Hack IIS6 Contest - win an Xbox

[DwarfData]

It should also be noted that this server is not running anything, just IIS, not ASP, no database, email, ftp or anything, just IIS;

From May 16th, the server will be hosting an ASP.Net website with a back end SQL Server.

 

[Perris Calderon]

I think alot of the ones that actually have skill (ie not script kiddies) do it for the thrill/fun of it, not for $/reward.

they will be giving up plenty of their tricks to accomplish this, those tricks never to work again.

but for the fame of it, maybe it'll be worth it to them

 

[NetRyder]

From May 16th, the server will be hosting an ASP.Net website with a back end SQL Server.

True.

May 2 - Challenge begins with very basic static HTML web site to focus hackers on hacking IIS code
May 16 - ASP.NET web site put up to give more potential hacking angles
June 8 - Contest ends
June 9 - Winner (or lack of winner) announced at TechEd in Orlando.

Having your name announced at TechEd seems well worth the effort to me. TechEd is a huge conference like WinHEC or PDC, and there are attendees from all over the industry.

 

[Perris Calderon]

True.

Having your name announced at TechEd seems well worth the effort to me.

this is the only reason anyone capable will want to take the challenge...certainly not an x box

 

[Steevo]

Pfffttt..


If I wanted to *CRACK* a server I sure as hell wouldn't want my name announced anywhere. Good way to find teh poliz knocking on your dor asking to see your office.

 

[NetRyder]

It's a contest. They're essentially giving you the right to break in. You wouldn't get into legal trouble for doing so.

 

[Steevo]

It's a contest. They're essentially giving you the right to break in. You wouldn't get into legal trouble for doing so.

But by doing so you are also telling everyone who knows who you are and what you are.

If it looks like a duck.
If it quacks like a duck.
It must be a qwacker, mebey they will then wonder what else you have been doing in your spare time or how you learned or what you practiced on?

No thanks.

 

[NetRyder]

Well, you don't have to give them your personal details. In that case, they probably won't be able to send you the Xbox either (although the recognition is a bigger incentive to most people, as discussed earlier).

But if someone wants to prove that IIS6 can be compromised, he can remain anonymous and still achieve his goal. If the server is compromised, I'm sure the results will be announced, regardless of whether the hacker chooses to reveal his personal details or not.

I doubt anyone on this forum (especially the IIS bad-mouthers) can do it. Prove me wrong.

 

[Elektro Slime]

Sure.. I can...... give me a year or two then ull see.......... gosh i dont know the first thing about hacking.....but then again a few years ago it was quite easy to hack into ur friends oc, just send him a legit file containg a trojan and get him to run it. then go to the client program type in his IP and you basically could own their system. I tried it on a couple of friends and it worked most the time. But things are different nowadays.........sigh

for those who run firefox, did you know that all ur saved passwords are kept in a file called signons.txt? well few days ago while using Shareaza ( a free P2P program) i decided to see if any1 was dumb enough to allow their entire system to publicaly shared, so in the search box I typed in signons.txt and sure enough in just a few seconds I got like 4 hits. i downloaded them but havent tried em out. I figure if i copy the text in those files into my own signons.txt i could log into their accounts.....

 

[Xie]

for those who run firefox, did you know that all ur saved passwords are kept in a file called signons.txt?

This is only if you tell Firefox (I assume it works the same way as w/ Mozilla) to remember your passwords. You also have the option to encrypt the info and also to set a "master password" for your password file.

 

[Elektro Slime]

really? how do you set the master pwd and encrypt the info?

 

[FishBoy]

damn no DoS allowed since it's the easiest way to get in to anything

 

[X-Istence]

Hopefully all the mofos who have been bashing IIS all over the internet will come and show up and prove their rhetoric without due credence. I also hope that the people who are setting this up are geniunely curious and doing this objectively (hardening the box with reasonable security measures), instead of just conceding IIS is not secure.

I am waiting for MS to roll out their next security patches for Windows 2003 server to patch the server at school. So far it is fairly secure, but you never know with the new exploits coming out daily. I personally trust Apache on FreeBSD/OpenBSD more than IIS on Windows, but that is just me.

Interesting, the site was running Win2k and IIS 5.0 until a couple days ago, and now on 2k3 and IIS 6.0. Maybe they are afraid that IIS 5 and Win2k are insecure? BTW, this is run by Microsoft, do you really think they are going to admit it when their server gets compromised? I'll thow a Code Red/Nidma at it

I portscanned the server, they only have port 80 open, now if they were running the remote web administration I think I'd atleast try it, since there are some XSS vulnerabilities in IIS 6.0 that have gone unpatched for almost two years

Well if they have everything closed but port 80, then it is a fair contest to see how bad IIS really is. I will be waiting for the results. IIS 6 is supposed to be quite a bit better security wise than the older versions, plus it does not run as the SYSTEM anymore, well, except a few modules that get loaded into the kernel for faster TCP/IP handshaking with Windows/IE. Interesting note about this later.

/love the idea, but win an x box?

they are going to get millions of dollars worth of r and d...anyone that will be able to crack this is site I don't think wants an x box...though they'll do it for the fame

I doubt they want fame because of this, after you hack the server people will be wary about hiring you, only people that can do this without repercussion in the form of not getting a job the next time they need one, is the security companies. And $150 is just not worth "giving" out a new exploit for script kiddies, they want to do more damage than get a shiny new Xbox. As to them it is not about the money, but rather the amount of damage they can do.

would this be true for any operating system?

