Der Matze im Netz


 

Hacking a Server
Dear admin,
the following links and hints may help you to find possible weaknesses in your systems.

				Greetings, Matze (www.dermatzeimnetz.de)


Default Information Links:

		[http://www.iana.org/assignments/port-numbers] # overview of all used ports
		[http://www.ietf.org/rfc.html] # overview of all RFCs
			IPv4			791, 950, 919
			IPv6			1883, 1884
			TCP			793
			UDP			786

			RIP			1058
			IGRP (Cisco)
			OSPF			1247
			EGP			904, 1009
			BGP			1105, 1265, 1266, 1267, 1268

			SMTP			821, 822
			MIME			1522, 1523
			PEM			1421, 1422, 1423, 1424

			NNTP			977
			NNAF			1036

			Telnet			197, 754, 755-761, 774, 775, 854, 855, 1091, 1096, 1116
			FTP			959
			DNS			1032, 1033, 1034, 1035, 1101

			NFS			1057, 1094, 1014
			NIS

			NTP			1305
			SNTP			1769

			LDAP			2251
			MD5 HASH		1319, 1320, 1321

			URL-Syntax		1738



Related Links:

	tools:
		[http://www.packetfactory.net] # good source for network security tools
		[http://www.aa-security.de]    # network tool to send and receive any kind of packet
		[http://www.ussrback.com]      # lots of exploits and tools for Linux and Windows (out of date)
		[ftp://coast.cs.purdue.edu/pub/tools/unix/] # lots of tools (crypto, daemons, firewalls, IDS, libs, logs, net, pwd, scanner, sys)

	rootkits:
		[http://packetstorm.security-guide.de/UNIX/penetration/rootkits/indexdate.shtml] # overview of current rootkits and backdoors, for example:
			# Knark 2.43 (kernel module rootkit)
			# lrk5 (backdoors some files)
			# Q (client/server backdoor)
			# b0stt (sshd trojan that logs all passwords)
			# apachebd (httpd 1.3.17-19 backdoor, spawns a root shell when a certain page is requested)
		[http://www.team-teso.net]      # adore (mighty kmem rootkit)

	exploits:
		[http://packetstorm.security-guide.de/]         # the number one code archive, ever
		[http://packetstorm.security-guide.de/Netware/penetration/] # overview of netware penetration tools
		[http://www.nmrc.org/project/pandora/index.html]        # home of the pandora project (netware penetration)

	virii:
		[http://www.megasecurity.org]   # probably the biggest archive of trojans
		[http://www.wildlist.org/]      # all viruses "in the wild"

	groups, projects, hackers:
		[http://www.team-teso.net]      # famous German hacker group
		[http://mixter.void.ru]         # mixter's site, what else should I say

	vulnerability lists:
		[http://www.sans.org/top20/]    # top ten (Windows + Unix) vulnerability list
		[http://www.cve.mitre.org/]     # Common Vulnerabilities and Exposures
		[http://www.cert.org/advisories/] # CERT advisories

	FAQs:
		[http://www.faqs.org]           # probably any kind of FAQ
		[ftp://rtfm.mit.edu/pub/usenet-by-hierarchy/comp] # FAQ archive


PASSWORD_GUESSING:

	wordlists:
		[ftp://ftp.cerias.purdue.edu/pub/dict/] # dictionaries and wordlists
		[ftp://ftp.ox.ac.uk/pub/wordlists/]     # wordlists

	cracker:
		[http://www.openwall.com/john/]         # John the Ripper, very good password cracking utility
		[http://www.users.dircon.co.uk/~crypto/] # Cracker Jack, good password cracking utility

SCANNER, SNIFFER, SPOOFER:

		[http://monkey.org/~dugsong/dsniff/]    # dsniff, including:
			arpspoof - ARP poisoning and spoofing (take over all traffic in a LAN just by poisoning: the gateway's MAC address is now yours)
			dnsspoof - create a DNS reply to tell a target that you are www.host.tld (did you ever want to be microsoft.com? ;)
			dsniff - sniff every password you can get (use it with arpspoof ;-)
			filesnarf - NFS traffic sniffer
			macof - floods MAC addresses in a LAN (switches fail open into repeating mode and are no longer switches :)
			mailsnarf - I read your email ;-)
			msgsnarf - sniffs IRC messages (also AOL, ICQ, MSN, Yahoo)
			sshmitm - man-in-the-middle attack to hijack SSH version 1 connections
			sshow - analyses some kinds of SSH traffic
			tcpkill - kill a TCP connection in a LAN
			tcpnice - slow down specified TCP connections on a LAN
			urlsnarf - sniffs URLs
			webmitm - man-in-the-middle attack for HTTP and HTTPS!!
			webspy - passive surfing ;-)

