# Hacking in telnet ftp

Chia sẻ: Nghia Bui Tuan | Ngày: | Loại File: PDF | Số trang:17

0
99
lượt xem
43

## Hacking in telnet ftp

Mô tả tài liệu

[I Want to Start at the Start] [I Want to Go Straight to Hacking] INTRODUCTION: A little background is needed before we get into hacking techniques. When we talk about ‘Hacking’

Chủ đề:

Bình luận(0)

Lưu

## Nội dung Text: Hacking in telnet ftp

1. choices.gif (538 bytes) [I Want to Start at the Start] [I Want to Go Straight to Hacking] INTRODUCTION: A little background is needed before we get into hacking techniques. When we talk about ‘Hacking’, we are talking about getting some access on a server we shouldn’t have. Servers are set up so that many people can use them. These people each have different ‘accounts’ on the server – like different directories that belong just to them. If Fred has an account with the froggy.com.au ISP (Internet Service Provider), he will be given: (1) a login name, which is like the name of your directory; and (2) a password, which lets you get access to that directory. This login name and password will usually give you access to all of Fred’s services - his mail, news services and web pages. There is also the ‘root’ account, which has it’s own login and password. This gives super-user access to the entire server. We will focus on ‘getting root’, in this help file. choices.gif (538 bytes) [Ok, I want to move to the 'anatomy of the hack'] [I know all this, let me move straight to hacking] [ I don't have a clue what you're on about, let me read some backgroundon this so called "Internet" you keep referring to ] THE ANATOMY OF THE 'HACK': There are two main ways to break into a system. Think of a server as a Swiss Bank Vault. There are two main ways to get in. You can try to get in by finding the combination of the vault. This is like finding the password. It’s how you are meant to get in. The second way is by using dynamite. You forget all about the ‘proper’ way to get in. This is like using ‘exploits’, or weaknesses in the servers operating system to gain access. choices.gif (538 bytes) [Ok, Let's Go. Tell Me About Not Getting Caught]
2. [Stuff it, I know how to not get caught, on to the techniques!] 'DON'T GET CAUGHT': Hacking is illegal, and it is very easy to trace you if froggy.com.au realizes you hacked them. Wherever you go, your IP number (your computer’s unique identification) is left and often logged. Solutions: 1. When you set up your account with an ISP, give a false name and address. choices.gif (538 bytes) [Nah, I can't be bothered, what other things can I do?] [Ok, I used this trick. What else can I do?] [Stuff it, I know how to not get caught, on to the techniques!] 'DON'T GET CAUGHT': 2. Hack using a filched account (stolen password, etc.). A tool called Dripper can steal passwords for you from public net cafes and libraries. choices.gif (538 bytes) [Nah, just tell me something easy I can do right now] [Ok, done. Anything else I should do?] 'DON'T GET CAUGHT': 3. Port your connection through something else. An easy way to do this is to change your proxy settings. By using the proxy settings meant for a different ISP, it can look like you are surfing from wherever that ISP is. A list of proxies you can use is here . You should also do any important info gathering through the IP Jamming Applet on the Cyberarmy.Com to hide your IP. If you want super anonymity, you should be surfing in an account you set up under a false name, with your proxy settings changed, and also surfing through the IP Jamming applet! Be aware that some ISPs could use Caller ID to test the number of someone logging on. Dial the relevant code to disable Caller ID before calling your ISP.
3. choices.gif (538 bytes) [I don't understand about the proxy settings thing, let me read more ] [Ok, I am wired for hyper stealth... Now, I want to HACK!] INFO GATHERING: To start off, you will probably need to gather information about www.froggy.com.au using internet tools. choices.gif (538 bytes) [Ok, how?] [Give me some reading to do about info gathering ] [No, I've already got all the info, just tell me what to do] DIRT DIGGING STAGE: We are now taking the first steps of any hack... Info Gathering. You should be set up for stealth mode. Get a notepad, and open a new browser window (through the IP Jammer). Bring the www.froggy.com.au 's web page up in the IP Jammer's window. You can load the IP Jamming applet on the Cyberarmy.Com . choices.gif (538 bytes) [Ok, What Now?] CASE THE JOINT: 1. First, check out the site. Take down any email addresses, copy down the HTML of important pages. choices.gif (538 bytes) [Done... What Else?] THE OLD BOUNCING MAIL TRICK:
