Hacking .MIL


This leaves only one host remaining, and it is certainly the scariest. Hacking Italian and Japanese hosts from the US is one thing. Hacking infowar.cols.disa.mil is quite another. Yet it is too late to stop now. Sendai launches an intrusive scan of the host, and is disappointed to see zero open ports. Not again! This host has no IPv6 address and UDP scans come up negative. Sendai tries some more advanced scan types, including FIN scan (-sF), Window scan (-sW), and the ultra-sneaky Idle scan (-sI), all to no avail. He knows Knuth will not accept two out of three, so giving up is no option. Sendai broadens his search, launching an intrusive scan of every host in that 256-host subnet by issuing the command nmap -sS -P0 -T4 -v -A -p0-65535 -oA disanet infowar.cols.disa.mil/24. That trailing /24 is CIDR notation that tells Nmap to scan 256 addresses. Classless Inter-Domain Routing (CIDR) is a method for assigning IP addresses without using the standard IP address classes such as Class A, Class B, or Class C.

Upon seeing the results, Sendai grins because many machines are not locked down as tightly as infowar is. Unfortunately, they seem to have their patches in order. During the next day and a half, Sendai finds numerous potential vulnerabilities only to fail in exploitation because the hole is already patched. He is starting to worry. Then he begins to investigate webpxy.cols.disa.mil and discovers a Squid proxy.

A Squid Proxy Is Discovered
Interesting ports on webpxy.cols.disa.mil (ZZ.229.74.191):
(The 65535 ports scanned but not shown below are in state: filtered)
PORT     STATE SERVICE    VERSION
3128/tcp open  http-proxy Squid webproxy 2.5.STABLE3
Device type: general purpose
Running: FreeBSD 5.X
OS Details: FreeBSD 5.1-RELEASE (x86)
Uptime: 110.483 days

Many organizations maintain a proxy to allow internal clients access to the World Wide Web. They often do this for security reasons, so that material can be scanned for undesirable or malicious content before being provided to the client. It can also keep clients shielded on the internal network so that attackers cannot reach them. Performance and site logging are further reasons managers often prefer this approach. Unfortunately, these proxies can do much more harm than good when they are misconfigured. Sendai finds that the Netcat utility (nc) is unavailable on Psyche, so he connects to the proxy with the standard Telnet command and manually types an HTTP CONNECT request.

Open Proxy Test
psyche> telnet webpxy.cols.disa.mil 3128
Trying ZZ.229.74.191...
Connected to ZZ.229.74.191.
Escape character is '^]'.
CONNECT scanme.insecure.org:22 HTTP/1.0

HTTP/1.0 200 Connection established

SSH-1.99-OpenSSH_3.8p1

Sendai is quite pleased. The proxy allows him to connect to port 22 (ssh) of an arbitrary Internet host, and the SSH banner display shows that it succeeded. So perhaps it will allow him to connect to internal DISA machines too! A hacker by the name of Adrian Lamo was notorious for publicly breaking into high-profile sites this way. Many companies thanked him for exposing the weaknesses, though the New York Times did not appreciate the unsolicited security help and pressed charges. Sendai tries to exploit this problem by connecting to port 22 of infowar.cols.disa.mil through the proxy. He had been unable to reach any port on this machine, but through the proxy it works! Apparently he is behind the firewall now. The ssh server on infowar is version 3.7.1p2, for which Sendai knows of no vulnerabilities. Nor does he have a password, though brute force is always an option.
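The misconfiguration the story turns on is a proxy that relays CONNECT for any client to any destination. The squid.conf fragment below is an added example, not configuration from the book or from the DISA network it describes; it shows the weak rule beside a hardened rule set using Squid's own acl and http_access directives. The client range on the localnet line is a placeholder, and the rfc1918 ranges are the private address blocks from RFC 1918.

```conf
http_port 3128

# WEAK: this single line is all it takes to create an open proxy. Any source,
# any method, any destination, so an outsider can CONNECT to internal hosts
# and the proxy effectively punches a hole through the firewall.
# http_access allow all

# HARDENED. Squid evaluates http_access rules top to bottom, first match wins.
acl localnet  src 10.1.0.0/16          # PLACEHOLDER: the real internal client range
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT   method CONNECT
acl rfc1918   dst 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
acl to_localhost dst 127.0.0.0/8

http_access deny  !Safe_ports          # proxy only to ports you intend to serve
http_access deny  CONNECT !SSL_ports   # tunnels only to 443; CONNECT host:22 is refused
http_access deny  to_localhost         # no tunnels back to the proxy itself
http_access deny  rfc1918              # never let the proxy reach the internal network
http_access allow localnet             # internal clients only
http_access deny  all                  # everything else, including Internet sources, gets 403
```

The rfc1918 deny is deliberately broad: a web proxy meant for Internet access has no business reaching internal addresses, and any genuine exception should be an explicit, narrow acl placed above it. After a change like this, the manual test shown above (CONNECT to an external host on port 22 from an outside address) should return a 403 rather than "200 Connection established"; running that check against your own proxy from outside the perimeter is the quickest way to confirm the rules took effect.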

With the newfound power of his open proxy, Sendai wants to fully portscan infowar and explore the whole department network. He curses the fact that Nmap offers no proxy bounce scan option. Then Sendai remembers a primary benefit of open source: he can modify it to meet his needs. Nmap does offer an FTP bounce scan (-b) that logs into an FTP server and then tries to explore the network by issuing the PORT command for every interesting host and port. The error message tells whether the port is open or not. Sendai modifies the logic to connect to a proxy server instead and to issue the CONNECT command. After an afternoon of work, he is proxy scanning likely internal IP ranges such as the RFC1918-blessed 192.168.0.0/16 and 10.0.0.0/8 netblocks, looking for internal machines. He finds a whole intranet under the 10.1 netblock, with the primary internal web server at 10.1.0.20. That server is a gold mine of information about the organization. Sendai sifts through new employee manuals, news pages, employee mailing list archives, and more. In one mailing list post, a quality assurance engineer asks developers to try to reproduce a problem on the qa-sol1 machine. The password to the qa role account is buserror, he helpfully adds.

Sendai moves quickly to try this sensitive information. He scans qa-sol1 and finds that the Telnet and ssh services are available. It would be simple to Telnet into the proxy and then issue the CONNECT command himself to log into the telnetd on qa-sol1, but Sendai cannot bear to do that. He wants to connect more securely, using ssh. Sendai downloads an HTTP proxy shared library to Psyche, which allows normal applications to work transparently through the webpxy.cols.disa.mil proxy server. With that in place, Sendai makes an ssh connection to qa-sol1 and successfully logs in as qa. The system is running Solaris 8 and has quite a few users logged on. Sendai immediately reads /etc/passwd and finds that the first line consists of +::0:0:::. This means the system is using NIS (formerly called YP) to share accounts and configuration information among the whole department. NIS is wonderful from Sendai's perspective. It makes obtaining usernames and password hashes trivial using the ypcat command.

Obtaining the Password File from NIS
qa-sol1> ypcat passwd
root:lCYRhBsBs7NcU:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
smmsp:x:25:25:SendMail Message Submission Program:/:
listen:x:37:4:Network Admin:/usr/net/nls:
nobody:x:60001:60001:Nobody:/:
jdl:mY2/SvpAe82H2:101:100:James Levine:/home/jdl:/bin/csh
david:BZ2RLkbD6ajKE:102:100:David Weekly:/home/david:/bin/tcsh
ws:OZPXeDdi2/jOk:105:100:Window Snyder:/home/ws:/bin/tcsh
luto:WZIi/jx9WCrqI:107:100:Andy Lutomirski:/home/luto:/bin/bash
lance:eZN/CfM1Pd7Qk:111:100:Lance Spitzner:/home/lance:/bin/tcsh
annalee:sZPPTiCeNIeoE:114:100:Annalee Newitz:/home/annalee:/bin/tcsh
dr:yZgVqD2MxQpZs:115:100:Dragos Ruiu:/home/dr:/bin/ksh
hennings:5aqsQbbDKs8zk:118:100:Amy Hennings:/home/hennings:/bin/tcsh
[Hundreds of similar lines]

With these hundreds of password hashes in hand, Sendai goes to work on cracking them. He starts up John the Ripper on every one of his reasonably modern home machines. Each machine handles a subset of the accounts, which Sendai has sorted by crypt(3) salt (the first two characters of the hash) for efficiency. Within five minutes, dozens of the easiest passwords have been cracked. Then the rate slows down, and Sendai decides to sleep on it.
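Two things made the ypcat output above so valuable: the hashes sit in the passwd map itself rather than a shadow map, and they are traditional DES crypt(3) hashes, whose two-character salt is why sorting accounts by salt speeds up cracking (every account sharing a salt is tested with a single DES key setup per guess). The following audit script is an added example, not code from the book; it parses a passwd map as 'ypcat passwd' prints it and flags readable hashes, legacy DES hashes, and salt reuse, which is what a defender would run against their own NIS domain. The sample mixes entries copied from the page's output with lines marked as constructed.

```python
"""Audit a passwd map (e.g. the output of 'ypcat passwd') for the weaknesses
the story exploits: hashes readable from the passwd map, legacy 13-character
DES crypt(3) hashes, and salt reuse across accounts.

Added example; the sample below mixes entries from the page with constructed
lines that are labelled as such in their GECOS field."""

from collections import defaultdict
import re

# Traditional DES crypt(3): 2-character salt + 11-character hash, all drawn
# from the 64-character set [./0-9A-Za-z].
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")

# Password-field values that mean "no hash stored here" (shadowed or locked).
NO_HASH = {"", "x", "*", "!", "!!", "*LK*", "NP"}

SAMPLE = """\
+::0:0:::
root:lCYRhBsBs7NcU:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
nobody:x:60001:60001:Nobody:/:
jdl:mY2/SvpAe82H2:101:100:James Levine:/home/jdl:/bin/csh
david:BZ2RLkbD6ajKE:102:100:David Weekly:/home/david:/bin/tcsh
ws:OZPXeDdi2/jOk:105:100:Window Snyder:/home/ws:/bin/tcsh
guest:lCabcdefghijk:120:100:Constructed - same salt as root:/home/guest:/bin/sh
svc:$1$ab12cd34$ConstructedHashValue12:130:100:Constructed - md5crypt:/home/svc:/bin/sh
"""


def parse_passwd(text):
    """Return the well-formed 7-field entries of a passwd map.

    Blank lines are skipped; malformed lines are dropped here (a real audit
    should log them, since they can hide entries from naive tooling)."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) == 7:
            entries.append(fields)
    return entries


def audit(text):
    """Classify every account in a passwd map.

    Returns a dict with:
      nis_compat  - True if a '+' entry pulls accounts in from NIS
      exposed     - users whose hash is readable from this map
      des         - the subset of exposed users still on DES crypt(3)
      salt_groups - DES salts shared by more than one account
    """
    findings = {"nis_compat": False, "exposed": [], "des": [], "salt_groups": {}}
    by_salt = defaultdict(list)
    for user, pw, _uid, _gid, _gecos, _home, _shell in parse_passwd(text):
        if user.startswith(("+", "-")):
            findings["nis_compat"] = True   # the +::0:0::: compat entry
            continue
        if pw in NO_HASH:
            continue                        # shadowed or locked: nothing to crack
        findings["exposed"].append(user)
        if DES_CRYPT.match(pw):
            findings["des"].append(user)
            by_salt[pw[:2]].append(user)    # salt is the first two characters
    findings["salt_groups"] = {s: u for s, u in by_salt.items() if len(u) > 1}
    return findings


def report(findings):
    """Render the findings as human-readable lines."""
    lines = []
    if findings["nis_compat"]:
        lines.append("NIS compat entry present: hashes below are readable by "
                     "anyone who can run 'ypcat passwd' in the domain")
    lines.append(f"{len(findings['exposed'])} accounts with readable hashes: "
                 + ", ".join(findings["exposed"]))
    lines.append(f"{len(findings['des'])} on legacy DES crypt(3): "
                 + ", ".join(findings["des"]))
    for salt, users in sorted(findings["salt_groups"].items()):
        lines.append(f"salt {salt!r} shared by {', '.join(users)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(audit(SAMPLE))))
```

The fixes the report points at are the usual ones: move hashes into a shadow map (passwd.adjunct on Solaris NIS) or off NIS entirely, retire DES crypt(3) in favour of a modern scheme, and treat any account flagged here as if its password were already known when deciding where that password may be reused.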

The next morning, nearly a third of the accounts have been cracked. Sendai is hoping that at least one of the users has an account on infowar using the same password. From qa-sol1, Sendai tries repeatedly to ssh into infowar, trying each cracked account in turn. The attempt fails time after time and eventually he runs out of cracked accounts. Sendai will not give up so easily. After 24 more hours, he has cracked almost half the accounts and tries ssh again. This time, he gets in using the account bruce! This is a Linux box, so Sendai tries the brk() exploit that was so successful against Psyche. No luck. He spends a couple of hours trying other techniques in vain. Then he slaps himself on the forehead upon realizing that bruce is authorized to execute commands as root in the /etc/sudoers file. Sendai simply types sudo vi /etc/resolve.conf, as if he planned to edit an administrative file. Then he breaks out of vi to a root shell by issuing the command :sh. Game over! Shrax is promptly installed.
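The final step works because sudo hands bruce an interactive editor running as root, and an editor can spawn a shell. The sudoers fragment below is an added example, not the book's configuration: it shows a narrow editor grant beside the two standard mitigations, sudoedit and the noexec flag. /etc/resolv.conf is used as the illustrative file; bruce is the page's account name. If the real grant was a blanket ALL, neither mitigation applies, because permission to run any command as root is root by another name.

```conf
# WEAK: a root-privileged interactive editor. ":sh" (or ":!cmd") inside vi
# forks a shell that inherits root, which is exactly the escape in the story.
# bruce   ALL=(root) /usr/bin/vi /etc/resolv.conf

# BETTER: sudoedit copies the file to a temp location, runs the user's editor
# as the user (so an escaped shell is unprivileged), and writes back only the
# edited contents of the named file.
bruce   ALL=(root) sudoedit /etc/resolv.conf

# DEFENSE IN DEPTH: noexec makes the allowed program unable to exec children,
# so an editor (or pager, or script interpreter) granted this way cannot spawn
# a shell. Either as a per-command default:
Defaults!/usr/bin/vi noexec
# ...or as a tag on the rule itself:
# bruce   ALL=(root) NOEXEC: /usr/bin/vi /etc/resolv.conf
```

When reviewing a sudoers file, the question to ask of every Cmnd is "can this program run something else?" Editors, pagers, find, and any interpreter answer yes, and each such grant is a root shell waiting for a cracked password like the one that opened infowar here.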

Bursting with pride and looking forward to a wallet bursting with green, Sendai composes an e-mail to Knuth's e-mail address at Hushmail.com. He describes the systems and how to access them via the Shrax client. An encrypted version of Shrax has been posted on a free Geocities Web page that Sendai just created. He then obtains Knuth's PGP key from a public keyserver and verifies that the fingerprint matches what Knuth gave him. A couple of minutes later the encrypted and signed document is waiting for Knuth in his inbox.




Stealing the Network. How to Own a Continent
ISBN: 1931836051
Year: 2004
Pages: 105