DWE Issue 5: A Basic UNIX Overview August, 1993 Asriel UNIX FOR DOS ADDICTED WaReZ PuPPieZ AND THEIR PETS Introduction ------------ One of the most common operating systems in existance is Unix. Unix exists in many different flavors, from Berkeley BSD to AT&T System V to SunOs. Basic working knowledge of Unix is almost essential to a hacker, as it is the system a hacker is most likely to come across. If you intend to use the internet at all, or to do any serious exploration of Telenet, the ability to navigate through Unix is a necessity. (Unix is also the single most interesting system in existance: it's just fun to fuck with). Unix Logins ----------- Most Unix logins look essentially the same. A general Unix login prompt looks something like this: connected to five.finger.com login: That first line is the system identifier. Although it's not at all essential to what you are doing, it's good to know what system you are attempting to log on to. The second line is what typically identifies the system you are on as Unix. Almost all Unix systems greet a user with the same prompt: login:. Well, there's not much to do in Unix from the outside, and Unix systems are typically fairly secure at this point. You may be able to obtain a list of users, or current users, by logging in as 'who', but other than that there are few functions available here. Unless you are on the internet, or have accounts specifically for the specific machine you are on, the only way on to the system is to try the default passwords. What are the default passwords? Unix systems come installed with certain passwords automatically. In addition, some accounts must exist on a system. One such account is 'root'. This user is the divine Kami of the Unix system... in short, an all access pass. Unfortunately, few systems allow root logins remotely, and even fewer leave 'root' unpassworded. Nevertheless, it's always worth a shot... try this: connected to ren.stimpy.net login: root password: root invalid login login: well, nice try anyways... other possible passwords for root include 'sysadmin', 'sys', 'admin'... you get the idea. You may also want to try these passwords with a single digit appended (added, idiot) to them... meaning the password 'root' could be 'root1' or 'root2'. An interesting tip about passwords in general... many people that use passwords under 8 characters tend to add a digit or a non-alphanumeric character to the password. This is done in order to hinder guessing, and to stop password breakers (more on this later). In this case, you may want to try adding a space before root... or even an ascii 255 to the end. Fortunately, there is more than one default password in a unix system... a quick list: sys sys bin bin daemon daemon rje rje setup setup uucp uucp/nuucp/anonymous nuucp uucp/nuucp/anonymous mountfsys mountfsys In the System ------------- Ok, at this point, I'm going to assume you've gotten past the login... as painful as that may sound. Although Unix may be secure from the outside, without effort from the system administrators, the inside of the system is not. First off, you'll likely by asked for a terminal. vt100 serves your purposes sufficently, and it's typically the default, so hit enter. Now, hopefully, you have a prompt. There are many different types of unix prompts, some of which contain current directory information, some of which are just a single character. Just don't panic when my examples don't look exactly like what you've got on your screen. The first thing you *need* to do on the system is establish your tty paramters. As eldritch and arcane sounding as this term may seem, it's actually quite simple... you need to tell the system what keys are going to do what. The command to set these parameters is 'stty'. Watch: squinkyB ] stty erase ^h squinkyB ] There... that wasn't so bad, was it? Well, it's also pretty meaningless to you, unless you have the ascii table memorized and are pretty good at on-the-spot deduction. The tty erase parameters determines which key is to be used as a backspace. At times, this may already be set when you log in, or it may be set to a suitable alternate (such as delete). Most of the time the system will tell you when you log on if this is so. In this case, we've entered ^h in order to make the backspace key, appropriately enough, backspace. Another extremely important parameter is 'intr'. The 'intr' paramter tells the Unix system what you intend to use as a break character... you should have this set to ^c. Getting Around -------------- A good thing to remember about Unix is that it's alot like DOS. Files are laid out in directories just as in DOS... in fact, the only immediate difference in the directory structures is that Unix uses a forward slash ("/", moron!) instead of a backwards one. Also, the basic Unix directory navigation command is identical to DOS. In order to change directories, you use the command 'chdir', or 'cd'. A quick example: 1 /usr1/astoria ] cd .. 