
Friday, April 15, 2011

He’s pissing into the wind! How brilliant can he be?

Sometimes the most technical solutions are undone by the most simple of things…

In the movie Deep Blue Sea (the one with evil sharks and LL Cool J), Samuel L. Jackson arrives on the rig and is being introduced to the crew. One of my favorite quotes comes when Dr. Whitlock is pointed out.

There’s Doctor Jim Whitlock, the most brilliant man ever!

He’s pissing into the wind! How brilliant can he be?

Names have been changed to protect the guilty, and sorry, no pictures for this one.

After some preliminary investigation, an employee was identified as stealing Intellectual Property. We will call him Dwight. On the outside, Dwight looked like the model employee. He was always ready to stay late, never complained about being volun-told to do work, and didn’t care about things like promotion or missing that bonus. Dwight was a good employee. Except he wasn’t. Dwight was mad and decided to take his revenge. He downloaded GPG and created his very own private key (RSA 3072).

Around this time IT was running out of space on a network drive; some employee was storing large files. A sysadmin accessed the drive and saw a bunch of files that were encrypted. The sysadmin called the Security Team and the investigation began.

The first thing was to monitor email. Dwight was sending files (every one of them encrypted) to only one recipient. That email account was some random account which, in the end, belonged to Dwight.

It seems that Dwight is a brilliant guy and knows that there is no evidence. Sure, we could beat him and make him decrypt, but thanks to legal we can’t.

Well, this guy was pissing into the wind… The first thing we did was create a meterpreter payload.

Note: There are many tools that can be used. However, this guy needed to be taken down a peg, and since the afternoon was free, open source it is.

Using psexec, we ran meterpreter on his machine on his behalf… meterpreter session 1 opened.

Next we grabbed some screenshots… It looked like he was copying some sensitive information into a document.

Game… 

Next we started a keystroke dump… We see the keystrokes “Sensitive Project Marketing Plan.doc”, and next we see “B33TF@rm3r4life”. Could this be his GPG passphrase?

Set…

Next, through a series of screenshots, we watched him compose the email with the attachment to that secret email account. Before he hit SEND, we remotely turned off his keyboard and mouse. We also flipped on his webcam, just to make sure it was him at the keyboard.

Match…

Afterwards we looked at the GNU Privacy Handbook at gnupg.org, which says:

Ultimately, there are diminishing returns on the extra security a large key provides you. After all, if the key is large enough to resist a brute-force attack, an eavesdropper will merely switch to some other method for obtaining your plaintext data. Examples of other methods include robbing your home or office and mugging you.

Well, now he is in jail, getting a brute-force attack!

Lessons Learned:

  • Shell is money, but post-exploitation is priceless.
  • No matter how smart you are, you don’t know everything.
  • Even though I know we are all geniuses, please remember to piss downwind.