Hacker Court 2006: Sex, Lies, and Sniffers
hackercourt@wkeys.com


Page 1

Hacker Court 2006
Sex, Lies, and Sniffers
hackercourt@wkeys.com

Page 2

Sex, Lies, and Sniffers: Announcements

oyez, Oyez, OYEZ

The annual court of Black Hat is now in session with the honorable Judge Richard Salgado presiding.

Page 3

CAST

JUDGE: Richard Salgado – Attorney, Former Senior Counsel of CCIPS, a division of Department of Justice
COURT CLERK: Caitlin Klein
SAMANTHA JONES (CISO): Carole Fennelly, Senior Security Engineer, Tenable Network Security
PROSECUTOR: Kevin Bankston – Staff Attorney, Electronic Frontier Foundation
DEFENSE ATTORNEY: Paul Ohm, Attorney and Law Professor, Former counsel CCIPS, a division of Department of Justice
DEFENDANT: Brian Martin – Attrition.org
REPORTER: Ryan Bulat (as himself) – Intern, Wizard's Keys Corp.
CASE AGENT: Ovie Carroll – Former OSI, CCIPS, a division of Department of Justice
SENATOR DAMON GASM: Simple Nomad – Vernier Networks
DEFENSE EXPERT: Jonathan Klein – Director, Security Solutions, Calence, LLC

Page 4

Schedule

16:45 – 16:50 Introductions, Court Called to Order
16:50 – 17:10 Opening Statements
17:10 – 17:30 Agent Carroll
17:30 – 17:50 Samantha Jones
17:50 – 18:05 Ryan Bulat
18:05 – 18:20 Senator Gasm
18:20 – 18:30 Break
18:30 – 18:55 Jonathan Klein
18:55 – 19:15 Brian Martin
19:15 – 19:25 Closing Statements – Attorneys
19:25 – 19:30 Jury Instructions – Judge Salgado
19:30 – 20:00 Panel Discussion

Page 5

Witness Classification

Factual Witness: testifies to events directly witnessed or observed. May only testify regarding facts, not draw conclusions.

Expert Witness: specifically qualified by the court as an expert in the subject at hand. May offer opinion and draw conclusions based on knowledge and expertise.

Page 6

Prosecution Opening Statement

Attorney Kevin Bankston will present his key points for the Prosecution.

Page 7

Defense Opening Statement

Attorney Paul Ohm will present his key points for the Defense.

Page 8

Prosecution Witness 1

Agent Carroll is the Case Agent, testifying as both a factual and expert witness on events he witnessed and actions he took when he conducted the forensic examination on the computer.

Page 9

Government Exhibit 1

Volatile Memory commands

► rpcinfo -p – Print port numbers for each registered rpc listener
► rpcinfo – Print general information about registered rpc listeners
► netstat -an – Print information about all open sockets
► netstat -nr – Print routing information
► ps -lef – Print a long listing of all processes on the system
► lsof – List all open file descriptors
► nmap – Scanning tool used to determine what ports are open on a remote system.
► gcore <pid> – Take a "core" snapshot of a process.
► nmstat – Print virtual memory statistics
► iostat – Print i/o statistics
► ifconfig – Interface configuration
► ndd – Display network driver settings (/dev/ip, /dev/tcp, /dev/udp)

Page 10

Government Exhibit 1 (cont'd)

Volatile Memory commands

► pstack <pid> – Stack trace for each thread.
► pcred <pid> – Displays the credentials of each process
► memdmp – dumps memory for later examination (found in The Coroner's Toolkit)
► pldd <pid> – Displays the dynamic libraries the process is linked with.
► netcat – used to save volatile data across the network to a secure system.
► dd – used with netcat to save off the system image

dd if=/dev/rdsk/c0t0d0s0 bs=1024 conv=sync,noerror | nc 10.1.1.1 49152

Page 11

Government Exhibit 2

Switch Configuration – Cisco 3750 IOS 12.2.25(SEE)

Switch attached to investigation machine
Fa0/1 – Uplink to the rest of the network
Fa0/5 – Link to investigation machine

!
monitor session 1 source interface Fa0/1
monitor session 1 destination interface Fa0/5
!

Page 12

Government Exhibit 3

#!/usr/bin/perl
#
# Chaosreader can trace TCP/UDP/... sessions and fetch application data
# from tcpdump or snoop logs. This is like an "any-snarf" program, it will
# fetch telnet sessions, FTP files, HTTP transfers (HTML, GIF, JPEG, ...),
# SMTP emails, etc ... from the captured data inside the network traffic
# logs. It creates a html index file that links to all the session details,
# including realtime replay programs for telnet, rlogin or IRC sessions;
# and reports such as image reports and HTTP GET/POST content reports.
# It also creates replay programs for telnet sessions, so that you can
# play them back in realtime (or even different speeds).
#
# Chaosreader can also run in standalone mode - where it invokes tcpdump or
# snoop (if they are available) to create the log files and then processes
# them.
#
#
# 29-May-2004, ver 0.94 (check for new versions, http://www.brendangregg.com)
#  (or run a web search for "chaosreader")
#
#

Page 13

Government Exhibit 3 (cont'd)

# QUICK USAGE:
#   tcpdump -s9000 -w out1; chaosreader out1; netscape index.html
# or,
#   snoop -o out1; chaosreader out1; netscape index.html
# or,
#   ethereal (save as "out1"); chaosreader out1; netscape index.html
# or,
#   chaosreader -s 5; netscape index.html

Page 14

Government Exhibit 4

$ cd snoop
$ ls -l
total 237232
-rw-r--r-- 1 root other 2001215194 May 10 11:59 0510.snoop.out
-rw-r--r-- 1 root other 2005216270 May 11 11:59 0511.snoop.out
-rw-r--r-- 1 root other 2003215732 May 12 11:59 0512.snoop.out
-rw-r--r-- 1 root other 2005217346 May 13 11:59 0513.snoop.out
-rw-r--r-- 1 root other 2003218422 May 14 11:59 0514.snoop.out
-rw-r--r-- 1 root other 2005215732 May 15 11:59 0515.snoop.out
$

Page 15

Government Exhibit 5

-rwxr--r-- 1 root other 8831290 May 16 09:13 my-new-tripod.zip
-rwxr--r-- 1 root other 275910 May 16 09:13 sheep_defile.JPG
-rw-r--r-- 1 root other 12102409 May 16 08:57 session_0013.part_01.smtp.partial.email
-rw-r--r-- 1 root other 12399097 May 16 08:57 session_0013.smtp.partial.html
-rw-r--r-- 1 root other 379103 Jul 30 17:06 session_0004.part_01.smtp.email
-rw-r--r-- 1 root other 389562 Jul 30 17:06 session_0004.smtp.html

Page 16

Government Exhibit 6

smtp: 192.168.10.146:3298 -> 205.102.30.222:25
File 0512.snoop.out, Session 4

220 mailsvr.senate.gov ESMTP Sendmail 8.12.0.Beta10/8.12.2; Fri, 12 May 2006 14:05:48 -0800 (PST)
EHLO [192.168.10.146]
250-mailsvr.senate.gov Hello host146.cmo.org [192.168.10.146], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
MAIL FROM:<[email protected]> SIZE=379105
250 2.1.0 <[email protected]>... Sender ok
RCPT TO:<[email protected]>
250 2.1.5 <[email protected]>... Recipient ok
DATA

Page 17

Government Exhibit 6 (cont'd)

354 Enter mail, end with "." on a line by itself
Message-ID: <[email protected]>
Date: Fri, 12 May 2006 14:05:31 -0800
From: Damon Gasm <[email protected]>
User-Agent: Thunderbird 1.5.0.5 (Windows/20060719)
MIME-Version: 1.0
To: Kimberly Loveless <[email protected]>
Subject: Put this in a safe place.
Content-Type: multipart/mixed;
 boundary="------------020303020005030800050404"

This is a multi-part message in MIME format.
--------------020303020005030800050404
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Page 18

Government Exhibit 6 (cont'd)

Kim,

I've been thinking of you. See what happens when you are not around? ;)

-D

--------------020303020005030800050404
Content-Type: image/jpeg;
 name="sheep_defile.JPG"
Content-Transfer-Encoding: base64
Content-Disposition: inline;
 filename="sheep_defile.JPG"

Page 19

Government Exhibit 18

DISCLAIMER: The following document is a fictionalized testimonial stipulation for the Black Hat 2003 Conference. The witness of the stipulation does not exist, nor was any evidence in this matter gathered.

UNITED STATES OF AMERICA,
        -v.-                    STIPULATION
BRIAN MARTIN,
        Defendant.

IT IS HEREBY STIPULATED AND AGREED between the United States of America, KEVIN BANKSTON, Assistant United States Attorney, of counsel, and the defendant BRIAN MARTIN, by his attorney PAUL OHM, Esq.:

If called as a witness, Bert Smith, would testify as follows:

1) He's the Policy Enforcement officer at Potomac River Internet Access (potomacriver.com) which is located in Backwater, Maryland.

2) Potomacriver.com provides high speed internet access to the Maryland area. Internet access is provided by Digital Subscriber Line (DSL) and Dialup-Connection.

3) When a subscriber connects to the potomacriver.com backbone, the subscriber is provided with an Internet Protocol (IP) address that is unique to the subscriber during their session.

4) Potomacriver.com is assigned the Class B address 63.36.0.0 by the American Registry of Internet Numbers (ARIN) to provide IP addresses for its customers.

Government Exhibit 7

Page 20

Government Exhibit 8

smtp: 192.168.10.146:2241 -> 205.102.30.222:25
File 0515.snoop.out, Session 13

220 mailsrvr.senate.gov ESMTP Sendmail 8.12.0.Beta10/8.12.2; Sun, 14 May 2006 08:54:05 -0800 (PST)
EHLO [192.168.10.146]
250-mailsrvr.senate.gov Hello host146.cmo.org [192.168.10.146], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP

Page 21

Government Exhibit 8 (cont'd)

MAIL FROM:<[email protected]> SIZE=12103671
250 2.1.0 <[email protected]>... Sender ok
RCPT TO:<[email protected]>
250 2.1.5 <[email protected]>... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
Message-ID: <[email protected]>
Date: Sun, 14 May 2006 08:48:45 -0800
From: Damon Gasm <[email protected]>
User-Agent: Thunderbird 1.5.0.5 (Windows/20060719)
MIME-Version: 1.0
To: Kimberly Loveless <[email protected]>
Subject: Stuck at this boring conference....
Content-Type: multipart/mixed;
 boundary="------------060909010300050701070305"

This is a multi-part message in MIME format.
--------------060909010300050701070305
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Page 22

Government Exhibit 8 (cont'd)

Kim,

Hi sweetie! I am so bored at this conference. It is so boring and so not
me, if I knew I was going to be this bored I would have stayed in DC and
listened to floor debates. Yes it is that bad. Great photo ops though,
looks like I may make Newsweek and the cover of USA Today.

Speaking of photo ops, I've been putting that new tripod I bought to
good use. I appreciate the fact that you tucked your underwear in my
bag, so to show you my appreciation I thought I'd send these photos.
Remind you of a certain trip to Cancun and a certain set of strippers?
Boy we had fun that night! You were an animal!

Anyway, heading back down to the conference in this stupid boring hotel
so many miles away from you my love....

Damon

--------------060909010300050701070305
Content-Type: application/octet-stream;
 name="my-new-tripod.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
 filename="my-new-tripod.zip"
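The captured SMTP sessions in Exhibits 6 and 8 are what a Chaosreader-style tool recovers from the snoop files. The following added example (not from the original presentation and not Chaosreader's own code) parses a constructed session of that shape with Python's standard library: it separates the SMTP envelope from the message, undoes dot-stuffing, lists attachments by declared filename, and cross-checks the envelope sender against the From: header and the server banner time against the Date: header. The addresses, the Message-ID and the JPEG payload are placeholders.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample in the shape of the Exhibit 6 capture: addresses and
# Message-ID are placeholders and the JPEG payload is a short base64 stub.
CAPTURE = """\
220 mailsvr.senate.gov ESMTP Sendmail 8.12.0.Beta10/8.12.2; Fri, 12 May 2006 14:05:48 -0800 (PST)
EHLO [192.168.10.146]
250-mailsvr.senate.gov Hello host146.cmo.org [192.168.10.146], pleased to meet you
MAIL FROM:<sender@example.invalid> SIZE=379105
250 2.1.0 <sender@example.invalid>... Sender ok
RCPT TO:<recipient@example.invalid>
DATA
354 Enter mail, end with "." on a line by itself
Message-ID: <placeholder-id@example.invalid>
Date: Fri, 12 May 2006 14:05:31 -0800
From: Damon Gasm <sender@example.invalid>
To: Kimberly Loveless <recipient@example.invalid>
Subject: Put this in a safe place.
Content-Type: multipart/mixed;
 boundary="------------020303020005030800050404"

This is a multi-part message in MIME format.
--------------020303020005030800050404
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Kim,
..a body line that started with a dot arrives dot-stuffed like this
-D
--------------020303020005030800050404
Content-Type: image/jpeg;
 name="sheep_defile.JPG"
Content-Transfer-Encoding: base64
Content-Disposition: inline;
 filename="sheep_defile.JPG"

/9j/4AAQSkZJRgABAQEASABIAAD/2wBDAAMCAgICAgMC
--------------020303020005030800050404--
.
"""


def _angle(line):
    """Address inside the first <...> on an SMTP command line, or None."""
    m = re.search(r"<([^>]*)>", line)
    return m.group(1) if m else None


def parse_smtp_session(capture: str) -> dict:
    """Split a captured session into the envelope (client commands) and the
    message (everything between the 354 reply and the lone '.' terminator)."""
    env = {"banner": None, "ehlo": None, "mail_from": None, "rcpt_to": [], "size": None}
    data, in_data = [], False
    for line in capture.splitlines():
        if in_data:
            if line == ".":
                in_data = False                     # end-of-data terminator
            else:                                   # undo RFC 5321 dot-stuffing
                data.append(line[1:] if line.startswith(".") else line)
        elif line.startswith("220 ") and env["banner"] is None:
            env["banner"] = line[4:]
        elif line.upper().startswith(("EHLO ", "HELO ")):
            env["ehlo"] = line.split(None, 1)[1]
        elif line.upper().startswith("MAIL FROM:"):
            env["mail_from"] = _angle(line)
            m = re.search(r"\bSIZE=(\d+)", line, re.I)
            env["size"] = int(m.group(1)) if m else None
        elif line.upper().startswith("RCPT TO:"):
            env["rcpt_to"].append(_angle(line))
        elif line.startswith("354"):
            in_data = True
    return {"envelope": env, "message": message_from_string("\n".join(data))}


def timestamp_skew_seconds(banner, date_hdr):
    """Server greeting time minus the client's Date header. Sendmail banners end
    with '; <date>'; a large or negative gap points at a skewed or forged clock."""
    if not banner or not date_hdr or ";" not in banner:
        return None
    banner_date = re.sub(r"\s*\([^)]*\)\s*$", "", banner.split(";", 1)[1].strip())
    return (parsedate_to_datetime(banner_date) - parsedate_to_datetime(date_hdr)).total_seconds()


def summarize(capture: str) -> dict:
    """What the capture alone lets an examiner establish about the message."""
    parsed = parse_smtp_session(capture)
    env, msg = parsed["envelope"], parsed["message"]
    attachments = [
        {"filename": p.get_filename(), "content_type": p.get_content_type(),
         "bytes": len(p.get_payload(decode=True) or b"")}
        for p in msg.walk() if p.get_filename()
    ]
    return {
        "ehlo": env["ehlo"], "mail_from": env["mail_from"], "rcpt_to": env["rcpt_to"],
        "declared_size": env["size"], "header_from": msg["From"], "header_to": msg["To"],
        "subject": msg["Subject"], "message_id": msg["Message-ID"], "date": msg["Date"],
        "attachments": attachments,
        # Envelope sender and From: header are set separately by the client; a mismatch is the first thing to flag.
        "envelope_matches_header": bool(env["mail_from"]) and env["mail_from"] in (msg["From"] or ""),
        "banner_minus_date_seconds": timestamp_skew_seconds(env["banner"], msg["Date"]),
    }
```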

Page 23

Government Exhibit 6 (cont'd)

Government Exhibit 9

Page 24

Government Exhibit 10

DISCLAIMER: The following document is a fictionalized testimonial stipulation for the Black Hat 2006 Conference. The witness of the stipulation does not exist, nor was any evidence in this matter gathered.

UNITED STATES OF AMERICA,
        -v.-                    STIPULATION
BRIAN MARTIN,
        Defendant

IT IS HEREBY STIPULATED AND AGREED between the United States of America, KEVIN BANKSTON, Assistant United States Attorney, of counsel, and the defendant BRIAN MARTIN, by his attorney PAUL OHM, Esq.:

If called as a witness, Kimberly Loveless, would testify as follows:

1) She is the communications director for the office of Senator Damon Gasm.

2) She received an e-mail from Senator Gasm on May 12th, 2006 at approximately 5pm.

3) The source header on the e-mail indicated it came from an address owned by cmo.org.

4) The e-mail contained an attached picture called sheep_defile.jpg. This file depicted Senator Gasm and a sheep.

5) She was present when the picture was taken and can confirm its authenticity.

6) She received an e-mail from Senator Gasm on May 14th, 2006 at approximately 11 am.

7) The source header on the e-mail indicated it came from an address owned by cmo.org.

8) The e-mail contained a zip file attachment. One of the images depicted Senator Gasm wearing her bra and lipstick.

Page 25

Government Exhibit 10 (cont'd)

IT IS FURTHER STIPULATED AND AGREED that this stipulation may be received in evidence as a Government exhibit at trial.

Dated: July 1, 2006

By: ____________________________
KEVIN BANKSTON
Assistant United States Attorney

By: ____________________________
PAUL OHM, ESQ.
Attorney for BRIAN MARTIN

Page 26

Prosecution Witness 2

Samantha Jones is the Chief Information Security Officer for the Coalition for Moral Order. The coalition was the sponsor of "Society's Morals Under Threat" from May 10th – May 15th, 2006. This was the conference attended by Senator Gasm. She is a factual witness and she is testifying to factual items about the conference, Brian Martin's job roles and the organization's security policies.

Page 27

Prosecution Witness 3

Ryan Bulat is a staff writer for The New York Compost. Ryan broke the story about the picture of Senator Gasm and the sheep. He will be testifying as a factual witness regarding the story he wrote about the Senator and who the source was for the story.

Page 28

Prosecution Witness 4

Senator Damon Gasm is the victim of the release of the pornography pictures and is testifying as a factual witness on events he directly witnessed.

Page 29

Defense Witness 1

Jonathan Klein is testifying as an expert in general computer knowledge. Part of his testimony will be given outside the presence of the jury as the judge determines whether his testimony will be admitted.

Page 30

Defense Exhibit 1

/*
 * $Id: raptor_passwd.c,v 1.1.1.1 2004/12/04 14:35:33 raptor Exp $
 *
 * raptor_passwd.c - passwd circ() local, Solaris/SPARC 8/9
 *
 * Unknown vulnerability in passwd(1) in Solaris 8.0 and 9.0 allows local users
 * to gain privileges via unknown attack vectors (CAN-2004-0360).
 *
 * "Those of you lucky enough to have your lives, take them with you. However,
 * leave the limbs you've lost. They belong to me now." -- Beatrix Kidd0
 *
 * This exploit uses the ret-into-ld.so technique, to effectively bypass the
 * non-executable stack protection (noexec_user_stack=1 in /etc/system). The
 * exploitation wasn't so straight-forward: sending parameters to passwd(1)
 * is somewhat tricky, standard ret-into-stack doesn't seem to work properly
 * for some reason (damn SEGV_ACCERR), and we need to bypass a lot of memory
 * references before reaching ret. Many thanks to Inode <[email protected]>.
 *
 * Usage:
 * $ gcc raptor_passwd.c -o raptor_passwd -ldl -Wall
 * $ ./raptor_passwd <current password>
 * [...]
 * # id
 * uid=0(root) gid=1(other) egid=3(sys)
 * #
 *
 * Vulnerable platforms:
 * Solaris 8 with 108993-14 through 108993-31 and without 108993-32 [tested]
 * Solaris 9 without 113476-11 [tested]
 */

Page 31

Defense Exhibit 2

$ ./raptor_passwd [password deleted]
raptor_passwd.c - passwd circ() local, Solaris/SPARC 8/9
Using SI_PLATFORM : SUNW,Sun-Blade-100 (5.9)
Using stack base : 0xffbffffc
Using var address : 0xffbffb50
Using rwx_mem address : 0xff3f6004
Using sc address : 0xffbfff94
Using ff address : 0xffbfff50
Using strcpy() address : 0xff3e0288
"Pai Mei taught you the five point palm exploding heart technique?" -- Bill
"Of course." -- Beatrix Kidd0, alias Black Mamba, alias The Bride (KB Vol2)
# id;uname -a;uptime;
uid=0(root) gid=1000(test) egid=3(sys)
SunOS lamb 5.9 Generic sun4u sparc SUNW,Sun-Blade-100
8:33pm up 1 day(s), 7:22, 2 users, load average: 0.08, 0.03, 0.02
#


Defense Exhibit 3

Output of nmap -sT -p1-65535 192.168.11.23

Starting nmap V. 2.54BETA7 ( www.insecure.org/nmap/ )
Interesting ports on spleh.cmo.org (192.168.10.23):
(The 65486 ports scanned but not shown below are in state: closed)
Port      State  Service
7/tcp     open   echo
11/tcp    open   systat
13/tcp    open   daytime
15/tcp    open   netstat
19/tcp    open   chargen
21/tcp    open   ftp
22/tcp    open   ssh
23/tcp    open   telnet
25/tcp    open   smtp
37/tcp    open   time
53/tcp    open   domain
79/tcp    open   finger
111/tcp   open   sunrpc
512/tcp   open   exec
514/tcp   open   shell
540/tcp   open   uucp
587/tcp   open   submission
754/tcp   open   krb5_prop
898/tcp   open   unknown
2049/tcp  open   nfsd
4045/tcp  open   lockd


Defense Exhibit 3 (cont'd)

5987/tcp  open   unknown
5988/tcp  open   unknown
6000/tcp  open   unknown
6112/tcp  open   dtspc
7100/tcp  open   fs
9002/tcp  open   unknown
32777/tcp open   unknown
32778/tcp open   unknown
32779/tcp open   unknown
32780/tcp open   unknown
32781/tcp open   unknown
32782/tcp open   unknown
32783/tcp open   unknown
32785/tcp open   unknown
32786/tcp open   unknown
32789/tcp open   unknown
32790/tcp open   unknown
32791/tcp open   unknown
32792/tcp open   unknown
32799/tcp open   unknown
32801/tcp open   unknown
32807/tcp open   unknown
32808/tcp open   unknown
32809/tcp open   unknown
32810/tcp open   unknown
32811/tcp open   unknown
33003/tcp open   unknown

Nmap run completed -- 1 IP address (1 host up) scanned in 1687 seconds


Defense Exhibit 4

Output of netstat -an | grep LISTEN

*.898    *.* 0 0 49152 0 LISTEN
*.32805  *.* 0 0 49152 0 LISTEN
*.5988   *.* 0 0 49152 0 LISTEN
*.32806  *.* 0 0 49152 0 LISTEN
*.25     *.* 0 0 49152 0 LISTEN
*.587    *.* 0 0 49152 0 LISTEN
*.9002   *.* 0 0 10720 0 LISTEN
*.32807  *.* 0 0 49152 0 LISTEN
*.32808  *.* 0 0 49152 0 LISTEN
*.2049   *.* 0 0 49152 0 LISTEN
*.32809  *.* 0 0 49152 0 LISTEN
*.32810  *.* 0 0 49152 0 LISTEN
*.32811  *.* 0 0 49152 0 LISTEN
*.22     *.* 0 0 49152 0 LISTEN
*.6000   *.* 0 0 49152 0 LISTEN
*.33003  *.* 0 0 49152 0 LISTEN


Defense Exhibit 5

Output of rpcinfo -p

program vers proto port  service
100000  4    tcp   111   rpcbind
100000  3    tcp   111   rpcbind
100000  2    tcp   111   rpcbind
100000  4    udp   111   rpcbind
100000  3    udp   111   rpcbind
100000  2    udp   111   rpcbind
100232  10   udp   32780 sadmind
100083  1    tcp   32785
100221  1    tcp   32786
100068  2    udp   32781
100068  3    udp   32781
100068  4    udp   32781
100024  1    udp   32782 status
100024  1    tcp   32789 status
100133  1    udp   32782
100133  1    tcp   32789
100068  5    udp   32781
100229  1    tcp   32790 metad
100230  1    tcp   32791 metamhd
100242  1    tcp   32792 metamedd
100001  2    udp   32783 rstatd
100001  3    udp   32783 rstatd
100001  4    udp   32783 rstatd
100002  2    udp   32784 rusersd
100002  3    udp   32784 rusersd


Defense Exhibit 6

grep 33003 /etc/services

login 33003/tcp


Defense Exhibit 7

grep login lsof.out (output from lsof)

sqldata 1883 root 3u IPv4 0x300027b3ce8 0t0 TCP *:login (LISTEN)


Defense Exhibit 8

grep sqldata lsof.out (output from lsof)

sqldata 1883 root cwd VDIR 136,0 1024 2 /
sqldata 1883 root txt VREG 136,3 260056 179239 /opt/local/sql//@//sqldata
sqldata 1883 root txt VREG 136,0 866316 442080 /usr/lib/libc.so.1
sqldata 1883 root txt VREG 136,0 16768 377621 /usr/platform/sun4u/lib/libc_psr.so.1
sqldata 1883 root txt VREG 136,0 743856 442131 /usr/lib/libnsl.so.1
sqldata 1883 root txt VREG 136,0 21676 441751 /usr/lib/libmp.so.2
sqldata 1883 root txt VREG 136,0 316436 442151 /usr/lib/libresolv.so.2
sqldata 1883 root txt VREG 136,0 58504 441775 /usr/lib/libsocket.so.1
sqldata 1883 root txt VREG 136,0 60352 441864 /usr/lib/libz.so.1
sqldata 1883 root txt VREG 136,0 3984 441719 /usr/lib/libdl.so.1
sqldata 1883 root txt VREG 136,0 192000 441610 /usr/lib/ld.so.1
sqldata 1883 root 0u VCHR 13,2 0t0 268835 /devices/pseudo/mm@0:null
sqldata 1883 root 1u VCHR 13,2 0t0 268835 /devices/pseudo/mm@0:null
sqldata 1883 root 2u VCHR 13,2 0t0 268835 /devices/pseudo/mm@0:null
sqldata 1883 root 3u IPv4 0x300027b3ce8 0t0 TCP *:login (LISTEN)


Defense Exhibit 9

Output of ps -ef command

root 376 1 0 Jul 17 ? 0:02 /usr/sbin/vold
root 331 1 0 Jul 17 ? 0:00 /usr/dt/bin/dtlogin -daemon
root 392 331 0 Jul 17 ? 1:00 /usr/openwin/bin/Xsun :0 -nobanner -auth /var/dt/A:0-KoayPa
root 389 1 0 Jul 17 console 0:00 /usr/lib/saf/ttymon -g -h -p belar console login: -T sun -d /dev/console -l co
root 385 1 0 Jul 17 ? 0:00 /opt/SUNWspci2/bin/sunpcid
root 393 363 0 Jul 17 ? 21:45 mibiisa -r -p 32796
root 394 331 0 Jul 17 ? 0:00 /usr/dt/bin/dtlogin -daemon
root 395 331 0 Jul 17 ? 0:06 /usr/openwin/bin/fbconsole -d :0
root 396 1 0 Jul 17 ? 0:00 /usr/lib/ssh/sshd
root 2206 202 1 19:32:29 ? 0:00 in.telnetd
root 411 1 0 Jul 17 ? 0:00 devfsadmd
root 412 1 0 Jul 17 ? 0:03 /usr/sbin/in.named
root 2210 203 1 19:32:32 ? 0:00 rquotad
martin 2208 2206 1 19:32:29 pts/2 0:01 -ksh
root 2214 2208 0 19:32:35 pts/2 0:00 sh
root 2217 2214 0 19:32:47 pts/2 0:00 ps -ef
root 1883 1 0 21:00:01 ? 0:00 /usr/sbin/vold


Defense Exhibit 10

# find / -print | grep sqldata
/opt/local/sql/sqldata
# ls -l /opt/local/sql/sqldata
-rw-r--r-- 1 sql other 7 Jul 23 20:36 sqldata
# ls -la
total 20
drwxr-xr-x 2 sql other 512 Jul 23 23:36 .
drwxr-xr-x 21 sql other 512 Jul 23 20:34 ..
-rw------- 1 sql 1000 58 Jul 23 23:36 .sh_history
-r-xr-xr-x 1 sql other 6104 Jul 23 20:36 sqlclean
-rw-r--r-- 1 sql other 7 Jul 23 20:36 sqldata
# ls -a@
total 20
drwxr-xr-x@ 2 sql other 512 Jul 23 23:36 .
drwxr-xr-x 21 sql other 512 Jul 23 20:34 ..
-rw------- 1 sql 1000 58 Jul 23 23:36 .sh_history
-r-xr-xr-x 1 sql other 6104 Jul 23 20:36 sqlclean
-rw-r--r-- 1 sql other 7 Jul 23 20:36 sqldata


Defense Exhibit 11

# ls -l /var/spool/cron/crontabs/sql
-r-------- 1 root sql 57 Feb 27 11:00 /var/spool/cron/crontabs/sql
# cat /var/spool/cron/crontabs/sql
0 * * * * /usr/local/sql/sqlclean /usr/local/sql sqldata


Defense Exhibit 12

# /usr/local/bin/md5 /opt/local/sql/sqlclean > /tmp/a
# /usr/local/bin/sfpC.pl /tmp/a
12ccde4d0f971f56f372e5e5466a848f - /opt/local/sql/sqlclean - 1 match(es)
canonical-path: /usr/bin/runat
package: SUNWcsu
version: 11.9.0,REV=2002.04.06.15.27
architecture: sparc
source: Solaris 9/SPARC


Defense Exhibit 13

# man runat

NAME
runat - execute command in extended attribute name space

SYNOPSIS
/usr/bin/runat file [command]

DESCRIPTION
The runat utility is used to execute shell commands in a file's hidden attribute directory. Effectively, this utility changes the current working directory to be the hidden attribute directory associated with the file argument and then executes the specified command in the bourne shell (/bin/sh). If no command argument is provided, an interactive shell is spawned. The environment variable $SHELL defines the shell to be spawned. If this variable is undefined, the default shell, /bin/sh, is used.

The file argument can be any file, including a directory, that can support extended attributes. It is not necessary that this file have any attributes (or be prepared in any way) before invoking the runat command.


Defense Exhibit 14

# runat /opt/local/sql ls -l
total 528
---s--x--x 1 root other 260056 Jul 23 20:35 sqldata
#


Defense Exhibit 15

# strings core.1883 | grep rlogin
.rlogin
rlogind: %s: %s.
rlogind: %s.
usage: rlogind [options]
# strings core.1883 | grep vold
/usr/sbin/vold
# runat /opt/local/sql strings sqldata | grep vold
/usr/sbin/vold
# runat /opt/local/sql strings sqldata | grep rlogin
.rlogin
rlogind: %s: %s.
rlogind: %s.
usage: rlogind [options]
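Exhibits 4 through 15 are a hand-run correlation: a listening port whose /etc/services name ("login") sits far from that service's well-known number, an lsof executable path that passes through an extended-attribute namespace ("//@//"), and a PID that lsof names sqldata while ps -ef shows it as /usr/sbin/vold. The script below is an added example, not part of the Hacker Court materials, that automates those three checks. Its netstat, /etc/services, lsof and ps excerpts are constructed from values in the exhibits, trimmed to a few lines each and padded with a benign sshd row as a control; the KNOWN_PORTS table is an assumption made for the example.

```python
"""Correlate netstat, /etc/services, lsof and ps output to spot a disguised listener.
Added example, not part of the Hacker Court exhibits: the sample lines below are
constructed from values in Defense Exhibits 4, 6, 7, 8 and 9, cut down to a few each."""
import re

# Constructed excerpt of `netstat -an | grep LISTEN` (Solaris layout).
NETSTAT = """\
*.22 *.* 0 0 49152 0 LISTEN
*.2049 *.* 0 0 49152 0 LISTEN
*.33003 *.* 0 0 49152 0 LISTEN
"""

# Constructed /etc/services excerpt; the second "login" line mirrors Exhibit 6.
SERVICES = """\
ssh 22/tcp
login 513/tcp
nfsd 2049/tcp
login 33003/tcp
"""

# Constructed lsof excerpt: COMMAND is the exec'd file name, txt rows the mapped files.
LSOF = """\
sqldata 1883 root txt VREG 136,3 260056 179239 /opt/local/sql//@//sqldata
sqldata 1883 root 3u IPv4 0x300027b3ce8 0t0 TCP *:login (LISTEN)
sshd 396 root txt VREG 136,0 300000 441000 /usr/lib/ssh/sshd
sshd 396 root 3u IPv4 0x300027b3000 0t0 TCP *:ssh (LISTEN)
"""

# Constructed `ps -ef` excerpt: CMD is argv[0], which the process chose itself.
PS = """\
root 396 1 0 Jul 17 ? 0:00 /usr/lib/ssh/sshd
root 1883 1 0 21:00:01 ? 0:00 /usr/sbin/vold
"""

# Well-known ports for a few easily impersonated names (assumption for the example).
KNOWN_PORTS = {"ssh": 22, "login": 513, "shell": 514, "nfsd": 2049}


def parse_services(text):
    """Map each TCP service name to the set of ports /etc/services assigns it."""
    names = {}
    for line in text.splitlines():
        m = re.match(r"(\S+)\s+(\d+)/tcp\b", line)
        if m:
            names.setdefault(m.group(1), set()).add(int(m.group(2)))
    return names


def parse_netstat_ports(text):
    """Collect local ports in LISTEN state from netstat -an output."""
    ports = set()
    for line in text.splitlines():
        m = re.match(r"\*\.(\d+)\s.*\sLISTEN$", line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def parse_lsof(text):
    """Group lsof rows by PID: exec name, mapped txt paths, listening service names."""
    procs = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 9:
            continue
        info = procs.setdefault(int(f[1]), {"comm": f[0], "txt": [], "listen": []})
        if f[3] == "txt":
            info["txt"].append(f[-1])
        elif f[-1] == "(LISTEN)":
            info["listen"].append(f[-2].split(":")[-1])
    return procs


def parse_ps(text):
    """Map PID to the CMD column of ps -ef; STIME may be one or two tokens."""
    cmds = {}
    for line in text.splitlines():
        m = re.match(r"^\S+\s+(\d+)\s+\d+\s+\d+\s.*?\s\d+:\d\d\s+(.*)$", line)
        if m:
            cmds[int(m.group(1))] = m.group(2)
    return cmds


def find_anomalies(netstat=NETSTAT, services=SERVICES, lsof=LSOF, ps=PS):
    """Return (kind, port_or_pid, detail) tuples for the three tells in the exhibits."""
    findings = []
    listening = parse_netstat_ports(netstat)
    # (a) A well-known service name bound to an unexpected port that is listening.
    for name, ports in parse_services(services).items():
        for port in sorted(ports):
            if port in listening and name in KNOWN_PORTS and port != KNOWN_PORTS[name]:
                findings.append(("odd_service_port", port, f"{name} at {port}, expected {KNOWN_PORTS[name]}"))
    procs, cmds = parse_lsof(lsof), parse_ps(ps)
    for pid, info in sorted(procs.items()):
        # (b) Executable mapped from an extended-attribute namespace ("/@/" in the path).
        for path in info["txt"]:
            if "/@/" in re.sub(r"/+", "/", path):
                findings.append(("xattr_exe", pid, path))
        # (c) lsof's exec name disagrees with the command name ps reports.
        cmd = cmds.get(pid)
        if cmd and cmd.split()[0].rsplit("/", 1)[-1] != info["comm"]:
            findings.append(("name_mismatch", pid, f"lsof says {info['comm']}, ps says {cmd}"))
    return findings


if __name__ == "__main__":
    for kind, key, detail in find_anomalies():
        print(f"{kind:17} {key:>6}  {detail}")
```

Run stand-alone it prints one line per finding: port 33003 carrying the name login, PID 1883 mapped from /opt/local/sql/@/sqldata, and PID 1883 named sqldata by lsof but /usr/sbin/vold by ps. The third check works because lsof reports the name of the file that was executed while ps -ef prints the argument vector the process was started with, so a binary that is launched under a borrowed argv[0] cannot satisfy both at once. On a live host the same logic would be fed from the real commands and the hit followed up with runat, as Exhibit 14 does.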


Defense Witness 2

Brian Martin is the defendant and is not required to take the stand, but has the right to do so if he chooses. His attorney should discourage him from doing so, since the judge can add extra points to his sentence for perjury and obstruction of justice, if he is found guilty.


Prosecution Closing Statements

Prosecutor Kevin Bankston will summarize the key points and evidence presented to persuade the jury that Senator Gasm is guilty beyond any reasonable doubt.


Defense Closing Statements

Attorney Paul Ohm will summarize the Defense key points to refute the prosecution.


Jury Instructions

The Honorable Judge Richard Salgado will present the jury with their responsibilities on determining guilt or innocence of Senator Gasm.


Panel Discussion

Audience Questions