home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Hacker's Arsenal - The Cutting Edge of Hacking
/
Hacker's Arsenal - The Cutting Edge of Hacking.iso
/
texts
/
gtmhh
/
gtmhh5-2.txt
< prev
next >
Wrap
Text File
|
2002-01-31
|
27KB
|
590 lines
_________________________________________________________
Guide to (mostly) Harmless Hacking
Vol. 5 Programmers' Series
No. 2: Shell Programming: an Exploit Explained, Part 1
_________________________________________________________
by Carolyn Meinel <cpm@rt66.com> and BOFH <blips@cryptotek.happyhacker.org>
(finger us for important security tips!)
"What?" you wonder. "Another GTMHH on shell programming?" Some people
complained about the first of this GTMHH Programming Series because it
didn't look like it had much to do with breaking into computers. I hope you
weren't one of those d00dz, because to run almost any exploit program, you
need to understand shells and shell programming.
Of course that also means you must have a shell account. To find out how
to get one, see the GTMHHs on "How to Get a Good Shell Account" at
http://www.happyhacker.org.
=========================================================
In this Guide you will learn:
* Why shell programming is important
* The t shell (tcsh) and where to get it
* How to customize your login shell script to make it:
easier to use
more secure
more phun:)
* How to discover all available Unix commands
* The C language compiler
* An exploit explained:
how to break into a computer in one easy shell script
* How to explore a computer from inside a shell account
* How to read email directly from the mail spool
* Library programs
=========================================================
WHY SHELL PROGRAMMING IS IMPORTANT
We are doing yet more on Unix shells because almost any serious break-in
program does its deed from inside a Unix shell. This is a difficult subject
to teach because there are many varieties of Unix and many Unix shells.
There also is that big unknown called "library functions." Most exploit
programs use many library functions. If the computer on which you have a
shell account doesn't have the required compiler or libraries, you can't run
exploits.
===========================================================
Newbie Note: This Guide uses the following concepts:
* Unix shell: A program that provides you with a wonderful storehouse of
commands which it turns into instructions that your computer can understand.
The same Unix operating system may accept different commands depending on
what shell you use. And different flavors of Unix (Linux, Sun OS, Solaris,
AIX, Irix, FreeBSD, etc.) offer different sets of commands that you can use.
You can also create your own shell commands -- something this Guide will
teach you.
* Interpreted programs: Your computer reads and performs your commands line
by line. This kind of program is easy to write and use, but slow.
* Compiled programs: A compiler reads the commands line by line, figures out
how to run these commands fast, and writes them into a compiled program.
This kind of program is harder to make. But once compiled, it runs much
faster than an interpreted program.
* Script: A sequence of commands which is interpreted rather than compiled.
The most common scripts you will create or use in hacking are shell scripts
and Perl programs. A shell script is a series of Unix commands that are
automatically executed (run) when you simply enter the name you gave to that
script. What this means is that each script becomes a new Unix command for
you to use.
* Library functions and other library programs: These are compiled programs
that your computer stores which may be used by many other programs. This
saves disk space and programming time because each program that uses the
instructions of a library program can simply call it from the library.
* Binaries: These are the kind of files made by compilers. A binary can be
an entire program, or just a portion of a program used by many other
programs (for example the library functions).
===========================================================
There is no way this Guide -- or even a big, fat Unix manual -- could tell
you all you may wish to know about the flavor of Unix you are using and its
many shells, and all the library programs the exploits you want to run might
use. So at this point in the Programmers' Series we concentrate on showing
you how to discover what the shells, compilers and library programs of your
account will allow you to do.
Besides, you may discover your shell account is hopelessly crippled. Some
Internet service providers are so afraid of hackers that they disable the
use of compilers and put the library programs off limits. After reading
this Guide, you will appreciate why they do this. You will also understand
what to look for in a good shell account. This may even inspire you to
install Unix on your home computer so your skills will be the only limit on
your system.
============================================================
DISCLAIMER (from BOFH):
The information shown in this Guide is known to work with Linux, OpenBSD,
FreeBSD, SunOS and Solaris. The instructions of this Guide may not work
with other flavors of Unix. Please note that I'm not a technical writer,
nor do I plan on doing this for a living.
I'm just attempting to pass on a bit of knowledge. If someone finds a
mistake, gleaming error or typo, do me a favor...
bite me.
============================================================
THE T SHELL (TCSH) AND WHERE TO GET IT
This Guide will concentrate on only one Unix shell: the T shell (tcsh).
That is shorthand for TENEX C Shell, an enhanced version of the Berkeley csh
(C shell).
Tcsh is the most powerful shell for people who wish to learn about every
command they have the power to use. Also, it is easy for spastic typists
(like me -- Carolyn) to use. To delete messed up stuff, just backspace! To
repeat a command, just use the up arrow to get to it.
The very first thing you need to do is find out if you have tcsh. Try the
following commands:
which tcsh
whereis tcsh
locate tcsh
As a last result, you can try "find". But be warned, many sysadmins don't
like that command because it is slow and disk intensive. The find command
can put a serious lag on the machine.
Once you find where your tcsh is, make sure it's a "valid shell". This
can be done by checking whether it is in the "/etc/shells" file. This may be
done with the command:
->grep tcsh /etc/shells
(Note: throughout this Guide, "->" represents your command prompt.) If
you get back something like:
/bin/tcsh
Then you can safely use tcsh. If you don't get anything back, then I
(BOFH) suggest you contact your ISP and ask them to install it and add it to
the valid shells list. Yes, you can compile and install your own version.
But if your shell is _not_ listed in the valid shells file, you may run into
difficulties using programs such as ftp (incoming ftp) since many ftp
daemons check to see if the user has a valid shell before logging in.
If you're not grep savvy, try just `cat`ing the file:
->cat shells
This should give you something that looks like:
/bin/sh
/bin/bash
/bin/tcsh
/bin/csh
/bin/zsh
/bin/ash
If you discover tcsh in that file, at the prompt in your Unix shell
account, simply type "tcsh" and play with it for awhile. If you find that
you prefer tcsh over your current shell, you can use the "chsh" command to
make it your primary shell so that everytime you log in, you will already be
in tcsh:
->chsh tcsh
This should give the result:
Changing login shell for cpm on mack.
Old shell: /bin/bash
New shell: /bin/tcsh
============================================================
Evil genius tip: Don't have tcsh? Do you run some sort of Unix on your home
computer? Then you can install it. To find a tcsh that will run under your
version of Unix, do a Web search. For example, for one that runs on almost
any type of Linux, you will probably be able to use the tcsh at the Debian
Linux Web site, http://www.debian.org.
Of course you will have to compile it, but if you are an evil genius you
either already know how to do that, or will figure out enough from this
Guide to successfully compile tcsh.
============================================================
HOW TO CUSTOMIZE YOUR LOGIN SHELL SCRIPT
BOFH points out that in the world of vanilla Unix, different shells have
different startup files. For example:
bash: .profile
sh: .profile
csh: .cshrc
tcsh: .cshrc
zsh: $ZDOTDIR/.zprofile and/or $ZDOTDIR/.zshrc
I [BOFH] could go on with the different shells out there, but these are
the most common.
btw...
There's even an lsh which emulates a doslike environment. It sorta kinda
sucks because if you're on a *nix ("*nix" stands for all the kinds of
Unixes) system you want to use a *nix like shell but it's fun to use as a prank.
Most all of these startup files read the files .login and .logout.
Let's assume you have tcsh. The first thing you may wish to do is customize
it. It would be really shameful for a hacker like you or me to have an
ordinary shell. Here's how you can see how your shell is set up. The
settings for tcsh are in a file named ".cshrc". This is a shell script, a
program consisting of a series of Unix shell commands. To read what is in
it, give the command:
->cat .cshrc|more
(Or give the command "more .cshrc". The Unix motto is "There's more than
one way to do it.")
This will display the contents of this script on your monitor. Following is
an example of the commands in a good .cshrc script:
echo "-------------------------------------------"
echo "To err is human..."
echo " To get caught is just plain stupid..."
echo " Fatal Error"
echo "-----------Big brother is watching----------"
if (! ${?hostname} ) setenv hostname 'fubar'
umask 076
set path=( ~/bin /usr/local/bin /bin /usr/bin /usr/local/sbin )
set path=( $path /usr/openwin/bin /usr/X11/bin /usr/local/X11/bin )
set path=( $path /usr/ucb /usr/libexec /usr/etc /etc /usr/games )
set path=( $path /usr/sbin )
setenv host `uname -n`
setenv WWW_HOME http://www.fubar.com/
setenv LD_LIBRARY_PATH "/usr/openwin/lib:/usr/local/X11/lib:/usr/X11/lib"
setenv MANPATH "/usr/man:/usr/share/man:/usr/local/man"
setenv VISUAL pico
setenv EDITOR pico
setenv PGPPATH ~/.pgpdir
mesg y
#set autologout=(0 40)
set exinit
set history=40
set implicitcd
set listjobs
set listlinks
set listjobs=long
set noclobber
set prompt="%U\n(`whoami`) fubar:%u \n%~ %# "
set tperiod=1
set rmstar
set watch=(1 friend1 any friend2 any enemy1 any enemy2 any)
unset autologout
if ($?USER == 0 || $?prompt == 0) exit
alias a 'alias | more'
alias cd 'cd \!*'
alias check 'last | grep -v fubar.com | grep -v ftp | grep -v "^U"'
alias cp 'cp -i -p'
alias cls 'clear'
alias dd 'ls -lgF \!* | more'
alias ddm 'ls -lgF \!* | more'
alias elm 'pine'
alias jobs 'jobs -l'
alias ld 'ls -ld $1'
alias ls 'ls -F'
alias pico 'pico -w -z'
alias port 'ps -aux | grep $1'
alias quit 'exit'
alias scr 'source .cshrc;rehash'
alias su "ksu"
alias sz 'sz -w 2048'
alias w 'w|sort|more'
alias who 'who|sort|more'
alias whois 'whois -h rs.internic.net'
alias viman 'man \!$ | col -b > /tmp/myman$$;vi /tmp/myman$$;rm
/tmp/myman$$'
/usr/lib/sendmail x@techbroker.com < .junk
HOW TO MAKE YOUR SHELL MORE SECURE
If you really consider yourself a hacker, you may choose to change your
.cshrc to make it more secure. Here's how to rewrite your .cshrc:
1) Just in case you mess up and don't care to admit to tech support at your
ISP that you have been messing with .cshrc, the first thing you should do is
save it with a new name. One way to do this is to give the command:
cp .cshrc .cshrc.old
Then if you don't like the results of this exercise, you can fix it by just
giving the command:
cp .cshrc.old .cshrc
2) Now you are ready to change .cshrc. Give the command "pico .cshrc"
(substitute "vi" or "emacs" if you prefer those editors). This opens the
program that runs every time you start up your C shell.
3) Here's something good to change. See all those commands above that begin
with "alias"? Those are commands that allow you to run complicated commands
by only typing in one letter or word. Enter those aliases in you login
script and see how you like them. In the case of the alias "check,"
substitute the domain name of the computer you are using for "fubar.com".
4) Do you wish to be able to easily access lots of good commands? That is
what the "set path" command is for. Good paths depend on the flavor of Unix
you're running. Good generic paths could be:
set path=( ~/bin /usr/local/bin /bin /usr/bin /usr/local/sbin )
set path=( $path /usr/openwin/bin /usr/X11/bin /usr/local/X11/bin )
set path=( $path /usr/ucb /usr/libexec /usr/etc /etc /usr/games )
set path=( $path /usr/sbin )
This will have some erroneous directories but it's generic and something
you could use on Linux, FreeBSD, OpenBSD, Sun OS and Solaris. With other
flavors, your mileage may vary.
5) When you are done editing, here's how pico saves it:
* hold down the control key and hit the letter "x"
* pico asks, "Save modified buffer (ANSWERING "No" WILL DESTROY CHANGES) ?"
Hit the "y" key to save it.
