RE: Anatomy of a slightly better hack

["Matt Fisher" <mfisher () spidynamics com>]

I believe a lot of that stuff you can do right in the sqli if you're
already SA anyhow ... And seeing how every login form should POST, and
how POSTs aren't logged by the web server, and how SA can probably
destroy the db logging, and this would all be over ssl ... 

whoami: exec sp_who  
and just for the sake of doing it, exec sp_sysxlogins to enum all the
native/mixed mode accts, 
Could also use xp_isNTAdmin to check their status ;) 
Portscan: forgot the commands, it's in a paper som
hostname: select @@servername
portscan: select * from OPENROWSET(
'SQLoledb''server=172.17.0.3;uid=solong;pwd=nthx4alldaphishes',...
list services: mmm dunno, maybe brute xp_servicecontrol ? 
getsysteminfo: does xp_regread work on a remote machine ?


> -----Original Message-----
> From: Dave Aitel [mailto:dave () immunitysec com] 
> Sent: Wednesday, July 06, 2005 9:03 PM
> To: Matt Fisher
> Subject: Re: [Dailydave] Anatomy of a slightly better hack
>
> Matt Fisher wrote:
>
> > You can do most of that shizzle with the sqli anyhow, and 
> with unlogged 
> > POSTs too boot.
> >
> >
> >  
> You should post to the list. :>
> -dave
>
>
> > > -----Original Message-----
> > > From: dailydave-bounces () lists immunitysec com
> > > [mailto:dailydave-bounces () lists immunitysec com] On Behalf Of Dave 
> > > Aitel
> > > Sent: Wednesday, July 06, 2005 10:48 AM
> > > To: dailydave
> > > Subject: [Dailydave] Anatomy of a slightly better hack
> > >
> > >
> > > This article, generically titled "Anatomy of a Hack" has been 
> > > wandering around the net lately. I thought it'd be fun, as a group 
> > > exersize, to improve on the material. Admittedly, the 
> article is for 
> > > beginners, but maybe we can change that?
> > >
> > > http://www.microsoft.com/technet/technetmag/issues/2005/01/Ana
> > > tomyofaHack/default.aspx
> > >
> > > On thing I notice right away is that the article uses a lot 
> of tools 
> > > you pretty much have to guess at. What exactly does "DiscoverHosts" 
> > > do? The figures show you the output - I assume you can 
> download these 
> > > tools on some MSDN CD or something.
> > >
> > > I notice he's using Windows to hack with - which is funny, because 
> > > very few hackers actually use Windows as their desktop - there's no 
> > > GRSecurity for Windows. :>
> > >
> > > In any case, it probably would be better if he had used the 
> industry 
> > > standard nmap to do his scanning, like every other article. 
> NMap has 
> > > that neat "resolve all the domain names asyncronously" thing.
> > >
> > > The bit about XSS (just below the SQL Injection bit) is 
> oddly placed, 
> > > considering there's no guarantee this is actually cross site 
> > > scripting.
> > > It might or might not be, but we have no reason to think 
> either way at 
> > > this point.
> > >
> > > After that he uses xp_cmdshell('TFTP') to download netcat to his 
> > > target, although it would have been a lot cooler if he'd 
> used debug to 
> > > write a little .com to do that for him. And netcat is so...1980's. 
> > > These days you can get Hydrogen for free and have some real 
> > > encryption, file uploading/downloading, for roughly the 
> same size. You 
> > > could probably upload it via a debug script without having 
> to write a 
> > > stage0 downloader. Hacking without crypto is lame. I notice 
> he creates 
> > > a directory c:\warez, which is probably not optimal.
> > >
> > > One thing I notice about his dumpinfo tool is that it tells you all 
> > > the wrong things. Your first job when on a new box is not 
> to find out 
> > > the users on the box - it's to find out if you were caught 
> and clean 
> > > up any logs. He needs to first look at the processes and 
> see if anyone 
> > > is logged on locally - a screen shot is useful for this. (I 
> know, and 
> > > you thought CANVAS's screenshot module was just for kicks 
> and grins, 
> > > didn't
> > > you?)  "Are people sitting here editing word documents or 
> what?" I'm 
> > > about to generate a lot of disk activity, and I don't want 
> people to 
> > > be like "wtf?"
> > >
> > > He does do a pretty good job with the shared service 
> accounts gimmick, 
> > > but he misses that domain tokens can be in all sorts of random 
> > > processes
> > > - the web server is a good one. It's likely the domain 
> admin has been 
> > > admining his web server lately, and you can hop into that 
> process to 
> > > check to see if a token is sitting around for the taking.
> > >
> > > It's interesting how lucky he gets with LSADump. I never get lucky 
> > > enough to see anything interesting. Is this true for everyone else 
> > > too?
> > >
> > > Then he...mounts a drive. This is very non-covert. Mounting 
> drives is 
> > > very suspicious activity, even by windows admin standards. :>
> > >
> > > He decides to get logged and go through terminal services 
> so he can do 
> > > some "GUI hacking". I have no idea why he thinks this is a 
> good idea, 
> > > but I guess it makes for flashier screenshots.  Having Hydrogen 
> > > instead of netcat would make using socketpipe unnecessary.
> > >
> > > I notice he's careful to avoid saying which password 
> cracker he uses - 
> > > I assume john the ripper or l0phtcrack.
> > >
> > > Anyways, just some thoughts. Back to haxing.
> > >
> > > -dave
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > > _______________________________________________
> > > Dailydave mailing list
> > > Dailydave () lists immunitysec com
> > > https://lists.immunitysec.com/mailman/listinfo/dailydave
> > >
> > >    
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave