Vulnerability Scanners


October 2004


Steps to Attack a Server Using a Vulnerability Scanner

An attacker will first scan a remote server with a vulnerability scanner to quickly find a number of possible exploits. The information gathered by the scanner helps the hacker understand the configuration of the target machine. Based on the vulnerabilities the scanner reports, the hacker then researches each one on hacker websites and other resources. This research provides everything the hacker needs to begin the attack: the details of the vulnerability, proof-of-concept code, examples of how to run that code, and any notes other attackers have shared from exploiting the same vulnerability on other servers.

The hacker takes all of this information and sets up a mirror system on his local network for testing. The mirror system has exactly the same software and configuration as the system the hacker wants to exploit, which lets him practise the exploit so that there are as few unknowns as possible when the real attack comes.

Once the hacker is comfortable with the attack and knows what to expect from the real machine, the attacker exploits the vulnerability on the remote machine, which most likely grants him a command shell bound to a port on that machine. Once shell access has been obtained, he can search for another exploit to gain root access; if the first exploit already gave root, all system information, processes and applications are available to him. Other exploits may instead return vital system information such as username-password pairs or other sensitive data.

Example Proof of Concept:

Quoted and slightly modified for clarity from the original proof-of-concept code.

BlackJumboDog FTP Server Buffer Overflow Vulnerability

Bind Shell Exploit for English Win2K SP4

27 Jul 2004

BlackJumboDog is an integrated proxy server, web server and FTP server developed by SapporoWorks for Microsoft Windows platforms. BlackJumboDog version 3.6.1 is vulnerable to a buffer overflow in its FTP server. By sending an FTP request containing an overly long parameter string in the USER, PASS or various other commands, a remote attacker can cause a stack overflow, overwrite EIP (the Extended Instruction Pointer, which holds the address of the next instruction to be executed), and then execute arbitrary code.

This vulnerability is caused by an unsafe strcpy that copies the entire parameter of the user's FTP command into a 256-byte stack buffer; for example, the user's FTP client might issue the command USER xxxxxxxxxxxx. strcpy is an unsafe function: it does not check the size of the destination buffer and does not check for null or otherwise invalid pointers. If the destination buffer is smaller than the source string, strcpy keeps writing past the end of the destination, overwriting whatever memory follows it.

The FTP command parameter "xxxxxxxxxxxx" is copied into the 256-byte buffer using strcpy. Hence, by crafting an FTP command with an overly long parameter, a remote attacker can trigger a stack overflow and execute arbitrary code. The attacker does not need a valid account on the FTP server, since the overflow can be triggered before authentication using the USER command.
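As an added illustration (constructed for this article; it is neither BlackJumboDog's source nor the proof-of-concept code quoted above), the C below places the unbounded strcpy pattern the advisory describes beside a bounded handler that measures the USER parameter first, rejects and logs anything that would not fit the 256-byte buffer, and only then copies. The function names and the 1024-byte limit in the test helper are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define USER_BUF_SIZE 256   /* the fixed-size stack buffer the advisory describes */

/* Vulnerable pattern (constructed illustration, not BlackJumboDog's own source):
 * the whole parameter is strcpy'd into a fixed stack buffer with no length check,
 * so a parameter of 256 bytes or more writes past the end of 'user'. Trusted input only. */
int handle_user_unsafe(const char *param)
{
    char user[USER_BUF_SIZE];
    strcpy(user, param);                /* unbounded copy: overflows on long input */
    return (int)strlen(user);
}

/* Hardened form: measure first, reject what would not fit with its NUL, and copy
 * with an explicit bound. Returns 0 if accepted, -1 if rejected. */
int handle_user_safe(const char *param, char *out, size_t out_size)
{
    size_t len = strlen(param);
    if (len >= out_size) {
        /* An overlong USER parameter is the pre-authentication trigger the
         * advisory describes, so record it rather than silently truncating. */
        fprintf(stderr, "rejected USER parameter of %lu bytes (limit %lu)\n",
                (unsigned long)len, (unsigned long)(out_size - 1));
        return -1;
    }
    memcpy(out, param, len + 1);        /* len + 1 also copies the terminating NUL */
    return 0;
}

/* Build a constructed parameter of n 'x' bytes (like the "xxxx" example in the
 * text), run it through the hardened handler and return its verdict. */
int try_user_param(size_t n)
{
    static char param[1024];            /* assumed upper limit for this test helper */
    char user[USER_BUF_SIZE];
    if (n >= sizeof param)
        return -1;
    memset(param, 'x', n);
    param[n] = '\0';
    return handle_user_safe(param, user, sizeof user);
}

int main(void)
{
    printf("255 bytes -> %d, 256 bytes -> %d\n", try_user_param(255), try_user_param(256));
    printf("unsafe handler with short input -> %d\n", handle_user_unsafe("anonymous"));
    return 0;
}
```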

This exploit code returns a shell prompt, giving an attacker full control of the server through port 2001 on any vulnerable BlackJumboDog FTP server.

Advisory: http://www.security.org.sg/vuln/bjd361.html

A vulnerability scanner would be able to find this by scanning for it using the exploit code in its database, executing the exploit very similarly to how an attacker would. The database would tell the scanner to try to connect to the FTP service; if a BlackJumboDog FTP service is found running on that port, the scanner would then issue a USER command followed by a 256-byte buffer. If the source code from this proof of concept were used, the scanner would know the exploit worked by listening for a shell prompt from the remote computer. For a benign scanner, the remote code could be changed to simply return a custom message to the scanner to verify that the exploit worked.


A hacker can also scan a web application for vulnerabilities, even an arbitrary application for which no known exploits have been found or posted on security websites. This is the most common way to scan a proprietary web application, such as one written for in-house use or for a single purpose at a public company. A hacker might use the information gained by the scanner to orchestrate more advanced attacks. For instance, a simple cross-site scripting bug that a web application vulnerability scanner would easily reveal might be turned into an attack that steals a user's cookies while the user visits the website.

Often hackers write scripts to scan constantly for vulnerable servers. This is done by picking an interesting IP range and calling the scanning engine repeatedly against each server within that range. Vulnerability scanners are one of the most-used tools in a hacker's toolbox because they are easily scripted and can discover so many vulnerabilities. Once a hacker has finished scanning a set of servers, they can search the scan logs for especially vulnerable servers or for a vulnerability they know how to exploit. They can then use a hacking tool, PoC code or their own exploit code to gain access to the server or deface the website. Hackers can also use vulnerability scanners as part of a larger attack in which the vulnerable server is not the primary target: often a hacker will relay their connections through many servers to help cover their tracks and slow down any tracing that might be taking place.

Using multiple servers to cover tracks:

A hacker may use many servers to slow down any trace of their hacking attempts, for a number of reasons. To track down a hacker, the system administrator must first realize there is a hacker on the system. This can be done in a number of ways, but the most common is to watch the running system processes for anything that is trying to elevate its privileges, consuming out-of-the-ordinary amounts of resources, or overwriting other system memory. Once a hacker has been detected, the system administrator can find the remote IP the attacker connected from. However, this only shows the last computer the attacker connected from: if the hacker connected through another machine before reaching the final server, the remote IP will be that middle machine.

The system administrator must now employ the same technique on the remote machine. Since the administrator often doesn't have access to that remote server, they must contact its administrator.

By the time the trace is complete, the attacker might have already completed his/her actions on the server, deleted the logs on both servers, and removed any other traces of their presence.


Provided by: Security Innovation, The Application Security Company