This story will interest network administrators who use Windows NT Server as their platform for Internet and database processing. The events I report can happen only if staff are unprofessional and have no knowledge of security. I'm not saying that NT is not secure--I think NT is the most stable, robust, and secure operating system in the world--but organizations must have a good administrator. I hope this story shows you how to protect your site from unauthorized access.
This story began in early 1997. I was in my office in Russia, beta-testing a Windows NT Internet package for Internet Service Providers (ISPs). I didn't have time to test a component that replicates Web servers, so I decided to do a stress test by replicating a big Web server on the other side of the earth. While replicating the site, I had time to browse the original Web server. I saw that the server was completely unsecured, and the administrator had a very bad security policy.
My first look at the server showed me that the company had not installed any security patches for Internet Information Server (IIS). Contrary to Microsoft's recommendations, not only could users execute folders with Web scripts and Common Gateway Interface (CGI) programs but they also had Read access and could browse the folders' contents.
I added an extra period at the end of the universal resource locator (URL). This period lets you download Active Server Pages (ASP) files unprocessed, potentially exposing SQL Server passwords and other secure information. (This security hole is very well known; see NT News Network, Tim Daniels, "Active Server Pages Security Hole," April 1997.) When I added the period in this case, I saw the display, shown in Screen 1, in my Internet Explorer (IE) window.
If you follow Microsoft's recommendation and put all your Web scripts in the Internet Service Manager(ISM) folder, which has only Execute access permissions, your site will be safe, even if you have a security hole in IIS and don't have a fix for it. If you secure your scripts in this way, the intruder will see the display shown in Screen 2.
Of course, if the site administrator had spent some time checking the NT News Network in Windows NT Magazine, the administrator would have known about possible security holes and fixes available at ftp://ftp.microsoft.com. If you install this IIS patch, you'll see the screen shown in Screen 3. (The sidebar, "Stop, Thief!"--page 183--offers suggestions for protecting IIS and other components of your system.)
But the most important problem was not the IIS hole, but that I could see the default systems administrator login (sa) in Microsoft SQL Server. This administrator has no password--as anyone can see on the Web site.
Tell me: Who at this site let users access the database from the sa login for all scripts? Why didn't the administrator change the password immediately after installation? I hope you aren't giving a hacker such a present. If you are, stop reading now and change the sa password immediately.
I am a really good man, so I sent email to the Web master of this site. I explained briefly why his site was unsecure (this site has more than 2 million hits per day, and processes orders and accepts credit card information from customers). Here is our correspondence:
Administrator: Dear Andrey, Thanks for your comments. We are aware of the \[security\] problem. We installed the patch, and no one could access any of our Internet Database Connectors (IDCs). I don't think this is a potential security risk because you can't place a new .idc in our script directory.
Wow! He didn't understand what I'd written. I decided to tell him that he was wrong, and this security hole is really dangerous! I proposed a deal to him: To confirm my security analysis, I would try to hack his site.
Andrey: I hope that from now on your site is much more secure than it was in past, but I will try to break into it.
Administrator: That's a deal! We'll send you a nice package to compensate you for your work. We are not using any firewalls, so go ahead (but please be careful with our data ;-)).
Never talk to strangers. You would not believe how much useful information an unscrupulous person can gain and use from a conversation such as this one.
Finding the Holes
OK! At first, I ran a nice program called nslookup (NT Server includes nslookup for testing Domain Name System--DNS--servers). I looked at the company's DNS zone information. Figure 1, page 180, shows the servers I found.
Then, I thought, let's see which server processes email and is running the DNS service. Figure 2, page 180, shows the additional information and the mail server addresses.
What other computers are in this network? I might find something interesting there. Figure 3, page 181, shows the computers' names and their IP addresses. (The ls command is a UNIX command for List.) Not much there, but something was better than nothing.
You can configure DNS so that it won't show address records to strangers. Don't give anyone the right to inspect your network. Hackers usually need only a small amount of information. Don't give it to them for free.
