For quite a while now, I have worked in the security industry. One of
the things I do is provide security advice to companies on all sorts of
guidelines, policies and hardening. Web penetration tests are also
something I do very regularly. In other words, a disclaimer before you
read on: I should have known better...
VirtualBox, Packer, Vagrant and Ansible are tools that I use a lot.
These four tools make virtualizing and provisioning really easy. You
can create new machines, experiment with them and test different
setups in a repeatable and automated way.
As I sometimes organize pentesting workshops, I have several virtual
machines with Kali (a penetration testing distribution) installed on
them readily available.
So, I connected my laptop to the network of the 23rd Defcon conference
in Las Vegas while one of these standard Kali virtual machines was
(still) running as a guest on my machine. Not only was Kali running, the
guest was also configured to run in bridged networking mode. This
means that Kali got its own IP address on the conference network.
What I hadn't changed on that machine was Kali's default root
password. To make matters worse, what I had changed was the SSH server:
it doesn't run by default, but it was running now.
Once again, I should have known better. What you should do when you
visit the world's biggest hackers' conference is harden your
machine, and bring a burner (throwaway) laptop.
What you shouldn't do is expose the SSH server of a standard Kali
distribution to the network, with the default root password.
Yet, that's exactly what I did...
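The two sshd settings that turned an unchanged default password into a remote root shell are PermitRootLogin and PasswordAuthentication. The POSIX shell script below is an added example, not something from the original post: it reads an sshd_config, reports whether root could log in with nothing but a password, and writes a hardened copy. The sample config it audits is constructed for the demonstration; the helper names (sshd_effective, root_password_login_allowed, harden_sshd_config) are my own.

```shell
#!/bin/sh
# Added example: audit an sshd_config for password-only root login and write a
# hardened copy. Assumes the "Keyword value" syntax of sshd_config and ignores
# Match blocks; the helper names are not from the original post.

# Effective value of a keyword. sshd uses the FIRST occurrence of a keyword,
# so later duplicates are ignored; keywords are case-insensitive.
# $1 = config file, $2 = keyword, $3 = value to assume when the keyword is absent
sshd_effective() {
    val=$(grep -iE "^[[:space:]]*$2[[:space:]]+" "$1" | head -n 1 | awk '{print tolower($2)}')
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# Exit status 0 when root can authenticate over SSH with only a password.
# When a keyword is absent we assume the permissive value, which is the
# conservative choice for an audit (older OpenSSH releases defaulted to yes).
root_password_login_allowed() {
    prl=$(sshd_effective "$1" PermitRootLogin yes)
    pa=$(sshd_effective "$1" PasswordAuthentication yes)
    [ "$prl" = "yes" ] && [ "$pa" = "yes" ]
}

# Write a hardened copy: prepend the secure settings so they take precedence
# (first occurrence wins) and comment out the original directives for review.
# $1 = input file, $2 = output file
harden_sshd_config() {
    {
        printf 'PermitRootLogin prohibit-password\nPasswordAuthentication no\n'
        awk 'tolower($1)=="permitrootlogin" || tolower($1)=="passwordauthentication" { print "#" $0; next } { print }' "$1"
    } > "$2"
}

# Constructed sample: what the exposed guest's sshd_config effectively said.
demo=$(mktemp)
cat > "$demo" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF

if root_password_login_allowed "$demo"; then
    echo "EXPOSED: root can log in over SSH with only a password"
fi
harden_sshd_config "$demo" "$demo.hardened"
if root_password_login_allowed "$demo.hardened"; then
    echo "still exposed"
else
    echo "hardened copy: root password login over SSH disabled"
fi
```

Apply the hardened file with `sshd -t -f <file>` first to syntax-check it, then reload sshd. This closes the remote path only; the default password itself still needs a `passwd root`, and a guest that does not need to be reachable from the conference network is better off in NAT or host-only mode than bridged.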
What surprised me, though, is how quickly the box was owned. Literally
within a minute someone on the network was kind enough to change
the root password for me. Within a minute! I expected hostile traffic,
but this turnaround time really was impressive. So helpful!
I immediately shut down the box and will do some offline forensic
research on it, just for fun. Thankfully, when you have prepared
virtual machines you can be up and running within almost the same time
as it took for someone else to hack the box.
Precisely because of my beginner's mistake I liked Defcon so much. It
made me feel like a rookie (and rightfully so!). There were so many
knowledgeable people, so many clever talks, demonstrations, workshops
and games going on. It made me humble to the core. Everybody was so
friendly and helpful, and I learned a lot.
One of the things I always tell people is that pentesting taught me
that people are generally good. You always find vulnerabilities in
(web) applications, but people haven't exploited those vulnerabilities
yet. People must be good by nature.
So a big thank you to the person who owned my virtual machine within a
minute. Even though I'm deeply ashamed of my beginner's mistake,
thank you for reminding me of how important consistent operational
security is. Thank you for reminding me of what the world could look
like if people were evil. But they aren't. People are generally
good. Hackers even more so.
Another post will be on the Defcon OpenCTF competition, which I was
fortunate enough to compete in.