242 Chapter 10 • The Art of Tracking You can tell how skilled hackers are by what tools they use. When they start, they use some publicly available tool. As time goes on, they begin to customize the tool to make it stealthier or more effective. Eventually, they develop their own set of custom tools.The funny thing is that they probably don’t realize that the more custom their tools and the more refined their techniques, the easier it is for me to profile them. This particular hacker I have been pursuing is beginning to make the transition to master hacker, but I know he is still arrogant enough to use his real IP address. I just haven’t found it yet. My hunt for him began 18 months ago, when I was called in to investigate an intrusion at a large university. Someone discovered a password cracker running on one of their servers, which resulted in a major security audit.The insurance company flew me in to do my own investigation.The university’s network was such a mess, I couldn’t imagine how anyone—whether hacker or administrator—could ever find anything.There were plenty of holes, and the hacker apparently saw the university’s disorganized but high-bandwidth network as a good launching point for other attacks.Through my investigation, I gathered mounds of evidence but could never produce anything conclusive enough to pass onto authorities. Still, this was only the first of several encounters I would have with this hacker. During my investigation, I found a suspicious file in one of the Web server’s content directories. It was a custom script that allowed an attacker to upload files to the Web server. When the investigation ended, I continued my research. Using search engines, I found another Web server that had the same file. I contacted this company, and the managers let me take a look around their server. A month later, I read about an e-commerce company that was hacked. The method described sounded similar to the work of my hacker. I called them and offered my services.They weren’t interested in hiring me, but they did share some information they had gathered. By studying these intrusions, I learned that this hacker often took over the systems of insecure cable- modem users. Doing my own probing, I found that these systems were usu- ally Windows boxes with blank administrator passwords. I even broke into some of these systems myself, hoping to gather more evidence. All I needed was his real IP address. I knew it was recorded somewhere.The trick was correlating it to the attacks. I gathered the IP addresses of systems he had www.syngress.com 249_StealThis_10.qxd 4/18/03 6:11 PM Page 242 The Art of Tracking • Chapter 10 243 hijacked, along with proxy servers he had used. With each intrusion, my ability to spot his work improved—the better he got, the better I got. What grabbed my attention in these particular log entries was the IP address. I recognized it as one of the many my hacker had commandeered. What struck me next was the 200 HTTP result code. HTTP result codes record how the server handled the request. A 404 code means a file wasn’t found. A 302 code means a request was redirected. A 200 code means the request was handled successfully.The interesting thing here is that the previous request to checklogin.asp had a 302 result, but this request returned a 200 code. Looking at the source code for checklogin.asp, I saw the following: <% Set objConn = CreateObject(“ADODB.Connection”) objConn.Open Application(“WebUsersConnection”) sSQL=”SELECT * FROM Users where Username=’” & Request(“user”) & _ “‘ and Password=’” & Request(“pwd”) & “‘“ Set RS = objConn.Execute(sSQL) If RS.EOF then Response.Redirect(“login.asp?msg=Invalid Login”) Else Session.Authorized=True Set RS = nothing Set objConn = nothing Response.Redirect(“menu.asp”) End If %> There were some obvious problems here. First, it doesn’t filter form input and is vulnerable to SQL injection. Second, it uses the generic Request object instead of specifically requesting the Request.Form object. What this means is that anyone can send the user and pwd parameters either through a form or as part of the query string, like this: www.syngress.com 249_StealThis_10.qxd 4/18/03 6:11 PM Page 243 244 Chapter 10 • The Art of Tracking http://www.example.com/checklogin.asp?user=joe&pwd=nothing This is significant, because such a request will show up in the IIS logs as a GET request rather than a POST, as my log entry showed: 2002-12-15 12:48:27 24.1.5.62 GET /checklogin.asp – 200 But, the question remained: Why was I seeing a 200 result code? Following the logic of checklogin.asp, a username and password could either match or not match. If the username and password matched, the user would be redirected to menu.asp, resulting in a 302 code. If either the user- name or the password were incorrect, the client would be redirected to login.asp, also resulting in a 302 code.The only other possibility I could think of was an ASP error, but that would show up as a 500 error in the