Opening the Backdoor


We recently deployed HAC-1 for a multi-campus organization and came across something interesting. In this day and age, everyone is hyper-vigilant about cybersecurity, the latest attacks, and zero-day vulnerabilities. They are both exciting and frightening for anyone involved in information technology. Yet, for all their shine, coming across something far more traditional can still raise eyebrows.

As a networking professional, I am interested in architectures, so it is always a joy to interact with different networks. In this particular case, the former network manager at this organization had left sometime within the last few months, and the organization had yet to find a suitable replacement. As such, we worked with their IT staff to install the netpollers which would scan their various networks and provide visibility.

We immediately came across a Raspberry Pi connected to a switch on another campus, thousands of miles away.

This was a cause for concern, because the IT staff was unaware of this device or its purpose. As such, they had someone on the respective campus go down to the network room in question and take a photograph.


And this is where things became interesting. The Raspberry Pi was connected to a USRobotics modem, which was connected to a phone line. In addition, the Pi was connected to a USB RS-232 serial adapter, which was plugged into the console port of the network switch. A backdoor into the network had been discovered.

To understand what had transpired, we did a search after deploying the HAC-1 Agent onto all of the IT office computers. On one particular Linux machine, we found another modem.

This computer, of course, had been used by the former network manager, and no one had touched it since their departure. Given my curious nature, I asked if anyone could log into the system. The network manager had documented many things, although unfortunately not this backdoor, and had left credentials for the machine. A young helpdesk technician was able to log in using the credentials, as other technicians watched.

Finding nothing notable in the applications, one of the other technicians mentioned that the former network manager had used terminals a lot. Scrolling through the applications again, we came across Terminator, and the delighted helpdesk tech eagerly launched the application and then sat stumped at the prompt. I told him to try minicom, and the program opened as soon as the tech pressed ENTER. After a couple of attempts at getting the CTRL-A then Z combination right, the menu appeared, and I asked the tech to press “D.” A single number appeared in the dialing directory.
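The story above turned on two artifacts that were sitting on a Linux desktop the whole time: a USB modem bound to a serial port, and a minicom dialing directory with a single number in it. The following script is an added example, not HAC-1 tooling or anything from the organization described here. It inventories the serial devices a Linux host exposes through sysfs, classifies each by the kernel driver bound to it, and reports the minicom configuration files (the per-user dialing directory `~/.dialdir`, the defaults in `~/.minirc.dfl` and `/etc/minicom/minirc.dfl`) so that a forgotten dial-out path shows up in a routine host review rather than by accident. The driver-to-category grouping and the sample tty list are this example's own assumptions.

```python
"""Inventory serial devices and minicom dial-out configuration on a Linux host.

Added example, not the page author's or the HAC-1 vendor's code. It assumes a
Linux host with sysfs mounted at /sys; the classification logic itself runs
on constructed sample data so it can be exercised anywhere.
"""
import os
from pathlib import Path
from typing import List, Optional, Tuple

# Linux kernel driver names commonly bound to USB-to-serial adapters and USB
# modems. The names are real modules; the grouping is this example's choice.
USB_SERIAL_DRIVERS = {"ftdi_sio", "pl3303", "pl2303", "cp210x", "ch341", "usbserial"}
USB_MODEM_DRIVERS = {"cdc_acm", "option", "qcserial"}

# Constructed sample of what /sys/class/tty might hold on the kind of
# desk-side Linux box in the story: a built-in UART, a USB serial adapter
# (the sort wired to a switch console port), a USB modem, and a console.
SAMPLE_TTYS: List[Tuple[str, Optional[str]]] = [
    ("ttyS0", "serial8250"),
    ("ttyUSB0", "ftdi_sio"),
    ("ttyACM0", "cdc_acm"),
    ("tty1", None),
]


def classify_tty(name: str, driver: Optional[str]) -> str:
    """Map a tty name and its bound driver to a coarse device category."""
    if driver in USB_MODEM_DRIVERS:
        return "usb-modem"
    if driver in USB_SERIAL_DRIVERS or name.startswith("ttyUSB"):
        return "usb-serial"
    if name.startswith("ttyS"):
        return "builtin-uart"
    return "virtual-console"


def sysfs_driver(tty_dir: Path) -> Optional[str]:
    """Resolve the driver bound to a tty via its sysfs 'device/driver' symlink."""
    link = tty_dir / "device" / "driver"
    try:
        return os.path.basename(os.readlink(link))
    except OSError:          # no backing device (ptmx, virtual consoles) or no sysfs
        return None


def scan_sysfs(root: str = "/sys/class/tty") -> List[Tuple[str, Optional[str]]]:
    """Enumerate tty entries from sysfs; empty list if sysfs is absent."""
    base = Path(root)
    if not base.is_dir():
        return []
    return sorted((p.name, sysfs_driver(p)) for p in base.iterdir())


def flag_dial_out_paths(ttys) -> List[Tuple[str, str]]:
    """Return the ttys an owner should be found for: USB serial adapters and modems."""
    flagged = []
    for name, driver in ttys:
        category = classify_tty(name, driver)
        if category in ("usb-serial", "usb-modem"):
            flagged.append((name, category))
    return flagged


def minicom_config_files(home: Optional[str] = None,
                         etc: str = "/etc/minicom") -> List[str]:
    """Existing minicom files: ~/.dialdir is the dialing directory behind the
    'D' menu in the story; minirc.dfl holds the default port and modem settings."""
    home_dir = Path(home) if home else Path.home()
    candidates = [home_dir / ".dialdir", home_dir / ".minirc.dfl",
                  Path(etc) / "minirc.dfl"]
    return [str(p) for p in candidates if p.exists()]


if __name__ == "__main__":
    live = scan_sysfs() or SAMPLE_TTYS   # fall back to the constructed sample
    for name, category in flag_dial_out_paths(live):
        print(f"review: /dev/{name} ({category})")
    for cfg in minicom_config_files():
        print(f"minicom config present: {cfg}")
```

Run it as an unprivileged user on the host under review; sysfs is world-readable, so no root is needed to see which driver sits behind each port. A `usb-modem` or `usb-serial` hit alongside a populated `~/.dialdir` is exactly the combination that, in this case, had gone unnoticed since the network manager left.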

Apologizing for my excitement, I asked if we could attempt the connection. Much to my delight, the request was granted by the manager. The helpdesk tech selected the number and pressed ENTER. A dial-tone came to life and numbers began dialing . . .


Shortly after, the screech of data scratching its way through the phone lines filled our ears! The helpdesk tech asked, “What’s that?” Everyone else laughed, having at least grown up knowing those sounds intimately. I smiled and told him to search for modem sounds later. And then they stopped.


Connected. Connected! We had a connection! Pressing any key, we were greeted with our spoils! The helpdesk tech logged into the Raspberry Pi with another set of credentials!


It didn’t take long, but we found our way into the switch.


From thousands of miles away, we had dialed a phone number and been connected to a remote network through a modem. One of the other technicians recalled that the Internet connection on that particular campus was problematic at times. The former network manager had installed the Raspberry Pi and modem as a backup. We had opened that door and walked through it, a door that had stayed hidden until the visibility provided by HAC-1 uncovered it. It may sound silly, but I felt like a digital archaeologist, having navigated a hidden maze to uncover the mysteries of a forgotten network.

May 24th, 2022