Conducting an Insider Attack

Conducting an attack from the inside can be accomplished by using familiar tools and techniques, all of which are found in this book. The primary difference is that you will be working inside the target company at a pre-specified privilege level of an employee, complete with your own network account. In most cases, you can arrange for a private place to work from, at least initially, but in some cases you may have to work out in the open in the presence of other employees. Both scenarios have their advantages; for example, whereas working in private allows you to work undisturbed, working with other employees allows you to get up to speed on security procedures more quickly.

No matter where you wind up working, it’s a given that you must be able to explain your presence, as any newcomer is likely be questioned by curious coworkers. These encounters are far less stressful than encounters during social engineering or physical intrusions because you are legitimately working for someone at the target company and have an easy cover story. In most cases, a simple “consulting” explanation will suffice. In all cases, the fewer people at the target company that are aware of your activities, the more realistic the test will be. If the help desk staff or system administrators are aware that you are a gray hat posing as an employee with the intent of subverting security controls, they will be tempted to keep a close eye on what you’re doing or, in some cases, even give you specially prepared equipment to work from.

For this chapter, we’ll examine a hypothetical company call ComHugeCo Ltd. We’ve been given a Windows domain user account called MBryce with minimal privileges. We’ll attempt to gain domain administrator rights in order to search and access sensitive information.

Tools and Preparation

Each test will be slightly different depending on the environment you are working within. It’s best to work from equipment supplied by the target organization and begin with very little knowledge of the security controls in place. You should arrive prepared with everything you need to conduct your attack since you may not have an opportunity to download anything from the outside once you’re in. At the time of this writing, most companies use content filters. A good network security monitoring (NSM) system or intrusion detection system (IDS) operator will also notice binary downloads coming from hacking sites or even unfamiliar IP addresses. Have all the tools you are likely to need with you on removable media such as a USB drive or CD.

Since you may find the equipment provided fully or partially locked down, hardened, or centrally controlled, you should also have bootable media available to help you access both the individual system and the network at a higher privilege level than afforded your provided account. In the most difficult cases, such as a fully locked CMOS and full disk encryption, you may even want to bring a hard drive with a prepared operating system on it so that you can attempt to gain access to the subject network from the provided equipment. Having your tools with you will help you stay under the radar. We’ll discuss a few practical examples in the following sections.

Orientation

The most common configuration you’ll encounter is the Windows workstation, a stand-alone PC or laptop computer running a version of Microsoft Windows. It will most likely be connected to a wired LAN and utilize the Windows domain login. You’ll be given a domain account. Log in and have a look around. Take some time to “browse” the network using the Windows file explorer. You may see several Windows domains as well as drives mapped to file servers, some of which you may already be connected to. The whole point of the insider attack is to find sensitive information, so keep your eyes open for servers with descriptive names such as “HR” or “Engineering.” Once you feel comfortable that you know the bounds of your account and have a general view of the network, it’s time to start elevating your privilege level.

Gaining Local Administrator Privileges

The local operating system will have several built-in accounts, at least one of which will be highly privileged. By default, the most privileged account will be the Administrator account, but it’s not uncommon for the account to be renamed in an attempt to obscure it from attackers. Regardless of what the privileged account names are, they will almost always be in the Administrators group. An easy way to see what users are members of the local Administrators group of an individual machine is to use the built-in net command from the command prompt:

net localgroup Administrators

In addition to the Administrator account, there will often be other privileged accounts owned by the help desk and system administration groups within the company. For the purposes of our example, our machine uses the Windows default Administrator account.

The easiest way to gain access to the Administrator account is to reset its password. In order to do this while the operating system is running, you’d need to know the existing password, which you probably won’t. Windows protects the file that contains the password hashes, the SAM file, from being accessed while the OS is running. While there are exploits that allow access to the file’s contents while Windows is running, doing so may set off an alert if a centrally managed enterprise antivirus system is in place. Dumping the SAM file only gives you the password hashes, which you then will have to crack. While recovering the local Administrator password is on our agenda, we’ll remove the password from the Administrator account altogether. We’ll collect the SAM file and hashes along the way for cracking later. To do this, we’ll boot the system from a CD or USB drive and use the Offline NT Password and Registry Editor tool (referred to hereafter as “Offline NT Password” for short).

Most computers boot from removable media such as a CD-ROM or floppy disk when they detect the presence of either. If nothing is detected, the machine then boots from the first hard drive. Some machines are configured to bypass removable media devices but still provide a boot menu option during power-up. This menu allows the user to select which device to boot from. Our example uses the Phoenix BIOS, which allows the user to select a boot device by hitting the ESC key early in the boot process. In the worst case, or the best configurations, the boot menu will be password protected. If that’s the case, you’ll have to try dumping the SAM file with an exploit such as pwdump7 while the machine is running. Alternatively, you can install a hard drive of your own as primary to boot from and then access the target Windows drive as a secondary to recover the SAM file.

