
acquiring remote network access


joe7


Company X has a website and an internal network. The website is hosted by a provider; the site is not on X's network. X's network has Internet access so they can browse, send email etc. The website is the public world's access to the company. They can see and read up about the company. All good and dandy. X's internal network has security measures in place, as any good company should: IDS, IPS, firewalls, iptables galore.

An attacker (or what have you) wants to breach company X's internal network for whatever purpose. To do so, the attacker needs to know how the company connects to the Internet. The company's connection is referenced by their assigned IP address from their ISP. How can an attacker find the IP address of the company, and how can the company make such information hard to obtain? A ping sweep is not practical, and neither is trying to attack the ISP. Could one possible option be breaching the company website to try and find traffic information that points to the company's IP address? I can't think of any other way of finding the IP address of the company. I know if the attacker has physical access to the network he could directly jack in or set up a rogue wireless AP. Or the attacker can gain documents or verbal communication to discover VPN info or other remote access methods. But I want to know how it is possible for an attacker to determine how to remotely access the company's network without using the aforementioned techniques.

This brings up another question. In a typical setup a website is not hosted directly by company X. The site is hosted by a hosting business. To be more efficient and modern, hosts use virtualization. So when sending pings or other traffic to a website it is not directly hitting one entity. The traffic is being routed internally; it hits the routing machines, then the server running the VM, is directed to the right VM, and is finally processed appropriately by the localized server software. In short, when pinging a website you are indirectly touching a single server. So how can a single website be compromised when there are so many layers of the hosting framework? It seems like the target server is buried far away and just getting to one site requires breaking through many systems merely for one target. Does the VM host server have to be compromised first? I know SQL injections will leak private data that could be useful in attacking a website. Where and what security measures need to be placed to prevent website-directed attacks?


First, a simple way to find their IP (though it depends on how their systems are set up) is to email them with a question and then look in the headers of their reply email. This usually gives away the IP of the person sending the email.

The other question is that an attacker would normally work their way out rather than in. So for example they would find a way to exploit a script running on the web which would give them access as the web server on the virtual machine. From this they then work away to get shell access to the virtual machine, then they would work on getting root access to the virtual machine, then they may try and figure out if they are on a virtual machine, and then only after that would they try to access the physical host machine. Of course sometimes they would have run a network map and found a way into the physical host machine first, then discovered that it is running a number of virtual machines and worked their way down, but this is less likely as the virtual machines tend to be more public facing than the host machine.
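The reply-header point above is something a company can audit on its own outgoing mail: every relay prepends a `Received:` header, so the last `Received:` header in a message is the first hop the message took, and if that hop names the sender's workstation and egress address, the reply has disclosed it. The following is an added example written for this thread, not code from any poster; the sample message is constructed (documentation IP ranges, made-up hostnames) and the parsing is a generic regex over the `from ... [ip]` clause rather than any mail product's own format.

```python
import email
import re
from email.message import Message
from typing import List, Tuple

# Constructed sample reply, not a real message. The mail left a workstation
# (earliest hop), passed through the company's external mail host, and was
# delivered to the recipient's MX. Headers appear newest-first.
SAMPLE_REPLY = """\
Received: from mail.hosted-provider.example (mail.hosted-provider.example [203.0.113.10])
\tby mx.recipient.example with ESMTP id abc123
\tfor <asker@recipient.example>; Mon, 1 Jan 2024 10:00:02 +0000
Received: from WORKSTATION42 (unknown [198.51.100.77])
\tby mail.hosted-provider.example with ESMTPSA id def456;
\tMon, 1 Jan 2024 10:00:00 +0000
From: info@company-x.example
To: asker@recipient.example
Subject: Re: question

Thanks for your question.
"""

# "from <host>" clause and the bracketed address that relays record beside it.
_FROM_CLAUSE = re.compile(r"\bfrom\s+(\S+)", re.IGNORECASE)
_BRACKET_IP = re.compile(r"\[(?:IPv6:)?([0-9a-fA-F:.]+)\]")


def received_hops(raw_message: str) -> List[Tuple[str, str]]:
    """Return (claimed_hostname, ip) per Received hop, earliest hop first.

    Each relay prepends its own Received header, so the headers are
    reversed to recover the path the message actually travelled.
    """
    msg: Message = email.message_from_string(raw_message)
    hops: List[Tuple[str, str]] = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        host = _FROM_CLAUSE.search(flat)
        ip = _BRACKET_IP.search(flat)
        if host and ip:
            hops.append((host.group(1), ip.group(1)))
    return list(reversed(hops))


def originating_ip(raw_message: str) -> str:
    """The address recorded for the earliest hop: what the reply discloses."""
    hops = received_hops(raw_message)
    return hops[0][1] if hops else ""


if __name__ == "__main__":
    for host, ip in received_hops(SAMPLE_REPLY):
        print(f"{host:40s} {ip}")
    print("disclosed origin:", originating_ip(SAMPLE_REPLY))
```

Run against a reply your own organisation sent, the first hop shows exactly what a correspondent learns: a hostname and address inside the company if mail is submitted straight from desktops, or only the provider's relay if the submission hop is stripped or the mail host is external. Whether a given `Received:` line is trustworthy is a separate question; only the headers added by relays you control are under your control.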


First, a simple way to find their IP (though it depends on how their systems are set up) is to email them with a question and then look in the headers of their reply email. This usually gives away the IP of the person sending the email.

Can the IP address be falsified while allowing the receiver to reply to the true sender? The company could use an external email host system so they would not be giving out their IP. The mail would just be routed to them and the IP address would not have to be falsified. Is hiding the company's IP address a legitimate concern?

Pinging a web address will return an IP address. Requesting header information (curl -I www.example.com) will usually return server information. How could that be useful in attacking a website? The IP address is not the direct web server being targeted, but the header information is from the target server. Beyond that it seems like the means of attack are dealing with the dynamic nature of a website to hopefully inject or exploit services through it. Are there other common methods of website attack? What is the gain for attacking a website? DoS, defacing, multiple forms of data extraction?


Email the company - info@abc.com or alike - with a lame question, check the reply headers and then do a whois on the IP; that will give confirmation on the owners. Also tracert with "can't remember the name", but with an app that will point on a Google map or alike to the most probable location of the source IP.

If that's not working then roll up your sleeves and think again, or move on to another company that is not so secure.

In a sleeve-rolling-up approach, maybe trick a member of staff into looking at a website ("your website"); this will provide you with their browsing IP address - and if you're really good at social engineering you could even get them downloading a "cough" demo program.

Of course this is all ifs and buts, and is of course what you "could" do if you were into such things.


You can also social engineer a staff member of company X by either dropping a USB key with a payload preinstalled and hoping that an employee of company X will use said USB key (and then, depending on the payload on the USB key, you can get access that way), OR you can attempt to find an internal phone directory in some way for company X and use social engineering skills to determine the IP address of a box inside the network by posing as a rep from a company that services the servers, such as VMware or the like.


You can also social engineer a staff member of company X by either dropping a USB key with a payload preinstalled and hoping that an employee of company X will use said USB key (and then, depending on the payload on the USB key, you can get access that way), OR you can attempt to find an internal phone directory in some way for company X and use social engineering skills to determine the IP address of a box inside the network by posing as a rep from a company that services the servers, such as VMware or the like.

Getting the actual IP address is pretty trivial. For example, not every server is hosted elsewhere. There's a good chance something is hosted locally if it's a large enough company. For example, we keep our website hosted elsewhere, but our Exchange in house, where we get to back it up and keep it safe. Once you find an IP address, you can pretty easily get the range; ping sweeps are legal. You can ping as much as you want around the world with no consequence. With that in mind, if they did get attacked and you did the ping sweep from your house, you will be on a short list of destinations for the FBI to visit. DO IT FROM A STARBUXXX WIFI.

As previously mentioned, the most successful attack would be from the inside out. Social engineering or trojan exploits, etc. You would be surprised how easily a telco shirt and tool box will get you past the front desk.

Otherwise you would need to exploit vulnerable services. Here's where it gets fuzzy. A ping is a legitimate request from computer to computer. A port scan is not; it is an active inquiry into a system that is not your own. This might be where you cross the line. Again, do this from NOT your house. Find a vulnerable service and apply the zero day (that you wrote!! ;/).

These are the basics of a pen test, study up on pen testing for more on this topic. Many good books out there, "Stealing the ______" (network/continent/etc) is a really good series by experienced authors, it's all fiction, but the methods are real.


Otherwise you would need to exploit vulnerable services. Here's where it gets fuzzy. A ping is a legitimate request from computer to computer. A port scan is not; it is an active inquiry into a system that is not your own. This might be where you cross the line. Again, do this from NOT your house.

Incidentally, nmap has an option whereby you can set 'decoy' IP addresses that appear to be the source of your scan. Using the -D option enables you to make it look like your scan is one of several, the others coming from IP addresses that you specify. Thus the target won't know which IP address is the actual source: yours, or one of the other addresses you are spoofing.
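From the defender's side, a decoy scan of the kind just described has a recognisable shape in firewall logs: several distinct source addresses probe the same destination across the same set of ports within the same few seconds, which ordinary traffic almost never does. The following is an added example for this thread, not code from any poster or from nmap; the log lines are constructed in an iptables-like format (documentation IP ranges), and the window and thresholds are assumptions to tune for your own traffic.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Constructed sample firewall log: three sources (one real scanner plus two
# decoys, indistinguishable in the log) hit five ports within three seconds,
# and one benign client makes two ordinary HTTPS connections.
SCANNERS = ["198.51.100.5", "198.51.100.6", "198.51.100.7"]
PROBED_PORTS = [22, 80, 443, 3389, 8080]
SAMPLE_LOG = [
    f"Jan  1 10:00:0{1 + i % 3} fw kernel: IN=eth0 SRC={src} DST=203.0.113.20 "
    f"PROTO=TCP SPT={40000 + i} DPT={port} SYN"
    for i, (src, port) in enumerate((s, p) for p in PROBED_PORTS for s in SCANNERS)
] + [
    "Jan  1 10:00:02 fw kernel: IN=eth0 SRC=192.0.2.44 DST=203.0.113.20 PROTO=TCP SPT=51000 DPT=443 SYN",
    "Jan  1 10:00:09 fw kernel: IN=eth0 SRC=192.0.2.44 DST=203.0.113.20 PROTO=TCP SPT=51001 DPT=443 SYN",
]

LOG_LINE = re.compile(
    r"^\w{3}\s+\d+ (\d\d):(\d\d):(\d\d) \S+ kernel: .*?SRC=(\S+) DST=(\S+) .*?DPT=(\d+)\b"
)


class Event(NamedTuple):
    seconds: int  # seconds since midnight; day boundaries are ignored here
    src: str
    dst: str
    dport: int


def parse_events(lines: List[str]) -> List[Event]:
    """Extract (time, source, destination, destination port) from SYN log lines."""
    events: List[Event] = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # unrelated log line
        h, mi, s, src, dst, dport = m.groups()
        events.append(Event(int(h) * 3600 + int(mi) * 60 + int(s), src, dst, int(dport)))
    return events


def find_decoy_scans(
    lines: List[str], window_s: int = 5, min_ports: int = 4, min_sources: int = 3
) -> Dict[str, List[str]]:
    """Map each destination to the sources that scanned it in lockstep.

    Events are bucketed into fixed windows per destination. A source that
    touches at least `min_ports` distinct ports inside one window is a
    scanner; when `min_sources` or more scanners share a window, the group
    is reported, because that co-timing is the decoy signature.
    """
    ports_seen: Dict[tuple, Dict[str, set]] = defaultdict(lambda: defaultdict(set))
    for ev in parse_events(lines):
        ports_seen[(ev.dst, ev.seconds // window_s)][ev.src].add(ev.dport)

    findings: Dict[str, set] = defaultdict(set)
    for (dst, _bucket), per_src in ports_seen.items():
        scanners = {src for src, ports in per_src.items() if len(ports) >= min_ports}
        if len(scanners) >= min_sources:
            findings[dst].update(scanners)
    return {dst: sorted(srcs) for dst, srcs in findings.items()}


if __name__ == "__main__":
    for dst, srcs in find_decoy_scans(SAMPLE_LOG).items():
        print(f"{dst}: probable decoy scan from {', '.join(srcs)}")
```

The logs alone cannot say which of the reported addresses is the real scanner, and that is precisely the point of the technique; what the detector gives you is the whole group and a timestamp. The real source is the one that can receive replies, so correlating the group against later completed handshakes or follow-up connections from the same addresses is the natural next step.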
