Parent-Message-Id: <12229084762.30.AWALKER@RED.RUTGERS.EDU>

There is a flaw in the Berkeley 4.3 Unix passwd program that makes a tape attack on a password feasible. (We haven't looked at any other versions of Unix.)

From passwd.c:

    time(&salt);
    salt = 9 * getpid();
    saltc[0] = salt & 077;
    saltc[1] = (salt>>6) & 077;
    for (i = 0; i < 2; i++) {
        c = saltc[i] + '.';
        if (c > '9')
            c += 7;
        if (c > 'Z')
            c += 6;
        saltc[i] = c;
    }
    pw = crypt(pwbuf, saltc);

What does the salt depend on? Well, the paper on unix password security by Morris and Thompson states that the choice of seed is based upon the time of day clock and that there are 4096 different possible seeds. (See "Password Security: A Case History" CACM, v 22, n 11, November 1979, p. 594. That paper is often distributed with Unix manuals.)

On first glance at the above code, we were surprised to find a call to getpid() in addition to the expected call to time(). A close inspection of the first two lines of the above code reveals that the result of the call to time() is completely thrown out in the next line of code. The salt depends only on the process ID number of the passwd program!

But, let's go ahead and assume that a call to getpid() produces a sufficiently random 16 bit number. What's the effect of multiplying by 9? Well, since on the next two lines, only the low 12 bits of the variable "seed" are used, the multiplying by 9 reduces the number of possible seeds by a factor of nine. For example, after the second line of code above, the variable "seed" could be 0, 9, 18, 27, etc, but it could never be any value that is not a multiple of 9. Thus the passwd program can only produce 4096/9 (= 456) of the 4096 possible salt values. (It's amusing to note that without the second line, or if the operator was "+=" instead of just "=" in the second line, the code would generate all 4096 different seeds with about evenly distributed probabilities.)

So what?
Well, imagine taking a dictionary of 30,000 likely passwords and producing 456 different files, one for each different salt, each containing 30,000 hashed passwords, each on a separate line, and in the same order as the words in your dictionary. Each file would be about 270 thousand bytes long (including line-feeds) and all the files together could be kept on two 6250bpi tapes (which hold about 100 megabytes each). Now, to determine somebody's password from their entry in the password file (assuming that their password is in your original dictionary), position the appropriate tape at the start of the file corresponding to that user's salt and grep -n the tape for the hashed password. (This will be vastly faster than 30,000 calls to crypt(), even the faster versions described in an earlier message.) If the salt could take on all 4096 possible values, you would instead need around 15 tapes to hold all the files.

All this underlies the importance of choosing a password which is not in any dictionary and which is long enough.

Bob Baldwin
BALDWIN@XX.LCS.MIT.EDU
...!ihnp4!mit-eddie!baldwin

and

Tim Shepard
SHEP@XX.LCS.MIT.EDU
...!ihnp4!mit-eddie!shep

-------
provided for your consideration by:

              | Striker |
            Phortune500/BOD
         -=>The DEC Hunters<=-

==============================================================================

                              UNIX* Usage Notes

The following is a collection of information on various UNIX topics:

Logging On
----------

You need a username and a password, supplied by the system administrator. Some systems have guest accounts ("guest", "netguest", and other names). To find out who's on the system without logging in, "who", "finger", or "w" may work on your system.

(WARNING-- When you get a username or password wrong, a message gets printed out on the system console. Trying to brute-force your way into someone else's system is stupid, and you can get caught easily.)
There is a new Federal law that prohibits fucking around with computers across state lines; many states also have tough computer-crime laws. You're best off (believe me, I KNOW) using a UNIX system you have legitimate access to, such as a school's system or a public access UNIX/Xenix (there are a few in New York and other places, where you pay a certain amount per month).

Special Characters
------------------

ctrl-C (or DEL (Ascii 127 on some systems))
        Interrupt. Stops the current program. (intr)
        [<-- name for changing it with the "stty" command]

ctrl-B (or ctrl-\ (28))
        Quit. Like control-C but stronger. Often works when ctrl-C doesn't. Try ctrl-C first; some programs catch it so they can clean up and exit gracefully. (quit)

ctrl-D  End-of-file. Used to end input when the terminal is being read as a file (mail senders and many other programs do this). If you type control-D to the shell (command interpreter), it will usually log you out. (If not, use "exit" or "logout".) (eof)

DEL (or ctrl-H)
        Erase the last character typed. (erase)

ctrl-U (rarely @)
        Erase the line typed so far. (kill)

ctrl-S  Pause during output. (stop)

ctrl-Q  Resume during output. (start)

ctrl-M  Will usually work just like RETURN.

ctrl-J  Will usually work just like RETURN.

As you can see, special characters are hardly standardized. (Old UNIX's used to use # for character erase!) Give the "stty" command to see the settings on your system, or to change them for your terminal session. To change the erase to backspace (ctrl-H), give the command "stty erase '^H'".

Getting Information on Commands
-------------------------------

"man" is the standard command for getting information. "man mail" tells you all about the 'mail' command. "man -k delete" gives you a list of everything matching the keyword 'delete'.

Sending and Receiving Mail
--------------------------

"mail joe" sends a letter to the username 'joe'. Type your letter on the next lines, ending with control-D on a line by itself.

"mail" lets you read your mail. When it asks whether to "save?", 'y' saves the letter in your file 'mbox' (for old mail); 'n' gets rid of it. Many systems also have more sophisticated programs for sending and receiving mail (for those, type a "?" at the mail prompt "_" or maybe "-").

Directories ala UNIX
--------------------

UNIX files are arranged in a tree structure. (If you're used to MS-DOS or PC-DOS, just use forward slashes / instead of backslashes \, and forget about drive letters, and you'll be fine.) There is a root directory, the "top" of the file system. At any point, there can be subdirectories, which are just named areas to put files in so they won't clutter up the root directory. These subdirectories can contain subdirectories, which can contain other subdirectories, and so forth until the disk can't hold any more files.

Here's an example of what *part* of a UNIX filesystem might look like:

    [Diagram: the root directory / with unix, bin, etc, lib, tmp and usr beneath it; the remaining names in the figure (lib, dev, src, adm, bin, george, bill and mikey) hang below usr.]

A name like /foo/bar means start at the root, go to subdirectory foo, then to the file bar (which can be either a subdirectory or a plain file). "foo/bar" (no slash at the beginning) means start at the CURRENT DIRECTORY (the 'pwd' command tells you where you are), and go through subdirectory foo to bar. foo means foo in the current directory. . (a dot) means the current directory itself; .. (two dots) means the parent directory, one level above the current one. So ./xyzzy is the same file as xyzzy.

/unix is the UNIX kernel, the system routines that get read in when the system is booted up. /bin and /usr/bin (and other places like /usr/local on most systems) hold command programs; when you type 'pwd' or 'ls' (list files) or most other UNIX commands, these directories are checked for the 'pwd' or 'ls' program or whatever. Almost all UNIX commands are ordinary programs; nothing magical.
/etc, /lib, /usr/lib, /usr/adm, etc. hold "miscellaneous" system files. A few of these are quite critical; I'll discuss them later.

/tmp and /usr/tmp are work areas for temporary files. They get cleared regularly, at least whenever the system is re-"booted".

In this example, /usr/george, /usr/bill, and /usr/mikey are three users' file areas or "home directories". Naming of home directories varies wildly between UNIX systems; they might look like /usr/george or /usr/users/smith or /home/andrews or /i/ins/.heyho. When you log in, your current directory is set to your home directory.

Commands for Managing Directories
---------------------------------

cd      Change Directory - move to another current directory (e.g. "cd /usr/george" or "cd .."). Plain "cd" takes you to your own home directory (unlike MS/PC-DOS!).

pwd     Print Working Directory - prints your current (default) directory. Lets you see where you are.

mkdir   MaKe DIRectory, e.g. "mkdir hacks" to create a subdirectory named "hacks" under your current directory.

rmdir   ReMove DIRectory. The directory must be empty.

Other File Commands
-------------------

ls      LiSt files. You may give directories or filenames after "ls", or "ls" by itself will list the current directory.

ls -l   List in Long format (with protection, owner, size (in characters) and date before the filenames).

ls -a   List All files; ordinarily files starting with a dot are not listed. Many "setup" files have names like .profile, .login, .cshrc, .sendrc, and so forth. Ordinarily "ls" doesn't bother you with them.

ls -d foo
        Lists "foo" as a file; doesn't list what's inside if foo is a directory. Useful in combinations like "ls -ld foo". Other options can be combined this way, like "ls -al".

cat chow
        Prints the contents of the file "chow" on your terminal.

rm trash
        ReMoves (deletes) the file "trash". Once it's gone, you can't get it back again.

chmod   Changes file protections. More about that later.

ed, vi, ex, emacs, ...
        Text editors.
Consult any good introductory UNIX book.

Input/Output Redirection
------------------------

Using "<file" on the command line (after the command!) lets input come from "file" instead of "standard input" (the terminal). Similarly, ">file" redirects output to "file", clobbering whatever was in it before. ">>file" means append to the end of "file".

"foo a b c | bar x y z" means to run the command "foo a b c", and give its output as the input of the command "bar x y z". This is called a 'pipe' between the commands; UNIX hackers call '|' a "pipe sign".

For example, "cat" (like many commands) uses standard input if you don't give a filename. If you say "cat >piss", it'll read from your terminal until you hit control-D, and put that text into the file "piss".

Special Filename Characters (Wildcards)
---------------------------------------

'*' in the command line matches any string of characters within a filename. '?' matches any ONE character. '[abc]' matches 'a', 'b', or 'c'. For example, "*.c" will match "foo.c", "prog2b.c", and ".c", but not "mailbox" or ".c.d.e". A dot at the beginning of a filename (as in ".profile") and directory slashes will not be matched -- you have to type them explicitly.

These wildcards are expanded on the command line. So if you type "echo a*b", "echo" might be run with arguments "abb" "alba1.b" etc., or whatever. (echo just echoes back its arguments to you; "echo *" works a lot like plain "ls".)

UID's, GID's, and File Protection
---------------------------------

Your account has a User ID (uid) number, which identifies which files you own, and a Group ID (gid), which determines which files you can access as a member of "the group". A uid of 0 is special. It signifies the superuser, who can read any file and write any non-directory. Superusers can use "chown" and "chgrp" to change the ownership of files, and in general do anything we damn well please. There is usually an account "root" whose uid is 0.
If you're running a UNIX system, NEVER give the superuser password to anyone who doesn't have a DAMNED EXCELLENT reason to know. (Change the password frequently--maybe every week or two; ALWAYS whenever an "employee" leaves.)

There are three ways to access a file -- owner, if your uid matches that of the file; group member, if your gid matches the file's; and other. Whenever you create a file, it is given your uid and gid. The "ls -l" display shows the protection code for a file (which the owner may change). A typical "ls -l" line might look like this:

    -rw-r--r--  george  users  6125  May 20 15:42  stuffy-funk
    prot.code   owner   group  size  mod.date      name
                (these correspond to uid & gid #'s)

The protection code can be broken down into several sections:

    - rw- r-- r--
    1  2   3   4

1: 'd' for a directory, 'b' or 'c' for "special files" which are really devices, and '-' for ordinary files.
2: permissions for the owner. 'r'=read, 'w'=write, 'x'=execute.
3: permissions for the group.
4: permissions for others.

Protection on Directories
-------------------------

Since it makes no sense to 'execute' a directory, the protection bits have a slightly different meaning on a directory. Execute means you can access files and subdirectories if you know their names. (If a directory has execute but no read permission, you can't "ls" it to see what's there, but you can use files you know are there.) Read means you can look to see what's there with "ls" or with special filename characters. Write means you can create and delete files in the directory. THIS IS THE ONLY PROTECTION DEALING WITH DELETING FILES - it doesn't matter whose file it is, as long as you have write permission in its parent directory.

SetUID and SetGID programs
--------------------------

If the setuid bit of an executable file is set, then whenever you run that file, your "effective uid" temporarily becomes that of the file.
This is commonly used for games which write to a high score file that people should not be able to mess with otherwise. The "set group id" bit works similarly. These bits show up as an 's' instead of an 'x' in the owner and group sections of the protection code.

The "Sticky" Bit ('t' bit)
--------------------------

Only the superuser can set the sticky bit, which shows up as a 't' in the "others" section of the protection code. This bit means the program can't be swapped out of memory, speeding up access time for small systems programs that are used often. This bit can also be set as a part of your trusty hack program (to be presented in a later installment).

Changing File Protection with "chmod"
-------------------------------------

The chmod command has the form "chmod CODE FILE(S)". CODE is an octal code made by or-ing together the following:

    04000   set user id on execution
    02000   set group id on execution
    01000   sticky bit [program is loaded into buffer]
    0400    read permission for owner
    0200    write permission for owner
    0100    execute permission for owner
    040, 020, 010   read, write, execute for group
    04, 02, 01      read, write, execute for others

For example, "chmod 644 trash" would set the file "trash" to be readable and writable by the owner, and only readable by others (or world). Of course, only the owner or the superuser can use chmod on a file.

The Password File -- /etc/passwd
--------------------------------

The file /etc/passwd lists all the accounts on the system. It is stored in a printable form, and everyone can read it. Each account is represented by a line like

    george:D/d7C.Xyu3pPr:205:40:George Porgie:/usr/george:/bin/sh
    1----- 2------------ 3-- 4- 5------------ 6---------- 7------

There are seven parts, separated by colons.

1: the username
2: the encrypted password. The encryption algorithm is supposed to not be reversible; to check the password you type while logging in, UNIX encrypts your guess and sees if the encrypted version matches.
   If no value is given (like in "guest::99:99: ...etc..."), no password is necessary. If you see an "X" or "*" or "NOLOGIN" or something here, then nobody can log into the account, since the "X" will never match an encrypted password.
3: the user id
4: the group id. (The file /etc/group lists group ids and group names.)
5: usually the person's real name
6: the home directory
7: the command interpreter to use. The default is "/bin/sh". Special accounts like "who" work by putting the program name (like /bin/who) here; as soon as this "command interpreter" finishes, the account is logged off.

The SU Command -- Temporarily Switching to Another Account
----------------------------------------------------------

If you give the command "su bill", it will ask for a password. If you give bill's correct password, you temporarily switch into bill's account. Type a control-D to get back to your own account. "su" by itself means the same as "su root".

*WARNING*!! Every time you use su to try to get into a superuser account, it prints a message on the system console (something like "SU george 20 May 1986 15:42" if you get in; "BADSU" etc. if you don't). Don't try to force your way in with "su" -- they'll notice and possibly trace your phone line.

=============================================================================

This is the end of my introduction to UNIX* systems. Look for further installments on the UNIX series of operating systems. (Including "Hacking" philes :-)

---Striker---> 1/12/86 ---=======--> uVaxSquad!
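A translation of the "ls -l" protection code into the octal CODE that the chmod section above describes, as an added example that is not part of the original file. It goes one step past the text: a capital 'S' or 'T' in an execute position means the special bit is set without the matching execute bit, and the type column accepts the '-', 'd', 'b' and 'c' values listed in the protection-code breakdown.

```c
#include <stdio.h>
#include <string.h>

/* Returns the octal CODE that chmod would need to reproduce a 10-character
 * "ls -l" protection code such as "-rwsr-xr-x", or -1 if the string is not
 * a valid code. Bit values are the ones in the chmod table above. */
int mode_from_ls(const char *code)
{
    int mode = 0;
    if (strlen(code) != 10 || strchr("-dbc", code[0]) == NULL)
        return -1;                                /* type column: -, d, b or c */
    for (int i = 0; i < 3; i++) {                 /* 0 owner, 1 group, 2 others */
        const char *p = code + 1 + 3 * i;
        int shift = 6 - 3 * i;                    /* 0700, 070, 07 sections */
        if (p[0] == 'r') mode |= 04 << shift; else if (p[0] != '-') return -1;
        if (p[1] == 'w') mode |= 02 << shift; else if (p[1] != '-') return -1;
        switch (p[2]) {
        case 'x': mode |= 01 << shift; break;
        case '-': break;
        case 's': case 'S':                       /* setuid (owner) or setgid (group) */
            if (i == 2) return -1;
            mode |= (i == 0) ? 04000 : 02000;
            if (p[2] == 's') mode |= 01 << shift; /* capital S: no execute bit */
            break;
        case 't': case 'T':                       /* sticky bit, others column only */
            if (i != 2) return -1;
            mode |= 01000;
            if (p[2] == 't') mode |= 01;
            break;
        default: return -1;
        }
    }
    return mode;
}

/* True when the code carries a setuid or setgid bit: the files to list when
 * you review which programs give their user another uid or gid while running. */
int is_setid(int mode) { return mode > 0 && (mode & 06000) != 0; }

int main(void)
{
    const char *samples[] = { "-rw-r--r--", "-rwsr-xr-x", "drwxrwxrwt", "-rwxr-sr-x", "-rw-r--r-s" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int mode = mode_from_ls(samples[i]);
        if (mode < 0) printf("%s  invalid protection code\n", samples[i]);
        else printf("%s  chmod %04o%s\n", samples[i], mode, is_setid(mode) ? "  (set-id)" : "");
    }
    return 0;
}
```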
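The seven-field /etc/passwd format and the password-field cases described above (empty field means no password needed; "*", "X" or "NOLOGIN" can never match; uid 0 is the superuser whatever the account is called), as an added example that is not part of the original file. Apart from george's line, which is quoted from the text, the sample lines are constructed; the check also assumes the traditional 13-character crypt(3) output drawn from ./0-9A-Za-z, of which the quoted hash is one instance.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { PW_BAD_LINE = -1, PW_LOCKED, PW_NORMAL, PW_NO_PASSWORD };
struct pwent { char *f[7]; int uid; char buf[256]; };   /* f[0]=name .. f[6]=shell */

/* Fills *pw from one /etc/passwd line. Returns PW_BAD_LINE unless there
 * are exactly seven colon-separated fields, else classifies field 2. */
int parse_passwd_line(const char *line, struct pwent *pw)
{
    int n = 0;
    snprintf(pw->buf, sizeof pw->buf, "%s", line);
    pw->buf[strcspn(pw->buf, "\n")] = '\0';
    for (char *s = pw->buf; ; s++) {       /* split on ':', keeping empty fields */
        pw->f[n++] = s;
        if ((s = strchr(s, ':')) == NULL) break;
        if (n == 7) return PW_BAD_LINE;    /* an eighth field */
        *s = '\0';
    }
    if (n != 7) return PW_BAD_LINE;
    pw->uid = atoi(pw->f[2]);
    const char *hash = pw->f[1];
    if (hash[0] == '\0') return PW_NO_PASSWORD;
    /* crypt(3) output is 13 characters from ./0-9A-Za-z (assumed here, as in
     * the example line above); anything else, such as "*", "X" or "NOLOGIN",
     * can never match what login computes from a typed password */
    if (strlen(hash) != 13) return PW_LOCKED;
    for (const char *p = hash; *p; p++)
        if (*p != '.' && *p != '/' && !isalnum((unsigned char)*p)) return PW_LOCKED;
    return PW_NORMAL;
}
int is_superuser(const struct pwent *pw) { return pw->uid == 0; }

int main(void)
{
    /* constructed sample lines; only george's is the line quoted in the text */
    const char *lines[] = {
        "george:D/d7C.Xyu3pPr:205:40:George Porgie:/usr/george:/bin/sh",
        "guest::99:99:Guest Account:/usr/guest:/bin/sh",
        "daemon:*:1:1:System Daemon:/:/bin/sh",
        "admin2:D/d7C.Xyu3pPr:0:0:Second uid 0 account:/:/bin/sh" };
    static const char *label[] = { "locked", "normal", "NO PASSWORD" };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        struct pwent pw; int kind = parse_passwd_line(lines[i], &pw);
        if (kind == PW_BAD_LINE) { printf("bad line: %s\n", lines[i]); continue; }
        printf("%-8s uid=%-4d %s%s\n", pw.f[0], pw.uid, label[kind],
               is_superuser(&pw) ? "  <- superuser" : "");
    }
    return 0;
}
```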