Moving onto the next level

[ommy]

Hi all,
umm..To begin with (before guys start falming me or anything), let me ******** that I completely understand and know about Antionline rules and I am just looking for an advice/guidance from some senior pen-tester or a security professional(Since, in my opinion I have learnt alot,alot while just reading the everyday posts on antionline).

So, here is the situation. My friend has decided to set up a war game. He'll defend and I'll attack. His point is that an updated Windows 2000 machine, with all patched software does not need a firewall and only a potential hacker (with sharp programming skills) can either discover a 0 day exploit and then exploit the machine. My point is that he still needs a firewall to harden his machine. Now I am supposed to attack his updated Microsoft Windows 2000 Advanced Server machine and take it down. What I did was is following:

1) I nmap'd his machine and found out the following:

53/tcp open domain Microsoft DNS
80/tcp open http Apache httpd 2.0.55 ((Win32))
135/tcp open msrpc Microsoft Windows RPC
1027/tcp open msrpc Microsoft Windows RPC
1029/tcp open msrpc Microsoft Windows RPC
1030/tcp open msrpc Microsoft Windows RPC
3306/tcp open mysql MySQL 4.1.16-nt
3389/tcp open microsoft-rdp Microsoft Terminal Service

2) I ran nessus against his machine(with all updated plugins) and found no serious vulnerability. What I found was some information from the port scanners and a couple of warnings, which were almost harmless.

3) It's been almost 2 days that I am googling for RPC exploits and searching Packetstorm and BugTraq. What I found was DCE-RPC tester and a couple of old vulnerabilities, which have been already patched by the vendor.(I compiled them and ran against the machine and it didnt work).

Now, its been a couple of days, and I am all lost with this. What i need from you guys is to help me moving in the right direction. I believe there is a difference in "help me taking down my friend's machine" and "help me learning the security concerns" notion.

What I can do is to 'syn flood' or 'DoS' his machine to take it down, but this is not the real purpose of setting up this war game. What I am looking at is Microsoft RPC and RDP terminal services to exploit, but didnt found out something really serious to do that.(Only a couple of NULL session vulnerabilities, which have been already patched). What do you guys have to say about this? Am i moving in the right direction.

I really feel that I lack this confidence of actually carrying out a pen-test and the ability to exploit a hole. Since, it has been long that I am reading alots of stuff on different security portals, mailing lists, pen-testing tutorials, experience with knoppix and other security distributions but hav'nt really shown these exploiting abilities. Help me building my confidence AO

Looking forward to your response...

[.:front2back:.]

With this little wargame, do you just have to retrieve a file, or drop a file onto the box.?
If not then i personally would Dd0s it until it drops offline..
Also has he checked with he/her's ISP to make sure that we you's are doing is approved? As the ISP might see the attemts, and think something is up, and investigate.
And while there investigating you might find that both of your internet connection's might get suspended..

just a few thoughts.

cheers
front2back

[ommy]

.:front2back:. I forgot to mention that we are on the same subnet/LAN set up internally in our homes. So no bandwidth/ISP issues. That might be easy to do this ICMP reflection or D'DoSing the machine, but this is not the purpose. I am not supposed to drop or reterieve any file from the box. Its just that the machine is breathing and I have to take it down (not in 3l33t3 Script Kiddie way..DoS or anything).. I am looking for some service to exploit and found no way of doing that as yet ...
so any responses AO?

[qwertyman66]

Try looking more towards other forms of attack other than the RPC that you seem to have focused on. Check the websites of any servers he is running. Maybe he is not as up to date as he might think...

[steve.milner]

There are many thinkgs you could think of.

In this situation the direct, upfront attack seems to be yielding poor results. The next step?

Pretend to be someone else (love interest perhaps?)
Email a trojan & try and get it executed.
Persuade them to talk to you via MSN & look for & try vunerabilities. (Send a file!).
Break into the machine & gain pyhysical access, install a trojan.

These are all things the 'bad guys' might try if the frontal attack fails and they really need to gain control of a machine.

Just my 2c

Steve

[killerbeesateme]

read the news. your zero-day is already out. of course it doesn't really work if no one uses the machine. you could try emailing it to the box if it has email. I remember the f-secure blog said it infected a DOS box after just downloading it. Play around with the WMF. what do you really have to lose at this point. hell, just load up a linux livecd and give him the actual one. thumb your nose at him with the spyware. lol.

*edit*

you said your on a LAN, so can you knock him off by messing with the switches or routers? it's technically a win.

[ommy]

well..first of all..seeing the negative status of the thread is "disappointing"..

steve.milner: This is against the agreed rules of war game. So I wo'nt go for it. Secondly, he is not using this machine as his primary machine (where he checks his email and uses IM clients)..

killerbeesateme: I have read about the WMF zero-day exploit, but again since he does not use that machine to broswe or anything, so its kinda useless.. What I am going to do next is to fire up a live CD and try some stuff from it...

Guys..till this very moment..I still havnt got a serious clue to head in the right direction.. I still wonder that an updated Windows 2000 Advanced server machine can be this secure and so hard to break into..I am not learning anything new and I am getting frustrated now..

still need a serious piece of advice from senior pen-testers..Irongeek,Th3horse13,gore,nihil,negative,HTRegz,catch,Soda_Popinsky,MemorY..where are you guys..I believe you all know me for a long time now..help me moving in the right direction...

[Raion]

ommy, first of all, there is no 100% secure machine. If I were you I'd take killers suggestion and find a way to gain access through the LAN, messing with hardware or whatever. By the way don't count on MemorY for computer advice lol (he's banned, he now goes by the name Copyright)

[killerbeesateme]

Well... my last bit of advance kind of sucked. but there is another way. Not really any better than just a DoS, but you can go LAND attack on it. I don't think that ever got patched.

I was LAND attacking my coworkers at my last job when they pissed me off and they were all running XP SP2. (my admin didn't care, he didn't like those people either and i wasn't disrupting business)

It'll shoot their resources use up to 99% as long as you keep shooting packets at it. Probably won't help, but yea. I'd say mess around with the RDP too. see where you get. Sorry, I'm not much of a pen tester but I'm bored at work so you have to deal with my crappy advice.

[zencoder]

You might want to redefine the rules of the game and start over. You aren't to DDoS it, but you need to take the server down. Why take it down? Why not just change the wallpaper remotely, once you have cracked the system? It doesn't *really* matter, but I'm using this to help you in other channels...think beyond the boundaries, the bad guys certainly will. That's why you've gotten the suggestions you have.

To be honest, with the restrictions you two have placed on this game and in this setting your friend may be right and you may be wrong. You are dealing in too many finite points, and Security is not a finite (science|school of thought|art).

Why can't you DDoS it? The end result is the same. If the point is to exploit the box ONLY via RPC vulnerabilities, and it is up-to-date, then you may have already lost...UNTIL the next RPC exploit is found.