efforts. Well, that and a couple sessions of text-sex. Meanwhile, c1sman’s
set-up pinged away, enumerating the target network. This enumeration
process revealed the target network’s layout, confirming what kinds of
software the servers were using, how they were set up, and most
importantly what their firewall was like. The firewall was the main bastion
between the target network and the big bad world of the Internet, and
the more they knew about it, the easier their job became. C1sman’s
meticulous port scan managed to find the sweet spot between efficiency
and speed (or so he claimed, Paul had to take his word for it), eventually
producing a network map that not only enumerated the firewall but also
mapped all the individual computers (or “boxes” as c1sman referred
to them) in the network. They also knew the most important piece of
information—which ports accepted connections from the outside and
what those ports were used for. Their particular target, while generally
well defended and maintained, was not breaking any new ground when
it came to usage or security. Like most, it used Port 80 for Web servers
and Port 3306 for MySQL connections to its databases, along with a
few other ports, some of which c1sman felt sure were going to provide
them access through which they could launch an attack.
Launching the final attack was going to have to wait, though. It
needed to be timed with everything else, and everything else wouldn’t
be ready until they’d all got set up in Washington D.C. But there was
one stage left before D-Day, and Paul wanted to make sure c1sman saw
Geek Mafia: Black Hat Blues
it through while he was watching. A lot of the basics of network
security hacking were freely available online, and Paul had done his best to
bone up on them in preparation for his “quality time” in Georgia. But
even with c1sman explaining things as he went along, Paul still only
had a vague idea that things were going as planned. He had hoped to
know enough to double check c1sman’s work, but that turned out to
have been some crazy pipe dream. He’d have to trust c1sman’s word
that things were going to go the way they were supposed to, so Paul
had quickly shifted gears from looking over the hacker’s shoulder to
patting him on it. He’d heaped praise and support on the man, along
with a healthy dose of friendship and camaraderie. Plus he’d paid all the
bills and cleared some of c1sman’s more pressing debt (particularly the
back child support that the unemployed hacker had fallen behind on).
It helped that he actually did like the guy, even if he was pretty dull at
times. Hopefully all that together was enough to ensure that the new
recruit really was being on the up and up with him and Chloe and the
rest of the Crew.
“Most good attacks are designed to get control in some way, but the
real skill comes in taking control without being noticed by the
network’s system administrators or intrusion detection software,” c1sman
had explained when they began their ping session. “Finding the exploit
is just the beginning. Retrieving something of value from the system
we’ve penetrated is the whole point. And, yeah, in some cases it’s
possible to just smash and grab, just break into the system and steal
whatever data you can get your hands on. But there’s no art to that kinda
attack and, really just as important, they’re less efficient. Ideally, we
want to leave no trace that we were ever there. A loud, frontal attack
will alert the network administrator, who will then do everything in
his or her power to boot us off the network. But if we never trip any
alarms, we’ll be able to take our time and find what we want. Plus, you
know, if the target doesn’t know their data’s been compromised, then
they won’t take any measures to minimize damage. Once the network’s
owners realize they’ve lost data they’ll start changing passwords,
rewriting code, and generally covering their losses and all our work won’t
mean crap.”
C1sman had written his own arsenal of exploits that used shellcode
to take advantage of specific vulnerabilities that he’d identified in the
various software and hardware configurations of the target network. He
could have downloaded “off the shelf” code from places like metasploit.
com or shellcode.org, but he preferred to use his own versions since the
target system was less likely to have a defense against them. C1sman had
Rick Dakan
identified a few different approaches that he thought might work, but he
decided to go with a traditional buffer overflow attack since he’d found
a few points in the target network where these might work. “I love me
some buffer overflows,” he’d said once he realized he could use them
in this instance. “They’re my ultimate power-up—I can do anything
with them.”
Understanding exactly how a buffer overflow works required several
explanations from c1sman, even though Paul had read all about them
on his own. It was one of those things that was surprisingly difficult
for a non-programmer to understand. C1sman’s simplest explanation
was, “Every program sets aside a certain block of memory to receive the
input of data, right? Like, for example, a database entry might have a
certain amount of memory set aside to receive social security numbers.
As long as the amount of data entered is equal to the amount of data
the program is expecting (enough for nine digits of an SSN) then every-
thing is fine. But in some programs, if you enter more than nine digits
worth of data, the program starts overwriting memory space normally
reserved for other data. This can cause some serious problems in normal
circumstances. But when someone like me finds something like that, it’s
like handing me the house keys and the security code. I can insert my
shellcode right into the space, and BAM! My shellcode overwrites good
data and then gets executed as if it were part of the normal program!
The shell runs, it opens a door for me from the outside and wham, bam,
thank you ma’am, I own the box.”
When Paul had asked him how common it was to find such
buffer overflow vulnerabilities, c1sman had shaken his head in disgust. “It
shouldn’t happen at all, except people are lazy. It’s entirely possible to
write software that has no buffer overflow vulnerabilities in it. It just
requires the programmers to be very security conscious as they code.
But all the crap today’s so huge and bloated and manager driven, with
the work of multiple software engineers all trying to make their code
work together, it just gets sloppy and messy. Besides, most programmers
aren’t security people and don’t write code that’s good for security—it’s
hard enough to get these things working in the first place without
worrying about leaving buffer overflow holes.”
