220 linux.test.net FTP server Wed Aug 19 02:55:52 MST 1998) ready.
Name (192.168.0.2:root): hapless
331 Password required for hapless.
Password:
230 User hapless logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -al
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls.
total 14
drwxrwxr-x   4 hapless  hapless      1024 May 20 19:35 .
drwxr-xr-x   6 root     root         1024 May 20 19:28 ..
-rw-rw-r--   1 hapless  hapless        96 May 20 19:56 .bash_history
-rw-r--r--   1 hapless  hapless        49 Nov 25  1997 .bash_logout
-rw-r--r--   1 hapless  hapless       913 Nov 24  1997 .bashrc
-rw-r--r--   1 hapless  hapless       650 Nov 24  1997 .cshrc
-rw-r--r--   1 hapless  hapless       111 Nov  3  1997 .inputrc
-rwxr-xr-x   1 hapless  hapless       186 Sep  1  1998 .kshrc
-rw-r--r--   1 hapless  hapless       392 Jan  7  1998 .login
-rw-r--r--   1 hapless  hapless        51 Nov 25  1997 .logout
-rw-r--r--   1 hapless  hapless       341 Oct 13  1997 .profile
-rwxr-xr-x   1 hapless  hapless       182 Sep  1  1998 .profile.ksh
drwxr-xr-x   2 hapless  hapless      1024 May 14 12:16 .seyon
drwxr-xr-x   3 hapless  hapless      1024 May 14 12:15 lg
226 Transfer complete.
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls.
total 14
drwxrwxr-x   4 hapless  hapless      1024 May 20 19:35 .
drwxr-xr-x   6 root     root         1024 May 20 19:28 ..
-rw-rw-r--   1 hapless  hapless        96 May 20 19:56 .bash_history
-rw-r--r--   1 hapless  hapless        49 Nov 25  1997 .bash_logout
-rw-r--r--   1 hapless  hapless       913 Nov 24  1997 .bashrc
-rw-r--r--   1 hapless  hapless       650 Nov 24  1997 .cshrc
-rw-r--r--   1 hapless  hapless       111 Nov  3  1997 .inputrc
-rwxr-xr-x   1 hapless  hapless       186 Sep  1  1998 .kshrc
-rw-r--r--   1 hapless  hapless       392 Jan  7  1998 .login
-rw-r--r--   1 hapless  hapless        51 Nov 25  1997 .logout
-rw-r--r--   1 hapless  hapless       341 Oct 13  1997 .profile
-rwxr-xr-x   1 hapless  hapless       182 Sep  1  1998 .profile.ksh
drwxr-xr-x   2 hapless  hapless      1024 May 14 12:16 .seyon
drwxr-xr-x   3 hapless  hapless      1024 May 14 12:15 lg
226 Transfer complete.
ftp> ls -F
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls.
total 14
drwxrwxr-x   4 hapless  hapless      1024 May 20 19:35 ./
drwxr-xr-x   6 root     root         1024 May 20 19:28 ../
-rw-rw-r--   1 hapless  hapless        96 May 20 19:56 .bash_history
-rw-r--r--   1 hapless  hapless        49 Nov 25  1997 .bash_logout
-rw-r--r--   1 hapless  hapless       913 Nov 24  1997 .bashrc
-rw-r--r--   1 hapless  hapless       650 Nov 24  1997 .cshrc
-rw-r--r--   1 hapless  hapless       111 Nov  3  1997 .inputrc
-rwxr-xr-x   1 hapless  hapless       186 Sep  1  1998 .kshrc*
-rw-r--r--   1 hapless  hapless       392 Jan  7  1998 .login
-rw-r--r--   1 hapless  hapless        51 Nov 25  1997 .logout
-rw-r--r--   1 hapless  hapless       341 Oct 13  1997 .profile
-rwxr-xr-x   1 hapless  hapless       182 Sep  1  1998 .profile.ksh*
drwxr-xr-x   2 hapless  hapless      1024 May 14 12:16 .seyon/
drwxr-xr-x   3 hapless  hapless      1024 May 14 12:15 lg/
226 Transfer complete.
ftp> cd lg
250 CWD command successful.
ftp> ls -F
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls.
total 8
drwxr-xr-x   3 hapless  hapless      1024 May 14 12:15 ./
drwxrwxr-x   4 hapless  hapless      1024 May 20 19:35 ../
-rw-r--r--   1 hapless  hapless        70 Aug 22  1998 lg3_colors
-rw-r--r--   1 hapless  hapless       629 Aug 22  1998 lg3_prefs
-rw-r--r--   1 hapless  hapless       728 Aug 22  1998 lg3_soundPref
-rw-r--r--   1 hapless  hapless      2024 Aug 22  1998 lg3_startup
drwxr-xr-x   2 hapless  hapless      1024 May 14 12:15 lg_layouts/
226 Transfer complete.
ftp> cd lg_layouts
250 CWD command successful.
This is a perfectly ordinary user session. Now let's look at what linsniffer captured from it:
gnss => linux.test.net [21]
USER hapless
PASS unaware
SYST
PORT 172,16,0,1,4,192
LIST -al
PORT 172,16,0,1,4,193
LIST
PORT 172,16,0,1,4,194
LIST -F
CWD lg
PORT 172,16,0,1,4,195
LIST -F
The output is easy to read. First, it records that this is an FTP connection from GNSS to the Linux host:
gnss => linux.test.net [21]
Then linsniffer captures hapless's username and password, which FTP sends in cleartext:
USER hapless
PASS unaware
Finally, linsniffer records every command hapless issues on the control channel, including the PORT commands that name the address and port the client opened for each data transfer:
SYST
PORT 172,16,0,1,4,192
LIST -al
PORT 172,16,0,1,4,193
LIST
PORT 172,16,0,1,4,194
LIST -F
CWD lg
PORT 172,16,0,1,4,195
LIST -F
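To make the PORT lines above concrete, here is an added example (not from the original text, and not part of linsniffer) that parses sniffed FTP control-channel text of the kind linsniffer prints: it pulls out the USER/PASS pair, decodes each PORT argument into the IP address and TCP port the client opened for the data channel (port = p1*256 + p2), and rejects malformed six-tuples. It goes beyond the page's capture by also decoding the server's 227 reply used in passive mode. The "src => dst [port]" header format and the sample lines are taken from the linsniffer output shown above; the 227 line in the test is constructed.

```python
"""Reconstruct an FTP control-channel session from sniffed client commands.

Added example, not part of the original text or of linsniffer. It parses the
kind of output linsniffer prints (one client command per line, preceded by a
"src => dst [port]" header) and additionally understands the server's 227
reply for passive mode, which the page's capture does not contain.
"""
import re
from dataclasses import dataclass, field

# h1,h2,h3,h4,p1,p2 as used by PORT and by the 227 "Entering Passive Mode" reply
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
HEADER = re.compile(r"^(\S+) => (\S+) \[(\d+)\]$")


@dataclass
class FtpSession:
    client: str = ""
    server: str = ""
    port: int = 0
    user: str = ""
    password: str = ""
    data_endpoints: list = field(default_factory=list)   # (ip, port, "PORT"|"PASV")
    commands: list = field(default_factory=list)


def decode_hostport(arg):
    """Decode h1,h2,h3,h4,p1,p2 into (ip, port); None if any field exceeds 255."""
    m = HOSTPORT.search(arg)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    return ".".join(str(f) for f in fields[:4]), fields[4] * 256 + fields[5]


def parse_session(lines):
    """Walk the sniffed lines and collect credentials and data-channel endpoints."""
    s = FtpSession()
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        h = HEADER.match(line)
        if h:                                    # "gnss => linux.test.net [21]"
            s.client, s.server, s.port = h.group(1), h.group(2), int(h.group(3))
            continue
        verb, _, arg = line.partition(" ")
        if verb.isdigit():                       # server reply line
            if verb == "227":                    # passive mode: server names the endpoint
                ep = decode_hostport(arg)
                if ep:
                    s.data_endpoints.append((ep[0], ep[1], "PASV"))
            continue
        verb = verb.upper()
        s.commands.append(line)
        if verb == "USER":
            s.user = arg
        elif verb == "PASS":
            s.password = arg
        elif verb == "PORT":                     # active mode: client names the endpoint
            ep = decode_hostport(arg)
            if ep:
                s.data_endpoints.append((ep[0], ep[1], "PORT"))
    return s


# Constructed input: the linsniffer output shown on this page, one item per line.
SAMPLE = """gnss => linux.test.net [21]
USER hapless
PASS unaware
SYST
PORT 172,16,0,1,4,192
LIST -al
PORT 172,16,0,1,4,193
LIST
PORT 172,16,0,1,4,194
LIST -F
CWD lg
PORT 172,16,0,1,4,195
LIST -F
""".splitlines()

if __name__ == "__main__":
    s = parse_session(SAMPLE)
    print(f"{s.client} -> {s.server}:{s.port}  user={s.user!r} pass={s.password!r}")
    for ip, port, mode in s.data_endpoints:
        print(f"  {mode} data channel at {ip}:{port}")
```

Knowing the data-channel endpoints matters because a sniffer that also captures those ports can reconstruct the directory listings and any file contents transferred, not just the password.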
GNSS 2# telnet 192.168.0.1
Connected to 192.168.0.1.
login: hapless
password:
[hapless@linux2 hapless]$ w
 19:55:29 up 58 min, 4 users, load average: 0.00, 0.00, 0.00
USER     TTY      FROM     LOGIN@   IDLE    JCPU   PCPU   WHAT
root     tty1              7:44pm   27.00s  0.17s  0.06s  -bash
root     tty2              7:46pm   1:56    0.24s  0.01s  linuxsniff
root     tty3              7:44pm   10:43   0.17s  0.07s  -bash
hapless  ttyp0    gnss     7:55pm   1.00s   0.26s  0.04s  w
[hapless@linux2 hapless]$ who
root     tty1     May 20 19:44
root     tty2     May 20 19:46
root     tty3     May 20 19:44
hapless  ttyp0    May 20 19:55 (gnss)
[hapless@linux2 hapless]$ finger -l
Login: root                             Name: root
Directory: /root                        Shell: /bin/bash
On since Thu May 20 19:44 (PDT) on tty1   35 seconds idle
On since Thu May 20 19:46 (PDT) on tty2   2 minutes 4 seconds idle
On since Thu May 20 19:44 (PDT) on tty3   10 minutes 51 seconds idle
No mail.
No Plan.

Login: hapless                          Name: Caldera OpenLinux User
Directory: /home/hapless                Shell: /bin/bash
On since Thu May 20 19:55 (PDT) on ttyp0 from gnss
No mail.
No Plan.
eth proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1[1239] ->192.168.0.2[23]
  0000  ff fc 27 -                                          ..'
eth proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1[1239] ->192.168.0.2[23]
  0000  ff fa 1f 00 50 00 28 ff - f0                        ....P.(..
eth proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1[1239] ->192.168.0.2[23]
  0000  ff fa 20 00 33 38 34 30 - 30 2c 33 38 34 30 30 ff   . .38400,38400.
  0010  f0 ff fa 23 00 47 4e 53 - 53 3a 30 2e 30 ff f0 ff   ..#.GNSS:0.0...
  0020  fa 18 00 49 52 49 53 2d - 41 4e 53 49 2d 4e 45 54   ..IRIS-ANSI-NET
  0030  ff f0 -                                             ..
eth proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1[1239] ->192.168.0.2[23]
  0000  ff fc 01 -                                          ...
eth proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1[1239] ->192.168.0.2[23]
  0000  ff fd 01 -                                          ...
eth proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1[1239] ->192.168.0.2[23]
Next, linux_sniffer records the login itself, one keystroke per packet; the ASCII column at the right of each dump line spells out the login name, followed by the password:
eth proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1[1239] ->192.168.0.2[23]
  0000  68 -                                                h
eth proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1[1239] ->192.168.0.2[23]
eth proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1[1239] ->192.168.0.2[23]
  0000  61 -                                                a
eth proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1[1239] ->192.168.0.2[23]
eth proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1[1239] ->192.168.0.2[23]
  0000  70 -                                                p
eth proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1[1239] ->192.168.0.2[23]
  0000  6c -                                                l
eth proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1[1239] ->192.168.0.2[23]
eth proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1[1239] ->192.168.0.2[23]
  0000  65 -                                                e
eth proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1[1239] ->192.168.0.2[23]
  0000  73 -                                                s
eth proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1[1239] ->192.168.0.2[23]
eth proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1[1239] ->192.168.0.2[23]
  0000  73 -                                                s
eth proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1[1239] ->192.168.0.2[23]
eth proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1[1239] ->192.168.0.2[23]
  0000  0d 00 -                                             ..

eth proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1[1239] ->192.168.0.2[23]
eth proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1[1239] ->192.168.0.2[23]
eth proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1[1239] ->192.168.0.2[23]
  0000  75 -                                                u
eth proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1[1239] ->192.168.0.2[23]
  0000  6e -                                                n
eth proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1[1239] ->192.168.0.2[23]
  0000  61 -                                                a
eth proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1[1239] ->192.168.0.2[23]
  0000  77 -                                                w
eth proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1[1239] ->192.168.0.2[23]
  0000  61 -                                                a
eth proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1[1239] ->192.168.0.2[23]
  0000  72 -                                                r
eth proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1[1239] ->192.168.0.2[23]
  0000  65 -                                                e
eth proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1[1239] ->192.168.0.2[23]
Finally, linux_sniffer records every command hapless types (here w, who and the start of finger):
eth proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1[1239] ->192.168.0.2[23]
eth proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1[1239] ->192.168.0.2[23]
eth proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1[1239] ->192.168.0.2[23]
eth proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1[1239] ->192.168.0.2[23]
  0000  77 -                                                w
eth proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1[1239] ->192.168.0.2[23]
eth proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1[1239] ->192.168.0.2[23]
  0000  0d 00 -                                             ..
eth proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1[1239] ->192.168.0.2[23]
eth proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1[1239] ->192.168.0.2[23]
eth proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1[1239] ->192.168.0.2[23]
  0000  77 -                                                w
eth proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1[1239] ->192.168.0.2[23]
eth proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1[1239] ->192.168.0.2[23]
  0000  68 -                                                h
eth proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1[1239] ->192.168.0.2[23]
eth proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1[1239] ->192.168.0.2[23]
  0000  6f -                                                o
eth proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1[1239] ->192.168.0.2[23]
eth proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1[1239] ->192.168.0.2[23]
  0000  0d 00 -                                             ..

eth proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1[1239] ->192.168.0.2[23]
eth proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1[1239] ->192.168.0.2[23]
eth proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1[1239] ->192.168.0.2[23]
  0000  66 -                                                f
eth proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1[1239] ->192.168.0.2[23]
eth proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1[1239] ->192.168.0.2[23]
  0000  69 -                                                i
eth proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1[1239] ->192.168.0.2[23]
eth proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1[1239] ->192.168.0.2[23]
  0000  6e -                                                n
eth proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1[1239] ->192.168.0.2[23]
eth proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1[1239] ->192.168.0.2[23]
  0000  67 -                                                g
eth proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1[1239] ->192.168.0.2[23]
  0000  65 -                                                e
eth proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1[1239] ->192.168.0.2[23]
eth proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1[1239] ->192.168.0.2[23]
  0000  72 -                                                r
eth proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1[1239] ->192.168.0.2[23]
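The raw dumps above are hard to read because every keystroke travels in its own packet and the telnet option negotiation is interleaved with the typed text. The following added example (not from the original text or from linux_sniffer) reassembles the client side of such a session: it strips and labels the IAC sequences (WILL/WONT/DO/DONT, subnegotiations such as NAWS and TERMINAL-TYPE, and the IAC IAC escape for a literal 0xff), applies backspace keystrokes, and splits what remains into the lines the user typed. The sample stream is built from the hex bytes in the dumps above; the CR NUL after the password is not visible in the abridged dump and is assumed here, and the option names come from the telnet option RFCs.

```python
"""Reassemble the client side of a sniffed telnet session.

Added example; not part of the original text or of linux_sniffer. The sample
stream is constructed from the hex dumps shown on this page.
"""
import re

IAC, SE, SB, WILL, WONT, DO, DONT = 255, 240, 250, 251, 252, 253, 254
CMD_NAMES = {WILL: "WILL", WONT: "WONT", DO: "DO", DONT: "DONT"}
# Option codes from the telnet option RFCs (subset seen in the capture, plus a few common ones).
OPTIONS = {1: "ECHO", 3: "SUPPRESS-GO-AHEAD", 24: "TERMINAL-TYPE", 31: "NAWS",
           32: "TERMINAL-SPEED", 35: "X-DISPLAY-LOCATION", 39: "NEW-ENVIRON"}


def opt_name(code):
    return OPTIONS.get(code, f"OPT-{code}")


def describe_sb(body):
    """Render a subnegotiation body (option byte followed by its payload)."""
    opt = body[0]
    if opt == 31 and len(body) >= 5:                     # NAWS carries two 16-bit values, no IS/SEND
        width, height = (body[1] << 8) | body[2], (body[3] << 8) | body[4]
        return f"SB NAWS {width}x{height}"
    if len(body) >= 2:                                   # other options: IS (0) / SEND (1) + text
        qual = {0: "IS", 1: "SEND"}.get(body[1], str(body[1]))
        return f"SB {opt_name(opt)} {qual} {body[2:].decode('ascii', 'replace')}".rstrip()
    return f"SB {opt_name(opt)}"


def split_telnet(data):
    """Separate a telnet byte stream into (negotiation labels, user data bytes)."""
    negotiations, plain = [], bytearray()
    i, n = 0, len(data)
    while i < n:
        if data[i] != IAC:                               # ordinary data byte
            plain.append(data[i]); i += 1
            continue
        if i + 1 >= n:                                   # dangling IAC at end of capture
            break
        cmd = data[i + 1]
        if cmd == IAC:                                   # IAC IAC = literal 0xff in the data
            plain.append(IAC); i += 2
        elif cmd in CMD_NAMES and i + 2 < n:             # three-byte WILL/WONT/DO/DONT <option>
            negotiations.append(f"{CMD_NAMES[cmd]} {opt_name(data[i + 2])}")
            i += 3
        elif cmd == SB:                                  # IAC SB ... IAC SE, with IAC IAC escapes inside
            body, j = bytearray(), i + 2
            while j < n:
                if data[j] == IAC and j + 1 < n:
                    if data[j + 1] == SE:
                        break
                    if data[j + 1] == IAC:
                        body.append(IAC); j += 2
                        continue
                body.append(data[j]); j += 1
            if j >= n:                                   # unterminated subnegotiation
                break
            negotiations.append(describe_sb(bytes(body)))
            i = j + 2
        else:                                            # two-byte commands (NOP, GA, AYT, ...)
            negotiations.append(f"IAC {cmd}")
            i += 2
    return negotiations, bytes(plain)


def apply_edits(line):
    """Apply backspace/delete keystrokes so corrections read as the user saw them."""
    out = []
    for ch in line:
        if ch in ("\x08", "\x7f"):
            if out:
                out.pop()
        else:
            out.append(ch)
    return "".join(out)


def typed_lines(plain):
    """Split user data on telnet line ends (CR NUL or CR LF) -> (complete lines, trailing partial)."""
    parts = [apply_edits(p.decode("ascii", "replace")) for p in re.split(rb"\r\x00|\r\n", plain)]
    return parts[:-1], parts[-1]


# Constructed input: the client->server payloads from the dumps above, in order.
# The CR NUL after the password is not shown in the abridged dump; it is assumed here.
SAMPLE_STREAM = b"".join([
    bytes.fromhex("fffc27"),                                   # IAC WONT NEW-ENVIRON
    bytes.fromhex("fffa1f00500028fff0"),                       # IAC SB NAWS 80x40 IAC SE
    bytes.fromhex("fffa200033383430302c3338343030fff0"),       # SB TERMINAL-SPEED IS 38400,38400
    bytes.fromhex("fffa2300474e53533a302e30fff0"),             # SB X-DISPLAY-LOCATION IS GNSS:0.0
    bytes.fromhex("fffa1800495249532d414e53492d4e4554fff0"),   # SB TERMINAL-TYPE IS IRIS-ANSI-NET
    bytes.fromhex("fffc01"), bytes.fromhex("fffd01"),          # IAC WONT ECHO, IAC DO ECHO
    b"h", b"a", b"p", b"l", b"e", b"s", b"s", b"\r\x00",       # login name, one key per packet
    b"u", b"n", b"a", b"w", b"a", b"r", b"e", b"\r\x00",       # password (CR NUL assumed)
    b"w", b"\r\x00", b"w", b"h", b"o", b"\r\x00",              # commands
    b"f", b"i", b"n", b"g", b"e", b"r",                        # command still being typed
])

if __name__ == "__main__":
    negotiations, plain = split_telnet(SAMPLE_STREAM)
    for label in negotiations:
        print("negotiation:", label)
    lines, partial = typed_lines(plain)
    print("typed lines:", lines, "partial:", partial)
```

Treating the first two reassembled lines as login name and password is only valid because this capture starts at the login prompt and the server negotiated DO ECHO just before; in a longer capture you would key off the server's "login:" and "Password:" prompts in the other direction instead.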
--- Main Menu --- rcvpkt 0, free/alloc 63/64 ------
l/w/r) list/watch/reset connections
u)     host up tests
a)     arp/simple hijack (avoids ack storm if arp used)
s)     simple hijack
d)     daemons rst/arp/sniff/mac
o)     options
x)     exit
*>
Throughout this example I log in from GNSS to linux.test.net to run the test.
GNSS 3% telnet 192.168.0.2
Trying 192.168.0.2...
Connected to 192.168.0.2.
Escape character is '^]'.

Caldera OpenLinux(TM)
Version 1.3
Copyright 1996-1998 Caldera Systems, Inc.

login:
[hapless@linux hapless]$ finger root
Login: root                             Name: root
Directory: /root                        Shell: /bin/bash
On since Thu May 20 21:57 (PDT) on tty1   1 minute idle
On since Thu May 20 22:02 (PDT) on tty2   7 minutes 19 seconds idle
On since Thu May 20 21:59 (PDT) on tty3   15 seconds idle
No mail.
No Plan.
[hapless@linux hapless]$ last root
root     tty2         Thu May 20 22:02   still logged in
root     tty3         Thu May 20 21:59   still logged in
root     tty1         Thu May 20 21:57   still logged in
root     tty2         Thu May 20 19:46 - down    (00:26)
root     tty1         Thu May 20 19:44 - 20:12   (00:27)
root     tty3         Thu May 20 19:44 - down    (00:2
root     tty3         Thu May 20 19:42 - 19:44   (00:01)
root     tty1         Thu May 20 19:41 - 19:42   (00:00)
root     tty3         Thu May 20 19:28 - 19:41   (00:12)
root     tty2         Thu May 20 19:11 - 19:42   (00:31)
root     tty1         Thu May 20 19:07 - 19:40   (00:32)
root     tty1         Thu May 20 18:57 - 19:07   (00:09)
root     tty1         Mon May 17 22:32 - down    (00:29)
Finally I checked /etc/passwd. hunt was running and sniffing the whole time:
--- Main Menu --- rcvpkt 0, free/alloc 63/64 ------
l/w/r) list/watch/reset connections
u)     host up tests
a)     arp/simple hijack (avoids ack storm if arp used)
s)     simple hijack
d)     daemons rst/arp/sniff/mac
o)     options
x)     exit
*> w
0) 192.168.0.1 [1049] --> 192.168.0.2 [23]
choose conn> 0
dump [s]rc/[d]st/[b]oth > b
Note: the typed responses above (w, 0 and b) tell hunt to watch connection 0 and to dump both the source and the destination side of it.
hunt then displays everything hapless does on the terminal screen. Because both directions are dumped, each keystroke the server echoes appears twice, once as sent and once as echoed back, which is why the login name and commands read hhaapplleessss and wwhhoo below; the password is not echoed, so it appears once:
 22:18:43 up 21 min, 4 users, load average: 0.00, 0.01, 0.00
CTRL-C to break
hhaapplleessss
Password: unaware
[hapless@linux2 hapless]$ cclleeaarr
[hapless@linux2 hapless]$ wwhhoo
root     tty1     May 20 21:57
ww
 22:18:43 up 21 min, 4 users, load average: 0.00, 0.01, 0.00