“So how do we get in?” Brand asked, pacing the office while a cold wind howled and bleated outside. “We don’t have time for a low-and-slow, and if we bombard them, they’ll get their guard up right away.”
“I know,” Rawls said, staring at the homepage of the cellular phone company whose server he had to break into.
There were two obvious methods of testing a company’s perimeter defenses. Low-and-slow port scanning was one way. Data packets, small enough to be missed by most intrusion-detection software, were sent to the corporate network over a period of days. Entry was accomplished by flying under the radar and taking a long time - low and slow. Eventually all open ports would be identified, and a skilled hacker could map the network.
The alternative was to bombard the target with data packets - an NMap FIN scan, in hacker argot. There was nothing slow about this approach, but unfortunately it wasn’t clandestine either. An all-out scanning attack would trigger an immediate security alert.
Rawls needed to get in fast but surreptitiously. Tall order, but there was always a way.
His fingers moved across his keyboard and pulled up a program that allowed him to launch a null session - a NetBIOS connection established with a blank user name and password. A null session could get him into any vulnerable server and allow him to read some of its contents.
“You can’t get to Nolan’s account that way,” Brand said, watching over his shoulder.
“I’m aware of that, Ned.” Rawls heard testiness in his own voice. Well, it was after 2:00 A.M. He had a right to be testy.
The null session got him into the corporate server and gave him read-only access to the registry. “They’re running NT 4.0,” he said, “service pack five, option pack four.”
“Outdated,” Brand observed.
“That’s what I was hoping for. You remember the problem with this build of NT?”
“There were lots of problems.”
“The big one.”
“You mean the i-i-s-hack thing?”
“You got it.”
“There’s been a patch for that since last year.”
“But if the sysadmin hasn’t upgraded his OS, he may not have kept current on the patches either.” Rawls was already searching his hard drive for a file named “ncx.exe.” He uploaded it to the Baltimore field office’s Web site, then typed a telnet command, sending a 500-byte file - a small program called “iis-hack” - to port 80 of the cell-phone company’s Web server. The port was open, as it had to be in order to receive Internet traffic. The question was: Would it run the program, or had the server been upgraded with a security patch that would reject the file?
“No way they didn’t patch it,” Brand said.
“There are hundreds of holes in NT,” Rawls countered. “No one can patch them all.”
“Don’t even need a patch, really. Sysadmin just has to disable script mapping for .HTR files.”
“Well, let’s hope he didn’t.”
They waited. The “iishack” program would instruct the server to find the “ncx.exe” file at the Baltimore field office’s URL. It would take a couple of minutes for the file to be downloaded and run. Or the request might already have been denied.
When two and a half minutes had passed according to Rawls’s wristwatch, he entered a new telnet command and reconnected with port 80 of the victim server.
“Moment of truth,” Brand said, leaning closer to the screen.
The corporate homepage vanished, replaced by a black screen with the copyright notice for Windows NT. Below it flashed a DOS prompt.
“We’re in,” Rawls breathed. The flickering C:\ looked beautiful to him.
He was past the firewall. He had access to the corporate server.
Quickly he scrolled through the directory, then went to accounts, entering the Read command followed by Adam Nolan’s account number, which was probably the filename.
A request for log-on identification came up.
“Shit.” Brand sighed. “I guess their security’s not as lame as I thought.”
“We can crack it.” Rawls returned to the directory and located a list of user names. No passwords were shown, but he didn’t think he’d need one. He scanned the list until he found the user name backup. He tapped it with his fingertip. “Sounds like a back door.”
Brand agreed. “Give it a shot.”
Back doors were simple means of access left in place by maintenance and diagnostic personnel who didn’t want to be bothered with memorizing complicated user IDs and passwords. Often they left the manufacturer’s default settings intact. Even when they modified the settings, the changes were usually easy to guess.
Rawls went back into Accounts and typed the user name backup. A password request came up. He retyped backup. He knew how a lazy person’s mind worked. It was easier to remember one word than two.
A moment later the screen filled with lines of text. Adam Nolan’s account in detail.
“Man, you are on a roll,” Brand exulted.
The most recent cell-phone activity came at the end of the list. Nolan’s last call began at 19:54 Pacific Standard Time and continued for three minutes twenty-three seconds. The terminal cell site was given as a string of figures - the cell tower’s latitude and longitude.
Rawls wrote down the numbers, then stood and pulled out his cell phone. “I’m calling LA. Can you clean up?”
“No prob,” Brand said, settling into Rawls’s seat.
Rawls pressed redial and heard the long-distance call go through. Behind him, Brand went about the business of covering their tracks. He would schedule the deletion of the ncx.exe file from the phone company’s server, and for good measure he would go into the server’s log file and erase all references to the intrusion. He would delete “ncx.exe” from the field office’s Web site, as well. It wouldn’t be a good idea for anyone to find it, since what Rawls and Brand had just done was highly illegal.
“Walsh.” The familiar voice from three thousand miles away.
“We’ve got the cell site.”
“This fast?”
“What can I tell you, Morrie? We’re bona fide federal agents. We’re the best of the best.”