+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + UNIX : A Hacking Tutorial + + By: Sir Hackalot + +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ---------------------- o Intent of this file: ---------------------- This phile is geared as an UNIX tutorial at first, to let you get more familiar with the operating system. UNIX is just an operating system, as is MS-DOS, AppleDOS, AmigaDOS, and others. UNIX happens to be a multi-user- multi-tasking system, thus bringing a need for security not found on MSDOS, AppleDOS, etc. This phile will hopefully teach the beginners who do not have a clue about how to use UNIX a good start, and may hopefully teach old pros something they didn't know before. This file deals with UNIX SYSTEM V and its variants. When I talk about unix, its usually about SYSTEM V (rel 3.2). Where Can I be found? I have no Idea. The Boards today are going Up'n'Down so fast, 3 days after you read this file, if I put a BBS in it where you could reach me, it may be down! Just look for me. I can be reached on DarkWood Castle [If it goes back up], but that board is hard to get access on, but I decided to mention it anyway. I *COULD* Have been reached on jolnet, but...... This file may have some bad spelling, etc, or discrepencies since it was spread out over a long time of writing, because of school, work, Girl friend, etc. Please, no flames. If you don't like this file, don't keep it. This is distributed under PHAZE Inc. Here are the members (and ex ones) The Dark Pawn The Data Wizard Sir Hackalot (Me) Taxi (ummm.. Busted) Lancia (Busted) The British Knight (Busted) The Living Pharoah (Busted) _____________________________________________________________________________ ------------- o Dedication: ------------- This phile is dedicated to the members of LOD that were raided in Atlanta. The members that got busted were very good hackers, especially The Prophet. Good luck to you guys, and I hope you show up again somewhere. _____________________________________________________________________________ ------------------------ o A little History, etc: ------------------------ UNIX, of course, was invented By AT&T in the 60's somewhere, to be "a programmer's operating system." While that goal was probably not reached when they first invented UNIX, it seems that now, UNIX is a programmer's OS. UNIX, as I have said before, is a multi-tasking/multi-user OS. It is also written in C, or at least large parts of it are, thus making it a portable operating system. We know that MSDOS corresponds to IBM/clone machines, right? Well, this is not the case with UNIX. We do not associate it with any one computer since it has been adapted for many, and there are many UNIX variants [that is, UNIX modified by a vendor, or such]. Some AT&T computers run it, and also some run MSDOS [AT&T 6300]. The SUN workstations run SunOS, a UNIX variant, and some VAX computers run Ultrix, a VAX version of UNIX. Remember, no matter what the name of the operating system is [BSD, UNIX,SunOS,Ultrix,Xenix, etc.], they still have a lot in common, such as the commands the operating system uses. Some variants may have features others do not, but they are basically similar in that they have a lot of the same commands/datafiles. When someone tries to tell you that UNIX goes along with a certain type of computer, they may be right, but remember, some computers have more than one Operating system. For instance, one person may tell you that UNIX is to a VAX as MSDOS is to IBM/clones. That is untrue, and the only reason I stated that, was because I have seen many messages with info /comparisons in it like that, which confuse users when they see a VAX running VMS. ____________________________________________________________________________ ------------------------------- o Identifying a Unix/Logging in ------------------------------- From now on, I will be referring to all the UNIX variants/etc as UNIX, so when I say something about UNIX, it generally means all the variants (Unix System V variants that is: BSD, SunOS, Ultrix, Xenix, etc.), unless I state a variant in particular. Okay. Now its time for me to tell you how a unix USUALLY greets you. First, when you call up a UNIX, or connect to one however you do, you will usually get this prompt: login: Ok. Thats all fine and dandy. That means that this is PROBABLY a Unix, although there are BBS's that can mimic the login procedure of an OS (Operating System), thus making some people believe its a Unix. [Hah!]