What should I call this? Public Information Services or Ignorance?
The story began this afternoon when I met two great hackers, Aat Shadewa and Adi Nugroho. Actually, we had already arranged a meeting to discuss my book. This was the first time I met Aat; I knew him from his books, most of which talk about hacking. To cut the story short, from the book we moved on to another topic: hacking SCADA systems. Yes, we started the discussion with our concern about the security of most SCADA systems in Indonesia, especially the ones used in PLN's infrastructure. Honestly, I don't know this stuff very well. I learned about SCADA security around a year ago, but I haven't studied it since. Well, back to the meeting: all of us agreed that most SCADA infrastructure in Indonesia has poor security. And that's quite disturbing.
The story began about 2 months ago, when I was trying to connect to the internet through my GSM modem using one of the Indonesian telecom service providers. After trying (desperately) to connect my modem to the internet, I decided to check what was going on with my connection. I contacted customer service, and they said that my credit was insufficient for an internet connection. Well, it was my fault; I forgot to buy the voucher. After borrowing some money from my friend (around 100.000 IDR), I bought the voucher and tried to start the internet connection again. And hooray! The connection was back to normal again... but only for 4 hours!
Well, at first I thought the problem came from my GPRS modem. I tried disconnecting and reconnecting the modem all night long, but still no result. The next day, I decided to contact customer service again, and they said I needed to wait for 24 hours. Well then, I had no choice at all. After 24 hours, I tried to connect the modem again but still had the same problem: I could not get onto the internet. Then I decided to contact customer service again, and they said I needed to wait for 24 hours x 7 days.. What the h...
To cut the story short, after waiting 7 boring days, I decided to connect my modem again and the result was still the same; at that point I thought there must be something wrong with the modem. I decided to borrow another modem from my friend, and the result was still the same. Then I tried swapping my card for another SIM card from the same provider (again, I borrowed the card from my friend), and this time I could connect to the internet.. oh sh*t.
Well, after all that had happened to me, the next day I decided to contact customer service again, and as I expected, they asked me to wait for 24 hours x 7 days again! I decided to wait again, and after waiting for one week they asked me to wait for another week. Now the time limit for my card has ended, and my 100.000 IDR is gone because the SIM card's validity period has expired. I tried to protest, but it was useless. And this is the point where I changed, from a newbie into a dummy. Yes, now I became a dummy, I lost my mind and knowledge, and there came the dark side.
I started to think about how to take revenge. Yes, I tried to take back the things that were supposed to be mine. My mind kept running, as I remembered that the modem gave me some IP numbers even though I could not connect to the internet. So, this was my entry point. I fired up my BT 4, called wvdial and got connected; I had the IP addresses.
local IP address x.x.x.x
Remote IP address z.z.z.z
Primary DNS address a.a.a.a
Secondary DNS address b.b.b.b
This is good! After that I tried to nslookup some addresses, but it looked like I had no connection. Well, I tried firing up mtr, but still no connection. I tried changing my destination address; this time I chose the IP addresses from the DNS, both primary and secondary. And what interesting info I got: now the IP address changed into a local address at every hop. It was no longer 10.x.x.x but had changed into 192.x.x.x, which seemed promising to me, and now I became more serious.
I then decided to do some scanning of each hop I got, and it started showing me some live hosts with various devices. After finishing the scan of each network, I tried to check each service by nc-ing to each port that popped up during the scanning session. I got many strange port numbers, and some of them gave me an interesting banner via nc, from NSN to SGSN.
Well, now I had some targets here. I started to crack all the services one by one over the whole night, and the result seemed worth it. Now I could log in to some machines, which in my opinion must be the "router" devices of the provider. Well, at first I had some problems running the console, but I have Google, who is always ready to answer all my questions. To cut the story short, I played around a little inside the machine (on every machine I could get into), running some commands that were useful for me, such as capturing traffic, dumping configuration, and backing up settings or firmware; on some machines I could even dump the database structure.
For the sake of ethics and for my own security, I can't give you the name of the company nor the real configuration strings, but I will give you a "teaser":
Not enough space for a full dump. Generating a partial dump
msgbuf: 0x%x[0x%x] = %d
(%0x%x > %0x%x)
text + data + bss + rest: [0x%x - 0x%x]
INCOMPLETE CORE DUMP:
Dumping 0x%x pages of memory to sec 0x%x, 0x%x sectors
Updating header at addr 0x%x to sec 0x%x, 0x%x sectors
SGSN SG6 DX200 CD9
FLEXI ISN rel 3.2 SW Rel. 3.9.2NET-FCS21 CD5
Well, I think that's enough, for my own safety. Now, I'm no longer a newbie; the dark side has taken over my mind and I have become a dummy.
Batch Audio Converter
Just for fun, I was looking for an application that could be played around with for SEH practice, and I found Batch Audio Converter <= v.0.4.0.0, which was successfully exploited via an SEH overflow (a clear write-up on SEH can be found on Peter Van Eeckhoutte's site and on the oldest Indonesian underground site, Kecoak Elektronik). To check the application's version, I looked at Help/About in the application and visited the maker's site. The maker is Freewaretoolbox, so I immediately downloaded the latest version, version 1.0.0, and it turned out that it is still affected by the buffer overflow as well.
I immediately emailed the maker so it could be fixed right away because, from what I can see, this application is very commonly used, as some internet users often convert from mp3 format to wav format or to other formats. (more…)