Let s Get Physical | Stealing the Network. How to Own a Continent

The next morning, Matthew headed to the local mall. There was a local NBSA branch there, as well as several ATMs scattered throughout the shops . He parked, pulled a canvas bag and tool box from his trunk, and headed into the mall. His old uniform fit perfectly , and as he approached the entrance , he projected himself back to the time that he did this on a daily basis.

Matthew didn t think he would feel this nervous, and he tried not to let it show. Behind the keyboard, he could face any situation, but out here in the real world, he was vulnerable. He kept telling himself that this part of the plan would be successful based solely on attitude, and not aptitude . Like a drug through one s veins, a distant memory slowly warmed Matthew s mind. He had met a man name Caezar once at a Blackhat conference, where what started as casual conversation had turned into the techniques one could use to control the actions of other people. He tried to focus on that conversation, though the fog of Vodka and Jaeger showed true their power to obscure the brain s electromagnetic retention. If you believe, so will they, was the phrase he remembered . He knew that he wasn t recalling it quite right, and felt that he was confusing it with a Kevin Costner move about a baseball field, but he got the basic gist down. Caezar said it, and so it would be.

He entered the mall retail shops management office at 12:10 p.m. with a purposefully confused look on his face. Hey there, he said to the young woman behind the open area reception desk. He gauged her at about 19. I ve got to check some computer wiring for a shop down the way, and one of the janitor guys said to come here to get into the phone closet. Am I in the right place?

Oh Everyone is at lunch. You ll have to wait until the manager gets back to get the key, she said. Matthew looked inquisitively at his watch though he knew full well it was lunch time. Lunch ? Damn. That s not good. I ve got a client across town whose server is down, and I really gotta get out of here. All I have to do is to make sure the connections in the closet are good ”it won t take but a minute.

I can t give you key- I ll get in trouble. You ll have to wait.

That s cool-,I don t really want the key. Like I said, it will take only a moment or so. Why don t you walk down with me and open it, won t that work? You can even watch me if you d like.

I can t leave the desk. I have to stay here while they are at lunch. Can t you just wait?

Matthew whipped out a spiral pad from his back pocket while speaking. No, but like I said, no biggie. I get paid by the service call, so you won t get any argument out of me. The client won t like it, but that s not my problem. Can I just get your name in case they question the fact that no one would let me in?

The receptionist flushed, Oh, here, she said as she handed Matthew a group of keys. These are for the bathrooms and utility closets. It s one of those. But please return them before my manger gets back from lunch.

You sure? Matthew prodded as he grabbed the keys without really giving her a chance to reply. Right on. I ll be back in a flash. Thanks.

Feeling the rush of successfully engineering the actions of another human being, Matthew made his way back around the mall to the wiring closet of his desire : next to the restrooms, and between Victoria s Secret and the bank. He almost stopped at the Victoria s Secret window, imagining Capri replacing the manikin. Moron, he thought to himself. Let s keep the big head in charge of this operation, shall we?

He opened the door and worked quickly. These closets were always a mess, so finding the bank equipment may be tough. He flipped on the light, and scanned the room. Almost laughing out loud, he saw a tidy rack of routers and switches with a nice big NBSA sign at the top. Well, that makes things a bit easier.

Walking behind the rack system, he produced a NETGEAR wireless access point from his work bag. There wasn t a lot of space available, but he found a spot on top of a Cisco switch that extended enough beyond the router above it that would not only hold the AP, but would keep it from immediate view if someone happened into the closet before the time came.

Power applied, he sorted through his tie of blue, yellow, green, and grey Ethernet patch cords to find one that came close to the grey color scheme the engineer used to populate the switch. It was off a bit, but Matthew doubted it would attract any attention.

