Found at: 0x1bi.net:70/textfiles/file?hacking/ttyspoof.txt

                              TTY SPOOFING
  I know what you are going to say...  "THAT WAS ALREADY COVERED BY VAXBUSTER
IN PHRACK-41!" Yeah, I know, but if you would shut your mouth for long
enough and pay attention you might learn something.  This file is meant to
be a follow up of VaxBuster's very informative article on TTY spoofing. 
Vax does a great job in explaining how TTY spoofing works, but falls short
in a few areas.  This article will NOT repeat anything said in VaxBuster's
article so if you haven't read it go do it now or just be confused.
  Manual TTY spoofing is made out to look SOOO easy by VaxBuster, but when
I recieved my issue of Phrack-41 I (of course) immediately tried some TTY
spoofing of my own.  Well needless to say I figured it out, but it wasn't
quite as simple as cating the TTYs and waiting.  One of the most
immediate problems is finding out what TTY's are used for what purposes. 
Many machines, especially larger machines, can have HUNDREDS of TTYs. 
Some are obviously for devices such as printers and modems, while others
are set aside for "scum" student users, and still others might be for
"special" users.  My advise is to take a tour of your /dev direcotry.  Get
to know it, because even beyond TTY spoofing there are many things that
can be done in the /dev directory.  When you look at all the TTYs in the
/dev directory look for ones whose owner isn't "root" and don't just check
it once, check it at different times of the day and keep a log of
patterns, such as where maybe the modem users are and where the CIS lab
terminal TTYs are.  Not all computers have different TTYs for different
groups of users, but if you keep your eyes open you may notice things that
will be to your advantage later.
  Now once you figure out what TTYs the bulk of users you might want to
spoof are on, then you can start cating terminals and wham, bam, thank you
ma'm you magically get accounts, right?  Wrong.
  Even after you know the best TTY areas for spoofing, there are still
some problems.  One of the biggest problems I had when spoofing was this: 
once I catted an unused TTY, that TTY was skipped over by the login
process.  If I catted a whole area of TTYs that whole area of TTY was
skipped over and it looks pretty obvious something is up when you look at
a "who" and there is a gap of TTYs about 30 long that don't have users. 
The obvious solution to this problem is, of course to cat ALL the TTYs.  
I have a slight problem with that though.  There are just TOO many TTYs to
spoof.  The normal use TTYs on my machine go from ttyx1 to ttyx255. 
That's right 255 TTYs!  And don't tell me cats don't show up in a ps -aux
because they do.  It would look pretty suspicous if your name were on the
process list with 255 cats running.
  Needless to say I needed to find out more about how the TTYs worked.  I
found that every once in while when I did cat a large area of TTYs I could
snag a user, but then I would just end up killing all the other process
after five minutes because I noticed that the TTYs I still had catted
started to get skipped.  After a while of playing I figured out that the
users I would snag were through PURE LUCK.  While catted TTYs are skipped
over, what happens is you can actually cat someones terminal as they are
logging in!  This is what happens most of the time.  I came up with a
process to better my chances of "snagging" some poor schmuck as he is
logging in.  
  Now as most people know, (or maybe not so I'm telling you anyway) TTYs
are distributed numerically.  ttyx1 (or whatever your first tty?? happens
to be) is given out before ttyx2 and so on down the line.  Now if ttyx1
through ttyx10 are used and the person using ttyx2 logs off, then ttyx2 is
the next tty to be given out to the next user who logs in.  This I believe
generally holds true on most machines (although I am not positive).  Now
in order to optimize getting ttys here is what you can do.
  First you log in (to whichever hacked account you prefer, although with
this method I genereally don't fear using my own) during busy hours and find
which tty you are on by doing a ps.  Now most of the time, especially
during VERY busy hours you will tend to slip into the middle of the used
ttys.  This is because someone has dropped out of the middle and you have
gotten that tty.  Now what you want to do is try to identify a LOW numbered
unused tty. You COULD keep doing whos to see who drops off of a low
numbered tty, but here is what I do to maximize efficiency.  Just Telnet to
your own machine and log in again.  This guarantees that you will find out the
lowest number open tty on your machine, plus since you are logged in no
one else will be able to take.  This TTY is the one you will spoof. 
It is very important that the tty number be as low as possible.  You will
see why later.
  Now say you originally logged on to ttyx55 and then when you Telneted to
your own machine you managed to get ttyx7.  What you want to do now is
logout off of ttyx7 putting you back to ttyx55.  Now right away cat that
cat < /dev/ttyx7 &
  Alright.  Now if you don't get a "permission denied" error you got it.  If
you do get "permission denied" try the whole process again.  
  Once you get a low tty cated you are in good shape.  Now unless, as I
said before, someone is logging in at the same time as you cat the terminal
then nothing will happen.  The tty you catted will be skipped over.  Now
you want to typ% the cgmlAndq fg2 the "
you should actually have to work for anything.