View Full Version : Hack my server
converge
11-28-2001, 08:11 PM
yes... you. I am willing to test the measures I have taken on my server to prevent intrusion. As a rather newb security geek, I would like to challenge dc.org members to hack the site. This is a real server, so I must request several guidelines be adhered to.
* Do not attempt to DoS or nuke the server, network, or any routers/switches on the network. The network is not within my scope of responsibility and such attempts are highly unwarranted; I also seek more useful information.
* Do not attempt to break other servers or computers on the network near the server. The server, and this server alone, is mine to administer. Intrusion into other computers could cause an unwanted incident.
* If successful, please refrain from damaging any data or configuration. However, please make it known in some way that you did get into the server. Also, please post full detail of your findings on the dc board for the enjoyment and learning value to other dc members. This is meant to help me (and others) along.
Upon confirmation of interest, and a final backup of my configuration and data, I will post the address of my server for the challenge to begin.
gimpsta
11-28-2001, 08:39 PM
hahah first thing, love the sig i wish i had thought of it.
second, when and if you post the addy, you should give them some detail. explain your network configuration, server configuration, os, fixes, etc etc. i'm sure you already planned on that, but you might as well give them the best opportunity to make a successful crack.
just my 2 cents.
nulltone
11-28-2001, 08:50 PM
Oh yea. One more thing. When you post the IP and config, don't forget to post your root password. Thanks. = p
converge
11-29-2001, 11:55 AM
And the games are on...
the server's IP address is http://63.82.76.100
again, if you get in, there must be no destructive work to the configuration or data. this is a live server. this is an exercise in getting there, not how much someone can change stuff.
i would suggest posting findings about the hack as progress is made (sort of like a dc team effort). this will help newbs to see a basic process, and everyone along the line to learn a little bit more about securing the boxes that they have or are stuck with...
simon
11-29-2001, 02:56 PM
Here is a simple trick for anyone who doesn't know...
If a http port is open, generally you can telnet to server.com:80 and either dump some random text or a GET / request.
At the beginning of the data you get back should be some useful information...
Have fun,
simon
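An added example, not code from the thread, of what to do with the data that comes back from the telnet-to-port-80 trick above: it parses a raw HTTP response and lists the headers that give away server software and version (the response and the header list are constructed assumptions, not captured from any host).

```python
"""Inspect what an HTTP response reveals about the server software.

Added example, not code from the original thread. It parses a raw HTTP
response as the telnet-to-port-80 trick above would show it and flags
headers that disclose product or version. The sample response is
constructed, not captured from any real host.
"""
import re

# Constructed sample of what a "GET / HTTP/1.0" might return (not real).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/5.0\r\n"
    b"X-Powered-By: ASP.NET\r\n"
    b"Date: Thu, 29 Nov 2001 19:56:00 GMT\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html>...</html>"
)

# Header names that commonly leak software details (assumption: common defaults).
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "via")

def parse_response(raw):
    """Split a raw response into (status line, {lowercased header: value})."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip anything that is not a 'Name: value' header line
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def disclosed_software(raw):
    """Return {header: value} for the headers that leak product info."""
    _status, headers = parse_response(raw)
    return {h: headers[h] for h in DISCLOSING_HEADERS if h in headers}

def disclosed_versions(raw):
    """Return (product, version) pairs, e.g. ('Microsoft-IIS', '5.0')."""
    found = []
    for value in disclosed_software(raw).values():
        found.extend(re.findall(r"([A-Za-z][\w.-]*)/(\d[\w.]*)", value))
    return found

if __name__ == "__main__":
    for product, version in disclosed_versions(SAMPLE_RESPONSE):
        print(f"discloses {product} version {version}")
```

The same parser works on the "400 Bad Request" reply a server sends back to random text, since the Server header is usually present on error responses too.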
simon
11-29-2001, 03:06 PM
That is not the official web server for the Central Maine Technical College.
Here is the whois for cmtc.net
> nslookup cmtc.net
Server: someserver
Address: 0.0.0.0
Name: cmtc.net
Address: 208.209.191.51
Also a hint... if you get stuck use www.netcraft.com to help gather clues.
Also before anyone actually does anything I would suggest doing a whois on cmtc.net. And calling the technical contact and ask them if they have any knowledge of this and if it is actually OK.
simon
converge
11-29-2001, 04:44 PM
hehehe oh, boy... i was hoping to not have to bother my supervisor with this (a little more conservative than I in these respects), but I guess I can let him know if you feel inclined to call (wouldn't want him to worry)
actually, if you call the administrative contact, you'll get people that work for a local ISP that will have no clue of anything that we do. the correct administrative contact is either Bob Boucher at 207-755-5241, or us in the IT Services department, 207-755-5336. this is shown in our cmtc2.net registration to one of our test servers .154. our fax has actually changed since we got our own, it is 207-755-5497.
do not attempt anything on the 208 subnet, these servers are out of my hands. with a little more research you'll find that we also own the class c 63. range, although no domain names are currently registered with it. we use the 63 range for a variety of things, one of which is addressing for test servers, such as the one that i am testing the security of.
out of work for the night, but you can contact me at sraymond@cmtc.net.
btw... nice to see some attempts. upon checking one of the log files i found the following for your enjoyment
http://63.82.76.100/posted_attempts.html
simon
11-29-2001, 10:57 PM
What is considered an "attempt" in those logs?
converge
11-30-2001, 07:29 AM
an "attempt" in this instance is every logged malformed header sent to the server. a large number of attempts could be simply running a program that tries that many headers, or in the instance of one IP, continuously running a similar set of headers
the time listed is the beginning time for the detected attempts, where the continuous attempt is actually still running
i haven't found it necessary at this point to post any other log information
unfortunately, I would also have to warn against overdoing blatant continuous brute forces... I am interested in seeing what they can do, but something to keep in mind... if the Tech College system office detects overwhelming activity, the open box party I'm trying out will probably be halted by them
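As an added example (not code from the thread), one way to build the kind of per-IP "attempt" summary converge describes, run over constructed log lines; it assumes the server records a malformed request as an HTTP 400 and treats hits closer than a few seconds apart as one continuous run.

```python
"""Summarise 'attempts' per source IP from web server log lines.
Added example, not code from the original thread: an attempt is a
logged malformed request (as defined above); per IP we report count,
first/last time and whether the hits look like one continuous run.
Log lines are constructed, in a simplified W3C-style layout.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: date time client-ip method uri status
SAMPLE_LOG = """\
2001-11-29 15:01:02 192.0.2.10 GET / 200
2001-11-29 15:01:05 192.0.2.10 GET /index.asp 200
2001-11-29 15:02:10 198.51.100.7 GET /%%bad%% 400
2001-11-29 15:02:11 198.51.100.7 GET /%%bad%% 400
2001-11-29 15:02:12 198.51.100.7 GET /%%bad%% 400
2001-11-29 15:02:13 198.51.100.7 GET /%%bad%% 400
2001-11-29 15:30:00 203.0.113.9 GET /nosuchpage 404
2001-11-29 15:31:00 203.0.113.9 GET /%%bad%% 400
2001-11-29 16:00:00 203.0.113.9 GET /%%bad%% 400
"""

MALFORMED_STATUS = {400}              # assumption: malformed requests are logged as 400
CONTINUOUS_GAP = timedelta(seconds=5)  # assumption: hits within 5 s belong to one run

def parse_line(line):
    """Parse one constructed log line into (timestamp, ip, method, uri, status)."""
    date, time, ip, method, uri, status = line.split()
    return datetime.fromisoformat(f"{date} {time}"), ip, method, uri, int(status)

def summarise_attempts(log_text):
    """Return {ip: {count, first, last, continuous}} for malformed requests."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            when, ip, _method, _uri, status = parse_line(line)
            if status in MALFORMED_STATUS:
                hits[ip].append(when)
    summary = {}
    for ip, times in hits.items():
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        summary[ip] = {
            "count": len(times),
            "first": times[0].isoformat(sep=" "),   # start time, as in the posted list
            "last": times[-1].isoformat(sep=" "),
            "continuous": len(times) > 1 and all(g <= CONTINUOUS_GAP for g in gaps),
        }
    return summary
```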
red0x
12-04-2001, 02:29 AM
I hate to be the newbie, but if anyone who is working on this could please let me know what procedures you usually take when penetration testing a single server. I realize there are certain steps to take, most of this is not free form. Sometimes you get lucky, but mostly there is a process... or so it seems...
Enlightenment anyone?
--red0x
converge
12-04-2001, 06:15 AM
that is partially what this is for... helping newbs and up for ideas on how someone might be attempting to get into a server.
i did notice a decent attempt by a recent IP to obtain my password list. maybe whomever started that could enlighten the board more on that attempt...
I know I'm interested to see if and how someone was able to get it; if so, how long it took them to brute force admin access
red0x
12-04-2001, 01:25 PM
Windows 2000?!?!? You want us to hack a Windows 2000 server? That seems kinda lame, but partially fun all the same.
So here's what I was thinking:
1. Research current vulnerabilities on securityfocus.com and read up on anything about win2k on textfiles.com.
2. Do some recon work on the site, stealth scans (using another IP I have access to, not my own) with slow timing (nmap -sS -T Paranoid), try and probe for firewall rules using firewalk.
3. Cross check my findings with my research and look for an "in."
4. Plan and execute an attack.
5. Document my success or failure and analyse what went right/wrong.
6. Cover tracks (if possible).
Note: I've done this before, but I got caught. I guess it's harder than i thought to delete the logs on a win2k server, even with higher than admin access (jill.c rocks!). ;)
Anyone want to critique this?
--red0x
converge
12-04-2001, 01:35 PM
Here's your chance to try it out on my server without getting in trouble (provided you adhere to the specifications I mentioned in the above posts..)
Yeah, it is a 2000 Server. The College I work for is all Windows and I'm not allowed to set up linux, even as simple bind servers, etc... So.. should be even easier right?
Read up on my rules, then go for it :)
red0x
12-04-2001, 01:40 PM
lemme get this straight (btw, this isn't a flame):
your school won't *let* you set up a linux box?!?
what are they, insane? or just stupid?
hey, are you invis?
--red0x
gimpsta
12-04-2001, 02:00 PM
Yes you have it dead on. Our school is very stupid. Everyone here is an M$ Freak, that does not understand linux, so it is "evil" in their eyes. We have had one known break in on a linux box, and oh probably hundreds on windoze boxes. Go figure.
Anyways don't blow this off as an easy challenge because it is a M$ box. It is rather secure. Hey, that's the point of a challenge ain't it?
red0x
12-04-2001, 02:03 PM
I take any opportunity I can to learn, both linux and win2k. I am trying a few things. ;)
--red0x
converge
12-05-2001, 06:24 AM
Anyone? Any successes? Any interesting findings yet?
simon
12-05-2001, 01:59 PM
i have an idea on how to get in...
can i get an email verifying it is ok for me to own your box?
simon@willhaven.org
thanks...
red0x
12-05-2001, 07:01 PM
once you try it, can you tell me how you found it and what it is, etc?
--red0x
Xp0nential
12-07-2001, 12:20 PM
a computer to hack
how delicious
Xp0nential
12-07-2001, 08:38 PM
IIS 5.0 cross scripting vulnerability.
just a guess :)
mmmmmm
maybe not.
converge
12-07-2001, 09:12 PM
don't just guess... go for it
simon
12-08-2001, 12:26 AM
There are two ways that I think can lead to owning... Exploiting the asp code or some crazy packet analysis stuff that I couldn't tell you about (cause I don't know)...
I've already gotten the asp code to spit out some runtime errors...
whats everyone else gotten so far?
Xp0nential
12-08-2001, 08:24 AM
I already got some dll library to spit some errors.
That's why I said IIS cross scripting vulnerability.
Can't get it to do what I want though. Never been into this part of the exploiting world before anyway :D
Damn where is Georgi Guninski when you need him. heh
later all
converge
12-08-2001, 09:48 AM
i can think of a couple weaknesses in the site that are *possibly* exploitable...
give it a try and give me a shout if you want the source to work off of too... I know, I know... that would be cheating; but actually, if my code or one of the components I'm using is going to kill me, then I'd rather find out now
Xp0nential
12-08-2001, 06:31 PM
do I get hired then? :D
hehehe
converge
12-08-2001, 09:19 PM
anyone tired of trying to hack my server yet? not wanting to play with asp, etc?? well, that's disheartening, but..!
hack my other server!
as of this point, I would also like to open up http://63.82.76.99 for scrutiny
my only request is that the same guidelines listed above for getting into .100 be your guiding cricket
btw.. for the asp code, see attached for your reading pleasure
the ASPTear component can be downloaded at http://www.alphasierrapapa.com/iisdev/components/asptear/