500 likes | 633 Views
Hacker Court 2006 Sex, Lies, and Sniffers hackercourt@wkeys.com. oyez, Oyez, OYEZ The annual court of Black Hat is now in session with the honorable Judge Richard Salgado presiding. Sex, Lies, and Sniffers Announcements. CAST.
E N D
Hacker Court 2006Sex, Lies, and Sniffershackercourt@wkeys.com
oyez, Oyez, OYEZ The annual court of Black Hat is now in session with the honorable Judge Richard Salgado presiding Sex, Lies, and Sniffers Announcements
CAST JUDGE: Richard Salgado – Attorney, Former Senior Counsel of CCIPS, a division of Department of Justice COURT CLERK: Caitlin Klein SAMANTHA JONES (CISO): Carole Fennelly, Senior Security Engineer, Tenable Network Security PROSECUTOR: Kevin Bankston – Staff Attorney, Electronic Frontier Foundation DEFENSE ATTORNEY : Paul Ohm, Attorney and Law Professor, Former counsel CCIPS, a division of Department of Justice DEFENDANT: Brian Martin – Attrition.org REPORTER: Ryan Bulat (as himself) - Intern, Wizard’s Keys Corp. CASE AGENT: Ovie Carroll – Former OSI, CCIPS, a division of Department of Justice SENATOR DAMON GASM: Simple Nomad – Vernier Networks DEFENSE EXPERT: Jonathan Klein – Director – Security Solutions, Calence, LLC
Schedule 16:45 – 16:50 Introductions, Court Called to Order 16:50 – 17:10 Opening Statements 17:10 – 17:30 Agent Carroll 17:30 – 17:50 Samantha Jones 17:50 – 18:05 Ryan Bulat 18:05 – 18:20 SenatOR Gasm 18:20 – 18:30 break 18:30 – 18:55 Jonathan Klein 18:55 – 19:15 Brian Martin 19:15 – 19:25 Closing Statements - Attorneys 19:25 – 19:30 Jury Instructions – Judge Salgado 19:30 – 20:00 panel discussion
Witness Classification Factual Witness: testifies to events directly witnessed or observed. May only testify regarding facts, not draw conclusions. Expert Witness: specifically qualified by the court as an expert in the subject at hand. May offer opinion and draw conclusions based on knowledge and expertise.
Prosecution Opening Statement AttorneyKevin Bankston will present his key points for the Prosecution.
Defense Opening Statement AttorneyPaul Ohm will present his key points for the Defense.
Prosecution Witness 1 Agent Carroll is the Case Agent testifying as both a factual and expert witness on events he witnessed and actions he took when he conducted the forensic examination on the computer.
Government Exhibit 1 Volatile Memory commands • rpcinfo –p – Print port numbers for each registered rpc listener • rpcinfo – Print general information about registered rpc listeners • netstat –an – Print information about all open sockets • netstat –nr – Print routing information • ps –lef – Print a long listening of all processes on the system • lsof – List all open file descriptors • nmap – Scanning tool used to determine what ports are open on a remote system. • gcore <pid> - Take a “core” snapshot of a process. • nmstat – Print virtual memory statistics • iostat – Print i/o statistics • ifconfig – Interface configuration • ndd – Display network driver settings (dev/ip, /dev/tcp,/dev/udp)
Government Exhibit 1 (cont’d) Volatile Memory commands • pstack <pid> – Stack trace for each thread. • pcred <pid> - Displays the credentials of each process • memdmp – dumps memory for later examination (found in The Coroner’s Toolkit) • pldd <pid> - Displays the dynamic libraries the process is linked with. • netcat – used to save volatile data across the network to a secure system. • dd – used with netcat to save off the system image • dd if=/dev/rdsk/c0t0d0s0 bs=1024 conv=sync,noerror | nc 10.1.1.1 49152
Government Exhibit 2 Switch Configuration – Cisco 3750 IOS 12.2.25(SEE) Switch attached to investigation machine Fa0/1 – Uplink to the rest of the network Fa0/5 – Link to investigation machine ! monitor session 1 source interface Fa0/1 monitor session 1 destination interface Fa0/5 !
