[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-Disclosure] ron1n phone home, episode 5
- To: full-disclosure@xxxxxxxxxxxxxxxx
- Subject: [Full-Disclosure] ron1n phone home, episode 5
- From: Bugtraq Security Systems <research@xxxxxxxxxxx>
- Date: Thu, 8 Apr 2004 17:07:01 -0400
Dear list,
Moving out of the comfort of Windows and into k-rad UNIX hacking is not
for the faint of heart. That's why, today, we're going to release a
Mostly Harmless Hacking whitepaper on finding out if you may already
have access to that trophy of all trophies. Indeed, today we will focus
on the allmighty..UNIX shellaccount.
Enjoy.
With regards,
Team Bugtraq Security
PS: come see our MHH presentation at Interz0ne next week!
http://www.interz0ne.com
http://esecurityonline.0catch.com
___________________________________________________________
GUIDE TO (mostly) HARMLESS HACKING
Beginners’ Series #3 Part 1
How to Get a *Good* Shell Account
____________________________________________________________
______________________________________________________________
In this section you will learn how to:
· tell whether you may already have a Unix shell account
· get a shell account
· log on to your shell account
_______________________________________________________________
You’ve fixed up your Windows box to boot up with a lurid hacker logo. You’ve
renamed “Recycle Bin” “Hidden Haxor Secrets.” When you run Netscape or
Internet Explorer, instead of that boring corporate logo, you have a
full-color animated Mozilla destroying New York City. Now your friends and
neighbors are terrified and impressed.
But in your heart of hearts you know Windows is scorned by elite hackers.
You keep on seeing their hairy exploit programs and almost every one of them
requires the Unix operating system. You realize that when it comes to
messing with computer networks, Unix is the most powerful operating system
on the planet. You have developed a burning desire to become one of those
Unix wizards yourself. Yes, you’re ready for the next step.
You’re ready for a shell account. SHELL ACCOUNT!!!!
*****************************************************
Newbie note: A shell account allows you to use your home computer as a
terminal on which you can give commands to a computer running Unix. The
“shell” is the program that translates your keystrokes into Unix commands.
With the right shell account you can enjoy the use of a far more powerful
workstation than you could ever dream of affording to own yourself. It also
is a great stepping stone to the day when you will be running some form of
Unix on your home computer.
*****************************************************
Once upon a time the most common way to get on the Internet was through a
Unix shell account. But nowadays everybody and his brother are on the
Internet. Almost all these swarms of surfers want just two things: the Web,
and email. To get the pretty pictures of today’s Web, the average Internet
consumer wants a mere PPP (point to point) connection account. They wouldn’t
know a Unix command if it hit them in the snoot. So nowadays almost the only
people who want shell accounts are us wannabe hackers.
The problem is that you used to be able to simply phone an ISP, say “I’d
like a shell account,” and they would give it to you just like that. But
nowadays, especially if you sound like a teenage male, you’ll run into
something like this:
ISP guy: “You want a shell account? What for?”
Hacker dude: “Um, well, I like Unix.”
“Like Unix, huh? You’re a hacker, aren’t you!” Slam, ISP guy hangs up on you.
So how do you get a shell account? Actually, it’s possible you may already
have one and not know it. So first we will answer the question, how do you
tell whether you may already have a shell account? Then, if you are certain
you don’t have one, we’ll explore the many ways you can get one, no matter
what, from anywhere in the world.
How Do I Know Whether I Already Have a Shell Account?
First you need to get a program running that will connect you to a shell
account. There are two programs with Windows 95 that will do this, as well
as many other programs, some of which are excellent and free.
First we will show you how to use the Win 95 Telnet program because you
already have it and it will always work. But it’s a really limited program,
so I suggest that you use it only if you can’t get the Hyperterminal
program to work.
1) Find your Telnet program and make a shortcut to it on your desktop.
· One way is to click Start, then Programs, then Windows Explorer.