Yes, if it is reasonable badly programmed. Cpanel, plesk, ensim all have major problems in their administration, only thing that helps them out of the fire is the fact that they have a pretty good security in the frontend, so getting in is more of a problem, than once you are in. That is not to say that if you run a server with cpanel, plesk or ensim that you are automatically insecure.

Webmin has a pretty good security track record as does DirectAdmin, but i would still not use them for my day to day tasks, and would keep even them limited to a small set of IP's that are allowed to connect to the port.

I'm thinking the server would get hacked even if it has greater security then other os's...everything is relative to the effort invested

the real test is to put all os's up to the same competition, and then the os to get hacked with the fewest resources, and fewest hours invested in the effort is the looser

even that wouldn't be fair becuase more people would have allready invested more time hacking microsoft products and ms would start any competition like that a leg down

still this would be accurate, since practically it would still be less secure regaredless of the reason that might be so

As a server? Running what software?

There is webmin for *nix servers, which is relatively secure, as in you can't really have a server be remotely administrated without any vulnerabilities. The problem with the remote web administration for IIS is that you can use session spoofing to gain administrative rights because of an exploit left in by Microsoft on purpose, in order to allow an administrator to reboot the machine remotely but still continue the remote administrative session without logging back in. It should also be noted that this server is not running anything, just IIS, not ASP, no database, email, ftp or anything, just IIS; also it is running behind a pretty powerful UNIX firewall ironically enough, as pointed out on /.

As noted in many other discussions on this, the prize of an XBOX is basically nil, considering a true exploit found in a "secured" IIS server would be worth a hell of a alot more than a $150 XBOX.

That is a problem with most software j79zlr recently cpanel closed a hole that had the same problem when restarting WHM itself, not the whole server.

From May 16th, the server will be hosting an ASP.Net website with a back end SQL Server.

Back end SQL server, so that will probably mean it is not open from attack from the internet, which is a good thing, as we are testing IIS 6 here, not the SQL server.

Well, you don't have to give them your personal details. In that case, they probably won't be able to send you the Xbox either (although the recognition is a bigger incentive to most people, as discussed earlier).

But if someone wants to prove that IIS6 can be compromised, he can remain anonymous and still achieve his goal. If the server is compromised, I'm sure the results will be announced, regardless of whether the hacker chooses to reveal his personal details or not.

I doubt anyone on this forum (especially the IIS bad-mouthers) can do it. Prove me wrong.

I doubt it as well. I am not sure if IIS 6 has new exploit's or not, MS is coming out with another patch set in June i believe, and that is when we get it at school, and will see what is going on. I do not know of any exploits that are currently available that work against a standard IIS 6 install, which is reasonable locked down.

damn no DoS allowed since it's the easiest way to get in to anything

No, DDoS is a distributed denial of service, not the easiest way to get into anything. All it does is make the server go down for extended periods of time because it is overwhelmed with illegitimate traffic which does nothing but congest pipes on the internet with Gigabytes of traffic per second. All it could find is that Windows TCP/IP stack breaks down because of the amount per second, and the server BSOD's, but then nothing is accomplished. If Linux or FreeBSD or openBSD, or any other OS gets that much traffic thrown at it, it will mostly get bogged down so fast that no more new connections are possible. And might possibly take a service down or two. This is mostly mitigated by having a ton of servers with a huge pipe and front load balancers, which spread the traffic thinly, and that most bad traffic never gets to the server in question. Thing is, most of the time that does not help anymore, because of the sheer magnitude of bandwidth that is used incoming.

 

[X-Istence]

Just a note about the kernel module loaded into memory when IIS is started, what this does is give the server an edge over other servers in the same field, as it is cheaper to get resources when you are the kernel. Also, everything passes through the kernel in such a manor:

NIC interrupt -> kernel -> device driver -> kernel -> userland -> kernel -> NIC

With the module:

NIC interrupt -> kernel -> device driver -> kernel (module) -> NIC

The module itself can complete most of the preliminary stuff that otherwise would have to be done in either userland, or after hitting userland in the kernel again.

If one looks at server farms where all those dead domains are hosted, or the parked domains, they are mostly hosted on IIS 6, since it is all static content. IIS 6 is extremely fast when it comes to static content, where it lacks is dynamic websites, ASP is not really up to where PHP is, also, when ASP comes into the picture much of the kernel's module efficiency is removed, as now we are waiting on ASP to "compile" the file and then send the output to the browser.

If i were hosting millions of sites with small 500 k sites, i would pick IIS for it's sheer speed in the hosting of the pages, would it come to big dynamic websites, and huge backends, I have personally through experience found that Apache scales better.

 

[Xie]

damn no DoS allowed since it's the easiest way to get in to anything

That would just drop the system, thats no way to "hack" a box. Perhaps your thinking buffer overflow or something?

 

[NetRyder]

Great posts, X-Istence. Very objective and well thought out.

 

[X-Istence]

Great posts, X-Istence. Very objective and well thought out.

Thank you.

 

[Perris Calderon]

the links are broken...how did this go?

 

[NetRyder]

Hmm...interesting. It was supposed to end today, wasn't it?

 

[X-Istence]

Hmm...interesting. It was supposed to end today, wasn't it?

Believe so. Major DDoS?