Windows 2k3 remote desktop hacking help

Viewing 8 reply threads
  • Author
    Posts
    • #3265
      a21duffman
      Participant

      ok so my university puts on cyber defense competitions and i was just wondering if people know of some security holes that administrators accidentally put into a system that would leave that system vulnerable to attack. I would love for these to be real life errors like the admin was lazy and left a copy of the password list in an obscure directory.

      That system is a windows 2003 server SP1. When it is given to them it is not a part of a domain, but many decide to make it a part of one even though their only other windows system is a windows dns. The group of people that are trying to secure up their systems are high school students, but at the same time i want the attacking team to have to work at it to break into the system. The attackers come from professionals and some graduate students.

    • #21653
      KrisTeason
      Participant

      I’m unaware of an exploit that allows an attacker to bypass this but I have seen a video demonstration on how to use a tool called tsgrinder, you should look into it. The tool can be found on:
      http://www.hammerofgod.com/
      and the video can be watched on:
      http://www.learnsecurityonline.com

    • #21654
      a21duffman
      Participant

      ok i guess i should rephrase this. I’m looking for some semi common things that administrators do that are unsecure. The teams are given roughly 2-3 weeks to setup their network, and fix any holes in their security. So this would kinda be real world where someone comes into a business and the computer administrator has left. So no knowledge of how or what they did to the system, but they can’t reinstall the os.

    • #21655
      geekyone
      Participant

      Aha, in that case you are looking at a long list LOL!  Here are a few off the top of my head.
      – Insecure passwords
      – Forgetting or delaying security patching
      – Installing VNC/LogMeIn/GoToMyPC for convenient remote access
      – Using a domain admin account for routine access (this is especially bad when combined with local caching of passwords)
      – Giving users local administrator rights on PC’s
      – Not using an anti-virus or not updating anti-virus

      I hope these help.

    • #21656
      a21duffman
      Participant

      Those are great. I also looked into setting the windows installer to run as the guest account, which is disabled. To help prevent users from updating their computers as this messes with the windows update. i also installed dreampack pl on the computers, but i don’t think thats gonna do a whole lot cause we don’t get physical access to computers.

    • #21657
      timmedin
      Participant

      Try running Nessus against it.
      http://www.nessus.org/nessus/

    • #21658
      slimjim100
      Participant

      If you are on the same LAN link as the server I would say run Cain & Able to and do a Man In The Middle Attack on it (If some one is running RDP you can get in the middle of it). Also look to Chris gates video here for some cool stuff: http://www.ethicalhacker.net/content/view/105/24/

      If you are trying to defend against RDP types of attacks I think the best thing to do as a basic step is to change the RDP port number to something different.

      Another basic step would be to make a new Admin account (with a name that is not anything like Admin and set a 14+ charter password on it) and change the old Admin account to Guest permissions or disable it.

      My 2 cents 🙂

      Brian

    • #21659
      timmedin
      Participant

      @slimjim100 wrote:

      If you are trying to defend against RDP types of attacks I think the best thing to do as a basic step is to change the RDP port number to something different.

      Another basic step would be to make a new Admin account (with a name that is not anything like Admin and set a 14+ charter password on it) and change the old Admin account to Guest permissions or disable it.

      My 2 cents 🙂

      Brian

      It sounds like they are trying to attack one system (“that system”) so moving the RDP port (not a bad idea) would only stop the laziest of attackers who never ran nmap.

      I usually rename the admin account, but Brian’s idea is a little better since the admin SSID is not 500.

      I would suggest trying a quick null session enumeration with enum. It should give you lots of juicy info.

    • #21660
      timmedin
      Participant
Viewing 8 reply threads
  • You must be logged in to reply to this topic.

Copyright ©2021 Caendra, Inc.

Contact Us

Thoughts, suggestions, issues? Send us an email, and we'll get back to you.

Sending

Sign in with Caendra

Forgot password?Sign up

Forgot your details?