The port mapper service works like this - I would connect to the port mapper
port and state that I want to use a specific RPC service - the port mapper
would then reply and tell me which port to use. (RPC is for remote procedure
call - it's like executing a function on a remote machine, and getting the
output back). The reverse is also true - if I want to write a RPC service, I
must register it with the port mapper, so that the client that wants the
service knows on what port I am listening. So what is the bottom line?
I could save myself a lot of port scanning trouble and just ask the
port mapper what services are running on which ports. Obviously the
portmapper service itself must be running, so I might first test for
machines that have port 111 open. Assuming that I now have a machine
with an open port mapper port, the following is done:
> rpcinfo -p 210.xxx.96.151
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100001 1 udp 1038 rstatd
100001 2 udp 1038 rstatd
100001 3 udp 1038 rstatd
100002 1 udp 1040 rusersd
100002 2 udp 1040 rusersd
100008 1 udp 1042 walld
100012 1 udp 1044 sprayd
150001 1 udp 1046 pcnfsd
150001 2 udp 1046 pcnfsd
100083 1 tcp 1026 ttdbserver
100068 2 udp 1048 cmsd
100068 3 udp 1048 cmsd
100068 4 udp 1048 cmsd
100068 5 udp 1048 cmsd
100003 2 udp 2049 nfs
100005 1 udp 785 mountd
100005 1 tcp 787 mountd
100024 1 udp 989 status
100024 1 tcp 991 status
100021 1 tcp 840 nlockmgr
100021 1 udp 842 nlockmgr
100021 3 tcp 845 nlockmgr
100021 3 udp 847 nlockmgr
100020 1 udp 850 llockmgr
100020 1 tcp 852 llockmgr
100021 2 tcp 855 nlockmgr
1342177279 3 tcp 1067
1342177279 1 tcp 1067
From this we can see which RPC services the host is running. A very interesting
service to see running is NFS (network file system). Maybe the host is
exporting some interesting NFS "shares"? Let us have a look:
> showmount -a 210.xxx.96.151
All mount points on 210.xxx.96.151:
xxx.com.tw:/HUANGFS
xxx.com.tw:/HUANGFS
xxx.com.tw:/HUANGFS
We can see that this host only exports the shares to specific machines (in
Taiwan) - not to the rest of the world - so it is pretty useless to even try
to mount these "shares" on our host. Maybe I'll look for a host with some
public shares, and then we'll look at mounting those. OK...here goes:
> showmount -e 128.xxx.135.52
Exports list on 128.xxx.135.52:
/install_2.6 Everyone
/export/install Everyone
/psrc rcd_hosts
/usr/share/opt rcd_hosts xxx.edu
/usr/share/opt2.5 rcd_hosts
/scratch7 rcd_hosts
/pucc rcd_hosts xxx.edu
/home/helios/u52 rcd_all
/home/helios/u51 rcd_all
# mount_nfs 128.xxx.135.52:/export/install /mnt
# cd /mnt
# ls
Let us move on to some of the other services. One of the other services that
you would notice is "rusers". Rusers is the same as finger - there ain't
that many tricks with rusers, but it would give you a list of users active
on the host. It is very useful when the finger service is not running, or when
it is blocked, and you need some usernames.
> rusers -al 210.xxx.96.151
Damn - no users logged on. Let us see if we can't find a host somewhere on
the 'net with users logged on:
# rusers -al 128.xxx.135.109
wgw xxx.edu:console Sep 19 16:11 :53 (:0)
(confirming:)
> finger @128.xxx.135.109
[128.xxx.135.109]
Login Name TTY Idle When Where
wgw William Wolber console 1:06 Tue 09:11 :0
Another RPC service that is quite cute is the rstatd server. This service
gives some (kinda useless) information such as uptime and load:
> rup 210.xxx.96.151
210.xxx.96.151 1:17am up 4 days, 22:14, load average: 0.00 0.00 0.01
Should I wish to, I could write a message to all the users logged in on the
host using the rwall command (now... I wouldn't want to do that, would I, but it
would look like this):
> rwall 210.xxx.96.151
Greetings from South Africa!
^D
>
This command would write the above message to the consoles of all users
connected to the host. Using this command in a loop has obvious annoying
effects.
Another RPC service that is not mentioned here is the Yellow Pages system
(YP). YP was quite popular at some stage in large corporations and
universities, but it's rare to see it today. For a very nice discussion on
ways to get juicy information from YP the best document must be Dan Farmer's
"Improving the Security of Your Site by Breaking Into It" - you can find it
here (http://www.ussrback.com/docs/papers/unix/farmer.txt).
The more serious problem with RPC services is that some of them are
exploitable. The "ttdbserver" and "cmsd" services have known problems that
would allow an attacker to execute any command on the host. These exploits
are very OS dependent, but also very real...check your local exploit
database for the goodies.
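As an added example (not code from the original post), here is a small audit script that parses the kind of rpcinfo -p and showmount -e output shown above and reports what an administrator should fix on their own hosts: the two services the text names as exploitable, exports open to everyone, and program numbers the rpc table cannot name. The sample listings are constructed from the post's output, and the HIGH_RISK set is an assumption taken from the paragraph above.

```python
HIGH_RISK = {"ttdbserver", "cmsd"}  # the post names these as remote-exec risks
RPCINFO_SAMPLE = """\
program vers proto port
100000 2 tcp 111 portmapper
100083 1 tcp 1026 ttdbserver
100068 5 udp 1048 cmsd
100003 2 udp 2049 nfs
100005 1 udp 785 mountd
1342177279 3 tcp 1067
"""
SHOWMOUNT_SAMPLE = """\
Exports list on 128.xxx.135.52:
/install_2.6 Everyone
/export/install Everyone
/usr/share/opt rcd_hosts xxx.edu
"""

def parse_rpcinfo(text):
    """Rows of (program, version, proto, port, name); name is '' for unknown programs."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or not f[0].isdigit():
            continue  # header or blank line
        rows.append((int(f[0]), int(f[1]), f[2], int(f[3]),
                     f[4] if len(f) > 4 else ""))
    return rows

def parse_exports(text):
    """Map export path -> list of client specs from showmount -e output."""
    exports = {}
    for line in text.splitlines():
        if line.startswith("/"):
            path, *clients = line.split()
            exports[path] = clients
    return exports

def audit(rpc_text, showmount_text):
    """Findings a defender would act on, in a stable order."""
    rows = parse_rpcinfo(rpc_text)
    names = {r[4] for r in rows}
    findings = [f"{n}: known remote-execution bugs; disable or firewall"
                for n in sorted(names & HIGH_RISK)]
    for path, clients in parse_exports(showmount_text).items():
        if "Everyone" in clients or "(everyone)" in clients:  # SunOS/Linux spellings
            findings.append(f"{path}: exported to everyone")
    unknown = [r[0] for r in rows if not r[4]]  # e.g. 1342177279 above
    if unknown:
        findings.append(f"unregistered program numbers: {unknown}")
    return findings
```

Run it against the saved output of rpcinfo -p and showmount -e from your own hosts; anything it lists is a service or export that should not be reachable from the Internet.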