The dangers of a flat network - or how I tracked the mob boss...

Some time ago, while I was helping a law enforcement agency track a wanted mobter boss, I came across one of his trusted people's computer. He and I were connected to the same insecure wireless at a cafe. After some scanning and running several little exploits I managed to get a shell to his Windows XP machine.

Initially I thought the laptop was one of those burn computers: use once and discard, so I was hesitant to leave there any backdoor, however he was the only lead we had to the boss so I installed one.

The backdoor would try to connect to a server I had ready and send an "I'm alive" signal via an HTTP GET that was injected into any application connected to the internet. The idea was to utilize the app already connected as a conduit and try to remain hidden like that.

I wasn't sure if it would work because the more I searched the laptop, the more I thought this was a burn computer. My hope, though, was that this guy would eventually connect to a network where either the boss was connected or that we could find data belonging to the organization; maybe this last part would help us find the boss.

For several weeks my listening server didn't get any signals. Then, when I was about to shut down the server, I had one.

The IP seemed to be an internal IP. Good. The external IP was from a country where we thought the boss operated from. Great. I fired up the command module in the backdoor and I requested a shell. A few seconds later I had the standard Windows XP CMD prompt in front of me. I sent a file to the backdoor so it would be installed at the host. This file was a little worm that can crawl NETBIOS shares, open FTPs, NULL sessions and other things and search for files: word documents, text files, zip files, outlook email databases, etc.
I sent the run command and while it started the search, I began my own recon of the network.

A quick net, route, and other command line tools gave me a lot of info about the network I was in. I mounted several computers and starting moving to other systems. After a while I realized that the whole network seemed to be flat: no segmentation and each computer essentially can access any other device connected. That was great news.

The next day I connected again, this time through another computer. As soon as I was able to move to another system I installed the backdoor there. Redundancy and persistance. If the guy I penetrated originally wasn't connected anymore (and there was a big chance of this), I still wanted access to the network. I sent a command to my crawler and it, in turn, sent the documents collected. There were several good ones that I passed to the intel guys at the law enforcement agency. Having a flat network made my worm work faster.

One of the emails extracted out of the Outlook database of one of the computers, mentioned that the boss was going to call and have a little conference call with some of the bad guys. Great!
We didn't know who was going to be in that conference call or which of the 6 computers found (plus 3 servers) were on the rooms where the call was being made.

Well, since I was getting payed to be creative, this is what I did:

I had code that could activate the mike on the laptops. This isn't hard to do if you know the right APIs. I needed to get now a little app up and running that can open the mike, record whatever it is anyone is saying and send it back to me (I could also send a live streaming via the backdoor but this would spike the use of their network, not good). Not easy, but not hard either. I had a little over 36 hours until the supposedly conference call.
Several hours later and a LOT of caffeine, I had a little nasty piece of code that would do the trick. I uploaded it to the network and set it to be installed in all computers. Flat network, thank you very much.

Now, I didn't know which of those computers where laptops or which had microphones, however I had a "listener" program that was ready to receive any recordings made by my code. The recordings were being sent as HTTPS POST requests via an injection, with chunks of data being partitioned to save transfer time.

I set them all to start recording (if a mike was present) at the time of the conference call -5 minutes. Then I waited.

In the meantime one of the law enforcement officers arrived together with one of his hackers. I explained what I did and they both were exited. We all waited. More coffee.

At the time of the conference call we all started looking at the listener screen.

And we started getting chatter.

For about 20 minutes we received data. The listener was saving the data as an mp3 stream for each data pool being sent. After we saw that no data was coming for a while, I closed the connection. I opened my mp3 player and we played the first file. Nothing. Just someone typing and cursing. I opened the 2nd and there it was, one of the bad guys talking to the Boss. I gave those files to the law enforcement people and I told them to call me if they needed me to go search for more info.

A couple of weeks later, they called me. In that second file the person named the location where he and the boss would meet. The good guys went in and grab not only the boss but a bunch of his people as well.