The following FAQ was not written by the Packet Storm staff nor did
we play any role in its creation. We feel that it is, however, very
informative in a positive light and can prove beneficial to many
administrators trying to secure and learn more about their network.
The (so far) totally unofficial Packetstorm Newbie-Forum FAQ draft
Born on the 8th of August 2000
Mackan@rpcs.pp.se
Latest update: 12th of August 2000
Fixed ingress (We are now in Beta-stage - Wohooo!)
Added Note about Posting to forum. (Secular)
Q&A 2.9 - What is a firewall/personal FW/routingfilter?
Updated 4.3 (Secular)
Q&A 4.4 - How do I keep Windows from being nuked? (Secular)
Updated Appendix 1 - Several new references. (Secular)
Fixed Appendix 1. Everything is now sorted by subject.
Contributors (in alphabetical order): Doxavg (Almost everything in
chapter 3), Marcus Andersson (chapters 1,2,3 and 5), Occam,
(Updates) Richard Glover "Secular" (Everything in chapter 4,
updates), Trevlig (Almost everything in chapter 5, updates).
Editor: Marcus Andersson (Mah-Kahn)
Status of this memo: This document has no official seal of approval
of any kind. In fact, it is still in pretty rough pre-draft
Beta version.
DISCLAIMER: As any good information goes - it can be used whatever
colour you might have on your hat. If it's white - great! I guess
we're "scene buddies" and might bump into each other sooner or
later. If it is black - well, shame on you! Hope you get caught! Hope
that you will tell me how you did it before, though, so that I might
benefit from it and fix my systems. Not ANYONE at Packet Storm, nor
the participants in the forums, have ever, or will ever, encourage
illegal or immoral behaviour, unless they are VERY stupid. Go figure.
NOTE:
The editor would like to thank all contributors to this FAQ. You have
generously given of your time on this document, because you saw some
usefulness in it. I hope you are right. At least, I give you my
standing ovation.
If you would like to contribute to this FAQ by adding questions,
adding answers, fixing errors/spelling/grammar, please contact the
editor at mackan@rpcs.pp.se. If your mail doesn't get answered right
away, it's not because I'm ignoring you, but rather it signifies that I'm
working on it. If you have heard nothing in a week, it's because I'm
out of town and can't read the mail. DON'T mail again. Your mail WILL
be answered, eventually. Patience is a virtue.
If I get any more "Can you teach me how to hack?"-questions of ANY
kind, in my mail I'll scream. At you.
ABOUT POSTING TO THE FORUMS:
[Secular holds the pen]
A brief note about posting to the Packetstorm forums (or as Mah-Kahn
prefers, the Packetstorm fora.): We really are here to help. No, we're
not a bunch of crazed psycho sysadmins out to flame your head off. We want
you to have the best learning experience possible. Sometimes that means
that before you ask a question, you should do the research yourself. Make
sure first you're asking your question in the correct forum. Second, make
sure your question hasn't already been answered here, or in one of the
earlier postings. Third, RTFM (Read The Friggin' Manual, for those of you
unfamiliar with the jargon.) Make certain you've read through your paper
documentation, or the online documentation for your products. Do your
homework. Go to the library. Take the time to learn it on your own, and
then if you have questions on what you're learning, ask for help. If
you've done all of this, and you've formed your question into a detailed,
specific, well worded, well documented posting, we can more easily help
you help yourself. Doing the leg work, learning your part, and helping to
spread the information that wants to be free is what hacking is REALLY all
about. Hackers aren't what the media says. A hacker, in the true sense of
the word, is one who is capable of creating wonderful new things with very
little to work with. We're trying to be real hackers. We're trying to help
make the flow of information a little easier. We hope you are too.
[Mah-Kahn holds the pen]
If you are a newbie, having asked a question, and having been pointed
to this document, don't take it as a personal insult. The reason is
that the same questions have been asked over and over and over again,
and that the same answers have been given in every possible form
known to man. Nobody wants to start a fight. Nobody wants to hurt
your feelings. If somebody did it anyway, unintentionally, swallow
your pride, read the FAQ, learn something new, and get on with your
life.
The questions in this FAQ may have appeared in forums other than
the Newbie-forum, but are still referred to as frequently asked
Newbie-questions in those forums.
Chapter 1 - General questions
1.1 How do I hack a [put whatever here] system?
1.2 Where can I find some "K3wl pHil3z" on hacking?
1.3 How do I hack Hotmail/Yahoo mail/whatever?
1.4 Will you crack this machine/password/account for me?
Chapter 2 - TCP/IP questions
2.1 How do I spoof my IP-address?
2.2 How do I hide my IP-address?
2.3 How do I trace someone on the Internet?
2.4 How do I get a DoS through a (personal) firewall?
2.5 Is there a legitimate use for DoS? Ever?
2.6 How do I sniff all the traffic going to a certain host?
2.7 Why can't i sniff in a switched environment?
2.8 How do I find firewalls?
2.9 What is a firewall/personal firewall/routingfilter?
Chapter 3 - Unix questions
3.1 Where do I get a (free) shell-account?
3.2 How do I get root without having a compiler?
3.3 How do I upload a file to a UNIX, not having mail or FTP?
3.4 What are the security issues with core dumps?
Chapter 4 - Windows questions
4.1 How do I upload a file to a box without them noticing?
4.1.1 How do I hide an .exe in a .jpg?
4.2 How do I hack with Windows?
4.3 How do I secure my Windows system?
4.4 How do I stop my Windows system from being nuked?
Chapter 5 - Programming questions
5.1 How do I run a .c exploit?
5.2 What is a buffer-overrun?
Appendix
1) Sources/Resources
Chapter 1 - General questions
-----------------------------
1.1 How do I hack a [put whatever here] system?
We will not help you crack a system's security.
If you really want to learn how to break a system's security, you
must start from the bottom and learn as much as you can about the
system from the inside out, and the necessary respect which goes
along with it.
NO textfile will teach you how to hack. Ever.
If you want to read a reasonably good and all-around FAQ on cracking
systems' security, read the alt.2600/#hack FAQ, which is found at
http://www.linuxsavvy.com/staff/jgotts/underground/hack-faq.html
(Oh, and I recommend that you download the ASCII-version, which is more
readable, in my personal opinion.)
1.2 Where can I find some "K3wl pHil3z" on hacking?
Well, if you know NOTHING, go to the FAQ above. If you want to learn
some "heavier stuff", go to http://phrack.infonexus.com and read. You
would probably want to use their search-function, though, since
reading through stone-age hacking material (written in the
eighties) will otherwise eventually make your eyes bleed.
Now, these guys know what they are doing, so DON'T go there and ask
silly questions, or they WILL flame your head off.
Oh, and while you're at it, check out the "papers" section here, at
http://packetstorm.securify.com/papers/
(In all, the Packet Storm archives offer a vast array of resources that
you might find useful in your educational spelunking. - Packet Storm Editor's Note )
Make sure you have a viewer capable of opening postscript files. Many
of the papers on packetstorm are in PostScript3 format. I'm still
trying to find a worthy viewer for Windows. GhostScript IS ported to
Windows, but is quite hard to install, if you are not used to
it. (The installation is not point-and-clickable.)
1.3 How do I hack Hotmail/Yahoo mail/whatever?
Now, first of all, that would be a BAD idea, since it would land you
in jail. Don't do it. If you ask just out of curiosity, there are
several ways to do this, as history has proven. A very lame way is
to plug a wordlist into some automated script (a three-liner with
netcat) and go to town, while your script tries every word in the
list... This is basically how they "hack" in the movies, and if the
password is generated correctly, the chances of succeeding at such a
task are really low. Oh, and even if you struck gold and actually
got in, you would still be logged, because of all the incorrect
login-attempts. You WILL get spotted.
Another (better) way of doing it would probably be to send a
mal-formed html-post to the victim, and include some sort of hostile
script (Javascript and VBscript comes to mind). However, a lot of
these bugs have already been found, so don't try to just download
something from the net and expect it to work.
You WOULD have to find a way to include the script, without the
html-parser of the mail-system figuring it out... I'll leave that as
an exercise for the imaginative reader, but historical evidence shows
methods of using mal-formed image-tags, including control-characters
in the middle of the javascript tag, mal-formed gopher-tags, etc.
1.4 Will you crack this machine/password/account/whatever for me?
Short answer: No. Long answer: No way.
Chapter 2 - TCP/IP questions
----------------------------
2.1 How do I spoof my IP-address?
There is no easy (point-and-clickable) way to do this. Sorry. There
are no such things as "IP-spoofers", or everyone would be using
them. In order to make a full, spoofed, IP-connection, you would
actually have to learn some of the inner workings of TCP/IP. I will
make a brief summary here, but if you don't get it, check out
http://phrack.infonexus.com/search.phtml?view&article=p48-14
until you do. It is nothing you do as a newbie, anyway.
IF you want to learn, look below.
In a TCP/IP-connection, the first thing that happens is the
"TCP-handshake". This is a three-step initial setup that has to be
made before any data can be sent.
1) A sends B a SYN-packet (SYNchronize)
2) B sends A a SYN/ACK (ACKnowledge the SYN, and send his own SYN values)
3) A sends B an ACK (ACKnowledge B's request for synchronisation)
Now, if you want to "spoof" a connection, masquerading as someone
else, you might think that all you would have to do is send the packets
with this "someone's" IP-address. This is wrong, because the Internet
is built in such a way that the packets FROM B would ALWAYS go to A,
and A would simply reset the connection, not knowing why B sends his
SYN/ACK-packet.
So, what you want to do is that you make sure that A can't answer
(thus resetting) the packets from B. This is done through a
DoS-attack of some sort (SYN-flooding was popular, with real hackers,
because that method would make it possible to "undo" the attack later
on, by sending RSTs for those packets, thus letting A get back in
service.)
Now, in order to really impersonate A, you must realize that B will
still send his packets to the real A, so you won't see them. This is
a problem, since you won't get the SYN/ACK by B, and thus can't
synchronize the sequence-numbers of the packets. This means that you
have to guess the sequence number (and the payload) of every single
packet that might come, as a response to your packets. Doing this
against machines with poor IP-stacks (like Windows-boxes) is doable,
but on REAL implementations of TCP/IP-stacks (such as Linux, that
actually follows the RFC) the numbers are quite unpredictable
(random) which makes these attacks useless.
Now, all this is theory... If you WOULD like to do it in practice,
learn TCP/IP, a lot. You would probably be helped if you could, for
instance, manipulate the routing so that the real packets from B
to A pass through a network where you can capture them. In that
case you would JUST have to send your packets fast enough for B's
IP-stack to not time out.
As you can see, this is fairly esoteric stuff. Don't go there. Oh,
and you will need a program to manipulate the raw IP-packets as well.
[Defense]
There are several ways to defend against these types of attacks.
1) The first one is of course to make it unusable to even try it,
so, get rid of all trust-relationships to other hosts (hosts.equiv, .rhosts, etc.)
2) If that can't be done, exchange the services to equivalents that
use cryptographic authentication of both ends before sending any
packets over the connection. This way an attacker would need to get
hold of the crypto-key somehow, in order to impersonate the
machine. A good substitute for rsh and rlogin would be ssh, for
example.
3) If you can't get rid of ALL trust-relationships between hosts, at
least place the machines that need to trust each other on the same
subnet, and disable the services at the border router AND apply
filtering rules to make sure that a packet with an "inside" address
gets dropped if it comes in on the "outer" interface (i.e. a
"spoofing filter").
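The "spoofing filter" of point 3, written out as an added example (not from the FAQ or any router vendor): a decision function that drops packets carrying an "inside" source address when they arrive on the outer interface. It also goes a step beyond the text with the mirror-image egress rule (packets leaving the inner interface with a source address that is not ours are dropped, so your own hosts cannot be used to spoof others) and a short bogon list. The inside prefix, interface names and packet sample are constructed; replace the prefix with your real subnet.

```python
import ipaddress

# Constructed example topology: the subnet behind the border router.
# Documentation ranges are used; replace with the real inside prefixes.
INSIDE_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Addresses that must never be a source on the outer interface,
# whatever the inside prefix is (loopback, RFC 1918 private space).
BOGON_NETS = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def filter_packet(iface, src, dst):
    """Return ("ACCEPT"|"DROP", reason) for one packet seen on iface.

    iface is "outer" (Internet-facing) or "inner" (LAN-facing).
    Ingress rule (the FAQ's spoofing filter): an inside source address
    arriving on the outer interface cannot be genuine, so it is dropped.
    Egress rule (added): a packet leaving the inside with a source
    address that is not ours is dropped too.  The destination is
    carried along only for the log line; these rules look at the source.
    """
    src_addr = ipaddress.ip_address(src)
    inside_src = _in_any(src_addr, INSIDE_NETS)
    if iface == "outer":
        if inside_src:
            return ("DROP", "inside source address arrived on outer interface")
        if _in_any(src_addr, BOGON_NETS):
            return ("DROP", "bogon source address on outer interface")
        return ("ACCEPT", "")
    if iface == "inner":
        if not inside_src:
            return ("DROP", "non-inside source address leaving inner interface")
        return ("ACCEPT", "")
    raise ValueError("unknown interface: %r" % iface)


def apply_rules(packets):
    """Run the filter over (iface, src, dst) tuples; return verdict rows."""
    return [(iface, src, dst) + filter_packet(iface, src, dst)
            for iface, src, dst in packets]


# Constructed packet sample: a normal inbound packet, a spoofed inside
# source from outside, a loopback source from outside, a normal outbound
# packet, and an outbound packet with a forged source.
SAMPLE_PACKETS = [
    ("outer", "198.51.100.7", "192.0.2.10"),
    ("outer", "192.0.2.10", "192.0.2.20"),
    ("outer", "127.0.0.1", "192.0.2.10"),
    ("inner", "192.0.2.10", "198.51.100.7"),
    ("inner", "203.0.113.5", "198.51.100.7"),
]

if __name__ == "__main__":
    for iface, src, dst, verdict, reason in apply_rules(SAMPLE_PACKETS):
        print("%-5s %-15s -> %-15s %-6s %s" % (iface, src, dst, verdict, reason))
```

Running it prints one line per sample packet; the second and fifth packets are the ones a real border filter must refuse.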
2.2 How do I hide my IP-address?
Well, not being able to spoof the address (see above) you might still
want to hide it. This is fairly doable by using proxies. A proxy is
a machine that forwards queries for you. If you can get a proxy to
forward an illegitimate query to the victim-host, it will be the proxy's,
not your, IP-address showing up in the logs...
Example, the light side (webproxy):
If you have configured your webbrowser to use a webproxy, and you
type in an URL, the proxy will first see if it has a copy of the
document locally stored (cached) and if so, forward it to you, thus
serving the request faster and reducing the use of bandwidth on the
Net. If it does NOT have a copy of the document locally stored, it
will forward your query to the intended webserver, then forward the
answer back to you, and store a copy of it locally.
Example, the dark side (webproxy):
Now, a 3viL H4x0r wants to try to portscan through the proxy. This
can not be done with ordinary portscanners, since what is forwarded
are not your IP-packets, but the QUERY (data in the payload). So what
the imaginative mind does, is that s/he connects to server:port
through the webclient, and then waits for a while, before hitting the
"stop" button. On the screen s/he will then see the banner of the
service of the port.
You could probably not scan low ports (<1023) in this way, but there
are fun services on high ports as well. All kinds of (exploitable...)
RPC-services, for example, as well as listening NFS-daemons,
Radius-servers, SOCKS-servers, and others.
Now, you could also (usually) chain webproxies by typing (in the
client) proxy1:Pport:proxy2:Pport:proxy3:Pport:victim:Sport, where
Pport is the port of the listening proxyserver (usually 8080 or
thereabouts) and Sport is the port you want to scan on the victim.
2.3 How do I trace someone on the Internet?
Now this is a real classic, with no real answer.
First, you can never trace the connection farther than to the
IP-address in use. This means that you CAN NOT get the actual user's
name, address, phone number or some such. YOU can't. Their ISP can,
though, and if you provide them with adequate logs (proving their
misdeed, the time of the incident and the IP-address in
question) they will deal with it according to their Acceptable Use
Policy (AUP). Usually the culprit will lose his/her account, or at
least will be given a slap on the wrist. Adequate standard addresses
are abuse@ispname, security@ispname, postmaster@ispname, and
root@ispname.
Second, you have to actually get the IP-address involved. If the
problem is a DoS-attack, they are almost always using some fake
IP-address, so you will not be able to trace those. Get some sort of
protection instead, like a "personal firewall". If the problem is
foul language in a chat, most ISPs are not very interested. Sorry.
If the problem is a threatening e-mail, look where it comes from, by
looking at the mail-headers bottom-up (from the last To: line). The
originating host will be the first one (reading "backwards", that
is). If you want to see where a connection (such as an ongoing
portscan, a trojan such as Back Orifice or some such) goes to, go
to a DOS-window and do a netstat -an (the same for UNIX).
Third, when you have found the IP-address - DON'T DoS them, or approach
them at all. Just report them to their ISP and let them do the
work. Don't get into fights.
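The bottom-up reading of mail headers described above, as an added example that is not part of the FAQ: each relay prepends its own Received: line, so the lowest Received: line is the oldest hop and names the host the message entered the mail system from. The example unfolds the header block, lists the hops oldest-first, and adds the caveat a practitioner needs before writing to abuse@: a sender can forge any Received: line below the ones your own relays added, so only the hops written by relays you trust are evidence. The message and host names are constructed.

```python
import re

# Constructed sample message.  Each relay prepends a Received: line,
# so the bottom one is the first hop the message took.
SAMPLE_MESSAGE = """\
Received: from mx.example.org (mx.example.org [192.0.2.10])
\tby mail.example.net with ESMTP id abc123;
\tSat, 12 Aug 2000 10:05:01 +0200
Received: from relay.isp.example (relay.isp.example [198.51.100.7])
\tby mx.example.org with ESMTP;
\tSat, 12 Aug 2000 10:04:50 +0200
Received: from dialup-42.isp.example (HELO bob) [203.0.113.42]
\tby relay.isp.example with SMTP;
\tSat, 12 Aug 2000 10:04:48 +0200
From: someone@isp.example
To: victim@example.net
Subject: you have been warned

body text
"""

_FROM = re.compile(r"\bfrom\s+(\S+)", re.IGNORECASE)
_BY = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)
_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold_headers(message):
    """Return the header block as a list of logical (unfolded) lines."""
    headers = []
    for line in message.splitlines():
        if not line.strip():
            break                                  # blank line ends the headers
        if line[0] in " \t" and headers:
            headers[-1] += " " + line.strip()      # continuation of previous line
        else:
            headers.append(line)
    return headers


def trace_received(message):
    """List the Received: hops in chronological order (oldest first)."""
    hops = []
    for header in unfold_headers(message):
        if not header.lower().startswith("received:"):
            continue
        body = header[len("received:"):]
        m_from, m_by, m_ip = _FROM.search(body), _BY.search(body), _IP.search(body)
        hops.append({
            "from": m_from.group(1) if m_from else None,
            "ip": m_ip.group(1) if m_ip else None,
            "by": m_by.group(1).rstrip(";") if m_by else None,
        })
    hops.reverse()          # headers are newest-first; we want oldest-first
    return hops


def last_reliable_hop(hops, trusted_relays):
    """Walk newest-first and stop at the first relay we do not run.

    Lines below that point could have been written by the sender, so the
    'from' host of the last trusted line is as far back as the logs can
    honestly vouch for."""
    reliable = None
    for hop in reversed(hops):
        if hop["by"] in trusted_relays:
            reliable = hop
        else:
            break
    return reliable


def originating_host(message, trusted_relays=None):
    """(hostname, ip) of the origin; with trusted_relays, of the farthest
    hop the trusted relays themselves recorded."""
    hops = trace_received(message)
    if not hops:
        return None
    hop = hops[0] if trusted_relays is None else last_reliable_hop(hops, trusted_relays)
    return (hop["from"], hop["ip"]) if hop else None


if __name__ == "__main__":
    for hop in trace_received(SAMPLE_MESSAGE):
        print("%-26s %-16s -> by %s" % (hop["from"], hop["ip"], hop["by"]))
    print("origin (all lines believed):", originating_host(SAMPLE_MESSAGE))
    print("origin (only our relays trusted):",
          originating_host(SAMPLE_MESSAGE, {"mail.example.net", "mx.example.org"}))
```

The IP address in square brackets is the one to put in the abuse report; the hostname next to it is whatever the connecting machine claimed in HELO and may be anything.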
2.4 How do I get a DoS through a (personal) firewall?
Don't. You'll be hated.
There WAS a posting asking this question, and basically, this FAQ is
an offspin to that posting... The only short answer to the question
is: learn TCP/IP, and how and why firewalls work. After that, making
a DoS-attack should be fairly obvious, as would the fact of why you
wouldn't want to do it. Get the message: DoS attacks are lame.
2.5 Is there a legitimate use for DoS? Ever?
The simple answer is "no", because what the person asking the
question wants to know, is generally if there is ever a moral reason
to DoS someone. And there is not. Not even if they do it to you. Not
even if you (think you have) hunted them down. Not ever.
The ONLY practical, and therefore legitimate, use for DoS would be
during a professional penetration audit, when the customer has
ordered a stress-test of the machines OR the "Red Team"/"Tiger
Team" would like to, for a moment, disable an ident daemon, a syslog
daemon, or a host running some sort of NIDS.
2.6 How do I sniff all traffic going to a certain host?
You can't, if you are not on the same network as that host. This
means you would typically have to be in the same building as the host
you want to "sniff". Even if you manage to get to the building, you
are still out of luck if you try to sniff on a switched network
(which most networks are today).
If you start your sniffer on another network, you would only be able
to see all traffic from that network segment to the host. Most
probably, only your own packets, since the network YOU are sitting on
(most usually an ISP) is switched too.
Defense: Fairly obvious - implement a switched network
environment. OK, it's quite expensive, but the payoff in increased
security and better network performance is huge. How much do you value
your time?
If you don't have the cash to immediately implement a switched
environment, at least try to implement cryptographic
countermeasures against this attack, such as ssh and other tunneling
protocols.
2.7 Why can't I sniff in a switched environment?
Now, this demands some fairly thorough explanation on how Ethernet
works, but to put it simply: What a switch does, is to break up the
addressable message-bus of the ethernet, into sub-buses, typically
with one host per port. A sniffer sees the same segment (part of the
addressable bus) that it is connected to (see above). If you just have
one host per segment, that's all it's going to see.
The reason for this was originally not to implement security, but to
divide large networks into smaller pieces, in order to prevent
packet-collisions on the message-bus.
2.8 How do I find firewalls?
This question assumes that you want to hack a host and that you want
to know if there is a firewall securing it. Now, this is not an easy
question to answer, since not all firewalls work the same way, but
let me give you some general (and quite compressed) info on the
subject.
First, try to traceroute, from a UNIX-machine, to the machine you
want to check. If the trace-route dies (hangs on the same routerhop
forever...), it's probably because of a firewall. You could actually
see if it is, by first seeing if a traceroute with ICMP-packets (such
as a Windows tracert) goes through. If it does, it's definitely a
firewall, or at least a filter of some sort. If it still does not get
through, there MIGHT be a firewall OR the router is down for some
unknown reason.
In that case, you try a sort of special traceroute... Now, if
your traceroute dies because of a filter, it's because the probes
are coming from a port that the filter doesn't like. What you do
then, is that you try to mask your probes as something legitimate,
like DNS-packets.
Now, the portnumber is incremented for each probe, and for each
routerhop traceroute sends out 3 probes. What you want to achieve is
for the portnumber to reach 53 exactly at the filter, so it thinks
that the packets are DNS-packets.
The formula is:
(target_port - (number_of_hops * num_of_probes)) - 1
So, let's say our traceroute died at the 8th routerhop, you would
have to do a (53 - (8 * 3)) - 1 = 28
traceroute -p28 targethost
Now, if the probe gets through, you can, again, be certain that there
is a filter, and not just a broken router. You will just see ONE
routerhop behind the filter, though. However if the traffic STILL
dies, it MIGHT still be a firewall there, OR the route is just
broken.
Now, in order to keep this answer short (I could fill a whole FAQ
with info about testing firewalls) I'll just cut to the chase.
Try to fingerprint the machine where the traceroute dies, with
nmap. Nmap will probably tell you whether or not it is a router. If
it's not, it's a firewall. Note though, that EVEN if it is a router,
it might still be a filtering router. Read the nmap documentation on
scanning types at http://www.insecure.org/nmap/nmap_manpage.html
Defense:
Oh, the joys of configuring firewalls...
One thing that you would want to do is to configure your firewall to
actually send RSTs instead of just dropping the packets to filtered
ports. This would make it REALLY hard to see from the outside.
If this can't be done, your firewall WILL be spotted, and you have
to make a trade-off about what is better security-wise: To keep, for
example, traceroutes open through the firewall, in order to keep it
hidden (so that an attacker "stumbles" into it if they attack your
net) and thereby making it possible for an attacker to draw quite
detailed maps of your network environment? By closing traceroutes, on
the other hand, your firewall will be visible to the outside, thus
flagging for a potential attacker that s/he should be cautious, and
thereby, you might miss the REAL attack, since the attacker carries
it out more "silently".
Best practice suggests that you tighten the filters so that it IS
obvious that you have a firewall, but also set the firewall to be as
paranoid as possible about what it leaves out. This is a VERY big
topic, not to be covered in this FAQ.
2.9 What is a firewall/personal firewall/routing filter?
Now, this is a BIG question in the business today, so I'll just give
you some quite clear distinctions, not focusing too much on the
border-cases.
[Packet filtering routers]
The first distinction to make, is between a packet-filtering router,
and a firewall. In the spirit of selling as many routers as possible,
a lot of router vendors, focusing on the home-use market, try to
sell ISDN- and cable routers with "firewalling capabilities". This is
sell-speak. Don't buy it.
What it usually means is that the router is able to check every
packet's source address, source port, destination address and
destination port, and decide if the packet should be forwarded or
dropped. End of story. That's what it does.
Now, the cautious home user would of course set up the filter to let
through any traffic from source address "any", port 20, 21, 80 in order
to use ftp and web. (Of course you would actually open up a LOT of
ports in order to get mail, dns, news, etc. to work, but that's beyond
the scope of this FAQ.)
That would mean that an attacker could, if he was root on a
UNIX-machine (his own Linux-box, for example), get ANY traffic through
the filter, if s/he just binds to an "open" port locally. The router
filter does not check whether the traffic coming from, say, port 80 is
REALLY webtraffic, it just assumes it is, and lets it through.
Now, if you are a REALLY lucky router owner, the vendor has actually
put some thought into this problem, and has a feature in the router
called an "established"-filter. This means that the router checks
whether the connection was established from YOUR side or the outside.
Basically, it makes it impossible to just start any traffic from the
outside, and bind it to an open port, as described earlier. The router
keeps track of whether you have started the connection or not.
There is nothing magic about this, really. What the router does,
in this case, is to see if the packets have the ACK-flag set. If a
packet has the ACK-flag set, it just draws the conclusion that the
initial SYN-packet was sent from the inside. If an ordinary SYN-
packet is sent from the outside, it's just dropped. (To learn more
about the TCP-handshake, check out 2.1 in this FAQ, "How do I spoof
my IP-adress?")
A quite obvious thing that you could do, as an attacker, if this is
the case, is to send packets with the ACK-flag set through the
filter. This wouldn't give you a full connection, but
you CAN portscan through the filter, and maybe find something
interesting. Again, your best friend is http://www.insecure.org/nmap/nmap_manpage.html
So much for "firewalling capabilities".
[Firewalls]
Now, what a real firewall does, in addition to the above, is that it
also "understands" the protocols involved, and not just the port numbers.
There are basically two philosophies on how to implement such an
"understanding" - stateful packet inspection, and application-level
proxying. Now, this sounds like gibberish to most people, but let me
just explain it VERY briefly.
Stateful packet-inspection means that the firewall checks every packet
that travels through it, but it can check for more things than just
port numbers, IP-addresses and whether the ACK-flag is set. It can, for
example, build up a table of ongoing connections made from the
inside, and then keep track of them as long as they live. This
means that it won't (typically) let through a packet, just because
the ACK-flag is set. It can also, if an IP-packet is fragmented,
await all fragments, reassemble the packet and THEN decide whether
or not it shall route it to its destination. Go figure. The most
useful feature is, however, that it can actually look on the
payload of the packets, and thereby "understand" at least some of
the more obvious attacks on the datastream.
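The difference between the router's "established"-filter (forward anything with the ACK-flag set) and a stateful table of connections opened from the inside, replayed on a small constructed packet sequence. This is an added teaching example, not code from the FAQ or from any firewall product: both filters are toy models (no sequence-number checks, no timeouts, no full FIN teardown), and the addresses and ports are constructed. The last row is the one that matters: an ACK-only probe from outside to a port nobody inside opened passes the ACK-flag filter and is refused by the stateful one.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset   # subset of {"SYN", "ACK", "FIN", "RST"}


class AckFlagFilter:
    """The router's "established" filter: an inbound packet is forwarded
    if and only if its ACK flag is set.  Nothing is remembered."""

    def outbound(self, pkt):
        return True

    def inbound(self, pkt):
        return "ACK" in pkt.flags


class StatefulFilter:
    """Stateful inspection (toy model): remember connections opened from
    the inside and only let inbound packets through that belong to one."""

    def __init__(self):
        self.table = set()   # (inside_ip, inside_port, outside_ip, outside_port)

    def outbound(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.flags == frozenset({"SYN"}):
            self.table.add(key)            # new connection from the inside
        elif "RST" in pkt.flags:
            self.table.discard(key)        # inside host reset it
        return True

    def inbound(self, pkt):
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key not in self.table:
            return False                   # no inside host asked for this
        if "RST" in pkt.flags:
            self.table.discard(key)        # outside host reset it
        return True


def demo():
    """Replay a constructed packet sequence through both filters and
    return (description, ack_filter_verdict, stateful_verdict) rows."""
    inside, web, outsider = "192.0.2.10", "198.51.100.20", "203.0.113.9"
    ack, stateful = AckFlagFilter(), StatefulFilter()
    rows = []

    def both(direction, desc, pkt):
        rows.append((desc,
                     getattr(ack, direction)(pkt),
                     getattr(stateful, direction)(pkt)))

    both("outbound", "inside host opens a connection to the web server",
         Packet(inside, 1025, web, 80, frozenset({"SYN"})))
    both("inbound", "web server's SYN/ACK reply",
         Packet(web, 80, inside, 1025, frozenset({"SYN", "ACK"})))
    both("inbound", "data from the web server on that connection",
         Packet(web, 80, inside, 1025, frozenset({"ACK"})))
    both("inbound", "unsolicited SYN from outside to port 1026",
         Packet(outsider, 80, inside, 1026, frozenset({"SYN"})))
    both("inbound", "ACK-only packet from outside to port 1026 (nobody asked)",
         Packet(outsider, 80, inside, 1026, frozenset({"ACK"})))
    return rows


if __name__ == "__main__":
    print("%-62s %-10s %s" % ("packet", "ACK-filter", "stateful"))
    for desc, a, s in demo():
        print("%-62s %-10s %s" % (desc, "pass" if a else "drop", "pass" if s else "drop"))
```

A real stateful firewall also times entries out, follows the FIN handshake and checks that sequence numbers fall inside the window; the table lookup above is the part that makes the ACK-flag trick stop working.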
Application-level proxying is briefly discussed in 2.2 "How do I hide
my IP-address?". In that particular example we used an HTTP-proxy. Now,
in a proxying firewall, the clients send ALL their requests (not
just HTTP) to the outside world through proxies. This way we don't
have to worry about the packet filter, just about making the application
work, because what's forwarded to the outside (and to inside
servers) are just the REQUESTS, not the real CONNECTIONS.
Now, in real life, almost all commercial firewalls implement both of
these techniques, to some extent, but different firewalls have
different underlying architecture. Is it mainly an application-level
proxy, with packet-filtering capabilities, or is it the other way
around?
[Personal firewalls]
Now, to confuse things even more, the software industry has jumped
on the firewall-craze, and is trying to sell packet-filtering
software, sometimes with some proxied services, as "personal
firewalls".
The biggest differences between these and "real" firewalls are that
1) real firewalls run on machines reconfigured and "hardened"
from the kernel up, and don't just run as an application on the
machine, 2) they have more features and better logging (often fewer
false positives) and 3) they can protect a whole network with several
hosts (a personal firewall often just protects the machine it's running
on).
For a better understanding on firewalls and their capabilities,
consult the books referred to in Appendix 1 - sources and resources.
Look for the subject "TCP/IP".
Chapter 3 - Unix questions
--------------------------
3.1 How do I get a (free) shell-account?
There are many "free shell account" services in existence, but most
strictly limit activities. Many, for example, will not allow you to
telnet, ftp, or http out, or compile programs. Most decent shell
services will require a fee.
For those still interested in free shell accounts, a list of free
shell providers resides Here.
3.2 How do I hack root without having a compiler?
This is basically the same question as "How do I hack without just
using pre-made scripts?". In questions 1.1 and 1.2 you are pointed
to some resources, but there are many more ways, which you will only
learn if you really have to secure a UNIX-box (In which case you
would benefit greatly by reading "Practical Unix and Internet
Security". Check out the details in Appendix 1). I will only
summarize some basic fundamentals here.
First of all, you have to have at least SOME sort of account on the
machine...
* See the file-permissions on .login-files, .forward-files, scripts
started by cron, any files referred to in any file in /etc and so
forth. If you can write to any of those files, write a simple
shell-script that drops a SUID/SGID shell somewhere...
(cp /path/to/ksh /tmp/.myshell; chmod 6555 /tmp/.myshell) and wait
for the process to run. When it is run, you'll get a shell with the
same privileges as the user who ran the script. Run /tmp/.myshell,
issue the command id, and see what you got.
* See if you can read (or edit) any .profile-file on the system. If
the PATH-variable has a '.' in it, it means that the shell will look
in "current working directory" for the command. So, make a
shell-script (like above) and name it to some ordinary typo. Then, if
you can get the owner of the .profile-file to cd to the directory,
and make the typo, you're home free.
* If the system is running nfs, and have any part of the filesystem
exported writeable, put a SUID/SGID shell on the machine
yourself. NFS will not let you do it as root (UID 0), but as bin (UID
2) is totally OK. Use nfsshell to facilitate the process. Now, being
bin, you could easily become root by editing any file that runs with
root privileges (see above, what I mean).
Defense:
This should be fairly obvious from reading the points above, but anyway:
Use the UMASK variable to set default file-permissions. Make no file
writable to anyone but the owner of the file. The owner can chmod it
later if s/he wants. Check, by a cron-job, that no files are set chmod 777.
These files should be set to 644 automatically, and a report
about it should be sent to both root and the owner of the file.
Fix the file-permissions of all interesting files, and make a
cron-job to do it for you daily. If you need help with that, check
out "Practical Unix and Internet Security", referred to in Appendix 1
- Sources and resources.
Check all .profile-files and the PATH-variable in them. Do this
by a cron-job, at least daily. chmod the .profile-files 600.
Get tripwire (or something equivalent) to check the filesystem.
If you have to use NFS, don't export anything rw that you don't need
to. Don't export ANYTHING outside your own subnet.
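The daily cron-job the defense above asks for, as an added example (not the FAQ's own script, and not a substitute for tripwire): it walks a directory tree and reports files writable by group or others, dotfiles such as .profile and .forward that anyone but the owner can read or write, a PATH in .profile that contains '.', and files with the SUID/SGID bit set (the thing the attack above plants, so a new one showing up is exactly what you want in the report). It also treats an empty PATH element (a leading or trailing colon) like '.', since POSIX shells search the current directory for that too. The fixture tree it audits is constructed in a temporary directory; point audit() at /home, /etc and friends in real use and mail the result to root and the owner.

```python
import os
import re
import shutil
import stat
import tempfile

DOTFILES = {".profile", ".login", ".bashrc", ".cshrc", ".forward", ".rhosts"}
_PATH_LINE = re.compile(r"^\s*(?:export\s+)?PATH=(.*)$")


def path_searches_cwd(profile_text):
    """True if a PATH assignment contains '.' or an empty element."""
    for line in profile_text.splitlines():
        m = _PATH_LINE.match(line)
        if not m:
            continue
        value = m.group(1).strip().strip('"').strip("'")
        if any(elem in (".", "") for elem in value.split(":")):
            return True
    return False


def audit(root):
    """Walk root and return sorted (relative_path, issue) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue                       # judge the target, not the link
            mode = stat.S_IMODE(st.st_mode)
            rel = os.path.relpath(full, root)
            if mode & 0o022:
                findings.append((rel, "group/world writable"))
            if name in DOTFILES and mode & 0o077:
                findings.append((rel, "dotfile accessible by others (want 0600)"))
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append((rel, "setuid/setgid bit set"))
            if name == ".profile":
                with open(full) as fh:
                    if path_searches_cwd(fh.read()):
                        findings.append((rel, "PATH searches current directory"))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed fixture: a few files with deliberately bad permissions."""
    def put(rel, content, mode):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(content)
        os.chmod(full, mode)            # explicit chmod, so umask does not matter

    put("home/alice/.profile", "export PATH=/usr/bin:.:/bin\n", 0o644)
    put("home/alice/.forward", "alice@example.org\n", 0o600)
    put("etc/cron.daily/backup", "#!/bin/sh\ntar cf /backup.tar /home\n", 0o777)
    put("usr/local/bin/okfile", "#!/bin/sh\necho ok\n", 0o755)
    put("tmp/.myshell", "", 0o4555)    # a planted setuid file


def demo():
    """Build the fixture in a temp dir, audit it, clean up, return findings."""
    root = tempfile.mkdtemp(prefix="permaudit-")
    try:
        build_sample_tree(root)
        return audit(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for path, issue in demo():
        print("%-28s %s" % (path, issue))
```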
3.3 How do I upload a file to a UNIX without having sendmail or FTP?
A fair number of unix systems have sz/rz on them. This is a full
implementation of the ZModem protocol; you will need a terminal
emulator capable of using the ZModem protocol.
TeraTerm Pro at http://hp.vector.co.jp/authors/VA002416/teraterm.html
is an excellent choice for Windows users.
"man rz" to see if your host has these programs on them. If not, ask
your administrator to add them.
3.4 What are the security-issues with core-files?
If you could get a process handling a password-database (such as
inetd) to dump core, you could do a 'strings *core' and hopefully see
bits of the database, (in this case, /etc/shadow). You would still
have to "crack" the password-hashes, though. The process is described
in the alt.2600/#hack FAQ, referred to in question 1.1 of this
document.
Defense:
All modern UNIX-flavors can actually be set to not dump core at all,
but rather just freeze the process. You can still enable core-dumps
when you want to debug a crashing process.
You could also set the size of the dumpfiles to something quite
small. In this case you get alerted by the fact that a dumpfile is
created at all, but no attacker will be able to dig out any real
harmful information out of it.
If you have a really old UNIX-system, that you can't update for some
reason, and that does not support the above methods, consider having
a cron-job deleting the core-files as often as possible.
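The two defences described above, as an added example that is not part of the FAQ: a function that caps the core-dump size for a shell and everything it starts (put the `ulimit` line in /etc/profile or the service's start-up script to make it system-wide), and a cron-friendly sweep for the old-system fallback. The directory names are placeholders.

```sh
#!/bin/sh
# Added example, not from the FAQ: core-file defences from section 3.4.
# Assumes a Bourne-style shell whose ulimit supports -c (bash, dash, ksh).

# Cap core dumps for this shell and every process it starts. 0 disables them
# entirely; a small value (the unit is shell-dependent, usually kilobytes or
# 512-byte blocks) still leaves the "something crashed" signal while holding
# too little of the process image to be worth digging through.
# Prints the limit now in effect so a caller can verify it took.
limit_core_dumps() {
    ulimit -c "$1"
    ulimit -c
}

# Fallback for systems that cannot limit dumps: remove core files under $1,
# printing each removal for the cron mail. Only the classic names "core" and
# "core.<pid>" are matched, so no other file is ever touched.
# Constructed cron line:  */10 * * * * /usr/local/sbin/coresweep.sh /home /tmp
sweep_core_files() {
    find "$1" -type f \( -name core -o -name 'core.[0-9]*' \) -print -exec rm -f {} \;
}

if [ "$#" -gt 0 ]; then
    for dir in "$@"; do
        sweep_core_files "$dir"
    done
fi
```

Note that `ulimit` only affects the shell it runs in and its children, so a daemon started from an init script needs the limit set in that script (or in the login shell of whoever starts it), not just in an interactive session.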
3.5 How do I hack NIS?
man ypcat
Read the YP manpages for more information on the security of NIS/YP.
Chapter 4 - Windows questions
-----------------------------
4.1 How do I upload a file to a Windows box without the owner's
knowledge?
Short answer: You don't.
Long answer: Asking this question inevitably means you plan on
dropping a copy of BackOrifice (or some similar trojan) on some poor,
undeserving, soul's machine. This is, to say the very least, not
cool. One individual once mentioned he was trying to Trojan his
girlfriend...A word to the wise: THIS WILL END YOUR RELATIONSHIP!
(aside from being totally lame.) (We're computer geeks, remember?
We need to hang on tight to the relationships we have,
because we're LUCKY our significant others put up with us in the
first place.)
Correct Answer: There are several ways to do this, all require some
sort of programming knowledge. (Read: You don't really want to play
with MS Visual Studio, do you?) You could, in theory, add the
executable into some sort of installation package for legitimate
software thus "disguising" the malicious code. Additionally you could
write a malicious javascript or activex control and use that to take
control of a user's machine. Certainly, either of these methods are
far more advanced than you're ready for, if you're asking this
question. The BEST way to get a program onto a windows machine is to
sit down at the console and install it yourself.
4.1.1 How do I hide an .exe in a .jpg?
The infamous and ever elusive "snapshot of a trojan horse." I say
elusive, because I've never seen it done. I've never seen it done,
because it's not actually POSSIBLE to do. (Short of typing "C:\>ren
BackOrifice.exe BackOrifice.jpg" (and no, this doesn't actually
work. It renames the file, so now windows will display rows and rows
of garbage in internet explorer when you have someone click on the
.jpg you sent them.)) You could, of course, make some sort of visual
basic script, or executable or something that displayed a picture
while installing a file in the background...again, like a little
installation package. But such an option would require more time, and
more programming skill, than you probably have if you're asking this
question. Besides, it's really lame. Come on folks, let's get a
life. Sysadmins have better things to do with their time than scan
for SubSeven and BackOrifice. The moral of the story: Don't
bother. If you do this kind of crap, without knowing what you're
getting into, you will be disliked and flamed widely. You will be one
of those skript kiddies that we gripe about. You will be a loser. You
will never be 31337. Nobody will Ph33r j00! 'Nuff said.
4.2 How do I hack with Windows?
Learn to dual-boot to a unix environment. That is seriously the best
way to learn. Windows doesn't come with nice things like a built-in C
compiler, or integrated firewall software. If you're seriously
interested in learning computer and network security, your best bet
is going to be jumping into Unix. (I recommend OpenBSD. It's the most
secure out of the box, and installing and configuring it makes for a
great learning experience.) For you young folks out there, whose
parents won't let you install a second operating system on their
computer: get a job, buy your own. Linux works pretty great on an old
486. A $300 investment will bring you untold benefits. You could
maybe even talk your folks into picking up an old box at a garage
sale, or university surplus property auction. To qualify this line of
thought: If you REALLY want to learn to use windows as a hacking
platform, you're going to spend a lot more money on software than you
ever would on a small, but powerful, unix box. For starters, Windows
9x is not a real network operating system. So, you'd need to upgrade
to NT or 2000 right away. That alone is at least 300
dollars. Additionally, you'd need to pick up the appropriate resource
kit, probably with a subscription to MS Technet so you could fix it
when it crashes into the ground once a week, and you'd certainly need
some development tools as well, so that you could work with the
exploits needed to effectively penetrate a remote system. To get all
of those things, you'd be well off subscribing to the Microsoft
Developer Network, which is a cost of $1500. Those aren't even all of
the tools you'd need. Assuming you find some shareware you like, or a
tool that you can't live without you're going to be spending LOTS of
money. Buy a small unix box. Or, if your parents aren't cool with
that, buy a copy of VM Ware at a cost of $300. (www.vmware.com). I
guarantee you that this is the best, most educational, and least
expensive way to become a real hacker, and not just some lame-o
script kiddy.
4.3 How do I secure my Windows system?
Windows 95/98: Disable file and print sharing. Odds are, if this is
your home PC, you're not going to need this ability. If you do, for
some reason need this ability at some point in time, enable and
disable it as needed. 9x users may also benefit from the purchase of
a personal firewall/IDS package such as Zonealarm, BlackICE Defender,
Conseal, or other like-minded software. Although these are notorious
for false positives, when properly configured they can provide a good
measure of security for your home system.
Windows NT: If you're on a network, block access to TCP/UDP ports
135-139 at the perimeter. These are the standard ports for the NetBIOS
interface used in Windows networking. Blocking access to these ports at
the perimeter gateway interface will solve 90% of remote Windows NT
problems. If you're running NT as a standalone system (and why would
you do such a thing?) you can safely disable and unbind NetBIOS from
TCP/IP and your NIC. Additionally, implement a strong password policy,
some good solid system administration policies (disabling guest
accounts, restricting anonymous access, renaming administrator
accounts, setting good system policies, tightening access control lists,
etc. etc. etc.) and for the love of god DON'T run IIS. (If you host a
website, use a decent webserver. Apache, for instance.) (Disclaimer for
the windows junkies: If you must run IIS because you can't live without
your precious frontpage extensions, then run your web server in a
De-Militarized zone outside the reach of your regular servers. This is
good advice for ANY web server, but IIS in particular, as it's host to
so many remote vulnerabilities that it's typically just begging to be
broken into.) Generally, good system administration policies on NT boxes
can get you a long way toward a more secure system. Read some of the
microsoft documentation. Read the NT security FAQ here on Packet Storm.
READ!!! Read every paper on this site, if you can. You'll learn a great
deal of VERY useful information. If you have more advanced questions on
securing your systems, that's what the forum is all about. Let us know,
and don't be afraid to ask us. Obviously the concept of "securing Windows
NT" is not something that one little part of a FAQ can take care
of...books have been written about the subject...large heavy books. Help
us help you by asking your questions in as much detail as possible.
Exactly what you have, and exactly what you'd like us to help you with.
4.4 Windows keeps getting Nuked, what can I do to fix it?
We get lots of questions about windows crashing. Everyone who has ever
used windows has lots of questions about windows crashing. Typically the
best way to keep windows from getting hosed via denials of service is to
keep up-to-date with your service packs and software patches. Also,
general rule-of-thumb: Don't piss people off on the IRC, or ICQ, or AIM,
or Yahoo! Chat, or whatever. There are hundreds (read:thousands) of
programs out there written specifically for the purpose of crashing the
hell out of windows through a chat session, or whatever. The problem is
that there are kids out there who think they are 31337 Hax0rz if they have
the latest chat room scrolling proggie for AOL. These people like to
compensate for their social ineptitude by dumping people offline. For
those people: Shame on you. Get a life. Get a clue. Get a real ISP. None
of us have any regard whatsoever for you if you act this way. Denials of
service are lame. Find something better to do with your time. If you're
being dumped offline by one of these people, take action. Report them to
their ISP. Block them from sending things to you. Avoid them in IRC chat
rooms. Use the personal firewall we talked about earlier to block their
IP. And the most useful piece of advice we could offer you: Don't start
internet piss-fights. Just leave the hostile situation, and ignore the
instigator. Report them. Getting revenge is out because A) You've sunk to
the level of that skript kiddi3 we all hate, and B) It could seriously
land you in jail.
Chapter 5 - Programming questions
---------------------------------
5.1 How do I run a .c-exploit?
Don't. You obviously have no clue what it is if you have to ask, and
then you have no business running it...
However for the curious mind: .c-files are source-code for programs
written in the C language, the same programming language used to
write UNIX. Therefore you will almost always find a C compiler on a
UNIX machine.
In these cases you can compile the source into an executable program
by issuing 'cc filename.c -o programname' or 'gcc filename.c -o programname'.
However, you REALLY should take the time to read through it before
running it. And if you don't even know what a compiler is, perhaps you
should leave them alone... Running programs like these may damage
your system if you cannot trust their content. Be suspicious of
all code that you have not written yourself. Or take a piece of advice
and try the code on an isolated system that is of no importance
[Read: like your little brother's old 486 or something ;-)].
5.2 What is a buffer overrun?
Writing more data into a buffer than it can hold, so that the excess
overwrites other areas of memory. This may give an opportunity to execute
arbitrary code. However, using this without a premade exploit
requires you to know a lot about how the system works and how
to program in assembly code. For example, you must know where on the
stack the 'new command lines' end up. The best way would
be to build up a system similar to the one you're trying to hack and
then try, try, and try again to find these overflows on that
system itself. So if you dump some core, get the kernel to panic
and get segmentation faults, you're getting there ;-)
For a thorough description on what a buffer overrun is and how to
implement one, go to Phrack, Issue 49, Article 14, "Smashing The
Stack For Fun And Profit" by Aleph1.
Appendix
--------
1. Sources & Resources
-----------------------
These sources and resources are not indexed in any special reading
order or anything. They are just basically good
(read: Excellent) books if you want to learn a thing or two about the
subjects in this FAQ. Try to find them in your local library, since
you might want to read them before you buy them. Good luck!
General "Must reads"
[Trevlig recommends] The New Hacker's Dictionary - 3rd Edition
(1996) 0-262-68092-0 Well... not really 31337 h4x0r lingo... but it's
a really funny book that can give you inspiration and understanding
in how it was in the good 'ol days. Also check out the electronic
version found at: http://www.tuxedo.org/~esr/jargon/jargon.html
[Mah-Kahn says] Actually, check out ALL his works, and see what he
has to say about Open Source, The history of Hackerdom, etc. Eric is
a TRUE hacker, in the REAL (old) meaning of the word.
[Trevlig recommends] Hacking Exposed - Second Edition
(2000) 0072127481 NOT YET PUBLISHED, but order it anyways =) This
book will be good for basic understanding of hacking.
[Secular recommends] Phrack Magazine. http://phrack.infonexus.com
Issues don't come out often, but every single one of them is full of good
information. Various articles and issues have been recommended earlier in
this FAQ, but I think it's a source worthy of note here as well. Read the
older issues and learn the history of phreaking/hacking. Read the newer
ones for more current information. Read line noise to get a truly great
laugh. And don't ask stupid questions. You will burn. [Mah-Kahn says]
This is a TRUE hacker/phreaker magazine. 2600 WAS good, but Phrack, in
my opinion IS good. Some really serious network administration here too.
A great resource.
On TCP/IP
[doxavg recommends] "TCP/IP Illustrated, Volumes 1 - 3", W. Richard
Stevens & Gary R. Wright. ISBN #s: 0201633469, 020163354X, and
0201634953 respectively. These are the best books on the subject I've
read.
[Trevlig recommends] TCP/IP Network Administration, 2nd Edition
(1997) ISBN 1-56592-322-7 This is a real classic; I don't know anyone
who does system administration/hacking who doesn't have "the crab
book". It covers a lot of topics surrounding the Internet (including
Firewalls, DNS, Proxy and much more) Highly recommended!!! There is
also a WinNT version but this is the real thing.
[Mah-Kahn recommends] "Firewalls and Internet security, repelling the
Wiley hacker", Cheswick and Bellovin, Addison-Wesley Pub Co,
ISBN: 0201633574 A must read on the topic of firewalls, though it's
getting quite old now.
[Mah-Kahn recommends] "Building Internet Firewalls - Second edition",
Elizabeth D. Zwicky, Simon Cooper, & D. Brent Chapman , O'Reilly and
Associates, ISBN: 1565928717 . Great for understanding what a
firewall is and what it does. Building your own firewall after
reading this book is still no easy task, but at least you'll
understand how one would work if you were to buy one.
[Secular recommends] Building Linux and OpenBSD Firewalls (2000), Wes
Sonnenreich, Tom Yates, Wiley Computer Publishing, ISBN
0471353663. Positively the best computer book I've ever read. Not
only is it an excellent source of information on firewall
construction and TCP/IP security theory, but it's also written with a
refreshing humor that makes it very easy to read. A must-read.
On UNIX
[Mah-Kahn recommends] "Practical UNIX and Internet security - Second
edition", Simson Garfinkel and Gene Spafford, O Reilly and
Associates, ISBN: 1565921488. This book is a must-read. It takes you
from groundlevel as a total novice and is actually at times a quite
funny book. This is the first book you should read on UNIX-security,
regardless of what colour you have on your hat.
[Trevlig recommends] UNIX System Administration Handbook, 2nd Edition
(1995) ISBN 0-13-151051-7. Really good book and easy to read (written
with humor), covers all the major UNIX distros. It's a little old but
all the basic concepts are still the same. Highly recommended!!! A
new edition coming out in fall of 2000
[Trevlig recommends] UNIX Power Tools 2nd Edition (1997) 1565922603
Good reference book for finding answers to "easy questions". This
book handles a lot of the tools that are commonly used for UNIX
administration.
[Secular recommends] Running Linux, 3rd Edition (1999) ISBN 1-56592-469-x
Welsh, Dalheimer, and Kaufman, O'reilly publishing. A great book that
covers all of the bases on how to install, administer, and run a Linux
system. Covers everything from disk partitioning to programming to TCP/IP
networking. A handy book for anyone running Linux.
On Windows
[Secular recommends] http://support.microsoft.com If you have a problem,
Microsoft's knowledge base usually has an answer, or at least a
workaround.
On Programming
[Secular recommends] Code Complete (1993) Steve McConnell, Microsoft Press
ISBN: 1-55615-484-4 This is a must-read for any programmer. The techniques
introduced in this book are a how-to for clean, well structured code in
any language. If you want to write better programs with fewer headaches,
take a look at this one.
[Trevlig recommends] Programming Perl, 3rd Edition
(2000) 0-596-00027-8. If you're just going to buy one book on Perl
programming this is the one. Also known as "the camel
book". [Mah-Kahn says] Perl is a great first language. It's easier
than C, and more portable than BASIC. Oh, and it's free, too.
[Trevlig recommends] The C Programming Language (2nd
edition) 0-13-110370-9. Pick up this one when you've gotten on your feet
and start getting somewhere. Before that you can learn a lot just looking
at code and trying things for yourself.
[Trevlig recommends] Practical C Programming, (3rd
Edition) 1-56592-306-5. Good for learning the structure of more
advanced programs.
[Mah-Kahn recommends] Thinking in C++ - Volume 1, Second edition,
Bruce Eckel, Prentice Hall, ISBN: 0139798099. A great book if you
want to understand what object-oriented programming really is. Not
the first programming book you should buy, but it IS great if you
know C and want to move on to C++. The book (and the draft-versions
of Volume 2) is also downloadable at http://eckelobjects.com
[Trevlig recommends] C++ Direkt ISBN: 9144014635 Well this book is in
Swedish but it's really a good starter on C++ programming.