Nandi versus Virtual Virtuoso (Part 2 / Conclusion)

By the LiveSecurity Writers

Nandi whipped a cell phone out of the pocket of his black jeans. With one speed-dial call, he reached the Kunstler & Sons booth, inside the same room but seemingly a mile away.

"Hey there, Nandi James Bondy!" Troy's booming voice crackled from the tiny speaker.

Nandi winced and held the phone farther from his ear. "I'm at the ConGlomCo booth," he said. "They are having difficulty accessing the Web. How is Web access from our booth?"

"Uh, just a sec." Distantly: "Kaiser Roll, can you reach the Web okay? Yeah?" Back directly into the receiver: "We're good here. Kai just pulled up the BAMMcon home page."

"Could you ask him to click the Restaurants link? And then click through to the Paris Web site?"

"Hey, we ain't no reservation service!"

"Please? I am not kidding around."

While waiting, Nandi watched Chew Lan parse the HTML code on her laptop. When she glanced up at Nandi, he waggled his eyebrows. She rewarded him with a smile.

"It all acts normal," Troy declared in his ear. "Gotta go, Ghandi, I see a live one comin'." The line disconnected.

Pocketing his phone, Nandi declared, "It is most likely a wireless attack. Wired Web access seems fine."

Chew Lan nodded once, then moused down to the System Tray. She clicked a tiny icon and pulled up her Wireless Configuration window. Quickly, she sorted through a stack of papers on the little counter next to the laptop -- with Nandi mentally noting her lovely manicured nails -- and held up a print-out. "I almost trashed this," she said. She held the paper next to the screen.

"Oh, very good!" Nandi approved. "The official BAMMcon WAP specifications!"

Chew Lan's eyes bounced between the paper and the screen. She frowned. "I thought rogue AP," she said. "But the WAP I am connected to broadcasts the proper name, SSID, and MAC address." She dropped the paper on the counter, puzzled.

Nandi angled her laptop to face him.
He pressed the Windows key, then R, and in the resulting dialog box, typed "cmd." He hit Enter, bringing up a CLI. "Let us verify that the Paris Web site is up," he said. He typed:

```
Ping caesars.com
```

A second later, the screen came back with:

```
Pinging www.caesars.com [170.224.20.190] with 32 bytes of data:

Reply from 170.224.20.190 bytes=32 time=154ms TTL=50
Reply from 170.224.20.190 bytes=32 time=215ms TTL=50
Reply from 170.224.20.190 bytes=32 time=268ms TTL=50
Reply from 170.224.20.190 bytes=32 time=197ms TTL=50

Ping statistics for 170.224.20.190:
    Packets: Sent = 4; Received = 4; Lost = 0 <0% loss>,
Approximate round trip times in milli-seconds:
    Minimum = 154ms, Maximum = 268ms, Average = 208ms
```

"Kai can surf to it. I can ping it. The Paris site is up," Nandi mused.

"And DNS works," Chew Lan pointed out. "It found the IP address for caesars.com." She angled the keyboard back to herself and said, "Let's see if routing works." She entered,

```
Tracert caesars.com
```

In short order, back came the response. The two technicians stared at the screen.

"Lots of routers and addresses," Chew Lan said.

"Plenty of hops," Nandi agreed. "So Internet connectivity is probably good. Let me try this." He typed,

```
ssh nandihome.dyndns.org
```

The SSH server running on a PC at Nandi's apartment responded immediately, asking him to log in. That was enough to confirm that BAMMcon's wireless Internet connection worked, so he cancelled the SSH connection.

"Secure shell works," he said.

"DNS works," she said.

"Routing works," he said. "Probably every protocol works except HTTP. Do you have a sniffer?"

"No. We don't normally need one from the show floor. So how?"

Nandi stared at his feet for a second, wishing he did not have to leave Chew Lan. But duty called. He looked at her. "I must return to the K & S booth. I need to verify that the hacker's buffer overflow code does not affect anything there. And I have better tools to try to catch him."

"Catch him?" Chew Lan grinned. "Can leh, you so on the ball!
Then... I see you tonight?"

"Of course," he said.

She looked around to make sure her boss didn't see, then hugged him briefly. Feeling her warm arms around him, Nandi would gladly have stood there for half an hour. She stepped back, then plucked a business card from a holder on the counter. "This has my cell phone number. Keep in touch."

Nandi tucked the card into his shirt pocket. "I hear what you are blowing," he said. At Chew Lan's puzzled look, he grinned, turned, and began threading his way back to the Kunstler & Sons booth.

His mind whirred. Wireless attack. Not a rogue AP. Maybe a DNS redirect? No, DNS worked. By the time he'd reached the booth, he'd formed and discarded several theories. He needed more data.

"Hey Handy!" Troy greeted him.

Preoccupied, Nandi nodded at him, but headed straight for the messenger bag he used as his laptop's travel case. He found his Knoppix-STD CD, slid it into his laptop's drive, and rebooted. That brought up the Linux-based OS from the CD. He initiated a couple of STD's preinstalled security tools, including Snort, ACID and MySQL.

Kai finished talking to a customer, then sauntered over to where Nandi perched on the booth's guest chair. "What's up?"

"Just checking things," Nandi said, intentionally vague. He activated STD's Wireless Card Config utility and told it to scan for signals. It quickly found the BAMMcon access point, which he selected. He clicked Connect. A screen popped up asking for the WPA password.

Nandi harrumphed and looked around. His booth included a podium that acted as a reception point for customers. It also provided some concealed storage. He rummaged around behind it and found the BAMMcon handout Chew Lan had showed him. After verifying that he was connecting to the right AP, he entered the password and completed the wireless connection.

Kai got bored and wandered away, exactly as Nandi had hoped. From the STD desktop, he ran Aterm as root, which gave him an administrative command prompt window.
At the root@0[knoppix]$ prompt, he typed:

```
tethereal -i eth0 tcp port 80
```

That launched Tethereal, a text-based version of Ethereal. Using Mozilla Firebird (an older version of Firefox) for his browser, he surfed to the BAMMcon home page. Instantly, the Snort Web-based reporting tool, ACID, popped up an alarm: "BLEEDING-EDGE EXPLOIT IE iFRAME exploit."

"Ha!" Nandi declared, "I knew it was an IE flaw!" He switched to Tethereal's Aterm window and looked at the results:

```
0.002902 192.168.1.147 -> www.BAMMcon.com HTTP GET / HTTP/1.1
0.003456 www.BAMMcon.com -> 192.168.1.147 TCP http > 1688 [ACK] Seq=544509274 Ack=3399689093 Win=26182 Len=0
0.009871 www.BAMMcon.com -> 192.168.1.147 HTTP HTTP/1.1 200 OK
0.031529 www.BAMMcon.com -> 192.168.1.147 TCP http > 1688 [ACK] Seq=544509274 Ack=3399689093 Win=26182 Len=0
0.043876 www.BAMMcon.com -> 192.168.1.147 HTTP HTTP/1.1 200 OK
```

Nandi frowned. He had gone to BAMMcon.com once, which made his computer issue an HTTP GET request to "get" BAMMcon's page. But it looked like BAMMcon's Web site had responded twice. That made no sense. Browsers expected only one reply, so they disregarded the second.

The summary was not enough. He had to see the full packets coming from BAMMcon.com. He ran Tethereal again, instructing it to output the results to a file rather than directly to the screen:

```
tethereal -i eth0 tcp port 80 -w Websniff
```

He refreshed his browser, still on the BAMMcon home page, to trigger a new HTTP GET. Then he minimized Aterm, found Ethereal on the desktop, and launched it. From inside Ethereal, he navigated to the file he had named Websniff, and opened it.

Now that he could see entire packet captures, Nandi could drill down and compare the contents of the first and second responses to his HTTP GET request. The first reply contained the buffer overflow string he had spotted in the Web page's source code. The second reply did not.

Nandi rocked back in his chair. "I am hearing from two different Web sites!" he exclaimed. "I'll bet the second reply is the real one."

To test his theory, he left the packet capture running and tried to surf to Google. His browser still showed the BAMMcon home page. But when he checked Ethereal, it showed two replies to his GET request. The first one contained the corrupted BAMMcon page. The second reply, which his browser disregarded, was a normal Google page.

A smile crept onto his face. "Very clever!" He looked at Troy, who happened to look his way.

"What?" Troy said.

"Someone is hacking BAMMcon's wireless network," Nandi said. "He has something watching for HTTP packets on the wireless network. Then it injects an HTTP response before the real Web page can answer. He is leet!"

Troy looked concerned. "Is our stuff gonna get hurt?"

"No," Nandi said. "It is a wireless attack, and our network is wired. But anyone who has used the wireless network to reach BAMMcon's conference page has been back-doored and possibly trojaned." As he spoke, he moved to one of the demo machines on the wired network, exited the demo, and called up Google. Accessing it was no problem. He typed, "802.11 packet injection." The first result read, "What are some interesting Wi-Fi (802.11) tools?" It mentioned something called "airpwn."

He was about to read more when a cry of disgust distracted him. He looked at the booth next door.

"That's gross!" an athletic-looking woman exclaimed. Nandi could see her computer screen. It featured a large picture of a hairy man doing something biologically impossible, obscured only slightly by the words, "pwned by V1rtu@L V1rtu0s0."

"Look at this!" the woman said to a colleague. "I tried to call up our price list on the Web--"

A groan reached Nandi from across the aisle. The same image had popped up on three monitors in the booth across the way, to the chagrin of the salesmen. One of them kept switching to the next computer and the next, trying to call up a Web page, but getting the same obscene image.
Compelled by curiosity, Nandi hurried down the aisle, glancing in the booths. Most of them had the same vulgar image appearing on their monitors.

"He's here!" Nandi realized. "He has to be in range to do this!"

He was halfway to the ConGlomCo booth before he noticed what he was doing. Eager to impress Chew Lan with his analysis, he was instinctively rushing to her side.

When he arrived at the enormous ConGlomCo booth, the hideous V1rtu@L V1rtu0s0 picture blared from their giant video wall. Silver-shirted employees scrambled to shut it off.

"Chew Lan?" he asked the first ConGlomCo employee he encountered. "Where's Chew Lan?" Following a pointing finger, he turned left.

At the end of the aisle, a crowd of people huddled in front of the pipe-and-drape booths provided for relative privacy. Attendees craned their necks to see over the crowd. At the center of it, conference security guards and Las Vegas cops finished conferring. Some of them turned around and began dispersing the crowd.

"Move along," a guard told Nandi. "Show's over."

"But I have to find my friend," Nandi said. The guard began to contradict him, but when the crowd parted Nandi caught a glimpse of Chew Lan, who spotted him at the same time.

"Nandi!" she beamed. She hurried over to him, her eyes sparkling. "I caught the hacker!"

"Y-You?" he stammered. As a child in India, he had loved standing on the ocean shore because of the strange sliding sensation he got when waves pulled back from under his feet. The floor was doing it to him right now. "B-but... how--"

"I just had to clear the barang barang from my brain. A wireless attack, so the gear has to be in range, lah? The attacker wouldn't be a vendor. He wouldn't want his gear in plain sight. The only place for him to hide was these privacy booths. So I called BAMMcon security, and when they began searching... here he is!"

She pointed at a scrawny, pimple-faced youth. A cop clutched each of his skinny arms.
His nose and eyes were red, as if he had been crying. At his feet, technicians carefully bagged the electronic contents of an open viola case.

Nandi swallowed hard. He recognized the kid; he had passed him less than an hour ago. In his zeal to impress her, he hadn't even considered notifying the conference that it had been hacked. Defensively, he said, "I figured out how he did it. It was an 802.11 --"

"He used a tool called 'air pone,'" Chew Lan said. "He already confessed." She brightened. "But good for you, figuring it out!" She gave his hand a little squeeze.

To Nandi, it felt like his mommy was cooing over a finger painting he'd brought home from kindergarten. Kindly condescending.

A muscular, hard-bodied Vegas police officer with blonde hair came over. "We're going to need a full statement from you," he told Chew Lan. "Do you know anything about all this high tech stuff?"

She surveyed the muscular officer. In Nandi's mind, he heard her thinking, "Wah, so yandao!" She smiled at the officer and said, "I will be pleased to help."

"Great," the officer said. "Can I drive you to the station? This could take awhile. Do you need to gather your things? Notify your boss?"

Nandi watched them walk away. Absorbed in answering the officer's questions, Chew Lan did not look back.

###

The decor: sumptuous. The live jazz: top-notch. The atmosphere: dimly-lit romance. The skinny Indian kid: alone.

Uncomfortable in his sport coat, Nandi squirmed in the overstuffed wing chair. He pulled out his cell phone for the hundredth time. 11:05 p.m. No point in leaving Chew Lan another voice mail message. Perhaps he would never know why she hadn't shown up.

He looked at the chocolate-dipped strawberries he had ordered an hour ago. They were sweating. He popped one in his mouth, pushed his chair back, and walked out.

From the Paris hotel's chilled shopping corridor, he pushed a speed dial button on his cell and called someone he knew would be awake.
After a couple of rings, a familiar voice answered. "Hey, Nandi! How're things in Vegas? You okay?"

The sound of Dustin's voice was even more welcome than he had expected. Nandi said, "You would not believe the day I have had."

Dustin chuckled. "Yeah? Tell me all about it. Then I'll tell you what Junior's up to now."

Despite his depression, Nandi laughed. "I cannot imagine. Did you know I met Chew Lan today?"

From inside Napoleon's, a lone sax expressively played, "I've Got You Under My Skin." The song drifted past the Indian kid murmuring into his cell phone, and floated into the desert night.

## The End
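
The doubled reply in Nandi's capture is what a response-injection race looks like on the wire: two data segments from the same server address covering the same TCP sequence range with different bytes. The Python sketch below is an added example, not part of the original story; the `Segment` record, the addresses and the payloads are constructed sample data, and sequence-number wraparound is ignored.

```python
from collections import defaultdict
from typing import NamedTuple

class Segment(NamedTuple):          # one captured TCP segment (hypothetical record type)
    time: float
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    payload: bytes

def find_conflicting_replies(segments):
    """Pairs (earlier, later) where one sender filled the same sequence
    range twice with different bytes. Identical retransmissions are benign."""
    seen = defaultdict(list)        # flow -> data segments already seen
    conflicts = []
    for seg in sorted(segments, key=lambda s: s.time):
        if not seg.payload:
            continue                # bare ACKs carry nothing to compare
        flow = (seg.src, seg.sport, seg.dst, seg.dport)
        for prev in seen[flow]:
            start = max(prev.seq, seg.seq)
            end = min(prev.seq + len(prev.payload), seg.seq + len(seg.payload))
            if start < end:         # the two segments overlap in sequence space
                a = prev.payload[start - prev.seq:end - prev.seq]
                b = seg.payload[start - seg.seq:end - seg.seq]
                if a != b:
                    conflicts.append((prev, seg))
        seen[flow].append(seg)
    return conflicts

# Constructed sample shaped like the capture in the story: one GET, then two
# "200 OK" replies at the same server sequence number (203.0.113.10 is a placeholder).
SERVER, CLIENT = "203.0.113.10", "192.168.1.147"
GET = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
FIRST = b"HTTP/1.1 200 OK\r\n\r\n<html>injected page</html>"
SECOND = b"HTTP/1.1 200 OK\r\n\r\n<html>real page</html>"
SAMPLE = [
    Segment(0.002902, CLIENT, 1688, SERVER, 80, 1000, GET),
    Segment(0.003456, SERVER, 80, CLIENT, 1688, 5000, b""),
    Segment(0.009871, SERVER, 80, CLIENT, 1688, 5000, FIRST),
    Segment(0.043876, SERVER, 80, CLIENT, 1688, 5000, SECOND),
    Segment(0.050000, CLIENT, 1688, SERVER, 80, 1000, GET),  # plain retransmit
]

if __name__ == "__main__":
    for first, later in find_conflicting_replies(SAMPLE):
        print(f"{first.src}:{first.sport} seq={first.seq} sent twice with "
              f"different data at t={first.time} and t={later.time}")
```

The overlap alone does not say which of the two replies is genuine; it only shows that two different senders answered the same request.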