DARPA
Defense Advanced Research Projects Agency
Information Assurance and Survivability
Operational Experimentation (OPX)
Phoenix Challenge 2002
Brian Witten
OPX Program Manager
[email protected]

REPORT DOCUMENTATION PAGE (Form Approved, OMB No. 0704-0188)
1. REPORT DATE (DD-MM-YYYY): 22-04-2002
2. REPORT TYPE: Briefing
3. DATES COVERED (FROM - TO): xx-xx-2002 to xx-xx-2002
4. TITLE AND SUBTITLE: Information Assurance and Survivability Operational Experimentation (OPX) (Unclassified)
5a. CONTRACT NUMBER
5b. GRANT NUMBER
5c. PROGRAM ELEMENT NUMBER
5d. PROJECT NUMBER
5e. TASK NUMBER
5f. WORK UNIT NUMBER
6. AUTHOR(S): Witten, Brian
7. PERFORMING ORGANIZATION NAME AND ADDRESS: DARPA, xxxxx, xxxxxxx
8. PERFORMING ORGANIZATION REPORT NUMBER
9. SPONSORING/MONITORING AGENCY NAME AND ADDRESS: DARPA
10. SPONSOR/MONITOR'S ACRONYM(S)
11. SPONSOR/MONITOR'S REPORT NUMBER(S)
12. DISTRIBUTION/AVAILABILITY STATEMENT: A PUBLIC RELEASE
13. SUPPLEMENTARY NOTES
14. ABSTRACT: See report.
15. SUBJECT TERMS: IATAC Collection
16. SECURITY CLASSIFICATION OF:
   a. REPORT: Unclassified
   b. ABSTRACT: Unclassified
   c. THIS PAGE: Unclassified
17. LIMITATION OF ABSTRACT: Public Release
18. NUMBER OF PAGES: 17
19. NAME OF RESPONSIBLE PERSON: email from Booz, Allen & Hamilton (IATAC), (blank) [email protected]
19b. TELEPHONE NUMBER: 703 767-9007, DSN 427-9007
Standard Form 298 (Rev. 8-98), Prescribed by ANSI Std Z39.18

REPORT DOCUMENTATION PAGE (Form Approved, OMB No. 074-0188)
1. AGENCY USE ONLY (Leave blank)
2. REPORT DATE: 4/22/2002
3. REPORT TYPE AND DATES COVERED: Briefing 4/22/2002
4. TITLE AND SUBTITLE: Information Assurance and Survivability Operational Experimentation (OPX)
5. FUNDING NUMBERS
6. AUTHOR(S): Witten, Brian
7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES): DARPA
8. PERFORMING ORGANIZATION REPORT NUMBER
9. SPONSORING / MONITORING AGENCY NAME(S) AND ADDRESS(ES): Defense Advanced Projects Research Agency
10. SPONSORING / MONITORING AGENCY REPORT NUMBER
11. SUPPLEMENTARY NOTES
12a. DISTRIBUTION / AVAILABILITY STATEMENT: Approved for public release; Distribution unlimited
12b. DISTRIBUTION CODE: A
13. ABSTRACT (Maximum 200 Words): This briefing was presented during the Phoenix Challenge 2002 Conference and Warfighter Day.
14. SUBJECT TERMS: IATAC Collection, information assurance
15. NUMBER OF PAGES: 16
16. PRICE CODE
17. SECURITY CLASSIFICATION OF REPORT: UNCLASSIFIED
18. SECURITY CLASSIFICATION OF THIS PAGE: UNCLASSIFIED
19. SECURITY CLASSIFICATION OF ABSTRACT: UNCLASSIFIED
20. LIMITATION OF ABSTRACT: UNLIMITED
NSN 7540-01-280-5500, Standard Form 298 (Rev. 2-89), Prescribed by ANSI Std. Z39-18, 298-102

Vision
• Protect Centers of Gravity: Survivable Servers
• Pervasive Sensors: Hardened Clients
• Reduce Overload: Analyst Workbench
• New Capability: Situational Awareness

Strategy
• Objectives:
  - Accelerate transition of effective technologies
  - Inform research agenda with operational experience
• Key Experimentation Risks, Transition Metrics:
  - Limited operational staff time
  - Impact on operational systems
• Approach:
  - Leverage mature research, well tested in lab
  - Field cautiously: walk before we run

The Analyst's Challenge
[Figure: Impact of Transition to T3 volume at Internet Access Points; labels: Today, Tomorrow, Potential IAP Traffic (T3)]

Intrusion Detection in the Lab
DARPA 1998 Results (MIT/LL and AFRL)
• Operational sensors:
  - Hundreds of false alarms per attack
  - Actually miss most attacks
• Research sensors:
  - Dramatically reduce false alarm rates
  - Substantially improve detection coverage
[Figure: Attacks Detected (%) versus False Alarms Per Day, comparing R&D Systems with Keystring; Attacks: 38, Normal: 660,049]
[Figure: ROC, detection rate versus false alarm rate; legend: asim, emerald, netstat, ustat, ustat+netstat, sri(ll), ucsb(ll), stolfo(ll)]