* pico asks "File Name to write : .cshrc" Just hit enter. Your login file
must be named ".cshrc" for it to run whenever you log in.
============================================================
Evil genius tip: Want to be a hacker? Take a serious look at learning
"vi". It is a quick and powerful Unix editor that can do tedious tasks in a
short amount of time. Head down to your local book store (or
http://www.amazon.com) and pick up a good vi book. Two to look for are:
"Unix in a Nutshell" by O'Reilly (ISBN: 1-56592-001-5), and "Vi" by O'Reilly
============================================================
============================================================
Evil genius tip: Are you a serious programmer? Do you plan to become a
serious programmer? If your .cshrc is missing anything in the example script
above, try adding those commands.
============================================================
Now, by setting aliases for your shell, you have made it easier to use, and
also more secure. Try out the aliased commands "w", "who", and "check". The
first two tell you who is currently logged into shell accounts on the same
computer you are on. "Check" shows you the log of whoever has logged into
the computer you use from telnet or ssh from outside that computer system.
If you see an unusual pattern of logins, you may suspect there is a problem.
Here's how these commands work. I [Carolyn] am using one of our Hacker
Wargame computers for the example below so you will get a chance to see how
we find out whether there has been an intruder in my account.
Netstat is really great because it tells you so much:
Active Internet connections
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp 0 0 cryptotek.http sol7.cs.wisc.edu.33089 FIN_WAIT_2
tcp 0 0 cryptotek.http sol7.cs.wisc.edu.33088 FIN_WAIT_2
tcp 0 20 cryptotek.ssh pmd05.rt66.com.1753 ESTABLISHED
Active UNIX domain sockets
Address Type Recv-Q Send-Q Inode Conn Refs Nextref Addr
f05e7f00 dgram 0 0 0 f03dcf14 0 f03dcb14
f05f9200 dgram 0 0 0 f03dcf14 0 f03dcd14
f05e9600 dgram 0 0 0 f03dcf14 0 f03dcd94
f05eba00 dgram 0 0 0 f03dcf14 0 0
f05a9000 dgram 0 0 f05ab680 0 f03ecc94 0 /var/run/log
This readout tells us is that a guy from the University of Wisconsin is
reading our Web site at http://cryptotek.happyhacker.org, while I am logged
in with an ssh (Secure Shell, which encrypts my communications) connection.
The commands "w" and "who" only tell you who is actually logged into a
shell account and what they are doing just now. They both identify the same
people, but give somewhat different information on their activities. Here's
a "w" command readout:
1:05PM up 2 days, 17:42, 2 users, load averages: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE WHAT
cryptik p0 206.206.108.7 1:02PM - (pine)
cmeinel p1 pmd05.rt66.com 12:31PM - w
This means Cryptik is in his shell account reading his email using the Pine
program while I (Carolyn) am snooping on him with the "w" command.
If your ISP has logs readable by users, that alias in your .cshrc named
"check" will tell you everyone who has logged into their shell accounts lately:
cmeinel ttyp0 152.172.76.111 Thu Apr 23 14:25 - 16:30 (02:05)
(snip)
cryptik ttyp0 206.206.108.7 Thu Apr 23 13:02 - 13:06 (00:04)
mrcurt ttyp1 152.166.28.22 Thu Apr 23 01:23 - 02:02 (00:38)
(snip)
cryptik ttyp0 152.167.87.187 Wed Apr 22 19:18 - 19:20 (00:02)
cryptik ttyp0 152.173.170.182 Wed Apr 22 17:55 - 17:56 (00:00)
root ttyv0 Wed Apr 22 17:02 - 17:04 (00:02)
cryptik ttyp0 152.171.172.203 Wed Apr 22 15:25 - 15:29 (00:03)
protocol ttyp1 152.204.20.98 Wed Apr 22 01:43 - 01:59 (00:16)
cryptik ttyp0 152.170.244.211 Tue Apr 21 23:41 - 02:28 (02:47)
cmeinel ttyp1 bofh.foobar.org Tue Apr 21 22:09 - 22:17 (00:08)
xmyth ttyp0 152.203.67.27 Tue Apr 21 18:11 - 18:12 (00:00)
(snip)
420smk ttyp0 152.172.97.237 Tue Apr 21 14:35 - 14:36 (00:01)
root ttyv0 Tue Apr 21 14:03 - 14:04 (00:00)
root ttyp2 152.171.159.158 Tue Apr 21 01:25 - 02:10 (00:45)
cryptik ttyp1 206.206.108.7 Tue Apr 21 00:24 - 00:25 (00:00)
skullz ttyp1 152.166.74.235 Mon Apr 20 23:55 - 23:59 (00:04)
skullz ttyp1 152.166.74.235 Mon Apr 20 23:48 - 23:53 (00:05)
cryptik ttyp0 152.171.255.221 Mon Apr 20 23:24 - 01:33 (02:08)
cryptik ttyp0 152.167.139.204 Mon Apr 20 23:16 - 23:16 (00:00)
cmeinel ttyp1 152.170.227.210 Mon Apr 20 22:17 - 22:19 (00:02)
(snip)
Aha! Now you know the handles of the folks that have been using ftp or
logging into shell accounts from outside the ISP (Rt66) hosting this
computer lately.
