Authors: Kevin D. Mitnick, William L. Simon
Tags: #Computer Hackers, #Computer Security, #Computers, #General, #Security
At this point, Erik estimates, he had been working on this for something like a full year. And then his efforts were rewarded with a major breakthrough.
Erik was getting to the point where he felt he was gaining a grasp on the company's password strategy, so he went back to try tackling the CEO's computer once again, taking stabs at the password. What made him think he might be able to guess what password the CEO might be using for MS SQL Server?
You know, the truth is, I can't explain it. It's just an ability I have to guess the passwords people use. I can also know what sort of passwords they would use in the future. I just have a sense for that. I can feel it. It's like I become them and say what password I would use next if I was them.
He's not sure whether to call it luck or skill, and shrugs off the ability with "I'm a good guesser." Whatever the explanation, he actually came up with the right password, which he remembers as "not a dictionary word, but something more complicated."
Whatever the explanation, he now had the password that gave him access to the SQL server as a database administrator. The CEO was "owned."
He found the computer to be well protected, with a firewall, and only one port open. But in other ways, Erik found plenty to sneer at. "His system was really messy. I couldn't find anything on there. I mean there were just files everywhere." Not understanding the foreign language that most everything was written in, Erik used some online dictionaries and a free online translator service called "Babblefish" to hunt for keywords. He also had a friend who spoke the language, which helped. From the chat logs, he was able to find more IP addresses and more passwords.
Since the files on the laptop were too disorganized to find anything of value, Erik turned to a different approach, using "dir /s /od
To make his next tasks easier -- gaining a better foothold, and uploading and downloading files more easily -- he wanted to move his hacker's toolkit onto the CEO's laptop. He was only able to communicate with the laptop through his Microsoft SQL server connection, but he was able to use the same stored procedure mentioned earlier for sending commands to the operating system as if he were sitting at a DOS prompt in Windows. Erik wrote a little script to cause FTP to download his hacker tools. When nothing happened on his three attempts, he used a command-line program already on the laptop called "pslist" to list out the running processes.
Big mistake!
Since the CEO's laptop was running its own personal firewall (Tiny Personal Firewall), each attempt to use FTP popped up a warning box on the CEO's screen, requesting permission to connect out to the Internet. Fortunately the CEO had already downloaded a common set of command-line tools from www.sysinternals.com to manipulate processes. Erik used the "pskill" utility to kill the firewall program so the pop-up dialog boxes would disappear before the CEO saw them.
Once again Erik figured it would be wise to lay low for a couple of weeks just in case anyone had been noticing his activities. When he returned, he tried a different tack for attempting to get his tools onto the CEO's laptop. He wrote a script to retrieve several of his hacking tools by using an "Internet Explorer object" that would trick the personal firewall into believing that Internet Explorer was requesting permission to connect to the Internet. Most everyone allows Internet Explorer to have full access through their personal firewall (I bet you do, too), and Erik was counting on his script being able to take advantage of this. Good call. It worked. He was then able to use his tools to begin searching the laptop and extracting information.
The CEO Spots a Break-in

These same methods, Erik said, would still work today.
On a later occasion, while connected to the CEO's computer, Erik again killed the firewall so he could transfer files to another system from which he would be able to download them. During this, he realized the CEO was at his computer and must have noticed something strange going on. "He saw the firewall icon missing from the system tray. He saw I was on." Erik immediately got off. After a couple of minutes, the notebook was rebooted, and the firewall had started up again.

Chapter 8 Your Intellectual Property Isn't Safe 161
I didn't know if he was on to me. So I waited a couple of weeks before I went back and tried it again. I eventually learned what his work patterns were, when I could get onto his system.
Gaining Access to the Application

After laying low and rethinking his strategy, Erik got back into the CEO's laptop and started examining the system more closely. First he ran a publicly available command-line tool known as LsaDump2, to dump sensitive information stored in a special part of the registry called Local Security Authority Secrets. LSA Secrets contains plaintext passwords for service accounts, cached password hashes of the last 10 users, FTP and Web user passwords, and the account names and passwords used for dial-up networking.
He also ran the "netstat" command to see what connections were established at that moment, and what ports were listening for a connection. He noticed there was a high port listening for an incoming connection. Connecting to the open port from the backup server he compromised earlier, he recognized it was a lightweight Web server being used as some sort of mail interface. He quickly realized that he could bypass the mail interface and place any files onto the server's root directory used for the mail interface. He would then be able to easily download files from the CEO's laptop to the backup server.
Despite minor successes over the year, Erik still didn't have the source code to the product, or the key generator. However, he had no thoughts of giving up. In fact, things were just getting interesting. "I found a backup of the `tools' directory on the CEO's laptop. In it was an interface to a key generator but it didn't have access to the live database."
He hadn't found the licensing server that was running the live database containing all the customer keys -- only something pointing to it. "I didn't know where the actual licensing tools were located for employees. I needed to find the live server." He had a hunch it was on the same server as their mail server, since the company operated a Web site that allowed customers to immediately purchase the software product. Once the credit card transaction was approved, the customer would receive an email with the licensing key. There was only one server left that Erik hadn't been able to locate and break into; it must be the one that held the application for generating the licensing key.
By now Erik had spent months in the network and still didn't have what he was after. He decided to poke around the backup server he had compromised earlier and started scanning the mail server from the other servers he already "owned," using a broader range of ports, hoping to discover some services running on nonstandard ports. He also thought it would be best to scan from a trusted server just in case the firewall was only allowing certain IP addresses.

