A Real World Attack: wu-ftp
Cao er kai (曹爾凱)
g92430023@comm.ccu.edu.tw
Tel: 05-272-0411 Ext. 23535
2004/03/03
Outline
• Description
• Purpose
• Principle and Pre-Study
• Required Facilities
• Step by step
• Summary
• Reference

Description
• This exercise guides you through the process of discovering a vulnerable system, exploiting the vulnerability, and installing software to cover your tracks.

Purpose
• Locate a vulnerable system
• Exploit that vulnerability to gain a root shell
• Install a rootkit
• Access the system via the rootkit

Principle and Pre-Study
• CERT Advisory CA-1999-13: Multiple Vulnerabilities in WU-FTPD
  • MAPPING_CHDIR Buffer Overflow
  • Message File Buffer Overflow
  • SITE NEWER Consumes Memory
• http://www.cert.org/advisories/CA-1999-13.html

Required Facilities
• Hardware
  • PC or workstation with a UNIX-like system
• Software
  • Wu-ftp 6.2.0
  • Rootkits and buffer overflow program
• WARNING:
  • This process of cracking a system was only tested in an internal network.
  • Do not run the actual exploit against a host you have no privileges on.
Step (I): reconnaissance and scanning
• Use "nmap" for system scanning
• Test the anonymous account

Step (II): exploit the target
• Decompress the buffer overflow file and compile it
• List the usage of this tool

Step (III): cracking
• Execute the buffer overflow on the target host
• Root privileges obtained

Step (IV)
• Download the rootkit from outside and install it
  • Check the logged-in users
  • Download the tool from another victim
  • Decompress the rootkit
  • Execute the rootkit

Step (V): auto-patch the victim
• Set the default login password
• Replace the system commands
• Open the telnet port
• Report the system information
• Close the system firewall

Step (VI)
• Try the rootkit to see if it works
• Now you can do anything
  • The telnet daemon has been replaced
  • Input the ID and the password predefined by us
  • We have got a root shell now

Summary
• Check the OS and applications for vulnerabilities periodically.
• There are no unsafe applications, only careless people.
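A defender-side check for the indicators the steps above describe (system commands and the telnet daemon replaced by the rootkit, the telnet port opened). This is an added example, not part of the original slides; the WATCHED paths are assumed typical rootkit targets, and demo() builds a constructed scenario in a temporary directory rather than touching real binaries.

```python
import hashlib
import os
import socket
import tempfile

# Files the rootkit step on the slides replaces; placeholder list, adjust per host.
WATCHED = ["/bin/ls", "/bin/ps", "/bin/netstat", "/usr/sbin/in.telnetd"]

def sha256_file(path):
    """Hash a file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def snapshot(paths):
    """Record the hash of each watched file that exists (take this on a clean host)."""
    return {p: sha256_file(p) for p in paths if os.path.isfile(p)}

def compare(baseline, current):
    """Return (modified, missing, added) paths relative to the clean baseline."""
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in current)
    added = sorted(p for p in current if p not in baseline)
    return modified, missing, added

def telnet_listening(host="127.0.0.1", port=23, timeout=1.0):
    """True if something accepts TCP connections on the telnet port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def demo():
    """Constructed scenario: a fake in.telnetd is swapped out after the baseline."""
    workdir = tempfile.mkdtemp()
    ls, telnetd = (os.path.join(workdir, n) for n in ("ls", "in.telnetd"))
    for path in (ls, telnetd):
        with open(path, "wb") as fh:
            fh.write(b"clean " + os.path.basename(path).encode())
    baseline = snapshot([ls, telnetd])
    with open(telnetd, "wb") as fh:  # the "rootkit" replaces the daemon
        fh.write(b"trojaned daemon")
    modified, missing, added = compare(baseline, snapshot([ls, telnetd]))
    return [os.path.basename(p) for p in modified], missing, added
```

On a real host, store snapshot(WATCHED) offline while the system is known clean and run compare() against a fresh snapshot later; telnet_listening() flags the port the rootkit step opens.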
Reference
• CERT
  • http://www.cert.org/
• Nmap
  • http://incsecure.org/
• Buffer overflow and rootkit download site
  • http://www.flatline.org.uk/~pete/ids/