An interview of NeonSurge, from the security team Rhino9
Just to let you know: I chose not to put a title on the interview.
<Kitetoa> - First, let's try to understand what we're gonna talk about. You've connected through Telnet to servers on the internal network of one of the largest software companies in the world. Is that right?
<NeonSurge> Yes. It was a joint project by Rhino9. I didn't do it alone.
<Kitetoa> - Apart from "pure talent", was that made possible by a bug in the servers or by a hole in the network security policy?
<NeonSurge> It was the administrators' lazy policy that let us into their network.
<Kitetoa> Could you elaborate on the kind of servers, because it seems difficult to "enter" a company's network, because of the firewall, proxies etc.
<NeonSurge> Now... a lot of intruders would still not be able to get in, they just don't think the way they should.
<NeonSurge> The Anonymous FTP had readable...
<NeonSurge> It also had a shareware program installed on it called AbsoluteFTP
<NeonSurge> So we copied (read) the AbsoluteFTP config files and then downloaded and installed the shareware version of Absolute...
<NeonSurge> Then we copied over the files we got from the company's website into the shareware install we did....
<NeonSurge> Then we ran the program and sniffed the local network adapter card.. our own NIC... so we could easily read the packets... no sweat
<NeonSurge> Now we had not only the admin login and password, but we had total read ability on the server
<NeonSurge> So we uploaded NetBus....
<NeonSurge> And we uploaded NetCat...
<NeonSurge> We then executed NetBus via URL (to the scripts directory) through IIS... (http://blah.com/scripts/patch.exe)
<NeonSurge> Once NetBus was running... we executed NetCat through NetBus....
<NeonSurge> We bound NetCat to cmd.exe on the remote server, and had it listening on a port for connections....
<NeonSurge> We then connected via telnet to the NetCat program and copied over their sam._... the repair copy... and ran it through L0phtCrack
<NeonSurge> (Mad shout outs to L0phtCrack and their tools.)
<NeonSurge> And that's it
<NeonSurge> If the admin had not allowed anonymous read, we could not have gotten in as EASILY
<NeonSurge> We could still have gotten in, just not as easily
<NeonSurge> Any more questions?
<Kitetoa> What does AbsoluteFTP stand for (normally)?
<NeonSurge> AbsoluteFTP appears because AbsoluteFTP is a shareware FTP program.. like CuteFTP
<NeonSurge> (I'm sure the French use shareware stuff like CuteFTP)
<Kitetoa> yes
<NeonSurge> Ok...
<Kitetoa> Did you tell that company's people that you discovered that hole?
<NeonSurge> Yes we did...
<Kitetoa> What did they say and/or do?
<NeonSurge> We actually have a good working relationship with this company....
<NeonSurge> Whenever we find a problem in their network, we let them know... they send us free stuff...
<Kitetoa> ok
<NeonSurge> Whenever we find a problem in their products, we let them know before we make any public notices...
<NeonSurge> A lot of people would criticize us for this... We always try to let companies know about problems before we release information about the problem.... It's common courtesy.
<Kitetoa> I understand that
<Kitetoa> It's normal, I think
<Kitetoa> How big a problem is it for that company to have an open gate like yours? I mean, can you go further on their network from the servers you own?
<NeonSurge> The weakness we found allowed us to install a packet sniffer and collect over 70 usernames and passwords in 2 days
<NeonSurge> We collected all data off the local network....
<NeonSurge> Which left this 'large' company at our mercy.
<NeonSurge> We could have gone almost anywhere in their network.
<NeonSurge> But we didn't.
<Kitetoa> You say "We could have gone almost anywhere in their network". But I guess that this large company doesn't link the Internet part of its network to sensitive data like the servers where you can see their sales and payrolls and stuff...?
<NeonSurge> Actually... The server we got into was attached to the Internet...
<NeonSurge> We worked our way back into their sensitive servers from there.
<Kitetoa> You mean this is possible?
