What can I do to stop

  1. #1 - Junior Member (Join Date: Mar 2004, Posts: 2)

    Question: What can I do to stop

    I've got a Microsoft Infrastructure class this semester and need some help with security. We have established a domain of about 25 computers with a variety of OSes (XP Pro, 2000 Pro, NT Workstation, NT 4.0, 2000 Server, 2000 Advanced, a Fedora server and a couple of Fedora workstations). Each person in the class has a different OS and we have learned how to get them to all work together. But now that we have most of the bugs worked out the instructor has a new twist: one member of my class, we have no idea who, has been instructed to hack us at will and do as much damage as he can. I am running a 2000 Advanced Server as a domain controller with WINS and DNS on it. Last week he pretty much had his way with a couple of people's machines and I don't want to be next; can anyone give me any ideas? Please remember I'm still new at this. I'm smart enough to know that I know nothing.

  2. #2 - Senior Member (Join Date: Apr 2003, Posts: 147)
    Search Google and this site for security related terms... that's where you should start... Though I may be inclined to help you since, minus the WINS server, that's exactly what my desktop machine is running... don't ask why.

    Can you d/l and install stuff, or are you stuck with configuring what you have? I'd assume you can get updates; get all of them, of course.

    If you can, d/l something like ZoneAlarm first, then research. Wait for a few more posts, there's a lot o' experienced people on here. They'll hook you up with all sorts of stuff.

    Do you have to keep all your services operational? If not you can shut off some of them. Though not all, since you've made the leap to domain controller already. If someone knows how to shut all that **** off after actually becoming domain controller you'd be helping me as well as him.

    A funny thought just crossed my mind... depending on how much he already knows about your network, like your IP address and such (like that can't be changed anyway, screw network policy, DHCP is even better), I, myself, would play with a honeypot. Just to keep him busy for a while. I'd assume he won't spend all his free time trying to hack your box, though you never know. If you could work a honeypot, you could log what he's doing, hopefully buying you at least one class period to send us the logs... HAHA, that would be great.

    Though you said you know nothing, I'll see what you have to say on the subject. Wait for a dozen or so more replies to get the whole think tank on board if they're interested. You'll need to keep me interested too. See if you can do something about finding the identity of the dude and feeding us some profile info. It may come to something, who knows.

    Good luck, hope your next reply isn't -- I've been haxored!!! --

  3. #3 - nihil, Super Moderator: GMT Zone (Join Date: Jul 2003, Location: United Kingdom: Bridlington, Posts: 17,190)
    Hi,

    A few more questions to add to those from UpperCell :

    1. Do you know how the other two machines were attacked?
    2. Will he/she have physical access to your machine? (When I build a "secure box" I always use removable hard drives, lock the CD and floppy to normal users, boot from HDD first, etc.)
    3. Which OSes were attacked first?
    4. I would suggest some security tools, but I am not sure if you are allowed to load them. I guess the EULA is OK as you are using them "privately", albeit in an educational environment? As UpperCell has already pointed out, it is important for us to know if you can do this, and any other rules of engagement.

    Good luck
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  4. #4 - MrLinus, Just a Virtualized Geek (Join Date: Sep 2001, Location: Redondo Beach, CA, Posts: 7,324)
    Hrmm.. Sounds like a wargame!

    I noticed the lack of mention of a firewall and/or an IDS. Are you not allowed to install these? You might want to look at the NSA's Security Guides to see if they may help you lock down your servers better. And perhaps check the tutorials I wrote on Wargames as they may give you a better idea as to how the attacker got in. I suspect that there is no physical access immediately but rather remote access.

    Lastly, the most common way that I get into my students' machines is due to really poor password policy (e.g., "password", "root", "course#", their email password -- which they access over the clear). You might want to ensure you put in some strong password policies on important machines in particular.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  5. #5 - Junior Member (Join Date: Mar 2004, Posts: 2)
    The first two machines he got were another 2000 Advanced Server and one of the 98 machines. I think he's just picking at random. The only access he is allowed is remote only, so that helps. I can download anything but a firewall, and all my updates are downloaded, so there I'm okay. I have GFI LANguard Network Security Scanner downloaded and I'm going to use it tonight to try and find all the holes in the network. But I really want to beat this guy since the instructor is so sure we will all fail. Thanks for your help.

  6. #6 - nihil, Super Moderator: GMT Zone (Join Date: Jul 2003, Location: United Kingdom: Bridlington, Posts: 17,190)
    OK, I haven't built the 2Kas machine yet, and I will NOT abuse "free for private use" by installing it at work. That means I don't know if this stuff will run:

    http://www.diamondcs.com.au

    Have a look around the site and get the free (to everybody) RegistryProt... might as well protect the Windows Registry?

    http://www.winpatrol.com

    This one may not work with your OS... if it does, it should be a useful damage limitation exercise.

    http://digilander.libero.it/zancart

    You want WinSonar 2003... if it runs on your OS it should detect a network connection; if not, open an internet connection to "liven it up"... say "yes" to the prompt to block unknown background processes.

    A word about social engineering... it is NOT one of your fellow students... hell, they know as much, or as little, as you?... it is your instructor who is the "bad guy".

    Find out what you can about his ID, logon etc.

    Cheers
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  7. #7 - MrLinus, Just a Virtualized Geek (Join Date: Sep 2001, Location: Redondo Beach, CA, Posts: 7,324)
    Quote: I can download anything but a firewall and all my updates are downloaded so there I'm okay.

    Actually, you know who you should talk with: Pooh Tzu Sun. He has a Windows box locked down without a firewall or AV, and I've checked it. It's an impressive setup. Send him a quick note asking for some advice on how to lock your boxes down to prevent remote access while still allowing necessary services. His setup was quite impressive.

    Oh yes, if you are required to run a webserver, toss IIS.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  8. #8 - Maestr0, Senior Member (Join Date: May 2003, Posts: 604)
    The real prize would be the domain server, and since you are using 98 machines and possibly Samba, the DC must answer LM authentication requests; if your 'attacker' is on the LAN with you he may as well go for the DC by sniffing LM hashes, and then he will 0wn j00 all. But seriously, just some initial precautions I would take would be to tighten your file permissions, disallow anonymous NB stuff (do you have to have it?), enable auditing, check your local security policy, remove all un-needed/non-required services, if you run IIS run IIS Lockdown and remove all your extensions, remove SYSTEM execute privileges on commonly exploited binaries (cmd.exe, tftp, etc.), change your admin account, enforce a strong password policy, then run some tools like Baseline Security Analyzer and Nessus against yourself (perhaps a trial/edu version of eEye Retina?) and see what turns up, then rinse... repeat....
    Have fun!

    -Maestr0
    "If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier
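    Several of the precautions in this post (strong password and lockout policy, auditing, blocking anonymous NetBIOS enumeration, renaming the built-in Administrator account, limiting LM use on the DC) can be applied in one go with a security template and secedit on Windows 2000. This template is an added example written for this thread, not something posted in it; the names and numeric values are constructed choices to adjust for your own lab.

```ini
; harden-dc.inf - constructed security template for a Windows 2000 DC
; (added example, not from the thread). Apply with:
;   secedit /configure /db harden-dc.sdb /cfg harden-dc.inf /log harden-dc.log
; then review harden-dc.log and the Local Security Policy snap-in.
[Unicode]
Unicode=yes

[Version]
signature="$CHICAGO$"
Revision=1

[System Access]
; Strong password policy: weak passwords are the usual way in.
MinimumPasswordLength = 10
PasswordComplexity = 1
PasswordHistorySize = 12
MaximumPasswordAge = 42
MinimumPasswordAge = 1
; Lockout slows down online guessing against the DC.
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 30
; "change your admin account": rename the built-in accounts (constructed names).
NewAdministratorName = "DcOperator"
NewGuestName = "NoGuest"

[Event Audit]
; "enable auditing": 3 = success and failure, 2 = failure only, 1 = success only
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditAccountManage = 3
AuditPolicyChange = 3
AuditPrivilegeUse = 2
AuditSystemEvents = 3
AuditObjectAccess = 2

[Registry Values]
; 4 = REG_DWORD. RestrictAnonymous=2 blocks anonymous NetBIOS enumeration
; (the "anon NB stuff"); confirm the Win9x and Samba clients still work afterwards.
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,2
; LmCompatibilityLevel=2: the DC stops sending LM responses itself but still
; accepts them, because the 98 machines in this lab can only speak LM/NTLM.
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,2
```

    Check the Security event log after applying it: the audit settings above are what make the failed logons and policy changes from the "attacker" visible.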

  9. #9 - Senior Member (Join Date: Jan 2003, Posts: 1,499)
    Check the web logs on the other machines and then go hook the guy in the face.

    That should deter him from fuxoring your box.

  10. #10 - Dead Man Walking (Join Date: Jan 2003, Posts: 810)
    Why would a firewall be against the rules? Please forgive my ignorance, but I have never been in a classroom-type wargame.
