A Beginner's Guide To Unix
      --------------------------

The information contained in this file
is by no means new or original. I was
simply asked to compile some basic
commands and concepts for the access
and use of Unix systems. I would like
to give credit to the many other files
which I have gained this information
from, and to the people who have helped
me learn what I know today.

I will not cover any detailed or
complicated features of Unix. I am
merely going to provide the means to
access low-security systems and
navigate the shell.

Access:
-------

All Unix systems are provided with
default accounts. They are used for
system administration and such. Many
system operators are too lazy or naive
to remove them. You may find the
following accounts on a system, with no
passwords:

daemon
uucp
bin
adm
sysadm
admin
sysadmin
nuucp
sync

Others may have been added, such as:

user
guest
demo
test
public
help
field
system
operator

You can also try common first or last
names (john,fred,smith,etc...). Be sure
to use lowercase for the login name. If
you enter a capital letter as the first character, the system will assume that
you terminal is incapable of displaying
lowercase. From then on, in order to
enter capital letters you must precede
each by a "\". This can become quite
annoying, and you will probably never
see an account with a capital letter as
the first character.

Of the above defaults, the uucp or
nuucp accounts are often used for Unix
to Unix communications (uucp stands for
Unix to Unix CoPy). If this is the
case, the system will give send the
uucp identifier, "Shere". In this case,
the account is basically useless
unless you can call via another system
through the uucp command.

The sync account is a self-running Unix
management account. If present, it will
run a few housekeeping chores and log
off. The only reason I included this is
that many systems provide a greeting
message or something of the sort when
you log on as sync. Occasionally you
can obtain information which will help
you find an account.

If you cannot get in via the above
methods, try using "who". If present,
it will display a list of all accounts
currently online. You can try those
and hope they have no password.

If you are desperate, just hack
blindly. Often the login name and
password are the same. You can also
try initials (as in names...rlb,jhs,
etc...).

Once you are in:
----------------

If you make it through the front door,
you do not necessarily have access to
the shell. Often accounts have programs
run automatically for specific users,
such as system administration programs
(useful), accounting programs, etc...
In this case, you can try to break out
of the program (either through a menu
option or a loophole). Try various
escape/break related control characters
(escape [ascii 27], ctrl-c [ascii 3],
etc...).

When you are in the shell, you will be
greeted by one of two prompts. Either
a "$", denoting basic access, or a "#",
denoting superuser access. If you have
superuser access, most of your work may
be done (depending on other security
measures that have been taken).
Either way, the following will help
you get higher access.

First, you'll need some basic commands
for moving around:

stty
  This command sets your terminal
  characteristics. Before you attempt
  anything else, you should set some
  important ones. First, your delete
  character. Many systems do not use
  the common ctrl-h [ascii 8]. Also,
  the delete on your computer may not
  be the standard ctrl-h. To set your
  delete character, type:

  stty erase (character)

  Do not use the parentheses. Spacing
  is important. You can replace
  (character) by hitting your own
  delete key, or typing a control key
  sequence.

  If you would like to enter something
  a bit more visual to reassure
  yourself, you can use:

  stty erase \^(character)

  To enter a control character without
  actually hitting control. Replace
  character with the desired control
  character. Ex:

  stty erase \^h

  Sets the erase character to ctrl-h.

  If you make a mistake doing this,
  hit return and start over
  (obviously if the system does not
  know your erase character, you
  cannot edit your mistakes).

  Once your control character is set,
  you will want to set your break
  character. This is vital for file
  editing, which we will cover
  shortly. To set the break character,
  type:

  stty intr (character)

  The same options as the delete
  character apply.

