The *NIX Black-Hat Hackers Guide
by: ÇÉRßÉRܧ, Leader of Hackers Against Tyranny Everywhere
www.geocities.com/ares_102/
ares@armory.com

What is this Black Hat stuff all about?

A Black Hat hacker is someone who is not really concerned with learning about hacking for security-related purposes. Basically, they enjoy hacking, but are not necessarily criminals. They don't necessarily break into computers that are illegal to break into, etc. That being said, we at HATE do not encourage computer-related crime, or any other crime for that matter. The information contained within this guide is for informational/entertainment purposes only; if you want to break into systems, find someone who is hosting a war games server, and then play with their server.

With all the legal stuff taken care of, let's get started. This guide is for the black hat community, and it is about *NIX-based hacking. *NIX is an abbreviation for all flavors of Linux, Unix, etc. If you have no idea what Linux is, check out http://freeos.com and pick yourself up a distro. I recommend Red Hat (and so does Linus Torvalds, the creator of Linux). Now then, if you just set up your *NIX box, this is going to be a little difficult for you; you really should learn basic *NIX navigation, including, but not limited to, basic commands, basic configuration file experience/knowledge, etc. There may be a tutorial on the aforementioned topics on the HATE site; I don't see why not, and at least it's worth a shot.

Now that we are all acquainted with *NIX, let's get to the gritty part. I hope you installed ipchains, or another firewall. We are going to be issuing a few rules, to slightly deter tracing of our IP.

  /sbin/ipchains -A input -j DENY -p icmp

disables all ICMP packets. Make the following scripts and place them in /usr/bin:

icmpon:

  #!/bin/sh
  # This enables ICMP packets, so you can quickly traceroute, ping, etc. a victim.
  # -D deletes only the ICMP rule; the original -F would flush every rule in
  # every chain, including anything else you have set up in ipchains.
  /sbin/ipchains -D input -j DENY -p icmp

icmpoff:

  #!/bin/sh
  # This disables ICMP packets, to discourage any tracing by nosy sys admins.
  /sbin/ipchains -A input -j DENY -p icmp

I suggest you check out the possibilities of ipchains, but that is the only rule we will REQUIRE in this tutorial, for obvious security concerns.

TARGET SELECTION

Pick your target. If you're new at this, do a search for a net.backwater ISP, or in other words an ISP out in the middle of nowhere that still doesn't offer broadband access. This is so that odds are the sys admin(s) at this ISP don't know as much, but at the same time, it increases the odds of WIN NT systems; I prefer *NIX, and this is what this tutorial is about. Now then, since you were a good little boy/girl, and you found yourself a net.backwater inbred ISP, and wrote the scripts I told you to, do the following:

  icmpon
  /usr/sbin/traceroute TARGET

Now then, /usr/sbin is normally where traceroute is, but it may reside in another directory; I suggest you make a symbolic link in /bin or /usr/bin to traceroute. You should have something similar to the following:

   1  router.vb.quik.com (216.176.5.254)  128.099 ms  120.557 ms  119.892 ms
   2  887.ATM1-0.GW2.RIC2.ALTER.NET (65.195.226.221)  125.275 ms  119.620 ms  119.721 ms
   3  505.at-3-0-0.XR2.TCO1.ALTER.NET (152.63.37.226)  129.682 ms  129.528 ms  129.754 ms
   4  292.at-7-1-0.XL2.DCA8.ALTER.NET (146.188.162.249)  129.758 ms  129.465 ms  129.737 ms
   5  POS7-0.BR2.DCA8.ALTER.NET (152.63.35.193)  129.711 ms  129.449 ms  129.821 ms
   6  sl-bb20-rly-6-0.sprintlink.net (144.232.18.169)  129.697 ms  129.557 ms  129.730 ms
   7  sl-gw11-dc-0-0-0.sprintlink.net (144.232.25.220)  149.760 ms  139.453 ms  139.735 ms
   8  sl-gw10-dc-0-0-0.sprintlink.net (144.228.20.10)  129.857 ms  129.622 ms  129.656 ms
   9  sl-sumter-1-0-0.sprintlink.net (144.228.108.218)  179.816 ms  179.439 ms  179.742 ms
  10  ns4.sumter.net (208.136.80.12)  189.753 ms  179.481 ms  179.777 ms

In this case, I chose an ISP that I liked back at home, sumter.net. I DO NOT, I REPEAT, NOT ENCOURAGE ANYONE TO DO ANYTHING TO SUMTER.NET. THERE ARE GOOD PEOPLE AT THAT ISP, I HAPPEN TO LIKE THEM!!!
Anyways, re-enable the ICMP blocking now.

Alright Cerberus, of what use is this?! Well, this provides a whole lot of information for the black-hat type. This is a route from your system to theirs, and every system in between. It's pretty safe to ignore everything that says ALTER.NET; this is the internet "backbone". We're mostly concerned with #10, the target. Now then, ns4.sumter.net may not seem very useful, but we can make the following determinations:

1.) It is a name server.
2.) There are at least 4 name servers owned by sumter.net.
3.) This is not exactly one of the faster servers. The ms numbers are the ping time in milliseconds; you may want to select another system, with a faster/slower connection, depending upon your view.
    A.) A faster connection means less waiting.
    B.) A slower connection could mean several things:
        I.) There is a lot of network traffic (which means that even if they do log every connection/packet, chances are they may overlook our activity).
        II.) Their connection is terrible. (This means it is definitely a net.backwater.)

Now then, 190 ms isn't slow, or bad at all, so I'll stick with sumter.net, and I know from experience that it is a net.backwater. So we got ourselves a toy--DNS. Now type the following in a terminal:

  nslookup -query=any sumter.net ns4.sumter.net

and you get:

  Server:   ns4.sumter.net
  Address:  208.136.80.8#53

  sumter.net  nameserver = ns1.sumter.net.
  sumter.net
          origin = ns1.sumter.net.
          mail addr = hostmaster.sumter.net.
          serial = 99122001
          refresh = 10800
          retry = 3600
          expire = 604800
          minimum = 86400
  Name:     sumter.net
  Address:  208.136.80.12

Okay, what's all this about? Well, we were hoping for SMTP entries, but not all is lost. Let's try:

  whois sumter.net

and we get:

  [whois.crsnic.net]

  Whois Server Version 1.3

  Domain names in the .com, .net, and .org domains can now be registered
  with many different competing registrars. Go to http://www.internic.net
  for detailed information.
     Domain Name: SUMTER.NET
     Registrar: THE REGISTRY AT INFO AVENUE D/B/A IA REGISTRY
     Whois Server: whois.iaregistry.com
     Referral URL: http://www.iaregistry.com
     Name Server: NS1.SUMTER.NET
     Name Server: NS4.SUMTER.NET
     Name Server: NS2.CW.NET
     Updated Date: 13-jun-2001

  >>> Last update of whois database: Sat, 29 Sep 2001 05:50:16 EDT <<<

  The Registry database contains ONLY .COM, .NET, .ORG, .EDU domains and
  Registrars.

  [whois.iaregistry.com]

  Access to the WHOIS database of The Registry at Info Avenue(SM) is for
  informational purposes only. This information is made available "as is,"
  and its accuracy is not guaranteed. The compilation, repackaging,
  dissemination or other use of The Registry at Info Avenue(SM)'s WHOIS
  information in its entirety, or a substantial portion thereof, is
  expressly prohibited without the prior written consent of The Registry
  at Info Avenue(SM). By accessing and using our WHOIS information, you
  agree to these terms.

  Registrant:
  Tim Brown
  703 Bultman Drive
  Sumter, SC 29150
  US

  Registrar..: IARegistry.com (http://www.iaregistry.com)
  Domain Name: SUMTER.NET

  Created on..............: 07-Oct-1996
  Expires on..............: 06-Oct-2001
  Record last updated on..: 02-Oct-2000

  Administrative Contact:
  Failmezger, Gene  GeneFailmezger@ftc.org
  Farmer's Telephone Cooperative INC
  631 N. Pike West
  SUMTER, SC 29556
  US
  +1.803.469.5316 (FAX) +1.803.469.5283

  Technical Contact, Zone Contact:
  Failmezger, Gene  GeneFailmezger@ftc.org
  Farmer's Telephone Cooperative INC
  631 N. Pike West
  SUMTER, SC 29556
  US
  +1.803.469.5316 (FAX) +1.803.469.5283

  Name servers for this domain:
  NS1.SUMTER.NET   208.136.80.2
  NS2.CW.NET       204.70.57.242
  NS4.SUMTER.NET   208.136.80.8

Hmmm..... no SMTP or any other entries..... interesting. Well, do we give up? I don't think so. We have plenty of info to get an SMTP address: we got a technical support # (social hacking), and most importantly, we have three of their name servers. Also, we have the name of the organization, the city, and who owns it.
It appears that the local telephone monopoly bought out sumter.net a while ago; FTC is the Farmers Telephone Cooperative. So, we check out their website, etc. From this, we can get FTP, SMTP, etc. server addresses (or we could guess them). Either way, if you decide to guess the SMTP servers, try mx1.DOMAIN, or smtp.DOMAIN, or mail.DOMAIN, etc. This is what I was able to find out at the sumter.net website: ftp.sumter.net is their FTP server; sumter.net is the address for both SMTP and POP3 mail.

Well, my favorite is SMTP, so we'll try that first. Enter the following:

  telnet sumter.net 25

This is the telnet program, which allows a remote connection to their machine on the specified port. The beauty of *NIX is that you can telnet to non-telnet ports, unlike in Windows. Okay, you get the sendmail version, etc.:

  Trying 208.136.80.12...
  Connected to ns4.sumter.net (208.136.80.12).
  Escape character is '^]'.
  220 mail.sumter.net ESMTP Sendmail 8.9.3/8.9.3; Sat, 29 Sep 2001 18:30:44 -0400
  telnet> Connection closed.

Okay, we got a sendmail version number at first glance. We'll come back to this; we'll see if we can't find out more with the ftp address.

  telnet sumter.net ftp

(if you don't recall the port #, you can just specify the service)

  Trying 208.136.80.8...
  Connected to status.sumter.net (208.136.80.8).
  Escape character is '^]'.
  220 ProFTPD 1.2.0pre1 Server (ns1.sumter.net) [ns2.sumter.net]

Kewl, we got ProFTPD. I happen to like this one; for some strange reason, it does have a decent amount of exploits out for it. Well, let's go hunt up some exploits. For this, we will need an exploit-devoted website (neworder.box.sk, bugtraq.com, astalavista.com are some). Okay, so let's suppose we STILL didn't find any exploits... now what?
If you've exhausted *ALL* of your resources, and still no luck, try doing a portscan on a few of the systems. I would recommend just telnetting to known services. The port numbers for common services are in /etc/services. But, if you're like me, and you might suspect they are running standard services on non-standard ports (i.e. SMTP on port 30), then you will want to port scan them. This is dangerous, to a degree. They will probably log such activity, so I suggest you use nmap (insecure.com/nmap). Syntax should be:

  nmap -sS -O -p 7-500 -P0 ns4.sumter.net

This uses a SYN stealth scan (most recommended by the nmap authors), guesses the remote operating system, scans ports 7 through 500, and disables pinging with -P0 (we disabled pinging anyhow, right? Note that the ping switch is a capital P; a lowercase -p is the port list). You should get something like:

  Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
  Interesting ports on status.sumter.net (208.136.80.8):
  (The 488 ports scanned but not shown below are in state: closed)
  Port       State       Service
  21/tcp     open        ftp
  23/tcp     open        telnet
  53/tcp     open        domain
  80/tcp     open        http
  98/tcp     open        linuxconf
  111/tcp    open        sunrpc

  TCP Sequence Prediction: Class=truly random
                           Difficulty=9999999 (Good luck!)
  Remote operating system guess: Linux 2.0.35-38

  Nmap run completed -- 1 IP address (1 host up) scanned in 13 seconds

We got lots of toys now! The only thing that is discouraging is that nmap calculates difficulty ratings, and this one made a 9999999. This could just be something the admin planned, possibly a bug in nmap, who knows/cares. Well, on the good side, we did get a positive ID on the kernel/OS. It's running Linux, the kernel version is 2.0.35-38. Well, let's check out one of the most dangerous services they run: telnet.

  telnet sumter.net

  Trying 208.136.80.8...
  Connected to status.sumter.net (208.136.80.8).
  Escape character is '^]'.

  Red Hat Linux release 5.2 (Apollo)
  Kernel 2.0.36 on an i586
  login:

Moving along, we remember the machine that was running our friend SMTP, right?
To refresh your memory, it is mail.sumter.net. Well, we could portscan again, but I'd leave that until DEFINITELY later. I try to only do 1 or 2 portscans per target. Well, let's check out mail.sumter.net:

  telnet mail.sumter.net 25

  Trying 208.136.80.12...
  Connected to ns4.sumter.net (208.136.80.12).
  Escape character is '^]'.
  220 mail.sumter.net ESMTP Sendmail 8.9.3/8.9.3; Sat, 29 Sep 2001 18:30:44 -0400

Okay, now type:

  expn root

Okay... we know there is a root user. Try this:

  expn fdyufgdyuftg478326543

and you get:

  550 fdyufgdyuftg478326543 user unknown

Now let's try:

  vrfy root
  250 root

Okay, one more thing, for a worst-case scenario:

  vrfy john
  250

Now, we have the task of looking up any reports of bugs/exploits. You should spend about an hour or so searching. We know several things about the services that sumter.net runs, and they are:

1.) Sendmail 8.9.3
2.) Red Hat Linux release 5.2 with the 2.0.36 kernel (outdated).
3.) ProFTPD 1.2.0pre1 Server (I know for certain there is an exploit out for this one, but I'll leave that up to you to discover on your own).

Well, that's about all we have right now. So what next? On a hunch, we can traceroute ftc.net and the other DNS server, ns2.cw.net, then we could perform whois inquiries, etc. These of course lead to dead ends; the ftc.net network is in no way sharing any network resources with sumter.net, which means fewer systems that might be vulnerable.

Now is when we make an important decision: there are two paths to go from here. One is to snoop some more; the other is to crack an account and exploit sumter.net through their telnet/ftp services. There is nothing wrong with cracking; that is why we verified that our friend john had an account. If you should decide to go the cracking way with the TARGET, keep a few things in mind:

1.) Only crack from safe (i.e. not yours) systems.
2.) The higher the connection speed, the better.
3.) Privacy is the key. University computers are the best for this, but they often don't run *NIX.
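The expn/vrfy session above is exactly what a mail admin's logs should be watched for. This added example (not from the guide) parses constructed Sendmail-style log lines for VRFY/EXPN commands and flags any source that probes several addresses, or throws a random string at the server the way "expn fdyufgdyuftg478326543" does to calibrate the "user unknown" reply. The log line layout is my assumption of how a Sendmail logging VRFY/EXPN would write it, and the hostnames and IPs are made up.

```python
import re
from collections import defaultdict

# Constructed Sendmail-style log lines (not from the guide): one session
# enumerating addresses as in the expn/vrfy exchange above, plus a single
# routine VRFY from a partner mail exchanger.
SAMPLE_LOG = """\
Sep 29 18:30:44 ns4 sendmail[4211]: NOQUEUE: evil.example [10.9.8.7]: EXPN root
Sep 29 18:30:51 ns4 sendmail[4211]: NOQUEUE: evil.example [10.9.8.7]: EXPN fdyufgdyuftg478326543
Sep 29 18:31:02 ns4 sendmail[4211]: NOQUEUE: evil.example [10.9.8.7]: VRFY root
Sep 29 18:31:10 ns4 sendmail[4211]: NOQUEUE: evil.example [10.9.8.7]: VRFY john
Sep 29 18:31:15 ns4 sendmail[4211]: NOQUEUE: evil.example [10.9.8.7]: VRFY jones
Sep 29 18:35:00 ns4 sendmail[4220]: NOQUEUE: mx.partner.example [192.0.2.9]: VRFY postmaster
"""

# Assumed log layout: "<timestamp> <host> sendmail[pid]: <qid>: <peer> [<ip>]: <CMD> <arg>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: \S+: "
    r"(?P<host>\S+) \[(?P<ip>[\d.]+)\]: (?P<cmd>VRFY|EXPN) (?P<arg>\S+)$"
)


def parse_probes(log_text):
    """Return a list of (ip, cmd, arg) for each VRFY/EXPN command logged."""
    probes = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            probes.append((m.group("ip"), m.group("cmd"), m.group("arg")))
    return probes


def looks_random(arg):
    """A long mixed letter/digit token with no '@' or '.' is almost certainly
    a calibration probe, not a real address."""
    return (len(arg) > 12 and "@" not in arg and "." not in arg
            and re.search(r"\d", arg) is not None
            and re.search(r"[A-Za-z]", arg) is not None)


def find_enumerators(log_text, threshold=3):
    """Group probes by source IP; flag sources that issue at least `threshold`
    VRFY/EXPN commands or any random-looking argument.
    Returns {ip: sorted list of probed arguments}."""
    by_ip = defaultdict(list)
    for ip, _cmd, arg in parse_probes(log_text):
        by_ip[ip].append(arg)
    flagged = {}
    for ip, args in by_ip.items():
        if len(args) >= threshold or any(looks_random(a) for a in args):
            flagged[ip] = sorted(set(args))
    return flagged


if __name__ == "__main__":
    for ip, targets in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip} enumerated {len(targets)} addresses: {', '.join(targets)}")
```

Sendmail can also refuse these commands outright via its PrivacyOptions (novrfy, noexpn, or goaway), which turns the whole probe into a 502 and makes the detection above purely a record of who tried.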
There are 2 alternatives: one is to DL a mini-distro, the other is to get a Windows cracking program and have fun. I suggest you decide; the mini-distro idea is good, but it is obvious that you're doing something you shouldn't. The Windows cracking idea is safe, but you'd have to use Windows, which is unstable as all get-out. The choice is yours. If you go with a mini-distro, I suggest TRINUX (http://trinix.org), and wwwhack (http://wwwhack.com) for the windoze cracking tool. TRINUX is designed to be used in a LAN-only environment, but there is PPP support as of 16 JAN 2002. Therefore, you may still be limited to Windows. The choice is yours.

Now then, once you have decided how you're going to crack the account, you need to think of WHERE you're going to do it. You have several options:

1.) FTP
2.) Telnet
3.) POP3 Mailbox
4.) http-based mailbox

sumter.net offers all of these to their users, another advantage of visiting your TARGET'S website. However, I recommend against using a telnet tool; we are not 100% certain that their users are granted telnet access.

**Hey Cerberus, couldn't I just crack the root account on the telnet service?

The answer is probably no. Two reasons:

1.) The root password is probably EXTREMELY difficult to crack, as every sys-admin wannabe uses difficult passwords.
2.) Unless the wannabe sys admin is an idiot and enabled root login (which as a rule is DISABLED), you cannot login as root even if you had the correct pwd.

Number 1 is trivial, but #2 is where the headache is (glad I told you, aren't you?). That plus, cracking of the root account is usually monitored more strictly than a mortal's account. Well, that's your targets/strategy. Good luck cracking.

For the rest of us that would rather snoop, we still have a few options, although they are getting slimmer and slimmer. We can always do several things:

1.) Write an e-mail to a user on sumter.net asking something stupid, to get a reply.
    Then you can get their IP from their e-mail, then perform a traceroute on it (more systems/TARGETS).
2.) Portscan the machines in between sumter.net and ALTER.NET. This could be useful, especially if one of the machines is running netstat/finger services.

Let's try 2 first. Let's pick one hop from sumter.net: 144.228.108.218 is the next target. No problem:

  telnet 144.228.108.218 netstat
  telnet 144.228.108.218 finger

CONNECTION REFUSED. FUCK. NEXT TARGET. 144.228.20.10

  telnet 144.228.20.10 netstat
  telnet 144.228.20.10 finger

SAME AS ABOVE. NEXT. 144.232.25.220

  telnet 144.232.25.220 netstat
  telnet 144.232.25.220 finger

REFUSED. LAST ONE. 144.232.18.169

  telnet 144.232.18.169 netstat
  telnet 144.232.18.169 finger

REFUSED. Well, now what? We could nmap a few of those, but let's get a victim's e-mail; we'll use someone other than John. Time to telnet to mail.sumter.net smtp and try vrfying jones. Alright, we got jones. Time to e-mail them.

Alternatively, and I recommend this, you can sign up for a month or so with the ISP (if your target is indeed an ISP). This is a highly recommended tactic, as your opportunities are greatly enhanced when you are a client of the ISP. For instance, the other day I was at my friend's house (who uses Road Runner). After being bored and pulling a few traceroutes, I wondered exactly where their firewall was located within their network. My hopes proved true: the gateway to ALTER.NET was the firewall, which meant that a client could connect to another client without any firewalls being employed/checked. This is called exploiting the "trust zone" in a network.

Anyways, you have your email address. What approach should you take? I recommend going to hotmail, and setting up a free account, then using that to email him. Pick a real-sounding name, not Dark_Lord. Then, you basically email them telling them how you are, that your wife Suzy had the twins, and that everything's okay; just say something.
Alternatively, you can e-mail tech support, or questions about the ISP's service (we found these contact email addresses on the web site). The former is recommended; if you can get them to reply, you have their IP. If you don't know how to find out someone's IP from an email, you have problems; sell your modem and buy a life. Which means you now have a couple of routers that are new, once you pull a traceroute. Now then, what if there's a firewall in between you and the person who emailed you? I suggest scanning the hop right before the firewall. For instance, if you have this:

  1.) you.net
  2.) router.you.net
  3.) ALTER.NET
  ~~~~~~~~~
  6.) router.target.dummy.org
  7.) router274.target.dummy.org
  8.) * * *
  9.) * * *
  ~~~~~~~~~~~
  30.) * * *

it means that your target IP lies behind a firewall that is concealing everything (or trying to) about the guy who emailed you. Let's not port scan this time. At this point, take a break, disconnect from your ISP (you should do this every now and again during your attacks, so as to make sure that different IPs show up in the logs. This is important, 'cause the sys admin might overlook the similarities, and think that they were all harmless, unrelated incidents (you'd be surprised by some of these people)). So, let's try #7:

  $ nmap -sS -O -P0 -T paranoid router.274.target.dummy.org

and go for a nice walk; this will take a while. You set nmap to do the following, respectively:

  -sS          perform a stealth SYN scan
  -O           guess the operating system
  -P0          disable pinging
  -T paranoid  set the pace of scanning to really slow

You usually want to scan slowly, so that your packets will be mixed in the log with normal packets, so as to not draw attention. This is just a precaution, to throw the worst sys admins off your trail. Once you have those results, you just go from there. You should have this down by now; it's not really that hard, you just have to think. Develop your own methods/processes. You may prefer to port scan last, or you may prefer to use nmap to do a network scan.
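The "scan slowly so your packets blend into the log" trick only works against an admin who looks at denied packets a few minutes at a time. This added example (mine, not from the guide) parses constructed ipchains-style "Packet log" lines, counts distinct destination ports per source inside a sliding window, and shows that a 10-minute window misses a probe-every-five-minutes scan while a one-hour window catches it. The log layout is my assumption of the ipchains kernel log format; all addresses are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog lines in the ipchains "Packet log" style (not from the
# guide): one source hits a new port roughly every five minutes, the pace of
# an nmap -T paranoid scan; one unrelated denied packet is mixed in.
SAMPLE_LOG = """\
Sep 29 18:00:01 gw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:41000 203.0.113.5:21 L=40 S=0x00 I=11 F=0x0000 T=52 SYN (#2)
Sep 29 18:05:03 gw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:41001 203.0.113.5:23 L=40 S=0x00 I=12 F=0x0000 T=52 SYN (#2)
Sep 29 18:10:09 gw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:41002 203.0.113.5:53 L=40 S=0x00 I=13 F=0x0000 T=52 SYN (#2)
Sep 29 18:15:12 gw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:41003 203.0.113.5:80 L=40 S=0x00 I=14 F=0x0000 T=52 SYN (#2)
Sep 29 18:20:20 gw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:41004 203.0.113.5:111 L=40 S=0x00 I=15 F=0x0000 T=52 SYN (#2)
Sep 29 18:07:40 gw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.44:3322 203.0.113.5:80 L=40 S=0x00 I=77 F=0x0000 T=120 SYN (#2)
"""

# Assumed layout: "<ts> <host> kernel: Packet log: <chain> DENY <iface> PROTO=6 <src>:<sport> <dst>:<dport> ... SYN"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: \S+ DENY \S+ "
    r"PROTO=6 (?P<src>[\d.]+):\d+ [\d.]+:(?P<dport>\d+) .* SYN"
)


def parse_syn_denies(log_text):
    """Return (timestamp, source_ip, dest_port) for each denied TCP SYN, time-ordered."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            out.append((ts, m.group("src"), int(m.group("dport"))))
    return sorted(out)


def find_scanners(log_text, window_seconds, min_ports=4):
    """Flag any source that touches at least `min_ports` distinct ports within
    `window_seconds`. Widening the window is what makes a slow scan visible.
    Returns {source_ip: sorted list of ports}."""
    window = timedelta(seconds=window_seconds)
    hits = defaultdict(list)
    for ts, src, port in parse_syn_denies(log_text):
        hits[src].append((ts, port))
    flagged = {}
    for src, events in hits.items():          # events are already time-ordered
        for i, (start, _port) in enumerate(events):
            ports = {p for t, p in events[i:] if t - start <= window}
            if len(ports) >= min_ports:
                flagged[src] = sorted(ports)
                break
    return flagged


if __name__ == "__main__":
    print("10-minute window:", find_scanners(SAMPLE_LOG, 600))
    print("1-hour window:   ", find_scanners(SAMPLE_LOG, 3600))
```

Re-dialling to get a fresh IP, as the guide suggests, defeats the per-source grouping here, so a correlation over the whole target /24 or over the sequence of probed ports is the next step for the defender.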
This is the way I do it (legally). If you don't like it, write your own tutorial, and post it so that others can learn from you. Now you basically know how to break into your own system, provided with the basic "snooping" skills.