Tuesday, April 29, 2008

The Hack without a Hack - Part 3

Yes, I've finally started to update my story. If you've forgotten what has happened, check out part 1 and part 2.

With a few quick Google searches Bill was able to find a few programs which would reveal any passwords which were hidden behind asterisks in Windows programs. More often than not, these "hidden" passwords were just being hidden from view and were decoded behind the scenes within the program. A number of programs are available which will reveal the hidden passwords and Bill found one he liked - Password Spectator (http://www.refog.com/passwordrecovery/).

A quick install and one click later and the password was revealed: "banklogin". Lame, Bill thought. It almost deserves to be broken into.

Bill opened up a telnet session to the trading machine, logged in as "trader" and began exploring the server. The server was a Debian Linux 4.0 server. From the routing tables on the machine it appeared to have a direct connection to the third party service, probably through a frame relay connection. This allowed for real-time trading to take place.

Bill couldn't tell if the third party service had access into this server, but running the "last" command, which displayed the last users to have logged on and where they came from, he did not see any connections from the other company.

Bill was logged in as user "trader". There were two other user accounts on the system: "admin" which was probably used to administrate the application and "root", the super-user account for the system. Bill's account appeared to have very little access on the system which meant he would not be able to install a sniffer unless he obtained root access.

However, since this was a 3rd party system the administrative passwords the bank normally used did not work for root. Bill tried a couple of common passwords with no luck. Quickly, though, he cursed himself for trying. Upon examining /etc/syslog.conf, the UNIX file which dictates what log messages go where, he found that any error messages were sent back to the 3rd party and to a system which he did not have access to. This meant that all of the failed password attempts he just tried were logged on another system - if anyone was watching those logs then he was sure to be discovered. Bill had to get root access quickly so he could cover his tracks.

Having administered various UNIX and Linux systems in the past, Bill knew where to look in order to find system weaknesses. After a few minutes of searching, Bill found his path to root in /var/spool/crontabs.

So, if anyone is reading this, what else could Bill have done to get the trader password? Any thoughts on how he'll get root access?

No comments: