Yesterday (I am typing this at 00:02, midnight on Sunday) I was part of a team for the University of Advancing Technology competing in the AVNet Tech Games. I was part of a three-man team competing against two other teams in the Defense in Depth game. The game consisted of us setting up a network using gear they provided to us, and locking it down in the time they specified.
The game had three parts.
- Write a security policy (max 5 pages)
- Secure the network and the machines on the network
- Find the rogue access point
The night before we figured we should probably get the paper done, so we started writing this on Friday night. Since my team consists of me and two roommates, when we get tired we head home and start figuring out what software we want to use. In the end we use all open source software, since the game specifically stated that the business does not want to spend money on licensing software. We came up with the following free software to supplement what they already had available:
- wipfw (IPFW from FreeBSD ported to Windows. Take note Windows admins!)
What we got was the following:
- Windows 2000
- Windows XP
- Windows 2003 Server
- WRT54G Wireless Linksys router
The night before we also prepped: we had a friend who had a WRT54G they did not mind letting us flash and use, so the day of, I woke up early in the morning and flashed it with OpenWRT, set it up, and added certain packages I was going to need to be able to configure it properly. Unfortunately the WRT54Gs have less memory than I had hoped for, so I had to reflash the router just to be able to finally finish installing the bare minimum packages I required. You will find out more about the configuration I used on this router as I go along.
When we get to our stations, we walk in, and we immediately unplug our router, and replace it with the one we had pre-flashed. Since it was flashed, we could also bridge it with the wireless network that was available, because of problems with the network drops that were given to us to use by the UAT IT staff. We start getting our updates onto the different machines. This takes forever and a day. Multiple machines are all rebooting all the time. We started at 0800, by 1030 we have completed about half the updates for all the machines. By 1145 the updates for the Windows 2003 Server have been completed and it is on its final reboot. The Windows 2000 client had been all ready to go, and set up.
During this update cycle, I had created a domain/Active Directory on the Windows 2003 server and then joined the other two machines. We now had a way to log in to all the machines with the same usernames/passwords that we set up in the Active Directory, so now we could easily share folders and make sure that when people accessed files on the server they had the proper permissions to do so. We set up the anti-virus software WinPooch, we installed the firewall and set up some basic rules. And we started setting static IP addresses on all the different machines:
- 10.55.10.1 - Router
- 10.55.10.2 - Windows 2003
- 10.55.10.10 - Windows XP
- 10.55.10.11 - Windows 2000
At this point I head back into the OpenWRT flashed router, and turn off DHCP for the network. All of them have been set to perfectly static IP addresses, and everything functions as expected. Attackers that want to attack the network will now have a more difficult time trying to figure out what IP address range is in use, where the gateway is, and what the machines on the network are. Especially since most people will blindly try the default ranges of 10.10.10.x, 10.x.x.x and 192.168.x.x.
Now I will give a bit more background on the WRT54G from Linksys, if you are not familiar with it. It contains one Broadcom chip, and 5 ports on the back. 1 WAN, and 4 LAN. The cool thing about these ports is that they really are a switch and they are vlan tagged and then handled differently by Linux because of the tagging. So WAN really is vlan network 1, and the other 4 LAN ports are really vlan network 0. Vlans are a way of splitting up networks into logical segments, without actually splitting up routers and switches. It is a hardware based solution to having multiple routers for multiple departments.
As I mentioned before, we had three computers, and one outgoing connection. So I left the WAN port alone, and the other three computers were plugged into ports 1, 2, and 3. The last port was left open, and a network cable was plugged into it, but was not going anywhere. The contest was being judged on how well we could secure our network, so what I did was move port number 4 to vlan number 2. So now we have the following three vlans:
- 0 is physical ports 1, 2 and 3
- 1 is physical port WAN
- 2 is physical port 4
The hackers that read this blog will recognise what happened next. Nowhere in the competition did it state we had to leave this port connected, or at all accessible. So using OpenWRT's config files in /etc/config I set up a "network" I named blocked. This network was going to have the router have a static IP of 192.168.1.1, and we shall turn on DHCP. We won't allow any outgoing, so really it was a dead port that handed out 192.168.1.x IP addresses, yet it would not allow them to reach anything on the network. So at one point, as I was talking to a cute girl and walking over to the contest area, one of the judges pulled me aside and asked me what the hell was up. Apparently the fact that we had turned this port into a dead port stopped them from doing their judging, which was basically running a Nessus scan over the network (I laughed at this! Suckers). This meant that to do their Nessus scan, they would have to unplug one of the other machines and plug in, find the IP range (remember, the other ports don't have DHCP turned on), and then set a static IP and do their scans. I had left an extra Asus switch I had grabbed from the LAN Party stash in the contest area, so they made use of that to be able to plug their multiple devices in to do the judging.
I don't know yet what they judged us on, or what we scored in what categories. We did, however, set up some fun traps. Windows 2000, even when fully patched, is vulnerable to many exploits since it is not maintained by Microsoft anymore (go search milw0rm.com). Using the firewall that we had found (wipfw, and the front-end for it, qtipfw) I quickly set up some basic rules that basically said any outgoing connections are allowed, and state was kept, so that it could correctly connect to the domain controller, and connect to websites. However, incoming connections were only allowed for IP addresses 10.55.10.2 and 10.55.10.10. So unless the judges unplugged one of the machines on the network, and took its IP address, the Windows 2000 machine would reply with an RST or ICMP UNREACHABLE packet for every single thing thrown at it. We had reduced a huge target to the size of a mosquito, by merely setting up a proper firewall. Could it be hacked some other way? Yes, absolutely, and the solution we used was not a hundred percent complete, and would not stop all attacks.
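A ruleset along the lines described above, written as lines of an ipfw rules file in FreeBSD ipfw syntax. This is an added example, not the rules the team loaded on the day; the rule numbers, the availability of the `me` keyword in wipfw, and the ICMP code chosen are assumptions.

```ipfw
# Constructed example for the Windows 2000 client (10.55.10.11).
# Rules are evaluated in numeric order; the first match wins.

# Replies to connections this host opened match a dynamic rule here.
add 100 check-state

# Anything the host initiates is allowed. keep-state creates the
# dynamic rule that lets the return traffic back in via rule 100,
# which is what keeps domain logons and web browsing working.
add 200 allow ip from me to any out keep-state

# New inbound traffic is accepted from two peers only:
# the Windows 2003 domain controller and the Windows XP client.
# This trusts the source address alone, so a host that takes over
# one of these addresses is treated as that peer.
add 300 allow ip from 10.55.10.2 to me in
add 310 allow ip from 10.55.10.10 to me in

# Everything else inbound is refused actively rather than dropped:
# TCP is answered with an RST, other protocols with an ICMP
# port-unreachable.
add 400 reset tcp from any to me in
add 410 unreach port ip from any to me in

# Explicit final deny, so the result does not depend on whether the
# built-in default rule is allow or deny.
add 65000 deny ip from any to any
```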
When I finally get some sleep, I am going to email LostboY, who was our team lead, and I am going to see if we can get some clue into what they judged us on, what we did well on, and what we need to learn for next time. For three Unix/Linux/Mac OS X administrators we did pretty damn well. We were pretty lost in Windows, but we pulled through just fine.
I skipped over the first part, which was the security policy, since it sucked, and was something I hate doing. Especially since they wanted us to complete it ahead of time, rather than document while we were working through the problems. So I am going to skip that.
The last part of the challenge was to find the rogue wireless access node. We were the first team to find it, we were also the first team to set up a decoy using the same OpenWRT we had flashed! Since wireless on our router was disabled on purpose (why set something up that is a security hazard, when nowhere was it required to be turned on?). So now we had our router also advertising AVNETAP which was the name of the AP we had to find.
We as a team ended up winning the competition. What this means is that we all three will be receiving a scholarship worth $1000. Which will be going towards paying for security conferences I want to visit this year, those include LayerOne, DefCon and ToorCon, at least, and will most likely also include Maker Faire. The games were a lot of fun, and at the same time were very frustrating because at multiple points in time the judges while judging us were not able to understand what we did and why we did it, and thus wanted to deduct points. All in all, a good day, and probably the quickest I have ever made $1000, even though it took a whole lot of sweating to get the network up and running, and working the way we wanted it to work. Notes for next time. More sleep. 5 hours of sleep before a competition is hell.