Chapter I - Unix commands you need to know.

There are just a few basic commands you need to learn, and then some unix
programs that will aid you in logging into or keeping access to the machine.

Call your local internet service provider and ask them to sell you a shell
account so that you will have something to practice on to learn these
basic commands. The average shell account might cost you $10.00 per month
if you don't already get one with your existing account.

Section 1A - Basic commands

I hope you have a basic knowledge of DOS; that would help a bit, and I will
assume in writing this manual that you already do.

DOS Commands you are used to first:

REMEMBER: unix is case sensitive, so if I use lower case here you must also,
and if I use a space you must also. DOS will let you get away with a lot of
things but unix will not!

DIR/W   = ls
DIR     = ls -l
DIR/AH  = ls -al    (AH = hidden; -al = include hidden files as well as regular ones)
RENAME  = mv
ATTRIB  = chmod
MD      = mkdir
RD      = rmdir
DEL     = rm
COPY    = cp

These are the basic commands. I suggest that you look up the man pages
on each one of these commands from your unix shell. You would do this by
typing 'man command' without the ''.

Each one of these commands will have switches, like cp -R to copy
files and directories. So you would type man cp to get all of the switches
you can use with the copy command.

cd {then press enter}   will always take you to your home directory
cp filename $HOME       will copy the file to your home directory
cd ~username            will take you to that user's home dir if you have access to be there
pwd {press enter}       will show you what directory you are in.

Section 1B - Telnet

Telnet is a command that you can use from a shell account, or from an exe
file (telnet.exe) from Windows, OS/2, Windows 95 and other operating systems,
that will let you connect to another machine on the net. There are other
programs you will learn about here, like FTP and rlogin, that you can use as
well, but for now we will use telnet.

You can use telnet if you know the IP address or the host name you want to
connect or login to. To use the command you would just use the telnet program
to connect to the IP or host like this:

telnet netcom.com or telnet 206.146.43.56

Ok, now let's login:

telnet machine.com
trying .....
Connected to machine.com
Linux 2.0.28 (machine.com) (ttyp0)
machine login:username
password:#######
bash$

Your prompt might look different, but we will use this one.

Notice above that it will tell you the O/S when you get the login prompt.
You can use this if you get a large collection of passwd files. Even before
going on to crack them, sort them by O/S type by just telnetting to them to
see what they are running. There are other ways, but let's keep this telnet
topic going for a sec... telnet domain.name.com, and after you see what they
are running make a note of this and press ctrl ] to break out of the
connection.

Put all of your linux passwd files into a pile to be cracked first. All we
need is one account that works for the system, and we can be almost sure
we will have root on that machine! There are way too many holes in linux to
think we will not be able to own one of those machines, so let's get to work
so we can start this wonderful world of hacking.

Unix File Permissions

bash$
bash$ cd /tmp
bash$ ls -l
total 783
-rwx------ 1 wood users 1 Jan 25 18:28 19067haa
-rw-r--r-- 1 berry mail 1 Jan 16 12:38 filter.14428
-rw------- 1 rhey19 root 395447 Jan 24 02:59 pop3a13598
-rw------- 1 rhey19 root 395447 Jan 24 03:00 pop3a13600
drwxr-xr-x 4 root root 1024 Jan 12 13:18 screens

First notice that we used a / and not \ to change to the tmp directory! Unix
uses / as the path separator, and / by itself is the root directory, so it is
backwards from DOS here.

Notice we did ls -l for the long directory listing. If we did 'ls' we would
have what you see below.

bash$ ls
19067haa filter.14428 pop3a13598 pop3a13600 screens

With what we see here we cannot tell much, so most of the time we will be
using ls -al; with the -al we will see the hidden files also. Hidden
files and directories will always start with a '.'. Now watch:

bash$ ls -al
total 794
drwxrwxrwt 4 root root 8192 Jan 25 23:05 .
drwxr-xr-x 22 root root 1024 Dec 28 18:07 ..
-rw-r--r-- 1 berry users 6 Jan 25 23:05 .pinetemp.000
drwxr-xr-x 2 berry users 1024 Jan 25 23:05 .test
-rwx------ 1 wood users 1 Jan 25 18:28 19067haa
-rw-r--r-- 1 berry mail 1 Jan 16 12:38 filter.14428
-rw------- 1 rhey19 root 395447 Jan 24 02:59 pop3a13598
-rw------- 1 rhey19 root 395447 Jan 24 03:00 pop3a13600
drwxr-xr-x 4 root root 1024 Jan 12 13:18 screens

.pinetemp.000 is a hidden file, and .test is a hidden directory.

-rw-r--r-- 1 berry mail 1 Jan 16 12:38 filter.14428
  row 1      row2  row3
----------------------------

Now here we need to learn about permissions, users, and groups.

Row #1 is the file permissions
Row #2 is who owns the file
Row #3 is the group owner of the file

File permissions are grouped together into three different groups.
If the line starts with a d, it is a directory; if there is no d, it is a file.

- --- --- ---
| |   |   |--------> Other = anyone on the machine can access
| |   |------------> Group = certain groups can access
| |----------------> User = only the owner can access
|------------------> Directory mark

- rw- r-- r--
| |   |   |--------> Other can only read the file
| |   |------------> Group can only read the file
| |----------------> User can read or write to the file
|------------------> It is not a directory

- rwx rwx r-x
| |   |   |--------> Other can read and execute the file
| |   |------------> Group can read, write and execute the file
| |----------------> User can read, write and execute the file
|------------------> It is not a directory

The owner is the user name in row #2 and the group owner is the name in row #3.

In DOS the file has to have a .exe, .com, or .bat extension to execute, but in
unix all you need is the x set in the permission group that applies to you
(user, group, or other).

You can change these permissions if you own the file or have root access:
---------------------------------------------------------------------------
chmod oug+r filename      will make all three groups of permissions able to
                          read the file.
chmod og-r filename       would make the file readable only by the user that
                          owns the file. (notice the + or - to add or remove
                          a permission)
chmod +x filename         would make the file executable by all.
chown username filename   would make the file owned by another user.
chgrp groupname filename  would make the file owned by another group.
---------------------------------------------------------------------------
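The mode field that ls -l prints and the chmod forms listed above, worked through as an added example (this script is not part of the original manual): it converts a mode string from the listing into octal, then replays the three chmod commands on a scratch file created with mktemp and shows the mode after each step. chown and chgrp are left out because they need root.

```shell
#!/bin/sh
# Added example (not from the original manual): read the mode field that
# ls -l prints, convert it to octal, and replay the chmod commands above on a
# scratch file so the effect of each one can be seen.

# mode_of FILE: the 10-character permission field from ls -ld (e.g. -rw-r--r--).
# Only the first 10 characters are kept, so an ACL/SELinux marker (+ or .) is dropped.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# perm_to_octal MODE: turn -rw-r--r-- into 644 by scoring each rwx triplet
# (r=4, w=2, x=1). setuid/setgid/sticky (s, t) are counted as execute only.
perm_to_octal() {
    out=""
    for start in 2 5 8; do               # user, group, other triplets
        triplet=$(printf '%s' "$1" | cut -c"$start"-"$((start + 2))")
        v=0
        case $triplet in r??) v=$((v + 4));; esac
        case $triplet in ?w?) v=$((v + 2));; esac
        case $triplet in ??[xst]) v=$((v + 1));; esac
        out="$out$v"
    done
    printf '%s\n' "$out"
}

# chmod_walkthrough: apply the manual's three chmod forms in order to a scratch
# file and print the resulting mode after each step. umask is fixed at 022 so
# the bare "+x" behaves the same everywhere (a bare +x skips bits in the umask).
chmod_walkthrough() {
    umask 022
    f=$(mktemp) || return 1
    chmod 600 "$f"                        # start from user read/write only
    chmod oug+r "$f"; m1=$(mode_of "$f")  # everyone can read      -> -rw-r--r--
    chmod og-r "$f";  m2=$(mode_of "$f")  # only the owner can read -> -rw-------
    chmod +x "$f";    m3=$(mode_of "$f")  # executable by all       -> -rwx--x--x
    rm -f "$f"
    printf '%s %s %s\n' "$m1" "$m2" "$m3"
}

# Modes taken from the listing in the manual, used here as constructed input.
for mode in -rwx------ -rw-r--r-- drwxr-xr-x drwxrwxrwt; do
    printf '%s = %s\n' "$mode" "$(perm_to_octal "$mode")"
done
chmod_walkthrough
```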

Make sure to keep file perms and groups the same or you will be sniffed
out and booted from the system. Changing configs on the system might only
break other functions, so keep your paws off or you are just asking to get
caught. Only do what you are *SURE* of. Only use commands that you know;
you might find yourself spending hours fixing just one typo, and something
like chown -R username /* could keep you busy for a year ;)

Just be careful!

We will get into this stuff more as we go into the needs for this.

Section 1C - Rlogin

There is another command you might use, and we will get into this elsewhere
as we get into using rlogin to login to a system without a password.
For now read the man pages on rlogin by using man rlogin from your
shell account.

The basic command would be:

rlogin -l username hostname
connecting....
password:
bash$

Rlogin requires the user to have a file in their home directory that tells
what systems they can receive the rlogin from. In this file, .rhosts, an
entry would look like this:

username hostname (or) hostname

If you were to add + + to this file it would let any user from any host
login without a password.

The file would look like this:

----- cut here ------
+ +
----- cut here ------

If they already had entries you could add the + + under their host names, but
remember now they would notice, seeing they would now be able to rlogin
without the password. You would be targeting people that did not
already have a .rhosts file.
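Checking a .rhosts file for the wildcard entries just described, as an added example that is not part of the original manual. It reads lines in the order rlogin's own man page gives, hostname first with an optional username, treats a + in either field as a wildcard, and runs against a constructed sample file written by write_sample_rhosts (sample data, not from any real account).

```shell
#!/bin/sh
# Added example (not from the original manual): audit a .rhosts file for the
# wildcard entries described above. Each line is "hostname [username]"; a "+"
# in either position is a wildcard, so "+ +" admits any user from any host.

# rhosts_risk: read .rhosts lines on stdin, print one verdict per entry.
rhosts_risk() {
    while read -r host user rest; do
        case $host in ''|'#'*) continue;; esac      # blank lines and comments
        if [ "$host" = "+" ] && [ "$user" = "+" ]; then
            echo "CRITICAL: any user from any host (+ +)"
        elif [ "$host" = "+" ]; then
            echo "HIGH: user ${user:-<owner>} from any host"
        elif [ "$user" = "+" ]; then
            echo "HIGH: any user from host $host"
        else
            echo "ok: ${user:-<owner>} from host $host"
        fi
    done
}

# rhosts_open_count FILE: number of entries containing a wildcard.
rhosts_open_count() {
    c=0
    while read -r host user rest; do
        case $host in ''|'#'*) continue;; esac
        if [ "$host" = "+" ] || [ "$user" = "+" ]; then c=$((c + 1)); fi
    done < "$1"
    echo "$c"
}

# write_sample_rhosts FILE: a constructed .rhosts (not taken from any real
# account) with two legitimate entries, one half-open and one fully open.
write_sample_rhosts() {
    cat > "$1" <<'EOF'
# entries below are constructed sample data
trusted.example.com
trusted.example.com alice
+ bob
+ +
EOF
}

tmp=$(mktemp)
write_sample_rhosts "$tmp"
rhosts_risk < "$tmp"
echo "wildcard entries: $(rhosts_open_count "$tmp")"
rm -f "$tmp"
```

Run it as rhosts_risk < ~user/.rhosts (or loop over home directories) to see which accounts an admin would spot immediately.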

Section 1D - FTP

Another way to login will be FTP. You can use a windows client, or just
login from a shell.

ftp ftp.domain.com

This will allow you to download or upload files to the site you are hacking.
Just make sure to edit the xferlog (see section 6d) to wipe your tracks
on the system. Remember NEVER to ftp or telnet out of the hacked system, only
log into it! If you are coming from your own system, or from another hacked
account, you might just be giving your login and password to the system admin
or another hacker on their system. There could be a telnetd or ftpd trojan
loaded on the system, or even a sniffer. Now you would have just given someone
your login id and password. And if this was the system admin, he might have
the idea that revenge is sweet ;)

Using ftp from the shell, I would suggest using a few commands. After you
login and have your prompt, type these commands, pressing enter after each
one:

prompt
hash
bin

prompt will allow you to type a command like (mget *) or (mput *) and transfer
an entire directory without having it prompt you for each file yes or no.

hash will put hash marks (############) on the screen so you can see the
transfer is still moving and at what speed.

bin will make sure you get the files in the right mode, and if transferring
binary files, you will be sure they will uncompress.

The transfer commands are easy: get filename, or put filename, or for many
files you can use regular wild cards with mput or mget.

Section 1E - GCC compiler

There will be a time when you will need to compile a .c file.

It is best to compile on the machine you are working on. So upload, or copy
and paste, the files to the hacked box and compile them there. If you have
problems with their compiler you can try to upload pre-compiled files.

One way to get the file up to the victim's machine would be to use copy
and paste. Get a good tsr or windows shareware program to do this if
you do not have any way to do it now. You can copy a script file from
one window and paste it into an editor on the victim's machine, and then
compile the new file. Voila... no upload log of the file. You can copy and
paste from the victim's machine as well so that there are no download logs of
ascii files.

To copy and paste you can just open an editor on the hacked box, then copy
from your other session, paste your script into the editor and save the
file. This way there will not be anything in the xferlog yet.

You can do the same thing with the password file. If you do decide to
download the password file using ftp, make sure to copy it to your home
directory first under a different name.

bash:/etc:> cp passwd $HOME/plog

would copy the file called passwd from the /etc directory you were in to your
home directory, in a file called plog instead of passwd. Admins grep the xfer
logs looking for who is downloading the passwd file.

Another way to get a file to or from the box without showing up in the logs
would be to open an irc session on the victim's machine, then from your other
session, where you are already a user on irc, send the files using dcc.

The command to send the files would be /dcc send <nick> <filename>
The command to get the file on the other side would be /dcc get <nick> <file>

It would be nice if you had a bot loaded on irc when you were hacking so
that you could just send files to the bot and have it auto receive them.
A 'bot' is a robot program that you can load in the background on your shell
account that will receive files, keep channels open, etc...


The GCC compiler is easy...

gcc filename.c -o filenameyouwant

If I were to compile a file called z2.c that would zap the log files I would
type this:

gcc z2.c -o zap

This would give me an executable file called zap.

If I just typed: gcc z2.c I would have a file named a.out that was the
executable file, and would have to rename it to zap, or some name I would
know, by doing this: mv a.out zap

Now I would have a file named zap that was executable instead of a.out.

You will want to make sure you are not naming these files names that sys
admins will know. If you had a sniffer file called 'linuxsniffer.c' you don't
want to keep the same name ;) call it something like:

gcc linuxsniffer.c -o lsn

Remember also, sometimes you can execute these files right in the directory
by just typing the file name, like for our 'lsn' (sniffer) above, just by
typing lsn. But sometimes this will not work unless you add a ./ to the
command, because the shell only searches the directories in your PATH and the
current directory is usually not one of them. So remember, sometimes you will
need to type ./lsn or ./yourfilename.

Also there will be a time you will want a program to run in the background
even after you logoff, like in the case of the sniffer above. In this case
you might want to name your sniffer something that would not be so easily
noticed. Use your own style here. BUT to make it stay in the background while
you are off the system you need to run the command with a & after the command.

lsn&

If you were to just type lsn, your screen would pause, and you would not be
able to type while the program was sniffing, but if you typed lsn& it would
load and the system prompt would come right back to you. Also the system
would let you know it was loaded by giving you the process id # that it
was loaded as.

You could view the process with the ps -x command; you might want to run

ps -auxe |more

a = all
u = show user
x = yours
e = env

On some machines:
f = tree

or the command: pstree
