Use of the Exploit
Now that it has been established whether the system is vulnerable to the msadc.pl exploit, and that it is possible to execute remote commands on the
system, precisely which commands to run must be considered.
Potential attacks could revolve around either system enumeration or
gaining further control.
If the port scan revealed access to ports other than TCP/80 on the
system, a tool such as netcat could be installed on the port to permit
future shell connections, although this would give no extra control over
the system.
It may be more useful to install a Trojan such as BO2K on such an open
port, permitting access to further local system information. Access to
the system and registry from the privileged shell could also be used to
enumerate:
• System information
• Users
• Network shares
• Sensitive data
This may also reveal trust relationships with other hosts that would
allow access to further systems having exploited the web server.
Example
In this case, a series of commands will be run to produce a local backup
of the sam._ security file on the system, and then to transfer the file off
the server to the attack machine. This will then enable an NT password
cracker to be run, in this case L0phtCrack, to gain passwords which
may prove useful later in this attack on the site.
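From the defender's side, the activity described above leaves a trace in the web server log before any command runs: msadc.pl drives the IIS RDS DataFactory endpoint, /msadc/msadcs.dll, with POST requests. The following detection script is an added example and is not part of the original write-up; the endpoint path and the IIS W3C log format it parses are assumptions drawn from general knowledge of the exploit rather than from the page, and the log lines are constructed samples.

```python
"""Detection example (added; not from the original write-up): flag IIS W3C
extended log entries that look like RDS/msadc exploitation attempts.

Assumptions (not stated on the page): msadc.pl reaches IIS through POST
requests to the RDS DataFactory endpoint /msadc/msadcs.dll, and the web
server writes W3C extended logs with the fields named in the #Fields line.
"""
from typing import Iterator, List, Optional, Tuple

# Constructed sample log lines in IIS W3C extended format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 4.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
1999-08-01 10:00:01 192.0.2.10 GET /default.htm - 200
1999-08-01 10:00:05 192.0.2.77 POST /msadc/msadcs.dll - 200
1999-08-01 10:00:06 192.0.2.77 POST /msadc/msadcs.dll - 200
1999-08-01 10:00:09 192.0.2.77 GET /MSADC/MSADCS.DLL - 200
1999-08-01 10:01:00 192.0.2.10 GET /images/logo.gif - 304
"""

# Assumed endpoint path for the RDS DataFactory component.
RDS_ENDPOINT = "/msadc/msadcs.dll"


def parse_w3c(text: str) -> Iterator[dict]:
    """Yield one dict per request line, naming columns from the #Fields directive."""
    fields: Optional[List[str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than mis-attribute columns
        yield dict(zip(fields, parts))


def is_rds_request(entry: dict) -> bool:
    """True when the request targets the RDS endpoint. The comparison is
    case-insensitive because IIS paths are, and case variation is a common
    way to slip past naive string filters."""
    return entry.get("cs-uri-stem", "").lower() == RDS_ENDPOINT


def find_rds_hits(text: str) -> List[Tuple[str, str, str]]:
    """Return (client ip, method, status) for every request to the RDS endpoint."""
    return [
        (e["c-ip"], e["cs-method"], e["sc-status"])
        for e in parse_w3c(text)
        if is_rds_request(e)
    ]


def suspicious_clients(text: str, threshold: int = 2) -> List[str]:
    """Clients with at least `threshold` successful POSTs to the RDS endpoint.
    Repeated 200-status POSTs match the pattern of command execution through
    msadc.pl; a single GET is more likely a scanner probing for the component."""
    counts: dict = {}
    for ip, method, status in find_rds_hits(text):
        if method.upper() == "POST" and status == "200":
            counts[ip] = counts.get(ip, 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for hit in find_rds_hits(SAMPLE_LOG):
        print("RDS endpoint hit:", hit)
    print("clients to investigate:", suspicious_clients(SAMPLE_LOG))
```

Because IIS does not log POST bodies by default, the commands themselves are not visible here; the log shows that the vulnerable component was reached, which is enough to trigger a host-side review of the server and, in the scenario above, to check whether the repair copy of the SAM has been read or copied.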