Mr. Robot was recommended to me and I finally got around to checking out the pilot episode. I dig the show, I really dig that they made an effort to use real stuff for the computer scenes. As I was watching the screens fly by I was thinking “wow, I think they got it right, this is the real deal!”.
I thought it would be interesting to freeze frame some of these scenes and take a closer look at what’s going on, will I come away more or less impressed? Let’s find out! But before I launch into this I want to say that I know how difficult it is making creative content and entertainment. Regardless of what I find, I’ll thumbs up the content creators as I think they did a good enough job pulling the wool over my eyes in the heat of the moment.
I’m about to read a lot into this little prefix: The format for this prefix is
First off, he’s running as root… this could be a clue that he’s a fast and loose kind of guy that prefers root to sudo. Does he really need to be root? Perhaps! You see, we know that Elliot is running ping to find some machine on the network, it’s possible that he regularly uses various ping switches that would require root:
We also see that he named his computer after himself, interesting! Maybe this could be an insight into his frequent conversations with himself, perhaps the voice in his head is personified by his computer. Setting your machine name to your own first name seems a little kindergarten at first glance, especially for a bright security hacker, but I could be giving too much street cred to cool and arguably less obvious computer names.
I can imagine that if I asked Elliot what’s up with his lame computer name he’d probably reply that if someone got his computer, it’s already too late, it doesn’t matter what the name is.
Honestly, the ping command output is where I start to notice things falling apart a bit. Ping is used to locate machines on a network if you didn’t know already. Here’s what an actual ping command looks like on linux or bsd:
root@computer:~$ ping -c 1 127.0.0.1 PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data. 64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.087 ms --- 127.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.087/0.087/0.087/0.000 ms root@computer:~$
What’s the difference? In the screenshot above, they’re replicating the user prompt
root@elliot onto every line of output. On normal boxes, the user prompt is not displayed when a program prints output. I don’t know of a way to replicate this output without piping every command to some other command, I also don’t think most people would want their prompt appended to their output.
Please tell me if you’ve seen this in the real world, I’d really like to know!
Most people run ping and then hit Ctrl + C to stop it once they’re satisfied, however since we never see a
^C appear on Elliot’s prompt, we must assume that he is invoking ping directly with the parameter
-n 1. Also, the ping statistics section is totally missing and there isn’t an invocation I could find that would squelch that output.
Perhaps Elliot was just sick and tired of
ping -q (supposedly the quiet mode) spitting out a bunch of extra lines and so one night while rolling on his pain-killers he compiled a personal version of ping with the brevity he desired.
Moving beyond the issues, we see that Elliot has found the machine he’s looking for, what’s next?
My guess is that this fictional program stands for Elliot’s Leet PaSsword CRacKer. The first invocation is cut off but reads:
elpscrk -list pswList.list-add Dylan; June 3rd, Stonehenge
The intent seems clear, Elliot is trying to crack a password and is adding some dates and words to help his dictionary attack. Here’s my problem with this, the semicolon… in linux, the semicolon is literally the end of command character, so this command would be split into two commands:
elpscrk -list pswList.list-add Dylan June 3rd, Stonehenge
Last I checked there is no program called June :/
Moving on, I’m guessing that the the list count of 9,875,894 is the number of permutations that will be attempted. It seems like a small number considering the password length is 10 characters. It doesn’t say Permutation Count, so it could be that each list is a unique dictionary by itself… that would be a lot of dictionaries!
The 2nd invocation of
elpscrk has Elliot specifying the IP address of the machine that he pinged earlier. He’s also specifying what looks like a user
mich05654. What machine is this exactly? Is he trying to crack the password by attempting to login to this server with user
mich05654? Typically there are timeouts that make this difficult. Maybe this is a server at his work and maybe the password he’s hacking is his co-workers. If so, interesting naming convention you got for your employees! Hmm, this will remain a mystery.
This is a fictional command and also highly suspicious as it uses a capital M. It’s really unclear what it would do. One guess is that it’s a command that loads a specific set of environment variables, similar to something like:
Heck let’s go with it. The M is probably capital so that it doesn’t conflict with the other map command that maps to and from unicode. The parameter
sectionus34567 is the section of the data center that we’re interested in… I’ll admit that
sectionus34567 is a very unwieldy name (better would be han or chewy). But once decoded, it makes perfect sense:
Section US, Row 34, Column 56, Cage 7
That’s one hell of a big data center, we would have to infer from the above that there are 10 cages per grid unit.
Locate server WBKUW300PS345672
Again with the capital letter commands! Clearly this is so the Locate command doesn’t interfere with the existing lowercase locate command (the one that helps you find files). I won’t try to decode the first part of this machine naming scheme other than to say that it appears the server location is also reflected in his name, with 1 additional detail. 345672 CLEARLY indicates Row 34, Column 56, Cage 7, Blade Chassis 2.
What’s interesting is that after running the locate command, the command prompt changes to indicate that Elliot is now either connected to machine
WBKUW300PS345672 or perhaps has more environment variables setup so that future alias’s will use this machine. It’s entirely possible/probable that the data center is using key-based passwordless login to ssh between various local machines. So the Locate command could have fired of an ssh in the background and you know, suppressed a bunch of the normal login output.
astsu - info -backup -short
astsu command is another fictional command that had me puzzled for awhile. The space between the first dash and the word info is what made me pause. I thought at first that it could be a custom sudo command, similar to doing
sudo su -. But there are other invocations where they do
astsu -close so I had to throw that theory away.
