See how NSA hackers use large data to get network system administrators

More than a year after the Snowden incident, the intelligence group has been looking at a number of published materials, selecting one of the "NSA's internal posts" in 2012 to see how the NSA's black Broad uses "big data" to capture the attack thinking of network administrators.

"Intelligence" is the ultimate purpose of the attack.

Sid inside the NSA (Signalsintelligence Directorate) The "Signaling Intelligence department" as the name suggests that his ultimate goal is to produce information for policymakers to use. Whenever the target uses High-tech to communicate, the NSA hacker will try to collect it, analyze it, and output the report. It sounds simple unless he is already in the communication network of the target. And they are not always able to collect all the information, especially their target communication network is not within their collection. This time they will need some manual "errands" to help them complete the task. This "errand runner" is the "system administrator" I want to introduce in this post, "I Hunt sys admins"

Popular Science advertising spots

SID, full name signals FDI Directorate Signal Intelligence Command, in the NSA organizational structure code-named "S", mainly responsible for the collection, analysis, production and dissemination of signal intelligence. Several subsidiaries, including the famous Tao, are as follows:

-S1-Customer Relationship

-s2-main analysis and Production center, subordinate a number of "production lines"

S2A: South Asia, S2B: China and South Korea, S2C: International Security, s2e: The Middle East and Asia, S2F: International crime, s2g: Anti-proliferation, S2H: Russia, s2i: counter-terrorism ...

-s3-data acquisition, mainly responsible for "collection" work, subordinates include:

S31--cryptanalysis and exploitation Services password and exploit service abbreviation CES

S32--tailored Access Operations, referred to as Tao, is responsible for hacking foreign computers with the fact that network espionage, known as the NSA "Signal Intelligence Command" the largest and most important part, there are 1000 military-level and civilian computer hackers, intelligence analysts, Targeting experts, computer software hardware designers, electronic engineers and other components.

S33--global Access Operations, referred to as GAO, is primarily responsible for intercepting signals from satellites or other international SIGINT platforms.

s34--collection strategy and needs center

S35--special Source Operations, SSO, is primarily responsible for domestic collection programs, such as the famous "Prism program" PRISM

Network system administrators are the best "errands"

In fact, "system administrator" is not the ultimate goal of these NSA hackers, his final goal is "extremists/terrorists" or the official government to use these networks, and the network is managed by these "system administrators." For example, his goal is to use a CDMA terminal in a foreign network, it is possible that the NSA claws have collected the target phone phone, SMS text messages, (PS: The words in the post is said "where we passively collect his phone call/sms out In the wild. From this perspective, the NSA has been able to extensively "passively" collect telephone communications data, but if it does get into the local infrastructure, it is possible to have more direct monitoring of the target from which base station at any one time, or even to monitor phone and data traffic. However, it is often difficult to set the attack target directly on the base, and a series of information is generally needed to help with the action. For example:

– Topology of the target network

– Credentials for infrastructure equipment (password)

– Actions of the target network, such as the Allowed access list for only the administrator's source IP restriction policy

– Some general overview of the background, such as how the network is composed and how it is formulated

So in order to get the above information, who else is more appropriate than the target network administrator? Many times, when the NSA hacker sees the target appearing on a new network, his first goal is to be able to capture the administrator on the network through CNE (Computer receptacle exploitation). This is usually dependent on "QUANTUM" to visit their account. Of course you can go through phishing emails, but the NSA hackers think that people are smarter than they have been in the last 5-10 years, so the attack is no longer a viable option. Therefore, in order for the quantum attack to be effective for these administrators, the NSA hacker needs some webmail/facebook types of selector.

Popular Science advertising spots:

SELECTOR: Also known as the "sorter", the NSA is a "selector" for identifying specific targets from large data traffic, such as Hotmail Guids,google prefids,apple imeis,apple Udids,nokia Imeis,wireless Macs and so on, and this selector with the following to be said about the "Quantum" closely related.

