superzanti Posted August 20, 2012 (edited)

Before I start, I should mention that this isn't illegal; I was challenged by a good friend of mine because I've been asking him to teach me how to hack. Anyway, here was the challenge:

You will connect to a network and be presented with a login page. Upon login your MAC address will be recorded and you will have 1 hour of internet access. Your bandwidth will also be capped at 5Mb/s. Your goal is to hack the system to let you stay logged in for longer, and drop the bandwidth cap.

Now, I've determined that the router is located at 10.71.0.1, but typing that in didn't bring me to any router login page. I watched Wireshark for a while while some other people connected, and typed in a few of the IP addresses I saw. Based on what was there, I'm about 90% sure that this system contains an HP MSM7xx, and it seems to be a wireless access point controller.

Then I did some port scans to see if I could find some kind of login page. Here are the open ports:

53
81
444
1194
5432
8081
8082
8091
8092
8093
8094

Now, if I go to each of these ports in my browser (10.71.0.1:port), this is what shows up on each:

53: N/A webpage not available
81: changes to 10.71.0.1:81/index.asp and displays: "ASP Error IncludeAsp("login_error_message.asp");"
444: N/A No data received
1194: displays: "Access Error: Site or Page Not Found Cannot open URL"
5432: N/A No data received
8081: displays the main login page (the one where you click a button and it gives you an hour of access)
8082: N/A No data received
8091: displays: "-ERR POP3 Please log through your browser first."
8092: displays: "Please log through your browser first."
8093: displays: "421 Service not available. Please log first through HTTP."
8094: displays: "Error Page! Due to the nature of the content, the website you are trying to view is unreachable through this network."
Hmm, I checked exploitdb and it didn't give me any results, but it pushed me in a little bit of the right direction, because I started wondering if I even had the right router, or if there might have been some kind of tunnel set up. So, I went through the open ports and started researching them. This is something I typed up real quick:

53 - DNS service
81 - No common found
444 - SNPP
1194 - OpenVPN
5432 - postgres service
8081 - blackice/sunproxy admin
8082 - blackice alerts
8091 - jamlink
8092 - No common found
8093 - No common found
8094 - No common found

I then checked a few of them that would be easy to check. For example, I wanted to confirm blackice was running on ports 8081 and 8082. So in Wireshark, monitoring 10.71.0.1, I did a search for blackice and got several hits. So I think this confirms that blackice is being used. I didn't find any hits for jamlink or sunproxy. I did get one for postgres pointing to postgres.heroku.com.

This is what the scan returned. Looks like I was right about the postgres. As for the others... I'm not too sure.

Nmap scan report for wireless.colubris.com (10.71.0.1)
Host is up (0.0018s latency).
Not shown: 990 closed ports
PORT     STATE    SERVICE    VERSION
22/tcp   filtered ssh
53/tcp   open     domain
80/tcp   filtered http
81/tcp   open     tcpwrapped
443/tcp  filtered https
444/tcp  open     tcpwrapped
5432/tcp open     postgresql PostgreSQL DB 8.2.6 - 8.2.15
8081/tcp open     tcpwrapped
8082/tcp open     tcpwrapped
8093/tcp open     unknown

Okay, so I have no idea what I did, but I ran the scan and got this:

[*] Nmap: Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-08-19 17:43 Mountain Daylight Time
[*] Nmap: Nmap scan report for wireless.colubris.com (10.71.0.1)
[*] Nmap: Host is up (0.0023s latency).
[*] Nmap: Not shown: 990 closed ports
[*] Nmap: PORT     STATE    SERVICE
[*] Nmap: 22/tcp   filtered ssh
[*] Nmap: 53/tcp   open     domain
[*] Nmap: 80/tcp   filtered http
[*] Nmap: 81/tcp   open     hosts2-ns
[*] Nmap: 443/tcp  filtered https
[*] Nmap: 444/tcp  open     snpp
[*] Nmap: 5432/tcp open     postgresql
[*] Nmap: 8081/tcp open     blackice-icecap
[*] Nmap: 8082/tcp open     blackice-alerts
[*] Nmap: 8093/tcp open     unknown
[*] Nmap: MAC Address: 00:25:61:91:80:EF (ProCurve Networking by HP)
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 1.57 seconds

Completely lost my leads. I have no idea what I'm doing now. Any thoughts?

Edited August 20, 2012 by superzanti