It was early evening and ToneLoc had been averaging nearly 240 calls an hour for the past two days. The Don was getting antsy to check out the results.
Four hours to go. He sighed, and waited.
Finally, the wardialing finished. The Don, curious as to how many modems he actually had discovered , ran the simple tlreport tool included with ToneLoc.
C:\TONELOC>tlreport emtel.dat TLReport; Reports status of a ToneLoc data file by Minor Threat Report for emtel.DAT: (v1.00) Absolute Relative Percent Percent Dialed = 10000 (100.00%) Busy = 56 ( 0.56%) ( 0.56%) Voice = 4969 (49.69%) (49.69%) Noted = 3 ( 0.03%) ( 0.03%) Aborted = 0 ( 0.00%) ( 0.00%) Ringout = 4117 (41.17%) (41.17%) Timeout = 635 ( 6.35%) ( 6.35%) Tones = 0 ( 0.00%) ( 0.00%) Carriers = 220 ( 2.20%) ( 2.20%) Scan is 100% complete. 50:57 spent on scan so far.
Two hundred and twenty modems. The Don smiled as he copied the log files to his laptop and securely wiped the wardialing contents from his desktop machine.
To check the results of the scan, The Don needed a change of scenery . He decided that it was a fine night to be at Maxim s.
Later, illuminated by the glow of his 15 laptop screen, The Don checked each of the numbers that the wardialer had marked as potential hits, one by one, hoping for the one golden egg, the light at the end of the tunnel.
Many of the systems to which The Don connected just sat there. A dead modem connection, a digital black hole, so to speak. No matter what keys were pressed, they didn t respond. But The Don wasn t discouraged; for every handful of unresponsive machines, there is usually a diamond in the rough. Or at least a computer that can be probed for more information.
Finally, The Don got his first hit.
CONNECT 1200/NONE 01:45:38/04 0018 01 PEREYBERE ================================================= CHAN NO NO2 NOX TEMP CO SO2 UNITS PPM PPM PPM DEG K PPM PPM ================================================= 01:45 0.045 0.025 0.069 261 0.2 0.020
As soon as the connection was made, the system spit out a table containing concentration readings of various pollutants in parts -per-million ”Nitric Oxide, Nitrogen Dioxide, Carbon Monoxide, and Sulfur Dioxide. It looked like some sort of environmental monitoring system.
A quick Web search showed that Pereybere, printed on the first line of the table, is a small beach town on the northwest part of Mauritius. Poking around with various keys, The Don found that typing L provided a configuration menu.
L # PWR FAIL TO PRT (1-A) - 4 5 MIN STATUS 0,1 - 1 # A/D SMPS (1-99) - 06 PRELIMINARY AVG; 1=1MIN, 2=2MIN, 3=3MIN = 1 INTERIM AVG; 1=5MIN, 2=6MIN, 3=10MIN = 1 FINAL; 1=60MIN, 2=30MIN, 3=15MIN = 1 AVERAGE (1) OR INSTANTANEOUS (2) = 1 CARTRIDGE INTERVAL; 1=FINAL, 2=INTERIM, 3=PRELIM, = 1 NUMBER OF WS/WD PAIRS 0-3 = 0 WD SENSOR TYPE; 1=540 2=360 = 1 # CHANNEL TO RECORD 1-8 = 6 IS CHANNEL 1 RAINFALL (Y/N) - N CART ROLLOVER (Y/N) - Y RECORD DATA STATUS - Y RECORD INPUT STATUS - N MULTIPLE UNIT - N PORTABLE OPERATION - N PARALLEL PORT - Y PRT SMALL CHARS Y/N - N CAL CONFIGURATION PARAMETER TYPE 8 - 1 16 - 9 EXPECTED CAL FS NO I ..Z..... ........ 0.000 0.500 NO I .S...... ........ 0.000 0.500 NO2 I ..Z..... ........ 0.000 0.500 NO2 I .S...... ........ 0.366 0.500 NOX I ..Z..... ........ 0.000 0.500 NOX I .S...... ........ 0.367 0.500 CO I ......Z. ........ 0.0 50.0 CO I .....S.. . ....... 36.9 50.0 SO2 I ....Z... . ....... 0.000 0.500 SO2 I ...S.... . ....... 0.356 0.500 04-11-69.M28,JD131, P740,AQM,NS,RAIN=10IN,AC-2,SP=4,SQ=4,PSW-0 ,OME,TP,BKT,8CH,16CO,24S,PP-6,OMA,4M,FDA,HBA
With a snicker, The Don moved down the list. A few more dead modem connections before he hit another interesting one.
CONNECT 9600 @ Userid:
He instantly recognized this as a Shiva LanRover, a remote access server, probably part of the University on the island. Logging in as root with no password, The Don was granted supervisor access to the device. The funny thing is that the unpassworded root account has been a known problem with Shiva LanRovers for over a decade .
Chalk it up to choosing user convenience over security, quipped The Don.