		[http://ettercap.sourceforge.net/]      # ettercap: powerful sniffer including a man-in-the-middle attack tool
		[http://lin.fsid.cvut.cz/~kra/]         # hunt: good sniffer and man-in-the-middle attack tool
		[http://p-a-t-h.sourceforge.net/html/index.php] # Perl advanced TCP hijacking
		[http://www.nmap.org]                   # nmap: THE port scanner
		[http://www.doxpara.com/paketto]        # advanced TCP/IP toolkit
		[http://www.tcpdump.org]                # tcpdump: dump all traffic (with pattern matching) to screen or file
		[http://www.ethereal.com/]              # ethereal: nice frontend to analyse and sort tcpdump output
		[http://etherape.sourceforge.net/]      # etherape: graphical tool (GTK) to analyse who is talking to whom with which protocol in a LAN (looks nice :)
		[http://www.nessus.org/]                # nessus: nice scanner that knows a lot of exploits (IMHO better than saint)
		[http://www.wwdsi.com/saint/]           # saint: nice scanner that knows lots of exploits

PACKET GENERATOR:

		[http://www.aa-security.de/]            # APSR is a network testing tool designed to send and receive arbitrary network packets
		[http://www.hping.org/]                 # command-line oriented TCP/IP packet assembler/analyzer
		[http://hispahack.ccc.de/programas/]    # ICMPush + httpush, tools to create ICMP/HTTP packets

CRYPTO:

		[http://www.team-teso.net/releases.php] # burneye, encrypts your executable binaries

KEYLOGGER, ETC.:

		[ftp://coast.cs.purdue.edu/pub/tools/unix/sysutils/ttywatcher] # tty hijacking (watches in real time what a user is doing in his shell)

RTFM:

		[http://www.deter.com/unix/index.html#papers]           # known weaknesses


HOWTO->DELETE_LOGS:

		[www.ussrback.com]
			- cloak: string replace in specified log files
			- zap2
			- clean



HOWTO->SCAN_PASSIV:

	- who is your enemy?
		./whois IP
	- where is your enemy (physically)?
		[www.iana.org/assignments/ipv4-address-space]
	- where is your enemy (virtually)?
		./traceroute IP

HOWTO->IP_SPOOF:

		[www.krecher.de]        # some experimental spoofing sources
		[www.nmrc.org/files/unix/ip-exploit.txt]        # explanation of IP spoofing
		[www.engarde.com/software/seqnumsrc.c]          # ??
		[www.rootshell.com/archive-j457nxiqi3gq59dv/199707/ipspoof.c]   # Spoofit, ipspoof
		[staff.washington.edu/dittrich/talks/qsm-sec/P50-06.txt]        # Juggernaut
		[www.net-security.sk/network/spoof/rbone.tar.gz] # Rone
		[www.deter.com/unix/software/arnudp.c]          # udp-spoofer

	- create an IP packet with the source address of the internal network
		if the internal network uses private IPs - hope the firewall will accept internal IPs from an external network interface, or lose
		if the internal network uses official IPs - there should be no problem
	- send it to (and through) the firewall

HOWTO->ARP_SPOOF (LANs only):

	- create ARP replies to everyone in the LAN saying that you are the gateway (use arpspoof IP.OF.THE.GW)
	- create ARP replies to one host in the LAN saying that you are the server or gateway (use arpspoof -t IP.OF.THE.TARGET IP.OF.WHO.YOU_WANT_TO_BE)

HOWTO->DNS_SPOOF:

		[packetstorm.securify.com/Exploit_Code_Archive/jizz.c]

HOWTO->SOURCE_ROUTE:

	- search for a stable route to your target (maybe try traceroute?)
	- create an IP packet
		IP source address = your target
		IP destination address = your target's destination
		set the loose-source-routing flag

HOWTO->TCP_SEQUENCE_NUMBER_GUESSING:

        	[www.deter.com/unix/papers/bsd_tcpip_weakness_morris.ps.gz] # RTFM