Government Exhibit 3 #!/usr/bin/perl # # Chaosreader can trace TCP/UDP/... sessions and fetch application data # from tcpdump or snoop logs. This is like an "any-snarf" program, it will # fetch telnet sessions, FTP files, HTTP transfers (HTML, GIF, JPEG, ...), # SMTP emails, etc ... from the captured data inside the network traffic # logs. It creates a html index file that links to all the session details, # including realtime replay programs for telnet, rlogin or IRC sessions; # and reports such as image reports and HTTP GET/POST content reports. # It also creates replay programs for telnet sessions, so that you can # play them back in realtime (or even different speeds). # # Chaosreader can also run in standalone mode - where it invokes tcpdump or # snoop (if they are available) to create the log files and then processes # them. # # # 29-May-2004, ver 0.94 (check for new versions, http://www.brendangregg.com) # (or run a web search for "chaosreader") # #
Government Exhibit 3 (cont’d) # QUICK USAGE: # tcpdump -s9000 -w out1; chaosreader out1; netscape index.html # or, # snoop -o out1; chaosreader out1; netscape index.html # or, # ethereal (save as "out1"); chaosreader out1; netscape index.html # or, # chaosreader -s 5; netscape index.html
Government Exhibit 4 $ cd snoop $ ls -l total 237232 -rw-r--r-- 1 root other 2001215194 May 10 11:59 0510.snoop.out -rw-r--r-- 1 root other 2005216270 May 11 11:59 0511.snoop.out -rw-r--r-- 1 root other 2003215732 May 12 11:59 0512.snoop.out -rw-r--r-- 1 root other 2005217346 May 13 11:59 0513.snoop.out -rw-r--r-- 1 root other 2003218422 May 14 11:59 0514.snoop.out -rw-r--r-- 1 root other 2005215732 May 15 11:59 0515.snoop.out $
Government Exhibit 5 -rwxr--r-- 1 root other 8831290 May 16 09:13 my-new-tripod.zip -rwxr--r-- 1 root other 275910 May 16 09:13 sheep_defile.JPG -rw-r--r-- 1 root other 12102409 May 16 08:57 session_0013.part_01.smtp.partial.email -rw-r--r-- 1 root other 12399097 May 16 08:57 session_0013.smtp.partial.html -rw-r--r-- 1 root other 379103 Jul 30 17:06 session_0004.part_01.smtp.email -rw-r--r-- 1 root other 389562 Jul 30 17:06 session_0004.smtp.html
Government Exhibit 6 smtp: 192.168.10.146:3298 -> 205.102.30.222:25 File 0512.snoop.out, Session 4 220 mailsvr.senate.gov ESMTP Sendmail 8.12.0.Beta10/8.12.2; Fri, 12 May 2006 14:05:48 -0800 (PST) EHLO [192.168.10.146] 250-mailsvr.senate.gov Hello host146.cmo.org [192.168.10.146], pleased to meet you 250-ENHANCEDSTATUSCODES 250-PIPELINING 250-EXPN 250-VERB 250-8BITMIME 250-SIZE 250-DSN 250-ETRN 250-DELIVERBY 250 HELP MAIL FROM:<damon_gasm@senate.gov> SIZE=379105 250 2.1.0 <damon_gasm@senate.gov>... Sender ok RCPT TO:<kimberly_loveless@senate.gov> 250 2.1.5 <kimberly_loveless@senate.gov>... Recipient ok DATA
Government Exhibit 6 (cont’d) 354 Enter mail, end with "." on a line by itself Message-ID: <44CD1DEF.1030402@cmo.org> Date: Fri, 12 May 2006 14:05:31 -0800 From: Damon Gasm <damon_gasm@senate.gov> User-Agent: Thunderbird 1.5.0.5 (Windows/20060719) MIME-Version: 1.0 To: Kimberly Loveless <kimberly_loveless@senate.gov> Subject: Put this in a safe place. Content-Type: multipart/mixed; boundary="------------020303020005030800050404" This is a multi-part message in MIME format. --------------020303020005030800050404 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit
