Hack IIS6 Contest
ThePurpleBuffalo writes "This just came in across a BugTraq mailing list from Roger Grimes: 'Starting May 2nd and going until June 8th, the server located at http://www.hackiis6.com/ will welcome hackers to attack it. If you can deface the web site or capture the "hidden" document, you win an X-box! Read contest rules for what does and doesn't constitute a successful hack. We've tried to be as realistic as possible in what constitutes a successful hack, and in mimicking a basic HTML and ASP.NET web site.'"
But is it the default config... (Score:1, Interesting)
What I want to know is if this site is running a DEFAULT INSTALL. If it's ridiculously tweaked to be secure, it doesn't matter. Most of the insecure IIS sites out there are the result of bad admins. Apache can be made very insecure if you don't configure it properly.
That said, Microsoft is certainly cleaning up its act on the server end. Win2000 was great, and Win2003 ain't too shabby considering what came before them.
That ALSO being said, Novell and OS X Server still have 2003 beat from an administrative standpoint.
Isn't this technically illegal? (Score:3, Interesting)
I think they really need to have a lawyer write the release for someone to enter this contest. It just doesn't seem right. Or am I a victim of propaganda?
Predetermined outcome? (Score:3, Interesting)
From TFA:
Sounds like the results have already been decided.
Of course the easiest way to make any system "impenetrable" is to power it off...
Re:And who is to say (Score:1, Interesting)
$ dig mx hackiis6.com
; <<>> DiG 9.2.1 <<>> mx hackiis6.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 433
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 0
;; QUESTION SECTION:
;hackiis6.com. IN MX
;; ANSWER SECTION:
hackiis6.com. 127 IN MX 10 hostmaster1.local.banneretcs.com.
;; AUTHORITY SECTION:
hackiis6.com. 170217 IN NS ns1.mdnsservice.com.
hackiis6.com. 170217 IN NS ns2.mdnsservice.com.
hackiis6.com. 170217 IN NS ns3.mdnsservice.com.
;; Query time: 1 msec
;; SERVER: 192.168.0.10#53(192.168.0.10)
;; WHEN: Thu May 5 15:56:05 2005
;; MSG SIZE rcvd: 141
$ ping hostmaster1.local.banneretcs.com
ping: unknown host hostmaster1.local.banneretcs.com
hackiis6 is a bunch of cheats! (Score:2, Interesting)
Seriously, that machine ain't running no IIS6. That's a poorly configured proxy server (no HTTP/1.0 support).
The machine behind it claims to be running IIS6, but its header output format is all wrong.
It's possible that the output file (claiming to be default.htm) was really ASP/a custom ISAPI filter/CGI and emitted those headers manually, but then it'd still be suspicious that p0f thinks it's running an IP stack very similar to Linux 2.4, while it fingerprints the Win2003 Server I'm aware of just fine...
It's trivial to make a hackfree static website. Anyone who says I'm a liar doesn't know what they're talking about.
Let's try a real game. How about they put a _stock_ IIS6 machine up, actually running Windows, and see how long it lasts.
As realistic as possible my eye! (Score:2, Interesting)
A "realistic" website would have some dynamically created pages, or forms, or a shopping cart. These guys have set up a "realistic" site, meaning that it serves some HTML pages via HTTP. All their pages are static.
The site is probably indeed unhackable. That is, unless someone discovers a buffer overflow in URLScan or IIS itself and doesn't notify M$ before they develop an exploit. But, the site's also useless to any business who actually uses the internet for generating revenue instead of just a glorified phone book.
Setting up a hardened server with static pages is simple... refuse all verbs except for GET; don't process any user input (= no asp/perl/php pages, no forms); run it under a non-privileged account with access to absolutely nothing (no databases, no files other than the static html); disable all of the web admin services.
If they were to write some ASP using a MS SQL database backend and then challenge the security community to a duel, I'd be impressed.
A chrooted 'nobody' context Apache server running pages off of a ramdisk that's updated from CD every half hour would be just as unhackable. Plus, with syncookies enabled, it would be faster and less susceptible to the
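The checklist in the post above (GET only, no user input, no script pages, nothing but static HTML) maps almost directly onto a URLScan filter, which the same thread already names as the likely thing standing in front of the contest box. The urlscan.ini below is an added example written for this page; it is not the contest server's configuration and was not posted by the commenter. The allowed extension list, the request limits and the logging choices are assumptions for a site that serves only static HTML and images. The other two items on the checklist, running the worker under an unprivileged account and disabling the web admin services, are IIS metabase and Windows service settings outside URLScan and are not shown here.

```ini
; urlscan.ini for a static-only IIS 6 site (added example, not the contest config)
; Assumptions: the site serves only .htm/.html pages and a few image/CSS files,
; never accepts user input, and has no ASP/ISAPI/CGI content at all.

[options]
UseAllowVerbs=1              ; only verbs listed in [AllowVerbs] get through
UseAllowExtensions=1         ; only extensions listed in [AllowExtensions] get through
NormalizeUrlBeforeScan=1     ; decode/canonicalise the URL before applying the rules
VerifyNormalization=1        ; reject URLs that change when normalised twice (double encoding)
AllowHighBitCharacters=0     ; reject non-ASCII bytes in the URL
AllowDotInPath=0             ; reject dots in directory names (blocks foo.asp/bar style tricks)
RemoveServerHeader=1         ; drop the Server: header so the banner gives nothing away
EnableLogging=1
PerDayLogging=1
PerProcessLogging=0
AllowLateScanning=0          ; run URLScan first, before any other ISAPI filter
UseFastPathReject=0          ; send the configured RejectResponseUrl instead of a bare 404
RejectResponseUrl=/rejected.htm   ; assumed: a static page, not a script
LogLongUrls=0

[AllowVerbs]
; "refuse all verbs except for GET"
GET

[AllowExtensions]
; "no asp/perl/php pages" -- nothing executable is listed, so requests for
; .asp, .dll, .exe, .pl, .php and friends are rejected before IIS maps them
.htm
.html
.css
.gif
.jpg
.png
; the bare "." entry is required so that "/" (the directory default document)
; is still served; without it every extensionless request is rejected
.

[DenyHeaders]
; chunked request bodies make no sense for a GET-only static site
Transfer-Encoding:

[DenyUrlSequences]
; directory traversal and encoding tricks
..
./
\
:
%
&

[RequestLimits]
; "don't process any user input": a GET to a static file needs neither a
; body nor a query string, so both limits are pinned to zero
MaxAllowedContentLength=0
MaxQueryString=0
MaxUrl=260
```

After dropping the file into the URLScan directory and restarting IIS, the quick sanity check is to send a POST and a GET with a query string to the site and confirm both come back rejected while a plain GET for /default.htm still returns 200; URLScan's own log (per-day under EnableLogging/PerDayLogging) records which rule fired for each rejected request.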
GUESS WHAT IS PROTECTING IT. (Score:5, Interesting)
Obviously it's behind a firewall at a pretty decent looking data center. It looks like a minimum security prison on the outside:
http://www.consonus.com/
The thing that pisses me off (IF nmap fingerprinted the OS right) is that this IIS6 box is behind a Nokia IPSO.
http://www.nokia.com/cda1/0,1080,43324,00.html
If you look on the right hand side of the page you will notice that Nokia credits the UNIX roots of IPSO.
So this Windows zealot is hiding his IIS6 box behind a big, bad-ass UNIX gatekeeper. For a contest to prove that Microsoft rules... shouldn't ISA Server be protecting the brave little web server?
http://www.microsoft.com/isaserver/default.mspx
It really pisses me off that he advertises the ability to put together an impenetrable IIS6 environment and that a key part of the solution is a UNIX firewall.
If Microsoft ever makes a statement about this contest in their marketing and it was in fact behind an IPSO, they should feel silly, not proud.