Aggressive Network Self-Defense
By Neil R. Wyler. Published by Syngress, February 2005. ISBN: 1931836205. 448 pages.
Violation
David woke the next morning, got ready for work, and headed out the door. He'd made the drive a thousand times. It was colder than the previous day, and a light rain fell on the cars as they sped down the expressway.
He was anxious to get into the office and see whether the honeypot had worked, and whether they had seen any activity. He arrived quickly, threw his coat on the coat rack in the corner and sat down at his desk. He opened Thunderbird and started downloading his e-mail. While the e-mail found its way to his desktop, he opened up a terminal services window and checked out PatriotBox.
"Whoa," David said softly.
"What?" asked Bryan as he walked into the office. "Whoa what?"
"We got scanned like our machine was the coolest place on the Internet."
"So it was working. Good. What kind of activity?"
"Nothing too exciting, but we had a few people do more than just scan," David said, sounding slightly annoyed.
"Sweet! Isn't that what we wanted?"
"Well, yeah. I mean, I guess so, but I just didn't think that it would be this much. Seriously, this is a lot of crap for just one night. Who the hell are these people?"
"You sound pissed, man."
"I am, I guess, a little pissed. What if we weren't a honeypot? If we were a real user's computer, these guys would have broken into the machine and done who knows what. I mean, this guy over here is setting up shop," David said as he pointed at an entry in the log.
David was pissed, and more pissed with every passing moment. He didn't like the idea of someone crawling around in his system while he wasn't there, even if they were confined to the honeypot.
"Let's hack them back," David said quietly.
"Say what?" Bryan said, more than a little shocked.
"Let's do it; let's hack them back."
"Ha, ha. Slow down, man. You think you're the first person to get pissed and want to do something about it? A few people have been talking about doing that for years. There's a problem, though. How do you know you're attacking the attacker?"
"What do you mean?"
"That's what they do, man; they're script kiddies. They jump from machine to machine just collecting them like they were Garbage Pail Kids. They use them for IRC bots or as a jump point to someone else's machine. It happens all the time."
"Well, what are we supposed to do, just let them get away with it? I mean, seriously."
"Look, they jump through these machines and rarely, if ever, get traced back to the original box. People never patch their systems. I mean, we do, but most home users, and a lot of businesses, just can't keep up with it. You think all the grandmas of the world know how to download and install a service pack? And even if they did, most people are still on dial-up, and a 200 meg download is like a day and a half's worth of online time, and you can't tie up most people's phones that long."
David hadn't thought about that. How could he not think about that? He had to do something, though; it just didn't seem fair. When you're in school and a bully picks on you, what does everyone tell you to do? Fight back. You have to fight back, or it'll never stop. Or what about your home? If someone breaks into your house, you're allowed to defend yourself, in some cases by any means necessary. David kept a gun in his nightstand; thankfully he'd never had to use it, but he had it just in case. And if, heaven forbid, someone ever entered his home with intent to harm him or his family, he'd shoot them, a lot. Why couldn't he defend his network?
"I have to do something," David said.
"I hear you, man, and if you can find a way to do something where we don't attack someone's grandma, I'm with you 100 percent. But right now, I'm going to head over to Nate's office; apparently some masked man ran into his office and kicked over his machine, 'cause it was fine yesterday, but it's dead today."
"All right, I'll be here."
David tried to think of something to do, something that helped more than it harmed. Maybe Bryan was right; maybe he couldn't do anything. All those computers, on all those networks, are unpatched targets waiting to be abused. Unpatched targets. He had an idea. What if, when someone attacked his machine, he attacked back, but with a patch? It might work. He could try to exploit the same vulnerability that allowed the attacker access to the computer in the first place, and when he gained control, upload and then execute the patch. Maybe the attacker had already patched the vulnerability they used, to keep other attackers out of "their" new machine, but maybe not. Either way, he'd get some of them, and some seemed a whole lot better than none. Genius.
"How's Nate?" David asked as Bryan wandered back into the office.
"Turns out someone did kick his computer into submission; only it was him, and he kicked out the plug," Bryan said with a grin. "You come up with anything?"
"I think so."
"Well, let's hear it."
For the next half an hour David explained his idea to Bryan. They went back and forth on the best way to test the concept that David proposed. They decided that they would strike back at only those individuals who actually made a connection to their honeypot; port scans were not sufficient to merit attack. Together, they decided to collect a few tools, learn how to launch the attack, and when they thought they were ready, try it out.
Striking Back
On Thursday morning David headed into work with a sense of purpose. Today would be the day; they were going to test his theory. Would it work? He hoped so, but in a few hours he wouldn't have to hope; he'd know.
David walked into his office, and there was Bryan.
"Who are you, and what have you done with Bryan?" asked David.
"Shut up, man; I'm excited. I haven't played solitaire in three days!"
"Well, let's find out what we've got."
"Already done it, and I filtered the log so that just the direct connections to the honeypot are shown. We've got one. He connected through the Sub-7 Server, so he's a real winner."
David looked at the screen. Sure enough, an attacker had connected believing that he was looking at a machine infected with a Sub-7 trojan. The attacker looked around for a bit, downloaded what he thought was a password file, and then uploaded a few tools into the root directory. He was planning a return trip.
Figure 6 Results from PatriotBox

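As an added example (not from the book, and not PatriotBox's real log format), here is a small triage script that applies the rule David and Bryan agreed on: keep only sources that completed a connection to the honeypot, drop bare port scans, and flag the ones that moved files the way the Sub-7 visitor did. The log lines, addresses and filenames below are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass, field
# Constructed sample log (not PatriotBox's real format). Fields:
# date time source-ip dest-port event [detail]; addresses are RFC 5737 test ranges.
SAMPLE_LOG = [
    "2005-02-17 03:12:44 198.51.100.9 21 SYN",
    "2005-02-17 03:12:45 198.51.100.9 139 SYN",
    "2005-02-17 03:12:46 198.51.100.9 27374 SYN",
    "2005-02-17 04:02:10 203.0.113.7 27374 SYN",
    "2005-02-17 04:02:11 203.0.113.7 27374 CONNECT",
    "2005-02-17 04:05:30 203.0.113.7 27374 GET passwords.txt",
    "2005-02-17 04:09:02 203.0.113.7 27374 PUT nc.exe",
    "2005-02-17 05:40:19 192.0.2.44 139 SYN",
    "2005-02-17 05:40:20 192.0.2.44 139 CONNECT",
]

@dataclass
class SourceSummary:
    ports_probed: set = field(default_factory=set)  # every port the source touched
    sessions: int = 0                               # completed TCP sessions on a lure
    transfers: list = field(default_factory=list)   # (event, port, filename) tuples

    def verdict(self) -> str:
        if self.transfers:
            return "interacted"  # moved files on the lure, like the Sub-7 visitor
        if self.sessions:
            return "connected"   # completed a session but moved nothing
        return "scan-only"       # SYN probes only; never connected

def parse_line(line):
    # Returns (src, port, event, detail), or None for a line that does not fit.
    parts = line.split()
    if len(parts) < 5 or not parts[3].isdigit():
        return None
    return parts[2], int(parts[3]), parts[4], parts[5] if len(parts) > 5 else ""

def triage(log_lines):
    # Group events by source address and summarise what each source did.
    summary = defaultdict(SourceSummary)
    for src, port, event, detail in filter(None, map(parse_line, log_lines)):
        summary[src].ports_probed.add(port)
        if event == "CONNECT":
            summary[src].sessions += 1
        elif event in ("GET", "PUT"):
            summary[src].transfers.append((event, port, detail))
    return dict(summary)

def more_than_a_scan(log_lines):
    # The filter Bryan describes: sources that completed a connection, scans dropped.
    return sorted(s for s, v in triage(log_lines).items() if v.verdict() != "scan-only")
```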
"That's our guy," David said. "Let's make the rounds, and when we finish up, we'll see if that machine is still online."
"Sounds good. See you in a bit," Bryan said.
A few hours later David and Bryan sat leaning close to David's monitor. They launched a quick nmap scan to make sure the target was online and to see if any services were running. The machine did indeed turn out to be online, and it was running numerous services. There was no firewall for this guy. They looked at each other, smiled, and started up NeWT.
Figure 7 Tenable NeWT Security Scanner

Note
NeWT is the Windows version of the popular vulnerability scanner Nessus. Its only drawback is that it's not free. NeWT is easy to use and has the ability to scan large networks for thousands of vulnerabilities and display the collected information in easy-to-read reports. It can be found at http://www.tenablesecurity.com/.
David clicked the New Scan Task option, input the attacker's IP address, and selected the option to enable all but the dangerous plug-ins, those that could cause a service, or the machine, to crash. They watched patiently as the scanner tested the security of the remote machine. Slowly, the number of open ports, notes, and warnings increased. After several minutes NeWT displayed a report for the attacker's machine.
Figure 8 A Tenable NeWT Security Report

"Wow," Bryan said. "That is one ridiculously insecure system."
"Yeah, wow. I guess it's probably safe to say that this is not the attacker's home machine," David said.
"Yeah, I mean, even with this being some wannabe hacker, I don't think he'd be so stupid as to leave his machine this insecure."
"Well, let's see what we have, and see if we can get this puppy patched."
They looked over NeWT's report closely, checking for any vulnerability that they could exploit using the Metasploit Framework.
Note
Metasploit is a framework designed to help make the process of exploit code development and testing a little smoother. It is available for use with both UNIX- and Windows-based operating systems. The latest version contains 33 exploits, as well as 33 different payloads. More information about Metasploit can be found at http://metasploit.com.
David started the Metasploit Framework console. He was greeted by a bit of ASCII art, the msf prompt, and a blinking cursor. Time to get started, he thought.
msf > help
He watched as a list of commands filled the console window.
About the author
Neil R. Wyler (aka Grifter) is an Information Security Engineer and Researcher currently located on the Wasatch Front in Utah. He is a staff member of the Black Hat Security Briefings, Def Con hacker conference, ApacheCon, and Gnomedex. He has spoken at numerous security conferences and been the subject of various online, print, film, and television interviews regarding different areas of information security. He is highly involved in the hacker community and helps organize and support many of the local hacker meetings, including DC801 and 2600SLC. He also serves on the advisory board for a local technical college. Neil was born and raised on Long Island, NY, before entering military service with the U.S. Air Force. He is currently the co-owner of a Utah-based consulting firm with clients worldwide. His Web site can be found at http://rootcompromise.org.
Many thanks go to my beautiful wife, for putting up with me not only during the production of this book but also for the last seven years. To my family, who didn't know I was writing this book until they held it in their hands. And to my friends, for their insight and continued patience with me. To my coauthors and everyone at Syngress for making this book happen. Thanks also to Jeff and Ping Moss for the Black Hat Briefings, Def Con, and their continued friendship; the zZq guys, 2600SLC, DC801, and all the Utah hackers. I also want to thank my many friends from Def Con, Russ Rogers and securitytribe, Barkode and Ninja Networks, Freaky and Irvine Underground, Caezar and the Ghetto Hackers, Pyr0 and the 303, and everyone from the Def Con Forums. And last but certainly not least, to all the hackers of the world, whether White Hat, Black Hat, or Gray Hat; you keep life interesting, and always fun.