tty hacking

Thread: tty hacking

  1. #1
    Junior Member
    Join Date
    Sep 2001
    Posts
    10

    tty hacking

    I came across an old Phrack that was about "tty hacking." I thought this would be a totally outdated hack, but I was sort of wrong. Say a dumb user was logged onto tty2... I made this nifty little script that works on my Red Hat 7.1:
    echo -ne "\nexit\n" > /dev/tty2
    sleep 1
    clear > tty2
    echo -ne "\n\nRedHat Linux release 7.1 (Seawolf)\nKernel 2.4.3 on an i686\n\nlocalhost: $USER\nPassword: " > /dev/tty2
    echo -ne "user: $USER\nwait for password..."

    Now if I was a little less ignorant on scripting I could make this more believable (feel free to use/change it). What it does is it prints "exit" on the user's screen then mimics Red Hat's login prompt, except this one already has his username filled out. His cursor will be blinking after "Password: ". If/when he types it in, he won't see the characters displayed on his screen (just like in the real thing!) but you'll see it on yours. Anything and everything he types will go right back to your console! Of course after he presses enter and nothing happens, he'll start to panic, pressing all kinds of escape sequences. I didn't find any except Ctrl-C, but that just gives you your [$USER blah $PWD]: thingie, you still can't do anything. The only way is if the attacker kills the process. Oh and there is one catch, the user has to be in your same group. Anyway, I just thought that was pretty cool; if anyone knows how to make the ttys not writable to the group by default would ya let me know? Thanks
    -Ryan

  2. #2
    Senior Member linuxcomando's Avatar
    Join Date
    Sep 2001
    Posts
    430

    cool trick

    Thanks for the neat trick, I just might have to try it

  3. #3
    Senior Member
    Join Date
    Oct 2001
    Posts
    131

    tty hacking (new trick)

    This is great, I'm so glad you put this post up. After I read it, then wrote it down ("no disk with me"), I got thinking: try this.

    Let's say the dumb user is logged into tty2 and you are on tty3

    echo -ne /dev/tty3 > /dev/tty2

    or something of that nature,

    basically you freak out the idiot by echoing your screen to theirs.
    I think it is how they did the part in The Matrix where Neo is sleeping in front of his computer (yeah right). I am not sure if this will work, but I would have to look over my shell scripting again.

    Great post.
    What's a "START" button?

  4. #4
    Junior Member
    Join Date
    Sep 2001
    Posts
    14

    You can also (if you are root) cat things to their screen and disable their ability to type in commands. But I have never heard of this. Pretty cool. Good post.

  5. #5
    Junior Member
    Join Date
    Sep 2001
    Posts
    10

    Today I fired up my computer and ran the little script... it didn't work! The guy (me (tty2)) could see the password he typed in, and nothing went back to tty1. Also when I su'ed in tty2, and ran the script on tty1, the username shown was not root. I don't understand how it could work one day, and then stop the next. Any ideas?
    Anyway, I was fooling around with cat and found something out. If you type in:

    cat > file1 <enter>
    Ctrl-[ [ H (without spaces) <enter>
    Ctrl-C <enter>
    cat file1 <enter>

    What happens is the cursor moves to a few lines below the top of the screen (nothing below it or _anywhere_ gets erased). Then you can just go about your business as normal from the cursor's new position as if you had Insert on (or a cooler form of it). I have no idea if this (should I call it an escape character?) is a security related bug or not, but it could be a starting point for you elite uberhackers to jump off of. The man page for 'cat' and 'echo' sucks arse if you ask me.
    -Ryan

  6. #6
    Senior Member
    Join Date
    Oct 2001
    Posts
    131

    tty and keyloggers

    After I read this thread I went home, tried it and it didn't work... then I thought maybe (on my own machine) I have to have one tty as root.

    Then I got thinking, this would be a great way to make a keylogger for logging what others do on different ttys.

    Example: Let's say you run an anonymous ftp server (aren't you looking for trouble). You notice that your logs are not keeping track of quite what you want to find out about your users' habits. So you use this nifty trick to build a script to record the habits (keystrokes) of users by changing the script to save files as date/time.txt or whatever.

    This thread has greatly interested me. I plan to play around with it for a while to see what neat stuff I can do.
    What's a "START" button?

  7. #7
    Senior Member
    Join Date
    Aug 2001
    Posts
    251
    Hey now, that is SLICK.

    I tested it out, cat-ing large text files over to another user that I had logged in as.

    Now, I have to figure out some neat scripts to play around with.

    dhej

  8. #8
    Junior Member
    Join Date
    Nov 2001
    Posts
    2

    hmm

    This might seem clever on the surface but its uses are limited. You only have write permission to the other person's terminal, and they can switch this off (mesg n).

    See "man write" for another way to write messages to someone else's terminal. See "man mesg" to see how to disable this.

    There is no way to read back what the other person is typing unless you are the root user and have installed software specifically for that purpose.

    Jason
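
Added example, not part of the original thread: a defender-side audit of the permission bits this reply refers to, listing terminals that other local users can write to and clearing that access the way `mesg n` does. The function names are hypothetical and `stat -c` (GNU or BusyBox) is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): report terminals that other local
# users can write to, and clear that access the way `mesg n` does.
# Function names are hypothetical; GNU/BusyBox `stat -c` is assumed.

# Map an octal mode (e.g. 620) to who, besides the owner, may write.
tty_write_exposure() {
    perm=$((0$1))                      # leading 0 => parsed as octal
    who=""
    if [ $((perm & 020)) -ne 0 ]; then who="group"; fi
    if [ $((perm & 002)) -ne 0 ]; then who="${who:+$who,}other"; fi
    echo "${who:-none}"
}

# Print one line per device that is group- or world-writable.
audit_ttys() {
    for dev in "$@"; do
        [ -e "$dev" ] || continue      # unmatched glob or vanished pty
        info=$(stat -c '%a %U %G' "$dev") || continue
        mode=${info%% *}
        rest=${info#* }
        exposure=$(tty_write_exposure "$mode")
        if [ "$exposure" != "none" ]; then
            echo "$dev mode=$mode owner=${rest%% *} group=${rest#* } writable-by=$exposure"
        fi
    done
}

# Remove group/other write from a terminal you own
# (what `mesg n` does for the current one).
lock_tty() {
    chmod go-w "$1"
}

# Stand-alone run: audit the virtual consoles and pseudo-terminals.
audit_ttys /dev/tty[0-9]* /dev/pts/[0-9]*
```

A line showing `group=tty` is reachable only through setgid-tty helpers on systems that install write(1) that way; a line showing an ordinary user group is the "same group" situation the first post describes.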

  9. #9
    Junior Member
    Join Date
    Nov 2001
    Posts
    2

    Re: tty hacking

    Originally posted by ryannh@prodigy.
    I came across an old Phrack that was about "tty hacking." I thought this would be a totally outdated hack, but I was sort of wrong. Say a dumb user was logged onto tty2... I made this nifty little script that works on my Red Hat 7.1:
    echo -ne "\nexit\n" > /dev/tty2
    sleep 1
    clear > tty2
    echo -ne "\n\nRedHat Linux release 7.1 (Seawolf)\nKernel 2.4.3 on an i686\n\nlocalhost: $USER\nPassword: " > /dev/tty2
    echo -ne "user: $USER\nwait for password..."

    Now if I was a little less ignorant on scripting I could make this more believable (feel free to use/change it). What it does is it prints "exit" on the user's screen then mimics Red Hat's login prompt, except this one already has his username filled out. His cursor will be blinking after "Password: ". If/when he types it in, he won't see the characters displayed on his screen (just like in the real thing!) but you'll see it on yours. Anything and everything he types will go right back to your console! Of course after he presses enter and nothing happens, he'll start to panic, pressing all kinds of escape sequences. I didn't find any except Ctrl-C, but that just gives you your [$USER blah $PWD]: thingie, you still can't do anything. The only way is if the attacker kills the process. Oh and there is one catch, the user has to be in your same group. Anyway, I just thought that was pretty cool; if anyone knows how to make the ttys not writable to the group by default would ya let me know? Thanks
    -Ryan

  10. #10
    Junior Member
    Join Date
    Nov 2001
    Posts
    2
    I tried the tty program but could not get any display back to the terminal window, any ideas why?