· When Explorer is running, first resize it so it doesn’t cover the entire
desktop.
· Then click Tools, then Find, then “Files or Folders.”
· Ask it to search for “Telnet.”
· It will show a file labeled C:\windows\telnet (instead of C:\ it may have
another drive). Right click on this file.
· This will bring up a menu that includes the option “create shortcut.”
Click on “create shortcut” and then drag the shortcut to the desktop and
drop it.
· Close Windows Explorer.
2) Depending on how your system is configured, there are two ways to connect
to the Internet. The easy way is to skip to step three. But if it fails, go
back to this step. Start up whatever program you use to access the Internet.
Once you are connected, minimize the program. Now try step three.
3) Bring up your Telnet program by double clicking on the shortcut you just
made.
· First you need to configure Telnet so it actually is usable. On the
toolbar click “terminal,” then “preferences,” then “fonts.” Choose “Courier
New,” “regular” and 8 point size. You do this because if you have too big a
font, the Telnet program is shown on the screen so big that the cursor from
your shell program can end up being hidden off the screen. OK, OK, you can
pick other fonts, but make sure that when you close the dialog box that the
Telnet program window is entirely visible on the screen. Now why would there
be options that make Telnet impossible to use? Ask Microsoft.
· Now go back to the task bar to click Connect, then under it click “Remote
system.” This brings up another dialog box.
· Under “host name” in this box type in the last two parts of your email
address. For example, if your email address is jane_doe@xxxxxxxxxxxxxx, type
“ISP.com” for host name.
· Under “port” in this box, leave it the way it is, reading “telnet.”
· Under “terminal type,” in this box, choose “VT100.”
· Then click the Connect button and wait to see what happens.
· If the connection fails, try entering the last three parts of your email
address as the host, in this case “boring.ISP.com.”
Now if you have a shell account you should next get a message asking you to
login. It may look something like this:
Welcome to Boring Internet Services, Ltd.
Boring.com S9 - login: cmeinel
Password:
Linux 2.0.0.
Last login: Thu Apr 10 14:02:00 on ttyp5 from pm20.kitty.net.
sleepy:~$
If you get something like this you are in definite luck. The important thing
here, however, is that the computer used the word “login” to get you
started. If is asked for anything else, for example “logon,” this is not a
shell account.
As soon as you login, in the case of Boring Internet Services you have a
Unix shell prompt on your screen. But instead of something this simple you
may get something like:
BSDI BSD/OS 2.1 (escape.com) (ttyrf)
login: galfina
Password:
Last login: Thu Apr 10 16:11:37 from fubar.net
Copyright 1992, 1993, 1994, 1995 Berkeley Software Design, Inc.
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reserved.
__________________________________________________________________
___________________ ______ ______________
___ / ___/ ___/ \/ \/ __ / ___/
_____ / ___/\__ / /__/ / / /___/ ___/
_______ / / / / / / / / / / / /
_________ \_____/\_____/\_____/\__/___/\_/ \_____/ .com
[ ESCAPE.COM ]
__________________________________________________________________
PLEASE NOTE:
Multiple Logins and Simultaneous Dialups From Different Locations Are
_NOT_ Permitted at Escape Internet Access.
__________________________________________________________________
Enter your terminal type, RETURN for vt100, ? for list:
Setting terminal type to vt100.
Erase is backspace.
MAIN
Escape Main Menu
----[05:45PM]-----------------------------------------------------
==> H) HELP Help & Tips for the Escape Interface. (M)
I) INTERNET Internet Access & Resources (M)
U) USENETM Usenet Conferences (Internet Distribution) (M)
L) LTALK Escape Local Communications Center (M)
B) BULLETINS Information on Escape, Upgrades, coming events. (M)
M) MAIL Escape World Wide and Local Post Office (M)
F) HOME Your Home Directory (Where all your files end up)
C) CONFIG Config your user and system options (M)
S) SHELL The Shell (Unix Environment) [TCSH]
X) LOGOUT Leave System
BACK MAIN HOME MBOX ITALK LOGOUT
----[Mesg: Y]------------[ TAB key toggles menus ]-------[Connected: 0:00]---
CMD>
In this case you aren’t in a shell yet, but you can see an option on the
menu to get to a shell. So hooray, you are in luck, you have a shell
account. Just enter “S” and you’re in.
