Session Start: Sat Jan 22 18:04:06 2000
[18:04] *** Now talking in #bsrf
[18:04] *** Topic is 'Welcome to #bsrf | Our Website: http://blacksun.box.sk | Next IRC lecture: 'How Servers are Cracked' | See http://blacksun.box.sk/irc.html | Alright, I know the bot is down most of the time now, and that the channel is ultra insecure, so please don't abuse this... heh, yeah right'
[18:04] *** Set by Raven on Wed Jan 19 07:22:58
[18:04] * #bsrf is being logged
[18:04] <INTJ> okie
[18:05] <INTJ> ready?
[18:05] <Raven> alright
[18:05] <Raven> is everyone ready?
[18:05] <c0c0> yep
[18:05] <Chaotic_Thought> Yes sir...
[18:05] <Seeker> yup
[18:05] <squiler> yup
[18:05] <INTJ> 9 ppl overall
[18:05] <SnIpEr_WoLf_> yeah
[18:05] <Seeker> that good?
[18:05] <Raven> including me
[18:05] <Raven> :-)
[18:05] <Raven> alright
[18:05] <Raven> On your marks.
[18:05] <Raven> Get set.
[18:05] <Raven> Go!
[18:05] <Raven> okay, so today's topic is...
[18:06] <Raven> how servers are hacked
[18:06] <Raven> basically, of course
[18:06] <INTJ> cracked
[18:06] <Raven> yeah, cracked
[18:06] <Raven> terminology...
[18:06] <Raven> hehe
[18:06] <Raven> :-)
[18:06] <INTJ> that's what you wrote on your website ;p
[18:06] <squiler> :)
[18:06] <Raven> anyway, most of those website defacements...
[18:06] <Raven> dns cracks
[18:06] <Raven> email cracks
[18:06] <Raven> ftp cracks
[18:06] <Raven> etc' etc'
[18:06] <Raven> they're usually done in fairly easy and simple ways
[18:06] <Raven> that do not require much knowledge
[18:07] <Raven> they're usually done by little kids
[18:07] <Raven> mostly little kids in "hacking" groups
[18:07] <Raven> who want to show the world how smart they are
[18:07] <Raven> Phase I
[18:07] <Raven> --------
[18:07] <Raven> oops...
[18:07] <Raven> -------
[18:07] <Raven> DAMN!
[18:07] <Raven> lol
[18:07] <Raven> okay, all over again
[18:07] <Raven> Phase I
[18:07] <Raven> -------
[18:07] <Raven> ahh...
[18:07] <Raven> that's better
[18:07] <Raven> any questions so far?
[18:07] <Raven> okay, so phase one is...
[18:07] <Raven> intelligence gathering
[18:07] <TheJoker> why is it so easy?
[18:08] <Raven> we'll get to that
[18:08] <INTJ> because of ./i-0wn3d-u <server> <port> ;p
[18:08] <Raven> exactly
[18:08] <Raven> if some of u don't understand, don't worry
[18:08] <Raven> we'll get to that
[18:08] <Raven> so anyway, stage one is intelligence gathering
[18:08] <Raven> this is the most important stage
[18:08] <Raven> why?
[18:08] <squiler> ...
[18:09] <Raven> because otherwise you'll find yourself trying thousands of sunos 3.4 exploits
[18:09] <Seeker> need to know what os
[18:09] <TheJoker> you have to know what exploits apply
[18:09] <Raven> while you're actually attacking an nt4.0 server
[18:09] <Raven> what os...
[18:09] <Raven> and what is the host running
[18:09] *** c0c0_ has joined #bsrf
[18:09] <Raven> those are the two most important phases in intelligence gathering
[18:09] <c0c0_> damn i've disconnected
[18:09] <Raven> getting them is fairly easy
[18:09] *** c0c0 has quit IRC (Ping timeout)
[18:09] <INTJ> welcome c0c0_, we're in the middle of the lecture
[18:09] *** c0c0_ is now known as c0c0
[18:09] <Raven> poor soul
[18:09] <TheJoker> nmap?
[18:09] <Raven> :-)
[18:10] <Raven> that's two
[18:10] <Raven> nmap is too "advanced" for most script kiddies
[18:10] <TheJoker> advanced?
[18:10] <Raven> most people use really amateurish methods
[18:10] <Raven> such as reading daemon banners
[18:10] <Raven> (yes, it requires the "cracker" to have unix... ooh)
[18:10] <TheJoker> hehe
[18:10] <Seeker> what's a daemon banner?
