The Accidental Hacker
By chance, a good guy found serious holes in a company's network. He tells you how you can avoid that company's security mistakes.
January 31, 1998
Do your system's open doors invite intruders?
This story will interest network administrators who use Windows NT Server as their platform for Internet and database processing. The events I report can happen only if staff are unprofessional and have no knowledge of security. I'm not saying that NT is not secure--I think NT is the most stable, robust, and secure operating system in the world--but organizations must have a good administrator. I hope this story shows you how to protect your site from unauthorized access.
Andrey Kruchkov
This story began in early 1997. I was in my office in Russia, beta-testing a Windows NT Internet package for Internet Service Providers (ISPs). I didn't have time to test a component that replicates Web servers, so I decided to do a stress test by replicating a big Web server on the other side of the earth. While replicating the site, I had time to browse the original Web server. I saw that the server was completely unsecured, and the administrator had a very bad security policy.
My first look at the server showed me that the company had not installed any security patches for Internet Information Server (IIS). Contrary to Microsoft's recommendations, not only could users execute the Web scripts and Common Gateway Interface (CGI) programs in the script folders, but they also had Read access to those folders and could browse their contents.
I added an extra period at the end of the uniform resource locator (URL). This period lets you download Active Server Pages (ASP) files unprocessed, potentially exposing SQL Server passwords and other sensitive information. (This security hole is very well known; see NT News Network, Tim Daniels, "Active Server Pages Security Hole," April 1997.) When I added the period in this case, I saw the display shown in Screen 1 in my Internet Explorer (IE) window.
Security tip:
If you follow Microsoft's recommendation and put all your Web scripts in a folder to which Internet Service Manager (ISM) grants only Execute access, your site will be safe even if you have a security hole in IIS and don't have a fix for it. If you secure your scripts in this way, the intruder will see the display shown in Screen 2.
Of course, if the site administrator had spent some time checking the NT News Network in Windows NT Magazine, the administrator would have known about possible security holes and the fixes available at ftp://ftp.microsoft.com. If you install this IIS patch, you'll see the screen shown in Screen 3. (The sidebar, "Stop, Thief!"--page 183--offers suggestions for protecting IIS and other components of your system.)
But the most important problem was not the IIS hole, but that I could see the default systems administrator login (sa) for Microsoft SQL Server in the downloaded scripts. This login had no password--as anyone could see from the Web site.
Security tip:
Tell me: Who at this site let users access the database from the sa login for all scripts? Why didn't the administrator change the password immediately after installation? I hope you aren't giving a hacker such a present. If you are, stop reading now and change the sa password immediately.
I am a really good man, so I sent email to the Web master of this site. I explained briefly why his site was insecure (this site has more than 2 million hits per day, and it processes orders and accepts credit card information from customers). Here is our correspondence:
Administrator: Dear Andrey, Thanks for your comments. We are aware of the [security] problem. We installed the patch, and no one could access any of our Internet Database Connectors (IDCs). I don't think this is a potential security risk because you can't place a new .idc in our script directory.
Wow! He didn't understand what I'd written. I decided to tell him that he was wrong, and that this security hole is really dangerous! I proposed a deal to him: To confirm my security analysis, I would try to hack his site.
Andrey: I hope that from now on your site is much more secure than it was in the past, but I will try to break into it.
Administrator: That's a deal! We'll send you a nice package to compensate you for your work. We are not using any firewalls, so go ahead (but please be careful with our data ;-)).
Kind regards,
admin
Security tip:
Never talk to strangers. You would not believe how much useful information an unscrupulous person can gain and use from a conversation such as this one.
Finding the Holes
OK! At first, I ran a nice program called nslookup (NT Server includes nslookup for testing Domain Name System--DNS--servers). I looked at the company's DNS zone information. Figure 1, page 180, shows the servers I found.
Then, I thought, let's see which server processes email and which is running the DNS service. Figure 2, page 180, shows the additional information and the mail server addresses.
What other computers are in this network? I might find something interesting there. Figure 3, page 181, shows the computers' names and their IP addresses. (The ls command, named after the UNIX command for List, lists the records in the zone.) Not much there, but something was better than nothing.
Security tip:
You can configure DNS so that it won't show address records to strangers. Don't give anyone the right to inspect your network. Hackers usually need only a small amount of information. Don't give it to them for free.
The next step: Did he disable NetBIOS over TCP/IP (NetBT)? NetBT performs name-to-IP address mapping for name resolution. For computers connected to the Internet, Microsoft recommends disabling this service. I entered
C:\>nbtstat -A 555.555.200.1
The computer responded "Host not found." I typed
C:\>nbtstat -A 555.555.200.2
The computer answered "Host not found."
Hmm, was he smarter than I thought? But I needed to test all the computers in the network, not just a few servers. When I typed
C:\>nbtstat -A 555.555.200.16
C:\>nbtstat -A 555.555.200.17
Figure 4, page 181, shows what appeared on the screen. Thanks to Windows NT Magazine, I could understand what this stuff means. You can see each record's type after the computer name. The presence of a unique record for EEG1 and the __MSBROWSE__ record signifies that this server is the Primary Domain Controller (PDC) or the Backup Domain Controller (BDC). You can also see that the Administrator is logged on.
To connect to the server \\pluto, I pressed Start, chose Run, and entered
\\pluto.server.com
Screen 4 shows that I can connect as a guest. (In NT 4.0, I connected easily; in NT 3.51 and Windows 95, I had to add records to the LMHOSTS file.)
Next, I connected to the company's printer (everyone wants to print something on a cool color laser printer) and printed a small letter saying that I had broken into the company's network. Funny, isn't it?
Security tip:
In any book about NT, you will read, "Disable the Guest account." Moreover, NT Server disables the Guest account by default, so I don't know why this company had enabled it. Stop reading now! Look in User Manager, and disable the Guest account if it is enabled!
On another project I worked on, I found that somebody had installed Network Monitor Agent (NMA) on his computer, as Callout A in Figure 5, page 181, shows. (NMA lets a network administrator use Network Monitor to track activity on that remote client.) Do you know what the record marked in Callout A is? It is the NMA signature. If people are foolish enough to put NMA on a computer, you can use your network sniffer in their network. Even if they use a password, you can use the tool at http://www.nmrc.org/files/nt to break in by brute force.
Security tip:
Never install NMA at your site if someone can view it from the Internet; NMA is a very dangerous toy.
At this point, I wrote a complete report about the company's domain and the computers with the Guest account enabled. I wrote many recommendations about security (e.g., rename or disable the Administrator account, and disable the Guest account). It was Friday evening, and I went home. On Monday morning, I had an email from the Web master saying he appreciated my work. He promised to send my prize soon. Good beginning of the day.
I forgot this case, but two weeks later, I had another email from my victim. He asked me to continue my security analysis and try to gain access to their site's database. (You can understand that a vulnerable database could cost the company much money. The managers were afraid that a hacker could steal their database, in the same way that I had viewed their user list.)
Penetration of SQL Server
I checked whether the database administrator had changed the sa password (can you believe that he knew about these problems for more than two weeks and didn't do anything to protect the site?). I wanted to find the server where SQL Server resided, but I needed access as a guest. I checked my records, put some lines in my LMHOSTS file, and then used the nbtstat -R command to reload the NetBT cache without rebooting the server:
555.555.200.5 priny #PRE
555.555.200.16 pluto #PRE
...
555.555.200.23 insernia #PRE #DOM:eeg1
Reload the NetBT cache:
nbtstat -R
I checked all the computers with the Guest account enabled, but I didn't find any SQL servers. He apparently had installed SQL Server on the computer that had the Guest account disabled. Wasn't he smart?
What could I find on the computers with the Guest account enabled? One person's computer with Guest enabled had a shared folder with Read permissions for everyone. I took a look.
Wow! In one folder, I found the file drwtsn32.log, a Dr. Watson crash log. For most users, the log is completely useless, but for experienced professionals, it can be very useful. Screen 5, page 182, shows the contents of this log. Do you see what I noticed? I could see the domain name (EEG1), a username (HCAPSUser1), and something that looked like a password (grk***). To test my theory, I connected to the server with the Guest account disabled as user EEG1\HCAPSUser1 with password grk***. I could log in!
I ran SQL Server Enterprise Manager. EM is a useful program for browsing databases and performing other administrative tasks. However, most companies prefer that only the systems administrator use EM.
Could I log in? Yes, success! As Screen 6, page 182, shows, I was now the systems administrator, not in the domain, but for the SQL Server database. I could do anything with this SQL server.
The administrator had been worried about someone stealing the user list, so I looked at the list to see why he was concerned. As Screen 7, page 182, shows, I typed a simple query that shows everything in the table named tblMember.
Wow! Too much information for me: names, email addresses, postal addresses, credit card numbers, logon names, passwords, and much more--all the information about visitors to this site. If anyone knows what I can do with 74,342 credit card numbers, please call me. It was time to write a letter to the Web master about another hole in the system.
Can you believe that I could read all this sensitive information so easily? Subscribers and shoppers on this site have reason to be afraid of this kind of Internet commerce. If database administrators don't know how to secure this sensitive information, hackers can steal credit card numbers not by using sniffers to trace Web traffic but by cracking databases on real servers.
Security tip:
Keep SQL Server hidden from the Internet. You can install an expensive firewall or just run SQL Server over the NetBEUI protocol on a different server. I'm not the only one who makes this recommendation--check with Microsoft.
I was ready to finish the security testing and see what else I could do with this server. I created a user in the EEG1 domain with the name Andrey and the password mypassword:
xp_cmdshell 'net user Andrey mypassword /add /domain'
The SQL Server extended stored procedure xp_cmdshell executes valid NT commands on the server and displays the results. Then, with one more command
xp_cmdshell 'net group "Domain Admins" Andrey /add /domain'
my account became an administrator in the EEG1 domain, and I could do anything with this network.
Let's publish something on their Web site. I can connect to any share--even a hidden share--on this server. I pressed Start, chose Run, and entered
\\priny\c$
Now I've connected to the hidden root share on the C drive.
I typed a small HTML file (hack.htm) and copied it to the wwwroot folder, which contains all the HTML files for their Web site. Screen 8 shows the file I typed.
Did you hear about the hacker who changed the home page at http://www.cia.gov? I didn't do it, but I think the hacker worked the way I did.
Security tip:
A hacker can't break into your system this way if you take the following precautions:
Disable the xp_cmdshell stored procedure and disable access to the Registry from stored procedures
Run SQL Server under a user account (not a system account) with restricted permissions
Change the systems administrator password
Install SQL Server on a computer hidden from the Internet
Don't debug programs on a computer connected to the Internet
Don't run any Web scripts from the sa account
Disable the Guest account everywhere
Don't run NMA on a computer inside a public network
Set only Execute rights for Web-script folders
Install all patches from the Microsoft Web site
Think like a hacker about security
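The sa-without-a-password finding, the xp_cmdshell step, and the precaution list above translate into a few checks and fixes. The T-SQL below is an added audit-and-remediation script, not from the article, and assumes a current SQL Server (2008 R2 or later); on the SQL Server of the article's era the equivalents were sp_password for the sa login and sp_dropextendedproc for xp_cmdshell.

```sql
-- Added example (not the article's code). Assumes SQL Server 2008 R2+
-- and a login with CONTROL SERVER (needed to read password hashes).

-- 1. Is xp_cmdshell enabled? The intruder used it to run
--    "net user ... /add /domain" as the SQL Server service account.
SELECT name, value_in_use          -- value_in_use = 1 means enabled
FROM   sys.configurations
WHERE  name = 'xp_cmdshell';

-- 2. Which SQL logins still have a blank password? (Here it was sa.)
SELECT name, is_disabled
FROM   sys.sql_logins
WHERE  PWDCOMPARE('', password_hash) = 1;

-- 3. Which Windows account runs the engine? A service account with
--    domain rights is what turned xp_cmdshell into a domain-admin grant.
SELECT servicename, service_account
FROM   sys.dm_server_services;

-- Remediation for the findings above.
-- Turn xp_cmdshell off (it sits behind 'show advanced options').
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;

-- Give sa a real password, then disable it so no script can use it.
-- The placeholder below must be replaced before running.
ALTER LOGIN sa WITH PASSWORD = '<replace-with-long-random-password>';
ALTER LOGIN sa DISABLE;

-- Give the Web scripts their own least-privilege login instead of sa.
-- web_app and MemberDb are hypothetical names for this example.
CREATE LOGIN web_app WITH PASSWORD = '<replace-with-long-random-password>';
USE MemberDb;
CREATE USER web_app FOR LOGIN web_app;
-- Grant only what the scripts need, e.g. EXECUTE on their procedures,
-- never server-level roles:
GRANT EXECUTE ON SCHEMA::dbo TO web_app;
```

Run the three SELECTs on every SQL Server that a Web script can reach; any row from the second one is the exact condition the story turned on.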
When you need remote control of a system via the Internet, RemotelyPossible/32 is a nice program that can help; it works very fast. I downloaded an evaluation version from http://www.avalan.com. If I wanted to be the administrator of the company's computer, I could install RemotelyPossible/32 on my computer and on the computer on the other side of the earth.
As you can see, I had gained full access to the EEG1 domain and could do anything with the company's network. Don't let this kind of intrusion happen on your network.
Some Security Resources
Many articles in computer magazines discuss security in general and in NT. Windows NT Magazine highlights the most important places you need to check in your NT Server. The most informative security Web sites that I've found are http://www.microsoft.com/security and http://www.ntsecurity.org.
I also recommend that you hire a good security consultant or buy good software for security advice. The Windows NT Magazine Lab reviewed several NT security software products in Lab Reports in the magazine's October 1997 issue.
My favorite product is Kane Security Analyst from Intrusion Detection. This security assessment tool analyzes NT domains, servers, and workstations for security exposure; it can give you a lot of information about your system's security. You can download an evaluation version from http://www.intrusion.com. The company also offers Kane Security Monitor, a new utility for online monitoring. I highly recommend that you download it right now.
This article illustrates many security problems an NT server can have, but NT doesn't cause those problems; people cause them. Therefore, you need to think about security from a hacker's point of view. A recommendation that you check your security usually means that a hacker can gain access to sensitive information on your site. Close any open doors as soon as possible; the gaps can be dangerous for your system, and not all guys are as good as I am.
OK, I'll be at the airport very soon. The systems administrator I talked about in this article asked me to come and make all the changes needed to protect the company's site from attacks. I love to be in different countries, so it's time to go. See you later.