List: owasp-dotnet
Subject: [Owasp-dotnet] IIS 6 Hacking Challenge
From: "P.B. Wagenaar" <PB.Wagenaar () chello ! nl>
Date: 2005-04-15 7:28:41
Message-ID: 0IEZ00CB38RL73 () hermes ! uci ! kun ! nl
Hello list,
Windows IT Pro's is starting a challenge that is open to the public for
hacking an IIS 6 server at http://www.hackiis6.com/. This is not the actual
website that is going to be used for the challenge but only contains
information. For now it only states that more information will be given on
April 17th.
It may be worth keeping an eye on this project to see the outcome of it.
Philip Wagenaar
==== 1. In Focus: Hacking IIS 6.0 ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net
Have you heard about Windows IT Pro's "Hack IIS 6.0 Challenge"? Roger
Grimes will secure a Microsoft IIS 6.0 system and make it available on
the Internet April 17 through June 8 so that people can try to break
into it. In the July issue, Roger will write about how he secured the
system and what happened during the contest. For more information about
the contest, go to
http://list.windowsitpro.com/t?ctl=7629:4FB69
I've already read messages on one security mailing list from people
complaining about the challenge or poking fun at it. One person wrote
that it's a ploy to gather zero-day (previously unpublished) exploits.
I don't know whether anybody will collect packets during the contest or
whether such packets will be examined to learn more about how people
approach hacking an IIS 6.0 box. But such forensic analysis might
occur. Would that be a bad thing?
There were also comments that the contest is an attempt to identify
hackers and arrest them. That notion is laughable (and probably based
in paranoia) given the fact that people have been invited to hack the
box.
Some people also felt that such challenges don't work because of
eventual Denial of Service (DoS) attacks. One person mentioned that the
hackiis6.com site is located on the same subnet as the magazine's Web
farm. So if somebody decides to launch a Distributed DoS (DDoS) attack
against the site, it could overwhelm the gateway and thereby render all
sites behind the gateway unavailable. That's true. But the hackiis6.com
site is only an information site. It's not the actual system that will
be made available for hacking. Sometime in the next week, further
information will become available at the hackiis6.com site, so check
back to learn more details, including the address of the system to
hack.
People also pointed out that the challenge can't really prove that the
site is secure. If no one manages to break into the site, it might just
be because somebody who might know how to break in doesn't take part in
the challenge. That's rational; we should probably assume that somebody
somewhere knows how to break any particular piece of software. It's a
widely held opinion that no system is completely secure.
We could enjoy the challenge for exactly what it is--a challenge--
without trying to read all sorts of motives into it. Many people attend
various hacker conferences at which such challenges are relatively
common. The main difference here is that this challenge is open to the
public. It's a way to test your skills and have some fun trying to find
a way to breach security. That's it.