Hack IIS6 Contest

ThePurpleBuffalo writes "This just came in across a BugTraq mailing list from Roger Grimes: 'Starting May 2nd and going until June 8th, the server located at http://www.hackiis6.com/ will welcome hackers to attack it. If you can deface the web site or capture the "hidden" document, you win an X-box! Read contest rules for what does and doesn't constitute a successful hack. We've tried to be as realistic as possible in what constitutes a successful hack, and in mimicking a basic HTML and ASP.NET web site. ' "

And who is to say

[Gentoo Fan]

that if someone did hack it, the admins will reset it quickly and block the particular method?

When is the Hack Apache contest?

[NavySpy]

I wonder when the "Hack Apache" contest will be held.

Re:And who is to say

[NetNifty]

IIS isn't open source and as a result of that it's going be difficult to fix some holes without it being noticed (like for example a buffer overflow might be fixable by disabling something, but if that thing you're disabling is ASP handling, it's gunna get noticed) or help from MS.

But is it the default config...

[moosesocks]

Presumably with any previous release of IIS, if you turned enough features off and applied enough hacks, it was reasonably secure.

What I want to know is if this site is running a DEFAULT INSTALL. If it's ridiculously tweaked to be secure, it doesn't matter. most of the insecure IIS sites out there are the result of bad admins. apache can be made very insecure if you don't configure it properly.

that said, microsoft is certainly cleaning up its act on the server end. Win2000 was great, and Win2003 ain't too shabby considering what came before them.

that ALSO being said, Novell and OS X server still have 2003 beat from an administrative standpoint.

Does Social Engineering count?

[glengineer]

Maybe I could go to Colorado and buy Chad Phelps a few beers to let me win .... Registrant: Penton IT Media Group 221 E. 29th Street Loveland, CO 80538 US Domain name: HACKIIS6.COM Technical Contact: Phelps, Chad 221 E. 29th Street Loveland, CO 80538 US +01.9702032960 Fax: =01.9706672321

Isn't this technically illegal?

[jeblucas]

IANAL, but isn't this sort of thing illegal? I was trying to compare it to a homeowner saying, "Come and take my TV if you think you can--I'll give you a cherry popsicle." But chances are, you have a pretty good idea if the homeowner actually owns that home or not--he's probably living there. He's got a deed, etc. I don't see how I can determine that Roger Grimes actually owns the server running HackIIS Contest or not. Even if he does, does that make it OK for me to break in and alter his database? After all,

A successful hack includes:

1. Successful web site defacement (subject to the limitations as indicated below)
2. Modification of web server or database computers
3. Proven knowledge of content located in "hidden" Microsoft Word document.
4. Proven knowledge of other content found on the web server or database computer.

I think they really need to have a lawyer right the release for someone to enter this contest. It just doesn't seem right. Or am I a victim of propaganda?

Predetermined outcome?

[why-is-it]

From TFA:

Coming in our July issue, we'll publish an article "How to Set Up a Hackproof IIS" featuring Roger Grimes' recap of the contest, and sharing the secrets of how he created an impenetrable IIS environment.

Sounds like the results have already been decided.

Of course the easiest way to make any system "impenetrable" is to power it off...

Re:And who is to say

[Anonymous Coward]

Well, I think if you email them it goes off to outer space:

$ dig mx hackiis6.com

; <<>> DiG 9.2.1 <<>> mx hackiis6.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 433
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 0

;; QUESTION SECTION:
;hackiis6.com. IN MX

;; ANSWER SECTION:
hackiis6.com. 127 IN MX 10 hostmaster1.local.banneretcs.com.

;; AUTHORITY SECTION:
hackiis6.com. 170217 IN NS ns1.mdnsservice.com.
hackiis6.com. 170217 IN NS ns2.mdnsservice.com.
hackiis6.com. 170217 IN NS ns3.mdnsservice.com.

;; Query time: 1 msec
;; SERVER: 192.168.0.10#53(192.168.0.10)
;; WHEN: Thu May 5 15:56:05 2005
;; MSG SIZE rcvd: 141

$ ping hostmaster1.local.banneretcs.com
ping: unknown host hostmaster1.local.banneretcs.com

hackiis6 is a bunch of cheats!