Offline NT Password is a stripped-down version of Linux with a menu-driven interface. By default, it steps you through the process of removing the Administrator account password. While we have the Windows file system accessible, we’ll also grab the SAM file before we remove the Administrator password. If you choose to boot Offline NT Password from a CD, make sure that you first insert a USB thumb drive to copy the SAM file to. This will make mounting it much easier.

Using Offline NT Password and Registry Editor

Offline NT Password runs in command-line mode. Once booted, it displays a menu-driven interface. In most cases, the default options will step you through mounting the primary drive and removing the Administrator account password, as described next.

Step One The tool presents a list of drives and makes a guess as to which one contains the Windows operating system. As you can see from Figure 6-1, it also detects inserted USB drives. This makes mounting them much easier, because if you insert one later, the tool often will not create the block device (/dev/sdb1) necessary to mount it.

In this case, the boot device containing Windows is correctly identified by default, so simply press ENTER to proceed.

Step Two Next, the tool tries to guess the location of the SAM file. In Figure 6-2, we can see that it is correctly identified as located in WINDOWS/system32/config.

Figure 6-2. Finding the SAM file

[View full size image]

Again, the correct action is preselected from the menu by default. Before continuing, however, we want to copy the SAM file to the USB drive. Since Offline NT Password is built on a simple Linux system, we can invoke another pseudo-terminal by pressing ALT-F2. This opens another shell with a command prompt. Mount the USB drive using the device name identified in step one and shown in Figure 6-1:

mount /dev/sdb1 /mnt

Next, copy the SAM and SECURITY files to the USB drive. Offline NT Password mounts the boot disk in the directory /disk.

cp /drive/WINDOWS/system32/config/SAM /mnt
cp /drive/WINDOW/system32/config/SECURITY /mnt

Make sure you perform a directory listing of your USB drive to confirm you’ve copied the files correctly, as shown here:

Now return to the menu on pseudo-terminal one by pressing ALT-F1, and then press ENTER to accept the default location of the SAM file.

Step Three The tool will now look into the SAM file and list the accounts. It will then give you the option to remove or replace the selected account password. By default, the Administrator account will be selected, as shown here:

Once selected, the default option is to simply remove the password, as shown next. Although there is an option to reset the password to one of your own choosing, this is not recommended because you risk corrupting the SAM file. Press ENTER to accept the default.

Step Four Once the password is successfully removed from the SAM file, it must be written back to the file system. As shown here, the default option will do this and report success or failure, so press ENTER:

With the SAM file successfully written back to the file system, simply press ENTER for the default option to not try again, and the menu will exit. Remove the CD and reboot the system. You will now be able to log in as the local Administrator with no password.

Recovering the Administrator Password

Despite widely publicized best practices, in more cases than not the LAN Manager (LM) hash for the Administrator account will still be present on the local machine. This hash can easily be cracked to reveal the local Administrator account password. This password will almost never be unique to just one machine and will work on a group of computers on the target network. This will allow virtually full control of any peer computer on the network that shares the password.

Since you’re on the client’s site and using their equipment, your choices may be more limited than your lab, but options include:

• Bringing rainbow tables and software with you on a large USB hard drive

• Using a dictionary attack with Cain or L0phtCrack

• Taking the SAM file back to your office to crack overnight

• Sending the SAM file to a member of your team on the outside

If you are working as a team and have someone available offsite, you may want to send the hashes to your team across the Internet via e-mail or web-based file sharing. This does present a risk, however, as it may be noticed by vigilant security personnel or reported by advanced detective controls. If you do decide to send the hashes, you should strongly encrypt the files, not only to obscure the contents but also to protect the hashes from interception or inadvertent disclosure. In our example, we’ll use Cain and rainbow tables from a USB hard drive running on the provided equipment now that we can log in as the local Administrator with no password.

Disabling Antivirus

Cain, like many gray hat tools, is likely to be noticed by almost any antivirus (AV) product installed on the system you’re using. If Cain is detected, it may be reported to the manager of the AV product at the company. Disabling AV software can be accomplished in any number of ways depending on the product and how it’s configured. The most common options include:

• Uninstall it (may require booting into Safe Mode)

• Rename the files or directories from an alternative OS (Linux)

• Suspend the process or processes with Sysinternals Process Explorer

An AV product is typically included in the standard disk image used during the workstation provisioning process. Finding the AV product on the computer is usually a simple process, as it likely has a user-level component such as a tray icon or an entry in the Programs menu off the Start button. In their simplest forms, AV products may simply be removed via the Add or Remove Programs feature located in the Control Panel. Bear in mind that after you remove the AV product, you are responsible for the computer’s safety and behavior on the network, as AV is a first-line protective control. The risk is minimal because typically you’re not going to use the computer to access websites, read e-mail, instant message, or perform other high-risk activities.

