LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHacked1LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPER2LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERTableofContents3ExecutiveSummary31.
WeakDatabaseCredentials4Easeofattackandimpact6Defense62.
LMHashandBroadcastRequests7Easeofattackandimpact10Defense103.
OpenShares10Easeofattackandimpact12Defense124.
Default/WeakCredentialsonSensitiveResources12Easeofattackandimpact13MisconfiguredApacheTomcatwithdefaultcredentials15VNC16DRAC16Defense175.
VulnerabilitieswithPublicExploits17Easeofattackandimpact18Defense18Summary18Acknowledgements19AboutTheAuthor19AboutMcAfeeFoundstoneProfessionalServicesThiswhitepaperwaswrittenby:AmitBagreePrincipalSecurityConsultantMcAfeeFoundstoneProfessionalServicesExecutiveSummaryTheintentofthispaperistopresentacompilationoftheeasiestandmostprevalentnetwork-basedtechniquesanattackercanusetogainaccesstosystemsanddata,alsopopularlyknownas"low-hangingfruit"intheinformationsecuritycommunity.
Moreoftenthannot,theseleadtocompletecompromiseofaMicrosoftWindowsdomain.
Thefocusofthispaperisongainingthefirstfootholdonthenetwork.
Thesemethodsarebasedonmypersonalexperienceandhencearesubjective,andmostpenetrationtesterswouldconcurwithmany,ifnotall,ofthem.
Thispaperdoesnotdiscussnewattacks,butratherpresentscommonlyknownmethodsoffindinglow-hangingfruit,theeasewithwhichtheycanbeexploited,theimpactofthisexploitation,and,finally,remediationsuggestionstoaddressthem.
Afteryearsofpenetrationtestingandahighsuccessrateofcompromisingdomains,myprimemotivationforwritingthispaperistohelporganizationsperformthesesothatweallupthegameofhackinganddefendingdata.
Thiswillbeofinteresttonetworkanddatabaseadministrators,aswellasapplicationowners,sothattheybecomebetterinformedaboutprotectingtheirassetsanddata.
Securityprofessionalswillalsofindthisinformationuseful,asitwillhelpthembecomemoreawareoftheseexploitswhiletheyperformpenetrationtesting.
Thisshouldalsohelpmanagementpersonnelunderstandthegravityoffindingonesuchfruitontheirnetwork.
Belowisacompilationoffiveofthelowest-hangingfruits.
1.
WeakDatabaseCredentialsDataisanorganization'smostpreciousasset,soitcomesasnosurprisethatdatabasesareaprimetargetforattackers.
Whatmakesitmorelucrativeforanattackerishoweasilymanydatabasescanbecompromised.
OneofthemostvaluedtargetsistheMicrosoftSQLserver,givenitsprevalenceandsneakyinstancesofMSDEs/SQLServerExpressgettinginstalledwithoutusers'awareness.
ItisstillnotuncommontofindMSSQLserversusingweakorblankpasswords.
Surprisinglythe"Enforcepasswordpolicy"(includingaccountlockoutfromtheOS),whichhasbeenavailablesinceMicrosoftSQLserver2005(9.
xx),isoftennotused.
Thismakesitextremelyeasyforanattackertoconductabrute-forceattackontheseSQLservers.
WHITEPAPERLowHangingFruits:TheTopFiveEasiestWaystoHackorGetHacked3LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedConnectWithUs4LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPEREaseofattackandimpactTherearemanywaystodiscoverMSSQLserversonanetworkandperformabrute-forceattack.
OneofmyfavoritetoolsisSQLPing3.
0,whichcanbeusedforbothMSSQLserverdiscoveryandbrute-forcing.
Theinterfaceisintuitive,andallyouhavetoprovideistheIPsandlistofusernamesandpasswordstotry.
Ensurethat"DisableICMPcheck"under"Options"isselectedtoperformathoroughdiscoveryandtoggle"Brute-ForcePasswords"accordingtoyourneed.
Figure1.
ThemanyinstancesofMSSQLserversdiscoveredonanetworkwithsomeofthemusingweakorblankpasswords.
