Preconceptions About Network Security

A common preconception about network security is that as long as the firewall is working and preventing all unauthorized access to internal devices (that’s incoming traffic), then the firewall is doing its job. However, this often isn’t the case, and a number of recent attacks have proved it. This misconception is held amongst many sys admins and their IT managers, who often turn their back on security news with the idea that because they have a firewall, they are protected.

I wanted to demonstrate how an attacker with a targeted victim can gain access to and infiltrate an organization’s network.

When I say targeted victim, I mean the attacker specifically wants to target a certain organisation and has tailored his tools to suit the environment at hand. Many of these attacks are planned, and a rough outline of one can be seen below.

For this little example, let’s call the attacker Bob and the company “Widgets Limited”.

Attacker’s goal: Bob wants to gain access to Widgets’ internal network.

Bob knows that Widgets has a strict firewall policy, with a number of open ports such as SMTP and FTP. After failing to exploit these two services, Bob moves on to a more complex approach using a little social engineering and a basic web vulnerability.

Step 1:

Bob visits a social networking site and looks for employees who work for Widgets. He finds out that Lisa and Mary both work for Widgets and have each other on their friends lists. (The concept works for Facebook too.)

Step 2:

Through the use of Google, Bob may be able to tell what email address format Widgets uses (“”) and therefore will be able to determine whether the company uses simply “” or perhaps “”.

Step 3:

In the next step, Bob sets up a website with JavaScript code known to exploit either Internet Explorer or add-ons such as Adobe Flash Player. (An exploit was found in the version of Adobe Flash that comes with Microsoft’s XP Service Pack 3.)

Step 4:

Remember those two Widgets employees Bob found earlier? Bob can send Lisa an email with a link to the website he created and, by spoofing the sender address, make it look like it came from Mary, the other Widgets employee. Bob uses the address format he found in Step 2 so that it’s sent to the correct Lisa. Bob might make the email say something like “Check out this funny video”.
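The spoofed "from Mary" email in Step 4 is exactly the kind of message a mail gateway can flag: the From address claims the company's own domain, but the Received header added by the company's own mail server shows the message arrived from an outside host. The following is an added example (not code from the original post) of that check. The domain widgets.example, the 10.0.0.0/8 range for internal mail relays, the header layout and both sample messages are constructed assumptions for illustration.

```python
"""Flag messages that claim an internal sender but arrived from outside.
Added example; domain, relay range and messages are constructed."""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "widgets.example"                       # assumed company domain
INTERNAL_RELAYS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed: genuine internal mail comes from here

# Constructed messages. The topmost Received header is the one our own mail
# server adds on acceptance, so it records the real source IP of the message.
GENUINE = """\
Received: from mail01.widgets.example (mail01.widgets.example [10.0.1.5]) by mx.widgets.example
From: Mary <mary@widgets.example>
To: lisa@widgets.example
Subject: Meeting notes

See attached.
"""

SPOOFED = """\
Received: from unknown (HELO widgets.example) [203.0.113.9] by mx.widgets.example
From: Mary <mary@widgets.example>
To: lisa@widgets.example
Subject: Check out this funny video

http://video.example/funny
"""

# IPv4 address in square brackets, as MTAs write it in Received headers
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def source_ip(msg):
    """IP from the newest (topmost) Received header: the host that handed
    the message to our server. Returns None if it cannot be found."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = IP_RE.search(received[0])
    return ipaddress.ip_address(m.group(1)) if m else None


def check_internal_sender(raw, domain=COMPANY_DOMAIN, relays=INTERNAL_RELAYS):
    """Return a list of findings; an empty list means no spoofing indicator."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    findings = []
    if not addr.lower().endswith("@" + domain):
        return findings  # external sender: outside the scope of this check
    ip = source_ip(msg)
    if ip is None:
        findings.append("internal From address but no parseable Received source")
    elif not any(ip in net for net in relays):
        findings.append(f"internal From {addr} delivered from external host {ip}")
    return findings


if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("spoofed", SPOOFED)):
        print(label, "->", check_internal_sender(raw) or "no findings")
```

The check relies only on the Received header written by the receiving server, which the sender cannot control; anything further down the Received chain is attacker-supplied and is deliberately ignored. A production gateway would apply SPF, DKIM and DMARC policy in place of this hand-rolled rule, but the underlying question is the same one this code asks.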

Step 5:

When Lisa visits the page, the exploit runs against the operating system. The payload is most likely shell code designed to perform a certain function, or perhaps a trojan is loaded, allowing Bob to take control.

But how can the attacker connect to Lisa’s machine? There’s a firewall!

Why should sys admins restrict outbound traffic? I mean, my employees aren’t hackers!

Ah, but most firewalls allow outgoing traffic, so Bob configures the trojan to use a backconnect script, which tells the trojan to make a connection BACK to Bob’s computer, bypassing the firewall.

As you can see in this example, Bob is able to achieve his goal of gaining access to the Widgets network. From here, Bob could run network scans on internal subnets to assess further machines he could compromise. Have an unpatched domain controller? Bam, Bob is in, and you don’t want to know what damage he can do. Bob could also use ARP poisoning tools, which allow him to perform man-in-the-middle attacks (article coming soon) by causing traffic from a particular host to be routed through a network device of his choosing.

What can I do to stop this?

Keep your Anti-Virus up to date!

Ensure all PCs have an updated anti-virus program designed to be proactive! (Kaspersky 6.0 for workstation does a great job at this!)

Patch your network devices!

Nessus is a vulnerability scanner which can scan all machines in a particular subnet. Nessus can report:
- Hosts that need Microsoft updates
- Hosts that have exploitable software (such as Adobe Flash, old versions of Firefox, IE, etc.)

Limit outgoing traffic!

Create a firewall policy that only allows outgoing traffic on the ports people need! If your clients only need web access to browse the web, only open port 80! While this might help prevent Bob from using a backconnect script, he can always connect out through port 80 instead.
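The backconnect trojan described above and the egress policy recommended here meet in the firewall's outbound log. An allowlist of ports catches the crude case (a connection to some random high port), but as the post notes, a trojan can just as well call home over port 80, so the second thing worth looking for is a workstation contacting the same outside address at a fixed interval. The following is an added example (not code from the original post) that runs both checks over a handful of constructed log lines. The iptables-style log format, the 10.0.5.x workstation addresses, the external addresses and the choice of 80 and 443 as permitted ports are all assumptions made for this example.

```python
"""Review outbound firewall logs for egress-policy violations and beaconing.
Added example; log format, addresses and allowed ports are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in an iptables LOG-target style. 10.0.5.x are workstations;
# 203.0.113.7 and 198.51.100.10 are external hosts. One line goes to a non-web
# port, and one workstation reconnects to the same external host every 60 s on
# port 80, which is what a reverse-connecting implant polling home looks like.
SAMPLE_LOG = """\
Jan 10 09:00:01 fw kernel: OUT=eth1 SRC=10.0.5.30 DST=203.0.113.7 PROTO=TCP SPT=50001 DPT=4444
Jan 10 09:00:05 fw kernel: OUT=eth1 SRC=10.0.5.22 DST=198.51.100.10 PROTO=TCP SPT=50002 DPT=443
Jan 10 09:01:00 fw kernel: OUT=eth1 SRC=10.0.5.21 DST=203.0.113.7 PROTO=TCP SPT=50003 DPT=80
Jan 10 09:02:00 fw kernel: OUT=eth1 SRC=10.0.5.21 DST=203.0.113.7 PROTO=TCP SPT=50004 DPT=80
Jan 10 09:02:41 fw kernel: OUT=eth1 SRC=10.0.5.22 DST=198.51.100.10 PROTO=TCP SPT=50005 DPT=80
Jan 10 09:03:00 fw kernel: OUT=eth1 SRC=10.0.5.21 DST=203.0.113.7 PROTO=TCP SPT=50006 DPT=80
Jan 10 09:04:00 fw kernel: OUT=eth1 SRC=10.0.5.21 DST=203.0.113.7 PROTO=TCP SPT=50007 DPT=80
Jan 10 09:05:00 fw kernel: OUT=eth1 SRC=10.0.5.21 DST=203.0.113.7 PROTO=TCP SPT=50008 DPT=80
"""

# Ports the egress policy permits for workstations (assumption: web only).
ALLOWED_EGRESS_PORTS = {80, 443}

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dpt>\d+)"
)


def parse_log(text, year=2024):
    """Parse log lines into dicts. Syslog timestamps carry no year, so one
    is supplied; lines that do not match the expected format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "src": m["src"], "dst": m["dst"],
                       "proto": m["proto"], "dpt": int(m["dpt"])})
    return events


def non_allowlisted(events, allowed=ALLOWED_EGRESS_PORTS):
    """Outbound connections to ports the egress policy should have blocked."""
    return [e for e in events if e["dpt"] not in allowed]


def beacons(events, min_hits=4, max_jitter_s=5.0):
    """(src, dst, period_seconds) for pairs that connect repeatedly at a
    near-constant interval, regardless of port. This is the pattern that
    survives a port allowlist when the implant talks over port 80."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e["ts"])
    found = []
    for (src, dst), times in sorted(by_pair.items()):
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= max_jitter_s:
            found.append((src, dst, round(sum(gaps) / len(gaps))))
    return found


def review(text):
    """Run both checks over raw log text and return the findings."""
    events = parse_log(text)
    return {"policy_violations": non_allowlisted(events), "beacons": beacons(events)}


if __name__ == "__main__":
    report = review(SAMPLE_LOG)
    for e in report["policy_violations"]:
        print(f"blocked-port egress: {e['src']} -> {e['dst']}:{e['dpt']}")
    for src, dst, period in report["beacons"]:
        print(f"possible beacon: {src} -> {dst} every ~{period}s")
```

Only connections the firewall actually logs can be reviewed, so the egress rules need a logging rule for accepted outbound traffic as well as for drops; a 60-second interval over four hits is a deliberately low bar for a small sample, and real traffic needs longer windows and some tolerance for jitter before an alert is worth raising.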

I’d love to hear people’s thoughts on this topic, so feel free to add comments! Valuable comments will have their content injected into the post to help educate others.

One Response to “Preconceptions About Network Security”

  1. Adrian says:

    I really enjoyed reading this post, and trying to decipher your complicated steps program.

    A security company recently conducted an experiment on an organization much similar but simpler than what you explained.
    They were hired by the company to try to hack into the network and see what info they could get.

    1st. The security company’s first step was to write a program that obtained all personal details, e-mail addresses, and log-on passwords. This was quite easy for the company, being professionals in security.

    2nd. The second step was getting the program installed on people’s computers; this is where true genius was shown. They placed the program on 30 USB thumb drives and dropped them in public areas of the building: car parks, elevators, rest rooms, and other common areas.

    3rd. The waiting game. Out of the 30 drives, 25 were plugged into work computers, sending all data (address books, personal info, passwords etc.) needed over e-mail to a specific address.

    Now that’s scary.

    Every man and his dog now has a USB key. I know if I found one on the road before reading that article I would have plugged it into my computer, but now I would think twice.

    What’s stopping me from going to Officeworks and buying 512MB (I say this because they were in the $1 bin last time I was there) USB disks and putting trojans on them and letting them out into the world? So for $50 I could have a possible 50 people’s e-mails, probably bank details, credit cards; the information is endless. Be afraid, be very afraid.

    Also, on a totally unrelated topic:
    The future is scary.
