Hard Work


h3X returns from the bar around midnight. She's not really feeling like getting on with the SAP project. Again, she notices that it's an entirely different thing to hack something in a given timeframe and with some significant results at stake. The first thing she does is check the file transfer from Tom's box. Apparently, it finished. Slowly and with much discomfort, she sinks into her chair and starts VMware, the little box in which her test Windows installations live. As usual, it takes ages before Windows starts, even more so in VMware. She unpacks the archive just downloaded and copies the data into what Windows thinks is its hard drive. Then she starts looking for the setup program. Somewhere down in the directory structure, she finds instgui.exe and starts it. The same picture as the one that someone else saw on an LCD screen in a server room somewhere else in the world just a few hours ago materializes on her screen. h3X shakes her head when she reads the instruction that follows the typical Welcome bla bla bla and copyright notices. The instruction tells her to start a program called r3setup.exe with the parameter "-g armesau:59595", the string armesau being the hostname of the virtual Windows installation.

Not really to her surprise, the program r3setup.exe fails to exist on this CD. But there is one that's called setup.exe, which turns out to not puke all over itself when it's presented with the -g parameter. A few seconds later, the graphical user interface installation wizard pops to life and asks her the usual silly questions of where to place the files and if this is a WGate, AGate or combined server and some more. The installation fails unpredictably at some random position in the process and the cryptic output doesn't really tell her much about the reason. Annoyed, she checks the output again. It says something about optimized kernel and host system. The only thing that comes to her mind is that this test installation is in fact a Windows 2000 Professional and while this is not really different from a Windows 2000 Server system, the install program might be a bit picky about it. Being German software, the assumption turns out to be true, as she discovers about 10 minutes later in her Windows 2000 Server installation: the program installs correctly.

Having a running instance of her target software lightens her frame of mind considerably. Now, she can test if the exploits from those guys are simply bad code or if there are other reasons caused by Cisco and Checkpoint that prevent her from saving her life. The exploits work instantly. The next thing she does is check which exact version of ITS she's running compared to the ones she tried to attack. Some of the ones in the wild are more recent version numbers than her installation. She goes through the process of trying to find the right patches at sap.com and myriads of other sites run by the same company but comes up blank. In fact, she always comes up with requests to log into the service area or whatever this site calls them today. The problem is that she doesn't have an account available. She's simply stuck. The exploits work exactly as advertised and she goes to great lengths to verify this step by step in a debugger attached to the AGate process. But when fired against the systems in the wild, nothing happens.

It's already past three in the morning and h3X is tired and frustrated. She tries another approach and asks Google for consulting companies that do SAP and especially ITS planning and installation work. The resulting list is impressive. How many people make money doing what she just did and installing the software by constantly clicking either on "Next" or on "Yes, I agree" is just unbelievable. She goes to the most relevant web pages of the consulting companies and looks for reference lists in which the companies tell potential new customers how many existing customers they already have and what cool things they have done for them. Collecting a list of about 20 different reference pages, h3X cross references the customers and checks via the RIPE database what IP ranges we are talking about. Some of the consulting companies even have links to the ITS installations they did, but firing the exploits against those AGate instances again produces null, zero, zip shells.

"Time to play the whole affair a little bit rougher," she says and fires up Nmap on a whole range of IP networks that appear to be the DMZ of one or the other company. Since this process is going to take a while anyway, she decides to scan the full range of ports on those networks. It wouldn't be the first time that she would find a root shell bound somewhere to a high port left by the last hacker who broke into the system.

 tanzplatz# ./nmap -sS -sV -O -vv -o dmzs.txt -i /tmp/targets -p1-65535 -n
 Reading target specifications from FILE: /tmp/targets
 Starting nmap 3.46 (http://www.insecure.org/nmap/)
 Host 204.154.71.156 appears to be up ... good.
 Initiating SYN Stealth Scan against 204.154.71.156 at 3:56

Now is a good time to leave the computer to do what it has been invented to do, namely the boring work. Most of the time, computers suck up more time than you could possibly save using them, but sometimes with the right software and the right split between tasks, it can actually help doing things and solving problems that one probably wouldn't have without the computers in the first place, hence the existence of UNIX. The whole port scanning business is one of these points. But at four in the morning, h3X really doesn't feel like sitting there and watching the port scan perform its brute force work against some heavily firewalled networks. And if h3X is going to lose her life soon, she wants to at least experience the sensation of waking up from an uninterrupted sleep a few more times. With those thoughts she leaves everything alone, turns the lights off and goes to bed.




Stealing the Network. How to Own a Continent
ISBN: 1931836051
EAN: N/A
Year: 2004
Pages: 105
