Thursday, December 15, 2011

Script Kiddie

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

          -= Script Kiddies: How to be one, and be loathed by your peers =-

                                -= By Grifter =-
                        -= grifter@staticdischarge.com =-
                          
                           -= http://www.2600slc.org =-
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

§ Introduction

I would like to state at this time that the term "peers" in the title of this text is used
very loosely.  I put this together rather quickly and it may have errors, I have had 7
hours of sleep in the last 72 hours, so give me a break.  If you find an error, e-mail me
and I'll fix it. 
Most of the website defacements, trojan horses, and general cracks are carried out not by
real hackers, but by people who have stumbled upon the hacker community,  fallen into IRC
and made themselves a funny name to call their own.  They've seen WarGames, Sneakers, or
Hackers and believe that this is what it's really like, and they want to be part of it. 
Besides, their friends will think they're really kool.  We call these people Script Kiddies,
and you can be one too.

§ What is a Script Kiddie?

I could probably go on and on for hours on what a script kiddie is and what they do.  But,
the way I see it is, if you've found this site, then you probably know what it is,
hell...you might even be one.  Just to be on the safe side though, the basic definition of
a script kiddie is "someone with limited, if any, skill in the arts of hacking; known to
use other peoples' hard work in order to exploit as many machines as they can in order to
feel better about themselves and pretend to be elite".  Okay, so I made that up, but that's
the way I see it.  If you fit this category but want to make sure you're doing everything
right, then read on.  If not, read on anyway, I didn't write this for my health.

§ Footprinting

Now I know this seems an odd thing to put in since most kiddies will just scan for the
latest vulnerabilities, but we'll pretend that you have someone in mind and actually
thought ahead.  You've got to make sure you know what you're getting into.  It wastes
an awful lot of time if you go through NT exploit after NT exploit for hours on end if
the machine you are attacking is running Slackware.  So know the OS and what exploits
are available to you.  Also, make sure you check to see what services are running on
the system, it's these services that you will be exploiting.

You can find this information easily; here are a few ways.

Daemon Banners - When you telnet to a port running a certain service it will usually greet
you with something that looks like this...
220 targethost.org ESMTP Sendmail 8.9.1 (1.1.20.3/17Jun01-0239AM) Sun, 17 Jun 2001 03:22:36 +0530
Okay, what this tells us is that the system is running Sendmail version 8.9.1, now you just
need to find an exploit for this version of Sendmail.  Bear in mind that an admin can make
the greeting say whatever he likes, so treat a banner as a hint and confirm it another way.

Port Scanning - Very simple, you put in a hostname or IP and it will find any open ports
and sometimes return information about the service behind each one, such as the program
name and version number.  Try nmap (its -sV option does the version probing for you).

Using your Browser - If you're targeting targethost.org then go to their website and go to a
link you know does not exist, like... http://www.targethost.org/this-should-work.html.
The error page you get back, and the Server header that comes with it, often name the type
of web server and what version is running.
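
Here is an added example, mine rather than part of Grifter's original text, of doing the
banner and error-page checks above from a script instead of by hand.  It parses a Sendmail
greeting and an Apache 404 response that are both constructed for this example (neither was
captured from a real host), and the two grab_* functions at the end do the actual network
round trip against a host of your choosing.  Those two need a live target and are the only
part that does not run offline.

```python
import re
import socket
from typing import Optional

# Constructed sample banner, modelled on the Sendmail greeting quoted in the text.
SAMPLE_SMTP_BANNER = (
    "220 targethost.org ESMTP Sendmail 8.9.1 (1.1.20.3/17Jun01-0239AM) "
    "Sun, 17 Jun 2001 03:22:36 +0530\r\n"
)

# Constructed HTTP response to a request for a page that does not exist.
SAMPLE_HTTP_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Date: Sun, 17 Jun 2001 03:25:10 GMT\r\n"
    "Server: Apache/1.3.19 (Unix) mod_ssl/2.8.1 OpenSSL/0.9.6\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><h1>Not Found</h1></body></html>\r\n"
)

# 220 greeting: "<code> <hostname> [ESMTP] <daemon> <version> ...".
SMTP_BANNER_RE = re.compile(
    r"^220[ -](?P<host>\S+)\s+(?:ESMTP\s+)?(?P<software>[A-Za-z][\w.-]*)\s+(?P<version>\d[\w.]*)"
)


def parse_smtp_banner(banner: str) -> Optional[dict]:
    """Pull hostname, daemon name and version out of an SMTP 220 greeting; None if it is not one."""
    m = SMTP_BANNER_RE.match(banner.strip())
    return m.groupdict() if m else None


def parse_http_server_header(raw_response: str) -> dict:
    """Return the status line and the Server header (if any) from a raw HTTP response."""
    head, _, _ = raw_response.partition("\r\n\r\n")
    lines = head.split("\r\n")
    result = {"status": lines[0], "server": None}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            result["server"] = value.strip()
            break
    return result


def grab_banner(host: str, port: int, timeout: float = 5.0) -> str:
    """Connect to a TCP port and return whatever the daemon says first (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(1024).decode("latin-1", errors="replace")


def grab_http_404(host: str, port: int = 80, timeout: float = 5.0) -> str:
    """Ask for a page that should not exist and return the raw response (needs network access)."""
    request = f"GET /this-should-work.html HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("latin-1", errors="replace")


if __name__ == "__main__":
    print(parse_smtp_banner(SAMPLE_SMTP_BANNER))
    print(parse_http_server_header(SAMPLE_HTTP_404))
```

Run it as-is to see the parsed fields from the two constructed samples; to feed it real input,
point grab_banner(host, 25) or grab_http_404(host) at a machine you are allowed to poke and
pass the result to the matching parse_* function.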

§ Obtaining your Tools

Once you find out what OS is running on your target machine you can go ahead and look
for the tools you're going to need to do whatever it is you plan to do with this system.
There are a ridiculous number of sites out there that have exploits for every operating
system you could possibly think of.  The most popular being:

http://packetstorm.securify.com
http://www.securityfocus.com

Once you've jumped onto one of these sites you'll be flooded with terms like...advisories,
texts, and exploits.  Let me explain what you're looking at and what you're looking for.
An advisory is basically a technical document that describes a hole in a particular piece
of software: which versions are affected, what an attacker can do with it, and how to go
about fixing it.  Texts are basically details about the exploit, and what you need to do
to exploit it.  Exploits are what you're looking for.  While I highly recommend reading
the advisories and texts so that you can have a better understanding of the actual hole,
you are after all a script kiddie, so I'm not going to hold my breath.  Exploits are actual
code, a.k.a. scripts, that once compiled will do all of the work for you; they are written
by real hackers and at times by the person who found the hole to begin with.  Go ahead and
download the exploits you need.  I would once again recommend reading the source, but
forget that, just compile it.

§ Once you're in

Wow look at you, you got in.  You must be super elite.  I hope you're prepared for all the
news reports about you and all of the people who are going to want to be your friend now
that they know you can hack.  Damn hacking is kool!!

Okay, so you're in, and look at you, not only did you get in, but that little program you
ran got you root access on the system (that means you control it).  Good for you.  Now
what do you do?  Well now it's time to cover your ass.  By this I mean it's time for you
to make sure you don't end up on the 10 o'clock news. 

Make sure you are alone.  Use the "who" (or "w") command and "ps aux" so you know who is
logged in and what processes are running.  Hell, you could have tried "finger @blahblah.com"
before ever getting in, but nobody really runs finger anymore.

Time to erase all traces that you were even there.  You can do this one of two ways..

1) Edit the logs by hand.  You're looking for what syslog (the system logger) and klog (the
kernel logger) wrote under /var/log, usually messages, secure, and friends, and don't forget
the login records in utmp, wtmp, and lastlog, which are binary files that a text editor will
wreck rather than clean.  You can either change the logs so that what you did looked like
actual users going about their business or you can delete the entries in the log that
pertain to you.  Whatever you do, DO NOT delete the entire log files, this will tip the
admin off that there is/was someone in his system and he'll go over his system with a fine
toothed comb to make sure you don't get in again, or worse, he'll wait for you to log in
again and track you down, so you'll spend some time with Bubba.  And if syslog is also
sending copies to another machine, nothing you do to the local files will help you.

2) Use a rootkit.  That's right, you're lazy as hell so here's something that will clean
the logs for you, and if you find a nice one, leave a backdoor.  You're limited on your
source of rootkits though, so you're better off just learning to edit logs.
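
An added example (mine again, not from the original) of why the "don't just delete the whole
log" advice cuts both ways.  It takes a constructed syslog excerpt, applies the lazy by-hand
edit of dropping every line that mentions the intruder's IP address, and then runs the three
consistency checks an admin might run over the result: timestamps running backwards, an sshd
session opened with no matching "Accepted" line, and a session closed that was never opened.
The host name, PIDs, addresses and users are all invented for the example.

```python
import re
from datetime import datetime

# Constructed syslog excerpt (not from any real host). sshd[1217] is the intruder's
# root login from 203.0.113.9; the other entries are ordinary activity.
INTACT_LOG = """\
Jun 17 03:10:02 targethost sshd[1201]: Accepted password for bob from 10.0.0.5 port 51234 ssh2
Jun 17 03:10:02 targethost sshd[1201]: pam_unix(sshd:session): session opened for user bob by (uid=0)
Jun 17 03:15:01 targethost CRON[1210]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 17 03:15:01 targethost CRON[1210]: pam_unix(cron:session): session closed for user root
Jun 17 03:18:40 targethost sshd[1201]: pam_unix(sshd:session): session closed for user bob
Jun 17 03:29:10 targethost sshd[1217]: Accepted password for root from 203.0.113.9 port 40122 ssh2
Jun 17 03:29:10 targethost sshd[1217]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jun 17 03:29:55 targethost sshd[1217]: pam_unix(sshd:session): session closed for user root
Jun 17 03:30:01 targethost CRON[1230]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 17 03:30:01 targethost CRON[1230]: pam_unix(cron:session): session closed for user root
"""


def drop_lines_mentioning(text, needle):
    """The 'delete the entries that pertain to you' step: remove every line containing needle."""
    return "".join(line + "\n" for line in text.splitlines() if needle not in line)


# What the log looks like after the intruder greps out their own IP address.
SCRUBBED_LOG = drop_lines_mentioning(INTACT_LOG, "203.0.113.9")

# Traditional syslog line: "<Mon dd HH:MM:SS> <host> <prog>[<pid>]: <message>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w/.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)


def parse_syslog(text):
    """Split syslog lines into fields; lines that do not match the pattern are skipped."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["lineno"] = lineno
            e["ts"] = datetime.strptime(e["ts"], "%b %d %H:%M:%S")
            entries.append(e)
    return entries


def find_tampering(text):
    """Return findings that suggest lines were removed or reordered.

    Three consistency rules: timestamps must not run backwards, an sshd
    'session opened' needs a preceding 'Accepted' line for the same PID, and
    a 'session closed' needs a preceding 'session opened' for the same PID.
    """
    findings = []
    authenticated = set()   # (prog, pid) pairs that logged an Accepted line
    opened = set()          # (prog, pid) pairs with a session currently open
    last_ts = None
    for e in parse_syslog(text):
        key = (e["prog"], e["pid"])
        tag = f"{e['prog']}[{e['pid']}]"
        if last_ts is not None and e["ts"] < last_ts:
            findings.append(f"line {e['lineno']}: timestamp runs backwards")
        last_ts = e["ts"]
        msg = e["msg"]
        if msg.startswith("Accepted "):
            authenticated.add(key)
        elif "session opened" in msg:
            if e["prog"] == "sshd" and key not in authenticated:
                findings.append(f"line {e['lineno']}: {tag} opened a session with no Accepted line")
            opened.add(key)
        elif "session closed" in msg:
            if key not in opened:
                findings.append(f"line {e['lineno']}: {tag} closed a session that was never opened")
            opened.discard(key)
    return findings


if __name__ == "__main__":
    print("intact log:  ", find_tampering(INTACT_LOG))
    print("scrubbed log:", find_tampering(SCRUBBED_LOG))
```

The intact log passes clean; the scrubbed one trips the second rule, because grepping out
the IP removed the "Accepted password for root" line but left the pam "session opened" for
the same sshd PID sitting right there.  The rules are deliberately simple and only see what
the local file still contains; against a syslog host that keeps its own copy they are
unnecessary, since the admin can just diff the two.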

§ Maintaining Access

Well, now that you're in and you have a new toy, you certainly don't want it to be taken
away.  What you have to do now is find a way to maintain access to the system.  Once again
there are several ways you can do this.

1) Add yourself as a user on the system using "adduser".  You could edit the password file
from here and set your uid to 0, but that's about the most obvious backdoor there is, and
an admin is bound to notice someone else trying to play god.

2) Trojan a daemon, by replacing its binary with one that looks normal but hands you a root
shell.  You run the risk of having this found because the size and date of the file will
change, and a checksum against a known-good copy will give it away even if you fake those.

3) Use rlogin.  rlogin will let you log in remotely to a system without a password, as long
as the account's .rhosts (or the system's hosts.equiv) trusts where you are coming from.
For example, using...
rlogin cheech will log you into your remote account on the system named cheech.

You can add as many backdoors as you like, but try to remember that the more you add,
the more chances there are of the admin finding one and locking you out.
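
An added example, not from the original text, of the checks the admin the text keeps warning
about would run to find each of the three backdoors above: spare uid 0 accounts in the
password file, wildcard trust in .rhosts, and daemons whose contents no longer match a
known-good hash.  The passwd and .rhosts contents are constructed for the example, and the
daemon paths in the demo at the bottom are assumed.

```python
import hashlib
from pathlib import Path

# Constructed /etc/passwd contents (not from any real system). "toor" is the
# account from the text: added with adduser, then hand-edited to uid 0.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
bob:x:1000:1000:Bob:/home/bob:/bin/bash
toor:x:0:0::/home/toor:/bin/bash
"""

# Constructed ~/.rhosts. "+ +" trusts every user on every host, which is what
# turns rlogin into a password-free back door.
SAMPLE_RHOSTS = """\
cheech bob
+ +
"""


def extra_uid0_accounts(passwd_text):
    """Names of accounts with uid 0 other than root (someone else playing god)."""
    names = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            names.append(fields[0])
    return names


def wildcard_rhosts_entries(rhosts_text):
    """.rhosts / hosts.equiv lines where a bare '+' stands in for the host or the user."""
    return [line for line in rhosts_text.splitlines() if "+" in line.split()]


def sha256_of_file(path):
    """Hex SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root, relative_paths):
    """Current {relative path: sha256} for the given files under root; missing files map to None."""
    current = {}
    for rel in relative_paths:
        p = Path(root) / rel
        current[rel] = sha256_of_file(p) if p.is_file() else None
    return current


def changed_entries(baseline, current):
    """Paths whose hash differs from the baseline, including files that vanished.

    Unlike the size/date check the text mentions, a content hash still catches a
    trojaned daemon whose timestamps were reset and whose size was padded to match.
    """
    return sorted(rel for rel, expected in baseline.items() if current.get(rel) != expected)


if __name__ == "__main__":
    print("extra uid 0 accounts:", extra_uid0_accounts(SAMPLE_PASSWD))
    print("wildcard rhosts lines:", wildcard_rhosts_entries(SAMPLE_RHOSTS))
    # Assumed daemon paths for the demo; a real baseline comes from known-good media
    # and lives somewhere the intruder cannot rewrite it.
    daemons = ["bin/login", "usr/sbin/sshd", "usr/sbin/in.telnetd"]
    baseline = hash_tree("/", daemons)
    print("changed since baseline:", changed_entries(baseline, hash_tree("/", daemons)))
```

The hash comparison is only as good as where the baseline is kept: a baseline stored on the
same box, writable by root, is exactly what the rootkit from the previous section will fix
up for you.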

§ What now?

You have access to this machine and if you're lucky, total control over it.  Now you can
do really kool things like running IRC bots or mail bombing people you hate.  Hell, you
can even use this machine to launch attacks on other machines, thereby making yourself
harder to catch.  Now go to your local 2600 meeting and show off your skills, you should
be feared, and everyone will know this, especially since you reserved a room for DefCon.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
© 2600SLC.ORG 2001
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-