Authors: Kevin D. Mitnick, William L. Simon
Tags: #Computer Hackers, #Computer Security, #Computers, #General, #Security
Once he had successfully installed the RAT on the @Home employee's computer, he executed a series of commands that provided him information on the active network connections to other computer systems. One of these commands, "netstat," showed him the network activity of an employee who was at that moment connected to the @Home intranet by dial-in, and revealed what computer systems in the internal corporate network the person was using at the time.
In order to show a sample of the data returned by netstat, I ran the program to examine the operation of my own machine; in part, the output listing looked like this:
C:\Documents and Settings\guest>netstat -a

Active Connections

  Proto  Local Address          Foreign Address              State
  TCP    lockpicker:1411        64.12.26.50:5190             ESTABLISHED
  TCP    lockpicker:2842        catlow.cyberverse.com:22     ESTABLISHED
  TCP    lockpicker:2982        www.kevinmitnick.com:http    ESTABLISHED
The "Local Address" lists the name of the local machine ("lockpicker" was at the time the name I was using for my computer) and the port number of that machine. The "Foreign Address" shows the hostname or IP address of the remote computer, and the port number to which a connection has been made. For example, the first line of the report indicates that my computer has established a connection to 64.12.26.50 on port 5190, the port commonly used for AOL Instant Messenger. "State" indicates the status of the connection -- "Established" if the connection is currently active, "Listening" if the local machine is waiting for an incoming connection.
The next line, including the entry "catlow.cyberverse.com," provides the hostname of the computer system that I was connected to. On the last line, the entry "www.kevinmitnick.com:http" indicates that I was actively connected to my personal Web site.
The owner of the destination computer is not required to run services on commonly known ports but can configure the computer to use nonstandard ports. For example, HTTP (Web server) is commonly run on port 80, but the owner can change that to run a Web server on whatever port he or she chooses. By listing the TCP connections of employees, Adrian found that @Home employees were connecting to Web servers on nonstandard ports.
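Reading a netstat listing by eye works for a few lines; auditing a host's own connections the way the listing above is read calls for a small parser. The following is an added example, not code from the book: it parses a Windows-style "netstat -a" table into records, resolves the service names netstat prints in place of port numbers, flags established connections to remote ports outside an expected set (the same signal the text describes, here used to review one's own machine), and lists the ports the host is waiting on. The sample output is constructed to match the shape of the listing above; the service-name map and the expected-port set are assumptions to adjust per host.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the listing in the text (not captured output).
# The 8443 and LISTENING lines are added to exercise the checks below.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address              State
  TCP    lockpicker:1411        64.12.26.50:5190             ESTABLISHED
  TCP    lockpicker:2842        catlow.cyberverse.com:22     ESTABLISHED
  TCP    lockpicker:2982        www.kevinmitnick.com:http    ESTABLISHED
  TCP    lockpicker:3001        10.0.0.5:8443                ESTABLISHED
  TCP    lockpicker:135         lockpicker:0                 LISTENING
  UDP    lockpicker:123         *:*
"""

# Service names netstat substitutes for numeric ports (assumed subset).
SERVICE_PORTS = {"http": 80, "https": 443, "ssh": 22, "smtp": 25, "ftp": 21, "domain": 53}

# Remote ports this host is expected to talk to (assumption; tune per host).
EXPECTED_PORTS = {80, 443, 22, 25, 53, 5190}

@dataclass
class Connection:
    proto: str
    local_host: str
    local_port: Optional[int]
    foreign_host: str
    foreign_port: Optional[int]
    state: str            # empty for UDP, which has no state column

def split_endpoint(endpoint: str):
    """Split 'host:port' on the last colon; resolve service names; '*' -> None."""
    host, _, port = endpoint.rpartition(":")
    if port.isdigit():
        return host, int(port)
    return host, SERVICE_PORTS.get(port.lower())

# Proto, local, foreign, then an optional state column.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")

def parse_netstat(text: str) -> List[Connection]:
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner, column headers, blank lines
        proto, local, foreign, state = m.groups()
        lhost, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        conns.append(Connection(proto, lhost, lport, fhost, fport, state or ""))
    return conns

def unexpected_outbound(conns: List[Connection]) -> List[Connection]:
    """Established connections whose remote port is not in the expected set."""
    return [c for c in conns
            if c.state == "ESTABLISHED" and c.foreign_port not in EXPECTED_PORTS]

def listening_ports(conns: List[Connection]) -> List[int]:
    """Local ports on which the host is waiting for incoming connections."""
    return sorted({c.local_port for c in conns
                   if c.state == "LISTENING" and c.local_port is not None})

if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    for c in unexpected_outbound(conns):
        print(f"review: {c.local_host}:{c.local_port} -> {c.foreign_host}:{c.foreign_port}")
    print("listening on:", listening_ports(conns))
```

The parser keys on the protocol column rather than on fixed column widths, so it tolerates the variable spacing netstat uses; a service name it does not know resolves to None, which the port check then reports rather than silently accepting.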
From information like this, Adrian was able to obtain IP addresses for internal machines worth exploring for sensitive @Home corporate information. Among other gems, he found a database of names, e-mail addresses, cable modem serial numbers, current IP addresses, even what operating system the customer's computer was reported as running, for every one of the company's nearly 3 million broadband subscribers.
This one was "an exotic type of attack" in Adrian's description, because it involved hijacking a connection from an off-site employee dialing into the network.
Adrian considers it a fairly simple process to be trusted by a network. The difficult part -- which took a month of trial and error -- was compiling a detailed map of the network: what all the different parts are, and how they relate to one another.
The lead network engineer for Excite@Home was a man Adrian had fed information to in the past and sensed could be trusted. Deviating from his usual pattern of using an intermediary to pass information to a company he had penetrated, he called the engineer directly and explained he had discovered some critical weaknesses in the company's network. The engineer agreed to meet, despite the late hour that Adrian proposed. They sat down together at midnight.
"I showed him some of the documentation I had accrued. He called their security guy and we met him at the [Excite@Home] campus at around 4:30 in the morning." The two men went over Adrian's materials and questioned him about exactly how he had broken in. Around six in the morning, when they were finishing up, Adrian said he'd like to see the actual proxy server that had been the one he had used to gain access.
    We tracked it down. And they said to me, "How would you secure this machine?"
Adrian already knew the server wasn't being used for any crucial function, that it was just a random system.
    I pulled out my pocketknife, one of those snazzy one-handed little openers. And I just went ahead and cut the cable and said, "Now the machine's secure."
    They said, "That's good enough." The engineer wrote out a note and pasted it to the machine. The note said, "Do not reattach."
Adrian had discovered access to this major company as a result of a single machine that had probably long ago ceased to have a needed function, but no one had ever noticed or bothered to remove it from the network. "Any company," Adrian says, "will have just tons of machines sitting around, still connected but not being used." Every one is a potential point of break-in.
MCI WorldCom

As he has with so many other networks before, it was once again by attacking the proxy servers that Adrian found the keys to WorldCom's kingdom. He began the search using his favorite tool to navigate computers, a program called ProxyHunter, which locates open proxy servers. With that tool running from his laptop, he scanned WorldCom's corporate Internet address space, quickly identifying five open proxies -- one hiding in plain view at a URL ending in wcom.com. From there, he needed only to configure his browser to use one of the proxies and he could surf WorldCom's private network as easily as any employee.
Once inside, he found other layers of security, with passwords required for access to various intranet Web pages. Some people, I'm sure, will find it surprising how patient an attacker like Adrian is willing to be, and how many hours they're willing to devote in the determined effort to conquer. Two months later, Adrian finally began to make inroads.
He had gained access to WorldCom's Human Resources system, giving him names and matching social security numbers for all of the company's 86,000 employees. With this information and a person's birth date (he swears by anybirthday.com), he had the ability to reset an employee's password, and to access the payroll records, including information such as salary and emergency contacts. He could even have modified the direct deposit banking instructions, diverting paychecks for many employees to his own account. He wasn't tempted, but observed that "a lot of people would be willing to blow town for a couple hundred thousand dollars."
Inside Microsoft

At the time of our interview, Adrian was awaiting sentencing on a variety of computer charges; he had a story to tell about an incident he had not been charged with but that was nonetheless included in the information released by the federal prosecutor. Not wanting any charges added to those already on the prosecutor's list, he felt compelled to be circumspect in telling us a story about Microsoft. Tongue firmly in cheek, he explained:
    I can tell you what was alleged. It was alleged that there was a web page which I allegedly found that allegedly required no authentication, had no indication that [the information was] proprietary, had absolutely nothing except for a search menu.
Even the king of software companies doesn't always get its computer security right.
Entering a name, Adrian "allegedly" realized he had the details of a customer's online order. The government, Adrian says, described the site as storing purchase and shipping information on everybody who had ever ordered a product online from the Microsoft Web site, and also containing entries about orders where credit cards had been declined. All of this would be embarrassing if the information ever became available to anyone outside the company.
Adrian gave details of the Microsoft security breach to a reporter he trusted at the Washington Post, on his usual condition that nothing would be published until the breach had been corrected. The reporter relayed the details to Microsoft, where the IT people did not appreciate learning of the break-in. "Microsoft actually wanted to bring charges," Adrian says. "They supplied a large damage figure -- an invoice for $100,000." Someone at the company may later have had second thoughts about the matter. Adrian was subsequently told that Microsoft had "lost the invoice." The accusation of the break-in remained a part of the record, but with no dollar amount connected. (Judging from the newspaper's online archives, the editors of the Post did not consider the incident to be newsworthy, despite Microsoft being the target and despite the role of one of their own journalists in this story. Which makes you wonder.)
A Hero but Not a Saint: The New York Times Hack

Adrian sat reading the New York Times Web site one day, when he suddenly had "a flash of curiosity" about whether he might be able to find a way of breaking into the newspaper's computer network. "I already had access to the Washington Post," he said, but admitted that the effort had not been fruitful: He "didn't find anything much interesting."
The Times seemed as if it would pose a heightened challenge, since they had likely become prickly on the matter of security following a very public and embarrassing hack a few years before, when a group called HFG ("Hacking for Girlies") defaced their Web site. The defacers criticized Times' technology scribe John Markoff for the stories he had written about me, stories that had contributed to my harsh treatment by the Justice Department.
Adrian went online and began to explore. He first visited the Web site and quickly found that it was outsourced, hosted not by the Times itself but by an outside ISP. That's a good practice for any company: It means that a successful break-in to the Web site does not give access to the corporate network. For Adrian, it meant he'd have to work a little harder to find a way in.
"There is no checklist for me," Adrian says of his approach to break-ins. But "when I'm doing a recon, I'm careful to gather information by querying other sources." In other words, he does not begin by immediately probing the Web site of the company he's attacking, since this could create an audit trail possibly leading back to him. Instead, valuable research tools are available, free, at the American Registry for Internet Numbers (ARIN), a nonprofit organization responsible for managing the Internet numbering resources for North America.
Entering "New York Times" in the Whois dialog box of arin.net brings up a listing of data looking something like this:
  New York Times (NYT-3)
  NEW YORK TIMES COMPANY (NYT-4)
  New York Times Digital (NYTD)
  New York Times Digital (AS21568) NYTD 21568
  NEW YORK TIMES COMPANY NEW-YORK84-79 (NET-12-160-79-0-1) 12.160.79.0 - 12.160.79.255
  New York Times SBC068121080232040219 (NET-68-121-80-232-1) 68.121.80.232 - 68.121.80.239
  New York Times Digital PNAP-NYM-NYT-RM-01 (NET-64-94-185-0-1) 64.94.185.0 - 64.94.185.255
The groups of four numbers separated by periods are IP addresses, which can be thought of as the Internet equivalent of a mailing address of house number, street, city, and state. A listing that shows a range of addresses (for example, 12.160.79.0 - 12.160.79.255) is referred to as a netblock.
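A defender uses the same registry data the other way round: to keep an inventory of the organization's own netblocks and to answer, when an unfamiliar address turns up in a log, whether it belongs to the company at all. As an added example (not from the book), the following Python parses whois-style netblock lines of the shape shown above, converts each "first - last" range into CIDR networks with the standard library's ipaddress module, and checks an address against the inventory. The sample lines reproduce the listing above; the NET- handles serve as keys and the address-range line format is an assumption about how the listing is laid out.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Sample lines reproducing the whois listing in the text (one line per record).
SAMPLE_ARIN = """\
New York Times (NYT-3)
NEW YORK TIMES COMPANY (NYT-4)
New York Times Digital (NYTD)
New York Times Digital (AS21568) NYTD 21568
NEW YORK TIMES COMPANY NEW-YORK84-79 (NET-12-160-79-0-1) 12.160.79.0 - 12.160.79.255
New York Times SBC068121080232040219 (NET-68-121-80-232-1) 68.121.80.232 - 68.121.80.239
New York Times Digital PNAP-NYM-NYT-RM-01 (NET-64-94-185-0-1) 64.94.185.0 - 64.94.185.255
"""

# A network record: "(NET-handle) first.ip - last.ip". Org and AS records have no range.
RANGE_RE = re.compile(
    r"\((NET-[^)]+)\)\s+(\d+\.\d+\.\d+\.\d+)\s*-\s*(\d+\.\d+\.\d+\.\d+)")

def parse_netblocks(text: str) -> Dict[str, List[ipaddress.IPv4Network]]:
    """Map each NET- handle to the CIDR networks covering its address range."""
    blocks: Dict[str, List[ipaddress.IPv4Network]] = {}
    for line in text.splitlines():
        m = RANGE_RE.search(line)
        if not m:
            continue  # org handles and AS numbers carry no address range
        handle, first, last = m.groups()
        # A range is not always a single CIDR; summarize_address_range
        # yields the minimal list of networks that exactly cover it.
        blocks[handle] = list(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return blocks

def owning_block(blocks: Dict[str, List[ipaddress.IPv4Network]],
                 ip: str) -> Optional[str]:
    """Return the handle of the netblock containing ip, or None if none does."""
    addr = ipaddress.ip_address(ip)
    for handle, nets in blocks.items():
        if any(addr in net for net in nets):
            return handle
    return None

def total_addresses(blocks: Dict[str, List[ipaddress.IPv4Network]]) -> int:
    """Size of the registered footprint: how many addresses the blocks cover."""
    return sum(net.num_addresses for nets in blocks.values() for net in nets)

if __name__ == "__main__":
    blocks = parse_netblocks(SAMPLE_ARIN)
    for handle, nets in blocks.items():
        print(handle, [str(n) for n in nets])
    print("addresses registered:", total_addresses(blocks))
    print("12.160.79.77 belongs to:", owning_block(blocks, "12.160.79.77"))
```

The range 68.121.80.232 - 68.121.80.239 becomes a single /29, and the two 256-address ranges become /24s; a range whose ends are not aligned to a power of two comes back as several networks, which is why the code keeps a list per handle.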
He next did a port search on a range of addresses belonging to the New York Times and sat back while the program scanned through the addresses looking for open ports, hoping it would identify some interesting systems he could attack. It did. Examining a number of the open ports, he discovered that here, too, were several systems running misconfigured open proxies -- allowing him to connect to computers on the company's internal network.
He queried the newspaper's Domain Name Server (DNS), hoping to find an IP address that was not outsourced but instead internal to the Times, without success. Next he tried to extract all the DNS records for the nytimes.com domain. After striking out on this attempt as well, he went back to the Web site and this time had more success: he found a place on the site that offered public visitors a list of the e-mail addresses for all Times staffers who were willing to receive messages from the public.
Within minutes he had an e-mail message from the newspaper. It wasn't the list of reporters' e-mails he had asked for but was valuable anyway. The header on the e-mail revealed that the message came from the company's internal network and showed an IP address that was unpublished. "People don't realize that even an e-mail can be revealing," Adrian points out.
The internal IP address gave him a possible opening. Adrian's next step was to begin going through the open proxies he had already found, manually scanning the IP addresses within the same network segment. To make the process clear, let's say the address was 68.121.90.23. While most attackers doing this would scan the netblock of this address by starting with 68.121.90.1 and continuing incrementally to 68.121.90.254, Adrian tried to put himself in the position of a company IT person setting up the network, figuring that the person's natural tendency would be to choose round numbers. So his usual practice was to begin with the lower numbers -- .1 through .10, and then go by tens -- .20, .30, and so on.
The effort didn't seem to be producing very much. He found a few internal Web servers, but none that were information-rich. Eventually he came across a server that held an old, no longer used Times intranet site, perhaps decommissioned when the new site was put into production and since forgotten. He found it interesting, read through it, and discovered a link that was supposed to go to an old production site but turned out instead to take him to a live production machine.
To Adrian, this was the Holy Grail. The situation began to look even brighter when he discovered that this machine stored training materials for teaching employees how to use the system, something akin to a student flipping through a thin CliffsNotes for Dickens's Great Expectations instead of reading the whole novel and working out the issues for herself.
Adrian had broken into too many sites for him to feel any particular emotion about his success at this stage, but he was making more progress than he could have expected. And it was about to get better. He soon discovered a built-in search engine for employees to use in finding their way around the site. "Often," he says, "system administrators don't configure these properly, and they allow you to do searches that should be prohibited."