Monday 05:45. The world around him was still asleep, the only sound violating the silence was the occasional bird outside. midfr0st was unaware of this, just as he was unaware of his mp3 playlist coming to an end three hours ago. His eyes had been fixed on his computer screen for the last sixteen hours. His mind had trouble remembering why. The screen was all black except for a line of text in the upper left corner: “follow the white rabbit.”
I’m going nowhere with this, he thought as he erased the text he’d written well over an hour go. Instead midfr0st brought up the network diagram he had been creating. It wasn’t for his own network, rather a network his present client wanted to 0wn.
midfr0st had some history of doing an honest living but had found the illegal path to be more rewarding when it came to making doubloons. Besides I like being my own boss.
At the moment midfr0st was working on a job concerning communication or rather email. His current client, Dae, was so eager to read the emails from Gantern Construction that midfr0st had been paid in advance. This usually wasn’t the way midfr0st worked but his confidence had grown a lot lately and he was positive he could pull it off. After his last contact with Dae he was beginning to regret his early payment.
Dae: How’s our little expedition going?
midfr0st: It’s moving along
Dae: Where is it moving?
midfr0st: I’m still working on it
Dae: I would hope so, when can you have the package delivered?
midfr0st: I don’t know, soon enough. These things take time.
Dae: You sounded a bit cockier when we paid you.
midfr0st: I haven’t spent the money, you can have it back if you want to.
Dae: The money is not important, my faith in you is. You do not want me to loose that faith.
midfr0st wasn’t overly concerned about Dae’s threats. Dae didn’t seem to know too much about Internet security and midfr0st did his best not to leave a trace back to him. Instead midfr0st traced the IP Dae had used in the irc session. He found that the IP belonged to a company called Wiamra Group, which according to their website was into construction. The way Dae could get to midfr0st was through M3m3th who had introduced them. M3m3th was a friend, but you never knew. midfr0st was pretty sure M3m3th wouldn’t be able to track him.
06:31, the dog started to bark. For some time midfr0st had been positive that his neighbors had that freaking dog running on ntp, every morning at 06:31 it started. The walls in his apartment seemed to have been optimized to let sound pass through them unhindered. Once when it was really getting on his nerves he began feeding the times into rrdtool to get some viewable graphs. After two weeks of manually running the update script he got fed up with the manual labor and considered setting up a microphone to record the barking automatically and then feed it to the update script. In the end he decided against it and figured he had better things to do with his time. Besides, during my testing the dog had been off 25 seconds one day and even if it was on ntp it had to be a very poor implementation.
midfr0st realized the music was silent and let a fresh load of mp3s drown the sound of the dog, it was time to get back to the task at hand. He had a lot of nmap scans, information from the Gantern Construction website, he had hacked an ftp site on their DMZ but that hadn’t been of further value. There were quite a few doors into the company but midfr0st hadn’t been able to squeeze through. All the log files and notes had stopped making sense a long time ago.
At 07:05 something finally caught his eye, mail.gantern.com had port 25 open which would be common enough. However the mx records for the domain pointed elsewhere
MX = 10, mail exchanger = gantern.com.in10.antispamprovider.com
MX = 20, mail exchanger = gantern.com.in20.antispamprovider.com
MX = 30, mail exchanger = gantern.com.in30.antispamprovider.com
MX = 40, mail exchanger = gantern.com.in40.antispamprovider.com
Why didn’t I see this earlier? midfr0st began searching through his notes and after a few minutes he verified that mail.gantern.com was in fact accepting mails from the world. I hope this will work and that it’ll be enough. midfr0st checked the time 07:13, it was too early to begin.