Read The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers Online

Authors: Kevin D. Mitnick,William L. Simon

Tags: #Computer Hackers, #Computer Security, #Computers, #General, #Security

Excerpt from Chapter 8, Your Intellectual Property Isn't Safe

So his challenge at this stage was to find his way to the help desk.

I started using a little utility called the Network Mapper, something I wrote myself. It basically goes sequentially through a list of typical host names. I use it as my sequential DNS resolver.

The Network Mapper identifies hosts and provides the IP address for each. Robert's short Perl script simply went down a list of commonly used hostnames and checked whether each one existed under the target company's domain. So, for an attack on a company called "digitaltoes," the script might look for web.digitaltoes.com, mail.digitaltoes.com, and so on. This exercise had the potential of uncovering hidden IP addresses or network blocks that were not easily identified. On running the script, he might get back results looking like the following:

beta.digitaltoes.com

IP Address #1:63.149.163.41...

ftp.digitaltoes.com

IP Address #1:63.149.163.36...

intranet.digitaltoes.com

IP Address #1:65.115.201.138...

mail.digitaltoes.com

IP Address #1:63.149.163.42...

www.digitaltoes.com

IP Address #1:63.149.163.36...

This would reveal that our fictitious company "digitaltoes" has some servers in the 63.149 net block, but I'd put my money on the server in the 65.115 net block with the name "intranet" as being their internal network.
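The hostname sweep Robert describes, written out as an added Python example. Robert's own Perl script is not reproduced in the book, and this is not it. The candidate name list is constructed for the example; the resolver defaults to the system's DNS, and the grouping step reproduces the reasoning above, bucketing hits by /16 so that a lone host in a different block (the "intranet" box in 65.115) stands out. The digitaltoes.com names and addresses used for the offline check come from the results above.

```python
import ipaddress
import socket
from collections import defaultdict

# A short version of the kind of wordlist such a script walks through.
# Constructed here; Robert's list is not printed in the book.
COMMON_HOSTNAMES = [
    "www", "mail", "ftp", "intranet", "beta", "vpn", "helpdesk",
    "dev", "test", "staging", "extranet", "remote", "owa", "ns1", "ns2",
]


def default_resolver(fqdn):
    """Resolve a name with the system resolver; None if it does not exist."""
    try:
        return socket.gethostbyname(fqdn)
    except socket.gaierror:
        return None


def map_hosts(domain, names=COMMON_HOSTNAMES, resolver=default_resolver):
    """Try each candidate name under the domain and keep the ones that resolve.

    The resolver is injectable so the sweep can be run against a lookup
    table (as in the usage below) instead of live DNS."""
    found = {}
    for name in names:
        fqdn = f"{name}.{domain}"
        ip = resolver(fqdn)
        if ip is not None:
            found[fqdn] = ip
    return found


def group_by_block(found, prefix=16):
    """Bucket the discovered hosts by network block (default /16)."""
    blocks = defaultdict(list)
    for fqdn, ip in sorted(found.items()):
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        blocks[str(net)].append(fqdn)
    return dict(blocks)


def outliers(found, prefix=16):
    """Blocks that hold only one discovered host: the candidates worth a
    closer look, such as an internal system hosted apart from the rest."""
    return {net: hosts for net, hosts in group_by_block(found, prefix).items()
            if len(hosts) == 1}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    hits = map_hosts(target)
    for fqdn, ip in sorted(hits.items()):
        print(f"{fqdn}\t{ip}")
    for net, hosts in outliers(hits).items():
        print(f"lone host in {net}: {hosts[0]}")
```

Run against live DNS, the script is noisy from the target's point of view only in the sense that each guess is a query to the company's authoritative name servers, which is exactly the "sequential DNS resolver" behaviour Robert mentions. The offline form below feeds it a dictionary built from the digitaltoes results.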

A Little Help from helpdesk.exe

Among the servers Robert discovered with his Network Mapper was the one he had hoped for: helpdesk.companyX.com. When he tried to go to the site, though, a login dialog box appeared demanding a username and password, restricting access to authorized users.

The helpdesk application was on a server running IIS4, an ancient version of Microsoft's Internet Information Server (IIS) software, which Robert knew had a number of vulnerabilities. With a little luck, he might find a useful one that had not been patched.

Meanwhile he also discovered a gaping hole. Some company administrator had enabled MS FrontPage in such a way that anyone could upload or download files from the root directory where the Web server files are stored.

(I'm familiar with the problem. One of the Web servers at my security startup company was hacked using a similar vulnerability because the volunteer system administrator who was giving me a hand did not properly configure the system. Fortunately, the server was a standalone system, on its own network segment.)

Recognizing that this mistake gave him the ability to download and upload files to the server, he began looking at how the server was set up.

The most common thread with some dumb IIS servers is that [whoever set it up] enabled FrontPage authoring.

And, in fact, this site had a weakness. Deploying Microsoft FrontPage (an application program used to easily create and edit HTML documents) without setting the proper file permissions is sometimes an oversight by a system administrator, sometimes intentionally configured this way for convenience. In this case, it meant anyone could not only read files but could also upload files to any unprotected directory. Robert was stoked.

I was looking at it and going, "Holy shit, I can read or edit any pages on the server without needing a username or password." So I was able to log in and look at the root of the Web server.

Robert thinks that most hackers miss an opportunity here.

The thing is that when people set up a scanner network for a server, they often don't look for common misconfigurations with server extensions like FrontPage. They look [to see what kind of server it is] and say, "Well, it's just Apache" or "It's just IIS." And they miss making their work much easier if FrontPage has been misconfigured.

It wasn't as much of a blessing as he had expected, since "there wasn't really a whole lot on that server." Still, he noticed that an application called helpdesk.exe would come up when he accessed the site through his browser. That could prove highly useful, but required a login with password.

So, I'm looking at it thinking how the f___k can I attack this? One thing I don't like doing is uploading some other file to a Web server, because if the administrators look through their Web logs and see a thousand people going to helpdesk.exe and all of a sudden one guy in the South Pacific is going to two.exe or some other thing, that would make them think twice, right? So I try to stay out of the logs.

The helpdesk application consisted of a single executable and a dynamic-link library (DLL) file (files with the .DLL extension contain a collection of Windows functions the application can call on).

With the ability to upload files to the Web root, an attacker could easily upload a simple script allowing him or her to execute commands through his or her browser. But Robert isn't just any attacker. He prides himself on being stealthy, leaving few if any traces in the Web server logs. Instead of just uploading a customized script, he downloaded the helpdesk.exe and helpdesk.dll files to his computer to analyze how the application worked, relying on some of his background experience. "I've done a lot of reverse engineering applications and looking at things in assembler," so he knew how to go about working with the compiled C code and reversing most of it back to assembler.

The program he turned to was called IDA Pro, the Interactive Disassembler (sold by www.ccso.com), used, as he describes it, "by a lot of, like, virus companies and worm hunters, looking to decompile something to an assembler level and read it and figure out what it's doing." He disassembled helpdesk.exe and, approving of work performed by professional programmers, decided that it was "written quite well."

From the Hacker's Bag of Tricks: the "SQL Injection" Attack

Once he had the program disassembled, Robert examined the code to see whether the helpdesk application was susceptible to "SQL injection," an attack method that exploits a common programming oversight. A security-conscious programmer will sanitize any user query by including code that, among other things, filters certain special characters such as the apostrophe, quotation mark, and greater-than and less-than symbols. Without filtering characters such as these, the door may be left open for a malicious user to trick the application into running manipulated database queries that may lead to a full system compromise. (Character filtering is the weaker of the two common defenses: passing user input to the database as bound query parameters, so that it is never parsed as SQL at all, closes the hole regardless of which characters the attacker types.)

In fact, Robert found that the helpdesk application did make the proper sanitization checks to prevent someone from using SQL injection. Most hackers would have just uploaded an ASP script to the Web server and been done with it, but Robert was more concerned with being covert than with exploiting a simple vulnerability to compromise his targets.

I thought, "That's quite fun, that's quite cool. I'm gonna enjoy this."

I thought to myself, "Well, I'm gonna enable SQL injection by screwing up the validity check." I found the string of where the invalid characters were kept and I changed them all to, I think it was a space or a tilde (~) or something else that I wasn't gonna be using, but at the same time it wouldn't affect anyone else.

In other words, he modified the program (using a hex editor to "break" the routine designed to verify user input) so that the special characters would no longer be rejected. This way, he could secretly perform SQL injection without changing the behavior of the application for anyone else. Another added bonus was that the administrators would not likely check the integrity of the helpdesk application, since there would be no obvious signs it had been tampered with.

Robert then sent his modified version of the helpdesk application to the Web server, replacing the original version. The way some people collect stamps, postcards, or matchbooks from places they've been, hackers sometimes keep not just the spoils of their break-ins but the code they used as well. Robert still has a binary compiled copy of the executable he created.

Since he was working from home (gutsy, and not recommended unless you want to get busted), he uploaded his "new and improved" version of the helpdesk application through a chain of proxy servers (servers that act as a mediator between a user's computer and a computer he or she wants to access). If a user makes a request for a resource from computer A, this request is directed to the proxy server, which makes the request, gets the response from computer A, and then forwards the response to the client.

Proxy servers are typically used for accessing World Wide Web resources from inside a firewall. Robert increased his security by using several proxy servers located in different parts of the world to lessen the likelihood that he could be identified. So-called "open proxies" are commonly used like this to mask the origin of a cyber attack.

With his modified version of the helpdesk application up and running, Robert connected to the targeted site using his Internet browser. When presented with an input form requesting username and password, he launched a basic SQL injection attack, as he had planned. Under normal circumstances, once a user enters a username and password -- say, "davids" and "z18M296q" -- the application uses these inputs to generate a SQL statement such as the following:

select record from users where user = 'davids' and password = 'z18M296q'

If the user field and the password field match the database entries, then the user is logged in. That's the way it's supposed to work; Robert's SQL injection attack went like this: In the username field, he entered

' or where password like'%--

For password, he entered the identical statement

' or where password like'%--

The application used these inputs to generate a SQL statement similar to the following:

select record from users where user = '' or where password like '%' and password = '' or where password like '%'

The element or where password like '%' tells SQL to return the record if the password is anything at all (the "%" is a wildcard). Two details of the statement as printed deserve a note. The trailing -- in the payload begins a SQL comment, so the database ignores everything after it, the whole password clause included, and only the first or ... like '%' does any work. And a second where following or is not valid SQL syntax; the working form of the same idea is ' or password like '%'--, which is what the explanation above describes. Finding that the password did meet this nonsense requirement, the application then accepted Robert as a legitimate user, just as if he had input authentic user credentials. It then logged him in with the credentials of the first person listed in the user database, usually an administrator. That turned out to be the case here. Robert found himself not only logged in, but logged in with administrator privileges.
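The three pieces of the attack described above, the character check that the original helpdesk.exe performed, the effect of Robert's hex edit on that check, and the injection itself, played out against a SQLite database, as an added Python example. None of this is the helpdesk application's code or the book's; the user table is constructed, the blocklist parameter stands in for the string Robert overwrote in the binary, and the payload uses the working form (without the stray "where") noted above. A parameterised login is included alongside for contrast.

```python
import sqlite3

# Constructed sample user table (the book does not show the company's data).
# The administrator is the first row, matching the narrative that the
# injection logs the attacker in as the first account in the table.
SAMPLE_USERS = [
    ("admin", "Xk29!vQ", "administrator"),
    ("davids", "z18M296q", "user"),
    ("jsmith", "summer2004", "user"),
]

# Characters the original helpdesk.exe rejected, as the text describes them.
ORIGINAL_BLOCKLIST = "'\"<>"

# Stand-in for Robert's hex edit: the same string after being overwritten
# with a character no legitimate user types, so their logins still work.
PATCHED_BLOCKLIST = "~"

# A working form of the payload. The book prints it as
#     ' or where password like'%--
# but "or where" is not valid SQL; without the stray "where" the statement
# does what the book's explanation says: the -- comments out the rest of the
# query and LIKE '%' matches every row.
PAYLOAD = "' or password like '%'--"


def make_db():
    """In-memory SQLite database holding the constructed user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (username text, password text, role text)")
    conn.executemany("insert into users values (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password, blocklist=ORIGINAL_BLOCKLIST):
    """Models the helpdesk login as the text describes it: a character
    blocklist in front of a query built by string concatenation.
    Returns (username, role) for the first matching row, or None."""
    if any(c in blocklist for c in username + password):
        return None  # rejected by the validity check
    query = (
        "select username, role from users where username = '" + username
        + "' and password = '" + password + "'"
    )
    return conn.execute(query).fetchone()


def login_safe(conn, username, password):
    """Parameterised version: the driver binds the values, so they are never
    parsed as SQL and no character blocklist is needed."""
    return conn.execute(
        "select username, role from users where username = ? and password = ?",
        (username, password),
    ).fetchone()


def demo():
    """Run the situations the text walks through and return the results."""
    conn = make_db()
    return {
        # a real user logs in normally through the unpatched check
        "normal": login_vulnerable(conn, "davids", "z18M296q"),
        # the payload contains an apostrophe, so the original check drops it
        "blocked": login_vulnerable(conn, PAYLOAD, PAYLOAD),
        # after the patch, ordinary users notice nothing ...
        "patched_normal": login_vulnerable(conn, "davids", "z18M296q", PATCHED_BLOCKLIST),
        # ... but the payload reaches the database and returns the admin row
        "patched_injected": login_vulnerable(conn, PAYLOAD, PAYLOAD, PATCHED_BLOCKLIST),
        # the parameterised query treats the payload as a literal string
        "safe_injected": login_safe(conn, PAYLOAD, PAYLOAD),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:18} -> {result}")
```

The "patched_normal" case is the point Robert was making: swapping the blocklist for a character nobody types leaves every legitimate login working, so the change produces no complaints and no log entries. The "safe_injected" case shows why binding parameters rather than filtering characters is the fix that survives a tampered binary: the payload is compared against the column as text and matches nothing.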

From there, he was able to see the message of the day that an employee or other authorized user sees after successfully logging in. From a series of these messages, he gleaned information on dial-up numbers for calling into the network and, in particular, hyperlinks for adding and removing users from the VPN group under Windows. The company was using Microsoft's VPN service, which is set up so that employees sign in with their Windows account names and passwords. And since Robert was logged in to the helpdesk application as one of the administrators, this gave him the ability to add users to the VPN group and change user passwords for Windows accounts.

Making progress. Yet, so far, he was just logged in to an application as an administrator; that didn't get him closer to their source code. His next goal was to gain access to their internal network through their VPN setup.

Just as a test, through the helpdesk menu he tried changing the password of what appeared to be a dormant account, and added it to the VPN users and administrator's group -- which meant that his activities would be less likely to be noticed. He figured out some details of their VPN configuration, so he could then "VPN in. This is good, but it plays a bit slowly."

I got in at about 1:00 a.m. their time. With me being in the Australia time zone is very nice. It can be 1:00 a.m. in America, but during the working day here. I wanted to go in when I was sure the network was empty, I didn't want anyone logged in or people to notice this. Maybe they have active reporting of everyone who's going in. I just want to be sure.

Robert has a sense that he understands how IT and network security people work, and it's not all that different from everyone else in the working world. "The only way for them to notice [my going online] would have been going through the logs actively." His view of IT and security people isn't very flattering. "People don't read logs every morning. When you get to your desk, you sit down, have a coffee, read some Web sites of personal interest. You don't go in and read logs and see who changed their passwords yesterday."

One of the things he had noticed in his hacking efforts, Robert says, is that "when you change something on a site, people will either catch it right away, or they won't catch it at all. The change I made to that Web application would have been noticed if they'd been running something like Tripwire," he said, referring to an application that verifies the integrity of systems programs and other applications by doing a cryptographic checksum and comparing it against a table of known values. "They would have noticed that the executable had changed."
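The check Robert says would have caught him, a baseline of file digests compared against a rescan, as an added Python example. This is not Tripwire's code or configuration; it is the same idea reduced to its essentials. The Web root, the file names and their contents are constructed for the example, and the scenario replays the three kinds of change the text discusses: the same-size edit to helpdesk.exe, the uploaded extra file he chose not to drop, and a deletion.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=1 << 16):
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map every file below root (by relative path) to its digest."""
    root = Path(root)
    return {
        str(path.relative_to(root)): hash_file(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def check_integrity(root, baseline):
    """Rescan root and report what differs from the stored baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Constructed scenario: baseline a Web root, then make the kinds of change
    the text discusses and see which of them the checksum comparison catches."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot = Path(tmp)
        # stand-ins for the two files the helpdesk application consisted of
        (webroot / "helpdesk.exe").write_bytes(b"MZ...invalid chars: '\"<>")
        (webroot / "helpdesk.dll").write_bytes(b"MZ...helper library")
        baseline = build_baseline(webroot)

        # Robert's edit: same length, only the blocklist bytes changed
        (webroot / "helpdesk.exe").write_bytes(b"MZ...invalid chars: ~   ")
        # the noisier alternative he avoided: dropping a new file on the server
        (webroot / "two.exe").write_bytes(b"MZ...uploaded command shell")
        # and a deletion, for completeness
        (webroot / "helpdesk.dll").unlink()
        return check_integrity(webroot, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9} {paths}")
```

Two practical points follow from the scenario. File size and timestamps would not have flagged the patched helpdesk.exe, since the edit kept the length and a hex editor can preserve the timestamp; only the digest changes. And the baseline has to live somewhere the attacker cannot write: stored beside the Web root it is just one more file that whoever controls the FrontPage authoring share can rewrite.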

At that point he felt reassured, citing the now-familiar term "M&M security" -- hard on the outside but very soft and chewy on the inside. "No one really cares if someone looks around their network because you are inside the premises. Once you've managed to penetrate the perimeter security, you're pretty well home free." (The phrase means that once an attacker is on the inside and using resources like any authorized user, it's difficult to detect his unauthorized activity.)

He found that the account he hijacked (changed the password to) through the helpdesk application allowed him onto the network through the Microsoft VPN service. His computer was then connected to the company's internal network, just as if he were using a computer physically plugged into the network at the company's premises.

So far, he had been careful to do nothing that would create log entries a conscientious systems administrator might notice, and he was sailing free.
