When we hear the word hacking we often think of some complex and mysterious art that only a select few people in the world have the expertise to perform. This is a misnomer, however, and it's one of the great contributors to the hacking going on today.
Server hacking doesn't have to be that complex and, in reality, it often isn't. Sure, the propeller head hackers will flaunt their "mad skillz," but these really aren't the guys we need to worry about. Instead, it's usually the people with lesser skills combined with patient determination that'll cause the most problems. In fact, these people are on the inside of many networks this very moment, seeking out vulnerabilities that can be exploited for ill-gotten gains.
When it comes to keeping Windows servers protected from intrusion, I'm a strong believer in focusing on the low-hanging fruit first. Remember, it's the basic security weaknesses that'll get you every time. In a previous tip, I outlined some of the common causes of Windows server security vulnerabilities. Now, let's take a look at two common exploits I see in Windows servers and how they're actually carried out.
Missing patches that lead to remote command prompts
As simplistic (and boring) as patching can be, you'd think most Windows servers would be somewhat up-to-date on patches. Unfortunately, that's often not the case. Inconsistent patch management is one of the greatest contributors to Windows server weaknesses.
Here's how the bad guys carry out their attacks against unpatched Windows servers:
- Attackers run a free vulnerability scanner from outside or -- more commonly -- inside the network and find a missing patch.
- Attackers confirm that the vulnerability can be exploited using the free Metasploit tool.
- Attackers launch Metasploit and obtain a remote command prompt.
- Attackers set up a backdoor user account and add themselves to the local administrators group.
- Attackers have full access to the system (local login, remote desktop, VPN, etc.) and odds are in their favor that no one will never notice.
Unsecured network shares that lead to unauthorized file access
Sharing files on the network is one of the basic functionalities of Windows servers. Unfortunately, it's also the Achilles heel that facilitates unauthorized access by otherwise "trusted" users. Boredom, curiosity and revenge sometimes find their way into the scenario of an employee clicking around in Windows Explorer and stumbling across sensitive information he or she should not be able to access.
Here's how the bad guys carry out their attacks against unsecured Windows shares:
- Attackers run a free share scanner tool such as GFI LANguard inside the network and find numerous shares on Windows servers – many of which happen to have Full Control granted to the Everyone group.
- Attackers click through the shares to see what they can find.
- Attackers may stumble across some sensitive information or, better yet, download and install a free text search tool like FileLocator Pro.
- Attackers plug some keywords in the text search tool that signify sensitive information such as "password", "SSN", or "confidential", and off it goes.
- Attackers find Microsoft Excel spreadsheets, Word documents, PDF files, and databases chock full of sensitive employee and customer information that can be used for illicit purposes. Once again, chances are no one will ever notice.
With enough "sticktuitiveness" an attacker can find missing/simple passwords on Windows servers, weak SQL Server configurations, IIS-based servers configured to share entire drives out via anonymous FTP, and much more. If physical access is possible (which is often the case in smaller businesses), attackers can reboot Windows servers and bring them up using a live CD containing Ophcrack or Elcomsoft System Recovery. They can then gain full access to all user accounts and passwords, including the Active Directory file ntdis.dit. The entire Windows environment is "0wned" and, yet again, odds are in the attacker's favor that no one will ever notice.
Be it an external hacker or malicious insider, it's likely that there are weaknesses on your Windows servers waiting to be exploited. Given enough time, they very well could be. Your mission is to seek out what's vulnerable and plug the holes before the bad guys beat you to the punch.
ABOUT THE AUTHOR
Kevin Beaver, is an information security consultant, keynote speaker and expert witness with Atlanta-based Principle Logic LLC. Kevin specializes in performing independent security assessments. Kevin has authored/co-authored seven books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security on Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at firstname.lastname@example.org.