
Unix Edition, May 08, 1999
_______________________________________________________________________
See the Happy Hacker web site at http://www.happyhacker.org
URL of the day:
http://www.it.uq.edu.au/groups/csm/dcc.html - Decompile to C from binary
_______________________________________________________________________

Editor's Comments
URLs
Nuggets of Info
Reader Questions
Reader Submissions
Piles more UNIX commands
Future Issues

***********************************************************************
      *** Editor's Comments
***********************************************************************

Submissions as a whole have slowed down considerably. Fortunately, the
quality of the posts I _do_ receive has been steadily increasing. You may
notice me answering some questions only distantly related to security...
Basically, I thought they were interesting, and some of you may find them
interesting too. Enjoy! I received one email asking to note the author of
each section in the digests. Unless I explicitly name a person (or
anonymous) before the submission, you can assume that the piece was
written by _me_, your caring, supportive UNIX editor. Many of the URLs I
dig up myself, and some are contributed by readers. The Editor's Comments
section is by me, surprise surprise.

Oh, and I don't take unsubscribe requests. Look at the bottom of the
message for unsubscribe info.

***********************************************************************
      *** URLs
***********************************************************************

RFC2068 - HTTP/1.1 Specification
http://www.cis.ohio-state.edu/htbin/rfc/rfc2068.html

A search engine for RFCs
http://www.faqs.org/rfcs/

Armoring Solaris (Lance is so cool!)
http://www.enteract.com/~lspitz/armoring.html

comp.lang.c FAQ
http://www.eskimo.com/~scs/C-faq/top.html

Cheap Linux CDs & stuff
http://www.linuxcentral.com/

List of free shell accounts
http://www2.arnes.si/~sudmslad/freeunix.htm

Security Papers and Documents (lots!)
http://www.telstra.com.au/pub/docs/security/

"A Linux Programming Call to Arms"
http://www.lgcy.com/users/b/billspg/writings/Linux2desktop.htm

Kevin Mitnick Info
http://www.freekevin.com/
http://www.takedown.com/

***********************************************************************
      *** Nuggets of Info
***********************************************************************

1) Trying to get online with Linux? Check the documentation at the site
   of your particular distribution. Maybe I'll write up a little tutorial
   one of these days.

2) Decompilers may generate very hard-to-understand code. Be sure you
   know assembly before you use one seriously.

3) Linux is not a "point-and-click-instant-gratification" operating
   system. You may actually have to work to get it up and running. Then
   again, you may not.

4) Changing the source address of packets, be it TCP, UDP or ICMP will
   require you to learn how to manipulate raw sockets. Chapter 25 of
   Stevens' "UNIX Network Programming" would do you well.

5) Port 12345 open on a UNIX server may be a trap for script kiddies
   looking for a NetBus target.

6) UNIX and Linux are not languages. They are operating systems. They are
   the programs that make the computer run and do things for you. C, C++
   and Java are languages.

7) You're never wasting time if you're learning something.

8) Bored, you say? Install Linux. Too much work? Go play Solitaire.

9) Windows inserts a CR and a LF when you hit <ENTER> in Notepad.
   Typically, UNIX-based text editors only use the CR. There are plenty of
   utilities out there that will strip off the extra characters. This
   extra character per line would not make the file completely illegible,
   however, as one poster claimed.

***********************************************************************
      *** Reader Questions
***********************************************************************

Ristridin <ristridin@earthling.net> wrote:

Hi  all!

I got a question concerning an error msg I get when trying to use ipfwadm.
Whenever I type something like "ipfwadm -I -p deny" it responds with the
error message "SetSockOpt failed; Protocol not available". Anyone got a
clue what's wrong? My TCP/IP Networking works btw.

Here some info on my system...

SuSE Linux 6.1 Beta, Kernel 2.2.3; Firewalling options enabled
Networking via Network card and ISDN. Works so far....

I'd greatly appreciate your sending me some information on how to solve
the problem.
cya
Ristridin

[Ed- Hmm. I'm at a loss here. The only thing that comes to mind is that
your kernel is not compatible with your firewalling software. If you took
a stock distribution that started with kernel 2.0.* and upgraded it
directly to 2.2.3, you may have some software conflicts. Check SuSE's
website for any compatibility issues. I know Debian 2.1 has minor problems
if you replace the 2.0.35 kernel with 2.2.* - Anybody care to back me up?]

-----------------------------------------------------------------------

Justaworm <justaworm@earthlink.net> wrote:

I have heard that we are legally allowed to hack, crack, and disrupt
computer systems of those countries in which we are legally at war with. I
can't seem to find anyone who knows if this is true or not. It sounds
reasonable to me, but the man seems to have a stick up his arse when you
talk about any hacking of any nature during any time. Do you know if this
is true or not?
Thanks,

--Justaworm

[Ed- Let's say we declare war on Foobarland. You would not be in your
rights to fly over there and start shooting people up with your hunting
rifle. Why would this be any different? I think someone is pulling your
leg, or there's an urban legend out there that I don't know about. In
short, "Not true." Check

http://www.foxnews.com/js_index.sml?content=/world/041599/kosovoside_hackers.sml

for a news story on this.]

-----------------------------------------------------------------------

Kevin Matthews <kbmatt@biosys.net> wrote:

Hi,
    I have a question about the boot process in Linux.  I hope it's not
beyond the scope of this list, because I've looked for the answer
elsewhere and can't seem to find it.  I am trying to build my own
distribution from the ground up as a learning experience.  So far I have
created a partition with an F.H.S. compliant filesystem, created all of
the necessary device files, installed lilo, init and the kernel.  I am
almost 100% sure I have at least this much done correctly.  Then, when I
try to boot the partition, the kernel boots and everything works fine
until just after / is mounted read-only.  At this point the kernel usually
hands off control to init.  The problem is that it's not happening.  The
boot process just hangs.  I tried re-naming sh to init, so I could at
least get a shell up, but that didn't work either.  My question is, are
there any binaries the kernel needs before it hands control to init (I
thought maybe it was hanging because it couldn't find some binary it
needed), and if not do you have any suggestions as to what the problem
might be?  Thank you.

Kevin

[Ed- Umm. I have no clue...never tried to do this. Not exactly
security-related, but I let this one slip in because it seemed like a very
hackerish thing to do (building your own distribution). Anybody have ideas
for Kevin?]

-----------------------------------------------------------------------

Dave Andrews <dave31_5@hotmail.com> wrote:

Hi

I was very interested on the article about buffer overflows but am not
any good at assembler.

[Ed- a good reason to learn, no?]

I have however been told that using gcc C++ progs can be compiled into
assembler code. Is this true and if so can this code be used in buffer
overflows as the assembler section?

Thanks very much
Dave.

[Ed- Yes, this is true. With the -S flag, both gcc and g++ will generate
assembler code from a C/C++ file. You still need to know what the
assembly code does, though. Have you read "Smashing the Stack for Fun and
Profit" yet?]

***********************************************************************
      *** Reader Submissions
***********************************************************************

Sniper <n8yul@stratos.net> wrote:

I work for a school system as a Network Admin and we have a lot of
potential hackers that try and break into some of our systems and try to
bypass the proxy server. One of the tricks they try is first to change
their TCP/IP address (and they think that this would elude us), and then
start hacking, but some of them don't realize that I don't need the IP
address; the sniffers we use give us both IP and MAC address. They just
started this and we caught 2 students this month trying this. I hope this
helps out....

John
LKWDSCHOOLS Network Admin/Technician.

-----------------------------------------------------------------------

Nils van den Heuvel <n.heuvel@wxs.nl> wrote:

> Horrorshow wrote:
> Hey.  If programs like su, passwd, and login can read (as well as edit,
> in the case of passwd) the shadow file, why couldn't programs like
> leet0unixCracker?  What makes those programs special?  Can that
> specialosity be harnessed by leet0 hax0r progs?

They are SUID (Set User ID) programs... SUID is a special bit (like r, w
and x, see "man chmod" to find out how to set them) that can be set on a
file...

OK, let's assume we have two users on a system... One is the root user
called "root" and the other is a normal user called "inferior" :-)
Normally, when a program is started by "inferior" it will get
"inferior"'s privileges... So, when "inferior" runs a text editor on
/etc/passwd, he can't change it, because the text editor has gotten his
privileges and /etc/passwd can (usually) only be changed by users with
root privileges...

When this SUID bit is set on an executable file, it will get the
privileges of the owner of the file (and not of the person who executed
it)... So if "inferior" executes a text editor with the SUID bit set on
it, and it's "owned" by root, he will be able to edit every file on the
system...

Usually only specially written programs get SUID root privileges, because
setting it on a wrong file can open HUGE security holes... Passwd is such
a program, it needs to be executed by all users (for changing their
passwords) and it needs root access to write the new password to the
password file (and perhaps reading the old one from /etc/shadow)... So
passwd is owned by root and it has the SUID bit set on it...

And sure, your "leet0 hax0r progs" can be SUID root too... But only if
they are installed on the system by root... Sure, you (the user with
normal privileges) can install it too, and you can even set the SUID bit
on it, but the program will be owned by you (because you installed it),
so if it gets executed it will get your privileges instead of root
privileges, and it isn't possible to "chown" (man chown: change the
owner of a file) it to root.... If it were possible, it would be very
easy to hack a system once you have an account on it: just write a
shellscript that executes bash, sh, or another shell... set the SUID bit
on it and then chown it to root... this would give you a root shell...
but it just isn't possible...

Nils

ps. Read up on UNIX file-permissions

[Ed- Good, bad, I'm the guy with the gun. Sorry. Just felt like saying
that. Good article, Nils!]
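An added audit script for the point Nils makes above; this is not Nils's or the digest's code, and the function names and the demo directory it builds are this example's own. It lists every set-user-ID file under a directory together with its owner and whether it is an interpreter script or a binary, which is exactly the pairing that matters: a user can set the SUID bit on his own script, but the file stays owned by him, so the bit grants nothing, while a SUID file owned by root (a script in particular) is what an administrator wants to know about.

```shell
#!/bin/sh
# Added example (not code from the digest): audit set-user-ID files.
# audit_suid DIR  -> one line per SUID file: "path owner kind"
# where kind is "script" if the file starts with "#!" and "binary" otherwise.
audit_suid() {
    dir=${1:?usage: audit_suid <directory>}
    # -perm -4000: the set-user-ID bit is present (POSIX find, octal mode)
    find "$dir" -type f -perm -4000 2>/dev/null | while read -r path; do
        # owner is the third column of ls -ld (portable, unlike stat)
        owner=$(ls -ld "$path" | awk '{print $3}')
        # interpreter script or compiled binary? check the first two bytes
        if [ "$(dd if="$path" bs=2 count=1 2>/dev/null)" = '#!' ]; then
            kind=script
        else
            kind=binary
        fi
        printf '%s %s %s\n' "$path" "$owner" "$kind"
    done
}

# count_suid_root DIR -> how many SUID files under DIR are owned by root,
# i.e. the ones that actually confer root privileges when run
count_suid_root() {
    audit_suid "$1" | awk '$2 == "root"' | wc -l | tr -d ' '
}

# Demo on a constructed directory (hypothetical; built in a temp dir):
# an ordinary user sets SUID on his own shell script, Nils's scenario.
demo_dir=$(mktemp -d)
printf '#!/bin/sh\nexec sh\n' > "$demo_dir/leet.sh"
chmod 4755 "$demo_dir/leet.sh"       # SUID bit set, but owner is still us
printf 'plain data\n' > "$demo_dir/notes.txt"
chmod 644 "$demo_dir/notes.txt"      # no SUID bit, must not be listed

audit_suid "$demo_dir"
echo "SUID root files: $(count_suid_root "$demo_dir")"
```

Run it over / (or /usr and /usr/local) to see the handful of programs like passwd that legitimately carry the bit, and treat any SUID root script or any unexpected owner as something to explain.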

-----------------------------------------------------------------------

Ben Jackson <ben@bensheila.demon.co.uk> wrote:

Hello.

Thanks for the column, I've been reading for about a year now and always
find something interesting. Many ideas I've picked up from the Unix Digest
are now full scripts running on production systems where I work.

Anyway, I was on a *nix course recently which involved thirty or so
students each with a Sparc workstation networked in a classroom situation.

As you can probably imagine an enjoyable part of this course was gaining
root access to one of the other students' workstations remotely and
ejecting their CD ROM trays / floppies etc to surprise them.

Their responses ranged from "You b*&??rd" to "I think we may have a
ghost in here".

Anyway whilst on this course I wrote the following script to prevent
others doing unto me what I had done to them.

It loops, execing itself, until a specified user (root) logs in and will
then kill and log any root users logging on remotely from any server
other than your own.

This of course stops rlogin, telnet etc. attacks by anyone who may have
gained your root password, but is not sitting at a terminal connected to
your host.

#!/usr/bin/ksh
# Script       :    rootout.ksh
# Author  :    Ben Jackson
# Date         :    04/04/1999
# Comments     :    Searches for root users logging in from other hosts.

# Set up our allowed localhost variable, written the way "who -u" shows
# the host column (in parentheses).
LOCAL="(cc1)"
# Remote user to keep out.
OUT=root
# The name of this script.
SCRIPT=${0}
# Keep a log of unauthorised users here.
LOG=/tmp/rootout.log

# Wait until the watched user logs in from somewhere other than LOCAL.
while who -u | grep "${OUT}" | grep -v "${LOCAL}"
do

# Look at the information of every user currently logged in, one "who -u"
# line per iteration. (The original quoted the backticks, which handed the
# whole output to the loop as a single item.)
who -u | while read USER
do
  # Users login name stored in NAME variable.
  NAME=`echo ${USER} | awk '{print $1}'`
  # Users process id in this variable. Field numbers are those of the
  # Solaris "who -u" layout: name line month day time idle pid (host).
  PID=`echo ${USER} | awk '{print $7}'`
  # The name of users computer here.
  HOST=`echo ${USER} | awk '{print $8}'`

  # Check if user is allowed to be here: the watched user, from a host
  # other than our own. If not they are killed and their info written to
  # the logfile. (The original compared NAME with itself, which was
  # always true, so every session from another host would have been killed.)
  if [[ "${NAME}" == "${OUT}" && "${HOST}" != "${LOCAL}" ]]
    then
    # Take the date and time now rather than once at script start, so the
    # logfile shows when the login happened.
    DATE=`date +%a" "%b" "%e`
    TIME=`date +%H:%M:%S`
    # Take down the users particulars and write into the logfile.
    echo "Someone from ${HOST} logged in as ${NAME} on ${DATE} at ${TIME}" >> ${LOG}
    # Kill off the offending user; send additional info to logfile.
    kill -9 ${PID} >> ${LOG} 2>&1
    fi
done

done

exec ${SCRIPT}

--
Ben Jackson

[Ed- This will work, albeit in a somewhat roundabout way. An attacker
could login and just su to root. Also, this method gives them a split
second as root, if they try to login as such, they may be able to do their
deeds before you can kill the session. My Debian Linux box at home has
remote root logins disabled by default, so this isn't a problem. To
prevent root from telnetting into a Solaris box, make sure CONSOLE is set
to something...probably /dev/console in /etc/default/login]
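The detection half of Ben's script, as an added example that is not part of his post or the digest: a function that reads "who -u" style lines and reports the PID and host of every session for the watched user that did not come from the allowed host. The function and variable names and the sample "who -u" lines are this example's own; the field layout assumed is the Solaris one Ben uses (name, line, month, day, time, idle, pid, host), and because it takes the host and PID from the end of each line it also works with the Linux layout, which prints an ISO date in place of month and day.

```shell
#!/bin/sh
# Added example (not Ben's rootout.ksh): pick out remote root sessions
# from "who -u" output so the policy can be tested without killing anyone.
#
# remote_root_sessions OUT LOCAL < who-output
#   Prints "pid host" for every line where the user is OUT and the host
#   column is present but is not LOCAL. Console logins (no host column)
#   and sessions from LOCAL are skipped, matching the script's intent.
remote_root_sessions() {
    awk -v out="$1" -v loc="$2" '
        $1 != out          { next }   # not the user we are watching
        $NF !~ /^\(.*\)$/  { next }   # no parenthesised host: console login
        $NF == loc         { next }   # the one host root may come from
        { print $(NF-1), $NF }        # pid and host of a remote session
    '
}

# Constructed "who -u" output for the demo (made up, not a real system):
# a console root login, a local root pts session, an ordinary user, and two
# root sessions from elsewhere, one of them from outside the classroom net.
SAMPLE_WHO='root     console      May  8 09:12   .     212
root     pts/0        May  8 09:20   .     300  (cc1)
inferior pts/1        May  8 09:30   .     318  (cc7)
root     pts/2        May  8 09:41   .     401  (cc7)
root     pts/3        May  8 09:42  00:03  455  (203.0.113.9)'

# count_sample -> number of sessions rootout.ksh would kill on this sample
count_sample() {
    printf '%s\n' "$SAMPLE_WHO" | remote_root_sessions root "(cc1)" \
        | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_WHO" | remote_root_sessions root "(cc1)"
echo "sessions to kill: $(count_sample)"
```

As the editor notes, this only catches a session after it exists; disabling remote root logins (CONSOLE in /etc/default/login on Solaris) closes the window instead of racing it.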

-----------------------------------------------------------------------

A. Kock <askaruba@setarnew.aw> wrote:

Nils van den Heuvel sent you a reply to someone's submission in the latest
unix digest, sent on april 3rd. He called the counter measure stupid, and
said that it would be easy to send a packet with a spoofed ip address and
thus cause a mixup. I do agree with the fact that this COULD be
accomplished, and also with the fact that boasting about "things you could
have done" is childish. But it makes me wonder how in the hell the "Smart
Hacker" would know about the counter measure in the first place?? Would
he not have to send a packet with his real ip address first, or
something?? What I'm trying to say is that, the theory behind the "counter
port scanner" still stands. Unless of course the counter scanner goes
around boasting and playing "Big Bad Hacker", hence revealing that he has
a counterscanner.  =)
BTW, Nils, I hope you don't feel offended or anything.
-ZenFire

-----------------------------------------------------------------------
Ben Jackson <ben@bensheila.demon.co.uk> wrote:

Hello again.

One of the HH readers FuzzyFlup <flup@telekabel.nl> wrote the following:

>Hiya!
>
>I was wondering is there is a little program or script out there, which
>does the following:
>
>- Check a file content for several certain words or numbers, to specify
>  by the user
>- Gives a beep or another alert when it finds it
>- Deletes and remakes the file when it reaches a certain size, also to
>  specify by the user
>
>I'd like to use it with tcpdump > outputfile, because I don't always
>watch my tcpdump, and the connects scroll by very fast too. Thanks!

Which set me thinking, being as I had a day off work.

For the first problem, ie check a file and alarm when a string is found,
here is a Korn shell script which does the job.

It requires two command line arguments, the first being the string to
find and the second being the file to check.

The ALARM message output can be modified to suit the user and then maybe
put on cron ie. * * * * * search.ksh

#!/bin/ksh
# Script        : search.ksh
# Author        : Ben Jackson
# Date          : 06/04/1999
# Comments      : Searches text files for a certain string and bleeps
#                 when it finds it.

USAGE="${0}: <String to find> <File to check>"

# Check user has supplied a string to find as the first argument
if [[ ${1} == "" ]]
then
        print ${USAGE}
        exit 1
else
        STRINGTOFIND=${1}
fi

# Check user has supplied a file to check as the second argument
if [[ ${2} == "" ]]
then
        print ${USAGE}
        exit 1
else
        FILETOCHECK=${2}
fi

# Make sure the file can actually be read before looping over it
if [[ ! -r ${FILETOCHECK} ]]
then
        print "${0}: cannot read ${FILETOCHECK}"
        exit 1
fi

# Check file specified, line by line. The line is read and echoed with -r
# and quoted so backslashes, spaces and shell wildcards in it survive.
while read -r LINE
do
        if print -r -- "${LINE}" | grep -- "${STRINGTOFIND}" > /dev/null 2>&1
        then
        # ALARM Beep and print line if specified string is found in it
                print -n "\007"
                print -r -- "${LINE}"
        fi
done < ${FILETOCHECK}

Hope this is of use to some readers.

Cheers
--
Ben Jackson

[Ed- More shell script coolness from Ben!]
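FuzzyFlup's second and third wishes (an alert when a match turns up, and recreating the capture file once it passes a user-chosen size) are what Ben's search.ksh leaves out; here is an added example covering them, written for this digest and not taken from Ben's post. The function names and the tcpdump-style sample lines are this example's own, and it assumes the file is being written by a tcpdump whose output was redirected with the shell.

```shell
#!/bin/sh
# Added example (not Ben's search.ksh): alert on matches and cap the size
# of a "tcpdump > outputfile" log, suitable for running from cron.

# count_hits FILE PATTERN -> number of lines containing PATTERN. The match
# is a fixed string (-F), so the dots in an IP address are not wildcards.
count_hits() {
    grep -F -c -- "$2" "$1" || true       # grep exits 1 on zero matches
}

# watch_capture FILE PATTERN MAXBYTES
#   Prints the matching lines and beeps (BEL on stderr) if there are any,
#   then empties FILE when it has grown past MAXBYTES.
watch_capture() {
    file=$1 pattern=$2 maxbytes=$3
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    if [ "$(count_hits "$file" "$pattern")" -gt 0 ]; then
        grep -F -- "$pattern" "$file"
        printf '\007' >&2                 # ALARM beep
    fi
    size=$(wc -c < "$file" | tr -d ' ')
    if [ "$size" -gt "$maxbytes" ]; then
        # Truncate in place rather than rm + touch: the running tcpdump
        # keeps its descriptor on the old inode, so a freshly created file
        # would never receive any data.
        : > "$file"
    fi
    return 0
}

# Constructed tcpdump-style lines for the demo (made up, not a capture)
SAMPLE_DUMP='09:41:02.113 IP 203.0.113.5.51234 > 198.51.100.7.23: S 1:1(0) win 512
09:41:02.119 IP 198.51.100.7.23 > 203.0.113.5.51234: S 3:3(0) ack 2 win 8760
09:41:05.004 IP 192.0.2.10.44000 > 198.51.100.7.80: S 9:9(0) win 16384'

demo=$(mktemp)
printf '%s\n' "$SAMPLE_DUMP" > "$demo"
watch_capture "$demo" 203.0.113.5 1000000   # prints the two matching lines
watch_capture "$demo" 203.0.113.5 64        # ...and then empties the file
ls -l "$demo"
rm -f "$demo"
```

Start the capture with "tcpdump >> outputfile" rather than ">": with append mode every write lands at the current end of the file, whereas with ">" the writer keeps its old offset after the truncation and the file comes back as a run of NUL bytes followed by new data.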

***********************************************************************
      *** Piles more UNIX commands
***********************************************************************

Thanks to CXref32@aol.com for compiling and sending this list of UNIX
commands. I have mentioned some of these before, and not all of them may
be available on your particular computer. As usual, type man <command> for
more information on any of these.

=============
Communication
=============
cu -- Connect to UNIX system
ftp -- file transfer protocol
login -- Sign on to UNIX
mailx  -- Read or send mail
rlogin -- Sign on to remote UNIX
talk -- Write to other terminals
telnet -- Connect to another system
vacation -- Respond to mail automatically
write -- Write to other terminals

===========
Comparisons
===========
cmp -- Compare two files
comm  -- Compare items in files
diff  -- Compare two files
diff3 -- Compare three files
dircmp -- Compare directories
sdiff -- Compare two files, side-by-side

================
File Management
================
cat -- Join files or display them
cd -- Change directory
chmod -- Change access modes on files
cp -- Copy files
csplit -- Break files at specific locations
file -- Determines a file's type
head -- Show the first few lines of a file
install -- Set up system files
ln  -- Create filename aliases
ls -- List files or directories
mkdir -- Create a directory
more  -- Display files by screenful
mv -- Move or rename files or directories
pwd -- Print your working directory
rcp -- Copy files to remote system
rm -- Remove files
rmdir -- Remove directories
split -- Split files evenly.
tail -- Show the last few lines of a file
wc -- Count lines, words, and characters

==============
Miscellaneous
==============
banner  -- Make posters from words
bc -- precision calculator
cal -- display calendar
calendar -- check for reminders
clear -- clear the screen
kill -- terminate a running process
man -- get information on a command
nice -- Reduce a job's priority
nohup -- Preserve a job after logging out
passwd -- Set password
script -- Produce a transcript of your login session
spell -- Report misspelled words
su -- become a superuser

=========
Printing
=========
cancel -- Cancel a printer request
lp -- Send to the printer
lpstat -- Get printer status
pr -- Format and paginate for printing

============
Programming
============
cb -- C source code "beautifier"
cc -- C compiler
cflow -- C function flowchart
ctags -- C function references
ctrace -- C debugger
ld -- link editor
lex -- Lexical analyzer
make -- Execute commands in a specified order
od -- dump input in various formats
sdb  -- Symbolic debugger
strip -- Remove data from an object file
truss -- Trace signals and system calls
yacc -- Compiler used with lex

==========
Searching
==========
egrep -- Extended version of grep
fgrep -- Search files for literal words
find -- Search the system for filenames
grep -- Search files for text patterns
strings -- Search binary files for text patterns

==================
Shell Programming
==================
echo -- Repeat input on the output
expr -- Perform arithmetic and comparisons
line -- Read a line of input
sleep -- Pause during processing
test -- test a condition

=======
Storage
=======
compress -- compress files to free up space
cpio -- copy archives in or out
pack -- pack files to free up space
pcat -- Display contents of packed files
tar -- tape archives
uncompress -- Expand compressed (.Z) files
unpack -- Expand packed (.z) files
zcat -- Display contents of compressed files

==============
System Status
==============
at -- Execute commands later
chgrp -- Change file group
chown -- Change file owner
crontab -- Automate commands
date -- Date or set date
df -- Show free disk space
du -- Show disk usage
env -- Show environment variables
finger -- Point out information about users
ps -- Show processes
ruptime -- Show loads on working systems
shutdown -- Revert to single-user mode
stty -- Set or display terminal settings
who -- Show who is logged on

===============
Text Processing
===============
cut -- Select columns for display
ex -- Line-Editor underlying VI
fmt -- Produce roughly uniform line lengths
fold -- Produce exactly uniform line lengths
join -- Merge different columns into a database
nawk -- New version of awk (pattern-matching language for database
files)
paste -- Merge columns or switch order
sed -- Noninteractive text editor
sort -- Sort or Merge files
tr -- Translate (redefine) characters
uniq -- Find repeated or unique lines in a file
vi -- Visual text editor
xargs -- Process many arguments in manageable portions

======
Troff
======
deroff -- Remove troff codes
eqn -- Preprocessor for equations
nroff -- Formatter for terminal display
pic -- Preprocessor for line graphics
tbl -- Preprocessor for tables
troff -- Formatter for typesetting

***********************************************************************
      *** Future Issues
***********************************************************************

Setting up your own Wargame
Onion Routing
How Private is it?

_______________________________________________________________________
To subscribe to the Happy Hacker Digest, email mailman@antionline.com
with the message "subscribe happyhacker."  Unsubscribe with message
unsubscribe happyhacker.

This is a list devoted to *legal* hacking! If you plan to use any
information in this Digest or at our Web site to commit crime, go away!
Foo on you! Don't email us bragging about any crimes you may have
committed.  We mean it.

For Windows questions, email keydet89@yahoo.com.
For Unix questions, contact unixeditor@cmeinel.com.
For Macs, email Strider <s.corinth@iname.com>

Happy Hacker staff: Unix editor, <unixeditor@cmeinel.com>;
Windows editor, Keydet89 <editor@cmeinel.com>; Hacker Wargame
Director, Vincent Larsen <vincent@sage-inc.com>;
Clown Princess: Carolyn Meinel <>

Happy Hacker is a 501 (c) (3) tax deductible organization
in the United States operating under Shepherd's Fold Ministries.

 © 2013 Happy Hacker All rights reserved.