Now depending on the ISP you try out, there may be all sorts of different
menus, all designed to keep the user from having to ever stumble across the
shell itself. But if you have a shell account, you will probably find the
word “shell” somewhere on the menu.
If you don’t get something obvious like this, you may have to do the single
most humiliating thing a wannabe hacker will ever do. Call tech support and
ask whether you have a shell account and, if so, how to login. It may be
that they just want to make it really, really hard for you to find your
shell account.
Now personally I don’t care for the Win 95 Telnet program. Fortunately there
are many other ways to check whether you have a shell account. Here’s how to
use the Hyperterminal program, which, like Telnet, comes free with the
Windows 95 operating system. This requires a different kind of connection.
Instead of a PPP connection we will do a simple phone dialup, the same sort
of connection you use to get on most computer bulletin board systems (BBS).
1) First, find the program Hyperteminal and make a shortcut to your desktop.
This one is easy to find. Just click Start, then Programs, then Accessories.
You’ll find Hyperterminal on the accessories menu. Clicking on it will bring
up a window with a bunch of icons. Click on the one labeled
“hyperterminal.exe.”
2) This brings up a dialog box called “New Connection.” Enter the name of
your local dialup, then in the next dialog box enter the phone dialup number
of your ISP.
3) Make a shortcut to your desktop.
4) Use Hyperterminal to dial your ISP. Note that in this case you are making
a direct phone call to your shell account rather than trying to reach it
through a PPP connection.
Now when you dial your ISP from Hyperterminal you might get a bunch of
really weird garbage scrolling down your screen. But don’t give up. What is
happening is your ISP is trying to set up a PPP connection with
Hyperterminal. That is the kind of connection you need in order to get
pretty pictures on the Web. But Hyperterminal doesn’t understand PPP.
Unfortunately I’ve have not been able to figure out why this happens
sometimes or how to stop it. But the good side of this picture is that the
problem may go away the next time you use Hyperterminal to connect to your
ISP. So if you dial again you may get a login sequence. I’ve found it often
helps to wait a few days and try again. Of course you can complain to tech
support at your ISP. But it is likely that they won’t have a clue on what
causes their end of things to try to set up a PPP session with your
Hyperterminal connection. Sigh.
But if all goes well, you will be able to log in. In fact, except for the
PPP attempt problem, I like the Hyperterminal program much better than Win
95 Telnet. So if you can get this one to work, try it out for awhile. See if
you like it, too.
There are a number of other terminal programs that are really good for
connecting to your shell account. They include Qmodem, Quarterdeck Internet
Suite, and Bitcom. Jericho recommends Ewan, a telnet program which also runs
on Windows 95. Ewan is free, and has many more features than either
Hyperterminal or Win 95 Telnet. You may download it from jericho’s ftp site
at sekurity.org in the /utils directory.
OK, let’s say you have logged into your ISP with your favorite program. But
perhaps it still isn’t clear whether you have a shell account. Here’s your
next test. At what you hope is your shell prompt, give the command “ls
-alF.” If you have a real, honest-to-goodness shell account, you should get
something like this:
> ls -alF
total 87
drwx--x--x 5 galfina user 1024 Apr 22 21:45 ./
drwxr-xr-x 380 root wheel 6656 Apr 22 18:15 ../
-rw-r--r-- 1 galfina user 2793 Apr 22 17:36 .README
-rw-r--r-- 1 galfina user 635 Apr 22 17:36 .Xmodmap
-rw-r--r-- 1 galfina user 624 Apr 22 17:36 .Xmodmap.USKBD
-rw-r--r-- 1 galfina user 808 Apr 22 17:36 .Xresources
drwx--x--x 2 galfina user 512 Apr 22 17:36 www/
etc.
