HyperText Target Protocol


h3X is on her computer again, trying to identify potential targets to save her life. Since she decided to go for the SAP Internet Transaction Server, she first tried to find potential targets using the almighty Google search engine. The principle is simple. If you know a specific pattern that a web application produces regularly, you can enter this pattern as a search term in Google and inspect the results. At first, this approach appeared to work just as well with the ITS machines as it does with many other vulnerable applications.

The first search is for wgate as part of the URL. The front-end system for ITS will be installed on a generic web server, which could be Microsoft's IIS, Netscape's Enterprise Server or any other server allowing the execution of CGIs. But since the plugin or CGI will be called wgate and almost nobody will rename it, searching for this term will get you a number of good results together with a lot of web pages about the Watergate scandal. After a while, h3X figures out that another search term is a lot better. She goes back to the Google start page and enters "Please log on to the SAP System". The reason is that the login page might be modified to provide users with a fancier page that corresponds to the corporate identity of the company running the system. But when the Google search bot crawls over the website of this company, it will follow the links blindly, without logging in, of course. Therefore, at some point in time, the bot will get a response page stating that it should log into the system now, since the ITS can't know that it is in fact a Google bot.

Firing up the search, she gets around 206 results, many of which are still active hosts. The beauty of SAP ITS is that it will provide you with a lot of information regarding its version and other details without requiring any login or other authentication. Every HTML response generated by ITS carries a comment at the top of the file. h3X inspects the source code of one of the links she just found in Google.

 <!--  This page was created by the
       SAP Internet Transaction Server (ITS, Version 6100.1005.44.959, Build 610.440959,
       Virtual Server TI9, WGate-AGate Host d02sap0001, WGate-Instance TI9)
       All rights reserved.
       Creation time:     Sun Mar 14 19:49:00 2004
       Charset:           iso-8859-1
       Template:          catw/99/cantconnect
 -->
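The comment above is exactly the kind of unauthenticated information leak an administrator should be checking for on their own ITS front ends. The following Python snippet is an added example, not code from the book or from SAP: it parses the banner comment in the layout quoted above (the sample HTML is constructed from that quote) and reports which fields are disclosed, so an empty finding list confirms the banner is no longer emitted by a given server. The field names and the regular expression are assumptions derived only from the quoted comment.

```python
import re

# Constructed sample response body, laid out like the ITS comment quoted in the text.
SAMPLE_HTML = """<!--  This page was created by the
  SAP Internet Transaction Server (ITS, Version 6100.1005.44.959, Build 610.440959, Virtual Server TI9, WGate-AGate Host d02sap0001, WGate-Instance TI9)
  All rights reserved.
  Creation time:     Sun Mar 14 19:49:00 2004
  Charset:           iso-8859-1
  Template:          catw/99/cantconnect
-->
<html><body>Please log on to the SAP System</body></html>
"""

# Matches the banner comment; the parenthesised part carries the version details,
# the remainder carries "Key: value" lines up to the closing "-->".
BANNER_RE = re.compile(
    r"<!--\s*This page was created by the\s+SAP Internet Transaction Server"
    r"\s*\((?P<inner>[^)]*)\)(?P<rest>.*?)-->",
    re.DOTALL,
)


def parse_its_banner(html):
    """Return a dict of the fields disclosed by the ITS banner, or None if no banner is present."""
    m = BANNER_RE.search(html)
    if not m:
        return None
    fields = {}
    # Inner part: "ITS, Version X, Build Y, Virtual Server Z, WGate-AGate Host H, WGate-Instance I"
    # Each entry is "<key words> <value>", so the last whitespace separates key from value.
    for part in m.group("inner").split(","):
        part = part.strip()
        if not part or part == "ITS":
            continue
        key, _, value = part.rpartition(" ")
        fields[key.strip()] = value.strip()
    # Trailing lines such as "Creation time:", "Charset:", "Template:"
    for line in m.group("rest").splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def banner_findings(html):
    """List what the banner leaks; an empty list means the server emits no banner."""
    fields = parse_its_banner(html)
    if fields is None:
        return []
    findings = []
    if "Version" in fields:
        findings.append("ITS version disclosed: %s (build %s)"
                        % (fields["Version"], fields.get("Build", "unknown")))
    if "WGate-AGate Host" in fields:
        findings.append("internal AGate host name disclosed: %s" % fields["WGate-AGate Host"])
    if "Template" in fields:
        findings.append("template path disclosed: %s" % fields["Template"])
    return findings


if __name__ == "__main__":
    for finding in banner_findings(SAMPLE_HTML):
        print(finding)
```

Run it against the body of a response from each of your own WGate front ends (fetched however you normally monitor them); any non-empty result means version, build and internal AGate host name are readable by anyone who can reach the login page, bot or not.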

So, according to the exploits she got, this is a vulnerable version of ITS. Most of the exploits are for the backend system AGate and not for the front-end web server. This complicates matters and simplifies them at the same time. The good news is that she doesn't have to care all that much about the demilitarized zone set up at the target company. Having an exploit for the backend or middle-tier systems saves you from first hacking the front-end web server, then trying to get enough foothold there to execute an exploit against the next stage. While this is possible, you either have to compile the exploit on the web server or use a scripting language supported there. Since most of the web servers will be Windows machines, using their scripting capabilities is about as intelligent as trying to use a Boeing-type commercial airliner with an M-16 automatic rifle duct-taped to one of the wings as the tool of choice to shoot down a fully armed Russian MiG-29 fighter plane. With the exploit taking over the machine behind the first web server, all those problems can be avoided.

But what's an advantage one day can be a real pain the next. The problem with the direct backend exploitation approach is that the network and firewall design matters a lot. If the AGate system is located behind a second firewall, it can't connect back to h3X's machine if this particular firewall prevents it. The same holds true if the AGate system is assigned an RFC1918 IP address, which can't be routed on the Internet and therefore must go through NAT, or network address translation. Assuming this is the case, it limits the scenarios in which the exploit would actually be able to perform the back connection to those where the firewall automagically translates all inside-out connections and those where the AGate host has a direct mapping.

h3X goes ahead and puts the ITS installations found via Google in an ordered list. First are all with a known vulnerable version installed. Even if this is not a big company but a small college, having a few more systems in your owned list is never a bad idea. The other factor in the list of course is the size of the company, or rather the expected amount of banking-related information. Here, she has to guess a bit since the companies usually don't describe their internal financial transaction processes on their web pages. But portals and web shops usually have more credit card information, while the main application of ITS, the Web-GUI for SAP R/3 itself, will surely lead toward real bank accounts. "Only white hats think hackers are after credit cards," h3X thinks.

Going down the list, she tries one of the exploits against the top 10 entries. Of course, this has to be done one by one. It's a simple but tiresome process:

  • Get the IP address of the target system.

  • If the target system uses HTTPS, set up a stunnel connection to fire the exploit through.

  • Set up the listener on one of your other computers in the Internet.

  • Send the exploit.

  • Watch what happens.

  • If it fails, try to interpret the results.

She is not surprised when none of the 10 attempts actually works out. Many appear as if they have problems with the connection coming back from the AGate host to her system. When the exploit fails completely, the remote system complains about the AGate instance not returning any data, since the thread processing the request simply crashed. But in most cases, everything works out just fine and nothing is returned in the HTTP connection. Moments later, the reverse shell is supposed to pop up in her listener, but fails to materialize.

Cursing the idiots who wrote such stupid exploits and cursing herself for not having tested and played with the exploits earlier, she rolls back in her office chair away from her computer. "Why did I have to lean so far out of the window and tell this guy I could do it?" she asks the room. "Damn, I hate working under pressure!" The thing is, it's actually the first time in her life that she has to hack something as part of a work assignment. Hacking has always been fun to her. She could never understand why so many of her friends had no other goal than to become a hacker for hire, a so-called ethical hacker or security consultant.

She needs a backup plan, and she needs one fast. She goes on and checks a number of SAP-related web sites for other potential ways into the core systems and has to digest an incredible amount of useless information before actually arriving at the conclusion that there doesn't exist another option. "Fuck, there has to be some way to get in there!" she says. Slowly, h3X is losing her nerve. Although she is usually the calm and winning person, this whole thing makes her jumpy and not relaxed at all. She throws a short look at the wall behind which she knows the Tupperware boxes sit. But there is no time to lose, because losing time right now would mean losing her life very soon. And there are a number of things still on her to-do list for this round as a human being on this planet.

h3X picks up her phone again and scans the redial list for Tom's name, then she hits the call button. After a few rings, the voice mail system is active again. This time she doesn't leave a message but simply hangs up. Putting her phone aside, she rolls back to the computer, opens another shell and logs into the IRC server she and her friends use. Sure enough, Tom is logged in and talking in the #cybersex channel. She queries the current statistics for his account:

 tom [tom@my.brokenbox.com]
 ircname   : tom
 channels  : #cybersex
 server    : irc.hacked.brokenbox.com
 idle      : 0 days 0 hours 0 mins 8 secs
 End of WHOIS

The idle entry tells her that Mr. Tom, as she likes to call him, is busy typing away on his keyboard. h3X fires up a query to him, which will open a private channel between the two of them and, often forgotten, all IRC server administrators who happen to check the traffic while the conversation goes on.

 <h3X> hey Tom, I need to talk to you urgently
 <tom> what

Obviously, Tom is fairly busy right now.

 <h3X> how do you type with one hand anyway
 <h3X> horny bastard, who is it this time?

Many people enjoy the fantasies of cyber sex. The funniest thing is that about 90% of the participants are male, either in their real person's role, posing as female for fun, or living a digital bi-curious life that their normal environment would not tolerate. Some of them are also just plain gay, which is probably also true for Tom. Although he tried several times to talk her into having cyber sex with him, she always refused.

 <tom> not now 

"Okay babe, you need some help to become your friendly self again," h3X thinks. She logs into the IRC server using her regular shell account and elevates her privileges using her not-so-regular local root exploit. Tom never patches his box against local attacks, since he knows all the people who can log into the system and actually has the philosophy that if you can exploit him and get root on the box, you deserve it. So she checks the logs and the traffic going on right now and identifies the IP address of Tom's current communication partner. "Enough dirty talking," she says to her root shell, "otherwise we would have to wash the whole ASCII table clean tomorrow." And with that she terminates the connection Tom's digital love affair was using.

 <tom> fuuuuck, did you do that?
 <h3X> do what?
 <tom> forget it
 <h3X> not feeling satisfied?
 <tom> f%!$ you!
 <h3X> I thought that's what you are doing right now.
 <h3X> Anyway, I need your help with some SAP stuff
 <tom> yea, I heard your message
 <h3X> Thanks for ignoring it
 <h3X> I need a copy of ITS 6.2 or 6.1
 <h3X> as fast as possible
 <h3X> it's really as important as it can get
 <h3X> please!
 <tom> Do we have a date on this server when you got it?
 <h3X> fsck, when I get it fast enough we can share my bed here if you insist
 <tom> you are kidding me
 <h3X> can you get ITS or not?
 <tom> u r serious, aren't you?
 <h3X> yes damn it!
 <tom> youv never made such an offer before
 <tom> are you in trouble
 <h3X> it's not your problem, just get me the warez
 <tom> but I want to help you
 <h3X> get me the prog and you can have me later, but GET ME THE SOFTWARE !!!
 <tom> ok ok
 <h3X> when and where?
 <tom> tomorrow night at the swinger club two blocks from your place?
 <h3X> no, the ITS installs! common!
 <tom> oh yea, you could pull them down from my server here
 <tom> just a sec, have to mount it

h3X waits impatiently for the blinking cursor to provide the information she's looking for.

 <tom> ok, scp it down from fileschwein.lab.brokenbox.com
 <tom> file is called its610.tgz
 <tom> your user is h3x, password getlaid
 <h3X> thanks man!
 <tom> with the password, nomen is ohmen
 <h3X> got the scp running
 <h3X> thanks man
 <h3X> love you
 <tom> you sure u r ok?
 <h3X> no, not really, but leave me alone for a few days
 <h3X> I will keep my promise
 <tom> never mind
 <h3X> bbl

With that, h3X disconnects from the IRC server and watches the download proceeding slowly. Her Internet connection is not the fastest and Tom is running way too many servers and things on his site to provide the full bandwidth to her download. She leans back and watches the packets in her sniffer fly by, but scp's ETA display stays frozen at a fairly large number. "Fuck it," she thinks, locks her screen and calls a girlfriend. "Are you hanging out in the bar tonight?" h3X asks.

"Yep, wanna come by?"

"Yea, got a lot to work on tonight, so no heavy drinking, but nothing against a few drinks. I'm tired."

"Just come by, I'll take care of you."

They disconnect the call and h3X gets ready to leave the house. She doesn't even care about changing into more appropriate clothing.

Stealing the Network. How to Own a Continent
ISBN: 1931836051
Year: 2004
Pages: 105