
Firewall Breach


Clarence


Hello, I am new to this forum and I work for a school district as a pen tester. We use a firewall called IBoss, and we had a student crack it to gain access to otherwise restricted sites, and I am not able to recreate how the student worked around the firewall. I need some help on creating a breach within the IBoss system.

 

 

Thank you 

Clarence

Link to comment
Share on other sites

Forgive the scepticism but this is a variant of the "how do I hack my wife's Facebook account?". We have no idea who you are, whether you have permission to do what you are doing or anything else.

My generic suggestions would be to check the logs, check the config for anything that appears to be more open than it's supposed to be and try asking the student, he may be happy to boast about how he did it in return for a less harsh penalty.

Link to comment
Share on other sites

We have asked the student and we have tried to screen cap a Chromebook during the process, but he uses a USB Rubber Ducky to make the process much, much quicker, so fast in fact the screen cap was not able to pick it up. I have tried my own attempt at what this kid can do but he is one step ahead of me.

Link to comment
Share on other sites

1 minute ago, Clarence said:

We can't. We would need a warrant to be able to take the ducky and read the script. By state law we as a school are not able to do such actions without defeat cause and a statement from our D.A.

Really? So if a student breaches your school's security, and in such breaks the Acceptable Use Policy that you would have gotten them and their parent to sign, you cannot confiscate the equipment they used to do so, even if by their actions they could be breaking data protection laws?

While I am not based in the US, and am not a lawyer, I do work with schools, and we have had similar attempts. I am EXTREMELY sceptical of your statements here...

Link to comment
Share on other sites

Yes, the students did have a contract, but the school district left out the part of trying to breach the firewall or other systems to try and make it easier on me: having the students create the breach, then we patch it out by watching their screen on how to do it, or asking them. But the student that uses the ducky is able to walk up to any Chromebook and run the script, and all we see is a HID keyboard was attached, and our systems don't log keystrokes but it does log usage over the network.

Link to comment
Share on other sites

They deliberately left out a part that said the students couldn't attack your network to make the job of a pen tester easier.

Your first message sounded suspicious, this is now incompetent and suspicious.

Link to comment
Share on other sites

21 minutes ago, Clarence said:

Yes, the students did have a contract, but the school district left out the part of trying to breach the firewall or other systems to try and make it easier on me: having the students create the breach, then we patch it out by watching their screen on how to do it, or asking them. But the student that uses the ducky is able to walk up to any Chromebook and run the script, and all we see is a HID keyboard was attached, and our systems don't log keystrokes but it does log usage over the network.

Bull. Absolute bull.

 

They can have an AUP that covers everything, and then give you a letter of marque to let you do your job, like they do with EVERY OTHER PENTESTING JOB EVER.


 

Link to comment
Share on other sites

3 hours ago, Clarence said:

I know it's stupid. I tried to warn them if something were to happen like this. Their reasoning behind it was so we don't have to pay you as much

...

 

Stop. Just stop.

You are paid to do a job, they don't have to pay you less due to leaving out part of an AUP.

At this point I am convinced you are lying, and are a student trying to get around a firewall in your school by having us write a script for a USB Rubber Ducky for you.

Edited by Rkiver
Link to comment
Share on other sites

Quote

 I work for a school district as a pen tester.

Ok.

Quote

We use a firewall called IBoss

Who is "we"? Because "you" the pentester, aren't the one who secures the network (generally), you're the one who breaks and tests the network, then make recommendations on what to fix to the IT and Security team for the organization. If you are running iboss, and not "they" are running iboss, these are 2 different things. Who's in charge of the network? Are you the IT person who is implementing the network setup, part of the NOC/SOC, etc?

Quote

 I am not able to recreate how the student worked around the firewall

What difference does it matter how it happened? Will recreating it change anything? Sure, helps when patching, but if there is a hole, find the hole, patch the hole. You're the "pentester", hired to find weaknesses in the system. If "we" set this up, then "we" should double check and test our setup. I'd bet money, there are probably multiple ways around this firewall restriction, so knowing how the student did it, is only one of them.

If you are in fact the person in charge of the network, vs some outside contractor hired to break into and test the network, then you should have intimate knowledge of the firewall, the network topology, client and server machines, their setup configurations, permissions on the network, shares, etc, and where to start filtering and checking things, applying DNS and proxy filtering, vlans, etc.

While it should be trivial in most cases with tunneling or VPNs to bypass most of this stuff on the firewall, if the kid is abusing the network, you DO NOT LET THE KID BACK ON THE NETWORK, and revoke their privileges. If any abuse of a network, even if not explicitly listed in student agreement/policy for "bypassing the firewall" as a rule, should surely have something that states privilege access granted, but not a right, and abuse of, can be taken away.

