Penetration Testing on Win 2k Advance Server

Thread: Penetration Testing on Win 2k Advance Server

  1. #1
    Member
    Join Date
    Jul 2004
    Posts
    46

    Penetration Testing on Win 2k Advance Server

    I'm in this system admin basic course class with a couple of other friends and our current assignment is to block most remote access to our box. It's like a wargames simulation with the teacher being the PDC; he does something remotely to our box and it's our job to disable it. We are all on domain admin accounts for this exercise.
    First my Run command and desktop icons were taken away, so I figured it was remote registry and turned that off. Then I was shut down remotely without warning, so I disabled advanced power management on my box. Then event logs kept running, so I disabled the "alert" service. Then my DOS prompt was disabled, so I locked myself out of gpedit after restoring rights of course. Then stuff kept appearing on my desktop, so I disabled admin shares. Then a .bat file was run to open like 1000 windows, so I disabled telnet. Now I am being shut down remotely again, this time WITH a prompt warning saying "warning, admin/@domain has shut iceland(my hostname)" and it has a countdown of like 15 seconds and my box shuts off. I have no clue how the teacher did this; he gave us a hint though, something about IIS? I disabled that but he could still shut me down. A little help would be much appreciated, thanks.

  2. #2
    Senior Member
    Join Date
    Oct 2002
    Posts
    4,055
    If it's an IIS exploit, check out Google and see what you could dig up. However, it sounds like a virus/worm if after 15 seconds your box shuts off. Sounds oddly familiar. Check Symantec for the latest worms/viruses and see if your teacher used any of those. (Sasser? Any others possibly)
    Space For Rent.. =]

  3. #3
    Member
    Join Date
    Jul 2004
    Posts
    46
    Yes, I believe it to be an IIS exploit. He told me it wasn't a virus or trojan; no outside programs besides Win2k default utilities are used in this exercise.

  4. #4
    Senior Member
    Join Date
    Oct 2002
    Posts
    4,055
    In that event, pop your favorite search engine into your browser and search the web for IIS exploits, narrow it down by selecting the version of IIS and then from there narrow down by the symptoms of attack, etc.
    Space For Rent.. =]

  5. #5
    Senior Member
    Join Date
    Oct 2002
    Posts
    314
    Just one concern: if this is a wargames exercise and you all have domain admin rights, does that include your teacher? If so, then isn't that a little unfair? And rather unrealistic.
    Quis custodiet ipsos custodes

  6. #6
    Member
    Join Date
    Jul 2004
    Posts
    46
    Yea I suppose it is lol, but yea the shutdown after 15 secs, it's prompted by a little pop-up window. I tried finding how it was done on Google and Yahoo and so far no cigar.

  7. #7
    Senior Member
    Join Date
    Oct 2002
    Posts
    4,055
    Hrmm, try altavista.com and also, when you say there's a pop-up window (as I expect), what does it say?
    Space For Rent.. =]

  8. #8
    Member
    Join Date
    Jul 2004
    Posts
    46
    "Warning, administrator/domain_name has shut down iceland(my hostname), save and exit or data loss will occur" and it has a timer on the bottom of the popup window.

  9. #9
    Senior Member
    Join Date
    Oct 2002
    Posts
    4,055
    Uhh, wait.. so then you left out something to me. Is your teacher doing this remotely? And obviously he's using an exploit. I would search Google for that specific message and see what you come up with. Go to the IIS homepage as well (I dunno what it is) and see if they've had an update for a problem concerning something of the like?
    Space For Rent.. =]

  10. #10
    Senior Member
    Join Date
    Oct 2002
    Posts
    314
    Or of course he might just be using shutdown.exe.....which if I recall works just like that. Or he could just be right-clicking on the My Computer icon, selecting Manage, connecting remotely, and then shutting it down.

    I still think it's a very unfair war game...
    If your box is patched up to date then how about going to the NSA site and grabbing the hardening settings for Win2k, apply those and then see what happens perhaps. Stop all NetBIOS traffic as well.
    Quis custodiet ipsos custodes
