One missing patch -- that's all it takes for complete network compromise. Similar to how one misjudged click can lead to desktop malware infiltration. A basic administrative oversight or patching tool failure is all it takes for a rogue insider to gain unauthorized access to your desktops and, ultimately, your enterprise.
Here's the scenario:
- You have, say, anywhere from 500 to 5,000 Windows desktops.
- Five to perhaps 50 or more of your desktops are missing a Windows patch. It's typically a hotfix from a few years ago, such as the MS08-067 flaw that the Conficker worm exploited.
- You're not aware of the missing patch because Windows Update, Windows Server Update Services or your third-party patch management tool is humming along with no complaints.
- A malicious insider who happens to have physical access to your network -- i.e. to just an Ethernet port; no local Windows or domain login credentials are required -- decides to go exploring. For grins and giggles, this person downloads and runs a free vulnerability scanner, such as NeXpose or Retina, to see what's out there for the taking.
- Alas, a vulnerability pops up. You say, "What's the big deal? It's just a missing patch that we'll get to soon enough." Well, all it takes for the criminal insider to get to the next level is to see what can be done to exploit such a missing patch.
- Do some quick searches online, and the handy-dandy Metasploit tool pops up. As I wrote in a previous tip, Metasploit is an open source tool that allows you or the bad guys to exploit these missing patches and related Windows-based flaws on your network. Using Metasploit, rogue insiders can gain administrator-level credentials on the compromised system to do whatever they want -- copy files, create backdoor accounts -- you name it. The compromised machine is fair game for anything.
So, now you have a rogue insider who knows about missing Windows patches on your network and how to go about exploiting such vulnerabilities for nefarious purposes. Such activity can happen almost anywhere, including unsecured reception areas, workrooms, training facilities and even the manufacturing floor. You may think it's too technical and too far-fetched for the people on your network to accomplish. Let me demonstrate how simple it really is.
Next, the user downloads, installs and runs Metasploit. Once it's loaded, the user selects an exploit as shown in Figure 2.
As shown in Figure 3, the user then leaves the default Target type in place and scrolls down to select the payload, such as "shell_reverse_tcp," which is a remote command prompt. In addition, it's possible to add a user or even select "speak_pwned," which will play a message on the compromised computer that the system has been "owned." The latter may not be the smartest option if the user is trying to fly under the radar, but criminals do dumb things all the time, so never overestimate their abilities in that regard.
The user then plugs in the IP address of his computer (LHOST) and the IP address of the computer to exploit (RHOST) and then clicks Run exploit as shown in Figure 4.
The result can be seen in Figure 5, which shows the remote command prompt on the compromised system. The user now "owns" that system, and unless you've got some internal intrusion-protection or data loss prevention technology that may detect such attack, you'll never know it happened.
Alternatively, the user could select the add user payload and run it in the Metasploit command-line interface (console) as shown in Figure 6.
It's that simple. Once the malicious user gains a foothold, that system can be used as a stepping stone to further penetrate the network. It's the ultimate in insider abuse, and I'd venture to guess it happens more often than we'd like to think it does.
Don't get me wrong. My intent is not to cast any of these security testing tools in a negative light -- these are actually some of the best tools we have at our disposal as IT professionals. My point is you need to be the one finding these flaws, rather than sitting and waiting for a malicious user to do so. Carve out some time, get it on management's radar, and make it happen. You won't regret it.
ABOUT THE AUTHOR:
Kevin Beaver is an information security consultant, expert witness, author and professional speaker at Atlanta-based Principle Logic LLC. With over 22 years of experience in the industry, he specializes in performing independent security assessments around information risk management. He has authored/co-authored 10 books on information security including the best-selling Hacking For Dummies. In addition, he's the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. You can reach him through his website www.principlelogic.com, follow him on Twitter at @kevinbeaver and connect to him on LinkedIn.
This was first published in September 2011