things to come: example of stealing info from users (anti-virus programs and trojans), story of ciru cookie stealing from acanium, ThePull's javascript exploits, and the about:// exploit. Since so many people were asking when this tutorial would come out I decided to finally put it up. I'd appriecated some feedback. Flames without a reason are not welcome. This tutorial is not completely finished.. and probably never will be :( rest of test page
-idea: cross site scriptting by opening a new page in a frame and then writting to form fields or somehow injecting javascript. Or somehow write the html to the top or bottom.
Intro
Javascript is used as a client side scripting language, meaning that your browser is what interprets it. It is used on webpages and is secure (for the most part) since it cannot touch any files on your hard drive (besides cookies). It also cannot read/write any files on the server. Knowing javascript can help you in both creating dynamic webpages, meaning webpages that change, and hacking. First I will start with the basic javascript syntax, then I will list a few sites where you can learn more, and then I will list a few ways you can use javascript to hack.
There are a few benifits of knowing javascript. For starters, it is really the only (fully supported) language that you can use on a website making it a very popular language on the net. It is very easy to learn and shares common syntax with many other languages. And it is completely open source, if you find something you like done in javascript you can simply view the source of the page and figure out how it's done. The reason I first got into javascript was because back before I got into hacking I wanted to make my own webpage. I learned HTML very quickly and saw Dynamic HTML (DHTML) mentioned in a few tutorials. I then ventured into the land of javascript making simple scripts and usful features to my site.
It was only after I was pretty good with javascript and got into hacking that I slowly saw it's potential to be used milisously. Many javascript techniques are pretty simple and involve tricking the user into doing something. Almost pure social engineering with a bit of help from javascript. After using simple javascript tricks to fake login pages for webbased email I thought about other ways javascript could be used to aid my hacking, I studied it on and off for around a year. Some of these techniques are used by millions of people, some I came up with an are purely theorectical. I hope you will realize how much javascript can aid a hacker.
1. Basic Syntax
2. Places To Learn More Advanced Javascript
3. Banner Busting & Killing Frames
4. Getting Past Scripts That Filter Javascript
5. Stealing Cookies
6. Stealing Forms
7. Gaining Info On Users
8. Stories Of Javascript Hacks
9. Conclusion
1. Basic Syntax
The basics of javascript are fairly easy if you have programmed anything before, although javascript is not java, if you know java you should have no problems learning it. Same for any other programming language, as most share the same basics as javascript uses. This tutorial might not be for the complete newbie. I would like to be able to do a tutorial like that, but I don't have the time or patience to write one. To begin if you don't know html you must learn it first!
Javascript starts with the tag
Anything between these two tags is interpreted as javascript by the browser. Remember this! Cause a few hacks use the fact that if you use
.. either way is fine. I would also like to mention that many scripts have right before the tag, this is because they would like to make it compatible with other browsers that do not support javascript. Again, either way is fine, but I will be using the because that is how I learned to script and I got used to putting it in.
Javascript uses the same basic elements as other programming languages.. Such as variables, flow control, and functions. The only difference is that javascript is a lot more simplified, so anyone with some programming experience can learn javascript very quickly. The hardest part of scripting javascript is to get it to work in all browsers. I will now go over the basics of variables:
to define a variable as a number you do: var name = 1;
to define a variable as a string you do: var name = 'value';
A variable is basically the same in all programming languages. I might also point out that javascript does not support pointers. No structs to make your own variables either. Only variable types are defined by 'var'. This can be a hard thing to understand at first, but javascript is much like C++ in how it handles variables and strings. A string is a group of characters, like: 'word', which is a string. When you see something like document.write(something); it will try to print whatever is in the variable something. If you do document.write('something'); or document.write("something"); it will print the string 'something'. Now that you got the variables down lets see how to use arithmetic operators. This will make 2 variables and add them together to make a new word:
first we define the variable 'name' as b0iler, then I define 'adjective' as owns. Then the document.write() function writes it to the page as 'name'+'adjective' or b0ilerowns. If we wanted a space we could have did document.write(name+' '+adjective);
Escaping characters - This is an important concept in programming, and extremely important in secure programming for other languages.. javascript doesn't really need to worry about secure programming practice since there is nothing that can be gained on the server from exploitting javascript. So what is "escaping"? It is putting a \ in front of certain characters, such as ' and ". If we wanted to print out:
b0iler's website
We couldn't do:
document.write('b0iler's website');
because the browser would read b0iler and see the ' then stop the string. We need to add a \ before the ' so that the browser knows to print ' and not interpret it as the ending ' of the string. So here is how we could print it:
document.write('b0iler\'s website');
There are two types of comments in javascript. // which only lasts till the end of the line, and /* which goes as many as far as possible until it reaches */ I'll demonstrate:
The only thing that script will do is print "this will show up". Everything else is in comments which are not rendered as javascript by the browser.
Flow Control is basically changing what the program does depending on whether something is true or not. Again, if you have had any previous programming experience this is old stuff. You can do this a few different ways different ways. The simplest is the if-then-else statements. Here is an example:
Lets break this down step by step. First I create the variable 'name' and define it as b0iler. Then I check if 'name' is equal to "b0iler" if it is then I write 'b0iler is a really cool guy!', else (if name isn't equal to b0iler) it prints 'b0iler can not define variables worth a hoot!'. You will notice that I put { and } around the actions after the if and else statements. You do this so that javascript knows how much to do when it is true. When I say true think of it this way:
if (name == 'b0iler')
as
if the variable name is equal to 'b0iler'
if the statement name == 'b0iler' is false (name does not equal 'b0iler') then whatever is in the {} (curely brackets) is skipped.
We now run into relational and equality operators. The relational operators are as follows:
> - Greater than, if the left is greater than the right the statement is true.
< - Less than, if the left is lesser than the right the statement is true. >= - Greater than or equal to. If the left is greater than or equal to the right it is true.
