||* Introduction to Hacking *||

The first part of any hacking expedition is getting into the system
that you plan to 'explore.' This can be achieved in any number of
ways. The main two are:

1) Cracking passwd (brute force)

2) Using an exploit

Cracking passwd is fairly simple. You get a 'cracking' program which
is designed to take each word in a word list file and encrypt it
using the same one-way hash that UNIX uses to encrypt its password
file. Then it compares the hashed value to each password in the
encrypted list, which is found on UNIX and other *IX systems in the
file /etc/passwd. Word lists and cracking programs are available at
http://kwantam.home.ml.org

The list of words used is called a dictionary file. It contains a
series of words, one per line, in a standard ASCII text file. An
excerpt from a dictionary file could be:

helix
hell
hellacious
hello
hellbender
hellbent
hell-bent
hellbox
hellcat
hellebore
heller
hell-for-leather
hellgrammite
etc.

The one-way hash function is a short series of mathematical steps
that turns the password into the string of characters saved in the
passwd file. The one-way hash function UNIX uses is a variant of
Crypt(3). The reason that a dictionary file is needed is that the
Crypt(3) function cannot be reversed, hence the name one-way hash. It
is mathematically infeasible to find in any amount of time the string
of characters from which the hash value came.
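The two paragraphs above together explain why the dictionary attack works: the hash cannot be reversed, so the only time a password can be checked against a word list cheaply is while it is still plaintext, i.e. when the user sets it. The following is an added Python example, not code from this text or from the author's site, of that enrollment-time check. It loads the sample excerpt above as a constructed dictionary file, maps a candidate password back to the word it was derived from (case, trailing digits, reversal and look-alike substitutions such as 0 for o are undone before the lookup), and stores only a salted digest. The hash used is salted SHA-256 as a stand-in for Crypt(3), chosen so the example runs anywhere; it is not the UNIX function, and the substitution table is an assumption about common user habits.

```python
import hashlib
import os

# Constructed excerpt of a dictionary file, one word per line (the sample words above).
DICTIONARY_TEXT = """helix
hell
hellacious
hello
hellbender
hellbent
hell-bent
hellbox
hellcat
hellebore
heller
hell-for-leather
hellgrammite
"""

# Look-alike substitutions users apply to dictionary words (assumed table; extend as needed).
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                               "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def load_dictionary(text):
    """Return the set of lower-cased words in a one-word-per-line dictionary file."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def candidate_bases(password):
    """Return the plain words a password may have been derived from.

    Lower-case it, strip leading/trailing digits and punctuation, undo
    look-alike substitutions, and also try the reversed form, so that
    'Hellcat99', 'h3llb0x' and 'olleh' all map back to a dictionary word.
    """
    lowered = password.lower()
    stripped = lowered.strip("0123456789!@#$%^&*()-_=+.,;:'\"[]{}<>/?\\|`~ ")
    forms = {lowered, stripped}
    forms |= {f.translate(SUBSTITUTIONS) for f in list(forms)}
    forms |= {f[::-1] for f in list(forms)}
    return {f for f in forms if f}


def dictionary_check(password, dictionary):
    """Return None if the password passes, else the dictionary word it derives from."""
    for base in candidate_bases(password):
        if base in dictionary:
            return base
    return None


def hash_password(password, salt):
    """Stand-in for the one-way hash: salted SHA-256 (NOT Crypt(3); illustration only).

    Only the salt and the digest are stored. Verifying a login means recomputing
    this function on the entered password and comparing digests; nothing in the
    digest lets anyone recover the password, which is why the dictionary check
    above has to run while the plaintext is still available.
    """
    return hashlib.sha256(salt + b"$" + password.encode()).hexdigest()


def verify_password(entered, salt, stored_digest):
    """Recompute the hash of the entered password and compare it to the stored digest."""
    return hash_password(entered, salt) == stored_digest


def set_password(password, dictionary):
    """Enrollment-time policy: reject dictionary-derived passwords, else return (salt, digest)."""
    base = dictionary_check(password, dictionary)
    if base is not None:
        raise ValueError(f"password derives from dictionary word {base!r}")
    salt = os.urandom(8)   # random per-user salt; Crypt(3) also stores one with the hash
    return salt, hash_password(password, salt)


if __name__ == "__main__":
    words = load_dictionary(DICTIONARY_TEXT)
    for pw in ["hello", "Hellcat99", "h3llb0x", "olleh", "correct-staple-4x"]:
        print(f"{pw!r:20} -> {dictionary_check(pw, words)}")
```

The normalisation is the part that matters: a check that only looks up the literal password misses 'Hellcat99', which a cracker with a rules file finds in the same pass as 'hellcat'. The check is deliberately done before hashing, because once only the digest exists the administrator's audit has to do the same work as the attacker.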

The passwd file is a series of lines, each with user info on it. An
example is:

joeschmoe:naVwowMManasMMo:10:200:Joe Schmoe:/users/joeschmoe:/bin/bash
^         ^               ^  ^   ^          ^                ^
|         |               |  |   |          |                +- User's shell program
|         |               |  |   |          +- User's home directory
|         |               |  |   +- User's real name
|         |               |  +- User number
|         |               +- User's group number
|         +- Hash of user's password
+- Username

I will explain each of these:

- Username is the name under which the user logs in. Usually this is
  accomplished by typing in the username at the username prompt and then
  the password at the password prompt.

- Hash of user's password is the target of the cracking method. This is
  what the hash of each word in the dictionary file is compared to.

- User's group number determines things such as access to certain files,
  etc. It is used more in the exploit technique.

- User's number is basically identification for the system.

- User's real name is the name the user entered. It is not used by the
  system, but it provides a handy human-readable id of each user.

- User's home directory is the directory that they go to when they log
  into the system.

- User's shell is the user interface that the user uses. Shells include
  /bin/bash /bin/ash /bin/tcsh /bin/csh and /bin/sh

It is not necessary to modify the passwd file to contain only the passwords
because most cracking programs look for the second field, which is indicated
by the colon (:) separating it from the username.
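To make the field layout concrete, here is an added Python example (not code from this text) that splits lines of this format on the colon and flags the entries an administrator would want to look at: a real hash sitting in the world-readable passwd file instead of an 'x' pointing to /etc/shadow, an empty password field, a second UID 0 account, and duplicate usernames. One note on field order: the diagram above labels the third field as the group number and the fourth as the user number, but passwd(5) defines the third field as the user number (UID) and the fourth as the group number (GID), and the parser follows passwd(5). The sample file is constructed; its joeschmoe line is the example above, and the other lines are made up to exercise the checks.

```python
from collections import Counter

# Constructed sample in /etc/passwd layout. The joeschmoe line is the page's own
# example; the rest are made up to exercise the checks below.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
joeschmoe:naVwowMManasMMo:10:200:Joe Schmoe:/users/joeschmoe:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
guest::1001:1001:Guest Account:/home/guest:/bin/sh
toor:x:0:0:backup admin:/root:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/tcsh
bob:x:1003:1003:Other Bob:/home/bob2:/bin/sh
"""

# passwd(5) field order: name, password (hash or 'x'), UID, GID, GECOS, home, shell
FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_passwd_line(line):
    """Split one passwd line on ':' into a dict keyed by passwd(5) field names.

    Returns None for lines with the wrong number of fields or non-numeric ids.
    """
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(FIELDS):
        return None
    entry = dict(zip(FIELDS, parts))
    try:
        entry["uid"] = int(entry["uid"])
        entry["gid"] = int(entry["gid"])
    except ValueError:
        return None
    return entry


def parse_passwd(text):
    """Parse a whole passwd file; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        entry = parse_passwd_line(line)
        if entry is not None:
            entries.append(entry)
    return entries


def audit_passwd(text):
    """Return a list of (username, finding) tuples for risky entries."""
    entries = parse_passwd(text)
    findings = []
    names = Counter(e["name"] for e in entries)
    for e in entries:
        pw = e["passwd"]
        can_login = e["shell"] not in NOLOGIN_SHELLS
        if pw == "":
            findings.append((e["name"], "empty password field: login without a password"))
        elif pw not in ("x", "*", "!"):
            # A real hash in world-readable /etc/passwd is exactly what the
            # dictionary attack needs; with shadow passwords this field is 'x'
            # and the hash lives in root-only /etc/shadow.
            findings.append((e["name"], "password hash stored in passwd instead of shadow"))
        if e["uid"] == 0 and e["name"] != "root" and can_login:
            findings.append((e["name"], "extra UID 0 account (root-equivalent)"))
        if names[e["name"]] > 1:
            findings.append((e["name"], "duplicate username"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_passwd(SAMPLE_PASSWD):
        print(f"{user:10} {finding}")
```

The shadow check is the one that matters most for this article: moving the hash out of the second field into a root-only file removes the input the cracking program needs, without changing how login works.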

As you can see, it is also possible that, if the user's password is not
in the dictionary file, the cracker won't find the password to that
username. However, on a system of 200 users, at least 70 of them will
usually have passwords that are in dictionaries, depending on whether the
system administrator checks the passwords or not and on the type of user
that accesses the system most. A server used by computer security experts
will not be nearly as susceptible to this kind of attack (or any, for
that matter) as one which is used by average people for e-mail and internet
access.

The second kind of attack, the exploit, is a more difficult one, but it
usually has greater rewards, including the possibility of getting total
control of the system. Exploits work by using a piece of software in
such a way as to compromise the security of the system. One of the most
popular programs to use in this way is sendmail. Sendmail is most
susceptible because it must be open to public access to allow mail to be
transferred into and out of the system. Usually a buffer, an area in
memory where the system stores program information, is overwritten using
sendmail. The experienced hacker can transfer his own program code into
the buffer so that while the system thinks it is simply running the mail
retriever it is actually copying a shell program into a public access
directory and giving it superuser privileges. Another type of exploit
involves causing a program which has superuser privileges to change your
group ID to 1, root, which effectively makes you the administrator of
the system.

Most of the time, these two types of attacks are used together. The hacker
will first get a login with brute force to gain access to the outer level of
the system, and then from there use an exploit of some kind to gain root
privileges. After attaining root access, the hacker will install one or more
'back doors' to allow himself access to the system again. A very common one
is taking the source code of the login program and modifying it to accept
a certain password for any user, as well as the user's own password.

An example of a function in C that could do this would be:

#include <string.h>

/* cryptcheck() is the login program's normal check: it hashes entry,
 * compares the result with the user's hash in /etc/passwd and sets
 * *access to 1 on a match. It is defined elsewhere in login. */
void cryptcheck(char *entry, int *access);

void check_backdoor(char *entry, int *access)
{
    /* the variable entry is the password that the user entered;
     * the variable access points at the flag that determines whether
     * or not to allow the user into the system. If *access is set to 1
     * then the user is let in. (It must be a pointer: a plain int
     * argument would be a copy and the caller would never see it change.)
     */
    if (strcmp(entry, "mybackdoor") == 0)   /* == on two strings compares pointers, not text */
    {
        *access = 1;
        return;
    }
    cryptcheck(entry, access);
    return;
}

In this example, mybackdoor would be the password that could be used on
any user account. If mybackdoor was not the entry, then the password
is hashed and checked against the password in /etc/passwd, which allows
the back door to function without being noticed by anyone, including the
administrator.

I hope this information has been helpful in teaching you the basics
of hacking. For more information, visit my home page or drop me an e-mail.
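Because the modified login behaves exactly like the real one for every genuine password, watching logins will not reveal it; what changes is the login binary itself. The usual defence is a file-integrity check: record a digest of every system program while the machine is in a trusted state, keep that manifest where the host cannot rewrite it, and re-check regularly. The following is an added Python example, not code from this text, of such a check. The directory tree and file contents are constructed inside a temporary directory, and run_demo() plays both the trusted snapshot and the later tampering (login replaced, one program removed, one added).

```python
import hashlib
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root (path relative to root) to its SHA-256 digest.

    Take this snapshot from a trusted state (fresh install, or the package's
    own checksum list) and store it where the host cannot alter it, such as
    read-only media; otherwise it is no better than the binaries it guards.
    """
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                manifest[os.path.relpath(full, root)] = file_digest(full)
    return manifest


def verify_manifest(root, manifest):
    """Compare the current tree against the manifest.

    Returns a dict of sorted lists: 'modified' (digest changed), 'missing'
    (in manifest, gone from disk) and 'added' (on disk, not in manifest).
    """
    current = build_manifest(root)
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in current)
    added = sorted(p for p in current if p not in manifest)
    return {"modified": modified, "missing": missing, "added": added}


def run_demo():
    """Constructed scenario: snapshot a fake bin/, then alter it as a back door install would."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = os.path.join(root, "bin")
        os.makedirs(bin_dir)
        for name in ("login", "sh", "ls"):
            with open(os.path.join(bin_dir, name), "wb") as f:
                f.write(b"original contents of " + name.encode())
        manifest = build_manifest(root)      # trusted snapshot
        clean = verify_manifest(root, manifest)

        # Simulate the rebuilt login program replacing the real one,
        # plus one removed and one new file, then re-check.
        with open(os.path.join(bin_dir, "login"), "wb") as f:
            f.write(b"login rebuilt with check_backdoor() compiled in")
        os.remove(os.path.join(bin_dir, "ls"))
        with open(os.path.join(bin_dir, "sudo"), "wb") as f:
            f.write(b"new file")
        tampered = verify_manifest(root, manifest)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = run_demo()
    print("clean   :", clean)
    print("tampered:", tampered)
```

Package managers ship the same idea against their own checksum database (rpm -V on RPM systems, debsums on Debian-based ones), and a dedicated tool adds ownership, permission and timestamp checks; the point of the manifest living off the host is that a back door installed with root access could otherwise rewrite the manifest as easily as it rewrote login.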

KwAnTAM_PoZeEtroN
Leader of the Black Angels
Ringmaster of the Ruiners Webring
Head of Psychotic security