At the .edu where I work, there are a number of C.I.S. classes taught. One class that’s new this semester is “Introduction to Computer Security”. One of the chapters of the text focuses on intrusion detection systems (IDS). The professor, Bill, asked me if I would teach the chapter on IDS and I agreed. Since I always learn better by seeing things work instead of just reading about them, I decided I’d include a demo in my “presentation”.
Since I already have VMware on my laptop and use it extensively during the course of my normal job duties (it makes a great little testbed), I decided I’d just come up with something in VMware. I did a minimal installation of in one virtual machine, to act as a router between two networks. This was also the machine that the IDS, snort, was running on. I then installed Microsoft Windows 2000 Advanced Server in another virtual machine, to simulate a company’s web server on the Internet. I did a default installation of Windows 2000 Advanced Server, though it was slipstreamed with Service Pack 3. Other than that, no updates were applied. This machine was aptly named “hapless victim”.
Next came an installation of Red Hat Enterprise Linux AS 4. This machine was named “evil hacker”. This machine was then fully patched, though that didn’t really matter.
First up was installing the Metasploit Framework on evil-hacker. I took a quick glance through the list of exploits and found the one I was looking for, the Microsoft SSL PCT MS04-011 Overflow. I knew that the Win2K AS SP3 box was vulnerable to this and figured it’d be a good one for demonstrating.
When class day came, we went through the chapter on IDS (which was rather boring, to be honest) before we got to the good part. I took longer on the chapter than I would’ve liked, and so had less time for the demo. I didn’t really have to cut it short very much, though, and the whole class got to see just how easy it is to compromise vulnerable servers. Since Win2K installs IIS 5.0 by default (and is vulnerable to this exploit), it was a simple matter. I set the appropriate options in the Metasploit Framework and launched the exploit. Once at a command prompt, I used the “net.exe” command to add a user account to the domain and then made that user a member of the Domain Admins group. From there, it was game over. The attacker had full control of the server. I don’t think anyone in the group realized that it could be that easy to compromise a box. I didn’t, of course, go into how you would cover your tracks or anything like that because that wasn’t the goal. The goal was to show off the IDS. Once compromised, we pulled up the IDS and saw the port scans that preceded the compromise, along with the alert generated when the SSL packets themselves were detected.
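The port-scan alerts the class saw come from the IDS doing a simple count: one source touching many distinct ports on one host in a short time. The following is an added example (not code from this post, and not snort’s own preprocessor code) that runs that check over a few constructed connection-log lines, the way snort’s portscan preprocessor does in simplified form; the log format, IP addresses, threshold and window are all assumptions chosen for the demo.

```python
"""Toy port-scan detector: the kind of counting an IDS does before raising a
"portscan" alert. Added example; the log format and sample lines below are
constructed for this illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp src dst dport", one line per TCP connection
# attempt. 10.0.0.5 probes ten ports on the web server in a few seconds, then
# 10.0.0.7 makes one ordinary HTTP connection, then 10.0.0.5 comes back to 443.
SAMPLE_LOG = """\
2005-10-03T10:00:01 10.0.0.5 10.0.1.20 21
2005-10-03T10:00:01 10.0.0.5 10.0.1.20 22
2005-10-03T10:00:02 10.0.0.5 10.0.1.20 23
2005-10-03T10:00:02 10.0.0.5 10.0.1.20 25
2005-10-03T10:00:03 10.0.0.5 10.0.1.20 80
2005-10-03T10:00:03 10.0.0.5 10.0.1.20 135
2005-10-03T10:00:04 10.0.0.5 10.0.1.20 139
2005-10-03T10:00:04 10.0.0.5 10.0.1.20 443
2005-10-03T10:00:05 10.0.0.5 10.0.1.20 445
2005-10-03T10:00:06 10.0.0.5 10.0.1.20 3389
2005-10-03T10:00:09 10.0.0.7 10.0.1.20 80
2005-10-03T10:00:30 10.0.0.5 10.0.1.20 443
"""


def parse_log(text):
    """Turn the constructed log into (timestamp, src, dst, dport) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return events


def detect_portscans(events, threshold=8, window_seconds=10):
    """Return one alert per (src, dst) pair that touched at least `threshold`
    distinct destination ports inside any `window_seconds` sliding window.
    Each alert is (src, dst, first_seen, sorted_ports)."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in sorted(events):
        by_pair[(src, dst)].append((ts, port))

    window = timedelta(seconds=window_seconds)
    alerts = []
    for (src, dst), hits in by_pair.items():
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it covers at most window_seconds.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) >= threshold:
                alerts.append((src, dst, hits[start][0], sorted(ports)))
                break  # raise once per pair, at the moment the threshold is crossed
    return alerts


if __name__ == "__main__":
    for src, dst, first_seen, ports in detect_portscans(parse_log(SAMPLE_LOG)):
        print(f"PORTSCAN {src} -> {dst} starting {first_seen}: ports {ports}")
```

The threshold and window are the tuning knobs: set them too low and every busy client looks like a scanner, too high and a slow scan that spreads probes over minutes never crosses the line, which is exactly the tradeoff a real IDS portscan preprocessor exposes in its configuration.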
It was a pretty cool demo, I think, and hopefully I can do some more stuff like that in the future for the classes. I think I probably enjoyed it even more than some of the students did.