The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers

Authors: Kevin D. Mitnick, William L. Simon


Chapter 8 Your Intellectual Property Isn't Safe

Once connected to the company's internal network, Robert mapped Windows computer names to their IP addresses, finding machines with names like FINANCE, BACKUP2, WEB, and HELPDESK. He mapped others with people's names, apparently the computers of individual employees. About this, he reiterated a point made by others in these pages.

When it came to names of the servers, someone in the company had a whimsical sense of humor familiar in parts of high tech. The trend started at Apple Computer in its early boom days. Steve Jobs, with his creative streak and his break-all-the-rules approach, decided that the conference rooms in the company buildings wouldn't be called 212A or the Sixth Floor Conference Room or anything else so everyday and boring. Instead, the rooms were named after cartoon characters in one building, movie stars in another, and so on. Robert found that the software company had done something similar with some of their servers, except that with their connection to the animation industry, the names they chose included the names of famous animation characters.

It wasn't one of the servers with a funny name that attracted him, though. It was the one called BACKUP2. His search there produced a gem: an open network share called Johnny, where some employee had backed up a lot of his or her files. This person appeared to be someone feeling pretty comfortable and not very concerned about security. Among the files on the directory was a copy of an Outlook personal file folder, containing copies of all saved emails. (A network share refers to a hard drive or a part of a drive that has been intentionally configured to allow access or sharing of files by others.)

The Danger of Backing Up Data

A common denominator in most of us is that when we want to do a backup, we want to make it really easy for ourselves. If there's enough space available, we back up everything. And then we forget about it. The number of backups lying around becomes enormous. People just let them build up, they gather, and nobody ever thinks about removing them until the server or backup device runs out of space.

"Often," Robert comments, "the backup contains critical, essential, amazing information which no one gives any thought to because it's the backup. They treat it with really low security." (During my own younger hacking days, I noticed the same thing. A company would go to extreme lengths to protect certain data, but the backups of the same data were treated as unimportant. When I was a fugitive, I worked for a law firm that would leave their backup tapes in a box outside the secured computer room entrance to be picked up by an off-site storage company. Anyone could have stolen the tapes with little danger of being caught.) On BACKUP2, he noticed a shared area where someone had backed up all his goodies -- everything. He imagined how it had happened, and the story will have a familiar ring to many:

This guy had been in a hurry one day. He thought, "I need to back this up," so he'd done it. And, after being backed up like maybe three or four months ago, it was still sitting there.

So, this gives me a feel for the network and really how maybe the sys admins worked, because this wasn't some developer person or someone without access. This was someone who could create a network share, but he obviously wasn't amazingly worried about security.

Robert went on:

If he'd been anally secure like me, he would have had a password on that share, and he maybe would have called the share something random. And he would have removed it afterwards.

Even better, from Robert's perspective: "He had a copy of his Outlook in there as well" with all of his addresses and contacts. "I copied out the file archive," Robert says. "I retrieved his Outlook.pst file with all his email, 130 or 140 megs."

He logged off and spent a few hours reading the guy's email. He uncovered "Public announcements, pay changes, performance reviews, everything about this guy. I found out quite a bit of information about him -- he was one of the lead sys admins on the network and he was responsible for all of the Windows servers," Robert said. "And I was able to gain through his box who the other sys admins were and who had a lot of access." It got even better:

The information within his email was extremely useful. I was able to develop a list of people who would likely have access to the source code I wanted. I wrote down all their names, all the details I could get. Then I went around and I searched the guy's entire mail file for "password," and what I found was a couple of registrations, one of them with some network appliance company. He had set up an account on their support side using his email address and a password. And he had done this for two or three vendors. I found the emails that had come back [from the companies] saying, "Thank you for registering your account, your username is this, your password is that." The password was "mypassword" for two different companies.

So, maybe, just maybe, it was the same one he was using at work. People are lazy, so this would definitely be worth a try.

Good guess. The password did work for one of his accounts on the company server. But it wasn't the domain administrator account that Robert had been hoping for, which would have allowed him access to the master accounts database, which stores every domain user's username and hashed password. That database was being called on to authenticate users to the entire domain. He apparently had a single username, but had different levels of access depending on whether he logged in to the domain or the local machine. Robert needed Domain Administrator access to gain access to the company's most sensitive systems, but the administrator was using a different password for the Domain Administrator account, one that Robert didn't have. "That really flecked me off," he complained.

The whole business was beginning to get more than a little frustrating. "But I figured that I could eventually find his password to the other account just by looking around other resources."

Then the situation started to brighten. He found that the company was using a project-management application called Visual SourceSafe and managed to get access to the external password file, which was apparently readable by any user who had access to the system. Attacking the password file with public domain password cracking software, it took "maybe like a week and a half, two weeks, and I had a different password for the man." He had recovered a second password for the administrator he had been bird-dogging. Time for a little celebration. This password was also used for the Domain Administrator account, which gave Robert access to all the other servers he wanted to get into.

Password Observations

Passwords are very personal things, Robert says. "And how you can tell very strict companies is when they give everyone a password and that password's very anal and very strict. But you can tell very relaxed companies when the default password is a day of the week, or the default password is the name of the company or something equally mindless."

(Robert shared with me that at the company where he works, an employee's password is set to the day he starts. When trying to log on, "You can have seven attempts before the system locks you out, and, of course, you only need no more than five guesses" if you're trying to break into someone's account.)

Robert found that a lot of the accounts at the company he was trying to compromise had a default password in the form of the following:

companyname-2003

He didn't find any with "2002" or earlier, so it was obvious that they were all changed on New Year's Day. Ingenious password management!
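The weak defaults Robert describes (a day of the week, the company name, companyname-YEAR) and the lockout threshold that does nothing against a seven-value pattern are easy to check for mechanically. The following is an added example, not code from the book: a policy check an onboarding or help-desk script could run before assigning an initial password. The company name "Acme" and the sample roster are constructed.

```python
import re

# Predictable default-password patterns described in the chapter:
# a day of the week, the bare company name, or "<companyname>-<year>".
DAYS_OF_WEEK = {"monday", "tuesday", "wednesday", "thursday",
                "friday", "saturday", "sunday"}


def predictable_reason(password, company_name):
    """Return a short reason if `password` follows one of the default
    patterns the chapter mentions, or None if it does not.
    Matching is case-insensitive and ignores surrounding whitespace."""
    pw = password.strip().lower()
    company = re.escape(company_name.strip().lower())
    if pw in DAYS_OF_WEEK:
        return "day of the week"
    if re.fullmatch(company, pw):
        return "company name"
    # Optional separator (-, _, space) then a four-digit year 19xx/20xx.
    if re.fullmatch(company + r"[-_ ]?(19|20)\d{2}", pw):
        return "company name followed by a year"
    return None


def audit_initial_passwords(roster, company_name):
    """roster: iterable of (username, initial_password) pairs an
    onboarding script is about to assign. Returns {username: reason}
    for every entry that matches a predictable pattern."""
    findings = {}
    for user, pw in roster:
        reason = predictable_reason(pw, company_name)
        if reason:
            findings[user] = reason
    return findings


def lockout_is_effective(candidate_space, lockout_threshold):
    """A lockout threshold only helps if it is smaller than the number of
    guesses a predictable pattern needs. Seven attempts against the seven
    weekdays (the chapter's example) is not effective."""
    return lockout_threshold < candidate_space


if __name__ == "__main__":
    sample = [("alice", "Acme-2003"), ("bob", "Tuesday"),
              ("carol", "x7#Qp!v2Lm"), ("dave", "acme")]   # constructed
    print(audit_initial_passwords(sample, "Acme"))
    print(lockout_is_effective(len(DAYS_OF_WEEK), 7))
```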

Gaining Full Access

Robert could feel himself getting closer to his goal. Armed with the second password he had obtained for the administrator whose electronic identity he had hijacked, he now had access to the password hashes of the entire domain. He used PwDump2 for extracting the hashes from the Primary Domain Controller, and l0phtCrack III to crack most of the passwords.

(The latest cool trick uses rainbow tables, which are tables of password hashes and their corresponding passwords. One site, http://sarcaprj.wayreth.eu.org/, will attempt to crack the password hash for you. You just submit the LAN Manager and NT hashes, and your email address. You get an email back with the passwords. Robert explained, "They have pre-generated certain hashes based on the commonly used character set in constructing a password, so that instead of needing lots of computing power, they have 18 or 20 gigabytes of pre-generated hashes and the corresponding passwords. It's really quick for a computer to scan through the pre-computed hashes to find a match, asking, `Are you this? Are you this? Are you this? Okay -- you're this.'" A rainbow tables attack reduces the cracking time to seconds.)
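The reason a precomputed table works against LAN Manager and NT hashes is that neither is salted: the same password always produces the same hash, so one table serves every domain. The following added example (not code from the book or from the site mentioned) shows the lookup idea in miniature and why a per-user salt defeats it; SHA-256 stands in for the Windows hash functions, and the candidate list is a constructed stand-in for the "commonly used character set".

```python
import hashlib
import os

# Constructed candidate list; a real table covers a whole character set
# and stores it compactly as hash chains, but the lookup idea is the same.
CANDIDATES = ["mypassword", "companyname-2003", "Monday", "letmein",
              "summer2003", "admin"]


def unsalted_hash(password):
    """Unsalted hash (SHA-256 as a stand-in for LM/NT): the same password
    always gives the same digest, so one table serves every user."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_table(candidates):
    """Precompute digest -> password once, ahead of time; this is the
    work the rainbow-table site in the text has already done."""
    return {unsalted_hash(p): p for p in candidates}


def lookup(table, digest):
    """Recover a password by table lookup instead of by computation."""
    return table.get(digest)


def salted_hash(password, salt):
    """Salted hash: a random per-user salt means equal passwords hash
    differently, so a table built without the salt never matches."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def table_recovers_salted(table, password):
    """The defence: hash `password` with a fresh 16-byte salt and check
    whether the precomputed (unsalted) table can still recover it."""
    salt = os.urandom(16)
    return lookup(table, salted_hash(password, salt)) is not None


if __name__ == "__main__":
    table = build_table(CANDIDATES)
    dumped = unsalted_hash("mypassword")        # constructed "dumped" hash
    print(lookup(table, dumped))                # recovered instantly
    print(table_recovers_salted(table, "mypassword"))   # False
```

Modern password storage goes further than a salt (slow, memory-hard KDFs), but the salt alone is what makes a precomputed table useless.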

When l0phtCrack finished, Robert had the passwords for almost every user in the domain. By this time, from information in the emails he had hijacked earlier, he had put together a list of people who had exchanged messages with the systems administrator. One was from a worker who had written about a server that had broken, complaining, "I'm unable to save any new revisions and I can't develop my code." So he was obviously a developer, which was valuable information. Robert now looked up the developer's username and password.

He dialed in and signed on with the developer's credentials. "Logged on as him, I had full access to everything."

"Everything" in this case meaning, in particular, the source code of the product -- "that's the keys to the kingdom." And he had it. "I wanted to steal the source. There was everything I wanted," he recounts happily.

Sending the Code Home

Robert had now seen the glow of the gold he had been seeking. But he still had to find a way -- a safe way -- of getting it delivered to his doorstep. "They were pretty hefty files," he says. "I think the entire source tree was around a gig, which would take me f___king weeks."

(At least it wasn't nearly as bad as trying to download a huge compressed file with a 14.4K baud modem, which is what I had done when I copied off hundreds of megabytes of VMS source code from Digital Equipment Corporation years earlier.)

Because the source code was so huge, he wanted a much faster connection for sending it. And he wanted a delivery path that couldn't easily be traced back to him. The fast connection didn't present much of a problem. He had previously compromised another company in the United States that used Citrix MetaFrame, which was another sitting duck on the Internet.

Robert established a VPN connection into the target company and mapped a drive to where the source code resided. He simply copied it off. "I used that Citrix server to VPN into [the software company's] network again, and then mapped to the share. And then I copied all the source code, binaries, and other data to the expendable Citrix server."

To find a route for delivering the files safely, untraceably (he hoped), he used my own favorite search engine, Google, to locate an anonymous FTP server -- which allows anyone to upload and download files to a publicly accessible directory. Moreover, he was looking for an anonymous FTP server that had directories also accessible via HTTP (using a Web browser). He figured that by using an anonymous FTP server, his activity would be "buried in the noise" because many others would also be using the server to trade porn, warez, music, and movies.

The search term he used in Google was the following:

index of parent incoming inurl:ftp

This searches for FTP servers set up to permit anonymous access. From the servers identified by the Google search, he selected one that met his criteria for HTTP downloads as mentioned previously, so he could download the code from his Web browser.

With the source files already transferred from the company to the compromised Citrix server, he now transferred them again to the anonymous FTP server he had located from the Google search.

Now there was only one final step remaining before he could, at long last, have the precious source code in his possession: transferring from the FTP server to his own computer. But "at the end of the day, I don't want to have my Internet address downloading all this source code, and especially not for hours and hours, if you know what I mean." So before transferring the files to the FTP server, he zipped them into a smaller package, giving it an innocuous name ("gift.zip, or something like that").

Once again he used a chain of open proxy servers to bounce his connection in a way that makes it unlikely to be traced. Robert explains,

"There's like a hundred open Socks proxies in Taiwan alone. And you know at any time maybe a hundred people will be using any one of these proxies." So if they've enabled logging at all, that makes logs really quite big, meaning that it's highly unlikely the guys in suits are going to manage to bloodhound you and come knocking at your door. "You're like the needle out of the haystack. It's just too cumbersome."

Finally, after all his effort, the transmission was on its way.

I couldn't believe that code was downloading to me. It was a really big thing.

SHARING: A CRACKER'S WORLD

What does a hacker like an Erik or a Robert do once they have the coveted software in hand? For both of them, as for others to whom the term "cracker" or "software pirate" applies, the answer is that most of the time, they share the software they have pirated with many, many others.

But they do the sharing indirectly.

Erik explained the steps he followed after nabbing the server software he had spent two years thirsting after. The application had been written in a programming language he wasn't proficient in, but Erik had a friend who had been a programmer in that language, so he passed him the source code for generating the unlock or registration code that bypasses the licensing security checks. He added a Graphical User Interface (GUI) on top of the stolen key generator to disguise the origin of the code.