The next step: Did he disable NetBIOS over TCP/IP (NetBT)? NetBT performs name-to-IP address mapping for name resolution. For computers connected to the Internet, Microsoft recommends disabling this service. I entered
C:\>nbtstat -A 555.555.200.1
The computer responded Host not found. I typed
C:\>nbtstat -A 555.555.200.2
The computer answered Host not found.
Hmm, was he smarter than I thought? But I needed to test all the computers in the network, not just a few servers. When I typed
C:\>nbtstat -A 555.555.200.16
C:\>nbtstat -A 555.555.200.17
Figure 4, page 181, shows what appeared on the screen. Thanks to Windows NT Magazine, I could understand what this stuff means. You can see each record's type after the computer name. The presence of a unique record for EEG1 and the __MSBROWSE__ record signifies that this server is the Primary Domain Controller (PDC) or the Backup Domain Controller (BDC). You can also see that the Administrator is logged on.
To connect to the server \\pluto, I entered
Start _ Run and \\pluto.server.com
Screen 4 shows that I can connect as a guest. (In NT 4.0, I connected easily; in NT 3.51 and Windows 95, I had to add records into the LMHOSTS file.)
Next, I connected to the company's printer (everyone wants to print something to a cool color laser printer) and printed a small letter, saying that I had broken into the company's network. Funny, isn't it?
In any book about NT, you will read, "Disable Guest account." Moreover, NT Server disables the Guest account by default, so I don't know why this company had enabled it. Stop reading now! Look in User Manager, and disable the Guest account if it is enabled!
On another project I worked on, I found that somebody had installed Network Monitor Agent (NMA) on his computer, as Callout A in Figure 5, page 181, shows. (NMA lets a network administrator use Network Monitor to track activity on that remote client.) Do you know what the record with <BE> inside is? This is the NMA signature. If people are foolish enough to put the NMA on a computer, you can use your network sniffer in their network. Even if they use a password, you can use the tool at http://www.nmrc.org/files/nt to break in by brute force.
Never install NMA in your site if someone can view it from the Internet; NMA is a very dangerous toy.
At this point, I wrote a complete report about the company's domain and the computers with the enabled Guest account. I wrote many recommendations about security (e.g., rename or disable the Administrator account, and disable the Guest account). It was Friday evening, and I went home. On Monday morning, I had an email from the Web master, saying he appreciated my work. He promised to send my prize soon. Good beginning of the day.
I forgot this case, but two weeks later, I had another email from my victim. He asked me to continue my security analysis and try to gain access to their site's database. (You can understand that a vulnerable database could cost the company much money. The managers were afraid that a hacker could steal their database, in the same way that I had viewed their user list.)
Penetration of SQL Server
I checked whether the database administrator had changed the sa password (can you believe that he knew about these problems for more than two weeks and didn't do anything to protect the site?). I wanted to find the server where SQL Server resided, but I needed access as a guest. I checked my records and put some lines in my LMHOSTS file and then used the nbtstat-R command to reload the NetBT cache without rebooting the server:
555.555.200.5 priny #PRE
555.555.200.16 pluto #PRE
555.555.200.23 insernia #PRE #DOM:eeg1
Reload NetBT cache:
I checked all the computers with the Guest account enabled, but I didn't find any SQL servers. He apparently had installed SQL Server on the computer that had the Guest account disabled. Wasn't he smart?
What could I find on the computers with the enabled Guest account? One person's computer with Guest enabled had a shared folder with Read permissions for everyone. I took a look.
Wow! In one folder, I found the file drwtsn32.log, a crashing log. For most users, the log is completely useless, but for experienced professionals, it can be very useful. Screen 5, page 182, shows the contents of this log. Do you see what I noticed? I could see the domain name (EEG1), username (HCAPSUser1), and something that looked like a password (grk***). To test my theory, I connected to the server with the Guest account disabled as user EEG1\HCAPSUser1 with password grk***. I could log in!
I ran SQL Server Enterprise Manager. EM is a useful program for browsing databases and performing other administrative tasks. However, most companies prefer that only the systems administrator use EM.
Could I log in? Yes, success! As Screen 6, page 182, shows, I was now the systems administrator, not in the domain, but for the SQL Server database. I could do anything with this SQL server.
