TTY SPOOFING by SubEthan I know what you are going to say... "THAT WAS ALREADY COVERED BY VAXBUSTER IN PHRACK-41!" Yeah, I know, but if you would shut your mouth for long enough and pay attention you might learn something. This file is meant to be a follow up of VaxBuster's very informative article on TTY spoofing. Vax does a great job in explaining how TTY spoofing works, but falls short in a few areas. This article will NOT repeat anything said in VaxBuster's article so if you haven't read it go do it now or just be confused. Manual TTY spoofing is made out to look SOOO easy by VaxBuster, but when I recieved my issue of Phrack-41 I (of course) immediately tried some TTY spoofing of my own. Well needless to say I figured it out, but it wasn't quite as simple as cating the TTYs and waiting. One of the most immediate problems is finding out what TTY's are used for what purposes. Many machines, especially larger machines, can have HUNDREDS of TTYs. Some are obviously for devices such as printers and modems, while others are set aside for "scum" student users, and still others might be for "special" users. My advise is to take a tour of your /dev direcotry. Get to know it, because even beyond TTY spoofing there are many things that can be done in the /dev directory. When you look at all the TTYs in the /dev directory look for ones whose owner isn't "root" and don't just check it once, check it at different times of the day and keep a log of patterns, such as where maybe the modem users are and where the CIS lab terminal TTYs are. Not all computers have different TTYs for different groups of users, but if you keep your eyes open you may notice things that will be to your advantage later. Now once you figure out what TTYs the bulk of users you might want to spoof are on, then you can start cating terminals and wham, bam, thank you ma'm you magically get accounts, right? Wrong. Even after you know the best TTY areas for spoofing, there are still some problems. One of the biggest problems I had when spoofing was this: once I catted an unused TTY, that TTY was skipped over by the login process. If I catted a whole area of TTYs that whole area of TTY was skipped over and it looks pretty obvious something is up when you look at a "who" and there is a gap of TTYs about 30 long that don't have users. The obvious solution to this problem is, of course to cat ALL the TTYs. I have a slight problem with that though. There are just TOO many TTYs to spoof. The normal use TTYs on my machine go from ttyx1 to ttyx255. That's right 255 TTYs! And don't tell me cats don't show up in a ps -aux because they do. It would look pretty suspicous if your name were on the process list with 255 cats running. Needless to say I needed to find out more about how the TTYs worked. I found that every once in while when I did cat a large area of TTYs I could snag a user, but then I would just end up killing all the other process after five minutes because I noticed that the TTYs I still had catted started to get skipped. After a while of playing I figured out that the users I would snag were through PURE LUCK. While catted TTYs are skipped over, what happens is you can actually cat someones terminal as they are logging in! This is what happens most of the time. I came up with a process to better my chances of "snagging" some poor schmuck as he is logging in. Now as most people know, (or maybe not so I'm telling you anyway) TTYs are distributed numerically. ttyx1 (or whatever your first tty?? happens to be) is given out before ttyx2 and so on down the line. Now if ttyx1 through ttyx10 are used and the person using ttyx2 logs off, then ttyx2 is the next tty to be given out to the next user who logs in. This I believe generally holds true on most machines (although I am not positive). Now in order to optimize getting ttys here is what you can do. First you log in (to whichever hacked account you prefer, although with this method I genereally don't fear using my own) during busy hours and find which tty you are on by doing a ps. Now most of the time, especially during VERY busy hours you will tend to slip into the middle of the used ttys. This is because someone has dropped out of the middle and you have gotten that tty. Now what you want to do is try to identify a LOW numbered unused tty. You COULD keep doing whos to see who drops off of a low numbered tty, but here is what I do to maximize efficiency. Just Telnet to your own machine and log in again. This guarantees that you will find out the lowest number open tty on your machine, plus since you are logged in no one else will be able to take. This TTY is the one you will spoof. It is very important that the tty number be as low as possible. You will see why later. Now say you originally logged on to ttyx55 and then when you Telneted to your own machine you managed to get ttyx7. What you want to do now is logout off of ttyx7 putting you back to ttyx55. Now right away cat that sucker! cat < /dev/ttyx7 & Alright. Now if you don't get a "permission denied" error you got it. If you do get "permission denied" try the whole process again. Once you get a low tty cated you are in good shape. Now unless, as I said before, someone is logging in at the same time as you cat the terminal then nothing will happen. The tty you catted will be skipped over. Now you want to typ% the cgmlAndq fg2 the "<—j@O!