BelowaresomeofthemostcommonMSSQLusernamesonwhichtoattemptabrute-forceattack:sasqladminprobedistributor_admindboguestsysAlthoughthe"sa"(securityadministrator)accountisthemostprivilegedaccount,ifanattackergainsaccesstoalesserprivilegedaccountlike"admin,"theycanstillattempttoescalatetheirprivileges.
Thefigurebelowshowsonesuchinstance,wherealesserprivileged"admin"accountwascompromised,andthenaSQLqueryisusedtorecoverthe"sa"useraccounthashwithasimpleSQLclient"issqlw.
"Figure2.
The"sa"hashretrievedfromtheSQLserver.
Forpre-2005versionsofMSSQL,youcanqueryadifferenttable:SELECTpasswordFROMmaster.
dbo.
sysxloginsWHEREname='sa';5LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERThiscanthenbecrackedusingadictionaryattackwithvariouspasswordcrackingtools.
ThefigurebelowshowsJohntheRippersuccessfullyretrievingthepasswordfromthehashabove.
Figure3.
Asuccessfuldictionarycrackingofan"sa"password.
Thislow-hangingfruitisveryenticing,as,inmostcases,notonlydoesthecompromiseofaMicrosoftSQLserverprovidecompleteaccesstothedatabasesthemselves,butalsototheunderlyingoperatingsystem(OS)—typicallyMicrosoftWindows.
Microsoftprovidespowerfulextendedstoredprocedureslike"xp_cmdshell,"whichcandirectlyinteractwiththeOSsoanattackercansimplyusethenetcommandstoaddhimselfasalocaladministrator:xp_cmdshell'netuserfstonePassPhrase!
0/add'xp_cmdshell'netlocalgroupadministratorsfstone/add'OrevenasadomainuserifSQLserviceaccounthasprivileges:xp_cmdshell'netuser/addfstonePassPhrase!
0/add/domain'Notethatjustdisablingextendedstoredproceduresprovidesnoprotectionsinceitcanbeeasilyre-enabled:sp_configure'showadvancedoptions',1reconfiguresp_configure'xp_cmdshell',1reconfigureOtherdatabases,suchasOracle,PostgreSQL,MySQL,andothers,arealsovulnerabletosimilarbrute-forceattacks.
YoucanfindvariouscredentiallistsspecifictotargetingthosedatabasesontheInternet.
HoweverthemethodstoescalateprivilegesforgainingaccesstotheunderlyingOSisnotalwaysstraightforward.
CompromisingaSybasedatabaseandescalatingprivilegesisverysimilartodoingsoinMicrosoftSQL,althoughitisnotascommonlyusedasMicrosoftSQL.
TodiscoverSybaseonanetwork,youcanuseNmapwiththe–sVflag,whichtypicallylistensonports5000-5004.
YoucanidentifySybaseinstancesviaotheropenportslistedhere,oryoucanalsousethefollowingNmapscript:nmap--scriptbroadcast-sybase-asa-discoverSybasealsousescommoncredentialslikeentldbdbo/dbopswd,mon_user/mon_user,sa/blank.
McAfeeVulnerabilityManagerforDatabasesisapowerfultoolthatcanperformdiscoveryandbrute-forcingofSybasedatabases,alongwithallotherpopulardatabasesaswell.
SybaseusespowerfulstoredprocedurescapableofinteractingdirectlywiththeOSjustlikeMicrosoftSQL.
Thereisaspecificxp_cmdshellconfigurationsettingthatdeterminesthesecuritycontextunderwhichxp_cmdshellexecutesinSybase.
SettingittozerowillexecutethecommandshellunderthesecuritycontextofSybaseitself.
Withthedefaultsetting,(1)xp_cmdshellwillexecuteunderthecontextoftheuserwhoisexecutingthequery.
6LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERFigure4.
Togglingtheextendedstoredprocedurexp_cmdshell'ssecuritycontext.
LikewithMicrosoftSQL,youcanthenusethe"net"commandstointeractwiththeOS.
Figure5.
Thexp_cmdshellbeingusedtoqueryWindowsuseraccounts.
DefenseBeginbysettingstrongpasswordsforallSQLserveraccounts.
