On one engagement, we were given the client's IP address range and asked to attempt to penetrate the defenses. We started with the discovery phase and confirmed the client's IP address ranges and DNS information. Using Sam Spade (see Chapter 12) we performed whois queries on “client.com,” obtained DNS information, and confirmed the IP address range.
Next we used Pinger to identify live hosts within the IP address range. Pinger identified five hosts within the range. It appeared ICMP was allowed into the network, but we still used Nmap to perform a TCP ping using SYN packets just in case some hosts were not responding to ICMP. We used the following Nmap command for this purpose:
# nmap -PT80 ip_address_range
Nmap found only the same five hosts Pinger had identified.
Next we performed a stealth port scan against the five hosts using our list of favorite ports (we present this full list in Chapter 13). This list contains about 30 ports that either offer identifying information about the host or run a service that we can frequently use to compromise the system. By using a stealth port scan for just a few select ports, we improve our chances of avoiding detection. We used the following Nmap command:
# nmap -sS -O -p 7,21,23,25,80,135-139,2301 (etc.) IP_address_range
The Nmap results identified the systems as Windows NT systems. Among the open ports was TCP port 2301. We knew port 2301 is used by Compaq Insight Manager, and that this service frequently contains vulnerabilities that enable us to compromise the host. (If we had not been aware of the vulnerabilities, we would have identified the service during our banner-grabbing step and identified the vulnerabilities through research.)
Such sites as www.packetstormsecurity.org, www.securityfocus.com, and others with vulnerability databases contain information concerning the Compaq vulnerabilities.
The Compaq Management Web Agent and the Compaq Survey Utility may be vulnerable to an access validation error. A remote user could exploit this vulnerability to access and download files. Compaq's Insight Manager is a management tool that can monitor and control the operation of Compaq clients. In order to communicate with its managed devices, it runs a Web server listening on TCP port 2301.
This particular version of Compaq Insight Manager was susceptible to a vulnerability that caused it to fail to check whether a requested file fell outside its document tree. This allowed attackers who knew the file name to retrieve any file on the same drive as the one on which the software resided.
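The access-validation flaw described above, as an added illustration that is not code from the book or from Compaq's product: a Python sketch of the request-path containment check the Insight Manager Web server was missing. `resolve_unchecked` reproduces the flawed behaviour (join the request to the document root and normalize, but never confirm the result is still under the root), while `resolve_checked` adds the check. The document root `/var/www/insight`, the function names and the use of POSIX path rules are assumptions of this example.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical document root, constructed for this example.
DOC_ROOT = "/var/www/insight"


def _normalise_request(request_path: str) -> str:
    """Decode percent-escapes, treat backslashes as separators (the target
    was an NT host) and drop the leading slash so the path joins as relative."""
    decoded = unquote(request_path).replace("\\", "/")
    return decoded.lstrip("/")


def resolve_unchecked(doc_root: str, request_path: str) -> str:
    """The flawed behaviour: normpath collapses '..' segments, so a request
    with enough of them simply walks above the document root."""
    joined = posixpath.join(posixpath.normpath(doc_root), _normalise_request(request_path))
    return posixpath.normpath(joined)


def resolve_checked(doc_root: str, request_path: str):
    """Hardened form: resolve exactly as before, then refuse anything that is
    not the root itself or a descendant of it. Returns None when rejected.
    A real server would additionally apply os.path.realpath to defeat symlinks;
    that is omitted here because the root is virtual."""
    root = posixpath.normpath(doc_root)
    candidate = posixpath.normpath(posixpath.join(root, _normalise_request(request_path)))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


if __name__ == "__main__":
    # The request shape from the case study, resolved both ways.
    req = "/../../../winnt/repair/sam._"
    print("unchecked:", resolve_unchecked(DOC_ROOT, req))   # escapes to /winnt/repair/sam._
    print("checked:  ", resolve_checked(DOC_ROOT, req))     # None (rejected)
```

The check compares normalized strings with the root plus a trailing separator, which avoids the classic mistake of accepting `/var/www/insight-old/...` because it merely starts with the root string.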
In addition, there are three default accounts (user name/password pairs) with access to the Insight Manager. These accounts are anonymous/(no password), user/public, and administrator/administrator. The first step we took to exploit this vulnerability was to attempt to log into the Compaq Insight Manager via a Web browser using the URL http://10.10.10.250:2301/cpqlogin.htm. This returned the login screen. We entered the default administrator user ID and password and were successful. The administrator had failed to change the default user ID and passwords. We frequently find these accounts still set to the defaults because system administrators may not even realize the service is installed.
Next we attempted to access files on the system. We targeted the system's repair SAM database. We entered the URL http://10.10.10.250:2301/../../../winnt/repair/sam._ in the browser in an attempt to download the repair SAM file. The results are shown in Figure CS-1.

This successfully downloaded the SAM file to our machine. After downloading the SAM file, we used L0phtCrack to crack the passwords. Within an hour, L0phtCrack was able to crack the passwords for all three users in the SAM file, including that of the administrator's account. We had attained administrator-level access within a matter of hours.
Once we had accomplished this against one host, we could use Compaq's HTTP Auto-Discovery Device List (at http://10.10.10.250:2301/cpqdev.htm) to locate other vulnerable machines and further penetrate the client's network.
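A defender-side counterpart, added here and not part of the book's case study: detection logic run over a constructed sample of Web-server access-log lines (common log format, source addresses from documentation ranges) that flags requests whose decoded path climbs above the server root and counts hits per source on the two management pages the text names. The log layout, the field names and the `served` heuristic (a 200 status on a traversal request) are assumptions of this example.

```python
import re
from urllib.parse import unquote

# Constructed sample traffic, not real log data.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2000:13:55:36 -0700] "GET /cpqlogin.htm HTTP/1.0" 200 2326
203.0.113.7 - - [10/Oct/2000:13:55:41 -0700] "POST /cpqlogin.htm HTTP/1.0" 302 0
203.0.113.7 - - [10/Oct/2000:13:56:02 -0700] "GET /../../../winnt/repair/sam._ HTTP/1.0" 200 16384
203.0.113.7 - - [10/Oct/2000:13:57:10 -0700] "GET /cpqdev.htm HTTP/1.0" 200 812
192.0.2.15 - - [10/Oct/2000:14:01:00 -0700] "GET /%252e%252e/%2e%2e/winnt/repair/sam._ HTTP/1.0" 404 0
192.0.2.15 - - [10/Oct/2000:14:01:05 -0700] "GET /docs/../index.htm HTTP/1.0" 200 512
10.10.10.5 - - [10/Oct/2000:14:05:00 -0700] "GET /index.htm HTTP/1.0" 200 512
"""

# Common log format: source, ident, user, [timestamp], "METHOD path PROTO", status, size.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)

# Pages named in the case study; hit counts on these are worth baselining per source.
MANAGEMENT_PAGES = ("/cpqlogin.htm", "/cpqdev.htm")


def decode_fully(raw: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded) so double-encoded '..' is seen."""
    for _ in range(rounds):
        decoded = unquote(raw)
        if decoded == raw:
            break
        raw = decoded
    return raw


def escapes_root(raw_path: str) -> bool:
    """True when the decoded path has more '..' segments than directories
    above them, i.e. it would resolve outside the server root."""
    path = decode_fully(raw_path).replace("\\", "/").split("?", 1)[0]
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def analyze_log(log_text: str) -> dict:
    """Return traversal findings and per-source management-page hit counts."""
    traversal = []
    mgmt_hits = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than fail the run
        src, path, status = m["src"], m["path"], int(m["status"])
        if escapes_root(path):
            traversal.append({"src": src, "path": path, "status": status,
                              "served": status == 200})
        if path.split("?", 1)[0].lower().endswith(MANAGEMENT_PAGES):
            mgmt_hits[src] = mgmt_hits.get(src, 0) + 1
    return {"traversal": traversal, "management_pages": mgmt_hits}


if __name__ == "__main__":
    result = analyze_log(SAMPLE_LOG)
    for finding in result["traversal"]:
        print("traversal", finding)
    print("management page hits:", result["management_pages"])
```

A served traversal request (status 200) from a source that also touched the login page is the pattern to page someone about; the decoded-path walk, rather than a literal `..` substring match, is what keeps `/docs/../index.htm` out of the alerts.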
This was a fairly straightforward test. The basic steps are listed below.
Identify the target hosts.
Scan to find open ports.
Identify applications, servers, and so on that are running (based on the open ports).
Find exploits specific to those applications and servers.
Exploit.
This example illustrates the importance of knowing what services are running on your systems, changing all default passwords, and keeping up-to-date on all system patches. In addition, blocking all unnecessary ports and services at the firewall and border router would have prevented access to the vulnerability.