Tutorials | Byte Me | C.A.I.R.A | Message Board | Mailing List | War game | The Team | Online Chat | Links | Translations | Books



How servers are cracked, by R a v e N.

Session Start: Sat Jan 22 18:04:06 2000
[18:04] *** Now talking in #bsrf
[18:04] *** Topic is 'Welcome to #bsrf | Our Website: http://blacksun.box.sk | Next IRC lecture: 'How Servers are Cracked' | See http://blacksun.box.sk/irc.html | Alright, I know the bot is down most of the time now, and that the channel is ultra insecure, so please don't abuse this... heh, yeah right'
[18:04] *** Set by Raven on Wed Jan 19 07:22:58
[18:04] * #bsrf is being logged
[18:04] <INTJ> okie
[18:05] <INTJ> ready?
[18:05] <Raven> alright
[18:05] <Raven> is everyone ready?
[18:05] <c0c0> yep
[18:05] <Chaotic_Thought> Yes sir...
[18:05] <Seeker> yup
[18:05] <squiler> yup
[18:05] <INTJ> 9 ppl overall
[18:05] <SnIpEr_WoLf_> yeah
[18:05] <Seeker> that good?
[18:05] <Raven> including me
[18:05] <Raven> :-)
[18:05] <Raven> alright
[18:05] <Raven> On your marks.
[18:05] <Raven> Get set.
[18:05] <Raven> Go!
[18:05] <Raven> okay, so today's topic is...
[18:06] <Raven> how servers are hacked
[18:06] <Raven> basically, of course
[18:06] <INTJ> cracked
[18:06] <Raven> yeah, cracked
[18:06] <Raven> terminology...
[18:06] <Raven> hehe
[18:06] <Raven> :-)
[18:06] <INTJ> that's what you wrote on your website ;p
[18:06] <squiler> :)
[18:06] <Raven> anyway, most of those website defacements...
[18:06] <Raven> dns cracks
[18:06] <Raven> email cracks
[18:06] <Raven> ftp cracks
[18:06] <Raven> etc' etc'
[18:06] <Raven> they're usually done in fairly easy and simple ways
[18:06] <Raven> that do not require much knowledge
[18:07] <Raven> they're usually done by little kids
[18:07] <Raven> mostly little kids in "hacking" groups
[18:07] <Raven> who want to show the world how smart they are
[18:07] <Raven> Phase I
[18:07] <Raven> --------
[18:07] <Raven> oops...
[18:07] <Raven> -------
[18:07] <Raven> DAMN!
[18:07] <Raven> lol
[18:07] <Raven> okay, all over again
[18:07] <Raven> Phase I
[18:07] <Raven> -------
[18:07] <Raven> ahh...
[18:07] <Raven> that's better
[18:07] <Raven> any questions so far?
[18:07] <Raven> okay, so phase one is...
[18:07] <Raven> intelligence gathering
[18:07] <TheJoker> why is it so easy?
[18:08] <Raven> we'll get to that
[18:08] <INTJ> because of ./i-0wn3d-u <server> <port> ;p
[18:08] <Raven> exactly
[18:08] <Raven> if some of u don't understand, don't worry
[18:08] <Raven> we'll get to that
[18:08] <Raven> so anyway, stage one is intelligence gathering
[18:08] <Raven> this is the most important stage
[18:08] <Raven> why?
[18:08] <squiler> ...
[18:09] <Raven> because otherwise you'll find yourself trying thousands of sunos 3.4 exploits
[18:09] <Seeker> need to know what os
[18:09] <TheJoker> you have to know what exploits apply
[18:09] <Raven> while you're actually attacking an nt4.0 server
[18:09] <Raven> what os...
[18:09] <Raven> and what is the host running
[18:09] *** c0c0_ has joined #bsrf
[18:09] <Raven> those are the two most important phases in intelligence gathering
[18:09] <c0c0_> damn i've disconnected
[18:09] <Raven> getting them is fairly easy
[18:09] *** c0c0 has quit IRC (Ping timeout)
[18:09] <INTJ> welcome c0c0_, we're in the middle of the lecture
[18:09] *** c0c0_ is now known as c0c0
[18:09] <Raven> poor soul
[18:09] <TheJoker> nmap?
[18:09] <Raven> :-)
[18:10] <Raven> that's two
[18:10] <Raven> nmap is too "advanced" for most script kiddies
[18:10] <TheJoker> advanced?
