lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20050510230936.57143.qmail@web32013.mail.mud.yahoo.com>
Date: Wed May 11 01:38:34 2005
From: bobbie_prince at yahoo.com.au (Luke Skywalker)
Subject: RE: Invitation to www.banneretcs.com Hacking
	Contest


It's not the traditional honeypot...but it is. <grin>

 

Welcome to the Hack www.banneretcs.com Contest!

 

Starting May 2nd and going until June 8th, the server located at

www.banneretcs.com will welcome hackers to attack it. If you can

deface the web site or capture the "hidden" document, you win an X-box!

Read contest rules at www.hackiis.com for what does and doesn't constitute a successful

hack. We've tried to be as realistic as possible in what constitutes a

successful hack, and in mimicking a basic HTML and ASP.NET web site.  

 

For the most part, almost anything reasonable constitutes a successful

attack except for a massive network denial of service attack against the

IIS 6 or its host provider.  Not that doing a successful DoS attack

wouldn't be a problem in the real world...it would be...but we aren't

testing that.  We want to test the security of Windows Server 2003, IIS,

and other Microsoft applications. So, please, respect this one rule of

the contest so everyone can have a chance at claiming the prize.  

 

Questions and Prizes

If you have questions, send an email to roger@...neretcs.com.  If you want

to claim a prize, send your email, with the details listed in the

official rules to roger@...neretcs.com.

 

Contest Summary

We are going to start the contest for the first two weeks with the very

basic, static HTML web site that you are now reading. Two weeks later,

we'll add an ASP.NET web site and a back-end SQL server to add more

flavor and give more area to attack. We started with the basic site to

prove that Microsoft's Internet Information Service (IIS) and Windows

Server 2003 is secure by itself.  This is to satisfy the purists who

thinking hacking ASP.NET is hacking an application and not the server.

So, if you've got skillz in one area versus the other, you'll have a

chance to try both attack types.

 

Once the contest stops on June 8th, we will announce the winner(s) at

the upcoming June Microsoft Tech.Ed conference. 

 

The Setup

This server is running Windows Server 2003, Service Pack1, with all

current publicly-released patches and hotfixes installed (we ran Windows

Update and MBSA just like a real admin would do). We installed IIS 6.0.

and then we followed the basic recommendations

(http://www.microsoft.com/technet/security/prodtech/IIS.mspx) suggested

by Microsoft. I added a few tweaks here and there, to put my personal

mark on the site, but nothing extraordinary.

 

There is no non-Microsoft software involved with the exception of the

host's router/firewall, which would be normal in most environments.  We

want to make this a test of Microsoft software.

 

Why a hacking contest?

To have fun!  Sure there will be critics who say sponsoring a hacking

contest proves nothing.  If the IIS server remains unbroken, it still

doesn't mean that IIS is really "secure."  True, and if I wasn't the

contest's team leader, I'd probably be the first one to yell that out.

Hacking contests rarely prove something is secure, although it only

takes a single successful hack to prove something is unsecure. 

 

So why do it?  There are very few places on the Internet where hackers,

good and bad, can hack legally. Windows IT Pro thought the contest would

be a fun way to interact with the hacker community (they realize most

hackers have good intentions) and bring some attention to Windows IT Pro

(of course, they'll disavow all responsibility and blame me solely if

the server gets hacked) <grin>.

 

So, welcome to the contest! Hack away.  If the IIS server goes unhacked

during the extended time period, it might not mean that IIS is

"unhackable", but if it does survive the contest it might convince a few

people that it is a relatively secure web server platform. After all,

over 20% of the Internet relies on it, including some of the largest web

sites in the world.

 

Happy Hacking,

 

Roger A. Grimes

Contributing editor, Windows IT Pro Magazine

************************************************************************

***

*Roger A. Grimes, Banneret Computer Security, Computer Security

Consultant *CPA, CISSP, MCSE: Security (NT/2000/2003/MVP), CNE (3/4),

CEH, CHFI

*email: roger@...neretcs.com

*cell: 757-615-3355

*Author of Malicious Mobile Code:  Virus Protection for Windows by

O'Reilly *http://www.oreilly.com/catalog/malmobcode

*Author of Honeypots for Windows (Apress)

*http://www.apress.com/book/bookDisplay.html?bID=281

************************************************************************

****

 






---------------------------------
Find local movie times and trailers on Yahoo! Movies.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050511/5b628603/attachment.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