logs.At least, I assumed it would show up that way. Assumption—it’s one of the worst things when investigating an intrusion. I have been burned by assumptions—mine or those of others—so many times that the word itself sends up a red flag whenever I say it. I have learned that I need to double-check everything. So, I browse to the company’s test Web server and force an error by entering invalid data in the login form.The response is exactly what I would expect: Microsoft ODBC Provider for SQL Server error ‘80040e14’ Unclosed quotation mark before the character string ‘’. /checklogin.asp, line 7 I open the IIS log files, and there it is: 200. Even though the ASP page returned an error, it wasn’t an ASP error. I try the same thing on my own Web server, and I don’t get the same results. But on this server (perhaps it’s the ODBC driver), I get a 200 result code. And that’s all I need.The only way to get a 200 code on this page is if an ODBC error occurs. All I need to do now is find all requests that match those criteria. I construct a new query in my database and hit Enter. And there it is: a complete list of IP addresses that tried this.The reason I couldn’t find this stuff before is because the 200 made the traffic look legiti- mate. I cross-reference the IP addresses, and sure enough, it’s definitely him. Now that I have all the IP addresses he used, I take each and build another query to see what else he did. An hour ago, I had nothing to go on. www.syngress.com 249_StealThis_10.qxd 4/18/03 6:11 PM Page 244 The Art of Tracking • Chapter 10 245 Now, I have hundreds, possibly thousands, of log entries. I print them (10 pages’ worth), lean back in my chair, and stare at them to see what patterns emerge. Immediately, these entries catch my attention: 2002-12-19 11:23:19 24.1.8.9 GET /checklogin.asp – 500 2002-12-19 11:28:54 24.1.8.9 GET /checklogin.asp – 500 2002-12-19 11:34:33 24.1.8.9 GET /checklogin.asp – 500 Why was he suddenly getting 500 errors? Perhaps it’s a CGI script timeout. Each entry is about five minutes apart, and the default CGI script timeout in IIS is 300 seconds. Suddenly, I realize that this checklogon.asp script doesn’t return anything, so he won’t be able to see the results of any commands he sends. Somehow, he will need to send the results back to his PC. Once, I saw a hacker who actually had SQL Server e-mail him the results. I do have the company’s SMTP logs, but I see nothing suspicious occurring during that time period.And no e-mails have ever originated from the SQL Server box. I’ve heard it suggested that data could be returned as part of an ICMP echo request, but I know this guy, and he’s too lazy to bother with something like that. Then I realize that no matter what method was used, it would involve establishing some kind of TCP/IP connection. But there’s nothing that would have recorded outgoing connections. It’s likely that the SQL Server has made few outgoing TCP connections, so on a long shot, I type the fol- lowing: C:\>ipconfig /displaydns DNS caching is a Windows 2000 client service that caches the most recent DNS queries for a period of time so it doesn’t need to perform another lookup to resolve the same hostname.The cool thing about this ser- vice is that it also keeps a handy record of what names have been recently resolved on the system. For the most part, the results are what I would have expected: Windows 2000 IP Configuration www.microsoft.com. Record Name . . . . . : www.microsoft.com Record Type . . . . . : 5 www.syngress.com 249_StealThis_10.qxd 4/18/03 6:11 PM Page 245 246 Chapter 10 • The Art of Tracking Time To Live . . . . : 82 Data Length . . . . . : 4 Section . . . . . . . : Answer CNAME Record . . . . : www.microsoft.akadns.net Record Name . . . . . : www.microsoft.akadns.net Record Type . . . . . : 1 Time To Live . . . . : 82 Data Length . . . . . : 4 Section . . . . . . . : Answer A (Host) Record . . . : 207.46.134.222 www.windowsupdate.com. Record Name . . . . . : www.windowsupdate.com Record Type . . . . . : 5 Time To Live . . . . : 458 Data Length . . . . . : 4 Section . . . . . . . : Answer CNAME Record . . . . : windowsupdate.microsoft.nsatc.net Record Name . . . . . : windowsupdate.microsoft.nsatc.net Record Type . . . . . : 1 Time To Live . . . . : 458 Data Length . . . . . : 4 Section . . . . . . . : Answer A (Host) Record . . . : 207.46.249.61 windowsupdate.microsoft.nsatc.net. Record Name . . . . . : windowsupdate.microsoft.nsatc.net Record Type . . . . . : 1 Time To Live . . . . : 458 www.syngress.com 249_StealThis_10.qxd 4/18/03 6:11 PM Page 246 The Art of Tracking • Chapter 10 247 Data Length . . . . . : 4 Section . . . . . . . : Answer A (Host) Record . . . : 207.46.249.61 But there was one entry (not shown here) that seemed quite suspicious: the DNS name of an ISP in Brazil. Is it possible that I’ve finally discovered his IP address? Not just some box he had seized, but his real IP address? The first thing I do is perform some searches on the IP