[18:10] <Raven> most people use really amateurish methods
[18:10] <Raven> such as reading daemon banners
[18:10] <Raven> (yes, it requires the "cracker" to have unix... ooh)
[18:10] <TheJoker> hehe
[18:10] <Seeker> whats a daemon banner?
[18:10] <Raven> and to know how to install new software
[18:10] <squiler> ha
[18:10] <Raven> alright, i'll show u
[18:10] <squiler> oo me oo me!
[18:10] <Raven> everyone, do telnet mailgw.netvision.net.il
[18:10] <Raven> this is my isp's smtp server
[18:11] <Raven> smtp = simple mail transfer protocol
[18:11] <INTJ> but daemon banner is trivial to be spoofed
[18:11] <Raven> for outgoing mail
[18:11] <Raven> yes, of course
[18:11] <Raven> first, let's explain to those who don't know what daemon banners are
[18:11] <Raven> what do u get when u telnet to mailgw.netvision.net.il?
[18:11] <Seeker> oh, i think i know what you mean
[18:11] <c0c0> Trying 194.90.1.14...
[18:11] <squiler> "could not connect"
[18:11] <squiler> :-)
[18:11] <c0c0> telnet: connect to address 194.90.1.14: Connection refused
[18:11] <c0c0> telnet: Unable to connect to remote host: Connection refused
[18:11] <Raven> oops
[18:11] *** SnIpEr_WoLf_ has left #bsrf
[18:11] <Raven> telnet mailgw.netvision.net.il 25
[18:11] *** SnIpEr_WoLf_ has joined #bsrf
[18:11] <Raven> telnet mailgw.netvision.net.il 25
[18:12] <Raven> port 25, this is important
[18:12] <Raven> smtp runs on port 25
[18:12] <c0c0> yea
[18:12] <Chaotic_Thought> I'm on...
[18:12] <squiler> we get like sendmail version etc...
[18:12] <TheJoker> running sendmail
[18:12] <Chaotic_Thought> 8.9.3 sendmail
[18:12] <Raven> yup
[18:12] <Raven> 220 alpha.netvision.net.il ESMTP Sendmail 8.9.3/8.8.6; Sat, 22 Jan 2000 19:14:41 +0200 (IST)
[18:12] <TheJoker> a linux/unix?
[18:12] <Raven> this is what u get
[18:12] *** Sniper_wolf__ has joined #bsrf
[18:12] <Raven> this is a daemon banner
[18:13] <c0c0> hmmmm, oki
[18:13] <Raven> btw check blacksun.box.sk/ports.txt for a list of standard ports
[18:13] <Raven> now, what does it tell us?
[18:13] <Raven> ooh, sendmail
[18:13] <Raven> the dumbest daemon ever
[18:13] <Raven> it just gave us the version of the daemon that is running
[18:13] <TheJoker> it's a unix type sys
[18:13] <Raven> usually, in sendmail holes, the OS doesn't matter much
[18:13] <Raven> yup
[18:13] <Raven> now, suppose we're some script kiddie
[18:14] <Raven> so we have the version
[18:14] <Raven> of the daemon
[18:14] <Raven> now we go to, say, packetstorm.securify.com
[18:14] <Raven> or neworder.box.sk
[18:14] <Raven> and we search
[18:14] <INTJ> bugtraq
[18:14] <INTJ> technotronic
[18:14] <INTJ> ;p
[18:14] <Raven> we use keywords such as "sendmail 8.9.3"
[18:14] <Raven> yes, bugtraq is good too
[18:14] <Chaotic_Thought> look for a crack/bug
[18:14] <Raven> yup
[18:14] <INTJ> ntbugtraq.com
[18:14] <Raven> now, here is what we'll find
[18:14] <Raven> we could find:
[18:15] <TheJoker> that's pathetic!
[18:15] <Raven> a) advisories
[18:15] <Raven> these hardly mean anything to crackers
[18:15] <Raven> they only explain to u how to fix the hole
[18:15] <Raven> and a little technical backgruond
[18:15] <Raven> and a little technical background
[18:15] <Raven> which the common script kiddie won't be interested in
[18:15] <Raven> b) texts
[18:15] <Raven> texts will detail the hole
[18:15] <Raven> how to exploit it
[18:16] <Raven> and a workaround, if any
[18:16] <Raven> c) an exploit
[18:16] <Raven> BINGO!
[18:16] <Raven> an exploit is a premade program
[18:16] <Raven> that exploits a certain hole
[18:16] <Raven> all the cracker has to do is to compile it
[18:16] <Raven> (unless it's written in perl)
[18:16] <Raven> (or another interpreted programming language)
[18:16] <INTJ> bash
[18:16] <Raven> ('cause they run in the form of source code)
[18:16] <Chaotic_Thought> So crackers are usally lazy punks...
