
May 19, 1999
_______________________________________________________________________
See the Happy Hacker web site at http://www.happyhacker.org
URL of the day: http://www.xs4all.nl/~freeswan/ (IPSEC & IKE for Linux)
_______________________________________________________________________

Editor's Comments
URLs
Poll Results
Nuggets of Info
Reader Questions
Reader Submissions
IP Spoofing
Future Issues

***********************************************************************
      *** Editor's Comments
***********************************************************************

Submissions have slowed WAY down. So I'll be writing up some (hopefully)
nifty articles about one or more of the topics you've seen in the "Future
Issues" section of the last few digests. Hopefully you'll all get
something out of it. Oh yeah, and I think I may have made a mistake in the
last digest - see "Nuggets of Info" for the clarification. And there seem
to be more people criticizing me for using Eudora as my mail client. Let
me spell this out ONE more time, and maybe people will stop addressing me
as Carolyn, too:

I am the unix editor. I am not Carolyn.
I compile the digests under Solaris, then...
I send the completed digests to Carolyn for review and dispatching.
(and she uses Eudora)
I have no control over the mailing list or sending of digests.

***********************************************************************
      *** URLs
***********************************************************************

Lance Spitzner's Know Your Enemy II: Tracking Their Moves
http://www.enteract.com/~lspitz/enemy2.html

NES (Network Encryption System) devices
http://www.jya.com/nes-curr.htm

SSH Communications Security
http://www.ssh.fi/

SSLeay - a free implementation of Netscape's Secure Socket Layer
http://psych.psy.uq.oz.au/~ftp/Crypto/

Lotus Notes under Linux
http://www.brooklinesw.com/linux/linuxnotes.html

Translate the digest from English to German, Spanish, and others
http://babelfish.altavista.com/

Linux IP Masquerading Mailing list
http://tiffany.indyramp.com/mailman/listinfo/masq/

***********************************************************************
      *** Poll Results
***********************************************************************

Unsurprisingly (since this is a UNIX digest), Linux beat out Windows with
almost everyone's emphatic votes. Let me give you the pros and cons given
by the various readers for Linux; you can simply reverse everything for
Windows. I really don't want to hear any flames about people's opinions.
Some people like Linux. Some like Windows. Some even like other operating
systems. (Hey, I kinda like Solaris and OpenBSD myself.)

Linux pros:
Faster than Windows on comparable hardware
More stable
Consumes fewer resources
More customizable (don't like something? Rewrite it!)
Pipes make it more powerful
You have to think to use it
Virtual Terminals
Multi-User
Free
The "Open Source Ethic"
Easier to solve problems (if you know what you're doing)

Linux cons:
You have to think to use it (yes, it is a con to some people)
Command line is intimidating
Lack of commercial software (soon to be a non-issue)
Not many good games (yet!)

Jan Svenungson put it rather well:
"In Windows you can do everything Microsoft wants you to do; in Linux you
can do anything the computer is able to do."

***********************************************************************
      *** Nuggets of Info
***********************************************************************

1) I think I got CR and LF mixed up in the last issue. It may be the case
   that UNIX actually uses just the LF without the CR, not the reverse
   like I said before. Sorry for the mixup.

2) To my knowledge, the stock partition managers in most Linux distros do
   not support FAT32. You need a third-party utility to modify these.

3) I will not write a section about DOS. Look to the windows editor for
   that. He'll handle any Microsoft-related stuff.

4) Just because an email address ends with "@somewhere.com" doesn't mean
   that the mailserver runs on somewhere.com, port 25 - you can configure
   a mailserver to be anywhere. Antionline now runs the happy hacker
   mailserver, yet you won't notice a real difference when you email us.

***********************************************************************
      *** Reader Questions
***********************************************************************

Kevin Clancy <clancy@druid.uchsc.edu> wrote:

I've enjoyed your web site and have been applying your material to our
local network, for which I am the systems administrator. I have recently
come across references to IP spoofing. I think that I understand that
this involves using a false IP number to communicate with another
computer. Theoretically one could use this to disguise oneself during an
attack, thus making it harder to be identified. My questions are how is
this possible, what software is used and how can one defeat this type of
attack?

Thank you for your time in reading this message. I look forward to your
future Happy Hacker bulletins.

Sincerely
Kevin Clancy

[Ed- Take a look below at the "IP Spoofing" Section]

-----------------------------------------------------------------------

Devin Morin <devlinc@home.com> wrote:

Dear Sir/Madam,

  As a graphic artist/web designer, my expertise is in logos, animations,
etc.  However, I recently have been finding my customers asking me to go
one step further and supply web space as well.  So with good business
sense in mind, I found a fast, reliable server which offered a reseller
program so I could bill my own customers... GREAT!  ...NOT... I am not
much of a high level programmer.  The extent of my programming stops at
java scripts, cobol, basic, dbase and some C.  The 40 page "Manual" I
received from them was supposed to contain pertinent information on the
unix servers I am leasing from them... turns out that they are no more
than the equivalent of a "DOS for Dummies" style of book which basically
says.."This is where your directories are located and this is how to get
to them...."  Which leads to my dilemma...

  I need to place counters on my customers pages as well as access to
form data, etc..  There are no pre-supplied counter scripts or the such in
my directories and I don't know how to code them.  I'm sure I could go get
a book and figure it out.. but I don't have the time to p!ss around with
excess scripting or education for that matter.  As well..  I know nothing
about setting up proper directory access and other unix related commands.

  Could you please point me in the direction of the information I seek?

Sincerely,
Devin
DevL Interactive Media and Design.

[Ed- Yipe. Well, it's situations like this that lead to security breaches,
I'm sorry to say. (That and newbies setting up home Linux boxes connected
directly to the net) For your page counter problem, there are plenty of
stock scripts out there for free to download. Try searching yahoo. (How
many times have I said that in the past 4 months? ;) If you don't know how
to set up proper directory access, either don't or find someone who does.
Otherwise it will be an unauthorized someone who will set up access for
himself, I'm sorry to say. I can't say _be_careful_ enough, I guess.]

-----------------------------------------------------------------------

Jes Khangura <rocketir@hotmail.com> wrote:

Hello,
 Question about secure shell.  Can you give me the particulars
on what it can and can't do.  I work for a government contractor and
during certain times of the year we conduct 'events'.  During these
events we capture some data to a computer (a sun station ultra 1).
During the capture we real time send this stuff on the network to
certain other locations.  Because of the sensitivity of this material
we use a NES box to encrypt on one end and decrypt on the other.  We
use the UDP protocol to do this.  My question really is: how good is
secure shell?  Can it really encrypt and decrypt the packets that we
are sending?  Thanks

Jes Khangura

[Ed- I'm not sure I understand your question completely, but let me take a
shot. SSH can be used to create an encrypted remote login session, a la
telnet. It's not completely foolproof, I'm sure. (We all remember the SSH
exploit from not too long ago) Now, if you're wondering if SSH can pick up
your encrypted packets between your two NES boxes, I would say no. There
are much better places than me to find out more about SSH. Also check out SSL
and FreeS/WAN at the URLs above. Those of you looking for an overview of
NES boxes can also check the URL section for a link.]

-----------------------------------------------------------------------

Robert Donald Leclerc <rdlecler@ucalgary.ca> wrote:

  I was looking around but didn't seem to find anything on the happy
hacker web site, or anywhere on antionline. The question I have is, are
there any scripted or documented exploits that were successful on koan or
any of the other boxes? I am familiar with unix, and so would at most only
need a brief commentary on any of the commands, but would very much like
to see successful line by line text of how it was done, and what was
accomplished. This was done in Farmer's famous essay, and I was wondering if
there were any other similar examples perhaps captured on some history
file?

4xiom

[Ed- This vulnerability on koan was not something you'll find on hundreds
of servers out there...it was planted. I know there were other root-ings
of koan, but I don't have the explanations handy anymore. Hope this one
helps.]
 

Sweasel18@aol.com <Sweasel18@aol.com> wrote:

I wrote a small paper to detail Mysidia's hack because his explanation
left a lot of newbies clueless.  If you can fix any errors in my paper that
would be appreciated.  Feel free to add anything too.  I just want the
newbies to be able to understand it so they will stop asking about it and
so they can learn something too.  I can definitely say I learned something
from his hack.

First I would like to congratulate Mysidia on his/her hack. I'm in #koan
all the time and have had quite a few people come in and ask how mysidia
got root. I guess not everyone is able to understand Mysidia's explanation
(personally I thought it was pretty good).  I am going to try to tell you
how he did it in more detail.  Since I am not mysidia I might be off on
some things so don't take this as 100% accurate.

Satori gave the clue that there was a permissions hole and that the hole
opened monthly.  The fact that it opens monthly should lead you to the
crontab file in /etc.  Go there and you notice monthly is run monthly and
monthly runs a file called monthly.local.  In monthly.local is a command,
build world, and this compiles a lot of files including ping.c.  Now at this
point you don't know that ping.c is where the hole is.  This is probably
when Mysidia gave the command

nice +20 find /usr/src -type f -perm -o+w > .somefile &

I'm not real familiar with this command but I can explain some of it.  The
find is looking for files in /usr/src that have world write permissions.
It saves the results to .somefile and the & makes the command run in the
background. Now mysidia probably opened up .somefile and found ping.c in
there.  Now he adds some C code of his own to ping.c and then waits for
crontab to compile it. Satori noticed someone found the hole and modified
ping.c so he had it compile early, but if Satori hadn't done that the
crontab would have done it at the end of the month.  Once it compiled
Mysidia probably just had to execute the ping command and then he
obtained root.  Mysidia has patched this hole so you CAN NOT use it to get
root!

Feel free to add anything and fix any of my errors.  This may not be
totally accurate but it should give you a good idea as to how Mysidia
rooted Koan. For the newbies that don't know unix or don't understand the
basics of how to hack, visit sites like www.antionline.com and view
their beginning guides to hacking unix.  Most of these guides will start
by telling you the basic Unix commands.

BladerHater

[Ed- Thanks BladerHater...I didn't have any good justification to post
this one until now.]

***********************************************************************
      *** Reader Submissions
***********************************************************************

Nils van den Heuvel <n.heuvel@wxs.nl> wrote:

First of all... Dear editor... You are absolutely right... I should have
been more tactful. I apologize to all I may have offended with my
previous message.

> Nils van den Heuvel sent you a reply to someone's submission in the
> latest unix digest, sent on april 3rd.
> He called the counter measure stupid, and saying that it would be easy
> to send a packet with a spoofed ip address and thus causing a mixup.
> I do agree with the fact that this COULD be accomplished, and also
> with the fact that boasting about "things you could have done" is
> childish. But it makes me wonder how in the hell the "Smart Hacker"
> would know about the counter measure in the first place?? Would he not
> have to send a packet with his real ip address first, or something??
> What I'm trying to say is that, the theory behind the "counter port
> scanner" still stands. Unless of course the counter scanner goes around
> boasting and playing "Big Bad Hacker", hence revealing that he has a
> counterscanner.
>  =)

That would be one way :)

But if the "smart hacker" has cruel intentions (now also a movie!) and is
as smart as the name "smart hacker" suggests, he probably won't be using
his own dialup account and will be using a number of "relays"... So it
won't be a very serious problem if the attacker reveals "his" (the one
of the relay he used to access the system) IP...

This "counter-portscanning" would only be useful if you are planning on
"attacking" the attacker (which would not be proper sysadmin
behaviour)... Else you'll only be collecting useless information, because
the IP and the time would suffice if you're planning on only tracking
down the attacker, and this data can be collected from the initial
package(s) the attacker sent...

> BTW, Nils, I hope you don't feel offended or anything.
> -ZenFire

Yes you have... You've hurt my feelings... Now I feel obligated to declare
a flame-war on you ;-)

Nils

-----------------------------------------------------------------------

Alex Harrington <fastkeys@btinternet.com> wrote:

>Marc Childress <marc.childress@lownotes.org> wrote:
>
>unixed.,
>
>As I understand it, RedHat's default installation is rather "insecure".
[SNIP]

Redhat puts on all the latest libs 'n' apps before they have had long
enough to iron out any bugs. If you need a secure distro, use Slackware.
It uses older libs and versions of apps which have very few bugs. The only
thing we do on the webservers at work is to edit /etc/securetty to ban
root telnets. Other than that, it seems to be pretty secure out of the
box.

Alex

fastkeys@btinternet.com

[Ed- Better yet, use OpenBSD ;)]

-----------------------------------------------------------------------

Jes Khangura <rocketir@hotmail.com> wrote:

Hello,
  I would just like to comment on the importance of locking your
.login and .cshrc (or whatever) scripts.  I am amazed at how many
people can leave these files open for public manipulation.  To
demonstrate my point a colleague of mine at work was repeatedly told
by me to lock up his files.  I wrote a little script that found all
the writeable startup files.  Now I am just a normal user so I guess
he paid me no mind.  But just to make my point I wrote a little script
and sourced it in his login file.  So when he next logged in it ran
the script.  Needless to say he mailed me his user name and password
and didn't even know it.  Imagine the shock when I told him his own
password.  (I later checked and he had his startup file locked.)

Jes Khangura

[Ed- Good deal! You get the gold "good hacker" star of the day! Probably
a good thing you knew him, otherwise you may have gotten a warrant and
matching handcuffs. I can't emphasize enough - breaking into somebody's
account or computer is illegal without their explicit permission.]
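As an added example (not from the digest or any of its contributors), here is the sysadmin's side of two posts above: the world-writable file under the source tree that cron compiled as root on koan, and the writable .login/.cshrc startup files in this post. It assumes a POSIX filesystem and builds a constructed sample tree in a temporary directory, so it runs offline against no real system.

```python
import os
import stat
import tempfile

# Shell startup files sourced at login: if someone else can write one, their
# commands run as the file's owner at the owner's next login.
STARTUP_FILES = (".login", ".cshrc", ".tcshrc", ".profile", ".bash_profile",
                 ".bashrc", ".logout")


def is_world_writable(path):
    """True for a regular file whose 'other' write bit is set (symlinks
    themselves are skipped; their targets are checked where they live)."""
    st = os.lstat(path)
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & stat.S_IWOTH)


def find_world_writable(root):
    """Walk root (the Python form of `find root -type f -perm -o+w`) and
    return the relative paths of regular files anyone can modify, sorted."""
    found = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if is_world_writable(full):
                found.append(os.path.relpath(full, root))
    return sorted(found)


def writable_startup_files(home):
    """Return startup files in home that group or other can write, mapped to
    their octal mode, so an admin can see exactly which bits are wrong."""
    bad = {}
    for name in STARTUP_FILES:
        path = os.path.join(home, name)
        if not os.path.isfile(path):
            continue
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            bad[name] = oct(mode)
    return bad


def build_demo_tree(base):
    """Constructed layout (not from any real system): a source tree in which
    ping.c was left world-writable, and a home directory with an open .login."""
    src = os.path.join(base, "usr", "src")
    home = os.path.join(base, "home", "user")
    samples = (("usr/src/sbin/ping/ping.c", 0o666),   # the hole
               ("usr/src/bin/ls/ls.c", 0o644),        # fine
               ("home/user/.login", 0o666),           # the hole
               ("home/user/.cshrc", 0o644))           # fine
    for rel, mode in samples:
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("# constructed placeholder\n")
        os.chmod(path, mode)
    return src, home


def audit_demo():
    """Build the demo tree in a temp dir and run both checks over it."""
    with tempfile.TemporaryDirectory() as base:
        src, home = build_demo_tree(base)
        return find_world_writable(src), writable_startup_files(home)


if __name__ == "__main__":
    sources, startups = audit_demo()
    print("world-writable files under /usr/src:", sources)
    print("group/world-writable startup files:", startups)
```

Point `find_world_writable` at a real source tree that a cron job builds as root, and `writable_startup_files` at each home directory, to get the same report for a live system.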

-----------------------------------------------------------------------

Anonymous wrote:

Hello,

ipfwadm has been replaced with ipchains in the 2.2.x kernels. In other
words ipfwadm is no longer supported by the 2.2.x kernel. I'm guessing
you upgraded via ftp or something similar.  You'll need to find the
change logs for upgrading from 2.0.x to 2.2.x on SuSE's site, there
should be someplace on there telling you all the packages that need to be
upgraded. If not, wander over to www.linuxhq.com and scroll down to the
linux kernel section, particularly the upgrading section. You also might
want to consider upgrading the kernel, considering it is up to 2.2.7 and
2.2.3 has several nasty bugs in it; check out a bugtraq list archive for
info on that (http://geek-girl.com/bugtraq/index.html). Then after
getting all the correct packages up to snuff go read up on ipchains.
http://linuxhq.com/HOWTO/IPCHAINS-HOWTO.html

-----------------------------------------------------------------------

Jeff <mgardinr@execulink.com> wrote:

I'm just reading some old Happy Hacker Unix digests and I don't know how I
missed this one.  I'm sorry I'm so late with this one but if it helps,
better late than never.  Editor, your answer was basically correct for
this but not as clear as it could have been.  Let me take a shot at it.
Problem:

Yan Haijin <seascene@163.net> wrote:

Dear Sir:
Happy new Year!
I am an engineering student in China. Now I encountered a question
about C language.  I downloaded some source code and want to compile it
under solaris 2.5 and there is one line on which cc gives me an error:

    u_long get_sp(void)
    {
        _asm_(mov %sp,%i0);
    }

Here the function get_sp wants to get the value of sp - it uses
embedded asm, but the function wants a return value while in the
function there's no return. So the cc compiler gives the error that
get_sp must specify a return value and exits the compiling process.
I do not know what to do because almost all the overflow source code
is written in this way. So would you please tell me how to solve this
problem? Your help will be greatly appreciated!
Thank you very much!
seascene

Answer

"mov %sp, %i0" is copying the contents of the stack pointer to the output
register and it is syntactically correct (looks like assembly for the
sparc!).  The line
"_asm_(mov %sp,%i0);" is instructing the program to compile this and
execute it.
The function
    u_long get_sp(void)
    {
        _asm_(mov %sp,%i0);
    }
is expecting a return value of type u_long (unsigned long int) however the
function doesn't actually contain the instruction to return the value of
the output register.  The purpose of this function is to return the
address of the stack pointer and my guess is that whoever wrote this is
trying to determine how much stack space they have.   The fix would be
    u_long get_sp(void)
    {
        return ( (u_long)_asm_(mov %sp,%i0) );
    }
All I've done is add the return command and cast the return from the line
        _asm_(mov %sp,%i0) as a long int.  (ie (u_long))
One final note, if it is assembly for the sparc I'm not sure the best way
to denote the stack pointer as an unsigned long int!

The second thing I wanted to do is share for your readership a neat little
xwindows trick.  If you want your local machine to display a window from
a remote computer do this:

in a shell on your local computer (with xwindows running) type

xhost +
Be warned (this reduces the security of your computer)

[Ed- So do this only if you know what you're doing.]

in a shell on the remote computer (with xwindows running) type

setenv DISPLAY my.computer.com:0.0  (for csh or tcsh)
export DISPLAY=my.computer.com:0.0 (for bash?!)
Then when you execute a command on the remote machine the window pops up
on your local display.  I may not have the bash command just right but in
principle you must set the DISPLAY var to have either the name of your
local machine:0.0 or the ip_address of your local machine:0.0. The xhost
+ line reduces the security of your computer by making your computer
accept signals from remote sources.

It's cool, try it.

[Ed- Again, try it if you know what you're doing...or are willing to open
a security hole.]

Cheers
Jeff

P.S.  Unixeditor, good work on the digest!

[Ed- Thanks, Jeff. Good work on this submission!]

***********************************************************************
      *** IP Spoofing
***********************************************************************

IP spoofing is the mechanism for tricking a target computer into thinking
it's receiving data from a source other than you. The main problem with
this, however, is that all of the target's responses will be directed at
the fake address. Let me give a (very obviously made-up) example:

My IP is 192.168.1.666 (ORIGIN)
My target's IP is 144.7.291.30 (TARGET)
I'm going to pretend I'm from 200.200.200.300 (FAKE)

Now, if ORIGIN connects normally to TARGET, the standard three-way
handshake establishes the TCP connection. If, when ORIGIN initiates the
connection, it uses FAKE's address instead, TARGET will try to respond to
FAKE. If FAKE is a real computer, and is alive, it will respond to TARGET
quizzically, basically saying, "Hey, I didn't send that!" So the
connection will not be created. If FAKE doesn't exist, or is unreachable,
TARGET will eventually realize this (it times out) and again the
connection will not be created.

To fully understand how this next part works, you need to know a little
about the way TCP works. Whenever you send a TCP packet (a chunk of data),
there are two 'sequence numbers' associated with it. These sequence
numbers keep everything in order, so if one packet gets lost and later
resent, the receiving computer knows where to put it. IP spoofing can
really only work if FAKE will not respond to TARGET (and thus not
interrupt the faked conversation). Imagine you're on a 3-way phone call,
and the other two parties don't know you're there. If you want to pretend
you're John Doe talking to his wife Jane, the REAL John could end the
charade rather quickly if he was on the line.
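The three outcomes just described (a normal handshake, a SYN claiming FAKE's address while FAKE is alive, and the same while FAKE is unreachable), as an added simulation that is not part of the original digest. It models the handshake in Python with the digest's made-up addresses as plain labels, sends no real packets, and assumes the standard behaviour that a host answers a SYN-ACK it never asked for with a reset.

```python
import random
from collections import namedtuple

# A TCP segment reduced to the fields the three-way handshake cares about.
Segment = namedtuple("Segment", "src dst flags seq ack")

# The digest's deliberately invalid example addresses, used here as labels.
ORIGIN, TARGET, FAKE = "192.168.1.666", "144.7.291.30", "200.200.200.300"


class Host:
    """Minimal TCP endpoint: remembers SYNs it sent and SYN-ACKs it awaits."""
    def __init__(self, addr):
        self.addr = addr
        self.sent_syn = {}      # peer -> our initial sequence number (ISN)
        self.half_open = {}     # peer -> our ISN, still waiting for its ACK
        self.established = set()
        self.log = []

    def connect(self, peer, src=None):
        """Send a SYN; `src` lets the sender write a forged source address."""
        isn = random.randrange(1 << 32)
        self.sent_syn[peer] = isn
        return Segment(src or self.addr, peer, "SYN", isn, 0)

    def receive(self, seg):
        """Handle one incoming segment and return the reply, if any."""
        peer = seg.src
        if seg.flags == "SYN":
            isn = random.randrange(1 << 32)
            self.half_open[peer] = isn
            return Segment(self.addr, peer, "SYN-ACK", isn, seg.seq + 1)
        if seg.flags == "SYN-ACK":
            expected = self.sent_syn.get(peer)
            if expected is not None and seg.ack == expected + 1:
                self.established.add(peer)
                return Segment(self.addr, peer, "ACK", seg.ack, seg.seq + 1)
            # "Hey, I didn't send that!": an unexpected SYN-ACK draws a reset.
            self.log.append("unsolicited SYN-ACK from %s: sent RST" % peer)
            return Segment(self.addr, peer, "RST", seg.ack, 0)
        if seg.flags == "RST":
            self.half_open.pop(peer, None)
            self.log.append("RST from %s: dropped half-open connection" % peer)
        elif seg.flags == "ACK":
            expected = self.half_open.get(peer)
            if expected is not None and seg.ack == expected + 1:
                del self.half_open[peer]
                self.established.add(peer)
        return None


def run_handshake(hosts, seg):
    """Pass segments between hosts until nobody replies and return the hops.
    A destination missing from `hosts` is unreachable: the segment vanishes."""
    trace = []
    while seg is not None:
        trace.append((seg.src, seg.dst, seg.flags))
        dest = hosts.get(seg.dst)
        seg = dest.receive(seg) if dest else None
    return trace


def scenario(spoof, fake_alive):
    """One connection attempt from ORIGIN to TARGET, optionally claiming to be
    FAKE. Returns (peers TARGET calls connected, hop trace, TARGET's log)."""
    random.seed(1999)                       # deterministic ISNs for the demo
    origin, target = Host(ORIGIN), Host(TARGET)
    hosts = {ORIGIN: origin, TARGET: target}
    if fake_alive:
        hosts[FAKE] = Host(FAKE)
    trace = run_handshake(hosts, origin.connect(TARGET, FAKE if spoof else None))
    for peer in list(target.half_open):     # never ACKed: TARGET times it out
        del target.half_open[peer]
        target.log.append("no ACK from %s: SYN-ACK timed out" % peer)
    return sorted(target.established), trace, target.log
```

`scenario(True, True)` traces SYN, SYN-ACK, RST and leaves TARGET with no connection; `scenario(True, False)` stops after the SYN-ACK and TARGET times the half-open entry out, while `scenario(False, False)` completes all three steps.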

I'm going to make this one a two-parter, since the digest is already
rather long. Look forward to part 2 of IP Spoofing in either the next
digest, or another very soon! In the meantime, look into the mechanics of
TCP, and everything will become clearer. Do a quick search on your
favorite search engine, or grab a networking book for more info. A quickie
link to a graphical representation of the 3-way handshake is at
http://gaia.cs.umass.edu/cs653-1998/notes/ch5-5/sld017.htm

Enjoy!

***********************************************************************
      *** Future Issues
***********************************************************************

[Ed- Sorry I haven't gotten to any of these yet. One of the following
(probably the Wargame one due to popular demand) will definitely be in the
next digest...I promise!]

Setting up your own Wargame
Onion Routing
How Private is it?
_______________________________________________________________________
To subscribe to the Happy Hacker Digest, email mailman@antionline.com
with the message "subscribe happyhacker."  Unsubscribe with message
unsubscribe happyhacker.

This is a list devoted to *legal* hacking! If you plan to use any
information in this Digest or at our Web site to commit crime, go away!
Foo on you! Don't email us bragging about any crimes you may have
committed.  We mean it.

For Unix questions, contact unixeditor@cmeinel.com.

Happy Hacker staff: Unix editor, <unixeditor@cmeinel.com>;
Windows editor, <editor@cmeinel.com>; Hacker Wargame
Director, Vincent Larsen <vincent@sage-inc.com>;
Clown Princess: Carolyn Meinel <>

Happy Hacker is a 501 (c) (3) tax deductible organization

 © 2013 Happy Hacker All rights reserved.