If you missed the previous articles in this series please read:
Shells for sale!
For those of you who had the time to read my article series on the Optix Pro trojan you will remember our wannabe hacker friend John. He was the rather lazy fellow who did not want to study for a math test, and instead installed a trojan on his professors computer. Well his harebrained scheme backfired, and resulted in his getting dismissed from college.
We now pick up several months later where John has been making good use of his idle time. He has since decided that school is not really for him, and that he will further his hacking abilities instead. To that end John has been spending a great deal of time in various IRC chat rooms, and some rather questionable websites. During this enforced leisure time courtesy of his college expulsion John has made some decent progress actually.
John has taken a rather organized approach to furthering his skill set, and actually spent some time learning networking protocols, some programming principles, and very rudimentary exploit development. This was all done via a computer lab that he created for himself. He went and bought himself a copy of VMWare and installed various Microsoft Windows operating systems on it, in addition to a linux distribution.
Having this computer lab to explore various concepts has greatly aided his research. An idea had crystallized in John's mind last night though while he was chatting in IRC with one of his friends. They had been chatting about DDoS attacks, and the methods that some hackers use to harvest their zombie armies. It came to John that if someone chose to sell access to these harvested computers, there could very well be a buck or two in it. The idea of making a few dollars greatly appealed to John. There was a problem though, he did not know a great deal about exploit code that was used to harvest these vast bot armies.
It's starting to come together now
John was fairly confident in using one piece of exploit code that would result in system level access on a Windows 2K/XP/2K3 box. He had been using the M3-026 vulnerability to learn more about what to do with a computer once you had owned it. While the exploit itself might have been several years old it was still very effective. After all there was not a ton of exploit out there for Microsoft Windows that would result in remote code execution. That was very much the Holy Grail of malicious hacking; to obtain a reverse or forward shell by which to execute your commands.
This MS03-026 exploit was still very useful in John's mind for he had conducted large scale port scans of the cable modem range and found many, many computers without firewalls that SYN/ACK'd back on port 135. While all of these computers may not be vulnerable to this exploit, odds are that at least a few were, as the owners had probably yet to patch them. Well while John might not be as talented as a computer security professional as say Mike Sues, he knew that if he broke into a computer using this exploit, anyone else scanning for well known back door ports like 4000 or 4444 could easily take over his exploited computer.
First exploit, then patch
Well John knew that if he wanted to execute his plan of mass exploitation for the purpose of selling shell access to these exploited computers he needed to patch the vulnerability he used to get in, in the first place. That did not seem too difficult as all he had to do was download the patch from Microsoft's website and then install it. While easy in thought John was sure he would need to practice this first in his computer lab, so that he did not get caught like he did at college.
So John needed to get organized, and plan out his attack and patch scheme first. What tools did he need, and what was the patch that he needed to plug the MS03-26 hole. His first priority was to find the patch. This he found after doing a bit of googling and came up with it. Directly on the page itself, as John expected was also how to install the patch itself. Though John noticed he didn't see anything that said how to remotely install it, he figured it must be possible. After all John wanted to remotely break into a computer and then remotely, via a reverse shell, patch the vulnerability.
With the most important piece of the puzzle found ie: the Microsoft hotfix for MS03-206 in place, he now needed to figure out what the other tools would be. John could either go with exploit code posted on the FRSirt site or he could use the Metasploit Framework that also had this exploit, as part of its arsenal. He also needed a good win32 based port scanner, and so he decided to go with Superscan. He had used this scanner before, and rather liked it.
It has many excellent features built into it, much like its Linux based cousin Nmap which has since been ported to win32 as well. John also needed a way of ferrying files back and forth from the computers he intended to exploit as well. For that he went and got the free TFTP server from Solarwinds. Lastly he needed something that would give him the ability to get a reverse shell on command. This task was dead easy to figure out, as there was simply nothing better then Netcat to use, or the win32 port nc.exe.
Dialing home on command
With all of the tools gathered he still needed to figure out one piece of the puzzle. John remembered from getting caught at college that they must have twigged to his presence on the professors computer via a port monitoring utility like netstat. Furthermore, it was rather likely as well that he was caught because he had connected to the professor's computer during normal business hours. John most certainly did not want to get caught like this again. To that end he decided to only exploit computers on the cable modem range he belonged to, so that he would know when he could break into them, and not get caught ie: late at night.
John was still confronted with how to get the now exploited computer to shovel back a reverse shell to him at a pre-determined time late at night. After a bit of googling around he decided he was going to use the AT command. This command would give him the ability to invoke the Windows port of Netcat at a specific time via a simple batch script. He also realized that he would need to confirm the local time on the computer via the time command as well.
Well with all of the pieces roughly in place John knew that he next had to practice his exploit scenario in the lab. With this last bit said we will break the article here. See you in part two!
If you missed the previous articles in this series please read: