Mati Aharoni “muts”
A few years back, a good friend (and Microsoft Networking mentor of mine) came to visit me during a course. We started talking about the (latest at the time) ZOTOB worm (MS05-039) and I asked him if he had seen any instances of it. He answered that he saw an infection in one location, where it was quickly overcome. He then said: “That ZOTOB was annoying though, it kept rebooting the servers until they managed to get rid of it”.
I took my friend aside and proceeded to boot a vulnerable class computer and told him: “Watch this, I’m going to manually replicate the Zotob attack”. I browsed to the milw0rm site, and downloaded the first (at the time) exploit on the list, and saved it to disk. I opened a command prompt, compiled the exploit and ran it. The output was similar to “ms05-039.exe [victim IP]“. I punched in the IP address of the vulnerable computer with one finger, and pressed enter. I was immediately presented with command shell belonging to the victim machine. I typed in ipconfig, whoami and proceeded to add an administrative user to the victim machine. I gave him just enough time to see the output, and then typed “exit”.
Exiting the shell caused svchost.exe to crash, and a reboot window popped up, just like the ones he saw. I could slowly see the realization seep in. His face lost colour and he slowly sat down on the nearest chair. He looked at me, horrified, somehow managing to gasp “how” and “why” at the same time. He then quickly exited the room and made some urgent phone calls.
I realized that this master of Windows Active Directory and Multiple Domain PKI Infra-structure guru did not share the same narrow (in)security knowledge as a 12 year old junior hacker. He was not aware of the outcomes of such an attack and did not know that the “reboot” syndrome he observed was an “unfortunate” byproduct of an unauthorized SYSTEM level access to the machine.
This made me realize that there is a *huge* gap between the “Defensive” and “Offensive” security fields. A gap so big that a 12 year old could outsmart a well seasoned security expert. Hopefully, if this separation between the “Defensive” and “Offensive” fields is clear enough, network administrators and (defensive) security experts will start to realize that they are aware of only one half of the equation and that there’s a completely alien force they need to deal with – and that in order to defend, they need to understand the attack(er).