[WEB SECURITY] Tools or software for hacking windows/iis.

Schmidt, Albert E AES at ola.state.md.us
Fri Dec 22 08:43:40 EST 2006

Thank you.  We all know that gas may be flammable.  However, outside the IT security profession there is a blatant ignorance regarding IT security.  Most individuals go through life thinking that information systems are secure, and are unaware of how fragile these systems may be.  I am even disheartened to see IT professionals who do not appear to have a strong grasp on IT security (please see a report finding and response below - this finding is public information - see http://www.ola.state.md.us/Reports/Fiscal%20Compliance/UMBI06.pdf).

To demonstrate the ease of an exploit goes much farther in the eyes of the common man than saying vulnerabilities exist.  I once demonstrated the use of Ethereal to my quality assurance department, when questioned how easy it is to sniff non-encrypted network traffic.  They were horrified at its ease of use.  Now imagine how horrified they would be to see how easy it is to exploit a vulnerable server.  What is even more fearful is the fact that these utilities are also in the hands of our enemies and attacks can come from across the ocean.  Who needs ballistic missiles? Enemies can infiltrate the IT operations of a nation from the comfort of their own home.  Maybe I am a doomsayer, but I feel that there is an IT atomic bomb waiting to go off.

Al S.

Numerous publicly accessible servers were located on UMBI's internal network rather than being placed in a neutral network zone. Publicly accessible servers should be placed in a neutral network zone, separate from the internal network, to enhance protection of sensitive data and systems on the internal network. We were advised that, in some cases, UMBI employees had placed publicly accessible servers on the internal network to facilitate public access to research information without the awareness or authorization of management of UMBI's Office of Information Systems.


Publicly Accessible Servers:

UMBI agrees that its internal computer network must be protected from external threats and has in fact gone to great lengths to ensure that it is secure. However, placing publicly available information in a neutral network zone, as suggested by the auditors, will either make such information less secure or require an unnecessary, costly and burdensome level of redundant security systems. UMBI has in fact placed great emphasis on protecting all information, including that information accessible to the public, as we deem making information accessible remotely an important part of our mission.


Yet we do so in a way that while not in strict accordance with State guidelines, using the flexibility explicitly allowed for per USM policy, achieves the same functional compatibility with State guidelines required by USM policies.


The mere presence of information accessible to the public within UMBI's internal network does not create an unacceptable security risk.  Unauthenticated access to UMBI information is only available via the Web for viewing purposes and UMBI has protection systems to prevent this information from being modified or manipulated. Access to all other data requires additional layers of security which are time-proven and state-of-the-art methods to ensure an appropriate level of protection.


Due to UMBI's mission as a research institution much information is required to be remotely (i.e., publicly) accessible, and we feel that all information requires a great degree of protection. One reason is because UMBI faculty and staff regularly need to access services from all of our servers from remote locations due to their extensive travel and collaborations with researchers. Along the same lines, often research collaborators also must be able to access data remotely. In cases where the data are of a proprietary nature, authenticated access and other appropriate methods are used to ensure that only those persons authorized to access the data can do so. UMBI has no financial, personnel, student nor patient data on any UMBI publicly accessible servers.


UMBI feels that it has achieved an acceptable level of security given the mission critical need for UMBI faculty and staff to access information remotely and share research results and collaborate on research activities with researchers worldwide. We will diligently continue to enhance and add layers of security wherever appropriate.


From: Jarmon, Don R [mailto:Don.Jarmon at Intergraph.com]
Sent: Thu 12/21/2006 5:34 PM
To: Web Security
Subject: RE: [WEB SECURITY] Tools or software for hacking windows/iis.

I have been working with vulnerability assessment tools since 1995 and
still seeking one that I like (Free or Commercial).

First scan tool: http://www.ciac.org/ciac/bulletins/f-20.shtml

Exploiting a known vulnerability is more like a carnival act.  It can be
pretty cool to watch but not much real value.  We all know gas is
flammable.  Does using a match to test add any value?  Web application
security goes much beyond just patching.  The challenge for any
organization is to establish a secure baseline and sustain throughout
the entire lifecycle.  This requires effective administrative, physical,
and technical controls.

Most vulnerability assessment tools can only identify surface blemishes
that most often can be linked to ineffective security management
programs.  You have already identified an ineffective vulnerability
management process.  Further exploiting using another tool would not
address the overall security settings and controls of the Web server.

http://nvd.nist.gov  (Search for IIS or Windows 2000 or SQL)

Don Jarmon - CISSP
Sr. Technical Consultant
Security, Government & Infrastructure (SG&I) Division
Intergraph Corporation
P.O. Box 6695, Huntsville, AL 35824 USA
P 1.256.730.2366 F 1.256.730.4501
Don.Jarmon(at)Intergraph.com, solutions.intergraph.com

-----Original Message-----
From: Schmidt, Albert E [mailto:AES at ola.state.md.us]
Sent: Thursday, December 21, 2006 11:30 AM
To: Web Security
Subject: [WEB SECURITY] Tools or software for hacking windows/iis.

Hello group, I am auditing a Windows 2000 web server that has not been
patched for 2 years.  I am looking for tools that could be used to
exploit known vulnerabilities - I do not want to damage the server, but
would like to demonstrate the security weakness for my work papers.  I
have heard that there are tools such as iishack.exe that may be able to
help.  I would like an easy tool, as I am not that technical.  I have a
basic understanding of web application security.

Thank you,

Albert E. Schmidt, CPA
Senior Information System Auditor
Office of Legislative Audits
Department of General Services
Maryland General Assembly

The Web Security Mailing List:

The Web Security Mailing List Archives:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
