What's New!

Chat with

How to Defend
Your Computer 

The Guides
to (mostly) 
Harmless Hacking

Happy Hacker 
Digests (old stuff) 

Hacker Links 


Meet the 
Happy Hacksters 

Help for 



It Sucks 
to Be Me!

How to Commit
Computer Crime (not)! 

What Is a 
Hacker, Anyhow? 

Have a 
Great Life! 

News from the 
Hacker War Front

ÜberhackerII, Chapter 9: Ethernet Exploration

In this chapter you will learn about:

· How to uncover the identities of computers on a LAN
· Arp troubleshooting
· Why arp tables are so useful
· MAC addresses and OUI databases
· Sniffers

Aug. 6, 1998, around 11 PM, I was playing with my favorite SPARC 10 running Sun OS over at Rt66 Internet. While trying to compile a program, I noticed that things had slowed to a crawl. A look at the process table showed little CPU time was being used. That made me suspicious, because that SPARC sure was slow. There were two possibilities: either my connection was making it appear slow, or the ps command had been Trojaned to hide an intruder.

I tried a network ping to check connection speed within the Rt66 LAN. I figured this would also check my Point-to-Point Protocol (PPP) connection speed. If it was slow, the results of my network ping would be delayed coming back to my console. So I gave the command:

~> ping 198.59.999.255

I watched the replies coming back at their normal speed. OK, then it was the SPARC 10 itself that was slow. But - wait - what was this I saw? The computer we nicknamed Bastard was also responding to the network ping. Bastard was a co-located Linux box configured to ignore any ICMP (Internet Control Message Protocol) packets such as ping, to hide silently in the network. I phoned its owner, Dennis. "I'm wondering if Bastard got hacked?"

Dennis explained that he had just made a configuration change on Bastard and had temporarily allowed it to answer ICMP queries. He also had an answer for the slow SPARC - it was probably being used to download an unusual amount of porn that night. I was afraid, however, that the slow system and anomalous ps result meant intruders might be doing a lot of hidden work on that system.

Four AM that morning, I woke, as I do so often, in pain from an old injury. It's a major reason I hack - what else is there to do in those small, painful hours of the morning? I got online at 4:28 AM. I discovered there were new intruders at Rt66. Yes, I say new, because I had been observing the activities of a single intruder who had been on that SPARC for 10 days that I knew of. I had alerted the owners of Rt66 Internet, but since the intruder was not doing any damage, they had decided to let him or her remain.

Unfortunately the guys who were root at 4:28 AM Sept. 7, 1998 were hardly harmless. It was the second assault of the Hacking for Girliez gang. They had just gotten the credit card files for 1,800 customers and broadcast some of them to Pete Shipley's Def Con email list. In the mail queue were threatening messages to all Rt66 customers, and boasts addressed to a long list of journalists. The company web site had not yet been hacked, but construction of the new web site was in progress. It included a photo taken at the Def Con shootout that year of a poster of me with a bullet hole in my forehead (see Figure 1).

Figure 1: Part of a hacked web page that never got online. After that the Hacking for Girliez gang was careful to get everything ready in advance.

The FBI later estimated that the Girliez' activities that night cost the affected credit card companies alone some $1.8 million dollars. The Vice President of Rt66, Mark Schmitz, told me that if I hadn't caught the hack before the customers got the threatening email, it would have driven them out of business. As it was, the assault did enough damage that the company barely survived and a year later sold out to a competitor.

It's amazing how much you can learn about an Ethernet LAN, legally, and even if you don't have root or administrator privileges on any computer on that LAN. All you will need is some simple, built-in network commands common to the various Unix-type and Windows-type operating systems.

For maximum enjoyment of this chapter, you should both set up a home LAN and get a shell account on an ISP. Any ISP that offers shell accounts most likely has many computers on a local area network (LAN). It probably uses Ethernet. Alternatively, your employer or school may have a LAN with which you can experiment.

Be sure to get permission from the sysadmins at your place of work or school before trying even the most innocuous things in this chapter. Some sysadmins are extremely anxious over the possibility that users may be attempting to harm their system or steal sensitive data. Until recently, it was insiders that committed the majority of computer crime. So if you don't want to get fired or expelled from school, be extremely careful that you have permission - in writing - to explore your LAN. Tom Massey warns, "Also make sure the permission is given in writing by somebody who's actually allowed to give that permission. The sysadmin may not be enough, you want to get permission from as high up in the organization as you can."

More --->>

Carolyn's most
popular book,
in 4th edition now!
For advanced
hacker studies,
read Carolyn's
Google Groups
Subscribe to Happy Hacker
Visit this group

© 2013 Happy Hacker All rights reserved.