Mar. 3, 1999
_______________________________________________________________________
See the Happy Hacker web site at http://www.happyhacker.org
Your local firewall blocks you? Try http://happyhacker.org
URL of the day: 
http://www.distributed.net - Be a part of the world's largest computer
_______________________________________________________________________

Editor's Comments
Poll
URLs
News
Nuggets of Info
Reader Questions
Reader Submissions
Getting Extra Info with httpd, Part 2
Smurfs and Fraggles
More UNIX Commands
Next Issue

***********************************************************************
      *** Editor's Comments
***********************************************************************

First Things First: This is a security digest. Please submit questions
that are security related.
Now that that's off my chest- Linux IS a type of UNIX...thus this digest
will cover Linux, *BSD, Solaris, Digital UNIX, and so forth. Please don't
ask for a separate Linux digest. (More than one person did ask) Also, most
of the information people are asking me for is freely available out on the
web. Try searching yahoo.com or altavista.com.  To those of you pining for
a more advanced version of the digest, I'm trying to write to many
different skill levels of reader here, and I have to put in introductory
material for those not as 'l33t' as yourselves. If you want a particular
area explored, by all means, send me a suggestion, and even better, an
outline.  Still better would be an article of your own. Most articles that
have good content will be included, whether at the beginner or advanced
level.

***********************************************************************
      *** Poll
***********************************************************************

I've received a number of mails asking what a good beginner's book on
Linux is. Please let me know what you all think by replying to one or 
more of the following questions. I'll compile all the results in a 
future issue, along with some of my own opinions. Maybe this will become 
a regular part of the digest.

1) What is the best book for a beginner learning Linux?

2) What is the best book for a beginner learning computer security?

***********************************************************************
      *** URLs
***********************************************************************

Free Shells
http://www.cyberspace.org/shell.html

Slackware Linux
http://www.slackware.com

Linux Shadow Password HOWTO:
http://sunsite.unc.edu/LDP/HOWTO/Shadow-Password-HOWTO.html

A good description of the major Linux distributions
http://www.32bitsonline.com/article.php3?file=issues/199902
/distributions/part&page=1 
(NOTE: The URL is wrapped to 2 lines)

***********************************************************************
      *** News
***********************************************************************

KEVIN MITNICK IMPRISONED FOR 4 YEARS
(www.kevinmitnick.com)
As of February 15th, 1999, Kevin Mitnick has been in jail for four years.
He has been held (unconstitutionally, mind you) without a bail hearing for
computer-related crimes. The website explains his situation in much more
detail.

IBM GIVES NEW BOOST TO CREDIBILITY OF LINUX
(New York Times 18 Feb 1999)
IBM will now install both the Linux and Windows NT operating systems on
its Netfinity line of network servers, in a decision that follows similar
moves by Hewlett-Packard and Dell.  IBM will offer technical support of
Linux -- the popular and free Unix-based operating system that was
designed and built by a loose coalition of programmers around the world
-- through an agreement with Red Hat Software, distributor of Linux.

[Ed- Please note! Red Hat is not _the_ distributor of Linux, instead they
are one of many distributors.]

***********************************************************************
      *** Nuggets of Info
***********************************************************************

[Ed- Here's the place where I'll answer reader questions without having to
quote the whole message.]

1) If you have a dynamic IP allocated to you by your ISP, there's no easy
way to make it stay the same every time.

2) You generally need at least 2 partitions for Linux - one for swap
space, one for everything else.

3) There are a number of ways to get files onto your shell account. One
good way is to email the files to yourself. Another way is to use FTP with
your standard username/password instead of anonymous.

4) Perl is not compiled to a standalone binary the way C is; the perl
interpreter compiles your script to an internal form and runs it each time
you invoke it.

5) Partition Magic can repartition a FAT32 drive safely.

***********************************************************************
      *** Reader Questions
***********************************************************************

Kongen <ab-so@online.no> wrote:

I found this info when I was looking around a little at a school in
New Zealand.

Login: xxxxxx                          Name: xxxxxxxx
Directory: /home/mail                   Shell: /bin/fake
Never logged in.
Mail last read Sun Nov  8 18:49 1998 (NZDT)
No Plan.

His (I wrote xxxx) shell is /bin/fake

Isn't that a little weird at a school...

So I ran a finger on more people...
and figured out that almost everyone had a /bin/fake shell

weird......
what can this be??

[Ed- I suspect that these accounts are set up for POP mail only, and any
attempt to log in via telnet will be greeted with a message saying so.
Anybody wanna back me up on this one?]

-----------------------------------------------------------------------

I have just read the first shell programming gtmhh.  I can make the
script executable by typing chmod 700 filename but I can only run it by
typing ./filename instead of just filename

Why do I have to type ./ for it to work? If I don't type ./ in front of
the filename, it says "command not found"

[Ed- Your current directory (.) is not in your path. When you type a
command like filename without any path information, the shell searches
a list of likely directories for an executable of that name; a name that
contains a slash, such as ./filename, is run directly with no search. In
tcsh, the shell I'm using at the moment, the path is set in ~/.cshrc like
so: set path=(/usr/local/bin ...other stuff...) It's a space-delimited
list of directories that contain executables. If you put '.' without the
quotes at the end of the list, your script will run as just filename,
because the shell will look in the current directory last. Be aware of
the trade-off, though: with '.' in your path, a file someone has planted
in a directory you cd into (one named ls, say, or sl to catch a typo)
runs when you type its name. Putting '.' last limits that to names that
aren't already system commands; typing ./filename, or keeping your own
scripts in a ~/bin directory that is in your path, avoids it entirely.]
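The lookup described above, as an added example (not code from the digest): a C function that resolves a command name the way the shell, and execvp(3), do, run against a scratch directory the program builds for itself. The directory name, its two scripts hello and ls, and the three PATH values tried are all constructed for the demonstration; the ls script stands in for a file someone planted to shadow the real one.

```c
/* Added example (not code from the digest): the search the shell performs
 * when you type a bare command name, written out in C so the effect of
 * putting "." in the path is visible. execvp(3) searches the same way.
 * The scratch directory and the two scripts in it are constructed here. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* A candidate is runnable if it is a regular file we may execute. */
static int is_exec(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 && S_ISREG(st.st_mode) && access(path, X_OK) == 0;
}

/* Resolve name the way the shell does. A name containing '/' (./hello,
 * /bin/ls) is used as given, with no search. Otherwise each directory in
 * pathvar (colon-separated; an empty entry means ".") is tried in order
 * and the first executable match wins. Returns 0 and fills out on
 * success, -1 for "command not found". */
int path_lookup(const char *name, const char *pathvar, char *out, size_t cap)
{
    if (strchr(name, '/')) {
        if (strlen(name) >= cap || !is_exec(name)) return -1;
        strcpy(out, name);
        return 0;
    }
    const char *p = pathvar;
    for (;;) {
        const char *end = strchr(p, ':');
        size_t dlen = end ? (size_t)(end - p) : strlen(p);
        const char *dir = dlen ? p : ".";
        if (dlen == 0) dlen = 1;
        int n = snprintf(out, cap, "%.*s/%s", (int)dlen, dir, name);
        if (n > 0 && (size_t)n < cap && is_exec(out)) return 0;
        if (!end) return -1;
        p = end + 1;
    }
}

/* True when the match came out of the current directory, i.e. from ".". */
int from_cwd(const char *resolved)
{
    return strncmp(resolved, "./", 2) == 0;
}

/* Build a scratch directory holding two constructed scripts: "hello", the
 * reader's own script, and "ls", standing in for a planted file meant to
 * shadow the real ls. Writes the directory name into dir; 0 on success. */
int setup_demo_dir(char *dir, size_t cap)
{
    const char *names[] = { "hello", "ls" };
    int n = snprintf(dir, cap, "/tmp/pathdemo.%ld", (long)getpid());
    if (n <= 0 || (size_t)n >= cap) return -1;
    if (mkdir(dir, 0700) != 0 && errno != EEXIST) return -1;
    for (int i = 0; i < 2; i++) {
        char file[4096];
        snprintf(file, sizeof file, "%s/%s", dir, names[i]);
        FILE *f = fopen(file, "w");
        if (!f) return -1;
        fprintf(f, "#!/bin/sh\necho this is the %s from the current directory\n", names[i]);
        fclose(f);
        if (chmod(file, 0700) != 0) return -1;
    }
    return 0;
}

int main(void)
{
    const char *paths[] = { "/bin:/usr/bin", "/bin:/usr/bin:.", ".:/bin:/usr/bin" };
    const char *cmds[]  = { "hello", "./hello", "ls" };
    char dir[256], found[4096];
    if (setup_demo_dir(dir, sizeof dir) != 0 || chdir(dir) != 0) return 1;
    for (size_t i = 0; i < 3; i++)
        for (size_t j = 0; j < 3; j++)
            if (path_lookup(cmds[j], paths[i], found, sizeof found) == 0)
                printf("PATH=%-16s %-8s -> %s%s\n", paths[i], cmds[j], found,
                       from_cwd(found) ? "   <- current directory" : "");
            else
                printf("PATH=%-16s %-8s -> command not found\n", paths[i], cmds[j]);
    return 0;
}
```

Run it with no arguments. The three PATH values show the three outcomes: with no '.', the bare name hello is not found while ./hello still resolves; with '.' last, hello is found and ls still resolves to the system ls; with '.' first, ls resolves to the file planted in the directory. That last line is the reason never to put '.' at the front of a path, and why even '.' at the end is a judgement call on a shared machine.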

-----------------------------------------------------------------------

Dmitry Markushevich <Dmitry@Home.Com> wrote:

Hi there!

I recently installed RedHat 5.0
The most recent version as far as I know is 5.2

As I understand it, Linux, due to its complexity, is insecure out of
the box, so to speak. Or I guess, the programs that come with
Linux are insecure (Linux refers to the actual kernel??)

[Ed- Correct. Linux refers to the kernel, and the distributors package
programs with it.]

Here's my question finally :)

-- is there a site or anything that would help me to plug the  
   latest security holes/bugs etc

[Ed- Bugtraq is the first thing that comes to mind. They generally have
the majority of the cutting-edge vulnerabilities described there.]

-- i was reading old bugtraqs and there are a couple of things
   that I found quite interesting in there
     ** tripwire -- a program is checksummed to prevent tampering
     ** IDS Software (intrusion detection software, how does it
        work, where do i get it etc etc :)
[Ed- In short, a network IDS works by analyzing incoming packets for the
attack signatures of common exploits and so on; a host-based tool like
Tripwire instead records checksums of your files and reports any that
later change. Anyone care to elaborate? If nobody does, I'll try to put
something in a later digest covering this.]

     ** I also heard/read about something called TCP_Wrappers 
        can you go into more detail on this one too
[Ed- TCP_Wrappers (tcpd) sits in front of the daemons that inetd starts:
it accepts the incoming connection, logs it, checks the client against
/etc/hosts.allow and /etc/hosts.deny, and only then passes it on to the
appropriate daemon. Try (note- it's postscript)
http://www.raptor.com/lib/tcp_wrapper.ps for more info.]

-- Any other resources and programs that will improve 
   security of my machine
-- I remember seeing a document somewhere "Improve the security
   of your computer by hacking into it" is that thing worth
   reading?
[Ed- Yes.]

P.S.:
I was reading that news story (from Win Digest) , about a 16 year old
kid breaking into one of the Nova Scotia's ISP. How do they do
that?! Is the guy just reading bugtraq messages as they come
and then just uses the exploit or whatever on the random
machine on the net? Amazing, quite amazing. Seems like a guy
got skillz :) but wastes them on senseless destruction when
he could probably be making good money as a netadmin
somewhere so very very sad....

[Ed- 'skillz'? eww. He could be just reading bugtraq/rootshell exploits
and trying them out on random computers till he hits the jackpot. Other
times, there will be an old security hole that someone has left
(unintentionally) vulnerable that can be exploited. Fortunately, it's
not all that hard to turn away from the dark side of the hack ;)]
        
P.P.S.:
I would like to say thanks to all the HH Editors. Some of
the info provided here is invaluable.

--
Regards,
 Dmitry Markushevich

-----------------------------------------------------------------------

Zulqernain Alam <post@alam.demon.co.uk> wrote:

Hello,

I have a user level Solaris 2.6 shell account at my university. I often
need to ping servers, especially when I am testing one of my programs. The
ping binary does not exist on the system, and to my knowledge does not
exist on the system. I'm unable to write one in C as my knowledge of C is
limited. I am primarily a Java programmer, and since Java does not yet
support ICMP I am only able to write a program that sends a UDP packet to
port 7. I was wondering where I could find a binary or source for a ping
program that does not require the user/installer to have root access. As
far as I know the program requires setuid root so that it can send its
raw ICMP packets. Also Java is slow at doing this stuff, especially when
there are 300 users on the system, so I would be interested in writing a
UDP packet sender in C. Sorry to be so confusing but could you be of any
help?

Many Thanks,

Zulqernain Alam          post@alam.demon.co.uk
CS, COGS                 zulqerna@cogs.sussex.ac.uk
University of Sussex     haue9@central.sussex.ac.uk

[Ed- Well, in answer to your first question, all ping programs need root
privilege (which is why the binary is normally installed setuid root),
since (like you said) they send and receive raw ICMP, and opening the raw
socket that takes is reserved for root. Sending packets in C/C++ is not
all that hard. UDP is pretty straightforward, so here's the function
you'd use to send a UDP packet:

ssize_t sendto(int sockfd, const void *buf, size_t nbytes, int flags,
    const struct sockaddr *to, socklen_t addrlen);

A good place to start is 'man sendto' and then consult a C/C++
(network) programming book when you get lost. When I get motivated
enough, I may add a C++ corner like our esteemed Windows editor has his
Perl corner]
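The sendto() answer carried through, as an added example (not code from the digest or the editor): a small C program that sends a UDP datagram with sendto() and waits for a reply with poll(), which is about as close to ping as an unprivileged account gets. Port 7 is the UDP echo service the reader mentioned; the one-second timeout, the "probe" payload and the make_addr/udp_probe names are choices made here, not anything from the digest.

```c
/* Added example (not code from the digest or the editor): a non-root
 * substitute for ping built on sendto(). It fires a UDP datagram at a
 * port and waits with poll() for anything to come back. Assumes a POSIX
 * system such as the reader's Solaris box; port 7 (UDP echo) comes from
 * the reader's question, the timeout and payload are choices made here. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Fill *sa for an IPv4 dotted-quad and port (port given in host order).
 * Returns 0, or -1 if the address string does not parse. */
int make_addr(const char *dotted, unsigned short port, struct sockaddr_in *sa)
{
    memset(sa, 0, sizeof *sa);
    sa->sin_family = AF_INET;
    sa->sin_port = htons(port);
    return inet_pton(AF_INET, dotted, &sa->sin_addr) == 1 ? 0 : -1;
}

/* Send payload to *to over an already-open UDP socket, then wait up to
 * timeout_ms for a datagram back. The socket is deliberately left
 * unconnected, so a reply from any address is accepted.
 * Returns bytes received (>0), 0 on timeout, -1 on a socket error. */
int udp_probe_fd(int fd, const struct sockaddr_in *to, const void *payload,
                 size_t len, int timeout_ms, void *reply, size_t reply_cap)
{
    if (sendto(fd, payload, len, 0, (const struct sockaddr *)to, sizeof *to) < 0)
        return -1;
    struct pollfd pfd = { .fd = fd, .events = POLLIN, .revents = 0 };
    int rc = poll(&pfd, 1, timeout_ms);
    if (rc < 0) return -1;              /* poll() itself failed */
    if (rc == 0) return 0;              /* nothing came back in time */
    struct sockaddr_in from;
    socklen_t fromlen = sizeof from;
    ssize_t n = recvfrom(fd, reply, reply_cap, 0, (struct sockaddr *)&from, &fromlen);
    return n < 0 ? -1 : (int)n;
}

/* One-shot convenience wrapper: open a socket, probe dotted:port, close. */
int udp_probe(const char *dotted, unsigned short port, int timeout_ms)
{
    struct sockaddr_in to;
    char reply[512];
    const char payload[] = "probe";
    if (make_addr(dotted, port, &to) < 0) return -1;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    int n = udp_probe_fd(fd, &to, payload, sizeof payload - 1, timeout_ms,
                         reply, sizeof reply);
    close(fd);
    return n;
}

int main(int argc, char **argv)
{
    const char *host = argc > 1 ? argv[1] : "127.0.0.1";
    int n = udp_probe(host, 7, 1000);
    if (n > 0)
        printf("%s: %d bytes back from UDP port 7\n", host, n);
    else if (n == 0)
        printf("%s: no reply in 1s (echo service off, filtered, or host down)\n", host);
    else
        perror("udp_probe");
    return n > 0 ? 0 : 1;
}
```

A reply proves the host is up; no reply proves very little, since most sites have the echo service turned off (fraggle, described later in this issue, gave administrators a good reason to). If you connect() the UDP socket before sending, an ICMP port-unreachable from the target surfaces as ECONNREFUSED on the next recv(), which tells you the host is up even when the port is closed; raw ICMP itself stays out of reach without root.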

-----------------------------------------------------------------------

Gary Yap <y1289@mbox3.singnet.com.sg> wrote:

I know this sounds a bit lame but I am very new to Linux and I only
discovered it recently. I read through a lot of text and magazines and I
was convinced to get a Linux system. The problem is that there are so many
versions, eg Redhat, FreeBSD etc., and I hope that you can tell me the
difference between the many different versions. Do they have different
capabilities or do some versions perform better than others? I'm not
running a server nor do I intend to, so is it worthwhile to have Linux on
my system??

Thanx for your time.

Gary Yap

[Ed- Yikes! Be careful...FreeBSD is not a Linux distribution at all; it
is a separate UNIX descended from BSD, with its own kernel and userland.
For an analysis of the different Linux distributions, check the URL above
in "URLs"]

***********************************************************************
      *** Reader Submissions
***********************************************************************

Ruy Diaz <ruydiaz@cheerful.com> wrote:

Bob listed a sequence of commands from an "elite" hacker text which
allegedly would snatch root. The Editor believes it will only work on a
poorly configured FTP server.

   <hit return at user and password prompts>
   QUOTE USER ftp
   QUOTE CWD ~root
   QUOTE PASS ftp

A brief explanation of these commands: First the automatic  
"user...password" stuff is skipped, and then the hacker repeatedly uses
the "QUOTE" command. This tells his ftp client to tell the ftp server
EXACTLY what he says. He likes the FTP protocol (RFC #959).

He says, "My name is >>ftp<<. My password is >>ftp<<." But in between
that he asks for the current directory he's working in to be changed to
user root's directory. That's very odd. FTP servers usually won't do
anything for you until you prove your identity to them.

If that command wasn't intended to be there, we'd simply be left with
the "My name is..." dialog. Then it'd be silly to go to all this trouble.
Just type "ftp" into the user and password prompts. This would work only
on poorly configured ftp servers, and would give you access to the "ftp"
account instead of the "root" account.

The source of this exploit wasn't miscopied into Chameleon's "hackftp"
texts; it was cut and pasted from Dan Farmer's "Improving the Security
of your site by Breaking into it." Farmer is the creator of the popular
SATAN security tool.

Farmer writes that this exploit works for versions of "wu-archive ftpd"
(an ftp server) released before April of 1993. An April 9, 1993 CERT
warning states that all versions released before April 8, 1993 are
susceptible to a widely exploited bug which allows crackers to get root.

The fix is NOT to configure your server differently, but to correct the
server's code or upgrade. Since the server had at least one serious bug at
the time, and Farmer knows something about security, it's safe to say the
exploit should be used exactly as it was written. But how does it work?
Alas, without the old wu-archive ftpd v2.3 source code that's difficult
to answer.

   Ruy Diaz - " Cuidado, hay llamas!"

-----------------------------------------------------------------------

Frank <lawrencf@bellsouth.net> wrote:

I'm new to the list and this might or might not be redundant.  Anyone
considering or getting close to gaining root access on another's system
without permission might want to look at things from that system's sys
adm shoes.  So you got root and played around!  YeeHaw !!  To see the
guidelines these system admins may be going by, check out
http://www.cert.org/tech_tips/root_compromise.html#Introduction

Kinda cooled MY heels !

Frank

[Ed- I like this page. Definitely go here. CERT generally puts out some
decent (if a little late) stuff.]

-----------------------------------------------------------------------

David Nillesen <dave@northnet.com.au> wrote:

General answers to questions in the Happy Hacker Unix digest.

I have the good fortune to run an ISP where Linux is the main OS of
choice. Here are some answers to questions some people have asked on
your digest.

...

Standard unix time stamps are measured in seconds from Jan 1 1970 (I
think) and won't become an issue until the year 2035 or so due to the
limitations of how big a number you can store in a 32 bit space.  By
then everyone will be running a 64Bit or better machine hopefully.
And since a 64bit number is way more than double the space of a 32bit
number (2^32 vs 2^64) we should have enough space to last till the end
of human existence in the universe.

As regards to linux installs and rebooting after losing the master boot
record and lilo, may I suggest throwing the redhat rescue disk away as
they are almost next to useless. Instead go to the slackware website and
use their bootdisks instead. Boot up to the lilo prompt (on the floppy)
and just type:
mount root=/dev/hda1 (or whatever device holds your root partition)
and voila! your unix system will boot up like normal. Rerun lilo from
the command line as root and reboot.

This is also handy if your idiotic BIOS requires a partition flagged
bootable to boot. Some BIOSes will see that no partition is marked
bootable and just give the master boot record a go, which works of
course because we just installed lilo there. Unfortunately RedHat by
default does not tag a partition as bootable. So boot with your trusty
slackware boot disk (to make things quicker, boot into single user mode
by typing "mount root=/dev/hda1 single"; this also loads you as the root
user with no password. The easiest and simplest way to hack into a linux
box is to just do this, though you do need access to the machine) and
run fdisk.

Oh and for ease of setting up, give linuxconf a whirl. Later Red Hat
releases install it by default. Be warned it is beta however. It has
excellent setup and configuration for most things including ppp setup
and network configuration.

Hope this helps a bit....

-- 
Dave

***********************************************************************
      *** Getting Extra Info with httpd, Part 2
***********************************************************************

[Ed- Here's a snippet of the email conversation between Carolyn and the
author of the original "Getting Extra Info..." article. Carolyn's text is 
marked with '>']

rkt@poboxes.com wrote:

> That is great info.

> If one is of a certain mindset, one can also set up a daemon that
> portscans the computer used by someone who runs an attack against you
> so as to see what vulnerabilities your attacker has.  Then log all this
> for a handy list of all your attackers and how they could be
> compromised.  If one wants the most vicious of revenges, one could
> email the attackers with descriptions of how you could have broken in
> and rmed them, but you just didn't find it worth your while:)

I'm working on a working module of the same. Would let you
know when I have it fully running. It's interesting to note
that this is all documented info. Nothing is illegal ;-)
All it does is get all possible info using ident and finger.

regards
rkt

********

rkt@poboxes.com continues:

Hi Carolyn,

  Just wanted you to know how real the ident/finger thing
  could be. I just hacked up a small cgi script which
  did an ident/finger and collected information on the visitors.

  Some people might be shocked by seeing their name on
  my page (assuming that ident is working on the client), but
  the fact is that even IRC does a lookup before you log on.
  Anyway... have a visit at http://www.royans.net/
  when you have time. The rest of the info there is basic stuff which
  the browser gives away when it interacts with the server

regards,
rkt
 

***********************************************************************
      *** Smurfs and Fraggles
***********************************************************************

The following message was originally posted to the firewall-wizards
mailing list by John McDonald and was forwarded to the digest by
ktinga@nmt.edu. For more information about the firewall-wizards mailing
list, please check http://www.nfr.net/forum/firewall-wizards.html

Date: Tue, 9 Feb 1999 13:02:53 -0800 
From: John McDonald <Johnm@Networkguys.com>
To: dcostello@cmol.com
Cc: Firewall-wizards@nfr.net
Subject: RE: Smurfs and fraggles

Sure do!!

DESCRIPTION:

The "smurf" attack, named after its exploit program, is one of the most
recent in the category of network-level attacks against hosts. A
perpetrator sends a large amount of ICMP echo (ping) traffic at IP
broadcast addresses, all of it having a spoofed source address of a
victim. If the routing device delivering traffic to those broadcast
addresses performs the IP broadcast to layer 2 broadcast function noted
below, most hosts on that IP network will take the ICMP echo request and
reply to it with an echo reply each, multiplying the traffic by the
number of hosts responding. On a multi-access broadcast network, there
could potentially be hundreds of machines to reply to each packet.

The "smurf" attack's cousin is called "fraggle", which uses UDP echo
packets in the same fashion as the ICMP echo packets; it was a simple
re-write of "smurf". 

Currently, the providers/machines most commonly hit are IRC servers and
their providers. 

There are two parties who are hurt by this attack... the intermediary
(broadcast) devices--let's call them "amplifiers", and the spoofed
address target, or the "victim". The victim is the target of a large
amount of traffic that the amplifiers generate. 

Let's look at the scenario to paint a picture of the dangerous nature of
this attack. Assume a co-location switched network with 100 hosts, and
that the attacker has a T1. The attacker sends, say, a 768kb/s stream of
ICMP echo (ping) packets, with a spoofed source address of the victim, to
the broadcast address of the "bounce site". These ping packets hit the
bounce site's broadcast network of 100 hosts; each of them takes the
packet and responds to it, creating 100 ping replies out-bound. If you
multiply the bandwidth, you'll see that 76.8 Mbps is used outbound from
the "bounce site" after the traffic is multiplied. This is then sent to
the victim (the spoofed source of the originating packets). 

HOW TO KEEP YOUR SITE FROM BEING THE SOURCE PERPETRATORS USE TO ATTACK
VICTIMS: 

The perpetrators of these attacks rely on the ability to source spoofed
packets to the "amplifiers" in order to generate the traffic which
causes the denial of service. 

In order to stop this, all networks should perform filtering either at
the edge of the network where customers connect (access layer) or at the
edge of the network with connections to the upstream providers, in order
to defeat the possibility of source-address-spoofed packets from entering
from downstream networks, or leaving for upstream networks. 

Paul Ferguson of cisco Systems and Daniel Senie of BlazeNet have written
an RFC pertaining to this topic. See: 

ftp://ftp.isi.edu/in-notes/rfc2267.txt

for more information and examples on this subject.

Additionally, router vendors have added or are currently adding options
to turn off the ability to spoof IP source addresses by checking the
source address of a packet against the routing table to ensure the return
path of the packet is through the interface it was received on. 

Cisco has added this feature to the current 11.1CC branch, used by many
NSP's, in an interface command '[no] ip verify unicast reverse-path'. 

See the "other vendors" section for 3Com information regarding this
feature.

John D. McDonald 

Phone: 510.713.8880 ext. 306 
Fax:      510.713.3456 
E-mail: JohnM@NetworkGuys.com
Web:    www.NetworkGuys.com
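The filtering John describes, as an added example that is not part of his message or of the digest: the check behind '[no] ip verify unicast reverse-path' and RFC 2267 ingress filtering, written as a C function over a constructed routing table. The prefixes (10.0.0.0/8, 192.0.2.0/24 and a default route), the interface names cust0, cust1 and upstream, and the sample packets are all made up for the demonstration.

```c
/* Added example (not part of John McDonald's message): a strict
 * reverse-path check over a constructed routing table. A packet passes
 * only if the interface it arrived on is the one the router would use
 * to send traffic back to its claimed source; spoofed sources fail.
 * Prefixes, interface names and sample packets are made up here. */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct route {
    uint32_t    prefix;   /* network address, host byte order */
    int         len;      /* prefix length in bits, 0..32 */
    const char *iface;    /* interface the route points out of */
};

/* Parse a dotted quad into host byte order; 0 on success, -1 if invalid. */
int parse_ip(const char *s, uint32_t *out)
{
    struct in_addr a;
    if (inet_pton(AF_INET, s, &a) != 1) return -1;
    *out = ntohl(a.s_addr);
    return 0;
}

/* Netmask for a prefix length; len 0 is the default route (matches all).
 * The guard avoids the undefined 32-bit shift by 32. */
static uint32_t mask_of(int len)
{
    return len == 0 ? 0 : 0xFFFFFFFFu << (32 - len);
}

/* Longest-prefix match: the interface the router would use to reach ip,
 * or NULL if the table holds no route for it. */
const char *route_lookup(const struct route *tbl, size_t n, uint32_t ip)
{
    const struct route *best = NULL;
    for (size_t i = 0; i < n; i++) {
        uint32_t m = mask_of(tbl[i].len);
        if ((ip & m) == (tbl[i].prefix & m) && (!best || tbl[i].len > best->len))
            best = &tbl[i];
    }
    return best ? best->iface : NULL;
}

/* Strict unicast RPF: accept (1) only when the return path to src leaves
 * through in_iface, the interface the packet came in on; otherwise 0.
 * Strict mode belongs on single-homed edge interfaces, since asymmetric
 * routing in the core would make legitimate traffic fail this test too. */
int rpf_accept(const struct route *tbl, size_t n, const char *src, const char *in_iface)
{
    uint32_t ip;
    if (parse_ip(src, &ip) != 0) return 0;
    const char *back = route_lookup(tbl, n, ip);
    return back != NULL && strcmp(back, in_iface) == 0;
}

/* Constructed table for a small provider: two customer links and a
 * default route towards the upstream. */
static const struct route demo_table[] = {
    { 0x0A000000u, 8,  "cust0"    },   /* 10.0.0.0/8   */
    { 0xC0000200u, 24, "cust1"    },   /* 192.0.2.0/24 */
    { 0x00000000u, 0,  "upstream" }    /* 0.0.0.0/0    */
};
#define DEMO_TABLE_LEN (sizeof demo_table / sizeof demo_table[0])

int main(void)
{
    const char *cases[][2] = {
        { "10.1.2.3",     "cust0"    },  /* legitimate customer traffic */
        { "192.0.2.7",    "cust0"    },  /* cust0 spoofing cust1's address */
        { "198.51.100.9", "cust0"    },  /* cust0 spoofing a smurf victim */
        { "198.51.100.9", "upstream" }   /* same address, from the Internet side */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("src %-14s in %-9s -> %s\n", cases[i][0], cases[i][1],
               rpf_accept(demo_table, DEMO_TABLE_LEN, cases[i][0], cases[i][1])
                   ? "accept" : "DROP (spoofed source)");
    return 0;
}
```

The second and third sample packets are exactly the ones a smurf perpetrator on cust0 would send: a spoofed source that the router knows is reached through some other interface. Dropping them at the customer edge is what keeps the site from being the source of an attack, which is the point of the RFC 2267 recommendation above; RFC 2267 itself is the reference for the policy, this code only shows the mechanism.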

***********************************************************************
      *** More UNIX Commands
***********************************************************************

unlink - Remove one name (directory entry) for a file
[NOTE: Every name is a link, whether or not ln created it, so this works
on any file. Removing the last name frees the file's space once no
process still has it open; rm does exactly the same thing through the
unlink(2) system call, just with friendlier options (-i, -r, -f). Use
unlink when you want one name gone and nothing else.]

tar - create Tape ARchives and add or extract files

tar tvf foo.tar
-This will list (t) the contents of the file (f) foo.tar verbosely (v)
-without extracting anything. Do this before extracting an archive you
-didn't make: entries can carry absolute paths or ../ components, and
-not every tar refuses to write them outside your current directory
-(GNU tar strips a leading / unless told not to; some vendor tars don't)

tar xvf foo.tar
-This will extract (x) all files in the file (f) foo.tar, while giving
-verbose (v) info on what it's doing

***********************************************************************
      *** Next Issue
***********************************************************************

The BSDs - Yep, I'm postponing this one one more issue.
Buffer Overflows explained - Yep, postponing this one too
Recompiling your kernel
More UNIX commands

______________________________________________________________
For Windows questions, email keydet89@yahoo.com or editor@cmeinel.com
For Unix questions, contact unixeditor@cmeinel.com.
For Macs, email Strider <s.corinth@iname.com> 

Happy Hacker is a 501 (c) (3) tax deductible organization 
in the United States operating under Shepherd's Fold Ministries. Yes! 
This is all a plot to save your immortal souls!
