Beginner's Guide To Hacking On Mac OS X

Greetings,

I decided to write this because after looking for hours on the web, the only hacking articles I found were either written by complete dumb asses or were from 10 years ago. Lemme tell you folks, the Ping O' Death doesn't work anymore. :) Anyway, I decided to take everything I had learned from those articles and compile it into one massive article. This isn't something I did in 5 minutes by cutting & pasting 5 million hacker articles, but I did cut and paste a couple of choice paragraphs that I felt were appropriate.

This guide will cover things such as: cracking passwords, the hacker attitude, programming resources, links to hacker forums, basic hacker skills, and much more. I will also start by teaching you what it means to be a hacker and how you should associate yourself with other hackers. By doing this, I am not trying to say that everyone who reads this is a brain-dead baboon or that you don't have any manners. There is just a certain way of presenting yourself that, if done correctly, will help you in the long run. Now, let us begin.

The Hacker Lifestyle:

If you are new to the whole hacking scene, then you probably aren't familiar with the hacker culture. It is an extremely interesting place, if you know the right people and aren't misguided by other newbs fighting their way to the top. If you never have, read the article called "The Mentor's Last Words." It is on the front page of my site, www.phreakforums.net. A lot of people don't like that article. They have either heard it a thousand times or they think it is "Commie Bullshit." Whatever you might think, it was one of the first hacking articles I ever read and no matter how many times I read it, it always inspires me. For those of you who have seen the movie "Hackers," you may recognize part of this. It was written right before the (now famous) hacker, The Mentor, got raided by the Secret Service and arrested. Anyway, just read it.
You'll either like it or you won't, but it is worth a good read through. Now then, if you actually read that part and aren't just skipping down to this now, you should feel all inspired. Well, congratulations. Hacking is all about motivation. Artists don't paint pictures just for the money (ever heard of starving artists?); they do it because it is something they love. Athletes play sports because kicking that soccer ball, or shooting that basketball, or hitting that puck, or whatever, gives them a rush that no drug can emulate. Hackers are the same way. We get our thrills from computers. Whether you decide to hack the Pentagon (something I do NOT advise attempting) or just stick to writing programs, you will always get some sort of thrill out of it. If you don't, then stop reading right now and close this document. Without motivation, hacking will be like a job, and it will be 10x harder to learn because it isn't something you really care about. Now then, let us move on to "The Hacker Attitude."

The Hacker Attitude:

Hacking with the wrong attitude won't work. Dealing with other hackers with the wrong attitude REALLY won't work. The hacker attitude is all about determination. Who cares if you have never even opened Terminal (/Applications/Utilities/); you can accomplish whatever you want as long as you have the determination. OK... so you can't hack into other computers if you have never opened Terminal, but if you have the ambition, then there is no reason why you can't learn. I will get into some Terminal basics later on.

I strongly recommend reading the book Hex by Rhiannon Lassiter. There are also two sequels, Hex: Shadows and Hex: Ghosts. I'll give a little background in case you don't rush out and buy these: the scene is set in 2330 (or something like that... really far in the future anyway). There is a sub-strain of humans who have a genetically altered brain and can "tap" into computers, making them super hackers.
Anyway, the reason for mentioning this series of books is that the character Raven displays a flawless hacker attitude. She shows strong determination. You don't have to give up your social life to be a hacker. You don't have to dump your girl/boyfriend, but it helps :). Those things will only get in the way of your learning. But if you want to do something that drastic, it is up to you. You don't have to at all; hell, I still have a good social life. It's just that those things will constantly distract you during your learning process.

To become a hacker, you will want to always remember the following things (kind of the 5 commandments of hacking):

- The world is full of fascinating problems waiting to be solved.
- No problem should ever have to be solved twice.
- Boredom and drudgery are evil.
- Freedom is good.
- Attitude is no substitute for competence.

Being a hacker is lots of fun, but it's a kind of fun that takes lots of effort. The effort takes motivation. Successful athletes get their motivation from a kind of physical delight in making their bodies perform, in pushing themselves past their own physical limits. Similarly, to be a hacker you have to get a basic thrill from solving problems, sharpening your skills, and exercising your intelligence. If you aren't the kind of person that feels this way naturally, you'll need to become one in order to make it as a hacker. Otherwise you'll find your hacking energy is sapped by distractions like sex, money, and social approval. (You also have to develop a kind of faith in your own learning capacity - a belief that even though you may not know all of what you need to solve a problem, if you tackle just a piece of it and learn from that, you'll learn enough to solve the next piece - and so on, until you're done.)

Creative brains are a valuable, limited resource. They shouldn't be wasted on re-inventing the wheel when there are so many fascinating new problems waiting out there.
To behave like a hacker, you have to believe that the thinking time of other hackers is precious - so much so that it's almost a moral duty for you to share information, solve problems and then give the solutions away just so other hackers can solve new problems instead of having to perpetually re-address old ones. (You don't have to believe that you're obligated to give all your creative product away, though the hackers that do are the ones that get most respect from other hackers. It's consistent with hacker values to sell enough of it to keep you in food and rent and computers. It's fine to use your hacking skills to support a family or even get rich, as long as you don't forget your loyalty to your art and your fellow hackers while doing it.)

Hackers (and creative people in general) should never be bored or have to drudge at stupid repetitive work, because when this happens it means they aren't doing what only they can do - solve new problems. This wastefulness hurts everybody. Therefore boredom and drudgery are not just unpleasant but actually evil. To behave like a hacker, you have to believe this enough to want to automate away the boring bits as much as possible, not just for yourself but for everybody else (especially other hackers). (There is one apparent exception to this. Hackers will sometimes do things that may seem repetitive or boring to an observer as a mind-clearing exercise, or in order to acquire a skill or have some particular kind of experience you can't have otherwise. But this is by choice - nobody who can think should ever be forced into a situation that bores them.)

Hackers are naturally anti-authoritarian. Anyone who can give you orders can stop you from solving whatever problem you're being fascinated by - and, given the way authoritarian minds work, will generally find some appallingly stupid reason to do so. So the authoritarian attitude has to be fought wherever you find it, lest it smother you and other hackers.
(This isn't the same as fighting all authority. Children need to be guided and criminals restrained. A hacker may agree to accept some kinds of authority in order to get something he wants more than the time he spends following orders. But that's a limited, conscious bargain; the kind of personal surrender authoritarians want is not on offer.)

Authoritarians thrive on censorship and secrecy. And they distrust voluntary cooperation and information-sharing - they only like 'cooperation' that they control. So to behave like a hacker, you have to develop an instinctive hostility to censorship, secrecy, and the use of force or deception to compel responsible adults. And you have to be willing to act on that belief.

To be a hacker, you have to develop some of these attitudes. But copping an attitude alone won't make you a hacker, any more than it will make you a champion athlete or a rock star. Becoming a hacker will take intelligence, practice, dedication, and hard work. Therefore, you have to learn to distrust attitude and respect competence of every kind. Hackers won't let posers waste their time, but they worship competence - especially competence at hacking, but competence at anything is good. Competence at demanding skills that few can master is especially good, and competence at demanding skills that involve mental acuteness, craft, and concentration is best. If you revere competence, you'll enjoy developing it in yourself - the hard work and dedication will become a kind of intense play rather than drudgery. That attitude is vital to becoming a hacker.

Now then, enough lecturing. If you actually read through all that, then I applaud you. It is a lot of information to take in at once and can really get you thinking. Now, let's move on to some basic hacking skills.

Learn How To Program:

This, of course, is the fundamental hacking skill. If you don't know any computer languages, I recommend starting with Python.
It is cleanly designed, well documented, and relatively kind to beginners. Despite being a good first language, it is not just a toy; it is very powerful and flexible and well suited for large projects. I have written a more detailed evaluation of Python. Good tutorials are available at the Python web site.

Java is also a good language for learning to program in. It is more difficult than Python, but produces faster code than Python. I think it makes an excellent second language. Unfortunately, Sun's reference implementation is still proprietary. This is not so much an issue with the Java language itself, as high-quality open-source Java interpreters are readily available; the real problem is the class libraries that travel with the language. The open-source class libraries lag behind Sun's. So, if you do choose to learn Java, do it with one of the open-source implementations rather than becoming dependent on Sun's proprietary code.

But be aware that you won't reach the skill level of a hacker or even merely a programmer if you only know one or two languages - you need to learn how to think about programming problems in a general way, independent of any one language. To be a real hacker, you need to get to the point where you can learn a new language in days by relating what's in the manual to what you already know. This means you should learn several very different languages.

If you get into serious programming, you will have to learn C, the core language of Unix. C++ is very closely related to C; if you know one, learning the other will not be difficult. Neither language is a good one to try learning as your first, however. And, actually, the more you can avoid programming in C the more productive you will be. C is very efficient, and very sparing of your machine's resources. Unfortunately, C gets that efficiency by requiring you to do a lot of low-level management of resources (like memory) by hand.
All that low-level code is complex and bug-prone, and will soak up huge amounts of your time on debugging. With today's machines as powerful as they are, this is usually a bad tradeoff - it's smarter to use a language that uses the machine's time less efficiently, but your time much more efficiently. Thus, Python.

Other languages of particular importance to hackers include Perl and LISP. Perl is worth learning for practical reasons; it's very widely used for active web pages and system administration, so that even if you never write Perl you should learn to read it. Many people use Perl in the way I suggest you should use Python, to avoid C programming on jobs that don't require C's machine efficiency. You will need to be able to understand their code. LISP is worth learning for a different reason - the profound enlightenment experience you will have when you finally get it. That experience will make you a better programmer for the rest of your days, even if you never actually use LISP itself a lot. (You can get some beginning experience with LISP fairly easily by writing and modifying editing modes for the Emacs text editor.)

It's best, actually, to learn all five of Python, C/C++, Java, Perl, and LISP. Besides being the most important hacking languages, they represent very different approaches to programming, and each will educate you in valuable ways.

I can't give complete instructions on how to learn to program here - it's a complex skill. But I can tell you that books and courses won't do it (many, maybe most of the best hackers are self-taught). You can learn language features - bits of knowledge - from books, but the mind-set that makes that knowledge into living skill can be learned only by practice and apprenticeship. What will do it is (a) reading code and (b) writing code. Learning to program is like learning to write good natural language.
The best way to do it is to read some stuff written by masters of the form, write some things yourself, read a lot more, write a little more, read a lot more, write some more ... and repeat until your writing begins to develop the kind of strength and economy you see in your models. Finding good code to read used to be hard, because there were few large programs available in source for fledgling hackers to read and tinker with. This has changed dramatically; open-source software, programming tools, and operating systems (all built by hackers) are now widely available.

Using UNIX:

Since I wrote this specifically for the Mac Underground users, those reading this are probably running OS X. If so, then you already have Terminal (/Applications/Utilities/) and you don't need to waste time installing a *NIX distro. If you are reading this and only have Windows, I strongly recommend getting Linux. You will be glad you did. And, yes, you can run Linux and MS Windows on the same machine.

Unix is the operating system of the Internet. While you can learn to use the Internet without knowing Unix, you can't be an Internet hacker without understanding Unix. For this reason, the hacker culture today is pretty strongly Unix-centered. (This wasn't always true, and some old-time hackers still aren't happy about it, but the symbiosis between Unix and the Internet has become strong enough that even Microsoft's muscle doesn't seem able to seriously dent it.)

Let's have some fun with Terminal, shall we? Here is a list of some basic commands:

$ less (view a text file and have the option to scroll through it slowly; also has search commands like vi)
$ more (same as less but with fewer features)
$ cat (same as less but just spits out the whole file without stopping)
$ vi (text editor... I use vi all day long)
$ ssh (enough said)
$ ifconfig (see status of network information)
$ top (see what processes are using the most resources; get uptime, load, and other useful info)
$ netstat -rn (get routing table info)
$ netstat -atuvp (look at port status, i.e. see what ports are listening, established connections, etc.)
$ passwd (change your password)
$ w (see who's logged in and what they are doing)
$ stty erase ^? (make your backspace key work as delete)
$ ls (same as "dir". You can even alias ls to dir if you are in the habit of typing dir)
$ cd (change directory)
$ rm (delete a file)
$ mv (rename a file/dir or move it to a new location)
$ tar -cvf (create a tar archive)
$ tar -xvf (extract a tar file)
$ locate (find a file)
$ find . -name foo (find a file called foo starting in the directory you are in)
$ apropos (find a command when you aren't sure exactly what it is you need)
$ env (see what variables are set for your environment)
$ export (set an environment variable... at least in bash)
$ ps -auxgww (see what processes are running and their status)
$ kill (kill a process)
$ su (switch user)
$ exit (log off/close terminal... ctrl+x does the same)
$ id (find out groups/gid and uid of a user)
$ df -h (report filesystem disk usage)
$ pwd (print working directory)
$ mkdir (create a directory)
$ chown (change ownership of a file/dir)
$ chmod (change permissions of a file/dir)
$ chsh (change shells)
$ telnet (used mostly to check whether a port on a remote box is listening, e.g. "telnet mailserver.foo.com 25")
$ finger (find out detailed information on a user)
$ crontab -l (list jobs in your crontab)
$ ldd (see what libraries a file is compiled against)
$ echo $? (see the exit status of the last command)
$ grep (search files for matching strings)
$ apropos netinfo (get all the commands you can use to play with NetInfo)

and of course, the obligatory:

$ nidump passwd . (prints the passwd file with user accounts and encrypted passwords to stdout)

$ fink (package manager; from fink -h, the common commands are:)

install - install/update the named packages
remove - remove the named packages
purge - same as remove but also removes all configuration files
update - update the named packages
selfupdate - upgrade fink to the latest release
update-all - update all installed packages
configure - rerun the configuration process
list - list available packages, optionally filtering by name; see 'fink list --help' for more options
apropos - list packages matching a search keyword
describe - display a detailed description of the named packages
index - force rebuild of package cache

Let's Get Hacking:

Now that we know some Terminal commands, we can try out some minor stuff on our own computers. But what if we want to... oh, I dunno, try them out on someone else's computer? :D Well, to start, you need to find computers that have vulnerabilities. Computers have what are called ports. These ports send and receive packets of information which are then reassembled and displayed as a whole on your computer. The problem with this is, while these ports are busily working, they leave themselves open to attack. All it takes is someone to go to the port and get around security to be able to take over the whole computer.

If you're having trouble understanding this, here is a mental picture for you: imagine you go to a bar. The bar is the computer. People are walking in and out of the bar. When they go in, they get drinks. Sometimes people are causing a disturbance in the bar. It is then the job of the bouncer to remove that person. Also, sometimes people will try to get in the bar when they aren't supposed to. If they are successful, they will get in the bar unnoticed. Otherwise, the bouncer will catch them and throw them out. Now then, the bar is the computer. The people going in and out are the packets that the computer receives and sends. The door leading into the bar is the port.
The bouncer is the firewall and the authorization dialog you get when you try to go into the "bar." If you try to sneak into the bar, the bouncer will throw you out. This is exactly what firewalls do. They monitor the ports and "throw out" any packets that shouldn't be there. But some bars (computers) don't have bouncers (firewalls). The door is just totally clear and people (packets) can walk in and out as they please. The problem is that there aren't that many computers like this and they are hard to find. Thus, we have port scanners. Port scanners are applications that scan computers and see what ports they have open (so it is like a bar with more than one entrance). These scanners will find computers that are open, allowing you to connect to them.

So, I assume you all know what an IP address is. No? OK. Well, IP stands for Internet Protocol. Whenever you connect to the internet, your ISP (Internet Service Provider) receives a request from your computer basically saying "Lemme on the internet!" So then the server at your ISP verifies your IP address and then allows you to access the internet through their servers. Of course, this entire process only takes a matter of seconds to complete, so you don't really know what's going on.

So now that we understand IP addresses, we need to download a port scanner. There are some good ones on http://undergroundmac.com under Hacking. Once you have found an open computer, you will want to connect. You use different terminal commands depending on which ports are open. Here is a short list of the most common ports:

20 - FTP
21 - FTP
22 - SSH
23 - Telnet
25 - Mail
80 - HTTP
548 - AFP

Now, to connect you would do the following:

20 & 21: Type "ftp the.host.ip.address"
22: Type "ssh the.host.ip.address"
23: Type "telnet the.host.ip.address"
25: Type "telnet the.host.ip.address 25"
80: Type "telnet the.host.ip.address 80"
548: I will explain in a minute.

You may have noticed that I used Telnet more than once.
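The defensive counterpart of the port table above is knowing which of those doors are open on your own Mac before anyone else looks. This added example (mine, not part of the original guide) parses the output of `netstat -an` in the BSD format OS X prints, where the local address is written as address.port (so `*.548` means port 548 on every interface), and reports the listeners reachable from the network, labelled with the service names from the table above. The sample output is constructed for the example, not captured from a real machine. Note that the Linux-style `netstat -atuvp` in the command list earlier is not accepted by OS X's BSD netstat, where `-p` takes a protocol name; `netstat -an` works on both.

```python
"""Audit which TCP ports a Mac is listening on, from `netstat -an` output."""

# Port -> service table from the guide above; anything else is reported as "unknown"
SERVICE_BY_PORT = {20: "FTP", 21: "FTP", 22: "SSH", 23: "Telnet", 25: "Mail", 80: "HTTP", 548: "AFP"}

# Constructed sample in the BSD/OS X format (local and foreign addresses are written addr.port).
# Not captured from a real machine; the addresses are documentation ranges.
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.0.2.10.49321       198.51.100.7.80        ESTABLISHED
tcp4       0      0  *.548                  *.*                    LISTEN
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
tcp46      0      0  *.22                   *.*                    LISTEN
tcp4       0      0  *.5900                 *.*                    LISTEN
udp4       0      0  *.5353                 *.*
"""


def split_local_address(field):
    """'*.548' -> ('*', 548); '127.0.0.1.631' -> ('127.0.0.1', 631).
    BSD netstat separates the port from the address with a dot, so split on the last one."""
    addr, _, port = field.rpartition(".")
    return addr, int(port)


def parse_listeners(text):
    """Return (proto, bound_address, port) for each TCP socket in LISTEN state."""
    listeners = []
    for line in text.splitlines():
        cols = line.split()
        # Header lines, UDP sockets (no state column) and non-listening sockets are skipped
        if len(cols) < 6 or not cols[0].startswith("tcp") or cols[5] != "LISTEN":
            continue
        addr, port = split_local_address(cols[3])
        listeners.append((cols[0], addr, port))
    return listeners


def exposed_services(text):
    """Listeners bound to every interface ('*'): the doors open to the network,
    not just to the machine itself. Returns sorted (port, service) pairs."""
    exposed = set()
    for _proto, addr, port in parse_listeners(text):
        if addr == "*":
            exposed.add((port, SERVICE_BY_PORT.get(port, "unknown")))
    return sorted(exposed)


def report(text):
    """Human-readable summary; loopback-only listeners are noted separately."""
    lines = []
    for port, service in exposed_services(text):
        lines.append(f"port {port:>5}  {service:<8} reachable from the network")
    for _proto, addr, port in parse_listeners(text):
        if addr != "*":
            lines.append(f"port {port:>5}  bound to {addr} only (local)")
    return "\n".join(lines)


if __name__ == "__main__":
    # On a real Mac: netstat -an | python3 audit.py   (the constructed sample is used otherwise)
    import sys
    print(report(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT))
```

Anything the report lists as reachable from the network is what a scanner on the other side of the bar door would see; the CUPS listener on 127.0.0.1 in the sample is not, because the bouncer never has to deal with it.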
Telnet can actually be used to connect to any port, but the common ports (20, 21, 22) have their own commands which you can also use. The way telnet works is you type "telnet the.host.ip.address portNumber", where the.host.ip.address is the IP of the target and portNumber is the port number of the computer you are connecting to. So, for example, I could do "ssh the.host.ip.address", which by default will use port 22. But I could also use "telnet the.host.ip.address 22." If you don't type a port number after the.host.ip.address in telnet, it will default to port 23.

NOTE: I feel I need to say that Telnet and ssh are actually different things. They connect to the target in different ways; but, for the purposes of this text, I will simply be using them as if they were the same thing. In personal experience, I find telnet is the easiest to get around.

AFP:

You can connect to a server through the AFP port (548) by hitting Apple-K on your keyboard or by going to Go->Connect To Server. There is a guide to hacking via AFP that I shall show you here:

How to find other Macs on the Internet
By: Dimbulb

Some port scanning software:

PortSniffer 2 (GUI for OS 9 or X)
http://software.theresistance.net/

Nmap (CLI) & NmapFE (GUI) for OS X
http://faktory.org/m/software/nmap/

Strobe (CLI) for OS X
http://macosx.forked.net/p/strobe-1.03.pkg.tgz
(NicCentral provides a GUI front-end for Strobe: http://www.stepwise.com/Software/NicCentral/index.html I haven't tried it though...)
HTTPScanner - identifies many Mac web servers (Darwin, OS X, OS 9)
http://www.davtri.com/freeware.html

Before you start scanning:

Take a look at the list of block registrations at http://www.flumps.org/ip/ and pay particular attention to which IP ranges you DON'T WANT TO SCAN, such as these:

6.x.x.x Army Information Systems Center - USAISC, Yuma Proving Ground, AZ (NET-YPG-NET)
7.x.x.x Defense Information Systems Agency, VA (NET-DISANET2)
11.x.x.x DoD Intel Information Systems, Defense Intelligence Agency, Washington DC (NET-DODIIS)
21.x.x.x US Defense Information Systems Agency (DDN-RVN), VA (NET-DDN-RVN)
22.x.x.x Defense Information Systems Agency, Washington DC (NET-DISNET)
26.x.x.x Defense Information Systems Agency, VA (NET-MILNET)
28.x.x.x ARPA DSI JPO, VA (NET-DSI-NORTH)
29.x.x.x Defense Information Systems Agency, Washington DC (NET-MILX25-TEMP)
30.x.x.x Defense Information Systems Agency, Washington DC (NET-ARPAX25-TEMP)
49.x.x.x Joint Tactical Command, Control, and Communications Agency, AZ (NET-JITCNET1)
50.x.x.x Joint Tactical Command, Control, and Communications Agency, AZ (NET-JITCNET2)
55.x.x.x Army National Guard Bureau, VA (NET-RCAS2)
56.x.x.x U.S. Postal Service, NC (NET-USPS1)

And don't bother scanning any of these; they are private ranges and won't route on the internet (you need PUBLIC IPs!):

192.168.x.x
172.16.x.x
10.x.x.x
127.x.x.x = loop-back; for instance, 127.0.0.1 is localhost - it's your own computer.
255.255.255.255 = broadcast on your own subnet

Start with your own IP

Browse to www.showmyip.com and copy your public IP address.

PortSniffer

Paste your IP into the starting address field, delete the last segment and replace it with ".1"; now replace the last TWO segments of the ending address with ".255.255" (remember that IP segments represent a byte, so they should never be greater than 255 in any segment). Enter 548 as the port number to scan for (this is the default port number for Apple File Sharing). Set the timeout... On a very fast connection a timeout of .6 will achieve results quickly but may skip over machines that are unable to respond quickly enough; for slower connections try a timeout of 3 (this also allows for a slower connection on the remote side or a slow response from a machine under heavy load such as a server). Just let PortSniffer run; you can save the results list later. You can open multiple windows to scan several ranges at a time (in parallel!) (If you have trouble saving the lists, scan 127.0.0.1 port 80, which is your own machine's web browser port, then save - sometimes the software needs a successful scan to allow saving!)

Want more power for your scans? Use NmapFE!

Paste your IP into the Host(s) field, delete the last segment and enter .1-255. Now uncheck the "Fast Scan" box, check the "Range of ports" box and enter 548 (again, the Apple File Sharing port). Click the "Scan" button. Nmap will tell you which IPs have port 548 closed, which are open and which are filtered (behind a router or firewall, for instance). It also gives you the hostname from a DNS lookup of the IP address. Now paste in the "Host(s)" field one IP that has port 548 open, uncheck the "Range of ports" box and check the "OS Detection" box. Click scan again. Impressive, isn't it?! Nmap just scanned the IP for ALL POSSIBLE PORTS. Position your mouse cursor over the various boxes and fields in NmapFE and it will tell you what they are.

Got a list of IPs and want to check if the systems are still up? STROBE will check them quickly!

Save your IP list as a text file with just the IPs, one per line. The file must have Unix "newline" endings (not Mac "return"s).
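Strobe reads the list exactly as written, so a mistyped octet or a leftover private address only wastes time. This added example (mine, not part of Dimbulb's guide) is a Python version of the checks the guide states in prose: it normalises Mac return, Windows CRLF and Unix newline endings, rejects any address with a segment above 255, drops the private, loopback and broadcast ranges listed above, and keeps only addresses inside the range you are responsible for (your own, as the guide says to start with), given as CIDR blocks. The address list and the scope are constructed for the example; the documentation addresses 192.0.2.x and 198.51.100.x stand in for public ones.

```python
import ipaddress

# The ranges the guide above says never to scan: RFC 1918 private space, loopback and the
# limited-broadcast address. Other blocks you must stay out of (the guide's longer list)
# belong in the same tuple.
EXCLUDED_NETWORKS = tuple(ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "255.255.255.255/32"))

# Constructed sample: a list saved on a Mac, so lines end in "\r". Documentation addresses
# (RFC 5737) stand in for public ones; the scope is the /24 the list's owner is responsible for.
SAMPLE_LIST = "192.0.2.17\r192.0.2.300\r10.1.2.3\r127.0.0.1\r255.255.255.255\r198.51.100.9\r 192.0.2.44 \r"
SAMPLE_SCOPE = ["192.0.2.0/24"]


def normalise_lines(raw):
    """Accept Mac (\\r), Windows (\\r\\n) or Unix (\\n) endings; the guide's tr step handles only \\r."""
    return raw.replace("\r\n", "\n").replace("\r", "\n").split("\n")


def classify(addr_text):
    """'invalid' if not a well-formed IPv4 address (a segment above 255 fails here),
    'excluded:<net>' if inside one of the non-routable ranges, else 'routable'."""
    try:
        ip = ipaddress.IPv4Address(addr_text)
    except ValueError:
        return "invalid"
    for net in EXCLUDED_NETWORKS:
        if ip in net:
            return "excluded:" + str(net)
    return "routable"


def in_scope_addresses(raw, scope_cidrs):
    """Return (kept, rejected): kept holds routable addresses inside the scope; rejected holds
    (line, reason) pairs so nothing disappears from the file silently."""
    scope = [ipaddress.ip_network(c) for c in scope_cidrs]
    kept, rejected = [], []
    for line in normalise_lines(raw):
        line = line.strip()
        if not line or line.startswith("#"):   # blank lines and comments
            continue
        label = classify(line)
        if label != "routable":
            rejected.append((line, label))
            continue
        if not any(ipaddress.IPv4Address(line) in net for net in scope):
            rejected.append((line, "out of scope"))
            continue
        kept.append(line)
    return kept, rejected


if __name__ == "__main__":
    kept, rejected = in_scope_addresses(SAMPLE_LIST, SAMPLE_SCOPE)
    print("in scope:", kept)
    for line, reason in rejected:
        print(f"dropped {line!r}: {reason}")
```

The rejected list is worth keeping next to the cleaned file: an address that lands in "excluded" or "out of scope" is usually a copy-paste slip, and seeing it is cheaper than explaining a scan you never meant to run.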
If you have MHW it includes a utility to do this for you - it's called M2U - or you can translate the line endings in the terminal like so:

Code:
tr "\r" "\n" < myipfile.txt > ipsforstrobe.txt

Now that your file has Unix line endings, tell Strobe to scan each IP for port 548, allow up to 9 seconds for the remote system to respond, and output a list of those that do respond in a text file called responses.txt. In the terminal type:

Code:
strobe -t 9 -p 548 -i ipsforstrobe.txt -o responses.txt

Now that you have some IPs with port 548 open, what can you do with them?

In OS X's Finder, pull down the Go menu on the menu bar and choose "Connect to server" (it's command-K on the keyboard). If you are using OS 9, go to the Chooser under the Apple menu, click AppleShare then "Enter Server IP Address". Enter one of the IP addresses from your list. Hopefully you will be asked to enter a user name and password. Is the "Guest" option greyed out? If not, select Guest and connect. Chances are you will be looking at the OS X usernames for that machine (or possibly folders or whole volumes that have been shared for guest access). Search the forums for information on AFPBrute if you want to know more about cracking the passwords for those user accounts.

Curious where a computer is located? Go here to see a map of its approximate location: http://www.geobutton.com/IpLocator.htm

What other ports could you scan? For port lists, browse to http://www.opendoor.com/doorstop/ports.html or in OS X's Terminal app type:

Code:
open /etc/services

Here are some particularly interesting ports for Macs:

21 FTP & 25 POP - search the forums for info on BrutalGift
22 SSH - you'll need a username and password for SSH, but it's a whole lot of fun.
80, 88, 1080, 8080 - if you find these ports open, try the IP in your browser (xxx.xxx.xxx.xxx:1080 for instance) and you might find that you are looking at a router configuration page.
Search the forums for default router passwords if you want to play with these; also run HTTPScanner to search just for web pages within a c-block.
407 Timbuktu - guess at the user name; it will let you know when the name is right... then you have to guess the password.
497 Dantz Retrospect - if you have the program you can try "configuring" a client by address and enter an IP that has port 497 open - see the client name appear in the list? Older versions of the client didn't force users to put in a password (and there are still some out there); newer versions do, although these passwords are frequently a weak link in the security chain. (Try backup or retro or the name or initials of the company at that IP address.) You can use it to copy pretty much anything from the remote computer (like its password hashes) or to PUT SOMETHING INTO the remote computer (like remote-control software or a keystroke recorder. Search the forums for more info on all these!)
5003 - FileMaker Pro; it's amazing how many databases have no password protection. They frequently list names of employees for the company at that IP address too, and very often those are the names you would need to connect over other ports like 548 AFP (extremely helpful when Guest access isn't on and you didn't get any account names).
5009 - AirPort base station; try running Apple's AirPort Admin Utility software and enter this IP as "other". Default password is "public".
5500 Hotline - this could be a Hotline server. Use Pitbull to try connecting.
5900 - VNC, similar to Timbuktu. Download Chicken of the VNC for OS X to try connecting. http://sourceforge.net/projects/cotvnc/
6700 Carracho - this is probably a Carracho server; head to http://www.carracho.com/ to get the software you'll need to connect.

What other ways could you get IP addresses of Macs?
Google search for things like intitle:"index of" ".DS_Store"

Check the logs on machines that you have access to - don't forget to look for Timbuktu & VNC logs; they show the IP addresses of other systems too (and the password that works on the system that the logs are in just might work on those IPs as well).

See this thread http://freaky.staticusers.net/ugboard/viewtopic.php?t=10997 for related information on obtaining an IP address for a specific target. (Some of the material applies, like gathering IPs from Carracho or Hotline servers, for instance.)

Once you get access to computers using the methods described above, you will want to get root access. Root is the most powerful user there is. From root, you can modify anything you want. To get root, you will have to crack the user's password. The following is a great article that taught me how to use JTR.

Cracking Unix Password Files:

OK, so a good way to get somewhere is to start getting somewhere... What you're about to learn is to crack *nix (Unix/Linux/etc.) password files. It does not mean that you need to have some Unix distribution on your box, but it means you'll have to stop clicking your ass off all around the screen... 'What is this fool trying to say', you'll probably ask... This fool is trying to say that john is a DOS program (there is also a Linux/Unix version, but I guess that most of the people that read this tutorial have Win boxes). I will try to put this tutorial through examples so it wouldn't look like a boring script with an incredible amount of switches. After reading this text it wouldn't be a bad idea to look at the texts you get with John. I learnt it all from there, but that, of course, was the hard way, and you want the easy way, right? Right.

First, it wouldn't be a bad idea to get yourself John the Ripper, I guess...
If you don't have it you can find it at:
1) packetstorm.securify.com (look at archives, password cracking)
2) neworder.box.sk (do some searching by yourself)
John can be found practically anywhere. For example: try going to altavista.com and running a search for 'john the ripper'.

Second thing you'll need is... a HUUUUGE amount of password dictionaries (I'll explain what these are in a minute). The best dictionary around is at www.theargon.com and packetstorm (look at the archives); it is called theargonlistserver1 and is about 20Mb packed and over 200Mb unpacked... get it!!!! The people at theargon did a terrific job. You should also get some smaller dictionary files (I'll explain why later).

2) Do we look like *nix?

So now you have john, loaded with that huuuuge pass dictionary, and you think that you can crack anything... If you plan to live for 100000 years, that wouldn't be a problem, but you only have some 80 years left in the best case scenario (unless, of course, scientists find a way to... oh, nevermind). Now, the first thing is that you have to make sure your password file really looks like a Unix password file (we're talking about the /etc/passwd file). Let's see what Unix pass files look like:

owner:Ejrt3EJUnh5Ms:510:102:Some free text:/home/subdir/owner:/bin/bash

The important part is the username and the encrypted password, which are the first and the second parts (each line is divided into seven parts by : symbols):

owner:Ejrt3EJUnh5Ms

Owner is the username and 'that other thing' is the crypted password (encrypted with altered DES (Data Encryption Standard) encryption). For the other part you can put anything that looks like that, but the structure must be the same so that john can recognize it as a Unix pass. In fact the other part

:510:102:Some free text:/home/subdir/owner:/bin/bash

is just some information about the user, his home directory, etc...
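As an added example (mine, not part of the tutorial quoted here), a small Python audit of the record format just described: it splits the seven colon-separated fields, classifies what the password field holds, and flags the entries a hardening review would want to look at. It also accepts the bare two-field name:hash form that some web-board exports produce. The sample records are constructed; the hash string is the tutorial's own example value, not a real hash from any system.

```python
"""Audit /etc/passwd-style records (added example; not part of the quoted tutorial).

A record has seven colon-separated fields: name:password:uid:gid:gecos:home:shell
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input for this example: the tutorial's example record, a
# shadowed account, an account with an empty password field, and one bare
# "name:hash" line of the two-field kind some web-board scripts export.
SAMPLE_PASSWD = """\
owner:Ejrt3EJUnh5Ms:510:102:Some free text:/home/subdir/owner:/bin/bash
alice:*:511:102:Alice:/home/alice:/bin/sh
guest::512:102:Guest account:/home/guest:/bin/sh
webuser:Ejrt3EJUnh5Ms
"""


@dataclass
class PasswdEntry:
    name: str
    password: str          # hash field, or "*" / "x" when the hash lives in shadow
    uid: Optional[int]
    gid: Optional[int]
    gecos: str
    home: str
    shell: str


def parse_passwd_line(line: str) -> PasswdEntry:
    """Parse one record; a two-field 'name:hash' line gets placeholder fields,
    the same padding trick the tutorial describes, since only name and hash matter."""
    fields = line.rstrip("\n").split(":")
    if len(fields) == 2:
        fields += ["0", "0", "", "/nonexistent", "/usr/sbin/nologin"]
    if len(fields) != 7:
        raise ValueError(f"expected 7 fields, got {len(fields)}: {line!r}")
    name, pw, uid, gid, gecos, home, shell = fields

    def to_int(s: str) -> Optional[int]:
        return int(s) if s.isdigit() else None   # tolerate junk like 'a' in uid/gid

    return PasswdEntry(name, pw, to_int(uid), to_int(gid), gecos, home, shell)


def classify_password_field(pw: str) -> str:
    """Label what the second field holds."""
    if pw == "":
        return "empty"          # no password at all
    if pw in ("*", "x", "!", "!!"):
        return "shadowed"       # hash is in /etc/shadow, or the account is locked
    if pw.startswith("$"):
        return "modular-crypt"  # $1$ MD5, $2*$ bcrypt, $5$/$6$ SHA-crypt, ...
    if len(pw) == 13:
        return "des-crypt"      # classic crypt(3): 2-char salt + 11 chars, 8-char passwords
    return "unknown"


def audit(text: str) -> List[str]:
    """One finding per record that a hardening review should look at."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        entry = parse_passwd_line(line)
        kind = classify_password_field(entry.password)
        if kind == "empty":
            findings.append(f"{entry.name}: empty password field, logs in with no password")
        elif kind == "des-crypt":
            findings.append(f"{entry.name}: unshadowed legacy DES hash (only 8 chars of the password count)")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_PASSWD):
        print(finding)
```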
Sometimes you'll have passes that have only the first and second part, such as password files that you got from a webboard running Matt's web board script:

owner:Ejrt3EJUnh5Ms

You'll have to put in the other part so that the password looks like a Unix pass; you can do a copy-paste from another pass, you can even use

:510:102:His name:/home/subdir/owner:/bin/bash

What you have now should look like:

owner:Ejrt3EJUnh5Ms:510:102:His name:/home/subdir/owner:/bin/bash

Hell, you can even put

owner:Ejrt3EJUnh5Ms:a:a:a:a:a

It won't matter to john at all.

3) We're getting somewhere... nowhere

Now you're ready to crack. Type in

john -w:words.lst password.file

where words.lst is the password dictionary and password.file is the file where you have your password or passwords. If you use it on the example I gave you, you'll probably get the password because it's a really weak pass. You'd be surprised to see that people usually use really weak passes like their names, pet names, or even their username (for example: username=zalabuk, password=zalabuk).

Hint: Don't be stupid! Use strong passes like p4sswr!@ p@s$w11s with as many characters as you can remember. The hint is to use special characters and numbers; those passes are much harder to crack (I'll explain why in a minute). The other hint is to use passes as long as you can remember; 8 characters are sometimes not enough... it depends what box the one who cracks has... on a dual Alpha it is certainly not enough... in other words... more than 10 characters will do fine, even more wouldn't hurt (like 16...). By the way, older *nix have a fixed pass length of 8 chars... that is the old DES crypted pass that uses a 64-bit key... now there are 128-bit keys, and some perverts use even more, so there is more fun now :)

john -w:words.lst password.file

Wait wait wait! What am I doing here? Alright, listen up carefully. The DES encryption that Unix uses CANNOT be reversed.
Some encryptions can be reversed using a sometimes simple or sometimes incredibly complicated algorithm (in the 3rd century AD, Caesar used to send encrypted letters which used a formula of "shift by three", which means that d stands for a, e stands for b, etc. At that time, such an algorithm was just fine. Today, it isn't). So anyway, the altered DES encryption that Unix uses for its password files cannot be reversed. Why? Because it's a key-based encryption. The encryption algorithm uses a bunch of letters (lowercase and uppercase), numbers and symbols within the algorithm. So, in other words, to run the decryption algorithm you will need this key, which you simply cannot just have, because the key is the password! You see, when a user picks a password, the system generates an encrypted password for him, called a hash (which is what you get when you somehow acquire a password file), which is created by running this altered DES algorithm using the user's password as a key. If you try to decrypt the password using standard reversible DES encryption, you get a null string.

So how do John and other password crackers do it? Easy. They try to recreate this process by taking passwords out of these dictionary files (or wordlists) and using them as keys for this altered DES algorithm process. Then, they compare the result to all the encrypted passwords within the password file you've given them. If the two strings match - there you have it! The password is yours!

If the first step doesn't work, the next step would be to do this:

john -w:words.lst -rules password.file

This switch turns on not only browsing through the dictionary, but it uses some modifications of the words that are in the dictionary (like adding a number at the end of the pass - fool -> fool1, etc.). This one will take long with a huge pass dictionary, but it may give better results...
For a start you could try with a small pass dictionary, and if it doesn't work you can try it with a huge pass dictionary. Sometimes people are not stupid when they choose passwords and basic rules won't do the job... aaargh. As you've seen it takes more and more time for your CPU to crack this thing out as we go further. Now you can leave your computer on and go to sleep.... If you want to get even more possible passwords out of your password file, try typing

john -i password.file

This -i stands for incremental cracking, not a really good word for it, but... Okay, what the hell does it do? It uses the default incremental mode parameters, which are defined in john.ini. What does this mean? Do you remember -rules? Yes, well, of course you do, unless you're either incredibly senile or you've stopped reading after this part and only came back, like... a couple of years later. That is very much like rules, but much, much more powerful than -rules, and it takes much, much more time.

4) So where are we now (dictionary vs. brute-force)?

You can see that in all cases you use so-called dictionary cracking... but hell, why not just run John in a mode where it tries all possible combinations of lowercase and uppercase letters, numbers and symbols? I mean, this would be much more efficient, right? ... WROOOOOOONGG!!! This method is called a 'brute-force' attack (basically, a dictionary attack is also a sort of brute-force attack, but most people use the word brute-force for this specific attack). What are the differences? First and most important, with a dictionary you go through the selected words that could be passwords and their modifications, and with brute force cracking you use ALL possible combinations. That means you have

comb = nrch^let

where:
comb - number of possible combinations
nrch - number of chars
let - number of letters used

In case you're dealing with john's default -i 95 character set and, presume, a 6 letter password, you have 735091890625 possible combinations!
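Carrying the formula through, as an added example that is not part of the tutorial: it computes comb = nrch^let for the lengths the text mentions (including the 10, 12 and 16-char cases it leaves as an exercise), the 0..8 total an incremental run walks, and the time to exhaust each space at an assumed guess rate. The DES-crypt caveat (only the first 8 characters count) is the tutorial's own point about older *nix; the rate constant is an assumption picked only to make the table concrete.

```python
"""Search-space arithmetic for comb = nrch^let (added example; not part of the
quoted tutorial). GUESSES_PER_SECOND is an assumed round figure for illustration,
not a benchmark of John the Ripper or of any particular machine."""
from typing import Dict, Iterable, Optional

DEFAULT_CHARSET_SIZE = 95       # john's default -i:all character set, per the tutorial
DES_CRYPT_MAX_CHARS = 8         # classic crypt(3) ignores everything past 8 characters
GUESSES_PER_SECOND = 1e9        # assumed rate, chosen only to make the table concrete
SECONDS_PER_YEAR = 365 * 24 * 3600


def combinations(nrch: int, let: int) -> int:
    """comb = nrch ** let: strings of exactly `let` chars over an `nrch`-char set."""
    if nrch < 1 or let < 0:
        raise ValueError("charset size must be >= 1 and length >= 0")
    return nrch ** let


def combinations_up_to(nrch: int, max_len: int) -> int:
    """Every length from 0 to max_len inclusive, which is what an incremental run
    with MinLen = 0 and MaxLen = max_len walks (length 0 is the empty password)."""
    return sum(nrch ** n for n in range(max_len + 1))


def effective_length(let: int, hash_limit: Optional[int] = None) -> int:
    """Characters that actually widen the search: a DES-crypt hash only depends on
    the first 8, so a 16-char password is searched as an 8-char one."""
    return let if hash_limit is None else min(let, hash_limit)


def years_to_exhaust(space: int, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Worst-case wall-clock time to try every string in `space` at the given rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def length_table(lengths: Iterable[int], nrch: int = DEFAULT_CHARSET_SIZE,
                 hash_limit: Optional[int] = None) -> Dict[int, Dict[str, float]]:
    """For each requested length: the search space and the time to exhaust it."""
    table: Dict[int, Dict[str, float]] = {}
    for let in lengths:
        space = combinations(nrch, effective_length(let, hash_limit))
        table[let] = {"space": space, "years": years_to_exhaust(space)}
    return table


if __name__ == "__main__":
    # The tutorial's 6-char figure, then the 10/12/16-char cases it leaves as an exercise.
    for let, row in length_table([6, 8, 10, 12, 16]).items():
        print(f"{let:2d} chars: {row['space']:.3e} combinations, {row['years']:.3g} years")
    # Same lengths hashed with classic DES crypt: nothing past 8 characters counts.
    for let, row in length_table([8, 16], hash_limit=DES_CRYPT_MAX_CHARS).items():
        print(f"{let:2d} chars (DES crypt): {row['space']:.3e} combinations")
    print(f"incremental 0..8 over 95 chars: {combinations_up_to(95, 8):.3e} strings")
```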
OUCH!! Sure, this is useful for passwords like 2405v7, but still... with the computational power of today's modern PC, I'd just give up, unless I had access to some University's supercomputer, which I'd bet no one would ever give me (well, at least not for free, and certainly not to run a password cracker on it). As you can see it can take a looooong time until you crack a single pass; do a little math and try to calculate how many possible combinations there are for 10, 12 and 16 chars. I don't think you'll like the answer :) Of course, sometimes dictionary attacks are not enough, but john has very powerful 'thinking'. In 'incremental' mode john will do all possible combinations from 0 to 8 characters (by zero password length a hashed empty string is meant; this sometimes happens). So incremental mode is one sort of brute-force attack in some way... If you want to fire all weapons at once then you use

john password.file

This will do first a basic dictionary attack, then -rules, then -i.

5) What if...

Ok, you have to turn off your box from time to time, don't you? If you're doing that haaard password that will take more than 20 hours of cracking you can set john with ctrl+c and then resume with

john -restore

If your box crashes or if there's a power failure, you won't be able to restore your cracking sessions (sometimes)... well that's just too bad. Hell, it happened to me once :-(

John is modular, and that is the most powerful thing about john the ripper, and that is what makes john the most advanced password cracker. John is very, very modular. John uses modes that are described in john.ini (do you still remember that incremental cracking I was talking about? Modes for rules and incremental are described in john.ini). If you're some inventive guy then you may change the parameters in john.ini. Here is an example of how some default parameters for -i look:

# Incremental modes
[Incremental:All]
File = ~/all.chr
MinLen = 0
MaxLen = 8
CharCount = 95

Ok...
what do we have here?

[Incremental:All] - this stands for the beginning of the definition for the -i:all switch
File - filename of the file that has the characters used in mode -i:all (the whole character set)
MinLen - logically, the minimum length of password that john -i:all would try
MaxLen - even more logical, the maximum length of password that john -i:all will try
CharCount - number of chars used by john when you 'turn on' this switch

So, there are some more switches... heh. Yes there are, and down there are all default modes pasted from john the ripper's documents:

John the Ripper's Command Line Options

You can list any number of password files on John's command line, and also specify some of the following options (all of them are case sensitive, but can be abbreviated; you can also use the GNU-style long options syntax):

-single                "single crack" mode
Enables the "single crack" mode, using rules from [List.Rules:Single].

-wordfile:FILE         wordlist mode, read words from FILE,
-stdin                 or from stdin
These are used to enable the wordlist mode.

-rules                 enable rules for wordlist mode
Enables wordlist rules, that are read from [List.Rules:Wordlist].

-incremental[:MODE]    incremental mode [using section MODE]
Enables the incremental mode, using the specified ~/john.ini definition (section [Incremental:MODE], or [Incremental:All] by default).

-external:MODE         external mode or word filter
Enables an external mode, using external functions defined in ~/john.ini's [List.External:MODE] section.

-stdout[:LENGTH]       no cracking, write words to stdout
When used with a cracking mode, except for "single crack", makes John print the words it generates to stdout instead of cracking. While applying wordlist rules, the significant password length is assumed to be LENGTH, or unlimited by default.

-restore[:FILE]        restore an interrupted session
Continues an interrupted cracking session, reading point information from the specified file (~/restore by default).
-session:FILE          set session file name to FILE
Allows you to specify another point information file's name to use for this cracking session. This is useful for running multiple instances of John in parallel, or just to be able to recover an older session later, not always continue the latest one.

-status[:FILE]         print status of a session [from FILE]
Prints status of an interrupted or running session. To get up to date status information on a detached running session, send that copy of John a SIGHUP before using this option.

-makechars:FILE        make a charset, overwriting FILE
Generates a charset file, based on character frequencies from ~/john.pot, for use with the incremental mode. The entire ~/john.pot will be used for the charset file unless you specify some password files. You can also use an external filter() routine with this option.

-show                  show cracked passwords
Shows the cracked passwords in a convenient form. You should also specify the password files. You can use this option while another John is cracking, to see what it did so far.

-test                  perform a benchmark
Benchmarks all the enabled ciphertext format crackers, and tests them for correct operation at the same time.

-users:[-]LOGIN|UID[,..]   load this (these) user(s) only
Allows you to filter a few accounts for cracking, etc. A dash before the list can be used to invert the check (that is, load all the users that aren't listed).

-groups:[-]GID[,..]    load this (these) group(s) only
Tells John to load users of the specified group(s) only.

-shells:[-]SHELL[,..]  load this (these) shell(s) only
This option is useful to load accounts with a valid shell only, or not to load accounts with a bad shell. You can omit the path before a shell name, so '-shells:csh' will match both '/bin/csh' and '/usr/bin/csh', while '-shells:/bin/csh' will only match '/bin/csh'.

-salts:[-]COUNT        set a passwords per salt limit
This feature sometimes allows you to achieve better performance.
For example you can crack only some salts using '-salts:2' faster, and then crack the rest using '-salts:-2'. Total cracking time will be about the same, but you will get some passwords cracked earlier.

-format:NAME           force ciphertext format NAME
Allows you to override the ciphertext format detection. Currently, valid format names are DES, BSDI, MD5, BF, AFS, LM. You can use this option when cracking or with '-test'. Note that John can't crack password files with different ciphertext formats at the same time.

-savemem:LEVEL         enable memory saving, at LEVEL 1..3
You might need this option if you don't have enough memory, or don't want John to affect other processes too much. Level 1 tells John not to waste memory on login names, so you won't see them while cracking. Higher levels have a performance impact: you should probably avoid using them unless John doesn't work or gets into swap otherwise.

6) Tips

I) A good schedule for your cracking job is
john -w:words.lst password.file
john -w:words.lst -rules password.file
john -w:words.lst password.file
john -i:digits password.file
john -i:all password.file

II) If you have a file that has only passes that look like
owner:*:510:102:His name:/home/subdir/owner:/bin/bash
you have a shadowed password file. Go to the Byte-Me page at blacksun.box.sk and try to find out more about password files (I'll leave it up to you to do this. It's important that you learn how to find things by yourself).

III) You have some little tools that you get with john; they are all listed below (from john's docs):

unshadow PASSWORD-FILE SHADOW-FILE
Combines the passwd and shadow files (when you already have access to both) for use with John. You might need this since if you only used your shadow file, the GECOS information wouldn't be used by the "single crack" mode, and also you wouldn't be able to use the '-shells' option. You'll usually want to redirect the output of 'unshadow' to a file.
unafs DATABASE-FILE CELL-NAME
Gets password hashes out of the binary AFS database, and produces a file usable by John (again, you should redirect the output yourself).

unique OUTPUT-FILE
Removes duplicates from a wordlist (read from stdin), without changing the order. You might want to use this with John's '-stdout' option, if you've got a lot of disk space to trade for the reduced cracking time.

mailer PASSWORD-FILE
A shell script to send mail to all the users who have weak passwords. You should edit the message inside before using it.

So, that was about it... hope you've got something from this text. Further reading: try reading ALL the documentation you get with john in the docs directory. Maybe it's a little bit chaotic, but.... man, those are the docs :) Ohh, wait, wait!! Remember, not all password files can be cracked! Smart admins alter the encryption that they are using, especially when it comes to root passwords. But there are always other ways to get passwords. These are covered in other BSRF tutorials. Collect them all (lol) at http://blacksun.box.sk.

Points For Style:

Again, to be a hacker, you have to enter the hacker mindset. There are some things you can do when you're not at a computer that seem to help. They're not substitutes for hacking (nothing is), but many hackers do them, and feel that they connect in some basic way with the essence of hacking.

Learn to write your native language well. Though it's a common stereotype that programmers can't write, a surprising number of hackers (including all the most accomplished ones I know of) are very able writers.

Read science fiction. Go to science fiction conventions (a good way to meet hackers and proto-hackers).

Train in a martial-arts form. The kind of mental discipline required for martial arts seems to be similar in important ways to what hackers do. The most popular forms among hackers are definitely Asian empty-hand arts such as Tae Kwon Do, Karate, Wing Chun, Aikido, or Ju Jitsu.
Western fencing and Asian sword arts also have visible followings. In places where it's legal, pistol shooting has been rising in popularity since the late 1990s. The most hackerly martial arts are those which emphasize mental discipline, relaxed awareness and control, rather than raw strength, athleticism, or physical toughness.

Study an actual meditation discipline. The perennial favorite among hackers is Zen (importantly, it is possible to benefit from Zen without acquiring a religion or discarding one you already have). Other styles may work as well, but be careful to choose one that doesn't require you to believe crazy things.

Develop an analytical ear for music. Learn to appreciate peculiar kinds of music. Learn to play some musical instrument well, or how to sing.

Develop your appreciation of puns and wordplay.

The more of these things you already do, the more likely it is that you are natural hacker material. Why these things in particular is not completely clear, but they're connected with a mix of left- and right-brain skills that seems to be important; hackers need to be able to both reason logically and step outside the apparent logic of a problem at a moment's notice.

Work as intensely as you play and play as intensely as you work. For true hackers, the boundaries between "play", "work", "science" and "art" all tend to disappear, or to merge into a high-level creative playfulness. Also, don't be content with a narrow range of skills. Though most hackers self-describe as programmers, they are very likely to be more than competent in several related skills; system administration, web design, and PC hardware troubleshooting are common ones. A hacker who's a system administrator, on the other hand, is likely to be quite skilled at script programming and web design. Hackers don't do things by halves; if they invest in a skill at all, they tend to get very good at it.

Finally, a few things not to do. Don't use a silly, grandiose user ID or screen name.
Don't get in flame wars on Usenet (or anywhere else). Don't call yourself a 'cyberpunk', and don't waste your time on anybody who does. Don't post or email writing that's full of spelling errors and bad grammar. The only reputation you'll make doing any of these things is as a twit. Hackers have long memories; it could take you years to live your early blunders down enough to be accepted.

Well folks, I think that pretty much covers it. I would like to thank the following people and/or groups for their contribution to this article (whether they knew it or not):
Caboom
Dimbulb
BlackSun Security
Eric Steven Raymond
http://undergroundmac.com
http://freaky.staticusers.net

Disclaimer: The information provided in this text is for educational purposes ONLY. Phreak.Net and all of the writers of the articles used in this text take NO responsibility for your actions.

Copyright Info: This text is totally free. Make copies of it and give it to friends, post it on forums, host it on your website, whatever. You can do whatever you want with this as long as you don't modify anything or sell it and make money from it.

Well everyone, it is time to say good bye. I sincerely hope that you have learned something from this and that it can continue to be passed on to help many other starting hackers. If you ever wanna talk or anything, you can e-mail me at: admin@phreakforums.net

-Phreak.Net
Written by Phreak.Net
June 24, 2005