DEF CON 22 CTF Quals: Hackertool

Hackertool was one of the Baby's First challenges in DEF CON CTF Quals this year, and provided you with a .torrent file, and asked you to download the file and MD5 it. Seems easy enough, so I knew there must be more to it. The torrent file itself was a whopping 4 MB in size, very large for a torrent file. Looking at it, we see it contains just one file, named every_ip_address.txt, and the file is ~61GB in size. Hrrm, there must be an easier way than torrenting 61GB, especially at <1k/s.

So what is this every_ip_address.txt? Seems like it might be a list of all IP addresses. In fact, if you add up the length of all IP addresses written in decimal dotted-quad form, separated by newlines, you get 61337501696 bytes, exactly the same as the length of our target torrent. But is it newline separated? What order are they in? Fortunately, torrents also contain the SHA-1 of each 256 KB block of the file. So I wrote a little python script to quickly check if we had a match for the first block:

```python
import hashlib

def get_block():
    # Generate the first 256 KB of "every IP address, one per line" in
    # dotted-quad order and return exactly one torrent piece worth of it.
    block = 256 * 1024
    v = ''
    for a in range(256):
        for b in range(256):
            for c in range(256):
                for d in range(256):
                    v += '%d.%d.%d.%d\n' % (a, b, c, d)
                    if len(v) > block:
                        return v[:block]

# Compare this against the first 20-byte SHA-1 in the torrent's "pieces" field.
# (Originally written for Python 2: xrange, print statement, str hashing.)
print(hashlib.sha1(get_block().encode()).hexdigest())
```

This matched the value from the torrent file, so I knew we were on the right track. Unfortunately, python is too slow to hash 61GB this way, so I turned to C for the final solution:

```c
/* build: cc hackertool.c -lcrypto */
#include <openssl/md5.h>
#include <string.h>
#include <stdio.h>

int main(int argc, char **argv){
  char buf[64];
  unsigned char digest[MD5_DIGEST_LENGTH];
  MD5_CTX md5_ctx;
  int i,j,k,l;

  MD5_Init(&md5_ctx);
  for (i=0;i<256;i++) {
    /* progress marker on stderr so it doesn't mix with the hash on stdout */
    fprintf(stderr, "%d.\n", i);
    for (j=0;j<256;j++) {
      for (k=0;k<256;k++) {
        for (l=0;l<256;l++) {
          /* stream every line through MD5 instead of writing 61 GB to disk */
          sprintf(buf, "%d.%d.%d.%d\n", i, j, k, l);
          MD5_Update(&md5_ctx, buf, strlen(buf));
        }
      }
    }
  }
  MD5_Final(digest, &md5_ctx);
  for (i=0;i<MD5_DIGEST_LENGTH;i++) {
    printf("%02x", digest[i]);
  }
  printf("\n");
  return 0;
}
```

There might’ve been prettier ways, but this ran in the background while I moved on to another hash, and got us our first flag not too long afterwards.
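As an added example (not code from the original writeup), here is a Python 3 version of the piece check that streams the generated file in 256 KB pieces and compares each one against the 20-byte SHA-1s concatenated in the torrent's info['pieces'] string, and that also derives the 61337501696-byte size in closed form instead of adding up every line. Bencode parsing of the .torrent is left out; `piece_hashes` is assumed to be that raw pieces value.

```python
import hashlib

PIECE_LEN = 256 * 1024   # piece length from the challenge torrent (256 KB)
TOTAL_IPS = 1 << 32

def expected_size():
    """Closed-form size of every_ip_address.txt, no file needed.
    Every line is 4 octets + 3 dots + 1 newline; each octet position takes
    every value 0..255 exactly 2^24 times, so the digit count over the whole
    file is 4 * 2^24 * sum(len(str(n)) for n in 0..255)."""
    digits_per_octet_cycle = sum(len(str(n)) for n in range(256))   # 658
    return TOTAL_IPS * 4 + 4 * (1 << 24) * digits_per_octet_cycle

def piece_count():
    """Number of SHA-1 pieces the torrent must carry for that size."""
    return -(-expected_size() // PIECE_LEN)   # ceiling division

def ip_lines():
    """Yield the file's lines in address order without materialising it."""
    for n in range(TOTAL_IPS):
        yield ('%d.%d.%d.%d\n' % (n >> 24, n >> 16 & 255, n >> 8 & 255, n & 255)).encode()

def pieces(max_pieces=None):
    """Re-chunk the line stream into PIECE_LEN-byte pieces (the last may be
    short). Without max_pieces this walks all 2^32 addresses."""
    buf, emitted = bytearray(), 0
    for line in ip_lines():
        buf += line
        while len(buf) >= PIECE_LEN:
            yield bytes(buf[:PIECE_LEN])
            del buf[:PIECE_LEN]
            emitted += 1
            if max_pieces is not None and emitted >= max_pieces:
                return
    if buf:
        yield bytes(buf)

def piece_sha1(piece):
    return hashlib.sha1(piece).digest()

def verify_pieces(piece_hashes, max_pieces):
    """piece_hashes is the torrent's info['pieces'] value: the 20-byte SHA-1 of
    every piece, concatenated. Returns the index of the first piece whose
    generated content does not hash to the torrent's value, or -1 if the
    first max_pieces pieces all match."""
    for i, piece in enumerate(pieces(max_pieces)):
        if piece_sha1(piece) != piece_hashes[20 * i:20 * i + 20]:
            return i
    return -1
```

Checking only a handful of leading pieces is enough to confirm the format and ordering before committing to the full 61 GB hash.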


Weekly Reading List for 5/16/14

### How Target Blew It

Normally, I stick to more technical articles, but this article from Businessweek is a very interesting read on how, despite doing most of the right things technically, company procedures and humans can still be the weak link in your security infrastructure.


The Machine Inside the Machine

Imagine this scenario:

One of your employees visits a site offering a program to download videos from a popular video site. Because they’d like to throw some videos on their phone, they download and install it, but it comes with a hitchhiker: a RAT, or remote access trojan. So Trudy, an attacker, has a foothold, but the user isn’t an administrator, so she starts looking at the network for a place to pivot. Scanning a private subnet, she finds a number of consecutive IP addresses all offering webservers, FTP servers, and even telnet! Connecting to one, the attacker suddenly realizes she has just found her golden ticket…

Dell calls it iDRAC; IBM refers to it as RSA or IMM; HP likes iLO; and Intel goes with AMT. Whatever the name, most servers offer an out-of-band management option, and those are an oft-overlooked potential backdoor into your network. Generally these devices use their own network connection, are powered even if the server is shut down (so long as the power supplies are on), and offer a number of powerful features:

  • Remote console (most often a Java applet)
  • Attach remote drives (ISOs or disk images)
  • Reboot server
  • Update firmware
  • Control boot and BIOS/EFI settings

What can our attacker do with this? These devices are intended to provide system administrators with access roughly equivalent to physical access, and for attackers, they do the same.

Connecting to the out-of-band controller, Trudy hopes that whoever racked the server hooked up the controller but did no more configuration, such as changing the passwords. Almost all use a static password, so upon seeing the logo on the login screen, she immediately knew to try PASSW0RD, and was presented with the admin interface moments later. Launching the Java-based remote console, she was delighted to see a Windows Server 2012 interface with the hostname “DC2”, indicating the server was probably a Domain Controller, but was slightly disappointed to see that someone hadn’t done her the favor of leaving it logged in.

No matter, she had her bag full of tricks. She mounted an ISO of Kali Linux and, hoping the failover would work properly, clicked the reboot icon. After the system booted, she mounted the hard drives and replaced a few less-critical service executables with binaries that had some extra functionality. As she disconnected her ISO and power-cycled the server again, she fired up Metasploit on her laptop and started listening for connections. Shortly after the server booted, she saw an incoming connection pop up on her screen.

```
[*] Sending stage (748032 bytes) to 192.168.9.9
[*] Meterpreter session 1 opened (10.3.13.37:4444 -> 192.168.9.9:1051)
[*] Starting interaction with 1...
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
```

Due to an insecure Lights-Out Management device, Trudy now has SYSTEM on a domain controller at her target. Even with servers configured to best practices and fully patched, the network is now wide open. Trudy is free to pivot throughout the network, extract sensitive data, and whatever else she’d like. In short, you’ve been pwn3d.

#### Securing Out-of-Band Management

Not all hope is lost, however. While these devices pose a risk, they are also very useful. We can secure the controllers, but it takes planning.

  1. If you’re not going to use them, don’t connect them. If it’s not on the network, it’s not the way in.
  2. Maintain inventory of these devices, and include them in your patch management lifecycle. Patch them now.
  3. Like any server, disable unneeded services. Are you really going to use the telnet service on it? Ideally, only leave encrypted services around so passive sniffers aren’t a risk.
  4. Change the passwords. Nearly all of these devices have a default password that is the same across the board, so it doesn’t take much to get in if you haven’t changed the passwords.

Watch out for the machine within the machine!


Workflowy: Good for Keeping Organized?

I’ve been using Workflowy for a while as an organizational tool. It describes itself thus:

WorkFlowy is an organizational tool that makes life easier. It can help you organize personal to-dos, collaborate on large team projects, take notes, write research papers, keep a journal, plan a wedding, and much more.

I’ve been using Workflowy for about 6 months now, and so I think I’ve developed a good feeling for what’s working for me and what’s not, but I think it’s important to recognize that everyone will have different needs and expectations out of an organizational tool.

### What Works

  • Workflowy’s hierarchical/tree view is its best feature. I very much think of problems in categories, and then subdivided into other problems. I start at the top level with “Priority TODO”, “Life”, “Security Research”, “Blogging”, etc., and then break each of those down into smaller areas.
  • You can blow up any bullet level to be a top-level page, so you can limit your focus to the information in this category. Likewise, each branch node can be collapsed to hide information you don’t need to see at the moment.
  • You can star these pages for quick access to your most frequently used areas.

### What’s Missing

  • Deadlines or date prioritization. I’d like to be able to find things that need to be done in, say, the next week. Workflowy suggests using tags for deadlines, but this still makes it hard to filter on “next 7 days”.
  • Orthogonal views. I wish I could categorize entries to look at them in different ways. I can get close with tagging and search, but it’s not as nice as, say, GMail style labels.

### What Else I’ve Tried

For comparison, I’ve tried a number of other tools that didn’t work as well for me.

  • Remember the Milk
  • Todoist
  • Wunderlist

If you’re looking for a better way to get organized, give Workflowy a try.


Reading List for 5/9/2014

### On XTS Mode for Disk Encryption

Thomas Ptacek writes You Don’t Want XTS, and suggests that though XTS works well enough in practice, it is far from ideal for Full Disk Encryption, and should not be used at all for other encryption operations (i.e., anything that doesn’t resemble FDE). XTS is useful only in that it makes “random access” encryption more secure, as you need for a disk. For encryption of whole blocks of data at rest, you probably want CBC mode, and for anything on the wire, AES-GCM is the new hotness.

### The Six Dumbest Ideas in Computer Security

mjr has a post on The Six Dumbest Ideas in Computer Security. I actually disagree with several of his points (but, of course, I work on a Red Team doing, among other things, penetration testing), but I think it’s good and important to hear about opposing views, and if nothing else, they make you think. Specifically, he seems to think penetration testing is about finding holes to be fixed. It’s not, though that is a nice outcome. Penetration testing is about seeing how an attacker moves through your network, understanding the interconnections, the lateral movement, the mindset of the attacker.

### Fishing for Hackers

Draios has an interesting post on what attackers do on a system. To me, the most interesting part was not actually the actions, but a tool, sysdig, that I’d never heard of before. Looks like an interesting tool I’ll need to play with and see how useful it is in analyzing software behavior.