That root login with no IP address after it, was done from the console.
That means someone was actually physically at the keyboard to log in. The
numbers after the other handles are the IP addresses from which they came
in. For example, "cmeinel ttyp1 152.170.227.210" means I came in from
an America Online dialup! (To see what those IP numbers mean, read the
GTMHH "How to Map the Internet" for lots of ways to figure them out.)
Fortunately, I remember telneting into my account from an AOL dialup that
time, so it's cool.
Now if I were to see my user name on this list at a time that I know I
didn't log in, I would know someone has gotten my password and is making
merry with my account! That IP number would also tell me where Mr. Baddie
is coming from (unless he or she is IP spoofing.)
=======================================================================
Newbie note: IP spoofing is a way to fake your IP address. Many computer
criminals use it to hide their identity. If one of these criminal types try
to tell you this technique really works, please think twice. There are
commercially available sniffer programs that identify the true IP address
even though the hacker is using an IP spoofing program. See
http://www.iss.net; http://www.engarde.com; and http://www.engarde.com.
=======================================================================
So -- what's this? The log file says cmeinel telneted in from
bofh.fubar.com! I [Carolyn] know that computer. "BOFH" stands for the
owner's handle, Bastard Operator from Hell. Actually I was expecting that.
He promised me a prank program or two in exchange for use of my account.
Since this is an account on a Hacker Wargame computer, I said "what the
heck." Besides, I would trust anyone with such a neato handle.
But, oh, my, look at this!
cmeinel ttyp0 152.172.76.111 Thu Apr 23 14:25 - 16:30 (02:05)
Who is this cmeinel who logged into my account from America Online for over
two hours? Wasn't me! Maybe this individual will soon be able to use
access to my shell account to get root and be the next Hacker Wargame
winner! Nah, I'll make it hard and change my password. The command is
simply "passwd." That's what you should do often anyhow, and definitely do
whenever you discover an intruder was in your account.
You probably would like to know exactly how that "check" command works.
BOFH points out that the "last" command (give command "man 1 last" to learn
more) shows the last logins that are usually stored in the wtmp file. Some
ISP's rotate this file while others just leave it be. The "last" command
used by itself would show all logins to the
current machine since the creation of the wtmp file.
The command "grep" is a powerful line/pattern matching utility. (Give
command "man 1 grep" for more info). The '-v' switch tells grep to filter
out the following regular expression ("regular expressions" could use a
series of GTMHHs to explain the concept itself). In the above example, we
are filtering out "fubar.com", "ftp", and anything starting with 'U'. (The
"^" signifies "starting with"). In this case, the "grep -v ^U" portion is
used to grep out (discard) uucp (a communications protocol used for
transmitting Usenet posts) entries since Fubar.com uucp accounts begin with
"^U". Your Internet service provider, however, may identify Usenet posts
differently.
