Überhacker II, Chapter 9: Ethernet Exploration
In this chapter you will learn about:
· How to uncover the identities of computers on a LAN
· Arp troubleshooting
· Why arp tables are so useful
· MAC addresses and OUI databases
· Sniffers
Aug. 6, 1998, around 11 PM, I was playing with my favorite SPARC
10 running SunOS over at Rt66 Internet. While trying to compile
a program, I noticed that things had slowed to a crawl. A look
at the process table showed little CPU time was being used. That
made me suspicious, because that SPARC sure was slow. There were
two possibilities: either my connection was making it appear slow,
or the ps command had been Trojaned to hide an intruder.
I tried a network ping to check connection speed within the Rt66
LAN: a ping sent to the LAN's broadcast address, so that every host
on the segment that answers broadcast ICMP echo requests replies at
once. I figured this would also check my Point-to-Point Protocol
(PPP) connection speed. If it was slow, the replies to my network
ping would be delayed coming back to my console. So I gave the
command:
~> ping 198.59.999.255
I watched the replies coming back at their normal speed. OK,
then it was the SPARC 10 itself that was slow. But - wait - what
was this I saw? The computer we nicknamed Bastard was also responding
to the network ping. Bastard was a co-located Linux box configured
to ignore any ICMP (Internet Control Message Protocol) packets
such as ping, to hide silently in the network. I phoned its owner,
Dennis. "I'm wondering if Bastard got hacked?"
Dennis explained that he had just made a configuration change
on Bastard and had temporarily allowed it to answer ICMP queries.
He also had an answer for the slow SPARC - it was probably being
used to download an unusual amount of porn that night. I was afraid,
however, that the slow system and anomalous ps result meant intruders
might be doing a lot of hidden work on that system.
Four AM that morning, I woke, as I do so often, in pain from
an old injury. It's a major reason I hack - what else is there
to do in those small, painful hours of the morning? I got online
at 4:28 AM. I discovered there were new intruders at Rt66. Yes,
I say new, because I had been observing the activities of a single
intruder who had been on that SPARC for 10 days that I knew of.
I had alerted the owners of Rt66 Internet, but since the intruder
was not doing any damage, they had decided to let him or her remain.
Unfortunately the guys who were root at 4:28 AM Sept. 7, 1998
were hardly harmless. It was the second assault of the Hacking
for Girliez gang. They had just gotten the credit card files for
1,800 customers and broadcast some of them to Pete Shipley's Def
Con email list. In the mail queue were threatening messages to
all Rt66 customers, and boasts addressed to a long list of journalists.
The company web site had not yet been hacked, but construction
of the new web site was in progress. It included a photo taken
at the Def Con shootout that year of a poster of me with a bullet
hole in my forehead (see Figure 1).

Figure 1: Part of a hacked web page that never got online. After
that the Hacking for Girliez gang was careful to get everything
ready in advance.
The FBI later estimated that the Girliez' activities that night
cost the affected credit card companies alone some $1.8 million.
The Vice President of Rt66, Mark Schmitz, told me that
if I hadn't caught the hack before the customers got the threatening
email, it would have driven them out of business. As it was, the
assault did enough damage that the company barely survived and
a year later sold out to a competitor.
It's amazing how much you can learn about an Ethernet LAN, legally,
and even if you don't have root or administrator privileges on
any computer on that LAN. All you will need is some simple, built-in
network commands common to the various Unix-type and Windows-type
operating systems.
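As an added example, not code from the book, here is a Python script that does the unprivileged LAN survey this chapter describes with the built-in commands: ping the broadcast address so that every host that answers lands in the ARP cache, read the cache back with `arp -a`, and map the first three octets of each MAC (the OUI) to a vendor. The `arp -a` sample output and the tiny OUI table are constructed for illustration, and the function names are my own; a real lookup would use the full IEEE OUI registry.

```python
"""Enumerate LAN hosts from the ARP cache and map each MAC's OUI to a vendor.

Added example (not from Uberhacker II). The `arp -a` samples and the OUI
entries below are constructed for illustration.
"""
import re
import subprocess
import sys
from typing import Dict, List, Optional

# Constructed excerpt of the IEEE OUI registry (first three octets -> vendor).
# Embedded only so the example runs offline; use the full oui.txt for real work.
OUI_EXCERPT: Dict[str, str] = {
    "08:00:20": "Sun Microsystems",
    "00:50:56": "VMware",
    "00:0C:29": "VMware",
    "00:00:0C": "Cisco Systems",
    "00:03:93": "Apple",
}

# One regex covers the two common `arp -a` layouts:
#   Linux/BSD:  host (192.0.2.10) at 08:00:20:12:34:56 [ether] on eth0
#   Windows:      192.0.2.10            08-00-20-12-34-56     dynamic
ARP_LINE = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}).*?"
    r"(?P<mac>[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})"
)

# Constructed sample output, standing in for a live `arp -a`.
SAMPLE_LINUX = """\
? (192.0.2.1) at 00:00:0c:07:ac:01 [ether] on eth0
sparc10.example.net (192.0.2.10) at 08:00:20:12:34:56 [ether] on eth0
? (192.0.2.20) at 00:50:56:ab:cd:ef [ether] on eth0
? (192.0.2.99) at <incomplete> on eth0
"""
SAMPLE_WINDOWS = """\
Interface: 192.0.2.50 --- 0x4
  Internet Address      Physical Address      Type
  192.0.2.1             00-00-0c-07-ac-01     dynamic
  192.0.2.30            00-03-93-9a-bc-de     dynamic
  192.0.2.255           ff-ff-ff-ff-ff-ff     static
"""


def normalize_mac(mac: str) -> str:
    """Canonical form: upper-case, colon-separated (Windows prints dashes)."""
    return mac.replace("-", ":").upper()


def vendor_for(mac: str) -> str:
    """Look up the 24-bit OUI (first three octets) in the embedded excerpt."""
    return OUI_EXCERPT.get(normalize_mac(mac)[:8], "unknown")


def parse_arp_table(text: str) -> List[Dict[str, str]]:
    """Extract ip/mac/vendor records from `arp -a` output.

    Entries without a resolved MAC (`<incomplete>`) are skipped, as is the
    broadcast address ff:ff:ff:ff:ff:ff that Windows lists as a static entry.
    """
    hosts = []
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if not m:
            continue
        mac = normalize_mac(m.group("mac"))
        if mac == "FF:FF:FF:FF:FF:FF":
            continue
        hosts.append({"ip": m.group("ip"), "mac": mac, "vendor": vendor_for(mac)})
    return hosts


def populate_arp_cache(broadcast: str) -> None:
    """Ping the broadcast address so every host that answers lands in the cache.

    Only hosts that reply to broadcast ICMP echo requests appear; a box that
    drops ICMP on purpose, like the chapter's 'Bastard', stays invisible. Linux
    `ping` needs -b to accept a broadcast target; Windows `ping` cannot do it.
    """
    if sys.platform.startswith("win"):
        raise RuntimeError("Windows ping does not support broadcast targets")
    subprocess.run(["ping", "-b", "-c", "2", broadcast], check=False,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


def live_inventory(broadcast: Optional[str] = None) -> List[Dict[str, str]]:
    """Run the real commands (no root needed) and return the parsed table."""
    if broadcast:
        populate_arp_cache(broadcast)
    out = subprocess.run(["arp", "-a"], capture_output=True, text=True).stdout
    return parse_arp_table(out)


if __name__ == "__main__":
    # Offline demo on the constructed samples; pass a broadcast address
    # (e.g. 192.168.1.255) as argv[1] to survey your own LAN instead.
    table = (live_inventory(sys.argv[1]) if len(sys.argv) > 1
             else parse_arp_table(SAMPLE_LINUX) + parse_arp_table(SAMPLE_WINDOWS))
    for h in table:
        print(f"{h['ip']:<16} {h['mac']}  {h['vendor']}")
```

Two caveats a practitioner should keep in mind. First, the broadcast ping only surfaces hosts that answer broadcast echo requests; a host that drops ICMP will still show up in the ARP cache later if you exchange any other traffic with it, so the cache is worth re-reading over time. Second, on Linux distributions that no longer ship net-tools, `arp -a` is absent and `ip neigh` prints the same cache in a different layout, so the regex above would need a third pattern for it.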
For maximum enjoyment of this chapter, you should both set up
a home LAN and get a shell account on an ISP. Any ISP that offers
shell accounts most likely has many computers on a local area
network (LAN). It probably uses Ethernet. Alternatively, your
employer or school may have a LAN with which you can experiment.
Be sure to get permission from the sysadmins at your place of
work or school before trying even the most innocuous things in
this chapter. Some sysadmins are extremely anxious over the possibility
that users may be attempting to harm their system or steal sensitive
data. Until recently, it was insiders that committed the majority
of computer crime. So if you don't want to get fired or expelled
from school, be extremely careful that you have permission - in
writing - to explore your LAN. Tom Massey warns, "Also make
sure the permission is given in writing by somebody who's actually
allowed to give that permission. The sysadmin may not be enough,
you want to get permission from as high up in the organization
as you can."