Doing the Meat Thing

Security at the main gate of the compound was probably as good as physical security could be in Nigeria ”a guard armed with an AK47 and a logbook in a hut. As the taxi stopped , Charlos rolled down his window. Charlos was dressed in a white flannel shirt, dark brown pants, and sandals. He hid the notebook under the seat and smiled at the security guard. Hi, my name is Robert Redford. I came here to visit Paul Meyer; he works for the NOC.

Did you make an appointment?

Charlos didn t expect this but kept his cool. I am in Lagos for business. Paul is an old friend of mine; we used to study together...

Sorry sir, without an appointment you cannot pass.

Charlos reached for his pocket and pulled out a couple of 100 Naira bills. Please, he said, holding out the notes, I am only here today. Tomorrow I fly back again. The guard eagerly took the money. Do you know which room I could find him? Charlos pushed his luck. But the guard did not know and Charlos s taxi rolled into the compound.

He walked toward what appeared to be the entertainment area ”a big screen TV tuned to some sports channel was situated in the corner. There was a Sony PlayStation II hooked up to the TV and a stack of pirated DVDs lying on a coffee table. On the couch a man was sleeping; his forehead was covered in sweat and Charlos figured he was sweating out a malaria attack. Charlos woke him up. Do you know where I can find Paul Meyer?

He s not here, he s at work, where else?! the man grunted. He spoke with a thick Australian accent and it was clear that he was in pain and annoyed that someone woke him from his feverish dreams.

Charlos pushed on, I m an old friend of his, he said to meet me here at 10:30.

Room 216, west wing.

The door at Meyer s flat was locked, and there was no keyhole ”a numeric keypad was installed. Probably because of the high volume of contractors that stay for only a month, pack up their stuff and leave at night, Charlos thought. Charlos was feeling a bit disappointed that he never asked Meyer about access to his room. He slipped with that little detail. His lock picking equipment was rendered useless. He tried 1234 as a PIN; it didn t work. He tried 0000; it didn t work either. Charlos remembered from his research that Meyer s birthday was the 14th of May and he was 31 years old. He remembered it because Meyer shared his birthday with Charlos s ex-wife. He tried 1405; no luck. 0514 didn t work. Finally, Charlos tried 1973 and he could hear the door click open . He was lucky this time.

Once inside the room Charlos was in known territory. He gently closed the door behind him, put on his surgical gloves, and took out his palm- sized digital camera. He took a few pictures of the room. This served two purposes: to ensure he left everything exactly the way it was when he walked into the room, and as additional proof to his employers that he had indeed reached his target. The place was a mess of computer equipment; Charlos smiled. The less organized, the less chance of Meyer finding anything out of place. Meyer s flat had a double bed, a walk-in kitchenette, bathroom, and living area. The living area had been transformed into an office/lab environment. There were several Ethernet cables hanging from the table, WiFi APs, computers without their covers, and audio equipment. These were decorated with coffee mugs, empty soft drink cans, and snubbed out cigarette butts ”one or two days worth, not more. My kind of place, Charlos muttered. He picked up the telephone in Meyer s room and phoned his prepaid cell phone (it was a habit of his to get his target s phone number). Charlos started looking around for Meyer s main computer. In the center of the table were two 17 flat panels, an optical trackball mouse, and a keyboard. No computer. A Sun Sparc 10 sat perched on the floor, without a screen, but with a keyboard on top of it. Then he saw it ”a Dell docking station attached to the main keyboard, and a clear open space on the table where the notebook must be. Meyer apparently took his notebook with him to work and brought it back here. This meant complications for Charlos. He could bug the keyboard here in the flat, but it meant missing out on his bonus, the files on Meyer s machine. Did Meyer even connect to the NOC network from home? Would he be able to steal credentials to the NOC network from here? Charlos started by installing the keystroke logger first.

