
Stealing the Network: How to Own the Box, PART 2 (pptx)




DOCUMENT INFORMATION

Basic information

Format: pptx
Number of pages: 33
Size: 538.48 KB

Contents

Hide and Sneak • Chapter 1

HELP, EXPN, and VRFY available to me. That's a lot of information to just give out. So, I could access the mail port, but I really wanted telnet access. I moved on to the Web servers.

The Web, the Web … It's Always the Web

The Web servers proved more worthwhile, as far as access was concerned. Initial scans indicated that the only two ports open to the Internet on these two servers were 80 and 443 (HTTP and HTTPS, respectively). I knew that they were watching port 80 because none of my Whisker scans were successful on either server. The SSL port provided a plethora of information. See, that's the beauty of SSL: It hides things from the IDSs. They can't see into the data stream, because the data stream is encrypted. Isn't that lovely? So to get the scans of their SSL servers, I had to set up an SSL tunnel and then use that to conduct my scans. That's easy enough to do with one of the tools in my toolbox called—big surprise—SSL Proxy.

SSL Proxy (sslproxy) is a neat little program that basically lets you connect to an SSL server (or something else that uses SSL) and communicate with it normally. SSL Proxy handles all the necessary encryption for you. To use it, you just point it to the remote SSL server and bind it to a local port on your box, telnet to that port, and you're in.

[Figure: SSL Proxy to Windows 2000 Web Server]

www.syngress.com 249_StealThis_01.qxd 4/18/03 6:20 PM Page 11

From the screen, I could tell that I wasn't the first one to show up at this machine. Apparently, someone else hacked into it and changed the default page on the SSL server. Oh well, no matter. That didn't deter me. But it was kind of funny that the sysadmin hadn't figured out that someone else owned this box. My guess is that it wasn't that important of a system for them. For me, it meant a way in. Once I had verified that I could scan the Web server, I let Whisker go through its paces, and what do you know?
This box was also open to a whole variety of Internet Information Server (IIS) vulnerabilities. You would think the admins would at least patch it somewhat! Still, the easiest thing to do would be to choose an exploit and go with it. The one I went with was the Microsoft IIS directory traversal vulnerability and its popular exploit, iis-zang. Still using the SSL Proxy tunnel I had set up, I connected to the Web server and began looking around. Apparently, the guys who hacked this box before me left behind the tools of their trade.

[Figure: Tools of the Trade]

They left behind plenty of things for me to use myself. But, in order to get to that Solaris box behind the router, I was going to need to go even further than they had. This would be a bit tricky, but if it worked, it would be quite sweet. So, what to do with the remnants left by my apparent predecessors on this system? Well, I figured why waste their work? So I used the pwdump tool to dump the local system SAM. I figured out that their nc1.exe was basically netcat. In order to get around some minor limitations in the Microsoft vulnerability that I was exploiting, I decided to make use of the nc1.exe program my "friends" left behind. One problem though: the router ACL. How to get around that? Well, since I couldn't connect into them, why not have them connect to me? That's exactly what I did. I set up netcat on my system, and then used the nc1.exe program to connect into my listening netcat process. It's not called the "Swiss army knife for networks" for no reason. Setting up my netcat listener on port 5000, I then used the netcat on the Windows host to connect in. Apparently, they were not filtering on the outbound traffic; shame on them. This can be so much fun!
[Figure: Instant Command-Line Access]

Now, this provided me with a better command-line interface. I then used the pwdump.exe program to dump the host SAM, which might come in handy. I dumped the host SAM and downloaded the output to my system, where I could run it through John the Ripper to crack some passwords. I cracked several passwords almost immediately, including one called master. Interesting.

My goal was not the Windows host that I had accessed, but rather the Sun mail server. The first step was to find some accounts on that system. To do this, I would need to tunnel through the Windows host to reach ports on the Sun host, from inside the router. I know about another neat little program called httptunnel (and its Windows counterpart, hypertunnelNT), which would let me do just that. I uploaded hts.exe (along with the necessary cygwin1.dll) from the hypertunnelNT software package to the Windows host using TFTP. I then set up the server side of the HTTP tunnel with this command:

c:\inetpub\scripts\hts.exe -F 10.89.144.241:79 443

Basically, this forwards port 443 (and, subsequently, knocks off the SSL server from that port) to the host 10.89.144.241 TCP port 79 (finger). Then, on my host, I set up the "client" end of the tunnel:

[root@tethys:httptunnel-3.0.5] ./htc -F 79 10.89.144.166:443

This forwards my local port (TCP port 79, again finger) to the Windows server box 10.89.144.166 on the SSL port. I had to hope that their IDS didn't have any signatures for traffic destined to port 443 (since that is typically encrypted). Once that was done, I simply used the finger program on my localhost, and it was forwarded to their Sun system's finger port. In my mind, I could picture what was going on. It's actually pretty neat.
[Figure: Tunneling through a Router's ACLs]

Now, Sun has had a few bugs in their finger program. One of them involves using a long argument to the finger program. This argument can be used to trigger the bug:

a b c d e f g h i j k l m n o p q r s t u v w x y z

This causes finger to return a list of all user accounts on the system, not just those logged on at the time. Using the following command causes the host being fingered to dump all of its user account information:

[idubraws@tethys idubraws] finger "a b c d e f g h i j k l m n o p q r s t u v w x y z"@localhost

And there it is on my screen.

[Figure: Account Information on a Sun SMTP Host]

[Diagram: (1) htc -F 79 10.89.144.166:443 on the attacker's host to the Windows 2000 Web Server; (2) hts.exe -F 10.89.144.241:79 443 on the Windows 2000 Web Server to the Sun SMTP Server]

With the account information, I now needed to point the tunnel to the Sun's telnet port and simply try some of the accounts. The account named master that I had seen before on the Windows host seemed like a good start, especially since I already had a password for that account. It would be interesting to see if that account carried over to this system.

[Figure: Telnet Access to Sun SMTP Host]

And it did. Now I had a real system to work with. What I needed to do was find a local exploit against that system, get root access, and then go to work on the SSH host to get complete access through a more "direct" channel. Root access to the Sun workstation was achieved through a local exploit called netprex. This little exploit takes advantage of a bug in the netpr program, which is part of the Solaris printing facility. Once I achieved root privileges, I grabbed the passwd and shadow files for cracking by John the Ripper.
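The two-hop forward above (htc on the attacker's host towards the Windows box's port 443, hts.exe on the Windows box onwards to the Sun host's port 79) and the SSH -L forward to TCP/3389 used later in the chapter are the same idea: a listener on a host you can reach that patches each connection through to a port the router ACL blocks from the outside. The script below is an added illustration and is not code from the book or from the httptunnel project. It implements a plain TCP relay and chains two of them on 127.0.0.1 in front of a constructed stand-in for the finger daemon; the loopback addresses, ephemeral ports and the "finger: <query>" reply are assumptions for the demo. Two differences from the real tools: httptunnel wraps the relayed bytes in HTTP requests and responses (this relay does not), and the stand-in only echoes the query, it does not model the Solaris long-argument bug.

```python
"""Chain of TCP relays standing in for hts.exe/htc (added example, not from the book)."""
import socket
import threading

LOOPBACK = "127.0.0.1"  # every hop runs locally here; real hops sit on different hosts


def _pump(src, dst):
    """Copy bytes from src to dst until src hits EOF, then close dst's write side."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _listen(handler):
    """Bind an ephemeral loopback port and serve each connection on its own thread."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((LOOPBACK, 0))
    listener.listen(8)

    def accept_loop():
        while True:
            try:
                conn, _ = listener.accept()
            except OSError:
                return
            threading.Thread(target=handler, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return listener.getsockname()[1]


def start_fake_finger():
    """Constructed stand-in for the Sun finger daemon (assumption, not the real
    service): reads one query line and answers 'finger: <query>'. It does NOT
    model the Solaris long-argument bug the chapter describes."""
    def handle(conn):
        with conn:
            buf = b""
            while not buf.endswith(b"\r\n"):
                chunk = conn.recv(1024)
                if not chunk:
                    break
                buf += chunk
            conn.sendall(b"finger: " + buf.strip() + b"\r\n")
    return _listen(handle)


def start_relay(target_host, target_port):
    """Plain TCP equivalent of 'hts.exe -F target:port <listen>' or
    'htc -F <listen> host:port': every client that connects to the returned
    local port is patched through to target_host:target_port, both directions."""
    def handle(client):
        try:
            upstream = socket.create_connection((target_host, target_port), timeout=5)
        except OSError:
            client.close()  # the pivot itself cannot reach the target: the ACL bites here
            return
        back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
        back.start()
        _pump(client, upstream)
        back.join()
        client.close()
        upstream.close()
    return _listen(handle)


def finger_through(port, query):
    """Client end: send one finger query into the first hop and collect the reply."""
    with socket.create_connection((LOOPBACK, port), timeout=5) as s:
        s.sendall(query.encode() + b"\r\n")
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode().strip()


def demo(query="master"):
    """Build finger <- hop2 (the 'Windows' side) <- hop1 (the attacker side), then query."""
    finger_port = start_fake_finger()            # the Sun host's 79/tcp
    hop2 = start_relay(LOOPBACK, finger_port)    # hts.exe on the Windows host
    hop1 = start_relay(LOOPBACK, hop2)           # htc on the attacker's host
    return finger_through(hop1, query)


if __name__ == "__main__":
    print(demo())  # finger: master
```

The relay only helps when the pivot host can itself open the target port, which is exactly what the chapter's router ACL fails to stop for inside-to-inside traffic; the same structure explains why egress filtering on the Windows host would have blocked the earlier netcat connect-back as well.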
John didn’t take very long to crack the root password to the Solaris SMTP host.The next thing to do was find an account on the SSH host, get access, and then come in through the front door. www.syngress.com 249_StealThis_01.qxd 4/18/03 6:20 PM Page 16 Hide and Sneak • Chapter 1 17 KISS, or Keep It Simple, Stupid One of my professors in aerospace engineering used to tell us that we should always keep our designs simple.The easiest solution is the simplest one. He had it down to four letters: KISS, for Keep It Simple, Stupid. Having learned my lesson, I decided to try the simplest thing first. I’ll telnet to the SSH host and see what it is. And guess what I got! Out through the In Door It was an OpenBSD system. Very nice, but it gets even better.The very same account that gave me access to the Solaris mail server also provided access to the SSH server. I didn’t get root on this system, but who needed that when I had access to this host from the outside? I could now use SSH to access this host as the user master and not need to rely on any tunneling methods to get around the router ACLs. It was getting late, and I had to go to work. The Jackpot I came back home from work the next morning and decided that further pene- tration into the target network could wait until I caught up on some sleep. Third shift sucks, but hey, it pays the bills. When I got up that afternoon, I www.syngress.com 249_StealThis_01.qxd 4/18/03 6:20 PM Page 17 18 Chapter 1 • Hide and Sneak decided to keep going with my little “project.” I sat down in front of the computer, turned on some music (I prefer Beethoven’s Ninth Symphony for this kind of work), grabbed a Coke, and focused on the OpenBSD host. After connecting in through the OpenBSD server with SSH, I started looking around. Just as I thought, the really good stuff— the Web servers and database hosts—was at the data center. 
But, like all companies that do this kind of work, I figured that they probably had some database systems on their corporate network where the development boys did their work. And most likely, those databases had live data. I'd seen it before; it's not like they would be the first to do that. A little poking around gave me my answer. The Web server was also running a Microsoft SQL database. Even better was that I discovered that it was also running Microsoft Terminal Services. Getting access was easier this time, because I just used SSH forwarding to forward my local port TCP/3389 to the Web server's Terminal Server port when I connected in to the SSH server. To access the terminal server from Linux, I used the rdesktop Linux client.

[Figure: SSH Tunneling to Microsoft Terminal Server]

[Figure: Access to Microsoft Terminal Server]

I figured, what the hell, I'll try some of the passwords I have to see if I can gain access to the box. Sure enough, the admin password I cracked the day before worked like a charm. Once I gained access to that host, I poked around to find the database. The Microsoft SQL client was installed on that host anyway, and it didn't take me long to get access there either. This was something very much worth my while. One thing I have to say about MS SQL is that you can really have fun with it. I had to figure that they did a default install on this system. I mean, come on, it's internal to their network, they've got this stuff behind a router with ACLs, so who wouldn't think that this thing is safe? Well, with a default install, the sa account doesn't get a password. You can use some tools to gain access to the SQL Server (I couldn't find a Linux box to run LinSQL or SLAT), but there's just no substitute for good, old SQL commands you craft yourself. All I can say is the information in that database was worthwhile.
I found plenty of credit card numbers, customer names, addresses, social security numbers, and other interesting stuff. I figured this was worth sharing with my friends. Perhaps next time, these guys will be a little nicer to their customers when they have a problem and be more willing to help out.

With Customers Like Me…

You certainly don't need enemies. The credit card information in the database was worth its weight in gold. So I announced to my "select" friends on IRC what I had. Boy, you know, some of these people wouldn't give me the time of day before. Now, it's, "Hey, buddy, how ya' doin?" and "What's up, friend?" I didn't care that much about their respect. I was more interested in getting a little "justice." I bet someone over there got their butt chewed out big time when they found my little escapade. About two days after I went in on my little romp through their house, I suddenly noticed that the OpenBSD box was no longer there and the Microsoft Web servers were patched. Hmmm… wish I was a fly on the wall of the office of the IT guys over there.

[...] of," and it's down to the songs that suck. I always like some Motorhead to get me going. Okay, I like the one song, If You Like to Gamble. After a few hours, I've made a tool that seems to work. Geeze, it's 4:30 A.M. I mail the cleanup tool to the list for people to try. It's tempting to use the root.exe and make the infected boxes TFTP down my tool and fix themselves. Maybe, by putting it out there, some idiot [...]

[...] worms. Well, at least these addresses avoid the 127 net, and the multicast nets, and others. Maybe those nets are mostly in the U.S., and this guy wrote an anti-U.S. worm? I'd have to look up the address ranges later. Wait, what's the cmp with 7F inside the loop for then?
He’s checking to see if it hits the 127 net, and if it does, then it adds one to the top octet, and goes to the 128 net Is that maybe... the analysis credit with the rest of the guys, and I’ll write a free, open-source, cleanup tool to go with it (Well, everyone will end up just downloading and trusting my binary version, but the source will be there if they want to compile it themselves.) I shoot a note to the list with all the details I know about the worm and tell them I’m writing a tool.Time to get coding I need some new music The. .. come by, because they don’t necessarily try to deliver themselves to every machine in the world If you want to be early with one of those, usually you’ll need someone to hand you a copy If you’re lucky, someone will post to a mailing list that they’ve got something they’ve never seen before, and their AV softwww.syngress.com 23 24 9_StealThis_ 02. qxd 24 4/18/03 5 :28 PM Page 24 Chapter 2 • The Worm Turns... if someone wants to fix some of their internal boxes, they won’t need to run around to the consoles.Then I go ahead and change it to do a whole range of IP addresses, so admins can use it on their whole internal network at once When everyone gets to work tomorrow, they’re going to need all the help they can get I do it in C, so I can compile it to an exe, since most people won’t have the Windows Perl... the older stuff, like “Kill ‘Em All.” Heh, don’t worry Lars, I own a copy of the damn CD I ripped it myself No Life ‘til Leather Usually, the quickest way to narrow down things to the more interesting functions in the worm is to get the list of function pointers and examine the locations where the functions are being called If you want to know where www.syngress.com 24 9_StealThis_ 02. qxd 4/18/03 5 :28 ... 
[...] going to be port 80. Okay, there's 5000h, which is the same thing in network order. He's filling in the structure directly, rather than using the htons() calls and such. There's address family 2 (AF_INET), and it's filling in the IP from an argument passed by the caller. There are a couple of subroutines that call this one. Let's look at the first one. There's the argument that gets passed for the IP. The IP [...]

[...] her friend that I'm going to be up all night, and that I'll probably be useless tomorrow. I hear her voice trail off as I wander back down the hall to my home office.

Whenever someone asks me what I do for a living, and I know they really don't care, I tell them "computer stuff." If that's not enough for them, I clarify with "computer [...]

[...] few special friends in the tech groups of these same companies, you can keep your supply lines open. They just want copies of the malicious code, too. A small percentage of time, I'm the first one to get a copy. I make sure to send a copy to a few friends, and then later when I ask them for a favor, they won't ignore me. It gives them the edge over their competitors. Everyone wants to be first. It's not just [...]

[...] missing all the Windows boxes on cable modems on 24.x.x.x. I shoot a quick note off to the list, asking if anyone outside 56-112 is getting hit. Well, that's boring. All it does is perform a sequential scan of 56.0.0.0 through 111.255.255.255. What a waste of a 0-day. Heh, someone at 56.x.x.x isn't going to be happy today. Every new copy of the worm is going to pound on them first. Other worms have shown pretty [...]

[...] they need to be able to detect it, clean it, and move on. Add to that all the false alarms their customers mail them all day long. If people don't know what files are, they just mail them to their [...]

Posted on: 13/08/2014, 12:21