Archive for the ‘News’ Category

Breaking into Cars

Tuesday, October 19th, 2010

A friend of mine locked herself out of her car the other day and her keys were in the car. Since locksmiths are closed on Sundays, we had to figure out a different way to get into her car. The car was a 1998 Toyota Corolla with power locks. Of course one option that is open is to break a window, but people much prefer not to do that. I called a buddy of mine who has a lock-pick set and asked him about possibly picking the lock. He said that car locks are special and cannot be easily picked like house door locks. In light of all this, I started thinking of ways to possibly break into her car. One of my other friends had locked himself out of his car before as well, so I thought back to what we did then. The cops had come by because some suspicious neighbor had called them on us, and he managed to wedge a triangle in the door where the rubber wind flap was and use a long metal rod to press the power lock button. Essentially I did the same thing for my friend, except since her car was running I was able to push the button to make the window go down with a long bendy piece of metal. This took me all of 5 minutes to do. The two things I take away from this story are (1) when I am stuck, I just have to remember to study the system I am trying to break into and see how I could possibly break it (panicking is never good) and (2) I’m amazed at how useless car locks are. I guess the right tools are better than any key.

Email Data Mining Script in Python

Monday, August 2nd, 2010

So I’m a little bored with my summer internship at Mississippi State University. It’s not a good idea to let people with creative minds like mine get bored, because we start to do “interesting” things. Anyway, I was in charge of visiting a whole bunch of websites and identifying their webmasters. I didn’t want to visit all 100 or so sites to identify the webmasters myself, and some of the websites did not have any emails on them at all. In light of this, to help with the process of finding webmasters I created an email data mining script in Python, which you can download here. I decided to make it available under the GNU Public License 3.0. A couple of things to note about it: 1) it only runs in a Unix environment because it relies on the wget and host commands; 2) when downloading some of the content with wget I occasionally came across websites with massive amounts of media on them that crashed the script. Although I have tailored the wget command that is called in this Python script not to download movie or picture files, I did experience problems with Python choking and dying due to out-of-memory errors. I also noticed that on some websites where media files are specified as odd tokenized URLs, instead of ending with a file type, they are still downloaded even though they are media files. I don’t plan to maintain this script at all. This is why I am releasing it on my website only and not on sourceforge.com. The only other email mining scripts out there that I know of currently are The Harvester, which is an open source email mining script that just searches Google, Bing, or other search engines, and Maltego, which you have to pay for in order to download the emails you find. If you know of others and want to call me out on them, leave them in my comments :) .
My email mining script simply downloads an entire website to disk as a single file, then uses a regular expression based on the RFC 2822 standard cited by http://www.regular-expressions.info/email.html to find emails and print them out to the screen. You are welcome to use it, but it is slow and I guarantee nothing as far as accuracy and benchmarks.

To use the script emailMiner.py, make a text file containing the IP addresses of the websites you want to visit, one per line, then run the command “python emailMiner.py websites.txt”. You will probably want to modify this script so that it writes to a file location of your choice, because everything is hard coded.
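The extraction stage of the script described above, rewritten here as an added example (this is not the original emailMiner.py): it applies the regular-expressions.info RFC 2822 pattern to a site dump that is read in fixed-size chunks, which avoids the out-of-memory crash on media-heavy sites mentioned above. The chunk and overlap sizes, the file-extension filter, and the sample input are my choices, not part of the original script.

```python
import io
import re

# Practical RFC 2822 address pattern from regular-expressions.info/email.html, the
# same reference the original script cites; matched case-insensitively.
EMAIL_RE = re.compile(
    r"[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*"
    r"@(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?",
    re.IGNORECASE,
)

# Added heuristic (not in the original script): a "domain" whose last label is a
# file extension is almost always an asset name such as logo@2x.png, not a mailbox.
FILE_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "css", "js", "html", "htm", "svg", "ico"}


def looks_like_filename(addr):
    return addr.rsplit(".", 1)[-1] in FILE_EXTENSIONS


def extract_emails(text):
    """Unique addresses in a string, lowercased, in order of first appearance."""
    found, seen = [], set()
    for m in EMAIL_RE.finditer(text):
        addr = m.group(0).lower()
        if addr not in seen and not looks_like_filename(addr):
            seen.add(addr)
            found.append(addr)
    return found


def scan_stream(stream, chunk_size=1 << 20, overlap=320):
    """Scan a binary stream chunk by chunk so a site dump of any size fits in memory.

    The tail of the previous chunk is prepended to the next one so an address split
    across a chunk boundary is still seen whole; a match touching the end of a window
    is deferred to the next window for the same reason (320 bytes exceeds the 254
    character maximum length of an address).
    """
    found, seen = [], set()
    tail = b""
    chunk = stream.read(chunk_size)
    while chunk:
        nxt = stream.read(chunk_size)
        window = tail + chunk
        # Media bytes decode to junk and are skipped; they can no longer crash the scan.
        text = window.decode("utf-8", errors="ignore")
        for m in EMAIL_RE.finditer(text):
            if nxt and m.end() == len(text):
                continue  # possibly cut off; it reappears intact in the next window
            addr = m.group(0).lower()
            if addr not in seen and not looks_like_filename(addr):
                seen.add(addr)
                found.append(addr)
        tail = window[-overlap:]
        chunk = nxt
    return found


def scan_bytes(data, chunk_size=1 << 20, overlap=320):
    return scan_stream(io.BytesIO(data), chunk_size, overlap)


def scan_file(path, chunk_size=1 << 20, overlap=320):
    with open(path, "rb") as fh:
        return scan_stream(fh, chunk_size, overlap)


# Constructed sample of what a wget dump of a contact page might contain.
SAMPLE_DUMP = (
    b"<a href='mailto:webmaster@example.com'>x</a>" + b"." * 40
    + b"<img src='logo@2x.png'> support@example.net end"
)

if __name__ == "__main__":
    import sys

    # Usage: python extract.py <site-dump> ...   (files produced by wget -O)
    paths = sys.argv[1:]
    if not paths:
        print(scan_bytes(SAMPLE_DUMP, chunk_size=16, overlap=32))
    for path in paths:
        for addr in scan_file(path):
            print(addr)
```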

Oh yeah and one more thing… Nigerians you are not allowed to download this email mining tool. I am just kidding (I’m referring to the 409/419 phishing scammers of course). But seriously this tool is meant for people that need to mine email data for legitimate reasons such as penetration testing, auditing, etc. Please do not abuse it.

Fire Hydrant Hacks

Thursday, July 22nd, 2010

Today I was walking and I came across something I thought was very interesting. A lot of people say in order to be a good penetration tester you have to think “outside the box”. Well I’m not going to be preachy here, but the way this person thought to modify a fire hydrant with some PVC pipe in order to water the lawn was genius. I just had to take some pictures and share it. Here they are:

Multiconf Information and Security Privacy (ISP) Slides

Thursday, July 15th, 2010

As many of you know that are probably coming here for the slides you requested, I spoke at Multiconf last Tuesday in Orlando, Florida (7/13/2010) for the Information and Security Privacy sub-conference. My paper was ISP113 “HIPPA Violated by Wireless Access Points”. On the slide where I give statistics, here is what the statistics mean:

Green bar (no encryption) – 113 Access Points

Blue bar (WEP encryption) – 152 Access Points

Orange (WPA-TKIP encryption) – 23 Access Points

Yellow (WPA-AES encryption) – 56 Access Points

And if you combine the access points with no encryption, WEP encryption, and WPA-TKIP encryption, all of which are vulnerable to being connected to or having their encryption cracked, that leaves 288/344.

The slide can be downloaded from here: HIPPA Violated by Wireless Access Points

If you were at the conference and want a copy of my paper I can give it to you, otherwise I’m pretty sure Multiconf reserves the right to publish my paper so I cannot give it out to the general public or publish it on my site.

Also thank you to Promote Research (http://www.promoteresearch.org) for organizing the conference.

Dialog with an Underground Hacker

Thursday, July 8th, 2010

Disclaimer: I am not a Black Hat hacker. If anything I am Grey Hat at worst, but I consider myself White Hat. I try my hardest not to break the laws of the land I am in when I know about them.

The following private conversation is a dialog I had on IRC with a Black Hat. I have obscured the conversation to hide his or her contact details and other information throughout the conversation that may give hints as to who this person is. Normally, I do not snitch on people unless they are directly going to endanger other people’s lives. This is why I am protecting this person’s information. I enjoy social networking with all kinds of people, even if they are the kind of person that is on what people consider to be the “evil” side. My integrity for the bad guys means just as much to me as it does for the good guys. One thing I must state though is that I do not wish to be in contact with people that are foreign nationals or stupid people that are going to tell me about classified information. So if you have classified information, don’t talk to me about it. I do not want to end up being the next Adrian Lamo.

I am publishing this conversation for two reasons. (1) Because I want to show people out there that real computer crimes are out there (paying well) and (2) I wanted to flaunt that this person apparently thinks I have enough skills that they sought me out to break into a database and steal personal information. I am flattered really, but again I am not a Black Hat and would never do anything like this. With that said, here is the conversation:

— Log opened Fri Jul 02 09:13:48 2010
09:13 -!- Irssi: Starting query in #obscured#  with #obscured username#
09:13 <obscured> hello
09:19 <Dantevios> hi
09:20 <obscured> Nice to meet you
09:20 <obscured> I want to know you,and i  make you my friend .Could i?
09:21 <Dantevios> Nice to meet you too, it is possible. I do like making friends, especially in the information security field. Where are you from?
09:23 <obscured> I’M from #obscured#
09:23 <Dantevios> Very interesting. I must ask though, do you work for the #obscured# government?
09:24 <Dantevios> Or are you a Nationalistic hacker?
09:25 <obscured> no
09:25 <Dantevios> Very good then, we can be friends :)
09:25 <Dantevios> How old are you?
09:25 <obscured> #obscured#
09:26 <obscured> are you?
09:26 <Dantevios> I’m 23
09:26 <Dantevios> What do you do for a living?
09:28 <obscured> I’m work about business information
09:28 <Dantevios> cool, do you have a website or a blog?
09:29 <obscured> sorry,no
09:30 <obscured> are you hacker?
09:30 <Dantevios> I wouldn’t say I was a hacker, but a Penetration Tester sure.
09:30 <Dantevios> Hacker carriers a negative connotation in America, we don’t like to use that word to classify our profession.
09:32 <obscured> Understand
09:32 <obscured> I need to hacking the database
09:32 <obscured>  i need  your help
09:34 <obscured> hello,in?
09:35 <obscured> Of course, I will pay you
09:36 <Dantevios> What database?
09:36 <obscured> #obscured# Database
09:37 <Dantevios> This is a company? #obscured#?
09:39 <obscured> #obscured#
09:40 <Dantevios> do they have a website or something? I’m not sure what you are referring to
09:42 <obscured> I need the Mobile phone users date
09:42 <obscured> #obscured website#
09:43 <Dantevios> why me? and how much would you pay for this data?
09:44 <obscured> 10000 dollar
09:44 <Dantevios> US?
09:44 <obscured> yes
09:45 <Dantevios> and how will you pay me?
09:47 <obscured> Bank Transfer
09:48 <obscured> or eBay
09:48 <Dantevios> you have never done something like this before have you?
09:49 <Dantevios> don’t you know escrow? paypal? etc
09:49 <obscured> yes.i know
09:50 <Dantevios> What kind of data are you looking for specifically?
09:51 <obscured> the Mobile phone users date
09:51 <Dantevios> yeah, are you looking for accounts/passwords or numbers or what kind of data
09:51 <Dantevios> there is a lot of data
09:53 <obscured> For example, the number, zip code, ID card, the bill, the age. . .
09:53 <obscured> yes
09:54 <obscured> 50-200G
09:55 <Dantevios> what do you mean 50-200G?
09:55 <obscured> I guess, maybe not so much?
09:56 <Dantevios> I don’t understand these numbers 50-200G
09:56 <Dantevios> what are you referring to when you say 50-200G?
09:58 <obscured> the database capacity
09:59 <Dantevios> 50-200 gigabytes of data?
09:59 <obscured> yes
09:59 <Dantevios> Is there any way I can contact you other than IRC?
10:01 <obscured> do you have ICQ?
10:01 <obscured> or gtalk?
10:01 <Dantevios> I have gtalk, what is your gtalk?
10:02 <obscured> #obscured email address#
10:05 <Dantevios> and ICQ?
10:06 <obscured> #obscured ICQ number#
10:07 <Dantevios> How did you find out about me? Did you just message me because I was in #obscured chatroom# ?
10:09 <obscured> no
10:09 <Dantevios> ah, where have you heard of me before then?
10:12 <obscured>  a friend in network. but I forgot the name
10:13 <Dantevios> A friend I wrote an email harvesting tool for perhaps?
10:17 <obscured> no understand
10:18 <Dantevios> Well you have contacted me from no where and I don’t know who you are, but you know who I am. I am trying to figure out how my friends know your friends :) .
10:19 <Dantevios> This is about trust.
10:19 <obscured>  understand
10:20 <obscured> what do you know?
10:20 <Dantevios> what do I kno wabout what?
10:20 <Dantevios> what do I know about what? *
10:21 <obscured> Do you want to know?
10:21 <Dantevios> yes
10:22 <obscured> #obscured email#
10:22 <obscured> it’s gtalk
10:23 <Dantevios> he told you about me?
10:27 <obscured> yes
10:27 <Dantevios> How does he know me? I do not know him….
10:28 <obscured> This I don’t know
10:29 <Dantevios> When do you need this information by?
10:33 <obscured> July, August.The sooner the better
10:35 <obscured> hello,in?
10:36 <obscured> 2010.7-2010.8.The sooner the better
10:36 <Dantevios> Give me some time to think about it. I am at work right now. I must bet back to my job. If I am in, I will contact you.
10:38 <obscured> ok.thanks.How do I contact you?
10:40 <Dantevios> You don’t. I will contact you.
10:41 <obscured> ok
10:43 <obscured> What time can you contact me?
10:44 <obscured> last?
10:47 <Dantevios> I will contact you by emailing you at #obscured email#
10:49 -!- obscured [~#obscured#] has quit [Ping timeout: 240 seconds]
— Log closed Fri Jul 02 10:55:26 2010
— Log opened Fri Jul 02 11:11:56 2010
11:11 <obscured> hello,in?
11:14 <Dantevios> hi, what?
11:15 <obscured> What time can you contact me?last time
11:18 <Dantevios> I told you I will contact you by email, probably at around 00:00 GMT
11:18 <Dantevios> to your address #obscured#
11:19 <obscured> ok
— Log closed Fri Jul 02 11:24:26 2010
— Log opened Fri Jul 02 12:11:05 2010
12:11 -!- obscured [~#obscured#] has quit []
— Log closed Fri Jul 02 12:16:26 2010

http://theweek.com/article/index/204061/wikileaks-who-is-hacker-hero-adrian-lamo

Google Android’s Built-in Rootkit

Friday, June 25th, 2010

Today I came across some disturbing news: http://android-developers.blogspot.com/2010/06/exercising-our-remote-application.html

It turns out Google’s Android Market can automatically delete applications from Google-based Android phones without their users’ permission. They claim it is to protect end users from malware, just as I’m sure the Middle East claims it is building nuclear weapons for its own defense. I can see this growing to be a potentially big problem. I remember Google removing all Tetris clones from the Market not less than a month ago, but I didn’t realize they could delete the applications off all phones. You would think companies would have learned their lessons over the years? Even Microsoft now has prompts for their updates and for ActiveX controls to run on your computer. I guess history repeats itself.

What if I wanted that malware? I’m a security researcher and I like to study malicious applications. I could very well offload this application from my phone, decompile it, and try to see what it is that this person is doing. I couldn’t do that though if the application got deleted.

The fact of the matter is this “feature” Google claims to be a protection mechanism can be abused by them to modify data on their users’ phones. I don’t know about you, but I sure would not feel comfortable if some appliance manufacturer had the authority to come into my home and steal my toaster because it was burning my toast every time I cooked bread. Of course we have all seen recently in the media how Google feels about handling other people’s data with its latest Wi-Fi scandals. Are you going to trust them to have the authority over your phone to modify it remotely?

On a different note, I make it a habit not to install third party applications unless they’re open source or come from one of my personal trusted sources, especially if it’s an operating system. However, now that I know Google has the power to delete applications off my phone, I am probably going to root my Android phone and not use Google’s firmware anymore.

Pwn2Own 2010

Thursday, May 13th, 2010

I just read today that a couple of months ago TippingPoint held their annual hacking competition Pwn2Own. With $100,000 and more in prizes, well, I understand why people are in this business. Even those who didn’t get to submit their results in the competition still received the opportunity to sell their exploits to TippingPoint for thousands if not tens of thousands of dollars. Of course you have to be amongst the most elite reversers of the world to be able to figure out exploits for these vulnerabilities, so I imagine you are not competing for these prizes against a whole lot of people. Pwn2Own is probably another contest I will add to my list of contests I would like to participate in in the future. I say future because I lack the knowledge right now to reverse binaries, but I am slowly learning this invaluable skill. I am sorry if you are reading this and you say “Dantevios, why are you pestering me with this old news? Especially when you offer no new insight into it?”. Well, sorry readers, but I am using this blog to keep track of events for my own sake as well, so there are going to be some boring entries you won’t want to read, such as this one.

Offensive Security’s How Strong is your FU Participation

Tuesday, May 11th, 2010

Last Saturday, May 8th, I participated in Offensive Security’s How Strong is your FU? hacking tournament. Now I am going to post the results of how I went about hacking the n00b filter.

The first obstacle to hacking the n00b filter was actually getting into the game. Many people that signed up for this tournament did not get the emails with their password to enter the tournament until an hour or so after the competition started. If you had no life and had time to social engineer, instead of waiting you could have joined the #offsec channel on freenode.net and they would have pointed you to the #hsiyf channel for the competition. There the admins could have manually set you up to enter the tournament. This is actually how I entered the tournament.

When I finally got the instructions on what servers to attack (there were only two and they were identical), I did what most people do: nmap it and see what operating system it is and what services it has running. The results looked like this:

1/tcp     open   tcpmux?
3/tcp     open   compressnet?
4/tcp     open   unknown
6/tcp     open   tcpwrapped
7/tcp     open   tcpwrapped
9/tcp     open   tcpwrapped
13/tcp    open   tcpwrapped
17/tcp    open   tcpwrapped
19/tcp    open   tcpwrapped
20/tcp    open   tcpwrapped
21/tcp    open   tcpwrapped
22/tcp    open   tcpwrapped
23/tcp    open   tcpwrapped
24/tcp    open   tcpwrapped
25/tcp    open   tcpwrapped
26/tcp    open   tcpwrapped
30/tcp    open   tcpwrapped
32/tcp    open   tcpwrapped
33/tcp    open   tcpwrapped
37/tcp    open   tcpwrapped
42/tcp    open   tcpwrapped
43/tcp    open   tcpwrapped
49/tcp    open   tcpwrapped

Etc. etc. of tcpwrapped ports. When I chopped up this output and grepped for open ports I got:

1/tcp     open   tcpmux?
3/tcp     open   compressnet?
4/tcp     open   unknown
80/tcp    open   http?
110/tcp   open   pop3
1723/tcp  open   pptp?
2701/tcp  open   sms-rcinfo?
2702/tcp  open   sms-xfer?
5666/tcp  open   nrpe?
6788/tcp  open   unknown
7921/tcp  open   unknown
7938/tcp  open   lgtomapper?
8021/tcp  open   ftp-proxy?
9100/tcp  open   jetdirect?
9101/tcp  open   jetdirect?
9102/tcp  open   jetdirect?
9103/tcp  open   jetdirect?

They obviously had some kind of tarpit running that was spoofing a whole bunch of fake services, because if I tried to connect to fingerprint any of these with netcat they would not respond and time out.

They also spoofed all the operating system signatures and it looked ugly:

Running (JUST GUESSING) : 3Com embedded (86%), Dell embedded (86%), Samsung embedded (86%), Xerox embedded (86%), Bay Networks embedded (85%)
Aggressive OS guesses: 3Com SuperStack 3 Switch 4300, Dell PowerEdge 2650 remote access controller, Samsung ML-2571N or 6555N printer, or Xerox Phaser 3125N printer (86%), Dell 1815dn printer (86%), Bay Networks BayStack 450 switch (software version 3.1.0.22) (85%), Bay Networks BayStack 450 switch (software version 4.2.0.16) (85%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Windows

The only port that appeared to be open was port 80. When I visited it I arrived at this puzzle:

When I clicked the submit button, I was given this message:

Pretty humorous. When I tried entering a single quotation mark in the user field I received the message “HAHAHA!” on a blank white page. There were a few hours where I was wandering around in the dark trying various things like writing shell scripts to automatically fingerprint the ports I found on the machine and see if any other ports would respond, using p0f to try to passively fingerprint the operating system to see if I could find a vulnerability, trying XSS injections, and manually fuzzing the variables of the web application to see if I could make it overflow. p0f actually said the OS was Tru64. Apache error messages said the OS was Fedora (which I think is most likely what it was). After hitting a bunch of dead ends, I decided to revisit the “HAHAHA!” message and check the source code. I noticed an advertisement in the source for Applicure. Turns out Applicure makes a product called dotDefender, which was running on the server we had to attack and preventing the SQL injection. I spent a while over-thinking how to hack dotDefender and even debated downloading it, setting it up in a virtual machine, and fuzzing it for buffer overflows. Then a Google search revealed the missing piece of the puzzle: the dotDefender exploit.

With this exploit I tried to log into the /dotDefender/index.cgi script. It was in a password-protected .htaccess directory, so I looked through the manuals on Applicure’s website, which said the password was the same as the username. The .htaccess prompt told me the username was admin, so I assumed the password was admin. For a long time there was a lot of confusion because there was talk in the #hsiyf channel that people kept changing the passwords on the .htaccess file somehow. I knew we weren’t supposed to run automated tools, but I had heard of people using hydra, so I just hurled a dictionary attack at the dotDefender password prompt. While social engineering some of the other contestants who were fed up with the lag problems of the dotDefender application, someone told me the login was admin/password. When I tried to log into the application it would lag like hell. I waited literally 10 minutes for a response from the HTTP server, and at the same time the admins were constantly reverting their VMs to snapshots. One time I did actually make it through and I was very close to getting to the n00bSecret.txt file that was needed to move on to phase 2. Here is a screenshot of me using the dotDefender exploit:

I was so close to getting to phase 2. All I had to do was successfully execute a few commands like find / -name n00bSecret.txt . But every single time I actually got onto the application I received a message like this:

Someone later told me (who went through the pain of waiting 10 minutes for each HTTP response) that they successfully managed to find n00bSecret.txt in /opt/<some random directory string>/n00bSecret.txt . With that they printed it out to the web app using “cat /opt/<some random directory string>/n00bSecret.txt” as I suggested to them. I decided not to continue the tournament anymore because of the lag.

I talked with the admin known as muts about the lag on the dotDefender application. He claims (in a private message) that there was an Intrusion Prevention System (IPS), and that I was tripping it (which was causing my lag issues). No other person I talked to that entered phase 2 found a way to not trip this IPS (if there even was one that people were tripping in this way). They all seemed to use Burp Suite to modify the POST data for the dotDefender exploit I posted earlier in this blog entry. After all, it couldn’t possibly be that 100s of people trying to log on to a remote management application (that wasn’t intended to be used by multiple users) and executing shell commands on the box could cause the lag I was experiencing, right (*sarcasm*)? We will see what Offensive Security has to say if they ever post the solutions to their vulnerabilities like they said they would:

Dialogue from #hsiyf (May 8th):

07:32 < Abo3abd> @muts, can you please share ths solutions after end the tournament?
07:32 <@ryujin> we will Abo3abd
07:33 < Abo3abd> Thanks a lot :)

Critique:

I’d like to thank the folks at Offensive Security for hosting this tournament. It was a lot of fun. They did a great job at designing a neat little game for us all to play. The two biggest suggestions that I have been hearing for next time though are (1) please let us start at the same time instead of relying on SMTP to email people their passwords and (2) don’t use vulnerable software that is too laggy for people to exploit.

Red Teaming the Northwest Collegiate Cyber Defense Competition Trials

Monday, April 12th, 2010

Introduction:

This past Saturday (April 10th 2010) I participated on a Red Team (along with about 6 other students from Mississippi State University) for a mock Northwest Collegiate Cyber Defense Competition. Needless to say, it was one of the most fun things I have ever done in my entire life. The Blue teams were composed of students from the University of Fairbanks Alaska, University of Anchorage, the University of Hawaii at Mānoa, and another Hawaiian university (sorry, I don’t know their name). If you’ve never heard of the Collegiate Cyber Defense Competition, the background on it is that there are three teams: (1) a Red team, (2) a Blue team, (3) a White team. The Blue team has to set up and defend a network that would be similar to a regular information technology network. The Blue team works for the White team and is forced into doing business tasks and server administration to get points for the competition. The Red team gets to attack the Blue team’s network while they are trying to perform business tasks, and attempts to bring the Blue team’s services down so that they lose points. The Red team is not in a competition against the Blue team; rather the Blue team is divided into sub teams which compete amongst themselves. The Red team’s job is to attack all the sub-divided Blue teams’ networks equally, and report to the White team the damage they do to each network. To get a better idea of what I’m talking about, I highly recommend you watch the videos of last year’s Mid-Atlantic Collegiate Cyber Defense Competition shown below. If you’re watching them for entertainment, the Red team starts at Part 3 and you will probably get some good lulz out of watching how they walk all over the Blue team, who is obviously ignorant of the types of attacks they are even getting hit by.

  1. Part 1 – http://www.youtube.com/watch?v=PDCPrfuf6BY
  2. Part 2 – http://www.youtube.com/watch?v=kp6bktaB0A4
  3. Part 3 – http://www.youtube.com/watch?v=38Nv3fg54bs
  4. Part 4 – http://www.youtube.com/watch?v=7Hr0GykHR9c

Unfortunately for our Red Team, we were set up on virtual machines and had no physical access to the Blue team’s network, so any physical attacks like rogue USB devices were out of the picture. Because of this restriction, we had a 24 hour grace period to ping the Blue team’s network, fingerprint their operating systems and services, and devise a plan of attack. In our reconnaissance, we did DNS zone transfers and figured out the entire structure of their network and what each machine did by looking at its DNS name. For example dns.<blah>.com was obviously a DNS server for the teams. We saw that these were running on Windows machines, and that each team had two workstation machines (ws1.<blah>.com, ws2.<blah>.com). These Windows machines happened to look like they were running a lot of services that they shouldn’t have been, and we noticed the machines were running older versions of Windows XP, pre-Service Pack 3.

My Responsibilities:

One of my jobs was to figure out how to maintain access once we exploited the machines. I went root kit shopping and found a lot of junk root kits on http://www.rootkit.com. Many of the tools on this website are not rootkits, but they do have good tools for avoiding virus and rootkit scanners and such. Also, the root kits that worked on rootkit.com were services that needed to be connected to from outside the computer they were being hosted on. I prefer root kits that dial out to the owners of the root kits because of the chance that the Blue team may do some interesting firewall rules like blocking all incoming traffic on all ports but allowing all traffic going out. Some of you might be saying, yeah, but even if they dial back out to you, how are you going to talk back to them if you can’t send traffic in? Well, some protocols like SSH are bi-directional protocols, which allow you to evade that requirement, so if you’re interested go look into it. Not having much luck at rootkit.com, I decided to look at Backtrack and see if it had any good rootkits in it by default. They do have a rootkit called sbd which is pretty useful in both Backtrack 3 and Backtrack 4. This rootkit dials out, but the only problem with it is that if the server gets restarted the service will die. Thus I also made instructions for how to install this rootkit to the Windows registry for the competition so that it re-runs on boot. I also renamed this program to VMwareGroup.exe, evilly making it look like it was installed as part of the VMware Tools that were running on the Blue team’s machines. They had services like VMwareUser.exe that had to be run in order for their VMs to function properly. A second rootkit that we used extensively throughout the competition was Poison Ivy (http://www.poisonivy-rat.com/). This is the same rootkit that was used in the Mid-Atlantic videos linked to above. It dials back to a number of IP addresses on different ports, installs itself to automagically run when Windows starts, installs a VNC-like backdoor (allowing you to control the victim’s keyboard and mouse), allows you to spawn a Windows shell at any time, and many more features! When testing these rootkits in virtual machines, I noticed Poison Ivy was detected by AVG antivirus. I do not know if this is the case for the professional version, but it is for the free version. Sbd.exe was not detected by AVG antivirus, so I figured these were about the two best root kits I could get for the competition: one that was really loud so that if the Blue team was smart enough they could detect it, and another quieter rootkit so that if the Blue team started to eliminate our Poison Ivy backdoors, we could still maintain access.
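The persistence described above (a dial-out backdoor registered under a Run key and renamed to pass as a VMware Tools component) is exactly what a Blue team should be checking for, so here is an added example of that check; it is my code, not anything from the competition or the tools named above. The VMware Tools install path, the known-component list (seeded only with VMwareUser.exe from the text), the drop-directory list and the sample Run-key values are assumptions I constructed for the example; on a Windows host it reads the real Run/RunOnce keys, elsewhere it runs on the sample.

```python
import ntpath

# Constructed sample of Run-key values, shaped like the persistence described
# above: the real VMware Tools user process next to a backdoor renamed
# VMwareGroup.exe and registered to restart on boot. Not real registry data.
SAMPLE_RUN_ENTRIES = [
    ("VMware User Process", r'"C:\Program Files\VMware\VMware Tools\VMwareUser.exe"'),
    ("VMwareGroup", r"C:\WINDOWS\Temp\VMwareGroup.exe"),
    ("ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
]

# Assumptions (not from the original post): where VMware Tools lives and which
# binaries belong to it. A real deployment fills KNOWN_VMWARE_BINARIES from an
# inventory of a clean image rather than from one name seen in a blog post.
VMWARE_TOOLS_DIR = r"c:\program files\vmware\vmware tools"
KNOWN_VMWARE_BINARIES = {"vmwareuser.exe"}
# Directories an attacker-dropped binary tends to be written to.
WRITABLE_DROP_DIRS = ("\\temp\\", "\\appdata\\", "\\users\\public\\")


def executable_path(value):
    """Pull the program path out of a Run-key value, which may be quoted or carry arguments."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    idx = value.lower().find(".exe")
    return value[: idx + 4] if idx >= 0 else value.split(" ")[0]


def check_autorun(name, value):
    """Return the reasons this Run-key entry looks like an impostor; empty if it looks clean."""
    path = executable_path(value)
    low = path.lower().replace("/", "\\")
    base = ntpath.basename(low)
    directory = ntpath.dirname(low)
    reasons = []
    if base.startswith("vmware"):
        if not directory.startswith(VMWARE_TOOLS_DIR):
            reasons.append("VMware-named binary outside the VMware Tools directory")
        if base not in KNOWN_VMWARE_BINARIES:
            reasons.append("VMware-named binary not in the known component list")
    if any(d in low for d in WRITABLE_DROP_DIRS):
        reasons.append("autorun points into a temp/user-writable directory")
    return reasons


def find_impostor_autoruns(entries):
    """Apply check_autorun to (name, value) pairs; return [(name, path, reasons)] for flagged ones."""
    flagged = []
    for name, value in entries:
        reasons = check_autorun(name, value)
        if reasons:
            flagged.append((name, executable_path(value), reasons))
    return flagged


def read_run_keys():
    """Read HKLM/HKCU Run and RunOnce values on a live Windows host (winreg is Windows-only)."""
    import winreg

    entries = []
    hives = ((winreg.HKEY_LOCAL_MACHINE, "HKLM"), (winreg.HKEY_CURRENT_USER, "HKCU"))
    subkeys = (r"Software\Microsoft\Windows\CurrentVersion\Run",
               r"Software\Microsoft\Windows\CurrentVersion\RunOnce")
    for hive, hive_name in hives:
        for sub in subkeys:
            try:
                key = winreg.OpenKey(hive, sub)
            except OSError:
                continue  # key absent or not readable
            with key:
                i = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, i)
                    except OSError:
                        break  # no more values
                    entries.append((f"{hive_name}\\{sub}\\{name}", str(data)))
                    i += 1
    return entries


if __name__ == "__main__":
    import sys

    entries = read_run_keys() if sys.platform == "win32" else SAMPLE_RUN_ENTRIES
    for name, path, reasons in find_impostor_autoruns(entries):
        print(f"{name}: {path}\n  " + "\n  ".join(reasons))
```

The sbd binary itself is what the name check catches; Poison Ivy registers under its own names, so the drop-directory rule is the one that tends to fire for it.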

Results:

The goal of the competition for the Blue team was to host a website hosting company. They were given thirty minutes to secure their networks without us launching any attacks against them. In the six hour competition, we took their website hosting business down for all teams within the first 15 minutes of attacking them. They did not fix their business for the rest of the competition. This means their website downtime was 5 hours and 15 minutes.

Taking down their websites was easy. We used Metasploit’s autopwn feature to automatically own their Windows DNS servers (which they did not have time to patch, or didn’t want to suffer the downtime to patch after their 30 minutes of safety time from the Red team was up). After getting on their DNS servers, we installed Poison Ivy and maintained access for almost the entire competition with it. We also owned some teams’ workstations and installed Poison Ivy on those too. While some of us on the Red team were doing this, other members were hacking their Linux machines and intercepting the emails the Blue team was supposed to receive from the White team to do business tasks. We replied to the White team as the Blue team telling them “You can take this job and shove it. We quit”. There was a point in the competition where I don’t think the White team believed that we had successfully penetrated the machines the Blue team was using, so they told us to start making some noise. We fired up the Poison Ivy shells and started changing their desktop backgrounds to lawlcat pictures, fighting for control of their keyboard and mouse, and talking to some of the teams over Notepad. They asked us over Notepad “how did you get in?”; well, I hope they read my blog lol. On the Linux machines there was also a VNC service running with no password, so we were annoying them on their Linux boxes in a similar fashion.

Only one team managed to actually figure out that the reason their website was broken was because we changed their DNS. We identified this team later on to be UH Mānoa Hawaii. They did do a decent job at keeping us out of their boxes. They were the only sub team of the Blue team to erase our root kits (toward the end of the competition). They were surprised, after erasing our root kits off their workstations, that we still had Poison Ivy dialing out to us from their DNS server. If we had wanted to, we could have installed sbd so they would not have found us, but seeing as there was only an hour left in the competition we figured we had tortured them enough and let them close us out of their network. They get a very small kudos for this, but I retract that in a few paragraphs and you will see why.

Now, I’m not sure if it was the White team’s true intention to score this competition or not. We were told at the beginning of the competition that the competition would be scored and that this was being conducted just like a Collegiate Cyber Defense Competition. The White team decided at the end they were not going to score the competition. With the Blue teams’ website business task being down for 5 hours and 15 minutes and all of them getting bombarded by the Red team through multiple security vulnerabilities the Blue teams did not patch, it is fair to say they would have had low scores if this were a real competition. All the Blue teams have a lot of practice to do if they want to be in a real Northwest Collegiate Cyber Defense Competition. Nevertheless, the 6 of us that were on the Red Team from Mississippi State University respect them for trying to better themselves at defending against hackers (by doing this competition), and we welcomed them to challenge us whenever they would like to do another event like this.

False Victory:

This blog post showed up a few days later from UH Mānoa:

I’m just going to leave it up to you (the reader) to decide what you think about that one. This is why I say I retract my kudos to UH Mānoa. Wesley McGrew (http://www.mcgrewsecurity.com), who headed up our Red Team, found this post by them and told us about it, so I saved it for my records. Since Wesley notified the point of contact for UH Mānoa’s blog post, they have changed their tune: http://www.hawaii.edu/news/article.php?aId=3560 .

Incident Reports:

The White team was supposed to mail Wesley some incident reports. Incident reports are what the Blue team had to file every time the Red Team successfully penetrated one of their machines. They do this to get points back. I have not heard from him to see if he got them. If I ever do I will post them here.