_________________________________________________________

Guide to (mostly) Harmless Hacking

Vol. 5 Programmers' Series No. 2: Shell Programming: an Exploit Explained, Part 1

_________________________________________________________

by Carolyn Meinel and BOFH (finger us for important security tips!)

"What?" you wonder. "Another GTMHH on shell programming?"

Some people complained about the first of this GTMHH Programming Series because it didn't look like it had much to do with breaking into computers. I hope you weren't one of those d00dz, because to run almost any exploit program, you need to understand shells and shell programming. Of course that also means you must have a shell account. To find out how to get one, see the GTMHHs on "How to Get a Good Shell Account" at http://www.happyhacker.org.

=========================================================
In this Guide you will learn:

* Why shell programming is important
* The T shell (tcsh) and where to get it
* How to customize your login shell script to make it:
    easier to use
    more secure
    more phun :)
* How to discover all available Unix commands
* The C language compiler
* An exploit explained: how to break into a computer in one easy shell script
* How to explore a computer from inside a shell account
* How to read email directly from the mail spool
* Library programs
=========================================================

WHY SHELL PROGRAMMING IS IMPORTANT

We are doing yet more on Unix shells because almost any serious break-in program does its deed from inside a Unix shell. This is a difficult subject to teach because there are many varieties of Unix and many Unix shells. There is also that big unknown called "library functions." Most exploit programs use many library functions. If the computer on which you have a shell account doesn't have the required compiler or libraries, you can't run exploits.
===========================================================
Newbie Note: This Guide uses the following concepts:

* Unix shell: A program that provides you with a wonderful storehouse of commands which it turns into instructions that your computer can understand. The same Unix operating system may accept different commands depending on what shell you use. And different flavors of Unix (Linux, Sun OS, Solaris, AIX, Irix, FreeBSD, etc.) offer different sets of commands that you can use. You can also create your own shell commands -- something this Guide will teach you.

* Interpreted programs: Your computer reads and performs your commands line by line. This kind of program is easy to write and use, but slow.

* Compiled programs: A compiler reads the commands line by line, figures out how to run these commands fast, and writes them into a compiled program. This kind of program is harder to make. But once compiled, it runs much faster than an interpreted program.

* Script: A sequence of commands which is interpreted rather than compiled. The most common scripts you will create or use in hacking are shell scripts and Perl programs. A shell script is a series of Unix commands that are automatically executed (run) when you simply enter the name you gave to that script. What this means is that each script becomes a new Unix command for you to use.

* Library functions and other library programs: These are compiled programs that your computer stores which may be used by many other programs. This saves disk space and programming time because each program that uses the instructions of a library program can simply call it from the library.

* Binaries: These are the kind of files made by compilers. A binary can be an entire program, or just a portion of a program used by many other programs (for example the library functions).
===========================================================

There is no way this Guide -- or even a big, fat Unix manual -- could tell you all you may wish to know about the flavor of Unix you are using and its many shells, and all the library programs the exploits you want to run might use. So at this point in the Programmers' Series we concentrate on showing you how to discover what the shells, compilers and library programs of your account will allow you to do.

Besides, you may discover your shell account is hopelessly crippled. Some Internet service providers are so afraid of hackers that they disable the use of compilers and put the library programs off limits. After reading this Guide, you will appreciate why they do this. You will also understand what to look for in a good shell account. This may even inspire you to install Unix on your home computer so your skills will be the only limit on your system.

============================================================
DISCLAIMER (from BOFH): The information shown in this Guide is known to work with Linux, OpenBSD, FreeBSD, SunOS and Solaris. The instructions of this Guide may not work with other flavors of Unix. Please note that I'm not a technical writer, nor do I plan on doing this for a living. I'm just attempting to pass on a bit of knowledge. If someone finds a mistake, gleaming error or typo, do me a favor... bite me.
============================================================

THE T SHELL (TCSH) AND WHERE TO GET IT

This Guide will concentrate on only one Unix shell: the T shell (tcsh). That is shorthand for TENEX C Shell, an enhanced version of the Berkeley csh (C shell). Tcsh is the most powerful shell for people who wish to learn about every command they have the power to use. Also, it is easy for spastic typists (like me -- Carolyn) to use. To delete messed up stuff, just backspace! To repeat a command, just use the up arrow to get to it.

The very first thing you need to do is find out if you have tcsh.
Try the following commands:

which tcsh
whereis tcsh
locate tcsh

As a last resort, you can try "find". But be warned, many sysadmins don't like that command because it is slow and disk intensive. The find command can put a serious lag on the machine.

Once you find where your tcsh is, make sure it's a "valid shell". This can be done by checking whether it is in the "/etc/shells" file. This may be done with the command:

->grep tcsh /etc/shells

(Note: throughout this Guide, "->" represents your command prompt.)

If you get back something like:

/bin/tcsh

then you can safely use tcsh. If you don't get anything back, then I (BOFH) suggest you contact your ISP and ask them to install it and add it to the valid shells list. Yes, you can compile and install your own version. But if your shell is _not_ listed in the valid shells file, you may run into difficulties using programs such as ftp (incoming ftp), since many ftp daemons check to see if the user has a valid shell before logging in.

If you're not grep savvy, try just `cat`ing the file:

->cat /etc/shells

This should give you something that looks like:

/bin/sh
/bin/bash
/bin/tcsh
/bin/csh
/bin/zsh
/bin/ash

If you discover tcsh in that file, at the prompt in your Unix shell account, simply type "tcsh" and play with it for a while. If you find that you prefer tcsh over your current shell, you can use the "chsh" command to make it your primary shell so that every time you log in, you will already be in tcsh:

->chsh tcsh

This should give the result:

Changing login shell for cpm on mack.
Old shell: /bin/bash
New shell: /bin/tcsh

(On many systems chsh wants the new shell as an option, e.g. "chsh -s /bin/tcsh"; check "man chsh" if the form above complains.)

============================================================
Evil genius tip: Don't have tcsh? Do you run some sort of Unix on your home computer? Then you can install it. To find a tcsh that will run under your version of Unix, do a Web search. For example, for one that runs on almost any type of Linux, you will probably be able to use the tcsh at the Debian Linux Web site, http://www.debian.org.
Of course you will have to compile it, but if you are an evil genius you either already know how to do that, or will figure out enough from this Guide to successfully compile tcsh.
============================================================

HOW TO CUSTOMIZE YOUR LOGIN SHELL SCRIPT

BOFH points out that in the world of vanilla Unix, different shells have different startup files. For example:

bash: .profile
sh:   .profile
csh:  .cshrc
tcsh: .cshrc
zsh:  $ZDOTDIR/.zprofile and/or $ZDOTDIR/.zshrc

I [BOFH] could go on with the different shells out there, but these are the most common. btw... There's even an lsh which emulates a DOS-like environment. It sorta kinda sucks because if you're on a *nix ("*nix" stands for all the kinds of Unixes) system you want to use a *nix-like shell, but it's fun to use as a prank. Almost all of these startup files read the files .login and .logout.

Let's assume you have tcsh. The first thing you may wish to do is customize it. It would be really shameful for a hacker like you or me to have an ordinary shell.

Here's how you can see how your shell is set up. The settings for tcsh are in a file named ".cshrc". This is a shell script, a program consisting of a series of Unix shell commands. To read what is in it, give the command:

->cat .cshrc | more

(Or give the command "more .cshrc". The Unix motto is "There's more than one way to do it.")

This will display the contents of this script on your monitor. Following is an example of the commands in a good .cshrc script:

echo "-------------------------------------------"
echo "To err is human..."
echo " To get caught is just plain stupid..."
echo " Fatal Error"
echo "-----------Big brother is watching----------"
if (! ${?hostname} ) setenv hostname 'fubar'
# umask 076: new files are owner-only (600); new directories let others
# traverse but not list them (701)
umask 076
set path=( ~/bin /usr/local/bin /bin /usr/bin /usr/local/sbin )
set path=( $path /usr/openwin/bin /usr/X11/bin /usr/local/X11/bin )
set path=( $path /usr/ucb /usr/libexec /usr/etc /etc /usr/games )
set path=( $path /usr/sbin )
setenv host `uname -n`
setenv WWW_HOME http://www.fubar.com/
setenv LD_LIBRARY_PATH "/usr/openwin/lib:/usr/local/X11/lib:/usr/X11/lib"
setenv MANPATH "/usr/man:/usr/share/man:/usr/local/man"
setenv VISUAL pico
setenv EDITOR pico
setenv PGPPATH ~/.pgpdir
mesg y
#set autologout=(0 40)
set exinit
set history=40
set implicitcd
set listjobs
set listlinks
set listjobs=long
set noclobber
set prompt="%U\n(`whoami`) fubar:%u \n%~ %# "
set tperiod=1
set rmstar
set watch=(1 friend1 any friend2 any enemy1 any enemy2 any)
unset autologout
# everything below this line is for interactive logins only
if ($?USER == 0 || $?prompt == 0) exit
alias a 'alias | more'
alias cd 'cd \!*'
alias check 'last | grep -v fubar.com | grep -v ftp | grep -v "^U"'
alias cp 'cp -i -p'
alias cls 'clear'
# note: this "dd" shadows the standard dd(1) utility
alias dd 'ls -lgF \!* | more'
alias ddm 'ls -lgF \!* | more'
alias elm 'pine'
alias jobs 'jobs -l'
# \!:1 is the alias's first argument ($1 would be the shell's own argv)
alias ld 'ls -ld \!:1'
alias ls 'ls -F'
alias pico 'pico -w -z'
alias port 'ps -aux | grep \!:1'
alias quit 'exit'
alias scr 'source .cshrc;rehash'
alias su "ksu"
alias sz 'sz -w 2048'
alias w 'w|sort|more'
alias who 'who|sort|more'
alias whois 'whois -h rs.internic.net'
# note: /tmp/myman$$ is a predictable name another local user could create
# first; a private directory under $HOME is safer for scratch files
alias viman 'man \!$ | col -b > /tmp/myman$$;vi /tmp/myman$$;rm /tmp/myman$$'
/usr/lib/sendmail x@techbroker.com < .junk

HOW TO MAKE YOUR SHELL MORE SECURE

If you really consider yourself a hacker, you may choose to change your .cshrc to make it more secure. Here's how to rewrite your .cshrc:

1) Just in case you mess up and don't care to admit to tech support at your ISP that you have been messing with .cshrc, the first thing you should do is save it with a new name.
One way to do this is to give the command:

->cp .cshrc .cshrc.old

Then if you don't like the results of this exercise, you can fix it by just giving the command:

->cp .cshrc.old .cshrc

2) Now you are ready to change .cshrc. Give the command "pico .cshrc" (substitute "vi" or "emacs" if you prefer those editors). This opens the script that runs every time you start up your C shell.

3) Here's something good to change. See all those commands above that begin with "alias"? Those are commands that allow you to run complicated commands by typing in only one letter or word. Enter those aliases in your login script and see how you like them. In the case of the alias "check," substitute the domain name of the computer you are using for "fubar.com".

4) Do you wish to be able to easily access lots of good commands? That is what the "set path" command is for. Good paths depend on the flavor of Unix you're running. Good generic paths could be:

set path=( ~/bin /usr/local/bin /bin /usr/bin /usr/local/sbin )
set path=( $path /usr/openwin/bin /usr/X11/bin /usr/local/X11/bin )
set path=( $path /usr/ucb /usr/libexec /usr/etc /etc /usr/games )
set path=( $path /usr/sbin )

This will have some erroneous directories, but it's generic and something you could use on Linux, FreeBSD, OpenBSD, Sun OS and Solaris. With other flavors, your mileage may vary.

5) When you are done editing, here's how pico saves it:

* hold down the control key and hit the letter "x"
* pico asks, "Save modified buffer (ANSWERING "No" WILL DESTROY CHANGES) ?" Hit the "y" key to save it.
* pico asks "File Name to write : .cshrc". Just hit enter.

Your login file must be named ".cshrc" for it to run whenever you log in.

============================================================
Evil genius tip: Want to be a hacker? Take a serious look at learning "vi". It is a quick and powerful Unix editor that can do tedious tasks in a short amount of time.
Head down to your local book store for "Unix in a Nutshell" by O'Reilly (ISBN: 1-56592-001-5) and "Vi" by O'Reilly.
============================================================

============================================================
Evil genius tip: Are you a serious programmer? Do you plan to become a serious programmer? If your .cshrc is missing anything in the example script above, try adding those commands.
============================================================

Now, by setting aliases for your shell, you have made it easier to use, and also more secure. Try out the aliased commands "w", "who", and "check". The first two tell you who is currently logged into shell accounts on the same computer you are on. "Check" shows you the log of whoever has logged into the computer you use via telnet or ssh from outside that computer system. If you see an unusual pattern of logins, you may suspect there is a problem.

Here's how these commands work. I [Carolyn] am using one of our Hacker Wargame computers for the example below so you will get a chance to see how we find out whether there has been an intruder in my account.

Netstat is really great because it tells you so much:

Active Internet connections
Proto Recv-Q Send-Q  Local Address     Foreign Address         (state)
tcp        0      0  cryptotek.http    sol7.cs.wisc.edu.33089  FIN_WAIT_2
tcp        0      0  cryptotek.http    sol7.cs.wisc.edu.33088  FIN_WAIT_2
tcp        0     20  cryptotek.ssh     pmd05.rt66.com.1753     ESTABLISHED
Active UNIX domain sockets
Address  Type   Recv-Q Send-Q    Inode     Conn     Refs  Nextref Addr
f05e7f00 dgram       0      0        0 f03dcf14        0 f03dcb14
f05f9200 dgram       0      0        0 f03dcf14        0 f03dcd14
f05e9600 dgram       0      0        0 f03dcf14        0 f03dcd94
f05eba00 dgram       0      0        0 f03dcf14        0        0
f05a9000 dgram       0      0 f05ab680        0 f03ecc94        0 /var/run/log

This readout tells us that a guy from the University of Wisconsin is reading our Web site at http://cryptotek.happyhacker.org, while I am logged in with an ssh (Secure Shell, which encrypts my communications) connection.
The commands "w" and "who" only tell you who is actually logged into a shell account and what they are doing just now. They both identify the same people, but give somewhat different information on their activities. Here's a "w" command readout:

 1:05PM  up 2 days, 17:42, 2 users, load averages: 0.00, 0.00, 0.00
USER     TTY  FROM             LOGIN@   IDLE WHAT
cryptik  p0   206.206.108.7     1:02PM     - (pine)
cmeinel  p1   pmd05.rt66.com   12:31PM     - w

This means Cryptik is in his shell account reading his email using the Pine program while I (Carolyn) am snooping on him with the "w" command.

If your ISP has logs readable by users, that alias in your .cshrc named "check" will tell you everyone who has logged into their shell accounts lately:

cmeinel   ttyp0  152.172.76.111    Thu Apr 23 14:25 - 16:30  (02:05)
(snip)
cryptik   ttyp0  206.206.108.7     Thu Apr 23 13:02 - 13:06  (00:04)
mrcurt    ttyp1  152.166.28.22     Thu Apr 23 01:23 - 02:02  (00:38)
(snip)
cryptik   ttyp0  152.167.87.187    Wed Apr 22 19:18 - 19:20  (00:02)
cryptik   ttyp0  152.173.170.182   Wed Apr 22 17:55 - 17:56  (00:00)
root      ttyv0                    Wed Apr 22 17:02 - 17:04  (00:02)
cryptik   ttyp0  152.171.172.203   Wed Apr 22 15:25 - 15:29  (00:03)
protocol  ttyp1  152.204.20.98     Wed Apr 22 01:43 - 01:59  (00:16)
cryptik   ttyp0  152.170.244.211   Tue Apr 21 23:41 - 02:28  (02:47)
cmeinel   ttyp1  bofh.foobar.org   Tue Apr 21 22:09 - 22:17  (00:08)
xmyth     ttyp0  152.203.67.27     Tue Apr 21 18:11 - 18:12  (00:00)
(snip)
420smk    ttyp0  152.172.97.237    Tue Apr 21 14:35 - 14:36  (00:01)
root      ttyv0                    Tue Apr 21 14:03 - 14:04  (00:00)
root      ttyp2  152.171.159.158   Tue Apr 21 01:25 - 02:10  (00:45)
cryptik   ttyp1  206.206.108.7     Tue Apr 21 00:24 - 00:25  (00:00)
skullz    ttyp1  152.166.74.235    Mon Apr 20 23:55 - 23:59  (00:04)
skullz    ttyp1  152.166.74.235    Mon Apr 20 23:48 - 23:53  (00:05)
cryptik   ttyp0  152.171.255.221   Mon Apr 20 23:24 - 01:33  (02:08)
cryptik   ttyp0  152.167.139.204   Mon Apr 20 23:16 - 23:16  (00:00)
cmeinel   ttyp1  152.170.227.210   Mon Apr 20 22:17 - 22:19  (00:02)
(snip)

Aha!
Now you know the handles of the folks that have been using ftp or logging into shell accounts from outside the ISP (Rt66) hosting this computer lately. That root login with no IP address after it was done from the console. That means someone was actually physically at the keyboard to log in. The numbers after the other handles are the IP addresses from which they came in. For example, "cmeinel ttyp1 152.170.227.210" means I came in from an America Online dialup! (To see what those IP numbers mean, read the GTMHH "How to Map the Internet" for lots of ways to figure them out.)

Fortunately, I remember telnetting into my account from an AOL dialup that time, so it's cool. Now if I were to see my user name on this list at a time that I know I didn't log in, I would know someone has gotten my password and is making merry with my account! That IP number would also tell me where Mr. Baddie is coming from (unless he or she is IP spoofing).

=======================================================================
Newbie note: IP spoofing is a way to fake your IP address. Many computer criminals use it to hide their identity. If one of these criminal types tries to tell you this technique really works, please think twice. There are commercially available sniffer programs that identify the true IP address even though the hacker is using an IP spoofing program. See http://www.iss.net and http://www.engarde.com.
=======================================================================

So -- what's this? The log file says cmeinel telnetted in from bofh.fubar.com! I [Carolyn] know that computer. "BOFH" stands for the owner's handle, Bastard Operator from Hell. Actually I was expecting that. He promised me a prank program or two in exchange for use of my account. Since this is an account on a Hacker Wargame computer, I said "what the heck." Besides, I would trust anyone with such a neato handle.

But, oh, my, look at this!
cmeinel   ttyp0  152.172.76.111    Thu Apr 23 14:25 - 16:30  (02:05)

Who is this cmeinel who logged into my account from America Online for over two hours? Wasn't me! Maybe this individual will soon be able to use access to my shell account to get root and be the next Hacker Wargame winner! Nah, I'll make it hard and change my password. The command is simply "passwd." That's what you should do often anyhow, and definitely do whenever you discover an intruder was in your account.

You probably would like to know exactly how that "check" command works. BOFH points out that the "last" command (give the command "man 1 last" to learn more) shows the last logins, which are usually stored in the wtmp file. Some ISPs rotate this file while others just leave it be. The "last" command used by itself would show all logins to the current machine since the creation of the wtmp file.

The command "grep" is a powerful line/pattern matching utility. (Give the command "man 1 grep" for more info.) The '-v' switch tells grep to filter out the lines that match the following regular expression ("regular expressions" could use a series of GTMHHs to explain the concept itself). In the above example, we are filtering out "fubar.com", "ftp", and anything starting with 'U'. (The "^" signifies "starting with".) In this case, the "grep -v ^U" portion is used to grep out (discard) uucp (a communications protocol used for transmitting Usenet posts) entries, since Fubar.com uucp accounts begin with "U". Your Internet service provider, however, may identify Usenet posts differently.

Commands that may work better on your account than those used in the "check" alias above may be:

->last -200 | grep _your_user_name_here | more

This shows the last 200 logins by your username, and pipes it to the "more" command. This makes it easier to read if your terminal program doesn't allow you to scroll back.
->last -200 | grep -v _your_user_name_here | more

This shows the last 200 logins of everyone except your username, piping it to the "more" command.

What are some other things you may add to your .cshrc script to make your account more secure? Do you have friends or enemies that you wish to watch for when you are logged on? Add this command to .cshrc:

set watch=(1 myfriend1 any myfriend2 any myenemy1 any myenemy2 any)

Substitute the user names of your friends/enemies for myfriend etc. If you use a small ISP, a newbie may wish to change the watch entry to:

set watch=(1 any any)

That will watch for logins every 1 second for any username. (Check "man tcsh" on your own system: the tcsh manual documents the first number of watch as an interval in minutes, with a default of 10.) On a slow system where resources are limited, change "1" to "5".

If you are like me [Carolyn] and have lots of people trying to break into your account, you can also set up a warning system.

1) Use pico to create a file named ".junk" containing the sentence "Someone used my shell account."

2) Bring up .cshrc in an editor and add this line:

/usr/lib/sendmail x@techbroker.com < .junk

(For "x@techbroker.com" substitute an email address of yours that is NOT the one for your shell account. If you are a hacker you surely do have more than one email account, right?)

WARNING: This command varies according to the configuration of your ISP. You might have to substitute a different path for "sendmail" (use the command "whereis sendmail" to find it), or substitute mail for sendmail, etc. etc. If you can't make this command work, DON'T EMAIL US! Only tech support at your ISP can answer your questions.

3) Save the new .cshrc file.

Why send this warning to a different email account? An intruder can simply delete your warning email if it goes back to your shell account. You can get free email accounts at Hotmail, Yahoo, and several other places on the Web. Or get one of those email accounts that notifies you by pager the instant your warning email arrives.
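The "check" alias and the warning mail above, as an added example that is not part of the Guide or its authors' code: the same three grep filters as portable sh functions, an allow-list check on where one account's logins came from, and a mail body built from the result instead of the fixed ".junk" text. It runs offline over a constructed sample of "last" output; every host name and address in the sample is made up, and the "last_output" wrapper and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Guide): the "check" filters and an
# allow-list login check, run over constructed `last` output.

# Constructed sample in the layout the Guide's "check" output uses:
# user, tty, origin host (empty for the console), login time, duration.
SAMPLE_LAST='cmeinel ttyp0 152.172.76.111  Thu Apr 23 14:25 - 16:30 (02:05)
cryptik ttyp0 206.206.108.7   Thu Apr 23 13:02 - 13:06 (00:04)
Uucp    ttyp1 news.fubar.com  Thu Apr 23 12:00 - 12:01 (00:01)
ftp     ttyp2 152.166.28.22   Thu Apr 23 01:23 - 02:02 (00:38)
cmeinel ttyp1 bofh.fubar.com  Tue Apr 21 22:09 - 22:17 (00:08)
root    ttyv0                 Wed Apr 22 17:02 - 17:04 (00:02)
skullz  ttyp1 shell.fubar.com Mon Apr 20 23:48 - 23:53 (00:05)'

# Stand-in for `last` so the example runs offline; on a live account
# replace the body with a real `last` or `last -200`.
last_output() { printf '%s\n' "$SAMPLE_LAST"; }

# check [DOMAIN]: the three grep -v filters of the Guide's alias.
# DOMAIN is the home domain to drop (the alias hard-codes fubar.com).
# Caveat: the bare "ftp" pattern also drops a user whose name contains
# "ftp", and "^U" drops every user whose name starts with a capital U.
check() {
  last_output | grep -v "${1:-fubar.com}" | grep -v ftp | grep -v '^U'
}

# suspicious_logins USER OK_REGEX: every login of USER whose origin
# does not match OK_REGEX.  Console logins have no host field, so the
# third column is already the weekday; those are reported as "console".
suspicious_logins() {
  last_output | awk -v user="$1" -v ok="$2" '
    $1 == user {
      from = ($3 ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/) ? "console" : $3
      if (from !~ ok) print
    }'
}

# alert_body USER OK_REGEX: text for the warning mail the Guide sends
# from .cshrc, naming the unexpected logins instead of a fixed line.
# Returns 1 when there is nothing to report, so a caller can skip the
# mail:  alert_body cmeinel 'fubar[.]com$' && /usr/lib/sendmail x@techbroker.com
alert_body() {
  hits=$(suspicious_logins "$1" "$2")
  [ -n "$hits" ] || return 1
  printf 'Subject: logins to %s from unexpected hosts\n\n%s\n' "$1" "$hits"
}
```

Save it as a script under ~/bin and point a tcsh alias at it; the functions are POSIX sh, not tcsh, so they will not work pasted straight into .cshrc.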
Of course, that can be a real pain having your beeper go off every time you log into your own account! But we are showing you this trick to give you an idea of how systems administrators can find out instantly when an intruder gets in. Here's what that shell script sends me whenever someone uses tcsh in my account:

Received: from Rt66.com (198.59.162.1) by mail02.rapidsite.net (8.8.5/8.8.5) with ESMTP id NAA24145 for ; Thu, 23 Apr 1998 13:08:38 -0400 (EDT)
Received: (from cpm@localhost) by Rt66.com (8.8.7/8.8.6) id LAA23890 for x@techbroker.com; Thu, 23 Apr 1998 11:05:51 -0600 (MDT)
Date: Thu, 23 Apr 1998 11:05:51 -0600 (MDT)
From: cpm
Message-Id: <199804231705.LAA23890@Rt66.com>
X-Loop-Detect: 1

Someone used my shell account.

HOW TO MAKE YOUR SHELL MORE PHUN

Next, I wage a little psychological warfare. OK, I admit it, this part is lame, but fun. So hold your flames.

1) Open .cshrc with your favorite editor.

2) Insert something like this:

echo -------------------------------------------
echo To err is human...
echo To get caught is just plain stupid...
echo Fatal Error
echo -----------Big brother is watching----------

(This Guide continued in Part 2...)

_______________________________________________________________________

Where are those back issues of GTMHHs and Happy Hacker Digests? Check out the official Happy Hacker Web page at http://www.happyhacker.org.

We are against computer crime. We support good, old-fashioned hacking of the kind that led to the creation of the Internet and a new era of freedom of information. So don't email us about any crimes you have committed!

To subscribe to Happy Hacker and receive the Guides to (mostly) Harmless Hacking, please email hacker@techbroker.com with message "subscribe happy-hacker" in the body of your message.

Copyright 1998 Carolyn P. Meinel and BOFH. You may forward, print out or post this GUIDE TO (mostly) HARMLESS HACKING on your Web site as long as you leave this notice at the end.
_________________________________________________________
Carolyn Meinel
M/B Research -- The Technology Brokers
http://techbroker.com