Seeking the Prize

After all this preparation, Sendai is ready to go after the three primary targets. First he must learn as much as possible about them. He starts with an intrusive Nmap scan. Red Hat 9 comes with Nmap 3.00, which is far out of date. Sendai grabs the latest version from www.insecure.org, then compiles and installs it into a directory hidden by Shrax. As for the options, Sendai will use -sS -P0 -T4 -v for the same reasons as for his previous scan. Instead of -F (scan the most common ports), Sendai specifies -p0-65535 to scan all 65,536 TCP ports. He will do UDP (-sU) and IP-Proto (-sO) scans later if necessary. Instead of -O for remote OS detection, -A is specified to turn on many aggressive options including OS detection and application version detection. Decoys (-D) are not used this time because version detection requires full TCP connections, which cannot be spoofed as easily as individual packets. The -oA option is given with a base filename. This stores the output in all three formats supported by Nmap (normal human readable, XML, and easily parsed grepable). Sendai scans the machines one at a time to avoid giving the other organizations an early warning. He starts with the Italian company, leading to the following Nmap output.

Nmap Output: A More Intrusive Scan of Ginevra

# nmap -sS -P0 -T4 -v -A -p0-65535 -oA ginevra-ex
Starting nmap 3.50 ( )
Interesting ports on (XX.227.165.212):
(The 65535 ports scanned but not shown below are in state: filtered)
22/tcp open  ssh     OpenSSH 3.7.1p1 (protocol 1.99)
Running: Linux 2.4.X
OS details: Linux 2.4.18 (x86)
Uptime 327.470 days
TCP Sequence Prediction: Class=random positive increments
                         Difficulty=2325858 (Good luck!)
IPID Sequence Generation: All zeros
Nmap run completed -- 1 IP address (1 host up) scanned in 1722.617 seconds

The results show that 22 is the only open TCP port. Sendai is a little disappointed. He was hoping for many more ports, as each is a potential security vulnerability. He notices the line saying that the other 65,535 ports are in the filtered state. That usually means administrators have made an effort to secure the box, since most operating systems install in a default closed state. A closed port returns a RST packet, which tells Nmap that the port is reachable but no application is listening. A filtered port does not respond at all. It is because virtually all the ports were filtered that Nmap took so long (almost half an hour) to complete. Probes against closed ports are quicker because Nmap has to wait only until the RST response is received rather than timing out on each port. A RST response also means that no retransmission is necessary since the probe obviously was not lost. Care clearly was taken to eliminate unnecessary services on this machine as well. Most Linux distributions ship with many of them open. It is also common for small companies to host infrastructure services like name servers and mail servers on the firewall. They do this to avoid placing these public services on a separate DMZ network, but it substantially weakens their security. As a pen-tester, Sendai had compromised many firewalls because they were inappropriately running public BIND nameservers. Apparently Ginevra is smarter than that.
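The paragraph above explains why a box with everything filtered takes so much longer to scan than a stock install: silence has to be retried and timed out, while a RST settles the question at once. The following model is an added illustration written for this chapter, not Nmap's own code; the timeout of one second, the three tries, and the three simulated hosts are assumptions chosen to make the effect visible.

```python
"""Model of how a SYN scan decides a port's state, and why filtered ports are
expensive. Added illustration, not Nmap's code; the timing constants and the
simulated hosts are assumptions, not Nmap's real defaults or any real host."""
from dataclasses import dataclass
from typing import Callable, Optional

# Possible answers to a SYN probe (constructed for the model).
SYN_ACK = "SYN/ACK"      # something is listening: open
RST = "RST"              # reachable but nothing listening: closed
NO_REPLY = None          # dropped by a firewall, or simply lost in transit


@dataclass
class Probe:
    reply: Optional[str]
    delay: float         # seconds until the reply arrives (unused when dropped)


# A responder answers (port, attempt_number) with a Probe outcome.
Responder = Callable[[int, int], Probe]


def classify_port(port: int, responder: Responder,
                  timeout: float = 1.0, max_tries: int = 3):
    """Return (state, seconds_spent). Any reply settles the state immediately;
    silence is retried up to max_tries times before the port is called
    filtered, because a single lost probe must not be mistaken for a firewall."""
    elapsed = 0.0
    for attempt in range(1, max_tries + 1):
        probe = responder(port, attempt)
        if probe.reply == SYN_ACK:
            return "open", elapsed + probe.delay
        if probe.reply == RST:
            return "closed", elapsed + probe.delay
        elapsed += timeout   # waited the whole timeout and nothing came back
    return "filtered", elapsed


def scan(ports, responder: Responder, **kw):
    """Classify every port; returns ({port: state}, total_seconds)."""
    states, total = {}, 0.0
    for p in ports:
        state, spent = classify_port(p, responder, **kw)
        states[p] = state
        total += spent
    return states, total


# --- constructed hosts ------------------------------------------------------
def hardened_host(port, attempt):
    """Like the scan above: only 22 answers, every other probe is dropped."""
    return Probe(SYN_ACK, 0.05) if port == 22 else Probe(NO_REPLY, 0.0)


def default_host(port, attempt):
    """Stock install: 22 open, all other ports send RST promptly."""
    return Probe(SYN_ACK, 0.05) if port == 22 else Probe(RST, 0.05)


def lossy_host(port, attempt):
    """Closed port 80 whose first RST is lost; the retry recovers the truth."""
    if port == 80 and attempt == 1:
        return Probe(NO_REPLY, 0.0)
    return Probe(RST, 0.05)


if __name__ == "__main__":
    ports = range(0, 1024)
    for name, host in (("hardened", hardened_host), ("default", default_host)):
        states, secs = scan(ports, host)
        counts = {s: sum(v == s for v in states.values()) for s in ("open", "closed", "filtered")}
        print(f"{name}: {counts} simulated time={secs:.1f}s")
```

Running it shows the hardened host costing roughly sixty times longer for the same port range, entirely because of timeouts on silent ports; the lossy host shows why the retry matters before a port is declared filtered.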

According to Nmap, port 22 is running OpenSSH 3.7.1p1. This is another service that would not be available to the whole Internet in an ideal world, but Sendai can understand why administrators allow it. If something breaks while they are far from home, the admins want to connect from the nearest available Internet service. In so doing, administrators accept the risk that attackers might exploit the service. Sendai intends to do just that. OpenSSH has a sordid history of at least a dozen serious holes, though Sendai does not recall any in this version. Several exploitable bugs in buffer management code were described in CERT Advisory CA-2003-24, but those problems were fixed in 3.7.1. Sendai may have to implement a brute force attack instead. This is often quite effective, though it can take a long time. First Sendai will troll the Internet looking for employee names and e-mail addresses. He will search web pages, USENET and mailing list postings, and even regulatory findings. These will help him guess usernames that may be authorized on fw. He will also try to trick the public company mail server into validating usernames. The username root, of course, will be added to the brute force list.

With a list of users in hand, Sendai will begin the search for possible passwords. He already has a list of the 20,000 most popular passwords out of millions that he has acquired from various databases. Everyone knows words like secret, password, and letmein are common. What used to surprise Sendai is how common profane passwords are. Fuckyou is #27 on his list, just above biteme. It is also surprising how many people think asdfgh is a clever, easy-to-type password that no bad guys will ever guess.

Of course, common passwords differ dramatically based on the organization they are from. So Sendai cannot use just his top password list. He will need to download an Italian language wordlist. Then he will recursively download the entire Web site and parse it for new words. Finally, Sendai will whip out Hydra, his favorite open source brute force cracker, to do the actual attack. It may take days, but Sendai is optimistic that he will find a weak password.

Sendai is preparing his plan when he suddenly remembers an obscure vulnerability that affects only OpenSSH 3.7.1p1, and then only when the Pluggable Authentication Modules (PAM) system is in use and privilege separation is disabled. PAM is often used on Linux boxes, so he decides to give it a shot. The vulnerability is laughably easy to exploit. You simply try to log in using SSH protocol 1 and any password (except a blank one) is accepted. No wonder that problem did not last long before being discovered and fixed! Sendai crosses his fingers and begins to type.

psyche> ssh -1
The authenticity of host ' (XX.227.165.212)' can't be established.
RSA1 key fingerprint is 2d:fb:27:e0:ab:ad:de:ad:ca:fe:ba:be:53:02:28:38.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ',XX.227.165.212' (RSA1) to the list of known hosts.'s password: 

There is that happy hash prompt again! Sendai will not have to spend days preparing and executing a noisy brute force attack. He does a little root dance, which is similar to what sports players sometimes do when scoring a goal. Nobody is logged onto fw at the time, and the last command shows that people rarely do. So Sendai takes his time cleaning the logs and installing Shrax. He is exceedingly careful not to crash or otherwise break the box, as that sort of blunder could be ruinous.
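The flaw Sendai relied on needed three things lined up at once: protocol 1 offered, PAM in use, and privilege separation switched off. An administrator can check a server's sshd_config for exactly that combination. The auditor below is an added defender-side example, not part of the original chapter or of OpenSSH; the directive names (Protocol, UsePAM, UsePrivilegeSeparation) are OpenSSH's, while the two sample configurations are constructed and the decision to report missing directives rather than assume a build's defaults is a design choice of this script.

```python
"""Audit an sshd_config for the combination the OpenSSH 3.7.1p1 PAM flaw needed:
protocol 1 offered, UsePAM yes, UsePrivilegeSeparation no. Added defender-side
check, not OpenSSH's code; the sample configurations are constructed."""
import re


def parse_sshd_config(text: str) -> dict:
    """Return {lowercase_directive: value}. The first occurrence of a directive
    wins, matching how sshd treats repeated keywords; comments are dropped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        conf.setdefault(parts[0].lower(), parts[1].strip())
    return conf


def audit(text: str) -> list:
    """Return a list of findings; an empty list means nothing to report.
    A directive that is absent is reported as 'not set' so the reviewer checks
    the installed build's default instead of this script guessing it
    (assumption: version-specific defaults are deliberately not encoded)."""
    conf = parse_sshd_config(text)
    findings = []
    protocols = {p.strip() for p in conf.get("protocol", "").split(",") if p.strip()}
    proto1 = "1" in protocols
    pam = conf.get("usepam", "").lower() == "yes"
    no_privsep = conf.get("useprivilegeseparation", "").lower() == "no"
    if proto1:
        findings.append("Protocol 1 is offered; only protocol 2 should be enabled")
    if pam and no_privsep:
        findings.append("UsePAM yes together with UsePrivilegeSeparation no: "
                        "the PAM code runs without the privsep sandbox")
    if proto1 and pam and no_privsep:
        findings.append("all three conditions of the OpenSSH 3.7.1p1 PAM bypass "
                        "are present; confirm the installed version is patched")
    for key in ("protocol", "usepam", "useprivilegeseparation"):
        if key not in conf:
            findings.append(f"{key} not set; verify this build's default")
    return findings


# Constructed samples, not any real host's configuration.
WEAK = """\
Port 22
Protocol 2,1
UsePAM yes
UsePrivilegeSeparation no
"""

HARDENED = """\
Port 22
Protocol 2
UsePAM yes
UsePrivilegeSeparation yes
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(cfg) or ["no findings"])
```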

With one down and two to go, Sendai moves his attention to the Japanese government box. He launches the following intrusive Nmap scan.

An Intrusive Scan of

# nmap -sS -P0 -T4 -v -A -p0-65535 -oA koizumi
Starting nmap 3.50 ( )
Interesting ports on (YY.67.68.173)
(The 65535 ports scanned but not shown below are in state: filtered)
113/tcp closed auth
Running: Sun Solaris 9
OS details: Sun Solaris 9
Nmap run completed -- 1 IP address (1 host up) scanned in 1791.362 seconds

Oh dear! This host is even worse (from Sendai's perspective) than Ginevra in that it does not even have a single TCP port open! All ports are filtered, except the identd (auth) port, which is closed. Leaving port 113 closed often is done for better interoperability with some (poorly implemented) IRC and mail servers. Even though Sendai cannot connect with closed ports, they improve OS detection accuracy. The lack of open TCP ports will certainly make cracking in more challenging. There must be another way. Sendai considers wardialing the department's telephone number range for carriers, though so many calls to Japan would certainly rack up the long distance charges. Social engineering might work, though that is risky business. UDP scanning is worth a try, though it tends to be slow as sin against Solaris boxes due to their ICMP rate limiting. So Sendai does a UDP scan with the -F option that limits it to about a thousand common ports. No responses are received. This box is locked down tightly. Another idea is IPv6, particularly since this host is in Japan where that protocol is used more frequently than elsewhere. Psyche does not have an IPv6 interface, so Sendai tests this from his laptop using one of the free public IPv6 tunneling services. They provide an IPv6 address and also conceal his originating IPv4 host. Using the -6 option to activate IPv6 mode, Sendai takes another shot at scanning the host.

IPv6 Scan against

# nmap -6 -sS -P0 -T4 -v -sV -p0-65535

Starting nmap 3.50 ( )
Interesting ports on (2ffe:604:3819:2007:210:f3f5:fe22:4d0:)
(The 65511 ports scanned but not shown below are in state: closed)
PORT      STATE    SERVICE               VERSION
7/tcp     open     echo
9/tcp     open     discard?
13/tcp    open     daytime               Sun Solaris daytime
19/tcp    open     chargen
21/tcp    open     ftp                   Solaris ftpd
22/tcp    open     ssh                   SunSSH 1.0 (protocol 2.0)
23/tcp    open     telnet                Sun Solaris telnetd
25/tcp    open     smtp                  Sendmail 8.12.2+Sun/8.12.2
37/tcp    open     time
79/tcp    open     finger                Sun Solaris fingerd
111/tcp   open     rpcbind               2-4 (rpc #100000)
512/tcp   open     exec
513/tcp   open     rlogin
515/tcp   open     printer               Solaris lpd
540/tcp   open     uucp                  Solaris uucpd
587/tcp   open     smtp                  Sendmail 8.12.2+Sun/8.12.2
898/tcp   open     http                  Solaris management console server (SunOS 5.9 sparc; Java 1.4.0_00; Tomcat 2.1)
4045/tcp  open     nlockmgr              1-4 (rpc #100021)
7100/tcp  open     font-service          Sun Solaris
32774/tcp open     ttdbserverd           1 (rpc #100083)
32776/tcp open     kcms_server           1 (rpc #100221)
32778/tcp open     metad                 1 (rpc #100229)
32780/tcp open     metamhd               1 (rpc #100230)
32786/tcp open     status                1 (rpc #100024)
32787/tcp open     status                1 (rpc #100024)

Nmap run completed -- 1 IP address (1 host up) scanned in 729.191 seconds

Now this is exactly what Sendai likes to see! Many of the services may be unpatched too, since the administrators assumed they were inaccessible. Unfortunately they forgot to firewall IPv6 in the same way they do IPv4. Sendai uses an IPv6-enabled rpcquery command to learn more about the running RPC services, including many that are using UDP. He has several avenues of attack available, but decides on a UDP sadmind vulnerability. Sendai obtains an exploit from H.D. Moore's Metasploit framework ( ), and 10 minutes later is doing the root dance again.
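The gap that undid this host is easy to audit from the administrator's side: scan your own address over both families and diff the results. Because the -oA option described earlier also writes the grepable (-oG) format, the comparison can be done from those files. The script below is an added defender-side example, not code from the chapter or from Nmap. It assumes the grepable layout of tab-separated "Name: value" fields with each Ports entry written as port/state/proto/owner/service/rpcinfo/version/ (Nmap writes a "/" inside a version string as "|"); the two records it contains are constructed to mirror the IPv4 and IPv6 scans above and are not real scan files.

```python
"""Diff an IPv4 and an IPv6 Nmap grepable (-oG) record of the same host and
report ports open over one family but not the other. Added defender-side
tooling, not part of the original text or of Nmap; sample records are
constructed to mirror the scans above (placeholder addresses from the text)."""


def parse_grepable(text: str) -> dict:
    """Return {address: {port: (state, proto, service, version)}}.
    Assumed -oG layout: 'Host: addr (name)' followed by tab-separated fields;
    each Ports entry is port/state/proto/owner/service/rpcinfo/version/."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                       # skip '# Nmap ...' comment lines
        fields = {}
        for field in line.split("\t"):
            name, _, value = field.partition(":")   # first colon only
            fields[name.strip()] = value.strip()
        addr = fields["Host"].split()[0]
        ports = {}
        for entry in fields.get("Ports", "").split(","):
            entry = entry.strip().rstrip("/")
            if not entry:
                continue
            parts = entry.split("/", 6)
            parts += [""] * (7 - len(parts))       # pad empty trailing fields
            port, state, proto, _owner, service, _rpc, version = parts
            ports[int(port)] = (state, proto, service, version)
        hosts[addr] = ports
    return hosts


def family_gaps(v4_ports: dict, v6_ports: dict) -> dict:
    """Ports reachable over one family only. A non-empty ipv6_only list is the
    condition the narrative exploited: services exposed where no rules apply."""
    open4 = {p for p, (state, *_rest) in v4_ports.items() if state == "open"}
    open6 = {p for p, (state, *_rest) in v6_ports.items() if state == "open"}
    return {"ipv6_only": sorted(open6 - open4), "ipv4_only": sorted(open4 - open6)}


def compare_scans(v4_text: str, v6_text: str) -> dict:
    """Convenience wrapper for single-host scans: parse both and diff them."""
    v4 = next(iter(parse_grepable(v4_text).values()), {})
    v6 = next(iter(parse_grepable(v6_text).values()), {})
    return family_gaps(v4, v6)


# Constructed sample records, modelled on the two scans above (not real files).
V4_GREPABLE = (
    "# constructed sample of nmap -oG output (IPv4)\n"
    "Host: YY.67.68.173 ()\tPorts: 113/closed/tcp//auth///\t"
    "Ignored State: filtered (65535)\tOS: Sun Solaris 9\n"
)
V6_GREPABLE = (
    "# constructed sample of nmap -oG output (IPv6)\n"
    "Host: 2ffe:604:3819:2007:210:f3f5:fe22:4d0 ()\tPorts: 7/open/tcp//echo///, "
    "22/open/tcp//ssh//SunSSH 1.0 (protocol 2.0)/, "
    "25/open/tcp//smtp//Sendmail 8.12.2+Sun|8.12.2/, "
    "111/open/tcp//rpcbind/2-4 (rpc #100000)//\t"
    "Ignored State: closed (65511)\n"
)

if __name__ == "__main__":
    gaps = compare_scans(V4_GREPABLE, V6_GREPABLE)
    print("open over IPv6 but not IPv4:", gaps["ipv6_only"])
    print("open over IPv4 but not IPv6:", gaps["ipv4_only"])
```

Anything in ipv6_only is a service the IPv4 ruleset never sees; the fix is a ruleset that covers both families, not a second scan.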