July 16th, 2004, 11:06 PM
Penetration Testing on Win 2k Advanced Server
I'm in this system admin basic course class with a couple of other friends, and our current assignment is to block most remote access to our box. It's like a wargames simulation with the teacher being the PDC: he does something remotely to our box and it's our job to disable it. We are all on domain admin accounts for this exercise.
First my Run command and desktop icons were taken away, so I figured it was Remote Registry and turned that off. Then I was shut down remotely without warning, so I disabled Advanced Power Management on my box. Then event logs kept running, so I disabled the "Alert" service. Then my DOS prompt was disabled, so I locked myself out of gpedit (after restoring rights, of course). Then stuff kept appearing on my desktop, so I disabled the admin shares. Then a .bat file was run to open like 1000 windows, so I disabled Telnet. Now I am being shut down remotely again, this time WITH a prompt warning saying "Warning, admin/@domain has shut down iceland (my hostname)", and it has a countdown of like 15 seconds and my box shuts off. I have no clue how the teacher did this; he gave us a hint though, something about IIS? I disabled that, but he could still shut me down. A little help would be much appreciated, thanks.
July 16th, 2004, 11:12 PM
If it's an IIS exploit, check out Google and see what you can dig up. However, it sounds like a virus/worm if after 15 seconds your box shuts off. Sounds oddly familiar. Check Symantec for the latest worms/viruses and see if your teacher used any of those. (Sasser? Any others possibly.)
July 16th, 2004, 11:16 PM
Yes, I believe it to be an IIS exploit. He told me it wasn't a virus or trojan; no outside programs besides Win2k default utilities are used in this exercise.
July 16th, 2004, 11:27 PM
In that event, pop your favorite search engine into your browser and search the web for IIS exploits, narrow it down by selecting the version of IIS, and from there narrow it down by the symptoms of the attack, etc.
July 16th, 2004, 11:42 PM
Just one concern: if this is a wargames exercise and you all have domain admin rights, does that include your teacher? If so, then isn't that a little unfair, and rather unrealistic?
Quis custodiet ipsos custodes
July 16th, 2004, 11:47 PM
Yeah, I suppose it is, lol. But yeah, the shutdown after 15 secs is prompted by a little pop-up window. I tried finding how it was done on Google and Yahoo, and so far no cigar.
July 16th, 2004, 11:48 PM
Hrmm, try altavista.com. Also, when you say there's a pop-up window (as I expect), what does it say?
July 16th, 2004, 11:55 PM
"Warning, administrator/domain_name has shut down iceland (my hostname), save and exit or data loss will occur", and it has a timer at the bottom of the pop-up window.
July 16th, 2004, 11:58 PM
Uhh, wait... so you left something out then. Is your teacher doing this remotely? And obviously he's using an exploit. I would search Google for that specific message and see what you come up with. Go to the IIS homepage as well (I dunno what it is) and see if they've had an update for a problem concerning something of the like.
July 17th, 2004, 01:25 AM
Or of course he might just be using shutdown.exe... which, if I recall, works just like that. Or he could just be right-clicking on the My Computer icon, selecting Manage, connecting remotely, and then shutting it down.
I still think it's a very unfair war game...
If your box is patched up to date, how about going to the NSA site and grabbing the hardening settings for Win2k, applying those, and then seeing what happens? Stop all NetBIOS traffic as well.
Quis custodiet ipsos custodes
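The last reply's guess (shutdown.exe, or Computer Management connected to the remote box) fits the symptoms in the first post exactly: a remote shutdown call with a comment and a countdown needs no exploit, only the "Force shutdown from a remote system" user right on the target, which every member of Administrators has by default. The following is an added example, not code from the thread, showing the teacher's side and the defender's counters on the box named "iceland" in the thread. It assumes the modern shutdown.exe and PowerShell syntax (Windows XP and later; the Windows 2000 Resource Kit shutdown.exe used different flags), an elevated PowerShell session, and that the defender is a local Administrator on iceland. Function names are the example's own.

```powershell
# Added example (not from the thread): the "15 second countdown" shutdown done with
# stock Windows tooling, then the defender's counters on the target box.
# Assumptions: XP-or-later shutdown.exe / PowerShell syntax, hostname "iceland" from the
# thread, elevated session, defender is a local Administrator on iceland.

$Target = 'iceland'

# --- Teacher's side: no exploit needed, just the remote-shutdown RPC and a countdown.
# Requires the caller to hold "Force shutdown from a remote system"
# (SeRemoteShutdownPrivilege) on the target; members of Administrators have it by default.
# The /c comment is the text that appears in the pop-up on the target.
function Invoke-RemoteShutdown {
    param(
        [string]$ComputerName,
        [int]$Seconds = 15,
        [string]$Comment = 'Save and exit or data loss will occur'
    )
    & shutdown.exe /s /m "\\$ComputerName" /t $Seconds /c $Comment
}

# --- Defender, step 1: cancel a countdown that is already running on this box.
function Stop-PendingShutdown {
    & shutdown.exe /a
}

# --- Defender, step 2: find out who did it. From XP onward, User32 writes event 1074
# to the System log naming the initiating user and process (and the remote host when
# the call came in over RPC).
function Get-ShutdownInitiators {
    param([int]$Last = 10)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1074 } -MaxEvents $Last |
        Select-Object TimeCreated, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } }
}

# --- Defender, step 3: strip the right from the local policy, so even a domain admin's
# RPC call is refused with "Access is denied". Caveat: a domain GPO that sets
# User Rights Assignment will put the default back on the next policy refresh.
function Remove-RemoteShutdownRight {
    $inf = Join-Path $env:TEMP 'rights.inf'
    $db  = Join-Path $env:TEMP 'rights.sdb'
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $out = foreach ($line in Get-Content $inf) {
        # an empty assignment clears every holder of the privilege
        if ($line -match '^SeRemoteShutdownPrivilege\s*=') { 'SeRemoteShutdownPrivilege =' }
        else { $line }
    }
    # secedit writes its export as Unicode; hand it back the same way
    Set-Content -Path $inf -Value $out -Encoding Unicode
    & secedit.exe /configure /db $db /cfg $inf /areas USER_RIGHTS | Out-Null
}

# --- Defender, step 4: close the transport. Remote shutdown, Remote Registry, Computer
# Management and the admin shares all ride on SMB (TCP 445, plus NetBIOS on 139), so one
# inbound block rule covers the whole list in the first post. It also cuts off legitimate
# domain management of the box, which is fine for the assignment but not a production setting.
function Block-SmbInbound {
    New-NetFirewallRule -DisplayName 'Block inbound SMB/NetBIOS' -Direction Inbound `
        -Protocol TCP -LocalPort 139, 445 -Action Block -Profile Any | Out-Null
}

# On the teacher's box:   Invoke-RemoteShutdown -ComputerName $Target
# On iceland, in order:   Stop-PendingShutdown; Get-ShutdownInitiators
#                         Remove-RemoteShutdownRight; Block-SmbInbound
```

Step 3 is the one that actually answers the first post's question: disabling IIS, Telnet or the Alert service changes nothing because the shutdown path is the remote-shutdown RPC interface, which is reachable as long as SMB is open and the caller holds the privilege. Removing the privilege (or the transport) is what stops it; on a domain-joined box, check `secedit /export` again after a `gpupdate` to confirm the domain policy has not restored it.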