Sunday, August 5, 2007

Rooting


Published by: paranoiahax, on hackthissite.org
An article on gaining root to a remote system:

Too often have I seen articles that claim to teach how to hack into a server, but all they do is just show you how to scan open ports, and many many people have no idea what to do with an open port. So I am going to show you pretty much all the basics, to get you well on your way to your first ever successful hack of a server, giving you root privileges.

The first tool that you will need is a good port scanner. Nmap and SuperScan are my favourites by far, and Nmap is by far the most popular port scanner in the world because of its many features. You can download both at: http://www.hackinglibrary.ws/dl/downloads/superscan4.zip and http://insecure.org/nmap/

SuperScan: If you have a website that you mainly want to target, then just copy and paste the URL into the box and click lookup. It will automatically determine the IP address, and with this you can simply scan away.

Nmap: Nmap is used entirely through the CLI (command-line interface). To determine the IP address of a website, just run a WHOIS on it; http://whois.domaintools.com is the best one I know of and has many features. Also check out http://www.dnsstuff.com/, which is also very useful and has many features. If you simply type "nmap 192.168.1.1" (changing the IP you see here to the target's IP address), it will scan the target for open ports, and using -O will fingerprint the OS the remote system is using.

Once you have your port list at hand, you will need to find out what program each port is running, and the best manual way to do this is to connect to each port through telnet. When you are connected, you will be welcomed by a screen with some information. If you copy and paste all this information into a .txt file, and do this for each port, it will become clear which programs run on which ports, and you will also be able to see whether it has the latest versions of the software (remember that new versions come out, securing the program more, so if the program has an extremely old version of the software, it will more likely be exploitable).
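The same banner list is what an administrator should review on their own hosts. The following is an added example, not part of the original article: it parses "port: banner" notes, extracts each disclosed product and version, and compares them with a patch baseline. The banners, the `MIN_VERSIONS` baseline and the function names are constructed for illustration.

```python
import re

# Constructed banner notes, one "port: banner" entry per line, in the form the
# article describes saving to a .txt file. Hosts and versions are made up.
SAMPLE_BANNERS = """\
21: 220 ProFTPD 1.3.0 Server (internal-ftp) [10.0.0.5]
22: SSH-2.0-OpenSSH_4.3
25: 220 mail.example.test ESMTP
80: Server: Apache/2.2.4 (Unix)
"""

# Hypothetical baseline: the oldest version still accepted for each product.
MIN_VERSIONS = {"proftpd": "1.3.1", "openssh": "4.6", "apache": "2.2.4"}

# A product name, then '/', '_' or a space, then a dotted version number.
BANNER_RE = re.compile(r"([A-Za-z][A-Za-z-]+)[/_ ](\d+(?:\.\d+)+)")


def version_key(version):
    """Turn '1.3.0' into (1, 3, 0) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def audit(text, baseline=MIN_VERSIONS):
    """Return (port, product, version, status) for every disclosed version."""
    findings = []
    for line in text.splitlines():
        port, _, banner = line.partition(":")
        if not port.strip().isdigit():
            continue  # skip anything that is not a "port: banner" entry
        for match in BANNER_RE.finditer(banner):
            product, version = match.group(1).lower(), match.group(2)
            if product not in baseline:
                status = "no baseline"
            elif version_key(version) < version_key(baseline[product]):
                status = "outdated"
            else:
                status = "current"
            findings.append((int(port), product, version, status))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_BANNERS):
        print(finding)
```

Every row returned is version information handed to anyone who connects, and port 25 is absent because its banner discloses none. Where the service allows it, trim the banner (for Apache, `ServerTokens Prod`) and patch anything marked outdated.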
Once you have done this and got a list of all the programs running on the open ports, now is the time to search for an exploit. There are many ways to do this:

Milw0rm (http://www.milw0rm.com) is an old favourite of mine. If you go to http://www.milw0rm.com/port.php it will give you a drop-down menu of ports. Look through each one, check whether the exploits for the programs there match any of the programs you have in your .txt file, and finally check the versions. If you see an exploit there, click on it. If it's a Perl exploit (it will start with #!/usr/bin/perl), this is even better, because it means that you don't have to mess about compiling the exploit. If not, you will have to compile the exploit yourself; look up another article for this, but you will need Cygwin if you are running Windows. All you have to do is run the command "perl exploit.pl [target]", and if you're lucky it will be successful, and all you need to do now is either connect through netcat (the hacker's best friend, an alternative to telnet) and you will have root privileges. Or, if the payload is a reverse bind, your computer may open another terminal automatically with root rights. Now you may go to the directory that the site is stored in (usually /home/site here) and you can do whatever you feel to the site in question.

Metasploit is another great method. You can download Metasploit from: http://framework.metasploit.com/msf/download
Once you have this, run it (msfconsole) and type "show exploits". This will give you a list of all the exploits in Metasploit's library. Look for one that exploits one of the port's programs you found, and when you find it, type "use [exploit here]".
Now type "show targets". This will give you a list of targets; just set it to the OS you found while fingerprinting it with Nmap by typing "set target x".
Now "show payloads" will show you the payloads available. Using a reverse bind will give you the prompt; with others you will have to connect yourself through netcat. Also, note that it has FreeBSD, win32, and Linux payloads, depending on the system. Right, now type "show options" and it will give you a list of options, which will show you the various parameters for the specific exploit you're working with. Set RHOST to the IP of your target with "set RHOST 192.168.1.1" and set LPORT as the listening port you want; port 4444 is the default. If you want to reset it all, just type "back" into your console.
If all is well, then all you need to type is "exploit" and Metasploit will do it all for you, and once again you have just owned another system.
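Seen from the defending side, the steps above leave two traces in connection logs: one source touching many ports on one host, and later an internal host connecting out to the default listening port of 4444. The following is an added example, not part of the original article, that flags both; the log format, addresses, thresholds and the `INTERNAL` range are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed firewall log lines (format and addresses made up for this example).
SAMPLE_LOG = """\
2007-08-05T10:00:01 SRC=203.0.113.7 DST=10.0.0.5 DPT=21
2007-08-05T10:00:01 SRC=203.0.113.7 DST=10.0.0.5 DPT=22
2007-08-05T10:00:02 SRC=203.0.113.7 DST=10.0.0.5 DPT=23
2007-08-05T10:00:02 SRC=203.0.113.7 DST=10.0.0.5 DPT=25
2007-08-05T10:00:03 SRC=203.0.113.7 DST=10.0.0.5 DPT=80
2007-08-05T10:00:09 SRC=198.51.100.20 DST=10.0.0.5 DPT=80
2007-08-05T10:07:30 SRC=10.0.0.5 DST=203.0.113.7 DPT=4444
"""

LINE_RE = re.compile(r"(\S+) SRC=(\S+) DST=(\S+) DPT=(\d+)")
INTERNAL = ip_network("10.0.0.0/8")   # assumed internal address range
SCAN_PORTS = 5                        # distinct ports from one source to one host
SCAN_WINDOW = timedelta(seconds=60)   # within this window counts as a scan
DEFAULT_LPORT = 4444                  # default listening port named in the article


def detect(log):
    """Return alerts as (kind, source, destination) in the order they fire."""
    alerts, flagged = [], set()
    seen = defaultdict(list)          # (src, dst) -> [(time, port), ...]
    for match in LINE_RE.finditer(log):
        ts = datetime.fromisoformat(match.group(1))
        src, dst, port = match.group(2), match.group(3), int(match.group(4))
        # Internal host connecting out to the default listener port.
        if (ip_address(src) in INTERNAL and ip_address(dst) not in INTERNAL
                and port == DEFAULT_LPORT):
            alerts.append(("egress-4444", src, dst))
        # One source reaching many distinct ports on one host in a short window.
        hits = seen[(src, dst)]
        hits.append((ts, port))
        recent = {p for t, p in hits if ts - t <= SCAN_WINDOW}
        if len(recent) >= SCAN_PORTS and (src, dst) not in flagged:
            flagged.add((src, dst))
            alerts.append(("port-scan", src, dst))
    return alerts
```

The port check only catches an unchanged default, so treat it as a cheap tripwire alongside a default-deny egress policy rather than as coverage.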

The final method is writing the exploit yourself. This is a more advanced level, and there are many places that teach you the basics, phrack.org has some good tutorials. But there is no tutorial that will teach you how to write your own exploits all the time, because after all, programming is about learning yourself through experience and practice.

If you have any further questions, then please please use Google. Google really is a hacker's best friend, and it has all the answers to life's problems ;-) If all else fails, then please feel free to mail me at paranoiahax@live.com.

This article was intended for the newbies out there who are still unsure about what the elite call "real hacking" and I apologise if it isn't very well structured, as I am not too good at writing articles.

One final note is that using these methods illegally and improperly will probably land you a one way ticket to jail, you will not pass go, will not collect £200 and will get raped by a big white man called Bubba. Use the skills taught here for ethical reasons only; neither HackThisSite nor myself are responsible for any actions that you do, or any damage that you cause. You have been warned.
