Saturday, 5 January 2013

Now what? (a lot of the stuff in the HTTP/S part is repeated here – you might want to look there as well)

Most books and papers on the subject of hacking stop at the point
where the attacker has gained access to a system. In real life this is
where the real problems begin - usually the machine that has been
compromised is located in a DMZ, or even on an offsite network. Another
problem is that the compromised machine has no probing tools or
utilities, and getting such tools to work on an unknown platform is not
always easy. This chapter deals with these issues. Here we assume that a
host is already compromised - the attacker has some way of executing a
command on the target, be that inside a Unix shell or via an MDAC exploit.
The chapter does not deal with rootkitting a host.
Some hosts are better for launching second-phase attacks than others -
typically a Linux or FreeBSD host is worth more than a Windows NT webserver.
Remember - the idea is to penetrate further into the network. Unfortunately,
you cannot always choose which machines are compromised. Before we get
platform specific, let us look at what to do when a host is compromised.
The first step is to study one's surroundings. With 1:1 NAT and other
address-hiding technologies you can never be too sure where you really are.
The following bits of information could help (much of this is really common
sense, so I won't be explaining *why* you would want to do it):
1. IP number, mask, gateway and DNS servers (all platforms)
2. Routing tables (all platforms)
3. ARP tables (all platforms)
4. The NetBIOS/Microsoft network - hosts and shares (MS)
5. NFS exports (Unix)
6. Trust relationships - .rhosts, /etc/hosts.allow etc. (Unix)
7. Other machines on the network - /etc/hosts, LMHOSTS (all platforms)
All of the above will help to form an idea of the topology of the rest of
the network - and as we want to penetrate further into the network, that is
helpful. Let us assume that we have no inside knowledge of the inner network
- that is, we don't know where the internal mailserver is located, we don't
know where the databases are located, etc. With no tools on the host
(host as in parasite/host), mapping or penetrating the inner network is
going to take a very long time. We thus need some way of getting a (limited)
toolbox onto the host. As this is quite platform specific, we start by
looking at the more difficult platform - Windows.
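The trust relationships and NFS exports in items 5 and 6 are exactly what an administrator should audit before anyone else reads them. The Python below is an added example, not code from the original post: it parses constructed sample contents of ~/.rhosts, /etc/hosts.allow and /etc/exports (the hostnames and addresses are invented) and flags entries that extend trust to every host or hand out root on an export.

```python
"""Audit the Unix trust files listed above for entries that trust everyone.
Added example; the file contents below are constructed, not from a real host."""

# Constructed sample contents (invented hosts and networks).
RHOSTS = """\
# trusted hosts for rlogin/rsh
fileserver.corp.example  backup
+ +
"""
HOSTS_ALLOW = """\
sshd: 10.1.0.0/255.255.0.0
ALL: ALL
portmap: 10.1.2.0/24
"""
EXPORTS = """\
/export/home  10.1.0.0/16(rw,sync)
/export/pub   *(ro)
/srv/build    build1(rw,no_root_squash)
"""

def _lines(text):
    """Yield non-empty lines with '#' comments stripped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line

def audit_rhosts(text):
    """Flag .rhosts entries whose host or user field is the '+' wildcard."""
    return [line for line in _lines(text) if "+" in line.split()]

def audit_hosts_allow(text):
    """Flag hosts.allow rules whose client list contains ALL."""
    findings = []
    for line in _lines(text):
        _daemons, _, clients = line.partition(":")
        if "ALL" in [c.strip() for c in clients.split(",")]:
            findings.append(line)
    return findings

def audit_exports(text):
    """Flag exports open to any client ('*' or no client at all) or with no_root_squash."""
    findings = []
    for line in _lines(text):
        path, *clients = line.split()
        for client in clients or ["*"]:          # no client field means "everyone"
            host, _, opts = client.partition("(")
            if host in ("", "*") or "no_root_squash" in opts:
                findings.append(f"{path} -> {client}")
    return findings
```

Run the three audit functions against the real files on a host you administer; every returned line is a trust relationship worth tightening.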