[18:16] <Raven> yes, or a shell script
[18:16] <Raven> although u'll hardly ever found exploits in the form of shell scripts
[18:16] <INTJ> pamslam.sh
[18:16] <INTJ> heheh ;p
[18:17] <Raven> sniperwolf missed everything from phase one 'till "the dumbest daemon ever"
[18:17] <INTJ> redhat and mandrake rooter
[18:17] <Raven> can anyone plz help him?
[18:17] <Raven> i'm kinda busy here with the lecture and everything
[18:17] <Raven> :-)
[18:17] <Raven> other daemons a cracker might want to look at:
[18:17] <Raven> ftp
[18:17] <Raven> by logging into ftp servers
[18:17] <Raven> when logging into ftp servers
[18:17] <Raven> u usually get technical information about the system
[18:18] <Raven> u could also try to issue the syst command
[18:18] <Raven> which will also give away some information
[18:18] <Raven> webservers
[18:18] <Raven> if u issue a bad url request
[18:18] <Raven> it'll give u some info
[18:18] <Raven> for example: try surfing to http://blacksun.box.sk/some-dead-link.html
[18:18] <c0c0> like they are usun apache
[18:18] <Raven> it'll give u an error msg
[18:18] <Raven> and the name and version of the webserver program
[18:18] <Raven> fairly easy
[18:18] <Raven> all u need is a browser
[18:19] <Raven> crackers can also utilize newsgroups daemons
[18:19] <TheJoker> how bout pop mail?
[18:19] <Raven> and others
[18:19] <Raven> pop mail too
[18:19] <Chaotic_Thought> Apache 1.3.6 port 80
[18:19] <Raven> pop3 usually reveals information
[18:19] <Raven> ftp port 21
[18:19] <Raven> news port...
[18:19] <Raven> 119, i think
[18:19] <Raven> pop is...
[18:19] <TheJoker> telnet
[18:19] <Raven> uhh, damn
[18:19] <INTJ> 110 = pop
[18:19] <TheJoker> 110
[18:19] <Raven> yeah
[18:19] <Raven> telnet too
[18:19] <Raven> telnet to port 23
[18:19] <c0c0> yep 119 if it is not a secure connection
[18:19] <Raven> go ahead and telnet to blacksun.box.sk on port 23
[18:19] <Raven> u'll get some info on the system
[18:20] <Raven> but what if we change this information?
[18:20] *** Sniper_wolf__ has quit IRC (IL.Quit: I was using Ghost_Rider Script version 2.0)
[18:20] <Raven> most of today's server programs let u do it
[18:20] <TheJoker> most admins do it.
[18:20] <squiler> redhat linux 5.2 --- you learn the os
[18:20] <c0c0> Kernel 2.0.36 on an i586
[18:20] <squiler> and the system
[18:20] <Raven> so suppose we've changed the daemon banner
[18:20] <TheJoker> Red Hat Linux release 1.2 (Apollo)
[18:20] <Raven> but what if...
[18:20] <squiler> ...
[18:20] <Raven> we're dealing with a smarter script kiddie?
[18:21] <Raven> (ph33r)
[18:21] <squiler> they exist?
[18:21] <Raven> yeah
[18:21] <squiler> :)
[18:21] <Raven> there are some
[18:21] <TheJoker> nmap!
[18:21] <INTJ> yes, unfortunately ;p
[18:21] <Raven> yup
[18:21] <Raven> www.insecure.org
[18:21] <Raven> download nmap
[18:21] <c0c0> queso may be?
[18:21] <Raven> how does nmap work?
[18:21] <INTJ> winfingerptint.exe
[18:21] <Raven> queso too
[18:21] <Raven> winfingerprint too
[18:21] <Raven> winfingerprint is for windows
[18:21] <Raven> the others are for unix
[18:21] <Raven> get them all at packetstorm.securify.com
[18:21] <INTJ> windows nt
[18:21] <Raven> how do they work?
[18:21] <Raven> pretty simple
[18:21] <Raven> each OS has what we call tcp/ip fingerprints
[18:21] <Raven> why?
[18:22] <TheJoker> it trys all these same techniques don't it?
