Incorrectly hardening servers are one of the biggest challenges in cyber security. Watch from the driver’s seat to see what (ethical!) hackers are looking for so you can protect against vulnerabilities.
Security experts on both sides of the house recognize that bringing up a new server improperly can create a wide open door for cybercriminals, but how can you know for sure that you’re closing every nook and cranny and completely hardening your server? Small- to medium-sized organizations are particularly vulnerable, as they may not have the full complement of IT staff required to specialize in cyber security and are likely following a set of directions instead of fully understanding the challenges they’re facing. With the rapid pace of change and the complexity of technology today, it can be difficult to keep up with the myriad options available for your network. Puryear IT agrees, so we’ve put together a first-hand view of how an ethical hacker quickly takes down a business Avaya server in a very short period of time. This cautionary tale may offer you some ideas for keeping your organization’s data such as your customer and employee personal information safe from cybercriminals.
Types of Attacks
There are some standard types of attacks that we see on a regular basis, many of which are perpetrated when an unethical individual gains access to a key internal server:
- DoS: Denial of Service attacks can cause a web server to come to a halt, making your website(s) completely unavailable to users.
- Phishing: Perhaps the most well-known type of attack, phishing occurs when individuals within your organization click on a link or navigate to a website that is fake. Individuals are then tempted to enter personal information or passwords so the hacker can gain entrance to your company.
- Defacement: A scare tactic that is often used towards politicians or large corporations, defacement occurs when a hacker gains access to a web server and replaces the company’s website with a different page that includes a message, music or even the hacker’s name.
- DNS Hijacking: Hijacking your domain name server (DNS) redirects all web traffic from your site to another location on the web.
- Sniffing: Hackers attempt to “sniff out” sensitive information that is being passed internally and externally to your organization through an intercept, in an effort to gain unauthorized server access.
Let’s say your organization’s servers have been hacked. What does this really mean in terms of data loss and security? Not only can your organization’s reputation be ruined by a DNS hijacking that sends your customers to a nefarious website, but cybercriminals can also install malicious viruses that can utilize your systems as a replication tool, sending viruses out to all your clients and contacts. Additionally, a true data breach could be incredibly expensive in terms of lost business and even lawsuits against your organization if the personal financial information is breached and then utilized by hackers. However, perhaps the most troubling and damaging effect of an attack is the loss of trust from your customers, which can have a long-term negative impact on your organization.
Let the Hacking Begin
The penetration testing was done against three different Avaya servers, exploiting different vulnerabilities each time. In all three instances, the white-hat security tester was able to gain access to all three servers.
The first activity was to run a Nessus vulnerability scan, which showed that anonymous LDAP queries were a possibility: a hacker’s goldmine of data. Once this was determined, the hacker determined it was an easy step to scan for an Avaya phone tree by using JXplorer and looking for an LDAP tree with root “vsp” with a branch labeled “People”. After that, it was simple enough to scan for the two important entries: “cust” and “admin”. After determining that the passwords within the entries were hashed, it took only a moment to break the encryptions using a software tool called John the Ripper, even with the default settings. Turns out, the passwords were still the default passwords for the system “admin01” and “cust01”. After trying a few different tactics to get a full shell, the hacker eventually was able to utilize a combo of a Meterpreter reverse tcp payload via a Linux binary executable file delivered by msfvenom to essentially backdoor into the system. Next, the hacker was able to gain access to a second box that was tied into the first one, simply by following root SSH keys — which can indicate a way for users to log into the system remotely without a password. An additional find was user passwords on the second server, none of which were difficult for the hacker to guess using easy counter-encryption methods.
Two Down . . .
On the final server on the same subnet, the security expert quickly got a bonus find: easy logins with a full shell using the default “cust” and “admin” passwords. While they did receive a full shell from the system, the passwords and usernames uncovered in the first two servers also worked on the third. However, the shell would not allow access to the root directory and this third server was proving a difficult nut to crack. After utilizing linuxprivchecker.py script to identify any potential locations to run a binary, the hacker uncovered that the majority of locations on the box were covered with noexec commands — effectively halting binaries from executing to protect the server. Eventually, however, the white hat hacker noticed that there was a diag program setuid binary that was only available to a few users within the group, and not the users whose accounts were already compromised.
Getting to the Root
After several circuitous attempts, the security expert managed to gain access to a shall as a secondary user, by running through voice-only setup binaries and leveraging the diag command, which runs as root regardless of where the command is executed. The meterpreter reverse payload was used again in this instance, to gain access to the /msg/database/vm/tmp directory, which eventually led to full root access by the hacker.
There are several vulnerabilities in this scenario that could have been prevented with successfully-hardened servers. If all security patches were in place, no default user passwords and configurations were successfully updated, penetration would have been much more difficult if not impossible. Our cybersecurity experts are standing by in Baton Rouge to help support and protect you from attacks such as this one. Contact Puryear IT today at (225) 706-8414 or via email to firstname.lastname@example.org, and we’ll work with you to ensure that hackers will not have such an easy time gaining access to your protected information.