  To view the current setting, simply
  enter stty by itself. Often, the
  system will already be configured to
  your liking. Occasionally, the stty
  command will not display the erase
  or break (intr) characters, in which
  case you should enter them to be
  sure. All control characters will be
  displayed in the ^(character)
  format.

ls
  This is the list-files command. It
  will show the names of all non-
  hidden files in the current
  directory. The display will either
  be a single list or multi-column
  display. The command lc toggles
  between the two. In either case, the
  files will be sorted alphabetically
  (numbers first, followed by most
  punctuation symbols, then capital
  letters, and finally lowercase
  letters).

  ls has many options, which I will
  cover later.

pwd
  Displays the current directory path
  from the root directory (/).

cd
  Change directory. Those familiar
  with the MS-DOS environment will
  have no trouble with this command.
  To change directories, simply supply
  a path from the root directory.
  To go to the "lib" directory, within
  the "usr" directory, you would
  enter:

  cd /usr/lib

cat
  Displays a file. Often it is
  difficult to differentiate between
  text files and data files. If you
  wish to abort the display, type
  your break character.

  Cat requires the full pathname to
  access files outside the current
  directory, but for files within
  the current directory, the filename
  will suffice.

  Ex:

  cat /etc/passwd

  Will display the passwd file within
  the etc directory. This file is
  present on all systems. It is
  immensily useful in gaining higher
  access (basically, it is necessary
  to gain any access).

These commands will help you for now.
After setting your terminal options,
enter:

cd /etc

We will be doing most of our work in
there for the time being. You should
have had your buffer on long before
this on the system, but turn it before
executing the following command if you
haven't:

cat /etc/passwd

Often these files are quite large, so
after a while you may want to abort it.
Often what you are looking for will be
within the first few lines.

Each line of the passwd file represents
an individual user. There are seven
fields to each entry. A typical entry
looks like this:

user:x:100:100:Elmo:/usr/user:/bin/sh

The first field is the login ID. The
second is the password field. In newer
releases, it will contain an "x". Older
releases may contain the actual
encrypted password (a string of
seemingly random characters). On new
systems the encrypted password are
found in the /etc/shadow file. The
third field is the user ID number.
Fourth is the group ID number (more
on groups later). Fifth is merely a
comment about this user (often their
name, or in an administrative account,
its duties). Sixth is the home
directory. The system will place you
in your home directory when you log on.
The final field contains the path and
file names for the default shell or
program. If this field is empty, the
system defaults to /bin/sh.

You cannot gain a user's password via
this file. You may be able to obtain
access through a higher account,
however. When looking for high-level
accounts, you will want to examine the
fourth field. The lower numbers often
denote administrative accounts. The
group "root" belongs to is most likely
what you will want.

To discover more about the groups, view
the /etc/group file. This contains the
group names, the encrypted password
required to change into/out of this
group (almost always "NONE"), the group
ID number (to compare to the passwd
file), and a list of the group's
members.

You will want to scan the passwd and
group files to find any accounts that
belong to the same group as root, or
a group which root is in. Often root
will be the only member of its group,
so you will have to look for other
administrative account groups (those
containing such accounts as adm,admin,
sysadm,sysadmin and so on).

Once you have found these accounts,
you can attempt to gain their access.
The command:

su (login ID)

allows you to essentially "become" that
user. Replace (login ID), of course,
with the account you want to assume.
If the account has no password, the
process is automatic. Otherwise, you
will be prompted for a password. You
can try the login ID as a password, but
this may not work. If it does, make a
note of it. Otherwise, you can try
other methods, or go on to another
account.

Hopefully, you will find an account
with no password. If you have found
an older system, without the
/etc/shadow file, an empty password
field (::) will tell you immediately
which accounts do not have passwords.
If it is a newer system, it will
contain an "x" regardless of the
presence of the password status.

If you find yourself in this dilemna,
you may still be able to find an list
of those accounts without passwords.

If you have the superuser ("#") prompt,
you may be able to read the /etc/shadow
file. The format for this file is:

login ID:(encoded pw):6480:14:28

The first field is the same as the
login ID found in the /etc/passwd file.
Each entry in /etc/passwd should have
a corresponding one in /etc/shadow. The
second field will be blank, denoting
no password, or contain the
afformentioned "random" characters.
Third is a numeric code describing
when the password was last changed.
Fourth and fifth are the minimum and
maximum number of days between
mandatory password changes. Often the
last two fields are empty, which means
users are not required to change thier
passwords.

