I rarely watch TV, and when I do it’s almost always DVRed so I can skip commercials. But one advert for the U.S. Army caught my eye even while I was fast-forwarding through the break. I went back and actually watched the ad. Then I went back and paused the playback to view the technobabble that was slow-rolled onto the black, ruggedized laptop (dude, the hacker uses a Durabook? Maybe it’s really the NSA).
If you haven’t seen it, you can view the original commercial below.
Now on to the fun stuff.
That can’t be fun to lug around. At least we have a power LED going to show the machine is actually running. Still, the character output is so smooth and slow. Are we watching the output from a remote session over a 2400 baud modem? Moving right along…
Enhance
That’s a bit better. Let’s dig in.
Our badactor user is running a Linux machine named cyberweapon.
For the life of me, I can’t figure out why the computer security sector has latched onto cyber like a barnacle to a mothballed destroyer. Just makes me think of the Lawnmower Man. No one wants to be reminded of that.
But cool, we’re going to run nmap against a website target.
Executed on September 20th, 2016, it’s a bit curious why anyone would be running an 11-year-old version of nmap. nmap 4.11 was released in June of 2006. The current release (as of this writing) is 7.40, and 7.12, released in March of 2016, would’ve been a good stable version to be using. Regardless, that’s a lotta revs behind.
Digging into what nmap pulled from our target machine, we find more 11-year-old software: OpenSSH 4.3 and Apache 2.3.3 are both from 2006. Given the additional note with Apache that the target machine is running CentOS, we can date the box: OpenSSH 4.3 is the version that CentOS 5 shipped, so we’re looking at CentOS 5 or older. Either way, support for that OS is well and truly past (CentOS 4 went end-of-life in 2012, and CentOS 5 followed in March of 2017).
But our attacker should be jumping for joy at this point. Look at all the lovely ports left open. mysql and plain HTTP Apache are prime targets along with the rpc ports. But wait, what’s this?
The MAC address OUI of the target comes back as Cadmus Computer Systems. Who? Oh, VirtualBox. Our target is a virtual machine and almost certainly local: nmap can only report a MAC address when the target answers ARP, which means it sits on the scanning host’s own layer-2 segment, and the private IP space (192.168.0.x) and the last octet (101) point the same way.
Lastly, nmap’s uptime guess: 0.169 days, or 4 hours, 3 minutes, 21 seconds, give or take some millis, with a last-boot date in November of 2013. (nmap derives the uptime from the target’s TCP timestamps and computes the boot date by subtracting it from the scanning host’s clock, so the date is only as good as both.) Given the 2016 release of the advertisement, that 2013 date gives a bit more credence to the idea that our target host is a VirtualBox VM.
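To make the reasoning above repeatable, here is an added example (not code from the original post or from the advertisement) that parses nmap normal output and derives the same inferences: service banners, the VirtualBox OUI, the "MAC present means local segment" rule, the RFC 1918 check, the uptime-in-days conversion, and how stale the scanner is. The scan text is constructed to mirror the figures described above; the OpenSSH-to-EL release table and the nmap release months are assumptions stated in the code.

```python
"""Read nmap normal output and draw the conclusions a pentester draws from it.

SAMPLE_SCAN is CONSTRUCTED for this example, modelled on the values visible
in the advertisement; it is not a capture of the ad.
"""
import ipaddress
import re
from datetime import date

SAMPLE_SCAN = """\
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2016-09-20 10:13 EDT
Interesting ports on 192.168.0.101:
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 4.3 (protocol 2.0)
80/tcp   open  http    Apache httpd 2.2.3 ((CentOS))
111/tcp  open  rpcbind 2 (rpc #100000)
3306/tcp open  mysql   MySQL (unauthorized)
MAC Address: 08:00:27:3A:1F:9C (Cadmus Computer Systems)
Uptime: 0.169 days (since Fri Nov  8 06:10:12 2013)
"""

HEADER_RE = re.compile(r"Starting Nmap (\d+\.\d+).* at (\d{4})-(\d{2})-(\d{2})")
TARGET_RE = re.compile(r"(?:Interesting ports on|Nmap scan report for)\D*?(\d{1,3}(?:\.\d{1,3}){3})")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$", re.M)
MAC_RE = re.compile(r"MAC Address: ([0-9A-Fa-f:]{17}) \(([^)]*)\)")
UPTIME_RE = re.compile(r"Uptime(?: guess)?:?\s+([\d.]+) days(?: \(since ([^)]*)\))?")

# Release months of the nmap versions discussed in the write-up.
NMAP_RELEASES = {"4.11": date(2006, 6, 1), "7.12": date(2016, 3, 1), "7.40": date(2016, 12, 1)}
# OpenSSH version each RHEL/CentOS major shipped. Assumption: recalled distro
# package versions, used only to date the target OS from its ssh banner.
EL_OPENSSH = {"3.9": 4, "4.3": 5, "5.3": 6, "6.6": 7}


def parse_scan(text):
    """Pull scanner version, scan date, target, ports, MAC and uptime out of nmap output."""
    hdr, tgt, mac, up = (r.search(text) for r in (HEADER_RE, TARGET_RE, MAC_RE, UPTIME_RE))
    return {
        "nmap_version": hdr.group(1) if hdr else None,
        "scan_date": date(int(hdr.group(2)), int(hdr.group(3)), int(hdr.group(4))) if hdr else None,
        "target": tgt.group(1) if tgt else None,
        "ports": [
            {"port": int(p), "proto": proto, "state": state, "service": svc, "version": ver.strip()}
            for p, proto, state, svc, ver in PORT_RE.findall(text)
        ],
        "mac": mac.group(1) if mac else None,
        "vendor": mac.group(2) if mac else None,
        "uptime_days": float(up.group(1)) if up else None,
        "since": up.group(2) if up else None,
    }


def uptime_hms(days):
    """nmap reports uptime in fractional days; 0.169 days is 4 h 3 min 21 s."""
    secs = int(days * 86400)
    return secs // 3600, (secs % 3600) // 60, secs % 60


def hypervisor_from_mac(mac, vendor):
    """VirtualBox NICs use the 08:00:27 OUI, listed under Cadmus Computer Systems."""
    if mac and (mac[:8].upper() == "08:00:27" or "cadmus" in (vendor or "").lower()):
        return "VirtualBox"
    return None


def el_major_from_ssh(ports):
    """Map the OpenSSH banner to the RHEL/CentOS major that shipped it (None if unknown)."""
    for p in ports:
        m = re.match(r"OpenSSH (\d+\.\d+)", p["version"])
        if m:
            return EL_OPENSSH.get(m.group(1))
    return None


def years_behind(scan_date, nmap_version):
    """Whole years between the scanner's release and the scan date."""
    rel = NMAP_RELEASES.get(nmap_version)
    return (scan_date - rel).days // 365 if rel and scan_date else None


def assess(info):
    """Turn parsed fields into the inferences made in the write-up."""
    return {
        # nmap learns a MAC only via ARP, i.e. when the target is on the scanner's own L2 segment.
        "local_segment": info["mac"] is not None,
        "private_target": bool(info["target"]) and ipaddress.ip_address(info["target"]).is_private,
        "hypervisor": hypervisor_from_mac(info["mac"], info["vendor"]),
        "el_major": el_major_from_ssh(info["ports"]),
        "uptime_hms": uptime_hms(info["uptime_days"]) if info["uptime_days"] is not None else None,
        "nmap_years_behind": years_behind(info["scan_date"], info["nmap_version"]),
        "open_services": [p["service"] for p in info["ports"] if p["state"] == "open"],
    }


if __name__ == "__main__":
    for key, val in assess(parse_scan(SAMPLE_SCAN)).items():
        print(f"{key}: {val}")
```

The "local_segment" rule is the one worth remembering: a MAC line in nmap output is a stronger locality signal than the RFC 1918 address, because nmap can only obtain it by ARP on the scanner's own broadcast domain.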
The rest of the scroll is a nessus command, followed by a curl. We see the output of neither command, so there’s not much more we can guess.
Conclusion
Did the makers of this advert actually fire up a 3-year-old VM of a 10-year-old OS to make this little dramatic intro? Certainly looks like it. Then again, the little bit of film could be stock footage from 2013 and I’m all shades of wrong. Even if that’s the case, who’s running a 7-year-old version of CentOS? Is the military that far behind?
None of that really matters, though, because the use of actual SecOps tools to make this advertisement is a good thing in and of itself. Having it all be older than dirt (in technology terms) is irrelevant. The point is that I watched and paid attention to the advertisement. That’s at least 90% of the battle right there.
Reference Links
OpenSSH – Release Notes
nmap – Change Log
Apache – Release Announcement
VirtualBox – who is Cadmus Computer Systems?