If you are having difficulty uninstalling the AV product, try booting into Safe Mode. This will limit which applications are loaded to a minimum, which in many cases will negate the active protective controls built into AV products allowing you to uninstall them.

If the product still will not uninstall even while in Safe Mode, you may have to boot the computer with an alternative OS that can mount an NTFS file system in read/write mode, such as Ubuntu or Knoppix. Once the NTFS is mounted under Linux, you can then rename the files or directory structure to prevent AV from loading during the boot process.

As an alternative, you may suspend the AV processes while you work. This may be necessary if the AV product is difficult to uninstall from the local machine without permission from the centralized application controller located somewhere else on the network. In some cases where an enterprise-level product is in use, the AV client will be pushed back onto the workstation and reinstalled if it’s not detected during periodic sweeps. You can use Sysinternals Process Explorer, procexp, to identify and suspend the processes related to the AV product. You may need to play with permissions to achieve this. To suspend a process using procexp, simply right-click the desired process from the displayed list and select Suspend from the drop-down menu, as shown in Figure 6-3. To resume the process, right-click it and select Restart from the drop-down menu.

Figure 6-3. Process Explore

[View full size image]

While the processes are suspended, you will be able to load previously prohibited tools, such as Cain, and perform your work. Keep in mind that you must remove your tools when you are finished, before you restart the AV processes, or their presence may be reported as an incident.

Raising Cain

Now that AV is disabled, you may load Cain. Execute the ca_setup.exe binary from your USB thumb drive or CD and install Cain. The install process will ask if you would like to install WinPcap. This is optional, as we will not be performing password sniffing or man-in-the-middle attacks for our simulated attack. Cain is primarily a password-auditing tool. It has a rich feature set, which could be the subject of an entire chapter, but for our purposes we’re going to use Cain to

• Recover the Administrator password from the SAM file

• Identify key users and computers on the network

• Locate and control computers that use the same local Administrator password

• Add our account to the Domain Administrators group

Recovering the local Administrator Password

With Cain running and the USB drive containing the recovered SAM file from the previous section inserted, click the Cracker tab, and then right-click in the empty workspace and select Add to List. Click the Import Hashes from a SAM Database radio button and select the recovered SAM file from the removable drive, as shown here:

Next you’ll need the boot key. This is used to unlock the SAM file in the event it is encrypted, as is the case in some configurations. Click the selection icon (…) to the right of the Boot Key (HEX) text box, and then click the Local System Boot Key button, as shown here:

Select and copy the displayed key, click Exit, and then paste the key into the Boot Key (HEX) text box. Click the Next button and the account names and hashes will appear in the Cracking window.

In our example, we’re going to recover the password using a cryptanalysis attack on the LM hashes. Using presorted rainbow tables, on a 1TB USB hard drive in this case, and Cain’s interface to the Rainbow Crack application, most passwords can be recovered in under 30 minutes. Right-click in the workspace of the Cracker section of Cain and select Cryptanalysis Attack | LM Hashes | via RainbowTables (RainbowCrack), as shown here:

Next you’ll be prompted to select the rainbow table files to process, in this case from the USB device. After the processing is complete, found passwords will be displayed in the Cracker section next to the account name. The lock icon to the left will change to an icon depicting a ring of keys, as shown here:

Now that we know what the original local Administrator password was, we can change it back on our machine. This will allow us to easily identify other machines on the network that use the same local Administrator password as we continue to investigate the network with Cain.

Identifying Who’s Who

Cain makes it easy to identify available domains, domain controllers, database servers, and even non-Windows resources such as Novell NetWare file servers. Cain also makes it easy to view both workstation and server machine names. Most companies use some sort of consistent naming convention. The naming convention can help you identify resources that likely store or process sensitive information; for example, a server named paychex might be worth looking at closely.

Using Cain’s enumeration feature, it is possible to view user account names and any descriptions that were provided at the time the accounts were created. Enumeration should be performed against domain controllers because these servers are responsible for authentication and contain lists of all users in each domain. Each network may contain multiple domain controllers, and they should each be enumerated. In some cases, the primary domain controller (PDC) may be configured or hardened in such a way that username enumeration may not be possible. In such cases, it is not unusual for a secondary or ternary domain controller to be vulnerable to enumeration.

To enumerate users from a domain controller with Cain, click the Network tab. In the left panel, drill down from Microsoft Windows Network to the domain name you’re interested in, and then to Domain Controllers. Continue to drill down by selecting the name of a domain controller and then Users. When the dialog box appears asking Start Users Enumeration, click Yes and a list of users will appear in the right panel, as shown in Figure 6-4.