This is the listing of the files and directories of your home directory.
Your shell account may give you a different set of directories and files
than this (which is only a partial listing). In any case, if you see
anything that looks even a little bit like this, congratulations, you
already have a shell account!
*******************************************************
Newbie note: The first item in that bunch of dashes and letters in front of
the file name tells you what kind of file it is. “d” means it is a
directory, and “-” means it is a file. The rest are the permissions your
files have. “r” = read permission, “w” = write permission, and “x” = execute
permission (no, “execute” has nothing to do with murdering files, it means
you have permission to run the program that is in this file). If there is a
dash, it means there is no permission there.
The symbols in the second, third and fourth place from the left are the
permissions that you have as a user, the following three are the permissions
everyone in your designated group has, and the final three are the
permissions anyone and everyone may have. For example, in galfina’s
directory the subdirectory “www/” is something you may read, write and
execute, while everyone else may only execute. This is the directory where
you can put your Web page. The entire world may browse (“execute”) your Web
page. But only you can read and write to it.
If you were to someday discover your permissions looking like:
drwx--xrwx newbie user 512 Apr 22 17:36 www/
Whoa, that “r” in the third place from last would mean anyone can hack your
Web page!
******************************************************
Another command that will tell you whether you have a shell account is
“man.” This gives you an online Unix manual. Usually you have to give the
man command in the form of “man <command>“ where <command> is the name of
the Unix command you want to study. For example, if you want to know all
the different ways to use the “ls” command, type “man ls” at the prompt.
On the other hand, here is an example of something that, even though it is
on a Unix system, is not a shell account:
BSDI BSD/386 1.1 (dub-gw-2.compuserve.com) (ttyp7)
Connected to CompuServe
Host Name: cis
Enter choice (LOGON, HELP, OFF):
The immediate tip-off that this is not a shell account is that it asks you
to “logon” instead of “login:”
How to Get a Shell Account
What if you are certain that you don’t already have a shell account? How do
you find an ISP that will give you one?
The obvious place to start is your phone book. Unless you live in a really
rural area or in a country where there are few ISPs, there should be a
number of companies to choose from.
So here’s your problem. You phone Boring ISP, Inc. and say, “I’d like a
shell account.” But Joe Dummy on the other end of the phone says, “Shell?
What’s a shell account?” You say “I want a shell account. SHELL ACCOUNT!!!”
He says, “Duh?” You say “Shell account. SHELL ACCOUNT!!!” He says, “Um, er,
let me talk to my supervisor.” Mr. Uptight Supervisor gets on the phone. “We
don’t give out shell accounts, you dirty &%$*# hacker.”
Or, worse yet, they claim the Internet access account they are giving you a
shell account but you discover it isn’t one.
To avoid this embarrassing scene, avoid calling big name ISPs. I can
guarantee you, America Online, Compuserve and Microsoft Network don’t give
out shell accounts.
What you want to find is the seediest, tiniest ISP in town. The one that
specializes in pasty-faced customers who stay up all night playing MOOs and
MUDs. Guys who impersonate grrrls on IRC. Now that is not to say that MUD
and IRC people are typically hackers. But these definitely are your serious
Internet addicts. An ISP that caters to people like that probably also
understands the kind of person who wants to learn Unix inside and out.
So you phone or email one of these ISPs on the back roads of the Net and
say, “Greetings, d00d! I am an evil haxor and demand a shell account pronto!”
