Security

Attack Of The Dreamcasts 451

kevin_conaway writes "A pair of coders are now suggesting that it is possible, with a modified Dreamcast system running Linux, to sneak into an office building and stick it on a network drop and leave. The Dreamcast will then probe for ways to connect to the outside world. They say they have created similar software for iPAQs and special bootable CD-ROMs for print servers and similar boxes. Just a reminder that our networks need to be as secure on the inside as they should be on the outside. Get the story here."
  • Even scarier (Score:4, Interesting)

    by crumbz ( 41803 ) <[<remove_spam>ju ... spam>gmail.com]> on Thursday August 01, 2002 @12:47PM (#3992975) Homepage
    Is when someone hacks an iPod to do this. You could hide it in a wall and have an IEEE-1394 to 10base-T adapter with a cat-5 cable right into a patch panel in the wiring closet labeled D-103...

  • What about WAPs? (Score:2, Interesting)

    by Kakarat ( 595386 ) on Thursday August 01, 2002 @12:57PM (#3993086)
    The same thing could be done with wireless access points. In fact, it would be easier since with little or no experience, someone could walk in, find an open drop, plug in the WAP, and leave. Granted that the range is not worldwide, but you can get the same results. In some situations you don't even have to enter the building to set one up. Just leave that up to some ignorant employee.

  • Did it. (Score:5, Interesting)

    by Skyshadow ( 508 ) on Thursday August 01, 2002 @01:04PM (#3993142) Homepage
    Back when I was in high school (1994 or '95), we put together a small 386 -- no case, no nothin' -- with a NIC and stashed it above the library computer lab. This was pretty much just to see if we could, which as I think about it seems like the reasoning behind most of what I did in high school. Well, at least the things I did in high school that didn't involve girls.

    We used it to run a dump of all the packets on the network and get pretty much all the passwords used by anyone. We printed out a copy and sent it to the bozo they had in charge of IT, and he called in a mess of expensive consultants to reload everything on the network.

    Of course, they didn't fix the basic problem or find our little friend. For all I know it's still running up above the ol' drop ceiling -- we were too chicken to try and retrieve it. Of course, this was a private school, so the real joke was on us (the clue -- consultants were being paid for by our own stupid selves).

  • by Anonymous Coward on Thursday August 01, 2002 @01:12PM (#3993221)
    Near where I live there is this giant uber arcade called Playdium. Instead of using coins or tokens in the machines to get credits you swipe a little plastic card with a barcode on it through a reader. This reader in turn is hooked up to a solid-state machine running MSDOS which then contacts a MS SQL server to see if there is enough credit on the card and if there is it sends an authorization to the machine.

    One day we decided that we wanted to get free video games. After scoping the place out we discovered that all the 10baseT ports that the video games plugged into were in fact patched into a 3com 3300 switch and were active. The network designers I guess figured it would be easier to activate all the ports instead of making some video game tech figure out how to patch stuff in.

    We brought in a laptop with a long cat5 cable and looked for a place to plug it in where we wouldn't be noticed. Jurassic Park 3 has this little thing you sit in and close the blinds so the ambient light would stay out. It would do nicely.

    We watched what we could with different packet sniffers (we were also very paranoid of getting busted) and were able to bring up the switch's web management system. We discovered that the video games use DHCP to get an address in the 10.10.x.x subnet and the video games also seem to contact a master server for configuration information, i.e. how much does this game cost. By this time we had been sitting in Jurassic Park 3 for 2 hours and were getting REALLY paranoid. So we decided to try something malicious. We arp-spoofed/flooded everything we could see. An interesting thing happened. When the game control units can no longer talk to their master server, they go into 'free' mode. I guess this is in case there is a network failure. They'd rather lose a bit of money than piss off 100s of people. While our little program ran, every game in the place became free. So I thought to myself, why not just unplug the Cat5 cable for a game to make it free. That doesn't seem to work. I think this is because it needs to detect a link before it will go to free mode. Anyhoo, I guess the moral of this story is to have some kind of port security on your network ports in your business. or something :)
  • by homer_ca ( 144738 ) on Thursday August 01, 2002 @01:14PM (#3993233)
    Any networkable device that's easily programmed could do the same thing. They say the Dreamcast is cheap enough to be disposable since you wouldn't be going back to retrieve the probe. Only problem with this plan is that while Dreamcasts are plentiful and cheap, the ethernet adapter is rare and expensive (over $100 on eBay). Might as well go dumpster diving to find some 486 laptops.
  • by pete-classic ( 75983 ) <hutnick@gmail.com> on Thursday August 01, 2002 @01:15PM (#3993245) Homepage Journal
    to just burn a CDR that boots Linux and does all the same stuff on a PC with any of the top X ethernet cards? Set it up to stubbornly ignore all keyboard input and never display anything on the screen. Write "coaster" on it with a black magic marker, drop it in some currently unused PC and hit power/reset and haul ass. Do it at 4:50 PM on a Friday and you'll probably have until 9:00 AM on Monday to own some other box on a more permanent basis.

    Hell, you might be able to modify a tomsrtbt to do this and wipe (or dd if=/dev/zero of=/dev/fd0; dd if=/dev/urandom of=/dev/fd0) the diskette once the ramdisk is loaded.

    IOW, this whole thing strikes me as more of a "stunt" than a "hack."

    -Peter
  • by Anonvmous Coward ( 589068 ) on Thursday August 01, 2002 @01:24PM (#3993319)
    " I mean, wouldn't a Dreamcast plugged into the company network be a bit more suspicious than a computer?"

    At a game company?

    Actually though, at my company (not a game company) I could probably bring a Dreamcast in and get it on the network without anybody really noticing. If I disable the LED on it, I'm pretty sure most of the people here (even those that have a Dreamcast and play it) wouldn't consider looking to see if it was network connected or not.

    There are advantages to keeping your desk cluttered like I do. ;)
  • by pauly_thumbs ( 416028 ) on Thursday August 01, 2002 @01:30PM (#3993368)
    How is this different from throwing a boot floppy into an unattended machine that loads an OS and scripts to do whatever it is said intruder wants to do?

    Security is only as good as your vigilance and your Doorman!

    Do you _Know_ everyone in your office?

    This is where your social skills or lack thereof can be either an asset or a detriment.

    Introduce yourself around Sysadmins... find out who those mysterious personnel are... Heck, you might just make some friends!
  • by dstone ( 191334 ) on Thursday August 01, 2002 @01:34PM (#3993395) Homepage
    Take a look at the Dallas Semiconductor TINI. It's a Java runtime environment on a 72-pin SIMM, complete with ethernet, serial, I2C, parallel IO, battery up to 1 meg of NVRAM, filesystem emulated in RAM, etc, etc. You can write web or ftp services for it in a few lines of Java, thanks to the supplied classes. You develop your Java code on your PC, compile it to Java bytecode, and then FTP it up to the little TINI device. My description is not doing this hardware justice, so I'll leave some links below.

    Anyways, my point is this type of device is probably easier to program than a Linux Dreamcast. It may or may not be cheaper (sub-$100). And it's a lot easier to hide, if that's the goal. I've programmed a handful of hobby projects with this board, and it's really quite amazing for the price. (Compared to trying to implement a TCP/IP stack on a PIC microcontroller, say.)

    TINI hardware [ibutton.com]
    TINI [ibutton.com]
    TINI board resource center [junun.org]
    more resources [apms.com.au]
    DalSemi discussions [dalsemi.com]
  • Social Engineering (Score:2, Interesting)

    by Erwos ( 553607 ) on Thursday August 01, 2002 @01:42PM (#3993437)
    It strikes me that people have generally ignored a very valuable tool of hacking: social engineering. Kevin Mitnick proved its prowess, and we've all heard of him, no? A DC is technically feasible, but falls short on the social engineering front.

    So, I propose that instead of using a relatively conspicuous DC, or even a laptop, you buy a TINI computer:
    http://www.ibutton.com/TINI/hardware/index.html
    And then modify it into an old Cisco plastic shell. Write something like, "Cisco Network Load Balancer" or something (in a believable fashion), slap it in as close to the server room as you can.

    The issue here is not "can I crack people's networks from the inside?" but, rather, "can I _keep_ cracking the network for more than a couple weeks?" You think to look at a laptop or DC for a network spy, but who bothers to look at some random piece of Cisco hardware in a corner? I'd say the risk of discovery becomes far lower - and with TINI, you could theoretically put together a "button" that would wipe the contents of the device if it was moved.

    Just an idea.

    -Erwos
  • by dstone ( 191334 ) on Thursday August 01, 2002 @01:58PM (#3993561) Homepage
    Don't waste your Dreamcast! If you have physical access to the building, desks, etc, then why not just jam in a bootable floppy and reboot an unattended machine to:
    1) port and service scan
    2) send out results via http/ftp/ping/email/etc
    3) wipe the floppy clean
    4) write an innocuous text or word document on the floppy
    5) reboot the workstation again

    This leaves nearly zero physical evidence that there was an intrusion. Just an abandoned floppy and a rebooted machine.

    Sure, you _might_ get past building security with a video game console in your bag. But I guarantee you'll get in with a floppy. And would you rather be caught plugging a floppy into a workstation or a video game console into the network?

    And you'll still have your Dreamcast at home, running DCMAME!
  • Thought of doing it (Score:2, Interesting)

    by swb ( 14022 ) on Thursday August 01, 2002 @02:24PM (#3993784)
    I've often thought of doing this myself where I get paid to work, not so much to sniff passwords but to have a little back door should I decide to leave. It'd be trivial to stash a laptop or other device in a little-used ceiling space and run a drop directly to a patch panel.

    More challenging would be setting up a way to get the machine to periodically reconfigure itself to get out of the office network and establish a tunnel to the outside that could be used to get back inside.

    The way that occurs to me is to have it load a public web page periodically and parse out the destination IP and then have the "automaton" search for ways out of the network to a destination host set to listen for tunnel attempts from the automaton.

    I'd imagine you'd have to come up with really clever ways to get out of heavily firewalled/proxied business networks, some really don't allow any random end nodes to get unfiltered/proxied packets out of the network. Best way would be to tap into a fax line and have the machine periodically dial out, leaving a more clever human to fix any dedicated network tunnel.

    I'm not sure what I'd *do* with a host if I had one, though.
  • by snookerdoodle ( 123851 ) on Thursday August 01, 2002 @03:32PM (#3994270)
    Not only this, but two recommended practices (and EVERYONE does this, right? ;-) would stop it from doing anything:

    1 - don't light up unused ports
    2 - use switches instead of hubs and there'll be nothing to sniff...

    Mark
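
Added example, not part of the original thread or written by any of its posters: a small audit for the open-drop and port-security points raised in the comments above. It compares a per-port switch snapshot against an inventory and flags active ports documented as unused, unexpected MAC addresses, and several MACs behind one access port (as a hub or access point would produce). The snapshot format, the inventory and every address are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: per-port snapshot as "port,link,mac" rows.
# The format is an assumption for this example, not a real switch export.
SNAPSHOT = """\
port,link,mac
1,up,00:11:22:33:44:01
2,up,00:11:22:33:44:02
3,down,
4,up,00:d0:f1:aa:bb:cc
5,up,00:11:22:33:44:05
5,up,00:0a:0b:0c:0d:0e
6,up,00:11:22:33:44:99
"""

# Constructed inventory: port -> MAC expected there; None = documented unused.
INVENTORY = {
    "1": "00:11:22:33:44:01", "2": "00:11:22:33:44:02", "3": None,
    "4": None, "5": "00:11:22:33:44:05", "6": "00:11:22:33:44:06",
}

def audit_ports(snapshot_text, inventory):
    """Return (port, finding, macs) tuples for ports that deviate from inventory."""
    seen = defaultdict(set)      # port -> MAC addresses learned on it
    link_up = set()              # ports reporting link
    for row in csv.DictReader(io.StringIO(snapshot_text)):
        port = row["port"].strip()
        if row["link"].strip().lower() == "up":
            link_up.add(port)
        mac = (row["mac"] or "").strip().lower()
        if mac:
            seen[port].add(mac)
    findings = []
    for port in sorted(link_up | set(seen)):
        macs = seen.get(port, set())
        detail = ",".join(sorted(macs))
        if port not in inventory:
            findings.append((port, "unknown-port", detail))
        elif inventory[port] is None:
            # A drop that should be dark has link or has learned a MAC.
            findings.append((port, "unused-port-active", detail))
        else:
            extra = macs - {inventory[port].lower()}
            if extra:
                findings.append((port, "unexpected-mac", ",".join(sorted(extra))))
            if len(macs) > 1:
                findings.append((port, "multiple-macs", detail))
    return findings
```
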
  • by Anonymous Coward on Thursday August 01, 2002 @04:19PM (#3994640)
    one: I'm sure that there is a statute of limitations on this. After all it was done in 1994 (8 years ago) and the school knew about it.

    two: chances are he did it as a minor.

    three: the laws on computer crimes in '95 weren't as draconian as they are now. He would be held to the laws of '95. (at least in the US that is)

    OTOH: anyone doing that now ...