@ Userid: root Shiva LanRover/8E, Version 2.1.2 LanRoverE_3F6500# ? clear <keyword> Reset part of the system configure Enter a configuration session connect <port set> Connect to a shared serial port debug Enter a debug session disable Disable privileges help List of available commands initialize <keyword>Reinitialize part of the system passwd Change supervisor password ppp Start a PPP session quit Quit from shell reboot Schedule reboot show <keyword> Information commands, type "show ?" for list slip Start a SLIP session LanRoverE_3F6500# show ? arp ARP cache bridge <keyword> Bridging information buffers Buffer usage configuration Stored configuration interfaces Interface information ip <keyword> Internet Protocol information lines Serial line information log Log buffer modem <keyword> Internal modem information netbeui <keyword> NetBeui information novell <keyword> NetWare information processes Active system processes security Internal userlist users Current users of system version General system information LanRoverE_3F6500#
Since the LanRover can be used to gain access to any phone lines connected to it (or to any networked machines connected to it via the telnet command), The Don could use this system as a relay point to mask his steps for future attacks. That could be fun for stuff later on, but his goal right now was to find the telephone switch. He had promised , and he d deliver.
A few minutes later, another good connection.
CONNECT 2400/NONE Version 0101, Release 29(09/14), Rom 3, 128K. Password : 110XXXXXXXX
Some sort of password was already entered in the field, so on a hunch The Don simply pressed Enter. Not surprisingly, he was presented with a menu.
Credit Report Menu Credit Station Bureau Status Other Services Function Key setup Initiate Service Call Use arrows to select Choice and press return. Or enter first letter of selection. Hit ESC to return to previous menu.
Pressing C , The Don was prompted with a submenu.
::::::::::::::::::CREDIT STATION::::::::::USER A::::BATCH 1 ::::::: A)dd, E)dit, F)ind applicant, G)enerate letter, H)old, D)elete, L)ist, T)ransmit, O)nline, C)ancel transmit, B)atch selection, P)rint letters. Use Arrows. ESC-exit ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Curious of what the system could be, The Don pressed G to delve deeper and was greeted with yet another menu.
CREDIT STATION USER A BATCH 1 LETTER GENERATION A- DENIAL J- INADEQUATE COLL S- WE DO NOT GRANT 1- COND APPRVL B- CREDIT APP INC K- TOO SHORT RESID T- OTHER (SPECIFY) 2- ADD COLLATRL C- INSUFF CR REF L- TEMP RESIDENCE U- PAY HIST LETTER 3- CO-SIGN REQ D- TEMP/IRR EMPLY M- UNABLE VER RESI V- Info. From CBI 4- PAY HISTORY E- UNABLE VER EMP N- NO CREDIT FILE W- Info Local Bur 5- CLAIMS & ACK F- LENGTH OF EMPLY O- INSUFF CR FILE X- Info. From TU 6- PNOTE LETTER G- INSUFF INCOME P- DEL CR OBLIGAT Y- Info. From TRW 7- cllctr ctgs H- EXCESSIVE OBLIG Q- GAR,ATT,FOREC, Z- CLOSING 8- MEMO I- UNABLE VER INCO R- BANKRUPTCY 0- 9- OUT. SOURCE
The system appeared to be an insurance, rental, or leasing agency. Escaping back to the main menu, The Don selected B for Bureau Status. A short listing appeared on his screen.
CREDIT STATION USER A BUREAU STATUS DEPT 1 # Bureau #Ind #Jnt Calls Tot_Access Last_Access #err Status 1 CBI 4790 0 1135 17:01:30 Wed 15:04 41 Ready 2 TRW 1136 0 168 15:38:04 Thu 12:46 8 Ready 3 TRANS UNION 290 0 97 3:13:56 Tue 02:53 2 Ready C TRANS UNION 234 0 27 1:18:33 Thu 01:01 4 Ready J ATLAS 3 4 0:00:59 Wed 01:39 0 Ready
So, this system also had direct access to a variety of credit bureaus. Just like the other systems that The Don had encountered thus far, no password was required. If The Don ever needed to pull credit information on an individual target, this would be the place to do it. Maybe he ll mention this to Knuth. Or maybe he ll just keep it to himself for now. He chuckled, made a note of it, and kept going.
The next system looked familiar. But from where?
CONNECT 19200 Local -010- Session 1 to GG established ****************************************************************** * * * W A R N I N G * * * * INTERNAL USE ONLY * * * * UNAUTHORIZED ACCESS IS PROHIBITED * * * ****************************************************************** Username:
The Don grabbed a small notebook from his courier bag, laid it out on the table, and started flipping through the ragged pages. Then it dawned on him ”while doing some research for the landmine heist with the crew back in Boston, he had happened upon a similar looking system that served him well. And although it looked like a typical DECServer prompt, it was not. It was most likely an Alcatel/DSC DEX 600 switch or the older 200 or 400 series. When The Don came across this type of system last year, he had turned away from his computer to sift through some papers. He turned back around to realize that he had been logged in automatically. The system timed out and just let him through. Was that a bug or feature? What were the chances that the same thing would occur here?
The Don sat motionless for a few seconds and waited to find out. The seconds turned into minutes. Then, suddenly, the screen came to life.
Error reading command input Timeout period expired >
And there he was.