Thursday, 15 December 2011

Looking Around

What should you expect to find, once you've made it onto a system or network? A whole lotta things!

There may be files to read, programs to run, or ways to move about from one computer to another, or one network to another.

Try looking for backup files and files that have been automatically saved on a timed basis. Some text editors leave behind files like this that are readable by anyone who happens to pass by. If the sysadmin has been editing the password file, or some other file containing sensitive data, you could be in luck. Electronic mail is often not automatically deleted, and it accumulates in (perhaps hidden) files on disks. Deleted files may not be deleted right away, but become hidden or moved to a special directory.

See if you can find evidence of security logs. One of the most common errors for a user to make while logging in is to type the password at the username prompt. If you can find a readable security log it will often contain records of these login errors. For example, if George Washington tries logging into his UNIX account with his password, "cherrytree," but he types a little too fast, the following ensues:

Washington [Enter]
Username:cherrytree [Enter]
Password:

George realizes he has messed up. He has typed his name before the login prompt, and he has put his password (quite visibly) on the "Username:" line. He presses Enter a few times to clear everything, but the damage is already done.

Somewhere in the administrative directories, there is a log file that reads:

Unsuccessful login of user cherrytree @ Tue, Mar 24, 1992, 14:16:03

Now you just have to go through the various users on the system until you find the one who uses this password.

Security logs may also keep track of files sent and received, errors resulting from unauthorized commands, new accounts or new users being granted superuser status.
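From the defender's side, the lesson of the George Washington entry is that a rejected "username" matching no real account is most likely a password, and should be masked before the log is stored or shipped. The Python below is an added example, not code from the original text; the log lines, the account list, and the sshd-style line formats are constructed for the example.

```python
import re

# Constructed sample lines: two in the format quoted on the page and two in
# the forms a modern sshd writes for the same kind of failed login.
SAMPLE_LOG = """\
Unsuccessful login of user washington @ Tue, Mar 24, 1992, 14:15:58
Unsuccessful login of user cherrytree @ Tue, Mar 24, 1992, 14:16:03
Mar 24 14:16:40 host sshd[1201]: Failed password for hjones from 10.0.0.5 port 40112 ssh2
Mar 24 14:17:02 host sshd[1209]: Invalid user Summer2011! from 10.0.0.5 port 40118
"""

# Accounts that really exist on the box (constructed); any other value that
# shows up as a rejected "username" is treated as a leaked credential.
KNOWN_USERS = {"washington", "hjones", "root"}

# One pattern per log format; the named group captures the rejected name.
PATTERNS = [
    re.compile(r"Unsuccessful login of user (?P<user>\S+)"),
    re.compile(r"Invalid user (?P<user>\S+) from"),
    re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from"),
]

def redact_unknown_usernames(log_text, known_users):
    """Return (redacted_lines, flagged_line_numbers).

    A mistyped real username gets masked too; that false positive costs
    nothing, whereas a missed password sits in the log for anyone who can
    read it. Only the line number is reported, never the masked value, so
    the report does not become a second copy of the secret.
    """
    redacted, flagged = [], []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for pat in PATTERNS:
            m = pat.search(line)
            if m and m.group("user") not in known_users:
                line = line[:m.start("user")] + "<REDACTED>" + line[m.end("user"):]
                flagged.append(lineno)
                break
        redacted.append(line)
    return redacted, flagged

if __name__ == "__main__":
    lines, hits = redact_unknown_usernames(SAMPLE_LOG, KNOWN_USERS)
    print("\n".join(lines))
    print("masked on lines:", hits)
```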

Speaking of security, the first thing you should do any time you log in to an account for the first time is try to get a sense of who this person is whose account you are borrowing (assuming you don't already know). When you log on you will most likely be greeted with a message telling you the last time that account had been active, and possibly which location or server the user had contacted it through.

If the message tells you that the legitimate user logged in recently then you may have a problem. Note the time of day the account was used and try to hack around it. Try logging in two times simultaneously on two separate computers and see what happens. Do you get an error message the second time? Is it possible to detect the presence of another person using the account with you concurrently? You want to know such things because you want to be able to deal with having the account holder coincidentally log on at the same time as you.

Let's look at this first scenario. You are logged into the account... the actual user tries logging in but gets a "User hjones already logged in on port 116" message. You have no way of knowing that this has occurred, but you can prepare for its eventuality by sending an e-mail message to the account, purportedly from the system manager, and leave it unread. So if the legitimate account holder were to log in she would find something like this waiting for her:

Message #01
From 1513 SuperUser
To AUUSERS@calli.poo.n-til

Some faulty wiring has led to problems with several of our port connection verifier circuits in the subchart group C of the local network system. If you receive a message upon login that you are already logged on, please hang up and try again in a few minutes.

We are sorry about this problem and we are doing what we can to correct it, but this will take time. It was a matter of choosing between a bit of inconvenience for a while, or shutting down the system entirely. I hope you will agree it is better to have some bugs in the system than no system at all.

We expect the problem to be cleared up before March 3rd. Thanks for your cooperation.

Often users will have personal history logs stored in their directory. There may be history reports detailing command activity, newsgroup readership, file transfers or files deleted. These can show you when and how the legitimate user is using the system, and also the level of competence of the user.

If your account has been used very infrequently, then you know that the actual account owner poses very little threat to you - although it also means the system manager is now a threat, since he will suddenly see tons of activity from an account that had never before been active.

On the other hand, if the account holder is in there night and day, you will have to be more wary of him than of the sysop - after all, any hacking you do from that account will get lost in the shuffle.

Commands To Look For And To Use

Most operating systems come with extensive online help. On UNIX, you can type "man commandname" to see the manual page for a command. Also helpful is "apropos" which will display a list of commands that are related to a given word. For example, "apropos password" lists all the commands, programs and variables that have something to do with passwords. You can then use "man commandname" to find out what each one means.

On TOPS machines you can type "help" or "help commandname" for on-line information.

Process commands tell you what is being done on the system and, generally, who is doing it. UNIX lets you type "ps -f" to see how other people are using the computer. Using such commands will give you a feel for what options are available to you. Also, it will show you which users have access on other computers, if they are logged into them from the one you are on. If you're extremely lucky you might even find an encryption key poised in the list of processes. If a person has typed something like "crypt key < filename" that entire command, including the key, will appear in the listing. Unfortunately, the crypt program acts to remove the key from the listing once it is activated, but there is a brief period when the key is public data, there for all to see. A "daemon" program could search for such occurrences (See glossary).
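The exposure window described above is why current practice is to never pass a key on the command line, and why an administrator should audit for processes that still do. The Python below is an added example, not code from the original text: it walks a process table and reports each process whose arguments carry a secret, the page's "crypt key < filename" case included, without echoing the secret itself. The flag-name heuristics and the sample process table are constructed assumptions; linux_processes reads /proc and therefore only works on Linux.

```python
import os
import re

# Heuristic: option names that usually carry a secret as their value, written
# either as "--password=x" or as "--password x" (value in the next argument).
SECRET_FLAG = re.compile(r"^--?(?:password|passwd|pass|key|secret|token)(?:=|$)",
                         re.IGNORECASE)

# Programs whose secret is a bare positional argument. The page's
# "crypt key < filename" reaches the process as argv ["crypt", "key"], since
# "< filename" is a shell redirection, so the key is argv[1].
POSITIONAL_SECRET = {"crypt": 1}

def find_secret_args(processes):
    """processes: iterable of (pid, user, argv). Returns (pid, user, program,
    reason) for each process exposing a secret in its arguments. The secret
    value itself is deliberately left out so the report is safe to share."""
    findings = []
    for pid, user, argv in processes:
        if not argv:
            continue
        program = os.path.basename(argv[0])
        idx = POSITIONAL_SECRET.get(program)
        if idx is not None and len(argv) > idx:
            findings.append((pid, user, program, "positional key"))
            continue
        for arg in argv[1:]:
            if SECRET_FLAG.match(arg):
                findings.append((pid, user, program, arg.split("=", 1)[0]))
                break
    return findings

def linux_processes():
    """Read every process's argv from /proc (Linux only); owner is the uid."""
    result = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                raw = f.read().split(b"\0")
            uid = os.stat(f"/proc/{pid}").st_uid
        except OSError:  # process exited, or cmdline hidden by hidepid
            continue
        result.append((int(pid), str(uid), [a.decode(errors="replace") for a in raw if a]))
    return result

# Constructed sample process table: three exposures and one clean process.
SAMPLE_PROCESSES = [
    (101, "hjones", ["crypt", "s3cret-key"]),
    (102, "dba", ["mysql", "--password=hunter2", "-h", "db1"]),
    (103, "web", ["/usr/bin/python3", "app.py", "--token", "abc123"]),
    (104, "ops", ["/usr/bin/vim", "notes.txt"]),
]
```

On a live Linux host, find_secret_args(linux_processes()) gives the same report for the real process table.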

"Telnet" is a program that allows you to connect to other computers. Earlier it was mentioned that the account you've entered is most likely a low-access account. The reason a hacker bothers with regular user accounts in the first place is to give him or her a safe place to do real hacking. From that account you can do all the things you would never do from your legitimate account, like telnet to Pentagon computers and start a brute force attack. UNIX also has a "cu" (Call Up) command which allows the user to call up a specified phone number.

Calling one computer from another enables the hacker to avoid being traced. It also might be the most practical solution to the problem of connecting to a certain computer, since some computers can only be accessed through other networks.