::::::::: :::::::: ::::::::: ::::::::::
:+: :+: :+: :+: :+: :+: :+:
+:+ +:+ +:+ +:+ +:+ +:+
+#++:++#+ +#++:++#++ +#++:++#: :#::+::#
+#+ +#+ +#+ +#+ +#+ +#+
#+# #+# #+# #+# #+# #+# #+#
######### ######## ### ### ###
http://blacksun.box.sk
_____________________________
______________________I Topic: I_____________________
\ I I /
\ HTML by: I How to use the I Written by: /
> I Fast Zip Cracker (FZC) I Ghost_Rider <
/ Martin L. I_____________________________I R a v e N \
/___________________________> <_________________________\
8/1/2000
What is FZC? FZC is a program that cracks zip files (zip is a method of compressing multiple files into one smaller file) that are password-protected (which means you're gonna need a password to open the zip file and extract files out of it). You can get it anywhere - just use a search engine such as altavista.com.
FZC uses multiple methods of cracking - bruteforce (guessing passwords systematically until the program gets it) or wordlist attacks (otherwise known as dictionary attacks. Instead of just guessing passwords systematically, the program takes passwords out of a "wordlist", which is a text file that contains possible passwords. You can get lots of wordlists at www.theargon.com. Thanks to Caboom for this tip).
FZC can be used in order to achieve two different goals: you can either use it to recover a lost zip password which you used to remember but somehow forgot, or to crack zip passwords which you're not supposed to have. So like every tool, this one can be used for good and for evil.
The first thing I want to say is that reading this tutorial is the easy way to learn how to use this program, but after reading it you should go and read the text files that come with the program. You are also going to see the phrase "check name.txt" often in this text. These files should be in FZC's directory; they contain more information about FZC.
FZC is a good password recovery tool because it's very fast and also supports resuming, so you don't have to keep the computer turned on until you get the password, as you did some years ago with older cracking programs. You will probably always get the password unless it is longer than 32 chars (a char is a character, which can be anything: a number, a lowercase or uppercase letter, or a symbol such as ! or &), because 32 chars is the maximum FZC will accept. It doesn't really matter, because in order to brute-force a 32-char password you'd need to be immortal. To see how long FZC takes in brute-force mode, open the Bforce.txt file, which contains such information.
FZC supports brute-force attacks, as well as wordlist attacks. While brute-force attacks don't require you to have anything, wordlist attacks require you to have wordlists, which you can get from www.theargon.com. There are wordlists in various languages, various topics or just miscellaneous wordlists. The bigger the wordlist is, the more chances you have to crack the password.
Now that you have a good wordlist, just get FZC working on the locked zip file, grab a drink, lie down and wait... and wait... and wait...and have good thoughts like "In wordlist mode I'm gonna get the password in minutes" or something like this... you start doing all this and remember "Hey this guy started with all this bullshit and didn't say how I can start a wordlist attack!..." So please wait just a little more, read this tutorial 'till the end and you can do all this "bullshit". :)
Keep in mind that some people choose really weird passwords (for example: 'e8t7@$^%*gfh), which no wordlist is going to contain (unless you have some very weird wordlist). If you're unlucky and got such a file, having a 200MB list won't help you. Instead, you'll have to use a different type of attack. If you are a person that gives up at the first sign of failure, stop being like that or you won't get anywhere. What you need to do in such a situation is to put aside your sweet xxx MB list and start using the brute-force attack.
If you have some sort of a really fast and new computer and you're afraid that you won't be able to use your computer's power to the fullest because the zip cracker doesn't support this kind of technology, it's your lucky day! FZC has multiple settings for all sorts of hardware, and will automatically select the best method.
Now that we've gone through all the theoretical stuff, let's get to the actual commands.
--------------------------------------------------------------------------------
Bruteforce
--------------------------------------------------------------------------------
The command line you'll need to use for brute force is:
fzc -mb -nzFile.zip -lChr Length -cType of chars
Now if you read the bforce.txt that comes with FZC you'll find the description of how Chr Length and Type of chars work, but hey, I'm gonna explain this too. Why not, right?...;) (but remember to look at the bforce.txt too)
For Chr Length you can use 4 kinds of values:
-> You can use a range -> 4-6 : it would brute force from 4-char passwords to 6-char passwords
-> You can use just one length -> 5 : it would just brute force passwords with 5 chars
-> You can also use 0 -> 0 : it would brute force from passwords of length 0 to length 32; even if you are crazy I don't think you would do this... if you are thinking of doing this, get a life...
-> You can use the + sign with a number -> 3+ : in this case it would brute force from passwords of length 3 to passwords of length 32, almost like the last option...
For the Type of chars we have 5 switches, and you can combine them:
-> a for using lowercase letters
-> A for using uppercase letters
-> ! for using symbols (check the Bforce.txt if you want to see which symbols)
-> s for using space
-> 1 for using numbers
Example:
If you want to find a password with lowercase and numbers by brute force you would just do something like:
fzc -mb -nzTest.zip -l4-7 -ca1
This would try all combinations of passwords from 4 chars long to 7 chars long, but using only numbers and lowercase letters.
*****
hint
*****
You should never start the first brute force attack on a file using all the char switches. First try just lowercase, then uppercase, then uppercase with numbers, then lowercase with numbers; do it like this because you can get lucky and find the password much faster. If this doesn't work, prepare your brain and start a brute force that will take a lot of time, with a combination like lowercase, uppercase, special chars and numbers. Each charset you add multiplies the keyspace: with the 36 chars of lowercase plus digits there are 36^6 six-char passwords, with all 95 printable chars there are 95^6, roughly 340 times as many.
--------------------------------------------------------------------------------
Wordlist
--------------------------------------------------------------------------------
Like I said above, and like you should be thinking now, the wordlist is the most powerful mode in this program. In this mode you can choose between 3 sub-modes, each of which makes different changes to the words in the wordlist. I'm not going to say what each mode does to the words; to find out just check the file wlist.txt. The only thing I'm going to tell you is that the best mode for getting passwords is mode 3, but it takes longer too.
To start a wordlist attack you'll do something like:
fzc -mwMode number -nzFile.zip -nwWordlist
Where:
Mode number is 1, 2 or 3; check wlist.txt to see the changes in each mode.
File.zip is the filename and Wordlist is the name of the wordlist you want to use. Remember that if the file or the wordlist isn't in the same directory as FZC you'll need to give the full path.
You can add other switches to that line, like -fLine, where you define at which line FZC will start reading, and -lChar Length, where only the words of that length will be read; this switch works like in brute-force mode.
So if you type something like
fzc -mw1 -nztest.zip -nwMywordlist.txt -f50 -l9+
FZC would start reading at line 50 and would only try words of length 9 or more.
Example:
If you want to crack a file called myfile.zip using the "theargonlistserver1.txt" wordlist, selecting mode 3, and you wanted FZC to start reading at line 50 you would do:
fzc -mw3 -nzmyfile.zip -nwtheargonlistserver1.txt -f50
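The FZC switches described in the brute-force and wordlist sections above, as an added example in Python (this is not FZC's code): it parses -l length specs and -c charset switches, enumerates the brute-force keyspace shortest-first, runs the hint's charset stages in order, and reads a wordlist with the -f start line and -l length filter. The symbol set for the ! switch is an assumption (FZC's real one is in Bforce.txt), and the check() callback stands in for testing a candidate against the real zip file.

```python
"""FZC-style candidate generation. Added example, not FZC's own code.
Covers -lSPEC length specs, -cSWITCHES charsets, brute-force enumeration,
the hint's cheap-charsets-first order, and the -f/-l wordlist filters."""
import itertools
import string

MAX_LEN = 32  # the longest password FZC accepts

# The five charset switches: a A ! s 1
CHARSETS = {
    "a": string.ascii_lowercase,
    "A": string.ascii_uppercase,
    "!": "!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~",  # assumption: FZC's real list is in Bforce.txt
    "s": " ",
    "1": string.digits,
}


def parse_length_spec(spec):
    """'4-6' -> (4, 6); '5' -> (5, 5); '0' -> (0, 32); '3+' -> (3, 32)."""
    spec = spec.strip()
    if spec == "0":
        return 0, MAX_LEN
    if spec.endswith("+"):
        return int(spec[:-1]), MAX_LEN
    if "-" in spec:
        low, high = spec.split("-", 1)
        return int(low), int(high)
    return int(spec), int(spec)


def charset_from_switches(switches):
    """Combine switches in the order given ('a1' -> a..z then 0..9)."""
    chars = []
    for sw in switches:
        if sw not in CHARSETS:
            raise ValueError(f"unknown charset switch {sw!r}")
        for c in CHARSETS[sw]:
            if c not in chars:
                chars.append(c)
    return "".join(chars)


def keyspace_size(charset, length_spec):
    """Worst-case number of candidates for -lSPEC over this charset."""
    low, high = parse_length_spec(length_spec)
    return sum(len(charset) ** n for n in range(low, high + 1))


def brute_force_candidates(charset, length_spec):
    """Every string over the charset, shortest lengths first."""
    low, high = parse_length_spec(length_spec)
    for n in range(low, high + 1):
        for combo in itertools.product(charset, repeat=n):
            yield "".join(combo)


def wordlist_candidates(lines, start_line=1, length_spec=None):
    """-fLINE skips to a 1-based line; -lSPEC keeps only words of that length."""
    low, high = parse_length_spec(length_spec) if length_spec else (0, MAX_LEN)
    for lineno, raw in enumerate(lines, start=1):
        if lineno < start_line:
            continue
        word = raw.rstrip("\r\n")
        if low <= len(word) <= high:
            yield word


def try_candidates(check, candidates):
    """Feed candidates to check() in order; return (password, attempts)."""
    attempts = 0
    for cand in candidates:
        attempts += 1
        if check(cand):
            return cand, attempts
    return None, attempts


def staged_brute_force(check, length_spec, stages=("a", "A", "A1", "a1", "aA!1")):
    """The hint's order: lowercase, uppercase, upper+digits, lower+digits,
    then everything. Later stages repeat earlier candidates, which is the
    price of getting the cheap stages out of the way first.
    Returns (password, stage_that_found_it, total_attempts)."""
    total = 0
    for switches in stages:
        charset = charset_from_switches(switches)
        pw, attempts = try_candidates(check, brute_force_candidates(charset, length_spec))
        total += attempts
        if pw is not None:
            return pw, switches, total
    return None, None, total


if __name__ == "__main__":
    # Constructed secret; a real run would try each candidate against the zip.
    secret = "ab12"
    charset = charset_from_switches("a1")  # fzc -mb -nzTest.zip -l4-7 -ca1
    print("keyspace for -l4-7 -ca1:", keyspace_size(charset, "4-7"))
    print("cracked:", try_candidates(lambda c: c == secret, brute_force_candidates(charset, "4-7")))
    words = ["alpha", "beta", "gamma", "delta", "epsilon"]  # constructed wordlist
    print("-f3 -l5:", list(wordlist_candidates(words, start_line=3, length_spec="5")))
```

keyspace_size() is the number behind the hint: -l4-7 -ca1 is about 8 x 10^10 candidates, and switching to all five charsets raises that by orders of magnitude, which is why the staged order pays off whenever the password happens to be in a cheap stage.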
--------------------------------------------------------------------------------
Resuming
--------------------------------------------------------------------------------
Another good feature of FZC is that it supports resuming. If you need to shut down your computer while FZC is running, you just need to press the ESC key and FZC will stop. If you are using a brute force attack the current status will be saved in a file called resume.fzc, but if you are using a wordlist it will tell you at which line it stopped (you can find the line in the file fzc.log too).
To resume the brute force attack you just need to do:
fzc -mr
And the brute force attack will start from the place where it stopped when you pressed the ESC key.
But if you want to resume a wordlist attack you'll need to start a new wordlist attack, saying where it's going to start. So if you stopped the attack on file.zip at line 100, using wordlist.txt in mode 3, to resume you'll type
fzc -mw3 -nzfile.zip -nwwordlist.txt -f100
Doing this FZC would start at line 100, since the first 99 lines were already checked in the earlier FZC session.
Well, it looks like I covered most of what you need to know. I certainly hope it helped you... don't forget to read the files that come with the program, and visit http://blacksun.box.sk for more tutorials. If you have any problem feel free to post your questions on the message board at blacksun.box.sk, but don't send me any files to crack for you! Use your own computer power.
Saturday, September 6, 2008
Cracking Unix password files for beginners
::::::::: :::::::: ::::::::: ::::::::::
:+: :+: :+: :+: :+: :+: :+:
+:+ +:+ +:+ +:+ +:+ +:+
+#++:++#+ +#++:++#++ +#++:++#: :#::+::#
+#+ +#+ +#+ +#+ +#+ +#+
#+# #+# #+# #+# #+# #+# #+#
######### ######## ### ### ###
http://blacksun.box.sk
_____________________________
______________________I Topic: I_____________________
\ I I /
\ HTML by: I Cracking Unix password I Written by: /
> I files for beginners I Caboom <
/ Martin L. I_____________________________I R a v e N \
/___________________________> <_________________________\
Version 1.0
Date: 14/1/2000
1) First thing's first
--------------------------------------------------------------------------------
I guess you're a newbie in pass-cracking like I was, and you've probably started John the Ripper full of enthusiasm, and got.... nothing. So the first thought you have is 'my god this must be hard, and I'm a newbie'. Forget it!!! You're always a newbie, and we all are... in the pass cracking world, pardon, pass recovering world (or any other world) you always have something to learn. Sometimes, even if you are experienced in password cracking, you won't be able to crack the password or even get your own password. This is a purely technical manual and will give you only the recipe for cracking, but every password needs a different approach...
OK, so a good way to get somewhere is to start getting somewhere...
What you're about to learn is to crack *nix (Unix/Linux/etc.) password files. It does not mean that you need to have some Unix distribution on your box, but it does mean you'll have to stop clicking your ass off all around the screen... 'What is this fool trying to say', you'll probably ask... This fool is trying to say that john is a command-line program (there are DOS and Win32 builds as well as the Unix/Linux version, and I guess that most of the people reading this tutorial have Windows boxes). I will try to build this tutorial around examples so it won't look like a boring script with an incredible amount of switches. After reading this text it wouldn't be a bad idea to look at the texts you get with John. I learnt it all from there, but that, of course, was the hard way, and you want the easy way, right? Right.
First, it wouldn't be a bad idea to get yourself John the Ripper, I guess... if you don't have it you can find it at:
1) packetstorm.securify.com (look at archives, password cracking)
2) neworder.box.sk (do some searching by yourself)
John can be found practically anywhere. For example: try going to altavista.com and running a search for 'john the ripper'.
The second thing you'll need is.... a HUUUUGE amount of password dictionaries (I'll explain what these are in a minute). The best dictionary around is at www.theargon.com and packetstorm (look at the archives); it is called theargonlistserver1 and is about 20Mb packed and over 200Mb unpacked... get it!!!! The people at theargon did a terrific job.
You should also get some smaller dictionary files (I'll explain why later).
2) Do we look like *nix?
--------------------------------------------------------------------------------
So now you have john, loaded with that huuuuge pass dictionary, and you think that you can crack anything... If you plan to live for 100000 years, that wouldn't be a problem, but you only have some 80 years left in the best case scenario (unless, of course, scientists find a way to... oh, nevermind).
Now, the first thing is that you have to make sure your password file really looks like a Unix password file (we're talking about the /etc/passwd file).
Let's see what Unix pass files look like:
owner:Ejrt3EJUnh5Ms:510:102:Some free text:/home/subdir/owner:/bin/bash
The important parts are the username and the password hash, which are the first and the second fields (each line is divided into seven fields by : symbols):
owner:Ejrt3EJUnh5Ms
owner is the username and 'that other thing' is the password hash, produced by the Unix crypt(3) function, which is built on an altered DES (Data Encryption Standard). A traditional DES crypt hash is always 13 characters long, and its first two characters (here Ej) are the salt. For the other fields you can put anything that looks right, but the structure must be the same so that john recognizes it as a Unix password entry. In fact the other part
:510:102:Some free text:/home/subdir/owner:/bin/bash
is just information about the user: UID, GID, a free-text comment (the GECOS field), home directory and shell.
Sometimes you'll have passes that have only the first and second fields, such as password files that you got from a webboard running Matt's web board script:
owner:Ejrt3EJUnh5Ms
You'll have to add the other fields so that the entry looks like a Unix pass; you can copy-paste them from another entry, you can even use
:510:102:His name:/home/subdir/owner:/bin/bash
What you have now should look like:
owner:Ejrt3EJUnh5Ms:510:102:His name:/home/subdir/owner:/bin/bash
Hell, you can even put
owner:Ejrt3EJUnh5Ms:a:a:a:a:a
It won't matter to john at all (except that the "single crack" mode and the -shells option, described below, use the GECOS and shell fields, so real values help there).
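An added example (not John's code) that does the reshaping described above in Python: it pads a two-field web-board entry into the seven-field layout, recognises a traditional DES crypt hash and its salt, flags the placeholder entries that mean the hashes live in a shadow file, and merges passwd with shadow the way John's unshadow utility does. The filler UID, GID, GECOS, home and shell values and the sample passwd/shadow lines are assumptions; the hash Ejrt3EJUnh5Ms is the tutorial's own sample.

```python
"""Reshape password-file entries for John. Added example, not John's code.
The hash Ejrt3EJUnh5Ms is the tutorial's sample; all other values below
(UID/GID/GECOS/home/shell fillers, the passwd and shadow lines) are
constructed for this example."""
import re

PASSWD_FIELDS = 7  # login:hash:uid:gid:gecos:home:shell

# Traditional DES crypt(3): 13 chars from [./0-9A-Za-z]; the first two are the salt.
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# Placeholders meaning "the real hash lives in /etc/shadow" or "no password".
SHADOW_PLACEHOLDERS = {"x", "*", "!", "!!", ""}


def split_entry(line):
    return line.rstrip("\r\n").split(":")


def normalize_passwd_line(line, uid="510", gid="102", gecos="His name",
                          home_prefix="/home/", shell="/bin/bash"):
    """Turn 'user:hash' (e.g. from a web board) into a full 7-field line;
    pass 7-field lines through unchanged. The filler values are assumptions."""
    parts = split_entry(line)
    if len(parts) == PASSWD_FIELDS:
        return ":".join(parts)
    if len(parts) == 2:
        login, hashed = parts
        return ":".join([login, hashed, uid, gid, gecos, home_prefix + login, shell])
    raise ValueError(f"expected 2 or 7 fields, got {len(parts)}: {line!r}")


def des_crypt_salt(hashed):
    """Return the 2-char salt if this looks like a DES crypt hash, else None."""
    return hashed[:2] if DES_CRYPT_RE.match(hashed) else None


def is_shadowed(line):
    """True when the hash field is a placeholder rather than a hash."""
    parts = split_entry(line)
    return len(parts) >= 2 and parts[1] in SHADOW_PLACEHOLDERS


def unshadow(passwd_lines, shadow_lines):
    """Put each shadow hash back into its passwd entry so John gets both the
    hash and the GECOS/shell fields. Entries with no shadow match keep
    whatever the passwd file had. Comment lines and malformed lines are dropped."""
    shadow_hashes = {}
    for line in shadow_lines:
        parts = split_entry(line)
        if len(parts) >= 2 and not line.startswith("#"):
            shadow_hashes[parts[0]] = parts[1]
    merged = []
    for line in passwd_lines:
        parts = split_entry(line)
        if len(parts) != PASSWD_FIELDS or line.startswith("#"):
            continue
        if parts[0] in shadow_hashes:
            parts[1] = shadow_hashes[parts[0]]
        merged.append(":".join(parts))
    return merged


# Constructed sample files: passwd holds placeholders, shadow holds the hash.
SAMPLE_PASSWD = [
    "owner:x:510:102:Some free text:/home/subdir/owner:/bin/bash",
    "nobody:*:65534:65534:nobody:/nonexistent:/bin/false",
]
SAMPLE_SHADOW = [
    "owner:Ejrt3EJUnh5Ms:10957:0:99999:7:::",
]

if __name__ == "__main__":
    print(normalize_passwd_line("owner:Ejrt3EJUnh5Ms"))
    for entry in unshadow(SAMPLE_PASSWD, SAMPLE_SHADOW):
        state = "shadowed/no hash" if is_shadowed(entry) else f"DES salt {des_crypt_salt(entry.split(':')[1])}"
        print(entry, "->", state)
```

The check in is_shadowed() is the one to run before you start cracking: a file full of * or x in the second field has nothing for John to work on until you also have the shadow file and merge the two.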
3) We're getting somewhere... nowhere
--------------------------------------------------------------------------------
Now you're ready to crack. Type in
john -w:words.lst password.file
Where words.lst is the password dictionary and password.file is the file where you have your password or passwords. If you use it on the example I gave you, you'll probably get the password because it's a really weak pass. You'd be surprised to see that people usually use really weak passes like their names, pet names, or even their username (for example: username=zalabuk, password=zalabuk).
Hint: Don't be stupid! Use strong passes like
p4sswr!@
p@s$w11s
with as many characters as you can remember. The hint is to use special characters and numbers; those passes are much harder to crack (I'll explain why in a minute).
The other hint is to use passes as long as you can remember; 8 characters are sometimes not enough... it depends on what box the person cracking has... against a dual Alpha it's certainly not enough... in other words, more than 10 characters will do fine, and even more wouldn't hurt (like 16...). By the way, older *nix systems effectively have a fixed pass length of 8 chars: the traditional DES crypt only looks at the first 8 characters of the password (7 bits of each, making a 56-bit DES key), so anything after the 8th character is ignored. Newer hash formats (the MD5 and BF formats in John's option list below) don't have that limit, and some perverts use even longer passes, so there is more fun now :)
john -w:words.lst password.file
Wait wait wait! What am I doing here?
Alright, listen up carefully. The DES-based hash that Unix uses CANNOT be reversed. Some encryptions can be reversed using a sometimes simple or sometimes incredibly complicated algorithm (in the 1st century BC, Julius Caesar used to send encrypted letters using a "shift by three" formula, which means that d stands for a, e stands for b, etc. At that time, such an algorithm was just fine. Today, it isn't).
So anyway, the altered DES that Unix uses for its password files cannot be reversed. Why? Because it's a key-based encryption in which the key is the password itself. crypt(3) takes the user's password as the DES key (the salt perturbs the algorithm a little, which is why the same password gives different hashes on different accounts) and uses it to encrypt a block of zero bits 25 times; the result is the hash you see in the password file. To run DES backwards you would need the key, which you simply cannot have, because the key is the password! Decrypting the hash with DES does not give you the password; it just gives you back the block of zeros, and only if you already know the password.
So how do John and other password crackers do it? Easy. They recreate this process by taking words out of these dictionary files (or wordlists) and using them as keys for the same altered DES algorithm, with the salt taken from each target hash. Then they compare the result to the encrypted passwords within the password file you've given them. If the two strings match - there you have it! The password is yours!
If the first step doesn't work, the next step would be to do this:
john -w:words.lst -rules password.file
This switch turns on not only browsing through the dictionary, but also some modifications of the words in the dictionary (like adding a number at the end of the pass: fool -> fool1, etc.). This one will take long with a huge pass dictionary, but it may give better results... For a start you could try it with a small pass dictionary, and if it doesn't work you can try it with a huge pass dictionary.
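The candidate-hash-compare loop described above, with a few -rules-style manglings, as an added example in Python (this is not John the Ripper's code). The tutorial's hashes are traditional DES crypt(3); because Python's crypt module was removed in recent versions, this example uses salted SHA-256 from hashlib as a stand-in one-way function with the same shape (salt plus candidate in, digest out, compare). The logins, passwords and wordlist are constructed.

```python
"""Dictionary attack with word-mangling rules, the way the tutorial
describes John's wordlist and -rules modes. Added example, not John's code.
toy_crypt() is a STAND-IN for crypt(3): salted SHA-256 via hashlib, so it
runs on any Python; on Python <= 3.12 you could instead call
crypt.crypt(candidate, stored_hash) against real DES/MD5 crypt hashes.
All logins, passwords and the wordlist below are constructed."""
import hashlib


def toy_crypt(password, salt):
    """Stand-in for crypt(3): salted, one-way. Stored form is 'salt$hex'."""
    digest = hashlib.sha256((salt + password).encode("utf-8")).hexdigest()
    return f"{salt}${digest}"


def salt_of(stored_hash):
    """Like crypt(3), the salt is readable from the stored hash itself."""
    return stored_hash.split("$", 1)[0]


def apply_rules(word):
    """A small subset of what John's [List.Rules:Wordlist] does: the word
    itself, case variants, reversed, and one digit appended (fool -> fool1)."""
    yield word
    yield word.capitalize()
    yield word.upper()
    yield word[::-1]
    for digit in "0123456789":
        yield word + digit


def crack(entries, wordlist, use_rules=False):
    """entries: list of (login, stored_hash) from a passwd-style file.
    Returns {login: password} for every hash some candidate matched.
    Each candidate is hashed once per distinct salt, not once per user,
    which is what makes salts expensive and why John has a -salts option."""
    targets_by_salt = {}
    for login, stored in entries:
        targets_by_salt.setdefault(salt_of(stored), {}).setdefault(stored, []).append(login)

    found = {}
    for raw in wordlist:
        word = raw.strip()
        if not word:
            continue
        for cand in (apply_rules(word) if use_rules else (word,)):
            for salt, targets in targets_by_salt.items():
                for login in targets.get(toy_crypt(cand, salt), []):
                    found.setdefault(login, cand)
            if len(found) == len(entries):
                return found  # everything cracked, stop early
    return found


# Constructed sample "password file": a username-as-password, a password
# only a rule reaches, and one the wordlist never reaches.
SAMPLE_ENTRIES = [
    ("zalabuk", toy_crypt("zalabuk", "Ej")),
    ("bob", toy_crypt("fool1", "xy")),
    ("alice", toy_crypt("2405v7", "Ej")),
]
SAMPLE_WORDLIST = ["zalabuk", "password", "fool", "dragon"]

if __name__ == "__main__":
    print("plain wordlist:", crack(SAMPLE_ENTRIES, SAMPLE_WORDLIST))
    print("with -rules:   ", crack(SAMPLE_ENTRIES, SAMPLE_WORDLIST, use_rules=True))
```

Without rules only zalabuk falls (username as password); with rules, fool -> fool1 also gets bob; alice's 2405v7 survives both, which is the case the text calls brute-force territory.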
Sometimes people are not stupid when they choose passwords and basic rules won't do the job... aaargh. As you've seen, it takes more and more of your CPU's time to crack this thing as we go further. Now you can leave your computer on and go to sleep....
If you want to get even more possible passwords out of your password file, try typing
john -i password.file
This -i stands for incremental cracking, not a really good word for it, but...
Okay, what the hell does it do? It uses the default incremental mode parameters, which are defined in john.ini.
What does this mean? Do you remember -rules? Yes, well, of course you do, unless you're either incredibly senile or you've stopped reading after this part and only came back, like... a couple of years later. That is very much like rules, but much much more powerful than -rules, and it takes much, much more time.
4) So where are we now (dictionary vs. brute-force)?
--------------------------------------------------------------------------------
You can see that in all cases you use so-called dictionary cracking... but hell, why not just run John on a mode where it tried all possible combinations of lowercase and uppercase letters, numbers and symbols? I mean, this would be much more efficient, right? ... WROOOOOOONGG!!!
This method is called 'brute-force' attack (basically, dictionary attack is also sort of brute-force attack, but most people use the word brute-force for this specific attack).
What are the differences? First and most important, with a dictionary you go through selected words that could be passwords and their modifications, and with brute-force cracking you use ALL possible combinations. That means you have
comb=nrch^let
where:
comb - number of possible combinations
nrch - number of characters in the character set
let - password length (number of characters in the password)
In case you're dealing with john's default -i 95-character set and, presume, a 6-letter password, you have 95^6 = 735091890625 possible combinations! OUCH!!
Sure, this is useful for passwords like 2405v7, but still... with the computational power of today's PCs I'd just give up, unless I had access to some University's supercomputer, which I'd bet noone would ever give me (well, at least not for free, and certainly not to run a password cracker on it).
As you can see it can take a looooong time until you crack a single pass; do a little math and try to calculate how many possible combinations there are for 10, 12 and 16 chars.
I don't think you'll like the answer :)
Of course, sometimes dictionary attacks are not enough, but john has very powerful 'thinking'. In 'incremental' mode john will try all possible combinations from 0 to 8 characters (a zero-length password means a hash of the empty string, which sometimes happens), ordered by character frequency so the likelier ones come first. So incremental mode is one sort of brute-force attack in some way...
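The keyspace arithmetic the text leaves to the reader, worked through as an added note (not part of the original tutorial) in the text's own symbols, including the default incremental range of 0 to 8 characters:

$$\text{comb} = \text{nrch}^{\text{let}}, \qquad 95^{6} = 735\,091\,890\,625 \approx 7.4 \times 10^{11}$$

$$95^{10} \approx 6.0 \times 10^{19}, \qquad 95^{12} \approx 5.4 \times 10^{23}, \qquad 95^{16} \approx 4.4 \times 10^{31}$$

For a range of lengths, as incremental mode runs from MinLen to MaxLen, the counts add up as a geometric series:

$$\sum_{\text{let}=\text{MinLen}}^{\text{MaxLen}} \text{nrch}^{\text{let}} = \frac{\text{nrch}^{\text{MaxLen}+1} - \text{nrch}^{\text{MinLen}}}{\text{nrch} - 1}$$

$$\sum_{\text{let}=0}^{8} 95^{\text{let}} = \frac{95^{9} - 1}{94} \approx 6.7 \times 10^{15}, \qquad \text{of which } 95^{8} \approx 6.6 \times 10^{15}$$

So the longest length dominates: each extra character multiplies the work by nrch, and all the shorter lengths together cost only about 1/(nrch - 1) of the longest one.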
If you want to fire all weapons at one then you use
john password.file
this will do first basic dictionary attack, then -rules, then -i
5) What if...
--------------------------------------------------------------------------------
Ok, you have to turn off your box from time to time, don't you? If you're doing that haaard password that will take more than 20 hours of cracking, you can stop john with Ctrl+C and then resume with
john -restore
If your box crashes or if there's a power failure, you (sometimes) won't be able to restore your cracking session... well, that's just too bad. Hell, it happened to me once :-(
John is modular, and that is the most powerful thing about john the ripper, and that is what makes john the most advanced password cracker. John is very, very modular. John uses modes that are described in john.ini (do you still remember that incremental cracking i was talking about? Modes for rules and incremental are described in john.ini).
If you're some inventive guy then you may change the parameters in john.ini.
Here is example how some default parameters for -i look like:
# Incremental modes
[Incremental:All]
File = ~/all.chr
MinLen = 0
MaxLen = 8
CharCount = 95
Ok... what do we have here?
[Incremental:All] - this stands for the beginning of the definition for the -i:all switch
File - filename of file that has characters used in mode -i:all (whole character set)
MinLen - logically, minimum length of password that john -i:all would try
MaxLen - even more logical, maximum length of password that will john -i:all try
CharCount - number of chars used by john when you 'turn on' this switch
So, there are some more switches... heh
Yes there are and down there are all default modes pasted from john the ripper's documents:
John the Ripper's Command Line Options
--------------------------------------------------------------------------------
You can list any number of password files on John's command line, and also
specify some of the following options (all of them are case sensitive, but
can be abbreviated; you can also use the GNU-style long options syntax):
-single                     "single crack" mode
    Enables the "single crack" mode, using rules from [List.Rules:Single].
-wordfile:FILE              wordlist mode, read words from FILE
-stdin                      or from stdin
    These are used to enable the wordlist mode.
-rules                      enable rules for wordlist mode
    Enables wordlist rules, that are read from [List.Rules:Wordlist].
-incremental[:MODE]         incremental mode [using section MODE]
    Enables the incremental mode, using the specified ~/john.ini definition
    (section [Incremental:MODE], or [Incremental:All] by default).
-external:MODE              external mode or word filter
    Enables an external mode, using external functions defined in
    ~/john.ini's [List.External:MODE] section.
-stdout[:LENGTH]            no cracking, write words to stdout
    When used with a cracking mode, except for "single crack", makes John
    print the words it generates to stdout instead of cracking. While
    applying wordlist rules, the significant password length is assumed to
    be LENGTH, or unlimited by default.
-restore[:FILE]             restore an interrupted session
    Continues an interrupted cracking session, reading point information
    from the specified file (~/restore by default).
-session:FILE               set session file name to FILE
    Allows you to specify another point information file's name to use for
    this cracking session. This is useful for running multiple instances of
    John in parallel, or just to be able to recover an older session later,
    not always continue the latest one.
-status[:FILE]              print status of a session [from FILE]
    Prints status of an interrupted or running session. To get up to date
    status information on a detached running session, send that copy of
    John a SIGHUP before using this option.
-makechars:FILE             make a charset, overwriting FILE
    Generates a charset file, based on character frequencies from
    ~/john.pot, for use with the incremental mode. The entire ~/john.pot
    will be used for the charset file unless you specify some password
    files. You can also use an external filter() routine with this option.
-show                       show cracked passwords
    Shows the cracked passwords in a convenient form. You should also
    specify the password files. You can use this option while another John
    is cracking, to see what it did so far.
-test                       perform a benchmark
    Benchmarks all the enabled ciphertext format crackers, and tests them
    for correct operation at the same time.
-users:[-]LOGIN|UID[,..]    load this (these) user(s) only
    Allows you to filter a few accounts for cracking, etc. A dash before
    the list can be used to invert the check (that is, load all the users
    that aren't listed).
-groups:[-]GID[,..]         load this (these) group(s) only
    Tells John to load users of the specified group(s) only.
-shells:[-]SHELL[,..]       load this (these) shell(s) only
    This option is useful to load accounts with a valid shell only, or not
    to load accounts with a bad shell. You can omit the path before a shell
    name, so '-shells:csh' will match both '/bin/csh' and '/usr/bin/csh',
    while '-shells:/bin/csh' will only match '/bin/csh'.
-salts:[-]COUNT             set a passwords per salt limit
    This feature sometimes allows to achieve better performance. For
    example you can crack only some salts using '-salts:2' faster, and then
    crack the rest using '-salts:-2'. Total cracking time will be about the
    same, but you will get some passwords cracked earlier.
-format:NAME                force ciphertext format NAME
    Allows you to override the ciphertext format detection. Currently,
    valid format names are DES, BSDI, MD5, BF, AFS, LM. You can use this
    option when cracking or with '-test'. Note that John can't crack
    password files with different ciphertext formats at the same time.
-savemem:LEVEL              enable memory saving, at LEVEL 1..3
    You might need this option if you don't have enough memory, or don't
    want John to affect other processes too much. Level 1 tells John not
    to waste memory on login names, so you won't see them while cracking.
    Higher levels have a performance impact: you should probably avoid
    using them unless John doesn't work or gets into swap otherwise.
6) Tips
--------------------------------------------------------------------------------
I) A good schedule to do your cracking job is
john -w:words.lst password.file
john -w:words.lst -rules password.file
john -w:words.lst password.file
john -i:digits password.file
john -i:all password.file
II) If you have a file that has only passes that look like
owner:*:510:102:His name:/home/subdir/owner:/bin/bash
you have a shadowed passwords file.
Go to the Byte-Me page at blacksun.box.sk and try to find out more about
password files (I'll leave it up to you to do this. It's important that you'll
learn how to find things by yourself).
III) John comes with some little tools; they are all listed below (from
john's docs)
unshadow PASSWORD-FILE SHADOW-FILE
Combines the passwd and shadow files (when you already have access to
both) for use with John. You might need this since if you only used your
shadow file, the GECOS information wouldn't be used by the "single crack"
mode, and also you wouldn't be able to use the '-shells' option. You'll
usually want to redirect the output of 'unshadow' to a file.
unafs DATABASE-FILE CELL-NAME
Gets password hashes out of the binary AFS database, and produces a file
usable by John (again, you should redirect the output yourself).
unique OUTPUT-FILE
Removes duplicates from a wordlist (read from stdin), without changing
the order. You might want to use this with John's '-stdout' option, if
you got a lot of disk space to trade for the reduced cracking time.
mailer PASSWORD-FILE
A shell script to send mail to all the users who got weak passwords. You
should edit the message inside before using.
--------------------------------------------------------------------------------
So, that was about it... hope you've got something from this text.
Further readings: try reading ALL the documentation you get with john in the docs
directory. Maybe it's a little bit chaotic, but.... man those are the docs :)
Ohh, wait, wait!!
Remember, not all password files can be cracked! Smart admins keep the
hashes in a shadow file that only root can read, and use stronger hash
formats than the old DES one (John's MD5 and BF formats), especially when
it comes to root passwords. But there are always other ways to get
passwords. These are covered in other BSRF tutorials. Collect them all
(lol) at http://blacksun.box.sk.
:+: :+: :+: :+: :+: :+: :+:
+:+ +:+ +:+ +:+ +:+ +:+
+#++:++#+ +#++:++#++ +#++:++#: :#::+::#
+#+ +#+ +#+ +#+ +#+ +#+
#+# #+# #+# #+# #+# #+# #+#
######### ######## ### ### ###
http://blacksun.box.sk
_____________________________
______________________I Topic: I_____________________
\ I I /
\ HTML by: I Cracking Unix password I Written by: /
> I files for beginners I Caboom <
/ Martin L. I_____________________________I R a v e N \
/___________________________> <_________________________\
Version 1.0
Date: 14/1/2000
1) First thing's first
--------------------------------------------------------------------------------
I guess you're a newbie in pass-cracking like I was and you've probably started John the Ripper full of enthusiasm, and got.... nothing. So the first thought you have is 'my god this must be hard, and I'm a newbie'. Forget it!!! You're always a newbie, and we all are... in pass cracking world, pardon, pass recovering world (or any world else) you always have something to learn. Sometimes, even if you are experienced in password cracking, you won't be able to crack the password or even get your own password. This is a pure technical manual and will give you only the recipe for cracking, but every password needs different approach...
OK, so a good way to get somewhere is to start getting somewhere...
What you're about to learn is to crack *nix(Unix/Linux/etc.) password files. It does not mean that you need to have some Unix distribution on your box, but it means you'll have to stop clicking your ass off all around the screen... 'What this fool is trying to say', you'll probably ask... This fool is trying to say that john is a DOS program (there is also Linux/Unix version, but I guess that most of the people that read this tutorial have win boxes). I will try to put this tutorial through the examples so it wouldn't look like a boring script with incredible amount of switches. After reading this text it wouldn't be a bad idea to look at the texts you get with John. I learnt it all from there, but that, of course, was the hard way, and you want the easy way, right? Right.
First, it wouldn't be a bad idea to get yourself John the Ripper, I guess... if you don't have it you can find it at:
1) packetstorm.securify.com (look at archives, password cracking)
2) neworder.box.sk (do some searching by yourself)
John can be found practically anywhere. For example: try going to altavista.com and running a search for 'john the ripper'.
Second thing you'll need is.... a HUUUUGE amount of password dictionaries (I'll explain what these are in a minute). The best dictionary around is at www.theargon.com and packetstorm (look at the archives) and is called theargonlistserver1 and is about 20Mb packed, and over 200Mb
unpacked... get it!!!! The people at theargon did a terrific job.
You should also get some smaller dictionary files (I'll explain why later).
2) Do we look like *nix?
--------------------------------------------------------------------------------
So now you have john, loaded with that huuuuge pass dictionary, and you think that you can crack anything... If you plan to live for 100000 years, that wouldn't be a problem, but you only have some 80 years left in the best case scenario (unless, of course, scientists find a way to... oh, nevermind).
Now, the first thing is that you have to make sure your password file really looks like a Unix password file (we're talking about the /etc/passwd file).
Let's see what a Unix pass file looks like:
owner:Ejrt3EJUnh5Ms:510:102:Some free text:/home/subdir/owner:/bin/bash
The important part is the username and the encrypted password, which are the first and the second parts (each line is divided into seven parts by ':' symbols):
owner:Ejrt3EJUnh5Ms
Owner is the username and 'that other thing' is the crypted password (encrypted with an altered DES (Data Encryption Standard) encryption). For the other part you can put anything that looks like that, but the structure must be the same so that john can recognize it as a unix pass. In fact the other part
:510:102:Some free text:/home/subdir/owner:/bin/bash
is just some information about the user, his home directory, etc...
Sometimes you'll have passes that have only the first and second part, such as password files that you got from a webboard running Matt's web board script:
owner:Ejrt3EJUnh5Ms
You'll have to add the other part so that the password looks like a unix pass. You can do a copy-paste from another pass; you can even use
:510:102:His name:/home/subdir/owner:/bin/bash
What you have now should look like:
owner:Ejrt3EJUnh5Ms:510:102:His name:/home/subdir/owner:/bin/bash
Hell, you can even put
owner:Ejrt3EJUnh5Ms:a:a:a:a:a
It won't matter to john at all.
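As an added example (not from the tutorial or from John the Ripper itself), here is a small Python helper that does the padding described above automatically and reports which lines carry a DES hash John can work on; the sample password file, the filler fields and the regular expression for the 13-character DES hash are constructed for this example.

```python
import re

# Traditional DES crypt(3) output: 2 salt chars + 11 hash chars, all from
# the 64-character set [./0-9A-Za-z] (13 characters in total).
DES_HASH = re.compile(r"^[./0-9A-Za-z]{13}$")

# Filler for the five trailing fields, taken from the text above; John
# ignores their content as long as the colon structure is intact.
FILLER = ["510", "102", "His name", "/home/subdir/owner", "/bin/bash"]


def classify_hash(field: str) -> str:
    """Say what the password field holds: a DES hash, a shadow/lock marker,
    nothing at all, or something this helper does not recognize."""
    if field == "":
        return "empty"                  # passwordless account, nothing to crack
    if field in ("*", "x") or field.startswith("!"):
        return "shadowed-or-locked"     # real hash lives in the shadow file
    if DES_HASH.match(field):
        return "des"
    return "unknown"                    # e.g. an MD5 or other format


def normalize_line(line: str):
    """Return (seven-field line, hash kind), or (None, reason) for lines
    John could not use.  Two-field login:hash lines are padded with FILLER."""
    line = line.rstrip("\r\n")
    if not line or line.startswith("#"):
        return None, "skip"
    parts = line.split(":")
    if len(parts) == 2:
        parts = parts + FILLER
    if len(parts) != 7:
        return None, f"malformed ({len(parts)} fields)"
    login, pw_field = parts[0], parts[1]
    if not login:
        return None, "missing login"
    return ":".join(parts), classify_hash(pw_field)


def prepare_for_john(text: str):
    """Split a password file into lines with a crackable DES hash and a
    report (line number, reason) for everything else."""
    crackable, report = [], []
    for number, raw in enumerate(text.splitlines(), 1):
        fixed, kind = normalize_line(raw)
        if fixed is not None and kind == "des":
            crackable.append(fixed)
        elif kind != "skip":
            report.append((number, kind))
    return crackable, report


# Constructed sample mixing every form mentioned in the text above:
# a full seven-field line, a bare login:hash pair, a shadowed entry,
# a damaged line and an 'x' placeholder as written by modern systems.
SAMPLE = """\
# comment lines are ignored
owner:Ejrt3EJUnh5Ms:510:102:Some free text:/home/subdir/owner:/bin/bash
zalabuk:Ejrt3EJUnh5Ms
root:*:0:0:root:/root:/bin/sh
broken:Ejrt3EJUnh5Ms:extra
daemon:x:1:1:daemon:/usr/sbin:/bin/false
"""

if __name__ == "__main__":
    ready, notes = prepare_for_john(SAMPLE)
    print("lines ready for john:")
    for line in ready:
        print(" ", line)
    print("left out:")
    for number, reason in notes:
        print(f"  line {number}: {reason}")
```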
3) We're getting somewhere... nowhere
--------------------------------------------------------------------------------
Now you're ready to crack. Type in
john -w:words.lst password.file
Where words.lst is the password dictionary and password.file is the file where you have your password or passwords. If you use it on the example I gave you, you'll probably get the password because it's a really weak pass. You'd be surprised to see that people usually use really weak passes like their names, pet names, or even their username (for example: username=zalabuk, password=zalabuk).
Hint: Don't be stupid! Use strong passes like
p4sswr!@
p@s$w11s
with as many characters as you can remember. The hint is to use special characters and numbers; those passes are much harder to crack (I'll explain why in a minute).
The other hint is to use passes as long as you can remember; 8 characters are sometimes not enough... it depends what box the one who cracks has... on a dual alpha it is certainly not enough... in other words... more than 10 characters will do fine, even more wouldn't hurt (like 16...). By the way, older *nix have a fixed pass length of 8 chars... that is the old DES crypted pass that uses a 64-bit key... now there are 128-bit keys, and some perverts use even more, so there is more fun now :)
john -w:words.lst password.file
Wait wait wait! What am I doing here?
Alright, listen up carefully. The DES encryption that Unix uses CANNOT be reversed. Some encryptions can be reversed using a sometimes simple or sometimes incredibly complicated algorithm (in the 3rd century AD, Caesar used to send encrypted letters which used a formula of "shift by three", which means that d stands for a, e stands for b etc. At that time, such an algorithm was just fine. Today, it isn't).
So anyway, the altered DES encryption that Unix uses for its password files cannot be reversed. Why? Because it's a key-based encryption. The encryption algorithm uses a bunch of letters (lowercase and uppercase), numbers and symbols within the algorithm. So, in other words, to run the decryption algorithm you will need this key, which you simply cannot have, because the key is the password! You see, when a user picks a password, the system generates an encrypted password for him, called a hash (which is what you get when you somehow acquire a password file), which is created by running this altered DES algorithm using the user's password as the key. If you try to decrypt the password using standard reversible DES encryption, you get a null string.
So how do John and other password crackers do it? Easy. They try to recreate this process by taking passwords out of these dictionary files (or wordlists) and using them as keys for this altered DES algorithm process. Then, they compare the result to all the encrypted passwords within the password file you've given them. If the two strings match - there you have it! The password is yours!
If the first step doesn't work, the next step would be to do this:
john -w:words.lst -rules password.file
This switch turns on not only browsing through the dictionary, but also some modifications of the words that are in the dictionary (like adding a number at the end of the pass: fool -> fool1, etc. etc.). This one will take long with a huge pass dictionary, but it may give better results... For a start you could do a try with a small pass dictionary, and if it doesn't work you can try it with a huge pass dictionary.
Sometimes people are not stupid when they choose passwords and basic rules won't do the job... aaargh. As you've seen, it takes more and more time for your CPU to crack this thing out as we go further. Now you can leave your computer on and go to sleep....
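To make the "use the candidate as the key, hash it, compare" loop from the last few paragraphs concrete, here is an added Python example that is not part of the tutorial or of John the Ripper. Python no longer ships the DES-based crypt(3), so a salted SHA-256 stands in for it as a labelled substitute; the mangling rules are a tiny subset of what '-rules' does, and the three accounts, their salts and the wordlist are constructed here.

```python
import hashlib
from typing import Dict, Iterable, List, Tuple


def stand_in_hash(salt: str, password: str) -> str:
    """One-way, salted stand-in for crypt(3) (SHA-256, NOT the real DES
    variant).  As with DES crypt, the two salt characters are stored in
    front of the digest so a checker can read the salt back out."""
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return salt + digest[:22]


def apply_rules(word: str) -> Iterable[str]:
    """A handful of mangling rules in the spirit of '-rules'; the real
    [List.Rules:Wordlist] section in john.ini is far larger."""
    yield word                       # plain wordlist mode tries just this
    yield word.capitalize()          # fool -> Fool
    yield word.upper()               # fool -> FOOL
    for digit in "0123456789":
        yield word + digit           # fool -> fool0 .. fool9
    yield word[::-1]                 # fool -> loof
    yield word + "!"                 # fool -> fool!


def audit(entries: List[Tuple[str, str]], wordlist: Iterable[str],
          use_rules: bool = False) -> Tuple[Dict[str, str], int]:
    """Run every candidate through the one-way function with each stored
    salt and compare with the stored hashes.  Returns {login: recovered
    password} and the number of candidates generated.  Entries are grouped
    by salt so a candidate is hashed once per distinct salt rather than
    once per account, which is why salts matter for cracking speed."""
    by_salt: Dict[str, List[Tuple[str, str]]] = {}
    for login, stored in entries:
        by_salt.setdefault(stored[:2], []).append((login, stored))

    found: Dict[str, str] = {}
    tried = 0
    for word in wordlist:
        candidates = apply_rules(word) if use_rules else (word,)
        for cand in candidates:
            tried += 1
            for salt, group in by_salt.items():
                computed = stand_in_hash(salt, cand)
                for login, stored in group:
                    if login not in found and computed == stored:
                        found[login] = cand
    return found, tried


# Constructed sample: three accounts whose hashes are produced right here so
# the example is self-contained.  'zalabuk' reuses the login as password
# (the weak choice the text warns about), 'owner' has a digit appended,
# 'admin' uses the strong pass quoted in the text.
_SECRETS = {
    "zalabuk": ("Ej", "zalabuk"),
    "owner": ("ab", "fool1"),
    "admin": ("zz", "p4sswr!@"),
}
ENTRIES = [(login, stand_in_hash(salt, pw)) for login, (salt, pw) in _SECRETS.items()]
WORDLIST = ["password", "zalabuk", "fool", "secret"]

if __name__ == "__main__":
    plain, n1 = audit(ENTRIES, WORDLIST)
    rules, n2 = audit(ENTRIES, WORDLIST, use_rules=True)
    print(f"wordlist only : {plain} after {n1} candidates")
    print(f"with rules    : {rules} after {n2} candidates")
```

Only 'zalabuk' falls to the plain wordlist; 'owner' needs the digit-append rule, and 'admin' survives both runs, which is the difference between the first and second john commands above.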
If you want to get even more possible passwords out of your password file, try typing
john -i password.file
This -i stands for incremental cracking, not really a good word for it, but...
Okay, what the hell does it do? It uses the default incremental mode parameters, which are defined in john.ini.
What does this mean? Do you remember -rules? Yes, well, of course you do, unless you're either incredibly senile or you've stopped reading after this part and only came back, like... a couple of years later. That is very much like rules, but much much more powerful than -rules, and it takes much, much more time.
4) So where are we now (dictionary vs. brute-force)?
--------------------------------------------------------------------------------
You can see that in all cases you use so-called dictionary cracking... but hell, why not just run John on a mode where it tried all possible combinations of lowercase and uppercase letters, numbers and symbols? I mean, this would be much more efficient, right? ... WROOOOOOONGG!!!
This method is called 'brute-force' attack (basically, dictionary attack is also sort of brute-force attack, but most people use the word brute-force for this specific attack).
What are the differences? First and most important, with a dictionary you go through the selected words that could be passwords and their modifications, and with brute force cracking you use ALL possible combinations. That means you have
comb = nrch^let
where:
comb - number of possible combinations
nrch - number of chars (the size of the character set)
let - number of letters used (the password length)
In case you're dealing with john's default -i character set of 95 chars and, say, a 6 letter password, you have 735091890625 possible combinations! OUCH!!
Sure, this is useful for passwords like 2405v7, but still... with the computational powers of today's modern PC, I'd just give up, unless I had access to some University's supercomputer, which I'd bet no one would ever give me (well, at least not for free, and certainly not to run a password cracker on it).
As you can see it can take a looooong time until you crack a single pass; do a little math and try to calculate how many possible combinations there are for 10, 12 and 16 chars.
I don't think you'll like the answer :)
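Carrying the formula above through for the longer lengths, as an added worked calculation that is not part of the original text (the rate $r$ is a hypothetical figure chosen only to scale the results):

With $nrch = 95$ and $comb = nrch^{let}$:

$$95^{6} = 735{,}091{,}890{,}625 \approx 7.35 \times 10^{11} \quad \text{(the figure quoted above)}$$

$$95^{8} \approx 6.63 \times 10^{15}, \qquad 95^{10} \approx 5.99 \times 10^{19}, \qquad 95^{12} \approx 5.40 \times 10^{23}, \qquad 95^{16} \approx 4.40 \times 10^{31}$$

Each extra pair of characters multiplies the keyspace by $95^{2} = 9025$. With $t = comb / r$ and a hypothetical $r = 10^{6}$ candidates per second, 6 characters take about $7.4 \times 10^{5}$ s (8.5 days), 8 characters about $6.6 \times 10^{9}$ s (210 years), 10 characters about $1.9 \times 10^{6}$ years, 12 characters about $1.7 \times 10^{10}$ years and 16 characters about $1.4 \times 10^{18}$ years, which is the answer the text says you will not like.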
Of course, sometimes dictionary attacks are not enough, but john has very powerful 'thinking'. In 'incremental' mode john will do all possible combinations from 0 to 8 characters (a zero password length means a hashed empty string; this sometimes happens). So incremental mode is one sort of brute-force attack in some way...
If you want to fire all weapons at once then you use
john password.file
This will first do the basic dictionary attack, then -rules, then -i.
5) What if...
--------------------------------------------------------------------------------
Ok, you have to turn off your box from time to time, don't you? If you're doing that haaard password that will take more than 20 hours of cracking you can stop john with ctrl+c and then resume with
john -restore
If your box crashes or if there's a power failure, you won't be able to restore your cracking sessions (sometimes)... well, that's just too bad. Hell, it happened to me once :-(
John is modular, and that is the most powerful thing about john the ripper, and that is what makes john the most advanced password cracker. John is very, very modular. John uses modes that are described in john.ini (do you still remember that incremental cracking I was talking about? Modes for rules and incremental are described in john.ini).
If you're an inventive guy then you may change the parameters in john.ini.
Here is an example of how the default parameters for -i look:
# Incremental modes
[Incremental:All]
File = ~/all.chr
MinLen = 0
MaxLen = 8
CharCount = 95
Ok... what do we have here?
[Incremental:All] - this stands for the beginning of the definition for the -i:all switch
File - filename of the file that has the characters used in mode -i:all (the whole character set)
MinLen - logically, the minimum length of password that john -i:all would try
MaxLen - even more logical, the maximum length of password that john -i:all will try
CharCount - number of chars used by john when you 'turn on' this switch
So, there are some more switches... heh
Yes there are, and down there are all the default modes pasted from john the ripper's documents:
John the Ripper's Command Line Options
--------------------------------------------------------------------------------
You can list any number of password files on John's command line, and also
specify some of the following options (all of them are case sensitive, but
can be abbreviated; you can also use the GNU-style long options syntax):
-single                  "single crack" mode
    Enables the "single crack" mode, using rules from [List.Rules:Single].
-wordfile:FILE           wordlist mode, read words from FILE,
-stdin                   or from stdin
    These are used to enable the wordlist mode.
-rules                   enable rules for wordlist mode
    Enables wordlist rules, that are read from [List.Rules:Wordlist].
-incremental[:MODE]      incremental mode [using section MODE]
    Enables the incremental mode, using the specified ~/john.ini definition
    (section [Incremental:MODE], or [Incremental:All] by default).
-external:MODE           external mode or word filter
    Enables an external mode, using external functions defined in
    ~/john.ini's [List.External:MODE] section.
-stdout[:LENGTH]         no cracking, write words to stdout
    When used with a cracking mode, except for "single crack", makes John
    print the words it generates to stdout instead of cracking. While
    applying wordlist rules, the significant password length is assumed to
    be LENGTH, or unlimited by default.
-restore[:FILE]          restore an interrupted session
    Continues an interrupted cracking session, reading point information
    from the specified file (~/restore by default).
-session:FILE            set session file name to FILE
    Allows you to specify another point information file's name to use for
    this cracking session. This is useful for running multiple instances of
    John in parallel, or just to be able to recover an older session later,
    not always continue the latest one.
-status[:FILE]           print status of a session [from FILE]
    Prints status of an interrupted or running session. To get an up to date
    status information of a detached running session, send that copy of John
    a SIGHUP before using this option.
-makechars:FILE          make a charset, overwriting FILE
    Generates a charset file, based on character frequencies from
    ~/john.pot, for use with the incremental mode. The entire ~/john.pot
    will be used for the charset file unless you specify some password
    files. You can also use an external filter() routine with this option.
-show                    show cracked passwords
    Shows the cracked passwords in a convenient form. You should also
    specify the password files. You can use this option while another John
    is cracking, to see what it did so far.
-test                    perform a benchmark
    Benchmarks all the enabled ciphertext format crackers, and tests them
    for correct operation at the same time.
-users:[-]LOGIN|UID[,..] load this (these) user(s) only
    Allows you to filter a few accounts for cracking, etc. A dash before the
    list can be used to invert the check (that is, load all the users that
    aren't listed).
-groups:[-]GID[,..]      load this (these) group(s) only
    Tells John to load users of the specified group(s) only.
-shells:[-]SHELL[,..]    load this (these) shell(s) only
    This option is useful to load accounts with a valid shell only, or not
    to load accounts with a bad shell. You can omit the path before a shell
    name, so '-shells:csh' will match both '/bin/csh' and '/usr/bin/csh',
    while '-shells:/bin/csh' will only match '/bin/csh'.
-salts:[-]COUNT          set a passwords per salt limit
    This feature sometimes allows to achieve better performance. For example
    you can crack only some salts using '-salts:2' faster, and then crack
    the rest using '-salts:-2'. Total cracking time will be about the same,
    but you will get some passwords cracked earlier.
-format:NAME             force ciphertext format NAME
    Allows you to override the ciphertext format detection. Currently, valid
    format names are DES, BSDI, MD5, BF, AFS, LM. You can use this option
    when cracking or with '-test'. Note that John can't crack password files
    with different ciphertext formats at the same time.
-savemem:LEVEL           enable memory saving, at LEVEL 1..3
    You might need this option if you don't have enough memory, or don't
    want John to affect other processes too much. Level 1 tells John not to
    waste memory on login names, so you won't see them while cracking.
    Higher levels have a performance impact: you should probably avoid using
    them unless John doesn't work or gets into swap otherwise.
6) Tips
--------------------------------------------------------------------------------
I) A good schedule to do your cracking job is
john -w:words.lst password.file
john -w:words.lst -rules password.file
john -w:words.lst password.file
john -i:digits password.file
john -i:all password.file
II) If you have a file that has only passes that look like
owner:*:510:102:His name:/home/subdir/owner:/bin/bash
you have a shadowed passwords file.
Go to the Byte-Me page at blacksun.box.sk and try to find out more about
password files (I'll leave it up to you to do this. It's important that you
learn how to find things by yourself).
III) You have some little tools that you get with john, they are all
listed below (from john's docs)
unshadow PASSWORD-FILE SHADOW-FILE
Combines the passwd and shadow files (when you already have access to
both) for use with John. You might need this since if you only used your
shadow file, the GECOS information wouldn't be used by the "single crack"
mode, and also you wouldn't be able to use the '-shells' option. You'll
usually want to redirect the output of 'unshadow' to a file.
unafs DATABASE-FILE CELL-NAME
Gets password hashes out of the binary AFS database, and produces a file
usable by John (again, you should redirect the output yourself).
unique OUTPUT-FILE
Removes duplicates from a wordlist (read from stdin), without changing
the order. You might want to use this with John's '-stdout' option, if
you got a lot of disk space to trade for the reduced cracking time.
mailer PASSWORD-FILE
A shell script to send mail to all the users who got weak passwords. You
should edit the message inside before using.
--------------------------------------------------------------------------------
So, that was about it... hope you've got something from this text.
Further readings: try reading ALL the documentation you get with john in the docs
directory. Maybe it's a little bit chaotic, but.... man those are the docs :)
Ohh, wait, wait!!
Remember, not all password files can be cracked! Smart admins alter the
encryption that they are using, especially when it comes to root passwords.
But there are always other ways to get passwords. These are covered in other
BSRF tutorials. Collect them all (lol) at http://blacksun.box.sk.
How to Install and run Windows CE on your USB Stick
Portable Windows CE is a 'launcher' for the Windows CE device emulator that can run an emulator-based image from a USB keychain.
Download the Windows CE 5.0 Device Emulator:
http://www.Mcft.com/downloads/details.aspx?FamilyID=A120E012-CA31-4BE9-A3BF-B9BF4F64CE72&displaylang=en
Change "Mcft" in the link to what it is supposed to be.
Extract the emulator to a folder on your hard drive by running "setup /a". The installer will prompt you to specify a directory to extract to, for example: D:\PortableCE
Download this launcher script:
http://www.furrygoat.com/Software/launchce.cmd.txt
Copy the downloaded launcher script to the directory you extracted the setup to. You'll need to rename the file from launchce.cmd.txt to launchce.cmd.
Once you have that set up, just copy the entire D:\PortableCE folder over to your USB keychain.
To launch the emulator, just plug in your USB keychain, navigate to the PortableCE folder, and run launchce.cmd. You should (hopefully) have the emulator fire up.
Part 1 Bittorrents
-------------------------------------------------------------------------------------
Let's get into bittorrents, 'cause it's the easiest thing to set up.
All you do is install the bittorrent client (see link above). Go to
http://suprnova.org
and click on a torrent you like. I recommend that you right click and save the torrent, and then click on the saved torrent to start a download. This way, if your download fails, you can resume it from the torrent you saved rather than having to go to the website. Confusing? It may be; that's why I recommend you go here for more helpful info:
http://www.dessent.net/btfaq/
The next thing that you need to note is that if you are using firewalls etc. you will need to free up some TCP ports, that is, from 6881 to 6999. Otherwise the program will show you a yellow dot and your downloads will be slow!!!
Now for all of you with limited connections: even though it IS TRUE that the faster you share the file you are downloading, the faster you will download it, if you saturate your uplink, aside from making your internet connection crawl slower than a constipated snail, you will also slow down your bittorrent download as your pc will not be able to acknowledge the packets which you receive fast enough, since you are using all your uplink to share. In this case the *WISE* thing to do is to click on the torrent window and select Settings for [Dial up/ISDN] and move the arrow on the right of this all the way down to 3k for uploads.
I would also like to point out that with bittorrents, unlike other p2p sharing programs, you only share the file which you are downloading and NO other files on your pc. Torrents work by downloading bits of the file like a puzzle from various people. So if you have a part of the puzzle that someone else wants, you swap and so on.
(IMPORTANT: often a torrent may appear to be completed on your hard disk (take up 500 megs as you expected) but it won't really be, because torrents often reserve space and then this space gets filled up with the missing bits of the puzzle. PLEASE remember that a torrent is not finished downloading until it says "Download Finished".)
It is also generally considered polite to leave the torrent open even after you have finished your download so that other people can download from you. If you don't wanna, then at least do it at times when there are 0 hosts and a few peers; that way you keep the torrent alive. (A host is a person or persons who have posted the torrent or left their finished file for sharing, and peers are people who are downloading the file, i.e. the host has the entire file and peers are people who don't and are downloading it.)
FINALLY, you should be able to find lots of handy stuff on suprnova, but before you click to download a file, check that it has AT LEAST 1 SEED or, if it has 0 seeds, that it has quite a few peers. The reason being that it is possible that all those people combined among themselves will not have enough data to put together the entire thing you are downloading (you will know that this is the case if after a while you still have a blue dot). Sometimes I have left these files going for a day or 2 and someone has kindly come in and shared their file again, and I managed to finish these downloads, so don't give up on these files straight away.
I know I have written a fair bit here, but you can probably ignore most of it heheh
Happy Torrenting!!
PS. If you have not found all the stuff you need on
http://suprnova.org
(you may notice they don't serve porn) then you may wanna give one of these links a go:
http://members.lycos.nl/gettorrents/index.php?
PPS. suprnova.org down? Try one of the mirrors (google is your friend: "suprnova.org mirrors"), and finally, sometimes the mirror works but the torrent does not; in this case try to modify the link to the torrent to point to another one of suprnova's mirrors. For example, if the link says
yellowhouse.com/suprnova/torrents/smellytorrent.torrent
try altering it to
phobal.ca/suprnova/torrents/smellytorrent.torrent
http://www.btsites.tk/
http://www.torrentbox.com/
http://isohunt.com/ (a good IRC & Bittorrent search engine) [<-= submitted by LanoX]
Thanks to OLI who wrote these guides.
Packet Attacks - Version 1.1 (Packet_Attack_Exlained)
Let me start by saying the internet is full of wonderful tools and papers like this one. A lot of these things can help you increase your knowledge, perhaps your job or more. But just as easily as you can learn from them, people read into them too much and decide to harm other people's work for no apparent reason. Let it be known that that is in no way the purpose of this paper. A true hacker is one who strives to attain the answers for themselves through curiosity. It's the path we take to those answers that makes us hackers, not the destruction of other people's work. So with that said, please enjoy my work, as I have enjoyed writing it.
The flow of data has always captured my interest. Just how does it work, how can we dissect it and use it to our advantage? Well, I have spent a long time studying all of this, and that is why I wrote this paper. It's a collection of run-on sentences on different packet attacks and how they work. Now we all know you can learn all you ever wanted to know about the specifications of a protocol by reading its 30 page RFC document. But that is the protocol according to design; in the wild it's a different story altogether. 'Packet Attacks' covers everything from basic DOS attacks to TCP/IP hijacking. Hence the name "Packet Attacks". This paper also focuses not just on attacks but on practical ways to prevent such attacks and ideas on new methods to help us stop them and secure our networks.
Introduction:
TCP/IP Packet Switching Networks
OSI MODEL
---Chapter 1.---
Section a.
Introduction to DDOS/DOS & Packet Attacks
Section b.
How attacks are crafted
---Chapter 2.---
Section a. (attacks)
ICMP
Smurf
SYN/ACK
UDP
DNS
ARP
DrDOS
Special Bot / Trojans
Worm DOS
Unicode ping flood (new!)
Section b.
Phasing
Section c. (hacks)
TCP hijacking
Sniffing
Scans
Information gathering / Footprinting
Section d.
Defense against these attacks
Attack Detection
Intrusion Detection
Section e.
IPSEC
NAT as a means of security
---Chapter 3.---
Section a.
The future of TCP/IP as a means of using IPv6
---Chapter 4. ---
Section a.
New security application / protocol
-----
Introduction.
Well, I assume most of you reading this paper already have a good understanding of TCP/IP and how it works, so I won't get too much into detail on that, but I will scrape the surface on the parts we NEED to discuss. The internet is a MASSIVE web of machines all connected to one another through a series of hardware devices known as routers, switches, hubs, bridges and lots more. All of these devices (although some are smarter than others) push along packets. Our operating systems and applications craft these packets in order to send data to one another over the wire. Each packet, although varying in size, carries a small bit of data from one host to another. Each packet must also carry its own personal information such as where it came from and where it's headed. Of course there is a lot more to a packet than just this information. But as far as attacks go this is the crucial information we need to look at. Now there are many, many different types of protocols that craft many different types of packets. And they are all read differently when they are received at the other end. Whereas an ARP packet may tell a host who has this MAC address on this subnet, a TCP packet might transfer the last few bits in that MP3 you're downloading. Regardless of the data, all of these packets use the same wire to move to and from locations. I couldn't possibly discuss every protocol and packet structure in this one paper. The average end user takes for granted all of this running in the background while they surf the net. Most people don't understand the complexity of this internet we are all so familiar with, the chat rooms etc. But there are people who do, and there are people who take advantage of that. Reverse engineering has led to the creation of attacks using the basic fundamentals these protocols rely on. And since TCP/IP is so embedded in our infrastructure we must adapt and learn to defend against each new attack.
OSI MODEL
The Open Systems Interconnection model is a seven layered networking design. It's an industry standard that defines exactly how data is transferred from protocol to protocol. Not every protocol follows the OSI model exactly, though some do. TCP, the internet's main mode of data transport, does not follow it exactly. Let me take you through a brief overview of the OSI model.
Layer Seven : Application Layer
This layer is obviously application specific, it provides everything from authentication to email to ftp and telnet, the
list goes on. Its specifically for end user processes, what we input into our applications we can see on our screens.
Layer Six : Presentation Layer
This layer changes and possibly encrypts the data so that the application layer can understand it. (you will understand what
this means in a few minutes)
Layer Five : Session Layer
Think of this layer as the establishment, control and termination of the sessions formed by the application (client) to
a remote host (server).
Layer Four : Transport Layer
This layer is responsible for the invisible transfer of data from host to host. It is there to ensure all data transfer
goes accordingly. The protocols used are UDP and TCP.
Layer Three : Network Layer
This layer is for error correction, packet sequencing, and for transmitting data from node to node. Addressing is also
another function of this layer in inter-networking.
Layer Two : Data Link Layer
This layer decodes and encodes packets into bits so they are ready for the physical layer. It also handles error
correction in the physical layer. This layer is also divided into two different sub-layers: the LLC (logical link
control) and MAC (media access control) sub-layers. The LLC sub-layer provides control for frame synchronization and
error checking. The MAC sub-layer controls how a computer on your network has access to data.
Layer One : Physical Layer
This layer is the actual movement of the data. Using electrical impulses or some other form of data movement it pushes
the bit stream towards the other host. This layer is the hardware level: the ethernet card, the wire etc. There are many
protocols within this layer.
You may ask yourself why I listed these from 7 to 1. Well, I did it to show you how the OSI model really works. Layer
Seven really comes first: the end user types something into his instant messenger (for example) and the data flows down
through the OSI model, being encapsulated and changed at every level it has to be changed or corrected at. The data
travels the wire and at the other end it moves back up the OSI model, all the way back up to layer seven, where the other
host can read it in the original form it was sent. So there's a VERY basic understanding of the OSI model and how it
works to transmit data from host to host. There are a lot more protocols and parts to the OSI model, but this basic
representation should provide a firm understanding.
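To make the trip down and back up the layers concrete, here is an added example (my own code, not from this paper or from any tool it mentions) that wraps an application payload in a UDP header (layer four) and then an IPv4 header (layer three), the way the sending host's stack does, and then decapsulates the same bytes the way the receiving host does, checking the IP header checksum on the way back up. The addresses, ports and payload are constructed sample values; the physical and data-link layers are left out, since the bytes shown here would simply be placed inside an Ethernet frame.

```python
import socket
import struct


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words (the IPv4 header checksum)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_udp(src_ip: str, dst_ip: str, src_port: int, dst_port: int,
                   payload: bytes, ttl: int = 64) -> bytes:
    """Encapsulate: application payload -> UDP header (layer 4) -> IPv4 header (layer 3)."""
    udp_len = 8 + len(payload)
    # A UDP checksum of 0 means "not computed", which IPv4 permits; the IP header has its own.
    udp_header = struct.pack("!HHHH", src_port, dst_port, udp_len, 0)
    total_len = 20 + udp_len
    ip_header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,                    # version 4, header length 5 words (20 bytes)
        0,                       # DSCP / ECN
        total_len,
        0x1234,                  # identification (constructed sample value)
        0x4000,                  # flags: don't fragment, fragment offset 0
        ttl,
        socket.IPPROTO_UDP,
        0,                       # checksum placeholder, filled in below
        socket.inet_aton(src_ip),
        socket.inet_aton(dst_ip),
    )
    checksum = ip_checksum(ip_header)
    ip_header = ip_header[:10] + struct.pack("!H", checksum) + ip_header[12:]
    return ip_header + udp_header + payload


def parse_ipv4_udp(packet: bytes) -> dict:
    """Decapsulate: peel the IPv4 header, then the UDP header, then hand the payload up."""
    version_ihl = packet[0]
    if version_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (version_ihl & 0x0F) * 4
    ip_header = packet[:ihl]
    total_len, = struct.unpack("!H", ip_header[2:4])
    ttl, proto = ip_header[8], ip_header[9]
    network = {
        "src": socket.inet_ntoa(ip_header[12:16]),
        "dst": socket.inet_ntoa(ip_header[16:20]),
        "ttl": ttl,
        "protocol": proto,
        # re-summing a header that already carries its checksum must give 0
        "checksum_ok": ip_checksum(ip_header) == 0,
    }
    if proto != socket.IPPROTO_UDP:
        return {"network": network, "transport": None, "application": packet[ihl:total_len]}
    src_port, dst_port, udp_len, _udp_csum = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    transport = {"src_port": src_port, "dst_port": dst_port, "length": udp_len}
    application = packet[ihl + 8:ihl + udp_len]
    return {"network": network, "transport": transport, "application": application}


if __name__ == "__main__":
    pkt = build_ipv4_udp("192.0.2.10", "192.0.2.53", 40000, 53, b"hello")   # constructed values
    print(parse_ipv4_udp(pkt))
```

The same walk applies to every protocol the paper goes on to discuss: ICMP, TCP and DNS all sit inside the IPv4 header built here, and a sniffer decodes them by peeling headers in exactly this order.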
To understand all of this more in depth please get your hands on a few RFC (Request for Comments) documents and start
reading, because it will take you a very long time to understand exactly how TCP/IP works. If you're very knowledgeable
in the way TCP/IP works then this paper should make a lot of sense to you, perhaps even bore you! :( On the other hand,
if you don't understand TCP/IP as well as you would like to, you still might get something out of this. I try to explain
all of the technical writing as easily as I can. Feel free to email me if you have a question or comment. Thanks :)
Data_Clast
---------------------------------------------------------------------------------------
Chapter 1.
Section a.
The most common attack on the internet today is a denial of service attack. There are many programs on the internet today
that will assist anyone in crafting one of these attacks. The sad part is that for as easy as they are to make, their
power can be destructive when used properly. No matter what kind of packet attack it may be, most are based on the same
principle: volume. Thousands and thousands of spoofed packets will eat up network resources within minutes, choking and
essentially 'killing' any network. There are many types of packet attacks. Some are more sophisticated than others. I
will also talk about TCP/IP hijacking and your typical port and vulnerability scans, among other things.
Why do people launch these attacks? How are they launched? How exactly (technically speaking) do they 'choke a network'?!
Hold tight, I'm getting to that. The lower end of these attacks are usually launched by what the hacker community calls a
script kiddie. You see, a hacker isn't a mindless web-defacing juvenile (please see the Mentor's Manifesto). A hacker is
a person of true intellect and would never craft such an attack for no reason. But these lower end attacks are usually
launched at people's individual machines. Their IP addresses may come from an IRC chat room, Yahoo Messenger, AOL, ICQ,
or whatever other messenger you might use. Although not as sophisticated, these 'lower end' attacks can still knock an
individual machine offline in minutes. The slightly more advanced attacks may be aimed at a business competitor in order
to slow their sales or disrupt their outgoing internet connection. Whatever the reason may be, they are usually launched
for a reason. Attacking a box for no reason is typically useless and will only take up your own bandwidth.
The more sophisticated attacks are aimed at government and root points of the internet, such as the attacks on the root
DNS servers in October of 2002. These attacks were sophisticated in the way they were crafted. The attacks lasted for over
an hour and successfully took out a few of the servers. If the attack had lasted just a few more minutes, who knows the
damage it could have caused. The possibility of the authorities solving these attacks and apprehending the offenders is
slim to none because they are created and launched by skilled malicious individuals. They were also distributed denial of
service attacks, which means the 'zombie' machines that attacked the servers were spread out all over the world. We will
touch more on that later though.
Section b.
You will learn more about how these individual attacks are crafted and how they work later in this paper, but this is a
small introduction so you can get a vague idea. Creating spoofed packets requires an open socket. This socket binds to an
IP and a port and allows you to inject a packet onto the wire or accept any incoming packets to that IP and port. *NIX
openly supports socket programming (there are many tutorials on this type of programming), which means you can code
programs that create packets and then inject them into the network with ease. An example of this would be a program
called "SENDIP", which allows you to create custom packets, and it supports many protocols (another good program is
nemesis). I have written a few tutorials using SENDIP; I think it's a great program for both advanced and new network
engineers to use. It will help you learn about packet structure and the different protocols it supports. Microsoft is not
an open source company, which pretty much makes it even harder to find help in creating these sorts of programs for
Windows. But it is possible to craft these attacks from within a Windows environment. It's referred to as 'Winsock'
programming. In fact most of these DDOS attacks are because of vulnerable Windows boxes out on the net. They are sitting
ducks for trojan horses and other programs that craft these attacks on servers when commanded from a client program to
do so. Most end users do not understand security and how easy it is to break into someone's home computer, so they lack
firewalls and virus scanners. This leads to many zombie machines available at hackers' disposal on the net. All one has
to do is scan a class C subnet for open trojan ports and hack their way into those trojans and use them as a backdoor;
another zombie is created for attacking remote targets. Almost every program that interacts with TCP/IP generates
packets to and from places; this is valid traffic. As you read you will distinguish the difference between valid and
non-valid, as it is pretty easy to understand what I am explaining when I say "attack". When creating an open socket and
crafting spoofed packets these programs tell the kernel they are going to construct their own IP headers. Usually this
information is put on by the kernel before the packet exits the machine, but in this instance we are telling the kernel
we want to specify our own information. Not all operating systems will allow this, and no, I don't have a detailed list
of which do and which don't. Most of the experiments I have conducted on my network used different versions of RedHat
Linux, Mandrake Linux, and Windows XP.
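The spoofing described above is possible because the sending host's kernel lets the program fill in its own source address, so the check cannot live on the zombie; it has to live in the network. The standard countermeasure is to filter on source address at the network edge (ingress/egress filtering, RFC 2827 / BCP 38). The following is an added example, not from this paper, of the decision such a filter makes. It assumes a constructed topology where everything behind the edge router lives in 192.0.2.0/24, and its bogon list is a short illustrative subset rather than a complete one.

```python
import ipaddress

# Constructed sample topology: every host behind the edge router lives in this prefix.
INTERNAL_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]

# Ranges that can never legitimately be a source address on the public side (illustrative subset).
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def _in_any(addr, prefixes):
    return any(addr in prefix for prefix in prefixes)


def classify_packet(direction: str, src: str, dst: str) -> str:
    """Decide what the edge router does with one packet.

    direction is 'egress' (leaving our network for the internet) or 'ingress' (arriving
    from the internet). The egress rule stops a zombie inside our network from spoofing
    someone else's address; the ingress rules stop outsiders from claiming to be one of
    our hosts or using an address that cannot be routed back to them.
    """
    source = ipaddress.ip_address(src)
    if direction == "egress":
        if not _in_any(source, INTERNAL_PREFIXES):
            return "drop: spoofed source leaving network"
        return "allow"
    if direction == "ingress":
        if _in_any(source, INTERNAL_PREFIXES):
            return "drop: our own prefix arriving from outside"
        if _in_any(source, BOGON_PREFIXES):
            return "drop: bogon source"
        return "allow"
    raise ValueError("direction must be 'egress' or 'ingress'")


def filter_packets(packets):
    """packets: iterable of (direction, src, dst). Returns (allowed, dropped) with verdicts."""
    allowed, dropped = [], []
    for direction, src, dst in packets:
        verdict = classify_packet(direction, src, dst)
        (allowed if verdict == "allow" else dropped).append((direction, src, dst, verdict))
    return allowed, dropped


# Constructed sample traffic seen at the edge router.
SAMPLE = [
    ("egress", "192.0.2.10", "198.51.100.5"),    # legitimate internal host talking out
    ("egress", "203.0.113.7", "198.51.100.5"),   # zombie spoofing a foreign source address
    ("ingress", "192.0.2.77", "192.0.2.10"),     # outsider pretending to be internal
    ("ingress", "10.9.8.7", "192.0.2.10"),       # private-range source from the internet
    ("ingress", "198.51.100.5", "192.0.2.10"),   # normal reply to our host
]

if __name__ == "__main__":
    for entry in filter_packets(SAMPLE)[1]:
        print(entry)
```

The egress half is the one that matters for the attacks in this paper: if every network did it, a spoofed SYN or ECHO_REQUEST could not leave the zombie's own ISP, and the victim would at least be able to trace the flood to that ISP.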
Chapter 2.
Section a.
There are several different types of packet attacks. There's the simple brute flood of ICMP packets which floods a
network and eats up all the available bandwidth, and then there are more sophisticated attacks like the Smurf or SYN/ACK
attack. All of these attacks target different things. While the Smurf attack may target the general network it's
attacking, the SYN/ACK attack targets a specific host or service running on a host. We also must take into consideration
that when a target is attacked it may not be the only machine affected. There are many routers and other boxes
transferring the data between point A and point B. Other people's legitimate data is flowing between them, and may be
disrupted by the packet flood. Even a top of the line router can only handle so much data. And unfortunately it is very
easy to obtain source code for these attacks all over the web. Let's take a more detailed look at each attack.
ICMP brute flood attack.
ICMP works on top of TCP. The ICMP protocol is simple yet very effective. It's used for error correcting and testing
network connectivity. Your average PING program uses ICMP packets to test network connectivity: by sending a small amount
of arbitrary data in an ECHO_REQUEST packet it waits for a reply from the target host. Simple, right? A typical ICMP
packet is called an ECHO_REQUEST. You send 4 or 5 of these at a target machine and when they arrive there they request
an ECHO_REPLY. That's when everything is done according to design. If you want more info on an ICMP packet and how it
works then read my tutorial on that!
http://www.theory-x.org/dataclast/_content/MPS.txt
In this attack the source IP address is spoofed. So now hundreds, thousands of ECHO_REQUEST packets rush towards their
destination. They reach point B and request an ECHO_REPLY for every ECHO_REQUEST sent. Point B says OK and reads the
source IP. The source IP ends up being unreachable, but point B is waiting a small amount of time (milliseconds) to
determine that for every packet that's hitting it. It will be a few more moments before the process relinquishes this
small bit of memory back to the system. This adds up to a great deal of packets and memory allocation building up. Now if
these packets are coming from multiple source zombies (DDOS) then this means they're each coming from different routes.
So even if one ISP stops one attack, there are still many more zombie machines attacking the victim. All of this is
eating up time and bandwidth, because with every millisecond that passes more and more bandwidth is being taken up.
Eventually point B can no longer keep up with the ECHO_REQUESTs and its connection is completely flooded and of no use.
On an unprotected system or router this attack can be very consuming. This attack is also sometimes referred to as a
bandwidth attack. Even if the target is running an advanced firewall it cannot protect the wire it is connected to from
being flooded with packets. There have been changes in this attack as well. On the net there are what we call
amplifiers. On every network there are the network and subnet addresses. In many default configurations when you ping
either one of these addresses they multiply the echo requests by 4 or more. So a zombie would attack a vulnerable network
(.0) or subnet address (.255) with a spoofed source IP, being the victim's real IP. So even though the traffic becomes
valid as far as IP addresses go, the victim gets bombarded with massive ECHO_REPLY packets. You will see more of this
description in other attacks, as it works for some of those too.
[zombie machine] -->ICMP ECHO_REQUEST (source IP = 1.1.1.1) -->-->--> [target]
[??????????????] ICMP ECHO_REPLY (destination 1.1.1.1 ?)<-- [target]
Hopefully that simple drawing shows you exactly how this attack works. It's very, very simple: massive ICMP packets with
spoofed addresses taking up network resources. The simplest of attacks.
Smurf attack.
(first part is a repeat from the ICMP attack) There have been changes in the ICMP attack. On the net there are what we
call amplifiers. On every network there are the network and subnet addresses. In many default configurations when you
ping either one of these addresses they multiply the echo requests by 4 or more. So a zombie would attack a vulnerable
network (.0) or subnet address (.255) with a spoofed source IP, being the victim's real IP. So even though the traffic
becomes valid as far as IP addresses go, the victim gets bombarded with massive ECHO_REPLY packets. You will see more of
this description in other attacks, as it works for those too.
You can try this attack on your home network by simply opening a packet sniffer on each machine that is on. Pick a
machine, any machine, and ping your broadcast address. Mine is 192.168.0.255. Immediately you see each machine receiving
a broadcast packet. Now imagine it's several hundred and each one has a spoofed source IP address. It's a brute ICMP
attack on a massive scale; the possibilities of this attack are endless. You could easily implement this attack in any
way you chose. You could spoof the victim's real IP as your source IP and create massive volumes of legit ECHO_REPLY
packets. Even though it's valid traffic, it's 4x or more times the normal load of valid traffic. This consumes the
connection and valid traffic can't pass, or passes so slowly it makes no difference to the end user.
[zombie machine] --> ICMP ECHO_REQUEST source ip = 10.2.2.2 --> to: broadcast router 4.1.0.255 (router multiplies the
ECHO_REPLY packets by 4x! --> --> --> --> [victim 10.2.2.2]
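As an added example (my own code, not from this paper), here is the defender's view of both the ICMP brute flood and the Smurf amplifier described above: a small detector run over a constructed packet capture. It raises a flood alert when the ECHO_REQUEST rate at any destination crosses a threshold inside a sliding window and reports how many distinct claimed sources were involved, since a spoofed flood shows far more sources than any real ping would; separately it flags every echo request aimed at the network or broadcast address of one of our own subnets, which is exactly the packet a Smurf attacker needs a router to forward. The subnet 192.0.2.0/24 and every address and timestamp in the sample are constructed.

```python
import ipaddress
from collections import defaultdict, deque

ECHO_REPLY, ECHO_REQUEST = 0, 8            # ICMP type values

# Constructed sample topology: our own subnets, whose .0 and .255 addresses nobody outside should ping.
LOCAL_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]


def is_directed_broadcast(dst: str) -> bool:
    """True if dst is the network or broadcast address of one of our subnets (a Smurf amplifier)."""
    addr = ipaddress.ip_address(dst)
    return any(addr in (net.network_address, net.broadcast_address) for net in LOCAL_NETWORKS)


def detect_icmp_flood(events, window=1.0, threshold=100):
    """events: iterable of (time, src, dst, icmp_type), in time order.

    Returns (flood_alerts, amplifier_hits):
      flood_alerts   -- (time, dst, requests_in_window, distinct_sources), raised once per
                        destination when the ECHO_REQUEST count inside the last `window`
                        seconds first reaches `threshold`
      amplifier_hits -- (time, src, dst) for every ECHO_REQUEST sent to a broadcast address,
                        i.e. an attempt to use our network as a Smurf amplifier
    """
    recent = defaultdict(deque)          # dst -> timestamps of requests still inside the window
    sources = defaultdict(set)           # dst -> distinct claimed source addresses
    alerted = set()
    flood_alerts, amplifier_hits = [], []
    for t, src, dst, icmp_type in events:
        if icmp_type != ECHO_REQUEST:
            continue
        if is_directed_broadcast(dst):
            amplifier_hits.append((t, src, dst))
        recent_for_dst = recent[dst]
        recent_for_dst.append(t)
        while recent_for_dst and t - recent_for_dst[0] > window:   # slide the window forward
            recent_for_dst.popleft()
        sources[dst].add(src)
        if len(recent_for_dst) >= threshold and dst not in alerted:
            alerted.add(dst)
            flood_alerts.append((t, dst, len(recent_for_dst), len(sources[dst])))
    return flood_alerts, amplifier_hits


# Constructed sample capture: a spoofed-source flood at .20 (150 requests in 0.6 s, each with a
# different claimed source), one normal ping exchange, and one ping at our broadcast address.
SAMPLE = sorted(
    [(i / 250, "203.0.113.%d" % (i % 200 + 1), "192.0.2.20", ECHO_REQUEST) for i in range(150)]
    + [(0.10, "192.0.2.30", "192.0.2.40", ECHO_REQUEST),
       (0.11, "192.0.2.40", "192.0.2.30", ECHO_REPLY),
       (0.50, "203.0.113.9", "192.0.2.255", ECHO_REQUEST)]
)

if __name__ == "__main__":
    floods, amplifiers = detect_icmp_flood(SAMPLE)
    print("flood alerts:", floods)
    print("amplifier attempts:", amplifiers)
```

On the amplifier side the fix is configuration rather than detection: Linux hosts stop answering broadcast pings with net.ipv4.icmp_echo_ignore_broadcasts=1 (the default on current kernels), and Cisco IOS routers stop forwarding directed broadcasts with no ip directed-broadcast on each interface (also the default since IOS 12.0). With those in place the ".0" and ".255" addresses the paper mentions no longer multiply anything.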
SYN/ACK attack.
The SYN/ACK attack is a very powerful attack. SYN/ACK packets are also used in TCP hijacking and the TCP/IP three way
handshake. When an application wants to connect with a server somewhere over the net via a TCP connection (connection
vs. connectionless data transfer (UDP)) it first sends a SYN packet. The SYN packet tells the target machine it wants to
make a connection on a certain specified port, and then send data. When the target machine reads the SYN packet it
replies to the original host with a SYN packet of its own and an ACK (acknowledgement) packet with sequence and ack
numbers. These SEQ and ACK numbers are used to synchronize the data transfer: in case one or two packets get lost or
slowed down along their route, the data can be assembled again in the correct order. The original machine replies again
with another SYN/ACK packet combination acknowledging the sequence numbers and then it starts to send data. When it
creates this connection a tiny piece of memory is allocated to hold the connection while the packets are in route. Now a
SYN/ACK attack would consist of spoofing the source IP address on the original SYN packet. The target receives the
request for a connection, reads the spoofed source IP and tries to send its own SYN and ACK packet to a destination that
does not exist. Most operating systems will continue to send SYN/ACK packets if they don't receive a reply, as a method
of error correction and guaranteed data delivery. Just like in the ICMP attack the machine has to wait a few
milliseconds before abandoning all hope of reaching the machine. So these tiny allocated spaces of memory are building
up with every spoofed packet that arrives at the target. This attack is very powerful and can disable a service running
on the target machine in a matter of minutes, not to mention all the available bandwidth is eaten with thousands and
thousands of spoofed packets. So there is the SYN/ACK attack in a brief description.
[zombie machine] --> SYN packet (source IP 1.1.1.1, port = 23 telnet) (seq = 100) --> [target]
[??????????????] <-- SYN/ACK packets sent (seq = 300) (ack = 101) <-- [target]
As you can see from the simple drawing above, the target machine has no idea who is sending the SYN packets and the
telnet server it is running on port 23 would most likely crash. At best the telnet daemon would not allow any other
legitimate traffic through, as it could not gather enough resources (memory, bandwidth) to make the connection due to
all the spoofed packets.
Another use of this attack is to disconnect a user from their current TCP session by spoofing SYN/ACK packets to a
server a client is currently using. An attacker would place a "FIN" flag in the packets; this tells the server the client
is done sending data. The client loses his connection and the attacker walks away undetected, because it only took one
packet to accomplish this.
UDP attack
UDP is a protocol that is used to transfer data, short for User Datagram Protocol. UDP offers very little error
correction and is used as an alternative means for data transfer. It doesn't require the 3-way handshake like the
SYN/ACK method, so its initial attack may not take down a remote daemon as quickly. UDP is generally used to broadcast
messages over a network. A UDP attack would consist of spoofing the source IP addresses and specifying a port number like
in the SYN attack above. UDP packets are generally large because they are usually used on closed 100mb subnets (LANs). So
an attack would set flags in the packets and fragment them (break them up and flag where in the packet they broke, so
they can be reassembled on the receiving end). For example, in Windows 2000 there was a remote UDP DOS exploit that used
the IKE service running on port 500. All an attacker had to do was connect to port 500 on a random machine with that port
open and start sending massive UDP packets (above 500 bytes) to that service; the CPU usage would hit 99% and the machine
would lock up. The typical ports that accept UDP packets are 7, 13, 19 and 37 on a Windows box.
DNS attack
The DNS attack is a special one. Not as easily crafted as the others; there aren't that many tools readily available to
the average script kiddie to construct such an attack. The DNS protocol is used for name resolution, 216.239.35.100 =
google.com, simple as that? Well, not really. A DNS attack is based on the fact that a DNS query takes very little data
and bandwidth to create, but a DNS response is much bigger. So this is how a DNS attack would look:
10.10.10.10 = victims IP
[dns query packet (who is google.com)] --> source IP is 10.10.10.10 --> [dns server]
[dns server] --> --> --> [dns response] [dns response] [dns response] --> [victim]
As you can see, the attack is sort of relayed from a legitimate DNS server. Although the DNS response packets are
'legit', there is a massive flood of them because the DNS server that is sending them is a very good machine on a very
good connection. The end user, most likely a home PC, gets flooded with these huge DNS response packets it never asked
for.
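Added example, not from this paper: the victim-side check for the DNS reflection described above, run over a constructed log of DNS packets crossing the network edge. A legitimate response always matches a query we sent (same server, same transaction ID), so responses with no outstanding query are unsolicited, and the ratio of response bytes received to query bytes sent measures the amplification the attacker is getting out of the server. The server address 198.51.100.53, the transaction IDs and the packet sizes are all constructed.

```python
from collections import defaultdict


def analyze_dns_traffic(events):
    """events: iterable of (time, direction, server_ip, txid, length, is_response), in time order.

    direction is 'out' (left our network) or 'in' (arrived from the internet).
    Returns the unsolicited responses plus byte counts and the amplification ratio.
    """
    outstanding = defaultdict(set)      # server ip -> transaction ids we are still waiting on
    bytes_out = bytes_in = 0
    unsolicited = []
    for t, direction, server, txid, length, is_response in events:
        if direction == "out" and not is_response:
            outstanding[server].add(txid)           # we asked this server something
            bytes_out += length
        elif direction == "in" and is_response:
            bytes_in += length
            if txid in outstanding[server]:
                outstanding[server].discard(txid)   # the answer we were waiting for
            else:
                unsolicited.append((t, server, txid, length))   # reflected at us, never requested
    ratio = bytes_in / bytes_out if bytes_out else float("inf")
    return {
        "unsolicited": unsolicited,
        "unsolicited_count": len(unsolicited),
        "bytes_out": bytes_out,
        "bytes_in": bytes_in,
        "ratio": ratio,
    }


def looks_like_reflection(report, min_unsolicited=10, min_ratio=10.0):
    """A few stray responses happen (late answers, retries); many of them at a high ratio do not."""
    return report["unsolicited_count"] >= min_unsolicited and report["ratio"] >= min_ratio


# Constructed sample log: two real lookups with their answers, then 30 large responses we never asked for.
SAMPLE = (
    [(0.00, "out", "198.51.100.53", 0x1001, 60, False),
     (0.02, "in", "198.51.100.53", 0x1001, 200, True),
     (0.50, "out", "198.51.100.53", 0x1002, 60, False),
     (0.52, "in", "198.51.100.53", 0x1002, 200, True)]
    + [(1.0 + i * 0.005, "in", "198.51.100.53", 0x9000 + i, 3000, True) for i in range(30)]
)

if __name__ == "__main__":
    report = analyze_dns_traffic(SAMPLE)
    print(report["unsolicited_count"], "unsolicited responses, ratio %.1f" % report["ratio"])
    print("reflection attack:", looks_like_reflection(report))
```

On the resolver's side the mitigations are to answer recursive queries only for its own clients (a closed rather than open resolver) and to rate-limit responses per source, so that the "very good machine on a very good connection" cannot be pointed at a home PC in the first place.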
ARP attack
The ARP attack is a special one; it can be used to 'hijack' a TCP connection currently in session or it can be used to
sniff the legitimate traffic on a wire other than your own, which is a very dangerous thing in the information world we
live in today. There are a few methods of this attack. Let's say person1, attacker, and server are all on the same
subnet. Person1 and server currently have an FTP session open. Attacker sends both server and person1 an ARP packet
containing an invalid MAC address. Now both of their ARP tables are messed up for at least 30 seconds. Server and person1
can't find that invalid MAC address so they send their data to the IP it's associated with, the attacker. So in this
case the attacker has a sniffer set up and he's collecting a ton of data. Now the attacker (an advanced one at that) can
issue commands as person1 to the server. This attack takes timing and skill to pull off on the internet, but on a LAN
it's very easy. It only allows for maybe 30 or so seconds of sniffing, until their ARP table is constructed properly
again.
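Added example, not from this paper: a passive ARP monitor of the kind a sniffer on the same subnet would run to catch the poisoning described above. It learns each IP-to-MAC binding from the first reply it sees (or from a static list for the gateway), alerts when a later reply claims a different MAC for the same IP, and alerts separately on replies that answer a request nobody sent, which is how the attacker's packet reaches person1 and the server. The MAC addresses and the 192.0.2.0/24 hosts in the sample are constructed.

```python
from collections import defaultdict

ARP_REQUEST, ARP_REPLY = 1, 2      # ARP opcode values


class ArpWatcher:
    """Passive ARP monitor: feed it (time, opcode, sender_mac, sender_ip, target_ip) from a sniffer."""

    def __init__(self, static=None):
        self.table = dict(static or {})    # ip -> mac; pre-seed with known gateways and servers
        self.asked = defaultdict(set)      # ip being looked up -> ips that asked for it
        self.alerts = []

    def observe(self, t, opcode, sender_mac, sender_ip, target_ip):
        if opcode == ARP_REQUEST:
            self.asked[target_ip].add(sender_ip)
            return
        if opcode != ARP_REPLY:
            return
        # A reply that answers a question nobody asked is the hallmark of cache poisoning.
        if target_ip in self.asked[sender_ip]:
            self.asked[sender_ip].discard(target_ip)
        else:
            self.alerts.append((t, "unsolicited reply", sender_ip, sender_mac))
        known = self.table.get(sender_ip)
        if known is None:
            self.table[sender_ip] = sender_mac          # first sighting: learn it
        elif known != sender_mac:
            # Keep the original binding and report the conflict, instead of overwriting like a host would.
            self.alerts.append((t, "binding changed", sender_ip, "%s -> %s" % (known, sender_mac)))

    def poisoned(self):
        """IPs for which a conflicting MAC was ever claimed."""
        return sorted({ip for _, kind, ip, _ in self.alerts if kind == "binding changed"})


def run(events, static=None):
    watcher = ArpWatcher(static)
    for event in events:
        watcher.observe(*event)
    return watcher


# Constructed sample capture: a normal exchange between a host and the gateway, then a
# forged reply that claims the gateway's IP for a different MAC.
SAMPLE = [
    (0.00, ARP_REQUEST, "02:00:00:00:00:10", "192.0.2.10", "192.0.2.1"),   # host asks who has the gateway IP
    (0.01, ARP_REPLY,   "02:00:00:00:00:01", "192.0.2.1",  "192.0.2.10"),  # gateway answers
    (0.02, ARP_REQUEST, "02:00:00:00:00:01", "192.0.2.1",  "192.0.2.10"),  # gateway asks for the host
    (0.03, ARP_REPLY,   "02:00:00:00:00:10", "192.0.2.10", "192.0.2.1"),   # host answers
    (5.00, ARP_REPLY,   "02:00:00:00:00:66", "192.0.2.1",  "192.0.2.10"),  # attacker claims the gateway IP
]

if __name__ == "__main__":
    for alert in run(SAMPLE).alerts:
        print(alert)
```

The watcher deliberately keeps the first binding rather than the newest one, the opposite of what a host's ARP cache does, so the attacker's later reply is what gets flagged. Static ARP entries for the gateway on critical hosts, and Dynamic ARP Inspection on managed switches, stop the poisoning rather than just reporting it.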
DRDOS attack
A DRDOS attack uses a little of other attacks to inflict damage. This attack spoofs the source IP address of SYN packets
to the IP of the victim. It requires a third party. This is the part of the attack that makes it so easy. All it needs is
some FTP, web server, telnet... ANY service that will reply with an ACK packet, anywhere on the internet. Could be
Angelfire's free FTP servers, could be your neighbor's web server running off his 233mhz Compaq with IIS 4.0. It doesn't
matter! The SYN packets are sent to that service's IP address and they of course reply with a steady stream of SYN/ACK
packets to the victim, most likely directed towards an open port on the victim's machine, crashing that service and the
system. These attacks are near impossible to track down. This attack is quite possibly the strongest DOS attack in my
opinion. For every SYN packet you send the middle man, it sends out up to 4 SYN/ACK combinations to the victim, and each
time the victim doesn't respond the middle man sends even more (error correction). This allows the attacker to construct
a massive attack from just one machine with a broadband connection. There are more dangers to this attack as well: there
are hundreds of thousands of FTP, web servers and many more services running on the net today that will deflect these
SYN/ACK packets at the victim. So in theory this attack could use any number of 'middle man' servers to bombard your
network with packets.
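Added example (my own code, not from this paper) covering both the SYN/ACK attack and the DRDOS attack above from the defender's side: a handshake monitor fed with the TCP control packets a sensor at the network edge would see. Inbound SYNs to our servers are held as half-open until the client's final ACK (or a RST) arrives, so a pile of never-completed entries on one port is the SYN flood; inbound SYN/ACKs for which we never sent a SYN are the 'middle man' backscatter a DRDOS victim receives. Addresses, ports and timings in the sample are constructed, and flags use tcpdump's letters (S, A, R).

```python
from collections import defaultdict


def _flags(flags: str) -> frozenset:
    """'SA' -> {'S', 'A'}; tcpdump shorthand for the TCP flag bits."""
    return frozenset(flags.upper())


class HandshakeMonitor:
    """Feed observe() with (time, direction, src, sport, dst, dport, flags); direction is
    'in' or 'out' relative to our network."""

    def __init__(self):
        self.half_open = {}      # (client, cport, server, sport) -> time the SYN arrived
        self.our_syns = set()    # (our_ip, our_port, server, sport) connections we opened ourselves
        self.backscatter = []    # inbound SYN/ACKs answering a SYN we never sent

    def observe(self, t, direction, src, sport, dst, dport, flags):
        f = _flags(flags)
        if direction == "in":
            key = (src, sport, dst, dport)
            if "S" in f and "A" not in f:
                self.half_open[key] = t                      # embryonic connection at our server
            elif "S" in f and "A" in f:
                ours = (dst, dport, src, sport)
                if ours in self.our_syns:
                    self.our_syns.discard(ours)              # reply to a connection we opened
                else:
                    self.backscatter.append((t, src, sport, dst, dport))
            elif "A" in f or "R" in f:
                self.half_open.pop(key, None)                # handshake completed or aborted
        elif direction == "out" and "S" in f and "A" not in f:
            self.our_syns.add((src, sport, dst, dport))

    def half_open_by_port(self, now, min_age=0.0):
        """Half-open entries per (server, port), optionally only those older than min_age seconds."""
        counts = defaultdict(int)
        for (_, _, server, sport), t0 in self.half_open.items():
            if now - t0 >= min_age:
                counts[(server, sport)] += 1
        return dict(counts)

    def report(self, now, syn_threshold=10, backscatter_threshold=3):
        ports = {k: v for k, v in self.half_open_by_port(now).items() if v >= syn_threshold}
        reflectors = defaultdict(int)
        for _, src, sport, _, _ in self.backscatter:
            reflectors[(src, sport)] += 1
        reflectors = {k: v for k, v in reflectors.items() if v >= backscatter_threshold}
        return {"syn_flood_ports": ports, "reflectors": reflectors}


def analyze(events, now):
    monitor = HandshakeMonitor()
    for event in sorted(events):
        monitor.observe(*event)
    return monitor.report(now)


# Constructed sample capture at the edge of 192.0.2.0/24.
SAMPLE = (
    # 20 spoofed SYNs at our telnet server, none ever completed by a third ACK
    [(i * 0.01, "in", "203.0.113.%d" % (i + 1), 40000 + i, "192.0.2.20", 23, "S") for i in range(20)]
    # one real client completing the handshake on port 80
    + [(0.50, "in", "198.51.100.5", 5555, "192.0.2.20", 80, "S"),
       (0.51, "out", "192.0.2.20", 80, "198.51.100.5", 5555, "SA"),
       (0.52, "in", "198.51.100.5", 5555, "192.0.2.20", 80, "A")]
    # our own outbound connection and its legitimate SYN/ACK
    + [(1.00, "out", "192.0.2.10", 50000, "198.51.100.80", 80, "S"),
       (1.02, "in", "198.51.100.80", 80, "192.0.2.10", 50000, "SA")]
    # five SYN/ACKs from an FTP server we never contacted: DRDOS backscatter
    + [(2.0 + i * 0.01, "in", "198.51.100.21", 21, "192.0.2.10", 60000 + i, "SA") for i in range(5)]
)

if __name__ == "__main__":
    print(analyze(SAMPLE, now=3.0))
```

A real sensor would also expire half-open entries after the server's own SYN/ACK retransmission timeout, which is why half_open_by_port takes a min_age argument. The matching server-side mitigation is SYN cookies (net.ipv4.tcp_syncookies=1 on Linux), which lets the server answer SYNs without keeping per-connection state until the third packet arrives, so the 'tiny pieces of memory' the attack relies on are never allocated.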
Let me start by saying the internet is full of wonderful tools and papers like this one. A lot of these things can help
you increase your knowledge, perhaps your job or more. But just as easily as you can learn from them, people read into
them too much and decide to harm other people's work for no apparent reason. Let it be known that is in no way the
purpose of this paper. A true hacker is one who strives to attain the answers for themselves through curiosity. It's the
path we take to those answers that makes us hackers, not destruction of other people's work. So with that said, please
enjoy my work, as I have enjoyed writing it.
The flow of data has always captured my interest. Just how does it work, how can we dissect it and use it to our
advantage? Well, I have spent a long time studying all of this, and that is why I wrote this paper. It's a collection of
run-on sentences on different packet attacks and how they work. Now we all know you can learn all you ever wanted to know
about the specifications of a protocol by reading its 30 page RFC document. But that is the protocol according to
design; in the wild it's a different story altogether. 'Packet Attacks' covers everything from basic DOS attacks to
TCP/IP hijacking. Hence the name "Packet Attacks". This paper also focuses not just on attacks but on practical ways to
prevent such attacks and ideas on new methods to help us stop them and secure our networks.
Introduction:
TCP/IP Packet Switching Networks
OSI MODEL
---Chapter 1.---
Section a.
Introduction to DDOS/DOS & Packet Attacks
Section b.
How attacks are crafted
---Chapter 2.---
Section a. (attacks)
ICMP
Smurf
SYN/ACK
UDP
DNS
ARP
DrDOS
Special Bot / Trojans
Worm DOS
Unicode ping flood (new!)
Section b.
Phasing
Section c. (hacks)
TCP hijacking
Sniffing
Scans
Information gathering / Footprinting
Section d.
Defense against these attacks
Attack Detection
Intrusion Detection
Section e.
IPSEC
NAT as a means of security
---Chapter 3.---
Section a.
The future of TCP/IP as a means of using IPv6
---Chapter 4. ---
Section a.
New security application / protocol
-----
Introduction.
Well I assume most of you reading this paper already have a good understanding of TCP/IP and how it works so I wont get to
much into detail on that, but I will scrape the surface on the parts we NEED to discuss. The internet is a MASSIVE web of
machines all connected to one another through a series of hardware devices known as routers, switches, hubs, bridges and
lots more. All of these devices (although some are smarter then others) push along packets. Our operating systems and
applications craft these packets in order to send data to one another over the wire. Each packet, although varying in size,
carries a small bit of data to and from one host to another. Each packet must also carry its own personal information such
as where it came from and where its headed. Of course there is a lot more to a packet then just this information. But as far
as attacks go this is the crucial information we need to look at. Now there are many many different types of protocols that
craft many different types of packets. And they are all read differently when they are received at the other end. Where as
an ARP packet may tell a host who has this MAC address on this subnet, a TCP packet might transfer the last few bits in that
MP3 your downloading. Regardless the data, all of these packets use the same wire to move to and from locations. I couldn't
possibly discuss every protocol and packet structure in this one paper. The average end user takes for granted all of this
running in the background while they surf the net. Most people dont understand the complexity of this internet we are all so
familiar with, the chat rooms etc. But there are people who do, and there are people who take advantage of that. Reverse
engineering has led to the creation of attacks using the basic fundamentals these protocols rely on. And since TCP/IP is so
embedded in our infrastructure we must adapt and learn to defend each new attack.
OSI MODEL
Open Systems Interconnection model, is a seven layered networking design. Its an industry standard that defines exactly how
data is transffered between protocol to protocol. Not every protocol follows the OSI model exactly and some do. TCP the
internets main mode of data transport does not follow it exactly. Let me take you through a brief over view of the OSI model.
Layer Seven : Application Layer
This layer is obviously application specific, it provides everything from authentication to email to ftp and telnet, the
list goes on. Its specifically for end user processes, what we input into our applications we can see on our screens.
Layer Six : Presentation Layer
This layer changes and possibly encrypts the data so that the application layer can understand it. (you will understand what
this means in a few minutes)
Layer Five : Session Layer
Think of this layer as Establishment, Control and Termination of the sessions formed by the
application(client) to a remote host(server).
Layer Four : Transport Layer
This layer is responsible for the invisible transfer of data between host to host. It is there to ensure all data transfer
goes accordingly. The protocols used are, UDP and TCP.
Layer Three : Network Layer
This layer is for error correction, packet sequencing, and for transmitting data from node to node. Addressing is also
another function of this layer in inter-networking.
Layer Two : Data Link Layer
This layer decodes and encodes packets into bits so they are ready for the physical layer. It also handles error correction
in the physical layer. This layer is also divided into two different sub-layers. The LLC (logical link control) and MAC
(media access control) sub layers. The LLC sub layer provides control for frame synchronization and error checking. The MAC
sub layer controls how a computer on your network has access to data.
Layer One : Physical Layer
This layer is the actual movement of the data. Using electrical impulse or some other form of data movement is pushes the
bit stream towards the other host. This layer is the hardware level, the ethernet card, the wire etc. There are many
protocols within this layer.
You may ask yourself why I listed these from 7 to 1. Well I did to show you how the OSI model really works. Layer Seven
really comes first, the end user types something into his instant messenger (for example) and the data flows down through
the OSI model being encapsulated and changed at every level it has to be changed or corrected at. The data travels the wire
and at the other end it moves back up the OSI model all the way back up to layer seven where the other host can read it in
the original form it was sent. So theres a VERY basic understanding of the OSI model and how it works to transmit data from
host to host. There is alot more protocols and parts to the OSI model but this basic representation should provide a firm
understanding.
To understand all of this more in depth please get your hands on a few RFC (request for comment) documents and start reading.
Because it will take you a very long time to understand exactly how TCP/IP works. If your very knowledgeable in the way
TCP/IP works then this paper should make alot of sense to you, perhaps even bore you! :( On the other hand if you dont
understand TCP/IP as well as you would like to, you still might get something out of this. I try and explain all of the
technical writing as easily as I can. Feel free to email me if you have a question or comment. Thanks :)
Data_Clast
---------------------------------------------------------------------------------------
Chapter 1.
Section a.
The most common attack on the internet today is a denial of service attack. There are many programs on the internet today
that will assist anyone in crafting one of these attacks. The sad part is for as easy as they are to make their power can be
destructive when used properly. No matter what kind of packet attack it may be most are based on the same principal, volume.
Thousand and thousands of spoofed packets will eat up network resources within minutes, choking and essentially 'killing'
any network. There are many types of packet attacks. Some are more sophisticated then others. I will also talk about TCP/IP
hijacking and your typical port and vulnerability scans among other things.
Why do people launch these attacks? How are they launched? How do they exactly (technically speaking) 'choke a network'?!
Hold tight im getting to that. The lower end of these attacks are usually launched by what the hacker community calls a
script kiddie. You see a hacker isnt a mindless web defacing juvenile (please see the mentors manifesto). A hacker is a
person of true intellect and would never craft such an attack for no reason. But these lower end attacks are usually
launched at peoples individual machines. Their IP address's may come from an IRC chat room, yahoo messenger, AOL, ICQ, or
whatever other messenger you might use. Although not as sophisticated, these 'lower end' attacks can still knock an
individual machine offline in minutes. The slightly more advanced attacks may be aimed at a business competitor in order to
slow their sales or disrupt their outgoing internet connection. Whatever the reason may be they are usually launched for a
reason. Attacking a box for no reason is typically useless and will only take up your own bandwidth.
The more sophisticated attacks are aimed at government and root points of the internet. Such as the attacks on the root DNS
servers in October of 2002. These attacks were sophisticated in the way they were crafted. The attacks lasted for over an
hour and successfully took out a few of the servers. If the attack had lasted just a few more minutes who knows the damage
it could have caused. The possibility of the authorities solving these attacks and apprehending the offenders is slim to
none because they are created and launched by skilled malicious individuals. They were also distributed denial of service
attacks. Which means the 'zombie' machines that attacked the servers were spread out all over the world. We will touch more
on that later though.
Section b.
You will learn more about how these individual attacks are crafted and how they work later in this paper, but this is a
small introduction so you can get a vague idea. Creating spoofed packets requires an open socket. This socket binds to an
IP and a port and allows you to inject a packet onto the wire or accept any incoming packets to that IP and port. *NIX
openly supports socket programming (there are many tutorials on this type of programming), which means you can code programs
that create packets and then inject them into the network with ease. An example of this would be a program called "SENDIP",
which allows you to create custom packets and supports many protocols (another good program is nemesis). I have written a
few tutorials using SENDIP; I think it's a great program for both advanced and new network engineers to use. It will help
you learn about packet structure and the different protocols it supports. Microsoft is not an open source company, which
pretty much makes it even harder to find help in creating these sorts of programs for Windows. But it is possible to craft
these attacks from within a Windows environment; it's referred to as 'Winsock' programming. In fact most of these DDOS
attacks are possible because of vulnerable Windows boxes out on the net. They are sitting ducks for trojan horses and other
programs that craft these attacks on servers when commanded from a client program to do so. Most end users do not
understand security and how easy it is to break into someone's home computer, so they lack firewalls and virus scanners.
This leaves many zombie machines available on the net at hackers' disposal. All one has to do is scan a class C subnet for
open trojan ports, get into those trojans and use them as a backdoor, and another zombie is created for attacking remote
targets. Almost every program that interacts with TCP/IP generates packets to and from places; this is valid traffic. As
you read you will learn to distinguish between valid and invalid traffic, as it is pretty easy to understand what I mean
when I say "attack". When creating an open socket and crafting spoofed packets, these programs tell the kernel they are
going to construct their own IP headers. Usually this information is put on by the kernel before the packet leaves the
machine. But in this instance we are telling the kernel we want to specify our own information. Not all operating systems
will allow this, and no, I don't have a detailed list of which do and which don't. Most of the experiments I have
conducted on my network used different versions of RedHat Linux, Mandrake Linux, and Windows XP.
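The counterpart to a kernel that lets a program write its own IP header is a router that refuses to forward packets whose source address could not have come from the interface they arrived on (ingress filtering, often called strict reverse-path checking). The following is an added example, not code from the paper: it implements a longest-prefix lookup over a constructed routing table and accepts a packet only when the route back to its source points at the interface it arrived on. The table, interface names and sample packets are all constructed for the illustration.

```python
"""Strict reverse-path (ingress) filter check.  Added example, not from the
paper: the routing table, interface names and sample packets are constructed.
A packet arriving on interface X is accepted only when the best route to its
*source* address would also leave through X; a spoofed source from another
customer's block or from the wider internet fails that test."""
import ipaddress

# Constructed routing table: prefix -> interface the prefix is reached through.
ROUTES = {
    "192.0.2.0/24": "eth1",        # customer A
    "198.51.100.0/24": "eth2",     # customer B
    "198.51.100.128/25": "eth1",   # more specific: this half of B's block lives on A
    "0.0.0.0/0": "eth0",           # default route towards the upstream
}

# Constructed sample packets as (arrival_interface, source, destination).
SAMPLE = [
    ("eth1", "192.0.2.17", "203.0.113.5"),      # A's own address: fine
    ("eth1", "198.51.100.200", "203.0.113.5"),  # in the /25 routed to eth1: fine
    ("eth1", "198.51.100.9", "203.0.113.5"),    # belongs to B (eth2): spoofed
    ("eth1", "1.1.1.1", "203.0.113.5"),         # default route says eth0: spoofed
    ("eth0", "1.1.1.1", "192.0.2.17"),          # arriving from upstream: fine
]


def best_route(table, addr):
    """Longest-prefix match: the interface the router would use to reach addr,
    or None when nothing matches (no default route)."""
    ip = ipaddress.ip_address(addr)
    best_net, best_iface = None, None
    for prefix, iface in table.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def strict_urpf(table, packets):
    """Split packets into (accepted, dropped) by the strict reverse-path rule."""
    accepted, dropped = [], []
    for iface, src, dst in packets:
        if best_route(table, src) == iface:
            accepted.append((iface, src, dst))
        else:
            dropped.append((iface, src, dst))
    return accepted, dropped


if __name__ == "__main__":
    ok, bad = strict_urpf(ROUTES, SAMPLE)
    for pkt in bad:
        print("drop (source not routable via arrival interface):", pkt)
```

Strict mode is only correct where routing is symmetric (a single-homed customer link); on multi-homed links a looser check that merely requires *some* route to the source is the usual compromise.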
Chapter 2.
Section a.
There are several different types of packet attacks. There's the simple brute flood of ICMP packets, which floods a network
and eats up all the available bandwidth, and then there are more sophisticated attacks like the Smurf or SYN/ACK attack.
All of these attacks target different things. While the Smurf attack may target the general network it's attacking, the
SYN/ACK attack targets a specific host or service running on a host. We also must take into consideration that when a
target is attacked it may not be the only machine affected. There are many routers and other boxes transferring the data
between point A and point B. Other people's legitimate data is flowing between them, and may be disrupted by the packet
flood. Even a top of the line router can only handle so much data. And unfortunately it is very easy to obtain source code
for these attacks all over the web. Let's take a more detailed look at each attack.
ICMP brute flood attack.
ICMP works on top of TCP. The ICMP protocol is simple yet very effective. It's used for error correcting and testing
network connectivity. Your average PING program uses ICMP packets to test network connectivity: by sending a small amount
of arbitrary data in an ECHO_REQUEST packet it waits for a reply from the target host. Simple, right? A typical ICMP packet
is called an ECHO_REQUEST. You send 4 or 5 of these at a target machine and when they arrive there each one requests an
ECHO_REPLY. That's when everything is done according to design. If you want more info on an ICMP packet and how it works
then read my tutorial on that!
http://www.theory-x.org/dataclast/_content/MPS.txt
In this attack the source IP address is spoofed. So now hundreds, even thousands, of ECHO_REQUEST packets rush towards
their destination. They reach point B and request an ECHO_REPLY for every ECHO_REQUEST sent. Point B says OK and reads the
source IP. The source IP ends up being unreachable, but point B waits a small amount of time (milliseconds) to determine
that for every packet that's hitting it. It will be a few more moments before the process relinquishes this small bit of
memory back to the system. This adds up to a great deal of packets and memory allocation building up. Now if these packets
are coming from multiple source zombies (DDOS), this means they are each coming from different routes, so even if one ISP
stops one attack there are still many more zombie machines attacking the victim. All of this is eating up time and
bandwidth, because with every millisecond that passes more and more bandwidth is being taken up. Eventually point B can no
longer keep up with the ECHO_REQUESTs and its connection is completely flooded and of no use. On an unprotected system or
router this attack can be very consuming. This attack is also sometimes referred to as a bandwidth attack. Even if the
target is running an advanced firewall, it cannot protect the wire it is connected to from being flooded with packets.
There have been variations on this attack as well. On the net there are what we call amplifiers. On every network there
are the network and subnet addresses. In many default configurations, when you ping either one of these addresses they
multiply the echo requests by 4 or more. So a zombie would attack a vulnerable network (.0) or subnet (.255) address with
a spoofed source IP, being the victim's real IP. So even though the traffic becomes valid as far as IP addresses go, the
victim gets bombarded with massive ECHO_REPLY packets. You will see more of this description in other attacks, as it works
for some of those too.
[zombie machine] -->ICMP ECHO_REQUEST (source IP = 1.1.1.1) -->-->--> [target]
[??????????????] ICMP ECHO_REPLY (destination 1.1.1.1 ?)<-- [target]
Hopefully that simple drawing shows you exactly how this attack works. It's very, very simple: massive ICMP packets with
spoofed addresses taking up network resources. The simplest of attacks.
Smurf attack.
(first part is a repeat from the ICMP attack) There have been variations on the ICMP attack. On the net there are what we
call amplifiers. On every network there are the network and subnet addresses. In many default configurations, when you
ping either one of these addresses they multiply the echo requests by 4 or more. So a zombie would attack a vulnerable
network (.0) or subnet (.255) address with a spoofed source IP, being the victim's real IP. So even though the traffic
becomes valid as far as IP addresses go, the victim gets bombarded with massive ECHO_REPLY packets. You will see more of
this description in other attacks, as it works for those too.
You can try this attack on your home network by simply opening a packet sniffer on each machine that is on. Pick a machine,
any machine, and ping your broadcast address. Mine is 192.168.0.255. Immediately you see each machine receiving a broadcast
packet. Now imagine it's several hundred and each one has a spoofed source IP address. It's a brute ICMP attack on a
massive scale; the possibilities of this attack are endless. You could easily implement this attack in any way you chose.
You could spoof the victim's real IP as your source IP and create massive volumes of legit ECHO_REPLY packets. Even though
it's valid traffic, it's 4x or more the normal load of valid traffic. This consumes the connection and valid traffic can't
pass, or passes so slowly it makes no difference to the end user.
[zombie machine] --> ICMP ECHO_REQUEST source ip = 10.2.2.2 --> to: broadcast router 4.1.0.255 (router multiplies the
ECHO_REPLY packets by 4x! --> --> --> --> [victim 10.2.2.2]
SYN/ACK attack.
The SYN/ACK attack is a very powerful attack. SYN/ACK packets are also used in TCP hijacking and in the TCP/IP three-way
handshake. When an application wants to connect to a server somewhere over the net via a TCP connection (connection-oriented
vs connectionless data transfer (UDP)) it first sends a SYN packet. The SYN packet tells the target machine it wants to
make a connection on a certain specified port and then send data. When the target machine reads the SYN packet it replies
to the original host with a SYN packet of its own and an ACK (acknowledgement) packet with sequence and ack numbers. These
SEQ and ACK numbers are used to synchronize the data transfer: in case one or two packets get lost or slowed down along
the route, the data can be assembled again in the correct order. The original machine replies again with another SYN ACK
packet combination acknowledging the sequence numbers and then it starts to send data. When it creates this connection a
tiny piece of memory is allocated to hold the connection while the packets are in route. Now a SYN/ACK attack would
consist of spoofing the source IP address on the original SYN packet. The target receives the request for a connection,
reads the spoofed source IP and tries to send its own SYN and ACK packet to a destination that does not exist. Most
operating systems will continue to send SYN/ACK packets if they don't receive a reply, as a method of error correction and
guaranteed data delivery. Just like in the ICMP attack, the machine has to wait a few milliseconds before abandoning all
hope of reaching the machine. So these tiny allocated spaces of memory build up with every spoofed packet that arrives at
the target. This attack is very powerful and can disable a service running on the target machine in a matter of minutes,
not to mention all the available bandwidth is eaten with thousands and thousands of spoofed packets. So there is the
SYN/ACK attack in a brief description.
[zombie machine] --> SYN packet (source IP 1.1.1.1, port = 23 telnet) (seq = 100) --> [target]
[??????????????] <-- SYN/ACK packets sent (seq = 300) (ack = 101) <-- [target]
As you can see from the simple drawing above, the target machine has no idea who is sending the SYN packets, and the telnet
server it is running on port 23 would most likely crash. At best the telnet daemon would not allow any other legitimate
traffic through, as it could not gather enough resources (memory, bandwidth) to make the connection due to all the spoofed
packets.
Another use of this attack is to disconnect a user from their current TCP session, by spoofing SYN/ACK packets to a server
a client is currently using. An attacker would set the "FIN" flag in the packets; this tells the server the client is done
sending data. The client loses his connection and the attacker walks away undetected, because it only took one packet to
accomplish this.
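What the description above leaves a defender to see on the wire is a growing backlog of connections stuck in SYN_RECEIVED: the server has answered with a SYN/ACK (often retransmitted) and the third packet of the handshake never comes. The following is an added example, not part of the paper: a small half-open connection tracker that replays a constructed packet record in the form `src:port > dst:port flags` (flags S, SA or A) and reports, per server port, how many distinct sources have left connections half-open. The record format, addresses and threshold are all constructed for the illustration.

```python
"""Half-open TCP connection tracker for the SYN flood described above.
Added example, not from the paper.  Record format is constructed, not any
real sniffer's output:  "<src_ip>:<src_port> > <dst_ip>:<dst_port> <flags>"
with flags S (SYN), SA (SYN/ACK) or A (ACK), as seen in front of the server."""
from collections import defaultdict

# Constructed sample: 10.0.0.5 completes a handshake to port 23; a burst of
# SYNs from scattered sources never answers the server's SYN/ACK, so each
# one leaves a half-open connection (1.1.1.3 even draws a retransmit).
SAMPLE = """\
10.0.0.5:40001 > 192.0.2.10:23 S
192.0.2.10:23 > 10.0.0.5:40001 SA
10.0.0.5:40001 > 192.0.2.10:23 A
1.1.1.1:1024 > 192.0.2.10:23 S
192.0.2.10:23 > 1.1.1.1:1024 SA
1.1.1.2:1024 > 192.0.2.10:23 S
192.0.2.10:23 > 1.1.1.2:1024 SA
1.1.1.3:1024 > 192.0.2.10:23 S
192.0.2.10:23 > 1.1.1.3:1024 SA
192.0.2.10:23 > 1.1.1.3:1024 SA
1.1.1.4:1024 > 192.0.2.10:23 S
192.0.2.10:23 > 1.1.1.4:1024 SA
"""


def parse(line):
    """Split one record into (src_ip, src_port, dst_ip, dst_port, flags)."""
    src, _, dst, flags = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return sip, int(sport), dip, int(dport), flags


def track_half_open(text, server_ip):
    """Replay records and return the connections still half-open, keyed by
    (client_ip, client_port, server_port), each with the number of SYN/ACKs
    the server has sent for it.  A connection leaves the table only when the
    client's final ACK arrives."""
    state = {}
    for line in text.splitlines():
        sip, sport, dip, dport, flags = parse(line)
        if flags == "S" and dip == server_ip:
            state[(sip, sport, dport)] = {"stage": "SYN_RECEIVED", "synack_sent": 0}
        elif flags == "SA" and sip == server_ip:
            key = (dip, dport, sport)           # reply goes back to the client
            if key in state:
                state[key]["synack_sent"] += 1
        elif flags == "A" and dip == server_ip:
            key = (sip, sport, dport)
            if key in state:
                state[key]["stage"] = "ESTABLISHED"
    return {k: v for k, v in state.items() if v["stage"] == "SYN_RECEIVED"}


def syn_flood_report(text, server_ip, threshold):
    """Per server port: how many distinct sources hold half-open connections,
    and whether that count reaches the alert threshold."""
    per_port = defaultdict(set)
    for client_ip, _client_port, server_port in track_half_open(text, server_ip):
        per_port[server_port].add(client_ip)
    return {port: {"distinct_sources": len(srcs), "flagged": len(srcs) >= threshold}
            for port, srcs in per_port.items()}


if __name__ == "__main__":
    for port, info in syn_flood_report(SAMPLE, "192.0.2.10", 3).items():
        print(f"port {port}: {info}")
```

Counting distinct sources rather than raw SYNs is deliberate: a single misbehaving client retrying a handshake produces many SYNs from one address, whereas the flood in the text shows up as many half-open entries from addresses that never complete. On Linux the usual mitigation once the backlog fills is SYN cookies (`net.ipv4.tcp_syncookies`), which lets the server stop keeping per-connection state until the third packet arrives.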
UDP attack
UDP is a protocol that is used to transfer data, short for User Datagram Protocol. UDP offers very little error correction
and is used as an alternative means of data transfer. It doesn't require the 3-way handshake like the SYN/ACK method does,
so its initial attack may not take down a remote daemon as quickly. UDP is generally used to broadcast messages over a
network. A UDP attack would consist of spoofing the source IP addresses and specifying a port number, like in the SYN
attack above. UDP packets are generally large because they are usually used on closed 100mb subnets (LANs). So an attack
would set flags in the packets and fragment them (break them up and flag where in the packet they broke, so they can be
reassembled on the receiving end). For example, in Windows 2000 there was a remote UDP DOS exploit that used the IKE
service running on port 500. All an attacker had to do was connect to port 500 on a random machine with that port open and
start sending massive UDP packets (above 500 bytes) to that service; the CPU usage would hit 99% and the machine would lock
up. The typical ports that accept UDP packets are 7, 13, 19 and 37 on a Windows box.
DNS attack
The DNS attack is a special one. It is not as easily crafted as the others; there aren't that many tools readily available
to the average script kiddie to construct such an attack. The DNS protocol is used for name resolution: 216.239.35.100 =
google.com. Simple as that? Well, not really. A DNS attack is based on the fact that a DNS query takes very little data and
bandwidth to create, but a DNS response is much bigger. So this is what a DNS attack would look like.
10.10.10.10 = victims IP
[dns query packet (who is google.com)] --> source IP is 10.10.10.10 --> [dns server]
[dns server] --> --> --> [dns response] [dns response] [dns response] --> [victim]
As you can see, the attack is sort of relayed from a legitimate DNS server. Although the DNS response packets are 'legit',
there is a massive flood of them because the DNS server that is sending them is a very good machine on a very good
connection. The end user, most likely a home PC, gets flooded with these huge DNS response packets it never asked for.
ARP attack
The ARP attack is a special one: it can be used to 'hijack' a TCP connection currently in session, or it can be used to
sniff the legitimate traffic on a wire other than your own, which is a very dangerous thing in the information world we
live in today. There are a few methods of this attack. Let's say person1, the attacker and the server are all on the same
subnet. Person1 and the server currently have an FTP session open. The attacker sends both the server and person1 an ARP
packet containing an invalid MAC address. Now both of their ARP tables are messed up for at least 30 seconds. The server
and person1 can't find that invalid MAC address, so they send their data to the IP it's associated with, the attacker. So
in this case the attacker has a sniffer set up and he's collecting a ton of data. Now the attacker (an advanced one at
that) can issue commands as person1 to the server. This attack takes timing and skill to pull off on the internet, but on
a LAN it's very easy. It only allows for maybe 30 or so seconds of sniffing, until their ARP tables are constructed
properly again.
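The attack above leaves two traces in the ARP replies seen on the segment: an IP address whose MAC suddenly changes, and one MAC address answering for several IPs at once (the attacker's interface claiming both person1 and the server). The following is an added example, not from the paper, in the spirit of tools like arpwatch: it replays a constructed list of ARP replies as (time, sender_ip, sender_mac) tuples, keeps its own IP-to-MAC view, and raises an alert on either signal. Addresses, MACs and timings are all constructed for the illustration.

```python
"""ARP-table consistency monitor for the ARP attack described above.
Added example, not from the paper; events are constructed (time, sender_ip,
sender_mac) tuples taken from ARP replies seen on the segment."""
from collections import defaultdict

# Constructed: 10.0.0.2 (person1) and 10.0.0.3 (server) are learned normally,
# then the interface ending :99 (the attacker's box, 10.0.0.9) answers for
# both of them; 30 seconds later the real hosts re-assert themselves.
SAMPLE = [
    (0,  "10.0.0.2", "00:11:22:33:44:02"),
    (0,  "10.0.0.3", "00:11:22:33:44:03"),
    (0,  "10.0.0.9", "00:11:22:33:44:99"),
    (5,  "10.0.0.2", "00:11:22:33:44:99"),
    (5,  "10.0.0.3", "00:11:22:33:44:99"),
    (35, "10.0.0.2", "00:11:22:33:44:02"),
    (35, "10.0.0.3", "00:11:22:33:44:03"),
]


def monitor_arp(events):
    """Replay ARP replies.  Returns (alerts, table) where alerts is a list of
    (time, alert_type, ip, old_mac, new_mac) and table is the final IP->MAC
    view.  Two alert types: 'mac_changed' when an IP's MAC differs from the
    one already learned, and 'mac_claims_multiple_ips' when the MAC just
    learned is now the answer for more than one IP."""
    table = {}
    alerts = []
    for t, ip, mac in events:
        old = table.get(ip)
        if old is not None and old != mac:
            alerts.append((t, "mac_changed", ip, old, mac))
        table[ip] = mac
        claimed = [i for i, m in table.items() if m == mac]
        if len(claimed) > 1:
            alerts.append((t, "mac_claims_multiple_ips", ip, None, mac))
    return alerts, table


def suspect_macs(events):
    """Count, per MAC, how many alerts it appeared in as the newly learned
    address.  The real hosts score once each when they recover their IPs;
    the impersonating interface scores on every IP it claimed, twice."""
    counts = defaultdict(int)
    alerts, _table = monitor_arp(events)
    for _t, _kind, _ip, _old, new_mac in alerts:
        counts[new_mac] += 1
    return dict(counts)


if __name__ == "__main__":
    for alert in monitor_arp(SAMPLE)[0]:
        print(alert)
    print("suspects:", suspect_macs(SAMPLE))
```

The recovery at t=35 also produces `mac_changed` alerts; that is expected (arpwatch calls it a flip-flop) and is why the monitor reports both events rather than deciding on its own which MAC is genuine. Static ARP entries for the few hosts that matter (gateway, servers) remove the window entirely on small LANs.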
DRDOS attack
A DRDOS attack uses a little of the other attacks to inflict damage. This attack spoofs the source IP address of SYN
packets to the IP of the victim. It requires a third party; this is the part of the attack that makes it so easy. All it
needs is some FTP server, web server, telnet server... ANY service that will reply with an ACK packet, anywhere on the
internet. It could be Angelfire's free FTP servers, could be your neighbor's web server running off his 233MHz Compaq with
IIS 4.0. It doesn't matter! The SYN packets are sent to that service's IP address and it of course replies with a steady
stream of SYN/ACK packets to the victim, most likely directed towards an open port on the victim's machine, crashing that
service and the system. These attacks are near impossible to track down. This attack is quite possibly the strongest DOS
attack, in my opinion. For every SYN packet you send the middle man, it sends out up to 4 SYN/ACK combinations to the
victim, and each time the victim doesn't respond the middle man sends even more (error correction). This allows the
attacker to construct a massive attack from just one machine with a broadband connection. There are more dangers to this
attack as well: there are hundreds of thousands of FTP servers, web servers and many more services running on the net today
that will deflect these SYN/ACK packets at the victim. So in theory this attack could use any number of 'middle man'
servers to bombard your network with packets.
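The Smurf, DNS and DRDOS attacks above share one shape from the victim's side: replies keep arriving (ICMP echo replies, DNS responses, SYN/ACKs) for requests the victim never sent. A host-based monitor can catch all three with one rule, which is what the following added example does; it is not code from the paper, and it serves the Smurf, DNS and DRDOS sections together. Records are constructed (direction, protocol, peer, kind, size) tuples as a monitor on the victim might keep them; every outbound request "pays for" one inbound reply from that peer, and anything beyond that is counted as unsolicited. All addresses and sizes are constructed.

```python
"""Unsolicited-reply detector for reflected traffic (Smurf backscatter, DNS
reflection, DRDOS SYN/ACKs).  Added example, not from the paper.  Records are
constructed (direction, protocol, peer, kind, size) tuples: direction is
"out" or "in", protocol is "icmp" | "dns" | "tcp", kind is the message type
and size the packet length in bytes."""
from collections import defaultdict

# Which request kind legitimately precedes each reply kind we watch for.
REQUEST_FOR = {
    ("icmp", "echo_reply"): "echo_request",
    ("dns", "response"): "query",
    ("tcp", "syn_ack"): "syn",
}

# Constructed sample as seen by the victim host.
SAMPLE = [
    ("out", "icmp", "192.0.2.1", "echo_request", 64),
    ("in",  "icmp", "192.0.2.1", "echo_reply", 64),       # solicited: we pinged it
    ("in",  "icmp", "198.51.100.7", "echo_reply", 64),    # Smurf backscatter
    ("in",  "icmp", "198.51.100.8", "echo_reply", 64),
    ("out", "dns", "192.0.2.53", "query", 40),
    ("in",  "dns", "192.0.2.53", "response", 500),        # solicited: our resolver
    ("in",  "dns", "203.0.113.53", "response", 500),      # reflected off a server
    ("in",  "dns", "203.0.113.53", "response", 500),
    ("in",  "tcp", "203.0.113.21", "syn_ack", 44),        # DRDOS: FTP server reflects
    ("in",  "tcp", "203.0.113.21", "syn_ack", 44),
    ("in",  "tcp", "203.0.113.21", "syn_ack", 44),
]


def find_unsolicited(records):
    """Return {(protocol, peer): {"packets": n, "bytes": b}} for inbound replies
    that no outstanding request from this host to that peer accounts for."""
    outstanding = defaultdict(int)   # (proto, peer, request_kind) -> unmatched requests
    unsolicited = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for direction, proto, peer, kind, size in records:
        if direction == "out":
            outstanding[(proto, peer, kind)] += 1
            continue
        req_kind = REQUEST_FOR.get((proto, kind))
        if req_kind is None:
            continue                  # not a reply type we track
        key = (proto, peer, req_kind)
        if outstanding[key] > 0:
            outstanding[key] -= 1     # matched to a request we really sent
        else:
            entry = unsolicited[(proto, peer)]
            entry["packets"] += 1
            entry["bytes"] += size
    return dict(unsolicited)


def reflection_summary(records):
    """Per protocol: how many distinct peers reflected traffic at us and how
    many bytes they delivered; many reflectors plus large responses is the
    signature that separates a reflection flood from one stray late reply."""
    per_proto = defaultdict(lambda: {"reflectors": 0, "bytes": 0})
    for (proto, _peer), stats in find_unsolicited(records).items():
        per_proto[proto]["reflectors"] += 1
        per_proto[proto]["bytes"] += stats["bytes"]
    return dict(per_proto)


if __name__ == "__main__":
    for key, stats in find_unsolicited(SAMPLE).items():
        print(key, stats)
    print(reflection_summary(SAMPLE))
```

Because the reflected packets carry the reflector's real address, the list of peers this produces is a list of open amplifiers and reflectors, not of attackers; the useful follow-up is contacting their operators (or, for your own hosts, refusing to answer broadcast pings and locking recursive DNS down to your own clients).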
Overclocking_Tutorial
Overclocking takes on 3 forms:
First is the casual overclocking, easy, and anyone can do it.
Second is the right way to overclock, taking into account everything.
Third, if you want serious power, you're gonna need to be savvy to what does what.
The casual overclocker gains about a 5% increase, and really doesn't see any benefit from this; whilst it makes you feel good, no serious damage can be done by upping the FSB a little or changing your multiplier, only thing is, you want more.
The correct way to overclock is to start looking at your system, check the motherboard specs, PSU, amount of hard drives, CD ROMs etc. (high end systems, including the latest graphics cards, will need serious power).
Let's take a base system like my old system setup:
AMD XP1700+ ( Thoroughbred JIUHB DLT3C )
Core Voltage = 1.50v
Maximum Die Temp = 90c
FSB = 266MHz
(factory unlocked)
Jetway K266B KT266 chipset
DDR + SDR RAM (not together)
No onboard RAID
DDR RAM = Dane Elec PC2700 DDR (333MHz)
Not registered
2 Hard drives
1 CD Writer & 1 DVD ROM drive
2 LAN cards
1 PCI soundcard
(onboard sound turned off).
Now, let's look at what they can do:
The Thoroughbred is still the top processor for overclocking; Thunderbirds are just not up to it, even though they are capable of some really decent speeds, same as the Palomino, not to mention the Bartons (these are not what they have been made up to be).
(for the purpose of space, I'll not go into unlocking your CPU)
As you can see, my Thoroughbred has a core voltage of 1.5v, and as my motherboard is capable of giving my processor anything up to 1.85v, there is scope for more there.
The FSB on my motherboard is capable of a max of 200MHz (this is the magic number).
Die temps to a max of 90c is good (never been near it, yet!).
Now, to work out your MHz on your system, or to check your multiplier or FSB, there is a little calculation you'll need to remember, and it's easy:
Your MHz is worked out by your multiplier times your FSB.
example:
133 x 10 = 1.33GHz
Of course you can divide your MHz by your known FSB to give you your multiplier etc.
Now for ease, I have the results of my previous unlocking tests handy, so I'll use them, and not the current speeds etc.
Standard Multiplier = 11.0
Overclocked Multiplier = 12.0
Standard Voltage = 1.50v
Overclocked Voltage = 1.52v
Standard FSB = 133MHz
Overclocked FSB = 136MHz
Standard Speed = 1467MHz
Overclocked Speed = 1630MHz
Standard Temps = CPU = 37c SYSTEM = 32c (idle) CPU = 44c SYSTEM = 36c (under load)
Overclocked Temps = CPU = 34c SYSTEM = 29c (idle) CPU = 40c SYSTEM = 34c (under load)
As you can see, the system is cooler when overclocked; this is due to having the correct cooling setup, and the temps for it when it was standard were with the standard cooling setup.
Basically, all I have done is raise the FSB by 3MHz, the voltage by 0.02v and the multiplier by 1.0; this has given me a 163MHz increase without over stressing my system, but here is where it gets tedious:
To achieve this, it took me about a week, and this is how I did it:
I started by lowering the multiplier to 5.0; from there I raised the FSB to its max (at the time, having the latest BIOS update for the mobo, allowing 200MHz FSB), 166MHz; this is the correct way of overclocking.
From there, I started to raise the multiplier one by one, getting it back up to the standard multiplier or higher, checking the stability of the system each time.
(currently I am way past the 136MHz FSB, as I am running PC2700 DDR).
One thing to look at though: overclocking using the FSB WILL (unless your system allows you to specify it) mess with your PCI & RAM speeds.
Even raising it by 3MHz can make your PCI cards not work, and your RAM get confused and crash your system.
Now you're thinking to yourself 'I can do that', and yes you can, anyone can, but.......
It takes TIME, I can't stress that enough; if you're going to try this, then you'll need to run your system for at least 6 hours between changing your multiplier, and as you can imagine, this can take a long time to do.
For your information, I used Hot CPU Tester, SETI & played Vietcong for testing purposes.
Now, for the hard part:
As most experienced overclockers will tell you, heat is your enemy; killing heat is your number 1 aim. Don't worry about your speed at first, a 50MHz increase isn't gonna make your 3D Mark scream through the roof; actually, you'll probably not even get any better than what you did before.
There are several ways of dispersing heat, and they are:
Aircooling:
Pros: Cheap, effective at lower speeds.
Cons: Noisy, dust collectors, need maintenance.
Watercooling:
Pros: Can lower your CPU by about 10c easily.
Cons: It has water in it, expensive, hard for some to understand.
Peltier:
Pros: With watercooling, it's the daddy.
Cons: ONLY EXPERIENCED PEOPLE NEED APPLY, very complicated, power hungry, NOT for the faint hearted. Stupidly expensive.
Aircooling:
Upgrading your CPU fan is the first step; there are several companies that offer aftermarket fans, which are better than the OEM fans that are two a penny in today's world, but it's NOT just about your CPU fan, your system needs to breathe, you need to get rid of 'hot spots' within your system.
Watercooling:
It's easier than most make out, it's a good thing, kit prices can be got from about £120 ($200 US), just make sure they are upgradable, as you might want to add a Northbridge water block & a GPU water block.
Modern day kits & parts are idiot proof, and will not leak, unless you act like Noah.
Peltier:
Peltier cooling is DANGEROUS, mainly for your system; fit it incorrectly and you could end up with not only a baked CPU but a system that will end up as a very expensive paperweight.
Ask your local overclocking expert for more info.
Basically, if you can get hold of a decent Thoroughbred cored XP, you're in luck (just like me); if it's unlocked, then you're in business. Obviously, it's not just down to your CPU; your motherboard and RAM will denote whether you can overclock big style or not.
I'd advise ANYONE thinking of overclocking to research into it more, weigh up the odds on what they want or need; if you're on a budget, DON'T attempt it, things can and do go wrong.
Most of the time, it's not about 'mine's faster than yours' or massive speed increases; it's done by most 'cause it can be. 90% of the time, you'd be better off buying a new CPU (as prices are so low), but if you get the urge, then a new world awaits you.
Great tutorial. This should help the OC noobs. If I can add something: like you said, know the specs of your mobo.... and if you are serious about OC'ing don't go and get some generic NO-NAME RAM and some ghetto mobo. To get the best stability go with ASUS and ABIT for the mobo and Crucial, Kingston, Mushkin for the RAM. A great forum for OC'ing is amdmb.com.
Indeed, if you are serious about your overclocking, it's advised you only use serious brand names.
Generic parts are always a lower spec, and can easily destroy themselves with even a little stress aimed towards them.
Memory advice, use the following:
Kingston (added because of reviews, personally, I'm not sure about them).
Crucial (for Dual Channel DDR ONLY)
OCZ
Mushkin
Corsair
PNY (for ECC rated)
Samsung
Geil (my choice, when I can afford it)
Motherboard advice, use the following:
Asus A7N8X Deluxe nForce2
Asus A7N8X-VM nForce2
Asus A7N8X-X nForce2
Abit KD7-S KT400
Abit KV7 KT600
Abit NF7 v2.0 nForce2
Abit NF7-S v2.0 nForce2
MSI K7N2 Delta-L Nforce2
MSI KT6 Delta-LSR KT600
Epox 8RDA+ nForce2
Epox 8RGA+ nForce2
Any nForce2 motherboard would be best; they allow more scope for overclocking your system.
_________________
Outsmarting System File Protection
Tested in Windows 2000 sp2, Windows 2000 sp3 with and without IE6 sp1. Should work fine in XP and XPsp1
------------------------------
A lot of people are having trouble with System File Protection (SFP for short). This can be a major pain in the butt unless you know the tricks to it. Having only tweaked Windows 2000 Service Pack 3, I figured out a few things about SFP and replacing files:
1) Task Manager is your best friend when replacing files in 2k/XP.
When you open Task Manager you can do just about as much as you can do with Explorer just by going File>New Task (Run...). From here you can either use the Run dialog to launch programs one at a time, or select 'Browse' and explore, using right click menu commands to do the bulk of your work (Copy, Paste, Rename). The problem is that often you can't replace items, due to the fact that your browse window is making calls to the things you want to delete.
2) The command line, or Cmd.exe, is like that other friend you have that likes to help out.
One plus this has over Task Manager is that you don't use the file you are trying to replace. A minus is that it can be a pain if you aren't an experienced DOS user.
3) Backups are your ace in the hole.
Always back your files up prior to doing anything (sometimes I don't bother and wish I did). Keep It Simple Stupid applies here. Save yourself a few keystrokes and place your backups in something like C:\back\
4) Safe Mode is the rest of the hand.
Windows 2000 and XP (I believe) can both be booted into Safe Mode. When your computer is first booting up, after your BIOS screen but before the "Windows is Starting" screen (I could be slightly wrong here seeing how I don't know the timing for sure), you hit F4 or F8 to get the Safe Mode menu. Select 'Safe Mode with Command Prompt'. Welcome to "DOS" on 2k/XP. Anything that can't be replaced while Windows is running can be replaced here (url.dll). The syntax would be Copy c:\url.dll "c:\Program Files\Internet Explorer\" -- the quotation marks allow you to put spaces in the path (I didn't know this).
...
Here we go. System File Protection, or System File Checker, is a neat feature of Windows meant to protect Joe Computeruser's PC from being ruined. When a needed system file is being replaced, your File Checker says "Wait a minute, this isn't mine." While this can be great in the long run, it's not a positive thing in Windows hacking. The trick is to replace the files it uses to replace files.
...
1) First up you need to find the file you want to hack and then replace. Start > Search > Files and Folders > dllname. It's good to actually search for the file so you can find out the locations of all copies. Let the search finish, just in case. If you have installed any service packs you will probably have copies of the file in:
\winnt\servicepackfiles\i386\ (Win2k)
\windows\servicepackfiles\i386\ (XP)
As well as:
\winnt\system32\dllcache\ (hidden folder in Win2k)
\WINDOWS\system32\dllcache\ (hidden folder in XP)
\winnt\system32\ (win2k)
\windows\system32\ (XP)
2) Now that you have all of the locations, write them down on paper or your forehead just to be safe (backwards so it shows up in the mirror).
3) Make a backup (remember K.I.S.S.)
4) Hack your file and save it to c:\ for simplicity.
5) Open Task Manager (right-click on your taskbar and select Task Manager).
6) Go to the 'Processes' tab, find 'Explorer.exe', highlight it and push the 'End Process' button. Say Yes to the popup.
7) Go to the first tab in Task Manager and select 'File > New Task > Run > Browse'. From this window navigate to c:\ and highlight your hacked file. Right-click on it and select 'Copy' (don't Cut it).
8) Navigate to your Windows directory and open the \servicepackfiles\i386\ folder. Paste your hacked file and replace the copy that is in that folder.
9) Navigate to your respective dllcache folder and paste the file there too.
10) Finally, replace the normal copy in system32 (or wherever it might be).
11) Reboot. Don't log off, reboot.
Now chances are this won't go that smoothly. Either the file you want to replace is in use, or your pal and mine, SFP, will pop up. It can mess with you in odd ways. I've replaced the servicepackfiles version and the dllcache files, then had SFP grab the normal one and replace the other two with it. This can be frustrating. Or maybe the file is in use. This is where the command prompt comes into play. If you already replaced the files and rebooted to no change, launch TaskMan again, kill explorer.exe, then go 'File > New Task > Run > Cmd.exe'. Use the DOS commands to try to replace all of the copies of the file, in that order, using your hacked version in C:\.
This is usually where you get the message from SFP telling you it's alive and kicking. You will get a rather urgent-looking pop-up telling you that a file that Windows needs is being replaced by a different file. It will then ask you if you want to keep the modified files. Say 'Yes'. Next it will prompt you to insert your Windows CD to retrieve a copy of the file it needs. Click 'Cancel'. As a good rule of thumb, when you get this message, replace what you need, then reboot!
If your file still isn't changing, boot into Safe Mode with Command Prompt. Wait for Windows to take its sweet time loading. Then just type copy c:\file.dll c:\winnt\servicepackfiles\i386\. Rinse and repeat. Then reboot. This has worked for me 100% of the time; if followed, it will work for you as well.
http://pixelarmy.org
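The three locations listed above (system32, the dllcache folder and servicepackfiles\i386) are the copies SFP compares when it decides a file "isn't mine" and copies the cached version back. An administrator who wants to know whether a system file has been swapped on a box, rather than waiting for SFP's pop-up, can hash the copies and look for the one that disagrees. The script below is an added example, not part of the original post; the directory labels mirror the locations the text names, and the url.dll files it writes into a temporary tree are constructed stand-ins, not real binaries.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large DLLs need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_copies(filename: str, locations: dict) -> dict:
    """Hash every copy of `filename` under a {label: directory} map.

    Returns the per-location digests (None where a copy is missing), whether
    all present copies agree, and the labels whose copy differs from the
    majority. A disagreement is exactly what SFP reacts to; seeing it first
    tells an administrator which copy to look at before SFP overwrites it.
    """
    digests = {}
    for label, directory in locations.items():
        copy = Path(directory) / filename
        digests[label] = sha256_of(copy) if copy.is_file() else None
    present = {lbl: d for lbl, d in digests.items() if d is not None}
    distinct = set(present.values())
    if len(distinct) <= 1:
        outliers = []
    else:
        # The most common digest is taken as the reference; the rest are outliers.
        counts = list(present.values())
        majority = max(distinct, key=counts.count)
        outliers = sorted(lbl for lbl, d in present.items() if d != majority)
    return {"digests": digests, "consistent": len(distinct) <= 1, "outliers": outliers}


def demo() -> dict:
    """Constructed scenario: the servicepackfiles copy of url.dll has been swapped."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Layout mirrors the Win2k locations named in the text (paths are constructed).
        layout = {
            "system32": root / "system32",
            "dllcache": root / "system32" / "dllcache",
            "servicepackfiles": root / "servicepackfiles" / "i386",
        }
        for d in layout.values():
            d.mkdir(parents=True)
        original = b"MZ... constructed stand-in for the shipped url.dll"
        (layout["system32"] / "url.dll").write_bytes(original)
        (layout["dllcache"] / "url.dll").write_bytes(original)
        (layout["servicepackfiles"] / "url.dll").write_bytes(b"MZ... constructed modified copy")
        return compare_copies("url.dll", layout)


if __name__ == "__main__":
    print(demo())
```

On a real machine the map would point at the actual directories, and a clean baseline hash per file would replace the majority vote, since two of the three copies being swapped is the case the text describes.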
Outpost Rules, Outpost rules for system & app
Here you can find out how to set up your Outpost firewall. Most of these rules I found on the internet, but some of them are mine. I think that with them you should be safer.
I used online tests to check my firewall settings. The links to these testers are:
CODE
http://scan.sygate.com/probe.html
http://www.auditmypc.com/
http://www.pcflank.com/about.htm
https://grc.com/x/ne.dll?bh0bkyd2
http://scan.sygatetech.com/
http://security1.norton.com/
SYSTEM:
Allow DNS Resolving
Protocol: UDP
Remote Port(s): DNS (53)
Action: Allow It
Allow Outgoing DHCP
Protocol: UDP
Remote Port(s): bootps (67), bootp (68), dhcpv6-client (546), dhcpv6-server (547)
Action: Allow It
Allow Inbound Identification
Protocol: TCP
Direction: Inbound
Local Port(s): AUTH (113)
Action: Allow It
Allow Loopback
Protocol: TCP
Remote Host: localhost (127.0.0.1)
Action: Allow It
Allow GRE Protocol
Protocol: IP and the type is GRE (IP protocol 47)
Action: Allow It
Allow PPTP control connection
Protocol: TCP
Remote Port(s): PPTP
Local Port(s): 1024-65535
Action: Allow It
Block Remote Procedure Call (TCP)
Protocol: TCP
Direction: Inbound
Local Port(s): DCOM (135)
Action: Reject It
Block Remote Procedure Call (UDP)
Protocol: UDP
Direction: Inbound
Local Port(s): 135
Action: Reject It
Block Server Message Block Protocol (TCP)
Protocol: TCP
Direction: Inbound
Local Port(s): Microsoft DS (445)
Action: Reject It
Block Server Message Block Protocol (UDP)
Protocol: UDP
Direction: Inbound
Local Port(s): Microsoft DS (445)
Action: Reject It
APPLICATION
SVCHOST.EXE
Allowing DHCP
Protocol: UDP
Local Port: 68
Remote Port: 67
Direction: Inbound
Action: Allow It
Allowing DNS
Protocol: UDP
Local Port: 53
Action: Allow It
Time Synchronizer connection
Protocol: UDP
Remote Port: 123
Action: Allow It
Allowing HTTP connection
Protocol: TCP
Remote Port: 80
Direction: Outbound
Action: Allow It
Allowing HTTPS connection
Protocol: TCP
Remote Port: 443
Direction: Outbound
Action: Allow It
Blocking "SSDP Discovery Service" and "UPnP device Host" services
Protocol: UDP
Remote Port: 1900
Remote Host: 239.255.255.250
Direction: Inbound
Action: Reject It
Blocking "SSDP Discovery Service" and "UPnP device Host" services
Protocol: TCP
Remote Port: 5000
Remote Host: 239.255.255.250
Direction: Inbound
Action: Reject It
Blocking "SSDP Discovery Service" and "UPnP device Host" services
Protocol: UDP
Remote Port: 5000
Remote Host: 239.255.255.250
Direction: Inbound
Action: Reject It
Blocking "Remote Procedure Call"
Protocol: TCP
Local Port: 135
Action: Reject It
Web browsers:
Protocol: TCP
Direction: Outbound
Remote Port(s): HTTP(80), 81-83
Action: Allow It
Protocol: TCP
Direction: Outbound
Remote Port(s): HTTPS(443)
Action: Allow It
Protocol: TCP
Direction: Outbound
Remote Port(s):SOCKS (1080)
Action: Allow It
Protocol: TCP
Direction: Outbound
Remote Port(s): 3128,8080, 8088
Action: Allow It
Protocol: TCP
Direction: Outbound
Remote Port(s): FTP(21)
Action: Allow It
Protocol: TCP
Direction: Inbound
Remote Port(s): FTP DATA (20)
Action: Allow It
Protocol: TCP
Direction: Inbound
Local Port(s): 1024- 65535
Direction:Outbound
Remote Port(s): 1024- 65535
Action: Allow It
Protocol: TCP
Direction: Inbound
Remote Port(s): 1375
Action: Allow It
Protocol: UDP
Direction: Inbound
Remote Port(s): 1040-1050
Action: Allow It
E-Mail clients:
Protocol: TCP
Direction: Outbound
Remote Port(s): SMTP (25)
Action: Allow It
Protocol: TCP
Direction: Outbound
Remote Port(s): NNTP (119)
Action: Allow It
Protocol: TCP
Direction: Outbound
Remote Port(s): POP3 (110)
Action: Allow It
Protocol: TCP
Direction: Outbound
Remote Port(s): IMAP (143)
Action: Allow It
Protocol: TCP
Direction: Outbound
Remote Port(s): HTTP (80), 81-83, HTTPS (443), SOCKS (1080), 3128, 8080, 8088, 11523
Action: Allow It
Antivirus updaters:
Protocol: TCP
Direction: Outbound
Remote Port(s): HTTP (80), 81-83, HTTPS (443), SOCKS (1080), 3128, 8080, 8088, 11523
Action: Allow It
Symantec LiveUpdate HTTP
KAV Updater HTTP connection
McAfee Update
Update NOD32 virus definitions
Protocol: TCP
Direction: Outbound
Remote Port(s): FTP (21)
Action: Allow It
Symantec LiveUpdate FTP
KAV Updater FTP connection
Protocol: TCP
Direction: Inbound
Remote Port(s): FTP DATA (20)
Action: Allow It
Symantec LiveUpdate FTP DATA
KAV Updater FTP DATA connection
Protocol: TCP
Direction: Outbound
Remote Port(s): POP3 (110)
Action: Allow It
Scan incoming mail for viruses
Downloaders:
Protocol: TCP
Direction: Outbound
Remote Port(s): 80 (HTTP), 81-83, 443 (HTTPS), 1080 (SOCKS), 3128, 8080, 8088, 11523
Action: Allow It
FlashGet, GerRight, Go!Zilla, ReGet
Protocol: TCP
Direction: Outbound
Remote Port(s): FTP (21)
Action: Allow It
FlashGet, GerRight, Go!Zilla, ReGet
Protocol: TCP
Direction: Inbound
Remote Port(s): FTP DATA (20)
Action: Allow It
FlashGet, GerRight, Go!Zilla, ReGet
Protocol: TCP
Direction: Outbound
Remote Port(s): 1024-65535
Action: Allow It
ReGet PASV FTP connection
Protocol: TCP
Direction: Inbound
Remote Port(s): 1024-65535
Action: Allow It
ReGet PASV FTP connection
Protocol: TCP
Direction: Outbound
Remote Port(s): 80, 3128, 8080, 1080, 11523
Action: Allow It
ReGet Update
Trillian:
Trillian Pro Login
Where the protocol is: TCP
and Where the direction is: Outbound
and Where the remote host is: www.ceruleanstudios.com
and Where the remote port is: HTTP
Action: Allow It
Trillian Pro AOL/ICQ Connection
Where the protocol is: TCP
and Where the direction is: Outbound
and Where the remote port is: 443, 5190
Action: Allow It
Trillian mIRC AUTH Connection
Where the protocol is: TCP
and Where the direction is: Inbound
and Where the local port is: 113
Action: Allow It
Trillian mIRC Connection
Where the protocol is: TCP
and Where the direction is: Outbound
and Where the remote port is: 6667
Action: Allow It
Trillian MSN Connection
Where the protocol is: TCP
and Where the direction is: Outbound
and Where the remote port is: 1863
Action: Allow It
Trillian Yahoo Connection
Where the protocol is: TCP
and Where the direction is: Outbound
and Where the remote port is: 5050
Action: Allow It
Bit Torrent:
Bit Torrent HTTP Connection Rule
Where the protocol is: TCP
and Where the direction is: Outbound
and Where the remote port is: HTTP
Action: Allow It
Bit Torrent HTTPS Connection Rule
Where the protocol is: TCP
and Where the direction is: Outbound
and Where the remote port is: 443
Action: Allow It
Bit Torrent Network TCP Outbound Connection Rule
Where the protocol is: TCP
and Where the direction is: Outbound
and Where the remote port is: 1024 - 65535
Action: Allow It
Bit Torrent Network TCP Inbound Connection Rule
Where the protocol is: TCP
and Where the direction is: Inbound
and Where the local port is: 6881-6999
Action: Allow It
TCP Inbound Coverage Rule
Where the protocol is: TCP
and Where the direction is: Inbound
Action: Reject It
TCP Outbound Coverage Rule
Where the protocol is: TCP
and Where the direction is: Outbound
Action: Reject It
UDP Coverage Rule
Where the protocol is: UDP
Action: Reject It
* If you do not wish to share your files with others on the network you will need set this to Block It or leave it unchecked.
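Every application section above ends with "Coverage" rules that reject whatever the earlier allow rules did not match, which only gives a deny-by-default policy if the firewall applies the first rule that matches and the coverage rules sit last. The model below is an added example, not Outpost's own code: it encodes the Bit Torrent rule set exactly as listed, runs a few constructed sample connections through it, and then shows what happens when the coverage rules are moved to the top. First-match evaluation is an assumption of the model, and the sample packets and the 198.51.100.7 peer address are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                   # "Allow It" or "Reject It"
    protocol: Optional[str] = None                # "TCP", "UDP", or None for any
    direction: Optional[str] = None               # "Inbound", "Outbound", or None for any
    local_ports: Optional[Tuple[int, int]] = None   # inclusive range
    remote_ports: Optional[Tuple[int, int]] = None  # inclusive range
    remote_host: Optional[str] = None

    def matches(self, pkt: dict) -> bool:
        """A field set to None is a wildcard; every set field must match."""
        if self.protocol and pkt["protocol"] != self.protocol:
            return False
        if self.direction and pkt["direction"] != self.direction:
            return False
        if self.local_ports and not self.local_ports[0] <= pkt["local_port"] <= self.local_ports[1]:
            return False
        if self.remote_ports and not self.remote_ports[0] <= pkt["remote_port"] <= self.remote_ports[1]:
            return False
        if self.remote_host and pkt["remote_host"] != self.remote_host:
            return False
        return True


def evaluate(rules, pkt: dict):
    """First-match semantics (assumed): return (action, rule name) of the first hit."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return None, None


# The Bit Torrent rules from the text, in the order the text gives them.
BITTORRENT_RULES = [
    Rule("Bit Torrent HTTP Connection Rule", "Allow It", "TCP", "Outbound", remote_ports=(80, 80)),
    Rule("Bit Torrent HTTPS Connection Rule", "Allow It", "TCP", "Outbound", remote_ports=(443, 443)),
    Rule("Bit Torrent Network TCP Outbound Connection Rule", "Allow It", "TCP", "Outbound", remote_ports=(1024, 65535)),
    Rule("Bit Torrent Network TCP Inbound Connection Rule", "Allow It", "TCP", "Inbound", local_ports=(6881, 6999)),
    Rule("TCP Inbound Coverage Rule", "Reject It", "TCP", "Inbound"),
    Rule("TCP Outbound Coverage Rule", "Reject It", "TCP", "Outbound"),
    Rule("UDP Coverage Rule", "Reject It", "UDP"),
]


def pkt(protocol, direction, local_port, remote_port, remote_host="198.51.100.7"):
    """Constructed connection attempt; 198.51.100.0/24 is documentation address space."""
    return {"protocol": protocol, "direction": direction, "local_port": local_port,
            "remote_port": remote_port, "remote_host": remote_host}


# Constructed sample traffic.
SAMPLES = {
    "peer_in_6881": pkt("TCP", "Inbound", 6881, 51234),     # a peer connecting to the listen port
    "smb_in_445": pkt("TCP", "Inbound", 445, 40000),        # unrelated inbound probe at SMB
    "tracker_out_80": pkt("TCP", "Outbound", 3001, 80),     # tracker request over HTTP
    "dht_udp_in": pkt("UDP", "Inbound", 6881, 6881),        # UDP, which this rule set never allows
}


def decide_all(rules, samples=SAMPLES) -> dict:
    return {label: evaluate(rules, p) for label, p in samples.items()}


def coverage_first(rules):
    """Same rules with the coverage rules moved to the top: the ordering mistake that blocks everything."""
    cov = [r for r in rules if "Coverage" in r.name]
    rest = [r for r in rules if "Coverage" not in r.name]
    return cov + rest


if __name__ == "__main__":
    for label, verdict in decide_all(BITTORRENT_RULES).items():
        print(f"{label:15s} -> {verdict}")
    print("coverage first:", decide_all(coverage_first(BITTORRENT_RULES)))
```

The same model applies to the SYSTEM rules: the RPC and SMB "Reject It" entries only matter if nothing above them allows inbound TCP 135 or 445 first.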
Optimize Broadband & Dsl Connections
These settings allow you to boost the speed of your broadband Internet connection when using a Cable Modem or DSL Router with Windows 2000 and Windows XP.
Open your registry and find the key below.
Create the following DWORD values. As most of these values will not already exist, you will need to create them by clicking 'Edit -> New -> DWORD Value' and then set each value as shown below.
DefaultTTL = "80" hex (or 128 decimal)
Specifies the default time to live (TTL) for TCP/IP packets. The default is 32.
EnablePMTUBHDetect = "0"
Specifies whether the stack will attempt to detect Maximum Transmission Unit (MTU) routers that do not send back ICMP fragmentation-needed messages. The default is 0.
EnablePMTUDiscovery = "1"
Specifies whether the TCP/IP stack will attempt to perform path MTU discovery as specified in RFC 1191. The default is 1.
GlobalMaxTcpWindowSize = "7FFF" hex (or 32767 decimal)
Specifies the system maximum receive window size advertised by the TCP/IP stack.
TcpMaxDupAcks = "2"
Determines the number of duplicate ACKs that must be received for the same sequence number of sent data before "fast retransmit" is triggered.
SackOpts = "1"
Enables support for selective acknowledgements as documented by Request for Comment (RFC) 2018. Default is 0.
Tcp1323Opts = "1"
Controls RFC 1323 time stamps and window scaling options. Possible values are: "0" = disable RFC 1323 options, "1" = window scale enabled only, "2" = time stamps enabled only and "3" = both options enabled.
TcpWindowSize = "7FFF" hex (or 32767 decimal)
Specifies the receive window size advertised by the TCP/IP stack. If you have a latent network you can try increasing the value to 93440, 186880, or 372300.
Exit your registry and restart Windows for the changes to take effect.
If you don’t want to edit the registry, here's a little TCP utility that is ideal...
http://www.broadbandreports.com/front/doctorping.zip
Open Windows Explorer to a Different Default Directory
When you open Windows Explorer (by pressing the Windows key and "E" simultaneously, or by choosing Start, All Programs, Accessories, Windows Explorer), you can change the directory that appears by default. If you choose Start, All Programs, Accessories, then right-click on Windows Explorer and choose Properties, you can modify the "Target" directory. To go to your C: drive, simply type C:\ in the Target box and choose OK. You can also enter a shortcut key on this screen, telling Windows the character or combination of characters you want to type to automatically open Windows Explorer. You can even change the icon or specify that you always want Explorer to open in full-screen mode.
Official Unattended Xp Cd Guide Xp Sp2 @ Msfn.org
Have you ever wanted a Windows XP CD that would install Windows XP by automatically putting in your name, product key, timezone and regional settings? Followed by silently installing all your favourite applications along with DirectX 9, .Net Framework and then all the Pre-SP2 hotfixes, updated drivers, registry tweaks, and a readily patched UXTheme.dll without any user interaction whatsoever? Then this guide will show you how you can do just that!
What's New:
Changes in Windows XP SP2 Unattended
http://unattended.msfn.org/xp/sp2changes.htm
This page details the changes you may want to add to your Unattended XP CD if you have your copy of XP SP2 Final from WindowsBeta. The guide will be updated globally to SP2 status once XP SP2 is officially released to the public on Microsoft's download servers in the coming days.
View: MSFN's Official Unattended XP CD Guide
http://unattended.msfn.org/
Ntfs Cluster Size, better harddrive performance
A cluster is an allocation unit. If you create a file, let's say 1 byte in size, at least one cluster has to be allocated on a FAT file system. On NTFS, if the file is small enough, it can be stored in the MFT record itself without using additional clusters. When the file grows beyond the cluster boundary, another cluster is allocated. It means that the bigger the cluster size, the more disk space is wasted; however, the performance is better.
So if you have a large hard drive and don't mind wasting some space, format it with a larger cluster size to gain added performance.
The following table shows the default values that Windows NT/2000/XP uses for NTFS formatting:
Drive size (logical volume)      Cluster size          Sectors
----------------------------------------------------------------
512 MB or less                   512 bytes             1
513 MB - 1,024 MB (1 GB)         1,024 bytes (1 KB)    2
1,025 MB - 2,048 MB (2 GB)       2,048 bytes (2 KB)    4
2,049 MB and larger              4,096 bytes (4 KB)    8
However, when you format the partition manually, you can specify cluster size 512 bytes, 1 KB, 2 KB, 4 KB, 8 KB, 16 KB, 32 KB, 64 KB in the format dialog box or as a parameter to the command line FORMAT utility.
The performance comes through the bursts from the hard drive. By having a larger cluster size you effectively have a larger chunk of data sent to RAM rather than having to read multiple smaller chunks of the same data.
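To put numbers on the space-versus-performance trade-off described above, the following added example (not part of the original text) encodes the default cluster-size table and computes the slack, the allocated-but-unused tail of each file, for a constructed set of file sizes at several cluster sizes. It assumes 512-byte sectors, as the table's Sectors column implies, and it ignores the MFT-resident case for tiny files that the text mentions, so it slightly overstates waste for very small files.

```python
# Default NTFS cluster sizes from the table above: (largest volume in MB, cluster bytes).
DEFAULT_NTFS_CLUSTER = [
    (512, 512),
    (1024, 1024),
    (2048, 2048),
]
LARGE_VOLUME_CLUSTER = 4096  # 2,049 MB and larger
SECTOR_BYTES = 512           # assumed sector size, consistent with the Sectors column


def default_cluster_size(volume_mb: int) -> int:
    """Cluster size Windows NT/2000/XP picks by default for a volume of volume_mb megabytes."""
    for max_mb, cluster in DEFAULT_NTFS_CLUSTER:
        if volume_mb <= max_mb:
            return cluster
    return LARGE_VOLUME_CLUSTER


def sectors_per_cluster(cluster_bytes: int) -> int:
    return cluster_bytes // SECTOR_BYTES


def clusters_needed(file_bytes: int, cluster_bytes: int) -> int:
    """Ceiling division; an empty file is modelled as needing no cluster."""
    return -(-file_bytes // cluster_bytes)


def slack_bytes(file_sizes, cluster_bytes: int) -> int:
    """Total bytes allocated but not used by the files: the 'wasted' space.

    Caveat: NTFS keeps small files resident in the MFT record, which this
    model does not reproduce, so tiny files are charged a full cluster here.
    """
    return sum(clusters_needed(s, cluster_bytes) * cluster_bytes - s for s in file_sizes)


def compare_cluster_sizes(file_sizes, candidates=(512, 4096, 65536)) -> dict:
    """Slack for the same files under each candidate cluster size (the FORMAT choices)."""
    return {c: slack_bytes(file_sizes, c) for c in candidates}


# Constructed sample: a 1-byte file, a file just over one 4 KB cluster, and a ~100 KB file.
SAMPLE_FILES = [1, 4097, 100000]

if __name__ == "__main__":
    for c, waste in compare_cluster_sizes(SAMPLE_FILES).items():
        print(f"cluster {c:6d} bytes ({sectors_per_cluster(c):3d} sectors): slack {waste} bytes")
```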
news groups the how to do
FOUND ON DIFFRENT FORUM
OK, there is a lot to explain and most of it is unneeded, or more to the point, you won't need it, well at least not to start with. Maybe in a few months when you feel more at home with the world of Usenet you may feel the need to look deeper. This tutorial is therefore aimed at the guys who want to use a newsgroup but have no idea what one is, how to install the needed items and download the files you want.
OK, newsgroups = a good place to download the newest movie / game / application / music etc.
Yeah, I'm sure it's more than that, but do you really care?
OK, needed, in the order I think best. Some files may seem odd but they will make life easy, so don't moan, just download them, OK?
Code:
1. http://bullbrand.giveit2me4free.com/downloads/nl_setup.exe
2. http://www.nettle.us/quickpar/QuickPar-0.9.1.0.exe
3. http://www.rarlab.com/rar/wrar342.exe
4. http://www.daemon-tools.cc/dtcc/portal/download.php?mode=Download&id=34
1 is the application used to connect to the newsgroups and download the files.
2 is an application made to help fix any files application No. 1 fails to download correctly.
3 is WinRAR; always use the newest version around, as most files posted to the newsgroups do use the newest versions.
4, Daemon Tools, is a virtual CD-ROM/DVD drive, great for testing any CDs or DVDs you download before burning them to disks.
1 is a pay-for application and in time you may well want to subscribe to it, as it is one of the best applications out there for doing its job, but the link I give you is for the final version 1 and keygens are all over the net for this one, or check the next post down for the chicken link.
2. SmartPar is really freeware, so no need to worry here.
3. WinRAR is always cracked, so check out Google, it's your friend.
4. Daemon Tools is freeware, no probs eh!
OK, now you have to do some work that I can't do for you: you have to go and find out what your own ISP's news server address is.
Mine is at Pipex =
Code:
nntp.dsl.pipex.com
A username and password are required to log in to it.
NTL users can try any of these:
Code:
news.cache.ntlworld.com
news.cache.cable.ntlworld.com
news.ntlworld.com
news.cable.ntlworld.com
newscache.cable.ntlworld.com
newsfep1a-gui.server.ntli.net
newsfep1b-gui.server.ntli.net
newsfep1c-gui.server.ntli.net
newsfep1d-gui.server.ntli.net
newsfep2a-gui.server.ntli.net
newsfep2b-gui.server.ntli.net
newsfep2c-gui.server.ntli.net
newsfep2d-gui.server.ntli.net
newsfep1a-win.server.ntli.net
newsfep1b-win.server.ntli.net
newsfep1c-win.server.ntli.net
newsfep1d-win.server.ntli.net
newsfep2a-win.server.ntli.net
newsfep2b-win.server.ntli.net
newsfep2c-win.server.ntli.net
newsfep2d-win.server.ntli.net
news.tesco.net (yep you can access these from an ntl account)
news.virgin.net (yep you can access these from an ntl account)
Cache servers, unreliable but at least they accept a connection:
cache1-mant.server.ntli.net
inktomi1-bro.server.ntl.com
inktomi2-bro.server.ntl.com
Sorry, but there are so many ISPs out there I can't possibly find them all. Do not install anything until you have this information; without it you can't do jack.
OK, if you have now got the news server info your ISP uses, then proceed to install app No. 1.
On install leave it all on default, click OK, Next, Yes, OK etc. till all is done, then run it.
On first run look at the very top menus and click on OPTIONS, then click DOWNLOADS. If needed, change the path to the download folder. Remember you will be downloading many gigs, so make sure the drive has room. If not, edit the path and change the drive, make a new folder etc. so you have room.
Now click on HEADERS and untick "always get all headers" and enter 100000 in both the boxes. This will download, if and when required, the last 5 days' headers (you may never do it, just setting up in case you feel brave).
Now click NZB FILES. OK, click everything in here except "pretty up subfolder names" and then apply the settings. Now we set up the news server connection info, so do this next.
Look at the tabs near the top area; the first one is called "Usenet Manager". Click it and you will be able to add a new news server by right-clicking in the white area and selecting ADD NEW SERVER. In this new box enter the details you should have: the SERVER ADDRESS is the news server your ISP gave you to use. The nickname can be anything you like; it should be the same as the ADDRESS if you typed it in. The number of connections can vary, so it's trial and error here: set it to 1 connection and then increase it until you see a problem (normally it says access forbidden) when you connect, of course.
If you require a login (some do, some don't) tick the box and enter a user and password for your news server; this will normally be the same user and password you use to connect to the ISP's ADSL system. If you don't require a login then untick the box and enter nothing in the user and password areas. It knows if you're on their ADSL network and connects if you are. Again, a bit of trial and error here.
Once you think it's right click OK and then look at the icons at the top. Click the one flashing with the word CONNECT and look at the bottom of the display; you should see a status of what is going on. If it says "Idle & ready for action" you're done.
If it says "Unable to authenticate please check quota and user password etc." you have it wrong and will need to recheck the user, password etc. you entered till it does work. If you get totally lost here you can always call your ISP support and ask for the damn news server login needed. It is not illegal to use this service, so you are not breaking any laws.
OK, if we all have the "Idle & ready for action" we can close the NewsLeecher application down; we're done setting it up.
OK, now install SmartPar and WinZip and Daemon Tools. Just use the default settings, as they work fine.
OK, ready to test this system out? Then here we go.
Code:
Registry Rescue v2.8
http://www.newzbin.com/972728 (1.1MB)
alt.binaries.w***z.ibm-pc.0-day
The above is a tiny part of an email I get every day from a website called newzbin.com. They have a team that look at the main groups and report new posts. So let's say someone posts a new movie: their team go and find all the RAR files that you need to download to make the movie work and put all the links to download these files into one text file called an NZB file. So when that file is OPENED, NewsLeecher, the application we just set up, sees it's an NZB file and then opens up, loads the contents of the TEXT file into the app, connects to your ISP's news server and then starts to auto-download the movie into the download folder you set up a few minutes ago. Now depending on your connection speed and the size of the files you're gonna download, NewsLeecher will give you an ETA on time to complete.
NZB files are the secret here; they do all the hard work. Sites like newzbin create these NZB files, but they also expect you to be a subscriber to their system to be allowed to get them. newzbin for example costs 0.25p (UK) a week, so for 13 pound a year you can have access to it all. Now we know some here can't afford to pay these fees, so I'm having a new area created so we can have some that can afford the fee grab some of these NZB files and UPLOAD them directly to the forum so members can simply click to save these files, so we can all enjoy the power of NGs.
OK, so what the hell is SmartPar and what does it do?
Simple: it fixes broken downloads.
OK, a movie has 50 RAR files of 15 meg each to make the whole movie up. On a newsgroup, posts are limited to 5000 lines per post. So what they do is split the 15 meg RAR files into, say, 60 files each with 5000 lines per file. NewsLeecher then downloads each of the 60 part files and then glues them all together to remake the 15 meg RAR file. But sometimes one or two of these 5000-line posts get lost and the RAR file is then incomplete, i.e. a bad RAR file, and it won't ever extract, so you just downloaded an 800 meg waste-of-space set of files that are useless.
Or are they? You will 99% of the time also see extra files being downloaded; these have the file extension (.PAR2). These contain information to rebuild incomplete broken part files, so the 15 meg RAR file can now be made good. It does have limits, but so far in all my time I have only had one movie that would not repair and I had to bin it. A really good system IMO.
WinRAR, well, it's industry standard, ain't it?
Daemon Tools, well, I use it a lot to save me burning DVDs. I can mount a DVD ISO file and watch the movie on my PC, no disks needed. It has a million other uses, but that's the one I use it for.
The following post contains a sample of an email I receive from newzbin every day telling me the latest release info. I normally click on the item I want, it opens the webpage up and members will see a button marked "GET MESSAGE ID'S". I click that and they send me the needed NZB file; I open it and in minutes I'm playing that new game / watching that new movie or installing that great application I always wanted. You get the idea, I'm sure.
The downside is, depending on your ISP there could be extra costs involved if they limit the amount of data you're allowed to download, i.e. 5 gigs per month or something like that.
NZB files can be hard to get if you do not have an account with a service like newzbin.com (my advice is to subscribe; hell, you can try it for 8 weeks for £2 UK. That's some downloads: let's say you download the first day WINDOWS XP CORP INC Service PACK 2 worth £140 UK and maybe 3 new PS2 games @ £30 UK each and maybe 2 MOVIES that aren't even out yet, no value; you can see that on a daily / weekly cost it is well worth it).
But before anyone here runs off and subscribes to anything please STOP STOP STOP. We will post daily some of the NZB files; we may even have a request or something set up so you can 100% confirm you can run and work with NGs for ZERO cost. If you can't work them, all it cost you was a few minutes of your time and you downloaded 4 small files.
Good luck guys. This is not as complete as I wanted it to be, but those in the group who know me also know why my time is limited, so sorry I'm selling it shorter than I wanted. But it has enough clear and simple directions to get anyone with almost zero know-how to an NGs downloading pro in less than 10 minutes.
Here are a few files to practise on. These files have a life expectancy of 5 to 6 days from date of post, so DON'T complain in 8 days if they don't work.
Musicmatch Jukebox Plus v10.00.1025b
http://bullbrand.giveit2me4free.com/downloads/Musicmatch_Jukebox_Plus.nzb
No1 DVD Ripper Se V1.3.39
http://bullbrand.giveit2me4free.com/downloads/No1_DVD_Ripper.nzb
U2 - The Best of 1990-2000
http://bullbrand.giveit2me4free.com/downloads/U2_-_The_Best_of_1990-2000.nzb
Click on them and save or open them. If you installed NewsLeecher right they will auto-open it and download. If they open it and the download does not start, check that in OPTIONS / ADVANCED "auto connect on startup" is ticked, or simply click the connect icon when it has opened to start the download.
If they open as XML pages, or when you right-click and Save As they try and save as .xml pages, then download this file:
http://bullbrand.giveit2me4free.com/downloads/test_nbz.rar
That is a RAR of the 3 files above; just extract it and open the NZB files.
Remember though, you don't need to read these files; they are just to tell NewsLeecher where to go and get what you want.
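The repair idea the post describes (a multi-part download where one segment never arrives, and extra recovery data rebuilds it) can be shown in a few lines. The following is an added example, not code from the post or from SmartPar/NewsLeecher: it detects missing segments the way an NZB lists them (1-based segment numbers) and rebuilds one missing segment from a parity block. Real PAR2 files use Reed-Solomon codes and can recover as many segments as there are recovery blocks; the single XOR parity block here is a deliberate simplification, and the sample data is constructed.

```python
# Added example (not from the original post): a simplified model of how
# recovery data lets a split download survive a lost segment. A file is cut
# into fixed-size segments (the post's "5000-line posts"); one XOR parity
# block can rebuild exactly ONE missing segment. PAR2 itself uses
# Reed-Solomon coding and is not reproduced here.
import hashlib

SEGMENT_BYTES = 2048          # constructed segment size for the demo


def split_segments(data: bytes, segment_size: int = SEGMENT_BYTES) -> list:
    """Split a file into equal segments, zero-padding the last one."""
    if not data:
        return []
    segs = [data[i:i + segment_size] for i in range(0, len(data), segment_size)]
    segs[-1] = segs[-1].ljust(segment_size, b"\0")
    return segs


def xor_parity(segments: list) -> bytes:
    """Recovery block: byte-wise XOR of every segment."""
    parity = bytearray(len(segments[0]))
    for seg in segments:
        for i, b in enumerate(seg):
            parity[i] ^= b
    return bytes(parity)


def missing_segments(received: dict, total: int) -> list:
    """Segment numbers (1-based, like an NZB <segment number=...>) never fetched."""
    return [n for n in range(1, total + 1) if n not in received]


def repair(received: dict, total: int, parity: bytes):
    """Return all segments in order, rebuilding one lost segment from parity.
    Returns None when more than one segment is missing (single parity limit)."""
    lost = missing_segments(received, total)
    if len(lost) > 1:
        return None
    if lost:
        # XOR of parity with every surviving segment yields the lost one.
        rebuilt = bytearray(parity)
        for seg in received.values():
            for i, b in enumerate(seg):
                rebuilt[i] ^= b
        received = {**received, lost[0]: bytes(rebuilt)}
    return [received[n] for n in range(1, total + 1)]


def reassemble(segments: list, original_len: int) -> bytes:
    """Glue segments back together and drop the padding."""
    return b"".join(segments)[:original_len]


def demo(lost_segment: int) -> bool:
    """Constructed 10 KB 'file', one segment dropped in transit; True if the
    repaired file hashes the same as the original."""
    original = bytes(range(256)) * 40                  # constructed content
    digest = hashlib.sha256(original).hexdigest()
    segs = split_segments(original)
    parity = xor_parity(segs)                          # the "PAR2" of this model
    received = {n: s for n, s in enumerate(segs, start=1) if n != lost_segment}
    repaired = repair(received, len(segs), parity)
    if repaired is None:
        return False
    return hashlib.sha256(reassemble(repaired, len(original))).hexdigest() == digest


if __name__ == "__main__":
    print("segment 3 lost, repaired OK:", demo(3))
```

Verifying the reassembled file against a hash is the step that matters in practice: a repair routine that reports success must still be checked against an integrity value published with the download.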