RE: Multi stage attacks on networks?
Dude, this happens all the time. It's the essence of a hack.
Case 1.
1. Webserver on the DMZ is running an older version of IIS that is
vulnerable to *insert your buffer overflow here* Attacker inserts trojan
and creates some variable that will either force the server to reboot
or make the admin reboot (maybe a DoS of some sort to trick a dumb
netadmin). Upon reboot, trojan is executed and attacker has full access
to the DMZ server.
2. Let's say hypothetically that the firewall has been mis-configured by
a sloppy netadmin who decided to choose ANY for the source and
destination interfaces to allow the DMZ server to access the internal
LAN via port 21 for uploading FTP files from an internal node. Now
attacker has the option to upload a trojan to the node on the internal
LAN. Let's also say that trojan.a has the ability to set up terminal
services on this box as well as change the default listening port to 21.
Voila. Attacker has basically exploited numerous vulnerabilities and
gained access to your internal LAN.
Case 2.
1. Citrix server set up for remote access. The box hasn't been patched in
a while. Stale username set up and attacker gains access to a user
account. Using privilege escalation via Debploit (sploit that calls the
Windows session manager debugging subsystem to attach to a priv process),
he now gains access to the local system account and creates himself a
nice admin account.
2. The Citrix server is not in a DMZ. Now that the attacker has access
to cmd.exe he/she decides to run kaht.exe on the local LAN, an RPC DCOM
scanner and sploiter. He finds 20 vulnerable boxes, gains access to 10
of them. One happens to be the payroll server. Case closed.
This topic actually does not belong in the bugtraq mailing list. It
should be on firewalls or security.
-----Original Message-----
From: Sudhakar-bugtraq Govindavajhala [mailto:sudhakar@xxxxxxxxxxxxxxxx]
Sent: Thursday, April 29, 2004 7:36 PM
To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Multi stage attacks on networks?
Hi
I am a Ph.D. student studying network security at Princeton
University. I am trying to see if an attacker can use a series of
vulnerabilities to take over a particular resource. Has there been
prior work on this topic earlier? Can someone give me a real example
where the adversary actually uses a series of vulnerabilities to break
into a resource?
Maybe he uses the webserver in DMZ and then uses it to get
access to fileserver and then uses it to compromise something else?
thanks for your time,
Sudhakar.
Sudhakar Govindavajhala Department of Computer Science
Graduate Student, Princeton University
(o) +1 609 258 1798
http://www.cs.princeton.edu/~sudhakar
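The two chains the reply lays out, and the "series of vulnerabilities" the quoted question asks about, can be written down as a small attack-graph reachability model: hosts and privilege levels are states, each vulnerability is an edge, and a firewall policy decides which edges are usable. The code below is an added example and is not code from the post, its author, or any tool named in it. The host names, ports, zones and firewall rules are constructed to mirror the two cases, and every vulnerability entry is a placeholder label, not an exploit; the model assumes traffic inside one zone is unfiltered and that a user-level shell on a box is enough to launch a scanner from it.

```python
"""Attack-graph search over the two multi-stage chains described above.

Added example, not from the original post. All hosts, ports, zones and
rules are constructed to mirror the post's two cases; the 'vulnerabilities'
are just labels that say which box can be used to reach which.
"""
from collections import deque

# Zone each host sits in (constructed topology).
ZONES = {
    "internet": "internet",
    "dmz-web": "dmz",             # old IIS box in the DMZ (case 1)
    "internal-node": "internal",  # node the DMZ box may reach on port 21
    "citrix": "internal",         # Citrix box that is not in a DMZ (case 2)
    "payroll": "internal",
}

# Remote footholds: (target host, port, privilege gained). Placeholders.
REMOTE_VULNS = [
    ("dmz-web", 80, "system"),      # IIS overflow, trojan run at reboot
    ("internal-node", 21, "user"),  # trojan uploaded over FTP
    ("citrix", 1494, "user"),       # stale account on the Citrix service
    ("payroll", 135, "system"),     # unpatched RPC DCOM
]
NO_CITRIX = [v for v in REMOTE_VULNS if v[0] != "citrix"]  # case 1 only

# Local escalations: (host, from privilege, to privilege). Placeholder.
LOCAL_VULNS = [
    ("citrix", "user", "system"),   # Debploit-style debug-subsystem escalation
]

# Policies are lists of (source zone, destination zone, port); "any" matches all.
PERIMETER_FW = [("internet", "dmz", 80), ("internet", "internal", 1494)]
INNER_MISCONFIGURED = [("any", "any", 21)]        # the sloppy rule from case 1
INNER_CORRECTED = [("internal", "dmz", 21)]       # node pushes to the DMZ, not back


def allowed(inner_fw, src, dst, port):
    """True if policy lets src talk to dst on port (same zone is unfiltered)."""
    sz, dz = ZONES[src], ZONES[dst]
    if sz == dz:
        return True
    policy = PERIMETER_FW if sz == "internet" else inner_fw
    return any(rs in ("any", sz) and rd in ("any", dz) and rp == port
               for rs, rd, rp in policy)


def attack_graph(inner_fw, remote=REMOTE_VULNS, local=LOCAL_VULNS,
                 start=("internet", "system")):
    """BFS over (host, privilege) states; returns {state: (parent, step)}."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        host, priv = state = queue.popleft()
        steps = []
        for target, port, gained in remote:
            if target != host and allowed(inner_fw, host, target, port):
                steps.append(((target, gained), f"{host} -> {target}:{port}"))
        for h, frm, to in local:
            if h == host and priv == frm:
                steps.append(((h, to), f"escalate on {h}: {frm} -> {to}"))
        for nxt, label in steps:
            if nxt not in parent:
                parent[nxt] = (state, label)
                queue.append(nxt)
    return parent


def reachable_hosts(inner_fw, **kw):
    """Hosts on which the attacker ends up with some shell."""
    return {host for host, _ in attack_graph(inner_fw, **kw)} - {"internet"}


def attack_path(inner_fw, goal, **kw):
    """Ordered list of steps from the internet to goal, or None if unreachable."""
    graph = attack_graph(inner_fw, **kw)
    if goal not in graph:
        return None
    path, state = [], goal
    while graph[state] is not None:
        state, label = graph[state]
        path.append(label)
    return path[::-1]


if __name__ == "__main__":
    goal = ("payroll", "system")
    print("case 1:          ", attack_path(INNER_MISCONFIGURED, goal, remote=NO_CITRIX))
    print("case 1, fixed fw:", attack_path(INNER_CORRECTED, goal, remote=NO_CITRIX))
    print("case 2:          ", attack_path(INNER_CORRECTED, goal))
```

With the "ANY/ANY port 21" rule in place the search finds the three-hop chain internet -> dmz-web -> internal-node -> payroll; tightening the rule to internal-to-DMZ only leaves the attacker stuck on the DMZ box. The Citrix chain survives the firewall fix, which is the reply's second point: a remote-access box that sits on the internal LAN gives a direct route to everything else there.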