Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: VmWare and Pen-test Learning
From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa () pacbell net>
Date: Sun, 06 Aug 2006 22:10:47 -0700

I'm not sure though that "RTM" is a valid test... especially for Windows 2000 for several reasons.

1. Windows 2000 RTM is sooooo not supported that it's not funny... for a firm to still be running Windows 2000 rtm in a setting that would provide the means for remote exploitation...well they deserve to be hacked. Windows 2000 sp4 is the supported OS. 2. Windows 2000 rtm'd in Feb of 2000 ...while you site the unicode exploit of IIS 4.0... IIS 5.0 was known on the map for Code Red/Nimda... http://www.caida.org/analysis/security/code-red/ In it's day you could build a box and get nailed while installing the OS. As you tried to bring it online to patch it... it would get nailed in the process. 3. A default installed Windows 2000 was in the era of "Hey, let's get Mickey to try it!" and everything was running on that system ... IIS 5.0 was default installed on that Windows 2000 .. thus if you have a Windows 2000 RTM box sitting there with no firewall... well let me put it this way...there was a time in the newsgroups in the 2k era that we'd tell folks who came in with IIS non functional... "what rock did you crawl out from under"?

http://www.microsoft.com/technet/security/bulletin/MS01-033.mspx

*I'm running Windows 2000 Server. Am I vulnerable?* Default installations of Windows 2000 Server *are* vulnerable. IIS 5.0 installs by default as part of Windows 2000 server products, and Idq.dll is installed as part of the IIS 5.0 installation process.

If you can't nail an RTM Windows 2000 in say... oh... what.. 5 minutes or less? I'd be surprised. I'm not sure that's testing those pool shots (and what is it with security and people who play pool?) and exercising anything when that's sooooo vulnerable it's not funny. You don't even have to do anything.. just build it and stick it on the internet. What kind of pool shot is that?

Even Windows 2003... RTM means that pre blaster and no firewall to protect that live nic as it comes up on the internet.

RTM of Windows 2003 was April of 2003

Blaster came out in August http://www.sbslinks.com/timeline.htm

RTM of Windows 2003 doesn't have a firewall enabled on boot and is vulnerable to blaster. Stick that Windows 2k3 live on the web without a firewall. See how long it lasts before getting nailed. Let us know.

I think SANS had a machine last like 30 minutes before being owned...
http://www.incidents.org/survivalhistory.php?isc=08a65cd9f99ef350d7fa82dbce2c6fc4

For the rest read this:
http://www.sans.org/top20/

....but remember... RTM is not only not secure...but may not be supported.. Win2k sp4 is the supported version of Windows 2000. ... Win2k3 rtm (if my memory of life span is working) will go out when Win2k3 sp2 is released ...given that they are talking beta of sp2 not sure when that will occur.
http://support.microsoft.com/gp/lifesupsps#Servers

I would hope that if firms needed OS's like NT and prior versions of 2k they'd be protecting those and isolating those as they are insecure and are a risk to the rest of us as well.

Go to the metasploit site and see if some of the oldies but goodies are there. Any of the IIS5 stuff will work....
http://www.metasploit.com/projects/Framework/exploits.html




Erin Carroll wrote:
Welcome to the pen-test world John.
Now before everyone freaks out about why I let essentially a basic newbie
question on the list here's why and what kind of responses I was hoping for:
I like to play pool. But in order to get better I do lots of drills of
simple shots over and over. Some people prefer to practice in other ways. In
a similar vein, what types of exercises should John do to increase his
skills and expand his knowledge? I know how I practice my pen-test skills to
stay sharp but hearing some other methods people use might give me some
ideas or other ways to tackle things.

So, he's got Vmware and a couple of images to play with. What kinds of
drills should he work on?

--
Erin Carroll
Moderator
SecurityFocus pen-test list
"Do Not Taunt Happy-Fun Ball"
-----Original Message-----
From: IRM [mailto:irm () iinet net au] Sent: Sunday, August 06, 2006 1:58 AM
To: pen-test () securityfocus com
Subject: VmWare and Pen-test Learning

Hi all,

I would like to learn about Penetration testing or maybe Vulnerability Assessment (?) or whatever it is called. I have set up a few machines on VMWare - Windows 2000 Server, Windows 2003 Server and Solaris 9.0. These machines are unpatched with no updates or service pack. Basically what I would like to achieve in this task is to demonstrate that these machine are not secured. Thus by using a well-known exploit that are available in the public space , people can easily exploit the system and gain administrator privilege either by Local exploit or Remote Exploit.

Now, the question is that, where to start? Can people suggest me where should I start? Should I start using Nessus and identify all the vulnerabilities that are applicable on these machines? And start to do some research on securityfocus.com i.e. to find the exploit?

Or maybe if there is a list of vulnerabilities for each of the operating system, I think that would be great! Because I know that Unicode Exploit on IIS 4.0 is quite famous at that time. Is there similar thing on Windows 2003? Is there a list available like TOP 10 Exploit or something?

Cheers,
John




--------------------------------------------------------------
----------------
This List Sponsored by: Cenzic

Concerned about Web Application Security? Why not go with the #1 solution - Cenzic, the only one to win the Analyst's Choice Award from eWeek. As attacks through web applications continue to rise, you need to proactively protect your applications from hackers. Cenzic has the most comprehensive solutions to meet your application security penetration testing and vulnerability management needs. You have an option to go with a managed service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can help you: http://www.cenzic.com/news_events/wpappsec.php And, now for a limited time we can do a FREE audit for you to confirm your results from other product. Contact us at request () cenzic com for details.
--------------------------------------------------------------
----------------


--
No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.1.394 / Virus Database: 268.10.7/410 - Release Date: 8/5/2006


------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security? Why not go with the #1 solution - Cenzic, the only one to win the Analyst's Choice Award from eWeek. As attacks through web applications continue to rise, you need to proactively protect your applications from hackers. Cenzic has the most comprehensive solutions to meet your application security penetration testing and vulnerability management needs. You have an option to go with a managed service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can help you: http://www.cenzic.com/news_events/wpappsec.php And, now for a limited time we can do a FREE audit for you to confirm your results from other product. Contact us at request () cenzic com for details.
------------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]