A Case Study in How Hackers Penetrate Network Infrastructures
Laura Chappell — one of the world’s leading authorities on network protocols and analysis — shared an interesting experience about hacking that she had when assessing a customer’s network. This may help you identify some poor practices in your own company.
A customer called Ms. Chappell with a routine “the network is slow” problem. Upon Ms. Chappell’s arrival onsite, the customer mentioned sporadic outages and poor performance when connecting to the Internet.
First, Ms. Chappell examined individual flows between various clients and servers. Localized communications appeared normal, but any communication that flowed through the firewall to the Internet or other branch offices was severely delayed. Ms. Chappell sniffed the traffic going through the firewall to see whether she could isolate the cause of the delay.
A quick review of the traffic crossing the firewall indicated that the outside links were saturated, so Ms. Chappell needed to review and classify the traffic. She plugged in the network analyzer to examine the protocol distribution and saw that almost 45 percent of the traffic was listed as “others” and was unrecognizable.
Laura captured some data and found several references to pornographic images. Further examination of the packets led her to two specific port numbers that appeared consistently in the trace files — ports 1214 (Kazaa) and 6346 (Gnutella), two peer-to-peer (P2P) file-sharing applications. Ms. Chappell did a complete port scan of the network to see what was running and found more than 30 systems running either Kazaa or Gnutella.
Their file transfer processes were eating up the bandwidth and dragging down all communications. Shutting down these systems and removing the applications would have been simple, but Laura wanted to investigate them further without the users’ knowledge.
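The triage described above (protocol distribution, then a breakdown of the “others” bucket by port, then a list of the internal hosts involved) can be reproduced over exported flow records. The following is an added example, not code from the case study or from Ms. Chappell; the flow records, addresses, and function names are constructed for illustration, and only ports 1214 and 6346 come from the text.

```python
from collections import defaultdict

# Ports 1214 and 6346 are the ones named in the case study; the rest are ordinary well-known ports.
P2P_PORTS = {1214: "Kazaa", 6346: "Gnutella"}
KNOWN_PORTS = {80: "HTTP", 443: "HTTPS", 25: "SMTP", 53: "DNS"}

# Constructed sample flows: (internal_host, remote_host, remote_port, bytes).
SAMPLE_FLOWS = [
    ("10.0.1.15", "198.51.100.7", 80, 1_500_000),
    ("10.0.1.15", "203.0.113.9", 1214, 900_000),
    ("10.0.1.22", "203.0.113.40", 6346, 650_000),
    ("10.0.1.22", "198.51.100.7", 443, 1_000_000),
    ("10.0.1.30", "192.0.2.25", 25, 200_000),
    ("10.0.1.41", "203.0.113.77", 1214, 400_000),
    ("10.0.1.41", "203.0.113.78", 6346, 300_000),
    ("10.0.1.50", "192.0.2.53", 53, 50_000),
]

def protocol_distribution(flows):
    """Return {label: percent of total bytes}; unrecognized ports fall under 'others'."""
    totals = defaultdict(int)
    for _host, _remote, port, nbytes in flows:
        totals[KNOWN_PORTS.get(port, "others")] += nbytes
    grand = sum(totals.values())
    return {k: round(100 * v / grand, 1) for k, v in totals.items()} if grand else {}

def breakdown_others(flows):
    """Rank the ports hiding inside 'others' by bytes; this is the step that surfaces 1214 and 6346."""
    per_port = defaultdict(int)
    for _host, _remote, port, nbytes in flows:
        if port not in KNOWN_PORTS:
            per_port[port] += nbytes
    return sorted(per_port.items(), key=lambda kv: kv[1], reverse=True)

def p2p_hosts(flows):
    """Map each internal host to the P2P applications seen on its flows."""
    hosts = defaultdict(set)
    for host, _remote, port, _nbytes in flows:
        if port in P2P_PORTS:
            hosts[host].add(P2P_PORTS[port])
    return {h: sorted(apps) for h, apps in sorted(hosts.items())}

if __name__ == "__main__":
    print(protocol_distribution(SAMPLE_FLOWS))
    print(breakdown_others(SAMPLE_FLOWS))
    print(p2p_hosts(SAMPLE_FLOWS))
```

Matching on port number alone is a first-pass heuristic, since P2P clients can be configured to use other ports; a large “others” share is the signal to keep digging.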
Ms. Chappell decided to use her own Kazaa and Gnutella clients to look through the shared folders of the systems. By becoming a peer member with the other hosts on the network, Ms. Chappell could perform searches through other shared folders, which indicated some of the users had shared their network directories.
Through these shared folders, Ms. Chappell obtained the corporate personnel roster, including home phone numbers and addresses, accounting records, and several confidential memos that provided timelines for projects at the company.
Many users said they shared these folders to regain access to the P2P network because they had been labeled freeloaders — their shares contained only a few files. They were under the delusion that because no one outside the company knew the filenames contained in the network directories, a search wouldn’t come up with matching values, and no one would download those files.
Although this onsite visit started with a standard performance and communication review, it ended with the detection of some huge security breaches in the company. Anyone could have used these P2P tools to get onto the network and grab the files in the shared folders — with no authorization or authentication required.
Laura Chappell is Senior Protocol Analyst at the Protocol Analysis Institute, LLC. A best-selling author and lecturer, Ms. Chappell has trained thousands of network administrators, security technicians, and law enforcement personnel on packet-level security, troubleshooting, and optimization techniques. You should check out her website for some excellent technical content that can help you become a better ethical hacker.