Copy Link
Add to Bookmark
Report
Modernz 04
A Beginner's Guide To Unix
--------------------------
The information contained in this file is by no means new or original. I
was simply asked to compile some basic commands and concepts for the access
and use of Unix systems. I would like to give credit to the many other
files which I have gained this information from, and to the people who have
helped me learn what I know today.
I will not cover any detailed or complicated features of Unix. I am merely
going to provide the means to access low-security systems and navigate the
shell.
Access: -------
All Unix systems are provided with default accounts. They are used for
system administration and such. Many system operators are too lazy or naive
to remove them. You may find the following accounts on a system, with no
passwords:
daemon uucp bin adm sysadm admin sysadmin nuucp sync
Others may have been added, such as:
user guest demo test public help field system operator
You can also try common first or last names (john,fred,smith,etc...). Be
sure to use lowercase for the login name. If you enter a capital letter as
the first character, the system will assume that you terminal is incapable
of displaying lowercase. From then on, in order to enter capital letters
you must precede each by a "\". This can become quite annoying, and you
will probably never see an account with a capital letter as the first
character.
Of the above defaults, the uucp or nuucp accounts are often used for Unix
to Unix communications (uucp stands for Unix to Unix CoPy). If this is the
case, the system will give send the uucp identifier, "Shere". In this case,
the account is basically useless unless you can call via another system
through the uucp command.
The sync account is a self-running Unix management account. If present, it
will run a few housekeeping chores and log off. The only reason I included
this is that many systems provide a greeting message or something of the
sort when you log on as sync. Occasionally you can obtain information which
will help you find an account.
If you cannot get in via the above methods, try using "who". If present, it
will display a list of all accounts currently online. You can try those and
hope they have no password.
If you are desperate, just hack blindly. Often the login name and password
are the same. You can also try initials (as in names...rlb,jhs, etc...).
Once you are in: ----------------
If you make it through the front door, you do not necessarily have access
to the shell. Often accounts have programs run automatically for specific
users, such as system administration programs (useful), accounting
programs, etc... In this case, you can try to break out of the program
(either through a menu option or a loophole). Try various escape/break
related control characters (escape [ascii 27], ctrl-c [ascii 3], etc...).
When you are in the shell, you will be greeted by one of two prompts.
Either a "$", denoting basic access, or a "#", denoting superuser access.
If you have superuser access, most of your work may be done (depending on
other security measures that have been taken). Either way, the following
will help you get higher access.
First, you'll need some basic commands for moving around:
stty
This command sets your terminal
characteristics. Before you attempt
anything else, you should set some
important ones. First, your delete
character. Many systems do not use
the common ctrl-h [ascii 8]. Also,
the delete on your computer may not
be the standard ctrl-h. To set your
delete character, type:
stty erase (character)
Do not use the parentheses. Spacing
is important. You can replace
(character) by hitting your own
delete key, or typing a control key
sequence.
If you would like to enter something
a bit more visual to reassure
yourself, you can use:
stty erase \^(character)
To enter a control character without
actually hitting control. Replace
character with the desired control
character. Ex:
stty erase \^h
Sets the erase character to ctrl-h.
If you make a mistake doing this,
hit return and start over
(obviously if the system does not
know your erase character, you
cannot edit your mistakes).
Once your control character is set,
you will want to set your break
character. This is vital for file
editing, which we will cover
shortly. To set the break character,
type:
stty intr (character)
The same options as the delete
character apply.
To view the current setting, simply
enter stty by itself. Often, the
system will already be configured to
your liking. Occasionally, the stty
command will not display the erase
or break (intr) characters, in which
case you should enter them to be
sure. All control characters will be
displayed in the ^(character)
format.
ls
This is the list-files command. It
will show the names of all non-
hidden files in the current
directory. The display will either
be a single list or multi-column
display. The command lc toggles
between the two. In either case, the
files will be sorted alphabetically
(numbers first, followed by most
punctuation symbols, then capital
letters, and finally lowercase
letters).
ls has many options, which I will
cover later.
pwd
Displays the current directory path
from the root directory (/).
cd
Change directory. Those familiar
with the MS-DOS environment will
have no trouble with this command.
To change directories, simply supply
a path from the root directory.
To go to the "lib" directory, within
the "usr" directory, you would
enter:
cd /usr/lib
cat
Displays a file. Often it is
difficult to differentiate between
text files and data files. If you
wish to abort the display, type
your break character.
Cat requires the full pathname to
access files outside the current
directory, but for files within
the current directory, the filename
will suffice.
Ex:
cat /etc/passwd
Will display the passwd file within
the etc directory. This file is
present on all systems. It is
immensily useful in gaining higher
access (basically, it is necessary
to gain any access).
These commands will help you for now. After setting your terminal options,
enter:
cd /etc
We will be doing most of our work in there for the time being. You should
have had your buffer on long before this on the system, but turn it before
executing the following command if you haven't:
cat /etc/passwd
Often these files are quite large, so after a while you may want to abort
it. Often what you are looking for will be within the first few lines.
