The following hacker scenario was created by Ed Skoudis, author of "Counter Hack" and SearchSecurity.com expert. The solution was written by SearchWebManagement.com user "RyanN."
HACKER SCENARIO: It is a period of civil war. Rebel spaceships, striking from a hidden base, have won their first victory against the evil Galactic Empire. During the battle, Rebel spies managed to steal secret plans to the Empire's ultimate weapon, the Death Star, an armored space station with enough power to destroy an entire planet.
Through subsequent events, two droids named C3P0 and R2D2 find themselves in the docking bay control room of the Death Star itself. Using a radio, C3P0 communicates with his master, Luke Skywalker. Luke is also on the Death Star, but is trapped in a garbage compactor with Princess Leia, Han Solo, and Chewie. The trash compactor walls are closing in, squishing not only trash, but our heroes too. Using the radio, Luke tells C3P0 and R2D2 that they must stop the compactor, or Luke and friends will die!
From the control room, R2D2 jacks into the Death Star using a network plug in the wall. Although the plug looks alien, it is really just a fancy wall plate hiding an Ethernet RJ-45 jack. Once he is physically connected to the Death Star's internal IP network, R2D2 searches for the trash compactor controls. As he scans the network, something goes horribly awry. R2D2 emits a sequence of high-pitched squeals and just stops in his tracks. C3P0 instantly
"R2… Are you ok? Oh dear!" shouts C3P0. R2D2 doesn't respond, but they still need to stop the trash compactor. C3P0 unplugs R2D2 from the control room network plug.
Stashed in the control room, C3P0 finds an old 13-inch green phosphor terminal, with a serial connector. His golden metal hands shaking, C3P0 opens a panel in the dome of R2D2 to reveal a serial port. C3P0 plugs the monitor and keyboard into R2D2. Within seconds, C3P0 is staring at the "login:" prompt of R2D2. Few people realize that all R2-style droids are really Linux machines inside a trashcan on wheels. C3P0 logs into R2D2 to begin looking around. C3P0 exclaims, "My goodness, R2, I'm a protocol droid, not a system administrator! Why can't this be a TCP/IP problem?"
While looking through the system, C3P0 quickly observes that R2D2's logs have a two-minute gap! This gap corresponds to shortly after R2 plugged into the Death Star network.
"3P0! Hurry…Aarrrgghh!" shouts Luke over the radio.
C3P0 happens to carry a CD-ROM that includes the AIDE file system integrity-checking tool (doesn't everyone?). He inserts this CD into a slot on R2D2 and runs the tool. AIDE scans the file system, but doesn't detect any file changes. The login, du, ifconfig, ps, netstat, and other executables all appear intact. Next, C3P0 looks in the /home directory, and finds the following files:
C3P0 looks for unusual processes, but finds nothing unexpected. Similarly, using the netstat command, he doesn't see any unusual port usage. Next, C3P0 uses the ifconfig command to check if R2D2's Ethernet interface is in promiscuous mode, a sure sign of an attacker running a sniffer. However, ifconfig does not show the PROMISC flag. Because he's the suspicious type, C3P0 runs the tcpdump sniffer himself to force the interface into promiscuous mode. He then runs ifconfig again to make sure that it properly indicates promiscuous mode. To his surprise, ifconfig still does not indicate promiscuous mode.
1) What type of tools might the attacker have used on R2D2?
2) How were the attacker's tools flawed?
3) What steps should C3P0 take to get R2D2 back in action rapidly to stop the trash compactor and save their friends?
4) After initially getting him back in action to stop the trash compactor, what longer-term steps should C3P0 take to analyze R2D2?
HACKER SOLUTION: Upon R2D2's entry to the network, the insidious Darth Vader felt a disturbance in the Force (actually he got a notice on an IRC channel that the backdoor that was planted in the Death Star plans had been activated). He now had the IP address of the little droid and was ready to do some HAX0R tricks! Using the back door that the trojanized Death Star plans had installed on R2, Vader was able to copy the password file from R2's /etc directory, and poor R2 hadn't received the Rebel memo stating that all droids must now use shadow passwords. Vader then whipped out his trusty copy of John the Ripper and proceeded to crack R2's root password. Due to poor choice of password on R2's part (another missed Rebel memo to blame), the root password was cracked in less than 1 minute.
Vader now knows what all really good hackers know. Having root is not enough. He must find a way to keep it. And what better way to keep access than to install a kernel level root kit! What better tool to use when trying to evade Tripwire or AIDE? So Vader goes to work.
But Vader doesn't realize that his kernel level root kit has a small flaw. When ifconfig is run, the root kit module is set to always report that the ethernet interface is NOT in promiscuous mode. While this is good for hiding his own sniffing, it can easily be detected by C3P0 (and was).
Since this was a kernel level root kit, C3P0 now knows that his little buddy has been R00Ted, and he needs to work fast. C3P0 pulls out a floppy with a bootable Linux kernel and boots R2 with it! Feeling ever so much better, R2 then saves our valiant heroes from pancake city! The good guys triumph once again! After returning to the Rebel base, the investigation begins. Knowing they will need to save R2's current hard drive for further investigation, the Rebel SysAdmins find parts from a few R5 droids and scavenge the drives (everyone knows that the parts for the R5 units and the R2 units are 100% compatible as the only difference is the outer trash can and some paint).
Several copies of R2's original drive are made, and the original is stored under tight security in case it is needed to prosecute the evil Vader.
After the investigation the Rebel SysAdmins determine that all R2 units should be built with a monolithic Linux kernel to ensure that the little droids will no longer be susceptible to the module that allows such a heinous root kit to run! And so, another memo goes out...
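The promiscuous-mode cross-check that C3P0 performs in the scenario, and that the solution identifies as the root kit's flaw, written out as a small Python script. This is an added example, not part of Skoudis' scenario or RyanN's solution; the ifconfig output and flag values are constructed, and the script reads the Linux /sys/class/net/<iface>/flags file (IFF_PROMISC is bit 0x100) as a second opinion, which the page does not mention.

```python
import re

IFF_PROMISC = 0x100  # bit set in /sys/class/net/<iface>/flags when promiscuous

# Constructed sample ifconfig output, not captured from a real system.
# SAMPLE_HIDDEN is what a hooked ifconfig prints while a sniffer is running;
# SAMPLE_HONEST is the same interface reported truthfully.
SAMPLE_HIDDEN = """eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:10.0.0.7  Bcast:10.0.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
lo        Link encap:Local Loopback
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
"""
SAMPLE_HONEST = SAMPLE_HIDDEN.replace("RUNNING MULTICAST", "RUNNING PROMISC MULTICAST")


def ifconfig_reports_promisc(ifconfig_output: str, iface: str) -> bool:
    """True if the PROMISC flag appears in the ifconfig block for iface."""
    for section in re.split(r"\n(?=\S)", ifconfig_output.strip()):
        if re.match(re.escape(iface) + r"\b", section):
            return re.search(r"\bPROMISC\b", section) is not None
    raise ValueError(f"interface {iface} not found in ifconfig output")


def sysfs_reports_promisc(flags_hex: str) -> bool:
    """flags_hex is the text of /sys/class/net/<iface>/flags, e.g. '0x1103'."""
    return bool(int(flags_hex.strip(), 16) & IFF_PROMISC)


def assess(ifconfig_output: str, iface: str, flags_hex: str, sniffer_started: bool) -> str:
    """Return a verdict. The decisive test is the one C3P0 used: if we put the
    interface into promiscuous mode ourselves and ifconfig still denies it,
    something between the kernel and ifconfig is rewriting the answer."""
    via_ifconfig = ifconfig_reports_promisc(ifconfig_output, iface)
    via_sysfs = sysfs_reports_promisc(flags_hex)
    if sniffer_started and not via_ifconfig:
        return "SUSPECT: own sniffer running but ifconfig hides PROMISC"
    if via_ifconfig != via_sysfs:
        return "SUSPECT: ifconfig and sysfs disagree about PROMISC"
    return "promisc" if via_ifconfig else "normal"


if __name__ == "__main__":
    # Replay the scenario: C3P0 starts tcpdump, then re-runs ifconfig.
    print(assess(SAMPLE_HIDDEN, "eth0", "0x1103", sniffer_started=True))
```

On a box with a kernel-level root kit the sysfs view may be hooked as well, so the self-started sniffer test is the one that carries weight; the sysfs comparison only catches a root kit that hooks one path and forgets the other.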
This was first published in July 2002