Yesterday I attended my second security Capture the Flag event and it was once again quite fun. The challenges had not changed, but I was able to get further into the Linux challenges and onto the second AppSec challenge, which features a rather grisly C program in all of its archaic goodness.
I learned, with the help of my friend Mike, that…
- sudo can work at the group level, and apparently I don’t know how to set permissions for that
- less is a powerful program and you can perform operations on chunks of text or the entire text, such as a base64 decode on a cryptic file
- the password system that allows teams to increase their scores on the score board gets sent in plaintext over the network.
Yeah, about that #3. I took a long Wireshark capture which I will be using soon to extract all the passwords that people entered onto the scoreboard. No big deal. Granted, I will be revealing my strategy once it works, but once again I have encountered the conundrum of how to encrypt traffic over an intranet. Why work hard when you can work smart? That’s what hackers do. I do still plan to learn, of course, but my hope is to teach a lesson.
Last night I decided I wanted to see what might appear over my network if I booted two of my computers up and started surfing the web. I hadn’t touched Wireshark in ages, but as I have recently committed myself to Information Security, I thought I would let my curiosities run wild.
My router, a CenturyLink ZyXEL, is currently configured to allocate IP addresses statically, but I hadn’t checked which addresses were assigned to my devices. I logged into the router, stopped my capture session, and sure enough I found the admin username and password in plaintext in the HTTP POST call.
This makes sense since you aren’t typically accessing a router from outside your network, and it also makes sense because you need to set the router up before you have an internet connection. The device needs to work without access to a certificate authority. What I do find very interesting, however, is that somewhere, somehow, the router is running a web server, which is the primary interface for configuration. Is there even a way to force a secure connection over HTTP without an external certificate authority for HTTPS?
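As an added example (not code from the post), here is a small audit check a network owner could run over a request copied out of a Wireshark TCP stream: it flags form POSTs sent over plain HTTP that carry a password-like field and reports only the field names, so the credential itself is never stored. The host, path, field names and values in the sample are constructed.

```python
import re
from urllib.parse import parse_qs

# Constructed sample: a router login POST as it would appear in Wireshark's
# "Follow TCP Stream" view (hypothetical host, field names and credentials).
SAMPLE_HTTP_POST = (
    "POST /login.cgi HTTP/1.1\r\n"
    "Host: 192.168.0.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 39\r\n"
    "\r\n"
    "username=admin&password=hunter2&login=1"
)

# Field names commonly used for secrets in login forms (assumption; extend as needed).
SECRET_FIELD_RE = re.compile(r"(pass|pwd|secret|token)", re.IGNORECASE)


def find_cleartext_credentials(request_text, tls=False):
    """Return a redacted report of credential-looking fields in one HTTP request.

    Returns None when the request was carried over TLS (a capture would only
    show ciphertext), is not a form POST, or carries no secret-looking field.
    """
    if tls:
        return None
    head, sep, body = request_text.partition("\r\n\r\n")
    if not sep:
        return None  # no header/body boundary: not a complete request
    request_line, *header_lines = head.split("\r\n")
    method, path, _ = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if method != "POST" or "x-www-form-urlencoded" not in headers.get("content-type", ""):
        return None
    fields = parse_qs(body, keep_blank_values=True)
    secret_fields = sorted(k for k in fields if SECRET_FIELD_RE.search(k))
    if not secret_fields:
        return None
    return {
        "host": headers.get("host", "?"),
        "path": path,
        "secret_fields": secret_fields,  # names only; values are deliberately dropped
    }


if __name__ == "__main__":
    print(find_cleartext_credentials(SAMPLE_HTTP_POST))
```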
I can imagine any number of social engineering attempts at coffee shops where I could ask a savvy owner or manager to check the connection because “the wifi isn’t working for me”. One simple login from the owner/manager and the entire network could be compromised. Not that coffee shop wifi is secure anyway.
Since I am surrounded by XfinityWifi routers in my apartment, I wonder too whether the actual Xfinity logins are encrypted, though I don’t believe I have ever seen an Xfinity router that was. I’m going to assume that the logins are encrypted, but I am rather curious.