If you missed the previous articles in this series please read:
Shells for sale Part III
We left off in part two with John having checked the compromised test computer’s time. This would allow him to know what time the exploited computer was in relation to his, and that of potential future customers who bought one of his shells. This time was crucial as he needed to know when to modify the AT command to send the reverse shell to his hopefully plentiful customers, at a time of their choice. The next step for him to take was to hide both the nc.exe and nc.bat files that were on the practice victim computer elsewhere. It was unlikely that the average home computer user would ever venture into a DOS prompt or browser to explore their computers contents. In the unlikely event that it would happen, he decided to hide both those files in c:\winnt. He knew that very few people ever bothered looking there, and this was the reason it was a favorite hiding place for malware. We can see in the below noted screenshot that our files nc.exe and nc.bat are sitting there in plain view on c:\. Not a good thing.
Figure 1
So with the need to hide these files John goes ahead and does just that, as seen in the below noted screenshot.
Figure 2
Now with those files safely copied over to c:\winnt, it was time to delete the copies remaining in c:\ itself. This was quickly done, and it was now time to move onto the next phase of the exercise. That of setting up an AT job so that John could test the remote shell connectivity, at a specific time. For those of you who are not overly familiar with the AT command, it is a service which will start up your anti-virus program at a specific time to do a sweep of your hard drive. So it only makes sense to use this service for the shoveling back of a remote shell at a specific time, seen as it is already there. Most importantly though is also the fact that the AT command can be via the command line. We need to remember that John has access to a cmd.exe and not explorer.exe which would have given him a desktop interface. With this in mind it was necessary to use commands that were available within a cmd.exe.
Figure 3
You can see from the above noted screenshot that I have entered the appropriate syntax to invoke AT and schedule a job via this service. Do you notice anything in that command line syntax though that puzzles you? Well right after the “at” is the NetBIOS name of the computer in question “win2k2”. How did I know that was the NetBIOS name of the computer though? Well let’s look back at our earlier scan output from Superscan when we used it to probe the practice victim.
Figure 4
You will notice that in the UDP Port 137 information is contained all of the detail we need to determine the NetBIOS name of this computer. It is contained right there in the NetBIOS name table, and the suffixes as well. From this information gleaned earlier was I able to ascertain what the computers NetBIOS name was. Remember that a NetBIOS name is simply the name that you give to your computer, or the one that the system administrator gives to it.
Figure 5
Now we can see in the above screenshot that the AT command was successful in invoking nc.exe hidden in c:\winnt, and shovel back a command prompt to our attacker’s computer in John’s lab setup. This was a pretty slick feature that John had read about before in one of the online mailing lists. He thought it would be pretty neat to incorporate at some future date, much like today’s experimentation. Well with all of the pieces in place all John had left to do was actually apply the hotfix patch that he has sent over via TFTP. This would allow him the ability to patch the vulnerability that he himself had used to break in.
Figure 6
Well with the above noted syntax to install the hotfix patch, it takes a couple of minutes for it to install and then reboot the practice victim computer. Now with the patch in place it should no longer be vulnerable to the RPC DCOM exploit. That being said, seeing is believing, so John once again tries to exploit the practice victim with the same exploit.
Figure 7
We can now see that the remote install of the hotfix patch has indeed worked splendidly. The Framework was not able to exploit the computer, as seen in the above noted screenshot, for there is no reverse shell waiting for us. John has now successfully tested out safely in his lab what he considers to be a relatively sophisticated hack. He would now go through it again several times to ensure his results, and chronicle on paper all of his steps. Once this was done he would be ready to “go live” and begin doing it for real. Once he had a dozen or so computers harvested he would go back to one of his favorite IRC chat rooms, and begin to advertise his “shells for dollars” scheme.
When John started to actually begin active exploitation the next day it did not take him long to get some vulnerable computers under his control. It was not as elegant as having an automatic rooter like some bot exploit code, but he had made do with what he had. John used publicly available information, such as what range of IP addresses his provider had. From there he simply inputted this into Superscan, and let it do the work for him. The long boring part now came where he had to replicate what he had done in the lab many more times. Had John not taken what he had done in the lab to the real world, he would have actually been displaying some character traits of a hacker ie: those being curiosity and tenacity. Problem was John was at heart a lazy man, with a tendency towards petty crime.
The takedown
Once John had completely finished his task of collecting as many unprotected computers as possible, he logged into his favorite IRC chat room. His usual cronies were there all chatting about some exploit or other hacking news. He listened for a while, and then decided to drop his bomb. Much as he had hoped he got a round of cyber applause for his ingenuity. Thing of it was, he also advertised the online payment account he had setup for payment. Well John true to course had set up his own fall. Listening in the chat room was a federal agent whose job it was to monitor these types of chat rooms for illegal activity, and any other interesting information.
The federal law enforcement officer dutifully reported his finding to his supervisor. This was exactly the type of activity that they were trying to crack down and it was also handy that the online payment company was in North America. It took a couple of days before a court order was served to the online payment company, but it was needed to get the information of the holder of that account. John’s goose was now well and truly cooked. Four days after John had gone into the chat room with this “shells for dollars” scheme his home was raided, his computer seized, and himself arrested on several counts. John really should have stuck to studying at college.
While this was a fictionalized account of what could happen if a semi-skilled hacker were to act in a criminal manner, let me assure it is a very real scenario. It is one that has been seen before, and no doubt one we will see again in the future. I sincerely hope you enjoyed the article series, and as always I am interested in your thoughts. On a final note I would like to thank Sherry Rumbolt for the discussions we had while I developed this series. Till next time!
If you missed the previous articles in this series please read:
