Sunday, 16 September 2012

A Basic Unix Overview






  UNIX FOR DOS ADDICTED WaReZ PuPPieZ AND THEIR PETS


  Introduction

  ------------


  One of the most common operating systems in existence is Unix. Unix
  exists in many different flavors, from Berkeley BSD to AT&T System V
  to SunOS. Basic working knowledge of Unix is almost essential to a
  hacker, as it is the system a hacker is most likely to come across.
  If you intend to use the internet at all, or to do any serious
  exploration of Telenet, the ability to navigate through Unix is a
  necessity. (Unix is also the single most interesting system in
  existence: it's just fun to fuck with).
 

  Unix Logins

  -----------

  Most Unix logins look essentially the same. A general Unix login
  prompt looks something like this:

  connected to five.finger.com
  login:

  That first line is the system identifier. Although it's not at all
  essential to what you are doing, it's good to know what system you are
  attempting to log on to.
  The second line is what typically identifies the system you are on as
  Unix. Almost all Unix systems greet a user with the same prompt:
  login:.
  Well, there's not much to do in Unix from the outside, and Unix
  systems are typically fairly secure at this point. You may be able to
  obtain a list of users, or current users, by logging in as 'who', but
  other than that there are few functions available here.
  Unless you are on the internet, or have accounts specifically for the
  specific machine you are on, the only way on to the system is to try
  the default passwords. What are the default passwords?
  Unix systems come installed with certain passwords automatically. In
  addition, some accounts must exist on a system. One such account is
  'root'. This user is the divine Kami of the Unix system... in short,
  an all access pass. Unfortunately, few systems allow root logins
  remotely, and even fewer leave 'root' unpassworded. Nevertheless, it's
  always worth a shot... try this:

  connected to ren.stimpy.net
  login: root
  password: root
  invalid login
  login:

  Well, nice try anyways... other possible passwords for root include
  'sysadmin', 'sys', 'admin'... you get the idea. You may also want to
  try these passwords with a single digit appended (added, idiot) to
  them... meaning the password 'root' could be 'root1' or 'root2'.
  An interesting tip about passwords in general... many people that use
  passwords under 8 characters tend to add a digit or a non-alphanumeric
  character to the password. This is done in order to hinder guessing,
  and to stop password breakers (more on this later). In this case, you
  may want to try adding a space before root... or even an ascii 255 to
  the end.
  Fortunately, there is more than one default password in a unix
  system... a quick list:

  sys        sys
  bin        bin
  daemon     daemon
  rje        rje
  setup      setup
  uucp       uucp/nuucp/anonymous
  nuucp      uucp/nuucp/anonymous
  mountfsys  mountfsys

  In the System
  -------------

  Ok, at this point, I'm going to assume you've gotten past the login...
  as painful as that may sound. Although Unix may be secure from the
  outside, without effort from the system administrators, the inside of
  the system is not.
  First off, you'll likely be asked for a terminal. vt100 serves your
  purposes sufficiently, and it's typically the default, so hit enter.
  Now, hopefully, you have a prompt. There are many different types of
  unix prompts, some of which contain current directory information,
  some of which are just a single character. Just don't panic when my
  examples don't look exactly like what you've got on your screen.
  The first thing you *need* to do on the system is establish your tty
  parameters. As eldritch and arcane sounding as this term may seem, it's
  actually quite simple... you need to tell the system what keys are
  going to do what.
  The command to set these parameters is 'stty'. Watch:

  squinkyB ] stty erase ^h
  squinkyB ]

  There... that wasn't so bad, was it? Well, it's also pretty
  meaningless to you, unless you have the ascii table memorized and are
  pretty good at on-the-spot deduction.
  The tty erase parameter determines which key is to be used as a
  backspace. At times, this may already be set when you log in, or it
  may be set to a suitable alternate (such as delete). Most of the time
  the system will tell you when you log on if this is so. In this case,
  we've entered ^h in order to make the backspace key, appropriately
  enough, backspace.
  Another extremely important parameter is 'intr'. The 'intr' parameter
  tells the Unix system what you intend to use as a break character...
  you should have this set to ^c.

  Getting Around

  --------------

  A good thing to remember about Unix is that it's a lot like DOS. Files
  are laid out in directories just as in DOS... in fact, the only
  immediate difference in the directory structures is that Unix uses a
  forward slash ("/", moron!) instead of a backwards one.
  Also, the basic Unix directory navigation command is identical to DOS.
  In order to change directories, you use the command 'chdir', or 'cd'.
  A quick example:

  1 /usr1/astoria ] cd ..
  2 /usr ]

  Wala. That simple. Quick notes:

  - cd / will take you to root.
  - cd /*pathname* will take you to *pathname*
  - cd home will take you to your home directory.

  You can make and delete your own directories with the mkdir/rmdir
  commands. Simply put, mkdir makes a subdirectory off of the current
  directory, and rmdir removes a subdirectory from the current
  subdirectory. Good to know if you plan to do a lot of file transfers.
  An important note about Unix directories, files, and concepts:
  Unix is a case-sensitive operating system. Thus, the files

  - Spleen
  - spleen
  - SPLEEN
  - SpLeEn

  are all different. This rule applies to directories and command line
  parameters, as well as most other Unix ideas.
  Another nice thing to know about Unix: Unix files are not subject to
  the normal DOS 8 character limit. Thus, you can have vast filenames,
  such as "this_file_ate_my_biscuit".

  Some other important commands

  -----------------------------

  First and foremost, you should know cp. cp is the basic Unix
  equivalent of the DOS COPY command. The command line for cp is
  identical to that of COPY.
  Next on the scale of cosmic import is cat. cat is the Unix equivalent
  of the DOS TYPE command, and once again, for simple file displaying,
  the command line is identical.
   Variations on the theme:
   pg: displays a file page by page. Type "pg x filename", where x is a
       number of lines to display before pausing and filename is the
       file you wish to display.
   more: displays a file screen by screen.
   Stupid pet trick:
   You can use your cat to copy files, simply by using the directional
   operators. To copy a file from here to there using cat, simply type:

   % cat here
   this is the file here
   % cat there
   this is the file there
   % cat here > there
   % cat there
   this is the file here

   The operator ">" simply takes the output from the cat command and
   places it in the location specified after it.
  Another vital command to know is 'rm'. rm deletes a file from the
  system, in the same way DEL would on a DOS system. Not too much else to
  say.
  Critical in your navigation of a Unix system is the ls command. ls is
  DOS DIR on heroin. Simply type ls and you get a nice, neat list of
  files in the directory.
   DIR on controlled substances:
   There are a few command line parameters that you should know...
   foremost is l. ls -l gets you a list of files, and valuable
   information about each file, including permissions (more on that
   later), size, and linked files.
   Another useful parameter for long file lists is C. ls -C gets you a
   list of files in multiple columns, much the same as DIR /W would
   merit a double column report of all existing files. A quick reminder:
   ls -C is NOT the same as ls -c. Unix = case sensitive.
  Another good command to know, mv will move a file from directory to
  directory. For those of you without DOS 6.0 <gasp>, mv simply copies a
  file to another directory and deletes the original.
   quick tip for files on the lam:
   if you want to rename a file (to protect the innocent), you need to
   mv a file to a different file name. A quick demo:

   # ls
   myfile
   # cat myfile
   this is my file
   # mv myfile my_other_file
   # ls
   my_other_file
   # cat my_other_file
   this is my file

  Another vastly important command is 'man'. In fact, man is probably
  one of the most important commands extant for a beginning user... it
  calls up the system's help files. To use man, simply type in 'man
  command', where command is a Unix command you seek to gain
  enlightenment regarding. It's a great way to gain an understanding of
  Unix commandline parameters.
  If you are interested in seeing who's been on of late, or just want a
  few names to try to hack, type 'who'. You get a quick list of users
  that have accessed the system lately. If you <god forbid> need to know
  who you are at this point, type 'whoami'.
  If you want to change your identity on the system, type 'su name'
  where name is an account on the system. It'll ask you for the account
  password, then, *presto*... instant transmogrification.
   A Caveat for smart alec hackers:
   Unix typically logs usage of the su command. While su may seem like a
   great opportunity to try to hack out passwords manually without
   worrying about the system hanging up after 3 attempts, it's typically
   not a good idea to do this, as it may alert the administrators to
   your presence.
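
  What the administrators see from that su logging, as an added example
  that is not part of the original text: a check for repeated failed su
  attempts. The log layout (System V style sulog lines), the function
  names and the sample entries are assumptions constructed for
  illustration.

```shell
#!/bin/sh
# Added example (not from the original text). Assumes System V style sulog
# lines:  SU date time +|- tty from-to   ("+" success, "-" failure).

# Constructed sample log; users, ttys and times are made up.
sample_sulog() {
cat <<'EOF'
SU 09/16 02:11 + ttyp0 operator-root
SU 09/16 02:14 - ttyp3 guest-root
SU 09/16 02:14 - ttyp3 guest-root
SU 09/16 02:15 - ttyp3 guest-root
SU 09/16 02:15 - ttyp3 guest-sys
SU 09/16 02:16 + ttyp3 guest-root
SU 09/16 09:30 - ttyp1 alice-root
EOF
}

# su_guessing [FILE] [MIN]
# Reads FILE (stdin when omitted or "-") and prints one line for every
# from-to pair with at least MIN failed attempts (default 3), noting
# whether a success followed once that many failures had been logged.
su_guessing() {
    awk -v min="${2:-3}" '
    BEGIN { min += 0 }                       # force numeric comparison
    $1 != "SU" || NF < 6 { next }            # ignore anything malformed
    $4 == "-" { fails[$6]++; next }
    $4 == "+" && ($6 in fails) && fails[$6] >= min { won[$6] = 1 }
    END {
        for (k in fails)
            if (fails[k] >= min)
                print k, "failures=" fails[k], "then_success=" ((k in won) ? "yes" : "no")
    }' "${1:--}" | sort
}
```

  Running `sample_sulog | su_guessing` reports the guest-root pair; a
  success after a burst of failures is the entry to look at first.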
  *Numero Uno on the list of commands NEVER to use on a Unix system:
  The 'passwd' command changes your password on a Unix system. Seems
  innocuous enough, eh? Uh-uh. If your account is active, and there's a
  very strong chance that it either is or will be, there is no better
  way to lose the account than to change the password, only to have the
  legitimate user alert the sysadmins when he/she can't gain access to
  his/her normal account (well, there are better ways... you could
  simply mail the sysadmin and tell him you are trying to hack his
  grandmother's life support machine through your account).
  I've seen this single, quick command turn an extremely lax system
  into an ironclad security compound in less than a day.
  DONT-FUCK-WITH-IT.
  *Numero Dos on that same list:
  The 'mail' command reads and sends mail. So what? Well, unless your
  account is stable (and it isn't unless you either paid for it or
  killed the original owner in such a way that his body cannot claw its
  way out of its grave to its keyboard), the user is more likely than
  not going to know if you read his mail. In addition, if you send mail
  out of the system (type 'mail', and a username/address; type in your
  message and end it with a ^d on its own line), the response from your
  message will likewise alert the user to your presence.

  System Spelunking

  -----------------

  The first place you want to check out in the wild uncharted directory
  tree of your friendly neighborhood Unix system is the "/etc"
  directory. What's in it? The single most intensely important file on
  the system (besides a world writable root owned SUID file... but don't
  worry about that)... the passwd file.
  What is in the passwd file?

  -  a list of all accounts on the system
  -  a list of the passwords for these accounts
  -  a list of access levels for these accounts
  -  a list of the home directories for these accounts
  -  a list of information pertaining to these accounts.

  Why the hell the Unix designers decided this file should be world
  readable is beyond me. Be content to know that your standard everyday
  run-of-the-mill-lacking-in-certified-cosmic-power 'cat' command WILL
  display this file. As will pg and more. However, because most users
  don't have write permissions (more on that later) to the /etc
  directory, 'cat' is pretty much the only applicable command here.
  However, if you need to copy the file to your own directory (for
  whatever reason), just cat it there with the directional operator (>).
  The catch:
  Well, there are two catches here. First off, regardless of system
  security, if the passwords are in the file, they are encrypted. You
  can't decrypt them. Although you can get a list of accounts without
  passwords this way (just look for accounts with no entry in the
  password field), and a list of accounts that can't be logged onto
  remotely/at all (NO LOGIN), you can't get much else. Sucks, don't it?
  Notice I said 'if' the passwords are there.
  <ominous soundtrack please>
  Some horrible, paranoid, draconian system administrators mutilate
  their passwd files in such a way that (*gasp*) the passwords don't
  show up. All you get is one cold, icy X staring at you from the bowels
  of Unix Shell Siberia, mocking you as you pull your hair out in
  frustration (sorry, but this is a sore spot with me). The kidnapped
  passwords reside in the shadow file in the /etc directory, available
  with your standard everyday run-of-the-mill-but-distinct-in-the-fact-
  that-only-root-level-accounts-can-use-it-to-this-extent 'cat' command.
  Well, if the passwords are encrypted, what good are they?
  By themselves, nothing. An account with a Unix encrypted password will
  get you no further than an account with no listed password at all. You
  can't even deduce the amount of characters in the password if it's
  encrypted. So what's the use?
  The Unix method of encrypting files is available to the public. It is
  also, to most mortals, irreversible. Essentially, this means you can
  encrypt a string of characters, but not decrypt it. Even the unix
  system itself doesn't decrypt the password when you log on...
  When you log on, the Unix system takes whatever you enter at the
  password prompt, encrypts it, and matches it to the entry in the
  passwd file. Thus, the Unix system never decrypts the password... it
  only compares it to a different encrypted string.
  While this may not sound too particularly useful at first, it is.
  There are programs that have been written to do the same thing on a
  personal computer... you supply it a list of passwords and a list of
  words to attempt to use as passwords (called dictionaries), and it
  spends the night encrypting dictionaries and matching them to password
  entries. By running a dictionary through a passwd file, on a typical
  system, you can usually get 10-20 accounts. Good personal computer
  examples of this program idea include Killer Cracker (the industry
  standard, so to speak) and CrackerJack (faster than Killer Cracker).
   Quick tips for CrackerJunkies with leech access at an H/P BBS:
   A standard dictionary will not uncover passwords protected with an
   appended digit or non-alphanumeric character. In order to get around
   this, you need only grab a program that processes the dictionary file
   to add that digit to each entry in the dictionary... although this
   takes longer, and you'll need to do it multiple times, you can
   typically get 10 more accounts just by adding a 1 to every entry.
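
  The passwd weaknesses described above (accounts with no entry in the
  password field, hashes left in the world readable file instead of the
  shadow file) and the vendor accounts from the default-password list,
  turned into an administrator's audit. This is an added example, not
  part of the original text; the function names, finding labels, the
  set of "locked" markers and the sample file are assumptions
  constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original text): administrator-side audit of a
# passwd-format file. Function names and finding labels are hypothetical.

# Constructed sample data; the "hash" for alice is a made-up placeholder.
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/bin/sh
uucp:x:5:5:uucp:/usr/lib/uucp:/usr/lib/uucp/uucico
guest::501:100:guest:/home/guest:/bin/sh
alice:AbCdEfGhIjKlM:502:100:Alice:/home/alice:/bin/ksh
toor:x:0:0:alt root:/root:/bin/sh
EOF
}

# audit_passwd [FILE]   (reads stdin when FILE is omitted)
audit_passwd() {
    awk -F: '
    BEGIN {
        # Vendor accounts taken from the default-password list above.
        n = split("sys bin daemon rje setup uucp nuucp mountfsys", v, " ")
        for (i = 1; i <= n; i++) vendor[v[i]] = 1
    }
    /^#/ || NF < 7 { next }                  # skip comments and short lines
    {
        user = $1; pw = $2; uid = $3; shell = $7
        # Assumption: "*" or "!" prefixes, "NP" and "NO LOGIN" mean locked.
        locked = (pw ~ /^[*!]/ || pw == "NP" || pw == "NO LOGIN")
        if (pw == "")
            print "EMPTY_PASSWORD", user          # logs in with no password
        else if (pw != "x" && !locked)
            print "HASH_WORLD_READABLE", user     # hash not moved to shadow
        if (uid == 0 && user != "root")
            print "EXTRA_UID0", user              # second all-access account
        # passwd alone cannot prove a shadowed vendor account is locked, so
        # any vendor account with an interactive shell is flagged for review.
        if ((user in vendor) && !locked && (shell == "" || shell ~ /\/(sh|csh|ksh|bash)$/))
            print "VENDOR_ACCOUNT_INTERACTIVE", user
    }' "${1:--}"
}
```

  `sample_passwd | audit_passwd` flags bin, guest, alice and toor; on a
  real system run `audit_passwd /etc/passwd` and lock or remove whatever
  it reports.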
  Files and directories in Unix are characterized further by their
  permissions. Permissions are a standard system of who gets access to a
  specific function of that file or directory. Standard permissions
  include read, write, and execute. You can get a list of permissions by
  typing 'ls -l'. The first field in the listing contains the
  permissions, grouped as follows:

  owner  group   world
  --------------------
  rwx    rwx     rwx

  (Not drawn to scale... in fact, it doesn't look anything like that).
  Essentially, as long as the letter is there, you have access to that
  facet of the file. If the letter is not there, you'll see a dash...
  meaning you don't have access to that function. An example:

  rwxr-x--x

  In this case, the owner of the file can Read the file, Write to the
  file, and eXecute the file; members of his group (a bunch of linked
  accounts) can Read the file, CANNOT Write to the file, and can eXecute
  the file; and the rest of the user population CANNOT Read or Write to
  the file, but CAN eXecute the file.

  rwx---rwx

  is a WORLD-READABLE, WORLD-WRITABLE, WORLD-EXECUTABLE file. This
  simply means that anyone can read, write, or execute the file.

  Another permission sometimes set to a file is the SUID bit. An SUID
  file contains a smallcase s in the user executable section of the
  permissions list...

  rws--x--x

  When you execute an SUID file, your user ID becomes that of the owner
  of the file. While this may not look too important at first, by now you
  should know that no really important super elite hacker concept does.
  Take a look at this:

  rwsr-x--x

  Synopsis? It's a world executable SUID file. In essence, anyone can
  execute the file, and in doing so, become the owner of the file for
  the duration of the time that file is operating. However, this doesn't
  get you much, because you typically can't do anything while the
  program is running. More likely than not, it's calculating how many
  pencils it needs to order for school tomorrow or some other such
  drivel.
  The real power of the SUID file comes into play in this situation:

  rwsrwxrwx

  You won't see a lot of these, but when you do, look out. What you have
  here is a world writable SUID file... and a world writable program can
  be any program on the system you have read access to. Like, say,
  /bin/sh... the Unix shell...
  Quick command line example... 'diablo' is a root owned, world writable
  SUID file. I'm going to ignore the rest of the output of the ls
  command.

  #ls -l
  rwsrwxrwx... ...diablo
  #cat /bin/sh > diablo
  #diablo
  $

  Oh, just so you know, the $ prompt denotes root access.
  Good deal, huh? In general, if you have write privs to an SUID file,
  copy it to your own directory and cat /bin/sh into it. You now have an
  instant gateway to the account of the owner of that file.
  If you want to find files that you can do this with, try this out:

  #find / -user root -perm -4000 -exec /bin/ls -al {} ";"

  This will give you a list of all root owned SUID files. If you want
  more info on the 'find' command, just 'man find'.
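
  The same find test used as an administrator's audit, as an added
  example that is not part of the original text: it lists set-UID
  files, singles out the ones group or world can write to (the
  rwsrwxrwx case above), and reports set-UID files that have appeared
  since a saved baseline. Function names and the demo tree are
  hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original text): defensive set-UID audit.
# Function names are hypothetical. Unlike the find command above there is no
# -user root filter, so set-UID files of every owner are covered.
LC_ALL=C; export LC_ALL     # stable sort order for comm

# Every set-UID regular file under DIR (default /), staying on one filesystem.
list_suid() {
    find "${1:-/}" -xdev -type f -perm -4000 -print 2>/dev/null | sort
}

# Set-UID files that group or world may write to: the rwsrwxrwx case.
list_suid_writable() {
    find "${1:-/}" -xdev -type f -perm -4000 \
        \( -perm -0020 -o -perm -0002 \) -print 2>/dev/null | sort
}

# new_suid_since BASELINE [DIR]
# Set-UID files present now but missing from a saved list_suid baseline.
new_suid_since() {
    list_suid "${2:-/}" | comm -13 "$1" -
}

# Builds a constructed demo tree (empty files, not real programs) and
# prints its path, so the functions can be tried without touching /.
make_demo_tree() {
    t=$(mktemp -d) || return 1
    for f in ok_tool loose_tool group_tool plain; do : > "$t/$f"; done
    chmod 4755 "$t/ok_tool"      # rwsr-xr-x
    chmod 4777 "$t/loose_tool"   # rwsrwxrwx
    chmod 4775 "$t/group_tool"   # rwsrwxr-x
    chmod 0755 "$t/plain"        # rwxr-xr-x, not set-UID
    echo "$t"
}
```

  Save `list_suid /` to a file after a clean install and compare against
  it with `new_suid_since` on a schedule; anything `list_suid_writable`
  prints should have its write bits removed.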

  Well, I'm overdue for an appointment on the IRC in #warez... so I'll
  cut off here. I hope I've been of assistance to you.