<= - Less than or equal to. If the left is lesser than or equal to the right it is true. So lets run through a quick example of this, in this example the variable 'lower' is set to 1 and the variable 'higher' is set to 10. If lower is less than higher then we add 10 to lower, otherwise we messed up assigning the variables (or with the if statement).
and now the equality operators, you have already seen one of them in an example: if (name == 'b0iler') the equality operators are == for "equal to" and != for "not equal to". Make sure you always put two equal signs (==) because if you put only one (=) then it will not check for equality. This is a common mistake that is often overlooked.
Now we will get into loops, loops continue the statements in between the curly brackets {} until they are no longer true. There are 2 main types of loops I will cover: while and for loops. Here is an example of a while loop:
First 'name' is set to b0iler, then 'namenumber' is set to 1. Here is where we hit the loop, it is a while loop. What happens is while namenumber is less than 5 it does the following 3 commands inside the brackets {}: name = name + name; document.write(name); namenumber = namenumber + 1; The first statement doubles the length of 'name' by adding itself on to itself. The second statement prints 'name'. And the third statement increases 'namenumber' by 1. So since 'namenumber' goes up 1 each time through the loop, the loop will go through 4 times. After the 4th time 'namenumber' will be 5, so the statement namenumber < type="text/javascript">
text
now upload that page and view it in a browser. View the source of the page and find where the site added it's banner html. If it came after the and before the then you need to see if it came before or after the which is in between those. If it is before, then it is the tag that is the key tag which the site adds it's banner after. If it is under the than you know it puts it after the tag.
So now that we know where the site adds it's banner html what do we do to stop it? We try to make a "fake" tag and hopefully the site adds it's banner html to the fake one instead. Then we use javascript to print the real one. We can do a few things, here is the list:
the basic to stop it.
If all worked out you should have a page with no annoying popups or flashing banners. If not I guess you will have to play around a little and figure it out for yourself. Since every free host uses different keytags and methods of adding it's banner I can't go over them all one by one.
I decided to go over a real example of a free site that add popup ads or banners to every page you have. I'll be using angelfire since I hate them and because that's the one I picked out of my lucky hat. Just remember that sites can change the way they add banners anytime they feel like, so this method might not work the same way as I am showing. Doing this also breaks the TOS (Terms Of Service) with your host, so you might get your site taken down without any warning. Always have complete backups of your site on your harddrive, espechially if you have a hacking site or are breaking the TOS.
angelfire
------------------------
begin
------------------------
------------------------
end
------------------------
as you can see angelfire puts their ad right after the tag. All they are using to protect us from getting rid of the ad is a so.. we can put something like this to defeat the ad:
So angelfire's server will add the javascript for thier advertisment after the first they see. That will put the ad after and before
. This means that user's browsers will think that and the angelfires ad is css (cascading style sheet).. which is the
Javascript hacking
Wednesday, November 28, 2007Posted by ekansh at 7:10 AM 1 comments
Port knocking
In computing, port knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of prespecified closed ports. Once a correct sequence of connection attempts is received the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specified port(s).
This is usually implemented by configuring a daemon to watch the firewall log file for said connection attempts then modify the firewall configuration accordingly. It can also be performed by a process examining packets at a higher level (using packet capture interfaces such as Pcap), allowing the use of already "open" TCP ports to be used within the knock sequence. Port knocking is most often used to determine access to port 22, the Secure Shell (SSH) port. The port "knock" itself is similar to a secret handshake and can consist of any number of TCP, UDP or even sometimes ICMP and other protocol packets to numbered ports on the destination machine. The complexity of the knock can be anything from a simple ordered list (e.g. TCP port 1000, TCP port 2000, UDP port 3000) to a complex time-dependent, source-IP-based and other-factor-based encrypted hash.
A port knock setup takes next to no resources and very simple software to implement. A portknock daemon on the firewall machine listens for packets on certain ports (either via the firewall log or by packet capture). The client user would carry an extra utility, which could be as simple as netcat or a modified ping program or as complicated as a full hash-generator, and use that before they attempted to connect to the machine in the usual way.
Most portknocks are stateful systems in that if the first part of the "knock" has been received successfully, an incorrect second part would not allow the remote user to continue and, indeed, would give the remote user no clue as to how far through the sequence they failed. Usually the only indication of failure is that, at the end of the knock sequence, the port expected to be open is not opened. No packets are sent to the remote user at any time.
While this technique for securing access to remote network daemons has not yet been widely adopted by the security community, it has been integrated in newer rootkits.
Step 3
Step 4
How Port knocking works in theory
Step 1 (A) Client cannot connect to application listening on port n; (B) Client cannot establish connection to any port.
Step 2 (1,2,3,4) Client tries to connect to a well-defined set of ports in sequence by sending certain packets; Client has prior knowledge of the port knocking daemon and its configuration, but receives no acknowledgement during this phase because firewall rules preclude any response.
Step 3 (A) Server process (a port knocking daemon) intercepts connection attempts and interprets (decrypts and decodes) them as comprising an authentic "port knock"; server carries out specific task based on content of port knock, such as opening port n to the client.
Step 4 (A) Client connects to port n and authenticates using application’s regular mechanism.
Benefits of port knocking
Consider that, if an external attacker did not know the port knock sequence, even the simplest of sequences would require a massive brute force effort in order to be discovered. A three-knock simple TCP sequence (e.g. port 1000, 2000, 3000) would require an attacker without prior knowledge of the sequence to test every combination of three ports in the range 1-65535, and then to scan each port in between to see if anything had opened. As a stateful system, the port would not open until after the correct three-digit sequence had been received in order, without other packets in between.
That equates to approximately 655354 packets in order to obtain and detect a single successful opening. That's approximately 18,445,618,199,572,250,625 or 18 million million million packets. On the average attempt it would take approximately 9 million million million packets to successfully open a single, simple three-port TCP-only knock by brute force. This is made even more impractical when knock attempt-limiting is used to stop brute force attacks, longer and more complex sequences are used and cryptographic hashes are used as part of the knock.
