Awesome article on how a hacker can compromise a network

Jesper Johansson just posted an article in TechNet magazine describing how a hacker might take over your network.

One tidbit from the conclusions:

Once a network has been thoroughly hacked, the system administrator has three options: update their resume, hope the hacker does a good job running the network, or drain the network. You will of course need to take action to deal with the attack. Let's first take a look at some of the available options and assumptions and consider why they might not be the best course of action when cleaning a hacked system.

While his article shows how a single vulnerability can be exploited to take over an entire network, his conclusion is entirely relevant:

In this article, I've examined how a Windows-based network might be hacked. I hasten to point out that Windows-based networks are no less secure than any other network. While the specific attacks used in this article are unique to Windows, minor modifications to the techniques and a new tool set would make the same compromise possible on a network running a different platform. The problem is not the platform itself, but the practices. All platforms are securable, but all networks are exploitable if they are not architected and implemented carefully. Poor implementation is always poor implementation, regardless of the underlying platform.

This isn’t a “Windows” problem. It’s a secure-system problem. Once the vulnerability is exploited, the ONLY difference between compromising a Windows system and a *nix system (or an OS X system, or any other system) is the tools that are used to compromise the system.


Comments (14)

  1. Anonymous says:

    Attended a few of Jesper’s sessions during TechEd 2004 in Malaysia. All of them were very informative and I enjoyed them very much…

  2. Anonymous says:

    Funny conclusions, but my personal experience is completely different. Once a hacker hacks your network, your admins will complain to their managers about you pointing out the hack, and the managers will forbid you to ever talk to IT personnel again and restrict your access so you will not be able to find out whether the network was hacked or not in the future.

  3. Anonymous says:

    That’s very sad Jerry.

    Because it means that the managers don’t care about the company.

    Because if they cared about their company, they’d care about the fact that every bit of data on the company network is gone.

    And if every bit of data on the company network is now in the hands of the hackers, then it’s not their company any more, As Jesper’s article mentioned: "hope that the hacker does a good job running the network".

    Once the hack’s happened, you don’t own your company any more, the hacker owns your company.

  4. Anonymous says:

    Appears that checking for single quote in the input would have prevented this.

  5. Anonymous says:

    Actually there were a couple of things that were done wrong on that site, but yes, the avenue for entry was a single case of not validating inputs from the user.

    That’s all it takes.
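    The two comments above describe the hole (user input pasted straight into a SQL statement) and the check a reader proposed (rejecting single quotes). The following is an added example, not code from the article, the blog, or the site that was compromised; it uses an in-memory SQLite table with constructed sample rows to stand in for the site's user store. It shows the concatenation pattern failing on an input that contains a quote, the parameterized query handling the same input as plain data, and an allow-list validator as a second layer, which also illustrates why a quote filter alone is not the fix: it rejects legitimate names such as O'Brien.

```python
import sqlite3

# Constructed sample data standing in for the site's user table (not from the article).
SAMPLE_USERS = [("alice", "admin"), ("bob", "user"), ("o'brien", "user")]


def make_db():
    """Build the in-memory stand-in database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_unsafe(conn, name):
    """The pattern the comments describe: the user's input becomes part of the SQL text.
    A single quote in the input is read as query syntax rather than as data."""
    sql = "SELECT role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Parameterized query: the value travels separately from the statement, so a quote
    in the input is only a character inside the data and the query shape cannot change."""
    return conn.execute("SELECT role FROM users WHERE name = ?", (name,)).fetchall()


# Allow-list of characters a username field is expected to carry (assumed policy).
ALLOWED = set("abcdefghijklmnopqrstuvwxyz0123456789_-")


def is_valid_username(name):
    """Input validation as a second layer (the check suggested in comment 4):
    bounded length and only characters from the allow-list. Note that this rejects
    the quote but also legitimate names containing one, so it complements rather
    than replaces the parameterized query."""
    return 0 < len(name) <= 32 and set(name.lower()) <= ALLOWED


def demo(name="o'brien"):
    """Run one input through both lookups and the validator; return what happened."""
    conn = make_db()
    outcome = {}
    try:
        lookup_unsafe(conn, name)
        outcome["unsafe"] = "ran"
    except sqlite3.OperationalError:
        # The quote terminated the string literal early and the parser choked on the rest.
        outcome["unsafe"] = "syntax error"
    outcome["safe"] = lookup_safe(conn, name)        # [('user',)] for o'brien
    outcome["validated"] = is_valid_username(name)   # False: the quote is outside the allow-list
    return outcome


if __name__ == "__main__":
    print(demo())
```

    The same concatenated statement that errors on a harmless apostrophe is the one an attacker can steer, because in both cases the input is changing the statement rather than filling a value in it. Binding parameters removes that possibility regardless of what the input contains; the validator then serves to reject junk early and to log it, which is also a useful detection signal.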

  6. Anonymous says:

    I’ll add a quote I’ve heard from one manager about validating user input: "We don’t need to validate the input because normal user will never enter values like you did." And I have to thank Larry for finding the right word to describe this – sad.

  7. Anonymous says:

    SQL Server runs fine as a limited account, too; they shouldn’t have been running it with LocalSystem.

  8. Anonymous says:

    Findings this afternoon

  9. Anonymous says:

    10/29/2004 11:34 AM Larry Osterman

    > That’s very sad Jerry.
    > Because it means that the managers don’t
    > care about the company.

    In exactly the same way, some government agencies don’t care about their countries. One of Richard Feynman’s books includes a story of what happened when he discovered that safes used in a military office weren’t secure. More recently (in this millennium) a US court ordered the FBI to pay a million dollars to a whistleblower that they had fired, but they didn’t have to rehire the whistleblower and the criminals who are in charge remain in charge. Oops, sorry, no hacking in the latter case, but Feynman’s accidental discovery resembled white-hat hacking.

  10. Anonymous says:

    > but Feynman’s accidental discovery resembled white-hat hacking.

    I think it wasn’t an accident. He did it out of curiosity, as he was quite an adventurous person =).

  11. Anonymous says:

    He was playing for fun, but I don’t think he started with a deliberate intention to break in. After his discovery, he tried to be a white-hat hacker, demonstrating the problem and recommending that it get fixed, but naturally he was ostracized for his efforts and the security holes were left in place.

  12. Anonymous says:

    The only thing about a ‘generic’ windows install is that it’s easier to get into than a ‘generic’ *nix install. Secured versions of each are harder, and unprotected versions of each are easier – the really important aspect is an admin who knows what they’re doing and can weigh trade-offs appropriately.

    I knew one guy who broke into a network and ‘adopted’ it, upgrading and securing it, answering administrative questions, and communicating with employees in general, just because he liked the feeling of being an admin. (In a rather pathological way.) And a dozen who take networks for fun, profit, and revenge, and leave them trashed, even one who only broke into challenging unix systems.

    Unfortunately, unless you’re willing to live day-to-day like a locked-down, paranoid government branch with audited software and no outside connection, there will always be some way for a dedicated hacker to get you. *shrug* There’s always a chance you’ll get hit by a car, just be safe and be ready with some plan for after.

  13. Anonymous says:

    Is a ‘generic’ Windows install more secure than a generic Linspire install? Linspire’s a Linux distro, last I heard (albeit, not intended for enterprise deployment).

    And I’m not sure that it really matters. As a corollary to your comment, if you’re deploying a server solution on ANY platform, you need to make sure that it’s locked down, regardless of platform.