2 /usr ] Wala. That simple. Quick notes: þ cd / will take you to root. þ cd /*pathname* will take you to *pathname* þ cd home will take you to your home directory. You can make and delete your own directories with the mkdir/rmdir commands. Simply put, mkdir makes a subdirectory off of the current directory, and rmdir removes a subdirectory from the current subdirectory. Good to know if you plan to do a lot of file transfers. An important note about Unix directories, files, and concepts: Unix is a case-sensitive operating system. Thus, the files þ Spleen þ spleen þ SPLEEN þ SpLeEn are all different. This rule applies to directories and command line paramters, as well as most other Unix ideas. Another nice thing to know about Unix: Unix files are not subject to the normal DOS 8 character limit. Thus, you can have vast filenames, such as "this_file_ate_my_biscuit". Some other important commands ----------------------------- First and foremost, you should know cp. cp is the basic Unix equivalent of the DOS COPY command. The command line for cp is identical to that of COPY. Next on the scale of cosmic import is cat. cat is the Unix equivalent of the DOS TYPE command, and once again, for simple file displaying, the command line is identical. Variations on the theme: pg: displayes a file page by page. Type "pg x filename", where x is a number of lines to display before pausing and filename is the file you wish to display. more: displays a file screen by screen. Stupid pet trick: You can use your cat to copy files, simply by using the directional operators. To copy a file from here to there using cat, simply type: % cat here this is the file here % cat there this is the file there % cat here > there % cat there this is the file here The operator ">" simply takes the output from the cat command and places is in the location specified after it. Another vital command to know is 'rm'. rm deletes a file from the system, in the same way DEL would on a DOS system. Not to much else to say. Critical in your navigation of a Unix system is the ls command. ls is DOS DIR on heroin. Simply type ls and you get a nice, neat list of files in the directory. DIR on controlled substances: There are a few command line parameters that you should know... foremost is l. ls -l gets you a list of files, and valuable information about each file, including permissions (more on that later), size, and linked files. Another useful command for long file lists is C. ls -C gets you a list of files in multiple columns, much the same as DIR /W would merit a double column report of all existing files. A quick reminder: ls -C is NOT the same as ls -c. Unix = case sensitive. Another good command to know, mv will move a file from directory to directory. For those of you without DOS 6.0 , mv simply copies a file to another directory and deletes the original. quick tip for files on the lam: if you want to rename a file (to protect the innocent), you need to mv a file to a different file name. A quick demo: # ls myfile # cat myfile this is my file # mv myfile my_other_file # ls my_other_file # cat my_other_file this is my file Another vastly important command is 'man'. In fact, man is probably one of the most important commands extant for a beginning user... it calls up the system's help files. To use man, simply type in 'man command', where command is a Unix command you seek to gain enlightenment regarding. It's a great way to gain an understanding of Unix commandline parameters. If you are interested in seeing who's been on of late, or just want a few names to try to hack, type 'who'. You get a quick list of users that have accessed the system lately. If you need to know who you are at this point, type 'whoami'. If you want to change your identity on the system, type 'su name' where name is an account on the system. It'll ask you for the account password, then, *presto*... instant transmogrification. A Caveat for smart alec hackers: Unix typically logs usage of the su command. While su may seem like a great opportunity to try to hack out passwords manually without worrying about the system hanging up after 3 attempts, it's typically not a good idea to do this, as it may alert the administrators to your presence. *Numero Uno on the list of commands NEVER to use on a Unix system: The 'passwd' command changes your password on a Unix system. Seems innocous enough, eh? Uh-uh. If your account is active, and there's a very strong chance that it either is or will be, there is no better way to lose the account than to change the password, only to have the legitimate user alert the sysadmins when he/she can't gain access to his/her normal account (well, there are better