Here, again, you should look for any
accounts without passwords, and
examine the group file as mentioned.

Now, hopefully, you will have some
decent access. Many of the accounts
with no password are that way for a
reason - they do not allow shell
access; but that never stopped anyone.

If you discover an account that runs
a program and then logs off, or runs
a program which allows you to
interact in a boring way, you can use
this to your advantage. Look in the
seventh field of this account's passwd
information. It will contain the
path and filename of the program being
run.

At this point, security on most systems
is extremely low. Many system operators
are sure that by stopping you from
directly getting access, they have
stopped you totally. By "tricking" the
system, you can get access indirectly.

If you find a program being run, go
back to the account which gave you
shell access. Then enter the directory
where the program was (do not include
the file "/" and the filename). You
want to change the filename of the
program. To do this, type:

mv (filename) (backup filename)

To change /usr/prog to /usr/prog.b, you
would enter:

mv /usr/prog /usr/prog.b

Make sure you remember the filename
you give it. It is also a good idea
to keep it in the same directory. Now,
you have to create a dummy file to
replace it. We will have to use the
"ed" file editor to do this. MAKE SURE
YOU HAVE SET YOU BREAK CHARACTER. You
cannot use ed without having a break
character. To make the file, type:

ed (filename)

Where (filename) is the name of the
file you just renamed. Use the OLD name
(the one in the passwd file)! ed will
respond with:

?(filename)

meaning the file does not exist yet.

Some basic ed commands are:

q
  Quit. If you attempt to quit after
  making changes, ed will not quit
  until you hit "q" again (this is to
  remind you to save changes).
w
  Write file (saves all the changes
  you make).
,p
  Displays all lines.
/(string)
  Searches the buffer for (string),
  and displays that line.
a
  Add lines (starting at the current
  line).
i
  Insert lines at the current line.
d
  Delete the current line.
h
  Turns help on (shows verbose error
  messages).

Entering a line number will bring you
to that line. When editting a file
which already exists, ed will show you
the current number of bytes in the file
rather than "?(filename)". If you
attempt to write a file, and ed replies
with "?(filename)", you do not have
access to write that file.

Now, back to the dummy file. Type "a"
to add lines. Enter:

echo "Blah"
/bin/sh

Then, after pressing return on the
/bin/sh line, type your break
character. Write the file and quit the
editor. You now have your dummy program
set up. The command "echo" is a simple
print command. You can enter as many
as you like, or none at all. They are
merely to reassure you that your
program is running. The important part
of this is the "/bin/sh", which runs
the shell program.

You must now give all users access to
your program, so the account will be
able to use your newly created
program. Type:

chmod +rwx

This will give read, write, and execute
permissions to all users (more on
permissions some other day).

You should now logon again as the
account which uses this program.
If you did everything right, you should
now have control of the shell,
hopefully with superuser access ("#"
prompt). If you still do not have
superuser access, go back and try
something else. Be sure to do the next
few steps whether it works or not, to
insure your continued use of the
system. Delete your dummy program by
typing:

rm (filename)

Be sure to include the directory path
in the filename, as before. Now,
rename the old file back to its
original name (just reverse the
filenames in the previous rename
command).

Now everything is back to normal. If
you did not get access, you will have
to go back to your old account to set
the files back to normal. Make sure you
do this, or you may cause damage to the
system. This will result in higher
security. Also, real hackers never
damage systems for without cause.
Laziness is not an excuse.

If you are still without decent access,
you will have to consult another file.
I may write another soon on more ways
to gain access, but for now, this
should help enough people. From now on,
I will assume you have achieved
superuser access within an
administrative group. You will most
likely want an account of your own now.
Use the ed command to edit the
/etc/passwd file. Somewhere in the
mid-beginning section (within the first
4-12 lines), add an account using one
of the default account not already
present (from the first list, if
possible), or commandeer an unused (be
sure it is unused) default account
already there.

