Stealing the Network: How to Own the Box, Part 8

Social (In)Security • Chapter 8

Business as Usual?

Jane: "Sally, did you notice anything odd this morning on the voicemail introduction? You know, right before you press 2 for your messages?"

Sally: "No, I didn't. I haven't checked mine yet."

Jane: "It said something about 'My kung-fu is greater than yours.' Do you know what that means?"

Sally: "Nope. It must be the guys in telecom goofing off again. Oh well. Did you hear about the storm coming our way?"

www.syngress.com 249_StealThis_08.qxd 4/18/03 5:45 PM Page 209

Chapter 9

BabelNet
by Dan Kaminsky

"A child of five could hack this network. Fetch me a child of five."

Hello Navi

The hour was 3:00 A.M. Elena sat staring at her laptop. It being the only light source in the room for the last three hours, her attempts at sleep were cut short by the lingering anti-flicker under her closed eyelids… (She laughed at the thought—was this a bug, or an "undocumented feature" in her occipital lobe?) Her eyes danced a frenetic, analog tango; saccades skittering, as thought after thought evaded coalescence on the question, let alone its answer. Amidst a dozen windows, each filled with the textual detritus of command-line repartee, there was one that caught her attention, draped in nothing but a single character.

#

Root—complete access to whatever system one was so privileged to join. The kind of hash that script kiddies smoked. If only absolute trust was so easy to detect in the real world, or for that matter, that easy to acquire.

"Do you accept this woman to be your lawfully wedded wife?"
"I do."
"You may share your root password."
"l1ve-n00d-girlz-unite!"
"su –l"

Elena twirled her hair slowly, staring vaguely into the distance. How had she gotten here? Oh yeah, Fabinet.
Once a music major, Elena achieved her first taste of notoriety when she managed to co-opt the speakers of all 60 desktops in her college computer lab, causing them to simultaneously erupt in a 120-part, massively surround-sound symphony. "Flight of the Valkyries"—of course, Apocalypse Now style, with helicopters swirling across every node—had never sounded better, especially in the middle of a midterm. She might have gotten in some serious trouble, had it not been for the deft suggestion that "Real-time Mixing of Massively Surround Sound within a Hostile Network" might bring tenure to her (associate) professor. Even he was impressed that the system could seamlessly adapt to any particular host dropping out of the ad-hoc orchestra, its fallen instruments or silenced conductor's wand immediately resurrected on a nearby host. (He was less impressed by Elena's use of Elmer's Glue to lock the volume knob in place. By the time she had picked that lab clean, it looked like somebody had molted his skin into the garbage can.)

Mirror, Mirror on the Wall

But history would not explain what was going on now. Maybe it had something to do with the kiddies? The shell was on a honeypot machine, set up to specifically allow monitoring of "attackers in the wild" (Elena would not compliment them by calling them hackers, nor insult herself by calling them crackers). Hmmm… what was bouncing around the honeynet, anyway? She could run a sniffer and see addresses bounce to and fro. Most people used tcpdump. She usually preferred the vastly more elegant Ethereal, in its tethereal text mode, no less. (She had learned many a protocol on the back of tethereal -V, which dumped multipage breakdowns of every last whisper on her network.) But on this occasion, a much more direct order was required, made possible by a tool called Linkcat (lc).
Polyglot

Computer, take all the raw data on the network. Filter out everything readable by humans, at least eight English characters long. Give me the results.

# lc -l00 -tp | strings --bytes=8
FastEthernet0/6
Cisco Internetwork Operating System Software
IOS (tm) C2900XL Software (C2900XL-H-M), Version 11.2(8)SA2, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-1998 by cisco Systems, Inc.
Compiled Fri 24-Apr-98 10:51 by rheaton
cisco WS-C2924C-XLv
GET / HTTP/1.0
Host: www.doxpara.com
Accept: text/html, text/plain, text/sgml, */*;q=0.01
Accept-Encoding: gzip, compress
Accept-Language: en
User-Agent: Lynx/2.8.4rel.1 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/0.9.6
HTTP/1.1 200 OK
Date: Mon, 07 Apr 2003 13:53:30 GMT
Server: Apache/1.3.26 (Unix) DAV/1.0.3 PHP/4.3.1
X-Powered-By: PHP/4.3.1
Connection: close
Content-Type: text/html
<TITLE>Welcome to Doxpara Research!</TITLE>
M-SEARCH * HTTP/1.1
Host:239.255.255.250:1900
ST:urn:schemas-upnp-org:device:InternetGatewayDevice:1
Man:"ssdp:discover"
SSH-1.99-OpenSSH_3.4p1
M!T7blnbXwG
SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-4
=diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
ssh-rsa,ssh-dss
faes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
yourmom2
yourmom2
JlJmIhClBsr
JlJmIhClBsr
EJEDEFCACACACACACACACACACACACACA
FHEPFCELEHFCEPFFFACACACACACACABO
\MAILSLOT\BROWSE
JlJmIhClBsr
JlJmIhClBsr
g,QString,QString,QSZ
ECFDEECACACACACACACACACACACACACA
ECFDEECACACACACACACACACACACACACA
H
ECFDEECACACACACACACACACACACACACA
EBFCEBEDEIEOEBEEEPFICACACACACAAA

On and on it went, electronic whispers plucked en masse from the aether. Protocols aren't really anything more than ways for the disconnected to connect to each other. They exist among people as much as they do electronically.
(It's an open question which type of protocol—human or computer—is harder to support.) Most electronic protocols don't stick to letters and numbers that humans can read, making it pretty simple, given all the bytes off the wire, to read only that information written in the language of people themselves. Elena vegged to the half dozen protocols, stripped of their particular identity into only what she might have the sense to read. A Cisco switch announced to the world that it, indeed, existed, thanks to the heroic compilation of R. Heaton. A Web page was pulled down. Some other device issued Universal Plug and Play commands, seeking a neighbor to play with (and potentially get plugged by, as the most serious Windows XP exploit showed). SSH2—secure shell, version 2—was rather chatty about its planned crypto exchange, not that such chattiness posed any particular threat. And then there was SMB.

When Good Packets Go Bad

SMB, short for Server Message Block, was ultimately the protocol behind NBT (NetBIOS over TCP/IP), the prehistoric IBM LAN Manager, heir-apparent CIFS, and the most popular data-transfer system in the world short of e-mail and the Web: Windows file sharing. SMB was an oxymoron—powerful, flexible, fast, supported almost universally, and fucking hideous in every way, shape and byte. Elena laughed as chunkage like ECFDEECACACACACACACACACACACACACA spewed across the display. Once upon a time, a particularly twisted IBM engineer decided that this First Level Encoding might be a rational way to write the name BSD. Humanly readable? Not unless you were the good Luke Kenneth Casson Leighton, co-author of the Samba UNIX implementation, whose ability to fully grok raw SMB from hex dumps was famed across the land, a postmodern incarnation of sword-swallowing.

Quelle Horreur!

This wasn't the only way to sniff.
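The two filters Elena leans on above, as an added example in Python (not code from the book, from Paketto or from Samba): pulling the human-readable runs out of raw frame bytes the way `strings --bytes=8` does, and undoing the NetBIOS first-level encoding that turns BSD into ECFDEECACACACACACACACACACACACACA. The encoding rule is the one RFC 1001 gives (each of the 16 name bytes is sent as two nibbles, high then low, each offset by 'A'; the 16th byte is the service suffix). The sample frame bytes are constructed for the example, not captured traffic.

```python
import re


def extract_strings(data: bytes, min_len: int = 8) -> list[str]:
    """Return every run of at least min_len printable ASCII bytes (0x20-0x7e
    plus tab), the same filter `strings --bytes=8` applies to whatever lc
    pushes down the pipe. CR and LF end a run, so header lines come out one
    per string."""
    pattern = re.compile(rb"[\x20-\x7e\t]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


# NetBIOS suffix byte (16th byte of the name) -> service it announces.
NETBIOS_SUFFIXES = {
    0x00: "Workstation",
    0x03: "Messenger",
    0x1B: "Domain Master Browser",
    0x1D: "Master Browser",
    0x1E: "Browser Election",
    0x20: "File Server",
}


def decode_netbios_name(encoded: str) -> tuple[str, int]:
    """Undo NetBIOS first-level encoding (RFC 1001): 32 characters in 'A'..'P',
    each pair one byte. Returns (name with space padding stripped, suffix byte)."""
    if len(encoded) != 32 or any(not "A" <= c <= "P" for c in encoded):
        raise ValueError("not a 32-character first-level encoded name")
    nibbles = [ord(c) - ord("A") for c in encoded]
    raw = bytes((hi << 4) | lo for hi, lo in zip(nibbles[0::2], nibbles[1::2]))
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15]


def encode_netbios_name(name: str, suffix: int = 0x20) -> str:
    """Inverse of decode_netbios_name: pad to 15 bytes, append suffix, split nibbles."""
    raw = name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix & 0xFF])
    return "".join(chr(ord("A") + (b >> 4)) + chr(ord("A") + (b & 0x0F)) for b in raw)


# Constructed sample frame: binary filler around an HTTP request line, a
# too-short string, and a first-level encoded NetBIOS name. Not captured traffic.
SAMPLE_FRAME = (
    b"\x00\x1f\x3a\x01"
    + b"GET / HTTP/1.0\r\n"
    + b"\x8a\x00abc\x00"
    + b"ECFDEECACACACACACACACACACACACACA"
    + b"\xff\xfe"
)


def readable_names(strings: list[str]) -> dict[str, str]:
    """Map each extracted string that decodes as a first-level encoded name to
    'NAME<suffix> service'; everything else is left alone."""
    out = {}
    for s in strings:
        try:
            name, suffix = decode_netbios_name(s)
        except ValueError:
            continue
        out[s] = f"{name}<{suffix:02X}> {NETBIOS_SUFFIXES.get(suffix, 'unknown')}"
    return out


if __name__ == "__main__":
    found = extract_strings(SAMPLE_FRAME)
    for s in found:
        print(s)
    for enc, dec in readable_names(found).items():
        print(f"{enc} -> {dec}")
```

Run against the names in the lc output above, the decoder gives BSD<20> (file server), WORKGROUP<1E> (browser election) and ARACHNADOX<00> (workstation), which is how the NBT chatter turns back into hostnames without a hex dump.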
Chris Lightfoot's Driftnet (http://www.ex-parrot.com/~chris/driftnet) had achieved some popularity. Inspired by the Mac-only EtherPEG (http://www.etherpeg.org), it spewed not text, but actual images and mp3s screaming through the network. This was great fun at wireless Internet-enabled conferences. The weblogger types had christened it the greatest method invented for tapping the collective attention span of audience members. (As a cross between columnists, exhibitionists, and vigilante quality assurance, the webloggers were always keenly interested in Who Was Hot and Who Was Not.) But as particularly applies to reading minds, be careful what you wish for, or you just might get it. Elena wouldn't launch Driftnet at gunpoint. Although she refused to talk about the circumstances of her phobia, it probably had something to do with that unfortunate multimedia misadventure involving Britney Spears and a goat. One was the visual, and the other was the mp3, but damned if Elena would tell anyone which was which. Paketto's Linkcat was a hell of a lot safer.

Authorspeak: Paketto Borne

It was in November 2002 that I released the first version of the Paketto Keiretsu (http://www.doxpara.com/paketto). It was "a collection of tools that use new and unusual strategies for manipulating TCP/IP networks." At least one authority had called them "Wild Ass," but I was left with no small amount of egg on my face after a wildly bombastic original posting on that geek Mecca, Slashdot.org. A much more rational index had been posted on Freshmeat. It read as follows:

The Paketto Keiretsu is a collection of tools that use new and unusual strategies for manipulating TCP/IP networks. They tap functionality within existing infrastructure and stretch protocols beyond what they were originally intended for.
It includes Scanrand, an unusually fast network service and topology discovery system, Minewt, a user space NAT/MAT router, linkcat, which presents an Ethernet link to stdio, Paratrace, which traces network paths without spawning new connections, and Phentropy, which uses OpenQVIS to render arbitrary amounts of entropy from data sources in three dimensional phase space.

Paketto was an experiment. No, it was more than that. It was a collection of proof of concepts—an attempt to actually implement some of the amusing possibilities I'd talked about at that perennial agglomeration of hackers, hangers on, and Feds: DEF CON 10, with "Black Ops of TCP/IP." It was an entertaining experience and quite educational. Apparently, a 12-pack of Coronas beats a Windows laptop on auto-suspend, when the judges are a 500-strong crowd of hackers, hax0rz, and all the Feds in between.

And They Say We're Social Creatures

Elena sighed. She saw nothing, just the generic chatter of networks. And then something different fluttered by:

:3lph_!~3lph_@timmy.edu PRIVMSG dw0rf :sup punk
:dw0rf!~dw0rf@genome.nx PRIVMSG 3lph_ :0wned that warez site last night
:3lph_!~3lph_@timmy.edu PRIVMSG dw0rf :Big man taking out the WinME
:dw0rf!~dw0rf@genome.nx PRIVMSG 3lph_ :WinME, ServU, GoodBI

[...]

UP:   64.81.64.164:80    [11] 0.477s
DOWN: 64.81.64.164:21    [12] 0.478s
UP:   64.81.64.164:443   [11] 0.478s
DOWN: 64.81.64.164:465   [12] 0.478s
DOWN: 64.81.64.164:139   [22] 0.488s
DOWN: 64.81.64.164:8000  [22] 0.570s
DOWN: 64.81.64.164:31337 [22] 0.636s

Was the host 11 hops away, 12 hops away, or 22 hops away? Turned out a slight bug in the kernel on...
...at the time of the intrusion. I do have four months' worth of IIS log files, which are better than nothing. I actually suspected the Web server as the point of intrusion. The Web server was the most direct route to the SQL Server. Otherwise, they would have to penetrate the DMZ firewall, then the internal firewall, and then try to break into the SQL Server. Ironically, this company thought they were being...

...When a customer they insure is hacked, they call me in to investigate. My job is to figure out what the hacker did, and just as important, what the hacker didn't do. My report determines if the company gets $10,000 or $100,000 for their claim. Before the insurance company cuts a check, the managers want to know exactly who did what, how they did it, whose fault it was, and how they can prevent the problem...

...modules. The next day, a customer tipped them off that their source code appeared on a public Web site. They brought in this consulting firm to get them secure. These security consultants completely rebuilt much of their network and made some changes in their Web application. Unfortunately, in doing so these consultants also destroyed much of the evidence, and I don't know exactly how the network looked at the...

...ACK—with the server-generated stamp of approval—came back. Only then would all the memory be allocated for this new and exciting connection. Inverse SYN Cookies took this one step further. The ACK didn't just reflect the SYN/ACK; the SYN/ACK also reflected the SYN. So a cryptographic token in the SYN would have to return in any valid SYN/ACK or RST/ACK. Linking the cryptographic token—a SHA-1 hash truncated to...

...P2P (Peer to Peer) networks would start using this to organize their virtual networks. So why did Google's SSL port appear 3 hops farther away?
Say hello to their SSL accelerator, and possibly a separate network used to serve its content. This wasn't the only quirky thing one could find with TTLs:

root@arachnadox:~# scanrand -b1k -e local.doxpara.com:80,21,443,465,139,8000,31337
UP:   64.81.64.164:80    [11]...

...12.123.24.137 |80 66.5.1.1 [05] ) 64.81.64.1 |80 64.8.1.1 10.0.1.11 -> ) 12.122.11.106 |80 66.5.1.1 001 = 0.240s( ) 144.232.6.126 |80 64.5.1.1 [05] ) 144.232.18.42 |80 64.5.1.1 009 = 10.0.1.11 -> ) 12.122.11.217 |80 66.5.1.1 0.219s( ) 144.232.9.214 |80 64.5.1.1 007 = [04] ) 192.205.32.109 |80 66.5.1.1 10.0.1.11 -> ) 144.232.3.193 |80 64.5.1.1 006 = 0.189s( ) 206.24.210.61 |80 66.5.1.1 [04] ) 144.232.3.169 |80 64.5.1.1...

...thought they were being more secure by placing the SQL Server on their internal network. While this did make the SQL Server slightly more difficult to attack directly, it also allowed the SQL Server to see the internal network. If you can get to the SQL Server, you can get to the whole network. This mistake cost the company a vital piece of intellectual property: their source code. I figured this would be a...

...filtering out the known, identifying the unknown, and tracing the attacker. This was the part of security work that paid the bills, the spiritual inverse of dumpster diving. But eventually, the problem was traced to a single IP: 10.10.250.89. That was the good news. The bad news was that Elena had to find this host, fast, because it had apparently been used to install backdoors on machines throughout the company...

...company was able to get the source code removed from the site within a few hours, but the damage had been done. They paid a large consulting firm to get them secure, but the insurance company flew me in to do the investigation. For a week now, I have gathered every log file I could find, sanitized and normalized the data, and loaded it into my analysis database. I have very little to go by, and the log files are...
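The two scanrand ideas the fragments above describe, stateless inverse SYN cookies and hop counts read off the reply TTL, as an added Python example (not Paketto's code). The page's sentence stops at "a SHA-1 hash truncated to", so the key material, the fields covered by the hash and the 32-bit truncation here are assumptions; what is not an assumption is the check itself, that any honest SYN/ACK or RST/ACK must acknowledge the SYN's sequence number plus one. The replies are constructed to mirror the scanrand table above (ports 80 and 443 at 11 hops, 21 and 465 at 12, 139/8000/31337 at 22), with the initial-TTL guess being the usual nearest-of-32/64/128/255 heuristic.

```python
import hashlib
import hmac

# Assumption: a fresh random key per scan run; fixed here so the example is repeatable.
SCAN_SECRET = b"constructed-example-key"

SYN, RST, ACK = 0x02, 0x04, 0x10


def syn_cookie(secret: bytes, src_ip: str, dst_ip: str, dst_port: int) -> int:
    """32-bit token used as the SYN's initial sequence number. Hashed fields and
    the 32-bit truncation are assumptions; the point is that nothing per probe
    has to be remembered, the reply carries what is needed to recompute it."""
    msg = f"{src_ip}>{dst_ip}:{dst_port}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha1).digest()[:4], "big")


def reply_is_ours(secret, src_ip, dst_ip, dst_port, ack_number) -> bool:
    """SYN/ACK and RST/ACK both acknowledge ISN+1, so one check covers both."""
    expected = (syn_cookie(secret, src_ip, dst_ip, dst_port) + 1) & 0xFFFFFFFF
    return ack_number == expected


def hops_from_ttl(ttl: int) -> int:
    """Usual heuristic: the sender started at the smallest common initial TTL
    (32, 64, 128, 255) not below the observed value; the difference is hops."""
    for initial in (32, 64, 128, 255):
        if ttl <= initial:
            return initial - ttl
    raise ValueError(f"impossible TTL {ttl}")


def classify(flags: int):
    if flags & SYN and flags & ACK:
        return "UP"      # port accepted the SYN
    if flags & RST:
        return "DOWN"    # port closed, or some box in the path answered for it
    return None


def analyze(secret, src_ip, dst_ip, replies):
    """replies: (dst_port, tcp_flags, ip_ttl, ack_number) as seen on the wire.
    Returns {port: (state, hops)}; replies failing the cookie check are dropped
    as unsolicited or forged."""
    results = {}
    for port, flags, ttl, ack in replies:
        if not reply_is_ours(secret, src_ip, dst_ip, port, ack):
            continue
        state = classify(flags)
        if state is not None:
            results[port] = (state, hops_from_ttl(ttl))
    return results


def hop_clusters(results):
    """Group ports by apparent distance. One IP answering at several hop counts
    means several devices answered: accelerator, firewall, the host itself."""
    clusters = {}
    for port, (_, hops) in sorted(results.items()):
        clusters.setdefault(hops, []).append(port)
    return clusters


def build_replies():
    """Constructed replies mirroring the scanrand table; TTLs chosen so that
    64-53=11, 64-52=12 and 128-106=22 (a 128-style initial TTL for the RSTs)."""
    src, dst = "10.0.1.11", "64.81.64.164"

    def ack_for(port):
        return (syn_cookie(SCAN_SECRET, src, dst, port) + 1) & 0xFFFFFFFF

    replies = [
        (80, SYN | ACK, 53, ack_for(80)),
        (443, SYN | ACK, 53, ack_for(443)),
        (21, RST | ACK, 52, ack_for(21)),
        (465, RST | ACK, 52, ack_for(465)),
        (139, RST | ACK, 106, ack_for(139)),
        (8000, RST | ACK, 106, ack_for(8000)),
        (31337, RST | ACK, 106, ack_for(31337)),
        # forged SYN/ACK whose ack number does not match our cookie: must be ignored
        (22, SYN | ACK, 53, (ack_for(22) + 1) & 0xFFFFFFFF),
    ]
    return src, dst, replies


if __name__ == "__main__":
    src, dst, replies = build_replies()
    results = analyze(SCAN_SECRET, src, dst, replies)
    for port, (state, hops) in sorted(results.items()):
        print(f"{state:>4}: {dst}:{port:<5} [{hops:02d}]")
    print(hop_clusters(results))
```

Three hop-count groups for one address is the tell the text is pointing at: the SYN/ACKs, the RSTs for 21 and 465, and the RSTs for 139/8000/31337 each came from a different device. The cookie check is what makes a scanner that keeps no table of outstanding probes safe to run: a third party who injects RSTs or SYN/ACKs without knowing the key cannot make a port look open or closed.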

Posted: 13/08/2014, 12:21
