How ethical hacking saved the day

TechRepublic

Case study

Ethical hacking is one of the most intriguing and exciting elements of our work at CQUR IT. In most engagements, our efforts involve attempting to penetrate a client's network, documenting the results of our efforts, and recommending optimal strategies for mitigating the risks we have identified.

A recent engagement for a software development firm took an interesting twist at the onset of the project as we quickly discovered the client's FTP server had already been hacked and was being used for illegal purposes. I'll describe the techniques we used to meet the client's requirements and explain how our efforts turned from hacking their network to hacking the hacker.

Late to the party
We convened with the client for a brief kickoff meeting to reconfirm the objectives of the Limited Knowledge Penetration Test (PT) and to gather sufficient information to ensure that the testing did not affect normal business operations. We began our preliminary research by reviewing publicly available information relating to the target company, including news releases, newspaper articles, annual reports, SEC filings, and the corporate Web site. Hackers commonly use these resources to gather potentially vital information relating to a company, including names of key employees, product lines/releases, key dates (such as the date a partnership was formed and a network administrator's birthday), empire locations, hardware/software used, etc.

During this research, we discovered that an internal user at the client's organisation was the leading poster of messages and/or content to a Web site that distributed illegal pornographic images. This was immediately reported to management, which became increasingly concerned and then disclosed that there had been multiple, often unexplained, periods of full utilisation of the outbound Internet links during odd hours. (We are still unsure why the client didn't disclose this at the kickoff meeting.)

After using Nmap to footprint the external network, we focused our attention on an FTP server that was curiously installed outside the firewall. A port scan against the box returned extremely troubling results. In addition to the expected open port (port 21), we found a half dozen other open ports, including 139, 2187, 3437, and 14120.

  • Port 139 was running NetBIOS and allowed extensive leaking of information via Null Session Enumeration.
  • Port 2184 was running Microsoft Windows Telnet Server, which normally listens on port 23. An admin will sometimes run it on an odd port; however, attempts to log in with a valid username/password combination obtained via null session enumeration on port 139 only resulted in a hung Telnet session.
  • Port 3437 was running a service that prompted for a password. We connected to it with both Telnet and Netcat. If no password was entered within three seconds, or an invalid one was given, the connection was terminated.
  • Port 14120 was running a second FTP Service.
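The scan findings above are the kind a defender should be able to reproduce mechanically: compare what is actually listening on an exposed host against what the owner says should be there, and flag well-known services on odd ports and duplicate daemons. The script below is an added example, not code from the original article or from CQUR IT. SAMPLE_SCAN is a constructed line in Nmap's "grepable" (-oG) output style chosen to mirror the ports reported in the case study; BASELINE and WELL_KNOWN are assumptions about which services were approved and where they conventionally live.

```python
"""Flag unexpected listeners on an Internet-facing host.

Added example, not code from the original article. SAMPLE_SCAN is a
constructed Nmap -oG style record that mirrors the ports the case study
reports on the exposed FTP server; BASELINE is an assumed list of the
services the owner intended to expose.
"""
import re

# Constructed sample record (values chosen to match the article's findings).
SAMPLE_SCAN = (
    "Host: 203.0.113.10 ()\tPorts: "
    "21/open/tcp//ftp//Example FTP 1.0/, "
    "139/open/tcp//netbios-ssn///, "
    "2187/open/tcp//telnet//Microsoft Windows Telnet/, "
    "3437/open/tcp//unknown///, "
    "14120/open/tcp//ftp//hacker tag in banner/"
)

# Assumption: only FTP on its standard port is approved on this host.
BASELINE = {21: "ftp"}

# Services with a conventional port; seeing them elsewhere deserves a look.
WELL_KNOWN = {"ftp": 21, "ssh": 22, "telnet": 23, "http": 80, "smb": 445}

# -oG port entries look like: port/state/proto/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/[^/]*/([^/]*)/")


def parse_grepable(line):
    """Yield (port, state, service, version) from one -oG 'Host:' line."""
    ports_field = line.split("Ports:", 1)[1]
    for m in PORT_RE.finditer(ports_field):
        port, state, _proto, service, version = m.groups()
        yield int(port), state, service, version


def assess(line, baseline=BASELINE):
    """Return {port: [reasons]} for every open port worth investigating."""
    findings = {}
    by_service = {}

    def flag(port, reason):
        findings.setdefault(port, []).append(reason)

    for port, state, service, _version in parse_grepable(line):
        if state != "open":
            continue
        by_service.setdefault(service, []).append(port)
        if port not in baseline:
            flag(port, "not in baseline")
        elif baseline[port] != service:
            flag(port, f"baseline expects {baseline[port]}, scan saw {service}")
        if service in WELL_KNOWN and WELL_KNOWN[service] != port:
            flag(port, f"{service} on non-standard port (expected {WELL_KNOWN[service]})")

    # A second instance of a service (here, a second FTP daemon) is a classic
    # sign that someone other than the admin installed something.
    for service, ports in by_service.items():
        if len(ports) > 1:
            first = min(ports)
            for port in sorted(ports):
                if port != first:
                    flag(port, f"additional {service} listener (also on {first})")
    return findings


if __name__ == "__main__":
    for port, reasons in sorted(assess(SAMPLE_SCAN).items()):
        print(f"{port:>6}  " + "; ".join(reasons))
```

Run against the constructed record, the script stays quiet about port 21 and reports the other four, with the second FTP daemon on 14120 and the Telnet server on an odd port called out explicitly. Feeding it a real `nmap -oG` file, one Host line at a time, against a baseline kept in change control turns the article's one-off discovery into a check that can run after every scan.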

Some key details from our FTP session with the site:
  • Two users were currently connected; in the past 24 hours, 23 users had connected.
  • 19 MB had been downloaded since the last time the server was restarted (earlier that morning).
  • Anonymous logins were rejected and our attempts to password-guess were unsuccessful.
  • Searches based on the hacker tags in the banner returned only links to listings of various hacked pubstors.
  • Searching on the machine's IP address failed to reveal its public listing in any warez or pubstor directories.

We assumed that access to this site was being traded via Internet Relay Chat (IRC). Interestingly, in the hour or so it took us to document our observations, 195 MB of files were downloaded from the rogue FTP site.
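The client's unexplained periods of full outbound utilisation at odd hours, and the 195 MB that left the rogue server in about an hour, are exactly the signal a simple link-utilisation monitor could have raised months earlier. The script below is an added example, not code from the original article or from CQUR IT: it takes periodic utilisation readings for a link and reports sustained saturation outside business hours. The readings are constructed five-minute samples for one day, and the business-hours window, the 90% threshold and the three-sample minimum are assumptions.

```python
"""Flag sustained saturation of an outbound link outside business hours.

Added example, not code from the original article. The samples are
constructed five-minute utilisation readings (percent of link capacity)
for one day; the business-hours window and thresholds are assumptions.
"""
from datetime import datetime, timedelta

DAY = datetime(2008, 9, 12)  # constructed date (a Friday)


def sample(hour, minute, pct):
    """Build one (timestamp, percent utilisation) reading relative to DAY."""
    return (DAY + timedelta(hours=hour, minutes=minute), pct)


# Constructed readings: a 2 a.m. burst at near-full utilisation, a normal
# daytime burst, and a short late-night spike that is too brief to matter.
SAMPLES = [
    sample(1, 50, 12.0), sample(1, 55, 15.0),
    sample(2, 0, 97.0), sample(2, 5, 99.0), sample(2, 10, 98.0), sample(2, 15, 96.0),
    sample(2, 20, 40.0),
    sample(10, 0, 98.0), sample(10, 5, 99.0), sample(10, 10, 97.0),
    sample(23, 0, 95.0), sample(23, 5, 94.0), sample(23, 10, 30.0),
]


def off_hours_saturation(samples, business_hours=(8, 18), threshold=90.0, min_run=3):
    """Return [(start, end)] windows where utilisation stayed at or above
    `threshold` for at least `min_run` consecutive readings, all of them
    outside business hours (weekday readings in [start_hour, end_hour) are
    business hours; weekends are entirely off-hours)."""
    windows = []
    run = []
    for ts, pct in sorted(samples):
        in_hours = ts.weekday() < 5 and business_hours[0] <= ts.hour < business_hours[1]
        if not in_hours and pct >= threshold:
            run.append(ts)
            continue
        if len(run) >= min_run:
            windows.append((run[0], run[-1]))
        run = []
    if len(run) >= min_run:
        windows.append((run[0], run[-1]))
    return windows


if __name__ == "__main__":
    for start, end in off_hours_saturation(SAMPLES):
        print(f"off-hours saturation from {start:%Y-%m-%d %H:%M} to {end:%H:%M}")
```

On the constructed day only the 2 a.m. burst is reported: the 10 a.m. burst falls inside business hours and the two late-night readings are too short a run. The same logic works over SNMP interface counters or flow records once they are reduced to (timestamp, percent) pairs, and pairing each reported window with the NetFlow or proxy logs for that interval is what turns "the link was full again last night" into "this host was serving files".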