No, no, no! Chances are you got the owner of this tiny ISP on the other end
of the line. He’s probably a hacker himself. Guess what? He loves to hack
but he doesn’t want hackers (or wannabe hackers) for customers. He doesn’t
want a customer who’s going to be attracting email bombers and waging hacker
war and drawing complaints from the sysadmins on whom this deadly dude has
been testing exploit code.
So what you do is say something like “Say, do you offer shell accounts? I
really, really like to browse the Web with lynx. I hate waiting five hours
for all those pretty pictures and Java applets to load. And I like to do
email with Pine. For newsgroups, I luuuv tin!”
Start out like this and the owner of this tiny ISP may say something like,
“Wow, dude, I know what you mean. IE and Netscape really s***! Lynx uber
alles! What user name would you like?”
At this point, ask the owner for a guest account. As you will learn below,
some shell accounts are so restricted that they are almost worthless.
But let’s say you can’t find any ISP within reach of a local phone call that
will give you a shell account. Or the only shell account you can get is
worthless. Or you are well known as a malicious hacker and you’ve been
kicked off every ISP in town. What can you do?
Your best option is to get an account on some distant ISP, perhaps even in
another country. Also, the few medium size ISPs that offer shell accounts
(for example, Netcom) may even have a local dialup number for you. But if
they don’t have local dialups, you can still access a shell account located
*anywhere* in the world by setting up a PPP connection with your local
dialup ISP, and then accessing your shell account using a telnet program on
your home computer.
*************************************************
Evil Genius Tip: Sure, you can telnet into your shell account from another
ISP account. But unless you have software that allows you to send your
password in an encrypted form, someone may sniff your password and break
into your account. If you get to be well known in the hacker world, lots of
other hackers will constantly be making fun of you by sniffing your
password. Unfortunately, almost all shell accounts are set up so you must
expose your password to anyone who has hidden a sniffer anywhere between the
ISP that provides your PPP connection and your shell account ISP.
One solution is to insist on a shell account provider that runs ssh (secure
shell).
**************************************************
So where can you find these ISPs that will give you shell accounts? One good
source is http://www.celestin.com/pocia/. It provides links to Internet
Service Providers categorized by geographic region. They even have links to
allow you to sign up with ISPs serving the Lesser Antilles!
***********************************************
Evil Genius tip: Computer criminals and malicious hackers will often get a
guest account on a distant ISP and do their dirty work during the few hours
this guest account is available to them. Since this practice provides the
opportunity to cause so much harm, eventually it may become really hard to
get a test run on a guest account.
***********************************************
But if you want to find a good shell account the hacker way, here’s what you
do. Start with a list of your favorite hacker Web sites. For example, let’s
try http://ra.nilenet.com/~mjl/hacks/codez.htm.
You take the beginning part of the URL (Universal Resource Locator) as your
starting point. In this case it is “http://ra.nilenet.com.” Try surfing to
that URL. In many cases it will be the home page for that ISP. It should
have instructions for how to sign up for a shell account. In the case of
Nile Net we strike hacker gold:
Dial-up Accounts and Pricing
NEXUS Accounts
NEXUS Accounts include: Access to a UNIX Shell, full
Internet access, Usenet newsgroups, 5mb of FTP and/or
WWW storage space, and unlimited time.
One Time Activation Fee: $20.00
Monthly Service Fee: $19.95 or
Yearly Service Fee: $199.95
Plus which they make a big deal over freedom of online speech. And they host
a great hacker page full of these Guides to (mostly) Harmless Hacking!
How to Login to Your Shell Account
Now we assume you finally have a guest shell account and are ready to test
drive it. So now we need to figure out how to login. Now all you hacker
geniuses reading this, why don’t you just forget to flame me for telling
people how to do something as simple as how to login. Please remember that
everyone has a first login. If you have never used Unix, this first time can
be intimidating. In any case, if you are a Unix genius you have no business
reading this Beginners’ Guide. So if you are snooping around here looking
for flamebait, send your flames to /dev/null.
