A Beginner's Guide To Unix -------------------------- The information contained in this file is by no means new or original. I was simply asked to compile some basic commands and concepts for the access and use of Unix systems. I would like to give credit to the many other files which I have gained this information from, and to the people who have helped me learn what I know today. I will not cover any detailed or complicated features of Unix. I am merely going to provide the means to access low-security systems and navigate the shell. Access: ------- All Unix systems are provided with default accounts. They are used for system administration and such. Many system operators are too lazy or naive to remove them. You may find the following accounts on a system, with no passwords: daemon uucp bin adm sysadm admin sysadmin nuucp sync Others may have been added, such as: user guest demo test public help field system operator You can also try common first or last names (john,fred,smith,etc...). Be sure to use lowercase for the login name. If you enter a capital letter as the first character, the system will assume that you terminal is incapable of displaying lowercase. From then on, in order to enter capital letters you must precede each by a "\". This can become quite annoying, and you will probably never see an account with a capital letter as the first character. Of the above defaults, the uucp or nuucp accounts are often used for Unix to Unix communications (uucp stands for Unix to Unix CoPy). If this is the case, the system will give send the uucp identifier, "Shere". In this case, the account is basically useless unless you can call via another system through the uucp command. The sync account is a self-running Unix management account. If present, it will run a few housekeeping chores and log off. The only reason I included this is that many systems provide a greeting message or something of the sort when you log on as sync. Occasionally you can obtain information which will help you find an account. If you cannot get in via the above methods, try using "who". If present, it will display a list of all accounts currently online. You can try those and hope they have no password. If you are desperate, just hack blindly. Often the login name and password are the same. You can also try initials (as in names...rlb,jhs, etc...). Once you are in: ---------------- If you make it through the front door, you do not necessarily have access to the shell. Often accounts have programs run automatically for specific users, such as system administration programs (useful), accounting programs, etc... In this case, you can try to break out of the program (either through a menu option or a loophole). Try various escape/break related control characters (escape [ascii 27], ctrl-c [ascii 3], etc...). When you are in the shell, you will be greeted by one of two prompts. Either a "$", denoting basic access, or a "#", denoting superuser access. If you have superuser access, most of your work may be done (depending on other security measures that have been taken). Either way, the following will help you get higher access. First, you'll need some basic commands for moving around: stty This command sets your terminal characteristics. Before you attempt anything else, you should set some important ones. First, your delete character. Many systems do not use the common ctrl-h [ascii 8]. Also, the delete on your computer may not be the standard ctrl-h. To set your delete character, type: stty erase (character) Do not use the parentheses. Spacing is important. You can replace (character) by hitting your own delete key, or typing a control key sequence. If you would like to enter something a bit more visual to reassure yourself, you can use: stty erase \^(character) To enter a control character without actually hitting control. Replace character with the desired control character. Ex: stty erase \^h Sets the erase character to ctrl-h. If you make a mistake doing this, hit return and start over (obviously if the system does not know your erase character, you cannot edit your mistakes). Once your control character is set, you will want to set your break character. This is vital for file editing, which we will cover shortly. To set the break character, type: stty intr (character) The same options as the delete character apply. To view the current setting, simply enter stty by itself. Often, the system will already be configured to your liking. Occasionally, the stty command will not display the erase or break (intr) characters, in which case you should enter them to be sure. All control characters will be displayed in the ^(character) format. ls This is the list-files command. It will show the names of all non- hidden files in the current directory. The display will either be a single list or multi-column display. The command lc toggles between the two. In either case, the files will be sorted alphabetically (numbers first, followed by most punctuation symbols, then capital letters, and finally lowercase letters). ls has many options, which I will cover later. pwd Displays the current directory path from the root directory (/). cd Change directory. Those familiar with the MS-DOS environment will have no trouble with this command. To change directories, simply supply a path from the root directory. To go to the "lib" directory, within the "usr" directory, you would enter: cd /usr/lib cat Displays a file. Often it is difficult to differentiate between text files and data files. If you wish to abort the display, type your break character. Cat requires the full pathname to access files outside the current directory, but for files within the current directory, the filename will suffice. Ex: cat /etc/passwd Will display the passwd file within the etc directory. This file is present on all systems. It is immensily useful in gaining higher access (basically, it is necessary to gain any access). These commands will help you for now. After setting your terminal options, enter: cd /etc We will be doing most of our work in there for the time being. You should have had your buffer on long before this on the system, but turn it before executing the following command if you haven't: cat /etc/passwd Often these files are quite large, so after a while you may want to abort it. Often what you are looking for will be within the first few lines. Each line of the passwd file represents an individual user. There are seven fields to each entry. A typical entry looks like this: user:x:100:100:Elmo:/usr/user:/bin/sh The first field is the login ID. The second is the password field. In newer releases, it will contain an "x". Older releases may contain the actual encrypted password (a string of seemingly random characters). On new systems the encrypted password are found in the /etc/shadow file. The third field is the user ID number. Fourth is the group ID number (more on groups later). Fifth is merely a comment about this user (often their name, or in an administrative account, its duties). Sixth is the home directory. The system will place you in your home directory when you log on. The final field contains the path and file names for the default shell or program. If this field is empty, the system defaults to /bin/sh. You cannot gain a user's password via this file. You may be able to obtain access through a higher account, however. When looking for high-level accounts, you will want to examine the fourth field. The lower numbers often denote administrative accounts. The group "root" belongs to is most likely what you will want. To discover more about the groups, view the /etc/group file. This contains the group names, the encrypted password required to change into/out of this group (almost always "NONE"), the group ID number (to compare to the passwd file), and a list of the group's members. You will want to scan the passwd and group files to find any accounts that belong to the same group as root, or a group which root is in. Often root will be the only member of its group, so you will have to look for other administrative account groups (those containing such accounts as adm,admin, sysadm,sysadmin and so on). Once you have found these accounts, you can attempt to gain their access. The command: su (login ID) allows you to essentially "become" that user. Replace (login ID), of course, with the account you want to assume. If the account has no password, the process is automatic. Otherwise, you will be prompted for a password. You can try the login ID as a password, but this may not work. If it does, make a note of it. Otherwise, you can try other methods, or go on to another account. Hopefully, you will find an account with no password. If you have found an older system, without the /etc/shadow file, an empty password field (::) will tell you immediately which accounts do not have passwords. If it is a newer system, it will contain an "x" regardless of the presence of the password status. If you find yourself in this dilemna, you may still be able to find an list of those accounts without passwords. If you have the superuser ("#") prompt, you may be able to read the /etc/shadow file. The format for this file is: login ID:(encoded pw):6480:14:28 The first field is the same as the login ID found in the /etc/passwd file. Each entry in /etc/passwd should have a corresponding one in /etc/shadow. The second field will be blank, denoting no password, or contain the afformentioned "random" characters. Third is a numeric code describing when the password was last changed. Fourth and fifth are the minimum and maximum number of days between mandatory password changes. Often the last two fields are empty, which means users are not required to change thier passwords. Here, again, you should look for any accounts without passwords, and examine the group file as mentioned. Now, hopefully, you will have some decent access. Many of the accounts with no password are that way for a reason - they do not allow shell access; but that never stopped anyone. If you discover an account that runs a program and then logs off, or runs a program which allows you to interact in a boring way, you can use this to your advantage. Look in the seventh field of this account's passwd information. It will contain the path and filename of the program being run. At this point, security on most systems is extremely low. Many system operators are sure that by stopping you from directly getting access, they have stopped you totally. By "tricking" the system, you can get access indirectly. If you find a program being run, go back to the account which gave you shell access. Then enter the directory where the program was (do not include the file "/" and the filename). You want to change the filename of the program. To do this, type: mv (filename) (backup filename) To change /usr/prog to /usr/prog.b, you would enter: mv /usr/prog /usr/prog.b Make sure you remember the filename you give it. It is also a good idea to keep it in the same directory. Now, you have to create a dummy file to replace it. We will have to use the "ed" file editor to do this. MAKE SURE YOU HAVE SET YOU BREAK CHARACTER. You cannot use ed without having a break character. To make the file, type: ed (filename) Where (filename) is the name of the file you just renamed. Use the OLD name (the one in the passwd file)! ed will respond with: ?(filename) meaning the file does not exist yet. Some basic ed commands are: q Quit. If you attempt to quit after making changes, ed will not quit until you hit "q" again (this is to remind you to save changes). w Write file (saves all the changes you make). ,p Displays all lines. /(string) Searches the buffer for (string), and displays that line. a Add lines (starting at the current line). i Insert lines at the current line. d Delete the current line. h Turns help on (shows verbose error messages). Entering a line number will bring you to that line. When editting a file which already exists, ed will show you the current number of bytes in the file rather than "?(filename)". If you attempt to write a file, and ed replies with "?