QUANTUM: This can not have much to do with quantum computation, is mainly a code of the NSA, is a man-on-the-side intermediate hijacking technology, in the backbone of the secret to put some servers, through the selector to identify the target of attack, Then, using the faster response time than the normal server, the exploit code is sent to the target of the attack (that is, the administrator here), making the attack successful. With the development of recent years, more than the beginning of the 2005 "Quantuminsert", there are 2007 years of quantumbot,2008 years of Quantumdns and so on, as shown in the following picture:

Cne:computer receptacle exploitation, if CNE is focusing on tapping information from target computers and networks, then another called can (Computer receptacle Attack) is trying to disrupt, damage and destroy targets.

Attack Ideas:

If you want to use such means as WHOIS, to find the target network IP address space or domain name information registration information to discover these administrator's personal information. The NSA hacker practice shows that this is not a high success rate, because this information is usually the administrator's official e-mail address, these mail servers are deployed in the target network, and the NSA hackers quantum the secret of success is not used in this type of mail system. What they really want is an administrator's personal mailbox, Facebook, and other accounts. (Because these accounts can filter out selector, use quantum technology to enforce control over administrators.) Here you can use "Dumpster-dive technology" (search the dumpster near the administrator's office) or "Google searches" (to see if the administrator exposes the information in an official unofficial forum).

Attack Line:

NSA big black broad--〉 "terrorists"--〉 the network of terrorists--〉 the network administrator--〉 Control network

Conditions required for an attack (reverse derivation):

Network administrator 〈--quantum Attack 〈--can identify administrator selector〈--personal account such as Facebook〈 ——???

Before proceeding, let's introduce the tools within Discoroute--nsa that specifically use to "passively" collect and store router configuration files in the Telnet sessions traffic.

Having such a tool, with such data, is a great help for invading the target network and understanding its network structure, but these profiles seem to have little to do with the personal webmail or Facebook that has found the network administrator. The network is far from successful invasion. To this end, the NSA has randomly selected a Kenyan routing configuration to do a demonstration. (from this side, the NSA says there's no intrusion, no eavesdropping on other countries ' communications.) Getting router configuration information is a handy thing. Next as an analyst, the most basic level is based on this configuration file to make bold assumptions:

-We have a router, the router has an admin

-Through the Discoroute tool to obtain the configuration file, you can know that this administrator through Telnet landing to the router

-admin may not allow anyone or everyone to log on to the router

-Administrator may have set ACLs to allow only his own IP telnet to the router

Here's a look at the router's configuration file:

From the above you can see that the administrator did set the source address access Acl--access-class, as well as the password attribute set to represent 7 of ciphertext, of course, this is also very good to crack. There are basically off-the-shelf tools available online to deal with this type of password 7 hash.

You can see from the following configuration list:

As you can see, if you want to telnet to this router, you have to access it from these (already hacked) IP addresses. A little bit of network knowledge you can know, even if you know the router's authentication information, even if you know these whitelist, you will not be able to forge these source address to log on to the router, because you can not see the response packet. So you have to access one of these IP addresses in order to log on to the router.

Let's recap the NSA hacker's assumption that an administrator would only allow him to telnet, and that no landing from other addresses would be allowed. So we can further boldly assume that this is the ACL address, the admin address that manages this Kenyan network.

Then, use these addresses to find, from these IP address login hotmail,yahoo,facebook activity account. It would then be possible to identify the administrator's personal account information for the Kenyan network. Using this information as a selector, you can use the quantum technology to attack these administrators to control the network through these administrators.

Summarize the above roughly two steps

Step one: From the router configuration information in the Discoroute, identify the ACL information with Telnet, and export the public IP address of these ACLs.

Step two: From Asdf (full name atomic SIGINT Data Format, is the NSA generated metadata from all session information collected from the Passive collection information system--passivesigint systems. ), the active user is associated with the public network IP obtained by step one.