Now that you've found some potential issues (again, this is just the tip of the iceberg), you can run off to patch and harden your systems, but that's no fun if system penetration is your ultimate goal.
Here are a few examples of what you can do with the vulnerabilities I've already mentioned. Often, screenshots such as these help bring things full circle to obtain much-needed attention from upper management.
Figure 4 shows how QualysGuard can exploit a null session vulnerability to glean all user IDs off a system. Talk about getting a leg up on attacking other processes and services!
Now, all an attacker has to do is to run a few brute-force or dictionary password attacks against Windows, Outlook Web Access, SMTP/POP3 email accounts, etc. to discover these account passwords. Heck, you don't even need to spend that much time -- some simple network sniffing using ARP poison routing via Cain and Abel or even some wireless sniffing using CommView for WiFi or WEP/WPA-PSK cracking using Aircrack might be all it takes to glean such information.
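The flip side of the null-session-to-password-attack chain above is that every guessed password leaves a failed-logon record on the server. The following Python script is an added example (not part of the original article) that shows what a defender can do with those records: it parses a constructed, simplified key=value rendering of failed-logon events (the real Windows Security log text differs; 4625 is the failed-logon event ID on current Windows versions, and the older 529 would be substituted on 2003-era systems) and flags a source that hammers one account (brute force/dictionary attack) or walks through many accounts (password spray). The window and thresholds are assumptions to tune for your own environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified key=value layout (NOT the exact
# Windows Security log format). Three sources: one brute-forcing "jsmith",
# one spraying six different accounts, and one with a single innocent typo.
SAMPLE_EVENTS = """\
2006-06-14T09:15:01 EventID=4625 TargetUserName=jsmith IpAddress=10.0.0.5 Status=0xC000006D
2006-06-14T09:15:02 EventID=4625 TargetUserName=jsmith IpAddress=10.0.0.5 Status=0xC000006D
2006-06-14T09:15:03 EventID=4625 TargetUserName=jsmith IpAddress=10.0.0.5 Status=0xC000006D
2006-06-14T09:15:05 EventID=4625 TargetUserName=jsmith IpAddress=10.0.0.5 Status=0xC000006D
2006-06-14T09:15:07 EventID=4625 TargetUserName=jsmith IpAddress=10.0.0.5 Status=0xC000006D
2006-06-14T09:15:09 EventID=4625 TargetUserName=jsmith IpAddress=10.0.0.5 Status=0xC000006D
2006-06-14T09:20:00 EventID=4624 TargetUserName=asmith IpAddress=10.0.0.9 Status=0x0
2006-06-14T10:00:01 EventID=4625 TargetUserName=admin IpAddress=192.0.2.44 Status=0xC000006D
2006-06-14T10:00:02 EventID=4625 TargetUserName=bkelly IpAddress=192.0.2.44 Status=0xC000006D
2006-06-14T10:00:04 EventID=4625 TargetUserName=cmoore IpAddress=192.0.2.44 Status=0xC000006D
2006-06-14T10:00:05 EventID=4625 TargetUserName=dpatel IpAddress=192.0.2.44 Status=0xC000006D
2006-06-14T10:00:07 EventID=4625 TargetUserName=efox IpAddress=192.0.2.44 Status=0xC000006D
2006-06-14T10:00:09 EventID=4625 TargetUserName=ghall IpAddress=192.0.2.44 Status=0xC000006D
2006-06-14T11:30:00 EventID=4625 TargetUserName=tlee IpAddress=10.0.0.22 Status=0xC000006D
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<id>\d+) TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)"
)


def parse_failed_logons(text):
    """Return a time-sorted list of (timestamp, account, source_ip) for failed logons only."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("id") != "4625":  # keep failed logons, drop successes/noise
            continue
        events.append((datetime.fromisoformat(m.group("ts")), m.group("user"), m.group("ip")))
    events.sort()
    return events


def detect_guessing(events, window=timedelta(seconds=60), max_failures=5, max_accounts=5):
    """Sliding-window check per source address (thresholds are assumed tuning values).

    Returns sorted (source_ip, kind, failures_in_window, distinct_accounts) tuples:
    'password spray' when the window covers many accounts, else 'brute force'.
    """
    by_ip = defaultdict(list)
    for ts, user, ip in events:
        by_ip[ip].append((ts, user))

    findings = []
    for ip, evs in by_ip.items():
        for i, (start, _) in enumerate(evs):
            in_window = [user for ts, user in evs[i:] if ts - start <= window]
            if len(in_window) >= max_failures:
                accounts = set(in_window)
                kind = "password spray" if len(accounts) >= max_accounts else "brute force"
                findings.append((ip, kind, len(in_window), len(accounts)))
                break  # one finding per source is enough for triage
    return sorted(findings)


if __name__ == "__main__":
    for finding in detect_guessing(parse_failed_logons(SAMPLE_EVENTS)):
        print("%s: %s (%d failures, %d accounts)" % finding)
```

Run as-is, it reports the 10.0.0.5 brute-force run and the 192.0.2.44 spray while staying silent about the single failure from 10.0.0.22. The spray case is the one worth watching for: one or two failures per account never trips an account-lockout policy, so a per-source view of the log is what surfaces it.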
Now, let's look at how a malicious insider with a standard user account (i.e., not administrator-equivalent) or an external attacker who has compromised an account can use Metasploit. Both the insider and the external attacker can exploit the recent MS06-025 vulnerability. The following figure shows the basic Metasploit commands in preparation for carrying out this exploit.
Figure 5: Metasploit commands.
Once you enter exploit at Metasploit's MSFConsole prompt, boom -- you've now got full command line access to the remote Windows server as shown in Figure 6. Imagine the possibilities -- the server is yours (or the attacker's) at this point.
Other attacks to carry out
Now that you have access to the system, it helps to look at the big picture to see what else can be exploited. You can perform other attacks to further demonstrate that a security problem exists. Other attacks include:
- Rooting out other non-Windows processes, services and applications that may have been installed on top of the OS -- such as Firefox, Apache, various media players, backup software and more. They can be just as vulnerable and create just as many holes in the system as any Microsoft code.
- Using the Windows regedit tool's Connect Network Registry feature to connect and edit the server's Registry
- Enumerating all running processes on the remote server using PsList to see what else can be gleaned, captured or otherwise exploited
- Using a hex editor such as WinHex to analyze running processes and glean passwords and other sensitive information currently stored in memory
- Performing DNS zone transfers using nslookup (via the ls -d domain_name command) or Sam Spade for Windows
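Of the follow-on attacks listed above, the DNS zone transfer is the one with a clean wire signature: the nslookup ls -d request above reaches the server as a question of type AXFR (252, or IXFR 251 for an incremental transfer) over TCP, and nothing but your own secondaries should ever send one. The Python below is an added example, not the article's code, of a small DNS question parser used as a detector over captured queries. It assumes the caller hands it the DNS message with any TCP two-byte length prefix already stripped, and the sample packets, source addresses and list of authorized secondaries are all constructed for the example.

```python
import struct

QTYPE_NAMES = {1: "A", 251: "IXFR", 252: "AXFR"}
ZONE_TRANSFER_QTYPES = {251, 252}


def build_query(name, qtype, ident=0x1234):
    """Build a minimal DNS query (header + one question, no TCP length prefix).
    Used here only to construct sample traffic for the detector below."""
    header = struct.pack("!HHHHHH", ident, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS IN


def parse_name(msg, offset):
    """Decode a DNS name at msg[offset]; returns (dotted_name, offset_after_name)."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer: follow it, then stop
            pointer = struct.unpack_from("!H", msg, offset)[0] & 0x3FFF
            suffix, _ = parse_name(msg, pointer)
            labels.append(suffix)
            return ".".join(labels), offset + 2
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_questions(msg):
    """Parse the header and question section; answers are not needed for this check."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qdcount, _, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
    offset = 12
    questions = []
    for _ in range(qdcount):
        name, offset = parse_name(msg, offset)
        qtype, qclass = struct.unpack_from("!HH", msg, offset)
        offset += 4
        questions.append((name, qtype, qclass))
    return {"id": ident, "is_response": bool(flags & 0x8000), "questions": questions}


def zone_transfer_requests(packets, allowed_secondaries=frozenset()):
    """packets: iterable of (source_ip, dns_message_bytes).
    Returns (source_ip, zone, 'AXFR'|'IXFR') for every transfer request that did
    not come from an authorized secondary (constructed allow-list)."""
    findings = []
    for src, msg in packets:
        parsed = parse_questions(msg)
        if parsed["is_response"] or src in allowed_secondaries:
            continue
        for name, qtype, _ in parsed["questions"]:
            if qtype in ZONE_TRANSFER_QTYPES:
                findings.append((src, name, QTYPE_NAMES[qtype]))
    return findings


# Constructed sample traffic: a normal lookup, a transfer from the real secondary,
# and a transfer request from an address that has no business asking.
AUTHORIZED_SECONDARIES = frozenset({"10.0.0.53"})
SAMPLE_PACKETS = [
    ("10.0.0.15", build_query("www.example.org", 1)),
    ("10.0.0.53", build_query("example.org", 252)),
    ("198.51.100.7", build_query("example.org", 252)),
]

if __name__ == "__main__":
    for src, zone, kind in zone_transfer_requests(SAMPLE_PACKETS, AUTHORIZED_SECONDARIES):
        print("%s requested %s of %s" % (src, kind, zone))
```

The detection is only half the fix: the same allow-list belongs on the DNS server itself, so that transfers are permitted to the named secondaries only and the request from 198.51.100.7 is refused rather than merely logged.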
Keep in mind that there are tons of variables involved here, so you may or may not be able to successfully execute these tests -- depending on your Windows versions, patches applied, system configuration, and so on. I'll bet, though, that if you look long enough and hard enough, you'll hit pay dirt.
From the series Hacking server processes and services: Step 1: Home in on your target; Step 2: Use good information and good tools to get rolling; Step 3: Drive your point home.
About the author: Kevin Beaver is an independent information security consultant and expert witness with Atlanta-based Principle Logic, LLC. He has more than 18 years of experience in IT and specializes in performing information security assessments revolving around compliance and IT governance. Kevin has written six books including Hacking For Dummies (Wiley), Hacking Wireless Networks For Dummies, and The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He can be reached at firstname.lastname@example.org.
Copyright 2005 TechTarget