
README
------

	__________  ___ ___ ________ __________.___   _____
	\______	  \/   |   \\_____  \\______   \   | /	_  \
	 |     ___/    ~    \/	 |   \|	   |  _/   |/  /_\  \
	 |    |	  \    Y    /	 |    \	   |   \   /	|    \
	 |____|	   \___|_  /\_______  /______  /___\____|__  /
			 \/	    \/	     \/		   \/
       v.992b Security Scanner UK (c) 1997. All rights reserved
			      --------
				  .

._.    ,	 .	 ,
 | ._ -+-._. _	_|. . _.-+-* _ ._
_|_[ ) | [  (_)(_](_|(_. | |(_)[ )
----------------------------------

This utility does a scan of an Internet host looking for various
vulnerabilities.

This scanner is different from most other scanners: rather than checking
for the absence of some security feature, Phobia checks for the presence
of the bugs themselves, which stops you from getting false positives.

This means that this program is VERY DANGEROUS on a network if used by
irresponsible person(s); while it does not touch any system files in any
way, it does, however, try to obtain system privileges.

As it stands, the privileges this program gains cannot be used for any
purpose other than reporting. But the user of the package can abuse
these privileges if they have the know-how (it is very easy); I did not
take any measures to prevent this from happening (as they could be easily
undone). As with any tool, the manufacturer is NOT RESPONSIBLE for the
actions of the user.

I wrote/tested this on:

- Red Hat Linux 1.2.13 w/ gcc on a 486sx33.

- Also tested on Slackware 96, kernel 2.0, on a Pentium 133MHz laptop with a 1.1GB HD.

- Also tested and works fine on FreeBSD 2.0.5 on i486.

The conditions of usage for this package are as follows:

1) You must not scan any machine without permission! This is illegal in
most countries. Its main purpose was to scan your own host, and hence
some of the features work this way.

2) I have the right to record the usage of this program. If you do not
like this policy then simply do not use it. I will *NOT* give this
information to anyone for whatever reason... [Note: I disabled this in
this SE version so you are OK, but I may include it again].

3) You may not sell this.

4) You cannot make changes for commercial purposes without asking me; you
may make moderate changes for studying or improving it.

5) You acknowledge that you are using this package at your own risk.

6) I reserve all rights to do whatever I choose ;P

The standard disclaimer now follows:

 "BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  

 IN NO EVENT SHALL Zero Tolerance Technologies Ltd., OR "Kila_m, Esq." BE 
LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, 
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF Zero 
Tolerance Technologies HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 
IN ANY CASE LIABILITY WILL BE LIMITED TO THE AMOUNT OF MONEY THAT Zero 
Tolerance Technologies RECEIVED FROM YOU FOR THE USE OF THIS PROGRAM.

 THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  
SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY 
SERVICING, REPAIR OR CORRECTION." 

 "IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS)."


	-- signed			<assume kila_m's signature>

	-- you agree to these terms 	<place your signature here>

*** Usage of this program also constitutes acceptance of these terms.

It checks for or does the following (in no particular order):

	[x]	Sync account unpassworded
	[x]	If any username is the same as the password
	[x]	Grabs password file from NIS (it's in there if you want it)
	[x]	Checks various vulnerable world-writable files
	[x]	Active TCP ports
	[x]	If decode, debug, wiz aliases are active
	[x]	Sendmail vulnerable to double mailing file bug (localhost)
	[x]	Password file can be grabbed via SMTP
	[x]	FTP tilde bug is present
	[x]	If SITE chmod 777 / unprotects ftp site
	[x]	If FTP server is vulnerable to SITE EXEC bug
	[x]	If ROOTKIT v1.0 or v2.0 is running
	[x]	If RSHD has NULL argument bug
	[x]	If REXD, RUSERSD, YPUPDATED and YPSERV are running
	[x]	REXECD password cracking

 __		.
/   _ ._ _ ._ *|*._  _
\__.(_)[ | )[_)|||[ )(_]
------------|--------._|

I use a configure script, so all you do is type "./configure" and it will
do the rest.

To compile it, type "make"; then to run it, "./phobia -h <hostname>".

You can install it by typing "make install" and uninstall it with
"make uninstall".

You can also create a distribution to give to your friends by typing
"make dist"; the archive will be the "phobia-*.tar.gz" file.

It looks like it adheres to GNU specs, but that was just to ease writing and
portability. Most of the groundwork is laid out for portability.

So again, it is not GNU (pun intended).

.__.   _;_  .__.
|  |  (_|_  [__]
|__\  (_|_  |  |
--------`-------

q) Why did you write this?
a) It was going to be for an academic project - but due to unforeseen
   circumstances this didn't go as planned. ;) to people who know me!

q) Isn't it dangerous to release tools like this into the hands of the general
   public?
a) Yes, but there are various places where people can get detailed information
   on security problems, which is also available to the general public. This
   tool isn't meant to be used by every man and his dog; it requires certain
   knowledge on behalf of the user. If you wish to argue this point, try:

	alt.security, comp.unix.security, alt.ph.uk, alt.2600

q) The name is lame, why call it (ahakna)phobia?
a) If you have a better name, e-mail me. It didn't take long to think it up; at
   least it's better than the cliched ACME SECURITY SCANNER blah blah blah.
   Besides, what's in a name (I feel a bit of poetry coming on).

q) How do I compile this?
a) Just type "./configure" and then type "make".

q) Why do I need root to execute the rsh test?
a) This is because the other host wants you to be on a privileged port. A
   privileged port is one with a port number < 1024; the security
   implication of this is that, without the restriction, you could be an evil
   hacker who has killed, say, the rlogin server and set up your own server
   that prints "Login: ", "password: " and then just writes the password to a
   file, in effect spoofing the rlogin server. Anyway, the system call to find
   one of these ports checks to see if you are root, so there you go!

.___	  .	     ,		   ._  .__.    ,
[__ \./._ | _.._  _.-+-* _ ._	 _ |,  |  |._ -+-* _ ._	 __
[___/'\[_)|(_][ )(_] | |(_)[ )	(_)|   |__|[_) | |(_)[ )_)
-------|-----------------------------------|--------------

- A passwordless sync account allows you to PRELOAD the library routine
  sync() and gain UID=1.

- Having various files world-writable allows you to gain root indirectly.

- Active TCP ports on host (probe for targets) - self-explanatory really.

- The decode alias allows you to overwrite files with (often) UID=1.
  Staff often gives usernames to crack.
  The wizard (wiz) command gives you a shell.
  Debug ditto.

- Sendmail double mailing bug: if you mail to a file twice in quick
  succession on Sendmail 5.x it will overwrite files.

- Sometimes the password file can be grabbed and often you can execute
  commands via Sendmail.

- The FTP tilde bug gives instant root.

- Site exec runs with privileges and allows root access.

- You can also deprotect a site if FTP is owned by FTP (implications are
  obvious).

- Rootkits are hacker kits that Trojan various system files, fake
  checksums, forge time, date and privs, install sniffers, etc.
  It is a simple check.

- The buffer overflow exploiter allows you to gain root or test your software
  to see if a program is vulnerable enough to allow access.

  This was a last-minute addition and credit goes to the Phrack article.
  It is a slightly updated version of eggshell, with support for FreeBSD/HP,
  which I liked in the Phrack article, so consider it a bonus! The variable
  that contains the address is "$ADR".

  Some of the code arrays are from Bugtraq; I only wrote the assembler for the
  Linux version. E.g., phobia -b358 -o-50 ; crontab $ADR

- RSHD bug: allows root.

- RPC services:

  RUSERS	- shows users logged in; use with the rexec cracker.
  YPSERV	- allows you to grab the password file from NIS.
  REXD		- authentication problem; you have root if it is running.
  YPUPDATED	- has the "nobody" bug and allows command execution.

- REXEC crack is a password cracker that works over the network.
  Basically, REXECD does not log anything to syslog() or anywhere else
  for that matter, so we give it words to try and check if we cracked
  any. We get the users to try from "finger" and "rusers -l".

  If you find any other usernames you can put them in the file
  "users_tc" (users to crack :) in case you were wondering). Each time
  you execute option "-k" I append to this file, so it is YOUR responsibility
  to maintain it. Look for other ways to get usernames (there are many ways).

  I think root rexecs will not be accepted, so do not try.

  Inetd may kill us because it thinks we are a looping process; I just
  hacked the routine together to sleep for 2 seconds. It's not fantastic,
  but when you need to get desperate give it a try. I did not want to waste
  too much of my time writing stuff like this, as all it takes is 1
  account and the whole system is vulnerable.
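The first two host-local weaknesses in the list above (a passwordless account such as sync, and world-writable files) can be audited from the system owner's side with a short POSIX shell script. This is an added example, not code from Phobia; the passwd entries and the scratch directory it checks are constructed for the demonstration.

```shell
#!/bin/sh
# Added audit helpers (not part of Phobia): report the two host-local
# weaknesses from Phobia's list, seen from the system owner's side.

# Print every account in a passwd(5)-format file whose password field is
# empty. On a traditional (non-shadow) Unix an empty field means the account
# can be used without any password at all, the "Sync account unpassworded" case.
audit_passwd() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Print every regular file under a directory that is world-writable
# (other-write bit set, -perm -002), the condition behind the
# "various vulnerable world writeable files" check.
audit_world_writable() {
    find "$1" -type f -perm -002 -print
}

# Build a constructed sample environment under $1: a fake passwd file with
# a passwordless sync account, plus one world-writable and one normal file.
make_sample() {
    mkdir -p "$1/etc"
    cat > "$1/etc/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
sync::1:1:sync:/bin:/bin/sync
bin:x:2:2:bin:/bin:/bin/sh
uucp:*:5:5:uucp:/var/spool/uucp:/bin/sh
EOF
    : > "$1/etc/hosts.equiv"
    : > "$1/etc/motd"
    chmod 644 "$1/etc/passwd" "$1/etc/hosts.equiv"
    chmod 666 "$1/etc/motd"
}

# Stand-alone run ("sh audit.sh --demo"): build the sample, audit it, clean up.
if [ "${1:-}" = "--demo" ]; then
    d="${TMPDIR:-/tmp}/phobia-audit.$$"
    make_sample "$d"
    echo "passwordless accounts:"; audit_passwd "$d/etc/passwd"
    echo "world-writable files:";  audit_world_writable "$d"
    rm -rf "$d"
fi
```

Point audit_passwd at the real /etc/passwd (or the NIS map) and audit_world_writable at /etc or /usr to run the same checks on your own host.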

.  .
|  | __ _. _  _
|__|_) (_](_](/,
----------._|---

  [first thing; check it has probed for all the files in the correct location]

  $ ./phobia -w

  [check if the reported values are correct - make changes in "config.h" 
   and type "make"]

  rpcinfo is in				  [/usr/sbin/rpcinfo]

  rusers is in				  [/usr/bin/rusers]

  utmp is in				  [/var/adm/utmp]

  sort is in				  [/usr/bin/sort]

  uniq is in				  [/usr/bin/uniq]

  grabbed password file goes to		  [root@your.host.com]

  awk version found			  [gawk]

  ***To use (in Bourne shell) rexec cracker:

  # ./phobia -ctsfqrv -k words-phobia -h myhost.com

  ***If you want to save the output and run it in the background:

  # ./phobia -ctsfqrv -k words-phobia -h myhost.com > /tmp/p$$.log &

  ***If you know another way to get a list of the users on the system, put
  them in "users_tc"; for example, finger is a good start:

  # finger @scanhost.co.uk | awk ' NR >2 { print $1 } ' | sort | uniq > users_tc

  ***To do a full scan turn off number cycling and run in background:

  # ./phobia -x -k words-phobia -h somehost.com > phobia$$.log &

  ***I suggest disabling Sendmail and FTP checking:

  $ ./phobia -sf -k words-phobia -h localhost

  ***To use buffer exploiter:

  # ./phobia -b0
  $ xterm -fg $ADR  ( or take a peek at syslog() )

.  .	,
|\ | _ -+- _  __
| \|(_) | (/,_)
---------------

External programs/files used by this program:

o	rpcinfo, sort, uniq, awk

(all but rpcinfo are used by rexec cracker).

It will search for mawk, nawk, gawk and awk for the best one to use on your
system; "mawk" is the fastest. Fix any problems in "config.h". The same
goes for any HEADER probes!

A segmentation violation occurs if you mess around and start editing your
"utmp" file! Make sure it's clean and intact. Boy, did I have trouble when
it started seg-faulting and I didn't know why.

*ROOT* account will get e-mail if:

o	Sendmail < 6 and Sendmail does not have any bugs!!!
o	The -s flag is not set and the other system does not like you ;) !

I could have implemented more attacks, but left them out as I didn't want to
rely on external programs (like SATAN does 80% of the time).

I will try to phase out the basic stuff and put in more protocol routines later.

Try: 

http://www.access.org.uk and check out ACCESS-ALL-AREAS III.

The latest version can be obtained from my official site:

http://www.geocities.com/SiliconValley/Vista/3262

If you find any bugs or experience compatibility problems, (or donate large 
sums of money - which I could do with *grin*) mail me.

					-- kila_m@hotmail.com 05/97

