Home page logo

pen-test logo Penetration Testing mailing list archives

Re: VmWare and Pen-test Learning
From: Chris Gates <chris () learnsecurityonline com>
Date: Mon, 07 Aug 2006 20:10:02 -0600

You should probably start with something a little easier and something that
has lots of write-ups to explain what the code is doing and what the bug
actually is.

Things like most of the IIS5 hacks like .printer, unicode and double decode
hacks come to mind.  There are some old *nix ones too but it seems like you
are starting out with windows.

The hacking exposed books are not a bad place to start either in my opinion.



Chris Gates, CISSP
C|EH, CPTS, MCP 2003, A+, Network+, Security+

Email:      chris () learnsecurityonline com
Web:        https://www.learnsecurityonline.com

Learn Security Online, Inc.

* Security Games        * Simulators
* Challenge Servers     * Courses
* Hacking Competitions  * Hacklab Access

On 8/7/06 4:06 AM, "IRM" <irm () iinet net au> wrote:

Dear all,

Thanks for all the response, I believe that being a script kiddies also
requires a lot of effort especially in researching the exploit and
tested them on the machine.

Today, I looked at the couples of vulnerabilities and most of them I
couldn't manage to get it works. The most of stressful part is that I
have no idea how to debug, since I am not a low level programmer. I am
not really sure too whether you guys are also approaching the same path
as mine, but here is my approach looks like on one of the
vulnerabilities that I tested today.

Microsoft IIS ASP Remote Code Execution Vulnerability


1) Download the code
2) Look at the code does, because I compiled the code in UNIX machine (
it won't compile with current code, I guess I need to uncomment #include
<window.h>, I have checked the code as well and I believe there is no
need to include <window.h> since all of the functions are purely

3) Look at the shell code and check what it does
4) Run the code and resultant of the code should given exploit2000.asp
5) Put the exploit2000.asp on the victim machine, I tested on both Win2k
and Win2003 machine with no SP
6) Go to the site i.e. exploit2000.asp

I expect that when I access the site, I should see Calculator on the
victim but it didn't appear. I am not sure whether my approach is wrong
, but most of the cases I do not where to start to debug it since I do
not about low level language i.e assembly.

Any idea?

-----Original Message-----
From: Erin Carroll [mailto:amoeba () amoebazone com]
Sent: Monday, August 07, 2006 5:41 PM
To: 'Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]'
Cc: 'IRM'; pen-test () securityfocus com
Subject: RE: VmWare and Pen-test Learning

Thanks for the detailed response Susan. Some comments inline below

If you can't nail an RTM Windows 2000 in say... oh... what..
5 minutes or less?  I'd be surprised.  I'm not sure that's
testing those pool shots (and what is it with security and
people who play pool?) and exercising anything when that's
sooooo vulnerable it's not funny.  You don't even have to do
anything.. just build it and stick it on the internet.  What
kind of pool shot is that?

While I agree that the degree of difficulty to compromise an RTM w2k
is practically nil, I don't see practicing on it as completely useless,
especially for beginners. I think it all depends on how you practice.
reason even great pool players practice simple shots is to hone their
to amazing levels of understanding and intuition. A straight-in shot to
corner pocket is easy. A straight-in shot to a corner pocket where your
ball consistently ends up at the same exact spot every time isn't as
easy. A
straight-in shot where you vary draw, follow, or english (uh, places
you hit the ball that will affect how it rolls for you non-pool players)
*still* getting the cue to stop at that same exact spot... That's real
mastery of skill. Solid repeatable results 99.9% of the time regardless
the variables.

I view pen-testing practice much the same way. Repeat over and over
it's second nature to you... And then change something and try to get
exact same results.

John could easily compromise an RTM w2k image with an IIS 5.0 exploit.
But I
don't think owning the box should be the only point of practice if he
to expand his knowledge and get better. Take a simple known exploit. Use
Use it many times until you are thoroughly comfortable with it. Now take
deeper look. How exactly does the exploit work? Buffer overflow? What is
diff between the patched version and the unpatched? What does the
look like on the wire? How exactly does the target change or react when
exploit hits? How would I hide any telltale signs?
Now try mixing things up a little. If there was an IPS in the way how
you fragment the packets to still get that exploit through? What is the
minimum level of fragmentation that would still work and what is the
difference in the amount of time it takes? Heck, what about different
of IPS? If you modify the exploit payload how does the target box react?
you modify it enough so that the standard signatures on the IPS don't
trigger? How many different variables can you work through and *still*
your objective? Solid repeatable results 99.9% of the time regardless of
variables should be the goal.

This kind of practice isn't going to make RTM w2k IIS any less
solve some great unknown, or cause women to swoon. But I can almost
guarantee that it will give him a more thorough understanding and
of how and why it works. The research, testing and understanding needed
tackle just the suggestions above for a beginner will greatly enhance
skills. Building on a foundation of knowledge and then adding layer upon
layer isn't a waste of time IMHO.

Go to the metasploit site and see if some of the oldies but
goodies are there.  Any of the IIS5 stuff will work....

I have the feeling that HD Moore uses a lot of the same tactics I
above for practice when looking for new holes and exploits. Poking and
prodding and seeing what happens when things are changed around. Of
he may be too hung over after Defcon and Blackhat to reply right now :)

Erin Carroll
SecurityFocus pen-test list
"Do Not Taunt Happy-Fun Ball" 

This List Sponsored by: Cenzic

Concerned about Web Application Security? 
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's 
Choice Award from eWeek. As attacks through web applications continue to rise, 
you need to proactively protect your applications from hackers. Cenzic has the 
most comprehensive solutions to meet your application security penetration 
testing and vulnerability management needs. You have an option to go with a 
managed service (Cenzic ClickToSecure) or an enterprise software 
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can 
help you: http://www.cenzic.com/news_events/wpappsec.php 
And, now for a limited time we can do a FREE audit for you to confirm your 
results from other product. Contact us at request () cenzic com for details.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]