The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers

Authors: Kevin D. Mitnick, William L. Simon


Costa) White House break-in, 35–39

arrest for Boeing hack, 82–83 SIPRNET hack, 30–32

background, 69–70 Whurley

current activities, 87 cold readings, 222–223

dumpster diving, 70–71 direction of approach, 223–224

hotel services, theft of, 72–73 fooling the guards, 223–224

phone phreaking, 70–71, 84–86 impersonating an employee, 226–229

prison time, 84–86 Las Vegas security audits, 222–232

punishment, 81, 82–84 phony badges, 229–230

U.S. District Court hack, 71–72, 73–74 psychology of color, 225–226 Lamo, Adrian schmoozing casino staffers, 222–223

background, 93 Zatko, Pieter (Mudge)

current activities, 107–108 the attack, 118–119

damage costs, 105, 109–110 background, 116

eavesdropping on the FBI, 107–108 dumpster diving, 118, 120–121

Excite@Home hack, 93–98 e-mail sniffing, 122

free-form SQL query, 102–103 final report, 123–124

kitten rescue, 92–93 fortuitous blackout, 121–122

Lexis/Nexis hack, 104–105 get-out-of-jail-free card, 118

MCI WorldCom hack, 98–99 ground rules, 117–119

Microsoft hack, 99–100 meeting the client, 117

misconfigured proxy servers, exploiting, 94, 99 NDAs (nondisclosure agreements), 118–119

monitoring network activity, 96–97 tailgating, 121

New York Times hack, 100–108 voicemail snooping, 122

open shares, 96 Zyklon. See Burns, Eric

password cracking, 103–104 Hacking for Girlies (H4G), 100

personal history, 93 hand warmer trick, 133–134

punishment, 107–108 hardening, countermeasures, 218

RAT (Remote Access Trojan), 96 Harkat ul-Mujahideen group, 34

restitution to victims, 107–108 Harkat-ul-Ansar group, 34

reverse DNS lookup, 95–96 hashing (checksumming), 21

unique skills, 106–107 help desk, hacking, 171–173 Louis heuristic information processing, 234–235

3COM device configuration, determining, 200–202 host names

accessing the company system, 211–215 reverse DNS lookup

background, 195–196 countermeasures, 111–112

barging the IIS server, 213 Excite@Home hack, 95–96

countermeasures, 216–218 security company intrusion, 197–198

hackers' background, 195–196 hotel services, theft of, 72–73, 87–88

identifying a router, 198–199

mapping the network, 197–198, 202–207 Ibrahim, Khalid

passwords, cracking, 200, 210, 214 background investigation, 32–34

ping sweeps, 202–203 FBI informant, 39–40

port scanning, 199–201 Harkat ul-Mujahideen group, 34

remote control of a PC, 208–211 Harkat-ul-Ansar group, 34

researching the target, 196–197 recruiting hackers, 25–32

reverse DNS lookup, 197–198 IDA Pro, 173

success, 215 impersonating an employee, 226–229

trapped in a DMZ, 202–207 incident response, 188 Matt. See Anderson, Charles Matthew Indian Airlines hijacking, 29–30 Mayfield, Alex. See casino hack information leakage, countermeasures, 110 MindPhasr, 39–40 insider abuse, 62–66 MostFearD, 36 installation files, removing, 192 MostHateD, 39–40 intellectual property hack Mudge. See Zatko, Pieter busted, 163–164 ne0h close call, 160–161

on 9/11, 35 downloading source code, 164–165

background, 24 dumping Registry information, 161

Boeing hack, 27–28 examining Internet Explorer history, 162

challenge to the FBI, 39 hacking target applications, 161–163

and Comrade, 22–25 hacking the target, 159–160

current activities, 40–41 identifying the target, 158–159

Indian Airlines hijacking, 29–30 known plaintext attack, 165–166

and Khalid Ibrahim, 25–27, 32–33 password cracking, 157–159, 165–166

intellectual property hack (continued) countermeasures, 20

port scans, 155–157 damage costs, 18–20

retrieving licensing keys, 161–162 development phase, 4–6

tracing network packets, 162–163 firmware, 5–8 Interactive Disassembler, 173 getting caught, 16–18 Internet banking, 139–141 insight, 20 IP addresses playing the slots, 8–16

ARIN (American Registry for Internet Numbers), punishment, 18

100–101 random number generator

finding host names from. See reverse DNS lookup manipulating the slots, 10

netblocks, 101 reverse engineering, 12–13

reverse DNS lookup rewriting, 6–8

countermeasures, 111–112 true randomness, 20

Excite@Home hack, 95–96 research phase, 2–4

security company intrusion, 197–198 wearable computer, 13–16 Iraqi Army hack, 250–252 Las Vegas security audits, 222–232

law enforcement training. See cops and robbers jailbait hack, 255–257 Lexis/Nexis hack, 104–105 Juhan, 140–143 licensing keys, retrieving, 161–162 Jurassic Park hack, 248–250 liking, and social engineering, 236–237

