Archive for the 'Security' Category

Pn0x0b – The Aliens are coming!!! – Wifi Race Overview

Monday, October 22nd, 2007

So what is a Wifi race? Here’s the basic scenario. An off-the-shelf Linksys AP is mounted to a board and connected to a web server (also mounted on the board); both are plugged into an inverter stuck in the back seat of a car driving around downtown Nashville (a.k.a. THE FOX). Our mission was to find it. Once we found it, we needed to associate with it, then scan the network for the web server and pull it up in a browser. On the web page that came up was the info we needed to win. I think it was a picture, a code and a phone number.

Now here’s our story…

In our minivan we had an omnidirectional antenna, and a directional antenna attached to a tripod. Each antenna was plugged into a different laptop. The two guys with the laptops were looking for the fox. One person drove and did not operate any kind of computer equipment (for safety, and legal, reasons), and the fourth member of the team sat in the front passenger seat with a laptop hooked up to a GPS device making certain we didn’t get lost. The basic plan was to find the fox with the omni, and pinpoint his location with the directional. Our first glimpse of the fox was within the first five minutes of the competition, but it was only for a few seconds. Then we drove around for a bit. I was monitoring the directional antenna, but the sudden starts and stops and sharp turns of driving around downtown Nashville, while I watched dozens of access points scroll by in Kismet on my laptop every second, started to make me sick. Within 30 minutes of the start of the race I was puking on the sidewalk. So we decided I should drive, and poorchoices took over my job. FYI, our team consisted of myself, poorchoices, vollmond, and EULA. So we drove around a bit longer, and ended up outside of the playing field because EULA (the navigator) didn’t realize the street he told me to turn on was one-way. So we went down a couple of blocks and turned left, then turned left on another one-way street. We were in the left lane of a three-lane one-way street. There was a truck in the center lane right next to us, and he decided to make a sudden left turn from the center lane, which led to the following pictures:

(Photos of the accident, taken 10-20-07.)

So… we were stuck waiting for the police to come and fill out a report for about an hour.

After that incident was over, we got back into the race, and found the fox several times, but he kept getting away from us. In the end, about 15 minutes before the race would be over the fox was found by a family (mom, dad and two kids) in a minivan.

Our equipment seemed to work pretty well, and at the end of the day Kismet had detected over 800 networks!!!

Overall it was fun, even with the mishaps, and nobody got hurt, so we’ll let the insurance companies work the rest out.

We’re thinking we’d like to do something like this in Joplin. Anybody interested?

Wifi race logs: here are the logs Kismet output from our directional antenna. Use tcpdump or Wireshark to view them.

Pn0x0b – The Aliens are coming!!! – ROOTWAR Overview

Monday, October 22nd, 2007

We’re all gonna be FOOd man!

We made it back from PhreakNIC, mostly in one piece. I’ll try to go over the highlights over the next couple of days. So I know you’re all wondering, how did the RootWar go? Well… as it turned out no one registered for the RootWar. We had no teams, so there was no competition. So we went to plan B and just left the servers up for everyone to hack away at, and they did. Here’s the basic setup, at least my part. I had one box running Ubuntu and VMWare, and two Windows server VMs on it. One was just Server 2003 with no patches. IIS was set up along with MSSQL 2005 Express, and I set up an ASPNUKE site on it. The second VM server was SBS Server 2003 R2. Again, no patches, but I did set up AD and Exchange and set up a couple of users. (BTW, the first server was also part of the AD domain.) I also brought a second box which was just running Windows XP SP1 with no additional patches. I also stuck MS Office on it, added it to the domain, set up both users to use it, set up Outlook for both users to use Exchange, and passed some mail back and forth between the users. One of the emails actually had one of the users’ passwords in it. My goal was to make these systems easy to hack, so everyone could have fun finding different ways to hack them. The XP machine was hacked pretty quickly, and someone loaded an FTP server onto it and started filling up the hard drive. The ASPNUKE site was pwned pretty quickly as well. There was a message left on the front page of the site by the one who pwned it first, but it looks like it’s been hacked since then, and the site isn’t functioning properly. Here’s a screen shot:

Pwned

I don’t have a screen shot from when the site was still working, so if you were the one who pwned it first, let me know.  No one claimed to have pwned the SBS server, and I looked over it briefly and couldn’t find any definite signs of it, so if any of you did, please let me know, and let me know how you did it.  I should note that when I started the VM up a little while ago the DNS server crashed on boot, which makes me think someone may have taken advantage of vulnerabilities in Windows’ DNS server and done something.

Jeffx did some packet capturing, and will be making that available.  I’ll let you know where it’s at when it’s available.

Things to come…

Wifi Race Wreck…
I was running through Star Wars planets in my head…
Joplin Linux Users Group
Turn-Key Pen-Test Labs
HoneyNets
Anything else I think might be not too boring…

We HERE!!!

Friday, October 19th, 2007

We made it to our hotel in Nashville about 9:00 last night.  We would have made it sooner, but Adam made a wrong turn at the last minute, and we spent about 20 minutes driving around Nashville trying to find our way.  We picked up a map of Nashville at a tourist center, but in the end it was the satellite image I printed off for the WiFi race that got us going in the right direction.

So today PhreakNIC begins, and the RootWar.  I should be meeting Jeff soon and we’ll work on setting everything up.

I managed to come up with some decent wifi equipment, though I had to hack together some adapters so I could connect the high-gain omni-directional antenna to my laptop.  Thankfully, I brought my soldering iron with me and I managed to get it all working.  I haven’t done any field testing yet, so I really don’t know how much distance we’ll get with our equipment, but the general idea is we’ve got an omni-directional antenna that we’ll try to mount on top of the van, and a directional antenna that will be in the van with us, mounted on a tripod.  The omni-directional will let us know we’re in the vicinity of our target, and the directional will help us figure out exactly where the target is.

In other news, Gutsy Gibbon was released yesterday, so I’m upgrading now.

Two Days…

Wednesday, October 17th, 2007

We leave for PhreakNIC in two days.  Everything is working out pretty well.  It looks like there will be six of us going now.  We’re also working on a strategy to participate in the Wifi-Race.  We’re coming up with some decent hardware, though not incredible.  I think we’ll rely mostly on dumb-luck, but it should be fun.

There’s been some modifications for the RootWar that I’m working on now, and I’ve come up with some additional hardware so I can provide another target. I’m really looking forward to seeing how this plays out.

Besides these two events, there are several presentations I hope I’ll have time to see.  Overall, it should be a full weekend.

Next Week is PhreakNIC

Wednesday, October 10th, 2007

Next week is PhreakNIC!!  I’ve been looking forward to this for months!  I’ve been asked to help setup a couple of servers for the RootWars and I’ve got them mostly setup.  I just got some update info from JeffX concerning the way the network will be setup, and I have a little tweaking I want to do to make the target network as realistic as possible, but even so it’s all pretty much ready to go.  What is a RootWar you ask… go check it out at http://rootwars.jeffx.com.

I’ve got two people coming with me to PhreakNIC, possibly more.  Unfortunately, one of them can’t get next Thursday off work, so we can’t leave until 5PM, which should put us in Nashville around 1AM or so.  Not exactly what I was hoping to do, but what can I do?

Snort & Nagios

Wednesday, September 26th, 2007

I put it off for a while, but I finally got around to getting Snort up and running. It was actually pretty easy to get it working. Since I’m using OpenBSD, all I had to do was:

# pkg_add snort-2.6.0.2p1-mysql

And then it was installed. I used Oinkmaster to download the rules I needed, and it all just worked. Now I need to work on configuring some kind of user interface to make going through the logs easier. At this point I’ve got 600K of logs to browse for a single day’s activity. I know there are some nice GUIs out there to make this easier, so when I get a chance I’ll look into that and find something useful.

On another topic, I’ve also finally gotten around to getting Nagios set up. I’m tweaking what I want monitored and what kind of alerts I want to get. I’m going through all our mission-critical systems and figuring out what I want to monitor so I can catch any problems before they become problems. Once I get the monitoring set up, I need to figure out how I want to be alerted. I’m thinking I’ll use SMS. With my current phone plan it will be cheaper than having my phone check email on a regular basis. I wonder if Snort and Nagios can work together? It doesn’t seem so far-fetched that I could configure Snort to send alerts for specific rules to Nagios. It’s worth looking into.
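As an added example (not the author's setup, and not code from either project), here is one way the Snort-to-Nagios idea could work in C: parse lines in Snort's alert_fast output format, keep only the rules you care about, and emit the external command Nagios accepts for a passive service check result. The sample alert lines, the watched SIDs, the sensor host name "sensor1" and the service name "snort" are all constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Fields pulled from one Snort alert_fast line. */
struct snort_alert {
    int  gid, sid, rev;   /* the [gid:sid:rev] rule identifier */
    int  priority;        /* from "[Priority: N]" */
    char msg[128];        /* rule message between the two [**] markers */
};

/* Parse one line of Snort's alert_fast output:
 *   MM/DD-HH:MM:SS.uuuuuu  [**] [GID:SID:REV] msg [**] [Classification: ...] [Priority: N] {PROTO} src:port -> dst:port
 * Returns 1 when the rule id, message and priority were found, 0 otherwise.
 * Lines without a Priority field (or that are not alerts at all) are rejected. */
int parse_alert_fast(const char *line, struct snort_alert *a)
{
    const char *p = strstr(line, "[**] [");
    if (!p) return 0;
    p += strlen("[**] [");

    char *end;
    a->gid = (int)strtol(p, &end, 10);
    if (*end != ':') return 0;
    a->sid = (int)strtol(end + 1, &end, 10);
    if (*end != ':') return 0;
    a->rev = (int)strtol(end + 1, &end, 10);
    if (*end != ']') return 0;

    p = end + 1;
    while (*p == ' ') p++;
    const char *q = strstr(p, " [**]");
    if (!q) return 0;
    size_t n = (size_t)(q - p);
    if (n >= sizeof a->msg) n = sizeof a->msg - 1;   /* truncate, never overflow */
    memcpy(a->msg, p, n);
    a->msg[n] = '\0';

    const char *pr = strstr(q, "[Priority: ");
    if (!pr) return 0;
    a->priority = (int)strtol(pr + strlen("[Priority: "), NULL, 10);
    return 1;
}

/* SIDs the operator wants escalated regardless of priority.  Hypothetical
 * watch list for the example; a real one would come from a config file. */
static const int WATCHED_SIDS[] = { 2003, 2004 };

/* Map an alert to a Nagios service state: 2 = CRITICAL for watched rules,
 * 1 = WARNING for anything Snort rates priority 1 or 2, -1 = do not forward. */
int nagios_state_for(const struct snort_alert *a)
{
    for (size_t i = 0; i < sizeof WATCHED_SIDS / sizeof WATCHED_SIDS[0]; i++)
        if (a->sid == WATCHED_SIDS[i]) return 2;
    if (a->priority <= 2) return 1;
    return -1;
}

/* Build the Nagios external command for a passive service check result:
 *   [timestamp] PROCESS_SERVICE_CHECK_RESULT;host;service;state;plugin output
 * Returns 1 and fills `out` if the alert is forwarded, 0 if it is dropped. */
int format_passive_check(const struct snort_alert *a, const char *host,
                         time_t now, char *out, size_t outsz)
{
    int state = nagios_state_for(a);
    if (state < 0) return 0;
    snprintf(out, outsz, "[%ld] PROCESS_SERVICE_CHECK_RESULT;%s;snort;%d;%d:%d %s",
             (long)now, host, state, a->gid, a->sid, a->msg);
    return 1;
}

int main(void)
{
    /* Constructed sample lines in alert_fast layout, not a real capture. */
    static const char *const lines[] = {
        "10/20-09:54:12.123456  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 10.0.0.5:1434 -> 192.168.1.10:1434",
        "10/20-09:55:01.000001  [**] [1:1000001:1] LOCAL noisy test rule [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 10.0.0.7:4321 -> 192.168.1.10:80",
        "this is not an alert line",
    };
    char cmd[256];
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        struct snort_alert a;
        if (!parse_alert_fast(lines[i], &a)) {
            printf("skip (unparsed): %.40s...\n", lines[i]);
            continue;
        }
        if (format_passive_check(&a, "sensor1", time(NULL), cmd, sizeof cmd))
            printf("forward: %s\n", cmd);   /* in production: append to nagios.cmd */
        else
            printf("drop:    sid %d priority %d\n", a.sid, a.priority);
    }
    return 0;
}
```

In production the formatted line would be appended to the file named by the command_file directive in nagios.cfg (nagios.cmd), with a matching passive service defined for the sensor host; the parser's strict checks on the [gid:sid:rev] and Priority fields mean a malformed or non-alert line is skipped rather than forwarded as a bogus result.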

RootThisBox

Monday, September 17th, 2007

I was browsing the net and I found this site tonight.  This looks similar to the challenge server available at Learn Security Online.  You start off as rtb0, and then find the password for rtb1, rtb2, etc.  Should be fun.

So, anybody out there want to join in the fun?

Buffer Overflows for Dummies (no code, just basics)

Monday, September 10th, 2007

I’ve spent quite a bit of time this weekend trying to write my own buffer overflow, but I haven’t quite got it yet. I understand the principles behind it, but the devil is in the details. In case you didn’t know what a buffer overflow is, here’s a quick/simple and probably not 100% accurate description.

It all starts with a program that asks you for information. We’ll keep this simple, and I won’t use any code so I don’t lose those who aren’t code-monkeys. Let’s say there’s a program that asks you what your name is, you type in your name, and then it saves whatever you typed into a file or a database, or just outputs it back to the screen. Not a very useful program, but that’s what it does. When the program asks for your name it waits for your input, then takes your input and stores it in the system’s memory until the next part of the program does something with whatever you just typed in. This area in memory where your input sits is called the buffer. (I know, over-simplified, but work with me here.) As is always the case in programming, there are dozens of ways to do all this, and some work better than others. For example, if you use strcpy() you get potential buffer overflows. The program sets the size of the buffer (where your input is stored in memory) before it receives your input. strcpy() doesn’t check whether the input is bigger than the buffer; if it is, strcpy() still copies all of it, so the buffer overflows and whatever sits next to it in memory is overwritten. As an analogy (lots of holes in it, but it gets the basic idea across): you have an 8.5×11 sheet of paper and you start writing on it, but what you write takes up more space than the sheet, so you keep writing on your desk. That’s a buffer overflow error.

The key to a buffer overflow exploit is to overwrite the right piece of memory and change what’s in it to something more useful to you. I’ll try to explain this without any code. A program is broken up into smaller sections (functions) that perform specific tasks. The example above would have one section that asks for your name, another that receives your name when you type it in, and another that outputs your name back to the screen. When a section of the program finishes running, it looks up where to return to so it knows what to do next, and that return location is stored in memory right next to the buffers the section uses. Another bad analogy: you’ve been given a piece of paper with instructions to go somewhere (“Turn left on Main, go 2.5 miles, turn right on 15th…”). When you finish one section of the instructions you return to the paper to see what the next section is. A buffer overflow exploit overwrites the piece of memory that tells the program where to return to, replacing it with a different location. So instead of going back to the directions on your piece of paper, you follow directions from another piece of paper, which leads you to the wrong location. So you just need to make certain you get the program to end up at a location that has something useful for you.

So how does this help? Some programs run with a higher level of access than the person running them (on Unix, a setuid root binary is the classic case). The program runs as the root (or admin) user even though someone with limited privileges started it. So if you can exploit that program with a buffer overflow, you can run a command as root even though you don’t have root privileges. On a system you can log on to, you would spawn a shell, which would essentially log you in as root. On a remote system you might install some kind of backdoor that lets you access the system remotely. One caveat: modern compilers and operating systems add defenses (stack canaries, non-executable stacks, address randomization) that make the simple version described here much harder to pull off in practice.
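The same idea in C, as an added example rather than code from the post. The struct is a constructed model of the frame layout the post describes (the buffer sitting directly below the saved return slot); RET_HOME, the sample inputs and the function names are assumptions made for the illustration. unchecked_copy stands in for strcpy(), and checked_copy is the bounded version that refuses input that does not fit.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A model of the frame the post describes: the name buffer sits directly
 * below the slot holding the saved return address.  Constructed layout for
 * the example; a real compiler's frame has the same shape but extra slots. */
struct frame {
    char     buf[16];    /* the "buffer": where the typed name is stored */
    uint64_t saved_ret;  /* where the function jumps when it finishes */
};

/* Hypothetical legitimate return address (the "next set of directions"). */
#define RET_HOME 0x0000000000401000ULL

/* Behaves like strcpy(buf, input): copies every byte up to and including the
 * terminating NUL and never looks at sizeof buf.  The copy is routed through
 * the struct as a whole so the demonstration stays within defined behaviour;
 * a real strcpy simply keeps writing past the end of buf. */
void unchecked_copy(struct frame *f, const char *input)
{
    size_t n = strlen(input) + 1;
    if (n > sizeof *f) n = sizeof *f;        /* keep the model itself in bounds */
    memcpy((unsigned char *)f, input, n);    /* begins at buf, spills into saved_ret */
}

/* The fix: bound the copy by the destination size and report an input that
 * does not fit instead of writing past the end.  Returns 0 on success, -1 if
 * the input was too long (dst is left empty; the caller should reject it). */
int checked_copy(char *dst, size_t dstsz, const char *input)
{
    size_t len = strlen(input);
    if (len >= dstsz) {                      /* need room for the NUL too */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, input, len + 1);
    return 0;
}

/* Feed one input through the vulnerable copy and report where the function
 * would "return": the legitimate address, or whatever the input planted. */
uint64_t return_target_after(const char *input)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.saved_ret = RET_HOME;
    unchecked_copy(&f, input);
    return f.saved_ret;
}

int main(void)
{
    /* 16 bytes fill buf exactly; bytes 17 onward land in saved_ret, so an
     * attacker who controls them chooses the return address. */
    const char *benign   = "Alice";
    const char *overflow = "AAAAAAAA" "AAAAAAAA" "BCDEFG";

    printf("saved_ret offset in frame: %zu\n", offsetof(struct frame, saved_ret));
    printf("after \"%s\":   return to %#llx\n", benign,
           (unsigned long long)return_target_after(benign));
    printf("after overflow: return to %#llx (bytes 'B'..'G' now form the address)\n",
           (unsigned long long)return_target_after(overflow));

    char dst[16];
    printf("checked_copy(\"%s\") -> %d\n", benign, checked_copy(dst, sizeof dst, benign));
    printf("checked_copy(overflow) -> %d\n", checked_copy(dst, sizeof dst, overflow));
    return 0;
}
```

After the overflow input the saved return slot is made of the bytes 'B' through 'G' taken straight from the input: whoever controls those bytes controls where the function returns, and a real exploit puts a meaningful address there instead. The checked version is the fix, and note that it rejects the input outright rather than truncating and carrying on, since a silently truncated name is itself a bug waiting to happen.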

So, next time I say buffer overflow, you’ll know what I’m talking about.

As far as writing one goes, I’m still trying to pick up on some of the finer points. It seems to require a decent understanding of assembly, an area where I still have much to learn. But I’m close, I can feel it.

(Disclaimer) In case you’re wondering, I’m not planning on any criminal activity, but the ability to identify insecure programs and figure out how they’re exploited should help me keep my systems more secure, and it’s fun!

Level 8!

Thursday, September 6th, 2007

I did it!! I’m now a Level 8 Mod-X Agent!!! Level 7 required some ASM knowledge. Luckily I’ve been reading up a lot on assembly, so it didn’t take too long. Now I’m ranked at 451.

The next level involves privilege elevation on a *nix server. This should be fun. I’ve done some challenges like this before, so let’s see how it goes. I should note that only 31 people have passed level 8, so this may take a while.

Mod-X

Tuesday, September 4th, 2007

I made it to Level 7!!!

A while back I ran across Mod-X and started going through their hacking challenges. I made it through levels 1-5 in a matter of days, and then came level 6. I got stumped, then I got distracted and left it alone. Every now and then I come back to it and give it a go. I got through most of the challenge, but there was one final step I couldn’t figure out. I can’t say much about it, we’re not supposed to give clues and that sort of thing, but at the end of the challenge I’m supposed to find some specific info on a forum that I’ve managed to get access to. The forum is supposedly being used to pass info back and forth, but it’s hidden. It’s my job to figure out how the info is being passed back and forth, then report the info I found. It was one of those things that’s sitting right in front of you the whole time. But I got it!! So now I’m a level 7 Mod-X Agent. My ranking is now 624 of 6410.

Now on to Level 7, it looks like I need to do some reverse engineering for this level.