When a port knock is successfully used to open a port, the firewall rules are generally only opened to the IP address that supplied the correct knock. This is similar to only allowing a certain IP whitelist to access a service but is also more dynamic. An authorised user situated anywhere in the world would be able to open the port he is interested in to only the IP that he is using without needing help from the server administrator. He would also be able to "close" the port once he had finished, or the system could be set up to use a timeout mechanism, to ensure that once he changes IP's, only the IP's necessary are left able to contact the server. Because of port knocking's stateful behaviour, several users from different source IP addresses can simultaneously be at varying levels of the port knock. Thus it is possible to have a genuine user with the correct knock let through the firewall even in the middle of a port attack from multiple IP's (assuming the bandwidth of the firewall is not completely swamped). To all other IP addresses, the ports still appear closed and there is no indication that there are other users who have successfully opened ports and are using them.
Using cryptographic hashes inside the port knock sequence can mean that even sniffing the network traffic in and out of the source and target machines is ineffective against discovering the port knock sequence or using traffic replay attacks to repeat prior port knock sequences. Even if somebody did manage to guess, steal or sniff the port knock and successfully use it to gain access to a port, the usual port security mechanisms are still in place, along with whatever service authentication was running on the opened ports.
The software required, either at the server or client end, is minimal and can in fact be implemented as simply as a shell script for the server or a Windows batch file and a standard Windows command line utility for the client. Overhead in terms of traffic, CPU and memory consumption is at an absolute minimum. Port knock daemons also tend to be so simple that any sort of vulnerability is obvious and the code is very easily auditable. With a portknock system in place on ports such as the SSH port, it can prevent brute force password attacks on logins. The SSH daemon need not even wake up as any attempt that is made without the correct portknock will bounce harmlessly off the TCP/IP stack rather than the SSH authentication. As far as any attacker is concerned, there is no daemon running on that port at all until he manages to correctly knock on the port. The system is completely customisable and not limited to opening specific ports or, indeed, opening ports at all. Usually a knock sequence description is tied with an action, such as running a shell script, so when a specific sequence is detected by the port knock daemon, the relevant shell script is run. This could add firewall rules to open ports or do anything else that was possible in a shell script. Many portknocks can be used on a single machine to perform many different actions, such as opening or closing different ports.
Due to the fact that the ports appear closed at all times until a user knowing the correct knock uses it, port knocking can help cut down not only on brute force password attacks and their associated log spam but also protocol vulnerability exploits. If an exploit was discovered that could compromise SSH daemons in their default configuration, having a port knock on that SSH port could mean that the SSH daemon may not be compromised in the time before it was updated. Only authorised users would have the knock and therefore only authorised users would be able to contact the SSH server in any way. Thus, random attempts on SSH servers by worms and viruses trying to exploit the vulnerability would not reach the vulnerable SSH server at all, giving the administrator a chance to update or patch the software. Although not a complete protection, port knocking would certainly be another level of defense against random attacks and, properly implemented, could even stop determined, targeted attacks.
Port knocking generally has some disregard in the security world, given that early implementations basically consisted of a number of ports that had to be hit in order. However, the best of modern portknock systems are much more complex, some using highly secure cryptographic hashes in order to defeat the most common attacks (such as packet sniffing and packet replay). Additionally, portknock systems can include blacklists, whitelists and dynamic attack responses as can any internet service, however, even the simplest of port knocks controls access to a system before attackers are able to hit a service that allocates memory, CPU time or other significant resources and also acts as a barrier against brute-force attempts, automated vulnerability exploits, etc. Also, port knocking does not generally lower the security of a system overall. Indeed, it provides another layer of security for minimal overhead. In a worst case scenario however, the port knocking software introduced a new security problem or lowers security due to risk compensation.
i liked to share this information its really Knowledgeable
http://en.wikipedia.org/wiki/Port_knocking
Posted by ekansh at 7:00 AM 0 comments
HAcking your school , college computer and getting over blocked sites
getting over the blocked sites
u can try google translator .. or one proxy which i found intresting was greenpips.com try that or . try this http://64.233.179.104/translate_c?hl=de&ie=UTF-8&oe=UTF-8&langpair=de%7Cen&u=http://www.your website.com/ change the last part to the website you like to access
contributed by
Muhajir.K.M
Hacking at school
This tutorial is aimed at school servers running Windows underneath (most of them do). It works definitely with Windows 98, 2000, Me, and XP. never tried it with 95, but it should work anyway. However, schools can stop Batch files from working, but it is very uncommon for them to be that switched on.
There are problems with school servers, and they mostly come back to the basic architecture of the system - so the admins are unlikely to do anything about it! In this article I will discuss how to bypass web filtering software at school, send messages everywhere you want, create admin accounts, modify others' accounts, and generally cause havok. Please note that I ahve refrained from giving away information that will actually screw up your school server, though intelligent thinkers will work it out. THis is because, for god sakes, this is a school! Don't screw them up!
How to get it all moving
An MS-DOS prompt is the best way to do stuff, because most admins don't think its possible to get them and, if they do, they just can't do anything much about it.
First, open a notepad file (if your school blocks notepad, open a webpage, right click and go to view source. hey presto, notepad!). Now, write
command.com
and save the file as batch.bat, or anything with the extension .bat . Open this file and it will give you a command prompt:) (for more information on why this works, look to the end of the article). REMEMBER TO DELETE THIS FILE ONCE YOU'VE FINISHED!!! if the admins see it, they will kill you;)
Bypassing that pesky web filtering
Well, now you've got a command prompt, it's time to visit whatever site you want. Now, there are plenty of ways to bypass poorly constructed filtering, but I'm going to take it for granted that your school has stopped these. This one, as far as I know, will never be stopped.
in your command prompt, type
ping hackthissite.org
or anything else you wanna visit. Now you should have a load of info, including delay times and, most importantly, an IP address for the website. Simply type this IP address into the address bar, preceded by http://, and you'll be able to access the page!