Set you ID number and group to those
of the root account (usually 0:3).
Set your directory wherever you like,
and set the shell filename to either
/bin/sh, or leave it blank. In the
password (second) field, what you
enter depends on the system. If it is
an older system where the encrypted
passwords are stored in the passwd
file, just enter whatever password you
like there. The system will encrypt it
for you when you save it. If it is the
newer "x" system, put an "x" there, and
do the following, otherwise skip this.

New system users will have to enter
the command:

/etc/pwconv

This command will recreate the
/etc/shadow file based on the
information in the passwd file. Just
to be sure, ed the shadow file, and
leave the password field blank for
your newly created account (use the
/(string) command within ed to jump
directly to your login ID).

Now, you can call back as your new
account. You should enter:

passwd

to create a password for your account
if it doesn't already have one.

If all has gone well, you now have an
account of your own. I will now give
a list of other commands which you can
play around with.

Unix commands:
--------------

banner (string)
  This is a "fun" command, which will
  take (string) and expand it into
  block letters on your display.

write (user)
  Will send a message to another user.
  After entering the command, the
  system will wait for you to type a
  message and terminate it with your
  eof character. Change your eof
  character by entering:

  stty eof (character)

wall
  Like write, but sends to all users.

who
  Displays a list of everyone online.

mail (user)
  Send email to any user in the passwd
  file. To read your mail, just type
  mail.

exit
  Logout of the system. I should have
  mentioned this before, but I forgot.
  You can also use your eof
  character at the shell prompt to
  logout.

echo
  Prints text or variables, as shown
  before.

env
  Display all variables in your
  environment. More on shell
  variables soon.

rmdir (directory)
  Delete a directory.

mkdir (directory)
  Make a directory.

cp (original) (backup)
  Copy a file.

grep (string) (filename)
  Searches through (filename) until
  it finds (string), and then
  displays the entire line (string)
  was found on.

date (time & date)
  Alone, date displays the time and
  date. It can also be used to set
  it.

cal (date)
  Alone, cal displays a calendar of
  the current month. With optional
  month and year, it will display
  any year from 1 to 9999.

There are many more commands, but to
explain them all could take forever.
Most systems contain online help files
which you can access by typing either:

man (command)

or:

help (command)

For a list of commands, look in the
various "bin" directories. They
contain the actual programs.

Variables:
----------

The shell allows the use of variables.
All variables are represented by
capital letters. You can create your
own, or view/change standard system
variables. Some standard variables are:

PATH
  This will show the order the shell
  searches in to find commands. You
  will most likely find a number of
  directories ending in "bin". An
  example could be:

  :/bin:/usr/bin:/usr/lib/bin:/etc

  This means that when you type a
  command, the system checks to
  directories in that order before
  finally giving up and reporting an
  error if the command is not found
  (All commands are files).

PS1
  This is the main shell prompt,
  usually "$" or "#", depending on
  your access. You can change this
  to whatever you like.

TERM

  Some systems keep track of what
  type of terminal you are using, for
  use in formatting output (usually
  through other programs).

LOGNAME
  The login ID you are using.

HOME
  Your home directory.

TZ
  Timezone.

MAIL
  The file your mail is sent to.

There are others, but they tend to vary
with the account. Enter the env command
to display the variables in use.

Variables you create within shell
programs (such as the dummy program
that was discussed before) retain thier
values for the life of the program
only (they do not affect the other
shell variables).

You can change a variable like this:

TERM=ansi

Whenever you want to view a variable,
or use it for another purpose, precede
it with a "$". Ex:

echo $LOGNAME

will display your login ID.

Misc:
-----

I seem to have run out of memory, so
forget it for now. Hopefully I'll write
so more soon...

                - Midnite Raider




Downloaded From P-80 International Information Systems 304-744-2253 12yrs+

You are viewing proxied material from infinitelyremote.com. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.