[18:10] <Raven> and to know how to install new software
[18:10] <squiler> ha
[18:10] <Raven> alright, i'll show u
[18:10] <squiler> oo me oo me!
[18:10] <Raven> everyone, do telnet mailgw.netvision.net.il
[18:10] <Raven> this is my isp's smtp server
[18:11] <Raven> smtp = simple mail transfer protocol
[18:11] <INTJ> but daemon banner is trivial to be spoofed
[18:11] <Raven> for outgoing mail
[18:11] <Raven> yes, of course
[18:11] <Raven> first, let's explain to those who don't know what daemon banners are
[18:11] <Raven> what do u get when u telnet to mailgw.netvision.net.il?
[18:11] <Seeker> oh, i think i know what you mean
[18:11] <c0c0> Trying 194.90.1.14...
[18:11] <squiler> "could not connect"
[18:11] <squiler> :-)
[18:11] <c0c0> telnet: connect to address 194.90.1.14: Connection refused
[18:11] <c0c0> telnet: Unable to connect to remote host: Connection refused
[18:11] <Raven> oops
[18:11] *** SnIpEr_WoLf_ has left #bsrf
[18:11] <Raven> telnet mailgw.netvision.net.il 25
[18:11] *** SnIpEr_WoLf_ has joined #bsrf
[18:11] <Raven> telnet mailgw.netvision.net.il 25
[18:12] <Raven> port 25, this is important
[18:12] <Raven> smtp runs on port 25
[18:12] <c0c0> yea
[18:12] <Chaotic_Thought> I'm on...
[18:12] <squiler> we get like sendmail version etc...
[18:12] <TheJoker> running sendmail
[18:12] <Chaotic_Thought> 8.9.3 sendmail
[18:12] <Raven> yup
[18:12] <Raven> 220 alpha.netvision.net.il ESMTP Sendmail 8.9.3/8.8.6; Sat, 22 Jan 2000 19:14:41 +0200 (IST)
[18:12] <TheJoker> a linux/unix?
[18:12] <Raven> this is what u get
[18:12] *** Sniper_wolf__ has joined #bsrf
[18:12] <Raven> this is a daemon banner
[18:13] <c0c0> hmmmm, oki
[18:13] <Raven> btw check blacksun.box.sk/ports.txt for a list of standard ports
[18:13] <Raven> now, what does it tell us?
[18:13] <Raven> ooh, sendmail
[18:13] <Raven> the dumbest daemon ever
[18:13] <Raven> it just gave us the version of the daemon that is running
[18:13] <TheJoker> it's a unix type sys
[18:13] <Raven> usually, in sendmail holes, the OS doesn't matter much
[18:13] <Raven> yup
[18:13] <Raven> now, suppose we're some script kiddie
[18:14] <Raven> so we have the version
[18:14] <Raven> of the daemon
[18:14] <Raven> now we go to, say, packetstorm.securify.com
[18:14] <Raven> or neworder.box.sk
[18:14] <Raven> and we search
[18:14] <INTJ> bugtraq
[18:14] <INTJ> technotronic
[18:14] <INTJ> ;p
[18:14] <Raven> we use keywords such as "sendmail 8.9.3"
[18:14] <Raven> yes, bugtraq is good too
[18:14] <Chaotic_Thought> look for a crack/bug
[18:14] <Raven> yup
[18:14] <INTJ> ntbugtraq.com
[18:14] <Raven> now, here is what we'll find
[18:14] <Raven> we could find:
[18:15] <TheJoker> that's pathetic!
[18:15] <Raven> a) advisories
[18:15] <Raven> these hardly mean anything to crackers
[18:15] <Raven> they only explain to u how to fix the hole
[18:15] <Raven> and a little technical backgruond
[18:15] <Raven> and a little technical background
[18:15] <Raven> which the common script kiddie won't be interested in
[18:15] <Raven> b) texts
[18:15] <Raven> texts will detail the hole
[18:15] <Raven> how to exploit it
[18:16] <Raven> and a workaround, if any
[18:16] <Raven> c) an exploit
[18:16] <Raven> BINGO!
[18:16] <Raven> an exploit is a premade program
[18:16] <Raven> that exploits a certain hole
[18:16] <Raven> all the cracker has to do is to compile it
[18:16] <Raven> (unless it's written in perl)
[18:16] <Raven> (or another interpreted programming language)
[18:16] <INTJ> bash
[18:16] <Raven> ('cause they run in the form of source code)
[18:16] <Chaotic_Thought> So crackers are usually lazy punks...
