Matasano Chargen: BlackBag 0.9.1 - New link and minor fixes

  • Martin · 1 year ago
    I see that the README file talks about a util called sextract for reading and concatting TCP payloads which would be really cool, from the description, but is not included in blackbag. Any chance of including it?

    Thanks,

    Martin
  • kokanin · 1 year ago
    Since blackbag is resurfacing I thought I'd repost a small example of the deezee part in action:
    [code]
    remote un-passworded root access in IBM's totalstorage ds400 storage thingie, like this:
    # download blackbag from http://www.matasano.com/download/blackbag-0.9.1...
    # download firmware for totalstorage ds400
    lort# wget -q http://parker.vslib.cz/MIRRORS/ftp.adaptec.com/...
    lort# unzip -q IBM_TotalStorage_DS_Series_FW_v4.15.zip
    lort# rm IBM_TotalStorage_DS_Series_FW_v4.15.zip
    lort# ls
    Copy of IBM_TotalStorage_DS_Series_FW_v4.15.upgrade
    README_Single_IBM_TotalStorage_DS_Series_FW_v4.15.txt.TXT
    lort# mv Copy\ of\ IBM_TotalStorage_DS_Series_FW_v4.15.upgrade ds400.4.15.fw
    lort# bkb deezee ds400.4.15.fw
    Scanning file ds400.4.15.fw for compressed components
    Compressed size: 21898976 bytes
    Compressed segment found. Expanded to 2181580 bytes
    Compressed segment found. Expanded to 16777216 bytes
    Compressed segment found. Expanded to 67108864 bytes
    lort# mkdir /mnt/1 /mnt/2
    lort# mdconfig -a -t vnode -f ./ds400.4.15.fw.1 -u 1
    lort# mdconfig -a -t vnode -f ./ds400.4.15.fw.2 -u 2
    lort# mount_ext2fs /dev/md1 /mnt/1
    lort# mount_ext2fs /dev/md2 /mnt/2

    # part where you look for vulnerabilities intentionally skipped

    lort# cat /mnt/2/etc/shadow
    root::11430:0:10000::::
    bin:*:8902:0:10000::::
    daemon:*:8902:0:10000::::
    ftp:*:8902:0:10000::::
    named:*:8902:0:10000::::
    nobody:*:0:0:10000::::
    user::11430:0:10000::::
    manager::11430:0:10000::::
    administrator::11430:0:10000::::
    operator::11430:0:10000::::
    lort# cat /mnt/2/etc/inetd.conf
    # See "man 8 inetd" for more information.
    #
    # If you make changes to this file, either reboot your machine or send the
    # inetd a HUP signal:
    # Do a "ps x" as root and look up the pid of inetd. Then do a
    # "kill -HUP ".
    # The inetd will re-read this file whenever it gets that signal.
    #
    #
    #
    # If you want telnetd not to "keep-alives" (e.g. if it runs over a ISDN
    # uplink), add "-n". See 'man telnetd' for more deatails.
    #
    telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
    cli stream tcp nowait root /usr/sbin/tcpd
    in.telnetd -L /etc/eurologic/bin/cli
    login stream tcp nowait root /usr/sbin/tcpd in.rlogind
    shell stream tcp nowait.500 root /usr/sbin/tcpd in.rshd -Lh
    #
    # End.
    lort# grep ^telnet /mnt/2/etc/services
    telnet 6000/tcp

    # sit back and laugh at the passwordless accounts and the undocumented telnet daemon.
    [/code]
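As an added example (not blackbag's code, nor anything from the thread), the Python below sketches the two checks kokanin's session relies on: a trial-inflate scan that reports zlib streams embedded in a firmware blob the way `deezee` reports "Compressed segment found", and a pass over an /etc/shadow dump that flags accounts whose password field is empty. That deezee itself works by matching zlib headers and trial-inflating is an assumption; the constants and function names here are my own.

```python
import zlib

# zlib header candidates: CMF 0x78 (deflate, 32 KiB window) plus a FLG byte
# for the common compression levels; (0x78 * 256 + FLG) % 31 == 0 for each.
ZLIB_HEADERS = (b"\x78\x01", b"\x78\x5e", b"\x78\x9c", b"\x78\xda")
MIN_EXPANDED = 64  # ignore "streams" that inflate to almost nothing (false hits)

def inflate_at(blob, offset):
    """Trial-inflate a zlib stream starting at offset.
    Returns (expanded_bytes, consumed_compressed_len), or None if no complete
    stream starts there (corrupt data, or the stream never reaches its end)."""
    d = zlib.decompressobj()
    try:
        out = d.decompress(blob[offset:])
    except zlib.error:
        return None
    if not d.eof:
        return None
    consumed = len(blob) - offset - len(d.unused_data)
    return out, consumed

def scan_compressed_segments(blob):
    """Walk a firmware image and return (offset, compressed_len, expanded_len,
    data) for every complete zlib stream, the way a deezee-style scan reports
    'Compressed segment found. Expanded to N bytes'."""
    segments, pos = [], 0
    while pos < len(blob) - 1:
        if blob[pos:pos + 2] in ZLIB_HEADERS:
            hit = inflate_at(blob, pos)
            if hit is not None and len(hit[0]) >= MIN_EXPANDED:
                data, consumed = hit
                segments.append((pos, consumed, len(data), data))
                pos += consumed  # skip past the stream, not into it
                continue
        pos += 1
    return segments

def passwordless_accounts(shadow_text):
    """Return account names from an /etc/shadow dump whose password field is
    empty: such accounts need no password at all ('*' or '!' means locked)."""
    found = []
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] == "":
            found.append(fields[0])
    return found
```

Run `scan_compressed_segments` over a firmware file read in binary mode, write each segment's `data` out, and then feed the extracted `/etc/shadow` to `passwordless_accounts` to get the same finding the session above shows by hand.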
  • Apneet Jolly · 9 months ago
    And the link to blackbag is dead again.
  • Eric Monti · 8 months ago
    and... sorry, it's back alive now!