For example: http://197.57.189.10 etc.
Now, I've noticed a lot of people have been saying that there are other ways to bypass web filtering, and there are. I am only mentioning the best method I know. Others you might want to try are:
1) Using a translator, like Altavista's Babel fish, to translate the page from japanese of something to english. This will bypass the filtering and won't translate the page, since it's already in English.
2) When you search up the site on Google, there will be a link saying 'Cache'. Click that and you should be on.
3) Use a proxy. I recommend Proxify.com. If your school has blocked it, search it up on Google and do the above. Then you can search to your heart's content:)
Sending messages out over the network
Okay, here's how to send crazy messages to everyone in your school on a computer. In your command prompt, type
Net Send
*Note:
Where
Net Send Varndean * "The server is h4x0r3d"
The asterisk denotes wildcard sending, or sending to every computer in the domain. You can swap this for people's accounts, for example
NetSend Varndean dan,jimmy,admin "The server is h4x0r3d"
use commas to divide the names and NO SPACES between them.
Adding/modifying user accounts
Now that you have a command prompt, you can add a new user (ie yourself) like so
C:>net user username /ADD
where username is the name of your new account. And remember, try and make it look inconspicuous, then they'll just think its a student who really is at school, when really, the person doesn't EXIST! IF you wanna have a password, use this instead:
C:>net user username password /ADD
where password is the password you want to have. So for instance the above would create an account called 'username', with the password being 'password'. The below would have a username of 'JohnSmith' and a password of 'fruity'
C:>net user JohnSmith fruity /ADD
Right then, now that we can create accounts, let's delete them:)
C:>net user JohnSmith /DELETE
This will delete poor liddle JohnSmith's account. Awww. Do it to you enemies:P no only joking becuase they could have important work... well okay only if you REALLY hate them:)
Let's give you admin priveleges:)
C:>net localgroup administrator JohnSmith /ADD
This will make JohnSmith an admin. Remember that some schools may not call their admins 'adminstrator' and so you need to find out the name of the local group they belong to.
You can list all the localgroups by typing
C:>net localgroup
Running .exe files you can't usually run
In the command prompt, use cd (change directory) to go to where the file is, use DIR to get the name of it, and put a shortcut of it on to a floppy. Run the program off the floppy disk.
Well, I hope this article helped a bit. Please vote for me if you liked it:) Also, please don't go round screwing up your school servers, they are providing them free to you to help your learning.
I will add more as I learn more and remember stuff (I think I've left some stuff out - this article could get very long...)
Posted by ekansh at 6:57 AM 1 comments
How not to get hacked
A Good Hacker Is Never Hacked : ekansh jain
Protect Urself !
Follow These Simple Guidelines n u are done
1. Stop using Internet Explorer and make the switch to Opera, it's more secure, plain and simple.
2. Get Spybot Search and Destroy or Spyware Doctor and immediately update it.
3. Get Adaware SE and immediately update it.
(Use both as a 1-2 punch on infected client computers and between the two there's not much they won't kill)
4. Update your anti virus
5. Boot into safe mode and run all three scans
6. While the scans are going check your registry (Click start --> Run and type regedit to get intot he registry) and look in HKEY_CurrentUser/software/microsoft/windows/currentversion/run & HKEY_Local_Machine/software/microsoft/windows/currentversion/run. Verify that all programs listed are legitimate and wanted.
7. If or when your antivirus scan comes across anything, search for that file name in your registry and delete it.
8. Use explorer to go to the windows/system32 folder and sort by date. If you haven't already done so, make sure you can see the entire file names. click Tools --> Folder Options and unclick the box labeled "Hide extensions for known file types" and under Hidden files and folders click "Show hidden files and folders." However, make sure you choose "Hide protected operating system files" so you don't accidentally remove anything that would cripple your computer.. You are looking for recent files with names ending with .exe and .dll that look suspicious. Major culprits will have gibberish names such as alkjdlkjfa.exe.
9. Once you can get clean scans in safe mode, reboot in normal mode and scan all over again. If you can't get a clean scan in regular mode then you have something more persistant that could take more research.
10. Make sure your firewall doesn't have strange exceptions.
11. If you suspect anything that is going wrong with your computer is the action of a stalker, on a more secure system change all your passwords.
12. If your system has been specifically targeted and hacked you can never be 100% sure that your system is no longer compromised so start with 11, make backups of personal files on the infected system and format and re-install Windows.
Good luck!
Posted by ekansh at 6:56 AM 0 comments
Novell security hacking
Shared from www
1. Introduction (PLEASE READ)
2. Novell - What You Need to Know
3. The Basics of Novell Hacking
i. Navigating the Network
ii. Command Prompt
iii. Floppy / CD
iv. Gaining Admin
v. Other stuff...
4. Advanced Novell Hacking
i. Tools
ii. File / Print Sharing
iii. SAM
iv. Access the Server
v. Viewing "restricted" drives
========================================================================
INTRODUCTION
========================================================================
Before we get started, let me get a couple of things straight. First of all, I hate it when I
surf the web and can't ever access any site without having shit like "This site is for
educational purposes only" pop up. For you people who are like me, I'll do you all a favour.
Which brings me to my next point. Admins. Most schools across the world have admins that think
they're the smartest things on two legs because they got some diploma that says they know how to
turn on a computer. Well, for any admins that think this way and are reading this tutorial, let
me say this: your diploma or certificate or whatever doesn't mean shit. Sure, it makes you look
smart on paper, but in the real world, if you're lazy or just plain stupid, you will get 0wned
by a person that you think is too young or too stupid to do any real damage to your network.