Government Exhibit 6 (cont’d) Kim, I’ve been thinking of you. See what happens when you are not around? ;) -D --------------020303020005030800050404 Content-Type: image/jpeg; name="sheep_defile.JPG" Content-Transfer-Encoding: base64 Content-Disposition: inline; filename="sheep_defile.JPG"
Government Exhibit 18 DISCLAIMER: The following document is a fictionalized testimonial stipulation for the Black Hat 2003 Conference. The witness of the stipulation does not exist, nor was any evidence in this matter gathered. __________________________________ x | UNITED STATES OF AMERICA, | | -v.- | | STIPULATION BRIAN MARTIN, | | | | Defendant, | | __________________________________ IT IS HEREBY STIPULATED AND AGREED between the United States of America, KEVIN BANKSTON, Assistant United States Attorney, of counsel, and the defendant BRIAN MARTIN, by his attorney PAUL OHM, Esq.: If called as a witness, Bert Smith, would testify as follows: • He’s the Policy Enforcement officer at Potomac River Internet Access (potomacriver.com) which is located in Backwater, Maryland. • Potomacriver.com provides high speed internet access to the Maryland area. Internet access is provided by Digital Subscriber Line (DSL) and Dialup-Connection. • When a subscriber connects to the potomacriver.com backbone, the subscriber is provided with an Internet Protocol (IP) address that is unique to the subscriber during their session • Potomacriver.com is assigned the Class B address 63.36.0.0 by the American Registry of Internet Numbers (ARIN) to provide IP addresses for its customers. Government Exhibit 7 Government Exhibit 7
Government Exhibit 8 • smtp: 192.168.10.146:2241 -> 205.102.30.222:25 • File 0515.snoop.out, Session 13 • 220 mailsrvr.senate.gov ESMTP Sendmail 8.12.0.Beta10/8.12.2; Sun, 14 May 2006 08:54:05 -0800 (PST) • EHLO [192.168.10.146] • 250-mailsrvr.senate.gov Hello host146.cmo.org [192.168.10.146], pleased to meet you • 250-ENHANCEDSTATUSCODES • 250-PIPELINING • 250-EXPN • 250-VERB • 250-8BITMIME • 250-SIZE • 250-DSN • 250-ETRN • 250-DELIVERBY • 250 HELP
Government Exhibit 8 (cont’d) • MAIL FROM:<damon_gasm@senate.gov> SIZE=12103671 • 250 2.1.0 <damon_gasm@senate.gov>... Sender ok • RCPT TO:<kimberly_loveless@senate.gov> • 250 2.1.5 <kimberly_loveless@senate.gov>... Recipient ok • DATA • 354 Enter mail, end with "." on a line by itself • Message-ID: <44CDFC2D.7000008@wkeys.com> • Date: Sun, 14 May 2006 08:48:45 -0800 • From: Damon Gasm <damon_gasm@senate.gov> • User-Agent: Thunderbird 1.5.0.5 (Windows/20060719) • MIME-Version: 1.0 • To: Kimberly Loveless <kimberly_loveless@senate.gov> • Subject: Stuck at this boring conference.... • Content-Type: multipart/mixed; • boundary="------------060909010300050701070305" • This is a multi-part message in MIME format. • --------------060909010300050701070305 • Content-Type: text/plain; charset=ISO-8859-1; format=flowed • Content-Transfer-Encoding: 7bit
