Hacking Basics
--------------

 2.1  What is hacking anyway?

A hacker is basically an explorer who gets "things" to do stuff they weren't intended
to do. These "things" can be anything from software, firmware, hardware, mechanical
devices, telephones, whatever. There is also a cleverness about the act.

Popular cultural outlets have caused the term hacker to be used to mean a computer
wiz who bypasses the computer security of another's system. This is essentially my
interpretation within the context of this FAQ, although I don't limit it to that 
meaning.

There has been much controversy in the mainstream and underground security
communities as to what the definition of "hacker" really is. Some say that the script
kiddies (who simply download pre-canned scripts of exploit code) are not hackers but
"crackers". Others say that if you actually code your own exploits then you are a 
hacker. Others call anyone that releases exploit code a cracker.

Then there are those who refer to hackers by their hat color, such as "black hat"
hackers (since they wear black they must be the bad guys who break laws), "white hat"
hackers (must be the good guys), and the "gray hat" hackers (who have a foot in, or at
least a clue about, both the white and black hat worlds).

Me? I'm probably gray: I don't commit crimes, but I probably know people who do. But
within the confines of this FAQ, I use the term "intruder" for someone who has gained
illicit access to a computer system.

 2.2  What are the steps to hacking?

There are usually around four different steps. Some people may combine two, or split
one into two, but this gives you a basic idea:

  1. Learn as much as possible about the target before the attack. This includes
gathering info from public sources, scans, and probes. By learning as much as you can
about a target, you can plan the next move. Typically the techniques involved here are
not illegal.
  2. Initial access to the system. This is part of the actual attack. It involves
gaining access to the system with some basic user access. It may or may not be illegal.
For example, anonymous FTP access could be considered initial access to the system,
but it may provide you with a method of uploading or downloading files that could
be used to further your level of access. Access to a shell account with basic user
rights might get you on the box and serve as a starting point for an attack. Also,
running a script that remotely spawns a shell you can connect to would be
considered a form of access. Generally, at this point what you are doing is considered
illegal.
  3. Full access to the system. You have established administrative control of the
box and can do whatever the rightful maintainers can do. You can modify, remove, or
install software; create, disable, and delete user accounts -- you own the box.
  4. Covering your tracks and installation of backdoors. Once the intruder has gained
access, the next step should be to clean up the presence of a break-in. Most modern
operating systems provide various logging and auditing features, and if you have 
achieved full system admin access to the box then you probably have enough authority
to remove the presence of the intrusion from logs. It also is the time to possibly
install backdoors, or altered versions of programs that would normally log your 
activities or otherwise reveal your presence.

We'll be covering the above topics in a little more detail as we move along.

 2.3  What are accounts?

Account. Username. Logon ID. There are many names for this, but essentially it is a
designation that identifies a particular user to the operating system. On most modern
operating systems, there are three types of accounts - user, system, and privileged.
Various levels of security are usually associated with those accounts.

User accounts are simply that -- accounts for regular users doing their regular work.
For example, the account name on the Windows system at work, or your user name at
your ISP, are regular user accounts. When viewing a listing of account names, this will
be the most common type of account name you find. In large companies there is usually
a naming convention for user accounts; at an ISP the end user is typically given
at least *some* freedom in specifying the account name. For example, accounts with
names like T19283, T78564, and T67482 on TotallyLame Inc.'s main server are probably
the regular user accounts. Other places use the first letter of the first name with
the first 7 letters of the last name, or some other combination. Typically the user
account name is whatever is to the left of the @ sign in someone's email address. At
Microsoft, Scott Culp (who answers secure@microsoft.com) is scottcu@microsoft.com. If
you were to target Scott Culp's account, you might try scottcu as an account name. The
naming convention is usually chosen to help distinguish what type of account it is. Those
that administer the system are mainly responsible for the naming convention, or it is
listed in the company's security policy.

System accounts are special accounts that are used by system processes, and can have
different levels of security assigned to them. On Unix systems these are accounts like
bin, daemon, and nobody. On NT they may start with IUSR (service users are system
accounts). On Netware they may be SAS Service or LDAP Catalog. Most of the time these
system accounts have privileges that are higher than a typical user, or special
security that can only access certain portions of the system.

Privileged accounts are the accounts that allow the maintainers to administer the
system. These accounts are usually considered to be god/goddess on the system. Each
of the major operating systems we are covering has one. On Unix it is usually root
(although any account with a UID of 0 is essentially root). On NT the default account
for administration is Administrator. On Novell it is Admin. On each of these three
operating systems you can use a different account as the god/goddess account, by
assigning a different account the same rights as the administrative account. On each
operating system it is easy to do this, and each operating system has a way to
determine who the real god/goddess account is.

An intruder's goal is usually a privileged account on a system. Of course they may have
to initially gain access as a regular user first, and explore to figure out their next
move, but unless they are after a specific user's files, the intruder will usually
target an account with privileges (or a process running on the operating system with
privileged authority).

Most system administrators will try to limit enumeration of account names, as this
gives a potential intruder a target. We'll cover the nuances of this in later sections.
Also, each system comes with defaults, and there are some common account names as well
as passwords that we'll cover in the individual sections for each operating system.

 2.4  What are groups?

Groups are groupings of users. All modern operating systems have them. To ease
administration, most organizations create groups and assign a lot of security access to
those groups. This saves time especially in organizations that are large, or have a lot
of employees who move from department to department.

An intruder should pay attention to who belongs to what group. If you can determine that
access to a group will give you access to the data you're after, you can target accounts
within that group to attack.

For example, you may discover that there is a group in NT called lanadmins. It has six
members, and through poking and prodding (discussed in the NT sections) you determine
that one member hasn't logged into the system for two months. You decide to attack that
account, because the group may have extra privileges on the network. And even if they
don't, it is possible that the group may have documented procedures stored in a
subdirectory on a server that only they have access to.

 2.5  What about passwords?

Obviously there needs to be some type of mechanism to prevent a regular user from
entering into a privileged account. Therefore virtually every system you run into will
require a password on each account.

Most systems require an account name and a password to gain entry. Two pieces of info.
If the intruder knows the account name, s/he can try passwords with that account name
to try and gain access. Therefore most systems will simply tell you that you've failed,
and not reveal whether the account name or the password was the part you had incorrect.

Many system accounts either have passwords of their own or cannot be used by a person
at all, only by internal processes. Therefore attacking these types of accounts
is a little more difficult, but not impossible. For example, if ftpd is running on a
Unix system as user bin, then causing ftpd to execute your commands (via some bug)
runs them with the authority of bin. This might not be enough rights to do much of
anything, but if bin is the owner of the /etc directory you could end up with the
ability to manipulate the contents of that directory, which contains a lot of system
files.

Most systems have the ability to enforce password rules to ensure passwords chosen by
the users are decent passwords (longer than 6 characters, with a mixture of upper
and lower case letters, numbers, and symbols). Not all systems enforce such rules.

Obviously this entire scenario depends upon two things -- storing enough info about
an account's password to determine that the password is correct when entered by the
user, and securing this info from casual viewing.

If all of the passwords are sitting in a particular file, then an intruder would
simply target the file. In case the file is captured somehow, you'd want to make sure
the passwords in it are encrypted or encoded.

Therefore most passwords are encrypted or encoded to some degree to create a hash. This
usually involves either an algorithm with a constant (e.g. NT's Lan Man hash), or
the creation of a unique hash by combining the password with a "salt" or keying
material (e.g. Unix or Netware).

The algorithm varies system to system, but the idea is that the password stored on the
system is not actually a password, but a one-way hash of the password. This means the
system only stores the hashes and not the actual passwords themselves. Therefore if an
intruder manages somehow to recover the hashes, they can't simply "decrypt" them.
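The contrast between a constant hash and a salted one, as an added example (not code from the FAQ): SHA-256 stands in for either system's real algorithm, and the user names and passwords are constructed.

```python
import hashlib
import hmac
import os

# Constructed example, not from the FAQ: contrast a constant (unsalted)
# one-way hash, the scheme of NT's Lan Man hash, with a salted one as on
# Unix. SHA-256 stands in for both systems' real algorithms.

def unsalted_hash(password: str) -> str:
    # The same password always gives the same hash, so two users who chose
    # the same password show up as duplicates in the hash file.
    return hashlib.sha256(password.encode()).hexdigest()

def salted_hash(password: str, salt: bytes) -> str:
    # The salt is stored beside the hash in the clear; it is not a secret,
    # it just makes each account's hash unique.
    return hashlib.sha256(salt + password.encode()).hexdigest()

def make_record(password: str) -> tuple:
    """What the system stores at password-set time: (salt, hash)."""
    salt = os.urandom(8)
    return salt, salted_hash(password, salt)

def verify(password: str, record: tuple) -> bool:
    """Logon check: re-hash the candidate with the stored salt and compare.
    The stored value is never "decrypted", only re-computed and matched."""
    salt, stored = record
    return hmac.compare_digest(salted_hash(password, salt), stored)

if __name__ == "__main__":
    # Two constructed users who both picked "cowboys".
    print(unsalted_hash("cowboys") == unsalted_hash("cowboys"))  # True
    first, second = make_record("cowboys"), make_record("cowboys")
    print(first[1] == second[1])      # False: different salts, different hashes
    print(verify("cowboys", first))   # True
    print(verify("cowboy", first))    # False
```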

 2.6  Why protect the hashes?

If the password has become this unreadable thing, why do we need to protect it? Well,
if we know the algorithm used to create the hash, we could simply create our own hashes
until we get a match. The password we used to create the matching hash is in fact the
password. There are programs available that automate this process of password cracking.

Therefore the file containing the hashes is usually hidden, obfuscated, or otherwise
placed in a location on the system that requires either administrative or some type
of "special" privileges.

 2.7  What is a "dictionary" password cracker?

A dictionary password cracker simply takes a list of words (typically from a dictionary)
and tries them one at a time, creating a one-way hash, and checking to see if there is
a match against the hash being cracked. If the hashes match, we have our password.

A lot of dictionary password crackers will perform permutations on each dictionary word,
such as adding a number to the end or some other type of manipulation (like substituting
numbers for certain letters). This makes the most of your dictionary list. If your
dictionary password cracker does not do character manipulation, there are tools you can
get that will do some of that work for you.

You can find word lists for tons of different languages, industry specific languages,
and other various lists on the Internet. A good place to start is
http://www.hackersclub.com/km/files/password_cracker/wordlists/index.html, which has
around 70MB worth of wordlists. A search in AltaVista with "cracking wordlists" will
find you even more.

Most typical hackers will have at least 50MB of wordlists; I know a few with well over
100MB.

 2.8  What is a "brute force" password cracker?

A brute force password cracker works just like the dictionary password cracker, but
starts with "A", "B", "C" and so on through "AA", "AB", etc until it has exhausted
all possible combinations of legal characters. This will eventually recover the password
regardless; it is simply a matter of time. All it depends on is the CPU power and the
patience of the person running the cracker. Most crackers have options that allow for
the user to specify the maximum password length to check, or the characters to be used
during the cracking (such as alpha characters only).
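The dictionary run with word manipulation from 2.7, and the size of the search space a brute force run from 2.8 has to cover, as an added example (not code from the FAQ) written as the audit an administrator runs against their own hash file: the hash scheme, account names and passwords are constructed.

```python
import hashlib

# Constructed example, not from the FAQ: a password audit run against one's
# own salted hash records to find accounts a dictionary cracker with simple
# word manipulation would recover. The hash scheme (SHA-256 over
# salt+password) and the sample records are assumptions for illustration.

def salted_hash(password: str, salt: bytes) -> str:
    return hashlib.sha256(salt + password.encode()).hexdigest()

def mangle(word: str):
    """Yield the word plus the cheap permutations crackers try first."""
    yield word
    yield word.capitalize()
    for digit in "0123456789":                # trailing digit, e.g. cowboys1
        yield word + digit
    leet = str.maketrans("aeios", "43105")    # numbers-for-letters substitution
    yield word.translate(leet)

def audit(records: dict, wordlist: list) -> dict:
    """Return {account: recovered_password} for each record a dictionary run
    would crack. Records are (salt, hash); each account's salt differs, so the
    candidates must be hashed once per account rather than once overall."""
    found = {}
    for account, (salt, stored) in records.items():
        for word in wordlist:
            for candidate in mangle(word):
                if salted_hash(candidate, salt) == stored:
                    found[account] = candidate
                    break
            if account in found:
                break
    return found

def brute_force_space(charset: str, max_len: int) -> int:
    """Candidates a brute force run must hash to exhaust every string of
    length 1..max_len over charset; this is what sets the "matter of time"."""
    return sum(len(charset) ** n for n in range(1, max_len + 1))

# Constructed sample records: three minimum-effort passwords and one strong one.
SAMPLE = {
    "T19283": (b"s1", salted_hash("cowboys1", b"s1")),
    "T78564": (b"s2", salted_hash("Trucks", b"s2")),
    "T67482": (b"s3", salted_hash("p455w0rd", b"s3")),
    "jdoe": (b"s4", salted_hash("9wG#m2Lq!t", b"s4")),
}
WORDLIST = ["cowboys", "trucks", "password", "secret", "test"]

if __name__ == "__main__":
    print(audit(SAMPLE, WORDLIST))
    print(brute_force_space("abcdefghijklmnopqrstuvwxyz", 6))
```

Only the three weak accounts come back; the fourth would have to be found by brute force over a far larger space.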

 2.9  So what is the best password cracking method?

The decision on whether to use a dictionary versus brute force really depends upon your
goals and your resources. If you have some really cool exploits that must be run as a
regular user to give you elevated privileges, and you have acquired password
hashes from that system, a dictionary crack will usually yield at least one password
(unless the system is run by paranoid sys admins). In large organizations, my personal
dictionary cracking experience says that you'll get at least 20% of the passwords
cracked with large dictionaries, and in some cases as much as 75%.

If you need to crack a god/goddess password such as Unix's root, NT's Administrator,
or Novell's Admin, I would still run a dictionary attack and follow it with brute force.
There are other considerations which I'll touch on in each OS's section in the FAQ.

 2.10 What are common passwords?

Again, based upon personal experience I've seen a trend toward hobbies, sports, names
of family members, and other basic things. Some common generic passwords include
secret, test, password, computer, and assorted curse words. In a lot of organizations,
the end users are not computer technicians by trade. They are lawyers, secretaries,
clerks, doctors, bank tellers -- basically the computer to them is not where their
major skill set may lie. Therefore they will have a tendency to use the minimum
amount of effort required to use the computer. The same goes for your average Internet
user. Not too long ago the Internet *was* mainly populated by computer geeks, but
now it is the same type of people we just mentioned -- clerks, insurance salesmen,
etc. They too will use the minimal amount of effort to do their online shopping and
porn viewing.

The minimal effort is using the smallest password possible. If the system requires
a minimum of 6 characters, then the password will be 6 characters. If it requires
at least one number, then they will usually have the number 1 at the end of a five
character word. If the system requires their password to be changed every 30 days and
it can't be a password they've used the last 8 times, it will be something like
their three initials followed by the three letter abbreviation of the current month.

In a large sports town such as Dallas, a really common password will be cowboy or
cowboys. At a large airline the passwords will typically include the three letter
airport abbreviation of the user's home town. A trucking company's server will have
at least one user with a password of "trucks".

Learning a bit about the users in general on a system will tell you a lot about
potential passwords. And the larger the system, the greater the chances are the password
is an easy one.

Don't forget about accounts and passwords built for specific purposes, like the sys
admin trying out some strange permissions or trying to perform some automated task.
Account backup, password backup. Account test, password testing. You get the idea.
Also look for "Joe" accounts. These are accounts where the user has made the password
the same as the account name, or the account name backwards, or some similar
variation.
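A password-change check that rejects the minimum-effort choices this section describes before they are stored, as an added example (not code from the FAQ); the rule set, the month handling and the sample inputs are assumptions for illustration.

```python
import re

# Constructed example, not from the FAQ: reject the minimum-effort patterns
# (Joe accounts, generic words, word+1, initials+month) at password-set time.
# The exact rules and thresholds are assumptions for illustration.

COMMON = {"secret", "test", "password", "computer", "backup", "testing"}
MONTHS = ("jan", "feb", "mar", "apr", "may", "jun",
          "jul", "aug", "sep", "oct", "nov", "dec")

def weak_reasons(username: str, password: str, full_name: str = "") -> list:
    """Return the reasons a password is weak; an empty list means it passes."""
    pw = password.lower()
    user = username.lower()
    reasons = []
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    if pw in (user, user[::-1]):
        reasons.append("Joe account: password is the account name or its reverse")
    if pw in COMMON:
        reasons.append("common generic password")
    # five-letter word with a 1 tacked on to satisfy a "must contain a number" rule
    if re.fullmatch(r"[a-z]{5}1", pw):
        reasons.append("word followed by a single trailing 1")
    # the user's initials followed by a three letter month abbreviation
    initials = "".join(part[0] for part in full_name.lower().split())
    if initials and pw.startswith(initials) and pw[len(initials):] in MONTHS:
        reasons.append("initials followed by a month abbreviation")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    if classes < 3:
        reasons.append("fewer than three character classes")
    return reasons

if __name__ == "__main__":
    # Constructed inputs: a Joe account, a word+1, initials+month, and a good one.
    for args in (("backup", "pukcab"), ("T19283", "truck1"),
                 ("jdoe", "jqdmar", "John Q. Doe"), ("jdoe", "Tr4ins-Run-Late!")):
        print(args[:2], weak_reasons(*args))
```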