From the monthly archives:

September 2006

The Tale of the Disgruntled Employee - Part 13 - Conclusion

by patrick.ogenstad on September 25, 2006

Two weeks later a server from Exibice connected to a box under n3m0’s control. Show time, I wonder if Mark can say ‘Schema Admin’.

At Beateval

“Hello, this is Thomas how may I help you?”
“Hi, my computer just went all blue. I tried turning off the power but now it doesn’t start.”
“Did you change anything on your computer?”
“No, and my colleagues have the same problem.”
“Huh,” suddenly Thomas saw the counter for incoming calls rising drastically.

Someone shouted behind him. When he looked back at his computer screen, he saw that the virtual machine he had connected to the Exibice network had crashed. The host machine on the Beateval network was running fine.

At Exibice

“What is happening?” Mark roared.
“We don’t know,” Keith whispered.
“What do you mean don’t know, what have you done?”
“It was just patch Tuesday, one of the updates might have been flawed.” Ben said, his voice not much louder than Keith’s.
“Then remove the damn flaw!”
After a moment’s silence Keith worked up the courage to answer, “We can’t.”
Mark just stared at him, Ben jumped in.
“We can’t get into the servers, our passwords don’t work. Something must be wrong with the AD.”
“The local server passwords don’t work either.”
“Oh, how delightful,” Mark said sarcastically. At least I won’t have to spend a fortune on Christmas bonuses. “Didn’t you write the passwords down somewhere?”
“Yes, but we think someone might have… changed them.” Keith said nervously.
“Thank god it’s Friday then, now you know what to do during the weekend. Let me know when this is fixed, I don’t care what time you call.” Mark walked away.

Ben and Keith exchanged a glance, neither of them looked confident.

Mark called them both several times during the weekend, not once did they have any good news to share with him. When Monday came the network was still a mess, and nobody could work.

Two weeks later the network had been redesigned from scratch. The board of directors wasn’t impressed. Shortly thereafter Mark was sacked and a new CTO was hired along with a separate CIO.

Please note this is a purely fictional story, any names found here are made up. I’ve written this because I like writing, if someone reads it and enjoys it: great. If they get more conscious about security, that’s a bonus. If you have feedback or comments on the story please share them.


The Tale of the Disgruntled Employee - Part 12

by patrick.ogenstad on September 19, 2006

Hours later when n3m0 left the server room, he felt like a plague bearer. Almost everything in the server room had been infested; the sysadmins would still believe they were in control. They needed to be secure in that belief for the time being. n3m0 didn’t want anything to happen while he still worked there. After leaving his employment, n3m0 would be glad to enlighten the network guys and show them who was in control.

He had copied several gigabytes of corporate information, along with the customer database, to Peter’s desktop. Now all he had to do was to transfer it to his external USB drive. It was far too late, or early, to go home. Even if he had the time he would have to use his access card to leave the building and that kind of log entry was unacceptable. Fortunately n3m0 had brought extra clothes in his rucksack, so he changed into “tomorrow’s” clothes. Can’t do much about the smell though, n3m0 thought as he unplugged the USB drive and shut down the computer. Again he headed for the storage room and settled in to sleep.

An hour and forty minutes later he woke up as he heard people talking outside the room. He gathered his things, when the conversation died out he headed for a toilet. His mirror reflection told him he had made a good call going there first, his hair was pointing everywhere. I could star in a zombie movie!

He tried to fix his hair as best he could and headed for his workstation. n3m0 spent the day trying not to fall asleep, he would hand Jennifer his resignation tomorrow. Not having a clue what Exibice offered in terms of employee exit policy he didn’t want to risk being escorted out by security guards, at least not when he had the USB drive in his rucksack.

The second reason he wanted to stay was that he wanted to see if anyone had noticed his nocturnal activities. During lunch n3m0 saw several of the network staff who were smiling and chatting away. They don’t have a clue.

n3m0 crashed in his bed when he came home and slept until morning. He woke up starving, he didn’t have any kind of food at home. As he was going to quit his job today he didn’t feel a pressing need to show up in time. He stopped by McDonalds on the way.

“Good luck in the future, clear your desk and leave.” n3m0 hadn’t expected tears from Jennifer, but perhaps more than ten words.


New URL to the Feed

by patrick.ogenstad on September 15, 2006

Yesterday I updated the address to the RSS Feed, the new address is http://feeds.ogenstad.net/Ogenstad. If you don’t know what a Feed is read about it on this page. If you want to stay up to date with the site but don’t want to use the RSS Feeds you also have the option to subscribe by email.

The old feeds will continue to work but that might change in the future so please point your RSS readers to the new url.

The Tale of the Disgruntled Employee is coming to an end. The next story will be about midfr0st. If you have any thoughts or feedback regarding the stories or site in general please share them, either as comments or you can contact me.

If you haven’t read all the stories (I’m saying all here since it sounds more than five :)) you can find them in the story section. I will add all the links for the Disgruntled Employee as soon as the story is finished. Hopefully this list will grow large.


The Tale of the Disgruntled Employee - Part 11

by patrick.ogenstad on September 13, 2006

n3m0 inserted the power cord again and started the machine. He placed his CD in the tray and made sure the server booted from it. The boot process seemed to take forever. He jumped when a tape robot came alive behind him and started rotating tapes.

“Damn”, n3m0 screamed. If he was lucky, and the sysadmins sloppy, they might not notice that the server had “crashed” during the night, but if the backup failed someone would check it out. I have to get the server back up again.

