Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker
TWENTY-EIGHT


Trophy Hunter
Phtm zvvvkci sw mhx Fmtvr VOX Ycmrt Emki
vqimgv vowx hzh L cgf Ecbst ysi?
I’d fallen into a comfortable routine as a new citizen of Denver. During the
day, I’d go into work at the law firm on a regular shift from about 9:00 to
6:00. Afterward, I’d go to the gym for a few hours, grab dinner at a local
restaurant, then head home or back to the law firm and spend until bedtime
doing you know what.
Hacking was my entertainment. You could almost say it was a way of
escaping to an alternate reality—like playing a video game. But to play my
game of choice, you had to stay alert at all times. One lapse in attention or
sloppy mistake, and the Feds could show up at your door. Not the simulated
G-men, not the black wizards of Dungeons and Dragons, but the real,
honest-to-God, lock-you-up-and-throw-away-the-key Feds.
At the time, I was busy finding systems to explore and ways to match
wits with the security experts, network and system administrators, and
clever programmers I encountered in my alternate reality. I was doing it
purely for the thrill.
Since I couldn’t really share my exploits with anyone, I set my sights on
obtaining the source code for things that interested me, such as operating
systems and cellular phones. If I could get the code, it would be my trophy.
I was becoming so good at it that sometimes it seemed too easy.
Now that I had put everything on the line by cutting ties with my former
life, I had nothing to lose. I was primed and ready. How could I raise the
stakes? What could I do that would make every hack that came before it
seem like child’s play?
The world’s leading tech companies supposedly had the best security in
the world. If I really wanted trophies that meant something, I was going to
have to try to hack into them and get their code.
I had already had good success with Sun. Now I targeted Novell, which, I
discovered, used a server running the SunOS operating system as its
firewall gateway. I exploited a bug in a program called “sendmail,” which
was used, among other things, to receive email from the outside world. My
goal was to get the source code for one of the leading network operating
systems in the world, Novell’s NetWare.
I was able to create any file with any content I wanted by exploiting an
unpatched security flaw in the sendmail program. I would connect over the
network to the sendmail program and type in a few commands like these:
mail from: bin
rcpt to: /bin/.rhosts
[text omitted]
.
mail from: bin
rcpt to: /bin/.rhosts
data
+ +
.
quit
These commands caused the sendmail program to create a “.rhosts” file
(pronounced “dot-R-hosts”), which makes it possible to log in without a
password.
(For the technical reader, I was able to create a .rhosts file in the bin
account configured to allow me to log in without having to provide a
password. A .rhosts file is a configuration file used with certain legacy
system programs known as the “R-services,” which are used for logging in
or executing commands on a remote computer. For example, a .rhosts file
can be configured to allow the user “kevin” from the hostname “condor” to
log in without providing a password. In the example above, two plus signs
separated by a space provides a wildcard for both the user and the hostname
of the computer—meaning that any user can log in to the account or
execute commands. Because the bin account had write access to the “/etc”
directory, I was able to replace the password file with my own modified
version that allowed me to gain root access.)
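A defender's audit for the .rhosts condition described above, added here as an example and not drawn from the book: it parses rhosts-style trust files, flags wildcard entries such as the "+ +" line, and checks file ownership and mode the way ruserok() implementations do before honouring such a file. The SAMPLE contents are constructed.

```python
"""Audit rhosts-style trust files for the wildcard condition the chapter
describes. Added example, not from the book; SAMPLE is constructed."""
from dataclasses import dataclass
from typing import List

@dataclass
class Finding:
    line_no: int
    entry: str
    reason: str

def audit_rhosts(text: str) -> List[Finding]:
    """Flag every entry that grants broader trust than one (host, user) pair.
    Each line is 'host [user]'; '#' starts a comment; '+' in either field is
    a wildcard; a leading '-' denies rather than grants."""
    findings = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        if host.startswith("-") or (user or "").startswith("-"):
            continue  # deny entries narrow trust rather than widen it
        if host == "+" and user == "+":
            reason = "any user from any host may log in without a password"
        elif host == "+":
            reason = f"any host is trusted for user {user or '<file owner>'}"
        elif user == "+":
            reason = f"any user on {host} may log in as the file owner"
        else:
            continue
        findings.append(Finding(n, line, reason))
    return findings

def file_trustworthy(st_uid: int, owner_uid: int, st_mode: int) -> bool:
    """Mirrors the check ruserok() makes: the file must belong to the account
    and must not be group- or world-writable, or another account could
    plant a '+ +' line in it."""
    return st_uid == owner_uid and not (st_mode & 0o022)

# Constructed sample resembling the planted file the chapter describes.
SAMPLE = "# trusted build host\ncondor kevin\n+ +\n"

if __name__ == "__main__":
    for f in audit_rhosts(SAMPLE):
        print(f"line {f.line_no}: {f.entry!r}: {f.reason}")
```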
Next I installed a hacked version of “telnetd” that would capture and
store the password of anyone who logged in to the Novell gateway
machine. As I was getting myself established on Novell’s network, I saw
that two other users were logged in and active. If they happened to notice
that somebody else was logged in from a remote location, they would
immediately know that the company was being hacked. So I took steps that
made me invisible: if any system administrator called up a list of everyone
who was on the system at that time, I wouldn’t show up.
I continued watching until one of the administrators logged in to the
gateway; I was then able to capture his password for the root account. The
password was “4kids=$$.” Cute.
It didn’t take me long to get into another system called “ithaca,” which
was one of the Engineering Group’s systems in Sandy, Utah. Once I
compromised that system, I was able to retrieve the encrypted password file
for the entire Engineering Group and recover the passwords of a large
number of users.
I searched the system administrators’ email for the keywords “modem,”
“dial-up,” and “dial-in” in various forms—singular, plural, with and without
a hyphen following “dial,” and so on—which led me to messages
answering employee questions such as “What number do I use to dial in?”
Very handy.
Once I found a dial-up, I started using that as my access point rather
than going in through Novell’s Internet gateway.
For starters, I wanted to find the system that contained the source code for
the NetWare operating system. I started searching through the email
archives of the developers, looking for certain words that might lead me to
the process used to commit updates to the source code repository. I
eventually found the hostname of the source code repository: “ATM.” It
wasn’t a cash machine, but to me it was worth much more than money. I
then went searching back through emails looking for “ATM” and found the
names of a few employees who supported the system.
I spent hours trying to log in to ATM using the Unix-based credentials I
had intercepted, but without success. Finally I was able to find a valid
account, but it didn’t have rights to access the source code repositories.
Time for my standard fallback: social engineering. I called the number for a
lady who worked in support on ATM. Using the name of an engineer whose
password I had cracked, I told her I was working on a project and needed
access to the NetWare 3.12 client source code. My gut told me something
just wasn’t right, but the lady didn’t sound at all hesitant.
When she came back on the line and told me she had given me the rights
I’d requested, I felt a familiar surge of adrenaline. But after only fifteen
minutes, my session was disconnected, and I couldn’t reconnect—I was
locked out. Moments later the engineer changed his password. Uh-oh. That
didn’t take long to figure out. Later I learned that the lady had had previous
conversations with the engineer whose name I used, and realized my voice
didn’t sound like his. She knew I was an imposter. Damn! Well, win some,
lose some.
I called another administrator who also supported ATM and convinced
him to add access rights to one of the other accounts I had compromised,
only to be locked out again. I also placed backdoors in numerous systems to
capture credentials as users logged in.
By now I had been working on this project for several days. Searching
emails was a quick means of discovering where I could find the tasty data—
the information that would lead to additional ways into the network, or to
software bugs, or to source code that interested me.
Now that I knew they would be watching closely and weren’t likely to
fall for the same trick again, I changed my tactics. What if I targeted a
developer who had full access and tricked him into copying everything for
me? I wouldn’t even need to find a way into ATM to get what I wanted.
After exploring Novell’s internal network for several days, I found a
cool tool accessible to any Novell employee. The program, called “411,”
listed the name, phone number, log-in name, and department of each staffer.
My luck was starting to change. I dumped out the entire employee list to a
file for analysis. As I looked through the list, it became clear that all the
developers worked in a group called “ENG SFT.” I figured that NetWare
development was likely handled out of Provo, Utah, the company
headquarters.
Looking through the directory using these two criteria, I randomly chose
a listing:
Nevarez, Art:801 429-3172:anevarez:ENG SFT
Now that I had my mark, I needed to pose as a legitimate Novell
employee. I wanted to choose a contractor or someone else who was
unlikely to be known by my target. The phone directory also contained a
department named Univel that had probably been formed when Novell and
AT&T’s Unix System Laboratories started up a joint venture in 1991. I
needed to find an employee who wasn’t going to be in the office. My first
choice was:
Nault, Gabe:801 568-8726:gabe:UNIVEL
I called and got his voicemail greeting, which very conveniently
announced that he would be out of the office for the next few days, without
access to email or voicemail. From the employee directory file, I picked out
a lady who worked in the Telecommunications Department and dialed her
number.
“Hi, Karen,” I said. “This is Gabe Nault calling from Midvale. Last
night I changed my voicemail password, but it doesn’t work. Can you
please reset it?”
“Sure, Gabe. What’s your number?”
I gave her Gabe’s number.
“Okay, your new password is the last five digits of your telephone
number.”
I thanked her politely, immediately dialed Gabe’s phone, keyed in the
digits for the new password, and recorded the outgoing greeting in my own
voice, adding, “I have several meetings today, so it’s best to leave a
voicemail. Thank you.” Now I was a legitimate Novell employee with an
internal phone number.
I phoned Art Nevarez, told him I was Gabe Nault in Engineering, and
asked, “Do you work with NetWare? I’m in the Univel Group.”
“Yes,” he said.
“Great. Can you do me a big favor? I’m working on the NetWare for
Unix project, and I need to move a copy of the NetWare 3.12 client source
code to one of our boxes here in Sandy. I’ll set up an account for you on the
‘enchilada’ server so you can map a drive and transfer the code.”
“Sure. What’s your number? I’ll call you after it’s done,” he said.
After we hung up, I was elated. No need to gain access to ATM—just
leverage someone who already has it.
I went to the gym to work out, checking Gabe’s voicemail during a
break to find a message from Art saying that he had finished. Awesome!
Now I had trust and credibility. Why not go a little further and ask for
another small favor? Right from the gym, I called Nevarez back and said,
“Thanks, Art. Hey, sorry, but I just realized I also need 4.0 client utilities
too.”
He sounded a little annoyed. “There are a lot of files on that server, and
there’s not enough space left.”
“I’ll tell you what, I’ll take them off ‘enchilada’ to make room. I’ll call
you when I’m done.”
After I finished working out, I went home, logged on, and transferred
the files to an account I had created for myself at Colorado Supernet, the
largest Internet service provider in Denver. The next day, Nevarez
transferred the rest of the files for me, an operation that took him a long
time because there was so much code.
Later when I asked him to transfer the server source code, he got
suspicious and balked. As soon as his suspicions were raised, I dialed into
Gabe’s voicemail and reset it to use the standard outgoing greeting so my
voice would be erased. I certainly didn’t want a recording of my voice to be
Exhibit A in some future court case.
Undiscouraged, I thought to myself, 