Round 1 Submission - Information Systems and Internet Security

Team 4
Michael Aiello
cSAW Capture the Flag Competition
Round 1 Submission
Background and justification
Useful Nmap results (I have added the associated exploit link in parentheses)
Host 10.43.61.101
  22/tcp open ssh    OpenSSH 3.1p1 (protocol 1.99)
                     (http://www.securiteam.com/exploits/5MP030A7PA.html)
  80/tcp open http   Apache Advanced Extranet Server httpd 1.3.23 (Mandrake Linux)
                     (http://security-protocols.com/modules.php?name=News&file=print&sid=1470)
Host 10.43.61.102
  22/tcp open ssh    OpenSSH 3.1p1 (protocol 1.99)
                     (http://www.securiteam.com/exploits/5MP030A7PA.html)
  80/tcp open http   Apache Advanced Extranet Server httpd 1.3.23 (Mandrake Linux)
                     (http://security-protocols.com/modules.php?name=News&file=print&sid=1470)
Host 10.43.61.103
  22/tcp open ssh    OpenSSH 3.1p1 (protocol 1.99)
                     (http://www.securiteam.com/exploits/5MP030A7PA.html)
Host 10.43.61.104
  22/tcp open ssh    OpenSSH 3.2.3p1 (protocol 1.99)
                     (http://www.securiteam.com/exploits/5MP030A7PA.html)
Host 10.43.61.105
  21/tcp open ftp    WU-FTPD wu-2.6.1-0.6x.21
                     (http://www.securiteam.com/exploits/2CUQ1QAQRS.html)
  22/tcp open ssh    SSH 1.2.27 (protocol 1.5)
                     (http://www.securiteam.com/exploits/3A5Q5RPQAW.html) ** this was used in round 2
Note: other non-exploitable services were running on a few of the hosts and are not
included above.
I found the following information manually using ping.
Team Hosts are at 10.128.238.51-65
We will all appear to log in from 10.128.238.1
Probable/working Network configuration
The network appears to be running on two subnets: the team hosts on one and all
other hosts on another. (We can assume they are virtual subnets; the ping times are far too
close for them to be on separate boxes, and it is easy to fingerprint that we are on a virtual
host.) Also, from email correspondence it appears that they are being run on VMware
servers and all “victims” will be in the 10.43.61.* range. So an assumed, simplified
network diagram would look like this:
                         Scoring Server
                               |
                   Firewall/router/bridge etc.
                    /                        \
  VMware attacker machine              VMware server machine
  on 10.128.238.50-65                  on 10.43.61.*
    Virtual Attacker 1                   Virtual Server 1
    Virtual Attacker 2                   Virtual Server 2
    Virtual Attacker 3                   Virtual Server 3
    Virtual Attacker 4                   Virtual Server 4
    Virtual Attacker 5                   Virtual Server 5
    Virtual Attacker 6                   Virtual Server 6
    Virtual Attacker 7                   Virtual Server 7
Tools installed
Scanning
• Nmap – used to perform targeted scans/fingerprinting (SYN/FIN/ping/idle
  scanning)
• Nessus – used to fingerprint discovered hosts and identify vulnerabilities
• Rvscan – automated exploitation tool (might give it a shot against servers
  with old OS fingerprints)
Exploiting
• Netcat – used for remote control of exploited hosts/quick scanning
• Metasploit framework – framework for rapid exploitation/rooting of
  recent/common vulnerabilities
• Custom exploits from security websites – custom exploits will be
  downloaded/modified/executed as necessary
Sniffing/Espionage
• Dsniff – sniffs out passwords/cleartext from ftp/telnet/netcat connections
• Snort (not yet installed) – detect fingerprints of attacks being used by other
  teams and copy when necessary.
Host holding via port Knocking (not implemented due to rule restrictions)
• cd00r.c – “The idea is to set up a listener in non-promiscuous mode
  which is looking for a specific sequence of packets arriving on this
  interface before actually opening any kind of listener. This sequence can
  be any kind of IP traffic - we use SYN packets in this example - and
  therefore provides a thick extra layer of obscurity.” Essentially, the hosts
  will still be running all of their services, but no one will be able to connect
  to anything without the correct encoded “knock” of packets. Therefore,
  other teams will not even be able to connect to my compromised hosts
  (even to exploit another vuln). For Windows servers, I wrote my own
  implementation (http://sourceforge.net/projects/winportknocking).
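Whoever holds a box this way, the knock leaves a trace a defender can look for: a burst of SYNs from one source to several distinct closed ports, immediately followed by an accepted connection from the same source. The Python below is an added example, not part of this submission or of cd00r; the simplified iptables-style log format and the sample lines are constructed.

```python
"""Flag port-knock style sequences in firewall DROP/ACCEPT log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the original submission), one event per line:
#   <ISO timestamp> <DROP|ACCEPT> SRC=<source ip> DPT=<destination port>
# First source: three SYNs to closed ports, then an accepted SSH connection.
# Second source: two isolated drops minutes apart, then SSH (no knock pattern).
SAMPLE_LOG = """\
2004-10-01T12:00:01 DROP SRC=10.128.238.60 DPT=1234
2004-10-01T12:00:02 DROP SRC=10.128.238.60 DPT=5678
2004-10-01T12:00:03 DROP SRC=10.128.238.60 DPT=9012
2004-10-01T12:00:04 ACCEPT SRC=10.128.238.60 DPT=22
2004-10-01T12:00:10 DROP SRC=10.128.238.61 DPT=80
2004-10-01T12:05:00 DROP SRC=10.128.238.61 DPT=443
2004-10-01T12:05:01 ACCEPT SRC=10.128.238.61 DPT=22
"""

LINE_RE = re.compile(r"^(\S+) (DROP|ACCEPT) SRC=(\S+) DPT=(\d+)$")


def parse(log):
    """Return (timestamp, action, src, port) tuples; unparseable lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, action, src, port = m.groups()
            events.append((datetime.fromisoformat(ts), action, src, int(port)))
    return events


def find_knock_sequences(log, min_knocks=3, window=timedelta(seconds=30)):
    """Map source -> knocked ports for every source whose ACCEPT was preceded,
    within `window`, by at least `min_knocks` dropped SYNs to distinct ports."""
    pending = defaultdict(list)  # src -> [(time, port)] of recent dropped SYNs
    hits = {}
    for ts, action, src, port in parse(log):
        recent = [(t, p) for t, p in pending[src] if ts - t <= window]
        if action == "DROP":
            recent.append((ts, port))
            pending[src] = recent
            continue
        ports = []  # distinct ports in arrival order, so the sequence is readable
        for _, p in recent:
            if p not in ports:
                ports.append(p)
        if len(ports) >= min_knocks:
            hits[src] = ports
        pending[src] = []  # the accepted connection closes the observation window
    return hits


if __name__ == "__main__":
    for src, ports in find_knock_sequences(SAMPLE_LOG).items():
        print(f"possible knock sequence from {src}: {ports}")
```

Lower `min_knocks` or widen `window` to trade false positives against slower knocks; a sequence that ends without an ACCEPT is deliberately not reported.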
Attack plan
Host discovery
• Use Nmap to perform a quick ping then SYN/FIN scan of the network, log
  and analyze all results.
• Rescan the network each round for differences. The topology of the network
  does not matter much in this competition, only the number of hosts
  compromised.
• SNMP scan dense network “areas”.
• Use compromised hosts to speed up/update the scan of the network (ping scans
  with Netcat).
Espionage
• Sniff telnet/netcat/ftp/etc. traffic for connections to compromised hosts
  from other teams (Dsniff). Use such information to over-capture hosts as
  soon as such traffic is detected.
• Use Snort to detect outgoing attack patterns, copy them and over-capture
  hosts from other teams.
• If necessary, poison (but do not damage) any ARP table, only in order to
  sniff.
Attack
• Use Nmap results to find the most easily exploitable targets (those with
  vulnerabilities already contained in the Metasploit framework), make a
  prioritized list of hosts to acquire, and attack them in easiest-to-hardest
  order (most points for quantity of hosts captured, not complexity of
  capture).
• Proceed down the list, gain control of such hosts with the framework and
  grab the /flag files.
• When I run out of hosts that are vulnerable to the exploits included in the
  Metasploit framework, I will run Rvscan, recreate my list and then go after
  hosts identified manually (download exploit code, integrate it into the
  Metasploit framework and run it against hosts).
• Periodically send out known packets that will overflow/root/crash systems
  that are running older versions of Ethereal integrated in many “script
  kiddy” network attack tools.
Defense
• Upgrade all vulnerable processes immediately.
• Use encrypted Netcat after initial compromise to control remote hosts.
• Modify iptables for minimal connection settings.
• Install port knocking on any compromised host for protection against overcapture. (not done)
• Notify judges of “port knocked” hosts and give them instructions on how
  to connect, if necessary. (not done)
Things I won’t do that I thought about
• Fuzz/search for buffer overflows/injections/vulnerabilities in any agent
  processes running on the victim hosts. If any are found, use this to take
  control.
• Use the knowledge of local VMware exploits to take over/actively
  reconfigure competitors’ machines.
• Send out spoofed packets to drive up the competitors’ bandwidth
  measurements.
• Mess up the ARP table of a switch so that only my host can connect
  outside of the network.
• Set up a script to kill all TCP connections that my machine can find except
  those that my host is part of.