Authors: Kevin D. Mitnick, William L. Simon
Tags: #Computer Hackers, #Computer Security, #Computers, #General, #Security
If the truth be known, any adversary with enough resources can eventually get in, but your goal should be making that so difficult and challenging that it's not worth the time.
NOTES
1. Interested in viewing your own LSA secrets and protected storage areas? All you need is a nifty tool called Cain & Abel, available from www.oxid.it.
2. This site is no longer accessible, but others have taken its place.
3. More information on Tripwire is available at www.tripwire.com.
4. One popular site hackers use to check for locations with default passwords is www.phenoelit.de/dpl/dpl.html. If your company is listed there, take heed.
On the Continent
You see little pieces of information, and the way things are phrased, and you start to get a little bit of an insight of the company and the people that are responsible for the IT systems. And there was kind of this feeling that they knew about security but that maybe they're doing something a little bit wrong.
-- Louis
At the beginning of Chapter 8, we cautioned that the nontechnical readers would find parts difficult to follow. That's even more true in the following. Still, it would be a shame to skip the chapter, since this story is in many ways fascinating. And the gist can readily be followed by skipping over the technical details.
This is a story about like-minded individuals working for a company that was hired to hack a target and not get caught.
Somewhere in London
The setting is in "the City," in the heart of London.
Picture "an open-plan kind of windowless room in the back of a building, with a bunch of techie guys banding together." Think of "hackers away from society, not being influenced by the outside world" each working feverishly at his own desk, but with a good deal of banter going on between them.
Sitting in this anonymous room among the others is a guy we'll call Louis. He grew up in a small, insular city in the north of England, began fiddling with computers about the age of seven when his parents bought an old computer so the children could start learning about technology. He started hacking as a schoolkid when he stumbled on a printout of staff usernames and passwords and found his curiosity stirred. His hacking landed him in trouble early, when an older student (a "prefect," in British terminology) turned Louis in. But getting caught didn't deter him from learning the secrets of computers.
Now grown tall, with dark hair, Louis no longer finds much time for the "very English sports" -- cricket and soccer -- that he cared so much about as a schoolboy.
Diving In
Some time back, Louis and his buddy Brock, pounding away at a nearby computer, took on a project together. Their target was a company based in a country in Europe -- essentially a security company, dropping off large sums of money as well as ferrying prisoners between jail and court, and from one prison to another. (The idea of one company doing both the Brinks-type job of moving cash around and also shuttling prisoners is an eye-opener to Americans, but an arrangement that the British and Europeans take for granted.)
Any company that describes itself using the word "security" must seem like a particularly hot challenge. If they're involved with security, does that mean they're so security-conscious that there would be no way to break in? To any group of guys with a hacker mentality, it must seem like an irresistible challenge, especially when, as here, the guys had nothing to start out with beyond the name of their target company.
"We treated it as a problem to be solved. So, the first thing we did was to find out as much information about this company as we could," Louis says. They began by googling the company, even using Google to translate, since none of the group spoke the language of the country.
The automated translations were close enough to give them a feel for what the business was all about and how big it was. Though they aren't very comfortable with social engineering attacks, that possibility was ruled out anyway because of the language barrier.
They were able to map what IP address ranges were publicly assigned to the organization from the IP addresses of the company's Web site and its mail server, as well as from the European IP address registry, Réseaux IP Européens (RIPE), which is similar to the American Registry of Internet Numbers (ARIN) in the United States. (ARIN is the organization that manages IP address numbers for the United States and assigned territories. Because Internet addresses must be unique, there is a need for some organization to control and allocate IP address number blocks. The RIPE organization manages IP address numbers for European territories.)
The main Web site, they learned, was external, with a third-party hosting company. But the IP address of their mail server was registered to the company itself and was located within their corporate address range. So, the guys could query the company's authoritative Domain Name Service (DNS) server to obtain the IP addresses by examining the mail exchange records.
Louis tried the technique of sending an e-mail to a nonexistent address. The bounce-back message would advise him that his e-mail could not be delivered and would show header information that revealed some internal IP addresses of the company, as well as some email routing information. In this case, though, what Louis got was a "bounce" off of their external mailbox; his e-mail had only gotten to the external mail server, so the "undeliverable" reply provided no useful information.
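The bounce-back test Louis describes is also a useful self-check for a defender: send mail to a nonexistent address at your own domain and read what comes back. This added example, not from the book, takes the raw text of a returned bounce and flags every IPv4 literal that falls in an RFC 1918, loopback or link-local range, which is exactly the kind of Received: header detail an attacker hopes to read out of it; the sample bounce, hostnames and addresses are all constructed.

```python
import ipaddress
import re

# Ranges that should never show up in mail a company sends to the outside world:
# RFC 1918 private space plus loopback and link-local. Checked explicitly rather than via
# ipaddress's is_private, which also covers documentation ranges used in the sample below.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def is_internal(ip: str) -> bool:
    """True if the IPv4 literal falls in one of the ranges that should stay internal."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # e.g. "999.1.1.1" matched the regex but is not an address
        return False
    return any(addr in net for net in INTERNAL_NETS)


def find_internal_addresses(raw_message: str) -> list:
    """Return (line_number, ip) for every internal-range IPv4 literal in a raw bounce.

    Both the bounce's own Received: chain and the original headers that many bounces quote
    in the body are scanned, because either one can carry the leak."""
    hits = []
    for lineno, line in enumerate(raw_message.splitlines(), start=1):
        hits.extend((lineno, ip) for ip in IPV4.findall(line) if is_internal(ip))
    return hits


# Constructed sample bounce (not a real capture): the gateway relayed the Received: chain
# from an internal Exchange host, so the internal address reaches the outside sender.
SAMPLE_BOUNCE = """\
Received: from mx1.example-gateway.invalid ([203.0.113.10])
    by mail.example.test with ESMTP; Mon, 1 Jan 2001 10:00:00 +0000
Received: from exch01.corp.internal ([10.20.30.40])
    by mx1.example-gateway.invalid with ESMTP; Mon, 1 Jan 2001 09:59:58 +0000
From: Mail Delivery System <MAILER-DAEMON@example-gateway.invalid>
Subject: Undelivered Mail Returned to Sender

The mail system at host mx1.example-gateway.invalid could not deliver your message.
"""

if __name__ == "__main__":
    for lineno, ip in find_internal_addresses(SAMPLE_BOUNCE):
        print(f"line {lineno}: internal address {ip} exposed")
```

A clean result on your own gateway's bounce matches what Louis saw here: the reply stops at the external mail server and gives away nothing about the inside.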
Brock and Louis knew it would make life easier if the company was hosting its own DNS. In that case they would try to make inquiries to obtain more information about the company's internal network, or take advantage of any vulnerability associated with their version of DNS. The news was not good: Their DNS was elsewhere, presumably located at their ISP (or, to use the British terminology, their "telecoms").
Mapping the Network
As their next step, Louis and Brock used a reverse DNS scan to obtain the hostnames of the various systems located within the IP address range of the company (as explained in Chapter 4, "Cops and Robbers," and elsewhere). To do this, Louis used "just a simple PERL script" the guys had written. (More commonly, attackers use available software or Web sites for reverse DNS lookups, such as www.samspade.org.)
They noticed that "there were quite informative names coming back from some of the systems," which was a clue to what function those systems had within the company. This also provided insight into the mindset of the company's IT people. "It just looked like the administrators had not got full control over the information that is available about their network, and that's the first stage of intuition about whether you're going to be able to get access or not." Brock and Louis thought the signs looked favorable.
This is an example of trying to psychoanalyze the administrators, trying to get into their heads about how they would architect the network. For this particular attacker, "it was based in part on the knowledge of the networks and companies that we had seen in the particular European country and the level of IT knowledge and the fact that the people in this country were maybe a year and a half to two years behind the UK."
Identifying a Router
They analyzed the network using the Unix flavor of "traceroute," which provides a count of the number of routers a data packet passes through to reach a specified destination; in the jargon, this is referred to as the number of "hops." They ran traceroute to the mail server and to the border firewall. Traceroute reported that the mail server was one hop behind the firewall.
This information gave them a clue that the mail server was either on the DMZ, or all the systems behind the firewall were on the same network. (The DMZ is a so-called demilitarized zone -- an electronic no-man's-land network that sits between two firewalls and that is ordinarily accessible from both the internal network and the Internet. The purpose of the DMZ is to protect the internal network in case any of the systems exposed to the Internet are compromised.)
They knew the mail server had port 25 open, and by doing a traceroute, they also knew they could actually penetrate the firewall to communicate with the mail server. "We saw that that path actually took us through this router device, and then through the next hop that seemed to disappear, which was actually the firewall and then one hop behind that we saw the mail server, so we had a rudimentary idea about how the network was architected."
Louis said they often begin by trying a few common ports that they know are likely to be left open by firewalls, and he named a few services like port 53 (used by DNS); port 25 (the SMTP mail server); port 21 (FTP); port 23 (telnet); port 80 (HTTP); ports 139 and 445 (both used for NetBIOS, on different versions of Windows).
Before we conducted intrusive port scans, we were very keen to make sure we had an effective target list that didn't include IP addresses for systems that were not being used. In the initial stages, you've got to have target lists without just blindly going out and simply scanning each IP address. After we do our target enumeration, we have maybe five or six end systems that we want to examine further.
In this case they found only three open ports: a mail server, a Web server with all the security patches installed that was apparently not being used, and on port 23, the telnet service. When they tried to telnet in on the device, they got the typical "User Access Verification" Cisco password prompt. So they were seeing a little bit of progress -- at least they had identified the box as a Cisco device.
On a Cisco router, Louis knew from experience, the password is quite often set to something quite obvious. "In this case we tried three passwords -- the name of the company, blank, and cisco, and we could not get into that router. So instead of creating too much noise at this point, we decided to stop attempting to access the service."
They tried scanning the Cisco device for a few common ports but got nowhere.
So, on that first day we spent a great deal of time in analyzing the company and their network, and starting some initial port scans. I wouldn't say we were about to give up, because there were still quite a few tricks that we'd certainly try again with any network before we actually started to give up.
The sum total of their results for a whole day of effort didn't go much beyond having identified one single router.
The Second Day
Louis and Brock came in for their second day ready to start doing more intensive port scanning. Using the term services to refer to open ports, Louis explained:
At this point we were thinking to ourselves that we need to find more services on these machines. So we turned the volume up a little bit and tried to find something that was really going to help us to get into this network. What we were seeing was that there was certainly good firewall filtering in place. We were really looking for something that was [being] allowed by mistake and/or something that was misconfigured.
Then, using the Nmap program, a standard tool for port scanning, they did a scan with the program's default services file that looked for some 1,600 ports; again they came up with the empty bag -- nothing significant.
"So what we did was a complete full port scan, scanning both the router and the mail servers." A full port scan meant examining more than 65,000 ports. "We were scanning every single TCP port and looking for any possible services on these hosts that we had on our target list at that point."
This time they found something interesting, yet strange and a little perplexing.
Port 4065 was open; it's unusual to find such a high port in use. Louis explained, "What we thought at that point was that maybe they've got a telnet service configured on port 4065. So, what we did was telnet into that port and see if we could verify that." (Telnet is a protocol for remotely controlling another machine anywhere on the Internet. Using telnet, Louis connected to the remote port, which then accepted commands from his computer and responded with output displayed directly to his screen.)
When they tried to connect to it, they got back a request for a login name and password. So they were right that the port was being used for telnet service -- but the dialog for user authentication was very different from that presented by a Cisco telnet service. "After a while, we identified it as some 3COM device. This then really tweaked our enthusiasm for the job because it isn't often you find a Cisco box that looks like some other device, or find some other service listed on a high TCP port." But the fact that the telnet service on port 4065 was running as a 3COM device didn't make sense to them.
We had two ports open on one device and they identified themselves as completely different devices made by completely different manufacturers.
Brock found the high TCP port and connected to it using telnet. "Once he got a log-in prompt, I shouted back to try admin [for the username], with the usual suspect passwords like password, admin, and blank." He tried various combinations of these three as the username and password, and hit gold after only a few attempts: the username and password on the 3COM device were both admin. "At that point he shouted that he got in," Louis said, meaning that they were now able to get telnet access to the 3COM device. The fact that it was an administrative account was icing on the cake.
Once we guessed that password, it was the initial high on the job. It was kind of the standard woo-hoo. We were working at different workstations. Initially, while we were doing the network and enumeration scanning, we were on our own machines and sharing information between us. But once he found the port that gave him access to that login prompt, I went over to his machine and we started working together, both at the same machine.
It was great. It was a 3COM device and we got console access to it and maybe we'd gotten an avenue to investigate what we can do.
The first thing we wanted to do was to find out exactly what the 3COM device was, and why it was accessible on a high TCP port on the Cisco router.
Through the command-line interface, they were able to query information about the device. "We figured that maybe someone had plugged the console cable from this 3COM device into the Cisco device and inadvertently enabled access." That would make sense, as a convenient way employees could telnet into the 3COM device through the router. "Maybe there weren't enough monitors or keyboards in the Data Center," Louis guesses, and they had jury-rigged a cable as a temporary fix. When the need was over, the administrator who had strung the cable had forgotten all about it. He had walked away, Louis figured, "quite unaware of the consequences of his actions."