Question on Hacker's Challenge


Penguin
February 2nd, 2003, 09:58 PM
Qs on Solution 12:

Regarding the SOHO router: the book states that it is a device. How is it installed? If it is a device, then the company has to spend money on this device for all VPN users? Isn't it a waste of funds?

According to Solution 12, Answer Section No. 4, a skilled attacker will normally close the hole... If the attacker were to close the hole, is he/she going to re-hack the system, or access the system through the 'justme' account which he/she created? But the 'justme' account must be an administrative account; if not, how is he/she going to take over the system? Or justme may just be a normal user account, as he/she had already reset the SOHO router password; as long as he/she can gain access to the computer, he/she will have no problem accessing the router to modify the NAT?

Qs on Solution 15:

What is a DoS attack? How will it affect the server?

Is it that the web server will keep on responding to the source at UDP 7, and that causes the processing of the incoming traffic?
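
To make the UDP port 7 question concrete, here is an added simulation (not from the thread or from the book) of what the echo service does with a spoofed datagram. UDP port 7 is the echo service: whatever arrives is sent straight back to the claimed source. The hosts, addresses, packet budget and the `UdpHost` model are constructed for illustration, and the simulation models only echo behaviour, not the specific scenario of Solution 15.

```python
from collections import deque

ECHO_PORT = 7  # UDP echo: whatever arrives on port 7 is sent straight back to the claimed source

# A datagram is modelled as a tuple: (src_ip, src_port, dst_ip, dst_port, payload)


class UdpHost:
    """Hypothetical host model (no real sockets): optionally runs the echo service."""

    def __init__(self, ip, echo_enabled=True, drop_service_source_ports=False):
        self.ip = ip
        self.echo_enabled = echo_enabled
        # Mitigation modelled: refuse to echo when the claimed source port is itself
        # the echo port, so a datagram cannot ping-pong between two echo servers.
        self.drop_service_source_ports = drop_service_source_ports
        self.datagrams_handled = 0

    def receive(self, dgram):
        src_ip, src_port, _dst_ip, dst_port, payload = dgram
        self.datagrams_handled += 1
        if dst_port != ECHO_PORT or not self.echo_enabled:
            return None  # closed port: nothing is echoed (a real host would send ICMP unreachable)
        if self.drop_service_source_ports and src_port == ECHO_PORT:
            return None
        return (self.ip, ECHO_PORT, src_ip, src_port, payload)


def run(hosts, first_datagram, budget):
    """Deliver datagrams until nobody replies or `budget` datagrams have crossed the wire.
    Returns the number sent; reaching the budget means the exchange never terminated."""
    by_ip = {h.ip: h for h in hosts}
    queue = deque([first_datagram])
    sent = 0
    while queue and sent < budget:
        dgram = queue.popleft()
        sent += 1
        target = by_ip.get(dgram[2])
        reply = target.receive(dgram) if target else None
        if reply is not None:
            queue.append(reply)
    return sent


def legitimate_echo(budget=1000):
    """A normal client (ephemeral source port) gets exactly one reply: 2 datagrams in total."""
    server = UdpHost("192.0.2.10")
    return run([server], ("198.51.100.5", 40000, "192.0.2.10", ECHO_PORT, b"ping"), budget)


def spoofed_echo_loop(budget=1000):
    """The attacker forges ONE datagram that claims to come from another echo server's port 7.
    The two servers bounce it back and forth forever: one packet in, unbounded traffic out."""
    web = UdpHost("192.0.2.10")
    other = UdpHost("192.0.2.20")
    forged = ("192.0.2.20", ECHO_PORT, "192.0.2.10", ECHO_PORT, b"x" * 1400)
    return run([web, other], forged, budget)


def echo_disabled(budget=1000):
    """Same forged datagram, but the web server does not run echo: it stops at one packet."""
    web = UdpHost("192.0.2.10", echo_enabled=False)
    other = UdpHost("192.0.2.20")
    return run([web, other], ("192.0.2.20", ECHO_PORT, "192.0.2.10", ECHO_PORT, b"x"), budget)


def echo_filtered(budget=1000):
    """Echo stays on, but datagrams whose source port is 7 are dropped: also one packet."""
    web = UdpHost("192.0.2.10", drop_service_source_ports=True)
    other = UdpHost("192.0.2.20")
    return run([web, other], ("192.0.2.20", ECHO_PORT, "192.0.2.10", ECHO_PORT, b"x"), budget)


if __name__ == "__main__":
    for name, fn in [("legitimate", legitimate_echo), ("spoofed loop", spoofed_echo_loop),
                     ("echo disabled", echo_disabled), ("source port 7 filtered", echo_filtered)]:
        print(f"{name:24s} datagrams on the wire: {fn(1000)}")
```

The point the simulation makes: the server is not "attacked" by heavy traffic from outside; it is made to generate the traffic itself, because echo answers any datagram and never checks whether the claimed source is another echo server. Either turning the simple TCP/IP services off or filtering datagrams with a source port of 7 breaks the loop.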

Noia
February 2nd, 2003, 11:33 PM
DoS, Denial of Service: a flood of information, often used to silence or disconnect a machine from another one so that IP spoofing is possible... then again, it's just a flood.

- Noia

Penguin
February 3rd, 2003, 03:51 AM
So what does it have to do with port 7?
What is going on when a server is being flooded?
Can someone explain...

phishphreek
February 3rd, 2003, 04:05 AM
When a port is flooded, it is taking on more info than it can hold/process, resulting in legitimate users/traffic not being able to access the service.

This is taken from the ever-helpful www.whatis.com
denial of service

The term you searched for is being presented by searchSecurity.com, a TechTarget site for Security professionals.

On the Internet, a denial of service (DoS) attack is an incident in which a user or organization is deprived of the services of a resource they would normally expect to have. Typically, the loss of service is the inability of a particular network service, such as e-mail, to be available or the temporary loss of all network connectivity and services. In the worst cases, for example, a Web site accessed by millions of people can occasionally be forced to temporarily cease operation. A denial of service attack can also destroy programming and files in a computer system. Although usually intentional and malicious, a denial of service attack can sometimes happen accidentally. A denial of service attack is a type of security breach to a computer system that does not usually result in the theft of information or other security loss. However, these attacks can cost the target person or company a great deal of time and money.

This goes on to include more examples of DoS attacks. Read the rest here. (http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci213591,00.html)

ammo
February 3rd, 2003, 04:38 AM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=#post) by Penguin
Qs on Solution 12:

Regarding the SOHO router: the book states that it is a device. How is it installed? If it is a device, then the company has to spend money on this device for all VPN users? Isn't it a waste of funds?


(It's been quite a while since I've read HC; I might not remember everything correctly.)

A SOHO router is indeed a hardware device. It's one of those "routers" you'll find at any computer shop, like the popular Linksys or D-Link ones...

As far as being a waste of funds, it could seem so, but it really isn't (well, it shouldn't be if configured right...). You see, when your employees are connecting through a VPN, you are in fact expanding the perimeter of your corporate network to your employees' PCs. Your new security boundary should consequently be expanded to your employees' PCs. In other words, if your employees' PCs get compromised, and they have VPN access to your main network, it's just as if they had actually broken into your main network; they have equivalent access. This is why it is worth it to provide your VPN users with router/firewalls. Unfortunately, in this case those were incorrectly configured, which was just as bad as having no firewall.



According to Solution 12, Answer Section No. 4, a skilled attacker will normally close the hole... If the attacker were to close the hole, is he/she going to re-hack the system, or access the system through the 'justme' account which he/she created? But the 'justme' account must be an administrative account; if not, how is he/she going to take over the system? Or justme may just be a normal user account, as he/she had already reset the SOHO router password; as long as he/she can gain access to the computer, he/she will have no problem accessing the router to modify the NAT?


If I remember correctly, the router device was actually the one setting up the VPN connection. As such, the attacker, having gained access to the router, only needed the account/password for the router device, which he then used to modify the NAT/redirection rules on the router so that connections coming from him to the router would be forwarded over the VPN tunnel into the corporate network.


Ammo

Penguin
February 4th, 2003, 04:27 PM
So how could the intruder get to the router and not the PC first? Is it that the router is in front of the PC... so the first contact is the router, then the PC... therefore the intruder cracks the router first, then changes the NAT?

ammo
February 5th, 2003, 03:29 AM
Precisely. The router sits in front of the PC.
A quick schema would be:

Employee's PC ----- Router ----{VPN link}-------- Corporate VPN concentrator/firewall -------- corporate network.

Ammo

Penguin
February 8th, 2003, 05:18 PM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=#post) by ammo
Precisely. The router sits in front of the PC.
A quick schema would be:

Employee's PC ----- Router ----{VPN link}-------- Corporate VPN concentrator/firewall -------- corporate network.

Ammo

So am I supposed to say the VPN link is actually the Internet... the intruder attacks the router so that he can go in and change the NAT? Then from there he gains access to the VPN?

gill
August 28th, 2003, 11:27 AM
Well, I was wondering: can anyone give me the solution to Challenge 1, "The French Connection"?

1. What vulnerability did the attacker exploit to compromise the web server?
2. What did the attacker do to try to obfuscate tracking?

Thanks

Tiger Shark
August 28th, 2003, 05:06 PM
Gill: You could try looking on page 198 of the book..... It gives you a detailed description of the two answers - well.... of one of them..... The second "answer" is a tad lame - but technically it was a way to "obfuscate" tracking.

gill
August 29th, 2003, 05:08 PM
Well, if I had the book I wouldn't be posting the questions............. So will you post the answers here ASAP........... Thanks

Tiger Shark
August 29th, 2003, 06:06 PM
ROFL..... OK, I'll be a sucker for it...... If you don't have the book, how on earth are you reading the scenarios???????

[Second Thought]

You know.... I think I get it...... There's a certain urgency in your post, my dear..... That, coupled with the fact that you have the scenario but not the book, leads me to believe that you might be in school and this is an assignment (that's due soon, judging by the urgency in your response).

Now what would you learn if I just told you? That, coupled with the fact that it is a classic exploit that is old, also leads me to believe you have done no work of your own to try to determine what occurred...........

[/Second Thought]

Google (http://www.google.com) is your friend..... Take a look through the log they provide and see what doesn't look normal..... Type it into google and you will be surprised how much info you will get......

As to the second question that I said was "lame", it is..... I'll give you that one 'cos when I did it I couldn't see anything that the attacker really did to obfuscate his trail....... 'cos I really don't call renaming a file by adding a "1" to it "obfuscating"..... :rolleyes:

gill
August 29th, 2003, 06:12 PM
Well, bro......... I'm in uni..... and this scenario is due on Monday........... The fact is that I'm not into networking.......... not my topic...... and I have tried searching on Google...... but couldn't find anything relevant.............. Please can you give me the answer for the first question............

Tiger Shark
August 29th, 2003, 08:30 PM
I don't know why you would be doing a course like this if you aren't into networking, but hey.... I'm not gonna hold you up any longer, even though it would probably be good for you to find it out for yourself - especially since it is a rather easy one...... ;)

The attack was the good ole IIS file request parsing vulnerability, where the c:\winnt\system32 folder was not properly secured, allowing anyone access to it. The attack works because unpatched NT boxes would not properly check the request when \..\ was used to move up a folder in the tree before moving down again, and would produce the requested result even though (technically) the IUSER account should not be able to leave the inetpub folder. The standard attack runs a cmd.exe /c+dir to see if output is given. If it is, then the cmd.exe file is usually copied somewhere more convenient, like the scripts folder under inetpub, and then the fun begins. The second part of the answer is that the attacker obfuscated the audit trail by renaming the cmd.exe file to cmd1.exe, which, as I said, is downright lame because you can quite clearly see the cmd.exe /c+ren+cmd.exe command in the IIS log, so how they figure that it obfuscates the audit trail I really don't know...... and you can tell your prof that too. Anyone worth their salt would not be following an audit trail based on the cmd.exe file when the IP address of the attacker and the commands he carried out from that IP address are there for all to see.

The attack could have been mitigated by patching the box (duh), or by having a properly secured system32 folder that allows only admins into it - unfortunately, default installs of NT allow "everyone" access to the entire drive.

Good luck...... And learn networking if you are into computers at all..... It's fun doing security, and you learn a ton of fun stuff.....
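
The "look through the log for what doesn't look normal" advice above can be turned into a script. What follows is an added example, not code from the thread or from the book, and the log lines in it are constructed to look like an IIS W3C extended log with the traversal and cmd.exe requests described in the post (the attacker and client addresses, timestamps and the exact commands are made up). It decodes each request path the way the unpatched server did, twice and accepting overlong UTF-8 forms of the separators, so that both the plain `..\` and the encoded variants of it collapse to `../../`, and it then groups the suspicious requests by client IP, which is the trail that actually matters.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample in IIS W3C extended log format (illustration only, not the book's log).
# One attacker (203.0.113.7) walks out of /scripts with an encoded ..\ and runs cmd.exe;
# a second client (198.51.100.20) is ordinary traffic.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-01-15 03:12:41 203.0.113.7 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir+c:\ 200
2003-01-15 03:12:58 203.0.113.7 GET /scripts/..%255c../winnt/system32/cmd.exe /c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\cmd.exe 200
2003-01-15 03:13:10 203.0.113.7 GET /scripts/..%255c../winnt/system32/cmd.exe /c+ren+c:\inetpub\scripts\cmd.exe+cmd1.exe 200
2003-01-15 03:13:40 203.0.113.7 GET /scripts/cmd1.exe /c+dir+c:\inetpub\wwwroot 200
2003-01-15 03:14:02 198.51.100.20 GET /index.htm - 200
2003-01-15 03:14:05 198.51.100.20 GET /images/logo.gif - 304
"""

# Overlong UTF-8 forms that the unpatched IIS decoder accepted as path characters.
OVERLONG = {b"\xc0\xaf": b"/", b"\xc1\x9c": b"\\", b"\xc0\xae": b"."}


def parse_iis_log(text):
    """Yield one dict per request line, taking the column names from the #Fields: directive."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Version, #Date)
        if fields is None:
            raise ValueError("request line seen before a #Fields: directive")
        yield dict(zip(fields, line.split(" ", len(fields) - 1)))


def normalize_path(uri_stem):
    """Decode the path the way the vulnerable server did: twice, and with overlong
    sequences accepted, so ..%c0%af.. and ..%255c.. both come out as ../../"""
    data = uri_stem.encode("latin-1", errors="replace")
    for _ in range(2):
        data = unquote_to_bytes(data)
        for bad, good in OVERLONG.items():
            data = data.replace(bad, good)
    return data.decode("latin-1").replace("\\", "/").lower()


def classify(record):
    """Return the reasons a request matches the traversal / cmd.exe pattern (empty if benign)."""
    reasons = []
    path = normalize_path(record.get("cs-uri-stem", ""))
    query = record.get("cs-uri-query", "-")
    if "/../" in path:
        reasons.append("dot-dot traversal in path")
    if "/winnt/system32/" in path:
        reasons.append("request reaches into winnt\\system32")
    if re.search(r"/cmd\d*\.exe$", path):
        reasons.append("command interpreter requested (cmd*.exe)")
    if query.lower().startswith("/c+"):
        reasons.append("shell command in query: " + query.replace("+", " "))
    return reasons


def scan(text):
    """Group flagged requests by client IP, the pivot an analyst actually follows."""
    hits = {}
    for record in parse_iis_log(text):
        reasons = classify(record)
        if reasons:
            hits.setdefault(record["c-ip"], []).append(
                (record["cs-uri-stem"], record.get("cs-uri-query", "-"), reasons))
    return hits


if __name__ == "__main__":
    for ip, requests in scan(SAMPLE_LOG).items():
        print(f"{ip}: {len(requests)} suspicious request(s)")
        for stem, query, reasons in requests:
            print(f"  {stem} {query}\n    - " + "\n    - ".join(reasons))
```

Note that the renamed cmd1.exe is caught by the same rule as cmd.exe, and that the `ren` command itself is recorded in the query column; the rename hides nothing from anyone reading the log by source address rather than by file name, which is the point made above.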

gill
August 30th, 2003, 06:23 AM
Thanks, bro........ Well, I'm into computing......... but our course requires us to do a subject on networking........ but as you know, without any interest you can't learn anything.
Anyway, thanks for the info......