[18:16] <Raven> yes, or a shell script
[18:16] <Raven> although u'll hardly ever find exploits in the form of shell scripts
[18:16] <INTJ> pamslam.sh
[18:16] <INTJ> heheh ;p
[18:17] <Raven> sniperwolf missed everything from phase one 'till "the dumbest daemon ever"
[18:17] <INTJ> redhat and mandrake rooter
[18:17] <Raven> can anyone plz help him?
[18:17] <Raven> i'm kinda busy here with the lecture and everything
[18:17] <Raven> :-)
[18:17] <Raven> other daemons a cracker might want to look at:
[18:17] <Raven> ftp
[18:17] <Raven> by logging into ftp servers
[18:17] <Raven> when logging into ftp servers
[18:17] <Raven> u usually get technical information about the system
[18:18] <Raven> u could also try to issue the syst command
[18:18] <Raven> which will also give away some information
[18:18] <Raven> webservers
[18:18] <Raven> if u issue a bad url request
[18:18] <Raven> it'll give u some info
[18:18] <Raven> for example: try surfing to http://blacksun.box.sk/some-dead-link.html
[18:18] <c0c0> like they are using apache
[18:18] <Raven> it'll give u an error msg
[18:18] <Raven> and the name and version of the webserver program
[18:18] <Raven> fairly easy
[18:18] <Raven> all u need is a browser
[18:19] <Raven> crackers can also utilize newsgroups daemons
[18:19] <TheJoker> how bout pop mail?
[18:19] <Raven> and others
[18:19] <Raven> pop mail too
[18:19] <Chaotic_Thought> Apache 1.3.6 port 80
[18:19] <Raven> pop3 usually reveals information
[18:19] <Raven> ftp port 21
[18:19] <Raven> news port...
[18:19] <Raven> 119, i think
[18:19] <Raven> pop is...
[18:19] <TheJoker> telnet
[18:19] <Raven> uhh, damn
[18:19] <INTJ> 110 = pop
[18:19] <TheJoker> 110
[18:19] <Raven> yeah
[18:19] <Raven> telnet too
[18:19] <Raven> telnet to port 23
[18:19] <c0c0> yep 119 if it is not a secure connection
[18:19] <Raven> go ahead and telnet to blacksun.box.sk on port 23
[18:19] <Raven> u'll get some info on the system
[18:20] <Raven> but what if we change this information?
[18:20] *** Sniper_wolf__ has quit IRC (IL.Quit: I was using Ghost_Rider Script version 2.0)
[18:20] <Raven> most of today's server programs let u do it
[18:20] <TheJoker> most admins do it.
[18:20] <squiler> redhat linux 5.2 --- you learn the os
[18:20] <c0c0> Kernel 2.0.36 on an i586
[18:20] <squiler> and the system
[18:20] <Raven> so suppose we've changed the daemon banner
[18:20] <TheJoker> Red Hat Linux release 1.2 (Apollo)
[18:20] <Raven> but what if...
[18:20] <squiler> ...
[18:20] <Raven> we're dealing with a smarter script kiddie?
[18:21] <Raven> (ph33r)
[18:21] <squiler> they exist?
[18:21] <Raven> yeah
[18:21] <squiler> :)
[18:21] <Raven> there are some
[18:21] <TheJoker> nmap!
[18:21] <INTJ> yes, unfortunately ;p
[18:21] <Raven> yup
[18:21] <Raven> www.insecure.org
[18:21] <Raven> download nmap
[18:21] <c0c0> queso may be?
[18:21] <Raven> how does nmap work?
[18:21] <INTJ> winfingerprint.exe
[18:21] <Raven> queso too
[18:21] <Raven> winfingerprint too
[18:21] <Raven> winfingerprint is for windows
[18:21] <Raven> the others are for unix
[18:21] <Raven> get them all at packetstorm.securify.com
[18:21] <INTJ> windows nt
[18:21] <Raven> how do they work?
[18:21] <Raven> pretty simple
[18:21] <Raven> each OS has what we call tcp/ip fingerprints
[18:21] <Raven> why?
[18:22] <TheJoker> it tries all these same techniques, doesn't it?
