80 and 88


Svejk

I hate to have to do this, but I'm having trouble with a coursework.
Anyone care to suggest how they'd tackle it?

"Discuss how an intruder using ONLY the TCP/80 and TCP/88 ports can
break into a Windows 2000 Server that is functioning as a domain
controller. Assume that the Windows 2000 Server is not making using
of IP-Sec or Kerberos."

I've no idea. :-(
Svejk
 
The question is not correct.

88 is a strange port. Probably there can be a proxy, probably a web site; who
knows.

80 is the http port for the WWW Service. So there must be a web server! Not only
a Domain Controller. The only possibility is to break the web server
application that this server uses. Most probably IIS. You have to find an
unpatched vulnerability of IIS there.
Search Google for a list of them.

Bojidar Alexandrov
 
Port 88 is for kerberos while 80 TCP is for http website. By default in W2K, IIS is
installed and enabled. There are many attacks that can be launched against a web
server that will be successful if the web server is not patched or secured for web
services though it is doubtful in the real world that a domain controller would not
be protected by a firewall. These attacks often involve creating a buffer overflow
condition which allows a user to have system access to the computer. An attacker may
also try to gain access to system files through IIS, particularly if the website is
located on the same partition as the \winnt folder. --- Steve

http://www.sans.org/top20/#w1 --- see W1.1
http://www.hackersprogrammers.com/articles/iis.htm
http://www.iis-resources.com/modules/mylinks/topten.php?hit=1
 
Steven L Umbach said:
Port 88 is for kerberos while 80 TCP is for http website.

If a Windows 2000 Server is a domain controller, then it is running
Active Directory, right?

If it is running Active Directory, then is kerberos *required*?

Does the question below make sense then?

Thanks,
Svejk
 
Kerberos is required for AD replication between AD domain controllers. It is
not required to access a share or logon to the domain. NT computers can be
members of a W2K domain and do not use kerberos, but use ntlm instead. I am
not sure exactly what the question is trying to get at as it is vague. W2K
domain controllers can be attacked through port 80 if they are running IIS,
which they are in a default installation. Of course a firewall would
mitigate a lot of that risk, though it should be disabled [IIS] if not used
and if it is used the IIS service should be hardened by being up to date on
all patches and using the IIS Lockdown tool. --- Steve
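As an added example (not code from anyone in this thread), here is a defender-side audit that checks a host record against the points Steve raises: Kerberos expected on TCP/88 for DC replication, IIS running on a DC without need, IIS in use but unpatched or without the IIS Lockdown tool, no firewall in front of the DC, and the web root on the same partition as the system root. The host record format, its field names and the hostname are assumptions made for this example.

```python
import ntpath

# Constructed sample record (not a real host): a W2K domain controller with
# IIS installed by default, unpatched, no IIS Lockdown, and the web root on
# the same partition as \WINNT. Field names are assumptions for this example.
SAMPLE_HOST = {
    "name": "dc1",  # hypothetical hostname
    "is_domain_controller": True,
    "behind_firewall": False,
    "listening_tcp": {53, 80, 88, 135, 139, 389, 445},
    "services_running": {"W3SVC", "kdc", "NTDS"},
    "iis_needed": False,  # no web site is actually served from this DC
    "iis_patched": False,
    "iis_lockdown_applied": False,
    "web_root": r"C:\Inetpub\wwwroot",
    "system_root": r"C:\WINNT",
}


def same_partition(path_a, path_b):
    """True when two Windows paths share a drive letter, i.e. one partition."""
    drive_a = ntpath.splitdrive(path_a)[0].upper()
    drive_b = ntpath.splitdrive(path_b)[0].upper()
    return drive_a != "" and drive_a == drive_b


def audit_dc_exposure(host):
    """Return (port, finding) tuples for the weaknesses discussed in the thread."""
    findings = []
    listening = host["listening_tcp"]
    iis_up = "W3SVC" in host["services_running"]

    # Kerberos on TCP/88 is expected on a DC: replication between DCs needs it.
    if host["is_domain_controller"] and 88 not in listening:
        findings.append((88, "TCP/88 not listening: AD replication needs Kerberos"))

    if iis_up and 80 in listening:
        if not host["behind_firewall"]:
            findings.append((80, "IIS reachable with no firewall in front of the DC"))
        if not host["iis_needed"]:
            findings.append((80, "IIS running but unused: disable the W3SVC service"))
        else:
            if not host["iis_patched"]:
                findings.append((80, "IIS in use but not up to date on patches"))
            if not host["iis_lockdown_applied"]:
                findings.append((80, "IIS in use without the IIS Lockdown tool applied"))
        if same_partition(host["web_root"], host["system_root"]):
            findings.append((80, "web root shares a partition with the system root"))
    return findings
```

Running `audit_dc_exposure(SAMPLE_HOST)` reports three TCP/80 findings for the sample record; a record with IIS disabled, or patched, locked down, firewalled and served from another partition, reports none.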
 