Defcon 23
For quite a while now, I work in the security industry. One of the things I do is providing security advice for companies on all sorts of guidelines, policies and hardening stuff. Web penetration tests is also something I do very regularly. In other words, a disclaimer before you read on: I should have known better...
VirtualBox, Packer, Vagrant and Ansible are tools that I use a lot. These four tools make virtualizing and provisioning really easy. You can create new machines, experiment with them and test different setups in a repeatable and automated way.
As I sometimes organize pentesting workshops, I have several virtual machines with Kali (a penetration testing distribution) installed on them readily availabe.
So, I connected my laptop to the network of the 23rd Defcon conference in Las Vegas, when one of these standard Kali virtual machines was (still) running as guest on my machine. Not only was Kali running, the guest was also configured to run in bridged networking mode. This means that Kali got it's own network IP address assigned.
What I hadn't changed on that machine was Kali's default root password. To make matters worse, what I had changed was the ssh server (which doesn't run by default) that was running now.
Once again, I should have known better. What you should do when you visit the world's biggest hacker's conference is hardening your machine, and bring a burner (throwaway) laptop.
What you shouldn't do is exposing the ssh server of a standard Kali distribution to the network, with the default root password.
Yet, that's exactly what I did...
What surprised me though is how quickly the box was owned. Literally within a minute someone on the network was so kind enough to change the root password for me. Within a minute! I expected hostile traffic, but this turnaround time really was impressive. So helpful!
I immediately shut down the box and will do some offline forensic research on it, just for fun. Thankfully, when you have prepared virtual machines you can be up and running within almost the same time as it took for someone else to hack the box.

Exactly because of my beginner's mistake I liked Defcon so much. It made me feel like a rookie (and rightfully so!). There were so many knowledgeable people, so many clever talks, demonstrations, workshops and games going on. It made me humble to the core. Everybody was so friendly and helpful, I learned a lot.

One of the things I always tell people is that pentesting taught me that people are generally good. You always find vulnerabilities in (web) applications, but people haven't exploited those vulnerabilities yet. People must be good by nature.
So a big thank you to the one owning my virtual machine within a minute. Even though I'm deeply ashamed about my beginner's mistake, thank you for reminding me of how important consistent operational security is. Thank you for reminding me of what the world could look like if people would be evil. But they aren't. People are generally good. Hackers even more so.

Another post will be on the Defcon OpenCTF competition, which I was fortunate enough to compete in.


comments powered by Disqus