Hack Like a Pro: How to Hack Like the NSA (Using Quantum Insert)

Welcome back, my greenhorn hackers!

Over the years, I have written many articles here on Null Byte chronicling the many hacks of the NSA, including the recent hack of the Juniper Networks VPN. (By the way, my speculation in that article has proven to be correct. The NSA did embed a backdoor on those devices.)

Many readers here have expressed surprise, condemnation, and a bit of admiration at the capabilities and tools of the NSA. Much of that is undeserved. The NSA has legal authority to tap resources that none of us do (such as the ISPs and backdoors), as well as supercomputers and other powerful devices that assist them in their hacks. Sometimes, though, the NSA does something innovative and creative. It is one of those hacks that I will detail here.

A few years back, specifically 2013, the NSA and GCHQ (Britain's equivalent of the NSA) implemented a hack that came to be known as the "Quantum Insert." It was used against officials of OPEC and Belgacom (Belgium's telecom service), and is a variation on classic MitM attacks, but with a bit of a twist.

Let's take a moment to break it down here and see if we could do the same.

Step 1: Monitor/Recon the Target

The first step in the Quantum Insert attack is to monitor/recon the target. The NSA has access to the ISPs and can see all the traffic from the target. For a non-NSA hacker, this would likely require being inside the local area network.

For instance, if we are inside the target's LAN, we may be able to sniff the target's network. If we can do that, we can use sniffers such as Tcpdump or Wireshark and filter by the target's IP address. We could automate this process by putting Snort on the LAN and writing a rule that alerts on traffic from the target's IP address. In this way, we could develop a pattern of the target's web browsing activity.

Step 2: Predict the Target's Browsing Habits

As we watch the target, we can see the target's browsing habits. In this way, we can predict which websites the target is likely to go to each day. In the case of this hack by the NSA, they observed regular traffic to LinkedIn and Slashdot. Based upon what the attacker reconned, they can begin to develop an appropriate hacking strategy.

Step 3: Build a Fake Web Server Near the Target

Now that the attacker knows what websites the target is likely to visit, they can plan the attack. The key is to "insert" an HTTP reply from our fake website when the target requests the website with an HTTP request.

If we can beat the legitimate website's reply, the target will get the bogus website. This is often referred to as a "race condition." If the attacker's fake HTTP reply arrives at the target before the legitimate reply—if only by a millisecond—the attacker will have won the race and the legitimate reply will be discarded when it arrives. Although the attacker may not win the "race condition" every time, they only need to win once.

Of course, we need a web server and an exact replica of the legitimate website. We can use Apache as our web server and HTTrack to download an exact copy of the website. The closer the proximity of the attacker's web server is to the target, the faster the HTTP reply will arrive at the target.

Although the NSA used this race condition, we could also use Dnsspoof to redirect the target's request to our website, if we are on the local network. The problem with this approach is that a vigilant security admin is likely to see the Dnsspoof packets and the rogue web server on the LAN—but not every security admin is vigilant.

When the bogus webpage arrives, it contains the payload/rootkit that is inserted into the target's system. As we know, there are numerous Adobe Flash vulnerabilities we can take advantage of as well as almost innumerable browser vulnerabilities. We would have to determine which exploit to use based upon our recon/monitoring in Step #1. For instance, if we determine that the target is using a Firefox browser, we would find a Firefox exploit and embed it in the webpage they request.

Step 4: Own the System!

Now that the NSA/attacker has been able to send the malicious webpage to the target, the rootkit is embedded into the target's system and the attacker now owns the target's system!

Thanks to WikiLeaks and Edward Snowden for the diagrams. Sometimes we can learn by observing other hackers' successful exploits, and the NSA is no different.

Keep coming back, my greenhorn hackers, as we develop the most valuable skill set of the 21st century—hacking!

14 Comments

I remember the Belgacom hack... It was a true shock for us Belgians!

The Belgacom hack was the reason I started focusing on cybersecurity. Thanks for pointing this hack out!

Maybe a side note: ever since the Belgacom hack, most Belgians lost their faith in the US.

-Phoenix750

Very interesting, just one question though, how does one know when the target tries to contact the server? If it requires the attacker to already be in the LAN I feel like there could be easier ways. I can't see how we could know that the target is trying to access a website without them already being compromised in some way.

Anyways great article, I'm loving these big and high level hacks, moves us away from the nitty gritty. Thanks!

Cheers,
Washu

Read my other reply.

-Phoenix750

If I'm right to say, this is an ADVANCED MITM attack.

I'm not sure I would categorize this as a MiTM. In a MiTM, we want the target's traffic to pass through our computer. In this hack, we are trying to get malware on the target by sending them a fake webpage of the site that they actually requested. There is no traffic of the target traversing our computer.

So we could pull this off on WAN in some conditions?

-Phoenix750

I guess that's really my question, because if you're already within the LAN, why bother with this more complicated way to serve them a webpage? Maybe because it's a passive attack (i.e., not actively changing the packets)? But if you're in the WAN, how can you know if they sent out a request to the web server?

Thanks for your help :)

Cheers,
Washu

Because in a real life situation, the average hacker (we) won't be on the user's LAN for too long, especially when there is a vigilant security admin. Here is my situation:

I have the external IP of the network. I go nearby, connect my laptop to their WLAN, sniff with Wireshark for about 10 mins, save the PCAP, then go home quickly, where I analyze the PCAP. Based on the websites we saw in the PCAP, we can develop a fake webpage to send to them through the WAN. I'd say we kind of DoS the target with the fake webpage, until the user requests the legitimate webpage and gets ours instead.

My question is if this is actually possible.

-Phoenix

Remember, this is a race condition. You must respond faster than the legitimate website.

As for DoSing the target, few DoS attacks take down the site completely. Instead, they slow the response, so unless you can take down the site completely, the legitimate site will respond before you can.

With "DoS", I didn't mean to take down the target. A bit confusing (since it isn't DoSing, but it comes down to the same principle), I know, but let me explain:

What I was hoping to do was send a fake reply of the website to the target every 10 ms or so, in the hope of winning the "race". If the website wasn't requested, the packet gets rejected. If it was requested, the chance is pretty high we got our packet in and kept the legitimate one out. Am I right in this theory?

-Phoenix750

No, that wouldn't work, since the reply packet has to have the right sequence number or else it's dropped. You would have to know the required sequence number, which can only be discovered by sniffing the request.

The way the NSA does it is they have some "secret" servers (called "shooters") throughout the internet backbone, which allows them to basically sniff all the traffic they want.

Cheers,
Washu
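The race condition in Step 3 and the sequence-number point in the reply above together give a defender something concrete to look for: an injected reply and the legitimate reply both arrive on the same TCP flow with the same sequence number but different bytes, whereas an ordinary retransmission repeats the same bytes. The following Python is an added example (not code from the article or from any NSA or Fox-IT tool) that runs that check over a constructed set of segments; the flow key, the `seq`/`payload` dict layout and the sample addresses are assumptions for illustration.

```python
"""Flag TCP segments that repeat a sequence number on a flow with different
payload bytes (a Quantum Insert style race) while ignoring retransmissions.
The segment dicts below are constructed sample data, not a real capture."""
from collections import defaultdict

def seg(src, sport, dst, dport, seq, payload):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "seq": seq, "payload": payload}

# Constructed flow: a client fetches a page, then two different replies race
# for the same sequence number, followed by a genuine retransmission.
REAL = b"HTTP/1.1 200 OK\r\nContent-Length: 17\r\n\r\n<html>real</html>"
BOGUS = b"HTTP/1.1 200 OK\r\nContent-Length: 21\r\n\r\n<html>injected</html>"
SAMPLE_SEGMENTS = [
    seg("10.0.0.5", 51514, "203.0.113.10", 80, 1000,
        b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    seg("203.0.113.10", 80, "10.0.0.5", 51514, 5000, BOGUS),  # wins the race
    seg("203.0.113.10", 80, "10.0.0.5", 51514, 5000, REAL),   # legitimate
    seg("203.0.113.10", 80, "10.0.0.5", 51514, 5000, REAL),   # retransmission
]

def flow_key(s):
    return (s["src"], s["sport"], s["dst"], s["dport"])

def same_prefix(a, b):
    """Retransmissions may be re-segmented, so compare only the overlap."""
    n = min(len(a), len(b))
    return a[:n] == b[:n]

def find_injections(segments, max_seqs=64):
    """Return (flow, seq, first_payload, conflicting_payload) alerts for every
    sequence number that is seen with more than one distinct payload."""
    seen = defaultdict(dict)  # flow -> {seq: [distinct payloads]}
    alerts = []
    for s in segments:
        key, seq, data = flow_key(s), s["seq"], s["payload"]
        variants = seen[key].setdefault(seq, [])
        if any(same_prefix(v, data) for v in variants):
            continue  # bytes already seen for this seq: plain retransmission
        if variants:
            alerts.append((key, seq, variants[0], data))
        variants.append(data)
        if len(seen[key]) > max_seqs:  # bound memory per flow, drop oldest seq
            seen[key].pop(next(iter(seen[key])))
    return alerts

if __name__ == "__main__":
    for flow, seq, first, other in find_injections(SAMPLE_SEGMENTS):
        print(f"ALERT {flow} seq={seq}: {first[:40]!r} vs {other[:40]!r}")
```

In a real deployment the same comparison would be fed from a capture library or an IDS stream reassembler rather than a hand-built list, and only the first few hundred bytes of each payload need to be retained.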

As far as I understand this is a MOTS (Man-On-The-Side). The difference is that a classic MITM can manipulate all the data from and to a target but a MOTS can only observe and inject packets.

Cheers,
Washu

True, OTW, thanks for the clarification.

A series on How To Hack Like The NSA would be fun.
