a.html
0
 
LVL 10

Expert Comment

by:scriven_j
Hopefully the above answers your questions thoroughly.  Please post back if you need additional information or would like me to elaborate on anything specific.  Just remember your network is only as secure as its weakest link.
0
 
LVL 3

Author Comment

by:pma111
I'm not bothered about website defacement; the managers are more interested in personal data protection. And yes, DMZ web servers, not those in the private network. Again, a 1-10 workflow of a web server missing several various security patches - could/how could that be exploited to get into the private network and sensitive data - and how likely is it to happen. This is theoretical, I just want to understand the process and determine how likely it is.
0
 
LVL 3

Author Comment

by:pma111
I say 1-10 as I assume a missing security patch on a DMZ web server is merely a foothold and one of many required stages and wouldn't give them any access at all in getting to private data in the private network.
0
 
LVL 3

Author Comment

by:pma111
I assume another thing I am getting at is, from a manager's standpoint, is the sensitivity of the first system you exploit irrelevant? For example, say you find a DMZ web server hosting a basic info only website with non sensitive data, no search or login functions etc - does it matter about that system and what data it processes, if the hacker is just after getting a foothold onto the network? I think that's why vuln assessments do themselves a misfavour.

If a manager saw a report that said "multiple vulns on payroll database server" they will likely take more note as opposed to "multiple vulns on web server that hosts John's plant collection website". When in reality the "multiple vulns on web server that hosts John's plant collection website" may be the initial foothold the attacker needed to take advantage later down the line of "multiple vulns on payroll database server".
0
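The point made above, that a low-value DMZ host can be the foothold that matters most, can be put into a small model. This is an added example, not code from the thread: the hosts, sensitivity scores, patch states and connectivity are all constructed, and it ranks each finding by the attack path patching it would cut rather than by the data the host itself stores.

```python
# Added example (not from the thread): rank findings by the attack path they
# open, not by the data the host itself stores. Hosts, sensitivity scores,
# patch state and connectivity below are all constructed for illustration.
from collections import deque

# host -> (zone, has exploitable missing patch, sensitivity of data held 0-10)
HOSTS = {
    "plant-web":   ("dmz",      True,  0),   # John's plant site, Tomcat out of date
    "edge-router": ("dmz",      True,  0),   # old firmware, default credentials
    "dc01":        ("internal", False, 5),   # domain controller, fully patched
    "payroll-db":  ("internal", True,  10),  # what the managers actually care about
}
# who can open connections to whom ("internet" is the anonymous attacker)
REACH = {
    "internet":    ["plant-web"],
    "plant-web":   ["edge-router"],
    "edge-router": ["dc01", "payroll-db"],
    "dc01":        ["payroll-db"],
}

def attacker_reach(patched=frozenset()):
    """Hosts an attacker starting on the internet can take, moving only onto
    hosts that still have an exploitable missing patch."""
    taken, queue = set(), deque(["internet"])
    while queue:
        cur = queue.popleft()
        for nxt in REACH.get(cur, []):
            if nxt in taken or nxt in patched or not HOSTS[nxt][1]:
                continue
            taken.add(nxt)
            queue.append(nxt)
    return taken

def max_sensitivity(hosts):
    return max((HOSTS[h][2] for h in hosts), default=0)

def naive_score(host):
    """The report line managers react to: only the host's own data counts."""
    _zone, exploitable, sensitivity = HOSTS[host]
    return sensitivity if exploitable else 0

def patch_value(host):
    """Reachable sensitivity that disappears if this one host is patched."""
    before = max_sensitivity(attacker_reach())
    after = max_sensitivity(attacker_reach(frozenset({host})))
    return before - after

def prioritised():
    """Findings ordered by what patching them cuts off, highest first."""
    return sorted(HOSTS, key=patch_value, reverse=True)
```

In this constructed network `naive_score("plant-web")` is 0 while `patch_value("plant-web")` equals that of the payroll server, because patching the plant website alone breaks the only chain from the internet to payroll data.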
 
LVL 10

Expert Comment

by:scriven_j
Yes, you have hit the nail on the head.  Unless that server is completely physically detached from your network, then there is a risk, however small, of that being used as a jumping off point to the next hop along which might be a main switch, firewall or server.  If they can't get anywhere, then maybe they will content themselves with placing a virus on your website which is served up to anyone who uses it, defacing it, trashing it or using the server to attack other servers or to host hacking tools.  With any of these things there could be reputational damage, as if you don't seem concerned about security issues on this server, then maybe that is how you view security of all your servers.
0
 
LVL 10

Expert Comment

by:scriven_j
The Ethical Hacker link I posted previously had some examples of stage by stage steps for compromising a network from an external facing server.  Was that sufficient or do you want me to give you a hypothetical step by step process?
0
 
LVL 3

Author Comment

by:pma111
A hypothetical would be great; a 1-10 type step-by-step would be very interesting.
0
 
LVL 10

Expert Comment

by:scriven_j
OK - Here goes:-

1.      Locate your server.  Unless you are specifically targeted, then your machine will likely have been detected by an automated script which has been designed to scan IP ranges either looking for specific operating system/web server combinations and flagging them for closer inspection or more likely running known exploits against them to try and gain Root privileges on that server.  Typically in your example, this would be by sending a command that exploits a Buffer Overflow in Apache to run a command line which has Root privileges.

2.      Once the script has the command prompt running as root, it will take steps to completely gain control of the server permanently.  A web server by its very nature will have Internet access and so it is easy to download malware designed for such purposes. Typically this would comprise a Root Kit (details here - http://en.wikipedia.org/wiki/Rootkit) which will make detection and removal only really possible by rebuilding the server, and a backdoor (an easy route back into the server) - one well known example is Back Orifice (details here - http://en.wikipedia.org/wiki/Back_Orifice_2000) which adds functionality such as total remote file control, remote Windows registry editing, watching the desktop remotely by streaming video, remote control of both the keyboard and the mouse, allowing access to systems hidden by a firewall (by forming a connection outward to the administrator's computer or by a web browser on the server), forming connection chains through a number of administrated systems (meaning that as other systems are compromised within the organisation, even if they do not have access to the Internet directly, control can be passed along via a web enabled machine down the line) and on-line keypress recording.  The software will also "phone home" so that the attacker is aware that they now have control of a compromised server.

3.      From here the process becomes a manual one.  This step is a fact finding mission which would include looking for and monitoring any traffic spotted on the network, mapping out the network and looking for connectivity to other machines or network devices and identifying what OS they are running - using something like nmap (details here - http://nmap.org/), viewing the desktop and keylogging for any commands / logins / clues which might get them closer to your internal systems.  They also might look at the external IP range and scan the addresses around for other servers which could be compromised and might be more important, but might be accessed using some of the information gathered on the original server.

4.      Once the next target has been identified, work begins on compromising that.  Now let's assume in your case that this is a reasonably secure set-up and that this server is actually in a DMZ.  This means that the likely link to the rest of the network is a switch/router.  Maybe something known for security like a Cisco box.  However, this is only as secure as its latest patch and security.  The first thing to try is default passwords.  Hopefully these will have been changed, but you'd be surprised.  The next thing is when was the firmware last patched.  This is often overlooked and you might be running firmware that is years out of date.  Some ways that you might compromise a Cisco device are outlined here http://www.symantec.com/connect/articles/exploiting-cisco-routers-part-1 and http://www.symantec.com/connect/articles/exploiting-cisco-routers-part-2.  In our example, we use HTTP to connect to the router and get the running config as outlined in the link and then use a tool to decrypt the root password.

5.      We now have root access to the switch and can download the config which essentially gives a high level map of the network.  We can also change the routing so that the compromised web server has connectivity to the internal VLAN (or however the system is segregated), get the SNMP key from the Router config which will allow us to interrogate other devices on the network and start to look for interesting targets on the internal network.  Of course once we can see the internal network, we can also monitor traffic passing around on it or get certain traffic routed via the compromised server which can be monitored for cleartext usernames and passwords (more common than you would expect in the "safety" of an internal network), any clues as to what the different internal servers are doing and what ports and network services might be available.

6.      The key server to compromise next, assuming a Windows network, would be a Domain Controller.  Access to this would allow us to set-up users with domain admin rights and getting this compromised basically means your whole network is "owned".  DCs are easy to spot due to the ports that they use and should be easy enough to identify with a quick network scan.  If the DC also runs DNS, then an exploit such as the one outlined here could be used. http://topteedesigns.blogspot.co.uk/2010/04/active-directory-domain-controller.html. Once you have elevated privileges on the DC you effectively have control of the internal environment.  From here, downloading a similar Rootkit as mentioned previously would make sense giving you a direct route on to this server.  You can use a tool such as http://www.hackwindowspassword.com/how-to-hack-active-directory-admin-password/ to reset the admin password.  Once you have done this, you can create a user for yourself who has full privileges on the domain.  Using this you now have access to all of the user accounts, can create your own user accounts and give them whatever privileges you want or add them to whatever groups you want.

7.      From here you can now install any software you want anywhere on the domain and essentially have full control until your presence is spotted.  Obviously changing the password to the admin account could draw attention, but might just be reset without raising too much attention.  However, with this whole thing time is of the essence anyway.

8.      So the final step is to compromise the payroll database (or whatever).  This could be achieved in a number of ways.  The database could now be copied somewhere offsite for later cracking.  Alternatively you could look for any servers that were running web services (such as if your payroll system is web-enabled) and see if single sign on is enabled allowing you to login using a Windows account with the proper privileges.  Alternatively you could use a technique called SQL injection to gain access (http://msdn.microsoft.com/en-us/library/ms161953.aspx).  If all else fails, then you can identify people from finance or HR and what machine they are using and set keyloggers running on their machines.

There are so many different possibilities and it doesn't take long just with the Internet and Google to learn about a lot of these techniques.

To summarise, security is all about reducing your surface area (in layman's terms, if you are an opportunist thief, would you target the house with sealed double-glazing or the one that had left a window open or had a really old rotting door).  The best way to avoid attack is to allow the minimum into your network that is reasonable and to ensure that you patch regularly and use security software and hardware that will give you as much warning of any compromise as possible.  As I said before, you are only as strong as your weakest entry point.  I hope this post has gone some way to proving that.
0
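Steps 2 and 5 in the walkthrough above both depend on the DMZ web server opening connections it has no business opening: outbound to fetch tools and "phone home", and inward once routing to the internal VLAN has been changed. The check below is an added example, not code from the thread: it runs over constructed firewall log lines in a made-up key=value format, with constructed DMZ and internal ranges and an assumed egress allow-list, and flags exactly those two patterns.

```python
# Added example (not from the thread): flag firewall log lines in which a DMZ
# web server *initiates* connections, which steps 2 and 5 above rely on.
# Subnets, the allow-list and the log format are constructed for illustration.
import ipaddress
import re

DMZ = ipaddress.ip_network("192.0.2.0/24")        # constructed DMZ range
INTERNAL = ipaddress.ip_network("10.0.0.0/8")     # constructed internal range
ALLOWED_EGRESS = {"198.51.100.7"}                 # e.g. the patch mirror (assumed)

# Constructed firewall lines: the one outbound hit is to the allowed mirror,
# then an IRC-port session to an unknown host, then two attempts inward.
SAMPLE_LOG = """\
2012-03-12T09:58:01 ACCEPT src=203.0.113.44 dst=192.0.2.10 dport=8080 proto=tcp
2012-03-12T09:58:05 ACCEPT src=192.0.2.10 dst=198.51.100.7 dport=443 proto=tcp
2012-03-12T10:01:02 ACCEPT src=192.0.2.10 dst=203.0.113.99 dport=6667 proto=tcp
2012-03-12T10:04:19 ACCEPT src=192.0.2.10 dst=10.1.5.20 dport=445 proto=tcp
2012-03-12T10:04:20 DROP src=192.0.2.10 dst=10.1.5.21 dport=389 proto=tcp
2012-03-12T10:05:00 ACCEPT src=10.1.7.3 dst=10.1.5.20 dport=445 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

def classify(line):
    """Return an alert label for one log line, or None if it is unremarkable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
    if src not in DMZ:
        return None                     # only sessions the DMZ itself starts
    if dst in INTERNAL:
        # A DMZ host answers the internet; it never opens sessions inward
        # (step 5). Even a DROP shows the host is probing, so it is reported.
        return "dmz-to-internal"
    if dst not in DMZ and m["dst"] not in ALLOWED_EGRESS and m["action"] == "ACCEPT":
        return "unexpected-egress"      # tool download or "phone home" (step 2)
    return None

def alerts(log_text):
    """(timestamp, label, src, dst, dport) for every line worth an analyst's time."""
    out = []
    for line in log_text.splitlines():
        label = classify(line)
        if label:
            m = LINE_RE.match(line)
            out.append((m["ts"], label, m["src"], m["dst"], int(m["dport"])))
    return out
```

On the constructed sample this yields three alerts: the unexplained outbound session and both attempts from the DMZ into the internal range, while the external client and the internal-to-internal traffic are ignored.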