Make no mistake: if you stop learning, if you stop surfing the web to sharpen your skills, if
you stop caring about your network, sooner or later, some punk who's gonna try and have some
fun's gonna make your life really shit really fast when you find out that you are way out of
your depth real quick. Enough said. Always keep up with what's happening on the web, no matter
how much time you have to put into it.
Moving on. Now I would like to get some things straight about myself. Although I have made this
tutorial for people wishing to gain privileges in Novell, this tutorial isn't for everybody.
Although I like to think I'm a nice guy, there are certain people I dislike. These are the
people who always want you to do things for them. They never want to learn because they "can't
be bothered" so they always come to you for help. This tutorial is not for people who want the
easy way out. If the only reason you want to know how to do this is so you can impress your
friends, close this tutorial and click on it's icon. Now press Shift+DEL. There we go. That
probably got rid of some of them. Anyway, this tutorial is being written for serious people who
have little or no knowledge of Novell simply because they haven't come across it. No problem.
Enjoy.
========================================================================
Novell - What You Need To Know
========================================================================
Let's start off with the question "What is Novell?" Novell is basically a program that you
install over windows that works over a network to give users appropriate access. For example,
many schools use Novell because it allows them to give students limited rights so they can only
do what the admin allows them to (erhem). There is always at least one administrator to
supervise the network and manage student accounts.
Novell is a respected company that has been making security related programs for a long time.
Unfortunately, in recent years, Novell has been slipping up when it comes to the integrity of
their programs. Not surprisingly, many security holes have been found and many more are on their
way.
========================================================================
The Basics of Novell Hacking
========================================================================
As with any hack, we must first decide on the objective ie what do we want to achieve? Well,
let's go through it. Since you have physical access to the network, chances are you use it quite
often. Therefore you probably wouldn't want to install a virus as you would only be doing
yourself a bad favour. In places like schools, it is very common for admins to restrict access
to the floppy or cd drives as they don't want people bringing in stuff like viruses, corrupt
files or even games. We will soon see how to access these files anyway. Maybe you want admin
rights? If the admin is stupid, even this is possible. Do you want to install a game? Do you
want to look at other users files? All these things and more are possible on some Novell
networks. What you have to understand as either a user or an admin is that networks will always
have flaws. I have classified Novell networks into three basic categories:
* shit security
* ok security
* perfect flawless security
In my experience, I have come across two of the above mentioned types of networks. Guess which
two. Note that many systems start off in the "shit security" category but move up into the "ok
security" category. When this happens, a hacker that had gotten used to a certain system may be
depressed for a while. Until he or she finds new holes. There is only so much an admin can
disable on your computer before it becomes a vegetable and of absolutely no use to anyone.
That's why we use whatever programs we have left to our advantage. If you are a student then you
will undoubtedly have programs that aid in study, such as Notepad, MS Word, you may have
Powerpoint etc. All these programs can be used to our advantage.
First of all, let me cover the "shit" network class. In this network class, you should be able
to do anything. If something you do comes up with the message "This operation has been cancelled
by the Administrator" or "You have insufficient rights to execute this command" or something to
that effect, then the network falls into the "ok" class. Anyway, if your network falls into the
"shit" class, you should be able to open Internet Explorer then go File > Open then Browse...
When you do this, you will be able to see the entire C: drive of the computer, though you may
not necessarily be able to open any of the files.
***Note: This tutorial assumes that the Desktop has been stripped of all icons and the start
menu is almost bare if not completely removed.
OK. Now that we can see the path of all the files, we click Browse... again and attempt to open
a file using IE. Pick a useful file like "command.com" if you are using winnt. When you find the
file, click ok and you will have a little box with the full pathname of the file. You can either
OK, Cancel or Browse... Do neither. Copy the pathname. Now open MS Word. Go to View > Toolbars
then go to Visual Basic. A toolbox will pop up. Click "Design Mode". A new toolbox should pop up
again. This time click the "Command Button" which just looks like a small rectangle. When the
button pops up, double click it. You should be taken to a VB screen with the following in the
middle:
Private Sub CommandButton1_Click()
End Sub
Now type in...
SHELL("C:\winnt\system32\command.com")
...and hit F5 (Debug), so your screen looks like
Private Sub CommandButton1_Click()
SHELL("C:\winnt\system32\command.com")
End Sub
Hopefully, a minimized command screen will come up. If it doesn't, try this:
Private Sub CommandButton1_Click()
a = SHELL("C:\winnt\system32\command.com",vbNormalFocus)
End Sub
Hit F5 again. If this doesn't work there could be a number of things wrong. If a screen comes up
saying macros have been disabled, go back to your first Visual Basic toolbar. One of the buttons
says "Security...". Click it, then select the option that says "Low". Try again. If this was the
problem, you are lucky. If it still doesn't work, read on. If it says "Run-time error:'53'---
File not found" you are in trouble. It means you either fucked up the pathname or it isn't
there. Of course, if your computer is running win2k or xp you will have to slightly adjust your
pathname to the one above.
***Note: I recommend you use command.com as apposed to cmd.exe. The main reason is that cmd.exe
can be blocked off by your administrator, so as soon as you open it you will get something that
says "CMD has been restricted by your administrotor. Press any key to continue...". If this
happens, cmd is useless.
Now we move on to Powerpoint. This is a very simple way of opening files. You create any slide,
then right clock and go "Hyperlink" or whatever it says. From there you are able to link it to
any file on the computer. When you view the slide show, click on the hyperlink and you will open
the file.
Now we move on to Notepad. Notepad is one of those things that I would kill for. It is just so
versatile that it can be used for anything and everybody has it, so there are never any problems
with compatibility. That's part of the reason most tutorials, including this one, are written in
Notepad. The way we will use Notepad in this example is by creating a hyperlink to a document,
much like what we did with Powerpoint. So we open Notepad then type:
click
We then go to File > Save as... then we type in "link.html" in our private drive (the drive the
admin has allocated to each user for storage of personal files, sometimes also called My
Documents). When we refresh the drive, we should be able to see an IE icon called "link.html".
