superzanti Posted August 20, 2012 (edited)

Before I start, I should mention that this isn't illegal; I was challenged by a good friend of mine because I've been asking him to teach me how to hack. Anyway, here was the challenge:

You will connect to a network and be presented with a login page. Upon login your MAC address will be recorded and you will have 1 hour of internet access. Your bandwidth will also be capped at 5Mb/s. Your goal is to hack the system to let you stay logged in for longer, and drop the bandwidth cap.

Now, I've determined that the router is located at 10.71.0.1, but typing that in didn't bring me to any router login page. I watched Wireshark for a while while some other people connected, and typed in a few of the IP addresses I saw. Based on what was there, I'm about 90% sure that this system contains an HP MSM7xx, and it seems to be a wireless access point controller.

Then I did some port scans to see if I could find some kind of login page. Here are the open ports:

53 81 444 1194 5432 8081 8082 8091 8092 8093 8094

Now, if I go to each of these ports in my browser (10.71.0.1:port), this is what shows up on each:

53: N/A, webpage not available
81: changes to 10.71.0.1:81/index.asp and displays: "ASP Error IncludeAsp("login_error_message.asp");"
444: N/A, no data received
1194: displays: "Access Error: Site or Page Not Found Cannot open URL"
5432: N/A, no data received
8081: displays the main login page (the one where you click a button and it gives you an hour of access)
8082: N/A, no data received
8091: displays: "-ERR POP3 Please log through your browser first."
8092: displays: "Please log through your browser first."
8093: displays: "421 Service not available. Please log first through HTTP."
8094: displays: "Error Page! Due to the nature of the content, the website you are trying to view is unreachable through this network."
Hmm, I checked exploitdb and it didn't give me any results, but it pushed me a little bit in the right direction, because I started wondering if I even had the right router, or if there might have been some kind of tunnel set up. So, I went through the open ports and started researching them. This is something I typed up real quick:

53 - DNS service
81 - no common service found
444 - SNPP
1194 - OpenVPN
5432 - postgres service
8081 - blackice/sunproxy admin
8082 - blackice alerts
8091 - jamlink
8092 - no common service found
8093 - no common service found
8094 - no common service found

I then checked a few of them that would be easy to check. For example, I wanted to confirm blackice was running on port 8081 and 8082. So in Wireshark, monitoring 10.71.0.1, I did a search for blackice and got several hits. So I think this confirms that blackice is being used. I didn't find any hits for jamlink or sunproxy. I did get one for postgres pointing to postgres.heroku.com.

This is what the scan returned. Looks like I was right about the postgres. As for the others... I'm not too sure.

Nmap scan report for wireless.colubris.com (10.71.0.1)
Host is up (0.0018s latency).
Not shown: 990 closed ports
PORT     STATE    SERVICE    VERSION
22/tcp   filtered ssh
53/tcp   open     domain
80/tcp   filtered http
81/tcp   open     tcpwrapped
443/tcp  filtered https
444/tcp  open     tcpwrapped
5432/tcp open     postgresql PostgreSQL DB 8.2.6 - 8.2.15
8081/tcp open     tcpwrapped
8082/tcp open     tcpwrapped
8093/tcp open     unknown

Okay, so I have no idea what I did, but I ran the scan and got this:

[*] Nmap: Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-08-19 17:43 Mountain Daylight Time
[*] Nmap: Nmap scan report for wireless.colubris.com (10.71.0.1)
[*] Nmap: Host is up (0.0023s latency).
[*] Nmap: Not shown: 990 closed ports
[*] Nmap: PORT     STATE    SERVICE
[*] Nmap: 22/tcp   filtered ssh
[*] Nmap: 53/tcp   open     domain
[*] Nmap: 80/tcp   filtered http
[*] Nmap: 81/tcp   open     hosts2-ns
[*] Nmap: 443/tcp  filtered https
[*] Nmap: 444/tcp  open     snpp
[*] Nmap: 5432/tcp open     postgresql
[*] Nmap: 8081/tcp open     blackice-icecap
[*] Nmap: 8082/tcp open     blackice-alerts
[*] Nmap: 8093/tcp open     unknown
[*] Nmap: MAC Address: 00:25:61:91:80:EF (ProCurve Networking by HP)
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 1.57 seconds

Completely lost my leads. I have no idea what I'm doing now. Any thoughts?

Edited August 20, 2012 by superzanti
Mr-Protocol Posted August 20, 2012

Lots of training opportunities out there.
http://www.offensive-security.com/information-security-training/penetration-testing-with-backtrack/
https://www.derbycon.com/training-courses/
superzanti Posted August 20, 2012 (Author)

Do you have any suggestions to point me in the right direction right now?
digip Posted August 20, 2012 (edited)

Try accessing the same ports over https:// and see if you get any funky certificate errors too (which sometimes divulge server side paths for locally signed certificates), and also do some banner grabbing manually; see if they tell you anything more than what you've already seen with your scans. Some of them might be dummy pages to give you clues, or fake headers. Try manually connecting over telnet, with things like FOO instead of a GET or POST, and also oddball protocols, like CONNECT, and see what they return. Telnet to every open port too; sometimes they just return open listening command shells.

View the source of all pages, even ones giving you errors; they might leave comments or clues to other pages and directories, like style sheet directories in upper paths that disclose what software is in use (i.e. Joomla, Magento, Drupal, etc.). Go to the CSS file if it has one, read through it for comments, remove it in the URL from the / of the path, see if they don't block with 403 Forbidden if it's an upper directory, and if it lists any other files. Try brute forcing directory names, like admin, administrator, login, files, etc., just things people don't think about looking for on sites that have login portals; sometimes you can get in just by knowing where other files are, or finding them by accidental directory probing for things that aren't locked down or require authentication to reach. If you can confirm it's an HP MSM7-whatever, do some googling on it, find if it has default passwords, hard coded back doors or logins, etc.

ASP is usually IIS, but can also be used on any system if they wanted to; it's just a file extension, and could be used to throw you off. But I would probe the ASP pages and try to make them return errors. Any forms you see, try logging in with dummy data and watch in Wireshark where they point to, what returns, cookies, etc.; you might find an SQLi flaw, or even be able to pipe commands into a form if it sends back data you posted in the page. See what kind of web server it is; if it is IIS, what version, if it has LFI and directory traversal flaws; try brute forcing known server directories or the default images with an IIS install to confirm it's IIS, LDAP flaws, etc.

Good tools to use (don't care if anyone says it's script kiddy): Metasploit and Armitage can sometimes show you more than simple nmap scans, and might find more info for you to work from; even if they don't have exploits for the box you are on, they might just give you enough info to lead you down other paths of things to try.

If you are ON the network already and just trying to get into the web portal section, but can see other people connecting, you can also try MITM to see if the site uses sessions, and piggyback your way in via cookie or session stealing via MITM too. If you can see other people's MAC addresses, try faking yours with theirs, then reconnecting and seeing if your expiration time changes, or whatever it is you have to be able to check that. Cloning someone's MAC if they are successfully logged on might be the easiest way to change what you have access to.

Overall, do more recon, do more probing of ports and fuzzing dummy data into open ports that don't return anything until they time out; see what kind of errors you can get it to give you. If he says to do it as a challenge, my thinking is he left you something on purpose to find, so there might be other ways in you just haven't thought of yet. If your friend purposely left a flaw for you to find as a challenge, then it's there. If he's just telling you it's secure and to see if you can break in, well, just keep at it either way; you might surprise him in finding a way in he didn't know of, and he can then plug that hole.

Edited August 20, 2012 by digip
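A worked version of the manual probing digip describes above (odd HTTP verbs, raw banner grabbing, HTTPS certificate inspection), added here as an example that is not code from the thread or from any of the posters. It assumes the target and port list superzanti posted; the banner classification rules and the "portal stub" regex are assumptions drawn from the banners he quoted, and the function names are mine. It runs stand-alone against a live target; the classifier and request builder can be exercised offline.

```python
"""Manual probing of the open ports listed above: send normal and odd HTTP
verbs, grab the banner, classify it, and inspect the TLS certificate. Added
example, not code from the thread; TARGET/PORTS are superzanti's values and
the classifier rules are assumptions drawn from the banners he quoted."""
import re
import socket
import ssl

TARGET = "10.71.0.1"                                  # from the thread
PORTS = (53, 81, 444, 1194, 5432, 8081, 8082, 8091, 8092, 8093, 8094)
VERBS = ("GET", "FOO", "CONNECT")                     # normal, nonsense, odd
# Assumed marker of the captive portal answering in place of the real service
PORTAL_RE = re.compile(
    r"log(?:in)?\s+(?:first\s+)?through\s+(?:your\s+)?(?:browser|HTTP)", re.I)


def build_request(verb, host, path="/"):
    """Minimal HTTP/1.1 request; CONNECT takes host:port, not a path."""
    target = f"{host}:443" if verb == "CONNECT" else path
    return f"{verb} {target} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()


def classify_banner(raw):
    """Guess the protocol from a raw banner and flag captive-portal stubs."""
    text = raw.decode("latin-1")
    first = text.split("\n", 1)[0].strip()
    info = {"first_line": first, "kind": "unknown", "status": None,
            "server": None, "portal_stub": bool(PORTAL_RE.search(text))}
    m = re.match(r"HTTP/\d\.\d\s+(\d{3})", first)
    if m:
        info["kind"], info["status"] = "http", int(m.group(1))
        srv = re.search(r"^Server:\s*(.+?)\s*$", text, re.M | re.I)
        info["server"] = srv.group(1) if srv else None
    elif first.startswith(("+OK", "-ERR")):
        info["kind"] = "pop3"
    elif re.match(r"\d{3}[ -]", first):
        info["kind"] = "smtp/ftp-style"     # three-digit reply code, e.g. 421
    # A stub means the port is intercepted until the MAC is authenticated;
    # the real service (if any) only shows up after a browser login.
    return info


def grab(host, port, payload=b"", timeout=3.0):
    """Connect, optionally send payload, read until the peer closes or goes
    quiet. Returns b"" if the connection fails outright."""
    chunks = []
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return b""
    try:
        if payload:
            sock.sendall(payload)
        while sum(map(len, chunks)) < 65536:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    except OSError:
        pass                  # timeout or reset: keep whatever was read
    finally:
        sock.close()
    return b"".join(chunks)


def inspect_tls(host, port, timeout=3.0):
    """Returns (verify_error, cert_strings): the library's message from a
    normal verifying handshake (the 'funky certificate error' a browser would
    show) or None, plus printable strings from the DER cert (crude 'strings'
    pass; still exposes CN, OU, e-mail and paths baked into home-made certs)."""
    err, strings = None, []
    for verify in (True, False):
        ctx = ssl.create_default_context()
        if not verify:
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    der = tls.getpeercert(binary_form=True) or b""
        except OSError as e:          # ssl.SSLError is an OSError subclass
            if verify:
                err = str(e)          # plain-TCP ports fail here too
            continue
        strings = [s.decode("ascii") for s in re.findall(rb"[ -~]{6,}", der)]
    return err, strings


def main():
    for port in PORTS:
        for verb in VERBS:
            info = classify_banner(grab(TARGET, port, build_request(verb, TARGET)))
            print(f"{port:5d} {verb:8s} {info['kind']:15s} "
                  f"stub={info['portal_stub']!s:5s} {info['first_line'][:60]}")
        err, strings = inspect_tls(TARGET, port)
        if strings:                   # only ports that actually spoke TLS
            print(f"{port:5d} TLS      verify: {err}  cert strings: {strings}")


if __name__ == "__main__":
    main()
```

Run it from the portal network before and after clicking the one-hour button: ports whose banner flips from a "log through your browser first" stub to a real service banner are the ones the MAC-based whitelist gates, and a FOO or CONNECT that returns a different error page than GET usually means a separate front-end (proxy or portal) is answering rather than the service itself. Ports that never spoke TLS produce a verify error like "wrong version number" and no certificate strings, which is expected; pipe the DER through openssl x509 -inform DER -noout -subject -issuer -text if a port does return one.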
superzanti Posted August 20, 2012 (Author)

Wow, that was an awesome reply! Thank you so much. I just wanted to make some updates in case anyone has more ideas: http://i.imgur.com/dPanE.png
superzanti Posted August 20, 2012 (Author)

Well, I just figured out what I was hacking. And I surrendered. It was www.singledigits.net
digip Posted August 21, 2012

By the way, colubris.com is HP. As in, HP.com, the company Hewlett-Packard, owns that domain, so not sure what you were hacking into; I thought it was a friend's "local" LAN, based on the 10.x.x.x address.
superzanti Posted August 21, 2012 (Author)

Yeah, he runs his own apartments; I haven't actually talked to him yet. It's like a 40 person complex. I think the security is managed through someone else.
digip Posted August 21, 2012

> Yeah, he runs his own apartments; I haven't actually talked to him yet. It's like a 40 person complex. I think the security is managed through someone else.

He may have just redirected you via security, and pointed you at the HP network to throw you off..lol
superzanti Posted August 21, 2012 (Author)

You can do that?
telot Posted August 24, 2012

haha, need you even ask? digip rarely gives bad advice 'round these parts, as evidenced above :) Irongeek infamously redirected a "hackme.irongeek.com" back to 127.0.0.1, so anyone trying to attack it would be attacking themselves... pretty hilarious.

telot