[18:22] <Raven> because each os implements tcp/ip in a different way
[18:22] <Raven> kinda
[18:22] <Raven> yeah
[18:22] <Raven> basically, nmap and the others are just port scanners
[18:22] <TheJoker> ya now I remember
[18:22] <Raven> but they do more
[18:22] <Raven> they can detect these fingerprints
[18:22] <Raven> and give definitive information
[18:22] <INTJ> this irc server gives a lot of advertising msgs..
[18:22] <TheJoker> the win tcp/ip stack is easy to detect
[18:22] <Raven> yes, it's the easiest
[18:22] <Raven> windows is the easiest to detect
[18:23] <Raven> detecting the difference between two similar unix distributions is harder
[18:23] <Raven> detecting the differences between, say, some unix and windows
[18:23] <Raven> or mac and windows
[18:23] <Raven> is fairly easy
[18:23] <Seeker> could you spoof fingerprints? as an admin i mean
[18:23] <Raven> so our smart and elite script kiddie grabs his copy of nmap
[18:23] <INTJ> how bout between linux distro or *bsd?
[18:23] <TheJoker> but nmap uses a combo of all the techniques.
[18:23] <Raven> technically, u can, but it takes a lot of messing around with code and stuff
[18:24] <Raven> and u probably won't be able to do it well
[18:24] <Raven> nor hide from all techniques
[18:24] <Raven> also, nmap does other things
[18:24] <Raven> it's a portscanner that can also scan through firewalls
[18:24] <TheJoker> but do you really have to hide?
[18:24] <Raven> more on nmap's website and nmap's man pages
[18:24] <Raven> (it installs a manpage)
[18:24] <Raven> (so u type man nmap after u install it)
[18:24] <Raven> (and it explains everything)
[18:24] <Raven> www.insecure.org/nmap
[18:25] <TheJoker> aren't you lost in, say, ftp traffic when ftping?
[18:25] <Raven> well, if u reveal critical information about ur system
[18:25] <Raven> u might be helping a cracker
[18:25] <Raven> TheJoker: say again plz?
[18:25] <TheJoker> does the cracker have to worry about hiding?
[18:26] <Raven> yes
[18:26] <Raven> so the cracker would implement some techniques
[18:26] <TheJoker> won't he/she be lost in traffic?
[18:26] <Raven> such as the ones described in blacksun.box.sk/anonymity.txt
[18:26] <Raven> generally, yes
[18:26] <Raven> but there are IDSs
[18:26] <Raven> IDS = Intrusion Detection System
[18:26] <TheJoker> dynamic IPs nowadays
[18:26] <Raven> they go over traffic
[18:26] <Raven> and highlight several parts in the logs
[18:26] <squiler> is a proxy enough to hide?
[18:26] <Raven> which might mean a cracking attempt
[18:26] *** c0c0 has quit IRC (Ping timeout)
[18:26] <Raven> bouncing ur connection would usually suffice
[18:27] <Raven> okay, that's it. if u miss something, just wait for the logs to come out
[18:27] <INTJ> if the proxy party cooperates w/ us ;p
[18:27] <Raven> or...
[18:27] <Raven> suppose we telnet to nether.net
[18:27] <Raven> and get a free shell account
[18:27] <Raven> and then break out
[18:27] <Raven> and manage to get root
[18:27] <Raven> (suppose we do it from a public place so they can't trace us back home)
[18:27] <Raven> now we have a root shell on nether.net
[18:27] <Raven> and we can run exploits and hack from them
[18:27] <TheJoker> http://freebooks.hypermart.net/proxy/proxiesn.htm
[18:28] <Raven> :-)
[18:28] <TheJoker> free proxies worldwide
[18:28] <squiler> nether.net is the best free shell provider
[18:28] <Raven> okay, so these were phase one and two
[18:28] <Raven> phase one - info gathering
[18:28] <Raven> two - searching online databases
[18:28] <Raven> now, suppose we're in
[18:28] <Raven> now comes phase three
[18:28] <Raven> no, not defacing the website!
[18:28] <Raven> or dns database
[18:28] <Raven> we have some other things to worry about
[18:29] <Raven> first we need to clean our presence from the logs
[18:29] <TheJoker> logs?
[18:29] <Raven> or the admin might realize he got cracked
[18:29] <squiler> that's what i'm doing right now
[18:29] <Raven> and put more effort into security
[18:29] <squiler> :)
[18:29] <Raven> :-)
[18:29] <INTJ> this is where rootkit comes in ;p
[18:29] <Raven> not these logs!