<NeonSurge> Absolutely
<Kitetoa> It's hard to believe
<NeonSurge> It all depends on the final configuration of the network
<NeonSurge> Example: If someone has 20 computers on a subnet, but only 1 computer is connected to the Internet... I can gain access to that one machine and then eventually gain access to all machines on that local subnet
<Kitetoa> Yes I know, but I mean, they must have plenty of firewalls, proxies, and all that stuff, don't they? Or, better, have the sensitive data totally physically disconnected from any Internet link?
<NeonSurge> Well.... their firewalls are configured to allow certain connections...
<NeonSurge> We played with the firewalls and found the connections they allowed and went for those weaknesses
<NeonSurge> That's actually a very standard technique....
<NeonSurge> You must keep in mind.. that this company WANTED us there.. and they didn't even know we were there...
<NeonSurge> Because of how we did it
<Kitetoa> Did they ask for an intrusion test?
<NeonSurge> They did
<Kitetoa> ok
<NeonSurge> They have other companies do security work as well, but they obviously didn't find as much as we did.
<NeonSurge> We obviously found a lot
<NeonSurge> Which backs up my theory about other companies....
<NeonSurge> A lot of companies have professional 'hackers'.. the problem with these companies is that they have lousy hackers, or they don't have enough hackers...
<NeonSurge> When I say enough hackers, I'm talking about a rotation.... You put hackers in the field for 2 or 3 months TOPS... then you take them out of the field for 2 or 3 weeks... to let them catch up and learn the latest techniques....
<Kitetoa> I understand
<NeonSurge> That's one thing that BIG companies do not do.... and hackers often break into networks that have been 'secured' by these companies because they don't give their people a chance to stay on top of things.
<Kitetoa> Do you think that French companies are at risk? I mean if one of the largest companies is at risk, many French ones may be...
<NeonSurge> French networks???
<NeonSurge> What's the name of that French computer college??
<Kitetoa> Epita?
<NeonSurge> It took me 3 hours to own Epita...
<NeonSurge> You can put that into the interview
<NeonSurge> They left themselves open with a very sloppy flaw... I don't want to talk about the flaw...
<NeonSurge> I don't want to talk about the flaw, because they have not plugged the flaw yet.
<Kitetoa> OK, just to be a little more precise, when you say "It took me 3 hours to own Epita..." what does "own" mean exactly?
<NeonSurge> I was in their network
<NeonSurge> That did not involve anyone else from Rhino9... in case Epita gets mad....
<NeonSurge> But... I was able to get in there without really trying hard.
<Kitetoa> ok
<Kitetoa> People in the press web sites should consider security as big an issue as banks do. Their data is as sensitive as banks' data, if someone can modify it
<NeonSurge> People in the press approach security as a 'news item', they don't approach it seriously
<Kitetoa> But this is the heart of that infowar stuff everybody's talking about
<NeonSurge> L0pht was not lying when they said they could bring the Internet down.
<Kitetoa> Do you believe L0pht when they say that they could bring the Net down?
<NeonSurge> Absolutely...
<Kitetoa> Do you need a lot of computer power to do so?
<NeonSurge> It's actually not very hard to do... which is the sad thing...
<NeonSurge> It's a lot easier than you might think....
<NeonSurge> But what a lot of people do not realize about the Internet is that there are certain backbones that span the Net...
<NeonSurge> That part is well known... what's not well known is how easy it is to take down those backbones...
<Kitetoa> Anyway, I still think that it's more interesting to break into the NYT and change some data so that no one would think they have been changed than to take the Net down
<NeonSurge> Breaking into NYT is nothing compared to the things that would bring down the Net...
<NeonSurge> Without the Net, the NYT site does not exist...
<NeonSurge> Neither does any of the online businesses in the US... which make up billions of dollars in commerce...
<Kitetoa> hum
<NeonSurge> Not to mention the DOD and GOV comps that still hold connections to the Net
<NeonSurge> If you take out even one of the major INet backbones, you're crippling the system.