Mark Loveless, aka Simple Nomad, is a researcher and hacker. He frequently speaks at security conferences around the globe, gets quoted in the press, and has a somewhat odd perspective on security in general.

Tales from the Past: Not Getting Caught Part Three

Hacker doing hacking. Via dreamlike.art.

I have often been asked by friends or colleagues to look at their systems from a network perspective for flaws. This was way more common a decade or so ago, as doing things like scanning and interpreting the results was more of an art, particularly when you were trying to determine what was sitting behind a firewall. In this “everything in the cloud” world with a nice (supposedly) zero trust front end on it, this still applies, although not nearly as much. But back when on-prem and DMZs and firewalls were all the rage and in abundance, this had some unique challenges.

I was not unique in my skill set, but I’d done presentations on it at security conferences in the past, so often I’d get asked. And it was always a fun exercise. But one time it was particularly entertaining, at least to me, when I was asked to look at a specific business’ infrastructure from the outside for a friend who’d just started work there. You see, I’d been there before.

Recognition

You tend to remember certain places where you’ve “frequented”. When my friend gave me the domain name, it seemed familiar, but I could not place it. Then I did a lookup of the MX record, saw the IP address, and it all came rushing back. I knew all about this site, I had used one of the internal print servers as a storage locker during my more hardcore hacking days.

Back then it was not uncommon for a business to be assigned a series of class C networks (/24s), or even a couple of class Bs (/16s) if they were big enough. Yes, there were businesses that were not using the RFC 1918 private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) for internal addressing - early adopters of Internet-accessible networks that were large enough could apply for and receive something like an entire class B. And often those early adopters had a lot of internal infrastructure that was older and unpatched. Common targets for attackers such as myself. This particular business had a registered class B and had the entirety of the company’s computers assigned public IP addresses, which meant every workstation, server, and print server was a routable target, with nothing but the firewall’s rules (and the firewall’s configuration) between it and the Internet.
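To make the addressing point concrete, here is an added example (not code from the original post) that separates RFC 1918 hosts from publicly routable ones in a small, constructed asset inventory, and shows how much of a registered /16 is directly reachable. The company block 198.18.0.0/16 and the hostnames are stand-ins invented for the example; 198.18.0.0/15 is the RFC 2544 benchmarking range, used here only so the sample does not point at anyone’s real network.

```python
import ipaddress

# RFC 1918 private ranges. Hosts in these blocks are not routable on the
# public Internet and need NAT or a proxy to be reached from outside.
RFC1918_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed inventory: hostname -> IP. The "class B" 198.18.0.0/16 is a
# hypothetical registered block standing in for the company's real one.
COMPANY_BLOCK = "198.18.0.0/16"
INVENTORY = {
    "mail": "198.18.0.25",      # DMZ mail server
    "www": "198.18.0.80",       # DMZ web server
    "db1": "198.18.3.5",        # internal database server, still public IP
    "prnsrv1": "198.18.7.10",   # internal print server, still public IP
    "prnsrv2": "198.18.7.11",
    "lab-nat": "10.10.0.4",     # one RFC 1918 host for contrast
    "partner": "203.0.113.9",   # public, but not in the company's block
}


def is_rfc1918(addr: str) -> bool:
    """True if addr falls inside one of the three RFC 1918 blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918_NETS)


def externally_addressable(inventory: dict, company_block: str) -> dict:
    """Return the hosts whose addresses are public and inside the company block.

    Every host returned here is a direct target from the Internet: with no
    NAT in the way, only the firewall's rule set decides whether a packet
    from outside reaches it.
    """
    block = ipaddress.ip_network(company_block)
    exposed = {}
    for host, addr in inventory.items():
        ip = ipaddress.ip_address(addr)
        if not is_rfc1918(addr) and ip in block:
            exposed[host] = addr
    return exposed


def routable_host_count(block: str) -> int:
    """Usable host addresses in a block (network and broadcast excluded)."""
    net = ipaddress.ip_network(block)
    return net.num_addresses - 2


if __name__ == "__main__":
    print(f"{COMPANY_BLOCK}: {routable_host_count(COMPANY_BLOCK)} routable hosts")
    for host, addr in externally_addressable(INVENTORY, COMPANY_BLOCK).items():
        print(f"exposed: {host:<8} {addr}")
```

Note that `172.32.0.1` is not private even though it looks like a neighbour of the 172.16/12 block; checking membership against explicit networks, rather than eyeballing the first octet, avoids that mistake when triaging a scan.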

My Report

I contacted my friend the next day, and started laying things out. Misconfigured firewall. Misconfigured web, mail, and FTP servers in the DMZ. Database servers needing patching. Several print servers should be retired, as a couple of them were being used at nowhere near their capacity (one of them had been my storage locker, but I didn’t mention this). I knew the operating systems of most of their systems including workstations, how internal routers were configured, and the fact they had a USENET indexer node up and running in their IT department that was connected to the Internet and was filled with plenty of content - including porn and other NSFW material.

“You discovered all of this in a day?”

I told him something along the lines of hinting I might have “looked at it” before, but since he was just starting in Infosec, I mentioned he could use this information to show his bosses he knew what he was talking about. However, I did mention that if he was asked how he had figured all this out, they might want proof or confirmation, but he said it was a great learning opportunity for him to get better on the networking side of things. So we left it as an exercise for him to “discover” what I had told him. I also pointed out this information was probably not current anyway, so he needed to check just to get it up to date. I did recommend configuration settings to immediately correct the more obvious problems. Don’t get me wrong, he was absolutely no slouch when it came to computers and IT in general; he just felt he lacked experience in the networking space us hackers had to exist in to explore the Internet.

My Footprint

I later asked specifically about one of the print servers, my personal storage locker. Apparently it was fairly locked down (by me) compared to the other systems, although it was still a bit past its prime (it was SCO Unix in the 90s when I was there, and the friend asked about this in the ‘00s), and they were migrating the functions over to a new system. He asked if I was ever in that SCO system in my past, to which I replied “I can neither confirm nor deny” and got a good laugh out of him. He did mention that, since I had specifically called out print servers, he had examined them thoroughly, and that there was absolutely no sign of me ever having been on that system.

Conclusion

Back in the day a more careful hacker would try to avoid doing anything that could be detected, and would close obvious holes to prevent some noisy attacker from coming in and ruining everything. When one was leaving a system, it was considered good OPSEC to clean up after yourself - remove all of your files, ensure it is patched up, and basically try to leave it in a better state than when you broke in. That helped keep you from getting caught. And that is the point of today’s lesson.
