Dotless IPs

One of the fun facts people don’t generally think about is that an IP address can be represented in several ways. The most recognizable is the “dotted quad”. A dotless address is the same four bytes read as one 32-bit unsigned integer in network (big-endian) byte order, so the first octet is the most significant byte, not little endian as is sometimes assumed. Browsers and most URL parsers accept this integer form, which is why it has been used to slip past filters and security devices that only match the dotted spelling. A dotted address looks like this

We’ve all seen this type of address before. The dotless form looks like this

This topic came up during my night while creating a database to hold a large amount of IP addresses. It’s MUCH easier to convert to this integer format than trying to store the address any other way. At least for me it was, at two in the morning. Anyhow, I needed to create some subroutines for my Perl scripts to convert addresses and thought I’d publish them, seeing as no one else in the immediate Google archive seemed to have done so.
Just as a warning, I took a few shortcuts in this script and it could be a lot cleaner. Again, it’s two thirty in the morning, so cut me a little slack. I’ve included the URL to an online version so anyone attempting to recreate this can check their work online.

# ip conversion tool
# this script is covered under the GPL.
# if you don't know what it is or what that means
# look it up before you use this script

use strict;
use warnings;

print "Enter Address:";
my $address = <STDIN>;
chomp($address);    # drop the trailing newline so the regex and the maths see only the address
print "\n";

# dotted quad -> 32-bit integer in network (big-endian) byte order:
# the first octet is the most significant byte
sub DottedToLong {
    my $DottedAddress = shift;
    my ($short1,$short2,$short3,$short4) = split(/\./, $DottedAddress);

    my $longip = ($short1*(256*256*256)) + ($short2*(256*256)) + ($short3*(256)) + ($short4);
    return $longip;
}

# 32-bit integer -> dotted quad, the inverse of DottedToLong
sub LongToDotted {
    my $LongAddress = shift;
    my ($octet1,$octet2,$octet3,$octet4);
    $octet1 = int($LongAddress / (256*256*256)) % 256;
    $octet2 = int($LongAddress / (256*256)) % 256;
    $octet3 = int($LongAddress / 256) % 256;
    $octet4 = $LongAddress % 256;
    my $DottedIP = "$octet1.$octet2.$octet3.$octet4";
    return $DottedIP;
}

# a dot means dotted-quad input; anything else is treated as the integer form
if ($address =~ /\./) { print DottedToLong($address); }
else                  { print LongToDotted($address); }
print "\n";
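The Perl above only handles the two spellings the post talks about. The filter-bypass angle goes further, because the classic BSD inet_aton() rules (which browsers also follow) accept dotless decimal, hex and octal components, and addresses with fewer than four parts. The following is an added example, not code from the original post, written in Python rather than Perl so it can be checked stand-alone. It does the same dotted-to-long and long-to-dotted conversion, adds a parser for every inet_aton() spelling, and puts a naive string-compare block list next to one that canonicalises first. The block list entries are constructed for the demonstration.

```python
import re

# One component of a classic inet_aton() address: hex (0x1f), octal (017)
# or decimal (17). Anything else (empty, "08", "1a") is rejected.
_PART = re.compile(r'^(0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$')


def dotted_to_long(dotted):
    """Strict dotted quad -> 32-bit integer, the same arithmetic as the
    Perl DottedToLong: a*2**24 + b*2**16 + c*2**8 + d (network byte
    order, first octet most significant)."""
    octets = dotted.split('.')
    if len(octets) != 4 or not all(o.isdigit() for o in octets):
        raise ValueError("not a dotted quad: %r" % dotted)
    a, b, c, d = (int(o) for o in octets)
    if max(a, b, c, d) > 255:
        raise ValueError("octet out of range: %r" % dotted)
    return (a << 24) | (b << 16) | (c << 8) | d


def long_to_dotted(value):
    """32-bit integer -> dotted quad, the inverse of dotted_to_long."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("not a 32-bit value: %r" % value)
    return "%d.%d.%d.%d" % ((value >> 24) & 255, (value >> 16) & 255,
                            (value >> 8) & 255, value & 255)


def _parse_part(text):
    """Parse one component the way the BSD inet_aton() does."""
    if not _PART.match(text):
        raise ValueError("bad address component: %r" % text)
    if text[:2].lower() == '0x':
        return int(text, 16)
    if text[0] == '0' and len(text) > 1:   # leading zero: octal
        return int(text, 8)
    return int(text, 10)


def legacy_inet_aton(text):
    """Every spelling the classic inet_aton() accepts, as a 32-bit integer.
    Forms: a.b.c.d, a.b.c (c fills the low 16 bits), a.b (b fills the low
    24 bits) and a bare integer a (the dotless form filling all 32 bits);
    each part may be decimal, octal (leading 0) or hex (0x)."""
    parts = text.split('.')
    if not 1 <= len(parts) <= 4:
        raise ValueError("too many components: %r" % text)
    nums = [_parse_part(p) for p in parts]
    for n in nums[:-1]:          # all but the last component are single octets
        if n > 0xFF:
            raise ValueError("component out of range: %r" % text)
    last_bits = 8 * (5 - len(parts))   # 8, 16, 24 or 32 bits for the last part
    if nums[-1] >= 1 << last_bits:
        raise ValueError("last component out of range: %r" % text)
    value = 0
    for n in nums[:-1]:
        value = (value << 8) | n
    return (value << last_bits) | nums[-1]


def is_valid(text):
    """True if legacy_inet_aton() accepts the spelling."""
    try:
        legacy_inet_aton(text)
        return True
    except ValueError:
        return False


def canonical(text):
    """Normalise any accepted spelling to the plain dotted quad."""
    return long_to_dotted(legacy_inet_aton(text))


# Constructed block list for the demonstration; not from the original post.
BLOCKLIST = ["10.0.0.1", "127.0.0.1"]


def naive_is_blocked(text, blocklist=BLOCKLIST):
    """The check a dotless address walks past: string compare on raw input."""
    return text in blocklist


def is_blocked(text, blocklist=BLOCKLIST):
    """Hardened check: canonicalise input and list entries before comparing."""
    wanted = {canonical(entry) for entry in blocklist}
    return canonical(text) in wanted


if __name__ == "__main__":
    for spelling in ["10.0.0.1", "167772161", "0xa.1", "012.0.0.1", "10.1"]:
        print("%-12s -> %-10s naive=%-5s canonical=%s" % (
            spelling, canonical(spelling),
            naive_is_blocked(spelling), is_blocked(spelling)))
```

Running it shows the point: 10.0.0.1, 167772161, 0xa.1, 012.0.0.1 and 10.1 are all the same host, but only the first one matches a block list compared as text. Any filter that compares addresses should go through something like canonical() on both sides first, and reject what legacy_inet_aton() rejects rather than guessing.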

Media spins hacker story… again

News agencies such as CNN are reporting that a “super hacker” has been caught and will be extradited to the United States for prosecution. I was intrigued by this story for obvious reasons. The first article that I came across was a local rag called This Is London. The reporter first set off my bullshit detector when I read the following in the story’s opening.
“$1billion of damage by breaking into its most secure computers at the Pentagon and Nasa.”

As dismal as the government’s security policies are, even they were not stupid enough to put all their systems on the Internet. Recently they have even formed their own network for communications to further segregate systems. As I got into the story I realized the alleged hacks took place in 2001-2002. Thinking back to those days, I was reminded that some critical systems may have been online.

This Is London Story

As I tracked the story through more traditional media I found the CNN story. Here we learn that the hacker, Gary McKinnon, “deleted critical system files” and “1300 accounts” from a system. Another blip on the bullshit radar appears. I am not espousing the traditional view that hackers are simply exploring and pursuing intellectual ideals. This is more practical. Any hacker deserving of “super hacker” or “greatest military hacker of all time” would know better than to attract attention to themselves by randomly deleting data. Sounds like a total novice.

CNN Story

It gets better, or worse depending on how you feel about the media spinning a story or an inept hacker breaking into totally inadequately protected systems. At no time did our super hacker decide that he should use any other computer aside from his home system. No proxies, no shell accounts, he broke in “bare back”. Maybe he was just full of bravado and totally ignorant of extradition treaties? Unlikely.

The only counter-spun article comes from ZDNet of all places. Guess the truth has to get buried somewhere. ZDNet notes that a common port scanner was used to find these systems. It is suggested that most had trivial passwords, like “password”. This is believable since the technical sophistication of McKinnon is in serious doubt. He also used RemotelyAnywhere to control these machines. As far as remote trojans go this isn’t the best. Back Orifice would have been an improvement.

ZDNet Story

The actual indictment is online. One word of warning before you read this: don’t look into the black boxes. As noted in some other blogs, and confirmed by me, they simply avoid printing out the IP addresses. They don’t in any way seem to protect the data if you should select the text and paste it into your text editor. The warning is in case you plan on running scans yourself to check out all the computers intruded upon.

Given that these systems were horribly configured and likely had trivial passwords, another question comes to mind. How likely is it that not *all* the actions which are in the indictment were the result of McKinnon? In particular the deletion of system accounts and files. Maybe some of the other inhabitants were having a private war on the server. If the machines were this open then more than one person found them. If more than one person found them, a lot of back doors were likely installed. It just seems like McKinnon was the only one sloppy enough to get caught.

[editors note: DoD and .mil networks have come a LONG way since 2002. I doubt very much that the type of slipshod administration noted in these articles is still going on.]