
Hack my server


  • red0x
    replied
    tsk tsk tsk

    Windows 2000?!?!? You want us to hack a Windows 2000 server? That seems kinda lame, but partially fun all the same.

    So here's what I was thinking:

    1. Research current vulnerabilities on securityfocus.com and read up on anything about win2k on textfiles.com.

    2. Do some recon work on the site, stealth scans (using another IP I have access to, not my own) with slow timing (nmap -sS -T Paranoid), try and probe for firewall rules using firewalk.

    3. Cross check my findings with my research and look for an "in."

    4. Plan and execute an attack.

    5. Document my success or failure and analyse what went right/wrong.

    6. Cover tracks (if possible).


    Note: I've done this before, but I got caught. I guess it's harder than I thought to delete the logs on a win2k server, even with higher than admin access (jill.c rocks!). ;)

    Anyone want to critique this?

    --red0x



  • converge
    replied
    that is partially what this is for... helping newbs and up for ideas on how someone might be attempting to get into a server.

    i did notice a decent attempt by a recent IP to obtain my password list. maybe whoever started that could enlighten the board more on that attempt...

    I know I'm interested to see if and how someone was able to get it; if so, how long it took them to brute force admin access



  • red0x
    replied
    Technique

    I hate to be the newbie, but if anyone is working on this, please let me know what procedures you usually take when penetration testing a single server. I realize there are certain steps to take; most of this is not free form. Sometimes you get lucky, but mostly there is a process... or so it seems...

    Enlightenment anyone?

    --red0x


  • converge
    replied
    an "attempt" in this instance is every logged malformed header sent to the server. a large number of attempts could be simply running a program that tries that many headers, or in the instance of one IP, continuously running a similar set of headers

    the time listed is the beginning time for the detected attempts, where the continuous attempt is actually still running

    i haven't found it necessary at this point to post any other log information


    unfortunately, I would also have to warn cautiousness against overdoing blatant continuous brute forces... I am interested in seeing what they can do, but something to keep in mind.. if the Tech College system office detects overwhelming activity, the open box party I'm trying out will probably be halted by them
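Added example, not part of converge's post and not the server's actual logging: one way to count "attempts" as defined above, that is, malformed header lines grouped per source IP with the start time and whether the run is still going. The tab-separated log format, the sample lines, the five-minute window and the function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Assumed format: time<TAB>client IP<TAB>raw header line.
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2002-03-01T21:14:02\t192.0.2.10\tGET /index.html HTTP/1.0
2002-03-01T21:14:02\t192.0.2.10\tHost: www.example.test
2002-03-01T21:15:40\t198.51.100.7\tGET /%%%% HTTP/9.9
2002-03-01T21:15:41\t198.51.100.7\tUser Agent no-colon
2002-03-01T21:20:05\t203.0.113.5\tBad Name: x
2002-03-01T21:58:30\t198.51.100.7\t: empty-name
2002-03-01T21:59:10\t198.51.100.7\tFOO
"""

# A well-formed line is either a request line or "field-name: value".
REQUEST_LINE = re.compile(r"^[A-Z]+ \S+ HTTP/1\.[01]$")
HEADER_LINE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+:[ \t]*[\x20-\x7e\t]*$")
MAX_LINE = 8192  # assumed limit; longer lines count as malformed too


def is_malformed(line):
    if len(line) > MAX_LINE:
        return True
    return not (REQUEST_LINE.match(line) or HEADER_LINE.match(line))


def summarise(log_text, window=timedelta(minutes=5)):
    """Per IP: attempt count, first attempt time, and whether it is ongoing."""
    per_ip = defaultdict(list)
    log_end = None
    for raw in log_text.splitlines():
        parts = raw.split("\t", 2)
        if len(parts) != 3:
            continue  # not a log record
        when = datetime.fromisoformat(parts[0])
        log_end = when if log_end is None else max(log_end, when)
        if is_malformed(parts[2]):
            per_ip[parts[1]].append(when)
    return {
        ip: {"attempts": len(times), "first_seen": min(times),
             # ongoing = last malformed line falls within `window` of the log's end
             "ongoing": log_end - max(times) <= window}
        for ip, times in per_ip.items()
    }


if __name__ == "__main__":
    for ip, row in sorted(summarise(SAMPLE_LOG).items()):
        print(ip, row["attempts"], row["first_seen"].isoformat(), row["ongoing"])
```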



  • simon
    replied
    What is considered an "attempt" in those logs?



  • converge
    replied
    hehehe oh, boy... i was hoping to not have to bother my supervisor with this (a little more conservative than I in these respects), but I guess I can let him know if you feel inclined to call (wouldn't want him to worry)

    actually, if you call the administrative contact, you'll get people that work for a local ISP that will have no clue of anything that we do. the correct administrative contact is either Bob Boucher at 207-755-5241, or us in the IT Services department, 207-755-5336. this is shown in our cmtc2.net registration to one of our test servers .154. our fax has actually changed since we got our own, it is 207-755-5497.

    do not attempt anything on the 208 subnet, these servers are out of my hands. with a little more research you'll find that we also own the class c 63. range, although no domain names are currently registered with it. we use the 63 range for a variety of things, one of which is addressing for test servers, such as the one that i am testing the security of.

    out of work for the night, but you can contact me at sraymond@cmtc.net.


    btw... nice to see some attempts upon checking one of the log files i found the following for your enjoyment

    http://63.82.76.100/posted_attempts.html



  • simon
    replied
    Another thing

    That is not the official web server for the Central Maine Technical College.

    Here is the whois for cmtc.net

    > nslookup cmtc.net
    Server: someserver
    Address: 0.0.0.0

    Name: cmtc.net
    Address: 208.209.191.51


    Also a hint... if you get stuck use www.netcraft.com to help gather clues.

    Also before anyone actually does anything I would suggest doing a whois on cmtc.net, calling the technical contact, and asking them if they have any knowledge of this and if it is actually OK.

    simon



  • simon
    replied
    Here is a simple trick for anyone who doesn't know...

    If an HTTP port is open, generally you can telnet to server.com:80 and either dump some random text or a GET / request.

    At the beginning of the data you get back should be some useful information...

    Have fun,
    simon



  • converge
    replied
    And the games are on...

    the server's IP address is http://63.82.76.100

    again, if you get in, there must be no destructive work to the configuration or data. this is a live server. this is an exercise in getting there, not how much someone can change stuff.

    i would suggest posting findings about the hack as progress is made (sort of like a dc team effort). this will help newbs to see a basic process, and everyone along the line to learn a little bit more about securing the boxes that they have or are stuck with...



  • nulltone
    replied
    Oh yea. One more thing. When you post the IP and config, don't forget to post your root password. Thanks. = p



  • gimpsta
    replied
    hack off

    hahah first thing, love the sig i wish i had thought of it.

    second, when and if you post the addy, you should give them some detail. explain our network configuration, server configuration, os, fixes, etc etc. i'm sure you already planned on that, but you might as well give them the best opportunity to make a successful crack.

    just my 2 cents.



  • converge
    started a topic Hack my server

    Hack my server

    yes... you. I am willing to test the measures I have taken on my server to prevent intrusion. As a rather newb security geek, I would like to challenge dc.org members to hack the site. This is a real server, so I must request several guidelines be adhered to.

    * Do not attempt to DoS or nuke the server, network, or any routers/switches on the network. The network is not within my scope of responsibility and such attempts are highly unwarranted; I also seek more useful information

    * Do not attempt to break other servers or computers on the network near the server. The server, and this server alone, is mine to administer. Intrusion into other computers could cause an unwanted incident

    * If successful, please refrain from damaging any data or configuration. However, please make it known in some way that you did get into the server. Also, please post full detail of your findings on the dc board for the enjoyment and learning value to other dc members. This is meant to help me (and others) along.

    Upon confirmation of interest, and a final backup of my configuration and data, I will post the address of my server for the challenge to begin.