[18:29] <squiler> hahaha
[18:29] <Raven> yeah, rootkits automate such processes
[18:29] <TheJoker> :p)
[18:29] *** INTJ has quit IRC (No route to host)
[18:29] * Chaotic_Thought grins
[18:29] <Raven> fun for the whole family
[18:29] <squiler> how does a rootkit actually work?
[18:29] <Raven> so now that we've cleaned our presence from the logs
[18:30] <Raven> it's just an automated script
[18:30] <Raven> it automates some tasks for u
[18:30] <Raven> they only work on specific configurations
[18:30] *** INTJ has joined #bsrf
[18:30] <Raven> of course, if we only clean the standard logs like klog (kernel logger) and syslog (system logger)
[18:30] <INTJ> shoot, israel.net closed me
[18:30] <Raven> it might not be enough
[18:30] <Raven> don't worry, just get someone to give u the logs at the end of the lecture
[18:31] <Raven> okay, so if we only cleaned syslog and klog
[18:31] <Raven> we might have still left some trace
[18:31] <Raven> maybe the admin is using an external logging system?
[18:31] <Raven> could be...
[18:31] <TheJoker> in being rooted?
[18:31] <Raven> hey, when ur done with the lecture, plz send the logs to tplec@zipmail.com.br (sniper wolf) and to me (barakirs@netvision.net.il)
[18:31] <Raven> now, suppose we're a cracker
[18:31] <Raven> and we've cleaned syslog and klog
[18:32] <Raven> but the admin was using some external logger
[18:32] <Raven> WHOOPS!
[18:32] <Raven> we've left some presence
[18:32] <TheJoker> dead
[18:32] <Seeker> we'd be screwed..
[18:32] <Raven> now, phase 4
[18:32] <Chaotic_Thought> Do u want logs edited somewhat?
[18:32] *** SnIpEr_WoLf_ has quit IRC (IL.Quit: Delta 3.4 - Dark Illumination - [ http://delta.cjb.net ])
[18:32] <squiler> how do you get around that?
[18:32] <Raven> so u need to do some research on the machine
[18:32] <Raven> browse around in its directories
[18:32] <Raven> see what u can find
[18:32] <Raven> and of course, u must have a lot of experience
[18:32] <Seeker> can one practice that?
[18:32] <Raven> install some log cleaners on urself
[18:33] <Raven> mess around with external logging programs
[18:33] <Raven> etc' etc'
[18:33] <TheJoker> skript kiddies don't though
[18:33] <INTJ> rootkit
[18:33] <Raven> that's right
[18:33] <Raven> u can practice that on ur own box
[18:33] <Raven> script kiddies hardly ever practice
[18:33] <Raven> the average script kiddie would skip phases 3 and 4
[18:33] <Raven> phase 3 - deleting urself from the logs
[18:33] <INTJ> rootkit can make logging exclude our doings
[18:33] <Raven> phase 4 - installing a backdoor
[18:33] <Raven> (we'll get to that)
[18:34] <Raven> btw, DO NOT just delete the logs!
[18:34] <Raven> this will surely get the admin to notice
[18:34] <Raven> DUH!!
[18:34] <Raven> that's the dumbest thing u could possibly do
[18:34] <TheJoker> just your entries!
[18:34] <Raven> exactly
[18:34] <Raven> u can also change ur entries
[18:34] <Raven> and make them look like something more legitimate
[18:34] <Raven> of course, u have to make sure they look authentic
[18:34] <TheJoker> skript kiddies wouldn't know their entries from others, would they?
[18:35] <Raven> yup - experience with loggers
[18:35] <Raven> yeah
[18:35] <Raven> okay, let's move on
[18:35] <Raven> suppose this whole process of cracking into the machine and cleaning the logs
[18:35] <Raven> took u...
[18:35] <Raven> 5 minutes...
[18:35] <Raven> 30 minutes...
[18:35] <Raven> maybe a couple of hours
[18:35] <Raven> a day?
[18:35] <Raven> ;-)
[18:35] <Seeker> *g*
[18:35] <Raven> u wouldn't want to repeat that whenever u step in, would u?
[18:36] <Raven> this is what backdoors are for
[18:36] <squiler> hell no
[18:36] <TheJoker> no
[18:36] <TheJoker> ya!
[18:36] <Raven> the most basic one is:
[18:36] <Raven> useradd my-backdoor
[18:36] <Raven> password my-backdoor my-new-pass
[18:36] <Raven> we've just added a new user
[18:36] <INTJ> passwd
[18:36] <Raven> oops
[18:36] <TheJoker> you wouldn't use my-backdoor!
