The Dark Side is tempting indeed...

I broke into 5 computers today (well, 4 servers and a Cisco router). They weren't my computers. I've never had root on a machine that wasn't mine before (although I have had root on some interesting, if not completely 100% legitimate, places), but today I was encouraged to compromise a bunch of machines in any way I could -- and I was even given tools to do so. It was hellaciously fun and 100% legitimate.

My friend Scott had me and some other local tech folks over at a hands-on presentation/demonstration at his place of work. Since Scott works for a company that "deals with national security", and his job (as I understand it) is to make sure that "people" can figure out how ne'er-do-wells are breaking into their networked computer systems by teaching them how to break into machines themselves, the subject of today's exercise was geared toward throwing us at an array of machines and seeing how many we could crack into. It was a contest, in other words. I didn't do too bad, I guess. Five out of 7 isn't so bad, I figured. For a newbie and all. It's my first time being a bad guy...

Scott's got this entire lab of a couple dozen machines set up with like 9 operating systems, some old workstations running Solaris, and a private network (off the 'Net). We had all these tools, and a 45 minute slideshow overview on network security, what tools people use, etc. Then we were given a host to log into and told to go at it. That's simplifying it greatly, but since I'd seen very few of the tools used, it was all pretty foreign. I'm used to looking at security from a "best practices" point of view. You keep everything patched, keep stuff turned off if you don't need it, look for intrusions on a regular basis, and so on. This was on the other side: we had to be the aggressor and get into these machines, and all we knew was their IP addresses.

So I had a good time today. Mostly it was a matter of nmapping the subnet, then nmapping each host in detail. Then you had to figure out what OS was running on that host (their version of nmap doesn't accept the -O flag, so that was sometimes fun), and what exploit was likely given that and some guesswork (hint, hint: even one password is a huge nugget for a bad guy to get, and if they can get one, it's way easier to get others). If you have a user account that can be accessed via a network connection, make sure it's a good one.

There's a really good tool called Hydra which will try a dictionary attack against nearly any common service. Everyone was running that today but for some reason, I couldn't get it to work. In fact, I never even saw what it gave as output until the very end of the day when Scott gave us hand-outs about how each machine could be cracked. I ran it and ran it, but never got anything out of hydra. I resorted to nmapping the target and trying all the tools I could think of that might apply. It was a little slower, but I got as many machines as everyone except Tony (who got all 7 plus one "bonus" machine that Scott had him go up against) and Kelly (who got one which I probably shouldn't have given up on; see below). In retrospect, I would have immediately run hydra (using the smaller password list) against every host once I first logged on and found what hosts were active. I'd have had 3 login accounts by the time lunch was done. And once you can log in, well...

The most annoying thing today was that after you mastered the basics, it got very rote. It boiled down to a fairly straightforward matter of correlating which tool worked against which particular operating system and its possible range of services -- you just had to find the tool! For example, if you portscanned a machine and saw that it was running ftp, ssh, finger, and sendmail (plus some other uninteresting junk), after some poking, you could find out the OS. And you could do this discovery in a very regular way, machine after machine. And once you regularly discovered what each machine was, and then regularly discovered what was on each machine, you could simply run through the directory of exploits Scott's team has set up for that OS, service by service. See a pattern? It's easily scriptable. Look at every machine, find every service, try every one, easiest first. My frustration was a matter of me wanting to do a brute-forcing of the inscrutability of Scott's tools and their lack of documentation (to his credit, all of the tools were written by hackers out in the wild, and so Scott can be forgiven for lack of helpful documentation -- command-line or otherwise). I just couldn't get past the feeling that me typing away trying to find that one certain exploit (which may or may not work) was a waste of a good algorithm.

I *seriously* considered writing a script that would do the above. Why didn't I? Well, I didn't really know the syntax of all the tools they had, although I could have scripted just a few of them and gotten good results. In fact, I'd say tool syntax ignorance was the major barrier to productivity (Scott, if you're reading this: Put up a default slide on hypothetical smbclient, nbaudit, nikto, john, hydra and [even] nmap commands). I also wanted to try things in a more hands-on way. You can't automate something very well unless you know what it is you are trying to automate. And the way I would have written the script, it would have needed way more than the 4 hour window it would have had to run (because while hydra might be cool and all, when it fuckin' segfaults -- for the SECOND TIME -- after an hour of trying to run it, you'd have to worry more about scripting-in some error handling than trying new exploits). I'm not all that fast a programmer, either. And I would have spent too much time looking at the code of the exploit tool (the plain-text ones anyway; I wound up finding a few bugs as it was, and that was curbing my "this-is-how-you-indent" anal-retentiveness). And I'm not getting paid to write code for Scott's company. :-) They have much smarter folks than myself who would have already written those tools if they had needed them, I figure. And (last "and", I swear) hands-on experience is what we were after. Writing custom tools on-the-fly is 1337 and all, but that wasn't the point of the exercise. And (sorry...) Tony didn't need any ad-hoc tools to get root on every possible machine, nor did Kelley need anything but perseverance to get access to every machine but one. I needed to get more Soviet and less German in my "pen-test" engineering.

All in all, I'd say today was one of the more poignant hacker experiences of my life, and I'd repeat it in a heartbeat. It's always good to be around people who know more than you do. Now that I have a half-clue on what their particular environment is like, I'd be all that much more into it.

When I got home, I wound up trying some of the tools I'd been exposed to today. I'm not doing too bad as it turns out (my own hosts are way more difficult targets than what they had us crack today). Although if I go to a penetration-test workshop again, I'm either bringing my own keyboard and/or my own laptop. My wrists are killing me.

Comments for: The Dark Side is tempting indeed...

Well, if I was the "Scott" in question, I would take your suggestions for the sample tool usage slides to heart, since that would likely make a great impact on the ability to run the unfamiliar tools.

But, since I'm not the "Scott" in question, were there not man pages for smbclient, nbaudit, john, hydra, and nmap? Okay, nikto sucks, but... :P

Anyway, all good points, and the sad reality is that if you make one mistake in your armor, there are tools available to work that crack open and then ram the spear home.

Scott (No not him, or am I?)

Posted by Scott C. Kennedy at December 23, 2003 11:12 AM
