HackFest - Review of Harold Wong's Presentation as a Windows 7 flag:
Judd Pickell
pickell at gmail.com
Wed Oct 13 06:42:58 MST 2010
Sorry, but I am a bit confused. You were or were not able to run an exploit
on his machine?
Sincerely,
Judd Pickell
On Tue, Oct 12, 2010 at 7:11 PM, Lisa Kachold <lisakachold at obnosis.com>wrote:
> We promised various people that we would be following up the a real blow by
> blow of our exploit of Harold Wong's Windows 7 machine.
>
> It's published over on hackfest.obnosis.com under:
>
> Home <http://www.it-clowns.com/y/> » Flags Captured October 2<http://www.it-clowns.com/y/node/4>» CTF
> - Microsoft Powershell <http://www.it-clowns.com/y/node/5>
>
>
> <please register to share files, get updates and accept our "terms of
> service".>
>
> Possible ways to attach Harold Wong's Windows 7:
>
> Network port attack vector:
> Open ports:
>
> 3389
> 2638
>
> Using RDP we could do either a RDP MITM attack or a Hydra dictionary attack
> to the listening service itself.
>
> Example RDP MITM:
> http://www.irongeek.com/i.php?page=videos/cain-rdp-terminal-server-mitm-...<http://www.irongeek.com/i.php?page=videos/cain-rdp-terminal-server-mitm-sniff>
>
> Should get RDP Windows7 via MITM if possible with loose encryption in a
> real world situation where RDP traffic connections were working which we
> could arp cache poison.
>
> Just having the port open we would have to do a hydra dictionary attack,
> and Harold informed us that he used secure passwords.
>
> Therefore the only real attack vector we ever had open was social
> engineering to get him to click on an exploit delivered via insecure file
> sharing.
>
> Sending a Kaseya agent, liveperson cookie, or metasploit payload via pdf in
> mail after getting assurance of his willingness to open it by asking him to
> look at it attached to email.
>
> In the real world test Lisa Kachold delivered a pdf exploiting Adobe, but
> since Harold Wong wisely doesn't use Adobe for his pdf's, it failed.
>
> No-one crafted nor delivered a RDP "package" for email delivery, which
> would have worked best:
> http://www.gnucitizen.org/blog/remote-desktop-command-fixation-attacks/
>
> Additionally, we might have to obfuscate, in a real world situation, code
> in our pdf, or it will not be accepted as an attachment in Gmail. If Harold
> Wong was using Microsoft Outlook directly to a MS based Mail Transport
> Authority, we have a better chance of getting our PDF accepted, depending on
> spam/virus protection.
>
> Harold Wong used a regular user desktop, without file sharing available,
> configured for the "Internet Zone" without additional firewall or virus
> checking add-ons.
>
> No flags were delivered by our team for Harold Wong.*
> So, as heretic as it might seem, this completely debugs the myth that
> "Microsoft 7 out of the box is more secure than Linux".
>
> hide everyone - here comes the fallout
> --
> Skype: 6022393392
> Fax: 6233211450
> ATT: 5037544452
> Phoenix Linux Security Team <http://plug.phoenix.az.us/gangplank>
>
> http://www.it-clowns.com
>
> *"Great things are not done by impulse but a series of small things
> brought together." -Van Gogh*
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.PLUG.phoenix.az.us/pipermail/plug-discuss/attachments/20101013/6a5eb611/attachment.html>
More information about the PLUG-discuss
mailing list