[mrsbrisby]

Firstly, even if they weren't, is WindowsITPro/Microsoft actually saying that the entire security of IIS is equal to the cost [to them] of an Xbox?

Seriously, that machine ain't running no IIS6. That's a proxy server that's poorly configured (no HTTP/1.0 support).

The machine behind it claims to be running IIS6, but it's header output format is all wrong.

It's possible that the output file (claiming to be default.htm) was really ASP/custom ISAPI filter/or CGI, and emitted those headers manually, but then, it'd still be suspicious that that p0f thinks it's running an IP stack very similar to Linux 2.4, but it gets the Win2003 Server I'm aware of just fine...

It's trivial to make a hackfree static website. Anyone who says I'm a liar doesn't know what they're talking about.

Let's try a real game. How about they put a _stock_ IIS6 machine up, actually running Windows, and see how long it lasts.

As realistic as possible my eye!

[Whomever]

This site isn't "realistic" at all!

A "realistic" website would have some dynamically created pages, or forms, or a shopping cart. These guys have setup a "realistic" site meaning that it serves some html pages via http. All their pages are static.

The site is probably indeed unhackable. That is, unless someone discovers a buffer overflow in URLScan or IIS itself and doesn't notify M$ before they develop an exploit. But, the site's also useless to any business who actually uses the internet for generating revenue instead of just a glorified phone book.

Setting up a hardened server with static pages is simple... refuse all verbs except for GET; don't process any user input (= no asp/perl/php pages, no forms); run it under a non-privileged account with access to absolutely nothing (no databases, no files other than the static html); disable all of the web admin services.

If they were to write some ASP using a MS SQL database backend and then challenge the security community to a duel, I'd be impressed.

A chrooted 'nobody' context apache server running pages off of a ramdisk that's updated from CD every half hour would be just as unhackable. Plus , with syncookies enabled, it would be faster and less susceptible to the /. effect. That site is crawling! But, again with static only pages, what's it good for?

Re:How long

[alexhohio]

exactly what you said... Cool ...however a lot of Admins would love 2 hours to work on a box- usually they have less time- especially when the other fires that need to be put out consist of a sales guy spilling pepsi onto his machine, or a sales guy driving over his notebook...... I will say however, that this is a contest, so of course it isnt going to approximate real conditions- What fun would it be to see a burgler try to break into an average house when no one is home... It is more interesting to set up unlikely, however still plausible deterants to make the contest more interesting.

Re:How long

[LittleLebowskiUrbanA]

Dead fucking right. I like it when I hear about your "testing environment", crap like that. In the real world, you have a VP breathing down your neck wanting that box up NOW. And 90% of the time, the company can live with a halfway secured box for an hour uptime on the Internet so the Sales guys can demo your product. There's a lot of wannabe network adminstrators on here as captain_craptacular mentioned that have nothing better to do then to say "run Linux." Well, guess what? We do when we can but I don't have the time to spend weeks on switching something over to OSS when another part of my network needs attention right now.

GUESS WHAT IS PROTECTING IT.

[DaedalusLogic]

And who the hell is going to care... but... a little quick research on the host reveals the following:

Obviously it's behind a Firewall at a pretty decent looking data center. It looks like a minimum security prison on the outside:

http://www.consonus.com/ [consonus.com]

The thing that pisses me off... (IF) nmap fingerprinted the OS right. Is that this IIS6 box is behind a Nokia IPSO.

http://www.nokia.com/cda1/0,1080,43324,00.html [nokia.com]

If you look on the right hand side of the page you will notice that Nokia credits the UNIX roots of IPSO.

So this Windows zealot is hiding his IIS6 box behind a big, bad ass, UNIX gatekeeper. For contest to prove that Microsoft rules... Shouldn't ISA Server be protecting the brave little web server?

http://www.microsoft.com/isaserver/default.mspx [microsoft.com]

It really pisses me off that he advertises the ability to put together an impenetrable IIS6 environment and that a key solution is a UNIX firewall.

If Microsoft ever makes a statement about this contest in their marketing and it was in fact behind an IPSO they should feel silly, not proud.