Despite that episode, Robert insists that “I am not some dirty horrible spammer; I’m a very upstanding person.” The rest of his story supports the claim. He works in security for a “very religious and upstanding company” and takes on outside projects as an independent security consultant. And he’s a published author on security topics.
I found him particularly verbal in expressing his attitudes about hacking:
I really like to be challenged against a system and I like to fight the system on a configurational level and a social level, rather than a strictly technical level — a social level, meaning getting into [the head of] the person behind the computer.
Robert has a long background in hacking. He mentioned a friend (an American hacker whose name he didn’t want revealed) who used to have a game with Robert.
We both used to [hack into] a lot of development companies, like people who were creating Active X controls and Delphi controls, and little cool tools for programming. We would find a magazine on the subject and there’s an ad on every other page of these new products. And we would see if we could find someone we hadn’t hacked. Especially games.
He has “wandered around” the internal networks of major gaming software companies and gotten source code to a few of their games.
Eventually, he and his hacker buddy began to find that “we had actually broken into practically everyone who was advertising every new product out there. ‘We’ve done this one, this one, this one . . . We’re still trying to get into here, but got this one.’”
Still, for Robert, one area held special interest: software products for what’s called “video post production” — in particular, the products used to create the animation used in movies.
I love the mess involved in what these people do. There’s some geniuses that make these things. I like to read it and know how it works, because it seems so alien when you look at it. I mean when you watch [the animated movie] on TV you probably go, “Holy f___k, this is really something.”
What he finds especially intriguing is looking at the code, at a pure mathematical level — “the equations and the functions, and the mindset behind the people that create these things. It’s phenomenal.”
Software Temptation
In 2003, Robert was reading through a product announcement in a software magazine and came upon a new product for doing “digital video effects, cool lighting stuff — making light look real, with textures [that] were amazingly smooth.”
The whole selling point of this product was that it was used on a recent major animated feature film — one of the designing, modeling, and rendering tools they used.
When I heard about it, it looked really cool. And some people from the circles I’ve been around, like on the Net, had been very interested in the software. A lot of people wanted to get their hands on it.
Everyone wants to get this application because it’s hard to get, it’s really expensive — as in maybe two or three hundred thousand. It’s used by, like, Industrial Light and Magic, and there’s probably, like, only four or five other companies in the world that have bought it.
Anyway, I was really keen on getting this software and I set out on casing the company. I’ll just call them Company X. Is that okay? Company X was fully based in America and their entire network was centralized.
His goal wasn’t just to get the software for himself but to share it where it would be available to millions of Internet users worldwide.
He found the company had “a firewall out front, and a tight little network. They had a lot of servers, and multiple Web servers. I guessed from this that they probably had maybe 100, 150 employees.”
Discovering Server Names
Robert has a standard strategy when he’s trying to break into a corporate network that’s of significant size. He “goes after how they take care of the need for people to be able to get into their network. A large company has a much greater challenge in this than a small one. If you have five employees, you can send them an email, right? Or, you can see them all and say, ‘This is how you connect to your server from home, this is how you get your email from home.’”
But a large company will usually have a help desk or some external resource that people can go to when they’re having a computer problem. Robert figures that a company with a significant number of employees will have a set of instructions somewhere — most likely from its help desk — explaining how to access files and email remotely. If he could find those instructions, he could probably learn the steps for getting onto the network from outside, such as what software is needed to connect to the internal network over the corporate VPN. In particular, he was hoping to find out what access points the developers used to access the development system from outside, because they would have access to the much-coveted source code.
So his challenge at this stage was to find his way to the help desk.
I started using a little utility called the Network Mapper, something I wrote myself. It basically goes sequentially through a list of typical host names. I use it as my sequential DNS resolver.
The Network Mapper identifies hosts and provides the IP address for each. Robert’s short Perl script simply went down a list of commonly used hostnames and checked whether each one existed under the target company’s domain. So, for an attack on a company called “digitaltoes,” the script might look for web.digitaltoes.com, mail.digitaltoes.com, and so on. This exercise could uncover hidden IP addresses or network blocks that were not otherwise easy to identify. On running the script, he might get back results looking like the following:
This would reveal that our fictitious company “digitaltoes” has some servers in the 63.149 net block, but I’d put my money on the server in the 65.115 net block with the name “intranet” as being their internal network.
A Little Help from helpdesk.exe
Among the servers Robert discovered with his Network Mapper was the one he had hoped for: helpdesk.companyX.com. When he tried to go to the site, though, a login dialog box appeared demanding a username and password, restricting access to authorized users.
The helpdesk application was on a server running IIS4, an ancient version of Microsoft’s Internet Information Server (IIS) software, which Robert knew had a number of vulnerabilities. With a little luck, he might find a useful one that had not been patched.
Meanwhile he also discovered a gaping hole. Some company administrator had enabled MS FrontPage in such a way that anyone could upload or download files from the root directory where the Web server files are stored.
(I’m familiar with the problem. One of the Web servers at my security startup company was hacked using a similar vulnerability because the volunteer system administrator who was giving me a hand did not properly configure the system. Fortunately, the server was a standalone system, on its own network segment.)
Recognizing that this mistake gave him the ability to download and upload files to the server, he began looking at how the server was set up. The most common thread with some dumb IIS servers is that [whoever set it up] enabled FrontPage authoring.
And, in fact, this site had a weakness. Deploying Microsoft FrontPage (an application program used to easily create and edit HTML documents) without setting the proper file permissions is sometimes an oversight by a system administrator, sometimes intentionally configured this way for convenience. In this case, it meant anyone could not only read files but could also upload files to any unprotected directory. Robert was stoked.
I was looking at it and going, “Holy shit, I can read or edit any pages on the server without needing a username or password.” So I was able to log in and look at the root of the Web server.
Robert thinks that most hackers miss an opportunity here.
The thing is that when people set up a scanner network for a server, they often don’t look for common misconfigurations with server extensions like FrontPage. They look [to see what kind of server it is] and say, “Well, it’s just Apache” or “It’s just IIS.” And they miss making their work much easier if FrontPage has been misconfigured.
It wasn’t as much of a blessing as he had expected, since “there wasn’t really a whole lot on that server.” Still, he noticed that an application called helpdesk.exe would come up when he accessed the site through his browser. That could prove highly useful, but required a login with password.
So, I’m looking at it thinking how the f___k can I attack this? One thing I don’t like doing is uploading some other file to a Web server, because if the administrators look through their Web logs and see a thousand people going to helpdesk.exe and all of a sudden one guy in the South Pacific is going to two.exe or some other thing, that would make them think twice, right? So I try to stay out of the logs.
The helpdesk application consisted of a single executable and a dynamic-link library (DLL) file (files with the .DLL extension contain a collection of Windows functions the application can call on).
With the ability to upload files to the Web root, an attacker could easily upload a simple script allowing him or her to execute commands through his or her browser. But Robert isn’t just any attacker. He prides himself on being stealthy, leaving few if any traces in the Web server logs. Instead of just uploading a customized script, he downloaded the helpdesk.exe and helpdesk.dll files to his computer to analyze how the application worked, relying on some of his background experience. “I’ve done a lot of reverse engineering applications and looking at things in assembler,” so he knew how to go about working with the compiled C code and reversing most of it back to assembler.
The program he turned to was called IDA Pro, the Interactive Disassembler (sold by www.ccso.com), used, as he describes it, “by a lot of, like, virus companies and worm hunters, looking to decompile something to an assembler level and read it and figure out what it’s doing.” He decompiled helpdesk.exe and, approving of work performed by professional programmers, decided that it was “written quite well.”
From the Hacker’s Bag of Tricks: the “SQL Injection” Attack
Once he had the program decompiled, Robert examined the code to see whether the helpdesk application was susceptible to “SQL injection,” an attack method that exploits a common programming oversight. A security-conscious programmer will sanitize any user query by including code that, among other things, filters certain special characters such as the apostrophe, quotation mark, and greater-than and less-than symbols. Without filtering characters such as these, the door may be left open for a malicious user to trick the application into running manipulated database queries that may lead to a full system compromise.
In fact, Robert realized that the helpdesk application had indeed made the proper sanitization checks to prevent someone from using SQL injection. Most hackers would have just uploaded an ASP script to the Web server and been done with it, but Robert was more concerned with being covert than with exploiting a simple vulnerability to compromise his targets.
I thought, “That’s quite fun, that’s quite cool. I’m gonna enjoy this.”
I thought to myself, “Well, I’m gonna enable SQL injection by screwing up the validity check.” I found the string of where the invalid characters were kept and I changed them all to, I think it was a space or a tilde (~) or something else that I wasn’t gonna be using, but at the same time it wouldn’t affect anyone else.
In other words, he modified the program (using a hex editor to “break” the routine designed to verify user input) so that the special characters would no longer be rejected. This way, he could secretly perform SQL injection without changing the behavior of the application for anyone else. Another added bonus was that the administrators would not likely check the integrity of the helpdesk application, since there would be no obvious signs it had been tampered with.
Robert then sent his modified version of the helpdesk application to the Web server, replacing the original version. The way some people collect stamps, postcards, or matchbooks from places they’ve been, hackers sometimes keep not just the spoils of their break-ins but the code they used as well. Robert still has a binary compiled copy of the executable he created.
Since he was working from home (gutsy, and not recommended unless you want to get busted), he uploaded his “new and improved” version of the helpdesk application through a chain of proxy servers (servers that act as a mediator between a user’s computer and a computer he or she wants to access). If a user makes a request for a resource from computer A, this request is directed to the proxy server, which makes the request, gets the response from computer A, and then forwards the response to the client.
Proxy servers are typically used for accessing World Wide Web resources from inside a firewall. Robert increased his security by using several proxy servers located in different parts of the world to lessen the likelihood that he could be identified. So-called “open proxies” are commonly used like this to mask the origin of a cyber attack.
With his modified version of the helpdesk application up and running, Robert connected to the targeted site using his Internet browser. When presented with an input form requesting username and password, he launched a basic SQL injection attack, as he had planned. Under normal circumstances, once a user enters a username and password — say, “davids” and “z18M296q” — the application uses these inputs to generate a SQL statement such as the following:
If the user field and the password field match the database entries, then the user is logged in. That’s the way it’s supposed to work; Robert’s SQL injection attack went like this: In the username field, he entered
For password, he entered the identical statement
The application used these inputs to generate a SQL statement similar to the following:
The element or where password like % tells SQL to return the record if the password is anything at all (the “%” is a wildcard). Finding that the password did meet this nonsense requirement, the application then accepted Robert as a legitimate user, just as if he had input authentic user credentials. It then logged him in with the credentials of the first person listed in the user database, usually an administrator. That turned out to be the case here. Robert found himself not only logged in, but logged in with administrator privileges.
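As an added illustration (not from the book and not the helpdesk application’s own code), the Python script below shows a login check that concatenates user input into its SQL, as the helpdesk application did once its character filter was disabled, beside the parameterized form that treats quotes and the % wildcard as plain data. The user table, the filter’s character list and the wildcard payload are constructed for the example; the administrator is deliberately the first row, since the page notes that a query matching every record logs the attacker in as the first listed user.

```python
import sqlite3

# Constructed sample table: the administrator is the first row, so any query
# that matches every row hands back the admin account.
SAMPLE_USERS = [("admin", "Tr0ub4dor&3"), ("davids", "z18M296q")]

# Characters the page says a careful input filter rejects (assumed list).
FORBIDDEN_CHARS = set("'\"<>")

# Wildcard tautology of the kind the page describes: once the apostrophe closes
# the string, "like '%'" is true for every non-null password.
WILDCARD_PAYLOAD = "' or password like '%"


def make_db():
    """In-memory SQLite database standing in for the helpdesk user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (id integer primary key, username text, password text)")
    conn.executemany("insert into users (username, password) values (?, ?)", SAMPLE_USERS)
    return conn


def has_forbidden_chars(value):
    """The blacklist check the helpdesk app relied on: reject on sight."""
    return any(ch in FORBIDDEN_CHARS for ch in value)


def login_vulnerable(conn, username, password):
    """Query built by string concatenation: the input becomes part of the SQL."""
    sql = ("select username from users where username = '" + username
           + "' and password = '" + password + "'")
    row = conn.execute(sql).fetchone()   # first matching row wins
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Hardened form: the driver binds the values, so quotes and % stay data."""
    sql = "select username from users where username = ? and password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "davids", "z18M296q"))                    # davids
    print(has_forbidden_chars(WILDCARD_PAYLOAD))                          # True: the filter catches it
    print(login_vulnerable(db, WILDCARD_PAYLOAD, WILDCARD_PAYLOAD))       # admin: with the filter gone
    print(login_parameterized(db, WILDCARD_PAYLOAD, WILDCARD_PAYLOAD))   # None
```

The point the page makes follows directly: a character blacklist lives in the binary and can be edited out, whereas a parameterized query is not bypassed by removing a filter because there is no string to break out of.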
these messages, he gleaned information on dial-up numbers for calling into the network and, in particular, hyperlinks for adding and removing users from the VPN group under Windows. The company was using Microsoft’s VPN services, which are set up so that employees use their Windows account names and passwords to sign in. And since Robert was logged in to the helpdesk application as one of the administrators, this gave him the ability to add users to the VPN group and change user passwords for Windows accounts.
Making progress. Yet, so far, he was just logged in to an application as an administrator; that didn’t get him closer to their source code. His next goal was to gain access to their internal network through their VPN setup.
Just as a test, through the helpdesk menu he tried changing the password of what appeared to be a dormant account, and added it to the VPN users and administrator’s group — which meant that his activities would be less likely to be noticed. He figured out some details of their VPN configuration, so he could then “VPN in. This is good, but it plays a bit slowly.”
I got in at about 1:00 a.m. their time. With me being in the Australia time zone is very nice. It can be 1:00 a.m. in America, but during the working day here. I wanted to go in when I was sure the network was empty, I didn’t want anyone logged in or people to notice this. Maybe they have active reporting of everyone who’s going in. I just want to be sure.
Robert has a sense that he understands how IT and network security people work, and it’s not all that different from everyone else in the working world. “The only way for them to notice [my going online] would have been going through the logs actively.” His view of IT and security people isn’t very flattering. “People don’t read logs every morning. When you get to your desk, you sit down, have a coffee, read some Web sites of personal interest. You don’t go in and read logs and see who changed their passwords yesterday.”
One of the things he had noticed in his hacking efforts, Robert says, is that “when you change something on a site, people will either catch it right away, or they won’t catch it at all. The change I made to that Web application would have been noticed if they’d been running something like Tripwire,” he said, referring to an application that verifies the integrity of systems programs and other applications by doing a cryptographic checksum and comparing it against a table of known values. “They would have noticed that the executable had changed.”
At that point he felt reassured, citing the now-familiar term about “M&M security” — hard on the outside but very soft and chewy on the inside. “No one