He gently opened the keyboard with his electric screwdriver. When you ve done this hundreds of times it becomes second nature. The keyboard s coiled wire plugged into the keyboard via a small white clip. The keyboard logger chip that Charlos used had two white clips on it, a male and a female . The chip clips in where the keyboard normally plugs in, and the coiled cabled plugs into the chip. Finally, the chip secures neatly to the keyboard s plastic cover with some double-sided tape. Keyboard logger manufacturers quickly discovered that the speed at which a device can be commissioned was a major selling point. Gone were the days of cutting wires and struggling with a soldering iron.

Charlos put the beige-colored keyboard cover back on and shook the keyboard. No rattles, no loose keys, as good as new. Nobody would ever think the device was bugged . He plugged the keyboard back into the docking station. In a sense he was lucky ”he didn t have to take any chances with plugging out the keyboard on a live machine. This sometimes required a reboot of the machine ”not a big problem in Nigeria with its unreliable power supply.

He looked at his watch: 11h36. He still had plenty of time to install the creeper box. The creeper box was worth its weight in gold. A very small PC with a footprint of about 12x12x4 cm, equipped with a single Ethernet and tri- band GSM modem, the creeper could be installed virtually anywhere there was power, GSM coverage, and Ethernet. Whatever the assignment, Charlos always packed a creeper box. Once installed, the creeper would periodically dial out via GPRS to the Internet, making it a box that can be controlled from anywhere in the world. As soon as the machine connected to the Internet it would SMS him its IP number, a machine on the internal network totally under his control. The box packed all the latest exploits, tools needed to sniff the network, inject packets, and scanners . It could be remotely booted into a choice of either Linux or XP.

Charlos booted his notebook. The idea was to plug into the hub and get a sense of the traffic that was floating on the network in order to assign the creeper an IP address on Meyer s internal network. But something strange happened . With his notebook booted into Windows XP it registered a wireless network. The SSID of the network name was NOCCOMP ”the NOC compound. A DHCP server already assigned an IP address to his notebook. No WEP, nothing. Charlos smiled. In fact, he laughed out loud, added an ipconfig /all , and noted the IP number.

The question now was, how deep in the NOC network was this compound wireless network? Charlos dialed into the Internet from his GSM phone, and tried a zone transfer of the noc.co.ng domain. It was refused . He ran his DNS brute forcer and within five minutes saw that the server intranet-1.noc.co.ng had an IP address of 172.16.0.7. The IP given to him by the compound s DHCP server was in the 10 range. Both IP numbers were assigned to internal networks, but that meant nothing. The networks could be totally separate or maybe filtered by a nasty firewall. Charlos terminated his call and reconnected to the wireless network. Again he received an IP address in the 10 range. His fingers trembled as he entered ping 172.16.0.7 . And voil  , it responded less than 100ms. Not local, but not far away. Now for the major test: A quick portscan would reveal if the machine was indeed filtered. Charlos whipped up an Nmap. The results came in fast and furious: 21,80,139,443,445,1433. Default state: closed. This meant that the server was totally open from his IP ”no filtering or firewalling was done. Charlos was tempted to take a further look at the wide-open network, but thought otherwise . He was contracted to get Meyer s credentials and create a channel into the NOC network.

From his bag of tricks Charlos took a PCMCIA cradle and unscrewed the Ethernet card from the creeper. Who needs to hook into Meyer s network if you have unhindered access to the NOC internal network via the wireless network? He slid one of his 802.11b cards into the cradle and closed the creeper again. This was just beautiful ”he had GSM on the one interface, WiFi on the other ”all he needed was power. He didn t even have to place the box in Meyer s room; it could be anywhere in the compound! Meyer s room was as good as any place; he would probably notice the device only when he moved out of his flat. Charlos started looking around for a good hiding place for the machine. With trouble he moved the 2m high bookcase away from the wall. He was indeed lucky. Behind the bookcase was a power outlet. He gave the creeper power and set it down on top of the bookcase . He moved the case back against the wall, and started walking around in the room, making sure the box was not visible from any point in the flat. While still doing so his cell phone vibrated inside his pocket ”it was the creeper reporting in over the Internet.