Finally the system was done loading, he configured the network, opened up a command prompt and typed:

c:
cd temp
md temp
cd temp
copy c:\windows\system32\cmd.exe

He opened the Opera browser and downloaded srvany.exe which he placed in the C:\temp directory. n3m0 grabbed another tool and double clicked on the application, RegistryEditorPe. When the registry loaded, he browsed to the HKLM\_REMOTE_SYSTEM\ControlSet001\Services key. He added a new key and called it revenge. Under his revenge service he filled in Type, Start, ErrorControl, ObjectName, ImagePath. This will be perfect, n3m0 was humming to himself as he added a new key; Parameters.

Under it he created two entries Application with the value ‘C:\temp\cmd.exe’ and AppParameters with the value ‘/k dsadd user “cn=root,cn=users,dc=exibice,dc=com” -samid root -pwd Password13 -memberof “cn=Domain Admins,cn=users,dc=exibice,dc=com”‘

n3m0 closed the registry editor and clicked start, shutdown options, reboot (eject CDs). Again the boot process took an eternity. He wished he had a blue pill to feed the server. When Windows was done booting, n3m0 issued the three finger salute, and entered root and password Password13. The instant he hit enter he was presented with a message box.

Logon Message
The system could not log you on. Make sure your User name and domain are correct, then type your password again. Letters in passwords must be typed using the correct case.

n3m0 just stared at the message box, this is not happening. He knew he had typed it in right, but tried again anyway. The same message was returned.

Something inside n3m0 clicked and he started swearing and shouting at the server. After a few minutes he calmed down, he was sitting on the switch again talking to the server.

“You know, I wish someone would develop artificial intelligence. That way you’d understand how much I hate you.”

In his imagination the server answered him. “I might be slow, but you’re not the sharpest tool in the box either.”

Slow, of course, n3m0 pulled the power cord and booted from the CD again. He added a parameter to his revenge service; DependOnService with the value; dns netlogon.

After another long reboot n3m0 logged in as root, the newly created domain administrator on the Exibice network.

0wned!


The Tale of the Disgruntled Employee - Part 10

by patrick.ogenstad on September 6, 2006

The humming servers seemed to sing to n3m0. He walked around the server room watching all the different LEDs. This is what my apartment should look like, n3m0 smiled as he grabbed the CD from his backpack. He was whistling as he began to spin the disc on his index finger, the label read ubcd4win.

On the previous occasion he had had a quick peek inside the server room, this time he walked around and really absorbed his surroundings. He found himself yawning and feeling a bit cold, he only had his t-shirt and the cooling system was a bit too effective for his liking.

n3m0 saw a lot of equipment that he wanted for himself. Thoughts of his own economy were returning to him, if he didn’t take the “job” at Beateval he would be broke. I’m already broke. n3m0 took a seat on a disconnected switch.

I’m not working for Jennifer, he just sat on the switch and stared at one of the racks. n3m0 missed the adrenaline rush he usually felt when breaking into systems. He started seeing images of his landlord kicking him out and he was still pissed at orion’s inability to get him some sort of job. The taste of the coffee felt sour in his mouth.

The spinning sound of a bad fan woke n3m0 up an hour later, he had fallen asleep sitting on the switch. With a severe pain in his neck, he turned his head to see that his pillow had been a server. It had a sticker which read “Exibice Forest Root 2 - EXDC02″.

He inhaled sharply and felt his heart beating faster. Just watching the sticker made him feel the same way he had when Jennifer made eye contact with him that first time. He laid his hand on the server.

“We are going to have a good time.”

While dreaming, n3m0 had seen himself as a powerful man with thousands obeying his will; his worries about his financial situation had vanished.

He felt a moment of panic when he realized the CD had disappeared; n3m0 wiped off some drool on his sleeve and stood up. He saw the CD under the switch, picked it up and carefully wiped away the dust.

He felt the rush coming and sweeping him up, he wondered if Thomas would get any blame for what he was about to do. n3m0 found the thought very amusing. Thomas’ idea of living wild went as far as solving sudoku with a non erasable pen.

“Don’t worry dear, this won’t hurt a bit,” he told the server as he pulled out the power cord.


Network Documentation for the Dutch and Portuguese

by patrick.ogenstad on September 6, 2006

I’ve just received two more translation files for SYDI-Server 2.0, or more specifically for the script ss-xml2word.vbs which converts an XML file from sydi-server into a Microsoft Word document. It also uses a language file which contains a lot of the text that is written to the final Word document.

To use these files you run:

cscript.exe ss-xml2word.vbs -xServer1.xml -llang_dutch.xml -sServer1_docs.xml

I’ve gotten quite a few emails from people who aren’t able to get the script working correctly. In those cases this has been due to path issues. Instead of the expected result you’d only get a small doc file without any relevant information. In the above example it is assumed that all the files (ss-xml2word.vbs, server1.xml, lang_dutch.xml and Server1_docs.xml) are all located in the same directory. If your files are in different locations you have to include the path to the files.

I will try to use a more user friendly error in the next version of ss-xml2word.vbs.

The file I specified in the -s parameter is optional. This is a file you create, there are examples in the example directory. In the file you can specify information such as physical location of the server, service contract, and contact information for the administrator. Basically it’s in that file you are supposed to write the documentation about the server, this way you can keep the written documentation separate from the WMI information sydi-server has gathered.

At the moment I’ve just added the files as patches, the Dutch file can be downloaded from here and the Portuguese file from here! I’ve also added all the translation files I’ve received so far to the download section on the SYDI site.

I would like to thank Kilian Wester for sending the Dutch file and Luis Barreto for the Portuguese version!
