** Hacking Kit Documentation

#contents

**''Preface''

If you have any other exploits, bugs, sniffers or utils that are not in here,
please mail them to m-codec@akmalida.com, and I will be sure to keep you
updated with the latest version of this toolkit.~
~
Comments are welcome.  Sysadmins who want to keep their system clean are
welcome to request the latest version.~
~
If you are looking for perfect grammar or spelling, please put this file in
your circular file.  I put enough time into this and just put it through
a cheap spell check.~
~
What's new?  Look for more info on tricks of the trade, and on NFS-mounting
drives to gain access to shells.  I am sure you will like the additions.
I have added a login trojan, an in.telnetd trojan, and some more scripts for
scanning machines for mountable drives.  Have fun!~
~
I will add a (*) to updated sections.~
~
** Contents

*** [[Disclaimer>disclaimer]]
*** [[Preface>preface]]
*** [[Chapter I - Unix commands you need to know>hackchapter1]]

    1A. Basic commands
        Getting back to your home directory
        Getting into a user's home directory easily
        How to see what directory you are in now
        How to get a complete manual for each command
    1B. Telnet
        Unix file permissions
        Unix groups
        How to change permissions and groups
    1C. Rlogin
        .rhosts
        How to setup a .rhost file to login without a password
    1D. FTP
        Logging in to the site, but never out of the site.
        Using prompt, hash, and bin
        Using get, put, mget, and mput
    1E. GCC (unix compiler)
        How to get the file to the hack box without uploading it
        How to copy files to your home directory easily
        How to compile .c programs
        How to name them what you want
        How to load programs in the background while you log off
        Looking at your process with ps

*** [[Chapter II - Getting started (your first account)>hackchapter2]]

    2A. Cracking password files
        How to get hundreds of accounts with your first hacked account
        Why you only really need one password cracked on a system
        How to get the root password from the admin, on a non-exploit system
        Using a fake su program
        Docs for the fake su program
        How to find the admins
        How to read .bash_history
        Cracker Jack - A good password cracker
        How to use crackerjack
        Word Files
        What you will need to get started
        Hashing the word files
      * Hash file for use with cracker jack and your word list
      * Hash file for use with cracker jack and your passwd file
    2B. Talking to newbies
        How to find the newbies
        How to get the newbies' passwords
    2C. The hard way
        Using finger @
        What could the password be?
        Getting more info from finger
        A small .c file to use if you get on
        Writing a small perl script to do the work for you.
        How to get a domain list of all domains from rs.internic.net
        A perl script to rip the domains & put them in a sorted readable list
        How to execute the perl script
  * 2D. Using mount to gain access to unix systems
      * What is nfs mount
      * What you need to get started
      * How to check a system to see if you can mount their drives
      * A script to scan for systems that are nfs mountable
      * How to mount the system
      * How to unmount the system
      * A Live Demo
      * Mounting the drive
      * Viewing the user directories
      * Editing the local machine's passwd file
      * How to put a .rhosts file in one of their users' directories
      * How to rlogin to the users account

*** [[Chapter III - Getting password files>hackchapter3]]

    3A. PHF
        What is phf
        Using lynx or netscape to access phf
        Finding the user id the victim's httpd (www) is running under
        How to see if you are root using phf
        How to cat the password file using phf
        Backing up the victim's password file
        Changing a user's password using phf
        Restoring the old passwords
        A .c file that will let you pipe commands to phf from your shell
        How to use the phf shell file
        Another way to use phf - text by quantum
        Quantum's bindwarez file
        A perl script that will try EVERY domain on the internet and log
        root access and snatch passwd files for you all day in the background.
        Docs for the perl script above
        Getting accounts from /var/?/messages
        A script to get the passwords for you if you can access /var/?/messages
    3B. Newbe's
        Lamers
    3C. Getting shadow passwd files
        What is a shadow passwd
        Getting the shadow file without root access
        A .c file to cat any file without root access
    3D. Getting /etc/hosts
        Why get /etc/hosts

*** [[Chapter IV - Getting the root account>hackchapter4]]

       What to do if you can't get root on the system
   4A. Bugs
       Intro
   4B. Exploits
       The umount/mount exploit
       What are SUID perms
       The umount .c file
       How to compile umount.c
       The lpr Linux exploit
       The lpr Linux .c exploit file
       The lpr BSD .c exploit file
       How to use lpr
       Watch the group owners with lpr
       Just use lpr for first root, then make a SUID shell
       How to make the SUID root shell for future root access (root root)
       The splitvt exploit
       The splitvt exploit .c program
       How to use the splitvt exploit program
       The sendmail 8.73 - 8.83 root exploit shell script
       How to use the sendmail exploit to get root access

