/* System Profiling Through RPC */ by: Screamer Chaotix The Sun RPC (Remote Procedure Call) Portmapper running on port 111 can be your best friend, or your worst enemy. As usual it depends on what side of the fence you choose to play on. For the purposes of this article, I will assume the reader is interested in exploring the possibilities of remote system profiling without the need for old fashion programs such as finger. Through the Portmapper running on 111, we can see what RPC programs are running on the remote machine, and may even get a chance to exploit one or two. The beauty of RPC is that, by it’s very nature, it’s designed to be open to the internet. And while most people have gotten around to getting rid of annoyances like finger, expn/vrfy on port 25, and of course, default accounts, not too many give RPC a second look. I could hypothesize as to why that is, perhaps the most obvious being that port 111, by itself, is not really a security hole. Its best use, from an invader’s perspective, is to show exactly what’s running where. For brevity, we will focus on two RPC programs. One can be used to gain information about the target system, the other could potentially give us access to the machine. These daemons are rusersd and mountd. But first, how do we find them? You could take your target machine and simply run the client version of these commands against it to see if anything gives, but I prefer knowing if the RPC ports are up and running or not before I go attacking anything. To find open ports, a simple nmap scan will suffice: screamer@localhost># nmap –sS –p 111 192.168.2.* > port_111 & I’ll assume you have a machine, and for legality purposes, it’s a comp you own (not 0wn). To see what RPC daemons are running, simply run the following command. screamer@localhost># rpcinfo –p target.host.com What will return is a listing of listening daemons, for example: program vers proto port 100007 1 udp 721 mountd 100025 1 udp 32790 rusersd How convenient, we have both mountd and rusersd up and running. Let’s begin by doing a little snooping. The first thing hackers would do a few years back was a quick and dirty “finger @target.host.com” to see who was logged into that machine. Nowadays, people know it’s not a good idea to leave their login information lying around, even if it’s just a username. What people don’t realize however, is that they may still be giving out this very same information without realizing it. Enter rusers, which can be found through www.rpmfind.net if not already included in your distribution. screamer@localhost># rusers –l target.host.com For those of you wondering if that’s a lowercase L or a one, it’s the former (as in little larry). With this command, you will be brought back to the good old days of finger, as login information will appear before you (if people are logged in at that time of course). Here’s an example for your viewing pleasure: Login Shell Last Login ----------------------------------- screamer /bin/bash Wed Nov 2 from pimpdaddy.pimpsandhiz-oes.com dash /bin/bash Thurs Dec 5 from bitchsmack.pimpsandhiz-oes.com Darn, and I thought by getting rid of finger I was safe! Guess not. So there we go, we have some login information. Now the next step I won’t even get into. If you don’t know what I’m talking about, it includes “password,” “love,” “sex,” “secret,” “god,” last names, addresses, birthdays, spouse names, dog names and maybe even a little social engineering. Now, let’s move on to more important matters, shall we? Namely, mountd. Now mountd isn’t all that terrible, when properly configured (natch). The mountd protocol can be used to mount a remote drive, onto a local one, and allow you to view the contents of that drive as though it were on your local machine. In other words, you can see inside a computer without logging in. Ok, let’s use mountd to it’s full potential. To do this, we’ll use a little program called showmount. The showmount client, in a nutshell, displays mountable drives on either your local or a remote machine. These are drives that can be mapped to a local drive and traversed as though that’s exactly what they were. screamer@localhost># showmount –e target.host.com Which returns (if you’re lucky): ---------------------------------- /usr/bin root /home/johns (everyone) Great, so we have a couple of mountable drives there. The first is owned by root, which we can’t touch. Fortunately, the next drive on the list looks like a users home directory. Bingo! As Lord Nikon would say, you in the butterzone now baby. You can see inside this drive without even logging in! Begin by making a new directory to mount the remote one onto, in our case we’ll call it new_mount. Then we mount the remote drive onto it, like so: screamer@localhost># mkdir new_mount screamer@localhost># mount target.host.com:/home/johns new_mount If everything goes smoothly, you can now cd into your new_mount directory, type ls, and see everything inside that users directory. Ooh, wow, you say. Who cares? I’m a hacker, I don’t want to read someone’s email, I want to explore the system they’re using. Fortunately, with a home directory mountd on your computer…you can. That, after all, is the magic of an .rhosts file. Yes that’s right, .rhosts, that file you should never have in your home directory is your ticket into this remote machine. Simply create an .rhosts file that contains this line. your.machine.com johns From there, all you have to do is rlogin into the remote machine. screamer@localhost># rlogin –l johns target.host.com And there you have it, you’re now logged into the remote machine as user johns. From here, you can use any number of local exploits to achieve root. Naturally those all depend on the architecture of the machine, so look around, or better yet, try and figure out somethings yourself (shocking concept, huh?). For just a minute, let’s say you didn’t find a mountable drive that belonged to a user…but was however, open to everyone. Possibilities exist for getting access here as well, potentially even as root. If you’re lucky enough to find /usr/bin (or any other directory located in a users path), you can mount the drive to your local machine and modify any number of programs in there to do your bidding. And if someone foolishly runs those programs as root (which is entirely possible), you can have some serious fun. Make ls discreetly add a new user with root privs, and voila, you have your very own backdoor. Try to be as inconspicuous as possible, name the new user “system_” or something to that effect, so it doesn’t draw too much attention. Last and certainly least, RPC is probably unnecessary on about 97% of the systems that use it. Why you need to show who’s logged in through rusersd is beyond me, and why you would ever want to have people on the internet mounting your drives on their local machines doesn’t seem to make a lick of sense. These things do exist, believe me. Scan a university, you’re bound to find a machine you can root with just a little effort. Naturally I can’t actually recommend it, don’t want to see anyone go to jail, but it’s good to know what’s possible, if only so you can better protect yourself. Until next time, never stop exploring. -screamer