Need tips & stratagies for Wargames

Im participating in a wargame at my school and I need some help. The target host machine is a fully patched Windows XP PRO (SP2) and I can reasonably assume that ports:
7
9
13
17
19
135
445
3389
1030
139

are opeing and listening, the problem is that the windows firewall is on and set not to allow any exceptions, which Im assuming doesnt alllow any inbound traffic unless in response to outbound traffic. We are on an internal switched (cisco) lan and I have access to XP pro 2, fedora core 4, and server 2003 OS's. I need some ideas on how to bypass this the firewall, also would arp poisoning or using a WSUS server to distribute code help me out in any way?

Thanks

I smell a rat, what school would run a wargame? and without teaching the pupils common security knowledge?

But either way, I assume that because its a wargame that the machines aren't actually being used (by people, maybe some bot is running to make sure they're still up and running) and are just running services.

So ARP poisoning wouldn't help you because no sensitive data is traveling to and/or from the target

Of course if there are people using the machine then ARP poisoning would be useful.

Yes there is someone using the machine, and Its not an official war game we just have a lab and want to experiment. But either way assuming that I was successful at arp poisoning, say I captured an html request and sent back an altered response, could I include batch like code in the packet?
Ex:
netsh firewall set opmode mode = disable exceptions = disable

Any ideas?

well you can't just include it in the HTTP page..or it would show up in the page they're viewing, i guess you could send back an altered response though it would be rather aggressive, and maybe the only option if the user has only limited privileges on the machine.

Another option is to just watch the traffic for sensitive passwords..but that won't do alot of good if the user doesn't have an admin account on a machine

The aggressive method would require more work and could possibly be detected whereas the passive method is probably less effective and only if a network admin were to check the ARP table on the switch/router? which you'd have to be pretty unlucky too.

I just have one more question, do you actually have permission from the people who run/own the network? and even so, its rather un-ethical to do this on live targets which I assume is illegal anyway (invasion of privacy)?

Sorry for the rather brief explanation but it'd take me ages to write an in-depth reply

It is a learning environment, we are on an isolated subnet, The target is fully aware of what were doing, and there is no reason to try to remain undetected, remember its just an experiment, The target and everyone else involved has an administrator account with the same password. The main goal is to get passed his firewall. So i guess my question is after I capture a packet, what tools could I use to alter the data? Is there some html syntax that has the equivalent effect as:
netsh firewall set opmode mode = disable exceptions = disable,

I guess it doesn't have to be html either, just some type of packet that I can try to alter.

thanks in advance

i'm not going to reply to this post anymore...because somehow the pieces just don't fit

There are no known/published unpatched vulnerabilities or bypasses to the windows XP firewall. So you will probably not find anybody on here who is willing to tell you of an unpublished way to do it, if such a way does in fact exist.

As much as people like to complain about windows firewall it is rather effective at what it does.

as it is in a school lab, and I asume you are all in the same room ?

gain physical access to machine
using your common paassword to get in
disable firewall, leave a TXT file on the desktop saying Hi :D

jobs a gud'un

so ............ can I take it the game went well :p
or not :eek: :D

Hey c'mon Mark,

You know how these wargames turn out?

:ubergun:
It's "blue on blue"? :shocked: