2. Technical background of the hack


Both networks were based on Microsoft systems, which is not that surprising since it is by far the most used platform in corporate environments, especially on the desktop. Both intrusions were made over the Internet with tools freely available on the Internet. They used vulnerabilities that had been known for quite a long time, and we sometimes had to use a bit of imagination to do the rest. If you are a Windows NT/2000 admin, what you are about to read should scare you to hell. If you are a malicious hacker who does this kind of thing for a living or just plain fun, you probably know all this stuff already. But you'll probably still want to read on to have a good laugh.

Both intrusions followed the same methodology, similar to that of a typical intrusion: gathering of information, analysis of the information, research of vulnerabilities, and implementation of the attack (we didn't have time to test on one of our own machines, but that didn't matter), then repeat. Both attacks were done from our facilities using our dedicated ADSL line over the Internet. One of the intrusions involved going undercover physically on site at the customer premises to plant a wireless hub on the network. A laptop equipped with a wireless network card was also used to link with the hub momentarily, to avoid detection.
Some of the tools used were:

SuperScan : to scan classes of IP addresses to determine open ports
CyberKit : this tool lets you do IP information gathering (DNS lookups, traceroute, whois, finger)
nc.exe : NetCat, ported to Win32. This program lets you initiate telnet connections on any port you want
hk.exe : program that exploits a vulnerability in the Win32 API (LPC, Local Procedure Call) that can be used to get System level access
net commands : these should be known to all NT admins (net view, net share, net use, etc.)
a hex editor : these programs let you edit binary files in hexadecimal/ASCII format, a bit similar to Notepad for text files
l0phtcrack : this software lets you crack the NT password file
whisker.pl : this script scans web servers for known vulnerabilities, along with instructions on how to exploit them
EditPad Classic : this is a Notepad Deluxe, where we gathered the information collected during the hack
and other tools that I forgot that were part of the NT Resource Kit or that I will mention later in the text.

Sugar input was provided with a supply of M&Ms and coke (the drink, not the sniff).



Hosted by www.Geocities.ws