ways... you could simply mail the sysadmin and tell him you are trying to hack his grandmother's life support machine through your account). I've seen this single, quick command turn a extremely lax system into an ironclad security compound in less than a day. DONT-FUCK-WITH-IT. *Numero Dos on that same list: The 'mail' command reads and sends mail. So what? Well, unless your account is stable (and it isn't unless you either paid for it or killed the original owner in such a way that his body cannot claw it's way out of it's grave to it's keyboard), the user is more likely than not going to know if you read his mail. In addition, if you send mail out of the system (type 'mail', and a username/address; type in your message and end it with a ^d on it's own line), the response from your message will likewise alert the user to your presence. System Spelunking ----------------- The first place you want to check out in the wild uncharted directory tree of your friendly neighborhood Unix system is the "/etc" directory. What's in it? The single most intensely important file on the system (besides a world writable root owned SUID file... but don't worry about that)... the passwd file. What is in the passwd file? þ a list of all accounts on the system þ a list of the passwords for these accounts þ a list of access levels for these accounts þ a list of the home directories for these accounts þ a list of information pertaining to these accounts. Why the hell the Unix designers decided this file should be world readable is beyond me. Be content to know that your standard everyday run-of-the-mill-lacking-in-certified-cosmic-power 'cat' command WILL display this file. As will pg and more. However, because most users don't have write permissions (more on that later) to the /etc directory, 'cat' is pretty much the only applicable command here. However, if you need to copy the file to your own directory (for whatever reason), just cat it there with the directional operator (>). The catch: Well, there are two catches here. First off, regardless of system security, if the passwords are in the file, they are encrypted. You can't decrypt them. Although you can get a list of accounts without passwords this way (just look for accounts with no entry in the password field), and a list of accounts that can't be logged onto remotely/at all (NO LOGIN), you can't get much else. Sucks, don't it? Notice I said 'if' the passwords are there. Some horrible, paranoid, draconian system administrators mutilate their passwd files in such a way that (*gasp*) the passwords don't show up. All you get is one cold, icy X staring at you from the bowels of Unix Shell Siberia, mocking you as you pull your hair out in frustration (sorry, but this is a sore spot with me). The kidnapped passwords reside in the shadow file in the /etc directory, available with your standard everyday run-of-the-mill-but-distinct-in-the-fact- that-only-root-level-accounts-can-use-it-to-this-extent 'cat' command. Well, if the passwords are encrypted, what good are they? By themselves, nothing. A account with a Unix encrypted password will get you no further than an account with no listed password at all. You can't even deduce the amount of characters in the password if it's encrypted. So what's the use? The Unix method of encrypting files is available to the public. It is also, to most mortals, irreversable. Essentially, this means you can encrypt a string of characters, but not decrypt it. Even the unix system itself doesn't decrypt the password when you log on... When you log on, the Unix system takes whatever you enter at the password prompt, encrypts it, and matches it to the entry in the passwd file. Thus, the Unix system never decrypts the password... it only compares it to a different encrypted string. While this may not sound too particularly useful at first, it is. There are programs that have been written to do the same thing on a personal computer... you supply it a list of passwords and a list of words to attempt to use as passwords (called dictionaries), and it spends the night encrypting dictionaries and matching them to password entries. By running a dictionary through a passwd file, on a typical system, you can usually get 10-20 accounts. Good personal computer examples of this program idea include Killer Cracker (the industry standard, so to speak) and CrackerJack (faster than Killer Cracker). Quick tips for CrackerJunkies with leech access at an H/P BBS: A standard dictionary will not uncover passwords protected with an appended digit or non-alphanumeric character. In order to get around this, you need only grab a program that processes the dictionary file to add that digit to each entry in the dictionary... although this takes longer, and you'll need to do it multiple times, you can typically get 10 more