Double click it, then click the hyperlink. Hope it works!
Now we will try creating shortcuts. This is probably the easiest method to use to get into DOS
(strictly speaking this is not true DOS, but for the purpose of this tutorial I will refer to it as such).
That's the reason I saved it for last. The earlier methods allow you to fish around inside the
network and get to know how it works, what makes it tick. Not to mention that the previous
methods were not limited to accessing command, but allowed us to open ANYTHING. Now let's take a
look at how shortcuts work. Open your local drive, then right click and go to New > Shortcut
(if you have right click disabled go to File > New > Shortcut). In the space provided type
"command" and hit next. Now click finish. You should have a shortcut placed on your drive that
takes you to DOS.
Now let's take a look at QBasic. QBasic is a primitive sequential programming language used to
create really crappy programs. Luckily, most schools have QBasic in their syllabus, so you
should have the icon. If you do, you are lucky. Open QBasic, then when you get to the main
screen, type...
SHELL
...and Hit F5
This will immediately open up DOS for you. Cool huh? So, what can we do with DOS? If you need to
be asking that question then you shouldn't be reading this tutorial, but briefly I will tell you
that DOS is very helpful when accessing anything, whether it be on a hardrive, floppy, cd or
anywhere else.
Speaking of floppy, you may be wondering how to access it or cds on a network that appears to be
completely locked down. There are a couple of ways. First of all, if you can see any drives as
icons, try right clicking on them. You might have an option that says "Map Network Drive" and
"Disconnect Network Drive". If this is the case, find out which one is the floppy drive (try a:
or b: first) and disconnect it. Now, in the address bar in any window, type "a:" and you should
be taken to the floppy.
If this doesn't work, then don't worry. Heaps of things definitely will. Of course it depends
greatly on the network, but generally the principle is the same. In a network where you don't
have the luxury of being able to freely browse everything, you have to be shifty. In your
private drive, try creating a shortcut to a:. This will almost definitely not work but is worth
a try. Also, try going to File > Winzip > Zip to file. This will allow you to transfer files
to your floppy.
Lastly, we can use DOS. This is my favourite method because it's hell hard to disable shit in
DOS, at least, effectively, so there aren't heaps of ways around it. In DOS type:
C:\>a:
A:\>dir
Volume in A has no label
Volume Serial Number is 0001-0AA0
Directory of A:
BO2k.zip 111,111 1/1/04
Netbus.zip 111,111 1/1/04
C:\>
So now we can see what's on the disk. If you wanna run it you can type:
A:\>Netbus.zip
However, a more efficient way of opening it would be to first copy it to your private drive. We
do this by typing:
A:\>copy a:\*.zip h:
Assuming h: is your private drive. The wildcard will copy all files with the extension ".zip".
The same way, we can open cds. Exactly the same. Sometimes when we copy it to our drives we get
the message that "This operation has been cancelled by your administrator". In this case, we go
back to MS Word and open a VB macro. Type in the path and you open it. No questions asked and no
crappy prompts. By the way, you can also use a macro to open files directly from the floppy or
cd. I just prefer not to. I think it's easier to just copy them directly. Also you don't have to
check the pathname every time you want to open a new file. But whatever. Do what you feel
comfortable with. There is another way of getting access to the a: drive using the "net use"
command, but more about that later.
Another extremely useful thing you can do with DOS access is type something like:
C:\>copy c:\winnt\*.pwl a:
This command copies all the .pwl (password) files that are stored in the winnt directory. We can
now take the disk home and crack the password files in our own time at our own leisure. This
only works on crappy networks though. Most reasonably secure or just new networks no longer
store their passwords in .pwl files. In win2k, there's a new thing called SAM (Security Accounts
Manager). This is much harder to break, so more on that later.
Now for a quick lesson on network file sharing. In some networks, the admin allows you access to
all drives. If this is the case, there should be a drive which contains the files of all people
who have access to the network. Once you find the drive, simply scroll down to the folder with
the same name as the targets login name and you can browse their personal files. It should be
noted, however, that this kind of file sharing is only allowed on the shittiest of crappy
networks. I have come across it only once in my life =)
Now let's move on to something that may seem obvious, yet many people don't even consider.
Downloading off the web. As an admin, it is really very simple to turn off downloads. However,
you would be surprised how many admins forget about it and leave the web open to all their users
for all intents and purposes. I think the usefulness of being able to download files off the
internet is quite obvious, so I won't go on for long. In case you have absolutely no
imagination, the internet could be used for downloading backdoor programs, viruses (again,
what's the point?), password crackers or even just simple things like DOS =)
On a slightly different topic, DOS has many features that the common happy internet user doesn't
know, or doesn't need to know about. The most interesting one of these is Netstat. Netstat is a
time honoured command that allows the user to see all the inbound and outbound connections his
computer is engaged in. Netstat has many uses, but we will only quickly look at the most useful.
For the common internet user, Netstat can be used to find out, for example, whether or not they
have a trojan installed on their computer. For example, if they type in Netstat and see that
some computer has established a connection with them on a high numbered port such as 12345, they
know they're in trouble. Although by this time it may be too late, the person could then
terminate his internet connection and run down to the store to buy the latest anti-virus. Just
an example. For people who have malicious intentions, Netstat is an invaluable tool for quickly
and easily finding out someone's IP address or hostname. The trick is to send them a file and
execute the command. This file can be sent using anything; IRC, MSN etc.
***Note: Netstat usually shows only the hostname of the target. For an actual IP, type
Netstat -n.
At this point, you may be wondering why I'm wasting time in showing off my DOS skills. The
reason is that if you're connected to a network, Netstat can show you the IP of the server ie
the "big daddy" computer which runs and maintains the network. In theory, if you wanted to and
you knew the IP of the server, you could create a DoS (Denial of Service) attack on the server.
In the old days this could be achieved by pinging the server with large packets in an infinite loop.
