Symantec ThreatCon
Nov 15 2005 12:30AM
(page 3 of 6)
Exclusive Preview of Stealing the Network: How to Own an Identity

By Johnny Long
Published by Syngress
ISBN: 1597490067
Published: August 2005
Pages: 450

It was late on Saturday night, and Blain couldn't sleep. Since his run-in with Mitch, he had trouble concentrating. His sullen and ill-tempered attitude wasn't making a great first impression on his roommate. Fully dressed, he got up from his bed, pulled on his sneakers, grabbed his ever-present computer backpack, and pulled it on. Blain slid out his door, closing it gently behind him. It seemed as though the Pacific Tech campus never slept, but at this time of night it was quiet. The night air was doing him some good. As he walked around for what must have been a solid hour, Blain realized that he had been focusing too much on the incident with Mitch.

"I'm certainly not the first person to make a bad impression," he thought aloud, "and I won't be the last."

As he rounded the corner to the ED04 building, Blain stopped as he saw someone who looked like Mitch entering ED04. "He's probably making his way back to his dorm," Blain thought. Seeing this as a sign, Blain decided to take this opportunity to apologize to Mitch for being such a jerk. He picked up his pace toward the building, rehearsing what it was he would say to Mitch.

As he pulled open the door to ED04, he was surprised to see that Mitch was nowhere in sight. From his vantage point and current trajectory, Mitch should be straight ahead, near the exit, on his way through to the dorms. Blain kept constant pressure on the open door and silently eased it closed behind him as he padded into the building. The building was empty as always, but Blain could hear the distinct sound of a chair sliding across the room in the computer lab ahead. He froze in his tracks as he heard another sound from the computer lab: the sound of a desk sliding out of place. "Now that's odd," Blain thought to himself. "Why would he be moving the desk?"

Frozen in the hallway, Blain listened. Although he couldn't explain why, he couldn't move. Something felt odd about Mitch's behavior, and his timeframe. He glanced at his watch: 1:22 am. The next sound was the oddest of all, and Blain recognized it immediately. It was the sound of duct tape being pulled from the roll. This sound repeated several times.

Blain realized how odd he must look, standing there in the hallway like a deer in the headlights. Without making a sound, he sidestepped into a room to his left, across the hall and down from the computer lab. Although he was not in sight of the lab, he could still make out the sound of lots of duct tape being expended. By the time the taping stopped, Blain was convinced that an entire roll had been used. Next came the familiar sound of a sliding desk, followed by a sliding chair. The faint, sharp sound of a zipper told Blain that the person in the lab was finished and was leaving. As he heard the sound of footsteps, Blain had a moment of panic: he would be discovered, standing like some kind of stalker in the door of the classroom. He held his breath and sighed quietly as he heard the exit door lever engage at the opposite end of the hall. Peering around the corner, Blain saw Mitch, backpack over his shoulder, leaving the building. Mitch had been in and out in less than 20 minutes, but to Blain it seemed like an eternity.

Blain had forgotten all about his plan to apologize to Mitch. Instead, he was consumed with intense curiosity. He felt a sharp twinge from his conscience, but he summarily ignored it, knowing full well that he had to find out what Mitch was up to in that computer lab.

Convinced that Mitch was long gone, Blain emerged from the classroom and made his way to the computer lab. He had no idea what he was looking for, but he knew that a chair and a desk had been moved, and that Mitch had expended a lot of duct tape. Blain worked his way from desk to desk, and looked under each and every one, but found nothing out of place. Thinking for a moment, he realized that the sounds suggested Mitch might have been taping something to the back panel of a desk, where it would remain unseen from the front. Blain was consumed by his curiosity, and continued his search. Eventually he found what he was looking for, stuck to the back of the desk farthest from the door, completely encased in black duct tape, network and power cables protruding from its wrapping: a laptop. Mitch, or "Flir," as he said he was known, was up to no good. "Flir," he thought out loud, "is a hacker handle if I ever heard one!" Blain snickered to himself. "I have to get access to this laptop."

Blain knew that Flir might be using the laptop remotely, so he tucked the desk back the way he had found it and left the lab, heading towards the dorm buildings. Only a handful of rooms on the ground floor had lights on, and he walked towards Flir's window, which he had scoped out after his unfortunate incident. He could hear the unbelievably loud sound of power equipment inside, and as he peered through the window, he saw the cute girl he had seen earlier with Mitch. She was in the center of the room using a circular saw on what appeared to be the top frame of a car! Mitch sat off to the side, a pair of headphones on his head as he fiddled with an aluminum can and several wires. Blain recognized the equipment immediately, and realized that Flir was building a "cantenna," a low-cost wireless antenna. Blain had little time, but knowing that Flir was busy in his room gave him the confidence he needed to get to work on Flir's laptop in the lab. He ran as fast as he could back to ED04, and sat down at the far corner desk, winded.

The first order of business was to dismount the laptop from the bottom of the desk. Removing all the duct tape took a bit of work. It was important to remove the machine so that it could be returned to its position without Flir noticing that it had moved. This frustrating job took nearly 10 minutes, but once the machine was removed, it was easy to flip open despite the huge layer of duct tape still attached to the top of the machine. Blain took a closer look at the machine, a very nice and brand-spanking-new Sony VAIO. It was a shame to see such a nice machine coated with duct tape.

"Your grant money at work," he thought with a grin.

The duct tape on the back panel bulged slightly. Three Ethernet cables and a power cable protruded from under the duct tape near the bulge. The power cable connected to the power strip under the desk, and (based on the information printed on the power adapter) powered a small hub. One of the Ethernet cables connected to the VAIO's built-in Ethernet port. The second cable connected to the classroom LAN, and the third cable plugged into the lab computer that sat on top of the desk. This simple configuration tapped the workstation's LAN connection, and provided wired access to both the lab machine and the laptop. Connected to the laptop was a USB wireless interface; a cable ran from the adapter's antenna jack to the back panel of the laptop, underneath the duct tape. Blain assumed this was a flat patch-style antenna. That explained Flir's antenna project.

Although it was a bit of a chore, Blain managed to open the laptop. As he expected, he was greeted with a black screen with white letters, prompting him for a username. "Linux," he said out loud.

At this point, Blain had a bit of a dilemma: in order to keep tabs on what Flir was up to, he was going to need to get into this machine. Grinding through default usernames and passwords seemed meaningless, as Flir wouldn't make this classic mistake. He flipped through each of the consoles, making sure there wasn't a console already logged in. No such luck. Blain knew that his best bet was to boot the machine off his USB drive loaded with Puppy Linux, which he always kept in his bag. If he was able to boot the machine from the USB stick, he could mount the laptop's hard drive and insert himself a nice backdoor.

Blain opened his bag, grabbed the USB stick, and pressed it into the VAIO's USB slot. He wondered if Flir would notice the reboot. Although he was pretty sure that Flir hadn't yet connected to the laptop, he held his breath and bounced the box. Within a few seconds, the machine rebooted, and Blain tagged the F3 key to try to enter the BIOS setup. His heart sank when the machine prompted him for a password.

"I need to get into the BIOS so I can boot off this USB..." Blain said to himself. Then a thought occurred to him. He looked through his bag, and within seconds he produced a CD-ROM from the CD wallet he always carried in the bag. The scrawled label on the CD-ROM read "Knoppix Linux 3.8." Knoppix was a CD-based Linux distribution that had gotten Blain out of a jam on more than one occasion, and he hoped this would prove to be another such occasion. He opened the drive tray and slid in the CD. Holding his breath as he rebooted, the seconds seemed like eternities. Blain nearly jumped out of his chair when the Knoppix boot screen displayed on the laptop.

"YES!" Blain shouted, forgetting for a moment that he was trying to keep a low profile.

When Knoppix booted, Blain logged in, unset the HISTFILE variable to prevent logging, and mounted the VAIO's primary partition:

# fdisk -l

Disk /dev/hda: 40.0 GB 40007761920 bytes
Units = cylinders of 16065 * 512 bytes

Device Boot Start End Blocks Id System
/dev/hda1 * 1 4863 39062016 83 Linux

# mkdir /mnt/tmp
# mount -rw /dev/hda1 /mnt/tmp

This gave Blain access to the laptop's file system. Next he created a script on the laptop that would create a root user and set its password when the system rebooted.

# echo "echo bla:x:0:0:bla:/:/bin/sh >> /etc/passwd; echo bla:::::::: >> /etc/shadow; echo bla123 | passwd bla --stdin" > /etc/rc3.d/S98f00f

After rebooting the laptop, Blain logged in as the "bla" user. His first order of business was to look at the password file, to determine the user accounts that existed on the machine. The only user account of interest was the "kent" account. There was no telling how many Kents were on campus, but there was little doubt that Flir was poking fun at Kent Torokvei, a local geek bully Flir loved playing jokes on. He knew it was a waste of time to attack passwords on the machine, since he had shell access, but decided to snag a copy of the rogue's password files just in case it became necessary.
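The start script above leaves three tell-tales on the laptop that an administrator auditing the box would look for: a second UID-0 entry in /etc/passwd, a shadow line whose password field is empty, and a start script in rc3.d that no package installed. The Python below is an added example, not code from the book, that checks for exactly those traces; the passwd, shadow and rc3.d contents are constructed samples modelled on the script in the story, and the "known-good" rc3.d baseline is an assumption standing in for whatever the administrator recorded when the machine was built.

```python
"""Audit checks for the account-creation backdoor described in the excerpt.
Added example: works on passwd/shadow text and a directory listing, so it runs offline."""

# Constructed sample of /etc/passwd after the start script from the story has run.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
kent:x:500:500:kent:/home/kent:/bin/bash
bla:x:0:0:bla:/:/bin/sh
"""

# Constructed /etc/shadow: two healthy entries and the eight-colon line the
# script appended (shown as it looks before any passwd command rewrites it).
SAMPLE_SHADOW = """\
root:$1$xyz$abcdefghijklmnopqrstuv:12345:0:99999:7:::
kent:$1$abc$0123456789abcdefghijkl:12345:0:99999:7:::
bla::::::::
"""

# Constructed listing of /etc/rc3.d on the laptop, and an assumed baseline
# recorded when the machine was built.
SAMPLE_RC3 = ["S10network", "S20syslog", "S55sshd", "S98f00f"]
BASELINE_RC3 = ["S10network", "S20syslog", "S55sshd"]


def find_extra_root_accounts(passwd_text):
    """Return (name, home, shell) for every UID-0 account other than root."""
    found = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line; nothing to judge
        name, _pw, uid, _gid, _gecos, home, shell = fields
        if uid == "0" and name != "root":
            found.append((name, home, shell))
    return found


def find_weak_shadow_entries(shadow_text):
    """Return names whose shadow entry has an empty password field.

    An empty hash means "no password needed" to many login paths, which is
    what a hastily appended shadow line produces."""
    weak = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        if fields[1] == "":
            weak.append(fields[0])
    return weak


def find_unexpected_init_scripts(listing, baseline):
    """Return start scripts present on the box but absent from the known-good baseline."""
    return sorted(set(listing) - set(baseline))


if __name__ == "__main__":
    print("extra UID-0 accounts:", find_extra_root_accounts(SAMPLE_PASSWD))
    print("empty password fields:", find_weak_shadow_entries(SAMPLE_SHADOW))
    print("unexpected rc3.d scripts:", find_unexpected_init_scripts(SAMPLE_RC3, BASELINE_RC3))
```

On a live system the same three functions would be fed the contents of /etc/passwd and /etc/shadow and an os.listdir() of /etc/rc3.d; the point of keeping a baseline listing is that a script named to blend in (S98f00f sits among legitimate S-scripts) only stands out by comparison with what was there before.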

Blain looked at his watch and realized that he had been sitting in the lab for nearly an hour. Although no one had entered the lab since he arrived, he could easily be mistaken for the owner of the rogue laptop. It was time to get some monitoring software in place and get out before someone discovered him. He needed something sexy, something quiet. The perfect tool came to mind; sebek, a data capture tool designed by the researchers supporting the Honeynet Project. A honeypot is a networked computer that exists for the sole purpose of being attacked. Researchers install and monitor honeypot systems in order to learn about the various techniques a hacker might employ. Once a hacking technique is known, it becomes easier to create an effective defensive technique. Although this sounds like a fairly straightforward process, it can be quite a challenge to monitor an attacker without that attacker's knowledge. This is where the sebek tool comes in handy. Designed to be very difficult to detect, sebek keeps tabs on the attacker's keystrokes via the kernel's sys_read call, and sends those keystrokes across the network to a sebek server, which displays the keystrokes for the administrator who is watching. Blain needed to install a sebek client on Rogue, and a sebek server on his own laptop. He pushed the client up to Rogue, and began configuring its options.

Blain set the interface (eth1), the destination IP, and destination MAC address in Rogue's sebek client install script. These settings ensured that the monitoring packets would be sent from the proper interface on Rogue and that they would be sent only to the IP and MAC address that matched Blain's laptop. Setting the keystrokes only value to 0 ensured that the client would collect not only keystrokes but other data as well, such as the contents of scp transactions. Blain executed the sbk_install.sh script on Rogue, thereby installing and executing the sebek client. At this point, any keystrokes, and all other sys_read data, that occurred on Rogue would be covertly sent out from Rogue's wireless interface to Blain's sebek server, which would also be listening on his laptop's wireless interface. It was a rather elegant setup, allowing wireless monitoring of the hacker without an established connection to the machine, bypassing any encryption the hacker might be using when connecting to Rogue. Before launching the server, Blain made a few quick modifications to the sbk_ks_log.pl script, which displayed the hacker's keystrokes. Having used sebek before, Blain had no use for details like date and time stamps, so he removed them from the program's output. With the client installed on Rogue, Blain launched the sebek server on his laptop.

sbk_extract -i eth1 | sbk_ks_log.pl

To test the setup, Blain typed a single command into Rogue's shell, the ls command. Almost immediately, his sebek server on his laptop burped up a single line:

[2.3.2.1 6431 bash 500]ls

The sebek server output showed five fields. First was the IP address of the rogue's wireless interface, 2.3.2.1, followed by the process ID, and the name of the command shell (in this case bash). Finally, sebek reported the command shell's arguments, in this case the ls command. The monitor was in place. Now the only thing Blain could do was wait for Flir to make a move. Blain thought for a moment about installing a backdoor on the device but decided against it, knowing that Flir might get spooked if he found something glaring.
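A honeynet analyst rarely reads sebek output one line at a time; the useful view is the per-shell command history, with root shells read first. The Python below is an added example, not code from the book or from the Honeynet Project, that parses the line format shown above and groups records by host and process ID. The sample lines are constructed, and the fourth number inside the brackets (500 in the story's line, which the text does not name) is assumed here to be the UID of the shell.

```python
"""Parse the bracketed keystroke lines printed by the story's modified sbk_ks_log.pl
and rebuild per-shell histories. Added example with constructed input."""
import re
from collections import OrderedDict

# Constructed sample of server output. Field order follows the line in the text:
# [host pid command uid]data. Treating the fourth field as the UID is an assumption.
SAMPLE_LINES = [
    "[2.3.2.1 6431 bash 500]ls",
    "[2.3.2.1 6431 bash 500]cd /tmp",
    "[2.3.2.1 6431 bash 500]uname -a",
    "[2.3.2.1 6440 bash 0]id",
    "noise that is not a sebek record",
]

RECORD = re.compile(r"^\[(\S+) (\d+) (\S+) (\d+)\](.*)$")


def parse_sebek_line(line):
    """Return a dict for one record, or None if the line is not in the expected shape."""
    m = RECORD.match(line)
    if not m:
        return None
    host, pid, command, uid, data = m.groups()
    return {"host": host, "pid": int(pid), "command": command,
            "uid": int(uid), "data": data}


def sessions(lines):
    """Group captured data by (host, pid) so each shell's history reads in order."""
    out = OrderedDict()
    for line in lines:
        rec = parse_sebek_line(line)
        if rec is None:
            continue  # skip anything that is not a record rather than crash the monitor
        out.setdefault((rec["host"], rec["pid"]), []).append(rec["data"])
    return out


def privileged_sessions(lines):
    """Return the (host, pid) keys of shells running as UID 0, in first-seen order."""
    keys = []
    for line in lines:
        rec = parse_sebek_line(line)
        if rec and rec["uid"] == 0 and (rec["host"], rec["pid"]) not in keys:
            keys.append((rec["host"], rec["pid"]))
    return keys


if __name__ == "__main__":
    for key, history in sessions(SAMPLE_LINES).items():
        tag = "ROOT" if key in privileged_sessions(SAMPLE_LINES) else "user"
        print(f"{key[0]} pid {key[1]} [{tag}]:", "; ".join(history))
```

Because sebek captures sys_read data rather than network traffic, the same parser sees the commands even when the attacker's connection to the monitored host is encrypted, which is the property the story relies on; the trade-off is that the bracketed prefix is all the context each line carries, so grouping by host and PID is what turns a keystroke stream back into sessions.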

"No," Blain mumbled, "keep it simple." Blain returned Rogue to its position under the desk. Satisfied that the machine was in its original hidden position, he gathered his belongings and headed back to his dorm to get some sleep.


Excerpt continued on Page 4 

About the author
Johnny Long is a "clean-living" family guy who just so happens to like hacking stuff. Over the past two years, Johnny's most visible focus has been on this Google hacking "thing" which has served as yet another diversion to a serious (and bill-paying) job as a professional hacker and security researcher for Computer Sciences Corporation. In his spare time, Johnny enjoys making random pirate noises ("Yarrrrr! Savvy?"), spending time with his wife and kids, convincing others that acting like a kid is part of his job as a parent, feigning artistic ability with programs like Bryce and Photoshop, pushing all the pretty shiny buttons on them new-fangled Mac computers, and making much-too-serious security types either look at him funny or start laughing uncontrollably. Johnny has written or contributed to several books, including the popular book Google Hacking for Penetration Testers (Syngress, ISBN: 1-931836-36-1), which has secured rave reviews and has lots of pictures.
Copyright 2005, SecurityFocus