Sunday, May 17, 2020
Cracking My Own Cuckoo's Egg
While not nearly as fantastical and incredible as the true story Cliff Stoll shared in "The Cuckoo's Egg," I too had the opportunity to experience a similar thrill in catching a "cyber criminal" who was up to no good.
This story took place while I was a college senior working for the College of Business Technology Support Center. By this point I had risen to the rank of Lead Student LAN Administrator, and was in charge of leading the other tech support student workers as well as building and managing some of the servers used within the college. In our sizable storage room, we had some space set aside where I and some of my coworkers could build development servers for independent learning.
One evening, I received a message from one of my coworkers who was out of town for the weekend saying that he thought someone else had broken into the server he had built. When he built the server, it was running Windows Server 2000, however when he went to RDP into it, he found that it was now running Windows Server 2003 - and he swears he did not install 2003. This seemed odd, especially considering that if someone broke in remotely, they would have to figure out a way to load the media, perform the install and ensure they could reconnect to the system afterwards. I found a few articles that suggested this could be done if they were doing an in-place upgrade, so the story seemed plausible enough.
Unfortunately, whoever had taken possession of my coworker's server had also removed his access to the server. Without the ability to log in to the system, it was going to be more difficult to figure out what was going on. Additionally, if this was someone local (which was my hope) I did not want to tip them off that I was on to them, figuring that if they found out, they would wipe the system of anything that could trace back to them. How could I passively recon information and evidence without tipping them off? Sure, I could just disconnect the server from the network, comb through the logs and hope there was evidence that pointed back to them, however I really wanted to catch them in the act - but how?
Several things came to mind.
First, I ran Nmap against the system to see what ports were open in order to get a sense of what they might be doing with the server. The most interesting thing to note from this was that port 194 was open and appeared to be running some form of an IRC server. My coworker had not been using this for IRC - this was new. Aside from that, the rest of the ports were typical Windows system ports, including RDP (3389) and SMB (139 & 445).
This at least gave me some direction on what to look for, if I could sniff the traffic. While it was not connected to a switch from which I could perform traffic mirroring, since I had physical access to the system, I could insert a device between it and the wall from which I could sniff the traffic. Network hubs were more commonly used back then, and we fortunately still had a few unused ones laying around. The beauty of a hub as opposed to a switch, is that a hub blindly sends copies of all the traffic to all of the interfaces (as opposed to a switch which only sends the traffic to the appropriate destination).
So here was the next plan - disconnect the cable from the wall, connect it to the hub, then connect another cable from the hub to the wall. Next, I would grab a laptop, install WinPCAP and Wireshark (this was before I became proficient with Linux), and connect that to the same hub.
Once I had everything set up, I needed to be quick in switching out the cables - again, to avoid tipping them off. And voilà! Just like that I could see all the traffic flowing to and from the server. Working in my favor was that IRC sent all of the messages in clear text, so I could see all of the conversations streaming across the wire. This pretty much gave me everything I needed to start tracking down this pest. I ran capture after capture of the traffic to see if I could tell the source IP address for the person in control of the server.
I noticed pretty quickly that one IP, which happened to originate from an on-campus residence hall network (per the DNS name), was consistently connecting to the IRC port. While not conclusive, it was a lead. The real break, though, came after a few days of monitoring other activity originating from that IP. I happened to catch a connected session established from that same IP to the RDP port. A ha! This was my person. After a quick call to Network Services to trace the IP, they were able to provide me with the switch it was associated with, and the room number into which it was patched. So I had an IP address and a residence hall room number; all I needed was a name.
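The correlation described above (the same source host showing up on both the cleartext IRC port and the RDP port of the hub-tapped server) is easy to automate once the capture is in text form. The script below is an added example, not code from the original post: it parses a small constructed, tcpdump-style capture log (the IP addresses, ports, nicknames, channel name and the reverse-DNS table are all made up for illustration), pulls the cleartext IRC PRIVMSG lines off the wire, tallies which ports each source host opened connections to, and reports the hosts that touched every port of interest. The port numbers (194 for IRC, 3389 for RDP) are the ones the post reports.

```python
"""Correlate source hosts across an IRC port and RDP in a hub-tapped capture.

Added example. Input is a constructed, tcpdump-like text log, one packet per
line:  <time> <src_ip>.<sport> > <dst_ip>.<dport>: <flags> [| <payload>]
The "| payload" suffix carries cleartext application data where present.
"""
from collections import defaultdict
import re

IRC_PORT = 194      # IANA-assigned IRC port, the one the post saw open
RDP_PORT = 3389

# Constructed sample capture (not real traffic). 10.20.40.12 is the tapped server.
SAMPLE_CAPTURE = """\
20:01:03.120 10.20.30.7.51044 > 10.20.40.12.194: S
20:01:03.121 10.20.40.12.194 > 10.20.30.7.51044: S.
20:01:05.002 10.20.30.7.51044 > 10.20.40.12.194: P | NICK owner
20:01:05.400 10.20.30.7.51044 > 10.20.40.12.194: P | PRIVMSG #lair :box is up, rdp later
20:02:11.900 10.20.31.2.40022 > 10.20.40.12.194: S
20:02:12.004 10.20.31.2.40022 > 10.20.40.12.194: P | PRIVMSG #lair :hey
20:03:01.000 10.20.30.7.51230 > 10.20.40.12.3389: S
20:03:01.050 10.20.40.12.3389 > 10.20.30.7.51230: S.
20:03:02.000 10.20.30.7.51230 > 10.20.40.12.3389: .
20:04:00.000 10.20.50.9.33001 > 10.20.40.12.445: S
"""

# Constructed reverse-DNS table standing in for the campus DNS the post consulted.
REVERSE_DNS = {
    "10.20.30.7": "room-412.reshall-east.example.edu",
    "10.20.31.2": "lab-pc-18.business.example.edu",
}

_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>\S+)"
    r"(?: \| (?P<payload>.*))?$"
)
_PRIVMSG = re.compile(r"^PRIVMSG (?P<target>\S+) :(?P<text>.*)$")


def parse_capture(text):
    """Turn the text log into a list of packet dicts; unparseable lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        p = m.groupdict()
        p["sport"] = int(p["sport"])
        p["dport"] = int(p["dport"])
        packets.append(p)
    return packets


def connections_by_source(packets, server_ip):
    """Map each source IP to the set of server ports it sent a bare SYN to."""
    ports = defaultdict(set)
    for p in packets:
        if p["dst"] == server_ip and p["flags"] == "S":   # SYN only, not SYN-ACK
            ports[p["src"]].add(p["dport"])
    return dict(ports)


def irc_messages(packets, server_ip, irc_port=IRC_PORT):
    """Extract (src_ip, target, text) from cleartext PRIVMSG payloads sent to the server."""
    out = []
    for p in packets:
        if p["dst"] != server_ip or p["dport"] != irc_port or not p["payload"]:
            continue
        m = _PRIVMSG.match(p["payload"])
        if m:
            out.append((p["src"], m["target"], m["text"]))
    return out


def suspects(packets, server_ip, ports=(IRC_PORT, RDP_PORT)):
    """Source IPs that opened connections to every port in `ports` (IRC and RDP)."""
    wanted = set(ports)
    return sorted(src for src, seen in connections_by_source(packets, server_ip).items()
                  if wanted <= seen)


def resolve(ip, table=REVERSE_DNS):
    """Reverse-DNS lookup against the constructed table; falls back to the IP."""
    return table.get(ip, ip)


if __name__ == "__main__":
    pkts = parse_capture(SAMPLE_CAPTURE)
    for src, target, text in irc_messages(pkts, "10.20.40.12"):
        print(f"IRC {resolve(src)} -> {target}: {text}")
    for src in suspects(pkts, "10.20.40.12"):
        print(f"SUSPECT {src} ({resolve(src)}) hit both IRC and RDP")
```

Only bare SYNs toward the server count as connection attempts, so the server's own SYN-ACKs and the later ACK/PSH packets do not inflate the tally; a host that only chats on IRC (as a real user of the rogue server might) is not flagged, while the one that also opens RDP is. In the post this correlation took a few days of repeated captures, which is exactly the kind of log a script like this is meant to be run over.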
I find that it pays to have friends in many areas and departments on campus, including Residence Services. I reached out to my friend there, who happened to be a fellow student employee that helped manage the housing database, to see if they might be willing to look up some information for me. They had no issue with that - while not publicly available, this was directory information that did not require consent or approval to hand out. I told him the room number, and he gave me the name - and wouldn't you know it! The occupant of that room was a student who had previously worked in the College of Business Technology Support Center. Gotcha!
I gathered up all of the information I collected, wrote up my findings, and preserved the evidence from Nmap and Wireshark and turned over my findings to my boss. He promptly contacted the University's recently formed information security office so they could take action. Following a conversation with the student about how even as innocent in the greater scheme of things as this was, it was still considered breaking the law - and brought along the threat of expulsion - the student wisely confessed, apologized for their mistakes, and agreed not to misuse any more university computers or networks. Getting to see their embarrassment for getting caught was satisfying enough for me.