. Some Unixes will tell you what they are or give you a message before a login: prompt, as such: Welcome to SHUnix. Please log in. login: Or something like that. Public access Unixes [like Public BBSs] will tell you how to logon if you are a new users. Unfortunatly, this phile is not about public access Unixes, but I will talk about them briefly later, as a UUCP/UseNet/Bitnet address for mail. OK. You've gotten to the login prompt! Now, what you need to do here is enter in a valid account. An Account usually consists of 8 characters or less. After you enter in an account, you will probably get a password prompt of some sort. The prompts may vary, as the source code to the login program is usually supplied with UNIX, or is readily available for free. Well, The easiest thing I can say to do to login is basically this: Get an account, or try the defaults. The defaults are ones that came with the operating system, in standard form. The list of some of the Defaults are as follows: ACCOUNT PASSWORD ------- -------- root root - Rarely open to hackers sys sys / system / bin bin sys / bin mountfsys mountfsys adm adm uucp uucp nuucp anon anon anon user user games games install install reboot * See Below demo demo umountfsys umountfsys sync sync admin admin guest guest daemon daemon The accounts root, mountfsys, umountfsys, install, and sometimes sync are root level accounts, meaning they have sysop power, or total power. Other logins are just "user level" logins meaning they only have power over what files/processes they own. I'll get into that later, in the file permissions section. The REBOOT login is what as known as a command login, which just simply doesn't let you into the operating system, but executes a program assigned to it. It usually does just what it says, reboot the system. It may not be standard on all UNIX systems, but I have seen it on UNISYS unixes and also HP/UX systems [Hewlett Packard Unixes]. So far, these accounts have not been passworded [reboot], which is real stupid, if you ask me. COMMAND LOGINS: --------------- There are "command logins", which, like reboot, execute a command then log you off instead of letting you use the command interpreter. BSD is notorious for having these, and concequently, so does MIT's computers. Here are some: rwho - show who is online finger - same who - same These are the most useful, since they will give the account names that are online, thus showing you several accounts that actually exist. Errors: ------- When you get an invalid Account name / invalid password, or both, you will get some kind of error. Usually it is the "login incorrect" message. When the computer tells you that, you have done something wrong by either enterring an invalid account name, or a valid account name, but invalid password. It does not tell you which mistake you made, for obvious reasons. Also, when you login incorrectly, the error log on the system gets updated, letting the sysops(s) know something is amiss. Another error is "Cannot change to home directory" or "Cannot Change Directory." This means that no "home directory" which is essentially the 'root' directory for an account, which is the directory you start off in. On DOS, you start in A:\ or C:\ or whatever, but in UNIX you start in /homedirectory. [Note: The / is used in directories on UNIX, not a \ ]. Most systems will log you off after this, but some tell you that they will put you in the root directory [ '/']. Another error is "No Shell". This means that no "shell" was defined for that particular account. The "shell" will be explained later. Some systems will log you off after this message. Others will tell you that they will use the regular shell, by saying "Using the bourne shell", or "Using sh" ----------------------------- Accounts In General : ----------------------------- This section is to hopefully describe to you the user structure in the UNIX environment. Ok, think of UNIX having two levels of security: absolute power, or just a regular user. The ones that have absolute power are those users at the root level. Ok, now is the time to think in numbers. Unix associates numbers with account names. each account will have a number. Some will have the same number. That number is the UID [user-id] of the account. the root user id is 0. Any account that has a user id of 0 will have root access. Unix does not deal with account names (logins) but rather the number associated with them. for instance, If my user-id is 50, and someone else's is 50, with both have absolute power of each other, but no-one else. _____________________________________________________________________________ --------------- Shells : --------------- A shell is an executable program which loads and runs when a user logs on, and is in the foreground. This "shell" can be any executable prog- ram, and it is defined in the "passwd" file which is the