Author: xhacker
Green Alliance is a famous network security company in China (note: this article cannot reveal the real name of the website, so we use X for the name). It is fair to say that almost everyone in the security industry knows of it. Many intruders have tried to break into X League or find some bugs in it, but most of them failed. Of course there have also been some successes; for example, a few years ago the Xiaoyu wizards used SQL injection to delete the database of the X League forum, which had a certain impact. Precisely because X League is so prominent in the security field, it became a challenge I had never managed to crack, so I decided to go after it over a weekend. What follows is a simple account of the penetration process and the thinking behind it (never mind the result; the focus is on the process):
First, gather some basic information:
C:\> ping bbs.xxxxxxx.net
Pinging bbs.xxxx.net [21.16.6.16] with 32 bytes of data:
Reply from 21.16.6.16: bytes=32 time=110ms TTL=236
Reply from 21.16.6.16: bytes=32 time=91ms TTL=236
Reply from 21.16.6.16: bytes=32 time=110ms TTL=236
Reply from 21.16.6.16: bytes=32 time=100ms TTL=236
Ping statistics for 21.16.6.16:
[Note: bbs.xxxxxxx.net and 21.16.6.16 are placeholders here; any resemblance to a real host is purely coincidental.]
Result of a full port scan with SuperScan:
* + 21.16.6.16
| ___ 29 MSG ICP
| ___ 31 MSG Authentication
| ___ 33 display support protocol
| ___ 37 time
| ___ 38 route access protocol
| ___ 35 any private printer Server
| ___ 39 resource location protocol
| ___ 41 graphics
| ___ 42 wins Host Name Server
| ___ 43 who is
| ___ 44 MPM flags Protocol
| ___ 45 message processing module [Recv]
| ___ 46 MPM [Default send]
| ___ 47 Ni FTP
| ___ 48 digital audit daemon
| ___ 71 remote job service
| ___ 67 Bootstrap Protocol server
| ___ 69 Trivial File Transfer
| ___ 72 remote job service
| ___ 70 Gopher
| ___ 68 Bootstrap Protocol Client
| ___ 73 remote job service
| ___ 74 remote job service
................................................
This is not a scanner false positive; these must be ports faked by the IDS. It seems we cannot learn the genuinely open ports this way. I thought about doing a CGI scan next, but so many people have already tried that, and I would not turn up any vulnerabilities; besides, that approach is not practical against such a well-known security site.
Because X League has an IDS installed (and surely a firewall too), I cannot gather information with a scanner, so another approach is needed:
Since the target host is configured very securely, I have no good way to penetrate it directly for now (from the earlier probing, the input and output filtering of X League's scripts is thorough, so script attacks are useless). But its site http://bbs.xxxxxx.net shows that X League still has a very serious security risk: plain HTTP is not encrypted. So we can compromise another host on the same switch as X League, and then use ARP spoofing to sniff X League's traffic for an indirect intrusion.
Then I used several scanners (X-Scan, HScan and Streamer 4.7) to thoroughly scan a class C segment of X League and tried every way to take control of a host. The scan found some Windows NT/2000 hosts, but the Unicode vulnerability, WebDAV overflow, .ida overflow, .idq overflow, weak IPC$ passwords and SQL overflow could not break into any host in this segment. Then I thought of the RPC overflow. I had tested this vulnerability on SP0-SP3 hosts (English, Simplified and Traditional Chinese) with an extremely high success rate, yet very few people use it in attacks; I think this is because everyone's attention has been drawn to the WebDAV overflow, and the RPC overflow requires the Remote Procedure Call (RPC) Locator service to be enabled on the target. Apart from domain controllers, who would have that service running? Domain controllers are known to open specific ports, so I first searched 21.16.6.1-21.16.6.254 for domain controllers. The result was quite good: I found three of them:
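The plan above depends on ARP spoofing from another host on the same switch, which is exactly the symptom a defender on that segment should be watching for. The following Python is an added example, not code from the article or from X League; it replays a constructed list of ARP replies and flags an IP whose MAC changes and a MAC that starts answering for several IPs, reusing the article's 21.16.6.x placeholder addresses.

```python
# Added example (not from the original article): flag ARP-cache poisoning
# symptoms in a stream of ARP replies. Real input would come from a switch
# port mirror or host agent; here it is constructed.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float   # seconds since capture start
    ip: str     # sender protocol address (the IP being claimed)
    mac: str    # sender hardware address


# Constructed sample using the article's placeholder addresses: the gateway
# 21.16.6.1 and web server 21.16.6.16 are first seen at their own MACs, then
# the host at 21.16.6.30 starts answering ARP for both of them.
SAMPLE = [
    ArpReply(0.0, "21.16.6.1", "00:aa:aa:aa:aa:01"),
    ArpReply(1.0, "21.16.6.16", "00:aa:aa:aa:aa:16"),
    ArpReply(2.0, "21.16.6.30", "00:bb:bb:bb:bb:30"),
    ArpReply(30.5, "21.16.6.1", "00:bb:bb:bb:bb:30"),   # gateway re-mapped
    ArpReply(30.6, "21.16.6.16", "00:bb:bb:bb:bb:30"),  # web server re-mapped
]


def detect_arp_spoof(replies, protected=frozenset({"21.16.6.1"})):
    """Return alerts as (severity, ts, kind, detail) tuples.

    "ip-moved": an IP's MAC changed (HIGH when the IP is protected, e.g. the
    gateway). "mac-claims-many": one MAC now answers for several IPs, the
    signature of a host that has put itself in the middle.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for r in replies:
        prev = ip_to_mac.get(r.ip)
        if prev is not None and prev != r.mac:
            sev = "HIGH" if r.ip in protected else "MEDIUM"
            alerts.append((sev, r.ts, "ip-moved", f"{r.ip}: {prev} -> {r.mac}"))
        ip_to_mac[r.ip] = r.mac
        claimed = mac_to_ips[r.mac]
        is_new = r.ip not in claimed
        claimed.add(r.ip)
        if is_new and len(claimed) > 1:
            alerts.append(("MEDIUM", r.ts, "mac-claims-many",
                           f"{r.mac} -> {sorted(claimed)}"))
    return alerts
```

Calling detect_arp_spoof(SAMPLE, protected={"21.16.6.1", "21.16.6.16"}) treats both the gateway and the web server as protected; the first alert is the gateway moving to the 21.16.6.30 host's MAC, which is the moment the sniffing described above becomes possible.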
21.16.6.30
21.167.67.61
21.167.67.68
Then I obtained system control of the 21.16.6.30 host through the RPC overflow, and 21.16.6.30 also runs Terminal Services (port 3389). I don't understand this: why do 90% of domain controllers have 3389 open? Log on to the Terminal Service on 21.16.6.30:
C:\> query user
Username sessionname ID state idle time Logon Time
> Test RDP-TCP #9 1 running
Fortunately, I am the only one on 3389.
C:\> net session
The list is empty.
Nobody else is here.
Now I can proceed with confidence. First install WinPcap 2.1, then install X-Sniffer to go after bbs.xxxxxxx.net. First, take a look at the local machine:
C:\> ipconfig
Windows 2000 IP Configuration
Ethernet adapter Local Area Connection:
        Connection-specific DNS Suffix . :
        IP Address. . . . . . . . . . . . : 21.16.6.30
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 21.16.6.1
OK. Run X-Sniffer, configure it and start capturing packets. Results come quickly:
C:\> dir log1.txt
 Volume in drive C has no label.
 Volume Serial Number is 68AB-0241

 Directory of C:\

                 1,474,800 log1.txt
               1 File(s)      1,474,800 bytes
               0 Dir(s)     961,003,520 bytes free
Let's search it:
C:\> find /i "username" log1.txt
---------- A.txt
Act = login & Do = 01 & username = badhack & Password = aaa & submit = % Ce % D2 % D2 % Aa % B5 % C7 % C2 %
Act = login & Do = 01 & username = Lanker & Password = ljyjsjx9803
Username = aoxue & Password = kfmytuav
Username = antisecurity & Password = nsfocus
............
Log in as the user adam and find that the login actually works (Figure 1):
(Figure 1)
I can get any user's password I want, but what I really want is more privileges: the forum administrator's password. If the forum supports file uploads, I could get a shell. However, there is no telling when the forum administrator will log on, so I decided to try elsewhere; maybe there will be new opportunities.
Ping X League's main site:
C:\> ping -a www.xxxxxxx.net
Pinging www.xxxxxxx.net [211.16.6.16] with 32 bytes of data:
Reply from 21.16.6.16: bytes=32 time=181ms TTL=236
Reply from 21.16.6.16: bytes=32 time=130ms TTL=236
Reply from 21.16.6.16: bytes=32 time=191ms TTL=236
Reply from 21.16.6.16: bytes=32 time=150ms TTL=236
Ping statistics for 21.16.6.16:
It turns out that the BBS forum and the X League main site are on the same web host. Why didn't I think to try that? Next, check whether the mail server is there too; if so, I can also get the company employees' e-mail passwords, which would be a huge win. First, let's look at the other party's domain information:
> ls -d ns1.xxxx.com
[ns.szptt.net.cn]
*** Can't list domain ns1.xxx.com: Bad error value
> server ns1.xxxx.com
Default Server:  ns1.xxx.com
Address:  21.152.8.69
> ls -d xxxx.net
[ns1.xxxx.com]
 xxxx.net.                      SOA    xxxx.net root.xxxx.net. (2003021801 86400 1200 604800 3600)
 xxxx.net.                      NS     ns1.xxxx.com
 xxxx.net.                      NS     dns1.hichina.com
 xxxx.net.                      A      21.15.8.69
 xxxx.net.                      MX     5    mail.xxxx.com
 smtp                           A      21.152.8.69
 security                       A      21.167.67.16
 intra                          A      10.0.0.1
 pop                            A      21.15.8.69
 magazine                       A      21.16.67.16
 localhost                      A      127.0.0.1
 mail                           A      21.15.8.69
 www                            A      21.16.6.16
 bbs                            A      21.16.6.16
 ns1                            A      21.152.8.69
 xxxx.net.                      SOA    xx.net root.xxxxx.net. (2003021801 86400 1200 604800 3600)
>
This is a security risk: the DNS server lets anyone list the domain's records. Here I have read out the entire X League zone, which gives a clear picture of the website structure. We can see that the mail host's IP is 21.15.8.69, so it seems we cannot sniff it with the zombie from before. First, let's look at the mail server's version and configuration:
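The listing above is what an unrestricted zone transfer (AXFR) hands to anyone who asks. As an added example, not taken from the article or the site's own configuration, this BIND named.conf fragment shows the permissive setting beside the corrected one; the secondary address 203.0.113.10 is a placeholder from the documentation range.

```conf
// --- named.conf, permissive (what the listing above implies) ---
// Any client may transfer the whole zone, internal names included.
options {
    allow-transfer { any; };
};

// --- named.conf, corrected ---
// Deny transfers globally, then allow them only to the zone's own secondary.
// 203.0.113.10 is a placeholder, not the site's real secondary server.
options {
    allow-transfer { none; };
};

zone "xxxx.net" {
    type master;
    file "xxxx.net.zone";
    allow-transfer { 203.0.113.10; };
};
```

Note that the transfer also exposed an internal-only name (intra, 10.0.0.1); records like that belong in a separate internal zone or view, not in the public zone at all.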
D:\> nc 21.15.8.69 25
220 xxxx.com ESMTP service
HELO yahoo
250 xxx.com
MAIL FROM: adam@xxxx.net
250 OK
VRFY to: adam@xxxx.net
252 to: adam@xxxx.net
VRFY to: adam1@xxxx.net
252 to: adam1@xxxx.net
VRFY adam1@xxxx.net
252 adam1@xxxx.net
VRFY adam1@xxxx.net
252 adam1@xxxx.net
VRFY to: Adam
252 to: Adam
EXPN Adam
502 Error: command not implemented
EHLO
501 Syntax: EHLO hostname
The ESMTP software and its configuration look acceptable too. Let me check whether the mail server really is on a different network; it would be a pity to miss it otherwise:
C:\> tracert 21.15.8.69
Tracing route to 21.15.8.69 over a maximum of 30 hops
  1   <10 ms   <10 ms   <10 ms  192.168.0.1
  2    81 ms    90 ms   110 ms  218.17.0.1
  3    60 ms    50 ms    60 ms  61.144.238.97
  4    60 ms    90 ms    50 ms  61.144.236.161
  5    60 ms    91 ms    90 ms  61.144.236.13
  6    90 ms    80 ms    50 ms  61.140.1.21
  7    80 ms    70 ms    50 ms  POS2-0-R2-C-GZ-A.gd.cn.net [202.105.1.161]
  8    60 ms    70 ms    60 ms  61.140.0.17
  9   140 ms   120 ms   131 ms  202.97.34.105
 10    91 ms   150 ms   120 ms  202.96.12.34
 11   110 ms   141 ms   140 ms  202.106.193.170
 12   110 ms   110 ms   110 ms  202.106.193.206
 13   111 ms   120 ms   130 ms  210.74.174.178
 14   110 ms   120 ms   120 ms  210.77.139.177
 15   121 ms   110 ms   130 ms  210.77.139.246
 16   100 ms   100 ms   110 ms  21.15.8.69
Trace complete.
C:\> tracert 211.167.67.167
Tracing route to 211.167.67.167 over a maximum of 30 hops
  1   <10 ms   <10 ms   <10 ms  192.168.0.1
  2    50 ms    70 ms    60 ms  218.17.0.1
  3    70 ms    50 ms    70 ms  61.144.238.97
  4    40 ms    70 ms    60 ms  61.144.236.105
  5    70 ms    90 ms    80 ms  61.144.236.13
  6    60 ms    70 ms    60 ms  61.140.1.21
  7    50 ms    70 ms    81 ms  POS2-0-R2-C-GZ-A.gd.cn.net [202.105.1.161]
  8    90 ms    70 ms    80 ms  61.140.0.17
  9   100 ms   120 ms   121 ms  202.97.34.105
 10   110 ms   121 ms   120 ms  202.96.12.34
 11   100 ms   120 ms   100 ms  202.106.192.158
 12   110 ms    90 ms   111 ms  202.96.13.142
 13   120 ms   100 ms    90 ms  211.167.80.194
 14   131 ms   120 ms   120 ms  211.167.67.167
Trace complete.
Haha, the mail server really is on a different network. Still, we might be able to ARP-spoof the mail server as well; a clever reader will think of how, so I will not go into it here.