Government Exhibit 8 (cont’d) • Kim, • Hi sweetie! I am so bored at this conference. It is so boring and so not • me, if I knew I was going to be this bored I would have stayed in DC and • listened to floor debates. Yes it is that bad. Great photo ops though, • looks like I may make Newsweek and the cover of USA Today. • Speaking of photo ops, I've been putting that new tripod I bought to • good use. I appreciate the fact that you tucked your underwear in my • bag, so to show you my appreciation I thought I'd send these photos. • Remind you of a certain trip to Cancun and a certain set of strippers? • Boy we had fun that night! You were an animal! • Anyway, heading back down to the conference in this stupid boring hotel • so many miles away from you my love.... • Damon • --------------060909010300050701070305 • Content-Type: application/octet-stream; • name="my-new-tripod.zip" • Content-Transfer-Encoding: base64 • Content-Disposition: attachment; • filename="my-new-tripod.zip"
Government Exhibit 6 (cont’d) Government Exhibit 9
Government Exhibit 10 DISCLAIMER: The following document is a fictionalized testimonial stipulation for the Black Hat 2006 Conference. The witness of the stipulation does not exist, nor was any evidence in this matter gathered. UNITED STATES OF AMERICA, -v.- STIPULATION BRIAN MARTIN, Defendant | IT IS HEREBY STIPULATED AND AGREED between the United States of America, KEVIN BANKSTON, Assistant United States Attorney, of counsel, and the defendant BRIAN MARTIN, by his attorney PAUL OHM, Esq.: If called as a witness, Kimberly Loveless, would testify as follows: • She is the communications director for the office of Senator Damon Gasm. • She received an e-mail from Senator Gasm on May 12th, 2006 at approximately 5pm. • The source header on the e-mail indicated it came from an address owned by cmo.org • The e-mail contained an attached picture called sheep_defile.jpg. This file depicted Senator Gasm and a sheep. • She was present when the picture was taken and can confirm it’s authenticity • She received an e-mail from Senator Gasm on May 14th, 2006 at approximately 11 am. • The source header on the e-mail indicated it came from an address owned by cmo.org • The e-mail contained a zip file attachment . One of the images depicted Senator Gasm wearing her bra and lipstick.
Government Exhibit 10 (cont’d) . IT IS FURTHER STIPULATED AND AGREED that this stipulation may be received in evidence as a Government exhibit at trial. Dated: July 1, 2006 By:____________________________ KEVIN BANKSTON Assistant United States Attorney By: ___________________________ PAUL OHM, ESQ. Attorney for BRIAN MARTIN
Prosecution Witness 2 Samantha Jones is the Chief Information Security Officer for the Coalition for Moral Order. The coalition was the sponsor of “Society’s Morals Under Threat” from May 10th – May 15th, 2006. This was the conference attended by Senator Gasm. She is a factual witness and she is testifying to factual items about the conference, Brian Martin’s job roles and the organization’s security policies.
Prosecution Witness 3 Ryan Bulat is a staff writer for The New York Compost. Ryan broke the story about the picture of Senator Gasm and the sheep. He will be testifying as a factual witness regarding the story he wrote about the Senator and who the source was for the story.
Prosecution Witness 4 Senator Damon Gasm is the victim of the release of the pornography pictures and is testifying as a factual witness on events he directly witnessed.
Defense Witness 1 Jonathan Klein is testifying as an expert in general computer knowledge. Part of his testimony will be given outside the presence of the jury as the judge determines whether his testimony will be admitted.
