Hacking Network


superzanti

Before I start, I should mention that this isn't illegal, I was challenged by a good friend of mine because I've been asking him to teach me how to hack.

Anyway, here was the challenge:

You will connect to a network and be presented with a login page. Upon login your MAC address will be recorded and you will have 1 hour of internet access. Your bandwidth will also be capped at 5Mb/s. Your goal is to hack the system to let you stay logged in for longer, and drop the bandwidth cap.

Now, I've determined that the router is located at:

10.71.0.1

but typing that in didn't bring me to any router login page. I watched Wireshark for a while while some other people connected, and typed in a few of the IP addresses I saw. Based on what was there, I'm about 90% sure that this system contains an:

HP MSM7xx

and it seems to be a wireless access point controller.

Then I did some port scans to see if I could find some kind of login page.

here are the open ports:

53
81
444
1194
5432
8081
8082
8091
8092
8093
8094

Now, if I go to each of these ports in my browser (10.71.0.1:port), this is what shows up on each:

53: N/A webpage not available
81: changes to 10.71.0.1:81/index.asp and displays: "ASP Error IncludeAsp("login_error_message.asp");"
444: N/A No data received
1194: displays: "Access Error: Site or Page Not Found Cannot open URL"
5432: N/A No data received
8081: displays the main login page (the one where you click a button and it gives you an hour of access)
8082: N/A No data received
8091: displays: "-ERR POP3 Please log through your browser first."
8092: displays: "Please log through your browser first."
8093: displays: "421 Service not available. Please log first through HTTP."
8094: displays: "Error Page! Due to the nature of the content, the website you are trying to view is unreachable through this network."

Hmm, I checked exploitdb and it didn't give me any results, but it pushed me in a little bit of the right direction, because I started wondering if I even had the right router, or if there might have been some kind of tunnel set up.

So, I went through the open ports and started researching them.

This is something I typed up real quick:

53 - DNS service
81 - No common found
444 - SNPP
1194 - OpenVPN
5432 - postgres service
8081 - blackice/sunproxy admin
8082 - blackice alerts
8091 - jamlink
8092 - No common found
8093 - No common found
8094 - No common found

I then checked a few of them that would be easy to check. For example, I wanted to confirm blackice was running on port 8081 and 8082. So in wireshark, and monitoring 10.71.0.1, I did a search for blackice and got several hits. So I think this confirms that blackice is being used. I didn't find any hits for jamlink or sunproxy. I did get one for postgres pointing to postgres.heroku.com.

This is what the scan returned. Looks like I was right about the postgres. As for the others... I'm not too sure.

Nmap scan report for wireless.colubris.com (10.71.0.1)
Host is up (0.0018s latency).
Not shown: 990 closed ports
PORT STATE SERVICE VERSION
22/tcp filtered ssh
53/tcp open domain
80/tcp filtered http
81/tcp open tcpwrapped
443/tcp filtered https
444/tcp open tcpwrapped
5432/tcp open postgresql PostgreSQL DB 8.2.6 - 8.2.15
8081/tcp open tcpwrapped
8082/tcp open tcpwrapped
8093/tcp open unknown

Okay, so I have no idea what I did, but I ran the scan and got this:

[*] Nmap: Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-08-19 17:43 Mountain Daylight Time
[*] Nmap: Nmap scan report for wireless.colubris.com (10.71.0.1)
[*] Nmap: Host is up (0.0023s latency).
[*] Nmap: Not shown: 990 closed ports
[*] Nmap: PORT STATE SERVICE
[*] Nmap: 22/tcp filtered ssh
[*] Nmap: 53/tcp open domain
[*] Nmap: 80/tcp filtered http
[*] Nmap: 81/tcp open hosts2-ns
[*] Nmap: 443/tcp filtered https
[*] Nmap: 444/tcp open snpp
[*] Nmap: 5432/tcp open postgresql
[*] Nmap: 8081/tcp open blackice-icecap
[*] Nmap: 8082/tcp open blackice-alerts
[*] Nmap: 8093/tcp open unknown
[*] Nmap: MAC Address: 00:25:61:91:80:EF (ProCurve Networking by HP)
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 1.57 seconds

Completely lost my leads. I have no idea what I'm doing now. Any thoughts?

Edited by superzanti
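As an added example (my own script, not something from the thread), a small Python parser for the Nmap output quoted above that reconciles the scan's open ports against the list the original poster found by browsing to 10.71.0.1:port, so the two views can be compared line by line rather than by eye. The sample input is a constructed excerpt of the Metasploit-wrapped Nmap lines from the post.

```python
import re

# Constructed excerpt of the "[*] Nmap:" output quoted in the post above.
NMAP_OUTPUT = """\
[*] Nmap: Not shown: 990 closed ports
[*] Nmap: PORT STATE SERVICE
[*] Nmap: 22/tcp filtered ssh
[*] Nmap: 53/tcp open domain
[*] Nmap: 80/tcp filtered http
[*] Nmap: 81/tcp open hosts2-ns
[*] Nmap: 443/tcp filtered https
[*] Nmap: 444/tcp open snpp
[*] Nmap: 5432/tcp open postgresql
[*] Nmap: 8081/tcp open blackice-icecap
[*] Nmap: 8082/tcp open blackice-alerts
[*] Nmap: 8093/tcp open unknown
[*] Nmap: MAC Address: 00:25:61:91:80:EF (ProCurve Networking by HP)
"""

# Ports the poster found open by hand (the list near the top of the post).
BROWSER_PORTS = {53, 81, 444, 1194, 5432, 8081, 8082, 8091, 8092, 8093, 8094}

# Matches "<port>/<proto> <state> <service>" with or without the "[*] Nmap: "
# wrapper prefix, so plain Nmap output parses the same way.
LINE_RE = re.compile(r"^(?:\[\*\] Nmap: )?(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_nmap(text):
    """Return {port: (state, service)} for every port line in the output."""
    ports = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ports[int(m.group(1))] = (m.group(3), m.group(4))
    return ports


def reconcile(scan, observed):
    """Compare the scan's open ports with ports observed some other way."""
    open_ports = {p for p, (state, _) in scan.items() if state == "open"}
    return {
        "confirmed": sorted(open_ports & observed),      # both agree
        "observed_only": sorted(observed - open_ports),  # reachable by browser, absent from scan
        "scan_only": sorted(open_ports - observed),      # scan found, not yet looked at
        "filtered": sorted(p for p, (state, _) in scan.items() if state == "filtered"),
    }


if __name__ == "__main__":
    for key, value in reconcile(parse_nmap(NMAP_OUTPUT), BROWSER_PORTS).items():
        print(f"{key:14s} {value}")
```

The "observed_only" bucket here is 1194 and 8091-8094: since the scan reports 10 ports plus 990 closed, it covered 1,000 ports, so a port the browser reached but the scan never listed was most likely outside the scanned set rather than closed, which is the kind of discrepancy that makes leads look "lost".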

Try accessing the same ports over https:// and see if you get any funky certificate errors too (which sometimes divulge server-side paths for locally signed certificates), and also do some banner grabbing manually, see if they tell you anything more than what you already seen with your scans. Some of them might be dummy pages to give you clues, or fake headers. Try manually connecting over telnet, with things like FOO instead of a GET or POST, and also oddball protocols, like CONNECT, see what they return. Telnet to every open port too, sometimes they just return open listening command shells.

View the source of all pages, even ones giving you errors, they might leave comments or clues to other pages and directories, like style sheet directories in upper paths that disclose what software is in use (i.e. Joomla, Magento, Drupal, etc.), go to the css file if it has one, read through it for comments, remove it in the URL from the / of the path, see if they don't block with 403 forbidden if it's an upper directory, and if it lists any other files. Try brute forcing directory names, like admin, administrator, login, files, etc, just things people don't think about looking for on sites that have login portals, sometimes you can get in just by knowing where other files are or finding them by accidental directory probing for things that aren't locked down or require authentication to reach. If you can confirm it's an HP MSM7 whatever, do some googling on it, find if it has default passwords, hard coded back doors or logins, etc.

ASP is usually IIS, but can also be used on any system if they wanted to, it's just a file extension, and could be used to throw you off, but I would probe the asp pages and try to make them return errors, any forms you see, try logging in with dummy data and watch in Wireshark where they point to, what returns, cookies, etc, might find a SQLi flaw, or even be able to pipe commands into a form if it's sending back data you posted in the page. See what kind of web server it is, if it is IIS, what version, if it has LFI and directory traversal flaws, try brute forcing known server directories or the default images with an IIS install to confirm it's IIS, LDAP flaws, etc.

Good tools to use, don't care if anyone says it's script kiddie, Metasploit and Armitage can sometimes show you more than simple nmap scans, and might find more info for you to work from, even if they don't have exploits for the box you are on, might just give you enough info to lead you down other paths of things to try.

If you are ON the network already and just trying to get into the web portal section but can see other people connecting, can also try MITM to see if the site uses sessions, and piggyback your way in via cookie or session stealing via MITM too. If you can see other people's MAC addresses, try faking yours with theirs, then reconnecting and seeing if your expiration time changes or whatever it is you have to be able to check that. Cloning someone's MAC if they are successfully logged on might be the easiest way to change what you have access to.

Overall, do more recon, do more probing of ports and fuzzing dummy data into open ports that don't return anything until they time out, see what kind of errors you can get it to give you. If he says to do it as a challenge, my thinking is he left you something on purpose to find, so there might be other ways in you just haven't thought of yet. If your friend purposely left a flaw for you to find as a challenge, then it's there. If he's just telling you it's secure and to see if you can break in, well, just keep at it either way, might surprise him in finding a way in he didn't know of, and he can then plug that hole.

Edited by digip

By the way, colubris.com is HP. As in, HP.com, the company Hewlett-Packard, owns that domain, so not sure what you were hacking into, I thought it was a friend's "local" LAN, based on the 10.x.x.x. address.


Yeah, he runs his own apartments, I haven't actually talked to him yet. It's like a 40 person complex. I think the security is managed through someone else.

He may have just redirected you via security, and pointed you at the HP network to throw you off... lol

Haha, need you even ask? digip rarely gives bad advice 'round these parts, as evidenced above :) Irongeek infamously redirected a "hackme.irongeek.com" back to 127.0.0.1, so anyone trying to attack it would be attacking themselves... pretty hilarious.

telot
