Criminal

A Hacking Tutorial 2

-------------------
The C compiler
-------------------

This will be BRIEF. Why? Because if you want to learn C, go buy a book. I don't have time to write another text file on C, for it would be huge. Basically, most executables are programmed in C. Source code files on unix are found as filename.c. To compile one, type in "cc filename.c". Not all C programs will compile, since they may depend on other files not there, or are just modules. If you see a thing called "makefile" you can usually type in just "make" at the command prompt, and something will be compiled, or be attempted to compile. When using make or cc, it would be wise to use the background operand since compiling sometimes takes forever.

I.e.:

$ cc login.c&
[1234]
$

(The 1234 was the process # it got identified as).

_____________________________________________________________________________

--------------
Hacking:
--------------

The first step in hacking a UNIX is to get into the operating system by finding a valid account/password. The object of hacking is usually to get root (full privileges), so if you're lucky enough to get in as root, you need not read any more of this hacking phile, and get into the "Having Fun" Section. Hacking can also be just to get others' accounts.

Getting IN
----------

The first thing to do is to GET IN to the Unix. I mean, get past the login prompt. That is the very first thing. When you come across a UNIX, sometimes it will identify itself by saying something like,

"Young INC. Company UNIX"

or just

"Young Inc. Please login"

Here is where you try the defaults I listed. If you get in with those you can get into the more advanced hacking (getting root). If you do something wrong at login, you'll get the message

"login incorrect"

This was meant to confuse hackers, or keep them wondering. Why? Well, you don't know if you've entered an account that does not exist, or one that does exist, and got the wrong password. If you login as root and it says "Not on Console", you have a problem. You have to login as someone else, and use SU to become root.

Now, this is where you have to think. If you cannot get in with a default, you are obviously going to have to find something else to login as. Some systems provide a good way to do this by allowing the use of command logins. These are ones which simply execute a command, then logoff. However, the commands they execute are usually useful. For instance there are three common command logins that tell you who is online at the present time. They are:

who
rwho
finger

If you ever successfully get one of these to work, you can write down the usernames of those online, and try to logon as them. Lots of unsuspecting users use their login name as their password. For instance, the user "bob" may have a password named "bob" or "bob1". This, as you know, is not smart, but they don't expect a hacking spree to be carried out on them. They merely want to be able to login fast.

If a command login does not exist, or is not useful at all, you will have to brainstorm. A good thing to try is to use the name of the unix that it is identified as. For instance, Young INC's Unix may have an account named "young":

Young, INC. Please Login.
login: young
UNIX SYSTEM V REL 3.2
©1984 AT&T..
..
..
..

Some unixes have an account open named "test". This is also a default, but surprisingly enough, it is sometimes left open. It is good to try to use it. Remember, brainstorming is the key to a unix that has no apparent defaults open. Think of things that may go along with the Unix. Type in stuff like "info", "password", "dial", "bbs" and other things that may pertain to the system. "att" is present on some machines also.

ONCE INSIDE -- SPECIAL FILES
----------------------------

There are several files that are very important to the UNIX environment. They are as follows:

/etc/passwd - This is probably the most important file on a Unix. Why? Well, basically, it holds the valid usernames/passwords. This is important since only those listed in the passwd file can login, and even then some can't (will explain). The format for the password file is this:

username:password:UserID:GroupID:Description(or real name):homedir:shell

Here are two sample entries:

sirhack:89fGc%^7&a,Ty:100:100:Sir Hackalot:/usr/sirhack:/bin/sh
demo::101:100:Test Account:/usr/demo:/usr/sh

In the first line, sirhack is a valid user. The second field, however, is supposed to be a password, right? Well, it is, but it's encrypted with the DES encryption standard. The part that says "&a,Ty" may include a date after the comma (Ty) that tells unix when the password expires. Yes, the date is encrypted into two alphanumeric characters (Ty). In the second example, the demo account has no password, so at login, you could type in:

login: demo
UNIX system V
©1984 AT&T
..
..

But with sirhack, you'd have to enter a password. Now, the password file is great, since a lot of times, you'll be able to browse through it to look for unpassworded accounts. Remember that some accounts can be restricted from logging in, as such:

bin:*:2:2:binaccount:/bin:/bin/sh

The '*' means you won't be able to login with it. Your only hope would be to run an SUID shell (explained later).

A NOTE ABOUT THE 'DES' ENCRYPTION: each unix makes its own unique "keyword" to base encryption off of.

/etc/group - This file contains the valid groups. The group file is usually defined as this:

groupname:password:groupid:users in group

Once again, passwords are encrypted here too. If you see a blank in the password entry you can become part of that group by using the utility "newgrp". Now, there are some cases in which even groups with no password will allow only certain users to be assigned to the group via the newgrp command. Usually, if the last field is left blank, that means any user can use newgrp to get that group's access. Otherwise, only the users specified in the last field can enter the group via newgrp. Newgrp is just a program that will change the current group id you are logged on under to the one you specify. The syntax for it is: newgrp groupname

Now, if you find a group unpassworded, and use newgrp to enter it, and it asks for a password, you are not allowed to use the group. I will explain this further in the "SU & Newgrp" section.

/etc/hosts - This file contains a list of hosts it is connected to thru a hardware network (like an x.25 link or something), or sometimes just thru UUCP. This is a good file when you are hacking a large network, since it tells you systems you can use with rsh (Remote Shell, not restricted shell), rlogin, and telnet, as well as other ethernet/x.25 link programs.

/usr/adm/sulog (or su_log) - The file sulog (or su_log) may be found in several directories, but it is usually in /usr/adm. This file is what it sounds like. It's a log file, for the program SU. What it is for is to keep a record of who uses SU and when. Whenever you use SU, your best bet would be to edit this file if possible, and I'll tell you how and why in the section about using "su".

/usr/adm/loginlog or /usr/adm/acct/loginlog - This is a log file, keeping track of the logins. Its purpose is merely for accounting and "security review". Really, sometimes this file is never found, since a lot of systems keep the logging off.

/usr/adm/errlog or errlog - This is the error log. It could be located anywhere. It keeps track of all serious and even not so serious errors. Usually, it will contain an error code, then a situation. The error code can be from 1-10; the higher the number, the worse the error. Error code 6 is usually used when you try to hack. "login" logs your attempt in errlog with error code 6. Error code 10 means, in a nutshell, "SYSTEM CRASH".

/usr/adm/culog - This file contains entries that tell when you used cu, where you called and so forth. Another security thing.

/usr/mail/<userLogin> - This is where the program "mail" stores its mail. To read a particular mailbox, so they are called, you must be that user, in the user group "mail" or root. Each mailbox is just a name. For instance, if my login was "sirhack" my mail file would usually be: /usr/mail/sirhack

/usr/lib/cron/crontabs - This contains the instructions for cron, usually. Will get into this later.

/etc/shadow - A "shadowed" password file. Will talk about this later.

-- The BIN account --

Well, right now, I'd like to take a moment to talk about the account "bin". While it is only a user level account, it is very powerful. It is the owner of most of the files, and on most systems, it owns /etc/passwd, THE most important file on a unix. See, the bin account owns most of the "bin" (binary) files, as well as others used by the binary files, such as login. Now, knowing what you know about file permissions, if bin owns the passwd file, you can edit passwd and add a root entry for yourself. You could do this via the edit command:

$ ed passwd
10999 [The size of passwd varies]
* a
sirhak::0:0:Mr. Hackalot:/:/bin/sh
{control-d}
* w
* q
$

Then, you could say: exec login, then you could login as sirhack, and you'd be root.

Some tips:

1. Don't give it out. If the sysadm sees that joeuser logged in 500 times in one night....then....

2. Don't stay on for hours at a time. They can trace you then. Also they will know it is irregular to have joeuser on for 4 hours after work.

3. Don't trash the system. Don't erase important files, and don't hog inodes, or anything like that. Use the machine for a specific purpose (to leech source code, develop programs, an Email site). Don't be an asshole, and don't try to erase everything you can.

4. Don't screw with users constantly. Watch their processes and run what they run. It may get you good info (snoop!)

5. If you add an account, first look at the accounts already in there. If you see a bunch of accounts that are just 3 letter abbreviations, then make yours so. If a bunch are "cln, dok, wed" or something, don't add one that is "joeuser", add one that is someone's full initials.

6. When you add an account, put a woman's name in for the description, if it fits (Meaning, if only companies log on to the unix, put a company name there). People do not suspect hackers to use women's names. They look for men's names.

7. Don't cost the Unix machine too much money. I.e., don't abuse an outdial, or if it controls trunks, do not set up a bunch of dial outs. If there is a pad, don't use it unless you NEED it.

8. Don't use x.25 pads. Their usage is heavily logged.

9. Turn off acct logging (acct off) if you have the access to. Turn it on when you are done.

10. Remove any trojan horses you set up to give you access when you get access.

11. Do NOT change the MOTD file to say "I hacked this system". Just thought I'd tell you. Many MANY people do that, and lose access within 2 hours, if the unix is worth a spit.

12. Use good judgement. Cover your tracks. If you use su, clean up the sulog.

13. If you use cu, clean up the cu_log.

14. If you use the smtp bug (wizard/debug), set up a uid shell.

15. Hide all suid shells. Here's how:

goto /usr (or any dir)
do:
# mkdir ".. "
# cd ".. "
# cp /bin/sh ".whatever"
# chmod a+s ".whatever"

The "" are NEEDED to get to the directory .. ! It will not show up in a listing, and it is hard as hell to get to by sysadms if you make 4 or 5 spaces in there (".. "), because all they will see in a directory FULL list will be .. and they won't be able to get there unless they use "" and know the spacing. "" is used when you want to do literals, or use a wildcard as part of a file name.

16. Don't hog cpu time with password hackers. They really don't work well.

17. Don't use too much disk space. If you archive something to dl, dl it, then kill the archive.

18. Basically -- COVER YOUR TRACKS.

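A defender's check for the passwd-file conditions the post walks through (an empty password field like the "demo" entry, a UID 0 entry added under a name other than root like the ed example, and '*'-locked accounts like "bin"), written as an added example that is not part of the original post. It assumes the seven-field colon-separated format the post gives; the sample lines are constructed here, modelled on the post's own entries.

```python
# Added example (not from the post): audit passwd entries; sample input below is constructed.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
sirhack:89fGc%^7&a,Ty:100:100:Sir Hackalot:/usr/sirhack:/bin/sh
demo::101:100:Test Account:/usr/demo:/usr/sh
bin:*:2:2:binaccount:/bin:/bin/sh
sirhak::0:0:Mr. Hackalot:/:/bin/sh
"""

# The seven colon-separated fields in the order the post gives them.
PASSWD_FIELDS = ("name", "password", "uid", "gid", "gecos", "home", "shell")


def parse_passwd(text):
    """Split passwd text into entry dicts; return (entries, malformed_lines)."""
    entries, malformed = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        # Wrong field count or non-numeric UID/GID: report it, don't guess.
        if len(parts) != len(PASSWD_FIELDS) or not (parts[2].isdigit() and parts[3].isdigit()):
            malformed.append((lineno, line))
            continue
        entry = dict(zip(PASSWD_FIELDS, parts))
        entry["uid"], entry["gid"] = int(entry["uid"]), int(entry["gid"])
        entries.append(entry)
    return entries, malformed


def audit_passwd(text):
    """Return (severity, account, reason) findings for a passwd file's contents."""
    entries, malformed = parse_passwd(text)
    findings = [("WARN", f"line {n}", "malformed entry") for n, _ in malformed]
    for e in entries:
        if e["password"] == "":
            # Empty second field: the post's "demo" case, login with no password at all.
            findings.append(("HIGH", e["name"], "empty password field"))
        if e["uid"] == 0 and e["name"] != "root":
            # Any UID 0 entry is root no matter what name it carries.
            findings.append(("HIGH", e["name"], "UID 0 under a non-root name"))
        if e["password"] == "*":
            findings.append(("INFO", e["name"], "locked ('*' password field)"))
    return findings


if __name__ == "__main__":
    for severity, account, reason in audit_passwd(SAMPLE_PASSWD):
        print(f"{severity:5} {account:12} {reason}")
```

On a real host, feed the script the contents of /etc/passwd; a shadowed system will show "x" in the password field and needs the same check applied to /etc/shadow.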