Figure 6-4. PDC User Enumeration with Cain

[View full size image]

From this hypothetical list, the BDover account stands out as potentially being highly privileged on the COMHUGECO domain because of its PC Support designation. The DAlduk and HJass accounts stand out as users likely to handle sensitive information. To see what domain groups BDover is a member of, open a command prompt and type

net user BDover /domain

To see which accounts are in the Domain Admins group, type

net group "domain admins" /domain

In our hypothetical network example, BDover is a member of the Domain Admins group. We now want to locate his computer. A simple way to do this is by using the PsLoggedOn tool from the Sysinternals Suite. Execute the command

psloggedon.exe –lx BDover

This will search through every computer in the domain in an attempt to find BDover locally logged on. Depending on the number of computers in the domain, this may take quite a while or simply be impractical. There are commercial help desk solutions available that quickly identify where a user is logged on. In lieu of that, we can check the computer names and comments for hints using Cain.

By clicking the All Computers selection under the COMHUGECO domain in the left panel, a list of computers currently connected to the domain is displayed. In addition to the computer name, the comments are displayed in the rightmost column. As we can see here, a computer described as “Bob’s Laptop” could be BDover’s:

Using PsLoggedOn, we can check to see if BDover is logged into the computer described as “Bob’s Laptop” by issuing the following command:

psloggedon \\comhugec–x31zfp

Next, by clicking the COMHUGEEC-X31ZFP computer in the left pane of Cain, it will attempt to log in using the same account and password as the machine it’s running from. In our case, that’s the local Administrator account and recovered password. The account name that Cain uses to log into the remote computer is displayed to the right of the name. If Cain can’t log in using the local machine’s credentials, it will attempt to log in using anonymous. In our example, the local Administrator password is the same, as shown here:

Leveraging local Administrator Access

So far, we have recovered the shared local Administrator password, identified a privileged user, and found the user’s computer. At this point, we have multiple options. The right option will vary with each environment and configuration. In our situation, it would be advantageous to either add our account to the Domain Admins group or recover the BDover domain password. Either will allow us access to virtually any computer and any file stored on the network and protected by Active Directory.

Joining the Domain Admins Group

Adding a user to the Domain Admins group requires membership in that group. We know that user BDover is a member of that group, so we’ll try to get him to add our MBryce account to the Domain Admins group without his knowledge. By creating a small VBS script, go.vbs in this case, and placing it in the Startup directory on his computer, the next time he logs in, the script will run at his domain permission level, which is sufficient to add our account to the Domain Admins group. The go.vbs script is as follows:

Set objShell = WScript.CreateObject("WScript.Shell")
objShell.Run "net group ""Domain Admins"" MBryce /ADD /DOMAIN",1

To place the script in the Startup directory, simply map the C$ share using the recovered local Administrator password. This can be done from the Cain interface, from Windows Explorer, or from the command prompt with the net use command. In our example, the file should be placed in C:\Documents and Settings\BDover\Start Menu\Programs\Startup. You will have to wait until the next time BDover logs in, which may be the following day. If you are impatient, you can reboot the computer remotely using the Sysinternals PsShutdown tool, but you do so at the risk of arousing the suspicion of the user. Confirm your membership in the Domain Admins group using the net group command and don’t forget to remove the VBS script from the remote computer.

Recovering the User’s Domain Password

The simplest way to recover the user’s password, BDover in this case, is to use commercial activity-logging spyware. SpectorSoft eBlaster is perfect for the job and is not detected by commercial AV products. It can be installed in one of two ways: by using a standard installation procedure or by using a preconfigured silent installation package. The silent installation option costs more, $99 vs. $198, but will be easier to use during an insider attack exercise. Bring the binary with you because downloading it over the client’s LAN may get you noticed. To install the silent binary, place it in the Startup directory as described in the previous section or use PsExec from Sysinternals. If you must use the normal installation procedure, you’ll have to wait until the user is away from their computer and use Microsoft Remote Desktop Protocol (RDP) or DameWare. DameWare is a commercial remote desktop tool that can install itself remotely on the user’s computer and remove itself completely at the end of the session. If the user’s computer is not configured for terminal services, you can attempt to enable the service by running the following command line remotely with Sysinternals PsExec:

psexec \\machinename reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d


					  

SpectorSoft eBlaster reports are delivered via e-mail at regular intervals, typically 30 minutes to one hour, and record all login, website, e-mail, and chat activity. Once installed, eBlaster can be remotely managed or even silently uninstalled through your account on the SpectorSoft website.

It is also possible to collect keystrokes using a physical inline device such as the KeyGhost. The device comes in three styles: inline with the keyboard cable (as shown in Figure 6-5), as a USB device, and as a stand-alone keyboard. Each version collects and stores all keystrokes typed. Keystrokes are retrieved by typing an unlock code with the device plugged into any computer; it will dump all stored data to a log file. Obviously, this is not a good solution for a portable computer, but on a workstation or a server, it’s unlikely to be detected.

