
Ground Rules

From the document by William L. Simon (pages 138-143)

Security consultants running a pen test have something in common with the undercover vice cops buying drugs: If some uniformed precinct cop spots the transaction and pulls his gun, the vice squad guy just shows his badge. No worries about going to jail. The security consultant hired to test the defenses of a company wants the same protection. Instead of a badge, each member of the pen-test team gets a letter signed by a company executive saying, in effect, “This guy has been hired to do a project for us, and if you catch him doing something that looks improper, it’s okay. No sweat. Let him go about his work and send me a message with the details.”

In the security community, this letter is known by all as a “get-out-of-jail-free card.” Pen testers tend to be very conscientious about making sure they always have a copy of the letter with them when they’re on or anywhere near the premises of the client company, in case they get stopped by a security guard who decides to flex some muscle and impress the higher-ups with his gumshoe instincts, or challenged by a conscientious employee who spots something suspicious and has enough gumption to confront the pen tester.

In another standard step before a test is launched, the client specifies the ground rules — what parts of their operation they want included in the test and what parts are off-limits. Is this just a technical attack, to see if the testers can obtain sensitive information by finding unprotected systems or getting past the firewall? Is it an application assessment of the publicly facing Web site only, or the internal computer network, or the whole works?

Will social engineering attacks be included — attempting to dupe employees into giving out unauthorized information? How about physical attacks, in which the testers attempt to infiltrate the building, circumventing the guard force or slipping in through employee-only entrances? And how about trying to obtain information by dumpster diving — looking through the company trash for discarded paperwork with passwords or other data of value? All this needs to be spelled out in advance.

Often the company wants only a limited test. One member of the l0pht group, Carlos, sees this as unrealistic, pointing out that “hackers don’t work that way.” He favors a more aggressive approach, one where the gloves are off and there are no restrictions. This kind of test is not only more revealing and valuable for the client but more pleasing to the testers as well. It is, Carlos says, “a lot more fun and interesting.” On this one, Carlos got his wish: Newton agreed to a no-holds-barred attack.

Security is primarily based on trust. The hiring firm must trust the security company entrusted to perform the security assessment. Furthermore, most businesses and government agencies require a nondisclosure agreement (NDA) to legally protect proprietary business information from unauthorized disclosure.

It’s common for pen testers to sign an NDA, since they may come upon sensitive information. (Of course, the NDA seems almost superfluous: Any company that made use of any client information would likely never manage to get another client. Discretion is essentially a prerequisite.) Frequently, pen testers are also required to sign a rider stating that the firm will do its best not to impact the company’s daily business operations.

The l0pht crew for the Newton test consisted of seven individuals, who would work alone or in pairs, each person or team responsible for focusing on a different aspect of the company’s operations.

Attack!

With their get-out-of-jail-free cards, the l0pht team members could be as aggressive as they wanted, even “noisy” — meaning carrying out activities that could call attention to themselves, something a pen tester usually avoids. But they still hoped to remain invisible. “It’s cooler to get all this information and then at the end know they hadn’t detected you. You’re always trying for that,” says Carlos.

Newton’s Web server was running the popular server software called Apache. The first vulnerability that Mudge had found was that the target company’s Checkpoint Firewall-1 had a hidden default configuration (rule) to allow in packets with a source UDP (User Datagram Protocol) or TCP (Transmission Control Protocol) port of 53 to almost all the high ports above 1023. His first thought was to attempt to mount off their exported file systems using NFS (Network File System), but he quickly realized that the firewall had a rule blocking access to the NFS daemon (port 2049).
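The rule described above trusts a port number the sender chooses. The following toy packet-filter evaluator is an added illustration, not code from the book or from any firewall product; the `Rule` and `Packet` types, the policies and the audit helper are all invented here. It shows the weak rule beside a corrected one that admits traffic only by the destination service it is for, and a check a reviewer can run over a rule set to find allow rules keyed on source port.

```python
# Added illustration, not code from the book or any firewall vendor: a toy
# packet-filter evaluator. Rule and Packet types are invented for this example.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    proto: Optional[str] = None     # None matches either protocol
    src_port: Optional[int] = None  # None matches any source port
    dst_lo: int = 0                 # inclusive destination-port range
    dst_hi: int = 65535

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.src_port is not None and self.src_port != pkt.src_port:
            return False
        return self.dst_lo <= pkt.dst_port <= self.dst_hi


def evaluate(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First-match evaluation with a deny-by-default fallthrough."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Constructed policy resembling the hidden default rule described in the text:
# any packet claiming source port 53 may reach the high ports.
WEAK_POLICY = [Rule("allow", src_port=53, dst_lo=1024, dst_hi=65535)]

# Corrected policy: admit traffic by the destination service it is for, never
# on the strength of a source port the remote sender picks for itself.
HARDENED_POLICY = [
    Rule("allow", proto="udp", dst_lo=53, dst_hi=53),  # queries to our DNS server
    Rule("allow", proto="tcp", dst_lo=80, dst_hi=80),  # our web server
]


def source_port_trusting_rules(rules: List[Rule]) -> List[Rule]:
    """Audit helper: allow rules keyed on source port that open a range of destination ports."""
    return [r for r in rules
            if r.action == "allow" and r.src_port is not None and r.dst_lo != r.dst_hi]


if __name__ == "__main__":
    probe = Packet("tcp", src_port=53, dst_port=32771)  # toward an RPC service on a high port
    print("weak policy:", evaluate(WEAK_POLICY, probe))          # allow
    print("hardened policy:", evaluate(HARDENED_POLICY, probe))  # deny
    print("rules to review:", source_port_trusting_rules(WEAK_POLICY))
```

Real firewalls are stateful and far richer than this, but the audit question is the same: any allow rule whose only distinguishing match is the peer's source port deserves a second look, because that field costs an attacker nothing to set.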

Although the common system services were blocked, Mudge knew of an undocumented feature of the Solaris operating system that bound rpcbind (the portmapper) to a port above 32770. The portmapper assigns dynamic port numbers for certain programs. Through the portmapper, he was able to find the dynamic port that was assigned to the mount daemon (mountd) service. Depending on the format of the request, Mudge says, “the mount daemon will also field Network File System requests because it uses the same code. I got the mount daemon from the portmapper, then I went up to the mount daemon with my NFS request.” Using a program called nfsshell, he was able to remotely mount the target system’s file system. Mudge said, “We quickly got the dial-up list numbers. We just download their entire exported file systems. We had total control of the system.”

Mudge also found that the target server was vulnerable to the ubiquitous PHF hole (see Chapter 2, “When Terrorists Come Calling”). He was able to trick the PHF CGI script to execute arbitrary commands by passing the Unicode string for a newline character followed by the shell command to run. Looking around the system using PHF, he realized that the Apache server process was running under the “nobody” account. Mudge was pleased to see that the systems administrators had “locked down the box” — that is, secured the computer system — which is exactly what should be done if the server is connected to an untrusted network like the Internet. He searched for files and directories, hoping to find one that was writable. Upon further examination, he noticed that the Apache configuration file (httpd.conf) was also owned by the “nobody” account.

This mistake meant that he had the ability to overwrite the contents of the httpd.conf file.

His strategy was to change the Apache configuration file so the next time Apache was restarted, the server would run with the privileges of the root account. But he needed a way to edit the configuration so he could change what user Apache would run under.

Working together with a man whose handle is Hobbit, the two figured out a way to use the netcat program, along with a few shell tricks, to get the closest thing to an interactive shell. Because the system administrator had apparently changed the ownership of the files in the “conf” directory to “nobody,” Mudge was able to use the “sed” command to edit httpd.conf, so the next time Apache was started, it would run as root.

(This vulnerability in the then-current version of Apache has since been corrected.)
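The mistake that made the configuration edit possible is a file-ownership one, and it is easy to check for. The script below is an added example, not code from the book or from the Apache project: it reads the `User` directive out of a configuration text and reports configuration files that the service account owns or that anyone can write. The sample configuration, the ownership table and the file paths are constructed for the illustration; `stat_files` is a hypothetical helper for running the same check against a real directory.

```python
# Added example, not from the book or the Apache project: check that the files a
# web server reads as configuration cannot be modified by the unprivileged account
# the server runs as. The sample config and ownership table are constructed.
import os
import re
import stat
from typing import Dict, List, Optional, Tuple

SAMPLE_HTTPD_CONF = """\
ServerRoot "/usr/local/apache"
User nobody
Group nobody
Listen 80
"""

# Constructed ownership table mirroring the misconfiguration in the text:
# path -> (owner, permission bits)
SAMPLE_FILES: Dict[str, Tuple[str, int]] = {
    "/usr/local/apache/conf/httpd.conf": ("nobody", 0o644),
    "/usr/local/apache/conf/mime.types": ("root", 0o644),
    "/usr/local/apache/conf/access.conf": ("root", 0o666),
}


def run_as_user(conf_text: str) -> Optional[str]:
    """Return the account named by the first 'User' directive, or None if absent."""
    for line in conf_text.splitlines():
        m = re.match(r"\s*User\s+(\S+)", line)
        if m:
            return m.group(1)
    return None


def find_unsafe_files(service_user: Optional[str],
                      files: Dict[str, Tuple[str, int]]) -> List[Tuple[str, str]]:
    """Report configuration files the service account could rewrite."""
    findings = []
    for path, (owner, mode) in files.items():
        if service_user is not None and owner == service_user:
            findings.append((path, "owned by service account %s" % owner))
        elif mode & stat.S_IWOTH:
            findings.append((path, "world-writable"))
    return findings


def stat_files(paths: List[str]) -> Dict[str, Tuple[str, int]]:
    """Hypothetical helper: build the ownership table from the real filesystem (Unix only)."""
    import pwd  # imported here so the offline sample above runs on any platform
    table = {}
    for p in paths:
        st = os.stat(p)
        table[p] = (pwd.getpwuid(st.st_uid).pw_name, stat.S_IMODE(st.st_mode))
    return table


if __name__ == "__main__":
    user = run_as_user(SAMPLE_HTTPD_CONF)
    for path, reason in find_unsafe_files(user, SAMPLE_FILES):
        print("%s: %s" % (path, reason))
```

The check deliberately treats ownership by the service account as a finding on its own, regardless of mode bits, since an owner can always change the permissions; a fuller audit would also cover group-writable files whose group the service account belongs to, and the directories containing the files.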

Because his changes would not go into effect until the next time Apache was restarted, he had to sit back and wait. Once the server rebooted, Mudge was able to execute commands as root through the same PHF vulnerability; while those commands had previously been executed under the context of the “nobody” account, now Apache was running as root.

With the ability to execute commands as root, it was easy to gain full control of the system.
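The PHF requests described above leave a recognisable trace in the web server's access log: a CGI query string that decodes to a control character such as a newline. The detector below is an added example, not the book's code; it scans constructed log lines in Apache's common log format and reports such requests. The log lines, the client addresses and the `/cgi-bin/` prefix are constructed for the illustration.

```python
# Added example, not from the book: scan access-log lines for CGI requests whose
# query string decodes to a control character (newline, carriage return, NUL),
# the pattern the PHF hole was abused through. Log lines are constructed.
import re
from typing import Dict, List
from urllib.parse import unquote

# Apache common log format: client, ident, user, [time], "method target protocol", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
CONTROL_CHARS = {"\n", "\r", "\x00"}

SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/1998:10:00:01 -0500] "GET /cgi-bin/phf?Qalias=x%0Aid HTTP/1.0" 200 512
10.0.0.6 - - [01/Jan/1998:10:00:02 -0500] "GET /cgi-bin/phf?Qname=smith HTTP/1.0" 200 233
10.0.0.7 - - [01/Jan/1998:10:00:03 -0500] "GET /index.html HTTP/1.0" 200 1024
"""


def suspicious_cgi_requests(log_text: str, cgi_prefix: str = "/cgi-bin/") -> List[Dict]:
    """Return one finding per CGI request carrying a percent-encoded control character."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; a real tool would count these
        client, when, method, target, status = m.groups()
        path, _, query = target.partition("?")
        if not path.startswith(cgi_prefix) or not query:
            continue
        decoded = unquote(query)
        hits = sorted({"%%%02X" % ord(c) for c in decoded if c in CONTROL_CHARS})
        if hits:
            findings.append({
                "client": client, "time": when, "method": method,
                "request": target, "status": status, "control": hits,
            })
    return findings


if __name__ == "__main__":
    for f in suspicious_cgi_requests(SAMPLE_LOG):
        print("%s %s -> %s (%s)" % (f["client"], f["request"], ",".join(f["control"]), f["status"]))
```

Decoding the query before inspecting it matters: the raw log shows `%0A`, and a rule that only searches for a literal newline would miss it. A 200 status on such a request is the detail to escalate on, since it means the script processed the input rather than rejecting it.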

Meanwhile, the l0pht attacks were progressing on other fronts. For what most of us in hacking and security call dumpster diving, Mudge has a more formal term: physical analysis.

We sent people over to do physical analysis. One employee [of the client company] I guess had recently been fired and instead of just throwing out his paperwork, they had trashed his entire desk. [Our guys found] his desk set out with the trash. The drawers were full of old airline tickets, manuals, and all kinds of internal documents.

I wanted to show [the client] that good security practices are not just about computer security.

This was a lot easier than going through all their trash stuff because they had a compactor. But they couldn’t fit the desk in the compactor.

I still have that desk somewhere.

The physical team also entered the company premises using a simple and, in the right circumstances, nearly infallible method known as tailgating. This involves following closely behind an employee as he or she goes through a secured door, and it works especially well coming out of a company cafeteria or other area mostly used by employees, into a secured area. Most staff members, particularly lower-ranked ones, hesitate to confront a stranger who enters the building right behind them, for fear the person might be someone of rank in the company.

Another l0pht team was conducting attacks on the company’s telephone and voicemail systems. The standard starting point is to figure out the manufacturer and type of the system the client is using, then set a computer to war dialing — that is, trying one extension after another to locate employees who have never set their own passwords, or have used passwords that are easy to guess. Once they find a vulnerable phone, the attackers can then listen to any stored voicemail messages. (Phone hackers — “phreakers” — have used the same method to place outgoing calls at the expense of the company.)

While war dialing, the l0pht telephone team was also identifying company phone extensions answered by a dial-up modem. These dial-up connections are sometimes left unprotected, relying on the security-through-obscurity approach, and are frequently on “the trusted side” of the firewall.

Blackout

The days were rolling by, the teams were recording valuable tidbits of information, but Mudge still hadn’t come up with a brilliant idea about causing the Apache system to reboot so that he could gain access to the network.

Then a misfortune occurred that, for the team, had a silver lining:

I was listening to the news and heard there was a blackout in the city where the company was located.

It actually was tragic because a utility worker had died in a manhole explosion across on the other side of town, but it had knocked out power for the whole town.

I thought, if they just take long enough to restore the power, then the server’s power backup system most likely will run out.

That would mean the server would shut down. When the city power was restored, the system would reboot.

I sat there checking the Web server constantly and then at some point the system went down. They had to reboot it. So the timing was perfect for us. When the system came up, lo and behold Apache was running as root, just as we planned.

The l0pht team at that point was able to completely compromise the machine, which then became “our internal stepping stone to scan an attack out from that point.” To Carlos, this was “a field day.”

The team developed a piece of code that would make it unlikely they could be shut out of the system. Corporate firewalls are not usually configured to block outgoing traffic, and Mudge’s lightweight program, installed on one of Newton’s servers, made a connection every few minutes back to a computer under the team’s control. This connection provided a command-line interface like the “command-line shell” familiar to users of Unix, Linux, and the old DOS operating system. In other words, the Newton machine was regularly providing Mudge’s team the opportunity to enter commands that bypassed the company’s firewall.

To avoid detection, Mudge had named their script to blend into the system’s background language. Anyone spotting the file would assume it was a part of the normal working environment.
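A program that calls home every few minutes is hard to spot by file name, as the text notes, but its timing is regular in a way that ordinary traffic is not. The script below is an added example, not the book's or l0pht's code: it groups outbound connection records by (source, destination, port), measures the gaps between successive connections, and flags pairs whose gaps are nearly constant. The connection records, the addresses and the thresholds (`min_events`, `max_cv`) are constructed assumptions for the illustration.

```python
# Added example, not from the book: flag internal hosts that connect to one
# external peer on a nearly fixed schedule, the footprint of the periodic
# call-back described in the text. Connection records are constructed.
from collections import defaultdict
from statistics import mean, pstdev
from typing import List, Tuple

# (seconds since start of window, source IP, destination IP, destination port)
SAMPLE_CONNECTIONS: List[Tuple[int, str, str, int]] = [
    # regular call-back roughly every five minutes
    (0, "10.1.2.3", "203.0.113.9", 443), (301, "10.1.2.3", "203.0.113.9", 443),
    (599, "10.1.2.3", "203.0.113.9", 443), (902, "10.1.2.3", "203.0.113.9", 443),
    (1200, "10.1.2.3", "203.0.113.9", 443), (1499, "10.1.2.3", "203.0.113.9", 443),
    (1801, "10.1.2.3", "203.0.113.9", 443), (2100, "10.1.2.3", "203.0.113.9", 443),
    # ordinary browsing: bursts with irregular timing
    (0, "10.1.2.4", "198.51.100.7", 80), (15, "10.1.2.4", "198.51.100.7", 80),
    (400, "10.1.2.4", "198.51.100.7", 80), (410, "10.1.2.4", "198.51.100.7", 80),
    (1900, "10.1.2.4", "198.51.100.7", 80), (1950, "10.1.2.4", "198.51.100.7", 80),
    # too few events to judge
    (100, "10.1.2.5", "198.51.100.8", 25), (700, "10.1.2.5", "198.51.100.8", 25),
]


def beacon_candidates(conns, min_events: int = 5, max_cv: float = 0.2):
    """Return (src, dst, port, mean_gap, cv) for pairs whose inter-connection gaps are regular.

    cv is the coefficient of variation (standard deviation / mean) of the gaps;
    a value near zero means the connections arrive like clockwork.
    """
    stamps_by_pair = defaultdict(list)
    for ts, src, dst, port in conns:
        stamps_by_pair[(src, dst, port)].append(ts)

    results = []
    for (src, dst, port), stamps in stamps_by_pair.items():
        if len(stamps) < min_events:
            continue  # not enough evidence either way
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            results.append((src, dst, port, round(avg, 1), round(cv, 3)))
    return results


if __name__ == "__main__":
    for src, dst, port, avg, cv in beacon_candidates(SAMPLE_CONNECTIONS):
        print("%s -> %s:%d every %.0fs (cv=%.3f)" % (src, dst, port, avg, cv))
```

Running it over the constructed records flags only the five-minute call-back. In practice the thresholds need tuning per environment, since legitimate software (update checks, monitoring agents) also beacons; the value of the check is in producing a short list of regular outbound talkers to an unfamiliar destination, which is exactly the traffic an egress policy that blocks nothing will never surface on its own.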

Carlos set about searching the Oracle databases in hopes of finding the employee payroll data. “If you can show the CIO his salary and how much bonus he was paid, that usually drives the message home that you’ve got everything.” Mudge set up a sniffer on all email going in and out of the company. Whenever a Newton employee went to the firewall for maintenance work, l0pht was aware of it. They were shocked to see that clear text was being used to log in on the firewall.

In just a short time, l0pht had fully penetrated the entire network, and had the data to prove it. Says Mudge, “You know, that’s why I think a lot of companies don’t like to have pen tests of the inside of their networks. They know it’s all bad.”
