Copyright © 2008 by The McGraw-Hill Companies. Click here for terms of use.
124
large sum of money. To get it, all Enrique had to do was to hack into the company’s administrative servers and collect all their customer records.
However, after following the standard information gathering steps, he started wondering if he made a good choice accepting this job. The target company had a full C class on the Internet, which seemed to be 70 percent populated. Although firewalls were running on OpenBSD, he found that most of the web servers were running on FreeBSD, which meant he couldn’t use Internet Information Server exploits or Linux 0-day code.
The satellite company’s ISP was a tough one as well, with no default or known in-the-wild accounts. It was a castle, very well protected from the external world. He would have to find some unconventional attack vectors.
He started to think out-of-the-box, imagining himself as one of the IT developers or managers. What was the company’s core-business? To sell movies via satellite.
Through the Internet, customers were only allowed to sign up for a monthly or yearly based subscription. He played with the web applications, but the code was well written — no SQL injections, XSS, or other cracks in the walls.
But to view the movies, customers needed a Set Top Box (STB). Enrique considered the STB. How did it communicate with the company? He browsed through the help and how-to files on the website and discovered that the STB communicated with the satellite company via a telephone line. Every time you wanted to buy a movie, the STB made a call to the company servers. He imagined the data flow: The user requests a movie; the STB performs a modem call; the company servers bill the customer and then deliver the movie.
He called his client and asked for an STB. The STB he got had many connectors: a SCART connector that was linked to the TV, a 9-pin serial port, RCA and S-VHS outputs, and an RJ-11 telephone jack. The manual explained that the user must connect the box to the home telephone line. Enrique made the connection and ordered a movie.
After the movie was delivered to his STB, he browsed through his phone billing via the phone company’s online utility and found a confirmation: a 2€ phone call to the number 00-33-1-4545.1219.
• 00 was for calling Spain.
• 33 was the country code for France.
• 1 was the area code for Paris.
So 4545.1219 was the phone number he wanted. From the telephone on his desk, he called the number from one of his external lines. Bingo, a modem answered. He fired up Minicom and called the number again. After the handshake, he got no prompts or login requests. Probably, the remote system was waiting for a string sent by the STB itself. This wouldn’t get him what he needed. But it got him closer.
He got the ward tool from Raptor—the lighter PSTN scan tool he had—and performed a very fast PSTN scan, configuring it to scan +33-1-4545.12xx. He found live modems on
125
17, 18, 19, and then on 25 and 50. Calling each one, he just found the same garbage generated from the 19 extension.
He fired up ward again, this time scanning for +33-1-4545.1xxx. This time the answer was better: 1000, 1010, 1050, 1999.
Calling the first result with Minicom, he connected to a Cisco box asking for a password: He tried to guess the password, including the satellite company name and words such as movies, subscription, paris, Paris, and so on…but nothing. The same happened with 1010 and 1050: different banners, but the same result.
His last try was 1999. The remote system answered with CONNECT 9600/ARQ/V34/LAPM/V42BIS
____________________________________________________________
TeleSat Communications Systems WARNING:
This is a private network
Every abuse is strongly discouraged.
billing-gw-BE __________________________________________________
User Access Verification Username: subscriber Password:
Billing-gw-BE>
After a few tries, Enrique entered subscriber/subscriber, and he was in the system.
He performed a quick show arp on the Cisco, in order to see which hosts the box was talking to:
Billing-gw-BE> sh arp
Protocol Address Age (min) Hardware Addr Type Interface Internet 10.44.2.12 1 0050.8be1.eb4a ARPA FastEthernet0/0 Internet 195.65.122.2 112 0002.b51d.5e94 ARPA FastEthernet0/0 Internet 195.60.131.2 160 0002.b51d.c9c0 ARPA FastEthernet0/0 […]
Billing-gw-BE>
He then decided to call what seemed to be one of the most recent routed internal hosts:
Billing-gw-BE>10.44.2.12 Trying 10.44.2.12 ... Open
HP-UX billing-gw B.10.20 A 9000/840 (ttyp1) login: oracle
Password:
126
12:10pm up 10 days, 15:53, 1 user, load average: 0.03, 0.04, 0.04 User tty login@ idle JCPU PCPU what
oracle ttyp1 07:10pm w
$ unset HISTFILE
$ cat /etc/passwd
root:4ABicoYzK3PLM:0:3::/:/sbin/sh daemon:*:1:5::/:/sbin/sh
bin:*:2:2::/usr/bin:/sbin/sh sys:*:3:3::/:
[…]
At this point, he checked /etc/hosts and noticed a nice entry:
############################## IP to X.25
10.44.2.250 x25linux # X.25 linux box for CC payments He decided to call that Linux box:
$ telnet 10.44.2.250 Trying...
Connected to 10.44.2.250.
Escape character is '^]'.
Local flow control on
Telnet TERMINAL-SPEED option ON Debian GNU/Linux 2.2 x25linux ttyp1 X25linux login:
Enrique had successfully hacked the Linux box, and from the internal configuration files, he had been able to get the machine’s X.25 address. This gave him a comfortable avenue to use to hack into the satellite company via the X.25 link.
Continuing, he shortly had full access to the customer records. He arranged for the data to be delievered to his client, and his client arranged for the large sum of money to be delivered to him.
Chapter 6: Unconventional Data Attack Vectors
127
W
ithin the scope of a penetration test, companies often make a common mistake when trying to correctly identify and select the attack vectors related to communications. The primary mistake is to see the Internet attack vector as“the devil,” focusing all the company’s effort and proactive security budget on this communication media while forgetting about the “old school” attack vectors.
Historically, attackers taught us that wardialing is the hacking technique for dealing with remote modem access. This is still true but only the tip of the iceberg when dealing with unusual attack vectors. Computer security history—especially when related to the hacking of corporate networks—is incredibly full of true tales of high-level attacks that let the attackers gain access to the deepest secrets of the involved companies.
When reading books such as Underground: Tales of Hacking, Madness and Obsession on the Electronic Frontier by Suelette Dreyfus, Masters of Deception: The Gang That Ruled Cyberspace by Michelle Stalalla and Joshua Quinttner, or even an evergreen like The Cuckoo’s Egg by Clifford Stoll, you realize that the hacking carried out by the intruders described in these books always used one or more unconventional attack vectors.
By analyzing these attacks in depth, you can discover the “gold keyword”: old communication networks, aside from the Internet, that connect the companies to the world. That’s why this chapter focuses on the so-called old-school attack techniques, identifying and analyzing the three main attack vectors:
• PSTN
• ISDN
• PSDN
The selection of the above-mentioned attack vectors comes from both history and experience. Before the Internet boom, telephone lines and X.25 links were the only way companies and governments could communicate with each other via corporate networks.
Even today, the world is still full of “forgotten” links of this kind, rarely monitored and rarely security-tested.
From our experience, when customers who have never tested these attack vectors request a penetration test, you will likely find one or more security holes and be able to obtain full access to the internal LAN or WAN of the target company.
This chapter introduces the challenges of auditing and securing these old-school attack vectors with a dedicated and uncommon focus for Linux users and outlines the steps to secure an organization’s PSTN-, ISDN-, and PSDN-linked infrastructures.