The author did some pretty amazing parsing of input parameters. My guess is that this is another utility that Elliot wrote. The command probably stands for A Server sTatuS Utility. The commands seem pretty obvious so far:
The output isn’t anything special. It’s an interesting design decision to force the user to specify the full
--backup would be more realistic). The more I think about this the more it seems out of character. Here’s a programmer that has spent an absurdly huge amount of time parsing input parameters to allow for spaces between dashes and a disproportional amount of time on the output layer where they abbreviate
bkup. This is highly suspect when the words
backup are both 6 characters long and would align nicely in a printed output with a fixed width font.
Let’s be honest, so far Elliot seems like a lazy coder with little to no stylish sensibility, if I had to guess, he wrote the input layer while high and the output layer the day after his anti-addiction drugs ran out.
This frame has a few different invocations of
astsu -close port: * -persistent
We really see the power of
astsu here as Elliot shuts down all the ports on the server. I wonder if
astsu just turns around and uses iptables?
astsu - ifconfig - disable
More magical spaces! At least
ifconfig is something that we’re all familiar with. Here it looks like Elliot is disabling the ethernet interfaces. It makes you wonder why he closed the ports first if he was just going to yank the whole rug out from under things. This could be a best practice as there’s a slight hiccup bringing interfaces back up later on.
Here Elliot switches to the backup server. He runs his usual
astsu wank to get details on the server. This one comes back as offline and has no default gateway! It also has a domain controller…
set waneth0* : * 18.104.22.168 255.255.255.0 [22.214.171.124; 126.96.36.199; 188.8.131.52]
This command appears to be bringing up all of the ethernet devices that were brought down earlier. Elliot is specifying the default gateway explicitly
184.108.40.206 as well as the 3 DNS servers in square brackets.
All of the ethernet interfaces come up except for
waneth04 which says failed, so Elliot man handles it:
set -force -ovr02 waneth04 : 220.127.116.11:441 18.104.22.168 255.255.255.0 [22.214.171.124; 126.96.36.199;
Right, the good ole
-force -ovr02 trick, seems to have worked. Tuck that one in your pocket sys admins.
astsu -open port: * -persistent
Elliot opens up all the ports.
ps aux|grep root
Hey hey! This looks legit…. at first… except that there should be about several dozen other processes on a normally running system. I’m gonna let it slide and move right to the bigger issue here, is Elliot really an
aux type of guy instead of an
-ef type of guy? Can we infer from this that Elliot cut his teeth on the BSD side of things rather than POSIX? Hmm, deep thoughts here, very deep thoughts.
This output is interesting, clearly we see the
evilscorpwb* processes, those probably shouldn’t be running. But what’s going on with PID 24?
cpuset ./01dat. Also to note is the
-20 on the command line, I’m guessing this is a nice level since those range from -20 to 20. What nice does is change the priority of your process. So here we see that someone has given their process maximum priority! Also
cpuset is a utility that allows you to assign an application to a specific set of CPUs. This could be the intent here but it’s hard to say.
astu trace -pid 244 -cmd
Lots of issues here. First of all, what the heck is
astu, did Elliot mean to type
astsu? Does Elliot have yet another custom program called
astu? Wow, thanks for the great naming convention Elliot. Furthermore, there is no pid 244 in the output, does he mean pid 24 (the suspiciously niced
Presumably what Elliot meant to type was:
astsu trace -pid 24 -cmd
astsu already does everything else, may as well add an
strace like feature too. We see an inconspicuous
trace placed message after this and presumably Elliot watches the fopen calls fly by to find where on the filesystem this process is reading/writing.
ps aux| grep root|cpuset
Well, looks like
cpuset is another piece of custom work, because you can’t just pipe stuff to it. Perhaps the intent was to also grep for
cpuset. Regardless, a process was returned with PID 4, it has a nice level of -20 so I’m guessing this is the
cpuset we saw in Frame D.
astu -ls ./root/fsociety/ -a
Presumably a typo that was meant to be
astsu. Here Elliot lists the contents of the
The file listing comes back followed by arguably the single most disappointing command in this entire series.
more? Whaaaaat? I would have pegged him for a
less kind of guy. Let’s talk about the contents of readme.txt. This was Elliot’s immediate reaction.
His reaction was not to the message itself, but to the sloppy asymmetric header that was missing a dash on the left side. Was this intentional? Did they know that this would bother Elliot?
sudo kill 4
Elliot kills the
setcpu process that was first PID 24, typed as PID 244 and then mysteriously changed to PID 4.
astu -rm -norecycle /root/ fsociety/
Whoah whoah whoah there tiger. First of all, the dreaded
astu command returns, we may need to refactor our entire theory on
astsu and its many functions. The willy nilly Elliot is deleting some files and skipping the recycle bin. Unfortunately he didn’t escape his space and is lucky he canceled the delete otherwise he would have blown away his entire root directory.
chmod -R ER280652 600
Elliot does a recursive change mod to presumably change the permissions of the fsociety folder so that only the owner can read/write it. The
ER280652 is presumably a user name or group. Unfortunately
chmod doesn’t let you specify user/group, you use
chown for that and
chown doesn’t let you specify a new permission, you use
chmod for that. This is a combination of both, so I’m guessing that Elliot wrote his own
chmod. Busy guy!
This was fun, but the ping-ponging between
has me a bit bewildered. I’d like to see someone do an in-depth analysis of the two tools and what their individual functions are.