Hannibal Exploits His Victim
Using his access on the external Web server, Hannibal uploaded computer vulnerability scanning tools, such as Nessus, to look for security weaknesses on the rest of the network. As illustrated in Figure 7, from the vantage point of the Web server, Hannibal scanned the Clarice Commerce internal network looking for vulnerabilities. The firewall screened most of the traffic from the Web server going into the internal network. However, the firewall did allow the Web server to send Domain Name System (DNS) messages into the network. Hannibal therefore focused his scan on weak DNS servers.
Figure 7 The attacker remotely accesses a financial institution using ICMP tunnel and begins to scan the internal network.
As shown in Figure 8, Hannibal's scan of the internal network was successful. "Wonderful!" growled Hannibal. He discovered an internal DNS server with a security flaw allowing him to take it over. A configuration error on the machine let Hannibal compromise an internal system. He quickly took over this system and installed another remote control back-door program, this time using the versatile Netcat tool to create a back door.
Figure 8 The attacker takes over the internal name server with a buffer overflow.
Mistake #6: The internal DNS server was not securely configured. DNS servers fill a critically important function: to map domain names such as http://www.claricecommerce.com into IP addresses, among other things. Because they have such critical functions, they must be configured to be extremely secure. You must make sure that your organization carefully hardens all its DNS servers and guards these systems with intrusion-detection system tools.
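One way to act on the intrusion-detection advice above, as an added example that is not part of the original text: a check over firewall accept logs that flags a DMZ host sending DNS traffic to several internal machines other than the authorized resolver, which is the pattern a DNS-focused scan from the Web server would leave. The log format, address ranges, resolver address and threshold are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed addressing and threshold, not taken from the original text.
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
AUTHORIZED_RESOLVERS = {ipaddress.ip_address("10.0.0.53")}
FANOUT_THRESHOLD = 3  # distinct non-resolver targets before alerting

# Constructed firewall accept log: "<time> ACCEPT <proto> <src>:<sport> -> <dst>:<dport>"
SAMPLE_LOG = """\
10:00:01 ACCEPT udp 192.0.2.10:40001 -> 10.0.0.53:53
10:00:02 ACCEPT udp 192.0.2.10:40002 -> 10.0.1.5:53
10:00:02 ACCEPT tcp 192.0.2.10:40003 -> 10.0.1.6:53
10:00:03 ACCEPT udp 192.0.2.10:40004 -> 10.0.1.7:53
10:00:03 ACCEPT udp 192.0.2.10:40005 -> 10.0.1.7:53
10:00:04 ACCEPT udp 192.0.2.20:40006 -> 10.0.0.53:53
10:00:05 ACCEPT tcp 192.0.2.20:40007 -> 203.0.113.9:443
malformed line
"""

def parse_line(line):
    """Return (src_ip, dst_ip, dst_port) or None for lines that do not parse."""
    parts = line.split()
    if len(parts) != 6 or parts[1] != "ACCEPT" or parts[4] != "->":
        return None
    try:
        src = ipaddress.ip_address(parts[3].rsplit(":", 1)[0])
        dst_host, dst_port = parts[5].rsplit(":", 1)
        return src, ipaddress.ip_address(dst_host), int(dst_port)
    except ValueError:
        return None

def dns_fanout_alerts(log_text, threshold=FANOUT_THRESHOLD):
    """Return DMZ sources that sent DNS to >= threshold internal non-resolver hosts."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, dport = parsed
        if (dport == 53 and src in DMZ_NET and dst in INTERNAL_NET
                and dst not in AUTHORIZED_RESOLVERS):
            targets[src].add(dst)
    return {str(s): sorted(str(d) for d in ds)
            for s, ds in targets.items() if len(ds) >= threshold}

if __name__ == "__main__":
    print(dns_fanout_alerts(SAMPLE_LOG))
```

The same allow-list logic belongs in the firewall rule itself: permitting the Web server to reach only the authorized resolver on port 53 would leave the other internal DNS servers unreachable from the DMZ.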