Figure 6-5. KeyGhost device placement

[View full size image]

Finding Sensitive Information

Along the way, you may find some users or servers you suspect contain sensitive information. Workstation and server names and descriptions can help point you in the right direction. Now that we have the keys to the kingdom, it’s very easy to access it. A tool that can help you locate further information is Google Desktop. Since we’re now a domain administrator, we can map entire file server drives or browse any specific user directory or workstation we think may contain valuable information. Once mapped, we can put Google Desktop to work to index the files for us. We can then search the indexed data by keywords such SSN, Social Security, Account, Account Number, and so forth. We can also search by file types, such spreadsheets or CAD drawings, or by any industry-specific terminology. Google Desktop can also help pinpoint obscure file storage directories that may not have been noticed any other way during the testing process.

References

Cain www.oxid.it/

DameWare www.dameware.com/

Google Desktop desktop.google.com/

KeyGhost www.keyghost.com/

Knoppix www.knoppix.org/

Offline NT Password and Registry Editor pogostick.net/~pnh/ntpasswd/

SpectorSoft eBlaster www.spectorsoft.com/

Sysinternals Suite technet.microsoft.com/en-us/sysinternals/bb842062.aspx

L0phtCrack www.l0phtcrack.com

Treasury Secretary Timothy Geithner said Tuesday the new administration will wage an aggressive two-front battle against the worst financial crisis in seven decades with commitments that could total up to $2 trillion.

But investors appeared wary of the government's latest plans. The Dow Jones industrial average plunged about 300 points in afternoon trading as financial stocks led the market lower, reflecting Wall Street's growing concerns about the government's ability to revive the banking industry.

The efforts were part of the government's major overhaul of the widely criticized financial rescue program.

The Federal Reserve said it would expand the size of a key lending program to as much as $1 trillion from $200 billion. The program, which has yet to begin operations, is designed to boost resources for consumer credit and small business loans.

The Fed said the program would be expanded to cover the troubled commercial real estate market and certain residential mortgages.

"Right now critical parts of our financial system are damaged," Geithner said. "Instead of catalyzing recovery, the financial system is working against recovery and that's the dangerous dynamic we need to change."

Geithner said the loss of 3 million jobs last year, and another 600,000 just last month underscored the urgency for government action.

ISLAMABAD, Pakistan, Dec. 11 -- Pakistan on Thursday closed 11 offices of a controversial Islamic charity that has been linked to last month's deadly attacks in the Indian city of Mumbai and placed the group's leader under house arrest. In India, top government officials announced a massive revamping of the country's security infrastructure, including creation of an FBI-style national agency to investigate terror attacks.

Hafiz Sayeed, the leader of the organization Jamaat-ud-Dawa, was put under house arrest in Lahore, according to a Pakistani foreign ministry official who spoke on condition of anonymity. The arrest was confirmed by a top Jamaat-ud-Dawa official.

Sayeed was one of four individuals singled out by the United Nations Security Council late Wednesday when it placed Jamaat-ud-Dawa on a list of designated terrorist organizations and imposed sanctions on the group, including a freeze on assets, a travel ban and an arms embargo. The U.N. also said the charity was directly linked to Lashkar-i-Taiba, the outlawed Pakistani militant group that Indian authorities blame for the three-day siege in Mumbai that killed at least 171 people, including six Americans.

"Pakistan has taken note of the designation of certain individuals and entities by the U.N.," Pakistani Prime Minister Yousaf Raza Gillani said in a statement hours before the house arrest, noting that the country would "fulfill its international obligations."

Also included in the sanctions were Zaki-ur-Rehman Lakhvi, the alleged operational commander and architect of the Mumbai attacks, and alleged Lashkar financiers Haji Muhammad Ashraf and Mahmoud Ahmed Bahaziq. Pakistani security forces arrested Lakhvi Sunday.

Before arresting Sayeed late Thursday, Pakistan shuttered nine Karachi offices of Jamaat-ud-Dawa and the group's main offices in Lahore and Muridke. Jamaat official Amir Hamza said Thursday night that 70 to 80 members of the organization were rounded up in raids that took place across the country. Hamza said Pakistani authorities had placed him and eight others on a wanted list and were preparing to arrest them.

"We are expecting to be picked up any minute," Hamza said. "We will fight our battles in court. We will not resort just to street protests. This is a great injustice."

Indian officials hailed Wednesday night's U.N. action as a long overdue step in the right direction, and called on Pakistan not to repeat a past pattern of arresting suspected extremists -- including Sayeed -- and then letting them go without standing trial..

"This only underscores what India has maintained throughout. That the forces of violence and terror, the organized groups which have attacked India on many occasions . . . pose a threat to civil world," Indian Deputy Foreign Minister Anand Sharma said.

