The contents of this blog are old now as I have not updated it in a long time. The mobile trick won't work now.

NETBIOS

Posted on Wednesday, June 11, 2008 by Ajit

Understanding NetBIOS
By NeonSurge
Released through the rhino9 Team

Preface

Before you begin reading this paper, understand that this paper was written for the novice to the concept of NetBIOS, but - it also contains information the veteran might find educational. I am prefacing this so that I do not get e-mail like "Why did you start your paper off so basic?" - Simple, it's written for people that may be coming from an environment that does not use NetBIOS, so they would need me to start with basics, thanks. -NeonSurge, rhino9 team.

What is NetBIOS?

NetBIOS (Network Basic Input/Output System) was originally developed by IBM and Sytek as an Application Programming Interface (API) for client software to access LAN resources. Since its creation, NetBIOS has become the basis for many other networking applications. In its strictest sense, NetBIOS is an interface specification for accessing networking services.

NetBIOS, a layer of software developed to link a network operating system with specific hardware, was originally designed as THE network controller for IBM's Network LAN. NetBIOS has since been extended to allow programs written using the NetBIOS interface to operate on the IBM token ring architecture. NetBIOS has since been adopted as an industry standard, and it is now common to refer to NetBIOS-compatible LANs.

It offers network applications a set of "hooks" to carry out inter-application communication and data transfer. In a basic sense, NetBIOS allows applications to talk to the network. Its intention is to isolate application programs from any type of hardware dependencies. It also spares software developers the task of developing network error recovery and low-level message addressing or routing. The use of the NetBIOS interface does a lot of this work for them.

NetBIOS standardizes the interface between applications and a LAN's operating capabilities. With this, it can be specified to which levels of the OSI model the application can write, making the application transportable to other networks. In a NetBIOS LAN environment, computers are known on the system by a name. Each computer on the network has a permanent name that is programmed in various different ways. These names will be discussed in more detail below.

PCs on a NetBIOS LAN communicate either by establishing a session or by using NetBIOS datagram or broadcast methods. Sessions allow for a larger message to be sent and handle error detection and correction. The communication is on a one-to-one basis. Datagram and broadcast methods allow one computer to communicate with several other computers at the same time, but are limited in message size. There is no error detection or correction using these datagram or broadcast methods. However, datagram communication allows for communication without having to establish a session.

All communication in these environments is presented to NetBIOS in a format called Network Control Blocks (NCBs). The allocation of these blocks in memory is dependent on the user program. These NCBs are divided into fields, which are reserved for input and output respectively.

NetBIOS is a very common protocol used in today's environments. NetBIOS is supported on Ethernet, Token Ring, and IBM PC Networks. In its original form, it was defined as only an interface between the application and the network adapter. Since then, transport-like functions have been added to NetBIOS, making it more functional over time.

In NetBIOS, both connection-oriented (TCP) and connectionless (UDP) communication are supported. It supports both broadcasts and multicasting and supports three distinct services: Naming, Session, and Datagram.

NetBIOS Names

NetBIOS names are used to identify resources on a network. Applications use these names to start and end sessions. You can configure a single machine with multiple applications, each of which has a unique NetBIOS name. Each PC that supports an application also has a NetBIOS station name that is user defined or that NetBIOS derives by internal means.

NetBIOS names can consist of up to 16 alphanumeric characters. The combination of characters must be unique within the entire source routing network. Before a PC that uses NetBIOS can fully function on a network, that PC must register its NetBIOS name.

When a client becomes active, the client advertises its name. A client is considered to be registered when it can successfully advertise itself without any other client claiming it has the same name. The steps of the registration process are as follows:

1. Upon boot-up, the client broadcasts itself and its NetBIOS information anywhere from 6 to 10 times to ensure every other client on the network receives the information.

2. If another client on the network already has the name, that NetBIOS client issues its own broadcast to indicate that the name is in use. The client who is trying to register the already-in-use name stops all attempts to register that name.

3. If no other client on the network objects to the name registration, the client will finish the registration process.

There are two types of names in a NetBIOS environment: Unique and Group. A unique name must be unique across the network. A group name does not have to be unique, and all processes that have a given group name belong to the group. Each NetBIOS node maintains a table of all names currently owned by that node.

The NetBIOS naming convention allows for 16 characters in a NetBIOS name. Microsoft, however, limits these names to 15 characters and uses the 16th character as a NetBIOS suffix. A NetBIOS suffix is used by Microsoft Networking software to identify the functionality installed on the registered device or service.

[QuickNote: SMB and NBT (NetBIOS over TCP/IP) work very closely together and both use ports 137, 138, 139. Port 137 is NetBIOS name service (UDP). Port 138 is NetBIOS datagram service (UDP). Port 139 is NetBIOS session service (TCP). For further information on NetBIOS, read the paper at the rhino9 website listed above]

The following is a table of NetBIOS suffixes currently used by Microsoft WindowsNT. These suffixes are displayed in hexadecimal format.

Name                Number  Type  Usage
==========================================================================
                    00      U     Workstation Service
                    01      U     Messenger Service
<\\_MSBROWSE_>      01      G     Master Browser
                    03      U     Messenger Service
                    06      U     RAS Server Service
                    1F      U     NetDDE Service
                    20      U     File Server Service
                    21      U     RAS Client Service
                    22      U     Exchange Interchange
                    23      U     Exchange Store
                    24      U     Exchange Directory
                    30      U     Modem Sharing Server Service
                    31      U     Modem Sharing Client Service
                    43      U     SMS Client Remote Control
                    44      U     SMS Admin Remote Control Tool
                    45      U     SMS Client Remote Chat
                    46      U     SMS Client Remote Transfer
                    4C      U     DEC Pathworks TCPIP Service
                    52      U     DEC Pathworks TCPIP Service
                    87      U     Exchange MTA
                    6A      U     Exchange IMC
                    BE      U     Network Monitor Agent
                    BF      U     Network Monitor Apps
                    03      U     Messenger Service
                    00      G     Domain Name
                    1B      U     Domain Master Browser
                    1C      G     Domain Controllers
                    1D      U     Master Browser
                    1E      G     Browser Service Elections
                    1C      G     Internet Information Server
                    00      U     Internet Information Server
                    [2B]    U     Lotus Notes Server
IRISMULTICAST       [2F]    G     Lotus Notes
IRISNAMESERVER      [33]    G     Lotus Notes
Forte_$ND800ZA      [20]    U     DCA Irmalan Gateway Service

Unique (U): The name may have only one IP address assigned to it. On a network device, multiple occurrences of a single name may appear to be registered, but the suffix will be unique, making the entire name unique.

Group (G): A normal group; the single name may exist with many IP addresses.

Multihomed (M): The name is unique, but due to multiple network interfaces on the same computer, this configuration is necessary to permit the registration. Maximum number of addresses is 25.

Internet Group (I): This is a special configuration of the group name used to manage WinNT domain names.

Domain Name (D): New in NT 4.0

For a quick and dirty look at a server's registered NetBIOS names and services, issue the following NBTSTAT command:

nbtstat -A [ipaddress]
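What nbtstat -A actually displays is the name table carried in a node status response on UDP/137. The following is an added example (not code from the rhino9 paper) that decodes such a table using the 15-character-plus-suffix convention and the suffix table above, together with the NODE_NAME layout of RFC 1002 (16-byte name followed by a 2-byte NAME_FLAGS field); the response bytes are constructed, and nothing is sent on the network.

```python
"""Decode the NetBIOS name table returned by a node status (NBSTAT) query on UDP/137.

Added example for this page, not code from the rhino9 paper. It applies the
15-character-plus-suffix convention and the suffix table above to the NODE_NAME
layout of RFC 1002 (a 16-byte NetBIOS-format name followed by a 2-byte NAME_FLAGS
field), which is what `nbtstat -A` formats for display. The response bytes are
constructed here; nothing is sent on the network.
"""
import struct

# (type, suffix) -> usage, for the Microsoft suffixes listed in the table above.
SUFFIX_USAGE = {
    ("U", 0x00): "Workstation Service",
    ("U", 0x03): "Messenger Service",
    ("U", 0x20): "File Server Service",
    ("U", 0x1B): "Domain Master Browser",
    ("U", 0x1D): "Master Browser",
    ("G", 0x00): "Domain Name",
    ("G", 0x01): "Master Browser",          # <\\_MSBROWSE_>
    ("G", 0x1C): "Domain Controllers",
    ("G", 0x1E): "Browser Service Elections",
}

# NAME_FLAGS bits (RFC 1002, section 4.2.18).
FLAG_GROUP = 0x8000   # G: group name when set, unique name otherwise
FLAG_ACTIVE = 0x0400  # ACT: the name is active on this node
ONT_SHIFT = 13        # owner node type, 2 bits: B, P, M or H node


def netbios_format_name(name: str, suffix: int) -> bytes:
    """Build the 16-byte NetBIOS-format name: up to 15 chars space-padded + suffix byte."""
    if len(name) > 15:
        raise ValueError("Microsoft limits NetBIOS names to 15 characters plus a suffix")
    return name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix & 0xFF])


def decode_node_name(entry: bytes) -> dict:
    """Decode one 18-byte NODE_NAME entry into the fields nbtstat prints."""
    if len(entry) != 18:
        raise ValueError("NODE_NAME entry must be exactly 18 bytes")
    raw_name = entry[:16]
    (flags,) = struct.unpack(">H", entry[16:18])
    suffix = raw_name[15]                       # the 16th character is the suffix
    name = raw_name[:15].decode("ascii", errors="replace").rstrip(" ")
    ntype = "G" if flags & FLAG_GROUP else "U"  # the flag, not the suffix, decides U/G
    return {
        "name": name,
        "suffix": suffix,
        "type": ntype,
        "node_type": "BPMH"[(flags >> ONT_SHIFT) & 0x3],
        "active": bool(flags & FLAG_ACTIVE),
        "usage": SUFFIX_USAGE.get((ntype, suffix), "Unknown"),
    }


def parse_node_status_rdata(rdata: bytes) -> tuple[list[dict], str]:
    """Parse node status RDATA: NUM_NAMES, the NODE_NAME entries, then STATISTICS.

    Returns the decoded names and the UNIT_ID (MAC address) that opens the
    STATISTICS block, the two things nbtstat -A reports.
    """
    num_names = rdata[0]
    offset = 1
    names = []
    for _ in range(num_names):
        names.append(decode_node_name(rdata[offset:offset + 18]))
        offset += 18
    mac = rdata[offset:offset + 6].hex("-").upper()
    return names, mac


def format_like_nbtstat(names: list[dict]) -> list[str]:
    """Render rows in the style of nbtstat's 'NetBIOS Remote Machine Name Table'."""
    kind = {"U": "UNIQUE", "G": "GROUP"}
    return [f"{n['name']:<15} <{n['suffix']:02X}>  {kind[n['type']]:<7} {n['usage']}"
            for n in names]


def build_sample_rdata() -> bytes:
    """Constructed RDATA for host WORKSTN1 in domain EXAMPLE (example data only)."""
    entries = [
        ("WORKSTN1", 0x00, FLAG_ACTIVE),              # unique, B-node, active
        ("WORKSTN1", 0x20, FLAG_ACTIVE),
        ("WORKSTN1", 0x03, FLAG_ACTIVE),
        ("EXAMPLE", 0x00, FLAG_GROUP | FLAG_ACTIVE),   # group names carry the G bit
        ("EXAMPLE", 0x1E, FLAG_GROUP | FLAG_ACTIVE),
    ]
    body = bytes([len(entries)])
    for name, suffix, flags in entries:
        body += netbios_format_name(name, suffix) + struct.pack(">H", flags)
    unit_id = bytes.fromhex("001122334455")  # constructed MAC address
    return body + unit_id + bytes(40)        # remaining STATISTICS fields zeroed


if __name__ == "__main__":
    table, mac = parse_node_status_rdata(build_sample_rdata())
    print("\n".join(format_like_nbtstat(table)))
    print("MAC Address =", mac)
```

Note that the same suffix appears with both types in the table (00 is Workstation Service for a unique name and Domain Name for a group name), which is why the decoder keys the usage lookup on the G flag as well as the suffix.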

NetBIOS Sessions

The NetBIOS session service provides a connection-oriented, reliable, full-duplex message service to a user process. NetBIOS requires one process to be the client and the other to be the server. NetBIOS session establishment requires a preordained cooperation between the two stations. One application must have issued a Listen command when another application issues a Call command. The Listen command references a name in its NetBIOS name table (or WINS server), and also the remote name an application must use to qualify as a session partner. If the receiver (listener) is not already listening, the Call will be unsuccessful. If the call is successful, each application receives notification of session establishment with the session-id. The Send and Receive commands transfer the data. At the end of a session, either application can issue a Hang-Up command. There is no real flow control for the session service because it is assumed a LAN is fast enough to carry the required traffic.

NetBIOS Datagrams

Datagrams can be sent to a specific name, sent to all members of a group, or broadcast to the entire LAN. As with other datagram services, the NetBIOS datagrams are connectionless and unreliable. The Send_Datagram command requires the caller to specify the name of the destination. If the destination is a group name, then every member of the group receives the datagram. The caller of the Receive_Datagram command must specify the local name for which it wants to receive datagrams. The Receive_Datagram command also returns the name of the sender, in addition to the actual datagram data. If NetBIOS receives a datagram, but there are no Receive_Datagram commands pending, then the datagram is discarded.

The Send_Broadcast_Datagram command sends the message to every NetBIOS system on the local network. When a broadcast datagram is received by a NetBIOS node, every process that has issued a Receive_Broadcast_Datagram command receives the datagram. If none of these commands are outstanding when the broadcast datagram is received, the datagram is discarded.

NetBIOS enables an application to establish a session with another device and lets the network redirector and transaction protocols pass a request to and from another machine. NetBIOS does not actually manipulate the data. The NetBIOS specification defines an interface to the network protocol used to reach those services, not the protocol itself. Historically, NetBIOS has been paired with a network protocol called NetBEUI (NetBIOS Extended User Interface). The association of the interface and the protocol has sometimes caused confusion, but the two are different.

Network protocols always provide at least one method for locating and connecting to a particular service on a network. This is usually accomplished by converting a node or service name to a network address (name resolution). NetBIOS service names must be resolved to an IP address before connections can be established with TCP/IP. Most NetBIOS implementations for TCP/IP accomplish name-to-address resolution by using either broadcast or LMHOSTS files. In a Microsoft environment, you would probably also use a NetBIOS Name Server known as WINS.

NetBEUI Explained

NetBEUI is an enhanced version of the NetBIOS protocol used by network operating systems. It formalizes the transport frame that was never standardized in NetBIOS and adds additional functions. It is the transport-layer driver frequently used by Microsoft's LAN Manager. NetBEUI implements the OSI LLC2 protocol. NetBEUI is the original PC networking protocol and interface designed by IBM for the LAN Manager Server. This protocol was later adopted by Microsoft for their networking products. It specifies the way that higher-level software sends and receives messages over the NetBIOS frame protocol. This protocol runs over the standard 802.2 data-link protocol layer.

NetBIOS Scopes

A NetBIOS Scope ID provides an extended naming service for the NetBIOS over TCP/IP (known as NBT) module. The primary purpose of a NetBIOS scope ID is to isolate NetBIOS traffic on a single network to only those nodes with the same NetBIOS scope ID. The NetBIOS scope ID is a character string that is appended to the NetBIOS name. The NetBIOS scope ID on two hosts must match, or the two hosts will not be able to communicate. The NetBIOS Scope ID also allows computers to use the same computer name as long as they have different scope IDs. The Scope ID becomes a part of the NetBIOS name, making the name unique.

Increase the shutdown speed of the PC

Posted on by Ajit

Increasing XP shutdown speed
Increasing shutdown speed by reducing wait times:

Windows XP stores a couple of values in its registry which are responsible for determining how long to wait before shutting down (killing) open applications and services once the shutdown command has been given.

By editing these two settings and changing them to lower values, you can considerably decrease the amount of time that Windows XP needs to successfully shut itself down. The first part of this tweak deals with setting the amount of time Windows will take to kill open applications on shutdown.

Open REGEDIT and navigate to 'HKEY_CURRENT_USER\Control Panel\Desktop\'
Highlight the 'WaitToKillAppTimeout' value.
Set it to '1000' (the default should be 20000).
Now highlight the 'HungAppTimeout' value
Set it to '1000' also.

------------------------------------------------------------------
FOR ALL USERS

Increasing shutdown speed by reducing wait times:

The second part of this tip changes the same settings, this time for all users on the system.

Open REGEDIT and navigate to 'HKEY_USERS\.DEFAULT\Control Panel\Desktop'
Highlight the 'WaitToKillAppTimeout' value.
Set it to '1000' (the default should be 20000).
Now highlight the 'HungAppTimeout' value.
Set it to '1000' also.

Hiding your IP

Posted on by Ajit

You could try reading about wingates, socks and proxies (oh, before I forget, turn off Java, JavaScript, cookies, What's Related, and Smart Update ... if you are using IE you're not very smart). Also try installing a firewall, or DHCP, or you can learn from me!
There are situations in which you may want to visit a site without leaving a trace of the visit. For instance, you want to check what's going on at your competitor's site. Your visit will generate a record in the log file. Frequent visits will generate many records. Do you want to know what kind of records? See http://proxies.hotmail.ru/proxyck.htm, http://privacy.net/, http://www.leader.ru/cgi-bin/go?who or http://www.anonymizer.com/3.0/snoop.cgi - they will tell you some scary info about what can be told about your computer via the internet.
Note that these tests are not very sophisticated. A dedicated "snooper" can often learn much more. Once I came across a server that tried to connect to my computer's disk while I was browsing ... that was an exciting experience. You should also remember about things like cookies (http://www.illuminatus.com/cookie.fcgi), hostile applets and JavaScripts, browser security holes and so on. So why don't we send someone instead of ourselves? Good idea.
Step #1-Determine your IP address:
To determine your IP address, go to http://megawx.aws.com/support/faq/software/ip.asp
Every computer connected to the Internet has a unique identifier called an IP address. On many networks, the IP address of a computer is always the same. On other networks, a random IP address is assigned each time a computer connects to the network. This is what we are referring to when we ask if you have a static or a dynamic IP address. If a system uses dynamic addressing, the IP can change quite often.
Step #2-Get Anonymous:
Method #1: Anonymizer
One can surf anonymously with the help of a nice service called the Anonymizer x (http://www.anonymizer.com/3.0/index.shtml). Check their site and just type a URL you want to visit -- the Anonymizer does the job for you, securing you from many potential dangers. When you follow a link on a page viewed via the Anonymizer you get there via the Anonymizer again, so you don't have to type a new URL. You can choose between pay or free service, but free service implies certain limitations such as 30 seconds delay before pages are loaded, and only HTTP (pay service allows FTP and HTTPS). There are a few sites that are inaccessible via the Anonymizer, e.g. some of the Web-based free e-mail services.
The Anonymizer has two more nice features. Firstly, there are WWW sites that are inaccessible from one place, but easily accessible from another. Once I was trying to load a page located in Australia for 20 minutes, all in vain. Using the Anonymizer immediately solved the problem. Secondly, there are certain sites that give you information depending on where you are "calling" from. Let's take an example. I was at Encyclopædia Britannica site, trying to check the price for their products. Clicking on Order Information button gave me the list of Britannica's dealers all over the world, no price info. Going to the same place via the Anonymizer led me to a different page, where I found the price list. As it turned out the local dealer's price for Encyclopædia Britannica CD'97 was several times higher than the one at which it's sold in USA. Good savings!
The Anonymizer is probably one of the most popular tools for anonymous surfing, but definitely not the only one. More and more similar services are emerging. A good alternative is JANUS (http://www.rewebber.de/) located in Germany. Janus is free, fast and can also encrypt the URL. Here is a quotation from their FAQ:
JANUS is able to encrypt URLs (uniform resource locator) in a way that these can be used as reference for a server. If a request with an encrypted URL occurs, JANUS is able to decrypt the URL and forward it to the server, without enabling the user to get knowledge about the server address. All references in the servers response are again encrypted before the response is forwarded to the client.
Method #2: Proxy Servers
One can also anonymize one's web surfing by using a proxy server. Proxy servers are similar to the Anonymizer, i.e. web pages are retrieved by the proxy server rather than by the person actually browsing the Web (you). But there are several important distinctions: proxy servers don't help with cookies, hostile applets or code. In most cases they do just one thing: they conceal your real geographic location.
Most proxy servers restrict access based on the IP address from which a user connects to them. In other words, if you have an account with Bluh-Bluh-Com, you can't use La-Di-Da-Net's proxy server; access will be denied. Fortunately you can always find a "kind-hearted" proxy server on the Net whose owners openly state that the service is publicly available, or a proxy server that, for whatever reason, doesn't restrict access, but the fact is not known to everyone.
How do you find a "kind-hearted" proxy server? Good news for lazy people: there are many lists of available proxy servers: http://tools.rosinstrument.com/cgi-bin/dored/cgi-bin/fp.pl/showlog
For those who are not so lazy: find your own proxy server, it's real easy. Go to Altavista (www.altavista.com) and type something like +proxy +server +configuration +port, and you'll get the list of Web pages where ISPs give complete instructions to their users of how they should configure their browsers. Try every proxy address and after 5 or 7 failures you will surely find a proxy server that works for you. So let's say you have found a proxy, e.g.: some.proxy.com, HTTP port 8080. To make your browser use a proxy server fill out the corresponding fields in Manual Proxy Configuration tab (hope you can find it yourself).
In Netscape Communicator do this:
Edit - Preferences - Advanced - Proxies - Manual proxy configuration - View, and for HTTP and FTP type name of your proxy server (example: proxy.siol.net) and port number (example 3128).
In Internet Explorer 4.0 do this:
View - Internet Options - Connection - mark "Access the Internet using a proxy server". At ADDRESS type name of the server (example: proxy.siol.net) and at PORT type port number (example: 3128), click on advanced button and mark "Use the same proxy server for all protocols".
Once you have carried out this simple operation, you can start surfing the Web leaving traces as if you are from Bulgaria, USA, North Korea (that would be fun!) or somewhere else, but ...there is one more very important privacy concern, "Is My Proxy Anonymous?"
Is My Proxy Anonymous?
Not all proxy servers are truly anonymous. Some of them let the system administrator of the site that you visit via a proxy server find out the IP address from which the proxy server is accessed, i.e. your real IP address. You can perform an anonymity check test: http://www.tamos.com/bin/proxy.cgi
If you get the message "Proxy server is detected!" then there is a security hole in your proxy, and information about your real IP address will be listed. If the message is "Proxy server is not detected", everything should be OK. In any case, carefully study the list of IP addresses that is returned by this online tool. None of them should belong to you. You can also use alternative tests to check if your browser is anonymous. Such tests can give a complete list of the parameters your browser passes to a remote server (these are called Environment Variables). Proxys-4-All (http://proxys4all.cgi.net/tools.html) maintains a long list of environment checkers.
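Seen from the other side, the "Proxy server is detected" test above is just a web server inspecting the headers a forwarding proxy adds and comparing them with the TCP peer address. The following is an added example (not code from any of the tools linked in the text) of that check as a site administrator could run it over incoming requests and write to the access log; the header names are the de-facto ones proxies add, and the request samples are constructed.

```python
"""What a site's web server can tell about a proxied visitor: the check that the
"Is My Proxy Anonymous?" tools above run, seen from the administrator's side.

Added example, not code from any of the tools the text links to. It looks at
the headers that forwarding proxies commonly add (Via, X-Forwarded-For,
X-Real-IP, Forwarded) next to the TCP peer address; the request samples are
constructed for the example.
"""
import ipaddress
import re

# Headers whose presence alone reveals that a proxy handled the request.
PROXY_MARKERS = ("via", "x-forwarded-for", "forwarded", "x-real-ip", "proxy-connection")
# Headers in which a non-anonymous proxy passes the original client address.
CLIENT_IP_HEADERS = ("x-forwarded-for", "x-real-ip", "forwarded")


def _addresses_in(value: str) -> list[str]:
    """Return every syntactically valid IP address found in a header value."""
    found = []
    for token in re.findall(r"[0-9A-Fa-f:.]+", value):
        try:
            found.append(str(ipaddress.ip_address(token)))
        except ValueError:
            continue  # not an address (a port number, 'for', a version, ...)
    return found


def classify_request(remote_addr: str, headers: dict) -> dict:
    """Classify one request the way the online anonymity checkers do.

    remote_addr is the TCP peer the server accepted the connection from; with a
    proxy in the path that is the proxy's address, not the visitor's.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    markers = [k for k in PROXY_MARKERS if k in lower]
    leaked = []
    for key in CLIENT_IP_HEADERS:
        if key in lower:
            leaked += [a for a in _addresses_in(lower[key]) if a != remote_addr]
    if leaked:
        level = "transparent"  # proxy detected AND the visitor's address is exposed
    elif markers:
        level = "anonymous"    # proxy detected, but it does not say who is behind it
    else:
        level = "undetected"   # indistinguishable from a direct connection
    return {"level": level, "seen_from": remote_addr,
            "proxy_headers": markers, "leaked_addresses": sorted(set(leaked))}


def log_line(remote_addr: str, headers: dict) -> str:
    """One line an administrator could write to the access log for later review."""
    r = classify_request(remote_addr, headers)
    client = r["leaked_addresses"][0] if r["leaked_addresses"] else remote_addr
    hdrs = ",".join(r["proxy_headers"]) or "-"
    return f"{remote_addr} proxy={r['level']} client={client} hdrs={hdrs}"


# Constructed requests: a direct visit, then the same visitor through two proxies.
SAMPLE_REQUESTS = {
    "direct": ("198.51.100.7", {"Host": "example.test", "User-Agent": "Mozilla/4.0"}),
    "transparent_proxy": ("203.0.113.5", {
        "Host": "example.test",
        "Via": "1.1 proxy.example.test:3128 (squid)",
        "X-Forwarded-For": "198.51.100.7",
    }),
    "anonymous_proxy": ("203.0.113.5", {
        "Host": "example.test",
        "Via": "1.1 proxy.example.test:3128 (squid)",
    }),
}

if __name__ == "__main__":
    for label, (peer, hdrs) in SAMPLE_REQUESTS.items():
        print(f"{label:<18} {log_line(peer, hdrs)}")
```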
Final Considerations
In spite of all of the above ... use proxies only when it's necessary. Working via proxy servers slows down the data transfer rate and is an additional load on the network and the servers. Another important thing that is often forgotten by many people: use proxies for legal purposes. Hiding your identity is ok (at least in the free world) as long as you want to visit a site that offers, say, pornography. But if you use a proxy server for purchasing CDs or software with a bogus credit card number there is a good chance that you'll end up in prison, let alone the moral aspects. Remember, all the connections are logged, and if you violate the law you can be tracked down. The site administrator can check the logs and contact the proxy's administrator, he can in turn check his own logs and find your real IP address, then they both will contact your ISP, and your ISP keeps logs too ... Anyway, I hope you got it.
Specially for paranoiacs
Look, different tools described above can be chained! For example you set up your browser to use Proxy A, and you know the addresses and port numbers of 2 more servers Proxy B and Proxy C. The URL that you type should look something like that: http://proxyB:port/http://proxyC:port/http://www.whereyougo.com/ As the result you go to the site via 3 servers: A,B and C. One of them can be the Anonymizer. WARNING: Not all the proxy servers allow chains like that. I won't answer your messages asking me why it doesn't work in your particular case!
Using SocksCap for anonymity in non HTTP applications (telnet, ftp, ICQ, RealPlayer, and so on)
What is SocksCap?
What is the current version?
What is the difference between SocksCap, SocksCap16, and SocksCap32?
Do I need to run SocksCap16, SocksCap32, or both?
Where do I get SocksCap?
Is SocksCap free? Is the source code available?
Will it work with all stacks and applications?
How do I know if it works with my stack and application?
What happens if I start SocksCap16 AFTER a WinSock application is already running?
What if I close SocksCap16 before closing a WinSock application?
Will I need to run ftp in PASV mode?
When I close SocksCap16 in Windows 95 or Windows for Workgroups, it tells me "Exiting SocksCap may cause some network connections to become unstable." I have already closed all the client applications.
Is SocksCap Y2K?
Can I use SocksCap32 with RealPlayer 5.0 and 6.0?
Can I use SocksCap32 with Internet Explorer 4.0 in desktop mode or on Windows 98? What about Internet Explorer 5.0?
What do I enter for SOCKS server and port in SocksCap Setup?
--------------------------------------------------------------------------------
What is SocksCap?
SocksCap automatically enables Windows-based TCP and UDP networking client applications to traverse a SOCKS firewall. SocksCap intercepts the networking calls from WinSock applications and redirects them through the SOCKS server without any modification to the original applications or to the operating system software or drivers.
What is the current version?
The current version of SocksCap16 (16-bit) is 1.02. The current release version of SocksCap32 (32-bit) is 1.03. A beta version of SocksCap32 (Version 2, Beta 3) is also available.
What is the difference between SocksCap, SocksCap16, and SocksCap32?
SocksCap refers to the 16- and 32-bit versions. SocksCap16 is the 16-bit version. SocksCap32 is the 32-bit version.
Do I need to run SocksCap16, SocksCap32, or both?
For Windows 3.1 and Windows for Workgroups 3.11, run SocksCap16.
For Windows 95 and Windows 98, you need SocksCap32 for the 32-bit applications. If you are running 16-bit applications under Windows 95 or Windows 98, you need SocksCap16 for those applications. You can run SocksCap16 and SocksCap32 simultaneously under Windows 95 and Windows 98 to handle both 16- and 32-bit applications.
Under Windows NT, use SocksCap32 for 32-bit applications. SocksCap16 does not run under Windows NT.
Where do I get SocksCap?
SocksCap is available for download through the SOCKS Web site at: http://www.socks.nec.com/.
Is SocksCap free? Is the source code available?
The software is available freely through the SOCKS web site. It is NOT in the public domain. Use and distribution is restricted and subject to certain agreements. Please read the full copyright, license terms, and restrictions in the file named "LICENSE.TXT" or "COPYRIGH.TXT" in the distribution. Source code is not available.
Will it work with all stacks and applications?
SocksCap functions independently from the applications and the stack. It needs to make some assumptions about the application and the stack implementations. Therefore, it will not work with every application and every stack. NEC USA has only tested SocksCap32 with Microsoft's 32-bit stack.
How do I know if it works with my stack and application?
The best way to find out is to try it. You may refer to the scorecard of applications and stacks with which SocksCap users have reported success or failure. Download the list from the SocksCap section at http://www.socks.nec.com/. Volunteers provide the information in the scorecard. The list is not complete and quickly becomes outdated. We greatly appreciate your additions and updates to the scorecard.
What happens if I start SocksCap16 AFTER a WinSock application is already running?
Start SocksCap16 before other WinSock applications. If SocksCap16 sees a request come from an application run prior to starting SocksCap16, it attempts to make all connections directly for that application. Beware that the application may become unstable.
What if I close SocksCap16 before closing a WinSock application?
SocksCap16 must remain running until after you close all network applications. When you attempt to close SocksCap16 and there are still active connections, SocksCap16 displays a warning and gives you a chance to cancel the exit. This does not apply to SocksCap32.
Will I need to run ftp in PASV mode?
FTP may experience problems, depending on the application and stack. Try running without PASV. If that does not work, try PASV.
When I close SocksCap16 in Windows 95 or Windows for Workgroups, it tells me "Exiting SocksCap may cause some network connections to become unstable." I have already closed all the client applications.
SocksCap16 notices that the "WSASRV" process is still running. Add "WSASRV" to the Direct Applications list in the SocksCap16 setup dialog.
Is SocksCap Y2K?
All dates and times in SocksCap16 and SocksCap32 are manipulated using structures from the operating system. As long as the OS and libraries are Y2K (year 2000 compliant), SocksCap should not have any problems.
Can I use SocksCap32 with RealPlayer 5.0 and 6.0?
Yes, but you need to configure RealPlayer so that it does not start up in the system tray. To do this in RealPlayer 5.0, select Preferences in the View menu. Click on the Advanced tab. Clear the check box for "Allow RealPlayer to run in the system tray." In RealPlayer 6.0, select Preferences in the Options menu. Under the General tab, clear the check box for "Allow SmartStart to run in the system tray."
Can I use SocksCap32 with Internet Explorer 4.0 in desktop mode or on Windows 98? What about Internet Explorer 5.0?
Although SocksCap32 will not socksify your entire desktop, it is possible to browse with Internet Explorer 4.0 in desktop mode or on Windows 98 with SocksCap32. Select Internet Options in Internet Explorer's View menu. Under the Advanced tab, check the "Browse in a new process" box. Then open an individual Internet Explorer process by starting it from SocksCap32.
For Internet Explorer 5.0, select Internet Options in Internet Explorer's Tools menu. Under the Advanced tab, check the "Launch browser windows in a separate process" box. Under the Connections tab, click the LAN Settings button. Clear check box for "Automatically detect settings."
What do I enter for SOCKS server and port in SocksCap Setup?
Enter the address and port of the SOCKS server you need to traverse. If you are not sure what those are, contact your ISP, network administrator, or firewall administrator for your site or consult a list 1080.htm.
--------------------------------------------------------------------------------

FTP-Hacking

Posted on by Ajit

What Is FTP and What Is It Good For?
------------------------------------
The word FTP (see footnote 1 below) stands for File Transfer Protocol(1).
FTP servers let you both download (retrieve a file from the server) and upload (send a file to the server) files with great ease (if you have permission to do so).
You browse through a remote FTP site the same way you browse through your own computer's files and directories (of course, you don't have read and/or write access to every file on the system, and some files you can't even see).

FTP Commands
------------
The following are several basic FTP commands. To communicate with FTP daemons(7), connect to port(2) 21 and then use the following commands (see footnote 2 below) to communicate with the FTP server:
cd change directory (on the server)
lcd change local directory (when sending a file, the path(4) of the specified file will be the path you specify on lcd)
dir,ls directory listing
binary change mode to binary transfer
get retrieve a file
mget retrieve many files
put send a file
mput send many files
pwd print working directory on the server
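The commands above are what you type into the ftp client; the client turns them into the verbs of RFC 959 on the port 21 control connection and reads back three-digit replies. The following is an added example (not code from this tutorial) that maps the listed client commands to those verbs and parses a constructed server transcript, including the multi-line greeting and the 227 reply that PASV mode returns; nothing connects to a real server.

```python
"""Parse FTP control-channel replies (RFC 959) and map the client commands listed
above to the verbs actually sent on port 21.

Added example, not code from the tutorial. The server transcript is
constructed; nothing connects to a real server.
"""
import re

# Command typed in the ftp client -> what goes over the control connection.
# lcd never reaches the server: it only changes the client's local directory.
CLIENT_TO_PROTOCOL = {
    "cd": "CWD <dir>",
    "lcd": None,
    "dir": "LIST",
    "ls": "NLST",
    "binary": "TYPE I",
    "get": "RETR <file>",
    "mget": "RETR <file> (once per matching file)",
    "put": "STOR <file>",
    "mput": "STOR <file> (once per matching file)",
    "pwd": "PWD",
}

REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")
PASV_TUPLE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def reply_class(code: int) -> str:
    """The first digit of a reply code tells the client what to do next."""
    return {1: "positive preliminary", 2: "positive completion",
            3: "positive intermediate", 4: "transient negative",
            5: "permanent negative"}.get(code // 100, "invalid")


def parse_replies(text: str) -> list[tuple[int, str]]:
    """Split server output into (code, message) pairs.

    A multi-line reply opens with 'ddd-' and ends at the next line that starts
    with the same 'ddd ' (RFC 959 section 4.2); everything in between belongs to it.
    """
    lines = text.splitlines()
    replies, i = [], 0
    while i < len(lines):
        m = REPLY_LINE.match(lines[i])
        if not m:
            raise ValueError(f"malformed reply line: {lines[i]!r}")
        code, sep, msg = m.groups()
        parts = [msg]
        if sep == "-":
            i += 1
            while i < len(lines) and not lines[i].startswith(code + " "):
                parts.append(lines[i])
                i += 1
            if i == len(lines):
                raise ValueError(f"unterminated multi-line reply {code}")
            parts.append(lines[i][4:])
        replies.append((int(code), "\n".join(parts)))
        i += 1
    return replies


def parse_pasv(message: str) -> tuple[str, int]:
    """Turn the (h1,h2,h3,h4,p1,p2) tuple of a 227 reply into (host, port)."""
    m = PASV_TUPLE.search(message)
    if not m:
        raise ValueError("227 reply carries no (h1,h2,h3,h4,p1,p2) tuple")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("PASV tuple element out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


# Constructed transcript of what a server sends for: USER, PASS, PWD, TYPE I,
# PASV, RETR README, QUIT (the client's own lines are not part of the replies).
SAMPLE_SESSION = """\
220-Welcome to the constructed example FTP server.
220 Service ready for new user.
331 User name okay, need password.
230 User logged in, proceed.
257 "/pub" is current directory.
200 Type set to I.
227 Entering Passive Mode (192,0,2,10,195,89).
150 Opening BINARY mode data connection for README (1234 bytes).
226 Transfer complete.
221 Goodbye.
"""


def data_connection_for(session_text: str) -> tuple[str, int]:
    """Find the 227 reply in a transcript and return the data endpoint it announces."""
    for code, msg in parse_replies(session_text):
        if code == 227:
            return parse_pasv(msg)
    raise ValueError("no PASV reply in transcript")


if __name__ == "__main__":
    for code, msg in parse_replies(SAMPLE_SESSION):
        print(f"{code} [{reply_class(code)}] {msg.splitlines()[0]}")
    print("data connection:", data_connection_for(SAMPLE_SESSION))
```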

Footnotes
+++++++++
1. For thousands of computer-related acronyms and abbreviations head to blacksun.box.sk and download the file called acros.txt from the projects page.
2. If you don't feel like typing stupid commands, there are lots of FTP clients(5) who will do all the work for you, but fortunately some will still show you all the commands they use so you'll be able to learn new commands.
You can download FTP clients for every Operating System from TUCOWS. Simply go to the nearest TUCOWS mirror site(3) or go directly to www.tucows.com.


FTP Hacking
-----------
Since there are so many FTP holes for so many FTP server programs and so many Operating Systems, I decided that the best way is simply to explain to you how to find information about security holes by yourself.
I will also introduce several interesting FTP security holes near the end of this section.
To find FTP exploits, try searching the following websites (or join the BugTraq mailing list at www.securityfocus.com):
CERT (Computer Emergency Response Team) - http://cert.org
X-Force Search (simplest) - http://www.iss.net/cgi-bin/xforce/xforce_index.pl
Packet Storm - packetstorm.genocide2600.com
BugTraq Archives - http://www.securityfocus.com/level2/bottom.html?go=search
Fyodor's Exploit World - http://www.insecure.org/sploits.html
Spikeman's Denial Of Service Website (for DoS(9) attacks against FTP servers) - http://www.genocide2600.com/~spikeman/
RootShell - http://www.rootshell.com
Slashdot - http://www.slashdot.org
Data - http://www.hideaway.net/data.html

After you get to one of the search sites listed above (I recommend the BugTraq Archives) search for the keywords you want.
For example: you find out(5) that your target is using this OS with this FTP server and this Webserver program etc'. Try combining all of those pieces of information and I'm sure you'll find the holes that fit you the most.
You can also try searching for holes on your own computer.
Speaking about holes, we will explain about many security holes on the upcoming Sendmail tutorial (see blacksun.box.sk).
Now, for several selected FTP holes.

Selected FTP Holes
******************
The following FTP holes aren't new or extraordinary or incredibly fantastic or anything of that sort of matter. They're just good for learning.
I picked some interesting FTP holes and have written a small explanation about them just to get the newbies started.
Note: the sites I got these from aren't "evil hacking sites". These explanations are called advisories and they are meant to be used by people who want to fix bugs on their systems. Whether you use them for that purpose or others is none of our business.

1) Some FTP daemons allow a premature PASV command, which can cause some FTP daemons to crash with a core dump(9). FTP core dumps can be used to salvage encrypted passwords, bypassing any shadow password scheme.
It is not known exactly which servers are immune to this and which are not, and the only workaround right now is to get a newer FTP server program.
Also see http://www.genocide2600.com/~spikeman/bisonware3.html for a DoS(9) attack against BisonWare FTP Server 3.5 similar to this hole.

2) FTP Bounce Attack (too long, see http://www.netspace.org/cgi-bin/wa?A2=ind9507B&L=bugtraq&P=R1425 (From BugTraq))

3) Local bug in FTP Daemon (too long, see http://www.netspace.org/cgi-bin/wa?A2=ind9507B&L=bugtraq&P=R1345 (From BugTraq))

4) (Quoted in part from BugTraq) Impact: Anybody from outside can shutdown your pc ftp server. And if u are under win3.1 the system will crash.
Program: WinQVT/NET
Version: All versions.. 16 and 32 bits
Solution.. dont use it or upgrade
Exploit: Just Send a OOB (Out of Band) to port 21,
Exploit for dummies: Take any winnuke, start it, and when u find a "139" change it to "21" instead.
OK, I know this is stupid....... :P. But maybe somebody will need it.. who knows...
Note: A patched version of NT 4.0 isn't vulnerable to this running MS's FTP server. I haven't had a chance to test an unpatched server, but IIRC, I did check the FTP port when the OOB problem was first reported and it didn't cause a crash.

Newbies Corner
--------------
1. Protocol - a set of rules and regulations, similar to a language. When two computers know the same protocol, they can use it to communicate with each other.

2. Port - (for the more technical explanation of what ports are, see the end of this explanation) ports are like holes that enable things (data, in this case) to come in or out of them.
There are physical ports and software ports on your computer. Physical ports are those slots on the back of your computer, your monitor etc'. Now, software ports are used when connecting to other computers.
For example: I just bought a new computer and I want to turn it into a webserver (I want to enable people to access selected web pages, pictures, cgi and java scripts or applets, programs etc' that are located on my computer). In order for that to happen, I need to install webserver software.
The webserver software opens a port on my computer and names it port 80. Then it listens to incoming connections on that port.
When someone starts his Internet browser (Netscape, Lynx, Microsoft Explorer etc') and surfs to my website, his browser connects to my computer on port 80 and then sends HTTP commands that my webserver program can understand into it.
My webserver program quickly picks up the incoming data and then sends it back into a port that the surfer's browser opened on the surfer's computer. The browser will listen on that port and wait for the data (the HTML page, the picture, the program etc') to come in through it.
There are different ports for different services (we'll get to that) so data won't mix up. Imagine your browser getting data your FTP client was supposed to get.
I hope you got the main idea of what a port is.
Now, there are three kinds of ports: well-known ports, registered ports and dynamic/private ports.
The well known ports are those from 0 through 1023. These are default ports for several services (a webserver is a service because it listens for connections from remote computers and then sends something back). For example: the default port for webservers is 80. Otherwise, how would your browser know which port it has to access?
Now, the registered ports are those from 1024 through 49151. These ports are reserved for several programs. For example: ICQ (www.icq.com) reserves a port and listens to incoming messages on it.
The dynamic and/or private ports are those from 49152 through 65535, and can be used by anyone for any given purpose.

"Techy Explanation" - To grant simultaneous access to the TCP module, TCP provides a user interface called a port.
Ports are used by the kernel to identify network processes. These are strictly transport layer entities (that is to say that IP couldn't care less about them).
Together with an IP address, a TCP port provides an endpoint for network communications.
In fact, at any given moment *all* Internet connections can be described by 4 numbers: the source IP address and source port and the destination IP address and destination port.
Servers are bound to 'well-known' ports so that they may be located on a standard port on different systems.
For example, the telnet daemon sits on TCP port 23, the FTP daemon sits on TCP port 21, the rlogin daemon sits on TCP port 513 etc'.

Important note about well-known ports: services (daemons waiting for incoming connections that serve people in some way) on these ports can only be run by root, so unprivileged users can't start messing with important ports.

3. Mirror site - a website that is an exact copy of the original website but hosted on a different server.
Mirror sites can be used to speed up downloads/uploads. For example: instead of downloading/uploading from/to the main tucows webserver, located somewhere distantly from my home, I can simply do it from one of their Israeli mirrors (mirror site located in Israel, my country) and that way the downloads/uploads would go faster.

4. Path - UNIX example: if a file is located at /etc/passwd, the file's path would be /etc.
DOS/Windows example: if a file is located at c:\windows\win.exe, the file's path would be c:\windows.
There are two kinds of paths: a complete path and a relative path.
Complete path on DOS/Windows: if the file is located on c:\program files\quickview plus\ then this is the file's complete path.
Complete path on UNIX: if the file is located at /usr/local/sbin then this is the file's complete path.
Relative path on DOS/Windows: if the current directory (the directory you are on at the moment) is c:\windows and the target file is located at c:\windows\temp then the relative path to this file is temp.
Relative path on UNIX: if the current directory is /usr/nobody and the file is located at /usr/nobody/public_html/cgi-bin then the file's relative path is public_html/cgi-bin.

5. Client / Server programs - A client program is a program that uses a resource offered by another program/computer.
A server program is a program that supplies resources to client programs.
Example: Client=Netscape Navigator. Server=Apache version 1.6.6 (a webserver, meaning a program that lets people who use Internet browsers download specific web pages, pictures, files etc' from the computer it is installed on).

6. How to find out information about remote hosts - the best way to find out information is to look at daemon(6) banners. Daemon banners are small pieces of information some daemons return when connected to, so that the remote machine (the one connecting to the daemon) knows how to interact with them better.
Try connecting to port 80 (webserver) and sending some commands like get and then looking at the banner. You may also try Sendmail (see next tutorial) on port 25, Telnet on port 23, FTP on port 21 or whatever you can come up with.

7. Daemon - a program that listens for incoming connections from remote machines on a specified port(2) and interacts with them.

8. Root - also referred to as the superuser, because his permissions are endless. His UID (User ID number, an identification number every user on a UNIX system has) and GID (Group ID. You can create groups and give them several permissions. For example: everyone from the accounting department can read and execute all the files in this directory, etc') are always 0 (except on very altered boxes).
Once you are root, you can do practically anything on a system.
Core Dump - when a program crashes it dumps all the core (all the info it handles that isn't saved on disk, meaning all of the program's data that is in RAM) into a temporary file.

9. DoS - Denial of Service. A nuke in dummies language. Some kind of an attack that causes the target computer to deny some/all kinds of services to the users of that computer (including remote users).
For example: Winnuke (also known as OOB), the simplest DoS in the world.
(Taken from Spikeman's DoS site) This denial of service program affects Windows clients by sending an "Out of Band" exception message to port 139, which does not know how to handle it. This is a standard listening port on Windows operating systems. Users of Win 3.11, Win95, and Win NT are vulnerable to this attack. This program is basically a nuisance program, but it is being widely circulated over the internet now. It has become a bother in chatrooms and on IRC. By using your IP# and sending OOB data to port 139, malicious users can disconnect you from the net, often leaving you with low resources and the blue tinted screen. Some of you may have been victims already. If this happens to you on Win 95, you will see a Windows fatal error message similar to the following:
Fatal exception 0E at 0028: in VxD MSTCP(01) + 000041AE.
This was called from 0028: in VxD NDIS(01) + 00000D7C.
Rebooting the comp should return it to normal state.

Patches ("fixes") For WinNuke (OOB)
-=-=-=-=-=-=-=-=-=-=-=-
Additional Information on WinNuke
http://support.microsoft.com/support/kb/articles/Q168/7/47.asp
Windows 95 Patches
http://support.microsoft.com/download/support/mslfiles/Vipup11.exe
http://support.microsoft.com/download/support/mslfiles/Vipup20.exe (for Winsock 2.0*)
http://www.theargon.com/defense/nuke/index.html
Please read notes referring to 95 patches before installing.
Which version of Winsock do you have on your Windows 95 PC?
http://premium.microsoft.com/support/kb/articles/Q177/7/19.asp
http://www.theargon.com/defense/nuke/index.html
Windows NT 4.0 Patch
http://support.microsoft.com/support/kb/articles/Q143/4/78.asp
http://www.theargon.com/defense/nuke/index.html
Please read notes referring to Windows NT patches before installing.

More info on DoS attacks can be found at Spikeman's DoS site: http://www.genocide2600.com/~spikeman/main.html

* I do not know if it will work on newer versions of Winsock, so you'd better downgrade to Winsock 1.1 (the version that comes with Windows 95) by going to Control Panel, Network and removing TCP/IP and Dial Up Adapter(11) and then re-adding them (click add, choose protocol and in the company frame choose Microsoft and you'll find TCP/IP. For DUN do the same but choose adapter instead of protocol).
After you finish downgrading reupgrade to Winsock 2.0, apply the patch (Vipup20.exe) and then upgrade to newer versions of Winsock.

10. Flames - the action of flaming someone (send him angry mail about things he has done, opinions he has etc' which you do not agree with).

11. DUN - Dial Up Adapter. Basically it's the Windows program that dials to your ISP(12).

12. ISP - Internet Service Provider. A company that provides Internet services, such as Internet connectivity, web hosting, Email services etc'.

13. Distro - Distribution. Since UNIX is not a registered patent, trademark, copyrighted or whatever there are many distributions (software packages) of it. Every distro has its own advantages and disadvantages (example: Redhat is the best for beginners).

HACKING COMMANDS

Posted by Ajit

It is fun and often useful to create a file that is owned by someone else. On most systems with slack security, i.e. 99% of all UNIX systems, this is quite easily done. The chown command will change any of your files to make someone else the owner. Format is as follows:

chown ownername filelist

Where ownername is the new owner, and filelist is the list of files to change. You must own the file which you are going to change, unless you are a superuser....then you can change ANYTHING!

chgrp is a similar command which will change the group ownership on a file. If you are going to do both a chown and a chgrp on a file, then make sure you do the chgrp first! Once the file is owned by someone else, you can't change anything about it!

---------------------------------------------------------------

Sometimes just seeing who is on the system is a challenge in itself. The best way is to write your own version of who in C, but if you can't do that then this may be of some help to you:

who followed by one or more of the following flags:

-b  Displays the time the system was last booted.
-H  Precedes output with a header.
-l  Lists lines waiting for users to log on.
-q  Displays the number of users logged on.
-t  Displays the time the system clock was last changed.
-T  Displays the state field (a + indicates it is possible to send to the terminal, a - means you cannot).
-u  Gives a complete listing of those logged on.

**who -HTu is about the best choice for the average user**

##by the way, the list of users logged on is kept in the file /etc/utmp. If you want to write your own personalised version of who in C, you now know where to look!###

---------------------------------------------------------------

When a user's state field (see the -T flag option for the who command) says that a user has their message function on, this actually means that it is possible to get stuff onto their screen.

Basically, every terminal on the system has a file corresponding to it. These files can be found in the /dev directory. You can do anything to these files, so long as you have access - e.g. you can read them, and write to them, but you will notice that they never change in size. They are called character special files, and are really the link between the system and the terminals. Whatever you put in these files will go straight to the terminal it corresponds to.

Unfortunately, on most systems, when the user logs in, the "mesg n" command is issued which turns off write access to that terminal, BUT - if you can start cat-ing to that terminal before the system issues the mesg n command, then you will continue to be able to get stuff up on that terminal! This has many varied uses.

Check out the terminal, or terminal software being used. Often you will be able to remotely program another user's terminal, simply by 'cat-ing' a string to a user's screen. You might be able to set up a buffer, capturing all that is typed, or you may be able to send the terminal into a frenzy (sometimes a user will walk away without realizing that they are still effectively logged on, leaving you with access to their account!). Some terminal types also have this great command called transmit screen. It transmits everything on the screen, just as if the user had typed it!

So just say I wanted to log off a user, then I would send a clear screen command (usually ctrl-l), followed by "exit" followed by a carriage return, followed by the transmit screen code. Using this technique you can wipe people's directories or anything. My favourite is to set open access on all their files and directories so I can peruse them for deletion etc at my own leisure.

---------------------------------------------------------------

If you ever briefly get access to another person's account, e.g. they leave the room to go to the toilet or whatever, then simply type the following:

chmod 777 $HOME
chmod 777 $MAIL

Then clear the screen so they don't see what you just typed.

Now you can go look at their directory, and their mail, and you can even put mail in their mail file (just use the same format as any mail that is already there!). Next time they log in the system will automatically inform them they have new mail!

---------------------------------------------------------------

Another way to send fake mail to people is to use the mail server. This method produces mail that is slightly different to normal, so anyone who uses UNIX a bit may be suspicious when they receive it, but it will fool the average user!

type telnet

the following prompt will appear:

telnet>

now type:

open localhost 25

some crap will come up about the mail server..now type:

mail from: xxxxxx          Put any name you want.

some more bullshit will come up. Now type:

rcpt to: xxxxxx            Put the name of the person to receive mail here.

now type:

data

now you can type the letter...end it with a "."
type quit to exit once you are done.

-------------------------------------------------------------

Here's one for any experimenters out there...

It is possible to create files which simply cannot be deleted from the standard shell. To do this you will have to physically CREATE THE FILE USING A C PROGRAM or SCRIPT FILE, and you will have to use a sequence of control characters which cannot be typed from the shell. Try things like Ctrl-h (this is the code for the delete key). Just a file with the name Ctrl-h would not be deletable from the shell, unless you used wildcards. So, make it a nice long series of characters, so that to delete the file, the user has no choice but to individually copy all his files elsewhere, then delete everything in his directory, and then copy all his files back.....this is one of my favourites..gets em every time!

The following script file is an example which will create a file with the name Ctrl-h. You MUST type this file in using the vi editor or similar.
*****If you are not very good with vi, type "man vi" and print the help file...it even contains stuff that I find useful now and then.*****

type the following in vi...

echo '' > 'a^h'

***NOTE...to get the ^h (this really means ctrl-h) from vi type:

Ctrl v
Ctrl h

The Ctrl v instructs vi to take the next character as an ASCII character, and not to interpret it.
Change the access on the file you just created and now execute it. It will create a file which looks like it is called a, but try to delete it!..use wildcards if you really want to delete it.
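
Files like the one above are easy to find once you know to look for them. The following Python is an added example, not part of the original text: it builds a throwaway directory containing a name with a Ctrl-H in it (the "a" + backspace file from the vi script) and reports every entry whose name carries control characters or leading/trailing whitespace, printing the name with escapes so it can be removed by its exact name rather than by wildcard. All file names here are constructed; GNU `ls -b` gives the same escaped view at the shell.

```python
"""Spot directory entries whose names hide control characters, e.g. the
"a" + Ctrl-H file created above. Added example; the directory and the
file names are constructed here, nothing is read from the original text.
"""
import os
import tempfile


def is_hidden_name(name: str) -> bool:
    """True if a name would look misleading in a plain listing: it contains
    a control character (ASCII 0x00-0x1F or DEL), or leading/trailing
    whitespace that a terminal simply swallows."""
    has_control = any(ord(c) < 0x20 or ord(c) == 0x7F for c in name)
    return has_control or name != name.strip()


def suspicious_names(names):
    """Return (raw_name, escaped_name) pairs for every misleading name.
    The escaped form (Python repr) shows the bytes a terminal would hide,
    so the entry can be removed by its exact name instead of by wildcard."""
    return [(n, repr(n)) for n in names if is_hidden_name(n)]


def scan_dir(path: str):
    """Apply the check to one directory (non-recursive)."""
    return suspicious_names(os.listdir(path))


def demo():
    """Build a temporary directory with a few constructed names and scan it."""
    with tempfile.TemporaryDirectory() as d:
        # 'a\b' is the file the vi script above creates: 'a' then Ctrl-H.
        # '\x1b[2J' is a terminal clear-screen sequence hidden in a name.
        for name in ("a\b", "a", "normal.txt", "evil\x1b[2J"):
            open(os.path.join(d, name), "w").close()
        return scan_dir(d)


if __name__ == "__main__":
    for raw, escaped in demo():
        print("hidden control characters in name:", escaped)
```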



Title: Tutorial on hacking through a UNIX system

In the following file, all references made to the name Unix may also be substituted with the Xenix operating system.

Brief history: Back in the early sixties, during the development of third generation computers at MIT, a group of programmers studying the potential of computers discovered their ability to perform two or more tasks simultaneously. Bell Labs, taking notice of this discovery, provided funds for their developmental scientists to investigate this new frontier. After about 2 years of developmental research, they produced an operating system they called "Unix".

Sixties to Current: During this time Bell Systems installed the Unix system to provide their computer operators with the ability to multitask so that they could become more productive and efficient. One of the systems they put on the Unix system was called "Elmos". Through Elmos many tasks (i.e. billing and installation records) could be done by many people using the same mainframe.

Note: Cosmos is accessed through the Elmos system.

Current: Today, with the development of micro computers, such multitasking can be achieved by a scaled down version of Unix (but just as powerful). Microsoft, seeing this development, opted to develop their own Unix like system for the IBM line of PC/XTs. Their result they called Xenix (pronounced zee-nicks). Both Unix and Xenix can be easily installed on IBM PCs and offer the same function (just 2 different vendors).

Note: Due to the many different versions of Unix (Berkeley Unix, Bell System III, and System V the most popular) many commands following may/may not work. I have written them in System V routines. Unix/Xenix operating systems will be considered identical systems below.

How to tell if/if not you are on a Unix system: Unix systems are quite common systems across the country. Their security appears as such:

Login; (or login;)
password:

When hacking on a Unix system it is best to use lowercase because the Unix system commands are all done in lowercase. Login; is a 1-8 character field. It is usually the name (i.e. joe or fred) of the user, or initials (i.e. j.jones or f.wilson). Hints for login names can be found by trashing the location of the dial-up (use your CN/A to find where the computer is). Password: is a 1-8 character password assigned by the sysop or chosen by the user.

Common default logins
--------------------------
login;    Password:
root      root,system,etc..
sys       sys,system
daemon    daemon
uucp      uucp
tty       tty
test      test
unix      unix
bin       bin
adm       adm
who       who
learn     learn
uuhost    uuhost
nuucp     nuucp

If you guess a login name and you are not asked for a password, and have accessed the system, then you have what is known as a non-gifted account. If you guess a correct login and password, then you have a user account. And, if you get the root p/w you have a "super-user" account.
All Unix systems have the following installed to their system: root, sys, bin, daemon, uucp, adm. Once you are in the system, you will get a prompt. Common prompts are:

$
%
#

But can be just about anything the sysop or user wants it to be.

Things to do when you are in: Some of the commands that you may want to try follow below:

who is on    (shows who is currently logged on the system.)
write name   (name is the person you wish to chat with)
             To exit chat mode try ctrl-D. EOT=End of Transfer.
ls -a        (list all files in current directory.)
du -a        (checks amount of memory your files use; disk usage)
cd\name      (name is the name of the sub-directory you choose)
cd\          (brings your home directory to current use)
cat name     (name is a filename, either a program or documentation your username has written)

Most Unix programs are written in the C language or Pascal since Unix is a programmers' environment. One of the first things done on the system is to print up or capture (in a buffer) the file containing all user names and accounts. This can be done by doing the following command:

cat /etc/passwd

If you are successful you will see a list of all accounts on the system. It should look like this:

root:hvnsdcf:0:0:root dir:/:
joe:majdnfd:1:1:Joe Cool:/bin:/bin/joe
hal::1:2:Hal Smith:/bin:/bin/hal

The "root" line tells the following info:
login name=root
hvnsdcf = encrypted password
0 = user group number
0 = user number
root dir = name of user
/ = root directory

In the Joe login, the last part "/bin/joe" tells us which directory his home directory (joe) is. In the "hal" example the login name is followed by 2 colons, that means that there is no password needed to get in using his name.
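
A defender reads the same file for different reasons. The following Python is an added example, not taken from the tutorial: it parses passwd lines in the standard seven-field order (name:password:UID:GID:GECOS:home:shell) and flags the conditions a reviewer cares about: an empty password field like the "hal" entry, a UID 0 account under another name, a password hash visible in passwd itself (no shadow file, see hole 1 above), and two accounts sharing a UID. The sample lines are constructed, starting from the three the tutorial shows.

```python
"""Audit passwd-format lines for weak entries. Added example, not part of
the original tutorial; the sample data below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class PasswdEntry:
    name: str
    password: str   # "" = no password; "x"/"*"/"!" = hash kept elsewhere or login disabled
    uid: int
    gid: int
    gecos: str      # free-text description (the "root dir" / "Joe Cool" field)
    home: str
    shell: str


def parse_passwd(text: str) -> list[PasswdEntry]:
    """Parse the standard seven-field layout; anything else is an error,
    not something to guess at, because a malformed line may itself be the
    thing someone planted."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell))
    return entries


def audit_passwd(entries: list[PasswdEntry]) -> list[str]:
    """Return one finding per problem; an empty list means nothing flagged."""
    findings = []
    first_with_uid: dict[int, str] = {}
    for e in entries:
        if e.password == "":
            findings.append(f"{e.name}: empty password field, login needs no password")
        elif e.password not in ("x", "*", "!"):
            findings.append(f"{e.name}: password hash visible in passwd (not shadowed)")
        if e.uid == 0 and e.name != "root":
            findings.append(f"{e.name}: UID 0 under another name (second superuser)")
        if e.uid in first_with_uid:
            findings.append(f"{e.name}: shares UID {e.uid} with {first_with_uid[e.uid]}")
        else:
            first_with_uid[e.uid] = e.name
    return findings


# Constructed sample: the tutorial's three lines plus one planted UID 0 account.
SAMPLE = """\
root:hvnsdcf:0:0:root dir:/:
joe:majdnfd:1:1:Joe Cool:/bin:/bin/joe
hal::1:2:Hal Smith:/bin:/bin/hal
toor:x:0:0:backup admin:/root:/bin/sh
"""


def audit_text(text: str) -> list[str]:
    """Convenience wrapper: parse then audit."""
    return audit_passwd(parse_passwd(text))


if __name__ == "__main__":
    for finding in audit_text(SAMPLE):
        print(finding)
```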



Conclusion: I hope that this file will help other novice Unix hackers obtain access to the Unix/Xenix systems that they may find.

On the Security of UNIX
=-=-=-=-=-=-=-=-=-=-=-=

Recently there has been much interest in the security aspects of operating systems and software. At issue is the ability to prevent undesired disclosure of information, destruction of information, and harm to the functioning of the system. This paper discusses the degree of security which can be provided under the system and offers a number of hints on how to improve security. The first fact to face is that UNIX was not developed with security, in any realistic sense, in mind; this fact alone guarantees a vast number of holes. (Actually the same statement can be made with respect to most systems.)

The area of security in which UNIX is theoretically weakest is in protecting against crashing or at least crippling the operation of the system. The problem here is not mainly in uncritical acceptance of bad parameters to system calls (there may be bugs in this area, but none are known) but rather in lack of checks for excessive consumption of resources.

Most notably, there is no limit on the amount of disk storage used, either in total space allocated or in the number of files or directories. Here is a particularly ghastly shell sequence guaranteed to stop the system:

    while : ; do
        mkdir x
        cd x
    done

Either a panic will occur because all the i-nodes on the device are used up, or all the disk blocks will be consumed, thus preventing anyone from writing files on the device. In this version of the system, users are prevented from creating more than a set number of processes simultaneously, so unless users are in collusion it is unlikely that any one can stop the system altogether.

However, creation of 20 or so CPU or disk-bound jobs leaves few resources available for others. Also, if many large jobs are run simultaneously, swap space may run out, causing a panic. It should be evident that excessive consumption of disk space, files, swap space and processes can easily occur accidentally in malfunctioning programs as well as at command level. In fact UNIX is essentially defenseless against this kind of abuse, nor is there any easy fix. The best that can be said is that it is generally fairly easy to detect what has happened when disaster strikes, to identify the user responsible, and take appropriate action. In practice, we have found that difficulties in this area are rather rare, but we have not been faced with malicious users, and enjoy a fairly generous supply of resources which have served to cushion us against accidental overconsumption.

The picture is considerably brighter in the area of protection of information from unauthorized perusal and destruction. Here the degree of security seems (almost) adequate theoretically, and the problems lie more in the necessity for care in the actual use of the system. Each UNIX file has associated with it eleven bits of protection information together with a user identification number and a user-group identification number (UID and GID).

Nine of the protection bits are used to specify independently permission to read, to write, and to execute the file to the user himself, to members of the user's group, and to all other users. Each process generated by or for a user has associated with it an effective UID and a real UID, and an effective and real GID. When an attempt is made to access the file for reading, writing, or executing, the effective UID and GID of the process are compared with those of the file. When a file whose set-UID bit is on is executed, the effective UID for the process is changed to the UID associated with the file; the change persists until the process terminates or until the UID is changed again by another execution of a set-UID file. Similarly the effective group ID of a process is changed to the GID associated with a file when that file is executed and has the set-GID bit set. The real UID and GID of a process do not change when any file is executed, but only as the result of a privileged system call. The basic notion of the set-UID and set-GID bits is that one may write a program which is executable by others and which maintains files accessible to others only by that program.

The classical example is the game-playing program which maintains records of the scores of its players. The program itself has to read and write the score file, but no one but the game's sponsor can be allowed unrestricted access to the file lest they manipulate the game to their own advantage.

The solution is to turn on the set-UID bit of the game program. When, and only when, it is invoked by players of the game, it may update the score file but ordinary programs executed by others cannot access the score. There are a number of special cases involved in determining access permissions. Since executing a directory as a program is a meaningless operation, the execute-permission bit, for directories, is taken instead to mean permission to search the directory for a given file during the scanning of a path name; thus if a directory has execute permission but no read permission for a given user, he may access files with known names in the directory, but may not read (list) the entire contents of the directory.

Write permission on a directory is interpreted to mean that the user may create and delete files in that directory; it is impossible for any user to write directly into any directory. Another, and from the point of view of security, much more serious special case is that there is a ``super user'' who is able to read any file and write any non-directory. The super-user is also able to change the protection mode and the owner UID and GID of any file and to invoke privileged system calls. It must be recognized that the mere notion of a super-user is a theoretical, and usually practical, blemish on any protection scheme.

The first necessity for a secure system is of course arranging that all files and directories have the proper protection modes. Traditionally, UNIX software has been exceedingly permissive in this regard; essentially all commands create files readable and writable by everyone. In the current version, this policy may be easily adjusted to suit the needs of the installation or the individual user.

Associated with each process and its descendants is a mask, which is in effect ANDed with the mode of every file and directory created by that process. In this way, users can arrange that, by default, all their files are no more accessible than they wish. The standard mask, set by login, allows all permissions to the user himself and to his group, but disallows writing by others.
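
The protection bits, the set-UID mechanism and the login mask described above can be worked through in code. The Python below is an added example, not from the paper: it renders a mode the way ls does, applies a mask the way the system does (mode AND NOT mask), and audits a constructed listing for the cases the paper singles out, set-UID programs (especially those owned by the super-user) and files writable by everyone. The paths, modes and UIDs in the listing are constructed; the 0o002 login mask is the paper's stated default.

```python
"""Decode UNIX protection bits, apply a creation mask, and flag risky modes.
Added example, not part of the original paper; the listing is constructed.
"""
import stat


def mode_string(mode: int) -> str:
    """Render the twelve mode bits as ls does, e.g. 0o4755 -> 'rwsr-xr-x'
    (the 's' in the owner-execute slot is the set-UID bit)."""
    return stat.filemode(mode | stat.S_IFREG)[1:]


def apply_umask(requested: int, umask: int) -> int:
    """The mask is ANDed with the complement of every mode a process
    creates: a bit set in the mask is cleared from the new file."""
    return requested & ~umask & 0o7777


# The paper's default mask set by login: everything for user and group,
# no write permission for others.
LOGIN_UMASK = 0o002


def audit_listing(entries):
    """entries: iterable of (path, mode, owner_uid). One finding per problem."""
    findings = []
    for path, mode, owner_uid in entries:
        shown = mode_string(mode)
        if mode & stat.S_ISUID:
            if owner_uid == 0:
                findings.append(
                    f"{path}: set-UID root ({shown}); every caller runs as the super-user, review it")
            else:
                findings.append(
                    f"{path}: set-UID to uid {owner_uid} ({shown}); the score-file pattern, "
                    f"check what else uid {owner_uid} owns")
        if mode & stat.S_IWOTH:
            findings.append(f"{path}: writable by everyone ({shown})")
    return findings


# Constructed listing: the paper's game with its sponsor-owned score file,
# a set-UID root program, a file created with no mask, and one created
# under the login default.
SAMPLE_LISTING = [
    ("/usr/games/chess", 0o4755, 200),              # set-UID to the sponsor, uid 200
    ("/usr/games/lib/chess.scores", 0o644, 200),    # only the game can write it
    ("/usr/bin/passwd", 0o4755, 0),                 # set-UID root
    ("/tmp/notes", apply_umask(0o666, 0o000), 1000),        # no mask: rw-rw-rw-
    ("/home/joe/letter", apply_umask(0o666, LOGIN_UMASK), 1000),  # rw-rw-r--
]


if __name__ == "__main__":
    for finding in audit_listing(SAMPLE_LISTING):
        print(finding)
```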







To maintain both data privacy and data integrity,it is necessary, and largely



sufficient,to make one's files inaccessible to others. The lack of sufficiency



could follow from the existence of set-UID programs created by the user and the



possibility of total breach of system security in one of the ways discussed



below(or one of the ways not discussed below).







For greater protection, an encryption scheme is available. Since the editor is able to create encrypted documents, and the crypt command can be used to pipe such documents into the other text-processing programs, the length of time during which clear text versions need be available is strictly limited. The encryption scheme used is not one of the strongest known, but it is judged adequate, in the sense that cryptanalysis is likely to require considerably more effort than more direct methods of reading the encrypted files. For example, a user who stores data that he regards as truly secret should be aware that he is implicitly trusting the system administrator not to install a version of the crypt command that stores every typed password in a file. Needless to say, the system administrators must be at least as careful as their most demanding user to place the correct protection mode on the files under their control.

In particular, it is necessary that special files be protected from writing, and probably reading, by ordinary users when they store sensitive files belonging to other users. It is easy to write programs that examine and change files by accessing the device on which the files live.

On the issue of password security, UNIX is probably better than most systems. Passwords are stored in an encrypted form which, in the absence of serious attention from specialists in the field, appears reasonably secure, provided its limitations are understood. In the current version, it is based on a slightly defective version of the Federal DES; it is purposely defective so that easily-available hardware is useless for attempts at exhaustive key-search. Since both the encryption algorithm and the encrypted passwords are available, exhaustive enumeration of potential passwords is still feasible up to a point. We have observed that users choose passwords that are easy to guess: they are short, or from a limited alphabet, or in a dictionary. Passwords should be at least six characters long and randomly chosen from an alphabet which includes digits and special characters.

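As an added example (not from the paper), the three weaknesses listed above turned into a checker, together with an estimate of the search space an exhaustive enumeration faces for each candidate; the word list and the class-based alphabet model are constructed assumptions, not anything the paper specifies:

```python
import math
import string

# Constructed word list standing in for the system dictionary; a real check
# would load a system word list such as /usr/share/dict/words (an assumption).
SAMPLE_DICTIONARY = {"secret", "password", "welcome", "letmein", "dragon"}

# Character classes a password may draw from; the paper asks for an alphabet
# "which includes digits and special characters".
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}

MIN_LENGTH = 6  # the paper's minimum


def alphabet_size(password):
    """Size of the alphabet an exhaustive search must assume, inferred from
    the character classes actually present (the 'limited alphabet' weakness:
    a lowercase-only password leaves only 26**length candidates)."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def keyspace_bits(password):
    """log2 of the number of candidates an exhaustive enumeration over the
    inferred alphabet and the observed length has to try."""
    size = alphabet_size(password)
    return len(password) * math.log2(size) if size else 0.0


def check_password(password, dictionary=SAMPLE_DICTIONARY):
    """Return the weaknesses the paper lists that this password shows:
    'short', 'limited alphabet' (no digit or no special character), 'dictionary'."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("short")
    has_digit = any(c in CLASSES["digit"] for c in password)
    has_special = any(c in CLASSES["special"] for c in password)
    if not (has_digit and has_special):
        problems.append("limited alphabet")
    if password.lower() in dictionary:
        problems.append("dictionary")
    return problems
```

Run `check_password("secret")` and `keyspace_bits("secret")` next to a six-character candidate drawn from all four classes to see the gap between roughly 28 and 39 bits of search space at the same length.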
Of course there also exist feasible non-cryptanalytic ways of finding out passwords. For example: write a program which types out ``login:'' on the typewriter and copies whatever is typed to a file of your own. Then invoke the command and go away until the victim arrives.

The set-UID (set-GID) notion must be used carefully if any security is to be maintained. The first thing to keep in mind is that a writable set-UID file can have another program copied onto it.

For example, if the super-user command is writable, anyone can copy the shell onto it and get a password-free version of Shell Unix. A more subtle problem can come from set-UID programs which are not sufficiently careful of what is fed into them. To take an obsolete example, the previous version of the mail command was set-UID and owned by the super-user. This version sent mail to the recipient's own directory. The notion was that one should be able to send mail to anyone even if they want to protect their directories from writing. The trouble was that mail was rather dumb: anyone could mail someone else's private file to himself. Much more serious is the following scenario: make a file with a line like one in the password file which allows one to log in as the super-user. Then make a link named ``.mail'' to the password file in some writable directory on the same device as the password file (say /tmp). Finally mail the bogus login line to /tmp/.mail; you can then log in as the super-user, clean up the incriminating evidence, and have your will.

The fact that users can mount their own disks and tapes as file systems can be another way of gaining super-user status. Once a disk pack is mounted, the system believes what is on it. Thus one can take a blank disk pack, put on it anything desired, and mount it. There are obvious and unfortunate consequences. For example: a mounted disk with garbage on it will crash the system; one of the files on the mounted disk can easily be a password-free version of Shell Unix; other files can be unprotected entries for special files. The only easy fix for this problem is to forbid the use of mount to unprivileged users. A partial solution, not so restrictive, would be to have the mount command examine the special file for bad data, set-UID programs owned by others, and accessible special files, and balk at unprivileged invokers.

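As an added example (not the paper's or the system's code), the inspection the paper proposes for the mount command, which also covers the writable set-UID case from the earlier set-UID paragraph: walk a tree and flag set-UID programs owned by someone other than the trusted owner, set-UID files writable by others, and special files others can read or write. The file names and the temporary directory standing in for a disk pack are constructed for the demonstration.

```python
import os
import stat
import tempfile


def audit_tree(root, trusted_uid=0):
    """Walk a mounted tree and list what a careful mount command should balk
    at: set-UID/set-GID programs not owned by trusted_uid, set-UID files
    writable by others, and devices others can access. Sorted (path, reason)."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # never follow symlinks off the tree
            except OSError:
                continue
            mode = st.st_mode
            if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
                if st.st_uid != trusted_uid:
                    findings.append((path, "set-UID/set-GID owned by other"))
                if mode & stat.S_IWOTH:
                    # a writable set-UID file can have another program copied onto it
                    findings.append((path, "set-UID writable by others"))
            if (stat.S_ISCHR(mode) or stat.S_ISBLK(mode)) and \
                    mode & (stat.S_IROTH | stat.S_IWOTH):
                findings.append((path, "special file accessible to others"))
    return sorted(findings)


def build_sample_tree():
    """Constructed stand-in for a user-supplied disk pack (a temp directory,
    not a real device): one harmless file and one set-UID file that is also
    writable by others. Returns the tree root and the uid owning the files."""
    root = tempfile.mkdtemp(prefix="mount_audit_")
    plain = os.path.join(root, "plain")
    with open(plain, "w") as f:
        f.write("harmless\n")
    os.chmod(plain, 0o644)
    bad = os.path.join(root, "suid_writable")
    with open(bad, "w") as f:
        f.write("#!/bin/sh\n")
    os.chmod(bad, 0o4777)
    return root, os.stat(bad).st_uid


if __name__ == "__main__":
    sample_root, owner = build_sample_tree()
    for path, reason in audit_tree(sample_root, trusted_uid=owner):
        print(reason, path)
```

Device nodes cannot be created without privilege, so the sample tree exercises only the set-UID checks; point `audit_tree` at a real mount point to exercise the special-file check.
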
FOOTPRINTING

Posted on by Ajit

WHAT IS FOOTPRINTING?
The systematic footprinting of an organization enables attackers to create a complete profile
of an organization’s security posture. By using a combination of tools and techniques,
attackers can take an unknown quantity (Widget Company’s Internet connection) and reduce
it to a specific range of domain names, network blocks, and individual IP addresses
of systems directly connected to the Internet. While there are many types of footprinting
techniques, they are primarily aimed at discovering information related to the following
environments: Internet, intranet, remote access, and extranet. Table 1-1 depicts these environments
and the critical information an attacker will try to identify.
Why Is Footprinting Necessary?
Footprinting is necessary to systematically and methodically ensure that all pieces of information
related to the aforementioned technologies are identified. Without a sound
methodology for performing this type of reconnaissance, you are likely to miss key pieces
of information related to a specific technology or organization. Footprinting is often the
most arduous task of trying to determine the security posture of an entity; however, it is
one of the most important. Footprinting must be performed accurately and in a controlled
fashion.