You might me less lucky these days... but hey, it's worth a shot.
Something really cool with DOS is that you can create batch files that execute commands in DOS.
Batch files are basically little programs that you can get to fire off commands. For example, I
can create a batch file that pings the server until I turn off the file. I can, of course, use
all the same commands that I could in an actual DOS window. Thus I can specify how many packets
I send, the timeout, packet size etc.
Creating batch files is incredibly simple. Open up Notepad, then type:
@echo.on
ping 10.15.196.26 -t -l 1000 [This is the command you want to run]
@echo.off
ping.bat [Creates a loop to repeat command forever]
Now save this file as ping.bat, or anything you want it to be called but make sure you change
the filename at the bottom of the bat file to ensure a loop. The cool thing about this is that
it doesn't wait for the command to be completed. It immediately starts the next command
regardless of the result of the previous one. This method can, of course, be used to execute any
command, and the loop can be stopped by removing the "ping.bat" at the end of the file. If you
wanna have some fun, try typing in "net send [username] [message]" in the command prompt. If the
user is currently logged on, a message will appear on his screen. It's really funny if you can
see their monitor from where you are sitting if you type a crazy message like "You have just
been owned!!!". Be aware however that the person receiving the message will know what computer
the message has come from. Your computer name will be something crazy like LIB00123. Although
the user may not be able to tell exactly who sent the message (then again, if he's smart he
will), he can type in the computer name instead of the username and create a .bat file to spam
you to hell.
Let's get back on track. It's time to show you how to create admin accounts in Novell if the OS
is winnt, assuming the Control Panel is disabled. Note however that this is easy to disable, but
most admins forget about it. Go into any folder and go to the help menu, the Help Topics.
Search anything related to users, passwords etc. You will then find a topic that contains a hyperlink
to "Users and Passwords". Click it. The crappy thing about winnt security is that when changing
a password, you don't have to know the old one! Anyway, once you either create a new account
or change the password on an existing account, restart the computer. When the logon screen
appears, type your login name and password. Now look around for a checkbox that says
"Workstation". Check it and press OK.
***Note: you will only have admin access on that particular computer. "Workstation" means that
you log onto an account on that workstation. If the checkbox isn't on the login screen, then you
cannot create admin accounts in this way. You will have to try certain programs described later
in the "Advanced Novell Hacking" section.
Lastly, I will show you how to access telnet. As you may have seen, most of my methods involve
DOS. Telnet is no different. In a DOS screen, type "telnet" and you will be taken to the Telnet
screen. From here try telnetting to the server and punch in a few commands to see what you can
do. Find out as much info as you can about what programs he's using and go online to look for
some tutorials.
========================================================================
Advanced Novell Hacking
========================================================================
This short section will discuss various advanced Novell hacking techniques. These involve using
programs such as port scanners, keyloggers, trojans and password crackers. I will also be looking
at File and Print Sharing (Legion V2.1, Sid2User - User2Sid, DumpSec), as well as some tips and
tricks with navigating around the network, including the "net use" command.
Firstly, let's look at various methods of hacking the network using specific programs. Although
this section may offend some people, it is nevertheless an essential part of Novell security. It
is an unfortunate fact that many people these days want to hack someone to be "cool" in the eyes
of their friends. These people have little or no morals, and almost always possess absolutely no
skill what so ever. All they care about is getting what they want, and they don't care how they
get it. Because of their lack of skill, these people usually rely solely on programs to do their
dirty work (if they don't have a friend who does it for them). If anybody like this is reading
this, I spit on you.
On the other hand, there are many skilled hackers out there who also turn to programs which
automate the process for a variety of reasons, usually because it is easier and usually more
effective to use programs.
As with any hack, there is one tool that you simply cannot live without. A port scanner. There
has been much debate over which port scanner is the best, what the pro's and con's of each
scanner are etc. Many say Nmap, but I often there's no need to waste time with such an advanced
scanner. The problem with Nmap is that it is too complicated for quick and easy use. Nmap is
good for home use, when you have a lot of time on your hands to try out various scans. In my
humble opinion, the best scanner for a Novell network is Angry IP Scanner by Angryziber
(angryziber@angryziber.com). Angry IP allows for lightning fast port scans on huge networks,
with great accuracy. It has some built in features like being able to establish connections over
HTTP, FTP and Telnet, as well as being able to Traceroute. It also has cool things like
"favourites" and being able to tell you many things about the target, such as Hostname, Comp.
Name, Group Name, User Name, MAC address and TTL. On top of all this, it can be used from the
command line! Anyway, it has many more features that you need to explore yourself. For now, all
we really need to be focussing on is its efficient simple port scanning features.
First of all, you will need to get the IP of some computers on your network. If you have been
reading this tutorial carefully instead of just skip to this section, you will remember that this
can be done using the netstat command in DOS (btw, if you still can't get DOS then you are really
dumb - no offence). You really only need one IP, because most, if not all of the IP's on the
network will have the same Network Number and Host Number. So, if you can see that your IP is
123.123.12.123, you should only scan IP's that have the same Network Number and Host Number. In
the case of the example, you would enter the start IP as 123.123.12.1 and the end IP as
123.123.12.255. First you should scan using only one port because you want to know exactly how
many computers you are potentially dealing with. If you put too many ports, you will be waiting
ages for your results if there are heaps of computers on the network. An alternative to this
would be to use the "net view" command.
C:\>net view
This displays all the computers connected to the network that you are currently on. This command
can be used to get further information about an individual machine by typing:
C:\>net view \\SOMECOMPUTER
==============================
Disk | share name
C:\>net view \\workgroup:TARGETWG (gives all computers in workgroup)
C:\>net view \\domain:TARGETD (gives all computers in domain)
Anyway, it would be best to specify the port as TCP 139, which you should all know as NetBIOS.