Lockheed Martin hack, 27–28, 42–44 Katsaniotis, Costa loft. See l0pht

arrest for Boeing hack, 82–83 logging keystrokes, 130–132, 144, 148

background, 69–70 Louis

current activities, 87 3COM device configuration, determining, 200–202

dumpster diving, 70–71 accessing the company system, 211–215

hotel services, theft of, 72–73 background, 195–196

phone phreaking, 70–71, 84–86 barging the IIS server, 213

prison time, 84–86 countermeasures, 216–218

punishment, 81, 82–84 hackers' background, 195–196

restitution, 82–84 identifying a router, 198–199

U.S. District Court hack, 71–72, 73–74 mapping the network, 197–198, 202–207 Keebler Elves, 24 passwords, cracking, 200, 210, 214 Keyghost keystroke logger, 131–132 ping sweeps, 202–203 keystrokes, logging, 130–132, 144, 148 port scanning, 199–201 kitten rescue, 92–93 remote control of a PC, 208–211 known plaintext attack, 165–166 researching the target, 196–197 Knuth, Donald, 6–8 reverse DNS lookup, 197–198

success, 215 l0pht Heavy Industries, 116. See also penetration testing trapped in a DMZ, 202–207 l0phtCrack, 128–129 LsaDump2, 161 l0phtCrack III, 180 Lamo, Adrian mailing lists, retrieving, 167–168

background, 93 Markoff, John, 100

current activities, 107–108 Matt (Anderson, Charles Matthew)

damage costs, 105, 109–110 arrest for Boeing hack, 82–83

eavesdropping on the FBI, 107–108 background, 70

Excite@Home hack, 93–98 current activities, 87

free-form SQL query, 102–103 dumpster diving, 70–71

kitten rescue, 92–93 hotel services, theft of, 72–73

Lexis/Nexis hack, 104–105 phone phreaking, 70–71

MCI WorldCom hack, 98–99 prison time, 84–86

Microsoft hack, 99–100 punishment, 81, 82–84

misconfigured proxy servers, exploiting, 94, 99 restitution, 82–84

monitoring network activity, 96–97 U.S. District Court hack, 71–72, 73–74

New York Times hack, 100–108 Mayfield, Alex. See casino hack

open shares, 96 MCI WorldCom hack, 98–99

password cracking, 103–104 McKay, Niall, 27, 30

personal history, 93 metamorphosis of the spirit, 59

punishment, 107–108 Microsoft FrontPage, vulnerabilities, 172

RAT (Remote Access Trojan), 96 Microsoft hack, 99–100

restitution to victims, 107–108 Microsoft SQL servers, protecting, 190–191

reverse DNS lookup, 95–96 Microsoft VPN services, 192

unique skills, 106–107 Milw0rm group, 33 Las Vegas hack MindPhasr, 39–40

aftermath, 18–20 missing paycheck hack, 247–248

avoiding detection, 10–11 MIT of China hack, 25–27

Mitnick, Kevin New York Times hack, 100–108

approached by Columbian drug lord, 41 Nietzsche, Friedrich, 59

The Art of Deception, 88, 232, 233 9/11, aftermath of, 34–35

Takedown, 24 Nmap, 199–201 M&M security, 176 nondisclosure agreements (NDAs), 118–119 momentum of compliance, 235 money transport intrusion one-way hash, 128–129

3COM device configuration, determining, 200–202 on-site visitor policies, 65

accessing the company system, 211–215 open shares, 96

barging the IIS server, 213 Operation Eligible Receiver, 41–42

countermeasures, 216–218 Outlook.pst file, retrieving, 178

hackers' background, 195–196

identifying a router, 198–199 passwords

mapping the network, 197–198, 202–207 breaking encryption, 76, 128–129

passwords, cracking, 200, 210, 214 changing, 88

ping sweeps, 202–203 Coke vending machine, 250

port scanning, 199–201 cracking

remote control of a PC, 208–211 bank hacks, 142, 148

researching the target, 196–197 countermeasures, 217

reverse DNS lookup, 197–198 extracting password hashes, 157–158

success, 215 guessing, 159, 200

trapped in a DMZ, 202–207 hashes, tables of, 180 MostFearD, 36 known plaintext attack, 165–166 MostHateD, 39–40 l0phtCrack, 116, 128–129 MS SQL injection attacks, protecting against, 191–192 l0phtCrack III, 180 Mudge (Zatko, Pieter) PkCrack, 165–166

the attack, 118–119 predictability, 103–104

background, 116 PwDump2, 180

dumpster diving, 118, 120–121 rainbow tables attack, 180

e-mail sniffing, 122 scanning e-mail messages, 178–179

final report, 123–124 searching file contents, 146, 210, 214

fortuitous blackout, 121–122 two-year hack, 159

get-out-of-jail-free card, 118 wildcards, 175

ground rules, 117–119 hacker observations, 180

meeting the client, 117 managing, 63, 189–190, 217

NDAs (nondisclosure agreements), 118–119 one-way hash, 128–129

tailgating, 121 protecting, 136

voicemail snooping, 122 RSA SecureID, 37

static, 88 NDAs (nondisclosure agreements), 118–119 Unix/Linux password files, 37 ne0h patch management, 44–45

