July 17, 2009 at 7:51 pm #4033 Don Donzal Keymaster
“Dad, I feel downright awful about what we did,” Peter whimpered. “We just wanted to help.”
“Before the dot com bust I was a leet haxor,” says Alice. “I had to fall back on house cleaning since I didn’t want to get stuck in a dead end job. You know they say that Pen Testing is going to be dead soon.”
“Well, with computers now we don’t need many pens, or people to test them,” responded Mike.
Carol’s blank stare and the laugh track reveal that Mike doesn’t know what he is talking about.
“Ok, let me explain to you what happened. First, let’s open Oliver’s packet capture and figure out how the kids connected to the office.” Alice continues, “If you look right at the beginning of the capture you can see that boondoggle got them into this boondoggle.”
Cisco-Li_fc:c0:6f HonHaiPr_1b:03:fa Probe Response, SN=1, FN=0, Flags=…….., BI=100, SSID=”boondoggle”
“We can see the MAC address of the access point is 00:1a:70:fc:c0:6f and the MAC address of the kids’ OLPC is 00:19:7d:1b:03:fa. If we look further we can see a lot of traffic between these two devices,” said Alice.
“But Mike, I thought you just had some kind of compliance guy come in. Why couldn’t he find the access point?” questioned Carol.
“We set the access point to not broadcast its SSID,” Cindy said sheepishly. “But it still broadcasts, you can see here that instead of broadcasting boondoggle it broadcasts null characters. The PCI assessor couldn’t get any detailed information on it unless someone connected, and we, uh, Peter, didn’t connect until after everyone was gone.”
“Cindy! You were in on this too!” Carol screamed.
Cindy shamefully bows her head and hides behind Peter. “Yes, mommy,” she whispers.
“We know how they got the access point inside and how they connected to it, but how did they access the HR database?” asked Mike.
Alice begins, “You see here where there are all these packets that say SYN and RST, ACK? They tried to connect to every port on Mr. Phillips’ machine to see what was accessible.”
“And we found that port 22 was open,” injected Greg.
“But there is only one port on the back of his machine,” Mike says, confused, which cues the laugh track again.
Alice continues, ignoring Mike’s ignorance and total noobness. “If you look down further you see lots of traffic on port 22. Traffic on port 22 is typically ssh, and from the number of attempts it appears they tried to brute force the password and eventually got in.”
“Mike, your office, do they ever patch?” asks Alice.
“There was an issue with Debian where the encryption wasn’t as strong as it could be. I wonder if we might be able to see what the kids did,” Alice ponders.
A look of fear comes across the children’s faces. Alice breaks out her laptop and gets to work. She, like Ed Skoudis, is a Josh Wright fan and goes to willhackforsushi.com. She looks over the “Decrypting Debian-Vulnerable SSH Traffic” and works her mojo with Wireshark to extract the session. She then runs Josh’s tools against the dump and ends up with the encrypted traffic from the server.
“Well, the laptop was patched, but the server wasn’t, so we can see the server’s half of the conversation. First thing the kids did was to look around a bit to see if anyone else was connected and what was running. After that they came across a php file that contained credentials to the database and used those credentials to create their own php to run commands against the database.”
“As you can see they searched around and eventually found the payroll database and the salary table. They eventually came across the payroll information. By the way Mike, you are due for a raise if the perfume warehouse design goes well, and you get paid just $18,500.”
“Yeah, dad, that is why we thought we would help and bump your salary to $185,000!” said Greg with glee.
“Well kids, I appreciate the help but I want to build my salary on my own. Get it, build, I’m an architect.”
The kids groan, the stupid laugh track kicks in again, and fade to credits.
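The two things Alice reads off the capture, the cloaked SSID that still shows up in beacons and probe responses, and the SYN / RST,ACK sweep followed by a pile of port 22 connections, are easy to check for in code. The block below is an added example and is not part of the post or the challenge answer. It runs on constructed records rather than the real pcap so it works offline: a hand-built 802.11 tagged-parameter blob stands in for the management-frame body, and a list of (src, dst, dport, reply_flags) tuples stands in for a conversation summary exported from Wireshark. The 10.0.0.x hosts and the thresholds are placeholders, not values from the capture.

```python
"""Capture triage for the scenario in the post above.

Added example, not code from the original post or challenge.  It works on
constructed records rather than a real pcap: a hand-built 802.11
tagged-parameter blob stands in for the beacon/probe response body, and a
list of (src, dst, dport, reply_flags) tuples stands in for a TCP
conversation summary.  Hosts and thresholds are placeholders.
"""
from collections import defaultdict

# 802.11 management frames carry a list of information elements after the
# fixed header fields: 1-byte element id, 1-byte length, then the value.
SSID_ELEMENT_ID = 0
RATES_ELEMENT_ID = 1
DS_PARAM_ELEMENT_ID = 3


def parse_tagged_params(body: bytes) -> dict:
    """Return {element_id: value} parsed from a tagged-parameter blob."""
    elems = {}
    i = 0
    while i + 2 <= len(body):
        elem_id, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) < length:      # truncated element: stop, keep what we have
            break
        elems[elem_id] = value
        i += 2 + length
    return elems


def ssid_status(body: bytes):
    """Classify the SSID element as ('visible', name), ('hidden', None) or ('absent', None).

    A "non-broadcast" access point still sends beacons and probe responses;
    it only cloaks the name, either as a zero-length SSID or as a run of
    NUL bytes the length of the real SSID.
    """
    elems = parse_tagged_params(body)
    ssid = elems.get(SSID_ELEMENT_ID)
    if ssid is None:
        return ("absent", None)
    if len(ssid) == 0 or set(ssid) == {0}:
        return ("hidden", None)
    return ("visible", ssid.decode("utf-8", "replace"))


def build_tagged_params(ssid: bytes, channel: int = 6) -> bytes:
    """Construct a tagged-parameter blob (SSID, supported rates, DS parameter) for testing."""
    rates = bytes([0x82, 0x84, 0x8B, 0x96])    # 1, 2, 5.5, 11 Mbps, basic-rate bit set
    return (bytes([SSID_ELEMENT_ID, len(ssid)]) + ssid
            + bytes([RATES_ELEMENT_ID, len(rates)]) + rates
            + bytes([DS_PARAM_ELEMENT_ID, 1, channel]))


def classify_flows(flows, scan_ports=100, ssh_connects=10):
    """Flag port scans and SSH brute forcing from per-connection records.

    Each record is (src, dst, dport, reply) where reply is the flag set the
    target answered with.  Many RST,ACK replies across distinct ports from one
    source is a SYN/connect scan; many completed handshakes (SYN,ACK) to port
    22 from one source is the reconnect pattern of a password brute-force tool.
    """
    closed_ports = defaultdict(set)
    ssh_sessions = defaultdict(int)
    for src, dst, dport, reply in flows:
        if reply == "RST,ACK":
            closed_ports[(src, dst)].add(dport)
        elif dport == 22 and reply == "SYN,ACK":
            ssh_sessions[(src, dst)] += 1
    findings = []
    for (src, dst), ports in closed_ports.items():
        if len(ports) >= scan_ports:
            findings.append(("port_scan", src, dst, len(ports)))
    for (src, dst), n in ssh_sessions.items():
        if n >= ssh_connects:
            findings.append(("ssh_brute_force", src, dst, n))
    return findings


# Constructed sample data (hosts are placeholders, not from the challenge capture).
HIDDEN_AP_BODY = build_tagged_params(b"\x00" * len(b"boondoggle"))
VISIBLE_AP_BODY = build_tagged_params(b"boondoggle")
SAMPLE_FLOWS = (
    [("10.0.0.5", "10.0.0.20", p, "RST,ACK") for p in range(1, 1025) if p != 22]
    + [("10.0.0.5", "10.0.0.20", 22, "SYN,ACK")] * 40
)

if __name__ == "__main__":
    print("hidden AP  :", ssid_status(HIDDEN_AP_BODY))
    print("visible AP :", ssid_status(VISIBLE_AP_BODY))
    for finding in classify_flows(SAMPLE_FLOWS):
        print(finding)
```

The SSID check is why hiding the network did not help against anyone actually watching the air: the frames are still there, only the name field is blanked, and a single client association leaks the real name in the probe request/response pair. The flow heuristics are deliberately crude (counts over the whole capture, no time windows); on a real export you would bucket by time and tune the thresholds to the network.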
July 18, 2009 at 2:58 pm #25690 timmedin Participant
Freaked me out to see my name at the top of a post. Ha!
After looking at the answer here: http://www.ethicalhacker.net/content/view/265/2/
…it looks like I missed the wknock bit. I was a little confused about why Kismet didn’t detect it. Good to know.
I also typo’ed the bit about brute forcing the key (I said password).
I submitted my answer before they extended the deadline and stated that no one had it 100% correct. I was curious to know what I missed. I definitely learned something.
July 20, 2009 at 11:14 am #25691 UNIX Participant
Congratulations, Tim. 😉
Haven’t read the Counter Hack Reloaded book yet, but as I have read good reviews about it and Ed Skoudis seems to be quite knowledgeable, I will buy it soon too.