Clan x86

Technical (Development, Security, etc.) => General Security Information => Topic started by: iago on January 13, 2009, 06:22:45 pm

Title: Hacking competition?
Post by: iago on January 13, 2009, 06:22:45 pm
I spent the last week or so putting together a vulnerable network for a presentation/demo I'm doing next week. When I'm done, I was thinking of fixing up the demo a bit, making it a bit more interesting/challenging, then giving people access and seeing who can get to the end first.

Naturally, there'd be a prize for the person who got through it first.

If you'd be interested in doing it, post here (and get others to, as well ;) ). If at least 3-4 people are interested, I'll set it up.

It isn't insanely difficult, but it'd be an interesting challenge and requires the use of a few different tools.
Title: Re: Hacking competition?
Post by: Blaze on January 13, 2009, 07:21:59 pm
Sure!
Title: Re: Hacking competition?
Post by: iago on January 13, 2009, 07:29:20 pm
Incidentally, I'm well aware that nobody doing this will be experts (or even amateurs), so I'll post a list of tools and some basic theories at the outset.
Title: Re: Hacking competition?
Post by: Quik on January 13, 2009, 07:34:17 pm
Maybe.. might be interesting.
Title: Re: Hacking competition?
Post by: Krazed on January 13, 2009, 07:49:43 pm
I'd definitely be interested to learn something.
Title: Re: Hacking competition?
Post by: iago on January 13, 2009, 08:36:34 pm
So at least 4 people have shown some kind of interest (3 here + one more on AIM), so I'll definitely set this up. Don't expect it to be right away, though, but hopefully it'll be in the next couple months. :)
Title: Re: Hacking competition?
Post by: Newby on January 13, 2009, 09:07:10 pm
If I get time, I'll do it for the learning experience. :P
Title: Re: Hacking competition?
Post by: Hdx on January 14, 2009, 08:57:30 pm
I must ditto everyone else's responses. I'd be more than happy to take a swing at it to learn some new stuff.
As all of you know I'm not 'deh ubber 1337 haxorz' :)
Title: Re: Hacking competition?
Post by: rabbit on January 15, 2009, 08:44:12 am
Same as everyone else :P
Title: Re: Hacking competition?
Post by: abc on January 16, 2009, 02:41:31 pm
I'm definitely interested!
Title: Re: Hacking competition?
Post by: mynameistmp on February 05, 2009, 10:29:21 pm
Is this idea dead?
Title: Re: Hacking competition?
Post by: Hitmen on February 05, 2009, 11:21:39 pm
Is this idea dead?

So at least 4 people have shown some kind of interest (3 here + one more on AIM), so I'll definitely set this up. Don't expect it to be right away, though, but hopefully it'll be in the next couple months. :)

iago is slow like that
Title: Re: Hacking competition?
Post by: Blaze on February 06, 2009, 02:49:33 am
He did figure out what the prize is, though!
Title: Re: Hacking competition?
Post by: iago on February 06, 2009, 02:58:44 am
Haha, it's not at all dead. I'll even go so far as to promise I'll set it up, eventually.

The presentation I was going to do got bumped due to the fact that I couldn't stop throwing up the day I was supposed to do it (damn flu!), so I'm not doing it till the 18th.

But here's the thing -- I'm moving before the end of April, at which point I'll be on a new connection on a new ISP. I'm also considering picking up some new hardware, so I could even dedicate the old server to this contest. Whatever the case, that stuff isn't going to happen till May.

I also need to learn how to use OpenVPN, so people participating can connect directly to my network and not get pwned by ISPs that do filtering. If anybody knows how already, let me know.

And yes, I've chosen a prize for the contest. :D
Title: Re: Hacking competition?
Post by: Ribose on February 06, 2009, 04:28:47 pm
This would be interesting...
Title: Re: Hacking competition?
Post by: Sidoh on February 08, 2009, 12:21:55 am
I got openvpn working at some point (I think over last spring break or something?), but I wouldn't be helpful other than to tell you it's pretty well documented. :)
Title: Re: Hacking competition?
Post by: iago on February 08, 2009, 03:13:01 am
Heh, thanks. It looked pretty easy from a quick look at the manpage. I'll just have to send people .conf files that point to my private network.
Title: Re: Hacking competition?
Post by: iago on September 22, 2009, 02:19:02 pm
For what it's worth, I haven't forgotten about this. I'm hopefully going to have the hardware I need in the next little while.
Title: Re: Hacking competition?
Post by: Tuberload on September 23, 2009, 06:00:05 pm
Incidentally, I'm well aware that nobody doing this will be experts (or even amateurs), so I'll post a list of tools and some basic theories at the outset.


Could you post the list of tools and basic theories now? That way I can begin allocating my free time for research purposes.
Title: Re: Hacking competition?
Post by: iago on September 23, 2009, 06:10:12 pm
Incidentally, I'm well aware that nobody doing this will be experts (or even amateurs), so I'll post a list of tools and some basic theories at the outset.


Could you post the list of tools and basic theories now? That way I can begin allocating my free time for research purposes.

Hmm, I can't list too much without giving away a lot (I have a pdf I can send that is basically a guide, but it's also basically a walkthrough :) ). I'll list some stuff, though!

My favourite tools (and the ones you need for this) are:
* Nmap
* Metasploit
* sqlmap
* rainbowcrack (rcrack) -- you only need the 'alpha' tables, which are <1 GB, not anything else. I think l0pht puts out a live CD for cracking passwords, too

The theories:
* Port scanning
* Network discovery
* Web vulnerabilities (SQL injection, path traversal, cross-site scripting [not required, but good to know], local/remote file include)
* Exploits (Metasploit -> how to use the exploits, different payloads [meterpreter])
* Password cracking (w/ rainbow tables)
* Pass-the-hash (w/ Metasploit)

That should put you in a good position.

I'm thinking I should do a basic one first to get people going, give out a prize for that one, post the theories used, then do my full contest. Thoughts on that?
Title: Re: Hacking competition?
Post by: Camel on September 23, 2009, 07:36:51 pm
I was talking with my boss about this thread today. He says you need to get laid, iago. :P
Title: Re: Hacking competition?
Post by: iago on September 23, 2009, 10:28:34 pm
I don't really understand what you mean.

Keep in mind that this is my job. I use this type of demo to teach people how to hack and to demonstrate to programmers/management what hackers do. That's my job, and I love doing it, people appreciate learning it, and I get paid decently for my skills.

The fact that I'm planning to share some of the work I've done with the community doesn't really change anything.
Title: Re: Hacking competition?
Post by: abc on September 24, 2009, 12:07:30 am
sounds fun to me!
Title: Re: Hacking competition?
Post by: Camel on September 24, 2009, 03:34:53 am
I find it pretty interesting too. I think he doesn't approve of nerding during free time.
Title: Re: Hacking competition?
Post by: iago on September 24, 2009, 08:40:04 am
I find it pretty interesting too. I think he doesn't approve of nerding during free time.
I do a lot (in fact, most) of it at work. I use it to train new students, and I use it in presentations to our departments. :)

I do a ton of work in my free time, though, too. Like, I'm one of the top Nmap contributors right now, and have been for a while. Speaking of which...

Tuberload: When you look things up, make sure you learn how to use the Nmap Scripting Engine (NSE), especially the scripts written by the guy named "Ron". They're awesome. :)
Title: Re: Hacking competition?
Post by: Tuberload on September 24, 2009, 08:32:03 pm
Tuberload: When you look things up, make sure you learn how to use the Nmap Scripting Engine (NSE), especially the scripts written by the guy named "Ron". They're awesome. :)

I'm setting my printer up now so I can start printing educational material.
Title: Re: Hacking competition?
Post by: Camel on September 24, 2009, 09:47:19 pm
Paper kills trees, you savage.
Title: Re: Hacking competition?
Post by: Tuberload on September 24, 2009, 10:33:30 pm
I do what I can.
Title: Re: Hacking competition?
Post by: AntiVirus on September 24, 2009, 10:57:10 pm
This does sound really interesting.  I would love to try and give it a shot, but I don't think I have time. : (
Title: Re: Hacking competition?
Post by: Towelie on September 25, 2009, 06:05:03 pm
doing this on a DoD network... I might pass.
Title: Re: Hacking competition?
Post by: rabbit on September 25, 2009, 06:13:34 pm
I'll give it a shot I guess :D
Title: Re: Hacking competition?
Post by: iago on September 25, 2009, 07:24:14 pm
doing this on a DoD network... I might pass.
I'm going to set it up so you have to connect to me through a secure tunnel. So technically, if you wanted to, you'd be safe. :)
Title: Re: Hacking competition?
Post by: Joe on September 26, 2009, 12:20:33 am
Not to get into a cryptography debate, but can't they decrypt everything that comes over the wire once he sends his public key? Sure, they can't pretend to be him, but they can read everything sent out, if I understand correctly.

But that's a moot point since it's not against the law to hack into a machine with its owner's permission. Of course, you might have to prove that you have iago's permission to someone pretty important.. :P

EDIT -
Headline: US Navy Cadet caught hacking into Canadian web server.
Title: Re: Hacking competition?
Post by: iago on September 26, 2009, 12:38:01 am
Not to get into a cryptography debate, but can't they decrypt everything that comes over the wire once he sends his public key? Sure, they can't pretend to be him, but they can read everything sent out, if I understand correctly.

But that's a moot point since it's not against the law to hack into a machine with its owner's permission. Of course, you might have to prove that you have iago's permission to someone pretty important.. :P

EDIT -
Headline: US Navy Cadet caught hacking into Canadian web server.
No, you're entirely wrong about how public-key cryptography works. To briefly explain, there are two concepts:
1) Anything encrypted with a private key can only be decrypted with the corresponding public key (what you're talking about)
2) Anything encrypted with a public key can only be decrypted with the corresponding private key (closer to what's actually happening)
Title: Re: Hacking competition?
Post by: Joe on September 26, 2009, 05:32:28 pm
I forgot that. SSH is double-encrypted, right? With your private key and their public key, therefore since only the intended recipient has both your public key and their own private key, only they can read it.

Gotcha.
Title: Re: Hacking competition?
Post by: iago on September 26, 2009, 09:47:31 pm
I forgot that. SSH is double-encrypted, right? With your private key and their public key, therefore since only the intended recipient has both your public key and their own private key, only they can read it.

Gotcha.
Something like that, anyway. :P
Title: Re: Hacking competition?
Post by: Joe on September 26, 2009, 10:00:55 pm
Don't you work for an internet security company? :P
Title: Re: Hacking competition?
Post by: iago on September 26, 2009, 10:11:21 pm
Nope, I work for the government.

I'm not a crypto expert, though I do have a decent understanding of how ssh works. Your answer isn't really right, but explaining it is kind of a waste of time. :)
Title: Re: Hacking competition?
Post by: Sidoh on September 27, 2009, 11:42:28 am
I forgot that. SSH is double-encrypted, right? With your private key and their public key, therefore since only the intended recipient has both your public key and their own private key, only they can read it.

Gotcha.

SSH is probably a special case, but the standard public key model is the sender encrypts the message with the recipient's public key.  A message can be decrypted using the private key corresponding to the public key that encrypted it.  "Double encryption" probably means that the traffic is encrypted both ways.

Public keys and private keys have some sort of mathematical relation to each other.  The idea is that the (or a) public key is trivially determinable from a private key, but it's an intractable problem to determine a private key from a public key.  In RSA (and similar approaches), which is probably the most common form of public key cryptography in practice, the private key is two large primes, and the public key is the product of those two primes.

Don't you work for an internet security company? :P

The innards of cryptography is a rather small subset of what internet security is about...
Title: Re: Hacking competition?
Post by: iago on September 27, 2009, 11:55:30 am
SSH is probably a special case, but the standard public key model is the sender encrypts the message with the recipient's public key.  A message can be decrypted using the private key corresponding to the public key that encrypted it.  "Double encryption" probably means that the traffic is encrypted both ways.
Typically, encryption using public/private keys is rarely done, because it's computationally expensive. What happens in SSH/SSL/etc is that the client/server use public key encryption to exchange a session key (and as of SSHv2, it's done in a way that isn't vulnerable to man-in-the-middle attacks; I don't know the details), and that session key is used for symmetric encryption (AES or something).

The innards of cryptography is a rather small subset of what internet security is about...
Exactly. On a day-to-day basis, I need to know how to use encryption properly, but I don't necessarily need to know how it works (I trust very smart people like Bruce Schneier and the RSA folks to understand that kind of stuff. :) )
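
The session-key pattern described in the post above, as an added example that is not part of the original thread: the public key is used once to wrap a random session key, and the traffic itself is protected with symmetric encryption and a MAC. The demo key pair, the SHA-256 keystream standing in for AES, and all function names are assumptions made for illustration; this is unpadded RSA key transport, not the actual SSHv2 key exchange.

```python
import hashlib, hmac, secrets

# Constructed demo key built from two known Mersenne primes. Far too small and
# too structured for real use; real RSA uses large random primes plus padding.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537                    # public key: anyone may hold this
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent: requires P and Q

def derive(session_key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one session key."""
    return hashlib.sha256(label + session_key).digest()

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for AES: XOR data with a SHA-256 counter-mode keystream."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], pad))
    return bytes(out)

def client_send(message: bytes):
    """Client: wrap a fresh session key with the server's PUBLIC key."""
    session_key = secrets.token_bytes(16)
    wrapped = pow(int.from_bytes(session_key, "big"), E, N)
    ciphertext = keystream_xor(derive(session_key, b"enc"), message)
    tag = hmac.new(derive(session_key, b"mac"), ciphertext, hashlib.sha256).digest()
    return wrapped, ciphertext, tag

def server_receive(wrapped: int, ciphertext: bytes, tag: bytes) -> bytes:
    """Server: unwrap with the PRIVATE key, check the MAC, then decrypt."""
    key_int = pow(wrapped, D, N)
    if key_int >= 2**128:
        raise ValueError("wrapped key is malformed")
    session_key = key_int.to_bytes(16, "big")
    expected = hmac.new(derive(session_key, b"mac"), ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext was modified in transit")
    return keystream_xor(derive(session_key, b"enc"), ciphertext)

def observer_attempt(wrapped: int, ciphertext: bytes) -> bytes:
    """An observer holding only (N, E) can apply the public operation again,
    but that does not invert the wrapping, so the derived key is wrong."""
    wrong_key = (pow(wrapped, E, N) % 2**128).to_bytes(16, "big")
    return keystream_xor(derive(wrong_key, b"enc"), ciphertext)
```
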
Title: Re: Hacking competition?
Post by: iago on September 27, 2009, 12:57:33 pm
So it turns out that the old PoS computer I grabbed to run this on won't boot with a USB keyboard, and I don't own a PS/2 one. Oops. :)

I'm thinking of running this on my old laptop now.. I know it can handle it, and it's not doing anything else. We'll see! I suddenly got really busy again. Bah!
Title: Re: Hacking competition?
Post by: rabbit on September 27, 2009, 01:30:57 pm
So it turns out that the old PoS computer I grabbed to run this on won't boot with a USB keyboard, and I don't own a PS/2 one. Oops. :)

I'm thinking of running this on my old laptop now.. I know it can handle it, and it's not doing anything else. We'll see! I suddenly got really busy again. Bah!

http://www.google.com/products/catalog?q=usb+to+ps/2+adapter&hl=en&cid=8787340792746948795&sa=title#p
Title: Re: Hacking competition?
Post by: iago on September 27, 2009, 02:29:00 pm
Now that you mention it, I have several of those in a drawer. I only have two keyboard/mouse sets, though, and both are wireless. It's worth a try, anyways.

If not, I'll just borrow a PS/2 from work. :)
Title: Re: Hacking competition?
Post by: iago on January 10, 2010, 01:42:54 pm
So yeah, I haven't forgotten about this, but I do apologize for the delay. Life's busy and all that, you know?

Anyway, this is all basically set up now. I was thinking, though, instead of doing a straight up competition, what if I give access to the virtual machines to people, give a brief lesson on a tool or two, then let you play around? After some practice, I can set up a proper "competition" for people. Would that work? And, is anybody still interested? :)

The only thing I have left to do is make an OpenVPN server. People who want to play will have to install OpenVPN on their workstation and connect to my server. From there, they will have access to the environment and can do whatever they like in the test network.

So yeah, anybody interested? :)
Title: Re: Hacking competition?
Post by: rabbit on January 10, 2010, 03:52:57 pm
I am.
Title: Re: Hacking competition?
Post by: Blaze on January 10, 2010, 10:53:39 pm
I'd be interested in that lesson with or without the competition.

However, that's not to say I'm not interested in the competition.  :)
Title: Re: Hacking competition?
Post by: deadly7 on January 11, 2010, 09:00:12 am
There's no way I'd win the competition but I'd be interested in learning.
Title: Re: Hacking competition?
Post by: iago on January 11, 2010, 01:06:48 pm
Ok.. just give me some time to learn how to set up an OpenVPN server (if anybody has experience, let me know).