Full Disclosure mailing list archives
Re: Breaking Computrace LoJack Part II
From: Lmwangi <labeneator () gmail com>
Date: Sat, 7 Jan 2006 20:56:21 +0300
Maybe, just maybe. There's a parallel universe with you and a mirror of your laptop. Of course in the other universe, some things would be different, such as the DoD IP address block.

On 1/7/06, obnoxious () hush com <obnoxious () hush com> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Breaking Computrace's LoJack Part II

After my first hurried document, I figured I'd offer some follow-up information. An employee from Absolute.com contacted my employer rambling on about me being misinformed on their product. The employee from Absolute was more than likely a salesman, as he couldn't answer technical questions, so I requested that he send me information about my laptop since he was "concerned" that it had not "phoned home". But yet he was stating it had "phoned home" and Absolute was still able to track my machine. One thing this person stated was that "my machine was still calling in, but not updating their database with information on the state of my machine to their front end, but the back end was still working". Meaning, although my machine was not phoning home, it was phoning home.

After a quick chuckle I again iterated that if this were the case - that my machine was still contacting his company - he should be able to provide me with the information my machine was supposedly sending. After I received his response I sent off a detailed e-mail calling his bluff. According to the staff at Absolute.com, my machine had called in yesterday (January 06th 2006) morning at 9:45am. They even provided me with an IP address. I was shocked and ready to throw in the towel at that point, but decided to respond right back to them.

Firstly, on January 06th 2005, my machine was powered down. Secondly, it was not physically plugged into any network. Thirdly, Troppix was running on the machine and the CD was still in its drive. Now I wondered what a marvelous feat it would be for 1) Absolute to create a kinetic based program to power up my machine at will. Such a great feat would bring them millions in revenue from people seeking to conserve money on power. I then thought even neater of them to have the ability to connect my machine to a network without my knowledge. Zeroconf (www.zeroconf.org) must have sped up production and given rights to Absolute or something. Almost lastly would be the fact that they've ported over Windows executables and DLLs over to Linux.

If that wasn't enough of a slap in the face, Absolute graciously provided me with what they labeled an IP address. The address they gave me was 485819880. So I wondered? 1CFC05E8? 00011100111101010000010111101000? What kind of crap are they giving me? If that's a decimal IP that would place me at 28.245.5.232. That would mean that my machine was "phoning home" from a "Department of Defense" network, which would probably make me a terrorist. Now I informed Absolute that I have a static address at home; this I could verify with my company's syslog server as well as 4 other (non-company) servers which could provide them with my IP address if they wanted it for verification purposes. Surely a provider wouldn't pull Absolute's chain and give them false information, so any claims by Absolute of me "fabricating my IP address" would be an insult.

[root@imposter security]# echo 485819880 | trans.pl
[root@imposter security]# 28.245.5.232
[root@imposter security]# whois -h whois.arin.net 28.245.5.232
[Querying whois.arin.net]
[whois.arin.net]
OrgName:    DoD Network Information Center
OrgID:      DNIC
Address:    3990 E. Broad Street
City:       Columbus
StateProv:  OH
PostalCode: 43218
Country:    US

NetRange:   28.0.0.0 - 28.255.255.255
CIDR:       28.0.0.0/8
NetName:    DSI-NORTH2
NetHandle:  NET-28-0-0-0-1
Parent:
NetType:    Direct Allocation
Comment:    ARPA DSI JPO
Comment:    7790 Science Applicationis Crt.,
Comment:    Vienna, VA 22183 US
RegDate:    1996-03-11
Updated:    2000-04-13

So now as it stands, Absolute has a kinetic, Zeroconf, password cracking, interchangeable (Windows executable to Linux binary) product capable of finding anyone anywhere on the planet. For those wondering about the password cracking part, how else could it have booted up Troppix and logged in - in order to send out information.
To be fair I decided to boot into Windows XP, turn on my firewall and watch whatever tries to connect to - where and why. Sure enough Internet Explorer was trying to send out information to a site that just so happened to be owned by Absolute. Packet data anyone?

Protocol       : TCP
Local Address  : 10.10.10.10
Local Port     : 1596
Remote Name    : search.namequery.com
Remote Address : 209.53.113.223
Remote Port    : 80 (HTTP - World Wide Web)

Ethernet packet details:
Ethernet II (Packet Length: 76)
  Destination: 00-09-5b-6d-a0-9c
  Source: 00-12-f0-44-4e-4b
  Type: IP (0x0800)
Internet Protocol
  Version: 4
  Header Length: 20 bytes
  Flags:
    .1.. = Don't fragment: Set
    ..0. = More fragments: Not set
  Fragment offset: 0
  Time to live: 128
  Protocol: 0x6 (TCP - Transmission Control Protocol)
  Header checksum: 0xa878 (Correct)
  Source: 10.10.10.10
  Destination: 209.53.113.223
Transmission Control Protocol (TCP)
  Source port: 1596
  Destination port: 80
  Sequence number: 3493489526
  Acknowledgment number: 0
  Header length: 28
  Flags:
    0... .... = Congestion Window Reduce (CWR): Not set
    .0.. .... = ECN-Echo: Not set
    ..0. .... = Urgent: Not set
    ...0 .... = Acknowledgment: Not set
    .... 0... = Push: Not set
    .... .0.. = Reset: Not set
    .... ..1. = Syn: Set
    .... ...0 = Fin: Not set
  Checksum: 0x1dfd (Correct)
  Data (0 Bytes)

Binary dump of the packet:
0000: 00 09 5B 6D A0 9C 00 12 : F0 44 4E 4B 08 00 45 00 | ...[m.....DNK..E.
0010: 00 30 7E 5B 40 00 80 06 : 78 A8 C0 A8 00 07 D1 35 | ..0~[@...x......5
0020: 71 DF 06 3C 00 50 D0 3A : 6B 76 00 00 00 00 70 02 | q..<.P.:kv....p.
0030: 40 00 FD 1D 00 00 02 04 : 05 B4 01 01 04 02 6E 61 | @.............na
0040: 6D 65 71 75 65 72 79 03 : 63 6F 6D 00 | mequery.com.

So what was the best thing to do? Block it via my firewall or play with my hosts file (the hosts file takes the address first, then the name, and the path needs quoting because it contains a space):

echo 127.0.0.1 search.namequery.com >> "C:\PATH\TO MY\HOSTS"
...
Maybe I could have played with Absolute using Scapy (http://www.secdev.org/projects/scapy/):

<Ether dst=00:09:5b:6d:a0:9c src=00:00:00:31:33:17 type=0x800 |<IP version=4L ihl=5L tos=0x6 len=67 id=1 flags= frag=0L ttl=255 proto=TCP chksum=0xa878 src=3.1.33.7 dst=209.53.113.223 options='' |<TCP sport=1337 dport=80 seq=0L ack=0L dataofs=5L reserved=0L flags=S window=8192 chksum=0xbb39 urgptr=0 options=[] |<Raw load='POST /1DJ1TS' |>>>>

Perhaps change IP addressing every 5 minutes on a script, call them and ask them "Can you hear me now..." ... "Can you hear me now..." Anywho(w)...

Now I'd really like to know what Absolute has to say about 1) their miraculous methods of finding my machine even when it is booted into Windows with me redirecting via my hosts file. I'd also like to know why, if they were so concerned - as this salesperson's call alluded to - he didn't mention the 3-4 other laptops in my stable that haven't "phoned home". Anyhow, the jury is out on this... Absolute has yet to respond (once again). So for those from Absolute reading this (you've done so before... obviously, in order to contact me at work) let it be known, prior to the original writing being posted, and prior to this one being sent, your company was notified.

J. Oquendo
obnoxious||hush.com

"Please no tears no sympathy" -- VNV Nation Epicentre

echo "\$|[\$_-{_,s:.(.).+.(.):print+(\$1..\$2)[15,22,13,4,3]:e}]"|perl

-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.4

wkYEARECAAYFAkO//YwACgkQo8cxM8/cskrizgCeOx/r0Q5X+e2sJ375wMnk1qb+ShYA
nRqFBg14AaunNHf3wVeRLTNjPxd/
=xTxH
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
--
Article: - And an unknown college dropout named Bill Gates, together with his partner Paul Allen, wrote a version of the programming language BASIC for the Altair, forming a company called Micro-Soft in the process. He would later drop the hyphen and the capital S, and make billions of dollars.
Comment: +++ Dammit Slashdot! If you would just drop the capital S, you could be making billions of dollars too! +++++
http://slashdot.org/comments.pl?sid=171335&cid=14270286
+++++++ www.opensource.or.ke
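The two checks a reader of this thread would want to repeat are the ones the quoted post does by hand: turning the vendor's decimal "485819880" into a dotted quad, and reading the captured SYN to see where it really went. The script below is an added example and is not code from either poster or from Absolute; it does both offline. The hex dump from the post is pasted in verbatim as the sample input, and in addition to the post's own reading it parses the Ethernet, IPv4 and TCP headers, recomputes the IP and TCP checksums (RFC 1071 one's complement, with the TCP pseudo-header) and decodes the TCP options. The function names are my own.

```python
import socket
import struct
from typing import Dict, List

# Sample input: the "Binary dump of the packet" lines exactly as printed in the
# quoted post (offset, 16 hex bytes with a ':' mid-separator, ASCII after '|').
HEX_DUMP = """
0000: 00 09 5B 6D A0 9C 00 12 : F0 44 4E 4B 08 00 45 00 | ...[m.....DNK..E.
0010: 00 30 7E 5B 40 00 80 06 : 78 A8 C0 A8 00 07 D1 35 | ..0~[@...x......5
0020: 71 DF 06 3C 00 50 D0 3A : 6B 76 00 00 00 00 70 02 | q..<.P.:kv....p.
0030: 40 00 FD 1D 00 00 02 04 : 05 B4 01 01 04 02 6E 61 | @.............na
0040: 6D 65 71 75 65 72 79 03 : 63 6F 6D 00 | mequery.com.
"""

def decimal_to_dotted(n: int) -> str:
    """Render a 32-bit integer as dotted-quad IPv4 (what the post's trans.pl did)."""
    if not 0 <= n <= 0xFFFFFFFF:
        raise ValueError("not a 32-bit value: %r" % n)
    return socket.inet_ntoa(struct.pack("!I", n))

def dotted_to_decimal(addr: str) -> int:
    """Inverse of decimal_to_dotted, for cross-checking a vendor-supplied number."""
    return struct.unpack("!I", socket.inet_aton(addr))[0]

def parse_hex_dump(dump: str) -> bytes:
    """Recover the raw frame from 'offset: xx .. : xx .. | ascii' lines."""
    out = bytearray()
    for line in dump.strip().splitlines():
        body = line.split("|", 1)[0]        # drop the ASCII column
        body = body.split(":", 1)[1]        # drop the offset prefix
        out.extend(int(tok, 16) for tok in body.replace(":", " ").split())
    return bytes(out)

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071: add the 16-bit words, fold carries back into the low 16 bits."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def checksum_ok(data: bytes) -> bool:
    """A header whose checksum field is correct sums (field included) to 0xFFFF."""
    return ones_complement_sum(data) == 0xFFFF

def parse_tcp_options(opts: bytes) -> List[str]:
    """Decode the option kinds usually seen in a SYN (MSS, NOP, SACK-permitted)."""
    names, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                       # end of option list
            break
        if kind == 1:                       # NOP carries no length byte
            names.append("NOP")
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break                           # malformed length: stop, don't loop
        length = opts[i + 1]
        data = opts[i + 2:i + length]
        if kind == 2 and len(data) == 2:
            names.append("MSS=%d" % struct.unpack("!H", data)[0])
        elif kind == 4:
            names.append("SACK-permitted")
        else:
            names.append("kind=%d" % kind)
        i += length
    return names

def decode_frame(frame: bytes) -> Dict[str, object]:
    """Walk Ethernet II -> IPv4 -> TCP and verify both header checksums."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    if proto != 6:
        raise ValueError("not TCP")
    ip_hdr, tcp = ip[:ihl], ip[ihl:total_len]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    tcp_hdr_len = (off_flags >> 12) * 4
    # The TCP checksum also covers a pseudo-header: addresses, zero, proto, TCP length.
    pseudo = ip[12:20] + struct.pack("!BBH", 0, proto, len(tcp))
    return {
        "src": socket.inet_ntoa(ip[12:16]),
        "dst": socket.inet_ntoa(ip[16:20]),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "syn": bool(off_flags & 0x002), "ack_flag": bool(off_flags & 0x010),
        "ip_checksum": struct.unpack("!H", ip_hdr[10:12])[0],
        "ip_checksum_ok": checksum_ok(ip_hdr),
        "tcp_checksum": struct.unpack("!H", tcp[16:18])[0],
        "tcp_checksum_ok": checksum_ok(pseudo + tcp),
        "tcp_options": parse_tcp_options(tcp[20:tcp_hdr_len]),
        "trailer": ip[total_len:],          # bytes past the IP total length
    }

if __name__ == "__main__":
    print(decimal_to_dotted(485819880))
    for key, value in decode_frame(parse_hex_dump(HEX_DUMP)).items():
        print("%-16s %r" % (key, value))
```

Run as-is, decimal_to_dotted(485819880) gives 28.245.5.232, agreeing with the post's trans.pl output. Decoding the dump shows why a raw capture is worth more than the tool's summary: both checksums verify, and the bytes in the dump are 0x78A8 and 0xFD1D in network order, which the capture tool printed byte-swapped as 0xa878 and 0x1dfd; the IP source bytes C0 A8 00 07 decode to 192.168.0.7 rather than the 10.10.10.10 in the summary, and the TCP checksum only validates with that address, so it is what the packet actually carried; the destination is 209.53.113.223:80 as stated, with SYN set, MSS 1460 and SACK-permitted; and the 14 bytes after the IP total length decode to "namequery\x03com\x00", a fragment in DNS label form left in the capture buffer beyond the packet proper.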