Authors: Kevin D. Mitnick,William L. Simon
Tags: #Computer Hackers, #Computer Security, #Computers, #General, #Security
On the same subnet with the redemption center, they have [a connection to] their mint -- the machine that makes the gift certificates. We broke into that machine using a trust relationship. As opposed to just getting a root prompt, we made a gift certificate -- we minted a gift certificate with 32 high bits, and set the currency unit to U.S. dollars.

I now have a gift certificate worth $1,900,000,000. And the certificate was completely valid. Someone said we should have set it to English pounds, which would have been more bang for the buck.

So, we went to the web site for the Gap and bought a pair of socks. Theoretically, we had a billion, nine hundred million coming in change from a pair of socks. It was awesome.

I wanted to staple the socks to the pen test report.

254 The Art of Intrusion
But he wasn't done. He didn't like the way he thought the story must have sounded to us, and he went on, hoping to correct the impression.
Maybe I sound like a rock star to you, but all you see is the path I took and you go, "Oh, my God, look how clever he is. He did this to get on the box, and then on the box he violated a trust relationship, and then once there he got onto the mint and he fabricated a gift certificate."

Yeah, but do you know how hard that really was? It was like, "Well, try this, did that work?" No sale. "Try this, did that work?" No sale. Trial and error. It's curiosity, perseverance and blind luck. And mix in a little bit of skill.
I actually still have those socks.
THE TEXAS HOLD 'EM HACK

One of the things poker players feel pretty confident about when sitting down at a table in a major casino -- whether playing today's most popular version, Texas Hold 'Em, or some other variation -- is that, under the watchful eyes of the dealer, the pit bosses, and the all-seeing video cameras, they can count on their own skill and luck, and not worry much that some of the other players might be cheating.
These days, thanks to the Internet, it's possible to sit down at a poker table electronically -- playing from the comfort of your own computer, for money, against live players sitting at their computers in various parts of the country and the world.
And then along comes a hacker who recognizes a way to give himself more than a little advantage, by using a homemade bot -- a robot -- in this case, an electronic one. The hacker, Ron, says that this involved "writing a bot that played `mathematically perfect' poker online while misleading the opponents into thinking they were playing against a real human player." Besides making money on everyday games, he entered his bot in quite a number of tournaments with impressive success. "In one four-hour `free-roll' (no entry fee) tournament that started with three hundred players, the bot finished in second place."
Things were going great guns until Ron made an error in judgment: He decided to offer the bot for sale, with a price tag of $99 a year to each buyer. People began to hear about the product and folks using the online poker site he had targeted became concerned that they might be playing against robotic players. "This caused such an uproar (and concern by casino management that they would lose customers) that the site added code to detect the use of my bot and said they would permanently ban anyone caught using it."

Chapter 11 Short Takes 255
Time for a change in strategy.
After unsuccessfully attempting to make a business of the bot technology itself, I decided to take the whole project underground. I modified the bot to play at one of the largest online poker sites, and extended the technology so it could play in "team mode," where two or more bots at the same table share their hidden cards among themselves for unfair advantage.
In his original email about this adventure, Ron implied that his bots were still in use. Later, he wrote again asking us to say the following:
After assessing the financial harm that would be caused to thousands of online poker players, Ron ultimately decided never to use his technology against others.
Still, online gamblers, you need to decide for yourselves. If Ron could do it, so can others. You might be better off hopping a plane to Las Vegas.
THE TEENAGE PEDOPHILE CHASER

My coauthor and I found this story compelling. Even though it may be only partially true or, for all we know, entirely made up, we decided to share it essentially the way it was submitted:
It all started when I was about 15 years old. A friend of mine, Adam, showed me how to place free phone calls from the school payphone, which was located outside on the pavilion where we used to eat lunch. This was the first time I had done anything even remotely illegal. Adam fashioned a paperclip into a kind of free phone card, using the paperclip to puncture the earpiece of the handset. He would then dial the phone number he wanted to call, holding down the last digit of the number and at the same time touching the paper clip to the mouthpiece. What followed was a series of clicks and then ringing. I was awestruck. It was the first time in my life when I realized how powerful knowledge could be.

I immediately began reading everything I could get my hands on. If it was shady information, I had to have it. I used the paperclip trick all through high school until my appetite for darker avenues followed. Perhaps it was to see just how far this newfound avenue could go. That coupled with the thrill of doing something "bad" is enough to drive any young 15-year-old punk to the underground.
What followed next was my realization that it took more than just knowledge to be a hacker. You had to have that social cunning in order to execute the trap.
I learned of these programs called Trojans through an online friend who had me load one into my computer. He could do amazing things like see what I was typing, recording my video cam stream, and all kinds of other fun stuff. I was in heaven. I researched all I could about this Trojan and began packing it into popular executables. I would go into chat rooms and try to get somebody to download one, but trust was an issue. No one trusted me, and with good reason.
I went into a random teen IRC chat room and that's where I found him: a pedophile came in looking for pictures of young kids and teens. At first I thought it was a joke, but I decided to play along and see if I could make a victim out of this person.
I began to chat privately with him posing as a young girl who had every intention of meeting him one day -- but not the way he thought. This gentleman was sick to say the least. My 15-year-old instincts wanted to do the world justice. I wanted to burn this guy so bad he would think twice about fishing for kids again. I tried on many occasions to send him the Trojan, but he was smarter than me. He had anti-virus software installed that blocked my every attempt. The funny thing was he never suspected me of being malicious. He thought that perhaps my computer was infected and it was attaching itself to the pictures I attempted to send. I just played dumb.
After a few days of chatting, he began to get pushier. He wanted dirty pictures of me and he told me he loved me and wanted to meet me. He was a first class scumbag and just the perfect target to burn without remorse if I could just get in. I had gathered enough information about him to gain access to a few of his email accounts. You know those secret questions they ask you? "What is your favorite color?" "What is your mother's maiden name?" All I had to do was fish this information out of him and voila I was in.

The stuff he was up to was highly illegal. Let's just say lots of pornography with children of varying ages. I was sickened.
Then it dawned on me. If he wouldn't accept the Trojan from me maybe he would accept it from one of his porn buddies. I spoofed an email address and wrote a short message.
Check out this hot vid. Disable your virus scanner
before downloading because it screws up the quality.
P.S. You owe me.
I thought for sure he was going to catch on and I waited patiently all afternoon for him to check the email. I had given up. I wasn't meant for this [social engineering] stuff.
Then at about 11 p.m. that night it happened. I got the message triggered by my Trojan to tell me it had installed on his machine. I had done it!
I gained access and immediately began copying evidence into a folder [I created on his computer]; I named it "jailbait." I learned all kinds of information about this guy. His name, address, where he worked, and even what documents he was working on at the time.
I couldn't just call the FBI or the local police [because I was afraid just knowing about the material on that man's computer] would land me in jail, and I was scared. After some more poking and prodding I learned he was married and he had kids. This was horrible.
I did the only thing I knew to do. I sent his wife an email with all the information she needed to access the jailbait file. I then covered my tracks and unloaded the Trojan.
That was my first taste of exploitation of not only code, but emotions to get something done. Once I had access, I realized it wasn't all it was cut out to be. It required more than just knowledge, it required cunning, lying, manipulating and hard work. But it was worth every ounce of energy to burn that asshole. I felt like a king at 15. And I couldn't tell a single soul.
But I wish I would have never seen the things I did.
. . . AND YOU DON'T EVEN HAVE TO BE A HACKER

It's clear from many of the stories in this book that most hackers take years developing their knowledge. So it always seems remarkable to me when I run across an exploit involving hacker-type thinking carried out by someone with no background in hacking. This is one of those.
At the time of this incident, John was a college senior majoring in Computer Science, and found an intern position at a local electric and gas company so that on graduation he'd have not just a degree but some experience. The company put him to work performing Lotus Notes upgrades for the employees. Each time he called someone to set up an appointment, he'd ask them for their Lotus Notes password so he could perform the upgrade. People had no hesitation in providing the information.
Sometimes, though, he would find himself playing voicemail tag and end up with a scheduled appointment but no opportunity to ask for the password in advance. You know what's coming, and he figured it out for himself: "I found that 80 percent of the people had never changed their password from when Notes had been installed on their system, so my first try was `pass.'"
If that failed, John would drift around the person's cubicle and take a little look-see for a Post-it note with all their passwords, generally stuck right in plain view on the monitor, or else hidden (if that's an appropriate word) under the keyboard or in their top drawer.
And, if that approach still left him empty-handed, he had one more card to play. "My last line of attack was studying the personal items in their cubicle. Anything that would give a clue to children's names, pets, hobbies, and the like." Several guesses were most often all it took.
One time, though, was harder than usual. "I still remember one woman's password was giving me a hard time until I noticed that every picture had a motorcycle in it." On a hunch, he tried "harley" . . . and got in.
Tickled by the success, he started keeping track. "I made a game of it and got in more than 90 percent of the time, spending less than ten minutes on each one. Those that eluded me generally turned out to be simple information that I could have found with deeper research -- most often, children's birthdays."
It turned out to be a profitable internship, one that "not only provided me with some résumé fodder, but also taught me how our first line of defense against hackers is also our weakest: the users themselves and their password choices."
And that seems like a powerful message to end with. If every computer user were to improve his or her passwords tonight -- and not leave new passwords in some easy-to-find place -- then tomorrow morning, we would suddenly find ourselves living in a much more secure world.
We hope that will be an action message for every reader of this book.
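As an added example (not from the book or from John), here is a defender-side check that a help desk or password-policy hook could run against the three guessing steps John describes: the unchanged default "pass", words lifted from cubicle clues (children, pets, hobbies), and children's birthdays. The profile layout, the default-password list and the sample user are assumptions constructed for this illustration.

```python
import re
from datetime import date

# Constructed list: "pass" is the unchanged Notes default from the story; the
# rest are common defaults added here as an assumption.
DEFAULT_PASSWORDS = {"pass", "password", "notes", "welcome", "123456"}


def _profile_tokens(profile):
    """Lower-cased words taken from the kinds of cubicle clues the story lists.
    The dict keys are an assumed layout, not any real directory schema."""
    tokens = set()
    for key in ("children", "pets", "hobbies"):
        tokens.update(item.lower() for item in profile.get(key, []))
    # Ignore very short words, which would match almost anything.
    return sorted(t for t in tokens if len(t) >= 3)


def _date_forms(d):
    """Numeric spellings of a birthday a guesser would try, e.g. 0314, 03142001."""
    return {
        f"{d.month:02d}{d.day:02d}",
        f"{d.month:02d}{d.day:02d}{d.year}",
        f"{d.month:02d}{d.day:02d}{d.year % 100:02d}",
        f"{d.day:02d}{d.month:02d}{d.year}",
        str(d.year),
    }


def weak_password_reasons(password, profile):
    """Return the reasons a password would fall to the guessing sequence in the
    story (unchanged default, cubicle clue, birthday). Empty list means no hit.
    Birthdays are ISO strings such as "2001-03-14" (assumed input format)."""
    reasons = []
    pw = password.lower()
    if pw in DEFAULT_PASSWORDS:
        reasons.append("unchanged default or common password")
    for tok in _profile_tokens(profile):
        if tok in pw:
            reasons.append(f"contains personal clue '{tok}'")
    digits = re.sub(r"\D", "", password)
    for bday in profile.get("birthdays", []):
        forms = _date_forms(date.fromisoformat(bday))
        if digits and any(form in digits for form in forms):
            reasons.append(f"contains birthday {bday}")
            break
    return reasons


def audit_hit_rate(entries):
    """Fraction of (password, profile) pairs the guessing sequence would crack:
    the score John kept in the story, computed over a whole user list."""
    if not entries:
        return 0.0
    hits = sum(1 for pw, prof in entries if weak_password_reasons(pw, prof))
    return hits / len(entries)


if __name__ == "__main__":
    # Constructed sample user, not a real person: the clues a visitor to the
    # cubicle could pick up from photos and desk items.
    sample = {"children": ["Emily"], "pets": ["Rex"], "hobbies": ["Harley"],
              "birthdays": ["2001-03-14"]}
    for candidate in ("pass", "harley", "Emily0314", "Tr0ub4dor&3x!"):
        print(candidate, "->", weak_password_reasons(candidate, sample) or "ok")
```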