Anonymous FTP Access
On Windows systems, anonymous FTP logins serve a few functions: 1) they provide a way into the network, and 2) they reveal the host's NetBIOS name. The graphic in figure 1.0 shows this:
Figure 1.0: FTP access information from a Windows host.
As we can see in figure 1.0, the 220 banner “hacme-dds03141p” is the NetBIOS name of the system we are trying to break into. And, as displayed, we used an anonymous login to gain access to the system. Furthermore, we did not use our real e-mail address: supplying a fake e-mail address as the anonymous password will almost always grant you access into the box.
Although getting into the box is sufficient to say “look at me, I got in”, you need a few other things to work in your favor. One of them is misconfigured FTP access. In the case of misconfigured FTP access we will see what can be done to bypass security on a server.
One of the issues we would seek to exploit when discussing server security is that if we gain access to an FTP server, chances are that FTP server has some kind of web directory attached to it. In those web directories we will notice that CGI, PHP and ASP files may have some kind of execute permission, which gives us an opportunity to upload files. Considering that we are on a Microsoft Windows machine, we have a few options at our disposal: 1) we can code a web application and have it grab some details for us, or 2) we can upload an executable file that the web application will execute to perform some type of function for us. Although getadmin is quite old, it is still worth a mention.
When connected to a vulnerable FTP server, the bin and put commands let you upload files into the root of the system, or anywhere you please (given you have the access to do so). Furthermore, you can also modify existing files and re-upload them. For instance, the simple ASP execution script here demonstrates how to modify a page (or add one) so that it executes a batch file, or in the latter example a binary.
<% |
Figure 1.0: An ASP execution script.
The next set of details we will look at is the execution of a binary file. In cases where you want to execute a binary file, you will notice a few options: 1) installation of a trojan, 2) installation of a rootkit, 3) applications like getadmin or pwdump (if permissions are set improperly), and the like. And how would you execute it? Simple: replace “C:\SQLBackup.bat” with “C:\execute\trojan.exe” and you're halfway to ownage town.
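The chain described above (anonymous login, an upload into a web-served directory, then execution through a dropped ASP page or binary) leaves a clear trail in the FTP server's own logs. The following detector is an added example written for this page, not code from the original article; it parses constructed W3C-style FTP log lines (field names and the `/wwwroot`, `/inetpub`, `/htdocs` path prefixes are assumptions about the host's layout, not values from the page) and flags write commands issued by the anonymous account, rating them by whether the write succeeded and whether it landed on an executable file type or inside a web root.

```python
import posixpath

# FTP commands that write to the server's file system.
WRITE_COMMANDS = {"STOR", "STOU", "APPE", "RNTO", "MKD"}

# File types a web server or the OS may execute if dropped into a served directory.
EXEC_EXTENSIONS = {".asp", ".aspx", ".php", ".cgi", ".pl", ".exe", ".bat", ".cmd", ".dll"}

# Assumed FTP-visible prefixes that map onto web content; adjust to the real host layout.
WEB_ROOTS = ("/wwwroot", "/inetpub", "/htdocs")

# Constructed sample log in W3C extended format (fields trimmed to what the check needs).
SAMPLE_LOG = """#Software: (constructed sample)
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status
2024-03-01 10:00:01 203.0.113.5 - 192.0.2.10 21 USER anonymous 331
2024-03-01 10:00:02 203.0.113.5 anonymous 192.0.2.10 21 PASS *** 230
2024-03-01 10:00:05 203.0.113.5 anonymous 192.0.2.10 21 CWD /wwwroot 250
2024-03-01 10:00:09 203.0.113.5 anonymous 192.0.2.10 21 STOR /wwwroot/cmd.asp 226
2024-03-01 10:01:00 198.51.100.7 backupsvc 192.0.2.10 21 STOR /backups/db.bak 226
2024-03-01 10:02:00 203.0.113.5 anonymous 192.0.2.10 21 RETR /pub/readme.txt 226
2024-03-01 10:03:00 203.0.113.5 anonymous 192.0.2.10 21 STOR /pub/notes.txt 550
"""


def parse_w3c(text):
    """Return one dict per record, keyed by the names in the most recent #Fields line."""
    fields = None
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any #Fields header
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line; skip rather than mis-assign columns
        records.append(dict(zip(fields, parts)))
    return records


def severity_of(path, status):
    """Rate a write by the anonymous user: did it succeed, and where did it land?"""
    succeeded = status.startswith("2")  # 2xx = completed
    ext = posixpath.splitext(path)[1].lower()
    in_web_root = path.lower().startswith(WEB_ROOTS)
    if succeeded and (ext in EXEC_EXTENSIONS or in_web_root):
        return "high"    # executable content, or anything written under web content
    if succeeded:
        return "medium"  # anonymous write allowed at all is a misconfiguration
    return "low"         # attempted but refused; still worth knowing someone tried


def find_anonymous_uploads(text):
    """List every write command issued under the anonymous account, with a severity."""
    findings = []
    for rec in parse_w3c(text):
        if rec.get("cs-username", "").lower() != "anonymous":
            continue
        command = rec.get("cs-method", "").upper()
        if command not in WRITE_COMMANDS:
            continue
        path = rec.get("cs-uri-stem", "")
        status = rec.get("sc-status", "")
        findings.append({
            "time": f'{rec.get("date", "")} {rec.get("time", "")}',
            "client": rec.get("c-ip", ""),
            "command": command,
            "path": path,
            "status": status,
            "severity": severity_of(path, status),
        })
    return findings


if __name__ == "__main__":
    for f in find_anonymous_uploads(SAMPLE_LOG):
        print(f'{f["severity"]:<6} {f["time"]} {f["client"]} {f["command"]} {f["path"]} -> {f["status"]}')
```

Run against a real log, only the `#Fields` line decides the column mapping, so the parser survives field-order changes between server versions. A "high" finding on a successful `STOR` of an `.asp` file under the web root is exactly the step the article relies on; the fix is to deny write access to the anonymous account entirely and to keep the FTP root out of any web-served directory, after which only "low" (refused) attempts should ever appear.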