Page last updated:
2001 Dec 30 16:59

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Re: [vox-tech] Cracking...

On Fri, 1 Dec 2000, Peter Jay Salzman wrote:

> there are a number of remote vulnerabilities involving sendmail.  depending
> on what distribution, you could get yourself a root or bin shell.  can you
> determine which MTA is running on the machine?

The firewall is protecting all ports on the remote system except for ports 22
and 80.  So I can't even tell if the system is running sendmail, let alone
telnet, finger, or whatever else...

> does anyone actually log into this machine to be hacked?  maybe can you get a
> laptop running a sniffer to sniff out passwords.

From the outside, you can log in only via ssh, so sniffing won't do any good
unless I can crack a triple DES (or whatever encryption ssh uses.)


On Fri, 1 Dec 2000, Nicole Carlson wrote:

> On Fri, 1 Dec 2000, Mark Kim wrote:
> > The two guys who broke into the machine behind the firewall took less than
> > two days to get a root access on the system... so intimidating... but they
> > work in the security lab so they do have an advantage.  I've been told
>
> It was more like two hours.  (They're friends of mine.)

Yeah... I just knew it was less than two days because I checked the website
two days after the assignment was given and it was already hacked.  I didn't
get around to checking the website until two days later because of assignments
from other classes...  But I was told it was a really easy exploit.

> I probably
> shouldn't reveal too much (this IS a class and all), but there is an
> avenue of attack that you've overlooked entirely.  It is nontechnical in
> nature.

The suspense is killing me (and the rest of the class!)

I've been thinking perhaps I can send bogus packets to get the firewall to
open up ports.  I've been looking at the "sendip" program that can send
arbitrary IP packets.  Perhaps if I send a bogus packet that tells the
firewall that the remote machine wants to connect to my computer, maybe it'll
open up a port I can go through... but it isn't working out well...

So you're telling me it's not at all technical?  Perhaps an open account w/o
password or something?  Bishop already said they didn't break in through the
web server, so they had to have gone through either ssh or using some
technical trickery... or at least that's what I'm thinking...

On Fri, 1 Dec 2000, Peter Jay Salzman wrote:

> turn the keyboard over and copy down the root password...  :)

The two guys that broke into the system do work for the security lab
(where the firewall is), but Bishop tells me the exploit doesn't require a
person to be part of the security lab to make use of the exploit...


On Fri, 1 Dec 2000, Harry Souders wrote:

> On Fri, Dec 01, 2000 at 03:38:44PM -0800, Mark Kim wrote:
> > So far, nmap scan of the firewall reveals ssh (22) and http (80) ports are
> > open.  ssh version is "SSH-1.99-2.3.0 SSH Secure Shell (non-commercial)",
>
> Some versions of ssh had security problems.  Might want to check to see
> if this is one of those versions.

Yeah, I checked, but there were so many irrelevant listings.  Let me try
again -- maybe I can narrow down the search.  Hmm... there are some
interesting vulnerabilities... mostly not very helpful.  I'll get back to
you after reading all the vulnerabilities.

> > Bugtraq shows thttpd 2.10 has a couple bugs, both related to CGI, but the
> > system isn't running any CGIs.  Both systems are some Linux variants and
>
> Maybe the system is running CGIs. What I mean is, some of the webserver

Nope.  No CGIs anywhere on the server as far as I can tell.  Verified by
the professor.  He keeps on saying he'll put some up soon so we can play
with it, but he hasn't.

> the webserver bugs have to do with default admin accounts and passwords.

Yeah, tell me about it.  Our church just got this new webhost and it's got
all the cool stuff -- ssi, php, cgi, ssh, ... -- when I went to try out
some of the included CGI programs, it turns out they all have default
passwords posted right in index.html of the corresponding CGI programs'
directories.  I know how the passwords are stored (in a text file
accessible from ssh, hashed with crypt(3)) so I could overwrite them if
someone had gotten to these CGI programs and changed the password before I
got to them, but imagine what could happen to a poor webmaster who can't
use unix! :0  So sad...

On Fri, 1 Dec 2000, Harry Souders wrote:

> On Fri, Dec 01, 2000 at 06:32:04PM -0800, Mark Kim wrote:
> > All social engineering cracking techniques need to be approved by the
>
> Are you allowed to put a machine on the network and have it sniff all
> network traffic [I'm shootin from the hip and taking wild guesses]

Sniffing won't do any good because the ssh traffic is encrypted and the http
traffic is useless.  Also, the firewall is scanned like 24/7 by the entire
class, so I'd be spending forever sorting through the packets.  Also,
I can't get on their network because:

   1. I don't have physical access to any port on the firewall's subnet.

   2. There aren't any IPs available on the subnet -- I ping-scanned
      the entire subnet and found every single machine, from 1 through
      255, is in use by computers thriving online.

   3. You need your MAC address verified by the DHCP server before you
      can get on the network.  I could make my MAC address but I
      wouldn't know what address to try.

Please keep those ideas coming!  Thanks a lot!

-Mark :(

---
Mark K. Kim
http://www.cbreak.org/mark/
PGP key available upon request.