13:23 Story made the cracker | |
In this article I will discuss a small, but for someone to be instructive story of his life.IntroductionPursuing the theme of information security, from time to time, searching for vulnerabilities on websites. It was such a peculiar hobby. Defaces and other vandalism, I do not approve, so those not engaged in dirty tricks. Immediately make a reservation, which is especially outstanding knowledge and skills I do not have and do not consider myself a hacker, but that in most cases through a standard vulnerability in the web application to access the server command line, I have skills, like enough. In general, it was all self-indulgence. Pen-testing providera lot of having played enough with a simple site, I decided to switch to something more serious. In autumn 2009 decided to check the server and the sites of its provider. Here's what came of it. Technical details of penetrationThe steps below were carried out with the VDS, located in Norway. It was established Socks proxy for anonymity (as it turned out, this was not enough). Port scanning for vulnerable services performed by a scanner nmap with key-sS-sV-O (stealth scan, the definition versions of the demons and the definition of an operating system, respectively). In rare cases, use the option-A (Aggressive scan), which displays additional information about services + all the previous options + trace. Directories scanned the dictionary utility DirBuster and samopisnym script in Python and then manually searching for vulnerabilities. At the main provider's site and server vulnerabilities have been identified. Then my gaze fell on the hosting service provided by your ISP. List of hosting your site on a server dedicated specifically for the hosting, was obtained through the service Reverse IP, which displays a list of domains that are bound to a specific IP-address. Further handles paced the site and I was lucky - one of them I found the vulnerability type PHP-injection, in another vulnerability has been found to SQL-injection (which I left on every fire, and she told me in the future anymore.) Using PHP-injection has opened the file / etc / passwd with a list of all users: site / index.php? Page =../../../../../../ etc / passwd% 00. With the help of his script was created kombolist form login: login for subsequent bruteforce FTP. Luck smiled on me again and I had obtained access to FTP one of the sites. Will briefly describe my following steps: filling the shell to the site> privilege escalation on the server (using a public exploit, since the Linux kernel on the server was not the first freshness)> bruteforce administrator accounts from a file hashes / etc / shadow. User, which I successfully picked up the password was allowed to enter via SSH to the server billing provider for SSH-key without password protection. I therefore took advantage of and seamlessly infiltrated the billing server. Later it was discovered that some administrators have used the same password for access to various administration interfaces. Including a critical part of the system - billing (CRM). To the provider at that time was connected to more than 60,000 customers. Since all I've done not for profit, there is nothing I have not changed, only cleaned up the log files using the standard command line utilities sed: sed 's / my_ip / new_ip /' file.log> file.log.tmp & & mv file.log.tmp file.log Hacking was made purely for fun and curiosity to know how everything inside turns. On the consequences of thought much about personal safety and I despise. I have seen enough on the inside of the organization and safely forgotten about it, without removing the shell. Not yet ... Gotcha!The irony for me came on April 1 in the morning the officers of "K" of the city police with a search warrant. The case was serious. This unexpected turn of events threw me into shock. Everything was pretty quiet: no "Mask Show" with hand-wringing and handcuffs were not. Oper-authorized brought the two neighbors as witnesses for the removal of the system unit and the media. Then put into a van and taken to the office for questioning. There I was given the public defender (a lawyer). Deny anything I did not actively cooperated with the investigation. And my puncture lay in the fact that I was not carefully cleaned my IP logs and restored from backup. During the examination, I found on the computer I've found with the addresses of several shells of other compromised servers. According to him, I could get more episodes, but the offense has not been found, as actions falling under Article 272 part 1 ("Illegal access to computer information"), was detected. I really did not touch anything there and not removed. It was published in 6 volumes. Interrogated in great detail. Evoked in six months. Remains under house arrest. I note that the investigators treated me fairly loyal, for example, are often negotiated for questioning at a convenient time to me (after school). CourtI was tried on the above Article 272 part 1. Aggravating circumstances were not, good performance, self-serving intent was not there either. Claims from the provider did not receive, because the real damage inflicted was not. As a result, was sentenced to a fine of 10,000 rubles. What is said lightly. Desire to engage in such dubious hobby anymore. But the interest in information security remained. ConclusionsErrors on the part of "hacker", that is me:
Errors from the provider:
So, comrades, hackers and administrators who do not do such stupid things! | |
|
Total comments: 0 | |