Analyst Workbench
• Analysts currently overwhelmed
  - Flood of data, high false alarm, low detection rates
  - Not… real time, decision quality, always actionable
• DARPA Algorithms
  - Over a dozen lab tested real time algorithms
  - Data mining, anomaly, self organizing, expert systems
• Execution: September 2001 – September 2002

Hardened Client
• MARFORPAC Challenge
  - Classic SIPR/NIPR PC problem
  - Compounded by TAD laptop theft
  - Insider threat and unknown viruses
• Proposed Technology
  - Safe e-mail "wrappers" and encrypting file system
  - Autonomic Distributed Firewall
  - PGP Disk & Disk Eraser

Operating System Wrappers
• Trap and stop unknown viruses
• Enable safer use of mobile code
• Performance impact: Low
• Availability: Solaris, Linux, NT, Win2K
[Diagram: App, Wrapper, Controlled Interface; labels: JavaScript, VBScript, Script]
[Chart: Kernel Build and HTTP Throughput (%), axis 0 to 7; series: no WSS, WSS only, callcount, dbcallcount, seq_id; value labels 3.3% and 6.6%]
Developers: Network Associates, Teknowledge, Cigital, Telcordia

Autonomic Distributed Firewall
- Firewall on Network Interface Card (NIC)
- Hardware based cryptographic accelerator
- Trustworthy control of untrustworthy OS
Made by Secure Computing and 3Com. Research performed under DARPA sponsorship.
ADF Controller
• Converts high level policy into low level packet filtering rules for each NIC
• Triple redundancy, manages thousands
• Drag and drop INFOCON changes
• Encrypted communication with NIC
• Audit database and browser
[Diagram labels: Internet, Firewall, LAN, Workstation, Remote user, Server, NIC]

Hardened Client Timeline
• MARFORPAC Limited Objective Experiment
  - Apply safe e-mail wrappers and encrypting file system
  - MARFORPAC approved internal experiment charter
  - Execution: Late CY2001, RSO&I 02, UFL 02
• Fleet Battle Experiment India (C3F)
  - Execution: Jun 2001 – Autonomic Distributed Firewall (PCI)
• Fleet Battle Experiment Juliet Goals (PACFLT)
  - Complete application of diverse wrappers
  - Autonomic Distributed Firewall (PCMCIA)

Survivable Server
• Motivating factors:
  - High-value and commonly targeted center of gravity
  - Need Intrusion Tolerant Systems: Ability to confidently execute mission while under attack
  - Reactive defense not adequate
• Possible technologies:
  - PASIS: Perpetually Available Survivable Information System. Leverage fragmentation, redundancy, and scattering
  - SELinux, Immunix, Emerald, NetTop VMware, Wrappers
• Execution: 2002

Situational Awareness
• Am I under attack?
• What is the nature of the attack?
  - Class, mechanism, and source
• What is mission impact?
  - Urgency, damage assessment and control, initial response
• When did attack start?
  - More detailed damage assessment. What have I done wrong?
• Who is attacking?
  - What are they trying to do? What is their next step?
• What can I do about it?
  - Course of action analysis, collateral damage risk, reversibility

Theater C4I Coordination Center, PACOM TCCC
[Diagram: NETOPS, comprising TNM, IA and IDM; labels: Information Assurance, Network Management, Information Dissemination Management]
Need
• Theater Wide
• Real Time
• Decision Quality
• Actionable Information
Strategy
• Leverage Cyber Panel emerging research

Summary
[Timeline chart, FY 01 to FY 02:]
• Analyst's Workbench - PAC CERT
• Hardened Client - MARFORPAC, PACFLT
• Survivable Server
• Situational Awareness - TCCC
• Possible extension to other CERTS

[Diagram labels: Confidentiality, Availability, Integrity, Security, Functionality, Performance, Context, Attacks, Prevention, Layered Protection, Tolerance, Detection, Dynamic Defense, Risk-Balanced Optimizing Strategy, Information Treasures]

[Figure: Phase 3 Attack Tree, Actual Attacks Executed, 12-16 June 2000. Attack steps are drawn as boxes joined by attack paths that lead to anticipated effects on orders: modified, added, deleted, dropped in transit, or clients prevented from issuing new orders.]
[Figure key: colored lines are attack paths and colored boxes are attack names. The key also marks Anticipated Effect, Phase Modifications, and Phase Removals (Flag). Each attack carries a C/F/D rating, where C is cost/difficulty, F is likelihood of failure, and D is likelihood of detection resulting in prevention, each rated L (low), M (medium) or H (high).]
[Figure note: attackers are physically located on the external LAN.]
Methodology