SourceAvengers Blog

0x00-0xff, Indiana, United States
SourceAvengers Blog - I am a Junior in College, have competed and won in multiple Capture the Flag events, competed in the Indiana CCDC for two years, and founder of The Computer Security Group of Indiana University Southeast. I enjoy network security, penetration testing and programming. I also greatly enjoy video games and action movies.

Wednesday, October 5, 2011

Louisville Info Sec ISSA NetKofTH Write Up

Hello,
As some of you may know I competed in the NetKofTH (Network King of the Hill) last year. But this year I had a better coordinated and better planned out strategy for the gameplay of the day during this competition. So without further ado here is my writeup.

I have to give props to Adrian Crenshaw for an amazing competition setup once again. I truly enjoyed the setup of this year's network and cannot wait until next year's competition. Also I would like to thank my competitors; without you this competition each year wouldn't be nearly as exciting! Okay, enough with the thanks, time to get down to business.

The competition started out rather slow; the first hour or two people were just scanning the boxes and trying to determine what exploits could be used to get root access to the machines on the network. My laptop had been repaired 3 weeks before this for a broken pc adapter, and the adapter died again, so my computer was out of commission. We only had Brandon Grindotti's laptop; he was my teammate and Vice President of The Computer Security Group of IUS. So I immediately booted BackTrack up on his laptop and started hacking away at the machines on the network.

Joshua Atkins, my Treasurer for our student group, used his laptop to search for information and exploits that we could find for the machines on the network. Brandon had managed to get us an empty room very close to the NetKofTH competition. And Josh and Brandon kept swapping turns finding exploits and information for me while I was using BackTrack to hack the machines.

I managed to get a meterpreter shell on the Windows box using the ms08_netapi exploit to hack the msrpc service on the machine. I migrated the meterpreter session immediately to a critical system process that, if shut down, restarts the computer, thus preventing it from being easily killed by an opposing competitor. I then added multiple users and changed the password for the user I had hacked on the Windows machine.

I got a Linux box through the vulnerable Samba version. The same exploit that had worked last year worked this year for the Linux box. I did a lot of the same things to the Linux box as the Windows box. I then started to work on hacking the other boxes. Josh was checking the status of our pages and we noticed Hackercon had gotten into one of our boxes. I was then stuck killing their process and replacing the website file for about the next hour or two, till finally they reset it a few times, changed the root password and killed the vulnerable services and unrecognized services.

They started to gain on us, and an hour before the competition was over they passed us in points. They got about 50 points ahead of us, and 15 minutes before the competition was over I finally decided to pull our last resort, which the team UKY had won with last year. To test if it was working I ARP spoofed the router that was being scored to see if we would receive a point for it.

Lo and behold, the scoring box gave us a point for the router because of our local Apache server. So at that point I opened 7 more tabs and ARP spoofed the remaining scored machines. In the period of 15 minutes we gained 120 points and got almost 100 points ahead of Hackercon before Adrian ended the competition and put static ARP in place. His message was "I put static arp :)!!!!". But it was definitely exciting. Next year we will have even more tricks to pull because we're already coming up with new ways to win it :). I LOVED competing this year; it was so high energy and fast paced, it was amazing. I hope to see you all next year in a competition :).

Tuesday, August 16, 2011

Default Password Policies and Their Failure to Secure Clients

Hello,
I have been doing some research into the effectiveness of default password policies and the protection they offer their clients. An example I can give is a password that incorporates parts of the connection owner's name and serial numbers from some hardware being used for the actual connection to their internet. You don't need to social engineer the network owners to narrow down the possibilities. In fact, in most cases a simple word list and a good GPU is enough to thwart the security efforts of the company in question.

The problem with using names as part of the default password policy of your company is the fact that there is a very narrow margin of options for the attacker to have to go through to break the password. An attacker need only visit the Census website and download the list of 88,000 last names. This list is already organized from the highest occurrence of names to the least. This makes it much easier to increase the speed and effectiveness of a wordlist-based attack on the passwords of a client. The password policy for companies needs to be more abstract to make brute force and word list attacks infeasible. Relying on the encryption protocol to be slow enough to thwart the efforts of brute forcing is not an effective security strategy.

Another note is that if a client is broadcasting the default name for a device, then you can be reassured that under most circumstances the following facts will be true. 1) The person most likely is not tech savvy enough to change the settings themselves or was just too lazy to. 2) The default password will most likely be used. 3) The client will most likely not be able to recognize that an intrusion of some sort has occurred.

Some effective means of thwarting these attack vectors would be to incorporate the following. 1) Make the default password policy more secure (upper case letters, numbers, lower case letters, and symbols). 2) The password must be a minimum of 12-14 characters to make brute forcing an almost impossible task. 3) Educate your clients on why it is important to customize the password to something different from the default policy.
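As an added illustration of the argument above (not code from the original post), the block below estimates the search space of a "surname + serial digits" default password against a random 14-character one, and checks a candidate against the policy in the list above. The 88,000 surname figure comes from the post; the 4-digit serial suffix and the guess rate are assumptions.

```python
import math
import secrets
import string

# Figures for the default scheme criticised in the post: ~88,000 census
# surnames (from the post) plus a short serial-number suffix (assumed 4 digits).
CENSUS_SURNAMES = 88_000
SERIAL_DIGITS = 4
GUESSES_PER_SECOND = 1e9  # assumed offline guess rate for one GPU; illustrative only

POLICY_MIN_LEN = 12
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def default_scheme_entropy_bits():
    """Bits of entropy in a 'surname + N-digit serial' default password."""
    return math.log2(CENSUS_SURNAMES * 10 ** SERIAL_DIGITS)


def random_scheme_entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Bits of entropy in a uniformly random password of the given length."""
    return length * math.log2(alphabet_size)


def worst_case_crack_seconds(bits, rate=GUESSES_PER_SECOND):
    """Time to exhaust the whole search space at the assumed guess rate."""
    return 2 ** bits / rate


def violates_policy(password, owner_name="", serial=""):
    """Return the rule violations for a candidate default; [] means it passes."""
    problems = []
    if len(password) < POLICY_MIN_LEN:
        problems.append("too short")
    if not any(c.isupper() for c in password):
        problems.append("missing upper")
    if not any(c.islower() for c in password):
        problems.append("missing lower")
    if not any(c.isdigit() for c in password):
        problems.append("missing digit")
    if not any(c in SYMBOLS for c in password):
        problems.append("missing symbol")
    if owner_name and owner_name.lower() in password.lower():
        problems.append("contains owner name")
    if serial and serial[-SERIAL_DIGITS:] in password:
        problems.append("contains serial digits")
    return problems


def generate_default_password(length=14):
    """Random default unrelated to the customer, drawn until it passes the policy."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not violates_policy(candidate):
            return candidate
```

Under the assumed rate the whole name-plus-serial space is exhausted in under a second, while the random 14-character space is about 2^90 guesses.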

Another important factor is, for example, WiFi networks. If your company has a default policy for the WiFi network name, it shouldn't include any identifying information that links it to the real-life owner of the account. The broadcasting of a default WiFi network name is a major target for an attacker, because the attacker knows that one of the aforementioned vulnerabilities will most likely be in place. Also, broadcasting something as important as the last 4 numbers of the account holder of the WiFi network is a dangerous thing to be doing. This should NEVER be an occurrence. Anyone within WiFi range can exploit the publicity of those numbers to their own gain, especially if they can manage to get into the personal network of the vulnerable account in question.

So all in all, passwords have developed much needed complexity as time has progressed, but the security standards of corporations are still way too lax. We cannot allow clients to be vulnerable to attack for the sole purpose of the company not being inconvenienced for even the smallest amount of time. Improving the security standards of your corporation is a must, or you will see a major public failure that will destroy your reputation as a good company to go through.