Hello,
As some of you may know, I competed in the NetKofTH (Network King of the Hill) last year. This year I had a better coordinated and better planned out strategy for the gameplay of the day during this competition. So without further ado, here is my writeup.
I have to give props to Adrian Crenshaw for an amazing competition setup once again. I truly enjoyed the setup of this year's network and cannot wait until next year's competition. I would also like to thank my competitors; without you this competition each year wouldn't be nearly as exciting! Okay, enough with the thanks, time to get down to business.
The competition started out rather slow; for the first hour or two people were just scanning the boxes and trying to determine what exploits could be used to get root access to the machines on the network. My laptop had been repaired 3 weeks before this for a broken PC adapter, and the adapter died again, so my computer was out of commission. We only had Brandon Grindotti's laptop; he was my teammate and Vice President of The Computer Security Group of IUS. So I immediately booted BackTrack up on his laptop and started hacking away at the machines on the network.
Joshua Atkins, the Treasurer of our student group, used his laptop to search for information and exploits that we could find for the machines on the network. Brandon had managed to get us an empty room very close to the NetKofTH competition, and Josh and Brandon kept swapping turns finding exploits and information for me while I was using BackTrack to hack the machines.
I managed to get a Meterpreter shell on the Windows box using the ms08_netapi exploit against the MSRPC service on the machine. I immediately migrated the Meterpreter session into a critical system process that, if shut down, restarts the computer, thus preventing it from being easily killed by an opposing competitor. I then added multiple users and changed the password for the user I had hacked on the Windows machine.
I got a Linux box through the vulnerable Samba version. The same exploit that had worked last year worked this year for the Linux box. I did a lot of the same things to the Linux box as to the Windows box. I then started to work on hacking the other boxes. Josh was checking the status of our pages and we noticed Hackercon had gotten into one of our boxes. I was then stuck killing their process and replacing the website file for about the next hour or two, until finally they reset it a few times, changed the root password, and killed the vulnerable services and unrecognized services.
They started to gain on us, and an hour before the competition was over they passed us in points. They got about 50 points ahead of us, and 15 minutes before the competition was over I finally decided to pull our last resort, the one the team uky had won with last year. To test if it was working I ARP spoofed the router that was being scored to see if we would receive a point for it.
Lo and behold, the scoring box gave us a point for the router because of our local Apache server. So at that point I opened 7 more tabs and ARP spoofed the remaining scored machines. In the period of 15 minutes we gained 120 points and got almost 100 points ahead of Hackercon before Adrian ended the competition and put static ARP in place. His message was "I put static arp :)!!!!". But it was definitely exciting. Next year we will have even more tricks to pull because we're already coming up with new ways to win it :). I LOVED competing this year; it was so high energy and fast paced, it was amazing. I hope to see you all next year in a competition :).
SourceAvengers Blog
- shotgunner101
- 0x00-0xff, Indiana, United States
- SourceAvengers Blog - I am a Junior in College, have competed and won in multiple Capture the Flag events, competed in the Indiana CCDC for two years, and founder of The Computer Security Group of Indiana University Southeast. I enjoy network security, penetration testing and programming. I also greatly enjoy video games and action movies.
Wednesday, October 5, 2011
Tuesday, August 16, 2011
Default Password Policies and Their Failure to Secure Clients
Hello,
I have been doing some research into the effectiveness of default password policies and the protection they offer clients. An example is a default password built from parts of the connection owner's name plus serial numbers from the hardware used for the actual internet connection. You don't need to social engineer the network owner to narrow down the possibilities; in most cases a simple word list and a good GPU are enough to defeat the security effort of the company in question.
The problem with using names as part of your company's default password policy is that it leaves the attacker a very narrow set of options to go through to break the password. An attacker need only visit the Census website and download the list of roughly 88,000 last names. That list is already ordered from the most common name to the least common, which makes a wordlist attack on a client's password faster and more effective: the most likely candidates are tried first. A company's default password policy needs to be more abstract, unrelated to anything an attacker can learn about the customer, to make brute-force and wordlist attacks infeasible. Relying on the encryption protocol's key derivation being slow enough to thwart brute forcing is not an effective security strategy on its own: a slow hash multiplies the attacker's cost by a constant, while a tiny keyspace divides it by orders of magnitude.
Another note: if a client is broadcasting the default name for a device, you can be assured that under most circumstances the following will be true. 1) The person most likely is not tech savvy enough to change the settings themselves, or was simply too lazy to. 2) The default password is most likely still in use. 3) The client most likely will not be able to recognize that an intrusion of some sort has occurred.
Some effective means of thwarting these attack vectors: 1) Make the default password policy stronger (upper case letters, lower case letters, numbers, and symbols, drawn at random rather than from customer data). 2) Require a minimum of 12-14 characters to make exhaustive brute forcing infeasible. 3) Educate your clients on why it is important to change the password to something different from the default.
Another important factor is, for example, WiFi networks. If your company has a default policy for the network name (SSID), it shouldn't include any identifying information that links it to the real-life owner of the account. A broadcast default WiFi network name is a major target for an attacker, because the attacker knows that one of the aforementioned weaknesses is most likely in place. Broadcasting something as sensitive as the last 4 digits of the account holder's number in the network name is a dangerous thing to do and should NEVER occur: anyone within WiFi range can exploit the publicity of those digits for their own gain, especially if they manage to get into the personal network behind that SSID.
All in all, passwords have gained much-needed complexity as time has progressed, but the security standards of corporations are still far too lax. We cannot allow clients to be vulnerable to attack solely so the company is not inconvenienced for even the smallest amount of time. Improving your corporation's security standards is a must, or you will see a major public failure that destroys your reputation as a good company to go through.
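To put numbers on the keyspace argument above, here is an added example (my code, written for this page, not the post's or any vendor's). It assumes the weak default policy has the shape "surname + 4-digit serial"; the ranked surname list and the per-GPU guess rate are constructed stand-ins (the real Census list has roughly 88,000 entries, which the main block plugs in), and the strong policy is the post's own recommendation generated with a CSPRNG.

```python
"""Added example: size of a 'surname + serial digits' default-password keyspace
versus a random 12-14 character password, plus a generator for the latter.
Assumptions are marked; nothing here touches a network or a real hash."""
import math
import secrets
import string

# Constructed stand-in for the ranked Census surname file (most common first).
RANKED_SURNAMES = ["smith", "johnson", "williams", "brown", "jones"]
SERIAL_DIGITS = 4                  # assumed length of the hardware serial suffix
GPU_GUESSES_PER_SECOND = 400_000   # constructed WPA2-PSK rate for one GPU

SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"
STRONG_ALPHABET = string.ascii_letters + string.digits + SYMBOLS  # 86 symbols


def keyspace_size(n_surnames, digits=SERIAL_DIGITS):
    """Number of passwords a '<surname><digits>' default policy can produce."""
    return n_surnames * 10 ** digits


def random_keyspace_size(length, alphabet=STRONG_ALPHABET):
    """Number of passwords of the given length drawn uniformly from alphabet."""
    return len(alphabet) ** length


def entropy_bits(keyspace):
    return math.log2(keyspace)


def seconds_to_exhaust(keyspace, rate=GPU_GUESSES_PER_SECOND):
    """Worst-case time for an attacker who can test `rate` guesses per second."""
    return keyspace / rate


def guess_rank(password, surnames=RANKED_SURNAMES, digits=SERIAL_DIGITS):
    """1-based position of `password` in the wordlist an attacker builds from the
    ranked surname list (most common surname first, then serial 0000..9999).
    Returns None if the password does not follow the weak policy at all."""
    name, serial = password[:-digits].lower(), password[-digits:]
    if name not in surnames or not serial.isdigit():
        return None
    return surnames.index(name) * 10 ** digits + int(serial) + 1


def contains_identifying_info(password, known_tokens):
    """True if any token an outsider could learn (surname, serial fragment,
    last digits of an account number) appears in the password."""
    lowered = password.lower()
    return any(tok.lower() in lowered for tok in known_tokens if tok)


def generate_default_password(length=14, alphabet=STRONG_ALPHABET):
    """Random default credential meeting the policy argued for in the post:
    upper and lower case, digits and symbols, at least 12 characters, and no
    customer data. Rejection sampling keeps the draw uniform over the alphabet."""
    if length < 12:
        raise ValueError("policy minimum is 12 characters")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate) and any(c in SYMBOLS for c in candidate)):
            return candidate


if __name__ == "__main__":
    weak, strong = keyspace_size(88_000), random_keyspace_size(12)
    print(f"surname+4 digits: {weak:,} candidates, {entropy_bits(weak):.1f} bits, "
          f"exhausted in {seconds_to_exhaust(weak) / 3600:.1f} GPU-hours")
    print(f"random 12 chars : {strong:.3g} candidates, {entropy_bits(strong):.1f} bits, "
          f"exhausted in {seconds_to_exhaust(strong) / 3.154e7:.3g} GPU-years")
    print("rank of 'Brown1234' in the attacker's list:", guess_rank("Brown1234"))
    print("example compliant default:", generate_default_password())
```

The point the numbers make: with the whole Census list the weak policy yields under 30 bits, which a single GPU exhausts in hours even against a deliberately slow key derivation, whereas a 12-character random password from the same 86-symbol alphabet is about 77 bits, far beyond that budget. Because the list is ranked, a customer named Smith sits at the very front of the attacker's wordlist, which is what guess_rank shows.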
Friday, November 12, 2010
Email Scraping, removing anti-OCR protections, and fixing these problems
Okay, I am going to just jump right in. There was a certain website which shall remain nameless. This website had a weakness in its function to search for people who were a part of the website. The vulnerability was that there was a folder containing all of the previous 9000+ email address images (with multi-colored anti-OCR protections) which had been loaded in the people searcher. Now, the thing is I didn't really know there were that many until I had a program count them; there were around 8500, but it kept increasing until they were all reset a day or two later and then new ones started appearing.
Okay, anti-OCR mechanisms that use a color different from the color of the text (i.e. black) FAIL. The reason is simple: someone can EASILY go in and turn every pixel that is not black to white, effectively removing all of those protections, because the noise and the text are separable by color alone. Secondly, using a common font for the images also fails. A better option would be to have the software that generates the image randomize between 3-5 fonts which are different enough to throw off OCR programs. Asprise OCR is highly recommended; if you know Java it is VERY easy to implement and extremely accurate. The final step in this OCR process is to read ALL of the images' text out into a text file, and then you have a list of thousands of email addresses. Remember, do not use this information for malicious purposes.
I also found a second vulnerability: searching for the last part of the email in the page-finder application on this site allowed you to list something like 15,000 email addresses in plain text, along with the name of the person who owns each one and their personal homepage. This being the case, a program could easily be created to capture only the email, name, homepage name, and homepage link and tie all of that information together, possibly even in a database.
Finally, the server hosting this folder of images reported an Apache version of 1.3.3.1, which is over 5 years old and vulnerable to multiple attacks (just search exploit-db for that Apache version). Anyway, you get my point: a server hosting this set of images most likely stores other private information which should not be released.
Anyway, I would like to state that I have talked with the security staff of this website and they informed me they have fixed or will soon fix these bugs so no one more malicious will exploit said vulnerabilities. I hope you enjoyed this read. I will be attaching the example source code (which works) showing how to remove anti-OCR protection; it also uses Asprise OCR, which is not free, but if you use an auto-click program you can have it automatically click the nag window so it will actually go through your images and output the text from them.
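The color-stripping step described above, as an added example (my code, not the Java source the post links to). It works on a plain list-of-rows pixel grid so it runs without an imaging library; the 7x7 sample "image" with a black glyph, a red strike-through and green speckles is constructed here, and the darkness and grey-tolerance thresholds are assumptions you would tune against a real sample. The cleaned black-and-white bitmap is what you would then hand to an OCR engine.

```python
"""Added example: defeat colour-only anti-OCR noise by keeping only pixels that
are both dark and nearly grey, and painting everything else white.
The sample image is constructed inline; thresholds are assumptions."""

BLACK, WHITE = (0, 0, 0), (255, 255, 255)
RED, GREEN, BLUE = (220, 30, 30), (30, 200, 30), (40, 40, 230)


def is_text_pixel(rgb, dark_max=90, grey_tolerance=40):
    """True for glyph pixels: every channel is dark AND the channels are close
    together (black or anti-aliased dark grey). Coloured noise fails one of the
    two tests: a bright channel, or a large spread between channels."""
    r, g, b = rgb
    return max(r, g, b) <= dark_max and (max(r, g, b) - min(r, g, b)) <= grey_tolerance


def strip_color_noise(image, **thresholds):
    """Return a pure black/white copy of `image` (list of rows of RGB tuples)."""
    return [[BLACK if is_text_pixel(px, **thresholds) else WHITE for px in row]
            for row in image]


def render(image):
    """ASCII view of a binarised image: '#' for black, '.' for white."""
    return "\n".join("".join("#" if px == BLACK else "." for px in row) for row in image)


def make_sample():
    """Constructed 7x7 image: a black 'E' glyph, a red anti-diagonal line drawn
    only over background, and green speckles, mimicking a multi-coloured
    anti-OCR overlay."""
    rows = [[WHITE] * 7 for _ in range(7)]
    glyph = ["#####", "#....", "####.", "#....", "#####"]
    for y, line in enumerate(glyph):
        for x, ch in enumerate(line):
            if ch == "#":
                rows[y + 1][x + 1] = BLACK
    for i in range(7):                         # red strike-through
        if rows[i][6 - i] == WHITE:
            rows[i][6 - i] = RED
    for y, x in [(0, 0), (3, 0), (6, 6)]:      # green speckles
        rows[y][x] = GREEN
    return rows


def count_black(image):
    return sum(px == BLACK for row in image for px in row)


if __name__ == "__main__":
    noisy = make_sample()
    clean = strip_color_noise(noisy)
    print(render(clean))
    print("glyph pixels kept:", count_black(clean))
```

The two-part test matters: a dark-but-saturated pixel such as (80, 10, 10) is rejected even though it is "dark", while anti-aliased grey such as (70, 70, 75) is kept, so glyph edges survive. The countermeasure the post argues for, varying the font, is the right one precisely because it cannot be undone by a per-pixel filter like this.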
Sourcecode in java - http://www.mediafire.com/file/j1bxwdl7f880j8b/OcrSourceCode7z
===============================Disclaimer============================================
I would like to state that at no time will I disclose which party this vulnerability (set of vulnerabilities) was found at. I wish to keep the party's details anonymous due to the unknown effects that could result if I were to release the party's information. Also, everything I am discussing here should ONLY be done for educational purposes, to study such possibilities. Do not, and I repeat, do not use any of this for malicious purposes.
Saturday, October 9, 2010
Windows Updates via the Command Line - The easy way
There have been many ways to try to update Windows from the command line, all of which range from medium difficulty to very difficult. Now it appears there is a free solution to install these updates from the command line, all from one pre-built program.
WUInstall runs from a command prompt, allowing you to update Windows without needing a GUI environment. This tool could be very useful to those who have to update a box remotely. For example, in a CTF event you could download and install the updates via the command line to help lock down the box against access from anyone else.
The command to update via the command line is WuInstall.exe /install
It's that simple: after the command runs it will automatically download and install all the Windows security updates!
Here is the link to the tool; I hope it helps you out!
http://www.wuinstall.com/
Friday, October 8, 2010
Louisville, Kentucky ISSA Capture the Flag 2010 - My writeup on making second place.
Okay, well I guess I will just say before I get started that Adrian did an amazing job with the setup of the CTF event. Now down to business. I came in at 8:30 AM, which Adrian had as the start time. So I went ahead and got started discovering the computers' ports and services with nmap. I was there until almost 10:00 AM before anyone showed up, and then there were only the two of us, neither of whom had ever competed before, so it took FOREVER for both of us to really get off the ground due to our limited experience. The first box, 10.0.0.1, was a Linux box running an Apache server and OpenSSH. The Apache server version was vulnerable, but Metasploit was having some issues trying to encode the exploit; even when I ran unsetg encoder it was still trying to encode the exploit before using it. Anyway, 10.0.0.2 was originally a Windows XP SP0 box which I gained a shell on right when Adrian decided to switch up the setup on it, due to the other competitor having had a 12 minute run with it, so I was behind. He replaced the SP0 box with an SP2 or SP3 box, not really sure which, as I focused the rest of my efforts on the wildcard box, which was a Windows 98 box. We were getting a shell but no session on the box; neither I nor my competitor managed to do it, so Adrian ended up giving an easy opportunity for points: he made the Windows 98 computer share its C drive on the network. My friend Jeff, who is my next door neighbor, was the one who found that he had shared the C drive on the network.
Jeff ended up just being a temporary team member, seeing as he was only there for about 30 minutes or so. But I "defaced" the website with my team name and scored 12 points; then Adrian changed the wildcard computer to a Linux box. So my competitor and I were tied. I scanned the Linux box 10.0.0.3; it had about 5-6 different services running, and about 2, maybe 3, services could have been exploited, but I found that the Samba version was the easiest to exploit and the most reliable. I used an exploit located under multi/samba/ in Metasploit. This gave me a reverse command shell, in which I then had to run /bin/bash to get a usable remote shell with root access. The first thing I did was create 1-2 decoy users; one was named "pwnme" and I forgot the name of the other one. I also changed the root password in order to always keep access to the box open. The computer already had OpenSSH running on it, so I just SSHed into the box as the root user. "Purehate", who was one of the people moderating the competition, repeatedly killed my Metasploit exploit process, and he took the bait and deleted the created users and didn't focus on the root user. So I had a constant SSH session open to the 10.0.0.3 box. I started to gain consistent points, and then Purehate decided to switch things up: he removed all the defaced webpages and all of us had to go back in and re-deface the pages. One of my competitors (2 more had just registered around 1 PM) had gotten the exploit working on the 10.0.0.3 Linux box and managed to block my IP address with iptables. So I went in and changed my IP address to a static IP address so I could avoid the firewall rules he had put in place. I SSHed back into the root user of the box, then used iptables to reject all other IP addresses except mine. I did make a newbie mistake and ended up blocking my own address by a typo, and then no one could access the box, so Purehate had to go in and reset it.
I had rejected connections from the 10.0.0.99 box as well, which was the score box, and so I probably lost about 20 points before I realized it wasn't gaining any more points. The site was defaced; I was just not getting points for it anymore.
Then I fixed that mistake and started pulling farther ahead of my competitor. Purehate decided to pull a trick on all of us, and on my end he deleted the /var/www/ folder, which was the website folder. I recreated the HTML file and went to the page to find out it still said the site didn't exist. I found out that in an apache2 config he had changed the allowed website directory to a directory under /root/, so I had to change it back. When I did, I found out he had deleted the www folder and I had to recreate it and the HTML file. Finally I was getting points again. But there was a team "uky" whom no one knew; they had control of the 10.0.0.1 box, or so we thought. They had set up a server with XAMPP and then ARP poisoned the scoring box so that it checked their IP address for the 10.0.0.1 site. This allowed them to not have to exploit the box or deface the site; all it did was make it so the score box would see their server as the actual site, while everyone else would have control of the boxes and actually deface the site but not receive points for it. I tried the password on the 10.0.0.1 box that I had gotten from SQL injecting the website it was hosting. I logged in as greg and found a password which was used in the 2009 CTF. It turned out the uky team had already changed it, so my easy way into the box had been eliminated, and the exploit which was supposed to work with the Apache version it was running wasn't working.
Anyway, finally it came to a close with that team having pulled ahead of me and the other competitor. I ended up with 52 points and second place. The uky team had 130. I learned a HUGE amount during this conference; Adrian and the other people managing the competition gave us hints here and there, and if we didn't know a command to do something they would tell us the base command so we could figure out which command to use and then how to use it by looking at the help pages. For the last 2 hours of the competition I had the 10.0.0.3 box under my control, but the uky team basically bypassed it for that last hour so I got no points. Anyway, I really enjoyed myself and will definitely compete next year; it was definitely interesting and fun to work on first hand the things everyone talks about with each other every day. Hope to see you there next year, everyone!!
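Both writeups on this page turn on the same trick: an ARP reply that tells the scoring box a scored IP (10.0.0.1, the router) lives at a different MAC, so the scorer fetches the attacker's own web server instead, which is why the organiser's fix was static ARP entries. Here is an added example (my code, not anything from the competition or the author) of the detection side: it parses raw Ethernet/ARP frames and reports any IP that is claimed by more than one MAC, and prints the Linux command that pins the mapping. The frames, MAC addresses and the interface name are constructed or assumed; in a live deployment the frames would come from a raw socket or a pcap.

```python
"""Added example: spot ARP spoofing of a scored host by tracking which MAC
claims each IP, and emit the static-ARP remediation.
All frames below are constructed; MACs and the interface name are assumptions."""
import struct

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def mac_bytes(s):
    return bytes(int(p, 16) for p in s.split(":"))


def ip_bytes(s):
    return bytes(int(p) for p in s.split("."))


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet + ARP 'is-at' frame of the kind an ARP spoofing tool emits
    (constructed here so the example runs offline)."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)   # Ethernet/IPv4, 6/4, reply
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    return opcode, mac_str(frame[22:28]), ip_str(frame[28:32])


def detect_spoofing(frames, trusted=None):
    """Walk frames in order. The IP->MAC table starts from `trusted` (what a
    static ARP table would hold) and otherwise learns from the first sighting;
    every later claim of a known IP by a different MAC is reported."""
    table = dict(trusted or {})
    alerts = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        opcode, mac, ip = parsed
        known = table.get(ip)
        if known is None:
            table[ip] = mac
        elif known != mac:
            alerts.append({"ip": ip, "expected": known, "claimed": mac, "opcode": opcode})
    return alerts


def static_arp_command(ip, mac, dev="eth0"):
    """Linux command that pins the mapping so spoofed replies are ignored."""
    return f"ip neigh replace {ip} lladdr {mac} dev {dev} nud permanent"


def sample_capture():
    """Constructed frames in the order a sniffer on the CTF segment might see them."""
    router, scorebox, attacker = "00:11:22:33:44:01", "00:11:22:33:44:99", "00:aa:bb:cc:dd:ee"
    ipv4_noise = mac_bytes(scorebox) + mac_bytes(router) + struct.pack("!H", 0x0800) + bytes(46)
    return [
        build_arp_reply(router, "10.0.0.1", scorebox, "10.0.0.99"),    # genuine router reply
        ipv4_noise,                                                    # not ARP: ignored
        build_arp_reply(attacker, "10.0.0.1", scorebox, "10.0.0.99"),  # spoof: 10.0.0.1 is-at attacker
        build_arp_reply(router, "10.0.0.1", scorebox, "10.0.0.99"),    # router answers again
    ]


if __name__ == "__main__":
    for a in detect_spoofing(sample_capture()):
        print(f"ALERT {a['ip']} expected {a['expected']} but {a['claimed']} claims it")
        print("  fix:", static_arp_command(a["ip"], a["expected"]))
```

Learning from the first sighting is only as good as the first frame: if the attacker spoke first, the table is poisoned from the start, which is why `trusted` exists and why the organiser's static ARP is the real fix rather than detection. The reverse check, a single MAC claiming several scored IPs in quick succession, is the signature of the "7 more tabs" moment and falls out of the same table with a MAC-keyed index.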
Saturday, August 22, 2009
Security Updates
I have been doing some random research lately into online security and have come to the conclusion that our security protections are useless. Within hours, if not less, after an update of security protocols they get cracked. I will be posting more info on this blog later this week, because I have to work tonight and don't have the chance to right now. See ya guys!!!
Monday, June 29, 2009
This is my Technology Blog
This is my technology blog. I will keep it up-to-date with the latest information off the net.