4. 2. Send a mail that will bounce to the site. If the site is www.froggy.com.au , send a mail to blahblahblah@froggy.com.au . It will bounce back to you and give you information in its header. Copy the information from the headers down. (To maintain anonymity, it might be a good idea to send and receive the mail from a free web based provider, such as hotmail.com. Use full stealth features when sending the bouncing mail. This will protect you when they check through the logs after they are hacked.) choices.gif (538 bytes) [Done... What Else?] TRACEROUTE: 3. Still using stealth features, Traceroute froggy.com.au . This Traceroute search is avaliable from the Hacker's Home Page, in the Net Tools section. This will tell you the upstream provider of the victim server. TOOLS choices.gif (538 bytes) [Ok, what next?] WHOIS: 3. Still using stealth features, Whois the site. This Whois search is avaliable from the Hacker's Home Page, in the Net Tools section. This will give you information on the owners and servers that run the site. Write it down. TOOLS choices.gif (538 bytes) [Ok, what next?] GIVE 'EM THE FINGER: 4. Finger the site. Use this finger service at Cyberarmy.Com to check the site. Try fingering just with “finger @froggy.com.au ” first. This sometimes tells you the names of all accounts. If this does not work, try fingering any email addresses you found on the site, and through Whois. This will sometimes give you useful information.
5. FINGER @ choices.gif (538 bytes) [Ok, what next?] THE DEADLY PORT SCAN: 5. Now, we're about to get rough on the site. Port Scan the site. Port scanning checks for all open ports for an IP. It is extremely useful, however, it practially screams to the webmaster's of the victim site that they are in the middle of being hacked. The is basically no legitimate reason to port scan a site unless you are about to hack it. There are no very good ways to hide a port scan, but there are a few semi-stealthy port scanners. Most are only for Linux / Unix systems. However, the Exploit Generator for Windows is one that claims to be stealthy. However, if you are trying to enter a very secure site, perhaps forget about port scanning for now, unless you are running Linux. Though, port scan will tell you all the services a site is running. If port 21 is open, it means they have an FTP server. If port 23 is open, it means they have telnet. choices.gif (538 bytes) [Ok, What next?] TELNETTING: 5. The aim of telnetting to the site is basically to try and find out the server type. While your browser is in stealth mode, use the Anonymous Telnet applet in the Cyberarmy.Com to open a Telnet window. Telnet to the site to Port 23. Usually, if the address is “www.froggy.com.au ”, try telnetting to "froggy.com.au ". If this does not work, try to telnet to telnet.froggy.com.au or try telnetting to any of the sites listed as name servers in your previous Whois search. Once you have got access, note any information it gives you, such as server type. choices.gif (538 bytes) [This worked - I got the server type!] [None of that worked...] TELNETTING: Now change the telnet to port 21. This should send you straight in to the server's FTP
6. port. If this works, try typing SYST to find out what server type it is. choices.gif (538 bytes) [This worked - I got the server type!] [None of that worked...] TELNETTING: Now, if you are lucky, try telnetting to port 80, the HTTP port. Note if this gives you any information. choices.gif (538 bytes) [This worked - I got the server type!] [None of that worked...] RUNNING LAME PROGRAMS: You *need* to know the server type to have any hope of hacking the thing. How do you expect to run exploits against it if you cant even figure out what you're dealing with here? A final resort is to run a program called Whats Running? It doesn't work very well, but will sometimes tell you the server type. It will also probably be logged by the victim server. If that doesn't work, do anything to find the server type. Even write them an e-mail asking what operating system they're running. choices.gif (538 bytes) [Ok, I've got the Info... Now I want access!] HACKING THROUGH THE PASSWORD: We will now try to go through the front door of the server. As to our analogy, we are trying to find the combination of the safe. choices.gif (538 bytes) [Ok, I Want Root!] [Nah, I already know this server will need exploits] EASY THINGS FIRST:
7. You would kick yourselves if ya spent weeks trying advanced hacking with exploits, IP spoofing and social engineering, just to find that we could have got in by using: $Login: root$Password: root So, let’s just try this first and get it out of the way. Unix comes set up with some default passwords, and sometimes these are not changed. So, we telnet to froggy.com.au . Don’t use your usual telnet program. Unless you are using a filched or anonymous account, it will show your IP address to froggy.com.au . With your proxies changed, and everything set for stealth, switch back to the Anonymous Telnet window. Then try the following accounts and passwords: ACCOUNT: PASSWORD (login) root: (password)root sys: sys / system / bin bin: sys / bin mountfsys: mountfsys adm: adm uucp: uucp nuucp: anon anon: anon user: user games: games install: install demo: demo umountfsys: umountfsys sync: sync admin: admin guest: guest daemon: daemon The accounts root, mountfsys, umountfsys, install, and sometimes sync are root level accounts, meaning they have sysop power, or total power. Other logins are just "user level" logins meaning they only have power over what files/processes they own.
