-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-= Script Kiddies: How to be one, and be loathed by your peers =-
-= By Grifter =-
-= grifter@staticdischarge.com =-
-= http://www.2600slc.org =-
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

§ Introduction

I would like to state at this time that the term "peers" in the title of this text is used very loosely. I put this together rather quickly and it may have errors; I have had 7 hours of sleep in the last 72 hours, so give me a break. If you find an error, e-mail me and I'll fix it.

Most of the website defacements, trojan horses, and general cracks are carried out not by real hackers, but by people who have stumbled upon the hacker community, fallen into IRC and made themselves a funny name to call their own. They've seen WarGames, Sneakers, or Hackers and believe that this is what it's really like, and they want to be part of it. Besides, their friends will think they're really kool. We call these people Script Kiddies, and you can be one too.

§ What is a Script Kiddie?

I could probably go on and on for hours about what a script kiddie is and what they do. But the way I see it is, if you've found this site, then you probably know what it is; hell...you might even be one. Just to be on the safe side though, the basic definition of a script kiddie is "someone with limited, if any, skill in the arts of hacking; known to use other peoples' hard work in order to exploit as many machines as they can in order to feel better about themselves and pretend to be elite". Okay, so I made that up, but that's the way I see it. If you fit this category but want to make sure you're doing everything right, then read on. If not, read on anyway, I didn't write this for my health.
§ Footprinting

Now I know this seems an odd thing to put in since most kiddies will just scan for the latest vulnerabilities, but we'll pretend that you have someone in mind and actually thought ahead. You've got to make sure you know what you're getting into. It wastes an awful lot of time if you go through NT exploit after NT exploit for hours on end if the machine you are attacking is running Slackware. So know the OS and what exploits are available to you. Also, make sure you check to see what services are running on the system; it's these services that you will be exploiting. You can find this information easily; here are a few ways.

Daemon Banners - When you telnet to a port running a certain service it will return something that looks like this...

    220 targethost.org ESMTP Sendmail 8.9.1 (1.1.20.3/17Jun01-0239AM) Sun, 17 Jun 2001 03:22:36 0530

Okay, what this tells us is that the system is running Sendmail version 8.9.1; now you just need to find an exploit for this version of Sendmail.

Port Scanning - Very simple, you put in a hostname or IP and it will find any services running and sometimes return information about each service such as program data and version numbers. Try nmap.

Using your Browser - If you're targeting targethost.org then go to their website and go to a link you know does not exist, like... http://www.targethost.org/this-should-work.html. When you receive an error message it may contain the type of web server and what version is running.

§ Obtaining your Tools

Once you find out what OS is running on your target machine you can go ahead and look for the tools you're going to need to do whatever it is you plan to do with this system. There are a ridiculous amount of sites out there that have exploits for every operating system you could possibly think of.
The most popular being:

    http://packetstorm.securify.com
    http://www.securityfocus.com

Once you've jumped onto one of these sites you'll be flooded with terms like...advisories, texts, and exploits. Let me explain what you're looking at and what you're looking for. An advisory is basically a technical document that details how to go about fixing a hole in a particular system once you have located the problem. Texts are basically details about the exploit, and what you need to do to exploit it. Exploits are what you're looking for. While I highly recommend reading the advisories and texts so that you can have a better understanding of the actual hole, you are after all a script kiddie, so I'm not going to hold my breath. Exploits are actual code, a.k.a. scripts, that once compiled will do all of the work for you; they are written by real hackers and at times by the person who found the hole to begin with. Go ahead and download the exploits you need. I would once again recommend reading the source, but forget that, just compile it.

§ Once you're in

Wow, look at you, you got in. You must be super elite. I hope you're prepared for all the news reports about you and all of the people who are going to want to be your friend now that they know you can hack. Damn hacking is kool!!

Okay, so you're in, and look at you, not only did you get in, but that little program you ran got you root access on the system (that means you control it). Good for you. Now what do you do? Well, now it's time to cover your ass. By this I mean it's time for you to make sure you don't end up on the 10 o'clock news. Make sure you are alone. Use the "who" command and/or "ps -aux" so you know who is there and what processes are running. Hell, you could have tried "finger @blahblah.com" before ever getting in, but nobody really runs finger anymore. Time to erase all traces that you were even there. You can do this one of two ways:
1) Edit the logs by hand. You're looking for klog (kernel logger) and syslog (system logger). You can either change the logs so that what you did looks like actual users going about their business, or you can delete the entries in the log that pertain to you. Whatever you do, DO NOT delete the entire log files; this will tip the admin off that there is/was someone in his system and he'll go over his system with a fine-toothed comb to make sure you don't get in again, or worse, he'll wait for you to log in again and track you down, so you'll spend some time with Bubba.

2) Use a rootkit. That's right, you're lazy as hell, so here's something that will clean the logs for you, and if you find a nice one, leave a backdoor. You're limited on your source of rootkits though, so you're better off just learning to edit logs.

§ Maintaining Access

Well, now that you're in and you have a new toy, you certainly don't want it to be taken away. What you have to do now is find a way to maintain access to the system. Once again there are several ways you can do this.

1) Add yourself as a user on the system using "adduser". You could edit the password file from here and set your uid to 0, but that's about the most obvious backdoor there is, and an admin is bound to notice someone else trying to play god.

2) Add a trojan to a daemon. By doing this everything looks normal, but the daemon allows you to access a root shell. You run the risk of having this found because the size and date of the file will change.

3) Use rlogin. rlogin will let you log in remotely to a system. For example, using...

    rlogin cheech

will log you into your remote account on the system named cheech.

You can add as many backdoors as you like, but try to remember that the more you add, the more chances there are of the admin finding one and locking you out.

§ What now?

You have access to this machine and if you're lucky, total control over it.
Now you can do really kool things like running IRC bots or mail bombing people you hate. Hell, you can even use this machine to launch attacks on other machines, thereby making yourself harder to catch. Now go to your local 2600 meeting and show off your skills; you should be feared, and everyone will know this, especially since you reserved a room for DefCon.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
© 2600SLC.ORG 2001
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
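The two backdoors listed under "Maintaining Access" above (a second uid-0 account in the password file, and a trojaned daemon whose size and date change) are exactly what the admin's integrity check looks for. This is an added example, not part of Grifter's article: a Python check for both, where the /etc/passwd contents, the daemon paths (/usr/sbin/in.telnetd, /usr/sbin/sendmail) and the file snapshots are constructed sample data, not taken from any real system.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample /etc/passwd: root plus a planted second uid-0 account ("backup").
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
grifter:x:1000:1000::/home/grifter:/bin/bash
backup:x:0:0:backup:/tmp:/bin/sh
"""

def extra_uid0_accounts(passwd_text: str, allowed=("root",)) -> list:
    """Names of uid-0 accounts that are not on the allow-list (backdoor #1)."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or line.startswith("#"):
            continue  # blank, comment or malformed line; a real tool would flag the last
        if fields[2] == "0" and fields[0] not in allowed:
            hits.append(fields[0])
    return hits

@dataclass(frozen=True)
class FileRecord:
    size: int     # the "size" the article says will change ...
    mtime: int    # ... and the "date"; both are trivial to reset, so keep a hash as well
    sha256: str

def record(data: bytes, mtime: int) -> FileRecord:
    return FileRecord(len(data), mtime, hashlib.sha256(data).hexdigest())

def drifted(baseline: dict, current: dict) -> dict:
    """Per baselined daemon: which attributes changed, or 'missing' if it is gone (backdoor #2)."""
    report = {}
    for path, base in baseline.items():
        cur = current.get(path)
        if cur is None:
            report[path] = ["missing"]
            continue
        changed = [f for f in ("size", "mtime", "sha256") if getattr(base, f) != getattr(cur, f)]
        if changed:
            report[path] = changed
    return report

# Constructed snapshots: in.telnetd replaced by a trojaned copy, sendmail untouched.
BASELINE = {"/usr/sbin/in.telnetd": record(b"original in.telnetd bytes", 992000000),
            "/usr/sbin/sendmail": record(b"sendmail 8.9.1 bytes", 992000000)}
SNAPSHOT_NOW = {"/usr/sbin/in.telnetd": record(b"original in.telnetd bytes+shell", 992600000),
                "/usr/sbin/sendmail": record(b"sendmail 8.9.1 bytes", 992000000)}
```

On a live host the baseline would be taken from a known-good install and stored off the machine, since a rootkit that can edit syslog can edit a local baseline too.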