162 The Art of Intrusion
Over the next two weeks he scanned the network as quietly as possible to identify any servers that were running unusual services, or attempting to run common services on nonstandard ports.
While continuing his port-scanning tasks, Erik started examining the Internet Explorer history files of the administrator account and several users. This led to a new discovery. Users from the backup server were connecting to a high-numbered port on the main mail server using Internet Explorer. He realized that the main mail server was also blocking access to this high-numbered port unless the connection was from an "authorized" IP address.
Finally he found a Web server on a high port -- "1800 or something like that," he remembers -- and was able to guess a username and password combination that brought up a menu of items. One option was to look up customer information. Another was to generate licensing keys for their product.
Bingo!
This was the server with the live database. Erik was starting to feel his adrenaline pump as he realized he was getting close to his goal. But "this server was really tight, incredibly tight." Once again he had run into a dead end. He backtracked, thought things through, and came up with a new idea:
I had the source code for these Web pages because of the backup of the Web site I found on the CEO's laptop. And I found a link on the Web page for some network diagnostics, like netstat, traceroute and ping -- you could put an IP address into the web form, and click "OK," and it would run the command and display the results on your screen.
He had noticed a bug in a program that he could run when he logged in to the Web page. If he chose the option to do a tracert command, the program would allow him to do a traceroute -- tracing the route that packets take to the destination IP address. Erik realized that he could trick the program into running a shell command by entering an IP address, followed by the "&" symbol, and then his shell command. So, he would enter something in the form of the following:
localhost > nul && dir c:\
In this example, the information entered into the form is post-appended to the traceroute command by the CGI script. The first part (up to the "&" symbol) tells the program to do a traceroute command to itself (which is useless), and redirect the output to nul, which causes the output to be "dropped in the bit bucket" (that is, to go nowhere). Once the program has executed this first command, the "&&" symbols indicate there is another shell command to be executed. In this case, it's a command to display the contents of the root directory on the C drive -- extremely useful to the attacker because it allows him or her to execute any arbitrary shell commands with the privileges of the account the Web server is running under.
"It gave me all the access I needed," Erik said. "I pretty much had access to everything on the server."
Erik got busy. He soon noticed that the company's developers would put a backup of their source code on the server every night. "It was a pile -- the entire backup is about 50 megs." He was able to execute a series of commands to move any files he wanted to the root directory of the Web server, and then just download them to the first machine he had broken into, the backup Web server.
Caught!

The CEO incident had been a close call. Apparently, the executive had been suspicious, but with his busy schedule and Erik's increasing stealth, there'd been no more alarms. However, as he delved further and further into the heart of the company's system, it became more difficult for Erik to maintain a low profile. What happened next is frequently the cost of pushing a hack to the limits while maintaining a long-time presence in an alien system. He was starting to download the source code of the long-sought program, when
About half way through I noticed that my download stopped. I looked into the directory and the file was gone. I started looking at some of the log files and modified dates and I realized that this guy was on the server at that time looking at log files. He knew I was doing something -- basically, he caught me.
Whoever had detected Erik's presence wasted no time in quickly erasing critical files. The game was up . . . or was it?
Erik disconnected and didn't go back for a month. By now he'd been struggling to get the software for many months, and you might think he would have been getting exasperated. Not so, he says.
I never get frustrated because it's just more of a challenge. If I don't get in at first, it's just more to the puzzle. It's certainly not frustrating. It's a lot like a video game, how you go from level to level and challenge to challenge. It's just part of the whole game.
Erik practices his own brand of faith -- one that with enough perseverance always pays off.
If one thing didn't work, I'd just try something else because I knew there was something that would work. There is always something that works. It's just a matter of finding out what.
Back into Enemy Territory

Despite the setback, about a month later he was at it again, connecting to the CEO's computer for another look at the chat log (he actually saved his chat logs), to see if there were any notes about somebody reporting anything about being hacked. Remembering the day and exact time at the company's location that he had been spotted, Erik scanned the log. No mention of a hacker or an unauthorized attempt to download. He breathed a sigh of relief.
What he did find instead was that he had been very lucky. At almost the exact same time, there'd been an emergency with one of the company's clients. The IT guy had abandoned whatever else he'd been doing to deal with the situation. Erik found a later entry that the guy had checked the logs and run a virus scan but didn't do anything more. "It was like he thought it looked suspicious. He looked a little bit into it, but couldn't explain it," so he had just let it go.
Erik retreated and waited for more time to pass, then reentered, but more cautiously, only during off-hours, when he could be pretty certain that no one was around.
Piece by piece he downloaded the entire file of the source code, bouncing the transmissions through an intermediary server located in a foreign country -- and for good reason, since he was doing all this from his home.
Erik described his familiarity with the company's network in terms that may sound suspiciously grandiose at first, but when you consider the amount of time he spent ferreting the countless ins and outs of this company's system, breaking it down one small step at a time until he knew its most reclusive intimacies and quirks, the statement certainly lies within the bounds of believability.