anatomy.of.attack.txt

Date: Sun, 14 Mar 1999 14:34:29 -0700 (MST)
From: mea culpa <jericho@dimensional.com>
To: InfoSec News <isn@repsec.com>
Subject: [ISN] Anatomy of a fairly easy attack

From: Subash Raman <subash@hotmail.com>

An anatomy of a fairly easy attack

Once upon a time, an auditor was asked to prove that an organization's
machines are not insecure. Their lamentable naivete notwithstanding, the
auditor got them to sign the necessary legalese and then turned his
attention to the task at hand. Some background for those who like their
detail: it was an NT environment with SQL Server 6.5. So our hero starts his
venture by first running a tool called chronicle which tells him what
service packs are running on which servers. That eliminates a lot of
unnecessary probing for vulnerabilities, does it not? When he realised that
they are only running SP-3 and no other patches have been applied, and
furthermore on realising that they are using SMS (client server network
management s/w), he uses sechole (easily obtainable from the net) and gets
in as a domain admin from a lowly regular account.

Their PDC turned out to be fairly easy since their registries were
unprotected. He next ran a find and lo and behold found two default
accounts with passwords scripted in the registry. Next, using these
accounts, he attached to their shares (hidden of course; only redbutton had
no trouble finding them) and then proceeded to download the SAMs and,
what's of more interest, the drwtsn32.log file.

Sadly the log file didn't contain much interesting data of the variety he
was after, but he did glean from them an internal webserver that was
accessing them. So, back to info gathering: he scanned the entire network
and picked up the webservers. A few quick perlscripts (and a very nifty
tool called the grinder which can recursively go through the urls
automatically) and he nailed the server he was after. Using the datastream
technique he managed to get hold of the source code for the asp scripts,
esp. global.asa, and lo and behold the connection object had the userid
and password for their sqlserver right there. In a matter of minutes he
was inside the server again with isql getting the creditcard information
he had been challenged to find.

redbutton, grinder, couple of perlscripts to parse through the data,
whatsup gold to do network maps (and portscans) and he was inside
literally the corporate data vault in a matter of a couple of hours.

If he was a real hacker and he didn't have access to a webserver using ASP
code, he could have still done it by <you guessed it> running a
particularly nasty DOS attack to bring the SQL Server crashing down and
then going through the log. Dumpster diving is not considered very
glamorous, but you will agree that most insider hacking is based on
examining core dumps by knowledgeable debuggers. In the case of the NT
logs you don't even need to know how to do core analysis; all you have to
know is English and have enough patience to keep going through them till
you find the info you are looking for.

Since he was inside SQL Server with sa privileges he ran xp_cmdshell and
added himself as a user and then proceeded to add the id to the global
domain admins group as well, just to make a long story short.

Why did I do this anatomy of a typical attack? And what are the dangers
of teaching people such methods?

Lots generally, but to tell you the truth, if somebody had spent some time
cleaning up the registries, applying the key post sp-3/sp-4 hotfixes and
then ensured strict compliance with policies such as no clear text
scripting when it came to coding and removal of stored procedures such as
xp_cmdshell with more specific stored procedures, then it would have been
far more difficult to have done what I did. And the tools I mentioned can
be got off the internet very, very easily. So you are definitely not
underestimating the dangers when you warn people. I just felt that it is
also necessary to further prove the point by writing this article of how
somebody would actually go about doing it.

Hope this enlightens more than it obfuscates. Have to admit that this note
coming at the end of a day spent trying to establish the need for both
policy, awareness and a protection strategy that pays equal attention to
prevention, detection, reaction and alleviation is probably why I decided
to break my usual silence on this matter and come out in the open about
this. Plus I am beginning to feel that we are fighting a losing battle
trying to raise awareness and are being drowned by the focus on the media
driven threats as opposed to the real ones. Oh well, maybe I'll go back to
doing budget management. At least forecasting models are a lot less dicey
to deal with than security issues.

regds,
-sr

P.S. And don't ask me for the name of the poor auditor. He's far too busy
to have the time to answer your questions and he's far too modest to want
to relinquish his identity and come out of the closet anyway <grin>

-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]
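The global.asa weakness that gave the auditor his SQL Server login (a user id and password written straight into the connection object) is the kind of thing a code review can catch long before anyone runs isql. The following is an added example, not the author's tooling or anything from the ISN list: a small Python scanner that joins VBScript line continuations, pulls connection strings out of ASP/global.asa source, and flags every one that carries a clear-text password, calling out the sa login separately because that is the case that hands over the whole server. The sample global.asa, the server name SQLSRV01 and the credentials in it are constructed placeholders.

```python
"""Scan ASP / global.asa source for connection strings that embed a SQL
Server login and password in clear text.

Added example for the mailing-list post above; not the author's tooling.
The sample global.asa below is constructed and its credentials are
placeholders.
"""
import re
from typing import Dict, Iterator, List, Tuple

# Constructed sample: the kind of global.asa the post describes. The first
# connection string carries the sa password, the second a reporting login,
# and the third uses integrated security and should not be flagged.
SAMPLE_GLOBAL_ASA = """<SCRIPT LANGUAGE=VBScript RUNAT=Server>
Sub Application_OnStart
    Application("ConnString") = "Provider=SQLOLEDB;Data Source=SQLSRV01;" & _
        "Initial Catalog=Orders;User ID=sa;Password=ChangeMe123"
    Session("Report") = "DSN=Reports;UID=reportuser;PWD=secret99"
    Application("Safe") = "Provider=SQLOLEDB;Data Source=SQLSRV01;" & _
        "Integrated Security=SSPI;Initial Catalog=Orders"
End Sub
</SCRIPT>
"""

# ODBC / OLE DB connection-string keys that name the login and its secret.
USER_KEYS = ("user id", "uid", "user")
SECRET_KEYS = ("password", "pwd")

# A VBScript string literal (double quotes; embedded quotes are rare in
# connection strings, so the simple form is enough here).
STRING_RE = re.compile(r'"([^"]*)"')


def logical_lines(source: str) -> Iterator[Tuple[int, str]]:
    """Yield (original line number, text) with VBScript '& _' continuation
    lines joined, so a connection string split over several physical lines
    is inspected as one logical line."""
    buf: List[str] = []
    start = 0
    for no, line in enumerate(source.splitlines(), 1):
        if not buf:
            start = no
        stripped = line.rstrip()
        if stripped.endswith("& _"):
            buf.append(stripped[:-3].rstrip())  # drop the continuation marker
            continue
        buf.append(line.strip())
        yield start, " & ".join(buf)
        buf = []
    if buf:  # dangling continuation at end of file
        yield start, " & ".join(buf)


def parse_connection_string(conn: str) -> Dict[str, str]:
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    params: Dict[str, str] = {}
    for part in conn.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            params[key.strip().lower()] = value.strip()
    return params


def scan_asp_source(source: str) -> List[Dict[str, object]]:
    """Return one finding per logical line whose string literals, taken
    together as a connection string, contain a non-empty password. The
    secret itself is deliberately not copied into the finding."""
    findings: List[Dict[str, object]] = []
    for line_no, text in logical_lines(source):
        # Only literals that look like key=value fragments are part of the
        # connection string; names such as "ConnString" are skipped.
        pieces = [s for s in STRING_RE.findall(text) if "=" in s]
        if not pieces:
            continue
        params = parse_connection_string("".join(pieces))
        secret_key = next((k for k in SECRET_KEYS if params.get(k)), None)
        if secret_key is None:
            continue
        user = next((params[k] for k in USER_KEYS if params.get(k)), "<unknown>")
        findings.append({
            "line": line_no,
            "user": user,
            "secret_key": secret_key,
            "privileged": user.lower() == "sa",
        })
    return findings


def report(findings: List[Dict[str, object]]) -> List[str]:
    """Human-readable lines for each finding, worst (sa) first."""
    ordered = sorted(findings, key=lambda f: not f["privileged"])
    return [
        f"line {f['line']}: clear-text '{f['secret_key']}' for login '{f['user']}'"
        + (" [sa login: full SQL Server control]" if f["privileged"] else "")
        for f in ordered
    ]


if __name__ == "__main__":
    for entry in report(scan_asp_source(SAMPLE_GLOBAL_ASA)):
        print(entry)
```

Run it over a directory of .asp and .asa files and treat every hit as a credential to rotate, not just a line to tidy: once the source has been readable through an IIS bug, the password is already out. The third sample string shows the shape to move to (integrated security, with the application pool identity granted only the rights it needs), which also removes the case where an sa login in a script turns a web server disclosure into xp_cmdshell on the database host.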