accounts just by adding a 1 to every entry. Files and directories in Unix are characterized further by their permissions. Permissions are a standard system of who gets access to a specific function of that file or directory. Standard permissions include read, write, and execute. You can get a list of permissions by typing 'ls -l'. The first field in the listing contains the permissions, grouped as follows: owner group world -------------------- rwx rwx rwx (Not drawn to scale... in fact, it doesn't look anything like that). Essentially, as long as the letter is there, you have access to that facet of the file. If the letter is not there, you'll see a dash... meaning you don't have access to that function. An example: rwxr-x--x In this case, the owner of the file can Read the file, Write to the file, and eXecute the file; members of his group (a bunch of linked accounts) can Read the file, CANNOT Write to the file, and can eXecute the file; and the rest of the user population CANNOT Read or Write to the file, but CAN eXecute the file. rwx---rwx is a WORLD-READABLE, WORLD-WRITABLE, WORLD-EXECUTABLE file. This simply means that anyone can read, write, or execute the file. Another permission sometimes set to a file is the SUID bit. An SUID file contains a smallcase s in the user executable section of the permissions list... rws--x--x When you execute an SUID file, your user ID becomes that of the owner of the file. While this may not look to important at first, by now you should know that no really important super elite hacker concept does. Take a look at this: rwsr-x--x Synopsis? It's a world executable SUID file. In essence, anyone can execute the file, and in doing so, become the owner of the file for the duration of the time that file is operating. However, this doesn't get you much, because you typically can't do anything while the programis running. More likely than not, it's calculating how many pencils it needs to order for school tomorrow or some other such drivel. The real power of the SUID file comes into play in this situation: rwsrwxrwx You won't see a lot of these, but when you do, look out. What you have here is a world writable SUID file... and a world writable program can be any program on the system you have read access to. Like, say, /bin/sh... the Unix shell... Quick command line example... 'diablo' is a root owned, world writable SUID file. I'm going to ignore the rest of the output of the ls command. #ls -l rwsrwxrwx... ...diablo #cat /bin/sh > diablo #diablo $ Oh, just so you know, the $ prompt denotes root access. Good deal, huh? In general, if you have right privs to an SUID file, copy it to your own directory and cat /bin/sh into it. You now have an instant gateway to the account of the owner of that file. If you want to find files that you can do this with, try this out: #find / -user root -perm -4000 -exec /bin/ls -al {} ";" This will give you a list of all root owned SUID files. If you want more info on the 'find' command, just 'man find'. Well, I'm overdo for an appointment on the IRC in #warez... so I'll cut off here. I hope I've been of assistance to you. ---------------------------------------------------------------------------- A C T U A L A R T I C L E E N D S H E R E . . . Please feel free to save an extra 1k of file space and invoke the DOS EDIT CUT command at the dotted line. Do not remove the rest of this article on penalty of law. S00P3R GR00P-3SQU3 GR33TZ / +HANX Greets go out to Nowhere Man, INC, THG, UNT, SaD, SoD, PTA, SOB Thanks to... ________________________ your ad here Current DWE Akshul M3mbre Boards: Nitro Burnin' Funny Cars WHQ/DWEnet HOST (312)582-1115 The Prodigal Sun CHQ/MECCA (312)238-3585 Dark Waters HQ/Infosite (312)667-0222 PyroTechnics II Infosite (708)991-9403 DWE M3/\/\B3R LiST President and Dictator for Life: Xanax Head Courier/Warez Cracker: Asriel Head Fisherman/Trout Expert: Changeling Head Person That Gets Asriel Free CDs: Monk Head Person That Gets DWE Members Free WaReZ: Pyro Head Person That Knows More Than Asriel (Honorary Title): LVX Head Person That Actually Wrote for DWE without Coercion: Cosmos Head Know-It-All Stoner that runs 386bsd: Goldstein Want to write for DWE? Neither do we. But if the spirit moves you, write up an article about anything we haven't discussed already, and post it somewhere in DWEnet or at any of the member boards, or call any of the members voice and dictate it to them, or submit it to them school newspaper of any of the members, or tack it on a bulletin board in the Third Coast Cafe in Century Mall, and chances are it'll be released as a s00per c00l DWE article. W H A T F O L L O W S M U S T N O T B E D E L E T E D --------------------------------------------------------------------------- (c) 1993 Dark World Enterprises Asriel(tm) appears courtesy of Hasbro, Inc.