Each line of the passwd file represents an individual user. There are seven
fields to each entry. A typical entry looks like this:
user:x:100:100:Elmo:/usr/user:/bin/sh
The first field is the login ID. The second is the password field. In newer
releases, it will contain an "x". Older releases may contain the actual
encrypted password (a string of seemingly random characters). On new
systems the encrypted password are found in the /etc/shadow file. The third
field is the user ID number. Fourth is the group ID number (more on groups
later). Fifth is merely a comment about this user (often their name, or in
an administrative account, its duties). Sixth is the home directory. The
system will place you in your home directory when you log on. The final
field contains the path and file names for the default shell or program. If
this field is empty, the system defaults to /bin/sh.
You cannot gain a user's password via this file. You may be able to obtain
access through a higher account, however. When looking for high-level
accounts, you will want to examine the fourth field. The lower numbers
often denote administrative accounts. The group "root" belongs to is most
likely what you will want.
To discover more about the groups, view the /etc/group file. This contains
the group names, the encrypted password required to change into/out of this
group (almost always "NONE"), the group ID number (to compare to the passwd
file), and a list of the group's members.
You will want to scan the passwd and group files to find any accounts that
belong to the same group as root, or a group which root is in. Often root
will be the only member of its group, so you will have to look for other
administrative account groups (those containing such accounts as adm,admin,
sysadm,sysadmin and so on).
Once you have found these accounts, you can attempt to gain their access.
The command:
su (login ID)
allows you to essentially "become" that user. Replace (login ID), of
course, with the account you want to assume. If the account has no
password, the process is automatic. Otherwise, you will be prompted for a
password. You can try the login ID as a password, but this may not work. If
it does, make a note of it. Otherwise, you can try other methods, or go on
to another account.
Hopefully, you will find an account with no password. If you have found an
older system, without the /etc/shadow file, an empty password field (::)
will tell you immediately which accounts do not have passwords. If it is a
newer system, it will contain an "x" regardless of the presence of the
password status.
If you find yourself in this dilemna, you may still be able to find an list
of those accounts without passwords.
If you have the superuser ("#") prompt, you may be able to read the
/etc/shadow file. The format for this file is:
login ID:(encoded pw):6480:14:28
The first field is the same as the login ID found in the /etc/passwd file.
Each entry in /etc/passwd should have a corresponding one in /etc/shadow.
The second field will be blank, denoting no password, or contain the
afformentioned "random" characters. Third is a numeric code describing when
the password was last changed. Fourth and fifth are the minimum and maximum
number of days between mandatory password changes. Often the last two
fields are empty, which means users are not required to change thier
passwords.
Here, again, you should look for any accounts without passwords, and
examine the group file as mentioned.
Now, hopefully, you will have some decent access. Many of the accounts with
no password are that way for a reason - they do not allow shell access; but
that never stopped anyone.
If you discover an account that runs a program and then logs off, or runs a
program which allows you to interact in a boring way, you can use this to
your advantage. Look in the seventh field of this account's passwd
information. It will contain the path and filename of the program being
run.
At this point, security on most systems is extremely low. Many system
operators are sure that by stopping you from directly getting access, they
have stopped you totally. By "tricking" the system, you can get access
indirectly.
If you find a program being run, go back to the account which gave you
shell access. Then enter the directory where the program was (do not
include the file "/" and the filename). You want to change the filename of
the program. To do this, type:
mv (filename) (backup filename)
To change /usr/prog to /usr/prog.b, you would enter:
mv /usr/prog /usr/prog.b
Make sure you remember the filename you give it. It is also a good idea to
keep it in the same directory. Now, you have to create a dummy file to
replace it. We will have to use the "ed" file editor to do this. MAKE SURE
YOU HAVE SET YOU BREAK CHARACTER. You cannot use ed without having a break
character. To make the file, type:
ed (filename)
Where (filename) is the name of the file you just renamed. Use the OLD name
(the one in the passwd file)! ed will respond with:
?(filename)
meaning the file does not exist yet.
Some basic ed commands are:
q
Quit. If you attempt to quit after
making changes, ed will not quit
until you hit "q" again (this is to
remind you to save changes). w
Write file (saves all the changes
you make). ,p
Displays all lines. /(string)
Searches the buffer for (string),
and displays that line. a
Add lines (starting at the current
line). i
Insert lines at the current line. d
Delete the current line. h
Turns help on (shows verbose error
messages).
Entering a line number will bring you to that line. When editting a file
which already exists, ed will show you the current number of bytes in the
file rather than "?(filename)". If you attempt to write a file, and ed
replies with "?(filename)", you do not have access to write that file.
Now, back to the dummy file. Type "a" to add lines. Enter:
echo "Blah" /bin/sh
Then, after pressing return on the /bin/sh line, type your break character.
Write the file and quit the editor. You now have your dummy program set up.
