To add clarification.  No one was able to penetrate / exploit my Windows 7 
machine.

Here's how I had configured the machine.

Windows 7 Ultimate 64 bit edition default install

o   Built-in administrator and guest accounts are disabled by default

o   Initial user account created is a local administrator

o   Machine was setup on home network and joined to a Home Group

§  Shared printers, documents, video and music with other computers in the Home 
Group (verified access)

§  Setup and configured Media Center to communicate with other Media Center 
devices in the home (both as source and target)

o   Remote Assistance and Remote Desktop were enabled

o   Microsoft Security Essentials was installed

o   Foxit PDF Reader 4.2 was installed

o   All the latest hotfixes and patches were applied

o   Set the password using a 20 character passphrase that used lower case, 
upper case, a number and a special character

o   Left all other security settings at default values (User Account Control, 
Firewall, etc.)

When I connected to the WiFi at Gangplank, I configured the network connection 
as a Public network and did nothing else.

I had no additional firewall software installed on the computer.

I would be more than happy to bring the laptop to the next Open Lab session at 
Gangplank in November to be a flag again.

Harold Wong
IT Pro Evangelist | US Developer & Platform Evangelism - West Region
Office: (425) 706-3501 | Blog: 
blogs.technet.com/haroldwong<http://blogs.technet.com/haroldwong>
MCITP Server Administrator | MCITP Enterprise Administrator | MCITP Enterprise 
Messaging Administrator 2007 / 2010

From: [email protected] 
[mailto:[email protected]] On Behalf Of Judd Pickell
Sent: Wednesday, October 13, 2010 6:43 AM
To: Main PLUG discussion list
Cc: [email protected]
Subject: Re: HackFest - Review of Harold Wong's Presentation as a Windows 7 
flag:

Sorry, but I am a bit confused. You were or were not able to run an exploit on 
his machine?

Sincerely,
Judd Pickell
On Tue, Oct 12, 2010 at 7:11 PM, Lisa Kachold 
<[email protected]<mailto:[email protected]>> wrote:
We promised various people that we would be following up the a real blow by 
blow of our exploit of Harold Wong's Windows 7 machine.

It's published over on hackfest.obnosis.com<http://hackfest.obnosis.com> under:
Home<http://www.it-clowns.com/y/> » Flags Captured October 
2<http://www.it-clowns.com/y/node/4> » CTF - Microsoft Powershell 
<http://www.it-clowns.com/y/node/5>


<please register to share files, get updates and accept our "terms of service".>

Possible ways to attach Harold Wong's Windows 7:

Network port attack vector:
Open ports:

3389
2638

Using RDP we could do either a RDP MITM attack or a Hydra dictionary attack to 
the listening service itself.

Example RDP MITM:
http://www.irongeek.com/i.php?page=videos/cain-rdp-terminal-server-mitm-...<http://www.irongeek.com/i.php?page=videos/cain-rdp-terminal-server-mitm-sniff>

Should get RDP Windows7 via MITM if possible with loose encryption in a real 
world situation where RDP traffic connections were working which we could arp 
cache poison.

Just having the port open we would have to do a hydra dictionary attack, and 
Harold informed us that he used secure passwords.

Therefore the only real attack vector we ever had open was social engineering 
to get him to click on an exploit delivered via insecure file sharing.

Sending a Kaseya agent, liveperson cookie, or metasploit payload via pdf in 
mail after getting assurance of his willingness to open it by asking him to 
look at it attached to email.

In the real world test Lisa Kachold delivered a pdf exploiting Adobe, but since 
Harold Wong wisely doesn't use Adobe for his pdf's, it failed.

No-one crafted nor delivered a RDP "package" for email delivery, which would 
have worked best: 
http://www.gnucitizen.org/blog/remote-desktop-command-fixation-attacks/

Additionally, we might have to obfuscate, in a real world situation, code in 
our pdf, or it will not be accepted as an attachment in Gmail. If Harold Wong 
was using Microsoft Outlook directly to a MS based Mail Transport Authority, we 
have a better chance of getting our PDF accepted, depending on spam/virus 
protection.

Harold Wong used a regular user desktop, without file sharing available, 
configured for the "Internet Zone" without additional firewall or virus 
checking add-ons.

No flags were delivered by our team for Harold Wong.*
So, as heretic as it might seem, this completely debugs the myth that 
"Microsoft 7 out of the box is more secure than Linux".

hide everyone - here comes the fallout
--
Skype: 6022393392
Fax:     6233211450
ATT:     5037544452
Phoenix Linux Security Team<http://plug.phoenix.az.us/gangplank>

http://www.it-clowns.com

"Great things are not done by impulse but a series of small things brought 
together." -Van Gogh
















---------------------------------------------------
PLUG-discuss mailing list - 
[email protected]<mailto:[email protected]>
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss

---------------------------------------------------
PLUG-discuss mailing list - [email protected]
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss

Reply via email to