Defense Exhibit 1 /* * $Id: raptor_passwd.c,v 1.1.1.1 2004/12/04 14:35:33 raptor Exp $ * * raptor_passwd.c - passwd circ() local, Solaris/SPARC 8/9 * * Unknown vulnerability in passwd(1) in Solaris 8.0 and 9.0 allows local users * to gain privileges via unknown attack vectors (CAN-2004-0360). * * "Those of you lucky enough to have your lives, take them with you. However, * leave the limbs you've lost. They belong to me now." -- Beatrix Kidd0 * * This exploit uses the ret-into-ld.so technique, to effectively bypass the * non-executable stack protection (noexec_user_stack=1 in /etc/system). The * exploitation wasn't so straight-forward: sending parameters to passwd(1) * is somewhat tricky, standard ret-into-stack doesn't seem to work properly * for some reason (damn SEGV_ACCERR), and we need to bypass a lot of memory * references before reaching ret. Many thanks to Inode <inode@deadlocks.info>. * * Usage: * $ gcc raptor_passwd.c -o raptor_passwd -ldl -Wall * $ ./raptor_passwd <current password> * [...] * # id * uid=0(root) gid=1(other) egid=3(sys) * # * * Vulnerable platforms: * Solaris 8 with 108993-14 through 108993-31 and without 108993-32 [tested] * Solaris 9 without 113476-11 [tested] */
Defense Exhibit 2 $ ./raptor_passwd [password deleted] raptor_passwd.c - passwd circ() local, Solaris/SPARC 8/9 Using SI_PLATFORM : SUNW,Sun-Blade-100 (5.9) Using stack base : 0xffbffffc Using var address : 0xffbffb50 Using rwx_mem address : 0xff3f6004 Using sc address : 0xffbfff94 Using ff address : 0xffbfff50 Using strcpy() address : 0xff3e0288 "Pai Mei taught you the five point palm exploding heart technique?" -- Bill "Of course." -- Beatrix Kidd0, alias Black Mamba, alias The Bride (KB Vol2) # id;uname -a;uptime; uid=0(root) gid=1000(test) egid=3(sys) SunOS lamb 5.9 Generic sun4u sparc SUNW,Sun-Blade-100 8:33pm up 1 day(s), 7:22, 2 users, load average: 0.08, 0.03, 0.02 #
Defense Exhibit 3 Output of nmap –sT –p1-65535 192.168.11.23 Starting nmap V. 2.54BETA7 ( www.insecure.org/nmap/ ) Interesting ports on spleh.cmo.org (192.168.10.23): (The 65486 ports scanned but not shown below are in state: closed) Port State Service 7/tcp open echo 11/tcp open systat 13/tcp open daytime 15/tcp open netstat 19/tcp open chargen 21/tcp open ftp 22/tcp open ssh 23/tcp open telnet 25/tcp open smtp 37/tcp open time 53/tcp open domain 79/tcp open finger 111/tcp open sunrpc 512/tcp open exec 514/tcp open shell 540/tcp open uucp 587/tcp open submission 754/tcp open krb5_prop 898/tcp open unknown 2049/tcp open nfsd 4045/tcp open lockd
Defense Exhibit 3 (cont’d) 5987/tcp open unknown 5988/tcp open unknown 6000/tcp open unknown 6112/tcp open dtspc 7100/tcp open fs 9002/tcp open unknown 32777/tcp open unknown 32778/tcp open unknown 32779/tcp open unknown 32780/tcp open unknown 32781/tcp open unknown 32782/tcp open unknown 32783/tcp open unknown 32785/tcp open unknown 32786/tcp open unknown 32789/tcp open unknown 32790/tcp open unknown 32791/tcp open unknown 32792/tcp open unknown 32799/tcp open unknown 32801/tcp open unknown 32807/tcp open unknown 32808/tcp open unknown 32809/tcp open unknown 32810/tcp open unknown 32811/tcp open unknown 33003/tcp open unknown Nmap run completed -- 1 IP address (1 host up) scanned in 1687 seconds
