Looking at Windows file server security through a hacker's eyes

Windows file servers play a crucial role in the network. They host sensitive files, databases, passwords and more. When a file server goes down, the whole network is likely to be in trouble; if one is compromised, it is the equivalent of opening Pandora's box.

Here a TechTarget China contributing writer shares a real case of a hacked file server: what happened, and how the vulnerabilities were exploited to compromise the system, all from a hacker's perspective. This will help you relate the system vulnerabilities you read about in the news to concrete situations, and look at your own server security from a whole new perspective. You will see that not every security issue is unfathomable.

Step 1: Finding a patch that is not installed

You believe that all of Microsoft's critical security updates are installed. Then you scan with one of my favourite vulnerability probing tools, and you find that there is a vulnerability that can be attacked after all.

You will often find that most Windows file server security problems are caused by patches that someone forgot to install, and this frequently leads to attacks from inside the network. Much of this is because many networks deploy no intrusion protection system internally: all internal connections are trusted. If someone in your company is trying to take control of your Windows server, that is real trouble.

Let us look, from the perspective of an internal attacker, at what a dozen or so unpatched Windows vulnerabilities look like to him. All he needs is an internal network connection and a few security tools that can be downloaded for free: NeXpose Community Edition and Metasploit.

The specific steps are as follows:

A potentially malicious user installs NeXpose and scans the network, or a set of important servers he already knows about, for vulnerabilities.

He finds a file server with the MS08-067 vulnerability, which allows "arbitrary code execution"; a finding that looks almost ridiculous.

He then goes to the Metasploit page for that finding, where the list of exploitable vulnerabilities can be seen.

He downloads and installs Metasploit, adds a few parameters, and runs a command that gives him full access to your server, as shown below.


Figure 1. Checking for the MS08-067 vulnerability

With Metasploit this can be repeated against any vulnerable Windows system or related application, even by someone who knows nothing about them. Think about how bad this can get: deleting files, copying the SAM database and backups of sensitive files, adding and removing users, and more. If you have a server on the public network, open to everyone and without firewall protection, the same kind of attack can arrive over the Internet.

Remember too that the network connection mentioned above can be obtained through an unsecured wireless network. A common example is a wireless hotspot originally set up for the scanning devices in a warehouse, which connects straight into your network. Whether those scanners are secured with WEP, WPA or some other encryption, any device within range (usually in your car park or next to the building) can easily reach your network and launch an attack from there.

Step 2: Sniffing the network for useful information

Speaking of unsecured wireless networks: an outside attacker who sneaks onto your network to collect sensitive information generally uses a wireless network analysis tool such as CommView for WiFi or AirMagnet WiFi Analyzer. In addition, if an attacker can get a physical connection to your network (or is a trusted user), he can use tools to perform ARP attacks, which let him get past your Ethernet "security" controls and take whatever he wants from the network.

Why must attacking a file server involve this? Quite simply, an attacker can easily capture passwords sent over SMB, POP3, web, FTP and Windows authentication dialogues, and then use them to log straight in to your file server.


Figure 2. A real case: passwords captured easily with a tool such as Cain & Abel
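The ARP attack described above leaves a signature a defender can watch for: an IP address whose MAC binding changes, or one MAC answering for several addresses. The following is an added example, not code from the original article; it assumes ARP replies have already been captured into (timestamp, IP, MAC) tuples, and the sample records are constructed.

```python
"""Flag ARP spoofing from a stream of observed ARP replies.

Added example, not code from the original article. It assumes ARP replies have
already been collected as (timestamp, sender_ip, sender_mac) tuples, e.g. from
a capture on a monitoring port; the records below are constructed.
"""
from collections import defaultdict

# Constructed sample: the gateway (.1) and the file server (.20) are suddenly
# claimed by the MAC of a third host (.55), the shape of a man-in-the-middle.
SAMPLE_ARP_REPLIES = [
    (1.0, "192.168.1.1", "aa:bb:cc:00:00:01"),   # gateway, legitimate
    (1.5, "192.168.1.20", "aa:bb:cc:00:00:20"),  # file server, legitimate
    (2.0, "192.168.1.55", "de:ad:be:ef:00:55"),  # third host, its own address
    (2.1, "192.168.1.1", "de:ad:be:ef:00:55"),   # gateway binding changes
    (2.2, "192.168.1.20", "de:ad:be:ef:00:55"),  # file server binding changes
    (3.0, "192.168.1.30", "aa:bb:cc:00:00:30"),  # unrelated, benign
]

def detect_arp_spoofing(replies, trusted=None, max_ips_per_mac=1):
    """Return alert strings for suspicious ARP reply patterns.

    Check 1: an IP whose claimed MAC changes, or differs from a trusted static
             binding, is reported as a binding change.
    Check 2: one MAC claiming more than `max_ips_per_mac` distinct IPs is
             reported once, when the threshold is first crossed.
    `trusted` is an optional {ip: mac} dict of known static bindings.
    """
    ip_to_mac = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        known = ip_to_mac.get(ip)
        if known is not None and known != mac:
            alerts.append(f"t={ts}: {ip} changed from {known} to {mac}")
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) == max_ips_per_mac + 1:
            alerts.append(f"t={ts}: {mac} claims multiple IPs: "
                          + ", ".join(sorted(mac_to_ips[mac])))
    return alerts

if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_REPLIES):
        print(alert)
```

Feeding it real captures requires a monitoring port or a host-based ARP cache watcher; static bindings for the gateway and file servers in `trusted` make the first check fire on the very first forged reply.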
This is the second half of the real case of a hacked file server encountered by a TechTarget China contributing writer. In the first half of this article we showed how to find a patch that is not installed and how to sniff the network for useful information. What are the next steps?

Step 3: Getting at sensitive files

I keep repeating this topic because the problem seems to get worse. Sensitive information stored on unprotected shared servers, typically in public folders, can be accessed at will by anyone on the network. Why? My view is that network administrators have too much information to manage, and users are often sloppy with their files. For the business, of course, there is no doubt that protecting personally identifiable information matters a great deal.

Here is what can happen. A user with standard domain permissions (or a hacker who has obtained a legitimate user's rights) scans the network for file shares; GFI LANguard, for example, exposes this problem with its built-in tool for finding shared resources. He finds the shares and tries to connect to them one by one. There are too many files, so he filters with Windows Explorer's search function or with a faster and more powerful tool such as Effective File Search (EFS). He searches .doc, .xls, .txt and similar text files for keywords such as "ssn", "dob", "confidential" and so on. Undoubtedly he will not need to look through hundreds of documents before finding something useful. He copies the information and uses the stolen access to do further damage, for example by selling it to competitors. Once again: test this yourself and you will find what I say is true. Plenty of tools can find the document types and keywords you want.
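The same search the article describes can be run by the defender against their own shares before an attacker does. This is an added example, not code from the original article: it scans a directory tree for the document types and keywords named above, adds an SSN-shaped pattern check as an extension, and builds its sample share in a temporary directory so it runs offline.

```python
"""Audit a file share for documents that expose sensitive data.

Added example, not code from the original article. The share and its files
are constructed in a temp directory so the script runs offline.
"""
import os
import re
import tempfile

# Extensions and keywords the article names; the SSN-shaped regex is an
# addition so a file holding raw identifiers without a keyword is still found.
DOC_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".txt", ".csv"}
KEYWORDS = ("ssn", "dob", "confidential")
SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def scan_share(root, keywords=KEYWORDS, extensions=DOC_EXTENSIONS):
    """Return {relative_path: [reasons]} for files that look sensitive."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in extensions:
                continue
            path = os.path.join(dirpath, name)
            # Lenient decoding so binary Office files are searched, not skipped.
            with open(path, "rb") as fh:
                text = fh.read().decode("utf-8", errors="ignore").lower()
            reasons = [f"keyword:{kw}" for kw in keywords if kw in text]
            if SSN_PATTERN.search(text):
                reasons.append("pattern:ssn")
            if reasons:
                findings[os.path.relpath(path, root)] = reasons
    return findings

def build_sample_share():
    """Create a constructed share with sample files and return its path."""
    root = tempfile.mkdtemp(prefix="share_audit_")
    samples = {
        "hr/payroll.csv": "name,dob,salary\nJ. Doe,1980-01-02,50000\n",
        "hr/notes.txt": "CONFIDENTIAL: reorg plan, do not forward\n",
        "public/readme.txt": "Welcome to the shared drive.\n",
        "old/ids.txt": "employee id file 123-45-6789\n",
    }
    for rel, content in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root
```

Point `scan_share` at a mounted share path (for example a drive letter mapped to the share) to audit the real thing; a short keyword like "dob" will also match inside longer words, so review hits before acting on them.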
If your file server is publicly accessible (which should never be the case, but I see it a lot), then a hacker can also dig up sensitive server information with Google queries. To test this, I recommend Acunetix's Web Vulnerability Scanner, which has a built-in Google Hacking Database (GHDB) scanning feature.

Step 4: Attacks that indirectly affect file server security

Finally, other vulnerabilities in your network are easy to find, and they can easily lead, indirectly, to your file servers being manipulated and attacked. Most of these are physical-device security issues. One serious problem I want to address is that in some data centres the web management interface of the equipment can be reached by every user, including anyone who gets in over an insecure wireless network in another building. Worse, this data centre management application runs with the default username and password. Once logged in, access controls can be disabled, security alerts changed, log files altered, and so on: a good way for a hacker to cover the traces of an attack.

I have also seen, many times, file servers that are completely open to the public (typically in busy financial companies and medical institutions, where the network is wide open to local business systems). I am talking about a network environment with no security controls at all, not even the most basic physical security. These servers often do not have their screens locked, which can easily lead to an administrator back door. Hackers can also learn how the systems are connected internally, so they can come back and take what they need when nobody is around. Is a Windows file server hard to crack? Because the hard drives are not encrypted, all a hacker has to do is use a tool such as Ophcrack Live CD or ElcomSoft System Recovery to crack or reset the system passwords, including the administrator password.

That is why I recommend encrypting the server's hard drive; it is almost the last line of defence. Finally, don't sit idle. Remember that if a hacker can do this, you should test it yourself. Try attacking your own Windows file server, the way a malicious user would, to see what can be done from inside and outside the network when there are no restrictions. Keep in mind how you carry out these tests: use the right tools, at the right time, in the right way.