2010
04.05

HackUS 1st Edition… Complete Success!

This past weekend’s CTF event, hosted at Sherbrooke University and organized by the crew of HackUS.org, was a complete success in my opinion, from the warm (and unexpected) welcome right down to the ambiance and the food provided. This being my first ever participation in this type of event, I must say I wasn’t disappointed at all.

The battle ground HackUS provided us was exceptionally well made. All teams had lots of room to set up shop; we had meals provided for us during the whole event. Alcoholic beverages were available. As a whole, these guys organized one hell of a party. We had the standard CTF event, a Web CTF, some trivia/crypto puzzles to solve and web level-ups. Some reverse engineering, a botnet to analyze and in the end even a game of open-arena… It had everything for everyone. No complaints; nothing more was needed.

As for our performance, well, we didn’t fare too well compared to the other teams. 10 teams participated, and we finished 9th overall. Still not bad for 2 guys looking to score at least 1 point… We got 60 in the end. I even got a bonus gift… an $85 ticket for smoking near a public building.

Day 1:

We arrive at the hotel in Sherbrooke at around 15h00. After the 2-hour drive, a well-deserved shower is taken.
Then I decide to warm up for the upcoming activities.

It all started with registration and the warm welcome (which gave me performance anxiety) from the HackUS crew. We were led to our table and then started to plug in our gear. Seeing as this was our first time at such an event, we may have brought too much gear.

We’re given instructions on how things work, and we’re let loose on the network…
I of course, get another beer.

Day 2:

After 4 hours of sleep, I drag my skinny a** out of bed and head back to face the war zone once more. After taking a wrong turn on the highway, I eventually got to the Sherbrooke University campus. Got a few points, talked to some great people and had more beer.

Day 3:

This one was rough. After two days away from home, I was starting to miss my own bed and pillow. We got a few more points in, but by this time we were out of ideas and stuck in 9th place.

Around 15h00 that afternoon, it was the end. Prizes were given out, pictures were taken and hands were shaken. All of this with the presence of beer.

So as a whole, this weekend was great. We now know what such an event looks and feels like. We’ll be better prepared for next year’s HackUS CTF.
Good job guys. You guys should be proud.

2010
04.02

Ettercap command line basics

Odds are this topic has been blogged to death already, but sometimes I need to write things down so as not to forget them. Also, there are times when the command line is the only option. Then again, in my opinion, one should start with the command line and only then move on to GUI applications.

Ettercap is a tool for computer network protocol analysis and security auditing. It’s capable of intercepting traffic, capturing credentials and conducting active “eavesdropping” against a number of common protocols. If you wish to know more, Google “Ettercap” and you’ll find lots of links referring to this tool.

Using Ettercap is a quicker and easier alternative than using the “arp” command to ARP-poison your target(s), redirect their traffic to your own network adapter, and then re-forward those packets to their original destination. Still, it’s always good to be aware of and able to use the “arp” command, seeing that every situation is different and Ettercap may not always be available.

Imagine a simple scenario: Computer A, on the local LAN, connects to Computer B using the FTP protocol to retrieve a file. Our goal is to sniff the traffic between these two computers and retrieve either the username and password or the file being transferred over FTP. To accomplish this we need to “ARP cache poison” our victim’s machine so as to redirect its traffic to our machine, sniff the traffic and then send it on to its original destination. Of course, let us assume this is a switched environment. If you are unfamiliar with the concept of “ARP cache poisoning”, I suggest you look it up… I’ll provide links at the end of this blog to push you in the right direction.

The simplest way to do this using ettercap from the command line is this:

ettercap -T -w dump -M ARP /xx.xx.xx.xx/ // output:

Where ‘xx.xx.xx.xx’ is our target machine’s IP address.

This will poison the target’s ARP cache, replacing the MAC address with our own. Of course, this is a very basic example. There are far more complex and more precise usages of this command, which are beyond the scope of this blog entry.

Let us continue…

The “-T” switch selects the text-based interface only.

“-w dump” writes our packet capture session to a file called “dump”.

“-M ARP” is the type of attack, in our case an ARP-based “man in the middle”.

“/xx.xx.xx.xx/ //” is our target’s IP address and port. Notice I have not entered any ports, so we’ll just grab everything.

“output:” just outputs everything on the screen. A “-q” or “-Tq” would have provided less information on the monitor, but I always choose to see as much as possible.

Press “enter”, and Ettercap will scan the network and start doing our bidding. Let it run for as long as you wish. Once you feel you have gathered enough, hit the “Q” key and Ettercap will return our target’s ARP cache to its original state.
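From the defender’s side, the poison-and-restore cycle just described leaves a clear trace on the wire: ARP replies that change the MAC an IP “is at”, and one MAC answering for several IPs at once. The script below is an added example (not part of the original post and not Ettercap’s own code) that runs those two checks over a constructed set of ARP replies; all addresses in it are made up.

```python
# Added example: a minimal ARP-spoofing detector fed with ARP "is-at" replies.
# Two symptoms of ARP cache poisoning are flagged, in arrival order:
#   1. an IP whose MAC differs from the one seen for it earlier
#   2. a single MAC that claims to be more than one IP
from collections import defaultdict

# Constructed sample: (time, sender_ip, sender_mac) as a LAN sniffer would
# record them during a poison (t=3) and restore-on-quit (t=9) cycle.
SAMPLE_ARP_REPLIES = [
    (0, "10.0.0.1", "aa:bb:cc:00:00:01"),   # gateway, legitimate
    (1, "10.0.0.5", "aa:bb:cc:00:00:05"),   # victim, legitimate
    (2, "10.0.0.9", "aa:bb:cc:00:00:09"),   # third host on the LAN
    (3, "10.0.0.1", "aa:bb:cc:00:00:09"),   # gateway now "is at" host 9's MAC
    (3, "10.0.0.5", "aa:bb:cc:00:00:09"),   # victim now "is at" host 9's MAC
    (9, "10.0.0.1", "aa:bb:cc:00:00:01"),   # caches restored when the tool quits
    (9, "10.0.0.5", "aa:bb:cc:00:00:05"),
]


def detect_arp_spoofing(replies):
    """Return alert tuples describing suspicious ARP replies."""
    ip_to_mac = {}                 # last MAC seen for each IP
    mac_to_ips = defaultdict(set)  # every IP each MAC has ever claimed
    alerts = []
    for ts, ip, mac in replies:
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append(("mac_changed", ts, ip, previous, mac))
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                claimed = tuple(sorted(mac_to_ips[mac]))
                alerts.append(("mac_claims_multiple", ts, mac, claimed))
    return alerts


def suspect_macs(alerts):
    """MACs that answered for more than one IP, sorted for stable output."""
    return sorted({a[2] for a in alerts if a[0] == "mac_claims_multiple"})


if __name__ == "__main__":
    found = detect_arp_spoofing(SAMPLE_ARP_REPLIES)
    for alert in found:
        print(alert)
    print("suspect MACs:", suspect_macs(found))
```

On a real network the same logic can be fed from a static ARP baseline or from a sniffer’s ARP stream; the restore at quit time shows up as a second set of “mac_changed” alerts, which is why the history of claimed IPs per MAC is kept rather than only the latest mapping.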

Now all you need to do is analyze the dump file. This can be done with “etterlog” or Wireshark. To use Wireshark, you may need to rename the file to “dump.pcap”. As for “etterlog”, you’ll have to convert it to the proper format. Type “etterlog -h” to see all the wonderful options; it’s very complete. Once you have your capture file, you can use tools such as chaosreader or NetworkMiner to retrieve the information, or you could do it manually using Wireshark.

Later on, I may just post something about filters and more “advanced” methods. For now this will have to do. All the information is already on the Internet, and is readily available for anyone who takes the time to search and read.

On another note, we at Kioptrix.com are leaving for the HackUS.org CTF event this weekend. I’ll report back next week. Also, don’t forget that Hackfest.ca is accepting papers for the convention being held in November of this year (2010) in Quebec City, Canada. Kioptrix should come out with episode 3 of our monthly podcast (French only) a week or so after the CTF in Sherbrooke. New VM images are soon to be released (hint); they should be out within the next 2 weeks.

http://ettercap.sourceforge.net/

http://en.wikipedia.org/wiki/Ettercap_%28computing%29

http://en.wikipedia.org/wiki/ARP_spoofing

http://networkminer.sourceforge.net/

Hope you enjoyed the read.