//
you're reading...
Hacking / Counter Intelligence

Anatomy of a hack: Expanding compromised resources

So many kiddies I teach always stop to short in hacks these days. I see very few hacks that are extensive in that they go beyond an initial point of entry. Take the Westboro Baptist Church hack for example. Was it a simple DoS? NO! Was it limited to a single point of entry? NO! When they were owned, they were owned via every device with admin privileges on every device.

One of the biggest problems that one faces is that most systems are off during the nighttime hours that someone is in a network. SO TURN THEM ALL BACK ON! WOL or wake on lan is your friend. It is as simple as sending a packet to a mach address. For security reasons this is a non routed layer 2 technique wrapped with the typical security through obscurity bull that I facepalm over on a daily basis. I realize this topic is beneath me, and many of my peers are wondering why I am writing this. If you are a god like me, stop reading, and use this for the same reason I am writing it. Save the link, paste in channel, and tell the fkn n00b to RTFM.

After you breech a system it is important to immediately set it up as a beachhead for a more widespread attack. Root kits, User accounts, network map, log deletion, and controlling the network gateway are your immediate priorities.

In most cases a network administrator will block remote administration of their gateway devices, but leave the credentials as default. Even in cases where they have taken the precaution of changing the admin credentials, the device will still be vulnerable to information disclosure vulnerabilities via HNAP and CGI. You goal here is to get an IP and MAC address list from the gateway or whatever other device is serving DHCP.

download mc-wol.exe via http://www.matcode.com/wol.htm
execute the following via batch file

setlocal enabledelayedexpansion
FOR /F "tokens=2" %%i IN ('NETSH INTERFACE IPv4 SHOW NEIGHBORS') DO (
set macd=%%i  
mc-wol.exe !macd:-=:!)

Now would be a good time to download mc-wol.exe and send a WOL packet to each of those MAC addresses don’t you think?

Now that you have read this stupid article, stop thinking you are a rock star because you owned a web server and STFU kid.

Advertisements

About Pythorian

Exploration and Production oriented security consultant for securing IT infrastructures relating to natural resources.

Discussion

No comments yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: