From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (sbradcpa@pacbell.net)
Date: Mon Aug 07 2006 - 09:51:04 EDT
And prove why folks need to patch......
These days he's into fuzzing browsers and what not....
I think the better lesson is why 2k is so easy of pickin's ....
understand it's permission structure as compared to 2k3 (everyone does
not include anon).
Erin Carroll wrote:
> Thanks for the detailed response Susan. Some comments inline below
>
>
>> If you can't nail an RTM Windows 2000 in say... oh... what..
>> 5 minutes or less? I'd be surprised. I'm not sure that's
>> testing those pool shots (and what is it with security and
>> people who play pool?) and exercising anything when that's
>> sooooo vulnerable it's not funny. You don't even have to do
>> anything.. just build it and stick it on the internet. What
>> kind of pool shot is that?
>>
>
> While I agree that the degree of difficulty to compromise an RTM w2k image
> is practically nil, I don't see practicing on it as completely useless,
> especially for beginners. I think it all depends on how you practice. The
> reason even great pool players practice simple shots is to hone their craft
> to amazing levels of understanding and intuition. A straight-in shot to a
> corner pocket is easy. A straight-in shot to a corner pocket where your cue
> ball consistently ends up at the same exact spot every time isn't as easy. A
> straight-in shot where you vary draw, follow, or english (uh, places where
> you hit the ball that will affect how it rolls for you non-pool players) and
> *still* getting the cue to stop at that same exact spot... That's real
> mastery of skill. Solid repeatable results 99.9% of the time regardless of
> the variables.
>
> I view pen-testing practice much the same way. Repeat over and over until
> it's second nature to you... And then change something and try to get the
> exact same results.
>
> John could easily compromise an RTM w2k image with an IIS 5.0 exploit. But I
> don't think owning the box should be the only point of practice if he wants
> to expand his knowledge and get better. Take a simple known exploit. Use it.
> Use it many times until you are thoroughly comfortable with it. Now take a
> deeper look. How exactly does the exploit work? Buffer overflow? What is the
> diff between the patched version and the unpatched? What does the traffic
> look like on the wire? How exactly does the target change or react when the
> exploit hits? How would I hide any telltale signs?
> Now try mixing things up a little. If there was an IPS in the way how would
> you fragment the packets to still get that exploit through? What is the
> minimum level of fragmentation that would still work and what is the
> difference in the amount of time it takes? Heck, what about different types
> of IPS? If you modify the exploit payload how does the target box react? Can
> you modify it enough so that the standard signatures on the IPS don't
> trigger? How many different variables can you work through and *still* reach
> your objective? Solid repeatable results 99.9% of the time regardless of the
> variables should be the goal.
>
> This kind of practice isn't going to make RTM w2k IIS any less exploitable,
> solve some great unknown, or cause women to swoon. But I can almost
> guarantee that it will give him a more thorough understanding and background
> of how and why it works. The research, testing and understanding needed to
> tackle just the suggestions above for a beginner will greatly enhance their
> skills. Building on a foundation of knowledge and then adding layer upon
> layer isn't a waste of time IMHO.
>
>
>> Go to the metasploit site and see if some of the oldies but
>> goodies are there. Any of the IIS5 stuff will work....
>> http://www.metasploit.com/projects/Framework/exploits.html
>>
>
> I have the feeling that HD Moore uses a lot of the same tactics I describe
> above for practice when looking for new holes and exploits. Poking and
> prodding and seeing what happens when things are changed around. Of course,
> he may be too hung over after Defcon and Blackhat to reply right now :)
>
>
> --
> Erin Carroll
> Moderator
> SecurityFocus pen-test list
> "Do Not Taunt Happy-Fun Ball"
>
>
------------------------------------------------------------------------------
This List Sponsored by: Cenzic
Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request@cenzic.com for details.
------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:36 EDT