*** [[Chapter V - Making yourself invisible>hackchapter5]]

       Keeping access
   5A. Zap2 (for wtmp/lastlog/utmp)
       Fingering the host before login
       How to login and stay safe
       How to configure Zap2
       Finding the log file locations
       The zap.c file
   5B. Other scripts
       The wted wtmp editor
       Command line usage for wted
       How to chmod the wtmp.tmp file
       How to copy the wtmp.tmp to the wtmp file
       Setting the path for the wtmp file in wted
       The wted.c file
       Cleaning the lastlog file using lled
       Command line options for lled
       How to use lled
       How to chmod the lastlog.tmp file
       How to copy the lastlog.tmp file to lastlog
       Setting the path for the lastlog file in lled
       The lled.c file
     * A good perl script for editing wtmp, utmp, and checking processes

*** [[Chapter VI - Cleaning the log files>hackchapter6]]

   6A. A walk around in a hacked system - let's log in
       Logging on to the system
       Watching for admins
       Nested directories
       Having your root file ready
       Becoming invisible
       Grepping the log directory
       Cleaning the logs
       Let's sniff the network
       Editing your linsniffer.c
       Looking at the processes running
       Compiling and naming your sniffer program
       Starting a sniff session
       Changing group file access
       Making a suid root shell trojan for uid=0 gid=0 every time
       Naming your trojan
       Touching the file's date
       Checking the sniffer log file
       Setting the history files to null
     * Using unset for the history files
   6B. messages and the syslog
       How to find where the logs are by reading /etc/syslog.conf
       How to see if there are logs in hidden directories
       How to see if logs are being mailed to user accounts
       How to see if logs are going to another machine
     * How to edit syslog.conf to hide logins
     * Restarting syslogd
       How to see if there is a secret su log by reading /etc/login.defs
   6C. The xferlog
       How to edit the xferlog
       How to grep and edit the www logs
       How to look for ftp logs
     * Other ways to edit text logs
     * Using grep -v
     * A script to rip text lines from these logs
     * Restarting syslogd
   6D. The crontabs
       How to find and read the root or admin's cron
       How to see if MD5 is setup on the machine
       What is MD5

*** [[Chapter VII - Keeping access to the machine>hackchapter7]]

   7A. Tricks of the trade
       When the system admin has found you out
       What to expect from the admin
       History files
       Nested directories
       Placing trojans
       Hidden directories
       Making new commands (trojans)
       Adding or changing passwd file entries
       Setting some admin accounts with null passwords
       The best way to add an account
       Editing a null account so you can login
       Installing more games or exploitable programs
       How to know your admins
       Reading system mail (without updating pointers)
       What to look for in the mail directories
       A program to read mail without updating pointers
   7B. Root kits and trojans
       What are root kits
       What are Demon kits
       What do trojans do

*** [[Appendix I - Things to do after access>hackappendix1]]

   The a-z checklist

*** [[Appendix II - Hacking / Security WWW / ftp sites>hackappendix2]]

   All available sites
   
*** [[Appendix III - More exploits for root or other access>hackappendix3]]

   A3-01. Vixie crontab buffer overflow for RedHat Linux
   A3-02. Root dip exploit
   A3-03. ldt - text by quantumg
   A3-04. suid perl  - text by quantumg
   A3-05. Abuse Sendmail 8.6.9
   A3-06. ttysurf - grab someone's tty
   A3-07. shadow.c  - Get shadow passwd files
   A3-08. Abuse Root Exploit (linux game program)
   A3-09. Doom (game) root exploit - makes suid root shell
   A3-10. dosmenu suid root exploit
   A3-11. Doom root killmouse exploit
   A3-12. Root exploit for resize icons
   A3-13. Root console exploit for restorefont
   A3-14. Root rxvt X server exploit
   A3-15. Root wuftpd exploit
   A3-16. A shell script called gimme, used to read any system file

*** [[Appendix IV - Other UNIX system utilities>hackappendix4]]

   A4-01. Cloak v1.0 Wipes your presence on SCO, BSD, Ultrix, and HP/UX UNIX
   A4-02. invisible.c  Makes you invisible, and works on some SunOS without root
   A4-03. SySV Program that makes you invisible
   A4-04. UNIX Port scanner
   A4-05. Remove wtmp entries by tty number or username
   A4-06. SunOS wtmp editor
   A4-07. SunOS 4+ Zap yourself from wtmp, utmp and lastlog

*** [[Appendix V - Other Unix Exploits>hackappendix5]]

   A5-01. HP-UX Root vhe_u_mnt exploit
   A5-02. IRIX Root mail exploit
   A5-03. Root cron grabber - Crontab exploit for OSF/1, AIX 3.2.5, Digital UNIX
   A5-04. IRIX mail exploit to make you any user on the machine - BUT NOT root
   A5-05. BSD - crontab root exploit

*** [[Appendix VI - UUENCODED FILES>hackappendix6]]

   1. Quantum's Bindwarez binary file for PHF
   2. Demon Root Kit - Includes: Banish, DemonPing, DemonSu, DemonTelnet
   3. Linux Root Kit - Includes: Login, Netstat, and PS
   4. The Fake SU Program

-----