If this is open on any computers (and it damn well should be, you are on a network), you may be
able to get access to that computers hard drive. Go into DOS, and type in:
C:\>net use \\ADMINCOMPUTER\IPC$ "" /u:""
If you have even the slightest experience in hacking, you would have seen this command a
thousand times before. For those haven't, all you are doing is attempting to connect to computer
"ADMINCOMPUTER" using the inbuilt IPC$ share with a null password "" and an anonymous user
/u:"". If this doesn't work, you can try substituting the password for a wilcard * or even the
account, so you can have:
C:\>NET USE \\ADMINCOMPUTER\IPC$ "" /u:""
C:\>NET USE \\ADMINCOMPUTER\IPC$ * /USER:""
C:\>NET USE \\ADMINCOMPUTER\IPC$ * /USER:
They all do the same thing, but sometimes only certain ones will work on certain machines. If
you are unlucky, you could try to substitute the IPC$ for ADMIN$ or C$. These are just
additional default shares. The difference between ADMIN$, C$ and IPC$ is that IPC$ cannot be
removed. This means that you should always be able to establish a connection. Of course, the
admin may want to create additional shares such as such as A$ (remote floppy drive), E$ (remote
CD drive) and really anything he wants. An admin can quite easily create and delete shares using
the "net share" command:
C:\>net share ADMIN$ /delete
Command completed successfully
This command deletes the remote administrator ADMIN$ share. Shares can be added by typing:
C:\>net share A$ a:
Command completed successfully.
This tells the computer to create a share A$ with the target to the a: drive.
I said earlier that it is possible to disconnect the a: drive from the network, thus enabling it
for our own usage. This can be done using the command:
C:\>net use a: /delete
Unfortunately, this command can be restricted by the administrator. Once it is, no command with
the prefix "net" will work. On the bright side, it is rare for an admin to realise that anybody
has been fucking with net use commands and establishing connections, yet alone disable the
command. If the command does get disabled, we are forced to turn to programs to do our dirty
work.
Although there are a number of Netbios scanners, most of them are rather dated as these days few
hackers seriously rely on Netbios as their main weapon. Sure, it can be fun and rewarding, but
most computers these days have patches to guard against unauthorised access, or simply block
access to TCP 139 through their firewall or router. As a result, most people have stopped making
new Netbios programs. Because of this, most of the programs for Netbios are old. REALLY old.
We're talking old as in 1999 old. Sure, doesn't seem like that long ago, but in the computer
world, that is an eternity. Luckily for us, this is slightly different for networks. Because a
network has to be tied together very closely, it usually depends on port 139 to handle all the
traffic. As a result, most old programs will work like a charm. Although there are many, many
different programs you can use to try and get the shares, I recommend you use Legion V2.1 from
the now dead Rhino9 Security Group. It generally floats among internet sites.
Now let's take a quick look at the Security Accounts Manager (SAM). SAM is a way of storing
users details on the computer. It has usernames and password hashes inside, so it is very
important to keep safe from prying eyes. If you're the one with those eyes, SAM may just be your
goal. To cut the long story short, SAM cannot be accessed while anyone is logged onto that
computer. So what you have to do is restart it in DOS and try and copy it from there onto
floppy. The only problem with this is that sometimes SAM can be very big - a couple of Mb even
so floppy disk is an unlikely alternative. If the computer doesn't have a burner then it is
unlikely that you will be able to extract the hashes, so try and make the best of it any way you
can. Sometimes it's even possible to rename the SAM file by restarting in DOS and typing:
ren C:\winnt\repair\sam wateva
This will make the SAM file unreadable, so if the passwords are stored on the computer rather
than the server, they will all be useless. If this works, you will be able to log on without a
username or password. If you are able to extract the SAM file, there are many different password
crackers that you can use to take a peek at what's insisde. L0pht, Cain and Abel and many more
do a splendid job. Try them out and see what works for you.
Finally, I'll just show you one last thing that will freak the hell out of your admin if he ever
sees it. It is ridiculously easy to access the server on most networks and nobody even considers
this method. Simply create a shortcut to it!!! If you can find a way to find the hostname of
your server, all you have to do it right click, select new then click on shortcut. In the space
provided, type the hostname of the server. For example, if the server is called "server-1" then
in the shotcut type:
\\server-1
Then click next and that's it! You can double click on the shortcut and you will have access to
all the files on the server!!! As I said before, this will scare the hell out of any admin
because he wouldn't have thought of it himself and has definately not seen this before.
As for how much you can actually do - that depends entirely on the server. Most times
you will just browse but sometimes, who knows?
Lastly, we will take a quick look at the the SUBST command. The SUBST command associates
a path with a drive letter. This means it creates a virtual drive on top of an actual one. This can
be extremely handy when the administrator has blocked of say the C: drive from being viewed.
Often the admin simply restricts access to the C: drive by not showing the icon for the drive. If this
is the case simple open up a command prompt and type:
explorer c:
This will open explorer to the C: drive. Generally one will not be so lucky. The C: drive itself is
often restricted and trying to open explorer through command will tell us we don't have permission.
SUBST allows us to get passed this. Open up a command prompt and type in:
subst z: C:\
where z: is the virtual drive you wish to create and C:\ is the path of the drive you wish to view.
Now all you have to do is type...
explorer z:
...and an explorer window will pop up showing you the contents of C: but in the z: drive. You may
navigate this at will just as you would normally on an unrestricted computer. Although
useful, SUBST really only gives you a graphic interface since we may the entire contents of a
drive through command.
***Note: SUBST will also add the virtual drive to My Computer. If you have access to My Computer
you will see z: as well.
If you are having trouble with command because you cannot scroll up
whilst trying to use dir, try using dir /w or /p instead. Otherwise...
dir >> H:\dir.txt
...will send the results of the dir to a file called dir.txt (or will create the file if it does not already
exist) on the H: drive. Also note that on large networks net view can also be a pain, but using
net view >> H:\net.txt
we can see all the computers in a text file!
Posted by ekansh at 6:54 AM 0 comments