Ethical Hacker Community Forums
November 22, 2008, 03:17:55 AM
Show Posts
1
Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Reverse shell on IIS 6.0
on: September 18, 2007, 11:17:40 AM
I'll try to keep the backstory short on this. We have an outside vendor that has developed a web-based application for one of our departments. The application allows the logged-on user to upload files into a directory that is accessible to the web server. In other words, you can upload a file, and then point your browser at that file. We have some concerns about this, so I decided to set up a test machine to test a potential vulnerability. I have set up IIS 6.0 on a virtual machine running a fully patched evaluation version of Windows Server 2003, set some ridiculously wide-open permissions on the folder, and whipped up an ASP.NET application that lets an anonymous user upload any file to the wwwroot directory. I have verified that I was able to upload cmd.exe and nc.exe to the wwwroot directory. The problem is, I can't seem to do anything with those files that I uploaded. I have made sure that everyone has execute permission on the wwwroot folder, but I still can't seem to get a reverse shell. I can't even seem to get a directory listing. I tried putting this into my browser: http://134.29.32.249/cmd.exe?dir+c:\ but I keep getting a "page cannot be displayed" error. I also tried: http://134.29.32.249/nc.exe?-l+-p+1001+-e+cmd.exe which also hasn't worked. Does anyone know IIS well enough to tell me what I've done wrong here? Is there some setting that I haven't opened up so that the web server can run the .exe? Is there something wrong with the HTTP request that I've sent to the server?
2
Ethical Hacking Discussions and Related Certifications / Other / Re: To Mac or not to Mac?
on: April 02, 2007, 09:08:14 PM
You know, I've been thinking about making the switch too. For me, it all started when I started migrating from using Windows to using Linux on my desktop. Once I started to get used to how things were done in Linux I started to grow as a security professional. And I think I have a more powerful operating system. I've recently had the opportunity to play around with the Macs a bit, and I have to say that I was impressed. Since the operating system is Unix based, I was able to do a lot of the stuff that I do in Linux on the Mac, but I was also able to take advantage of the fact that I know the hardware is going to work with my operating system. Also, the media playback is far superior on Mac than it is on Linux. Sure, I can make my Debian machine play a .WMV file, but it was a pain in the butt to make it happen. On the Mac, it was easy.
There have been some applications that I use on Linux that don't come standard with the Macs, like Gnu Privacy Guard (GPG). I also found that everything I needed had been ported to Macs. I think that since they moved to the Unix based operating system, the amount of software available on the platform has increased quite a bit.
I don't know how the virtualization works on the Macs. If VMware is available on the Mac then I would be pretty confident that you could work your Windows stuff just fine. Since I got to a point where I almost never need to use Windows, I didn't really spend much time trying to make my Mac act like a Windows machine. Worst case scenario, you can always have a Windows desktop running somewhere and use Remote Desktop if you need to use some application like MS Outlook.
So there is my opinion. I liked using the Mac, and I'm trying to come up with a way of convincing my boss that I should have one permanently.
4
Ethical Hacking Discussions and Related Certifications / Hardware / Re: Money to burn
on: April 02, 2007, 09:39:04 AM
I always feel like training is the place to start. You need to know some stuff before you even have an idea of what you want to do and what gear you're going to need. Also, with a bit of training you can probably get yourself a job where you can get hands on experience with someone else's gear.
That said, put the money into an indexed mutual fund, and take out student loans for your classes. You'll make anywhere from 10 to 15 percent on the money in your fund, and you'll pay about 5 percent on your student loans. As a general rule, I try to hang on to as much of my money as I can, and get other people to pay for the things I need to know.
5
Ethical Hacking Discussions and Related Certifications / Malware / Re: ANI Zero Day Takes New Turns to the Uber-Nasty
on: April 02, 2007, 09:34:18 AM
I don't understand the motivation for this. I have read that there are some spam campaigns trying to lure people to websites that are hosting the malicious file. The question that raises is, why?
If the malicious file causes the computer to go into a boot loop then I don't see how there is any money to be made, and I can see considerable risk that you might bring prosecution on yourself by trying to mess up people's computers. I know that once upon a time the general opinion was that people were hacking for reputation and bragging rights, but the conventional wisdom is that the motivation has shifted to profits, and I don't see where the profits are in this attack.
6
Ethical Hacking Discussions and Related Certifications / Forensics / Re: Forensics or Ethical hacking?
on: April 02, 2007, 09:30:10 AM
I've been working in IT security for just about a year now, and while I certainly do enjoy my work, I can see that something in my heart is pulling me towards forensics.
The question that raises for me is where do I start? This isn't the kind of stuff that they teach in college, and while finding stuff on the Internet can be very effective, I literally don't know what it is that I need to know to be effective at the job.
I can imagine that some classes on evidence collection would be necessary, and that is stuff that I can take here at the university that I work at. On the computer side, I have access to quite a bit of hardware, and I can make a case for buying some things that I might need. What I need is a roadmap. Anyone have any ideas?
7
Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: tapeworm’s 1337 h4×0r h4ndb00k
on: March 21, 2007, 08:56:59 AM
I must disagree with Don. If it weren't for Hackers I never would have heard of The Prodigy and my life wouldn't include their sweet soothing music.
You also get to see Angelina Jolie back before she adopted a small army of children to do her bidding.
Joking aside, I would say that the only reason you would ever need to see that movie is so that you can understand any pop culture references that are made to the movie. You're not going to learn anything from it.
8
Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Weird Firewall scan results
on: March 21, 2007, 08:52:14 AM
Perhaps the ISP has put in proxies to prevent people from running servers out of their house. It wouldn't be the first time that they have used dirty tricks to try and stop people from running a website or FTP site on their home connection.
I'm not sure what your setup is, but if you were to disconnect your firewall from your ISP and then use a crossover cable to connect your scanning machine to the external interface on your firewall, then you could scan the firewall and be certain that no interference from your ISP is skewing your results.
You could also try to telnet to some of those ports and see what server is answering; if it isn't your stuff, then you know that there are shenanigans being pulled at the ISP level.
9
Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: cached domain password retrieval
on: February 28, 2007, 02:51:46 PM
Thanks, Kev. You don't have to think very hard to figure that the key to dictionary attacks is having a great word list. I found a website that has a pretty good pile of word lists that people might want to check out: http://www.theargon.com/achilles/wordlists/. So far I have managed to break 5 of 17 passwords with the dictionary attack, which I would consider to be pretty good results. After all, a person only needs one to cause some damage. The point of this whole exercise is to come up with some tips for making the lab computers at our university less susceptible to this kind of thing. I have a few suggestions that I will run by my managers:
1. We need to alter the registry so that we don't cache credentials.
2. We need to make sure that the workstations aren't storing LANMAN hashes of local accounts.
3. Maybe we should alter group policy so that users cannot run executables from a USB drive.
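An added example (not from the post or its author) of how an administrator could audit suggestions 1 and 2 on a lab workstation: it reads the two standard Windows registry values that control credential caching and LANMAN hash storage, reports whether each matches the hardened setting, and applies the change only when run with -Fix. It assumes a local PowerShell session with administrative rights; the value names and paths are the standard Windows locations, not something named in the post.

```powershell
param([switch]$Fix)

# Registry values behind suggestions 1 and 2 (standard Windows locations, not from the post).
$checks = @(
    @{ Name = 'CachedLogonsCount'   # domain logons kept for offline use; 0 = cache none
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Want = '0'; Type = 'String'; Default = '10' },
    @{ Name = 'NoLMHash'            # 1 = stop storing the LANMAN hash at the next password change
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Want = 1;   Type = 'DWord';  Default = 0 }
)

function Test-CredentialCacheSetting {
    param([hashtable]$Check)
    # Read the value; a missing value means the Windows default applies.
    $current = (Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue).($Check.Name)
    if ($null -eq $current) { $current = $Check.Default }
    [pscustomobject]@{
        Setting   = $Check.Name
        Current   = $current
        Expected  = $Check.Want
        Compliant = ("$current" -eq "$($Check.Want)")
    }
}

$results = foreach ($c in $checks) {
    $r = Test-CredentialCacheSetting -Check $c
    if (-not $r.Compliant -and $Fix) {
        # Set-ItemProperty creates the value if it does not exist yet.
        Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Want -Type $c.Type
        $r = Test-CredentialCacheSetting -Check $c   # re-read to confirm the change took
    }
    $r
}
$results | Format-Table -AutoSize
```

Setting NoLMHash only stops new LANMAN hashes from being written; hashes already stored remain until each account's password is changed, and CachedLogonsCount of 0 means domain users cannot log on while the domain controller is unreachable.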
10
Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: cached domain password retrieval
on: February 28, 2007, 01:59:11 PM
Well, Kev, the reason I brought this up was so other people could tell me some of those tools that are better than fgdump to get at cached passwords. I looked around on Google and most of the tutorials on gathering the password caches use a tool called cachedump which is no longer in the public domain.
Now I've found that cachedump does come with fgdump, and if I use that program directly I can get the hashes that I want. Then I reformatted the cache file into a format that can be used by Cain and tried running a dictionary attack against the file. We'll see how well that works for me.
Kevin
12
Ethical Hacking Discussions and Related Certifications / Network Pen Testing / cached domain password retrieval
on: February 27, 2007, 05:05:02 PM
Hi all,
I was wondering what tools you guys use to retrieve and crack any cached credentials for domain users on workstations. I was in a meeting about password policy and I mentioned that our computer lab computers are still set to cache credentials and store NTLM passwords for users. Later I went to one of our lab computers and used fgdump to get a list of hashes for local accounts on the machine. However, no matter what I try I can't seem to get a list of cached credentials for domain accounts that have logged in. I know that there has been plenty of activity on these machines, but I can't get at it. I tried using Cain, but I keep getting an error about LSASS. And yes, I am logging in with a local administrator account on the machine.
Any ideas?
13
Ethical Hacking Discussions and Related Certifications / Other / Re: 2 OS
on: February 19, 2007, 09:38:00 AM
You're already going to take a performance hit because you're running the operating system in a virtual machine. That means that operating system isn't going to have as much RAM or processing power available to it. Then, on top of that, you're giving it a slower hard drive. I think there isn't much you could do to make that combination result in good performance. I also think that once you get flight simulator installed you will crap yourself over how poorly it runs.
As for running two operating systems, make sure you check out VMware Player. It is a free download, and if you look around on the Internet you can find instructions for legally going around the technical restrictions that make VMware Player less appealing than VMware Workstation.