Penetration Testing mailing list archives

Re: VmWare and Pen-test Learning


From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa () pacbell net>
Date: Sun, 06 Aug 2006 22:10:47 -0700

I'm not sure though that "RTM" is a valid test... especially for Windows 2000 for several reasons.

1. Windows 2000 RTM is sooooo not supported that it's not funny... for a firm to still be running Windows 2000 RTM in a setting that would provide the means for remote exploitation... well, they deserve to be hacked. Windows 2000 SP4 is the supported OS.

2. Windows 2000 RTM'd in Feb of 2000... while you cite the Unicode exploit of IIS 4.0... IIS 5.0 was known on the map for Code Red/Nimda... http://www.caida.org/analysis/security/code-red/ In its day you could build a box and get nailed while installing the OS. As you tried to bring it online to patch it... it would get nailed in the process.

3. A default installed Windows 2000 was in the era of "Hey, let's get Mickey to try it!" and everything was running on that system... IIS 5.0 was default installed on that Windows 2000... thus if you have a Windows 2000 RTM box sitting there with no firewall... well, let me put it this way... there was a time in the newsgroups in the 2k era that we'd tell folks who came in with IIS non-functional... "what rock did you crawl out from under?"

http://www.microsoft.com/technet/security/bulletin/MS01-033.mspx

*I'm running Windows 2000 Server. Am I vulnerable?* Default installations of Windows 2000 Server *are* vulnerable. IIS 5.0 installs by default as part of Windows 2000 server products, and Idq.dll is installed as part of the IIS 5.0 installation process.

If you can't nail an RTM Windows 2000 in say... oh... what.. 5 minutes or less? I'd be surprised. I'm not sure that's testing those pool shots (and what is it with security and people who play pool?) and exercising anything when that's sooooo vulnerable it's not funny. You don't even have to do anything.. just build it and stick it on the internet. What kind of pool shot is that?

Even Windows 2003... RTM means pre-Blaster and no firewall to protect that live NIC as it comes up on the internet.

RTM of Windows 2003 was April of 2003

Blaster came out in August http://www.sbslinks.com/timeline.htm

RTM of Windows 2003 doesn't have a firewall enabled on boot and is vulnerable to blaster. Stick that Windows 2k3 live on the web without a firewall. See how long it lasts before getting nailed. Let us know.

I think SANS had a machine last like 30 minutes before being owned...
http://www.incidents.org/survivalhistory.php?isc=08a65cd9f99ef350d7fa82dbce2c6fc4

For the rest read this:
http://www.sans.org/top20/

....but remember... RTM is not only not secure... but may not be supported... Win2k SP4 is the supported version of Windows 2000. ... Win2k3 RTM (if my memory of life span is working) will go out when Win2k3 SP2 is released... given that they are talking beta of SP2, not sure when that will occur.
http://support.microsoft.com/gp/lifesupsps#Servers

I would hope that if firms needed OS's like NT and prior versions of 2k they'd be protecting those and isolating those as they are insecure and are a risk to the rest of us as well.

Go to the metasploit site and see if some of the oldies but goodies are there. Any of the IIS5 stuff will work....
http://www.metasploit.com/projects/Framework/exploits.html




Erin Carroll wrote:
Welcome to the pen-test world John.
Now before everyone freaks out about why I let essentially a basic newbie
question on the list here's why and what kind of responses I was hoping for:
I like to play pool. But in order to get better I do lots of drills of
simple shots over and over. Some people prefer to practice in other ways. In
a similar vein, what types of exercises should John do to increase his
skills and expand his knowledge? I know how I practice my pen-test skills to
stay sharp but hearing some other methods people use might give me some
ideas or other ways to tackle things.

So, he's got Vmware and a couple of images to play with. What kinds of
drills should he work on?

--
Erin Carroll
Moderator
SecurityFocus pen-test list
"Do Not Taunt Happy-Fun Ball"
-----Original Message-----
From: IRM [mailto:irm () iinet net au]
Sent: Sunday, August 06, 2006 1:58 AM
To: pen-test () securityfocus com
Subject: VmWare and Pen-test Learning

Hi all,

I would like to learn about penetration testing or maybe vulnerability assessment (?) or whatever it is called. I have set up a few machines on VMware - Windows 2000 Server, Windows 2003 Server and Solaris 9.0. These machines are unpatched, with no updates or service packs. Basically what I would like to achieve in this task is to demonstrate that these machines are not secured. Thus, by using well-known exploits that are available in the public space, people can easily exploit the system and gain administrator privileges either by a local exploit or a remote exploit.

Now, the question is, where to start? Can people suggest where I should start? Should I start by using Nessus to identify all the vulnerabilities that are applicable to these machines, and then do some research on securityfocus.com, i.e. to find the exploits?

Or maybe if there is a list of vulnerabilities for each of the operating systems, I think that would be great! Because I know that the Unicode exploit on IIS 4.0 was quite famous at that time. Is there a similar thing on Windows 2003? Is there a list available like a TOP 10 Exploits or something?

Cheers,
John




This List Sponsored by: Cenzic