Friday, November 14, 2008

The Story of a Hack - Part 2. Breaking In

Just a reminder, this series of post, like all my posts, is for educational purposes. Mostly my education but if anyone else finds them interesting or useful then that's great too.


This is the second part of my little hacking story. The intro can be read here, and the first part here.

I do not condone breaking into networks without permission, the methods I describe here are how I envisage a network might be penetrated by a determined attacker, I could be completely wrong.

Okay, that said lets get on with it.


Breaking In

So I had a little recce of the target and performed a very inconspicuous war-walk with my IPhone. Knowing that HackMe uses WEP on the wireless network and broadcasts the SSID as HackMe speaks volumes of the security stance of the company in general.

So I sit myself in the park opposite the premises on this lovely day along with quite a few other people, all making the most of the warm weather and wanting to get out of the offices. Booting straight into my favourite security distro BackTrack I put my black hat on for a little wireless fun.

To start with I launch kismet, specifying the capture source and with logging turned off.

kismet -c madwifi_ag,wifi0,madwifi -n



Great, I can see the HackMe wireless network and by simply pressing "i" I can get the MAC address of the access point and I make a note of the channel, I'll need these in SpoonWEP.


I fire up the SpoonWEP tool that's included with BackTrack, configure it to point to the WAP, adjust the channel and tell it to use my wireless interface. 2 minutes later and I'm a very happy hacker.


My next step is to associate to the target network with the cracked WEP key and spend a few minutes exploring.


I'll just fire off a few Nmap commands to get an idea of what my targets network looks like. At this stage I don't know if I'm on the internal network or just on a wireless subnet.

Before long it seems as though I am indeed in the internal LAN. I can see a few other hosts that would only usually live on the LAN. This makes life easier, and that's exactly what I want, an easy life.

nmap 192.168.1.1/24 -sP



nmap 192.168.1.1/24 -A

oh.... there we go. Test-Server. That's what we like.




Hopefully Test-Server is one of those poor servers that gets sat in the corner and forgotten about. We all know the ones I'm talking about. Don't worry Bad Admin, Bob will give it some attention for you!



Lessons
  • In my opinion it's a real bad idea to have a wireless network coming straight onto your LAN. It should be firewalled off and should employ strong certificate based authentication.
  • As I pointed out in the previous post, a number of measures can be taken to secure wireless networks, and although these layers of security can be peeled away, each layer raise the bar slightly and makes the attackers job harder.
  • Every host on a network is important, as an attacker there are two thing I count on to be able to break into a network, poorly patched hosts and human stupidity, and these are both one in the same!

Next............Kung Fu Shopping.


No comments: