Probing Remote Networks
by Armageddon
Let's just say I decided to investigate a network, something.net, for one reason or another. It could have been for any reason - it doesn't matter because if I told you it might give away what network I was investigating.
Anyhow, I just left WS_Ping ProPack (Ipswitch) on all night to scan the subnet and scanned up through ports 1024. I came back in the morning and guess what turned up? Basically, port 23 was open on almost every machine. Port 53 was open on the two name servers (duh). Port 21 was open on a few machines. Ports 110 and 25 on mail.something.net were open (that was a given).
The first thing I did was telnet to port 23 on host15.something.net. It established a TCP connection, but then it disconnected me. I figured it was either a firewall or the machine I tried to Telnet to would only allow connections if I was a trusted client. Either way, that is a bitch to work around. So what next? I started scanning for ports on which I was able to maintain my TCP connection. I found that every port but 23 would let me maintain a TCP connection. Talk about lax in security. I figured they thought if they didn't allow port 23 connections they didn't have to worry about people logging in. Which is pretty stupid.
So I figured this would be an easy hack. Anyhow, most of the machines on the network were SunOS 5.5.1. Some FreeBSD machines were also on the network (lucky for me I like FreeBSD). I started looking around for any exploit I could find without much luck. So I figured out the FreeBSD machine was version 2.1.0. That machine was a little outdated; they must have just kinda forgotten about it or something. So I decided to pick on it, because it might have just been the one weak link in the chain I needed. A port scan returned ports 7 (echo), 23 (Telnet), 25 (Sendmail), 53 (DNS), 79 (Finger), 80 (HTTP), 111 (Sun RPC), and 513 (remote login). Anyhow, the first thing I always think of is Sendmail, and I remembered that FreeBSD was shipped with a vulnerable version. So I Telnet'd to port 25, and... it's 8.8.8. Damn, that door got slammed in my face.
So next, I looked at port 53, the name server. I believed that it was the secondary name server because its OS wasn't that up to date. In an attempt to figure out where exactly the name server was placed I did a traceroute to it. Then I ran a traceroute to a few other computers.
The result: each traceroute turned up cisco-7k.something.net. I am gonna bet that that is a Cisco 7000 router (some nice hardware).
On the last two traceroutes I ran, anyname.something.net showed up. I believe that to be a firewall because almost all traceroutes pass through that computer, and it appears just after the router. But it didn't appear when I did a traceroute to what I believed was the secondary domain name server. So then I decided to do a WHOIS on something.net and found what the two name servers were (why didn't I think of this before):
ns1.something.net and ns2.something.net, and of course the outdated FreeBSD machine was ns2.something.net. All right, I'm in business.
I then ran a traceroute to ns1.something.net and it didn't pass through the firewall, which meant that they had their name servers set up outside of the firewall. (It's very typical to put name servers in front of the firewall.) So I searched the sploit archives for a FreeBSD exploit, and a named exploit came up - talk about my lucky day. So I compiled and ran it. I then got myself a root shell on the name server. (No, I will not give you the source of the exploit; that would be aiding you in attacking a computer). Too bad it was outside the firewall.
So was there anything of any use to me? Yes, of course: the master.passwd, but I imagine it's only good if they are running NIS or NIS+. So I issued the ftp command back to some computer on the Internet (not my computer, that would be stupid) and uploaded it there. Eventually I got it back to my computer. I started good old John The Ripper right away and continued to explore the network, because what good is a username/password if you can't get in because of a f*cking firewall?
Anyhow, on one machine I found an anonymous FTP server. So I decided to check it out, and I found that the machine was running SunOS 5.5.1, and it was vulnerable to an FTP bounce attack! Hell yeah. So now I went and grabbed that script and ran the little devil; it bounced me straight through the anonymous FTP and to a Telnet port on the subnet. Now all I had to do was crack that password file. So I waited a long while as John The Ripper went to town, day and night on the password file. Then finally I just took the first login I got, and boom, I was on this system which was inside a firewall! Hell yeah!
So I had to get root. Would su work? If it did, kickass, but if it didn't I may have been screwed. Since I always play it safe, I looked for something I could run on the shell to get me root. Now that I had passed the firewall, I could just use any remote buffer overflow and get root on any of the computers. Or, I could just log into another system anywhere and run a local root exploit. I had a wide range of exploits to choose from.
I figured I'd look around and see if I could find another FreeBSD machine lying around to screw with and bam! FreeBSD 2.2.1. This one had a local root exploit in the /proc filesystem. I got the list of username/passwords and I was past the firewall so I figured this would be pretty simple. I Telnet'd over to the FreeBSD 2.2.1 box, and FTP'd the exploit source over, compiled the thing, ran it, waited a few minutes, and bam, root shell!
Anyhow, I searched around the network for what I came for and ran those nifty little cloaking programs to cover my ass. I wiped all the necessary logs to hide my punkass and got out. It was rather daring to jump around to so many machines, but since I only came for one reason and got what I needed, I didn't leave any backdoors for myself. And I didn't change anything. So I should get off scot-free.