userfile. Each login can have a unique "shell". Ok. Now the shell that we usually will work with is a command interpreter. A command interpreter is simply something like MSDOS's COMMAND.COM, which processes commands, and sends them to the kernel [operating system]. A shell can be anything, as I said before, but the one you want to have is a command interpreter. Here are the usual shells you will find: sh - This is the bourne shell. It is your basic Unix "COMMAND.COM". It has a "script" language, as do most of the command interpreters on Unix sys- tems. csh - This is the "C" shell, which will allow you to enter "C" like commands. ksh - this is the korn shell. Just another command interpreter. tcsh - this is one, which is used at MIT I believe. Allows command editing. vsh - visual shell. It is a menu driven deal. Sorta like.. Windows for DOS rsh - restricted shell OR remote shell. Both Explained later. There are many others, including "homemade " shells, which are programs written by the owner of a unix, or for a specific unix, and they are not standard. Remember, the shell is just the program you get to use and when it is done executing, you get logged off. A good example of a homemade shell is on Eskimo North, a public access Unix. The shell is called "Esh", and it is just something like a one-key-press BBS, but hey, its still a shell. The Number to eskimo north is 206-387-3637. [206-For-Ever]. If you call there, send Glitch Lots of mail. Several companies use Word Processors, databases, and other things as a user shell, to prevent abuse, and make life easier for unskilled computer operators. Several Medical Hospitals use this kind of shell in Georgia, and fortunatly, these second rate programs leave major holes in Unix. Also, a BBS can be run as a shell. Check out Jolnet [312]-301-2100, they give you a choice between a command interpreter, or a BBS as a shell. WHen you have a command interpreter, the prompt is usually a: $ when you are a root user the prompt is usually a: # The variable, PS1, can be set to hold a prompt. For instance, if PS1 is "HI:", your prompt will be: HI: _____________________________________________________________________________ ------------------------ SPecial Characters, ETc: ------------------------ Control-D : End of file. When using mail or a text editor, this will end the message or text file. If you are in the shell and hit control-d you get logged off. Control-J: On some systems, this is like the enter key. @ : Is sometimes a "null" ? : This is a wildcard. This can represent a letter. If you specified something at the command line like "b?b" Unix would look for bob,bib,bub, and every other letter/number between a-z, 0-9. * : this can represent any number of characters. If you specified a "hi*" it would use "hit", him, hiiii, hiya, and ANYTHING that starts with hi. "H*l" could by hill, hull, hl, and anything that starts with an H and ends with an L. [] - The specifies a range. if i did b[o,u,i]b unix would think: bib,bub,bob if i did: b[a-d]b unix would think: bab,bbb,bcb,bdb. Get the idea? The [], ?, and * are usually used with copy, deleting files, and directory listings. EVERYTHING in Unix is CASE sensitive. This means "Hill" and "hill" are not the same thing. This allows for many files to be able to be stored, since "Hill" "hill" "hIll" "hiLl", etc. can be different files. So, when using the [] stuff, you have to specify capital letters if any files you are dealing with has capital letters. Most everything is lower case though. ---------------- Commands to use: ---------------- Now, I will rundown some of the useful commands of Unix. I will act as if I were typing in the actual command from a prompt. ls - this is to get a directory. With no arguments, it will just print out file names in either one column or multi-column output, depending on the ls program you have access to. example: $ ls hithere runme note.text src $ the -l switch will give you extended info on the files. $ ls -l rwx--x--x sirhack sirh 10990 runme and so on.... the "rwx--x--x" is the file permission. [Explained Later] the "sirhack sirh" is the owner of the file/group the file is in. sirhack = owner, sirh = user-group the file is in [explained later] the 10990 is the size of the file in bytes. "runme" is the file name. The format varies, but you should have the general idea. cat - this types out a file onto the screen. should be used on text files. only use it with binary files to make a user mad [explained later] ex: $ cat note.txt This is a sample text file! $ cd - change directory . You do it like this: cd /dir/dir1/dir2/dirn. the dir1/etc.... describes the directory name. Say I want to get to the root directory. ex: $ cd / *ok, I'm there.