Wikipedia'sarticlePasswordStrength:Guidelinesforstrongpasswordsisagoodstartingpoint.
Considerrenamingcommonaccountslistedabovetopreventsuchbruteforcingandassign"sysadmin"privilegestotherenamed"sa"account.
Mostimportantly,ensurethatyouuseSQLserver2005andaboveonWindowsserver2003andabovesoyoucanutilizetheOSloginpoliciesofpasswordcomplexityandaccountlockout,asrecommendedherebyMicrosoft.
ForSybase,utilizethe"UserLoginLockout"policytocontrolaccountlockout.
2.
LMHashandBroadcastRequestsIfyouhaveevenremotelydealtwithsecurityinaWindowsenvironment,chancesareyouhaveheardoftheLANManager(LM)hash.
TheideaofahashistopreventreversingofthehashedvaluebacktoitsplaintextandOSsusethismethodtoavoiddisclosureofaccountpasswords.
However,withtoday'scomputingpower,LMhashhasbecomeaveryweakformofhashandlikelyarootcauseofmanydatatheftsandcompromise.
7LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPEREaseofattackandimpactThefigurebelowdescribestheprocessofgeneratinganLMhashfromapassword—"Passphrase321.
"Figure6.
HowanLMhashisgeneratedfromapassword.
Notonlydoesthismethodsignificantlyreducethekeyspacethatyouneedtoguess,italsodoesnotusea"salt"—arandomvaluetopreventgenerationofthesamehashforthesamepassword.
Thismakesithighlysusceptibletopre-computeddictionaryattacks,suchasrainbowtables,whichrevealcleartextpasswordsinamatterofseconds.
FigurebelowshowssixLMhashesthatwerecrackedusinga4ATIRadeon6950GPUcardssetup.
Figure7.
HowquicklyLMhashescanbecracked.
AllMicrosoftOSs,includingandpriortoWindowsXPandWindowsServer2003,usedLMhashesbydefault,and,althoughorganizationsareslowlyupgradingtolatestsystems,itonlytakesasingleoldsystemonanetworktogetcompromised.
Inaddition,MicrosoftstillstorestheLMhashesfornewerOSsinmemoryforuserswithcurrentlylogged-oninteractivesessions,asdescribedindetailhere.
NotethatNTLMv1(thefirstupgradetoLM)isalsoaffectedbyseriouscryptographicvulnerabilitiesandcanbeeasilyreversedbutwillnotbedealtwithspecificallyinthispaper.
TherealinsidiousfactofexploitinguseofLMhashesonanetworkisthatyoudonotnecessarilyneedanyauthenticatedaccesstohostsonyourLAN.
Andyoudonotneedtouseanyhighlydisruptiveman-in-the-8LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERmiddle(MITM)techniques,likeARPspoofingeither.
AllanattackerhastodoisexploitthelackoftrustverificationinhownameresolutionworksonWindowsdomains.
MicrosoftdescribestheprocessofhostnameresolutionhereandNetBIOSnameresolutionhere.
Ifaresourceresolutionisrequestedforsayabcxyz.
com,thefigurebelowdescribeshowaWindowsOSwouldlookforananswer(IPaddress)fromsourcesinroughlythefollowingorder.
Figure8.
TheorderofresourcenameresolutionforMicrosoftsystems.
Ifanon-existentresourceisrequested,WindowssystemswouldsendoutaLLMNR(Link-LocalMulticastNameResolution)orNBNS(NetBIOSNameService)broadcastdependingontheOS.
OnlyWindowsVista/WindowsServer2008andabovesendLLMNRbroadcastmessagebeforesendingaNBNSbroadcast.
Thesebroadcastmessagesblindlytrusttheresponses,andallanattackerneedstodoisrespondback,tellingthevictimtoconnecttothem.
Then,dependingonthetypeofrequestandtheOSconfiguration,thevictimmayactuallysendLMorNTLMv1hasheswithitsfollow-upquery.
AndthatisallanattackerneedstodotogetaLMhash:listenforNBNSandLLMNRbroadcastrequestsontheLANandrespondbackwiththeirIPaddresstoconnectbackto.
Youwouldbeamazedathowmanysuchqueriesflybyonanetwork.