Though the NETGEAR box was already configured to filter all MAC addresses save for a handful of 802.11g cards in his possession along with full firewalling of what would be the external interface as well as 128bit WEP encryption on the wireless side, Matthew knew that the box itself would be visible to someone who was really paying attention to network traffic, particularly if a suspicious admin went through the DHCP assignment logs. Though the likelihood of this happening was quite slim, particularly going into holiday, Matthew purposefully left the router name set to WRT54G just in case someone upstream noticed it. At least this would make them think some scrub somewhere just plugged an AP into the network somewhere without knowing what they were doing. This was really the only glitch in his plan (as far as he knew), but he couldn t risk hard-coding an IP address on the box, given the potential for conflict. No one on the bank network would be able to connect to any ports externally, or even PING it for that matter, so the risk of tracing back to here was minimal. Those mooks couldn t track a three-legged dog through the snow. I ve got nothing to worry about, he thought. And he was probably right.

Next, he produced a laptop and small hub from their hiding place in his bag. It wouldn t quite fit next to the AP, so he had to place the NETGEAR on top of the laptop. This made the antennae slightly visible through the rack system, because they extended just beyond the router. He adjusted them so that they were slightly hidden, but he didn t want to run the risk of reducing his range. He would still be able to get a decent connection from the parking lot outside.

He found power for the hub and laptop, and switched them both on. Two more Ethernet cables were retrieved, one going from a PCMCIA Ethernet card to the back of the NETGEAR, the other from the built-in LAN connection to the new hub. Link status looked good. Another gray cable went into the uplink port of the hub, and out to the main switch.

He held his breath for this next and final step. He hoped this momentary loss of service did not set off any monitoring units or alarms, but he wanted to do this the easiest way possible. He followed the router LAN cable to the switch, double-, then triple-checked himself to make sure.

Then, as quickly as possible, he removed the router s Ethernet patch cord from the switch, and plugged it directly into his hub. The link light blinked off and on as expected.

It was only about two seconds worth of inactivity on the router interface, but it was enough to cause what could be considered a mild panic for Matthew. Suddenly, the LED indicator sprung to flickering life: traffic was again flowing . Well, that was a Clinch Factor of about an eight, he thought to himself.

Moving behind the rack again, he now checked the configuration. He flipped open the laptop. Tcpdump was already running, the promiscuous mode interface now between the router and switch doing exactly as it was meant to do, sucking down all traffic and logging it to a file. Manually evoking a CRON job, he verified that the log file was copied over to an alternate filename, and that it was scheduled to run each night. He verified that the other interface could reach his private network, simply consisting of the laptop and the NETGEAR wireless access point.

This configuration allowed Matthew access to the Tcpdump data stored on the laptop hard drive via his wireless network without creating any traffic on the bank s network. Although it is possible to detect promiscuous mode sniffers on a network, he felt confident that his configuration would go unnoticed.

His other laptop was already on, and a quick check indicated the wireless network was working perfectly. In under five minutes, Matthew successfully had created his own private network that interfaced with the bank s, and had done so in a way that kept the risk of detection (via the network, that is) to a minimum.

Cleaning up after himself, adjusting cables, and putting the finishing touches on hiding the equipment cost him another 90 seconds.

Finally, he made a clay imprint of the key, though he was not really sure what he could do with it. He knew no one who could use it to make a key, even if he needed it for some reason. But, it was better to have it and not need it than need it and not have it.

He walked to the door, opened it, turned around, and put his finger on the light switch. One final scan of the area revealed nothing. Things looked good. He switched the lights off and closed the door.

Within a few minutes, he was back in the management office.

That was quick, said the secretary; she was finishing up what looked like a bring-from-home salad. Told ya so, said Matthew. Handing over the keys, he thanked her, bid her a good day, and left.

Shortly thereafter, Matthew was in his car just outside the bank branch where he estimated the best spot to access his wireless network to be. He reached for his laptop, which had already automatically associated to the NETGEAR AP. Wireless strength, Very Good. He remotely pulled up the Tcpdump file from his newly hidden laptop, and loaded it into a local session of Ethereal. Sniffing packets had never smelled so sweet.

A very, very large grin appeared on Matthews face as he told himself what a damn genius he was. He was superman , and he could do anything.