Sunday, February 14, 2010

Nullcon Capture The Flag 2010 hacking competition : How I cracked it

Recently I attended Nullcon 2010 in Goa, an international hacking and security conference. Well, there is a lot to say. It was a great experience, my first hacking experience, unforgettable. Here are the details:


Goal : There was a server, we had to shut it down.

Hint: "Its there in the air"


Step 1: I found the wireless network they had configured for the challenge. The server was definitely inside that network. It was a WEP-encrypted network. I used aircrack-ng in BackTrack 4. The steps are explained here. A better explanation could be helpful. Still confused? Then watch this:




Step 2: Once I got the key and connected to the network, I started looking for the server. Here they had configured two networks: one with 192-series IPs, which I was connected to, and another with 172-series IPs, where the server was. They had also configured the firewall in the router so that no packets could reach the 172 network. So first the firewall had to be disabled, but root privilege was required to do that. So the task was to gain root access to the router, 192.68.1.1.

OS fingerprinting with nmap (nmap -O ip) gave the firmware details of the router: it was running DD-WRT. I searched for existing vulnerabilities or exploits for it and found the cgi-bin vulnerability. It could be exploited from the command line or with Metasploit. I found Metasploit easier and faster as well. Once that worked, I had a root shell on the router.


Step 3: Now disable the firewall.


They had set up iptables rules to drop the packets. So here are the commands:


iptables -L -nv


It showed the rule, mentioned earlier, that dropped all the packets.

Now,

iptables -P FORWARD ACCEPT

iptables -F FORWARD


That let the connections through, but note that it also opens forwarding for every host on the 192 network, since the policy is now ACCEPT and the chain is empty. If you want to allow only traffic from your own machine, keep the DROP policy and instead insert a rule that matches your source address (the address your machine got on the 192 network):


iptables -I FORWARD -p all -s <your_ip> -j ACCEPT


Once this was done, I was able to reach the server, which was 172.16.1.2 (I guess).
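As an added example (not from the write-up), here is the same firewall change as a small POSIX shell script, with the all-open version used in the CTF beside a scoped version that admits only one source host to the server network and lets the replies back. The addresses 192.168.1.100 and 172.16.1.0/24 are placeholders I chose; the IPT variable lets you dry-run it with IPT="echo iptables" to print the commands instead of applying them. The -C check needs iptables 1.4.11 or newer.

```shell
#!/bin/sh
# Added example, not code from the original post. Placeholders: attacker host
# 192.168.1.100 on the 192 network, server network 172.16.1.0/24.
# IPT="echo iptables" prints the commands instead of running them.
IPT="${IPT:-iptables}"

# What the CTF write-up did: ACCEPT policy plus a flush. Every host on the
# 192 network can now forward through the router, not only you.
open_forward_for_all() {
    $IPT -P FORWARD ACCEPT
    $IPT -F FORWARD
}

# Scoped alternative: keep the DROP policy and its existing rule in place,
# and insert (-I, i.e. ahead of the DROP rule) two rules: replies from the
# server network back to $1, and new traffic from $1 to the server network $2.
allow_forward_from() {
    src="$1"; dst="$2"
    $IPT -I FORWARD -s "$dst" -d "$src" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -I FORWARD -s "$src" -d "$dst" -j ACCEPT
}

# Verify the scoped rule exists: -C exits 0 when a matching rule is present.
forward_rule_present() {
    $IPT -C FORWARD -s "$1" -d "$2" -j ACCEPT >/dev/null 2>&1
}

# Same view as `iptables -L -nv` above, restricted to FORWARD and numbered so
# you can see where -I put the new rules relative to the original DROP.
show_forward() {
    $IPT -L FORWARD -nv --line-numbers
}
```

Source the file on the router (`. ./fw.sh`) and call `allow_forward_from 192.168.1.100 172.16.1.0/24`, then `show_forward`; the original DROP rule stays below the two inserted ACCEPT rules, so other hosts on the 192 network remain blocked.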


Step 4: Now I could ping the server, but I still had to get into it. So I did a port scan on that machine:


nmap -sS -PA 172.16.1.2   # -PA (TCP ACK ping) is the current spelling of the old -PT; -sS requires root privilege


Port 445 was open: SMB over TCP. An exploit for it was already available in Metasploit, so I just ran that and BINGO... I got a command prompt on the server.


Step 5: Shut down the server. Since I was already inside the server, the only thing required was to run the following:


SHUTDOWN -s -t 01


And I was done...

Monday, January 25, 2010

Spoof Mac in Mac

A MAC address is a unique identifier assigned to your network card, and some networks implement MAC address filtering as a method of security. Spoofing a MAC address can be desired for multiple reasons, and it is very easy to spoof your MAC address in both Mac OS X 10.4 and 10.5. For the purpose of this article, we are going to assume you want to spoof your Mac’s wireless MAC address. So without further ado, here’s a 3 step process on how to do it:

Retrieving your current MAC address

First, you’re going to want your current wireless MAC address so you can set it back without rebooting. Launch the Terminal and type the following command:
ifconfig en1 | grep ether
You’ll now see something like:
ether 00:12:cb:c6:24:e2
The values after ‘ether’ make up your current MAC address. Write this down somewhere so you don’t forget it. If you do, it’s not the end of the world; you’ll just have to reboot to reset it after a change.

Spoofing a MAC address

To spoof your MAC address, you simply set that value returned from ifconfig to another hex value in the format of aa:bb:cc:dd:ee:ff

For this example, we will set our wireless MAC address to 00:e2:e3:e4:e5:e6 by issuing the following command:
sudo ifconfig en1 ether 00:e2:e3:e4:e5:e6

The sudo command will ask for your own (administrator) account password, not a separate root password, before making the change.

Verifying the Spoofed MAC address worked

If you want to check that the spoof worked, type the same command as earlier:
ifconfig en1 | grep ether
Now you will see:
ether 00:e2:e3:e4:e5:e6
Meaning your MAC address is now the value you set it to. If you want to further verify the spoof, simply log in to your wireless router and look at the ‘available devices’ (or attached devices) list; your spoofed MAC address will be part of that list.

If you want to set your MAC address back to its real value, simply issue the above ifconfig commands with the MAC address that you retrieved in step 1. You can also reboot your Mac.

Enjoy!

Note: Reader Dee Brown points out the following, which may help some users having difficulties: “running 10.5.6 you need to do the trick to disassociate from the network. ****DO NOT TURN AIRPORT OFF****. What you will have to do is click your airport and click join network and enter some bogus name as the network ssid. Then while it’s trying to connect click cancel. At this point you may spoof using the sudo ifconfig en1 ether command”

Other readers point out that Dee Brown’s trick works in 10.5.7 and above too. Thanks Dee!

Update: If you’re still having problems with MAC address spoofing in Leopard or Snow Leopard, the above method still works but try disassociating with any wireless network BUT keep your wireless Airport on (as mentioned above) – an easy way to do this is to type the following in the command line:

airport -z

Note that you have to have the ‘airport’ command setup to work for users, you can do that by copy and pasting this command into the Mac Terminal:

sudo ln -s /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport /usr/sbin/airport

Once disassociated from the network you should be able to spoof your MAC address as usual

[Copied from http://osxdaily.com/2008/01/17/how-to-spoof-your-mac-address-in-mac-os-x/]
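An added example, not part of the osxdaily article: a POSIX shell script that saves the real address of an interface to a file, disassociates with airport -z as described in the update above, and sets a random locally administered MAC (second hex digit 2, 6, A or E). A locally administered address can never collide with a vendor OUI, which is why it is preferable to a made-up vendor-range address like 00:e2:e3:e4:e5:e6 from the article. The interface name, the save-file path under $HOME and the helper names are my choices; the ifconfig and airport invocations are the article's.

```shell
#!/bin/sh
# Added example, not from the osxdaily article. Assumes macOS ifconfig/airport
# syntax as in the article and the airport symlink from the update above.
# Save-file location under $HOME is my choice.

# Random unicast, locally administered MAC: clear the multicast bit (bit 0)
# and set the local bit (bit 1) of the first octet, keep the other 5 random.
random_laa_mac() {
    set -- $(od -An -N6 -tu1 /dev/urandom)      # six random bytes as decimal
    first=$(( ($1 & 0xFC) | 0x02 ))
    printf '%02x:%02x:%02x:%02x:%02x:%02x\n' "$first" "$2" "$3" "$4" "$5" "$6"
}

# Exit 0 if $1 is a well-formed MAC that is unicast and locally administered,
# i.e. the low two bits of the first octet are exactly 10b.
is_laa_mac() {
    mac=$1
    echo "$mac" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$' || return 1
    first=$(( 0x$(echo "$mac" | cut -d: -f1) ))
    [ $(( first & 0x03 )) -eq 2 ]
}

# Current address of interface $1, parsed like `ifconfig en1 | grep ether`.
current_mac() {
    ifconfig "$1" | awk '/ether/ {print $2; exit}'
}

# Save the real MAC, drop the association but keep AirPort on, then spoof.
spoof_mac() {
    iface=${1:-en1}
    current_mac "$iface" > "$HOME/.real_mac_$iface"
    sudo airport -z
    newmac=$(random_laa_mac)
    sudo ifconfig "$iface" ether "$newmac"
    echo "$iface: $(cat "$HOME/.real_mac_$iface") -> $newmac"
}

# Put the saved real address back (the alternative is a reboot, as the article says).
restore_mac() {
    iface=${1:-en1}
    sudo ifconfig "$iface" ether "$(cat "$HOME/.real_mac_$iface")"
}

case "${1:-}" in
    spoof)   spoof_mac "${2:-en1}" ;;
    restore) restore_mac "${2:-en1}" ;;
    *)       echo "usage: $0 spoof|restore [interface]" >&2 ;;
esac
```

Run `./macspoof.sh spoof en1` and later `./macspoof.sh restore en1`; the change does not survive a reboot either way, so the saved file is only needed to switch back without rebooting.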


Wednesday, January 13, 2010

Invisible Nmap

Nmap is a powerful tool for network scanning. Whether it is good or bad is a different question, and that is up to the user's motives for using it. It has a lot of options. Here are some of those options put together to get a reasonable amount of information about an IP or network without bothering the owner by telling her about your existence :). Not sure though how efficient it would be considering the latest IDS/IPSes. But that's all I could get out of the options provided by Nmap. The command and its explanation are as follows:

sudo nmap -n -sS -f -A -T1 -S fake_ip -e interface_to_use -D fake_ip1,fake_ip2,fake_ip3,ME -vvv -Pn ip_to_scan

sudo: You have to have root permission to run it (-sS, -f, -S, -D and OS detection all need raw sockets).
-n: Do not resolve hosts; show the IPs. This also avoids the reverse-DNS lookups that would otherwise go out for every address.
-sS: Stealth SYN scan. Supposed to be less noisy, since the TCP handshake is never completed.
-f: Fragment the probe packets before sending them to ip_to_scan. Reduces the chance of being detected by simple packet filters. Newer IDS/IPS reassemble fragments and can still catch it (as per the information I got).
-A: Do OS and version detection, script scanning, and traceroute. Note that everything in -A depends on the target's replies reaching you, so it cannot work together with a spoofed source address (-S); drop -A when you spoof.
-T1: Range is T0 (slowest) to T5 (fastest), the speed of execution. Slower packet sending makes the scan less likely to trip rate-based detection.
-S fake_ip: Use fake_ip as the source address of the packets. The replies then go to fake_ip, not to you, so you see no results; this only makes the scan appear to come from somewhere else.
-e interface_to_use: Since the source address is spoofed in the previous option, nmap cannot work out the route itself, so you have to name the interface to send/receive on.
-D fake_ip1,fake_ip2,fake_ip3,ME: Decoy option. Send the same probes from each of these addresses as well as ME (your own IP). The list must be comma-separated with no spaces; a space would make the next address a scan target. The target sees several scanners and cannot tell which one is real.
-vvv: Very very verbose mode. Explains the output more elaborately.
ip_to_scan: IP/network to scan.
-Pn: Do not ping, only scan (the older spelling was -P0). Hosts that block ping are still scanned, so it finds more machines, at the cost of the time spent on addresses that are down.

Monday, November 2, 2009

Crazy Visual Studio: “No files were found to look in. Find was stopped in progress.”

This is the second time I have faced the same problem... No guarantee that it won't happen a third time. So here come my tips to solve it. The problem is, in Visual Studio 2008, whenever I tried to find something in files, after clicking Find I got the reply "No files were found to look in. Find was stopped in progress.” Being stupid and superstitious, I restarted Visual Studio; didn't work. Then restarted the machine as well; didn't work. Now it was time to think logically. Asked my best friend, Google, for a solution. He gave me this, this and THIS!!!.. In short, the solution is: press Ctrl+Scroll Lock and everything gets back to normal. If it doesn’t work, try pressing Scroll Lock and then hit Ctrl+Scroll Lock again. I have no idea why or how it works, but the fact is that it does solve the problem. If anyone knows what happened here, please leave your comment and share your knowledge with us. This is a very strange and odd bug indeed, I must say.

Sunday, October 4, 2009

OS X: Ten Boot Options for Leopard

Multiple shortcuts exist for the various methods of booting Leopard. These ten boot options range from essential debugging tips such as verbose and safe modes to dual booting options.

To use these boot shortcuts or commands, hold down the bolded keypress while your system is booting up. If it does not work, you probably did not start holding down the key (or key combination) soon enough.

shift – Safe Mode

Booting with the shift key held starts OS X in Safe Mode, with Account preferences ignored and non-essential kernel extensions (kexts) disabled.

option – Startup Manager

Booting with the option key depressed starts OS X with the Startup Manager which allows the user to select which OS or partition from which to boot.

Mouse button – Eject Media

When the user boots with the mouse button held down, any media in the drive, such as a DVD or CD, is ejected.

cmd v – Verbose Boot

If this key command is held down when booting, all the startup messages that are typically hidden will be displayed. This is an excellent method for debugging booting issues.

c – Boot from CD/DVD

Booting with the “C” key held will tell the system to boot directly from a CD/DVD in the drive.

t – Target Mode

If the “T” key is held during bootup, the computer is placed in Target Disk Mode. This basically allows the computer to be accessed by other systems as a FireWire drive: other computers can read, write, or mount the target mode system just like any other FireWire drive. Since this needs only physical access and a cable, it also exposes everything on an unencrypted disk to whoever holds the machine, unless a firmware password is set.

Other Bootup Shortcuts —

cmd s – Single User Mode (a root shell with no password prompt unless a firmware password is set)

x – OS X Force boot

r – PowerBook Display Reset

n – Boot up from NetBoot Server

[courtesy:www.tech-recipes.com]

Sunday, July 19, 2009

KGEC - The Beginning, my first iMovie project

This is something I wanted to do for a long time, but I could not make it happen until last night. Finally I am here with my first iMovie video. But life was not that simple to get it done. I had a tough night learning and fighting with the features of iMovie to get exactly what I wanted. I could not find it helpful while editing the audio for it. Thanks to Chandan, he helped me with this by introducing me to Audacity. Also, since I was trying to edit an mp3, I had to download the LAME MP3 encoder along with Audacity. Yeah, I know, I know, it is going to be a little technical. But that is just to express my emotions. I am really happy that I finally made it. Still a long way to go. Wait and watch, there is a lot more to come.

Sunday, April 12, 2009

YAF - Yet Another Forum

I was given an opportunity to set up a technical forum where people can discuss technical stuff. I was looking for ways to start, and obviously my first preference was something open source. Thanks to Gautam (my colleague) for introducing me to YAF - Yet Another Forum. It is a .Net based open source forum control written in C#. It is really great. It was so easy to deploy, I was amused. I just simply loved it. The source is available here and the wiki as well. The funny part is there is also a forum about "Yet Another Forum" where people discuss it. This seems like a snake eating itself from the tail, hehe. (Bad joke). But the moral of the story is that I am impressed with such a lovely open source tool with such a huge set of features. Kudos to all who are behind its creation.