Reuben put two cups of coffee on the coffee table. “Ready to kick some ass today?”
“Sure am.” MadFast picked up the black coffee and took a sip. “Think it’ll take long to install?”
“Nah, don’t think so. Should be easy enough. It seems fairly idiot-proof too, so I don’t think we’ll run into misconfiguration issues. Whether the default normal config is secure enough though, that’s another story.”
“Yep.”
They figured out who would be doing what during the day, and how to make best use of the time. They got into the car, and off the little Honda sped towards the Vigility office and their lab. They both marinated in their own thoughts as the car moved along, listening to a techno mix in the CD player and working through their own parts of the day’s task in their heads.
Arriving at the building, they hustled in, eager to get started. Reuben went up to his cubicle on the seventh floor to grab his laptops while MadFast opened up the lab on the sixth floor.
The lab was a mish-mash of systems: two NT servers, a Windows 2000 workstation, and an NT workstation system. Between them ran Ethernet cables with a hub in the middle. The small room was a bit tricky to navigate, as the cables ran everywhere and tripping over them was a genuine risk. But it was a working lab, for their purposes, and it was all they needed.
Reuben arrived, handing MadFast the NT-based laptop; it was filled with vulnerability assessment tools and a copy of Visual Studio, plus some Windows-based exploits. “Thought you might want this. I set you up with an account on it already. Username, ‘MadFast,’ and password just ‘password,’ but you’ll have to change it once you log in.”
“Right on! Is this the one you were telling me about, with development tools?”
“Yeah, that’s the one. You’ve got admin rights on it, so you should be set.”
“Right on. I’ll start on the packet injector, I have some code that I can reuse. Guess what it’s from?”
“I give, what?”
“I wrote part of a system for online gaming. Just sort of a test, really, but it’s the same basic concept. I wrote it to be flexible and variable, so I’ve got a basic structure already sorted out. I can set it up so that it’ll establish a connection, and fire whatever payload we want at the target.”
“Great! So that part’s largely done?”
“Exactly.”
“Cool. Let’s finish installing this stuff, and then we can get some packet captures. I can handle that part while you finish the tool.”
They got the software installed and intercommunicating properly. MadFast began setting up Visual Studio to his tastes and downloading code from his FTP server at home while Reuben set up a sniffer and did a few practice captures, setting the filter to ignore protocols like ARP and SMB, which were also being generated but had no direct bearing on the ZFon software. He then proceeded to do a series of six captures, three with one username and three with another. He pulled up the raw data in the sniffer and looked at the packets for some kind of pattern, some indication of their structure.
The ZFon software used only one port, TCP 1734. All traffic passed through this port at all phases of the connection. As normal, there was the standard three-way handshake needed to establish a TCP connection. A packet with the SYN flag set went from client to server, the packet with both SYN and ACK went to client from server, and the packet from the client to the server with the ACK flag set completed the connection. The next packet (and the first one containing data) went from the client to the server, requesting a VPN connection.
Packet One
The first packet, which MadFast and Reuben promptly defined as “Packet One,” was a time request, in fairly human-readable format. This was apparently to make sure that both ends of the connection were operating on the same time, as session keys would be set to expire after a certain period of time. It might have been up to the client to know when a new key was needed, and to request it; if it was operating off of the time of its hardware clock, and that clock was set even a few minutes later than the server, the key might expire before a new one was requested, breaking the connection.
“Packet Two,” as it was called, was the time reply to the client. Not a lot of surprises there, and since everything was passing over TCP, spoofing options were probably limited. There wasn’t much chance of a race condition either, since you couldn’t flood the client or server with lots of false packets…at least not any that either end would accept as valid. And if you tried a large enough set of packets in hope of finding a match, odds were that the real packet would get through before anything fake that matched the right sequence number would. Even with predictable sequencing, you’d need more time to match up than you would have to work with. Two packets didn’t take long to go back and forth.
Packet Three
“Packet Three” showed some real promise. There was a well-defined data structure containing version information, the user name, and some indeterminate data. The field delimiter was apparently the & character, and it looked like there were two fields of the mystery data at the end of the packet. The odd thing about the data was that it was all characters; the bytes all used only the first seven bits. There were no values above 128, only upper and lowercase letters, numbers, slashes, plus signs and equal signs. The equal signs always came at the end though, as though they were padding of some form. Another interesting fact: the packets all looked like they were modified HTTP GET functions, including “pragma no-cache,” which made sense since the ZFon documentation said their protocol was designed to work correctly through proxy servers. If the information was cached, it would only be correct for the first connection, after which connections would fail to work properly.
“All packets after Packet Three are encrypted; Packet Three must contain the authentication and the initial keying data from the client,” Reuben told MadFast. “I think that’s our target for now. I’ll work on decoding the offsets in the packet; there are a few fields. When I’m done with that, I’ll start building some payloads for your injector.”
“Right on. Check this out; I’m building it to be like a rifle.” Reuben stepped over to the laptop and took a look. Sure enough, the GUI was full of ballistic references. The “Send Packet” button had crosshairs on it, and the button that looked like it led to the dialog box for selecting a payload to send was labeled: “Load Magazine.”
He smiled at the irreverent nature of the whole thing. “Nice. Okay, I’ll get back to making you some bullets to fire with this thing. Hey, can you do me a favor?”
“What’s that?”
“Can you make it so that it’ll strip off any carriage returns in the payload? That way, I can have every component of my payload on a separate line; it’ll make them easier to read.”
“Sure, but let me know whether you’ll be using Notepad or Wordpad; they do the line breaks differently.”
“I’ll be using Notepad.”
“Right on, I’ll do it. There won’t be any characters like that in the normal packets…you’re sure about that?”
“Yeah, I’m pretty sure. It seems that it’s all those characters I told you. Kind of funny, I haven’t figured that one out yet.”
“It might be good to know what that’s all about. If the data is being transformed in some way, we’ll need to un-transform it so I can do things like entropy checking.”
“Ah, okay. I’ll focus on that after I build the test payloads then.”
Reuben went back to his laptop and started designing packets. He figured there were four data fields in Packet Three, and so he started with four packets, one with each field set to be too large. Then he expanded on that concept, developing different sizes and types; some of the larger fields just had random garbage, others had special characters to see what would happen if they were taken literally. And another set of packets had no data in one of the fields at all. All of them used data from captured packets when called for, so the data was probably at least somewhat valid. Reuben decided that once he knew what the unusual character set of the packets was all about, he would come up with another set of test data to send to the server.
“Are you getting hungry?” Reuben suggested.
“Yeah, actually. Let me finish cleaning up this function, and then we’ll go get some food.”
“Sounds like a plan.” Reuben started writing down notes of where he was at this point in things, so that he wouldn’t lose his place mentally. Still, he couldn’t figure out what to do about how the session and encrypted data was transformed, or why. Every option that came to mind was instantly discounted. He vowed to put it out of his mind for a while as the two of them locked the door to the lab, and walked to the elevator.
As he unlocked the car, Reuben still couldn’t get the thought out of his mind, the notion that the answer to the mystery was already in his head. As he got in, reached over to unlock the other door for MadFast, and started the engine, it hit him.
He sat for a minute, thinking about the data. Lowercase characters, that’s 26, he counted. Uppercase, another 26, that’s 52. Add digits and that’s 62, then the plus and slash, that’s…64. Something nagged at his mind; the solution was right there. He was close to understanding it. It’s like a number that uses 64 different digits to…wait. That’s it…it’s base-64 encoding! Proxies don’t always like extended characters, so they use base-64 encoding to make sure that it’s kosher!
“I have it…it’s base-64 encoding!”
MadFast turned, for a moment not knowing what Reuben was talking about. Then, it dawned on him, and his head tilted back as the recognition struck. “Yeah, that makes sense. Right on! That way it works with proxy servers!”
“Exactly. Great…do you have anything to do base-64 encoding/decoding?”
“Nope, but I think we can figure something out when the time comes. At least now we know.”
“Yeah, true enough. I’m almost ready with the packets too. This is going to be cool. I feel lucky too.”
Reuben pulled out of the parking lot, waiting briefly at the light to turn onto Route 7, then pulled into the lunchtime traffic.
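The alphabet count Reuben works through in the car (26 + 26 + 10 + 2 = 64 symbols, with `=` only ever at the end) is exactly how an analyst recognises base64 in a capture. The following Python is an added example, not code from the book or from any ZFon tool: it takes a Packet Three body in the `&`-delimited shape described earlier, flags fields whose alphabet and padding fit base64, decodes them, and attaches a Shannon entropy figure to each field so that transformed keying material stands out from plain version and user-name text (the entropy check MadFast mentions). It also strips the CR/LF line endings a Notepad-edited payload file would carry. The sample packet, its field names and contents are all constructed here; the real protocol's field layout is not on the page.

```python
import base64
import binascii
import math
import string

# Standard base64 alphabet: A-Z, a-z, 0-9, '+' and '/' (64 symbols); '=' is padding only.
BASE64_ALPHABET = set(string.ascii_letters + string.digits + "+/")


def looks_like_base64(field: str) -> bool:
    """Heuristic match for a base64-encoded field: every symbol comes from the
    64-character alphabet, '=' appears only as up to two trailing pad characters,
    and the length is a multiple of four. Short plain words can pass this test
    too, so the decoded bytes still deserve a look."""
    if not field or len(field) % 4:
        return False
    body = field.rstrip("=")
    if len(field) - len(body) > 2:
        return False
    return all(ch in BASE64_ALPHABET for ch in body)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: close to 8.0 for random keying
    material, well below that for readable text."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_packet_three(payload: str) -> list:
    """Split an '&'-delimited Packet Three body into fields, decode the ones
    that look base64-encoded, and attach an entropy figure to each field so the
    transformed, high-entropy ones stand out from version and user-name text."""
    # A payload file edited in Notepad carries CR/LF line endings between its
    # components; strip them so no line break ends up inside the packet.
    payload = payload.replace("\r", "").replace("\n", "")
    fields = []
    for raw in payload.split("&"):
        entry = {"raw": raw, "base64": False, "decoded": None, "entropy": 0.0}
        if looks_like_base64(raw):
            try:
                entry["decoded"] = base64.b64decode(raw, validate=True)
                entry["base64"] = True
            except binascii.Error:
                pass  # alphabet matched but the padding/length did not decode cleanly
        measured = entry["decoded"] if entry["base64"] else raw.encode()
        entry["entropy"] = round(shannon_entropy(measured), 3)
        fields.append(entry)
    return fields


# Constructed sample in the shape the story describes: version, user name, then two
# base64 fields. The last one stands in for keying material: 32 distinct byte values,
# which gives exactly 5.0 bits of entropy per byte (hypothetical data, not real traffic).
CONSTRUCTED_KEY = bytes(range(0, 256, 8))
CONSTRUCTED_PACKET_THREE = "&".join([
    "ZFON/1.0",
    "madfast",
    base64.b64encode(b"SessionTicket:0001").decode(),
    base64.b64encode(CONSTRUCTED_KEY).decode(),
])

if __name__ == "__main__":
    for f in parse_packet_three(CONSTRUCTED_PACKET_THREE):
        tag = "base64" if f["base64"] else "plain "
        print(f"{tag} entropy={f['entropy']:.3f} raw={f['raw']!r} decoded={f['decoded']!r}")
```

Running it on the constructed packet reports the first two fields as plain text and decodes the last two; the decoded ticket string scores far lower than the key-like field, which is the signal that separates "transformed text" from "transformed random bytes" before any guesses are made about what a field holds. The alphabet test alone is deliberately loose: a user name such as a plain eight-letter word also satisfies it, so the decode result and the entropy figure are what settle the question.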