My god! I’ve been out of the industry for a while (Hacking), - TopicsExpress




My god! I’ve been out of the industry for a while (Hacking), but I decided tonight that I’d mess around with some old skills and read up on new technologies and devices. It’s too easy, holy crap. Not a decade ago you actually had to work to get these things done. Today it’s a breeze. There is so much information, everywhere.

So let’s say there is company A – let’s call it MarkedMan Inc. Let’s say it does R&D with varying technologies and methodologies that may be of interest to people. Okay, so I’ve decided that MarkedMan Inc. is my target. In the past it was much more difficult to get information; for instance, people would employ social engineering and “dumpster diving” to get relevant information. That’s not even needed anymore. Hell, I don’t even have to pick up a phone.

First, I’ll do a few Google searches about MarkedMan, see what I can’t dig up. Then go to Monster and look at their job descriptions. They give away more information than is wise; many even plainly state foolish things such as: “it would be preferable if you were knowledgeable of Cisco architecture.” Okay, Cisco, check – on the list. There is another site, Archive.org, which is very useful – it takes snapshots of websites and stores them over time. So then I can use that to assess alterations in business methodology and conduct, extrapolate focus by assessing what they consider the most valuable information, and (of course) they give away contact and other associated information. Dun and Bradstreet is pretty much the core of all these “people search” websites you see; it started as a business that maintains a database on global companies. Today it has over 200 million records that include things like trade references, public records, newspaper publications, telephone interviews, etc. It’s a database, of course, that’s very valuable to someone interested in any particular company. (Think of it as a cheaper LexisNexis corporate information service.)
In mere minutes (what would’ve taken much longer before) I could have a list of employees, phone numbers, addresses, and a rather detailed idea of their network infrastructure. For instance, Cisco would provide a focus to particular vulnerabilities (called “vulns” in the field), and their job requirements are generally very telling on the software end of the house. Also, their particular layout and business information would immediately identify the most likely network setup, which could offer me clues as to what type of environment they’re running (Windows Active Directory, so most likely a Kerberos setup; or remote jobs and Unix systems would imply TACACS+).

Then I get to the tools. Wow, utterly… completely… wow. Compared to what I had to do back in the day to acquire simple information on networks in horizontal and vertical scans… it’s easy now. Just download the right tool, enter your information, click a button and wait. Of course there are very many sophisticated systems that businesses have in their defense, too, but that’s only an issue if you’re not creative.

So I took a shot against a company (I know their admin), to help assess vulnerabilities, but I only did it, really, as a curiosity to see how far technology has come. They use a powerful Unified Threat Management System with all the bells and whistles. And, indeed, their Network Intrusion System detected me right away (to the immediate brag of my night-shift shit-talking acquaintance). So I changed tactics – I’m not precisely sure of the exact system he’s using, but I know an old trick of the trade (do something original – make something happen that’s not supposed to happen). Of course, that’s pretty much the mentality of a hacker, but in this case I did what my buddy “Prodigy” calls an Infinite Bomb. An Infinite Bomb is an infinitely encapsulated payload.
The idea capitalizes on the very theory of secured tunneled communications (IPsec, for instance) by tying up the logical interpretation of electrical data – i.e., the encapsulating headers in the packets themselves – forcing a self-addressed infinite encapsulation and decapsulation process of irrelevant data (the headers). To be honest, I wasn’t expecting it to work, but that opened a whole mess of vulnerabilities in that expensive system of theirs. Somehow, perhaps compensation by the programming, it destroyed the packets (the information I sent) but continued the loop as if it were addressing itself – hijacking session data shouldn’t be that easy, especially of the server itself. Therein lies a vulnerability of the Windows architecture: how it uses network loopback addresses to run services and maintain information. So, an inbound encapsulated request with the headers claiming the server initiated the session and BAM! Not only did I have access to their server – my doings were encrypted. Not only that, it assumed, since it was looping to itself, that the session key was active – and how the hell that happened when the server should NOT be on its clients list, I’m at a loss. (So later, if they were wondering, they’d try to look up a non-existent IP and MAC address that was a proxy client diffused by a botnet – i.e., they’d get about two steps into it and have no idea what the hell just happened.)

After that I merely capitalized on bad security procedures – as a RAS server with erroneous services running in the background is a bad idea. How the loopback authenticated itself… I’m in the process of understanding that myself, although I’m not complaining for bragging rights. Needless to say, I got on the dude’s case about closing any unneeded background services Windows may be running and a few other tweaks required in his Active Directory to at least make it a challenge. The only saving grace for that company WAS their UTM – and I suppose that’s the rub.
As technology becomes more sophisticated, people are relying more and more on that technology to do the job for them – and as they put a good chunk of change (I imagine) into that UTM, they were relying on that to block or give warning of all malicious attempts without following sound security procedures past that point. Which was stupid, of course, because then that means your security suite represents a single point of failure – sort of an ironic concept. It occurred to me that because of this mentality, if it is indeed prevalent, the objective of an attacker shouldn’t be to get around a security system as much as to attack the security system itself. Once that system is compromised it’s a cake-walk.

Anyway, once again I go back into retirement after this humorous and late night of computer security madness. It was a rather fun refresher, but I don’t want to give Uncle Sam the excuse to twist my arm again. So this is Achilles Asheelz, logging off. ;) (And I have enough shit to worry about without adding another list of complicated shit to my plate.)
Posted on: Sun, 16 Jun 2013 07:08:45 +0000
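The passive-reconnaissance steps the post walks through (mining job postings for technology keywords and pulling historical site snapshots from Archive.org) as an added Python example. This is not code from the original post or its author. The company name, the job postings and the CDX rows are constructed sample data, the keyword-to-hint table is this example's own assumption about what a given keyword implies, and the Archive.org query is only built, never sent, so the script runs offline. It covers only the open-source collection the post describes, not the later attack.

```python
"""Passive recon helpers: what a job posting leaks, and how to ask the
Wayback Machine for a site's history.  Added example with constructed data."""
import json
import re
from collections import Counter
from urllib.parse import urlencode

# Constructed sample job postings for the hypothetical "MarkedMan Inc."
SAMPLE_POSTINGS = [
    "Network Engineer: it would be preferable if you were knowledgeable of "
    "Cisco architecture. Experience with ASA firewalls and TACACS+ is a plus.",
    "Systems Administrator: maintain Windows Server 2008 R2, Active Directory, "
    "Group Policy and Exchange 2010; support remote users over our RAS/VPN.",
    "R&D Linux Administrator: RHEL 6, SSH, OpenVPN, Nagios monitoring.",
]

# (regex, hint template); "{0}" is filled from the first capture group.
# This mapping is an assumption made for the example, not a published taxonomy.
TECH_HINTS = [
    (r"\bcisco\b", "Cisco network gear (IOS/ASA)"),
    (r"\btacacs\+", "TACACS+ AAA on network devices"),
    (r"\bactive directory\b", "Windows domain (Kerberos/NTLM authentication)"),
    (r"\bwindows server (\d{4}(?: r2)?)", "Windows Server {0}"),
    (r"\bexchange (\d{4})", "Microsoft Exchange {0}"),
    (r"\b(?:ras|vpn|openvpn)\b", "Remote-access service exposed to the Internet"),
    (r"\brhel (\d+)", "Red Hat Enterprise Linux {0}"),
    (r"\bssh\b", "SSH management access"),
]


def extract_hints(text):
    """Return the set of infrastructure hints a single posting leaks."""
    hints = set()
    for pattern, template in TECH_HINTS:
        for match in re.finditer(pattern, text, re.IGNORECASE):
            hints.add(template.format(*match.groups()))
    return hints


def profile_postings(postings):
    """Aggregate across postings: hint -> number of postings that mention it."""
    counts = Counter()
    for posting in postings:
        counts.update(extract_hints(posting))
    return counts


WAYBACK_CDX = "https://web.archive.org/cdx/search/cdx"


def wayback_cdx_url(domain, year_from, year_to):
    """Build (but do not send) a Wayback Machine CDX query for successful
    captures of every URL under `domain` in the given year range."""
    params = {
        "url": domain,
        "matchType": "prefix",
        "from": str(year_from),
        "to": str(year_to),
        "output": "json",
        "fl": "timestamp,original,statuscode",
        "filter": "statuscode:200",
        "collapse": "digest",  # drop captures whose content did not change
    }
    return WAYBACK_CDX + "?" + urlencode(params)


# Constructed CDX response in the shape the API returns for output=json:
# a header row followed by one row per capture.
SAMPLE_CDX_JSON = json.dumps([
    ["timestamp", "original", "statuscode"],
    ["20090315120000", "http://markedman.example/", "200"],
    ["20110702083000", "http://markedman.example/careers", "200"],
    ["20130101000000", "http://markedman.example/contact", "200"],
])


def snapshots_from_cdx(cdx_json):
    """Turn a CDX JSON payload into (timestamp, archived_url) pairs that a
    browser can open to compare how the site changed over time."""
    rows = json.loads(cdx_json)
    if not rows:
        return []
    header, body = rows[0], rows[1:]
    ts, orig = header.index("timestamp"), header.index("original")
    return [(r[ts], f"https://web.archive.org/web/{r[ts]}/{r[orig]}") for r in body]


if __name__ == "__main__":
    for hint, n in profile_postings(SAMPLE_POSTINGS).most_common():
        print(f"{n} posting(s): {hint}")
    print(wayback_cdx_url("markedman.example", 2009, 2013))
    for stamp, url in snapshots_from_cdx(SAMPLE_CDX_JSON):
        print(stamp, url)
```

Running the script prints the inferred stack for the constructed postings (the Windows domain, Exchange version and exposed remote-access service are the kind of detail the post says gets handed out), the CDX query you would then issue against the real API, and the per-capture Wayback URLs decoded from the sample response.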