8. choices.gif (538 bytes) [Nup... Didn't think it would work] [Incredible... That Lame Trick Actually Worked!] USING THE LOGIN NAMES: Still simple things first. About 1 in 20 people are stupid enough to have the same login name and password. With your list of all the email addresses or finger information you dug from the site, try this. For example, if the web site made a reference to fred@froggy.com.au , try logging in (through telnet or a FTP program to their server) as: $Login: Fred$Password: Fred Do this with all the names you have found - you might get lucky. Did this work? choices.gif (538 bytes) [Nah, they had some baddass security, didn't work] [Oh, Golly Gee... I got access to one of the accounts!] GETTING THE PASSWD FILE: You probably had no luck until now. Actually, most hacking techniques only have a slim chance of success. You just try hundreds of slim chances till you get it. Assuming you were trying to log in on a Unix system, you may have been wondering how Unix checks to see whether the passwords you gave were correct or not. There is a file called ‘passwd’ on each Unix system which has all the passwords for each user. So, if we can’t guess the passwords, we will now try to rip this file and decrypt it. choices.gif (538 bytes) [Make it so, Number 1] ANCIENT CHINESE FTP METHOD:
9. Your browser should be set to use the fake proxies. We will keep using this browser to FTP, because it cannot be easily traced, whereas something like CuteFTP can be traced to you because it can't use proxies. If in your port scan, you found an opne port 21, its a pretty good indication that they run an FTP server. Using your stealth browser, try to FTP to froggy.com.au . Example: ftp://froggy.com.au If that does not work, try to FTP to ftp.froggy.com.au . Example: ftp://ftp.froggy.com.au If that does not work, try to FTP to the Domain Name Servers listed when you did your WHOIS search. Example: ftp://ns1.froggy.com.au choices.gif (538 bytes) [Ok, I'm In] [Nah, stupid thing won't let me in] ANCIENT CHINESE FTP METHOD: Now you are connected to froggy.com.au ’s FTP server, click on their \etc directory. You should see a file called ‘passwd’ and maybe a file called ‘group’. Download the ‘passwd’ file, and look at it. If it looks like this when you open it, you are in luck: root:2fkbNba29uWys:0:1:Operator:/:/bin/csh admin:rYsKMjnvRppro:100:11:WWW administrator:/home/Common/WWW:/bin/csh kangaroo:3A62i9qr:1012:10:Hisaharu [etc.] For example, we know a login is “kangaroo” and their encrypted password is “3A62i9qr”. Note - this is not their password, but an encrypted form of their password. Or, did it look more like this: root:*:0:1:Operator:/:/bin/csh admin:*:100:11:WWW administrator:/home/Common/WWW:/bin/csh kangaroo:*:1012:10:Hisaharu TANAKA:/home/user/kangaroo:/usr/local/bin/tcsh Is the second, encrypted password, section replaced by *’s or x’s? This is bad – it is called a shadowed password and cannot be decrypted. This is how most passwd files are now days. However, if you got a
10. passwd file which has some non-shadowed entries, you can put your hand to decrypting it. choices.gif (538 bytes) [Nah, It was all shadowed] [Nah, couldn't find the passwd file in the first place] [Yes! I think I got some non-shadowed passwords] DECRYPTING PASSWD FILES: There are a few programs around which were written to decrypt Unix passwd files. The most famous one was called ‘Cracker Jack’. Many ‘hacking’ texts strongly recommend this file – but they are mostly talking rubbish. Its old and most systems will just crash when they try to run it, as it uses weird memory allocation. The best Unix cracker around is currently called 'John the Ripper 1.5’. It is readily avaliable. It was only written in the last year or so, and is a lot faster than Cracker Jack ever was. John the Ripper was also designed with Pentiums in mind, and the brute force techique used is genius. But you have to go down to DOS to use it. You will also need a large ‘wordfile’, with every English word. Bigger the better. The Crack Programs test every word in the wordfile against the passwd file. If the wordfile is big enough, you have a good chance of getting a password. choices.gif (538 bytes) [Yes! I Got Me Some Decrypted Passwords!] [Nah, the Encryption was too Good] [Give me some reading about all the different password crackers, where to find them, etc. ] THE OLD-STYLE PHF TECHNIQUE: Although most servers have now trashed a program called PHF, let's just make sure... It is is working, it lets you get the passwd file remotely, even if it is inside hidden and root access only directories. In the Overlord Anonymizer, type: http://www.froggy.com.au /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd. OVERLORD ANONYMIZ