-
October 15th, 2001, 04:11 AM
#1
Junior Member
tty hacking
I came across an old Phrack that was about "tty hacking." I thought this would be a totally outdated hack, but I was sort of wrong. Say a dumb user was logged onto tty2... I made this nifty little script that works on my Red Hat 7.1:
echo -ne "\nexit\n" > /dev/tty2
sleep 1
clear > tty2
echo -ne "\n\nRedHat Linux release 7.1 (Seawolf)\nKernel 2.4.3 on an i686\n\nlocalhost: $USER\nPassword: " > /dev/tty2
echo -ne "user: $USER\nwait for password..."
Now if I was a little less ignorant on scripting I could make this more believable (feel free to use/change it). What it does is it prints "exit" on the user's screen then mimics Red Hat's login prompt, except this one already has his username filled out. His cursor will be blinking after "Password: ". If/when he types it in, he won't see the characters displayed on his screen (just like in the real thing!) but you'll see it on yours. Anything and everything he types will go right back to your console! Of course after he presses enter and nothing happens, he'll start to panic, pressing all kinds of escape sequences. I didn't find any except Ctrl-C, but that just gives you your [$USER blah $PWD]: thingie, you still can't do anything. The only way is if the attacker kills the process. Oh and there is one catch, the user has to be in your same group. Anyway, I just thought that was pretty cool; if anyone knows how to make the ttys not writable to the group by default would ya let me know? Thanks
-Ryan
-
October 15th, 2001, 05:35 PM
#2
cool trick
Thanks for the neat trick, I just might have to try it.
-
October 15th, 2001, 09:25 PM
#3
Senior Member
tty hacking (new trick)
This is great, I'm so glad you put this post up. After I read it then wrote it down "no disk with me" I got thinking, try this.
Let's say the dumb user is logged into tty2 and you are on tty3
echo -ne /dev/tty3 > /dev/tty2
or something to that nature,
basically you freak out the idiot by echoing your screen to theirs.
I think it is how they did the part in The Matrix where Neo is sleeping in front of his computer (yeah right). I am not sure if this will work, but I would have to look over my shell scripting again.
Great post.
What's a "START" button?
-
October 15th, 2001, 11:31 PM
#4
Junior Member
You can also (if you are root) cat things to their screen and disable their ability to type in commands. But I have never heard of this. Pretty cool. Good post.
-
October 16th, 2001, 01:50 AM
#5
Junior Member
Today I fired up my computer and ran the little script... it didn't work! The guy (me (tty2)) could see the password he typed in, and nothing went back to tty1. Also when I su'd in tty2, and ran the script on tty1, the username shown was not root. I don't understand how it could work one day, and then stop the next. Any ideas?
Anyway, I was fooling around with cat and found something out. If you type in:
cat > file1 <enter>
Ctrl-[ [ H (without spaces) <enter>
Ctrl-C <enter>
cat file1 <enter>
What happens is the cursor moves to a few lines below the top of the screen (nothing below it or _anywhere_ gets erased). Then you can just go about your business as normal from the cursor's new position as if you had Insert on (or a cooler form of it). I have no idea if this (should I call it an escape character?) is a security related bug or not, but it could be a starting point for you elite uberhackers to jump off of. The man page for 'cat' and 'echo' sucks arse if you ask me.
-Ryan
-
October 16th, 2001, 10:15 PM
#6
-
October 30th, 2001, 07:13 PM
#7
Hey now, that is SLICK.
I tested it out, cat-ing large text files over to another user that I had logged in as.
Now, I have to figure out some neat scripts to play around with.
dhej
-
November 7th, 2001, 04:30 PM
#8
Junior Member
hmm
This might seem clever on the surface but its uses are limited. You only have write permission to the other person's terminal, and they can switch this off (mesg n).
See "man write" for another way to write messages to someone else's terminal. See "man mesg" to see how to disable this.
There is no way to read back what the other person is typing unless you are the root user and have installed software specifically for that purpose.
Jason
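The `mesg n` advice above and the original poster's question about group-writable ttys, as an added example that is not part of the thread: a small audit that lists terminal devices other accounts can write to. The function names `tty_exposure` and `audit_ttys` are made up for this example.

```shell
#!/bin/sh
# Added example (not from the thread): report terminals that accounts other
# than the owner can write to. Function names are hypothetical.

# tty_exposure PATH -> prints "none", "group", "other" or "group+other"
tty_exposure() {
    # First 10 characters of ls -l output: type + rwx for user, group, other.
    perm=$(ls -ld -- "$1" 2>/dev/null | cut -c1-10)
    [ -n "$perm" ] || return 1
    g=; o=
    case $perm in ?????w*)    g=group ;; esac   # 6th character: group write
    case $perm in ????????w*) o=other ;; esac   # 9th character: other write
    case "$g$o" in
        "")         echo none ;;
        groupother) echo group+other ;;
        *)          echo "$g$o" ;;
    esac
}

# audit_ttys PATH... -> one line per terminal that is group- or world-writable
audit_ttys() {
    for t in "$@"; do
        [ -e "$t" ] || continue
        e=$(tty_exposure "$t") || continue
        [ "$e" = none ] && continue
        grp=$(ls -ld -- "$t" | awk '{print $4}')
        printf '%s writable by %s (owning group: %s)\n' "$t" "$e" "$grp"
    done
}

# Check the virtual consoles and pseudo-terminals on this machine.
# A terminal whose owning group is a dedicated "tty" group is only reachable
# through setgid helpers such as write(1); a terminal owned by a group that
# ordinary users belong to is the situation described in the first post.
audit_ttys /dev/tty[0-9]* /dev/pts/[0-9]*

# To close your own terminal to other users' writes, run in your login profile:
#   mesg n
```

Run it as any user; a line ending in an ordinary user group (rather than `tty`) or showing `other` is the case worth fixing.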
-
November 8th, 2001, 04:38 PM
#9
Junior Member
Re: tty hacking
Originally posted by ryannh@prodigy.
I came across an old Phrack that was about "tty hacking." I thought this would be a totally outdated hack, but I was sort of wrong. Say a dumb user was logged onto tty2... I made this nifty little script that works on my Red Hat 7.1:
echo -ne "\nexit\n" > /dev/tty2
sleep 1
clear > tty2
echo -ne "\n\nRedHat Linux release 7.1 (Seawolf)\nKernel 2.4.3 on an i686\n\nlocalhost: $USER\nPassword: " > /dev/tty2
echo -ne "user: $USER\nwait for password..."
Now if I was a little less ignorant on scripting I could make this more believable (feel free to use/change it). What it does is it prints "exit" on the user's screen then mimics Red Hat's login prompt, except this one already has his username filled out. His cursor will be blinking after "Password: ". If/when he types it in, he won't see the characters displayed on his screen (just like in the real thing!) but you'll see it on yours. Anything and everything he types will go right back to your console! Of course after he presses enter and nothing happens, he'll start to panic, pressing all kinds of escape sequences. I didn't find any except Ctrl-C, but that just gives you your [$USER blah $PWD]: thingie, you still can't do anything. The only way is if the attacker kills the process. Oh and there is one catch, the user has to be in your same group. Anyway, I just thought that was pretty cool; if anyone knows how to make the ttys not writable to the group by default would ya let me know? Thanks
-Ryan
-
November 8th, 2001, 04:39 PM
#10
Junior Member
I tried the tty program but could not get any display back to the terminal window, any ideas why?