on 9/11, 35 PC Anywhere, 208–211

background, 24 pedophile hack, 255–257

Boeing hack, 27–28 penetration testing

challenge to the FBI, 39 Dykes, Dustin

and Comrade, 22–25 accessing internal documents, 129–130

current activities, 40–41 the attack, 127–128

Indian Airlines hijacking, 29–30 background, 124

and Khalid Ibrahim, 25–27, 32–33 cease-and-desist process, 125

Lockheed Martin hack, 27–28 countermeasures, 135–137

SIPRNET hack, 29 establishing wireless access, 127–128

White House break-in, 35–39 ethics of social engineering, 135 netblocks, 101 ground rules, 125–126 Netcraft.com, 94–95 hand warmer trick, 133–134 netstat command, 96–97, 161 l0phtCrack, 128–129 networks logging keystrokes, 130–132

access protection, 136 outsmarting door sensors, 133–134

activity, monitoring, 96–97 password cracking, 128–129

establishing wireless access, 127–128 phony badges, 130–131, 137

examining connections, 161 planning, 126–127

intrusions, 161–163 red teaming, 126–127

mapping, 197–198, 202–207 REX (Request to Exit), 133

monitoring, 45–46 shoulder surfing, 126–127

netstat command, 161 tailgating, 132–133

shares, 177, 190 test results, 134–135

tracert command, 162–163

tracing packets, 162–163

penetration testing (continued) ProxyHunter, 99

Zatko, Pieter (Mudge) psychology of color, 225–226

the attack, 118–119 psychology of social engineering. See social psychology of social engineering

background, 116

dumpster diving, 118, 120–121 punishment. See also prison time; restitution

e-mail sniffing, 122 Anderson, Charles Matthew, 81, 82–84

final report, 123–124 Butler, William. See Texas prison hack

fortuitous blackout, 121–122 casino hack, 18

get-out-of-jail-free card, 118 Comrade, 30–32

ground rules, 117–119 Davis, Chad, 39–40

meeting the client, 117 Gregory, Patrick, 39–40

NDAs (nondisclosure agreements), 118–119 Katsaniotis, Costa, 81, 82–84

tailgating, 121 Lamo, Adrian, 107–109

voicemail snooping, 122 MindPhasr, 39–40 permissions, cracker countermeasures, 188–189 MostHateD, 39–40 personal firewalls, 186–187 reluctance to prosecute, 143 PHF (phone book) script, vulnerabilities, 43–44 SIPRNET hack, 30–32 phone book (PHF) script, vulnerabilities, 43–44 PwDump2, 180 phone hacking. See also phreaking

voicemail snooping, 122 RahulB (terrorist). See Ibrahim, Khalid; terrorist

war dialing, 71–72, 121 intrusions phony badges, 130–131, 137, 229–230 rainbow tables attack, 180 phreaking, 70–71, 84–86. See also phone hacking Rama3456 (terrorist). See Ibrahim, Khalid; terrorist physical access, 63–64 intrusions physical analysis. See dumpster diving random number generators ping sweeps, 202–203 manipulating the slots, 10 PkCrack, 165–166 reverse engineering, 6–8, 12–13 poker hack, 254–255 rewriting, 6–8 porn spam, 167–168 true randomness, 7, 20 port restrictions, 113 RAT (Remote Access Trojan), 96 port scanning reactance, 237–238

cracker countermeasures, 187 red teaming, 126–127

identifying server software, 155–157 Registry information, dumping, 161

security company intrusion, 199–201 Remote Access Trojan (RAT), 96 ports, using high numbers, 216 remote control of a PC, 208–211 preventive measures. See countermeasures Reno, Janet, 31–32 prison hack. See Texas prison hack Request to Exit (REX), 133 prison time. See also punishment; restitution; Texas restitution. See also prison time; punishment

prison hack Anderson, Charles Matthew, 82–84

Boron Federal Prison Camp, 86 Boeing hack (Matt and Costa), 82–83

federal prisons, 49–51 Katsaniotis, Costa, 82–84

phone phreaking, 84–85 Lamo, Adrian, 107–108

prison life, 49–51, 86–87 reverse DNS lookup

Sheridan Camp, 86 countermeasures, 111–112 prisoner escort intrusion Excite@Home hack, 95–96

3COM device configuration, determining, 200–202 security company intrusion, 197–198

accessing the company system, 211–215 reverse engineering

barging the IIS server, 213 C code to assembler, 173

countermeasures, 216–218 commercial software. See crackers

hackers' background, 195–196 random number generators, 6–8

identifying a router, 198–199 slot machine firmware, 5–6

mapping the network, 197–198, 202–207 REX (Request to Exit), 133

passwords, cracking, 200, 210, 214 risk assessment, 41–42
