From Security Weekly Wiki
Jump to navigationJump to search


PaulDotCom Security Weekly - Episode 216 - For Thursday October 21st, 2010.

  • Announcing Hack3rcon!The con will take place on Oct 23-24, 2010 at the Charleston Civic Center, alongside CharCon, a gaming conference that will interest many of you as well. Tickets are $40 for the whole weekend. Our very own Carlos Perez will be speaking!
  • Mark Baggett teaches SANS 504 during SANS San Antonio for 6 days. Come learn Hacker Techniques, Exploits & Incident Handling! November 13th thru 20th.

Tech Segment: Defcon PaulDotCom Badge Challenge

This year we conducted another contest for DEFCON. While it wasn't for a party badge, it was for bragging rights and a cool laser cut badge. Here's the solution:

First off, we did mention that everything that you needed was in the blog post. Many of you thought incorrectly, that like last year, the hidden goodies were in the image. You were wrong. Close, but wrong. How close? Use the source Luke!

Looking at the HTML source of the page you would notice right under that image is a URL written in white text on a white background. Of course highlighting the blog post would have revealed it, or it would have rendered in a readable format using Chrome. What does it say? http://www.badguywalmart.com

So, what happens when you get there? You get a web page with a secret i-hacked contest code. But wait, theres more! Looks a little oddly formatted. Again, a reveal of the source or a highlight of the page reveals the following text:


Everything you need is located at the server www.badguywalmart.com. (We're in no way affiliated with Walmart Corporation, BTW.)

I sure hope noone portscans me, but you have permission to do so. You do not have permission to launch attacks or compromise this box though. Please be gentle with your scans, but be thorough. You only need to worry about TCP, and ports under 1000.) 

Ok, so, lets do it. We'll even do it the easy way, with as few command line options as possible. We will make sure that we don't go over port 1000 in order to be gentle.

Hiroshige:~ lpesce$ nmap www.badguywalmart.com -p 1-1000

Starting Nmap 5.21 ( http://nmap.org ) at 2010-08-12 10:52 EDT
Nmap scan report for www.badguywalmart.com (
Host is up (0.015s latency).
rDNS record for static-173-69-3-38.prvdri.fios.verizon.net
Not shown: 483 closed ports
1/tcp   open  tcpmux
6/tcp   open  unknown
9/tcp   open  discard
13/tcp  open  daytime
18/tcp  open  unknown
22/tcp  open  ssh
30/tcp  open  unknown
33/tcp  open  dsp
36/tcp  open  unknown
45/tcp  open  mpm
54/tcp  open  xns-ch
57/tcp  open  priv-term
70/tcp  open  gopher
71/tcp  open  netrjs-1
80/tcp  open  http
84/tcp  open  ctf
115/tcp open  sftp

Nmap done: 1 IP address (1 host up) scanned in 5.49 seconds

Uh, ok, so that's like a lot of weird services. Finger? Don't mind if I do. So, I did say to be thorough, right? One way we could have done that would have been with the Firefox plugin Header Spy, we would have noticed something very interesting about the header response for port 80:

The server identifies itself as "http://twitpic.com/photos/badguywalmart". Hrm. That's an interesting server header. That's no Apache! Of course, if you actually browse to that address, you'll get a bunch of pictures with phrases written on them..I wonder how those fit in.

Back to the header on port 80. So, I wonder if the other services are what nmap says they are. If we start plugging some of those other ports into a browser as well, we get the same web page as on on port 80. Clearly we have something here…even though I was looking forward to playing Netris.

Let's use the NSE script to look at HTTP headers! This one written by Ron Bowes, works real well, and when it can identify the server, it gives us a bunch of stuff (trimmed for brevity).

Hiroshige:~ lpesce$ nmap -sV --script=http-headers www.badguywalmart.com -p 1-1000

Starting Nmap 5.21 ( http://nmap.org ) at 2010-08-12 10:55 EDT
Nmap scan report for www.badguywalmart.com (
Host is up (0.048s latency).
rDNS record for static-173-69-3-38.prvdri.fios.verizon.net
Not shown: 483 closed ports
1/tcp   open  http       lighttpd 1.4.26
| http-headers:  
|   Content-Type: text/html
|   Accept-Ranges: bytes
|   ETag: "-1893968157"
|   Last-Modified: Tue, 27 Jul 2010 03:23:48 GMT
|   Content-Length: 1795
|   Connection: close
|   Date: Thu, 12 Aug 2010 14:56:55 GMT
|   Server: lighttpd/1.4.26
|_  (Request type: HEAD)
7 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :


Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 88.84 seconds

We will note that it isn't all formatted "properly". After speaking with Ron, you might want to modify the NSE script to perform the nice output for servers on ports other than 80 and 443. Entirely up to you, as we do get the information that we need either way.

