-
August 29th, 2003, 04:08 PM
#11
Junior Member
well if i had the book i won't be posting the questions.............so will u post the answers here asap...........thnx
-
August 29th, 2003, 05:06 PM
#12
ROFL..... OK, I'll sucker for it...... If you don't have the book how on earth are you reading the scenarios???????
[Second Thought]
You know.... I think I get it...... There's a certain urgency in your post my dear..... That, coupled with the fact that you have the scenario but not the book leads me to believe that you might be in school and this is an assignment, (that's due soon by the urgency in your response).
Now what would you learn if I just told you? That coupled with the fact that it is a classic exploit that is old also leads me to believe you have done no work of your own to try to determine what occurred...........
[/Second Thought]
Google is your friend..... Take a look through the log they provide and see what doesn't look normal..... Type it into google and you will be surprised how much info you will get......
As to the second question that I said was "lame", it is..... I'll give you that one 'cos when I did it I couldn't see anything that the attacker really did to obfuscate his trail....... 'cos I really don't call renaming a file by adding a "1" to it as "obfuscating".....
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
August 29th, 2003, 05:12 PM
#13
Junior Member
hackers challenge question
well bro.........i'm in uni.....n this scenario is due on monday...........the fact is that i'm not into networking..........not my topic......n i have tried searching in google......but couldn't find anything relevant..............pls can u give me the answer for the first question............
-
August 29th, 2003, 07:30 PM
#14
I don't know why you would be doing a course like this if you aren't into networking but hey.... I'm not gonna hold you up any longer even though it would probably be good for you to find it out for yourself - especially since it is a rather easy one......
The attack was the good ole IIS file request parsing vulnerability where the c:\winnt\system32 folder was not properly secured allowing anyone access to it. The attack works because unpatched NT boxes would not properly check the request when \..\ was used to move up a folder in the tree before moving down again and would produce the requested result even though, (technically), the IUSER account should be able to leave the inetpub folder. The standard attack runs a cmd.exe /c+dir to see if output is given. If it is then the cmd.exe file is usually copied somewhere more convenient like the scripts folder under inetpub and then the fun begins. The second part of the answer is that the attacker obfuscated the audit trail by renaming the cmd.exe file to cmd1.exe which, as I said, is darnright lame because you can quite clearly see the cmd.exe /c+ren+cmd.exe command in the IIS log so how they figure that it obfuscates the audit trail I really don't know...... and you can tell your prof that too. Anyone worth their salt would not be following an audit trail based on the cmd.exe file when the IP address of the attacker and the commands he carried out from that IP address are there for all to see.
The attack could have been mitigated by patching the box, (duh), or by having a properly secured system32 folder that allows only admins into it - unfortunately, default installs of NT allow "everyone" access to the entire drive.
Good luck...... And learn networking if you are into computers at all..... It's fun doing security and you learn a ton of fun stuff.....
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
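Added example, not part of the original thread and not the book's log: a small log review script showing why the rename described in post #14 hides nothing, because requests are flagged by path traversal and by commands passed to an executable, then grouped by client IP. The log lines, IP addresses and the simplified field layout are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in a simplified W3C-style layout (not from the book's log):
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = r"""
2003-08-01 10:00:01 198.51.100.7 GET /default.htm - 200
2003-08-01 10:02:13 192.0.2.44 GET /scripts/..\..\winnt/system32/cmd.exe /c+dir 200
2003-08-01 10:02:40 192.0.2.44 GET /scripts/..\..\winnt/system32/cmd.exe /c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\cmd.exe 200
2003-08-01 10:03:05 192.0.2.44 GET /scripts/cmd.exe /c+ren+cmd.exe+cmd1.exe 200
2003-08-01 10:03:30 192.0.2.44 GET /scripts/cmd1.exe /c+dir 200
2003-08-01 10:05:00 198.51.100.7 GET /images/logo.gif - 200
"""

TRAVERSAL = re.compile(r"\.\.[\\/]")            # "..\" or "../" in the requested path
SHELL_ARGS = re.compile(r"^/c\+(\S+)$", re.I)   # "/c+<command>" handed to an executable
RENAME = re.compile(r"^ren(?:ame)?\+(\S+?)\+(\S+)$", re.I)

def analyse(log_text):
    """Return {client_ip: [(timestamp, reasons, command), ...]} for suspicious requests."""
    timeline = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 7 or line.startswith("#"):
            continue                             # skip blanks, headers, malformed lines
        date, time, ip, _method, stem, query, _status = fields
        reasons = []
        if TRAVERSAL.search(stem):
            reasons.append("traversal")
        shell = SHELL_ARGS.match(query)
        if shell and stem.lower().endswith(".exe"):
            reasons.append("exe-with-command")   # keyed on behaviour, not on the file name
            renamed = RENAME.match(shell.group(1))
            if renamed:
                reasons.append(f"rename:{renamed.group(1)}->{renamed.group(2)}")
        if reasons:
            command = shell.group(1).replace("+", " ") if shell else ""
            timeline[ip].append((f"{date} {time}", reasons, command))
    return dict(timeline)

if __name__ == "__main__":
    for ip, events in analyse(SAMPLE_LOG).items():
        print(ip)
        for ts, reasons, command in events:
            print(f"  {ts}  {','.join(reasons):45}  {command}")
```

The request to the renamed cmd1.exe is still reported under the same client IP, and the rename itself appears in the timeline as its own event.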
-
August 30th, 2003, 05:23 AM
#15
Junior Member
thnx bro........well i'm into computing.........but our course requires us to do a subject of networking........but as u know without any interest u can't learn anything
anyway thnx for the info......