(filename)", you do not have access to write that file. Now, back to the dummy file. Type "a" to add lines. Enter: echo "Blah" /bin/sh Then, after pressing return on the /bin/sh line, type your break character. Write the file and quit the editor. You now have your dummy program set up. The command "echo" is a simple print command. You can enter as many as you like, or none at all. They are merely to reassure you that your program is running. The important part of this is the "/bin/sh", which runs the shell program. You must now give all users access to your program, so the account will be able to use your newly created program. Type: chmod +rwx This will give read, write, and execute permissions to all users (more on permissions some other day). You should now logon again as the account which uses this program. If you did everything right, you should now have control of the shell, hopefully with superuser access ("#" prompt). If you still do not have superuser access, go back and try something else. Be sure to do the next few steps whether it works or not, to insure your continued use of the system. Delete your dummy program by typing: rm (filename) Be sure to include the directory path in the filename, as before. Now, rename the old file back to its original name (just reverse the filenames in the previous rename command). Now everything is back to normal. If you did not get access, you will have to go back to your old account to set the files back to normal. Make sure you do this, or you may cause damage to the system. This will result in higher security. Also, real hackers never damage systems for without cause. Laziness is not an excuse. If you are still without decent access, you will have to consult another file. I may write another soon on more ways to gain access, but for now, this should help enough people. From now on, I will assume you have achieved superuser access within an administrative group. You will most likely want an account of your own now. Use the ed command to edit the /etc/passwd file. Somewhere in the mid-beginning section (within the first 4-12 lines), add an account using one of the default account not already present (from the first list, if possible), or commandeer an unused (be sure it is unused) default account already there. Set you ID number and group to those of the root account (usually 0:3). Set your directory wherever you like, and set the shell filename to either /bin/sh, or leave it blank. In the password (second) field, what you enter depends on the system. If it is an older system where the encrypted passwords are stored in the passwd file, just enter whatever password you like there. The system will encrypt it for you when you save it. If it is the newer "x" system, put an "x" there, and do the following, otherwise skip this. New system users will have to enter the command: /etc/pwconv This command will recreate the /etc/shadow file based on the information in the passwd file. Just to be sure, ed the shadow file, and leave the password field blank for your newly created account (use the /(string) command within ed to jump directly to your login ID). Now, you can call back as your new account. You should enter: passwd to create a password for your account if it doesn't already have one. If all has gone well, you now have an account of your own. I will now give a list of other commands which you can play around with. Unix commands: -------------- banner (string) This is a "fun" command, which will take (string) and expand it into block letters on your display. write (user) Will send a message to another user. After entering the command, the system will wait for you to type a message and terminate it with your eof character. Change your eof character by entering: stty eof (character) wall Like write, but sends to all users. who Displays a list of everyone online. mail (user) Send email to any user in the passwd file. To read your mail, just type mail. exit Logout of the system. I should have mentioned this before, but I forgot. You can also use your eof character at the shell prompt to logout. echo Prints text or variables, as shown before. env Display all variables in your environment. More on shell variables soon. rmdir (directory) Delete a directory. mkdir (directory) Make a directory. cp (original) (backup) Copy a file. grep (string) (filename) Searches through (filename) until it finds (string), and then displays the entire line (string) was found on. date (time & date) Alone, date displays the time and date. It can also be used to set it. cal (date) Alone, cal displays a calendar of the current month. With optional month and year, it will display any year from 1 to 9999. There are many more commands, but to explain them all could take forever. Most systems contain online help files which you can access by typing either: man (command) or: help (command) For a list of commands, look in the various "bin" directories. They contain the actual programs. Variables: ---------- The shell allows the use of variables. All variables are represented by capital letters. You can create your own, or view/change standard system variables. Some standard variables are: PATH This will show the order the shell searches in to find commands. You will most likely find a number of directories ending in "bin". An example could be: :/bin:/usr/bin:/usr/lib/bin:/etc This means that when you type a command, the system checks to directories in that order before finally giving up and reporting an error if the command is not found (All commands are files). PS1 This is the main shell prompt, usually "$" or "#", depending on your access. You can change this to whatever you like. TERM Some systems keep track of what type of terminal you are using, for use in formatting output (usually through other programs). LOGNAME The login ID you are using. HOME Your home directory. TZ Timezone. MAIL The file your mail is sent to. There are others, but they tend to vary with the account. Enter the env command to display the variables in use. Variables you create within shell programs (such as the dummy program that was discussed before) retain thier values for the life of the program only (they do not affect the other shell variables). You can change a variable like this: TERM=ansi Whenever you want to view a variable, or use it for another purpose, precede it with a "$". Ex: echo $LOGNAME will display your login ID. Misc: ----- I seem to have run out of memory, so forget it for now. Hopefully I'll write so more soon... - Midnite Raider [4] Tfiles: (1-8,?,Q) :