[18:22] <Raven> because each os implements tcp/ip in a different way
[18:22] <Raven> kinda
[18:22] <Raven> yeah
[18:22] <Raven> basically, nmap and the others are just port scanners
[18:22] <TheJoker> ya now I remember
[18:22] <Raven> but they do more
[18:22] <Raven> they can detect these fingerprints
[18:22] <Raven> and give definitive information
[18:22] <INTJ> this irc server gives a lot if advertising msgs..
[18:22] <TheJoker> the win tcp/ip stack is easy to detect
[18:22] <Raven> yes, it's the easiest
[18:22] <Raven> windows is the easiest to detect
[18:23] <Raven> detecting the difference between two similar unix distributions is harder
[18:23] <Raven> detecting the differences between, say, some unix and windows
[18:23] <Raven> or mac and windows
[18:23] <Raven> is fairly easy
[18:23] <Seeker> could you spoof fingerprints? as an admin i mean
[18:23] <Raven> so our smart and elite script kiddie grabs his copy of nmap
[18:23] <INTJ> how bout between linux distro or *bsd?
[18:23] <TheJoker> but nmap uses a combo of all the techniques.
[18:23] <Raven> technically, u can, but it takes a lot of messing around with code and stuff
[18:24] <Raven> and u probably won't be able to do it well
[18:24] <Raven> nor hide from all techniques
[18:24] <Raven> also, nmap does other things
[18:24] <Raven> it's a portscanner that can also scan through firewalls
[18:24] <TheJoker> but do your really have too hide?
[18:24] <Raven> more on nmap's website and nmap's man pages
[18:24] <Raven> (it installs a manpage)
[18:24] <Raven> (so u type man nmap after u install it)
[18:24] <Raven> (and it explains everything)
[18:24] <Raven> www.insecure.org/nmap
[18:25] <TheJoker> arent your lost in say ftp trafic when ftping?
[18:25] <Raven> well, if u reveal critical information about ur system
[18:25] <Raven> u might be helping a cracker
[18:25] <Raven> TheJoker: say again plz?
[18:25] <TheJoker> does the cracker have to worry about hiding?
[18:26] <Raven> yes
[18:26] <Raven> so the cracker would implement some techniques
[18:26] <TheJoker> wont' he/she be lost in trafic?
[18:26] <Raven> such as the ones described in blacksun.box.sk/anonymity.txt
[18:26] <Raven> generally, yes
[18:26] <Raven> but there are IDSs
[18:26] <Raven> IDS = Intrusion Detection System
[18:26] <TheJoker> dynamic IPs now days
[18:26] <Raven> they go over traffic
[18:26] <Raven> and highlight several parts in the logs
[18:26] <squiler> is a proxy enough to hide?
[18:26] <Raven> which might mean a cracking attempt
[18:26] *** c0c0 has quit IRC (Ping timeout)
[18:26] <Raven> bouncing ur connection would usually suffice
[18:27] <Raven> okay, that's it. if u miss something, just wait for the logs to come out
[18:27] <INTJ> if the proxy party cooperate w/ us ;p
[18:27] <Raven> or...
[18:27] <Raven> suppose we telnet to nether.net
[18:27] <Raven> and get a free shell account
[18:27] <Raven> and then break out
[18:27] <Raven> and manage to get root
[18:27] <Raven> (suppose we do it from a public place so they can't trace us back home)
[18:27] <Raven> now we have a root shell on nether.net
[18:27] <Raven> and we can run exploits and hack from them
[18:27] <TheJoker>  http://freebooks.hypermart.net/proxy/proxiesn.htm
[18:28] <Raven> :-)
[18:28] <TheJoker> free proxies worldwide
[18:28] <squiler> nether.net is the best free shell provider
[18:28] <Raven> okay, so these were phase one and two
[18:28] <Raven> phase one - info gathering
[18:28] <Raven> two - searching online databases
[18:28] <Raven> now, suppose we're in
[18:28] <Raven> now comes phase three
[18:28] <Raven> no, not defacing the website!
[18:28] <Raven> or dns database
[18:28] <Raven> we have some other things to worry about
[18:29] <Raven> first we need to clean out presence from the logs
[18:29] <TheJoker> logs?
[18:29] <Raven> or the admin might realize he got cracked
[18:29] <squiler> thats what i'm doing right now
[18:29] <Raven> and put more effort into security
[18:29] <squiler> :)
[18:29] <Raven> :-)
[18:29] <INTJ> this is where rootkit comes in ;p
[18:29] <Raven> not these logs!
