

Tuesday, May 20, 2008

PWNED: Whitehat pwns a Blackhat


Today in my AP Psych class, a group was giving a Powerpoint presentation...or trying to, at least. The teacher's computer was running REALLY slowly - clicks took several seconds to get a response, and PowerPoint didn't run smoothly at all.

Well, the usual cause is some defunct program that is hogging memory. I opened up Task Manager, not sure what to expect. Under the Processes tab there were several odd programs running - RAR.EXE, BLAT.EXE, SBS.EXE, stunnel, etc. After several seconds I realized that I was looking at a live USB Switchblade/Hacksaw. In principle, this is similar to my ZBLADE2 project (though obviously not as elegant). Rebooting into safe mode and running msconfig, I found that there was a rogue entry named "SBS" in startup, pointing to a folder C:\WINDOWS\$NtUninstall931337$. This was set up to disguise the Hacksaw inside a bogus Windows Update folder.

Navigating to this folder, I found a gold mine of stuff. This was a classic Hacksaw setup - an SBS.EXE to dump the victim's files, RAR to archive them, stunnel to set up a secure Gmail connection, and blat to email the huge honkin' RAR file via SMTP. Of course, none of this would work without something to tie it all together - this was where send.bat came in, in typical script-kiddy fashion. Inside send.bat was the code to run everything, but even more importantly, the attacker's Gmail username and password.
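A small triage check for the pattern described above, as an added example that is not part of the original post: it flags a startup entry that points into an $NtUninstall...$ folder and counts how many of the Hacksaw tool chain's processes are running. The startup entries and process list are constructed to mirror the ones mentioned here, and the "uninstall folders never hold startup programs" heuristic is an assumption of this example.

```python
import re

# Constructed sample data modelled on the post (not a real capture of that machine).
STARTUP_ENTRIES = {
    "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
    "SBS": r"C:\WINDOWS\$NtUninstall931337$\SBS.EXE",
}
RUNNING_PROCESSES = [
    "explorer.exe", "POWERPNT.EXE", "RAR.EXE", "BLAT.EXE", "SBS.EXE", "stunnel.exe",
]

# Tool chain the post describes; each is benign alone, the combination is the signal.
HACKSAW_TOOLS = {"sbs.exe", "rar.exe", "blat.exe", "stunnel.exe"}
# Assumption: hotfix backup folders ($NtUninstallKB<digits>$) never host startup
# programs, so any startup entry pointing into an $NtUninstall...$ folder is worth a look.
UNINSTALL_DIR = re.compile(r"\\\$NtUninstall[^\\]*\$\\", re.IGNORECASE)


def suspicious_startup(entries):
    """Return startup entries whose command lives inside an $NtUninstall...$ folder."""
    return {name: path for name, path in entries.items() if UNINSTALL_DIR.search(path)}


def hacksaw_processes(processes):
    """Return the running process names (lower-cased) that belong to the Hacksaw tool chain."""
    return sorted({p.lower() for p in processes} & HACKSAW_TOOLS)


def triage(entries, processes, min_tools=2):
    """Combine both checks; the verdict is True only when the pattern, not a single file, matches."""
    startup = suspicious_startup(entries)
    tools = hacksaw_processes(processes)
    return {
        "startup": startup,
        "tools": tools,
        "likely_hacksaw": bool(startup) and len(tools) >= min_tools,
    }


if __name__ == "__main__":
    for key, value in triage(STARTUP_ENTRIES, RUNNING_PROCESSES).items():
        print(f"{key}: {value}")
```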

Now, any person with half an ounce of common sense would probably not attempt to run such an operation on a teacher's computer, let alone do it at all. In any case a newly created fake email account would be the way to go. Unfortunately for this person, the Hacksaw-linked account was a perfectly real account, complete with names. This was the point where the wannabe h4xx0r got pwned. After IT was notified, I made sure all the incriminating evidence was laid out on the screen nice and big for everyone to see.

Ironically, the whole Hacksaw setup never worked because of the simple fact that the school blocks SMTP port 465. Were it not for the very idiotic decision to use a real email account, the investigative process would have been much more difficult. And boy, are people now investigating: after school I saw the principal, who, along with a couple of IT guys, was crawling over the infected computer. The perp will remain unnamed for now.

Obviously, this noob h4xx0r botched up this n00bish op quite badly, and it looks like he will get pwned a second time by the school administration.

Lesson of the day: Don't learn to hack, hack to learn.

Whitehat > Blackhat!