C1sman writing his custom shellcode seemed to Paul like more work
than was necessary. He’d started to suspect that the hacker was
delaying, either because he was afraid of breaking the law or didn’t want Paul
to leave. As delays mounted and days passed, Paul grew restless. Chloe
needed his help with other parts of the plan and he was getting sick of
Athens and c1sman. They needed to move. The original plan had been
for them to insert the shellcode, own the system’s key boxes, and then
sit and wait until it was time to grab the data they needed. C1sman
would chill in Athens while Paul went back to Key West to help make
final preparations before they all went to DC. Except at this rate he’d
have to go straight to DC from here and Lord only knows what would
be missed if he wasn’t on hand to direct things. But c1sman insisted
he wasn’t stalling—that it was hard work and he wanted to make sure
everything worked right. For all Paul knew, he was telling the truth.
What Paul did know was that c1sman needed some extra motivation.
So during the down time, Paul started talking up Key West. The
parties, the women, the relaxing atmosphere, the women. While he wasn’t
quite ready to let c1sman stay at the Crew house, he could easily find
someplace for him to stay down there. A little bungalow with a private
pool that was strip club adjacent maybe? And some spending money?
C1sman eschewed the strippers, at least out loud, but Paul’s
temptations were getting to him. Or maybe he just really did happen to pull
his code together the night after Paul promised to take him down to
Key West as soon as they’d cracked the target network and owned the
boxes they’d need to on D-Day. From Paul’s point of view, watching
c1sman work, he couldn’t see the difference from one moment to the
next. Numbers and letters changed on a screen and the hacker hooted
with real, unreserved joy. Paul didn’t think he had it in him to fake that
kind of enthusiasm. They had root. They would be ready to go whenever
Paul said the word.
Now, four weeks later, they were in a mini-suite in the Marriott and it
was time. “All right c1s, you ready?” He dug his hand into the hacker’s
shoulder, massaging some tiny fraction of the tension out of him.
“Yeah. I think I am. Yeah. We’re ready… .” he drifted off as he typed
a few more commands into one of his machines. “OK. Now we’re
ready… Ready now.”
“Your time to shine, buddy,” Paul said. He looked around the room.
Chloe was watching from the corner, wiping some pizza sauce from her
lips. Sandee had looked up from his laptop. Bee kept doing whatever it
was she was doing with her soldering iron, oblivious to the rest of them
in her focus fugue. Chloe smiled and nodded and Paul patted c1sman’s
shoulder three times. “Let’s get started.”
Chris had a love/hate relationship with hacker cons, but at this point
in his life, any relationship with at least some love in it was worth
clinging to as hard as he could. OK, things weren’t that bad really. He’d
wanted the divorce as much as Jessica had, if not more, and they’d been
separated for almost two years now. What he hadn’t expected was that
she’d take Shawn and move to Arizona to live at her mom’s, or that
Athens without her and their child would be so, so empty. Whereas
before he’d yearned constantly for a little more time for his projects, a
little more privacy and silence so he could just think a problem through,
now that was all he had. His college friends were long graduated and
only slightly less long gone. His family was in Tennessee and, to be
honest, bored him stiff anyway. Then his job had evaporated as well,
leaving him home alone with no one to have a beer or catch a movie
with. Of course his primary social circle on IRC remained as close as
ever, and he was pretty sure that without them he’d have gone insane
in some particularly depressing way. As it was, he could stay in touch
with his friends, trade gossip and exploits, and always find some
interesting project to throw a little bit of his coding expertise at. And just as
important, those friends spread out all over the world could throw him
freelance work from time to time, enough to keep him above water and
in burritos and beer at least. Also enough, as a disappointed Jessica had
pointed out, to make him think he didn’t have to go out and find a real
job. But he had a plan—his one-off contracts were starting to blossom
into repeat clients and at this rate he’d have his own little computer
security consulting company up and running within a year. Two at the
most. He might even be able to hire on some help.
Until then though, the only quality time Chris was likely to get with
any of his intellectual or social peers (i.e., hackers) was at conventions.
But with his reduced available funds, he couldn’t afford to attend
anything he couldn’t get to on a tank of gas, and where he had at least three
people to split the hotel room with. That pretty much left CarolinaCon,
one of his new favorites, and then the old warhorse, SECZone, which
he’d been going to since it started. SECZone 5 was over in Atlanta, a
venerable little hacker con that Chris had volunteered at for the past
two years. This year he and a couple other guys were in charge of setting
up the NOC and the con’s wireless network. So right there he’d already
broken his own rules on expenses because that had meant driving over
to Atlanta every weekend for the month leading up to the con in order
to get everything set up in the hotel. In exchange for helping the hotel
upgrade its own network, the owners were allowing this extra access,
and Lor3n, the guy who founded and ran SECZone, was paying Chris
a small fee and comping his hotel room, which allowed Chris to write
the whole thing off as a business expense. He’d have to remember to
actually do that when tax time came. Despite all the perks, all this
preliminary work was part of what he hated about hacker cons. It really
was too much like real work, but he knew it had to be done and there