.

Windows 2k3 remote desktop hacking help

<<

a21duffman

Newbie
Newbie

Posts: 3

Joined: Sat Jan 31, 2009 11:30 pm

Post Sun Feb 01, 2009 12:18 am

Windows 2k3 remote desktop hacking help

ok so my university puts on cyber defense competitions and i was just wondering if people know of some security holes that administrators accidentally put into a system that would leave that system vulnerable to attack. I would love for these to be real life errors like the admin was lazy and left a copy of the password list in an obscure directory.

That system is a windows 2003 server SP1. When it is given to them it is not a part of a domain, but many decide to make it a part of one even though their only other windows system is a windows dns. The group of people that are trying to secure up their systems are high school students, but at the same time i want the attacking team to have to work at it to break into the system. The attackers come from professionals and some graduate students.
<<

KrisTeason

User avatar

Hero Member
Hero Member

Posts: 515

Joined: Sat Sep 08, 2007 7:48 pm

Location: /dev/null

Post Sun Feb 01, 2009 5:31 am

Re: Windows 2k3 remote desktop hacking help

I'm unaware of an exploit that allows an attacker to bypass this but I have seen a video demonstration on how to use a tool called tsgrinder, you should look into it. The tool can be found on:
http://www.hammerofgod.com/
and the video can be watched on:
www.learnsecurityonline.com
eCPPT (Silver/Gold), eWPT, GSEC, GISP, GCIH, OSCP, OSWP
<<

a21duffman

Newbie
Newbie

Posts: 3

Joined: Sat Jan 31, 2009 11:30 pm

Post Sun Feb 01, 2009 11:42 am

Re: Windows 2k3 remote desktop hacking help

ok i guess i should rephrase this. I'm looking for some semi common things that administrators do that are unsecure. The teams are given roughly 2-3 weeks to setup their network, and fix any holes in their security. So this would kinda be real world where someone comes into a business and the computer administrator has left. So no knowledge of how or what they did to the system, but they can't reinstall the os.
<<

geekyone

User avatar

Full Member
Full Member

Posts: 180

Joined: Fri Oct 26, 2007 12:45 pm

Location: Peoria, IL

Post Sun Feb 01, 2009 5:33 pm

Re: Windows 2k3 remote desktop hacking help

Aha, in that case you are looking at a long list LOL!  Here are a few off the top of my head.
- Insecure passwords
- Forgetting or delaying security patching
- Installing VNC/LogMeIn/GoToMyPC for convenient remote access
- Using a domain admin account for routine access (this is especially bad when combined with local caching of passwords)
- Giving users local administrator rights on PC's
- Not using an anti-virus or not updating anti-virus

I hope these help.
CISSP, CEH, GPEN, GCIH, GCFA
<<

a21duffman

Newbie
Newbie

Posts: 3

Joined: Sat Jan 31, 2009 11:30 pm

Post Sun Feb 01, 2009 11:34 pm

Re: Windows 2k3 remote desktop hacking help

Those are great. I also looked into setting the windows installer to run as the guest account, which is disabled. To help prevent users from updating their computers as this messes with the windows update. i also installed dreampack pl on the computers, but i don't think thats gonna do a whole lot cause we don't get physical access to computers.
<<

timmedin

User avatar

Sr. Member
Sr. Member

Posts: 469

Joined: Thu Feb 05, 2009 11:18 pm

Post Fri Feb 13, 2009 8:30 pm

Re: Windows 2k3 remote desktop hacking help

Try running Nessus against it.
http://www.nessus.org/nessus/
twitter.com/timmedin | http://blog.securitywhole.com
<<

slimjim100

User avatar

EH-Net Columnist
EH-Net Columnist

Posts: 385

Joined: Wed Nov 08, 2006 12:50 pm

Location: Atlanta

Post Sat Feb 14, 2009 12:14 pm

Re: Windows 2k3 remote desktop hacking help

If you are on the same LAN link as the server I would say run Cain & Able to and do a Man In The Middle Attack on it (If some one is running RDP you can get in the middle of it). Also look to Chris gates video here for some cool stuff: http://www.ethicalhacker.net/content/view/105/24/

If you are trying to defend against RDP types of attacks I think the best thing to do as a basic step is to change the RDP port number to something different.

Another basic step would be to make a new Admin account (with a name that is not anything like Admin and set a 14+ charter password on it) and change the old Admin account to Guest permissions or disable it.

My 2 cents :)

Brian
CISSP, CCSE, CCNA, CCAI, Network+, Security+, JNCIA, & MCP
<<

timmedin

User avatar

Sr. Member
Sr. Member

Posts: 469

Joined: Thu Feb 05, 2009 11:18 pm

Post Sat Feb 14, 2009 2:08 pm

Re: Windows 2k3 remote desktop hacking help

slimjim100 wrote:If you are trying to defend against RDP types of attacks I think the best thing to do as a basic step is to change the RDP port number to something different.

Another basic step would be to make a new Admin account (with a name that is not anything like Admin and set a 14+ charter password on it) and change the old Admin account to Guest permissions or disable it.

My 2 cents :)

Brian


It sounds like they are trying to attack one system ("that system") so moving the RDP port (not a bad idea) would only stop the laziest of attackers who never ran nmap.

I usually rename the admin account, but Brian's idea is a little better since the admin SSID is not 500.

I would suggest trying a quick null session enumeration with enum. It should give you lots of juicy info.
twitter.com/timmedin | http://blog.securitywhole.com
<<

timmedin

User avatar

Sr. Member
Sr. Member

Posts: 469

Joined: Thu Feb 05, 2009 11:18 pm

Post Sat Feb 14, 2009 2:12 pm

Re: Windows 2k3 remote desktop hacking help

Here is a link to a portion of Hacking Exposed describing null sessions.
http://books.google.com/books?id=-bkRry ... t#PPA85,M1
twitter.com/timmedin | http://blog.securitywhole.com

Return to Network Pen Testing

Who is online

Users browsing this forum: No registered users and 3 guests

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software