Step-by-Step Guide

Step 1: Exploiting a missing patch

Take all the Microsoft critical security updates you're expected to keep up with, combine them with some of my favorite vulnerability scanning and exploit tools, and you've got a surefire exploit on your hands. One thing you'll find more and more is that many vulnerabilities -- such as the recent MS06-040 buffer overrun in the Windows Server service -- are directly exploitable from inside the network. This is because a large proportion of networks don't use internal segmentation or intrusion prevention -- everything on the inside is trusted. Not good when you've got a rogue employee looking to control your server.

So, let's look at how the MS06-040 vulnerability can be easily exploited from a rogue insider's point of view. All that's required is a connection to your network and a couple of freely downloadable security tools: Nessus and Metasploit. The following steps seal the deal:
  1. He downloads and installs Nessus and scans the network -- or a few key servers he knows about -- looking for vulnerabilities.
  2. He comes across the MS06-040 issue on a file server, a flaw that allows "arbitrary code" execution -- that sounds like fun.
  3. He goes to Metasploit's exploit listing page and sees that Metasploit supports this exploit.
  4. He downloads and installs Metasploit, plugs in a few variables (the target's address and the payload he wants), and boom, he's got a command prompt with full access to your server, as shown in the following figure.


Using Metasploit against the MS06-040 flaw to obtain a server command prompt.
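As an added example (not part of the original article, and not Nessus or Metasploit code), here is a small Python script showing how the scan output from step 1 turns into a target list for one specific missing patch, which is exactly what the insider does by eye in step 2 and what a defender should be doing first. It parses a Nessus v2 (.nessus) XML export, which records one ReportHost per scanned host and one ReportItem per finding with the CVE(s) as child elements, and returns every host flagged for CVE-2006-3439, the CVE assigned to MS06-040 (patch KB921883). The embedded report is constructed; host names, addresses and the 99999 plugin ID are placeholders, not real scan output.

```python
"""Pull hosts flagged for one CVE out of a Nessus v2 (.nessus) export.

Added example for the "Step 1" scan/exploit walk-through; it is not
Nessus or Metasploit code. CVE-2006-3439 is the CVE assigned to MS06-040.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass

MS06_040_CVE = "CVE-2006-3439"

# Constructed sample export. Host names, addresses and the 99999 plugin ID
# are placeholders, not real scan output; the element layout follows the
# .nessus v2 format (Report > ReportHost > HostProperties / ReportItem).
SAMPLE_NESSUS = """<NessusClientData_v2>
 <Report name="internal-servers">
  <ReportHost name="10.0.1.20">
   <HostProperties>
    <tag name="host-fqdn">fs01.corp.example</tag>
    <tag name="operating-system">Microsoft Windows Server 2003</tag>
   </HostProperties>
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4"
               pluginID="99999"
               pluginName="MS06-040: Vulnerability in Server Service (921883)">
    <cve>CVE-2006-3439</cve>
    <risk_factor>Critical</risk_factor>
   </ReportItem>
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="0"
               pluginID="11011" pluginName="Microsoft Windows SMB Service Detection"/>
  </ReportHost>
  <ReportHost name="10.0.1.21">
   <HostProperties>
    <tag name="host-fqdn">fs02.corp.example</tag>
   </HostProperties>
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="0"
               pluginID="11011" pluginName="Microsoft Windows SMB Service Detection"/>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""


@dataclass(frozen=True)
class Finding:
    host: str       # ReportHost name (usually the IP address)
    fqdn: str       # host-fqdn tag, if Nessus resolved one
    port: int
    protocol: str
    severity: int   # Nessus severity 0 (info) .. 4 (critical)
    plugin: str     # pluginName


def findings_for_cve(xml_text: str, cve: str) -> list[Finding]:
    """Return every ReportItem that lists `cve`, highest severity first."""
    wanted = cve.strip().upper()
    root = ET.fromstring(xml_text)
    found: list[Finding] = []
    for report_host in root.iter("ReportHost"):
        host = report_host.get("name", "")
        fqdn = ""
        for tag in report_host.findall("./HostProperties/tag"):
            if tag.get("name") == "host-fqdn":
                fqdn = (tag.text or "").strip()
        for item in report_host.findall("ReportItem"):
            # A plugin may carry several <cve> children; match any of them.
            cves = {(c.text or "").strip().upper() for c in item.findall("cve")}
            if wanted in cves:
                found.append(Finding(
                    host=host,
                    fqdn=fqdn,
                    port=int(item.get("port", "0")),
                    protocol=item.get("protocol", ""),
                    severity=int(item.get("severity", "0")),
                    plugin=item.get("pluginName", ""),
                ))
    found.sort(key=lambda f: (-f.severity, f.host, f.port))
    return found


def exposed_hosts(xml_text: str, cve: str) -> list[str]:
    """Deduplicated, sorted list of hosts still flagged for `cve`."""
    return sorted({f.host for f in findings_for_cve(xml_text, cve)})


if __name__ == "__main__":
    for f in findings_for_cve(SAMPLE_NESSUS, MS06_040_CVE):
        label = f"{f.host} ({f.fqdn})" if f.fqdn else f.host
        print(f"sev {f.severity}  {label}  {f.protocol}/{f.port}  {f.plugin}")
    print("unpatched hosts:", ", ".join(exposed_hosts(SAMPLE_NESSUS, MS06_040_CVE)))
```

Run the same filter against a fresh export after pushing the patch: any host that still comes back is the one a rogue insider with a copy of Nessus will find first. Matching on the CVE rather than the plugin ID keeps the check stable when Nessus renames or renumbers plugins.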

This can be done time and time again -- with this vulnerability and all the others affecting Windows and related applications -- without you ever knowing a thing about it if nobody is watching the internal network. Imagine the damage that can be done with full server command prompt access: delete files, copy the backup SAM database and other sensitive files, add or remove users, and more. Simply run NET HELP at a command prompt and you can see what's available.

The same type of exploit can be carried out over the Internet against one of your publicly accessible servers if it isn't adequately protected behind a firewall. Also, remember that the network connection requirement I mentioned above can be satisfied via an improperly secured wireless network -- for example, a couple of access points connected directly to your network to serve the handheld scanners in your warehouse. There's hardly ever any WEP, WPA or other security control on those scanner networks. Anyone within range (which usually means your parking lot or an adjacent building) can jump right onto your network and carry out these exploits.


Hacking file servers

 Home: Introduction
 Step 1: Exploiting a missing patch
 Step 2: Sniffing the network for juicy info
 Step 3: Stumbling across sensitive files
 Step 4: Executing related hacks that indirectly affect file servers
ABOUT THE AUTHOR:
Kevin Beaver is an independent information security consultant and expert witness with Atlanta-based Principle Logic, LLC. He has more than 18 years of experience in IT and specializes in performing information security assessments revolving around compliance and IT governance. Kevin has authored/co-authored six books including Hacking For Dummies, Hacking Wireless Networks For Dummies, Securing the Mobile Enterprise For Dummies (all by Wiley), as well as The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He can be reached at kbeaver ~at~ principlelogic.com. Copyright 2006 TechTarget

This was first published in September 2006
