HackFest - Review of Harold Wong's Presentation as a Windows 7 flag:

Harold Wong Harold.Wong at microsoft.com
Wed Oct 13 10:31:26 MST 2010


To add clarification: no one was able to penetrate / exploit my Windows 7 machine.

Here's how I had configured the machine.

Windows 7 Ultimate 64-bit edition, default install

  - Built-in administrator and guest accounts are disabled by default
  - Initial user account created is a local administrator
  - Machine was set up on a home network and joined to a Home Group
      - Shared printers, documents, video and music with other computers in the Home Group (verified access)
      - Set up and configured Media Center to communicate with other Media Center devices in the home (both as source and target)
  - Remote Assistance and Remote Desktop were enabled
  - Microsoft Security Essentials was installed
  - Foxit PDF Reader 4.2 was installed
  - All the latest hotfixes and patches were applied
  - Set the password using a 20-character passphrase that used lower case, upper case, a number and a special character
  - Left all other security settings at default values (User Account Control, Firewall, etc.)

When I connected to the WiFi at Gangplank, I configured the network connection as a Public network and did nothing else.

I had no additional firewall software installed on the computer.

I would be more than happy to bring the laptop to the next Open Lab session at Gangplank in November to be a flag again.

Harold Wong
IT Pro Evangelist | US Developer & Platform Evangelism - West Region
Office: (425) 706-3501 | Blog: http://blogs.technet.com/haroldwong
MCITP Server Administrator | MCITP Enterprise Administrator | MCITP Enterprise Messaging Administrator 2007 / 2010
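As an added example (not Harold's or the list's own code), here is a PowerShell audit that reads back the configuration he lists above from a defender's side: built-in account state, UAC, the public-profile firewall, Remote Desktop / Remote Assistance switches and the TCP listeners. The registry value names are the documented Windows ones; the "Expected" column mirrors his stated settings, except the NLA and TLS rows, which are an assumed hardening baseline and not something the thread states.

```powershell
# Added example, not from the thread: audit a Windows host against the
# configuration Harold lists above. Registry value names are the documented
# ones; 'Expected' mirrors his stated settings, except the NLA/TLS rows,
# which are an assumed hardening baseline. Run from an elevated prompt.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value absent or key missing: report as 'not set'
}

function Get-FlagBaselineReport {
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $ra  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'
    $uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $fw  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    # Built-in Administrator is RID 500 and Guest is RID 501, whatever they are named.
    $accts = Get-CimInstance Win32_UserAccount -Filter 'LocalAccount=True'
    $admin = $accts | Where-Object { $_.SID -like '*-500' }
    $guest = $accts | Where-Object { $_.SID -like '*-501' }

    # TCP listeners parsed from netstat (works on Windows 7 and later).
    $listen = netstat -ano | ForEach-Object {
        if ($_ -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING') { [int]$Matches[1] }
    } | Sort-Object -Unique

    $checks = @(
        @{ Name = 'Built-in Administrator disabled'; Actual = $admin.Disabled; Expected = $true }
        @{ Name = 'Guest disabled';                  Actual = $guest.Disabled; Expected = $true }
        @{ Name = 'UAC on (EnableLUA)';              Actual = (Get-RegValue $uac 'EnableLUA'); Expected = 1 }
        @{ Name = 'Public-profile firewall on';      Actual = (Get-RegValue "$fw\PublicProfile" 'EnableFirewall'); Expected = 1 }
        @{ Name = 'Remote Desktop enabled';          Actual = (Get-RegValue $ts 'fDenyTSConnections'); Expected = 0 }
        @{ Name = 'Remote Assistance enabled';       Actual = (Get-RegValue $ra 'fAllowToGetHelp'); Expected = 1 }
        # If RDP stays on, NLA and TLS limit what an unauthenticated client or an on-path host can do.
        @{ Name = 'RDP requires NLA';                Actual = (Get-RegValue "$ts\WinStations\RDP-Tcp" 'UserAuthentication'); Expected = 1 }
        @{ Name = 'RDP security layer is TLS';       Actual = (Get-RegValue "$ts\WinStations\RDP-Tcp" 'SecurityLayer'); Expected = 2 }
        @{ Name = 'Listening TCP ports';             Actual = ($listen -join ','); Expected = '3389 only, if RDP is intended' }
    )
    foreach ($c in $checks) {
        [pscustomobject]@{
            Check    = $c.Name
            Actual   = $c.Actual
            Expected = $c.Expected
            # Port list is informational; every other row is a strict comparison.
            OK       = if ($c.Expected -is [string]) { 'review' } else { "$($c.Actual)" -eq "$($c.Expected)" }
        }
    }
}
Get-FlagBaselineReport | Format-Table -AutoSize
```

A row showing a null "Actual" means the value is not set, so the Windows default for that setting applies.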

From: plug-discuss-bounces at lists.plug.phoenix.az.us [mailto:plug-discuss-bounces at lists.plug.phoenix.az.us] On Behalf Of Judd Pickell
Sent: Wednesday, October 13, 2010 6:43 AM
To: Main PLUG discussion list
Cc: PLUG-security at lists.phoenix.az.us
Subject: Re: HackFest - Review of Harold Wong's Presentation as a Windows 7 flag:

Sorry, but I am a bit confused. You were or were not able to run an exploit on his machine?

Sincerely,
Judd Pickell
On Tue, Oct 12, 2010 at 7:11 PM, Lisa Kachold <lisakachold at obnosis.com> wrote:
We promised various people that we would be following up with a real blow-by-blow of our exploit of Harold Wong's Windows 7 machine.

It's published over on http://hackfest.obnosis.com under:
Home (http://www.it-clowns.com/y/) » Flags Captured October 2 (http://www.it-clowns.com/y/node/4) » CTF - Microsoft Powershell (http://www.it-clowns.com/y/node/5)


<please register to share files, get updates and accept our "terms of service".>

Possible ways to attack Harold Wong's Windows 7:

Network port attack vector:
Open ports:

3389
2638

Using RDP we could do either an RDP MITM attack or a Hydra dictionary attack against the listening service itself.

Example RDP MITM:
http://www.irongeek.com/i.php?page=videos/cain-rdp-terminal-server-mitm-sniff

Should get RDP Windows7 via MITM if possible with loose encryption in a real world situation where RDP traffic connections were working which we could arp cache poison.

Just having the port open we would have to do a hydra dictionary attack, and Harold informed us that he used secure passwords.

Therefore the only real attack vector we ever had open was social engineering to get him to click on an exploit delivered via insecure file sharing.

Sending a Kaseya agent, liveperson cookie, or metasploit payload via pdf in mail after getting assurance of his willingness to open it by asking him to look at it attached to email.

In the real-world test Lisa Kachold delivered a PDF exploiting Adobe, but since Harold Wong wisely doesn't use Adobe for his PDFs, it failed.

No one crafted nor delivered an RDP "package" for email delivery, which would have worked best: http://www.gnucitizen.org/blog/remote-desktop-command-fixation-attacks/

Additionally, we might have to obfuscate, in a real world situation, code in our pdf, or it will not be accepted as an attachment in Gmail. If Harold Wong was using Microsoft Outlook directly to a MS based Mail Transport Authority, we have a better chance of getting our PDF accepted, depending on spam/virus protection.

Harold Wong used a regular user desktop, without file sharing available, configured for the "Internet Zone" without additional firewall or virus checking add-ons.

No flags were delivered by our team for Harold Wong.*
So, as heretic as it might seem, this completely debugs the myth that "Microsoft 7 out of the box is more secure than Linux".

hide everyone - here comes the fallout
--
Skype: 6022393392
Fax:     6233211450
ATT:     5037544452
Phoenix Linux Security Team: http://plug.phoenix.az.us/gangplank

http://www.it-clowns.com

"Great things are not done by impulse but a series of small things brought together." -Van Gogh