Hack IIS6 Contest - win an Xbox

NetRyder

Beginning May 2nd and running until June 8th, this server (located at http://www.hackiis6.com) will welcome hackers to attack it. If you are the first person to deface the Web site or capture the "hidden" document, you win an X-box! Read the contest rules for what does and doesn't constitute a successful hack. We've tried to be as realistic as possible in what constitutes a successful hack and in mimicking a basic HTML and ASP.NET web site.

For the most part, almost anything reasonable constitutes a successful attack except for a massive network denial of service (DoS) attack against the Internet Information Services (IIS) 6.0 box or its host provider. We want to test the security of Windows Server 2003, IIS, and other Microsoft applications. So, please, respect this rule of the contest so everyone can have a chance at claiming the prize.

This server is running Windows Server 2003, Service Pack1, with all current publicly released patches and hotfixes installed (we ran Windows Update and MBSA just like you would do). We installed IIS 6.0, and then we followed Microsoft's basic recommendations (http://www.microsoft.com/technet/security/prodtech/IIS.mspx). I added a few tweaks here and there to put my personal mark on the site, but nothing extraordinary.

We want this contest to test Microsoft software, and so the only third-party software we used is the host's router/firewall, which would be normal in most environments.
http://www.hackiis6.com/default.htm

Haha, let's see how this goes. :up:
 
It's down for me, would that mean someone is already going to win? :p
 
themafia.69 said:
It's down for me, would that mean someone is already going to win? :p
No, it just means you have a terrible connection. Sorry. :p
 
lol saudi... looks interesting, too bad I don't know the slightest thing about hacking. Maybe mafia or someone can hook me up with some info on doing so.
 
haha, not me, I stopped even trying to look down that path, for two reasons: I suck, and there's always someone better than you. And I think that trojans/backdoor programs are pathetic; used one once, thought it was cool, got over it!
 
Hopefully all the mofos who have been bashing IIS all over the internet will come and show up and prove their rhetoric without due credence. I also hope that the people who are setting this up are genuinely curious and doing this objectively (hardening the box with reasonable security measures), instead of just conceding IIS is not secure.
 
vern said:
Hopefully all the mofos who have been bashing IIS all over the internet will come and show up and prove their rhetoric without due credence. I also hope that the people who are setting this up are genuinely curious and doing this objectively (hardening the box with reasonable security measures), instead of just conceding IIS is not secure.
Exactly my thoughts. :)
 
Interesting, the site was running Win2k and IIS 5.0 until a couple days ago, and now on 2k3 and IIS 6.0. Maybe they are afraid that IIS 5 and Win2k are insecure? BTW, this is run by Microsoft, do you really think they are going to admit it when their server gets compromised? I'll throw a Code Red/Nimda at it :p

I portscanned the server, they only have port 80 open. Now if they were running the remote web administration I think I'd at least try it, since there are some XSS vulnerabilities in IIS 6.0 that have gone unpatched for almost two years ;)
 
j79zlr said:
BTW, this is run by Microsoft, do you really think they are going to admit it when their server gets compromised?
The contest is actually being organized by Windows IT Pro, a magazine that isn't affiliated with Microsoft.
I'll throw a Code Red/Nimda at it :p
Less talk, more action. ;)
 
love the idea, but win an Xbox?

they are going to get millions of dollars' worth of R&D... anyone that will be able to crack this site I don't think wants an Xbox... though they'll do it for the fame
 
j79zlr said:
Interesting, the site was running Win2k and IIS 5.0 until a couple days ago, and now on 2k3 and IIS 6.0. Maybe they are afraid that IIS 5 and Win2k are insecure?

This is irrelevant to the goal of the project.

BTW, this is run by Microsoft, do you really think they are going to admit it when their server gets compromised? I'll throw a Code Red/Nimda at it :p

Like Netryder has already said, the organizers are not affiliated with Microsoft. Just as there are *nix magazines, there are Windows magazines.