[18:29] <squiler> hahaha
[18:29] <Raven> yeah, rootkits automate such processes
[18:29] <TheJoker> :p)
[18:29] *** INTJ has quit IRC (No route to host)
[18:29] * Chaotic_Thought grins
[18:29] <Raven> fun for the whole family
[18:29] <squiler> how does a rootkit actaully work?
[18:29] <Raven> so now that we've cleaned our presence from the logs
[18:30] <Raven> it's just an automated script
[18:30] <Raven> it automates some tasks for u
[18:30] <Raven> they only work on specific configurations
[18:30] *** INTJ has joined #bsrf
[18:30] <Raven> of course, if we only clean the standard logs like klog (kernel logger) and syslog (system logger)
[18:30] <INTJ> shoot, israel.net closed me
[18:30] <Raven> it might now be enough
[18:30] <Raven> don't worry, just get someone to give u the logs at the end of the lecture
[18:31] <Raven> okay, so if we only cleaned syslog and klog
[18:31] <Raven> we might have still left some trace
[18:31] <Raven> maybe the admin is using an external logging system?
[18:31] <Raven> could be...
[18:31] <TheJoker> in being rooted?
[18:31] <Raven> hey, when ur done with the lecture, plz send the logs to tplec@zipmail.com.br (sniper wolf) and to me (barakirs@netvision.net.il)
[18:31] <Raven> now, suppose we're a cracker
[18:31] <Raven> and we've cleaned syslog and klog
[18:32] <Raven> but the admin was using some external logger
[18:32] <Raven> WHOOPS!
[18:32] <Raven> we've left some presence
[18:32] <TheJoker> dead
[18:32] <Seeker> wed be screwed..
[18:32] <Raven> now, phase 4
[18:32] <Chaotic_Thought> Do u want logs edited somewhat?
[18:32] *** SnIpEr_WoLf_ has quit IRC (IL.Quit: 12Delta 3.4 15,1- 14Dark15 Il16lu15mina14tion 15- - [ http://delta.cjb.net ])
[18:32] <squiler> how do you get around that?
[18:32] <Raven> so u need to do some research on the machine
[18:32] <Raven> browse around in it's directories
[18:32] <Raven> see what u can find
[18:32] <Raven> and of course, u must have a lot of experience
[18:32] <Seeker> can one practice that?
[18:32] <Raven> install some log cleaners on urself
[18:33] <Raven> mess around with external logging programs
[18:33] <Raven> etc' etc'
[18:33] <TheJoker> skript kiddies dont though
[18:33] <INTJ> rootkit
[18:33] <Raven> that's right
[18:33] <Raven> u can practice that on ur own box
[18:33] <Raven> script kiddies hardly ever practice
[18:33] <Raven> the average script kiddie would skip phases 3 and 4
[18:33] <Raven> phase 3 - deleting urself from the logs
[18:33] <INTJ> rootkit can make logging exclude our doings
[18:33] <Raven> phase 4 - installing a backdoor
[18:33] <Raven> (we'll get to that)
[18:34] <Raven> btw, DO NOT just delete the logs!
[18:34] <Raven> this will surely get the admin to notice
[18:34] <Raven> DUH!!
[18:34] <Raven> that's the dumbest thing u could possibly do
[18:34] <TheJoker> just your intries!
[18:34] <Raven> exactly
[18:34] <Raven> u can also change ur entries
[18:34] <Raven> and make them look like something more legitimate
[18:34] <Raven> of course, u have to make sure they look authentic
[18:34] <TheJoker> skript kiddies would'nt know thier entries form others would they?
[18:35] <Raven> yup - experience with loggers
[18:35] <Raven> yeah
[18:35] <Raven> okay, let's move on
[18:35] <Raven> suppose this whole process of cracking into the machine and cleaning the logs
[18:35] <Raven> took u...
[18:35] <Raven> 5 minutes...
[18:35] <Raven> 30 minutes...
[18:35] <Raven> maybe a couple of hours
[18:35] <Raven> a day?
[18:35] <Raven> ;-)
[18:35] <Seeker> *g*
[18:35] <Raven> u wouldn't want to repeat that whenever u step in, would u?
[18:36] <Raven> this is what backdoors are for
[18:36] <squiler> hell no
[18:36] <TheJoker> no
[18:36] <TheJoker> ya!
[18:36] <Raven> the most basic one is:
[18:36] <Raven> useradd my-backdoor
[18:36] <Raven> password my-backdoor my-new-pass
[18:36] <Raven> we've just added a new user
[18:36] <INTJ> passwd
[18:36] <Raven> oops
[18:36] <TheJoker> you would'nt use my-backdoor!