Foreign Minister Pranab Mukherjee told the country's parliament that Pakistan needed to follow up on its promises of action against militant groups. "They are banning organizations. Lashkar-i-Taiba was banned. But simply they are changing names, they are changing signboards," Mukherjee said. "Faces are the same, ideology are the same. How does it help us?"

Sayeed reacted to the imposition of sanctions with a news conference at his Lahore headquarters, hours before he was placed under house arrest. He denied reports that he had met with a Mumbai attacker and said his group split from Lashkar after Pakistan banned Lashkar following a 2001 attack on India's parliament. Sayeed said Jamaat-ud-Dawa would lodge a strong protest with the U.N. and the International Court of Justice in the Hague.

"Jamaat-ud-Dawa is a thorn in the eye of India because Jamaat-ud-Dawa does not support anything which India does to Pakistan or Kashmir," Sayeed said.

Pakistan initially said Friday that it had agreed to send its spy chief, Lt. Gen. Ahmed Shuja Pasha, on an unprecedented visit to India to share and obtain information from investigators there. Later Friday, however, Pakistani officials changed their minds and decided to send a less senior intelligence official in Pasha's place, according to a Pakistani source who spoke on the condition of anonymity.

It was unclear what prompted the reversal, but the Pakistani source said the Islamabad government was "already bending over backwards" to be cooperative and did not "want to create more opportunities for Pakistan-bashing." Pakistan's defense minister, Chaudhry Ahmed Mukhtar, told reporters in Islamabad, "I will say in very categoric terms that Pakistan is not involved in these gory incidents."

Meanwhile, Indian authorities ramped up their accusations that the plot had Pakistani connections. "Preliminary evidence, prima facie evidence, indicates elements with links to Pakistan are involved," Indian Foreign Minister Pranab Mukherjee said at a news conference in New Delhi. Other Indian officials echoed the statement, but none provided details.

Evidence collected by police in Mumbai, along with intelligence gathered by U.S. and British officials, has led investigators to concentrate their focus on Islamist militants in Pakistan who have long sought to spark a war over the disputed province of Kashmir. India and Pakistan have already fought two wars over Kashmir, the battleground between Hindu-majority India and Muslim-majority Pakistan that each country claimed soon after India's partition in 1947.

A U.S. counterterrorism official said additional evidence has emerged in the past 24 hours that points toward a Kashmiri connection. "Some of what has been learned so far does fall in that direction," the official said, declining to offer specifics.

"We have to be careful here," said the official, speaking on the condition of anonymity. "When you posit a Kashmiri connection, that puts Pakistan on the table. That is huge, enormous, but what does it mean? It can be anything from people who were [initially] in Pakistan, to maybe people who used to be associated with someone in the Pakistani government, to any gradation you could find."

Pakistani President Asif Ali Zardari, who has sought a rapprochement with New Delhi, rejected widespread suspicions in India that Pakistani intelligence services may have supported the Mumbai gunmen. "The germs of terrorist elements were not produced in security agencies' labs in Pakistan," he said Friday.

Analysts said Pakistan's pledge to assist in the investigation and send its spy chief to India was a sign of the high stakes involved. When armed Kashmiri militants tried to take over the Indian Parliament in December 2001, the fallout was immediate, as both countries responded with a massive military buildup along their shared border.

"A Pakistani link here would be so utterly damaging, all the way around, to Indo-Pakistani relations," said Shaun Gregory, a professor of international security at the University of Bradford in England and a specialist on Pakistan. The decision to dispatch Pasha to India, he said, "does signal a determination on Pakistan's part to clarify that even if there's a Pakistani link here, that it had nothing to do with the government."

A senior Pakistani official said the idea for Pasha's visit came during a telephone conversation Friday between Indian Prime Minister Manmohan Singh and Pakistani Prime Minister Yousaf Raza Gillani. Singh, who had previously blamed the Mumbai attacks on groups "based outside the country," offered to provide evidence to Gillani.

"One way to ensure that" was to send Pakistan's intelligence chief, the Pakistani official said. "If there is evidence, share it."

Terror Attacks Stagger the New Mumbai

The reputation of the rising Asia financial center is battered after terrorists kill 150 in the Indian city's latest violent chapter

Indian commandos assemble on the terrace of Nariman House as they prepare an assault in Mumbai on Nov. 28. Indian newspapers have slammed the government and intelligence agencies for failing to prevent the Mumbai attacks. INDRANIL MUKHERJEE/AFP/Getty Images

Meet the targets of the Mumbai terrorist attacks: CEOs meeting their boards, millionaires looking to buy yachts, financiers prepping for a private equity conference, a prominent family and friends gathered for a wedding.

Until Wednesday night, Nov. 26, when armed gunmen sneaked in from the Arabian Sea and plunged this city into a three-day nightmare, these were the people who made up the new Mumbai; staunchly cosmopolitan, ferociously competitive on the global stage, and luminous markers of India's soaring aspirations.

