Penetration Testing
mailing list archives
Re: VmWare and Pen-test Learning
From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa () pacbell net>
Date: Sun, 06 Aug 2006 22:10:47 -0700
I'm not sure though that "RTM" is a valid test... especially for Windows
2000 for several reasons.
1. Windows 2000 RTM is sooooo not supported that it's not funny... for
a firm to still be running Windows 2000 rtm in a setting that would
provide the means for remote exploitation...well they deserve to be
hacked. Windows 2000 sp4 is the supported OS.
2. Windows 2000 rtm'd in Feb of 2000 ...while you cite the Unicode
exploit of IIS 4.0... IIS 5.0 was known on the map for Code Red/Nimda...
http://www.caida.org/analysis/security/code-red/ In its day you could
build a box and get nailed while installing the OS. As you tried to
bring it online to patch it... it would get nailed in the process.
3. A default installed Windows 2000 was in the era of "Hey, let's get
Mickey to try it!" and everything was running on that system ... IIS 5.0
was default installed on that Windows 2000 .. thus if you have a Windows
2000 RTM box sitting there with no firewall... well let me put it this
way...there was a time in the newsgroups in the 2k era that we'd tell
folks who came in with IIS non functional... "what rock did you crawl
out from under"?
http://www.microsoft.com/technet/security/bulletin/MS01-033.mspx
*I'm running Windows 2000 Server. Am I vulnerable?*
Default installations of Windows 2000 Server *are* vulnerable. IIS 5.0
installs by default as part of Windows 2000 server products, and Idq.dll
is installed as part of the IIS 5.0 installation process.
If you can't nail an RTM Windows 2000 in say... oh... what.. 5 minutes
or less? I'd be surprised. I'm not sure that's testing those pool
shots (and what is it with security and people who play pool?) and
exercising anything when that's sooooo vulnerable it's not funny. You
don't even have to do anything.. just build it and stick it on the
internet. What kind of pool shot is that?
Even Windows 2003... RTM means pre-Blaster, and no firewall to
protect that live NIC as it comes up on the Internet.
RTM of Windows 2003 was April of 2003
Blaster came out in August http://www.sbslinks.com/timeline.htm
RTM of Windows 2003 doesn't have a firewall enabled on boot and is
vulnerable to blaster. Stick that Windows 2k3 live on the web without a
firewall. See how long it lasts before getting nailed. Let us know.
I think SANS had a machine last like 30 minutes before being owned...
http://www.incidents.org/survivalhistory.php?isc=08a65cd9f99ef350d7fa82dbce2c6fc4
For the rest read this:
http://www.sans.org/top20/
....but remember... RTM is not only not secure...but may not be
supported.. Win2k sp4 is the supported version of Windows 2000. ...
Win2k3 rtm (if my memory of life span is working) will go out when
Win2k3 sp2 is released ...given that they are talking beta of sp2 not
sure when that will occur.
http://support.microsoft.com/gp/lifesupsps#Servers
I would hope that if firms needed OS's like NT and prior versions of 2k
they'd be protecting those and isolating those as they are insecure and
are a risk to the rest of us as well.
Go to the metasploit site and see if some of the oldies but goodies are
there. Any of the IIS5 stuff will work....
http://www.metasploit.com/projects/Framework/exploits.html
Erin Carroll wrote:
Welcome to the pen-test world John.
Now, before everyone freaks out about why I let an essentially basic newbie
question onto the list, here's why and what kind of responses I was hoping for:
I like to play pool. But in order to get better I do lots of drills of
simple shots over and over. Some people prefer to practice in other ways. In
a similar vein, what types of exercises should John do to increase his
skills and expand his knowledge? I know how I practice my pen-test skills to
stay sharp but hearing some other methods people use might give me some
ideas or other ways to tackle things.
So, he's got Vmware and a couple of images to play with. What kinds of
drills should he work on?
--
Erin Carroll
Moderator
SecurityFocus pen-test list
"Do Not Taunt Happy-Fun Ball"
-----Original Message-----
From: IRM [mailto:irm () iinet net au]
Sent: Sunday, August 06, 2006 1:58 AM
To: pen-test () securityfocus com
Subject: VmWare and Pen-test Learning
Hi all,
I would like to learn about Penetration testing or maybe
Vulnerability Assessment (?) or whatever it is called. I have
set up a few machines on VMWare - Windows 2000 Server,
Windows 2003 Server and Solaris 9.0. These machines are
unpatched with no updates or service pack.
Basically, what I would like to achieve in this task is to
demonstrate that these machines are not secured. Thus, by using
well-known exploits that are available in the public space,
people can easily exploit the system and gain administrator
privilege either by a local exploit or a remote exploit.
Now, the question is, where to start? Can people suggest
where I should start?
Should I start by using Nessus to identify all the
vulnerabilities that are applicable to these machines, and
then do some research on securityfocus.com, i.e. to find
the exploits?
Or maybe, if there is a list of vulnerabilities for each of
the operating systems, I think that would be great! Because I
know that the Unicode exploit on IIS 4.0 was quite famous at the
time. Is there a similar thing on Windows 2003? Is there a list
available, like a top 10 exploits or something?
Cheers,
John
--------------------------------------------------------------
----------------
This List Sponsored by: Cenzic
Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win
the Analyst's Choice Award from eWeek. As attacks through web
applications continue to rise, you need to proactively
protect your applications from hackers. Cenzic has the most
comprehensive solutions to meet your application security
penetration testing and vulnerability management needs. You
have an option to go with a managed service (Cenzic
ClickToSecure) or an enterprise software (Cenzic Hailstorm).
Download FREE whitepaper on how a managed service can help
you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to
confirm your results from other product. Contact us at
request () cenzic com for details.
--------------------------------------------------------------
----------------