Givenenoughtimeorabusynetwork,anattackerwouldseelotofmistypedURLs,resourcerequestsfornon-existentprinters,drives,andmore.
9LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERThefiguresbelowshowtwoofmyfavoritetoolstoexploitLMhashesasdescribedabove.
Figure9.
Metasploit'sNBNSspoofingmodule.
BysettingtheirownsystemasSPOOFIPinMetasploit'sNBNSspoofingmodule(auxiliary/spoof/nbns/nbns_response),anattackertricksthevictimstoconnectbacktothemwhenrequestingforanon-existentresource.
WhenusedalongwithcoupleofotherMetasploitmodulesforcapturingthehashessuchasSMB(auxiliary/server/capture/smb)andHTTP_NTLM(auxiliary/server/capture/http_ntlm),thiscanleadtopasswordswithoutmucheffort.
Figure10.
CapturedandcrackedNTLMv1passwords.
Responder.
pyisapythonscriptwrittentotakeadvantageofthisbroadcastbehaviorandotherWindowsdefaultnetworkconfigurations.
YoucanuseittospoofNBNS,aswellasLLMNRrequestsandactiveman-in-the-middleWPADrequests.
Thefigurebelowshowsanexampleconfiguration.
Figure11.
ActivespoofingforNBNS,LLMNR,andWPADrequestsalongwithforcedNTLMandLMauthentication.
YoucanfindmoredetailsontheResponderscripthere.
10LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERDefenseThebestdefenseagainstexploitationofLM/NTLMv1hashesistocompletelyeliminateusingthemonthehostsandnetworks.
Ideally,youcoulduseagrouppolicyforthefollowingtwosettingsforallhostsonanetwork:Networksecurity:DonotstoreLANManagerhashvalueonnextpasswordchange–EnabledNetworksecurity:LANManagerauthenticationlevel–SendNTLMv2responseonly.
RefuseLM&NTLM.
Thesecanalsobesetforindividualhostsviathe"LocalSecurityPolicy,"whichmisstheglobalsettingforvariousreasons.
Ensurethatpasswordsforallaccounts,includingserviceaccounts,arechangedwhenthepolicyisbeenapplied.
Inaddition,considerenforcingpasswordlengthsof15charactersormoreforHLA(HighLevelAccess)accountstoautomaticallyensurethatLMhashesarenotstoredeveninmemory,asdiscussedearlier.
Finally,considerimplementingamonitoringtooltodetectspoofingattacksasdiscussedhere.
3.
OpenSharesSometimesyoudon'thavetobreakadoortoenterin—it'ssimplyleftopen.
Anditisimportanttorememberthatcompromisingsystems,applications,andpasswordsisultimatelyjustameanstotherealend—data.
Likeweakcredentialsondatabases,opensharesareanothergoldmineforanattacker,anditisnotuncommontoseethempoppinguponnetworkseverynowandthen.
Opensharesaresharesaccessibleoverthenetworkwithoutanycredentials.
Thisistypicallyaresultofmisconfigurationandhasledmetodiscoverallsortsofsensitiveinformation,includingSocialSecuritynumbers(SSNs),creditcarddata,passwords,payrollinformation,andmore.
Andwhat'sworsethanstoringsensitivedataonanon-encryptedfileKeepingthatfileinaworldreadableshare.
EaseofattackandimpactFindingopensharesandsensitivedatainsidethemisextremelyeasywiththeuseofrighttools.
MyfavoritetoolisSoftperfect'sNetworkScanner(Netscan).
YoucanimportalistofIPsyouwouldliketotestorevenprovidearange,asseeninthescreenshotbelow.
Figure12.
FigureshowsIPrangeinputfieldsforNetScan.
Underthe"Options:->"Shares"menu,youcanselectthe"Enablesecurityanduserpermissionscan"tocheckread/writeprivilegesontheshares.
Uponpressingthe"StartScanning"button,itwouldlookforsharesonalldiscoveredIPaddresses.
Youcanthenapplythesharesfilter()toonlylookatsystemswithavailablesharedfolders.
Theredmarkedfoldersaresharesaccessiblewithoutauthentication.
