Information Networking Security and Assurance Lab, National Chung Cheng University, 2004/03/03

A Real World Attack: wu-ftp
Cao er kai (曹爾凱)
Tel: Ext
Outline
- Description
- Purpose
- Principle and Pre-Study
- Required Facilities
- Step by step
- Summary
- Reference
Description
The exercise will guide you through the process of discovering a vulnerable system, exploiting the vulnerability, and installing software to cover your tracks.
Purpose
- Locate a vulnerable system
- Exploit that vulnerability to gain a root shell
- Install a rootkit
- Access the system via the rootkit
Principle and Pre-Study
- CERT Advisory CA: Multiple Vulnerabilities in WU-FTPD
  1. MAPPING_CHDIR Buffer Overflow
  2. Message File Buffer Overflow
  3. SITE NEWER Consumes Memory
Required Facilities
- Hardware: PC or workstation with a UNIX-like system
- Software: wu-ftp, rootkits and a buffer overflow program
WARNING: This cracking process has only been tested on an internal network. Do not run the actual exploit against a host you are not authorized to attack.
Step (I): reconnaissance and scanning
- Use "nmap" for system scanning
- Test the anonymous account
Step (II): exploit the target
- Decompress the buffer overflow file and compile it
- List the usage of this tool
Step (III): cracking
- Execute the buffer overflow against the target host
- Root rights obtained
Step (IV): download the rootkit from outside and install it
- Check the logged-in users
- Download the tool from another victim
- Execute the rootkit
- Decompress the rootkit
Step (V): auto-patch the victim
- The default login password
- Change the system commands
- Open the telnet port
- Close the system firewall
- Report the system information
Step (VI): try the rootkit to see if it works
- Now you can do anything
- We have got a root shell now
- The Telnet daemon has been replaced
- Input the ID and the password that were predefined by us
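Added defensive example, not part of the original slides: the rootkit steps above replace system commands and the Telnet daemon and add a predefined login. A file-integrity baseline taken before exposure, plus a check for extra UID-0 accounts in passwd, catches both changes; the file names, contents and passwd lines below are constructed in a temporary directory for the demo.

```python
# Added example: detect replaced binaries and an extra UID-0 login (constructed data).
import hashlib
import os
import tempfile

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_baseline(paths):
    """Record hashes of trusted binaries while the host is still clean."""
    return {p: sha256_of(p) for p in paths}

def check_integrity(baseline):
    """Return files whose current hash differs from the baseline (missing counts too)."""
    changed = []
    for p, digest in baseline.items():
        if not os.path.exists(p) or sha256_of(p) != digest:
            changed.append(p)
    return changed

def extra_root_accounts(passwd_text):
    """Return login names with UID 0 other than 'root' (a backdoor login)."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            found.append(fields[0])
    return found

def demo():
    """Simulate a host: take a baseline, then the rootkit swaps ls and in.telnetd and adds a login."""
    d = tempfile.mkdtemp()  # stands in for /bin and /usr/sbin (constructed)
    files = {os.path.join(d, n): b"original " + n.encode() for n in ("ls", "ps", "in.telnetd")}
    for p, data in files.items():
        with open(p, "wb") as f:
            f.write(data)
    baseline = build_baseline(files)
    for n in ("ls", "in.telnetd"):  # rootkit replaces two of the three
        with open(os.path.join(d, n), "wb") as f:
            f.write(b"trojaned")
    # Constructed passwd content: the rootkit added a second UID-0 user.
    passwd = "root:x:0:0:root:/root:/bin/sh\nbin:x:1:1::/bin:/sbin/nologin\nr00t:x:0:0::/:/bin/sh\n"
    changed = sorted(os.path.basename(p) for p in check_integrity(baseline))
    return changed, extra_root_accounts(passwd)
```

Running demo() returns (["in.telnetd", "ls"], ["r00t"]); on a real host the baseline must be stored off the machine, since a rootkit that can replace ls can also edit a local hash list.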
Summary
- Check the OS and applications for vulnerabilities periodically.
- There are no unsafe applications, only careless people.
Reference
- CERT
- Nmap
- Buffer Overflow and RootKits download site