The administrator had been worried about someone stealing the user list, so I looked at the list to see why he was concerned. As Screen 7, page 182, shows, I typed a simple query that shows everything in the table named tblMember.
Wow! Too much information for me: names, email addresses, postal addresses, credit card numbers, logon names, passwords, and much more--all the information about visitors to this site. If anyone knows what I can do with 74,342 credit card numbers, please call me <grin>. It was time to write a letter to the Web master about another hole in the system.
Can you believe that I could read all this sensitive information so easily? Subscribers and shoppers on this site have reason to be afraid of this kind of Internet commerce. If database administrators don't know how to secure this sensitive information, hackers can steal credit card numbers not by using sniffers to trace Web traffic but by cracking databases on real servers.
Keep SQL Server hidden from the Internet. You can install an expensive firewall or just run SQL Server over NetBEUI protocol on a different server. I'm not the only one who makes this recommendation--check with Microsoft.
I was ready to finish the security testing and see what else I could do with this server. I created a user in the EEG1 domain with the name Andrey and the password mypassword:
xp_cmdshell 'net user Andrey mypassword /add /domain'
The SQL Server extended stored procedure xp_cmdshell executes valid NT commands on the server and displays the results. Then, with one more command
xp_cmdshell 'net group "Domain Admins" Andrey /add /domain'
my account became an administrator in the EEG1 domain, and I could do anything with this network.
Let's publish something on their Web site. I can connect to any share--even a hidden share--on this server.
Start _ Run and \\priny\c$
Now I've connected to a hidden root share on the C drive.
I typed a small HTML file (hack.htm) and copied it to the wwwroot folder, which contains all the HTML files for their Web site. Screen 8 shows the file I typed.
Did you hear about the hacker who changed the home page in http://www.cia.gov? I didn't do it, but I think the hacker worked the way I did.
A hacker can't break into your system this way if you take the following precautions:
- Disable the xp_cmdshell stored procedure and disable access to the Registry from stored procedures
- Run SQL Server under a user account (not a system account) with restricted permissions
- Change the systems administrator password
- Install SQL Server on a computer hidden from the Internet
- Don't debug programs on a computer connected to the Internet
- Don't run any Web scripts from the sa account
- Disable the Guest account everywhere
- Don't run NMA on a computer inside a public network
- Set only Execute rights for Web-script folders
- Install all patches from the Microsoft Web site
- Think like a hacker about security
When you need remote control of a system via the Internet, RemotelyPossible/32 is a nice program that can help; it works very fast. I downloaded an evaluation version from http://www.avalan.com. If I wanted to be the administrator of the company's computer, I could install RemotelyPossible/32 on my computer and on the computer on the other side of earth.
As you can see, I had gained full access to the EEG1 domain and could do anything with the company's network. Don't let this kind of intrusion happen on your network.
Some Security Resources
Many articles in computer magazines discuss security in general and in NT. Windows NT Magazine highlights the most important places you need to check in your NT Server. The most informative security Web sites that I've found are http://www.microsoft.com/security and http://www.ntsecurity.org.
I also recommend that you hire a good security consultant or buy good software for security advice. The Windows NT Magazine Lab reviewed several NT security software products in Lab Reports in the magazine's October 1997 issue.
My favorite product is Kane Security Analyst from Intrusion Detection. This security assessment tool analyzes NT domains, servers, and workstations for security exposure; it can give you a lot of information about your system's security. You can download an evaluation version from http://www.intrusion.com. The company also offers Kane Security Monitor, a new utility for online monitoring. I highly recommend that you download it right now.
This article illustrates many security problems an NT server can have, but NT doesn't cause those problems; people cause them. Therefore, you need to think about security from a hacker's point of view. A recommendation that you check your security usually means that a hacker can gain access to sensitive information on your site. Close any open doors as soon as possible; the gaps can be dangerous for your system, and not all guys are as good as I am.
OK, I'll be in the airport very soon. The systems administrator I talked about in this article asked me to come and make all the changes needed to protect the company's site from attacks. I love to be in different countries, so it's time to go. See you later.