As school staff for the IT team, even if just one person, you should have intimate knowledge of your perimeter and the network setup, and if you don't, there are probably way more pressing issues to fix, vs one kid bypassing the firewall.

What is the network sign-in policy, how do they get access to the network, are they proxied natively so they can't access DNS and outside sites, what prevents anyone from plugging into the network with BYOD, rogue APs, etc. Either this network is wide open, or you're not telling us the whole story, or as others said, total BS.

This doesn't pass the smell test, and most pentesters, won't discuss client info on an open forum, as they probably have an NDA in most cases. Not saying it's 100% fabricated lie, sure, many schools have clueless network admins who are often at the mercy of the students, or just school staff/teachers/office personnel left to set this up, but if they can hire a "pen tester", they can surely hire a network admin and some IT people who know what is up with their network. You are either in over your head or should just come out and state you're trying to bypass the IBoss firewall.

Link to comment
Share on other sites

5 hours ago, digininja said:

Confiscate the ducky and read the script.

This.

Sorry, I don't believe for a moment that you aren't allowed to confiscate it. Schools are well within their rights to confiscate mobile phones, knives, and anything else they deem unsafe, inappropriate or a breach of their rules. The Rubber Ducky falls within this.

Link to comment
Share on other sites

The needle on the bullshit meter just flew off.  Having worked and occasionally still work for school districts in the US, I can say that yes, the school can confiscate anything that a student uses on school property that damages the property.  The network is school property.

Link to comment
Share on other sites

7 minutes ago, haze1434 said:

This.

Sorry, I don't believe for a moment that you aren't allowed to confiscate it. Schools are well within their rights to confiscate mobile phones, knives, and anything else they deem unsafe, inappropriate or a breach of their rules. The Rubber Ducky falls within this.

I can't tell you how many things teachers used to confiscate from us growing up, from radios and Walkmans, to pen knives and such (today you'd probably be arrested for a small pen knife, but we all had them as kids when I was growing up), teachers never thought twice about confiscating stuff and tossing it in their drawer. They kept them locked up, you got it back at the end of the year.

I don't think they have a right to search your cell or other devices, and even legally, you would probably need a warrant, but they can certainly take it and hold it till parents come get it or better yet, turn it over to police depending on what was done.

Link to comment
Share on other sites

By the way, does this look like a pentester, or some kids?

https://twitter.com/jonbush1234

Where the profile pic for "Clarence" comes from. https://twitter.com/jonbush1234/status/914948133163061249 looks like maybe Mr "Clarence" needs help learning how to use his new rubber ducky.

 

@Clarence will the real slim shady please stand up - https://www.twitch.tv/videos/173897157

 

After some digging, looks like he is 15yrs old, born in 2002. How long before a thread lock? I think he's suffered enough...

Edited by digip
Link to comment
Share on other sites

1 hour ago, digip said:

How long before a thread lock? I think he's suffered enough...

Yes, that's enough. Don't want to discourage him from life :) just from pretending to be things he's not and from doing things he shouldn't! lol

Edited by Just_a_User
Link to comment
Share on other sites

Just now, UnLo said:

*smashes desk 

Of course I would finish my popcorn Before getting to this. 

 

* wishes I had another buttery bag 

It was a good SE attempt I guess. Albeit, failed attempt. I think had he known what admins do and things in place, the ruse would have been a bit more elaborate, but that could also have made it even more fishy, given a penetration test would more than likely be confidential. I had fun just sleuthing out his info though, which was pretty easy given his digital footprint.

Link to comment
Share on other sites

Sorry about the guys. I am head of the I.T. department from the School District. Clarence was claiming to be an admin, and I have revoked his USB Rubber Ducky, LAN Turtle and Bash Bunny from his person, and thank you for linking me his Twitch that we have been trying to find, and he's going to be getting a pension for some of the stuff that he's titled it streams

 

 

thank you very much Joe S

 

Link to comment
Share on other sites

1 hour ago, Joe S said:

Sorry about the guys. I am head of the I.T. department from the School District. Clarence was claiming to be an admin, and I have revoked his USB Rubber Ducky, LAN Turtle and Bash Bunny from his person, and thank you for linking me his Twitch that we have been trying to find, and he's going to be getting a pension for some of the stuff that he's titled it streams

 

 

 

thank you very much Joe S

 

So we've had Eminem, Slim Shady... and this would be Marshall Mathers?

https://getyarn.io/yarn-clip/ba393c1f-4166-443c-9f8c-5cb380b26ecf#SyInJJbNa-.copy

Edited by Michael Weinstein
Gratuitous Hackers movie reference.
Link to comment
Share on other sites

This topic is now closed to further replies.