
John the Ripper tutorial

Sunday, December 2, 2007

Inside the file I targeted, the password hashes looked like this:

blah:S2XSgk2WEfE9w

A 13-character hash made only of letters, digits, "." and "/" is a traditional DES crypt(3) hash, not MD5 (an MD5-crypt hash starts with $1$). The file name used in this lesson, MD5pass, is therefore a misnomer. It makes no difference to john, which detects the hash type on its own, but it matters when you estimate cracking time: DES crypt truncates passwords to 8 characters and is fast to test, so incremental mode is far more practical against it than against MD5-crypt. Save the lines you collected to a text file, one user:hash per line. I called mine MD5pass.txt for this lesson.

This is what JtR will be cracking.

Once you have collected several hashes from various sites you can run JtR against all of them at once, or against a single hash; it is up to you.

There are many ways to crack the file with JtR. I am going to use the basic mode I find the easiest, which is also the slowest; there are plenty of JtR guides around that cover the other cracking modes in more detail.

Common modes are:

john -si [passfile]

(single crack mode: tries the login name, GECOS fields and simple variations of them; always run this first, it takes seconds)

john -w:[wordlist] [passfile]

(wordlist mode: tries each word in the list, optionally mangled by the rules in the configuration file)

john -i [passfile]

(incremental mode: exhaustive search in order of character frequency; it only ends when you stop it)

Incremental mode can be restricted to a character set: -i:digits, -i:alpha and -i:all select different sets, so they do not all do the same thing. A smaller set finishes sooner but can only find passwords made of those characters. If john guesses the hash type wrong you can force it with --format (the DES format for the hashes shown here on the 1.7-era builds). Anyway, on to basics.

Assuming you have john in the C:\ directory, just type:

c:\john -i MD5pass.txt

image 1





After several minutes or hours you should see something like the screenshot below, with the cracked passwords listed.

After 21 minutes it had cracked 13 of the 36; not bad. After 3 hrs 24 min, 18 were cracked, half done. By the way, each cracked password is a website, so up to now that is 18 possible targets.

image 2




To check progress hit any key; john prints a status line with the elapsed time, the number of hashes cracked so far and the candidate it is currently trying.

To stop the cracking hit Ctrl+C; john prints "Session aborted" and saves its state so the run can be resumed later.

To view your results type:

c:\john -show MD5pass.txt>result2.txt

This reads the cracked passwords out of john.pot and saves them to a file called result2.txt in the JtR root, like this:


image 3



You now have the passwords needed to log in to the FTP server, or whatever the hashes were protecting.

To resume your cracking, type:

c:\john -restore

This reloads the saved session, skips the hashes that were already cracked and resumes the attempts from where it left off.
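Before starting a run that may take hours it is worth checking what the file actually contains. The following Python script is an added example, not part of the original tutorial: it classifies each hash in a user:hash file by its shape (the 13-character hash above comes out as descrypt, the JtR name for traditional DES crypt) and parses the output of john -show into a per-account list. The format patterns, the sample lines and the exact wording of the -show summary line are assumptions drawn from the common crypt(3) formats and JtR output, not from the tutorial.

```python
"""Sanity checks around a John the Ripper run (added example, not part of the
tutorial): classify the hashes in a user:hash file before starting a long
crack, and turn 'john --show' output into a per-account list. Format names
follow the JtR jumbo naming; classification is by shape only (length and
prefix), which is also how john's own autodetection starts."""
import re

# Assumed shapes of the common crypt(3) and raw-hash formats (assumption:
# from the well-known hash layouts, not from the tutorial).
_PATTERNS = [
    ("descrypt",    re.compile(r"^[./0-9A-Za-z]{13}$")),          # traditional DES crypt
    ("md5crypt",    re.compile(r"^\$1\$[^$]{0,8}\$[./0-9A-Za-z]{22}$")),
    ("bcrypt",      re.compile(r"^\$2[abxy]\$\d{2}\$[./0-9A-Za-z]{53}$")),
    ("sha256crypt", re.compile(r"^\$5\$(rounds=\d+\$)?[^$]{0,16}\$[./0-9A-Za-z]{43}$")),
    ("sha512crypt", re.compile(r"^\$6\$(rounds=\d+\$)?[^$]{0,16}\$[./0-9A-Za-z]{86}$")),
    ("raw-md5",     re.compile(r"^[0-9a-fA-F]{32}$")),
    ("raw-sha1",    re.compile(r"^[0-9a-fA-F]{40}$")),
]

def classify(hash_str):
    """Return the JtR format name a hash most likely belongs to, or 'unknown'."""
    for name, pattern in _PATTERNS:
        if pattern.match(hash_str):
            return name
    return "unknown"

def classify_file(text):
    """Parse user:hash[:...] lines (passwd/shadow style) and return {user: format}."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, rest = line.partition(":")
        hash_str = rest.split(":", 1)[0]      # ignore any trailing GECOS-style fields
        result[user] = classify(hash_str)
    return result

def parse_show(text):
    """Parse 'john --show' output: 'user:password' lines followed by a summary
    line such as '2 password hashes cracked, 1 left'.
    Returns (cracked dict, number cracked, number left)."""
    cracked = {}
    summary = re.compile(r"^(\d+) password hashe?s? cracked, (\d+) left")
    n_cracked = n_left = None
    for line in text.splitlines():
        m = summary.match(line)
        if m:
            n_cracked, n_left = int(m.group(1)), int(m.group(2))
            continue
        if ":" in line:
            user, _, password = line.partition(":")
            cracked[user] = password
    return cracked, n_cracked, n_left

# Constructed sample input: the hash from the tutorial plus two other shapes.
SAMPLE_PASSFILE = """blah:S2XSgk2WEfE9w
web1:$1$saltsalt$qjXMvbEw8oaL.CzflDtaK/
web2:5f4dcc3b5aa765d61d8327deb882cf99
"""

# Constructed sample of what 'john --show' prints (the summary wording is an assumption).
SAMPLE_SHOW = """blah:hunter2
web2:password

2 password hashes cracked, 1 left
"""

if __name__ == "__main__":
    for user, fmt in classify_file(SAMPLE_PASSFILE).items():
        print(f"{user}: {fmt}")
    print(parse_show(SAMPLE_SHOW))
```

If classify_file reports more than one format, split the file by format and run john once per part; when john is given a mixed file it only loads the hashes of the type it detects first and silently skips the rest.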

image 4



JTR Commands and Modes

**If you look in the doc folder that came with JTR it gives you details on how to use them.**

Hope you enjoyed the tutorial. Remember, if you do gain access to a site or server, please inform the admin.

I hold no responsibility for your actions.

Steps To Deface A Webpage (About Defacers)

First of all, I do not deface, I never have (besides friends' sites as jokes and all in good fun), and never will. So how do I know how to deface? I guess I just picked it up along the way, so I am no expert in this. If I get a thing or two wrong I apologize. It is pretty simple when you think that defacing is just replacing a file on a computer. Now, finding the exploit in the first place, that takes skill, that takes knowledge, that is what real hackers are made of. I don't encourage you to deface any sites, as the same access can be used to get credit cards, passwords, source code, billing info, email databases, etc. (it is only right to put up some kind of warning; now go have fun ;)

This tutorial will be broken down into 3 main sections, as follows:
1. Finding Vuln Hosts.
2. Getting In.
3. Covering Your Tracks

It really is easy, and I will show you how easy it is.

1. Finding Vuln Hosts
This section needs to be further broken down into two categories of script kiddies: ones who scan the net for a host that is vulnerable to a certain exploit, and ones who search a certain site for any exploit. The ones you see on alldas are the first kind; they scan thousands of sites for a specific exploit. They do not care who they hack, anyone will do. They have no set target and not much of a purpose. In my opinion these people should at least have a cause behind what they are doing, i.e. "I make sure people keep up to date with security, I am a messenger" or "I am spreading a political message, I use defacements to get media attention". People who deface to get famous or to show off their skills need to grow up and realize there is a better way of going about this (not that I support the ones with other reasons either). Anyway, the two kinds and what you need to know about them:

Scanning Script Kiddie: You need to know what the signs of the hole are. Is it a service? A certain OS? A CGI file? How can you tell whether a host is vulnerable, and which version(s) are? You need to know how to search the net for targets running whatever is vulnerable: use altavista.com or google.com for web-based exploits, use a script to scan IP ranges for the port the vulnerable service listens on, or use netcraft.com to find out what kind of server a site runs and what extras it has (FrontPage, PHP, etc.). nmap and other port scanners allow quick scans of thousands of IPs for open ports. This is the favourite technique of the people you see with mass hacks on alldas.

Targeted Site Script Kiddie: More respectable than the script kiddies who hack any old site. The main step here is gathering as much information about a site as possible. Find out what OS and web server they run at netcraft, or by hand:

telnet www.site.com 80
GET / HTTP/1.1
Host: www.site.com

followed by an empty line. HTTP/1.1 requires the Host header; without it most servers answer 400 and you learn nothing, and HEAD instead of GET gets you the headers without the page body. The Server header in the reply names the software and often the version. Find out what services they run by doing a port scan. Find out the specifics of the services by telnetting to them and reading their banners. Find any CGI script or other file that could allow access to the server if exploited by checking /cgi and /cgi-bin and browsing around the site (remember to check for directory indexing).

Wasn't so hard to get the info, was it? It may take a while, but go through the site slowly and get all the information you can.

2. Getting In
Now that we have the info on the site we can find the exploit(s) we can use to get access. If you are a scanning script kiddie you know the exploit ahead of time. A couple of great places to look for exploits are SecurityFocus and Packet Storm. Once you get the exploit, check that it is for the same version as the service, OS, script, etc.; an exploit for the wrong version usually just crashes the service, which is noisier than doing nothing. Exploits mainly come in two languages, C and Perl. Perl scripts end in .pl or .cgi, C sources in .c. To compile a C file (on *nix systems) do:

gcc -o exploit12 file.c
./exploit12

For Perl just do:

chmod 700 file.pl   (not really needed)
perl file.pl

If it is not a script it might be a very simple exploit, or just a theory of a possible exploit; do a little research into how to use it. Read the source before you run it: published exploits have carried hidden payloads aimed at the person running them. Another thing you need to check is whether the exploit is remote or local. If it is local you must already have an account on, or physical access to, the computer. If it is remote you can run it over a network (the internet).

Don't go compiling exploits just yet; there is one more important thing you need to know.

3. Covering Your Tracks
So by now you have the info on the host and have found an exploit that will give you access. So why not run it? The problem with covering your tracks isn't that it is hard, it is that it is unpredictable. Just because you killed the syslog daemon doesn't mean there isn't another logger or an IDS running somewhere else, even on another box. Since most script kiddies don't know the skill of the admin they are targeting, they have no way of knowing whether there are additional loggers. Instead, the script kiddie makes it very hard (next to impossible) for the admin to track them down. Many use a stolen or second ISP account to begin with, so even if the attack is traced they won't be caught. If you don't have that luxury then you MUST bounce through multiple wingates, shell accounts, or trojaned hosts. Chaining them together makes it very hard for someone to track you down. Logs on the wingates and shells will most likely be rotated after something like 2 to 7 days, if logs are kept at all. It is hard enough to get hold of one admin in a week, let alone trace the script kiddie to the next wingate or shell and get hold of that admin too, all before the logs on any of them are gone. And it is rare for an admin to even notice an attack; a smaller percentage still will actively pursue the attacker, and most will just secure their box and forget it ever happened. For the sake of argument let's say that if you use wingates and shells, don't do anything that angers the admin too much (which would get them to call the authorities or try to track you down), and you clean the logs, you will be safe. So how do you do it?

We will keep this very short and to the point, so we'll need to get a few wingates. Wingates by nature tend to change IPs or shut down all the time, so you need an updated list or a program to scan the net for them. You can get a list of wingates that is well updated at http://www.cyberarmy.com/lists/wingate/ and you can also get a program called winscan there. Now let's say we have 3 wingates:

212.96.195.33 port 23
202.134.244.215 port 1080
203.87.131.9 port 23

To use them we telnet to the first one on its port. We should get a response like this:

CSM Proxy Server >

To connect to the next wingate we type its ip:port at the prompt:

CSM Proxy Server >202.134.244.215:1080

If you get an error, the most likely causes are that the proxy you are trying to reach isn't up, or that it requires a login. The port matters too: a telnet-style proxy on port 23 gives you a prompt you can type into, but port 1080 is normally SOCKS, which expects a binary SOCKS request rather than a typed address, so chaining into a 1080 hop from a telnet prompt usually just hangs or errors out. If all goes well you will have the 3 chained together and can connect to a shell account from the last one. Once you are on your shell account you can link shells together by:

[j00@server j00]$ ssh 212.23.53.74

You can get free shells to work with until you get some hacked shells; here is a list of free shell accounts. And please remember to sign up with false information, and from a wingate if possible.

SDF (freeshell.org) - http://sdf.lonestar.org
GREX (cyberspace.org) - http://www.grex.org
NYX - http://www.nxy.net
ShellYeah - http://www.shellyeah.org
HOBBITON.org - http://www.hobbiton.org
FreeShells - http://www.freeshells.net
DucTape - http://www.ductape.net
Free.Net.Pl (Polish server) - http://www.free.net.pl
XOX.pl (Polish server) - http://www.xox.pl
IProtection - http://www.iprotection.com
CORONUS - http://www.coronus.com
ODD.org - http://www.odd.org
MARMOSET - http://www.marmoset.net
flame.org - http://www.flame.org
freeshells - http://freeshells.net.pk
LinuxShell - http://www.linuxshell.org
takiweb - http://www.takiweb.com
FreePort - http://freeport.xenos.net
BSDSHELL - http://free.bsdshell.net
ROOTshell.be - http://www.rootshell.be
shellasylum.com - http://www.shellasylum.com
Daforest - http://www.daforest.org
FreedomShell.com - http://www.freedomshell.com
LuxAdmin - http://www.luxadmin.org
shellweb - http://shellweb.net
blekko - http://blekko.net

Once you get onto your last shell you can compile the exploit, and you should be safe from being tracked. But let's be even more sure and delete the evidence that we were there.

Alright, there are a few things on the server side that all script kiddies need to be aware of. Mostly these are logs that you must delete or edit. Some script kiddies use a rootkit to delete the logs automatically, but let's assume you aren't that lame. There are two main logging daemons which I will cover: klogd, which handles the kernel logs, and syslogd, which handles the system logs. The first step is to kill the daemons so they don't log any more of your actions.

[root@hacked root]# ps -ef | grep syslogd
[root@hacked root]# kill -9 pid_of_syslogd

In the first line we find the pid of syslogd; in the second we kill the daemon. You can also read the pid from the daemon's pid file (/etc/syslog.pid on the system described here; /var/run/syslogd.pid is the more common location). Be aware that killing syslogd is itself a visible event: logging stops abruptly, and if the box was forwarding to a remote syslog server the gap shows up there, where you cannot edit it.

[root@hacked root]# ps -ef | grep klogd
[root@hacked root]# kill -9 pid_of_klogd

Same thing here with klogd as with syslogd.

Now that the default loggers are killed, the script kiddie needs to remove themselves from the logs. To find where syslogd puts its logs, check /etc/syslog.conf. Of course, if you don't care whether the admin knows you were there you can delete the logs completely. Let's say you are the lamest of the script kiddies, a defacer: the admin will know the box has been compromised as soon as they see the website, so there is no point in editing the logs, a defacer would just delete them. The reason we edit them instead is so that the admin will not even know a break-in has occurred. I'll go over the main reasons people break into a box:


To deface the website. - This is really lame, since it has no point and just damages the system.

To sniff for other network passwords. - There are programs that let you sniff passwords sent to and from the box. If the box is on a shared Ethernet segment you can even sniff packets (which contain passwords) destined for any other box in that segment.

To mount a DDoS attack. - Another lame reason; the admin has a high chance of noticing the compromise once you start sending hundreds of MBs through their connection.

To mount another attack on a box. - This and sniffing are the most common non-lame reasons for exploiting something. Since you now have a root shell you can mount your attack from this box instead of those crappy free shells, and you now have control over the logging of the shell.

To get sensitive info. - Some corporate boxes have a lot of valuable info on them: credit card databases, source code for software, user/password lists, and other top-secret info that a hacker may want to have.

To learn and have fun. - Many people do it for the thrill of hacking and the knowledge you gain. I don't see this as as horrible a crime as defacing; as long as you don't destroy anything I don't think this is very bad. In fact some people will even help the admin patch the hole. Still illegal though, and best not to break into anyone's box.


I'll go over the basic log files: utmp, wtmp, lastlog, and .bash_history.
These files are usually in /var/log/ (utmp itself is often /var/run/utmp), but I have heard of them being in /etc/, /usr/bin/ and other places. Since it differs from box to box it is best to just search for them:

find / \( -iname utmp -o -iname wtmp -o -iname lastlog \) 2>/dev/null

and also look through /usr/, /var/ and /etc/ for other logs. Now for the explanation of these files.

utmp records who is on the system right now, so you can see why this log should be edited: you do not want anyone to see that you are logged in. wtmp records logins and logouts, along with other info you want to keep away from the admin; it should be edited to show that you never logged in or out. lastlog keeps the time and source of each user's last login. Your shell's history is another file that logs every command you issued; look for it in your $HOME directory and edit it (.sh_history, .history and .bash_history are the common names). You should only edit these files, never delete them: a missing or zero-length wtmp is like holding a big sign in front of the admin saying "You've been hacked". Note that utmp, wtmp and lastlog are binary files of fixed-size records, not text, so a text editor corrupts them, and even tools that remove a record cleanly leave traces a careful admin can spot by parsing the file: a login with no matching logout, a timestamp that goes backwards, or a record zeroed out where a login should be. Newbie script kiddies often deface and then rm -rf / to be safe. I would avoid this unless you are really freaking out, in which case I would suggest that you never try to exploit a box again. Another way to find log files is to run a script that checks for open files (and then manually look at them to determine whether they are logs), or to look for files that have changed recently:

find / -ctime 0 -print

which lists files whose inode status changed within the last 24 hours.

A few popular scripts which can hide your presence from the logs include zap, clear and cloak. Zap overwrites your entries in the logs with zeros, clear removes them, and cloak replaces them with different information. acct-cleaner is the only script I have seen heavily used for removing process-accounting records. Most rootkits include a log-cleaning script, and once a rootkit is installed your activity is not logged anyway. On NT, the path C:\winNT\system32\LogFiles\ holds the IIS web server logs; the NT event logs themselves (AppEvent.Evt, SecEvent.Evt and SysEvent.Evt) live under C:\winNT\system32\config\. Deleting either is obvious to an admin who looks, but in practice many NT admins don't check them or don't know what it means when they are gone.
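As an added example (not part of the original text), the following Python script parses a Linux wtmp file and flags the two traces that editing it leaves behind: a record whose identity fields have been zeroed, as the zap tool described above does, and a timestamp earlier than the record before it, which an append-only log never produces. It assumes the glibc x86_64 utmp record layout (384 bytes per record); other platforms differ. The sample file is constructed inside the script.

```python
"""Audit a Linux wtmp/utmp file for the kinds of tampering described above.
Added example, not from the original text. Assumes the glibc x86_64 struct
utmp layout (384-byte records); other libcs and architectures differ."""
import struct

REC = struct.Struct("<hxxi32s4s32s256shhiii4i20x")  # 384 bytes on x86_64 glibc
EMPTY, BOOT_TIME, LOGIN_PROCESS, USER_PROCESS, DEAD_PROCESS = 0, 2, 6, 7, 8

def _cstr(b):
    """NUL-terminated fixed field to str."""
    return b.split(b"\0", 1)[0].decode("latin-1")

def parse_records(data):
    """Return a dict per complete record (a trailing partial record is dropped)."""
    recs = []
    for off in range(0, len(data) - len(data) % REC.size, REC.size):
        f = REC.unpack_from(data, off)
        recs.append({"type": f[0], "pid": f[1], "line": _cstr(f[2]),
                     "user": _cstr(f[4]), "host": _cstr(f[5]), "time": f[9]})
    return recs

def audit(data):
    """Return a list of (record_index, reason) findings; -1 means the whole file."""
    findings = []
    if len(data) % REC.size:
        findings.append((-1, "file length is not a multiple of the record size"))
    prev_time = 0
    for i, r in enumerate(parse_records(data)):
        # zap-style cleaning leaves a typed record with every identity field zeroed
        if r["type"] != EMPTY and not (r["user"] or r["line"] or r["host"]):
            findings.append((i, "non-empty type with all identity fields zeroed (zap-style)"))
        # wtmp is append-only, so session timestamps never go backwards
        if r["type"] in (USER_PROCESS, DEAD_PROCESS, BOOT_TIME) and r["time"] < prev_time:
            findings.append((i, "timestamp earlier than previous record (file edited)"))
        prev_time = max(prev_time, r["time"])
    return findings

def make_record(ut_type, pid, line, user, host, ts):
    """Pack one record; used here only to build constructed sample data."""
    return REC.pack(ut_type, pid, line.encode(), b"", user.encode(), host.encode(),
                    0, 0, 0, ts, 0, 0, 0, 0, 0)

def sample_wtmp():
    """Constructed wtmp: boot, a normal login, a zeroed entry, then a login
    whose timestamp is earlier than the record before it."""
    return b"".join([
        make_record(BOOT_TIME, 0, "~", "reboot", "", 1000),
        make_record(USER_PROCESS, 4242, "pts/0", "alice", "10.0.0.5", 1100),
        make_record(USER_PROCESS, 0, "", "", "", 1150),
        make_record(USER_PROCESS, 4300, "pts/1", "bob", "10.0.0.9", 900),
    ])

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None   # e.g. /var/log/wtmp
    data = open(path, "rb").read() if path else sample_wtmp()
    for idx, why in audit(data):
        print(f"record {idx}: {why}")
```

Run it against /var/log/wtmp on a live box, or against a copy taken during an investigation; wtmp is normally world-readable. A clean file produces no findings, while the constructed sample reports records 2 and 3.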

One final thing about covering your tracks; I won't go into much detail because it would require a tutorial all to itself. I am talking about rootkits. What are rootkits? They are a very widely used tool for covering your tracks once you get into a box. They make staying hidden painless and very easy. What they do is replace binaries like login, ps and who so that they never show your presence. They let you log in without a password, without being recorded in wtmp or lastlog, and without even having an entry in /etc/passwd. They also make commands like ps not show your processes, so no one knows what programs you are running. They send out fake reports from netstat, ls and w so that everything looks the way it normally would, except that anything you do is missing. But there are some flaws in rootkits. For one, some commands produce strange effects because the replacement binary was not made correctly. They also leave fingerprints (ways to tell that a file came from a rootkit), and a replaced binary fails any comparison against a known-good copy, such as the package manager's checksums or a file-integrity database made before the break-in. Only smart, thorough admins check for rootkits, so this isn't the biggest threat, but it should be considered. Rootkits that come with an LKM (loadable kernel module) are usually the best, as they can make you almost totally invisible to everyone else, and most admins would not be able to tell they were compromised.
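The simplest check against a trojaned ps is the cross-view comparison, shown here as an added example in Python (not from the original text): list the numeric entries of /proc directly and diff them against what ps reports. The sample data is constructed. A kernel module that filters /proc itself defeats this check, which is exactly the point the paragraph above makes about LKM rootkits.

```python
"""Cross-view check for a userland rootkit that trojans ps: compare the PIDs
present in /proc with the PIDs ps prints. Added example, not from the
original text. An LKM rootkit that filters /proc defeats it."""
import os
import subprocess

def pids_from_ps(ps_output):
    """Parse 'ps -e' style output (PID is the first column) into a set of ints."""
    pids = set()
    for line in ps_output.splitlines()[1:]:      # skip the header line
        parts = line.split()
        if parts and parts[0].isdigit():
            pids.add(int(parts[0]))
    return pids

def hidden_pids(proc_pids, ps_pids):
    """PIDs visible in /proc but absent from the ps listing."""
    return sorted(set(proc_pids) - set(ps_pids))

def collect_live():
    """Take both views from the running system (Linux only). Processes that
    exit between the two snapshots show up as false positives, so real tools
    repeat the comparison and only report PIDs hidden in every pass."""
    proc = {int(n) for n in os.listdir("/proc") if n.isdigit()}
    ps = subprocess.run(["ps", "-e"], capture_output=True, text=True).stdout
    return hidden_pids(proc, pids_from_ps(ps))

# Constructed sample: /proc shows PID 666, the (trojaned) ps listing does not.
SAMPLE_PS = """  PID TTY          TIME CMD
    1 ?        00:00:03 init
  214 ?        00:00:00 syslogd
  400 pts/0    00:00:00 bash
"""
SAMPLE_PROC = [1, 214, 400, 666]

if __name__ == "__main__":
    print("sample:", hidden_pids(SAMPLE_PROC, pids_from_ps(SAMPLE_PS)))
    if os.path.isdir("/proc"):
        print("live:", collect_live())
```

A PID that shows up in every pass deserves a look at /proc/PID/exe and /proc/PID/cmdline, which the trojaned ps cannot hide without kernel help.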

In writing this tutorial I have mixed feelings. I do not want more script kiddies out there scanning hundreds of sites for the next exploit. And I don't want my name on any shouts. I would rather have people say "mmm, that defacing crap is pretty lame", especially when people with no lives scan for exploits every day just to get their name on a site for a few minutes. I feel a lot of people are learning everything but what they need to know in order to break into boxes. Maybe this tutorial cut to the chase a little and helps people with some knowledge see how simple it is, and hopefully makes them see that getting into a system is not all it's hyped up to be. It is not by any means a full guide; I did not cover a lot of things. I hope admins found this tutorial helpful as well, learning that no matter what site you run you should always keep on top of the latest exploits and patch them. Protect yourself with an IDS and try finding holes on your own system (both with vuln scanners and by hand). Also, setting up an external box to log to is not a bad idea. Admins should also have seen a little into the mind of a script kiddie and learned a few things he does; this should help you catch one if they break into your systems.

On one final note, defacing is lame. I know many people who have defaced in the past and regret it now. You will be labeled a script kiddie and a lamer for a long, long time.

Hacking Techniques: Issue #2 - Bouncing Attacks

1. Getting Info
-vuln scripts
-vuln services
-vuln people

1.99 Intro

2. Bouncing Attacks
-proxies
-wingates
-shells

2.5 Conclusion

3. Once They Are In (covered in a future issue)
-logs
-IDS
-Rootkits
-sniffers
-DDoS
-RootShell
-Deface


Intro
Welcome to the 2nd issue of Hacking Techniques. If you read the first one, I am glad to see you liked it enough to want to read this one. This issue will focus on how hackers bounce their attacks so that they do not get caught, and on how they use the power of a *nix shell. As with the first one, this tutorial can be used both by hackers and by admins. Hackers will learn how to mount an attack and use proxies to help stay anonymous. Admins will learn how to keep themselves from being used as a proxy in an attack, and avoid the stress that follows. If you don't know what a proxy is or how to use a wingate you need to read this tutorial. People who run wingates or proxies, or give out shells, should also go over this tutorial, if only to scare them into securing things. I'll go over a few other random things such as using routers as wingates, and using wingates to bounce your IRC sessions.


Bouncing Attacks
There are a few ways to bounce your attack. Sometimes it depends on how you are going to carry out the attack, sometimes on what you have on hand. I will introduce you to 3 ways to bounce your attack. I will not go into using routers as proxies, since wingates are fairly easy to get. And I will not cover bouncing your attack off an FTP server, because all (or very nearly all) FTP daemons are patched against that by now. Not only hackers should read this next part, but also admins who want to keep themselves from being used in an attack. Securing their proxies and wingates helps prevent trouble with hackers abusing them. This saves time and hassle, because you will not have to deal with an admin who is trying to track down a hacker who bounced off your network.


Bouncing through proxies


Bouncing through wingates


Bouncing and compiling the attack with shells



Bouncing through proxies
Proxies are the most basic way to stay anonymous on the web. They sit between your browser and the site and relay the data you request. So when you ask for a webpage the request goes first to the proxy and then to the website, like this:

[your computer] -> [proxy] -> [website]

Some kinds of proxies, known as caching proxies, hold local copies of websites people visit. This makes browsing much faster, since ideally the connection between you and the proxy is very fast: instead of querying the website the proxy just sends out the saved (cached) copy and saves time and resources. This can also be a problem, as I have had first-hand experience with. When running lame industries we put up a script that allowed people to check other users' email addresses, image, website, name, country, etc. (all info was optional). The script would also check whether you were an admin of lame industries, and if you were it would display users' passwords and cookies and allow you to change the status of users. Now somehow a nice fellow named MaAaX found a caching proxy that had this page cached. Not only was it cached, it was the admin version that was cached: some admin of the site must have used that proxy to visit that script, so the proxy saved what he saw. MaAaX reported this, but he was tricked into reporting it to someone who was not an admin of the site, and that person then used the proxy to get an admin's password from the cached page. Moral of the story? Don't leave sensitive info out for everyone to see. I would suggest not using a proxy when administering a site over HTTP, and putting all scripts that an admin uses in an .htaccess-protected directory.

Proxies are very easy to find and very easy to use. To find them, try a program called Proxy Hunter: it scans large ranges of IPs for open proxies, then reports them to you so you can try them and see whether they require a username and password or can be used without one. Another way is to look on the web for lists of proxies; a few good sites for this are:


cyberarmy's proxy list


roswell's proxy list



Don't expect proxies to stay up forever; if one goes down, try another. It is fairly simple to set up basic security for a proxy server: configure a good access list restricting who can use it. Also, as with all programs, check for known security vulnerabilities in the proxy server itself, and in the firewall on which you set the access list for the proxy server.

To use proxies you need to set up your browser to bounce off them. In Internet Explorer this is done by going to Tools -> Internet Options... -> Connections -> (highlight your connection) -> Settings... -> check "Use a proxy server for this connection" -> fill in the IP or hostname and the port number, then press OK, and OK.

To set up Netscape to use a proxy select edit->preferences->advanced->proxies->"Manual proxy configuration" then fill in the hostname or ip and the port number.

In lynx (or Mosaic) you would do this at the command line:

http_proxy="http://proxy.com:80/"; export http_proxy; exec lynx

or exec Mosaic.

Now to validate that the proxy is working, go to a site which displays the server's environment variables from a Perl/PHP script. One such site is http://www.cyberarmy.com/cgi/whoami.pl. The REMOTE_ADDR it shows should be the proxy's address, not yours.

One proxy is good for everyday surfing, but what if you are up to a little more than that? (I see that smile on your face.) Then you need a technique called proxy chaining: the data is relayed from one proxy to another, to another, to another ... until it reaches the destination. It is fairly simple to do, but some proxies don't support it. Other problems: one slow proxy makes the whole connection time out, too many proxies make it time out, and it takes a while to find 4 or 5 good ones. This should work in almost every browser. Put the proxies in the address bar in this format: http://proxy.com:80/http://proxy2.com:80/http://proxy3.com:8000/http://site.com and it should connect you to site.com through those 3 proxies plus the one you put in your browser configuration (the options/preferences step we just did above). I've also heard that http://proxy.com;80-_-http://site.com works, but in my experience it tends to be less well supported by proxy servers.

Now when I say proxies can be used to bounce a connection to a webpage, I mean a webpage. A plain HTTP proxy only relays HTTP; the one exception is the CONNECT method, which tunnels a raw TCP connection, but most proxies restrict it to port 443 (HTTPS). If you want to bounce connections on other ports, try a wingate.

So what if you are using an exploit to mount an attack and you are too lazy to chain wingates to reach your shell? You can use something like rain forest puppy's libwhisker, which makes it extremely easy to add proxy support to Perl scripts. You can get libwhisker at: http://www.wiretrip.net/rfp/bins/libwhisker/pr4/libwhisker.pm I haven't really looked for a C/C++ version of something like this, since it's just as simple to connect to a shell, but if anyone knows one please send info to b0iler@hotmail.com

One last thing I will go over for proxies is chaining them together; hackers use this so they have more cover when attacking a script available over port 80. To do this you can put proxy1-_-proxy2-_-proxy3-_- before the URL, or you can use a program called MultiProxy to chain anonymous proxies together. What is an anonymous proxy? It is a proxy that does not forward information about you. The main piece of information hackers want to keep secret is their IP address. When a proxy passes this on it does so in the X-Forwarded-For request header, which tells the target the address of the client the proxy is relaying for (the hacker's IP); a Via header likewise reveals that a proxy is in the path, even when the client address is withheld. Anonymous proxies omit X-Forwarded-For so that the target has no idea where the request is coming from. You can check whether a proxy is anonymous at http://www.cyberarmy.com/cgi/whoami.pl. The flip side for admins: X-Forwarded-For is just a header in the request, so a client can put anything in it; never use it for access control or to treat a connection as "local".
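The server side of that check, as an added example in Python (not the cyberarmy script): given the TCP peer address and the raw request headers, classify_proxy reports whether a proxy was transparent (it disclosed the client), anonymous (it admitted being a proxy but hid the client) or not visible at all, and trusted_client_ip shows the safe way to consume X-Forwarded-For when you operate the proxy in front of your server. The request samples and addresses are constructed (RFC 5737 documentation ranges).

```python
"""Server-side proxy check and safe X-Forwarded-For handling. Added example,
not the cyberarmy whoami.pl script. Header semantics follow RFC 7230/7239."""
import ipaddress

def parse_headers(raw):
    """Parse the header block of an HTTP request into a lowercase-keyed dict;
    repeated headers are joined with ', ' as the spec allows."""
    headers = {}
    lines = raw.split("\r\n") if "\r\n" in raw else raw.split("\n")
    for line in lines[1:]:                 # lines[0] is the request line
        if not line.strip():
            break                          # blank line ends the header block
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = (headers[name] + ", " + value) if name in headers else value
    return headers

def _ips(value):
    """Split a comma-separated address list, dropping anything that is not an
    IP address: the header is client-controlled and may contain junk."""
    out = []
    for part in value.split(","):
        part = part.strip()
        try:
            out.append(str(ipaddress.ip_address(part)))
        except ValueError:
            continue
    return out

def classify_proxy(peer_ip, headers):
    """Return (kind, forwarded_ips) where kind is 'transparent', 'anonymous'
    or 'direct' (no evidence of a proxy, which is what an 'elite' proxy looks like)."""
    xff = _ips(headers.get("x-forwarded-for", ""))
    via = headers.get("via")
    if xff and any(ip != peer_ip for ip in xff):
        return "transparent", xff          # proxy disclosed the original client
    if via or xff:
        return "anonymous", xff            # admits being a proxy, hides the client
    return "direct", xff

def trusted_client_ip(peer_ip, headers, trusted_proxies):
    """Only honour X-Forwarded-For when the TCP peer is a proxy we operate, and
    walk the chain from the right, stopping at the first hop we do not trust."""
    if peer_ip not in trusted_proxies:
        return peer_ip                     # header may be spoofed: ignore it
    client = peer_ip
    for hop in reversed(_ips(headers.get("x-forwarded-for", ""))):
        client = hop
        if hop not in trusted_proxies:
            break
    return client

# Constructed sample requests as seen by the server; PEER is the TCP peer address.
PEER = "198.51.100.20"
REQ_TRANSPARENT = ("GET /whoami HTTP/1.1\r\nHost: example.test\r\n"
                   "X-Forwarded-For: 203.0.113.7\r\nVia: 1.1 proxy.example\r\n\r\n")
REQ_ANONYMOUS = "GET /whoami HTTP/1.1\r\nHost: example.test\r\nVia: 1.1 proxy.example\r\n\r\n"
REQ_DIRECT = "GET /whoami HTTP/1.1\r\nHost: example.test\r\n\r\n"
# A client trying to look local to a naive access check:
REQ_SPOOFED = "GET /admin HTTP/1.1\r\nHost: example.test\r\nX-Forwarded-For: 127.0.0.1\r\n\r\n"

if __name__ == "__main__":
    for req in (REQ_TRANSPARENT, REQ_ANONYMOUS, REQ_DIRECT):
        print(classify_proxy(PEER, parse_headers(req)))
    print(trusted_client_ip(PEER, parse_headers(REQ_SPOOFED), {"10.0.0.1"}))
```

The spoofed request illustrates the admin's caveat: because the peer is not one of our own proxies, trusted_client_ip returns the real peer address and the forged 127.0.0.1 is ignored.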


Bouncing through wingates
Wingates are a type of proxy that lets you make a telnet connection through them. They are intended to let the computers on a LAN reach the internet through one machine, but since many wingates allow anyone to connect without a password, hackers and other people use them to bounce their connections off of. Here is how this works:

[hacker's computer] -> [wingate] -> [destination]

This snazzy ASCII diagram shows how your data goes through a wingate and then to its destination, so the destination sees the data as coming from the wingate. If you can't see how hackers can use this to their advantage, let me explain...

Hackers want to keep their IP hidden; they don't want their target to know where they are coming from, both so the attack cannot be blocked as easily and so they do not get in trouble if it is noticed. Using a wingate means the target doesn't see the hacker's IP, it sees the wingate's IP instead. Most hackers use more than 3 wingates when hacking, just to be safe, because if an admin catches the attempt and contacts the admin of the wingate, its logs can be used to find the hacker's IP. If they bounce off 5 wingates that means a lot more hassle for the attacked admin to go through to find the hacker, and more chance that logs will not be kept or will be deleted by one of the wingate admins.

Bouncing attacks off a wingate is not the only reason a hacker would use one. They are also quite handy on some IRC servers. The same basic concept applies: the data is bounced off the wingate and then sent to the destination (the IRC server), so the IRC server sees the connection as coming from the wingate. This lets hackers get around channel bans, get around G-lines, hide themselves from others, create clones, etc. Check the options in your IRC client to figure out how to use them (in mIRC it is under the SOCKS 4 firewall option).

Since they are useful on IRC, many people on IRC tend to be using wingates. This is why I ported a simple port scanner to irssi (it also works with BitchX and maybe XChat). This port scanner is edited to look only for ports 23 and 1080, the most commonly used ports for wingates: 23 is telnet, 1080 is SOCKS. It collects people's IPs when they enter a channel, and when you issue the command /scan it checks the list of IPs for available wingates. There are also easy-to-use scripts for mIRC that do this; a Google search for "mirc wingate scanner" produces many links. You can also use tools that scan wide blocks of IPs for wingates. Here is a tip: find a cable or DSL ISP and scan their subnet for wingates. Many people on fast connections use wingates to share their bandwidth across their network, and since cable users have static IPs they will not change as often. So do a '/whois user' on someone who is on cable to get their IP, then check all-nettols.com (use "smartwhois") to get their ISP's IP range, and scan that for wingates.

Wingates tend to go up and down hourly. Sometimes people only need them for a while, and when someone does put one up they get a lot of traffic from hackers bouncing off it, so rather than waste their bandwidth they secure the wingate or take it down. Because of this you need to scan for wingates all the time. Another reason IRC works well for finding wingates: you let other people find them for you. =)

Not many hackers use just 1 wingate when hacking. This is how using 4 wingates would work:

[hacker's computer] -> [wingate] -> [wingate] -> [wingate] -> [wingate] -> [destination]

Using multiple wingates is a must for a hacker; they will not use just one, since it would be easy to track them. But using too many makes things very slow. Anything over 4 and under 10 would be normal.

So after you scan (this may take a while, be patient) and get a few wingates, how do you connect to them and use them? This is very simple, but it gets asked all the time on message boards and in chatrooms. To telnet to a wingate you need its IP or hostname and the port the wingate is running on, normally 23 or 1080. We can only use wingates which don't require a username and password, so after we get a list of them we need to test which ones work without a login. Simply open telnet, connect to that IP and port, wait for the connection and see if it says something like this:

Wingate>

If it has a login of some sort then you cannot use it. This is one way admins of wingates can protect themselves: password-protect the wingate so random hackers cannot use it. Hackers are not the only ones who will use your wingate; spammers often use them as well, and having spammers send thousands of emails through your wingate is a surefire way to get your ISP to cancel your account. Besides adding passwords you can also secure your wingate by only allowing computers on your LAN to access it. This is how for GateKeeper:

login as Administrator on GateKeeper
Policies -> Default Policies -> Users can access services -> select everyone
Location -> Specify locations from where this recipient has rights ->
add 127.0.0.1 and 192.168.0.* (or whatever ip range your network uses).

To secure Deerfield's wingate simply upgrade to 3.x home version. The home version of 3.x doesn't let anyone connect at default. It's now configured securely by default :D

There are also other prompts that will appear; it is not always "Wingate>". It could be anything, Wingate> is just the default on some.

We got connected, now to use the wingate. Wingates by default will telnet to any ip:port you enter, so try telnetting to a server you know is up:

Wingate> 204.42.253.18:23

Now if you encounter an error this means something's either wrong with the ip:port you entered, the ip:port is down, or the wingate is not working. Also try 'telnet ip:port' since that wingate might not telnet by default. So we got our list of wingates down to a list of working, non-passworded wingates. Now to link them. Let's say we have the wingates (note, these are fake):

203.43.25.104 port 23
214.133.200.20 port 1080
180.23.56.93 port 23
194.51.107.68 port 23

To link these we would telnet into the first one:

telnet 203.43.25.104 23
Sparky's server 1.03>

Then enter in the ip:port of the next one on the list.

Sparky's server 1.03> 214.133.200.20 1080
CDD Proxy Server>

and link the rest..

CDD Proxy Server> 180.23.56.93 23
welcome to 180.23.56.93: 194.51.107.68 23

Now a hacker can telnet into a shell account from the last wingate and launch the attack, or if they know how to do some socket programming they can set up exploits to go through wingates themselves. For the next section, shells, I'll go over how a hacker can use a shell to make his attack.

I have heard from a few people that routers can be used as a wingate. I myself have never done this since there are always plenty of wingates to use if you just scan for them. But.. using a router as a wingate is very interesting for a number of reasons. First, a router gets so much traffic that the admin would probably not know if it was being used to bounce an attack. Routers don't log by default, and since they get a lot of traffic not many admins log everything (or their logs do not last too long); this means there is less of a chance of the hacker getting tracked down. Routers are pretty much always up and have a fast connection, so if you got a few routers going as wingates you wouldn't have to scan for new ones as much =)

Now don't go out looking for routers just yet; before you can use a router as a wingate you need to have access to use telnet on it. Unlike wingates, which can sometimes allow anyone to run telnet, routers don't. You will need to hack into the router to be able to use telnet on it to wingate from it. Of course the number of routers with default passwords (admin:admin) or simple unpatched exploits is pretty high from my experience. Also to note: it might not be a good idea to telnet directly into a router as your first wingate.. if the admin does find out about your break-in (and they log) you will have left your real ip. Hackers will probably use a regular wingate or two before connecting to a compromised router. Needless to say, if you admin a router make sure to keep it locked up tight; not only can hackers screw up your network, sniff passwords, redirect data, and generally run amok, but they can also use your router as a launching pad for their next attack.

Another use for wingates is to bounce a connection off of them to irc. Most commonly SOCKS (stands for SOCK-et-S) are used for irc; they are very similar to wingates but used mainly at a firewall to allow transparent connections through it. SOCKS usually run on port 1080. To bounce your connection to an IRC server with a wingate or SOCKS type the following in your irc client:

/server win.gate.com 23
/quote irc.box.sk 6667
/quote user grendelsucks 123.123.123.123 b0iler :ban evader
/quote nick b0iler2

then use irc like normal; you will have the ip or hostname of the wingate. I believe if you use mIRC you can go to File -> Options -> Connect -> Firewall and then enter in the wingate's IP and port and check "Use SOCKS Firewall" (correct me if I am wrong). If you use XChat try Settings -> Setup -> IRC -> Proxy Server -> fill in IP and port and select the type as wingate. You can also use a bnc (stands for BouNCe) to relay your connection to an IRC server.

Same as with proxies, if you don't want people connecting to your wingate set up a strict access list on a firewall. Also, usernames and passwords are a good idea when it comes to wingates.


Shell Accounts
A shell account is access to a remote computer. Users can connect to it and issue commands just like if they were at that computer's keyboard. This also means that hackers can issue commands, and they often use shell accounts as another way to bounce their attack.

Usually a shell account is used along with wingates and is used by the hacker to launch the attack. Hackers will not use free shells such as nether.net or hobbiton.org because they do not have the ability to run the programs they need and they cannot delete the log files with a regular user account. If they were to use one of these shells the admin could easily check the logs and see what they were up to. So hackers will use what are known as root shells; these are systems the hacker has already compromised and has root on. This allows them to delete all necessary logs of their attack and gives them full access to *nix tools. The key tools hackers need are raw packet support, nmap and other auditing programs, a C compiler, a perl interpreter, and exploits. These come standard on most *nix boxes, so it makes *nix very valuable to hackers. Although most will have *nix installed on their own computer they might still use shells because they have faster connections, and they allow another layer of protection along with the wingates.

This is an example of how a hacker would use 3 wingates with 2 shells:

[hacker's computer] -> [wingate] -> [wingate] -> [wingate] -> [shell] -> [shell] -> [target]

To login to the shells a hacker can use telnet or they can use ssh, whichever they want. ssh will allow a more secure connection. A simple: telnet owned.com:5742 would allow them to get in (if they set up telnetd on port 5742). To connect with ssh: ssh owned.com -p 5742. If your system were to get compromised it too could be used as a shell for the hacker's next attack.

There are free shell accounts for beginner hackers to use; again, I stress that these are closely monitored and you only get a user account, so things are logged and power is limited. Don't use them to hack! What a hacker wants is a 'rootshell', which is root access. This allows the hacker total control over everything on that computer. Raw sockets are a big thing; access to edit logs is another. If you can edit the logs on a rootshell this means that it is all the harder for anyone to track you. If you use a free shell or a user account on a box you cannot edit the logs and will be vulnerable to being traced. Always using a lot of wingates will help in keeping you out of trouble.

Most shells you will want are on *nix boxes, so you need to learn unix commands. Also knowing what files do what will help you understand how to hide yourself and how to modify the system the way you want. Setting up linux and securing your box will help you better understand how to break in, and breaking into linux will help you better understand how to secure it =) To help you learn *nix here are a few really good tutorials:


http://unixhelp.ed.ac.uk - A very easy and detailed step by step guide to getting started with Unix, with examples, solution to problems, and some cool facts.


http://www.mines.utah.edu/~wmgg/ - A short and sweet Unix tutorial to help with the basic commands.


http://www.belgarath.demon.co.uk/guide/ - A very nice guide that takes things slow and uses helpful pictures to explain things.


http://www.linuxnewbie.org - A very helpful stop for anyone new to linux, it has many helpful files.



How can you stop hackers from using your system? Well this is a very in-depth question, because you will need to completely secure your box to stop them from gaining access to it. Read up on Unix security, firewalls, and IDS. Of course take action before the hacker gets in, secure your box... use tripwire and snort 'just in case'. One way to catch them is to install a remote logging box. This will allow you to have logs of everything they do; to do this set up any old box with inetd and syslogd and then change syslog's configuration file to have logs sent to that box.

# /etc/syslog.conf file
*.* @213.165.52.61

For more info on setting up a secure remote logger try loki's guide on How to set up a secure remote logger
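What that single syslog.conf line does on the wire, as an added example that is not part of the original text: a small Python stand-in for the remote logging box that receives BSD-syslog datagrams on 514/UDP, decodes the <PRI> header into facility and severity, and appends each line tagged with the sender's address rather than the forgeable hostname inside the message. The datagrams below are constructed; the port, the output file name and the "gateway" hostname are assumptions.

```python
import re
import socket

# Constructed datagrams of the kind a syslogd forwards when /etc/syslog.conf
# contains "*.* @loghost" (PRI = facility * 8 + severity, then the BSD header).
SAMPLE_DATAGRAMS = [
    b"<38>Dec  2 03:14:15 gateway sshd[4711]: Accepted password for bob from 10.0.0.5 port 40022 ssh2",
    b"<13>Dec  2 03:14:20 gateway root: rm -f /var/log/wtmp",
    b"garbage without a PRI header",
]

FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp"}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(rb"^<(\d{1,3})>(.*)$", re.DOTALL)


def facility_name(code):
    """Map a numeric facility to its syslog.conf name (local0..local7 are 16..23)."""
    if code in FACILITIES:
        return FACILITIES[code]
    if 16 <= code <= 23:
        return "local%d" % (code - 16)
    return "facility%d" % code


def parse_syslog_datagram(data):
    """Split a BSD-syslog datagram into facility, severity and message text.
    Returns None for malformed input so the receiver never dies on junk."""
    m = PRI_RE.match(data)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI value
        return None
    facility, severity = divmod(pri, 8)
    return {
        "facility": facility_name(facility),
        "severity": SEVERITIES[severity],
        "message": m.group(2).decode("ascii", "replace").rstrip("\n"),
    }


def format_record(src_ip, data):
    """One output line per datagram; the sender's IP comes from the socket,
    not from the hostname inside the message, which the sender controls."""
    rec = parse_syslog_datagram(data)
    if rec is None:
        return "%s MALFORMED %r" % (src_ip, data[:80])
    return "%s %s.%s %s" % (src_ip, rec["facility"], rec["severity"], rec["message"])


def serve(bind_addr="0.0.0.0", port=514, logfile="remote.log"):
    """Minimal remote logger: bind 514/UDP and append every datagram to a file
    that lives on this box, out of reach of whoever is on the sending host."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    with open(logfile, "a") as out:
        while True:
            data, (src_ip, _port) = sock.recvfrom(2048)
            out.write(format_record(src_ip, data) + "\n")
            out.flush()


if __name__ == "__main__":
    # Dry run over the constructed samples; call serve() as root for real traffic.
    for d in SAMPLE_DATAGRAMS:
        print(format_record("192.0.2.10", d))  # constructed sender address
```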

One thing I would like to stress about using shells from a friend's box is that they may be logging everything you do and gathering your username:passwords to your email, hacked accounts, sites, ftp, nickserv, and anything else you transfer. The same holds true for BNCs and wingates. It's a trick passed around by many hackers to put a wingate on their box and put it on a hacker website's list and wait for people to log into their hacked accounts with it. I also read somewhere that governments set up wingates to catch hackers; I don't know how true this is.. but it sure is a good way to discourage hackers.


Conclusion
In this issue of Hacking Techniques I went over how and why hackers use proxies, wingates, and shells when attacking and how admins can stop them from using their networks to bounce attacks from. I think the next issue will be much longer; it will cover many things hackers do once they compromise a system. I hope everyone learned at least something from this paper, and I hope I didn't forget anything =) I am sorry if you felt it was hard to read this tutorial, I had a hard time writing it, it just felt like my words didn't go together right. It may be a while till I get around to finishing issue #3, thanks for your patience.

Cracking unix password files

1) First thing's first


--------------------------------------------------------------------------------



I guess you're a newbie in pass-cracking like I was and you've probably started John the Ripper full of enthusiasm, and got.... nothing. So the first thought you have is 'my god this must be hard, and I'm a newbie'. Forget it!!! You're always a newbie, and we all are... in the pass cracking world, pardon, pass recovering world (or any other world) you always have something to learn. Sometimes, even if you are experienced in password cracking, you won't be able to crack the password or even get your own password. This is a pure technical manual and will give you only the recipe for cracking, but every password needs a different approach...

OK, so a good way to get somewhere is to start getting somewhere...
What you're about to learn is to crack *nix (Unix/Linux/etc.) password files. It does not mean that you need to have some Unix distribution on your box, but it means you'll have to stop clicking your ass off all around the screen... 'What is this fool trying to say', you'll probably ask... This fool is trying to say that john is a DOS program (there is also a Linux/Unix version, but I guess that most of the people that read this tutorial have win boxes). I will try to put this tutorial through examples so it wouldn't look like a boring script with an incredible amount of switches. After reading this text it wouldn't be a bad idea to look at the texts you get with John. I learnt it all from there, but that, of course, was the hard way, and you want the easy way, right? Right.

First, it wouldn't be a bad idea to get yourself John the Ripper, I guess... if you don't have it you can find it at:

1) packetstorm.securify.com (look at archives, password cracking)
2) neworder.box.sk (do some searching by yourself)

John can be found practically anywhere. For example: try going to altavista.com and running a search for 'john the ripper'.

Second thing you'll need is.... a HUUUUGE amount of password dictionaries (I'll explain what these are in a minute). The best dictionary around is at www.theargon.com and packetstorm (look at the archives) and is called theargonlistserver1 and is about 20Mb packed, and over 200Mb unpacked... get it!!!! The people at theargon did a terrific job.

You should also get some smaller dictionary files (I'll explain why later).

2) Do we look like *nix?


--------------------------------------------------------------------------------



So now you have john, loaded with that huuuuge pass dictionary, and you think that you can crack anything... If you plan to live for 100000 years, that wouldn't be a problem, but you only have some 80 years left in the best case scenario (unless, of course, scientists find a way to... oh, nevermind).

Now, the first thing is that you have to make sure your password file really looks like a Unix password file (we're talking about the /etc/passwd file).

Let's see what Unix pass files look like:

owner:Ejrt3EJUnh5Ms:510:102:Some free text:/home/subdir/owner:/bin/bash

The important part is the username and the encrypted password, which are the first and the second parts (each line is divided into seven parts by : symbols):

owner:Ejrt3EJUnh5Ms

Owner is the username and 'that other thing' is the crypted password (encrypted in altered DES (Data Encryption Standard) encryption). For the other part you can put anything that looks like that, but the structure must be the same so that john can recognize it as a unix pass. In fact the other part

:510:102:Some free text:/home/subdir/owner:/bin/bash

is just some information about the user, his home directory, etc...

Sometimes you'll have passes that have only the first and second part, such as password files that you got from a webboard running matt's web board script.

owner:Ejrt3EJUnh5Ms

You'll have to add the other part so that the password looks like a unix pass. You can copy-paste it from another pass, or even use

:510:102:His name:/home/subdir/owner:/bin/bash

What you have now should look like:

owner:Ejrt3EJUnh5Ms:510:102:His name:/home/subdir/owner:/bin/bash

Hell, you can even put

owner:Ejrt3EJUnh5Ms:a:a:a:a:a

It won't matter to john at all.
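A check for the shape john expects, as an added example that is not part of the original text: a small Python normalizer that turns bare user:hash pairs into seven-field records padded with the filler fields from above, and drops shadowed, locked or unrecognized entries before they reach john. The sample lines are constructed around the tutorial's own example hash; the MD5 crypt pattern is an addition for the other format the tutorial names later.

```python
import re

# Traditional DES crypt(3): 2-character salt + 11 characters, all from this alphabet.
DES_HASH_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# FreeBSD/Linux MD5 crypt ($1$salt$hash), the other common /etc/passwd hash type.
MD5_HASH_RE = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")
# Filler for fields 3..7, copied from the tutorial's suggestion above.
FILLER = ["510", "102", "His name", "/home/subdir/owner", "/bin/bash"]
# Placeholders that mean "no hash here": shadowed, locked, or empty.
NO_HASH = {"*", "x", "!", "!!", ""}


def normalize_passwd_line(line):
    """Return (seven-field record, hash type) or None if john could not use the line.

    Accepts full /etc/passwd lines as well as the bare "user:hash" pairs some
    web-board scripts produce; the latter are padded with FILLER.
    """
    line = line.rstrip("\r\n")
    if not line or line.startswith("#"):
        return None
    fields = line.split(":")
    if len(fields) == 2:
        fields = fields + FILLER
    if len(fields) != 7 or not fields[0]:
        return None  # wrong shape: not a passwd record
    hashval = fields[1]
    if hashval in NO_HASH:
        return None  # shadowed or locked account, nothing to crack here
    if DES_HASH_RE.match(hashval):
        fmt = "DES"
    elif MD5_HASH_RE.match(hashval):
        fmt = "MD5"
    else:
        return None  # not a hash type this example recognizes
    return ":".join(fields), fmt


def normalize_passwd_file(text):
    """Normalize a whole dump, keeping only records john can load; returns
    a list of (record, hash type) tuples in input order."""
    out = []
    for line in text.splitlines():
        rec = normalize_passwd_line(line)
        if rec is not None:
            out.append(rec)
    return out


# Constructed input: the tutorial's example hash in three shapes, plus lines
# that should be skipped (shadowed entry, comment, wrong field count).
SAMPLE_DUMP = """\
owner:Ejrt3EJUnh5Ms:510:102:Some free text:/home/subdir/owner:/bin/bash
webuser:Ejrt3EJUnh5Ms
weird:Ejrt3EJUnh5Ms:a:a:a:a:a
shadowed:*:510:102:His name:/home/subdir/owner:/bin/bash
# comment line from a mangled dump
broken:Ejrt3EJUnh5Ms:510
"""

if __name__ == "__main__":
    for record, fmt in normalize_passwd_file(SAMPLE_DUMP):
        print(fmt, record)
```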

3) We're getting somewhere... nowhere


--------------------------------------------------------------------------------


Now you're ready to crack. Type in

john -w:words.lst password.file

Where words.lst is the password dictionary and password.file is the file where you have your password or passwords. If you use it on the example I gave you, you'll probably get the password because it's a really weak pass. You'd be surprised to see that people usually use really weak passes like their names, pet names, or even their username (for example: username=zalabuk, password=zalabuk).

Hint: Don't be stupid! Use strong passes like

p4sswr!@
p@s$w11s
with as many characters as you can remember. The hint is to use special characters and numbers; those passes are much harder to crack (I'll explain why in a minute).
The other hint is to use passes as long as you can remember; 8 characters are sometimes not enough... it depends on what box the person cracking has... on a dual Alpha it is certainly not enough... in other words... more than 10 characters will do fine, and even more wouldn't hurt (like 16...). By the way, older *nix have a fixed pass length of 8 chars... that is the old DES crypted pass that uses a 64-bit key... now there are 128-bit keys, and some perverts use even more, so there is more fun now :)

john -w:words.lst password.file

Wait wait wait! What am I doing here?
Alright, listen up carefully. The DES encryption that Unix uses CANNOT be reversed. Some encryptions can be reversed using a sometimes simple or sometimes incredibly complicated algorithm (in the 3rd century AD, Caesar used to send encrypted letters which used a formula of "shift by three", which means that d stands for a, e stands for b etc. At that time, such an algorithm was just fine. Today, it isn't).
So anyway, the altered DES encryption that Unix uses for its password files cannot be reversed. Why? Because it's a key-based encryption. The encryption algorithm uses a bunch of letters (lowercase and uppercase), numbers and symbols within the algorithm. So, in other words, to run the decryption algorithm you will need this key, which you simply cannot just have, because the key is the password! You see, when a user picks a password, the system generates an encrypted password for him, called a hash (which is what you get when you somehow acquire a password file), which is created by running this altered DES algorithm using the user's password as a key. If you try to decrypt the password using standard reversible DES encryption, you get a null string.
So how do John and other password crackers do it? Easy. They try to recreate this process by taking passwords out of these dictionary files (or wordlists) and using them as keys for this altered DES algorithm process. Then, they compare the result to all the encrypted passwords within the password file you've given them. If the two strings match - there you have it! The password is yours!

If the first step doesn't work, the next step would be to do this:

john -w:words.lst -rules password.file

This switch turns on not only browsing through the dictionary, but also some modifications of the words that are in the dictionary (like adding a number at the end of a pass - fool -> fool1, etc. etc.). This one will take long with a huge pass dictionary, but it may give better results... For a start you could do a try with a small pass dictionary, and if it doesn't work you can try it with a huge pass dictionary.

Sometimes people are not stupid when they choose passwords and basic rules won't do a job... aaargh. As you've seen it takes more and more time for your CPU to crack this thing out as we go further. Now you can leave your computer on and go to sleep....

If you want to get even more possible passwords out of your password file, try typing

john -i password.file

This -i stands for incremental cracking, not a really good word for it, but...
Okay, what the hell does it do? It uses the default incremental mode parameters, which are defined in john.ini.
What does this mean? Do you remember -rules? Yes, well, of course you do, unless you're either incredibly senile or you've stopped reading after this part and only came back, like... a couple of years later. That is very much like rules, but much much more powerful than -rules, and it takes much, much more time.

4) So where are we now (dictionary vs. brute-force)?


--------------------------------------------------------------------------------



You can see that in all cases you use so-called dictionary cracking... but hell, why not just run John in a mode where it tries all possible combinations of lowercase and uppercase letters, numbers and symbols? I mean, this would be much more efficient, right? ... WROOOOOOONGG!!!
This method is called a 'brute-force' attack (basically, a dictionary attack is also a sort of brute-force attack, but most people use the word brute-force for this specific attack).
What are the differences? First and most important, with a dictionary you go through the selected words that could be passwords and their modifications, and with brute force cracking you use ALL possible combinations. That means you have
comb = nrch^let

where:

comb - number of possible combinations
nrch - number of chars
let - number of letters used

If you're dealing with john's default -i 95-character set and, say, a 6-letter password, you have 735091890625 possible combinations! OUCH!!
Sure, this is useful for passwords like 2405v7, but still... with the computational power of today's modern PC, I'd just give up, unless I had access to some University's supercomputer, which I'd bet no one would ever give me (well, at least not for free, and certainly not to run a password cracker on it).
As you can see it can take a looooong time until you crack a single pass; do a little math and try to calculate how many possible combinations there are for 10, 12 and 16 chars.
I don't think you'll like the answer :)
Of course, sometimes dictionary attacks are not enough, but john has very powerful 'thinking'. In 'incremental' mode john will do all possible combinations from 0 to 8 characters (a password length of zero is a hashed empty string; this sometimes happens). So incremental mode is one sort of brute-force attack in some way...

If you want to fire all weapons at once then you use

john password.file

this will do first basic dictionary attack, then -rules, then -i

5) What if...


--------------------------------------------------------------------------------


Ok, you have to turn off your box from time to time, don't you? If you're doing that haaard password that will take more than 20 hours of cracking you can stop john with ctrl+c and then resume with

john -restore

If your box crashes or if there's a power failure, you won't be able to restore your cracking sessions (sometimes)... well that's just too bad. Hell, it happened to me once :-(

John is modular, and that is the most powerful thing about john the ripper, and that is what makes john the most advanced password cracker. John is very, very modular. John uses modes that are described in john.ini (do you still remember that incremental cracking I was talking about? Modes for rules and incremental are described in john.ini).
If you're some inventive guy then you may change the parameters in john.ini.

Here is an example of how the default parameters for -i look:

# Incremental modes
[Incremental:All]
File = ~/all.chr
MinLen = 0
MaxLen = 8
CharCount = 95

Ok... what do we have here?

[Incremental:All] - this stands for the beginning of the definition for the -i:all switch
File - filename of the file that has the characters used in mode -i:all (the whole character set)
MinLen - logically, the minimum length of password that john -i:all would try
MaxLen - even more logically, the maximum length of password that john -i:all will try
CharCount - number of chars used by john when you 'turn on' this switch
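The formula comb = nrch^let from the brute-force section and the [Incremental:All] parameters above describe the same search space, so here is one added example (not from the original text) for both: it reads a john.ini fragment with Python's configparser, works out the total number of candidates an -i mode enumerates over MinLen..MaxLen, and estimates the worst-case time at an assumed guess rate. The [Incremental:Digits] section values and the 100000 guesses/sec figure are assumptions.

```python
import configparser

# Constructed john.ini fragment: the [Incremental:All] section quoted above
# plus an assumed [Incremental:Digits] section for the -i:digits mode.
JOHN_INI = """\
# Incremental modes
[Incremental:All]
File = ~/all.chr
MinLen = 0
MaxLen = 8
CharCount = 95

[Incremental:Digits]
File = ~/digits.chr
MinLen = 1
MaxLen = 8
CharCount = 10
"""


def combinations(nrch, let):
    """comb = nrch^let: candidates of exactly `let` characters from `nrch` symbols."""
    return nrch ** let


def incremental_section(ini_text, mode):
    """Read (MinLen, MaxLen, CharCount) from an [Incremental:MODE] section."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    sec = cfg["Incremental:%s" % mode]
    return int(sec["MinLen"]), int(sec["MaxLen"]), int(sec["CharCount"])


def keyspace_for_mode(ini_text, mode):
    """Total candidates -i:MODE enumerates: the sum of CharCount^len over every
    length from MinLen to MaxLen (length 0 is the empty password, counted once)."""
    min_len, max_len, nrch = incremental_section(ini_text, mode)
    return sum(combinations(nrch, let) for let in range(min_len, max_len + 1))


def seconds_to_exhaust(keyspace, rate):
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return keyspace / rate


def human_time(seconds):
    """Rough human-readable duration; a year is taken as 365 days."""
    if seconds < 3600:
        return "%.0f s" % seconds
    if seconds < 86400:
        return "%.1f h" % (seconds / 3600)
    if seconds < 365 * 86400:
        return "%.1f d" % (seconds / 86400)
    return "%.3g y" % (seconds / (365 * 86400))


if __name__ == "__main__":
    rate = 100000  # assumed: DES crypt guesses per second on a PC of the era
    print("comb for 95^6 =", combinations(95, 6))
    for let in (6, 8, 10, 12, 16):
        c = combinations(95, let)
        print("%2d chars from 95: %e candidates, ~%s" % (let, c, human_time(seconds_to_exhaust(c, rate))))
    for mode in ("All", "Digits"):
        ks = keyspace_for_mode(JOHN_INI, mode)
        print("-i:%s keyspace = %d, ~%s" % (mode, ks, human_time(seconds_to_exhaust(ks, rate))))
```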

So, are there some more switches... heh?
Yes there are, and below are all the default modes pasted from john the ripper's documents:

John the Ripper's Command Line Options


--------------------------------------------------------------------------------


You can list any number of password files on John's command line, and also
specify some of the following options (all of them are case sensitive, but
can be abbreviated; you can also use the GNU-style long options syntax):

-single                   "single crack" mode
    Enables the "single crack" mode, using rules from [List.Rules:Single].

-wordfile:FILE            wordlist mode, read words from FILE,
-stdin                    or from stdin
    These are used to enable the wordlist mode.

-rules                    enable rules for wordlist mode
    Enables wordlist rules, that are read from [List.Rules:Wordlist].

-incremental[:MODE]       incremental mode [using section MODE]
    Enables the incremental mode, using the specified ~/john.ini definition
    (section [Incremental:MODE], or [Incremental:All] by default).

-external:MODE            external mode or word filter
    Enables an external mode, using external functions defined in
    ~/john.ini's [List.External:MODE] section.

-stdout[:LENGTH]          no cracking, write words to stdout
    When used with a cracking mode, except for "single crack", makes John
    print the words it generates to stdout instead of cracking. While
    applying wordlist rules, the significant password length is assumed to
    be LENGTH, or unlimited by default.

-restore[:FILE]           restore an interrupted session
    Continues an interrupted cracking session, reading point information
    from the specified file (~/restore by default).

-session:FILE             set session file name to FILE
    Allows you to specify another point information file's name to use for
    this cracking session. This is useful for running multiple instances of
    John in parallel, or just to be able to recover an older session later,
    not always continue the latest one.

-status[:FILE]            print status of a session [from FILE]
    Prints status of an interrupted or running session. To get an up to date
    status information of a detached running session, send that copy of John
    a SIGHUP before using this option.

-makechars:FILE           make a charset, overwriting FILE
    Generates a charset file, based on character frequencies from
    ~/john.pot, for use with the incremental mode. The entire ~/john.pot
    will be used for the charset file unless you specify some password
    files. You can also use an external filter() routine with this option.

-show                     show cracked passwords
    Shows the cracked passwords in a convenient form. You should also
    specify the password files. You can use this option while another John
    is cracking, to see what it did so far.

-test                     perform a benchmark
    Benchmarks all the enabled ciphertext format crackers, and tests them
    for correct operation at the same time.

-users:[-]LOGIN|UID[,..]  load this (these) user(s) only
    Allows you to filter a few accounts for cracking, etc. A dash before the
    list can be used to invert the check (that is, load all the users that
    aren't listed).

-groups:[-]GID[,..]       load this (these) group(s) only
    Tells John to load users of the specified group(s) only.

-shells:[-]SHELL[,..]     load this (these) shell(s) only
    This option is useful to load accounts with a valid shell only, or not
    to load accounts with a bad shell. You can omit the path before a shell
    name, so '-shells:csh' will match both '/bin/csh' and '/usr/bin/csh',
    while '-shells:/bin/csh' will only match '/bin/csh'.

-salts:[-]COUNT           set a passwords per salt limit
    This feature sometimes allows to achieve better performance. For example
    you can crack only some salts using '-salts:2' faster, and then crack
    the rest using '-salts:-2'. Total cracking time will be about the same,
    but you will get some passwords cracked earlier.

-format:NAME              force ciphertext format NAME
    Allows you to override the ciphertext format detection. Currently, valid
    format names are DES, BSDI, MD5, BF, AFS, LM. You can use this option
    when cracking or with '-test'. Note that John can't crack password files
    with different ciphertext formats at the same time.

-savemem:LEVEL            enable memory saving, at LEVEL 1..3
    You might need this option if you don't have enough memory, or don't
    want John to affect other processes too much. Level 1 tells John not to
    waste memory on login names, so you won't see them while cracking.
    Higher levels have a performance impact: you should probably avoid using
    them unless John doesn't work or gets into swap otherwise.

6) Tips


--------------------------------------------------------------------------------


I) A good schedule to do your cracking job is

john -w:words.lst password.file

john -w:words.lst -rules password.file

john -w:words.lst password.file

john -i:digits password.file

john -i:all password.file

II) If you have a file that has only passes that look like

owner:*:510:102:His name:/home/subdir/owner:/bin/bash

you have a shadowed passwords file.
Go to the Byte-Me page at blacksun.box.sk and try to find out more about
password files (I'll leave it up to you to do this. It's important that you'll
learn how to find things by yourself).

III) There are some little tools that come with john; they are all listed below (from john's docs)


unshadow PASSWORD-FILE SHADOW-FILE
Combines the passwd and shadow files (when you already have access to
both) for use with John. You might need this since if you only used your
shadow file, the GECOS information wouldn't be used by the "single crack"
mode, and also you wouldn't be able to use the '-shells' option. You'll
usually want to redirect the output of 'unshadow' to a file.

unafs DATABASE-FILE CELL-NAME
Gets password hashes out of the binary AFS database, and produces a file
usable by John (again, you should redirect the output yourself).

unique OUTPUT-FILE
Removes duplicates from a wordlist (read from stdin), without changing
the order. You might want to use this with John's '-stdout' option, if
you got a lot of disk space to trade for the reduced cracking time.

mailer PASSWORD-FILE
A shell script to send mail to all the users who got weak passwords. You
should edit the message inside before using.


--------------------------------------------------------------------------------



So, that was about it... hope you've got something from this text.
Further reading: try reading ALL the documentation you get with john in the docs
directory. Maybe it's a little bit chaotic, but.... man, those are the docs :)


Ohh, wait, wait!!
Remember, not all password files can be cracked! Smart admins alter the
encryption that they are using, especially when it comes to root passwords.
But there are always other ways to get passwords. These are covered in other
BSRF tutorials. Collect them all (lol) at http://blacksun.box.sk.