[18:36] <Raven> passwd my-backdoor my-new-pass
[18:36] <Raven> sorry
[18:36] <Raven> yes, of course
[18:37] <INTJ> adduser
[18:37] <Raven> or useradd
[18:37] <TheJoker> haha
[18:37] <Raven> :-)
[18:37] <Raven> depends on the system
[18:37] <Raven> and on...
[18:37] <Raven> nevermind!
[18:37] <Raven> off-topic
[18:37] <TheJoker> hehe
[18:37] <Raven> it really doesn't matter
[18:37] <INTJ> you wanna do clickings in win ;p
[18:37] <Raven> now we edit the passwd file
[18:37] <Raven> and give the new account uid 0 and gid 0
[18:37] <Raven> user id 0 = root access!
[18:37] <Raven> access to ANYTHING
[18:37] <Seeker> not always
[18:37] <Raven> group id 0 = root's group
[18:38] <Raven> yes, of course
[18:38] <Raven> but usually
[18:38] <Raven> u can change anything on unix boxes
[18:38] <Seeker> SuSE has extreme restrictions, then you cant do some stuff
[18:38] <TheJoker> the admin would notice a new god mode user!
[18:38] <Raven> exactly!
[18:38] <Raven> that's why it's the most obvious backdoor
[18:38] <INTJ> there's a program for unix that can restrict uid 0 guid 0 permissions
[18:38] <Raven> a new god user would fire up some alarms, now wouldn't it?
[18:38] <Raven> that's also true
[18:38] <TheJoker> ya!
[18:39] <Raven> so no smart cracker would use this method
[18:39] <Raven> another possible method:
[18:39] <Raven> taking some backdoor noone uses
[18:39] <Raven> and trojan it
[18:39] <Raven> oops, i mean daemon
[18:39] <Raven> taking some daemon
[18:39] <Raven> and trojaning it
[18:39] <TheJoker> what about cracking the passwd file?
[18:39] <Raven> no, we already have root access
[18:39] <INTJ> sshd daemon is a good one
[18:39] <Raven> usually u won't need root's password
[18:40] <Raven> u'll just run an exploit and get a root shell
[18:40] <TheJoker> but after your in
[18:40] <Raven> another possible backdoor:
[18:40] <Raven> trojaning some daemon
[18:40] <TheJoker> crack it and then you'll be able to get back in
[18:40] <Raven> so the daemon would appear to be working just fine
[18:40] <Raven> and will do everything naturally
[18:40] <Raven> but will also allow the cracker to get a root shell
[18:40] <Raven> but...
[18:40] <Raven> what if the admin is running checksum checks?
[18:41] <INTJ> tripwire
[18:41] <Seeker> change them too... only problem left: time stamps
[18:41] <Raven> there are programs out there, such as tripwire, which check the file sizes of files
[18:41] <Raven> and let's the admin know when they're changed
[18:41] <Raven> critical files
[18:41] <Raven> that's true too
[18:41] <Raven> the file's "last changed date" would also change
[18:41] <Raven> sure, u can go around all of this...
[18:41] <Raven> but this only means more variables
[18:41] <Raven> more places where u can fail
[18:41] <Raven> or make a mistake
[18:41] <TheJoker> you could change sys time before you mod the file :p)
[18:42] <Raven> and reveal urself
[18:42] <Raven> of course, but that would be noticed
[18:42] *** [S]hun has joined #bsrf
[18:42] <Raven> this is one of the main reasons that u need to make sure the admin is not present when u crack
[18:42] <Raven> using finger
[18:42] <Raven> if finger is available
[18:42] <Raven> finger @target-host.com
[18:42] <TheJoker> not much anymore.
[18:42] <Raven> yeah
[18:42] <Raven> it's hard to find an admin
[18:42] <Raven> that is dumb enough
[18:42] <Raven> to run finger!