* $ ls bin sys etc temp work usr all of the above are directories, lets say. $ cd /usr $ ls sirhack datawiz prophet src violence par phiber scythian $ cd /usr/sirhack $ ls hithere runme note.text src $ ok, now, you do not have to enter the full dir name. if you are in a directory, and want to get into one that is right there [say "src"], you can type "cd src" [no "/"]. Instead of typing "cd /usr/sirhack/src" from the sirhack dir, you can type "cd src" cp - this copies a file. syntax for it is "cp fromfile tofile" $ cp runme runme2 $ ls hithere runme note.text src runme2 Full pathnames can be included, as to copy it to another directory. $ cp runme /usr/datwiz/runme mv - this renames a file. syntax "mv oldname newname" $ mv runme2 runit $ ls hithere runme note.text src runit files can be renamed into other directories. $ mv runit /usr/datwiz/run $ ls hithere runme note.text src $ ls /usr/datwiz runme run pwd - gives current directory $ pwd /usr/sirhack $ cd src $ pwd /usr/sirhack/src $ cd .. $ pwd /usr/sirhack [ the ".." means use the name one directory back. ] $ cd ../datwiz [translates to cd /usr/datwiz] $ pwd /usr/datwiz $ cd $home [goto home dir] $ pwd /usr/sirhack rm - delete a file. syntax "rm filename" or "rm -r directory name" $ rm note.text $ ls hithere runme src $ write - chat with another user. Well, "write" to another user. syntax: "write username" $ write scythian scythian has been notified Hey Scy! What up?? Message from scythian on tty001 at 17:32 hey! me: So, hows life? scy: ok, I guess. me: gotta go finish this text file. scy: ok me: control-D [to exit program] $ who [w,who,whodo] - print who is online $ who login term logontime scythian + tty001 17:20 phiberO + tty002 15:50 sirhack + tty003 17:21 datawiz - tty004 11:20 glitch - tty666 66:60 $ the "who" commands may vary in the information given. a "+" means you can "write" to their terminal, a "-" means you cannot. man - show a manual page entry. syntax "man command name" This is a help program. If you wanted to know how to use... "who" you'd type $ man who WHO(1) xxx...... and it would tell you. stty - set your terminal characteristics. You WILL have to do "man stty" since each stty is different, it seems like. an example would be: $ stty -parenb to make the data params N,8,1. A lot of Unixes operate at e,7,1 by default. sz,rz - send and recieve via zmodem rx,sx - send / recieve via xmodem rb,sb - send via batch ymodem. These 6 programs may or may not be on a unix. umodem - send/recieve via umodem. $ sz filename ready to send... $ rz filename please send your file.... ...etc.. ed - text editor. Usage "ed filename" to create a file that doesn't exist, just enter in "ed filename" some versions of ed will give you a prompt, such as "*" others will not $ ed newtext 0 * a This is line 1 This is line 2 [control-z] * 1 [to see line one] This is line 1 * a [keep adding] This is line 3 [control-z] *0a [add after line 0] This is THE first line [control-z] 1,4l This is THE first line This is line 1 This is line 2 This is line 3 * w 71 * q $ The 71 is number of bytes written. a = append l = list # = print line number w - write l fname = load fname s fname = save to fname w = write to current file q = quit mesg - turn write permissions on or off to your terminal (allow chat) format "mesg y" or "mesg n" cc - the C compiler. don't worry about this one right now. chmod - change mode of a file. Change the access in other words. syntax: "chmod mode filename" $ chmod a+r newtext Now everyone can read newtext. a = all r = read. This will be explained further in the File System section. chown - change the owner of a file. syntax: "chown owner filename" $ chown scythian newtext $ chgrp - change the group [explained later] of a file. syntax: "chgrp group file" $ chgrp root runme $ finger - print out basic info on an account. Format: finger username grep - search for patterns in a file. syntax: "grep pattern file" $ grep 1 newtext This is Line 1 $ grep THE newtext This is THE first line $ grep "THE line 1" newtext $ mail - This is a very useful utility. Obviously, you already know what it is by its name. There are several MAIL utilities, such as ELM, MUSH and MSH, but the basic "mail" program is called "mail". The usage is: "mail username@address" or "mail username" or "mail" or "mail addr1!addr2!addr3!user" "mail username@address" - This is used to send mail to someone on another system, which is usually another UNIX, but some DOS machines and some VAX machines can recieve Unix Mail. When you use "mail user@address" the system you are on MUST have a "smart mailer" [known as smail], and must have what we call system maps. The smart mailer