address, just to see what turns up. I perform a WHOIS query at www.arin.net, to see who actually owns the IP address. It refers me to www.lacnic.net, and I check http://www.geobytes.com/IpLocator.htm to see if I can determine his phys- ical location. I also run some searches on Google (both Web and Usenet searches). It turns out the IP address is an ISP’s Web server. Another false alarm—it’s just an open proxy server. Still, I search for that IP address in the IIS logs, and I find a single log entry coming from it. Even more interesting are some log entries immedi- ately following: 2002-12-03 09:08:44 200.155.1.199 GET /checklogin.asp – 200 2002-12-03 09:10:23 88.162.15.64 GET /checklogin.asp – 200 2002-12-03 09:10:59 200.104.96.33 GET /checklogin.asp – 200 2002-12-03 09:11:18 197.208.212.55 GET /checklogin.asp – 200 This is a classic “check-this-out” event. What happens is that someone does some cool hack, and a couple minutes later, he tells some buddies in a chat room to check out what he just did. Next, you see several distinct IP addresses hitting the same URL within a very short time.These events are extremely important in a forensics investigation, because they allow me to make a relationship connection. Not only does it associate an IRC nick with an IP address, but it also tells me who else this hacker associates with. IRC monitoring is particularly fun. I have spent hundreds of hours developing a custom IRC monitoring tool.This tool connects to IRC net- works all around the world and searches for lists of IP addresses I provide. And it does it over and over, for as long as I keep the program running. After a few days, I can usually find at least some of the IP addresses I’m looking for. For now, I enter the four IP addresses I found in the logs and click the Connect button. www.syngress.com 249_StealThis_10.qxd 4/18/03 6:11 PM Page 247 248 Chapter 10 • The Art of Tracking The program spawns several application windows, each with raw IRC traffic scrolling so fast that it’s hardly useful (but looks extremely cool). In the main results window, I already have two matches. Each time it gets an IP address match, it performs a WHOIS lookup for that nick.The program does generate many false matches, but the two users it found are sitting in the same chat room, #haxordobrazil. Of all the skills required of a forensics expert, few are as important as the ability to speak (or at least read) as many foreign languages as possible. I speak Italian and Spanish fluently enough to convince a native speaker that I, too, am a native speaker. I can sufficiently communicate in Portuguese, and somewhat less French. I can’t speak German, but I can understand about 50 percent of what I read in German.The next language I would learn is Russian, but for some reason, it intimidates me. For other languages, I have enough friends in enough countries for most of what I encounter. For what’s left, there’s http://babelfish.altavista.com. #haxordobrazil, hackers from Brazil—Brazilian hackers. I’m getting closer. I seriously consider joining the IRC channel, but realize that I could completely spoil my investigation if they realize someone is on to them. For now, I keep my IRC logger running. At least, now I have something to report to my client. And just in time, because it’s almost 9:00 A.M., and people are beginning to arrive for a new day. Here I am, my eyes so red I need to wear sunglasses to bear the bright- ness of my monitor, wearing the same clothes and sitting in the same seat as I was yesterday when everyone left for the day. “I can’t believe I actually found him,” I tell myself. I get up to close my office door, then settle in to my chair and close my eyes for a short nap. Finally, I can sleep. But not for long. An hour has passed, but it was hardly satisfying. I hear two quick knocks at my office door. “So what have you got? Didn’t you go back to your hotel last night?” he asked. He was the CIO for the software company, my boss for the couple weeks of this investigation. “What, and miss out on all the fun here?” I respond, “I do have some good news. I found the hole, but I still need to gather some notes. I’ll go into more detail at our meeting.” www.syngress.com 249_StealThis_10.qxd 4/18/03 6:11 PM Page 248 The Art of Tracking • Chapter 10 249 My voice must have an obvious slur, because he gives me a questioning look. Just then, one of his employees approaches him with an apparent emer- gency. He looks back at me, gives me an “okay, let’s talk later” wave, and walks away. That day went by fast. We had a meeting and talked about what to do next. I was informed that they suspected the hackers still had access, which was probably the emergency earlier. We reviewed some strategies, I talked about the SQL injection bugs I saw in the source code, and I wrote some reports. Later, we had some more meetings, and I wrote more reports.That day, at 5:00 P.M., I rushed out with everyone else. Wednesday I don’t remember actually falling