[18:43] <INTJ> who
[18:43] <Raven> suppose netvision.net.il (my isp) was running fingerd (finger daemon)
[18:43] <INTJ> run 'who'
[18:43] <Raven> ppl would just be able to do finger barakirs@netvision.net.il
[18:43] <Raven> and get tons of information about me
[18:43] <Raven> yes, of course, once you're in, u can use commands such as who
[18:43] <squiler> you would have to be on the system to use who
[18:43] <INTJ> ps aux
[18:43] <Raven> exactly
[18:43] <Raven> ps -aux
[18:43] <Raven> this will show ALL running processes
[18:43] <Raven> useful too
[18:43] <Raven> sometimes to find loggers
[18:44] <Raven> but the admin can change the process names of the loggers
[18:44] <INTJ> we can send the admin xxx passwd to distract him ;p
[18:44] <Raven> now, here's another method
[18:44] <Raven> using the r services
[18:44] <Raven> especially rlogin
[18:44] <Raven> go read rlogin's man page
[18:44] <Raven> wait, lemme quote it
[18:44] <Raven> okay, nm, lemme write something of my own
[18:45] <Raven> rlogin is based on trust systems
[18:45] <Raven> for example:
[18:45] <Raven> suppose u require anyone who comes over to ur house to give a password
[18:45] <Raven> three knocks or something
[18:45] <Raven> some password...
[18:45] <Raven> but suddenly, ur best friends comes over
[18:45] <TheJoker> 4 is better
[18:45] <Raven> and he doesn't know the password
[18:45] <Raven> :-)
[18:45] <Raven> will u let him in?
[18:45] <Raven> of course u will!
[18:45] <Seeker> no
[18:45] <Raven> u trust him
[18:45] <Raven> lol
[18:45] <TheJoker> heck no!
[18:45] <Raven> u wouldn't
[18:45] <Raven> trust systems would
[18:46] <TheJoker> they suck!
[18:46] <Raven> they're also good for more user-friendlyness
[18:46] <TheJoker> I don't want my ps to be friendly
[18:46] <squiler> send me the log please i must go
[18:46] <Raven> so dumb clerks won't have to type in passwords all the time
[18:46] <TheJoker> sorry pc
[18:46] <Seeker> micro$oft? *eg*
[18:46] *** squiler has quit IRC (IL.Quit: Leaving)
[18:46] <Raven> now, trust systems are also serious security hazards
[18:47] <Raven> go to blacksun.box.sk/books.html and read 'IP Spoofing Demystified' later
[18:47] <Raven> now, let's take rlogin for example
[18:47] <TheJoker> it was good.
[18:47] <Raven> suppose u put a file:
[18:47] <Raven> called /etc/rhosts
[18:47] <Raven> put a file called rhosts in /etc
[18:47] <Raven> which will look like this:
[18:48] <Raven> somehost.com someuser
[18:48] <Raven> the user someuser from somehost.com will be able to do:
[18:48] <TheJoker> loggers would catch it?
[18:48] <Raven> just a sec
[18:48] <Raven> he'll be able to use rlogin
[18:48] <Raven> to remotely login to this bx
[18:48] <Raven> to remotely login to this box
[18:48] <Raven> as ANY user
[18:48] <Raven> or if u put an .rhosts file in a user's home directory
[18:48] <Raven> he'll be able to log in as that user
[18:48] <Raven> ANOTHER POSSIBLE BACKDOOR!
[18:48] <Raven> but wait...
[18:49] <Raven> that's fairly noticable, isn't it?
[18:49] <TheJoker> ya
[18:49] <Raven> most backdoors are
[18:49] <Raven> so we need to put a lot of thought into it
[18:49] <Raven> and some luck
[18:49] <Raven> and make sure the admin is as dumb as possible
[18:49] <TheJoker> should you make backup back doors?
[18:49] <Raven> yes
[18:49] <Raven> always
[18:49] <Raven> on the other hand
[18:49] <Raven> more backdoors
[18:49] <Raven> would mean more chances
[18:49] <Raven> that the admin will notice something wrong
[18:49] <Raven> suppose u were an admin
[18:50] <TheJoker> like a stupid one to make them think that they got you?
[18:50] <Raven> and u would have suddenly noticed a backdoor
[18:50] <Raven> u would panic, right?
[18:50] <Raven> and put a lot more effort into security
[18:50] <Raven> download every scanner u can find
[18:50] <Raven> roam your system for backdoors and holes
[18:50] <Raven> perhaps
[18:50] <Raven> but they might find the stupid backdoor
[18:50] <Raven> and then go crazy
[18:50] <Raven> search the system
[18:50] <Raven> and find ur other backdoors
[18:50] <TheJoker> ya it's all luck,
[18:50] <INTJ> but a very smart admin had setup a honeypot ;p
[18:50] <Raven> exactly
[18:50] <Raven> yup
[18:50] <Raven> honeypots are kewl
[18:51] <Raven> he would attract a cracker
[18:51] <Raven> and then...
[18:51] <Raven> KABOOM!!
[18:51] <[S]hun> Whats honeypot ?
[18:51] <TheJoker> ;P)
[18:51] <Raven> or something...
