Inventory *NIX
So, now I would like to move on to one of the most controversial topics in inventory. Controversial because, in general, you cannot collect any important information at all: *nix systems are built on the TCP/IP protocol stack (which has been worked out over many years) with little or no innovation.
*** I'll note that Linux has more innovations.
Therefore, if you come across a system that was built with a head on its shoulders, you will not collect anything useful; but if someone once again decided to install everything and then some, the system can become very weak in defense.
For me, the question of how to write this article correctly (!!!) is very acute. The reason, again, is that almost every network daemon can "say too much", but I cannot devote attention to how Apache or Sendmail "talk" (that can be found in narrower articles, on Bugtraq, in advisories, etc.). So I have to talk about what is more popular and what is more likely to work. Therefore this article will be very short.
To start, I'll say that it is worth reading about port scanning before reading further.
In *nix systems there are some very popular bugs that are certainly of interest to us. For example, the already notorious RPC service (Remote Procedure Call), as well as NFS (Network File System) and NIS (Network Information Service).
Let's look at RPC first. This service is needed by programs that communicate over the network; RPC was developed specifically for that. The rpcbind program works on top of this protocol. Its purpose is to be an intermediary between the client and the port: it dynamically assigns ports to clients. For inventorying RPC there is the rpcinfo utility, which works like finger (discussed below).
Well, we are once again faced with the fact that we need a list of open ports, because we need port 111. If we know that we are dealing with Sun, the port is 32771.
/* Keep in mind that in reality you will most likely not see the same thing as in my previous articles, which were written using leaky machines that are still on the network. This time I modelled such a machine on my own network to save the time of hunting for leaky machines on the Internet. So in the listings you will mainly see what the vulnerability is and what you should look for during inventory. */
---------------------------------------
#rpcinfo -p XX.XXX.XX.XXX
   program vers proto   port
    100000    2   tcp    111  rpcbind
    100002    3   udp    712  rusersd
    100005    1   udp    635  mountd
    100003    2   udp   2049  nfs
    100004    2   tcp    778  ypserv
    ...     ...   ...    ...  ...
---------------------------------------
From this we see that we have the rusersd daemon (which can show us more details), ypserv (the NIS server), and mountd, from which we obtain information via showmount -e (discussed in more detail below). You can also check whether an rquotad server is present: rpcinfo -n 111 -t XX.XXX.XX.XXX 100011
In RPC, the rquotad server corresponds to program number 100011.
So we can easily find out what is running on the system, as well as obtain some additional information. Of course, we could also get it via a port scan, but! Note that we see both udp and tcp here, while a scanner would additionally have to scan udp.
Now let's consider NFS.
Here everything is quite simple. If we know that we have NFS (100003 2 udp 2049 nfs), we type the following and see the shares:
--------------------------------------
#showmount -e XX.XXX.XX.XXX
Export list for XX.XXX.XX.XXX:
/pub    (everyone)
/source (everyone)
/loc    (everyone)
/usr    user
--------------------------------------
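To make the two listings above usable at scale, here is an added example (my own code, not part of the original article) that parses `rpcinfo -p` and `showmount -e` output and flags what a defender should act on: RPC programs that disclose users, shares or NIS data; UDP-only services that a TCP-only scan would never show; and exports mounted by "(everyone)". The sample outputs are constructed to match the listings above and use the same placeholder host; the program-number table is taken from /etc/rpc.

```python
# Constructed sample of `rpcinfo -p` output, modelled on the listing above
# (placeholder host, not a real scan).
RPCINFO_SAMPLE = """\
   program vers proto   port
    100000    2   tcp    111  rpcbind
    100002    3   udp    712  rusersd
    100005    1   udp    635  mountd
    100003    2   udp   2049  nfs
    100004    2   tcp    778  ypserv
"""

# Constructed sample of `showmount -e` output for the same placeholder host.
SHOWMOUNT_SAMPLE = """\
Export list for XX.XXX.XX.XXX:
/pub    (everyone)
/source (everyone)
/loc    (everyone)
/usr    user
"""

# RPC programs whose mere presence discloses users, shares or NIS data.
# Program numbers as listed in /etc/rpc; 100011 is rquotad, as noted in the text.
INFO_LEAK_PROGRAMS = {
    100002: "rusersd: lists logged-in users",
    100003: "nfs: file server, exports visible via showmount",
    100004: "ypserv: NIS server, hands out maps including passwd",
    100005: "mountd: answers showmount -e",
    100011: "rquotad: per-user quota information",
}


def parse_rpcinfo(text):
    """Parse `rpcinfo -p` lines into dicts; header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].isdigit():
            continue
        prog, vers, proto, port = parts[:4]
        name = parts[4] if len(parts) > 4 else ""
        entries.append({"program": int(prog), "vers": int(vers),
                        "proto": proto, "port": int(port), "name": name})
    return entries


def flag_rpc_services(entries):
    """Return (program, proto, port, why) for every information-leaking service."""
    return [(e["program"], e["proto"], e["port"], INFO_LEAK_PROGRAMS[e["program"]])
            for e in entries if e["program"] in INFO_LEAK_PROGRAMS]


def udp_only_ports(entries):
    """Ports that a TCP-only port scan would miss entirely."""
    tcp = {e["port"] for e in entries if e["proto"] == "tcp"}
    udp = {e["port"] for e in entries if e["proto"] == "udp"}
    return sorted(udp - tcp)


def parse_showmount(text):
    """Parse `showmount -e` output into {export_path: [allowed clients]}."""
    exports = {}
    for line in text.splitlines():
        if not line.startswith("/"):
            continue
        path, _, clients = line.partition(" ")
        exports[path] = [c.strip().strip("()") for c in clients.split(",") if c.strip()]
    return exports


def world_readable_exports(exports):
    """Exports anyone may mount; these need a client list in /etc/exports."""
    return sorted(path for path, clients in exports.items()
                  if "everyone" in [c.lower() for c in clients])


if __name__ == "__main__":
    rpc = parse_rpcinfo(RPCINFO_SAMPLE)
    for finding in flag_rpc_services(rpc):
        print("RPC  ", finding)
    print("UDP-only ports:", udp_only_ports(rpc))
    print("Open exports:", world_readable_exports(parse_showmount(SHOWMOUNT_SAMPLE)))
```

Running it on the samples reports rusersd, mountd, nfs and ypserv, shows that ports 635, 712 and 2049 are UDP-only, and lists /loc, /pub and /source as exported to everyone; on a real host, feed it the saved output of the two commands instead of the constructed strings.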
It is worth noting that Linux now ships an alternative to NFS: Samba! It fixes the flaws of NFS and adds its own. Samba uses the SMB protocol (Server Message Block); it is a kind of meeting point between *nix and Windows systems for sharing files and printers.
Next, a "tidbit" called NIS. Sometimes it seems to me that it was developed by our government: the idea is good, but the implementation ruins everything. Its good side is that it is designed to maintain a distributed database of network information. And now... with a simple RPC request to the NIS server we get any NIS map. A map is a file containing information about every node in the domain, up to and including passwords.
First we need to find out the NIS domain name. You can use pscan (it's lying around everywhere); by guessing, it will get us all the information we need.
Here is the list of files and the maps that correspond to them.
___________________________________________________________
/etc/hosts       | hosts.byname, hosts.byaddr
/etc/networks    | networks.byname, networks.byaddr
/etc/passwd      | passwd.byname, passwd.byuid
/etc/group       | group.byname, group.bygid
/etc/services    | services.byname, services.bynumber
/etc/rpc         | rpc.byname, rpc.bynumber
/etc/protocols   | protocols.byname, protocols.bynumber
/usr/lib/aliases | mail.aliases
-----------------------------------------------------------
Looking ahead, I'll say that the whole hack could end right here ---> #ypx -o passwd.byname -g target.remote.com
Then the passwords are fed to someone's favourite program, which brings them back to their normal form; well, let's assume it won't produce root, but we will get some of the passwords.
Now imagine that we have a guess about the user names on the system, or we want to check whether a particular user exists there. In this case SMTP (Simple Mail Transfer Protocol) will help us. Among others, it has two useful commands:
// They can be disabled in the mail server's config
1. vrfy - confirms that the entered name exists on the system
2. expn - shows the real delivery address for the message. But if we are dealing with a mailing list, it will list all the members of the list.
Example:
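The passwd.byname map is served in the ordinary seven-field passwd format, so the damage depends on what the second field holds. The following added example (my own code, not from the article) audits such a map the way a NIS administrator should before serving it: it reports accounts whose hash is sitting in the map rather than being shadowed, accounts with an empty password field, and extra UID 0 accounts. The map contents and the hash strings are constructed placeholders.

```python
# Constructed passwd.byname-style map contents. The hash values are fake
# placeholders, not real password hashes.
PASSWD_MAP_SAMPLE = """\
root:$1$FAKEHASH$FAKE:0:0:root:/root:/bin/sh
john:x:1001:1001:John:/home/john:/bin/sh
mike:$1$FAKEHASH$FAKE:1002:1002:Mike:/home/mike:/bin/sh
guest::1003:1003:Guest:/home/guest:/bin/sh
backup:$1$FAKEHASH$FAKE:0:0:Backup:/var/backup:/bin/sh
"""

# Second-field values that mean "no hash here, look in the shadow file".
SHADOWED = {"x", "*", "!", "!!"}


def parse_passwd_map(text):
    """Parse passwd-format lines into dicts; blank and comment lines are ignored."""
    accounts = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line, not a passwd entry
        accounts.append({"user": fields[0], "pw": fields[1],
                         "uid": int(fields[2]), "gid": int(fields[3]),
                         "home": fields[5], "shell": fields[6]})
    return accounts


def audit_passwd_map(accounts):
    """Findings a defender wants before NIS hands this map to any client."""
    findings = []
    for a in accounts:
        if a["pw"] == "":
            findings.append((a["user"], "empty password field"))
        elif a["pw"] not in SHADOWED:
            findings.append((a["user"], "hash exposed in map (not shadowed)"))
        if a["uid"] == 0 and a["user"] != "root":
            findings.append((a["user"], "extra UID 0 account"))
    return findings


if __name__ == "__main__":
    for user, problem in audit_passwd_map(parse_passwd_map(PASSWD_MAP_SAMPLE)):
        print(f"{user:10s} {problem}")
```

On the sample it flags root, mike and backup for carrying hashes, guest for an empty password, and backup as a second UID 0 account; john, whose field is "x", is clean. Pointing it at the output of ypcat passwd on your own domain tells you what any client on the network can already read.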
---------------------------------------
#telnet XX.XXX.XX.XXX 25
Trying XX.XXX.XX.XXX ...
Connected to XX.XXX.XX.XXX.
Escape character is '^]'.
220 mail.target.ru ESMTP Postfix
vrfy john
252 john
expn mike
250 mike
quit
221 mail.target.ru closing connection
----------------------------------------
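The session above is something a mail administrator should be able to reproduce against their own server after turning these commands off (in Postfix the setting is disable_vrfy_command = yes; Sendmail uses the novrfy and noexpn PrivacyOptions). Here is an added example (my own code, not from the article) that automates the check with Python's smtplib and treats any 2xx reply as "still answering". So that it runs offline, it includes a constructed toy SMTP responder that can be switched between the open behaviour shown in the transcript and the hardened 502 reply; the hostnames and codes on the toy side are assumptions.

```python
import smtplib
import socketserver
import threading


class FakeSMTPHandler(socketserver.StreamRequestHandler):
    """Constructed toy SMTP responder: just enough verbs for the probe."""

    def handle(self):
        disabled = self.server.disable_vrfy_expn  # set by start_fake_server
        self.wfile.write(b"220 mail.example.test ESMTP (constructed)\r\n")
        for raw in self.rfile:
            line = raw.decode("ascii", "replace").strip()
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb in ("HELO", "EHLO"):
                reply = b"250 mail.example.test\r\n"
            elif verb in ("VRFY", "EXPN"):
                if disabled:
                    reply = b"502 5.5.1 " + verb.encode() + b" command is disabled\r\n"
                else:
                    # mimic the session in the text: 252 for vrfy, 250 for expn
                    code = b"252" if verb == "VRFY" else b"250"
                    reply = code + b" " + arg.encode() + b"\r\n"
            elif verb == "QUIT":
                self.wfile.write(b"221 closing connection\r\n")
                return
            else:
                reply = b"502 5.5.2 command not implemented\r\n"
            self.wfile.write(reply)


def start_fake_server(disable_vrfy_expn):
    """Bind the toy server on a free loopback port; returns (server, port)."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakeSMTPHandler)
    srv.disable_vrfy_expn = disable_vrfy_expn
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def probe_vrfy_expn(host, port, name="john"):
    """Send VRFY and EXPN for one name; a 2xx code means the verb still answers."""
    with smtplib.SMTP(host, port, local_hostname="probe.local", timeout=5) as s:
        s.ehlo_or_helo_if_needed()
        vrfy_code, _ = s.verify(name)
        expn_code, _ = s.expn(name)
    return {"vrfy_enabled": 200 <= vrfy_code < 300,
            "expn_enabled": 200 <= expn_code < 300}


def check_fake_server(disable_vrfy_expn):
    """Run the probe against the toy server in the given configuration."""
    srv, port = start_fake_server(disable_vrfy_expn)
    try:
        return probe_vrfy_expn("127.0.0.1", port)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("open     :", check_fake_server(False))
    print("hardened :", check_fake_server(True))
```

Against the open configuration both flags come back True, matching the 252/250 replies in the transcript; against the hardened one both are False. For a real check, call probe_vrfy_expn with your own server's host and port instead of the toy server.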
Now, very briefly. If we saw that port 79 is open, we are dealing with finger. It is an old tool, but still fairly common. In fact, it was really needed at the dawn of the Internet, when the network was not so easy to use: finger existed so that someone could get information about other users.
It is best to look at it all with an example:
--------------------------------------------
#finger -l @haha.lala.com

[haha.lala.com]
Login: root
Directory: /root
On since Thu Jan 28 23:12 (PST) on tty1    2 minutes idle
    (messages off)
On since Thu Jan 28 23:12 (PST) on ttyp1   12 minutes idle
1 mail
Plan:
I am root
My phone num 555.555.55
--------------------------------------------
In general, nothing special, but we can see which users exist and how long they have been idle. For example, we can see that root is currently keeping an eye on the system; in this case it was me working actively, so it would not be worth climbing in.
In conclusion I want to say that for each distribution you can find its own inventory methods; maybe someday I will gather all possible information on the subject and lay it out as supplements along the lines of "Inventory RedHat". What has been described above helps somewhat in understanding the inventory of a Unix system and its clones. You can find a lot of systems with similar holes. In my next article I will describe how to use a firewall to your advantage, as a router. That opens up many completely unprotected Unix, Windows and other systems on the network. Inventorying each of them separately is also very useful, because they are the points of intrusion into the network. That's everything I could remember.