Saturday, September 5, 2009

Using NFS to simply abuse the system

It's not unusual for companies and schools to use NFS (& LDAP) to virtually connect their machines together. Thus, if you connect to machine X, you will find the same content as if you had connected to machine Y.
This is a very nice feature, because everywhere is like home :). It also means that if we have access to all these machines, we can take control of all of them at the same time.

In this article, I will show and mention different examples of how we can take advantage of multiple machines connected by NFS.


To make it possible, we will simply use ssh. Basically, what we want to do is:
  1. Connect to every machine in a predefined list.
  2. Execute the script on the machine.
  3. Quit and connect to the next one.
This is extremely easy to do. First, you create an ssh key pair, without any passphrase:


ssh-keygen -t rsa
[...]

Now that you have the public key available, you can put it in your authorized_keys file. Since your home directory is shared over NFS, that single file is seen by every machine. If you don't know what I am talking about, here is a neat article. Next, we can connect to all machines:

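# $POSTS is left unquoted on purpose so that it splits into one host per word
for i in $POSTS; do
    echo "$i"
    # -T: no pseudo-terminal; host keys are accepted without verification
    ssh -T -o "StrictHostKeyChecking no" -o ConnectTimeout=3 \
        -i "$KEY" -l user "$i" "$TOEXEC"
done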

Here are a few comments about the command:
  • $POSTS is the list of machines you want to connect to.
  • "StrictHostKeyChecking no": ssh won't complain about not knowing the key (it accepts unknown host keys without verifying them).
  • ConnectTimeout=3: give up if the connection cannot be established within 3 seconds.
  • $KEY: the path to your private key. Usually it's in ~/.ssh/
  • $TOEXEC: the command you want to execute on the remote machine. You can set TOEXEC=$1 if you want to pass the command as a parameter to the script.
Now, supposing this snippet of code is called ./paral.sh, let me show you what kind of interesting applications we can build with it.

  1. The singing machines: like in this video, you can make 80 iMacs sing. Upload a sound file to a directory that NFS shares, and then execute ./paral.sh "aplay /soundfile.wav". Here, I also used the "at" command to somehow synchronize them together, but it did not work very well. In the same room where the video was taken, we made a script that made the machines speak together. That was fun.
  2. Exploit & rootkit the machines: for those of you who are more "evil", you can think about exploiting all the machines together. This is an easy way to write a small worm. Again, put your exploit in your shared directory and execute the ./paral.sh file from one machine.
  3. Abuse the web: it happens too often that web services recognize you based on your IP address. For example, you won't be able to vote in a poll more than once a day. With this trick, you can use multiple machines to vote in a poll (provided you wrote the bot). Here is an example you can try to "attack": http://www.guesslotto.com/
  4. Use multiple machines to perform DoS, etc...
  5. Parallelize your work: if you have heavy calculations to perform, you can split them across multiple machines using this trick.
  6. etc.
This is a terrifically easy trick, but I have a lot of fun with it. I am using it especially to circumvent web protections.


Have fun 8)
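
Seen from the defender's side, the ssh loop above leaves a recognisable trace: one user, one source address and one key logging in to many hosts within seconds. The following is an added example, not part of the original post, that counts distinct target hosts per user, source and key fingerprint in centrally collected sshd logs. It assumes the modern OpenSSH "Accepted publickey" line in classic syslog layout; all host names, addresses and fingerprints are constructed.

```shell
#!/bin/sh
# Added example: spot one SSH key fanning out to many hosts.
# Constructed sample of centralised syslog (hosts, IPs, fingerprints are made up).
sample_log() {
cat <<'EOF'
Sep  5 10:00:01 pc01 sshd[2101]: Accepted publickey for user from 10.0.0.5 port 40001 ssh2: RSA SHA256:EXAMPLEKEYAAAA
Sep  5 10:00:02 pc02 sshd[1877]: Accepted publickey for user from 10.0.0.5 port 40002 ssh2: RSA SHA256:EXAMPLEKEYAAAA
Sep  5 10:00:04 pc03 sshd[1990]: Accepted publickey for user from 10.0.0.5 port 40003 ssh2: RSA SHA256:EXAMPLEKEYAAAA
Sep  5 10:00:05 pc04 sshd[2230]: Accepted publickey for user from 10.0.0.5 port 40004 ssh2: RSA SHA256:EXAMPLEKEYAAAA
Sep  5 10:00:07 pc02 sshd[1878]: Failed password for root from 10.0.0.9 port 40100 ssh2
Sep  5 10:03:10 pc01 sshd[2140]: Accepted publickey for alice from 10.0.0.7 port 41000 ssh2: ED25519 SHA256:EXAMPLEKEYBBBB
Sep  5 10:20:00 pc05 sshd[2301]: Accepted publickey for alice from 10.0.0.7 port 41001 ssh2: ED25519 SHA256:EXAMPLEKEYBBBB
EOF
}

# fanout MIN_HOSTS WINDOW_SECONDS   (log lines on stdin)
# Prints "user source fingerprint host_count" for every (user, source, key)
# that logged in to at least MIN_HOSTS distinct hosts inside one time bucket.
# Buckets are fixed slices of WINDOW_SECONDS per day, so a burst that
# straddles a bucket boundary is counted in two halves.
fanout() {
    awk -v min="$1" -v win="$2" '
    $6 == "Accepted" && $7 == "publickey" {
        split($3, t, ":")
        bucket = int((t[1] * 3600 + t[2] * 60 + t[3]) / win)
        # identity = user, source IP, key fingerprint; scoped to day + bucket
        id = $9 " " $11 " " $16 SUBSEP $1 $2 SUBSEP bucket
        # $4 is the host that accepted the login; count each host once
        if (!((id, $4) in seen)) { seen[id, $4] = 1; hosts[id]++ }
    }
    END {
        for (id in hosts)
            if (hosts[id] >= min) {
                split(id, part, SUBSEP)
                print part[1], hosts[id]
            }
    }' | sort -u
}

# Flag any key that reached 3 or more hosts within a 60-second bucket.
sample_log | fanout 3 60
```

Restricting the key in authorized_keys with the `from=` and `command=` options limits what a flagged key can do once it is found.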