[18:51] <TheJoker> boobie trap
[18:51] <Raven> a honeypot is a host or a certain situation that will attract crackers
[18:51] <INTJ> KABOOM? the mail bomber? ;p hahaha
[18:51] <Raven> the admin will monitor his honeypot
[18:51] <Raven> see if there are any bees trapped inside
[18:52] <Raven> and then, once he sees something...
[18:52] <Raven> he would realize that he's being attacked
[18:52] <Raven> and maybe call the police
[18:52] <Raven> or Robert Frost!!
[18:52] <Raven> MWHAHAHAHA!!
[18:52] <Raven> (the poet)
[18:52] <Raven> nevermind, forget it
[18:52] <Chaotic_Thought> :)
[18:52] <Raven> private joke
[18:52] <TheJoker> sounds like a personal problem
[18:52] <Raven> so that was phase 4
[18:53] <Raven> now, we're in
[18:53] <Raven> we've cleaned the logs
[18:53] <Raven> we have a backdoor
[18:53] <Raven> now we only have one thing left to do:
[18:53] <INTJ> inflate ego in irc
[18:53] <Raven> utilize the box
[18:53] <Raven> perhaps for mailbombing someone
[18:53] <Raven> perhaps for installing bots on it
[18:53] <Raven> or flooding
[18:53] <INTJ> vhost
[18:53] <Raven> or defacing the website on the box
[18:53] <INTJ> hack another box
[18:53] *** rekaerf has joined #bsrf
[18:53] <Raven> yup, u can also set a virtual host on this box
[18:53] <rekaerf> hey
[18:54] <Raven> yes, or start other attacks against other hosts from this newly cracked one
[18:54] <TheJoker> or just screw the system and kill a business
[18:54] <Raven> yes, that's also true
[18:54] <Raven> or...
[18:54] <Raven> corporate espionage
[18:54] <TheJoker> yummy!
[18:54] <Raven> if ur a corporate spy
[18:54] <INTJ> credit card numbers ;p
[18:54] <Raven> u could get info and stuff
[18:54] *** blu3h4z3 has joined #bsrf
[18:54] <Raven> or maybe acccess credit card databases
[18:54] <Raven> or other sensitive information
[18:54] <Raven> so that was phase 5
[18:55] <Raven> which is...
[18:55] <Raven> well, the last phase
[18:55] <Seeker> LOL
[18:55] <Raven> thank u all for coming over to the lecture
[18:55] <[S]hun> hmm, I think I missed the first few parts
[18:55] <[S]hun> where can I get the logs ?
[18:55] <blu3h4z3> argh, I missed the whole thing@
[18:55] <Chaotic_Thought> it was cool
[18:55] <Raven> ouch
[18:55] <[S]hun> on blacksun/ ?
[18:55] <TheJoker> na ni na na boo boo!
[18:55] <Seeker> it was good yes
[18:55] <Raven> someone send me his logs plz
[18:55] <INTJ> hahaha
[18:55] <Seeker> interesting
[18:55] <TheJoker> nice job Raven
[18:56] <Chaotic_Thought> RaveN, u want logs sorta edited?
[18:56] <INTJ> edit the personal joke!!! hahaha ;p
[18:56] <Raven> sorta edited?
[18:56] <Raven> whaddya mean?
[18:56] <Chaotic_Thought> Like, I was talking before lecture
[18:56] <Raven> seeker, u didn't miss any parts of the lecture, right?
[18:56] <blu3h4z3> no uncut and unedited
[18:56] <Chaotic_Thought> Want that out?
[18:56] <Raven> nm, seeker is sending me his logs
[18:57] *** rekaerf has quit IRC (IL.Quit: I was using Ghost_Rider Script version 2.0)
[18:57] <Raven> in a whopping 0.6429k per second speed
[18:57] <[S]hun> haha
[18:57] <Raven> #  ³ Type  ³ Nick      ³ Percent Complete        ³ K/s   ³ File
[18:57] <Raven> ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
[18:57] <Raven> 1#   GET     seeker      ±²Û²±° °±° 94.6%      00:02  0.6395  #bsrf_20000122.log
[18:57] <Raven> ùíù DCC Warning: incoming file is larger than the handshake said
[18:57] <Raven> ùíù DCC Warning: GET: closing connection
[18:57] * Seeker grins
[18:57] <Raven> send again plz
Session Close: Sat Jan 22 18:57:32 2000


© 2001 Blacksun Research Facility. All rights reserved.