First, the hacker uses finger @<systemname> to get a list of users who are currently logged on. Then the hacker tries login names at each system, such as root, bin, guest, ftp, tftp, daemon, sync, and usernames that the hacker has already discovered. This should result in a bonanza of information for the hacker's growing database:
% finger @m2.notreal.com
[m2.notreal.com]
Login    Name                   TTY  Idle  When       Office
root     system PRIVILEGED ac   *:0        Fri 11:41
root     system PRIVILEGED ac   p2   8d    Fri 11:56
bkelley  Bob Kelley             p4   5d    Tue 15:14  Bldg 52 X71111

% finger root@m2.notreal.com
[root@m2.notreal.com]
Login name: root              (messages off)  In real life: system PRIVILEGED account
Office: Bldg 43, x71111
Directory: /                  Shell: /bin/sh
On since Oct 27 11:41:13 on :0
On since Oct 27 11:56:39 8 days Idle Time on ttyp2
On since Nov  3 13:46:00 8 days Idle Time on ttypa from m4
On since Nov  3 15:52:41 8 days Idle Time on ttypb from m3

% finger ftp@m3.notreal.com
[m3.notreal.com]
Login name: xxftp             In real life: anonymous ftp
Directory: /users/ftp         Shell: /bin/false
Never logged in.
No Plan.

% finger bin@m3.notreal.com
[m3.notreal.com]
Login name: bin               In real life: System Tools Owner
Directory: /bin               Shell: /dev/null
Never logged in.
No Plan.

% finger guest@m3.notreal.com
[m3.notreal.com]
Login name: guest             In real life: Guest Account
Directory: /usr/people/guest  Shell: /bin/csh
Last login at Wed Jul 12 17:39 from mabel@halifax.com
No Plan.
A hacker uses finger to build up a copy of the /etc/passwd file, with new information on login names, home directories, login shells, last login information (tty, system used to login from, and date last logged in), and even information about the individual (phone, address, and so on). This information can be useful as vulnerabilities are discovered. If the hacker discovers that /usr is NFS exported, for example, the hacker would like to know any users that have a home directory in /usr (such as guest above). This would permit the hacker to launch .rhosts-type attacks against this user.
Tip: Avoid enabling fingerd in inetd. The tcp-wrapper can restrict remote access to fingerd if finger information is absolutely necessary for the network.
The rpc equivalent of fingerd is rusersd. If the remote system indicates through the rpcinfo -p printout that rusersd is a registered rpc service, running rusers -l <remote system> generates a list comparable to that generated by finger @<remote system>. The output is very similar to who or rwho. rusers does not allow a query for information about an individual user. SATAN uses rusers to gather information about remote systems:
% rusers -l mail.notreal.com
bkelley   mail:ttys0   Oct 04 12:23  115:28  (m2.notreal.com)
perry     mail:ttys2   Oct 25 14:53  607:20  (sys1.notreal.com)
chris     mail:ttys3   Oct 06 08:16  473:41  (sys2.notreal.com)
stan      mail:ttys7   Sep 22 10:03  126:18  (m3.notreal.com)
mabel     mail:ttys9   Oct 16 15:42  447:27  (m4.notreal.com)
www       mail:ttysb   Oct 10 08:27   65:27  (sys2.notreal.com)
The third program, rwho, depends on a daemon called rwhod that periodically broadcasts who is on a system to other rwhod programs on the network. This is not very useful for hacking because a hacker cannot directly interrogate rwhod, but must instead run an rwhod of his own to listen for broadcasts. Because the broadcasts don't go past the local LAN segment, a remote hacker never sees an update.
Note: A number of web sites that feature username searches are available from the Yahoo White Pages Web page at http://www.yahoo.com/Reference/White_Pages.
NFS Export Information
For those systems that indicate a mount service via the rpcinfo -p list, the showmount program can interrogate rpc.mountd for details. The showmount -a command prints out a list of which hosts have mounted the exported file systems. The showmount -e command requests a list of file systems that are exported via NFS as well as the authorization list for those file systems:
% showmount -e dns1.notreal.com
export list for dns1.notreal.com:
/tmp         sys2,sys3
/usr         (everyone)
/export/home (everyone)
/var         (everyone)
/cdrom       (everyone)
/            m2

% showmount -a dns1.notreal.com
m2.notreal.com:/
m3.notreal.com:/usr
sys2.notreal.com:/tmp
Because NFS depends on client-side authentication, a hacker can use one of the many NFS hacking tools, such as nfsbug, nfsshell, or nfsmenu, to gain read and write access to the exported file systems. SATAN scans for unrestricted NFS access and indicates this as a potential problem in its reports.
An analysis of the exported file systems can offer some insight into vulnerable points. The /cdrom file system is probably acceptable, because it is read-only, as long as the cdrom does not contain private information. The /tmp file system is also probably acceptable, because most users and programs already understand that it offers no security.
The /usr directory is probably acceptable if it is exported read-only, because it usually contains binaries. However, many programs depend on /usr/tmp, increasing the likelihood of this directory being writeable. If the directory is writeable and binaries are owned by non-root users, the integrity of the binaries is at risk.
/export/home is probably a directory of user home directories that are exported with read and write permissions. This is a major vulnerability if the system permits .rhosts files, .Xauthority files, or .netrc files for FTP logins.
By gaining access to the /var/yp directory of a system that is a yp/NIS server, as indicated by the portmap information, you can determine the domain name for yp/NIS. The domain name is the name of the subdirectory of /var/yp. If you have write access to that system via NFS, you can rewrite the passwd map files and distribute them to all the yp/NIS clients in the domain.
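The export analysis above can be applied mechanically to your own servers' showmount -e output. The following is an added example (not code from the book or from SATAN) that parses the listing format shown for dns1.notreal.com and assigns each export the risk level the text argues for; since showmount -e does not report whether an export is read-only, /usr is flagged for a manual check rather than cleared.

```python
"""Audit a `showmount -e` listing using the risk rules described in the text."""
import re

# Constructed sample input: the dns1.notreal.com export list shown on the page.
SHOWMOUNT_E = """\
export list for dns1.notreal.com:
/tmp         sys2,sys3
/usr         (everyone)
/export/home (everyone)
/var         (everyone)
/cdrom       (everyone)
/            m2
"""

# One export per line: the path, whitespace, then "(everyone)" or a host list.
LINE_RE = re.compile(r"^(\S+)\s+(.+?)\s*$")


def parse_exports(text):
    """Return {path: [clients]}; '(everyone)' becomes the wildcard client ['*']."""
    exports = {}
    for line in text.splitlines():
        if not line.startswith("/"):
            continue  # skip the "export list for ..." header line
        m = LINE_RE.match(line)
        if not m:
            continue
        path, clients = m.groups()
        if clients.strip() == "(everyone)":
            exports[path] = ["*"]
        else:
            exports[path] = [c.strip() for c in clients.split(",")]
    return exports


def assess(exports):
    """Rate each export as low/medium/high following the page's reasoning."""
    findings = []
    for path, clients in sorted(exports.items()):
        world = "*" in clients
        if path in ("/cdrom", "/tmp"):
            level = "low"        # read-only media; /tmp already assumed insecure
        elif path == "/usr":
            level = "medium" if world else "low"  # OK only if ro; check /usr/tmp
        elif path == "/var":
            level = "high" if world else "medium"  # /var/yp NIS maps may live here
        else:                    # /, /export/home: .rhosts, .netrc, .Xauthority
            level = "high" if world else "medium"
        findings.append((path, "everyone" if world else ",".join(clients), level))
    return findings
```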
Tip: NFS should never be accessible to the Internet. When used, it should be read-only if possible. It should never permit root access with write capability. Hackers can cope with only so much laughter.