Defense Exhibit 4 Output of netstat –an | grep LISTEN *.898 *.* 0 0 49152 0 LISTEN *.32805 *.* 0 0 49152 0 LISTEN *.5988 *.* 0 0 49152 0 LISTEN *.32806 *.* 0 0 49152 0 LISTEN *.25 *.* 0 0 49152 0 LISTEN *.587 *.* 0 0 49152 0 LISTN *.9002 *.* 0 0 10720 0 LISTEN *.32807 *.* 0 0 49152 0 LISTEN *.32808 *.* 0 0 49152 0 LISTEN *.2049 *.* 0 0 49152 0 LISTEN *.32809 *.* 0 0 49152 0 LISTEN *.32810 *.* 0 0 49152 0 LISTEN *.32811 *.* 0 0 49152 0 LISTEN *.22 *.* 0 0 49152 0 LISTEN *.6000 *.* 0 0 49152 0 LISTEN *.33003 *.* 0 0 49152 0 LISTEN
Defense Exhibit 5 Output of rpcinfo –p program vers proto port service 100000 4 tcp 111 rpcbind 100000 3 tcp 111 rpcbind 100000 2 tcp 111 rpcbind 100000 4 udp 111 rpcbind 100000 3 udp 111 rpcbind 100000 2 udp 111 rpcbind 100232 10 udp 32780 sadmind 100083 1 tcp 32785 100221 1 tcp 32786 100068 2 udp 32781 100068 3 udp 32781 100068 4 udp 32781 100024 1 udp 32782 status 100024 1 tcp 32789 status 100133 1 udp 32782 100133 1 tcp 32789 100068 5 udp 32781 100229 1 tcp 32790 metad 100230 1 tcp 32791 metamhd 100242 1 tcp 32792 metamedd 100001 2 udp 32783 rstatd 100001 3 udp 32783 rstatd 100001 4 udp 32783 rstatd 100002 2 udp 32784 rusersd 100002 3 udp 32784 rusersd
Defense Exhibit 6 grep 33003 /etc/services login 33003/tcp
Defense Exhibit 7 grep login lsof.out (output from lsof) sqldata 1883 root 3u IPv4 0x300027b3ce8 0t0 TCP *:login (LISTEN)
Defense Exhibit 8 grep sqldata lsof.out (output from lsof) sqldata 1883 root cwd VDIR 136,0 1024 2 / sqldata 1883 root txt VREG 136,3 260056 179239 /opt/local/sql//@//sqldata sqldata 1883 root txt VREG 136,0 866316 442080 /usr/lib/libc.so.1 sqldata 1883 root txt VREG 136,0 16768 377621 /usr/platform/sun4u/lib/libc_psr.so.1 sqldata 1883 root txt VREG 136,0 743856 442131 /usr/lib/libnsl.so.1 sqldata 1883 root txt VREG 136,0 21676 441751 /usr/lib/libmp.so.2 sqldata 1883 root txt VREG 136,0 316436 442151 /usr/lib/libresolv.so.2 sqldata 1883 root txt VREG 136,0 58504 441775 /usr/lib/libsocket.so.1 sqldata 1883 root txt VREG 136,0 60352 441864 /usr/lib/libz.so.1 sqldata 1883 root txt VREG 136,0 3984 441719 /usr/lib/libdl.so.1 sqldata 1883 root txt VREG 136,0 192000 441610 /usr/lib/ld.so.1 sqldata 1883 root 0u VCHR 13,2 0t0 268835 /devices/pseudo/mm@0:null sqldata 1883 root 1u VCHR 13,2 0t0 268835 /devices/pseudo/mm@0:null sqldata 1883 root 2u VCHR 13,2 0t0 268835 /devices/pseudo/mm@0:null sqldata 1883 root 3u IPv4 0x300027b3ce8 0t0 TCP *:login (LISTEN)
Defense Exhibit 9 Output of ps –ef command root 376 1 0 Jul 17 ? 0:02 /usr/sbin/vold root 331 1 0 Jul 17 ? 0:00 /usr/dt/bin/dtlogin -daemon root 392 331 0 Jul 17 ? 1:00 /usr/openwin/bin/Xsun :0 -nobanner -auth /var/dt/A:0-KoayPa root 389 1 0 Jul 17 console 0:00 /usr/lib/saf/ttymon -g -h -p belar console login: -T sun -d /dev/console -l co root 385 1 0 Jul 17 ? 0:00 /opt/SUNWspci2/bin/sunpcid root 393 363 0 Jul 17 ? 21:45 mibiisa -r -p 32796 root 394 331 0 Jul 17 ? 0:00 /usr/dt/bin/dtlogin -daemon root 395 331 0 Jul 17 ?? 0:06 /usr/openwin/bin/fbconsole -d :0 root 396 1 0 Jul 17 ? 0:00 /usr/lib/ssh/sshd root 2206 202 1 19:32:29 ? 0:00 in.telnetd root 411 1 0 Jul 17 ? 0:00 devfsadmd root 412 1 0 Jul 17 ? 0:03 /usr/sbin/in.named root 2210 203 1 19:32:32 ? 0:00 rquotad martin 2208 2206 1 19:32:29 pts/2 0:01 -ksh root 2214 2208 0 19:32:35 pts/2 0:00 sh root 2217 2214 0 19:32:47 pts/2 0:00 ps -ef root 1883 1 0 21:00:01 ? 0:00 /usr/sbin/vold
