
Thread: Question on Hacker's Challenge

  1. #11
     Junior Member (Join Date: Aug 2003, Posts: 4)

     Well, if I had the book I won't be posting the questions... so will you post the answers here ASAP... thanks

  2. #12
     AO Ancient: Team Leader (Join Date: Oct 2002, Posts: 5,197)

     ROFL..... OK, I'll sucker for it...... If you don't have the book how on earth are you reading the scenarios???????

    [Second Thought]

    You know.... I think I get it...... There's a certain urgency in your post my dear..... That, coupled with the fact that you have the scenario but not the book leads me to believe that you might be in school and this is an assignment, (that's due soon by the urgency in your response).

    Now what would you learn if I just told you? That coupled with the fact that it is a classic exploit that is old also leads me to believe you have done no work of your own to try to determine what occurred...........

    [/Second Thought]

    Google is your friend..... Take a look through the log they provide and see what doesn't look normal..... Type it into google and you will be surprised how much info you will get......

    As to the second question that I said was "lame", it is..... I'll give you that one 'cos when I did it I couldn't see anything that the attacker really did to obfuscate his trail....... 'cos I really don't call renaming a file by adding a "1" to it as "obfuscating".....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #13
     Junior Member (Join Date: Aug 2003, Posts: 4)

     Hacker's Challenge question

     Well bro... I'm in uni... and this scenario is due on Monday... the fact is that I'm not into networking... not my topic... and I have tried searching in Google... but couldn't find anything relevant... please can you give me the answer for the first question...

  4. #14
     AO Ancient: Team Leader (Join Date: Oct 2002, Posts: 5,197)

     I don't know why you would be doing a course like this if you aren't into networking but hey.... I'm not gonna hold you up any longer even though it would probably be good for you to find it out for yourself - especially since it is a rather easy one......

    The attack was the good ole IIS file request parsing vulnerability where the c:\winnt\system32 folder was not properly secured allowing anyone access to it. The attack works because unpatched NT boxes would not properly check the request when \..\ was used to move up a folder in the tree before moving down again and would produce the requested result even though, (technically), the IUSER account should be able to leave the inetpub folder. The standard attack runs a cmd.exe /c+dir to see if output is given. If it is then the cmd.exe file is usually copied somewhere more convenient like the scripts folder under inetpub and then the fun begins. The second part of the answer is that the attacker obfuscated the audit trail by renaming the cmd.exe file to cmd1.exe which, as I said, is darnright lame because you can quite clearly see the cmd.exe /c+ren+cmd.exe command in the IIS log so how they figure that it obfuscates the audit trail I really don't know...... and you can tell your prof that too. Anyone worth their salt would not be following an audit trail based on the cmd.exe file when the IP address of the attacker and the commands he carried out from that IP address are there for all to see.

    The attack could have been mitigated by patching the box, (duh), or by having a properly secured system32 folder that allows only admins into it - unfortunately, default installs of NT allow "everyone" access to the entire drive.

    Good luck...... And learn networking if you are into computers at all..... It's fun doing security and you learn a ton of fun stuff.....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
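Added example, not part of the thread or of the Hacker's Challenge book: a small Python detector that walks IIS W3C-format log lines for the pattern the post above describes (a \..\ traversal out of the web root into system32, a cmd.exe request, a rename or copy of the shell) and groups the hits by client IP, since the post's point is that the IP plus its commands is the audit trail an investigator actually follows. The log lines are constructed, and the field order is assumed to match the #Fields directive in the sample.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample lines in IIS W3C extended format (not from any real server).
# Field order follows the #Fields directive on the first line.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-08-10 14:01:02 192.0.2.10 GET /default.htm - 200
2003-08-10 14:01:15 192.0.2.77 GET /scripts/..\\..\\winnt/system32/cmd.exe /c+dir 200
2003-08-10 14:01:40 192.0.2.77 GET /scripts/..%5c..%5cwinnt/system32/cmd.exe /c+ren+cmd.exe+cmd1.exe 200
2003-08-10 14:02:03 192.0.2.77 GET /scripts/cmd1.exe /c+dir+c:\\ 200
2003-08-10 14:02:30 192.0.2.10 GET /images/logo.gif - 200
"""

TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")          # a '..' path segment after normalisation
SCRIPTS_EXE = re.compile(r"^/scripts/[^/]+\.exe$")  # an executable sitting directly in /scripts


def normalise(stem: str) -> str:
    """Decode %xx escapes (twice, to catch double encoding) and fold '\\' into '/'."""
    return unquote(unquote(stem)).replace("\\", "/").lower()


def classify(stem: str, query: str) -> list:
    """Return the reasons a request matches the IIS traversal / cmd.exe pattern."""
    path, q = normalise(stem), query.lower()
    reasons = []
    if TRAVERSAL.search(path):
        reasons.append("path traversal")
    if path.endswith("/system32/cmd.exe"):
        reasons.append("direct cmd.exe request")
    if SCRIPTS_EXE.match(path) and q.startswith("/c+"):
        reasons.append("shell invoked from /scripts (possibly renamed cmd.exe)")
    if "+ren+" in q or "+copy+" in q:
        reasons.append("file renamed/copied via shell")
    return reasons


def audit_trail(log_text: str) -> dict:
    """Group suspicious requests by client IP: the trail an investigator follows."""
    trail = defaultdict(list)
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        date, time, ip, _method, stem, query, status = line.split(" ", 6)
        reasons = classify(stem, query)
        if reasons:
            trail[ip].append((f"{date} {time}", stem, query, status, reasons))
    return dict(trail)


if __name__ == "__main__":
    for ip, hits in audit_trail(SAMPLE_LOG).items():
        print(ip)
        for when, stem, query, status, reasons in hits:
            print(f"  {when} {stem} {query} -> {status}: {', '.join(reasons)}")
```

Run as-is it prints only the 192.0.2.77 timeline; the two benign requests from 192.0.2.10 produce no hits.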

  5. #15
     Junior Member (Join Date: Aug 2003, Posts: 4)

     Thanks bro... well, I'm into computing... but our course requires us to do a subject of networking... but as you know, without any interest you can't learn anything.
     Anyway, thanks for the info...