Belowareacoupleofexamplesofhowfindingsuchopensharesonanetworkarenotthatrare.
11LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERFigure13.
Systemsdiscoveredwithopennetworkshares.
Figure14.
Systemsdiscoveredwithopennetworkshares.
Onceyoufindanysuchshares,thenextlogicalstepforanattackerwouldbetolookforsensitivedata.
AndmyfavoritetoolforthisjobisAstroGrep—aWindowsbased"grep"utility.
Apartfromkeywords,italsosupportsregexsoyoucanlookforSSNs,creditcardnumbers,andotherformatteddata.
Figure15.
AfileonanetworkaccessiblesharewithcredentialspossiblyforaMicrosoftaccount.
12LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERFigure16.
Sensitivedataofauser'sdesktopbackeduponanetworkaccessibleshare.
DefenseAsthesayinggoes"thereisnopatchformisconfiguration.
"Thebestdefensetopreventsuchinadvertentexposureofdataiseducationanddetection.
Networksecurityteamsinorganizationsneedtocontinuouslylearntherisksofmisconfigurednetworksharesandroutinelyusemethodssuchastheonesdescribedabovetodetectopensharesontheirnetwork.
Thisshouldbecomepartofthesecuritylifecycle.
4.
Default/WeakCredentialsonSensitiveResourcesThismethodofattackisessentiallyawaytolookforanyresourceswhichcanbeeasilycompromised.
Typically,themostlucrativewayistolookforweak/defaultcredentials.
Plus,iftheseresourcesaresensitive,anattackerhitsthejackpot.
EaseofattackandimpactTolookfordefaultorweakcredentialsdoesnotrequirerunningacomprehensiveautomatedvulnerabilityscan.
Therearemultipletoolsthatcanusedtoaccomplishthisgoal.
Followingarefiveofthemostfruitfulones:RapidAssessmentofWebResources(RAWR):Aquickandcomprehensivewaytolookatallwebresourcesonanetwork.
ItisapythonscriptandusesphantomJStotakescreenshotsoflandingpagesofallwebresourcesdiscoveredandpresentsitinasearchableHTMLreport.
ItisavailableonBacktrack6andtakesinvariousfileformats,suchasNmap,Nessus,andMetasploit,forinput.
Mostimportantly,itprovidesdefaultpasswordsuggestionsusingseveralonlinesources.
Eyewitness:Anotherpythonscript(thereisaRubyversionaswell)thatusesGhost.
pyforwebpagescreenshots;ittakesinvariousfileformats,includingNmap,Nessus,andAmap;anditisdesignedtorunonKali.
Itgroupstogethersimilarwebpages,likedefaultserverpagesandprovidespasswordsuggestionsaswell.
13LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERNmaphttp-screenshotscript:FinallythereisanNSEscriptthatallowsyoutoscananetworkwithNmapandtakeascreenshotofeverywebpageatthesametime.
Itusesthe"wkhtmltoimage"librarytotaketheimages.
NessusDefaultCommonCredentialsScanPolicy:Whiletheabovethreetoolsfocusonwebresources,thisNessuspolicyismuchbroaderandlooksfordefaultandeasilyguessablecredentialsforallkindsofresources,suchasnetworkingdevices,OSs,databases,andothers.
Ihaveexcludedsomeoftheplug-insfromthispolicythatperformuserenumerationandbrute-forcetypeofattackstopreventdisruptionofservices.
Soensurethatyoureadthroughtheselectedplug-insbeforelaunchingthisscan.
NBTEnum3.
3:AnothercommonblindspotformanyITteamsisuseraccountsonOSs,especiallyserviceaccounts.
NBTEnum3.
3isoneofthemanytoolsanattackercanusetotakeadvantageofweakcredentialsonsuchaccounts.
Thistoolprovidesanicefeaturetoperformpasswordcheckingonlywhenthe"accountlockoutthreshold"issettozero.
Itisveryeffectiveinfindingaccountswithhavepasswordsthatarethesameastheusername.
Believeitornot,entiredomainshavebeencompromisedusingthismethod.
Figure17.
Twouseraccountsdiscoveredusingpasswordsthatarethesameastheusername.