Defense Exhibit 10 # find / -print | grep sqldata /opt/local/sql/sqldata # ls -l /opt/local/sql/sqldata -rw-r--r-- 1 sql other 7 Jul 23 20:36 sqldata # ls -la total 20 drwxr-xr-x 2 sql other 512 Jul 23 23:36 . drwxr-xr-x 21 sql other 512 Jul 23 20:34 .. -rw------- 1 sql 1000 58 Jul 23 23:36 .sh_history -r-xr-xr-x 1 sql other 6104 Jul 23 20:36 sqlclean -rw-r--r-- 1 sql other 7 Jul 23 20:36 sqldata # ls -a@ total 20 drwxr-xr-x@ 2 sql other 512 Jul 23 23:36 . drwxr-xr-x 21 sql other 512 Jul 23 20:34 .. -rw------- 1 sql 1000 58 Jul 23 23:36 .sh_history -r-xr-xr-x 1 sql other 6104 Jul 23 20:36 sqlclean -rw-r--r-- 1 sql other 7 Jul 23 20:36 sqldata
Defense Exhibit 11 # ls –l /var/spool/cron/crontabs/sql -r-------- 1 root sql 57 Feb 27 11:00 /var/spool/cron/crontabs/sql # cat /var/spool/cron/crontabs/sql 0 * * * * /usr/local/sql/sqlclean /usr/local/sql sqldata
Defense Exhibit 12 # /usr/local/bin/md5 /opt/local/sql/sqlclean > /tmp/a # /usr/local/bin/sfpC.pl /tmp/a 12ccde4d0f971f56f372e5e5466a848f - /opt/local/sql/sqlclean - 1 match(es) canonical-path: /usr/bin/runat package: SUNWcsu version: 11.9.0,REV=2002.04.06.15.27 architecture: sparc source: Solaris 9/SPARC
Defense Exhibit 13 # man runat NAME runat - execute command in extended attribute name space SYNOPSIS /usr/bin/runat file [command] DESCRIPTION The runat utility is used to execute shell commands in a file's hidden attribute directory. Effectively, this utility changes the current working directory to be the hidden attribute directory associated with the file argument and then executes the specified command in the bourne shell (/bin/sh). If no command argument is provided, an interactive shell is spawned. The environment variable $SHELL defines the shell to be spawned. If this variable is undefined, the default shell, /bin/sh, is used. The file argument can be any file, including a directory, that can support extended attributes. It is not necessary that this file have any attributes (or be prepared in any way) before invoking the runat command.
Defense Exhibit 14 # runat /opt/local/sql ls -l total 528 ---s--x--x 1 root other 260056 Jul 23 20:35 sqldata #
Defense Exhibit 15 # strings core.1883 | grep rlogin .rlogin rlogind: %s: %s. rlogind: %s. usage: rlogind [options] # strings core.1883 | grep vold /usr/sbin/vold # runat /opt/local/sql strings sqldata | grep vold /usr/sbin/vold # runat /opt/local/sql strings sqldata | grep rlogin .rlogin rlogind: %s: %s. rlogind: %s. usage: rlogind [options]
Defense Witness 2 Brian Martin is the defendant and is not required to take the stand, but has the right to do so if he chooses. His attorney should discourage him from doing so, since the judge can add extra points to his sentence for perjury and obstruction of justice, if he is found guilty.
Prosecution Closing Statements Prosecutor Kevin Bankston will summarize the key points and evidence presented to persuade the jury that Senator Gasm is guilty beyond any reasonable doubt.
Defense Closing Statements Attorney Paul Ohm will summarize the Defense key points to refute the prosecution.
Jury Instructions The Honorable Judge Richard Salgado will present the jury with their responsibilities on determining guilt or innocence of Senator Gasm.
Panel Discussion Audience Questions