[18:36] <Raven> passwd my-backdoor my-new-pass
[18:36] <Raven> sorry
[18:36] <Raven> yes, of course
[18:37] <INTJ> adduser
[18:37] <Raven> or useradd
[18:37] <TheJoker> haha
[18:37] <Raven> :-)
[18:37] <Raven> depends on the system
[18:37] <Raven> and on...
[18:37] <Raven> nevermind!
[18:37] <Raven> off-topic
[18:37] <TheJoker> hehe
[18:37] <Raven> it really doesn't matter
[18:37] <INTJ> you wanna do clickings in win ;p
[18:37] <Raven> now we edit the passwd file
[18:37] <Raven> and give the new account uid 0 and gid 0
[18:37] <Raven> user id 0 = root access!
[18:37] <Raven> access to ANYTHING
[18:37] <Seeker> not always
[18:37] <Raven> group id 0 = root's group
[18:38] <Raven> yes, of course
[18:38] <Raven> but usually
[18:38] <Raven> u can change anything on unix boxes
[18:38] <Seeker> SuSE has extreme restrictions, then you can't do some stuff
[18:38] <TheJoker> the admin would notice a new god mode user!
[18:38] <Raven> exactly!
[18:38] <Raven> that's why it's the most obvious backdoor
[18:38] <INTJ> there's a program for unix that can restrict uid 0 guid 0 permissions
[18:38] <Raven> a new god user would fire up some alarms, now wouldn't it?
[18:38] <Raven> that's also true
[18:38] <TheJoker> ya!
[18:39] <Raven> so no smart cracker would use this method
[18:39] <Raven> another possible method:
[18:39] <Raven> taking some backdoor no one uses
[18:39] <Raven> and trojan it
[18:39] <Raven> oops, i mean daemon
[18:39] <Raven> taking some daemon
[18:39] <Raven> and trojaning it
[18:39] <TheJoker> what about cracking the passwd file?
[18:39] <Raven> no, we already have root access
[18:39] <INTJ> sshd daemon is a good one
[18:39] <Raven> usually u won't need root's password
[18:40] <Raven> u'll just run an exploit and get a root shell
[18:40] <TheJoker> but after you're in
[18:40] <Raven> another possible backdoor:
[18:40] <Raven> trojaning some daemon
[18:40] <TheJoker> crack it and then you'll be able to get back in
[18:40] <Raven> so the daemon would appear to be working just fine
[18:40] <Raven> and will do everything naturally
[18:40] <Raven> but will also allow the cracker to get a root shell
[18:40] <Raven> but...
[18:40] <Raven> what if the admin is running checksum checks?
[18:41] <INTJ> tripwire
[18:41] <Seeker> change them too... only problem left: time stamps
[18:41] <Raven> there are programs out there, such as tripwire, which check the file sizes of files
[18:41] <Raven> and lets the admin know when they're changed
[18:41] <Raven> critical files
[18:41] <Raven> that's true too
[18:41] <Raven> the file's "last changed date" would also change
[18:41] <Raven> sure, u can go around all of this...
[18:41] <Raven> but this only means more variables
[18:41] <Raven> more places where u can fail
[18:41] <Raven> or make a mistake
[18:41] <TheJoker> you could change sys time before you mod the file :p)
[18:42] <Raven> and reveal urself
[18:42] <Raven> of course, but that would be noticed
[18:42] *** [S]hun has joined #bsrf
[18:42] <Raven> this is one of the main reasons that u need to make sure the admin is not present when u crack
[18:42] <Raven> using finger
[18:42] <Raven> if finger is available
[18:42] <Raven> finger @target-host.com
[18:42] <TheJoker> not much anymore.
[18:42] <Raven> yeah
[18:42] <Raven> it's hard to find an admin
[18:42] <Raven> that is dumb enough
[18:42] <Raven> to run finger!