Before leaving the apartment, Charlos checked the pictures on his digital camera. He moved the keyboard a few inches to the left, not that he thought Meyer would ever notice, but he took pride in his work. Everything had to be perfect. He checked his watch: 12h44. He was hungry. His taxi was still waiting for him in the parking lot. He was in time to get a Star and a chili chicken pizza at the hotel for lunch .

Back at the hotel, Charlos had lunch and a quick nap; the jet lag still hadn t worn off. By the time he woke up it was 16h55 and he had another SMS from his creeper box, faithfully checking in every four hours and disconnecting from the Internet after five minutes of inactivity. His next window was at around 20h40. He should check that everything is in place. He hung around the hotel for the next couple of hours taking a swim, going to the gym, smoking a couple of cigarettes, watching CNN. Just after eight, Charlos dialed up to the Internet from his GSM phone. From his MSN window Charlos would see that Meyer was online. At 20h38 his phone signaled the awakening of the creeper again. He SSH-ed into the box on port 9022, configured the wireless interface, and received an IP address from the compound s DHCP server. There was significant lag on the line, but that was just because of his slow 9600 baud connection. It was time to conclude his little project.

Charlos fired up Tethereal on the creeper. He could see a lot of traffic floating over the wireless network ”mostly HTTP requests to porn sites, MSN, e-mail, and some IRC. He entered into conversation with Paul Meyer. The idea was to see if he could see Meyer s traffic. Was Meyer s little home network connected to the NOC s compound network via the same wireless network? It was indeed. As Jacob Verhoef chatted to Paul Meyer, Charlos could see the conversation on his creeper s sniffer. Charlos remembered the APs he saw in Paul s place. This was good, really good. Although Charlos didn t own Meyer s machine it felt like he did. Now all he had to do was get him to log into the NOC domain, perhaps some firewalls, a router here, a fileserver there. Although most of the protocols are encrypted, his keystroke recorder would record every keystroke, including usernames, passwords, and so on.

It didn t happen that night or the night after that. Charlos was getting totally sick of Stars, chili chicken pizza, playing pool at the bar, and keeping the prostitutes at bay. His patience was running out fast. He had credentials as domain controller to the NOC domain, Meyer s personal mailbox, his MSN account, and more, but he lacked credentials to the firewalls and routers. Four days after he planted the bugs he made a bold move ”he faked a CERT advisory to the Full Disclosure mailing list stating that a terrible virus is sweeping across the world using IP protocol 82 and 89. All Cisco routers should be patched, and administrators must make sure they block these protocols on their firewalls. Charlos sent the advisory at around 8:00, making sure that Meyer would receive the alert while at home. It proved to be very effective. As a good security officer Meyer was logging into every router and firewall in the NOC network, blocking these protocols with ACLs on the routers and packet filters on the firewalls.

Charlos gave his logger another week - it had the capacity for half a million keystrokes and he was starting to ease into a routine at the hotel. Full disclosure discredited the CERT advisory. It became just another topic of pointless discussion, but it served its purpose. Two weeks since he arrived in Lagos, Charlos paid Meyer s room another visit. Knowing the combination to his room and using his only here for a day excuse with the gate guard Charlos slipped into Paul Meyer s room, removed the chip from his keyboard, and headed back to the hotel. He put the chip into a plastic bag, along with the chip s password. In another bag he inserted the GSM SIM card, the SIM card s PIN, and instructions on the schedule of the creeper plus how to connect to it over the Internet. He added some of the photos he took of Meyer s room to the bag. Finally, he made a list of passwords and IP numbers he obtained from the chip on a single piece of paper. All this was inserted into a small wooden box, wrapped in heavy duty brown paper. He made sure he wiped his fingerprints from the bag and the package ”you can never be too sure. On his way to the airport Charlos stopped at DHL offices and mailed the package to the address given to him by Antonio. The name on the address was just Knuth, no last name or first name. That seemed a little odd to Charlos, but as he had found out, curiosity could get him killed , so he just moved forward with what he was hired to do. He wiped the prepaid cell phone clean of any fingerprints and dropped it with the SIM card intact into the river .

And just like that he disappeared.