EH-Net
  Show Posts
1  Features / July 2009 - Prison Break / Re: [Article]-Prison Break - Breaking, Entering and Decoding on: September 09, 2009, 05:33:43 PM
OK, here are my responses.  Anyone care to comment?


Challenge Question 1: What is the most probable reason Michael could not get network connectivity from the desk Ethernet jack? What actions should the team take to determine exactly what is going on, collect full traffic captures, and gain full access to the network?


A probable explanation is that GATE corporation is using the equivalent of Cisco's port security on the network port where Michael was connected.  This allows them to lock down the use of a port to a device with a specific MAC, or a range of MACs (for VOIP phones with a built-in switch).

The team should try to spoof the MAC of the VoIP phone in order to gain network access.  If the MAC of the phone is not easily accessible, they could reconnect the phone to a portable Ethernet hub and sniff the DHCP requests.  This would likely require a portable power injector like the Cisco AIR-PWRINJ1.  Once the MAC is discovered, use the "macchanger" utility included on the BackTrack 4 CD to spoof the MAC and issue a DHCP request.

As long as the network port allows traffic beyond SIP and voip protocols, the team should be able to continue with their packet captures.

Challenge Question 2: What tool should Lincoln download, if any, to be able to capture traffic on the desktop computer?

From the screenshot provided, it looks like nmap 4.85beta9 and windump have been copied to the machine already. Since nmap includes the winpcap libraries that windump relies on, it is only necessary to unpack and install them. Given that the account we have on the desktop is Administrator, we won't need to perform a reboot to use winpcap.

As described below, unless an unzip utility like winrar, 7-zip, or pkunzip is available, we would need to get that in place. If Java is installed, it may be possible to use the "jar" utility to uncompress the nmap package.

Challenge Question 3: Starting with the reverse connection from the desktop computer, describe a step-by-step approach that could be applied prior to 09:00 the next day in order to capture the network traffic on the remote network and get a capture file for further in-depth analysis. Make sure your approach follows Michael's advice to avoid detection.

First, winpcap libraries must be installed so that we can capture packets using windump. Fortunately, the nmap package that is present on the General's machine includes a version of the winpcap installer that can be started in silent mode.

The biggest problem we face is unzipping the nmap package. Upload a copy of 7-zip or some other unzip utility that would escape detection (this should be ok to upload, since the filesize of 7-zip is 939,956 bytes).

Note: although this is one way of unzipping the file, it is certainly not the best way. It would probably be detected since the new software will show up in Add/Remove programs, and any host based package management or inventory software will detect it.

Follow the steps below to unzip and install the necessary software and begin the packet capture.  All of these steps are performed from within the Metasploit console, unless otherwise indicated.

1. Navigate to C:\Scylla:

Code:
cd /Scylla

2. Upload the 7-zip installer and run it in silent mode:

Code:
upload 7z465.exe
execute -f "7z465.exe /S /D=C:\Scylla"

3. Unzip the nmap package and install winpcap:

Code:
execute -H -i -f "cmd"
cd \Scylla
"c:\program files\7-zip\7z" x nmap-4.85BETA9-win32.zip
cd nmap-4.85BETA9
winpcap-nmap-4.02.exe /S

4. Once winpcap is installed, we can create a script to run windump from a hidden shell:

Code:
echo CreateObject("Wscript.Shell").Run "C:\Scylla\windump.exe -w capture.pcap", 0, False > run.vbs

5. Run the script as follows:

Code:
cd /Scylla
execute -H -f "run.vbs"

It may be possible to run the script as a scheduled task, but running it by hand is simpler at this point. It would also make sense to add further options to the windump command line to capture only the first 1000 or so packets after the General begins his web session. Once the packet capture is finished, use the other allotted transfer of a file to retrieve the capture from the desktop.

One major flaw in this approach is the fact that Windows UAC will prompt the user that the software installation is taking place.  As an administrator it is possible to disable this prompting according to the following (from http://blogs.msdn.com/windowsvistasecurity/archive/2007/08/09/faq-why-can-t-i-bypass-the-uac-prompt.aspx):
   
Having said all that, there is a Local Security Policy option to change the behavior of the elevation prompt for Administrators to "elevate without prompting". With this option selected, anything that requests elevation gets elevated without prompting the user. (The default setting is "prompt for consent"; the third option is "prompt for credentials". Note that "elevate without prompting" is available only for members of the Administrators group. The options for standard users are "prompt for credentials" and "automatically deny elevation requests".) While "elevate without prompting" may be useful in well-constrained, secure environments for automated testing and possibly for initial system setup, having this option selected otherwise is very risky and strongly discouraged. (Note also that Vista's Home SKUs do not include the policy editor.)
The challenge here is that this needs to be performed with the Local Policy Editor, which requires GUI access.  I didn't have a chance to perform this myself, but it may be possible to use the "getgui" custom meterpreter script to enable RDP to the desktop.  With that in place, an RDP session could be established to the desktop.  From there, using the policy editor could be accomplished.

Challenge Question 4: Help the team complete this aspect of their mission by analyzing the packet capture file collected on the desktop computer and provide detailed information about the environment. Your response should at least include the type of network traffic collected, details about the General’s laptop computer, details about the Scylla Codes server plus any other server available, and provide the names and contents of the files stored on the server the input passphrase is based on.

I began by loading the packet capture into Wireshark.  I first noticed that there was SSL data in the capture. Fortunately, the server's private key can be found in the backup.zip file provided by Roland.

In order to decode the HTTPS session data in Wireshark, I loaded the server's private key, by performing the following steps:

1. Navigate to Edit -> Preferences -> Protocols -> SSL
2. In the RSA keys list field, type the following:

Code:
10.10.20.94,443,https,/path/to/server.key

We now have the capability of following decrypted SSL streams in the session. Following each transaction in order, we have the request/response cycles listed below.

<all HTTP request/responses redacted for brevity - suffice it to say that all images and HTML data was recovered.>
 
Analysis of hosts based on packet capture
The packet capture contains 7 request/response cycles originating from 10.10.10.91 (the General's laptop), destined for 10.10.20.94 (the server).  The transactions were sent over an SSL connection.  No other hosts appear in the packet capture, and all miscellaneous network traffic, such as ARP, has been removed.

Laptop Details

MAC: 00:0c:29:d5:ed:7c
IP: 10.10.10.91
O/S: Microsoft Windows Vista
Browser: Internet Explorer 7
Architecture: x86
Features: .Net common language runtime v. 2.0.50727, .Net common language runtime v. 3.0.04506, Security Licensing Component

Most of this was determined using the UA-string in the requests:

Code:
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506)

Server Details

MAC: 00:0c:29:5e:e8:ca
IP: 10.10.20.94
O/S: Unix
HTTP Server: Apache 2.2.8
Features: mod_ssl 2.2.8, OpenSSL 0.9.8g, mod_dav 2, PHP 5.2.9

This was determined from the server response headers:

Code:
Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8g DAV/2 PHP/5.2.9

Challenge Question 5: What are the validation code and input passphrase used by the General to generate the Scylla validation code for this week?

I was able to determine from the HTTP post below that the code is: “6189db841f01413a05a53b7135137a17”.

Code:
POST /code.php HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, */*
Referer: https://www.scyllacodes.com/
Accept-Language: es
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506)
Host: www.scyllacodes.com
Content-Length: 37
Connection: Keep-Alive
Cache-Control: no-cache
 
code=6189db841f01413a05a53b7135137a17

The file that was downloaded, file.zip, contained two files that appear to be robots.txt files.  The files, new.txt and old.txt hold a long list of directories and files on the server.  Digging through the old.txt file, there are several filenames that indicate they were part of a government website.  One line in the file stood out:

Code:
Disallow: /infocus/httpwwwwhitehousegovinfocusg/text

The validation code looks like an md5 hash to me, so after a little digging, I found that the hash “6189db841f01413a05a53b7135137a17” is the md5 hash returned for the string “http://www.whitehouse.gov/robots.txt".  I confirmed this with the following php code:
Code:
php -r 'echo md5("http://www.whitehouse.gov/robots.txt") . "\n";'

I am going to presume that the input passphrase is the string above (the URL http://www.whitehouse.gov/robots.txt), and that the validation code is the md5 hash produced.

I have a strong suspicion that the two GIF images (Scylla.gif and TheCompany.gif) contain hidden information.  I stumbled across a site that allows users to generate logos using the same font and color scheme that Google uses (http://googlefont.com).  I generated my own images and noticed that the canvas sizes of the GIFs were identical to those that were recovered from the packet capture.  However, the images I generated were about one quarter of the size of those recovered.

BONUS QUESTION: Briefly describe your recommendations about how The Company could have detected and defended against the tactics you described in your answer to Question 3.

The simplest way to detect the method I described would be to implement group policy that would prompt even the Administrator account when installing software.  As mentioned earlier, the policy should be set to either "Prompt for consent" or "Prompt for credentials".
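The Question 4 and 5 analysis above is done by hand in Wireshark. The following script is an added example, not part of the original post, that reproduces the same evidence extraction programmatically: it parses a raw HTTP request, derives the client fingerprint from the User-Agent and UA-CPU headers, splits the Apache Server header into components, pulls the posted validation code out of the form body, and checks candidate passphrases against the code by MD5. The sample request and Server header are constructed from the values quoted in the post; the NT-version mapping is a well-known table, and the `main` block's candidate passphrase is the one the post proposes (its hash is printed, not assumed).

```python
"""Analyst helpers for the Scylla capture walkthrough (added example).

Reconstructs the evidence the post extracts from the decrypted HTTPS
session: client fingerprint, server stack, posted validation code, and
an MD5 check of candidate passphrases against that code.
"""
import hashlib
import re

# Constructed from the POST quoted in the post (same headers and body).
SAMPLE_REQUEST = (
    "POST /code.php HTTP/1.1\r\n"
    "Referer: https://www.scyllacodes.com/\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "UA-CPU: x86\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; "
    ".NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506)\r\n"
    "Host: www.scyllacodes.com\r\n"
    "Content-Length: 37\r\n"
    "\r\n"
    "code=6189db841f01413a05a53b7135137a17"
)
# Constructed from the Server header quoted in the post.
SAMPLE_SERVER_HEADER = "Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8g DAV/2 PHP/5.2.9"

# Windows NT kernel version -> product name (well-known mapping).
NT_VERSIONS = {"5.1": "Windows XP", "6.0": "Windows Vista", "6.1": "Windows 7"}


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (request_line, headers, body).

    Header names are lower-cased so lookups are case-insensitive.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def client_fingerprint(headers):
    """Derive browser, OS, architecture and .NET CLR versions from headers."""
    ua = headers.get("user-agent", "")
    info = {"browser": None, "os": None, "arch": headers.get("ua-cpu"), "clr": []}
    m = re.search(r"MSIE (\d+)\.\d+", ua)
    if m:
        info["browser"] = f"Internet Explorer {m.group(1)}"
    m = re.search(r"Windows NT (\d+\.\d+)", ua)
    if m:
        info["os"] = NT_VERSIONS.get(m.group(1), f"Windows NT {m.group(1)}")
    info["clr"] = re.findall(r"\.NET CLR ([\d.]+)", ua)
    return info


def server_stack(server_header):
    """Split an Apache-style Server header into {component: version}."""
    stack = {}
    for token in server_header.split():
        if "/" in token:
            name, version = token.split("/", 1)
            stack[name] = version
    return stack


def posted_code(body):
    """Extract the 'code' field from a urlencoded form body."""
    fields = dict(pair.split("=", 1) for pair in body.split("&") if "=" in pair)
    return fields.get("code")


def match_validation_code(code, candidates):
    """Return the first candidate whose MD5 hex digest equals code, else None."""
    for phrase in candidates:
        if hashlib.md5(phrase.encode()).hexdigest() == code.lower():
            return phrase
    return None


if __name__ == "__main__":
    request_line, headers, body = parse_request(SAMPLE_REQUEST)
    print(request_line)
    print("laptop:", client_fingerprint(headers))
    print("server:", server_stack(SAMPLE_SERVER_HEADER))
    code = posted_code(body)
    print("validation code:", code)
    # Candidate from the post; the match result is computed, not assumed.
    print("passphrase:", match_validation_code(code, ["http://www.whitehouse.gov/robots.txt"]))
```

The same functions work on any request pulled from a decrypted stream, so the fingerprinting step scales from the single POST quoted here to all seven transactions in the capture.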

2  Columns / Linn / Re: [Article]-Review: Penetration Testing with BackTrack by Offensive Security Part 1 on: September 06, 2009, 10:39:51 AM
This sounds great - can't wait to read the review.

As someone whose employer doesn't provide training funds, knowing which resources are the best is very important...
3  EH-Net / News Items and General Discussion About EH-Net / Re: [Article]-September 2009 Free Giveaway Sponsor - SC World Congress 2009 on: September 04, 2009, 05:25:09 PM
This is a great opportunity - I hope the winner enjoys...

Did anybody notice anything interesting about the three keynotes?

4  Features / July 2009 - Prison Break / Re: [Article]-Prison Break - Breaking, Entering and Decoding on: September 04, 2009, 05:22:06 PM
So would it bother anyone to discuss the approach they took to solve this challenge?

My response was pretty weak on the third question, but I'm pretty sure my analysis was correct...

If nobody else minds, I'll publish my response here...
5  Ethical Hacking Discussions and Related Certifications / Web Applications / Re: Web Services Security on: September 04, 2009, 09:27:06 AM
I'm not very familiar with the .net implementations of ws-security, but here is a link to an article that discusses Microsoft's "web security enhancements" (wse):

http://www.devx.com/security/Article/15634

Also, here is a link to OASIS' standards documents:

http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss

Justin
6  Ethical Hacking Discussions and Related Certifications / Web Applications / Re: Web Services Security on: September 03, 2009, 08:39:04 PM
If you require a trust relationship, you should look into WS-Security.  Assuming you're using J2EE, there is IBM's implementation in WebSphere, and there is also Apache Rampart, the open source alternative. 

If you're using php, here is a good article: http://wso2.org/library/2814.

There are also .net alternatives.

Sorry if I took this in the wrong direction...but if you're looking for message level trust that will go beyond what SSL can provide, ws-security is probably where you want to look.

Justin
7  Columns / Editor-In-Chief / Re: [Article]-DIY Career in Ethical Hacking: The R-Rated Version on: August 31, 2009, 08:18:15 AM
Don,

I know this thread is a little old, but I just downloaded and listened.

Great presentation - really heartfelt too.  It's awesome to be able to access high quality resources like this for free.

Thanks for the hard work,
Justin
8  EH-Net / Special Events / Re: [Article]-Video: Modern Social Engineering Part II - Top 5 Ways to Manipulate Humans Over the Wi on: August 30, 2009, 05:38:32 PM
Hopefully it's only me, but the audio for the first 5 or so minutes was pretty bad - sounded like a really bad voip call piped through a speaker and back into the handset to be heard again...

Other than that, this is great stuff.
9  Features / July 2009 - Prison Break / Re: [Article]-Prison Break - Breaking, Entering and Decoding on: August 30, 2009, 02:54:04 PM
Alright,

I think I've got it figured out.  Good luck to everyone!

Justin
10  Features / July 2009 - Prison Break / Re: [Article]-Prison Break - Breaking, Entering and Decoding on: August 29, 2009, 04:06:48 PM
This is my first attempt at any of the Hacker Challenges and it is tough!

I've got most of the work done, but I'm just not cutting it on question 5.  The validation code is easy enough to get, same goes for the robots.txt files.  But I don't know where to start in attempting to find the passphrase used to generate the code...

I'm pretty certain that the images contain some hidden data, since they are several times larger than those produced at http://googlefont.com, but I'm not having a lot of luck with that one...

Any subtle, last minute hints?

Eager to see the winning submissions...

Thanks,
Justin
11  Ethical Hacking Discussions and Related Certifications / Compliance, Regulations & Standards / Re: Free eBook - PCI For Dummies by Qualys on: August 20, 2009, 09:31:07 PM
@BillV:

Certainly not cheap at all...

Looking through some of the other requirements, such as the ability for PCI SSC to audit the QSA at any time during normal business hours, I wonder how many independent QSAs are out there...

Justin
12  Ethical Hacking Discussions and Related Certifications / Compliance, Regulations & Standards / Re: Free eBook - PCI For Dummies by Qualys on: August 20, 2009, 09:26:05 PM
@Ketchup:

Good points - career-wise I've been a systems engineer/admin for almost 5yrs, and 7 yrs before that in IT operations.  It didn't strike me to structure my resume in a way that would emphasize what each job experience gave me for each knowledge domain.

Also, I hear you on the dud PCI auditors.  We are currently going through our second PCI audit, and the auditor last year was clearly underqualified.  Lately I've been reading a lot about mounting pressure on QSAs, which would explain the higher quality we are seeing with this year's auditor.

I do agree that passing an exam doesn't say much for your ability to assess compliance with PCI, et al.  More years under the belt will certainly produce a more qualified auditor, provided those are true years of learning and practice.  (i.e.: 10 years of experience, not 1 yr. experience times 10).

Thanks,
Justin
13  Ethical Hacking Discussions and Related Certifications / Compliance, Regulations & Standards / Re: Free eBook - PCI For Dummies by Qualys on: August 20, 2009, 06:16:40 PM
Aside from the $1250 fee for the exam, there is a 5yr. infosec experience requirement (or a CISSP/CISM/CISA).

Many of you may not have to worry about this, but what about those of us that don't have that 5yrs. of resume experience?

This also applies to qualifying for certs like the CISSP and others...but doesn't the X years of experience seem kind of arbitrary?  If you have the knowledge necessary to pass the exam, plus the endorsement, what does the time get you?

What are others' experiences in this regard?

Thanks,
Justin
