Penetration Testing mailing list archives
Re: [PEN-TEST] ftp etc/passwd
From: Alan Olsen <alan () CLUESERVER ORG>
Date: Tue, 28 Nov 2000 21:09:57 -0800
On Tue, 28 Nov 2000, Bill Weiss wrote:
> Seth Georgion (sgeorgion () ECLOSER COM) @ Tue, Nov 28, 2000 at 02:50:13PM -0800:
> > I'm doing a pen-test on a Solaris/NT network and I found a Solaris server
> > with anonymous ftp on and with what appears to be the root directory of a
> > user on the system. Pardon my terminology as my experience lies mostly with
> > NT. Anyway, inside etc is passwd, which I suppose I need to get to wrap this
> > out, however every time I try and retrieve it I get the error
> >
> > ftp> get /etc/passwd
> > 200 PORT command successful.
> > 550 /etc/passwd is marked unretrievable
> >
> > Another one of the folders reports access denied but this one definitely
> > does not. Anybody have an idea on what I am doing wrong or how to get access
> > to it?
>
> (If anyone knows this better than I, speak up)
>
> I doubt that the FTP server really is giving you the root directory. It
> probably is chroot()ing (or something similar). I imagine that, when writing
> a FTP server, I would just keep anonymous users from downloading even the
> fake /etc/passwd, which it may. Not knowing Solaris (Slack-type myself...),
> it's a guess.
Most likely it is a chrooted directory. Wu-ftpd and a few others have an /etc/passwd, as well as /bin, /lib, and /etc. (I am doing this from memory, so sorry if I accidentally miss something.)

/bin contains "ls", "gzip" and a few other needed commands. The permissions should be set so that the daemon can get to them, but no-one else can. (I have seen crackers put a copy of "sh" there as a backdoor.)

/etc contains a modified copy of /etc/passwd used for guest accounts and that is about it. Usually the passwords have been removed. It is more of a stub than anything. There will also be a hacked down version of /etc/group.

/lib will contain the libraries needed to allow "ls" and the other commands to work. (Most ftp packages do not include statically linked versions of these utilities.)

Where are the problems? The ftp daemon usually reveals what version it is via the banner when you connect via anonymous ftp. From this you can determine if it is the stock daemon, what version it is, and possibly who built it. Other things to look for are if the "chmod" command works, if there are writable directories, if you can create directories, if you can write to /etc, /lib, or /etc, and so on.

Crackers will not just look to root the site. Some want the ftp server to distribute "warez" and other forbidden bit patterns. Being able to create files and directories allows them to do that. (Having it happen can be harmful to your bandwidth.)

alan () ctrl-alt-del com | Note to AOL users: for a quick shortcut to reply
Alan Olsen             | to my mail, just hit the ctrl, alt and del keys.
"In the future, everything will have its 15 minutes of blame."
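The checks Alan lists (writable directories, a shell left in the chroot bin/, helper binaries the anonymous user can read, real hashes in the passwd stub) can be turned into a quick audit an administrator runs against the anonymous FTP area. The script below is an added example, not code from the thread or from any FTP server package; the bin/ etc/ lib/ pub/ layout and the execute-only convention for the helpers are assumptions modelled on the wu-ftpd-style area described above, and the sample tree it builds is constructed data.

```sh
#!/bin/sh
# Added example (not from the mailing-list thread): audit an anonymous-FTP
# chroot tree for the weaknesses Alan Olsen lists. The bin/ etc/ lib/ pub/
# layout is an assumption modelled on a wu-ftpd style anonymous area; adapt
# the paths to the server you actually run.

# audit_ftp_chroot DIR
# Prints one line per finding. Exit status: 0 clean, 1 findings, 2 bad DIR.
audit_ftp_chroot() {
    root=$1
    [ -d "$root" ] || { echo "error: $root is not a directory" >&2; return 2; }
    out=$(mktemp) || return 2

    # Anything world-writable lets an anonymous client drop "warez" or, under
    # bin/, etc/ or lib/, replace what the daemon itself relies on.
    find "$root" ! -type l -perm -0002 2>/dev/null \
        | sed 's/^/world-writable: /' >>"$out"

    # A shell inside the chroot bin/ is the backdoor the thread mentions.
    for shell in sh bash ksh csh tcsh; do
        [ -e "$root/bin/$shell" ] && echo "shell in chroot bin: $root/bin/$shell" >>"$out"
    done

    # Helpers (ls, gzip, ...) should be reachable by the daemon only; the usual
    # convention is execute-only (mode 0111), so world-readable is a finding.
    [ -d "$root/bin" ] && find "$root/bin" -type f -perm -0004 2>/dev/null \
        | sed 's/^/bin helper readable by anonymous users: /' >>"$out"

    # The passwd stub should carry no hashes: an empty field, "*" or "x" is fine.
    if [ -f "$root/etc/passwd" ]; then
        awk -F: 'NF >= 2 && $2 != "" && $2 != "*" && $2 != "x" && $2 != "!" {
            print "password hash left in etc/passwd stub for user " $1
        }' "$root/etc/passwd" >>"$out"
    fi

    n=$(wc -l <"$out" | tr -d ' ')
    cat "$out"
    rm -f "$out"
    [ "$n" -eq 0 ]
}

# make_sample_chroot weak|clean
# Builds a constructed sample tree (not a real server) in a fresh temp
# directory and prints its path, so the audit can be tried offline.
make_sample_chroot() {
    d=$(mktemp -d) || return 2
    mkdir -p "$d/bin" "$d/etc" "$d/lib" "$d/pub/incoming"
    printf 'fake ls binary\n' >"$d/bin/ls"
    printf 'root:*:0:0::/:/bin/false\nftp:*:14:50:Anonymous FTP:/:/bin/false\n' >"$d/etc/passwd"
    printf 'ftp:*:50:\n' >"$d/etc/group"
    chmod 0111 "$d/bin/ls"                    # execute-only helper
    chmod 0444 "$d/etc/passwd" "$d/etc/group"
    chmod 0755 "$d/etc" "$d/lib" "$d/pub" "$d/pub/incoming"
    chmod 0711 "$d/bin"                       # 0111 on a real server; 0711 here so
                                              # the sample can be listed without root
    if [ "$1" = weak ]; then
        chmod 0777 "$d/pub/incoming"          # anonymous drop box
        chmod 0755 "$d/bin/ls"                # readable instead of execute-only
        printf 'fake sh\n' >"$d/bin/sh" && chmod 0755 "$d/bin/sh"
        chmod 0644 "$d/etc/passwd"
        printf 'guest:$1$c0nstructed$notarealhash:1001:100::/:/bin/sh\n' >>"$d/etc/passwd"
    fi
    echo "$d"
}

# Usage: sh audit_ftp_chroot.sh /path/to/ftp/root  (run as root so every file
# can be stat'ed). With no argument, audit the constructed weak sample.
if [ $# -gt 0 ]; then
    if audit_ftp_chroot "$1"; then echo "clean"; else echo "findings present"; fi
else
    sample=$(make_sample_chroot weak)
    if audit_ftp_chroot "$sample"; then echo "clean"; else echo "findings present"; fi
    rm -rf "$sample"
fi
```

On the constructed weak tree the audit reports five findings: the world-writable pub/incoming, the stray bin/sh, the two world-readable helpers in bin/ and the hash left on the guest entry; the clean tree produces none. The script only inspects file modes and the passwd stub, so it complements, rather than replaces, checking the daemon's banner and version against known issues.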
Current thread:
- [PEN-TEST] Attacking Cisco using SNMP Fabio Pietrosanti (naif) (Nov 29)
- [PEN-TEST] ftp etc/passwd Seth Georgion (Nov 29)
- Re: [PEN-TEST] ftp etc/passwd cdowns (Nov 29)
- Re: [PEN-TEST] ftp etc/passwd Bill Weiss (Nov 29)
- Re: [PEN-TEST] ftp etc/passwd Alan Olsen (Nov 29)
- Re: [PEN-TEST] Attacking Cisco using SNMP David Taylor (Nov 29)
- Message not available
- Re: [PEN-TEST] Attacking Cisco using SNMP Teicher, Mark (Nov 29)
- [PEN-TEST] ftp etc/passwd Seth Georgion (Nov 29)
- <Possible follow-ups>
- Re: [PEN-TEST] Attacking Cisco using SNMP Todd Garrison (Nov 30)