Now, after three nights of gun battles and explosions that left at least 150 dead—more than a dozen of them foreigners—Mumbai may have taken a hit to its most precious asset: its reputation. "You can't keep having these events and not affect the image of the city," says Aninda Mitra, an analyst at Moody's (MCO). "But if you can't [improve things fast] the government will find itself not just worrying about the image, but the reality."

Amid an Economy Losing Steam

In recent years, Mumbai has been transformed from a city known for textiles and kitschy cinema to a financial powerhouse that serves as a gateway to India. It's the brightest beacon of the country's economic miracle, though there's still an overabundance of poverty—and no shortage of the secular strife that often threatens to rip India apart. In July 2006, 187 people were killed as coordinated bombs ripped through commuter trains in the crowded city. Three years before that, 60 people were killed by car bombs. And a decade before that, in 1992 and 1993, Hindu-Muslim riots claimed another 1,000.

Yet through it all, Mumbai has thrived, positioning itself proudly as an alternative to Hong Kong or Tokyo as the capital of Asian finance. Its stock exchange is among the world's busiest, its banking community the envy of South Asia, and its restaurants and nightlife closing in on those of any global cultural capital. "This sort of thing has happened before, and it can't stop Mumbai," says Omkar Goswami, the founder of the Corporate & Economic Research Group, and once the chief economist for India's biggest industry lobby. "Nothing has stopped our economy, nothing has changed Mumbai."

Indeed, on Friday, the Bombay Stock Exchange opened just a short distance from where terrorists still held hostages. The markets flared up in patriotic defiance, with the benchmark Sensex index closing up 66 points on a day when most expected it to drop. But India's economy has already lost steam, with GDP growth slowing to 7.6% and foreign institutional investors withdrawing more than $13 billion from its equity markets, leaving the Sensex at less than half where it stood a year ago. "The important question to ask is, what will the Indian state do now?" says Goswami. "The police, the intelligence gathering, how do you beef them up? These are the decisions which will decide what the impact of these terrorist attacks are."

Without doubt, Mumbai's economy, which contributes as much as 5% of India's $1 trillion GDP and nearly a third of its direct taxes, will take a while to limp back to normal. For three days now, trains have run empty, schools and offices have remained closed, and Mumbai residents, heeding a call from the government, have stayed indoors. On Friday afternoon, when a few people started trickling out of their homes, a false alarm about more armed gunmen at train stations sent them scrambling back. "There will be fewer board meetings, fewer deals being made, fewer people doing business," says Mitra, of Moody's. "But this won't last long." After all, says A.M. Naik, chairman of Indian engineering giant Larsen & Toubro, "Despite these issues, the world is not going to miss participating in an economy growing between 7 to 8%."

The special forces teams went room-to-room in the five-star Oberoi hotel to rescue 25 hostages, and police launched a fresh offensive to sweep out gunmen believed to be still holed up in the iconic Taj Mahal Palace and Tower hotel.

Two explosions on the top floors of the Taj were shown live on Indian television , while the Oberoi's 18th floor was engulfed in flames. As the commando teams removed the hostages, helicopters circled overhead and crowds of onlookers cheered from the street below. Five gunmen were reportedly still inside the hotel. Earlier, at least four dead bodies and a trickle of hostages were taken out of the Taj--a castle-like, 1903 landmark that was set on fire during the attacks and has been transformed into a smoldering symbol of a city under siege.

Eight Israelis were being held hostage at a Jewish outreach center, officials said, including a young rabbi and his wife. Their condition, and the total number of hostages trapped in or rescued from the hotels, was not known.

"We can say, this is the worst most brazen attacks in Indian history because people were shooting openly on the street," said police official A.K. Sharma. He was speaking at the funeral of a popular police inspector, who was killed Wednesday night while trying to stop gunmen who were attacking at the train station. "It's a violent situation that's still ongoing. Mumbai remains at war."

With the attacks stretching into their 16th hour, Prime Minister Manmohan Singh condemned the terror strikes in a nationally televised address Thursday afternoon. Some news channels split their screens to show both the prime minister speaking and the ongoing battle between security personnel and the terrorists.

Singh said the Mumbai attacks were "well-orchestrated" by terrorists, who chose well-known and high-profile targets. The prime minister called for creation of "a central agency" to investigate terrorism in India, where some 44 bomb blasts in seven different cities have killed more than 150 people since May.

As the sun set, some hostages unfurled "Save Us" banners from the windows of the Taj hotel, across from the Gateway of India monument and Mumbai's waterfront. Others climbed from upper-story windows using bed sheets tied together as ladders.

Authorities said more than 300 people were wounded in the highly coordinated attacks that started 10:30 Wednesday night. In addition to the five-star hotels, bands of masked gunmen armed with assault rifles, hand grenades and explosives attacked a popular café packed with tourists; the historic Metro Cinema; a crowded train station; the Chabad-Lubavitch Jewish center and a hospital.

