name server because its OS wasn't that up to date. In an attempt to figure out where exactly the name server was placed I did a traceroute to it. Then I ran a traceroute to a few other computers. The result: each traceroute turned up cisco-7k.something.net. I am gonna bet that that is a Cisco 7000 router (some nice hardware). On the last two computers where I ran a traceroute was anyname.something.net. I believe that to be a firewall because almost all traceroutes pass through that computer, and it appears just after the router. But it didn't appear when I did a traceroute to what I believed was the secondary domain name server. So then I decided to do a whois something.net and found what the two name servers were (why didn't I think of this before): ns1.something.net and ns2.something.net, and of course the outdated FreeBSD machine was ns2.something.net. All right, I'm in business.

I then ran a traceroute to ns1.something.net and it didn't pass through the firewall, which meant that they had their name servers set up outside of the firewall. (It's very typical to put name servers in front of the firewall.) So I searched the sploit archives for a FreeBSD exploit, and a named exploit came up - talk about my lucky day. So I compiled and ran it. I then got myself a root shell on the name server. (No, I will not give you the source of the exploit; that would be aiding you in attacking a computer.) Too bad it was outside the firewall.

So was there anything of any use to me? Yes, of course. The master.passwd, but it's only good, I imagine, if they are running NIS or NIS+. So I issued the ftp command back to some computer on the Internet (not my computer, that would be stupid) and downloaded it. Eventually I got it back to my computer. I started good old John The Ripper right away and continued to explore the network, because what good is a username/password if you can't get in because of a fucking firewall?

Anyhow, on one machine I found an anonymous ftp server. So I decided to check it out, and I found that the machine was running SunOS 5.5.1, and it was vulnerable to an ftp bounce attack! Hell yeah. So now I went and grabbed that script and ran the little devil; it bounced me straight through the anonymous ftp and to a telnet port on the subnet. Now all I had to do was crack that password file. So I waited a long while as John The Ripper went to town, day and night, on the password file. Then finally I just took the first login I got, and boom, I was on this system which was inside a firewall! Hell yeah!

So I had to get root. Would su work? If it did, kickass, but if it didn't I may have been screwed. Since I always play it safe, I looked for something I could run on the shell to get me root. Now that I had passed the firewall, I could just use any remote buffer overflow and get root on any of the computers. Or, I could just log into another system anywhere and run a local root exploit. I had a wide range of exploits to choose from.

I figured I'd look around and see if I could find another FreeBSD machine lying around to screw with and bam! FreeBSD 2.2.1. This one had a local root exploit in the /proc filesystem. I got the list of usernames/passwords and I was past the firewall, so I figured this would be pretty simple. I telnetted over to the FreeBSD 2.2.1 box, ftp'd the exploit source over, compiled the thing, ran it, waited a few minutes, and bam, root shell!

Anyhow, I searched around the network for what I came for and ran those nifty little cloaking programs to cover my ass. I wiped all the necessary logs to hide my punkass and got out. It was rather daring to jump around to so many machines, but since I only came for one reason and got what I needed, I didn't leave any backdoors for myself. And I didn't change anything. So I should get off scot-free.
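The anonymous ftp server above was used as an ftp bounce relay: a PORT command names an arbitrary address and port, and the server opens its data connection there on the client's behalf. The standard server-side mitigation is to refuse any PORT whose address differs from the control connection's peer, or whose port is privileged. The following Python is an added illustration written for this edition, not code from the article or from any ftp daemon; the sample PORT lines and the peer address 198.51.100.7 are constructed, and the name check_port_command is an assumed helper.

```python
import ipaddress
import re

# Constructed sample PORT commands as a client would send them on the control
# channel: h1,h2,h3,h4,p1,p2 encodes address h1.h2.h3.h4 and port p1*256+p2.
SAMPLE_COMMANDS = [
    ("198.51.100.7", "PORT 198,51,100,7,4,1"),   # same host as control peer: OK
    ("198.51.100.7", "PORT 10,0,0,5,0,23"),       # third-party host, port 23: bounce
    ("198.51.100.7", "PORT 198,51,100,7,0,80"),   # own host but privileged port
    ("198.51.100.7", "PORT 1,2,3"),               # malformed
]

PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)


def parse_port_command(line):
    """Return (ip, port) from an RFC 959 PORT command, or None if malformed."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    octets = [int(x) for x in m.group(1).split(",")]
    if any(o > 255 for o in octets):
        return None
    ip = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]
    return ip, port


def check_port_command(control_peer_ip, line, min_port=1024):
    """Decide whether the server should honour a PORT command.

    Returns (allowed, reason). The bounce mitigation is: the data-connection
    address must equal the control connection's peer address, and the port
    must be unprivileged, so the server cannot be steered at another host
    or at a service port on its own network.
    """
    parsed = parse_port_command(line)
    if parsed is None:
        return False, "malformed PORT command"
    ip, port = parsed
    if ipaddress.ip_address(ip) != ipaddress.ip_address(control_peer_ip):
        return False, (f"PORT address {ip} differs from control peer "
                       f"{control_peer_ip} (bounce attempt)")
    if port < min_port:
        return False, f"PORT to privileged port {port}"
    return True, "ok"


def audit(samples=SAMPLE_COMMANDS):
    """Apply the check to each (peer, line) pair; returns (line, allowed, reason)."""
    return [(line, *check_port_command(peer, line)) for peer, line in samples]


if __name__ == "__main__":
    for line, allowed, reason in audit():
        print(f"{'ALLOW' if allowed else 'DENY':5} {line!r}: {reason}")
```

The same comparison is what a log reviewer looks for in ftp daemon logs: a PORT (or EPRT) whose target is not the connecting client is the signature of a bounce attempt, whether or not the server honoured it.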
Fall 1998 2600 Magazine Page 17