Author: van Hauser / THC
HTML-version by Markus Hübner
I. THE FIRST COMMAND
The first command you should enter after
logging in with a hacked account is a shell different from the one you are
currently running as login shell. The purpose is to disable history saving of
the commands you'll type in while hacking. A history check by the real user or
sysadmin reveals your presence and what you did!! If you are running a CSH then
execute a SH and vice versa.
   $   <- this is a SH prompt
   %   <- this is a CSH prompt
If it does not look like the standard prompts above then execute SH. If the
prompt stays the same, type "exit" and execute the CSH ... The reason for using
these two shells and not bash, ksh, zsh etc. is that these two are simple with
no extra options enabled by default (like history saving).
V. EXECUTING PROGRAMS
Don't execute programs with suspicious names
... ISS and YPX are for example very suspicious, and a skilled
admin knows what's going on if he sees a user running "loadmodule SandraBullok"
on his Sun ... ;-) Either you copy & rename the commands or you use those
sources around which exchange the command name in the process list. Btw. the
process list can be checked by "ps -ef" or "ps -auxwww" and
the current command every user is executing with "w" and the most CPU
consuming processes with "top" ... so it's really easy to monitor the
programs the user(s) are running.
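The process-list checks named above (ps, w, top) only show the name a process presents. On Linux an administrator can go one step further and compare that name with the binary the kernel is actually running. The following script is an added example for this text, not THC code: it reads /proc/<pid>/comm, cmdline and the exe link, and reports processes whose shown name disagrees with the real binary, or whose binary was replaced or deleted on disk while they keep running. The allowlist entries and the SAMPLE_RECORDS are constructed assumptions.

```python
#!/usr/bin/env python3
"""Process-name consistency check for Linux (added example; not THC code).

Lists processes whose name as shown by ps (argv[0]) or by the kernel (comm)
disagrees with the binary actually running (the /proc/<pid>/exe link), and
processes whose binary was replaced or deleted on disk while they run.
The check works on plain records, so it can be exercised offline on the
constructed SAMPLE_RECORDS below.
"""
import os
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# (shown name, real binary) pairs that differ legitimately on common systems;
# assumed starting list, extend it for your own hosts.
DEFAULT_ALLOW: Set[Tuple[str, str]] = {("sh", "dash"), ("sh", "bash"),
                                       ("init", "systemd")}


@dataclass
class ProcRecord:
    pid: int
    comm: str            # /proc/<pid>/comm, kernel truncates it to 15 chars
    exe: Optional[str]   # readlink of /proc/<pid>/exe, None if unreadable
    argv0: str           # first element of /proc/<pid>/cmdline


def collect_procs(proc: str = "/proc") -> List[ProcRecord]:
    """Read every numeric /proc entry. Kernel threads and processes we may not
    inspect come back with exe=None so the caller can see what was skipped."""
    records = []
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        base = os.path.join(proc, name)
        try:
            with open(os.path.join(base, "comm")) as fh:
                comm = fh.read().strip()
            with open(os.path.join(base, "cmdline"), "rb") as fh:
                argv = fh.read().split(b"\0")
        except OSError:
            continue                      # process exited meanwhile
        argv0 = argv[0].decode("utf-8", "replace") if argv else ""
        try:
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:
            exe = None
        records.append(ProcRecord(int(name), comm, exe, argv0))
    return records


def _shown_name(argv0: str) -> str:
    name = os.path.basename(argv0)
    return name[1:] if name.startswith("-") else name   # "-bash" = login shell


def check_records(records: Iterable[ProcRecord],
                  allow: Set[Tuple[str, str]] = DEFAULT_ALLOW) -> List[Tuple[int, str]]:
    """Return (pid, reason) pairs. These are triage hints, not verdicts:
    interpreters started through symlinks and threads renamed with
    prctl(PR_SET_NAME) land here too, which is what the allowlist is for."""
    findings = []
    for r in records:
        if r.exe is None:
            continue
        if r.exe.endswith(" (deleted)"):
            findings.append((r.pid, f"binary {r.exe} no longer on disk"))
            continue
        real = os.path.basename(r.exe)
        shown = _shown_name(r.argv0)
        # a symlink such as python3 -> python3.11 keeps the shown name as a
        # prefix of the real one, so prefixes are accepted
        if shown and not real.startswith(shown) and (shown, real) not in allow:
            findings.append((r.pid, f"ps shows {shown!r} but exe is {real!r}"))
        if r.comm and not real.startswith(r.comm) and (r.comm, real) not in allow:
            findings.append((r.pid, f"comm {r.comm!r} does not match exe {real!r}"))
    return findings


# Constructed records standing in for a live /proc walk.
SAMPLE_RECORDS = [
    ProcRecord(100, "bash", "/usr/bin/bash", "-bash"),
    ProcRecord(200, "sh", "/usr/bin/dash", "sh"),
    ProcRecord(300, "python3", "/usr/bin/python3.11", "/usr/bin/python3"),
    ProcRecord(400, "sleep", "/tmp/.cache/tool", "sleep"),
    ProcRecord(500, "sshd", "/usr/sbin/sshd (deleted)", "/usr/sbin/sshd"),
    ProcRecord(600, "kthreadd", None, ""),
]

if __name__ == "__main__":
    records = collect_procs() if os.path.isdir("/proc") else SAMPLE_RECORDS
    for pid, reason in check_records(records):
        print(f"{pid:>7}  {reason}")
```

Run it as root so every exe link is readable; without root, processes owned by other users come back with exe=None and are skipped. The "(deleted)" case is worth watching on its own: a daemon whose on-disk binary was swapped keeps running the old inode, and that is often the first visible trace of a replaced system binary.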
   SH : <variable>=<new_value>;export <variable>
        example : USER=nobody;export USER
   CSH: setenv <variable> <new_value>
        example : setenv USER nobody
and don't forget to reset the variables after your telnet if you want to do
something with the account before you log out.
--> ! The following 2 points are only possible with root access ! <--
VII. SYSLOG & LASTCOMM
You should also check the syslog
messages logfile if maybe entries with your hacked account or your origin host
are in it. It's usually located in /var/adm or /var/log ...
most of the time it's called "messages" but again can differ - and also check other
logfiles there which are generated by auth.* and authpriv.*
messages (and of course xferlog etc.). Check the file
/etc/syslog.conf to see the correct file and check out what is logged
to which file/program/mail/user.
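Reading /etc/syslog.conf by hand gets error-prone once selectors like "*.info;mail.none;authpriv.none" and "!" or "=" priority modifiers are involved. As an added example (not part of the original text and not a tool of THC), here is a Python parser for the classic sysklogd-style file that answers, for a given facility and priority, exactly which files, hosts, pipes or users receive the message, using sysklogd's selector semantics (a plain priority selects that level and more severe, "=" selects only that level, "!" removes that level and more severe, "none" removes everything, and later selectors on a line override earlier ones for the facilities they name). SAMPLE_CONF is a constructed configuration, not taken from any real host.

```python
#!/usr/bin/env python3
"""Which destinations receive a given syslog message? (added example)

Parses a sysklogd-style syslog.conf and resolves (facility, priority) to
the list of actions that will receive it.
"""
from typing import Dict, List, Set, Tuple

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
              "news", "uucp", "cron", "authpriv", "ftp", "local0", "local1",
              "local2", "local3", "local4", "local5", "local6", "local7"]
PRIORITIES = {"emerg": 0, "panic": 0, "alert": 1, "crit": 2, "err": 3,
              "error": 3, "warning": 4, "warn": 4, "notice": 5, "info": 6,
              "debug": 7}

# One rule: per facility the set of severities it selects, plus the action.
Rule = Tuple[Dict[str, Set[int]], str]

# Constructed sample in sysklogd style; not copied from any real system.
SAMPLE_CONF = """\
# constructed sample syslog.conf
*.info;mail.none;authpriv.none;cron.none        /var/log/messages
authpriv.*                                      /var/log/secure
auth,authpriv.*                                 @loghost.example.org
mail.*                                          -/var/log/maillog
cron.*                                          /var/log/cron
*.emerg                                         *
kern.=crit                                      root,operator
daemon.*;daemon.!warning;\\
        daemon.!=debug                          |/usr/local/bin/daemon-filter
"""


def _join_continuations(text: str) -> List[str]:
    """Fold backslash-continued lines, drop comments and blank lines."""
    lines, buf = [], ""
    for raw in text.splitlines():
        seg = raw.split("#", 1)[0].strip()
        if seg.endswith("\\"):
            buf += seg[:-1]
            continue
        buf += seg
        if buf:
            lines.append(buf)
        buf = ""
    return lines


def parse_syslog_conf(text: str) -> List[Rule]:
    rules: List[Rule] = []
    for line in _join_continuations(text):
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue                      # selector without an action
        selector, action = parts
        selected: Dict[str, Set[int]] = {f: set() for f in FACILITIES}
        for entry in selector.split(";"):
            if "." not in entry:
                continue
            facs, prio = entry.rsplit(".", 1)
            prio = prio.lower()
            negate = prio.startswith("!")
            if negate:
                prio = prio[1:]
            exact = prio.startswith("=")
            if exact:
                prio = prio[1:]
            if prio == "none":            # clears everything for these facilities
                levels, negate = set(range(8)), True
            elif prio == "*":
                levels = set(range(8))
            elif prio in PRIORITIES:
                lvl = PRIORITIES[prio]
                levels = {lvl} if exact else set(range(lvl + 1))
            else:
                continue                  # unknown priority keyword
            targets = FACILITIES if facs == "*" else [f for f in facs.split(",") if f in selected]
            for f in targets:
                if negate:
                    selected[f] -= levels
                else:
                    selected[f] |= levels
        rules.append(({f: s for f, s in selected.items() if s}, action.strip()))
    return rules


def destinations(rules: List[Rule], facility: str, priority: str) -> List[str]:
    """Actions that receive a message of this facility and priority, in file order."""
    sev = PRIORITIES[priority]
    return [action for sel, action in rules if sev in sel.get(facility, set())]


def classify_action(action: str) -> str:
    """Kind of destination: file, remote host, pipe, named users, or all users."""
    if action == "*":
        return "all-users"
    if action.startswith("@"):
        return "remote"
    if action.startswith("|"):
        return "pipe"
    if action.lstrip("-").startswith("/"):   # leading '-' only disables fsync
        return "file"
    return "users"


if __name__ == "__main__":
    rules = parse_syslog_conf(SAMPLE_CONF)
    for fac in ("auth", "authpriv"):
        for act in destinations(rules, fac, "info"):
            print(f"{fac}.info -> {act} ({classify_action(act)})")
```

Point the parser at the real file (open("/etc/syslog.conf").read()) and query the auth and authpriv facilities at "info" and "notice": the actions it returns, in particular any "@host" entry, tell you which copies of a login record exist that a local edit cannot reach. Hosts running syslog-ng or rsyslog have a different file format; this parser covers only the classic sysklogd syntax.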
VIII. INSTALLING TROJANS
When you install a sniffer, remember
that anyone can execute "ifconfig -a" to check if the card is in
promiscuous mode. Get a rootkit for your unix OS and replace it. Run
fixer.c on it for the correct checksum and date/time but check the root
account first if maybe tripwire or other binary checkers are installed! Remember
this for every binary you replace. If the binary is in a directory which is NFS
mounted and can't be remounted in write mode then you must first hack the NFS
host - life isn't easy sometimes ;)
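Whether a replaced binary gets noticed depends on what the integrity checker compares. The text mentions fixer.c (for matching checksum and date/time) and tripwire only by name; the script below is an added example written for this page, neither of those tools. It is a minimal tripwire-style baseline that records a SHA-256 per file and shows why a reset timestamp and an unchanged size do not help once the comparison is a content hash kept off the host. The demo files, their contents and the temp-directory layout are constructed.

```python
#!/usr/bin/env python3
"""Tripwire-style baseline for binaries (added example; neither tripwire nor
THC's fixer.c, which the text mentions only by name).

Records SHA-256, size, mode and mtime per file, then reports what changed.
Size and mtime can be set back by whoever swaps a file, so only the content
hash, with the baseline kept off-host or on read-only media, is worth
trusting; the other fields are corroborating detail that tells you whether
timestamps were reset.
"""
import hashlib
import json
import os
import stat
import tempfile
from typing import Dict, Iterable, List

Entry = Dict[str, object]


def _fingerprint(path: str) -> Entry:
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode), "mtime": int(st.st_mtime)}


def build_baseline(paths: Iterable[str]) -> Dict[str, Entry]:
    """Symlinks are recorded by target, regular files by fingerprint."""
    base: Dict[str, Entry] = {}
    for p in paths:
        if os.path.islink(p):
            base[p] = {"symlink": os.readlink(p)}
        elif os.path.isfile(p):
            base[p] = _fingerprint(p)
    return base


def verify(baseline: Dict[str, Entry]) -> List[str]:
    """Compare live files against the baseline; one line per deviation."""
    findings = []
    for path, old in baseline.items():
        if not os.path.lexists(path):
            findings.append(f"{path}: missing")
            continue
        if "symlink" in old:
            now = os.readlink(path) if os.path.islink(path) else None
            if now != old["symlink"]:
                findings.append(f"{path}: symlink target {old['symlink']!r} -> {now!r}")
            continue
        if os.path.islink(path):
            findings.append(f"{path}: regular file replaced by a symlink")
            continue
        new = _fingerprint(path)
        if new["sha256"] != old["sha256"]:
            why = "content changed"
            if new["size"] == old["size"] and new["mtime"] == old["mtime"]:
                why += " with size and mtime preserved (timestamp was reset)"
            findings.append(f"{path}: {why}")
        if new["mode"] != old["mode"]:
            findings.append(f"{path}: mode {old['mode']:o} -> {new['mode']:o}")
            if new["mode"] & stat.S_ISUID and not old["mode"] & stat.S_ISUID:
                findings.append(f"{path}: setuid bit added")
    return findings


def save_baseline(base: Dict[str, Entry], path: str) -> None:
    with open(path, "w") as fh:
        json.dump(base, fh, indent=1)


def load_baseline(path: str) -> Dict[str, Entry]:
    with open(path) as fh:
        return json.load(fh)


def demo() -> List[str]:
    """Constructed scenario in a temp dir: one file swapped with its size and
    mtime put back, one given the setuid bit, one symlink retargeted."""
    with tempfile.TemporaryDirectory() as d:
        ls, ps, sh = (os.path.join(d, n) for n in ("ls", "ps", "sh"))
        for p, data in ((ls, b"original ls binary\n"), (ps, b"original ps binary\n")):
            with open(p, "wb") as fh:
                fh.write(data)
            os.chmod(p, 0o755)
        os.symlink("bash", sh)
        base = build_baseline([ls, ps, sh])

        st = os.stat(ps)
        with open(ps, "wb") as fh:
            fh.write(b"replaced ps binary\n")        # same length as before
        os.utime(ps, (st.st_atime, st.st_mtime))    # timestamp put back
        os.chmod(ls, 0o4755)
        os.remove(sh)
        os.symlink("dash", sh)
        return verify(base)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

In use, build_baseline over /bin, /sbin, /usr/bin and the like right after installation, write it with save_baseline to media the host cannot modify, and run verify from a known-good boot or from the copy on that media; a baseline that lives writable on the same host is only as trustworthy as the host.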
X. THE END
I hope you had fun and learned a lot from these two
textfiles, the theory/background and the practice one. For updates, tips, tricks
etc. just email me at mc@thc.net
Remember : Never get lazy. Every work must be done 100% - or face the consequences!
Type Bits/KeyID    Date       User ID
pub  1024/3B188C7D 1995/10/10 van Hauser/THC of LORE BBS

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.3i

mQCNAzB6PNQAAAEEALx5p2jI/2rNF9tYandxctI6jP+ZJUcGPTs7QTFtF2c+zK9H
ElFfvsC0QkaaUJjyTq7TyII18Na1IuGj2duIHTtG1DTDOnbnZzIRsXndfjCIz5p+
Dt6UYhotbJhCQKkxuIT5F8EZpLTAL88WqaMZJ155uvSTb9uk58pv3AI7GIx9AAUT
tBp2YW4gSGF1c2VyL1RIQyBvZiBMT1JFIEJCU4kAlQMFEDJ2gzNAf3b9d/IP1QEB
5DwD+gJRh6m4h0fVgpQJkOiuQD68lV5w8C0F5R3jk/o6Pollaf7gtVhG8BGGo5/7
/yiH40gujc82rJdmihwcKuZQtwt8X28VN8uy56SCpXD5wjjOZpq0t0qSXmhgunZ0
m7xv7R4mWRzFclsgQCMwXNgp4sXgw64bVm8FhEdkrVSO8iTyiQCVAwUQMkMhCspv
3AI7GIx9AQFstAP+Jrg7V06FGV/sTzegFNoaSyOItkvXjctzFsXuBfta2M7EzPX3
UR3kM4/W4xE70H4XmMOJ9RmTzs+MuhSq8BtGQtYaJqGjxe/ldbvGOXRxR1rBJAKS
yDQYu0VJ/Ae8yuJcMS312jqwg8OLgYnQaqEoaRM4HEiB+hgDRqnFKpDxkhSJAJUD
BRAyQx8E5y7IvlL6xvEBAQ+bA/9baK7f3M9F5n4aASy04WHOreUNpGQ8DXgtMVq7
KVdXMIWjURsboR+wt5eJTPeL00lHS5eqmZlNzGV9hWtzAr20qrKLmvE20Ke4VPB0
a/tWXNUdvLnk4ENbTBFfMMdnlDo3hSThSMQ7yZ9UEYgighKu6l2fG5UG6D+kXFLy
iIvvlA==
=nX2w
-----END PGP PUBLIC KEY BLOCK-----