Security tip:
Never install NMA on your site
if someone can view it from the Internet; NMA is a very dangerous toy.
At this point, I wrote a complete report about the company's domain and the
computers with the enabled Guest account. I wrote many recommendations about
security (e.g., rename or disable the Administrator account, and disable the
Guest account). It was Friday evening, and I went home. On Monday morning, I had
an email from the Web master, saying he appreciated my work. He promised to send
my prize soon. Good beginning of the day.
I forgot this case, but two weeks later, I had another email from my
victim. He asked me to continue my security analysis and try to gain access to
their site's database. (You can understand that a vulnerable database could cost
the company much money. The managers were afraid that a hacker could steal their
database, in the same way that I had viewed their user list.)
Penetration of SQL Server
I checked whether the database administrator had changed the sa password
(can you believe that he knew about these problems for more than two weeks and
didn't do anything to protect the site?). I wanted to find the server where SQL
Server resided, but I had only Guest access. I checked my records, put some
lines in my LMHOSTS file, and then used the nbtstat -R command to reload the
NetBT cache without rebooting the server:
555.555.200.5 priny #PRE
555.555.200.16 pluto #PRE
.
.
.
555.555.200.23 insernia #PRE #DOM:eeg1
Reload NetBT cache:
nbtstat -R
I checked all the computers with the Guest account enabled, but I didn't
find any SQL servers. He apparently had installed SQL Server on the computer
that had the Guest account disabled. Wasn't he smart?
What could I find on the computers with the enabled Guest account? One
person's computer with Guest enabled had a shared folder with Read permissions
for everyone. I took a look.
Wow! In one folder, I found the file drwtsn32.log, a crash log. For most
users, the log is completely useless, but for experienced professionals, it can
be very useful. Screen 5, page 182, shows the contents of this log. Do you see
what I noticed? I could see the domain name (EEG1), username (HCAPSUser1), and
something that looked like a password (grk***). To test my theory, I connected
to the server with the Guest account disabled as user EEG1\HCAPSUser1 with
password grk***. I could log in!
I ran SQL Server Enterprise Manager. EM is a useful program for browsing
databases and performing other administrative tasks. However, most companies
prefer that only the systems administrator use EM.
Could I log in? Yes, success! As Screen 6, page 182, shows, I was now the
systems administrator, not in the domain, but for the SQL Server database. I
could do anything with this SQL server.
The administrator had been worried about someone stealing the user list, so
I looked at the list to see why he was concerned. As Screen 7, page 182, shows,
I typed a simple query that shows everything in the table named tblMember.
Wow! Too much information for me: names, email addresses, postal addresses,
credit card numbers, logon names, passwords, and much more--all the information
about visitors to this site. If anyone knows what I can do with 74,342 credit
card numbers, please call me <grin>. It was time to write a letter to the
Web master about another hole in the system.
Can you believe that I could read all this sensitive information so easily?
Subscribers and shoppers on this site have reason to be afraid of this kind of
Internet commerce. If database administrators don't know how to secure this
sensitive information, hackers can steal credit card numbers not by using
sniffers to trace Web traffic but by cracking databases on real servers.
Security tip:
Keep SQL Server hidden from the
Internet. You can install an expensive firewall or just run SQL Server over
NetBEUI protocol on a different server. I'm not the only one who makes this
recommendation--check with Microsoft.
I was ready to finish the security testing and see what else I could do
with this server. I created a user in the EEG1 domain with the name Andrey
and the password mypassword:
xp_cmdshell 'net user Andrey mypassword /add /domain'
The SQL Server extended stored procedure xp_cmdshell executes valid NT
commands on the server and displays the results. Then, with one more command
xp_cmdshell 'net group "Domain Admins" Andrey /add /domain'
my account became an administrator in the EEG1 domain, and I could do
anything with this network.
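Detection logic for the xp_cmdshell path just described, as an added example that is not from the article: it assumes process-creation telemetry that records parent image, child image, and command line (the shape of a Sysmon event 1 record, which did not exist on NT 4), and the sample records below are constructed, not logs from the article's network.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed process-creation records: (parent image, child image, command line).
# The first two mirror the 'net user' / 'net group' commands the article ran
# through xp_cmdshell; the others are benign noise to show the rule stays quiet.
SAMPLE_EVENTS: List[Tuple[str, str, str]] = [
    ("C:\\MSSQL\\BINN\\sqlservr.exe", "C:\\WINNT\\system32\\cmd.exe",
     "cmd.exe /c net user Andrey mypassword /add /domain"),
    ("C:\\MSSQL\\BINN\\sqlservr.exe", "C:\\WINNT\\system32\\cmd.exe",
     'cmd.exe /c net group "Domain Admins" Andrey /add /domain'),
    ("C:\\MSSQL\\BINN\\sqlservr.exe", "C:\\MSSQL\\BINN\\sqlmaint.exe",
     "sqlmaint.exe -S priny -D pubs -CkDB"),
    ("C:\\WINNT\\explorer.exe", "C:\\WINNT\\system32\\cmd.exe",
     "cmd.exe /c dir"),
]

# Account or group manipulation: a database engine has no reason to spawn this.
ACCOUNT_CHANGE = re.compile(
    r"\bnet1?(\.exe)?\s+(user|group|localgroup)\b.*\s/add\b", re.IGNORECASE)


@dataclass
class Finding:
    severity: str
    command_line: str


def classify(parent_image: str, image: str, command_line: str) -> Optional[Finding]:
    """Return a Finding when the SQL Server service process spawns something
    it should not; every xp_cmdshell call is a child of sqlservr.exe."""
    parent = parent_image.rsplit("\\", 1)[-1].lower()
    child = image.rsplit("\\", 1)[-1].lower()
    if parent != "sqlservr.exe":
        return None
    if ACCOUNT_CHANGE.search(command_line):
        # A /domain change means the service account is powerful enough to
        # alter the domain itself, which is the article's full-compromise case.
        severity = "critical" if "/domain" in command_line.lower() else "high"
        return Finding(severity, command_line)
    if child == "cmd.exe":
        # Any shell from the engine is worth a look even without /add.
        return Finding("medium", command_line)
    return None


def scan(events: List[Tuple[str, str, str]]) -> List[Finding]:
    return [f for f in (classify(*e) for e in events) if f is not None]
```

The benign sqlmaint.exe child and the explorer-spawned shell produce no finding, so the rule keys on the sqlservr.exe parent rather than on net.exe alone.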
Let's publish something on their Web site. I can connect to any share--even a hidden share--on this server.
Start > Run, then \\priny\c$
Now I've connected to a hidden root share on the C drive.
I typed a small HTML file (hack.htm) and copied it to the wwwroot folder,
which contains all the HTML files for their Web site. Screen 8 shows the file I
typed.
Did you hear about the hacker who changed the home page in http://www.cia.gov?
I didn't do it, but I think the hacker worked the way I did.
Security tip:
A hacker can't break into your
system this way if you take the following precautions:
- Disable the xp_cmdshell stored procedure and disable access to the
Registry from stored procedures
- Run SQL Server under a user account (not a system account) with restricted
permissions
- Change the systems administrator password
- Install SQL Server on a computer hidden from the Internet
- Don't debug programs on a computer connected to the Internet
- Don't run any Web scripts from the sa account
- Disable the Guest account everywhere
- Don't run NMA on a computer inside a public network
- Set only Execute rights for Web-script folders
- Install all patches from the Microsoft Web site
- Think like a hacker about security
When you need remote control of a system via the Internet,
RemotelyPossible/32 is a nice program that can help; it works very fast. I
downloaded an evaluation version from http://www.avalan.com. If I wanted
to be the administrator of the company's computer, I could install
RemotelyPossible/32 on my computer and on the computer on the other side of
the earth.
As you can see, I had gained full access to the EEG1 domain and could do
anything with the company's network. Don't let this kind of intrusion happen on
your network.
Some Security Resources
Many articles in computer magazines discuss security in general and in NT.
Windows NT Magazine highlights the most important places you need to
check in your NT Server. The most informative security Web sites that I've found
are http://www.microsoft.com/security and http://www.ntsecurity.org.
I also recommend that you hire a good security consultant or buy good
software for security advice. The Windows NT Magazine Lab reviewed
several NT security software products in Lab Reports in the magazine's October
1997 issue.
My favorite product is Kane Security Analyst from Intrusion Detection. This
security assessment tool analyzes NT domains, servers, and workstations for
security exposure; it can give you a lot of information about your system's
security. You can download an evaluation version from http://www.intrusion.com.
The company also offers Kane Security Monitor, a new utility for online
monitoring. I highly recommend that you download it right now.
This article illustrates many security problems an NT server can have, but
NT doesn't cause those problems; people cause them. Therefore, you need to think
about security from a hacker's point of view. A recommendation that you check
your security usually means that a hacker can gain access to sensitive
information on your site. Close any open doors as soon as possible; the gaps can
be dangerous for your system, and not all guys are as good as I am.
OK, I'll be at the airport very soon. The systems administrator I talked
about in this article asked me to come and make all the changes needed to
protect the company's site from attacks. I love to be in different countries, so
it's time to go. See you later.