Commands that may work better on your account than those used in the
"check" alias above may be:
last -200 | grep _your_user_name_here | more
- This shows the last 200 logins by your username, and pipes it to the
"more" command. This makes it easier to read if your terminal program
doesn't allow you to scroll back.
last -200 | grep -v _your_user_name_here | more
- This shows the last 200 logins of everyone except your username,
piping it to the "more" command.
What are some other things you may add to your .cshrc script to make your
account more secure? Do you have friends or enemies that you wish to watch
for when you are logged on? Add this command to .cshrc:
set watch=(1 myfriend1 any myfriend2 any myenemy1 any myenemy2 any)
Substitute the user names of your friends/enemies for myfriend etc. If you
use a small ISP, a newbie may wish to change the watch entry to:
set watch=(1 any any)
That will watch for logins every 1 second for any username. On a slow
system where resources are limited, change "1" to "5".
If you are like me [Carolyn] and have lots of people trying to break into
your account, you can also set up a warning system.
1) Use pico to create a file named ".junk" containing the sentence "Someone
used my shell account."
2) Bring up .cshrc in an editor and add this line: "/usr/lib/sendmail
x@techbroker.com < .junk" (for "x@techbroker.com" substitute an email
address of yours that is NOT the one for your shell account. If you are a
hacker you surely do have more than one email account, right?)
WARNING: This command varies according to the configuration of your ISP.
You might have to substitute a different path for "sendmail" (use command
"whereis sendmail" to find it), or substitute mail for sendmail, etc. etc.
If you can't make this command work, DON'T EMAIL US! Only tech support at
your ISP can answer your questions.
3) Save the new .cshrc file.
Why send this warning to a different email account? An intruder can simply
delete your warning email if it goes back to your shell account. You can
get free email accounts at Hotmail, Yahoo, and several other places on the
Web.
Or get one of those email accounts that notifies you by pager the instant
your warning email arrives. Of course, that can be a real pain having your
beeper go off every time you log into your own account! But we are showing
you this trick to give you an idea of how systems administrators can find
out instantly when an intruder gets in.
Here's what that shell script sends me whenever someone uses tcsh in my
account:
Received: from Rt66.com (198.59.162.1)
by mail02.rapidsite.net (8.8.5/8.8.5) with ESMTP id NAA24145
for <x@techbroker.com>; Thu, 23 Apr 1998 13:08:38 -0400 (EDT)
Received: (from cpm@localhost)
by Rt66.com (8.8.7/8.8.6) id LAA23890
for x@techbroker.com; Thu, 23 Apr 1998 11:05:51 -0600 (MDT)
Date: Thu, 23 Apr 1998 11:05:51 -0600 (MDT)
From: cpm <cpm@Rt66.com>
Message-Id: <199804231705.LAA23890@Rt66.com>
X-Loop-Detect: 1
Someone used my shell account.
HOW TO MAKE YOUR SHELL MORE PHUN
Next, I wage a little psychological warfare. OK, I admit it, this part is
lame, but fun. So hold your flames.
1) Open .cshrc with your favorite editor.
2) Insert something like this:
echo -------------------------------------------
echo To err is human...
echo To get caught is just plain stupid...
echo Fatal Error
echo -----------Big brother is watching----------
(This Guide continued in Part 2...)
_______________________________________________________________________
Where are those back issues of GTMHHs and Happy Hacker Digests? Check out
the official Happy Hacker Web page at http://www.happyhacker.org.
We are against computer crime. We support good, old-fashioned hacking of the
kind that led to the creation of the Internet and a new era of freedom of
information. So don't email us about any crimes you have committed!
To subscribe to Happy Hacker and receive the Guides to (mostly) Harmless
Hacking, please email hacker@techbroker.com with message "subscribe
happy-hacker" in the body of your message.
Copyright 1998 Carolyn P. Meinel <cmeinel@techbroker.com> and BOFH. You may
forward, print out or post this GUIDE TO (mostly) HARMLESS HACKING on your
Web site as long as you leave this notice at the end.
_________________________________________________________
Carolyn Meinel
M/B Research -- The Technology Brokers
http://techbroker.com