asleep, or even laying down on my bed. I just wake up the next morning, still wearing the same clothes I’ve had on for the past 48 hours. But I feel great. In the shower, I think about my strategy for the day. I need to find some solid, credible evidence I can hand over to authorities. Evidence is tricky. I’m in a strange position, because I’m not law enforce- ment, but I’m also not a normal part of this company’s business. If I want to start logging more information or install an IDS, I write up a policy and have the company establish it as a regular business process. If I just go in there and use all my tools to gather evidence, especially doing it in anticipa- tion of legal action, the evidence I produce loses credibility and could poten- tially be deemed inadmissible in court. But to collect information I can use to gather clues, I do whatever I want.Today, I’m going to put a Snort box on the network and watch for those IP addresses. I’m also going to add some rules to record all the X-FORWARDED-FOR HTTP headers that proxy servers sometimes add. Unfortunately, IIS doesn’t log custom HTTP headers, but a simple Snort rule gives me a wealth of information. Back at the office, I settle in and glance through my e-mail. I am shocked when I read my first message: From: daddo_4850 To: tmc Date: Wed, 5 Feb 2003 0:33:05 Subject: sup dood www.syngress.com 249_StealThis_10.qxd 4/18/03 6:11 PM Page 249 250 Chapter 10 • The Art of Tracking Hey, I see you are trying to find me. Good luck trying to catch me!!! *See* you around :) —daddo My stomach sinks, as a million questions race through my mind. How could he possibly have known? Where did he get my e-mail address? Is he an insider? Does he have an accomplice on the inside? What else does he know about me? Just then, I hear two quick knocks on my office door, followed by, “Hey!” It’s the CIO. My face must show my distress, because he quickly asks me, “Dude, what’s wrong?” “How many people know I’m doing this investigation?” I ask him. “I don’t know, maybe five,” he answers. “Do you trust those five?” I inquire. He is about to answer, but pauses, as if he just remembered something that would cause him to question how much he trusted everyone. Before arriving at an investigation, I always make sure the client is careful to not tell everyone what I’m doing there. I never know if I’m investigating an insider job, and I certainly don’t want an insider to be warned of my investigation. Once I was hired to investigate an employee for corporate espionage. One of the managers sent an e-mail to the other managers, making them aware of my investigation and asking for their full cooperation while I was there. Unfortunately, the guy I was investigating was one of the managers who received this e-mail. When I got there, his laptop had been securely erased, reformatted, and reinstalled. “Well,” I tell the CIO, “we have a problem here.This hacker has my e- mail address.Any ideas how he got it?” I explain the situation, and he leaves to go talk with the company VP. The first thing I do is check out my own Web and mail servers to make sure nothing there has been compromised.There is no sign of any intrusion. Then I realize that I have communicated with various employees via e- mail, and perhaps he has somehow intercepted someone’s e-mail. I wonder if all the company passwords were changed after the break-in. One of the first www.syngress.com 249_StealThis_10.qxd 4/18/03 6:11 PM Page 250 The Art of Tracking • Chapter 10 251 things people do after an intrusion is change passwords, but usually they change only a few key passwords, failing to realize that the intruder could very well have acquired hundreds of other logins. In fact, it doesn’t really help much to change only selected passwords after an intrusion, because if the intruder has just one way back into the network, he can easily discover all the other passwords again. I talk with the CIO, and we decide to do a password sweep of the entire company. It takes the rest of the day and well into the night. We change every domain account, every local administrator account on every PC, and every router and switch account. We change hundreds of external accounts, including those for domain registrars, payment processing services, online banking, and so on. We even have all the employees change their personal Hotmail and instant messenger passwords. I’m actually quite surprised how eager all the employees are to participate in this, and many of them bring often-overlooked accounts to our attention. I also change all my own passwords. When we’re finished and most people have left, I sit down at my laptop to write this guy the response I’ve been composing in my head all day. Being so upset earlier, I failed to realize how useful it was to have some kind of communication with him. At least now I have a name for him, Daddo. It’s kind of a lame name. I guess I had hoped for better. I write up my response: From: tmc To: daddo_4850 Date: Wed, 5 Feb 2003 20:06:22 Subject: RE: sup dood >Hey, I see you are trying to find me. Good luck trying to catch me!!! >*See* you around :) >—daddo Okay, that was good. But wait until you see what’s next ;) tmc It was hardly five minutes before I got the response: www.syngress.com 249_StealThis_10.qxd 4/18/03 6:11 PM Page 251 [...]