The dangers of a flat network - or how I tracked the mob boss...

Some time ago, while I was helping a law enforcement agency track a wanted mob boss, I came across the computer of one of his trusted people. He and I were connected to the same insecure wireless network at a cafe. After some scanning and running several little exploits I managed to get a shell on his Windows XP machine.

Putting aside the fact that his XP wasn't updated and that XP is the easiest Windows to penetrate, he didn't have any firewall, antivirus or any other security program on his laptop. Initially I thought the laptop was one of those burn computers (use once and discard), so I was hesitant to leave any backdoor there; however, he was the only lead we had to the boss. I installed a little backdoor.

The backdoor program would try to connect to a server I had ready. It would just send an "I'm alive" signal via an HTTP GET injected into any application connected to the internet, as soon as the laptop connected to a new network (different from the one we were both on at that moment). The idea was to piggyback on an app that was already connected and remain hidden that way.

I wasn't sure it would work because the more I searched the laptop, the more I thought this was a burn computer. My hope, though, was that this guy would eventually connect to a network where either the boss was connected or where we could find data belonging to the organization; maybe that last part would help us find the boss.

For several weeks my listening program didn't get any signals. Then, just as I was about to shut down the server, I got one.

The IP seemed to be an internal IP. Good. The external IP was from a country where we thought the boss operated from. Great. I fired up the command module and requested that my backdoor app return a shell. A few seconds later I had the standard Windows XP cmd prompt in front of me. I sent a file to the backdoor so it would be installed on the host. This file was a little worm that could crawl NETBIOS shares, open FTPs, NULL sessions and other things, searching for files: Word documents, text files, zip files, Outlook email databases, etc.
I sent the run command, and while it started the search, I began my own recon of the network.

Quick runs of net, route and other command line tools gave me a lot of info about the network I was in. I mounted several computers and started moving to other systems. After a while I realized that the whole network seemed to be flat: no segmentation, and each computer could essentially access any other device connected to it. That was great news.

The next day I connected again, this time through another computer. As soon as I was able to move to another system I installed the backdoor there. Redundancy and persistence. If the guy I originally penetrated wasn't connected anymore (and there was a big chance of that), I still wanted access to the network. I sent a command to my crawler and it, in turn, sent back the documents it had collected. There were several good ones that I passed to the intel guys at the law enforcement agency. Having a flat network made my worm work faster. Thank you, mafia guys!

One of the emails extracted from the Outlook database of one of the computers mentioned that the boss was going to call and have a little conference call with some of the bad guys. Great!
We didn't know who was going to be in that conference call or which of the 6 computers found (plus 3 servers) were in the rooms where the call was being made.

Well, since I was getting paid to be creative, this is what I did:

I had code that could activate the mic on laptops. This isn't hard if you know the right APIs, and Windows has plenty of well-documented as well as undocumented APIs to control pretty much anything. I now needed to get a little app up and running that could open the mic, record whatever anyone was saying and send it back to me. Not easy, but not hard either. I had a little over 36 hours until the supposed conference call.
27 hours and a LOT of caffeine later I had a nasty little piece of code that would do the trick. I uploaded it to the network and manually installed it on all the computers. Flat network, thank you very much.

Now, I didn't know which of those computers were laptops or which had microphones; however, I had a "listener" program ready to receive any recordings made by my code. The recordings were sent as HTTPS POST requests via an injection.

I set them all to start recording (if a mic was present) at the time of the conference call. Then I waited.

In the meantime one of the law enforcement officers arrived together with one of his hackers. I explained what I had done and they were both excited. We all waited. More coffee.

At the time of the conference call we all started looking at the listener screen.

And we started getting chatter.

For about 20 minutes we received data. The listener was saving the data as an mp3 stream for each data pool being sent. After we saw that no data had come in for a while, I closed the connection. I opened my mp3 player and we played the first file. Nothing. Just someone typing and cursing. I opened the 2nd and there it was: one of the bad guys talking to the boss. I gave those files to the law enforcement people and told them to call me if they needed me to go search for more info.

A couple of weeks later, they called me to congratulate me. In that second file the person named the location where he and the boss would meet. The good guys went in and grabbed not only the boss but a bunch of his people as well.

What did we learn from this? Flat networks are bad. Don't do it.
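As an added illustration of that lesson (example code, not part of the original post and not something the author describes doing), here is the host-firewall posture a flat network amounts to, next to a hardened one that blocks workstation-to-workstation SMB/RPC while still allowing the file server and a jump host, plus the check that tells you whether lateral access is still open. It assumes a modern Windows host (Windows 8/Server 2012 or later, which ship the NetSecurity cmdlets) rather than the XP machines in the story; the subnets, addresses and hostname are made up.

```powershell
# Added example, not from the original post. Assumes Windows 8/Server 2012 or
# later (NetSecurity module). Every address, subnet and hostname below is made up.

# --- The "flat network" posture the story describes: every host accepts
#     inbound connections, so anyone with one foothold can reach everything.
#     Shown only to contrast with the rules that follow; do not leave it like this.
Set-NetFirewallProfile -Profile Domain,Private -DefaultInboundAction Allow

# --- Hardened posture for a workstation ---
# 1. Default-deny inbound on every profile.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 2. Explicitly block the classic lateral-movement ports (RPC 135, NetBIOS 139,
#    SMB 445) from the workstation subnet. Assumed subnet: 10.0.10.0/24.
New-NetFirewallRule -DisplayName "Block lateral SMB/RPC from workstations" `
    -Direction Inbound -Protocol TCP -LocalPort 135,139,445 `
    -RemoteAddress 10.0.10.0/24 -Action Block -Profile Domain,Private

# 3. Allow SMB only from the file server and the management jump host.
#    Windows Firewall evaluates block rules before allow rules, so these
#    addresses must sit outside the blocked range for the allow to take effect.
#    Assumed addresses: file server 10.0.20.5, jump host 10.0.30.10.
New-NetFirewallRule -DisplayName "Allow SMB from file server and jump host" `
    -Direction Inbound -Protocol TCP -LocalPort 445 `
    -RemoteAddress 10.0.20.5,10.0.30.10 -Action Allow -Profile Domain,Private

# --- The check: from one workstation, try another workstation's SMB port.
#     Assumed peer hostname. After the rules above, TcpTestSucceeded should be False;
#     if it is True, the workstation-to-workstation path is still open.
Test-NetConnection -ComputerName ws-02.corp.example -Port 445 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

A host firewall like this is a compensating control on each machine; the real fix for a flat network is segmentation at the switch or firewall level (VLANs with ACLs between workstation, server and management segments), so that a foothold on one laptop does not translate into reachability to every share, mailbox and microphone in the building. Run the reachability check from several hosts, not just one, since a single rule set applied unevenly leaves exactly the gaps a crawler like the one in the story will find.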