Toofferapeekintowhatkindofdamagethesedefault/weakcredentialscanleadto,takealookatthefollowingexamples.
MisconfiguredApacheTomcatwithdefaultcredentialsSinceit'sthemostpopularwebserver,itisnotuncommontocomeacrossinstancesofApacheTomcatmisconfigurationstoenablemanageraccessandusedefaultcredentials(admin/admin,tomcat/tomcat).
Manytimes,thesemisconfigurationstendtobetestinstances.
However,theycanbevaluabletargetsforanattackeriftheyarepartofaWindowsdomain,asthiswouldpresentopportunitiesforprivilegeescalation.
14LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERSinceTomcattypicallyrunswith"SYSTEM"privilegesonaWindowssystem,anattackercaneasilycompromisethehostOS,asseenbelow.
Figure18.
TomcatManagerapplicationaccessedwithdefaultcredentials.
Usingaweb-basedshell,suchasLaudanum,allowseasyshellaccesstothehostOS.
Figure19.
TheJSPcommandshellexecuting"whoami.
"Figure20.
"Localadministrators"ontheserver.
15LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPEROryoucanusetheMetasploit"ApacheTomcatManagerApplicationDeployerAuthenticatedCodeExecution"module.
Figure21.
ApacheTomcatManagerusingdefaultcredentials.
Powerfulremotecontrolandadministrativeapplications,likeVNC,DRAC(DellRemoteAccessControl),Radmin,andPCAnywhere,cansometimesuseno/default/weakpasswords,and,oncediscovered,theynotonlyprovideaccess,butalsoawealthofinformationaboutanorganization'sbusiness.
Screenshotsbelowprovideaninsidelookatsomesuchdiscoveries.
VNCFigure22.
AnactiveSSHsessionviewedoveracompromisedVNCconnection.
Figure23.
SensitivetradingapplicationdataoveracompromisedVNCconnection.
16LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERFigure24.
Auser'semailsoveracompromisedVNCconnection.
DRACFigure25.
DRACusingroot/calvinpasswordcombination.
Figure26.
"ConsoleRedirectionConnection"screenprovidesfullremotecontrolofthesystem.
DefenseTherootcauseofthislow-hangingfruitislackofstrongpasswords—allstepstakentoaddressthatwouldhelppreventitsexploitation.
Useadefense-in-depthapproach,startingwithdocumentingastrongpasswordpolicythatclearlydefinesinclusionofthird-partyandsensitiveapplications.
Theproceduredocumentationshouldlistthelength,complexity,andlockoutrequirements,pertheacceptablerisklevel.
Enforcingsuchpolicyisnotsimplyamatterofsoftwareimplementation,butalsoeducationandawareness.
Makesuretoalsoincluderoutinetestingwiththetoolsandmethodsdiscussedaboveforstrongenforcement.
17LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPER5.
VulnerabilitieswithPublicExploitsAsadefender,ifyouhavenotbeencompromisedthusfarusinganyofthemethodsabove,youhavedoneagoodjob.
Inmypersonalexperience,amajorityoforganizationsfailtoprotectthemselvesagainsttheabovetechniques.
Andifyoucanprotectagainstthisfifthlow-hangingfruit—vulnerabilitieswithpublicexploits—anattackerwouldknowtheyareupagainstafairlysecurity-matureorganization.
Youwouldalsonotethatthismethodofgainingafootholdonthenetworkistypicallynoisierthantheonesdiscussedearlier.
EaseofattackandimpactHavingavulnerabilityisonething,andhavingavulnerabilitywithapublicallyavailableexploitisanother.
Metasploitexploitationframeworkandexploit-db.
comaretwoofthelargestsourcesoffreepublicallyavailableexploits.
Twoofmyfavoritewaystomakeuseoftheseexploitsareexplainedbelow:ByusingaNessusscanpolicyselectingonlyvulnerabilitychecksfilteredby"ExploitAvailable=True.
"Thiscanquicklyprovidealistoflucrativetargetsthatareexploitableandcanalsopossiblyprovideremoteaccess.
Figure27.
AscreenshotofNessus'sfiltertoonlyselectvulnerabilitychecksthathaveanexploitavailable.
