Initial Reconnaissance


Sendai first must perform some light reconnaissance against the three hosts Knuth gave him. Given the amount of white-noise scanning traffic all over the Internet, he could probably get away with scanning from his own home IP address. A chill passes through him as he remembers Operation Sundevil. No, scanning from his own ISP is unacceptable. He moves to his laptop, plugs an external antenna into the 802.11 card, then starts Kismet to learn which of his neighbors have open access points available now. He chooses one with the default ESSID linksys, because users who do not bother changing router defaults are less likely to notice his presence. Ever careful, Sendai changes his MAC address with the Linux command ifconfig eth1 hw ether 53:65:6E:64:61:69, associates with linksys, and auto-configures via DHCP. iwconfig shows a strong signal, and Sendai verifies that cookies are disabled in his browser before loading Slashdot to confirm network connectivity. He should have used a different test, as he wastes 15 minutes reading a front-page story about the latest Fiasco outrage.

Sendai needs only a little bit of information about the targets right now. Most importantly, he wants to know what operating system they are running so that he can tailor his rootkit appropriately. For this purpose, he obtains the latest Nmap Security Scanner [2] from www.insecure.org/nmap. Sendai considers what options to use. Certainly he will need -sS -F, which specifies a TCP SYN ("stealth") scan of about a thousand commonly used ports rather than the full 65,535. The -P0 option ensures that the hosts will be scanned even if they do not respond to Nmap's ping probes, which by default consist of an ICMP echo request as well as a TCP ACK packet sent to port 80; a firewall that drops both would otherwise cause Nmap to skip the host entirely. Of course -O will be specified to provide OS detection. The -T4 option speeds things up, and -v activates verbose mode for some additional useful output. Then there is the issue of decoys. This Nmap option causes the scan (including OS detection) to be spoofed so that it appears to come from many machines. A target administrator who notices the scan will not know which machine is the actual perpetrator and which are innocent decoys. Decoys should be hosts that are actually up and reachable on the Internet for believability; probes apparently coming from a dead address are easy to discount. Sendai asks Nmap to find some good decoys by testing 250 IP addresses chosen at random.

Finding Decoy Candidates with Nmap

start example
 # nmap -sP -T4 -iR 250
Starting nmap 3.50 ( http://www.insecure.org/nmap/ )
Host gso167-152-019.triad.rr.com (24.167.152.19) appears to be up.
Host majorly.unstable.dk (66.6.220.100) appears to be up.
Host 24.95.220.112 appears to be up.
Host pl1152.nas925.o-tokyo.nttpc.ne.jp (210.165.127.128) appears to be up.
Host i-195-137-61-245.freedom2surf.net (195.137.61.245) appears to be up.
Host einich.geology.gla.ac.uk (130.209.224.168) appears to be up.
Nmap run completed -- 250 IP addresses (6 hosts up) scanned in 10.2 seconds
# 
end example
 

Sendai chooses these as his decoys, passing them as a comma-separated list to the Nmap -D option. This carefully crafted command is completed by the three target IP addresses from Knuth. Sendai executes Nmap and finds the following output excerpts particularly interesting.
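Turning the host-discovery output above into the comma-separated -D argument, and sanity-checking the spoofed MAC address from earlier, as an added shell example that is not part of the chapter. The Nmap output is the chapter's own sample, embedded as a constant so the script runs offline without nmap; the function names, the placeholder TARGET1/2/3 list and the alternative address 52:65:6E:64:61:69 are assumptions of this example. One caveat it surfaces: the first octet of 53:65:6E:64:61:69 (ASCII "Sendai") is odd, so its I/G bit is set and it is a group (multicast) address rather than a unicast station address; newer Linux kernels refuse to set such an address on an interface, and on the wire it would stand out rather than blend in.

```shell
#!/bin/sh
# Added example, not the chapter's code: build the decoy scan command line
# from nmap's host-discovery output, and sanity-check a spoofed MAC address.
# The output below is the chapter's own "nmap -sP -T4 -iR 250" sample,
# embedded as a constant so this runs offline without nmap.
ping_scan_output='Starting nmap 3.50 ( http://www.insecure.org/nmap/ )
Host gso167-152-019.triad.rr.com (24.167.152.19) appears to be up.
Host majorly.unstable.dk (66.6.220.100) appears to be up.
Host 24.95.220.112 appears to be up.
Host pl1152.nas925.o-tokyo.nttpc.ne.jp (210.165.127.128) appears to be up.
Host i-195-137-61-245.freedom2surf.net (195.137.61.245) appears to be up.
Host einich.geology.gla.ac.uk (130.209.224.168) appears to be up.
Nmap run completed -- 250 IP addresses (6 hosts up) scanned in 10.2 seconds'

# Print the IPv4 address of every host reported up, one per line.
# nmap prints either "Host name (ip) appears to be up." when reverse DNS
# resolves, or "Host ip appears to be up." when it does not; handle both.
up_hosts() {
  printf '%s\n' "$1" | sed -n \
    -e 's/^Host .* (\([0-9.][0-9.]*\)) appears to be up\.$/\1/p' \
    -e 's/^Host \([0-9.][0-9.]*\) appears to be up\.$/\1/p'
}

# Join the live hosts into the comma-separated list that -D expects.
# (nmap also accepts the token ME in that list to fix where the real
# source address appears; left out here, so nmap picks a random slot.)
decoy_list() {
  up_hosts "$1" | tr '\n' ',' | sed 's/,$//'
}

# Assemble the scan command from the chapter (printed, not executed).
build_scan_cmd() {
  printf 'nmap -sS -F -P0 -O -T4 -v -D%s %s\n' "$1" "$2"
}

# A spoofed MAC should be a plausible unicast station address: bit 0 of
# the first octet is the I/G bit, and when it is set the address is a
# group (multicast) address. Returns 0 for unicast, 1 otherwise.
unicast_mac() {
  first=$(printf '%s' "$1" | cut -d: -f1)
  [ $(( 0x$first & 1 )) -eq 0 ]
}

# Stand-alone demo with placeholder targets (assumption of this example).
decoys=$(decoy_list "$ping_scan_output")
build_scan_cmd "$decoys" "TARGET1 TARGET2 TARGET3"
for mac in 53:65:6E:64:61:69 52:65:6E:64:61:69; do
  if unicast_mac "$mac"; then
    echo "$mac: unicast, usable as a spoofed source address"
  else
    echo "$mac: group address (first octet odd), not a valid station address"
  fi
done
```

Run it as `sh decoys.sh`; the printed command is the one the chapter describes, with the six discovered hosts in the -D list. Swapping in 52:65:6E:64:61:69 clears the I/G bit while keeping the locally-administered bit set, which is what a deliberately chosen non-vendor address should look like.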

OS Fingerprinting the Targets

start example
 # nmap -sS -F -P0 -O -T4 -v -D[decoyslist] [IP addresses]
Starting nmap 3.50 ( http://www.insecure.org/nmap/ )
[...]
Interesting ports on fw.ginevra-ex.it (XX.227.165.212):
[...]
Running: Linux 2.4.X
OS details: Linux 2.4.18 (x86)
Uptime 316.585 days
[...]
Interesting ports on koizumi-kantei.go.jp (YY.67.68.173):
[...]
Running: Sun Solaris 9
OS details: Sun Solaris 9
[...]
Interesting ports on infowar.cols.disa.mil (ZZ.229.74.111):
[...]
Running: Linux 2.4.X
OS details: Linux 2.4.20 - 2.4.22 w/grsecurity.org patch
Uptime 104.38 days 
end example
 

As the results scroll by, the first thing that catches Sendai's eye is the reverse DNS names. It appears that he is out to compromise the firewall of a company in Italy, a Japanese government computer, and a US military Defense Information Systems Agency host. Sendai trembles a little at that last one. This is certainly one of the most puzzling assignments he has ever had. What could these three machines have in common? Knuth no longer appears to be a spammer. "I hope he is not a terrorist," Sendai thinks, while trying to shake thoughts of spending the rest of his life branded as an enemy combatant and locked up at Guantanamo Bay.

[2] Nmap was written by your humble author.