will find the "adress" part of the command and expand it into the full pathname usually. I could look like this: mail phiber@optik then look like this to the computer: mail sys1!unisys!pacbell!sbell!sc1!att.com!sirhacksys!optik!phiber Do not worry about it, I was merely explaining the principal of the thing. Now, if there is no smart mailer online, you'll have to know the FULL path name of the person you wish to mail to. For Instance, I want to mail to .. phiber. I'd do this if there were no smart mailer: $ mail sys!unisys!pacbell!sbell!sc1!att.com!sirhacksys!optik!phiber Hey Guy. Whats up? Well, gotta go. Nice long message huh? [control-D] $ Then, when he got it, there would be about 20 lines of information, with like a post mark from every system my message went thru, and the "from" line would look like so: From optik!sirhacksys!att.com!sc1!sbell!pacbell!unisys!sys!sirhack Now, for local mailing, just type in "mail username" where username is the login you want to send mail to. Then type in your message. Then end it with a control-D. To read YOUR mail, just type in mail. IE: $ mail From scythian ............ To sirhack ............ Subject: Well.... Arghhh! ? The dots represent omitted crap. Each Mail program makes its own headings. That ? is a prompt. At this prompt I can type: d - delete f username - forward to username w fname - write message to a file named fname s fname - save message with header into file q - quit / update mail x - quit, but don't change a thing m username - mail to username r - reply [enter] - read next message + - go forward one message - : go back one h - print out message headers that are in your mailbox. There are others, to see them, you'd usually hit '?'. -------- If you send mail to someone not on your system, you will have to wait longer for a reply, since it is just as a letter. A "postman" has to pick it up. The system might call out, and use UUCP to transfer mail. Usually, uucp accounts are no good to one, unless you have uucp available to intercept mail. ps - process. This command allows you to see what you are actually doing in memory. Everytime you run a program, it gets assigned a Process Id number (PID), for accounting purposes, and so it can be tracked in memory, as well as shut down by you, or root. usually, the first thing in a process list given by "ps" is your shell name. Say I was logged in under sirhack, using the shell "csh" and running "watch scythian". The watch program would go into the background, meaning I'd still be able to do things while it was running: $ ps PID TTY NAME 122 001 ksh 123 001 watch $ That is a shortened PS. That is the default listing [a brief one]. The TTY column represents the "tty" [i/o device] that the process is being run from. This is only useful really if you are using layers (don't worry) or more than one person is logged in with the same account name. Now, "ps -f" would give a full process listing on yourself, so instead of seeing just plain ole "watch" you'd most likely see "watch scythian" kill - kill a process. This is used to terminate a program in memory obvio- ously. You can only kill processes you own [ones you started], unless you are root, or your EUID is the same as the process you want to kill. (Will explain euid later). If you kill the shell process, you are logged off. By the same token, if you kill someone else's shell process, they are logged off. So, if I said "kill 122" I would be logged off. However, kill only sends a signal to UNIX telling it to kill off a process. If you just use the syntax "kill pid" then UNIX kills the process WHEN it feels like it, which may be never. So, you can specify urgency! Try "kill -num pid" Kill -9 pid is a definite kill almost instantly. So if I did this: $ kill 122 $ kill 123 $ ps PID TTY NAME 122 001 ksh 123 001 watch $ kill -9 123 [123]: killed $ kill -9 122 garbage NO CARRIER Also, you can do "kill -1 0" to kill your shell process to log yourself off. This is useful in scripts (explained later). ------------------- Shell Programmin' ------------------- Shell Programming is basically making a "script" file for the standard shell, being sh, ksh, csh, or something on those lines. Its like an MSDOS batch file, but more complex, and more Flexible. This can be useful in one aspect of hacking. First, lets get into variables. Variables obviously can be assigned values. These values can be string values, or numberic values. number=1 That would assign 1 to the variable named "number". string=Hi There or string="Hi There" Both would assign "Hi there" to a variable. Using a variable is different though. When you wish to use a variable you must procede it with a dollar ($) sign. These variables