Symantec ThreatCon
Nov 15 2005 12:30AM
(page 3 of 7)
Stealing the Network: How to Own a Continent


By Kevin D. Mitnick, et al
Published by Syngress
ISBN: 1931836051
Published: May 2004
Pages: 432


Computer Lab Recon

Flir walked through the lobby of his dorm, completely oblivious to an attractive coed carrying on a conversation with two boys, while clothed only in a pair of towels. Strangely, no one else seemed to notice that she was dressed any differently than her peers. If Flir wasn't so over-focused, perhaps he'd realize that his dorm was fairly extraordinary. In the meantime, he just needed to get to the computer lab.

It was dark outside now, approaching night. The main computer lab wasn't far from the dorms. Flir didn't have much to do tonight - he was just coming by to recon the lab environment. Hackers spent far more time doing reconnaissance than any movie ever gave them credit for and Flir was no exception. Tonight he just wanted to observe how the labs were set up. He walked in and looked around the lab. Forty-eight computers were set up on six long room-length desks. Flir sat down at one of the many computers. Each was more or less identical. A standard beige box PC sat on top of the table, with a network cable and power cable leading into a grommet on the top. The front of the table obstructed view into the "inside," where the power and network cables went. Excellent.

He traced each cable, illuminating the path through the 3-inch-wide grommet with an LED flashlight. The power cable was a standard black cable leading to a fully-populated power strip. The network cable was orange - he'd have to remember that - and led off into the darkness. He rose and walked around the long table, examining the floor. He didn't find the power cables leaving the tables. "They must plug into the floor," he thought. He did find that the eight network cables all left the table in an electrical-tape-bound cluster. The cluster ran, taped down, along the floor and ended in a closed networking closet. "How odd," Flir thought, as he realized that each closet probably contained a single managed switch. Then again, with the University's budgets, it might even be an unmanaged switch or hub. He began to wonder how many labs might be connected to a large switch before they hit the first router. Even the best-funded universities can be extremely thrifty on general computing resources - Ptech probably wouldn't have any routers separating the labs. He'd test that later with standard tools. It would be a simple matter to run a traceroute from a machine in one lab to a machine in another, checking to see if the packet's TTL (time-to-live) was decremented by an intermediary router.

His on-site reconnaissance finished for the night, Flir left the lab to continue his plan. He walked back to his dorm, contemplating the details and wondering if Jordan would be asleep yet. He stopped in the lobby to use a public computer and ran a few quick traceroute commands. He traced the path of routers to two computers in two different labs in the same computing building. As he'd hoped, both computers had the same router as their last hop. This meant that only a switch separated the two, not a router, and was very, very good news.

Pacific Tech was saving money on both routing hardware and the staff time required to keep the router configured and patched. Knowing what the school charged non-scholarship students, Flir had once been surprised by how frugal Pacific Tech tended to be. A friend who had transferred from another school had explained that many expensive schools were still fairly frugal with computing services departments. Part of the reason was that better-run computer labs just didn't seem to attract new students the same way that other services might. That department was also, politically speaking, one of the easiest to apply budget cuts to. Few professors on campus would fight the cuts, especially since those whose research depended on computers often bought and staffed their own computer clusters with grant money.

Flir left the lobby and headed to his room. When he arrived at his room, Jordan was cutting a sunroof into the Prius' top with a circular saw. Flir couldn't believe the sheer amount of noise that she got away with and plugged in his headphones. Though he'd left Physics behind completely after his intense and traumatic freshman year, he'd used the theory to create a noise-cancellation patch to xmms, his Linux machine's mp3 player. It read in sound signals from microphones mounted on his headphones and modified the headphones' output sound waves to cancel much of the noise created by Jordan's constant use of power tools.

Flir's headphones cranked out the creations of DJ CMOS, one of his favorites. CMOS had somehow blended 80's songs into a fast, driving house mix. For some odd reason, Flir had an affinity for 80's music, as if he'd lived much of his life through the era. In truth, it being 2004, Flir was only alive for the last two years of the 80's. Those two years must have made an impression upon him!

Preparing the Plant - There's No Offense without a Good Defense

On to the plan. He'd need to control a machine in the computer lab to sniff traffic. He could hack one of the machines there, but the IT staff might notice that and shut it down. Even if they didn't, many schools "re-imaged" the lab systems' hard drives once per month, week or even day, replacing their contents automatically with a known good operating environment. No, he'd need to introduce his own system into the lab.

Flir pulled out one of the new Sony Vaio laptops that Knuth had bought him, which he decided to call "Rogue." It had just the qualities he needed. It measured 8" by 10" by 1" and, at 3 pounds, it was light enough to duct tape under a desk if he needed to. He'd already installed Linux on it and run Bastille Linux on it to lock it down, hardening the OS and the firewall rules. He sat down to configure it for this particular job.

The system would need to intercept people communicating with the myPtech system. It would need to collect usernames and passwords. Finally, Flir needed to control it remotely - he should never have to touch the machine again once he'd planted it, unless he wanted the hardware back when he was done. He set to work on his control mechanism.

Flir would ssh into the system over a wireless 802.11b link from his other laptop, which he'd call "controller." That would allow for stealth and make it much harder to trace the system back to him. He plugged a wireless card into the system and used Linux's iwconfig command to configure the card. First, he set the card to function on channel 3. Few people used channels other than 1, 6, and 12, so few, if any, people would find his system addressable.

# iwconfig eth1 channel 3

Next, he wanted to set the card to encrypt all its communications with a wired equivalent privacy (WEP) key. First, Flir had to choose the key. WEP keys were hexadecimal strings, usually 32 characters long. To choose digits somewhat more randomly, he had used a piece of overhead transparency to create an overlay for a Twister spinner. With an overhead pen, he had divided the circle into sixteen pieces, with the digits 0,1,2,3,4,5,6,7,8,9, A, B, C, D, E and F. He spun it 32 times to get: 458E 50DA 1B7A B137 8C32 D68A 5812 9012. He set the card's WEP key to that:

# iwconfig eth1 enc on

# iwconfig eth1 key 458E50DA1B7AB1378C32D68A58129012

Finally, he'd need to set an ESSID, an ID for the wireless network of two machines that he'd use.

# iwconfig eth1 essid lazlosbasement

Next, he set the wireless link's IP address to 2.3.2.1:

# ifconfig eth1 2.3.2.1 netmask 255.0.0.0 up

That number was reserved and wouldn't route on the Internet, but it didn't matter - this was a network of just two systems, connected by a radio link without any routers in between.

He'd control the system over an ssh link. He could write his own remote login program, but this was easier. He did modify the ssh daemon's configuration file, sshd_config, setting it to listen only on the wireless card and not on the Ethernet card:

ListenAddress 2.3.2.1

He also set the ssh daemon to disallow password authentication out of habit, leaving password-protected RSA keys in place instead. Flir hated passwords - they were almost always the weakest link in computer security, since they could be guessed or brute-forced by a determined attacker. Using an RSA keypair for authentication, encrypted with a passphrase, was much stronger.

Finally, he added three custom rules to the beginning of the iptables firewall:

# iptables -I INPUT 1 -i eth1 -m mac --mac-source ! AA:BB:DD:EE:55:11 -j DROP

# iptables -I INPUT 2 -i eth1 -p tcp --dport ssh -s 2.3.2.20 -j ACCEPT

# iptables -I INPUT 3 -i eth1 -j DROP

The first line told the kernel to drop any packets that did not come from a single specific wireless network card. The second line allowed ssh access in from a single IP address. The third line caused the kernel to drop any other packets from the wireless interface. The order matters: iptables evaluates a chain top to bottom and the first matching rule decides, so the MAC check has to sit above the ssh ACCEPT rule or a connection with the right source address but the wrong card would be let through.
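To check a policy like this before trusting it, the following added example (not code from the book, from Bastille, or from iptables itself) simulates the first-match evaluation of an INPUT chain. It replays the three rules in the order the excerpt gives them, once with the ssh rule inserted at position 2 and once with `-I INPUT` and no position (which iptables treats as position 1), then runs constructed packets through both chains. The MAC address `AA:BB:DD:EE:55:11`, the controller address `2.3.2.20` and the interface `eth1` are taken from the excerpt; the packets and the `FALLTHROUGH` label (standing in for whatever Bastille rules sit below these three) are assumptions of the example.

```python
"""Simulate first-match evaluation of an iptables INPUT chain so a small
firewall policy can be audited before it is deployed.  Added example; the
MAC, IP and interface values come from the excerpt, the packets are
constructed test input.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Packet:
    iface: str
    src_mac: str
    src_ip: str
    proto: str = "tcp"
    dport: Optional[int] = None


@dataclass
class Rule:
    """One iptables rule: every field that is set must match for it to fire."""
    target: str
    iface: Optional[str] = None
    src_ip: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    mac_source: Optional[str] = None
    mac_negated: bool = False  # models '-m mac --mac-source ! <addr>'

    def matches(self, pkt: Packet) -> bool:
        if self.iface is not None and pkt.iface != self.iface:
            return False
        if self.src_ip is not None and pkt.src_ip != self.src_ip:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.mac_source is not None:
            same = pkt.src_mac.upper() == self.mac_source.upper()
            if same == self.mac_negated:  # a negated rule wants a mismatch
                return False
        return True


class Chain:
    """An INPUT chain; FALLTHROUGH stands in for the rules below these three."""

    def __init__(self) -> None:
        self.rules: List[Rule] = []

    def insert(self, rule: Rule, position: int = 1) -> None:
        # iptables -I CHAIN [rulenum]: rulenum defaults to 1, the top of the chain
        self.rules.insert(position - 1, rule)

    def verdict(self, pkt: Packet) -> str:
        for rule in self.rules:  # first matching rule decides
            if rule.matches(pkt):
                return rule.target
        return "FALLTHROUGH"


TRUSTED_MAC = "AA:BB:DD:EE:55:11"  # controller's card, from the excerpt
CONTROLLER_IP = "2.3.2.20"         # controller's address, from the excerpt


def build_chain(ssh_rule_position: Optional[int]) -> Chain:
    """Apply the three rules in the order the excerpt gives them.
    ssh_rule_position=None reproduces '-I INPUT' with no rule number."""
    chain = Chain()
    chain.insert(Rule("DROP", iface="eth1", mac_source=TRUSTED_MAC, mac_negated=True), 1)
    ssh = Rule("ACCEPT", iface="eth1", proto="tcp", dport=22, src_ip=CONTROLLER_IP)
    chain.insert(ssh, 1 if ssh_rule_position is None else ssh_rule_position)
    chain.insert(Rule("DROP", iface="eth1"), 3)
    return chain


# Constructed test traffic (not captured from any real network)
PACKETS: Dict[str, Packet] = {
    "controller": Packet("eth1", TRUSTED_MAC, CONTROLLER_IP, "tcp", 22),
    "spoofed_ip": Packet("eth1", "00:11:22:33:44:55", CONTROLLER_IP, "tcp", 22),
    "wrong_ip":   Packet("eth1", TRUSTED_MAC, "2.3.2.99", "tcp", 22),
    "wired_side": Packet("eth0", "00:11:22:33:44:55", "10.0.0.5", "tcp", 22),
}


def audit(chain: Chain) -> Dict[str, str]:
    """Return the verdict each constructed packet receives from the chain."""
    return {name: chain.verdict(pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for label, pos in (("ssh rule with no position", None), ("ssh rule at position 2", 2)):
        print(label, audit(build_chain(pos)))
```

With the ssh rule at position 2 the `spoofed_ip` packet (right address, wrong card) is dropped by the MAC rule; with no position it lands above the MAC rule and is accepted, which is exactly the gap the ordering is meant to close. Traffic on `eth0` falls through untouched in both cases, since all three rules are bound to `eth1`.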

Flir had now hidden his control channel slightly, by using a different channel. He had also placed some nice access control on that channel by forcing all control connections to come from a specific IP address and from a specific network card hardware (MAC) address. Finally, he had encrypted his communications with WEP.

Of course, any other attacker could fake his MAC address, set the particular IP address, and perhaps even crack the WEP key if he was able to observe enough traffic. Flir's actions served to raise the bar, locking out all attackers except for the rare ones with the knowledge and determination to find his wireless network and attack it. He could even keep his WEP key hard to crack if he didn't communicate a great deal with the rogue laptop, since WEP crackers require a healthy number of packets before they can brute force a key.

Even if an attacker cracked the WEP key and discovered the key to the firewall policy, the real authentication step still happened in the ssh daemon. Since Flir was using a private/public keypair instead of a password, the attacker couldn't get access by guessing passwords - any attacker would have to find a vulnerability in the ssh daemon itself. Since Flir was using privilege separation, it was highly likely that any exploits in the ssh daemon wouldn't even get the attacker Flir's root access - the attacker would have to work hard to "escalate privilege" to root.

Flir was being very careful. He could add additional measures to this, but he believed he had gone far enough. He had taken multiple measures, remembering what he read about "Defense In Depth," but also remembered not to take security so far as to render the machine or network useless. Striking this balance between convenience or usability and security is difficult in any environment. It was especially difficult here, because if someone broke into the laptop, Flir's entire plan could fail.

Flir stopped for a moment to consider that he wasn't just defending his rogue laptop from normal attackers. Ironically, he was also defending it from any Pacific Tech computer security staff! It was bizarre what Agent Knuth had called upon Flir to do for his country.

Now that Flir had prepared the rogue laptop for remote control, he wanted to place it in the lab as soon as possible. Once it was in place, he could configure it to steal passwords. He put it into a "sleep" mode. With the headphones still on, he packed the laptop and A/C adapter into his backpack, along with two orange network cables, a palm-sized hub, a patch-style directional antenna, a network card, a USB wireless adapter, and a roll of black duct tape. He placed the backpack aside for tonight - he'd go back to the lab tomorrow. In the meantime, he'd try to convince Jordan to come to bed.

When Flir removed his headphones and rejoined the world around him, he found Jordan using a drill to screw the solar panel into the sunroof slot she'd cut into the Prius' roof. She wasn't fitting the panel into a sliding assembly, like on most sunroofs - she was actually screwing it directly into the car's body. "Jordan, it's 1am. Let's go to sleep!"

Her words came out rapid fire, as they always did when Jordan was solving problems out loud. "The solar panel will allow me to push the motor much further, much faster! But it leaks. It shouldn't leak! I cut it just right! I put the same rubber around it that all the other sunroofs have. But it leaks! It can't leak. I'm going to have to make a sealant and that takes chemicals! I have chemicals..."

Jordan went on for some time, eventually sitting down to research sealants, designing her own. Later, she'd go back to her room and mix chemicals from the supply in her closet. Jordan seemed to take everything way too far. She'd built a wine rack in her closet filled with bottles of liquid chemical agents. Adjacent to the rack, a number of boxes sat, filled with chemical solid components. Next to those boxes, wedged against the wall, was her floor-sander, which she used twice a year to clean her dorm room's floors. Flir had first thought the machine was evidence of extreme overkill, but he began to understand the need for such a device as he learned that Jordan's dorm room was more workshop than sleeping area. Jordan almost never slept, though she worked incessantly on these extracurricular engineering projects. "Oh well," he thought, "most guys would kill for a woman who enjoyed power tools this much."


Excerpt continued on Page 4 

About the author
Jay Beale is a security specialist focused on host lockdown and security audits. He is the Lead Developer of the Bastille project, which creates a hardening script for Linux, HP-UX, and Mac OS X, a member of the Honeynet Project, and the Linux technical lead in the Center for Internet Security. A frequent conference speaker and trainer, Jay speaks and trains at the Black Hat Briefings and LinuxWorld conferences, among others. Jay is a columnist with Information Security Magazine, and is Series Editor of Jay Beale's Open Source Security Series, from Syngress Publishing. Jay is also co-author of the international best seller Snort 2.0 Intrusion Detection (Syngress, ISBN: 1-931836-74-4) and Snort 2.1 Intrusion Detection Second Edition (Syngress, ISBN: 1-931836-04-3). A senior research scientist with the George Washington University Cyber Security Policy and Research Institute, Jay makes his living as a security consultant through the MD-based firm Intelguardians, LLC.
Copyright 2005, SecurityFocus