Return on Investment
I (Fyodor) wrote this story as a chapter of Stealing the Network: How to Own a Continent. In this book, I teamed with FX, Joe Grand, Kevin Mitnick, Ryan Russell, Jay Beale and several other hackers to write individual stories that combine to describe a massive electronic financial heist. While the work is fiction, we tried to portray realistic attacks and technology. For example, my character Sendai uses Nmap, Hping2, Ndos, and similar tools to exploit network configuration and software vulnerabilities commonly found in the wild. Many thanks to Syngress for allowing me to post this online for free. Update: Syngress has released a sequel: Stealing the Network: How to Own an Identity. While Fyodor isn't a co-author of this one, Syngress let him post his favorite chapter online for free. That chapter is Bl@ckTo\/\/3r, by Nmap contributor Brian Hatch.
Sendai's Story
Like many professional penetration testers, Sendai was not always the wholesome “ethical hacker” described in his employer's marketing material. In his youth, he stepped well over the line between questionable (grey hat) and flat-out illegal (black hat) behavior. Yet he never felt that he was doing anything wrong. Sendai did not intentionally damage systems, and was only trying to learn more about UNIX, networking, security, phone systems, and related technology. Yet the law might consider some of his actions to be unauthorized access, theft of services, wire fraud, copyright infringement, and trade secret theft. In the rare times that Sendai thought of this, he found solace in the words of the Mentor's Hacker Manifesto: “Yes, I am a criminal. My crime is that of curiosity.” Surely his innocent motives would prevent prosecution. Besides, his teenage arrogance assured him that the government and targeted corporations were too dumb to catch him.
This perception changed dramatically in 1989 and 1990 when the “Operation Sundevil” raids took place. Well-known security enthusiasts, including The Prophet, Knight Lightning, and Erik Bloodaxe, were raided and many more were indicted. The popular Phrack e-zine was shut down while its editor faced trial. Sendai worried that he, too, might be swept up in the persecution. After all, he had been active on some of the same bulletin boards as many suspects, performing similar activities. Sendai was never targeted, but those nine months of stress and paranoia changed his outlook on hacking. He was not exactly scared straight, but he ceased treating network intrusion as a game or casual hobby. In the following years, Sendai became much more disciplined about hiding his tracks through multiple layers of indirection, as well as always wiping logs, even when it was inconvenient. He also began to research his targets and methods much more extensively. Failing to fully understand a system could cause him to miss important defenses and lead to detection. A side effect of this more methodical approach to hacking is that Sendai substantially broadened his network security knowledge and skill set.
Sendai did not recognize the growing value of this skill set and clean record until he was offered the “ethical hacking” job at a well-known auditing firm. The burgeoning Internet was creating such intense demand for security professionals that the firm asked few questions about his past. Using his real name, they were unaware that he even used the hacker handle Sendai. He did have some reservations about commercializing his hobby, not wanting to be seen as a sell out. Despite these concerns, Sendai accepted the position immediately. It sure beat his previous technical support day job! Soon he was living in the security world during both days and nights. The job provided legitimate access to exciting enterprise technologies, and he could hone his hacking skills without risking arrest. Bragging about his exploits led to bonuses instead of jail time. Sendai had so much fun cracking into systems for money that he eventually ceased much of his nocturnal black hat network exploration.
Playing the Market
Sendai's new position pays far more money than his modest lifestyle requires. After tiring of watching the money stagnate in his checking account, Sendai opens a brokerage account and begins to dabble in investing. As with hacking, Sendai learns everything he can about investing. Interestingly, he finds many parallels between the two disciplines. Many books and articles suggest filling a portfolio with funds that passively track broad indexes such as the S&P 500. This ensures diversity and reduces the risk of bad timing or stock-picking mistakes. Sendai discards this advice immediately. It sounds too much like the conventional wisdom that computer and telephone users should restrict themselves to advertised behavior, and stay ignorant about how the systems work. Sendai prefers stretching system capabilities to extract as much value as possible, based on a comprehensive understanding. In other words, he wants to (legally) hack the financial markets.
Sendai soon discovers another aspect of investing that is familiar to him. Successful active trading is all about obtaining relevant information before it is widely recognized and reflected in the stock price. This is similar to the security market, where the value of an exploit degrades quickly. The Holy Grail is a zero-day exploit, meaning one that is not publicly known or patched. Attackers who possess such an exploit can break into any system running the vulnerable service. The attack is unlikely to be detected, either, because administrators and IDS systems are not watching for what they do not know exists. Once the vulnerability is published and a patch is created, the exploit value decreases rapidly. The most secure installations will quickly upgrade to be invulnerable. In the coming days and weeks, most organizations will patch their systems. Soon, only the least security conscious networks will be exploitable, and they are probably vulnerable to many other attacks anyway. As other hackers (and in many cases worms) compromise the remaining vulnerable systems, the exploit value continues to dwindle.
In the security world, Sendai sometimes gains zero-day knowledge through friends in the scene and private mailing lists or IRC/SILC channels. Other times, he finds them himself by auditing software for bugs. Auditing produces the best zero-day exploits because the bugs are exclusively his, until he discloses them (or they are independently discovered elsewhere). To find an impressive and generally useful vulnerability, Sendai tends to look at widely deployed and frequently exploitable software like Microsoft's IIS webserver, Sendmail smtpd, OpenSSH, or the ISC BIND DNS server. In the more common case that Sendai wants to break into a specific company, he looks for the most obscure software run on the target network. This specialized software is unlikely to have gone through the rigorous testing performed against more popular packages. An alternative approach to obtaining zero-day is to buy it from the controversial organizations that openly broker such information. Sendai has never resorted to this, for both ethical and financial reasons. He still believes some information wants to be free.
The flow of valuable investment insights is similar to security information. Someone with the right insider connections or a willingness to pay extravagant fees to research boutiques can learn information before it moves the market. Unable to partake in these options, Sendai decides to do his own research. Some of the most valuable preannouncement data are company earnings and mergers, acquisitions, or big partnerships. After a couple hours of brainstorming, Sendai comes up with several ways to use his security and networking expertise to his advantage.
Information Leakage at the Packet Level
Because Sendai cannot think of above-board ways to learn public companies' private earnings information directly, he looks for attributes that may correlate strongly with earnings. One idea is to study the SSL traffic to e-commerce sites. The amount of encrypted traffic they generate is often proportional to the number of sales during that period. This begs the next question: How will Sendai measure a company's SSL traffic? They certainly will not tell him. Breaking into a router barely upstream of the target host would give him access to this data, but that is quite illegal and also requires substantial custom work for each target. Sendai wants a general, unobtrusive, easy, and legal way to determine this information.
Eventually, Sendai thinks of the fragmentation ID field in Internet Protocol (IP) packets. This unsigned 16-bit field is intended to provide a unique ID number to each packet sent between machines during a given time period. The primary purpose is allowing large packets, which must be fragmented during transit, to be reassembled properly by the destination host. Otherwise a host receiving hundreds of fragments from dozens of packets would not be able to match fragments to their original packets. Many OS developers implement this system in a very simple way: they keep a global counter and increment it once for each packet sent. After the counter reaches 65,535, it wraps back to zero.
The risk of this simple implementation is that it allows bad guys to remotely determine traffic levels of a host. This can be useful for many sinister purposes, including an extraordinarily stealthy port scanning technique known as Idle Scan. Sendai will use it to estimate daily orders.
He decides to test whether popular public e-commerce sites are actually vulnerable to this sort of information leakage. He visits the online sites of Dell and Buy.Com, following the order placement path until reaching their secure sites. These sites are designated by the https protocol in the URL bar and a closed padlock icon on his browser. They are ecomm.dell.com and secure.buy.com. Sendai uses the open source hping2 program (freely available from www.hping.org) to send eight TCP SYN packets, 1 second apart, to port 443 (SSL) of the specified host.
Using hping2 and the IP ID Field to Estimate Traffic Levels
# hping2 -c 8 -S -i 1 -p 443 ecomm.dell.com
HPING ecomm.dell.com (eth0 143.166.83.166): S set, 40 headers + 0 data bytes
46 bytes from 143.166.83.166: flags=SA seq=0 ttl=111 id=8984 rtt=64.6 ms
46 bytes from 143.166.83.166: flags=SA seq=1 ttl=111 id=9171 rtt=62.9 ms
46 bytes from 143.166.83.166: flags=SA seq=2 ttl=111 id=9285 rtt=63.6 ms
46 bytes from 143.166.83.166: flags=SA seq=3 ttl=111 id=9492 rtt=63.2 ms
46 bytes from 143.166.83.166: flags=SA seq=4 ttl=111 id=9712 rtt=62.8 ms
46 bytes from 143.166.83.166: flags=SA seq=5 ttl=111 id=9974 rtt=63.0 ms
46 bytes from 143.166.83.166: flags=SA seq=6 ttl=111 id=10237 rtt=64.1 ms
46 bytes from 143.166.83.166: flags=SA seq=7 ttl=111 id=10441 rtt=63.7 ms
--- ecomm.dell.com hping statistic ---
8 packets transmitted, 8 packets received, 0% packet loss
# hping2 -c 8 -S -i 1 -p 443 secure.buy.com
HPING secure.buy.com (eth0 209.67.181.20): S set, 40 headers + 0 data bytes
46 bytes from 209.67.181.20: flags=SA seq=0 ttl=117 id=19699 rtt=11.9 ms
46 bytes from 209.67.181.20: flags=SA seq=1 ttl=117 id=19739 rtt=11.9 ms
46 bytes from 209.67.181.20: flags=SA seq=2 ttl=117 id=19782 rtt=12.4 ms
46 bytes from 209.67.181.20: flags=SA seq=3 ttl=117 id=19800 rtt=11.5 ms
46 bytes from 209.67.181.20: flags=SA seq=4 ttl=117 id=19821 rtt=11.5 ms
46 bytes from 209.67.181.20: flags=SA seq=5 ttl=117 id=19834 rtt=11.6 ms
46 bytes from 209.67.181.20: flags=SA seq=6 ttl=117 id=19857 rtt=11.9 ms
46 bytes from 209.67.181.20: flags=SA seq=7 ttl=117 id=19878 rtt=11.5 ms
--- secure.buy.com hping statistic ---
8 packets transmitted, 8 packets received, 0% packet loss
The IP ID fields in both cases show a pattern of steady monotonic increases, which is consistent with trivial packet counting behavior. During this test, the Dell machine sends an average of 208 packets per second (10441 minus 8984 all divided by 7) and secure.buy.com is showing 26 pps. One added complexity is that major hosts like Dell and Buy.Com have many systems behind a load balancer. That device ensures that subsequent packets from a certain IP address go to the same machine. Sendai is able to count the machines by sending probes from many different IP addresses. This step is critical, as the pps rate for a single box will naturally decrease when more machines are added to the farm or vice versa. Against a popular server farm, he may need many addresses, but huge netblocks can easily be purchased or hijacked.
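To make the arithmetic in the paragraph above concrete, here is an added Python example (not code from the chapter, nor from hping2 or Nmap) that parses hping2 reply lines for their id= values, takes consecutive differences modulo 2^16 so that the counter wrapping at 65,535 is handled, and converts the total advance into packets per second. The two transcripts are constructed from the id values shown above; the "incremental/constant/random" classification thresholds are an assumption for illustration, not a standard. Pointed at a host you administer, the same check tells you whether it exposes a globally incrementing IP ID and therefore leaks its traffic level; the remedy is a kernel that randomizes the field or scopes it per destination.

```python
import re

# Constructed transcripts: the id= values are those shown in the hping2
# output above; the rest of each line follows hping2's reply format.
HPING_DELL = """\
46 bytes from 143.166.83.166: flags=SA seq=0 ttl=111 id=8984 rtt=64.6 ms
46 bytes from 143.166.83.166: flags=SA seq=1 ttl=111 id=9171 rtt=62.9 ms
46 bytes from 143.166.83.166: flags=SA seq=2 ttl=111 id=9285 rtt=63.6 ms
46 bytes from 143.166.83.166: flags=SA seq=3 ttl=111 id=9492 rtt=63.2 ms
46 bytes from 143.166.83.166: flags=SA seq=4 ttl=111 id=9712 rtt=62.8 ms
46 bytes from 143.166.83.166: flags=SA seq=5 ttl=111 id=9974 rtt=63.0 ms
46 bytes from 143.166.83.166: flags=SA seq=6 ttl=111 id=10237 rtt=64.1 ms
46 bytes from 143.166.83.166: flags=SA seq=7 ttl=111 id=10441 rtt=63.7 ms
"""

HPING_BUY = """\
46 bytes from 209.67.181.20: flags=SA seq=0 ttl=117 id=19699 rtt=11.9 ms
46 bytes from 209.67.181.20: flags=SA seq=1 ttl=117 id=19739 rtt=11.9 ms
46 bytes from 209.67.181.20: flags=SA seq=2 ttl=117 id=19782 rtt=12.4 ms
46 bytes from 209.67.181.20: flags=SA seq=3 ttl=117 id=19800 rtt=11.5 ms
46 bytes from 209.67.181.20: flags=SA seq=4 ttl=117 id=19821 rtt=11.5 ms
46 bytes from 209.67.181.20: flags=SA seq=5 ttl=117 id=19834 rtt=11.6 ms
46 bytes from 209.67.181.20: flags=SA seq=6 ttl=117 id=19857 rtt=11.9 ms
46 bytes from 209.67.181.20: flags=SA seq=7 ttl=117 id=19878 rtt=11.5 ms
"""

IPID_MODULUS = 1 << 16          # the IP ID field is 16 bits wide
_ID_RE = re.compile(r"\bid=(\d+)\b")


def parse_hping_ids(output):
    """Extract the IP ID of every reply line, in the order received."""
    return [int(m.group(1)) for m in _ID_RE.finditer(output)]


def wrapped_deltas(ids):
    """Differences between consecutive IDs, reduced modulo 2**16 so that a
    counter wrapping from 65535 back to 0 still yields a small positive step."""
    return [(b - a) % IPID_MODULUS for a, b in zip(ids, ids[1:])]


def ipid_rate(ids, interval_s=1.0):
    """Packets per second implied by a global IP ID counter sampled every
    interval_s seconds: total counter advance divided by elapsed time."""
    if len(ids) < 2:
        raise ValueError("need at least two samples")
    return sum(wrapped_deltas(ids)) / ((len(ids) - 1) * interval_s)


def classify_ipid(ids, max_step=10000):
    """Heuristic (an assumption for this example): 'constant' if the ID never
    changes, 'incremental' if every step is a modest positive increase,
    otherwise 'random'. Only 'incremental' hosts leak a traffic estimate."""
    deltas = wrapped_deltas(ids)
    if all(d == 0 for d in deltas):
        return "constant"
    if all(0 < d < max_step for d in deltas):
        return "incremental"
    return "random"


def traffic_report(output, interval_s=1.0):
    """Summarise one hping2 run as (classification, packets per second or None)."""
    ids = parse_hping_ids(output)
    kind = classify_ipid(ids)
    pps = ipid_rate(ids, interval_s) if kind == "incremental" else None
    return kind, pps


if __name__ == "__main__":
    for host, out in (("ecomm.dell.com", HPING_DELL), ("secure.buy.com", HPING_BUY)):
        kind, pps = traffic_report(out)
        print(f"{host}: IP ID is {kind}" + (f", ~{pps:.0f} pps" if pps else ""))
```

Because hping2 sends one probe per second here, the rate is simply the mean wrapped delta; with a different -i interval pass it as interval_s. The wrap handling matters on busy hosts, where a 65,535-wide counter rolls over every few minutes at the rates the chapter observes.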
Sendai begins to execute his plan. He writes a simple C program to do the probing and host counting using Dug Song's free libdnet library. It runs via cron a few dozen times a day against each of many publicly traded targets that are vulnerable to this problem. These samples allow an estimation of traffic for each day. Sendai knows better than to jump in with his money right away. Instead he will let his scripts run for a full quarter and count the cumulative traffic for each company. When each company reports results, he will divide their actual revenue for that quarter by his traffic estimate to compute revenue per packet. The second quarter will be a test. He will multiply revenue per packet by his calculated traffic to guess quarterly revenue, and then compare that revenue to the official numbers released later. Companies that prove inaccurate at this point will be discarded. With the remainder, Sendai hopes finally to make some money. He will watch them for a third quarter and again estimate their revenue. He will then compare his estimate to the First Call Consensus. If his revenue estimate is substantially higher, he will take out a major long position right before the earnings conference call. If he estimates a revenue shortfall, Sendai will go short. Obviously he still needs to research other factors such as pricing changes that could throw off his purely traffic-based revenue estimates.
Corrupted by Greed
Although Sendai feels that this plan is legal and ethical, greed has taken over and waiting nine months is unacceptable. He thinks about other market moving events, such as mergers, acquisitions, and partnerships. How can he predict those in advance? One way is to watch new domain name registrations closely. In some mergers and partnerships, a new entity combines the name of both companies. They must register the new domain name before the announcement or risk being beaten to it by domain squatters. But if they register more than a trading day in advance, Sendai may be able to find out early. He obtains access to the .com TLD zone files by submitting an application to Verisign. This gives him a list of every .com name, updated twice daily. For several days, he vets every new entry, but finds nothing enticing. Again, impatience gets the best of him. Sendai decides to cross an ethical line or two. Instead of waiting for a suggestive name, he will create one! Sendai takes a large (for him) position in a small Internet advertising company. A few minutes later he registers a domain combining that company name with a major search engine. The public whois contact information is identical to that used by the search engine company. Payment is through a stolen credit card number, though a prepaid gift credit card would have worked as well. That was easy!
The next morning, the ad company is up a bit on unusually high volume. Maybe Sendai wasn't the first person to use this domain watching strategy. Message board posters are searching to explain the high volume. His heart racing, Sendai connects through a chain of anonymous proxies and posts a message board response noting the new domain name he just “discovered.” The posters go wild with speculation, and volume jumps again. So does the price. A company spokesman denies the rumors less than an hour later, but Sendai has already cashed out. What a rush! If this little episode does not receive much press coverage, perhaps investors of another small company will fall for it tomorrow. Sendai clearly has forgotten the hacker ethic that he used to espouse, and now dons his black hat for profit rather than solely for exploration and learning.
Freed from his misgivings about outright fraud and other illegal methods, Sendai's investment choices widen immensely. For example, his fundamental research on a company would be helped substantially by access to the CEO and CFO's e-mail. He considers wardriving through the financial district of nearby cities with his laptop, antenna, GPS, and a program like Kismet or Netstumbler. Surely some public company has a wide open access point with an identifying SSID. Standard network hacking through the Internet is another option. Or Sendai could extend his domain name fraud to issuing actual fake press releases. Sendai has seen fake press releases move the market in the past. Still giddy from his first successful investment hack, Sendai's mind is working overtime contemplating his next steps.
Sendai has plenty of time to research investments during work hours because pen-testing jobs have been quite scarce now that the dot-com market has collapsed. Sendai is pleased by this, due to the free-time aspect, until one day when the whole security department of his office is laid off. So much for the best job he has ever had. Sendai takes it in stride, particularly because his severance pay adds to the investment pot that he hopes will soon make him rich.
Revenge of the Nerd
While home reading Slashdot in his underwear (a favorite pastime of unemployed IT workers), Sendai comes up with a new investment strategy. A pathetic little company named Fiasco is falsely claiming ownership of Linux copyrights, trying to extort money from users, and filing multibillion dollar lawsuits. Sendai is sure that this is a stock scam and that Fiasco's claims are frivolous. Meanwhile, mainstream investors seem so fixated by the enormous amount of money Fiasco seeks that they lose their critical thinking ability. The stock is bid up from pennies to over $5! Sendai takes out a huge short position, planning to cover when the stock tumbles back down. Since the claims have no merit, that can't take long.
Boy is he wrong! The Fiasco stock (symbol: SCUMX) climbs rapidly. At $9 per share, Sendai receives a margin call from his broker. Being unwilling to take the huge SCUMX loss, Sendai sells all his other positions and also wires most of the balance from his checking account to the brokerage. This allows him to hold the position, which is certain to plummet soon! It rises further. Maybe this is still due to initial uncritical hype. Perhaps the momentum traders are on board now. Maybe some investors know that anti-Linux corporations Microsoft and Sun secretly are funneling money to Fiasco. At $12, Sendai is woken by another early morning margin call and he lacks the money to further fund the account. He is forced to buy back shares to cover his position, and doing so further raises the price of this thinly traded stock. His account value is devastated.
In a fit of rage and immaturity, Sendai decides to take down Fiasco's Web site. They are using it to propagate lies and deception in furtherance of criminal stock fraud, he reasons. Sendai does not consider his own recent stock shenanigans when judging Fiasco.
Web sites are taken down by attackers daily, usually using a brute packet flood from many source machines (known as a distributed denial of service attack). Sendai realizes that much more elegant and effective attacks are possible by exploiting weaknesses in TCP protocol implementations rather than raw packet floods. Sendai has taken down much bigger Web sites than Fiasco's from a simple modem connection. His favorite tool for doing this is a privately distributed application known as Ndos. He reviews the usage instructions.
Ndos Denial of Service Tool Options
# ndos
Ndos 0.04 Usage: ndos [options] target_host portnum
Supported options:
-D <filename> Send all data from given file into the opened connection (must fit in 1 packet)
-S <IP or hostname> Use the given machine as the attack source address (may require -e). Otherwise source IPs are randomized.
-e <devicename> Use the given device to send the packets through.
-w <msecs> Wait given number of milliseconds between sending fresh probes
-P Activates polite mode, which actually closes the connections it opens and acks data received.
-W <size> The TCP window size to be used.
-p <portnum> Initial source port used in loop
-l <portnum> The lowest source port number ndos should loop through.
-h <portnum> The highest source port number used in loop
-m <mintimeout> The lowest allowed receive timeout (in ms).
-b <num> Maximum number of packets that can be sent in a short burst
-d <debuglevel>
Ndos is one of those tools that has no documentation (other than the usage screen) and is full of obscure parameters that must be set properly. But once the right values are determined from experimentation or actual understanding, it is deadly effective. Sendai starts it up at a relatively subdued packet rate from a hacked Linux box. You can bet that the -P option was not given. The Fiasco Web site is down until the compromised box is discovered and disconnected three days later.
Although his little temper tantrum was slightly gratifying, Sendai is still broke, jobless, and miserable. Only one thing cheers him up: the upcoming annual Defcon hacker conference! This provides the rare opportunity to hang out with all his buddies from around the world, in person instead of on IRC. Sendai worries whether he can even afford to go now. Stolen credit card numbers are not wisely used for flight reservations. Counting the pitiful remains of his checking and brokerage accounts, as well as the remainder of his credit card limit, Sendai scrapes up enough for the trip to Las Vegas. Lodging is another matter. After mailing several friends, his hacker buddy Don Crotcho (a.k.a. The Don) offers to share his Alexis Park hotel room for free.
The following weeks pass quickly, with Sendai living cheaply on ramen noodles and Kraft macaroni and cheese. He would like to try more “investment hacking,” but that requires money to start out with. Sendai blames Microsoft for his current condition, due in part to their clandestine funding of Fiasco, and also because he is one of those people who find reasons to blame Microsoft for almost all their problems in life.
A Lead from Las Vegas
Sendai soon finds himself surrounded by thousands of hackers in Las Vegas. He meets up with The Don, who surprisingly has sprung for the expensive Regal loft room instead of the standard cheap Monarch room. Maybe they were out of Monarchs, Sendai thinks. The two of them head to the Strip for entertainment. Sendai wants to take in the free entertainment, though The Don is intent on gambling. Upon reaching the Bellagio, Sendai sees a roulette table and is tempted to bet his last remaining dollars on black. Then he realizes how similar that would be to the Fiasco speculation that landed him in this mess. And as with airline tickets, using a stolen credit card at casinos is a bad idea. Instead, Sendai decides to hang around and watch The Don lose his money. Don heads to the cashier, returning with a huge stack of hundred dollar chips. Shocked, Sendai demands to know how Don obtained so much money. The Don plays it off as no big deal, and refuses to provide any details. After several hours of persistence and drinking, Sendai learns some of the truth. In a quiet booth in a vodka bar, Don concedes that he has found a new client that pays extraordinarily well for specialized telecom manipulation, which is The Don's professional euphemism for phone phreaking.
Given his precarious financial situation, Sendai begs The Don to hook him up with this generous client. Perhaps he needs some of the security scanning and vulnerability exploitation skills that Sendai specializes in. The Don refuses to name his client, but agrees to mention Sendai if he finds a chance. Sendai really cannot ask for anything more, especially after The Don treats him to a visit to one of Vegas' best strip clubs later that night. Don says it reminds him of Maxim's at home in Iceland.
The Call of Opportunity
The following Tuesday, Sendai is sitting at home reading Slashdot in his underwear and recovering from a massive Defcon hangover when the phone rings. He answers the phone to hear an unfamiliar voice. After confirming that he is speaking to Sendai, the caller introduces himself.
“Hello Sendai. You may call me Bob Knuth. The Don informs me that you are one of the brightest system penetration experts around. I'm working on a very important but sensitive project and hope that you can help. I need three hosts compromised over the Internet and an advanced rootkit of your design installed. The rootkit must be completely effective and reliable, offering full access to the system through a hidden backdoor. Yet it must be so subtle that even the most knowledgeable and paranoid systems administrators do not suspect a thing. The pay is good, but only if everything goes perfectly. Of course it's critical that the intrusions are all successful and go undetected. A single slip up and you will feel the consequences. Are you up to this challenge?”
Thinking quickly, Sendai's first impression is not positive. He is offended by the handle “Bob Knuth,” as it was obviously patterned after the world-renowned computer scientist Don Knuth. How dare this arrogant criminal compare himself to such a figure! “His words also sound patronizing, as if he doubts my skills,” Sendai thinks. There is also the question of what Knuth has in mind. He volunteered nothing of his intentions, and for Sendai to ask would be a huge faux pas. Sendai suspects that Knuth may be the vilest of computer criminals: a spammer! Should he really stoop to this level by helping?
Despite this internal dialog, Sendai knows quite well that his answer is yes. Maintaining his apartment and buying food trump his qualms. Plus, Sendai loves hacking with a passion and relishes the chance to prove his skills. So he answers in the affirmative, contingent of course on sufficient pay. That negotiation does not take long. Usually Sendai tries to bargain past the first offer in principle, but Knuth's offer is so high that Sendai lacks the tenacity to counter. He would have insisted on receiving part of the money up front had he not known that The Don has been paid without incident. Knuth sounds extremely busy, so no small talk is exchanged. They discuss the job specifics and disconnect.
Initial Reconnaissance
Sendai first must perform some light reconnaissance against the three hosts Knuth gave him. Given the amount of “white noise” scanning traffic all over the Internet, he could probably get away with scanning from his own home IP address. A chill passes through him as he remembers Operation Sundevil. No, scanning from his own ISP is unacceptable. He moves to his laptop, plugs an external antenna into the 802.11 card, then starts Kismet to learn which of his neighbors have open access points available now. He chooses one with the default ESSID linksys because users who do not bother changing router defaults are less likely to notice his presence. Ever careful, Sendai changes his MAC address with the Linux command ifconfig eth1 hw ether 53:65:6E:64:61:69, associates with linksys, and auto-configures via DHCP. Iwconfig shows a strong signal and Sendai verifies that cookies are disabled in his browser before loading Slashdot to verify network connectivity. He should have used a different test, as he wastes 15 minutes reading a front-page story about that latest Fiasco outrage.
Sendai needs only a little bit of information about the targets right now. Most importantly, he wants to know what operating system they are running so that he can tailor his rootkit appropriately. For this purpose, he obtains the latest Nmap Security Scanner. Sendai considers what options to use. Certainly he will need -sS -F, which specifies a stealth SYN TCP scan of about a thousand common ports. The -P0 option ensures that the hosts will be scanned even if they do not respond to Nmap ping probes, which by default include an ICMP echo request message as well as a TCP ACK packet sent to port 80. Of course -O will be specified to provide OS detection. The -T4 option speeds things up, and -v activates verbose mode for some additional useful output. Then there is the issue of decoys. This Nmap option causes the scan (including OS detection) to be spoofed so that it appears to come from many machines. A target administrator who notices the scan will not know which machine is the actual perpetrator and which are innocent decoys. Decoys should be accessible on the Internet for believability purposes. Sendai asks Nmap to find some good decoys by testing 250 IP addresses at random.
Finding Decoy Candidates with Nmap
# nmap -sP -T4 -iR 250
Starting nmap 3.50 ( http://nmap.org )
Host gso167-152-019.triad.rr.com (24.167.152.19) appears to be up.
Host majorly.unstable.dk (66.6.220.100) appears to be up.
Host 24.95.220.112 appears to be up.
Host pl1152.nas925.o-tokyo.nttpc.ne.jp (210.165.127.128) appears to be up.
Host i-195-137-61-245.freedom2surf.net (195.137.61.245) appears to be up.
Host einich.geology.gla.ac.uk (130.209.224.168) appears to be up.
Nmap run completed -- 250 IP addresses (6 hosts up) scanned in 10.2 seconds
#
Sendai chooses these as his decoys, passing them as a comma-separated list to the Nmap -D option. This carefully crafted command is completed by the three target IP addresses from Knuth. Sendai executes Nmap and finds the following output excerpts particularly interesting.
OS Fingerprinting the Targets
# nmap -sS -F -P0 -O -T4 -v -D [decoys list] [IP addresses]
Starting nmap 3.50 ( http://nmap.org )
[...]
Interesting ports on fw.ginevra-ex.it (XX.227.165.212):
[...]
Running: Linux 2.4.X
OS details: Linux 2.4.18 (x86)
Uptime 316.585 days
[...]
Interesting ports on koizumi-kantei.go.jp (YY.67.68.173):
[...]
Running: Sun Solaris 9
OS details: Sun Solaris 9
[...]
Interesting ports on infowar.cols.disa.mil (ZZ.229.74.111):
[...]
Running: Linux 2.4.X
OS details: Linux 2.4.20 - 2.4.22 w/grsecurity.org patch
Uptime 104.38 days
As the results scroll by, the first aspect that catches Sendai's eye is the reverse DNS names. It appears that he is out to compromise the firewall of a company in Italy, a Japanese government computer, and a US military Defense Information Systems Agency host. Sendai trembles a little at that last one. This is certainly one of the most puzzling assignments he has ever had. What could these three machines have in common? Knuth no longer appears to be a spammer. “I hope he is not a terrorist,” Sendai thinks while trying to shake thoughts of spending the rest of his life branded as an enemy combatant and locked up at Guantanamo Bay.
Shrax: The Ultimate Rootkit
Sendai looks at the platforms identified by Nmap. This is critical information in determining what type of rootkit he will have to prepare. Rootkits are very platform-specific as they integrate tightly with an OS kernel to hide processes and files, open backdoors, and capture keystrokes. Knuth's demands are far more elaborate than any existing public rootkit, so Sendai must write his own. He is pleased that these systems run Linux and Solaris, two of the systems he knows best.
Rather than start over from scratch, Sendai bases his rootkit on existing code. He downloads the latest Sebek Linux and Solaris clients from www.honeynet.org/tools/sebek. Sebek is a product of the Honeynet Project, a group of security professionals who attempt to learn the tools, tactics, and motives of the blackhat community by placing honeypot computers on the Internet and studying how they are exploited. Sebek is a kernel module used to monitor activity on honeypots while hiding its own existence. Sendai revels in the delicious irony of this white hat tool fitting his evil purposes perfectly. A major plus is that it is available for Linux and Solaris.
Although Sebek serves as a useful foundation, turning it into a proper rootkit requires substantial work. Sebek already includes a cleaner that hides it from the kernel module list, but Sendai must add features for hiding files/directories, processes, sockets, packets, and users from everyone else (including legitimate administrators). The syslog functionality is also compromised to prevent intruder activity from being logged. Sendai adds several fun features for dealing with any other users on the system. A TTY sniffer allows him to secretly watch selected user terminal sessions and even actively insert keystrokes or hijack the hapless user's session.
The TTY sniffer makes Sendai smile, thinking back to thoseyouthful days when he would hack university machines just to pester studentsand professors. Watching someone type rapidly at a terminal, Sendai wouldsometimes enter a keystroke or backspace, causing the command to fail. Thinkingthey made a typo, the user would try again. Yet the typos continued! While theuser was wondering why she was having so much trouble typing and starting tosuspect that the keyboard was broken, phantom keystrokes would start appearingon the screen. That is quite disturbing in itself, but induces panic when thekeystrokes are typing out commands likerm -rf ~ or composing a nasty e-mailto the user's boss! Sendai never actually took these damaging actions, butderived a perverse pleasure from alarming the poor users. He wondered what techsupport would say when these users would call and declare that their systemswere possessed. Sendai now considers himself too mature for such antics, butimplements the terminal reading capability to spy on administrators that hesuspects are on to him.
Sendai adds another user manipulation feature he callscapability stripping. Linux process privileges are more granular than justsuperuser (uid 0) or not. Root's privileges are divided into several dozencapabilities, such as CAP_KILL to kill any process and CAP_NET_RAW to write rawpackets to the wire. Sendai's feature removes all these capabilities from alogged-in administrator's shell. He may still appear to be root from theidcommand, but has been secretly neutered. Attempts to execute privilegedoperations are rejected, leaving the administrator more frustrated and confusedthan if Sendai had terminated the session by killing his shell.
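A defender's counterpart to this feature, added here as an example and not part of the chapter or of Shrax: the kernel reports a process's effective capabilities in the CapEff line of /proc/&lt;pid&gt;/status, so a shell that `id` shows as root but whose effective set lacks CAP_KILL, CAP_NET_RAW and the rest has been stripped. The status excerpts below are constructed, and the set of capabilities a healthy root shell is expected to hold is an assumption for a stock kernel.

```python
"""Detect a 'capability-stripped' root shell from /proc/<pid>/status.

`id` reads uid 0 from the credentials; the kernel keeps the capability sets
separately and exposes them as hex bitmasks (CapInh/CapPrm/CapEff/CapBnd).
A root shell whose CapEff lacks capabilities every root shell has is the
state capability stripping leaves an administrator in.
"""
import os
import re

# Bit numbers from <linux/capability.h> for the capabilities this check names.
CAP_NAMES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH",
    3: "CAP_FOWNER", 4: "CAP_FSETID", 5: "CAP_KILL", 6: "CAP_SETGID",
    7: "CAP_SETUID", 8: "CAP_SETPCAP", 12: "CAP_NET_ADMIN", 13: "CAP_NET_RAW",
    16: "CAP_SYS_MODULE", 17: "CAP_SYS_RAWIO", 19: "CAP_SYS_PTRACE",
    21: "CAP_SYS_ADMIN",
}
# Assumption: an interactive root shell on a stock kernel holds at least these.
EXPECTED_ROOT_CAPS = {"CAP_KILL", "CAP_NET_RAW", "CAP_SETUID", "CAP_SYS_ADMIN",
                      "CAP_SYS_MODULE", "CAP_SYS_PTRACE"}

_CAP_LINE = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$", re.M)
_UID_LINE = re.compile(r"^Uid:\s*(\d+)\s+(\d+)", re.M)


def parse_status(text):
    """Return (uid, euid, {set_name: int_mask}) from a /proc/<pid>/status body."""
    caps = {name: int(val, 16) for name, val in _CAP_LINE.findall(text)}
    m = _UID_LINE.search(text)
    if m is None or "CapEff" not in caps:
        raise ValueError("not a /proc/<pid>/status body")
    return int(m.group(1)), int(m.group(2)), caps


def decode_caps(mask):
    """Names of the known capabilities set in a capability bitmask."""
    return {name for bit, name in CAP_NAMES.items() if (mask >> bit) & 1}


def missing_root_caps(text):
    """Expected root capabilities absent from the process's effective set."""
    _uid, _euid, caps = parse_status(text)
    return sorted(EXPECTED_ROOT_CAPS - decode_caps(caps["CapEff"]))


def stripped_root(text):
    """True when the process claims euid 0 yet lacks capabilities root must have.

    For a non-root process a small effective set is normal, so it is not flagged.
    """
    _uid, euid, _caps = parse_status(text)
    return euid == 0 and bool(missing_root_caps(text))


def check_self():
    """Run the check against the live process (Linux only)."""
    with open("/proc/self/status") as f:
        return stripped_root(f.read())


# Constructed status excerpts for offline use. HEALTHY_ROOT carries the full
# 38-bit mask (bits 0..37) a root shell shows on a 4.x/5.x kernel; STRIPPED_ROOT
# keeps uid 0 but an all-zero effective set; NORMAL_USER is an ordinary login.
HEALTHY_ROOT = ("Name:\tbash\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\n"
                "CapInh:\t0000000000000000\nCapPrm:\t0000003fffffffff\n"
                "CapEff:\t0000003fffffffff\nCapBnd:\t0000003fffffffff\n")
STRIPPED_ROOT = HEALTHY_ROOT.replace("CapEff:\t0000003fffffffff",
                                     "CapEff:\t0000000000000000")
NORMAL_USER = (HEALTHY_ROOT.replace("Uid:\t0\t0\t0\t0", "Uid:\t1000\t1000\t1000\t1000")
               .replace("0000003fffffffff", "0000000000000000"))

if __name__ == "__main__":
    for label, body in (("healthy root", HEALTHY_ROOT), ("stripped root", STRIPPED_ROOT),
                        ("normal user", NORMAL_USER)):
        print(f"{label:14s} stripped={stripped_root(body)} missing={missing_root_caps(body)}")
    if os.path.exists("/proc/self/status"):
        print("this process:", "STRIPPED" if check_self() else "ok")
```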
The infection vector is another pressing issue. Sebek hides itself in the kernel module list, but the module itself is not hidden on disk. Worse, the system startup process must be modified to load the module, or a system reboot will foil the whole plan. This is acceptable on a honeynet, because there is no other legitimate administrator who would notice changes to the start-up process. It does not meet Sendai's requirements so well. Yet Knuth was very clear that the system must be resilient in the face of reboots. Sendai's solution is to inject his evil kernel module (which he has taken to calling Shrax) into a legitimate kernel module such as an Ethernet driver. This avoids having an extra suspicious binary around and modifying startup files. Additionally, Sendai adds an inode redirection system so that the module appears unmolested once loaded. This should protect Shrax from file integrity checkers such as Tripwire, Aide, and Radmind. Of course it is possible that the Linux targets compiled their kernels without module support, as many administrators still believe that will stop kernel rootkits. No problem! Sendai has tools for both forcing a module into a running kernel using just /dev/mem, and for injecting a module into a static kernel image so that it will be executed silently during the next reboot.
There is also the backdoor issue. One option is to simply compile and run an ssh server on some obscure port number like 31,337. A trivial patch will bypass the authentication and give root access when a secret username is given. Shrax is capable of hiding the ssh process (and its children) from other users, as well as hiding the socket so it isn't disclosed by netstat and the like. Despite this, Sendai finds the option unacceptable. Even though hidden within the system, an outsider could find the open backdoor port with Nmap. More importantly, Knuth insisted that he be able to activate the backdoor using a wide variety of protocols and subtle packets. Ssh would require that the target network firewalls permit TCP connections to the chosen port. Such permissive firewalls are unlikely at some of the sensitive organizations Knuth wants to attack.
After further brainstorming, Sendai decides on an in-kernel backdoor rather than relying on external programs such as ssh. For backdoors, this one is pretty advanced. Knuth will be happy that its activation interface is the epitome of flexibility. It puts the system interfaces in promiscuous mode (hiding that fact, of course) and examines every IP packet that comes in, regardless of the destination IP address or protocol. The first data bytes are then compared to an identification string. At first Sendai sets that string to “My crime is that of curiosity,” but then he smartly decides to be more subtle and chooses a random-looking string. If the string matches, the remainder of the packet is decrypted using AES and a configurable key. The result is interpreted as a response method description followed by a series of shell commands to be executed as root. There are also a few special configuration commands for tasks like changing encryption keys, activating the TTY and network password sniffers, and disabling Shrax and removing every trace of it. Sendai is particularly proud of the response method description. This tells Shrax how to send back command responses, which are always encrypted with the shared key. Sendai is quite proud of all the transport methods supported. Of course, straightforward TCP and UDP to a given IP and port is offered. Or the user can have responses sent via ICMP echo request, echo response, timestamp, or netmask messages. ICMP time-to-live exceeded messages are supported, too. The data can be marshaled into a web request and even sent through a socks or http proxy. Sendai's favorite Shrax technique is to use a series of DNS requests falling under a domain controlled by the attacker. Shrax can even be set to poll a nameserver frequently for new commands. Unless the system is completely unplugged, Knuth should be able to find a way to tunnel his data back. Of course, one can choose to execute a command without returning a response. This allows the intruder to do so completely anonymously with a spoofed IP packet.
Yet another unique Shrax feature is that it can transparently pass commands through a chain of rootkits. An attacker can configure the client to go through an initial rooted machine in Romania, then to one in China, then to a web server on the target corporation's DMZ, and finally to an internal database machine. The first hops help the attacker cover his or her tracks, whereas the final one may be necessary because the DB is accessible only from the web server.
Sendai goes all out working on Shrax because he plans to use it for several years to come and to share it with his buddies. If it had been written only for this specific task, he would have likely hacked the targets first and written only the most critical features.
After all this work on Shrax, Sendai is itching to deploy his new baby. He wants to start hacking immediately, but knows better. Considering that military and government sites are involved, attacking from his neighbor's wireless connection would be foolish. Sendai remembers how the authorities tracked down Kevin Mitnick based on a wireless connection from his apartment. And if the police ever show up at Sendai's apartment complex, he will be a prime suspect. Sendai suddenly regrets ordering the license plate HACKME for his vehicle. The police might not even notice a more subtle plate such as SYNACK. Sendai has a number of compromised boxes all over the Internet, but he really wants some machine that is unconnected to him, which he can use once and then discard.
Throwaway Account
Sendai decides to venture outside after all these days writing Shrax. Perhaps a day at the theatre, on the beach, or attending a game would be good for him. Instead, Sendai heads for the annual ASR Cryptography Conference. He cannot afford the presentations, but hopes to gain free schwag at the giant expo. He won a Sharp Zaurus PDA the last time, which is wonderful for warwalking to find open WAPs. Sendai brings it along in case they have wireless access at the conference.
Although ASR does offer free wireless connectivity, they attempt to secure it with 802.1X and PEAP authentication. That major hassle causes lines at the free wired terminals. Although Sendai would have checked his mail over ssh (after verifying the server's ssh key) from his Zaurus, he certainly will not do so from the terminal pavilion. Even if he trusted the ASR organizers (which he does not), they are totally exposed for any hacker to plug in a keylogger or defeat the software and install a program to do the same. In that instant, Sendai's expression turns from outrage to a mischievous grin as he recognizes this as a source of throwaway accounts!
The next morning, Sendai arrives early at ASR to beat the crowds. He takes an available terminal and loads Slashdot. Feigning frustration, he turns to the back of the machine and unplugs the PS/2 keyboard cable. He blows on the PS/2 port behind the machine, while his hands are inconspicuously slipping the KeyGhost SX onto the cable. This tiny device stores up to two million keystrokes and supposedly even encrypts them so that other troublemakers at ASR cannot steal the passwords. Sendai plugs the keyboard cable back in with his little addition, turns back to the front, and resumes web surfing. He smiles to complete his little act that the machine had been broken and is now working again. Darn those dusty keyboard ports! Nobody paid the least attention to him during his charade and he could have been far more blatant without attracting any attention, but it never hurts to be careful. Plus it makes him feel sneaky and clever.
Attaching the Keyghost to Terminal Keyboard Cable

Sendai spends the next few hours at the expo collecting T-shirts, software CDs, pens, a pair of boxer shorts, an NSA pin and bag, magazines, and a bunch of candy treats. After a series of recent Internet worms, many vendors apparently decided that worm-themed giveaways would be clever and unique. Sendai was stuck with gummy worms, refrigerator magnet worms, and a keychain worm. He is tempted to watch the terminals from nearby to ensure nobody steals his $200 KeyGhost. Then he realizes that even if he watches someone discover and take it, he cannot risk a scene by approaching and yelling “Hey! That's my keylogger!” Sendai leaves for a long lunch and then spends a couple hours browsing at a nearby computer superstore.
Late in the afternoon, Sendai returns to ASR, hoping the keylogger remains undetected. He breathes a sigh of relief when it is right where he left it. The terminal is open, so Sendai simply repeats his “broken system” act and 10 minutes later is driving home with all the evidence in his pocket.
At home, Sendai quickly plugs the KeyGhost into his system to check the booty. Sendai opens up the vi editor and types his passphrase. Upon recognizing this code, the KeyGhost takes over and types a menu. Sendai types 1 for “entire download” and watches as pages and pages of text fill the screen. Scrolling through, he sees that the vast majority of users do little more than surf the web. Security sites such as securityfocus.com, packetstormsecurity.nl, securiteam.com, and phrack.org are popular. Many folks made the mistake of checking their Hotmail or Yahoo webmail from the terminals. Sendai has little interest in such accounts. There are also a surprising number of porn sites. No purchases with typed credit card numbers, unfortunately. Search engine queries are interesting. One user searched for “windows source torrent,” another for lsass.exe, and someone else seeks “security jobs iraq.”
Downloading Keyghost Logs
Sendai starts to worry when he passes over half the file without a single remote login. The few people who open terminal sessions only execute simple commands like ls and cat /etc/passwd. Seventy percent into the file, Sendai discovers promising data: a user logged in as antonio via ssh to psyche.ncrack.com. Sendai scans through the following commands, hoping the user will run su and type the password to become the root superuser. There is no such luck. Antonio simply reads his e-mail with mutt, sends a note to a coworker describing the conference, then disconnects. In all the excitement of reading keystroke logs, Sendai almost forgets to erase the KeyGhost and remove it from his system. If he were to be convicted later based on evidence from his own keylogger, Sendai would be the laughing stock of the criminal hacker community. Such a gaffe reminds him of all the hackers who have been caught based on evidence logged from the packet sniffer they installed on a compromised box.
The keystroke logs contain no further remote system passwords, so Sendai tries to make the most of psyche.ncrack.com. He moves to the laptop (which is still associated with the linksys WAP) and successfully logs in to Psyche. Now the pressure is on, as he must move fast to avoid detection. His first action is to run the w command to see who else is online. He is relieved that the real antonio is not online, but two other users are. Hopefully they do not notice this suspicious antonio login from an unusual IP address. An attempt by them to chat with the imposter antonio could be a disaster as well. Feeling vulnerable and exposed, Sendai focuses on the task at hand. He runs uname -a to determine that Psyche is running the Linux 2.4.20 kernel. The distribution is Red Hat 9 according to /etc/redhat-release. Sendai immediately thinks of the brk() kernel exploit for kernels up to 2.4.22. That bug was unknown to the public until it was used to compromise many Debian Project machines. Sendai was a little miffed that he had not been in on it during that prepublication 0-day period. It is a very interesting bug, and Sendai had spent two days massaging assembly code into a working exploit. It is about to come in handy. He uploads hd-brk.asm and types:
```
psyche> nasm -f elf -o hd-brk.o hd-brk.asm
psyche> ld -o hd-brk hd-brk.o -Ttext 0xa0000000
psyche> ./hd-brk
# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),10(wheel)
#
```
Despite the hundreds of boxes that Sendai has compromised in his lifetime (legally or not), he never fails to feel a joyful rush of triumph when he first sees that glorious hash prompt signifying root access! But this is still only a minor victory, as the purpose of Psyche is simply to cover Sendai's tracks. There would be no time for celebration even if it was warranted, as there is now a suspicious root shell that other users might notice.
Sendai turns his attention to rootkit installation. The command lsmod shows that the kernel allows modules and that almost 50 of them are installed. This is typical for kernels from major Linux distributions. Sendai injects Shrax into the parport_pc module which, as the name implies, handles PC parallel ports. It is loaded early and unlikely to be changed, meeting the two most desirable attributes. It is also easy to remove and then re-insert the parallel port module without attracting attention. Sendai does so.
With the rootkit seemingly installed, Sendai tests his power. He issues the Shrax hideall command against the sshd process through which he is connected. Suddenly that sshd and all of its descendants (including his root shell) are now hidden from system process lists. Their syslog messages are ignored and sockets are concealed. Sendai wipes the relevant wtmp, lastlog, and syslog records to remove any trace that antonio logged on this evening. He checks up on the other two logged in users with the TTY sniffer to ensure that they are doing their own thing and not suspecting that anything is amiss. Sendai lightly tests a few complex system components including the compiler gcc and emacs. One of the most common ways attackers are discovered is that they inadvertently break something. The generally attentive Debian folks did not notice intruders until kernel crashes began occurring on several boxes at once. Sendai is glad that no problems have yet appeared with Shrax. A feeling of relief rolls over him as he can now relax. His activities on the system are well hidden now that Psyche is securely 0wn3d.
Seeking the Prize
After all this preparation, Sendai is ready to go after the three primary targets. First he must learn as much as possible about them. He starts with an intrusive Nmap scan. Red Hat 9 comes with Nmap 3.00, which is far out of date. Sendai grabs the latest version from insecure.org, then compiles and installs it into a directory hidden by Shrax. As for the options, Sendai will use -sS -P0 -T4 -v for the same reasons as for his previous scan. Instead of -F (scan the most common ports), Sendai specifies -p0-65535 to scan all 65,536 TCP ports. He will do UDP (-sU) and IP-Proto (-sO) scans later if necessary. Instead of -O for remote OS detection, -A is specified to turn on many aggressive options including OS detection and application version detection. Decoys (-D) are not used this time because version detection requires full TCP connections, which cannot be spoofed as easily as individual packets. The -oA option is given with a base filename. This stores the output in all three formats supported by Nmap (normal human readable, XML, and easily parsed grepable). Sendai scans the machines one at a time to avoid giving the other organizations an early warning. He starts with the Italian company, leading to the following Nmap output.
Nmap Output: A More Intrusive Scan of Ginevra
```
# nmap -sS -P0 -T4 -v -A -p0-65535 -oA ginevra-ex fw.ginevra-ex.it
Starting nmap 3.50 ( http://nmap.org )
Interesting ports on fw.ginevra-ex.it (XX.227.165.212):
(The 65535 ports scanned but not shown below are in state: filtered)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 3.7.1p1 (protocol 1.99)
Running: Linux 2.4.X
OS details: Linux 2.4.18 (x86)
Uptime 327.470 days
TCP Sequence Prediction: Class=random positive increments
                         Difficulty=2325858 (Good luck!)
IPID Sequence Generation: All zeros
Nmap run completed -- 1 IP address (1 host up) scanned in 1722.617 seconds
```
The results show that 22 is the only open TCP port. Sendai is a little disappointed. He was hoping for many more ports, as each is a potential security vulnerability. He notices the line saying that the other 65,535 ports are in the filtered state. That usually means administrators have made an effort to secure the box, since most operating systems install in a default closed state. A closed port returns a RST packet, which tells Nmap that the port is reachable but no application is listening. A filtered port does not respond at all. It is because virtually all the ports were filtered that Nmap took so long (almost half an hour) to complete. Probes against closed ports are quicker because Nmap has to wait only until the RST response is received rather than timing out on each port. A reset response also means that no retransmission is necessary since the probe obviously was not lost. Care clearly was taken to eliminate unnecessary services on this machine as well. Most Linux distributions ship with many of them open. It is also common for small companies to host infrastructure services like name servers and mail servers on the firewall. They do this to avoid placing these public services on a separate DMZ network, but it substantially weakens their security. As a pen-tester, Sendai had compromised many firewalls because they were inappropriately running public BIND nameservers. Apparently Ginevra is smarter than that.
According to Nmap, port 22 is running OpenSSH 3.7.1p1. This is another service that would not be available to the whole Internet in an ideal world, but Sendai can understand why administrators allow it. If something breaks while they are far from home, the admins want to connect from the nearest available Internet service. In so doing, administrators accept the risk that attackers might exploit the service. Sendai intends to do just that. OpenSSH has a sordid history of at least a dozen serious holes, though Sendai does not recall any in this version. Several exploitable bugs in buffer management code were described in CERT Advisory CA-2003-24, but those problems were fixed in 3.7.1. Sendai may have to implement a brute force attack instead. This is often quite effective, though it can take a long time. First Sendai will troll the Internet looking for employee names and e-mail addresses. He will search web pages, USENET and mailing list postings, and even regulatory findings. These will help him guess usernames that may be authorized on fw. He will also try to trick the public company mail server into validating usernames. The username root, of course, will be added to the brute force list.
With a list of users in hand, Sendai will begin the search for possible passwords. He already has a list of the 20,000 most popular passwords out of millions that he has acquired from various databases. Everyone knows words like “secret,” “password,” and “letmein” are common. What used to surprise Sendai is how common profane passwords are. “Fuckyou” is #27 on his list, just above “biteme.” It is also surprising how many people think “asdfgh” is a clever, easy-to-type password that no bad guys will ever guess.
Of course, common passwords differ dramatically based on the organization they are from. So Sendai cannot use just his top password list. He will need to download an Italian language wordlist. Then he will recursively download the entire www.ginevra-ex.it Web site and parse it for new words. Finally, Sendai will whip out Hydra, his favorite open source brute force cracker, to do the actual attack. It may take days, but Sendai is optimistic that he will find a weak password.
Sendai is preparing his plan when he suddenly remembers an obscure vulnerability that affects only OpenSSH 3.7.1p1, and then only when the Pluggable Authentication Modules (PAM) system is in use and privilege separation is disabled. PAM is often used on Linux boxes, so he decides to give it a shot. The vulnerability is laughably easy to exploit. You simply try to log in using SSH protocol 1 and any password (except a blank one) is accepted. No wonder that problem did not last long before being discovered and fixed! Sendai crosses his fingers and begins to type.
```
psyche> ssh -1 root@fw.ginevra-ex.it
The authenticity of host 'fw.ginevra-ex.it (XX.227.165.212)' can't be established.
RSA1 key fingerprint is 2d:fb:27:e0:ab:ad:de:ad:ca:fe:ba:be:53:02:28:38.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'fw.ginevra-ex.it,XX.227.165.212' (RSA1) to the list of known hosts.
root@fw.ginevra-ex.it's password:
#
```
There is that happy hash prompt again! Sendai will not have to spend days preparing and executing a noisy brute force attack. He does a little root dance, which is similar to what sports players sometimes do when scoring a goal. Nobody is logged onto fw at the time, and the last command shows that people rarely do. So Sendai takes his time cleaning the logs and installing Shrax. He is exceedingly careful not to crash or otherwise break the box, as that sort of blunder could be ruinous.
With one down and two to go, Sendai moves his attention to the Japanese government box. He launches the following intrusive Nmap scan.
An Intrusive Scan of koizumi-kantei.go.jp
```
# nmap -sS -P0 -T4 -v -A -p0-65535 -oA koizumi koizumi-kantei.go.jp
Starting nmap 3.50 ( http://nmap.org )
Interesting ports on koizumi-kantei.go.jp (YY.67.68.173)
(The 65535 ports scanned but not shown below are in state: filtered)
PORT    STATE  SERVICE VERSION
113/tcp closed auth
Running: Sun Solaris 9
OS details: Sun Solaris 9
Nmap run completed -- 1 IP address (1 host up) scanned in 1791.362 seconds
```
Oh dear! This host is even worse (from Sendai's perspective) than Ginevra in that it does not even have a single TCP port open! All ports are filtered, except the identd (auth) port, which is closed. Leaving port 113 closed often is done for better interoperability with some (poorly implemented) IRC and mail servers. Even though Sendai cannot connect with closed ports, they improve OS detection accuracy. The lack of open TCP ports will certainly make cracking in more challenging. There must be another way. Sendai considers wardialing the department's telephone number range for carriers, though so many calls to Japan would certainly rack up the long distance charges. Social engineering might work, though that is risky business. UDP scanning is worth a try, though it tends to be slow as sin against Solaris boxes due to their ICMP rate limiting. So Sendai does a UDP scan with the -F option that limits it to about a thousand common ports. No responses are received. This box is locked down tightly. Another idea is IPv6, particularly since this host is in Japan where that protocol is used more frequently than elsewhere. Psyche does not have an IPv6 interface, so Sendai tests this from his laptop using one of the free public IPv6 tunneling services. They provide an IPv6 address and also conceal his originating IPv4 host. Using the -6 option to activate IPv6 mode, Sendai takes another shot at scanning the host.
IPv6 Scan against koizumi-kantei.go.jp
```
# nmap -6 -sT -P0 -T4 -v -sV -p0-65535 koizumi-kantei.go.jp
Starting nmap 3.50 ( http://nmap.org )
Interesting ports on koizumi-kantei.go.jp (2ffe:604:3819:2007:210:f3f5:fe22:4d0):
(The 65508 ports scanned but not shown below are in state: closed)
PORT      STATE SERVICE      VERSION
7/tcp     open  echo
9/tcp     open  discard?
13/tcp    open  daytime      Sun Solaris daytime
19/tcp    open  chargen
21/tcp    open  ftp          Solaris ftpd
22/tcp    open  ssh          SunSSH 1.0 (protocol 2.0)
23/tcp    open  telnet       Sun Solaris telnetd
25/tcp    open  smtp         Sendmail 8.12.2+Sun/8.12.2
37/tcp    open  time
79/tcp    open  finger       Sun Solaris fingerd
111/tcp   open  rpcbind      2-4 (rpc #100000)
512/tcp   open  exec
513/tcp   open  rlogin
515/tcp   open  printer      Solaris lpd
540/tcp   open  uucp         Solaris uucpd
587/tcp   open  smtp         Sendmail 8.12.2+Sun/8.12.2
898/tcp   open  http         Solaris management console server
4045/tcp  open  nlockmgr     1-4 (rpc #100021)
7100/tcp  open  font-service Sun Solaris fs.auto
32774/tcp open  ttdbserverd  1 (rpc #100083)
32775/tcp open  ttdbserverd  1 (rpc #100083)
32776/tcp open  kcms_server  1 (rpc #100221)
32777/tcp open  kcms_server  1 (rpc #100221)
32778/tcp open  metad        1 (rpc #100229)
32779/tcp open  metad        1 (rpc #100229)
32780/tcp open  metamhd      1 (rpc #100230)
32786/tcp open  status       1 (rpc #100024)
32787/tcp open  status       1 (rpc #100024)
Nmap run completed -- 1 IP address (1 host up) scanned in 729.191 seconds
```
Now this is exactly what Sendai likes to see! Many of the services may be unpatched too, since the administrators assumed they were inaccessible. Unfortunately they forgot to firewall IPv6 in the same way they do IPv4. Sendai uses an IPv6-enabled rpcquery command to learn more about the running RPC services, including many that are using UDP. He has several avenues of attack available, but decides on a UDP sadmind vulnerability. Sendai obtains an exploit from H.D. Moore's Metasploit framework (www.metasploit.com), and 10 minutes later is doing the root dance again.
Hacking .MIL
This leaves only one host remaining, and it is certainly the scariest. Hacking Italian and Japanese hosts from the US is one thing. Hacking infowar.cols.disa.mil is quite another. Yet it is too late to stop now. Sendai launches an intrusive scan of the host, and is disappointed to see zero open ports. Not again! This host has no IPv6 address and UDP scans come up negative. Sendai tries some more advanced scan types including FIN scan (-sF), Window scan (-sW), and the ultra-sneaky Idle scan (-sI), all to no avail. He knows Knuth will not accept two out of three, so giving up is no option. Sendai broadens his search, launching an intrusive scan of every host in that 256-host subnet by issuing the command nmap -sS -P0 -T4 -v -A -p0-65535 -oA disanet infowar.cols.disa.mil/24. That trailing /24 is CIDR notation that tells Nmap to scan 256 addresses. Classless Inter-Domain Routing (CIDR) is a method for assigning IP addresses without using the standard IP address classes like Class A, Class B, or Class C.
Upon seeing the results, Sendai grins because many machines are not locked down as tightly as infowar is. Unfortunately, they seem to have their patches in order. During the next day and a half, Sendai finds numerous potential vulnerabilities only to fail in exploitation because the hole is already patched. He is starting to worry. Then he begins to investigate webpxy.cols.disa.mil and discovers a Squid proxy.
A Squid Proxy Is Discovered
```
Interesting ports on webpxy.cols.disa.mil (ZZ.229.74.191):
(The 65535 ports scanned but not shown below are in state: filtered)
PORT     STATE SERVICE    VERSION
3128/tcp open  http-proxy Squid webproxy 2.5.STABLE3
Device type: general purpose
Running: FreeBSD 5.X
OS Details: FreeBSD 5.1-RELEASE (x86)
Uptime: 110.483 days
```
Many organizations maintain a proxy to allow internal clients access to the World Wide Web. They often do this for security reasons, so that material can be scanned for undesirable or malicious content before being provided to the client. It can also keep clients shielded on the internal network so that attackers cannot reach them. Performance and site logging are further reasons managers often prefer this approach. Unfortunately these proxies can do much more harm than good when they are misconfigured. Sendai finds that the Netcat utility (nc) is unavailable on Psyche, so he connects to the proxy with the standard Telnet command and manually types an HTTP CONNECT request.
Open Proxy Test
```
psyche> telnet webpxy.cols.disa.mil 3128
Trying ZZ.229.74.191 ...
Connected to ZZ.229.74.191.
Escape character is '^]'.
CONNECT scanme.insecure.org:22 HTTP/1.0

HTTP/1.0 200 Connection established

SSH-1.99-OpenSSH_3.8p1
```
Sendai is quite pleased. The proxy allows him to connect to port 22 (ssh) of an arbitrary Internet host and the SSH banner display shows that it succeeded. So perhaps it will allow him to connect to internal DISA machines too! A hacker by the name Adrian Lamo was notorious for publicly breaking into high-profile sites this way. Many companies thanked him for exposing the weaknesses, though the New York Times did not appreciate the unsolicited security help and they pressed charges. Sendai tries to exploit this problem by connecting to port 22 of infowar.cols.disa.mil through the proxy. He had been unable to reach any port on this machine, but through the proxy it works! Apparently he is behind the firewall now. Infowar is running OpenSSH 3.7.1p2, for which Sendai knows of no vulnerabilities. Nor does he have a password, though brute force is always an option.
With the newfound power of his open proxy, Sendai wants to fully portscan infowar and explore the whole department network. He curses the fact that Nmap offers no proxy bounce scan option. Then Sendai remembers a primary benefit of open source. He can modify it to meet his needs. Nmap does offer an ftp bounce scan (-b) that logs in to an FTP server and then tries to explore the network by issuing the port command for every interesting host and port. The error message tells whether the port is open or not. Sendai modifies the logic to connect to a proxy server instead and to issue the CONNECT command. After an afternoon of work, he is proxy scanning likely internal IP ranges such as the RFC1918-blessed 192.168.0.0/16 and 10.0.0.0/8 netblocks, looking for internal machines. He finds a whole intranet under the 10.1 netblock, with the primary internal web server at 10.1.0.20. That server is a gold mine of information about the organization. Sendai sifts through new employee manuals, news pages, employee mailing list archives, and more. In one mailing list post, a quality assurance engineer asks developers to try and reproduce a problem on the qa-sol1 machine. The password to the qa role account is buserror, he helpfully adds.
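Detection logic for the proxy misuse just described, added as an example and not part of the chapter: run over Squid access.log lines in Squid's default native format, it flags CONNECT tunnels that come from outside the local network, that target ports other than 443, or that lead into RFC 1918 space such as the 10.1 netblock. The log lines, the LOCALNET definition and the allowed port set are constructed assumptions for an illustrative deployment.

```python
"""Flag abusive HTTP CONNECT tunnels in a Squid access.log.

Native log format (one request per line):
  time elapsed client action/status bytes method URL ident hierarchy/from type
For CONNECT the URL field is just 'host:port'.
"""
import ipaddress

# Assumption: the organization's client networks; adjust for your own.
LOCALNET = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
# Address space an open proxy must never tunnel into: RFC 1918 plus loopback.
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Assumption: CONNECT is only legitimate for HTTPS.
ALLOWED_CONNECT_PORTS = {443}


def _in(addr, nets):
    return any(addr in n for n in nets)


def parse_line(line):
    """Pick the fields this check needs out of one native-format line."""
    f = line.split()
    if len(f) < 10:
        return None
    return {"client": f[2], "status": f[3], "method": f[5], "url": f[6]}


def split_host_port(url):
    """CONNECT targets are 'host:port'; return (host, port) or (url, None)."""
    host, sep, port = url.rpartition(":")
    if not sep or not port.isdigit():
        return url, None
    return host, int(port)


def findings(line):
    """Reasons this request looks like proxy abuse; empty list when it is clean."""
    rec = parse_line(line)
    if rec is None or rec["method"] != "CONNECT":
        return []
    reasons = []
    try:
        client = ipaddress.ip_address(rec["client"])
        if not _in(client, LOCALNET):
            reasons.append("CONNECT from outside the local network")
    except ValueError:
        reasons.append("client field is not an IP literal")
    host, port = split_host_port(rec["url"])
    if port not in ALLOWED_CONNECT_PORTS:
        reasons.append(f"CONNECT to non-SSL port {port}")
    try:
        dest = ipaddress.ip_address(host)
    except ValueError:
        dest = None                     # a hostname; cannot be judged offline
    if dest is not None and _in(dest, PRIVATE):
        reasons.append(f"tunnel into internal address {dest}")
    # A denied probe is still worth knowing about, but a 200 means it worked.
    if reasons and rec["status"].endswith("/200"):
        reasons.append("and the proxy allowed it (status 200)")
    return reasons


def audit(lines):
    """Map the index of each suspicious line to its findings."""
    return {i: r for i, r in ((i, findings(l)) for i, l in enumerate(lines)) if r}


# Constructed sample log. Addresses are documentation ranges, not real hosts.
SAMPLE_LOG = [
    # normal: internal client, HTTPS to a web site
    "1081234567.001   320 10.1.5.17 TCP_TUNNEL/200 5120 CONNECT www.example.com:443 - DIRECT/203.0.113.10 -",
    # the chapter's open-proxy test: outside client, CONNECT to ssh on an Internet host
    "1081234580.002   210 198.51.100.7 TCP_MISS/200 412 CONNECT scanme.insecure.org:22 - DIRECT/203.0.113.22 -",
    # a bounce-scan probe into the intranet web server
    "1081234591.003    15 198.51.100.7 TCP_MISS/200 0 CONNECT 10.1.0.20:80 - DIRECT/10.1.0.20 -",
    # a probe the proxy refused
    "1081234592.004     2 198.51.100.7 TCP_DENIED/403 1480 CONNECT 10.1.0.21:22 - NONE/- text/html",
    # plain GET, not a tunnel at all
    "1081234600.005   100 10.1.5.18 TCP_HIT/200 8000 GET http://www.example.com/ - NONE/- text/html",
]

if __name__ == "__main__":
    for i, reasons in audit(SAMPLE_LOG).items():
        print(f"line {i}: " + "; ".join(reasons))
```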
Sendai moves quickly to try this sensitive information. He scans qa-sol1 and finds that the Telnet and ssh services are available. It would be simple to Telnet into the proxy and then issue the CONNECT command himself to log into the telnetd on qa-sol1, but Sendai cannot bear to do that. He wants to connect more securely, using ssh. Sendai downloads an HTTP proxy shared library to Psyche, which allows normal applications to work transparently through the webpxy.cols.disa.mil proxy server. With that in place, Sendai makes an ssh connection to qa-sol1 and successfully logs in as qa. The system is running Solaris 8 and has quite a few users logged on. Sendai immediately reads /etc/passwd and finds that the first line consists of “+::0:0:::”. This means the system is using NIS (formerly called YP) to share accounts and configuration information among the whole department. NIS is wonderful from Sendai's perspective. It makes obtaining usernames and password hashes trivial using the ypcat command.
Obtaining the Password File from NIS
qa-sol1> ypcat passwd
root:lCYRhBsBs7NcU:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
smmsp:x:25:25:SendMail Message Submission Program:/:
listen:x:37:4:Network Admin:/usr/net/nls:
nobody:x:60001:60001:Nobody:/:
jdl:mY2/SvpAe82H2:101:100:James Levine:/home/jdl:/bin/csh
david:BZ2RLkbD6ajKE:102:100:David Weekly:/home/david:/bin/tcsh
ws:OZPXeDdi2/jOk:105:100:Window Snyder:/home/ws:/bin/tcsh
luto:WZIi/jx9WCrqI:107:100:Andy Lutomirski:/home/luto:/bin/bash
lance:eZN/CfM1Pd7Qk:111:100:Lance Spitzner:/home/lance:/bin/tcsh
annalee:sZPPTiCeNIeoE:114:100:Annalee Newitz:/home/annalee:/bin/tcsh
dr:yZgVqD2MxQpZs:115:100:Dragos Ruiu:/home/dr:/bin/ksh
hennings:5aqsQbbDKs8zk:118:100:Amy Hennings:/home/hennings:/bin/tcsh
[Hundreds of similar lines]
With these hundreds of password hashes in hand, Sendai goes to work on cracking them. He starts up John the Ripper on every one of his reasonably modern home machines. Each machine handles a subset of the accounts, which Sendai has sorted by crypt(3) salt (the first two characters of the hash) for efficiency: a candidate password need only be encrypted once per salt rather than once per account. Within five minutes, dozens of the easiest passwords have been cracked. Then the rate slows down, and Sendai decides to sleep on it.
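The two steps above, harvesting hashes from the ypcat output and sorting them by salt before cracking, as one added example (not John the Ripper's code). It parses passwd-format text, groups the 13-character DES hashes by their two-character salt, spreads whole salt groups across machines, and cracks each group with one hash computation per candidate. The sample ypcat lines, the demo accounts and the wordlist are constructed; the stand-in hash function is not DES crypt and exists only so the example runs offline.

```python
"""Bucket traditional crypt(3) hashes by salt before cracking.

Added example, not John the Ripper's code.  For DES crypt the salt is the
first two characters of the 13-character hash, so every hash that shares a
salt can be checked with a single crypt() of each candidate.  The sample
ypcat output, the demo accounts and the wordlist are constructed.
"""
import hashlib
from collections import defaultdict
from typing import Callable, Dict, List, Tuple

CryptFn = Callable[[str, str], str]   # (candidate, salt) -> 13-char hash
Entry = Tuple[str, str]               # (user, hash)

# Constructed: a few lines in the shape of `ypcat passwd` on a Solaris NIS client.
SAMPLE_YPCAT = """\
+::0:0:::
root:lCYRhBsBs7NcU:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
nobody:x:60001:60001:Nobody:/:
jdl:mY2/SvpAe82H2:101:100:James Levine:/home/jdl:/bin/csh
david:BZ2RLkbD6ajKE:102:100:David Weekly:/home/david:/bin/tcsh
ws:OZPXeDdi2/jOk:105:100:Window Snyder:/home/ws:/bin/tcsh
"""


def parse_passwd(text: str) -> List[Entry]:
    """Return (user, hash) for every entry carrying a crackable DES hash.

    Skips NIS compat markers (+/-), comments, shadowed (x) or locked (*, !)
    entries and anything that is not the 13-character traditional format.
    """
    entries: List[Entry] = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or fields[0][:1] in ("+", "-", "#", ""):
            continue
        pw = fields[1]
        if pw.startswith(("$", "!", "*")) or len(pw) != 13:
            continue
        entries.append((fields[0], pw))
    return entries


def bucket_by_salt(entries: List[Entry]) -> Dict[str, List[Entry]]:
    """Group entries by their two-character salt."""
    buckets: Dict[str, List[Entry]] = defaultdict(list)
    for user, pw in entries:
        buckets[pw[:2]].append((user, pw))
    return dict(buckets)


def assign_to_hosts(buckets: Dict[str, List[Entry]], n_hosts: int) -> List[List[str]]:
    """Spread salt buckets over n_hosts without ever splitting a bucket.

    Largest bucket first, each to the least-loaded host so far, which keeps
    the per-host work roughly balanced while preserving the salt grouping.
    """
    hosts: List[List[str]] = [[] for _ in range(n_hosts)]
    load = [0] * n_hosts
    for salt in sorted(buckets, key=lambda s: (-len(buckets[s]), s)):
        i = min(range(n_hosts), key=lambda k: load[k])
        hosts[i].append(salt)
        load[i] += len(buckets[salt])
    return hosts


def crack_bucket(salt: str, entries: List[Entry], wordlist: List[str],
                 crypt_fn: CryptFn) -> Dict[str, str]:
    """One crypt() per candidate for the whole bucket, not one per account."""
    wanted: Dict[str, List[str]] = defaultdict(list)
    for user, pw in entries:
        wanted[pw].append(user)
    found: Dict[str, str] = {}
    for word in wordlist:
        h = crypt_fn(word, salt)
        for user in wanted.pop(h, []):
            found[user] = word
        if not wanted:            # every hash in this bucket is cracked
            break
    return found


def crack_all(buckets: Dict[str, List[Entry]], wordlist: List[str],
              crypt_fn: CryptFn) -> Dict[str, str]:
    found: Dict[str, str] = {}
    for salt, entries in buckets.items():
        found.update(crack_bucket(salt, entries, wordlist, crypt_fn))
    return found


def crypt_calls(buckets: Dict[str, List[Entry]], n_words: int) -> Tuple[int, int]:
    """(calls with salt bucketing, calls when hashing once per account)."""
    per_account = sum(len(e) for e in buckets.values()) * n_words
    return len(buckets) * n_words, per_account


def stand_in_crypt(word: str, salt: str) -> str:
    """NOT DES crypt(3): salted SHA-256 truncated to the same 13-char shape,
    used only so the example runs offline and deterministically."""
    return salt + hashlib.sha256((salt + word).encode()).hexdigest()[:11]


if __name__ == "__main__":
    # Constructed demo accounts, hashed with the stand-in so they crack here.
    demo = "\n".join([
        f"alice:{stand_in_crypt('buserror', 'lC')}:101:100::/home/alice:/bin/sh",
        f"bob:{stand_in_crypt('letmein', 'lC')}:102:100::/home/bob:/bin/sh",
        f"carol:{stand_in_crypt('Tr0ub4dor&3', 'mY')}:103:100::/home/carol:/bin/sh",
    ])
    buckets = bucket_by_salt(parse_passwd(demo))
    words = ["password", "buserror", "letmein"]
    print("hosts:", assign_to_hosts(buckets, 2))
    print("cracked:", crack_all(buckets, words, stand_in_crypt))
    print("crypt() calls (bucketed, per-account):", crypt_calls(buckets, len(words)))
```

Where Python still ships the `crypt` module (it was removed in 3.13), `crypt.crypt` has the same (word, salt) signature and can be passed as `crypt_fn` to run against real DES hashes; the saving shown by `crypt_calls` is exactly why a per-salt layout matters for DES, whose key setup dominates the cost.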
The next morning, nearly a third of the accounts have been cracked. Sendai is hoping that at least one of the users has an account on infowar using the same password. From qa-sol1, Sendai tries repeatedly to ssh into infowar, trying each cracked account in turn. The attempt fails time after time and eventually he runs out of cracked accounts. Sendai will not give up so easily. After 24 more hours, he has cracked almost half the accounts and tries ssh again. This time, he gets in using the account bruce! This is a Linux box, so Sendai tries the brk() exploit that was so successful against Psyche. No luck. He spends a couple hours trying other techniques in vain. Then he slaps himself on the forehead upon realizing that bruce is authorized to execute commands as root in the /etc/sudoers file. Sendai simply types sudo vi /etc/resolv.conf, as if he planned to edit an administrative file. Then he breaks out of vi to a root shell by issuing the vi command :sh. Game over! Shrax is promptly installed.
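The sudoers mistake that hands bruce a root shell, as an added example (not sudo's code and not from the book): a small audit over sudoers text that flags editors and pagers granted without the NOEXEC tag, with the weak rule beside the corrected form. The sample sudoers files are constructed and the list of escape-capable programs is deliberately partial.

```python
"""Audit sudoers user specs for commands that hand out a shell.

Added example (not sudo's code).  `sudo vi` lets the user run `:sh` and get
a root shell; the audit flags such commands when they lack the NOEXEC tag
and the hardened fixture shows the `sudoedit` form to use instead.  The
sudoers text is constructed; the program list is deliberately partial.
"""
import re
from typing import Dict, List, Optional

# Programs with a well-known shell escape (vi/vim ":sh" and ":!cmd",
# less/more/man "!cmd", interpreters and find -exec).  Partial list.
SHELL_ESCAPE_CAPABLE = {"vi", "vim", "view", "ex", "less", "more", "man",
                        "awk", "perl", "python", "find"}
TAGS = {"NOEXEC", "EXEC", "NOPASSWD", "PASSWD", "SETENV", "NOSETENV",
        "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT",
        "MAIL", "NOMAIL", "FOLLOW", "NOFOLLOW"}
# user  host=(runas) commands   (runas part optional)
USER_SPEC = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*(?:\([^)]*\))?\s*(.+)$")
GLOBAL_NOEXEC = re.compile(r"^\s*Defaults\b[^#\n]*(?<![!\w])noexec\b", re.M)

WEAK = """\
# /etc/sudoers (constructed)
Defaults    env_reset
bruce   ALL=(ALL) /usr/bin/vi
alice   ALL=(ALL) NOEXEC: /usr/bin/vi, /usr/bin/less
carol   ALL=(root) sudoedit /etc/resolv.conf
dave    ALL=(ALL) NOPASSWD: ALL
"""

HARDENED = """\
# /etc/sudoers (constructed): no editor, no escape
Defaults    env_reset, noexec
bruce   ALL=(root) sudoedit /etc/resolv.conf
"""


def parse_commands(spec: str) -> List[Dict]:
    """Split a Cmnd_Spec_List; a tag applies to its command and to every
    following command until the opposite tag, as sudoers defines it."""
    noexec: Optional[bool] = None
    out: List[Dict] = []
    for item in spec.split(","):
        item = item.strip()
        while True:                       # leading TAG: tokens, spaced or not
            m = re.match(r"(\w+):\s*", item)
            if not m or m.group(1) not in TAGS:
                break
            if m.group(1) == "NOEXEC":
                noexec = True
            elif m.group(1) == "EXEC":
                noexec = False
            item = item[m.end():]
        if item:
            out.append({"command": item, "noexec": noexec})
    return out


def audit_sudoers(text: str) -> List[Dict[str, str]]:
    """Return one finding per command that can yield a shell as root."""
    global_noexec = bool(GLOBAL_NOEXEC.search(text))
    findings: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("Defaults", "Cmnd_Alias", "User_Alias",
                                        "Host_Alias", "Runas_Alias")):
            continue
        m = USER_SPEC.match(line)
        if not m:
            continue
        user, spec = m.group(1), m.group(3)
        for cmd in parse_commands(spec):
            base = cmd["command"].split()[0].rsplit("/", 1)[-1]
            effective_noexec = cmd["noexec"] if cmd["noexec"] is not None else global_noexec
            if cmd["command"] == "ALL":
                findings.append({"user": user, "command": "ALL",
                                 "reason": "every command as root is already a root shell"})
            elif base in SHELL_ESCAPE_CAPABLE and not effective_noexec:
                findings.append({"user": user, "command": cmd["command"],
                                 "reason": f"{base} can spawn a shell; use sudoedit "
                                           f"for editing, or at least tag NOEXEC:"})
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(WEAK):
        print(f"{f['user']:8s} {f['command']:24s} {f['reason']}")
    print("hardened:", audit_sudoers(HARDENED))
```

`sudoedit` copies the file to a temporary location, runs the editor as the invoking user and copies the result back, so `:sh` only yields the user's own shell. `NOEXEC` (or `Defaults noexec`) is a mitigation rather than a boundary: it stops the editor from exec'ing a child, but it cannot make an interpreter or a statically linked program safe, which is why the audit flags those too.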
Bursting with pride and looking forward to a wallet bursting with green, Sendai composes an e-mail to Knuth's e-mail address at Hushmail.com. He describes the systems and how to access them via the Shrax client. An encrypted version of Shrax has been posted on a free Geocities Web page that Sendai just created. He then obtains Knuth's PGP key from a public keyserver and verifies that the fingerprint matches what Knuth gave him. A couple minutes later the encrypted and signed document is waiting for Knuth in his inbox.
Triumph and New Toys
The next morning, Sendai wakes up to find a glorious e-mail from PayPal notifying him of a large deposit. Knuth keeps his word, and quickly too! Sendai browses to eBay, pricing huge LCD monitors and Apple PowerBooks. These are a good way to blow a bunch of money and have something to show for it, unlike his Fiasco investment. Sendai is bidding on a 17” laptop when Knuth calls. He has already tried out Shrax and verified that the machines were fully compromised as promised. Suddenly Knuth drops a bomb, mentioning that it is now time to “start the real work.” Sendai is speechless. He spent weeks of nonstop effort to own those machines. What is Knuth saying? Apparently Knuth has no interest in those boxes at all. They were just a test to ensure that Sendai is expertly skilled and reliable. “You passed with flying colors,” Knuth offers in an unsuccessful attempt to restore Sendai's pride. He notes that those machines would make a great Shrax proxy chain for safely owning the primary targets. Sendai highly approves of that idea. It should allay his constant fear of being caught, and also brings value to all of his recent efforts.
Sendai accepts the next assignment and Knuth starts rattling off the new targets. Unlike the crazy assortment last time, these all belong to banks with a heavy African presence. They include the Amalgamated Banks of South Africa, Stanbic Nigeria, Nedbank, and Standard Bank of South Africa. Knuth wants numerous machines compromised with a covert Shrax install, as well as network maps to better understand the organizations. Knuth will apparently be doing the dirty work, as Sendai need only document the access methods and leave.
“This is so much better than working at that accounting firm,” Sendai thinks as he begins his first of many successful and lucrative bank intrusions.
The End
If you enjoyed this chapter, you may opt to buy the whole book at Amazon (save $17) for 9 other chapters. My favorites are FX's chapter on SAP exploitation by a sexy hackse named h3X, Jay Beale's guide to hacking a university's student records database, and Joe Grand's phone phreaking escapades.

[1] Your humble author is a Honeynet Project member.
[2] Kernel module injection on Linux and Solaris is described at http://www.phrack.org/show.php?p=61&a=10.
[3] The KeyGhost is only one of many such products easily available over the Internet. The KEYKatcher is another popular choice.