Restrict Anonymous User Access?

So me and my roommates decided to have a small in-house security competition. The rules were simple: break in, create a new directory containing a small .txt file and exit. We also agreed to full disclosure after it was all over. Neither one of us claim to be security experts, it was all fun and games. Anyway, I won the first round :D. I managed to compromise both of my victims security settings and consequently win some free beer. However, wanting revenge, my roommates wanted a rematch. We got one week to improve our defenses before round 2 took place. This time around one of my roommates got wise and managed to fool me :o . He changed some settings in his registry (XP.) The settings he changed makes him completely invisible to the outside world! I tried Nmap, Nessus, LanGuard, nothing! No trace of him existing! How is this possible? Is there any way besides using a scanner to flush him out? I would greatly appreciate if someone could explain this to me (Yes, I've tried to Google for it.) Round 3 is around the corner and it would be nice to reclaim my crown of in-house uber haxor ;) . We're all on XP/nix dual-boot boxes.

Thanks,
Rob

Did he just use a firewall and deny everything that comes at it including ICMP?

Regarding the restrict annonymous access, use the following tweak.

http://www.winguides.com/registry/display.php/97/

That isn't going to make the machine "invisible" though.

You want to really fool him? Use linux and configure iptables to use the mirror function.

Meaning... when he tries to scan you... he will really be scanning himself. ;)
Of course... this can be bad if you are on the net cause people can use your box to DoS someone else. They just have to spoof the source of the scan.... which isn't too difficult.
For more info on that... look @
http://www.antionline.com/showthread...172#post685172
and
http://www.netfilter.org/security/20...22-mirror.html

Depending on your LAN setup, you can also sniff the network for a while and capture his passwords... just so you don't have to do too much pw cracking. Look into ettercap for this. Hell... start killing all his connections whenever he is online. He'll be really confused as to what is going on. Ettercap is also a good way to find all live hosts on the network too. Ping sweeps don't always work, cause you can configure it to not reply to the ping.

There are so many evil things you can do...

I wish I had people around here to do that with.

Quote:

---

Originally posted here by realmatic
We also agreed to full disclosure after it was all over.

---

Why didn't he tell you if that's true. I would force him to tell you. I really don't know how this is done. Maybe he just changed his IP, it sounds like you all were behind the same router, he could have just gotten a different IP after the games began. Of course, it sounds like he told you that he changed the registry to do what he did, so that eleminates changing the IP. You have me interested, it could be something real simple, or something real complex, but either way I would like to know how this was achieved. Sorry for posting without answering your question.

Didn't you guys promise full disclosure? ::Grins:: He should HAVE to tell you, like h3r3tic says.

As phish said, a firewall that blocks EVERYTHING including ICMP should do the trick. You could force Tiny Personal Firewall 2 to do this.
Cheers,
cgkanchi

By any chance did he either:-

1. Disable the network interface, or
2. Unbind TCP/IP or all protocols from the interface.

If he did either it would explain why he won;t tell you - 'cos he "cheated".

I should’ve been more specific in my initial post. My roommate tweaked his registry as phishphreek80 suggested (http://www.winguides.com/registry/display.php/97/.) However, this simple tweak shouldn’t enable him to go into complete stealth mode…. right? Furthermore, he did disclose the tweak when round two was completed.

We’re all behind a router on a broadband connection. Before each round we reset the router in order for it to assign us new IPs. In round 2 when I scanned our network, only two out of three IPs showed up. Knowing for a fact that he was hiding somewhere on the segment, I was confused as to what he had done to completely disappear. I finally found him by using Ethereal to sniff our wire. However, since I don’t know what services or exploitable weaknesses he might have on his box, I wasn’t able to find a way to compromise him. I’m sure there’s ways to breach someone’s security setup without the above knowledge, however, this goes beyond my current scope of 1337n335 ;).

When he resets the tweak to default (without changing his firewall settings), I can see him again….. Oh well, I’ll get him in round 3.

Phishphreek80 – thank you for the links… I’m already messing with my IP tables :cool: .

Thanx,
Rob

Quote:

---

When he resets the tweak to default (without changing his firewall settings), I can see him again….. Oh well, I’ll get him in round 3.

---

I'm a bit confused. AFAIK, the restrict annon setting only restricts people from connecting to you via null session to enumerate your box. I don't see ANY way that this would make the box "invisible".

He has to be doing something else... such as the firewall, disabling of other services, etc.

What am I missing?

if he changes his IP to 0.0.0.0 you cannt see him and would not be able to scan

Quote:

---

Originally posted here by qod
if he changes his IP to 0.0.0.0 you cannt see him and would not be able to scan

---

I don't think that is possible with XP...

Thats too obvious anyway... if they change their IP to ANY IP other than the IP Scheme that they are using, he won't be able to see him.

If they are using 192.168.1.x and he changes it to anything else, he can't see it cause there is no route to it.

Quote:

---

Originally posted here by phishphreek80
I'm a bit confused. AFAIK, the restrict annon setting only restricts people from connecting to you via null session to enumerate your box. I don't see ANY way that this would make the box "invisible".

He has to be doing something else... such as the firewall, disabling of other services, etc.

What am I missing?

---

We're missing the same thing. I know for a FACT that the reg. tweak is the only thing he modifies.... Maybe it's because we're on the same network segment? BTW, what does AFAIK mean?

Thanx,
Rob

Quote:

---

Originally posted here by realmatic
BTW, what does AFAIK mean?

---

As Far As I Know. And I think if you were on a diff network segment then that would be more of a cause than being on the same network segment.

Quote:

---

Originally posted here by realmatic
We're missing the same thing. I know for a FACT that the reg. tweak is the only thing he modifies.... Maybe it's because we're on the same network segment? BTW, what does AFAIK mean?

Thanx,
Rob

---

I still don't get it... do you get the same thing by enabling it on your PC? I sure don't...

Anyone else have any insight on what he claims is happening? I say "claims" because I can't reproduce it... I have this setting on all my hosts and I can see them all just fine.

Do you get the same thing with you try to scan with nessus? But instead of a defualt scan... disable the ping. It will scan even though it doesn't "see" anything there.

Try nmap -p0 ip . That *might* just work.
Cheers,
cgkanchi

His box finally showed up when I disabled Ping and increased some of the time delays in my various scanners :D. Thanks for the tips! However, round 3 has already started, consequently, I can't ask him any more questions until Sunday.

Ok, so now I can finally see him, however, his box is completely non-responsive! No matter what type of probe I throw at him, his box refuses to give me any kind of reply... I've never seen anything like it! Eh, I got a week to figure it out. However any suggestions would be appreciated.

phishphreek80 - No, I didn't get the same result when I tweaked my 'puter... I don't know if he did something he's not telling me or if he did something by accident which would allow him to go stealth. I think it's the latter since he's usually an honest guy.