I portscanned the server, they only have port 80 open. Now if they were running the remote web administration I think I'd at least try it, since there are some XSS vulnerabilities in IIS 6.0 that have gone unpatched for almost two years ;)

I'm almost inclined to assume that that is conceding defeat. Must people wait for someone else to publish an exploit before going forward?
 
Well, they restrict Microsoft employees from participating, so I would assume that they are affiliated. I am not a hacker/cracker or whatever; all I was saying is that if they had allowed the remote web administration open, there are some easy break-ins. Or is fundamental English not required with the Microsoft fanboy newsletter?
 
j79zlr said:
had allowed the remote web administration open, there are some easy break-ins

would this be true for any operating system?
 
j79zlr said:
all I was saying is that if they had allowed the remote web administration open, there are some easy break-ins. Or is fundamental English not required with the Microsoft fanboy newsletter?

There is a difference between being a fanboy and giving credence to the operating systems without prior anti-MS fanboy membership. It almost seems like you are saying that ... yes Windows Server is an easy target, but only if they had this or this running ... but not when capable admins reasonably secure it.
 
If the o/s is really insecure, then the server will be hacked. Unless someone steps up to put their money where their mouth is, any argument is pretty pointless :D
 
SPeedY_B said:
If the o/s is really insecure, then the server will be hacked. Unless someone steps up to put their money where their mouth is, any argument is pretty pointless :D

I'm thinking the server would get hacked even if it has greater security than other OSes... everything is relative to the effort invested

the real test is to put all OSes up to the same competition, and then the OS to get hacked with the fewest resources and fewest hours invested in the effort is the loser

even that wouldn't be fair because more people would have already invested more time hacking Microsoft products, and MS would start any competition like that a leg down

still, this would be accurate, since practically it would still be less secure regardless of the reason that might be so
 
perris said:
I'm thinking the server would get hacked even if it has greater security than other OSes... everything is relative to the effort invested

the real test is to put all OSes up to the same competition, and then the OS to get hacked with the fewest resources and fewest hours invested in the effort is the loser

even that wouldn't be fair because more people would have already invested more time hacking Microsoft products, and MS would start any competition like that a leg down

still, this would be accurate, since practically it would still be less secure regardless of the reason that might be so
The problem with this type of competition is not that everyone has put more time into hacking MS products. The problem would be finding equal admins for each OS and being able to set up each with the same exact specs.

Also, in the "real world" it often matters what else is running on the server in addition to a web server. Also how the web server is configured (i.e. does it run PHP, ASP, CGI, etc.).
 
There is webmin for *nix servers, which is relatively secure, as in you can't really have a server be remotely administered without any vulnerabilities. The problem with the remote web administration for IIS is that you can use session spoofing to gain administrative rights because of an exploit left in by Microsoft on purpose, in order to allow an administrator to reboot the machine remotely but still continue the remote administrative session without logging back in. It should also be noted that this server is not running anything, just IIS: no ASP, no database, email, ftp or anything, just IIS; also it is running behind a pretty powerful UNIX firewall, ironically enough, as pointed out on /.

As noted in many other discussions on this, the prize of an Xbox is basically nil, considering a true exploit found in a "secured" IIS server would be worth a hell of a lot more than a $150 Xbox.
 
j79zlr said:
As noted in many other discussions on this, the prize of an Xbox is basically nil, considering a true exploit found in a "secured" IIS server would be worth a hell of a lot more than a $150 Xbox.

the prize should be a position in some security firm, with a generous salary guaranteed for a year and a bonus like half that salary

that's when you'd find the real hackers/crackers come out of the woodwork
 
perris said:
the prize should be a position in some security firm, with a generous salary guaranteed for a year and a bonus like half that salary

that's when you'd find the real hackers/crackers come out of the woodwork
I think a lot of the ones that actually have skill (i.e. not script kiddies) do it for the thrill/fun of it, not for $/reward.
 