... where the main Web site used to operate Over the past year, they’ve been moving their data operations from a colocated facility to their own in-house data center.They made the final transition just a month before the break-in occurred However, they never took down the old www.syngress.com 2 49_ StealThis_10.qxd 4/18/03 6:11 PM Page 253 The Art of Tracking • Chapter 10 servers; instead, they just updated the. .. and goes so far as to say that you “must verbally verify” the public keys.Their document outlines a scenario in which there are two router administrators, each with a secure link to the router (perhaps a terminal physically attached to the console), who are on the phone with each other During the process of key exchange, they are to read the key they’ve received to the other admin .The security in this... from the assumptions that the two administrators recognize each other’s voices, and that it’s very difficult to fake someone else’s voice If the administrators know each other well, and each can ask questions the other can answer, and they’re both logged on to the consoles of the router, and no one has compromised the routers, then this is secure, unless there is a flaw in the crypto We’re not going to. .. them or what deters them Few people know how to catch them, and even fewer know what to do once they have them.They are a menace to society, yet so many people revere them, even hire them.They steal, but what they steal isn’t something tangible like a wallet or a car—it’s just a network. They steal the network you still there? yes hey if you were planning on going to DEF CON this year,... when we begin to discuss “client-side?” If we were in a network (client-server) environment, we would define the client as the machine initiating a request for service and connection, and the server as the machine waiting for the request for service or connection or the machine able to provide the service .The term “client-side” in the network is used to refer to the computer that represents the client... Appendix links together three separate DES operations, for double or triple strength, depending on how it’s done In order for all of this to work, each router has to have the right public key for the other router If a MITM attack is taking place and the attacker is able to fool each router into accepting one of his public keys instead, then he knows all the session keys and can monitor any of the traffic... knife and start your own autopsy.You would call the police If you are an administrator and you get hacked, pull the plug on the server, remove the hard drives, and place them in a physically secure location If you need to use the server, buy some more hard drives, and you can put it back into service Some forensics experts don’t agree with the advice to pull the plug on a victim machine.They argue that... the same end of the spectrum, with the rest of the world on the other end.There really is no difference between responsible hacking and evil hacking Either way, it’s hacking .The only difference is the content Perhaps that’s why it’s so natural for a black hat to go white, and why it’s so easy for a white hat to go black .The line between the two is fine, mostly defined by ethics and law .To the hacker, ethics... one administrator using two Telnet windows If this is the case and the attacker is able to play man-in -the- middle and hijack the Telnet windows and key exchange, then he can subvert the encrypted communications Finally, let’s cover the endpoints Security is no stronger than the weakest links If the routers in our example can be broken into and the private keys recovered, then none of the MITM attacking... the coin for the ones we will explore Before we can work with the laws to discover potential problems, we need to have a working definition of what the laws are In the following sections, we’ll look at the laws and what they mean to us in our efforts to secure our networks and systems Client-Side Security Doesn’t Work In the first of our laws, we need to define a couple of concepts in regard to security.What, . they develop their own set of custom tools .The funny thing is that they probably don’t realize that the more custom their tools and the more refined their techniques, the easier it is for me to. • The Art of Tracking You can tell how skilled hackers are by what tools they use. When they start, they use some publicly available tool. As time goes on, they begin to customize the tool to. data center.They made the final transition just a month before the break-in occurred. However, they never took down the old www.syngress.com 2 49_ StealThis_10.qxd 4/18/03 6:11 PM Page 252 The Art of