[18:43] <INTJ> who
[18:43] <Raven> suppose netvision.net.il (my isp) was running fingerd (finger daemon)
[18:43] <INTJ> run 'who'
[18:43] <Raven> ppl would just be able to do finger barakirs@netvision.net.il
[18:43] <Raven> and get tons of information about me
[18:43] <Raven> yes, of course, once you're in, u can use commands such as who
[18:43] <squiler> you would have to be on the system to use who
[18:43] <INTJ> ps aux
[18:43] <Raven> exactly
[18:43] <Raven> ps -aux
[18:43] <Raven> this will show ALL running processes
[18:43] <Raven> useful too
[18:43] <Raven> sometimes to find loggers
[18:44] <Raven> but the admin can change the process names of the loggers
[18:44] <INTJ> we can send the admin xxx passwd to distract him ;p
[18:44] <Raven> now, here's another method
[18:44] <Raven> using the r services
[18:44] <Raven> especially rlogin
[18:44] <Raven> go read rlogin's man page
[18:44] <Raven> wait, lemme quote it
[18:44] <Raven> okay, nm, lemme write something of my own
[18:45] <Raven> rlogin is based on trust systems
[18:45] <Raven> for example:
[18:45] <Raven> suppose u require anyone who comes over to ur house to give a password
[18:45] <Raven> three knocks or something
[18:45] <Raven> some password...
[18:45] <Raven> but suddenly, ur best friend comes over
[18:45] <TheJoker> 4 is better
[18:45] <Raven> and he doesn't know the password
[18:45] <Raven> :-)
[18:45] <Raven> will u let him in?
[18:45] <Raven> of course u will!
[18:45] <Seeker> no
[18:45] <Raven> u trust him
[18:45] <Raven> lol
[18:45] <TheJoker> heck no!
[18:45] <Raven> u wouldn't
[18:45] <Raven> trust systems would
[18:46] <TheJoker> they suck!
[18:46] <Raven> they're also good for more user-friendliness
[18:46] <TheJoker> I don't want my ps to be friendly
[18:46] <squiler> send me the log please i must go
[18:46] <Raven> so dumb clerks won't have to type in passwords all the time
[18:46] <TheJoker> sorry pc
[18:46] <Seeker> micro$oft? *eg*
[18:46] *** squiler has quit IRC (IL.Quit: Leaving)
[18:46] <Raven> now, trust systems are also serious security hazards
[18:47] <Raven> go to blacksun.box.sk/books.html and read 'IP Spoofing Demystified' later
[18:47] <Raven> now, let's take rlogin for example
[18:47] <TheJoker> it was good.
[18:47] <Raven> suppose u put a file:
[18:47] <Raven> called /etc/rhosts
[18:47] <Raven> put a file called rhosts in /etc
[18:47] <Raven> which will look like this:
[18:48] <Raven> somehost.com someuser
[18:48] <Raven> the user someuser from somehost.com will be able to do:
[18:48] <TheJoker> loggers would catch it?
[18:48] <Raven> just a sec
[18:48] <Raven> he'll be able to use rlogin
[18:48] <Raven> to remotely login to this bx
[18:48] <Raven> to remotely login to this box
[18:48] <Raven> as ANY user
[18:48] <Raven> or if u put an .rhosts file in a user's home directory
[18:48] <Raven> he'll be able to log in as that user
[18:48] <Raven> ANOTHER POSSIBLE BACKDOOR!
[18:48] <Raven> but wait...
[18:49] <Raven> that's fairly noticeable, isn't it?
[18:49] <TheJoker> ya
[18:49] <Raven> most backdoors are
[18:49] <Raven> so we need to put a lot of thought into it
[18:49] <Raven> and some luck
[18:49] <Raven> and make sure the admin is as dumb as possible
[18:49] <TheJoker> should you make backup back doors?
[18:49] <Raven> yes
[18:49] <Raven> always
[18:49] <Raven> on the other hand
[18:49] <Raven> more backdoors
[18:49] <Raven> would mean more chances
[18:49] <Raven> that the admin will notice something wrong
[18:49] <Raven> suppose u were an admin
[18:50] <TheJoker> like a stupid one to make them think that they got you?
[18:50] <Raven> and u would have suddenly noticed a backdoor
[18:50] <Raven> u would panic, right?
[18:50] <Raven> and put a lot more effort into security
[18:50] <Raven> download every scanner u can find
[18:50] <Raven> roam your system for backdoors and holes
[18:50] <Raven> perhaps
[18:50] <Raven> but they might find the stupid backdoor
[18:50] <Raven> and then go crazy
[18:50] <Raven> search the system
[18:50] <Raven> and find ur other backdoors
[18:50] <TheJoker> ya it's all luck,
[18:50] <INTJ> but a very smart admin had set up a honeypot ;p
[18:50] <Raven> exactly
[18:50] <Raven> yup
[18:50] <Raven> honeypots are kewl
[18:51] <Raven> he would attract a cracker
[18:51] <Raven> and then...
[18:51] <Raven> KABOOM!!