The command "echo" is a simple print command. You can enter as many as you
like, or none at all. They are merely to reassure you that your program is
running. The important part of this is the "/bin/sh", which runs the shell
program.
You must now give all users access to your program, so the account will be
able to use your newly created program. Type:
chmod +rwx
This will give read, write, and execute permissions to all users (more on
permissions some other day).
You should now logon again as the account which uses this program. If you
did everything right, you should now have control of the shell, hopefully
with superuser access ("#" prompt). If you still do not have superuser
access, go back and try something else. Be sure to do the next few steps
whether it works or not, to insure your continued use of the system. Delete
your dummy program by typing:
rm (filename)
Be sure to include the directory path in the filename, as before. Now,
rename the old file back to its original name (just reverse the filenames
in the previous rename command).
Now everything is back to normal. If you did not get access, you will have
to go back to your old account to set the files back to normal. Make sure
you do this, or you may cause damage to the system. This will result in
higher security. Also, real hackers never damage systems for without cause.
Laziness is not an excuse.
If you are still without decent access, you will have to consult another
file. I may write another soon on more ways to gain access, but for now,
this should help enough people. From now on, I will assume you have
achieved superuser access within an administrative group. You will most
likely want an account of your own now. Use the ed command to edit the
/etc/passwd file. Somewhere in the mid-beginning section (within the first
4-12 lines), add an account using one of the default account not already
present (from the first list, if possible), or commandeer an unused (be
sure it is unused) default account already there.
Set you ID number and group to those of the root account (usually 0:3). Set
your directory wherever you like, and set the shell filename to either
/bin/sh, or leave it blank. In the password (second) field, what you enter
depends on the system. If it is an older system where the encrypted
passwords are stored in the passwd file, just enter whatever password you
like there. The system will encrypt it for you when you save it. If it is
the newer "x" system, put an "x" there, and do the following, otherwise
skip this.
New system users will have to enter the command:
/etc/pwconv
This command will recreate the /etc/shadow file based on the information in
the passwd file. Just to be sure, ed the shadow file, and leave the
password field blank for your newly created account (use the /(string)
command within ed to jump directly to your login ID).
Now, you can call back as your new account. You should enter:
passwd
to create a password for your account if it doesn't already have one.
If all has gone well, you now have an account of your own. I will now give
a list of other commands which you can play around with.
Unix commands: --------------
banner (string)
This is a "fun" command, which will
take (string) and expand it into
block letters on your display.
write (user)
Will send a message to another user.
After entering the command, the
system will wait for you to type a
message and terminate it with your
eof character. Change your eof
character by entering:
stty eof (character)
wall
Like write, but sends to all users.
who
Displays a list of everyone online.
mail (user)
Send email to any user in the passwd
file. To read your mail, just type
mail.
exit
Logout of the system. I should have
mentioned this before, but I forgot.
You can also use your eof
character at the shell prompt to
logout.
echo
Prints text or variables, as shown
before.
env
Display all variables in your
environment. More on shell
variables soon.
rmdir (directory)
Delete a directory.
mkdir (directory)
Make a directory.
cp (original) (backup)
Copy a file.
grep (string) (filename)
Searches through (filename) until
it finds (string), and then
displays the entire line (string)
was found on.
date (time & date)
Alone, date displays the time and
date. It can also be used to set
it.
cal (date)
Alone, cal displays a calendar of
the current month. With optional
month and year, it will display
any year from 1 to 9999.
There are many more commands, but to explain them all could take forever.
Most systems contain online help files which you can access by typing
either:
man (command)
or:
help (command)
For a list of commands, look in the various "bin" directories. They contain
the actual programs.
Variables: ----------
The shell allows the use of variables. All variables are represented by
capital letters. You can create your own, or view/change standard system
variables. Some standard variables are:
PATH
This will show the order the shell
searches in to find commands. You
will most likely find a number of
directories ending in "bin". An
example could be:
:/bin:/usr/bin:/usr/lib/bin:/etc
This means that when you type a
command, the system checks to
directories in that order before
finally giving up and reporting an
error if the command is not found
(All commands are files).
PS1
This is the main shell prompt,
usually "$" or "#", depending on
your access. You can change this
to whatever you like.
TERM
Some systems keep track of what
type of terminal you are using, for
use in formatting output (usually
through other programs).
LOGNAME
The login ID you are using.
HOME
Your home directory.
TZ
Timezone.
MAIL
The file your mail is sent to.
There are others, but they tend to vary with the account. Enter the env
command to display the variables in use.
Variables you create within shell programs (such as the dummy program that
was discussed before) retain thier values for the life of the program only
(they do not affect the other shell variables).
You can change a variable like this:
TERM=ansi
Whenever you want to view a variable, or use it for another purpose,
precede it with a "$". Ex:
echo $LOGNAME
will display your login ID.
Misc: -----
I seem to have run out of memory, so forget it for now. Hopefully I'll
write so more soon...
- Midnite Raider
[4] Tfiles: (1-8,?,Q) : 