***********************************************************
Newbie note: “Flames” are insulting, obnoxious rantings and ravings done by
people who are severely lacking in social skills and are a bunch of &$%@#!!
but who think they are brilliant computer savants. For example, this newbie
note is my flame against &$%@#!! flamers.
“/dev/null” stands for “device null.” It is a file name in a Unix operating
system. Any data that is sent to /dev/null is discarded. So when someone
says they will put something in “/dev/null” that means they are sending it
into permanent oblivion.
***********************************************************
The first thing you need to know in order to get into your shell account is
your user name and password. You need to get that information from the ISP
that has just signed you up. The second thing you need to remember is that
Unix is “case sensitive.” That means if your login name is “JoeSchmoe” the
shell will think “joeschmoe” is a different person than “JoeSchmoe” or
“JOESCHMOE.”
OK, so you have just connected to your shell account for the first time. You
may see all sorts of different stuff on that first screen. But the one thing
you will always see is the prompt:
login:
Here you will type in your user name.
In response you will always be asked :
Password:
Here you type in your password.
After this you will get some sort of a prompt. It may be a simple as:
%
or
$
or
>
Or as complicated as:
sleepy:~$
Or it may even be some sort of complicated menu where you have to choose a
“shell” option before you get to the shell prompt.
Or it may be a simple as:
#
**********************************************************
Newbie note: The prompt “#” usually means you have the superuser powers of
a “root” account. The Unix superuser has the power to do *anything* to the
computer. But you won’t see this prompt unless either the systems
administrator has been really careless -- or someone is playing a joke on
you. Sometimes a hacker thinks he or she has broken into the superuser
account because of seeing the “#” prompt. But sometimes this is just a trick
the sysadmin is playing. So the hacker goes playing around in what he or she
thinks is the root account while the sysadmin and his friends and the police
are all laughing at the hacker.
**********************************************************
Ready to start hacking from your shell account? Watch out, it may be so
crippled that it is worthless for hacking. Or, it may be pretty good, but
you might inadvertently do something to get you kicked off. To avoid these
fates, be sure to read Beginners’ Series #3 Part 2 of How to Get a *Good*
Shell Account, coming out tomorrow.
In that GTMHH section you will learn how to:
· explore your shell account
· decide whether your shell account is any good for hacking
· keep from losing your shell account
In case you were wondering about all the input from jericho in this Guide,
yes, he was quite helpful in reviewing it and making suggestions. Jericho is
a security consultant runs his own Internet host, obscure.security.org.
Thank you, jericho@xxxxxxxxxxxxxxx, and happy hacking!
_________________________________________________________
Want to see back issues of Guide to (mostly) Harmless Hacking? See either
http://www.cs.utexas.edu/users/matt/hh.html (the official Happy Hacker
archive site)
http://www.geocities.com/TimesSquare/Arcade/4594
http://www.silitoad.org
http://base.kinetik.org
http://www.anet-chi.com/~dsweir
http://www.tacd.com/zines/gtmhh/
http://ra.nilenet.com/~mjl/hacks/codez.htm
http://www.ilf.net/brotherhood/index2.html
Subscribe to our discussion list by emailing to hacker@xxxxxxxxxxxxxx with
message "subscribe"
Want to share some kewl stuph with the Happy Hacker list? Correct mistakes?
Send your messages to hacker@xxxxxxxxxxxxxxx To send me confidential email
(please, no discussions of illegal activities) use cmeinel@xxxxxxxxxxxxxx
and be sure to state in your message that you want me to keep this
confidential. If you wish your message posted anonymously, please say so!
Direct flames to dev/null@xxxxxxxxxxxxxxx Happy hacking!
Copyright 1997 Carolyn P. Meinel. You may forward or post this GUIDE TO
(mostly) HARMLESS HACKING on your Web site as long as you leave this notice
at the end.
________________________________________________________
Carolyn Meinel
M/B Research -- The Technology Brokers