Welcome back, my greenhorn hackers!
Over the years, I have written many articles here on Null Byte chronicling the many the hacks of the NSA, including the recent hack of the Juniper Networks VPN. (By the way, my speculation in that article has proven to be correct. The NSA did embed a backdoor on those devices.)
Many readers here have expressed surprise, condemnation, and a bit of admiration at the capabilities and tools of the NSA. Much of that is undeserved. The NSA has legal authority to tap resources that none of us do (such as the ISPs and backdoors) as well as supercomputers and other powerful devices that assist them in their hacks. Sometimes, though, the NSA does something innovative and creative. It is one those hacks that I would detail here.
A few years back, specifically 2013, the NSA and GCHQ (Britain's equivalent agency to the NSA) implemented a hack that came to be known as the "Quantum Insert." It was used against officials of OPEC and Belgacom (Belgium's telecom service), and is a variation on classic MitM attacks but with a bit of a twist.
Let's take a moment to break it down here and see if we could do the same.
Step 1: Monitor/Recon the Target
The first step in the Quantum Insert attack is to monitor/recon the target. The NSA has access to the ISPs and can see all the traffic from the target. From a non-NSA hacker, this would likely require being inside the local area network.
For instance, if we are inside the target's LAN we may be able to sniff on the target's network. If we can do that, we can use sniffers such as Tcpdump or Wireshark and filter by the target's IP address. We could automate this process by putting Snort on the LAN and write a rule to see and alert traffic from the target's IP address. In this way, we could develop a pattern of the target's web browsing activity.
Step 2: Predict the Target's Browsing Habits
As we watch the target, we can see the target's browsing habits. In this way, we can predict what websites that the target is likely to go to each day. In the case of this hack by the NSA, they observed regular traffic to LinkedIn and Slashdot. Based upon what the attacker reconned, they can begin to develop a appropriate hacking strategy.
Step 3: Build a Fake Web Server Near the Target
Now that the attacker know what websites the target is likely to visit, they can plan the attack. The key is to "insert" an HTTP reply from our fake website when the target requests the website with a HTTP request.
If we can beat the legitimate website's reply, the target will get the bogus website. This is often referred to as a "race condition." If the attacker's fake HTTP reply arrives at the target before the legitimate reply—if only by a millisecond—the attacker will have won the race and the legitimate reply will be discarded when it arrives. Although the attacker may not win the "race condition" every time, they only need to win once.
Of course, we need a web server and an exact replica of the legitimate website. We can use Apache as our web server and HTTrack to download an exact copy of the website. The closer the proximity of the attacker's web server is to the target, the faster the HTTP reply will arrive at the target.
Although the NSA used this race condition, we could also use Dnsspoof to redirect the target's request to our website, if we are on the local network. The problem with this approach is that a vigilant security admin is likely to see the Dnsspoof packets and the rogue web server on the LAN—but not every security admin is vigilant.
When the bogus webpage arrives, it contains the payload/rootkit that is inserted into the target's system. As we know, there are numerous Adobe Flash vulnerabilities we can take advantage of as well as almost innumerable browser vulnerabilities. We would have to determine which exploit to use based upon our recon/monitoring in Step #1. For instance, if we determine that the target is using a Firefox browser, we would find a Firefox exploit and embed it in the webpage they request.
Step 4: Own the System!
Now that the NSA/attacker has been able to send the malicious webpage to the target, the rootkit is embedded into the target's system and the attacker now own's the target's system!
Thanks to WikiLeaks and Edward Snowden for the diagrams. Sometimes we can learn by observing other hackers successful exploits and the NSA is no different.
Keep coming back, my greenhorn hackers, as we develop the most valuable skill set of the 21st century—hacking!
Just updated your iPhone? You'll find new emoji, enhanced security, podcast transcripts, Apple Cash virtual numbers, and other useful features. There are even new additions hidden within Safari. Find out what's new and changed on your iPhone with the iOS 17.4 update.
6 Comments
Very interesting, just one question though, how does one know when the target tries to contact the server? If it requires the attacker to already be in the LAN I feel like there could be easier ways. I can't see how we could know that the target is trying to access a website without them already being compromised in some way.
Anyways great article, I'm loving these big and high level hacks, moves us away from the nitty gritty. Thanks!
Cheers,
Washu
if im right to say.. this is an ADVANCED MITM attack
I'm not sure I would categorize this as a MiTM. Ina MiTM, we want the target's traffic to pass through our computer. In this hack, we are trying to get malware on the target by sending them a fake webpage of the site that actually requested. There is no traffic of the target traversing our computer.
As far as I understand this is a MOTS (Man-On-The-Side). The difference is that a classic MITM can manipulate all the data from and to a target but a MOTS can only observe and inject packets.
Cheers,
Washu
true OTW, thanks for the clarification
A serie on How To Hack Like The NSA would be fun.
Share Your Thoughts