
Thread: Restrict Anonymous User Access?

  1. #1
    Junior Member
    Join Date
    Aug 2003
    Posts
    12

    Restrict Anonymous User Access?

    So me and my roommates decided to have a small in-house security competition. The rules were simple: break in, create a new directory containing a small .txt file and exit. We also agreed to full disclosure after it was all over. None of us claim to be security experts; it was all fun and games. Anyway, I won the first round. I managed to compromise both of my victims' security settings and consequently win some free beer. However, wanting revenge, my roommates wanted a rematch. We got one week to improve our defenses before round 2 took place. This time around one of my roommates got wise and managed to fool me. He changed some settings in his registry (XP.) The settings he changed make him completely invisible to the outside world! I tried Nmap, Nessus, LanGuard, nothing! No trace of him existing! How is this possible? Is there any way besides using a scanner to flush him out? I would greatly appreciate if someone could explain this to me (Yes, I've tried to Google for it.) Round 3 is around the corner and it would be nice to reclaim my crown of in-house uber haxor. We're all on XP/nix dual-boot boxes.

    Thanks,
    Rob

  2. #2
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Did he just use a firewall and deny everything that comes at it including ICMP?

    Regarding the restrict anonymous access, use the following tweak.

    http://www.winguides.com/registry/display.php/97/

    That isn't going to make the machine "invisible" though.

    You want to really fool him? Use linux and configure iptables to use the mirror function.

    Meaning... when he tries to scan you... he will really be scanning himself.
    Of course... this can be bad if you are on the net cause people can use your box to DoS someone else. They just have to spoof the source of the scan.... which isn't too difficult.
    For more info on that... look @
    http://www.antionline.com/showthread...172#post685172
    and
    http://www.netfilter.org/security/20...22-mirror.html

    Depending on your LAN setup, you can also sniff the network for a while and capture his passwords... just so you don't have to do too much pw cracking. Look into ettercap for this. Hell... start killing all his connections whenever he is online. He'll be really confused as to what is going on. Ettercap is also a good way to find all live hosts on the network too. Ping sweeps don't always work, cause you can configure it to not reply to the ping.

    There are so many evil things you can do...

    I wish I had people around here to do that with.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  3. #3
    Elite Hacker
    Join Date
    Mar 2003
    Posts
    1,407

    Re: Restrict Anonymous User Access?

    Originally posted here by realmatic
    We also agreed to full disclosure after it was all over.
    Why didn't he tell you if that's true? I would force him to tell you. I really don't know how this is done. Maybe he just changed his IP, it sounds like you all were behind the same router, he could have just gotten a different IP after the games began. Of course, it sounds like he told you that he changed the registry to do what he did, so that eliminates changing the IP. You have me interested, it could be something real simple, or something real complex, but either way I would like to know how this was achieved. Sorry for posting without answering your question.

  4. #4
    Senior Member
    Join Date
    Nov 2003
    Posts
    247
    Didn't you guys promise full disclosure? ::Grins:: He should HAVE to tell you, like h3r3tic says.
    www.ADigitalPimp.com
    There is a ghost in the machine, and he is my friend.

  5. #5
    Antionline Herpetologist
    Join Date
    Aug 2001
    Posts
    1,165
    As phish said, a firewall that blocks EVERYTHING including ICMP should do the trick. You could force Tiny Personal Firewall 2 to do this.
    Cheers,
    cgkanchi
    Buy the Snakes of India book, support research and education (sorry the website has been discontinued)
    My blog: http://biology000.blogspot.com

  6. #6
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    By any chance did he either:-

    1. Disable the network interface, or
    2. Unbind TCP/IP or all protocols from the interface.

    If he did either it would explain why he won't tell you - 'cos he "cheated".
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  7. #7
    Junior Member
    Join Date
    Aug 2003
    Posts
    12
    I should’ve been more specific in my initial post. My roommate tweaked his registry as phishphreek80 suggested (http://www.winguides.com/registry/display.php/97/.) However, this simple tweak shouldn’t enable him to go into complete stealth mode…. right? Furthermore, he did disclose the tweak when round two was completed.

    We’re all behind a router on a broadband connection. Before each round we reset the router in order for it to assign us new IPs. In round 2 when I scanned our network, only two out of three IPs showed up. Knowing for a fact that he was hiding somewhere on the segment, I was confused as to what he had done to completely disappear. I finally found him by using Ethereal to sniff our wire. However, since I don’t know what services or exploitable weaknesses he might have on his box, I wasn’t able to find a way to compromise him. I’m sure there’s ways to breach someone’s security setup without the above knowledge, however, this goes beyond my current scope of 1337n335.

    When he resets the tweak to default (without changing his firewall settings), I can see him again….. Oh well, I’ll get him in round 3.

    Phishphreek80 – thank you for the links… I’m already messing with my IP tables.

    Thanx,
    Rob

  8. #8
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    When he resets the tweak to default (without changing his firewall settings), I can see him again….. Oh well, I’ll get him in round 3.
    I'm a bit confused. AFAIK, the restrict anon setting only restricts people from connecting to you via null session to enumerate your box. I don't see ANY way that this would make the box "invisible".

    He has to be doing something else... such as the firewall, disabling of other services, etc.

    What am I missing?

  9. #9
    Senior Member
    Join Date
    Sep 2003
    Posts
    161
    If he changes his IP to 0.0.0.0 you can't see him and would not be able to scan

  10. #10
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Originally posted here by qod
    If he changes his IP to 0.0.0.0 you can't see him and would not be able to scan
    I don't think that is possible with XP...

    That's too obvious anyway... if they change their IP to ANY IP other than the IP Scheme that they are using, he won't be able to see him.

    If they are using 192.168.1.x and he changes it to anything else, he can't see it cause there is no route to it.
