by Petros Angelatos
At my previous startup, Kamibu, we used to play what we called Wargames. The story below was my introduction to programming embedded computers, so I thought it was fitting to write it up for the Resin.io blog.
Computer Wargame: Game between hackers with the goal of acquiring control of the opponent's computer
Kamibu Version: Make the opponent's computer display a green screen with the text "PWND by ...". All methods allowed.
Starting Date: February 19th 2010
End Date: May 20th 2010
February 19th 2010, 17:30
Alexis loses by Dionysis and me. We used a Flash application which displayed the desired message in fullscreen. Chorvus had protected himself by using “DisableFullscreen = 1” in Flash's mms.cfg.
May 7th 2010, 18:30
Chorvus loses by Dionysis. Dionysis convinced Chorvus to play Age of Empires together and set up a VPN to play on a LAN. Dionysis retrieved Chorvus' password from Zino (previous website we had all worked together on), which was the same as the one he used on his PC. He obtained access to Chorvus' hard drive through "Simple File Sharing", with LAN privileges and the password, and modified the game's executable, which was in C:\Games, to display the desired green screen. Chorvus is disqualified.
May 20th 2010
Dionysis loses to Chorvus and me. How? Read on.
Flashback: February 22 2010
Chorvus: Are you up for going under Dionysis' house and pen testing his wifi? Chorvus: :P Chorvus: I'll be in Athens during the weekend Petros: Actually that's my plan :P Chorvus: (rofl) Petros: If he hasn't changed his wifi password, I know it. Petros: οk, it’s a deal Petros: :P Chorvus: If he has changed it, I'll deal with it with aircrack-ng Petros: It won't work from the street, he lives on the top floor Petros: We'll have to go in Petros: I know how. Chorvus: I'll bring my lenovo 13.3
Before Chorvus lost, we were discussing how we could take Dionysis down. I remembered his home WiFi was WEP-encoded, which can be cracked in a few minutes with the appropriate tools and techniques. Afterwards, once we had access to his network, we'd Man In The Middle his traffic using ARP Poisoning and we'd get him to download some executable which we'd substitute with one of our own design.
So, Chorvus came to Athens for 3 days, and he stayed at mine. We decided to go close to his house and crack his WiFi network. Dionysis lives on the top floor so to be in range we'd have to go into his appartment building. I remembered that on the way up to the roof, there was a small room which housed the elevator motor. The perfect place to attack from. In that room there was also a plug. We'd leave the a PC there, which would connect to Dionysis' network and we would access it through a Reverse SSH Tunnel
We used a set-top box from Vivodi (a Greek Telecom at the time) which was a set top box for Cable TV. It had a 733MHz CPU, 128MB HDD, 2 x USB 1.1, 2 x Ethernet and was small and silent. We prepared it at my house by setting up SliTaz, a mini distro, adding a USB WiFi interface, and made it connect to Dionysis' network and set up an SSH tunnel.
So, one evening we went to his house. To enter we rung a random doorbell and said "Dionysis", though I later realised we could have openned the door with a simple phonecard. We went up to the small room, but there was no mains power to plug the set-top box in as I had thought. Nevertheless, we continued to gather as much information as we could. Chorvus, using his laptop, and with a little work through Aircrack-ng determined Dionysis' WiFi password. We then used Cain and Abel for the ARP Poisoning which made all of Dionysis' traffic go through Chorvus' laptop. We weren't able to find something more than his WiFi password, and went back home.
A few days before he lost
Chorvus lost at Dionysis' hand, and Chorvus and I decided to try and defeat Dionysis again. He wasn't able to come to Athens again so the task fell to me. The little room had no mains power, but it did have an old lamp holder without a lamp, which we didn't know whether it was powered or not. The plan was to set up the set-top box again, this time more robustly, and power it through the lamp holder. The 128MB HDD made it very hard to set up the necessary tools as the mini-distro had its own peculiarities. The set-top box had no way to power a hard disk, so I used a power board from an external HDD case and replaced the 128MB IDE Flash Module with a 200GB hard disk. I then downloaded Ubuntu Server Edition, which after 2 attempts worked just fine. I also installed an extra fan as the new hard drive in such a limited space lead to increased temperature.
To power the system from the lamp holder I did the following: I broke a lamp and took the screw part that fits into the holder. I then soldered onto it two wires which ended up in a female plug, and added the appropriate insulation.
A few hours before he lost
At 6:30 in the evening, I went with a friend back to Dionysis' place, with the set-top box, the laptop, a multimeter, and electrical screwdriver. We got in like perfect gentlemen and I went into the small room. First, I connected the remnants of the lamp into the lamp holder and checked with the electrical screwdriver if the lamp holder was powered. It was! I turned the switch off and connected my laptop charger, the hard disk power board, and the set top box. When I turned the switch back on, there was a loud *POP* sound. Initially I thought I might have bricked everything, but thankfully the system had worked. I had power! I turned the set top box on, connected it to Dionysis' network with the WEP key I already knew, and had it tunnel to a server with SSH. Also, I set it to reconnect in case the WiFi connection went down. I left it there and went back home.
I told Chorvus that everything was OK and he got to work creating the executable which we'd serve to Dionysis. We'd modify Skype.com and when he'd download Skype Beta 5, in reality he'd be downloading our own executable, which had the same size and same icon/version info. The only thing missing was Skype's Digital Signature. Chorvus got the executable ready and matched the size by padding it with “PWNDPWNDPWND…”. In a server I created a Virtual Host for download.skype.com and we put the files there. The only thing we needed was to change the answer to the DNS Query Dionysis would make when he would try to download the file.
petros@europa:~$ cat /etc/apache2/sites-available/skype.com <VirtualHost *:80> ServerName download.skype.com DocumentRoot /var/www/skype.com/html/ ServerAdmin email@example.com CustomLog /var/log/apache2/skype.log common </VirtualHost> <VirtualHost *:80> ServerName skype.com DocumentRoot /var/www/skype.com/html/ ServerAdmin firstname.lastname@example.org CustomLog /var/log/apache2/skype.log common RedirectMatch (^/(.*)) http://www.skype.com$1 </VirtualHost> petros@europa:~$ ls /var/www/skype.com/html/ SkypeSetup.exe SkypeSetupFull-Beta.exe index.html petros@europa:~$
To do that I installed ettercap on the set top box through the SSH tunnel. Ettercap can do ARP Poisoning amongst other things and has some filters that can be applied to the traffic that passes through it. One of the filters was DNS Spoof. I set download.skype.com to resolve to our own server and began the ARP Poisoning. For Dionysis, everything was working normally, except for the fact that all his internet traffic was going through an external device.
Everything was ready...
A few minutes before he lost
Petros: Did you see Skype 5? Petros: It's got an awesome video interface Petros: We should add it to zino Dionysis: Let me see, give me a sec Petros: Did you see it? Dionysis: It's downloading now Petros: Ok Dionysis: nice Petros: What? Dionysis: I lost. Petros: hahahahahahahaha
Any questions? or you'd just like to say hi, come find us on our community chat.