ByimportingNmapscanresultsintoMetasploit.
AftertyingaPostgreSQLdatabasetoMetasploitandimportingalllivehosts,openportsandservicesdata,Metasploitprovidesveryusefulmodulestotargetspecificsystemsorservices.
Basedonexperienceandknowledgeoftheenvironment,anattackercanselectivelygoaftertargetsthatcanbevulnerable.
AgoodprimerforusingthisMetasploitfunctionalitycanbefoundhere.
Thescreenshotsbelowshowasmallsampleofeasyexploitationofsuchvulnerabilitiesandthelevelofaccesstheycanprovidetoanattacker.
Figure28.
ExploitationofMS08_067,whichprovidesremoteaccessandhashesforuseraccountsfromthelocalSAMdatabase.
18LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERFigure29.
ExploitationofMS09_050allowingremoteadministrativeaccesstothesystem.
Figure30.
FigureshowsexploitationofCVE-2009-1429allowinganattackertoaddusertothesystem.
DefenseUseadefense-in-depthapproachtoprotectagainstsuchexploitationwiththebestlineofdefensebeingup-to-datepatchingforallsystemsandsoftwareallthetime.
Organizationsshouldlookintodevisingacomprehensivepatchmanagementstrategyfortimelyupdatesofallsystems.
Usesoftwareforpatchmanagementaswellasvulnerabilityscanning.
Useascanpolicy,asdiscussedabove,tolookexclusivelyforvulnerabilitieswithpubliclyavailableexploits.
Thiswouldprovidehighvalueforthetimeandmoneyinvested.
Alsoincludestrongblocking,monitoring,andloggingcapabilitiesforalltrustzoneswithinyournetwork.
SummaryThereyouhaveit—acollectionofthetopfivelow-hangingfruit.
AtMcAfeeFoundstoneProfessionalServices,wearepassionateabouthackingandsecuringorganizations,andIhopethiswhitepaperhelpsyouhackordefendbetter.
Iencourageyoutoshareyourthoughtsandfeedbackwithme.
AcknowledgementsAnoteofthankstoPalanAnnamalaiandCarricDooleyforprovidingareviewofthiswhitepaperandtoBradAntoniewiczforhissupport.
19LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHackedWHITEPAPERAboutTheAuthorAmitBagreeisaprincipalsecurityconsultantatMcAfeeFoundstoneProfessionalServices,basedoutofOrlando,Florida.
Heisthetechnicalleadfornetworksecurityservicesandanexpertatperformingpenetrationtests.
Hehasfocusedallhisenergiesonbreakingthingsapartsincechildhoodandenjoyssharingthosefailuresandsuccesseswithothers.
Hehelpsclientswithavarietyofsecurityneeds,developsnewservicelinemethodologies,andimprovesexistingmethodologieswithnewattacks,testingmethods,andremediationsuggestions.
Amitholdsamaster'sdegreeininformationsecuritytechnologyandmanagementfromCarnegieMellonUniversity.
AboutMcAfeeFoundstoneProfessionalServicesMcAfeeFoundstoneProfessionalServices,adivisionofMcAfee,offersexpertservicesandeducationtohelporganizationscontinuouslyandmeasurablyprotecttheirmostimportantassetsfromthemostcriticalthreats.
Throughastrategicapproachtosecurity,McAfeeFoundstoneidentifiesandimplementstherightbalanceoftechnology,people,andprocesstomanagedigitalriskandleveragesecurityinvestmentsmoreeffectively.
Thecompany'sprofessionalservicesteamconsistsofrecognizedsecurityexpertsandauthorswithbroadsecurityexperiencewithmultinationalcorporations,thepublicsector,andtheUSmilitary.
http://www.
mcafee.
com/us/services/mcafeefoundstone-practice.
aspxAboutMcAfeeMcAfeeisoneoftheworld'sleadingindependentcybersecuritycompanies.
Inspiredbythepowerofworkingtogether,McAfeecreatesbusinessandconsumersolutionsthatmaketheworldasaferplace.
Bybuildingsolutionsthatworkwithothercompanies'products,McAfeehelpsbusinessesorchestratecyberenvironmentsthataretrulyintegrated,whereprotection,detectionandcorrectionofthreatshappensimultaneouslyandcollaboratively.
