|+=================================+|
||*********************************||
||*    Introduction to Hacking    *||
||*     by KwAnTAM_PoZeEtroN      *||
||*********************************||
|+=================================+|

The first part of any hacking expedition is getting into the system that
you plan to 'explore.' This can be achieved in any number of ways. The main
two are:

  1) Cracking passwd (brute force)
  2) Using an exploit

Cracking passwd is fairly simple. You get a 'cracking' program which is
designed to take each word in a word list file and encrypt it using the
same one-way hash that UNIX uses to encrypt its password file. Then it
compares the hashed value to each password in the encrypted list, which is
found on UNIX and other *IX systems in the file /etc/passwd. Word lists and
cracking programs are available at http://kwantam.home.ml.org

The list of words used is called a dictionary file. It contains a series of
words, one per line, in a standard ASCII text file. An excerpt from a
dictionary file could be:

  helix
  hell
  hellacious
  hello
  hellbender
  hellbent
  hell-bent
  hellbox
  hellcat
  hellebore
  heller
  hell-for-leather
  hellgrammite
  etc.

The one-way hash function is a small series of mathematical steps that
turns the password into a string of characters, and it is that string which
is saved in the passwd file. The one-way hash function UNIX uses is a
variant of Crypt(3). The reason that a dictionary file is needed is that
the Crypt(3) function cannot be reversed, hence the name one-way hash. It
is computationally infeasible to recover, in any practical amount of time,
the string of characters from which the hash value came. So instead of
reversing the hash, the cracker guesses likely passwords, hashes each guess,
and looks for a match.

The passwd file is a series of lines, each with user info on it.
An example is:

joeschmoe:naVwowMManasMMo:10:200:Joe Schmoe:/users/joeschmoe:/bin/bash
^         ^               ^  ^   ^          ^               ^
|         |               |  |   |          |               +- User's shell program
|         |               |  |   |          +---- User's home directory
|         |               |  |   +----------------- User's real name
|         |               |  +------------------------- User number
|         |               +----------------------------- User's group number
|         +--------------------------------------- Hash of user's password
+--------------------------------------------------- Username

I will explain each of these:

- Username is the name under which the user logs in. Usually this is
  accomplished by typing in the username at the username prompt and then
  the password at the password prompt.
- Hash of user's password is the target of the cracking method. This is
  what the hash of each word in the dictionary file is compared to.
- User's group number determines things such as access to certain files,
  etc. It is used more in the exploit technique.
- User's number is basically identification for the system.
- User's real name is the name the user entered. It is not used by the
  system, but it provides a handy human-readable id of each user.
- User's home directory is the directory that they go to when they log
  into the system.
- User's shell is the user interface that the user uses. Shells include
  /bin/bash, /bin/ash, /bin/tcsh, /bin/csh and /bin/sh.

It is not necessary to modify the passwd file to contain only the passwords,
because most cracking programs look for the second field, which is
indicated by the colon (:) separating it from the username.

As you can see, it is also possible that, if the user's password is not in
the dictionary file, the cracker won't find the password to that username.
However, on a system of 200 users, at least 70 of them will usually have
passwords that are in dictionaries, depending on whether the system
administrator checks the passwords or not and the type of user that
accesses the system most.
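As an added worked example (not part of the original text), here is a small Python audit that parses passwd lines into the seven fields described above and flags what the dictionary method depends on: a real hash stored in the world-readable passwd file instead of a shadow marker, an empty password field, and a second UID-0 account. The code follows the field order in passwd(5), in which the third field is the UID and the fourth is the GID. It also includes the kind of check an administrator who "checks the passwords" would run at password-set time, rejecting dictionary words and their trivial variants (case changes, digits or punctuation on the end, letter/digit swaps). The sample passwd lines and the word list are constructed for the example; joeschmoe's line is the one shown above.

```python
"""Audit helpers for the /etc/passwd format described above.

Added example, not code from the original text.  Field order follows
passwd(5): name:password:UID:GID:GECOS:home:shell.  All inputs below are
constructed for the example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class PasswdEntry:
    name: str
    password: str   # second field: a hash, or a marker such as 'x' or '*'
    uid: int
    gid: int
    gecos: str      # the "real name" field
    home: str
    shell: str


def parse_passwd_line(line: str) -> PasswdEntry:
    """Split one passwd line on ':' into its seven fields."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError(f"expected 7 colon-separated fields: {line!r}")
    name, password, uid, gid, gecos, home, shell = fields
    return PasswdEntry(name, password, int(uid), int(gid), gecos, home, shell)


# Values that mean "no hash stored here": shadowed ('x') or locked ('*', '!').
NO_HASH_MARKERS = {"x", "*", "!", "!!"}


def audit_passwd(text: str) -> dict[str, list[str]]:
    """Return findings keyed by username.

    Flags a real hash sitting in the world-readable file instead of a
    shadow marker (what the dictionary method needs), an empty password
    field (no password asked at all), and a UID-0 account other than root.
    """
    findings: dict[str, list[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        e = parse_passwd_line(line)
        problems = []
        if e.password == "":
            problems.append("empty password field")
        elif e.password not in NO_HASH_MARKERS:
            problems.append("password hash exposed in passwd (not shadowed)")
        if e.uid == 0 and e.name != "root":
            problems.append("UID 0 on non-root account")
        if problems:
            findings[e.name] = problems
    return findings


# Constructed sample; joeschmoe's line is the one shown in the text.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
joeschmoe:naVwowMManasMMo:10:200:Joe Schmoe:/users/joeschmoe:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/sh
guest::1002:1002:Guest account:/home/guest:/bin/sh
toor:x:0:0:second root:/root:/bin/bash
"""

# Constructed word list in the one-word-per-line format shown above.
DICTIONARY_TEXT = """\
helix
hell
hello
hellcat
password
secret
"""

# Common letter/digit swaps that a word list does not spell out.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})


def load_dictionary(text: str) -> set[str]:
    return {w.strip().lower() for w in text.splitlines() if w.strip()}


def password_in_dictionary(candidate: str, words: set[str]) -> bool:
    """True if the candidate is a dictionary word or a trivial variant of one
    (case change, digits or punctuation tacked on the end, letter/digit swaps).
    Run this when a password is *set*, so the file never holds a hash the
    dictionary method above can reproduce."""
    base = candidate.lower()
    stripped = re.sub(r"[\d\W_]+$", "", base)   # drop trailing "123", "!", "_1"
    variants = {base, stripped, base.translate(LEET), stripped.translate(LEET)}
    return any(v in words for v in variants if v)


if __name__ == "__main__":
    for user, problems in audit_passwd(SAMPLE_PASSWD).items():
        print(f"{user}: {'; '.join(problems)}")
    words = load_dictionary(DICTIONARY_TEXT)
    for pw in ("Hello123!", "h3llo1", "correct-horse-battery"):
        print(f"{pw!r}: {'weak' if password_in_dictionary(pw, words) else 'ok'}")
```

Run against the constructed sample, the audit reports joeschmoe (hash exposed), guest (empty password) and toor (a second UID 0), while root and alice pass; the policy check rejects "Hello123!" and "h3llo1" because both reduce to the word "hello", and accepts the passphrase that matches no listed word.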
A server used by computer security experts will not be nearly as
susceptible to this kind of attack (or any, for that matter) as one which
is used by average people for e-mail and internet access.

The second kind of attack, the exploit, is a more difficult one, but it
usually has greater rewards, including the possibility of getting total
control of the system. Exploits work by using a piece of software in such a
way as to compromise the security of the system. One of the most popular
programs to use in this way is sendmail. Sendmail is most susceptible
because it must be open to public access to allow mail to be transferred
into and out of the system. Usually a buffer, an area in memory where the
system stores program information, is overwritten using sendmail. The
experienced hacker can transfer his own program code into the buffer so
that while the system thinks it is simply running the mail retriever it is
actually copying a shell program into a public access directory and giving
it superuser privileges. Another type of exploit involves causing a program
which has superuser privileges to change your group ID to 1, root, which
effectively makes you the administrator of the system.

Most of the time, these two types of attacks are used together. The hacker
will first get a login with brute force to gain access to the outer level
of the system, and then from there use an exploit of some kind to gain root
privileges.

After attaining root access, the hacker will install one or more 'back
doors' to allow himself access to the system again. A very common one is
taking the source code of the login program and modifying it to accept a
certain password for any user, as well as the user's own password. An
example of a function in C that could do this would be:

    #include <string.h>

    /* the variable entry is the password that the user entered;
     * the variable access determines whether or not to allow the
     * user into the system.  If *access is set to 1, the user is let in. */

    /* the login program's normal hash-and-compare routine, defined elsewhere */
    void cryptcheck(const char *entry, int *access);

    void check_backdoor(const char *entry, int *access)
    {
        /* C strings are compared with strcmp(); "==" would only compare pointers */
        if (strcmp(entry, "mybackdoor") == 0) {
            *access = 1;
            return;
        }
        cryptcheck(entry, access);
    }

In this example, mybackdoor would be the password that could be used on any
user account. If mybackdoor was not the entry, then the password is hashed
and checked against the password in /etc/passwd, which allows the back door
to function without being noticed by anyone, including the administrator.

I hope this information has been helpful in teaching you about the basis of
hacking. For more information, visit my home page or drop me an e-mail.

KwAnTAM_PoZeEtroN
Leader of the Black Angels
Ringmaster of the Ruiners Webring
Head of Psychotic security
http://kwantam.home.ml.org
kwantam@mailhost.net