In one case, a police van was stolen and gunmen opened fire in the street indiscriminately.

At the Jewish center, five rounds of shooting were heard Thursday and a grenade was thrown, said army officials who were surrounding the site and launching a rescue effort.

Despite the recent wave of bombings in India, Wednesday's assaults were seen as unprecedented, authorities said, in terms of the open, coordinated effort to lay siege to well-known symbols of India's prosperity and to places where Westerners gathered.

Sen. Barack Obama, in Indianapolis, Indiana, boards a plane Thursday to visit his ailing grandmother in Hawaii.

1 of 2

The ad plays heavily edited clips of Biden's remarks over images of Venezuelan President Hugo Chavez and Iranian President Mahmoud Ahmadinejad as well as stock videos of tanks, terrorists and a crying child.

"Listen to Joe Biden, talking about what electing Barack Obama will mean," the ad begins before introducing Biden's words from Sunday: "Mark my words. It will not be six months before the world tests Barack Obama. ... The world is looking. ... We're going to have an international crisis ... to test the mettle of this guy. ... I guarantee you it's going to happen."

The ad concludes, "It doesn't have to happen. Vote McCain." Watch a report on the mud being slung »

The McCain campaign said it will be putting the ad on airwaves in 14 battleground states.

The ad comes a day after McCain spent the day addressing economic issues on the campaign trail in Florida and as Obama takes a campaigning hiatus to visit his ailing grandmother in Hawaii.

Obama, who leads McCain 51 percent to 42 percent, according to Thursday's CNN poll of polls, will be replaced by his wife, Michelle Obama. She will fill in for the Democratic presidential candidate in Columbus and Akron, two stops in the battleground state of Ohio.

McCain will visit Colorado, a state that President Bush won in 2000 and 2004. The most recent CNN poll of polls shows Obama leading McCain there 50 percent to 44 percent.

McCain has events scheduled in Denver, Colorado Springs and Durango. Durango is on the border with New Mexico, where Obama leads by 5 percentage points, according to the most recent Research & Polling Inc. survey conducted for the Albuquerque Journal.

Biden and Gov. Sarah Palin, McCain's running mate, have both made stops in Colorado this week, and Obama will campaign there Sunday.

Biden will make Friday stops in Charleston, West Virginia; Danville, Virginia; and Martinsville, Virginia. Martinsville is on the border with the battleground state of North Carolina. Watch what's next for the candidates »

Obama campaigned Thursday in Indiana. He then flew to Honolulu, Hawaii, to spend the day with his grandmother, Madelyn Dunham, whose health is deteriorating after she suffered a broken hip. He traveled directly to her home after landing at the airport.

Obama said in an interview for Friday's "Good Morning America" that Dunham has been "inundated" with flowers and messages from strangers who read about her in Obama's 1995 book, "Dreams From My Father."

"Maybe she is getting a sense of long-deserved recognition toward the end of her life," he said.

Obama resumes campaigning Saturday with visits to three Western states. The campaign has not specified which states, but New Mexico is expected to be among them.

Palin also will have to take a break from campaigning Friday as she and her husband, Todd Palin, are scheduled to give depositions in St. Louis, Missouri, on the July firing of Walt Monegan as the Alaska public safety commissioner.

Alaska's Personnel Board is looking into whether Palin unfairly fired Monegan.

The Alaska governor is scheduled to deliver a speech Friday morning in Pittsburgh, Pennsylvania, before traveling to Missouri. She will hold a rally in Springfield before giving her deposition. Afterward, she is scheduled to drop the hockey puck at the St. Louis Blues game against the Los Angeles Kings.

On Thursday night, Palin continued her line of attack on Obama, criticizing his association with domestic-terrorist-turned-activist William Ayers and the Rev. Jeremiah Wright, the candidate's former minister.

"What did those characters see in Barack Obama? Why would they have wanted to be associated with him?" Palin asked during an interview with Fox News' Sean Hannity in Beaver, Pennsylvania.

Also Thursday, Palin addressed the Republican National Committee's purchase of $150,000 in pricey clothing for her, telling the Chicago Tribune that most of the clothes are still in her campaign airplane.

The designer clothing she has worn, she said, will be returned, auctioned off or donated to charity.

"If people knew how Todd and I and our kids shop so frugally. My favorite shop is a consignment shop in Anchorage, Alaska, called Out of the Closet," she said. "It is not Fifth Avenue-type of shopping."

She further suggested that gender bias was driving the controversy.

"Hillary Clinton was held to a different standard in her primary race. Do you remember the conversations that took place about her, say superficial things that they don't talk about with men -- her wardrobe and her hairstyles, all of that?" she asked. "That's a bit of that double standard."