Byprotectingconsumersacrossalltheirdevices,McAfeesecurestheirdigitallifestyleathomeandaway.
Byworkingwithothersecurityplayers,McAfeeisleadingtheefforttouniteagainstcybercriminalsforthebenefitofall.
www.
mcafee.
com.
McAfeeandtheMcAfeelogoandFoundstonearetrademarksorregisteredtrademarksofMcAfee,LLCoritssubsidiariesintheUSandothercountries.
Othermarksandbrandsmaybeclaimedasthepropertyofothers.
Copyright2017McAfee,LLC.
61429wp_low-hanging-fruit_0115JANUARY2015LicenseThescreenshotimagesandcontentofthiswhitepaper,"LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHacked"byAmitBagree,arelicensedundertheCreativeCommonsAttribution-ShareAlike4.
0InternationalLicense.
Toviewacopyofthislicense,visithttp://creativecommons.
org/licenses/by-sa/4.
0/.
2821MissionCollegeBlvd.
SantaClara,CA95054888.
847.
8766www.
mcafee.
com20LowHangingFruits:TheTopFiveEasiestWaystoHackorGetHacked
部落分享过多次G-core(gcorelabs)的产品及评测信息,以VPS主机为主,距离上一次分享商家的独立服务器还在2年多前,本月初商家针对迈阿密机房限定E5-2623v4 CPU的独立服务器推出75折优惠码,活动将在9月30日到期,这里再分享下。G-core(gcorelabs)是一家总部位于卢森堡的国外主机商,主要提供基于KVM架构的VPS主机和独立服务器租用等,数据中心包括俄罗斯、美国、日...
RAKsmart 商家这几年还是在做事情的,虽然他们家顺带做的VPS主机并不是主营业务,毕竟当下的基础云服务器竞争过于激烈,他们家主营业务的独立服务器。包括在去年开始有新增多个数据中心独立服务器,包括有10G带宽的不限流量的独立服务器。当然,如果有需要便宜VPS主机的他们家也是有的,比如有最低月付1.99美元的美国VPS主机,而且可选安装Windows系统。这里商家有提供下面六款六月份的活动便宜V...
Friendhosting发布了今年黑色星期五促销活动,针对全场VDS主机提供45折优惠码,虚拟主机4折,老用户续费可获9折加送1个月使用时长,优惠后VDS最低仅€14.53/年起,商家支持PayPal、信用卡、支付宝等付款方式。这是一家成立于2009年的老牌保加利亚主机商,提供的产品包括虚拟主机、VPS/VDS和独立服务器租用等,数据中心可选美国、保加利亚、乌克兰、荷兰、拉脱维亚、捷克、瑞士和波...
pcanywhere为你推荐
网络访问路由器上的访问网络是什么意思安徽汽车网安徽汽车票查询蓝色骨头手机蓝色骨头为什么还没上映www.983mm.com哪有mm图片?你懂得rawtools相机中的RAW是什么意思?777k7.comwww 地址 777rv怎么打不开了,还有好看的吗>comhaole16.com高手们帮我看看我的新网站WWW.16mngt.com怎么不被收录啊?www.vtigu.com如图所示的RT三角形ABC中,角B=90°(初三二次根式)30 如图所示的RT三角形ABC中,角B=90°,点p从点B开始沿BA边以1厘米每秒的速度向A移动;同时,点Q也从点B开始沿BC边以2厘米每秒的速度向点C移动。问:几秒后三角形PBQ的面积为35平方厘米?PQ的距离是多少www.javmoo.comjavimdb怎么看斗城网女追男有多易?喜欢你,可我不知道你喜不喜欢我!!平安夜希望有他陪我过
godaddy域名解析教程 smartvps webhostingpad 贵州电信宽带测速 100x100头像 双拼域名 1g内存 爱奇艺vip免费试用7天 web服务器搭建 双线asp空间 智能dns解析 新加坡空间 photobucket 美国迈阿密 测试网速命令 杭州电信 免费获得q币 winserver2008r2 服务器机柜 wordpress安装 更多