164 lines
6.8 KiB
Plaintext
164 lines
6.8 KiB
Plaintext
|+=================================+|
|
|
||*********************************||
|
|
||* Introduction to Hacking *||
|
|
||* by KwAnTAM_PoZeEtroN *||
|
|
||*********************************||
|
|
|+=================================+|
|
|
|
|
The first part of any hacking expidition is getting into the system
|
|
that you plan to 'explore.' This can be achieved in any number of
|
|
ways. The main two are:
|
|
|
|
1) Cracking passwd (brute force)
|
|
2) Using an exploit
|
|
|
|
Cracking passwd is fairly simple. You get a 'cracking' program which
|
|
is designed to take each word in a word list file and encrypt it
|
|
using the same one-way hash that UNIX uses to encrypt its password
|
|
file. Then it compares the hashed value to each password in the
|
|
encrypted list, which is found on UNIX and other *IX systems in the
|
|
file /etc/passwd Word lists and cracking programs are available at
|
|
http://kwantam.home.ml.org
|
|
|
|
The list of words used is called a dictionary file. It contains a
|
|
series of words, one per line, in a standard ASCII text file. An
|
|
excerpt from a dictionary file could be
|
|
|
|
helix
|
|
hell
|
|
hellacious
|
|
hello
|
|
hellbender
|
|
hellbent
|
|
hell-bent
|
|
hellbox
|
|
hellcat
|
|
hellebore
|
|
heller
|
|
hell-for-leather
|
|
hellgrammite
|
|
|
|
etc.
|
|
|
|
The one-way hash function is a small series of mathematical steps
|
|
that makes a series of characters which is saved in the passwd file.
|
|
The one-way hash function UNIX uses is a variant of Crypt(3). The reason
|
|
that a dictionary file is needed is the fact that the Crypt(3) function
|
|
cannot be reversed, hence the name one-way hash. It is mathematically
|
|
infeasible to find in any amount of time the string of characters from
|
|
which the hash value came.
|
|
|
|
The passwd file is a series of lines, each with user info on it. An
|
|
example is:
|
|
|
|
joeschmoe:naVwowMManasMMo:10:200:Joe Schmoe:/users/joeschmoe:/bin/bash
|
|
^ ^ ^ ^ ^ ^ ^
|
|
| | | | | | +- User's
|
|
| | | | | | shell program
|
|
| | | | | +---- User's home directory
|
|
| | | | +----------------- User's real name
|
|
| | | +------------------------- User number
|
|
| | +----------------------------- User's group number
|
|
| +--------------------------------------- Hash of user's password
|
|
+--------------------------------------------------- Username
|
|
|
|
I will explain each of these:
|
|
|
|
- Username is the name under which the user logs in. Usually this is
|
|
accomplished by typing in the username at the username prompt and then
|
|
the password at the password prompt.
|
|
|
|
- Hash of user's password is the target of the cracking method. This is
|
|
what the hash of each word in the dictionary file is compared to.
|
|
|
|
- User's group number determines things such as access to certain files,
|
|
etc. Used more in the exploit technique
|
|
|
|
- User's number is basically identification for the system.
|
|
|
|
- User's real name is the name the user entered. Not used by the system,
|
|
but it provides a handy human-readable id of each user.
|
|
|
|
- User's home directory is the directory that they go to when they log
|
|
into the system.
|
|
|
|
- User's shell is the user interface that the user uses. Shells include
|
|
/bin/bash /bin/ash /bin/tcsh /bin/csh and /bin/sh
|
|
|
|
It is not necessary to modify the passwd file to contain only the passwords
|
|
because most cracking programs look for the second field, which is indicated
|
|
by the colon (:) seperating it from the username.
|
|
|
|
As you can see, it is also possible that, if the user's password is not
|
|
in the dictionary file, the cracker won't find the password to that
|
|
username. However, on a system of 200 users, at least 70 of them will
|
|
usually have passwords that are in dictionaries, depending on if the
|
|
system administrator checks the passwords or not and the type of user
|
|
that accesses the system most. A server used by computer security experts
|
|
will not be nearly as susceptible to this kind of an attack (or any, for
|
|
that matter) as one which is used by average people for e-mail and internet
|
|
access.
|
|
|
|
The second kind of attack, the exploit, is a more difficult one, but it
|
|
usually has greater rewards, including the possiblity of getting total
|
|
control of the system. Exploits work by using a piece of software in
|
|
such a way as to compromise the security of the system. One of the most
|
|
popular programs to use in this way is sendmail. Sendmail is most
|
|
susceptible because it must be open to public access to allow mail to be
|
|
transferred into and out of the system. Usually a buffer, an area in
|
|
memory where the system stores program information, is overwritten using
|
|
sendmail. The experienced hacker can transfer his own program code into
|
|
the buffer so that while the system thinks it is simply running the mail
|
|
retriever it is actually copying a shell program into a public access
|
|
directory and giving it superuser privlidges. Another type of exploit
|
|
involves causing a program which has superuser prividges to change your
|
|
group ID to 1, root, which effectively makes you the administrator of
|
|
the system.
|
|
|
|
Most of the time, these two types of attacks are used together. The hacker
|
|
will first get a login with brute force to gain access to the outer level of
|
|
the system, and then from there use an exploit of some kind to gain root
|
|
priviledges. After attaining root access, the hacker will install one or more
|
|
'back doors' to allow himself access to the system again. A very common one
|
|
is taking the source code of the login program and modifying it to accept
|
|
a certain password for any user, as well as the user's own password.
|
|
|
|
An example of a function in C that could do this would be:
|
|
|
|
check_backdoor(entry,access)
|
|
{
|
|
/* the variable entry is the password that the user entered
|
|
* the variable access determines whether or not to allow the
|
|
*/ user into the system. If access = 1 then the user is let in.
|
|
|
|
if (entry == "mybackdoor")
|
|
{
|
|
access = 1;
|
|
return;
|
|
}
|
|
|
|
cryptcheck(entry,access);
|
|
|
|
return;
|
|
}
|
|
|
|
In this example, mybackdoor would be the password that could be used on
|
|
any user account. If mybackdoor was not the entry, then the password
|
|
is hashed and checked against the password in /etc/passwd which allows
|
|
the back door to function without being noticed by anyone, including the
|
|
administrator.
|
|
|
|
I hope this information hhas been helpful in teaching you about the basis
|
|
of hacking. For more information, visit my home page or drop me an e-mail.
|
|
|
|
KwAnTAM_PoZeEtroN
|
|
Leader of the Black Angels
|
|
Ringmaster of the Ruiners Webring
|
|
Head of Psychotic security
|
|
http://kwantam.home.ml.org
|
|
kwantam@mailhost.net
|
|
|
|
|
|
|
|
|