A long time ago in a galaxy far, far away...
(With all respect to George Lucas.)
A NEW HACK
It is a period of civil war. Rebel spaceships, striking from
a hidden base, have won their first victory against the evil Galactic Empire. During the battle, Rebel spies managed to steal secret plans to the Empire's ultimate weapon, the Death Star, an armored space station
with enough power to destroy an entire planet.
Through subsequent events, two droids named C3P0 and R2D2 find themselves in the docking bay control room of the Death Star itself. Using a radio, C3P0 communicates
with his master, Luke Skywalker. Luke is also on the Death Star, but is trapped in a garbage compactor with Princess Leia, Han Solo, and Chewbacca. The trash compactor walls are closing in, squishing not
only trash, but our heroes too. Using the radio, Luke tells C3P0 and R2D2 that they must stop the compactor, or Luke and friends will die!
From the control room, R2D2 jacks into the Death Star using a network
plug in the wall. Although the plug looks alien, it is really just a fancy wall plate hiding an Ethernet RJ-45 jack. Once he is physically connected to the Death Star's internal TCP/IP network, R2D2 searches
for the trash compactor controls. As he scans the network, something goes horribly awry. R2D2 emits an annoying sequence of high-pitched squeals and just stops in his tracks. C3P0 instantly recognizes
R2D2's intruder alert sound. Someone has hacked into R2D2 from the Death Star network!
"R2… Are you ok? Oh dear!" shouts C3P0. R2D2 doesn't respond, but they still need to stop the trash
compactor. C3P0 unplugs R2D2 from the control room network plug.
Stashed in the control room, C3P0 finds an old 13-inch green phosphor terminal, with a serial connector. His golden metal hands shaking,
C3P0 opens a panel in the side of R2D2 to reveal a serial port connector in the little droid's dome. C3P0 plugs the monitor and keyboard into R2D2. Within seconds, C3P0 is staring at the "login:" prompt of
R2D2. Few people realize that all R2-style droids are really Linux machines inside a trashcan on wheels. C3P0 logs into R2D2 to begin looking around.
C3P0 exclaims, "My goodness, R2, I'm a protocol droid,
not a system administrator! Why can't this be a TCP/IP problem?"
While looking through the system, C3P0 quickly observes that R2D2's logs have a 2-minute gap! This gap corresponds to shortly after R2
plugged into the Death Star network.
"3P0! Hurry…Aarrrgghh!" shouts Luke over the radio.
C3P0 happens to carry a CD-ROM that includes the AIDE file system integrity-checking tool (doesn't everyone?). He
inserts this CD into a slot on R2D2 and invokes the tool. AIDE scans the file system, but doesn't detect any file modifications. The login, du, ifconfig, ps, netstat, and numerous other executables all
appear intact. Next, C3P0 looks in the /home directory, and finds the following files:
C3P0 looks for unusual processes, but
finds nothing unexpected. Similarly, using the netstat command, he doesn't see any unusual port usage.
Next, C3P0 uses the ifconfig command to check if R2D2's Ethernet interface is in promiscuous mode, a sure
sign of an attacker running a sniffer. However, ifconfig does not show the PROMISC flag. Because he's the suspicious type, C3P0 runs the tcpdump sniffer himself to force the interface into promiscuous
mode. He then runs ifconfig again to make sure that it properly indicates promiscuous mode. To his surprise, ifconfig still does not indicate promiscuous mode.
1) What type of tools might the attacker have used on R2D2?
2) How were the attacker's tools flawed?
3) What steps should C3P0 take to get R2D2 back in action rapidly to stop
the trash compactor and save their friends?
4) After initially getting him back in action to stop the trash compactor, what longer-term steps should C3P0 take to analyze R2D2?