Protect Your Network

Servers are typical targets for intrusions from inside and outside the organization. Because servers may process or have connections to sensitive data (databases, mail messages, passwords, entire network traffic, etc.), gaining full control of a server can permit compromising the entire organization's network. Generally, an intruder exploits an unpatched or "zero-day" vulnerability or a misconfiguration of a particular network service as a trampoline to:
GeSWall's access control policy isolates an intruder within the attacked service, precluding attacks on the server host itself as well as on the organization's network. You can evaluate the protection of GeSWall's policy with the help of the Evaluation Kit, which is available as part of the free evaluation of GeSWall Server Edition. This kit includes intrusion simulation tools for Microsoft SQL Server and Internet Information Server 6.0. The simulation scenario assumes that an attacker gets a remote command shell running in the context of MS SQL or IIS and conducts various attacks on critical host subsystems and related infrastructure, as shown in the figure below. The scenario consists of four phases, numbered as on the figure.

Phase 1. An attack on a particular network service such as MS SQL, Oracle, IIS, etc. The intruder uses one of the service's vulnerabilities (buffer overflow, SQL injection, etc.) or holes in its configuration to break into the service. As a result, the intruder can run code in the context of this service. The Evaluation Kit does not contain exploits for known vulnerabilities of particular network services but assumes that the intruder has successfully exploited one of them. Therefore, this phase is represented by a special initialization procedure that depends on the particular service.

Phase 2. The intruder starts a Command Shell Server, which executes commands sent by remote clients. Typically, an intruder uploads this Shell Server program as part of the initial attack, but this is not required: the default installation of Windows already has the means to run a Shell Server. The GeSWall Evaluation Kit uses special VBS and ASP scripts that launch cmd.exe and tunnel its output through the default FTP client (ftp.exe) to the intruder's host. Typically, anti-virus or code-signature checking solutions cannot prevent such a Shell Server because the scripts execute only authorized programs already present on the server.

Phase 3. The Command Shell Server connects to a Command Shell Console started on the intruder's host. Once connected, the intruder receives the tunneled output from cmd.exe running on the server host. Note that the Command Shell Server does not listen for inbound connections but makes an outbound connection. Normally, outbound connections are not blocked by perimeter firewalls.

Phase 4. The intruder sends commands representing various attacks on other services, the server host itself and related infrastructure, such as back-end servers and clients. The GeSWall Evaluation Kit automates these attack commands within the Command Shell Console by running a VBS script, which includes the following attacks:
See the "Running the Intrusion Simulation" section for a detailed description of each attack. As you can see, these attacks allow an intruder to compromise an entire server host and break into related infrastructure: attack back-end servers and clients, spread the intrusion to the whole organization's network, and so on. GeSWall policy stops such dangerous attacks by isolating the intruder within the compromised service. To evaluate the policy's protection, you should run the intrusion scenario with and without GeSWall.

Running the Intrusion Simulation

The intrusion simulation script (gswdemo_server.vbs) probes for various attacks. After each probe, it displays the result and then restores the initial state. Please do not stop or interrupt the script, as this may lead to an incomplete restore.

1. Privilege elevation from a service's account to LocalSystem

Description
The script checks whether it is running with administrative privileges. If not, it executes an exploit of a weakness in Windows impersonation. This exploit elevates the current context to LocalSystem.

Threat
Although some services do not run as LocalSystem, the Windows impersonation weakness may allow privilege elevation attacks. For example, it is possible to elevate the Network Service account context and any account of the MSSQL service up to LocalSystem. That means a successful attack on a service leads to full control of the entire system.

GeSWall Policy
GeSWall stops such privilege elevation attacks in the first place. However, with GeSWall policy this is not even required, as it provides protection when a service already has high privileges.

2. Installing a rootkit and keylogger

Description
The script probes for kernel-mode rootkit/keylogger installation. It installs a driver by means of the sc.exe tool (a command-line program to manage services). You will see the probe status in the sc.exe output. Sc.exe sets up a kernel driver by communicating with the Services Controller through RPC.
Besides this method, a rootkit can be installed by:
Threat
By installing a rootkit, an intruder gains full control of the server host. A rootkit may control access to every file, intercept network traffic, execute the intruder's commands, attack other hosts, etc. Worse, a typical rootkit hides its presence in the system and usually cannot be identified by detection tools like anti-viruses.

GeSWall Policy
GeSWall prevents rootkit and keylogger installations by imposing access restrictions upon an isolated service. Once isolated, a service:
Additionally, GeSWall policy locks malware or an intruder within an isolation layer. For instance, whenever an isolated application creates a file, GeSWall tracks it. If that file is:
Description
The script simulates a virus-like (or trojan-like) infection of key Windows components, particularly the ping.exe tool. It disables Windows File Protection, makes a backup and then replaces ping.exe with the cacls.exe tool. On completion, the script starts ping.exe in order to show the result. If ping.exe was successfully replaced, you will get output from cacls.exe.

Threat
By infecting files, the intruder leaves its code in the system. This code may monitor particular actions, steal confidential data, serve as a backdoor and so forth.

GeSWall Policy
GeSWall policy prevents modification of trusted files by isolated services.

Description
The script starts a network sniffer that intercepts all network packets passing through one of the server host's network interfaces. Sniffing takes 16 seconds, and if any TCP or UDP packets are intercepted in this period, they are displayed at the end. Additionally, you may try to generate some traffic by browsing the web. Note that sniffing does not require kernel code but uses the standard Windows raw socket mechanism. Windows allows raw sockets for administrators and for the Network Service account as well.

Threat
Network traffic passing through the server host may contain various confidential information: files, mail messages, passwords and so on. With this information, an intruder may attack back-end servers and clients within the organization's network.

GeSWall Policy
GeSWall restricts access to raw sockets. Therefore, an isolated service cannot establish such a user-mode sniffer. Preventing access to the kernel also blocks kernel-mode sniffers.

Description
The script launches the pwdump2.exe tool, which retrieves user password hashes from the SAM database and prints them. These hashes can then be used to crack the actual passwords offline with automated tools like John the Ripper or LC5, or by means of pre-computed databases.

Threat
Depending on their complexity, many passwords can be cracked in a relatively short time. Generally, it takes from a few minutes to a few days. Getting the server host's passwords will let an intruder log on even after the intrusion is detected and the host patched. Often similar passwords are used on other machines, so an intruder can attack back-end servers as well. If the server is a domain controller, then its SAM database will reveal password hashes for the entire domain.

GeSWall Policy
To get password hashes, pwdump injects its code into the lsass process. GeSWall policy prevents modification of trusted processes' address space and code injection.

Description
The script enables and starts the telnet service that comes with Windows. An intruder can use this service as a backdoor. Since the telnet service is started by the sc.exe tool, you may check the status from the sc.exe output.

Threat
An intruder may enable standard Windows services to use them later as a backdoor. Additionally, an intruder may enable potentially vulnerable services like DDE to attack through them after all holes are patched. The advantage is that the intruder leaves no code on the host and remains undetected.

GeSWall Policy
GeSWall policy prevents such attacks by restricting an isolated service's access to trusted processes, services and system configuration.
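The kit's shell server (Phase 2) and the rootkit and telnet probes that drive sc.exe all surface in process-creation telemetry as a chain rooted in the compromised service process. The following Python is an added example, not part of the GeSWall page or product: it runs defender-side detection rules over constructed process-creation events (the script name, file paths and the 203.0.113.5 address are constructed sample values) and flags exactly that chain.

```python
import re
from collections import namedtuple

# One process-creation record: fields modelled on Windows 4688 / Sysmon event 1.
ProcEvent = namedtuple("ProcEvent", "pid ppid image cmdline user")

# Service images the page names as the compromised entry point (MS SQL, IIS 6.0).
SERVICE_IMAGES = {"sqlservr.exe", "w3wp.exe", "inetinfo.exe"}

# Constructed sample events (not real logs): the first five mirror the kit's
# scenario, the last two are a benign interactive admin session.
NS = "NT AUTHORITY\\NETWORK SERVICE"
SAMPLE_EVENTS = [
    ProcEvent(1200, 4, "sqlservr.exe", "sqlservr.exe -sMSSQLSERVER", NS),
    ProcEvent(1304, 1200, "cmd.exe", "cmd.exe /c cscript shell.vbs", NS),
    ProcEvent(1310, 1304, "ftp.exe", "ftp.exe -n -s:cmds.txt 203.0.113.5", NS),
    ProcEvent(1320, 1304, "sc.exe", "sc.exe create rk binPath= c:\\tmp\\rk.sys type= kernel", NS),
    ProcEvent(1330, 1304, "sc.exe", "sc.exe config tlntsvr start= auto", NS),
    ProcEvent(2000, 900, "cmd.exe", "cmd.exe", "CORP\\admin"),
    ProcEvent(2010, 2000, "sc.exe", "sc.exe query tlntsvr", "CORP\\admin"),
]

def lineage(event, by_pid):
    # Chain of image names from the event up to its root parent (cycle-safe).
    chain, seen = [], set()
    while event is not None and event.pid not in seen:
        seen.add(event.pid)
        chain.append(event.image.lower())
        event = by_pid.get(event.ppid)
    return chain

def detect(events):
    # Flag processes descended from a network service that match Phases 2-4.
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        chain = lineage(e, by_pid)
        if not any(img in SERVICE_IMAGES for img in chain[1:]):
            continue  # not under a service: ordinary admin activity, ignore
        if chain[0] == "cmd.exe":
            findings.append((e.pid, "command shell spawned under a network service"))
        elif chain[0] == "ftp.exe":
            findings.append((e.pid, "ftp.exe outbound tunnel from a service shell"))
        elif chain[0] == "sc.exe":
            if re.search(r"\bcreate\b.*type=\s*kernel", e.cmdline, re.I):
                findings.append((e.pid, "kernel driver install from service context"))
            elif re.search(r"\b(config|start)\b", e.cmdline, re.I):
                findings.append((e.pid, "service (re)configuration from service context"))
    return findings
```

The benign admin shell and its sc.exe query produce no finding because their lineage never reaches a service image; in production the same rule should be fed the full process tree rather than a single batch.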
Copyright 2006 GentleSecurity