Re: VmWare and Pen-test Learning

From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (sbradcpa@pacbell.net)
Date: Mon Aug 07 2006 - 01:10:47 EDT


I'm not sure though that "RTM" is a valid test... especially for Windows
2000 for several reasons.

1. Windows 2000 RTM is sooooo not supported that it's not funny... for
a firm to still be running Windows 2000 rtm in a setting that would
provide the means for remote exploitation...well they deserve to be
hacked. Windows 2000 sp4 is the supported OS.
2. Windows 2000 rtm'd in Feb of 2000 ...while you cite the unicode
exploit of IIS 4.0... IIS 5.0 was known on the map for Code Red/Nimda...
http://www.caida.org/analysis/security/code-red/ In its day you could
build a box and get nailed while installing the OS. As you tried to
bring it online to patch it... it would get nailed in the process.
3. A default installed Windows 2000 was in the era of "Hey, let's get
Mickey to try it!" and everything was running on that system ... IIS 5.0
was default installed on that Windows 2000 .. thus if you have a Windows
2000 RTM box sitting there with no firewall... well let me put it this
way...there was a time in the newsgroups in the 2k era that we'd tell
folks who came in with IIS non functional... "what rock did you crawl
out from under"?

http://www.microsoft.com/technet/security/bulletin/MS01-033.mspx

*I'm running Windows 2000 Server. Am I vulnerable?*
Default installations of Windows 2000 Server *are* vulnerable. IIS 5.0
installs by default as part of Windows 2000 server products, and Idq.dll
is installed as part of the IIS 5.0 installation process.

If you can't nail an RTM Windows 2000 in say... oh... what.. 5 minutes
or less? I'd be surprised. I'm not sure that's testing those pool
shots (and what is it with security and people who play pool?) and
exercising anything when that's sooooo vulnerable it's not funny. You
don't even have to do anything.. just build it and stick it on the
internet. What kind of pool shot is that?

Even Windows 2003... RTM means that it's pre-Blaster and there's no firewall to
protect that live NIC as it comes up on the internet.

RTM of Windows 2003 was April of 2003

Blaster came out in August http://www.sbslinks.com/timeline.htm

RTM of Windows 2003 doesn't have a firewall enabled on boot and is
vulnerable to blaster. Stick that Windows 2k3 live on the web without a
firewall. See how long it lasts before getting nailed. Let us know.

I think SANS had a machine last like 30 minutes before being owned...
http://www.incidents.org/survivalhistory.php?isc=08a65cd9f99ef350d7fa82dbce2c6fc4

For the rest read this:
http://www.sans.org/top20/

....but remember... RTM is not only not secure...but may not be
supported.. Win2k sp4 is the supported version of Windows 2000. ...
Win2k3 rtm (if my memory of life span is working) will go out when
Win2k3 sp2 is released ...given that they are talking beta of sp2 not
sure when that will occur.
http://support.microsoft.com/gp/lifesupsps#Servers

I would hope that if firms needed OS's like NT and prior versions of 2k
they'd be protecting those and isolating those as they are insecure and
are a risk to the rest of us as well.

Go to the metasploit site and see if some of the oldies but goodies are
there. Any of the IIS5 stuff will work....
http://www.metasploit.com/projects/Framework/exploits.html

Erin Carroll wrote:
> Welcome to the pen-test world John.
>
> Now before everyone freaks out about why I let essentially a basic newbie
> question on the list here's why and what kind of responses I was hoping for:
> I like to play pool. But in order to get better I do lots of drills of
> simple shots over and over. Some people prefer to practice in other ways. In
> a similar vein, what types of exercises should John do to increase his
> skills and expand his knowledge? I know how I practice my pen-test skills to
> stay sharp but hearing some other methods people use might give me some
> ideas or other ways to tackle things.
>
> So, he's got Vmware and a couple of images to play with. What kinds of
> drills should he work on?
>
> --
> Erin Carroll
> Moderator
> SecurityFocus pen-test list
> "Do Not Taunt Happy-Fun Ball"
>
>
>> -----Original Message-----
>> From: IRM [mailto:irm@iinet.net.au]
>> Sent: Sunday, August 06, 2006 1:58 AM
>> To: pen-test@securityfocus.com
>> Subject: VmWare and Pen-test Learning
>>
>> Hi all,
>>
>> I would like to learn about Penetration testing or maybe
>> Vulnerability Assessment (?) or whatever it is called. I have
>> set up a few machines on VMWare - Windows 2000 Server,
>> Windows 2003 Server and Solaris 9.0. These machines are
>> unpatched with no updates or service pack.
>>
>> Basically what I would like to achieve in this task is to
>> demonstrate that these machines are not secured. Thus, by using
>> well-known exploits that are available in the public space,
>> people can easily exploit the system and gain administrator
>> privilege either by local exploit or remote exploit.
>>
>> Now, the question is, where to start? Can people suggest
>> where I should start?
>>
>> Should I start using Nessus and identify all the
>> vulnerabilities that are applicable on these machines? And
>> start to do some research on securityfocus.com i.e. to find
>> the exploit?
>>
>> Or maybe if there is a list of vulnerabilities for each of
>> the operating systems, I think that would be great! Because I
>> know that the Unicode Exploit on IIS 4.0 was quite famous at that
>> time. Is there a similar thing on Windows 2003? Is there a list
>> available like TOP 10 Exploits or something?
>>
>> Cheers,
>> John
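The thread's practical point is that unpatched RTM images must never see a bridged or routed network. As an added example that is not part of the original post, here is a small Python check that parses a VMware .vmx file and flags any present virtual NIC that is not host-only; the sample .vmx fragment is constructed, and the assumption that an absent `connectionType` means bridged is labelled in the code.

```python
import re

# Constructed sample .vmx fragment (not from the original post): one lab VM
# with two present NICs, one bridged to the physical LAN and one host-only,
# plus a third NIC that is configured but not present.
SAMPLE_VMX = '''\
.encoding = "UTF-8"
displayName = "win2k-rtm-lab"
guestOS = "win2000serv"
ethernet0.present = "TRUE"
ethernet0.connectionType = "bridged"
ethernet1.present = "TRUE"
ethernet1.connectionType = "hostonly"
ethernet2.present = "FALSE"
ethernet2.connectionType = "nat"
'''

# Connection types that keep the guest off the real network. Anything else
# (bridged, nat, or a custom vmnet that may be routed) is treated as exposed.
ISOLATED_TYPES = {"hostonly"}


def parse_vmx(text):
    """Parse the key = "value" lines of a .vmx file into a dict."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r'\s*([\w.:]+)\s*=\s*"(.*)"\s*$', line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def exposed_nics(conf):
    """Return (nic, connectionType) for every present NIC that is not isolated."""
    exposed = []
    for key, val in conf.items():
        m = re.fullmatch(r'(ethernet\d+)\.present', key)
        if not m or val.upper() != "TRUE":
            continue
        nic = m.group(1)
        # Assumption: a NIC with no connectionType is treated as bridged (VMware's default).
        ctype = conf.get(nic + ".connectionType", "bridged").lower()
        if ctype not in ISOLATED_TYPES:
            exposed.append((nic, ctype))
    return sorted(exposed)


if __name__ == "__main__":
    for nic, ctype in exposed_nics(parse_vmx(SAMPLE_VMX)):
        print(f"{nic}: {ctype} - unpatched guest would be reachable from the LAN")
```

Run it against each lab image's .vmx before powering the guest on; an empty result means every present NIC is host-only.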

------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request@cenzic.com for details.
------------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:35 EDT