can be used as arguments in programs. When I said that scripts are like batch files, I meant it. You can enter in any name of a program in a script file, and it will execute it. Here is a sample script. counter=1 arg1="-uf" arg2="scythian" ps $arg1 $arg2 echo $counter That script would translate to "ps -uf scythian" then would print "1" after that was finished. ECHO prints something on the screen whether it be numeric, or a string constant. Other Commands / Examples: read - reads someting into a variable. format : read variable . No dollar sign is needed here! If I wwanted to get someone's name, I could put: echo "What is your name?" read hisname echo Hello $hisname What is your name? Sir Hackalot Hello Sir Hackalot Remember, read can read numeric values also. trap - This can watch for someone to use the interrupt character. (Ctrl-c) format: trap "command ; command ; command ; etc.." Example: trap "echo 'Noway!! You are not getting rid o me that easy' ; echo 'You gotta see this through!'" Now, if I hit control-c during the script after this statement was executed, I'd get: Noway!! You are not getting rid of me that easy You gotta see this through! exit : format :exit [num] This exists the shell [quits] with return code of num. ----- CASE ----- Case execution is like a menu choice deal. The format of the command or structure is : case variable in 1) command; command;; 2) command; command; command;; *) command;; esac Each part can have any number of commands. The last command however must have a ";;". Take this menu: echo "Please Choose:" echo "(D)irectory (L)ogoff (S)hell" read choice case $choice in D) echo "Doing Directory..."; ls -al ;; L) echo Bye; kill -1 0;; S) exit;; *) Echo "Error! Not a command";; esac The esac marks the end of a case function. It must be after the LAST command. Loops ----- Ok, loops. There are two loop functins. the for loops, and the repeat. repeat looks like this: repeat something somethin1 somethin2 this would repeat a section of your script for each "something". say i did this: repeat scythian sirhack prophet I may see "scythian" then sirhack then prophet on my screen. The for loop is defined as "for variable in something do .. .. done" an example: for counter in 1 2 3 do echo $counter done That would print out 1 then 2 then 3. Using TEST ---------- The format: Test variable option variable The optios are: -eq = -ne <> (not equal) -gt > -lt < -ge >= -le <= for strings its: = for equal != for not equal. If the condition is true, a zero is returned. Watch: test 3 -eq 3 that would be test 3 = 3, and 0 would be returned. EXPR ---- This is for numeric functions. You cannot simply type in echo 4 + 5 and get an answer most of the time. you must say: expr variable [or number] operator variable2 [or number] the operators are: + add - subtract * multiply / divide ^ - power (on some systems) example : expr 4 + 5 var = expr 4 + 5 var would hold 9. On some systems, expr sometimes prints out a formula. I mean, 22+12 is not the same as 22 + 12. If you said expr 22+12 you would see: 22+12 If you did expr 22 + 12 you'd see: 34 SYSTEM VARIABLES ---------------- These are variables used by the shell, and are usually set in the system wide .profile [explained later]. HOME - location of your home directory. PS1 - The prompt you are given. usually $ . On BSD its usually & PATH - This is the search path for programs. When you type in a program to be run, it is not in memory; it must be loaded off disk. Most commands are not in Memory like MSDOS. If a program is on the search path, it may be executed no matter where you are. If not, you must be in the directory where the program is. A path is a set of directories basically, seperated by ":"'s. Here is a typical search path: :/bin:/etc:/usr/lbin:$HOME: When you tried to execute a program, Unix would look for it in /bin, /etc, /usr/lbin, and your home directory, and if its not found, an error is spewed out. It searches directories in ORDER of the path. SO if you had a program named "sh" in your home directory, and typed in "sh", EVEN if you were in your home dir, it would execute the one in /bin. So, you must set your paths wisely. Public access Unixes do this for you, but systems you may encounter may have no path set. TERM - This is your terminal type. UNIX has a library of functions called "CURSES" which can take advantage of any terminal, provided the escape codes are found. You must have your term set to something if you run screen oriented programs. The escape codes/names of terms are found in a file called TERMCAP. Don't worry about that. just set your term to ansi or vt100. CURSES will let you know if it cannot manipulate your terminal emulation. ----