Home
Who am I?
Scenarios
Where & When
Misc
Olde Style Page
Math Puzzles
Trinity Runner Up B

By Mike Luedke

>> 1) What type of attack had Trinity really launched against the IRS?

SQL Injection attack. These attacks are performed by inputing special
characters such as the single quote (') character to get SQL to execute
commands, other than the command intended by the web application.


>> 2) What was the real purpose of the first set of user input, and how
does it function?

The purpose was to check to see if irsfile.asp was vulnerable to SQL
injection attacks. The SQL command which was injected uses a stored
procedure which executes a command using the Windows command shell. The
command executed, ping, sends a icmp echo requests to a host at the
209.171.43.28 address. Trinity could monitor the network anywhere between
the IRS web server and 209.171.43.28 and watch for ICMP echo request
packets. If these packets were spotted, it would indicate the attack was
successful. Since many firewalls are configured to allow outbound ICMP
echo requests originating from the inside network, these type of packets
were likely to reach their destination undetected.

It appears that the IP address in question hosts a website which belonged
an ancient security expert known within the Matrix as Ed Scoudis. This
website and software hadn't been updated since 2003, almost 200 years ago.
With 200 years worth of security vulnerabilities, this host was likely
controlled by a hacker.


3) What was the real purpose of the second user input, and how does it
function?

The second injected command retrieves a list of users on the SQL database
servers by appending extra statements at the end of the input field. The
extra 1,'1',1,'1' is used to pad the query so that the UNION function will
work properly against the table which stores the 'username' field.


4) What was the real purpose of the third user input, and how does it
function?

The third injected command retrieves the phone number for each tax payer
with the last name of 'Anderson' using the valid username of Trinity
obtained from the 2nd injected command.
 

Send me some e-mail

©Copyright 2004, Ed Skoudis