[18:51] <[S]hun> What's a honeypot?
[18:51] <TheJoker> ;P)
[18:51] <Raven> or something...
[18:51] <TheJoker> booby trap
[18:51] <Raven> a honeypot is a host or a certain situation that will attract crackers
[18:51] <INTJ> KABOOM? the mail bomber? ;p hahaha
[18:51] <Raven> the admin will monitor his honeypot
[18:51] <Raven> see if there are any bees trapped inside
[18:52] <Raven> and then, once he sees something...
[18:52] <Raven> he would realize that he's being attacked
[18:52] <Raven> and maybe call the police
[18:52] <Raven> or Robert Frost!!
[18:52] <Raven> MWHAHAHAHA!!
[18:52] <Raven> (the poet)
[18:52] <Raven> nevermind, forget it
[18:52] <Chaotic_Thought> :)
[18:52] <Raven> private joke
[18:52] <TheJoker> sounds like a personal problem
[18:52] <Raven> so that was phase 4
[18:53] <Raven> now, we're in
[18:53] <Raven> we've cleaned the logs
[18:53] <Raven> we have a backdoor
[18:53] <Raven> now we only have one thing left to do:
[18:53] <INTJ> inflate ego in irc
[18:53] <Raven> utilize the box
[18:53] <Raven> perhaps for mailbombing someone
[18:53] <Raven> perhaps for installing bots on it
[18:53] <Raven> or flooding
[18:53] <INTJ> vhost
[18:53] <Raven> or defacing the website on the box
[18:53] <INTJ> hack another box
[18:53] *** rekaerf has joined #bsrf
[18:53] <Raven> yup, u can also set a virtual host on this box
[18:53] <rekaerf> hey
[18:54] <Raven> yes, or start other attacks against other hosts from this newly cracked one
[18:54] <TheJoker> or just screw the system and kill a business
[18:54] <Raven> yes, that's also true
[18:54] <Raven> or...
[18:54] <Raven> corporate espionage
[18:54] <TheJoker> yummy!
[18:54] <Raven> if ur a corporate spy
[18:54] <INTJ> credit card numbers ;p
[18:54] <Raven> u could get info and stuff
[18:54] *** blu3h4z3 has joined #bsrf
[18:54] <Raven> or maybe access credit card databases
[18:54] <Raven> or other sensitive information
[18:54] <Raven> so that was phase 5
[18:55] <Raven> which is...
[18:55] <Raven> well, the last phase
[18:55] <Seeker> LOL
[18:55] <Raven> thank u all for coming over to the lecture
[18:55] <[S]hun> hmm, I think I missed the first few parts
[18:55] <[S]hun> where can I get the logs ?
[18:55] <blu3h4z3> argh, I missed the whole thing!
[18:55] <Chaotic_Thought> it was cool
[18:55] <Raven> ouch
[18:55] <[S]hun> on blacksun/ ?
[18:55] <TheJoker> na ni na na boo boo!
[18:55] <Seeker> it was good yes
[18:55] <Raven> someone send me his logs plz
[18:55] <INTJ> hahaha
[18:55] <Seeker> interesting
[18:55] <TheJoker> nice job Raven
[18:56] <Chaotic_Thought> RaveN, u want logs sorta edited?
[18:56] <INTJ> edit the personal joke!!! hahaha ;p
[18:56] <Raven> sorta edited?
[18:56] <Raven> whaddya mean?
[18:56] <Chaotic_Thought> Like, I was talking before lecture
[18:56] <Raven> seeker, u didn't miss any parts of the lecture, right?
[18:56] <blu3h4z3> no uncut and unedited
[18:56] <Chaotic_Thought> Want that out?
[18:56] <Raven> nm, seeker is sending me his logs
[18:57] *** rekaerf has quit IRC (IL.Quit: I was using Ghost_Rider Script version 2.0)
[18:57] <Raven> in a whopping 0.6429k per second speed
[18:57] <[S]hun> haha
[18:57] <Raven> # | Type | Nick | Percent Complete | K/s | File
[18:57] <Raven> ------------------------------------------------------------
[18:57] <Raven> 1# GET seeker [progress bar] 94.6% 00:02 0.6395 #bsrf_20000122.log
[18:57] <Raven> - DCC Warning: incoming file is larger than the handshake said
[18:57] <Raven> - DCC Warning: GET: closing connection
[18:57] * Seeker grins
[18:57] <Raven> send again plz
Session Close: Sat Jan 22 18:57:32 2000