I’m currently sat in the departure lounge at Canberra airport with a 3-hour wait for my flight. Luckily I’m sat at a table that’s near a bar, and also has a power socket I can use, so the combination of my laptop and Crown Lager should see me through. It feels weird travelling home on a Saturday though. There won’t be much of a weekend left when I get home.
I’m glad I stuck around for today’s exercise as it was really enjoyable. The hacking exercise was a lot harder than I expected. The goal was to capture 4 flags. These were basically text files called flag1.txt, flag2.txt etc. that were stored on each of the 4 servers on the target network. Each of the flags had a ‘phrase that pays’ and the end goal was to get the full phrase that pays and be the first person to whisper it into the ear of the instructor. Two of the servers were Windows servers and two were Linux. I was fairly confident I’d be able to handle the Windows servers (I did used to be a Microsoft Engineer after all) but it was the Linux servers that worried me. My Linux skills are quite rudimentary and there were some really experienced techies in the class who I knew I had no chance of beating. Suffice it to say I didn’t win the competition. Nor did I manage to get all the flags in the allotted time. I did manage to get 3 out of the 4 though.
The Windows servers turned out to be fairly easy to exploit. The first one that I managed to connect to had the old null sessions vulnerability so I was able to connect to it using an anonymous account. Once I had a NetBIOS session I was able to enumerate the accounts and grab a copy of the SAM password list. I then used a password cracker to crack an account that had admin privileges and then simply mapped a drive to it. Easy peasy.
The other servers weren’t that easy. One of the servers had some firewall or routing restrictions so it was only accessible from one of the other servers. So I had to compromise one server and then use that as a launching pad to compromise the other server. To make things trickier still, it turned out that one of the flag .txt files was hidden. There’s a thing called NTFS Alternate Data Streams on Windows where it’s possible to hide a file in the data stream of another file or directory. So when you browse the file directory it’s completely hidden. You can’t even use file comparisons to detect the hidden file as it doesn’t affect the file size or checksum of the file that it’s attached to. After a few hints I did manage to find it using a tool that discovers these hidden data streams, and also found a few other hacking tools hidden within the same directory that I could use to compromise one of the other servers.
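For anyone wanting to check their own file servers for the trick described above, here is an added PowerShell example (my own illustration, not a tool from the course or from the original post) that enumerates NTFS alternate data streams under a directory. It assumes PowerShell 3.0 or later on an NTFS volume; the demo directory under $env:TEMP and the sample file with its ‘hidden’ stream are constructed here purely so the script can be run end to end.

```powershell
# Added example: find NTFS alternate data streams that a normal directory
# listing, file size and checksum of the host file do not reveal.
# Assumes PowerShell 3.0+ and an NTFS volume.

function Find-AlternateDataStream {
    param([Parameter(Mandatory)][string]$Path)

    # Walk files AND directories: a directory can carry an ADS as well.
    Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # -Stream * lists every named stream on the item. ':$DATA' is the
            # ordinary file content, so anything else is an alternate stream.
            Get-Item -Path $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        Host    = $_.FileName
                        Stream  = $_.Stream
                        Bytes   = $_.Length
                        # Zone.Identifier is the benign mark-of-the-web stream
                        # that browsers add to downloads; anything else is worth a look.
                        Suspect = ($_.Stream -ne 'Zone.Identifier')
                    }
                }
        }
}

# --- Constructed demo data (placeholder directory, not a real share) ---
$Root = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $Root -Force | Out-Null
$sample = Join-Path $Root 'readme.txt'
Set-Content -Path $sample -Value 'visible content'
Set-Content -Path $sample -Stream 'hidden' -Value 'text stored in an alternate stream'

# A plain listing shows a single small file; the stream is invisible here.
Get-ChildItem -Path $Root | Format-Table Name, Length

# Stream enumeration reveals the extra stream on the same file.
Find-AlternateDataStream -Path $Root | Format-Table -AutoSize

# Read the stream's content once found (read-only; no change to the host file).
Get-Content -Path $sample -Stream 'hidden'
```

Run it against a real directory by calling Find-AlternateDataStream -Path with your own path and piping the result to Export-Csv for review. The same streams can be seen from a cmd prompt with dir /r, and a stream you decide is unwanted can be removed with Remove-Item -Stream without touching the host file’s normal content. Because Zone.Identifier streams are common and harmless, filter on the Suspect column before raising an alarm.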
One of the other servers had a buffer overflow vulnerability so I used Metasploit to exploit that server and get a command shell.
That’s about as far as I got. 3 out of 4 isn’t bad but I didn’t get the full phrase. After the instructor explained how to do it I realised I could have been at it for days. One of the exploits was ridiculously hard. It involved carrying out a cross-site scripting attack (XSS), but it wasn’t as simple as launching the attack from my PC against the server. No, it involved compromising one server, generating traffic from that server to another server, and then sniffing the traffic off the network to grab the session cookies and then using the session cookies as part of the attack. That would have taken me days to figure out!
Anyway, the day was very geeky but thoroughly enjoyable and challenging. The 6-day course has been great but no one can really come out of a 6-day course and become a professional hacker or penetration tester. We’ve covered dozens of hacking tools in the 6 days so of course there’s a limit to the depth that you can go into for each tool given the allotted time. Now I have the fundamentals I’ll need to dig into the tools and techniques in detail and keep practising to hone my skills. Luckily these days with VMware I can easily do that by simulating a whole network on my laptop. All week I was running Windows XP and Red Hat Linux in virtual machines as guest operating systems whilst still using my Mac OS X Leopard operating system as the host, and didn’t have any problems – basically running 3 different PCs on my one Mac.
One of the things that I’ll take away from this course is that it doesn’t take the latest and greatest malware (viruses, etc.) to compromise a system. Some of the best hackers simply use the in-built administration tools already resident on the systems. That way there’s little danger of triggering off the anti-virus software or intrusion prevention software. For instance, the WMIC (Windows Management Instrumentation Command-Line) tool resident in all modern versions of Windows is a fantastic legitimate Windows scripting tool that can be manipulated to do all sorts of nasty stuff.
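The flip side of that observation is that a built-in tool leaves ordinary audit records even when anti-virus stays quiet. As an added example (again my own illustration, not something from the course or the original post), the PowerShell below pulls wmic.exe process creations out of the Security event log so an administrator can review who ran it, from where, and with what arguments. It assumes the host has ‘Audit Process Creation’ (event ID 4688) enabled along with ‘Include command line in process creation events’, and that the script runs with rights to read the Security log; the 7-day default window and the field labels it parses are taken from the standard 4688 message text.

```powershell
# Added example: review wmic.exe process creations recorded by Windows auditing.
# Assumes event 4688 is being logged with command-line capture enabled and
# that the caller can read the Security log (normally an elevated prompt).

function Get-WmicProcessEvent {
    param(
        [datetime]$Since   = (Get-Date).AddDays(-7),
        [string]  $LogName = 'Security'
    )

    $filter = @{ LogName = $LogName; Id = 4688; StartTime = $Since }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $msg = $_.Message

            # 4688 messages carry labelled lines; '.' stops at a newline in .NET
            # regex, so each capture is just the remainder of that line.
            $proc   = if ($msg -match 'New Process Name:\s+(.+)')     { $Matches[1].Trim() } else { '' }
            $cmd    = if ($msg -match 'Process Command Line:\s+(.*)') { $Matches[1].Trim() } else { '' }
            $parent = if ($msg -match 'Creator Process Name:\s+(.+)') { $Matches[1].Trim() } else { '' }
            $user   = if ($msg -match 'Account Name:\s+(.+)')         { $Matches[1].Trim() } else { '' }

            if ($proc -like '*\wmic.exe') {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    User        = $user
                    Parent      = $parent
                    CommandLine = $cmd
                    # /node: points WMIC at another machine, which is unusual
                    # outside scripted administration, so review those first.
                    Remote      = ($cmd -match '/node:')
                }
            }
        }
}

# Last 24 hours, remote invocations listed first.
Get-WmicProcessEvent -Since (Get-Date).AddDays(-1) |
    Sort-Object Remote -Descending |
    Format-Table -AutoSize -Wrap
```

If the CommandLine column comes back empty, command-line capture is not switched on and the events only tell you that wmic.exe ran, not what it did. WMIC is also used legitimately by help-desk scripts and inventory tools, so the useful step is to baseline the normal parents and users first and then alert on what falls outside that baseline rather than on every occurrence.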
Anyway, hopefully I’ll be able to put some of these new skills into practice on some real clients some time soon.