Before I start, I should mention that this isn't illegal: I was challenged by a good friend of mine because I've been asking him to teach me how to hack.
Anyway, here was the challenge:
You will connect to a network and be presented with a login page. Upon login your MAC address will be recorded and you will have 1 hour of internet access. Your bandwidth will also be capped at 5Mb/s. Your goal is to hack the system to let you stay logged in for longer, and drop the bandwidth cap.
Now, I've determined that the router is located at:
10.71.0.1
but typing that in didn't bring me to any router login page. I watched Wireshark for a while while some other people connected, and typed in a few of the IP addresses I saw. Based on what was there, I'm about 90% sure that this system contains an:
HP MSM7xx
and it seems to be a wireless access point controller.
Then I did some port scans to see if I could find some kind of login page.
Here are the open ports:
53
81
444
1194
5432
8081
8082
8091
8092
8093
8094
Now, if I go to each of these ports in my browser (10.71.0.1:port), this is what shows up on each:
53: N/A webpage not available
81: changes to 10.71.0.1:81/index.asp and displays: "ASP Error IncludeAsp("login_error_message.asp");"
444: N/A No data received
1194: displays: "Access Error: Site or Page Not Found Cannot open URL"
5432: N/A No data received
8081: displays the main login page (the one where you click a button and it gives you an hour of access)
8082: N/A No data received
8091: displays: "-ERR POP3 Please log through your browser first."
8092: displays: "Please log through your browser first."
8093: displays: "421 Service not available. Please log first through HTTP."
8094: displays: "Error Page! Due to the nature of the content, the website you are trying to view is unreachable through this network."
Hmm, I checked exploitdb and it didn't give me any results, but it pushed me in a little bit of the right direction, because I started wondering if I even had the right router, or if there might have been some kind of tunnel set up.
So, I went through the open ports and started researching them.
This is something I typed up real quick:
53 - DNS service
81 - No common found
444 - SNPP
1194 - OpenVPN
5432 - postgres service
8081 - blackice/sunproxy admin
8082 - blackice alerts
8091 - jamlink
8092 - No common found
8093 - No common found
8094 - No common found
I then checked a few of them that would be easy to check. For example, I wanted to confirm blackice was running on ports 8081 and 8082. So in Wireshark, while monitoring 10.71.0.1, I did a search for blackice and got several hits. So I think this confirms that blackice is being used. I didn't find any hits for jamlink or sunproxy. I did get one for postgres pointing to postgres.heroku.com.
This is what the scan returned. Looks like I was right about the postgres. As for the others... I'm not too sure.
Nmap scan report for wireless.colubris.com (10.71.0.1)
Host is up (0.0018s latency).
Not shown: 990 closed ports
PORT STATE SERVICE VERSION
22/tcp filtered ssh
53/tcp open domain
80/tcp filtered http
81/tcp open tcpwrapped
443/tcp filtered https
444/tcp open tcpwrapped
5432/tcp open postgresql PostgreSQL DB 8.2.6 - 8.2.15
8081/tcp open tcpwrapped
8082/tcp open tcpwrapped
8093/tcp open unknown
Okay, so I have no idea what I did, but I ran the scan and got this:
[*] Nmap: Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-08-19 17:43 Mountain Daylight Time
[*] Nmap: Nmap scan report for wireless.colubris.com (10.71.0.1)
[*] Nmap: Host is up (0.0023s latency).
[*] Nmap: Not shown: 990 closed ports
[*] Nmap: PORT STATE SERVICE
[*] Nmap: 22/tcp filtered ssh
[*] Nmap: 53/tcp open domain
[*] Nmap: 80/tcp filtered http
[*] Nmap: 81/tcp open hosts2-ns
[*] Nmap: 443/tcp filtered https
[*] Nmap: 444/tcp open snpp
[*] Nmap: 5432/tcp open postgresql
[*] Nmap: 8081/tcp open blackice-icecap
[*] Nmap: 8082/tcp open blackice-alerts
[*] Nmap: 8093/tcp open unknown
[*] Nmap: MAC Address: 00:25:61:91:80:EF (ProCurve Networking by HP)
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 1.57 seconds
Completely lost my leads. I have no idea what I'm doing now. Any thoughts?
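The post compares what the browser shows on each port with the names nmap prints in its SERVICE column. In a plain scan (the second run above) that column is just a lookup of the port number in nmap's nmap-services table, which is why 8081 reads "blackice-icecap" and 444 reads "snpp"; only a version scan (`-sV`, which is where the "PostgreSQL DB 8.2.6 - 8.2.15" line came from) looks at the bytes a port actually sends. The script below is an added example, not code from the original post: it grabs the raw banner from each listed port and classifies it by the protocol it speaks, and it is run here against constructed responses modelled on the text the poster saw (the "-ERR POP3" and "421 Service not available" replies, the ASP error page, a silent port). The host 10.71.0.1 and the port list are taken from the post; the probe request and classification rules are my own assumptions.

```python
import socket

# Ports the original post found open on 10.71.0.1 (from the post, not verified here).
HOST = "10.71.0.1"
PORTS = [53, 81, 444, 1194, 5432, 8081, 8082, 8091, 8092, 8093, 8094]

# A minimal HTTP request; a browser sends roughly this, and non-HTTP services
# usually answer it with their own protocol's error text or say nothing.
HTTP_PROBE = b"GET / HTTP/1.0\r\nHost: 10.71.0.1\r\n\r\n"


def classify_banner(data: bytes) -> str:
    """Guess the protocol from the first line a port sends back.

    This is deliberately independent of the port number: nmap's SERVICE
    column in a non-version scan is only a port-number table lookup.
    """
    first = data.decode("latin-1").split("\r\n", 1)[0].strip()
    if first.startswith("HTTP/"):
        return "http"               # a real web server / captive-portal page
    if first.startswith(("+OK", "-ERR")):
        return "pop3"               # POP3 reply syntax
    if first[:3].isdigit() and (len(first) == 3 or first[3] in " -"):
        return "smtp-like"          # 3-digit reply code, e.g. "421 Service not available"
    if not first:
        return "silent"             # accepted the connection but sent nothing
    return "unknown"


def grab_banner(host: str, port: int, timeout: float = 3.0) -> bytes:
    """Connect, send the HTTP probe and read up to 4 KiB of whatever comes back."""
    chunks, total = [], 0
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(HTTP_PROBE)
        try:
            while total < 4096:
                chunk = s.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
                total += len(chunk)
        except socket.timeout:
            pass
    return b"".join(chunks)


# Constructed sample responses modelled on what the post reports seeing in the
# browser; these are not captures from the real controller.
SAMPLES = {
    81: b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
        b"ASP Error IncludeAsp(\"login_error_message.asp\");",
    444: b"",
    8091: b"-ERR POP3 Please log through your browser first.\r\n",
    8092: b"Please log through your browser first.\r\n",
    8093: b"421 Service not available. Please log first through HTTP.\r\n",
}


def classify_samples() -> dict:
    """Classify the constructed samples; same code path as a live probe."""
    return {port: classify_banner(data) for port, data in SAMPLES.items()}


def probe_all(host: str = HOST, ports: list = PORTS) -> dict:
    """Live version: banner-grab every listed port on the controller."""
    results = {}
    for port in ports:
        try:
            results[port] = classify_banner(grab_banner(host, port))
        except OSError as exc:
            results[port] = f"error: {exc}"
    return results


if __name__ == "__main__":
    # Offline run over the constructed samples:
    for port, guess in sorted(classify_samples().items()):
        print(f"{port:>5}  {guess}")
    # On the challenge network, replace the line above with:
    #   for port, guess in sorted(probe_all().items()): print(port, guess)
```

On the sample data this labels 8091 as POP3 and 8093 as an SMTP-style reply rather than "jamlink" or "unknown": both answer an unauthenticated client with a mail-protocol error telling it to log in through the browser, which is consistent with the captive-portal login page served on 8081 and says nothing about BlackICE or a pager service. Running `probe_all()` on the actual network would show whether the real banners match.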