HackFest - Review of Harold Wong's Presentation as a Windows 7 flag:

Lisa Kachold lisakachold at obnosis.com
Tue Oct 12 19:11:15 MST 2010


We promised various people that we would be following up with a real blow-by-blow
of our exploit of Harold Wong's Windows 7 machine.

It's published over on hackfest.obnosis.com under:

Home <http://www.it-clowns.com/y/> » Flags Captured October 2 <http://www.it-clowns.com/y/node/4> » CTF
- Microsoft Powershell <http://www.it-clowns.com/y/node/5>


<please register to share files, get updates and accept our "terms of
service".>

Possible ways to attack Harold Wong's Windows 7:

Network port attack vector:
Open ports:

3389
2638

Using RDP we could do either an RDP MITM attack or a Hydra dictionary attack
against the listening service itself.

Example RDP MITM:
http://www.irongeek.com/i.php?page=videos/cain-rdp-terminal-server-mitm-sniff

Should get RDP on Windows 7 via MITM, if possible with loose encryption, in a real
world situation where RDP traffic connections were working and we could
ARP cache poison them.

With just the port open we would have to do a Hydra dictionary attack, and
Harold informed us that he used secure passwords.

Therefore the only real attack vector we ever had open was social
engineering to get him to click on an exploit delivered via insecure file
sharing.

Sending a Kaseya agent, LivePerson cookie, or Metasploit payload via PDF in
mail after getting assurance of his willingness to open it by asking him to
look at it attached to the email.

In the real world test Lisa Kachold delivered a PDF exploiting Adobe, but
since Harold Wong wisely doesn't use Adobe for his PDFs, it failed.

No-one crafted nor delivered an RDP "package" for email delivery, which would
have worked best:
http://www.gnucitizen.org/blog/remote-desktop-command-fixation-attacks/

Additionally, in a real world situation we might have to obfuscate the code in
our PDF, or it will not be accepted as an attachment in Gmail. If Harold
Wong was using Microsoft Outlook directly to an MS-based Mail Transport
Authority, we would have a better chance of getting our PDF accepted, depending on
spam/virus protection.

Harold Wong used a regular user desktop, without file sharing available,
configured for the "Internet Zone" without additional firewall or virus
checking add-ons.

No flags were delivered by our team for Harold Wong.
So, as heretical as it might seem, this completely debugs the myth that
"Microsoft 7 out of the box is more secure than Linux".

hide everyone - here comes the fallout
-- 
Skype: 6022393392
Fax:     6233211450
ATT:     5037544452
Phoenix Linux Security Team <http://plug.phoenix.az.us/gangplank>

http://www.it-clowns.com

"Great things are not done by impulse but a series of small things brought
together." -Van Gogh