Once we look at the results we will note that we have a bunch of server headers. Some for Lighttpd, which aren't very interesting, but we are left with the following ports and services (in addition to the one already discovered on port 80 for the twitpic pictures):

Port  Header 
13    i come third and sixth 
33    i come first
54    i come seventh
57    i come second
70    i come dot fourth N AND dot eighth W
84    i come fifth

Well, that seems interesting. That seems to be instructions! If we arrange the port numbers according to the instructions and apparent punctuation in the header we get:

33 57 13 . 70 N 84 13 54 . 70W


33 deg 57' 13.70" N, 84 deg 13' 54.70" W

Now we're talkin'. However, what is at this location? Let's Google Map it! Unfortunately, Google doesn't play well with Degrees Minutes Seconds. We can use the page <a href=http://www.fcc.gov/mb/audio/bickel/DDDMMSS-decimal.html>here</a> to convert to decimal, which google likes. Try this location instead:

33.953822, -84.231899

Which Google maps <a href=http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=33.953806,+-84.231861+(You+can+insert+your+text+here)&sll=37.771868,-122.422972&sspn=0.045321,0.089006&g=37.771008,+-122.41175&ie=UTF8&ll=33.953546,-84.231985&spn=0.003084,0.005563&z=18&iwloc=lyrftr:m,10459900436034087647,33.953822,-84.231899>here</a> to a location with a GameStop at 6050 Peachtree Pkwy, Norcross, GA. But, what else interesting is at that address.

Unfortunatley since DEFCON, the page rank for the company we are looking for has plummeted from the second entry to the middle of the <a href=http://www.google.com/search?q=6050+Peachtree+Parkway,+Norcross,+GA&hl=en&client=firefox-a&rls=org.mozilla:en-US:official&prmd=m&ei=AkCITJG6KMK78gbXsKH6AQ&start=20&sa=N&cad=cbv#q=6050+Peachtree+Parkway,+Norcross,+GA+30092&hl=en&client=firefox-a&rls=org.mozilla:en-US:official&prmd=m&ei=lUCITMT6CIH98AbivNyiAg&start=50&sa=N&fp=368644f9c0f1c536>fourth page</a> When you see it, you'll get it.

Want to confirm? How do we know which phrase? How about downloading some pictures from that twitpic stream and using exiftool to look at the pictures? Remember, you need to download the full size image, as often post processing will remove metadata. Once we do that, we'll note that one image has the exact same GPS location as determined from our port numbers. Yep, the first one in the list. That was your phrase that pays. Now, time to go "check" you work!

Guest Interview: Mati "Muts" Aharoni & Chris Hadnagy

Mati is the founder of Offensive Security. His day to day work involves vulnerability research, exploit development and whitebox / blackbox Penetration Testing. In addition, he is the lead writer and trainer for many of the “Offensive Security” courses, which focus on attacker tools and methodologies. Mati has been training security and hacking courses for over 13 years and is actively involved in the security arena, and is one of the core developers of the BackTrack live CD.

Chris Hadnagy, aka loganWHD, has been involved with computers and technology for over 13 years. As the founder of social-engineer.org his focus is on the “human” aspect of technology such as social engineering and physical security. Chris has spent time in providing training in many topics and also has had many articles published in local, national and international magazines and online journals. Chris is working on the management and planning of new and exciting programs with the Offsec family.

  1. How did each of you get your start in information Security?
  2. What led you to develop an expertise in Social Engineering?
  3. Tell us about BackTrack's current and future development, what we can expect for 2011 from BT and the SE podcast?
  4. What your goals for the Social Engineering webcast?
  5. Where you got the idea for the SE podcast,
  6. How do you choose your guests? Describe challenges in putting it together
  7. Tell us about the upcoming book & class
  8. Any good SE/pen test stories you can share?
  9. Info, on the business side, as to what offensive-security.com provides

Stories For Discussion

  1. 6 security leaks you should fix NOW! - [Larry] - Uhhh, wow these seem a little off base to me.

- Unauthorized smartphones on Wi-Fi networks - Open ports on a network printer - Custom-developed Web applications with bad code - Social network spoofing - Employees downloading illegal movies and music - SMS text messaging spoofs and malware infections Lets discuss….

  1. Fake AV? Nah, it's real. - [Larry] - Kaspersky website gets poped, and links to download of fake style AV. Ironic. Kaspersky blames a third party component. You should still test it regardless, no?
  2. Thief backs up data. - [Larry] - Man gets laptop stolen. Man admits he's ba at backing up. Thief backs up data and mails to victim. Aww, how nice. Wait, what?

Other Stories of Interest