JEDIJF

Sunday, December 19, 2010

PACS Hackathon - aka 'Grinching the Box'

It's been in the planning stages for a while now. Actually started as something to do for Hive76's hackathon, but that never materialized. Well, the hackathon materialized, but this part of the hackathon never materialized.

Penetration testing is cool. It just is. It is also a decent back-handed way to introduce people to the Linux command line and not have them come in with the preconceived notion that it is difficult and not for them. Didn't realize that part until right now.

Nothing fancy, nothing too hard. Concepts, tools, and thinking.

The setup was fairly simple. De-ICE 1.100 live CD in a VMware machine connected to a wireless router, SSID sploit_me.

Audience participawnage was the key. Seeing is ok; doing is so much better.

The highlight for me was when PhD Russ squealed aloud when a password was cracked. That's what it's all about! (I recently had the same outburst over a blinking LED and an MSP430.)

Ken, the security special interest group leader at PACS, wrote up a recap:
Thanks to all who attended the hands-on HACKFEST workshop this
month. The turnout and participation were fantastic!

Jim from the Linux SIG led us all through the process of thinking
our way through a simulated penetration test of a hypothetical corporation's
web server. Starting with establishing a connection to the sploit_me
wireless network, we then reconnoitered the fictitious company's website for
clues that we could use to gain access to privileged information on their
servers. Using Nmap, we scanned their network for possible entry points in
the form of running services with possible well-known weaknesses. We also
did a parallel scan using netcat.

After determining that an SSL port was open and secure shell was
running, we proceeded to brute force the user ids and passwords using medusa
and hydra -- two password probing tools. A brief discussion of password
security and research about the potential targets ensued during the
execution of the brute forcing tools.

The brute force attack resulted in compromising one account which got
us on to the system so that we could see what other accounts were present
and with what privileges they ran (/etc/passwd on Linux/Unix, SAMS on
Windows). Using these other accounts we brute forced another password using
medusa and hydra, at which point we were able to gain administrator (root)
level access to the system so that we could download the encrypted passwords
file.

Running that password file through the John the Ripper password
cracking tool (alternatively Googling the hash value) allowed us to finally
gain full root access, whereupon we ran out of time.

We received much positive feedback on the event and we plan on doing
another one in the future.

Ken Fox
SEC SIG moderator.
I hope everyone had as much fun as I did.
