Domain: hackiis6.com
Stories and comments across the archive that link to hackiis6.com.
Comments · 29
-
hack it!
Or shut the fuck up, go linux
You lainuks pimps, no properly configured windos is not safe. -
Re:ridiculous
Here's your big chance. Seems no-one has done it yet.
-
Re:the real question is..
If kids can do it, why would this be a problem for the kids? Shouldn't it be publically shown that the system was insecure, not that it was breached?
Well I dunno...publically saying "hey...this database is insecure and holds valuable information of many people and it's part of school XYZ" kind of seems like saying advertising "HACK ME!" on your site. Although for some it works and proves a point...I don't think this is the same case.
just a thought... -
take a shot m8...
http://www.hackiis6.com/default.htm
Shouldn't prove to be much of a problem then. Oh wait, nobody would ever waste their secret knowledge of vulnerabilities on a mere x-box... by.. bi.. bass... bias! there we go, I think that might have something to do with it. -
Re:For the . . .
Well of course they will put it on a secure machine, I heard they were looking at one of these:
http://www.hackiis6.com/ -
More like can you hack Windows with Symantec
Hey, I ran a nmap against it and found:
http://www.hackiis6.com/
Interesting ports on 66.133.110.84:
(The 1656 ports scanned but not shown below are in state: filtered)
PORT   STATE SERVICE
80/tcp open  http
Device type: firewall|general purpose
Running (JUST GUESSING) : Symantec Windows NT/2K/XP (93%), IBM AIX 4.X|3.X (92%), FreeBSD 4.X (85%), Microsoft Windows 2003/.NET|NT/2K/XP (85%)
Aggressive OS guesses: Symantec Enterprise Firewall 7.0 running on Windows 2000 SP2 (93%), IBM AIX 4.3.2.0-4.3.3.0 on an IBM RS/* (92%), IBM AIX v4.2 (92%), IBM AIX v3.2.5 - 4 (92%), FreeBSD 4.6 (85%), Microsoft Windows Server 2003 (85%), Microsoft Windows 2000 SP3 (85%), Microsoft Windows XP Professional RC1+ through final release (85%), Microsoft Windows XP Professional SP1 (85%), Microsoft Windows XP SP1 (85%)
No exact OS matches for host (test conditions non-ideal).
Nmap run completed -- 1 IP address (1 host up) scanned in 316.546 seconds
So how does this compare to a general IIS server and what other software is on the box protecting it ???
Michael
-
Re:Not even running IIS6
HTTP headers directly from the server are:
HTTP/1.1 200 OK
Content-Length: 2966
Content-Type: text/html
Content-Location: http://hackiis6.com/default.htm
Last-Modified: Thu, 05 May 2005 23:30:53 GMT
Accept-Ranges: bytes
ETag: "f2a3b7bca51c51:5ec"
Server: Microsoft-IIS/6.0
Date: Fri, 06 May 2005 02:49:09 GMT
Connection: keep-alive
If the Server header is faked, then they'll be in plenty of legal trouble for rigging a contest. But based on what we see here, we must assume that the Netcraft data is incorrect... and it most likely is, being several days old now. -
Not even running IIS6
Either they've written an ISAPI filter or whatever to report differently what's behind the scenes but according to the rules and website it's stock IIS6, 2003, etc. Netcraft says differently:
http://toolbar.netcraft.com/site_report?url=http://www.hackiis6.com
http://www.hackiis6.com/ was running Microsoft-IIS on Windows 2000 when last queried at 2-May-2005 10:52:28 GMT
-
Re:Netcraft confirms..(this time in readable form)
A quick click on Refresh confirms that it is indeed running IIS6 on Windows Server 2003.
(ugly copy/paste follows)
OS, Web Server and Hosting History for www.hackiis6.com
http://www.hackiis6.com/ was running Microsoft-IIS on Windows Server 2003 when last queried at 5-May-2005 22:49:51 GMT
OS                  | Server            | Last changed | IP address    | Netblock Owner
Windows Server 2003 | Microsoft-IIS/6.0 | 5-May-2005   | 66.133.110.84 | CONSONUS
Windows Server 2003 | Microsoft-IIS/6.0 | 4-May-2005   | 66.133.110.84 | CONSONUS
Windows 2000        | Microsoft-IIS/5.0 | 1-Apr-2005   | 63.88.172.208 | Consonus -
Re:Post your error messages here!
That last one should be
http://www.hackiis6.com/percent35percent3
with the "percent" replaced with the percent sign. For some reason, if I just type that in, the slashdot editor randomly changes what I write. -
Re:Post your error messages here!
That last one should be
http://www.hackiis6.com/ percent 35 percent 3
for some reason the slashdot editor doesn't accept it as written above. -
Re:Post your error messages here!
Bad Request (Invalid URL)
http://www.hackiis6.com/%3C%253 -
Re:Post your error messages here!
Forbidden (Invalid URL).
http://www.hackiis6.com/..%5C -
Post your error messages here!
Everyone knows that error messages can be the biggest clue towards a vuln.
One I got was this:
The filename, directory name, or volume label syntax is incorrect.
By using this URL:
http://www.hackiis6.com/%3C%3E
And another:
The system cannot find the file specified.
http://www.hackiis6.com/?*/%22!
And another:
The web host www.hackiis6.com:8080 is not accessible.
http://www.hackiis6.com:8080/c$
Completely stupid URLs but I did get different messages for all 3 (which were non-standard), so maybe this will help somebody who has a clue... -
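The poster above is right that distinct, non-standard error messages are a signal worth watching, and the same requests are just as distinctive in the server's own logs. The script below is an added example, not code from the thread or from the contest site: it scans a constructed, simplified IIS W3C-style log (date, time, method, uri-stem, uri-query, status, client IP; not real contest logs) and flags request targets that contain path traversal, Windows-reserved filename characters, admin-share-style names, or percent signs that survive one round of decoding. The field layout and rule names are assumptions made for this example.

```python
import re
from urllib.parse import unquote

# Constructed sample log in a simplified IIS W3C-style layout (assumed for this
# example): date time cs-method cs-uri-stem cs-uri-query sc-status c-ip
# "-" means an empty query. Requests 2-6 mirror the URLs quoted in the thread.
SAMPLE_LOG = """\
2005-05-05 20:07:06 GET /default.htm - 200 192.0.2.10
2005-05-05 20:08:11 GET /%3C%3E - 400 192.0.2.10
2005-05-05 20:08:40 GET / */%22! 404 192.0.2.10
2005-05-05 20:09:02 GET /..%5C - 403 192.0.2.11
2005-05-05 20:09:30 GET /%3C%253 - 400 192.0.2.11
2005-05-05 20:09:55 GET /c$ - 404 192.0.2.11
2005-05-05 20:10:00 GET /events.htm - 200 192.0.2.12
"""

# Characters Windows will not accept in a file name. "?" is left out because it
# separates the query, "/" because it separates path segments.
RESERVED = set('<>:"|*')
# "../" or "..\" anywhere in the decoded target.
TRAVERSAL = re.compile(r"\.\.[\\/]")
# A path segment ending in "$", the naming style of Windows administrative shares.
ADMIN_SHARE = re.compile(r"/[^/]+\$(?:/|$)")


def classify_target(stem: str, query: str) -> list[str]:
    """Return the list of rule names a single request target trips (empty if clean)."""
    target = stem if query in ("", "-") else f"{stem}?{query}"
    decoded = unquote(target)  # one decoding pass, as the server would do
    reasons = []
    if TRAVERSAL.search(decoded):
        reasons.append("traversal")
    if RESERVED & set(decoded):
        reasons.append("reserved-chars")
    if ADMIN_SHARE.search(decoded):
        reasons.append("admin-share")
    if "%" in decoded:  # a percent sign left after decoding: double or malformed encoding
        reasons.append("double-or-malformed-encoding")
    return reasons


def scan_log(text: str) -> list[dict]:
    """Parse the sample layout and return one record per flagged request."""
    hits = []
    for line in text.splitlines():
        if not line or line.startswith("#"):  # blank lines and W3C directives
            continue
        fields = line.split()
        if len(fields) != 7:  # not our assumed layout; skip rather than guess
            continue
        date, time, method, stem, query, status, client = fields
        reasons = classify_target(stem, query)
        if reasons:
            hits.append({
                "time": f"{date} {time}",
                "client": client,
                "method": method,
                "target": stem if query == "-" else f"{stem}?{query}",
                "status": int(status),
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["time"], hit["client"], hit["status"], hit["target"], ",".join(hit["reasons"]))
```

Grouping the hits by client IP and counting distinct rule names per client is the usual next step: one odd request is noise, but a client that trips three different rules in two minutes is probing.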
Re:Weee, another publicity-drenched waste of time
RTFA:
Why a Hacking Contest?
To have fun! We know there will be critics who say sponsoring a hacking contest proves nothing. If the IIS server remains unbroken, it still doesn't mean that IIS is really "secure." True, and if I weren't the contest's team leader, I'd probably be the first one to say so. Hacking contests rarely prove something is secure, although it only takes a single successful hack to prove something is not secure.
So why do it? There are very few places on the Internet where hackers, good and bad, can hack legally. Windows IT Pro thought the contest would be a fun way to interact with the hacker community (they realize most hackers have good intentions) and provide a practical way for readers of Windows IT Pro to learn about security (of course, the magazine will disavow all responsibility and blame me solely if the server gets hacked) *grin*.
So, welcome to the contest! Hack away. If the IIS server goes unhacked during the extended time period, it might not mean that IIS is "unhackable", but if the site does survive the contest it might convince a few people that you can implement a relatively secure Web server platform with IIS if you follow best practices and take reasonable precautions. After all, over 20 percent of the Internet relies on IIS, including some of the largest Web sites in the world.
I know IIS is an "M$" product so the moderators will eat up any and all defamation, but would it kill anyone to actually read the site before divining its intentions?
-
Most of the way but...
From the hidden text:
Additional Requirements:
- Replace My picture with You know who!
- Make "FR1ST PS0T fer GNAA!" on Slashdot.org
-
Re:But is it the default config...
What I want to know is if this site is running a DEFAULT INSTALL. Well, have you even read the info on the site? On http://www.hackiis6.com/welcome.htm it says what has been done to secure the system.
-
5 seconds later...
'Starting May 2nd and going until June 8th, the server located at http://www.hackiis6.com/ will welcome hackers to attack it. If you can deface the web site or capture the "hidden" document, you win an X-box!
..."
Roger Grimes: Hey George, I just set up that HackIIS6 server, just now.
George: Really? Great! I wonder how long it will last.
5 seconds later...
(The server's status flatlines) Roger (scoffing): I knew I should have made this a HackApache contest... -
Re:One thing that might help
http://hackiis6.com/events.htm
Sequence of Events
May 2 - Challenge begins with very basic static HTML web site to focus hackers on hacking IIS code
May 16 - ASP.NET web site put up to give more potential hacking angles
June 8 - Contest ends
June 9 - Winner (or lack of winner) announced at TechEd in Orlando. -
Headers for the truly curious...
http://www.hackiis6.com/
GET / HTTP/1.1
Host: www.hackiis6.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
If-Modified-Since: Mon, 02 May 2005 04:07:00 GMT
If-None-Match: "0ca8663cc4ec51:5ec"
HTTP/1.1 200 OK
Content-Length: 2964
Content-Type: text/html
Content-Location: http://www.hackiis6.com/default.htm
Last-Modified: Mon, 02 May 2005 04:07:00 GMT
Accept-Ranges: bytes
Etag: "0ca8663cc4ec51:5ec"
Server: Microsoft-IIS/6.0
Date: Thu, 05 May 2005 20:07:06 GMT
content-script-type: text/javascript
content-style-type: text/css
Pragma: no-cache -
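Two header captures of the same page appear in this thread (one with Last-Modified of 2 May and ETag "0ca8663cc4ec51:5ec", one with Last-Modified of 5 May and ETag "f2a3b7bca51c51:5ec"), and comparing them is exactly what a defacement monitor for a contest like this does. The script below is an added example, not code from the thread or from the contest organisers: it embeds both captures as constructed sample strings, parses them into case-insensitive header maps (note the server sent "Etag" in one and "ETag" in the other), and reports which non-volatile fields changed while ignoring Date and Connection. The expected-banner argument and the choice of watched fields are assumptions for this example.

```python
from __future__ import annotations

# Constructed from the headers quoted in this thread; captured 5 May and 6 May 2005.
CAPTURE_MAY_05 = """HTTP/1.1 200 OK
Content-Length: 2964
Content-Type: text/html
Content-Location: http://www.hackiis6.com/default.htm
Last-Modified: Mon, 02 May 2005 04:07:00 GMT
Accept-Ranges: bytes
Etag: "0ca8663cc4ec51:5ec"
Server: Microsoft-IIS/6.0
Date: Thu, 05 May 2005 20:07:06 GMT
content-script-type: text/javascript
content-style-type: text/css
Pragma: no-cache
"""

CAPTURE_MAY_06 = """HTTP/1.1 200 OK
Content-Length: 2966
Content-Type: text/html
Content-Location: http://hackiis6.com/default.htm
Last-Modified: Thu, 05 May 2005 23:30:53 GMT
Accept-Ranges: bytes
ETag: "f2a3b7bca51c51:5ec"
Server: Microsoft-IIS/6.0
Date: Fri, 06 May 2005 02:49:09 GMT
Connection: keep-alive
"""

# Fields that only move when the served document itself moves (assumed watch list).
WATCHED = ("content-length", "last-modified", "etag", "content-location")
# Fields that differ between any two requests and must never raise an alarm.
VOLATILE = {"date", "connection", "keep-alive"}


def parse_headers(raw: str) -> tuple[str, dict[str, str]]:
    """Return (status line, {lowercased field name: value}) from a raw header block."""
    lines = [line for line in raw.splitlines() if line.strip()]
    status = lines[0].strip()
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    return status, headers


def diff_captures(baseline: str, current: str) -> dict[str, tuple[str | None, str | None]]:
    """Return {field: (old value, new value)} for every non-volatile field that differs."""
    _, old = parse_headers(baseline)
    _, new = parse_headers(current)
    changed = {}
    for name in sorted(set(old) | set(new)):
        if name in VOLATILE:
            continue
        if old.get(name) != new.get(name):
            changed[name] = (old.get(name), new.get(name))
    return changed


def assess(baseline: str, current: str, expected_server: str = "Microsoft-IIS/6.0") -> list[str]:
    """Turn a header diff into the findings a monitoring job would page on."""
    findings = []
    _, new = parse_headers(current)
    if new.get("server") != expected_server:
        findings.append(f"server banner changed: {new.get('server')!r}")
    changed = diff_captures(baseline, current)
    if any(k in changed for k in ("etag", "last-modified", "content-length")):
        details = ", ".join(f"{k}={changed[k][1]}" for k in WATCHED if k in changed)
        findings.append("document changed: " + details)
    return findings


if __name__ == "__main__":
    for finding in assess(CAPTURE_MAY_05, CAPTURE_MAY_06):
        print(finding)
```

A header-only check is cheap enough to run every minute, but it is a tripwire, not proof: a legitimate edit (the organisers updated the page between 2 May and 5 May) and a defacement look the same here, so the alert should trigger a body hash comparison against a known-good copy rather than a verdict on its own.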
Law...
"Void where prohibited by law."
http://www.hackiis6.com/rules.htm -
Re:contest rules
6. The web admin hasn't patched the daily security hole in the server before the hack was initiated on that given day.
Note to those who haven't read all of TFA: Parent added #6, it is not an actual rule for the contest. The actual contest rules can be found here.
-
Easiest route to take?
-
Re:Does Social Engineering count?
Just email prizes@hackiis6.com and include one of those
.vbs or .jpg exploits.
No beers necessary. Er, assuming they have a real live human opening and reading emails to that address. -
Full context of original e-mail.
The site is down so here is the original e-mail he sent out.
Welcome to the HackIIS6.com Contest!
Starting May 2nd and going until June 8th, the server located at
http://www.hackiis6.com/ will welcome hackers to attack it. If you can
deface the web site or capture the "hidden" document, you win an X-box!
Read contest rules for what does and doesn't constitute a successful
hack. We've tried to be as realistic as possible in what constitutes a
successful hack, and in mimicking a basic HTML and ASP.NET web site.
For the most part, almost anything reasonable constitutes a successful
attack except for a massive network denial of service attack against the
IIS 6 or its host provider. Not that doing a successful DoS attack
wouldn't be a problem in the real world...it would be...but we aren't
testing that. We want to test the security of Windows Server 2003, IIS,
and other Microsoft applications. So, please, respect this one rule of
the contest so everyone can have a chance at claiming the prize.
Questions and Prizes
If you have questions, send an email to admin@hackiis6.com. If you want
to claim a prize, send your email, with the details listed in the
official rules to prizes@hackiis6.com.
Contest Summary
We are going to start the contest for the first two weeks with the very
basic, static HTML web site that you are now reading. Two weeks later,
we'll add an ASP.NET web site and a back-end SQL server to add more
flavor and give more area to attack. We started with the basic site to
prove that Microsoft's Internet Information Service (IIS) and Windows
Server 2003 are secure by themselves. This is to satisfy the purists who
think hacking ASP.NET is hacking an application and not the server.
So, if you've got skillz in one area versus the other, you'll have a
chance to try both attack types.
Once the contest stops on June 8th, we will announce the winner(s) at
the upcoming June Microsoft Tech.Ed conference.
The Setup
This server is running Windows Server 2003, Service Pack1, with all
current publicly-released patches and hotfixes installed (we ran Windows
Update and MBSA just like a real admin would do). We installed IIS 6.0.
and then we followed the basic recommendations
(http://www.microsoft.com/technet/security/prodtech/IIS.mspx) suggested
by Microsoft. I added a few tweaks here and there, to put my personal
mark on the site, but nothing extraordinary.
There is no non-Microsoft software involved with the exception of the
host's router/firewall, which would be normal in most environments. We
want to make this a test of Microsoft software.
Why a hacking contest?
To have fun! Sure there will be critics who say sponsoring a hacking
contest proves nothing. If the IIS server remains unbroken, it still
doesn't mean that IIS is really "secure." True, and if I wasn't the
contest's team leader, I'd probably be the first one to yell that out.
Hacking contests rarely prove something is secure, although it only
takes a single successful hack to prove something is unsecure.
So why do it? There are very few places on the Internet where hackers,
good and bad, can hack legally. Windows IT Pro thought the contest would
be a fun way to interact with the hacker community (they realize most
hackers have good intentions) and bring some attention to Windows IT Pro
(of course, they'll disavow all responsibility and blame me solely if
the server gets hacked).
So, welcome to the contest! Hack away. If the IIS server goes unhacked
during the extended time period, it might not mean that IIS is
"unhackable", but if it does survive the contest it might convince a few
people that it is a relatively secure web server platform. After all,
over 20% of the Internet relies on it, including some of the largest web
sites in the world.
Happy Hacking,
Roger A. Grimes
Contributing editor, Windows IT Pro Magazine