* How To Break Into Computer Systems – Part 3

- Release 3.0 -

Portwolf, 2000

Information Insemination
__________________________________________________
In Summary
Appendix A – Dialup Hacking
Appendix B – commonly used UNIX passwords / usernames
Appendix C – basic UNIX commands
Appendix D – NT Hex Codes
Appendix E – well known TCP ports
Appendix F – NT and UNIX groups
Appendix G – Further Reading
__________________________________________________

In Summary
With this text I’ve scratched the surface of the hacking of today. If nothing else, you should have learned just how much you’re going to have to learn to become a proficient hacker. You’ll need to learn more about various protocols and about different operating systems. Learning programming languages such as C or Perl would definitely help you. There are a lot of programs out there, but most do the same thing their legitimate counterparts would do, and don’t allow much room for fine tuning. Imagine the power in the ability to write a target-specific program to aid you in hacking it! Anyways, I also strongly suggest installing Linux on your machine. UNIX is more powerful (and therefore more complex) than DOS and Windows, and the only way you’ll learn anything about it is to have it (not to mention raw sockets!). Even a book wouldn’t be of much use if you had nothing to apply what you’ve learned on. When faced with a challenge that you don’t quite understand, fumble your way through. Try not to ask for help all the time. You’ll learn a lot more that way – and not just about the obstacle in question. In closing, let me say that you should never decide that you know enough. An unquenchable thirst for knowledge is what drives the real hacker. The process, not the end result. I guess I see no better way to end this text than with my favorite quote (from a good friend of mine):
“What do you want to hack today?”
[ Kurruppt2k ]

Shoutouts and Credits
Most of the info and methodologies here are from first-hand experience. Some of the exploits listed I got from Maximum Security (but I tried them, to make sure they work) and SecurityFocus. Inspiration? Go download a few good techno MP3’s (all available at mp3.com) – Matrix by Wintermute, Darth Techno by Raver FX, and Linux vs. Win NT by Noize Concept will all set the stage for some serious haxoring.

And a manual like this wouldn’t be complete without a few shoutouts to my cohorts. Shoutouts go to: Raz0rphane aka RiotKl0ne, _Syn, the LoungeRaptor, Grim Ph0enix, Dr34d 451, Enz00, WCU, HeadCase, ViRuSS, and Blu3skr33n, and all of Shadow of the iNode. Phear SiN.

If you (the reader) can think of anything you’d like to see added in future releases, or just have any criticisms, email me at E-mail. Thanx.

Appendices
Here is a compilation of miscellaneous info that either had no logical place in the flow of the manual, or is just kinda a chart or list of info that is better appended to the end. Have phun.

Appendix A – Dialup Hacking
This is something that has almost gone away completely. Back in the old skool days of hacking, people connected their networks by dialing into computers at their remote offices. Leased digital lines (such as T1’s, DSL, or Frame Relay) were much too expensive for most, so modems and the PSTN (Public Switched Telephone Network) were used. Nowadays, though, companies connect their networks with either dedicated digital lines or over the Internet (with technologies such as VPNs, explained in the crypto section of ‘Intro to h/p/v/c’). And that’s how hackers connected to their victims – by dialing directly into them. This limited hackers’ techniques to primarily brute force, social engineering, and trashing. Only being able to dial in is like having port 23 be the only open port on every machine you ever try to hack. Not much phun.
Today, hackers do their work over the Net. On occasion, though, you may find yourself dialing right into the system you’re trying to crack. Why? Maybe your target isn’t on the Net, but has a modem. Maybe while tiptoeing around you found that one machine on their NT network was a RAS server, and you want to dial in. For whatever reason, you’ll probably dial into at least one machine in your h/p career.

Dialing a modem with your own is just like telnetting to a machine. You type characters which are sent to the host, and it sends characters back to your screen. This means a few things. Your programs that use any TCP/IP stuph won’t work – because you’re not communicating over a TCP/IP network. All you can do is send text over the wire. One of the only reasons you might ever want to hack via dialup is that some companies have a heavily guarded firewall system in place for the Internet, but less secure modems (like if an employee hooks up a modem to their workstation without the sysadmin knowing about it).

To dial out from your computer, you’ll either use a Windows or DOS program such as Terminal, Hyperterminal, or Dial-Up Networking, or a Linux program such as netconf or pppd. Hyperterminal comes with Win9X and NT, but I prefer the old Terminal program that came with Windows 3.X. To talk to your modem, you’ll use the AT commands. Here are a few of those.

AT     To see if your modem is responding. If so, you’ll get an ‘OK’ message back.
ATE0   To turn the local echo off. Some hosts will echo (send) characters you type back to your screen. If they do, turn the echo off.
ATE1   To turn the local echo on. If the host you’re calling doesn’t echo, you’ll want to see what you’re typing.
ATS0   To turn your modem speaker off.
ATS1   To turn your modem speaker on.
ATPPP  To turn PPP mode on.
ATDT   To dial a number using touch-tone (DTMF). To dial 555-6789 type: atdt 555-6789
ATPT   To dial a number using pulse dialing.

There are a lot of modem commands. Hyperterminal won’t let you use them, since it does all the dialing of numbers for you. Older DOS dialers/terminal emulators let you, though, as does Terminal.

When you dial into a machine, you’ll most likely see either some old mainframe OS or a UNIX machine. NT does have a program called RAS, though, which stands for Remote Access Service. You use Dial-Up Networking to connect to RAS servers, and once authenticated, the computer (and sometimes the network) you dialed into will show up in your Network Neighborhood. Windows 9X DUN must be updated before it can dial into RAS servers, but NT Workstation’s DUN will work out of the box.

PSTN Protocols. When the PSTN was the primary means of internetworking, a few protocols were developed to transfer data between remote hosts. Kermit, xmodem, and ymodem are a few of these. Mainframes usually support these, so get a dialup terminal emulator that supports these protocols to get data from or put data on these machines. Terminal has a built-in file transfer function. Kermit for DOS supports most PSTN protocols also.

How do you find dialup phone numbers? First find all phone numbers associated with that organization. Look in the phone book. Do a whois and you’ll get a few phone numbers. Then get yourself a wardialer. This is a program that scans PSTN exchanges. In layman’s terms, it will dial every phone number in a range you specify looking for modems. These programs were very popular years ago, and most are for DOS. A few GUI wardialers exist though. Two very good ones are PhoneTag and PhoneSweep. So say you look up the phone number of victim.com in your phone directory and get 555-1234. You whois them, and for an administrative contact you get 555-9876. You’d want your wardialer to scan 55512XX and 55598XX, meaning:

555-1200 to 555-1299 and
555-9800 to 555-9899

You’ll probably find a few numbers that are carriers (modems). Dial into each, and see what you find. If you get nothing when you connect, or garbage, try changing your start bits, stop bits, and parity (in the settings of your dialer program) to get readable results. For wardialers, PhoneTag is a good one. PhoneSweep is good too, and also has a built-in brute force program, which is pretty handy, especially for dialing into UNIX servers. This program might be your only way in to many dialup servers.

Then there’s DUN. Microsoft Dial-Up Networking. When you dial your ISP, DUN takes care of all the sending and receiving of characters over the phone line for you. To see what’s happening behind the scenes while you connect to your ISP, dial it with Terminal or Hyperterminal. You’ll actually get a login prompt that looks like one of these:

Login:
Username:
Userid:

Enter garbage, some username and password you know won’t work. You’ll get an ‘access denied’ message, or a regular UNIX bad login message. Then enter the username/password you use to connect to your ISP. You’ll usually get a string of garbage characters, which is PPP or SLIP data (meaning you’re connected to the Net). When you use DUN, it types your username and password for you. Some systems require additional info. One ISP I had prompted with just a ‘>’ sign, at which point you type ‘logon.’ You then got a logon prompt, followed by the PPP data if you logged on successfully. DUN will take care of all of this miscellaneous data transfer for you.

Sometimes, though, the host you dial into has a very obscure login process, involving multiple logons and commands to get an Internet connection. DUN can’t know all of this, so you use Dial-Up Networking scripts. These are .scp files. DUN scripts tell DUN what characters to send, and when. For example, a while back CompuServe didn’t have their own DUN client program, and logging into their system was too obscure for DUN to handle by itself, and too confusing for most people to do by hand. So they gave out an .scp file to use with MS DUN, which typed in the appropriate characters at the right time.

What’s the point of all this? DUN scripting is very easy to learn. Do a search on your own box for *.scp, and you’ll find a few that come with Windows. The syntax is pretty easy – functions like ‘Expect’ and ‘Send’. Something like “expect ‘login:’ – send ‘root’ ” means “when I get the text ‘login:’ I’ll send the text ‘root’ ”. If you spend a few minutes looking at the .scp files that come with Windows, you’ll figure out how to use it. And when you do, you’ll be better armed to hack a dialup machine. Write a script that BF’s your target. Or write one that spits tons of data (lines and lines of characters) to a certain prompt to overload it and see what happens – maybe you’ll get a shell.

Appendix B – Commonly used and default usernames/passwords, UNIX

username: common passwords
—————————————–
root: root
sys: sys / system / bin
bin: sys / bin
mountfsys: mountfsys
adm: adm
uucp: uucp
nuucp: anon
anon: anon
user: user
games: games
install: install
demo: demo / tour / guest
umountfsys: umountfsys
sync: sync
admin: admin
guest: guest
daemon: daemon
qadmin: adm / admin
sys: sys system / bin
123: lotus / lotus123
anonuucp: anon / uucp
asg: device / devadmin
backup: save / tar
csr: support / castup
dbcat: database / catalog
default: user / guest
diag: diag / sysdiag(s)
field: fld / test / support
end: visitor / demo / tour
informix: database
ingres: database
lib: library / syslib
lp: print / lpadmin
lpr: (no password)
main: sysmaint / service
mail: mail / email / phones
manager: mgr / man
ncrm: ncr
net: netowrk
netinst: inst / install / net
netman: net / man / mgr
netmgr: mgr / man / net
network: net
nobody: anon
nuucp: anon
oasys: oa
odt: opendesktop
oper: operator / sysop
sysop: sysadm / sysop
ftp: ftp / anon / anonymous
telnet: telnet
visitor: anon / guest
www: webmaster / webadmin

Appendix C – UNIX commands
Here are some basic commands that work on most UNIX flavors:
cd [dir]             change directory to [dir]. cd with no arguments will place you in your home directory.
pwd                  tells you what directory you’re currently in.
ls                   lists the files in your pwd
ls -a                lists all files in your pwd, even hidden files (files that begin with a period)
ls -l                lists the files in your pwd, and gives the permissions for them
cat [file]           displays the file you name on the screen, equivalent to ‘type’ in DOS
vi                   powerful text editor, for advanced users
emacs, pico          text editors, similar to MS-DOS Edit
man [command]        gives you the manual (help pages) on a particular command – USE THIS!!!
cp [src] [dst]       copy a file from src to dst
rm [file]            delete a file
mv [file] [newfile]  move or rename a file
mkdir [dir]          create a directory
chmod                change permissions of a file you own (use ‘man’ to learn more about this command)
grep                 search a file for a particular string
talk                 chat with a user
mail                 command-line email
pine, elm            front-ends to mail
rlogin               learn about rhosts files – a great hacking technique
rsh                  ditto

Also, if you are familiar with DOS redirects, appends, and pipes, they work similarly in UNIX. Remember, when in doubt, RTFM!

Appendix D – NT Hex Codes

When you nbtstat an NT b0x, you’ll be presented with a list of entries, and a hex code in angle brackets telling you what each entry is. Why do you need to know any besides <00> and <20>? To get an idea of what role the computer plays in the domain. Here’s what they are.

Name Number Type Usage
========================================================================
<computername> 00 U Workstation Service
<computername> 01 U Messenger Service
<_MSBROWSE_> 01 G Master Browser
<computername> 03 U Messenger Service
<computername> 06 U RAS Server Service
<computername> 1F U NetDDE Service
<computername> 20 U File Server Service
<computername> 21 U RAS Client Service
<computername> 22 U Exchange Interchange
<computername> 23 U Exchange Store
<computername> 24 U Exchange Directory
<computername> 30 U Modem Sharing Server Service
<computername> 31 U Modem Sharing Client Service
<computername> 43 U SMS Client Remote Control
<computername> 44 U SMS Admin Remote Control Tool
<computername> 45 U SMS Client Remote Chat
<computername> 46 U SMS Client Remote Transfer
<computername> 4C U DEC Pathworks TCPIP Service
<computername> 52 U DEC Pathworks TCPIP Service
<computername> 87 U Exchange MTA
<computername> 6A U Exchange IMC
<computername> BE U Network Monitor Agent
<computername> BF U Network Monitor Apps
<username> 03 U Messenger Service
<domain> 00 G Domain Name
<domain> 1B U Domain Master Browser
<domain> 1C G Domain Controllers
<domain> 1D U Master Browser
<domain> 1E G Browser Service Elections
<INet~Services> 1C G Internet Information Server
<IS~Computer_name> 00 U Internet Information Server
<computername> 2B U Lotus Notes Server
<IRISMULTICAST> 2F G Lotus Notes
<IRISNAMESERVER> 33 G Lotus Notes
<Forte_$ND800ZA> 20 U DCA Irmalan Gateway Service
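Reading that table by hand gets old on a large network, and from the defender’s side the same table tells you which hosts are advertising a RAS dial-in service, a domain controller role, or IIS to anyone who asks. The following is an added example (not code from the original text or from any tool it mentions) that parses nbtstat -A style output and maps each <suffix>/type pair to the roles above. The sample output and the host and domain names in it are constructed for the example; entries whose suffix is not in the table are reported as unknown rather than guessed.

```python
"""Map the <hex> suffixes in nbtstat -A output to the NetBIOS roles listed in Appendix D.
Added example; the sample output below is constructed, not captured from a real host."""
import re

# (suffix, "U" unique / "G" group) -> role, from the Appendix D table. Names that carry their own
# meaning (INet~Services, IS~host, _MSBROWSE_) are handled in role_for() before this lookup.
NBT_ROLES = {
    ("00", "U"): "Workstation Service",
    ("00", "G"): "Domain Name",
    ("03", "U"): "Messenger Service",
    ("06", "U"): "RAS Server Service",
    ("1B", "U"): "Domain Master Browser",
    ("1C", "G"): "Domain Controllers",
    ("1D", "U"): "Master Browser",
    ("1E", "G"): "Browser Service Elections",
    ("1F", "U"): "NetDDE Service",
    ("20", "U"): "File Server Service",
    ("21", "U"): "RAS Client Service",
    ("30", "U"): "Modem Sharing Server Service",
    ("31", "U"): "Modem Sharing Client Service",
    ("BE", "U"): "Network Monitor Agent",
    ("BF", "U"): "Network Monitor Apps",
}

# One table row: padded name, <suffix>, UNIQUE|GROUP, status.
ROW_RE = re.compile(
    r"^\s*(?P<name>\S.*?)\s*<(?P<suffix>[0-9A-Fa-f]{2})>\s+(?P<kind>UNIQUE|GROUP)\s+(?P<status>\S+)"
)

def role_for(name, suffix, kind):
    """Resolve a row to a role; the name-specific entries from Appendix D take precedence."""
    upper = name.upper()
    if (suffix, kind) == ("1C", "G") and upper == "INET~SERVICES":
        return "Internet Information Server"
    if (suffix, kind) == ("00", "U") and upper.startswith("IS~"):
        return "Internet Information Server"
    if (suffix, kind) == ("01", "G") and upper == "_MSBROWSE_":
        return "Master Browser"
    return NBT_ROLES.get((suffix, kind), "unknown")

def parse_nbtstat(text):
    """Return (name, suffix, kind, role) for each table row; banner and MAC lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        name = m.group("name").rstrip(".")          # nbtstat pads short names with dots
        suffix = m.group("suffix").upper()
        kind = "U" if m.group("kind") == "UNIQUE" else "G"
        rows.append((name, suffix, kind, role_for(name, suffix, kind)))
    return rows

def host_profile(rows):
    """Condense the rows into what a defender wants to know: name, domain, and exposed roles."""
    profile = {"host": None, "domain": None, "domain_controller": False,
               "ras_server": False, "file_server": False, "iis": False, "unknown": []}
    for name, suffix, kind, role in rows:
        if role == "Workstation Service":
            profile["host"] = name
        elif role == "Domain Name":
            profile["domain"] = name
        elif role == "Domain Controllers":
            profile["domain_controller"] = True
        elif role == "RAS Server Service":          # dial-in entry point, see Appendix A
            profile["ras_server"] = True
        elif role == "File Server Service":
            profile["file_server"] = True
        elif role == "Internet Information Server":
            profile["iis"] = True
        elif role == "unknown":
            profile["unknown"].append((name, suffix, kind))
    return profile

# Constructed sample in the layout nbtstat -A prints (not a real capture).
SAMPLE_NBTSTAT = """\
       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
WEBSRV01       <00>  UNIQUE      Registered
WEBSRV01       <20>  UNIQUE      Registered
CORPDOM        <00>  GROUP       Registered
CORPDOM        <1C>  GROUP       Registered
CORPDOM        <1B>  UNIQUE      Registered
WEBSRV01       <06>  UNIQUE      Registered
INet~Services  <1C>  GROUP       Registered
IS~WEBSRV01....<00>  UNIQUE      Registered
WEBSRV01       <7F>  UNIQUE      Registered

MAC Address = 00-00-00-00-00-00
"""

if __name__ == "__main__":
    for row in parse_nbtstat(SAMPLE_NBTSTAT):
        print("%-16s <%s> %s  %s" % row)
    print(host_profile(parse_nbtstat(SAMPLE_NBTSTAT)))
```

On the sample, the profile comes back as host WEBSRV01 in domain CORPDOM, flagged as a domain controller, RAS server, file server and IIS host, with the <7F> entry listed as unknown. Run the same parser over your own inventory and any box that unexpectedly advertises <06> (RAS) or <1C> (domain controller) is worth a second look.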

Appendix E – Commonly known TCP ports

If you’re unsure about any of these, look at the protocol section of ‘TCP/IP and the Client/Server Model’ above. Otherwise, research them on the Net.

Port Description How to Hack it (Explanation)
1 TCP Mux You figure this one out
7 Echo All characters are echoed back to you, used for network troubleshooting
9 Discard/null The name says it all… how quick can you figure this port out?
11 Sysstat Use this port to get info on users of that system
13 Daytime Time and date, used to synchronize computers in a network
15 Netstat Info on network settings for this computer – go here!
19 Chargen Character Generator – used to spot network problems
21 FTP File Transfer Protocol
22 SSH Secure Shell – encrypted telnet
23 Telnet Telnet
25 SMTP Simple Mail Transfer Protocol
39 RLP Resource location
43 Whois This machine has a whois daemon – use it
53 DNS Domain Name Service
69 TFTP Trivial FTP – oftentimes vulnerable (get /etc/passwd)
70 Gopher Text-only web surfing and indexing
79 Finger Info on users (and who’s logged on). Hack this!
80 HTTP (www) A web server
110 POP3 Post Office Protocol – used for email
111 SunRPC RPC – used in conjunction with NIS, and possibly vulnerable
118 SQLSrv SQL (Sequel) Server – this machine probably houses a huge database
119 NNTP Network News Transfer Protocol – Usenet server
139 Nbsession NetBIOS Session Service – Windows Networking
443 SSL Secure HTTP – (Secure Session Link). Browse with ‘https://’
512 Biff Mail notification
513 Rlogin/who Remote login / remote who
520 Route Routing Information Protocol
524 NCP Netware Core Protocol (over IP) – sure sign of a Novell Netware box

Appendix F – NT and UNIX Groups
Groups (in NT and UNIX) are an integral part of how permissions work. Most system admins don’t assign permissions to individual user accounts. Instead they put certain users into certain groups, and assign permissions to those groups. Here is some info on groups for both OS’s.

NT
Group Privileges
Domain Admins High (Administrator equivalent)
Account Operators High
Domain Guests Low
Domain Users Low (everyone is part of this group – gives ‘everyone’ or ‘the world’ access)

UNIX
Group GID Members
Root 0 root(UID 0)
Bin 1 root, bin(UID 1), daemon(UID 2)
Daemon 2 root, bin, daemon
Sys 3 root, bin, adm(UID 3)
Adm 4 root, adm, daemon
Tty 5
Disk 6 root
Lp 7 daemon, lp(UID 4)
Mem 8
Kmem 9
Wheel 10 root
Mail 12 mail(UID 8)
News 13 news(UID 9)
Uucp 14 uucp(UID 10)
Man 15
Games 20
Gopher 30
Dib 40
ftp 50
nobody 99
users 100
floppy 19

Daemons, such as httpd and ftpd, also have UIDs, which are set by the sysadmin. Having daemons with low UIDs is an insecurity – if a remote attacker can exploit httpd running with a low UID, he can access resources as that UID. So if you buffer overflow ftpd (running as UID 0) from outside and get a shell, that shell will be a rootshell – since its UID is 0 (root).
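The two appendix tables above (default logins in Appendix B, UIDs and groups in Appendix F) are exactly what an admin should be checking their own /etc/passwd and /etc/group against. Here is an added example (not from the original text) that does that: it parses both files, flags any non-root account with UID 0, service accounts that still carry an interactive shell, default/demo logins that can log in (worst when the password field is empty), and anyone in wheel besides root. The sample passwd and group content, the account names in it, and the severity labels are all constructed for this example.

```python
"""Audit passwd/group content for the account and group weaknesses of Appendices B and F.
Added example; the sample files are constructed, not taken from a real system."""

# Default / demo logins from the Appendix B table that should not stay login-capable
# on a production box (a subset; extend to taste).
DEFAULT_ACCOUNTS = {"guest", "demo", "tour", "games", "install", "user", "visitor",
                    "telnet", "anon", "anonuucp", "nuucp", "default", "field", "diag"}

# Shells that refuse interactive logins.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/bin/true"}

# Accounts daemons typically run under; Appendix F explains why their UID matters.
SERVICE_ACCOUNTS = {"httpd", "ftpd", "www", "ftp", "nobody", "daemon", "lp", "mail", "news", "uucp"}

def parse_passwd(text):
    """Parse name:pw:uid:gid:gecos:home:shell lines into dicts; malformed lines are skipped."""
    users = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, pw, uid, gid, _gecos, home, shell = fields
        users.append({"name": name, "pw": pw, "uid": int(uid), "gid": int(gid),
                      "home": home, "shell": shell})
    return users

def parse_group(text):
    """Parse name:pw:gid:member,member lines into {name: (gid, set(members))}."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            continue
        name, _pw, gid, members = fields
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups

def audit(passwd_text, group_text):
    """Return (severity, message) findings, in file order."""
    findings = []
    for u in parse_passwd(passwd_text):
        interactive = u["shell"] not in NOLOGIN_SHELLS
        # Appendix F: UID 0 is root no matter what the account is called, and a daemon
        # that runs as UID 0 hands root to whoever exploits it.
        if u["uid"] == 0 and u["name"] != "root":
            findings.append(("high", "%s has UID 0 (root equivalent)" % u["name"]))
        # A service account should not need an interactive shell.
        if u["name"] in SERVICE_ACCOUNTS and interactive:
            findings.append(("medium", "service account %s has login shell %s" % (u["name"], u["shell"])))
        # Appendix B: default/demo logins that can still log in; an empty password field is worst.
        if u["name"] in DEFAULT_ACCOUNTS and interactive:
            sev = "high" if u["pw"] == "" else "medium"
            findings.append((sev, "default account %s is login-capable" % u["name"]))
    # Appendix F: wheel (GID 10) is the su-to-root group; every member beyond root needs a reason.
    wheel = parse_group(group_text).get("wheel")
    if wheel:
        for member in sorted(wheel[1] - {"root"}):
            findings.append(("info", "%s is in wheel (GID %d)" % (member, wheel[0])))
    return findings

# Constructed sample files (not from a real system).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
toor:x:0:0:second root:/root:/bin/sh
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
www:x:80:80:web server:/var/www:/bin/bash
guest::500:100:guest account:/home/guest:/bin/bash
demo:x:501:100:demo:/home/demo:/sbin/nologin
alice:x:1000:100:Alice:/home/alice:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:root
bin:x:1:root,bin,daemon
wheel:x:10:root,alice
users:x:100:
"""

if __name__ == "__main__":
    for severity, message in audit(SAMPLE_PASSWD, SAMPLE_GROUP):
        print("[%s] %s" % (severity, message))
```

On the sample it reports toor (a second UID 0 account), www (a daemon account with a real shell), guest (default login with an empty password field) and alice’s wheel membership; demo and ftp pass because their shell is /sbin/nologin. Point it at real files with open().read() and compare the result against what the box is supposed to be doing.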

Appendix G – Redhat Linux Installation
Many kool hacker things for UNIX require that you are root. So you need root on a system, but can’t hack root cuz you can’t use Nmap, SATAN, or even showmount without it. Also, there’s no better way to learn how to hack UNIX machines than practicing on your own. You need to install Linux on a partition of your hard drive. Some newbies have trouble with this – it’s not exactly like a Windows installation.

Redhat is probably the easiest Linux to get up and running, rivaled by Caldera and SuSE. Version 6.X is out, but 5.2 will cost you only $30. Or have a friend burn you a copy of the CD-ROMs and boot floppy. Once you have this, you’re ready to begin.

First write down everything about your PC you can, especially monitor and display adapter info.
If your machine can’t natively boot off of your CD-ROM drive, Redhat comes with a boot floppy. Slap it in, and boot up. When prompted, hit enter for ‘normal’ (versus expert) mode. Drivers for your CD-ROM, keyboard, and monitor will be loaded, and the installation will then continue from your CD-ROM (make sure the CD is in). You’ll then be asked where you want to install from (NFS, Image, etc). Choose CD-ROM obviously.

When you partition your hard drive, use Disk Druid. You’ll need a separate partition for Linux swap space – make it 7 mb or so. HDA1 is hard drive 1 (a), partition 1, whereas HDB3 is hard drive 2 (b) partition 3. Disk Druid uses this naming scheme. This is also how partitions will be referred to later during the installation, and in your /etc file (HDA1 is represented by the file /etc/hda1).

Soon you’ll be prompted with a class of install: Workstation, Server, and Custom. If you have the hard drive space (a little over a gig) choose server, otherwise choose workstation (500 MB). If you have any less than 500 megs, you won’t be able to install enough to make a k-leet Linux box. Anyways, Custom allows you to pick individual packages – if you do this, make sure you include C development libraries (to compile exploits), editors, and X (if you want a GUI).

X (X Windows, the GUI for Linux) is probably the hardest part to install. If your display card isn’t in the list presented to you, you’ll have to find out the following settings for your machine: vertical refresh rate, horizontal sync rate, megs of video RAM, and your clockchip setting. Get these from the documentation that came with your hardware, or from technical support. If you just can’t figure it out, try different settings until it works. Xconfigurator is the utility to change X settings after installation.

LILO is the program you use to change boot parameters. If you have multiple OS’s (Win98, NT, and Linux), you’ll need to configure LILO to boot all these OS’s. The installation will prompt you for the necessary info; otherwise use linuxconfig to do it manually.

Use the linuxconfig utility to configure your box after installation. Use netconf to config networking (including dial-up networking) stuph for your box. The Redhat website (www.redhat.com) is also a good source for tech support. Www.freshmeat.com has a good dialer program to get you connected to the Net, and www.slashdot.com is always a good Linux reference.

Appendix H – Further Reading
This manual is the most in-depth yet all-encompassing hacking text for newbies I’ve seen yet. I’m not bragging – I too have a lot to learn. But I’ve put a lot of time into this text over the various releases, and I think it covers a lot. The Net does hold a lot more, though. Some texts you’ll find are very basic and a bit of a waste of time. Others are very old, and only cover stuph like dial-up hacking. Lame. There are a lot of good texts out there that cover very specific areas of hacking (details that couldn’t be covered here without writing an encyclopedia). I encourage you to download and read as many of these as you can get your hands on. Targeting a SCO Unixware box? Get a text on SCO vulnerabilities. Found a new, more complex hacking tool such as NMap or NetCat? Grab a tutorial on it – there’s no need for me to reinvent the wheel. Also, a few books have been published on the subject. Here’s a quick guide to texts and books worth your time.

Texts
The Happy Hacker’s Guides to Mostly Harmless Hacking are worth reading, especially for newbies. Get them at www.happyhacker.org.
The Hacker’s Desk Reference is an in-depth look at Windows Networking and NetBEUI, along with other things. This is a very informative text, but might confuse the newbies. By Rhino9. Available at TCU.
The NT WarDoc is a new text also by Rhino9. It covers NT break-in techniques in more detail. Also available at TCU.
Securing Your Site by Breaking Into It is a good all-around UNIX hacking text. Available at TCU.
The Hacker’s Kit is handy. It’s a bit old, but if you can wade through the occasional lame content, you’ll find useful UNIX hacking tricks. This text is also filled with C code – tools and exploits of all kinds. Available at TCU.

Books
If you’ve ever heard of the Rainbow Books, they’re worth a look. They’re specific books on specific technologies and entities. Old, but useful.
For general Network books, take a look at these: Networking Essentials by Microsoft Press. This is a beginner’s book to how networks work.
Cisco Routers and TCP/IP – complex, but great for learning how the Internet really works.
The Big UNIX Book is just that – full of UNIX info, including shell scripting, configuration, etc. Secrets of Redhat Linux is also good. Microsoft TCP/IP and NT Technical Support are good books to learn the inner workings of NT.

And then the actual hacker books.
Secrets of a Super Hacker by The Knightmare was the first of these. It’s pretty vague, and doesn’t cover Internet hacking (due to its age), but is worth at least a check-out from your library.
The Happy Hacker is a great book for complete newbies. But if you consider yourself a novice hacker, most of the stuph in that book will bore you.
Maximum Security is a huge book with good info and a pretty big list of system vulnerabilities. It explains how to secure a network by explaining to how hack into one (sort of). It also has a decent amount of TCP/IP info – stuph you’ll need to know. It covers NT and UNIX well too.
Maximum Linux Security is pretty good too. It covers Linux security as well as other miscellaneous Linux issues. One particularly nice thing about this book is it explains how to setup a firewall with Linux.
And Hacking Exposed – the latest one. This one is, in my opinion, the best of the four. Not for amateurs, but definitely a good book. You’ll learn all sorts of leet techniques to use, along with what programs to use and how to use them. Get this book.

RFC’s are good references to technical material as well. Www.hackersclub.com gets lots of submissions on specific vulnerabilities – always a good place to look. The ‘further reading’ section is titled ‘how to become elite’ for a reason. In order to become 31337, you’ll have to do a lot of reading. Not just ‘how to hack’ stuph either. You’ll need to learn all kinds of systems, protocols, and technologies. Another great way to learn about a certain system is to install it on your own machine. Get NT Server and install IIS. Most Linux distributions come with the Apache Web Server – install it and see how it works for yourself. You’ll be much better armed in hacking it.

Mostly, just have fun with this stuff. Enjoy learning what you must in order to break in. The process, not just the end result. So, on that note, have fun, learn, and don’t get caught.

~ by empa7hy on July 14, 2008.
